diff --git a/cli/internal/terraform/terraform/aws-constellation/.terraform.lock.hcl b/cli/internal/terraform/terraform/aws-constellation/.terraform.lock.hcl
deleted file mode 100644
index ebdd23caa1..0000000000
--- a/cli/internal/terraform/terraform/aws-constellation/.terraform.lock.hcl
+++ /dev/null
@@ -1,45 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/aws" { - version = "5.17.0" - constraints = "5.17.0" - hashes = [ - "h1:rplvK7UGP2FuzM44t2eRX+QYYPC0aUIoKdi5XayRI8M=", - "zh:0087b9dd2c9c638fd63e527e5b9b70988008e263d480a199f180efe5a4f070f0", - "zh:0fd532a4fd03ddef11f0502ff9fe4343443e1ae805cb088825a71d6d48906ec7", - "zh:16411e731100cd15f7e165f53c23be784b2c86c2fcfd34781e0642d17090d342", - "zh:251d520927e77f091e2ec6302e921d839a2430ac541c6a461aed7c08fb5eae12", - "zh:4919e69682dc2a8c32d44f6ebc038a52c9f40af9c61cb574b64e322800d6a794", - "zh:5334c60759d5f76bdc51355d1a3ebcc451d4d20f632f5c73b6e55c52b5dc9e52", - "zh:7341a2b7247572eba0d0486094a870b872967702ec0ac7af728c2df2c30af4e5", - "zh:81d1b1cb2cac6b3922a05adab69543b678f344a01debd54500263700dad7a288", - "zh:882bc8e15ef6d4020a07321ec4c056977c5c1d96934118032922561d29504d43", - "zh:8cd4871ef2b03fd916de1a6dc7eb8a81a354c421177d4334a2e3308e50215e41", - "zh:97e12fe6529b21298adf1046c5e20ac35d0569c836a6f385ff041e257e00cfd2", - "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:9f5baf5d59b9f3cf5504d1fa975f10f27da3791896a9e18ece47c258bac17634", - "zh:dffafba6731ac1db1c540bdbd6a8c878486b71de9d0ca1d23c5c00a6c3c14d80", - "zh:fa7440c3c15a42fc5731444d324ced75407d417bfe3184661ae47d40a9718dce", - ] -} - -provider "registry.terraform.io/hashicorp/random" { - version = "3.5.1" - constraints = "3.5.1" - hashes = [ - "h1:IL9mSatmwov+e0+++YX2V6uel+dV6bn+fC/cnGDK3Ck=", - "zh:04e3fbd610cb52c1017d282531364b9c53ef72b6bc533acb2a90671957324a64", - "zh:119197103301ebaf7efb91df8f0b6e0dd31e6ff943d231af35ee1831c599188d", - "zh:4d2b219d09abf3b1bb4df93d399ed156cadd61f44ad3baf5cf2954df2fba0831", - "zh:6130bdde527587bbe2dcaa7150363e96dbc5250ea20154176d82bc69df5d4ce3", - "zh:6cc326cd4000f724d3086ee05587e7710f032f94fc9af35e96a386a1c6f2214f", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - 
- "zh:b6d88e1d28cf2dfa24e9fdcc3efc77adcdc1c3c3b5c7ce503a423efbdd6de57b",
- "zh:ba74c592622ecbcef9dc2a4d81ed321c4e44cddf7da799faa324da9bf52a22b2",
- "zh:c7c5cde98fe4ef1143bd1b3ec5dc04baf0d4cc3ca2c5c7d40d17c0e9b2076865",
- "zh:dac4bad52c940cd0dfc27893507c1e92393846b024c5a9db159a93c534a3da03",
- "zh:de8febe2a2acd9ac454b844a4106ed295ae9520ef54dc8ed2faf29f12716b602",
- "zh:eab0d0495e7e711cca367f7d4df6e322e6c562fc52151ec931176115b83ed014",
- ]
-}
diff --git a/cli/internal/terraform/terraform/aws-constellation/main.tf b/cli/internal/terraform/terraform/aws-constellation/main.tf
deleted file mode 100644
index 80f644229a..0000000000
--- a/cli/internal/terraform/terraform/aws-constellation/main.tf
+++ /dev/null
@@ -1,39 +0,0 @@
-module "aws_iam" {
- source = "../iam/aws"
- name_prefix = var.name_prefix
- region = var.region
-}
-
-
-module "aws" {
- source = "../aws"
- name = var.name
- node_groups = var.node_groups
- iam_instance_profile_worker_nodes = module.aws_iam.worker_nodes_instance_profile
- iam_instance_profile_control_plane = module.aws_iam.control_plane_instance_profile
- ami = var.ami
- region = var.region
- zone = var.zone
- debug = var.debug
- enable_snp = var.enable_snp
- custom_endpoint = var.custom_endpoint
-}
-
-module "constellation" {
- source = "../constellation-cluster"
- csp = "aws"
- name = var.name
- image = var.image
- microservice_version = var.microservice_version
- kubernetes_version = var.kubernetes_version
- uid = module.aws.uid
- clusterEndpoint = module.aws.out_of_cluster_endpoint
- inClusterEndpoint = module.aws.in_cluster_endpoint
- initSecretHash = module.aws.initSecret
- apiServerCertSANs = module.aws.api_server_cert_sans
- iam_instance_profile_control_plane = module.aws_iam.control_plane_instance_profile # TODO CSP specific
- iam_instance_profile_worker_nodes = module.aws_iam.worker_nodes_instance_profile # TODO CSP specific
- region = var.region # TODO CSP specific
- zone = var.zone # TODO CSP specific
- node_groups = var.node_groups
-}
diff --git a/cli/internal/terraform/terraform/aws-constellation/variables.tf b/cli/internal/terraform/terraform/aws-constellation/variables.tf
deleted file mode 100644
index 684d9dc40e..0000000000
--- a/cli/internal/terraform/terraform/aws-constellation/variables.tf
+++ /dev/null
@@ -1,110 +0,0 @@
-variable "name" {
- type = string
- description = "Name of your Constellation"
- validation {
- condition = length(var.name) <= 10
- error_message = "The length of the name of the Constellation must be <= 10 characters"
- }
-}
-
-variable "image" {
- type = string
- description = "Node image version"
- default = "v2.12.0"
-}
-
-variable "microservice_version" {
- type = string
- description = "Microservice version"
- default = "v2.12.0"
-}
-
-variable "kubernetes_version" {
- type = string
- description = "Kubernetes version"
- default = "v1.26.9"
-}
-
-
-variable "node_groups" {
- type = map(object({
- role = string
- initial_count = optional(number)
- instance_type = string
- disk_size = number
- disk_type = string
- zone = string
- }))
- description = "A map of node group names to node group configurations."
- validation {
- condition = can([for group in var.node_groups : group.role == "control-plane" || group.role == "worker"])
- error_message = "The role has to be 'control-plane' or 'worker'."
- }
- default = {
- control_plane_default = {
- role = "control-plane"
- zone = "eu-west-1b"
- instance_type = "m6a.xlarge"
- disk_size = 30
- disk_type = "gp3"
- initial_count = 2
- },
- worker_default = {
- role = "worker"
- zone = "eu-west-1b"
- instance_type = "m6a.xlarge"
- disk_size = 30
- disk_type = "gp3"
- initial_count = 2
- }
- }
-}
-
-variable "ami" {
- type = string
- description = "AMI ID"
- validation {
- condition = length(var.ami) > 4 && substr(var.ami, 0, 4) == "ami-"
- error_message = "The image_id value must be a valid AMI id, starting with \"ami-\"."
- }
- default = "ami-05f952f58bc859371" // TODO translate from image version
-}
-
-variable "region" {
- type = string
- description = "The AWS region to create the cluster in"
-}
-
-variable "zone" {
- type = string
- description = "The AWS availability zone name to create the cluster in"
-}
-
-variable "debug" {
- type = bool
- default = false
- description = "Enable debug mode. 
This opens up a debugd port that can be used to deploy a custom bootstrapper."
-}
-
-variable "enable_snp" {
- type = bool
- default = true
- description = "Enable AMD SEV SNP. Setting this to true sets the cpu-option AmdSevSnp to enable."
-}
-
-variable "custom_endpoint" {
- type = string
- default = ""
- description = "Custom endpoint to use for the Kubernetes apiserver. If not set, the default endpoint will be used."
-}
-
-variable "internal_load_balancer" {
- type = bool
- default = false
- description = "Use an internal load balancer."
-}
-
-variable "name_prefix" {
- type = string
- description = "Prefix for all resources"
-}
diff --git a/cli/internal/terraform/terraform/aws/.terraform.lock.hcl b/cli/internal/terraform/terraform/aws/.terraform.lock.hcl
deleted file mode 100644
index 1bd9326f87..0000000000
--- a/cli/internal/terraform/terraform/aws/.terraform.lock.hcl
+++ /dev/null
@@ -1,68 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/aws" { - version = "5.17.0" - constraints = "5.17.0" - hashes = [ - "h1:+riTtJ8Tqjd6js1SGim+926BtDuxy8Jn4F+xV8LXvvg=", - "h1:7XJ6tsfZR1m2RTHkJHmp7FtNxz8JP5Y/7p89RPebcAY=", - "h1:A/Z75kGeHrP3euYJv1OaGfTVy63NXIeUj1YBHg4TdO0=", - "h1:GVzgP42qi2UlVUyPqizWhFyaA9SpxhmAnPqwLKVxBqM=", - "h1:IOvWK6rZ2e8AubIWAfKzqI+9AcG+QNPcMOZlujhO840=", - "h1:OJMhYliR4PFDrTtOPocwq4NfuYZVGmmxwInPmcIC1x0=", - "h1:U+EDfeUqefebA1h7KyBMD1xH0h311LMi7wijPDPkC/0=", - "h1:WxtQKHotfGqgEJrV3Flb0CWziKxDfOz2RZUAIT09Uss=", - "h1:fKgoYBRyK55vJSChUHPptDUQuXqjfDjVKVJ11+scq64=", - "h1:lTrdAde+ANuM0Cn+RLFE0sOl2iFoWK9It0dIqi+xkv8=", - "h1:pHssdSGtZ9R9lk3IfQIy20SpFjjZdBzvybDsT/y2cQA=", - "h1:pcDQYPgf/6OQCapDcRV/RTvToi9qXHFsY16rvZx3vsY=", - "h1:rplvK7UGP2FuzM44t2eRX+QYYPC0aUIoKdi5XayRI8M=", - "h1:ytz93JU2mhkKFYWj0V5TV5GMH0v6cIekk485rn9me6A=", - "zh:0087b9dd2c9c638fd63e527e5b9b70988008e263d480a199f180efe5a4f070f0", - "zh:0fd532a4fd03ddef11f0502ff9fe4343443e1ae805cb088825a71d6d48906ec7", - "zh:16411e731100cd15f7e165f53c23be784b2c86c2fcfd34781e0642d17090d342", - "zh:251d520927e77f091e2ec6302e921d839a2430ac541c6a461aed7c08fb5eae12", - "zh:4919e69682dc2a8c32d44f6ebc038a52c9f40af9c61cb574b64e322800d6a794", - "zh:5334c60759d5f76bdc51355d1a3ebcc451d4d20f632f5c73b6e55c52b5dc9e52", - "zh:7341a2b7247572eba0d0486094a870b872967702ec0ac7af728c2df2c30af4e5", - "zh:81d1b1cb2cac6b3922a05adab69543b678f344a01debd54500263700dad7a288", - "zh:882bc8e15ef6d4020a07321ec4c056977c5c1d96934118032922561d29504d43", - "zh:8cd4871ef2b03fd916de1a6dc7eb8a81a354c421177d4334a2e3308e50215e41", - "zh:97e12fe6529b21298adf1046c5e20ac35d0569c836a6f385ff041e257e00cfd2", - "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:9f5baf5d59b9f3cf5504d1fa975f10f27da3791896a9e18ece47c258bac17634", - 
- "zh:dffafba6731ac1db1c540bdbd6a8c878486b71de9d0ca1d23c5c00a6c3c14d80",
- "zh:fa7440c3c15a42fc5731444d324ced75407d417bfe3184661ae47d40a9718dce",
- ]
-}
-
-provider "registry.terraform.io/hashicorp/random" {
- version = "3.5.1"
- constraints = "3.5.1"
- hashes = [
- "h1:0ULxM8/DscMzfiDWg1yclBf/39U44wQmlx745BfYZ80=",
- "h1:3hjTP5tQBspPcFAJlfafnWrNrKnr7J4Cp0qB9jbqf30=",
- "h1:6FVyQ/aG6tawPam6B+oFjgdidKd83uG9n7dOSQ66HBA=",
- "h1:6ePAACdONiMGe1j5pwUc0gpDFt82y/ka0zRimMg/geM=",
- "h1:BD3Y4CcrGHb9sx+Bl5V8M2PSyw23mykzXSwj+/6FhHA=",
- "h1:HGeb7Tajn7HZwX0MhrdyL57LoCSz5GMcI2wbHs12D4U=",
- "h1:IL9mSatmwov+e0+++YX2V6uel+dV6bn+fC/cnGDK3Ck=",
- "h1:JiENkIxSWc32/2Dtd1n4CWY3ow/PHvAeGhdgcOLpWZM=",
- "h1:MROYZuKGTuaTNf2FgbwCgSVpteQW25ubnb+Xfok2jvk=",
- "h1:VSnd9ZIPyfKHOObuQCaKfnjIHRtR7qTw19Rz8tJxm+k=",
- "h1:sZ7MTSD4FLekNN2wSNFGpM+5slfvpm5A/NLVZiB7CO0=",
- "zh:04e3fbd610cb52c1017d282531364b9c53ef72b6bc533acb2a90671957324a64",
- "zh:119197103301ebaf7efb91df8f0b6e0dd31e6ff943d231af35ee1831c599188d",
- "zh:4d2b219d09abf3b1bb4df93d399ed156cadd61f44ad3baf5cf2954df2fba0831",
- "zh:6130bdde527587bbe2dcaa7150363e96dbc5250ea20154176d82bc69df5d4ce3",
- "zh:6cc326cd4000f724d3086ee05587e7710f032f94fc9af35e96a386a1c6f2214f",
- "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
- "zh:b6d88e1d28cf2dfa24e9fdcc3efc77adcdc1c3c3b5c7ce503a423efbdd6de57b",
- "zh:ba74c592622ecbcef9dc2a4d81ed321c4e44cddf7da799faa324da9bf52a22b2",
- "zh:c7c5cde98fe4ef1143bd1b3ec5dc04baf0d4cc3ca2c5c7d40d17c0e9b2076865",
- "zh:dac4bad52c940cd0dfc27893507c1e92393846b024c5a9db159a93c534a3da03",
- "zh:de8febe2a2acd9ac454b844a4106ed295ae9520ef54dc8ed2faf29f12716b602",
- "zh:eab0d0495e7e711cca367f7d4df6e322e6c562fc52151ec931176115b83ed014",
- ]
-}
diff --git a/cli/internal/terraform/terraform/aws/main.tf b/cli/internal/terraform/terraform/aws/main.tf
deleted file mode 100644
index 0968eb1435..0000000000
--- a/cli/internal/terraform/terraform/aws/main.tf
+++ /dev/null
@@ -1,258 +0,0 @@
-terraform {
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = "5.17.0"
- }
- random = {
- source = "hashicorp/random"
- version = "3.5.1"
- }
- }
-}
-
-# Configure the AWS Provider
-provider "aws" {
- region = var.region
-}
-
-locals {
- uid = random_id.uid.hex
- name = "${var.name}-${local.uid}"
- initSecretHash = random_password.initSecret.bcrypt_hash
- ports_node_range = "30000-32767"
- load_balancer_ports = flatten([
- { name = "kubernetes", port = "6443", health_check = "HTTPS" },
- { name = "bootstrapper", port = "9000", health_check = "TCP" },
- { name = "verify", port = "30081", health_check = "TCP" },
- { name = "konnectivity", port = "8132", health_check = "TCP" },
- { name = "recovery", port = "9999", health_check = "TCP" },
- { name = "join", port = "30090", health_check = "TCP" },
- var.debug ? [{ name = "debugd", port = "4000", health_check = "TCP" }] : [],
- ])
- target_group_arns = {
- control-plane : [
- for port in local.load_balancer_ports : module.load_balancer_targets[port.name].target_group_arn
- ]
- worker : []
- }
- iam_instance_profile = {
- control-plane : var.iam_instance_profile_control_plane
- worker : var.iam_instance_profile_worker_nodes
- }
- # zones are all availability zones that are used by the node groups
- zones = distinct(sort([
- for node_group in var.node_groups : node_group.zone
- ]))
- // wildcard_lb_dns_name is the DNS name of the load balancer with a wildcard for the name.
