feat(initial): add initial version of the openstack lz module
This commit is contained in:
parent
e004ae7f24
commit
4b73631dc5
19
.pre-commit-config.yaml
Normal file
19
.pre-commit-config.yaml
Normal file
@ -0,0 +1,19 @@
|
||||
repos:
|
||||
- repo: https://github.com/antonbabenko/pre-commit-terraform
|
||||
rev: v1.86.0
|
||||
hooks:
|
||||
- id: terraform_fmt
|
||||
- id: terraform_docs
|
||||
args:
|
||||
- "--hook-config=--path-to-file=README.md"
|
||||
- "--hook-config=--add-to-existing-file=true"
|
||||
- "--hook-config=--create-file-if-not-exist=true"
|
||||
- "--args=--escape=false"
|
||||
- "--args=--lockfile=false"
|
||||
- "--args=--indent 3"
|
||||
- "--args=--show all"
|
||||
- repo: https://github.com/pre-commit/pre-commit-hooks
|
||||
rev: v4.5.0
|
||||
hooks:
|
||||
- id: trailing-whitespace
|
||||
- id: end-of-file-fixer
|
||||
79
README.md
79
README.md
@ -1,3 +1,80 @@
|
||||
# terraform-openstack-lz
|
||||
|
||||
Terraform module to deploy a completely customizable OpenStack
|
||||
Terraform module to deploy a completely customizable OpenStack<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
|
||||
### Requirements
|
||||
|
||||
| Name | Version |
|
||||
|------|---------|
|
||||
| <a name="requirement_terraform"></a> [terraform](#requirement_terraform) | >= 1.0.0 |
|
||||
|
||||
### Providers
|
||||
|
||||
| Name | Version |
|
||||
|------|---------|
|
||||
| <a name="provider_openstack"></a> [openstack](#provider_openstack) | n/a |
|
||||
|
||||
### Modules
|
||||
|
||||
No modules.
|
||||
|
||||
### Resources
|
||||
|
||||
| Name | Type |
|
||||
|------|------|
|
||||
| [openstack_networking_network_v2.backend](https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/networking_network_v2) | resource |
|
||||
| [openstack_networking_network_v2.database](https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/networking_network_v2) | resource |
|
||||
| [openstack_networking_network_v2.frontend](https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/networking_network_v2) | resource |
|
||||
| [openstack_networking_router_interface_v2.backend](https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/networking_router_interface_v2) | resource |
|
||||
| [openstack_networking_router_interface_v2.database](https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/networking_router_interface_v2) | resource |
|
||||
| [openstack_networking_router_interface_v2.frontend](https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/networking_router_interface_v2) | resource |
|
||||
| [openstack_networking_router_v2.this](https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/networking_router_v2) | resource |
|
||||
| [openstack_networking_secgroup_rule_v2.backend_egress](https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/networking_secgroup_rule_v2) | resource |
|
||||
| [openstack_networking_secgroup_rule_v2.backend_ingress](https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/networking_secgroup_rule_v2) | resource |
|
||||
| [openstack_networking_secgroup_rule_v2.database_egress](https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/networking_secgroup_rule_v2) | resource |
|
||||
| [openstack_networking_secgroup_rule_v2.database_ingress](https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/networking_secgroup_rule_v2) | resource |
|
||||
| [openstack_networking_secgroup_rule_v2.frontend_egress](https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/networking_secgroup_rule_v2) | resource |
|
||||
| [openstack_networking_secgroup_rule_v2.frontend_ingress](https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/networking_secgroup_rule_v2) | resource |
|
||||
| [openstack_networking_secgroup_v2.backend](https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/networking_secgroup_v2) | resource |
|
||||
| [openstack_networking_secgroup_v2.database](https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/networking_secgroup_v2) | resource |
|
||||
| [openstack_networking_secgroup_v2.frontend](https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/networking_secgroup_v2) | resource |
|
||||
| [openstack_networking_subnet_v2.backend](https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/networking_subnet_v2) | resource |
|
||||
