terraform: Terraform module for AWS (#2503)

Adrian Stobbe 2023-11-08 19:10:01 +01:00 committed by GitHub
parent 0bac72261d
commit cea6204b37
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
94 changed files with 912 additions and 87 deletions


@ -0,0 +1,45 @@
<xsl:stylesheet version="2.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:output omit-xml-declaration="yes" indent="yes"/>
<xsl:template match="node()|@*">
<xsl:copy>
<xsl:apply-templates select="node()|@*"/>
</xsl:copy>
</xsl:template>
<xsl:template match="os">
<os>
<xsl:apply-templates select="@*|node()"/>
</os>
</xsl:template>
<xsl:template match="/domain/os/loader">
<xsl:copy>
<!--<xsl:apply-templates select="node()|@*"/>-->
<xsl:attribute name="secure">
<xsl:value-of select="'no'"/>
</xsl:attribute>
<xsl:attribute name="readonly">
<xsl:value-of select="'yes'"/>
</xsl:attribute>
<xsl:attribute name="type">
<xsl:value-of select="'pflash'"/>
</xsl:attribute>
<xsl:value-of select="."/>
</xsl:copy>
</xsl:template>
<xsl:template match="/domain/features">
<xsl:copy>
<xsl:apply-templates select="node()|@*"/>
<xsl:element name ="smm" />
</xsl:copy>
</xsl:template>
<xsl:template match="/domain/devices/tpm/backend">
<xsl:copy>
<xsl:apply-templates select="node()|@*"/>
<xsl:element name ="active_pcr_banks">
<xsl:element name="sha1"></xsl:element>
<xsl:element name="sha256"></xsl:element>
<xsl:element name="sha384"></xsl:element>
<xsl:element name="sha512"></xsl:element>
</xsl:element>
</xsl:copy>
</xsl:template>
</xsl:stylesheet>
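Review bot: The `/domain/os/loader` template hard-codes `secure='no'` on the loader, which tells libvirt/QEMU the firmware is not a Secure Boot build, while the module's `machine` and `nvram` variables in the same commit are described as being "for secure boot"; if Secure Boot enforcement is intended here, the value should be `'yes'`, and if it is deliberately off, the reason belongs in a comment such as `<!-- secure='no': Secure Boot is not enforced by this firmware; attestation relies on the vTPM measurements below -->`. The commented-out `apply-templates` on the same element also means every original loader attribute is dropped and only the three attributes set here survive, which is worth stating explicitly rather than leaving as dead markup. In the `tpm/backend` template, enabling the `sha1` PCR bank alongside `sha256`/`sha384`/`sha512` extends measurements into a bank that uses a deprecated hash; if the attestation path only verifies the sha256 bank, consider dropping `sha1` or documenting why it is needed.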


@ -0,0 +1,99 @@
terraform {
required_providers {
libvirt = {
source = "dmacvicar/libvirt"
version = "0.7.1"
}
random = {
source = "hashicorp/random"
version = "3.5.1"
}
}
}
resource "libvirt_domain" "instance_group" {
count = var.amount
name = "${var.base_name}-${var.role}-${local.group_uid}-${count.index}"
memory = var.memory
vcpu = var.vcpus
machine = var.machine
firmware = local.firmware
dynamic "cpu" {
for_each = var.boot_mode == "direct-linux-boot" ? [1] : []
content {
mode = "host-passthrough"
}
}
dynamic "nvram" {
for_each = var.boot_mode == "uefi" ? [1] : []
content {
file = "/var/lib/libvirt/qemu/nvram/${var.role}-${count.index}_VARS.fd"
template = var.nvram
}
}
xml {
xslt = file("${path.module}/${local.xslt_filename}")
}
kernel = local.kernel
initrd = local.initrd
cmdline = local.cmdline
tpm {
backend_type = "emulator"
backend_version = "2.0"
}
disk {
volume_id = element(libvirt_volume.boot_volume.*.id, count.index)
}
disk {
volume_id = element(libvirt_volume.state_volume.*.id, count.index)
}
network_interface {
network_id = var.network_id
hostname = "${var.role}-${count.index}"
addresses = [cidrhost(var.cidr, local.ip_range_start + count.index)]
wait_for_lease = true
}
console {
type = "pty"
target_port = "0"
}
}
resource "libvirt_volume" "boot_volume" {
count = var.amount
name = "constellation-${var.role}-${local.group_uid}-${count.index}-boot"
pool = var.pool
base_volume_id = var.boot_volume_id
lifecycle {
ignore_changes = [
name, # required. Allow legacy scale sets to keep their old names
]
}
}
resource "libvirt_volume" "state_volume" {
count = var.amount
name = "constellation-${var.role}-${local.group_uid}-${count.index}-state"
pool = var.pool
size = local.state_disk_size_byte
format = "qcow2"
lifecycle {
ignore_changes = [
name, # required. Allow legacy scale sets to keep their old names
]
}
}
resource "random_id" "uid" {
byte_length = 4
}
locals {
group_uid = random_id.uid.hex
state_disk_size_byte = 1073741824 * var.state_disk_size
ip_range_start = 100
kernel = var.boot_mode == "direct-linux-boot" ? var.kernel_volume_id : null
initrd = var.boot_mode == "direct-linux-boot" ? var.initrd_volume_id : null
cmdline = var.boot_mode == "direct-linux-boot" ? [{ "_" = var.kernel_cmdline }] : null
firmware = var.boot_mode == "uefi" ? var.firmware : null
xslt_filename = var.boot_mode == "direct-linux-boot" ? "tdx_domain.xsl" : "domain.xsl"
}
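Review bot: The NVRAM path in the `nvram` block, `/var/lib/libvirt/qemu/nvram/${var.role}-${count.index}_VARS.fd`, is keyed only on role and index, whereas the domain name on the line above it includes `var.base_name` and `local.group_uid`; two clusters or node groups on the same host with the same role would therefore share (and overwrite) the same UEFI variable store, which also carries Secure Boot state. Derive the file name from the same unique components, e.g. `file = "/var/lib/libvirt/qemu/nvram/${var.base_name}-${var.role}-${local.group_uid}-${count.index}_VARS.fd"`. The `hostname = "${var.role}-${count.index}"` in `network_interface` has the same collision property and likely wants the same prefix. `local.ip_range_start + count.index` is not checked against the size of `var.cidr`; a `validation` on `amount` or a comment stating the assumed minimum subnet size would make the limit visible.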


@ -0,0 +1,3 @@
output "instance_ips" {
value = flatten(libvirt_domain.instance_group[*].network_interface[*].addresses[*])
}


@ -0,0 +1,92 @@
<xsl:stylesheet version="2.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
<xsl:output omit-xml-declaration="yes" indent="yes"/>
<xsl:template match="node()|@*">
<xsl:copy>
<xsl:apply-templates select="node()|@*"/>
</xsl:copy>
</xsl:template>
<xsl:template match="/domain">
<xsl:copy>
<xsl:apply-templates select="node()|@*"/>
<xsl:element name ="clock">
<xsl:attribute name="offset">
<xsl:value-of select="'utc'"/>
</xsl:attribute>
<xsl:element name ="timer">
<xsl:attribute name="name">
<xsl:value-of select="'hpet'"/>
</xsl:attribute>
<xsl:attribute name="present">
<xsl:value-of select="'no'"/>
</xsl:attribute>
</xsl:element>
</xsl:element>
<xsl:element name ="on_poweroff"><xsl:text>destroy</xsl:text></xsl:element>
<xsl:element name ="on_reboot"><xsl:text>restart</xsl:text></xsl:element>
<xsl:element name ="on_crash"><xsl:text>destroy</xsl:text></xsl:element>
<xsl:element name ="pm">
<xsl:element name ="suspend-to-mem">
<xsl:attribute name="enable">
<xsl:value-of select="'no'"/>
</xsl:attribute>
</xsl:element>
<xsl:element name ="suspend-to-disk">
<xsl:attribute name="enable">
<xsl:value-of select="'no'"/>
</xsl:attribute>
</xsl:element>
</xsl:element>
<xsl:element name ="allowReboot">
<xsl:attribute name="value">
<xsl:value-of select="'no'"/>
</xsl:attribute>
</xsl:element>
<xsl:element name ="launchSecurity">
<xsl:attribute name="type">
<xsl:value-of select="'tdx'"/>
</xsl:attribute>
<xsl:element name ="policy"><xsl:text>0x10000001</xsl:text></xsl:element>
<xsl:element name ="Quote-Generation-Service"><xsl:text>vsock:2:4050</xsl:text></xsl:element>
</xsl:element>
<xsl:element name ="qemu:commandline" >
<xsl:element name ="qemu:arg">
<xsl:attribute name="value">
<xsl:value-of select="'-cpu'"/>
</xsl:attribute>
</xsl:element>
<xsl:element name ="qemu:arg">
<xsl:attribute name="value">
<xsl:value-of select="'host,-kvm-steal-time'"/>
</xsl:attribute>
</xsl:element>
</xsl:element>
</xsl:copy>
</xsl:template>
<xsl:template match="os">
<os>
<xsl:apply-templates select="@*|node()"/>
</os>
</xsl:template>
<xsl:template match="/domain/os/loader">
<loader>
<xsl:apply-templates select="node()"/>
</loader>
</xsl:template>
<xsl:template match="/domain/features">
<features>
<acpi/>
<apic/>
<ioapic driver="qemu"/>
</features>
</xsl:template>
<xsl:template match="/domain/vcpu">
<vcpu placement="static"><xsl:apply-templates select="@*|node()"/></vcpu>
</xsl:template>
<xsl:template match="/domain/devices/console">
<console type="pty">
<target type="virtio" port="1" />
</console>
</xsl:template>
<xsl:template match="/domain/devices/graphics"></xsl:template>
<xsl:template match="/domain/devices/rng"></xsl:template>
</xsl:stylesheet>
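Review bot: The `launchSecurity` element hard-codes `policy` `0x10000001` and `Quote-Generation-Service` `vsock:2:4050` without any explanation; these values govern the TDX guest's attestation policy and where quotes are obtained, so a comment stating which policy bits are set and that the QGS address is host-side (and which component is expected to listen there) should sit directly above them, e.g. `<!-- TDX policy bits: <meaning — TODO fill in>; QGS reachable on host vsock CID 2, port 4050 -->`. The same applies to the `-cpu host,-kvm-steal-time` argument in the `qemu:commandline` block, which silently changes the guest CPU model. The empty templates for `/domain/devices/graphics` and `/domain/devices/rng` remove those devices from the generated domain; dropping the rng device in particular affects the guest's entropy sources, so a one-line comment on each explaining why they are stripped for the TDX case would avoid a future reviewer reverting it.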


@ -0,0 +1,95 @@
variable "amount" {
type = number
description = "amount of nodes"
}
variable "vcpus" {
type = number
description = "amount of vcpus per instance"
}
variable "memory" {
type = number
description = "amount of memory per instance (MiB)"
}
variable "state_disk_size" {
type = number
description = "size of state disk (GiB)"
}
variable "cidr" {
type = string
description = "subnet to use for dhcp"
}
variable "network_id" {
type = string
description = "id of the network to use"
}
variable "pool" {
type = string
description = "name of the storage pool to use"
}
variable "boot_mode" {
type = string
description = "boot mode. Can be 'uefi' or 'direct-linux-boot'"
validation {
condition = can(regex("^(uefi|direct-linux-boot)$", var.boot_mode))
error_message = "boot_mode must be 'uefi' or 'direct-linux-boot'"
}
}
variable "boot_volume_id" {
type = string
description = "id of the constellation boot disk"
}
variable "kernel_volume_id" {
type = string
description = "id of the constellation kernel volume"
default = ""
}
variable "initrd_volume_id" {
type = string
description = "id of the constellation initrd volume"
default = ""
}
variable "kernel_cmdline" {
type = string
description = "kernel cmdline"
default = ""
}
variable "role" {
type = string
description = "role of the node in the constellation. either 'control-plane' or 'worker'"
}
variable "machine" {
type = string
description = "machine type. use 'q35' for secure boot and 'pc' for non secure boot. See 'qemu-system-x86_64 -machine help'"
}
variable "firmware" {
type = string
description = "path to UEFI firmware file. Ignored for direct-linux-boot."
}
variable "nvram" {
type = string
description = "path to UEFI NVRAM template file. Used for secure boot."
}
variable "base_name" {
type = string
description = "name prefix of the cluster VMs"
}
variable "node_group_name" {
type = string
description = "name of the node group"
}