Terraform

Dockerfile

@@ -84,26 +84,23 @@ FROM debian:buster
 
 RUN apt-get update && apt-get install -y git ca-certificates jq bash --no-install-recommends
 
-# Make a copy in /usr/local/go-faketime where the standard library
-# is installed with -tags=faketime.
-COPY --from=build-go /usr/local/go /usr/local/go-faketime
 
 ENV CGO_ENABLED 0
 ENV GOPATH /go
 ENV GOROOT /usr/local/go-faketime
 ARG GO_VERSION
 ENV GO_VERSION ${GO_VERSION}
-ENV PATH="/go/bin:/usr/local/go-faketime/bin:${PATH}"
+
 
 WORKDIR /usr/local/go-faketime
 # golang/go#57495: install std to warm the build cache. We only set
 # GOCACHE=/gocache here to keep it as small as possible, since it must be
 # copied on every build.
-RUN GOCACHE=/gocache ./bin/go install --tags=faketime std
+RUN GOCACHE=/gocache ./bin/go install std
 # Ignore the exit code. go vet std does not pass vet with the faketime
 # patches, but it successfully caches results for when we vet user
 # snippets.
-RUN ./bin/go vet --tags=faketime std || true
+RUN ./bin/go vet  std || true
 
 RUN mkdir /app
 COPY --from=build-playground /go/bin /app

infra/digitalocean/README.md

@@ -16,6 +16,7 @@ docker build -t codenire-deploy .
 # we can access the UI for Nomad, Vault, Consul, Traefik etc
 docker run \
 	-e DO_TOKEN="REPLACE_ME_WITH_DIGITAL_OCEAN_TOKEN"  \
+	-e HCP_TOKEN="REPLACE_ME_WITH_TERRAFORM_TOKEN"  \
 	-v $(pwd):/codenire-deploy  \
 	-it codenire-deploy
 

