This helper module manages a cloud-config configuration that can start a container on Container Optimized OS (COS). Either a complete cloud-config template can be provided via the cloud_config variable with optional template variables via the config_variables, or a generic cloud-config can be generated based on typical parameters needed to start a container.
Logging can be enabled via the Google Cloud Logging docker driver using the gcp_logging variable. This is enabled by default, but requires that the service account running the COS instance have the roles/logging.logWriter IAM role or equivalent permissions on the project. If it doesn't, the container will fail to start unless this is disabled.
The module renders the generated cloud config in the cloud_config output, which can be directly used in instances or instance templates via the user-data metadata attribute.
This example will create a cloud-config that starts Envoy Proxy and expose it on port 80. For a complete example, look at the sibling envoy-traffic-director module that uses this module to start Envoy Proxy and connect it to Traffic Director.
module "cos-envoy" {
source = "./modules/cos-generic-metadata"
container_image = "envoyproxy/envoy:v1.14.1"
container_name = "envoy"
container_args = "-c /etc/envoy/envoy.yaml --log-level info --allow-unknown-static-fields"
container_volumes = [
{ host = "/etc/envoy/envoy.yaml", container = "/etc/envoy/envoy.yaml" }
]
docker_args = "--network host --pid host"
files = {
"/var/run/envoy/customize.sh" = {
content = file("customize.sh")
owner = "root"
permissions = "0744"
}
"/etc/envoy/envoy.yaml" = {
content = file("envoy.yaml")
owner = "root"
permissions = "0644"
}
}
run_commands = [
"iptables -t nat -N ENVOY_IN_REDIRECT",
"iptables -t nat -A ENVOY_IN_REDIRECT -p tcp -j REDIRECT --to-port 15001",
"iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j ENVOY_IN_REDIRECT",
"iptables -t filter -A INPUT -p tcp -m tcp --dport 15001 -m state --state NEW,ESTABLISHED -j ACCEPT",
"/var/run/envoy/customize.sh",
"systemctl daemon-reload",
"systemctl start envoy",
]
users = [
{
username = "envoy",
uid = 1337
}
]
}| name | description | type | required | default |
|---|---|---|---|---|
| container_image | Container image. | string |
✓ | |
| authenticate_gcr | Setup docker to pull images from private GCR. Requires at least one user since the token is stored in the home of the first user defined. | bool |
false |
|
| boot_commands | List of cloud-init bootcmds. |
list(string) |
[] |
|
| cloud_config | Cloud config template path. If provided, takes precedence over all other arguments. | string |
null |
|
| config_variables | Additional variables used to render the template passed via cloud_config. |
map(any) |
{} |
|
| container_args | Arguments for container. | string |
"" |
|
| container_name | Name of the container to be run. | string |
"container" |
|
| container_volumes | List of volumes. | list(object({…})) |
[] |
|
| docker_args | Extra arguments to be passed for docker. | string |
null |
|
| file_defaults | Default owner and permissions for files. | object({…}) |
{…} |
|
| files | Map of extra files to create on the instance, path as key. Owner and permissions will use defaults if null. | map(object({…})) |
{} |
|
| gcp_logging | Should container logs be sent to Google Cloud Logging. | bool |
true |
|
| run_commands | List of cloud-init runcmds. |
list(string) |
[] |
|
| users | List of usernames to be created. If provided, first user will be used to run the container. | list(object({…})) |
[…] |
| name | description | sensitive |
|---|---|---|
| cloud_config | Rendered cloud-config file to be passed as user-data instance metadata. |