Fixed gitignore.

.gitignore

@@ -44,6 +44,7 @@ terraform.rc
 ################################################################################
 
 k8s-key*
+*admin-key*
 STARTHERE
 inventory
 

get-vm-ips.sh

@@ -22,6 +22,10 @@ VM_NAME_PREFIX="$(
         tail -n 1 | \
         sed 's/^.*=\s*"\(.*\)"/\1/g')"
 
+PUBLIC_IP_OUTPUT="groups_hostnames_ips"
+PRIVATE_IP_OUTPUT="groups_hostnames_private_ips"
+IP_TYPE="$PRIVATE_IP_OUTPUT"
+
 # This command stores the output data in the format below.
 # [
 #   {
@@ -48,7 +52,7 @@ VM_NAME_PREFIX="$(
 #   }
 # ]
 DATA="$(terraform show -json | \
-    jq '.values.outputs.groups_hostnames_ips.value | to_entries |
+    jq '.values.outputs.'"$IP_TYPE"'.value | to_entries |
         map({group: .key, vms:.value | to_entries |
         map({hostname:.key,ip:.value})})')"
 

main.tf

@@ -1,21 +1,12 @@
-terraform {
-  required_version = ">= 1.0.8"
-  required_providers {
-    libvirt = {
-      source  = "dmacvicar/libvirt"
-      version = "0.6.11"
-    }
-  }
-}
 
 locals {
   nodes-config = {
     "master" = {
-      base-image = var.centos8-ami
+      base-image = var.ubuntu-ami
       num = 1
     },
     "worker" = {
-      base-image = var.centos8-ami
+      base-image = var.ubuntu-ami
       num = 2
     }
   }
@@ -43,10 +34,6 @@ module "cloud-init-config" {
 # libvirt modules/resources.
 ################################################################################
 
-provider "aws" {
-  region = "us-east-2"
-}
-
 # This module will grab the latest ami for a variety of distros. Uncomment to
 # get a list of the latest AMIs for our supported distros.
 # module "aws-amis" {
@@ -56,14 +43,29 @@ provider "aws" {
 #   value = module.aws-amis.amis
 # }
 
-module "aws-network" {
-  source            = "./modules/aws-network"
-  name-prefix       = var.vm-name-prefix
-  vpc-cidr-block    = var.aws-vpc-cidr-block
-  subnet-cidr-block = var.aws-subnet-cidr-block
-  admin-ips         = var.admin-ips
+################################################################################
+# AWS Networking
+# Use of the 2 modules below to create resources for the AWS network.
+# aws-network-from-scratch will build the AWS network from scratch.
+# aws-network-existing will query AWS for an existing VPC.
+################################################################################
+
+# module "aws-network-from-scratch" {
+#   source            = "./modules/aws-network-from-scratch"
+#   name-prefix       = var.vm-name-prefix
+#   vpc-cidr-block    = var.aws-vpc-cidr-block
+#   subnet-cidr-block = var.aws-subnet-cidr-block
+#   admin-ips         = var.admin-ips
+# }
+
+module "aws-network-existing" {
+  source                      = "./modules/aws-network-existing"
+  default-vpc-name            = var.aws-existing-vpc-name
+  default-security-group-name = var.aws-existing-sg-name
 }
 
+################################################################################
+
 # This key pair is not actually used. Keys are added to the nodes via cloud-init
 # instead. We just add this here that this key will show up in the AWS console."
 resource "aws_key_pair" "key" {
@@ -79,8 +81,8 @@ module "nodes" {
   source             = "./modules/aws-nodes"
   ami                = each.value.base-image
   ec2-instance-type  = var.aws-ec2-instance-type
-  subnet-id          = module.aws-network.subnet.id
-  security-group-ids = [module.aws-network.default-security-group.id]
+  subnet-id          = module.aws-network-existing.k8s-subnets-ids[0]
+  security-group-ids = [module.aws-network-existing.default-sg.id]
   user-datas         = lookup(module.cloud-init-config, each.key, null).user-datas
   num-nodes          = each.value.num
   name-prefix        = "${var.vm-name-prefix}-${each.key}"
@@ -132,3 +134,9 @@ module "nodes" {
 output "groups_hostnames_ips" {
   value = { for type, node in module.nodes : type => zipmap(node.names, node.ips) }
 }
+
+# This will outpus a map of group => [{hostname, private_ip}].
+# TODO Figure out how what to do about private_ips for libvirt.
+output "groups_hostnames_private_ips" {
+  value = { for type, node in module.nodes : type => zipmap(node.names, node.private_ips) }
+}