| [openstack_networking_subnet_v2.database](https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/networking_subnet_v2) | resource |
|
||||
| [openstack_networking_subnet_v2.frontend](https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/networking_subnet_v2) | resource |
|
||||
| [openstack_networking_subnetpool_v2.this](https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/networking_subnetpool_v2) | resource |
|
||||
| [openstack_identity_project_v3.this](https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/data-sources/identity_project_v3) | data source |
|
||||
|
||||
### Inputs
|
||||
|
||||
| Name | Description | Type | Default | Required |
|
||||
|------|-------------|------|---------|:--------:|
|
||||
| <a name="input_architecture_tiers"></a> [architecture_tiers](#input_architecture_tiers) | The type of architecture.<br>Can be either 0, 1, 2 or 3.<br>Tier 0 will not create any subnets or networks.<br>Tier 1 will only create a single frontend subnet.<br>Tier 2 will create a frontend and backend subnet.<br>Tier 3 will create a frontend, backend and database subnet. | `number` | `1` | no |
|
||||
| <a name="input_attach_to_external"></a> [attach_to_external](#input_attach_to_external) | Whether the frontend subnet should be routed or not to the external LAN.<br>This options implies that you have sufficient permissions to configure static route on the backbone infrastructure.<br>This will create an static route entry in the route table of the backbone router, in order to make your project available from the outside. | `bool` | `false` | no |
|
||||
| <a name="input_backend_subnet_prefix_len"></a> [backend_subnet_prefix_len](#input_backend_subnet_prefix_len) | The prefix length of the backend subnet. Must be between 20 and 32. | `number` | `24` | no |
|
||||
| <a name="input_create_default_secgroups"></a> [create_default_secgroups](#input_create_default_secgroups) | Whether to create default security groups or not.<br>Depending on your choice of architecture tiering, will create security groups so that each tier can connect to the one below.<br>Security groups for the database tier will be created for mariadb, postgresql and redis.<br>A default security group allowing ssh connection will also be created. | `bool` | `false` | no |
|
||||
| <a name="input_create_subnetpool"></a> [create_subnetpool](#input_create_subnetpool) | Whether the module should create a subnet pool for this project, or use an existing one. | `bool` | `true` | no |
|
||||
| <a name="input_database_secgroup_strict"></a> [database_secgroup_strict](#input_database_secgroup_strict) | Defines whether the security groups for the database network should be strict.<br>In strict mode, egress is only allowed to the backend network. | `bool` | `false` | no |
|
||||
| <a name="input_database_subnet_prefix_len"></a> [database_subnet_prefix_len](#input_database_subnet_prefix_len) | The prefix length of the database subnet. Must be between 24 and 32. | `number` | `24` | no |
|
||||
| <a name="input_database_subnetpool_id"></a> [database_subnetpool_id](#input_database_subnetpool_id) | The id of the subnetpool to create the databse network from.<br>Since this module can route private subnets to the backbone, it needs to make sure it's not creating overlapping subnets. | `string` | `null` | no |
|
||||
| <a name="input_external_network_id"></a> [external_network_id](#input_external_network_id) | The id of the external network to connect the frontend router to. | `string` | `null` | no |
|
||||
| <a name="input_external_subnet_id"></a> [external_subnet_id](#input_external_subnet_id) | The id of the external subnet to connect the frontend router to. | `string` | `null` | no |
|
||||
| <a name="input_frontend_subnet_prefix_len"></a> [frontend_subnet_prefix_len](#input_frontend_subnet_prefix_len) | The prefix length of the frontend subnet. Must be between 20 and 32. | `number` | `24` | no |
|
||||
| <a name="input_project_domain"></a> [project_domain](#input_project_domain) | The domain where this project will be created | `string` | `"default"` | no |
|
||||
| <a name="input_project_name"></a> [project_name](#input_project_name) | The name of the project | `string` | n/a | yes |
|
||||
| <a name="input_project_tags"></a> [project_tags](#input_project_tags) | The tags to append to this project | `list(string)` | `[]` | no |
|
||||
