Merge pull request #26 from hashicorp/multizonal

Switch from a single-zone Managed Instance Group to a Multi-Zonal Group
hashicorp · Sep 11, 2018 · 3f0cd57 · 3f0cd57
2 parents bb0d0b9 + 19399ef
commit 3f0cd57
Show file tree

Hide file tree

Showing 8 changed files with 126 additions and 110 deletions.
diff --git a/examples/consul-image/consul.json b/examples/consul-image/consul.json
@@ -3,7 +3,7 @@
   "variables": {
     "project_id": null,
     "zone": null,
-    "consul_version": "1.1.0"
+    "consul_version": "1.2.2"
   },
   "builders": [{
     "type": "googlecompute",

diff --git a/examples/root-example/README.md b/examples/root-example/README.md
@@ -36,3 +36,12 @@ To deploy a Consul Cluster:
    print out the IP addresses of the Consul servers and some example commands you can run to interact with the cluster:
    `../consul-examples-helper/consul-examples-helper.sh`.
 
+### WARNING: This example exposes your cluster to the public Internet!
+
+This example enables your Consul Client and Consul Server to be accessible from `0.0.0.0/0` (any IP address) by default.
+This is not an acceptable security posture in a production setting! In a production setting, you should set the
+`allowed_inbound_cidr_blocks_http_api` property of the [consul-cluster](
+https://github.com/hashicorp/terraform-google-consul/tree/master/modules/consul-cluster) module to either an empty list
+or a limited range of IP addresses.
+
+Note that for access within GCP, using the `allowed_inbound_tags_http_api` module property is preferred.
diff --git a/main.tf b/main.tf
@@ -7,8 +7,8 @@
 # ---------------------------------------------------------------------------------------------------------------------
 
 provider "google" {
-  project     = "${var.gcp_project}"
-  region      = "${var.gcp_region}"
+  project = "${var.gcp_project}"
+  region  = "${var.gcp_region}"
 }
 
 terraform {
@@ -25,18 +25,18 @@ module "consul_servers" {
   # source = "git::git@github.com:gruntwork-io/consul-gcp-module.git//modules/consul-cluster?ref=v0.0.1"
   source = "./modules/consul-cluster"
 
-  gcp_zone = "${var.gcp_zone}"
-  cluster_name = "${var.consul_server_cluster_name}"
+  gcp_region          = "${var.gcp_region}"
+  cluster_name        = "${var.consul_server_cluster_name}"
   cluster_description = "Consul Server cluster"
-  cluster_size = "${var.consul_server_cluster_size}"
-  cluster_tag_name = "${var.consul_server_cluster_tag_name}"
-  startup_script = "${data.template_file.startup_script_server.rendered}"
+  cluster_size        = "${var.consul_server_cluster_size}"
+  cluster_tag_name    = "${var.consul_server_cluster_tag_name}"
+  startup_script      = "${data.template_file.startup_script_server.rendered}"
 
   # Grant API and DNS access to requests originating from the the Consul client cluster we create below.
-  allowed_inbound_tags_http_api = ["${var.consul_server_cluster_tag_name}"]
+  allowed_inbound_tags_http_api        = ["${var.consul_server_cluster_tag_name}"]
   allowed_inbound_cidr_blocks_http_api = "${var.consul_server_allowed_inbound_cidr_blocks_http_api}"
 
-  allowed_inbound_tags_dns = ["${var.consul_server_cluster_tag_name }"]
+  allowed_inbound_tags_dns        = ["${var.consul_server_cluster_tag_name }"]
   allowed_inbound_cidr_blocks_dns = "${var.consul_server_allowed_inbound_cidr_blocks_dns}"
 
   # WARNING! These configuration values are suitable for testing, but for production, see https://www.consul.io/docs/guides/performance.html
@@ -46,7 +46,8 @@ module "consul_servers" {
   # - root_volume_disk_type: pd-ssd or local-ssd (for write-heavy workloads, use SSDs for the best write throughput)
   # - root_volume_disk_size_gb: Consul's data set is persisted, so this depends on the size of your expected data set
   machine_type = "g1-small"
-  root_volume_disk_type = "pd-standard"
+
+  root_volume_disk_type    = "pd-standard"
   root_volume_disk_size_gb = "15"
 
   # WARNING! By specifying just the "family" name of the Image, Google will automatically use the latest Consul image.
@@ -87,29 +88,30 @@ module "consul_clients" {
   # source = "git::git@github.com:gruntwork-io/consul-gcp-module.git//modules/consul-cluster?ref=v0.0.1"
   source = "./modules/consul-cluster"
 
