# =============================================================================
# Workflow: NFS File Share
# =============================================================================
# Provisions a team shared storage volume with export policy:
# - File system (50 GiB provisioned, NFSv4.1, per-user quota)
# - NFS export policy
# - Rule 1: app servers — read-write with root-squash
# - Rule 2: backup agents — read-only with root-squash
#
# Typical use case: shared dataset for a batch processing team where multiple
# application pods and a backup agent need differentiated NFS access.
# =============================================================================
terraform {
  required_providers {
    # All flashblade_* resource types in this file resolve to this provider
    # (local name "flashblade"), sourced from the numberly/mica registry entry.
    # The pessimistic constraint pins to the 2.1.x series.
    flashblade = {
      source  = "numberly/mica"
      version = "~> 2.1"
    }
  }
}
provider "flashblade" {
  # Management endpoint and API-token auth both come from input variables so
  # no credential is ever written into this file. The token variable is
  # declared sensitive, which redacts it from plan/apply output.
  endpoint = var.flashblade_endpoint

  auth = {
    api_token = var.flashblade_api_token
  }
}
# ---------------------------------------------------------------------------
# Variables
# ---------------------------------------------------------------------------
variable "flashblade_endpoint" {
  # Passed straight through to the provider's endpoint argument.
  description = "FlashBlade management endpoint URL."
  type        = string
}
variable "flashblade_api_token" {
  # Credential for the provider. `sensitive` keeps the value out of plan and
  # apply output; supply it via TF_VAR_flashblade_api_token or a tfvars file
  # that is kept out of version control.
  description = "FlashBlade API token."
  type        = string
  sensitive   = true
}
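variable "filesystem_name" {
  type        = string
  description = "Name of the file system to create. Also used as the prefix of the NFS export policy name."

  # Reject empty or whitespace-only names at plan time. Left unchecked they
  # would only surface as a provider error at apply (and would produce an
  # export policy named "-nfs").
  validation {
    condition     = length(trimspace(var.filesystem_name)) > 0
    error_message = "filesystem_name must be a non-empty string."
  }
}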
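variable "app_subnet" {
  type        = string
  default     = "10.10.0.0/16"
  description = "CIDR range for application servers that need read-write NFS access."

  # This value becomes the `client` match of the read-write export rule, i.e.
  # it is the access-control boundary for that rule. The variable is
  # documented as a CIDR, so enforce that shape here: cidrhost() errors on
  # anything that is not valid prefix notation and can() turns that into
  # false, failing at plan time instead of at the array.
  validation {
    condition     = can(cidrhost(var.app_subnet, 0))
    error_message = "app_subnet must be a valid CIDR block, e.g. 10.10.0.0/16."
  }
}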
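variable "backup_subnet" {
  type        = string
  default     = "10.20.0.0/16"
  description = "CIDR range for backup agents that need read-only NFS access."

  # Same check as app_subnet: this value is the `client` match of the
  # read-only export rule, so a malformed CIDR should be rejected at plan
  # time rather than accepted by the array in some unintended form.
  validation {
    condition     = can(cidrhost(var.backup_subnet, 0))
    error_message = "backup_subnet must be a valid CIDR block, e.g. 10.20.0.0/16."
  }
}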
# ---------------------------------------------------------------------------
# NFS export policy
# ---------------------------------------------------------------------------
resource "flashblade_nfs_export_policy" "this" {
  # The policy is named after the file system so the pairing is obvious when
  # browsing the array. The policy object itself carries no client rules;
  # those are attached by the flashblade_nfs_export_policy_rule resources
  # below, which reference this name.
  enabled = true
  name    = "${var.filesystem_name}-nfs"
}
# ---------------------------------------------------------------------------
# Rule 1: Application servers — read-write
# ---------------------------------------------------------------------------
resource "flashblade_nfs_export_policy_rule" "app_rw" {
  policy_name = flashblade_nfs_export_policy.this.name

  # Who: application servers, matched by source CIDR.
  client = var.app_subnet

  # What: full read-write access to the export.
  permission = "rw"

  # How root is treated: UID 0 on the client is mapped to the anonymous UID
  # on the array. App containers frequently run as root, and squashing stops
  # such a process from bypassing the POSIX permissions other users set on
  # shared files.
  access = "root-squash"

  # Authentication flavour: AUTH_SYS, where the array trusts the UID/GID the
  # client asserts. That makes the client CIDR above the only real access
  # control on this rule, so it is appropriate only where network reachability
  # is already restricted to trusted hosts (e.g. the pod network).
  security = ["sys"]
}
# ---------------------------------------------------------------------------
# Rule 2: Backup agents — read-only
# ---------------------------------------------------------------------------
resource "flashblade_nfs_export_policy_rule" "backup_ro" {
  policy_name = flashblade_nfs_export_policy.this.name

  # Who: backup agents, matched by source CIDR.
  client = var.backup_subnet

  # What: read-only. Backup agents pull snapshots; denying writes at the
  # export means a compromised backup host still cannot alter live data.
  permission = "ro"

  # Root on the backup host is squashed as well, so "ro" cannot be
  # sidestepped by client-side privilege.
  access = "root-squash"

  # AUTH_SYS: UID/GID are taken from the client, so the CIDR match is the
  # effective access control for this rule — same caveat as app_rw.
  security = ["sys"]
}
# ---------------------------------------------------------------------------
# File system
# ---------------------------------------------------------------------------
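resource "flashblade_file_system" "this" {
  name = var.filesystem_name

  # Provisioned size is given in bytes; spelled out as an expression so the
  # GiB figure is visible without decoding the literal (50 * 2^30 = 53687091200).
  provisioned = 50 * 1024 * 1024 * 1024 # 50 GiB

  nfs {
    enabled = true
    # Only NFSv4.1 is offered: it provides per-client stateful mounts, locks
    # and delegations. v3 is explicitly switched off so legacy clients cannot
    # fall back to a stateless mount.
    v4_1_enabled = true
    v3_enabled   = false
  }

  # Attaching the policy makes the array enforce its rules for this file system.
  nfs_export_policy = flashblade_nfs_export_policy.this.name

  # Terraform infers a dependency on the policy object above, but not on the
  # rule resources that populate it, so without this the file system could be
  # created — and exported — before app_rw / backup_ro exist. Forcing the
  # rules first means the export is never live with a partially built policy.
  # (This assumes an empty policy is not an acceptable transient state; the
  # array's empty-policy semantics are not documented here — confirm if it
  # matters for your rollout.)
  depends_on = [
    flashblade_nfs_export_policy_rule.app_rw,
    flashblade_nfs_export_policy_rule.backup_ro,
  ]

  default_quotas {
    # 5 GiB soft quota per user so a single user cannot fill the shared space.
    # Quota is advisory (warn, not block) by default — configurable per use case.
    user_quota = 5 * 1024 * 1024 * 1024 # 5 GiB
  }
}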