Compare commits

..

No commits in common. "01650d19d2ea80f17187ec8a9cb0df32c0cb3357" and "e004ae7f243a6ec7ab18ab8429ee7225c260e38d" have entirely different histories.

5 changed files with 1 additions and 600 deletions

View File

@ -1,19 +0,0 @@
repos:
- repo: https://github.com/antonbabenko/pre-commit-terraform
rev: v1.86.0
hooks:
- id: terraform_fmt
- id: terraform_docs
args:
- "--hook-config=--path-to-file=README.md"
- "--hook-config=--add-to-existing-file=true"
- "--hook-config=--create-file-if-not-exist=true"
- "--args=--escape=false"
- "--args=--lockfile=false"
- "--args=--indent 3"
- "--args=--show all"
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.5.0
hooks:
- id: trailing-whitespace
- id: end-of-file-fixer

View File

@ -1,82 +1,3 @@
# terraform-openstack-lz
Terraform module to deploy a completely customizable OpenStack
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
### Requirements
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement_terraform) | >= 1.0.0 |
### Providers
| Name | Version |
|------|---------|
| <a name="provider_openstack"></a> [openstack](#provider_openstack) | n/a |
### Modules
No modules.
### Resources
| Name | Type |
|------|------|
| [openstack_networking_network_v2.backend](https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/networking_network_v2) | resource |
| [openstack_networking_network_v2.database](https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/networking_network_v2) | resource |
| [openstack_networking_network_v2.frontend](https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/networking_network_v2) | resource |
| [openstack_networking_router_interface_v2.backend](https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/networking_router_interface_v2) | resource |
| [openstack_networking_router_interface_v2.database](https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/networking_router_interface_v2) | resource |
| [openstack_networking_router_interface_v2.frontend](https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/networking_router_interface_v2) | resource |
| [openstack_networking_router_v2.this](https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/networking_router_v2) | resource |
| [openstack_networking_secgroup_rule_v2.backend_egress](https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/networking_secgroup_rule_v2) | resource |
| [openstack_networking_secgroup_rule_v2.backend_ingress](https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/networking_secgroup_rule_v2) | resource |
| [openstack_networking_secgroup_rule_v2.database_egress](https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/networking_secgroup_rule_v2) | resource |
| [openstack_networking_secgroup_rule_v2.database_ingress](https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/networking_secgroup_rule_v2) | resource |
| [openstack_networking_secgroup_rule_v2.frontend_egress](https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/networking_secgroup_rule_v2) | resource |
| [openstack_networking_secgroup_rule_v2.frontend_ingress](https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/networking_secgroup_rule_v2) | resource |
| [openstack_networking_secgroup_v2.backend](https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/networking_secgroup_v2) | resource |
| [openstack_networking_secgroup_v2.database](https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/networking_secgroup_v2) | resource |
| [openstack_networking_secgroup_v2.frontend](https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/networking_secgroup_v2) | resource |
| [openstack_networking_subnet_v2.backend](https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/networking_subnet_v2) | resource |
| [openstack_networking_subnet_v2.database](https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/networking_subnet_v2) | resource |
| [openstack_networking_subnet_v2.frontend](https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/networking_subnet_v2) | resource |
| [openstack_networking_subnetpool_v2.this](https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/networking_subnetpool_v2) | resource |
| [openstack_identity_project_v3.this](https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/data-sources/identity_project_v3) | data source |
### Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_architecture_tiers"></a> [architecture_tiers](#input_architecture_tiers) | The type of architecture.<br>Can be either 0, 1, 2 or 3.<br>Tier 0 will not create any subnets or networks.<br>Tier 1 will only create a single frontend subnet.<br>Tier 2 will create a frontend and backend subnet.<br>Tier 3 will create a frontend, backend and database subnet. | `number` | `1` | no |