- // example: given "name-1234567890.region.elb.amazonaws.com" it will return "*.region.elb.amazonaws.com"
- wildcard_lb_dns_name = replace(aws_lb.front_end.dns_name, "/^[^.]*\\./", "*.")
-
- tags = {
- constellation-uid = local.uid,
- }
-
- in_cluster_endpoint = aws_lb.front_end.dns_name
- out_of_cluster_endpoint = var.internal_load_balancer && var.debug ? 
module.jump_host[0].ip : local.in_cluster_endpoint
-}
-
-resource "random_id" "uid" {
- byte_length = 4
-}
-
-resource "random_password" "initSecret" {
- length = 32
- special = true
- override_special = "_%@"
-}
-
-resource "aws_vpc" "vpc" {
- cidr_block = "192.168.0.0/16"
- tags = merge(local.tags, { Name = "${local.name}-vpc" })
-}
-
-module "public_private_subnet" {
- source = "./modules/public_private_subnet"
- name = local.name
- vpc_id = aws_vpc.vpc.id
- cidr_vpc_subnet_nodes = "192.168.176.0/20"
- cidr_vpc_subnet_internet = "192.168.0.0/20"
- zone = var.zone
- zones = local.zones
- tags = local.tags
-}
-
-resource "aws_eip" "lb" {
- # TODO(malt3): use for_each = toset(module.public_private_subnet.all_zones)
- # in a future version to support all availability zones in the chosen region
- # This should only be done after we migrated to DNS-based addressing for the
- # control-plane.
- for_each = var.internal_load_balancer ? [] : toset([var.zone])
- domain = "vpc"
- tags = merge(local.tags, { "constellation-ip-endpoint" = each.key == var.zone ? "legacy-primary-zone" : "additional-zone" })
-}
-
-resource "aws_lb" "front_end" {
- name = "${local.name}-loadbalancer"
- internal = var.internal_load_balancer
- load_balancer_type = "network"
- tags = local.tags
- security_groups = [aws_security_group.security_group.id]
-
- dynamic "subnet_mapping" {
- # TODO(malt3): use for_each = toset(module.public_private_subnet.all_zones)
- # in a future version to support all availability zones in the chosen region
- # without needing to constantly replace the loadbalancer.
- # This has to wait until the bootstrapper that we upgrade from (source version) use
- # DNS-based addressing for the control-plane.
- # for_each = toset(module.public_private_subnet.all_zones)
- for_each = toset([var.zone])
- content {
- subnet_id = module.public_private_subnet.public_subnet_id[subnet_mapping.key]
- allocation_id = var.internal_load_balancer ? 
"" : aws_eip.lb[subnet_mapping.key].id
- }
- }
- enable_cross_zone_load_balancing = true
-
- lifecycle {
- ignore_changes = [security_groups]
- }
-}
-
-resource "aws_security_group" "security_group" {
- name = local.name
- vpc_id = aws_vpc.vpc.id
- description = "Security group for ${local.name}"
- tags = local.tags
-
- egress {
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"]
- description = "Allow all outbound traffic"
- }
-
- ingress {
- from_port = split("-", local.ports_node_range)[0]
- to_port = split("-", local.ports_node_range)[1]
- protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
- description = "K8s node ports"
- }
-
- dynamic "ingress" {
- for_each = local.load_balancer_ports
- content {
- description = ingress.value.name
- from_port = ingress.value.port
- to_port = ingress.value.port
- protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
- }
- }
-
- ingress {
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = [aws_vpc.vpc.cidr_block]
- description = "allow all internal"
- }
-
-}
-
-resource "aws_cloudwatch_log_group" "log_group" {
- name = local.name
- retention_in_days = 30
- tags = local.tags
-}
-
-module "load_balancer_targets" {
- for_each = { for port in local.load_balancer_ports : port.name => port }
- source = "./modules/load_balancer_target"
- name = "${local.name}-${each.value.name}"
- port = each.value.port
- healthcheck_protocol = each.value.health_check
- healthcheck_path = each.value.name == "kubernetes" ? 
"/readyz" : ""
- vpc_id = aws_vpc.vpc.id
- lb_arn = aws_lb.front_end.arn
- tags = local.tags
-}
-
-module "instance_group" {
- source = "./modules/instance_group"
- for_each = var.node_groups
- base_name = local.name
- node_group_name = each.key
- role = each.value.role
- zone = each.value.zone
- uid = local.uid
- instance_type = each.value.instance_type
- initial_count = each.value.initial_count
- image_id = var.ami
- state_disk_type = each.value.disk_type
- state_disk_size = each.value.disk_size
- target_group_arns = local.target_group_arns[each.value.role]
- security_groups = [aws_security_group.security_group.id]
- subnetwork = module.public_private_subnet.private_subnet_id[each.value.zone]
- iam_instance_profile = local.iam_instance_profile[each.value.role]
- enable_snp = var.enable_snp
- tags = merge(
- local.tags,
- { Name = "${local.name}-${each.value.role}" },
- { constellation-role = each.value.role },
- { constellation-node-group = each.key },
- { constellation-uid = local.uid },
- { constellation-init-secret-hash = local.initSecretHash },
- { "kubernetes.io/cluster/${local.name}" = "owned" }
- )
-}
-
-module "jump_host" {
- count = var.internal_load_balancer && var.debug ? 
1 : 0
- source = "./modules/jump_host"
- base_name = local.name
- subnet_id = module.public_private_subnet.public_subnet_id[var.zone]
- lb_internal_ip = aws_lb.front_end.dns_name
- ports = [for port in local.load_balancer_ports : port.port]
- iam_instance_profile = var.iam_instance_profile_worker_nodes
- security_group_id = aws_security_group.security_group.id
-}
-
-# TODO(31u3r): Remove once 2.12 is released
-moved {
- from = module.load_balancer_target_konnectivity
- to = module.load_balancer_targets["konnectivity"]
-}
-
-moved {
- from = module.load_balancer_target_verify
- to = module.load_balancer_targets["verify"]
-}
-
-moved {
- from = module.load_balancer_target_recovery
- to = module.load_balancer_targets["recovery"]
-}
-
-moved {
- from = module.load_balancer_target_join
- to = module.load_balancer_targets["join"]
-}
-
-moved {
- from = module.load_balancer_target_debugd[0]
- to = module.load_balancer_targets["debugd"]
-}
-
-moved {
- from = module.load_balancer_target_kubernetes
- to = module.load_balancer_targets["kubernetes"]
-}
-
-moved {
- from = module.load_balancer_target_bootstrapper
- to = module.load_balancer_targets["bootstrapper"]
-}
-
diff --git a/cli/internal/terraform/terraform/aws/modules/instance_group/main.tf b/cli/internal/terraform/terraform/aws/modules/instance_group/main.tf
deleted file mode 100644
index d863fa1148..0000000000
--- a/cli/internal/terraform/terraform/aws/modules/instance_group/main.tf
+++ /dev/null
@@ -1,115 +0,0 @@
-terraform {
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = "5.17.0"
- }
- random = {
- source = "hashicorp/random"
- version = "3.5.1"
- }
- }
-}
-
-locals {
- group_uid = random_id.uid.hex
- name = "${var.base_name}-${lower(var.role)}-${local.group_uid}"
-}
-
-resource "random_id" "uid" {
- byte_length = 4
-}
-
-resource "aws_launch_template" "launch_template" {
- name_prefix = local.name
- image_id = var.image_id
- instance_type = var.instance_type
- iam_instance_profile {
- name = var.iam_instance_profile
- }
- vpc_security_group_ids = var.security_groups
- metadata_options {
- http_endpoint = "enabled"
- http_tokens = "required"
- instance_metadata_tags = "disabled"
- http_put_response_hop_limit = 2
- }
-
- block_device_mappings {
- device_name = "/dev/sdb"
- ebs {
- volume_size = var.state_disk_size
- volume_type = var.state_disk_type
- encrypted = true
- delete_on_termination = true
- }
- }
-
- # See: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template#cpu-options
- cpu_options {
- # use "enabled" to enable SEV-SNP
- # use "disabled" to disable SEV-SNP (but still require SNP-capable hardware)
- # use null to leave the setting unset (allows non-SNP-capable hardware to be used)
- amd_sev_snp = var.enable_snp ? "enabled" : null
- # Disable SMT. We are already disabling it inside the image.
- # Disabling SMT only in the image, not in the Hypervisor creates problems.
- # Thus, also disable it in the Hypervisor.
- # TODO(derpsteb): reenable once AWS confirms it's safe to do so.
- # threads_per_core = 1
- # When setting threads_per_core we also have to set core_count.
- # For the currently supported SNP instance families (C6a, M6a, R6a) default_cores
- # equals the maximum number of available cores.
- # core_count = data.aws_ec2_instance_type.instance_data.default_cores
- }
-
- lifecycle {
- create_before_destroy = true
- ignore_changes = [
- cpu_options, # required. 
we cannot change the CPU options of a launch template
- name_prefix, # required. Allow legacy scale sets to keep their old names
- default_version, # required. update procedure creates new versions of the launch template
- image_id, # required. update procedure modifies the image id externally
- ]
- }
-}
-
-resource "aws_autoscaling_group" "autoscaling_group" {
- name = local.name
- launch_template {
- id = aws_launch_template.launch_template.id
- }
- min_size = 1
- max_size = 10
- desired_capacity = var.initial_count
- vpc_zone_identifier = [var.subnetwork]
- target_group_arns = var.target_group_arns
-
- # TODO(msanft): Remove this (to have the 10m default) once AWS SEV-SNP boot problems are resolved.
- # Set a higher timeout for the ASG to fulfill the desired healthy capcity. Temporary workaround to
- # long boot times on SEV-SNP machines on AWS.
- wait_for_capacity_timeout = var.enable_snp ? "20m" : "10m"
-
- dynamic "tag" {
- for_each = var.tags
- content {
- key = tag.key
- value = tag.value
- propagate_at_launch = true
- }
- }
-
- lifecycle {
- create_before_destroy = true
- ignore_changes = [
- name, # required. Allow legacy scale sets to keep their old names
- launch_template.0.version, # required. update procedure creates new versions of the launch template
- min_size, # required. autoscaling modifies the instance count externally
- max_size, # required. autoscaling modifies the instance count externally
- desired_capacity, # required. autoscaling modifies the instance count externally
- ]
- }
-}
-
-data "aws_ec2_instance_type" "instance_data" {
- instance_type = var.instance_type
-}
diff --git a/cli/internal/terraform/terraform/aws/modules/instance_group/variables.tf b/cli/internal/terraform/terraform/aws/modules/instance_group/variables.tf
deleted file mode 100644
index 15e4420fd9..0000000000
--- a/cli/internal/terraform/terraform/aws/modules/instance_group/variables.tf
+++ /dev/null
@@ -1,84 +0,0 @@
-variable "base_name" {
- type = string
- description = "Base name of the instance group."
-}
-
-variable "node_group_name" {
- type = string
- description = "Constellation name for the node group (used for configuration and CSP-independent naming)."
-}
-
-variable "role" {
- type = string
- description = "The role of the instance group."
- validation {
- condition = contains(["control-plane", "worker"], var.role)
- error_message = "The role has to be 'control-plane' or 'worker'."
- }
-}
-
-variable "uid" {
- type = string
- description = "UID of the cluster. This is used for tags."
-}
-
-variable "instance_type" {
- type = string
- description = "Instance type for the nodes."
-}
-
-variable "initial_count" {
- type = number
- description = "Number of instances in the instance group."
-}
-
-variable "image_id" {
- type = string
- description = "Image ID for the nodes."
-}
-
-variable "state_disk_type" {
- type = string
- description = "EBS disk type for the state disk of the nodes."
-}
-
-variable "state_disk_size" {
- type = number
- description = "Disk size for the state disk of the nodes [GB]."
-}
-
-variable "target_group_arns" {
- type = list(string)
- description = "ARN of the target group."
-}
-
-variable "subnetwork" {
- type = string
- description = "Name of the subnetwork to use."