modules/aws-amis/main.tf

@@ -1,31 +1,52 @@
 locals {
   amis = {
     amzn2 = {
-      owner-id = "137112412989"
+      # us-east-2
+      # owner-id = "137112412989"
+      # us-gov-west-1
+      owner-id = "045324592363"
       name = "amzn2-ami-hvm-2*x86_64-gp2"
     },
     ubuntu = {
-      owner-id = "099720109477"
+      # us-east-2
+      # owner-id = "099720109477"
+      # us-gov-west-1
+      owner-id = "513442679011"
       name = "ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"
     },
-    centos7 = {
-      owner-id = "125523088429"
-      name = "CentOS 7.*x86_64"
-    },
-    centos8 = {
-      owner-id = "125523088429"
-      name = "CentOS 8.*x86_64"
-    },
-    arch = {
-      owner-id = "093273469852"
-      name = "arch-linux-lts-hvm*x86_64-ebs"
-    },
+    # centos7 = {
+    #   # us-east-2
+    #   # owner-id = "125523088429"
+    #   # us-gov-west-1
+    #   # owner-id = THERE IS NO CENTOS7 IMAGE in us-gov-west-1!!
+    #   name = "CentOS 7.*x86_64"
+    # },
+    # centos8 = {
+    #   # us-east-2
+    #   # owner-id = "125523088429"
+    #   # us-gov-west-1
+    #   # owner-id = THERE IS NO CENTOS8 IMAGE in us-gov-west-1!!
+    #   name = "CentOS 8.*x86_64"
+    # },
+    # arch = {
+    #   # us-east-2
+    #   # owner-id = "093273469852"
+    #   # us-gov-west-1
+    #   # owner-id = THERE IS NO ARCH IMAGE in us-gov-west-1!!
+    #   name = "arch-linux-lts-hvm*x86_64-ebs"
+    # },
     rhel7 = {
-      owner-id = "309956199498"
+      # us-east-2
+      # owner-id = "309956199498"
+      # us-gov-west-1
+      owner-id = "219670896067"
       name = "RHEL-7.*HVM*x86_64*GP2"
     },
     rhel8 = {
-      owner-id = "309956199498"
+      # us-east-2
+      # owner-id = "309956199498"
+      # us-gov-west-1
+      owner-id = "219670896067"
       name = "RHEL-8.*HVM*x86_64*GP2"
     }
   }

modules/aws-network-existing/main.tf

@@ -0,0 +1,27 @@
+locals {
+  az-to-subnets = {
+    for s in data.aws_subnet.subnets : s.availability_zone => s.id...
+  }
+}
+
+data "aws_vpc" "default" {
+  tags = {
+    Name = var.default-vpc-name
+  }
+}
+
+data "aws_subnets" "subnet-ids" {
+  filter {
+    name = "vpc-id"
+    values = [data.aws_vpc.default.id]
+  }
+}
+
+data "aws_subnet" "subnets" {
+  for_each = toset(data.aws_subnets.subnet-ids.ids)
+  id = each.key
+}
+
+data "aws_security_group" "default" {
+  name = var.default-security-group-name
+}

modules/aws-network-existing/outputs.tf

@@ -0,0 +1,22 @@
+output "default-vpc" {
+  value = data.aws_vpc.default
+}
+
+output "default-sg" {
+  value = data.aws_security_group.default
+}
+
+output "subnets" {
+  description = "An array of all subnets in default-vpc."
+  value = data.aws_subnet.subnets
+}
+
+output "k8s-subnets-ids" {
+  description = "An array of subnets to be used for k8s VMs. These subnets were chosen by selecting a single subnet from each availability_zone."
+  value = [for k,v in local.az-to-subnets : v[0]]
+}
+
+output "az-to-subnets" {
+  description = "A map of availability zone to array of subnets that are in thet availability zone."
+  value = local.az-to-subnets
+}

modules/aws-network-existing/variables.tf

@@ -0,0 +1,7 @@
+variable "default-security-group-name" {
+  description = "The name of the existing default security group. This module will query AWS for a security group with this name,"
+}
+
+variable "default-vpc-name" {
+  description = "The name of the existing default VPC. This module will query AWS for a VPC with this name,"
+}