infra/digitalocean/ami/id_rsa

@@ -0,0 +1,38 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
+NhAAAAAwEAAQAAAYEA1lCx2womHs61RwfXRf+3SP9+VQm4gFvETRbH65R7BiWtI0z8UxLm
+kfbQHiAPIb6JoEk3FbO/twew+6oU3ShG6Nvr0niMMgd3lbRCU9wPFhKgpgXFAAiKd8Jd37
+BWe/cE6YLps1C9m5bq00bVdsGBZogPJXjCPn+P/w22affJMpukukaOdwpb89LwrNvzdqcb
+U+15xorXaKmwXNkHTlVqlaO6yPr6xAWEmGE0gplduvFATRQe0ACdSipfzQ7472YAg52Lbr
+cD/FbhRjYZq8g6tfAjI+KR74+jHYXkB49mrP3KbfztyzVIO32798LUdUyLUtajXPw2umkl
+xapkfGBJg5FJN0Iksb0LThhsNiarGxQgHJhKQJui7cfu5p+4v1cNVRjdZkBs4lAMhWX3pf
+EgNzp5pyfoU1WzB6GLxvbHnYeGf4Zrt19Z05Wo8XXuz+JXwgEe+BCG06CsdULs+OGh/4Pj
+2aZGs9/85LZcW7eaoj9PVp6WZ77kDEWD4wdWdhzdAAAFiHCLhdtwi4XbAAAAB3NzaC1yc2
+EAAAGBANZQsdsKJh7OtUcH10X/t0j/flUJuIBbxE0Wx+uUewYlrSNM/FMS5pH20B4gDyG+
+iaBJNxWzv7cHsPuqFN0oRujb69J4jDIHd5W0QlPcDxYSoKYFxQAIinfCXd+wVnv3BOmC6b
+NQvZuW6tNG1XbBgWaIDyV4wj5/j/8Ntmn3yTKbpLpGjncKW/PS8Kzb83anG1PtecaK12ip
+sFzZB05VapWjusj6+sQFhJhhNIKZXbrxQE0UHtAAnUoqX80O+O9mAIOdi263A/xW4UY2Ga
+vIOrXwIyPike+Pox2F5AePZqz9ym387cs1SDt9u/fC1HVMi1LWo1z8NrppJcWqZHxgSYOR
+STdCJLG9C04YbDYmqxsUIByYSkCbou3H7uafuL9XDVUY3WZAbOJQDIVl96XxIDc6eacn6F
+NVswehi8b2x52Hhn+Ga7dfWdOVqPF17s/iV8IBHvgQhtOgrHVC7Pjhof+D49mmRrPf/OS2
+XFu3mqI/T1aelme+5AxFg+MHVnYc3QAAAAMBAAEAAAGAZvax3ChOFDL/SLbtqAWpCvskuL
+pI1/I+p0Kwne/iAxwKyJDuEQNdnvbTGgYQ/wdJm6ZRPq3zB348e0xFZdM57hnqfF3KDScl
+PtkxnJR28wXUBK907AUucUcCTrurcTdGNuHcYXgDAENLYmH/oGRrRNVNYZVYzSoABmuSHe
+sb0KKSS6QmQe7KKqRHWOT7XR//sxy+irKdtvz/bDwglHPZFzdoP7LE03RLNeJNlgkUzQGn
+AOEPxKLm7oDZMe1lj66S4163iLu4Pc3fibX5iPY4b97ecFetqp2lrxrr8cROZoR5iDa2vV
+Bv2sMIUIYFFipQE46hL1gXfuE8+EYsXU8HmEitoJPRJ0323DOZO8u/PkagqIf7exY818eu
+feywGyibo14TTr7SjcihajDPnFGu2pVzamfZDkOQMyUGLNhm1foj1KzuMLry2LPf0T9cYr
+cPDGj8vMjp227QAigGSIbuBzH4+vJ8+M9NHcCVg0DGM7hcB5NK+h44Jq27OfBPLAqBAAAA
+wBBuzvBNuD67B09pA4SlgC4TibE30Vf0oN8nFBzvOxPPEtTFUjk1FcPYxYX4/vmSSailFQ
+NaBEX+TirLLwh+5cn/w6xHMZ2Hm0zOMPcLJ1mh88aN5sXcj0H9/6kMMVpOwK3S0a6dW3xj
+i5bGDpUOTh02lnW36eibQuuLXB1rJnoG76g9fxXknACbuICMnkRQ31NiJE2EBFUXOlZTDY
+gm9Y9aMN7/KZfHZtaV5hHtlbg/swjhr78VjcVvSXInY350uwAAAMEA9Nk76dntJ/ogCCNk
+awr62JbnIZHKD1qt9qwsA1ikoQFPUWZ8v9vZQRjBnXEJfBlKXCGU4pKIsLoLia8yIBaRUl
+9Wq9snTHSDAa9vNcTEhhQt+Xbx44TNpuD/6VG8ow0th5l6SafOCoMcnJnxd1FZiIWTQM8g
+vTQjKj3jFwt0RzbX/y5FtDOQh1/JoKmlIIzAG98p8At46b8762+4OEtBXWJA13O1MQ/+2d
+grhWWRW0Pi29GTvNsuVYA184jMlJGRAAAAwQDgE3Z4End9bdWfApEYvRumdNfpWomTp5zl
+aRXSWuOWQ6wJN/TO/pbGmGdB9R+ciFSTZPbRf1U6QA5Vx0kptE3l9/Xy/ZprvwbCrI7its
+q+IBpXfHC21kbYUlpRCkoJD+FdLxFPq+l17lgau7c9uGLR/a9jq3COPUiWEvGiztrShsjB
+rPW4KkcIN23eT0Ir7qDflUnaAN64hb9Muz/vfbiSppY8buXpjGlTQ+TuZqTDRzP00GeOiV
+gbcdpOCmiK8I0AAAARcm9vdEBjMGY3MzdhOTlhODYBAg==
+-----END OPENSSH PRIVATE KEY-----

infra/digitalocean/ami/id_rsa.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDWULHbCiYezrVHB9dF/7dI/35VCbiAW8RNFsfrlHsGJa0jTPxTEuaR9tAeIA8hvomgSTcVs7+3B7D7qhTdKEbo2+vSeIwyB3eVtEJT3A8WEqCmBcUACIp3wl3fsFZ79wTpgumzUL2blurTRtV2wYFmiA8leMI+f4//DbZp98kym6S6Ro53Clvz0vCs2/N2pxtT7XnGitdoqbBc2QdOVWqVo7rI+vrEBYSYYTSCmV268UBNFB7QAJ1KKl/NDvjvZgCDnYtutwP8VuFGNhmryDq18CMj4pHvj6MdheQHj2as/cpt/O3LNUg7fbv3wtR1TItS1qNc/Da6aSXFqmR8YEmDkUk3QiSxvQtOGGw2JqsbFCAcmEpAm6Ltx+7mn7i/Vw1VGN1mQGziUAyFZfel8SA3OnmnJ+hTVbMHoYvG9sedh4Z/hmu3X1nTlajxde7P4lfCAR74EIbToKx1Quz44aH/g+PZpkaz3/zktlxbt5qiP09WnpZnvuQMRYPjB1Z2HN0= root@c0f737a99a86

