Merge pull request #44 from paseaf/zl/refactor-scripts
Refactor packer and terraform scripts
paseaf authored Jul 10, 2022
2 parents aa48738 + 7258204 commit c879eda
Showing 13 changed files with 264 additions and 240 deletions.
8 changes: 3 additions & 5 deletions packer/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -28,13 +28,11 @@ What you need:

2. Move the downloaded service account key file to `./gcp.key.json`

> Note: if you want to use a different file name or location, change `account_file` in [`./main.pkr.hcl`](./main.pkr.hcl) accordingly
3. Create a `variables.auto.pkrvars.hcl` file:

```bash
project = "<your_GCP_project_ID>"
```
```bash
project_id = "<your_GCP_project_ID>"
```

### Build the image

Expand Down
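--- a/packer/main.pkr.hcl
+++ b/packer/main.pkr.hcl
@@ -12,7 +12,7 @@ source "googlecompute" "ubuntu-2204" {
 source_image_family = "ubuntu-pro-2204-lts"
 ssh_username = "root"
 zone = "europe-west3-c"
-account_file = var.credentials
+account_file = var.gcp_key_file
 machine_type = "e2-small"
 }
 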
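--- a/packer/variables.pkr.hcl
+++ b/packer/variables.pkr.hcl
@@ -3,10 +3,12 @@
 // For those variables that you don't provide a default for, you must
 // set them from the command line, a var-file, or the environment.
 
-variable "credentials" {
+variable "gcp_key_file" {
 type = string
+description = "Path to your GCP service account key file (JSON)"
+default = "gcp.key.json"
 }
 
 variable "project_id" {
 type = string
 description = "Your GCP project ID"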
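Review bot: The new `default = "gcp.key.json"` places a live GCP service-account key inside the packer working directory, next to the tracked `.pkr.hcl` files, and nothing in this commit shows that path being git-ignored. A default that lands in the repo root is the usual way such keys get committed by accident, so the path should be listed in `.gitignore` and the description should say so, e.g. `description = "Path to your GCP service account key file (JSON); keep this file out of version control"`. Whether the repository already ignores it is not visible here.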
14 changes: 11 additions & 3 deletions terraform/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -11,13 +11,12 @@ Install Terraform as follows:
2. Install [Terraform CLI](https://learn.hashicorp.com/tutorials/terraform/install-cli?in=terraform/gcp-get-started)

3. Create and download a GCP _service account key_ (in JSON) following [Terraform - Set Up GCP](https://learn.hashicorp.com/tutorials/terraform/google-cloud-platform-build?in=terraform/gcp-get-started).\
Terraform will use it to manage your GCP resources. Move the key file to current folder as `./gcp-key.json`
Terraform will use it to manage your GCP resources. Move the key file to current folder as `./gcp.key.json`

4. Create a `terraform/terraform.tfvars` file with the following content

```bash
project = "<your_GCP_project_ID>"
credentials_file = "gcp.key.json"
project_id = "<your_GCP_project_ID>"
```

5. Create an SSH key to run commands on created VM
Expand Down Expand Up @@ -137,3 +136,12 @@ google_compute_instance.gateway_vm: Still creating... [5m10s elapsed]
Possible solution:
Remove `./deployer_key`, `./deployer_key.pub`, and regenerate them following this README.
### Trouble: unset credentials
Sometimes `terraform apply` may fail due to corrupted `./credentials.txt`.
Regenerate the credential file via
```bash
./generate_credentials.sh
```
Then, `terraform destroy` and `terraform apply` again.
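--- a/terraform/firewall_rules.tf
+++ b/terraform/firewall_rules.tf
@@ -0,0 +1,98 @@
+resource "google_compute_firewall" "containerssh_allow_all" {
+name = "containerssh-allow-all"
+network = google_compute_network.main.self_link
+
+allow {
+protocol = "icmp"
+}
+allow {
+protocol = "udp"
+ports = ["0-65535"]
+}
+allow {
+protocol = "tcp"
+ports = ["0-65535"]
+}
+source_ranges = ["0.0.0.0/0"]
+}
+
+resource "google_compute_firewall" "containerssh_allow_ssh" {
+name = "containerssh-allow-ssh"
+network = google_compute_network.main.self_link
+
+allow {
+protocol = "icmp"
+}
+
+allow {
+protocol = "tcp"
+ports = ["22"]
+}
+
+source_ranges = ["0.0.0.0/0"]
+}
+
+# open port 3000 for Grafana, 9000 and 9090 for MinIO on our logger-vm
+resource "google_compute_firewall" "firewall_logger_view" {
+name = "firewall-logger-view"
+network = google_compute_network.main.self_link
+allow {
+protocol = "tcp"
+ports = ["3000", "9000", "9090"]
+}
+target_tags = ["observer"]
+source_ranges = ["0.0.0.0/0"]
+}
+
+# open gateway-port 9100 and 9101, to our prometheus and metrics server
+resource "google_compute_firewall" "firewall_gateway_nodeexport" {
+name = "firewall-gateway-nodeexport"
+network = google_compute_network.main.self_link
+
+allow {
+protocol = "tcp"
+ports = ["8088", "9100", "9101"]
+}
+
+target_tags = ["gateway"]
+source_tags = ["observer"]
+}
+
+# allow inbound connection on TCP port 2376 from gateway
+resource "google_compute_firewall" "firewall_sacrificial_exception" {
+name = "firewall-sacrificial-exception"
+network = google_compute_network.main.name
+priority = 500
+source_tags = ["gateway"]
+target_tags = ["sacrificial"]
+allow {
+protocol = "tcp"
+ports = ["2376"]
+}
+}
+
+# open sacrificial-port 8088 for cadvisor and 9100 for node-exporter
+resource "google_compute_firewall" "firewall_sacrificial_nodeexport" {
+name = "firewall-sacrificial-nodeexport"
+network = google_compute_network.main.self_link
+
+allow {
+protocol = "tcp"
+ports = ["8088", "9100"]
+}
+
+target_tags = ["sacrificial"]
+source_tags = ["observer"]
+}
+
+# close all outgoing connection from sacrificial host
+resource "google_compute_firewall" "firewall_sacrificial_no_egress" {
+name = "firewall-sacrificial-no-egress"
+network = google_compute_network.main.name
+direction = "EGRESS"
+destination_ranges = ["0.0.0.0/0"]
+target_tags = ["sacrificial"]
+deny {
+protocol = "all"
+}
+}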
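Review bot: The `containerssh_allow_all` resource at the top of the file has no `target_tags`, so it admits every TCP and UDP port plus ICMP from `0.0.0.0/0` to every instance in the network — including logger-vm and gateway-vm, both of which get a public IP in `instances.tf`. That makes the tag-scoped rules further down (8088/9100/9101 only from `observer`, 2376 only from `gateway`) meaningless as restrictions, since this broader allow at the same default priority already permits that traffic from anywhere, and it exposes cAdvisor, node-exporter and the Docker port on hosts that are not meant to be attacked. If only the honeypot front door is supposed to accept arbitrary inbound connections, scope the rule with `target_tags = ["sacrificial"]` (or the gateway tag, whichever host terminates attacker sessions — not determinable from this file) so the remaining rules become the only exposure for the other hosts. A smaller consistency point: `network` is set via `.self_link` in some rules and `.name` in others; both resolve, but one form throughout reads better.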
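--- a/terraform/instances.tf
+++ b/terraform/instances.tf
@@ -0,0 +1,118 @@
+resource "google_compute_instance" "gateway_vm" {
+name = "gateway-vm"
+machine_type = var.machine_type
+tags = ["gateway"]
+
+boot_disk {
+initialize_params {
+image = "ubuntu-with-docker-image"
+size = 20
+type = "pd-balanced"
+}
+}
+
+network_interface {
+subnetwork = google_compute_subnetwork.gateway_subnet.self_link
+network_ip = "10.0.0.10"
+access_config {
+
+}
+}
+
+connection {
+type = "ssh"
+user = "deployer"
+private_key = file("./deployer_key")
+host = google_compute_instance.gateway_vm.network_interface.0.access_config.0.nat_ip
+}
+
+provisioner "file" {
+source = "./files/config.yaml"
+destination = "./config.yaml"
+}
+
+provisioner "remote-exec" {
+scripts = [
+"./scripts/run_cadvisor.sh"
+]
+}
+}
+
+resource "google_compute_instance" "sacrificial_vm" {
+name = "sacrificial-vm"
+machine_type = var.machine_type
+tags = ["sacrificial"]
+boot_disk {
+initialize_params {
+image = "sacrificial-vm-image"
+size = 20
+type = "pd-balanced"
+}
+}
+
+network_interface {
+subnetwork = google_compute_subnetwork.honeypot_subnet.name
+network_ip = "10.0.1.10"
+access_config {
+
+}
+}
+}
+
+resource "google_compute_instance" "logger_vm" {
+name = "logger-vm"
+machine_type = var.machine_type
+tags = ["observer"]
+
+boot_disk {
+initialize_params {
+image = "ubuntu-with-docker-image"
+size = 200
+type = "pd-balanced"
+}
+}
+
+network_interface {
+subnetwork = google_compute_subnetwork.gateway_subnet.name
+network_ip = "10.0.0.11"
+access_config {
+
+}
+}
+
+connection {
+type = "ssh"
+user = "deployer"
+private_key = file("./deployer_key")
+host = google_compute_instance.logger_vm.network_interface.0.access_config.0.nat_ip
+}
+
+provisioner "local-exec" {
+command = "./generate_credentials.sh"
+interpreter = ["/bin/bash"]
+}
+
+provisioner "file" {
+source = "./credentials.txt" # relative to terraform work_dir
+destination = "./.env" # relative to remote $HOME
+}
+
+provisioner "file" {
+source = "./files/prometheus.yml" # relative to terraform work_dir
+destination = "./prometheus.yml" # relative to remote $HOME
+}
+
+provisioner "file" {
+source = "./files/grafana" # relative to terraform work_dir
+destination = "./" # relative to remote $HOME
+}
+
+provisioner "remote-exec" {
+scripts = [
+"./scripts/run_cadvisor.sh",
+"./scripts/run_minio.sh",
+"./scripts/run_prometheus.sh",
+"./scripts/run_grafana.sh"
+]
+}
+}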
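Review bot: The `connection` blocks in `gateway_vm` and `logger_vm` refer to the resource from inside its own block (`host = google_compute_instance.gateway_vm.network_interface.0.access_config.0.nat_ip`); Terraform normally rejects a resource configuration that references itself, and the idiomatic form for a provisioner connection is `host = self.network_interface.0.access_config.0.nat_ip` — if this applies cleanly on the pinned Terraform version, a comment saying so would save the next reader the same question. Separately, `logger_vm` copies the locally generated `credentials.txt` to the remote `./.env` with no mode set, so the credentials file will carry whatever permissions the remote umask gives it; running `chmod 600 ~/.env` as the first step of the remote-exec provisioner, before the run_*.sh scripts read it, keeps it from other local users. `credentials.txt` and `deployer_key` both live in the Terraform working directory and should be git-ignored, which this commit does not show either way.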