# AWS provider. Region and credentials are not set here, so they come from the
# usual environment/profile chain. Every resource created through this provider
# is tagged with the deployment identifier and owner so it can be found and
# cleaned up later.
provider "aws" {
  default_tags {
    tags = {
      Owner = local.owner
      Id    = local.identifier
    }
  }
}
# GitHub provider, configured entirely from the environment (typically a
# GITHUB_TOKEN variable — confirm against the provider docs). No token belongs
# in this file.
provider "github" {
}
# Kubernetes provider with no inline configuration: point KUBE_CONFIG_PATH at
# the kubeconfig written to local_file_path (the file_path variable) before
# running plan/apply, otherwise the provider cannot reach the cluster.
provider "kubernetes" {
}
# Helm provider with no inline configuration: as with the kubernetes provider,
# set KUBE_CONFIG_PATH to local_file_path (the file_path variable) so Helm
# talks to the cluster this configuration builds.
provider "helm" {
}
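# Remote state in S3. The bucket is deliberately not hard-coded so the same
# example can be deployed under different identifiers; pass it as a partial
# backend config at init time, e.g.
#   terraform init -reconfigure -backend-config="bucket=<identifier>"
# https://developer.hashicorp.com/terraform/language/backend/s3
# https://developer.hashicorp.com/terraform/language/backend#partial-configuration
terraform {
  backend "s3" {
    key = "tfstate"

    # The state for this example holds secrets: the generated Rancher bootstrap
    # password (random_password.admin_password) and the certificate material
    # handed to module.rancher. Require server-side encryption of the state
    # object rather than relying on the bucket's default policy. Also make sure
    # the bucket blocks public access and has versioning enabled; see the S3
    # backend docs above for the available state-locking options.
    encrypt = true
  }
}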
# Settings shared by the module calls below. Per-deployment values come from
# variables; values fixed for this example are set here so they are visible in
# one place.
locals {
  # --- project identity -------------------------------------------------------
  identifier = var.identifier
  owner      = var.owner
  example    = "dev"
  # Short, stable name derived from the example and identifier. md5 is used only
  # to shorten the name; it is not a security control.
  project_name = "tf-${substr(md5(join("-", [local.example, local.identifier])), 0, 5)}"
  username     = local.project_name
  domain       = local.project_name
  zone         = var.zone

  # --- access -----------------------------------------------------------------
  key_name = var.key_name
  key      = var.key
  # "runner" is the machine running Terraform; its public IP becomes admin_ip
  # for module.rancher. The value is taken verbatim from data.http.myip.
  runner_ip       = chomp(data.http.myip.response_body)
  local_file_path = var.file_path

  # --- cluster ----------------------------------------------------------------
  rke2_version = var.rke2_version
  os           = "sle-micro-61"
  node_configuration = {
    "rancher" = {
      type            = "all-in-one"
      size            = "xxl"
      os              = local.os
      indirect_access = true
      initial         = true
    }
  }

  # --- rancher ----------------------------------------------------------------
  rancher_version      = var.rancher_version
  cert_manager_version = "1.18.1"
  rancher_helm_repo    = "https://releases.rancher.com/server-charts"
  rancher_helm_channel = "stable"
  helm_chart_strategy  = "provide"
  # Chart values for a certificate that is supplied rather than issued in-cluster:
  # ingress.tls.source = "secret" together with privateCA = "true" tells Rancher
  # to use the secret populated from the certificate passed to module.rancher.
  # NOTE(review): an earlier comment described these values as using a Let's
  # Encrypt cert; with these settings that does not appear to be the case —
  # confirm against the module.
  # WARNING! "hostname" must be an fqdn
  # bootstrapPassword comes from a random_password resource, so the value is
  # held in Terraform state; treat the state backend as sensitive.
  helm_chart_values = {
    "hostname"               = "${local.domain}.${local.zone}"
    "replicas"               = "1"
    "bootstrapPassword"      = random_password.admin_password.result
    "tls"                    = "ingress"
    "ingress.enabled"        = "true"
    "ingress.tls.source"     = "secret"
    "ingress.tls.secretName" = "tls-rancher-ingress"
    "certmanager.version"    = local.cert_manager_version
    "agentTLSMode"           = "strict"
    "privateCA"              = "true"
    "additionalTrustedCAs"   = "true"
  }
}
# Initial Rancher admin ("bootstrap") password, generated so that no secret is
# committed to the repository. Note that the result is persisted in Terraform
# state, and that without min_special/min_upper/min_numeric constraints the
# generator does not guarantee that every character class actually appears.
resource "random_password" "admin_password" {
  length           = 16
  special          = true
  override_special = "!#$%&-_=+"
}
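# Discover the public egress IP of the machine running Terraform; local.runner_ip
# feeds it to module.rancher as admin_ip. The response of a third-party service
# is otherwise trusted verbatim, so the postconditions refuse anything that is
# not a 200 carrying a single IPv4 address — a maintenance page or an unexpected
# payload must fail the plan rather than silently become an access rule.
# NOTE(review): if Terraform runs behind a shared NAT or CI egress, this address
# is shared with every other tenant of that egress; confirm that is acceptable.
# NOTE(review): a v6-only runner would get an IPv6 address back, which this
# check rejects — extend the pattern if that case matters.
data "http" "myip" {
  url = "https://ipinfo.io/ip"

  lifecycle {
    postcondition {
      condition     = self.status_code == 200
      error_message = "ipinfo.io returned HTTP ${self.status_code}; refusing to derive admin_ip from it."
    }
    postcondition {
      condition     = can(regex("^[0-9]{1,3}(\\.[0-9]{1,3}){3}$", chomp(self.response_body)))
      error_message = "ipinfo.io response body is not a single IPv4 address: '${chomp(self.response_body)}'."
    }
  }
}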
# Do not do this in production: it exists only to demonstrate that self-signed certificates work with this Rancher configuration.
# Generating the certificate inside Terraform typically leaves the private key in state. In production, source it from a secrets manager such as Vault, or, on Terraform 1.11+, use ephemeral resources so the key never lands in state.
# Local helper module that produces the self-signed certificate, private key and
# chain for the Rancher hostname. Its outputs are consumed by module.rancher.
module "tls" {
  domain = "${local.domain}.${local.zone}"
  source = "./modules/tls"
}
# Builds the RKE2 cluster and installs Rancher using the certificate material
# from module.tls. module.tls is already an implicit dependency through the
# outputs referenced below; the explicit depends_on just makes the ordering
# visible.
module "rancher" {
  source     = "../../"
  depends_on = [module.tls]

  # project identity
  identifier   = local.identifier
  owner        = local.owner
  project_name = local.project_name
  domain       = local.domain
  zone         = local.zone

  # access: only the Terraform runner's public IP is admitted as admin
  key_name = local.key_name
  key      = local.key
  username = local.username
  admin_ip = local.runner_ip

  # rke2
  rke2_version       = local.rke2_version
  local_file_path    = local.local_file_path
  install_method     = "rpm" # rpm only for now, need to figure out local helm chart installs otherwise
  cni                = "canal"
  node_configuration = local.node_configuration

  # rancher: the certificate is supplied, not issued by the module.
  # NOTE(review): the private key is passed as a plain module input; unless the
  # module declares that variable sensitive it will appear in plan output —
  # confirm against the module's variables.
  cert_manager_version            = local.cert_manager_version
  cert_use_strategy               = "supply"
  tls_public_cert                 = module.tls.tls_public_certificate # just the cert, not any CA
  tls_private_key                 = module.tls.tls_private_key
  tls_public_chain                = module.tls.certificate_chain # just the chain, it should not include the cert itself
  rancher_version                 = local.rancher_version
  rancher_helm_repo               = local.rancher_helm_repo
  rancher_helm_channel            = local.rancher_helm_channel
  rancher_helm_chart_use_strategy = local.helm_chart_strategy
  rancher_helm_chart_values       = local.helm_chart_values
  bootstrap_rancher               = false
}