-}
-
-variable "iam_instance_profile" {
- type = string
- description = "IAM instance profile for the nodes."
-}
-
-variable "security_groups" {
- type = list(string)
- description = "List of IDs of the security groups for an instance."
-}
-
-variable "tags" {
- type = map(string)
- description = "The tags to add to the instance group."
-}
-
-variable "enable_snp" {
- type = bool
- default = true
- description = "Enable AMD SEV SNP. Setting this to true sets the cpu-option AmdSevSnp to enable."
-}
-
-variable "zone" {
- type = string
- description = "Zone to deploy the instance group in."
-}
diff --git a/cli/internal/terraform/terraform/aws/modules/jump_host/main.tf b/cli/internal/terraform/terraform/aws/modules/jump_host/main.tf
deleted file mode 100644
index ad5d24e23a..0000000000
--- a/cli/internal/terraform/terraform/aws/modules/jump_host/main.tf
+++ /dev/null
@@ -1,59 +0,0 @@ -terraform { - required_providers { - aws = { - source = "hashicorp/aws" - version = "5.17.0" - } - } -} - - -data "aws_ami" "ubuntu" { - most_recent = true - owners = ["099720109477"] # Canonical - - filter { - name = "name" - values = ["ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"] - } -} - -resource "aws_instance" "jump_host" { - ami = data.aws_ami.ubuntu.id - instance_type = "c5a.large" - associate_public_ip_address = true - - iam_instance_profile = var.iam_instance_profile - subnet_id = var.subnet_id - security_groups = [var.security_group_id] - - tags = { - "Name" = "${var.base_name}-jump-host" - } - - user_data = < 192.168.176.0/24 (unused private subnet cidr) - # 1 => 192.168.177.0/24 (unused private subnet cidr) - legacy = 2 # => 192.168.178.0/24 (legacy private subnet) - a = 3 # => 192.168.179.0/24 (first newly created zonal private subnet) - b = 4 - c = 5 - d = 6 - e = 7 - f = 8 - g = 9 - h = 10 - i = 11 - j = 12 - k = 13 - l = 14 - m = 15 # => 192.168.191.0/24 (last reserved zonal private subnet cidr). In reality, AWS doesn't have that many zones in a region. - } -} - -data "aws_availability_zones" "available" { - state = "available" -} - -data "aws_availability_zone" "all" { - for_each = toset(data.aws_availability_zones.available.names) - - name = each.key -} - -resource "aws_eip" "nat" { - for_each = toset(var.zones) - domain = "vpc" - tags = var.tags -} - -resource "aws_subnet" "private" { - for_each = data.aws_availability_zone.all - vpc_id = var.vpc_id - cidr_block = cidrsubnet(var.cidr_vpc_subnet_nodes, 4, local.az_number[each.value.name_suffix]) - availability_zone = each.key - tags = merge(var.tags, { Name = "${var.name}-subnet-nodes" }, { "kubernetes.io/role/internal-elb" = 1 }) # aws-load-balancer-controller needs role annotation - lifecycle { - ignore_changes = [ - cidr_block, # required. Legacy subnets used fixed cidr blocks for the single zone that don't match the new scheme. 
- ]
- }
-}
-
-resource "aws_subnet" "public" {
- for_each = data.aws_availability_zone.all
- vpc_id = var.vpc_id
- cidr_block = cidrsubnet(var.cidr_vpc_subnet_internet, 4, local.az_number[each.value.name_suffix])
- availability_zone = each.key
- tags = merge(var.tags, { Name = "${var.name}-subnet-internet" }, { "kubernetes.io/role/elb" = 1 }) # aws-load-balancer-controller needs role annotation
- lifecycle {
- ignore_changes = [
- cidr_block, # required. Legacy subnets used fixed cidr blocks for the single zone that don't match the new scheme.
- ]
- }
-}
-
-resource "aws_internet_gateway" "gw" {
- vpc_id = var.vpc_id
- tags = merge(var.tags, { Name = "${var.name}-internet-gateway" })
-}
-
-resource "aws_nat_gateway" "gw" {
- for_each = toset(var.zones)
- subnet_id = aws_subnet.public[each.key].id
- allocation_id = aws_eip.nat[each.key].id
- tags = merge(var.tags, { Name = "${var.name}-nat-gateway" })
-}
-
-resource "aws_route_table" "private_nat" {
- for_each = toset(var.zones)
- vpc_id = var.vpc_id
- tags = merge(var.tags, { Name = "${var.name}-private-nat" })
-
- route {
- cidr_block = "0.0.0.0/0"
- nat_gateway_id = aws_nat_gateway.gw[each.key].id
- }
-}
-
-resource "aws_route_table" "public_igw" {
- for_each = toset(var.zones)
- vpc_id = var.vpc_id
- tags = merge(var.tags, { Name = "${var.name}-public-igw" })
-
- route {
- cidr_block = "0.0.0.0/0"
- gateway_id = aws_internet_gateway.gw.id
- }
-}
-
-resource "aws_route_table_association" "private_nat" {
- for_each = toset(var.zones)
- subnet_id = aws_subnet.private[each.key].id
- route_table_id = aws_route_table.private_nat[each.key].id
-}
-
-resource "aws_route_table_association" "route_to_internet" {
- for_each = toset(var.zones)
- subnet_id = aws_subnet.public[each.key].id
- route_table_id = aws_route_table.public_igw[each.key].id
-}
diff --git a/cli/internal/terraform/terraform/aws/modules/public_private_subnet/output.tf b/cli/internal/terraform/terraform/aws/modules/public_private_subnet/output.tf
deleted file mode 100644
index eda7d64cfd..0000000000
--- a/cli/internal/terraform/terraform/aws/modules/public_private_subnet/output.tf
+++ /dev/null
@@ -1,19 +0,0 @@
-output "private_subnet_id" {
- value = {
- for az in data.aws_availability_zone.all :
- az.name => aws_subnet.private[az.name].id
- }
-}
-
-output "public_subnet_id" {
- value = {
- for az in data.aws_availability_zone.all :
- az.name => aws_subnet.public[az.name].id
- }
-}
-
-# all_zones is a list of all availability zones in the region
-# it also contains zones that are not currently used by node groups (but might be in the future)
-output "all_zones" {
- value = distinct(sort([for az in data.aws_availability_zone.all : az.name]))
-}
diff --git a/cli/internal/terraform/terraform/aws/modules/public_private_subnet/variables.tf b/cli/internal/terraform/terraform/aws/modules/public_private_subnet/variables.tf
deleted file mode 100644
index 0cbe581247..0000000000
--- a/cli/internal/terraform/terraform/aws/modules/public_private_subnet/variables.tf
+++ /dev/null
@@ -1,34 +0,0 @@
-variable "name" {
- type = string
- description = "Name of your Constellation, which is used as a prefix for tags."
-}
-
-variable "vpc_id" {
- type = string
- description = "ID of the VPC."
-}
-
-variable "zone" {
- type = string
- description = "Main availability zone. Only used for legacy reasons."
-}
-
-variable "zones" {
- type = list(string)
- description = "Availability zones."
-}
-
-variable "cidr_vpc_subnet_nodes" {
- type = string
- description = "CIDR block for the subnet that will contain the nodes."
-}
-
-variable "cidr_vpc_subnet_internet" {
- type = string
- description = "CIDR block for the subnet that contains resources reachable from the Internet."
-}
-
-variable "tags" {
- type = map(string)
- description = "The tags to add to the resource."
-}
diff --git a/cli/internal/terraform/terraform/aws/outputs.tf b/cli/internal/terraform/terraform/aws/outputs.tf
deleted file mode 100644
index 6147861045..0000000000
--- a/cli/internal/terraform/terraform/aws/outputs.tf
+++ /dev/null
@@ -1,33 +0,0 @@
-output "out_of_cluster_endpoint" {
- value = local.out_of_cluster_endpoint
-}
-
-output "in_cluster_endpoint" {
- value = local.in_cluster_endpoint
-}
-output "api_server_cert_sans" {
- value = sort(
- distinct(
- concat(
- [
- local.in_cluster_endpoint,
- local.out_of_cluster_endpoint,
- ],
- var.custom_endpoint == "" ? [] : [var.custom_endpoint],
- )
- )
- )
-}
-
-output "uid" {
- value = local.uid
-}
-
-output "initSecret" {
- value = random_password.initSecret.result
- sensitive = true
-}
-
-output "name" {
- value = local.name
-}
diff --git a/cli/internal/terraform/terraform/aws/variables.tf b/cli/internal/terraform/terraform/aws/variables.tf
deleted file mode 100644
index 584c3ddf7e..0000000000
--- a/cli/internal/terraform/terraform/aws/variables.tf
+++ /dev/null
@@ -1,77 +0,0 @@ -variable "name" { - type = string - description = "Name of your Constellation" - validation { - condition = length(var.name) <= 10 - error_message = "The length of the name of the Constellation must be <= 10 characters" - } -} - -variable "node_groups" { - type = map(object({ - role = string - initial_count = optional(number) - instance_type = string - disk_size = number - disk_type = string - zone = string - })) - description = "A map of node group names to node group configurations." - validation { - condition = can([for group in var.node_groups : group.role == "control-plane" || group.role == "worker"]) - error_message = "The role has to be 'control-plane' or 'worker'." - } -} - -variable "iam_instance_profile_worker_nodes" { - type = string - description = "Name of the IAM instance profile for worker nodes" -} - -variable "iam_instance_profile_control_plane" { - type = string - description = "Name of the IAM instance profile for control plane nodes" -} - -variable "ami" { - type = string - description = "AMI ID" - validation { - condition = length(var.ami) > 4 && substr(var.ami, 0, 4) == "ami-" - error_message = "The image_id value must be a valid AMI id, starting with \"ami-\"." - } -} - -variable "region" { - type = string - description = "The AWS region to create the cluster in" -} - -variable "zone" { - type = string - description = "The AWS availability zone name to create the cluster in" -} - -variable "debug" { - type = bool - default = false - description = "Enable debug mode. This opens up a debugd port that can be used to deploy a custom bootstrapper." -} - -variable "enable_snp" { - type = bool - default = true - description = "Enable AMD SEV SNP. Setting this to true sets the cpu-option AmdSevSnp to enable." -} - -variable "custom_endpoint" { - type = string - default = "" - description = "Custom endpoint to use for the Kubernetes apiserver. If not set, the default endpoint will be used." 
