From 65b2fcb01736d5d8fa22e42e3722d8622de9c5cf Mon Sep 17 00:00:00 2001 From: Maja Date: Mon, 5 May 2025 15:59:51 +0200 Subject: [PATCH 1/8] Added validation workflows for the Kubernetes and MISP modules
--- .github/workflows/validate_kubernetes.yml | 46 +++++++++++++++++++++++ .github/workflows/validate_misp.yml | 39 +++++++++++++++++++ 2 files changed, 85 insertions(+) create mode 100644 .github/workflows/validate_kubernetes.yml create mode 100644 .github/workflows/validate_misp.yml
diff --git a/.github/workflows/validate_kubernetes.yml b/.github/workflows/validate_kubernetes.yml
new file mode 100644
index 0000000..6031804
--- /dev/null
+++ b/.github/workflows/validate_kubernetes.yml
@@ -0,0 +1,46 @@
+name: Validate Kubernetes module
+
+on:
+ push:
+ branches-ignore:
+ - 'main'
+ paths:
+ - 'kubernetes/**'
+ - 'modules/cluster_network/**'
+ - 'modules/control_plane/**'
+ - 'modules/load_balancer/**'
+ - 'modules/security/**'
+ - 'modules/shared_router/**'
+ - 'modules/ssh_key/**'
+ - 'modules/storage/**'
+ - 'modules/talos_config/**'
+ - 'modules/workers/**'
+ workflow_dispatch:
+
+jobs:
+
+ validate:
+ runs-on: dev
+ env:
+ WORKING_DIR: ./kubernetes
+ PG_CONN_STR: ${{ secrets.PG_CONN_STR_DEV }}
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Terraform init
+ run: terraform init
+ working-directory: ${{ env.WORKING_DIR }}
+
+ - name: Terraform fmt
+ run: terraform fmt
+ working-directory: ${{ env.WORKING_DIR }}
+
+ - name: Terraform validate
+ run: terraform validate
+ working-directory: ${{ env.WORKING_DIR }}
+
+ - name: Tfsec
+ run: tfsec
+ working-directory: ${{ env.WORKING_DIR }}
\ No newline at end of file
diff --git a/.github/workflows/validate_misp.yml b/.github/workflows/validate_misp.yml
new file mode 100644
index 0000000..f755921
--- /dev/null
+++ b/.github/workflows/validate_misp.yml
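Review bot: `terraform fmt` in the "Terraform fmt" step rewrites files on the runner but exits 0 either way, so a misformatted module still passes this validation job; use `run: terraform fmt -check -recursive` so the job fails instead. The same step is added to validate_misp.yml in this patch. The workflow also declares no `permissions:` block, so the job runs with the repository's default GITHUB_TOKEN scope, while checkout plus the four Terraform steps shown here only need `permissions:` with `contents: read`. Pinning `actions/checkout@v4` to a full commit SHA would additionally make what runs on the self-hosted `dev` runner reproducible rather than tracking a moving tag.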
@@ -0,0 +1,39 @@ +name: Validate MISP module + +on: + push: + branches-ignore: + - 'main' + paths: + - 'misp/**' + - 'modules/misp/**' + - 'modules/security/**' + workflow_dispatch: + +jobs: + + validate: + runs-on: dev + env: + WORKING_DIR: ./misp + PG_CONN_STR: ${{ secrets.PG_CONN_STR_DEV }} + + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Terraform init + run: terraform init + working-directory: ${{ env.WORKING_DIR }} + + - name: Terraform fmt + run: terraform fmt + working-directory: ${{ env.WORKING_DIR }} + + - name: Terraform validate + run: terraform validate + working-directory: ${{ env.WORKING_DIR }} + + - name: Tfsec + run: tfsec + working-directory: ${{ env.WORKING_DIR }} \ No newline at end of file From a7bb45bda464f25c0acf242f3f3a7e002cb6fb16 Mon Sep 17 00:00:00 2001 From: Maja Date: Mon, 5 May 2025 16:13:29 +0200 Subject: [PATCH 2/8] Added validation workflows for the Kubernetes and MISP modules --- .github/workflows/deploy_capev2.yml | 6 ++--- .github/workflows/test_workflow.yml | 24 +++++++++++++++++++ capev2/main.tf | 2 +- ...capev2ansible.yaml => capev2_install.yaml} | 0 4 files changed, 28 insertions(+), 4 deletions(-) create mode 100644 .github/workflows/test_workflow.yml rename playbooks/{capev2ansible.yaml => capev2_install.yaml} (100%) diff --git a/.github/workflows/deploy_capev2.yml b/.github/workflows/deploy_capev2.yml index 476dde1..135ece7 100644 --- a/.github/workflows/deploy_capev2.yml +++ b/.github/workflows/deploy_capev2.yml @@ -7,8 +7,8 @@ on: paths: - 'capev2/**' - 'modules/cape_vm/**' - - 'playbooks/capev2ansible.yaml' - 'playbooks/openstack.yaml' + - 'playbooks/capev2_install.yaml' workflow_dispatch: env: @@ -43,7 +43,7 @@ jobs: working-directory: ${{ env.WORKING_DIR }} - name: Run capev2 configuration ansible playbook - run: ansible-playbook -i openstack.yaml capev2ansible.yaml -u ansible + run: ansible-playbook -i openstack.yaml capev2_install.yaml -u ansible working-directory: ./playbooks staging: 
@@ -74,5 +74,5 @@ jobs: working-directory: ${{ env.WORKING_DIR }} - name: Run capev2 configuration ansible playbook - run: ansible-playbook -i openstack.yaml capev2ansible.yaml -u ansible + run: ansible-playbook -i openstack.yaml capev2_install.yaml -u ansible working-directory: ./playbooks \ No newline at end of file diff --git a/.github/workflows/test_workflow.yml b/.github/workflows/test_workflow.yml new file mode 100644 index 0000000..6681f61 --- /dev/null +++ b/.github/workflows/test_workflow.yml @@ -0,0 +1,24 @@ +name: Test workflow + +on: + push: + branches: + - 'maja' + paths: + - 'capev2/**' + workflow_dispatch: + +jobs: + + validate: + runs-on: stage + env: + WORKING_DIR: ./capev2 + PG_CONN_STR: ${{ secrets.PG_CONN_STR_STAGE }} + + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Test + run: echo "${{ secrets.TEST }}" > terraform.tfvars \ No newline at end of file diff --git a/capev2/main.tf b/capev2/main.tf index 4d8b568..dfbbe48 100644 --- a/capev2/main.tf +++ b/capev2/main.tf @@ -15,7 +15,7 @@ provider "openstack" { application_credential_secret = var.os_application_credential_secret } - +# test # Get network info data "openstack_networking_network_v2" "network" { diff --git a/playbooks/capev2ansible.yaml b/playbooks/capev2_install.yaml similarity index 100% rename from playbooks/capev2ansible.yaml rename to playbooks/capev2_install.yaml From 9282db4680472778ce4c142c57284f4d8e317a9b Mon Sep 17 00:00:00 2001 From: Maja Date: Mon, 5 May 2025 16:17:24 +0200 Subject: [PATCH 3/8] Testing GitHub secrets --- .github/workflows/test_workflow.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/test_workflow.yml b/.github/workflows/test_workflow.yml index 6681f61..4170cbb 100644 --- a/.github/workflows/test_workflow.yml +++ b/.github/workflows/test_workflow.yml 
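Review bot: The "Test" step in the new test_workflow.yml expands `${{ secrets.TEST }}` straight into the shell command line and writes the value to terraform.tfvars inside the checkout on the self-hosted `stage` runner, where it persists after the job unless the workspace is cleaned. Passing the secret through `env:` (`TEST: ${{ secrets.TEST }}`) and writing `run: echo "$TEST" > terraform.tfvars` keeps it out of the command text and makes it safe against quote or `$` characters in the value; the "Test2" step added in PATCH 3/8 has the same shape. The file is deleted again in PATCH 5/8, so this matters mainly if the pattern is carried over into a real deploy workflow.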
@@ -21,4 +21,7 @@ jobs: uses: actions/checkout@v4 - name: Test - run: echo "${{ secrets.TEST }}" > terraform.tfvars \ No newline at end of file + run: echo "${{ secrets.TEST }}" > terraform.tfvars + + - name: Test2 + run: echo "${{ secrets.TEST }}" >> terraform.tfvars \ No newline at end of file From 006d8eaf0ee2e14ddfb268a4770c8620ce5371a2 Mon Sep 17 00:00:00 2001 From: Maja Date: Mon, 5 May 2025 16:17:47 +0200 Subject: [PATCH 4/8] Testing GitHub secrets --- capev2/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/capev2/main.tf b/capev2/main.tf index dfbbe48..4d8b568 100644 --- a/capev2/main.tf +++ b/capev2/main.tf @@ -15,7 +15,7 @@ provider "openstack" { application_credential_secret = var.os_application_credential_secret } -# test + # Get network info data "openstack_networking_network_v2" "network" { From 006ecf3f19c96f737407db1016ac2fefc9f9e6c5 Mon Sep 17 00:00:00 2001 From: Maja Date: Mon, 5 May 2025 16:25:25 +0200 Subject: [PATCH 5/8] Testing GitHub actions --- .github/workflows/test_workflow.yml | 27 --------------------------- kubernetes/provider.tf | 4 +++- kubernetes/variabels.tf | 19 +++++++++++++++++++ misp/main.tf | 1 + 4 files changed, 23 insertions(+), 28 deletions(-) delete mode 100644 .github/workflows/test_workflow.yml diff --git a/.github/workflows/test_workflow.yml b/.github/workflows/test_workflow.yml deleted file mode 100644 index 4170cbb..0000000 --- a/.github/workflows/test_workflow.yml +++ /dev/null @@ -1,27 +0,0 @@ -name: Test workflow - -on: - push: - branches: - - 'maja' - paths: - - 'capev2/**' - workflow_dispatch: - -jobs: - - validate: - runs-on: stage - env: - WORKING_DIR: ./capev2 - PG_CONN_STR: ${{ secrets.PG_CONN_STR_STAGE }} - - steps: - - name: Checkout - uses: actions/checkout@v4 - - - name: Test - run: echo "${{ secrets.TEST }}" > terraform.tfvars - - - name: Test2 - run: echo "${{ secrets.TEST }}" >> terraform.tfvars \ No newline at end of file 
diff --git a/kubernetes/provider.tf b/kubernetes/provider.tf index 26dc9b6..ecdb788 100644 --- a/kubernetes/provider.tf +++ b/kubernetes/provider.tf @@ -22,7 +22,9 @@ terraform { provider "talos" {} provider "openstack" { - cloud = "openstack" + auth_url = var.os_auth_url + application_credential_id = var.os_application_credential_id + application_credential_secret = var.os_application_credential_secret } provider "kubernetes" { diff --git a/kubernetes/variabels.tf b/kubernetes/variabels.tf index cc258a7..29568e1 100644 --- a/kubernetes/variabels.tf +++ b/kubernetes/variabels.tf @@ -1,3 +1,22 @@ + +# Credentials +variable "os_auth_url" { + type = string + sensitive = true +} + +variable "os_application_credential_id" { + type = string + sensitive = true +} + +variable "os_application_credential_secret" { + type = string + sensitive = true +} + + + # talos/variables.tf variable "region" { diff --git a/misp/main.tf b/misp/main.tf index 7aabe76..2b39396 100644 --- a/misp/main.tf +++ b/misp/main.tf @@ -1,3 +1,4 @@ +# test ############################## # 1. Security and SSH Key Setup ############################## From 02ca91adfa39edde4e3c630c52fc13fa0a6dfeca Mon Sep 17 00:00:00 2001 From: Maja Date: Mon, 5 May 2025 20:38:23 +0200 Subject: [PATCH 6/8] Testing GitHub actions --- modules/misp/security.tf | 9 ++++++--- modules/security/main.tf | 27 ++++++++++++++++++--------- 2 files changed, 24 insertions(+), 12 deletions(-) diff --git a/modules/misp/security.tf b/modules/misp/security.tf index 72fe95c..b3d64b8 100644 --- a/modules/misp/security.tf +++ b/modules/misp/security.tf @@ -12,7 +12,8 @@ resource "openstack_networking_secgroup_rule_v2" "misp_allow_http" { protocol = "tcp" port_range_min = 80 port_range_max = 80 - remote_ip_prefix = "0.0.0.0/0" + #tfsec:ignore:openstack-networking-no-public-ingress + remote_ip_prefix = "0.0.0.0/0" # should allow public ingress connections security_group_id = openstack_networking_secgroup_v2.misp_sg.id } 
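Review bot: The three new variables in kubernetes/variabels.tf carry `sensitive = true` but no `description`, unlike every other variable in that file (see `variable "region"` in the context lines); add one per variable, e.g. `description = "OpenStack application credential ID"`. `sensitive` only redacts the value in plan and apply output; values can still land in saved plan files, so whatever feeds these variables to the validate workflows, and the backend reached through PG_CONN_STR, must be handled as secret material. Marking `os_auth_url` sensitive as well hides a non-secret endpoint from plan output and makes provider misconfiguration harder to diagnose; if that is deliberate, a comment saying so would help. The matching provider.tf hunk replaces `cloud = "openstack"` with these explicit credentials, so the clouds.yaml path no longer applies and README or runner setup notes should say where the values now come from.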
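Review bot: The `#tfsec:ignore:openstack-networking-no-public-ingress` annotation silences the finding rather than addressing it, and the comment `# should allow public ingress connections` is copied unchanged onto rules where that is not a justification: misp_allow_ssh (port 22), allow_ssh, allow_talos_api (50000-50001), bastion_allow_ssh and allow_icmp_ping in the later hunks of this patch. Public 80/443 on the MISP host and 6443 on the load balancer may well be intended, but SSH and the Talos API are management surface; the security group most of those rules attach to is named allowed_management_ingress_ipv4_cidrs, and kubernetes/variabels.tf (visible in PATCH 7/8) declares `allowed_management_ipv4_cidrs` described as "CIDR blocks allowed to access management ports (SSH, etc.)", so those rules should take `remote_ip_prefix` from that list instead of `"0.0.0.0/0"`, which also removes the need for the ignore. Where a suppression is genuinely warranted, tfsec accepts an expiry suffix such as `#tfsec:ignore:openstack-networking-no-public-ingress:exp:2025-12-31` (sample date) so the exception is revisited rather than permanent, and the comment on each line should state the actual reason for that rule.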
@@ -23,7 +24,8 @@ resource "openstack_networking_secgroup_rule_v2" "misp_allow_https" { protocol = "tcp" port_range_min = 443 port_range_max = 443 - remote_ip_prefix = "0.0.0.0/0" + #tfsec:ignore:openstack-networking-no-public-ingress + remote_ip_prefix = "0.0.0.0/0" # should allow public ingress connections security_group_id = openstack_networking_secgroup_v2.misp_sg.id } @@ -34,6 +36,7 @@ resource "openstack_networking_secgroup_rule_v2" "misp_allow_ssh" { protocol = "tcp" port_range_min = 22 port_range_max = 22 - remote_ip_prefix = "0.0.0.0/0" + #tfsec:ignore:openstack-networking-no-public-ingress + remote_ip_prefix = "0.0.0.0/0" # should allow public ingress connections security_group_id = openstack_networking_secgroup_v2.misp_sg.id } \ No newline at end of file diff --git a/modules/security/main.tf b/modules/security/main.tf index 011c451..aff0749 100644 --- a/modules/security/main.tf +++ b/modules/security/main.tf @@ -134,7 +134,8 @@ resource "openstack_networking_secgroup_rule_v2" "load_balancer_allow_6443" { port_range_min = 6443 port_range_max = 6443 security_group_id = openstack_networking_secgroup_v2.load_balancer[0].id - remote_ip_prefix = "0.0.0.0/0" + #tfsec:ignore:openstack-networking-no-public-ingress + remote_ip_prefix = "0.0.0.0/0" # should allow public ingress connections } # Allow LB to talk to control plane on 6443 @@ -193,7 +194,8 @@ resource "openstack_networking_secgroup_rule_v2" "allow_icmp_ping" { direction = "ingress" ethertype = "IPv4" protocol = "icmp" - remote_ip_prefix = "0.0.0.0/0" + #tfsec:ignore:openstack-networking-no-public-ingress + remote_ip_prefix = "0.0.0.0/0" # used for pinging the service security_group_id = openstack_networking_secgroup_v2.allowed_management_ingress_ipv4_cidrs[0].id } 
@@ -204,7 +206,8 @@ resource "openstack_networking_secgroup_rule_v2" "allow_ssh" { protocol = "tcp" port_range_min = 22 port_range_max = 22 - remote_ip_prefix = "0.0.0.0/0" + #tfsec:ignore:openstack-networking-no-public-ingress + remote_ip_prefix = "0.0.0.0/0" # should allow public ingress connections security_group_id = openstack_networking_secgroup_v2.allowed_management_ingress_ipv4_cidrs[0].id } @@ -215,7 +218,8 @@ resource "openstack_networking_secgroup_rule_v2" "allow_talos_api" { protocol = "tcp" port_range_min = 50000 port_range_max = 50001 - remote_ip_prefix = "0.0.0.0/0" + #tfsec:ignore:openstack-networking-no-public-ingress + remote_ip_prefix = "0.0.0.0/0" # should allow public ingress connections security_group_id = openstack_networking_secgroup_v2.allowed_management_ingress_ipv4_cidrs[0].id } @@ -240,7 +244,8 @@ resource "openstack_networking_secgroup_rule_v2" "bastion_allow_ssh" { protocol = "tcp" port_range_min = 22 port_range_max = 22 - remote_ip_prefix = "0.0.0.0/0" + #tfsec:ignore:openstack-networking-no-public-ingress + remote_ip_prefix = "0.0.0.0/0" # should allow public ingress connections ethertype = "IPv4" } @@ -253,7 +258,8 @@ resource "openstack_networking_secgroup_rule_v2" "load_balancer_allow_57314" { port_range_min = 57314 port_range_max = 57314 security_group_id = openstack_networking_secgroup_v2.load_balancer[0].id - remote_ip_prefix = "0.0.0.0/0" + #tfsec:ignore:openstack-networking-no-public-ingress + remote_ip_prefix = "0.0.0.0/0" # should allow public ingress connections } # Allow LB to talk to worker nodes on 57314 @@ -336,7 +342,8 @@ resource "openstack_networking_secgroup_rule_v2" "load_balancer_allow_strelka_ui protocol = "tcp" port_range_min = 30662 port_range_max = 30662 - remote_ip_prefix = "0.0.0.0/0" + #tfsec:ignore:openstack-networking-no-public-ingress + remote_ip_prefix = "0.0.0.0/0" # should allow public ingress connections security_group_id = openstack_networking_secgroup_v2.load_balancer[0].id } 
@@ -348,7 +355,8 @@ resource "openstack_networking_secgroup_rule_v2" "load_balancer_allow_jaeger_ui" protocol = "tcp" port_range_min = 16686 port_range_max = 16686 - remote_ip_prefix = "0.0.0.0/0" + #tfsec:ignore:openstack-networking-no-public-ingress + remote_ip_prefix = "0.0.0.0/0" # should allow public ingress connections security_group_id = openstack_networking_secgroup_v2.load_balancer[0].id } @@ -371,7 +379,8 @@ resource "openstack_networking_secgroup_rule_v2" "load_balancer_allow_jaeger_ui_ protocol = "tcp" port_range_min = 31697 port_range_max = 31697 - remote_ip_prefix = "0.0.0.0/0" # ✅ allow access from external world + #tfsec:ignore:openstack-networking-no-public-ingress + remote_ip_prefix = "0.0.0.0/0" # should allow public ingress connections security_group_id = openstack_networking_secgroup_v2.load_balancer[0].id } From 4a1e5e220e4bebbf0f1680a7eaad0527b5465863 Mon Sep 17 00:00:00 2001 From: Maja Date: Mon, 5 May 2025 20:39:18 +0200 Subject: [PATCH 7/8] Correctly formatted some files --- kubernetes/locals.tf | 2 +- kubernetes/main.tf | 114 ++++++++++++++--------------- kubernetes/variabels.tf | 72 +++++++++--------- modules/cluster_network/main.tf | 2 +- modules/control_plane/outputs.tf | 4 +- modules/load_balancer/main.tf | 4 +- modules/load_balancer/outputs.tf | 2 +- modules/load_balancer/variables.tf | 16 ++-- modules/misp/main.tf | 4 +- modules/misp/security.tf | 30 ++++---- modules/misp/variabels.tf | 4 +- modules/security/main.tf | 76 +++++++++---------- modules/security/variabels.tf | 26 +++---- modules/ssh_key/variabels.tf | 2 +- modules/storage/main.tf | 2 +- modules/talos_config/main.tf | 44 +++++------ modules/workers/variabels.tf | 4 +- 17 files changed, 204 insertions(+), 204 deletions(-) diff --git a/kubernetes/locals.tf b/kubernetes/locals.tf index f4d474f..08f9f1f 100644 --- a/kubernetes/locals.tf +++ b/kubernetes/locals.tf 
@@ -1,4 +1,4 @@ locals { - kubernetes_internal_endpoint = "https://${module.control_plane.control_plane_internal_ips[0]}:6443" + kubernetes_internal_endpoint = "https://${module.control_plane.control_plane_internal_ips[0]}:6443" } diff --git a/kubernetes/main.tf b/kubernetes/main.tf index eba4d5a..18be1c0 100644 --- a/kubernetes/main.tf +++ b/kubernetes/main.tf @@ -28,7 +28,7 @@ module "shared_router" { source = "../modules/shared_router" existing_router_name = var.main_router_name - cluster_subnet_id = module.cluster_network.subnet_id + cluster_subnet_id = module.cluster_network.subnet_id } ############################## @@ -50,15 +50,15 @@ module "ssh_key" { # 2. Control Plane (Master Nodes) Setup ############################## module "control_plane" { - source = "../modules/control_plane" - talos_image_name = var.talos_image_name - internal_network_id = module.cluster_network.network_id - control_plane_subnet_id = module.cluster_network.subnet_id - control_plane_flavor_name = var.control_plane_flavor_name - control_plane_node_count = var.control_plane_node_count - kubernetes_cluster_name = var.kubernetes_cluster_name - control_plane_sg_id = module.security.control_plane_sg_id - allow_all_egress_sg_id = module.security.allow_all_egress_id + source = "../modules/control_plane" + talos_image_name = var.talos_image_name + internal_network_id = module.cluster_network.network_id + control_plane_subnet_id = module.cluster_network.subnet_id + control_plane_flavor_name = var.control_plane_flavor_name + control_plane_node_count = var.control_plane_node_count + kubernetes_cluster_name = var.kubernetes_cluster_name + control_plane_sg_id = module.security.control_plane_sg_id + allow_all_egress_sg_id = module.security.allow_all_egress_id allowed_management_ingress_sg_id = module.security.allowed_management_ingress_sg_id } 
@@ -66,39 +66,39 @@ module "control_plane" { # 3. Worker Nodes Setup ############################## module "workers" { - source = "../modules/workers" - talos_image_name = var.talos_image_name - internal_network_id = module.cluster_network.network_id - worker_nodes_subnet_id = module.cluster_network.subnet_id - worker_nodes_flavor_name = var.worker_nodes_flavor_name - worker_nodes_node_count = var.worker_nodes_node_count - kubernetes_cluster_name = var.kubernetes_cluster_name - allow_all_egress_sg_id = module.security.allow_all_egress_id + source = "../modules/workers" + talos_image_name = var.talos_image_name + internal_network_id = module.cluster_network.network_id + worker_nodes_subnet_id = module.cluster_network.subnet_id + worker_nodes_flavor_name = var.worker_nodes_flavor_name + worker_nodes_node_count = var.worker_nodes_node_count + kubernetes_cluster_name = var.kubernetes_cluster_name + allow_all_egress_sg_id = module.security.allow_all_egress_id allowed_management_ingress_sg_id = module.security.allowed_management_ingress_sg_id - worker_nodes_sg_id = module.security.worker_nodes_sg_id + worker_nodes_sg_id = module.security.worker_nodes_sg_id } ############################## # 4. 
Load Balancer Setup ############################## module "load_balancer" { - source = "../modules/load_balancer" - internal_network_id = module.cluster_network.network_id - control_plane_subnet_id = module.cluster_network.subnet_id - kubernetes_name = var.kubernetes_cluster_name - instance_image_name = var.haproxy_image_name - instance_flavor_name = var.haproxy_flavor_name - ssh_key_name = module.ssh_key.ssh_key_name - ssh_public_key = module.ssh_key.public_key - load_balancer_ip = var.load_balancer_ip - floating_ip_pool = var.public_network_name - control_plane_ips = module.control_plane.control_plane_internal_ips - worker_node_ips = module.workers.worker_node_internal_ips - control_plane_sg_id = module.security.control_plane_sg_id - allow_all_egress_sg_id = module.security.allow_all_egress_id + source = "../modules/load_balancer" + internal_network_id = module.cluster_network.network_id + control_plane_subnet_id = module.cluster_network.subnet_id + kubernetes_name = var.kubernetes_cluster_name + instance_image_name = var.haproxy_image_name + instance_flavor_name = var.haproxy_flavor_name + ssh_key_name = module.ssh_key.ssh_key_name + ssh_public_key = module.ssh_key.public_key + load_balancer_ip = var.load_balancer_ip + floating_ip_pool = var.public_network_name + control_plane_ips = module.control_plane.control_plane_internal_ips + worker_node_ips = module.workers.worker_node_internal_ips + control_plane_sg_id = module.security.control_plane_sg_id + allow_all_egress_sg_id = module.security.allow_all_egress_id allowed_management_ingress_sg_id = module.security.allowed_management_ingress_sg_id - allow_bastion = module.security.bastion_sg_id - load_balancer_sg_id = module.security.load_balancer_sg_id + allow_bastion = module.security.bastion_sg_id + load_balancer_sg_id = module.security.load_balancer_sg_id } ############################## 
@@ -108,52 +108,52 @@ module "talos_config" { source = "../modules/talos_config" # Basic cluster information - cluster_name = var.kubernetes_cluster_name - control_plane_lb_ip = module.load_balancer.control_plane_lb_ip - control_plane_endpoints = module.control_plane.control_plane_ips - worker_endpoints = module.workers.worker_nodes_ips + cluster_name = var.kubernetes_cluster_name + control_plane_lb_ip = module.load_balancer.control_plane_lb_ip + control_plane_endpoints = module.control_plane.control_plane_ips + worker_endpoints = module.workers.worker_nodes_ips control_plane_dns_nameservers = var.control_plane_dns_nameservers # Versions - talos_version = var.talos_version - kubernetes_version = var.kubernetes_cluster_version + talos_version = var.talos_version + kubernetes_version = var.kubernetes_cluster_version # Dependencies on compute resources - control_plane_nodes = module.control_plane.control_plane_ips - worker_nodes = module.workers.worker_node_internal_ips + control_plane_nodes = module.control_plane.control_plane_ips + worker_nodes = module.workers.worker_node_internal_ips # Output configuration - output_dir = "./talos-config" - save_configs_locally = true - bootstrap_cluster = true + output_dir = "./talos-config" + save_configs_locally = true + bootstrap_cluster = true } ############################## # 6. 
Storage Setup ############################## module "storage" { - source = "../modules/storage" + source = "../modules/storage" kubernetes_cluster_name = var.kubernetes_cluster_name # Worker node information for volume attachment - worker_instance_ids = module.workers.worker_nodes_instance_ids + worker_instance_ids = module.workers.worker_nodes_instance_ids # Volume configuration - volume_count = var.storage_volume_count - volume_size = var.storage_volume_size - volume_type = var.storage_volume_type - availability_zone = var.storage_availability_zone + volume_count = var.storage_volume_count + volume_size = var.storage_volume_size + volume_type = var.storage_volume_type + availability_zone = var.storage_availability_zone # Mount configuration - mount_path = var.storage_mount_path + mount_path = var.storage_mount_path # StorageClass configuration - create_storage_class = true + create_storage_class = true make_default_storage_class = true - storage_reclaim_policy = "Delete" - fs_type = "ext4" + storage_reclaim_policy = "Delete" + fs_type = "ext4" # Dependency to ensure Kubernetes is available - kubernetes_dependency = module.talos_config + kubernetes_dependency = module.talos_config } ############################## diff --git a/kubernetes/variabels.tf b/kubernetes/variabels.tf index 29568e1..0eeb2b0 100644 --- a/kubernetes/variabels.tf +++ b/kubernetes/variabels.tf @@ -20,7 +20,7 @@ variable "os_application_credential_secret" { # talos/variables.tf variable "region" { - type = string + type = string description = "The OpenStack region" } 
@@ -48,79 +48,79 @@ variable "control_plane_dns_nameservers" { } variable "cluster_ip_version" { - type = number + type = number description = "IP version for the cluster network (4 or 6)" } variable "key_name" { - type = string + type = string description = "The name of the OpenStack key pair" - default = "lb_key" + default = "lb_key" } variable "allowed_management_ipv4_cidrs" { - type = list(string) + type = list(string) description = "CIDR blocks allowed to access management ports (SSH, etc.)" - # If you want to manage the cluster from your local machine, - # add your *public* IP address here (e.g., ["YOUR_PUBLIC_IP/32"]). + # If you want to manage the cluster from your local machine, + # add your *public* IP address here (e.g., ["YOUR_PUBLIC_IP/32"]). } variable "static_lb_ip" { - type = string + type = string description = "Static IP for the load balancer" } variable "talos_image_name" { - type = string + type = string description = "Name of the Talos image in OpenStack" } variable "control_plane_flavor_name" { - type = string + type = string description = "OpenStack flavor for control plane nodes" } variable "control_plane_node_count" { - type = string + type = string description = "Number of control plane nodes" } variable "haproxy_image_name" { - type = string + type = string description = "Name of the HAProxy image in OpenStack" } variable "haproxy_flavor_name" { - type = string + type = string description = "OpenStack flavor for HAProxy instance" } variable "worker_nodes_flavor_name" { - type = string + type = string description = "OpenStack flavor for worker nodes" } variable "worker_nodes_node_count" { - type = string + type = string description = "Number of worker nodes" } variable "main_network_name" { - type = string - description = "The name of the main network" - default = "main_network" + type = string + description = "The name of the main network" + default = "main_network" } variable "main_router_name" { - type = string - description = "The name 
of the main router" - default = "main_router" + type = string + description = "The name of the main router" + default = "main_router" } -variable "cluster_network_cidr"{ - type = string - description = "cidr of the cluster network" +variable "cluster_network_cidr" { + type = string + description = "cidr of the cluster network" } variable "public_network_name" { @@ -135,15 +135,15 @@ variable "kubernetes_cluster_version" { } variable "create_security_groups" { - type = bool - description = "Whether to create security groups for the cluster" - default = false + type = bool + description = "Whether to create security groups for the cluster" + default = false } variable "main_cluster_network_cidr" { - type = string + type = string description = "CIDR for the main cluster network" - default = "192.168.4.0/24" + default = "192.168.4.0/24" } variable "load_balancer_ip" { @@ -152,8 +152,8 @@ variable "load_balancer_ip" { } variable "talos_version" { - type = string - description = "The Talos version to use." + type = string + description = "The Talos version to use." } variable "kubernetes_api_port" { 
@@ -218,31 +218,31 @@ variable "stats_port" { variable "storage_volume_count" { description = "Number of storage volumes to create" type = number - default = 3 # Adjust based on your needs + default = 3 # Adjust based on your needs } variable "storage_volume_size" { description = "Size in GB for each storage volume" type = number - default = 100 # Adjust based on your needs + default = 100 # Adjust based on your needs } variable "storage_volume_type" { description = "Volume type for OpenStack volumes" type = string - default = "ceph" # Change to match your OpenStack environment + default = "ceph" # Change to match your OpenStack environment } variable "storage_availability_zone" { description = "OpenStack availability zone for storage volumes" type = string - default = "nova" # Change to match your OpenStack environment + default = "nova" # Change to match your OpenStack environment } variable "storage_mount_path" { description = "Path where the volumes will be mounted" type = string - default = "/var/data" # Adjust based on your needs + default = "/var/data" # Adjust based on your needs } diff --git a/modules/cluster_network/main.tf b/modules/cluster_network/main.tf index 43af691..cf07a72 100644 --- a/modules/cluster_network/main.tf +++ b/modules/cluster_network/main.tf @@ -14,5 +14,5 @@ resource "openstack_networking_subnet_v2" "cluster_subnet" { start = "192.169.3.20" } - enable_dhcp = true + enable_dhcp = true } diff --git a/modules/control_plane/outputs.tf b/modules/control_plane/outputs.tf index 32c14bd..96d3dc9 100644 --- a/modules/control_plane/outputs.tf +++ b/modules/control_plane/outputs.tf @@ -24,6 +24,6 @@ output "control_node_ports" { } output "control_plane_name" { - description = "Name of the control plane" - value = openstack_compute_instance_v2.control_node[*].name + description = "Name of the control plane" + value = openstack_compute_instance_v2.control_node[*].name } 
diff --git a/modules/load_balancer/main.tf b/modules/load_balancer/main.tf index 048ec09..8e1dadc 100644 --- a/modules/load_balancer/main.tf +++ b/modules/load_balancer/main.tf @@ -21,7 +21,7 @@ resource "openstack_compute_instance_v2" "control_plane_lb" { user_data = templatefile("${path.module}/tftemplates/haproxy_cloud_init.tftpl", { ssh_public_key = var.ssh_public_key, control_plane_ips = local.haproxy.control_plane_ips, - worker_node_ips = local.haproxy.worker_node_ips # Add worker node IPs to the template + worker_node_ips = local.haproxy.worker_node_ips # Add worker node IPs to the template }) # Attach the instance to the previously created network port @@ -32,7 +32,7 @@ resource "openstack_compute_instance_v2" "control_plane_lb" { # 3. Allocate a floating IP from external network (e.g., public) resource "openstack_networking_floatingip_v2" "lb_fip" { - pool = var.floating_ip_pool # Must match your OpenStack external network name + pool = var.floating_ip_pool # Must match your OpenStack external network name } # 4. Associate the floating IP to the HAProxy port diff --git a/modules/load_balancer/outputs.tf b/modules/load_balancer/outputs.tf index 3b761ea..ccf2f4e 100644 --- a/modules/load_balancer/outputs.tf +++ b/modules/load_balancer/outputs.tf @@ -10,7 +10,7 @@ output "lb_instance_id" { output "control_plane_lb_lb" { description = "The control plane load balancer" - value = openstack_compute_instance_v2.control_plane_lb + value = openstack_compute_instance_v2.control_plane_lb } output "control_plane_lb_ip" { diff --git a/modules/load_balancer/variables.tf b/modules/load_balancer/variables.tf index 57144e8..6611a17 100644 --- a/modules/load_balancer/variables.tf +++ b/modules/load_balancer/variables.tf 
@@ -39,13 +39,13 @@ variable "allowed_management_ingress_sg_id" { } variable "allow_bastion" { - type = string - description = "Security group for bastion host" + type = string + description = "Security group for bastion host" } variable "load_balancer_sg_id" { - type = string - description = "Security group for load balancer" + type = string + description = "Security group for load balancer" } variable "control_plane_ips" { @@ -64,8 +64,8 @@ variable "ssh_key_name" { } variable "load_balancer_ip" { - description = "IP address of the load balancer" - type = string + description = "IP address of the load balancer" + type = string } variable "worker_node_ips" { @@ -75,6 +75,6 @@ variable "worker_node_ips" { } variable "floating_ip_pool" { - description = "The pool of floating IPs" - type = string + description = "The pool of floating IPs" + type = string } \ No newline at end of file diff --git a/modules/misp/main.tf b/modules/misp/main.tf index c30a9d7..e2fa603 100644 --- a/modules/misp/main.tf +++ b/modules/misp/main.tf @@ -24,11 +24,11 @@ resource "openstack_compute_instance_v2" "misp_server" { availability_zone = var.availability_zone network { - port = openstack_networking_port_v2.misp_port.id # Use the port here + port = openstack_networking_port_v2.misp_port.id # Use the port here } metadata = { - role = "misp-server" + role = "misp-server" environment = var.kubernetes_cluster_name } } diff --git a/modules/misp/security.tf b/modules/misp/security.tf index b3d64b8..938d2c1 100644 --- a/modules/misp/security.tf +++ b/modules/misp/security.tf 
@@ -7,11 +7,11 @@ resource "openstack_networking_secgroup_v2" "misp_sg" { # Allow HTTP (initially for setup) resource "openstack_networking_secgroup_rule_v2" "misp_allow_http" { - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 80 - port_range_max = 80 + direction = "ingress" + ethertype = "IPv4" + protocol = "tcp" + port_range_min = 80 + port_range_max = 80 #tfsec:ignore:openstack-networking-no-public-ingress remote_ip_prefix = "0.0.0.0/0" # should allow public ingress connections security_group_id = openstack_networking_secgroup_v2.misp_sg.id @@ -19,11 +19,11 @@ resource "openstack_networking_secgroup_rule_v2" "misp_allow_http" { # Allow HTTPS resource "openstack_networking_secgroup_rule_v2" "misp_allow_https" { - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 443 - port_range_max = 443 + direction = "ingress" + ethertype = "IPv4" + protocol = "tcp" + port_range_min = 443 + port_range_max = 443 #tfsec:ignore:openstack-networking-no-public-ingress remote_ip_prefix = "0.0.0.0/0" # should allow public ingress connections security_group_id = openstack_networking_secgroup_v2.misp_sg.id @@ -31,11 +31,11 @@ resource "openstack_networking_secgroup_rule_v2" "misp_allow_https" { # Allow SSH resource "openstack_networking_secgroup_rule_v2" "misp_allow_ssh" { - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 22 - port_range_max = 22 + direction = "ingress" + ethertype = "IPv4" + protocol = "tcp" + port_range_min = 22 + port_range_max = 22 #tfsec:ignore:openstack-networking-no-public-ingress remote_ip_prefix = "0.0.0.0/0" # should allow public ingress connections security_group_id = openstack_networking_secgroup_v2.misp_sg.id diff --git a/modules/misp/variabels.tf b/modules/misp/variabels.tf index d78b294..189d9e6 100644 --- a/modules/misp/variabels.tf +++ b/modules/misp/variabels.tf 
@@ -50,6 +50,6 @@ variable "public_network_name" { } variable "cluster_subnet_id" { - description = "ID of the cluster subnet" - type = string + description = "ID of the cluster subnet" + type = string } \ No newline at end of file diff --git a/modules/security/main.tf b/modules/security/main.tf index aff0749..bdc4f45 100644 --- a/modules/security/main.tf +++ b/modules/security/main.tf @@ -135,7 +135,7 @@ resource "openstack_networking_secgroup_rule_v2" "load_balancer_allow_6443" { port_range_max = 6443 security_group_id = openstack_networking_secgroup_v2.load_balancer[0].id #tfsec:ignore:openstack-networking-no-public-ingress - remote_ip_prefix = "0.0.0.0/0" # should allow public ingress connections + remote_ip_prefix = "0.0.0.0/0" # should allow public ingress connections } # Allow LB to talk to control plane on 6443 
@@ -190,34 +190,34 @@ data "openstack_networking_secgroup_v2" "allowed_management_ingress_ipv4_cidrs" } resource "openstack_networking_secgroup_rule_v2" "allow_icmp_ping" { - count = var.create_security_groups ? 1 : 0 - direction = "ingress" - ethertype = "IPv4" - protocol = "icmp" + count = var.create_security_groups ? 1 : 0 + direction = "ingress" + ethertype = "IPv4" + protocol = "icmp" #tfsec:ignore:openstack-networking-no-public-ingress remote_ip_prefix = "0.0.0.0/0" # used for pinging the service security_group_id = openstack_networking_secgroup_v2.allowed_management_ingress_ipv4_cidrs[0].id } resource "openstack_networking_secgroup_rule_v2" "allow_ssh" { - count = var.create_security_groups ? 1 : 0 - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 22 - port_range_max = 22 + count = var.create_security_groups ? 1 : 0 + direction = "ingress" + ethertype = "IPv4" + protocol = "tcp" + port_range_min = 22 + port_range_max = 22 #tfsec:ignore:openstack-networking-no-public-ingress remote_ip_prefix = "0.0.0.0/0" # should allow public ingress connections security_group_id = openstack_networking_secgroup_v2.allowed_management_ingress_ipv4_cidrs[0].id } resource "openstack_networking_secgroup_rule_v2" "allow_talos_api" { - count = var.create_security_groups ? 1 : 0 - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 50000 - port_range_max = 50001 + count = var.create_security_groups ? 1 : 0 + direction = "ingress" + ethertype = "IPv4" + protocol = "tcp" + port_range_min = 50000 + port_range_max = 50001 #tfsec:ignore:openstack-networking-no-public-ingress remote_ip_prefix = "0.0.0.0/0" # should allow public ingress connections security_group_id = openstack_networking_secgroup_v2.allowed_management_ingress_ipv4_cidrs[0].id 
@@ -245,8 +245,8 @@ resource "openstack_networking_secgroup_rule_v2" "bastion_allow_ssh" { port_range_min = 22 port_range_max = 22 #tfsec:ignore:openstack-networking-no-public-ingress - remote_ip_prefix = "0.0.0.0/0" # should allow public ingress connections - ethertype = "IPv4" + remote_ip_prefix = "0.0.0.0/0" # should allow public ingress connections + ethertype = "IPv4" } # Allow external traffic to Strelka frontend (57314) to LB @@ -259,7 +259,7 @@ resource "openstack_networking_secgroup_rule_v2" "load_balancer_allow_57314" { port_range_max = 57314 security_group_id = openstack_networking_secgroup_v2.load_balancer[0].id #tfsec:ignore:openstack-networking-no-public-ingress - remote_ip_prefix = "0.0.0.0/0" # should allow public ingress connections + remote_ip_prefix = "0.0.0.0/0" # should allow public ingress connections } # Allow LB to talk to worker nodes on 57314 @@ -336,12 +336,12 @@ resource "openstack_networking_secgroup_rule_v2" "worker_nodes_allow_lb_nodeport # Allow external access to Strelka UI NodePort 30662 via Load Balancer resource "openstack_networking_secgroup_rule_v2" "load_balancer_allow_strelka_ui_nodeport" { - count = var.create_security_groups ? 1 : 0 - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 30662 - port_range_max = 30662 + count = var.create_security_groups ? 1 : 0 + direction = "ingress" + ethertype = "IPv4" + protocol = "tcp" + port_range_min = 30662 + port_range_max = 30662 #tfsec:ignore:openstack-networking-no-public-ingress remote_ip_prefix = "0.0.0.0/0" # should allow public ingress connections security_group_id = openstack_networking_secgroup_v2.load_balancer[0].id 
@@ -349,12 +349,12 @@ resource "openstack_networking_secgroup_rule_v2" "load_balancer_allow_strelka_ui # Allow external access to Jaeger UI on port 16686 via Load Balancer resource "openstack_networking_secgroup_rule_v2" "load_balancer_allow_jaeger_ui" { - count = var.create_security_groups ? 1 : 0 - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 16686 - port_range_max = 16686 + count = var.create_security_groups ? 1 : 0 + direction = "ingress" + ethertype = "IPv4" + protocol = "tcp" + port_range_min = 16686 + port_range_max = 16686 #tfsec:ignore:openstack-networking-no-public-ingress remote_ip_prefix = "0.0.0.0/0" # should allow public ingress connections security_group_id = openstack_networking_secgroup_v2.load_balancer[0].id @@ -373,12 +373,12 @@ resource "openstack_networking_secgroup_rule_v2" "load_balancer_to_workers_jaege } resource "openstack_networking_secgroup_rule_v2" "load_balancer_allow_jaeger_ui_nodeport" { - count = var.create_security_groups ? 1 : 0 - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 31697 - port_range_max = 31697 + count = var.create_security_groups ? 1 : 0 + direction = "ingress" + ethertype = "IPv4" + protocol = "tcp" + port_range_min = 31697 + port_range_max = 31697 #tfsec:ignore:openstack-networking-no-public-ingress remote_ip_prefix = "0.0.0.0/0" # should allow public ingress connections security_group_id = openstack_networking_secgroup_v2.load_balancer[0].id diff --git a/modules/security/variabels.tf b/modules/security/variabels.tf index e366a02..98eecc0 100644 --- a/modules/security/variabels.tf +++ b/modules/security/variabels.tf 
@@ -1,15 +1,15 @@ - variable "kubernetes_cluster_name" { - description = "Name of the Kubernetes cluster (used as a prefix for security groups)" - type = string - } +variable "kubernetes_cluster_name" { + description = "Name of the Kubernetes cluster (used as a prefix for security groups)" + type = string +} - variable "create_security_groups" { - description = "If true, create security groups; if false, look them up as data sources." - type = bool - default = true - } +variable "create_security_groups" { + description = "If true, create security groups; if false, look them up as data sources." + type = bool + default = true +} - variable "allowed_management_ipv4_cidrs" { - description = "List of allowed management IPv4 CIDRs for ingress rules" - type = list(string) - } +variable "allowed_management_ipv4_cidrs" { + description = "List of allowed management IPv4 CIDRs for ingress rules" + type = list(string) +} diff --git a/modules/ssh_key/variabels.tf b/modules/ssh_key/variabels.tf index 2015292..74fd706 100644 --- a/modules/ssh_key/variabels.tf +++ b/modules/ssh_key/variabels.tf @@ -5,7 +5,7 @@ variable "ssh_key_name" { } variable "key_name" { - type = string + type = string description = "Base name for the SSH key files" } diff --git a/modules/storage/main.tf b/modules/storage/main.tf index d3b3404..ab82558 100644 --- a/modules/storage/main.tf +++ b/modules/storage/main.tf @@ -17,7 +17,7 @@ resource "openstack_compute_volume_attach_v2" "data_attachment" { # Kubernetes readiness check (keep this from your existing code) resource "null_resource" "kubernetes_readiness" { - count = var.create_storage_class ? 1 : 0 + count = var.create_storage_class ? 1 : 0 depends_on = [var.kubernetes_dependency] provisioner "local-exec" { diff --git a/modules/talos_config/main.tf b/modules/talos_config/main.tf index 4826c87..94710b3 100644 --- a/modules/talos_config/main.tf +++ b/modules/talos_config/main.tf 
@@ -7,21 +7,21 @@ resource "talos_machine_secrets" "machine_secrets" { # Generate control plane configuration data "talos_machine_configuration" "control_plane" { - cluster_name = var.cluster_name - cluster_endpoint = "https://${var.control_plane_lb_ip}:6443" - machine_type = "controlplane" - machine_secrets = talos_machine_secrets.machine_secrets.machine_secrets - talos_version = var.talos_version + cluster_name = var.cluster_name + cluster_endpoint = "https://${var.control_plane_lb_ip}:6443" + machine_type = "controlplane" + machine_secrets = talos_machine_secrets.machine_secrets.machine_secrets + talos_version = var.talos_version kubernetes_version = var.kubernetes_version } # Generate worker configuration data "talos_machine_configuration" "worker" { - cluster_name = var.cluster_name - cluster_endpoint = "https://${var.control_plane_lb_ip}:6443" - machine_type = "worker" - machine_secrets = talos_machine_secrets.machine_secrets.machine_secrets - talos_version = var.talos_version + cluster_name = var.cluster_name + cluster_endpoint = "https://${var.control_plane_lb_ip}:6443" + machine_type = "worker" + machine_secrets = talos_machine_secrets.machine_secrets.machine_secrets + talos_version = var.talos_version kubernetes_version = var.kubernetes_version } 
@@ -57,24 +57,24 @@ resource "local_file" "talosconfig" { # Add a delay to ensure VMs are fully initialized before applying configuration resource "time_sleep" "wait_for_vms" { - depends_on = [var.control_plane_nodes, var.worker_nodes] + depends_on = [var.control_plane_nodes, var.worker_nodes] create_duration = "60s" } # Apply configuration to control plane nodes resource "talos_machine_configuration_apply" "control_plane" { - depends_on = [time_sleep.wait_for_vms] - count = length(var.control_plane_endpoints) - client_configuration = data.talos_client_configuration.talosconfig.client_configuration - machine_configuration_input = data.talos_machine_configuration.control_plane.machine_configuration - node = var.control_plane_endpoints[count.index] - apply_mode = "auto" + depends_on = [time_sleep.wait_for_vms] + count = length(var.control_plane_endpoints) + client_configuration = data.talos_client_configuration.talosconfig.client_configuration + machine_configuration_input = data.talos_machine_configuration.control_plane.machine_configuration + node = var.control_plane_endpoints[count.index] + apply_mode = "auto" config_patches = [ yamlencode({ machine = { nodeLabels = { - "node.kubernetes.io/role" = "control-plane" + "node.kubernetes.io/role" = "control-plane" "node.kubernetes.io/exclude-from-external-load-balancers" = "" } install = { @@ -115,7 +115,7 @@ resource "talos_machine_configuration_apply" "workers" { machine = { nodeLabels = { "node.kubernetes.io/role" = "worker" - "kubernetes.io/role" = "worker" + "kubernetes.io/role" = "worker" } install = { disk = "/dev/vda" 
@@ -197,9 +197,9 @@ resource "talos_machine_bootstrap" "bootstrap" { # Add delay after bootstrap to ensure the cluster is fully initialized resource "time_sleep" "wait_for_bootstrap" { - count = var.bootstrap_cluster ? 1 : 0 - depends_on = [talos_machine_bootstrap.bootstrap] - create_duration = "90s" + count = var.bootstrap_cluster ? 1 : 0 + depends_on = [talos_machine_bootstrap.bootstrap] + create_duration = "90s" } # Generate kubeconfig after the bootstrap is complete diff --git a/modules/workers/variabels.tf b/modules/workers/variabels.tf index dc9c8e7..cb2496a 100644 --- a/modules/workers/variabels.tf +++ b/modules/workers/variabels.tf @@ -39,8 +39,8 @@ variable "allow_all_egress_sg_id" { } variable "allowed_management_ingress_sg_id" { - description = "Security group ID for allowed management ingress" - type = string + description = "Security group ID for allowed management ingress" + type = string } From bf44bb2669ea34dfbf1411b599ba69aacaba2b84 Mon Sep 17 00:00:00 2001 From: Maja Date: Mon, 5 May 2025 21:13:31 +0200 Subject: [PATCH 8/8] Created automatic deployment for the Kubernetes module --- .github/workflows/deploy_kubernetes.yml | 82 +++++++++++++++++++++++++ kubernetes/provider.tf | 2 + modules/cluster_network/provider.tf | 7 +-- modules/control_plane/provider.tf | 7 +-- modules/load_balancer/provider.tf | 7 +-- modules/security/provider.tf | 7 +-- modules/shared_router/provider.tf | 8 +-- modules/ssh_key/provider.tf | 7 +-- modules/storage/provider.tf | 8 +-- modules/talos_config/provider.tf | 10 +-- modules/workers/provider.tf | 7 +-- 11 files changed, 93 insertions(+), 59 deletions(-) create mode 100644 .github/workflows/deploy_kubernetes.yml diff --git a/.github/workflows/deploy_kubernetes.yml b/.github/workflows/deploy_kubernetes.yml new file mode 100644 index 0000000..b399532 --- /dev/null +++ b/.github/workflows/deploy_kubernetes.yml 
@@ -0,0 +1,82 @@
+name: Deploy Kubernetes module
+
+on:
+ push:
+ branches:
+ - 'main'
+ paths:
+ - 'kubernetes/**'
+ - 'modules/cluster_network/**'
+ - 'modules/control_plane/**'
+ - 'modules/load_balancer/**'
+ - 'modules/security/**'
+ - 'modules/shared_router/**'
+ - 'modules/ssh_key/**'
+ - 'modules/storage/**'
+ - 'modules/talos_config/**'
+ - 'modules/workers/**'
+ workflow_dispatch:
+
+env:
+ WORKING_DIR: ./kubernetes
+
+jobs:
+
+ dev:
+ runs-on: dev
+ env:
+ PG_CONN_STR: ${{ secrets.PG_CONN_STR_DEV }}
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Terraform init
+ run: terraform init
+ working-directory: ${{ env.WORKING_DIR }}
+
+ - name: Terraform workspace select or create kubernetes
+ run: terraform workspace select -or-create kubernetes
+ working-directory: ${{ env.WORKING_DIR }}
+
+ - name: Create tfvars file
+ run: echo ${{ secrets.KUBERNETES_TFVARS }} > terraform.tfvars
+ working-directory: ${{ env.WORKING_DIR }}
+
+ - name: Terraform plan
+ run: terraform plan -var "os_auth_url=${{ secrets.OS_AUTH_URL_DEV }}" -var "os_application_credential_id=${{ secrets.OS_APPLICATION_CREDENTIAL_ID_DEV }}" -var "os_application_credential_secret=${{ secrets.OS_APPLICATION_CREDENTIAL_SECRET_DEV }}"
+ working-directory: ${{ env.WORKING_DIR }}
+
+ - name: Terraform apply
+ run: terraform apply -auto-approve -var "os_auth_url=${{ secrets.OS_AUTH_URL_DEV }}" -var "os_application_credential_id=${{ secrets.OS_APPLICATION_CREDENTIAL_ID_DEV }}" -var "os_application_credential_secret=${{ secrets.OS_APPLICATION_CREDENTIAL_SECRET_DEV }}"
+ working-directory: ${{ env.WORKING_DIR }}
+
+ staging:
+ needs: dev
+ runs-on: stage
+ env:
+ PG_CONN_STR: ${{ secrets.PG_CONN_STR_STAGE }}
+
+ steps:
+ - name: Chekcout
+ uses: actions/checkout@v4
+
+ - name: Terraform init
+ run: terraform init
+ working-directory: ${{ env.WORKING_DIR }}
+
+ - name: Terraform workspace select or create kubernetes
+ run: terraform workspace select -or-create kubernetes
+ working-directory: ${{ env.WORKING_DIR }}
+
+ - name: Create tfvars file
+ run: echo ${{ secrets.KUBERNETES_TFVARS }} > terraform.tfvars
+ working-directory: ${{ env.WORKING_DIR }}
+
+ - name: Terraform plan
+ run: terraform plan -var "os_auth_url=${{ secrets.OS_AUTH_URL_STAGE }}" -var "os_application_credential_id=${{ secrets.OS_APPLICATION_CREDENTIAL_ID_STAGE }}" -var "os_application_credential_secret=${{ secrets.OS_APPLICATION_CREDENTIAL_SECRET_STAGE }}"
+ working-directory: ${{ env.WORKING_DIR }}
+
+ - name: Terraform apply
+ run: terraform apply -auto-approve -var "os_auth_url=${{ secrets.OS_AUTH_URL_STAGE }}" -var "os_application_credential_id=${{ secrets.OS_APPLICATION_CREDENTIAL_ID_STAGE }}" -var "os_application_credential_secret=${{ secrets.OS_APPLICATION_CREDENTIAL_SECRET_STAGE }}"
+ working-directory: ${{ env.WORKING_DIR }}
\ No newline at end of file
diff --git a/kubernetes/provider.tf b/kubernetes/provider.tf
index ecdb788..c140880 100644
--- a/kubernetes/provider.tf
+++ b/kubernetes/provider.tf
@@ -17,6 +17,8 @@ terraform {
 version = "~> 2.24.0"
 }
 }
+
+ backend "pg" {}
 } provider "talos" {}
diff --git a/modules/cluster_network/provider.tf b/modules/cluster_network/provider.tf
index e439325..4395c43 100644
--- a/modules/cluster_network/provider.tf
+++ b/modules/cluster_network/provider.tf
@@ -13,9 +13,4 @@ terraform {
 version = "~> 2.1.0"
 }
 }
-}
-
-provider "openstack" {
- cloud = "openstack"
-}
-
+}
\ No newline at end of file
diff --git a/modules/control_plane/provider.tf b/modules/control_plane/provider.tf
index e439325..4395c43 100644
--- a/modules/control_plane/provider.tf
+++ b/modules/control_plane/provider.tf
@@ -13,9 +13,4 @@ terraform {
 version = "~> 2.1.0"
 }
 }
-}
-
-provider "openstack" {
- cloud = "openstack"
-}
-
+}
\ No newline at end of file
diff --git a/modules/load_balancer/provider.tf b/modules/load_balancer/provider.tf
index e439325..4395c43 100644
--- a/modules/load_balancer/provider.tf
+++ b/modules/load_balancer/provider.tf
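Review bot: The "Create tfvars file" step in both jobs expands the secret straight into the shell line, `echo ${{ secrets.KUBERNETES_TFVARS }} > terraform.tfvars`, so an unquoted multi-line tfvars value is word-split onto one line and any `#`, `*`, `$` or quote characters in it are interpreted by bash before Terraform ever sees the file; pass it through `env:` and write it with `printf '%s\n' "$TFVARS" > terraform.tfvars`. The plan and apply steps likewise put `os_application_credential_secret` into the command line via `-var`, which exposes it in the process table and in any shell tracing on the self-hosted `dev`/`stage` runners; the `TF_VAR_<name>` environment form carries the same values without that. Since this runs `terraform apply -auto-approve` on every push to `main` with no `environment:` protection and no `concurrency:` group, two overlapping pushes race for the same workspace and nothing reviews the plan before apply — at minimum `concurrency: { group: terraform-kubernetes }` and a protected `environment:` per job are worth adding. Both jobs also read the same `KUBERNETES_TFVARS` secret while every other secret is suffixed `_DEV`/`_STAGE`, which looks like a copy-paste rather than intent; confirm the staging job should not use a staging-specific tfvars secret.

```yaml
    # … unchanged: checkout, init, workspace select …

    - name: Create tfvars file
      env:
        TFVARS: ${{ secrets.KUBERNETES_TFVARS }}
      run: printf '%s\n' "$TFVARS" > terraform.tfvars
      working-directory: ${{ env.WORKING_DIR }}

    - name: Terraform plan
      env:
        TF_VAR_os_auth_url: ${{ secrets.OS_AUTH_URL_DEV }}
        TF_VAR_os_application_credential_id: ${{ secrets.OS_APPLICATION_CREDENTIAL_ID_DEV }}
        TF_VAR_os_application_credential_secret: ${{ secrets.OS_APPLICATION_CREDENTIAL_SECRET_DEV }}
      run: terraform plan
      working-directory: ${{ env.WORKING_DIR }}
    # … unchanged: apply step (same env block, `terraform apply -auto-approve`) …
```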
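Review bot: The new `backend "pg" {}` block is configured entirely from the `PG_CONN_STR` job environment and carries no comment about what it protects; the state this root module writes will hold the `talos_machine_secrets` resource, the generated talosconfig and the kubeconfig from `modules/talos_config` in plaintext, so the Postgres connection and database deserve the same handling as a credential store. I would document that next to the block: `# Remote state in Postgres; connection comes from PG_CONN_STR (set per environment by the deploy workflow). State holds Talos machine secrets and the kubeconfig in plaintext — restrict DB access and use sslmode=verify-full in the connection string.` Whether the current connection strings already enforce TLS is not visible here and should be confirmed. The enclosing `terraform {}` block starts outside the hunk.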
@@ -13,9 +13,4 @@ terraform { version = "~> 2.1.0" } } -} - -provider "openstack" { - cloud = "openstack" -} - +} \ No newline at end of file diff --git a/modules/security/provider.tf b/modules/security/provider.tf index e439325..4395c43 100644 --- a/modules/security/provider.tf +++ b/modules/security/provider.tf @@ -13,9 +13,4 @@ terraform { version = "~> 2.1.0" } } -} - -provider "openstack" { - cloud = "openstack" -} - +} \ No newline at end of file diff --git a/modules/shared_router/provider.tf b/modules/shared_router/provider.tf index 1766978..4395c43 100644 --- a/modules/shared_router/provider.tf +++ b/modules/shared_router/provider.tf @@ -13,10 +13,4 @@ terraform { version = "~> 2.1.0" } } -} - -provider "openstack" { - cloud = "openstack" -} - - +} \ No newline at end of file diff --git a/modules/ssh_key/provider.tf b/modules/ssh_key/provider.tf index e439325..4395c43 100644 --- a/modules/ssh_key/provider.tf +++ b/modules/ssh_key/provider.tf @@ -13,9 +13,4 @@ terraform { version = "~> 2.1.0" } } -} - -provider "openstack" { - cloud = "openstack" -} - +} \ No newline at end of file diff --git a/modules/storage/provider.tf b/modules/storage/provider.tf index 1766978..4395c43 100644 --- a/modules/storage/provider.tf +++ b/modules/storage/provider.tf @@ -13,10 +13,4 @@ terraform { version = "~> 2.1.0" } } -} - -provider "openstack" { - cloud = "openstack" -} - - +} \ No newline at end of file diff --git a/modules/talos_config/provider.tf b/modules/talos_config/provider.tf index 52ad65c..4395c43 100644 --- a/modules/talos_config/provider.tf +++ b/modules/talos_config/provider.tf @@ -13,12 +13,4 @@ terraform { version = "~> 2.1.0" } } -} - - - - -provider "openstack" { - cloud = "openstack" -} - +} \ No newline at end of file diff --git a/modules/workers/provider.tf b/modules/workers/provider.tf index e439325..4395c43 100644 --- a/modules/workers/provider.tf +++ b/modules/workers/provider.tf 
@@ -13,9 +13,4 @@ terraform { version = "~> 2.1.0" } } -} - -provider "openstack" { - cloud = "openstack" -} - +} \ No newline at end of file