feat: prepare aws-instance, aws-network-setup to EUSC AWS partition, migrate Terragrunt cli usage

Author: matihost

.pre-commit-config.yaml

@@ -30,7 +30,7 @@ repos:
   rev: v0.1.30
   hooks:
   - id: tofu-fmt
-  - id: tofu-validate
+  # - id: tofu-validate
   - id: terragrunt-hcl-fmt
   - id: markdown-link-check
   - id: gofmt

terraform/aws/aws-alb/module/webserver.tf

@@ -22,6 +22,12 @@ data "aws_ami" "ubuntu" {
     values = [var.ec2_architecture]
   }
 
+  # "most_recent" is set to "true" and results are not filtered by owner or
+  # image ID. With this configuration, a third party may introduce a new image
+  # which will be returned by this data source. Filter by owner or image ID to
+  # avoid this possibility.
+  allow_unsafe_filter = true # it is safe when search is by owner-alias or owners
+
   owners = ["099720109477"] # Canonical
 }
 

terraform/aws/aws-iam-linked/stage/eusc.hcl

@@ -35,7 +35,6 @@ provider "aws" {
 EOF
 }
 
-
 terraform {
   extra_arguments "common_vars" {
     commands = get_terraform_commands_that_need_vars()

terraform/aws/aws-instana/module/agent.tf

@@ -65,6 +65,11 @@ data "aws_ami" "image" {
     values = [var.ec2_architecture]
   }
 
+  # "most_recent" is set to "true" and results are not filtered by owner or
+  # image ID. With this configuration, a third party may introduce a new image
+  # which will be returned by this data source. Filter by owner or image ID to
+  # avoid this possibility.
+  allow_unsafe_filter = true # it is safe when search is by owner-alias or owners
 
   dynamic "filter" {
     for_each = var.ec2_ami_account_alias != "" ? [1] : []

terraform/aws/aws-instance/Makefile

@@ -4,70 +4,77 @@ SHELL := /usr/bin/env bash
 DEBUG := false
 ifeq ($(strip $(DEBUG)),true)
 	TF_LOG := DEBUG
-	TG_FLAGS := --terragrunt-debug
+	TG_FLAGS := --inputs-debug
 endif
 
 MODE := apply
 ifeq ($(strip $(MODE)),apply)
-	MODE_STR := apply -auto-approve
+	MODE_STR := --non-interactive -- apply -auto-approve
 else ifeq ($(strip $(MODE)),destroy)
-	MODE_STR := destroy -auto-approve
+	MODE_STR := --non-interactive -- destroy -auto-approve
 else
-	MODE_STR := plan
+	MODE_STR := --non-interactive -- plan
 endif
 
+PARTITION := aws
 
 ENV := dev
 
+ifeq ($(strip $(PARTITION)),eusc)
+	DEPLOY_PATH := stage/eusc/$(ENV)
+else
+	DEPLOY_PATH := stage/$(ENV)
+endif
+
 init: prepare
-	cd stage/$(ENV) && terragrunt run-all init -upgrade=true
+	cd $(DEPLOY_PATH) && terragrunt run --all -- init -upgrade=true
 
 run-one: prepare ## setup one EC2 instance from environment, usage: make run-one INSTANCE=instance-ubuntu [ENV=dev] [MODE=apply]
 ifndef INSTANCE
 	$(error Env INSTANCE is not defined. Usage make run-one ENV=dev INSTANCE=ubuntu)
 endif
-	cd stage/$(ENV)/${INSTANCE} && terragrunt init -upgrade=true && terragrunt validate && terragrunt $(MODE_STR) --non-interactive $(TG_FLAGS)
+	cd $(DEPLOY_PATH)/${INSTANCE} && terragrunt init -upgrade=true && terragrunt validate && terragrunt $(MODE_STR) $(TG_FLAGS)
 
 run: init ## setup EC2 instances for environment, usage: make run [ENV=dev] [MODE=apply]
-	@cd stage/$(ENV) && terragrunt run-all validate && terragrunt run-all $(MODE_STR) --non-interactive $(TG_FLAGS)
+	@cd $(DEPLOY_PATH) && terragrunt run --all validate && terragrunt run --all $(MODE_STR) $(TG_FLAGS)
 