| <a name="input_public_subnetpool_id"></a> [public_subnetpool_id](#input_public_subnetpool_id) | The id of the subnetpool to create the public (first 2 tier) networks from.<br>Since this module can route private subnets to the backbone, it needs to make sure it's not creating overlapping subnets. | `string` | `null` | no |
|
||||
| <a name="input_subnetpool_cidr_blocks"></a> [subnetpool_cidr_blocks](#input_subnetpool_cidr_blocks) | The CIDR block for the subnet pool | `list(string)` | <pre>[<br> "192.168.0.0/21"<br>]</pre> | no |
|
||||
|
||||
### Outputs
|
||||
|
||||
| Name | Description |
|
||||
|------|-------------|
|
||||
| <a name="output_backend_network"></a> [backend_network](#output_backend_network) | description |
|
||||
| <a name="output_backend_secgroups"></a> [backend_secgroups](#output_backend_secgroups) | description |
|
||||
| <a name="output_backend_subnet"></a> [backend_subnet](#output_backend_subnet) | description |
|
||||
| <a name="output_database_network"></a> [database_network](#output_database_network) | description |
|
||||
| <a name="output_database_secgroups"></a> [database_secgroups](#output_database_secgroups) | description |
|
||||
| <a name="output_database_subnets"></a> [database_subnets](#output_database_subnets) | description |
|
||||
| <a name="output_frontend_network"></a> [frontend_network](#output_frontend_network) | description |
|
||||
| <a name="output_frontend_secgroups"></a> [frontend_secgroups](#output_frontend_secgroups) | description |
|
||||
| <a name="output_frontend_subnet"></a> [frontend_subnet](#output_frontend_subnet) | description |
|
||||
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
|
||||
|
||||
228
main.tf
Normal file
228
main.tf
Normal file
@ -0,0 +1,228 @@
|
||||
terraform {
|
||||
# version requirements
|
||||
required_version = ">= 1.0.0"
|
||||
|
||||
# providers requirements
|
||||
required_providers {
|
||||
openstack = {
|
||||
source = "terraform-provider-openstack/openstack"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#! data sources
|
||||
data "openstack_identity_project_v3" "this" {
|
||||
name = var.project_name
|
||||
domain_id = var.project_domain
|
||||
}
|
||||
|
||||
#! subnetpools
|
||||
resource "openstack_networking_subnetpool_v2" "this" {
|
||||
count = var.create_subnetpool ? 1 : 0
|
||||
name = "${var.project_name}-subnetpool"
|
||||
is_default = true
|
||||
ip_version = 4
|
||||
prefixes = var.subnetpool_cidr_blocks
|
||||
}
|
||||
|
||||
#! networks & subnets
|
||||
resource "openstack_networking_network_v2" "frontend" {
|
||||
count = var.architecture_tiers > 0 ? 1 : 0
|
||||
name = "${var.project_name}-frontend-network"
|
||||
description = "Terraform managed."
|
||||
tenant_id = data.openstack_identity_project_v3.this.id
|
||||
shared = false
|
||||
admin_state_up = "true"
|
||||
mtu = 1450
|
||||
}
|
||||
|
||||
resource "openstack_networking_network_v2" "backend" {
|
||||
count = var.architecture_tiers > 1 ? 1 : 0
|
||||
name = "${var.project_name}-backend-network"
|
||||
description = "Terraform managed."
|
||||
tenant_id = data.openstack_identity_project_v3.this.id
|
||||
shared = false
|
||||
admin_state_up = "true"
|
||||
mtu = 1450
|
||||
}
|
||||
|
||||
resource "openstack_networking_network_v2" "database" {
|
||||
count = var.architecture_tiers == 3 ? 1 : 0
|
||||
name = "${var.project_name}-database-network"
|
||||
description = "Terraform managed."
|
||||
tenant_id = data.openstack_identity_project_v3.this.id
|
||||
shared = false
|
||||
admin_state_up = "true"
|
||||
mtu = 1450
|
||||
}
|
||||
|
||||
resource "openstack_networking_subnet_v2" "frontend" {
|
||||
count = var.architecture_tiers > 0 ? 1 : 0
|
||||
name = "${var.project_name}-frontend-subnet-${count.index + 1}"
|
||||
description = "Terraform managed."
|
||||
tenant_id = data.openstack_identity_project_v3.this.id
|
||||
network_id = openstack_networking_network_v2.frontend[0].id
|
||||
prefix_length = var.frontend_subnet_prefix_len
|
||||
ip_version = 4
|
||||
subnetpool_id = var.create_subnetpool ? openstack_networking_subnetpool_v2.this.id : var.public_subnetpool_id
|
||||
}
|
||||
|
||||
resource "openstack_networking_subnet_v2" "backend" {
|
||||
count = var.architecture_tiers > 1 ? 1 : 0
|
||||
name = "${var.project_name}-backend-subnet-${count.index + 1}"
|
||||
description = "Terraform managed."