-  gcp_zone = "${var.gcp_zone}"
-  cluster_name = "${var.consul_client_cluster_name}"
+  gcp_region          = "${var.gcp_region}"
+  cluster_name        = "${var.consul_client_cluster_name}"
   cluster_description = "Consul Clients cluster"
-  cluster_size = "${var.consul_client_cluster_size}"
-  cluster_tag_name = "${var.consul_client_cluster_tag_name}"
-  startup_script = "${data.template_file.startup_script_client.rendered}"
+  cluster_size        = "${var.consul_client_cluster_size}"
+  cluster_tag_name    = "${var.consul_client_cluster_tag_name}"
+  startup_script      = "${data.template_file.startup_script_client.rendered}"
 
-  allowed_inbound_tags_http_api = ["${var.consul_client_cluster_tag_name}"]
+  allowed_inbound_tags_http_api        = ["${var.consul_client_cluster_tag_name}"]
   allowed_inbound_cidr_blocks_http_api = "${var.consul_client_allowed_inbound_cidr_blocks_http_api}"
 
-  allowed_inbound_tags_dns = ["${var.consul_client_cluster_tag_name }"]
+  allowed_inbound_tags_dns        = ["${var.consul_client_cluster_tag_name }"]
   allowed_inbound_cidr_blocks_dns = "${var.consul_client_allowed_inbound_cidr_blocks_dns}"
 
-  machine_type = "g1-small"
-  root_volume_disk_type = "pd-standard"
+  machine_type             = "g1-small"
+  root_volume_disk_type    = "pd-standard"
   root_volume_disk_size_gb = "15"
 
   assign_public_ip_addresses = true
 
   source_image = "${var.consul_client_source_image}"
 
   # Our Consul Clients are completely stateless, so we are free to destroy and re-create them as needed.
-  instance_group_update_strategy = "RESTART"
+  # Todo: Research this further
+  instance_group_update_strategy = "NONE"
 }
 
 # Render the Startup Script that will run on each Consul Server Instance on boot.

diff --git a/modules/consul-cluster/main.tf b/modules/consul-cluster/main.tf
@@ -15,12 +15,12 @@ terraform {
 # ---------------------------------------------------------------------------------------------------------------------
 
 # Create the single-zone Managed Instance Group where Consul Server will live.
-resource "google_compute_instance_group_manager" "consul_server" {
+resource "google_compute_region_instance_group_manager" "consul_server" {
   name = "${var.cluster_name}-ig"
 
   base_instance_name = "${var.cluster_name}"
   instance_template  = "${data.template_file.compute_instance_template_self_link.rendered}"
-  zone               = "${var.gcp_zone}"
+  region             = "${var.gcp_region}"
 
   # Consul Server is a stateful cluster, so the update strategy used to roll out a new GCE Instance Template must be
   # a rolling update. But since Terraform does not yet support ROLLING_UPDATE, such updates must be manually rolled out.
@@ -43,14 +43,14 @@ resource "google_compute_instance_template" "consul_server_public" {
   instance_description = "${var.cluster_description}"
   machine_type         = "${var.machine_type}"
 
-  tags = "${concat(list(var.cluster_tag_name), var.custom_tags)}"
+  tags                    = "${concat(list(var.cluster_tag_name), var.custom_tags)}"
   metadata_startup_script = "${var.startup_script}"
-  metadata = "${merge(map(var.metadata_key_name_for_cluster_size, var.cluster_size), var.custom_metadata)}"
+  metadata                = "${merge(map(var.metadata_key_name_for_cluster_size, var.cluster_size), var.custom_metadata)}"
 
   scheduling {
     automatic_restart   = true
     on_host_maintenance = "MIGRATE"
-    preemptible = false
+    preemptible         = false
   }
 
   disk {
@@ -64,6 +64,7 @@ resource "google_compute_instance_template" "consul_server_public" {
   network_interface {
     network    = "${var.subnetwork_name != "" ? "" : var.network_name}"
     subnetwork = "${var.subnetwork_name != "" ? var.subnetwork_name : ""}"
+
     access_config {
       # The presence of this property assigns a public IP address to each Compute Instance. We intentionally leave it
       # blank so that an external IP address is selected automatically.
@@ -72,16 +73,16 @@ resource "google_compute_instance_template" "consul_server_public" {
   }
 
   service_account {
-    email   = "${var.service_account_email}"
-    scopes  = ["${concat(
+    email = "${var.service_account_email}"
+
+    scopes = ["${concat(
       list(
         "userinfo-email", 
         "compute-ro", 
         "${var.storage_access_scope}"
       ),
       var.service_account_scopes
     )}"]
-
   }
 