| <a name="input_attach_to_external"></a> [attach_to_external](#input_attach_to_external) | Whether the frontend subnet should be routed or not to the external LAN.<br>This options implies that you have sufficient permissions to configure static route on the backbone infrastructure.<br>This will create an static route entry in the route table of the backbone router, in order to make your project available from the outside. | `bool` | `false` | no |
| <a name="input_backend_subnet_prefix_len"></a> [backend_subnet_prefix_len](#input_backend_subnet_prefix_len) | The prefix length of the backend subnet. Must be between 20 and 32. | `number` | `24` | no |
| <a name="input_create_default_secgroups"></a> [create_default_secgroups](#input_create_default_secgroups) | Whether to create default security groups or not.<br>Depending on your choice of architecture tiering, will create security groups so that each tier can connect to the one below.<br>Security groups for the database tier will be created for mariadb, postgresql and redis.<br>A default security group allowing ssh connection will also be created. | `bool` | `false` | no |
| <a name="input_create_subnetpool"></a> [create_subnetpool](#input_create_subnetpool) | Whether the module should create a subnet pool for this project, or use an existing one. | `bool` | `true` | no |
| <a name="input_database_secgroup_strict"></a> [database_secgroup_strict](#input_database_secgroup_strict) | Defines whether the security groups for the database network should be strict.<br>In strict mode, egress is only allowed to the backend network. | `bool` | `false` | no |
| <a name="input_database_subnet_prefix_len"></a> [database_subnet_prefix_len](#input_database_subnet_prefix_len) | The prefix length of the database subnet. Must be between 24 and 32. | `number` | `24` | no |
| <a name="input_database_subnetpool_id"></a> [database_subnetpool_id](#input_database_subnetpool_id) | The id of the subnetpool to create the databse network from.<br>Since this module can route private subnets to the backbone, it needs to make sure it's not creating overlapping subnets. | `string` | `null` | no |
| <a name="input_external_network_id"></a> [external_network_id](#input_external_network_id) | The id of the external network to connect the frontend router to. | `string` | `null` | no |
| <a name="input_external_subnet_id"></a> [external_subnet_id](#input_external_subnet_id) | The id of the external subnet to connect the frontend router to. | `string` | `null` | no |
| <a name="input_frontend_subnet_prefix_len"></a> [frontend_subnet_prefix_len](#input_frontend_subnet_prefix_len) | The prefix length of the frontend subnet. Must be between 20 and 32. | `number` | `24` | no |
| <a name="input_project_domain"></a> [project_domain](#input_project_domain) | The domain where this project will be created | `string` | `"default"` | no |
| <a name="input_project_name"></a> [project_name](#input_project_name) | The name of the project | `string` | n/a | yes |
| <a name="input_project_tags"></a> [project_tags](#input_project_tags) | The tags to append to this project | `list(string)` | `[]` | no |
| <a name="input_public_subnetpool_id"></a> [public_subnetpool_id](#input_public_subnetpool_id) | The id of the subnetpool to create the public (first 2 tier) networks from.<br>Since this module can route private subnets to the backbone, it needs to make sure it's not creating overlapping subnets. | `string` | `null` | no |
| <a name="input_subnetpool_cidr_blocks"></a> [subnetpool_cidr_blocks](#input_subnetpool_cidr_blocks) | The CIDR block for the subnet pool | `list(string)` | <pre>[<br> "192.168.0.0/21"<br>]</pre> | no |
### Outputs
| Name | Description |
|------|-------------|
| <a name="output_backend_network"></a> [backend_network](#output_backend_network) | description |
| <a name="output_backend_secgroups"></a> [backend_secgroups](#output_backend_secgroups) | description |
| <a name="output_backend_subnet"></a> [backend_subnet](#output_backend_subnet) | description |
| <a name="output_database_network"></a> [database_network](#output_database_network) | description |
| <a name="output_database_secgroups"></a> [database_secgroups](#output_database_secgroups) | description |
| <a name="output_database_subnets"></a> [database_subnets](#output_database_subnets) | description |
| <a name="output_frontend_network"></a> [frontend_network](#output_frontend_network) | description |
| <a name="output_frontend_secgroups"></a> [frontend_secgroups](#output_frontend_secgroups) | description |
| <a name="output_frontend_subnet"></a> [frontend_subnet](#output_frontend_subnet) | description |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

