locals {
  # Description string stamped on installer-managed resources (used by the
  # NSG rule at the bottom of this file).
  description = "Created By OpenShift Installer"

  # Names of the NIC ip_configuration blocks. The backend-pool associations
  # reference the same names, so they are defined once here.
  bootstrap_nic_ip_v4_configuration_name = "bootstrap-nic-ip-v4"
  bootstrap_nic_ip_v6_configuration_name = "bootstrap-nic-ip-v6"
}
provider "azurerm" {
  features {}

  # Target cloud, tenant and subscription.
  environment     = var.azure_environment
  tenant_id       = var.azure_tenant_id
  subscription_id = var.azure_subscription_id

  # Authentication. Every credential (service-principal secret, client
  # certificate or managed identity) arrives through a variable; nothing is
  # embedded in this file.
  client_id                   = var.azure_client_id
  client_secret               = var.azure_client_secret
  client_certificate_path     = var.azure_certificate_path
  client_certificate_password = var.azure_certificate_password
  use_msi                     = var.azure_use_msi
}
# Existing storage account that will hold the bootstrap ignition blob. Its
# primary connection string is what the SAS below is minted from.
data "azurerm_storage_account" "storage_account" {
  resource_group_name = var.resource_group_name
  name                = var.storage_account_name
}
# Short-lived, read-only SAS the bootstrap node uses to fetch its ignition
# config. Scope is deliberately narrow: blob service only, object resource
# type only, read + list permissions, HTTPS only.
data "azurerm_storage_account_sas" "ignition" {
  connection_string = data.azurerm_storage_account.storage_account.primary_connection_string
  https_only        = true

  # timestamp() is evaluated at plan time, so the token (and everything
  # derived from it, such as the redirect config rendered into the VM's
  # custom_data) is regenerated on every apply. Validity window: 24 hours.
  start  = timestamp()
  expiry = timeadd(timestamp(), "24h")

  services {
    blob  = true
    file  = false
    queue = false
    table = false
  }

  resource_types {
    object    = true
    container = false
    service   = false
  }

  permissions {
    # granted
    read = true
    list = true
    # everything that could modify or delete data is denied
    add     = false
    create  = false
    delete  = false
    filter  = false
    process = false
    tag     = false
    update  = false
    write   = false
  }
}
# Container for the bootstrap ignition blob. container_access_type is not
# set here, so the provider default (private) applies: the blob is not
# anonymously readable and the SAS above is the intended access path.
resource "azurerm_storage_container" "ignition" {
  storage_account_name = var.storage_account_name
  name                 = "ignition"
}
# Uploads the locally generated bootstrap ignition file. A Page blob is used
# when var.azure_keyvault_key_name is set, a Block blob otherwise.
resource "azurerm_storage_blob" "ignition" {
  storage_account_name   = var.storage_account_name
  storage_container_name = azurerm_storage_container.ignition.name
  name                   = "bootstrap.ign"
  source                 = var.ignition_bootstrap_file
  type                   = var.azure_keyvault_key_name == "" ? "Block" : "Page"
}
# Minimal "pointer" ignition config: the node replaces it with the real
# config fetched from the blob URL with the SAS query string appended.
# The rendered document is passed as the VM's custom_data below, so the SAS
# travels with it; that token is read/list-only and expires after 24h.
data "ignition_config" "redirect" {
  replace {
    source = "${azurerm_storage_blob.ignition.url}${data.azurerm_storage_account_sas.ignition.sas}"
  }
}
# Public IPv4 for the bootstrap NIC. Created only for public clusters that
# use IPv4; private clusters get no public address at all.
resource "azurerm_public_ip" "bootstrap_public_ip_v4" {
  count = (! var.azure_private && var.use_ipv4) ? 1 : 0

  resource_group_name = var.resource_group_name
  location            = var.azure_region
  name                = "${var.cluster_id}-bootstrap-pip-v4"
  sku                 = "Standard"
  allocation_method   = "Static"
  tags                = var.azure_extra_tags
}
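# Reads back the bootstrap public IPv4 once it has been allocated.
# count mirrors azurerm_public_ip.bootstrap_public_ip_v4 (0 for private
# clusters or when IPv4 is disabled) so the [0] reference below is only
# evaluated when that resource actually exists — the same guard the IPv6
# data source uses.
data "azurerm_public_ip" "bootstrap_public_ip_v4" {
  count = var.azure_private || ! var.use_ipv4 ? 0 : 1

  name                = azurerm_public_ip.bootstrap_public_ip_v4[0].name
  resource_group_name = var.resource_group_name
}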
# Public IPv6 for the bootstrap NIC. Created only for public clusters that
# have IPv6 enabled.
resource "azurerm_public_ip" "bootstrap_public_ip_v6" {
  count = (! var.azure_private && var.use_ipv6) ? 1 : 0

  resource_group_name = var.resource_group_name
  location            = var.azure_region
  name                = "${var.cluster_id}-bootstrap-pip-v6"
  sku                 = "Standard"
  allocation_method   = "Static"
  ip_version          = "IPv6"
  tags                = var.azure_extra_tags
}
# Reads back the bootstrap public IPv6. count matches the resource above so
# the [0] index is only evaluated when the address exists.
data "azurerm_public_ip" "bootstrap_public_ip_v6" {
  count = (! var.azure_private && var.use_ipv6) ? 1 : 0

  resource_group_name = var.resource_group_name
  name                = azurerm_public_ip.bootstrap_public_ip_v6[0].name
}
# Bootstrap NIC. The ip_configuration blocks are generated from a candidate
# list filtered on `include`: the IPv4 entry is kept whenever either address
# family is in use, the IPv6 entry only when var.use_ipv6 is set. A public
# IP is attached only for public clusters (public_ip_id is null otherwise).
resource "azurerm_network_interface" "bootstrap" {
  name                = "${var.cluster_id}-bootstrap-nic"
  location            = var.azure_region
  resource_group_name = var.resource_group_name

  dynamic "ip_configuration" {
    for_each = [for ip in [
      {
        // LIMITATION: azure does not allow an ipv6 address to be primary today
        primary : var.use_ipv4,
        name : local.bootstrap_nic_ip_v4_configuration_name,
        ip_address_version : "IPv4",
        // NOTE(review): unlike the IPv6 entry below this is guarded only on
        // azure_private, not on var.use_ipv4; with use_ipv4 = false it would
        // index azurerm_public_ip.bootstrap_public_ip_v4, whose count is then 0.
        // Presumably use_ipv4 is always true for this module — confirm.
        public_ip_id : var.azure_private ? null : azurerm_public_ip.bootstrap_public_ip_v4[0].id,
        include : var.use_ipv4 || var.use_ipv6,
      },
      {
        primary : ! var.use_ipv4,
        name : local.bootstrap_nic_ip_v6_configuration_name,
        ip_address_version : "IPv6",
        public_ip_id : var.azure_private || ! var.use_ipv6 ? null : azurerm_public_ip.bootstrap_public_ip_v6[0].id,
        include : var.use_ipv6,
      },
      ] : {
      primary : ip.primary
      name : ip.name
      ip_address_version : ip.ip_address_version
      public_ip_id : ip.public_ip_id
      include : ip.include
    } if ip.include
    ]

    content {
      primary                       = ip_configuration.value.primary
      name                          = ip_configuration.value.name
      subnet_id                     = var.master_subnet_id
      private_ip_address_version    = ip_configuration.value.ip_address_version
      # Private addresses are assigned by Azure; only the public IP (if any)
      # is static, see the azurerm_public_ip resources above.
      private_ip_address_allocation = "Dynamic"
      public_ip_address_id          = ip_configuration.value.public_ip_id
    }
  }

  tags = var.azure_extra_tags
}
# Puts the bootstrap IPv4 configuration into the public load balancer pool.
resource "azurerm_network_interface_backend_address_pool_association" "public_lb_bootstrap_v4" {
  // Terraform cannot fully evaluate counts during the plan phase, so the
  // conditional from `vnet/public-lb.tf` has to be repeated here.
  // See https://github.com/hashicorp/terraform/issues/12570
  // The association is skipped only for private clusters that use
  // user-defined outbound routing.
  count = (var.azure_private && var.azure_outbound_routing_type == "UserDefinedRouting") ? 0 : 1

  ip_configuration_name   = local.bootstrap_nic_ip_v4_configuration_name
  network_interface_id    = azurerm_network_interface.bootstrap.id
  backend_address_pool_id = var.elb_backend_pool_v4_id
}
# Puts the bootstrap IPv6 configuration into the public load balancer pool.
resource "azurerm_network_interface_backend_address_pool_association" "public_lb_bootstrap_v6" {
  // Terraform cannot fully evaluate counts during the plan phase, so the
  // conditional from `vnet/public-lb.tf` has to be repeated here.
  // See https://github.com/hashicorp/terraform/issues/12570
  // Skipped when IPv6 is off, or for private clusters with user-defined
  // outbound routing.
  count = (! var.use_ipv6 || (var.azure_private && var.azure_outbound_routing_type == "UserDefinedRouting")) ? 0 : 1

  ip_configuration_name   = local.bootstrap_nic_ip_v6_configuration_name
  network_interface_id    = azurerm_network_interface.bootstrap.id
  backend_address_pool_id = var.elb_backend_pool_v6_id
}
# Puts the bootstrap IPv4 configuration into the internal load balancer pool.
resource "azurerm_network_interface_backend_address_pool_association" "internal_lb_bootstrap_v4" {
  count = ! var.use_ipv4 ? 0 : 1

  ip_configuration_name   = local.bootstrap_nic_ip_v4_configuration_name
  network_interface_id    = azurerm_network_interface.bootstrap.id
  backend_address_pool_id = var.ilb_backend_pool_v4_id
}
# Puts the bootstrap IPv6 configuration into the internal load balancer pool.
resource "azurerm_network_interface_backend_address_pool_association" "internal_lb_bootstrap_v6" {
  count = ! var.use_ipv6 ? 0 : 1

  ip_configuration_name   = local.bootstrap_nic_ip_v6_configuration_name
  network_interface_id    = azurerm_network_interface.bootstrap.id
  backend_address_pool_id = var.ilb_backend_pool_v6_id
}
# Bootstrap VM. Boots from either a custom image or a marketplace image,
# receives the redirect ignition config through custom_data, and is created
# only after its NIC has been placed in the load-balancer pools.
resource "azurerm_linux_virtual_machine" "bootstrap" {
  name                  = "${var.cluster_id}-bootstrap"
  location              = var.azure_region
  resource_group_name   = var.resource_group_name
  network_interface_ids = [azurerm_network_interface.bootstrap.id]
  size                  = var.azure_master_vm_type
  admin_username        = "core"
  # The password is normally applied by WALA (the Azure agent), but this
  # isn't installed in RHCOS. As a result, this password is never set. It is
  # included here because it is required by the Azure ARM API.
  admin_password                  = "NotActuallyApplied!"
  disable_password_authentication = false
  # NOTE(review): no admin_ssh_key block is configured here; SSH access is
  # presumably provisioned through the ignition config — confirm.

  # Host encryption, Secure Boot and vTPM follow the master settings; the
  # latter two are on only when the variable is exactly "Enabled".
  encryption_at_host_enabled = var.azure_master_encryption_at_host_enabled
  secure_boot_enabled        = var.azure_master_secure_boot == "Enabled"
  vtpm_enabled               = var.azure_master_virtualized_trusted_platform_module == "Enabled"

  # The VM runs under a caller-supplied user-assigned identity.
  identity {
    type         = "UserAssigned"
    identity_ids = [var.identity]
  }

  os_disk {
    name                 = "${var.cluster_id}-bootstrap_OSDisk" # os disk name needs to match cluster-api convention
    caching              = "ReadWrite"
    storage_account_type = var.azure_master_root_volume_type
    disk_size_gb         = 1000
    # Disk encryption settings are inherited from the master configuration.
    disk_encryption_set_id           = var.azure_master_disk_encryption_set_id
    security_encryption_type         = var.azure_master_security_encryption_type
    secure_vm_disk_encryption_set_id = var.azure_master_secure_vm_disk_encryption_set_id
  }

  # Either source_image_id or source_image_reference must be defined
  source_image_id = ! var.azure_use_marketplace_image ? var.vm_image : null

  dynamic "source_image_reference" {
    for_each = var.azure_use_marketplace_image ? [1] : []
    content {
      publisher = var.azure_marketplace_image_publisher
      offer     = var.azure_marketplace_image_offer
      sku       = var.azure_marketplace_image_sku
      version   = var.azure_marketplace_image_version
    }
  }

  # Marketplace images that carry a purchase plan need it repeated here.
  dynamic "plan" {
    for_each = var.azure_use_marketplace_image && var.azure_marketplace_image_has_plan ? [1] : []
    content {
      publisher = var.azure_marketplace_image_publisher
      product   = var.azure_marketplace_image_offer
      name      = var.azure_marketplace_image_sku
    }
  }

  computer_name = "${var.cluster_id}-bootstrap-vm"
  # The rendered redirect config (which embeds the SAS token for the
  # ignition blob) is passed base64-encoded as custom_data.
  custom_data = base64encode(data.ignition_config.redirect.rendered)

  boot_diagnostics {
    storage_account_uri = null # null enables managed storage account for boot diagnostics
  }

  # Create the VM only after all backend-pool associations exist.
  depends_on = [
    azurerm_network_interface_backend_address_pool_association.public_lb_bootstrap_v4,
    azurerm_network_interface_backend_address_pool_association.public_lb_bootstrap_v6,
    azurerm_network_interface_backend_address_pool_association.internal_lb_bootstrap_v4,
    azurerm_network_interface_backend_address_pool_association.internal_lb_bootstrap_v6
  ]

  tags = var.azure_extra_tags
}
# Inbound SSH to the bootstrap host, created only for public clusters.
# Both address prefixes are "*": TCP/22 is reachable from any source for as
# long as this rule exists. Narrowing source_address_prefix would require a
# variable this file does not declare.
resource "azurerm_network_security_rule" "bootstrap_ssh_in" {
  count = ! var.azure_private ? 1 : 0

  resource_group_name         = var.resource_group_name
  network_security_group_name = var.nsg_name
  name                        = "bootstrap_ssh_in"
  description                 = local.description
  priority                    = 103
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Tcp"
  source_address_prefix       = "*"
  source_port_range           = "*"
  destination_address_prefix  = "*"
  destination_port_range      = "22"
}