-} - -variable "internal_load_balancer" { - type = bool - default = false - description = "Use an internal load balancer." -} diff --git a/cli/internal/terraform/terraform/azure/.terraform.lock.hcl b/cli/internal/terraform/terraform/azure/.terraform.lock.hcl deleted file mode 100644 index 6ebb30089f..0000000000 --- a/cli/internal/terraform/terraform/azure/.terraform.lock.hcl +++ /dev/null 
@@ -1,85 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/azurerm" { - version = "3.74.0" - constraints = "3.74.0" - hashes = [ - "h1:1kSiowd/tBNswp3iv7ePlzkP5llWihjHcY3pdXdJqVU=", - "h1:4b15khHtc5OkIVEFg0W5QRwf/ov1WVQkXVdSiAcTCS8=", - "h1:ETVZfmulZQ435+lgFCkZRpfVOLyAxfDOwbPXFg3aLLQ=", - "h1:H3diAufZ5VDQKsQNYykVRaFTOUJ4gjFiT2VLYi574+w=", - "h1:LEdK8BxNSNiBQbtcJhQZKMMHDjmPpUsvDpr3Mzs93Tg=", - "h1:OtJKZcMwrRNR84ylT1GgMwGR8KTxVOCkNifbjABlGj0=", - "h1:Rq+CNb+4u47dw20tlAeI2yxSOuDtLm+S/GZO2pneLyA=", - "h1:VfBB00BE0wvFiod7BlL+Cn6r2599MEi94hnAQ277ux8=", - "h1:YJ15rwD0G7lYc9OVh5GO4VTqcd2jhqegfgyqTJH1M/I=", - "h1:YvxxiqiwXjZdU53u3b9q49ezsIAb59KmdLLFkwkwFAs=", - "h1:xDRmcV40KrWttPYg/w0/IN/frS9K1twuyvqRNVZko44=", - "zh:0424c70152f949da1ec52ba96d20e5fd32fd22d9bd9203ce045d5f6aab3d20fc", - "zh:16dbf581d10f8e7937185bcdcceb4f91d08c919e452fb8da7580071288c8c397", - "zh:3019103bc2c3b4e185f5c65696c349697644c968f5c085af5505fed6d01c4241", - "zh:49bb56ebaed6653fdb913c2b2bb74fc8b5399e7258d1e89084f72c44ea1130dd", - "zh:85547666517f899d88620bd23a000a8f43c7dc93587c350eb1ea17bcb3e645c7", - "zh:8bed8b646ff1822d8764de68b56b71e5dd971a4b77eba80d47f400a530800bea", - "zh:8bfa6c70c004ba05ebce47f74f49ce872c28a68a18bb71b281a9681bcbbdbfa1", - "zh:a2ae9e38fda0695fb8aa810e4f1ce4b104bfda651a87923b307bb1728680d8b6", - "zh:beac1efe32f99072c892095f5ff46e40d6852b66679a03bc3acbe1b90fb1f653", - "zh:d8a6ca20e49ebe7ea5688d91233d571e2c2ccc3e41000c39a7d7031df209ea8e", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - "zh:f937b5fdf49b072c0347408d0a1c5a5d822dae1a23252915930e5a82d1d8ce8b", - ] -} - -provider "registry.terraform.io/hashicorp/random" { - version = "3.5.1" - constraints = "3.5.1" - hashes = [ - "h1:0ULxM8/DscMzfiDWg1yclBf/39U44wQmlx745BfYZ80=", - "h1:3hjTP5tQBspPcFAJlfafnWrNrKnr7J4Cp0qB9jbqf30=", - "h1:6FVyQ/aG6tawPam6B+oFjgdidKd83uG9n7dOSQ66HBA=", - 
"h1:6ePAACdONiMGe1j5pwUc0gpDFt82y/ka0zRimMg/geM=", - "h1:BD3Y4CcrGHb9sx+Bl5V8M2PSyw23mykzXSwj+/6FhHA=", - "h1:HGeb7Tajn7HZwX0MhrdyL57LoCSz5GMcI2wbHs12D4U=", - "h1:IL9mSatmwov+e0+++YX2V6uel+dV6bn+fC/cnGDK3Ck=", - "h1:JiENkIxSWc32/2Dtd1n4CWY3ow/PHvAeGhdgcOLpWZM=", - "h1:MROYZuKGTuaTNf2FgbwCgSVpteQW25ubnb+Xfok2jvk=", - "h1:VSnd9ZIPyfKHOObuQCaKfnjIHRtR7qTw19Rz8tJxm+k=", - "h1:sZ7MTSD4FLekNN2wSNFGpM+5slfvpm5A/NLVZiB7CO0=", - "zh:04e3fbd610cb52c1017d282531364b9c53ef72b6bc533acb2a90671957324a64", - "zh:119197103301ebaf7efb91df8f0b6e0dd31e6ff943d231af35ee1831c599188d", - "zh:4d2b219d09abf3b1bb4df93d399ed156cadd61f44ad3baf5cf2954df2fba0831", - "zh:6130bdde527587bbe2dcaa7150363e96dbc5250ea20154176d82bc69df5d4ce3", - "zh:6cc326cd4000f724d3086ee05587e7710f032f94fc9af35e96a386a1c6f2214f", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:b6d88e1d28cf2dfa24e9fdcc3efc77adcdc1c3c3b5c7ce503a423efbdd6de57b", - "zh:ba74c592622ecbcef9dc2a4d81ed321c4e44cddf7da799faa324da9bf52a22b2", - "zh:c7c5cde98fe4ef1143bd1b3ec5dc04baf0d4cc3ca2c5c7d40d17c0e9b2076865", - "zh:dac4bad52c940cd0dfc27893507c1e92393846b024c5a9db159a93c534a3da03", - "zh:de8febe2a2acd9ac454b844a4106ed295ae9520ef54dc8ed2faf29f12716b602", - "zh:eab0d0495e7e711cca367f7d4df6e322e6c562fc52151ec931176115b83ed014", - ] -} - -provider "registry.terraform.io/hashicorp/tls" { - version = "4.0.4" - hashes = [ - "h1:GZcFizg5ZT2VrpwvxGBHQ/hO9r6g0vYdQqx3bFD3anY=", - "h1:Wd3RqmQW60k2QWPN4sK5CtjGuO1d+CRNXgC+D4rKtXc=", - "h1:bNsvpX5EGuVxgGRXBQVLXlmq40PdoLp8Rfuh1ZmV7yY=", - "h1:pe9vq86dZZKCm+8k1RhzARwENslF3SXb9ErHbQfgjXU=", - "h1:rKKMyIEBZwR+8j6Tx3PwqBrStuH+J+pxcbCR5XN8WAw=", - "zh:23671ed83e1fcf79745534841e10291bbf34046b27d6e68a5d0aab77206f4a55", - "zh:45292421211ffd9e8e3eb3655677700e3c5047f71d8f7650d2ce30242335f848", - "zh:59fedb519f4433c0fdb1d58b27c210b27415fddd0cd73c5312530b4309c088be", - "zh:5a8eec2409a9ff7cd0758a9d818c74bcba92a240e6c5e54b99df68fff312bbd5", - 
"zh:5e6a4b39f3171f53292ab88058a59e64825f2b842760a4869e64dc1dc093d1fe", - "zh:810547d0bf9311d21c81cc306126d3547e7bd3f194fc295836acf164b9f8424e", - "zh:824a5f3617624243bed0259d7dd37d76017097dc3193dac669be342b90b2ab48", - "zh:9361ccc7048be5dcbc2fafe2d8216939765b3160bd52734f7a9fd917a39ecbd8", - "zh:aa02ea625aaf672e649296bce7580f62d724268189fe9ad7c1b36bb0fa12fa60", - "zh:c71b4cd40d6ec7815dfeefd57d88bc592c0c42f5e5858dcc88245d371b4b8b1e", - "zh:dabcd52f36b43d250a3d71ad7abfa07b5622c69068d989e60b79b2bb4f220316", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - ] -} diff --git a/cli/internal/terraform/terraform/azure/main.tf b/cli/internal/terraform/terraform/azure/main.tf deleted file mode 100644 index 6252396f99..0000000000 --- a/cli/internal/terraform/terraform/azure/main.tf +++ /dev/null 
@@ -1,292 +0,0 @@ -terraform { - required_providers { - azurerm = { - source = "hashicorp/azurerm" - version = "3.74.0" - } - random = { - source = "hashicorp/random" - version = "3.5.1" - } - } -} - -provider "azurerm" { - features { - resource_group { - prevent_deletion_if_contains_resources = false - } - } -} - -locals { - uid = random_id.uid.hex - name = "${var.name}-${local.uid}" - initSecretHash = random_password.initSecret.bcrypt_hash - tags = { - constellation-uid = local.uid, - } - ports_node_range = "30000-32767" - cidr_vpc_subnet_nodes = "192.168.178.0/24" - cidr_vpc_subnet_pods = "10.10.0.0/16" - ports = flatten([ - { name = "kubernetes", port = "6443", health_check_protocol = "Https", path = "/readyz", priority = 100 }, - { name = "bootstrapper", port = "9000", health_check_protocol = "Tcp", path = null, priority = 101 }, - { name = "verify", port = "30081", health_check_protocol = "Tcp", path = null, priority = 102 }, - { name = "konnectivity", port = "8132", health_check_protocol = "Tcp", path = null, priority = 103 }, - { name = "recovery", port = "9999", health_check_protocol = "Tcp", path = null, priority = 104 }, - { name = "join", port = "30090", health_check_protocol = "Tcp", path = null, priority = 105 }, - var.debug ? [{ name = "debugd", port = "4000", health_check_protocol = "Tcp", path = null, priority = 106 }] : [], - ]) - // wildcard_lb_dns_name is the DNS name of the load balancer with a wildcard for the name. - // example: given "name-1234567890.location.cloudapp.azure.com" it will return "*.location.cloudapp.azure.com" - wildcard_lb_dns_name = var.internal_load_balancer ? 
"" : replace(data.azurerm_public_ip.loadbalancer_ip[0].fqdn, "/^[^.]*\\./", "*.") - // deduce from format (subscriptions)/$ID/resourceGroups/$RG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/$NAME" - // move from the right as to ignore the optional prefixes - uai_resource_group = element(split("/", var.user_assigned_identity), length(split("/", var.user_assigned_identity)) - 5) - // deduce as above - uai_name = element(split("/", var.user_assigned_identity), length(split("/", var.user_assigned_identity)) - 1) - - in_cluster_endpoint = var.internal_load_balancer ? azurerm_lb.loadbalancer.frontend_ip_configuration[0].private_ip_address : azurerm_public_ip.loadbalancer_ip[0].ip_address - out_of_cluster_endpoint = var.debug && var.internal_load_balancer ? module.jump_host[0].ip : local.in_cluster_endpoint -} - -resource "random_id" "uid" { - byte_length = 4 -} - -resource "random_password" "initSecret" { - length = 32 - special = true - override_special = "_%@" -} - -resource "azurerm_attestation_provider" "attestation_provider" { - count = var.create_maa ? 1 : 0 - # name must be between 3 and 24 characters in length and use numbers and lower-case letters only. - name = format("constell%s", local.uid) - resource_group_name = var.resource_group - location = var.location - - lifecycle { - # Attestation policies will be set automatically upon creation, even if not specified in the resource, - # while they aren't being incorporated into the Terraform state correctly. - # To prevent them from being set to null when applying an upgrade, ignore the changes until the issue - # is resolved by Azure. 
- # Related issue: https://github.com/hashicorp/terraform-provider-azurerm/issues/21998 - ignore_changes = [open_enclave_policy_base64, sgx_enclave_policy_base64, tpm_policy_base64, sev_snp_policy_base64] - } -} - -resource "azurerm_application_insights" "insights" { - name = local.name - location = var.location - resource_group_name = var.resource_group - application_type = "other" - tags = local.tags -} - -resource "azurerm_public_ip" "loadbalancer_ip" { - count = var.internal_load_balancer ? 0 : 1 - name = "${local.name}-lb" - domain_name_label = local.name - resource_group_name = var.resource_group - location = var.location - allocation_method = "Static" - sku = "Standard" - tags = local.tags - - lifecycle { - ignore_changes = [name] - } -} - -// Reads data from the resource of the same name. -// Used to wait to the actual resource to become ready, before using data from that resource. -// Property "fqdn" only becomes available on azurerm_public_ip resources once domain_name_label is set. -// Since we are setting domain_name_label starting with 2.10 we need to migrate -// resources for clusters created before 2.9. In those cases we need to wait until loadbalancer_ip has -// been updated before reading from it. -data "azurerm_public_ip" "loadbalancer_ip" { - count = var.internal_load_balancer ? 
0 : 1 - name = "${local.name}-lb" - resource_group_name = var.resource_group - depends_on = [azurerm_public_ip.loadbalancer_ip] -} - -resource "azurerm_public_ip" "nat_gateway_ip" { - name = "${local.name}-nat" - resource_group_name = var.resource_group - location = var.location - allocation_method = "Static" - sku = "Standard" - tags = local.tags -} - -resource "azurerm_nat_gateway" "gateway" { - name = local.name - location = var.location - resource_group_name = var.resource_group - sku_name = "Standard" - idle_timeout_in_minutes = 10 -} - -resource "azurerm_subnet_nat_gateway_association" "example" { - nat_gateway_id = azurerm_nat_gateway.gateway.id - subnet_id = azurerm_subnet.node_subnet.id -} - -resource "azurerm_nat_gateway_public_ip_association" "example" { - nat_gateway_id = azurerm_nat_gateway.gateway.id - public_ip_address_id = azurerm_public_ip.nat_gateway_ip.id -} - -resource "azurerm_lb" "loadbalancer" { - name = local.name - location = var.location - resource_group_name = var.resource_group - sku = "Standard" - tags = local.tags - - dynamic "frontend_ip_configuration" { - for_each = var.internal_load_balancer ? [] : [1] - content { - name = "PublicIPAddress" - public_ip_address_id = azurerm_public_ip.loadbalancer_ip[0].id - } - } - - dynamic "frontend_ip_configuration" { - for_each = var.internal_load_balancer ? 
[1] : [] - content { - name = "PrivateIPAddress" - private_ip_address_allocation = "Dynamic" - subnet_id = azurerm_subnet.loadbalancer_subnet[0].id - } - } -} - -module "loadbalancer_backend_control_plane" { - source = "./modules/load_balancer_backend" - - name = "${local.name}-control-plane" - loadbalancer_id = azurerm_lb.loadbalancer.id - frontend_ip_configuration_name = azurerm_lb.loadbalancer.frontend_ip_configuration[0].name - ports = local.ports -} - -module "loadbalancer_backend_worker" { - source = "./modules/load_balancer_backend" - - name = "${local.name}-worker" - loadbalancer_id = azurerm_lb.loadbalancer.id - frontend_ip_configuration_name = azurerm_lb.loadbalancer.frontend_ip_configuration[0].name - ports = [] -} - -resource "azurerm_lb_backend_address_pool" "all" { - loadbalancer_id = azurerm_lb.loadbalancer.id - name = "${var.name}-all" -} - -resource "azurerm_virtual_network" "network" { - name = local.name - resource_group_name = var.resource_group - location = var.location - address_space = ["10.0.0.0/8"] - tags = local.tags -} - -resource "azurerm_subnet" "loadbalancer_subnet" { - count = var.internal_load_balancer ? 
1 : 0 - name = "${local.name}-lb" - resource_group_name = var.resource_group - virtual_network_name = azurerm_virtual_network.network.name - address_prefixes = ["10.10.0.0/16"] -} - -resource "azurerm_subnet" "node_subnet" { - name = "${local.name}-node" - resource_group_name = var.resource_group - virtual_network_name = azurerm_virtual_network.network.name - address_prefixes = ["10.9.0.0/16"] -} - -resource "azurerm_network_security_group" "security_group" { - name = local.name - location = var.location - resource_group_name = var.resource_group - tags = local.tags - - dynamic "security_rule" { - for_each = concat( - local.ports, - [{ name = "nodeports", port = local.ports_node_range, priority = 200 }] - ) - content { - name = security_rule.value.name - priority = security_rule.value.priority - direction = "Inbound" - access = "Allow" - protocol = "Tcp" - source_port_range = "*" - destination_port_range = security_rule.value.port - source_address_prefix = "*" - destination_address_prefix = "*" - } - } -} - -module "scale_set_group" { - source = "./modules/scale_set" - for_each = var.node_groups - base_name = local.name - node_group_name = each.key - role = each.value.role - zones = each.value.zones - tags = merge( - local.tags, - { constellation-init-secret-hash = local.initSecretHash }, - { constellation-maa-url = var.create_maa ? 
