diff --git a/.github/workflows/deploy_capev2.yml b/.github/workflows/deploy_capev2.yml index 476dde1..135ece7 100644 --- a/.github/workflows/deploy_capev2.yml +++ b/.github/workflows/deploy_capev2.yml @@ -7,8 +7,8 @@ on: paths: - 'capev2/**' - 'modules/cape_vm/**' - - 'playbooks/capev2ansible.yaml' - 'playbooks/openstack.yaml' + - 'playbooks/capev2_install.yaml' workflow_dispatch: env: @@ -43,7 +43,7 @@ jobs: working-directory: ${{ env.WORKING_DIR }} - name: Run capev2 configuration ansible playbook - run: ansible-playbook -i openstack.yaml capev2ansible.yaml -u ansible + run: ansible-playbook -i openstack.yaml capev2_install.yaml -u ansible working-directory: ./playbooks staging: @@ -74,5 +74,5 @@ jobs: working-directory: ${{ env.WORKING_DIR }} - name: Run capev2 configuration ansible playbook - run: ansible-playbook -i openstack.yaml capev2ansible.yaml -u ansible + run: ansible-playbook -i openstack.yaml capev2_install.yaml -u ansible working-directory: ./playbooks \ No newline at end of file diff --git a/.github/workflows/deploy_kubernetes.yml b/.github/workflows/deploy_kubernetes.yml new file mode 100644 index 0000000..b399532 --- /dev/null +++ b/.github/workflows/deploy_kubernetes.yml 
@@ -0,0 +1,82 @@ +name: Deploy Kubernetes module + +on: + push: + branches: + - 'main' + paths: + - 'kubernetes/**' + - 'modules/cluster_network/**' + - 'modules/control_plane/**' + - 'modules/load_balancer/**' + - 'modules/security/**' + - 'modules/shared_router/**' + - 'modules/ssh_key/**' + - 'modules/storage/**' + - 'modules/talos_config/**' + - 'modules/workers/**' + workflow_dispatch: + +env: + WORKING_DIR: ./kubernetes + +jobs: + + dev: + runs-on: dev + env: + PG_CONN_STR: ${{ secrets.PG_CONN_STR_DEV }} + + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Terraform init + run: terraform init + working-directory: ${{ env.WORKING_DIR }} + + - name: Terraform workspace select or create kubernetes + run: terraform workspace select -or-create kubernetes + working-directory: ${{ env.WORKING_DIR }} + + - name: Create tfvars file + run: echo ${{ secrets.KUBERNETES_TFVARS }} > terraform.tfvars + working-directory: ${{ env.WORKING_DIR }} + + - name: Terraform plan + run: terraform plan -var "os_auth_url=${{ secrets.OS_AUTH_URL_DEV }}" -var "os_application_credential_id=${{ secrets.OS_APPLICATION_CREDENTIAL_ID_DEV }}" -var "os_application_credential_secret=${{ secrets.OS_APPLICATION_CREDENTIAL_SECRET_DEV }}" + working-directory: ${{ env.WORKING_DIR }} + + - name: Terraform apply + run: terraform apply -auto-approve -var "os_auth_url=${{ secrets.OS_AUTH_URL_DEV }}" -var "os_application_credential_id=${{ secrets.OS_APPLICATION_CREDENTIAL_ID_DEV }}" -var "os_application_credential_secret=${{ secrets.OS_APPLICATION_CREDENTIAL_SECRET_DEV }}" + working-directory: ${{ env.WORKING_DIR }} + + staging: + needs: dev + runs-on: stage + env: + PG_CONN_STR: ${{ secrets.PG_CONN_STR_STAGE }} + + steps: + - name: Chekcout + uses: actions/checkout@v4 + + - name: Terraform init + run: terraform init + working-directory: ${{ env.WORKING_DIR }} + + - name: Terraform workspace select or create kubernetes + run: terraform workspace select -or-create kubernetes + 
working-directory: ${{ env.WORKING_DIR }} + + - name: Create tfvars file + run: echo ${{ secrets.KUBERNETES_TFVARS }} > terraform.tfvars + working-directory: ${{ env.WORKING_DIR }} + + - name: Terraform plan + run: terraform plan -var "os_auth_url=${{ secrets.OS_AUTH_URL_STAGE }}" -var "os_application_credential_id=${{ secrets.OS_APPLICATION_CREDENTIAL_ID_STAGE }}" -var "os_application_credential_secret=${{ secrets.OS_APPLICATION_CREDENTIAL_SECRET_STAGE }}" + working-directory: ${{ env.WORKING_DIR }} + + - name: Terraform apply + run: terraform apply -auto-approve -var "os_auth_url=${{ secrets.OS_AUTH_URL_STAGE }}" -var "os_application_credential_id=${{ secrets.OS_APPLICATION_CREDENTIAL_ID_STAGE }}" -var "os_application_credential_secret=${{ secrets.OS_APPLICATION_CREDENTIAL_SECRET_STAGE }}" + working-directory: ${{ env.WORKING_DIR }} \ No newline at end of file diff --git a/.github/workflows/validate_kubernetes.yml b/.github/workflows/validate_kubernetes.yml new file mode 100644 index 0000000..6031804 --- /dev/null +++ b/.github/workflows/validate_kubernetes.yml 
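Review bot: Every OpenStack credential in the plan and apply steps is interpolated straight into the shell command line (`-var "os_application_credential_secret=${{ secrets... }}"`), so the secret is visible in the runner's process list and any shell tracing, and the `echo ${{ secrets.KUBERNETES_TFVARS }} > terraform.tfvars` step passes the tfvars content unquoted through word splitting. Terraform reads `TF_VAR_<name>` from the environment, so the credentials belong in the job `env` block next to `PG_CONN_STR`, and the tfvars secret should go through an env var with `printf '%s\n'`. Apply also runs `-auto-approve` with no relation to the preceding plan; writing `terraform plan -out=tfplan` and applying that file makes the apply match what was planned and needs no `-auto-approve`. On a self-hosted `dev`/`stage` runner the written `terraform.tfvars` also persists in the workspace between runs unless a cleanup step removes it. The same applies to the `staging` job (note the `Chekcout` typo there).

```yaml
  dev:
    runs-on: dev
    env:
      PG_CONN_STR: ${{ secrets.PG_CONN_STR_DEV }}
      TF_VAR_os_auth_url: ${{ secrets.OS_AUTH_URL_DEV }}
      TF_VAR_os_application_credential_id: ${{ secrets.OS_APPLICATION_CREDENTIAL_ID_DEV }}
      TF_VAR_os_application_credential_secret: ${{ secrets.OS_APPLICATION_CREDENTIAL_SECRET_DEV }}

    # … unchanged: checkout, init, workspace select …

      - name: Create tfvars file
        env:
          KUBERNETES_TFVARS: ${{ secrets.KUBERNETES_TFVARS }}
        run: printf '%s\n' "$KUBERNETES_TFVARS" > terraform.tfvars
        working-directory: ${{ env.WORKING_DIR }}

      - name: Terraform plan
        run: terraform plan -out=tfplan
        working-directory: ${{ env.WORKING_DIR }}

      - name: Terraform apply
        run: terraform apply tfplan
        working-directory: ${{ env.WORKING_DIR }}
```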
@@ -0,0 +1,46 @@ +name: Validate Kubernetes module + +on: + push: + branches-ignore: + - 'main' + paths: + - 'kubernetes/**' + - 'modules/cluster_network/**' + - 'modules/control_plane/**' + - 'modules/load_balancer/**' + - 'modules/security/**' + - 'modules/shared_router/**' + - 'modules/ssh_key/**' + - 'modules/storage/**' + - 'modules/talos_config/**' + - 'modules/workers/**' + workflow_dispatch: + +jobs: + + validate: + runs-on: dev + env: + WORKING_DIR: ./kubernetes + PG_CONN_STR: ${{ secrets.PG_CONN_STR_DEV }} + + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Terraform init + run: terraform init + working-directory: ${{ env.WORKING_DIR }} + + - name: Terraform fmt + run: terraform fmt + working-directory: ${{ env.WORKING_DIR }} + + - name: Terraform validate + run: terraform validate + working-directory: ${{ env.WORKING_DIR }} + + - name: Tfsec + run: tfsec + working-directory: ${{ env.WORKING_DIR }} \ No newline at end of file diff --git a/.github/workflows/validate_misp.yml b/.github/workflows/validate_misp.yml new file mode 100644 index 0000000..f755921 --- /dev/null +++ b/.github/workflows/validate_misp.yml @@ -0,0 +1,39 @@ +name: Validate MISP module + +on: + push: + branches-ignore: + - 'main' + paths: + - 'misp/**' + - 'modules/misp/**' + - 'modules/security/**' + workflow_dispatch: + +jobs: + + validate: + runs-on: dev + env: + WORKING_DIR: ./misp + PG_CONN_STR: ${{ secrets.PG_CONN_STR_DEV }} + + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Terraform init + run: terraform init + working-directory: ${{ env.WORKING_DIR }} + + - name: Terraform fmt + run: terraform fmt + working-directory: ${{ env.WORKING_DIR }} + + - name: Terraform validate + run: terraform validate + working-directory: ${{ env.WORKING_DIR }} + + - name: Tfsec + run: tfsec + working-directory: ${{ env.WORKING_DIR }} \ No newline at end of file diff --git a/kubernetes/locals.tf b/kubernetes/locals.tf index f4d474f..08f9f1f 100644 
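Review bot: The `Terraform fmt` step runs `terraform fmt` without `-check`, so it rewrites files on the runner and never fails; formatting drift passes validation unnoticed. The `Terraform init` step also initialises the `pg` backend, which means a push to any non-`main` branch hands `PG_CONN_STR_DEV` to the job and opens a connection to the dev state database, neither of which `validate` or `tfsec` need. Change the two steps to `run: terraform init -backend=false` and `run: terraform fmt -check -recursive`, and drop `PG_CONN_STR` from the job env. The `validate_misp.yml` hunk in this commit has the identical steps and needs the same change.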
--- a/kubernetes/locals.tf +++ b/kubernetes/locals.tf @@ -1,4 +1,4 @@ locals { - kubernetes_internal_endpoint = "https://${module.control_plane.control_plane_internal_ips[0]}:6443" + kubernetes_internal_endpoint = "https://${module.control_plane.control_plane_internal_ips[0]}:6443" } diff --git a/kubernetes/main.tf b/kubernetes/main.tf index eba4d5a..18be1c0 100644 --- a/kubernetes/main.tf +++ b/kubernetes/main.tf @@ -28,7 +28,7 @@ module "shared_router" { source = "../modules/shared_router" existing_router_name = var.main_router_name - cluster_subnet_id = module.cluster_network.subnet_id + cluster_subnet_id = module.cluster_network.subnet_id } ############################## @@ -50,15 +50,15 @@ module "ssh_key" { # 2. Control Plane (Master Nodes) Setup ############################## module "control_plane" { - source = "../modules/control_plane" - talos_image_name = var.talos_image_name - internal_network_id = module.cluster_network.network_id - control_plane_subnet_id = module.cluster_network.subnet_id - control_plane_flavor_name = var.control_plane_flavor_name - control_plane_node_count = var.control_plane_node_count - kubernetes_cluster_name = var.kubernetes_cluster_name - control_plane_sg_id = module.security.control_plane_sg_id - allow_all_egress_sg_id = module.security.allow_all_egress_id + source = "../modules/control_plane" + talos_image_name = var.talos_image_name + internal_network_id = module.cluster_network.network_id + control_plane_subnet_id = module.cluster_network.subnet_id + control_plane_flavor_name = var.control_plane_flavor_name + control_plane_node_count = var.control_plane_node_count + kubernetes_cluster_name = var.kubernetes_cluster_name + control_plane_sg_id = module.security.control_plane_sg_id + allow_all_egress_sg_id = module.security.allow_all_egress_id allowed_management_ingress_sg_id = module.security.allowed_management_ingress_sg_id } 
@@ -66,39 +66,39 @@ module "control_plane" { # 3. Worker Nodes Setup ############################## module "workers" { - source = "../modules/workers" - talos_image_name = var.talos_image_name - internal_network_id = module.cluster_network.network_id - worker_nodes_subnet_id = module.cluster_network.subnet_id - worker_nodes_flavor_name = var.worker_nodes_flavor_name - worker_nodes_node_count = var.worker_nodes_node_count - kubernetes_cluster_name = var.kubernetes_cluster_name - allow_all_egress_sg_id = module.security.allow_all_egress_id + source = "../modules/workers" + talos_image_name = var.talos_image_name + internal_network_id = module.cluster_network.network_id + worker_nodes_subnet_id = module.cluster_network.subnet_id + worker_nodes_flavor_name = var.worker_nodes_flavor_name + worker_nodes_node_count = var.worker_nodes_node_count + kubernetes_cluster_name = var.kubernetes_cluster_name + allow_all_egress_sg_id = module.security.allow_all_egress_id allowed_management_ingress_sg_id = module.security.allowed_management_ingress_sg_id - worker_nodes_sg_id = module.security.worker_nodes_sg_id + worker_nodes_sg_id = module.security.worker_nodes_sg_id } ############################## # 4. 
Load Balancer Setup ############################## module "load_balancer" { - source = "../modules/load_balancer" - internal_network_id = module.cluster_network.network_id - control_plane_subnet_id = module.cluster_network.subnet_id - kubernetes_name = var.kubernetes_cluster_name - instance_image_name = var.haproxy_image_name - instance_flavor_name = var.haproxy_flavor_name - ssh_key_name = module.ssh_key.ssh_key_name - ssh_public_key = module.ssh_key.public_key - load_balancer_ip = var.load_balancer_ip - floating_ip_pool = var.public_network_name - control_plane_ips = module.control_plane.control_plane_internal_ips - worker_node_ips = module.workers.worker_node_internal_ips - control_plane_sg_id = module.security.control_plane_sg_id - allow_all_egress_sg_id = module.security.allow_all_egress_id + source = "../modules/load_balancer" + internal_network_id = module.cluster_network.network_id + control_plane_subnet_id = module.cluster_network.subnet_id + kubernetes_name = var.kubernetes_cluster_name + instance_image_name = var.haproxy_image_name + instance_flavor_name = var.haproxy_flavor_name + ssh_key_name = module.ssh_key.ssh_key_name + ssh_public_key = module.ssh_key.public_key + load_balancer_ip = var.load_balancer_ip + floating_ip_pool = var.public_network_name + control_plane_ips = module.control_plane.control_plane_internal_ips + worker_node_ips = module.workers.worker_node_internal_ips + control_plane_sg_id = module.security.control_plane_sg_id + allow_all_egress_sg_id = module.security.allow_all_egress_id allowed_management_ingress_sg_id = module.security.allowed_management_ingress_sg_id - allow_bastion = module.security.bastion_sg_id - load_balancer_sg_id = module.security.load_balancer_sg_id + allow_bastion = module.security.bastion_sg_id + load_balancer_sg_id = module.security.load_balancer_sg_id } ############################## 
@@ -108,52 +108,52 @@ module "talos_config" { source = "../modules/talos_config" # Basic cluster information - cluster_name = var.kubernetes_cluster_name - control_plane_lb_ip = module.load_balancer.control_plane_lb_ip - control_plane_endpoints = module.control_plane.control_plane_ips - worker_endpoints = module.workers.worker_nodes_ips + cluster_name = var.kubernetes_cluster_name + control_plane_lb_ip = module.load_balancer.control_plane_lb_ip + control_plane_endpoints = module.control_plane.control_plane_ips + worker_endpoints = module.workers.worker_nodes_ips control_plane_dns_nameservers = var.control_plane_dns_nameservers # Versions - talos_version = var.talos_version - kubernetes_version = var.kubernetes_cluster_version + talos_version = var.talos_version + kubernetes_version = var.kubernetes_cluster_version # Dependencies on compute resources - control_plane_nodes = module.control_plane.control_plane_ips - worker_nodes = module.workers.worker_node_internal_ips + control_plane_nodes = module.control_plane.control_plane_ips + worker_nodes = module.workers.worker_node_internal_ips # Output configuration - output_dir = "./talos-config" - save_configs_locally = true - bootstrap_cluster = true + output_dir = "./talos-config" + save_configs_locally = true + bootstrap_cluster = true } ############################## # 6. 
Storage Setup ############################## module "storage" { - source = "../modules/storage" + source = "../modules/storage" kubernetes_cluster_name = var.kubernetes_cluster_name # Worker node information for volume attachment - worker_instance_ids = module.workers.worker_nodes_instance_ids + worker_instance_ids = module.workers.worker_nodes_instance_ids # Volume configuration - volume_count = var.storage_volume_count - volume_size = var.storage_volume_size - volume_type = var.storage_volume_type - availability_zone = var.storage_availability_zone + volume_count = var.storage_volume_count + volume_size = var.storage_volume_size + volume_type = var.storage_volume_type + availability_zone = var.storage_availability_zone # Mount configuration - mount_path = var.storage_mount_path + mount_path = var.storage_mount_path # StorageClass configuration - create_storage_class = true + create_storage_class = true make_default_storage_class = true - storage_reclaim_policy = "Delete" - fs_type = "ext4" + storage_reclaim_policy = "Delete" + fs_type = "ext4" # Dependency to ensure Kubernetes is available - kubernetes_dependency = module.talos_config + kubernetes_dependency = module.talos_config } ############################## diff --git a/kubernetes/provider.tf b/kubernetes/provider.tf index 26dc9b6..c140880 100644 --- a/kubernetes/provider.tf +++ b/kubernetes/provider.tf @@ -17,12 +17,16 @@ terraform { version = "~> 2.24.0" } } + + backend "pg" {} } provider "talos" {} provider "openstack" { - cloud = "openstack" + auth_url = var.os_auth_url + application_credential_id = var.os_application_credential_id + application_credential_secret = var.os_application_credential_secret } provider "kubernetes" { diff --git a/kubernetes/variabels.tf b/kubernetes/variabels.tf index cc258a7..0eeb2b0 100644 --- a/kubernetes/variabels.tf +++ b/kubernetes/variabels.tf 
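Review bot: The new `backend "pg" {}` has no `conn_str`, so where the connection comes from is not stated in the file; the workflows in this commit set a `PG_CONN_STR` environment variable, which is presumably what fills it. A comment above the block should say so, and should note what the database then holds, e.g. `# conn_str comes from the PG_CONN_STR environment variable (one database per environment in CI). The state stored here may contain sensitive values from the modules, so the database is a secret store, not just a lock.` Removing `cloud = "openstack"` also means a local `clouds.yaml` no longer configures the provider; a one-line comment that the three `os_*` variables must be supplied (for example via `TF_VAR_*`) would save the next operator a confusing init.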
@@ -1,7 +1,26 @@ + +# Credentials +variable "os_auth_url" { + type = string + sensitive = true +} + +variable "os_application_credential_id" { + type = string + sensitive = true +} + +variable "os_application_credential_secret" { + type = string + sensitive = true +} + + + # talos/variables.tf variable "region" { - type = string + type = string description = "The OpenStack region" } 
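Review bot: The three new variables are the only ones in this file without a `description`, and `sensitive = true` alone does not tell a reader what value is expected. Add for instance `description = "OpenStack Keystone auth URL (credential scope is implied by the application credential)"`, `description = "OpenStack application credential ID"` and `description = "OpenStack application credential secret"`. The run of three blank lines after the block and the pre-existing `# talos/variables.tf` comment (this file is `variabels.tf`) could be tidied in the same hunk.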
@@ -29,79 +48,79 @@ variable "control_plane_dns_nameservers" { } variable "cluster_ip_version" { - type = number + type = number description = "IP version for the cluster network (4 or 6)" } variable "key_name" { - type = string + type = string description = "The name of the OpenStack key pair" - default = "lb_key" + default = "lb_key" } variable "allowed_management_ipv4_cidrs" { - type = list(string) + type = list(string) description = "CIDR blocks allowed to access management ports (SSH, etc.)" - # If you want to manage the cluster from your local machine, - # add your *public* IP address here (e.g., ["YOUR_PUBLIC_IP/32"]). + # If you want to manage the cluster from your local machine, + # add your *public* IP address here (e.g., ["YOUR_PUBLIC_IP/32"]). } variable "static_lb_ip" { - type = string + type = string description = "Static IP for the load balancer" } variable "talos_image_name" { - type = string + type = string description = "Name of the Talos image in OpenStack" } variable "control_plane_flavor_name" { - type = string + type = string description = "OpenStack flavor for control plane nodes" } variable "control_plane_node_count" { - type = string + type = string description = "Number of control plane nodes" } variable "haproxy_image_name" { - type = string + type = string description = "Name of the HAProxy image in OpenStack" } variable "haproxy_flavor_name" { - type = string + type = string description = "OpenStack flavor for HAProxy instance" } variable "worker_nodes_flavor_name" { - type = string + type = string description = "OpenStack flavor for worker nodes" } variable "worker_nodes_node_count" { - type = string + type = string description = "Number of worker nodes" } variable "main_network_name" { - type = string - description = "The name of the main network" - default = "main_network" + type = string + description = "The name of the main network" + default = "main_network" } variable "main_router_name" { - type = string - description = "The name 
of the main router" - default = "main_router" + type = string + description = "The name of the main router" + default = "main_router" } -variable "cluster_network_cidr"{ - type = string - description = "cidr of the cluster network" +variable "cluster_network_cidr" { + type = string + description = "cidr of the cluster network" } variable "public_network_name" { @@ -116,15 +135,15 @@ variable "kubernetes_cluster_version" { } variable "create_security_groups" { - type = bool - description = "Whether to create security groups for the cluster" - default = false + type = bool + description = "Whether to create security groups for the cluster" + default = false } variable "main_cluster_network_cidr" { - type = string + type = string description = "CIDR for the main cluster network" - default = "192.168.4.0/24" + default = "192.168.4.0/24" } variable "load_balancer_ip" { @@ -133,8 +152,8 @@ variable "load_balancer_ip" { } variable "talos_version" { - type = string - description = "The Talos version to use." + type = string + description = "The Talos version to use." } variable "kubernetes_api_port" { 
@@ -199,31 +218,31 @@ variable "stats_port" { variable "storage_volume_count" { description = "Number of storage volumes to create" type = number - default = 3 # Adjust based on your needs + default = 3 # Adjust based on your needs } variable "storage_volume_size" { description = "Size in GB for each storage volume" type = number - default = 100 # Adjust based on your needs + default = 100 # Adjust based on your needs } variable "storage_volume_type" { description = "Volume type for OpenStack volumes" type = string - default = "ceph" # Change to match your OpenStack environment + default = "ceph" # Change to match your OpenStack environment } variable "storage_availability_zone" { description = "OpenStack availability zone for storage volumes" type = string - default = "nova" # Change to match your OpenStack environment + default = "nova" # Change to match your OpenStack environment } variable "storage_mount_path" { description = "Path where the volumes will be mounted" type = string - default = "/var/data" # Adjust based on your needs + default = "/var/data" # Adjust based on your needs } diff --git a/misp/main.tf b/misp/main.tf index 7aabe76..2b39396 100644 --- a/misp/main.tf +++ b/misp/main.tf @@ -1,3 +1,4 @@ +# test ############################## # 1. Security and SSH Key Setup ############################## diff --git a/modules/cluster_network/main.tf b/modules/cluster_network/main.tf index 43af691..cf07a72 100644 --- a/modules/cluster_network/main.tf +++ b/modules/cluster_network/main.tf @@ -14,5 +14,5 @@ resource "openstack_networking_subnet_v2" "cluster_subnet" { start = "192.169.3.20" } - enable_dhcp = true + enable_dhcp = true } diff --git a/modules/cluster_network/provider.tf b/modules/cluster_network/provider.tf index e439325..4395c43 100644 --- a/modules/cluster_network/provider.tf +++ b/modules/cluster_network/provider.tf 
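Review bot: The `misp/main.tf` hunk adds a bare `# test` comment at the top of the file, which looks like a leftover used to trigger the new validate workflow. It should be removed before merge; if a no-op change is needed to exercise the workflow, the `workflow_dispatch` trigger that both new workflows declare does that without touching the module.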
@@ -13,9 +13,4 @@ terraform { version = "~> 2.1.0" } } -} - -provider "openstack" { - cloud = "openstack" -} - +} \ No newline at end of file diff --git a/modules/control_plane/outputs.tf b/modules/control_plane/outputs.tf index 32c14bd..96d3dc9 100644 --- a/modules/control_plane/outputs.tf +++ b/modules/control_plane/outputs.tf @@ -24,6 +24,6 @@ output "control_node_ports" { } output "control_plane_name" { - description = "Name of the control plane" - value = openstack_compute_instance_v2.control_node[*].name + description = "Name of the control plane" + value = openstack_compute_instance_v2.control_node[*].name } diff --git a/modules/control_plane/provider.tf b/modules/control_plane/provider.tf index e439325..4395c43 100644 --- a/modules/control_plane/provider.tf +++ b/modules/control_plane/provider.tf @@ -13,9 +13,4 @@ terraform { version = "~> 2.1.0" } } -} - -provider "openstack" { - cloud = "openstack" -} - +} \ No newline at end of file diff --git a/modules/load_balancer/main.tf b/modules/load_balancer/main.tf index 048ec09..8e1dadc 100644 --- a/modules/load_balancer/main.tf +++ b/modules/load_balancer/main.tf @@ -21,7 +21,7 @@ resource "openstack_compute_instance_v2" "control_plane_lb" { user_data = templatefile("${path.module}/tftemplates/haproxy_cloud_init.tftpl", { ssh_public_key = var.ssh_public_key, control_plane_ips = local.haproxy.control_plane_ips, - worker_node_ips = local.haproxy.worker_node_ips # Add worker node IPs to the template + worker_node_ips = local.haproxy.worker_node_ips # Add worker node IPs to the template }) # Attach the instance to the previously created network port 
@@ -32,7 +32,7 @@ resource "openstack_compute_instance_v2" "control_plane_lb" { # 3. Allocate a floating IP from external network (e.g., public) resource "openstack_networking_floatingip_v2" "lb_fip" { - pool = var.floating_ip_pool # Must match your OpenStack external network name + pool = var.floating_ip_pool # Must match your OpenStack external network name } # 4. Associate the floating IP to the HAProxy port diff --git a/modules/load_balancer/outputs.tf b/modules/load_balancer/outputs.tf index 3b761ea..ccf2f4e 100644 --- a/modules/load_balancer/outputs.tf +++ b/modules/load_balancer/outputs.tf @@ -10,7 +10,7 @@ output "lb_instance_id" { output "control_plane_lb_lb" { description = "The control plane load balancer" - value = openstack_compute_instance_v2.control_plane_lb + value = openstack_compute_instance_v2.control_plane_lb } output "control_plane_lb_ip" { diff --git a/modules/load_balancer/provider.tf b/modules/load_balancer/provider.tf index e439325..4395c43 100644 --- a/modules/load_balancer/provider.tf +++ b/modules/load_balancer/provider.tf @@ -13,9 +13,4 @@ terraform { version = "~> 2.1.0" } } -} - -provider "openstack" { - cloud = "openstack" -} - +} \ No newline at end of file diff --git a/modules/load_balancer/variables.tf b/modules/load_balancer/variables.tf index 57144e8..6611a17 100644 --- a/modules/load_balancer/variables.tf +++ b/modules/load_balancer/variables.tf @@ -39,13 +39,13 @@ variable "allowed_management_ingress_sg_id" { } variable "allow_bastion" { - type = string - description = "Security group for bastion host" + type = string + description = "Security group for bastion host" } variable "load_balancer_sg_id" { - type = string - description = "Security group for load balancer" + type = string + description = "Security group for load balancer" } variable "control_plane_ips" { 
@@ -64,8 +64,8 @@ variable "ssh_key_name" { } variable "load_balancer_ip" { - description = "IP address of the load balancer" - type = string + description = "IP address of the load balancer" + type = string } variable "worker_node_ips" { @@ -75,6 +75,6 @@ variable "worker_node_ips" { } variable "floating_ip_pool" { - description = "The pool of floating IPs" - type = string + description = "The pool of floating IPs" + type = string } \ No newline at end of file diff --git a/modules/misp/main.tf b/modules/misp/main.tf index c30a9d7..e2fa603 100644 --- a/modules/misp/main.tf +++ b/modules/misp/main.tf @@ -24,11 +24,11 @@ resource "openstack_compute_instance_v2" "misp_server" { availability_zone = var.availability_zone network { - port = openstack_networking_port_v2.misp_port.id # Use the port here + port = openstack_networking_port_v2.misp_port.id # Use the port here } metadata = { - role = "misp-server" + role = "misp-server" environment = var.kubernetes_cluster_name } } diff --git a/modules/misp/security.tf b/modules/misp/security.tf index 72fe95c..938d2c1 100644 --- a/modules/misp/security.tf +++ b/modules/misp/security.tf 
@@ -7,33 +7,36 @@ resource "openstack_networking_secgroup_v2" "misp_sg" { # Allow HTTP (initially for setup) resource "openstack_networking_secgroup_rule_v2" "misp_allow_http" { - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 80 - port_range_max = 80 - remote_ip_prefix = "0.0.0.0/0" + direction = "ingress" + ethertype = "IPv4" + protocol = "tcp" + port_range_min = 80 + port_range_max = 80 + #tfsec:ignore:openstack-networking-no-public-ingress + remote_ip_prefix = "0.0.0.0/0" # should allow public ingress connections security_group_id = openstack_networking_secgroup_v2.misp_sg.id } # Allow HTTPS resource "openstack_networking_secgroup_rule_v2" "misp_allow_https" { - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 443 - port_range_max = 443 - remote_ip_prefix = "0.0.0.0/0" + direction = "ingress" + ethertype = "IPv4" + protocol = "tcp" + port_range_min = 443 + port_range_max = 443 + #tfsec:ignore:openstack-networking-no-public-ingress + remote_ip_prefix = "0.0.0.0/0" # should allow public ingress connections security_group_id = openstack_networking_secgroup_v2.misp_sg.id } # Allow SSH resource "openstack_networking_secgroup_rule_v2" "misp_allow_ssh" { - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 22 - port_range_max = 22 - remote_ip_prefix = "0.0.0.0/0" + direction = "ingress" + ethertype = "IPv4" + protocol = "tcp" + port_range_min = 22 + port_range_max = 22 + #tfsec:ignore:openstack-networking-no-public-ingress + remote_ip_prefix = "0.0.0.0/0" # should allow public ingress connections security_group_id = openstack_networking_secgroup_v2.misp_sg.id } \ No newline at end of file diff --git a/modules/misp/variabels.tf b/modules/misp/variabels.tf index d78b294..189d9e6 100644 --- a/modules/misp/variabels.tf +++ b/modules/misp/variabels.tf 
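Review bot: `misp_allow_ssh` keeps `remote_ip_prefix = "0.0.0.0/0"` and now silences the tfsec finding with a comment that restates the rule ("should allow public ingress connections") instead of justifying it; HTTP at least carries "initially for setup". SSH to the MISP host is management access and should be limited to an operator CIDR list, as `modules/security` does with its `allowed_management_ipv4_cidrs` variable (whether the misp module already takes such a variable is not visible here). For any ignore that stays, use tfsec's expiring form so it is revisited, `#tfsec:ignore:openstack-networking-no-public-ingress:exp:<YYYY-MM-DD>`, and replace the trailing comment with the concrete reason the rule must be public.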
@@ -50,6 +50,6 @@ variable "public_network_name" { } variable "cluster_subnet_id" { - description = "ID of the cluster subnet" - type = string + description = "ID of the cluster subnet" + type = string } \ No newline at end of file diff --git a/modules/security/main.tf b/modules/security/main.tf index 011c451..bdc4f45 100644 --- a/modules/security/main.tf +++ b/modules/security/main.tf @@ -134,7 +134,8 @@ resource "openstack_networking_secgroup_rule_v2" "load_balancer_allow_6443" { port_range_min = 6443 port_range_max = 6443 security_group_id = openstack_networking_secgroup_v2.load_balancer[0].id - remote_ip_prefix = "0.0.0.0/0" + #tfsec:ignore:openstack-networking-no-public-ingress + remote_ip_prefix = "0.0.0.0/0" # should allow public ingress connections } # Allow LB to talk to control plane on 6443 
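Review bot: `load_balancer_allow_6443` exposes the Kubernetes API through the load balancer to every IPv4 source, and the added `#tfsec:ignore` carries only the boilerplate "should allow public ingress connections", which says nothing about why. The identical comment is added in this commit to `allow_ssh`, `allow_talos_api`, `bastion_allow_ssh`, `load_balancer_allow_57314`, `load_balancer_allow_strelka_ui_nodeport`, `load_balancer_allow_jaeger_ui` and `load_balancer_allow_jaeger_ui_nodeport`; a blanket suppression across nine rules is effectively disabling the check that the new `validate_*` workflows run. Each ignore should name the consumer that needs public reach and use the expiring form, e.g. `#tfsec:ignore:openstack-networking-no-public-ingress:exp:<YYYY-MM-DD>` followed by `# <reason this endpoint must be reachable from outside the management CIDRs>`, and rules without such a reason should be narrowed instead.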
@@ -189,33 +190,36 @@ data "openstack_networking_secgroup_v2" "allowed_management_ingress_ipv4_cidrs" } resource "openstack_networking_secgroup_rule_v2" "allow_icmp_ping" { - count = var.create_security_groups ? 1 : 0 - direction = "ingress" - ethertype = "IPv4" - protocol = "icmp" - remote_ip_prefix = "0.0.0.0/0" + count = var.create_security_groups ? 1 : 0 + direction = "ingress" + ethertype = "IPv4" + protocol = "icmp" + #tfsec:ignore:openstack-networking-no-public-ingress + remote_ip_prefix = "0.0.0.0/0" # used for pinging the service security_group_id = openstack_networking_secgroup_v2.allowed_management_ingress_ipv4_cidrs[0].id } resource "openstack_networking_secgroup_rule_v2" "allow_ssh" { - count = var.create_security_groups ? 1 : 0 - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 22 - port_range_max = 22 - remote_ip_prefix = "0.0.0.0/0" + count = var.create_security_groups ? 1 : 0 + direction = "ingress" + ethertype = "IPv4" + protocol = "tcp" + port_range_min = 22 + port_range_max = 22 + #tfsec:ignore:openstack-networking-no-public-ingress + remote_ip_prefix = "0.0.0.0/0" # should allow public ingress connections security_group_id = openstack_networking_secgroup_v2.allowed_management_ingress_ipv4_cidrs[0].id } resource "openstack_networking_secgroup_rule_v2" "allow_talos_api" { - count = var.create_security_groups ? 1 : 0 - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 50000 - port_range_max = 50001 - remote_ip_prefix = "0.0.0.0/0" + count = var.create_security_groups ? 1 : 0 + direction = "ingress" + ethertype = "IPv4" + protocol = "tcp" + port_range_min = 50000 + port_range_max = 50001 + #tfsec:ignore:openstack-networking-no-public-ingress + remote_ip_prefix = "0.0.0.0/0" # should allow public ingress connections security_group_id = openstack_networking_secgroup_v2.allowed_management_ingress_ipv4_cidrs[0].id } 
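Review bot: `allow_ssh`, `allow_talos_api` and `allow_icmp_ping` live in the security group named `allowed_management_ingress_ipv4_cidrs`, yet all three use `remote_ip_prefix = "0.0.0.0/0"`, while the module declares `var.allowed_management_ipv4_cidrs` ("List of allowed management IPv4 CIDRs for ingress rules") and the root module's comment on that variable tells operators to put their public IP there. So SSH and the Talos API (50000-50001) are world-reachable regardless of what the operator configures, and the tfsec ignores added here hide exactly that. Iterating the rules over the CIDR list, as below for `allow_ssh`, makes the variable do what its description says; note that moving from `count` to `for_each` changes the resource addresses, so the rules are recreated on the next apply (or need `moved` blocks).

```hcl
resource "openstack_networking_secgroup_rule_v2" "allow_ssh" {
  for_each          = var.create_security_groups ? toset(var.allowed_management_ipv4_cidrs) : toset([])
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = "tcp"
  port_range_min    = 22
  port_range_max    = 22
  remote_ip_prefix  = each.value
  security_group_id = openstack_networking_secgroup_v2.allowed_management_ingress_ipv4_cidrs[0].id
}

# … unchanged: allow_icmp_ping and allow_talos_api take the same for_each / each.value change …
```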
@@ -240,8 +244,9 @@ resource "openstack_networking_secgroup_rule_v2" "bastion_allow_ssh" { protocol = "tcp" port_range_min = 22 port_range_max = 22 - remote_ip_prefix = "0.0.0.0/0" - ethertype = "IPv4" + #tfsec:ignore:openstack-networking-no-public-ingress + remote_ip_prefix = "0.0.0.0/0" # should allow public ingress connections + ethertype = "IPv4" } # Allow external traffic to Strelka frontend (57314) to LB @@ -253,7 +258,8 @@ resource "openstack_networking_secgroup_rule_v2" "load_balancer_allow_57314" { port_range_min = 57314 port_range_max = 57314 security_group_id = openstack_networking_secgroup_v2.load_balancer[0].id - remote_ip_prefix = "0.0.0.0/0" + #tfsec:ignore:openstack-networking-no-public-ingress + remote_ip_prefix = "0.0.0.0/0" # should allow public ingress connections } # Allow LB to talk to worker nodes on 57314 
@@ -330,25 +336,27 @@ resource "openstack_networking_secgroup_rule_v2" "worker_nodes_allow_lb_nodeport # Allow external access to Strelka UI NodePort 30662 via Load Balancer resource "openstack_networking_secgroup_rule_v2" "load_balancer_allow_strelka_ui_nodeport" { - count = var.create_security_groups ? 1 : 0 - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 30662 - port_range_max = 30662 - remote_ip_prefix = "0.0.0.0/0" + count = var.create_security_groups ? 1 : 0 + direction = "ingress" + ethertype = "IPv4" + protocol = "tcp" + port_range_min = 30662 + port_range_max = 30662 + #tfsec:ignore:openstack-networking-no-public-ingress + remote_ip_prefix = "0.0.0.0/0" # should allow public ingress connections security_group_id = openstack_networking_secgroup_v2.load_balancer[0].id } # Allow external access to Jaeger UI on port 16686 via Load Balancer resource "openstack_networking_secgroup_rule_v2" "load_balancer_allow_jaeger_ui" { - count = var.create_security_groups ? 1 : 0 - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 16686 - port_range_max = 16686 - remote_ip_prefix = "0.0.0.0/0" + count = var.create_security_groups ? 1 : 0 + direction = "ingress" + ethertype = "IPv4" + protocol = "tcp" + port_range_min = 16686 + port_range_max = 16686 + #tfsec:ignore:openstack-networking-no-public-ingress + remote_ip_prefix = "0.0.0.0/0" # should allow public ingress connections security_group_id = openstack_networking_secgroup_v2.load_balancer[0].id } 
@@ -365,13 +373,14 @@ resource "openstack_networking_secgroup_rule_v2" "load_balancer_to_workers_jaege } resource "openstack_networking_secgroup_rule_v2" "load_balancer_allow_jaeger_ui_nodeport" { - count = var.create_security_groups ? 1 : 0 - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 31697 - port_range_max = 31697 - remote_ip_prefix = "0.0.0.0/0" # ✅ allow access from external world + count = var.create_security_groups ? 1 : 0 + direction = "ingress" + ethertype = "IPv4" + protocol = "tcp" + port_range_min = 31697 + port_range_max = 31697 + #tfsec:ignore:openstack-networking-no-public-ingress + remote_ip_prefix = "0.0.0.0/0" # should allow public ingress connections security_group_id = openstack_networking_secgroup_v2.load_balancer[0].id } diff --git a/modules/security/provider.tf b/modules/security/provider.tf index e439325..4395c43 100644 --- a/modules/security/provider.tf +++ b/modules/security/provider.tf @@ -13,9 +13,4 @@ terraform { version = "~> 2.1.0" } } -} - -provider "openstack" { - cloud = "openstack" -} - +} \ No newline at end of file diff --git a/modules/security/variabels.tf b/modules/security/variabels.tf index e366a02..98eecc0 100644 --- a/modules/security/variabels.tf +++ b/modules/security/variabels.tf 
@@ -1,15 +1,15 @@
- variable "kubernetes_cluster_name" {
- description = "Name of the Kubernetes cluster (used as a prefix for security groups)"
- type = string
- }
+variable "kubernetes_cluster_name" {
+ description = "Name of the Kubernetes cluster (used as a prefix for security groups)"
+ type = string
+}
- variable "create_security_groups" {
- description = "If true, create security groups; if false, look them up as data sources."
- type = bool
- default = true
- }
+variable "create_security_groups" {
+ description = "If true, create security groups; if false, look them up as data sources."
+ type = bool
+ default = true
+}
- variable "allowed_management_ipv4_cidrs" {
- description = "List of allowed management IPv4 CIDRs for ingress rules"
- type = list(string)
- }
+variable "allowed_management_ipv4_cidrs" {
+ description = "List of allowed management IPv4 CIDRs for ingress rules"
+ type = list(string)
+}
diff --git a/modules/shared_router/provider.tf b/modules/shared_router/provider.tf
index 1766978..4395c43 100644
--- a/modules/shared_router/provider.tf
+++ b/modules/shared_router/provider.tf
@@ -13,10 +13,4 @@ terraform {
 version = "~> 2.1.0"
 }
 }
-}
-
-provider "openstack" {
- cloud = "openstack"
-}
-
-
+}
\ No newline at end of file
diff --git a/modules/ssh_key/provider.tf b/modules/ssh_key/provider.tf
index e439325..4395c43 100644
--- a/modules/ssh_key/provider.tf
+++ b/modules/ssh_key/provider.tf
@@ -13,9 +13,4 @@ terraform {
 version = "~> 2.1.0"
 }
 }
-}
-
-provider "openstack" {
- cloud = "openstack"
-}
-
+}
\ No newline at end of file
diff --git a/modules/ssh_key/variabels.tf b/modules/ssh_key/variabels.tf
index 2015292..74fd706 100644
--- a/modules/ssh_key/variabels.tf
+++ b/modules/ssh_key/variabels.tf
@@ -5,7 +5,7 @@ variable "ssh_key_name" {
 }
 variable "key_name" {
- type = string
+ type = string
 description = "Base name for the SSH key files"
 }
diff --git a/modules/storage/main.tf b/modules/storage/main.tf
index d3b3404..ab82558 100644
--- a/modules/storage/main.tf
+++ b/modules/storage/main.tf
@@ -17,7 +17,7 @@ resource "openstack_compute_volume_attach_v2" "data_attachment" {
 # Kubernetes readiness check (keep this from your existing code)
 resource "null_resource" "kubernetes_readiness" {
- count = var.create_storage_class ? 1 : 0
+ count = var.create_storage_class ? 1 : 0
 depends_on = [var.kubernetes_dependency]
 provisioner "local-exec" {
diff --git a/modules/storage/provider.tf b/modules/storage/provider.tf
index 1766978..4395c43 100644
--- a/modules/storage/provider.tf
+++ b/modules/storage/provider.tf
@@ -13,10 +13,4 @@ terraform {
 version = "~> 2.1.0"
 }
 }
-}
-
-provider "openstack" {
- cloud = "openstack"
-}
-
-
+}
\ No newline at end of file
diff --git a/modules/talos_config/main.tf b/modules/talos_config/main.tf
index 4826c87..94710b3 100644
--- a/modules/talos_config/main.tf
+++ b/modules/talos_config/main.tf
@@ -7,21 +7,21 @@ resource "talos_machine_secrets" "machine_secrets" {
 # Generate control plane configuration
 data "talos_machine_configuration" "control_plane" {
- cluster_name = var.cluster_name
- cluster_endpoint = "https://${var.control_plane_lb_ip}:6443"
- machine_type = "controlplane"
- machine_secrets = talos_machine_secrets.machine_secrets.machine_secrets
- talos_version = var.talos_version
+ cluster_name = var.cluster_name
+ cluster_endpoint = "https://${var.control_plane_lb_ip}:6443"
+ machine_type = "controlplane"
+ machine_secrets = talos_machine_secrets.machine_secrets.machine_secrets
+ talos_version = var.talos_version
 kubernetes_version = var.kubernetes_version
 }
 # Generate worker configuration
 data "talos_machine_configuration" "worker" {
- cluster_name = var.cluster_name
- cluster_endpoint = "https://${var.control_plane_lb_ip}:6443"
- machine_type = "worker"
- machine_secrets = talos_machine_secrets.machine_secrets.machine_secrets
- talos_version = var.talos_version
+ cluster_name = var.cluster_name
+ cluster_endpoint = "https://${var.control_plane_lb_ip}:6443"
+ machine_type = "worker"
+ machine_secrets = talos_machine_secrets.machine_secrets.machine_secrets
+ talos_version = var.talos_version
 kubernetes_version = var.kubernetes_version
 }
@@ -57,24 +57,24 @@ resource "local_file" "talosconfig" {
 # Add a delay to ensure VMs are fully initialized before applying configuration
 resource "time_sleep" "wait_for_vms" {
- depends_on = [var.control_plane_nodes, var.worker_nodes]
+ depends_on = [var.control_plane_nodes, var.worker_nodes]
 create_duration = "60s"
 }
 # Apply configuration to control plane nodes
 resource "talos_machine_configuration_apply" "control_plane" {
- depends_on = [time_sleep.wait_for_vms]
- count = length(var.control_plane_endpoints)
- client_configuration = data.talos_client_configuration.talosconfig.client_configuration
- machine_configuration_input = data.talos_machine_configuration.control_plane.machine_configuration
- node = var.control_plane_endpoints[count.index]
- apply_mode = "auto"
+ depends_on = [time_sleep.wait_for_vms]
+ count = length(var.control_plane_endpoints)
+ client_configuration = data.talos_client_configuration.talosconfig.client_configuration
+ machine_configuration_input = data.talos_machine_configuration.control_plane.machine_configuration
+ node = var.control_plane_endpoints[count.index]
+ apply_mode = "auto"
 config_patches = [
 yamlencode({
 machine = {
 nodeLabels = {
- "node.kubernetes.io/role" = "control-plane"
+ "node.kubernetes.io/role" = "control-plane"
 "node.kubernetes.io/exclude-from-external-load-balancers" = ""
 }
 install = {
@@ -115,7 +115,7 @@ resource "talos_machine_configuration_apply" "workers" {
 machine = {
 nodeLabels = {
 "node.kubernetes.io/role" = "worker"
- "kubernetes.io/role" = "worker"
+ "kubernetes.io/role" = "worker"
 }
 install = {
 disk = "/dev/vda"
@@ -197,9 +197,9 @@ resource "talos_machine_bootstrap" "bootstrap" {
 # Add delay after bootstrap to ensure the cluster is fully initialized
 resource "time_sleep" "wait_for_bootstrap" {
- count = var.bootstrap_cluster ? 1 : 0
- depends_on = [talos_machine_bootstrap.bootstrap]
- create_duration = "90s"
+ count = var.bootstrap_cluster ? 1 : 0
+ depends_on = [talos_machine_bootstrap.bootstrap]
+ create_duration = "90s"
 }
 # Generate kubeconfig after the bootstrap is complete
diff --git a/modules/talos_config/provider.tf b/modules/talos_config/provider.tf
index 52ad65c..4395c43 100644
--- a/modules/talos_config/provider.tf
+++ b/modules/talos_config/provider.tf
@@ -13,12 +13,4 @@ terraform {
 version = "~> 2.1.0"
 }
 }
-}
-
-
-
-
-provider "openstack" {
- cloud = "openstack"
-}
-
+}
\ No newline at end of file
diff --git a/modules/workers/provider.tf b/modules/workers/provider.tf
index e439325..4395c43 100644
--- a/modules/workers/provider.tf
+++ b/modules/workers/provider.tf
@@ -13,9 +13,4 @@ terraform {
 version = "~> 2.1.0"
 }
 }
-}
-
-provider "openstack" {
- cloud = "openstack"
-}
-
+}
\ No newline at end of file
diff --git a/modules/workers/variabels.tf b/modules/workers/variabels.tf
index dc9c8e7..cb2496a 100644
--- a/modules/workers/variabels.tf
+++ b/modules/workers/variabels.tf
@@ -39,8 +39,8 @@ variable "allow_all_egress_sg_id" {
 }
 variable "allowed_management_ingress_sg_id" {
- description = "Security group ID for allowed management ingress"
- type = string
+ description = "Security group ID for allowed management ingress"
+ type = string
 }
diff --git a/playbooks/capev2ansible.yaml b/playbooks/capev2_install.yaml
similarity index 100%
rename from playbooks/capev2ansible.yaml
rename to playbooks/capev2_install.yaml