locals {
  # Derived values shared across the rest of the configuration (data.tf, output.tf,
  # cloud-init templates). Resource and data-source definitions referenced here live
  # in other files and are not visible from this one.

  # Resolved k3s version: fetched from GitHub at plan-time when var.k3s_version == "latest".
  # The value is the `name` field of the JSON body returned by data.http.k3s_latest_release;
  # whatever that endpoint returns at plan time is the version that gets installed, so pin
  # var.k3s_version to a fixed release when a reproducible rollout is required.
  k3s_version = var.k3s_version == "latest" ? jsondecode(data.http.k3s_latest_release[0].response_body).name : var.k3s_version

  # SSH public key material authorized on the nodes: prefer the string value in var.public_key;
  # fall back to reading the file at var.public_key_path (pathexpand() handles a leading "~").
  # When var.github_ssh_keys_username is set, every non-empty line of the
  # data.http.github_ssh_keys response body is appended as an additional key, so any key
  # published on that GitHub account at plan time becomes authorized — review that list
  # before apply. compact() drops empty entries; join("\n") yields one key per line.
  ssh_public_key = join("\n", compact(concat(
    [var.public_key != null ? var.public_key : trimspace(file(pathexpand(var.public_key_path)))],
    var.github_ssh_keys_username != "" ? [for k in split("\n", trimspace(data.http.github_ssh_keys[0].response_body)) : k if k != ""] : []
  )))

  # Resolved OS image ID: explicit variable wins; otherwise the first image returned by
  # data.oci_core_images.k3s_nodes. Which image is "first" depends on that data source's
  # filters and sort order (defined elsewhere) — NOTE(review): confirm it selects the intended release.
  os_image_id = var.os_image_id != null ? var.os_image_id : data.oci_core_images.k3s_nodes[0].images[0].id

  # Applied to every OCI resource for consistent identification and cost tracking.
  # The parenthesized key is an expression: the tag name itself comes from var.unique_tag_key.
  common_tags = {
    provisioner          = "terraform"
    environment          = var.environment
    k3s-cluster-name     = var.cluster_name
    (var.unique_tag_key) = var.unique_tag_value
  }

  # Shared OCI agent plugin configuration applied to all compute instances.
  # Vulnerability Scanning is explicitly DISABLED here; the Bastion plugin follows var.enable_bastion.
  agent_plugins = [
    { name = "Vulnerability Scanning", desired_state = "DISABLED" },
    { name = "Compute Instance Monitoring", desired_state = "ENABLED" },
    { name = "Custom Logs Monitoring", desired_state = "ENABLED" },
    { name = "Bastion", desired_state = var.enable_bastion ? "ENABLED" : "DISABLED" },
  ]

  # Internal LB IP used as the k3s server URL for agent join (first address of the internal LB).
  k3s_internal_lb_ip = oci_load_balancer_load_balancer.k3s_internal_lb.ip_address_details[0].ip_address

  # List of the public NLB's public addresses (is_public == true), in the order the
  # provider returns them. Consumers below and in output.tf take element [0]; the list is
  # empty until the NLB has a public address.
  public_lb_ip = [
    for addr in oci_network_load_balancer_network_load_balancer.k3s_public_nlb.ip_addresses :
    addr.ip_address if addr.is_public == true
  ]

  # Grafana hostname: user-supplied or derived from the first public NLB IP via sslip.io
  # (wildcard DNS that resolves "<ip>.sslip.io" to that IP). Empty string when no public IP exists.
  # Cloud-init uses this to create the Gateway listener, Certificate, and HTTPRoute
  # so that gitops/ manifests remain IP-independent across redeployments.
  grafana_hostname = var.grafana_hostname != null ? var.grafana_hostname : (
    length(local.public_lb_ip) > 0 ? "grafana.${local.public_lb_ip[0]}.sslip.io" : ""
  )

