From adfe248b27ab511fe8cb0a0797133a8bed1e779d Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Mon, 9 Sep 2024 08:06:00 +0200 Subject: [PATCH 1/6] terraform: bump sops provider in uptime checks --- terraform/azure/main.tf | 2 +- terraform/gcp/main.tf | 2 +- terraform/uptime-checks/main.tf | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/terraform/azure/main.tf b/terraform/azure/main.tf index 33f59d5a90..0b032f7a61 100644 --- a/terraform/azure/main.tf +++ b/terraform/azure/main.tf @@ -24,7 +24,7 @@ terraform { sops = { # ref: https://registry.terraform.io/providers/carlpett/sops/latest source = "carlpett/sops" - version = "~> 1.0" + version = "~> 1.1" } } backend "gcs" { diff --git a/terraform/gcp/main.tf b/terraform/gcp/main.tf index 8eda10ced3..15bc124b33 100644 --- a/terraform/gcp/main.tf +++ b/terraform/gcp/main.tf @@ -17,7 +17,7 @@ terraform { sops = { # ref: https://registry.terraform.io/providers/carlpett/sops/latest source = "carlpett/sops" - version = "~> 1.0" + version = "~> 1.1" } } } diff --git a/terraform/uptime-checks/main.tf b/terraform/uptime-checks/main.tf index f497b15cc5..320af70fc8 100644 --- a/terraform/uptime-checks/main.tf +++ b/terraform/uptime-checks/main.tf @@ -17,7 +17,7 @@ terraform { sops = { # ref: https://registry.terraform.io/providers/carlpett/sops/latest source = "carlpett/sops" - version = "~> 0.7.2" + version = "~> 1.1" } } } From a9926dbc97dda0896fca3aa3ea13d21d64215621 Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Mon, 9 Sep 2024 08:24:26 +0200 Subject: [PATCH 2/6] terraform, azure: add reference comments --- terraform/azure/budget-alerts.tf | 3 +++ terraform/azure/pagerduty.tf | 3 +++ terraform/azure/service-principal.tf | 2 ++ terraform/azure/storage.tf | 4 ++++ 4 files changed, 12 insertions(+) diff --git a/terraform/azure/budget-alerts.tf b/terraform/azure/budget-alerts.tf index 4f359be9ee..dd9f823350 100644 --- a/terraform/azure/budget-alerts.tf +++ b/terraform/azure/budget-alerts.tf 
@@ -1,4 +1,7 @@ +# ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription data "azurerm_subscription" "current" {} + +# ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/consumption_budget_subscription resource "azurerm_consumption_budget_subscription" "budget" { count = var.budget_alert_enabled ? 1 : 0 diff --git a/terraform/azure/pagerduty.tf b/terraform/azure/pagerduty.tf index 38b61355d8..cbd8288b89 100644 --- a/terraform/azure/pagerduty.tf +++ b/terraform/azure/pagerduty.tf @@ -8,11 +8,13 @@ * https://2i2c-org.pagerduty.com/service-directory/?direction=asc&query=&team_ids=all * */ +# ref: https://registry.terraform.io/providers/carlpett/sops/latest/docs/data-sources/file data "sops_file" "pagerduty_service_integration_keys" { # Read sops encrypted file containing integration key for pagerduty source_file = "secret/enc-pagerduty-service-integration-keys.secret.yaml" } +# ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_action_group resource "azurerm_monitor_action_group" "alerts" { name = "AlertsActionGroup" # Changing this forces a recreation resource_group_name = var.resourcegroup_name @@ -24,6 +26,7 @@ resource "azurerm_monitor_action_group" "alerts" { } } +# ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_metric_alert resource "azurerm_monitor_metric_alert" "disk_space_full_alert" { # Changing the name forces a recreation every time we apply name = "Used disk space approaching capacity on Azure Subscription ${var.subscription_id}" diff --git a/terraform/azure/service-principal.tf b/terraform/azure/service-principal.tf index 78760d860a..2cf2c79a48 100644 --- a/terraform/azure/service-principal.tf +++ b/terraform/azure/service-principal.tf 
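Review bot: The comment added above `data "sops_file" "pagerduty_service_integration_keys"` in terraform/azure/pagerduty.tf links to the data source docs but does not say where the decrypted value ends up. As far as I know, values read through a Terraform data source are persisted in state, so the PagerDuty integration key would sit in plaintext in the backend (the context in this series shows a `gcs` backend in terraform/azure/main.tf). I would add a line such as `# NOTE: decrypted values are stored in terraform state, keep access to the state bucket restricted` next to the reference. The same applies wherever the sops provider is declared, including terraform/uptime-checks/main.tf, whose backend comment describes that state bucket as less sensitive.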
@@ -1,3 +1,4 @@ +# ref: https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal resource "azuread_service_principal" "service_principal" { count = var.create_service_principal ? 1 : 0 @@ -6,6 +7,7 @@ resource "azuread_service_principal" "service_principal" { use_existing = true } +# ref: https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal_password.html resource "azuread_service_principal_password" "service_principal_password" { count = var.create_service_principal ? 1 : 0 diff --git a/terraform/azure/storage.tf b/terraform/azure/storage.tf index b6c2346eb3..0a336ff073 100644 --- a/terraform/azure/storage.tf +++ b/terraform/azure/storage.tf @@ -1,3 +1,4 @@ +# ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account resource "azurerm_storage_account" "homes" { name = var.global_storage_account_name resource_group_name = azurerm_resource_group.jupyterhub.name @@ -27,6 +28,7 @@ resource "azurerm_storage_account" "homes" { } } +# ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_share resource "azurerm_storage_share" "homes" { name = "homes" storage_account_name = azurerm_storage_account.homes.name @@ -43,6 +45,7 @@ output "azure_fileshare_url" { value = azurerm_storage_share.homes.url } +# ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/recovery_services_vault resource "azurerm_recovery_services_vault" "homedir_recovery_vault" { name = "homedir-recovery-vault" location = azurerm_resource_group.jupyterhub.location 
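Review bot: The reference added above `azuread_service_principal_password` in terraform/azure/service-principal.tf ends in `.html`, while every other reference comment in this commit uses the extension-less registry path. For consistency I would write it as `# ref: https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal_password`. The resource body continues outside the hunk.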
@@ -50,6 +53,7 @@ resource "azurerm_recovery_services_vault" "homedir_recovery_vault" { sku = "Standard" } +# ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/backup_policy_file_share resource "azurerm_backup_policy_file_share" "backup_policy" { name = "homedir-recovery-vault-policy" resource_group_name = azurerm_resource_group.jupyterhub.name From f6f0381ac81f4492b4ca1e290b85b297bd85b87f Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Mon, 9 Sep 2024 08:36:58 +0200 Subject: [PATCH 3/6] terraform: bump kubernetes providers lower version bound --- terraform/azure/main.tf | 2 +- terraform/gcp/main.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/azure/main.tf b/terraform/azure/main.tf index 0b032f7a61..a792a744bf 100644 --- a/terraform/azure/main.tf +++ b/terraform/azure/main.tf @@ -17,7 +17,7 @@ terraform { kubernetes = { # ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest source = "hashicorp/kubernetes" - version = "~> 2.31" + version = "~> 2.32" } # Used to decrypt sops encrypted secrets containing PagerDuty keys diff --git a/terraform/gcp/main.tf b/terraform/gcp/main.tf index 15bc124b33..8c3e940ade 100644 --- a/terraform/gcp/main.tf +++ b/terraform/gcp/main.tf @@ -11,7 +11,7 @@ terraform { kubernetes = { # ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest source = "hashicorp/kubernetes" - version = "~> 2.31" + version = "~> 2.32" } # Used to decrypt sops encrypted secrets containing PagerDuty keys sops = { From 1f9dc1591099ddc43ffb81a83bdefea5eac101bf Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Mon, 9 Sep 2024 08:37:42 +0200 Subject: [PATCH 4/6] terraform: require terraform 1.9+ up from 1.5+ --- terraform/aws/main.tf | 2 +- terraform/azure/main.tf | 2 +- terraform/gcp/main.tf | 2 +- terraform/uptime-checks/main.tf | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/terraform/aws/main.tf b/terraform/aws/main.tf index e8e5f7f4af..127a28d63d 100644 --- a/terraform/aws/main.tf +++ b/terraform/aws/main.tf @@ -1,5 +1,5 @@ terraform { - required_version = "~> 1.5" + required_version = "~> 1.9" required_providers { aws = { diff --git a/terraform/azure/main.tf b/terraform/azure/main.tf index a792a744bf..3839ac187b 100644 --- a/terraform/azure/main.tf +++ b/terraform/azure/main.tf @@ -1,6 +1,6 @@ terraform { - required_version = "~> 1.5" + required_version = "~> 1.9" required_providers { azurerm = { # ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest diff --git a/terraform/gcp/main.tf b/terraform/gcp/main.tf index 8c3e940ade..139f61fd7f 100644 --- a/terraform/gcp/main.tf +++ b/terraform/gcp/main.tf @@ -1,5 +1,5 @@ terraform { - required_version = "~> 1.5" + required_version = "~> 1.9" backend "gcs" {} required_providers { diff --git a/terraform/uptime-checks/main.tf b/terraform/uptime-checks/main.tf index 320af70fc8..0a700e80c8 100644 --- a/terraform/uptime-checks/main.tf +++ b/terraform/uptime-checks/main.tf @@ -1,5 +1,5 @@ terraform { - required_version = "~> 1.5" + required_version = "~> 1.9" backend "gcs" { # This is a separate GCS bucket than what we use for our other terraform state # This is less sensitive, so let's keep it separate From b8eebcc2aeb1a38c1bb2bc966745e7ccc41e2ebd Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Mon, 9 Sep 2024 08:39:56 +0200 Subject: [PATCH 5/6] terraform: add fixme comments about major version upgrades --- terraform/azure/main.tf | 11 +++++++++++ terraform/gcp/main.tf | 1 + terraform/uptime-checks/main.tf | 1 + 3 files changed, 13 insertions(+) diff --git a/terraform/azure/main.tf b/terraform/azure/main.tf index 3839ac187b..a8292102b8 100644 --- a/terraform/azure/main.tf +++ b/terraform/azure/main.tf 
@@ -3,6 +3,7 @@ terraform { required_version = "~> 1.9" required_providers { azurerm = { + # FIXME: upgrade to v4, see https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/4.0-upgrade-guide # ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest source = "hashicorp/azurerm" version = "~> 3.111" @@ -33,20 +34,24 @@ terraform { } } +# ref: https://registry.terraform.io/providers/hashicorp/azuread/latest/docs#argument-reference provider "azuread" { tenant_id = var.tenant_id } +# ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs#argument-reference provider "azurerm" { subscription_id = var.subscription_id features {} } +# ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group resource "azurerm_resource_group" "jupyterhub" { name = var.resourcegroup_name location = var.location } +# ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network resource "azurerm_virtual_network" "jupyterhub" { name = "k8s-network" location = azurerm_resource_group.jupyterhub.location @@ -54,6 +59,7 @@ resource "azurerm_virtual_network" "jupyterhub" { address_space = ["10.0.0.0/8"] } +# ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet resource "azurerm_subnet" "node_subnet" { name = "k8s-nodes-subnet" virtual_network_name = azurerm_virtual_network.jupyterhub.name @@ -64,6 +70,7 @@ resource "azurerm_subnet" "node_subnet" { service_endpoints = ["Microsoft.Storage"] } +# ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs provider "kubernetes" { host = azurerm_kubernetes_cluster.jupyterhub.kube_config[0].host client_certificate = base64decode(azurerm_kubernetes_cluster.jupyterhub.kube_config[0].client_certificate) 
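Review bot: The reference comments added in terraform/azure/main.tf all link to the `latest` registry docs, while the first hunk pins azurerm to `~> 3.111` and its new FIXME records that the v4 upgrade is still pending. Until that upgrade happens, `latest` presumably renders v4 documentation, so the arguments and defaults a reader looks up may not match the provider that is actually applied. I would link version-scoped docs instead, for example `# ref: https://registry.terraform.io/providers/hashicorp/azurerm/<pinned-version>/docs/resources/resource_group`, or state in the FIXME that the links describe v4. The same applies to the azurerm references added in patch 2/6 and to the remaining hunks of this file section.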
@@ -72,6 +79,7 @@ provider "kubernetes" { } +# ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster resource "azurerm_kubernetes_cluster" "jupyterhub" { name = "hub-cluster" location = azurerm_resource_group.jupyterhub.location @@ -154,6 +162,7 @@ resource "azurerm_kubernetes_cluster" "jupyterhub" { } +# ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster_node_pool resource "azurerm_kubernetes_cluster_node_pool" "user_pool" { for_each = { for i, v in var.node_pools["user"] : v.name => v } @@ -180,6 +189,7 @@ resource "azurerm_kubernetes_cluster_node_pool" "user_pool" { } +# ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster_node_pool resource "azurerm_kubernetes_cluster_node_pool" "dask_pool" { for_each = { for i, v in var.node_pools["dask"] : v.name => v } @@ -205,6 +215,7 @@ resource "azurerm_kubernetes_cluster_node_pool" "dask_pool" { } +# ref: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/container_registry resource "azurerm_container_registry" "container_registry" { name = var.global_container_registry_name resource_group_name = azurerm_resource_group.jupyterhub.name diff --git a/terraform/gcp/main.tf b/terraform/gcp/main.tf index 139f61fd7f..4f38a03d63 100644 --- a/terraform/gcp/main.tf +++ b/terraform/gcp/main.tf @@ -4,6 +4,7 @@ terraform { backend "gcs" {} required_providers { google = { + # FIXME: upgrade to v6, see https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/version_6_upgrade # ref: https://registry.terraform.io/providers/hashicorp/google/latest source = "google" version = "~> 5.36" diff --git a/terraform/uptime-checks/main.tf b/terraform/uptime-checks/main.tf index 0a700e80c8..2b35605315 100644 --- a/terraform/uptime-checks/main.tf +++ b/terraform/uptime-checks/main.tf 
@@ -8,6 +8,7 @@ terraform { } required_providers { google = { + # FIXME: upgrade to v6, see https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/version_6_upgrade # ref: https://registry.terraform.io/providers/hashicorp/google/latest source = "google" version = "~> 4.55" From a465181c596f36d61e59895f0b6dc9d24bda9583 Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Mon, 9 Sep 2024 08:44:19 +0200 Subject: [PATCH 6/6] terraform: bump lower bound of google provider --- terraform/gcp/main.tf | 2 +- terraform/uptime-checks/main.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/gcp/main.tf b/terraform/gcp/main.tf index 4f38a03d63..9c80cc493c 100644 --- a/terraform/gcp/main.tf +++ b/terraform/gcp/main.tf @@ -7,7 +7,7 @@ terraform { # FIXME: upgrade to v6, see https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/version_6_upgrade # ref: https://registry.terraform.io/providers/hashicorp/google/latest source = "google" - version = "~> 5.36" + version = "~> 5.43" } kubernetes = { # ref: https://registry.terraform.io/providers/hashicorp/kubernetes/latest diff --git a/terraform/uptime-checks/main.tf b/terraform/uptime-checks/main.tf index 2b35605315..e6208b790a 100644 --- a/terraform/uptime-checks/main.tf +++ b/terraform/uptime-checks/main.tf @@ -11,7 +11,7 @@ terraform { # FIXME: upgrade to v6, see https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/version_6_upgrade # ref: https://registry.terraform.io/providers/hashicorp/google/latest source = "google" - version = "~> 4.55" + version = "~> 5.43" } # Used to decrypt sops encrypted secrets containing PagerDuty keys