azurerm_attestation_provider.attestation_provider[0].attestation_uri : "" }, - ) - - initial_count = each.value.initial_count - state_disk_size = each.value.disk_size - state_disk_type = each.value.disk_type - location = var.location - instance_type = each.value.instance_type - confidential_vm = var.confidential_vm - secure_boot = var.secure_boot - resource_group = var.resource_group - user_assigned_identity = var.user_assigned_identity - image_id = var.image_id - network_security_group_id = azurerm_network_security_group.security_group.id - subnet_id = azurerm_subnet.node_subnet.id - backend_address_pool_ids = each.value.role == "control-plane" ? [ - azurerm_lb_backend_address_pool.all.id, - module.loadbalancer_backend_control_plane.backendpool_id - ] : [ - azurerm_lb_backend_address_pool.all.id, - module.loadbalancer_backend_worker.backendpool_id - ] -} - -module "jump_host" { - count = var.internal_load_balancer && var.debug ? 1 : 0 - source = "./modules/jump_host" - base_name = local.name - resource_group = var.resource_group - location = var.location - subnet_id = azurerm_subnet.loadbalancer_subnet[0].id - ports = [for port in local.ports : port.port] - lb_internal_ip = azurerm_lb.loadbalancer.frontend_ip_configuration[0].private_ip_address -} - -data "azurerm_subscription" "current" { -} - -data "azurerm_user_assigned_identity" "uaid" { - name = local.uai_name - resource_group_name = local.uai_resource_group -} - diff --git a/cli/internal/terraform/terraform/azure/modules/jump_host/main.tf b/cli/internal/terraform/terraform/azure/modules/jump_host/main.tf deleted file mode 100644 index 74a5405886..0000000000 --- a/cli/internal/terraform/terraform/azure/modules/jump_host/main.tf +++ /dev/null 
@@ -1,85 +0,0 @@ -resource "azurerm_linux_virtual_machine" "jump_host" { - name = "${var.base_name}-jump-host" - resource_group_name = var.resource_group - location = var.location - size = "Standard_D2as_v5" - - network_interface_ids = [ - azurerm_network_interface.jump_host.id, - ] - - admin_username = "adminuser" - - admin_ssh_key { - username = "adminuser" - public_key = tls_private_key.ssh_key.public_key_openssh - } - - os_disk { - caching = "ReadWrite" - storage_account_type = "Standard_LRS" - } - - source_image_reference { - publisher = "Canonical" - offer = "0001-com-ubuntu-server-jammy" - sku = "22_04-lts-gen2" - version = "latest" - } - - boot_diagnostics { - - } - - user_data = base64encode(< port } - - loadbalancer_id = var.loadbalancer_id - name = each.value.name - port = each.value.port - protocol = each.value.health_check_protocol - request_path = each.value.path - interval_in_seconds = 5 -} - -resource "azurerm_lb_rule" "rules" { - for_each = azurerm_lb_probe.health_probes - - loadbalancer_id = var.loadbalancer_id - name = each.value.name - protocol = "Tcp" - frontend_port = each.value.port - backend_port = each.value.port - frontend_ip_configuration_name = var.frontend_ip_configuration_name - backend_address_pool_ids = [azurerm_lb_backend_address_pool.backend_pool.id] - probe_id = each.value.id - disable_outbound_snat = true -} diff --git a/cli/internal/terraform/terraform/azure/modules/load_balancer_backend/outputs.tf b/cli/internal/terraform/terraform/azure/modules/load_balancer_backend/outputs.tf deleted file mode 100644 index 70d2833267..0000000000 --- a/cli/internal/terraform/terraform/azure/modules/load_balancer_backend/outputs.tf +++ /dev/null @@ -1,4 +0,0 @@ -output "backendpool_id" { - value = azurerm_lb_backend_address_pool.backend_pool.id - description = "The ID of the created backend pool." -} 
diff --git a/cli/internal/terraform/terraform/azure/modules/load_balancer_backend/variables.tf b/cli/internal/terraform/terraform/azure/modules/load_balancer_backend/variables.tf deleted file mode 100644 index 93512df8f0..0000000000 --- a/cli/internal/terraform/terraform/azure/modules/load_balancer_backend/variables.tf +++ /dev/null @@ -1,25 +0,0 @@ -variable "name" { - type = string - default = "constell" - description = "Base name of the cluster." -} - -variable "frontend_ip_configuration_name" { - type = string - description = "The name of the frontend IP configuration to use for the load balancer." -} - -variable "loadbalancer_id" { - type = string - description = "The ID of the load balancer to add the backend to." -} - -variable "ports" { - type = list(object({ - name = string - port = number - health_check_protocol = string - path = string - })) - description = "The ports to add to the backend. Protocol can be either 'Tcp' or 'Https'. Path is only used for 'Https' protocol and can otherwise be null." -} diff --git a/cli/internal/terraform/terraform/azure/modules/scale_set/main.tf b/cli/internal/terraform/terraform/azure/modules/scale_set/main.tf deleted file mode 100644 index 751d057caa..0000000000 --- a/cli/internal/terraform/terraform/azure/modules/scale_set/main.tf +++ /dev/null 
@@ -1,102 +0,0 @@ -terraform { - required_providers { - azurerm = { - source = "hashicorp/azurerm" - version = "3.74.0" - } - random = { - source = "hashicorp/random" - version = "3.5.1" - } - } -} - -locals { - tags = merge( - var.tags, - { constellation-role = var.role }, - { constellation-node-group = var.node_group_name }, - ) - group_uid = random_id.uid.hex - name = "${var.base_name}-${var.role}-${local.group_uid}" -} - -resource "random_id" "uid" { - byte_length = 4 -} -resource "random_password" "password" { - length = 16 - min_lower = 1 - min_upper = 1 - min_numeric = 1 - min_special = 1 -} - -resource "azurerm_linux_virtual_machine_scale_set" "scale_set" { - name = local.name - resource_group_name = var.resource_group - location = var.location - sku = var.instance_type - instances = var.initial_count - admin_username = "adminuser" - admin_password = random_password.password.result - overprovision = false - provision_vm_agent = false - vtpm_enabled = true - disable_password_authentication = false - upgrade_mode = "Manual" - secure_boot_enabled = var.secure_boot - source_image_id = var.image_id - tags = local.tags - zones = var.zones - identity { - type = "UserAssigned" - identity_ids = [var.user_assigned_identity] - } - - boot_diagnostics {} - - dynamic "os_disk" { - for_each = var.confidential_vm ? [1] : [] # if confidential_vm is true - content { - security_encryption_type = "VMGuestStateOnly" - caching = "ReadWrite" - storage_account_type = "Premium_LRS" - } - } - dynamic "os_disk" { - for_each = var.confidential_vm ? 
[] : [1] # else - content { - caching = "ReadWrite" - storage_account_type = "Premium_LRS" - } - } - - data_disk { - storage_account_type = var.state_disk_type - disk_size_gb = var.state_disk_size - caching = "ReadWrite" - lun = 0 - } - - network_interface { - name = "node-network" - primary = true - network_security_group_id = var.network_security_group_id - - ip_configuration { - name = "node-network" - primary = true - subnet_id = var.subnet_id - load_balancer_backend_address_pool_ids = var.backend_address_pool_ids - } - } - - lifecycle { - ignore_changes = [ - name, # required. Allow legacy scale sets to keep their old names - instances, # required. autoscaling modifies the instance count externally - source_image_id, # required. update procedure modifies the image id externally - ] - } -} diff --git a/cli/internal/terraform/terraform/azure/modules/scale_set/variables.tf b/cli/internal/terraform/terraform/azure/modules/scale_set/variables.tf deleted file mode 100644 index 252317da6d..0000000000 --- a/cli/internal/terraform/terraform/azure/modules/scale_set/variables.tf +++ /dev/null 
@@ -1,98 +0,0 @@ -variable "base_name" { - type = string - description = "Base name of the instance group." -} - -variable "node_group_name" { - type = string - description = "Constellation name for the node group (used for configuration and CSP-independent naming)." -} - -variable "role" { - type = string - description = "The role of the instance group." - validation { - condition = contains(["control-plane", "worker"], var.role) - error_message = "The role has to be 'control-plane' or 'worker'." - } -} - -variable "tags" { - type = map(string) - description = "Tags to include in the scale_set." -} - -variable "zones" { - type = list(string) - description = "List of availability zones." - default = null -} - -variable "initial_count" { - type = number - description = "The number of instances in this scale set." -} - -variable "instance_type" { - type = string - description = "The Azure instance type to deploy." -} - -variable "state_disk_size" { - type = number - default = 30 - description = "The size of the state disk in GB." -} - -variable "resource_group" { - type = string - description = "The name of the Azure resource group to create the Constellation cluster in." -} - -variable "location" { - type = string - description = "The Azure location to deploy the cluster in." -} - -variable "image_id" { - type = string - description = "The image to use for the cluster nodes." -} - -variable "user_assigned_identity" { - type = string - description = "The name of the user assigned identity to attache to the nodes of the cluster." -} - -variable "state_disk_type" { - type = string - default = "Premium_LRS" - description = "The type of the state disk." -} - -variable "network_security_group_id" { - type = string - description = "The ID of the network security group to use for the scale set." -} - -variable "backend_address_pool_ids" { - type = list(string) - description = "The IDs of the backend address pools to use for the scale set." 
-} - -variable "subnet_id" { - type = string - description = "The ID of the subnet to use for the scale set." -} - -variable "confidential_vm" { - type = bool - default = true - description = "Whether to deploy the cluster nodes as confidential VMs." -} - -variable "secure_boot" { - type = bool - default = false - description = "Whether to deploy the cluster nodes with secure boot." -} diff --git a/cli/internal/terraform/terraform/azure/outputs.tf b/cli/internal/terraform/terraform/azure/outputs.tf deleted file mode 100644 index 12ae01c2d8..0000000000 --- a/cli/internal/terraform/terraform/azure/outputs.tf +++ /dev/null @@ -1,60 +0,0 @@ -output "out_of_cluster_endpoint" { - value = local.out_of_cluster_endpoint -} - -output "in_cluster_endpoint" { - value = local.in_cluster_endpoint -} - -output "api_server_cert_sans" { - value = sort( - distinct( - concat( - [ - local.in_cluster_endpoint, - local.out_of_cluster_endpoint, - ], - var.custom_endpoint == "" ? [] : [var.custom_endpoint], - var.internal_load_balancer ? [] : [local.wildcard_lb_dns_name], - ) - ) - ) -} - -output "uid" { - value = local.uid -} - -output "initSecret" { - value = random_password.initSecret.result - sensitive = true -} - -output "attestationURL" { - value = var.create_maa ? azurerm_attestation_provider.attestation_provider[0].attestation_uri : "" -} - -output "network_security_group_name" { - value = azurerm_network_security_group.security_group.name -} - -output "loadbalancer_name" { - value = azurerm_lb.loadbalancer.name -} - - -output "user_assigned_identity_client_id" { - value = data.azurerm_user_assigned_identity.uaid.client_id -} - -output "resource_group" { - value = var.resource_group -} - -output "subscription_id" { - value = data.azurerm_subscription.current.subscription_id -} - -output "name" { - value = local.name -} 
diff --git a/cli/internal/terraform/terraform/azure/variables.tf b/cli/internal/terraform/terraform/azure/variables.tf deleted file mode 100644 index 32e72ae4a3..0000000000 --- a/cli/internal/terraform/terraform/azure/variables.tf +++ /dev/null 
@@ -1,75 +0,0 @@ -variable "name" { - type = string - description = "Base name of the cluster." -} - -variable "node_groups" { - type = map(object({ - role = string - initial_count = optional(number) - instance_type = string - disk_size = number - disk_type = string - zones = optional(list(string)) - })) - description = "A map of node group names to node group configurations." - validation { - condition = can([for group in var.node_groups : group.role == "control-plane" || group.role == "worker"]) - error_message = "The role has to be 'control-plane' or 'worker'." - } -} - -variable "location" { - type = string - description = "The Azure location to deploy the cluster in." -} - -variable "image_id" { - type = string - description = "The image to use for the cluster nodes." -} - -variable "create_maa" { - type = bool - default = false - description = "Whether to create a Microsoft Azure attestation provider." -} - -variable "debug" { - type = bool - default = false - description = "Enable debug mode. This opens up a debugd port that can be used to deploy a custom bootstrapper." -} - -variable "confidential_vm" { - type = bool - default = true - description = "Whether to deploy the cluster nodes as confidential VMs." -} - -variable "secure_boot" { - type = bool - default = false - description = "Whether to deploy the cluster nodes with secure boot." -} - -variable "resource_group" { - type = string - description = "The name of the Azure resource group to create the Constellation cluster in." -} -variable "user_assigned_identity" { - type = string - description = "The name of the user assigned identity to attach to the nodes of the cluster. Should be of format: /subscriptions/$ID/resourceGroups/$RG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/$NAME" -} - -variable "custom_endpoint" { - type = string - default = "" - description = "Custom endpoint to use for the Kubernetes apiserver. If not set, the default endpoint will be used." 
-} - -variable "internal_load_balancer" { - type = bool - default = false - description = "Whether to use an internal load balancer for the Constellation." -} diff --git a/cli/internal/terraform/terraform/constellation-cluster/.terraform.lock.hcl b/cli/internal/terraform/terraform/constellation-cluster/.terraform.lock.hcl deleted file mode 100644 index 6e7e533323..0000000000 --- a/cli/internal/terraform/terraform/constellation-cluster/.terraform.lock.hcl +++ /dev/null @@ -1,2 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. diff --git a/cli/internal/terraform/terraform/constellation-cluster/install-constellation.sh b/cli/internal/terraform/terraform/constellation-cluster/install-constellation.sh deleted file mode 100755 index dcafe4dfea..0000000000 --- a/cli/internal/terraform/terraform/constellation-cluster/install-constellation.sh +++ /dev/null @@ -1,30 +0,0 @@ -#!/bin/bash -VERSION="latest" -if ! command -v constellation &> /dev/null; then - OS=$(uname -s) - ARCH=$(uname -m) - - URL="" - - if [[ $OS == "Darwin" ]]; then - if [[ $ARCH == "arm64" ]]; then - URL="https://github.com/edgelesssys/constellation/releases/${VERSION}/download/constellation-darwin-arm64" - elif [[ $ARCH == "x86_64" ]]; then - URL="https://github.com/edgelesssys/constellation/releases/${VERSION}/download/constellation-darwin-amd64" - fi - elif [[ $OS == "Linux" ]]; then - if [[ $ARCH == "x86_64" ]]; then - URL="https://github.com/edgelesssys/constellation/releases/${VERSION}/download/constellation-linux-amd64" - elif [[ $ARCH == "arm64" ]]; then - URL="https://github.com/edgelesssys/constellation/releases/${VERSION}/download/constellation-linux-arm64" - fi - fi - - if [ -z "$URL" ]; then - echo "Unsupported OS or architecture" - exit 1 - else - curl -o constellation -LO $URL - sudo install constellation /usr/local/bin/constellation - fi -fi 
diff --git a/cli/internal/terraform/terraform/constellation-cluster/main.tf b/cli/internal/terraform/terraform/constellation-cluster/main.tf deleted file mode 100644 index ad7b58940b..0000000000 --- a/cli/internal/terraform/terraform/constellation-cluster/main.tf +++ /dev/null 
@@ -1,89 +0,0 @@ -locals { - yq_node_groups = join("\n", flatten([ - for name, group in var.node_groups : [ - "yq eval '.nodeGroups.${name}.role = \"${group.role}\"' -i constellation-conf.yaml", - "yq eval '.nodeGroups.${name}.zone = \"${group.zone}\"' -i constellation-conf.yaml", - "yq eval '.nodeGroups.${name}.instanceType = \"${group.instance_type}\"' -i constellation-conf.yaml", - "yq eval '.nodeGroups.${name}.stateDiskSizeGB = ${group.disk_size}' -i constellation-conf.yaml", - "yq eval '.nodeGroups.${name}.stateDiskType = \"${group.disk_type}\"' -i constellation-conf.yaml", - "yq eval '.nodeGroups.${name}.initialCount = ${group.initial_count}' -i constellation-conf.yaml" - ] - ])) -} - - -resource "terraform_data" "ensure_cli" { - provisioner "local-exec" { - command = "${path.module}/install-constellation.sh && ./constellation config generate ${var.csp}" - } - // generate config here to only create it once (csp won't change) -} -# TODO ensure yq dependency - -# TODO how to handle CSP specific config without CSP specific input? -resource "terraform_data" "csp_config" { - count = var.csp == "aws" ? 1 : 0 - provisioner "local-exec" { - command = < name... - } - control_plane_instance_groups = [ - for control_plane in local.node_groups_by_role["control-plane"] : module.instance_group[control_plane].instance_group - ] - in_cluster_endpoint = var.internal_load_balancer ? google_compute_address.loadbalancer_ip_internal[0].address : google_compute_global_address.loadbalancer_ip[0].address - out_of_cluster_endpoint = var.debug && var.internal_load_balancer ? 