infra/digitalocean/ami/main.tf

@@ -4,6 +4,18 @@ terraform {
       source  = "digitalocean/digitalocean"
       version = "~> 2.0"
     }
+
+    hcp = {
+      source = "hashicorp/hcp"
+      version = "~> 0.8"
+    }
+  }
+
+  cloud {
+    organization = "codenire"
+    workspaces {
+      name = "codenire-workspace"
+    }
   }
 }
 
@@ -12,6 +24,7 @@ provider "digitalocean" {
   token = var.do_token
 }
 
+
 locals {
   input_environment_enums = {
     dev = "Development",
@@ -53,13 +66,14 @@ data "digitalocean_images" "sandbox_images" {
 
 resource "digitalocean_ssh_key" "codenire_ssh" {
   name       = "Codenire SSH Key"
-  public_key = file("${var.shared_path}/config/id_rsa.pub")
+  public_key = var.do_ssh_key_pub
 }
 
 resource "digitalocean_droplet" "sandbox_server" {
-  count = var.sandbox_servers_count
+  # count = var.sandbox_servers_count
   image = data.digitalocean_images.sandbox_images.images[0].id
-  name   = "sandbox-server-${var.environment}-${count.index}"
+  # name   = "sandbox-server-${var.environment}-${count.index}"
+  name   = "sandbox-server-${var.environment}"
   region = var.do_region
   size   = var.sandbox_droplet_size
   ssh_keys  = [digitalocean_ssh_key.codenire_ssh.fingerprint]
@@ -90,7 +104,6 @@ resource "digitalocean_droplet" "playground_server" {
   ]
 }
 
-
 resource "digitalocean_project" "codenire_project" {
   name        = "Codenire ${local.project_env}"
   description = "This is Codenire Project"
@@ -99,64 +112,57 @@ resource "digitalocean_project" "codenire_project" {
   # TODO:: filter droplets by tag (environment)
   # https://chatgpt.com/share/677d64a4-68cc-800c-b321-540db0cefd28
   resources   = concat(
-    digitalocean_droplet.sandbox_server.*.urn,
+    # digitalocean_droplet.sandbox_server.*.urn,
+    [digitalocean_droplet.sandbox_server.urn],
     [digitalocean_droplet.playground_server.urn]
   )
 }
 
-resource "digitalocean_floating_ip" "codenire_ip" {
-  region = var.do_region
-}
-
-resource "digitalocean_floating_ip_assignment" "codenire_web" {
-  ip_address = digitalocean_floating_ip.codenire_ip.ip_address
-  droplet_id = digitalocean_droplet.playground_server.id
-}
-
 locals {
   sandbox_droplet_ids = concat(
-    digitalocean_droplet.sandbox_server.*.id
+    # digitalocean_droplet.sandbox_server.*.id
+    [digitalocean_droplet.sandbox_server.id]
   )
 
   all_droplets = concat(
     local.sandbox_droplet_ids,
     [digitalocean_droplet.playground_server.id]
   )
-}
-
-resource "digitalocean_loadbalancer" "sandbox_internal" {
-  name   = "sandbox-loadbalancer"
-  region = var.do_region
-  project_id = digitalocean_project.codenire_project.id
-  vpc_uuid = digitalocean_vpc.codenire_vpc.id
-
-  disable_lets_encrypt_dns_records = true
 
-  # network = "INTERNAL"
+  all_ips = ["0.0.0.0/0", "::/0"]
 
-  droplet_ids = local.sandbox_droplet_ids
-
-  forwarding_rule {
-    entry_port     = 80
-    entry_protocol = "http"
-
-    target_port     = 80
-    target_protocol = "http"
-  }
-
-  healthcheck {
-    port     = 22
-    protocol = "tcp"
-  }
-
-  firewall {
-    deny = ["cidr:1.2.0.0/16", "ip:2.3.4.5"]
-  }
+  dev_ssh_ops = var.environment == "dev" ? local.all_ips : local.all_droplets
 }
 
