platform/aws: create bootstrap step

modules/aws/vpc/variables.tf

@@ -76,3 +76,8 @@ variable "custom_dns_name" {
   default     = ""
   description = "DNS prefix used to construct the console and API server endpoints."
 }
+
+variable "depends_on" {
+  default = []
+  type    = "list"
+}

steps/assets/ignition-bootstrap.tf

@@ -1,24 +1,7 @@
-resource "aws_s3_bucket_object" "ignition_bootstrap" {
-  bucket  = "${aws_s3_bucket.tectonic.bucket}"
-  key     = "ignition"
-  content = "${data.ignition_config.bootstrap.rendered}"
-  acl     = "public-read"
-
-  # TODO: Lock down permissions.
-  # At the minute this is pulic (so accessible via http) so joiners nodes can reach the NCG using the same url
-  server_side_encryption = "AES256"
-
-  tags = "${merge(map(
-      "Name", "${var.tectonic_cluster_name}-ignition-master",
-      "KubernetesCluster", "${var.tectonic_cluster_name}",
-      "tectonicClusterID", "${module.tectonic.cluster_id}"
-    ), var.tectonic_aws_extra_tags)}"
-}
-
 module "ignition_bootstrap" {
   source = "../../modules/ignition"
 
-  assets_location           = "${aws_s3_bucket_object.tectonic_assets.bucket}/${aws_s3_bucket_object.tectonic_assets.key}"
+  assets_location           = "${local.bucket_name}/${local.bucket_assets_key}"
   base_domain               = "${var.tectonic_base_domain}"
   bootstrap_upgrade_cl      = "${var.tectonic_bootstrap_upgrade_cl}"
   cloud_provider            = "aws"
@@ -85,7 +68,7 @@ data "template_file" "init_assets" {
   vars {
     cluster_name       = "${var.tectonic_cluster_name}"
     awscli_image       = "${var.tectonic_container_images["awscli"]}"
-    assets_s3_location = "${aws_s3_bucket_object.tectonic_assets.bucket}/${aws_s3_bucket_object.tectonic_assets.key}"
+    assets_s3_location = "${local.bucket_name}/${local.bucket_assets_key}"
   }
 }
 
@@ -105,7 +88,7 @@ data "template_file" "rm_assets" {
   vars {
     cluster_name       = "${var.tectonic_cluster_name}"
     awscli_image       = "${var.tectonic_container_images["awscli"]}"
-    assets_s3_location = "${aws_s3_bucket_object.tectonic_assets.bucket}/${aws_s3_bucket_object.tectonic_assets.key}"
+    assets_s3_location = "${local.bucket_name}/${local.bucket_assets_key}"
   }
 }
 
@@ -118,3 +101,8 @@ data "ignition_file" "rm_assets" {
     content = "${data.template_file.rm_assets.rendered}"
   }
 }
+
+resource "local_file" "ignition_bootstrap" {
+  content  = "${data.ignition_config.bootstrap.rendered}"
+  filename = "./generated/ignition/bootstrap.json"
+}

steps/assets/ignition-etcd.tf

@@ -3,22 +3,6 @@ locals {
   etcd_instance_count          = "${length(compact(var.tectonic_etcd_servers)) == 0 ? local.etcd_internal_instance_count : 0}"
 }
 
-resource "aws_s3_bucket_object" "ignition_etcd" {
-  count   = "${local.etcd_instance_count}"
-  bucket  = "${aws_s3_bucket.tectonic.bucket}"
-  key     = "ignition_etcd_${count.index}.json"
-  content = "${data.ignition_config.etcd.*.rendered[count.index]}"
-  acl     = "private"
-
-  server_side_encryption = "AES256"
-
-  tags = "${merge(map(
-      "Name", "${var.tectonic_cluster_name}-ignition-etcd-${count.index}",
-      "KubernetesCluster", "${var.tectonic_cluster_name}",
-      "tectonicClusterID", "${module.tectonic.cluster_id}"
-    ), var.tectonic_aws_extra_tags)}"
-}
-
 data "ignition_config" "etcd" {
   count = "${local.etcd_instance_count}"
 
