Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2025-12-10 05:31:11 -05:00
Code Issues Projects Releases Packages Wiki Activity

terraform: Terraform module for AWS (#2503)

Browse source
This commit is contained in:
Adrian Stobbe 2023-11-08 19:10:01 +01:00 committed by GitHub
parent 0bac72261d
commit cea6204b37
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
94 changed files with 912 additions and 87 deletions
Download patch file Download diff file Expand all files Collapse all files

115
terraform/infrastructure/aws/modules/instance_group/main.tf Normal file
View file

@ -0,0 +1,115 @@
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "5.17.0"
}
random = {
source = "hashicorp/random"
version = "3.5.1"
}
}
}
locals {
group_uid = random_id.uid.hex
name = "${var.base_name}-${lower(var.role)}-${local.group_uid}"
}
resource "random_id" "uid" {
byte_length = 4
}
resource "aws_launch_template" "launch_template" {
name_prefix = local.name
image_id = var.image_id
instance_type = var.instance_type
iam_instance_profile {
name = var.iam_instance_profile
}
vpc_security_group_ids = var.security_groups
metadata_options {
http_endpoint = "enabled"
http_tokens = "required"
instance_metadata_tags = "disabled"
http_put_response_hop_limit = 2
}
block_device_mappings {
device_name = "/dev/sdb"
ebs {
volume_size = var.state_disk_size
volume_type = var.state_disk_type
encrypted = true
delete_on_termination = true
}
}
# See: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template#cpu-options
cpu_options {
# use "enabled" to enable SEV-SNP
# use "disabled" to disable SEV-SNP (but still require SNP-capable hardware)
# use null to leave the setting unset (allows non-SNP-capable hardware to be used)
amd_sev_snp = var.enable_snp ? "enabled" : null
# Disable SMT. We are already disabling it inside the image.
# Disabling SMT only in the image, not in the Hypervisor creates problems.
# Thus, also disable it in the Hypervisor.
# TODO(derpsteb): reenable once AWS confirms it's safe to do so.
# threads_per_core = 1
# When setting threads_per_core we also have to set core_count.
# For the currently supported SNP instance families (C6a, M6a, R6a) default_cores
# equals the maximum number of available cores.
# core_count = data.aws_ec2_instance_type.instance_data.default_cores
}
lifecycle {
create_before_destroy = true
ignore_changes = [
cpu_options, # required. we cannot change the CPU options of a launch template
name_prefix, # required. Allow legacy scale sets to keep their old names
default_version, # required. update procedure creates new versions of the launch template
image_id, # required. update procedure modifies the image id externally
]
}
}
resource "aws_autoscaling_group" "autoscaling_group" {
name = local.name
launch_template {
id = aws_launch_template.launch_template.id
}
min_size = 1
max_size = 10
desired_capacity = var.initial_count
vpc_zone_identifier = [var.subnetwork]
target_group_arns = var.target_group_arns
# TODO(msanft): Remove this (to have the 10m default) once AWS SEV-SNP boot problems are resolved.
# Set a higher timeout for the ASG to fulfill the desired healthy capcity. Temporary workaround to
# long boot times on SEV-SNP machines on AWS.
wait_for_capacity_timeout = var.enable_snp ? "20m" : "10m"
dynamic "tag" {
for_each = var.tags
content {
key = tag.key
value = tag.value
propagate_at_launch = true
}
}
lifecycle {
create_before_destroy = true
ignore_changes = [
name, # required. Allow legacy scale sets to keep their old names
launch_template.0.version, # required. update procedure creates new versions of the launch template
min_size, # required. autoscaling modifies the instance count externally
max_size, # required. autoscaling modifies the instance count externally
desired_capacity, # required. autoscaling modifies the instance count externally
]
}
}
data "aws_ec2_instance_type" "instance_data" {
instance_type = var.instance_type
}

84
terraform/infrastructure/aws/modules/instance_group/variables.tf Normal file
View file

@ -0,0 +1,84 @@
variable "base_name" {
type = string
description = "Base name of the instance group."
}
variable "node_group_name" {
type = string
description = "Constellation name for the node group (used for configuration and CSP-independent naming)."
}
variable "role" {
type = string
description = "The role of the instance group."
validation {
condition = contains(["control-plane", "worker"], var.role)
error_message = "The role has to be 'control-plane' or 'worker'."
}
}
variable "uid" {
type = string
description = "UID of the cluster. This is used for tags."
}
variable "instance_type" {
type = string
description = "Instance type for the nodes."
}
variable "initial_count" {
type = number
description = "Number of instances in the instance group."
}
variable "image_id" {
type = string
description = "Image ID for the nodes."
}
variable "state_disk_type" {
type = string
description = "EBS disk type for the state disk of the nodes."
}
variable "state_disk_size" {
type = number
description = "Disk size for the state disk of the nodes [GB]."
}
variable "target_group_arns" {
type = list(string)
description = "ARN of the target group."
}
variable "subnetwork" {
type = string
description = "Name of the subnetwork to use."
}
variable "iam_instance_profile" {
type = string
description = "IAM instance profile for the nodes."
}
variable "security_groups" {
type = list(string)
description = "List of IDs of the security groups for an instance."
}
variable "tags" {
type = map(string)
description = "The tags to add to the instance group."
}
variable "enable_snp" {
type = bool
default = true
description = "Enable AMD SEV SNP. Setting this to true sets the cpu-option AmdSevSnp to enable."
}
variable "zone" {
type = string
description = "Zone to deploy the instance group in."
}