 ssh: ## ssh to EC2 instance
 ifndef INSTANCE
 	$(error Env INSTANCE is not defined. Usage make ssh ENV=dev INSTANCE=ubuntu)
 endif
-	ssh -o StrictHostKeyChecking=accept-new -i ~/.ssh/id_rsa.aws.vm ubuntu@$(shell cd stage/$(ENV)/${INSTANCE} && terragrunt output ec2_dns)
+	ssh -o StrictHostKeyChecking=accept-new -i ~/.ssh/id_rsa.aws.vm ubuntu@$(shell cd $(DEPLOY_PATH)/${INSTANCE} && terragrunt output ec2_dns)
 
 ssm-ssh: ## ssh to EC2 instance over SSM SSH
 ifndef INSTANCE
 	$(error Env INSTANCE is not defined. Usage make ssm-ssh ENV=dev INSTANCE=ubuntu)
 endif
-	aws ssm start-session --target "$(shell cd stage/$(ENV)/${INSTANCE} && terragrunt output ec2_id)"
+	aws ssm start-session --target "$(shell cd $(DEPLOY_PATH)/${INSTANCE} && terragrunt output ec2_id)"
 
 destroy-instance: ## terminate instance
 ifndef INSTANCE
 	$(error Env INSTANCE is not defined. Usage make destroy-instance ENV=dev INSTANCE=ubuntu)
 endif
-	aws ec2 terminate-instances --instance-ids "$(shell cd stage/$(ENV)/${INSTANCE} && terragrunt output ec2_id)"
+	aws ec2 terminate-instances --instance-ids "$(shell cd $(DEPLOY_PATH)/${INSTANCE} && terragrunt output ec2_id)"
 
 show-instance-startup-logs: # show EC2 cloud-init startup logs
 ifndef INSTANCE
 	$(error Env INSTANCE is not defined. Usage make destroy-instance ENV=dev INSTANCE=ubuntu)
 endif
-	ssh -o StrictHostKeyChecking=accept-new -i ~/.ssh/id_rsa.aws.vm ubuntu@$(shell cd stage/$(ENV)/${INSTANCE} && terragrunt output ec2_dns) cat /var/log/cloud-init-output.log
+	ssh -o StrictHostKeyChecking=accept-new -i ~/.ssh/id_rsa.aws.vm ubuntu@$(shell cd $(DEPLOY_PATH)/${INSTANCE} && terragrunt output ec2_dns) cat /var/log/cloud-init-output.log
 
 show-instance-startup-script: # show EC2 cloud-init startup script
 ifndef INSTANCE
 	$(error Env INSTANCE is not defined. Usage make destroy-instance ENV=dev INSTANCE=ubuntu)
 endif
-	ssh -o StrictHostKeyChecking=accept-new -i ~/.ssh/id_rsa.aws.vm ubuntu@$(shell cd stage/$(ENV)/${INSTANCE} && terragrunt output ec2_dns) sudo cat /var/lib/cloud/instance/cloud-config.txt
+	ssh -o StrictHostKeyChecking=accept-new -i ~/.ssh/id_rsa.aws.vm ubuntu@$(shell cd $(DEPLOY_PATH)/${INSTANCE} && terragrunt output ec2_dns) sudo cat /var/lib/cloud/instance/cloud-config.txt
 
 
 test: ## test Nginx instance
-	curl http://$(shell cd stage/$(ENV)/${INSTANCE} && terragrunt output ec2_dns):80
+	curl http://$(shell cd $(DEPLOY_PATH)/${INSTANCE} && terragrunt output ec2_dns):80
 
 
 show-state: ## show state
-	cd stage/$(ENV)/${INSTANCE} && terragrunt state list && terragrunt show
+	cd $(DEPLOY_PATH)/${INSTANCE} && terragrunt state list && terragrunt show
 