@@ -56,3 +40,9 @@ EOF
     },
   ]
 }
+
+resource "local_file" "ignition_etcd" {
+  count    = "${local.etcd_instance_count}"
+  content  = "${data.ignition_config.etcd.*.rendered[count.index]}"
+  filename = "./generated/ignition/etcd-${count.index}.json"
+}

steps/assets/ignition-ncg.tf

@@ -122,8 +122,9 @@ data "template_file" "ncg_config" {
   template = "${file("${path.module}/resources/ncg/ncg-config.yaml")}"
 
   vars {
-    ncg_config_worker   = "${jsonencode(data.ignition_config.workers.rendered)}"
-    ncg_config_master   = "${jsonencode(data.ignition_config.masters.rendered)}"
+    # need indent here https://github.com/hashicorp/terraform/issues/16775
+    ncg_config_worker   = "${indent(2, data.ignition_config.workers.rendered)}"
+    ncg_config_master   = "${indent(2, data.ignition_config.masters.rendered)}"
     kube_dns_service_ip = "${cidrhost(var.tectonic_service_cidr, 10)}"
   }
 }

steps/assets/outputs.tf

@@ -2,55 +2,15 @@ output "kube_dns_service_ip" {
   value = "${module.bootkube.kube_dns_service_ip}"
 }
 
-output "bootkube_service" {
-  value = "${module.bootkube.systemd_service_rendered}"
-}
-
-output "bootkube_path_unit" {
-  value = "${module.bootkube.systemd_path_unit_rendered}"
-}
-
-output "tectonic_service" {
-  value = "${module.tectonic.systemd_service_rendered}"
-}
-
-output "tectonic_path_unit" {
-  value = "${module.tectonic.systemd_path_unit_rendered}"
-}
-
-output "tectonic_bucket" {
-  value = "${aws_s3_bucket_object.tectonic_assets.bucket}"
-}
-
-output "tectonic_key" {
-  value = "${aws_s3_bucket_object.tectonic_assets.key}"
-}
-
-output "kubeconfig_bucket" {
-  value = "${aws_s3_bucket_object.kubeconfig.bucket}"
-}
-
-output "kubeconfig_key" {
-  value = "${aws_s3_bucket_object.kubeconfig.key}"
-}
-
 output "kubeconfig_content" {
   value = "${module.bootkube.kubeconfig}"
 }
 
-output "s3_bucket" {
-  value = "${aws_s3_bucket.tectonic.bucket}"
-}
-
-output "s3_bucket_domain_name" {
-  value = "${aws_s3_bucket.tectonic.bucket_domain_name}"
-}
-
 output "cluster_id" {
   value = "${module.tectonic.cluster_id}"
 }
 
-// TLS
+# TLS
 output "etcd_ca_crt_pem" {
   value = "${module.etcd_certs.etcd_ca_crt_pem}"
 }

steps/assets/resources/ncg/ncg-config.yaml

@@ -24,7 +24,8 @@ data:
       "name": "Worker Profile",
       "clc_id": "worker.ign"
     }
-  worker.clc: ${ncg_config_worker}
+  worker.clc: |
+    ${ncg_config_worker}
   master.group: |
     {
       "id": "master",
@@ -43,4 +44,5 @@ data:
       "name": "Master Profile",
       "clc_id": "master.ign"
     }
-  master.clc: ${ncg_config_master}
+  master.clc: |
+    ${ncg_config_master}

steps/assets/tectonic.tf

@@ -7,6 +7,8 @@ provider "aws" {
 locals {
   ingress_internal_fqdn = "${var.tectonic_cluster_name}.${var.tectonic_base_domain}"
   api_internal_fqdn     = "${var.tectonic_cluster_name}-api.${var.tectonic_base_domain}"
+  bucket_name           = "${var.tectonic_cluster_name}-ncg.${var.tectonic_base_domain}"
+  bucket_assets_key     = "assets.zip"
 }
 
