Skip to content

Commit

Permalink
Support terraform 5.1.0
Browse files Browse the repository at this point in the history
  • Loading branch information
itsdalmo committed Apr 29, 2019
1 parent 6bc87ca commit 700770d
Show file tree
Hide file tree
Showing 6 changed files with 46 additions and 36 deletions.
6 changes: 3 additions & 3 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -50,12 +50,12 @@ Or you can add it to SSM Parameter store/Secrets Manager and [aws-env](https://g
module "concourse_atc" {
# ... other configuration
github_client_id = "sm:///concourse-internal/github-oauth-client-id"
github_client_secret = "sm:///concourse-internal/github-oauth-client-secret"
github_client_id = "sm:///concourse-deployment/github-oauth-client-id"
github_client_secret = "sm:///concourse-deployment/github-oauth-client-secret"
}
```

By default the ATC will have permissions to read secrets from `/concourse-internal/*` in secrets manager (in addition to `/concourse/*` for the secrets backend).
By default the ATC will have permissions to read secrets from `/concourse-deployment/*` in secrets manager (in addition to `/concourse/*` for the secrets backend).

## Usage

Expand Down
23 changes: 12 additions & 11 deletions examples/default/example.tf
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ data "aws_subnet_ids" "main" {
}

locals {
name_prefix = "concourse-example"
instance_ami = "<packer-ami>"
postgres_password = "dolphins"
}
Expand All @@ -19,7 +20,7 @@ module "postgres" {
source = "telia-oss/rds-cluster/aws"
version = "0.3.0"

name_prefix = "example"
name_prefix = "${local.name_prefix}"
username = "superuser"
password = "${local.postgres_password}"
engine = "aurora-postgresql"
Expand All @@ -36,7 +37,7 @@ module "postgres" {
module "concourse_atc" {
source = "../../modules/atc"

name_prefix = "example"
name_prefix = "${local.name_prefix}"
web_protocol = "HTTP"
web_port = "80"
authorized_cidr = ["0.0.0.0/0"]
Expand All @@ -51,23 +52,23 @@ module "concourse_atc" {
postgres_database = "${module.postgres.database_name}"
encryption_key = ""
instance_ami = "${local.instance_ami}"
github_client_id = "sm:///concourse-internal/github-oauth-client-id"
github_client_secret = "sm:///concourse-internal/github-oauth-client-secret"
github_client_id = "sm:///concourse-deployment/github-oauth-client-id"
github_client_secret = "sm:///concourse-deployment/github-oauth-client-secret"
github_users = ["itsdalmo"]
github_teams = ["telia-oss:concourse-owners"]
local_user = "sm:///concourse-internal/admin-user"
local_user = "sm:///concourse-deployment/admin-user"
local_admin_user = "admin"

tags {
environment = "prod"
environment = "dev"
terraform = "True"
}
}

module "concourse_worker" {
source = "../../modules/worker"

name_prefix = "example"
name_prefix = "${local.name_prefix}"
concourse_keys = "${path.root}/keys"
vpc_id = "${data.aws_vpc.main.id}"
private_subnet_ids = ["${data.aws_subnet_ids.main.ids}"]
Expand All @@ -77,7 +78,7 @@ module "concourse_worker" {
instance_ami = "${local.instance_ami}"

tags {
environment = "prod"
environment = "dev"
terraform = "True"
}
}
Expand All @@ -94,7 +95,7 @@ resource "aws_security_group_rule" "atc_ingress_postgres" {

# Allow workers to fetch ECR images
resource "aws_iam_role_policy" "main" {
name = "example-worker-ecr-policy"
name = "${local.name_prefix}-worker-ecr-policy"
role = "${module.concourse_worker.role_name}"
policy = "${data.aws_iam_policy_document.worker.json}"
}
Expand Down Expand Up @@ -123,15 +124,15 @@ module "atc_ssm_agent" {
source = "telia-oss/ssm-agent-policy/aws"
version = "0.1.0"

name_prefix = "example-atc"
name_prefix = "${local.name_prefix}-atc"
role = "${module.concourse_atc.role_name}"
}

module "worker_ssm_agent" {
source = "telia-oss/ssm-agent-policy/aws"
version = "0.1.0"

name_prefix = "example-worker"
name_prefix = "${local.name_prefix}-worker"
role = "${module.concourse_worker.role_name}"
}

Expand Down
5 changes: 3 additions & 2 deletions modules/atc/cloud-config.yml
Original file line number Diff line number Diff line change
Expand Up @@ -71,12 +71,13 @@ write_files:
Environment="CONCOURSE_SESSION_SIGNING_KEY=/concourse/keys/web/session_signing_key"
Environment="CONCOURSE_ENCRYPTION_KEY=${encryption_key}"
Environment="CONCOURSE_OLD_ENCRYPTION_KEY=${old_encryption_key}"
Environment="CONCOURSE_AWS_SECRETSMANAGER_REGION=${region}"
${prometheus_bind_ip}
${prometheus_bind_port}
ExecStartPre=/bin/bash -c "/bin/systemctl set-environment CONCOURSE_PEER_URL=http://$(curl -L http://169.254.169.254/latest/meta-data/local-ipv4):${atc_port}"
ExecStart=/usr/local/bin/aws-env exec -- /usr/local/bin/concourse web --aws-secretsmanager-region=${region}
ExecStartPre=/bin/bash -c "/bin/systemctl set-environment CONCOURSE_PEER_ADDRESS=$(curl -L http://169.254.169.254/latest/meta-data/local-ipv4)"
ExecStart=/usr/local/bin/aws-env exec -- /usr/local/concourse/bin/concourse web
