Get the private VPC working

bootstrap/aws/private-cloud/config-default.sh

@@ -1,25 +1,13 @@
 #!/bin/bash
 
-# Keeping atlas variable without prefix as it's been shared by consul and tf at the moment.
-export ATLAS_TOKEN=${ATLAS_TOKEN:?"Need to set ATLAS_TOKEN non-empty"}
-export ATLAS_INFRASTRUCTURE=${ATLAS_INFRASTRUCTURE:-capgemini/apollo}
-
-export TF_VAR_user=${TF_VAR_user:?"Need to set User non-empty"}
 export TF_VAR_access_key=${TF_VAR_access_key:?"Need to set TF_VAR_access_key non-empty"}
 export TF_VAR_secret_key=${TF_VAR_secret_key:?"Need to set TF_VAR_secret_key non-empty"}
-export TF_VAR_key_file=${TF_VAR_key_file:-$HOME/.ssh/apollo_aws_rsa}
-export TF_VAR_key_name=${TF_VAR_key_name:-apollo}
 
 # Overrides default folder in Terraform.py inventory.
 export TF_VAR_STATE_ROOT="${APOLLO_ROOT}/terraform/${APOLLO_PROVIDER}"
 
 export ANSIBLE_SSH_ARGS="-F ${APOLLO_ROOT}/terraform/${APOLLO_PROVIDER}/ssh.config -q"
 
 export TF_VAR_region=${TF_VAR_region:-eu-west-1}
-export TF_VAR_master_instance_type=${TF_VAR_master_instance_type:-m3.medium}
-export TF_VAR_slave_instance_type=${TF_VAR_slave_instance_type:-m3.medium}
-export TF_VAR_slaves=${TF_VAR_slaves:-1}
-export TF_VAR_availability_zones=${TF_VAR_availability_zones:-'eu-west-1a,eu-west-1b,eu-west-1c'}
-export TF_VAR_public_subnet_availability_zone=${TF_VAR_public_subnet_availability_zone:-'eu-west-1a'}
 export APOLLO_consul_dc=${APOLLO_consul_dc:-$TF_VAR_region}
 export APOLLO_mesos_cluster_name=${APOLLO_mesos_cluster_name:-$TF_VAR_region}

bootstrap/aws/private-cloud/util.sh

@@ -18,7 +18,7 @@ ansible_ssh_config() {
     export APOLLO_bastion_ip=$( terraform output bastion.ip )
 
     # Virtual private cloud CIDR IP.
-    ip=$( terraform output vpc_cidr_block.ip )
+    ip=$( terraform output -module=vpc vpc_cidr_block )
     export APOLLO_network_identifier=$( get_network_identifier "${ip}" )
 
     cat <<EOF > ssh.config

bootstrap/aws/public-cloud/config-default.sh

@@ -1,9 +1,5 @@
 #!/bin/bash
 
-# Keeping atlas variable without prefix as it's been shared by consul and tf at the moment.
-export ATLAS_TOKEN=${ATLAS_TOKEN:?"Need to set ATLAS_TOKEN non-empty"}
-export ATLAS_INFRASTRUCTURE=${ATLAS_INFRASTRUCTURE:-capgemini/apollo}
-
 export TF_VAR_access_key=${TF_VAR_access_key:?"Need to set TF_VAR_access_key non-empty"}
 export TF_VAR_secret_key=${TF_VAR_secret_key:?"Need to set TF_VAR_secret_key non-empty"}
 

terraform/aws/private-cloud/bastion-server.tf

@@ -9,7 +9,9 @@ module "ami_bastion" {
 resource "aws_instance" "bastion" {
   ami               = "${module.ami_bastion.ami_id}"
   instance_type     = "${var.bastion_instance_type}"
-  subnet_id         = "${module.vpc.public_subnets}"
+  # Just put the bastion in the first public subnet
+  subnet_id         = "${element(split(",", module.vpc.public_subnets), 0)}"
+  # @todo - this allows bastion connection on any port which is not ideal but was like this previously.
   security_groups   = ["${module.sg-default.security_group_id}", "${aws_security_group.bastion.id}"]
   key_name          = "${module.aws-keypair.keypair_name}"
   source_dest_check = false

