wip

.gitignore

@@ -29,4 +29,7 @@ override.tf.json
 # example: *tfplan*
 
 # ides
-.idea
+.idea
+
+# Generated
+*.pem

data.tf

@@ -1,43 +1,43 @@
-data "template_cloudinit_config" "this" {
-  count = var.server_count
-
-  gzip          = true
-  base64_encode = true
-
-  # Main cloud-init config file
-  part {
-    filename     = "cloud-config.yaml"
-    content_type = "text/cloud-config"
-    content = templatefile("${path.module}/files/cloud-config.yaml", {
-      ssh_authorized_keys = var.ssh_authorized_keys
-    })
-  }
-
-  part {
-    filename     = "00_cfg.sh"
-    content_type = "text/x-shellscript"
-    content = templatefile("${path.module}/files/server.sh", {
-      server_index = count.index
-      server_lb    = module.cp_lb.dns
-
-      args = {
-        "token" = random_password.token.result
-      }
-
-      list_args = {
-        "tls-san" = [module.cp_lb.dns]
-      }
-
-      # User defined config
-      config = var.rke2_config
-    })
-  }
-
-  part {
-    filename     = "01_rke2.sh"
-    content_type = "text/x-shellscript"
-    content = templatefile("${path.module}/common/rke2.sh", {
-      type = "server"
-    })
-  }
-}
+//data "template_cloudinit_config" "this" {
+//  count = var.server_count
+//
+//  gzip          = true
+//  base64_encode = true
+//
+//  # Main cloud-init config file
+//  part {
+//    filename     = "cloud-config.yaml"
+//    content_type = "text/cloud-config"
+//    content = templatefile("${path.module}/files/cloud-config.yaml", {
+//      ssh_authorized_keys = var.ssh_authorized_keys
+//    })
+//  }
+//
+//  part {
+//    filename     = "00_cfg.sh"
+//    content_type = "text/x-shellscript"
+//    content = templatefile("${path.module}/files/server.sh", {
+//      server_index = count.index
+//      server_lb    = module.cp_lb.dns
+//
+//      args = {
+//        "token" = random_password.token.result
+//      }
+//
+//      list_args = {
+//        "tls-san" = [module.cp_lb.dns]
+//      }
+//
+//      # User defined config
+//      config = var.rke2_config
+//    })
+//  }
+//
+//  part {
+//    filename     = "01_rke2.sh"
+//    content_type = "text/x-shellscript"
+//    content = templatefile("${path.module}/common/rke2.sh", {
+//      type = "server"
+//    })
+//  }
+//}

examples/cloud-enabled/main.tf

@@ -38,8 +38,9 @@ resource "tls_private_key" "ssh" {
 }
 
 resource "local_file" "ssh_pem" {
-  filename = "${local.name}.pem"
-  content  = tls_private_key.ssh.private_key_pem
+  filename        = "${local.name}.pem"
+  content         = tls_private_key.ssh.private_key_pem
+  file_permission = "0600"
 }
 
 # IAM Policies

examples/quickstart/main.tf

@@ -38,8 +38,9 @@ resource "tls_private_key" "ssh" {
 }
 
 resource "local_file" "pem" {
-  filename = "${local.name}.pem"
-  content  = tls_private_key.ssh.private_key_pem
+  filename        = "${local.name}.pem"
+  content         = tls_private_key.ssh.private_key_pem
+  file_permission = "0600"
 }
 
 #

main.tf

@@ -23,43 +23,29 @@ module "cp_lb" {
 }
 
 #
-# Server Nodes
+# Server Nodepool
 #
-resource "aws_instance" "servers" {
-  count = var.server_count
-
-  ami                  = var.ami
-  instance_type        = var.instance_type
-  subnet_id            = var.subnets[0]
-  user_data_base64     = data.template_cloudinit_config.this[count.index].rendered
-  iam_instance_profile = var.iam_instance_profile
-
-  vpc_security_group_ids = [aws_security_group.cluster.id, aws_security_group.server.id]
-
-  root_block_device {
-    volume_size = var.block_device_mappings.size
-    volume_type = "gp2"
-    encrypted   = var.block_device_mappings.encrypted
+module "servers" {
+  source              = "./modules/server-nodepool"
+  name                = "server"
+  vpc_id              = var.vpc_id
+  subnets             = var.subnets
+  ami                 = var.ami
+  ssh_authorized_keys = var.ssh_authorized_keys
+
+  cluster_data = {
+    name                   = var.name
+    server_dns             = module.cp_lb.dns
+    cluster_security_group = aws_security_group.cluster.id
+    token                  = random_password.token.result
   }
 
-  tags = merge({
-    "Name" = "${var.name}-server-${count.index}"
-    "Role" = "server"
-  }, local.ccm_tags, var.tags)
-}
-
-resource "aws_lb_target_group_attachment" "server_tg_attachments" {
-  count = length(aws_instance.servers)
+  server_tg_arn            = module.cp_lb.server_tg_arn
+  server_supervisor_tg_arn = module.cp_lb.server_supervisor_tg_arn
 
-  target_group_arn = module.cp_lb.server_tg_arn
-  target_id        = aws_instance.servers[count.index].id
-}
-
-resource "aws_lb_target_group_attachment" "server_supervisor_tg_attachments" {
-  count = length(aws_instance.servers)
-
-  target_group_arn = module.cp_lb.server_supervisor_tg_arn
-  target_id        = aws_instance.servers[count.index].id
+  tags = merge({
+    "Role" = "Server",
+  }, var.tags)
 }
 
