Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2025-08-20 04:28:07 -04:00
Code Issues Projects Releases Packages Wiki Activity

terraform: simplify additional tagging logic to ensure they are always applied (#3045)

Browse source 
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
This commit is contained in:
Daniel Weiße 2024-04-26 11:53:25 +02:00 committed by GitHub
parent 680d3318af
commit 46994b7ee0
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 32 additions and 31 deletions
Download patch file Download diff file Expand all files Collapse all files

22
terraform/infrastructure/aws/main.tf
View file

@ -48,9 +48,10 @@ locals {
// example: given "name-1234567890.region.elb.amazonaws.com" it will return "*.region.elb.amazonaws.com" // example: given "name-1234567890.region.elb.amazonaws.com" it will return "*.region.elb.amazonaws.com"
wildcard_lb_dns_name = replace(aws_lb.front_end.dns_name, "/^[^.]*\\./", "*.") wildcard_lb_dns_name = replace(aws_lb.front_end.dns_name, "/^[^.]*\\./", "*.")
tags = { tags = merge(
constellation-uid = local.uid, var.additional_tags,
} { constellation-uid = local.uid }
)
in_cluster_endpoint = aws_lb.front_end.dns_name in_cluster_endpoint = aws_lb.front_end.dns_name
out_of_cluster_endpoint = var.internal_load_balancer && var.debug ? module.jump_host[0].ip : local.in_cluster_endpoint out_of_cluster_endpoint = var.internal_load_balancer && var.debug ? module.jump_host[0].ip : local.in_cluster_endpoint
@ -68,7 +69,7 @@ resource "random_password" "init_secret" {
resource "aws_vpc" "vpc" { resource "aws_vpc" "vpc" {
cidr_block = "192.168.0.0/16" cidr_block = "192.168.0.0/16"
tags = merge(local.tags, var.additional_tags, { Name = "${local.name}-vpc" }) tags = merge(local.tags, { Name = "${local.name}-vpc" })
} }
module "public_private_subnet" { module "public_private_subnet" {
@ -79,7 +80,7 @@ module "public_private_subnet" {
cidr_vpc_subnet_internet = "192.168.0.0/20" cidr_vpc_subnet_internet = "192.168.0.0/20"
zone = var.zone zone = var.zone
zones = local.zones zones = local.zones
tags = merge(local.tags, var.additional_tags) tags = local.tags
} }
resource "aws_eip" "lb" { resource "aws_eip" "lb" {
@ -89,14 +90,14 @@ resource "aws_eip" "lb" {
# control-plane. # control-plane.
for_each = var.internal_load_balancer ? [] : toset([var.zone]) for_each = var.internal_load_balancer ? [] : toset([var.zone])
domain = "vpc" domain = "vpc"
tags = merge(local.tags, var.additional_tags, { "constellation-ip-endpoint" = each.key == var.zone ? "legacy-primary-zone" : "additional-zone" }) tags = merge(local.tags, { "constellation-ip-endpoint" = each.key == var.zone ? "legacy-primary-zone" : "additional-zone" })
} }
resource "aws_lb" "front_end" { resource "aws_lb" "front_end" {
name = "${local.name}-loadbalancer" name = "${local.name}-loadbalancer"
internal = var.internal_load_balancer internal = var.internal_load_balancer
load_balancer_type = "network" load_balancer_type = "network"
tags = merge(local.tags, var.additional_tags) tags = local.tags
security_groups = [aws_security_group.security_group.id] security_groups = [aws_security_group.security_group.id]
dynamic "subnet_mapping" { dynamic "subnet_mapping" {
@ -123,7 +124,7 @@ resource "aws_security_group" "security_group" {
name = local.name name = local.name
vpc_id = aws_vpc.vpc.id vpc_id = aws_vpc.vpc.id
description = "Security group for ${local.name}" description = "Security group for ${local.name}"
tags = merge(local.tags, var.additional_tags) tags = local.tags
egress { egress {
from_port = 0 from_port = 0
@ -171,7 +172,7 @@ module "load_balancer_targets" {
healthcheck_path = each.value.name == "kubernetes" ? "/readyz" : "" healthcheck_path = each.value.name == "kubernetes" ? "/readyz" : ""
vpc_id = aws_vpc.vpc.id vpc_id = aws_vpc.vpc.id
lb_arn = aws_lb.front_end.arn lb_arn = aws_lb.front_end.arn
tags = merge(local.tags, var.additional_tags) tags = local.tags
} }
module "instance_group" { module "instance_group" {
@ -194,7 +195,6 @@ module "instance_group" {
enable_snp = var.enable_snp enable_snp = var.enable_snp
tags = merge( tags = merge(
local.tags, local.tags,
var.additional_tags,
{ Name = "${local.name}-${each.value.role}" }, { Name = "${local.name}-${each.value.role}" },
{ constellation-role = each.value.role }, { constellation-role = each.value.role },
{ constellation-node-group = each.key }, { constellation-node-group = each.key },
@ -213,5 +213,5 @@ module "jump_host" {
ports = [for port in local.load_balancer_ports : port.port] ports = [for port in local.load_balancer_ports : port.port]
security_groups = [aws_security_group.security_group.id] security_groups = [aws_security_group.security_group.id]
iam_instance_profile = var.iam_instance_profile_name_worker_nodes iam_instance_profile = var.iam_instance_profile_name_worker_nodes
additional_tags = var.additional_tags additional_tags = local.tags
} }