228
main.tf
View File

@ -1,228 +0,0 @@
terraform {
# version requirements
required_version = ">= 1.0.0"
# providers requirements
required_providers {
openstack = {
source = "terraform-provider-openstack/openstack"
}
}
}
#! data sources
data "openstack_identity_project_v3" "this" {
name = var.project_name
domain_id = var.project_domain
}
#! subnetpools
resource "openstack_networking_subnetpool_v2" "this" {
count = var.create_subnetpool ? 1 : 0
name = "${var.project_name}-subnetpool"
is_default = true
ip_version = 4
prefixes = var.subnetpool_cidr_blocks
}
#! networks & subnets
resource "openstack_networking_network_v2" "frontend" {
count = var.architecture_tiers > 0 ? 1 : 0
name = "${var.project_name}-frontend-network"
description = "Terraform managed."
tenant_id = data.openstack_identity_project_v3.this.id
shared = false
admin_state_up = "true"
mtu = 1450
}
resource "openstack_networking_network_v2" "backend" {
count = var.architecture_tiers > 1 ? 1 : 0
name = "${var.project_name}-backend-network"
description = "Terraform managed."
tenant_id = data.openstack_identity_project_v3.this.id
shared = false
admin_state_up = "true"
mtu = 1450
}
resource "openstack_networking_network_v2" "database" {
count = var.architecture_tiers == 3 ? 1 : 0
name = "${var.project_name}-database-network"
description = "Terraform managed."
tenant_id = data.openstack_identity_project_v3.this.id
shared = false
admin_state_up = "true"
mtu = 1450
}
resource "openstack_networking_subnet_v2" "frontend" {
count = var.architecture_tiers > 0 ? 1 : 0
name = "${var.project_name}-frontend-subnet-${count.index + 1}"
description = "Terraform managed."
tenant_id = data.openstack_identity_project_v3.this.id
network_id = openstack_networking_network_v2.frontend[0].id
prefix_length = var.frontend_subnet_prefix_len
ip_version = 4
subnetpool_id = var.create_subnetpool ? openstack_networking_subnetpool_v2.this.id : var.public_subnetpool_id
}
resource "openstack_networking_subnet_v2" "backend" {
count = var.architecture_tiers > 1 ? 1 : 0
name = "${var.project_name}-backend-subnet-${count.index + 1}"
description = "Terraform managed."
tenant_id = data.openstack_identity_project_v3.this.id
network_id = openstack_networking_network_v2.backend[0].id
prefix_length = var.backend_subnet_prefix_len
ip_version = 4
subnetpool_id = var.create_subnetpool ? openstack_networking_subnetpool_v2.this.id : var.public_subnetpool_id
}
resource "openstack_networking_subnet_v2" "database" {
count = var.architecture_tiers == 3 ? 1 : 0
name = "${var.project_name}-database-subnet-${count.index + 1}"
description = "Terraform managed."
tenant_id = data.openstack_identity_project_v3.this.id
network_id = openstack_networking_network_v2.database[0].id
prefix_length = var.database_subnet_prefix_len
ip_version = 4
subnetpool_id = var.create_subnetpool ? openstack_networking_subnetpool_v2.this.id : var.database_subnetpool_id
}
#! router
resource "openstack_networking_router_v2" "this" {
count = var.architecture_tiers > 0 ? 1 : 0
name = "${var.project_name}-main-${count.index + 1}"
description = "Terraform managed."
tenant_id = data.openstack_identity_project_v3.this.id
external_network_id = var.attach_to_external ? var.external_network_id : null
admin_state_up = true
}
resource "openstack_networking_router_interface_v2" "frontend" {
count = var.architecture_tiers > 0 ? 1 : 0
router_id = openstack_networking_router_v2.this[0].id
subnet_id = openstack_networking_subnet_v2.frontend[0].id