|
||||
tenant_id = data.openstack_identity_project_v3.this.id
|
||||
network_id = openstack_networking_network_v2.backend[0].id
|
||||
prefix_length = var.backend_subnet_prefix_len
|
||||
ip_version = 4
|
||||
subnetpool_id = var.create_subnetpool ? openstack_networking_subnetpool_v2.this.id : var.public_subnetpool_id
|
||||
}
|
||||
|
||||
resource "openstack_networking_subnet_v2" "database" {
|
||||
count = var.architecture_tiers == 3 ? 1 : 0
|
||||
name = "${var.project_name}-database-subnet-${count.index + 1}"
|
||||
description = "Terraform managed."
|
||||
tenant_id = data.openstack_identity_project_v3.this.id
|
||||
network_id = openstack_networking_network_v2.database[0].id
|
||||
prefix_length = var.database_subnet_prefix_len
|
||||
ip_version = 4
|
||||
subnetpool_id = var.create_subnetpool ? openstack_networking_subnetpool_v2.this.id : var.database_subnetpool_id
|
||||
}
|
||||
|
||||
#! router
|
||||
resource "openstack_networking_router_v2" "this" {
|
||||
count = var.architecture_tiers > 0 ? 1 : 0
|
||||
name = "${var.project_name}-main-${count.index + 1}"
|
||||
description = "Terraform managed."
|
||||
tenant_id = data.openstack_identity_project_v3.this.id
|
||||
external_network_id = var.attach_to_external ? var.external_network_id : null
|
||||
admin_state_up = true
|
||||
}
|
||||
|
||||
resource "openstack_networking_router_interface_v2" "frontend" {
|
||||
count = var.architecture_tiers > 0 ? 1 : 0
|
||||
router_id = openstack_networking_router_v2.this[0].id
|
||||
subnet_id = openstack_networking_subnet_v2.frontend[0].id
|
||||
}
|
||||
|
||||
resource "openstack_networking_router_interface_v2" "backend" {
|
||||
count = var.architecture_tiers > 1 ? 1 : 0
|
||||
router_id = openstack_networking_router_v2.this[0].id
|
||||
subnet_id = openstack_networking_subnet_v2.backend[0].id
|
||||
}
|
||||
|
||||
resource "openstack_networking_router_interface_v2" "database" {
|
||||
count = var.architecture_tiers == 3 ? 1 : 0
|
||||
router_id = openstack_networking_router_v2.this[0].id
|
||||
subnet_id = openstack_networking_subnet_v2.database[0].id
|
||||
}
|
||||
|
||||
#! security groups
|
||||
resource "openstack_networking_secgroup_v2" "frontend" {
|
||||
count = (
|
||||
var.architecture_tiers > 0 &&
|
||||
var.create_default_secgroups
|
||||
) ? 1 : 0
|
||||
|
||||
name = "${var.project_name}-frontend-secgroup"
|
||||
description = "Terraform managed."
|
||||
tenant_id = data.openstack_identity_project_v3.this.id
|
||||
delete_default_rules = true
|
||||
}
|
||||
|
||||
resource "openstack_networking_secgroup_rule_v2" "frontend_egress" {
|
||||
count = (
|
||||
var.architecture_tiers > 0 &&
|
||||
var.create_default_secgroups
|
||||
) ? 1 : 0
|
||||
|
||||
direction = "egress"
|
||||
ethertype = "IPv4"
|
||||
remote_ip_prefix = "0.0.0.0/0"
|
||||
security_group_id = openstack_networking_secgroup_v2.frontend[0].id
|
||||
}
|
||||
|
||||
resource "openstack_networking_secgroup_rule_v2" "frontend_ingress" {
|
||||
count = (
|
||||
var.architecture_tiers > 0 &&
|
||||
var.create_default_secgroups
|
||||
) ? 1 : 0
|
||||
|
||||
direction = "ingress"
|
||||
ethertype = "IPv4"
|
||||
remote_ip_prefix = "0.0.0.0/0"
|
||||
security_group_id = openstack_networking_secgroup_v2.frontend[0].id
|
||||
}
|
||||
|
||||
resource "openstack_networking_secgroup_v2" "backend" {
|
||||
count = (
|
||||
var.architecture_tiers > 1 &&
|
||||
var.create_default_secgroups
|
||||
) ? 1 : 0
|
||||
name = "${var.project_name}-backend-secgroup"
|
||||
description = "Terraform managed."