   # Per Terraform Docs (https://www.terraform.io/docs/providers/google/r/compute_instance_template.html#using-with-instance-group-manager),
@@ -101,32 +102,35 @@ resource "google_compute_instance_template" "consul_server_private" {
   description = "${var.cluster_description}"
 
   instance_description = "${var.cluster_description}"
-  machine_type = "${var.machine_type}"
+  machine_type         = "${var.machine_type}"
 
-  tags = ["${concat(list(var.cluster_tag_name), var.custom_tags)}"]
+  tags                    = ["${concat(list(var.cluster_tag_name), var.custom_tags)}"]
   metadata_startup_script = "${var.startup_script}"
-  metadata = "${merge(map(var.metadata_key_name_for_cluster_size, var.cluster_size), var.custom_metadata)}"
+  metadata                = "${merge(map(var.metadata_key_name_for_cluster_size, var.cluster_size), var.custom_metadata)}"
 
   scheduling {
     automatic_restart   = true
     on_host_maintenance = "MIGRATE"
-    preemptible = false
+    preemptible         = false
   }
 
   disk {
     boot         = true
     auto_delete  = true
     source_image = "${var.source_image}"
+    disk_size_gb = "${var.root_volume_disk_size_gb}"
+    disk_type    = "${var.root_volume_disk_type}"
   }
 
   network_interface {
-    network =    "${var.subnetwork_name != "" ? "" : var.network_name}"
+    network    = "${var.subnetwork_name != "" ? "" : var.network_name}"
     subnetwork = "${var.subnetwork_name != "" ? var.subnetwork_name : ""}"
   }
 
   service_account {
-    email   = "${var.service_account_email}"
-    scopes  = ["${concat(
+    email = "${var.service_account_email}"
+
+    scopes = ["${concat(
       list(
         "userinfo-email", 
         "compute-ro", 
@@ -157,22 +161,24 @@ resource "google_compute_firewall" "allow_intracluster_consul" {
 
   allow {
     protocol = "tcp"
-    ports    = [
+
+    ports = [
       "${var.server_rpc_port}",
       "${var.cli_rpc_port}",
       "${var.serf_lan_port}",
       "${var.serf_wan_port}",
       "${var.http_api_port}",
-      "${var.dns_port}"
+      "${var.dns_port}",
     ]
   }
 
   allow {
     protocol = "udp"
-    ports    = [
+
+    ports = [
       "${var.serf_lan_port}",
       "${var.serf_wan_port}",
-      "${var.dns_port}"
+      "${var.dns_port}",
     ]
   }
 
@@ -193,14 +199,15 @@ resource "google_compute_firewall" "allow_inbound_http_api" {
 
   allow {
     protocol = "tcp"
-    ports    = [
+
+    ports = [
       "${var.http_api_port}",
     ]
   }
 
   source_ranges = "${var.allowed_inbound_cidr_blocks_http_api}"
-  source_tags = ["${var.allowed_inbound_tags_http_api}"]
-  target_tags = ["${var.cluster_tag_name}"]
+  source_tags   = ["${var.allowed_inbound_tags_http_api}"]
+  target_tags   = ["${var.cluster_tag_name}"]
 }
 
 # Specify which traffic is allowed into the Consul Cluster solely for DNS requests
@@ -216,21 +223,23 @@ resource "google_compute_firewall" "allow_inbound_dns" {
 
   allow {
     protocol = "tcp"
-    ports    = [
+
+    ports = [
       "${var.dns_port}",
     ]
   }
 
   allow {
     protocol = "udp"
-    ports    = [
+
+    ports = [
       "${var.dns_port}",
     ]
   }
 
   source_ranges = "${var.allowed_inbound_cidr_blocks_dns}"
-  source_tags = ["${var.allowed_inbound_tags_dns}"]
-  target_tags = ["${var.cluster_tag_name}"]
+  source_tags   = ["${var.allowed_inbound_tags_dns}"]
+  target_tags   = ["${var.cluster_tag_name}"]
 }
 
 # ---------------------------------------------------------------------------------------------------------------------

diff --git a/modules/consul-cluster/outputs.tf b/modules/consul-cluster/outputs.tf
@@ -1,5 +1,5 @@
-output "gcp_zone" {
-  value = "${var.gcp_zone}"
+output "gcp_region" {
+  value = "${var.gcp_region}"
 }
 
 output "cluster_name" {
@@ -11,11 +11,11 @@ output "cluster_tag_name" {
 }
 
 output "instance_group_url" {
-  value = "${google_compute_instance_group_manager.consul_server.self_link}"
+  value = "${google_compute_region_instance_group_manager.consul_server.self_link}"
 }
 
 output "instance_group_name" {
-  value = "${google_compute_instance_group_manager.consul_server.name}"
+  value = "${google_compute_region_instance_group_manager.consul_server.name}"
 }
 
 output "instance_template_url" {