module.jump_host[0].ip : local.in_cluster_endpoint -} - -resource "random_id" "uid" { - byte_length = 4 -} - -resource "random_password" "initSecret" { - length = 32 - special = true - override_special = "_%@" -} - -resource "google_compute_network" "vpc_network" { - name = local.name - description = "Constellation VPC network" - auto_create_subnetworks = false - mtu = 8896 -} - -resource "google_compute_subnetwork" "vpc_subnetwork" { - name = local.name - description = "Constellation VPC subnetwork" - network = google_compute_network.vpc_network.id - ip_cidr_range = local.cidr_vpc_subnet_nodes - secondary_ip_range = [ - { - range_name = local.name, - ip_cidr_range = local.cidr_vpc_subnet_pods, - } - ] -} - - -resource "google_compute_subnetwork" "proxy_subnet" { - count = var.internal_load_balancer ? 1 : 0 - name = "${local.name}-proxy" - ip_cidr_range = local.cidr_vpc_subnet_proxy - region = var.region - purpose = "REGIONAL_MANAGED_PROXY" - role = "ACTIVE" - network = google_compute_network.vpc_network.id -} - -resource "google_compute_subnetwork" "ilb_subnet" { - count = var.internal_load_balancer ? 
1 : 0 - name = "${local.name}-ilb" - ip_cidr_range = local.cidr_vpc_subnet_ilb - region = var.region - network = google_compute_network.vpc_network.id - depends_on = [google_compute_subnetwork.proxy_subnet] -} - -resource "google_compute_router" "vpc_router" { - name = local.name - description = "Constellation VPC router" - network = google_compute_network.vpc_network.id -} - -resource "google_compute_router_nat" "vpc_router_nat" { - name = local.name - router = google_compute_router.vpc_router.name - nat_ip_allocate_option = "AUTO_ONLY" - source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES" -} - -resource "google_compute_firewall" "firewall_external" { - name = local.name - description = "Constellation VPC firewall" - network = google_compute_network.vpc_network.id - source_ranges = ["0.0.0.0/0"] - direction = "INGRESS" - - allow { - protocol = "tcp" - ports = flatten([ - [for port in local.control_plane_named_ports : port.port], - [local.ports_node_range], - var.internal_load_balancer ? 
[22] : [], - ]) - } - -} - -resource "google_compute_firewall" "firewall_internal_nodes" { - name = "${local.name}-nodes" - description = "Constellation VPC firewall" - network = google_compute_network.vpc_network.id - source_ranges = [local.cidr_vpc_subnet_nodes] - direction = "INGRESS" - - allow { protocol = "tcp" } - allow { protocol = "udp" } - allow { protocol = "icmp" } -} - -resource "google_compute_firewall" "firewall_internal_pods" { - name = "${local.name}-pods" - description = "Constellation VPC firewall" - network = google_compute_network.vpc_network.id - source_ranges = [local.cidr_vpc_subnet_pods] - direction = "INGRESS" - - allow { protocol = "tcp" } - allow { protocol = "udp" } - allow { protocol = "icmp" } -} - - -module "instance_group" { - source = "./modules/instance_group" - for_each = var.node_groups - base_name = local.name - node_group_name = each.key - role = each.value.role - zone = each.value.zone - uid = local.uid - instance_type = each.value.instance_type - initial_count = each.value.initial_count - image_id = var.image_id - disk_size = each.value.disk_size - disk_type = each.value.disk_type - network = google_compute_network.vpc_network.id - subnetwork = google_compute_subnetwork.vpc_subnetwork.id - alias_ip_range_name = google_compute_subnetwork.vpc_subnetwork.secondary_ip_range[0].range_name - kube_env = local.kube_env - debug = var.debug - named_ports = each.value.role == "control-plane" ? local.control_plane_named_ports : [] - labels = local.labels - init_secret_hash = local.initSecretHash - custom_endpoint = var.custom_endpoint -} - -resource "google_compute_address" "loadbalancer_ip_internal" { - count = var.internal_load_balancer ? 1 : 0 - name = local.name - region = var.region - subnetwork = google_compute_subnetwork.ilb_subnet[0].id - purpose = "SHARED_LOADBALANCER_VIP" - address_type = "INTERNAL" -} - -resource "google_compute_global_address" "loadbalancer_ip" { - count = var.internal_load_balancer ? 
0 : 1 - name = local.name -} - -module "loadbalancer_public" { - // for every port in control_plane_named_ports if internal lb is disabled - for_each = var.internal_load_balancer ? {} : { for port in local.control_plane_named_ports : port.name => port } - source = "./modules/loadbalancer" - name = local.name - backend_port_name = each.value.name - port = each.value.port - health_check = each.value.health_check - backend_instance_groups = local.control_plane_instance_groups - ip_address = google_compute_global_address.loadbalancer_ip[0].self_link - frontend_labels = merge(local.labels, { constellation-use = each.value.name }) -} - -module "loadbalancer_internal" { - for_each = var.internal_load_balancer ? { for port in local.control_plane_named_ports : port.name => port } : {} - source = "./modules/internal_load_balancer" - name = local.name - backend_port_name = each.value.name - port = each.value.port - health_check = each.value.health_check - backend_instance_group = local.control_plane_instance_groups[0] - ip_address = google_compute_address.loadbalancer_ip_internal[0].self_link - frontend_labels = merge(local.labels, { constellation-use = each.value.name }) - - region = var.region - network = google_compute_network.vpc_network.id - backend_subnet = google_compute_subnetwork.ilb_subnet[0].id -} - -module "jump_host" { - count = var.internal_load_balancer && var.debug ? 
1 : 0 - source = "./modules/jump_host" - base_name = local.name - zone = var.zone - subnetwork = google_compute_subnetwork.vpc_subnetwork.id - labels = local.labels - lb_internal_ip = google_compute_address.loadbalancer_ip_internal[0].address - ports = [for port in local.control_plane_named_ports : port.port] -} -moved { - from = module.loadbalancer_boot - to = module.loadbalancer_public["bootstrapper"] -} - -moved { - from = module.loadbalancer_kube - to = module.loadbalancer_public["kubernetes"] -} - -moved { - from = module.loadbalancer_verify - to = module.loadbalancer_public["verify"] -} - -moved { - from = module.loadbalancer_konnectivity - to = module.loadbalancer_public["konnectivity"] -} - -moved { - from = module.loadbalancer_recovery - to = module.loadbalancer_public["recovery"] -} - -moved { - from = module.loadbalancer_debugd[0] - to = module.loadbalancer_public["debugd"] -} diff --git a/cli/internal/terraform/terraform/gcp/modules/instance_group/main.tf b/cli/internal/terraform/terraform/gcp/modules/instance_group/main.tf deleted file mode 100644 index c9d49cdf3f..0000000000 --- a/cli/internal/terraform/terraform/gcp/modules/instance_group/main.tf +++ /dev/null 
@@ -1,153 +0,0 @@ -terraform { - required_providers { - google = { - source = "hashicorp/google" - version = "4.83.0" - } - - random = { - source = "hashicorp/random" - version = "3.5.1" - } - } -} - -locals { - group_uid = random_id.uid.hex - name = "${var.base_name}-${var.role}-${local.group_uid}" - state_disk_name = "state-disk" -} - -resource "random_id" "uid" { - byte_length = 4 -} - -resource "google_compute_instance_template" "template" { - name = local.name - machine_type = var.instance_type - tags = ["constellation-${var.uid}"] // Note that this is also applied as a label - labels = merge(var.labels, { - constellation-role = var.role, - constellation-node-group = var.node_group_name, - }) - - confidential_instance_config { - enable_confidential_compute = true - } - - disk { - disk_size_gb = 10 - source_image = var.image_id - auto_delete = true - boot = true - mode = "READ_WRITE" - } - - disk { - disk_size_gb = var.disk_size - disk_type = var.disk_type - auto_delete = true - device_name = local.state_disk_name // This name is used by disk mapper to find the disk - boot = false - mode = "READ_WRITE" - type = "PERSISTENT" - } - - metadata = { - kube-env = var.kube_env - constellation-init-secret-hash = var.init_secret_hash - serial-port-enable = var.debug ? 
"TRUE" : "FALSE" - } - - network_interface { - network = var.network - subnetwork = var.subnetwork - alias_ip_range { - ip_cidr_range = "/24" - subnetwork_range_name = var.alias_ip_range_name - } - } - - scheduling { - on_host_maintenance = "TERMINATE" - } - - service_account { - scopes = [ - "https://www.googleapis.com/auth/compute", - "https://www.googleapis.com/auth/servicecontrol", - "https://www.googleapis.com/auth/service.management.readonly", - "https://www.googleapis.com/auth/devstorage.read_only", - "https://www.googleapis.com/auth/logging.write", - "https://www.googleapis.com/auth/monitoring.write", - "https://www.googleapis.com/auth/trace.append", - "https://www.googleapis.com/auth/cloud-platform", - ] - } - - shielded_instance_config { - enable_secure_boot = false - enable_vtpm = true - enable_integrity_monitoring = true - } - - lifecycle { - ignore_changes = [ - name, # required. legacy instance templates used different naming scheme - tags, - labels, - disk, # required. update procedure modifies the instance template externally - metadata, - network_interface, - scheduling, - service_account, - shielded_instance_config, - ] - } -} - -resource "google_compute_instance_group_manager" "instance_group_manager" { - provider = google-beta - name = local.name - description = "Instance group manager for Constellation" - base_instance_name = local.name - zone = var.zone - target_size = var.initial_count - - dynamic "stateful_disk" { - for_each = var.role == "control-plane" ? [1] : [] - content { - device_name = local.state_disk_name - delete_rule = "ON_PERMANENT_INSTANCE_DELETION" - } - } - - dynamic "stateful_internal_ip" { - for_each = var.role == "control-plane" ? 
[1] : [] - content { - interface_name = "nic0" - delete_rule = "ON_PERMANENT_INSTANCE_DELETION" - } - } - - version { - instance_template = google_compute_instance_template.template.id - } - - dynamic "named_port" { - for_each = toset(var.named_ports) - content { - name = named_port.value.name - port = named_port.value.port - } - } - - lifecycle { - ignore_changes = [ - name, # required. legacy instance templates used different naming scheme - base_instance_name, # required. legacy instance templates used different naming scheme - target_size, # required. autoscaling modifies the instance count externally - version, # required. update procedure modifies the instance template externally - ] - } -} diff --git a/cli/internal/terraform/terraform/gcp/modules/instance_group/outputs.tf b/cli/internal/terraform/terraform/gcp/modules/instance_group/outputs.tf deleted file mode 100644 index 66f793fb08..0000000000 --- a/cli/internal/terraform/terraform/gcp/modules/instance_group/outputs.tf +++ /dev/null @@ -1,3 +0,0 @@ -output "instance_group" { - value = google_compute_instance_group_manager.instance_group_manager.instance_group -} diff --git a/cli/internal/terraform/terraform/gcp/modules/instance_group/variables.tf b/cli/internal/terraform/terraform/gcp/modules/instance_group/variables.tf deleted file mode 100644 index 016347ffdc..0000000000 --- a/cli/internal/terraform/terraform/gcp/modules/instance_group/variables.tf +++ /dev/null 
@@ -1,101 +0,0 @@ -variable "base_name" { - type = string - description = "Base name of the instance group." -} - -variable "node_group_name" { - type = string - description = "Constellation name for the node group (used for configuration and CSP-independent naming)." -} - -variable "role" { - type = string - description = "The role of the instance group." - validation { - condition = contains(["control-plane", "worker"], var.role) - error_message = "The role has to be 'control-plane' or 'worker'." - } -} - -variable "uid" { - type = string - description = "UID of the cluster. This is used for tags." -} - -variable "labels" { - type = map(string) - default = {} - description = "Labels to apply to the instance group." -} - -variable "instance_type" { - type = string - description = "Instance type for the nodes." -} - -variable "initial_count" { - type = number - description = "Number of instances in the instance group." -} - -variable "image_id" { - type = string - description = "Image ID for the nodes." -} - -variable "disk_size" { - type = number - description = "Disk size for the nodes, in GB." -} - -variable "disk_type" { - type = string - description = "Disk type for the nodes. Has to be 'pd-standard' or 'pd-ssd'." -} - -variable "network" { - type = string - description = "Name of the network to use." -} - -variable "subnetwork" { - type = string - description = "Name of the subnetwork to use." -} - -variable "kube_env" { - type = string - description = "Kubernetes env." -} - -variable "init_secret_hash" { - type = string - description = "Hash of the init secret." -} - -variable "named_ports" { - type = list(object({ name = string, port = number })) - default = [] - description = "Named ports for the instance group." -} - -variable "debug" { - type = bool - default = false - description = "Enable debug mode. This will enable serial port access on the instances." 
