[arvados] created: 2.6.0-143-ge83d9f4c1
Tue May 9 16:44:19 UTC 2023
at e83d9f4c1cf5d5178d756bd1246730ed73354928 (commit)
commit e83d9f4c1cf5d5178d756bd1246730ed73354928
Author: Lucas Di Pentima <lucas.dipentima at curii.com>
Date: Mon May 8 21:10:09 2023 -0300
20482: Allows deploying on known VPC & subnets.
Instead of creating everything new, the admin now has the option to deploy
the resources on preexisting networks.
Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas.dipentima at curii.com>
diff --git a/tools/salt-install/terraform/aws/services/outputs.tf b/tools/salt-install/terraform/aws/services/outputs.tf
index 9dbccf81c..8ff12c71b 100644
--- a/tools/salt-install/terraform/aws/services/outputs.tf
+++ b/tools/salt-install/terraform/aws/services/outputs.tf
@@ -6,10 +6,6 @@ output "vpc_id" {
value = data.terraform_remote_state.vpc.outputs.arvados_vpc_id
}
-output "vpc_cidr" {
- value = data.terraform_remote_state.vpc.outputs.arvados_vpc_cidr
-}
-
output "arvados_subnet_id" {
value = data.terraform_remote_state.vpc.outputs.public_subnet_id
}
diff --git a/tools/salt-install/terraform/aws/vpc/locals.tf b/tools/salt-install/terraform/aws/vpc/locals.tf
index eb0371a35..017e5d4b8 100644
--- a/tools/salt-install/terraform/aws/vpc/locals.tf
+++ b/tools/salt-install/terraform/aws/vpc/locals.tf
@@ -12,6 +12,15 @@ locals {
route53_public_zone = one(aws_route53_zone.public_zone[*])
iam_user_letsencrypt = one(aws_iam_user.letsencrypt[*])
iam_access_key_letsencrypt = one(aws_iam_access_key.letsencrypt[*])
+
+ arvados_vpc_id = one(aws_vpc.arvados_vpc[*]) != null ? one(aws_vpc.arvados_vpc[*]).id : var.vpc_id
+ arvados_vpc_cidr_block = one(aws_vpc.arvados_vpc[*])
+
+ arvados_sg_id = one(aws_security_group.arvados_sg[*]) != null ? one(aws_security_group.arvados_sg[*]).id : var.sg_id
+
+ private_subnet_id = one(aws_subnet.private_subnet[*]) != null ? one(aws_subnet.private_subnet[*]).id : var.private_subnet_id
+ public_subnet_id = one(aws_subnet.public_subnet[*]) != null ? one(aws_subnet.public_subnet[*]).id : var.public_subnet_id
+
public_hosts = var.private_only ? [] : var.user_facing_hosts
private_hosts = concat(
var.internal_service_hosts,
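Review bot: `arvados_vpc_cidr_block` on the new line is assigned the whole `aws_vpc` object returned by `one(...)`, not its CIDR string, so the `arvados_vpc_cidr` output that reads it (vpc/outputs.tf in this commit) exports either a full resource object or, when `vpc_id` is supplied, `null` — `try()` only catches errors and does not replace a null with `""`. The local should follow the pattern of its neighbours: `arvados_vpc_cidr_block = one(aws_vpc.arvados_vpc[*]) != null ? one(aws_vpc.arvados_vpc[*]).cidr_block : ""`. When an existing VPC is used its CIDR is not known to this module at all; if consumers need it, a `data "aws_vpc"` lookup keyed on `var.vpc_id` would be the way to provide it. The `locals` block starts and ends outside the hunk.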
diff --git a/tools/salt-install/terraform/aws/vpc/main.tf b/tools/salt-install/terraform/aws/vpc/main.tf
index a5eb02049..be5e57490 100644
--- a/tools/salt-install/terraform/aws/vpc/main.tf
+++ b/tools/salt-install/terraform/aws/vpc/main.tf
@@ -20,38 +20,64 @@ provider "aws" {
}
resource "aws_vpc" "arvados_vpc" {
+ count = var.vpc_id == "" ? 1 : 0
cidr_block = "10.1.0.0/16"
enable_dns_hostnames = true
enable_dns_support = true
+
+ lifecycle {
+ precondition {
+ condition = (var.sg_id == "")
+ error_message = "vpc_id should be set if sg_id is also set"
+ }
+ }
}
resource "aws_subnet" "public_subnet" {
- vpc_id = aws_vpc.arvados_vpc.id
+ count = var.public_subnet_id == "" ? 1 : 0
+ vpc_id = local.arvados_vpc_id
availability_zone = local.availability_zone
cidr_block = "10.1.1.0/24"
+
+ lifecycle {
+ precondition {
+ condition = (var.vpc_id == "")
+ error_message = "public_subnet_id should be set if vpc_id is also set"
+ }
+ }
}
resource "aws_subnet" "private_subnet" {
- vpc_id = aws_vpc.arvados_vpc.id
+ count = var.private_subnet_id == "" ? 1 : 0
+ vpc_id = local.arvados_vpc_id
availability_zone = local.availability_zone
cidr_block = "10.1.2.0/24"
+
+ lifecycle {
+ precondition {
+ condition = (var.vpc_id == "")
+ error_message = "private_subnet_id should be set if vpc_id is also set"
+ }
+ }
}
#
# VPC S3 access
#
resource "aws_vpc_endpoint" "s3" {
- vpc_id = aws_vpc.arvados_vpc.id
+ vpc_id = local.arvados_vpc_id
service_name = "com.amazonaws.${var.region_name}.s3"
}
resource "aws_vpc_endpoint_route_table_association" "compute_s3_route" {
+ count = var.private_subnet_id == "" ? 1 : 0
vpc_endpoint_id = aws_vpc_endpoint.s3.id
- route_table_id = aws_route_table.private_subnet_rt.id
+ route_table_id = aws_route_table.private_subnet_rt[0].id
}
#
# Internet access for Public IP instances
#
resource "aws_internet_gateway" "internet_gw" {
- vpc_id = aws_vpc.arvados_vpc.id
+ count = var.vpc_id == "" ? 1 : 0
+ vpc_id = local.arvados_vpc_id
}
resource "aws_eip" "arvados_eip" {
for_each = toset(local.public_hosts)
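Review bot: The precondition added to `aws_vpc.arvados_vpc` only rejects `sg_id` being set without `vpc_id`; the subnet ids are not checked there, so a configuration with `vpc_id` unset and `public_subnet_id` or `private_subnet_id` set passes validation and creates a fresh VPC while the remaining route tables, NAT gateway and instances point at a subnet from some other VPC. Since the tfvars comment in this commit states that mixing managed and custom networking is unsupported, the precondition should say so: `condition = (var.sg_id == "" && var.public_subnet_id == "" && var.private_subnet_id == "")` with a matching `error_message`. Separately, `aws_vpc_endpoint.s3` has no `count`, so it is always created, but its route-table association is only created together with a managed private subnet, which leaves the endpoint unattached (and Keep's S3 traffic on the NAT/internet path) whenever an existing private subnet is supplied; either give the endpoint the same `count` or document that the admin must attach it to their own route table. `provider "aws"` at the top and `aws_eip.arvados_eip` at the bottom continue outside the hunk.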
@@ -60,45 +86,59 @@ resource "aws_eip" "arvados_eip" {
]
}
resource "aws_route_table" "public_subnet_rt" {
- vpc_id = aws_vpc.arvados_vpc.id
+ count = var.public_subnet_id == "" ? 1 : 0
+ vpc_id = local.arvados_vpc_id
route {
cidr_block = "0.0.0.0/0"
- gateway_id = aws_internet_gateway.internet_gw.id
+ gateway_id = aws_internet_gateway.internet_gw[0].id
}
}
resource "aws_route_table_association" "public_subnet_assoc" {
- subnet_id = aws_subnet.public_subnet.id
- route_table_id = aws_route_table.public_subnet_rt.id
+ count = var.public_subnet_id == "" ? 1 : 0
+ subnet_id = aws_subnet.public_subnet[0].id
+ route_table_id = aws_route_table.public_subnet_rt[0].id
}
#
# Internet access for Private IP instances
#
resource "aws_eip" "nat_gw_eip" {
+ count = var.private_subnet_id == "" ? 1 : 0
depends_on = [
- aws_internet_gateway.internet_gw
+ aws_internet_gateway.internet_gw[0]
]
}
resource "aws_nat_gateway" "nat_gw" {
+ count = var.private_subnet_id == "" ? 1 : 0
# A NAT gateway should be placed on a subnet with an internet gateway
- subnet_id = aws_subnet.public_subnet.id
- allocation_id = aws_eip.nat_gw_eip.id
+ subnet_id = aws_subnet.public_subnet[0].id
+ allocation_id = aws_eip.nat_gw_eip[0].id
}
resource "aws_route_table" "private_subnet_rt" {
- vpc_id = aws_vpc.arvados_vpc.id
+ count = var.private_subnet_id == "" ? 1 : 0
+ vpc_id = local.arvados_vpc_id
route {
cidr_block = "0.0.0.0/0"
- nat_gateway_id = aws_nat_gateway.nat_gw.id
+ nat_gateway_id = aws_nat_gateway.nat_gw[0].id
}
}
resource "aws_route_table_association" "private_subnet_assoc" {
- subnet_id = aws_subnet.private_subnet.id
- route_table_id = aws_route_table.private_subnet_rt.id
+ count = var.private_subnet_id == "" ? 1 : 0
+ subnet_id = aws_subnet.private_subnet[0].id
+ route_table_id = aws_route_table.private_subnet_rt[0].id
}
resource "aws_security_group" "arvados_sg" {
name = "arvados_sg"
- vpc_id = aws_vpc.arvados_vpc.id
+ count = var.sg_id == "" ? 1 : 0
+ vpc_id = aws_vpc.arvados_vpc[0].id
+
+ lifecycle {
+ precondition {
+ condition = (var.vpc_id == "")
+ error_message = "sg_id should be set if vpc_id is set"
+ }
+ }
dynamic "ingress" {
for_each = local.allowed_ports
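Review bot: Nothing in the new code records that the ingress and egress rules of `aws_security_group.arvados_sg` are only applied when this module creates the group; with `sg_id` set, the admin-supplied group must already permit the ports in `local.allowed_ports` and the intra-VPC traffic, otherwise the instances deployed by the services module are unreachable and nothing here reports why. A comment above the resource, for example `# Only created when sg_id is empty; a user-supplied group must already allow local.allowed_ports and intra-VPC traffic.`, would make that contract visible next to the `count`. The resource continues past the end of the hunk.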
@@ -116,7 +156,7 @@ resource "aws_security_group" "arvados_sg" {
from_port = 0
to_port = 0
protocol = "-1"
- cidr_blocks = [ aws_vpc.arvados_vpc.cidr_block ]
+ cidr_blocks = [ aws_vpc.arvados_vpc[0].cidr_block ]
}
# Even though AWS auto-creates an "allow all" egress rule,
# Terraform deletes it, so we add it explicitly.
@@ -171,7 +211,7 @@ resource "aws_route53_record" "public_cname_record" {
resource "aws_route53_zone" "private_zone" {
name = var.domain_name
vpc {
- vpc_id = aws_vpc.arvados_vpc.id
+ vpc_id = local.arvados_vpc_id
}
}
resource "aws_route53_record" "private_a_record" {
diff --git a/tools/salt-install/terraform/aws/vpc/outputs.tf b/tools/salt-install/terraform/aws/vpc/outputs.tf
index e1c0fe171..ca11f5d0d 100644
--- a/tools/salt-install/terraform/aws/vpc/outputs.tf
+++ b/tools/salt-install/terraform/aws/vpc/outputs.tf
@@ -3,22 +3,22 @@
# SPDX-License-Identifier: CC-BY-SA-3.0
output "arvados_vpc_id" {
- value = aws_vpc.arvados_vpc.id
+ value = local.arvados_vpc_id
}
output "arvados_vpc_cidr" {
- value = aws_vpc.arvados_vpc.cidr_block
+ value = try(local.arvados_vpc_cidr_block, "")
}
output "public_subnet_id" {
- value = aws_subnet.public_subnet.id
+ value = local.public_subnet_id
}
output "private_subnet_id" {
- value = aws_subnet.private_subnet.id
+ value = local.private_subnet_id
}
output "arvados_sg_id" {
- value = aws_security_group.arvados_sg.id
+ value = local.arvados_sg_id
}
output "eip_id" {
diff --git a/tools/salt-install/terraform/aws/vpc/terraform.tfvars b/tools/salt-install/terraform/aws/vpc/terraform.tfvars
index 9cc96437d..32480f879 100644
--- a/tools/salt-install/terraform/aws/vpc/terraform.tfvars
+++ b/tools/salt-install/terraform/aws/vpc/terraform.tfvars
@@ -7,4 +7,12 @@ region_name = "us-east-1"
# domain_name = "xarv1.example.com"
# Uncomment this to create an non-publicly accessible Arvados cluster
-# private_only = true
\ No newline at end of file
+# private_only = true
+
+# Optional networking options. Set existing resources to be used instead of
+# creating new ones.
+# NOTE: We only support fully managed or fully custom networking, not a mix of both.
+# vpc_id = "vpc-"
+# sg_id = "sg-"
+# public_subnet_id = "subnet-"
+# private_subnet_id = "subnet-"
\ No newline at end of file
diff --git a/tools/salt-install/terraform/aws/vpc/variables.tf b/tools/salt-install/terraform/aws/vpc/variables.tf
index 276f31433..e14c59808 100644
--- a/tools/salt-install/terraform/aws/vpc/variables.tf
+++ b/tools/salt-install/terraform/aws/vpc/variables.tf
@@ -37,4 +37,28 @@ variable "internal_service_hosts" {
description = "List of hostnames for nodes that hold internal Arvados services"
type = list(string)
default = [ "keep0", "shell" ]
+}
+
+variable "vpc_id" {
+ description = "Use existing VPC instead of creating one for the cluster"
+ type = string
+ default = ""
+}
+
+variable "sg_id" {
+ description = "Use existing security group instead of creating one for the cluster"
+ type = string
+ default = ""
+}
+
+variable "private_subnet_id" {
+ description = "Use existing private subnet instead of creating one for the cluster"
+ type = string
+ default = ""
+}
+
+variable "public_subnet_id" {
+ description = "Use existing public subnet instead of creating one for the cluster"
+ type = string
+ default = ""
}
\ No newline at end of file
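Review bot: The four new variable descriptions do not mention that they are all-or-nothing, although the preconditions in main.tf and the tfvars comment in this commit treat them that way. Something like `description = "Use existing VPC instead of creating one for the cluster (requires sg_id, public_subnet_id and private_subnet_id to be set as well)"` on `vpc_id`, and the equivalent on the other three, would surface the rule where `terraform plan` prompts for the values. The `sg_id` description should additionally state that the supplied group has to allow the cluster's ports itself, since the module's ingress rules are only attached to the group it creates.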
commit c2a6e69f13eb2355694c87214197fd276d699a4b
Author: Lucas Di Pentima <lucas.dipentima at curii.com>
Date: Mon May 8 12:11:49 2023 -0300
20482: Fixes use of var domain_name, it's now used for the Route53 zone.
Also, updates documentation including the new private_only var.
Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas.dipentima at curii.com>
diff --git a/doc/install/salt-multi-host.html.textile.liquid b/doc/install/salt-multi-host.html.textile.liquid
index 022ec3bb9..b840b585a 100644
--- a/doc/install/salt-multi-host.html.textile.liquid
+++ b/doc/install/salt-multi-host.html.textile.liquid
@@ -102,7 +102,10 @@ Each section described above contain a @terraform.tfvars@ file with some configu
<pre><code>region_name = "us-east-1"
# cluster_name = "xarv1"
-# domain_name = "example.com"</code></pre>
+# domain_name = "xarv1.example.com"
+
+# Uncomment this to create an non-publicly accessible Arvados cluster
+# private_only = true</code></pre>
If you don't set the variables @vpc/terraform.tfvars@ file, you will be asked to re-enter these parameters every time you run Terraform.
diff --git a/tools/salt-install/terraform/aws/vpc/locals.tf b/tools/salt-install/terraform/aws/vpc/locals.tf
index a6e56c585..eb0371a35 100644
--- a/tools/salt-install/terraform/aws/vpc/locals.tf
+++ b/tools/salt-install/terraform/aws/vpc/locals.tf
@@ -17,7 +17,6 @@ locals {
var.internal_service_hosts,
var.private_only ? var.user_facing_hosts : []
)
- arvados_dns_zone = "${var.cluster_name}.${var.domain_name}"
public_ip = {
for k, v in aws_eip.arvados_eip: k => v.public_ip
}
diff --git a/tools/salt-install/terraform/aws/vpc/main.tf b/tools/salt-install/terraform/aws/vpc/main.tf
index 6f1fe96ec..a5eb02049 100644
--- a/tools/salt-install/terraform/aws/vpc/main.tf
+++ b/tools/salt-install/terraform/aws/vpc/main.tf
@@ -136,7 +136,7 @@ resource "aws_security_group" "arvados_sg" {
# PUBLIC DNS
resource "aws_route53_zone" "public_zone" {
count = var.private_only ? 0 : 1
- name = local.arvados_dns_zone
+ name = var.domain_name
}
resource "aws_route53_record" "public_a_record" {
zone_id = try(local.route53_public_zone.id, "")
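Review bot: `var.domain_name` now names the Route53 zone itself, so the value has to carry the cluster prefix (the tfvars example in this commit changes to `xarv1.example.com`), but the variable's description in variables.tf, which this commit does not touch, still reads "The domain name under which your Arvados cluster will be hosted", i.e. as a parent domain. Since every record below now derives from it directly, the description should be updated in step: `description = "Fully qualified domain name of the cluster's Route53 zone, e.g. xarv1.example.com"`. The same change is made in the three following hunks of this file (`public_cname_record`, `private_zone`, `private_cname_record`), and `public_a_record` continues outside this hunk.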
@@ -158,7 +158,7 @@ resource "aws_route53_record" "public_cname_record" {
zone_id = try(local.route53_public_zone.id, "")
for_each = {
for i in local.cname_by_host: i.record =>
- "${i.cname}.${local.arvados_dns_zone}"
+ "${i.cname}.${var.domain_name}"
if var.private_only == false
}
name = each.key
@@ -169,7 +169,7 @@ resource "aws_route53_record" "public_cname_record" {
# PRIVATE DNS
resource "aws_route53_zone" "private_zone" {
- name = local.arvados_dns_zone
+ name = var.domain_name
vpc {
vpc_id = aws_vpc.arvados_vpc.id
}
@@ -191,7 +191,7 @@ resource "aws_route53_record" "private_main_a_record" {
}
resource "aws_route53_record" "private_cname_record" {
zone_id = aws_route53_zone.private_zone.id
- for_each = {for i in local.cname_by_host: i.record => "${i.cname}.${local.arvados_dns_zone}" }
+ for_each = {for i in local.cname_by_host: i.record => "${i.cname}.${var.domain_name}" }
name = each.key
type = "CNAME"
ttl = 300
diff --git a/tools/salt-install/terraform/aws/vpc/terraform.tfvars b/tools/salt-install/terraform/aws/vpc/terraform.tfvars
index 296e3130c..9cc96437d 100644
--- a/tools/salt-install/terraform/aws/vpc/terraform.tfvars
+++ b/tools/salt-install/terraform/aws/vpc/terraform.tfvars
@@ -4,7 +4,7 @@
region_name = "us-east-1"
# cluster_name = "xarv1"
-# domain_name = "example.com"
+# domain_name = "xarv1.example.com"
# Uncomment this to create an non-publicly accessible Arvados cluster
# private_only = true
\ No newline at end of file
commit aad7ebe7938a9f5cb225881a1df8746664c493e8
Author: Lucas Di Pentima <lucas.dipentima at curii.com>
Date: Sat May 6 15:18:54 2023 -0300
20482: Allow the site admin to create a non-public Arvados cluster.
Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas.dipentima at curii.com>
diff --git a/tools/salt-install/terraform/aws/services/locals.tf b/tools/salt-install/terraform/aws/services/locals.tf
index 523954ce3..d515453cb 100644
--- a/tools/salt-install/terraform/aws/services/locals.tf
+++ b/tools/salt-install/terraform/aws/services/locals.tf
@@ -6,11 +6,14 @@ locals {
region_name = data.terraform_remote_state.vpc.outputs.region_name
cluster_name = data.terraform_remote_state.vpc.outputs.cluster_name
use_external_db = data.terraform_remote_state.data-storage.outputs.use_external_db
+ private_only = data.terraform_remote_state.vpc.outputs.private_only
public_ip = data.terraform_remote_state.vpc.outputs.public_ip
private_ip = data.terraform_remote_state.vpc.outputs.private_ip
pubkey_path = pathexpand(var.pubkey_path)
- pubkey_name = "arvados-deployer-key"
+ pubkey_name = "${local.cluster_name}-arvados-deployer-key"
public_hosts = data.terraform_remote_state.vpc.outputs.public_hosts
private_hosts = data.terraform_remote_state.vpc.outputs.private_hosts
+ user_facing_hosts = data.terraform_remote_state.vpc.outputs.user_facing_hosts
+ internal_service_hosts = data.terraform_remote_state.vpc.outputs.internal_service_hosts
ssl_password_secret_name = "${local.cluster_name}-${var.ssl_password_secret_name_suffix}"
}
diff --git a/tools/salt-install/terraform/aws/services/main.tf b/tools/salt-install/terraform/aws/services/main.tf
index 68ffaf42d..b214aeb11 100644
--- a/tools/salt-install/terraform/aws/services/main.tf
+++ b/tools/salt-install/terraform/aws/services/main.tf
@@ -36,6 +36,7 @@ resource "aws_iam_instance_profile" "dispatcher_instance_profile" {
resource "aws_secretsmanager_secret" "ssl_password_secret" {
name = local.ssl_password_secret_name
+ recovery_window_in_days = 0
}
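Review bot: `recovery_window_in_days = 0` makes deletion of the secret that holds the SSL password immediate and unrecoverable instead of the default scheduled deletion, and the hunk gives no reason. If the intent is to let a redeploy re-create a secret under the same fixed name (`local.ssl_password_secret_name` suggests that), a comment such as `# Delete immediately (no recovery window) so a redeploy can reuse the secret name; back the value up before destroying.` would record the trade-off next to the setting, and an operator reading the plan would know the value is gone for good on `destroy`.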
resource "aws_iam_instance_profile" "default_instance_profile" {
@@ -52,7 +53,7 @@ resource "aws_instance" "arvados_service" {
"hostname": each.value
})
private_ip = local.private_ip[each.value]
- subnet_id = contains(local.public_hosts, each.value) ? data.terraform_remote_state.vpc.outputs.public_subnet_id : data.terraform_remote_state.vpc.outputs.private_subnet_id
+ subnet_id = contains(local.user_facing_hosts, each.value) ? data.terraform_remote_state.vpc.outputs.public_subnet_id : data.terraform_remote_state.vpc.outputs.private_subnet_id
vpc_security_group_ids = [ data.terraform_remote_state.vpc.outputs.arvados_sg_id ]
# This should be done in a more readable way
iam_instance_profile = each.value == "controller" ? aws_iam_instance_profile.dispatcher_instance_profile.name : length(regexall("^keep[0-9]+", each.value)) > 0 ? aws_iam_instance_profile.keepstore_instance_profile.name : aws_iam_instance_profile.default_instance_profile.name
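Review bot: With the new condition, hosts listed in `local.user_facing_hosts` are placed in the public subnet even when `private_only` is true, whereas the previous `local.public_hosts` test would have put every host in the private subnet in that mode (the vpc locals in this commit make `public_hosts` empty then). Presumably this is forced by the fixed `private_ip` values lying in the public subnet's range, but it means a "private only" controller still sits in a subnet whose default route is the internet gateway, and its reachability then rests on no public address being assigned at launch, which this hunk does not show. A comment on the `subnet_id` line stating why the public subnet is kept in private-only mode, plus an explicit `associate_public_ip_address = false` if the resource does not already set it, would make the intent checkable. The `aws_instance` resource continues on both sides of the hunk.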
@@ -113,7 +114,7 @@ resource "aws_iam_policy_attachment" "cloud_dispatcher_ec2_access_attachment" {
}
resource "aws_eip_association" "eip_assoc" {
- for_each = toset(local.public_hosts)
+ for_each = local.private_only ? [] : toset(local.public_hosts)
instance_id = aws_instance.arvados_service[each.value].id
allocation_id = data.terraform_remote_state.vpc.outputs.eip_id[each.value]
}
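Review bot: The new `for_each` mixes an empty tuple literal and a set in one conditional, which Terraform must unify into a single type, and the conditional is redundant: `local.public_hosts` is already `[]` when `private_only` is true (vpc/locals.tf in this commit) and the services locals read it straight from the remote state. `for_each = toset(local.public_hosts)` gives the same set of associations without the type juggling and keeps the private-only logic in one place.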
diff --git a/tools/salt-install/terraform/aws/vpc/locals.tf b/tools/salt-install/terraform/aws/vpc/locals.tf
index 00e9d9494..a6e56c585 100644
--- a/tools/salt-install/terraform/aws/vpc/locals.tf
+++ b/tools/salt-install/terraform/aws/vpc/locals.tf
@@ -9,10 +9,18 @@ locals {
ssh: "22",
}
availability_zone = data.aws_availability_zones.available.names[0]
- public_hosts = [ "controller", "workbench" ]
- private_hosts = [ "keep0", "shell" ]
+ route53_public_zone = one(aws_route53_zone.public_zone[*])
+ iam_user_letsencrypt = one(aws_iam_user.letsencrypt[*])
+ iam_access_key_letsencrypt = one(aws_iam_access_key.letsencrypt[*])
+ public_hosts = var.private_only ? [] : var.user_facing_hosts
+ private_hosts = concat(
+ var.internal_service_hosts,
+ var.private_only ? var.user_facing_hosts : []
+ )
arvados_dns_zone = "${var.cluster_name}.${var.domain_name}"
- public_ip = { for k, v in aws_eip.arvados_eip: k => v.public_ip }
+ public_ip = {
+ for k, v in aws_eip.arvados_eip: k => v.public_ip
+ }
private_ip = {
"controller": "10.1.1.11",
"workbench": "10.1.1.15",
diff --git a/tools/salt-install/terraform/aws/vpc/main.tf b/tools/salt-install/terraform/aws/vpc/main.tf
index eba48b9f9..6f1fe96ec 100644
--- a/tools/salt-install/terraform/aws/vpc/main.tf
+++ b/tools/salt-install/terraform/aws/vpc/main.tf
@@ -135,10 +135,11 @@ resource "aws_security_group" "arvados_sg" {
# PUBLIC DNS
resource "aws_route53_zone" "public_zone" {
+ count = var.private_only ? 0 : 1
name = local.arvados_dns_zone
}
resource "aws_route53_record" "public_a_record" {
- zone_id = aws_route53_zone.public_zone.id
+ zone_id = try(local.route53_public_zone.id, "")
for_each = local.public_ip
name = each.key
type = "A"
@@ -146,15 +147,20 @@ resource "aws_route53_record" "public_a_record" {
records = [ each.value ]
}
resource "aws_route53_record" "main_a_record" {
- zone_id = aws_route53_zone.public_zone.id
+ count = var.private_only ? 0 : 1
+ zone_id = try(local.route53_public_zone.id, "")
name = ""
type = "A"
ttl = 300
records = [ local.public_ip["controller"] ]
}
resource "aws_route53_record" "public_cname_record" {
- zone_id = aws_route53_zone.public_zone.id
- for_each = {for i in local.cname_by_host: i.record => "${i.cname}.${local.arvados_dns_zone}" }
+ zone_id = try(local.route53_public_zone.id, "")
+ for_each = {
+ for i in local.cname_by_host: i.record =>
+ "${i.cname}.${local.arvados_dns_zone}"
+ if var.private_only == false
+ }
name = each.key
type = "CNAME"
ttl = 300
@@ -196,16 +202,19 @@ resource "aws_route53_record" "private_cname_record" {
# Route53's credentials for Let's Encrypt
#
resource "aws_iam_user" "letsencrypt" {
+ count = var.private_only ? 0 : 1
name = "${var.cluster_name}-letsencrypt"
path = "/"
}
resource "aws_iam_access_key" "letsencrypt" {
- user = aws_iam_user.letsencrypt.name
+ count = var.private_only ? 0 : 1
+ user = local.iam_user_letsencrypt.name
}
resource "aws_iam_user_policy" "letsencrypt_iam_policy" {
+ count = var.private_only ? 0 : 1
name = "${var.cluster_name}-letsencrypt_iam_policy"
- user = aws_iam_user.letsencrypt.name
+ user = local.iam_user_letsencrypt.name
policy = jsonencode({
"Version": "2012-10-17",
"Statement": [{
@@ -223,7 +232,7 @@ resource "aws_iam_user_policy" "letsencrypt_iam_policy" {
"route53:ChangeResourceRecordSets"
],
"Resource" : [
- "arn:aws:route53:::hostedzone/${aws_route53_zone.public_zone.id}"
+ "arn:aws:route53:::hostedzone/${local.route53_public_zone.id}"
]
}]
})
diff --git a/tools/salt-install/terraform/aws/vpc/outputs.tf b/tools/salt-install/terraform/aws/vpc/outputs.tf
index 09faa04a2..e1c0fe171 100644
--- a/tools/salt-install/terraform/aws/vpc/outputs.tf
+++ b/tools/salt-install/terraform/aws/vpc/outputs.tf
@@ -41,16 +41,28 @@ output "private_hosts" {
value = local.private_hosts
}
+output "user_facing_hosts" {
+ value = var.user_facing_hosts
+}
+
+output "internal_service_hosts" {
+ value = var.internal_service_hosts
+}
+
+output "private_only" {
+ value = var.private_only
+}
+
output "route53_dns_ns" {
- value = aws_route53_zone.public_zone.name_servers
+ value = try(local.route53_public_zone.name_servers, [])
}
output "letsencrypt_iam_access_key_id" {
- value = aws_iam_access_key.letsencrypt.id
+ value = try(local.iam_access_key_letsencrypt.id, "")
}
output "letsencrypt_iam_secret_access_key" {
- value = aws_iam_access_key.letsencrypt.secret
+ value = try(local.iam_access_key_letsencrypt.secret, "")
sensitive = true
}
diff --git a/tools/salt-install/terraform/aws/vpc/terraform.tfvars b/tools/salt-install/terraform/aws/vpc/terraform.tfvars
index cac62ed6f..296e3130c 100644
--- a/tools/salt-install/terraform/aws/vpc/terraform.tfvars
+++ b/tools/salt-install/terraform/aws/vpc/terraform.tfvars
@@ -5,3 +5,6 @@
region_name = "us-east-1"
# cluster_name = "xarv1"
# domain_name = "example.com"
+
+# Uncomment this to create an non-publicly accessible Arvados cluster
+# private_only = true
\ No newline at end of file
diff --git a/tools/salt-install/terraform/aws/vpc/variables.tf b/tools/salt-install/terraform/aws/vpc/variables.tf
index 4237c56c8..276f31433 100644
--- a/tools/salt-install/terraform/aws/vpc/variables.tf
+++ b/tools/salt-install/terraform/aws/vpc/variables.tf
@@ -19,4 +19,22 @@ variable "cluster_name" {
variable "domain_name" {
description = "The domain name under which your Arvados cluster will be hosted"
type = string
+}
+
+variable "private_only" {
+ description = "Don't create infrastructure reachable from the public Internet"
+ type = bool
+ default = false
+}
+
+variable "user_facing_hosts" {
+ description = "List of hostnames for nodes that hold user-accesible Arvados services"
+ type = list(string)
+ default = [ "controller", "workbench" ]
+}
+
+variable "internal_service_hosts" {
+ description = "List of hostnames for nodes that hold internal Arvados services"
+ type = list(string)
+ default = [ "keep0", "shell" ]
}
\ No newline at end of file
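Review bot: The description of `user_facing_hosts` misspells "accessible"; it should read `description = "List of hostnames for nodes that hold user-accessible Arvados services"`. The `private_only` description could also list what it suppresses in this commit (public Route53 zone, Elastic IPs, the Let's Encrypt IAM user and key), so an admin toggling it knows the consequences before `plan` shows them as destroyed. The `domain_name` variable at the top of the hunk starts outside it.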
commit 7e025dd4e222221eb5d143c8ce905b5c8e9de840
Author: Lucas Di Pentima <lucas.dipentima at curii.com>
Date: Sat May 6 15:14:43 2023 -0300
20482: Fixes S3 bucket creation for Keep blocks due to changes in AWS defaults.
ACLs are now not accepted on newly created S3 buckets, and by default they're
set as private, so there's no need for us to explicitly ask for that.
See: https://aws.amazon.com/about-aws/whats-new/2022/12/amazon-s3-automatically-enable-block-public-access-disable-access-control-lists-buckets-april-2023/
Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas.dipentima at curii.com>
diff --git a/tools/salt-install/terraform/aws/data-storage/main.tf b/tools/salt-install/terraform/aws/data-storage/main.tf
index d4a3a7d21..6f7e233fd 100644
--- a/tools/salt-install/terraform/aws/data-storage/main.tf
+++ b/tools/salt-install/terraform/aws/data-storage/main.tf
@@ -24,20 +24,6 @@ resource "aws_s3_bucket" "keep_volume" {
bucket = "${local.cluster_name}-nyw5e-000000000000000-volume"
}
-resource "aws_s3_bucket_acl" "keep_volume_acl" {
- bucket = aws_s3_bucket.keep_volume.id
- acl = "private"
-}
-
-# Avoid direct public access to Keep blocks
-resource "aws_s3_bucket_public_access_block" "keep_volume_public_access" {
- bucket = aws_s3_bucket.keep_volume.id
-
- block_public_acls = true
- block_public_policy = true
- ignore_public_acls = true
-}
-
resource "aws_iam_role" "keepstore_iam_role" {
name = "${local.cluster_name}-keepstore-00-iam-role"
assume_role_policy = "${file("../assumerolepolicy.json")}"