}
resource "openstack_networking_router_interface_v2" "backend" {
count = var.architecture_tiers > 1 ? 1 : 0
router_id = openstack_networking_router_v2.this[0].id
subnet_id = openstack_networking_subnet_v2.backend[0].id
}
resource "openstack_networking_router_interface_v2" "database" {
count = var.architecture_tiers == 3 ? 1 : 0
router_id = openstack_networking_router_v2.this[0].id
subnet_id = openstack_networking_subnet_v2.database[0].id
}
#! security groups
resource "openstack_networking_secgroup_v2" "frontend" {
count = (
var.architecture_tiers > 0 &&
var.create_default_secgroups
) ? 1 : 0
name = "${var.project_name}-frontend-secgroup"
description = "Terraform managed."
tenant_id = data.openstack_identity_project_v3.this.id
delete_default_rules = true
}
resource "openstack_networking_secgroup_rule_v2" "frontend_egress" {
count = (
var.architecture_tiers > 0 &&
var.create_default_secgroups
) ? 1 : 0
direction = "egress"
ethertype = "IPv4"
remote_ip_prefix = "0.0.0.0/0"
security_group_id = openstack_networking_secgroup_v2.frontend[0].id
}
resource "openstack_networking_secgroup_rule_v2" "frontend_ingress" {
count = (
var.architecture_tiers > 0 &&
var.create_default_secgroups
) ? 1 : 0
direction = "ingress"
ethertype = "IPv4"
remote_ip_prefix = "0.0.0.0/0"
security_group_id = openstack_networking_secgroup_v2.frontend[0].id
}
resource "openstack_networking_secgroup_v2" "backend" {
count = (
var.architecture_tiers > 1 &&
var.create_default_secgroups
) ? 1 : 0
name = "${var.project_name}-backend-secgroup"
description = "Terraform managed."
tenant_id = data.openstack_identity_project_v3.this.id
delete_default_rules = true
}
resource "openstack_networking_secgroup_rule_v2" "backend_egress" {
count = (
var.architecture_tiers > 1 &&
var.create_default_secgroups
) ? 1 : 0
direction = "egress"
ethertype = "IPv4"
remote_ip_prefix = "0.0.0.0/0"
security_group_id = openstack_networking_secgroup_v2.backend[0].id
}
resource "openstack_networking_secgroup_rule_v2" "backend_ingress" {
count = (
var.architecture_tiers > 1 &&
var.create_default_secgroups
) ? 1 : 0
direction = "ingress"
ethertype = "IPv4"
remote_group_id = openstack_networking_secgroup_v2.frontend[0].id
security_group_id = openstack_networking_secgroup_v2.backend[0].id
}
resource "openstack_networking_secgroup_v2" "database" {
count = (
var.architecture_tiers == 3 &&
var.create_default_secgroups
) ? length(local.db_secgroups) : 0
name = "${var.project_name}-database-${local.db_secgroups[count.index].type}-secgroup"
description = "Terraform managed."
tenant_id = data.openstack_identity_project_v3.this.id
delete_default_rules = true
}
resource "openstack_networking_secgroup_rule_v2" "database_egress" {
count = (
var.architecture_tiers == 3 &&
var.create_default_secgroups
) ? length(local.db_secgroups) : 0
direction = "egress"
ethertype = "IPv4"
remote_ip_prefix = "0.0.0.0/0"
security_group_id = openstack_networking_secgroup_v2.database[count.index].id
}
resource "openstack_networking_secgroup_rule_v2" "database_ingress" {
count = (
var.architecture_tiers == 3 &&
var.create_default_secgroups
) ? length(local.db_secgroups) : 0
direction = "ingress"
ethertype = "IPv4"
protocol = "tcp"
port_range_min = local.db_secgroups[count.index].ingress_port
port_range_max = local.db_secgroups[count.index].ingress_port
remote_group_id = openstack_networking_secgroup_v2.backend[0].id
security_group_id = openstack_networking_secgroup_v2.database[count.index].id
}

