luxolus
/
open-nomad
2
0
Fork 0
Code Issues 1 Pull Requests Packages Releases Wiki Activity
open-nomad/e2e/terraform/network.tf

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

216 lines
4.7 KiB
Terraform
Raw Normal View History

[COMPLIANCE] Add Copyright and License Headers
2023-04-10 15:36:59 +00:00
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
Terraform configs for e2e tests
2018-12-17 17:40:09 +00:00
data "aws_vpc" "default" {
default = true
}
e2e: add EBS and EFS volumes for testing CSI (#7266) This changeset adds volumes but does not mount them to instances so that we can test the mounting ("staging") via CSI plugins. The CSI plugins themselves will be installed as Nomad jobs. In order to ensure we can always mount the EFS volume, this changeset pins the deployment of the cluster to a specific subnet. In future work we should spread the cluster out among several AZs and test that behavior explicitly.
2020-03-04 15:44:51 +00:00
data "aws_subnet" "default" {
availability_zone = var.availability_zone
vpc_id = data.aws_vpc.default.id
E2E: add multi-home networking to test infrastructure (#16218) Add an Elastic Network Interface (ENI) to each Linux host, on a secondary subnet we have provisioned in each AZ. Revise security groups as follows: * Split out client security groups from servers so that we can't have clients accidentally accessing serf addresses or other unexpected cross-talk. * Add new security groups for the secondary subnet that only allows communication within the security group so we can exercise behaviors with multiple IPs. This changeset doesn't include any Nomad configuration changes needed to take advantage of the extra network interface. I'll include those with testing for PR #16217.
2023-02-20 09:08:28 +00:00
default_for_az = true
}
data "aws_subnet" "secondary" {
availability_zone = var.availability_zone
vpc_id = data.aws_vpc.default.id
default_for_az = false
tags = {
Secondary = "true"
}
e2e: add EBS and EFS volumes for testing CSI (#7266) This changeset adds volumes but does not mount them to instances so that we can test the mounting ("staging") via CSI plugins. The CSI plugins themselves will be installed as Nomad jobs. In order to ensure we can always mount the EFS volume, this changeset pins the deployment of the cluster to a specific subnet. In future work we should spread the cluster out among several AZs and test that behavior explicitly.
2020-03-04 15:44:51 +00:00
}
e2e: use DNS instead of HTTP to get my_public_ipv4 (#17759)
2023-06-28 18:11:57 +00:00
# using a dns lookup instead of http, because it's faster
# and should be more reliable.
data "external" "my_public_ipv4" {
program = ["/bin/sh", "-c", <<-EOT
ip="$(dig @resolver4.opendns.com myip.opendns.com +short -4)"
echo '{"ip": "'$ip'"}'
EOT
]
restrict ingress ip
2021-06-04 14:04:45 +00:00
}
locals {
e2e: use DNS instead of HTTP to get my_public_ipv4 (#17759)
2023-06-28 18:11:57 +00:00
ingress_cidr = var.restrict_ingress_cidrblock ? "${chomp(data.external.my_public_ipv4.result["ip"])}/32" : "0.0.0.0/0"
restrict ingress ip
2021-06-04 14:04:45 +00:00
}
E2E: add multi-home networking to test infrastructure (#16218) Add an Elastic Network Interface (ENI) to each Linux host, on a secondary subnet we have provisioned in each AZ. Revise security groups as follows: * Split out client security groups from servers so that we can't have clients accidentally accessing serf addresses or other unexpected cross-talk. * Add new security groups for the secondary subnet that only allows communication within the security group so we can exercise behaviors with multiple IPs. This changeset doesn't include any Nomad configuration changes needed to take advantage of the extra network interface. I'll include those with testing for PR #16217.