modules/aws-network-from-scratch/main.tf

@@ -0,0 +1,67 @@
+resource "aws_vpc" "vpc" {
+  cidr_block = var.vpc-cidr-block
+  tags = {
+      Name = "${var.name-prefix}-vpc"
+  }
+}
+
+resource "aws_subnet" "subnet" {
+  vpc_id = aws_vpc.vpc.id
+  cidr_block = var.subnet-cidr-block
+  # availability_zone = var.avail_zone
+  tags = {
+      Name = "${var.name-prefix}-subnet"
+  }
+}
+
+resource "aws_default_security_group" "sg" {
+  vpc_id = aws_vpc.vpc.id
+
+  ingress {
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = var.admin-ips
+  }
+
+  egress {
+    from_port       = 0
+    to_port         = 0
+    protocol        = "-1"
+    cidr_blocks     = ["0.0.0.0/0"]
+    prefix_list_ids = []
+  }
+
+  tags = {
+    Name = "${var.name-prefix}-ssh-from-admins-sg"
+  }
+}
+
+resource "aws_internet_gateway" "igw" {
+	vpc_id = aws_vpc.vpc.id
+  tags = {
+    Name = "${var.name-prefix}-igw"
+  }
+}
+
+resource "aws_default_route_table" "route-table" {
+   default_route_table_id = aws_vpc.vpc.main_route_table_id
+
+   route {
+     cidr_block = "0.0.0.0/0"
+     gateway_id = aws_internet_gateway.igw.id
+   }
+
+   # default route, mapping VPC CIDR block to "local", created implicitly and
+   # cannot be specified.
+
+   tags = {
+     Name = "${var.name-prefix}-route-table"
+   }
+}
+
+# Associate subnet with Route Table
+resource "aws_route_table_association" "a-rtb-subnet" {
+  subnet_id      = aws_subnet.subnet.id
+  route_table_id = aws_default_route_table.route-table.id
+}

modules/aws-network-from-scratch/outputs.tf

@@ -0,0 +1,11 @@
+output "vpc" {
+  value = aws_vpc.vpc
+}
+
+output "subnet" {
+  value = aws_subnet.subnet
+}
+
+output "default-security-group" {
+  value = aws_default_security_group.sg
+}

modules/aws-network-from-scratch/variables.tf

@@ -0,0 +1,23 @@
+variable "admin-ips" {
+  description = "A list of ips or cidr blocks that are allowed to connect to the nodes."
+  type = list(string)
+}
+
+variable "name-prefix" {
+  default = "tf"
+  description = "This prefix will be used in all the names of the resources creates in our AWS network."
+  type = string
+}
+
+variable "subnet-cidr-block" {
+  default = "10.0.1.0/24"
+  description = "The address space to be used for this subnet."
+  type = string
+}
+
+variable "vpc-cidr-block" {
+  default = "10.0.0.0/16"
+  description = "The address space to be used for out networks VPC."
+  type = string
+}
+

modules/aws-nodes/main.tf

@@ -1,7 +1,7 @@
 resource "aws_instance" "nodes" {
   ami                         = var.ami
   instance_type               = var.ec2-instance-type
-  # key_name                    = aws_key_pair.debug1.key_name
+  # TODO Make this a variable.
   associate_public_ip_address = true
   subnet_id                   = var.subnet-id
   vpc_security_group_ids = var.security-group-ids

modules/aws-nodes/outputs.tf

@@ -2,6 +2,10 @@ output "ips" {
   value = aws_instance.nodes.*.public_ip
 }
 
+output "private_ips" {
+  value = aws_instance.nodes.*.private_ip
+}
+
 output "names" {
   value = aws_instance.nodes.*.tags.Name
 }

