From 3e76c83422da51af6ad57ea73ad39c944d9665a3 Mon Sep 17 00:00:00 2001
From: Annie Hedgpeth <18335499+anniehedgpeth@users.noreply.github.com>
Date: Wed, 1 Nov 2023 08:14:15 -0600
Subject: [PATCH] Update for Utility repo changes (#236)

* add proxy settings
* add values for http/s port
* reverting http/s port, adding cond'l for tls ca
* add trusted_proxies
* remove tls_ca_bundle_file var declaration
* ca_certificate_secret not ca_certificate_secret_id
---
 locals.tf | 11 +++++++
 main.tf | 38 ++++++++++++-------------
 tests/private-active-active/main.tf | 8 ++++--
 tests/private-tcp-active-active/main.tf | 8 ++++--
 tests/public-active-active/main.tf | 10 ++++---
 tests/standalone-external/main.tf | 8 ++++--
 tests/standalone-mounted-disk/main.tf | 10 ++++---
 variables.tf | 24 ++++++++++++----
 8 files changed, 75 insertions(+), 42 deletions(-)

diff --git a/locals.tf b/locals.tf
index d99b91e0..f393a552 100644
--- a/locals.tf
+++ b/locals.tf
@@ -48,6 +48,17 @@ locals {
 # User Data
 # ---------
+ no_proxy = concat([
+ "127.0.0.1",
+ "localhost",
+ "169.254.169.254",
+ ".azure.com",
+ ".windows.net",
+ ".microsoft.com",
+ module.load_balancer.fqdn,
+ var.network_cidr,
+ ], var.no_proxy)
+
 trusted_proxies = concat(
 var.trusted_proxies,
 [var.network_frontend_subnet_cidr]
diff --git a/main.tf b/main.tf
index 5a80de8f..2fdb37dc 100644
--- a/main.tf
+++ b/main.tf
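Review bot: The new `no_proxy` local hard-codes the `.azure.com`, `.windows.net` and `.microsoft.com` suffixes, so every host under those domains is reached directly instead of through the proxy, and an operator cannot remove them through `var.no_proxy` because the two lists are only concatenated; a comment stating why each built-in entry is required would help anyone reviewing the egress policy. The list also mixes loopback, the IMDS address, domain suffixes, the load balancer FQDN and the network CIDR, while the `no_proxy` variable added in variables.tf describes its input as IP addresses only, so the two should agree. Suggested header comment: `# Destinations that bypass the proxy: loopback, Azure IMDS (169.254.169.254), Azure service domains, the TFE load balancer and var.network_cidr; var.no_proxy entries are appended.` The `locals` block starts and ends outside the hunk.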
@@ -176,22 +176,23 @@ module "docker_compose_config" {
 source = "git::https://github.com/hashicorp/terraform-random-tfe-utility//modules/docker_compose_config?ref=main"
 count = var.is_replicated_deployment ? 0 : 1
- hostname = module.load_balancer.fqdn
- tfe_license = var.hc_license
 license_reporting_opt_out = var.license_reporting_opt_out
- cert_file = "/etc/ssl/private/terraform-enterprise/cert.pem"
- key_file = "/etc/ssl/private/terraform-enterprise/key.pem"
- operational_mode = local.active_active ? "active-active" : var.production_type
- tfe_image = var.tfe_image
- tls_ca_bundle_file = var.tls_ca_bundle_file
- tls_ciphers = var.tls_ciphers
- tls_version = var.tls_version
- run_pipeline_image = var.run_pipeline_image
+ hostname = module.load_balancer.fqdn
 capacity_concurrency = var.capacity_concurrency
 capacity_cpu = var.capacity_cpu
 capacity_memory = var.capacity_memory
 iact_subnets = join(",", var.iact_subnet_list)
 iact_time_limit = var.iact_subnet_time_limit
+ operational_mode = local.active_active ? "active-active" : var.production_type
+ run_pipeline_image = var.run_pipeline_image
+ tfe_image = var.tfe_image
+ tfe_license = var.hc_license
+ tls_ciphers = var.tls_ciphers
+ tls_version = var.tls_version
+
+ cert_file = "/etc/ssl/private/terraform-enterprise/cert.pem"
+ key_file = "/etc/ssl/private/terraform-enterprise/key.pem"
+ tls_ca_bundle_file = var.ca_certificate_secret != null ? "/etc/ssl/private/terraform-enterprise/bundle.pem" : null
 database_user = local.database.server.administrator_login
 database_password = local.database.server.administrator_password
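Review bot: `tls_ca_bundle_file` now points at the fixed path `/etc/ssl/private/terraform-enterprise/bundle.pem` whenever `var.ca_certificate_secret` is set, but nothing in this hunk shows what places the bundle at that path; if the VM bootstrap that materialises the secret writes it somewhere else, the container is handed a CA bundle path that does not exist. A comment should tie the two together, e.g. `# NOTE(review): assumes the VM bootstrap writes ca_certificate_secret to bundle.pem — keep the two paths in sync`. Dropping the `var.tls_ca_bundle_file` input (removed in the variables.tf hunk) is a breaking change for callers that set it, so it deserves a changelog or upgrade note. The `docker_compose_config` module block starts and ends outside the hunk.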
@@ -205,6 +206,13 @@ module "docker_compose_config" {
 azure_account_name = local.object_storage.storage_account_name
 azure_container = local.object_storage.storage_account_container_name
+ http_port = var.http_port
+ https_port = var.https_port
+ http_proxy = var.proxy_ip != null ? "${var.proxy_ip}:${var.proxy_port}" : null
+ https_proxy = var.proxy_ip != null ? "${var.proxy_ip}:${var.proxy_port}" : null
+ no_proxy = local.no_proxy
+ trusted_proxies = local.trusted_proxies
+
 redis_host = local.redis.hostname
 redis_user = ""
 redis_password = local.redis.primary_access_key
@@ -237,15 +245,7 @@ module "settings" {
 release_sequence = var.release_sequence
 trusted_proxies = local.trusted_proxies
- extra_no_proxy = [
- "127.0.0.1",
- "169.254.169.254",
- ".azure.com",
- ".windows.net",
- ".microsoft.com",
- module.load_balancer.fqdn,
- var.network_cidr
- ]
+ extra_no_proxy = local.no_proxy
 # Replicated Base Configuration
 hostname = module.load_balancer.fqdn
diff --git a/tests/private-active-active/main.tf b/tests/private-active-active/main.tf
index 5fc63a47..238184f6 100644
--- a/tests/private-active-active/main.tf
+++ b/tests/private-active-active/main.tf
@@ -65,9 +65,6 @@ module "private_active_active" {
 # Private Active / Active Scenario
 consolidated_services_enabled = var.consolidated_services_enabled
 distribution = "rhel"
- vm_node_count = 2
- vm_sku = "Standard_D16as_v4"
- vm_image_id = "rhel"
 load_balancer_public = false
 load_balancer_type = "application_gateway"
 load_balancer_sku_name = "WAF_v2"
@@ -76,6 +73,9 @@ module "private_active_active" {
 redis_use_password_auth = true
 redis_use_tls = false
 production_type = "external"
+ vm_image_id = "rhel"
+ vm_node_count = 2
+ vm_sku = "Standard_D16as_v4"
 create_bastion = false
 tags = local.common_tags
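Review bot: `http_proxy` and `https_proxy` repeat the same conditional `"${var.proxy_ip}:${var.proxy_port}"` expression; it belongs in locals.tf next to `no_proxy` so the two cannot drift, e.g. `proxy_address = var.proxy_ip != null ? "${var.proxy_ip}:${var.proxy_port}" : null` and then `http_proxy = local.proxy_address` / `https_proxy = local.proxy_address`. The value carries no scheme, so if the utility module forwards it verbatim into the container's proxy environment some HTTP clients may reject it; worth confirming against the `docker_compose_config` module's expectations. The `docker_compose_config` and `settings` module blocks both start and end outside their hunks.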
@@ -83,6 +83,8 @@ module "private_active_active" {
 # FDO Specific Values
 is_replicated_deployment = var.is_replicated_deployment
 hc_license = var.hc_license
+ http_port = 8080
+ https_port = 8443
 license_reporting_opt_out = true
 registry_password = var.registry_password
 registry_username = var.registry_username
diff --git a/tests/private-tcp-active-active/main.tf b/tests/private-tcp-active-active/main.tf
index 59666c92..3e2d9ad5 100644
--- a/tests/private-tcp-active-active/main.tf
+++ b/tests/private-tcp-active-active/main.tf
@@ -67,9 +67,6 @@ module "private_tcp_active_active" {
 # Private Active / Active Scenario
 consolidated_services_enabled = var.consolidated_services_enabled
 distribution = "rhel"
- vm_node_count = 2
- vm_sku = "Standard_D32a_v4"
- vm_image_id = "rhel"
 load_balancer_public = false
 load_balancer_type = "load_balancer"
 redis_use_password_auth = true
@@ -77,6 +74,9 @@ module "private_tcp_active_active" {
 redis_rdb_backup_enabled = true
 redis_rdb_backup_frequency = 60
 production_type = "external"
+ vm_node_count = 2
+ vm_sku = "Standard_D32a_v4"
+ vm_image_id = "rhel"
 create_bastion = false
 tags = local.common_tags
@@ -84,6 +84,8 @@ module "private_tcp_active_active" {
 # FDO Specific Values
 is_replicated_deployment = var.is_replicated_deployment
 hc_license = var.hc_license
+ http_port = 8080
+ https_port = 8443
 license_reporting_opt_out = true
 registry_password = var.registry_password
 registry_username = var.registry_username
diff --git a/tests/public-active-active/main.tf b/tests/public-active-active/main.tf
index db83cac4..65c8320f 100644
--- a/tests/public-active-active/main.tf
+++ b/tests/public-active-active/main.tf
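Review bot: The test scenario now passes `http_port = 8080` and `https_port = 8443`, but this patch contains no matching change to the load balancer backend or health-probe ports, so unless the load balancer module already derives those from the same inputs the probes will still target 80/443 and the scenario will fail at runtime; please confirm which it is. The same values are added in tests/private-tcp-active-active, tests/public-active-active, tests/standalone-external and tests/standalone-mounted-disk, which also means no scenario exercises the 80/443 defaults any more; keeping one test on the defaults would cover the common deployment. Each `module` block here starts and ends outside its hunk.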
@@ -27,21 +27,23 @@ module "public_active_active" {
 # Public Active / Active Scenario
 consolidated_services_enabled = var.consolidated_services_enabled
 distribution = "ubuntu"
- production_type = "external"
 iact_subnet_list = var.iact_subnet_list
- vm_node_count = 2
- vm_sku = "Standard_D4_v3"
- vm_image_id = "ubuntu"
 load_balancer_public = true
 load_balancer_type = "application_gateway"
+ production_type = "external"
 redis_use_password_auth = false
 redis_use_tls = false
+ vm_node_count = 2
+ vm_sku = "Standard_D4_v3"
+ vm_image_id = "ubuntu"
 tags = local.common_tags
 # FDO Specific Values
 is_replicated_deployment = var.is_replicated_deployment
 hc_license = var.hc_license
+ http_port = 8080
+ https_port = 8443
 license_reporting_opt_out = true
 registry_password = var.registry_password
 registry_username = var.registry_username
diff --git a/tests/standalone-external/main.tf b/tests/standalone-external/main.tf
index ed0b561f..0beb5a6e 100644
--- a/tests/standalone-external/main.tf
+++ b/tests/standalone-external/main.tf
@@ -41,13 +41,13 @@ module "standalone_external" {
 consolidated_services_enabled = var.consolidated_services_enabled
 distribution = "ubuntu"
 database_version = var.database_version
- production_type = "external"
 iact_subnet_list = ["0.0.0.0/0"]
+ load_balancer_public = true
+ load_balancer_type = "load_balancer"
+ production_type = "external"
 vm_node_count = 1
 vm_sku = "Standard_D4_v3"
 vm_image_id = "ubuntu"
- load_balancer_public = true
- load_balancer_type = "load_balancer"
 enable_ssh = true
 create_bastion = false
@@ -56,6 +56,8 @@ module "standalone_external" {
 # FDO Specific Values
 is_replicated_deployment = var.is_replicated_deployment
 hc_license = var.hc_license
+ http_port = 8080
+ https_port = 8443
 license_reporting_opt_out = true
 registry_password = var.registry_password
 registry_username = var.registry_username
diff --git a/tests/standalone-mounted-disk/main.tf b/tests/standalone-mounted-disk/main.tf
index 4fcc1a31..17cf7c73 100644
--- a/tests/standalone-mounted-disk/main.tf
+++ b/tests/standalone-mounted-disk/main.tf
@@ -42,15 +42,15 @@ module "standalone_mounted_disk" {
 distribution = var.distribution
 production_type = "disk"
 disk_path = "/opt/hashicorp/data"
- vm_node_count = 1
- vm_sku = "Standard_D4_v3"
+ load_balancer_public = true
+ load_balancer_type = "load_balancer"
 vm_image_id = local.vm_image_id
 vm_image_publisher = local.vm_image_publisher
 vm_image_offer = local.vm_image_offer
 vm_image_sku = local.vm_image_sku
 vm_image_version = local.vm_image_version
- load_balancer_public = true
- load_balancer_type = "load_balancer"
+ vm_node_count = 1
+ vm_sku = "Standard_D4_v3"
 # VM Data Disk
 vm_data_disk_caching = "ReadWrite"
@@ -66,6 +66,8 @@ module "standalone_mounted_disk" {
 # FDO Specific Values
 is_replicated_deployment = var.is_replicated_deployment
 hc_license = var.hc_license
+ http_port = 8080
+ https_port = 8443
 license_reporting_opt_out = true
 registry_password = var.registry_password
 registry_username = var.registry_username
diff --git a/variables.tf b/variables.tf
index 914d63f2..5a56faa6 100644
--- a/variables.tf
+++ b/variables.tf
@@ -865,12 +865,6 @@ variable "tls_bootstrap_key_pathname" {
 description = "The path on the TFE instance to put the key. ex. '/var/lib/terraform-enterprise/key.pem'"
 }
-variable "tls_ca_bundle_file" {
- default = null
- type = string
- description = "(Not needed if is_replicated_deployment is true) Path to a file containing TLS CA certificates to be added to the OS CA certificates bundle. Leave blank to not add CA certificates to the OS CA certificates bundle. Defaults to ''."
-}
-
 variable "tls_ciphers" {
 default = null
 type = string
@@ -1004,6 +998,24 @@ variable "vm_key_secret" {
 # Proxy
 # -----
+variable "http_port" {
+ default = 80
+ type = number
+ description = "(Optional if is_replicated_deployment is false) Port application listens on for HTTP. Default is 80."
+}
+
+variable "https_port" {
+ default = 443
+ type = number
+ description = "(Optional if is_replicated_deployment is false) Port application listens on for HTTPS. Default is 443."
+}
+
+variable "no_proxy" {
+ type = list(string)
+ description = "(Optional) List of IP addresses to not proxy"
+ default = []
+}
+
 variable "proxy_ip" {
 default = null
 type = string
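Review bot: `http_port` and `https_port` accept any number, so a typo such as `80443` or a negative value is only caught when the container starts rather than at plan time; a `validation` block on each would surface it early (shown below for `http_port`, the same block applies to `https_port`). The descriptions should also say what happens in the replicated case: main.tf only passes these values to the `docker_compose_config` module, which has `count = var.is_replicated_deployment ? 0 : 1`, so they are ignored when `is_replicated_deployment` is true. The `no_proxy` description says "IP addresses", but the locals.tf list it is appended to holds domain suffixes, a FQDN and a CIDR, so `description = "(Optional) Additional hosts, domain suffixes or CIDRs that bypass the proxy; appended to the module's built-in list."` is more accurate, and its `default` should come first to match the neighbouring variables.
```hcl
variable "http_port" {
  default     = 80
  type        = number
  description = "(Optional; ignored when is_replicated_deployment is true) Port the application listens on for HTTP. Default is 80."

  validation {
    condition     = var.http_port >= 1 && var.http_port <= 65535
    error_message = "http_port must be between 1 and 65535."
  }
}
# … unchanged: https_port (add the same validation block) and no_proxy …
```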