terraform/aws/private-cloud/cloud-config.yml.tpl

@@ -2,18 +2,19 @@
 
 coreos:
   etcd2:
-    # $public_ipv4 and $private_ipv4 are populated by the cloud provider
-    advertise-client-urls: http://$public_ipv4:2379
+    # $private_ipv4 is populated by the cloud provider
+    # we don't have a $public_ipv4 in the private VPC
+    advertise-client-urls: http://$private_ipv4:2379,http://$private_ipv4:4001
     initial-advertise-peer-urls: http://$private_ipv4:2380
+    # listen on both the official ports and the legacy ports
+    # legacy ports can be omitted if your application doesn't depend on them
     listen-client-urls: http://0.0.0.0:2379,http://0.0.0.0:4001
     listen-peer-urls: http://$private_ipv4:2380,http://$private_ipv4:7001
     # Discovery is populated by Terraform
     discovery: ${etcd_discovery_url}
-  fleet:
-    public-ip: "$public_ipv4"
   units:
     - name: etcd2.service
       command: start
-    - name: fleet.service
-      command: start
+  update:
+    reboot-strategy: "reboot"
 manage_etc_hosts: localhost

terraform/aws/private-cloud/main.tf

@@ -21,15 +21,16 @@ provider "aws" {
 }
 
 module "vpc" {
-  source          = "github.com/terraform-community-modules/tf_aws_vpc"
+  source              = "./vpc"
 
-  name            = "default"
+  name                = "default"
 
-  cidr            = "${var.vpc_cidr_block}"
-  private_subnets = "10.0.1.0/24,10.0.2.0/24,10.0.3.0/24"
-  public_subnets  = "10.0.101.0/24,10.0.102.0/24,10.0.103.0/24"
+  cidr                = "${var.vpc_cidr_block}"
+  private_subnets     = "10.0.1.0/24,10.0.2.0/24,10.0.3.0/24"
+  public_subnets      = "10.0.101.0/24,10.0.102.0/24,10.0.103.0/24"
+  bastion_instance_id = "${aws_instance.bastion.id}"
 
-  azs             = "${var.availability_zones}"
+  azs                 = "${var.availability_zones}"
 }
 
 # ssh keypair for instances
@@ -79,7 +80,9 @@ output "master_ips" {
 output "slave_ips" {
   value = "${join(",", aws_instance.mesos-slave.*.private_ip)}"
 }
-/*
+output "vpc_cidr_block_ip" {
+ value = "${module.vpc.vpc_cidr_block}"
+}
 output "elb.hostname" {
   value = "${module.elb.elb_dns_name}"
-}*/
+}

terraform/aws/private-cloud/mesos-masters.tf

@@ -25,7 +25,7 @@ resource "aws_instance" "mesos-master" {
   count             = "${var.masters}"
   key_name          = "${module.aws-keypair.keypair_name}"
   source_dest_check = false
-  subnet_id         = "${element(aws_subnet.private.*.id, count.index)}"
+  subnet_id         = "${element(split(",", module.vpc.private_subnets), count.index)}"
   security_groups   = ["${module.sg-default.security_group_id}"]
   depends_on        = ["aws_instance.bastion"]
   user_data         = "${template_file.master_cloud_init.rendered}"

terraform/aws/private-cloud/mesos-slaves.tf

@@ -19,13 +19,17 @@ resource "template_file" "slave_cloud_init" {
   }
 }
 
+/*
+  @todo This should be changed to be an autoscaling slave with launch config
+ */
 resource "aws_instance" "mesos-slave" {
   instance_type     = "${var.slave_instance_type}"
   ami               = "${module.slave_ami.ami_id}"
   count             = "${var.slaves}"
   key_name          = "${module.aws-keypair.keypair_name}"
   source_dest_check = false
-  subnet_id         = "${element(aws_subnet.private.*.id, count.index)}"
+  # @todo - fix this as this only allows 3 slaves maximum (due to splittingo on the count variable)
+  subnet_id         = "${element(split(",", module.vpc.private_subnets), count.index)}"
   security_groups   = ["${module.sg-default.security_group_id}"]
   depends_on        = ["aws_instance.bastion", "aws_instance.mesos-master"]
   user_data         = "${template_file.master_cloud_init.rendered}"

terraform/aws/private-cloud/security_groups.tf

@@ -1,22 +1,40 @@
 resource "aws_security_group" "bastion" {
-  name        = "bastion-apollo-mesos"
+  name        = "bastion-apollo"
   description = "Security group for bastion instances that allows SSH and VPN traffic from internet"
   vpc_id      = "${module.vpc.vpc_id}"
 
+  # inbound http/https traffic from the private subnets to allow them to talk with the internet
+  ingress {
+    from_port   = 80
+    to_port     = 80
+    protocol    = "tcp"
+    cidr_blocks = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+  }
+
+  ingress {
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+  }
+
+  # ssh
   ingress {
     from_port   = 22
     to_port     = 22
     protocol    = "tcp"
     cidr_blocks = ["0.0.0.0/0"]
   }
 
+  # openvpn
   ingress {
     from_port   = 1194
     to_port     = 1194
     protocol    = "udp"
     cidr_blocks = ["0.0.0.0/0"]
   }
 
