-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathstep-01-chef-server.tf.off
238 lines (235 loc) · 10 KB
/
step-01-chef-server.tf.off
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
## Setup Chef Server Security Group and Rules
resource "aws_security_group" "chef-server" {
name = "${var.instance["hostname"]}.${var.instance["domain"]} security group"
description = "Chef Server ${var.instance["hostname"]}.${var.instance["domain"]}"
vpc_id = "${aws_vpc.chef.id}"
tags = "${merge(var.default_tags, map(
"Name", "${var.prefix}-chef-server",
))}"
}
# SSH from Bastion
resource "aws_security_group_rule" "chef-server_allow_22_tcp_admin_sg" {
type = "ingress"
from_port = 22
to_port = 22
protocol = "tcp"
source_security_group_id = "${aws_security_group.chef_admin.id}"
security_group_id = "${aws_security_group.chef-server.id}"
}
# HTTPS (nginx) from Bastion
resource "aws_security_group_rule" "chef-server_allow_443_tcp_admin_sg" {
type = "ingress"
from_port = 443
to_port = 443
protocol = "tcp"
source_security_group_id = "${aws_security_group.chef_admin.id}"
security_group_id = "${aws_security_group.chef-server.id}"
}
# SSH from Workstation
resource "aws_security_group_rule" "chef-server_allow_22_tcp_acb" {
type = "ingress"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["${split(",", var.allowed_cidrs)}"]
security_group_id = "${aws_security_group.chef-server.id}"
}
# HTTPS (nginx) from Workstation
resource "aws_security_group_rule" "chef-server_allow_443_tcp_acb" {
type = "ingress"
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = ["${split(",", var.allowed_cidrs)}"]
security_group_id = "${aws_security_group.chef-server.id}"
}
# Outbound All
resource "aws_security_group_rule" "chef-server_allow_egress" {
type = "egress"
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
security_group_id = "${aws_security_group.chef-server.id}"
}
## Local prep to get ready for Chef Server setup
# Creates encrypted_data_bag_secret file
resource "null_resource" "encrypted_data_bag_secret" {
provisioner "local-exec" {
command = <<-EOF
[ -f .chef/encrypted_data_bag_secret ] && rm -f .chef/encrypted_data_bag_secret
openssl rand -base64 512 | tr -d '\r\n' > .chef/encrypted_data_bag_secret
EOF
}
}
# Creates Chef provisiong attributes_json and .chef/dna.json templating
data "template_file" "attributes_json" {
template = "${file("${path.module}/files/attributes-json.tpl")}"
vars {
domain = "${var.instance["domain"]}"
host = "${var.instance["hostname"]}"
license = "${var.chef_license}"
version = "${var.chef_versions["server"]}"
}
}
# knife.rb templating
data "template_file" "knife-rb" {
template = "${file("${path.module}/files/knife-rb.tpl")}"
vars {
user = "${var.chef_user["username"]}"
fqdn = "${var.instance["hostname"]}.${var.instance["domain"]}"
org = "${var.chef_org["short"]}"
}
}
# Generate knife.rb
resource "local_file" "knife-rb" {
content = "${data.template_file.knife-rb.rendered}"
filename = ".chef/knife.rb"
}
data "template_file" "get-chef-client" {
template = "${file("${path.module}/files/get-chef-client.tpl")}"
vars {
version = "${var.chef_versions["client"]}"
}
}
#
# Provision server
#
resource "aws_instance" "chef-server" {
depends_on = ["null_resource.encrypted_data_bag_secret", "aws_instance.linux-bastion"]
ami = "${data.aws_ami.centos.id}"
count = 1
instance_type = "${var.instance_type}"
associate_public_ip_address = "${var.chef_server_pub}"
subnet_id = "${aws_subnet.chef_01_public.id}"
vpc_security_group_ids = [
"${aws_security_group.chef-server.id}",
"${aws_security_group.chef_internal.id}"
]
key_name = "${var.ssh_key["name"]}"
tags = "${merge(var.default_tags, map(
"Name", "${var.prefix}-chef-server",
))}"
root_block_device = {
delete_on_termination = "${var.instance_volume["delete"]}"
volume_size = "${var.instance_volume["size"]}"
volume_type = "${var.instance_volume["type"]}"
}
connection {
bastion_host = "${aws_instance.linux-bastion.public_ip}"