-} - -variable "alias_ip_range_name" { - type = string - description = "Name of the alias IP range to use." -} - -variable "zone" { - type = string - description = "Zone to deploy the instance group in." -} - -variable "custom_endpoint" { - type = string - description = "Custom endpoint to use for the Kubernetes apiserver. If not set, the default endpoint will be used." -} diff --git a/cli/internal/terraform/terraform/gcp/modules/internal_load_balancer/main.tf b/cli/internal/terraform/terraform/gcp/modules/internal_load_balancer/main.tf deleted file mode 100644 index 00ed5a0a7e..0000000000 --- a/cli/internal/terraform/terraform/gcp/modules/internal_load_balancer/main.tf +++ /dev/null 
@@ -1,72 +0,0 @@ -terraform { - required_providers { - google = { - source = "hashicorp/google" - version = "4.83.0" - } - } -} - -locals { - name = "${var.name}-${var.backend_port_name}" -} - -resource "google_compute_region_health_check" "health" { - name = local.name - region = var.region - check_interval_sec = 1 - timeout_sec = 1 - - dynamic "tcp_health_check" { - for_each = var.health_check == "TCP" ? [1] : [] - content { - port = var.port - } - } - - dynamic "https_health_check" { - for_each = var.health_check == "HTTPS" ? [1] : [] - content { - host = "" - port = var.port - request_path = "/readyz" - } - } -} - -resource "google_compute_region_backend_service" "backend" { - name = local.name - protocol = "TCP" - load_balancing_scheme = "INTERNAL_MANAGED" - health_checks = [google_compute_region_health_check.health.id] - port_name = var.backend_port_name - timeout_sec = 240 - region = var.region - - backend { - group = var.backend_instance_group - balancing_mode = "UTILIZATION" - capacity_scaler = 1.0 - } -} - -resource "google_compute_region_target_tcp_proxy" "proxy" { - name = local.name - region = var.region - backend_service = google_compute_region_backend_service.backend.id -} - -# forwarding rule -resource "google_compute_forwarding_rule" "forwarding" { - name = local.name - network = var.network - subnetwork = var.backend_subnet - region = var.region - ip_address = var.ip_address - ip_protocol = "TCP" - load_balancing_scheme = "INTERNAL_MANAGED" - port_range = var.port - allow_global_access = true - target = google_compute_region_target_tcp_proxy.proxy.id - labels = var.frontend_labels -} diff --git a/cli/internal/terraform/terraform/gcp/modules/internal_load_balancer/variables.tf b/cli/internal/terraform/terraform/gcp/modules/internal_load_balancer/variables.tf deleted file mode 100644 index 4ba586426f..0000000000 --- a/cli/internal/terraform/terraform/gcp/modules/internal_load_balancer/variables.tf +++ /dev/null 
@@ -1,54 +0,0 @@ -variable "name" { - type = string - description = "Base name of the load balancer." -} - -variable "region" { - type = string - description = "The region where the load balancer will be created." -} - -variable "network" { - type = string - description = "The network to which all network resources will be attached." -} - -variable "backend_subnet" { - type = string - description = "The subnet to which all backend network resources will be attached." -} - -variable "health_check" { - type = string - description = "The type of the health check. 'HTTPS' or 'TCP'." - validation { - condition = contains(["HTTPS", "TCP"], var.health_check) - error_message = "Health check must be either 'HTTPS' or 'TCP'." - } -} - -variable "port" { - type = string - description = "The port on which to listen for incoming traffic." -} - -variable "backend_port_name" { - type = string - description = "Name of backend port. The same name should appear in the instance groups referenced by this service." -} - -variable "backend_instance_group" { - type = string - description = "The URL of the instance group resource from which the load balancer will direct traffic." -} - -variable "ip_address" { - type = string - description = "The IP address that this forwarding rule serves." -} - -variable "frontend_labels" { - type = map(string) - default = {} - description = "Labels to apply to the forwarding rule." -} diff --git a/cli/internal/terraform/terraform/gcp/modules/jump_host/main.tf b/cli/internal/terraform/terraform/gcp/modules/jump_host/main.tf deleted file mode 100644 index f8de3e92f2..0000000000 --- a/cli/internal/terraform/terraform/gcp/modules/jump_host/main.tf +++ /dev/null 
@@ -1,73 +0,0 @@ -terraform { - required_providers { - google = { - source = "hashicorp/google" - version = "4.83.0" - } - - google-beta = { - source = "hashicorp/google-beta" - version = "4.83.0" - } - } -} - - -data "google_compute_image" "image_ubuntu" { - family = "ubuntu-2204-lts" - project = "ubuntu-os-cloud" -} - -resource "google_compute_instance" "vm_instance" { - name = "${var.base_name}-jumphost" - machine_type = "n2d-standard-4" - zone = var.zone - - boot_disk { - initialize_params { - image = data.google_compute_image.image_ubuntu.self_link - } - } - - network_interface { - subnetwork = var.subnetwork - access_config { - } - } - - service_account { - scopes = ["compute-ro"] - } - - labels = var.labels - - metadata = { - serial-port-enable = "TRUE" - } - - metadata_startup_script = < - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/cli/internal/terraform/terraform/qemu/modules/instance_group/main.tf b/cli/internal/terraform/terraform/qemu/modules/instance_group/main.tf deleted file mode 100644 index 5a392eca85..0000000000 --- a/cli/internal/terraform/terraform/qemu/modules/instance_group/main.tf +++ /dev/null 
@@ -1,99 +0,0 @@ -terraform { - required_providers { - libvirt = { - source = "dmacvicar/libvirt" - version = "0.7.1" - } - random = { - source = "hashicorp/random" - version = "3.5.1" - } - } -} -resource "libvirt_domain" "instance_group" { - count = var.amount - name = "${var.base_name}-${var.role}-${local.group_uid}-${count.index}" - memory = var.memory - vcpu = var.vcpus - machine = var.machine - firmware = local.firmware - dynamic "cpu" { - for_each = var.boot_mode == "direct-linux-boot" ? [1] : [] - content { - mode = "host-passthrough" - } - } - dynamic "nvram" { - for_each = var.boot_mode == "uefi" ? [1] : [] - content { - file = "/var/lib/libvirt/qemu/nvram/${var.role}-${count.index}_VARS.fd" - template = var.nvram - } - } - xml { - xslt = file("${path.module}/${local.xslt_filename}") - } - kernel = local.kernel - initrd = local.initrd - cmdline = local.cmdline - tpm { - backend_type = "emulator" - backend_version = "2.0" - } - disk { - volume_id = element(libvirt_volume.boot_volume.*.id, count.index) - } - disk { - volume_id = element(libvirt_volume.state_volume.*.id, count.index) - } - network_interface { - network_id = var.network_id - hostname = "${var.role}-${count.index}" - addresses = [cidrhost(var.cidr, local.ip_range_start + count.index)] - wait_for_lease = true - } - console { - type = "pty" - target_port = "0" - } -} - -resource "libvirt_volume" "boot_volume" { - count = var.amount - name = "constellation-${var.role}-${local.group_uid}-${count.index}-boot" - pool = var.pool - base_volume_id = var.boot_volume_id - lifecycle { - ignore_changes = [ - name, # required. Allow legacy scale sets to keep their old names - ] - } -} - -resource "libvirt_volume" "state_volume" { - count = var.amount - name = "constellation-${var.role}-${local.group_uid}-${count.index}-state" - pool = var.pool - size = local.state_disk_size_byte - format = "qcow2" - lifecycle { - ignore_changes = [ - name, # required. 
Allow legacy scale sets to keep their old names - ] - } -} - -resource "random_id" "uid" { - byte_length = 4 -} - -locals { - group_uid = random_id.uid.hex - state_disk_size_byte = 1073741824 * var.state_disk_size - ip_range_start = 100 - kernel = var.boot_mode == "direct-linux-boot" ? var.kernel_volume_id : null - initrd = var.boot_mode == "direct-linux-boot" ? var.initrd_volume_id : null - cmdline = var.boot_mode == "direct-linux-boot" ? [{ "_" = var.kernel_cmdline }] : null - firmware = var.boot_mode == "uefi" ? var.firmware : null - xslt_filename = var.boot_mode == "direct-linux-boot" ? "tdx_domain.xsl" : "domain.xsl" -} diff --git a/cli/internal/terraform/terraform/qemu/modules/instance_group/outputs.tf b/cli/internal/terraform/terraform/qemu/modules/instance_group/outputs.tf deleted file mode 100644 index 1e161bf02a..0000000000 --- a/cli/internal/terraform/terraform/qemu/modules/instance_group/outputs.tf +++ /dev/null @@ -1,3 +0,0 @@ -output "instance_ips" { - value = flatten(libvirt_domain.instance_group[*].network_interface[*].addresses[*]) -} diff --git a/cli/internal/terraform/terraform/qemu/modules/instance_group/tdx_domain.xsl b/cli/internal/terraform/terraform/qemu/modules/instance_group/tdx_domain.xsl deleted file mode 100644 index 69257a7b7d..0000000000 --- a/cli/internal/terraform/terraform/qemu/modules/instance_group/tdx_domain.xsl +++ /dev/null @@ -1,92 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - destroy - restart - destroy - - - - - - - - - - - - - - - - - - - - - - 0x10000001 - vsock:2:4050 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/cli/internal/terraform/terraform/qemu/modules/instance_group/variables.tf b/cli/internal/terraform/terraform/qemu/modules/instance_group/variables.tf deleted file mode 100644 index b62a303ad2..0000000000 --- a/cli/internal/terraform/terraform/qemu/modules/instance_group/variables.tf +++ /dev/null 
@@ -1,95 +0,0 @@ -variable "amount" { - type = number - description = "amount of nodes" -} - -variable "vcpus" { - type = number - description = "amount of vcpus per instance" -} - -variable "memory" { - type = number - description = "amount of memory per instance (MiB)" -} - -variable "state_disk_size" { - type = number - description = "size of state disk (GiB)" -} - -variable "cidr" { - type = string - description = "subnet to use for dhcp" -} - -variable "network_id" { - type = string - description = "id of the network to use" -} - -variable "pool" { - type = string - description = "name of the storage pool to use" -} - -variable "boot_mode" { - type = string - description = "boot mode. Can be 'uefi' or 'direct-linux-boot'" - validation { - condition = can(regex("^(uefi|direct-linux-boot)$", var.boot_mode)) - error_message = "boot_mode must be 'uefi' or 'direct-linux-boot'" - } -} - -variable "boot_volume_id" { - type = string - description = "id of the constellation boot disk" -} - -variable "kernel_volume_id" { - type = string - description = "id of the constellation kernel volume" - default = "" -} - -variable "initrd_volume_id" { - type = string - description = "id of the constellation initrd volume" - default = "" -} - -variable "kernel_cmdline" { - type = string - description = "kernel cmdline" - default = "" -} - -variable "role" { - type = string - description = "role of the node in the constellation. either 'control-plane' or 'worker'" -} - -variable "machine" { - type = string - description = "machine type. use 'q35' for secure boot and 'pc' for non secure boot. See 'qemu-system-x86_64 -machine help'" -} - -variable "firmware" { - type = string - description = "path to UEFI firmware file. Ignored for direct-linux-boot." -} - -variable "nvram" { - type = string - description = "path to UEFI NVRAM template file. Used for secure boot." 
-} -variable "base_name" { - type = string - description = "name prefix of the cluster VMs" -} - -variable "node_group_name" { - type = string - description = "name of the node group" -} diff --git a/cli/internal/terraform/terraform/qemu/outputs.tf b/cli/internal/terraform/terraform/qemu/outputs.tf deleted file mode 100644 index bdf7355f92..0000000000 --- a/cli/internal/terraform/terraform/qemu/outputs.tf +++ /dev/null @@ -1,48 +0,0 @@ -output "out_of_cluster_endpoint" { - value = module.node_group["control_plane_default"].instance_ips[0] -} - -output "in_cluster_endpoint" { - value = module.node_group["control_plane_default"].instance_ips[0] -} - -output "api_server_cert_sans" { - value = sort(concat([module.node_group["control_plane_default"].instance_ips[0]], var.custom_endpoint == "" ? [] : [var.custom_endpoint])) -} - -output "uid" { - value = "qemu" // placeholder -} - -output "initSecret" { - value = random_password.initSecret.result - sensitive = true -} - -output "validate_constellation_kernel" { - value = null - precondition { - condition = var.constellation_boot_mode != "direct-linux-boot" || length(var.constellation_kernel) > 0 - error_message = "constellation_kernel must be set if constellation_boot_mode is 'direct-linux-boot'" - } -} - -output "validate_constellation_initrd" { - value = null - precondition { - condition = var.constellation_boot_mode != "direct-linux-boot" || length(var.constellation_initrd) > 0 - error_message = "constellation_initrd must be set if constellation_boot_mode is 'direct-linux-boot'" - } -} - -output "validate_constellation_cmdline" { - value = null - precondition { - condition = var.constellation_boot_mode != "direct-linux-boot" || length(var.constellation_cmdline) > 0 - error_message = "constellation_cmdline must be set if constellation_boot_mode is 'direct-linux-boot'" - } -} - -output "name" { - value = "${var.name}-qemu" // placeholder, as per "uid" output -} 
diff --git a/cli/internal/terraform/terraform/qemu/variables.tf b/cli/internal/terraform/terraform/qemu/variables.tf deleted file mode 100644 index 80b293352f..0000000000 --- a/cli/internal/terraform/terraform/qemu/variables.tf +++ /dev/null 
@@ -1,104 +0,0 @@ -variable "node_groups" { - type = map(object({ - role = string - initial_count = number // number of instances in the node group - disk_size = number // size of state disk (GiB) - vcpus = number - memory = number // amount of memory per instance (MiB) - })) - validation { - condition = can([for group in var.node_groups : group.role == "control-plane" || group.role == "worker"]) - error_message = "The role has to be 'control-plane' or 'worker'." - } - - description = "A map of node group names to node group configurations." -} - -variable "machine" { - type = string - default = "q35" - description = "machine type. use 'q35' for secure boot and 'pc' for non secure boot. See 'qemu-system-x86_64 -machine help'" -} - -variable "libvirt_uri" { - type = string - description = "libvirt socket uri" -} - -variable "constellation_boot_mode" { - type = string - description = "constellation boot mode. Can be 'uefi' or 'direct-linux-boot'" - validation { - condition = anytrue([ - var.constellation_boot_mode == "uefi", - var.constellation_boot_mode == "direct-linux-boot", - ]) - error_message = "constellation_boot_mode must be 'uefi' or 'direct-linux-boot'" - } -} - -variable "constellation_os_image" { - type = string - description = "constellation OS file path" -} - -variable "constellation_kernel" { - type = string - description = "constellation Kernel file path" - default = "" -} - -variable "constellation_initrd" { - type = string - description = "constellation initrd file path" - default = "" -} - -variable "constellation_cmdline" { - type = string - description = "constellation kernel cmdline" - default = "" -} - -variable "image_format" { - type = string - default = "qcow2" - description = "image format" -} -variable "firmware" { - type = string - default = "/usr/share/OVMF/OVMF_CODE.secboot.fd" - description = "path to UEFI firmware file. Use \"OVMF_CODE_4M.ms.fd\" on Ubuntu and \"OVMF_CODE.fd\" or \"OVMF_CODE.secboot.fd\" on Fedora." 