View File

@ -1,62 +0,0 @@
output "frontend_network" {
value = openstack_networking_network_v2.frontend.*
sensitive = false
description = "description"
depends_on = []
}
output "frontend_subnet" {
value = openstack_networking_subnet_v2.frontend.*
sensitive = false
description = "description"
depends_on = []
}
output "backend_network" {
value = openstack_networking_network_v2.backend.*
sensitive = false
description = "description"
depends_on = []
}
output "backend_subnet" {
value = openstack_networking_subnet_v2.backend.*
sensitive = false
description = "description"
depends_on = []
}
output "database_network" {
value = openstack_networking_network_v2.database.*
sensitive = false
description = "description"
depends_on = []
}
output "database_subnets" {
value = openstack_networking_subnet_v2.database.*
sensitive = false
description = "description"
depends_on = []
}
output "frontend_secgroups" {
value = openstack_networking_secgroup_v2.frontend.*
sensitive = false
description = "description"
depends_on = []
}
output "backend_secgroups" {
value = openstack_networking_secgroup_v2.backend.*
sensitive = false
description = "description"
depends_on = []
}
output "database_secgroups" {
value = openstack_networking_secgroup_v2.database.*
sensitive = false
description = "description"
depends_on = []
}

View File

@ -1,211 +0,0 @@
#! global variables
variable "project_name" {
type = string
description = "The name of the project"
validation {
condition = can(regex("^[0-9A-Za-z-_]+$", var.project_name))
error_message = "For the project_name value only a-z, A-Z, 0-9, - and _ are allowed."
}
}
variable "project_domain" {
type = string
description = "The domain where this project will be created"
default = "default"
}
variable "project_tags" {
type = list(string)
description = "The tags to append to this project"
default = []
}
#! architecture tiering variables
variable "architecture_tiers" {
type = number
description = <<-EOT
The type of architecture.
Can be either 0, 1, 2 or 3.
Tier 0 will not create any subnets or networks.
Tier 1 will only create a single frontend subnet.
Tier 2 will create a frontend and backend subnet.
Tier 3 will create a frontend, backend and database subnet.
EOT
default = 1
validation {
condition = (
var.architecture_tiers > 0 &&
var.architecture_tiers <= 3
)
error_message = "The architecture_tiers must be between 0 and 3."
}
}
#! subnetpool creation
variable "create_subnetpool" {
type = bool
description = "Whether the module should create a subnet pool for this project, or use an existing one."
default = true
}
variable "subnetpool_cidr_blocks" {
type = list(string)
description = "The CIDR block for the subnet pool"
default = ["192.168.0.0/21"]
validation {
condition = alltrue([
for i in var.subnetpool_cidr_blocks : can(cidrhost(i, 0))
])
error_message = "The subnetpool_cidr_blocks must be a valid IPv4 CIDR"
}
}
#! networking variables
variable "frontend_subnet_prefix_len" {
type = number
description = "The prefix length of the frontend subnet. Must be between 20 and 32."
default = 24
validation {
condition = (
var.frontend_subnet_prefix_len >= 20 &&
var.frontend_subnet_prefix_len <= 32
)
error_message = "The prefix length must be between 20 and 32."
}
}
variable "backend_subnet_prefix_len" {
type = number
description = "The prefix length of the backend subnet. Must be between 20 and 32."
default = 24
validation {
condition = (
var.backend_subnet_prefix_len >= 20 &&
var.backend_subnet_prefix_len <= 32
)
error_message = "The prefix length must be between 20 and 32."
}
}
variable "database_subnet_prefix_len" {
type = number
description = "The prefix length of the database subnet. Must be between 24 and 32."
default = 24
validation {
condition = (
var.database_subnet_prefix_len >= 24 &&
var.database_subnet_prefix_len <= 32
)
error_message = "The prefix length must be between 24 and 32."
}
}
#! security variables
variable "create_default_secgroups" {
type = bool
description = <<-EOT
Whether to create default security groups or not.
Depending on your choice of architecture tiering, will create security groups so that each tier can connect to the one below.
Security groups for the database tier will be created for mariadb, postgresql and redis.
A default security group allowing ssh connection will also be created.
EOT
default = false
}
variable "database_secgroup_strict" {
type = bool
description = <<-EOT
Defines whether the security groups for the database network should be strict.
In strict mode, egress is only allowed to the backend network.
EOT
default = false
}
locals {
db_secgroups = [
{
type = "mariadb"
ingress_port = 3306
},
{
type = "postgresql"
ingress_port = 5432
},
{
type = "mysql"
ingress_port = 3306
},
{
type = "redis"
ingress_port = 6379
}
]
}
#! subnetpool variables & validation
variable "public_subnetpool_id" {
type = string
description = <<-EOT
The id of the subnetpool to create the public (first 2 tier) networks from.
Since this module can route private subnets to the backbone, it needs to make sure it's not creating overlapping subnets.
EOT
default = null
}
variable "database_subnetpool_id" {
type = string
description = <<-EOT
The id of the subnetpool to create the databse network from.
Since this module can route private subnets to the backbone, it needs to make sure it's not creating overlapping subnets.
EOT
default = null
}
locals {
validate_public_subnetpool_ids = (
var.architecture_tiers > 0 &&
var.create_subnetpool == false &&
var.public_subnetpool_id == null
) ? tobool("You have to either create or specify an existing subnetpool to create the public subnets from") : true
validate_database_subnetpool_ids = (
var.architecture_tiers > 2 &&
var.create_subnetpool == false &&
var.database_subnetpool_id == null
) ? tobool("You have to either create or specify an existing subnetpool to create the database subnets from") : true
}
#! public network attachement variables
variable "attach_to_external" {
type = bool
description = <<-EOT
Whether the frontend subnet should be routed or not to the external LAN.
This options implies that you have sufficient permissions to configure static route on the backbone infrastructure.
This will create an static route entry in the route table of the backbone router, in order to make your project available from the outside.
EOT
default = false
}
variable "external_network_id" {
type = string
description = "The id of the external network to connect the frontend router to."
default = null
}
variable "external_subnet_id" {
type = string
description = "The id of the external subnet to connect the frontend router to."
default = null
}
locals {
validate_external_network_id = (
var.architecture_tiers > 0 &&
var.attach_to_external &&
var.external_network_id == null
) ? tobool("Please pass in the external network ID to attach the frontend router to.") : true
validate_external_subnet_id = (
var.architecture_tiers > 0 &&
var.attach_to_external &&
var.external_subnet_id == null
) ? tobool("Please pass in the external subnet ID to attach the frontend router to.") : true
}