feat: add all of the terraform files

Signed-off-by: Vojtech Mares <iam@vojtechmares.com>
2024-01-22 15:03:40 +01:00 · 2024-01-22 15:03:40 +01:00 · 3a2ac8bc50
commit 3a2ac8bc50
parent 4dff9a8639
9 changed files with 453 additions and 0 deletions
--- a/terraform/.terraform.lock.hcl
+++ b/terraform/.terraform.lock.hcl
@ -0,0 +1,66 @@
 # This file is maintained automatically by "terraform init".
 # Manual edits may be lost in future updates.
 provider "registry.terraform.io/cloudflare/cloudflare" {
  version     = "4.19.0"
  constraints = "4.19.0"
  hashes = [
    "h1:3EZM8zAObdA81PcyXyiic4y2aZsTowYKG29RjZKXbJU=",
    "zh:1d5315dcbd8187a3a978dc1fb08e80b6cdd353de10afe531b3d1ecb834d0dbae",
    "zh:2a6e5b2e5072e442b35ce6142172e15afb835e16799d04a0054a79d3067f7560",
    "zh:308c5690024a1f6797300018456a1ac781c8699fa4bc4892a8c36eb992604a26",
    "zh:4286969a594396ef09ff6f6840428eef9c7dac037a3a3ef1ccae12a7a21b6655",
    "zh:55cfe536e4fd76ca9a256b905ffa2823b21b5ab6288245c5295a16b03ac4d0b8",
    "zh:58c74a26eef114d59d371f978131d78daa88260df2f75a2b6ec908f61dad2754",
    "zh:5c8dd7ff7820fd96f64e37f5611ad8e265a9b54a04d25e03fe589470ad5d2a0f",
    "zh:6501f10ee5e73ebe3cfe87d4141942c9c784c4ddcde15c6f500b8a41ca3cb174",
    "zh:890df766e9b839623b1f0437355032a3c006226a6c200cd911e15ee1a9014e9f",
    "zh:97f83ab5ff249bd195cfae3b2521f037dea2ad600d70e2917b35895db67c034f",
    "zh:b340b815cc53f197b42d9e64acb6729914706d93dcf60da02e3ac53aeadfde14",
    "zh:c49c8f4908b5776f52211e41880a98a18ebf558363b69ed6af461f2c0d5c9e00",
    "zh:d0ec9cec6a169b160825b0c585b56d42175871549bb291b9409b36086e9e6756",
    "zh:f6912037890a4777a2f8b55858f38fb3428ac53610fb7297d99ced1e73531d5c",
    "zh:f95ca4b80b66b02f1762d314172523ad57176369b7b1aaf4e5018a32f4525582",
  ]
 }
 provider "registry.terraform.io/hashicorp/random" {
  version = "3.6.0"
  hashes = [
    "h1:I8MBeauYA8J8yheLJ8oSMWqB0kovn16dF/wKZ1QTdkk=",
    "zh:03360ed3ecd31e8c5dac9c95fe0858be50f3e9a0d0c654b5e504109c2159287d",
    "zh:1c67ac51254ba2a2bb53a25e8ae7e4d076103483f55f39b426ec55e47d1fe211",
    "zh:24a17bba7f6d679538ff51b3a2f378cedadede97af8a1db7dad4fd8d6d50f829",
    "zh:30ffb297ffd1633175d6545d37c2217e2cef9545a6e03946e514c59c0859b77d",
    "zh:454ce4b3dbc73e6775f2f6605d45cee6e16c3872a2e66a2c97993d6e5cbd7055",
    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
    "zh:91df0a9fab329aff2ff4cf26797592eb7a3a90b4a0c04d64ce186654e0cc6e17",
    "zh:aa57384b85622a9f7bfb5d4512ca88e61f22a9cea9f30febaa4c98c68ff0dc21",
    "zh:c4a3e329ba786ffb6f2b694e1fd41d413a7010f3a53c20b432325a94fa71e839",
    "zh:e2699bc9116447f96c53d55f2a00570f982e6f9935038c3810603572693712d0",
    "zh:e747c0fd5d7684e5bfad8aa0ca441903f15ae7a98a737ff6aca24ba223207e2c",
    "zh:f1ca75f417ce490368f047b63ec09fd003711ae48487fba90b4aba2ccf71920e",
  ]
 }
 provider "registry.terraform.io/hetznercloud/hcloud" {
  version     = "1.44.1"
  constraints = "1.44.1"
  hashes = [
    "h1:q2JvvbG+seeZ4A2ijxPi5Tis+NJVoB59cAt3KeQe0uA=",
    "zh:156df81d2c740608b9fb7f439defbb39b89585c55dc6e62e4af928808ff67f9e",
    "zh:32407f1df8b59afe5e35710c4acf2c8a8cbf5ea9a32126f34cb0c49ff142a047",
    "zh:456133e16e9ebfcd89534c968a8b2a3f931bf4acb76a8165acc2242b0b73ba78",
    "zh:6855c90399abc11e32fcdc0bf54bdedb50009c46183b926b3493fdcf48d5e39c",
    "zh:68fe1e7e9f692a29d75a3cc199b472e8bc00c9486b299bfaf816133797207804",
    "zh:6c62a9fe0a6de3cd4ea0591193baef00b65c838610feb369d14e36d15f9ea93e",