|
||||
tenant_id = data.openstack_identity_project_v3.this.id
|
||||
delete_default_rules = true
|
||||
}
|
||||
|
||||
resource "openstack_networking_secgroup_rule_v2" "backend_egress" {
|
||||
count = (
|
||||
var.architecture_tiers > 1 &&
|
||||
var.create_default_secgroups
|
||||
) ? 1 : 0
|
||||
|
||||
direction = "egress"
|
||||
ethertype = "IPv4"
|
||||
remote_ip_prefix = "0.0.0.0/0"
|
||||
security_group_id = openstack_networking_secgroup_v2.backend[0].id
|
||||
}
|
||||
|
||||
resource "openstack_networking_secgroup_rule_v2" "backend_ingress" {
|
||||
count = (
|
||||
var.architecture_tiers > 1 &&
|
||||
var.create_default_secgroups
|
||||
) ? 1 : 0
|
||||
|
||||
direction = "ingress"
|
||||
ethertype = "IPv4"
|
||||
remote_group_id = openstack_networking_secgroup_v2.frontend[0].id
|
||||
security_group_id = openstack_networking_secgroup_v2.backend[0].id
|
||||
}
|
||||
|
||||
resource "openstack_networking_secgroup_v2" "database" {
|
||||
count = (
|
||||
var.architecture_tiers == 3 &&
|
||||
var.create_default_secgroups
|
||||
) ? length(local.db_secgroups) : 0
|
||||
name = "${var.project_name}-database-${local.db_secgroups[count.index].type}-secgroup"
|
||||
description = "Terraform managed."
|
||||
tenant_id = data.openstack_identity_project_v3.this.id
|
||||
delete_default_rules = true
|
||||
}
|
||||
|
||||
resource "openstack_networking_secgroup_rule_v2" "database_egress" {
|
||||
count = (
|
||||
var.architecture_tiers == 3 &&
|
||||
var.create_default_secgroups
|
||||
) ? length(local.db_secgroups) : 0
|
||||
|
||||
direction = "egress"
|
||||
ethertype = "IPv4"
|
||||
remote_ip_prefix = "0.0.0.0/0"
|
||||
security_group_id = openstack_networking_secgroup_v2.database[count.index].id
|
||||
}
|
||||
|
||||
resource "openstack_networking_secgroup_rule_v2" "database_ingress" {
|
||||
count = (
|
||||
var.architecture_tiers == 3 &&
|
||||
var.create_default_secgroups
|
||||
) ? length(local.db_secgroups) : 0
|
||||
|
||||
direction = "ingress"
|
||||
ethertype = "IPv4"
|
||||
protocol = "tcp"
|
||||
port_range_min = local.db_secgroups[count.index].ingress_port
|
||||
port_range_max = local.db_secgroups[count.index].ingress_port
|
||||
remote_group_id = openstack_networking_secgroup_v2.backend[0].id
|
||||
security_group_id = openstack_networking_secgroup_v2.database[count.index].id
|
||||
}
|
||||
62
outputs.tf
Normal file
62
outputs.tf
Normal file
@ -0,0 +1,62 @@
|
||||
output "frontend_network" {
|
||||
value = openstack_networking_network_v2.frontend.*
|
||||
sensitive = false
|
||||
description = "description"
|
||||
depends_on = []
|
||||
}
|
||||
|
||||
output "frontend_subnet" {
|
||||
value = openstack_networking_subnet_v2.frontend.*
|
||||
sensitive = false
|
||||
description = "description"
|
||||
depends_on = []
|
||||
}
|
||||
|
||||
output "backend_network" {
|
||||
value = openstack_networking_network_v2.backend.*
|
||||
sensitive = false
|
||||
description = "description"
|
||||
depends_on = []
|
||||
}
|
||||
|
||||
output "backend_subnet" {
|
||||
value = openstack_networking_subnet_v2.backend.*
|
||||
sensitive = false
|
||||
description = "description"
|
||||
depends_on = []
|
||||
}
|
||||
|
||||
output "database_network" {
|
||||
value = openstack_networking_network_v2.database.*
|
||||
sensitive = false
|
||||
description = "description"
|
||||
depends_on = []
|
||||
}
|
||||
|
||||
output "database_subnets" {
|
||||
value = openstack_networking_subnet_v2.database.*
|
||||
sensitive = false
|
||||
description = "description"
|
||||
depends_on = []
|
||||
}
|
||||
|
||||
output "frontend_secgroups" {
|
||||
value = openstack_networking_secgroup_v2.frontend.*
|
||||
sensitive = false
|
||||
description = "description"
|
||||
depends_on = []
|
||||
}
|
||||
|
||||
output "backend_secgroups" {
|
||||
value = openstack_networking_secgroup_v2.backend.*
|
||||
sensitive = false
|
||||
description = "description"
|
||||
depends_on = []
|
||||
}
|
||||
|
||||
output "database_secgroups" {
|
||||
value = openstack_networking_secgroup_v2.database.*
|
||||
sensitive = false
|
||||
description = "description"
|
||||
depends_on = []
|
||||
}
|
||||
211
variables.tf
Normal file
211
variables.tf
Normal file
@ -0,0 +1,211 @@
|
||||
#! global variables
|
||||
variable "project_name" {
|
||||
type = string
|
||||
description = "The name of the project"
|
||||
validation {
|
||||
condition = can(regex("^[0-9A-Za-z-_]+$", var.project_name))
|
||||
error_message = "For the project_name value only a-z, A-Z, 0-9, - and _ are allowed."
