
Merge pull request #140 from AdamsDisturber/DLAB-terraform
 [DLAB-769] Terraform templates and README for Endpoint.
omartushevskyi committed Jul 8, 2019
2 parents 8db6a72 + 50c46d7 commit 6630e8b
Showing 9 changed files with 431 additions and 1 deletion.
17 changes: 17 additions & 0 deletions infrastructure-provisioning/terraform/aws/main/main.tf
Expand Up @@ -124,3 +124,20 @@ module "ami" {
project_tag = "${var.project_tag}"
notebook_name = "${var.notebook_name}"
}

module "endpoint" {
source = "../modules/endpoint"
service_base_name = var.service_base_name
region = var.region
zone = var.zone
product = var.product_name
subnet_cidr = var.subnet_cidr
endpoint_instance_shape = var.endpoint_instance_shape
key_name = var.key_name
ami = var.ami
vpc_id = var.vpc_id
subnet_id = var.subnet_id
network_type = var.network_type
vpc_cidr = var.vpc_cidr
endpoint_volume_size = var.endpoint_volume_size
}
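Review bot: The new module "endpoint" call passes `vpc_id` together with `vpc_cidr`, and `subnet_id` together with `subnet_cidr`, unconditionally, while the module README in this same commit describes each pair as conflicting. How the module resolves both being set is not visible in this hunk, so it is worth confirming that its network resources are conditional on the corresponding `*_id` variable being empty, or documenting in a comment above the call that only one of each pair is expected to be non-empty, e.g. `# vpc_id/subnet_id win over vpc_cidr/subnet_cidr when both are set`. The `zone` input is also passed but nothing in this view consumes it.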
14 changes: 13 additions & 1 deletion infrastructure-provisioning/terraform/aws/main/variables.tf
Expand Up @@ -157,4 +157,16 @@ variable "bid_price" {

variable "source_instance_id" {
default = ""
}
}

variable "endpoint_instance_shape" {
default = "t2.medium"
}

variable "network_type" {
default = "public"
}

variable "endpoint_volume_size" {
default = "30"
}
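Review bot: `endpoint_volume_size` is declared with the string default `"30"` although the README in this commit documents it as an int and the module hands it to `volume_size`; declaring it as `type = number` with `default = 30` makes a non-numeric input fail at plan time instead of at the provider. None of the three new variables carries a `description`; for `network_type` in particular, one stating that only the value `"public"` allocates an Elastic IP for the endpoint would save callers a trip into the module.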
@@ -0,0 +1,18 @@
# Terraform module for deploying DLab Endpoint instance

List of variables which should be provided:

| Variable | Type | Description/Value |
|--------------------------|--------|-----------------------------------------------------------------------------------------------------------------------------------------------------|
| service\_base\_name | string | Any infrastructure value (should be unique if multiple SSN’s have been deployed before). Should be same as on ssn |
| vpc\_id | string | ID of AWS VPC if you already have VPC created. |
| vpc\_cidr | string | CIDR for VPC creation. Conflicts with _vpc\_id_. Default: 172.31.0.0/16 |
| subnet\_id | string | ID of AWS Subnet if you already have subnet created. |
| subnet\_cidr | string | CIDR for Subnet creation. Conflicts with _subnet\_id_. Default: 172.31.0.0/24 |
| ami | string | **Required** ID of EC2 AMI. Default ubuntu 18.04.1 (debian os): "ami-08692d171e3cf02d6" (aws ami: 258751437250/ami-ubuntu-18.04-1.13.0-00-1543963388|
| key\_name | string | **Required** Name of EC2 Key pair. (Existed on AWS account) |
| region | string | Name of AWS region. Default: us-west-2 |
| zone | string | Name of AWS zone. Default: a |
| endpoint\_volume\_size | int | Size of root volume in GB. Default: 30 |
| network\_type | string | Type of created network (if network is not existed and require creation) for endpoint. Default: public |
| endpoint\_instance\_shape| string | Instance shape of Endpoint. Default: t2.medium |
@@ -0,0 +1,13 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
@@ -0,0 +1,95 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"iam:CreatePolicy",
"iam:AttachRolePolicy",
"iam:DetachRolePolicy",
"iam:DeletePolicy",
"iam:DeleteRolePolicy",
"iam:GetRolePolicy",
"iam:GetPolicy",
"iam:GetUser",
"iam:ListUsers",
"iam:ListAccessKeys",
"iam:ListUserPolicies",
"iam:ListAttachedRolePolicies",
"iam:ListPolicies",
"iam:ListRolePolicies",
"iam:ListRoles",
"iam:CreateRole",
"iam:CreateInstanceProfile",
"iam:PutRolePolicy",
"iam:AddRoleToInstanceProfile",
"iam:PassRole",
"iam:GetInstanceProfile",
"iam:ListInstanceProfilesForRole",
"iam:RemoveRoleFromInstanceProfile",
"iam:DeleteInstanceProfile",
"iam:ListInstanceProfiles",
"iam:DeleteRole",
"iam:GetRole"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:DeleteRouteTable",
"ec2:DeleteSubnet",
"ec2:DeleteTags",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"ec2:DescribeInstanceStatus",
"ec2:ModifyInstanceAttribute",
"ec2:RevokeSecurityGroupIngress",
"ec2:DescribeImages",
"ec2:CreateTags",
"ec2:DescribeRouteTables",
"ec2:CreateRouteTable",
"ec2:AssociateRouteTable",
"ec2:DescribeVpcEndpoints",
"ec2:CreateVpcEndpoint",
"ec2:ModifyVpcEndpoint",
"ec2:DescribeInstances",
"ec2:RunInstances",
"ec2:DescribeAddresses",
"ec2:AllocateAddress",
"ec2:AssociateAddress",
"ec2:DisassociateAddress",
"ec2:ReleaseAddress",
"ec2:TerminateInstances",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:DescribeSecurityGroups",
"ec2:CreateSecurityGroup",
"ec2:DeleteSecurityGroup",
"ec2:RevokeSecurityGroupEgress"

],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"s3:GetBucketLocation",
"s3:PutBucketPolicy",
"s3:GetBucketPolicy",
"s3:DeleteBucket",
"s3:DeleteObject",
"s3:GetObject",
"s3:ListBucket",
"s3:PutEncryptionConfiguration",
"s3:ListAllMyBuckets",
"s3:CreateBucket",
"s3:PutBucketTagging",
"s3:GetBucketTagging"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
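Review bot: The first statement grants iam:CreateRole, iam:CreatePolicy, iam:PutRolePolicy, iam:AttachRolePolicy and iam:PassRole with `"Resource": "*"`, and this document becomes the policy of the endpoint's own instance role, so any process on that instance can create roles and policies whose permissions exceed its own; the second statement pairs ec2:RunInstances with that unrestricted PassRole. Scope the IAM statement's Resource to the role/policy/instance-profile ARN prefixes derived from service_base_name that the endpoint actually manages, and consider a permissions boundary on the endpoint role so roles it creates cannot exceed it. The s3 statement likewise allows CreateBucket, DeleteBucket and PutBucketPolicy on every bucket in the account and should be limited to the buckets the endpoint owns. Separately, ec2:AuthorizeSecurityGroupIngress and ec2:AuthorizeSecurityGroupEgress are listed twice in the second statement, and there is a stray blank line before its closing bracket.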
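--- /dev/null
+++ b/infrastructure-provisioning/terraform/aws/modules/endpoint/iam.tf
@@ -0,0 +1,55 @@
+# *****************************************************************************
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+# ******************************************************************************
+
+locals {
+role_name = "${var.service_base_name}-endpoint-role"
+role_profile = "${var.service_base_name}-endpoint-profile"
+policy_name = "${var.service_base_name}-endpoint-policy"
+}
+
+data "template_file" "endpoint_policy" {
+template = file("../modules/endpoint/files/endpoint-policy.json")
+}
+
+resource "aws_iam_role" "endpoint_role" {
+name = local.role_name
+assume_role_policy = file("../modules/endpoint/files/assume-policy.json")
+tags = {
+product = "${var.product}"
+Name = "${local.role_name}"
+"${var.service_base_name}-Tag" = "${local.role_name}"
+}
+}
+
+resource "aws_iam_instance_profile" "endpoint_profile" {
+name = local.role_profile
+role = aws_iam_role.endpoint_role.name
+}
+
+resource "aws_iam_policy" "endpoint_policy" {
+name = local.policy_name
+policy = data.template_file.endpoint_policy.rendered
+}
+
+resource "aws_iam_role_policy_attachment" "endpoint_policy_attach" {
+role = aws_iam_role.endpoint_role.name
+policy_arn = aws_iam_policy.endpoint_policy.arn
+}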
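Review bot: Both `file()` calls in this module resolve their path against the working directory — `file("../modules/endpoint/files/endpoint-policy.json")` in data.template_file.endpoint_policy and `file("../modules/endpoint/files/assume-policy.json")` in aws_iam_role.endpoint_role — so the module only works when terraform is run from the sibling `main` directory. The module-relative form, `file("${path.module}/files/endpoint-policy.json")` and `file("${path.module}/files/assume-policy.json")`, works from any root. The template_file data source adds nothing here since no `vars` are passed; reading the document directly with `policy = file("${path.module}/files/endpoint-policy.json")` on aws_iam_policy.endpoint_policy matches how assume_role_policy is already loaded and drops the extra provider dependency.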
@@ -0,0 +1,63 @@
# *****************************************************************************
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#
# ******************************************************************************

locals {
ec2_name = "${var.service_base_name}-endpoint"
eip_name = "${var.service_base_name}-endpoint-EIP"
}


resource "aws_instance" "endpoint" {
ami = var.ami
instance_type = var.endpoint_instance_shape
key_name = var.key_name
subnet_id = data.aws_subnet.data_subnet.id
security_groups = ["${aws_security_group.endpoint_sec_group.id}"]
root_block_device {
volume_type = "gp2"
volume_size = var.endpoint_volume_size
delete_on_termination = true
}
tags = {
Name = "${local.ec2_name}"
"${var.service_base_name}-Tag" = "${local.ec2_name}"
product = "${var.product}"
"user:tag" = "${var.service_base_name}:${local.ec2_name}"
}
}

resource "aws_eip" "e_ip" {
instance = aws_instance.endpoint.id
vpc = true
tags = {
Name = "${local.eip_name}"
"${var.service_base_name}-Tag" = "${local.eip_name}"
product = "${var.product}"
"user:tag" = "${var.service_base_name}:${local.eip_name}"
}
count = var.network_type == "public" ? 1 : 0
}

resource "aws_eip_association" "e_ip_assoc" {
instance_id = aws_instance.endpoint.id
allocation_id = aws_eip.e_ip.0.id
count = var.network_type == "public" ? 1 : 0
}
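Review bot: The root volume declared in aws_instance.endpoint's root_block_device is created unencrypted, because no `encrypted` argument is set; adding `encrypted = true` beside `volume_type = "gp2"` protects the endpoint's disk at rest, and a `kms_key_id` can follow later if a customer-managed key is wanted. Also, `security_groups` takes security group names and is intended for EC2-Classic/default-VPC instances; since the instance is placed with `subnet_id`, the group ID belongs in `vpc_security_group_ids = [aws_security_group.endpoint_sec_group.id]`, otherwise the provider may reject the ID or plan a replacement on subsequent runs. aws_security_group.endpoint_sec_group and data.aws_subnet.data_subnet are defined outside this hunk.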
