zecfoundation
/
cloud-foundation-fabric
mirror of https://github.com/ZcashFoundation/cloud-foundation-fabric.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' into master

This commit is contained in:
Roberto Jung Drebes 2022-08-24 16:23:03 +02:00 committed by GitHub
parent 1bcfa51a40 40314b4741
commit 48fcfa8233
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 233 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
modules/cloud-config-container/nginx-tls/README.md Normal file
View File

@ -0,0 +1,61 @@
# Containerized Nginx with self-signed TLS on Container Optimized OS
This module manages a `cloud-config` configuration that starts a containerized Nginx with a self-signed TLS cert on Container Optimized OS.
This can be useful if you need quickly a VM or instance group answering HTTPS for prototyping.
The generated cloud config is rendered in the `cloud_config` output, and is meant to be used in instances or instance templates via the `user-data` metadata.
This module depends on the [`cos-generic-metadata` module](../cos-generic-metadata) being in the parent folder. If you change its location be sure to adjust the `source` attribute in `main.tf`.
## Examples
### Default configuration
```hcl
# Nginx with self-signed TLS config
module "cos-nginx-tls" {
source = "./modules/cloud-config-container/nginx-tls"
}
# COS VM
module "vm-nginx-tls" {
source = "./modules/compute-vm"
project_id = local.project_id
zone = local.zone
name = "cos-nginx-tls"
network_interfaces = [{
network = local.vpc.self_link,
subnetwork = local.vpc.subnet_self_link,
nat = false,
addresses = null
}]
metadata = {
user-data = module.cos-nginx-tls.cloud_config
}
boot_disk = {
image = "projects/cos-cloud/global/images/family/cos-stable"
type = "pd-ssd"
size = 10
}
service_account_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
}
```
<!-- BEGIN TFDOC -->
## Variables
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [docker_logging](variables.tf#L23) | Log via the Docker gcplogs driver. Disable if you use the legacy Logging Agent instead. | <code>bool</code> | | <code>true</code> |
| [nginx_image](variables.tf#L17) | Nginx container image to use. | <code>string</code> | | <code>&#34;nginx:1.23.1&#34;</code> |
## Outputs
| name | description | sensitive |
|---|---|:---:|
| [cloud_config](outputs.tf#L17) | Rendered cloud-config file to be passed as user-data instance metadata. | |
<!-- END TFDOC -->

18
modules/cloud-config-container/nginx-tls/files/customize.sh Normal file
View File

@ -0,0 +1,18 @@
#!/bin/bash
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
HOSTNAME=$(curl -s -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/instance/hostname)
openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -subj /CN=$HOSTNAME/ -keyout /etc/ssl/self-signed.key -out /etc/ssl/self-signed.crt
sed -i "s/HOSTNAME/${HOSTNAME}/" /etc/nginx/conf.d/default.conf

20
modules/cloud-config-container/nginx-tls/files/default.conf Normal file
View File

@ -0,0 +1,20 @@
server {
listen 80;
listen 443 ssl;
server_name HOSTNAME;
ssl_certificate /etc/ssl/self-signed.crt;
ssl_certificate_key /etc/ssl/self-signed.key;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}

58
modules/cloud-config-container/nginx-tls/main.tf Normal file
View File

@ -0,0 +1,58 @@
/**
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
module "cos-envoy-td" {
source = "../cos-generic-metadata"
boot_commands = [
"systemctl start node-problem-detector",
]
container_image = var.nginx_image
container_name = "nginx"
container_args = ""
container_volumes = [
{ host = "/etc/nginx/conf.d", container = "/etc/nginx/conf.d" },
{ host = "/etc/ssl", container = "/etc/ssl" },
]
docker_args = "--network host --pid host"
files = {
"/var/run/nginx/customize.sh" = {
content = file("${path.module}/files/customize.sh")
owner = "root"
permissions = "0744"
}
"/etc/nginx/conf.d/default.conf" = {
content = file("${path.module}/files/default.conf")
owner = "root"
permissions = "0644"
}
}
gcp_logging = var.docker_logging
run_commands = [
"iptables -I INPUT 1 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT",
"iptables -I INPUT 1 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT",
"/var/run/nginx/customize.sh",
"systemctl daemon-reload",
"systemctl start nginx",
]
}

20
modules/cloud-config-container/nginx-tls/outputs.tf Normal file
View File

@ -0,0 +1,20 @@
/**
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
output "cloud_config" {
description = "Rendered cloud-config file to be passed as user-data instance metadata."
value = module.cos-envoy-td.cloud_config
}

27
modules/cloud-config-container/nginx-tls/variables.tf Normal file
View File

@ -0,0 +1,27 @@
/**
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
variable "nginx_image" {
description = "Nginx container image to use."
type = string
default = "nginx:1.23.1"
}
variable "docker_logging" {
description = "Log via the Docker gcplogs driver. Disable if you use the legacy Logging Agent instead."
type = bool
default = true
}

29
modules/cloud-config-container/nginx-tls/versions.tf Normal file
View File

@ -0,0 +1,29 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
terraform {
required_version = ">= 1.1.0"
required_providers {
google = {
source = "hashicorp/google"
version = ">= 4.32.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 4.32.0" # tftest
}
}
}