    "zh:6cb1db2287cc8baec8538d9df6a44f602f61580d8df4c484625295aa622f03d1",
    "zh:7fd577a8079da2f6e96066a8bf6bce6e36fdd36c67ac03044fd29f15eb718a6c",
    "zh:9f94d862b827c429bf6a3eea7a65b856475cdc6da7e0d8a8edfbc09de40bed3f",
    "zh:a6499d633a63668629a32628624137d2ef8e1ca5ef77766669470def7f4d5732",
    "zh:b46004de824350b1b9a44cc253608d25e7cdf77d628571ece2df2fe96aacb8d7",
    "zh:b9d8c401f8ddb829ee67bf429aac781bf5022605f4d18b041c417622746a37a1",
    "zh:cf182e8426d7bd555a46ea4c5d75ed431edb41aa162e57f07f13d235d0e74f0d",
    "zh:e1b777a95498489aa04231b7825cca445119f2b1988bfdcd8f0a35e0ba59d883",
  ]
 }
--- a/terraform/backend.tf
+++ b/terraform/backend.tf
@ -0,0 +1,10 @@
 terraform {
  backend "s3" {
    bucket         = "cthulhunetes--terraform-state"
    key            = "terraform.tfstate"
    region         = "eu-west-1"
    encrypt        = true
    kms_key_id     = "alias/cthulhunetes-key"
    dynamodb_table = "cthulhunetes--terraform-state"
  }
 }
--- a/terraform/dns.tf
+++ b/terraform/dns.tf
@ -0,0 +1,77 @@
 resource "cloudflare_zone" "cthulhunetes" {
  account_id = "f24333bb3c47d6db753e57e2a0c90082"
  zone       = "cthulhunetes.net"
 }
 resource "cloudflare_zone_dnssec" "cthulhunetes" {
  zone_id = cloudflare_zone.cthulhunetes.id
 }
 resource "cloudflare_zone_settings_override" "cthulhunetes" {
  zone_id = cloudflare_zone.cthulhunetes.id
  settings {
    always_use_https         = "on"
    automatic_https_rewrites = "on"
    ssl                      = "full"
  }
 }
 resource "cloudflare_record" "cthulhu_masters" {
  count = length(hcloud_server.cthulhu_masters)
  zone_id = local.vxm_cz_zone_id
  name    = "master-${count.index}.cthulhu.k8s"
  value   = hcloud_server.cthulhu_masters[count.index].ipv4_address
  type    = "A"
  proxied = false
 }
 resource "cloudflare_record" "cthulhu_masters_ipv6" {
  count = length(hcloud_server.cthulhu_masters)
  zone_id = local.vxm_cz_zone_id
  name    = "master-${count.index}.cthulhu.k8s"
  value   = hcloud_server.cthulhu_masters[count.index].ipv6_address
  type    = "AAAA"
  proxied = false
 }
 resource "cloudflare_record" "cthulhu_kubeapi_singlenode" {
  count = length(hcloud_server.cthulhu_masters) == 1 ? 1 : 0
  zone_id = local.vxm_cz_zone_id
  name    = "api.cthulhu.k8s"
  value   = hcloud_server.cthulhu_masters[0].ipv4_address
  type    = "A"
  proxied = false
 }
 resource "cloudflare_record" "cthulhu_kubeapi_singlenode_ipv6" {
  count = length(hcloud_server.cthulhu_masters) == 1 ? 1 : 0
  zone_id = local.vxm_cz_zone_id
  name    = "api.cthulhu.k8s"
  value   = hcloud_server.cthulhu_masters[0].ipv6_address
  type    = "AAAA"
  proxied = false
 }
 resource "cloudflare_record" "cthulhu_workers" {
  count = length(hcloud_server.cthulhu_workers)
  zone_id = local.vxm_cz_zone_id
  name    = "worker-${random_string.workers_suffix.result}-${count.index}.cthulhu.k8s"
  value   = hcloud_server.cthulhu_workers[count.index].ipv4_address
  type    = "A"
  proxied = false
 }
 resource "cloudflare_record" "cthulhu_workers_ipv6" {
  count = length(hcloud_server.cthulhu_workers)
  zone_id = local.vxm_cz_zone_id
  name    = "worker-${random_string.workers_suffix.result}-${count.index}.cthulhu.k8s"
  value   = hcloud_server.cthulhu_workers[count.index].ipv6_address
  type    = "AAAA"
  proxied = false
 }
--- a/terraform/firewalls.tf
+++ b/terraform/firewalls.tf
@ -0,0 +1,95 @@
 resource "hcloud_firewall" "cthulhu_nodes_public" {