24
terraform/infrastructure/azure/main.tf
View file

@ -23,9 +23,10 @@ locals {
uid = random_id.uid.hex uid = random_id.uid.hex
name = "${var.name}-${local.uid}" name = "${var.name}-${local.uid}"
init_secret_hash = random_password.init_secret.bcrypt_hash init_secret_hash = random_password.init_secret.bcrypt_hash
tags = { tags = merge(
constellation-uid = local.uid, var.additional_tags,
} { constellation-uid = local.uid }
)
ports_node_range = "30000-32767" ports_node_range = "30000-32767"
cidr_vpc_subnet_nodes = "10.9.0.0/16" cidr_vpc_subnet_nodes = "10.9.0.0/16"
ports = flatten([ ports = flatten([
@ -76,7 +77,7 @@ resource "azurerm_attestation_provider" "attestation_provider" {
ignore_changes = [open_enclave_policy_base64, sgx_enclave_policy_base64, tpm_policy_base64, sev_snp_policy_base64] ignore_changes = [open_enclave_policy_base64, sgx_enclave_policy_base64, tpm_policy_base64, sev_snp_policy_base64]
} }
tags = var.additional_tags tags = local.tags
} }
resource "azurerm_public_ip" "loadbalancer_ip" { resource "azurerm_public_ip" "loadbalancer_ip" {
@ -87,7 +88,7 @@ resource "azurerm_public_ip" "loadbalancer_ip" {
location = var.location location = var.location
allocation_method = "Static" allocation_method = "Static"
sku = "Standard" sku = "Standard"
tags = merge(local.tags, var.additional_tags) tags = local.tags
lifecycle { lifecycle {
ignore_changes = [name] ignore_changes = [name]
@ -113,7 +114,7 @@ resource "azurerm_public_ip" "nat_gateway_ip" {
location = var.location location = var.location
allocation_method = "Static" allocation_method = "Static"
sku = "Standard" sku = "Standard"
tags = merge(local.tags, var.additional_tags) tags = local.tags
} }
resource "azurerm_nat_gateway" "gateway" { resource "azurerm_nat_gateway" "gateway" {
@ -122,7 +123,7 @@ resource "azurerm_nat_gateway" "gateway" {
resource_group_name = var.resource_group resource_group_name = var.resource_group
sku_name = "Standard" sku_name = "Standard"
idle_timeout_in_minutes = 10 idle_timeout_in_minutes = 10
tags = var.additional_tags tags = local.tags
} }
resource "azurerm_subnet_nat_gateway_association" "example" { resource "azurerm_subnet_nat_gateway_association" "example" {
@ -140,7 +141,7 @@ resource "azurerm_lb" "loadbalancer" {
location = var.location location = var.location
resource_group_name = var.resource_group resource_group_name = var.resource_group
sku = "Standard" sku = "Standard"
tags = merge(local.tags, var.additional_tags) tags = local.tags
dynamic "frontend_ip_configuration" { dynamic "frontend_ip_configuration" {
for_each = var.internal_load_balancer ? [] : [1] for_each = var.internal_load_balancer ? [] : [1]
@ -188,7 +189,7 @@ resource "azurerm_virtual_network" "network" {
resource_group_name = var.resource_group resource_group_name = var.resource_group
location = var.location location = var.location
address_space = ["10.0.0.0/8"] address_space = ["10.0.0.0/8"]
tags = merge(local.tags, var.additional_tags) tags = local.tags
} }
resource "azurerm_subnet" "loadbalancer_subnet" { resource "azurerm_subnet" "loadbalancer_subnet" {
@ -210,7 +211,7 @@ resource "azurerm_network_security_group" "security_group" {
name = local.name name = local.name
location = var.location location = var.location
resource_group_name = var.resource_group resource_group_name = var.resource_group
tags = merge(local.tags, var.additional_tags) tags = local.tags
dynamic "security_rule" { dynamic "security_rule" {
for_each = concat( for_each = concat(
@ -240,7 +241,6 @@ module "scale_set_group" {
zones = each.value.zones zones = each.value.zones
tags = merge( tags = merge(
local.tags, local.tags,
var.additional_tags,
{ constellation-init-secret-hash = local.init_secret_hash }, { constellation-init-secret-hash = local.init_secret_hash },
{ constellation-maa-url = var.create_maa ? azurerm_attestation_provider.attestation_provider[0].attestation_uri : "" }, { constellation-maa-url = var.create_maa ? azurerm_attestation_provider.attestation_provider[0].attestation_uri : "" },
) )
@ -276,7 +276,7 @@ module "jump_host" {
subnet_id = azurerm_subnet.loadbalancer_subnet[0].id subnet_id = azurerm_subnet.loadbalancer_subnet[0].id
ports = [for port in local.ports : port.port] ports = [for port in local.ports : port.port]
lb_internal_ip = azurerm_lb.loadbalancer.frontend_ip_configuration[0].private_ip_address lb_internal_ip = azurerm_lb.loadbalancer.frontend_ip_configuration[0].private_ip_address
tags = var.additional_tags tags = local.tags
} }
data "azurerm_subscription" "current" { data "azurerm_subscription" "current" {