|
||||
}
|
||||
}
|
||||
|
||||
variable "project_domain" {
|
||||
type = string
|
||||
description = "The domain where this project will be created"
|
||||
default = "default"
|
||||
}
|
||||
|
||||
variable "project_tags" {
|
||||
type = list(string)
|
||||
description = "The tags to append to this project"
|
||||
default = []
|
||||
}
|
||||
|
||||
#! architecture tiering variables
|
||||
variable "architecture_tiers" {
|
||||
type = number
|
||||
description = <<-EOT
|
||||
The type of architecture.
|
||||
Can be either 0, 1, 2 or 3.
|
||||
Tier 0 will not create any subnets or networks.
|
||||
Tier 1 will only create a single frontend subnet.
|
||||
Tier 2 will create a frontend and backend subnet.
|
||||
Tier 3 will create a frontend, backend and database subnet.
|
||||
EOT
|
||||
default = 1
|
||||
validation {
|
||||
condition = (
|
||||
var.architecture_tiers > 0 &&
|
||||
var.architecture_tiers <= 3
|
||||
)
|
||||
error_message = "The architecture_tiers must be between 0 and 3."
|
||||
}
|
||||
}
|
||||
|
||||
#! subnetpool creation
|
||||
variable "create_subnetpool" {
|
||||
type = bool
|
||||
description = "Whether the module should create a subnet pool for this project, or use an existing one."
|
||||
default = true
|
||||
}
|
||||
|
||||
variable "subnetpool_cidr_blocks" {
|
||||
type = list(string)
|
||||
description = "The CIDR block for the subnet pool"
|
||||
default = ["192.168.0.0/21"]
|
||||
validation {
|
||||
condition = alltrue([
|
||||
for i in var.subnetpool_cidr_blocks : can(cidrhost(i, 0))
|
||||
])
|
||||
error_message = "The subnetpool_cidr_blocks must be a valid IPv4 CIDR"
|
||||
}
|
||||
}
|
||||
|
||||
#! networking variables
|
||||
variable "frontend_subnet_prefix_len" {
|
||||
type = number
|
||||
description = "The prefix length of the frontend subnet. Must be between 20 and 32."
|
||||
default = 24
|
||||
validation {
|
||||
condition = (
|
||||
var.frontend_subnet_prefix_len >= 20 &&
|
||||
var.frontend_subnet_prefix_len <= 32
|
||||
)
|
||||
error_message = "The prefix length must be between 20 and 32."
|
||||
}
|
||||
}
|
||||
|
||||
variable "backend_subnet_prefix_len" {
|
||||
type = number
|
||||
description = "The prefix length of the backend subnet. Must be between 20 and 32."
|
||||
default = 24
|
||||
validation {
|
||||
condition = (
|
||||
var.backend_subnet_prefix_len >= 20 &&
|
||||
var.backend_subnet_prefix_len <= 32
|
||||
)
|
||||
error_message = "The prefix length must be between 20 and 32."
