From 78ca31f154e904af20fc54ad1009b82ff411c735 Mon Sep 17 00:00:00 2001 From: Bertrand Lanson Date: Sun, 8 Sep 2024 13:16:37 +0200 Subject: [PATCH 01/13] feat: add versioning requirements, and automatic documentation pipeline --- .cz.toml | 7 ++++ .gitea/workflows/development.yml | 26 +++++++++++++ .gitea/workflows/pull-request-open.yml | 43 ++++++++++++++++++++ .gitea/workflows/release.yml | 54 ++++++++++++++++++++++++++ .pre-commit-config.yaml | 12 +++++- LICENSE | 20 ++++++++++ 6 files changed, 160 insertions(+), 2 deletions(-) create mode 100644 .cz.toml create mode 100644 .gitea/workflows/development.yml create mode 100644 .gitea/workflows/pull-request-open.yml create mode 100644 .gitea/workflows/release.yml create mode 100644 LICENSE diff --git a/.cz.toml b/.cz.toml new file mode 100644 index 0000000..088e162 --- /dev/null +++ b/.cz.toml @@ -0,0 +1,7 @@ +[tool.commitizen] +name = "cz_conventional_commits" +version_provider = "scm" +version_files = ["galaxy.yml:^version"] +update_changelog_on_bump = true +major_version_zero = true +tag_format = "v$version" diff --git a/.gitea/workflows/development.yml b/.gitea/workflows/development.yml new file mode 100644 index 0000000..bfba126 --- /dev/null +++ b/.gitea/workflows/development.yml @@ -0,0 +1,26 @@ +--- +name: development +on: + push: + branches-ignore: + - main + +jobs: + commit-check: + name: Check commit compliance + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Install commitizen + run: pip3 install commitizen + shell: bash + working-directory: ./ + + - name: Verify commit message compliance + run: | + echo "cz check --message '${{ github.event.head_commit.message }}'" + cz check --message "${{ github.event.head_commit.message }}" + shell: bash + working-directory: ./ diff --git a/.gitea/workflows/pull-request-open.yml b/.gitea/workflows/pull-request-open.yml new file mode 100644 index 0000000..0c7f08a --- /dev/null +++ b/.gitea/workflows/pull-request-open.yml 
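Review bot: In development.yml the "Verify commit message compliance" step interpolates `${{ github.event.head_commit.message }}` straight into the `run:` script (twice, once in the `echo` and once in `cz check --message "..."`), so a quote or shell metacharacter in a pushed commit message becomes part of the command the runner executes instead of data. Put the value in the step's environment and reference it as a shell variable: `env:` / `COMMIT_MESSAGE: ${{ github.event.head_commit.message }}` on the step, and `cz check --message "$COMMIT_MESSAGE"` in the script. `pip3 install commitizen` is unpinned, so the check can change behaviour between runs; pin it (`pip3 install commitizen==<version>`) to the same version as the `rev` used for the commitizen pre-commit hook added in this commit.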
@@ -0,0 +1,43 @@ +--- +name: pull-requests-open +on: + pull_request: + types: + - opened + - edited + - synchronize + branches: + - main + +jobs: + commit-history-check: + name: Check commit compliance + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + fetch-depth: 0 + + - name: Install commitizen + run: pip3 install commitizen + shell: bash + working-directory: ./ + + - run: git log origin/${{ github.event.pull_request.base.ref }}.. + + - name: Verify commit message compliance + run: | + echo "cz check --rev-range origin/${{ gitea.event.pull_request.base.ref }}.." + cz check --rev-range origin/${{ gitea.event.pull_request.base.ref }}.. + shell: bash + working-directory: ./ + + - name: Render terraform docs + uses: Dirrk/terraform-docs@v1.0.8 + with: + tf_docs_working_dir: . + tf_docs_output_file: README.md + tf_docs_output_method: inject + tf_docs_git_push: "true" diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml new file mode 100644 index 0000000..c72fc74 --- /dev/null +++ b/.gitea/workflows/release.yml 
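Review bot: The "Render terraform docs" step gives `Dirrk/terraform-docs@v1.0.8`, pinned only to a mutable tag, a push back to the branch (`tf_docs_git_push: "true"`) on a `pull_request`-triggered run, so whatever that tag resolves to later runs with the job's write credential on every PR (on a detached `head.sha` checkout the push may not even land, which is worth confirming). Pin it and `actions/checkout` to a full commit SHA with the tag in a trailing comment, and keep `tf_docs_git_push` off for PR events so docs rendering stays a check. The file mixes `github.event.pull_request...` (checkout, `git log`) with `gitea.event.pull_request...` (`cz check`) for the same payload; pick one context name for consistency. The `- run: git log ...` step is the only one without a `name:`.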
@@ -0,0 +1,54 @@ +--- +name: build-deploy +on: + push: + branches: + - main + +jobs: + do-release: + if: "!startsWith(github.event.head_commit.message, 'bump:')" + runs-on: ubuntu-latest + name: Bump version and create changelog with commitizen + steps: + - name: Get secrets from vault + id: import-secrets + uses: hashicorp/vault-action@v3 + with: + url: "https://vault.ednz.fr" + method: approle + roleId: ${{ secrets.VAULT_APPROLE_ID }} + secretId: ${{ secrets.VAULT_APPROLE_SECRET_ID }} + secrets: | + kv/data/applications/gitea/users/actions username | GITEA_ACTIONS_USERNAME ; + kv/data/applications/gitea/users/actions token_write | GITEA_ACTIONS_TOKEN ; + + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 + token: ${{ steps.import-secrets.outputs.GITEA_ACTIONS_TOKEN }} + + - name: Install commitizen + run: pip3 install commitizen + shell: bash + working-directory: ./ + + - name: Configure git credentials + uses: oleksiyrudenko/gha-git-credentials@v2 + with: + global: true + name: "Gitea-Actions Bot" + email: "gitea-actions@ednz.fr" + actor: ${{ steps.import-secrets.outputs.GITEA_ACTIONS_USERNAME }} + token: ${{ steps.import-secrets.outputs.GITEA_ACTIONS_TOKEN }} + + - name: Do release + run: cz -nr 21 bump --yes + shell: bash + working-directory: ./ + + - name: Push release + run: git push && git push --tags + shell: bash + working-directory: ./ diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index c54adef..0035188 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,6 +1,6 @@ repos: - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.86.0 + rev: v1.94.1 hooks: - id: terraform_fmt - id: terraform_docs 
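Review bot: In release.yml the Vault-sourced write token (`GITEA_ACTIONS_TOKEN`) is handed to two tag-pinned third-party actions, `hashicorp/vault-action@v3` and `oleksiyrudenko/gha-git-credentials@v2`, and is also persisted in the repository by `actions/checkout` through `token:`; a mutable tag means the code receiving that token can change with no change in this file. Pin each action to a full commit SHA with the tag in a trailing comment, and since the credentials step configures git auth on its own, consider `persist-credentials: false` on the checkout so the token lives in one place (verify the later `git push` still authenticates through the credentials step). The `if: "!startsWith(github.event.head_commit.message, 'bump:')"` guard is the only thing preventing the bump commit from re-triggering this push-to-main workflow; a one-line comment saying so, `# loop guard: the bump commit itself must not trigger another release`, would keep it from being "simplified" away.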
@@ -13,7 +13,15 @@ repos: - "--args=--indent 3" - "--args=--show all" - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.5.0 + rev: v4.6.0 hooks: - id: trailing-whitespace - id: end-of-file-fixer + - repo: https://github.com/commitizen-tools/commitizen + rev: v3.29.0 + hooks: + - id: commitizen + - id: commitizen-branch + stages: + - post-commit + - push diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..f412dc0 --- /dev/null +++ b/LICENSE @@ -0,0 +1,20 @@ +The MIT License (MIT) + +Copyright (c) 2023 Bertrand Lanson + +Permission is hereby granted, free of charge, to any person obtaining a copy of +this software and associated documentation files (the "Software"), to deal in +the Software without restriction, including without limitation the rights to +use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +the Software, and to permit persons to whom the Software is furnished to do so, +subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. From 74a01b5b050f78e873565b3adc9a612993299810 Mon Sep 17 00:00:00 2001 From: Bertrand Lanson Date: Sun, 8 Sep 2024 13:26:48 +0200 Subject: [PATCH 02/13] ci: remove tfdcos action, replace with pre-commit check --- .gitea/workflows/pull-request-open.yml | 24 ++++++++++++++++++------ README.md | 4 ++-- 2 files changed, 20 insertions(+), 8 deletions(-) 
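Review bot: The new `commitizen-branch` hook carries `stages:` with `post-commit` and `push` (indentation is lost in this rendering, so which hook the key belongs to is inferred): `push` is the legacy spelling that current pre-commit calls `pre-push`, and a `post-commit` run happens after the commit is already recorded, so it can only report a violation, never block it. If the goal is to reject non-compliant messages locally, the plain `commitizen` hook already defaults to the `commit-msg` stage; `commitizen-branch` is then only needed at `stages: [pre-push]`.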
diff --git a/.gitea/workflows/pull-request-open.yml b/.gitea/workflows/pull-request-open.yml index 0c7f08a..e8e4b99 100644 --- a/.gitea/workflows/pull-request-open.yml +++ b/.gitea/workflows/pull-request-open.yml @@ -34,10 +34,22 @@ jobs: shell: bash working-directory: ./ - - name: Render terraform docs - uses: Dirrk/terraform-docs@v1.0.8 + pre-commit-check: + name: Check pre-commit status + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 with: - tf_docs_working_dir: . - tf_docs_output_file: README.md - tf_docs_output_method: inject - tf_docs_git_push: "true" + ref: ${{ github.event.pull_request.head.sha }} + fetch-depth: 0 + + - name: Install commitizen + run: pip3 install pre-commit + shell: bash + working-directory: ./ + + - name: Verify pre-commit status + run: pre-commit run --all + shell: bash + working-directory: ./ diff --git a/README.md b/README.md index 24603aa..e2f58b0 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ Terraform module to deploy a completely customizable OpenStack - + ### Requirements | Name | Version | @@ -82,4 +82,4 @@ No modules. | [frontend_subnet](#output_frontend_subnet) | The frontend subnet object (as a list), if created | | [router](#output_router) | The entire router object (as a list), if created | | [subnetpool](#output_subnetpool) | The subnetpool object (as a list), if created | - + From 8611f1d266637676ce669779a5bd5a2f1fa52ebc Mon Sep 17 00:00:00 2001 From: Bertrand Lanson Date: Sun, 8 Sep 2024 14:44:01 +0200 Subject: [PATCH 03/13] ci: install dependencies for pre-commit hooks --- .gitea/workflows/pull-request-open.yml | 13 ++++++++++++- .pre-commit-config.yaml | 9 +++++---- 2 files changed, 17 insertions(+), 5 deletions(-) diff --git a/.gitea/workflows/pull-request-open.yml b/.gitea/workflows/pull-request-open.yml index e8e4b99..47a66d7 100644 --- a/.gitea/workflows/pull-request-open.yml +++ b/.gitea/workflows/pull-request-open.yml 
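Review bot: The new `pre-commit-check` job checks out `github.event.pull_request.head.sha` and runs `pre-commit run --all`, so the hooks executed are whatever the PR's own `.pre-commit-config.yaml` declares; that is acceptable only while the job holds no secrets and nothing beyond the default token, and the constraint deserves a comment on the job, `# runs hooks declared by the PR itself: keep this job secret-free`. The step is named "Install commitizen" but installs `pre-commit`. `--all` does not appear to be a documented pre-commit option and seems to work only through argparse prefix matching of `--all-files`; spell it out as `pre-commit run --all-files`.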
@@ -44,11 +44,22 @@ jobs: ref: ${{ github.event.pull_request.head.sha }} fetch-depth: 0 - - name: Install commitizen + - name: Install pre-commit run: pip3 install pre-commit shell: bash working-directory: ./ + - name: Install pre-commit dependencies + run: | + # terraform-docs + curl -sSLo /tmp/terraform-docs.tar.gz \ + https://terraform-docs.io/dl/v0.18.0/terraform-docs-v0.18.0-$(uname)-amd64.tar.gz + tar -xzf /tmp/terraform-docs.tar.gz + chmod +x /tmp/terraform-docs + mv /tmp/terraform-docs /usr/local/bin/terraform-docs + shell: bash + working-directory: ./ + - name: Verify pre-commit status run: pre-commit run --all shell: bash diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 0035188..9752267 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,13 +1,14 @@ repos: - - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.94.1 + - repo: https://github.com/tofuutils/pre-commit-opentofu + rev: v1.0.2 hooks: - - id: terraform_fmt - - id: terraform_docs + - id: tofu_fmt + - id: tofu_docs args: - "--hook-config=--path-to-file=README.md" - "--hook-config=--add-to-existing-file=true" - "--hook-config=--create-file-if-not-exist=true" + - "--hook-config=--use-standard-markers=true" - "--args=--escape=false" - "--args=--lockfile=false" - "--args=--indent 3" From d31e79430b876c55af69e26366a5c8130be19bf2 Mon Sep 17 00:00:00 2001 From: Bertrand Lanson Date: Sun, 8 Sep 2024 14:46:17 +0200 Subject: [PATCH 04/13] ci: check where the tf-docs binary is decompressed --- .gitea/workflows/pull-request-open.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.gitea/workflows/pull-request-open.yml b/.gitea/workflows/pull-request-open.yml index 47a66d7..42046fb 100644 --- a/.gitea/workflows/pull-request-open.yml +++ b/.gitea/workflows/pull-request-open.yml 
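Review bot: The terraform-docs tarball in "Install pre-commit dependencies" is fetched with `curl -sSLo` and moved into `/usr/local/bin` with no integrity check, so the runner trusts whatever the download endpoint returns. terraform-docs publishes checksums for its releases; record the expected digest in the workflow and verify before extracting, e.g. `echo "<PINNED_SHA256>  /tmp/terraform-docs.tar.gz" | sha256sum -c -`. Also `tar -xzf /tmp/terraform-docs.tar.gz` extracts into the working directory (the checkout), not `/tmp`, so the following `chmod +x /tmp/terraform-docs` will not find the binary; add `-C /tmp`.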
@@ -54,9 +54,12 @@ jobs: # terraform-docs curl -sSLo /tmp/terraform-docs.tar.gz \ https://terraform-docs.io/dl/v0.18.0/terraform-docs-v0.18.0-$(uname)-amd64.tar.gz - tar -xzf /tmp/terraform-docs.tar.gz + tar -xzf /tmp/terraform-docs.tar.gz -C /tmp + ls -la + ls -la /tmp chmod +x /tmp/terraform-docs mv /tmp/terraform-docs /usr/local/bin/terraform-docs + rm -rf /tmp/terraform-docs* shell: bash working-directory: ./ From 99d716c62b514b9f0f6e6374503bc8b4c3af940d Mon Sep 17 00:00:00 2001 From: Bertrand Lanson Date: Sun, 8 Sep 2024 14:51:51 +0200 Subject: [PATCH 05/13] ci: install opentofu aswell for pre-commit --- .gitea/workflows/pull-request-open.yml | 26 +++++++++++++++++--------- 1 file changed, 17 insertions(+), 9 deletions(-) diff --git a/.gitea/workflows/pull-request-open.yml b/.gitea/workflows/pull-request-open.yml index 42046fb..fb459b7 100644 --- a/.gitea/workflows/pull-request-open.yml +++ b/.gitea/workflows/pull-request-open.yml @@ -23,7 +23,7 @@ jobs: - name: Install commitizen run: pip3 install commitizen shell: bash - working-directory: ./ + working-directory: ${{ gitea.workspace }} - run: git log origin/${{ github.event.pull_request.base.ref }}.. @@ -32,7 +32,7 @@ jobs: echo "cz check --rev-range origin/${{ gitea.event.pull_request.base.ref }}.." cz check --rev-range origin/${{ gitea.event.pull_request.base.ref }}.. shell: bash - working-directory: ./ + working-directory: ${{ gitea.workspace }} pre-commit-check: name: Check pre-commit status 
@@ -47,23 +47,31 @@ jobs: - name: Install pre-commit run: pip3 install pre-commit shell: bash - working-directory: ./ + working-directory: ${{ gitea.workspace }} - name: Install pre-commit dependencies run: | # terraform-docs curl -sSLo /tmp/terraform-docs.tar.gz \ - https://terraform-docs.io/dl/v0.18.0/terraform-docs-v0.18.0-$(uname)-amd64.tar.gz + https://terraform-docs.io/dl/${TERRAFORM_DOCS_VERSION}/terraform-docs-${TERRAFORM_DOCS_VERSION}-$(uname)-amd64.tar.gz tar -xzf /tmp/terraform-docs.tar.gz -C /tmp - ls -la - ls -la /tmp chmod +x /tmp/terraform-docs mv /tmp/terraform-docs /usr/local/bin/terraform-docs - rm -rf /tmp/terraform-docs* + rm -rf /tmp/* + + # opentofu + curl --proto '=https' --tlsv1.2 -fsSL https://get.opentofu.org/install-opentofu.sh \ + -o install-opentofu.sh + chmod +x install-opentofu.sh + ./install-opentofu.sh --install-method standalone --opentofu-version $OPENTOFU_VERSION + rm -f install-opentofu.sh shell: bash - working-directory: ./ + working-directory: ${{ gitea.workspace }} + env: + OPENTOFU_VERSION: 1.8.0 + TERRAFORM_DOCS_VERSION: v0.18.0 - name: Verify pre-commit status run: pre-commit run --all shell: bash - working-directory: ./ + working-directory: ${{ gitea.workspace }} From f5c4d1527246498e867cdc8a79eb2c0bb084522e Mon Sep 17 00:00:00 2001 From: Bertrand Lanson Date: Sun, 8 Sep 2024 15:13:10 +0200 Subject: [PATCH 06/13] ci: adjust job dependencies --- .gitea/workflows/pull-request-open.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitea/workflows/pull-request-open.yml b/.gitea/workflows/pull-request-open.yml index fb459b7..675edc9 100644 --- a/.gitea/workflows/pull-request-open.yml +++ b/.gitea/workflows/pull-request-open.yml @@ -37,6 +37,7 @@ jobs: pre-commit-check: name: Check pre-commit status runs-on: ubuntu-latest + needs: commit-history-check steps: - name: Checkout uses: actions/checkout@v4 From bbfa3b45928b4e2fd0e1b573753353ef8c9014b2 Mon Sep 17 00:00:00 2001 
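Review bot: `rm -rf /tmp/*` at the end of the terraform-docs block deletes everything in the runner's `/tmp`, not just what this step created; the earlier `rm -rf /tmp/terraform-docs*` had the right scope, and removing temp files belonging to the runner or other tools is a plausible source of hard-to-diagnose failures. The download is now parameterised by `TERRAFORM_DOCS_VERSION` but still has no checksum verification before the `mv` into `/usr/local/bin`. Fetching the OpenTofu installer with `--proto '=https' --tlsv1.2 -f` is the right transport hygiene; whether `install-opentofu.sh --install-method standalone` verifies the package it downloads is something to confirm and record in a comment rather than assume.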
From: Bertrand Lanson Date: Mon, 9 Sep 2024 20:45:03 +0200 Subject: [PATCH 07/13] feat: add tests to module --- .cz.toml | 1 - .gitignore | 38 +++++++ .terraform.lock.hcl | 41 ++++++++ README.md | 14 ++- main.tf | 46 +++++---- outputs.tf | 13 ++- tests/module/.terraform.lock.hcl | 41 ++++++++ tests/module/locals.tf | 18 ++++ tests/module/main.tf | 67 ++++++++++++ tests/module/variables.tf | 170 +++++++++++++++++++++++++++++++ tests/one_tier.tftest.hcl | 59 +++++++++++ tests/three_tier.tftest.hcl | 62 +++++++++++ tests/two_tier.tftest.hcl | 60 +++++++++++ variables.tf | 42 +++++--- 14 files changed, 634 insertions(+), 38 deletions(-) create mode 100644 .gitignore create mode 100644 .terraform.lock.hcl create mode 100644 tests/module/.terraform.lock.hcl create mode 100644 tests/module/locals.tf create mode 100644 tests/module/main.tf create mode 100644 tests/module/variables.tf create mode 100644 tests/one_tier.tftest.hcl create mode 100644 tests/three_tier.tftest.hcl create mode 100644 tests/two_tier.tftest.hcl diff --git a/.cz.toml b/.cz.toml index 088e162..7866eab 100644 --- a/.cz.toml +++ b/.cz.toml @@ -1,7 +1,6 @@ [tool.commitizen] name = "cz_conventional_commits" version_provider = "scm" -version_files = ["galaxy.yml:^version"] update_changelog_on_bump = true major_version_zero = true tag_format = "v$version" diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..0cd8e68 --- /dev/null +++ b/.gitignore 
@@ -0,0 +1,38 @@ +# Local .terraform directories +**/.terraform/* + +# .tfstate files +*.tfstate +*.tfstate.* + +# Crash log files +crash.log + +# Exclude all .tfvars files, which are likely to contain sentitive data, such as +# password, private keys, and other secrets. These should not be part of version +# control as they are data points which are potentially sensitive and subject +# to change depending on the environment. +# +#*.tfvars + +# Ignore override files as they are usually used to override resources locally and so +# are not checked in +override.tf +override.tf.json +*_override.tf +*_override.tf.json + +# Include override files you do wish to add to version control using negated pattern +# +# !example_override.tf + +# Ignore CLI configuration files +.terraformrc +terraform.rc + +# Credentials files +credentials.auto.tfvars + +# Local plan files +plan.out +**temp.txt diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl new file mode 100644 index 0000000..59aa238 --- /dev/null +++ b/.terraform.lock.hcl 
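Review bot: The `*.tfvars` rule is commented out (`#*.tfvars`) directly under the comment explaining that such files likely hold passwords and private keys, so only `credentials.auto.tfvars` is actually excluded and any other `.tfvars` file is picked up by `git add`. Enable it and allow-list the example files you do want tracked: `*.tfvars`, `*.tfvars.json`, `!example.tfvars` (substitute the real example names). `**temp.txt` behaves like `*temp.txt` in gitignore syntax, since doubled asterisks not bounded by `/` are ordinary wildcards; if a specific file is meant, name it.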
@@ -0,0 +1,41 @@ +# This file is maintained automatically by "tofu init". +# Manual edits may be lost in future updates. + +provider "registry.opentofu.org/hashicorp/vault" { + version = "4.4.0" + hashes = [ + "h1:s0t6P9ZfUQnHLxtUcnpPWpME68KwO/OxZqHAKSIvOoo=", + "zh:0309ea8f81386e17ab13c06c5991ca959708c55c815b0cfba2bbcd865e0d606e", + "zh:40e56199ccd266bffa216e8ebbcdc2e29b6ef5145b39377be766e763cac759c8", + "zh:6fad1f073bd2e53e34736e000f98db581137e153ac80bbb5c4f1a1e38b46a1d2", + "zh:74564fd4759decccf7f3c952aa2feba1012f103a66ec354aa3b3292a2f1b2412", + "zh:7aae012c1a43e6e5dae6f608ec0f08cdb3f95fa121a32e413fe7ee37cb99947f", + "zh:7c83f508e164844b1dd9bafe9de0fe60c7be7b55a02e704a6e2f50cff38b7d96", + "zh:873a42322b68d9fba4a38217b97ee04a1eb617e811d7f9954016f5c3eb6cb0bc", + "zh:9db2b13472cf91a5f18f0a7c6ae532277c05b0980d87f492341426b981679f7b", + "zh:ac1cbd2926265db80efe3f1814bed82901f7d8a7d4e5b1e22592e1eef234b1c7", + "zh:f465a955cc96f640e7426a648ba672c169a4a2959bad6146fe61583d67642561", + ] +} + +provider "registry.opentofu.org/terraform-provider-openstack/openstack" { + version = "2.1.0" + constraints = ">= 1.54.0, ~> 2.1.0" + hashes = [ + "h1:2TcmfEzBOGQPALErrXTaL6v+k/WAL40adao4izRYmdw=", + "zh:113661750398bf21c8fe36aade9fb6f5eb82b5bcd3bcd30bd37ac805d83398f4", + "zh:1b3c26347b9cd61e413ee93c2f422cc3278a77f55fd3516eaabb3e2a85f65281", + "zh:1b751bbf1e4152829a643b532fd3f5967a2e89a41fac381257e0b41665be3306", + "zh:1b967bbfd9b344419c0e0df0c3a15fcbd731e91f19a18955a55aace8d9ec039a", + "zh:1bc0fc7c0a21e568db043b654501ce668ba19bf7628d37a7d2aaa512fd6e5aeb", + "zh:425cbf61757d4b503e7bf0f409ea59835ca3afbd2432d56ad552c2e5d234a572", + "zh:67d4f059cb4d73bf6c060313ec32962c4e5bd8dc7be2542a6f2098ab32575cd9", + "zh:7fe841ac5b68a4f52fb3cf45070828f3845de44746679d434e4349f3c23e3ef2", + "zh:ac1ed4c6ef0b6a3410568a05d3f9933d184497f065988503c43da0b2f0786ab2", + "zh:c5c0d14c86fabd9ab6a5d555e6a8d511942665fb5fa948dd452b0d1934068344", + 
"zh:c9ae5c210192275185d6823566a9421983e8e64c2665a4cae00b92dd0706bd19", + "zh:ee9865ccc053e7f345e532654fb628d1cf1e81cd2e929643c1691bebffcf7b98", + "zh:f3416d2f666095e740522c4964e436470bb9ec17bd53aaae8169ad93297d07bd", + "zh:fbca85457dd49e17168989d64f7cfc4a519d55ef4e00e89cea2859e87ad87f83", + ] +} diff --git a/README.md b/README.md index e2f58b0..7b8a6b3 100644 --- a/README.md +++ b/README.md @@ -43,20 +43,25 @@ No modules. | [openstack_networking_subnet_v2.backend](https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/networking_subnet_v2) | resource | | [openstack_networking_subnet_v2.database](https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/networking_subnet_v2) | resource | | [openstack_networking_subnet_v2.frontend](https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/networking_subnet_v2) | resource | -| [openstack_networking_subnetpool_v2.this](https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/networking_subnetpool_v2) | resource | +| [openstack_networking_subnetpool_v2.apps](https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/networking_subnetpool_v2) | resource | +| [openstack_networking_subnetpool_v2.database](https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/networking_subnetpool_v2) | resource | | [openstack_identity_project_v3.this](https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/data-sources/identity_project_v3) | data source | ### Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| [application_subnetpool_cidr_blocks](#input_application_subnetpool_cidr_blocks) | The CIDR blocks for the application subnet pool | `list(string)` |
[
"192.168.0.0/21"
]
| no | +| [application_subnetpool_id](#input_application_subnetpool_id) | The id of the subnetpool to create the public (first 2 tier) networks from.
Since this module can route private subnets to the backbone, it needs to make sure it's not creating overlapping subnets. | `string` | `null` | no | | [architecture_tiers](#input_architecture_tiers) | The type of architecture.
Can be either 0, 1, 2 or 3.
Tier 0 will not create any subnets or networks.
Tier 1 will only create a single frontend subnet.
Tier 2 will create a frontend and backend subnet.
Tier 3 will create a frontend, backend and database subnet. | `number` | `1` | no | | [attach_to_external](#input_attach_to_external) | Whether the frontend subnet should be routed or not to the external LAN.
This options implies that you have sufficient permissions to configure static route on the backbone infrastructure.
This will create an static route entry in the route table of the backbone router, in order to make your project available from the outside. | `bool` | `false` | no | | [backend_subnet_prefix_len](#input_backend_subnet_prefix_len) | The prefix length of the backend subnet. Must be between 20 and 32. | `number` | `24` | no | +| [create_application_subnetpool](#input_create_application_subnetpool) | Whether the module should create an application subnet pool for this project, or use an existing one. | `bool` | `true` | no | +| [create_database_subnetpool](#input_create_database_subnetpool) | Whether the module should create a database subnet pool for this project, or use an existing one. | `bool` | `true` | no | | [create_default_secgroups](#input_create_default_secgroups) | Whether to create default security groups or not.
Depending on your choice of architecture tiering, will create security groups so that each tier can connect to the one below.
Security groups for the database tier will be created for mariadb, postgresql and redis.
A default security group allowing ssh connection will also be created. | `bool` | `false` | no | -| [create_subnetpool](#input_create_subnetpool) | Whether the module should create a subnet pool for this project, or use an existing one. | `bool` | `true` | no | | [database_secgroup_strict](#input_database_secgroup_strict) | Defines whether the security groups for the database network should be strict.
In strict mode, egress is only allowed to the backend network. | `bool` | `false` | no | | [database_subnet_prefix_len](#input_database_subnet_prefix_len) | The prefix length of the database subnet. Must be between 24 and 32. | `number` | `24` | no | +| [database_subnetpool_cidr_blocks](#input_database_subnetpool_cidr_blocks) | The CIDR blocks for the database subnet pool | `list(string)` |
[
"192.168.8.0/23"
]
| no | | [database_subnetpool_id](#input_database_subnetpool_id) | The id of the subnetpool to create the databse network from.
Since this module can route private subnets to the backbone, it needs to make sure it's not creating overlapping subnets. | `string` | `null` | no | | [external_network_id](#input_external_network_id) | The id of the external network to connect the frontend router to. | `string` | `null` | no | | [frontend_subnet_prefix_len](#input_frontend_subnet_prefix_len) | The prefix length of the frontend subnet. Must be between 20 and 32. | `number` | `24` | no | @@ -64,22 +69,21 @@ No modules. | [project_name](#input_project_name) | The name of the project | `string` | n/a | yes | | [project_tags](#input_project_tags) | The tags to append to this project | `list(string)` | `[]` | no | | [public_nameservers](#input_public_nameservers) | A list of public DNS servers to upstreams requests to in your subnets.
This is not necessary if your openstack deployment already has configured default upstreams for neutron. | `list(string)` | `[]` | no | -| [public_subnetpool_id](#input_public_subnetpool_id) | The id of the subnetpool to create the public (first 2 tier) networks from.
Since this module can route private subnets to the backbone, it needs to make sure it's not creating overlapping subnets. | `string` | `null` | no | -| [subnetpool_cidr_blocks](#input_subnetpool_cidr_blocks) | The CIDR block for the subnet pool | `list(string)` |
[
"192.168.0.0/21"
]
| no | ### Outputs | Name | Description | |------|-------------| +| [apps_subnetpool](#output_apps_subnetpool) | The application subnetpool object (as a list), if created | | [backend_network](#output_backend_network) | The backend network object (as a list), if created | | [backend_secgroups](#output_backend_secgroups) | The backend security group objects (as a list), if created | | [backend_subnet](#output_backend_subnet) | The backend subnet object (as a list), if created | | [database_network](#output_database_network) | The database network object (as a list), if created | | [database_secgroups](#output_database_secgroups) | The database security group objects (as a list), if created | | [database_subnet](#output_database_subnet) | The database subnet object (as a list), if created | +| [database_subnetpool](#output_database_subnetpool) | The database subnetpool object (as a list), if created | | [frontend_network](#output_frontend_network) | The frontend network object (as a list), if created | | [frontend_secgroups](#output_frontend_secgroups) | The frontend security group objects (as a list), if created | | [frontend_subnet](#output_frontend_subnet) | The frontend subnet object (as a list), if created | | [router](#output_router) | The entire router object (as a list), if created | -| [subnetpool](#output_subnetpool) | The subnetpool object (as a list), if created | diff --git a/main.tf b/main.tf index e331bf0..aec813d 100644 --- a/main.tf +++ b/main.tf @@ -11,6 +11,10 @@ terraform { } } +locals { + resource_prefix = lower(var.project_name) +} + #! data sources data "openstack_identity_project_v3" "this" { name = var.project_name 
@@ -18,18 +22,26 @@ data "openstack_identity_project_v3" "this" { } #! subnetpools -resource "openstack_networking_subnetpool_v2" "this" { - count = var.create_subnetpool ? 1 : 0 - name = "${var.project_name}-subnetpool" +resource "openstack_networking_subnetpool_v2" "apps" { + count = var.create_application_subnetpool ? 1 : 0 + name = "${local.resource_prefix}-application-subnetpool" is_default = false ip_version = 4 - prefixes = var.subnetpool_cidr_blocks + prefixes = var.application_subnetpool_cidr_blocks +} + +resource "openstack_networking_subnetpool_v2" "database" { + count = var.create_database_subnetpool ? 1 : 0 + name = "${local.resource_prefix}-database-subnetpool" + is_default = false + ip_version = 4 + prefixes = var.database_subnetpool_cidr_blocks } #! networks & subnets resource "openstack_networking_network_v2" "frontend" { count = var.architecture_tiers > 0 ? 1 : 0 - name = "${var.project_name}-frontend-network" + name = "${local.resource_prefix}-frontend-network" description = "Terraform managed." tenant_id = data.openstack_identity_project_v3.this.id shared = false @@ -39,7 +51,7 @@ resource "openstack_networking_network_v2" "frontend" { resource "openstack_networking_network_v2" "backend" { count = var.architecture_tiers > 1 ? 1 : 0 - name = "${var.project_name}-backend-network" + name = "${local.resource_prefix}-backend-network" description = "Terraform managed." tenant_id = data.openstack_identity_project_v3.this.id shared = false @@ -49,7 +61,7 @@ resource "openstack_networking_network_v2" "backend" { resource "openstack_networking_network_v2" "database" { count = var.architecture_tiers == 3 ? 1 : 0 - name = "${var.project_name}-database-network" + name = "${local.resource_prefix}-database-network" description = "Terraform managed." tenant_id = data.openstack_identity_project_v3.this.id shared = false 
@@ -59,44 +71,44 @@ resource "openstack_networking_network_v2" "database" { resource "openstack_networking_subnet_v2" "frontend" { count = var.architecture_tiers > 0 ? 1 : 0 - name = "${var.project_name}-frontend-subnet-${count.index + 1}" + name = "${local.resource_prefix}-frontend-subnet-${count.index + 1}" description = "Terraform managed." tenant_id = data.openstack_identity_project_v3.this.id network_id = openstack_networking_network_v2.frontend[0].id prefix_length = var.frontend_subnet_prefix_len ip_version = 4 - subnetpool_id = var.create_subnetpool ? openstack_networking_subnetpool_v2.this[0].id : var.public_subnetpool_id + subnetpool_id = var.create_application_subnetpool ? openstack_networking_subnetpool_v2.apps[0].id : var.application_subnetpool_id dns_nameservers = var.public_nameservers } resource "openstack_networking_subnet_v2" "backend" { count = var.architecture_tiers > 1 ? 1 : 0 - name = "${var.project_name}-backend-subnet-${count.index + 1}" + name = "${local.resource_prefix}-backend-subnet-${count.index + 1}" description = "Terraform managed." tenant_id = data.openstack_identity_project_v3.this.id network_id = openstack_networking_network_v2.backend[0].id prefix_length = var.backend_subnet_prefix_len ip_version = 4 - subnetpool_id = var.create_subnetpool ? openstack_networking_subnetpool_v2.this[0].id : var.public_subnetpool_id + subnetpool_id = var.create_application_subnetpool ? openstack_networking_subnetpool_v2.apps[0].id : var.application_subnetpool_id dns_nameservers = var.public_nameservers } resource "openstack_networking_subnet_v2" "database" { count = var.architecture_tiers == 3 ? 1 : 0 - name = "${var.project_name}-database-subnet-${count.index + 1}" + name = "${local.resource_prefix}-database-subnet-${count.index + 1}" description = "Terraform managed." 
tenant_id = data.openstack_identity_project_v3.this.id network_id = openstack_networking_network_v2.database[0].id prefix_length = var.database_subnet_prefix_len ip_version = 4 - subnetpool_id = var.create_subnetpool ? openstack_networking_subnetpool_v2.this[0].id : var.database_subnetpool_id + subnetpool_id = var.create_application_subnetpool ? openstack_networking_subnetpool_v2.database[0].id : var.database_subnetpool_id dns_nameservers = var.public_nameservers } #! router resource "openstack_networking_router_v2" "this" { count = var.architecture_tiers > 0 ? 1 : 0 - name = "${var.project_name}-main-${count.index + 1}" + name = "${local.resource_prefix}-main-${count.index + 1}" description = "Terraform managed." tenant_id = data.openstack_identity_project_v3.this.id external_network_id = var.attach_to_external ? var.external_network_id : null @@ -128,7 +140,7 @@ resource "openstack_networking_secgroup_v2" "frontend" { var.create_default_secgroups ) ? 1 : 0 - name = "${var.project_name}-frontend-secgroup" + name = "${local.resource_prefix}-frontend-secgroup" description = "Terraform managed." tenant_id = data.openstack_identity_project_v3.this.id delete_default_rules = true @@ -163,7 +175,7 @@ resource "openstack_networking_secgroup_v2" "backend" { var.architecture_tiers > 1 && var.create_default_secgroups ) ? 1 : 0 - name = "${var.project_name}-backend-secgroup" + name = "${local.resource_prefix}-backend-secgroup" description = "Terraform managed." tenant_id = data.openstack_identity_project_v3.this.id delete_default_rules = true 
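Review bot: In `openstack_networking_subnet_v2.database` the new `subnetpool_id` line tests `var.create_application_subnetpool` but indexes `openstack_networking_subnetpool_v2.database[0]`, whose `count` is driven by `var.create_database_subnetpool`: with application=true and database=false the index is out of range, and with application=false and database=true the freshly created database pool is ignored in favour of `var.database_subnetpool_id`. The condition should read `subnetpool_id = var.create_database_subnetpool ? openstack_networking_subnetpool_v2.database[0].id : var.database_subnetpool_id`. The frontend and backend subnets in the same hunk correctly pair `create_application_subnetpool` with `apps[0]`.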
@@ -198,7 +210,7 @@ resource "openstack_networking_secgroup_v2" "database" { var.architecture_tiers == 3 && var.create_default_secgroups ) ? length(local.db_secgroups) : 0 - name = "${var.project_name}-database-${local.db_secgroups[count.index].type}-secgroup" + name = "${local.resource_prefix}-database-${local.db_secgroups[count.index].type}-secgroup" description = "Terraform managed." tenant_id = data.openstack_identity_project_v3.this.id delete_default_rules = true diff --git a/outputs.tf b/outputs.tf index 7c9a7f3..ff82575 100644 --- a/outputs.tf +++ b/outputs.tf @@ -1,7 +1,14 @@ -output "subnetpool" { - value = length(openstack_networking_subnetpool_v2.this) > 0 ? openstack_networking_subnetpool_v2.this.* : null +output "apps_subnetpool" { + value = length(openstack_networking_subnetpool_v2.apps) > 0 ? openstack_networking_subnetpool_v2.apps.* : null sensitive = false - description = "The subnetpool object (as a list), if created" + description = "The application subnetpool object (as a list), if created" + depends_on = [] +} + +output "database_subnetpool" { + value = length(openstack_networking_subnetpool_v2.database) > 0 ? openstack_networking_subnetpool_v2.database.* : null + sensitive = false + description = "The database subnetpool object (as a list), if created" depends_on = [] } diff --git a/tests/module/.terraform.lock.hcl b/tests/module/.terraform.lock.hcl new file mode 100644 index 0000000..59aa238 --- /dev/null +++ b/tests/module/.terraform.lock.hcl 
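Review bot: The two new outputs in outputs.tf use the legacy attribute splat `openstack_networking_subnetpool_v2.apps.*` and `.database.*`; the full splat `[*]` is the current form and makes the list intent explicit. `depends_on = []` on an output is a no-op and can be dropped. The `length(...) > 0 ? ... : null` guard means consumers get `null` rather than an empty list when the pool is not created, which "(as a list), if created" only hints at; `"The application subnetpool object as a list when created, otherwise null"` states it.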
@@ -0,0 +1,41 @@ +# This file is maintained automatically by "tofu init". +# Manual edits may be lost in future updates. + +provider "registry.opentofu.org/hashicorp/vault" { + version = "4.4.0" + hashes = [ + "h1:s0t6P9ZfUQnHLxtUcnpPWpME68KwO/OxZqHAKSIvOoo=", + "zh:0309ea8f81386e17ab13c06c5991ca959708c55c815b0cfba2bbcd865e0d606e", + "zh:40e56199ccd266bffa216e8ebbcdc2e29b6ef5145b39377be766e763cac759c8", + "zh:6fad1f073bd2e53e34736e000f98db581137e153ac80bbb5c4f1a1e38b46a1d2", + "zh:74564fd4759decccf7f3c952aa2feba1012f103a66ec354aa3b3292a2f1b2412", + "zh:7aae012c1a43e6e5dae6f608ec0f08cdb3f95fa121a32e413fe7ee37cb99947f", + "zh:7c83f508e164844b1dd9bafe9de0fe60c7be7b55a02e704a6e2f50cff38b7d96", + "zh:873a42322b68d9fba4a38217b97ee04a1eb617e811d7f9954016f5c3eb6cb0bc", + "zh:9db2b13472cf91a5f18f0a7c6ae532277c05b0980d87f492341426b981679f7b", + "zh:ac1cbd2926265db80efe3f1814bed82901f7d8a7d4e5b1e22592e1eef234b1c7", + "zh:f465a955cc96f640e7426a648ba672c169a4a2959bad6146fe61583d67642561", + ] +} + +provider "registry.opentofu.org/terraform-provider-openstack/openstack" { + version = "2.1.0" + constraints = ">= 1.54.0, ~> 2.1.0" + hashes = [ + "h1:2TcmfEzBOGQPALErrXTaL6v+k/WAL40adao4izRYmdw=", + "zh:113661750398bf21c8fe36aade9fb6f5eb82b5bcd3bcd30bd37ac805d83398f4", + "zh:1b3c26347b9cd61e413ee93c2f422cc3278a77f55fd3516eaabb3e2a85f65281", + "zh:1b751bbf1e4152829a643b532fd3f5967a2e89a41fac381257e0b41665be3306", + "zh:1b967bbfd9b344419c0e0df0c3a15fcbd731e91f19a18955a55aace8d9ec039a", + "zh:1bc0fc7c0a21e568db043b654501ce668ba19bf7628d37a7d2aaa512fd6e5aeb", + "zh:425cbf61757d4b503e7bf0f409ea59835ca3afbd2432d56ad552c2e5d234a572", + "zh:67d4f059cb4d73bf6c060313ec32962c4e5bd8dc7be2542a6f2098ab32575cd9", + "zh:7fe841ac5b68a4f52fb3cf45070828f3845de44746679d434e4349f3c23e3ef2", + "zh:ac1ed4c6ef0b6a3410568a05d3f9933d184497f065988503c43da0b2f0786ab2", + "zh:c5c0d14c86fabd9ab6a5d555e6a8d511942665fb5fa948dd452b0d1934068344", + 
"zh:c9ae5c210192275185d6823566a9421983e8e64c2665a4cae00b92dd0706bd19", + "zh:ee9865ccc053e7f345e532654fb628d1cf1e81cd2e929643c1691bebffcf7b98", + "zh:f3416d2f666095e740522c4964e436470bb9ec17bd53aaae8169ad93297d07bd", + "zh:fbca85457dd49e17168989d64f7cfc4a519d55ef4e00e89cea2859e87ad87f83", + ] +} diff --git a/tests/module/locals.tf b/tests/module/locals.tf new file mode 100644 index 0000000..41b3be0 --- /dev/null +++ b/tests/module/locals.tf @@ -0,0 +1,18 @@ +locals { + project_name = data.vault_kv_secret_v2.openstack_provider_project_info.data["tenant_name"] + project_domain = var.project_domain + project_tags = var.project_tags + architecture_tiers = var.architecture_tiers + create_application_subnetpool = var.create_application_subnetpool + application_subnetpool_cidr_blocks = var.application_subnetpool_cidr_blocks + create_database_subnetpool = var.create_database_subnetpool + database_subnetpool_cidr_blocks = var.database_subnetpool_cidr_blocks + frontend_subnet_prefix_len = var.frontend_subnet_prefix_len + backend_subnet_prefix_len = var.backend_subnet_prefix_len + database_subnet_prefix_len = var.database_subnet_prefix_len + public_nameservers = var.public_nameservers + create_default_secgroups = var.create_default_secgroups + database_secgroup_strict = var.database_secgroup_strict + attach_to_external = var.attach_to_external + external_network_id = data.openstack_networking_network_v2.ext_floating.id +} diff --git a/tests/module/main.tf b/tests/module/main.tf new file mode 100644 index 0000000..d1c5af4 --- /dev/null +++ b/tests/module/main.tf 
@@ -0,0 +1,67 @@ +terraform { + required_version = ">= 1.0.0" + required_providers { + vault = { + source = "hashicorp/vault" + } + openstack = { + source = "terraform-provider-openstack/openstack" + version = "~> 2.1.0" + } + } +} + +provider "vault" { + address = "https://active.vault.service.consul:8200" + skip_tls_verify = true +} + +provider "openstack" { + auth_url = data.vault_kv_secret_v2.openstack_provider_region.data["auth_url"] + region = data.vault_kv_secret_v2.openstack_provider_region.data["region_name"] + tenant_name = data.vault_kv_secret_v2.openstack_provider_project_info.data["tenant_name"] + application_credential_id = data.vault_kv_secret_v2.openstack_provider_project_user.data["application_credential_id"] + application_credential_secret = data.vault_kv_secret_v2.openstack_provider_project_user.data["application_credential_secret"] +} + +data "vault_kv_secret_v2" "openstack_provider_region" { + mount = "kv" + name = "infrastructure/openstack/regions/dc3_a" +} + +data "vault_kv_secret_v2" "openstack_provider_project_user" { + mount = "kv" + name = "infrastructure/openstack/projects/pcp_dawxdax/users/tofu" +} + +data "vault_kv_secret_v2" "openstack_provider_project_info" { + mount = "kv" + name = "infrastructure/openstack/projects/pcp_dawxdax/info" +} + +data "openstack_networking_network_v2" "ext_floating" { + name = "ext-floating1" +} + +module "landing_zone" { + source = "../../" + + project_name = local.project_name + project_domain = local.project_domain + project_tags = local.project_tags + + architecture_tiers = local.architecture_tiers + create_application_subnetpool = local.create_application_subnetpool + application_subnetpool_cidr_blocks = local.application_subnetpool_cidr_blocks + create_database_subnetpool = local.create_database_subnetpool + database_subnetpool_cidr_blocks = local.database_subnetpool_cidr_blocks + frontend_subnet_prefix_len = local.frontend_subnet_prefix_len + backend_subnet_prefix_len = 
local.backend_subnet_prefix_len + database_subnet_prefix_len = local.database_subnet_prefix_len + public_nameservers = local.public_nameservers + + create_default_secgroups = local.create_default_secgroups + + attach_to_external = local.attach_to_external + external_network_id = local.external_network_id +} diff --git a/tests/module/variables.tf b/tests/module/variables.tf new file mode 100644 index 0000000..bdb6bc1 --- /dev/null +++ b/tests/module/variables.tf 
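Review bot: `provider "vault"` in the new tests/module/main.tf sets `skip_tls_verify = true`, which disables certificate verification on the very connection that hands out the OpenStack application credential secret; since the CI job installs the internal CA system-wide before running `tofu test`, the flag should not be needed and can be dropped (or become a variable defaulting to `false`). The Vault `address` is hard-coded to `https://active.vault.service.consul:8200` while the workflow authenticates against `https://vault.ednz.fr`; if these are the same server, leaving `address` unset and letting the provider read `VAULT_ADDR` keeps the two from drifting. `required_providers.vault` carries no version constraint, so only the committed lock file pins it to 4.4.0; a `version = "~> 4.4"` next to the openstack constraint would make that intent explicit. The `vault_kv_secret_v2` data sources put the application credential secret into the test run's state, which is presumably acceptable because `tofu test` does not persist it, but that assumption is worth a one-line comment on the data source. The module block also does not forward `application_subnetpool_id` / `database_subnetpool_id`, although tests/module/variables.tf declares them, so a test with `create_*_subnetpool = false` cannot currently supply an existing pool.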
@@ -0,0 +1,170 @@ +#! global variables +variable "project_domain" { + type = string + description = "The domain where this project will be created" + default = "default" +} + +variable "project_tags" { + type = list(string) + description = "The tags to append to this project" + default = [] +} + +#! architecture tiering variables +variable "architecture_tiers" { + type = number + description = <<-EOT + The type of architecture. + Can be either 0, 1, 2 or 3. + Tier 0 will not create any subnets or networks. + Tier 1 will only create a single frontend subnet. + Tier 2 will create a frontend and backend subnet. + Tier 3 will create a frontend, backend and database subnet. + EOT + default = 1 + validation { + condition = ( + var.architecture_tiers > 0 && + var.architecture_tiers <= 3 + ) + error_message = "The architecture_tiers must be between 0 and 3." + } +} + +#! subnetpools creation +variable "create_application_subnetpool" { + type = bool + description = "Whether the module should create an application subnet pool for this project, or use an existing one." + default = true +} + +variable "application_subnetpool_cidr_blocks" { + type = list(string) + description = "The CIDR blocks for the application subnet pool" + default = ["192.168.0.0/21"] + validation { + condition = alltrue([ + for i in var.application_subnetpool_cidr_blocks : can(cidrhost(i, 0)) + ]) + error_message = "The application_subnetpool_cidr_blocks must be a valid IPv4 CIDR" + } +} + +variable "create_database_subnetpool" { + type = bool + description = "Whether the module should create a database subnet pool for this project, or use an existing one." 
+ default = true +} + +variable "database_subnetpool_cidr_blocks" { + type = list(string) + description = "The CIDR blocks for the database subnet pool" + default = ["192.168.8.0/23"] + validation { + condition = alltrue([ + for i in var.database_subnetpool_cidr_blocks : can(cidrhost(i, 0)) + ]) + error_message = "The database_subnetpool_cidr_blocks must be a valid IPv4 CIDR" + } +} + +#! networking variables +variable "frontend_subnet_prefix_len" { + type = number + description = "The prefix length of the frontend subnet. Must be between 20 and 32." + default = 24 + validation { + condition = ( + var.frontend_subnet_prefix_len >= 20 && + var.frontend_subnet_prefix_len <= 32 + ) + error_message = "The prefix length must be between 20 and 32." + } +} + +variable "backend_subnet_prefix_len" { + type = number + description = "The prefix length of the backend subnet. Must be between 20 and 32." + default = 24 + validation { + condition = ( + var.backend_subnet_prefix_len >= 20 && + var.backend_subnet_prefix_len <= 32 + ) + error_message = "The prefix length must be between 20 and 32." + } +} + +variable "database_subnet_prefix_len" { + type = number + description = "The prefix length of the database subnet. Must be between 24 and 32." + default = 24 + validation { + condition = ( + var.database_subnet_prefix_len >= 24 && + var.database_subnet_prefix_len <= 32 + ) + error_message = "The prefix length must be between 24 and 32." + } +} + +variable "public_nameservers" { + type = list(string) + description = <<-EOT + A list of public DNS servers to upstreams requests to in your subnets. + This is not necessary if your openstack deployment already has configured default upstreams for neutron. + EOT + default = [] +} + +#! security variables +variable "create_default_secgroups" { + type = bool + description = <<-EOT + Whether to create default security groups or not. 
+ Depending on your choice of architecture tiering, will create security groups so that each tier can connect to the one below. + Security groups for the database tier will be created for mariadb, postgresql and redis. + A default security group allowing ssh connection will also be created. + EOT + default = false +} + +variable "database_secgroup_strict" { + type = bool + description = <<-EOT + Defines whether the security groups for the database network should be strict. + In strict mode, egress is only allowed to the backend network. + EOT + default = false +} + +#! subnetpool variables & validation +variable "application_subnetpool_id" { + type = string + description = <<-EOT + The id of the subnetpool to create the public (first 2 tier) networks from. + Since this module can route private subnets to the backbone, it needs to make sure it's not creating overlapping subnets. + EOT + default = null +} + +variable "database_subnetpool_id" { + type = string + description = <<-EOT + The id of the subnetpool to create the databse network from. + Since this module can route private subnets to the backbone, it needs to make sure it's not creating overlapping subnets. + EOT + default = null +} + +#! public network attachement variables +variable "attach_to_external" { + type = bool + description = <<-EOT + Whether the frontend subnet should be routed or not to the external LAN. + This options implies that you have sufficient permissions to configure static route on the backbone infrastructure. + This will create an static route entry in the route table of the backbone router, in order to make your project available from the outside. + EOT + default = false +} diff --git a/tests/one_tier.tftest.hcl b/tests/one_tier.tftest.hcl new file mode 100644 index 0000000..73961d8 --- /dev/null +++ b/tests/one_tier.tftest.hcl 
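Review bot: The `architecture_tiers` validation in the new tests/module/variables.tf accepts only `var.architecture_tiers > 0 && var.architecture_tiers <= 3`, while its description lists 0 as a valid tier and the error message says "between 0 and 3"; either the condition should become `var.architecture_tiers >= 0 && var.architecture_tiers <= 3` or the description and message should say 1 to 3. The descriptions also carry typos worth fixing in the same pass: "databse" in `database_subnetpool_id`, "This options implies" and "an static route" in `attach_to_external`, "attachement" in the section comment. Because terraform-docs injects these descriptions into the README, this wording is user-facing documentation rather than an internal comment.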
@@ -0,0 +1,59 @@ +run "two_tier" { + module { + source = "./tests/module" + } + + variables { + project_domain = "default" + project_tags = ["cloud", "test", "tofu"] + architecture_tiers = 1 + create_application_subnetpool = true + application_subnetpool_cidr_blocks = ["10.10.128.0/17"] + create_database_subnetpool = false + frontend_subnet_prefix_len = 24 + public_nameservers = ["9.9.9.9", "9.9.9.10"] + create_default_secgroups = true + database_secgroup_strict = false + attach_to_external = true + } + + assert { + condition = alltrue([for i in module.landing_zone.apps_subnetpool[0].prefixes : can(cidrhost(i, 0))]) + error_message = "The application subnetpool does not seem correct" + } + + assert { + condition = module.landing_zone.database_subnetpool == null + error_message = "The database subnetpool is not null" + } + + assert { + condition = can(regex("^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$", module.landing_zone.frontend_network[0].id)) + error_message = "The frontend network was not created successfully" + } + + assert { + condition = module.landing_zone.backend_network == null + error_message = "The backend network is not null" + } + + assert { + condition = module.landing_zone.database_network == null + error_message = "The database network is not null" + } + + assert { + condition = can(regex("^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$", module.landing_zone.frontend_subnet[0].id)) + error_message = "The frontend subnet was not created successfully" + } + + assert { + condition = module.landing_zone.backend_subnet == null + error_message = "The backend subnet is not null" + } + + assert { + condition = module.landing_zone.database_subnet == null + error_message = "The database subnet is not null" + } +} diff --git a/tests/three_tier.tftest.hcl b/tests/three_tier.tftest.hcl new file mode 100644 index 0000000..6eba221 --- /dev/null +++ b/tests/three_tier.tftest.hcl 
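Review bot: The run block in the new tests/one_tier.tftest.hcl is named `run "two_tier"` although it exercises `architecture_tiers = 1`; renaming it to `run "one_tier"` makes test output and failure messages point at the right scenario. The UUID regex is repeated verbatim in every assert across the three test files; a single documented pattern, or a comment above the first assert naming it as "OpenStack resource id is a UUID", would make the assertions easier to scan, though the current pattern is correct. `attach_to_external = true` means every PR test run installs a static route on the backbone router per the variable's own description, so this suite touches shared infrastructure and not only the test project, which is worth stating in a comment at the top of the file.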
@@ -0,0 +1,62 @@ +run "three_tier" { + module { + source = "./tests/module" + } + + variables { + project_domain = "default" + project_tags = ["cloud", "test", "tofu"] + architecture_tiers = 3 + create_application_subnetpool = true + application_subnetpool_cidr_blocks = ["10.10.128.0/17"] + create_database_subnetpool = true + database_subnetpool_cidr_blocks = ["192.168.0.0/16"] + frontend_subnet_prefix_len = 24 + backend_subnet_prefix_len = 24 + database_subnet_prefix_len = 24 + public_nameservers = ["9.9.9.9", "9.9.9.10"] + create_default_secgroups = true + database_secgroup_strict = false + attach_to_external = true + } + + assert { + condition = alltrue([for i in module.landing_zone.apps_subnetpool[0].prefixes : can(cidrhost(i, 0))]) + error_message = "The application subnetpool was not created successfully" + } + + assert { + condition = alltrue([for i in module.landing_zone.database_subnetpool[0].prefixes : can(cidrhost(i, 0))]) + error_message = "The database subnetpool was not created successfully" + } + + assert { + condition = can(regex("^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$", module.landing_zone.frontend_network[0].id)) + error_message = "The frontend network was not created successfully" + } + + assert { + condition = can(regex("^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$", module.landing_zone.backend_network[0].id)) + error_message = "The backend network was not created successfully" + } + + assert { + condition = can(regex("^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$", module.landing_zone.database_network[0].id)) + error_message = "The database network was not created successfully" + } + + assert { + condition = can(regex("^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$", module.landing_zone.frontend_subnet[0].id)) + error_message = "The frontend subnet was not created successfully" + } + + assert { + condition = 
can(regex("^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$", module.landing_zone.backend_subnet[0].id)) + error_message = "The backend subnet was not created successfully" + } + + assert { + condition = can(regex("^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$", module.landing_zone.database_subnet[0].id)) + error_message = "The database subnet was not created successfully" + } +} diff --git a/tests/two_tier.tftest.hcl b/tests/two_tier.tftest.hcl new file mode 100644 index 0000000..d71b500 --- /dev/null +++ b/tests/two_tier.tftest.hcl 
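Review bot: Across the three new tftest files `create_application_subnetpool` and `create_database_subnetpool` are either equal (both `true` here) or the database tier is absent, so a module-side mix-up between the two flags would pass this suite; the main.tf hunk earlier on this page selects the database subnet's `subnetpool_id` on `var.create_application_subnetpool`, which looks like exactly that kind of mix-up and would not be caught. A variant with `create_application_subnetpool = true`, `create_database_subnetpool = false` and an explicit `database_subnetpool_id` would cover it. The same coverage gap applies to tests/one_tier.tftest.hcl and tests/two_tier.tftest.hcl.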
@@ -0,0 +1,60 @@ +run "two_tier" { + module { + source = "./tests/module" + } + + variables { + project_domain = "default" + project_tags = ["cloud", "test", "tofu"] + architecture_tiers = 2 + create_application_subnetpool = true + application_subnetpool_cidr_blocks = ["10.10.128.0/17"] + create_database_subnetpool = false + frontend_subnet_prefix_len = 24 + backend_subnet_prefix_len = 24 + public_nameservers = ["9.9.9.9", "9.9.9.10"] + create_default_secgroups = true + database_secgroup_strict = false + attach_to_external = true + } + + assert { + condition = alltrue([for i in module.landing_zone.apps_subnetpool[0].prefixes : can(cidrhost(i, 0))]) + error_message = "The application subnetpool does not seem correct" + } + + assert { + condition = module.landing_zone.database_subnetpool == null + error_message = "The database subnetpool does not seem correct" + } + + assert { + condition = can(regex("^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$", module.landing_zone.frontend_network[0].id)) + error_message = "The frontend network was not created successfully" + } + + assert { + condition = can(regex("^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$", module.landing_zone.backend_network[0].id)) + error_message = "The backend network was not created successfully" + } + + assert { + condition = module.landing_zone.database_network == null + error_message = "The database network is not null" + } + + assert { + condition = can(regex("^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$", module.landing_zone.frontend_subnet[0].id)) + error_message = "The frontend subnet was not created successfully" + } + + assert { + condition = can(regex("^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$", module.landing_zone.backend_subnet[0].id)) + error_message = "The backend subnet was not created successfully" + } + + assert { + condition = 
module.landing_zone.database_subnet == null + error_message = "The database subnet is not null" + } +} diff --git a/variables.tf b/variables.tf index f5da099..6a3fddf 100644 --- a/variables.tf +++ b/variables.tf @@ -41,22 +41,40 @@ variable "architecture_tiers" { } } -#! subnetpool creation -variable "create_subnetpool" { +#! subnetpools creation +variable "create_application_subnetpool" { type = bool - description = "Whether the module should create a subnet pool for this project, or use an existing one." + description = "Whether the module should create an application subnet pool for this project, or use an existing one." default = true } -variable "subnetpool_cidr_blocks" { +variable "application_subnetpool_cidr_blocks" { type = list(string) - description = "The CIDR block for the subnet pool" + description = "The CIDR blocks for the application subnet pool" default = ["192.168.0.0/21"] validation { condition = alltrue([ - for i in var.subnetpool_cidr_blocks : can(cidrhost(i, 0)) + for i in var.application_subnetpool_cidr_blocks : can(cidrhost(i, 0)) ]) - error_message = "The subnetpool_cidr_blocks must be a valid IPv4 CIDR" + error_message = "The application_subnetpool_cidr_blocks must be a valid IPv4 CIDR" + } +} + +variable "create_database_subnetpool" { + type = bool + description = "Whether the module should create a database subnet pool for this project, or use an existing one." + default = true +} + +variable "database_subnetpool_cidr_blocks" { + type = list(string) + description = "The CIDR blocks for the database subnet pool" + default = ["192.168.8.0/23"] + validation { + condition = alltrue([ + for i in var.database_subnetpool_cidr_blocks : can(cidrhost(i, 0)) + ]) + error_message = "The database_subnetpool_cidr_blocks must be a valid IPv4 CIDR" } } 
@@ -152,7 +170,7 @@ locals { } #! subnetpool variables & validation -variable "public_subnetpool_id" { +variable "application_subnetpool_id" { type = string description = <<-EOT The id of the subnetpool to create the public (first 2 tier) networks from. @@ -171,14 +189,14 @@ variable "database_subnetpool_id" { } locals { - validate_public_subnetpool_ids = ( + validate_application_subnetpool_ids = ( var.architecture_tiers > 0 && - var.create_subnetpool == false && - var.public_subnetpool_id == null + var.create_application_subnetpool == false && + var.application_subnetpool_id == null ) ? tobool("You have to either create or specify an existing subnetpool to create the public subnets from") : true validate_database_subnetpool_ids = ( var.architecture_tiers > 2 && - var.create_subnetpool == false && + var.create_database_subnetpool == false && var.database_subnetpool_id == null ) ? tobool("You have to either create or specify an existing subnetpool to create the database subnets from") : true } From 4d9f46876eb1ca4cf88baee75a034da955d94ba1 Mon Sep 17 00:00:00 2001 From: Bertrand Lanson Date: Mon, 9 Sep 2024 20:45:32 +0200 Subject: [PATCH 08/13] fix: add readme for test module --- tests/module/README.md | 57 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 57 insertions(+) create mode 100644 tests/module/README.md diff --git a/tests/module/README.md b/tests/module/README.md new file mode 100644 index 0000000..1affb25 --- /dev/null +++ b/tests/module/README.md 
@@ -0,0 +1,57 @@ +# module + + +### Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement_terraform) | >= 1.0.0 | +| [openstack](#requirement_openstack) | ~> 2.1.0 | + +### Providers + +| Name | Version | +|------|---------| +| [openstack](#provider_openstack) | ~> 2.1.0 | +| [vault](#provider_vault) | n/a | + +### Modules + +| Name | Source | Version | +|------|--------|---------| +| [landing_zone](#module_landing_zone) | ../../ | n/a | + +### Resources + +| Name | Type | +|------|------| +| [openstack_networking_network_v2.ext_floating](https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/data-sources/networking_network_v2) | data source | +| [vault_kv_secret_v2.openstack_provider_project_info](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/data-sources/kv_secret_v2) | data source | +| [vault_kv_secret_v2.openstack_provider_project_user](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/data-sources/kv_secret_v2) | data source | +| [vault_kv_secret_v2.openstack_provider_region](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/data-sources/kv_secret_v2) | data source | + +### Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [application_subnetpool_cidr_blocks](#input_application_subnetpool_cidr_blocks) | The CIDR blocks for the application subnet pool | `list(string)` |
[
"192.168.0.0/21"
]
| no | +| [application_subnetpool_id](#input_application_subnetpool_id) | The id of the subnetpool to create the public (first 2 tier) networks from.
Since this module can route private subnets to the backbone, it needs to make sure it's not creating overlapping subnets. | `string` | `null` | no | +| [architecture_tiers](#input_architecture_tiers) | The type of architecture.
Can be either 0, 1, 2 or 3.
Tier 0 will not create any subnets or networks.
Tier 1 will only create a single frontend subnet.
Tier 2 will create a frontend and backend subnet.
Tier 3 will create a frontend, backend and database subnet. | `number` | `1` | no | +| [attach_to_external](#input_attach_to_external) | Whether the frontend subnet should be routed or not to the external LAN.
This options implies that you have sufficient permissions to configure static route on the backbone infrastructure.
This will create an static route entry in the route table of the backbone router, in order to make your project available from the outside. | `bool` | `false` | no | +| [backend_subnet_prefix_len](#input_backend_subnet_prefix_len) | The prefix length of the backend subnet. Must be between 20 and 32. | `number` | `24` | no | +| [create_application_subnetpool](#input_create_application_subnetpool) | Whether the module should create an application subnet pool for this project, or use an existing one. | `bool` | `true` | no | +| [create_database_subnetpool](#input_create_database_subnetpool) | Whether the module should create a database subnet pool for this project, or use an existing one. | `bool` | `true` | no | +| [create_default_secgroups](#input_create_default_secgroups) | Whether to create default security groups or not.
Depending on your choice of architecture tiering, will create security groups so that each tier can connect to the one below.
Security groups for the database tier will be created for mariadb, postgresql and redis.
A default security group allowing ssh connection will also be created. | `bool` | `false` | no | +| [database_secgroup_strict](#input_database_secgroup_strict) | Defines whether the security groups for the database network should be strict.
In strict mode, egress is only allowed to the backend network. | `bool` | `false` | no | +| [database_subnet_prefix_len](#input_database_subnet_prefix_len) | The prefix length of the database subnet. Must be between 24 and 32. | `number` | `24` | no | +| [database_subnetpool_cidr_blocks](#input_database_subnetpool_cidr_blocks) | The CIDR blocks for the database subnet pool | `list(string)` |
[
"192.168.8.0/23"
]
| no | +| [database_subnetpool_id](#input_database_subnetpool_id) | The id of the subnetpool to create the databse network from.
Since this module can route private subnets to the backbone, it needs to make sure it's not creating overlapping subnets. | `string` | `null` | no | +| [frontend_subnet_prefix_len](#input_frontend_subnet_prefix_len) | The prefix length of the frontend subnet. Must be between 20 and 32. | `number` | `24` | no | +| [project_domain](#input_project_domain) | The domain where this project will be created | `string` | `"default"` | no | +| [project_tags](#input_project_tags) | The tags to append to this project | `list(string)` | `[]` | no | +| [public_nameservers](#input_public_nameservers) | A list of public DNS servers to upstreams requests to in your subnets.
This is not necessary if your openstack deployment already has configured default upstreams for neutron. | `list(string)` | `[]` | no | + +### Outputs + +No outputs. + From 331752707d794d609e90782af75ff49aeba0abf3 Mon Sep 17 00:00:00 2001 From: Bertrand Lanson Date: Mon, 9 Sep 2024 20:51:06 +0200 Subject: [PATCH 09/13] ci: add tests --- .gitea/workflows/development.yml | 4 +-- .gitea/workflows/pull-request-open.yml | 42 ++++++++++++++++++++++++-- .gitea/workflows/release.yml | 6 ++-- 3 files changed, 44 insertions(+), 8 deletions(-) diff --git a/.gitea/workflows/development.yml b/.gitea/workflows/development.yml index bfba126..19cb03e 100644 --- a/.gitea/workflows/development.yml +++ b/.gitea/workflows/development.yml @@ -16,11 +16,11 @@ jobs: - name: Install commitizen run: pip3 install commitizen shell: bash - working-directory: ./ + working-directory: ${{ gitea.workspace }} - name: Verify commit message compliance run: | echo "cz check --message '${{ github.event.head_commit.message }}'" cz check --message "${{ github.event.head_commit.message }}" shell: bash - working-directory: ./ + working-directory: ${{ gitea.workspace }} diff --git a/.gitea/workflows/pull-request-open.yml b/.gitea/workflows/pull-request-open.yml index 675edc9..8a198d3 100644 --- a/.gitea/workflows/pull-request-open.yml +++ b/.gitea/workflows/pull-request-open.yml @@ -41,9 +41,6 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 - with: - ref: ${{ github.event.pull_request.head.sha }} - fetch-depth: 0 - name: Install pre-commit run: pip3 install pre-commit 
@@ -76,3 +73,42 @@ jobs: run: pre-commit run --all shell: bash working-directory: ${{ gitea.workspace }} + + end-to-end-tests: + name: Run E2E tofu tests + runs-on: ubuntu-latest + needs: pre-commit-check + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Install required packages + run: | + export DEBIAN_FRONTEND=noninteractive + sudo apt update + sudo apt install -y curl jq + + curl https://vault.ednz.fr/v1/ednz-root-ca/ca -o /tmp/ednz_ca + openssl x509 -inform DER -in /tmp/ednz_ca -out /usr/local/share/ca-certificates/ednz_ca.crt -outform pem + update-ca-certificates + + - name: Install OpenTofu + uses: opentofu/setup-opentofu@v1 + with: + tofu_version: 1.8.2 + + - name: Get required credentials + id: tofu-auth + run: | + VAULT_TOKEN=$(curl --silent --request POST --data '{"role_id": "${{ steps.import-secrets.outputs.VAULT_INFRABUILDER_APPROLE_ID }}","secret_id": "${{ steps.import-secrets.outputs.VAULT_INFRABUILDER_APPROLE_SECRET_ID }}"}' https://vault.ednz.fr/v1/auth/approle/login | jq -r .auth.client_token) + echo "vault_token=$VAULT_TOKEN" >> $GITHUB_OUTPUT + + - name: Tofu init + run: tofu init + shell: bash + working-directory: ${{ gitea.workspace }} + + - name: Tofu test + run: tofu test + shell: bash + working-directory: ${{ gitea.workspace }} diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml index c72fc74..472ddaa 100644 --- a/.gitea/workflows/release.yml +++ b/.gitea/workflows/release.yml @@ -32,7 +32,7 @@ jobs: - name: Install commitizen run: pip3 install commitizen shell: bash - working-directory: ./ + working-directory: ${{ gitea.workspace }} - name: Configure git credentials uses: oleksiyrudenko/gha-git-credentials@v2 @@ -46,9 +46,9 @@ jobs: - name: Do release run: cz -nr 21 bump --yes shell: bash - working-directory: ./ + working-directory: ${{ gitea.workspace }} - name: Push release run: git push && git push --tags shell: bash - working-directory: ./ + working-directory: ${{ gitea.workspace }} 
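Review bot: In the new `end-to-end-tests` job the Vault token obtained in `Get required credentials` is written to `$GITHUB_OUTPUT` without being registered as a secret, so any later step that prints its environment would expose it in the job log; add `echo "::add-mask::$VAULT_TOKEN"` before the `echo "vault_token=..."` line, and `set -euo pipefail` at the top of that script so a failed login does not silently yield an empty or `null` token. Both AppRole values are passed inside `--data '{...}'`, which places them in the curl command line where any other process on the runner can read them; feeding the JSON via `--data @-` from stdin avoids that, and the same applies to the rewritten line in the PATCH 12/13 hunk below. The `Install required packages` step uses `sudo` for apt but writes `/usr/local/share/ca-certificates/ednz_ca.crt` and runs `update-ca-certificates` without it, which presumably only works because the runner already runs as root — worth making consistent. `steps.import-secrets` is not defined in this job as of this commit, which the PATCH 12/13 commit later addresses. Since the workflow triggers on `pull_request` `synchronize`, every push to an open PR provisions real OpenStack resources with repository secrets; if the repository accepts PRs from forks, this job should sit behind whatever approval or environment gating the forge provides.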
From 19c2032afa3dcd7be43eb482d0f1bc4239c90a8e Mon Sep 17 00:00:00 2001 From: Bertrand Lanson Date: Mon, 9 Sep 2024 20:54:43 +0200 Subject: [PATCH 10/13] ci: fix unauthorized issue on e2e testS
--- .gitea/workflows/pull-request-open.yml | 2 ++ tests/two_tier.tftest.hcl | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/.gitea/workflows/pull-request-open.yml b/.gitea/workflows/pull-request-open.yml
index 8a198d3..ddbadf6 100644
--- a/.gitea/workflows/pull-request-open.yml
+++ b/.gitea/workflows/pull-request-open.yml
@@ -112,3 +112,5 @@ jobs:
 run: tofu test
 shell: bash
 working-directory: ${{ gitea.workspace }}
+ env:
+ VAULT_TOKEN: ${{ steps.tofu-auth.outputs.vault_token }}
diff --git a/tests/two_tier.tftest.hcl b/tests/two_tier.tftest.hcl
index d71b500..b2d7dad 100644
--- a/tests/two_tier.tftest.hcl
+++ b/tests/two_tier.tftest.hcl
@@ -25,7 +25,7 @@ run "two_tier" {
 assert {
 condition = module.landing_zone.database_subnetpool == null
- error_message = "The database subnetpool does not seem correct"
+ error_message = "The database subnetpool is not null"
 }
 assert {
From 7a8ff6341ad5b32067c202db0b0a862f5558d55b Mon Sep 17 00:00:00 2001 From: Bertrand Lanson Date: Tue, 10 Sep 2024 18:51:03 +0200 Subject: [PATCH 11/13] ci: fix credentials for tofu test stage
--- .gitea/workflows/pull-request-open.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.gitea/workflows/pull-request-open.yml b/.gitea/workflows/pull-request-open.yml
index ddbadf6..8f7079e 100644
--- a/.gitea/workflows/pull-request-open.yml
+++ b/.gitea/workflows/pull-request-open.yml
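Review bot: The `VAULT_TOKEN` env added to the `Tofu test` step reaches the Vault provider at plan/apply time, which is where it is needed, but the token is never revoked when the job ends, so an AppRole token carrying the infrabuilder rights stays valid for its full TTL after every PR run. A final step with `if: always()` that runs `curl --silent --request POST --header "X-Vault-Token: $VAULT_TOKEN" https://vault.ednz.fr/v1/auth/token/revoke-self` limits the token's life to the job's duration. The `Tofu init` step two lines up does not receive the env, which is fine as long as no provider configuration is evaluated at init; a short comment stating that would save the next reader from adding it there too.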
@@ -100,7 +100,7 @@ jobs:
 - name: Get required credentials
 id: tofu-auth
 run: |
- VAULT_TOKEN=$(curl --silent --request POST --data '{"role_id": "${{ steps.import-secrets.outputs.VAULT_INFRABUILDER_APPROLE_ID }}","secret_id": "${{ steps.import-secrets.outputs.VAULT_INFRABUILDER_APPROLE_SECRET_ID }}"}' https://vault.ednz.fr/v1/auth/approle/login | jq -r .auth.client_token)
+ VAULT_TOKEN=$(curl --silent --request POST --data '{"role_id": "${{ secrets.VAULT_APPROLE_ID }}","secret_id": "${{ secrets.VAULT_APPROLE_SECRET_ID }}"}' https://vault.ednz.fr/v1/auth/approle/login | jq -r .auth.client_token)
 echo "vault_token=$VAULT_TOKEN" >> $GITHUB_OUTPUT
 - name: Tofu init
From ce9b851217554cd036ad3da7520d49937616042a Mon Sep 17 00:00:00 2001 From: Bertrand Lanson Date: Tue, 10 Sep 2024 18:55:49 +0200 Subject: [PATCH 12/13] ci: fix credentials for tofu test stage
--- .gitea/workflows/pull-request-open.yml | 14 +++++++++++++- README.md | 9 +++++++-- 2 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/.gitea/workflows/pull-request-open.yml b/.gitea/workflows/pull-request-open.yml
index 8f7079e..af6d4fd 100644
--- a/.gitea/workflows/pull-request-open.yml
+++ b/.gitea/workflows/pull-request-open.yml
@@ -97,10 +97,22 @@ jobs: with: tofu_version: 1.8.2 + - name: Get secrets from vault + id: import-secrets + uses: hashicorp/vault-action@v3 + with: + url: "https://vault.ednz.fr" + method: approle + roleId: ${{ secrets.VAULT_APPROLE_ID }} + secretId: ${{ secrets.VAULT_APPROLE_SECRET_ID }} + secrets: | + kv/data/cicd/vault/infrabuilder approle_id | VAULT_INFRABUILDER_APPROLE_ID ; + kv/data/cicd/vault/infrabuilder approle_secret_id | VAULT_INFRABUILDER_APPROLE_SECRET_ID ; + - name: Get required credentials id: tofu-auth run: | - VAULT_TOKEN=$(curl --silent --request POST --data '{"role_id": "${{ secrets.VAULT_APPROLE_ID }}","secret_id": "${{ secrets.VAULT_APPROLE_SECRET_ID }}"}' https://vault.ednz.fr/v1/auth/approle/login | jq -r .auth.client_token) + VAULT_TOKEN=$(curl --silent --request POST --data '{"role_id": "${{ steps.import-secrets.outputs.VAULT_INFRABUILDER_APPROLE_ID }}","secret_id": "${{ steps.import-secrets.outputs.VAULT_INFRABUILDER_APPROLE_SECRET_ID }}"}' https://vault.ednz.fr/v1/auth/approle/login | jq -r .auth.client_token) echo "vault_token=$VAULT_TOKEN" >> $GITHUB_OUTPUT - name: Tofu init diff --git a/README.md b/README.md index 7b8a6b3..5a92084 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,11 @@ -# terraform-openstack-lz +# terraform-openstack-landing-zone + +Terraform/OpenTofu module to deploy a completely customizable OpenStack network architecture. + +![Terraform Badge](https://img.shields.io/badge/Terraform-844FBA?logo=terraform&logoColor=fff&style=for-the-badge) +![OpenTofu Badge](https://img.shields.io/badge/OpenTofu-FFDA18?logo=opentofu&logoColor=000&style=for-the-badge) +![OpenStack Badge](https://img.shields.io/badge/OpenStack-ED1944?logo=openstack&logoColor=fff&style=for-the-badge) -Terraform module to deploy a completely customizable OpenStack ### Requirements From 9c0377337802d5b5262c77e56f0b21078cf44d4d Mon Sep 17 00:00:00 2001 
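Review bot: `hashicorp/vault-action` exports every fetched secret as an environment variable by default (`exportEnv`), so the infrabuilder `approle_id`/`approle_secret_id` become visible to every later step in the job even though only `steps.import-secrets.outputs.*` are consumed; add `exportEnv: false` under the step's `with:`. The same two values are then spliced into the shell script text of the `Get required credentials` step through `${{ }}`, so the runner expands them before bash or curl ever see them, and the JSON body is only well-formed as long as the secret material contains no quote or brace characters. Passing them through `env:` and letting `jq` build the request body keeps the script text constant regardless of the values, as in the rewrite below. Whether the two AppRoles are meant to be chained like this (one AppRole fetching the credentials of another) is not visible from the hunk; if the workflow's own AppRole could carry the Vault policy the tests need, the second login would be unnecessary.

```yaml
      - name: Get secrets from vault
        id: import-secrets
        uses: hashicorp/vault-action@v3
        with:
          # … unchanged: url, method, roleId, secretId, secrets …
          exportEnv: false

      - name: Get required credentials
        id: tofu-auth
        env:
          ROLE_ID: ${{ steps.import-secrets.outputs.VAULT_INFRABUILDER_APPROLE_ID }}
          SECRET_ID: ${{ steps.import-secrets.outputs.VAULT_INFRABUILDER_APPROLE_SECRET_ID }}
        run: |
          VAULT_TOKEN=$(jq -n --arg role_id "$ROLE_ID" --arg secret_id "$SECRET_ID" '{role_id: $role_id, secret_id: $secret_id}' | curl --silent --request POST --data @- https://vault.ednz.fr/v1/auth/approle/login | jq -r .auth.client_token)
          echo "vault_token=$VAULT_TOKEN" >> $GITHUB_OUTPUT
      # … unchanged: Tofu init step …
```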
From: Bertrand Lanson Date: Tue, 10 Sep 2024 19:12:49 +0200 Subject: [PATCH 13/13] docs: update variable description to better reflect its meaning --- README.md | 2 +- tests/module/README.md | 2 +- tests/module/variables.tf | 5 ++--- variables.tf | 5 ++--- 4 files changed, 6 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 5a92084..3181faf 100644 --- a/README.md +++ b/README.md @@ -59,7 +59,7 @@ No modules. | [application_subnetpool_cidr_blocks](#input_application_subnetpool_cidr_blocks) | The CIDR blocks for the application subnet pool | `list(string)` |
[
"192.168.0.0/21"
]
| no | | [application_subnetpool_id](#input_application_subnetpool_id) | The id of the subnetpool to create the public (first 2 tier) networks from.
Since this module can route private subnets to the backbone, it needs to make sure it's not creating overlapping subnets. | `string` | `null` | no | | [architecture_tiers](#input_architecture_tiers) | The type of architecture.
Can be either 0, 1, 2 or 3.
Tier 0 will not create any subnets or networks.
Tier 1 will only create a single frontend subnet.
Tier 2 will create a frontend and backend subnet.
Tier 3 will create a frontend, backend and database subnet. | `number` | `1` | no | -| [attach_to_external](#input_attach_to_external) | Whether the frontend subnet should be routed or not to the external LAN.
This options implies that you have sufficient permissions to configure static route on the backbone infrastructure.
This will create an static route entry in the route table of the backbone router, in order to make your project available from the outside. | `bool` | `false` | no | +| [attach_to_external](#input_attach_to_external) | Whether to attach the router to an external network.
This will add a gateway interface to the router, and possibly consume a public IP address which might be billed by your cloud provider. | `bool` | `false` | no | | [backend_subnet_prefix_len](#input_backend_subnet_prefix_len) | The prefix length of the backend subnet. Must be between 20 and 32. | `number` | `24` | no | | [create_application_subnetpool](#input_create_application_subnetpool) | Whether the module should create an application subnet pool for this project, or use an existing one. | `bool` | `true` | no | | [create_database_subnetpool](#input_create_database_subnetpool) | Whether the module should create a database subnet pool for this project, or use an existing one. | `bool` | `true` | no | diff --git a/tests/module/README.md b/tests/module/README.md index 1affb25..39d0f93 100644 --- a/tests/module/README.md +++ b/tests/module/README.md @@ -37,7 +37,7 @@ | [application_subnetpool_cidr_blocks](#input_application_subnetpool_cidr_blocks) | The CIDR blocks for the application subnet pool | `list(string)` |
[
"192.168.0.0/21"
]
| no | | [application_subnetpool_id](#input_application_subnetpool_id) | The id of the subnetpool to create the public (first 2 tier) networks from.
Since this module can route private subnets to the backbone, it needs to make sure it's not creating overlapping subnets. | `string` | `null` | no | | [architecture_tiers](#input_architecture_tiers) | The type of architecture.
Can be either 0, 1, 2 or 3.
Tier 0 will not create any subnets or networks.
Tier 1 will only create a single frontend subnet.
Tier 2 will create a frontend and backend subnet.
Tier 3 will create a frontend, backend and database subnet. | `number` | `1` | no | -| [attach_to_external](#input_attach_to_external) | Whether the frontend subnet should be routed or not to the external LAN.
This options implies that you have sufficient permissions to configure static route on the backbone infrastructure.
This will create an static route entry in the route table of the backbone router, in order to make your project available from the outside. | `bool` | `false` | no | +| [attach_to_external](#input_attach_to_external) | Whether to attach the router to an external network.
This will add a gateway interface to the router, and possibly consume a public IP address which might be billed by your cloud provider. | `bool` | `false` | no | | [backend_subnet_prefix_len](#input_backend_subnet_prefix_len) | The prefix length of the backend subnet. Must be between 20 and 32. | `number` | `24` | no | | [create_application_subnetpool](#input_create_application_subnetpool) | Whether the module should create an application subnet pool for this project, or use an existing one. | `bool` | `true` | no | | [create_database_subnetpool](#input_create_database_subnetpool) | Whether the module should create a database subnet pool for this project, or use an existing one. | `bool` | `true` | no | diff --git a/tests/module/variables.tf b/tests/module/variables.tf index bdb6bc1..89032c6 100644 --- a/tests/module/variables.tf +++ b/tests/module/variables.tf @@ -162,9 +162,8 @@ variable "database_subnetpool_id" { variable "attach_to_external" { type = bool description = <<-EOT - Whether the frontend subnet should be routed or not to the external LAN. - This options implies that you have sufficient permissions to configure static route on the backbone infrastructure. - This will create an static route entry in the route table of the backbone router, in order to make your project available from the outside. + Whether to attach the router to an external network. + This will add a gateway interface to the router, and possibly consume a public IP address which might be billed by your cloud provider. EOT default = false } diff --git a/variables.tf b/variables.tf index 6a3fddf..648d06b 100644 --- a/variables.tf +++ b/variables.tf 
@@ -205,9 +205,8 @@ locals {
 variable "attach_to_external" {
 type = bool
 description = <<-EOT
- Whether the frontend subnet should be routed or not to the external LAN.
- This options implies that you have sufficient permissions to configure static route on the backbone infrastructure.
- This will create an static route entry in the route table of the backbone router, in order to make your project available from the outside.
+ Whether to attach the router to an external network.
+ This will add a gateway interface to the router, and possibly consume a public IP address which might be billed by your cloud provider.
 EOT
 default = false
 }