+  # outbound access to the inernet
   egress {
     from_port   = 80
     to_port     = 80
@@ -32,23 +50,6 @@ resource "aws_security_group" "bastion" {
   }
 
   tags {
-    Name = "bastion-apollo-mesos"
-  }
-}
-
-resource "aws_security_group" "web" {
-  name = "web-apollo-mesos"
-  description = "Security group that allows web traffic from the internet"
-  vpc_id      = "${module.vpc.vpc_id}"
-
-  ingress {
-    from_port   = 80
-    to_port     = 80
-    protocol    = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-
-  tags {
-    Name = "web-apollo-mesos"
+    Name = "bastion-apollo-sg"
   }
 }

terraform/aws/private-cloud/vpc/main.tf

@@ -0,0 +1,98 @@
+variable "name" { }
+variable "cidr" { }
+variable "public_subnets" { default = "" }
+variable "private_subnets" { default = "" }
+variable "bastion_instance_id" { }
+variable "azs" { }
+variable "enable_dns_hostnames" {
+  description = "should be true if you want to use private DNS within the VPC"
+  default = false
+}
+variable "enable_dns_support" {
+  description = "should be true if you want to use private DNS within the VPC"
+  default = false
+}
+
+# resources
+resource "aws_vpc" "mod" {
+  cidr_block           = "${var.cidr}"
+  enable_dns_hostnames = "${var.enable_dns_hostnames}"
+  enable_dns_support   = "${var.enable_dns_support}"
+  tags {
+    Name = "${var.name}"
+  }
+}
+
+resource "aws_internet_gateway" "mod" {
+  vpc_id = "${aws_vpc.mod.id}"
+}
+
+resource "aws_route_table" "public" {
+  vpc_id = "${aws_vpc.mod.id}"
+  route {
+      cidr_block = "0.0.0.0/0"
+      gateway_id = "${aws_internet_gateway.mod.id}"
+  }
+  tags {
+    Name = "${var.name}-public"
+  }
+}
+
+resource "aws_route_table" "private" {
+  vpc_id = "${aws_vpc.mod.id}"
+  route {
+    cidr_block  = "0.0.0.0/0"
+    instance_id = "${var.bastion_instance_id}"
+  }
+  tags {
+    Name = "${var.name}-private"
+  }
+}
+
+resource "aws_subnet" "private" {
+  vpc_id            = "${aws_vpc.mod.id}"
+  cidr_block        = "${element(split(",", var.private_subnets), count.index)}"
+  availability_zone = "${element(split(",", var.azs), count.index)}"
+  count             = "${length(compact(split(",", var.private_subnets)))}"
+  tags {
+    Name = "${var.name}-private"
+  }
+}
+
+resource "aws_subnet" "public" {
+  vpc_id            = "${aws_vpc.mod.id}"
+  cidr_block        = "${element(split(",", var.public_subnets), count.index)}"
+  availability_zone = "${element(split(",", var.azs), count.index)}"
+  count             = "${length(compact(split(",", var.public_subnets)))}"
+  tags {
+    Name = "${var.name}-public"
+  }
+
+  map_public_ip_on_launch = true
+}
+
+resource "aws_route_table_association" "private" {
+  count          = "${length(compact(split(",", var.private_subnets)))}"
+  subnet_id      = "${element(aws_subnet.private.*.id, count.index)}"
+  route_table_id = "${aws_route_table.private.id}"
+}
+
+resource "aws_route_table_association" "public" {
+  count          = "${length(compact(split(",", var.public_subnets)))}"
+  subnet_id      = "${element(aws_subnet.public.*.id, count.index)}"
+  route_table_id = "${aws_route_table.public.id}"
+}
+
+# outputs
+output "private_subnets" {
+  value = "${join(",", aws_subnet.private.*.id)}"
+}
+output "public_subnets" {
+  value = "${join(",", aws_subnet.public.*.id)}"
+}
+output "vpc_id" {
+  value = "${aws_vpc.mod.id}"
+}
+output "vpc_cidr_block" {
+  value = "${aws_vpc.mod.cidr_block}"
+}

terraform/aws/public-cloud/cloud-config.yml.tpl

@@ -16,4 +16,6 @@ coreos:
       command: start
     - name: fleet.service
       command: start
+  update:
+    reboot-strategy: "reboot"
 manage_etc_hosts: localhost

terraform/aws/sg-all-traffic/main.tf

@@ -32,7 +32,7 @@ resource "aws_security_group" "default" {
     cidr_blocks = ["${var.source_cidr_block}"]
   }
   tags {
-    Name = "apollo-mesos-default-security-group"
+    Name = "apollo-default-sg"
   }
 }
 

user-data

@@ -15,4 +15,6 @@ coreos:
     command: start
   - name: fleet.service
     command: start
+  update:
+    reboot-strategy: "reboot"
 manage_etc_hosts: localhost