|
||||
}
|
||||
}
|
||||
|
||||
variable "database_subnet_prefix_len" {
|
||||
type = number
|
||||
description = "The prefix length of the database subnet. Must be between 24 and 32."
|
||||
default = 24
|
||||
validation {
|
||||
condition = (
|
||||
var.database_subnet_prefix_len >= 24 &&
|
||||
var.database_subnet_prefix_len <= 32
|
||||
)
|
||||
error_message = "The prefix length must be between 24 and 32."
|
||||
}
|
||||
}
|
||||
|
||||
#! security variables
|
||||
variable "create_default_secgroups" {
|
||||
type = bool
|
||||
description = <<-EOT
|
||||
Whether to create default security groups or not.
|
||||
Depending on your choice of architecture tiering, will create security groups so that each tier can connect to the one below.
|
||||
Security groups for the database tier will be created for mariadb, postgresql and redis.
|
||||
A default security group allowing ssh connection will also be created.
|
||||
EOT
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "database_secgroup_strict" {
|
||||
type = bool
|
||||
description = <<-EOT
|
||||
Defines whether the security groups for the database network should be strict.
|
||||
In strict mode, egress is only allowed to the backend network.
|
||||
EOT
|
||||
default = false
|
||||
}
|
||||
|
||||
locals {
|
||||
db_secgroups = [
|
||||
{
|
||||
type = "mariadb"
|
||||
ingress_port = 3306
|
||||
},
|
||||
{
|
||||
type = "postgresql"
|
||||
ingress_port = 5432
|
||||
},
|
||||
{
|
||||
type = "mysql"
|
||||
ingress_port = 3306
|
||||
},
|
||||
{
|
||||
type = "redis"
|
||||
ingress_port = 6379
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
#! subnetpool variables & validation
|
||||
variable "public_subnetpool_id" {
|
||||
type = string
|
||||
description = <<-EOT
|
||||
The id of the subnetpool to create the public (first 2 tier) networks from.
|
||||
Since this module can route private subnets to the backbone, it needs to make sure it's not creating overlapping subnets.
|
||||
EOT
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "database_subnetpool_id" {
|
||||
type = string
|
||||
description = <<-EOT
|
||||
The id of the subnetpool to create the databse network from.
|
||||
Since this module can route private subnets to the backbone, it needs to make sure it's not creating overlapping subnets.
|
||||
EOT
|
||||
default = null
|
||||
}
|
||||
|
||||
locals {
|
||||
validate_public_subnetpool_ids = (
|
||||
var.architecture_tiers > 0 &&
|
||||
var.create_subnetpool == false &&
|
||||
var.public_subnetpool_id == null
|
||||
) ? tobool("You have to either create or specify an existing subnetpool to create the public subnets from") : true
|
||||
validate_database_subnetpool_ids = (
|
||||
var.architecture_tiers > 2 &&
|
||||
var.create_subnetpool == false &&
|
||||
var.database_subnetpool_id == null
|
||||
) ? tobool("You have to either create or specify an existing subnetpool to create the database subnets from") : true
|
||||
}
|
||||
|
||||
#! public network attachement variables
|
||||
variable "attach_to_external" {
|
||||
type = bool
|
||||
description = <<-EOT
|
||||
Whether the frontend subnet should be routed or not to the external LAN.
|
||||
This options implies that you have sufficient permissions to configure static route on the backbone infrastructure.
|
||||
This will create an static route entry in the route table of the backbone router, in order to make your project available from the outside.
|
||||
EOT
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "external_network_id" {
|
||||
type = string
|
||||
description = "The id of the external network to connect the frontend router to."
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "external_subnet_id" {
|
||||
type = string
|
||||
description = "The id of the external subnet to connect the frontend router to."
|
||||
default = null
|
||||
}
|
||||
|
||||
locals {
|
||||
validate_external_network_id = (
|
||||
var.architecture_tiers > 0 &&
|
||||
var.attach_to_external &&
|
||||
var.external_network_id == null
|
||||
) ? tobool("Please pass in the external network ID to attach the frontend router to.") : true
|
||||
validate_external_subnet_id = (
|
||||
var.architecture_tiers > 0 &&
|
||||
var.attach_to_external &&
|
||||
var.external_subnet_id == null
|
||||
) ? tobool("Please pass in the external subnet ID to attach the frontend router to.") : true
|
||||
}
|
||||
Loading…
Reference in New Issue
Block a user