# Root-module inputs, normalised once here so every child module sees the
# same values. Nothing in this block has side effects; it only derives values.
locals {
  # --- project identity ---
  identifier   = var.identifier
  owner        = var.owner
  project_name = var.project_name
  # domain and zone are forced to lowercase here; fqdn is "<domain>.<zone>"
  domain = lower(var.domain)
  zone   = lower(var.zone)
  fqdn   = lower("${local.domain}.${local.zone}")

  # --- node access ---
  key_name = var.key_name
  key      = var.key
  username = var.username
  admin_ip = var.admin_ip # handed to the cluster module as runner_ip

  # --- rke2 ---
  rke2_version = var.rke2_version
  # An empty path, or one equal to path.root, falls back to "<path.root>/rke2";
  # any other value is used exactly as given.
  local_file_path = (
    var.local_file_path == "" || var.local_file_path == path.root
    ? "${path.root}/rke2"
    : var.local_file_path
  )
  install_method     = var.install_method
  cni                = var.cni
  node_configuration = var.node_configuration

  # --- rancher / certificates ---
  install_cert_manager = true # only used to isolate Rancher install in testing
  cert_manager_version = var.cert_manager_version
  # Expected values: "module" (use the cert generated by module.cluster),
  # "supply" (use the tls_* inputs), "rancher" (pass "empty" placeholders and
  # let cert-manager be configured instead).
  cert_use_strategy = var.cert_use_strategy
  skip_cert         = contains(["rancher", "supply"], local.cert_use_strategy)
  externalTLS       = contains(["module", "supply"], local.cert_use_strategy)
  # cert-manager is configured only when TLS is NOT terminated externally
  configure_cert_manager     = !local.externalTLS
  cert_manager_configuration = var.cert_manager_configuration
  # When no configuration is supplied, substitute an all-empty object so the
  # downstream attribute lookups still resolve. NOTE(review): the AWS key pair
  # below is passed through to child modules and will be recorded in state;
  # prefer sourcing it from the provider chain where the modules allow it — confirm.
  cert_manager_config = (
    local.cert_manager_configuration != null
    ? local.cert_manager_configuration
    : {
      aws_access_key_id     = ""
      aws_secret_access_key = ""
      aws_region            = ""
      aws_session_token     = ""
      acme_email            = ""
      acme_server_url       = ""
    }
  )
  tls_public_cert  = var.tls_public_cert
  tls_public_chain = var.tls_public_chain
  tls_private_key  = var.tls_private_key
  # Pick the certificate material by strategy. coalesce() skips null AND empty
  # strings, so with "supply" an empty tls_* input makes these expressions
  # fail rather than silently produce "".
  cert_public = coalesce(
    (local.cert_use_strategy == "module" ? module.cluster.cert.public_key : null),
    (local.cert_use_strategy == "supply" ? local.tls_public_cert : null),
    (local.cert_use_strategy == "rancher" ? "empty" : null),
  )
  cert_private = coalesce(
    (local.cert_use_strategy == "module" ? module.cluster.cert.private_key : null),
    (local.cert_use_strategy == "supply" ? local.tls_private_key : null),
    (local.cert_use_strategy == "rancher" ? "empty" : null),
  )
  cert_chain = coalesce(
    (local.cert_use_strategy == "module" ? module.cluster.cert.chain : null),
    (local.cert_use_strategy == "supply" ? local.tls_public_chain : null),
    (local.cert_use_strategy == "rancher" ? "empty" : null),
  )

  # --- rancher install / bootstrap ---
  rancher_version                 = var.rancher_version
  rancher_helm_repo               = var.rancher_helm_repo
  rancher_helm_channel            = var.rancher_helm_channel
  ip_family                       = "ipv4" # fixed; the cluster module receives this value
  rancher_helm_chart_values       = var.rancher_helm_chart_values
  rancher_helm_chart_use_strategy = var.rancher_helm_chart_use_strategy
  install_rancher                 = var.install_rancher
  bootstrap_rancher               = var.bootstrap_rancher
  acme_server_url                 = var.acme_server_url
}
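# Fail fast on inconsistent inputs. All child modules depend on this resource
# so a bad combination is reported here, with a readable message, instead of
# surfacing as an obscure evaluation error deeper in the plan.
resource "terraform_data" "input_validation" {
  lifecycle {
    precondition {
      # NOTE(review): the pattern also tolerates an "http(s)://" prefix and a
      # ":port" suffix, which are not part of a DNS name — confirm that is
      # intended before tightening it.
      condition = can(regex(
        "^(?:https?://)?[[:alpha:]](?:[[:alnum:]\\p{Pd}]{1,63}\\.)+[[:alnum:]\\p{Pd}]{1,62}[[:alnum:]](?::[[:digit:]]{1,5})?$",
        local.fqdn
      ))
      error_message = "The fqdn must be a fully qualified domain name"
    }
    precondition {
      # Reject a non-empty, non-lowercase "hostname" key in the Helm values.
      condition = !(
        local.rancher_helm_chart_values != {} &&
        lookup(local.rancher_helm_chart_values, "hostname", "") != "" &&
        lookup(local.rancher_helm_chart_values, "hostname", "") != lower(lookup(local.rancher_helm_chart_values, "hostname", ""))
      )
      error_message = "hostname in rancher_helm_chart_values must be lowercase"
    }
    precondition {
      # Guard the strategy value up front: the cert_* coalesce() locals have no
      # matching branch for anything else and would fail with a generic error.
      condition     = contains(["module", "rancher", "supply"], local.cert_use_strategy)
      error_message = "cert_use_strategy must be one of \"module\", \"rancher\", or \"supply\""
    }
    precondition {
      condition     = local.cert_use_strategy != "rancher" || local.cert_manager_configuration != null
      error_message = "cert_manager_configuration must not be null when using rancher for certs"
    }
    precondition {
      condition     = local.cert_use_strategy != "supply" || (local.tls_public_cert != null && local.tls_public_cert != "")
      error_message = "tls_public_cert must not be null or empty when using supply strategy for certs"
    }
    precondition {
      condition     = local.cert_use_strategy != "supply" || (local.tls_private_key != null && local.tls_private_key != "")
      error_message = "tls_private_key must not be null or empty when using supply strategy for certs"
    }
    precondition {
      # module.bootstrap_rancher indexes module.install_rancher[0]; with
      # install_rancher=false that module has count 0 and the index fails.
      condition     = !local.bootstrap_rancher || local.install_rancher
      error_message = "install_rancher must be true when bootstrap_rancher is true"
    }
  }
}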
# Look up the hosted zone by its absolute name (trailing dot). Its zone_id is
# what the cert-manager and rancher modules use for DNS records.
data "aws_route53_zone" "zone" {
  name = format("%s.", local.zone)
}
# Provision the RKE2 cluster. Always created; the input checks run first.
module "cluster" {
  source     = "./modules/cluster"
  depends_on = [terraform_data.input_validation]

  # project identity
  identifier   = local.identifier
  owner        = local.owner
  project_name = local.project_name
  domain       = local.domain
  zone         = local.zone

  # node access; the address allowed to reach the nodes is the admin_ip input
  key_name  = local.key_name
  key       = local.key
  username  = local.username
  runner_ip = local.admin_ip

  # rke2
  rke2_version       = local.rke2_version
  file_path          = local.local_file_path
  install_method     = local.install_method
  cni                = local.cni
  node_configuration = local.node_configuration
  ip_family          = local.ip_family

  # certificates: creation is skipped for the "rancher" and "supply" strategies
  acme_server_url    = local.acme_server_url
  skip_cert_creation = local.skip_cert
}
# Install cert-manager on the cluster. Gated by local.install_cert_manager,
# which is currently a constant true.
module "install_cert_manager" {
  source = "./modules/install_cert_manager"
  count  = local.install_cert_manager ? 1 : 0
  depends_on = [
    terraform_data.input_validation,
    module.cluster,
  ]

  path           = local.local_file_path
  project_domain = local.fqdn
  zone           = local.zone
  zone_id        = data.aws_route53_zone.zone.zone_id

  # configure_cert_manager is false whenever TLS is terminated externally;
  # cert_manager_configuration carries the (possibly all-empty) AWS/ACME settings
  configure_cert_manager     = local.configure_cert_manager
  cert_manager_version       = local.cert_manager_version
  cert_manager_configuration = local.cert_manager_config
}
# Install Rancher via Helm once the cluster and cert-manager exist.
# Gated by local.install_rancher.
module "install_rancher" {
  source = "./modules/install_rancher"
  count  = local.install_rancher ? 1 : 0
  depends_on = [
    terraform_data.input_validation,
    module.cluster,
    module.install_cert_manager,
  ]

  path           = local.local_file_path
  project_domain = local.fqdn
  zone_id        = data.aws_route53_zone.zone.zone_id

  # ACME / cert-manager details; region and email come from cert_manager_config
  # and are empty strings when no configuration was supplied
  region               = local.cert_manager_config.aws_region
  email                = local.cert_manager_config.acme_email
  acme_server_url      = local.acme_server_url
  cert_manager_version = local.cert_manager_version

  # versions and chart source
  rancher_version      = local.rancher_version
  rke2_version         = local.rke2_version
  rancher_helm_repo    = local.rancher_helm_repo
  rancher_helm_channel = local.rancher_helm_channel

  # TLS material chosen by cert_use_strategy ("empty" placeholders for "rancher")
  externalTLS  = local.externalTLS
  cert_public  = local.cert_public
  cert_private = local.cert_private
  cert_chain   = local.cert_chain

  rancher_helm_chart_values       = local.rancher_helm_chart_values
  rancher_helm_chart_use_strategy = local.rancher_helm_chart_use_strategy
}
# Perform the first-login bootstrap of Rancher. Gated by local.bootstrap_rancher.
# This block hard-indexes module.install_rancher[0], so it only evaluates when
# install_rancher is also enabled (count 1); otherwise the index is out of range.
module "bootstrap_rancher" {
  source = "./modules/bootstrap_rancher"
  count  = local.bootstrap_rancher ? 1 : 0
  depends_on = [
    terraform_data.input_validation,
    module.cluster,
    module.install_cert_manager,
    module.install_rancher,
  ]

  path           = local.local_file_path
  rancher_domain = local.fqdn
  ca_certs       = module.install_rancher[0].ca_certs
  # The initial admin password flows through Terraform state; treat state as a
  # secret store (and verify the install_rancher module marks it sensitive).
  admin_password = module.install_rancher[0].rancher_admin_password
}