276 lines
9.4 KiB
HCL
276 lines
9.4 KiB
HCL
# project
|
|
variable "identifier" {
|
|
type = string
|
|
description = <<-EOT
|
|
A random string used to uniquely identify resources in this project.
|
|
Servers will receive a tag 'Id' with this value.
|
|
EOT
|
|
}
|
|
variable "owner" {
|
|
type = string
|
|
description = <<-EOT
|
|
An identifier for the person or group responsible for the resources created.
|
|
A tag 'Owner' will be added to the servers with this value.
|
|
EOT
|
|
}
|
|
variable "project_name" {
|
|
type = string
|
|
description = <<-EOT
|
|
A name for the project, used as a prefix for resource names.
|
|
EOT
|
|
}
|
|
variable "domain" {
|
|
type = string
|
|
description = <<-EOT
|
|
The host for this project, should not include the zone.
|
|
The zone for this domain must already exist in AWS and should be specified in the 'zone' variable.
|
|
If left empty this will default to the project name.
|
|
eg. "test" in "test.example.com"
|
|
EOT
|
|
}
|
|
variable "zone" {
|
|
type = string
|
|
description = <<-EOT
|
|
The Route53 DNS zone to deploy the cluster into.
|
|
The zone must already exist and have propagated.
|
|
EOT
|
|
}
|
|
variable "skip_project_cert_generation" {
|
|
type = bool
|
|
description = <<-EOT
|
|
This allows a user to skip generating a TLS cert in Terraform using the Acme provider.
|
|
This is useful when configuring Cert Manager to supply TLS certs.
|
|
EOT
|
|
default = false
|
|
}
|
|
# access
|
|
variable "key_name" {
|
|
type = string
|
|
description = <<-EOT
|
|
The name of an AWS key pair to use for SSH access to the instance.
|
|
This key should already be added to your ssh agent for server authentication.
|
|
EOT
|
|
}
|
|
variable "key" {
|
|
type = string
|
|
description = <<-EOT
|
|
The contents of an AWS key pair to use for SSH access to the instance.
|
|
This is necessary for installing rke2 on the nodes and will be removed after installation.
|
|
EOT
|
|
}
|
|
variable "username" {
|
|
type = string
|
|
description = <<-EOT
|
|
The username to use for SSH access to the instance.
|
|
EOT
|
|
}
|
|
variable "admin_ip" {
|
|
type = string
|
|
description = <<-EOT
|
|
The IP address of the server running Terraform.
|
|
EOT
|
|
}
|
|
# rke2
|
|
variable "rke2_version" {
|
|
type = string
|
|
description = <<-EOT
|
|
The version of rke2 to install on the nodes.
|
|
EOT
|
|
}
|
|
variable "local_file_path" {
|
|
type = string
|
|
description = <<-EOT
|
|
A local path to store files related to the install.
|
|
Needs to be isolated from the terraform files and state.
|
|
EOT
|
|
default = "./rke2"
|
|
}
|
|
variable "install_method" {
|
|
type = string
|
|
description = <<-EOT
|
|
The method to use for installing rke2 on the nodes.
|
|
Can be either 'rpm' or 'tar'.
|
|
EOT
|
|
}
|
|
variable "cni" {
|
|
type = string
|
|
description = <<-EOT
|
|
The CNI plugin to use for the cluster.
|
|
EOT
|
|
}
|
|
variable "node_configuration" {
|
|
type = map(object({
|
|
type = string
|
|
size = string
|
|
os = string
|
|
indirect_access = bool
|
|
initial = bool
|
|
}))
|
|
description = <<-EOT
|
|
A map of configuration options for the nodes to constitute the cluster.
|
|
Only one node should have the "initial" attribute set to true.
|
|
Be careful which node you decide to start the cluster,
|
|
it must host the database for others to be able to join properly.
|
|
There are 5 types of node: 'all-in-one', 'control-plane', 'worker', 'database', 'api'.
|
|
'all-in-one' nodes have all roles (control-plane, worker, etcd)
|
|
'control-plane' nodes have the api (control-plane) and database (etcd) roles
|
|
'worker' nodes have just the 'worker' role
|
|
'database' nodes have only the database (etcd) role
|
|
'api' nodes have only the api (control-plane) server role
|
|
By default we will set taints to prevent non-component workloads
|
|
from running on database, api, and control-plane nodes.
|
|
Size correlates to the server size options from the server module:
|
|
https://github.com/rancher/terraform-aws-server/blob/main/modules/server/types.tf
|
|
We recommend using the size nodes that best fit your use case:
|
|
https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/installation-requirements#rke2-kubernetes
|
|
OS correlates to the server image options from the server module:
|
|
https://github.com/rancher/terraform-aws-server/blob/main/modules/image/types.tf
|
|
We recommend using the same os for all servers, we don't currently test for clusters with mixed OS types.
|
|
Indirect access refers to how the cluster will be load balanced,
|
|
some admins are ok with every server in the cluster responding to inbound requests since the built in proxy will redirect,
|
|
but that isn't always the best choice since some nodes (like database nodes and secure workers)
|
|
are better to restrict to internal access only.
|
|
Setting this value to true will allow the network load balancer to direct traffic to the node.
|
|
Setting this value to false will prevent the load balancer from directing traffic to the node.