 data "aws_availability_zones" "azs" {}
@@ -110,20 +112,3 @@ module "tectonic" {
 
   image_re = "${var.tectonic_image_re}"
 }
-
-data "archive_file" "assets" {
-  type       = "zip"
-  source_dir = "./generated/"
-
-  # Because the archive_file provider is a data source, depends_on can't be
-  # used to guarantee that the tectonic/bootkube modules have generated
-  # all the assets on disk before trying to archive them. Instead, we use their
-  # ID outputs, that are only computed once the assets have actually been
-  # written to disk. We re-hash the IDs (or dedicated module outputs, like module.bootkube.content_hash)
-  # to make the filename shorter, since there is no security nor collision risk anyways.
-  #
-  # Additionally, data sources do not support managing any lifecycle whatsoever,
-  # and therefore, the archive is never deleted. To avoid cluttering the module
-  # folder, we write it in the Terraform managed hidden folder `.terraform`.
-  output_path = "./.terraform/generated_${sha1("${data.template_file.ncg.id} ${data.template_file.ncg_config.id} ${module.etcd_certs.id} ${module.tectonic.id} ${module.bootkube.id}")}.zip"
-}

steps/assets/variables.tf

@@ -1 +1 @@
-../../platforms/aws/variables.tf
+../variables.tf

platforms/aws/inputs.tf → steps/bootstrap/inputs.tf

@@ -16,17 +16,7 @@ locals {
   etcd_server_key_pem       = "${data.terraform_remote_state.assets.etcd_server_key_pem}"
   ingress_certs_ca_cert_pem = "${data.terraform_remote_state.assets.ingress_certs_ca_cert_pem}"
   kube_certs_ca_cert_pem    = "${data.terraform_remote_state.assets.kube_certs_ca_cert_pem}"
-  tectonic_bucket           = "${data.terraform_remote_state.assets.tectonic_bucket}"
-  tectonic_key              = "${data.terraform_remote_state.assets.tectonic_key}"
-  kubeconfig_bucket         = "${data.terraform_remote_state.assets.tectonic_bucket}"
-  kubeconfig_key            = "${data.terraform_remote_state.assets.tectonic_key}"
   kube_dns_service_ip       = "${data.terraform_remote_state.assets.kube_dns_service_ip}"
-  s3_bucket                 = "${data.terraform_remote_state.assets.s3_bucket}"
   cluster_id                = "${data.terraform_remote_state.assets.cluster_id}"
-  tectonic_service          = "${data.terraform_remote_state.assets.bootkube_service}"
-  tectonic_path_unit        = "${data.terraform_remote_state.assets.tectonic_path_unit}"
-  bootkube_service          = "${data.terraform_remote_state.assets.bootkube_service}"
-  bootkube_path_unit        = "${data.terraform_remote_state.assets.bootkube_path_unit}"
   kubeconfig_content        = "${data.terraform_remote_state.assets.kubeconfig_content}"
-  s3_bucket_domain_name     = "${data.terraform_remote_state.assets.s3_bucket_domain_name}"
 }

platforms/aws/main.tf → steps/bootstrap/main.tf

@@ -24,8 +24,8 @@ module "container_linux" {
 }
 
 module "vpc" {
-  source = "../../modules/aws/vpc"
-
+  source                   = "../../modules/aws/vpc"
+  depends_on               = ["${aws_s3_bucket_object.tectonic_assets.id}"]
   base_domain              = "${var.tectonic_base_domain}"
   cidr_block               = "${var.tectonic_aws_vpc_cidr_block}"
   cluster_id               = "${local.cluster_id}"
@@ -88,7 +88,7 @@ module "etcd" {
   root_volume_iops        = "${var.tectonic_aws_etcd_root_volume_iops}"
   root_volume_size        = "${var.tectonic_aws_etcd_root_volume_size}"
   root_volume_type        = "${var.tectonic_aws_etcd_root_volume_type}"
-  s3_bucket               = "${local.s3_bucket}"
+  s3_bucket               = "${aws_s3_bucket.tectonic.bucket}"
   sg_ids                  = "${concat(var.tectonic_aws_etcd_extra_sg_ids, list(module.vpc.etcd_sg_id))}"
   ssh_key                 = "${var.tectonic_aws_ssh_key}"
   subnets                 = "${module.vpc.worker_subnet_ids}"

platforms/aws/ncg-s3.tf → steps/bootstrap/ncg-s3.tf

@@ -17,5 +17,5 @@ resource "aws_route53_record" "tectonic_ncg" {
   type    = "CNAME"
   ttl     = "1"
 
-  records = ["${local.s3_bucket_domain_name}"]
+  records = ["${aws_s3_bucket.tectonic.bucket_domain_name}"]
 }