  name = "cthulhu-nodes-public"
  rule {
    description = "Allow ICMP (ping)"
    direction   = "in"
    protocol    = "icmp"
    source_ips = [
      "0.0.0.0/0",
      "::/0"
    ]
  }
  rule {
    description = "Allow SSH"
    direction   = "in"
    protocol    = "tcp"
    port        = "22"
    source_ips = [
      "0.0.0.0/0",
      "::/0"
    ]
  }
  rule {
    description = "Allow HTTP"
    direction   = "in"
    protocol    = "tcp"
    port        = "80"
    source_ips = [
      "0.0.0.0/0",
      "::/0"
    ]
  }
  rule {
    description = "Allow HTTPS"
    direction   = "in"
    protocol    = "tcp"
    port        = "443"
    source_ips = [
      "0.0.0.0/0",
      "::/0"
    ]
  }
  rule {
    description = "Allow HTTP/3"
    direction   = "in"
    protocol    = "udp"
    port        = "443"
    source_ips = [
      "0.0.0.0/0",
      "::/0"
    ]
  }
  rule {
    description = "Allow Kubernetes API Server"
    direction   = "in"
    protocol    = "tcp"
    port        = "6443"
    source_ips = [
      "0.0.0.0/0",
      "::/0"
    ]
  }
 }
 resource "hcloud_firewall" "cthulhu_nodes_private" {
  name = "cthulhu-nodes-private"
  rule {
    description = "Allow ICMP (ping)"
    direction   = "in"
    protocol    = "icmp"
    source_ips  = [hcloud_network.cthulhu.ip_range]
  }
  rule {
    description = "Allow eveyrthing TCP on all ports"
    direction   = "in"
    protocol    = "tcp"
    port        = "any"
    source_ips  = [hcloud_network.cthulhu.ip_range]
  }
  rule {
    description = "Allow eveyrthing UDP on all ports"
    direction   = "in"
    protocol    = "udp"
    port        = "any"
    source_ips  = [hcloud_network.cthulhu.ip_range]
  }
 }
--- a/terraform/loadbalancers.tf
+++ b/terraform/loadbalancers.tf
@ -0,0 +1,59 @@
 resource "hcloud_load_balancer" "ingress" {
  name               = "ingress"
  load_balancer_type = "lb11"
  location           = "fsn1"
  labels = {
    "env"                     = "production"
    "k8s.cluster.name"        = "cthulhu"
    "k8s.loadbalancer.target" = "ingress"
  }
 }
 resource "hcloud_load_balancer_target" "ingress" {
  type           = "label_selector"
  label_selector = "k8s.node.role=worker"
  use_private_ip = true
  load_balancer_id = hcloud_load_balancer.ingress.id
  depends_on = [ hcloud_load_balancer_network.ingress_to_network ]
 }
 resource "hcloud_load_balancer_service" "ingress_workers_tcp_80" {
  load_balancer_id = hcloud_load_balancer.ingress.id
  protocol         = "tcp"
  listen_port      = 80
  destination_port = 32080
  proxyprotocol    = true
 }
 resource "hcloud_load_balancer_service" "ingress_workers_tcp_443" {
  load_balancer_id = hcloud_load_balancer.ingress.id
  protocol         = "tcp"
  listen_port      = 443
  destination_port = 32443
  proxyprotocol    = true
 }
 resource "cloudflare_record" "ingress_cthulhu_k8s_vxm_cz" {
  zone_id = local.vxm_cz_zone_id
  name    = "ingress.cthulhu.k8s"
  value   = hcloud_load_balancer.ingress.ipv4
  type    = "A"
  proxied = false
 }
 resource "cloudflare_record" "ingress_cthulhu_k8s_vxm_cz_ipv6" {
  zone_id = local.vxm_cz_zone_id
  name    = "ingress.cthulhu.k8s"
  value   = hcloud_load_balancer.ingress.ipv6
  type    = "AAAA"
  proxied = false
 }
 resource "hcloud_load_balancer_network" "ingress_to_network" {
  load_balancer_id = hcloud_load_balancer.ingress.id
  network_id       = hcloud_network.cthulhu.id