  # Shared cloud-init vars passed to both server and agent template files.
  # Server-specific vars are merged on top in data.tf.
  # k3s_token: with var.enable_vault the token is left empty and only the secret OCID
  # (vault_secret_id_k3s_token) is passed; otherwise the random_password result is rendered
  # directly into cloud-init, so it ends up in the instance user data and in state.
  k3s_common_cloud_init_vars = {
    k3s_version               = local.k3s_version
    k3s_subnet                = var.k3s_subnet
    k3s_token                 = var.enable_vault ? "" : random_password.k3s_token.result
    k3s_url                   = local.k3s_internal_lb_ip
    vault_secret_id_k3s_token = var.enable_vault ? oci_vault_secret.k3s_token[0].id : ""
  }

  # ── kubeconfig hint strings (used by output.tf) ───────────────────────────
  # Both values are indented heredoc strings: the "#"-prefixed lines inside them are part
  # of the string (rendered as shell comments for the operator), not Terraform comments.
  # try() falls back to "<...>" placeholders when the referenced resource does not exist yet.
  _kubeconfig_hint_bastion = <<-EOT
    # ── Fetch kubeconfig via OCI Bastion Service ─────────────────────────────
    # Run from the example/ directory (requires oci CLI, tofu, jq, nc, ssh):
    # ./get-kubeconfig.sh
    #
    # Or manually — port-forwarding session (no Bastion plugin required):
    # oci bastion session create-port-forwarding \
    # --bastion-id ${var.enable_bastion ? oci_bastion_bastion.k3s[0].id : "<bastion-ocid>"} \
    # --ssh-public-key-file ~/.ssh/id_ed25519.pub \
    # --target-private-ip ${try(data.oci_core_instance.k3s_servers[0].private_ip, "<server-ip>")} \
    # --target-port 22 \
    # --session-ttl 1800
    # # Open tunnel (replace SESSION and REGION):
    # ssh -N -L 22222:${try(data.oci_core_instance.k3s_servers[0].private_ip, "<server-ip>")}:22 \
    # -p 22 ocid1.bastionsession...@host.bastion.<region>.oci.oraclecloud.com &
    # # Fetch kubeconfig through tunnel:
    # ssh -p 22222 ubuntu@localhost "sudo cat /etc/rancher/k3s/k3s.yaml" \
    # | sed 's|127.0.0.1:6443|${try(local.public_lb_ip[0], "<public-nlb-ip>")}:${var.kube_api_port}|'
    #
    # Tip: add expose_ssh = true to terraform.tfvars for direct SSH without Bastion sessions.
    # See the ssh_command output after tofu apply.
  EOT

  # Shown when no bastion exists; see the note above — this is a string value, not comments.
  _kubeconfig_hint_no_bastion = <<-EOT
    # ── No bastion configured ────────────────────────────────────────────────
    # Nodes are in a private subnet and cannot be reached directly.
    # Pick one option:
    #
    # Option A — OCI serial console (no infra change, one-time):
    # OCI console connections require an RSA key (ed25519 is not supported).
    # This one-liner creates the connection and opens the shell immediately:
    # ssh -o ControlPath=none $(oci compute instance-console-connection create \
    # --instance-id ${try(data.oci_core_instance.k3s_servers[0].id, "<server-ocid>")} \
    # --ssh-public-key-file ~/.ssh/id_rsa.pub \
    # --query 'data."connection-string"' --raw-output)
    # # Then: sudo cat /etc/rancher/k3s/k3s.yaml
    #
    # Options B & C — both require a tofu apply:
    #
    # Option B — Enable OCI Bastion Service (managed, Always Free, no storage):
    # enable_bastion = true by default. If disabled, add it back to terraform.tfvars, then run tofu apply.
    # Then re-run: tofu output kubeconfig_hint
    #
    # Option C — Expose kubeapi via public NLB (restricted to ${var.my_public_ip_cidr}):
    # Add expose_kubeapi = true to terraform.tfvars, then run tofu apply.
    # Use Option A or B once to fetch the kubeconfig, then update the server URL:
    # sed -i '' 's|127.0.0.1:6443|${try(local.public_lb_ip[0], "<public-nlb-ip>")}:${var.kube_api_port}|' ~/.kube/k3s-oci.yaml
  EOT
}