17
terraform/infrastructure/gcp/main.tf
View file

@ -33,9 +33,10 @@ locals {
uid = random_id.uid.hex uid = random_id.uid.hex
name = "${var.name}-${local.uid}" name = "${var.name}-${local.uid}"
init_secret_hash = random_password.init_secret.bcrypt_hash init_secret_hash = random_password.init_secret.bcrypt_hash
labels = { labels = merge(
constellation-uid = local.uid, var.additional_labels,
} { constellation-uid = local.uid }
)
ports_node_range = "30000-32767" ports_node_range = "30000-32767"
cidr_vpc_subnet_nodes = "192.168.178.0/24" cidr_vpc_subnet_nodes = "192.168.178.0/24"
cidr_vpc_subnet_pods = "10.10.0.0/16" cidr_vpc_subnet_pods = "10.10.0.0/16"
@ -183,7 +184,7 @@ module "instance_group" {
kube_env = local.kube_env kube_env = local.kube_env
debug = var.debug debug = var.debug
named_ports = each.value.role == "control-plane" ? local.control_plane_named_ports : [] named_ports = each.value.role == "control-plane" ? local.control_plane_named_ports : []
labels = merge(var.additional_labels, local.labels) labels = local.labels
init_secret_hash = local.init_secret_hash init_secret_hash = local.init_secret_hash
custom_endpoint = var.custom_endpoint custom_endpoint = var.custom_endpoint
cc_technology = var.cc_technology cc_technology = var.cc_technology
@ -196,7 +197,7 @@ resource "google_compute_address" "loadbalancer_ip_internal" {
subnetwork = google_compute_subnetwork.ilb_subnet[0].id subnetwork = google_compute_subnetwork.ilb_subnet[0].id
purpose = "SHARED_LOADBALANCER_VIP" purpose = "SHARED_LOADBALANCER_VIP"
address_type = "INTERNAL" address_type = "INTERNAL"
labels = var.additional_labels labels = local.labels
} }
resource "google_compute_global_address" "loadbalancer_ip" { resource "google_compute_global_address" "loadbalancer_ip" {
@ -214,7 +215,7 @@ module "loadbalancer_public" {
health_check = each.value.health_check health_check = each.value.health_check
backend_instance_groups = local.control_plane_instance_groups backend_instance_groups = local.control_plane_instance_groups
ip_address = google_compute_global_address.loadbalancer_ip[0].self_link ip_address = google_compute_global_address.loadbalancer_ip[0].self_link
frontend_labels = merge(local.labels, var.additional_labels, { constellation-use = each.value.name }) frontend_labels = merge(local.labels, { constellation-use = each.value.name })
} }
module "loadbalancer_internal" { module "loadbalancer_internal" {
@ -226,7 +227,7 @@ module "loadbalancer_internal" {
health_check = each.value.health_check health_check = each.value.health_check
backend_instance_group = local.control_plane_instance_groups[0] backend_instance_group = local.control_plane_instance_groups[0]
ip_address = google_compute_address.loadbalancer_ip_internal[0].self_link ip_address = google_compute_address.loadbalancer_ip_internal[0].self_link
frontend_labels = merge(local.labels, var.additional_labels, { constellation-use = each.value.name }) frontend_labels = merge(local.labels, { constellation-use = each.value.name })
region = var.region region = var.region
network = google_compute_network.vpc_network.id network = google_compute_network.vpc_network.id
@ -239,7 +240,7 @@ module "jump_host" {
base_name = local.name base_name = local.name
zone = var.zone zone = var.zone
subnetwork = google_compute_subnetwork.vpc_subnetwork.id subnetwork = google_compute_subnetwork.vpc_subnetwork.id
labels = merge(local.labels, var.additional_labels) labels = local.labels
lb_internal_ip = google_compute_address.loadbalancer_ip_internal[0].address lb_internal_ip = google_compute_address.loadbalancer_ip_internal[0].address
ports = [for port in local.control_plane_named_ports : port.port] ports = [for port in local.control_plane_named_ports : port.port]
} }