From f9bcd5776d5a5582fc41ad19e633847e56fb46ba Mon Sep 17 00:00:00 2001
From: Pedro Alvarez
Date: Mon, 16 Aug 2021 15:50:31 +0200
Subject: Deploy infrastructure servers using Terraform
---
 terraform/base.tf | 33 +++++++
 terraform/infra.tf | 230 ++++++++++++++++++++++++++++++++++++++++++++++++
 terraform/networking.tf | 211 ++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 474 insertions(+)
 create mode 100644 terraform/base.tf
 create mode 100644 terraform/infra.tf
 create mode 100644 terraform/networking.tf

diff --git a/terraform/base.tf b/terraform/base.tf
new file mode 100644
index 00000000..54af2083
--- /dev/null
+++ b/terraform/base.tf
@@ -0,0 +1,33 @@
+# Define required providers
+terraform {
+required_version = ">= 0.14.0"
+ required_providers {
+ openstack = {
+ source = "terraform-provider-openstack/openstack"
+ version = "~> 1.35.0"
+ }
+ }
+}
+
+# Configure the OpenStack Provider
+provider "openstack" {
+ auth_url = "https://fra1.citycloud.com:5000"
+}
+
+
+locals {
+ username = "cloud"
+ image_name = "Ubuntu 20.04 Focal Fossa 20200423"
+ name_prefix = "bazel-poc"
+ flavor_name_frontend = "1C-1GB-20GB"
+ flavor_name_webserver = "1C-2GB-20GB"
+ flavor_name_gbo = "4C-8GB"
+ flavor_name_ostree = "2C-4GB-20GB"
+}
+
+
+# Create keypairs
+resource "openstack_compute_keypair_v2" "pedro-keypair" {
+ name = "pedro-alvarez_latty"
+ public_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDrfYhQAgqiwtcl37TfBR7N5Fq7ze17Cn4UUbz/Nuby/9qfypUp5Ir2x0P1otbQfozwWBOwmKCFRQMs+fZXFpWsvshNcmaw+rMI8wP1Bx2cqSuPusLPEYbvRbnfGo/E7aj/GvpSKRlBCGF3tORzGAmQsogUUXXcXP7PKIkPB3Jo04K8IeuSoRGd8cGfUWA6dcx9YuZHeJ3o/RzpV8UvU3Ge50mLf05cbrS2LlXgnG2PGbuBX5l87O6u3KUXq5zoafd0AtpSelNcVfAjpwdPokyuR1pXn+3q2w+l7ExmIAjwJV+QJeSSRMRfiHbk/+D3vYUlnqoarB0UrsTb2mY2tAPD"
+}
diff --git a/terraform/infra.tf b/terraform/infra.tf
new file mode 100644
index 00000000..9b5b7ccf
--- /dev/null
+++ b/terraform/infra.tf
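Review bot: The only SSH credential provisioned for every server is one person's RSA key in `openstack_compute_keypair_v2.pedro-keypair`, and infra.tf in the same commit puts `key_pair` under `ignore_changes`, so removing or rotating this key will never be applied by Terraform (OpenStack only injects the keypair on first boot in any case). Consider adding a second team or deploy keypair here and documenting that key rotation has to happen through `authorized_keys` on the hosts rather than through this resource, e.g. `# NOTE: keypair is only injected at first boot; rotate keys on the hosts, not here`. The `terraform {}` block also has no `backend`, so state (floating IPs, volume and port IDs) lives in a local `terraform.tfstate`; a remote backend with locking would stop a second operator diverging from it. Committing the public key itself is fine.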
@@ -0,0 +1,230 @@
+data "openstack_images_image_v2" "image_id" {
+ name = local.image_name
+ most_recent = true
+}
+
+# Frontend
+data "openstack_compute_flavor_v2" "flavor_frontend" {
+ name = local.flavor_name_frontend
+}
+
+resource "openstack_networking_port_v2" "frontend_port" {
+ name = "port_1"
+ network_id = "${openstack_networking_network_v2.baserock_network.id}"
+ admin_state_up = "true"
+
+ fixed_ip {
+ subnet_id = "${openstack_networking_subnet_v2.baserock_subnet.id}"
+ ip_address = "10.3.0.10"
+ }
+}
+
+resource "openstack_networking_floatingip_v2" "floatip_frontend" {
+ pool = "ext-net"
+}
+
+resource "openstack_networking_floatingip_associate_v2" "floatip_associate_frontend" {
+ floating_ip = "${openstack_networking_floatingip_v2.floatip_frontend.address}"
+ port_id = "${openstack_networking_port_v2.frontend_port.id}"
+}
+
+resource "openstack_compute_instance_v2" "baserock_frontend" {
+ name = "frontend-haproxy"
+ image_id = data.openstack_images_image_v2.image_id.id
+ flavor_id = data.openstack_compute_flavor_v2.flavor_frontend.id
+ key_pair = "${openstack_compute_keypair_v2.pedro-keypair.name}"
+
+ security_groups = [
+ "${openstack_networking_secgroup_v2.sg_base.name}",
+ "${openstack_networking_secgroup_v2.sg_gitlab_bot.name}",
+ "${openstack_networking_secgroup_v2.sg_web_server.name}",
+ "${openstack_networking_secgroup_v2.sg_haste_server.name}",
+ "${openstack_networking_secgroup_v2.sg_shared_artifact_cache.name}",
+ ]
+ network {
+ port = "${openstack_networking_port_v2.frontend_port.id}"
+ }
+
+ lifecycle {
+ ignore_changes = [
+ # Ignore changes to base image
+ image_id,
+ # Ignore changes to key_pairs
+ key_pair,
+ ]
+ }
+}
+
+
+# Webserver
+data "openstack_compute_flavor_v2" "flavor_webserver" {
+ name = local.flavor_name_webserver
+}
+
+resource "openstack_networking_port_v2" "webserver_port" {
+ name = "webserver_port"
+ network_id = "${openstack_networking_network_v2.baserock_network.id}"
+ admin_state_up = "true"
+
+ fixed_ip {
+ subnet_id = "${openstack_networking_subnet_v2.baserock_subnet.id}"
+ ip_address = "10.3.0.13"
+ }
+}
+
+resource "openstack_compute_instance_v2" "baserock_webserver" {
+ name = "webserver"
+ image_id = data.openstack_images_image_v2.image_id.id
+ flavor_id = data.openstack_compute_flavor_v2.flavor_webserver.id
+ key_pair = "${openstack_compute_keypair_v2.pedro-keypair.name}"
+
+ security_groups = [
+ "${openstack_networking_secgroup_v2.sg_base.name}",
+ "${openstack_networking_secgroup_v2.sg_gitlab_bot.name}",
+ "${openstack_networking_secgroup_v2.sg_web_server.name}",
+ "${openstack_networking_secgroup_v2.sg_haste_server.name}",
+ ]
+ network {
+ port = "${openstack_networking_port_v2.webserver_port.id}"
+ }
+
+ lifecycle {
+ ignore_changes = [
+ # Ignore changes to base image
+ image_id,
+ # Ignore changes to key_pairs
+ key_pair,
+ ]
+ }
+}
+
+resource "openstack_blockstorage_volume_v2" "volume_webserver" {
+ name = "webserver-volume"
+ size = 150
+}
+
+resource "openstack_compute_volume_attach_v2" "volume_attach_webserver" {
+ instance_id = "${openstack_compute_instance_v2.baserock_webserver.id}"
+ volume_id = "${openstack_blockstorage_volume_v2.volume_webserver.id}"
+ device = "/dev/vdb"
+}
+
+# g.b.o
+
+data "openstack_images_image_v2" "gbo_image_id" {
+ name = "Debian 10 Buster"
+ most_recent = true
+}
+
+data "openstack_compute_flavor_v2" "flavor_gbo" {
+ name = local.flavor_name_gbo
+}
+
+resource "openstack_networking_port_v2" "gbo_port" {
+ name = "gbo_port"
+ network_id = "${openstack_networking_network_v2.baserock_network.id}"
+ admin_state_up = "true"
+
+ fixed_ip {
+ subnet_id = "${openstack_networking_subnet_v2.baserock_subnet.id}"
+ ip_address = "10.3.0.4"
+ }
+}
+
+
+resource "openstack_networking_floatingip_v2" "floatip_gbo" {
+ pool = "ext-net"
+}
+
+resource "openstack_networking_floatingip_associate_v2" "floatip_associate_gbo" {
+ floating_ip = "${openstack_networking_floatingip_v2.floatip_gbo.address}"
+ port_id = "${openstack_networking_port_v2.gbo_port.id}"
+}
+
+resource "openstack_compute_instance_v2" "baserock_gbo" {
+ name = "git.baserock.org-debian"
+ image_id = data.openstack_images_image_v2.gbo_image_id.id
+ flavor_id = data.openstack_compute_flavor_v2.flavor_gbo.id
+ key_pair = "${openstack_compute_keypair_v2.pedro-keypair.name}"
+
+ security_groups = [
+ "${openstack_networking_secgroup_v2.sg_base.name}",
+ "${openstack_networking_secgroup_v2.sg_git_server.name}",
+ ]
+ network {
+ port = "${openstack_networking_port_v2.gbo_port.id}"
+ }
+
+ lifecycle {
+ ignore_changes = [
+ # Ignore changes to base image
+ image_id,
+ # Ignore changes to key_pairs
+ key_pair,
+ ]
+ }
+}
+
+resource "openstack_blockstorage_volume_v2" "volume_gbo" {
+ name = "git.baserock.org-srv"
+ size = 300
+}
+
+resource "openstack_compute_volume_attach_v2" "volume_attach_gbo" {
+ instance_id = "${openstack_compute_instance_v2.baserock_gbo.id}"
+ volume_id = "${openstack_blockstorage_volume_v2.volume_gbo.id}"
+ device = "/dev/vdb"
+}
+
+# ostree
+
+data "openstack_compute_flavor_v2" "flavor_ostree" {
+ name = local.flavor_name_ostree
+}
+
+resource "openstack_networking_port_v2" "ostree_port" {
+ name = "ostree_port"
+ network_id = "${openstack_networking_network_v2.baserock_network.id}"
+ admin_state_up = "true"
+
+ fixed_ip {
+ subnet_id = "${openstack_networking_subnet_v2.baserock_subnet.id}"
+ ip_address = "10.3.0.12"
+ }
+}
+
+resource "openstack_compute_instance_v2" "baserock_ostree" {
+ name = "ostree"
+ image_id = data.openstack_images_image_v2.image_id.id
+ flavor_id = data.openstack_compute_flavor_v2.flavor_ostree.id
+ key_pair = "${openstack_compute_keypair_v2.pedro-keypair.name}"
+
+ security_groups = [
+ "${openstack_networking_secgroup_v2.sg_base.name}",
+ "${openstack_networking_secgroup_v2.sg_web_server.name}",
+ "${openstack_networking_secgroup_v2.sg_shared_artifact_cache.name}",
+ ]
+ network {
+ port = "${openstack_networking_port_v2.ostree_port.id}"
+ }
+
+ lifecycle {
+ ignore_changes = [
+ # Ignore changes to base image
+ image_id,
+ # Ignore changes to key_pairs
+ key_pair,
+ ]
+ }
+}
+
+resource "openstack_blockstorage_volume_v2" "volume_ostree" {
+ name = "ostree-volume"
+ size = 100
+}
+
+resource "openstack_compute_volume_attach_v2" "volume_attach_ostree" {
+ instance_id = "${openstack_compute_instance_v2.baserock_ostree.id}"
+ volume_id = "${openstack_blockstorage_volume_v2.volume_ostree.id}"
+ device = "/dev/vdb"
+}
diff --git a/terraform/networking.tf b/terraform/networking.tf
new file mode 100644
index 00000000..3293c8c8
--- /dev/null
+++ b/terraform/networking.tf
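Review bot: Every instance is attached through a pre-created `openstack_networking_port_v2` (`network { port = … }`) while the security groups are declared on `openstack_compute_instance_v2.security_groups`; the OpenStack provider documents that when an instance is attached via ports, security groups must be placed on the port, so the `sg_*` lists on `baserock_frontend`, `baserock_webserver`, `baserock_gbo` and `baserock_ostree` are likely not what Neutron enforces on those ports, which would instead keep the project's `default` group. Move the groups onto each port resource, e.g. on `frontend_port`: `security_group_ids = [openstack_networking_secgroup_v2.sg_base.id, openstack_networking_secgroup_v2.sg_web_server.id, …]` (and the same for the other three ports), then confirm with `openstack port show` after apply. Separately, `volume_gbo` (300 GB holding git.baserock.org data) has no `lifecycle { prevent_destroy = true }`, so a `terraform destroy` or a resource rename would delete the repository data together with the instance.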
@@ -0,0 +1,211 @@
+resource "openstack_networking_network_v2" "baserock_network" {
+ name = "Baserock Network"
+ admin_state_up = "true"
+}
+
+resource "openstack_networking_subnet_v2" "baserock_subnet" {
+ name = "Baserock Subnet"
+ network_id = "${openstack_networking_network_v2.baserock_network.id}"
+ cidr = "10.3.0.0/24"
+ ip_version = 4
+}
+
+
+data "openstack_networking_network_v2" "external_network" {
+ name = "ext-net"
+}
+
+resource "openstack_networking_router_v2" "baserock_router" {
+ name = "Baserock Router"
+ admin_state_up = true
+ external_network_id = data.openstack_networking_network_v2.external_network.id
+}
+
+resource "openstack_networking_router_interface_v2" "baserock_router_interface" {
+ router_id = "${openstack_networking_router_v2.baserock_router.id}"
+ subnet_id = "${openstack_networking_subnet_v2.baserock_subnet.id}"
+}
+
+# Security groups
+
+resource "openstack_networking_secgroup_v2" "sg_base" {
+ name = "base"
+ description = "Allow all outgoing traffic, and allow incoming ICMP (ping) and SSH connections"
+ delete_default_rules = "true"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "sg_base_egress_icmp" {
+ direction = "egress"
+ ethertype = "IPv4"
+ protocol = "icmp"
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_base.id}"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "sg_base_egress_any" {
+ direction = "egress"
+ ethertype = "IPv4"
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_base.id}"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "sg_base_egress_any_v6" {
+ direction = "egress"
+ ethertype = "IPv6"
+ remote_ip_prefix = "::/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_base.id}"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "sg_base_ingress_icmp" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "icmp"
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_base.id}"
+}
+
+
+resource "openstack_networking_secgroup_rule_v2" "sg_base_ingress_ssh" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 22
+ port_range_max = 22
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_base.id}"
+}
+
+
+
+resource "openstack_networking_secgroup_v2" "sg_haste_server" {
+ name = "haste-server"
+ description = "Allow incoming TCP requests for haste server"
+ delete_default_rules = "true"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "sg_haste_server_main" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 7777
+ port_range_max = 7777
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_haste_server.id}"
+}
+
+resource "openstack_networking_secgroup_v2" "sg_gitlab_bot" {
+ name = "gitlab-bot"
+ description = "Allow incoming TCP requests for gitlab-bot"
+ delete_default_rules = "true"
+}
+
+
+resource "openstack_networking_secgroup_rule_v2" "sg_gitlab_bot_main" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 1337
+ port_range_max = 1337
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_gitlab_bot.id}"
+}
+
+
+resource "openstack_networking_secgroup_v2" "sg_git_server" {
+ name = "git-server"
+ description = "Allow inbound SSH, HTTP, HTTPS and Git requests."
+ delete_default_rules = "true"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "sg_git_server_http" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 80
+ port_range_max = 80
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_git_server.id}"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "sg_git_server_https" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 443
+ port_range_max = 443
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_git_server.id}"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "sg_git_server_git" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 9418
+ port_range_max = 9418
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_git_server.id}"
+}
+
+
+
+resource "openstack_networking_secgroup_v2" "sg_shared_artifact_cache" {
+ name = "shared-artifact-cache"
+ description = "Allow inbound HTTP, HTTPS and ostree-over-SSH (which I've assigned to port 22200)"
+ delete_default_rules = "true"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "sg_shared_artifact_cache_http" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 80
+ port_range_max = 80
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_shared_artifact_cache.id}"
+}
+resource "openstack_networking_secgroup_rule_v2" "sg_shared_artifact_cache_https" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 443
+ port_range_max = 443
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_shared_artifact_cache.id}"
+}
+resource "openstack_networking_secgroup_rule_v2" "sg_shared_artifact_cache_ssh" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 22200
+ port_range_max = 22200
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_shared_artifact_cache.id}"
+}
+
+
+resource "openstack_networking_secgroup_v2" "sg_web_server" {
+ name = "web-server"
+ description = "Allow inbound HTTP, HTTPS and ostree-over-SSH (which I've assigned to port 22200)"
+ delete_default_rules = "true"
+}
+
+
+resource "openstack_networking_secgroup_rule_v2" "sg_web_server_http" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 80
+ port_range_max = 80
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_web_server.id}"
+}
+resource "openstack_networking_secgroup_rule_v2" "sg_web_server_https" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 443
+ port_range_max = 443
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_web_server.id}"
+}
-- cgit v1.2.1
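Review bot: `sg_base_ingress_ssh` opens TCP 22 to `0.0.0.0/0`, and `sg_base` is attached to all four instances in infra.tf, so every host that gets a floating IP (frontend and g.b.o in this change) accepts SSH from the whole internet; restrict `remote_ip_prefix` to the admin or bastion range (e.g. `remote_ip_prefix = var.admin_cidr`) or keep port 22 only on a jump host. The same applies to `sg_gitlab_bot_main` (TCP 1337) and `sg_haste_server_main` (TCP 7777), which expose what are presumably plain non-TLS services to the world — if they are only meant to be reached through the haproxy frontend, limit them to `10.3.0.0/24` or to the GitLab webhook source addresses. The descriptions are also copy-pasted and no longer match the rules: `sg_web_server` claims to allow "ostree-over-SSH … port 22200" but only has 80/443, and `sg_git_server` says "Allow inbound SSH" although SSH comes from `sg_base`; suggest `description = "Allow inbound HTTP and HTTPS"` and `description = "Allow inbound HTTP, HTTPS and git:// (9418); SSH is granted by the base group"` respectively.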