  ip               = cidrhost(hcloud_network_subnet.service.ip_range, 1)
 }
--- a/terraform/machines.tf
+++ b/terraform/machines.tf
@ -0,0 +1,76 @@
 resource "hcloud_server" "cthulhu_masters" {
  count = 1
  name        = "master-${count.index}"
  image       = "rocky-9"
  server_type = "cax11"
  location    = "fsn1"
  backups                  = true
  shutdown_before_deletion = true
  firewall_ids = [
    hcloud_firewall.cthulhu_nodes_public.id,
    hcloud_firewall.cthulhu_nodes_private.id,
  ]
  ssh_keys = [data.hcloud_ssh_key.vojtechmares.id]
  labels = {
    "k8s.node.role"    = "master"
    "k8s.node.name"    = "master-${count.index}"
    "k8s.cluster.name" = "cthulhu"
  }
  public_net {
    ipv4_enabled = true
    ipv6_enabled = true
  }
  network {
    network_id = hcloud_network.cthulhu.id
    ip         = cidrhost(hcloud_network_subnet.masters.ip_range, count.index + 1)
  }
 }
 resource "random_string" "workers_suffix" {
  length  = 4
  special = false
  upper   = false
 }
 resource "hcloud_server" "cthulhu_workers" {
  count = 1
  name        = "worker-${random_string.workers_suffix.result}-${count.index}"
  image       = "rocky-9"
  server_type = "cpx31"
  location    = "fsn1"
  backups                  = true
  shutdown_before_deletion = true
  firewall_ids = [
    hcloud_firewall.cthulhu_nodes_public.id,
    hcloud_firewall.cthulhu_nodes_private.id,
  ]
  ssh_keys = [data.hcloud_ssh_key.vojtechmares.id]
  labels = {
    "k8s.node.role"    = "worker"
    "k8s.node.name"    = "worker-${random_string.workers_suffix.result}-${count.index}"
    "k8s.cluster.name" = "cthulhu"
    "k8s.node.pool"    = random_string.workers_suffix.result
  }
  public_net {
    ipv4_enabled = true
    ipv6_enabled = true
  }
  network {
    network_id = hcloud_network.cthulhu.id
    ip         = cidrhost(hcloud_network_subnet.workers.ip_range, count.index + 1)
  }
 }
--- a/terraform/main.tf
+++ b/terraform/main.tf
@ -0,0 +1,7 @@
 locals {
  vxm_cz_zone_id = "bac024cb43947f40e02a7491fc8d8f51"
 }
 data "hcloud_ssh_key" "vojtechmares" {
  name = "iam@vojtechmares.com"
 }
--- a/terraform/networks.tf
+++ b/terraform/networks.tf
@ -0,0 +1,25 @@
 resource "hcloud_network" "cthulhu" {
  name     = "cthulhu-net"
  ip_range = "172.16.0.0/16"
 }
 resource "hcloud_network_subnet" "masters" {
  network_id   = hcloud_network.cthulhu.id
  type         = "cloud"
  network_zone = "eu-central"
  ip_range     = "172.16.1.0/24"
 }
 resource "hcloud_network_subnet" "workers" {
  network_id   = hcloud_network.cthulhu.id
  type         = "cloud"
  network_zone = "eu-central"
  ip_range     = "172.16.10.0/24"
 }
 resource "hcloud_network_subnet" "service" {
  network_id   = hcloud_network.cthulhu.id
  type         = "cloud"
  network_zone = "eu-central"
  ip_range     = "172.16.250.0/24"
 }
--- a/terraform/versions.tf
+++ b/terraform/versions.tf
@ -0,0 +1,38 @@
 terraform {
  required_providers {
    cloudflare = {
      source  = "cloudflare/cloudflare"
      version = "4.19.0"
    }
    hcloud = {
      source  = "hetznercloud/hcloud"
      version = "1.44.1"
    }
  }
 }
 provider "cloudflare" {
  api_key = var.cloudflare_api_key
  email   = var.cloudflare_email
 }
 provider "hcloud" {
  token = var.hcloud_token
 }
 variable "cloudflare_api_key" {
  type      = string
  sensitive = true
 }
 variable "cloudflare_email" {
  type = string
 }
 variable "hcloud_token" {
  type      = string
  sensitive = true
 }