2023-02-20 09:08:28 +00:00
resource "aws_security_group" "servers" {
name = "${local.random_name}-servers"
e2e: upgrade terraform to 0.12.x (#6489)
2019-10-14 15:27:08 +00:00
vpc_id = data.aws_vpc.default.id
Terraform configs for e2e tests
2018-12-17 17:40:09 +00:00
E2E: add multi-home networking to test infrastructure (#16218) Add an Elastic Network Interface (ENI) to each Linux host, on a secondary subnet we have provisioned in each AZ. Revise security groups as follows: * Split out client security groups from servers so that we can't have clients accidentally accessing serf addresses or other unexpected cross-talk. * Add new security groups for the secondary subnet that only allows communication within the security group so we can exercise behaviors with multiple IPs. This changeset doesn't include any Nomad configuration changes needed to take advantage of the extra network interface. I'll include those with testing for PR #16217.
2023-02-20 09:08:28 +00:00
# SSH from test runner
Terraform configs for e2e tests
2018-12-17 17:40:09 +00:00
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
restrict ingress ip
2021-06-04 14:04:45 +00:00
cidr_blocks = [local.ingress_cidr]
Terraform configs for e2e tests
2018-12-17 17:40:09 +00:00
}
E2E: add multi-home networking to test infrastructure (#16218) Add an Elastic Network Interface (ENI) to each Linux host, on a secondary subnet we have provisioned in each AZ. Revise security groups as follows: * Split out client security groups from servers so that we can't have clients accidentally accessing serf addresses or other unexpected cross-talk. * Add new security groups for the secondary subnet that only allows communication within the security group so we can exercise behaviors with multiple IPs. This changeset doesn't include any Nomad configuration changes needed to take advantage of the extra network interface. I'll include those with testing for PR #16217.
2023-02-20 09:08:28 +00:00
# Nomad HTTP and RPC from test runner
Terraform configs for e2e tests
2018-12-17 17:40:09 +00:00
ingress {
from_port = 4646
E2E: add multi-home networking to test infrastructure (#16218) Add an Elastic Network Interface (ENI) to each Linux host, on a secondary subnet we have provisioned in each AZ. Revise security groups as follows: * Split out client security groups from servers so that we can't have clients accidentally accessing serf addresses or other unexpected cross-talk. * Add new security groups for the secondary subnet that only allows communication within the security group so we can exercise behaviors with multiple IPs. This changeset doesn't include any Nomad configuration changes needed to take advantage of the extra network interface. I'll include those with testing for PR #16217.
2023-02-20 09:08:28 +00:00
to_port = 4647
Terraform configs for e2e tests
2018-12-17 17:40:09 +00:00
protocol = "tcp"
restrict ingress ip
2021-06-04 14:04:45 +00:00
cidr_blocks = [local.ingress_cidr]
Terraform configs for e2e tests
2018-12-17 17:40:09 +00:00
}
E2E: add multi-home networking to test infrastructure (#16218) Add an Elastic Network Interface (ENI) to each Linux host, on a secondary subnet we have provisioned in each AZ. Revise security groups as follows: * Split out client security groups from servers so that we can't have clients accidentally accessing serf addresses or other unexpected cross-talk. * Add new security groups for the secondary subnet that only allows communication within the security group so we can exercise behaviors with multiple IPs. This changeset doesn't include any Nomad configuration changes needed to take advantage of the extra network interface. I'll include those with testing for PR #16217.
2023-02-20 09:08:28 +00:00
# Nomad HTTP and RPC from clients
E2E: provide options for reverse proxy for web UI (#12671) Our E2E test environment is deployed with mTLS, but it's impractical for us to use mTLS in headless browsers for automated testing (or even in manual testing). Provide certificates for proxying the web UI via Nginx. This proxy uses client certs for proxying to the HTTP endpoint and a self-signed cert for the browser-facing endpoint. We can accept certificate errors in the automated tests we'll be adding in the next step of this work.
2022-04-19 20:55:05 +00:00
ingress {
E2E: add multi-home networking to test infrastructure (#16218) Add an Elastic Network Interface (ENI) to each Linux host, on a secondary subnet we have provisioned in each AZ. Revise security groups as follows: * Split out client security groups from servers so that we can't have clients accidentally accessing serf addresses or other unexpected cross-talk. * Add new security groups for the secondary subnet that only allows communication within the security group so we can exercise behaviors with multiple IPs. This changeset doesn't include any Nomad configuration changes needed to take advantage of the extra network interface. I'll include those with testing for PR #16217.