 
 clean: ## clean cached plugins and data

terraform/aws/aws-instance/README.md

@@ -17,7 +17,7 @@ Use  AWS resources eliglible to AWS Free Tier __only__.
 
 ```bash
 # setup all instance for particular env
-make run [ENV=dev] [MODE=apply]
+make run [ENV=dev/default] [MODE=apply] [PARTITION=eusc]
 
 # deploy single instance
 make run-one ENV=dev INSTANCE=windows

terraform/aws/aws-instance/module/ec2.tf

@@ -94,6 +94,11 @@ data "aws_ami" "image" {
     values = [var.ec2_architecture]
   }
 
+  # "most_recent" is set to "true" and results are not filtered by owner or
+  # image ID. With this configuration, a third party may introduce a new image
+  # which will be returned by this data source. Filter by owner or image ID to
+  # avoid this possibility.
+  allow_unsafe_filter = true # it is safe when search is by owner-alias or owners
 
   dynamic "filter" {
     for_each = var.ec2_ami_account_alias != "" ? [1] : []

terraform/aws/aws-instance/module/variables.tf

@@ -102,12 +102,22 @@ variable "region" {
   description = "Preffered AWS region where resource need to be placed"
 }
 
+# tflint-ignore: terraform_unused_declarations
+variable "partition" {
+  type        = string
+  description = "The AWS partition in which to create resources"
+  default     = "aws"
+}
+
+
 # tflint-ignore: terraform_unused_declarations
 variable "aws_tags" {
   type        = map(string)
   description = "AWS tags"
+  default     = {}
 }
 
+
 variable "instance_profile" {
   default     = ""
   type        = string

terraform/aws/aws-instance/stage/eusc.hcl

@@ -0,0 +1,55 @@
+locals {
+  bucket  = "${local.account}-terraform-state"
+  account = "${run_cmd("--terragrunt-quiet", "aws", "sts", "get-caller-identity", "--query", "\"Account\"", "--output", "text")}"
+  region  = "eusc-de-east-1"
+  zone    = "eusc-de-east-1a"
+}
+
+remote_state {
+  backend = "s3"
+  generate = {
+    path      = "state.tf"
+    if_exists = "overwrite_terragrunt"
+  }
+  config = {
+    bucket = local.bucket
+    key    = "${basename(abspath("${get_parent_terragrunt_dir()}/.."))}/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/terraform.tfstate"
+    region = local.region
+    # TODO play with it... maybe not in free tier
+    # encrypt        = true
+    # dynamodb_table = "my-lock-table"
+  }
+}
+
+
+generate "provider" {
+  path      = "provider.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<EOF
+provider "aws" {
+  region  = var.region
+  default_tags {
+    tags = var.aws_tags
+  }
+}
+EOF
+}
+
+terraform {
+  extra_arguments "common_vars" {
+    commands = get_terraform_commands_that_need_vars()
+
+    env_vars = {
+      TF_VAR_terraform_state_bucket = local.bucket
+    }
+  }
+}
+
+inputs = {
+  account = local.account
+  region  = local.region
+  zone    = local.zone
+
+  partition = "aws-eusc"
+
+}

terraform/aws/aws-instance/stage/eusc/default/ubuntu/ec2.cloud-init.tpl

@@ -0,0 +1,19 @@
+#cloud-config
+# EC2 location of cloud-init configuration: /var/lib/cloud/instance/cloud-config.txt
+# Cloud-init output logs: /var/log/cloud-init-output.log
+---
+repo_update: true
+repo_upgrade: all
+
+packages:
+ - nginx
+ - plocate
+
+# cloud-init creates a final script in: /var/lib/cloud/instance/scripts/runcmd
+runcmd:
+ - systemctl enable --now nginx
+ - echo -n "${ssh_pub}" |base64 -d > /home/ubuntu/.ssh/id_rsa.pub
+ - echo -n "${ssh_key}" |base64 -d > /home/ubuntu/.ssh/id_rsa
+ - cat /home/ubuntu/.ssh/id_rsa.pub >> /home/ubuntu/.ssh/authorized_keys
+ - 'chown ubuntu:ubuntu /home/ubuntu/.ssh/id_rsa*'
+ - chmod 400 /home/ubuntu/.ssh/id_rsa