terraform-rancher2-aws/modules/cluster/main.tf.tftpl at 8f7feab3387c6e2e06b267c7eba3a13dcd61861b · matttrach/terraform-rancher2-aws · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
# control plane terraform templatefile

provider "aws" {
  default_tags {
    tags = {
      Id    = local.identifier
      Owner = local.owner
    }
  }
}

locals {
  # tflint-ignore: terraform_unused_declarations
  ingress_controller = var.ingress_controller # not currently in use, TODO: add traefik functionality
  identifier         = var.identifier         # this is a random unique string that can be used to identify resources in the cloud provider
  owner              = var.owner
  project_name       = var.project_name
  username           = var.username
  ip_family          = var.ip_family
  runner_ip          = var.runner_ip
  ssh_key            = var.key
  ssh_key_name       = var.key_name
  domain             = var.domain
  zone               = var.zone # DNS zone

  rke2_version   = var.rke2_version
  install_method = var.install_method
  download       = (local.install_method == "tar" ? "download" : "skip")

  server_info = jsondecode(<<-EOT
    ${server_info}
  EOT
  )
  install_prep_script = local.server_info.prep_script
  local_file_path     = local.server_info.file_path
  workfolder          = local.server_info.workfolder
  cloudinit_strategy  = local.server_info.cloudinit_strategy
  config              = local.server_info.config

  target_groups       = jsondecode(<<-EOT
    ${target_groups}
  EOT
  )
  cluster_cidr = jsondecode(<<-EOT
    ${cluster_cidr}
  EOT
  )
  service_cidr = jsondecode(<<-EOT
    ${service_cidr}
  EOT
  )
}

data "http" "myip" {
  url = "https://ipinfo.io/ip"
}

module "${role}_node" {
  source                              = "rancher/rke2/aws"
  version                             = "1.2.2"
  project_use_strategy                = "skip"
  project_domain                      = local.domain
  project_domain_zone                 = local.zone
  server_use_strategy                 = "create"
  server_name                         = local.server_info.name
  server_type                         = local.server_info.size
  server_security_group_name          = "${project_security_group_name}" # should always match project security group
  server_availability_zone            = local.server_info.az
  server_image_use_strategy           = "find"
  server_image_type                   = local.server_info.image
  server_ip_family                    = local.ip_family
  server_cloudinit_use_strategy       = local.server_info.cloudinit_strategy
  server_indirect_access_use_strategy = local.server_info.indirect_access
  server_load_balancer_target_groups  = values(local.target_groups)
  server_subnet_name                  = local.server_info.subnet
  server_direct_access_use_strategy   = "ssh"                    # configure the servers for direct ssh access
  # remember these are external access objects, internal access is enabled by default
  server_access_addresses = { # you must include ssh access here to enable setup
    ssh = {
      port      = 22 # allow access on ssh port
      protocol  = "tcp"
      ip_family = (local.ip_family == "ipv6" ? "ipv6" : "ipv4")
      cidrs     = (local.ip_family == "ipv6" ? ["$${local.runner_ip}/128"] : ["$${local.runner_ip}/32"])
    }
    api = {
      port      = 6443 # allow runner IP access to API
      protocol  = "tcp"
      ip_family = (local.ip_family == "ipv6" ? "ipv6" : "ipv4")
      cidrs     = (local.ip_family == "ipv6" ? ["$${local.runner_ip}/128"] : ["$${local.runner_ip}/32"])
    }
    application-secure = {
      port      = 443 # allow runner IP access to https
      protocol  = "tcp"
      ip_family = (local.ip_family == "ipv6" ? "ipv6" : "ipv4")
      cidrs     = (local.ip_family == "ipv6" ? ["$${local.runner_ip}/128"] : ["$${local.runner_ip}/32"])
    }
    application-insecure = {
      port      = 80 # allow runner IP access to http
      protocol  = "tcp"
      ip_family = (local.ip_family == "ipv6" ? "ipv6" : "ipv4")
      cidrs     = (local.ip_family == "ipv6" ? ["$${local.runner_ip}/128"] : ["$${local.runner_ip}/32"])
    }
  }
  server_user = {
    user                     = local.username
    aws_keypair_use_strategy = "select"
    ssh_key_name             = local.ssh_key_name
    public_ssh_key           = local.ssh_key
    user_workfolder          = local.server_info.workfolder
    timeout                  = 10
  }
  server_add_domain        = false
  server_domain_name       = local.server_info.domain
  server_domain_zone       = local.zone
  server_add_eip           = false
  install_use_strategy     = local.install_method
  local_file_use_strategy  = local.download
  local_file_path          = local.server_info.file_path
  install_rke2_version     = local.rke2_version
  install_rpm_channel      = "stable"
  install_remote_file_path = "$${local.server_info.workfolder}/rke2"
  install_role             = local.server_info.type
  install_start            = true
  install_prep_script      = local.server_info.prep_script
  install_start_timeout    = 10
  config_use_strategy      = local.server_info.config_strategy
  config_join_strategy     = "join"
  config_join_url          = "${join_url}"
  config_join_token        = "${join_token}"
  config_cluster_cidr      = local.cluster_cidr
  config_service_cidr      = local.service_cidr
  config_supplied_content  = local.server_info.config
  config_supplied_name     = "51-config.yaml"
  retrieve_kubeconfig      = false # use initial
}