2023-02-20 09:08:28 +00:00
from_port = 4646
to_port = 4647
protocol = "tcp"
security_groups = [aws_security_group.clients.id]
}
# Nomad serf is covered here: only allowed between hosts in the servers own
# security group so that clients can't accidentally use serf address
ingress {
from_port = 0
to_port = 0
protocol = "-1"
self = true
}
# allow all outbound
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
}
# the secondary VPC security group is intended only for internal traffic
# and so that we can exercise behaviors with multiple IPs
resource "aws_security_group" "servers_secondary" {
name = "${local.random_name}-servers-secondary"
vpc_id = data.aws_vpc.default.id
ingress {
from_port = 0
to_port = 0
protocol = "-1"
self = true
}
# allow all outbound
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
}
resource "aws_security_group" "clients" {
name = "${local.random_name}-clients"
vpc_id = data.aws_vpc.default.id
# SSH from test runner
ingress {
from_port = 22
to_port = 22
E2E: provide options for reverse proxy for web UI (#12671) Our E2E test environment is deployed with mTLS, but it's impractical for us to use mTLS in headless browsers for automated testing (or even in manual testing). Provide certificates for proxying the web UI via Nginx. This proxy uses client certs for proxying to the HTTP endpoint and a self-signed cert for the browser-facing endpoint. We can accept certificate errors in the automated tests we'll be adding in the next step of this work.
2022-04-19 20:55:05 +00:00
protocol = "tcp"
cidr_blocks = [local.ingress_cidr]
}
E2E: add multi-home networking to test infrastructure (#16218) Add an Elastic Network Interface (ENI) to each Linux host, on a secondary subnet we have provisioned in each AZ. Revise security groups as follows: * Split out client security groups from servers so that we can't have clients accidentally accessing serf addresses or other unexpected cross-talk. * Add new security groups for the secondary subnet that only allows communication within the security group so we can exercise behaviors with multiple IPs. This changeset doesn't include any Nomad configuration changes needed to take advantage of the extra network interface. I'll include those with testing for PR #16217.
2023-02-20 09:08:28 +00:00
# Nomad HTTP and RPC from test runner
Terraform configs for e2e tests
2018-12-17 17:40:09 +00:00
ingress {
E2E: add multi-home networking to test infrastructure (#16218) Add an Elastic Network Interface (ENI) to each Linux host, on a secondary subnet we have provisioned in each AZ. Revise security groups as follows: * Split out client security groups from servers so that we can't have clients accidentally accessing serf addresses or other unexpected cross-talk. * Add new security groups for the secondary subnet that only allows communication within the security group so we can exercise behaviors with multiple IPs. This changeset doesn't include any Nomad configuration changes needed to take advantage of the extra network interface. I'll include those with testing for PR #16217.
2023-02-20 09:08:28 +00:00
from_port = 4646
to_port = 4647
Terraform configs for e2e tests
2018-12-17 17:40:09 +00:00
protocol = "tcp"
restrict ingress ip
2021-06-04 14:04:45 +00:00
cidr_blocks = [local.ingress_cidr]
Terraform configs for e2e tests
2018-12-17 17:40:09 +00:00
}
E2E: add multi-home networking to test infrastructure (#16218) Add an Elastic Network Interface (ENI) to each Linux host, on a secondary subnet we have provisioned in each AZ. Revise security groups as follows: * Split out client security groups from servers so that we can't have clients accidentally accessing serf addresses or other unexpected cross-talk. * Add new security groups for the secondary subnet that only allows communication within the security group so we can exercise behaviors with multiple IPs. This changeset doesn't include any Nomad configuration changes needed to take advantage of the extra network interface. I'll include those with testing for PR #16217.