|
|
EOT
|
|
default = {
|
|
"initial" = {
|
|
type = "all-in-one"
|
|
size = "medium"
|
|
os = "sle-micro-60"
|
|
indirect_access = true
|
|
initial = true
|
|
}
|
|
}
|
|
}
|
|
# Rancher
|
|
variable "cert_manager_version" {
|
|
type = string
|
|
description = <<-EOT
|
|
The version of cert-manager to install.
|
|
EOT
|
|
default = "v1.18.1" # "v1.13.1" # "1.16.3"
|
|
}
|
|
variable "tls_cert_name" {
|
|
type = string
|
|
description = <<-EOT
|
|
The name of an AWS IAM Server Certificate where the public cert is stored.
|
|
This is only used when supplying your own TLS certificate.
|
|
EOT
|
|
default = ""
|
|
}
|
|
variable "tls_cert_key" {
|
|
type = string
|
|
description = <<-EOT
|
|
The name of an AWS SecretsManager Secret where the private key is stored.
|
|
This is only used when supplying your own TLS certificate.
|
|
EOT
|
|
default = ""
|
|
}
|
|
variable "rancher_version" {
|
|
type = string
|
|
description = <<-EOT
|
|
The version of rancher to install.
|
|
EOT
|
|
default = "2.11.2"
|
|
}
|
|
variable "rancher_helm_repo" {
|
|
type = string
|
|
description = <<-EOT
|
|
The Helm repository to retrieve charts from.
|
|
EOT
|
|
default = "https://releases.rancher.com/server-charts"
|
|
}
|
|
variable "rancher_helm_channel" {
|
|
type = string
|
|
description = <<-EOT
|
|
The Helm repository channel retrieve charts from.
|
|
Can be "latest" or "stable", defaults to "stable".
|
|
EOT
|
|
default = "stable"
|
|
}
|
|
variable "bootstrap_rancher" {
|
|
type = bool
|
|
description = <<-EOT
|
|
Whether or not to install Rancher, defaults to true.
|
|
This mostly exists to provide a convenient way to generate RKE2 clusters that are Rancher compatible.
|
|
For a more robust solution check out the terraform-aws-rke2 module.
|
|
EOT
|
|
default = true
|
|
}
|
|
variable "install_cert_manager" {
|
|
type = bool
|
|
description = <<-EOT
|
|
Whether or not to install Cert Manager, defaults to true.
|
|
This mostly exists for testing purposes.
|
|
EOT
|
|
default = true
|
|
}
|
|
variable "configure_cert_manager" {
|
|
type = bool
|
|
description = <<-EOT
|
|
Whether or not to configure cert manager with AWS access keys.
|
|
If left false, we will use the certificate generated by Terraform with the cluster.
|
|
EOT
|
|
default = false
|
|
}
|
|
variable "cert_manager_configuration" {
|
|
type = object({
|
|
aws_access_key_id = string
|
|
aws_secret_access_key = string
|
|
aws_region = string
|
|
aws_session_token = string
|
|
acme_email = string
|
|
acme_server_url = string
|
|
})
|
|
description = <<-EOT
|
|
The AWS access key information necessary to configure cert-manager.
|
|
This should have the limited access as found in the cert-manager documentation.
|
|
https://cert-manager.io/docs/configuration/acme/dns01/route53/#iam-user-with-long-term-access-key
|
|
This is an optional parameter, when not specified we will use the certificate that was generated with the project.
|
|
EOT
|
|
default = {
|
|
aws_access_key_id = ""
|
|
aws_secret_access_key = ""
|
|
aws_region = ""
|
|
aws_session_token = ""
|
|
acme_email = ""
|
|
acme_server_url = ""
|
|
}
|
|
sensitive = true
|
|
}
|
|
variable "rancher_helm_chart_use_strategy" {
|
|
type = string
|
|
description = <<-EOT
|
|
The strategy to use for Rancher's Helm chart values.
|
|
Options include: "default", "merge", or "provide".
|
|
Default will tell the module to use our suggested default configuration.
|
|
Merge will merge our default suggestions with your supplied configuration, anything you supply will override the default.
|
|
Provide will ignore our default suggestions and use the configuration provided in the rancher_helm_chart_values argument.
|
|
EOT
|
|
default = "default"
|
|
validation {
|
|
condition = contains(["default", "merge", "provide"], var.rancher_helm_chart_use_strategy)
|
|
error_message = "Must be one of 'default', 'merge', or 'provide'."
|
|
}
|
|
}
|
|
variable "rancher_helm_chart_values" {
|
|
type = map(any)
|
|
description = <<-EOT
|
|
A key/value map of Helm arguments to pass to the Rancher helm chart.
|
|
This will be ignored if the rancher_helm_chart_use_strategy argument is set to "default".
|
|
eg.
|
|
{
|
|
"hostname" = local.rancher_domain
|
|
"replicas" = "1"
|
|
"bootstrapPassword" = "admin"
|
|
"ingress.enabled" = "true"
|
|
"ingress.tls.source" = "secret"
|
|
"ingress.tls.secretName" = "tls-rancher-ingress"
|
|
"privateCA" = "true"
|
|
"agentTLSMode" = "system-store"
|
|
}
|
|
EOT
|
|
default = {}
|
|
}
|