[Install]
WantedBy=multi-user.target
Expand Down
26 changes: 18 additions & 8 deletions modules/atc/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,15 @@ data "aws_vpc" "concourse" {
id = "${var.vpc_id}"
}

resource "aws_security_group_rule" "lb_ingress_atc" {
security_group_id = "${module.atc.security_group_id}"
type = "ingress"
protocol = "tcp"
from_port = "${var.atc_port}"
to_port = "${var.atc_port}"
source_security_group_id = "${module.external_lb.security_group_id}"
}

resource "aws_security_group_rule" "workers_ingress_tsa" {
security_group_id = "${module.atc.security_group_id}"
type = "ingress"
Expand All @@ -18,13 +27,13 @@ resource "aws_security_group_rule" "workers_ingress_tsa" {
cidr_blocks = ["${data.aws_vpc.concourse.cidr_block}"]
}

resource "aws_security_group_rule" "lb_ingress_atc" {
security_group_id = "${module.atc.security_group_id}"
type = "ingress"
protocol = "tcp"
from_port = "${var.atc_port}"
to_port = "${var.atc_port}"
source_security_group_id = "${module.external_lb.security_group_id}"
resource "aws_security_group_rule" "tsa_ingress_peers" {
security_group_id = "${module.atc.security_group_id}"
type = "ingress"
protocol = "-1"
from_port = "0"
to_port = "0"
self = "true"
}

resource "aws_autoscaling_attachment" "external_lb" {
Expand Down Expand Up @@ -156,7 +165,7 @@ data "aws_iam_policy_document" "atc" {

resources = [
"arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:/concourse/*",
"arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:/concourse-internal/*",
"arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:/concourse-deployment/*",
]
}
}
Expand Down Expand Up @@ -262,6 +271,7 @@ resource "aws_lb_target_group" "internal" {
port = "${var.tsa_port}"
protocol = "TCP"

# NOTE: This generates INFO log entries (error: EOF) since TSA will attempt to handshake the healthchecks.
health_check {
protocol = "TCP"
port = "${var.tsa_port}"
Expand Down
6 changes: 3 additions & 3 deletions modules/worker/cloud-config.yml
Original file line number Diff line number Diff line change
Expand Up @@ -60,12 +60,12 @@ write_files:
Environment="CONCOURSE_BAGGAGECLAIM_LOG_LEVEL=${log_level}"
Environment="CONCOURSE_TSA_PUBLIC_KEY=/concourse/keys/worker/tsa_host_key.pub"
Environment="CONCOURSE_TSA_WORKER_PRIVATE_KEY=/concourse/keys/worker/worker_key"
Environment="CONCOURSE_REBALANCE_INTERVAL=30m"
ExecStartPre=/bin/bash -c "/bin/systemctl set-environment CONCOURSE_NAME=$(curl -L http://169.254.169.254/latest/meta-data/instance-id)"
ExecStartPre=/bin/bash -c "/bin/systemctl set-environment CONCOURSE_PEER_IP=$(curl -L http://169.254.169.254/latest/meta-data/local-ipv4)"
ExecStart=/usr/local/bin/concourse worker
ExecStart=/usr/local/concourse/bin/concourse worker
ExecStop=/usr/local/bin/concourse retire-worker
ExecStop=/usr/local/concourse/bin/concourse retire-worker
ExecStop=/bin/bash -c "while pgrep concourse >> /dev/null; do echo draining worker... && sleep 5; done; echo done draining!"
[Install]
Expand Down
16 changes: 7 additions & 9 deletions packer/template.json
Original file line number Diff line number Diff line change
Expand Up @@ -3,9 +3,9 @@
"source_ami": "",
"ami_users": "",
"template_version": null,
"concourse_version": "v4.2.1",
"lifecycled_version": "v3.0.2",
"aws_env_version": "v1.0.0"
"concourse_version": "5.1.0",
"lifecycled_version": "3.0.2",
"aws_env_version": "1.0.0"
},
"builders": [
{
Expand Down Expand Up @@ -49,16 +49,14 @@
{
"type": "shell",
"inline": [
"curl -L https://github.com/concourse/concourse/releases/download/{{user `concourse_version`}}/concourse_linux_amd64 -o concourse",
"sudo chmod +x concourse",
"sudo chown root:root concourse",
"sudo mv concourse /usr/local/bin/concourse"
"curl -L https://github.com/concourse/concourse/releases/download/v{{user `concourse_version`}}/concourse-{{user `concourse_version`}}-linux-amd64.tgz -o /tmp/concourse-linux-amd64.tgz",
"sudo tar -xvzf /tmp/concourse-linux-amd64.tgz -C /usr/local"
]
},
{
"type": "shell",
"inline": [
"curl -L https://github.com/buildkite/lifecycled/releases/download/{{user `lifecycled_version`}}/lifecycled-linux-amd64 -o lifecycled",
"curl -L https://github.com/buildkite/lifecycled/releases/download/v{{user `lifecycled_version`}}/lifecycled-linux-amd64 -o lifecycled",
"sudo chmod +x lifecycled",
"sudo chown root:root lifecycled",
"sudo mv lifecycled /usr/local/bin/lifecycled"
Expand All @@ -67,7 +65,7 @@
{
"type": "shell",
"inline": [
"curl -L https://github.com/telia-oss/aws-env/releases/download/{{user `aws_env_version`}}/aws-env-linux-amd64 -o aws-env",
"curl -L https://github.com/telia-oss/aws-env/releases/download/v{{user `aws_env_version`}}/aws-env-linux-amd64 -o aws-env",
"sudo chmod +x aws-env",
"sudo chown root:root aws-env",
"sudo mv aws-env /usr/local/bin/aws-env"
Expand Down

0 comments on commit 700770d

Please sign in to comment.