-} - -variable "nvram" { - type = string - description = "path to UEFI NVRAM template file. Used for secure boot." -} - -variable "metadata_api_image" { - type = string - description = "container image of the QEMU metadata api server" -} - -variable "metadata_libvirt_uri" { - type = string - description = "libvirt uri for the metadata api server" -} - -variable "libvirt_socket_path" { - type = string - description = "path to libvirt socket in case of unix socket" -} - -variable "name" { - type = string - default = "constellation" - description = "name prefix of the cluster VMs" -} - -variable "custom_endpoint" { - type = string - default = "" - description = "Custom endpoint to use for the Kubernetes apiserver. If not set, the default endpoint will be used." -} diff --git a/terraform/BUILD.bazel b/terraform/BUILD.bazel index 10f8bfd7b7..32bfc9b30a 100644 --- a/terraform/BUILD.bazel +++ b/terraform/BUILD.bazel @@ -4,9 +4,6 @@ go_library( name = "terraform", srcs = ["assets.go"], embedsrcs = [ - "terraform/aws-constellation/.terraform.lock.hcl", - "terraform/aws-constellation/main.tf", - "terraform/aws-constellation/variables.tf", "terraform/aws/.terraform.lock.hcl", "terraform/aws/main.tf", "terraform/aws/modules/instance_group/main.tf", @@ -34,10 +31,6 @@ go_library( "terraform/azure/modules/scale_set/variables.tf", "terraform/azure/outputs.tf", "terraform/azure/variables.tf", - "terraform/constellation-cluster/.terraform.lock.hcl", - "terraform/constellation-cluster/install-constellation.sh", - "terraform/constellation-cluster/main.tf", - "terraform/constellation-cluster/variables.tf", "terraform/gcp/.terraform.lock.hcl", "terraform/gcp/main.tf", "terraform/gcp/modules/instance_group/main.tf", diff --git a/terraform/terraform/aws-constellation/.terraform.lock.hcl b/terraform/terraform/aws-constellation/.terraform.lock.hcl deleted file mode 100644 index ebdd23caa1..0000000000 --- a/terraform/terraform/aws-constellation/.terraform.lock.hcl +++ /dev/null 
@@ -1,45 +0,0 @@
-# This file is maintained automatically by "terraform init".
-# Manual edits may be lost in future updates.
-
-provider "registry.terraform.io/hashicorp/aws" {
- version = "5.17.0"
- constraints = "5.17.0"
- hashes = [
- "h1:rplvK7UGP2FuzM44t2eRX+QYYPC0aUIoKdi5XayRI8M=",
- "zh:0087b9dd2c9c638fd63e527e5b9b70988008e263d480a199f180efe5a4f070f0",
- "zh:0fd532a4fd03ddef11f0502ff9fe4343443e1ae805cb088825a71d6d48906ec7",
- "zh:16411e731100cd15f7e165f53c23be784b2c86c2fcfd34781e0642d17090d342",
- "zh:251d520927e77f091e2ec6302e921d839a2430ac541c6a461aed7c08fb5eae12",
- "zh:4919e69682dc2a8c32d44f6ebc038a52c9f40af9c61cb574b64e322800d6a794",
- "zh:5334c60759d5f76bdc51355d1a3ebcc451d4d20f632f5c73b6e55c52b5dc9e52",
- "zh:7341a2b7247572eba0d0486094a870b872967702ec0ac7af728c2df2c30af4e5",
- "zh:81d1b1cb2cac6b3922a05adab69543b678f344a01debd54500263700dad7a288",
- "zh:882bc8e15ef6d4020a07321ec4c056977c5c1d96934118032922561d29504d43",
- "zh:8cd4871ef2b03fd916de1a6dc7eb8a81a354c421177d4334a2e3308e50215e41",
- "zh:97e12fe6529b21298adf1046c5e20ac35d0569c836a6f385ff041e257e00cfd2",
- "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
- "zh:9f5baf5d59b9f3cf5504d1fa975f10f27da3791896a9e18ece47c258bac17634",
- "zh:dffafba6731ac1db1c540bdbd6a8c878486b71de9d0ca1d23c5c00a6c3c14d80",
- "zh:fa7440c3c15a42fc5731444d324ced75407d417bfe3184661ae47d40a9718dce",
- ]
-}
-
-provider "registry.terraform.io/hashicorp/random" {
- version = "3.5.1"
- constraints = "3.5.1"
- hashes = [
- "h1:IL9mSatmwov+e0+++YX2V6uel+dV6bn+fC/cnGDK3Ck=",
- "zh:04e3fbd610cb52c1017d282531364b9c53ef72b6bc533acb2a90671957324a64",
- "zh:119197103301ebaf7efb91df8f0b6e0dd31e6ff943d231af35ee1831c599188d",
- "zh:4d2b219d09abf3b1bb4df93d399ed156cadd61f44ad3baf5cf2954df2fba0831",
- "zh:6130bdde527587bbe2dcaa7150363e96dbc5250ea20154176d82bc69df5d4ce3",
- "zh:6cc326cd4000f724d3086ee05587e7710f032f94fc9af35e96a386a1c6f2214f",
- "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
- "zh:b6d88e1d28cf2dfa24e9fdcc3efc77adcdc1c3c3b5c7ce503a423efbdd6de57b",
- "zh:ba74c592622ecbcef9dc2a4d81ed321c4e44cddf7da799faa324da9bf52a22b2",
- "zh:c7c5cde98fe4ef1143bd1b3ec5dc04baf0d4cc3ca2c5c7d40d17c0e9b2076865",
- "zh:dac4bad52c940cd0dfc27893507c1e92393846b024c5a9db159a93c534a3da03",
- "zh:de8febe2a2acd9ac454b844a4106ed295ae9520ef54dc8ed2faf29f12716b602",
- "zh:eab0d0495e7e711cca367f7d4df6e322e6c562fc52151ec931176115b83ed014",
- ]
-}
diff --git a/terraform/terraform/aws-constellation/main.tf b/terraform/terraform/aws-constellation/main.tf
deleted file mode 100644
index 80f644229a..0000000000
--- a/terraform/terraform/aws-constellation/main.tf
+++ /dev/null
@@ -1,39 +0,0 @@
-module "aws_iam" {
- source = "../iam/aws"
- name_prefix = var.name_prefix
- region = var.region
-}
-
-
-module "aws" {
- source = "../aws"
- name = var.name
- node_groups = var.node_groups
- iam_instance_profile_worker_nodes = module.aws_iam.worker_nodes_instance_profile
- iam_instance_profile_control_plane = module.aws_iam.control_plane_instance_profile
- ami = var.ami
- region = var.region
- zone = var.zone
- debug = var.debug
- enable_snp = var.enable_snp
- custom_endpoint = var.custom_endpoint
-}
-
-module "constellation" {
- source = "../constellation-cluster"
- csp = "aws"
- name = var.name
- image = var.image
- microservice_version = var.microservice_version
- kubernetes_version = var.kubernetes_version
- uid = module.aws.uid
- clusterEndpoint = module.aws.out_of_cluster_endpoint
- inClusterEndpoint = module.aws.in_cluster_endpoint
- initSecretHash = module.aws.initSecret
- apiServerCertSANs = module.aws.api_server_cert_sans
- iam_instance_profile_control_plane = module.aws_iam.control_plane_instance_profile # TODO CSP specific
- iam_instance_profile_worker_nodes = module.aws_iam.worker_nodes_instance_profile # TODO CSP specific
- region = var.region # TODO CSP specific
- zone = var.zone # TODO CSP specific
- node_groups = var.node_groups
-}
diff --git a/terraform/terraform/aws-constellation/variables.tf b/terraform/terraform/aws-constellation/variables.tf
deleted file mode 100644
index 684d9dc40e..0000000000
--- a/terraform/terraform/aws-constellation/variables.tf
+++ /dev/null
@@ -1,110 +0,0 @@
-variable "name" {
- type = string
- description = "Name of your Constellation"
- validation {
- condition = length(var.name) <= 10
- error_message = "The length of the name of the Constellation must be <= 10 characters"
- }
-}
-
-variable "image" {
- type = string
- description = "Node image version"
- default = "v2.12.0"
-}
-
-variable "microservice_version" {
- type = string
- description = "Microservice version"
- default = "v2.12.0"
-}
-
-variable "kubernetes_version" {
- type = string
- description = "Kubernetes version"
- default = "v1.26.9"
-}
-
-
-variable "node_groups" {
- type = map(object({
- role = string
- initial_count = optional(number)
- instance_type = string
- disk_size = number
- disk_type = string
- zone = string
- }))
- description = "A map of node group names to node group configurations."
- validation {
- condition = can([for group in var.node_groups : group.role == "control-plane" || group.role == "worker"])
- error_message = "The role has to be 'control-plane' or 'worker'."
- }
- default = {
- control_plane_default = {
- role = "control-plane"
- zone = "eu-west-1b"
- instance_type = "m6a.xlarge"
- disk_size = 30
- disk_type = "gp3"
- initial_count = 2
- },
- worker_default = {
- role = "worker"
- zone = "eu-west-1b"
- instance_type = "m6a.xlarge"
- disk_size = 30
- disk_type = "gp3"
- initial_count = 2
- }
- }
-}
-
-variable "ami" {
- type = string
- description = "AMI ID"
- validation {
- condition = length(var.ami) > 4 && substr(var.ami, 0, 4) == "ami-"
- error_message = "The image_id value must be a valid AMI id, starting with \"ami-\"."
- }
- default = "ami-05f952f58bc859371" // TODO translate from image version
-}
-
-variable "region" {
- type = string
- description = "The AWS region to create the cluster in"
-}
-
-variable "zone" {
- type = string
- description = "The AWS availability zone name to create the cluster in"
-}
-
-variable "debug" {
- type = bool
- default = false
- description = "Enable debug mode. This opens up a debugd port that can be used to deploy a custom bootstrapper."
-}
-
-variable "enable_snp" {
- type = bool
- default = true
- description = "Enable AMD SEV SNP. Setting this to true sets the cpu-option AmdSevSnp to enable."
-}
-
-variable "custom_endpoint" {
- type = string
- default = ""
- description = "Custom endpoint to use for the Kubernetes apiserver. If not set, the default endpoint will be used."
-}
-
-variable "internal_load_balancer" {
- type = bool
- default = false
- description = "Use an internal load balancer."
-}
-
-variable "name_prefix" {
- type = string
- description = "Prefix for all resources"
-}
diff --git a/terraform/terraform/constellation-cluster/.terraform.lock.hcl b/terraform/terraform/constellation-cluster/.terraform.lock.hcl
deleted file mode 100644
index 6e7e533323..0000000000
--- a/terraform/terraform/constellation-cluster/.terraform.lock.hcl
+++ /dev/null
@@ -1,2 +0,0 @@
-# This file is maintained automatically by "terraform init".
-# Manual edits may be lost in future updates.
diff --git a/terraform/terraform/constellation-cluster/install-constellation.sh b/terraform/terraform/constellation-cluster/install-constellation.sh
deleted file mode 100755
index dcafe4dfea..0000000000
--- a/terraform/terraform/constellation-cluster/install-constellation.sh
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/bin/bash
-VERSION="latest"
-if ! command -v constellation &> /dev/null; then
- OS=$(uname -s)
- ARCH=$(uname -m)
-
- URL=""
-
- if [[ $OS == "Darwin" ]]; then
- if [[ $ARCH == "arm64" ]]; then
- URL="https://github.com/edgelesssys/constellation/releases/${VERSION}/download/constellation-darwin-arm64"
- elif [[ $ARCH == "x86_64" ]]; then
- URL="https://github.com/edgelesssys/constellation/releases/${VERSION}/download/constellation-darwin-amd64"
- fi
- elif [[ $OS == "Linux" ]]; then
- if [[ $ARCH == "x86_64" ]]; then
- URL="https://github.com/edgelesssys/constellation/releases/${VERSION}/download/constellation-linux-amd64"
- elif [[ $ARCH == "arm64" ]]; then
- URL="https://github.com/edgelesssys/constellation/releases/${VERSION}/download/constellation-linux-arm64"
- fi
- fi
-
- if [ -z "$URL" ]; then
- echo "Unsupported OS or architecture"
- exit 1
- else
- curl -o constellation -LO $URL
- sudo install constellation /usr/local/bin/constellation
- fi
-fi
diff --git a/terraform/terraform/constellation-cluster/main.tf b/terraform/terraform/constellation-cluster/main.tf
deleted file mode 100644
index ad7b58940b..0000000000
--- a/terraform/terraform/constellation-cluster/main.tf
+++ /dev/null
@@ -1,89 +0,0 @@
-locals {
- yq_node_groups = join("\n", flatten([
- for name, group in var.node_groups : [
- "yq eval '.nodeGroups.${name}.role = \"${group.role}\"' -i constellation-conf.yaml",
- "yq eval '.nodeGroups.${name}.zone = \"${group.zone}\"' -i constellation-conf.yaml",
- "yq eval '.nodeGroups.${name}.instanceType = \"${group.instance_type}\"' -i constellation-conf.yaml",
- "yq eval '.nodeGroups.${name}.stateDiskSizeGB = ${group.disk_size}' -i constellation-conf.yaml",
- "yq eval '.nodeGroups.${name}.stateDiskType = \"${group.disk_type}\"' -i constellation-conf.yaml",
- "yq eval '.nodeGroups.${name}.initialCount = ${group.initial_count}' -i constellation-conf.yaml"
- ]
- ]))
-}
-
-
-resource "terraform_data" "ensure_cli" {
- provisioner "local-exec" {
- command = "${path.module}/install-constellation.sh && ./constellation config generate ${var.csp}"
- }
- // generate config here to only create it once (csp won't change)
-}
-# TODO ensure yq dependency
-
-# TODO how to handle CSP specific config without CSP specific input?
-resource "terraform_data" "csp_config" {
- count = var.csp == "aws" ? 1 : 0
- provisioner "local-exec" {
- command = <