host = "${self.private_ip}"
user = "${var.ssh_username}"
private_key = "${file("${var.ssh_key["file"]}")}"
}
# Setup
provisioner "remote-exec" {
script = "${path.module}/files/disable_firewall.sh"
}
provisioner "remote-exec" {
inline = [
"mkdir .chef"
]
}
provisioner "file" {
content = "${data.template_file.get-chef-client.rendered}"
destination = ".chef/get-chef-client.sh"
}
provisioner "remote-exec" {
inline = [
"mkdir -p .chef/trusted_certs",
"chmod 755 .chef/get-chef-client.sh",
"bash .chef/get-chef-client.sh",
"echo 'Version ${var.chef_versions["client"]} of chef-client installed'"
]
}
# Put certificate key
provisioner "file" {
source = "${var.chef_ssl["key"]}"
destination = ".chef/${var.instance["hostname"]}.${var.instance["domain"]}.key"
}
# Put certificate
provisioner "file" {
source = "${var.chef_ssl["cert"]}"
destination = ".chef/${var.instance["hostname"]}.${var.instance["domain"]}.pem"
}
# Write .chef/dna.json for chef-client --local-mode run
provisioner "file" {
content = "${data.template_file.attributes_json.rendered}"
destination = ".chef/dna.json"
}
# Move certs
provisioner "remote-exec" {
inline = [
"sudo mv .chef/${var.instance["hostname"]}.${var.instance["domain"]}.* /var/chef/ssl/"
]
}
# Run chef-client --local-mode and get us a Chef server
provisioner "remote-exec" {
inline = [
"cd /var/chef",
"sudo chef-solo -j /home/centos/.chef/dna.json -o 'recipe[chef-server::default]'",
]
}
# Create first user and org
provisioner "remote-exec" {
inline = [
"sudo chef-server-ctl user-create ${var.chef_user["username"]} ${var.chef_user["first"]} ${var.chef_user["last"]} ${var.chef_user["email"]} ${base64sha256(self.id)} -f .chef/${var.chef_user["username"]}.pem",
"sudo chef-server-ctl org-create ${var.chef_org["short"]} '${var.chef_org["long"]}' --association_user ${var.chef_user["username"]} --filename .chef/${var.chef_org["short"]}-validator.pem",
]
}
# Correct ownership on .chef so we can harvest files
provisioner "remote-exec" {
inline = [
"sudo chown -R ${var.ssh_username} .chef"
]
}
# Copy back .chef files
provisioner "local-exec" {
command = "scp -r -o stricthostkeychecking=no -i ${var.ssh_key["file"]} ${var.ssh_username}@${self.public_ip}:.chef/* .chef/"
}
# Replace local .chef/user.pem file with generated one
provisioner "local-exec" {
command = "cp -f .chef/${var.chef_user["username"]}.pem .chef/user.pem"
}
# Upload knife.rb
provisioner "file" {
content = "${data.template_file.knife-rb.rendered}"
destination = ".chef/knife.rb"
}
# Upload ssl cert
provisioner "file" {
source = "${var.chef_ssl["cert"]}"
destination = ".chef/trusted_certs/${var.instance["hostname"]}.${var.instance["domain"]}.crt"
}
# Push in cookbooks
provisioner "remote-exec" {
inline = [
"sudo knife ssl check",
"sudo knife cookbook upload -a -c .chef/knife.rb --cookbook-path /var/chef/cookbooks",
"sudo rm -rf /var/chef/cookbooks",
]
}
}
# Register Chef server against itself
resource "null_resource" "bootstrap_chef_server" {
depends_on = ["aws_instance.chef-server"]
connection {
bastion_host = "${aws_instance.linux-bastion.public_ip}"
host = "${aws_instance.chef-server.private_ip}"
user = "${var.ssh_username}"
private_key = "${file("${var.ssh_key["file"]}")}"
}
# Provision with Chef
provisioner "chef" {
attributes_json = "${data.template_file.attributes_json.rendered}"
environment = "_default"
log_to_file = "${var.chef_log}"
node_name = "${var.instance["hostname"]}.${var.instance["domain"]}"
run_list = ["recipe[chef-client::default]","recipe[chef-client::config]","recipe[chef-client::cron]","recipe[chef-client::delete_validation]","recipe[chef-server::default]","recipe[chef-server::addons]"]
server_url = "https://${var.instance["hostname"]}.${var.instance["domain"]}/organizations/${var.chef_org["short"]}"
skip_install = true
user_name = "${var.chef_user["username"]}"
user_key = "${file(".chef/user.pem")}"
fetch_chef_certificates = true
}
}