 #
@@ -95,34 +81,3 @@ resource "aws_security_group_rule" "cluster_egress" {
   type              = "egress"
   cidr_blocks       = ["0.0.0.0/0"]
 }
-
-#
-# Shared Server Security Group
-#
-resource "aws_security_group" "server" {
-  name        = "${var.name}-server"
-  description = "Shared ${var.name} server security group"
-  vpc_id      = var.vpc_id
-
-  tags = merge({
-    "kubernetes.io/cluster/${var.name}" = "owned",
-  }, local.ccm_tags, var.tags)
-}
-
-resource "aws_security_group_rule" "server_cp" {
-  from_port         = 6443
-  to_port           = 6443
-  protocol          = "tcp"
-  security_group_id = aws_security_group.server.id
-  type              = "ingress"
-  cidr_blocks       = ["0.0.0.0/0"]
-}
-
-resource "aws_security_group_rule" "server_cp_supervisor" {
-  from_port         = 9345
-  to_port           = 9345
-  protocol          = "tcp"
-  security_group_id = aws_security_group.server.id
-  type              = "ingress"
-  cidr_blocks       = ["0.0.0.0/0"]
-}

modules/agent-nodepool/data.tf

@@ -12,21 +12,21 @@ data "template_cloudinit_config" "this" {
   }
 
   part {
-    filename     = "00_cfg.sh"
+    filename     = "00_download.sh"
     content_type = "text/x-shellscript"
-    content = templatefile("${path.module}/files/agent.sh", {
-      token  = var.cluster_data.token
-      server = var.cluster_data.server_url
-
-      config = var.rke2_config
+    content = templatefile("${path.module}/../common/download.sh", {
+      type = "agent"
     })
   }
 
   part {
     filename     = "01_rke2.sh"
     content_type = "text/x-shellscript"
-    content = templatefile("${path.module}/../../common/rke2.sh", {
-      type = "agent"
+    content = templatefile("${path.module}/files/agent.sh", {
+      server = var.cluster_data.server_url
+      token  = var.cluster_data.token
+
+      config = var.rke2_config
     })
   }
 }

modules/agent-nodepool/files/agent.sh

@@ -1,16 +1,44 @@
 #!/bin/bash
 set -e
 
-build_config() {
+if [ "$${DEBUG}" == 2 ]; then
+  set -x
+fi
+
+# info logs the given argument at info log level.
+info() {
+    echo "[INFO] " "$@"
+}
+
+# warn logs the given argument at warn log level.
+warn() {
+    echo "[WARN] " "$@" >&2
+}
+
+# fatal logs the given argument at fatal log level.
+fatal() {
+    echo "[ERROR] " "$@" >&2
+    exit 1
+}
+
+config() {
   mkdir -p "/etc/rancher/rke2"
   cat <<-EOF > "/etc/rancher/rke2/config.yaml"
-token: ${token}
-server: ${server}
+server: "${server}"
+token: "${token}"
 
 ${config}
 EOF
 }
 
+start() {
+  config
+
+  systemctl enable "rke2-agent"
+  systemctl daemon-reload
+  systemctl start "rke2-agent"
+}
+
 {
-  build_config
+  start
 }

modules/nodepool/main.tf

@@ -0,0 +1,82 @@
+#
+# Launch template
+#
+resource "aws_launch_template" "this" {
+  name                   = "${var.name}-rke2-nodepool"
+  image_id               = var.ami
+  instance_type          = var.instance_type
+  user_data              = var.userdata
+  vpc_security_group_ids = var.vpc_security_group_ids
+
+  block_device_mappings {
+    device_name = "/dev/sda1"
+    ebs {
+      volume_size           = var.block_device_mappings.size
+      encrypted             = var.block_device_mappings.encrypted
+      delete_on_termination = true
+    }
+  }
+
+  dynamic "iam_instance_profile" {
+    for_each = var.iam_instance_profile != "" ? [var.iam_instance_profile] : []
+    content {
+      name = iam_instance_profile.value
+    }
+  }
+
+  tags = var.tags
+}
+
+#
+# Autoscaling group
+#
+resource "aws_autoscaling_group" "this" {
+  name                = "${var.name}-rke2-nodepool"
+  vpc_zone_identifier = var.subnets
+
+  min_size         = var.asg.min
+  max_size         = var.asg.max
+  desired_capacity = var.asg.desired
+
+  # Health check and target groups dependent on whether we're a server or not (identified via k3s_url)
+  health_check_type = var.health_check_type
+  target_group_arns = var.target_group_arns
+
+  dynamic "launch_template" {
+    for_each = var.spot ? [] : ["spot"]
+
+    content {
+      id      = aws_launch_template.this.id
+      version = "$Latest"
+    }
+  }
+
+  dynamic "mixed_instances_policy" {
+    for_each = var.spot ? ["spot"] : []
+
+    content {
+      instances_distribution {
+        on_demand_base_capacity                  = 0
+        on_demand_percentage_above_base_capacity = 0
+      }
+
+      launch_template {
+        launch_template_specification {
+          launch_template_id   = aws_launch_template.this.id
+          launch_template_name = aws_launch_template.this.name
+          version              = "$Latest"
+        }
+      }
+    }
+  }
+
+  dynamic "tag" {
+    for_each = var.tags
+
+    content {
+      key                 = tag.key
+      value               = tag.value
+      propagate_at_launch = true
+    }
+  }
+}