2023-02-20 09:08:28 +00:00
# UI reverse proxy from test runner
Terraform configs for e2e tests
2018-12-17 17:40:09 +00:00
ingress {
E2E: add multi-home networking to test infrastructure (#16218) Add an Elastic Network Interface (ENI) to each Linux host, on a secondary subnet we have provisioned in each AZ. Revise security groups as follows: * Split out client security groups from servers so that we can't have clients accidentally accessing serf addresses or other unexpected cross-talk. * Add new security groups for the secondary subnet that only allows communication within the security group so we can exercise behaviors with multiple IPs. This changeset doesn't include any Nomad configuration changes needed to take advantage of the extra network interface. I'll include those with testing for PR #16217.
2023-02-20 09:08:28 +00:00
from_port = 6464
to_port = 6464
Terraform configs for e2e tests
2018-12-17 17:40:09 +00:00
protocol = "tcp"
restrict ingress ip
2021-06-04 14:04:45 +00:00
cidr_blocks = [local.ingress_cidr]
Terraform configs for e2e tests
2018-12-17 17:40:09 +00:00
}
E2E: add multi-home networking to test infrastructure (#16218) Add an Elastic Network Interface (ENI) to each Linux host, on a secondary subnet we have provisioned in each AZ. Revise security groups as follows: * Split out client security groups from servers so that we can't have clients accidentally accessing serf addresses or other unexpected cross-talk. * Add new security groups for the secondary subnet that only allows communication within the security group so we can exercise behaviors with multiple IPs. This changeset doesn't include any Nomad configuration changes needed to take advantage of the extra network interface. I'll include those with testing for PR #16217.
2023-02-20 09:08:28 +00:00
# Fabio from test runner
e2e: bootstrap vault and provision Nomad with vault tokens (#9010) Provisions vault with the policies described in the Nomad Vault integration guide, and drops a configuration file for Nomad vault server configuration with its token. The vault root token is exposed to the E2E runner so that tests can write additional policies to vault.
2020-10-05 13:28:37 +00:00
ingress {
E2E: add multi-home networking to test infrastructure (#16218) Add an Elastic Network Interface (ENI) to each Linux host, on a secondary subnet we have provisioned in each AZ. Revise security groups as follows: * Split out client security groups from servers so that we can't have clients accidentally accessing serf addresses or other unexpected cross-talk. * Add new security groups for the secondary subnet that only allows communication within the security group so we can exercise behaviors with multiple IPs. This changeset doesn't include any Nomad configuration changes needed to take advantage of the extra network interface. I'll include those with testing for PR #16217.
2023-02-20 09:08:28 +00:00
from_port = 9998
to_port = 9999
e2e: bootstrap vault and provision Nomad with vault tokens (#9010) Provisions vault with the policies described in the Nomad Vault integration guide, and drops a configuration file for Nomad vault server configuration with its token. The vault root token is exposed to the E2E runner so that tests can write additional policies to vault.
2020-10-05 13:28:37 +00:00
protocol = "tcp"
restrict ingress ip
2021-06-04 14:04:45 +00:00
cidr_blocks = [local.ingress_cidr]
e2e: bootstrap vault and provision Nomad with vault tokens (#9010) Provisions vault with the policies described in the Nomad Vault integration guide, and drops a configuration file for Nomad vault server configuration with its token. The vault root token is exposed to the E2E runner so that tests can write additional policies to vault.
2020-10-05 13:28:37 +00:00
}
E2E: add multi-home networking to test infrastructure (#16218) Add an Elastic Network Interface (ENI) to each Linux host, on a secondary subnet we have provisioned in each AZ. Revise security groups as follows: * Split out client security groups from servers so that we can't have clients accidentally accessing serf addresses or other unexpected cross-talk. * Add new security groups for the secondary subnet that only allows communication within the security group so we can exercise behaviors with multiple IPs. This changeset doesn't include any Nomad configuration changes needed to take advantage of the extra network interface. I'll include those with testing for PR #16217.
2023-02-20 09:08:28 +00:00
# allow all client-to-client
Terraform configs for e2e tests
2018-12-17 17:40:09 +00:00
ingress {
from_port = 0
to_port = 0
protocol = "-1"
self = true
}
E2E: add multi-home networking to test infrastructure (#16218) Add an Elastic Network Interface (ENI) to each Linux host, on a secondary subnet we have provisioned in each AZ. Revise security groups as follows: * Split out client security groups from servers so that we can't have clients accidentally accessing serf addresses or other unexpected cross-talk. * Add new security groups for the secondary subnet that only allows communication within the security group so we can exercise behaviors with multiple IPs. This changeset doesn't include any Nomad configuration changes needed to take advantage of the extra network interface. I'll include those with testing for PR #16217.