providers.tf

@@ -0,0 +1,76 @@
+
+provider "aws" {
+  region = "us-gov-west-1"
+}
+
+
+terraform {
+  required_version = ">= 1.0.8"
+
+    backend "s3" {
+      
+      bucket            = "mss-terraform-state"
+      key               = "global/s3/terraform.tfstate"
+      region            = "us-gov-west-1"
+      
+      dynamodb_table    = "mss-terraform-state-lock"
+      encrypt           = true
+
+  }
+  required_providers {
+    libvirt = {
+      source  = "dmacvicar/libvirt"
+      version = "0.6.11"
+    }
+  }
+}
+
+
+
+
+
+##
+#S3 bucket create to hold our TFState file so we can all share env settings
+resource "aws_s3_bucket" "terraform_state" {
+    bucket = "mss-terraform-state"
+
+    # enable versioning for the state files 
+    versioning {
+        enabled = true
+    }
+
+    #enable server-side encryption
+    server_side_encryption_configuration {
+      
+      rule {
+          apply_server_side_encryption_by_default {
+              sse_algorithm = "AES256"
+              }
+          }
+        } 
+}
+
+##
+# no sql database used so that we can lock the TFstate file in the S3 bucket to ensure two people 
+# are not running a terraform command at the same time 
+resource "aws_dynamodb_table" "terraform_locks" {
+    name            = "mss-terraform-state-lock"
+    billing_mode    = "PAY_PER_REQUEST"
+    hash_key        = "LockID"
+
+    attribute {
+      name = "LockID"
+      type = "S"
+    }
+
+
+}
+
+
+##
+# output variable to give details on the s3 bucket created
+#TODO: move to output.tf
+output "s3_bucket_arn" {
+  value       = aws_s3_bucket.terraform_state.arn
+  description = "The ARN of the S3 bucket"
+}

variables.tf

@@ -1,4 +1,5 @@
 variable "admin-ips" {
+  default = ["0.0.0.0/0"]
   description = "A list of ips or cidr blocks that are allowed to connect to the nodes."
   type = list(string)
 }
@@ -8,6 +9,21 @@ variable "aws-ec2-instance-type" {
   description = "The AWS instance type to use for all nodes."
 }
 
+variable "aws-existing-sg-name" {
+  default = "change-me-if-using-aws-network-existing"
+  description = "The name of the existing security group when using aws-network-existing."
+}
+
+variable "aws-existing-vpc-name" {
+  default = "change-me-if-using-aws-network-existing"
+  description = "The name of the existing VPC when using aws-network-existing."
+}
+
+variable "aws-region" {
+  default = "us-east-1"
+  description = "The AWS region to use."
+}
+
 variable "aws-subnet-cidr-block" {
   default = "10.0.1.0/24"
   description = "The address space to be used for this subnet."
@@ -28,6 +44,7 @@ variable "disk-image-pool-name" {
 }
 
 variable "libvirt-connection-url" {
+  default = "nobody@localhost"
   description = "The libvirt connection URI, ie. qemu+ssh://<user>@<host>/system"
 }
 
@@ -90,31 +107,46 @@ variable "vm-name-prefix" {
 ################################################################################
 
 variable "amzn2-ami" {
-  default     = "ami-0dd0ccab7e2801812"
+  # us-east-2
+  # default     = "ami-0dd0ccab7e2801812"
+  # us-gov-west-1
+  default     = "ami-098bf51d9a35299f0"
   description = "The AMI to use for Amazon Linux 2."
 }
 variable "ubuntu-ami" {
-  default = "ami-06c7d6c0987eaa46c"
+  # us-east-2
+  # default = "ami-06c7d6c0987eaa46c"
+  # us-gov-west-1
+  default = "ami-087ee83c8de303181"
   description = "The AMI to use for Ubuntu."
 }
 variable "centos7-ami" {
+  # us-east-2
   default = "ami-00f8e2c955f7ffa9b"
   description = "The AMI to use for CentOS 7."
 }
 variable "centos8-ami" {
+  # us-east-2
   default = "ami-057cacbfbbb471bb3"
   description = "The AMI to use for CentOS 8."
 }
 variable "arch-ami" {
+  # us-east-2
   default = "ami-02653f06de985e3ba"
   description = "The AMI to use for Arch Linux."
 }
 variable "rhel7-ami" {
-  default = "ami-0a509b3c2a4d05b3f"
+  # us-east-2
+  # default = "ami-0a509b3c2a4d05b3f"
+  # us-gov-west-1
+  default = "ami-04ccdf5793086ea95"
   description = "The AMI to use for RHEL 7."
 }
 variable "rhel8-ami" {
-  default = "ami-0d871ca8a77af2948"
+  # us-east-2
+  # default = "ami-0d871ca8a77af2948"
+  # us-gov-west-1
+  default = "ami-0b1f10cd1cd107dd2"
   description = "The AMI to use for RHEL 8."
 }