-
-
-# Firewall
+# resource "digitalocean_loadbalancer" "sandbox_internal" {
+#   name   = "sandbox-loadbalancer"
+#   region = var.do_region
+#   project_id = digitalocean_project.codenire_project.id
+#   vpc_uuid = digitalocean_vpc.codenire_vpc.id
+#
+#   disable_lets_encrypt_dns_records = true
+#
+#   # network = "INTERNAL"
+#
+#   droplet_ids = local.sandbox_droplet_ids
+#
+#   forwarding_rule {
+#     entry_port     = 80
+#     entry_protocol = "http"
+#
+#     target_port     = 80
+#     target_protocol = "http"
+#   }
+#
+#   healthcheck {
+#     port     = 22
+#     protocol = "tcp"
+#   }
+# }
+
+
+
+# Firewall for private sandboxes
 resource "digitalocean_firewall" "codenire_intra_traffic" {
   name = "codenire-intra-traffic"
 
@@ -178,6 +184,13 @@ resource "digitalocean_firewall" "codenire_intra_traffic" {
     source_droplet_ids = local.all_droplets
   }
 
+  # ssh access for dev env
+  inbound_rule {
+    protocol         = "tcp"
+    port_range       = "22"
+    source_addresses = local.dev_ssh_ops
+  }
+
   outbound_rule {
     protocol              = "tcp"
     port_range            = "1-65535"
@@ -195,18 +208,19 @@ resource "digitalocean_firewall" "codenire_intra_traffic" {
   }
 }
 
+# Firewall for public playground
 resource "digitalocean_firewall" "codenire_play" {
   name = "codenire-play"
 
   droplet_ids = [digitalocean_droplet.playground_server.id]
 
-
   # All tcp traffic on port 22, 80 and 443 from outside
   inbound_rule {
     protocol         = "tcp"
     port_range       = "22"
     source_addresses = ["0.0.0.0/0", "::/0"]
   }
+
   inbound_rule {
     protocol         = "tcp"
     port_range       = "80"

infra/digitalocean/ami/outputs.tf

@@ -1,10 +1,10 @@
 
 output "codenire_site" {
-  value = digitalocean_floating_ip.codenire_ip.ip_address
+  value = digitalocean_droplet.playground_server.ipv4_address
 }
 
-output "sandbox_droplet_ips" {
-  value = join(",", digitalocean_droplet.sandbox_server[*].ipv4_address_private)
+output "sandbox_droplet_ip" {
+  value = digitalocean_droplet.sandbox_server.ipv4_address_private
 }
 
 output "playground_droplet_ip" {

infra/digitalocean/ami/variables.tf

@@ -2,9 +2,8 @@ variable "do_token" {
   type = string
 }
 
-variable "shared_path" {
-  default = " /codenire-web/infra/do/shared"
-}
+variable "do_ssh_key" {}
+variable "do_ssh_key_pub" {}
 
 variable "environment" {
   type    = string
@@ -22,7 +21,7 @@ variable "playground_servers_count" {
 }
 
 variable "sandbox_servers_count" {
-  default = 2
+  default = 1
 }
 
 variable "sandbox_droplet_size" {

infra/digitalocean/code/main.tf

@@ -0,0 +1,10 @@
+terraform {
+  cloud {
+
+    organization = "codenire"
+
+    workspaces {
+      name = "codenire-services"
+    }
+  }
+}

infra/digitalocean/docker-entry.sh

@@ -12,4 +12,12 @@ export TF_VAR_do_token=$DO_TOKEN
 echo "PKR_VAR_do_token=$DO_TOKEN" >> /root/.bashrc
 export PKR_VAR_do_token=$DO_TOKEN
 
+
+if [[ -z "${TF_TOKEN}" ]]; then
+	echo "TF_TOKEN env var not set. Exiting."
+	exit 1
+fi
+export TF_TOKEN_app_terraform_io=$TF_TOKEN
+
+
 /bin/bash

infra/digitalocean/image/build.pkr.hcl

@@ -21,16 +21,13 @@ source "digitalocean" "sandbox_droplet" {
 build {
   sources = [
     "source.digitalocean.playground_droplet",
-    # "source.digitalocean.sandbox_droplet"
+    "source.digitalocean.sandbox_droplet"
   ]
 
   provisioner "shell" {
     inline = [
       "sudo mkdir /ops",
       "sudo chmod 777 /ops",
-
-      # -- extended --
-      "sudo mkdir /.ssh",
     ]
   }
 
@@ -46,10 +43,6 @@ build {
   provisioner "shell" {
     script = "../shared/scripts/${source.name}.sh"
   }
-
-  provisioner "shell" {
-    script = "../shared/scripts/plugin_builder.sh"
-  }
 }
 
 packer {