2023-02-20 09:08:28 +00:00
# allow all outbound
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
}
# the secondary VPC security group is intended only for internal traffic
# and so that we can exercise behaviors with multiple IPs
resource "aws_security_group" "clients_secondary" {
name = "${local.random_name}-clients-secondary"
vpc_id = data.aws_vpc.default.id
ingress {
from_port = 0
to_port = 0
protocol = "-1"
self = true
}
# allow all outbound
Terraform configs for e2e tests
2018-12-17 17:40:09 +00:00
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
}
e2e: add EBS and EFS volumes for testing CSI (#7266) This changeset adds volumes but does not mount them to instances so that we can test the mounting ("staging") via CSI plugins. The CSI plugins themselves will be installed as Nomad jobs. In order to ensure we can always mount the EFS volume, this changeset pins the deployment of the cluster to a specific subnet. In future work we should spread the cluster out among several AZs and test that behavior explicitly.
2020-03-04 15:44:51 +00:00
resource "aws_security_group" "nfs" {
e2e: add flag to opt-in to creating EBS/EFS volumes (#9082) For everyday developer use, we don't need volumes for testing CSI. Providing a flag to opt-in speeds up deploying dev clusters and slightly reduces infra costs. Skip CSI test if missing volume specs.
2020-10-14 14:29:33 +00:00
count = var.volumes ? 1 : 0
e2e: add EBS and EFS volumes for testing CSI (#7266) This changeset adds volumes but does not mount them to instances so that we can test the mounting ("staging") via CSI plugins. The CSI plugins themselves will be installed as Nomad jobs. In order to ensure we can always mount the EFS volume, this changeset pins the deployment of the cluster to a specific subnet. In future work we should spread the cluster out among several AZs and test that behavior explicitly.
2020-03-04 15:44:51 +00:00
name = "${local.random_name}-nfs"
vpc_id = data.aws_vpc.default.id
ingress {
from_port = 2049
to_port = 2049
protocol = "tcp"
E2E: add multi-home networking to test infrastructure (#16218) Add an Elastic Network Interface (ENI) to each Linux host, on a secondary subnet we have provisioned in each AZ. Revise security groups as follows: * Split out client security groups from servers so that we can't have clients accidentally accessing serf addresses or other unexpected cross-talk. * Add new security groups for the secondary subnet that only allows communication within the security group so we can exercise behaviors with multiple IPs. This changeset doesn't include any Nomad configuration changes needed to take advantage of the extra network interface. I'll include those with testing for PR #16217.
2023-02-20 09:08:28 +00:00
security_groups = [aws_security_group.clients.id]
}
}
# every server gets a ENI
resource "aws_network_interface" "servers_secondary" {
subnet_id = data.aws_subnet.secondary.id
security_groups = [aws_security_group.servers_secondary.id]
count = var.server_count
attachment {
instance = aws_instance.server[count.index].id
device_index = 1
}
}
# every Linux client gets a ENI
resource "aws_network_interface" "clients_secondary" {
subnet_id = data.aws_subnet.secondary.id
security_groups = [aws_security_group.clients_secondary.id]
count = var.client_count_ubuntu_jammy_amd64
attachment {
instance = aws_instance.client_ubuntu_jammy_amd64[count.index].id
device_index = 1
e2e: add EBS and EFS volumes for testing CSI (#7266) This changeset adds volumes but does not mount them to instances so that we can test the mounting ("staging") via CSI plugins. The CSI plugins themselves will be installed as Nomad jobs. In order to ensure we can always mount the EFS volume, this changeset pins the deployment of the cluster to a specific subnet. In future work we should spread the cluster out among several AZs and test that behavior explicitly.
2020-03-04 15:44:51 +00:00
}
}