This repository has been archived by the owner on Apr 18, 2022. It is now read-only.
Refactor to take advantage of Terraform 0.12 features (#39)
* Fix AMI build due to Packer 1.4 and Ansible 2.8 issues

* Convert to objects for jenkins workers

* Update CDN site

* Encrypt key and validation errors

* Work on converting to use complex objects to pass resources

* WIP

* more WIP

* yet more WIP

* lambda cron update

* WIP before terratime

* Fix application type

* More WIP on refactoring. validates clean!

* Remove app_base

* Refactor command console

* Fix teleport subclusters

* All validating

* Add database support to command console

* Fix string interpolation error

* Fix list concat

* Misc fixes

* More fixes

* Fix internal dns call

* Fix json policy document

* Fix wildcard cert validation

* Fix wildcard validation, again

* Try to fix cloudfront issue

* More minor fixes

* Try switching s3 origin for cloudfront

* Fix cloudfront origin id

* Refactor ingress to be instantiated first

* Fix variables I goofed up

* Looks like the not didn't work

* fix up health checks

* fix applications port variable

* Add jenkins worker login rule

* Try removing local to get rid of destroy cycle

* Remove ingress dependency to test for cycle removal

* Move ingress into base to try to avoid destroy pseudo-cycles

* Remove exporting instances to try to break cycle on destroy

* Fixes

* Try another way to break the cycle

* Try to break another cycle

* Fix jenkins url

* Fix an nlb listener issue

* Switch teleport web listener to plain tcp

* Remove local variable that's probably causing the pseudo-cycle

* Try to break another cycle

* Fix cidr_block variable name

* Fix dynamo table flip-flop

* Dynamodb fixes

* Fix teleport secret issue

* Add streams to allowed resources

* Fix teleport proxy security groups

* Don't set new cluster token, rely on value in there to prevent token race condition

* pass through docker image for use by console

* Fix multiple cert and ingress DNS issues

* Fix cidr block for private ingress

* Add fixes to subcluster

* Fix ami conditional for asg

* Base64 encode asg user data

* Add device name for asg

* Switch target group to instances for ASG

* Remove invalid memory metric

* Ignore desire count for autoscaling

* Resize root asg volume

* Root volume AMI updates

* Fix tags on ASG

* Fix teleport-secrets for ASG

* Switch to use new ingress ASG setup

* Fix NLB subnets

* Ingress nginx fixes

* ingress nginx fix

* Trying some nlb stuff

* Fix nginx asg setup

* Fix ASG min amount

* Enable proxy protocol 🤦

* Extend time to wait for connecting to primary teleport cluster

* Fixes for teleport subcluster

* Delete teleport.yaml

* Remove superfluous file

* Update versions in Jenkinsfile

* Fix fmt

* Remove duplicate key grant
robertfairhead authored Aug 21, 2019
1 parent 498665c commit 1e9ba92
Showing 117 changed files with 2,615 additions and 3,168 deletions.
4 changes: 2 additions & 2 deletions Jenkinsfile
Expand Up @@ -7,7 +7,7 @@ pipeline {
stage('Terraform fmt') {
agent {
docker {
image 'hashicorp/terraform:light'
image 'hashicorp/terraform:0.12.6'
args '-w $WORKSPACE --entrypoint=""'
}
}
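Review bot: replacing the floating `hashicorp/terraform:light` tag with a pinned `0.12.6` in the fmt stage is the right call; `light` moves with every Terraform release, so `terraform fmt` output could change between builds with no change to this repository. The same pinned tag is repeated in the validation stage of this file, so consider declaring it once (a pipeline-level `environment` variable) so the two stages cannot drift apart on the next bump.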
Expand All @@ -25,7 +25,7 @@ pipeline {
stage('Terraform validation') {
agent {
docker {
image 'hashicorp/terraform:0.12.1'
image 'hashicorp/terraform:0.12.6'
args '-w $WORKSPACE --entrypoint=""'
}
}
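Review bot: the bump from `0.12.1` to `0.12.6` here matches the fmt stage, which keeps both stages on one Terraform version. If you want the build to be fully reproducible rather than just version-pinned, reference the image by digest (`hashicorp/terraform@sha256:<digest>`, placeholder shown) instead of by tag, since a tag can be re-pushed.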
8 changes: 8 additions & 0 deletions ami/base.json
Expand Up @@ -20,6 +20,14 @@
],
"most_recent": true
},
"launch_block_device_mappings": [
{
"device_name": "/dev/xvda",
"volume_size": 20,
"volume_type": "gp2",
"delete_on_termination": true
}
],
"instance_type": "{{user `instance_type`}}",
"ssh_username": "{{user `ssh_username`}}",
"ami_name": "{{user `ami_name`}}-{{isotime \"2006-01-02T03-04-05\"}}",
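Review bot: `volume_size` is hard-coded to 20 while the neighbouring builder settings (`instance_type`, `ssh_username`, `ami_name`) are all driven by `{{user ...}}` variables; expose it the same way so the root size can be tuned without editing the template. Also note that this mapping sets no `encrypted` flag, so the build instance's root volume is created unencrypted; unless `encrypt_boot` is set elsewhere in this builder (not visible in the hunk), the snapshot behind the resulting AMI will be unencrypted too. `delete_on_termination: true` is fine and stops orphaned build volumes accumulating.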
4 changes: 3 additions & 1 deletion ami/files/teleport/teleport-secrets
@@ -1,13 +1,15 @@
#!/bin/bash

cp /etc/teleport.yaml.tmpl /etc/teleport.yaml

# Setup teleport auth server config file
INSTANCE_ID=$(curl -sSf http://169.254.169.254/latest/meta-data/instance-id)
PRIVATE_IP=$(curl -sSf http://169.254.169.254/latest/meta-data/local-ipv4)
REGION=$(curl -sSf http://169.254.169.254/latest/meta-data/placement/availability-zone | sed 's/.$//')
ENVIRONMENT=$(aws ec2 describe-tags --region "$REGION" --filters "Name=resource-id,Values=${INSTANCE_ID}" | jq '.Tags | .[] | select(.Key | contains("env")) | .Value ' | cut -f 2 -d '"')
SECRET_ID="${ENVIRONMENT}/teleport/cluster_token"

NODENAME=$(aws ec2 describe-tags --region "$REGION" --filters "Name=resource-id,Values=${INSTANCE_ID}" | jq '.Tags | .[] | select(.Key | contains("Name")) | .Value ' | cut -f 2 -d '"')
NODENAME=$(aws ec2 describe-tags --region "$REGION" --filters "Name=resource-id,Values=${INSTANCE_ID}" | jq '.Tags | .[] | select(.Key == "Name") | .Value ' | cut -f 2 -d '"')
CLUSTER_TOKEN=$(aws secretsmanager get-secret-value --region "$REGION" --secret-id ${SECRET_ID} | jq ".SecretString" | cut -f 2 -d '"')

sed -i "s/{{ private_ip }}/${PRIVATE_IP}/g" /etc/teleport.yaml
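Review bot: the `NODENAME` fix (`.Key == "Name"` instead of `contains("Name")`) is correct, but the `ENVIRONMENT` lookup a few lines above keeps `contains("env")`, which is the same class of bug: any tag key containing that substring (for example `environment` or `env_owner`) would match, and because that value is spliced into `SECRET_ID`, a stray match points the instance at the wrong Secrets Manager path. Use an exact key comparison there as well. Two smaller points: `jq -r` returns unquoted strings and removes the need for `cut -f 2 -d '"'` (which also breaks on any value containing a quote), and the script has no `set -euo pipefail`, so a failed `aws secretsmanager get-secret-value` leaves `CLUSTER_TOKEN` empty and the following `sed` calls render a config with a blank token instead of aborting. `${SECRET_ID}` should be quoted like the other expansions.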
File renamed without changes.
15 changes: 9 additions & 6 deletions ami/provision.sh
Expand Up @@ -27,7 +27,7 @@ sudo useradd -d "/var/lib/teleport/" -g "adm" -k "/dev/null" -m -r -s "/sbin/nol
sudo passwd -l teleport

# Download info on the teleport release we are targeting
TELEPORT_VERSION="v4.0.1"
TELEPORT_VERSION="v4.0.2"
TELEPORT_INFO=$(curl -sSf https://dashboard.gravitational.com/webapi/releases-oss?product=teleport | jq ".items | map(select(.version == \"${TELEPORT_VERSION}\")) | .[].downloads | map(select(.name == \"teleport-${TELEPORT_VERSION}-linux-amd64-bin.tar.gz\")) | .[]")

# Install teleport binaries
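Review bot: with the bump to `v4.0.2`, `TELEPORT_INFO` is still selected purely by matching the version string in the dashboard JSON; if that version is absent from the feed or the endpoint changes shape, the `jq` expression yields nothing, `TELEPORT_INFO` is empty, and nothing here fails fast. Add a guard such as `[ -n "$TELEPORT_INFO" ] || { echo "teleport release not found"; exit 1; }` directly after this line, and if the release metadata carries a checksum, verify the tarball against it before the install step that follows.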
Expand All @@ -47,14 +47,17 @@ sudo chmod 0755 /usr/local/bin/teleport-secrets

echo "--- Configure teleport"
# Install teleport configuration
sudo cp /tmp/files/teleport/teleport.yaml /etc
sudo chmod 0644 /etc/teleport.yaml
sudo cp /tmp/files/teleport/teleport.yaml.tmpl /etc
sudo chmod 0644 /etc/teleport.yaml.tmpl

# Install teleport systemd units
sudo cp /tmp/files/teleport/*.service /etc/systemd/system
sudo chmod 0644 /etc/systemd/system/teleport*

echo "--- Turn on systemd services"
sudo systemctl enable --now docker
sudo systemctl enable --now yum-cron
sudo systemctl enable --now teleport
sudo systemctl enable docker
sudo systemctl enable yum-cron
sudo systemctl enable teleport

echo "--- Turn off systemd services"
sudo systemctl disable --now amazon-ssm-agent
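Review bot: dropping `--now` is right for an image bake: starting `teleport` during the build would run it against the unrendered `.tmpl`, and `docker`/`yum-cron` do not need to be running while Packer provisions. A one-line comment saying that `teleport-secrets` renders `/etc/teleport.yaml` from `/etc/teleport.yaml.tmpl` at first boot would make that ordering obvious to the next reader. On permissions: `0644` is fine for the placeholder template, but the rendered `/etc/teleport.yaml` will hold the cluster token that `teleport-secrets` fetches, and a plain `cp` of a `0644` template produces a world-readable config; have the rendering script (or an `ExecStartPre` in the unit) `chmod 0600` the rendered file.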
16 changes: 0 additions & 16 deletions app_base/Readme.md

This file was deleted.

45 changes: 0 additions & 45 deletions app_base/data.tf

This file was deleted.

154 changes: 0 additions & 154 deletions app_base/main.tf

This file was deleted.

8 changes: 0 additions & 8 deletions app_base/outputs.tf

This file was deleted.

27 changes: 0 additions & 27 deletions app_base/variables.tf

This file was deleted.

4 changes: 0 additions & 4 deletions app_base/versions.tf

This file was deleted.
