From 6e3f5792f05ff56f59fb0238d3da9a26f384cce7 Mon Sep 17 00:00:00 2001 
From: Fred Willien Date: Mon, 12 May 2025 14:01:50 +0200 Subject: [PATCH] refacto part1 --- .editorconfig | 31 ++ .github/workflows/ansible-ci.yml | 76 +-- .github/workflows/terraform-baseline.yml | 81 +-- .github/workflows/terraform-build.yml | 83 +-- .github/workflows/terraform-myapp.yml | 78 +-- .github/workflows/terraform-vpc.yml | 93 ++-- .gitignore | 373 +------------ .pre-commit-config.yaml | 32 ++ .terraform-version | 2 +- Makefile | 46 -- README.md | 80 +-- TODO.md | 23 + Taskfile.yml | 6 + _docs/how-to-terraform-cloud.md | 19 - _docs/howto-iam-awsume.md | 7 + _docs/howto-terraform-cloud.md | 27 + _docs/howto-vpc.md | 17 + _tools/ansible/ansible.cfg | 7 +- _tools/ansible/ansible.sh | 13 + _tools/ansible/galaxy/requirements.yml | 61 +++ _tools/ansible/playbooks/bastion.yml | 15 +- .../ansible/playbooks/group_vars/all/apt.yml | 6 - .../playbooks/group_vars/all/packages.yml | 6 + .../playbooks/group_vars/bastion/apt.yml | 3 - .../playbooks/group_vars/bastion/packages.yml | 3 + .../playbooks/group_vars/bastion/teleport.yml | 3 + .../playbooks/group_vars/haproxy/haproxy.yml | 22 +- _tools/ansible/playbooks/inventory/all.yaml | 7 + .../ansible/playbooks/inventory/sandbox.yml | 18 - .../roles/ansible-awscli/defaults/main.yml | 2 + .../roles/ansible-awscli/tasks/main.yml | 32 ++ .../roles/ansible-packages/defaults/main.yml | 4 + .../roles/ansible-packages/tasks/main.yml | 11 + .../ansible/roles/ansible-teleport/README.md | 133 +++++ .../roles/ansible-teleport/defaults/main.yml | 53 ++ .../roles/ansible-teleport/handlers/main.yml | 5 + .../ansible-teleport/tasks/configure.yml | 6 + .../roles/ansible-teleport/tasks/main.yml | 14 + .../ansible-teleport/tasks/setup-Debian.yml | 18 + .../ansible-teleport/tasks/setup-RedHat.yml | 18 + .../templates/teleport.yaml.j2 | 90 ++++ .../roles/ansible-teleport/vars/main.yml | 2 + _tools/ansible/roles/apt/defaults/main.yml | 6 - _tools/ansible/roles/apt/tasks/main.yml | 8 - _tools/ansible/roles/aws-cli/.yamllint | 36 -- 
.../ansible/roles/aws-cli/defaults/main.yml | 6 - .../aws-cli/molecule/default/converge.yml | 19 - .../aws-cli/molecule/default/molecule.yml | 21 - .../roles/aws-cli/molecule/default/verify.yml | 18 - _tools/ansible/roles/aws-cli/tasks/main.yml | 35 -- _tools/packer/Dockerfile | 38 -- _tools/packer/Makefile | 92 ---- _tools/packer/_packer.sh | 392 ++++++++------ _tools/packer/all/amazonlinux-2023.pkr.hcl | 1 + _tools/packer/all/debian-bookworm.pkr.hcl | 1 + _tools/packer/all/plugins.pkr.hcl | 28 + _tools/packer/all/ubuntu-2204.pkr.hcl | 1 + _tools/packer/all/variables.pkr.hcl | 1 + .../amazonlinux/amazonlinux-2023.pkr.hcl | 163 ++++++ .../amazonlinux-2023/Vagrantfile.tpl | 17 + .../linux/debian/debian-bookworm.pkr.hcl | 160 ++++++ .../linux/debian/debian-bulleye.pkr.hcl | 109 ++++ .../packer/linux/debian/debian-buster.pkr.hcl | 112 ++++ .../templates/debian/bookworm/Vagrantfile.tpl | 17 + .../templates/debian/bullseye/Vagrantfile.tpl | 17 + .../templates/debian/buster/Vagrantfile.tpl | 17 + .../templates/ubuntu/1804/Vagrantfile.tpl | 17 + .../templates/ubuntu/2004/Vagrantfile.tpl | 17 + .../templates/ubuntu/2204/Vagrantfile.tpl | 17 + .../packer/linux/ubuntu/ubuntu-1804.pkr.hcl | 112 ++++ .../packer/linux/ubuntu/ubuntu-2004.pkr.hcl | 109 ++++ .../packer/linux/ubuntu/ubuntu-2204.pkr.hcl | 184 +++++++ _tools/packer/run.sh | 123 +++++ _tools/packer/scripts/bootstrap.sh | 86 ++- _tools/packer/scripts/cleanup.sh | 8 +- _tools/packer/templates/builder-qemu.json | 31 -- _tools/packer/templates/debian-buster.json | 140 ----- .../templates/debian-buster/builds.pkr.hcl | 46 -- .../templates/debian-buster/http/base.preseed | 69 --- .../templates/debian-buster/http/preseed.cfg | 22 - .../templates/debian-buster/sources.pkr.hcl | 141 ----- .../templates/debian-buster/variables.pkr.hcl | 333 ------------ .../debian/10_buster/base-crypt-uefi.preseed | 101 ---- .../debian/10_buster/base-crypt-uefi.yaml | 313 ----------- .../debian/10_buster/base-crypt.preseed | 78 --- 
.../debian/10_buster/base-crypt.yaml | 300 ----------- .../debian/10_buster/base-uefi.preseed | 88 ---- .../templates/debian/10_buster/base-uefi.yaml | 313 ----------- .../templates/debian/10_buster/base.preseed | 69 --- .../templates/debian/10_buster/base.yaml | 300 ----------- .../templates/debian/10_buster/vagrant.rb.j2 | 7 - .../11_bullseye/base-crypt-uefi.preseed | 101 ---- .../debian/11_bullseye/base-crypt-uefi.yaml | 313 ----------- .../debian/11_bullseye/base-crypt.preseed | 78 --- .../debian/11_bullseye/base-crypt.yaml | 300 ----------- .../debian/11_bullseye/base-uefi.preseed | 88 ---- .../debian/11_bullseye/base-uefi.yaml | 313 ----------- .../templates/debian/11_bullseye/base.preseed | 69 --- .../templates/debian/11_bullseye/base.yaml | 300 ----------- .../debian/11_bullseye/vagrant.rb.j2 | 7 - _tools/packer/templates/ubuntu-bionic.json | 119 ----- .../templates/ubuntu-bionic/builds.pkr.hcl | 38 -- .../templates/ubuntu-bionic/sources.pkr.hcl | 80 --- .../templates/ubuntu-bionic/variables.pkr.hcl | 124 ----- _tools/packer/variables.pkr.hcl | 167 ++++++ .../scripts/ConfigureRemotingForAnsible.ps1 | 453 ++++++++++++++++ .../windowsserver/scripts/bootstrap.txt | 47 ++ .../windowsserver/windows-2016.pkr.hcl | 199 +++++++ .../windowsserver/windows-2019.pkr.hcl | 238 +++++++++ _tools/scripts/common.sh | 65 +++ _tools/scripts/init-tf-cloud.sh | 257 --------- _tools/scripts/terraform-version.sh | 46 ++ _tools/scripts/tfc-manage.py | 334 ++++++++++++ _tools/scripts/uniformize-tf-version.sh | 66 --- _tools/taskfiles/global.yml | 41 ++ _tools/taskfiles/init.yml | 97 ++++ _tools/taskfiles/keypair.yml | 23 + _tools/taskfiles/terraform.yml | 101 ++++ _tools/taskfiles/vagrant.yml | 44 ++ _tools/terraform/Makefile | 8 +- .../modules/terraform-aws-api-gateway/main.tf | 8 +- .../terraform-aws-api-gateway/outputs.tf | 2 +- .../terraform-aws-bootstrap/variables.tf | 6 +- .../modules/terraform-aws-eks/addons.tf | 0 .../modules/terraform-aws-eks/iam.tf | 271 ++++++++++ 
.../modules/terraform-aws-eks/kms.tf | 35 ++ .../modules/terraform-aws-eks/main.tf | 490 ++++++++++-------- .../terraform-aws-alb-ingress/README.md | 2 +- .../modules/terraform-aws-alb-ingress/main.tf | 28 +- .../terraform-aws-alb-ingress/outputs.tf | 2 +- .../terraform-aws-alb-ingress/provider.tf | 6 +- .../terraform-aws-external-dns/main.tf | 18 +- .../modules/terraform-aws-eks/nodes.tf | 0 .../modules/terraform-aws-eks/outputs.tf | 50 +- .../modules/terraform-aws-eks/variables.tf | 468 +++++++++++++++-- .../modules/terraform-aws-kms/main.tf | 485 +++++++++++++++++ .../modules/terraform-aws-kms/outputs.tf | 52 ++ .../modules/terraform-aws-kms/variables.tf | 253 +++++++++ .../modules/terraform-aws-kms/versions.tf | 10 + .../modules/terraform-aws-lambda/main.tf | 20 +- .../modules/terraform-aws-lambda/variables.tf | 18 +- .../terraform-aws-packer-build/README.md | 54 +- .../modules/terraform-aws-packer-build/iam.tf | 40 ++ .../terraform-aws-packer-build/outputs.tf | 6 +- .../terraform-aws-packer-build/variables.tf | 9 +- .../modules/terraform-aws-s3-bucket/README.md | 64 +++ .../modules/terraform-aws-s3-bucket/iam.tf | 0 .../modules/terraform-aws-s3-bucket/main.tf | 189 +++++++ .../terraform-aws-s3-bucket/outputs.tf | 15 + .../terraform-aws-s3-bucket/provider.tf | 7 + .../terraform-aws-s3-bucket/variable.tf | 99 ++++ .../modules/terraform-aws-vpc/certificate.tf | 6 +- .../modules/terraform-aws-vpc/endpoints.tf | 49 ++ .../modules/terraform-aws-vpc/main.tf | 134 +---- .../terraform-aws-vpc/securitygroup.tf | 27 + .../modules/terraform-aws-vpc/variables.tf | 7 +- .../modules/terraform-gandi-dns/README.md | 40 ++ .../modules/terraform-gandi-dns/main.tf | 8 +- .../modules/terraform-gandi-dns/outputs.tf | 6 +- .../modules/terraform-gandi-dns/variables.tf | 7 +- baseline/_terraform/.terraform-version | 2 +- baseline/_terraform/backend.tf | 8 +- baseline/_terraform/main.tf | 105 +--- baseline/_terraform/outputs.tf | 12 +- baseline/_terraform/provider.tf | 2 +- 
baseline/_terraform/variables.tf | 75 +-- baseline/qa/eu-west-1/.terraform-version | 1 - baseline/qa/eu-west-1/Makefile | 1 - baseline/qa/eu-west-1/README.md | 46 ++ .../qa/eu-west-1/{_backend.tf => backend.tf} | 0 ...rraform-config => config.remote.tfbackend} | 0 baseline/qa/eu-west-1/{_main.tf => main.tf} | 0 .../qa/eu-west-1/{_outputs.tf => outputs.tf} | 0 baseline/qa/eu-west-1/override.tf | 6 +- .../eu-west-1/{_provider.tf => provider.tf} | 0 baseline/qa/eu-west-1/terraform.auto.tfvars | 39 +- .../eu-west-1/{_variables.tf => variables.tf} | 0 build/_terraform/.terraform-version | 2 +- build/_terraform/backend.tf | 4 +- build/_terraform/main.tf | 18 +- build/_terraform/outputs.tf | 6 +- build/_terraform/provider.tf | 4 +- build/qa/eu-west-1/.terraform-version | 1 - build/qa/eu-west-1/Makefile | 1 - build/qa/eu-west-1/README.md | 44 ++ .../qa/eu-west-1/{_backend.tf => backend.tf} | 0 ...rraform-config => config.remote.tfbackend} | 0 build/qa/eu-west-1/{_main.tf => main.tf} | 0 .../qa/eu-west-1/{_outputs.tf => outputs.tf} | 0 build/qa/eu-west-1/override.tf | 6 +- .../eu-west-1/{_provider.tf => provider.tf} | 0 .../eu-west-1/{_variables.tf => variables.tf} | 0 cloudfront/_terraform/.terraform-version | 2 +- cloudfront/_terraform/main.tf | 6 +- cloudfront/_terraform/variables.tf | 11 +- cloudfront/qa/eu-west-1/terraform.auto.tfvars | 4 +- eks/_terraform/.terraform-version | 2 +- eks/_terraform/backend.tf | 2 +- eks/_terraform/main.tf | 108 ++-- eks/_terraform/provider.tf | 2 +- eks/_terraform/remote-states.tf | 18 +- eks/_terraform/variables.tf | 9 +- eks/qa/eu-west-1/Makefile | 1 - .../qa/eu-west-1/backend.tf | 0 ...rraform-config => config.remote.tfbackend} | 0 .../_main.tf => eks/qa/eu-west-1/main.tf | 0 eks/qa/eu-west-1/override.tf | 3 + .../qa/eu-west-1/provider.tf | 0 .../qa/eu-west-1/remote-states.tf | 0 eks/qa/eu-west-1/terraform.auto.tfvars | 31 +- .../qa/eu-west-1/variables.tf | 0 myapp/_terraform/.terraform-version | 2 +- myapp/_terraform/outputs.tf | 2 
+- myapp/_terraform/variables.tf | 10 +- vault/_terraform/.terraform-version | 2 +- vpc/_packer/packer.auto.pkrvars.hcl | 28 +- vpc/_packer/packer.sh | 1 - vpc/_packer/run.sh | 1 + vpc/_terraform/.terraform-version | 2 +- vpc/_terraform/backend.tf | 2 +- vpc/_terraform/db-import.sh.tpl | 4 +- vpc/_terraform/main.tf | 26 +- vpc/_terraform/provider.tf | 2 +- vpc/_terraform/variables.tf | 20 +- vpc/qa/eu-west-1/.terraform-version | 1 - vpc/qa/eu-west-1/Makefile | 1 - vpc/qa/eu-west-1/README.md | 11 - vpc/qa/eu-west-1/backend.tf | 1 + ...rraform-config => config.remote.tfbackend} | 0 vpc/qa/eu-west-1/main.tf | 1 + vpc/qa/eu-west-1/{_outputs.tf => outputs.tf} | 0 vpc/qa/eu-west-1/override.tf | 8 - vpc/qa/eu-west-1/provider.tf | 1 + vpc/qa/eu-west-1/remote-states.tf | 1 + vpc/qa/eu-west-1/terraform.auto.tfvars | 6 +- vpc/qa/eu-west-1/variables.tf | 1 + vpc/qa/us-east-1/.terraform-config | 3 - vpc/qa/us-east-1/.terraform-version | 1 - vpc/qa/us-east-1/Makefile | 3 - vpc/qa/us-east-1/_override.tf | 7 - vpc/qa/us-east-1/terraform.auto.tfvars | 18 - 241 files changed, 7196 insertions(+), 6624 deletions(-) create mode 100644 .editorconfig create mode 100644 .pre-commit-config.yaml delete mode 100644 Makefile create mode 100644 TODO.md create mode 100644 Taskfile.yml delete mode 100644 _docs/how-to-terraform-cloud.md create mode 100644 _docs/howto-iam-awsume.md create mode 100644 _docs/howto-terraform-cloud.md create mode 100644 _docs/howto-vpc.md create mode 100755 _tools/ansible/ansible.sh create mode 100644 _tools/ansible/galaxy/requirements.yml delete mode 100644 _tools/ansible/playbooks/group_vars/all/apt.yml create mode 100644 _tools/ansible/playbooks/group_vars/all/packages.yml delete mode 100644 _tools/ansible/playbooks/group_vars/bastion/apt.yml create mode 100644 _tools/ansible/playbooks/group_vars/bastion/packages.yml create mode 100644 _tools/ansible/playbooks/group_vars/bastion/teleport.yml create mode 100644 _tools/ansible/playbooks/inventory/all.yaml delete mode 
100644 _tools/ansible/playbooks/inventory/sandbox.yml create mode 100644 _tools/ansible/roles/ansible-awscli/defaults/main.yml create mode 100644 _tools/ansible/roles/ansible-awscli/tasks/main.yml create mode 100644 _tools/ansible/roles/ansible-packages/defaults/main.yml create mode 100644 _tools/ansible/roles/ansible-packages/tasks/main.yml create mode 100644 _tools/ansible/roles/ansible-teleport/README.md create mode 100644 _tools/ansible/roles/ansible-teleport/defaults/main.yml create mode 100644 _tools/ansible/roles/ansible-teleport/handlers/main.yml create mode 100644 _tools/ansible/roles/ansible-teleport/tasks/configure.yml create mode 100644 _tools/ansible/roles/ansible-teleport/tasks/main.yml create mode 100644 _tools/ansible/roles/ansible-teleport/tasks/setup-Debian.yml create mode 100644 _tools/ansible/roles/ansible-teleport/tasks/setup-RedHat.yml create mode 100644 _tools/ansible/roles/ansible-teleport/templates/teleport.yaml.j2 create mode 100644 _tools/ansible/roles/ansible-teleport/vars/main.yml delete mode 100644 _tools/ansible/roles/apt/defaults/main.yml delete mode 100644 _tools/ansible/roles/apt/tasks/main.yml delete mode 100644 _tools/ansible/roles/aws-cli/.yamllint delete mode 100644 _tools/ansible/roles/aws-cli/defaults/main.yml delete mode 100644 _tools/ansible/roles/aws-cli/molecule/default/converge.yml delete mode 100644 _tools/ansible/roles/aws-cli/molecule/default/molecule.yml delete mode 100644 _tools/ansible/roles/aws-cli/molecule/default/verify.yml delete mode 100644 _tools/ansible/roles/aws-cli/tasks/main.yml delete mode 100644 _tools/packer/Dockerfile delete mode 100644 _tools/packer/Makefile create mode 120000 _tools/packer/all/amazonlinux-2023.pkr.hcl create mode 120000 _tools/packer/all/debian-bookworm.pkr.hcl create mode 100644 _tools/packer/all/plugins.pkr.hcl create mode 120000 _tools/packer/all/ubuntu-2204.pkr.hcl create mode 120000 _tools/packer/all/variables.pkr.hcl create mode 100644 
_tools/packer/linux/amazonlinux/amazonlinux-2023.pkr.hcl create mode 100644 _tools/packer/linux/amazonlinux/templates/amazonlinux-2023/Vagrantfile.tpl create mode 100644 _tools/packer/linux/debian/debian-bookworm.pkr.hcl create mode 100644 _tools/packer/linux/debian/debian-bulleye.pkr.hcl create mode 100644 _tools/packer/linux/debian/debian-buster.pkr.hcl create mode 100644 _tools/packer/linux/debian/templates/debian/bookworm/Vagrantfile.tpl create mode 100644 _tools/packer/linux/debian/templates/debian/bullseye/Vagrantfile.tpl create mode 100644 _tools/packer/linux/debian/templates/debian/buster/Vagrantfile.tpl create mode 100644 _tools/packer/linux/ubuntu/templates/ubuntu/1804/Vagrantfile.tpl create mode 100644 _tools/packer/linux/ubuntu/templates/ubuntu/2004/Vagrantfile.tpl create mode 100644 _tools/packer/linux/ubuntu/templates/ubuntu/2204/Vagrantfile.tpl create mode 100644 _tools/packer/linux/ubuntu/ubuntu-1804.pkr.hcl create mode 100644 _tools/packer/linux/ubuntu/ubuntu-2004.pkr.hcl create mode 100644 _tools/packer/linux/ubuntu/ubuntu-2204.pkr.hcl create mode 100755 _tools/packer/run.sh delete mode 100644 _tools/packer/templates/builder-qemu.json delete mode 100644 _tools/packer/templates/debian-buster.json delete mode 100644 _tools/packer/templates/debian-buster/builds.pkr.hcl delete mode 100644 _tools/packer/templates/debian-buster/http/base.preseed delete mode 100644 _tools/packer/templates/debian-buster/http/preseed.cfg delete mode 100644 _tools/packer/templates/debian-buster/sources.pkr.hcl delete mode 100644 _tools/packer/templates/debian-buster/variables.pkr.hcl delete mode 100644 _tools/packer/templates/debian/10_buster/base-crypt-uefi.preseed delete mode 100644 _tools/packer/templates/debian/10_buster/base-crypt-uefi.yaml delete mode 100644 _tools/packer/templates/debian/10_buster/base-crypt.preseed delete mode 100644 _tools/packer/templates/debian/10_buster/base-crypt.yaml delete mode 100644 _tools/packer/templates/debian/10_buster/base-uefi.preseed 
delete mode 100644 _tools/packer/templates/debian/10_buster/base-uefi.yaml delete mode 100644 _tools/packer/templates/debian/10_buster/base.preseed delete mode 100644 _tools/packer/templates/debian/10_buster/base.yaml delete mode 100644 _tools/packer/templates/debian/10_buster/vagrant.rb.j2 delete mode 100644 _tools/packer/templates/debian/11_bullseye/base-crypt-uefi.preseed delete mode 100644 _tools/packer/templates/debian/11_bullseye/base-crypt-uefi.yaml delete mode 100644 _tools/packer/templates/debian/11_bullseye/base-crypt.preseed delete mode 100644 _tools/packer/templates/debian/11_bullseye/base-crypt.yaml delete mode 100644 _tools/packer/templates/debian/11_bullseye/base-uefi.preseed delete mode 100644 _tools/packer/templates/debian/11_bullseye/base-uefi.yaml delete mode 100644 _tools/packer/templates/debian/11_bullseye/base.preseed delete mode 100644 _tools/packer/templates/debian/11_bullseye/base.yaml delete mode 100644 _tools/packer/templates/debian/11_bullseye/vagrant.rb.j2 delete mode 100644 _tools/packer/templates/ubuntu-bionic.json delete mode 100644 _tools/packer/templates/ubuntu-bionic/builds.pkr.hcl delete mode 100644 _tools/packer/templates/ubuntu-bionic/sources.pkr.hcl delete mode 100644 _tools/packer/templates/ubuntu-bionic/variables.pkr.hcl create mode 100644 _tools/packer/variables.pkr.hcl create mode 100644 _tools/packer/windows/windowsserver/scripts/ConfigureRemotingForAnsible.ps1 create mode 100644 _tools/packer/windows/windowsserver/scripts/bootstrap.txt create mode 100644 _tools/packer/windows/windowsserver/windows-2016.pkr.hcl create mode 100644 _tools/packer/windows/windowsserver/windows-2019.pkr.hcl create mode 100755 _tools/scripts/common.sh delete mode 100755 _tools/scripts/init-tf-cloud.sh create mode 100755 _tools/scripts/terraform-version.sh create mode 100755 _tools/scripts/tfc-manage.py delete mode 100755 _tools/scripts/uniformize-tf-version.sh create mode 100644 _tools/taskfiles/global.yml create mode 100644 
_tools/taskfiles/init.yml create mode 100644 _tools/taskfiles/keypair.yml create mode 100644 _tools/taskfiles/terraform.yml create mode 100644 _tools/taskfiles/vagrant.yml create mode 100644 _tools/terraform/modules/terraform-aws-eks/addons.tf create mode 100644 _tools/terraform/modules/terraform-aws-eks/iam.tf create mode 100644 _tools/terraform/modules/terraform-aws-eks/kms.tf create mode 100644 _tools/terraform/modules/terraform-aws-eks/nodes.tf create mode 100644 _tools/terraform/modules/terraform-aws-kms/main.tf create mode 100644 _tools/terraform/modules/terraform-aws-kms/outputs.tf create mode 100644 _tools/terraform/modules/terraform-aws-kms/variables.tf create mode 100644 _tools/terraform/modules/terraform-aws-kms/versions.tf create mode 100644 _tools/terraform/modules/terraform-aws-packer-build/iam.tf create mode 100644 _tools/terraform/modules/terraform-aws-s3-bucket/README.md create mode 100644 _tools/terraform/modules/terraform-aws-s3-bucket/iam.tf create mode 100644 _tools/terraform/modules/terraform-aws-s3-bucket/main.tf create mode 100644 _tools/terraform/modules/terraform-aws-s3-bucket/outputs.tf create mode 100644 _tools/terraform/modules/terraform-aws-s3-bucket/provider.tf create mode 100644 _tools/terraform/modules/terraform-aws-s3-bucket/variable.tf create mode 100644 _tools/terraform/modules/terraform-aws-vpc/endpoints.tf create mode 100644 _tools/terraform/modules/terraform-aws-vpc/securitygroup.tf create mode 100644 _tools/terraform/modules/terraform-gandi-dns/README.md delete mode 120000 baseline/qa/eu-west-1/.terraform-version delete mode 100644 baseline/qa/eu-west-1/Makefile create mode 100644 baseline/qa/eu-west-1/README.md rename baseline/qa/eu-west-1/{_backend.tf => backend.tf} (100%) rename baseline/qa/eu-west-1/{.terraform-config => config.remote.tfbackend} (100%) rename baseline/qa/eu-west-1/{_main.tf => main.tf} (100%) rename baseline/qa/eu-west-1/{_outputs.tf => outputs.tf} (100%) rename baseline/qa/eu-west-1/{_provider.tf => 
provider.tf} (100%) rename baseline/qa/eu-west-1/{_variables.tf => variables.tf} (100%) delete mode 120000 build/qa/eu-west-1/.terraform-version delete mode 100644 build/qa/eu-west-1/Makefile create mode 100644 build/qa/eu-west-1/README.md rename build/qa/eu-west-1/{_backend.tf => backend.tf} (100%) rename build/qa/eu-west-1/{.terraform-config => config.remote.tfbackend} (100%) rename build/qa/eu-west-1/{_main.tf => main.tf} (100%) rename build/qa/eu-west-1/{_outputs.tf => outputs.tf} (100%) rename build/qa/eu-west-1/{_provider.tf => provider.tf} (100%) rename build/qa/eu-west-1/{_variables.tf => variables.tf} (100%) delete mode 100644 eks/qa/eu-west-1/Makefile rename vpc/qa/eu-west-1/_backend.tf => eks/qa/eu-west-1/backend.tf (100%) rename eks/qa/eu-west-1/{.terraform-config => config.remote.tfbackend} (100%) rename vpc/qa/eu-west-1/_main.tf => eks/qa/eu-west-1/main.tf (100%) create mode 100644 eks/qa/eu-west-1/override.tf rename vpc/qa/eu-west-1/_provider.tf => eks/qa/eu-west-1/provider.tf (100%) rename vpc/qa/eu-west-1/_remote-states.tf => eks/qa/eu-west-1/remote-states.tf (100%) rename vpc/qa/eu-west-1/_variables.tf => eks/qa/eu-west-1/variables.tf (100%) delete mode 120000 vpc/_packer/packer.sh create mode 120000 vpc/_packer/run.sh delete mode 120000 vpc/qa/eu-west-1/.terraform-version delete mode 100644 vpc/qa/eu-west-1/Makefile create mode 120000 vpc/qa/eu-west-1/backend.tf rename vpc/qa/eu-west-1/{.terraform-config => config.remote.tfbackend} (100%) create mode 120000 vpc/qa/eu-west-1/main.tf rename vpc/qa/eu-west-1/{_outputs.tf => outputs.tf} (100%) create mode 120000 vpc/qa/eu-west-1/provider.tf create mode 120000 vpc/qa/eu-west-1/remote-states.tf create mode 120000 vpc/qa/eu-west-1/variables.tf delete mode 100644 vpc/qa/us-east-1/.terraform-config delete mode 120000 vpc/qa/us-east-1/.terraform-version delete mode 100644 vpc/qa/us-east-1/Makefile delete mode 100644 vpc/qa/us-east-1/_override.tf delete mode 100644 vpc/qa/us-east-1/terraform.auto.tfvars 
diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 0000000..0ecc8dc
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,31 @@
+# EditorConfig is awesome: http://EditorConfig.org
+
+# top-most EditorConfig file
+root = true
+
+# Unix-style newlines with a newline ending every file
+[*]
+charset = utf-8
+end_of_line = lf
+indent_size = 2
+indent_style = space
+insert_final_newline = true
+max_line_length = 80
+trim_trailing_whitespace = true
+
+[*.{tf,tfvars}]
+indent_size = 2
+indent_style = space
+
+[*.md]
+max_line_length = 0
+trim_trailing_whitespace = false
+insert_final_newline = false
+
+# Tab indentation (no size specified)
+[Makefile]
+tab_width = 2
+indent_style = tab
+
+[COMMIT_EDITMSG]
+max_line_length = 0
diff --git a/.github/workflows/ansible-ci.yml b/.github/workflows/ansible-ci.yml
index 1647fff..18b56ee 100644
--- a/.github/workflows/ansible-ci.yml
+++ b/.github/workflows/ansible-ci.yml
@@ -1,45 +1,45 @@ -name: Ansible Molecule +# name: Ansible Molecule -on: - push: - branches: - - main - paths: - - '.github/**' - - '_tools/ansible/**' - pull_request: - branches: - - '*' - paths: - - '.github/**' - - '_tools/ansible/**' +# on: +# push: +# branches: +# - main +# paths: +# - '.github/**' +# - '_tools/ansible/**' +# pull_request: +# branches: +# - '*' +# paths: +# - '.github/**' +# - '_tools/ansible/**' -jobs: - aws-cli: - name: AWScli Role - runs-on: ubuntu-latest +# jobs: +# aws-cli: +# name: AWScli Role +# runs-on: ubuntu-latest - strategy: - matrix: - distro: - - centos8 - - debian10 +# strategy: +# matrix: +# distro: +# - centos8 +# - debian10 - steps: - - name: Check out the codebase. - uses: actions/checkout@v2 +# steps: +# - name: Check out the codebase. +# uses: actions/checkout@v2 - - name: Set up Python 3. - uses: actions/setup-python@v2 - with: - python-version: '3.x' +# - name: Set up Python 3. +# uses: actions/setup-python@v2 +# with: +# python-version: '3.x' - - name: Install test dependencies. - run: pip3 install molecule docker yamllint ansible ansible-lint 'molecule[docker]' +# - name: Install test dependencies. +# run: pip3 install molecule docker yamllint ansible ansible-lint 'molecule[docker]' - - name: Run Molecule tests ansible role - run: cd _tools/ansible/roles/aws-cli && molecule test - env: - PY_COLORS: '1' - ANSIBLE_FORCE_COLOR: '1' - MOLECULE_DISTRO: ${{ matrix.distro }} +# - name: Run Molecule tests ansible role +# run: cd _tools/ansible/roles/aws-cli && molecule test +# env: +# PY_COLORS: '1' +# ANSIBLE_FORCE_COLOR: '1' +# MOLECULE_DISTRO: ${{ matrix.distro }} diff --git a/.github/workflows/terraform-baseline.yml b/.github/workflows/terraform-baseline.yml index 6355aeb..ecf5b8a 100644 --- a/.github/workflows/terraform-baseline.yml +++ b/.github/workflows/terraform-baseline.yml 
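Review bot: Commenting out the whole workflow instead of deleting it leaves a dead file that still points at `_tools/ansible/roles/aws-cli`, which this same commit removes (the diffstat deletes that role and adds `ansible-awscli`), so uncommenting it later would fail at `cd _tools/ansible/roles/aws-cli`, and as far as this diff shows no Molecule or lint job now covers the new `ansible-awscli` and `ansible-teleport` roles. The same disable-by-comment is applied in terraform-baseline.yml, terraform-build.yml, terraform-myapp.yml and terraform-vpc.yml. If the intent is to park the workflow, a header comment stating why and what brings it back, e.g. `# Disabled during the refactor: aws-cli role replaced by ansible-awscli; re-enable once it has a molecule scenario`, makes that explicit; otherwise deleting the file (history keeps it) is cleaner than 45 commented lines. When it is re-enabled, `actions/checkout@v2` and `actions/setup-python@v2` are old majors and should be moved to a current release or a commit SHA.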
@@ -1,43 +1,46 @@ -name: Terraform Baseline +# name: Terraform Baseline -on: - push: - branches: - - main - paths: - - '.github/**' - - 'baseline/**' - - '_tools/terraform/modules/**' - pull_request: - branches: - - '*' - paths: - - '.github/**' - - 'baseline/**' - - '_tools/terraform/modules/**' +# on: +# push: +# branches: +# - main +# paths: +# - '.github/**' +# - 'baseline/**' +# - '_tools/terraform/modules/**' +# pull_request: +# branches: +# - '*' +# paths: +# - '.github/**' +# - 'baseline/**' +# - '_tools/terraform/modules/**' -jobs: +# jobs: - terraform-baseline: - name: 'TF Baseline QA' - runs-on: ubuntu-latest - env: - environment: qa - region: eu-west-1 - steps: - - name: Setup terraform provider - uses: hashicorp/setup-terraform@v1 - with: - terraform_version: 1.0.0 - cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }} - - name: Checkout Source - uses: actions/checkout@v2 +# terraform-baseline: +# name: 'TF Baseline QA' +# runs-on: ubuntu-latest +# env: +# environment: qa +# region: eu-west-1 +# steps: +# - name: Setup go-task +# uses: pnorton5432/setup-task@v1 +# with: +# task-version: 3.43.3 +# - name: Setup terraform provider +# uses: hashicorp/setup-terraform@v3 +# with: +# terraform_version: 1.11.4 +# cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }} +# - name: Checkout Source +# uses: actions/checkout@v4 - - name: baseline-${{ env.environment }}-${{ env.region }} - shell: bash - run: | - make init - make validate - make version - make plan - working-directory: ./baseline/${{ env.environment }}/${{ env.region }} +# - name: baseline-${{ env.environment }}-${{ env.region }} +# shell: bash +# run: | +# task tf:init +# task tf:validate +# task tf:plan +# working-directory: ./baseline/${{ env.environment }}/${{ env.region }} diff --git a/.github/workflows/terraform-build.yml b/.github/workflows/terraform-build.yml index a878ff9..560995e 100644 --- a/.github/workflows/terraform-build.yml +++ b/.github/workflows/terraform-build.yml 
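Review bot: The new `uses: pnorton5432/setup-task@v1` step references a third-party action by a mutable tag, in a job that also receives `secrets.TF_API_TOKEN`; when this workflow is re-enabled it should be pinned to a full commit SHA, e.g. `uses: pnorton5432/setup-task@<commit-sha> # v1`, so that a moved or re-pushed tag cannot change what runs with the Terraform Cloud token in scope. The same line is added in terraform-build.yml and terraform-vpc.yml. Note also that the job is now entirely commented out, so the `task tf:plan` check it describes does not actually run on pull requests.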
@@ -1,45 +1,46 @@ -# - https://help.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets +# name: Terraform Build -name: Terraform Build +# on: +# push: +# branches: +# - main +# paths: +# - '.github/**' +# - 'build/**' +# - '_tools/terraform/modules/**' +# pull_request: +# branches: +# - '*' +# paths: +# - '.github/**' +# - 'build/**' +# - '_tools/terraform/modules/**' -on: - push: - branches: - - main - paths: - - '.github/**' - - 'build/**' - - '_tools/terraform/modules/**' - pull_request: - branches: - - '*' - paths: - - '.github/**' - - 'build/**' - - '_tools/terraform/modules/**' +# jobs: -jobs: +# terraform-build: +# name: 'TF Build QA' +# runs-on: ubuntu-latest +# env: +# environment: qa +# region: eu-west-1 +# steps: +# - name: Setup go-task +# uses: pnorton5432/setup-task@v1 +# with: +# task-version: 3.43.3 +# - name: Setup terraform provider +# uses: hashicorp/setup-terraform@v3 +# with: +# terraform_version: 1.11.4 +# cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }} +# - name: Checkout Source +# uses: actions/checkout@v4 - terraform-build: - name: 'TF Build QA' - runs-on: ubuntu-latest - env: - environment: qa - region: eu-west-1 - steps: - - name: Setup terraform provider - uses: hashicorp/setup-terraform@v1 - with: - terraform_version: 1.0.0 - cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }} - - name: Checkout Source - uses: actions/checkout@v2 - - - name: build-${{ env.environment }}-${{ env.region }} - shell: bash - run: | - make init - make validate - make version - make plan - working-directory: ./build/${{ env.environment }}/${{ env.region }} +# - name: build-${{ env.environment }}-${{ env.region }} +# shell: bash +# run: | +# task tf:init +# task tf:validate +# task tf:plan +# working-directory: ./build/${{ env.environment }}/${{ env.region }} diff --git a/.github/workflows/terraform-myapp.yml b/.github/workflows/terraform-myapp.yml index 5ccdb83..be71917 100644 
--- a/.github/workflows/terraform-myapp.yml +++ b/.github/workflows/terraform-myapp.yml @@ -1,43 +1,43 @@ -name: Terraform MyApp +# name: Terraform MyApp -on: - push: - branches: - - main - paths: - - '.github/**' - - 'myapp/**' - - '_tools/terraform/modules/**' - pull_request: - branches: - - '*' - paths: - - '.github/**' - - 'myapp/**' - - '_tools/terraform/modules/**' +# on: +# push: +# branches: +# - main +# paths: +# - '.github/**' +# - 'myapp/**' +# - '_tools/terraform/modules/**' +# pull_request: +# branches: +# - '*' +# paths: +# - '.github/**' +# - 'myapp/**' +# - '_tools/terraform/modules/**' -jobs: +# jobs: - terraform-myapp: - name: 'TF MyApp QA' - runs-on: ubuntu-latest - env: - environment: qa - region: eu-west-1 - steps: - - name: Setup terraform provider - uses: hashicorp/setup-terraform@v1 - with: - terraform_version: 1.0.0 - cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }} - - name: Checkout Source - uses: actions/checkout@v2 +# terraform-myapp: +# name: 'TF MyApp QA' +# runs-on: ubuntu-latest +# env: +# environment: qa +# region: eu-west-1 +# steps: +# - name: Setup terraform provider +# uses: hashicorp/setup-terraform@v1 +# with: +# terraform_version: 1.0.0 +# cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }} +# - name: Checkout Source +# uses: actions/checkout@v2 - - name: myapp-${{ env.environment }}-${{ env.region }} - shell: bash - run: | - make init - make validate - make version - make plan - working-directory: ./myapp/${{ env.environment }}/${{ env.region }} +# - name: myapp-${{ env.environment }}-${{ env.region }} +# shell: bash +# run: | +# make init +# make validate +# make version +# make plan +# working-directory: ./myapp/${{ env.environment }}/${{ env.region }} diff --git a/.github/workflows/terraform-vpc.yml b/.github/workflows/terraform-vpc.yml index 6eb443d..edf2d9c 100644 --- a/.github/workflows/terraform-vpc.yml +++ b/.github/workflows/terraform-vpc.yml 
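Review bot: The myapp job was not migrated with the others: its (commented-out) run step still calls `make init`, `make validate`, `make version` and `make plan`, while this commit deletes the top-level `Makefile` and the per-environment Makefiles (see the diffstat) and moves baseline, build and vpc to `task tf:init` / `task tf:validate` / `task tf:plan`; it also keeps `hashicorp/setup-terraform@v1` with `terraform_version: 1.0.0` where baseline and build now use `@v3` and `1.11.4`. Re-enabling it as written would fail at the first `make` step. Either align it with terraform-baseline.yml (the setup-task step plus `task tf:init`, `task tf:validate`, `task tf:plan`) or delete the file.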
@@ -1,51 +1,54 @@ -# - https://help.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets +# # - https://help.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets -name: Terraform VPC +# name: Terraform VPC -on: - push: - branches: - - main - paths: - - '.github/**' - - 'vpc/**' - - '_tools/terraform/modules/**' - pull_request: - branches: - - '*' - paths: - - '.github/**' - - 'vpc/**' - - '_tools/terraform/modules/**' +# on: +# push: +# branches: +# - main +# paths: +# - '.github/**' +# - 'vpc/**' +# - '_tools/terraform/modules/**' +# pull_request: +# branches: +# - '*' +# paths: +# - '.github/**' +# - 'vpc/**' +# - '_tools/terraform/modules/**' -jobs: +# jobs: - terraform-vpc: - name: 'TF VPC QA' - runs-on: ubuntu-latest - env: - environment: qa - region: eu-west-1 - steps: - - name: Setup terraform provider - uses: hashicorp/setup-terraform@v1 - with: - terraform_version: 1.0.0 - cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }} - - name: Checkout Source - uses: actions/checkout@v2 +# terraform-vpc: +# name: 'TF VPC QA' +# runs-on: ubuntu-latest +# env: +# environment: qa +# region: eu-west-1 +# steps: +# - name: Setup go-task +# uses: pnorton5432/setup-task@v1 +# with: +# task-version: 3.43.3 +# - name: Setup terraform provider +# uses: hashicorp/setup-terraform@v1 +# with: +# terraform_version: 1.0.0 +# cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }} +# - name: Checkout Source +# uses: actions/checkout@v2 - - name: vpc-${{ env.environment }}-${{ env.region }} - shell: bash - run: | - make init - make validate - make version - make plan - working-directory: ./vpc/${{ env.environment }}/${{ env.region }} +# - name: vpc-${{ env.environment }}-${{ env.region }} +# shell: bash +# run: | +# task tf:init +# task tf:validate +# task tf:plan +# working-directory: ./vpc/${{ env.environment }}/${{ env.region }} - # # On push to main, build or change infrastructure 
according to Terraform configuration files - # # Note: It is recommended to set up a required "strict" status check in your repository for "Terraform Cloud". See the documentation on "strict" required status checks for more information: https://help.github.com/en/github/administering-a-repository/types-of-required-status-checks - # - name: Terraform Apply - # if: github.ref == 'refs/heads/main' && github.event_name == 'push' - # run: terraform apply -auto-approve +# # # On push to main, build or change infrastructure according to Terraform configuration files +# # # Note: It is recommended to set up a required "strict" status check in your repository for "Terraform Cloud". See the documentation on "strict" required status checks for more information: https://help.github.com/en/github/administering-a-repository/types-of-required-status-checks +# # - name: Terraform Apply +# # if: github.ref == 'refs/heads/main' && github.event_name == 'push' +# # run: terraform apply -auto-approve diff --git a/.gitignore b/.gitignore index e536251..c1886c1 100644 --- a/.gitignore +++ b/.gitignore @@ -1,7 +1,6 @@ .idea/* .DS_Store *.code-workspace -**/.terraform.lock.hcl # Created by https://www.toptal.com/developers/gitignore/api/vs,terraform,ansible,git,helm,packer,vagrant # Edit at https://www.toptal.com/developers/gitignore?templates=vs,terraform,ansible,git,helm,packer,vagrant @@ -14,16 +13,6 @@ # $ git config --global mergetool.keepBackup false *.orig -# Created by git when using merge tools for conflicts -*.BACKUP.* -*.BASE.* -*.LOCAL.* -*.REMOTE.* -*_BACKUP_*.txt -*_BASE_*.txt -*_LOCAL_*.txt -*_REMOTE_*.txt - ### Helm ### # Chart dependencies **/charts/*.tgz 
@@ -46,12 +35,18 @@ output-*/ ### Terraform ### # Local .terraform directories **/.terraform/* +**/.terraform.lock.hcl # .tfstate files *.tfstate *.tfstate.* -# Crash log files +# Terraform graph output +*.dot +*.svg + +# Ansible galaxy roles +**/galaxy/roles # Ignore any .tfvars files that are generated automatically for each Terraform run. Most # .tfvars files are managed as part of configuration and so should be included in @@ -72,8 +67,10 @@ output-*/ # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan # example: *tfplan* +# Python virtual environment +.venv/ + ### Vagrant ### -# General .vagrant/ # Log files (if you are creating logs in debug mode, uncomment this) 
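Review bot: Provider lock files will never be committed, because `**/.terraform.lock.hcl` is listed again here (moved from the top of the file rather than dropped), so the provider versions and hashes that `terraform init` recorded for the reviewed plan are not what another machine or CI resolves; the `--args=--lockfile=false` passed to terraform_docs in .pre-commit-config.yaml points the same way. HashiCorp's guidance is to commit the lock file next to the configuration: remove this line, commit the lock files for each root module, and refresh them with `terraform providers lock` when a provider is bumped. If only module directories are meant to stay unlocked, scope the pattern to those paths instead of `**/`.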
@@ -81,360 +78,10 @@ output-*/ ### Vagrant Patch ### -### vs ### -## Ignore Visual Studio temporary files, build results, and -## files generated by popular Visual Studio add-ons. -## -## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore - -# User-specific files -*.rsuser -*.suo -*.user -*.userosscache -*.sln.docstates - -# User-specific files (MonoDevelop/Xamarin Studio) -*.userprefs - -# Mono auto generated files -mono_crash.* - -# Build results -[Dd]ebug/ -[Dd]ebugPublic/ -[Rr]elease/ -[Rr]eleases/ -x64/ -x86/ -[Aa][Rr][Mm]/ -[Aa][Rr][Mm]64/ -bld/ -[Bb]in/ -[Oo]bj/ -[Ll]og/ -[Ll]ogs/ - -# Visual Studio 2015/2017 cache/options directory -.vs/ -# Uncomment if you have tasks that create the project's static files in wwwroot -#wwwroot/ - -# Visual Studio 2017 auto generated files -Generated\ Files/ - -# MSTest test Results -[Tt]est[Rr]esult*/ -[Bb]uild[Ll]og.* - -# NUnit -*.VisualState.xml -TestResult.xml -nunit-*.xml - -# Build Results of an ATL Project -[Dd]ebugPS/ -[Rr]eleasePS/ -dlldata.c - -# Benchmark Results -BenchmarkDotNet.Artifacts/ - -# .NET Core -project.lock.json -project.fragment.lock.json -artifacts/ - -# StyleCop -StyleCopReport.xml - -# Files built by Visual Studio -*_i.c -*_p.c -*_h.h -*.ilk -*.meta -*.obj -*.iobj -*.pch -*.pdb -*.ipdb -*.pgc -*.pgd -*.rsp -*.sbr -*.tlb -*.tli -*.tlh -*.tmp -*.tmp_proj -*_wpftmp.csproj -*.log -*.vspscc -*.vssscc -.builds -*.pidb -*.svclog -*.scc - -# Chutzpah Test files -_Chutzpah* - -# Visual C++ cache files -ipch/ -*.aps -*.ncb -*.opendb -*.opensdf -*.sdf -*.cachefile -*.VC.db -*.VC.VC.opendb - -# Visual Studio profiler -*.psess -*.vsp -*.vspx -*.sap - -# Visual Studio Trace Files -*.e2e - -# TFS 2012 Local Workspace -$tf/ - -# Guidance Automation Toolkit -*.gpState - -# ReSharper is a .NET coding add-in -_ReSharper*/ -*.[Rr]e[Ss]harper -*.DotSettings.user - -# TeamCity is a build add-in -_TeamCity* - -# DotCover is a Code Coverage Tool -*.dotCover - -# AxoCover is a Code 
Coverage Tool -.axoCover/* -!.axoCover/settings.json - -# Coverlet is a free, cross platform Code Coverage Tool -coverage*[.json, .xml, .info] - -# Visual Studio code coverage results -*.coverage -*.coveragexml - -# NCrunch -_NCrunch_* -.*crunch*.local.xml -nCrunchTemp_* - -# MightyMoose -*.mm.* -AutoTest.Net/ - -# Web workbench (sass) -.sass-cache/ - -# Installshield output folder -[Ee]xpress/ - -# DocProject is a documentation generator add-in -DocProject/buildhelp/ -DocProject/Help/*.HxT -DocProject/Help/*.HxC -DocProject/Help/*.hhc -DocProject/Help/*.hhk -DocProject/Help/*.hhp -DocProject/Help/Html2 -DocProject/Help/html - -# Click-Once directory -publish/ - -# Publish Web Output -*.[Pp]ublish.xml -*.azurePubxml -# Note: Comment the next line if you want to checkin your web deploy settings, -# but database connection strings (with potential passwords) will be unencrypted -*.pubxml -*.publishproj - -# Microsoft Azure Web App publish settings. Comment the next line if you want to -# checkin your Azure Web App publish settings, but sensitive information contained -# in these scripts will be unencrypted -PublishScripts/ - -# NuGet Packages -*.nupkg -# NuGet Symbol Packages -*.snupkg -# The packages folder can be ignored because of Package Restore -**/[Pp]ackages/* -# except build/, which is used as an MSBuild target. 
-!**/[Pp]ackages/build/ -# Uncomment if necessary however generally it will be regenerated when needed -#!**/[Pp]ackages/repositories.config -# NuGet v3's project.json files produces more ignorable files -*.nuget.props -*.nuget.targets - -# Microsoft Azure Build Output -csx/ -*.build.csdef - -# Microsoft Azure Emulator -ecf/ -rcf/ - -# Windows Store app package directories and files -AppPackages/ -BundleArtifacts/ -Package.StoreAssociation.xml -_pkginfo.txt -*.appx -*.appxbundle -*.appxupload - -# Visual Studio cache files -# files ending in .cache can be ignored -*.[Cc]ache -# but keep track of directories ending in .cache -!?*.[Cc]ache/ - -# Others -ClientBin/ -~$* -*~ -*.dbmdl -*.dbproj.schemaview -*.jfm -*.pfx -*.publishsettings -orleans.codegen.cs - -# Including strong name files can present a security risk -# (https://github.com/github/gitignore/pull/2483#issue-259490424) -#*.snk - -# Since there are multiple workflows, uncomment next line to ignore bower_components -# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) -#bower_components/ - -# RIA/Silverlight projects -Generated_Code/ - -# Backup & report files from converting an old project file -# to a newer Visual Studio version. Backup files are not needed, -# because we have git ;-) -_UpgradeReport_Files/ -Backup*/ -UpgradeLog*.XML -UpgradeLog*.htm -ServiceFabricBackup/ -*.rptproj.bak - -# SQL Server files -*.mdf -*.ldf -*.ndf - -# Business Intelligence projects -*.rdl.data -*.bim.layout -*.bim_*.settings -*.rptproj.rsuser -*- [Bb]ackup.rdl -*- [Bb]ackup ([0-9]).rdl -*- [Bb]ackup ([0-9][0-9]).rdl - -# Microsoft Fakes -FakesAssemblies/ - -# GhostDoc plugin setting file -*.GhostDoc.xml - # Node.js Tools for Visual Studio -.ntvs_analysis.dat node_modules/ **/*.zip -# Visual Studio 6 build log -*.plg - -# Visual Studio 6 workspace options file -*.opt - -# Visual Studio 6 auto-generated workspace file (contains which files were open etc.) 
-*.vbw - -# Visual Studio LightSwitch build output -**/*.HTMLClient/GeneratedArtifacts -**/*.DesktopClient/GeneratedArtifacts -**/*.DesktopClient/ModelManifest.xml -**/*.Server/GeneratedArtifacts -**/*.Server/ModelManifest.xml -_Pvt_Extensions - -# Paket dependency manager -.paket/paket.exe -paket-files/ - -# FAKE - F# Make -.fake/ - -# CodeRush personal settings -.cr/personal - # Python Tools for Visual Studio (PTVS) __pycache__/ *.pyc - -# Cake - Uncomment if you are using it -# tools/** -# !tools/packages.config - -# Tabs Studio -*.tss - -# Telerik's JustMock configuration file -*.jmconfig - -# BizTalk build output -*.btp.cs -*.btm.cs -*.odx.cs -*.xsd.cs - -# OpenCover UI analysis results -OpenCover/ - -# Azure Stream Analytics local run output -ASALocalRun/ - -# MSBuild Binary and Structured Log -*.binlog - -# NVidia Nsight GPU debugger configuration file -*.nvuser - -# MFractors (Xamarin productivity tool) working folder -.mfractor/ - -# Local History for Visual Studio -.localhistory/ - -# BeatPulse healthcheck temp database -healthchecksdb - -# Backup folder for Package Reference Convert tool in Visual Studio 2017 -MigrationBackup/ - -# Ionide (cross platform F# VS Code tools) working folder -.ionide/ - -# End of https://www.toptal.com/developers/gitignore/api/vs,terraform,ansible,git,helm,packer,vagrant \ No newline at end of file diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 0000000..34e61cd --- /dev/null +++ b/.pre-commit-config.yaml 
@@ -0,0 +1,32 @@
+repos:
+ - repo: https://github.com/antonbabenko/pre-commit-terraform
+ rev: v1.99.0
+ hooks:
+ - id: terraform_fmt
+ - id: terraform_docs
+ args:
+ - '--args=--lockfile=false'
+ - id: terraform_tflint
+ args:
+ - '--args=--only=terraform_deprecated_interpolation'
+ - '--args=--only=terraform_deprecated_index'
+ - '--args=--only=terraform_unused_declarations'
+ - '--args=--only=terraform_comment_syntax'
+ - '--args=--only=terraform_documented_outputs'
+ - '--args=--only=terraform_documented_variables'
+ - '--args=--only=terraform_typed_variables'
+ - '--args=--only=terraform_module_pinned_source'
+ - '--args=--only=terraform_naming_convention'
+ - '--args=--only=terraform_required_version'
+ - '--args=--only=terraform_required_providers'
+ - '--args=--only=terraform_standard_module_structure'
+ - '--args=--only=terraform_workspace_remote'
+ - id: terraform_validate
+ - repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v5.0.0
+ hooks:
+ - id: check-merge-conflict
+ - id: end-of-file-fixer
+ - id: trailing-whitespace
+ - id: mixed-line-ending
+ args: [--fix=lf]
diff --git a/.terraform-version b/.terraform-version
index 31e5c84..3d0e623 100644
--- a/.terraform-version
+++ b/.terraform-version
@@ -1 +1 @@
-1.3.3
+1.11.4
diff --git a/Makefile b/Makefile
deleted file mode 100644
index 546cfd0..0000000
--- a/Makefile
+++ /dev/null
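Review bot: Nothing in this hook set screens commits for credentials, while the same patch lands plaintext secrets in Ansible group_vars (`teleport_auth_token` in group_vars/bastion/teleport.yml, the haproxy userlist `password`). The pre-commit/pre-commit-hooks repo already referenced here ships `detect-private-key` and `detect-aws-credentials`, so adding `- id: detect-private-key` and `- id: detect-aws-credentials` (with `args: ['--allow-missing-credentials']` for machines without an AWS credentials file) under its `hooks:` costs nothing. Separately, `terraform_docs` with `--args=--lockfile=false` only makes sense if `.terraform.lock.hcl` is intentionally kept out of git; see the .gitignore hunk for why committing it is preferable.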
@@ -1,46 +0,0 @@ -default: help - -export PATH := $(PATH):/usr/local/bin -SHELL:=/bin/bash -eu - -# SERVICES = baseline build vpc myapp -KEYPAIR_NAME = iac-aws-key -SERVICES = build vpc myapp -ENV ?= qa -REGION ?= eu-west-1 - -help: ## Show this help. - @fgrep -h "##" $(MAKEFILE_LIST) | fgrep -v fgrep | sed -e 's/\\$$//' | sed -e 's/##//' - -init-tfc: ## Create Organisation and workspaces on TF Cloud - @_tools/scripts/init-tf-cloud.sh - -fmt-global: ## Apply terraform fmt recursively all .tf file - @terraform fmt -recursive - -tf-version-show: ## Show current version in all .terraform-version files - @_tools/scripts/uniformize-tf-version.sh -show - -tf-version-fix: ## Apply the same version in all .terraform-version files - @_tools/scripts/uniformize-tf-version.sh -fix - -.PHONY: install -install: $(SERVICES) ## Install all services in specific order - -.PHONY: ${SERVICES} -${SERVICES}: - @CURDIR=$(shell pwd) - cd $@/$(ENV)/$(REGION) ; make init -# make apply-force - cd $(CURDIR) - -keypair-create: ## Create a new Key Pair in defined AWS Region - @aws ec2 create-key-pair --key-name $(KEYPAIR_NAME) --query 'KeyMaterial' --output text > $(HOME)/.ssh/$(KEYPAIR_NAME).pem --region $(REGION) - @chmod 0600 $(HOME)/.ssh/$(KEYPAIR_NAME).pem - -keypair-delete: ## Delete the Key Pair in defined AWS Region - @aws ec2 delete-key-pair --key-name $(KEYPAIR_NAME) --region $(REGION) - @rm -f $(HOME)/.ssh/$(KEYPAIR_NAME).pem - -keypair-display: ## Display existing Key Pair in defined AWS Region - @aws ec2 describe-key-pairs --key-name $(KEYPAIR_NAME) --region $(REGION) \ No newline at end of file diff --git a/README.md b/README.md index 76fd78e..4d406bc 100644 --- a/README.md +++ b/README.md 
@@ -1,23 +1,45 @@ # IAC AWS -## Services +This repository manage the following infrastructure on AWS: + +- Build VPC / subnets on single or multi-region +- Build a Nat Gateway or HA-Nat Gateway +- Build a Bastion EC2 with packer +- Build a complete EKS +- Build a Vault on EC2. + +## Requirements -### VPC networking +- terraform +- jq +- git +- curl +- helm +- [terraform-docs](https://github.com/terraform-docs/) +- tfenv +- python3 +- [uv](https://docs.astral.sh/uv/) -We create a VPC-build (VPC+subnet) to create and manage AMIs build from packer. +## Terraform Cloud configuration -Also we create a custom VPC for the application and these sub-resources. -- 1 public subnet per AZ -- 1 private subnet per AZ -- 1 Internet Gateway -- 1 Route Table public +Read the [documentation](./_docs/howto-terraform-cloud.md). -### Nat Gateway +## Terraform Version + +Define your current version of Terraform in __./.terraform-version__ +And use the following command to uniformize the terraform version for all existing services. + +```shell +task init:tf:check +``` -You can configure one single NAT or multi-NAT (one NAT by subnet) -By default, one single NAT is defined for all AZs. If you activate it, that build one NAT Gateway on each AZs. +## Taskfiles (Go-task) -Inside file __vpc/_terraform/variables.tf__ , the variable __one_nat_gateway_per_az__ can change that. Of course, the variable can be overload per env in the __terraform.auto.tfvars__ file +We use here the [go-task](https://taskfile.dev/) for wrap all commands (terraform, jq, helm, and scripts) +A global file at the root of the project : __./TaskFile.yml__ +All tasks are defined in the subfolder: __\_tools/taskfiles/*.yml__. + +## Services ## Terraform Cloud usage 
@@ -25,15 +47,12 @@ Inside file __vpc/_terraform/variables.tf__ , the variable __one_nat_gateway_per 1. create a new key pair on [AWS Console](https://eu-west-1.console.aws.amazon.com/ec2/v2/home?region=eu-west-1#KeyPairs:) and use 'iac-aws-key' like key name -2. - Host : bastion.qa..domain.com Username : admin - ## Tree Structure for tools/libraries -``` +```txt _tools ├── ansible │ ├── playbooks @@ -51,7 +70,7 @@ _tools ## Minimum structure for one service -``` +```txt vpc ├── qa │ ├── eu-west-1 @@ -74,7 +93,8 @@ vpc ## Packer and AMIs building For some services, inside __packer__ folder, you can build AMIs from different ISO based OS (Debian / CentOS). -``` + +```shell # Validate or inspect ./packer.sh validate ./pacher.sh inspect @@ -84,33 +104,23 @@ For some services, inside __packer__ folder, you can build AMIs from different I # With argument -local ./pacher.sh -local -debug -``` + +```shell Provisioning is done with Ansible. +``` ## Usage > At first for using a new service, we need to initialise terraform, to generate needed links for terraform then use : -``` + +```shell make init ``` after that, you can launch a plan -``` + +```shell make plan make apply # or make apply-force ``` - -## TODO - -- [X] Implement module gandi-dns : up to date AWS NS inside Gandi Zone -- [ ] Secure (SSH) instances : modify SG, ssh_port, and packer build -- [ ] Implement boundary -- [X] : bastion - - [X] rewrite role_policy - - [X] : bastion module : fix ipaddress re-assign - - [ ] : bastion module : add KMS encryption -- [X] : terraform lambda + apigateway inside VPC - - [ ] : lambda layer nodejs -- [ ] : eks - - [ ] : terraform module for nodes group diff --git a/TODO.md b/TODO.md new file mode 100644 index 0000000..a25453c --- /dev/null +++ b/TODO.md 
@@ -0,0 +1,23 @@
+# TODO
+
+- [X] Convert Makefile into go-task files
+ - [X] Implement all terraform commands
+ - [ ] Implement all helm commands
+ - [ ] Implement all packer commands
+- [X] Refacto service baseline
+- [X] Refacto service build
+- [X] Refacto service vpc
+- [ ] Refacto service lambda
+- [X] Terraform module gandi-dns
+- [ ] Secure (SSH) instances : modify SG, ssh_port, and packer build
+- [ ] Implement boundary
+- [ ] EKS evolutions
+ - [ ] Set karpenter plugin
+ - [ ] Set auto-mode nodes
+ - [ ] : terraform module for nodes group
+- [X] : bastion
+ - [X] rewrite role_policy
+ - [X] : bastion module : fix ipaddress re-assign
+ - [ ] : bastion module : add KMS encryption
+- [X] : terraform lambda + apigateway inside VPC
+ - [ ] : lambda layer nodejs
diff --git a/Taskfile.yml b/Taskfile.yml
new file mode 100644
index 0000000..fee8647
--- /dev/null
+++ b/Taskfile.yml
@@ -0,0 +1,6 @@
+version: "3"
+
+includes:
+ global:
+ taskfile: ./_tools/taskfiles/global.yml
+ flatten: true
\ No newline at end of file
diff --git a/_docs/how-to-terraform-cloud.md b/_docs/how-to-terraform-cloud.md
deleted file mode 100644
index 191e1e6..0000000
--- a/_docs/how-to-terraform-cloud.md
+++ /dev/null
@@ -1,19 +0,0 @@
-# IAC
-
-## Setup organization and workspaces Terraform Cloud
-```
-#> make init-tf
-```
-
-This script (_tools/scripts/tfcloud.sh) create an organization , based on informations defined inside __./organizations.json__ file.
-It update all needed _backend.tf to match the organization field.
-Also, create all workspaces defined by each
-
-# Setup ENVIRONMENT in Terraform Cloud
-
-for each workspaces, you must set these 2 variables :
-
-**AWS_ACCESS_KEY_ID**
-**AWS_SECRET_ACCESS_KEY**
-
-don't forget to enable checkbox for sensitive data option
\ No newline at end of file
diff --git a/_docs/howto-iam-awsume.md b/_docs/howto-iam-awsume.md
new file mode 100644
index 0000000..59673b0
--- /dev/null
+++ b/_docs/howto-iam-awsume.md
@@ -0,0 +1,7 @@
+# AWSume
+
+The tool [awsume](https://awsu.me/) is used to provided temporary session on AWS.
+
+## Configuration
+
+[https://awsu.me/general/aws-file-configuration.html](https://awsu.me/general/aws-file-configuration.html)
diff --git a/_docs/howto-terraform-cloud.md b/_docs/howto-terraform-cloud.md
new file mode 100644
index 0000000..952b11f
--- /dev/null
+++ b/_docs/howto-terraform-cloud.md
@@ -0,0 +1,27 @@
+# Terraform Cloud configuration
+
+At fist, you need to login on Terraform Cloud: __terraform login__ to retrieve a fresh token.
+
+Setup as your need the file : __./organization.json__ at the root of project.
+it contains the organization's name of TFC, the mail's owner, and define all the different environments.
+
+## Initialisation
+
+Launch the TFC init task:
+
+```shell
+task tfc-init
+```
+
+This script (_tools/scripts/tfc-manage.py) create an organization based on informations defined in __./organizations.json__ file.
+It also update all needed: __\_backend.tf__ to match the organization field.
+Also, create one workspace by service (and per region if exist).
+
+## Configuration of environments variables
+
+You must define 2 variables for the project:
+
+- __AWS_ACCESS_KEY_ID__
+- __AWS_SECRET_ACCESS_KEY__
+
+Both are type: env variables and are sensitives.
diff --git a/_docs/howto-vpc.md b/_docs/howto-vpc.md
new file mode 100644
index 0000000..85c561d
--- /dev/null
+++ b/_docs/howto-vpc.md
@@ -0,0 +1,17 @@ +# VPC + +We create a VPC-build (VPC+subnet) to create and manage AMIs build from packer. + +Also we create a custom VPC for the application and these sub-resources. + +- 1 public subnet per AZ +- 1 private subnet per AZ +- 1 Internet Gateway +- 1 Route Table public + +## Nat Gateway + +You can configure one single NAT or multi-NAT (one NAT by subnet) +By default, one single NAT is defined for all AZs. If you activate it, that build one NAT Gateway on each AZs. + +Inside file __vpc/_terraform/variables.tf__ , the variable __one_nat_gateway_per_az__ can change that. Of course, the variable can be overload per env in the __terraform.auto.tfvars__ file diff --git a/_tools/ansible/ansible.cfg b/_tools/ansible/ansible.cfg index 265f627..714eb9f 100644 --- a/_tools/ansible/ansible.cfg +++ b/_tools/ansible/ansible.cfg @@ -1,8 +1,6 @@ [defaults] nocows = True -roles_path = ./roles -inventory = ./inventory - +roles_path = ./playbooks/roles:./galaxy/roles remote_tmp = $HOME/.ansible/tmp local_tmp = $HOME/.ansible/tmp pipelining = True @@ -11,7 +9,6 @@ host_key_checking = False deprecation_warnings = False callback_whitelist = profile_tasks interpreter_python = auto - hash_behaviour = merge -;vault_password_file = $HOME/.ansible/mediaserver-vault.secret \ No newline at end of file +;vault_password_file = $HOME/.ansible/mediaserver-vault.secret diff --git a/_tools/ansible/ansible.sh b/_tools/ansible/ansible.sh new file mode 100755 index 0000000..7a8904c --- /dev/null +++ b/_tools/ansible/ansible.sh @@ -0,0 +1,13 @@ +#!/usr/bin/env bash + +export PIP_DISABLE_PIP_VERSION_CHECK=1 +export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES +export CRYPTOGRAPHY_DONT_BUILD_RUST=1 + +ANSIBLE_CONFIG="${ANSIBLE_CONFIG:-./ansible.cfg}" +export ANSIBLE_CONFIG + +# shellcheck disable=SC1090 +source ~/.venv/bin/activate + +ANSIBLE_FORCE_COLOR=1 ANSIBLE_LOAD_CALLBACK_PLUGINS=1 PYTHONUNBUFFERED=1 ansible-playbook "$@" 
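Review bot: `host_key_checking = False` is carried unchanged into the new configuration, so every ansible-playbook run accepts whatever SSH host key the far end presents, and a host that is impersonated or intercepted on the path receives everything the play pushes, including the teleport join token this patch adds to group_vars. This is pre-existing, but the refactor that rewrites roles_path and drops the inventory default is the moment to fix it: set `host_key_checking = True` and supply known host keys via ~/.ssh/known_hosts or the inventory (for freshly built EC2 hosts the fingerprint is available from the instance console output). In the second hunk, `callback_whitelist` is the deprecated spelling of `callbacks_enabled`; rename it while the file is being touched.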
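Review bot: `source ~/.venv/bin/activate` has no error handling, so when the venv is absent the script prints an error and then runs whichever `ansible-playbook` is first on PATH with the exported flags, which is easy to miss in CI output. Add `set -euo pipefail` after the shebang so a failing `source` aborts the run, and make the venv location overridable the way ANSIBLE_CONFIG already is: `VENV_DIR="${VENV_DIR:-$HOME/.venv}"` followed by `source "$VENV_DIR/bin/activate"`. The existing `# shellcheck disable=SC1090` still applies to the dynamic path.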
diff --git a/_tools/ansible/galaxy/requirements.yml b/_tools/ansible/galaxy/requirements.yml new file mode 100644 index 0000000..18cbc00 --- /dev/null +++ b/_tools/ansible/galaxy/requirements.yml 
@@ -0,0 +1,61 @@ +#------------------------------------------------------------ +# RedHat +#------------------------------------------------------------ +# - src: 'https://github.com/ansible-lockdown/RHEL8-CIS' +# version: '1.3.0' +# scm: 'git' + +# - src: 'https://github.com/ansible-lockdown/RHEL7-CIS' +# version: '1.1.0' +# scm: 'git' + +#------------------------------------------------------------ +# Ubuntu +#------------------------------------------------------------ +- src: 'https://github.com/ansible-lockdown/UBUNTU22-CIS' + version: 'main' + scm: 'git' + +# - src: 'https://github.com/ansible-lockdown/UBUNTU20-CIS' +# version: '1.1.0' +# scm: 'git' + +# - src: 'https://github.com/ansible-lockdown/UBUNTU18-CIS' +# version: '1.3.0' +# scm: 'git' + +#------------------------------------------------------------ +# Amazon2023 +#------------------------------------------------------------ +- src: 'https://github.com/ansible-lockdown/AMAZON2023-CIS' + version: '1.2.3' + scm: 'git' + +#------------------------------------------------------------ +# Debian +#------------------------------------------------------------ +- src: 'https://github.com/ansible-lockdown/DEBIAN12-CIS' + version: '1.0.1' + scm: 'git' + +#------------------------------------------------------------ +# Windows +#------------------------------------------------------------ +# - src: 'https://github.com/ansible-lockdown/Windows-2016-CIS' +# version: '1.2.1' +# scm: 'git' + +# - src: 'https://github.com/ansible-lockdown/Windows-2019-CIS' +# version: '1.1.1' +# scm: 'git' + +#------------------------------------------------------------ +# Others +#------------------------------------------------------------ +# - src: 'https://github.com/star3am/ansible-role-win_openssh' +# version: 'ssh-playbook-test' +# scm: 'git' + +# - src: 'https://github.com/elastic/ansible-elasticsearch' +# version: 'v7.17.0' +# scm: 'git' 
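Review bot: `ansible-lockdown/UBUNTU22-CIS` is pinned to `version: 'main'`, a moving branch, while the AMAZON2023-CIS and DEBIAN12-CIS entries are pinned to release tags; a hardening role that runs as root on the bastion should not float, because whatever lands on that branch is installed unreviewed at the next `ansible-galaxy install`. Pin it like its neighbours, `version: '<RELEASE_TAG>'`, or to a commit SHA. Since these roles come from git rather than Galaxy, `scm: 'git'` performs no signature or checksum verification, so the pin is the only integrity control in this file.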
diff --git a/_tools/ansible/playbooks/bastion.yml b/_tools/ansible/playbooks/bastion.yml index 8ae039e..c4a241d 100644 --- a/_tools/ansible/playbooks/bastion.yml +++ b/_tools/ansible/playbooks/bastion.yml @@ -1,13 +1,12 @@ - hosts: bastion become: true - become_method: sudo - become_user: root remote_user: "{{ ansible_user | default('debian') }}" roles: - - apt - - secure-ssh - - aws-cli - - attach-eip - - dehydrated + - ansible-packages + - ansible-awscli + - ansible-teleport + # - secure-ssh + # - attach-eip + # - dehydrated vars: - service_name: "{{ SERVICE }}" \ No newline at end of file + service_name: "{{ SERVICE }}" diff --git a/_tools/ansible/playbooks/group_vars/all/apt.yml b/_tools/ansible/playbooks/group_vars/all/apt.yml deleted file mode 100644 index 30004a7..0000000 --- a/_tools/ansible/playbooks/group_vars/all/apt.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -apt_common_packages: - - sysstat - - jq - - git - - dnsutils \ No newline at end of file diff --git a/_tools/ansible/playbooks/group_vars/all/packages.yml b/_tools/ansible/playbooks/group_vars/all/packages.yml new file mode 100644 index 0000000..43684a7 --- /dev/null +++ b/_tools/ansible/playbooks/group_vars/all/packages.yml @@ -0,0 +1,6 @@ +--- +pkg_common: + - sysstat + - jq + - git + - dnsutils diff --git a/_tools/ansible/playbooks/group_vars/bastion/apt.yml b/_tools/ansible/playbooks/group_vars/bastion/apt.yml deleted file mode 100644 index aa38053..0000000 --- a/_tools/ansible/playbooks/group_vars/bastion/apt.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -# apt_specific_packages: -# - mysql-client-core-5.7 \ No newline at end of file diff --git a/_tools/ansible/playbooks/group_vars/bastion/packages.yml b/_tools/ansible/playbooks/group_vars/bastion/packages.yml new file mode 100644 index 0000000..17b4116 --- /dev/null +++ b/_tools/ansible/playbooks/group_vars/bastion/packages.yml @@ -0,0 +1,3 @@ +--- +# pkg_specific: +# - mysql-client-core-5.7 
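Review bot: The `secure-ssh` role is commented out rather than replaced, so the bastion keeps whatever SSH defaults the image ships, and the CIS roles declared in galaxy/requirements.yml are downloaded but not applied by this play either (they may be applied elsewhere, but nothing visible here does); the new TODO.md still lists "Secure (SSH) instances" as open. Until teleport-based access is confirmed to supersede SSH hardening, keep `- secure-ssh` active or add the relevant CIS role to `roles:`. Give the three parked roles a one-line reason so the next reader knows whether they are dead or pending, e.g. `# attach-eip / dehydrated disabled: <REASON>`.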
diff --git a/_tools/ansible/playbooks/group_vars/bastion/teleport.yml b/_tools/ansible/playbooks/group_vars/bastion/teleport.yml new file mode 100644 index 0000000..6e52aec --- /dev/null +++ b/_tools/ansible/playbooks/group_vars/bastion/teleport.yml @@ -0,0 +1,3 @@ +--- +teleport_auth_servers: "auth.example.com:3025" +teleport_auth_token: "abc-xyz" diff --git a/_tools/ansible/playbooks/group_vars/haproxy/haproxy.yml b/_tools/ansible/playbooks/group_vars/haproxy/haproxy.yml index dfc226d..1cdfb3c 100644 --- a/_tools/ansible/playbooks/group_vars/haproxy/haproxy.yml +++ b/_tools/ansible/playbooks/group_vars/haproxy/haproxy.yml @@ -5,7 +5,7 @@ haproxy_daemon_enabled: no haproxy_nb_proc: '__HAPROXY_NB_PROC__' haproxy_cpu_map: '__HAPROXY_CPU_MAP__' haproxy_logs_enabled: true -haproxy_unique_id_header: X-PHENIX-TRACE-ID +haproxy_unique_id_header: X-ORG-TRACE-ID haproxy_global_vars: - 'ca-base /etc/ssl/certs' - 'crt-base /etc/ssl/private' @@ -22,8 +22,8 @@ haproxy_resolvers: resolve_retry_timeout: '1s' resolve_hold_valid: '10s' haproxy_userlists: - - name: 'phenix_users' - user: 'phenix' + - name: 'my_users' + user: 'user' password: 'b4o/FoDV' haproxy_frontends: - name: 'http' 
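Review bot: `teleport_auth_token: "abc-xyz"` places a node join token in plaintext group_vars; even if this value is a placeholder, the file is the slot where the real token will be written and committed, and a valid join token is sufficient to enrol a node into the cluster. Store it with ansible-vault (the commented `vault_password_file` line in ansible.cfg shows the intended mechanism) or read it at run time, e.g. `teleport_auth_token: "{{ lookup('env', 'TELEPORT_AUTH_TOKEN') }}"`, and leave only a comment here naming the source. If `teleport_auth_servers: "auth.example.com:3025"` is also a placeholder, say so on the line.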
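Review bot: The userlist rename leaves `password: 'b4o/FoDV'` as a plaintext HTTP basic-auth credential committed in group_vars, now under a generic name that will be copied as-is into new environments. Move the value into an ansible-vault variable, and check how the haproxy role renders `password:`: HAProxy's userlist `password` keyword expects a crypt/SHA-512 hash while `insecure-password` takes plaintext, so if the role emits `password` this short literal may not authenticate as intended (the role's template is not visible here). The rename is also incomplete: `realm: 'Phenix HTTP Auth'` in the next hunk keeps the old organisation name.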
@@ -37,19 +37,19 @@ haproxy_frontends: - name: 'acl-forwarded-http' rule: 'hdr_reg(x-forwarded-proto) -i ^http$' - name: 'acl-origin' - rule: 'hdr_reg(host) -i ^[^\.]*\-origin[\.a-z]*\.wearephenix.com\.[\.a-z]*$' + rule: 'hdr_reg(host) -i ^[^\.]*\-origin[\.a-z]*\.example.com\.[\.a-z]*$' - name: 'acl-apex-com' - rule: 'hdr_reg(host) -i ^[^\.]*\.wearephenix\.com$' + rule: 'hdr_reg(host) -i ^[^\.]*\.example\.com$' - name: 'acl-admin' - rule: 'hdr_reg(host) -i ^admin[^\.]*[\.a-z]*\.wearephenix\.com$' + rule: 'hdr_reg(host) -i ^admin[^\.]*[\.a-z]*\.example\.com$' - name: 'acl-api' - rule: 'hdr_reg(host) -i ^api[^\.]*[\.a-z]*\.wearephenix\.com$' + rule: 'hdr_reg(host) -i ^api[^\.]*[\.a-z]*\.example\.com$' - name: 'acl-webapp' - rule: 'hdr_reg(host) -i ^webapp[^\.]*[\.a-z]*\.wearephenix\.com$' + rule: 'hdr_reg(host) -i ^webapp[^\.]*[\.a-z]*\.example\.com$' - name: 'acl-app' - rule: 'hdr_reg(host) -i ^app[^\.]*[\.a-z]*\.wearephenix\.com$' + rule: 'hdr_reg(host) -i ^app[^\.]*[\.a-z]*\.example\.com$' http_basic_auth: - - user_list: 'phenix_users' + - user_list: 'my_users' realm: 'Phenix HTTP Auth' default_backend: 'eks-ingress' captures: @@ -81,7 +81,7 @@ haproxy_backends: - name: 'eks-ingress' mode: 'http' add_headers: - - header: 'x-phenix-trace-id' + - header: 'x-org-trace-id' value: '%ID' servers: - name: 'eks-internal-lb' diff --git a/_tools/ansible/playbooks/inventory/all.yaml b/_tools/ansible/playbooks/inventory/all.yaml new file mode 100644 index 0000000..ac4e33b --- /dev/null +++ b/_tools/ansible/playbooks/inventory/all.yaml @@ -0,0 +1,7 @@ +--- +ungrouped: + hosts: + 127.0.0.1: +bastion: + hosts: + 127.0.0.1: diff --git a/_tools/ansible/playbooks/inventory/sandbox.yml b/_tools/ansible/playbooks/inventory/sandbox.yml deleted file mode 100644 index 03d5763..0000000 --- a/_tools/ansible/playbooks/inventory/sandbox.yml +++ /dev/null 
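Review bot: In the rewritten `acl-origin` rule the domain is written `\.example.com\.` with the dot between `example` and `com` unescaped, unlike the other five rewritten rules that use `\.example\.com`; as a regex metacharacter it matches any single character, so the origin ACL is looser than the apex/admin/api/webapp/app ACLs next to it. Change the line to `rule: 'hdr_reg(host) -i ^[^\.]*\-origin[\.a-z]*\.example\.com\.[\.a-z]*$'`. The removed line had the same unescaped dot, so this is a carried-over slip rather than a regression, but the search-and-replace was the moment to catch it.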
@@ -1,18 +0,0 @@ ---- -all: - vars: - ansible_become: true - ansible_user: 'vagrant' - k3s_use_docker: true - k3s_no_traefik: true - k3s_write_kubeconfig_mode: '644' - k3s_become_for_all: true - apt_specific_packages: - - python-jmespath - - python3-pip -k3s_nodes: - hosts: - k3s: - ansible_connection: 'local' - k3s_flannel_interface: enp0s8 - k3s_control_node: true diff --git a/_tools/ansible/roles/ansible-awscli/defaults/main.yml b/_tools/ansible/roles/ansible-awscli/defaults/main.yml new file mode 100644 index 0000000..1657b9c --- /dev/null +++ b/_tools/ansible/roles/ansible-awscli/defaults/main.yml @@ -0,0 +1,2 @@ +# Define the base URI for AWScli +awscli_base_uri: "https://awscli.amazonaws.com/" diff --git a/_tools/ansible/roles/ansible-awscli/tasks/main.yml b/_tools/ansible/roles/ansible-awscli/tasks/main.yml new file mode 100644 index 0000000..b2e2794 --- /dev/null +++ b/_tools/ansible/roles/ansible-awscli/tasks/main.yml @@ -0,0 +1,32 @@ +--- +# Source: https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html + +- name: Remove AWSCli package. + ansible.builtin.package: + name: + - awscli + state: absent + +- name: Install package dependencies. + ansible.builtin.package: + name: + - unzip + state: present + +- name: Download and unarchive the bundle. + ansible.builtin.unarchive: + src: '{{ awscli_base_uri }}awscli-exe-{{ ansible_system | lower }}-{{ ansible_architecture }}.zip' + dest: /tmp + remote_src: yes + register: awscli_download_bundle + +- name: Install package. + ansible.builtin.command: /tmp/aws/install -i /usr/local/aws-cli -b /usr/local/bin --update + register: awscli_installed + when: awscli_download_bundle.changed + +- name: Remove downloaded archive. + ansible.builtin.file: + path: /tmp/aws + state: absent + when: awscli_installed.changed diff --git a/_tools/ansible/roles/ansible-packages/defaults/main.yml b/_tools/ansible/roles/ansible-packages/defaults/main.yml new file mode 100644 index 0000000..e888068 --- /dev/null 
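Review bot: The "Download and unarchive the bundle." task in roles/ansible-awscli/tasks/main.yml fetches an unversioned zip with no `checksum` and unpacks it into the shared `/tmp`, after which "Install package." executes `/tmp/aws/install` as the play's privileged user; a pre-existing `/tmp/aws` owned by another local user, or a tampered download, would be run as-is. Pin a release and its published SHA-256 (AWS also ships a detached `.sig` for each bundle that can be verified before unpacking), download into a private directory from `ansible.builtin.tempfile`, and run the installer from there. `awscli_download_bundle.changed` on an `unarchive` with a URL `src` may report changed on every run — confirm, since it drives the install and cleanup steps. Rewritten tasks below; the placeholder digest must be replaced with the value published for the chosen release.
```yaml
# … unchanged: "Remove AWSCli package." and "Install package dependencies." tasks …

- name: Create a private working directory for the bundle.
  ansible.builtin.tempfile:
    state: directory
    suffix: awscli
  register: awscli_tmp

- name: Download the bundle.
  ansible.builtin.get_url:
    url: '{{ awscli_base_uri }}awscli-exe-{{ ansible_system | lower }}-{{ ansible_architecture }}.zip'
    dest: '{{ awscli_tmp.path }}/awscli.zip'
    # EXPECTED_SHA256 is a placeholder: pin the digest published for the chosen release.
    checksum: 'sha256:EXPECTED_SHA256'
    mode: '0600'
  register: awscli_download_bundle

- name: Unarchive the bundle.
  ansible.builtin.unarchive:
    src: '{{ awscli_tmp.path }}/awscli.zip'
    dest: '{{ awscli_tmp.path }}'
    remote_src: yes

- name: Install package.
  ansible.builtin.command: '{{ awscli_tmp.path }}/aws/install -i /usr/local/aws-cli -b /usr/local/bin --update'
  register: awscli_installed
  when: awscli_download_bundle.changed

- name: Remove the working directory.
  ansible.builtin.file:
    path: '{{ awscli_tmp.path }}'
    state: absent
```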
+++ b/_tools/ansible/roles/ansible-packages/defaults/main.yml @@ -0,0 +1,4 @@ +--- +pkg_dependencies: [] +pkg_common: [] +pkg_specific: [] diff --git a/_tools/ansible/roles/ansible-packages/tasks/main.yml b/_tools/ansible/roles/ansible-packages/tasks/main.yml new file mode 100644 index 0000000..4802909 --- /dev/null +++ b/_tools/ansible/roles/ansible-packages/tasks/main.yml @@ -0,0 +1,11 @@ +--- +- name: Packages update + ansible.builtin.package: + name: "*" + state: latest + update_cache: yes + +- name: install all needed packages + ansible.builtin.package: + name: "{{ pkg_dependencies + pkg_common + pkg_specific }}" + state: present diff --git a/_tools/ansible/roles/ansible-teleport/README.md b/_tools/ansible/roles/ansible-teleport/README.md new file mode 100644 index 0000000..f90d51b --- /dev/null +++ b/_tools/ansible/roles/ansible-teleport/README.md 
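Review bot: `name: "*"` with `state: latest` in the "Packages update" task of roles/ansible-packages/tasks/main.yml performs an unconditional full-system upgrade on every run, so the role is never idempotent and can replace kernels and libraries on hosts it was only meant to provision; gate it behind an opt-in, `when: pkg_upgrade_all | default(false) | bool`, or reduce the task to a cache refresh. The second task concatenates three lists that all default to `[]` in defaults/main.yml, so with defaults unchanged it hands an empty list to `package`, whose behaviour then depends on the backend; a `when: (pkg_dependencies + pkg_common + pkg_specific) | length > 0` guard makes it explicit. Task names also mix capitalisation (`Packages update` vs `install all needed packages`).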
@@ -0,0 +1,133 @@ +ansible-role-teleport +========= + +Ansible role to install [Teleport Access Plane](https://goteleport.com/docs/getting-started/) on a Linux server. + +Requirements +------------ +Each server has its role. Mainly there are 3 roles : auth, proxy, node. Please see [Teleport Architecture Overview](https://goteleport.com/docs/architecture/overview/) + +For proxy node, please provide your own SSL certificate and key file. Place it under `/var/lib/teleport/webproxy_cert.pem` and `/var/lib/teleport/webproxy_key.pem`. Otherwise self-signed certificate will be used. Please make sure `openssl` package is installed. + +Role Variables +-------------- + +These variables are based on [this documentation](https://goteleport.com/docs/setup/reference/config/). + +Node name that will be registered on auth server. By default it will use the hostname of the server. + + teleport_nodename: "{{ ansible_fqdn }}" + +Predefined token for node to connect to auth server + + teleport_auth_token: "xxx-changeme-xxx" + +The IP or domain of the auth servers + + teleport_auth_servers: + - 127.0.0.1:3025 + +Where to store logs + + teleport_log_path: "/var/lib/teleport/teleport.log" + +Possible severity values are INFO, WARN and ERROR (default). + + teleport_log_level: "ERROR" + +Configuration for the storage back-end used for the cluster state and the audit log. +By default teleport uses the `data_dir` directory on a local filesystem + + teleport_storage_type: "dir" + +Turns 'auth' role on. true or false + + teleport_auth_enabled: false + +A cluster name is used as part of a signature in certificates generated by this CA. +We strongly recommend explicitly setting it to something meaningful as it becomes important when configuring trust between multiple clusters. 
+IMPORTANT: if you change cluster_name, it will invalidate all generated +certificates and keys (may need to wipe out /var/lib/teleport directory) + + teleport_auth_cluster_name: "main" + +Second_factor can be off, otp, or u2f + + teleport_auth_second_factor: "off" + +This section is used if second_factor is set to 'u2f' +Public address of the Teleport proxy, _including_ the `https://` prefix. If you use a port number other than 443, include it as well. `app_id` must never change in the lifetime of the cluster. + + teleport_u2f_app_id: "https://localhost:3080" + +List of allowed addresses of the Teleport proxy checked during authentication attempts. This list is used to prevent malicious websites and proxies from requesting U2F challenges on behalf of the legitimate proxy. + + teleport_u2f_facets: + - https://localhost:3080 + - https://localhost + +IP and the port to bind to. Other Teleport nodes will be connecting to this port (AKA "Auth API" or "Cluster API") to validate client certificates. + + teleport_auth_listen_address: "0.0.0.0:3025" + +Pre-defined tokens for adding new nodes to a cluster. Each token specifies the role a new node will be allowed to assume. The more secure way to add nodes is to use `tctl nodes add --ttl` command to generate auto-expiring tokens. + + teleport_auth_tokens_node: [] + teleport_auth_tokens_proxy: [] + teleport_auth_tokens_auth: [] + + +Optional setting for configuring session recording. Possible values are: + - "node" : sessions will be recorded on the node level (the default) + - "proxy" : recording on the proxy level, see [Recording Proxy Mode](https://goteleport.com/docs/architecture/proxy/#recording-proxy-mode). + "off" : session recording is turned off + +``` +teleport_session_recording: "node" +``` + +Determines if SSH sessions to cluster nodes are forcefully terminated after no activity from a client (idle client). Examples: "30m", "1h" or "1h30m" + + teleport_client_idle_timeout: "never" + +Set labels to nodes. 
By default it uses Ansible group name. + + teleport_ssh_labels: '{{ hostvars[inventory_hostname].group_names[0] }}' + +Turns 'proxy' role on. true or false + + teleport_proxy_enabled: false + +The HTTPS listen address to serve the Web UI and also to authenticate the command line (CLI) users via password+HOTP. Also handles the PostgreSQL proxy if database access is enabled. + + teleport_proxy_web_listen_address: "0.0.0.0:3080" + +Dependencies +------------ +None. + +Example Playbook +---------------- + +Example playbook for node servers. + + - hosts: node + vars: + teleport_auth_servers: "auth.example.com:3025" + teleport_auth_token: "abc-xyz" + roles: + - { role: roboticpuppies.teleport} + +After you deploy an auth server, you must create your first Teleport user only in auth server. For example you can use this command to create user with username `teleport-admin` with roles `editor,access` and is allowed to log into SSH hosts as any of the principals `root`, `ubuntu` or `ec2-user` + +``` +tctl users add teleport-admin --roles=editor,access --logins=root,ubuntu,ec2-user +``` +You will be provided an URL to set that user's password. + +Please see Teleport [getting started guide](https://goteleport.com/docs/getting-started/linux-server/) + +Author Information +------------------ + +This role was created in 2021 by [M. Syaifuddin K.](https://msyaifuddin.my.id) \ No newline at end of file diff --git a/_tools/ansible/roles/ansible-teleport/defaults/main.yml b/_tools/ansible/roles/ansible-teleport/defaults/main.yml new file mode 100644 index 0000000..7a155ff --- /dev/null +++ b/_tools/ansible/roles/ansible-teleport/defaults/main.yml 
@@ -0,0 +1,53 @@ +--- + +# Teleport package state; use `present` to make sure it's installed, or `latest` +# if you want to upgrade or switch versions using a new repo. +teleport_packages_state: present +teleport_packages: teleport +teleport_repo_url: "https://rpm.releases.teleport.dev/teleport.repo" + +teleport_service: teleport +teleport_state: started +teleport_enabled: "yes" + +teleport_configuration_path: "/etc/teleport.yaml" + +teleport_nodename: "{{ ansible_fqdn }}" +teleport_data_dir: "/var/lib/teleport" + +teleport_auth_token: "xxx-changeme-xxx" +teleport_auth_servers: + - 127.0.0.1:3025 + +teleport_log_path: "/var/lib/teleport/teleport.log" +teleport_log_level: "ERROR" + +teleport_storage_type: "dir" +teleport_dynamodb_continuous_backups: false +teleport_dynamodb_auto_scaling: false + +teleport_auth_enabled: false +teleport_auth_cluster_name: "main" +teleport_auth_second_factor: "off" +teleport_u2f_app_id: "https://localhost:3080" +teleport_u2f_facets: + - https://localhost:3080 + - https://localhost + +teleport_auth_listen_address: "0.0.0.0:3025" +teleport_auth_tokens_node: [] +teleport_auth_tokens_proxy: [] +teleport_auth_tokens_auth: [] + +teleport_session_recording: "node" +teleport_proxy_checks_host_keys: yes +teleport_client_idle_timeout: "never" + +teleport_ssh_enabled: true +teleport_ssh_listen_address: "0.0.0.0:3022" +teleport_ssh_labels: '{{ hostvars[inventory_hostname].group_names[0] }}' + +teleport_proxy_enabled: false +teleport_proxy_listen_address: "0.0.0.0:3023" +teleport_proxy_web_listen_address: "0.0.0.0:3080" +teleport_proxy_tunnel_listen_address: "0.0.0.0:3024" diff --git a/_tools/ansible/roles/ansible-teleport/handlers/main.yml b/_tools/ansible/roles/ansible-teleport/handlers/main.yml new file mode 100644 index 0000000..155c6a9 --- /dev/null +++ b/_tools/ansible/roles/ansible-teleport/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: restart teleport + service: + name: "{{ teleport_service }}" + state: restarted 
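Review bot: `teleport_auth_second_factor: "off"` in roles/ansible-teleport/defaults/main.yml is a weaker default than Teleport's own, which is `otp`, and it is what every auth server gets when a play does not override it; prefer `teleport_auth_second_factor: "otp"` with a comment, `# "off" disables MFA for the whole cluster; set it explicitly, never by default.` `teleport_auth_token: "xxx-changeme-xxx"` is rendered into the node's configuration verbatim when a play forgets to set it, so a pre-task assert such as `that: teleport_auth_token != "xxx-changeme-xxx"` fails early instead of leaving a node that cannot join. `teleport_enabled: "yes"` and `teleport_proxy_checks_host_keys: yes` mix quoted and bare booleans; the plain `true` form is the conventional one for values fed to `systemd`.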
diff --git a/_tools/ansible/roles/ansible-teleport/tasks/configure.yml b/_tools/ansible/roles/ansible-teleport/tasks/configure.yml new file mode 100644 index 0000000..6764d37 --- /dev/null +++ b/_tools/ansible/roles/ansible-teleport/tasks/configure.yml @@ -0,0 +1,6 @@ +--- +- name: Configure Teleport. + ansible.builtin.template: + src: teleport.yaml.j2 + dest: /etc/teleport.yaml + notify: restart teleport diff --git a/_tools/ansible/roles/ansible-teleport/tasks/main.yml b/_tools/ansible/roles/ansible-teleport/tasks/main.yml new file mode 100644 index 0000000..65b31fe --- /dev/null +++ b/_tools/ansible/roles/ansible-teleport/tasks/main.yml @@ -0,0 +1,14 @@ +--- +# Setup/install tasks. +- include_tasks: "setup-{{ ansible_os_family }}.yml" + +# Configure tasks. +- include_tasks: "configure.yml" + +- name: Ensure Teleport has selected state and enabled on boot. + ansible.builtin.systemd: + name: "{{ teleport_service }}" + state: "{{ teleport_state }}" + enabled: "{{ teleport_enabled }}" + when: ansible_virtualization_type != "docker" + diff --git a/_tools/ansible/roles/ansible-teleport/tasks/setup-Debian.yml b/_tools/ansible/roles/ansible-teleport/tasks/setup-Debian.yml new file mode 100644 index 0000000..2264add --- /dev/null +++ b/_tools/ansible/roles/ansible-teleport/tasks/setup-Debian.yml @@ -0,0 +1,18 @@ +--- +- name: Add Teleport apt key. + ansible.builtin.apt_key: + url: https://deb.releases.teleport.dev/teleport-pubkey.asc + state: present + +- name: Add Teleport repository. + ansible.builtin.apt_repository: + repo: deb https://deb.releases.teleport.dev/ stable main + state: present + +- name: Update apt cache. + ansible.builtin.apt: update_cache=yes + +- name: Ensure Teleport is installed in Debian. + ansible.builtin.apt: + name: "{{ teleport_packages }}" + state: "{{ teleport_packages_state }}" 
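Review bot: The `template` task in tasks/configure.yml writes `/etc/teleport.yaml`, which carries `auth_token` and any join tokens, without `owner`, `group` or `mode`, so the rendered file takes the remote umask and is typically world-readable; add `owner: root`, `group: root`, `mode: '0600'` to the task. The destination is also hard-coded although defaults/main.yml defines `teleport_configuration_path: "/etc/teleport.yaml"`; use `dest: "{{ teleport_configuration_path }}"` so the variable is not dead.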
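Review bot: `apt_key` with only `url` and `state` in tasks/setup-Debian.yml adds the Teleport signing key to the global trusted keyring, where it validates packages from every configured repository rather than Teleport's alone; pass `keyring: /usr/share/keyrings/teleport.gpg` to `apt_key` and bind it in the repo line, `repo: deb [signed-by=/usr/share/keyrings/teleport.gpg] https://deb.releases.teleport.dev/ stable main`. The key is fetched over HTTPS but its fingerprint is not pinned; `apt_key` takes `id:` for that, with the fingerprint copied from Teleport's documentation (a placeholder until then). `ansible.builtin.apt: update_cache=yes` uses key=value shorthand while the rest of the role uses YAML mappings.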
diff --git a/_tools/ansible/roles/ansible-teleport/tasks/setup-RedHat.yml b/_tools/ansible/roles/ansible-teleport/tasks/setup-RedHat.yml new file mode 100644 index 0000000..8739e04 --- /dev/null +++ b/_tools/ansible/roles/ansible-teleport/tasks/setup-RedHat.yml @@ -0,0 +1,18 @@ +--- +# - name: Add Teleport repository. +# command: yum-config-manager --add-repo https://rpm.releases.teleport.dev/teleport.repo +# - name: Add Teleport repository. +# yum_repository: +# name: Teleport Repository +# baseurl: https://rpm.releases.teleport.dev/teleport.repo +# description: "Teleport Access Plane repository for RHEL" + +- name: Add Teleport repository. + ansible.builtin.get_url: + url: https://rpm.releases.teleport.dev/teleport.repo + dest: /etc/yum.repos.d/teleport.repo + +- name: Ensure Teleport is installed in RHEL. + ansible.builtin.package: + name: "{{ teleport_packages }}" + state: "{{ teleport_packages_state }}" diff --git a/_tools/ansible/roles/ansible-teleport/templates/teleport.yaml.j2 b/_tools/ansible/roles/ansible-teleport/templates/teleport.yaml.j2 new file mode 100644 index 0000000..48ec801 --- /dev/null +++ b/_tools/ansible/roles/ansible-teleport/templates/teleport.yaml.j2 
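Review bot: The commented-out `yum-config-manager` and `yum_repository` attempts at the top of tasks/setup-RedHat.yml are dead text in a brand-new file; git history already preserves the alternatives, so drop them or replace them with one line, `# Teleport publishes a .repo file; fetch it directly instead of yum_repository.` The `get_url` task that writes /etc/yum.repos.d/teleport.repo sets no `mode` or `owner`, so the file inherits the umask; `mode: '0644'` and `owner: root` state the intent.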
@@ -0,0 +1,90 @@ +teleport: + nodename: {{ teleport_nodename }} + + data_dir: {{ teleport_data_dir }} + + auth_token: {{ teleport_auth_token }} + auth_servers: + {% for auth_server in teleport_auth_servers %} + - {{ auth_server }} + {% endfor %} + + connection_limits: + max_connections: 1000 + max_users: 250 + + log: + output: {{ teleport_log_path }} + severity: {{ teleport_log_level }} + format: + output: text + extra_fields: [level, timestamp, component, caller] + + storage: + type: {{ teleport_storage_type }} + audit_events_uri: ['file:///var/lib/teleport/log'] + {% if teleport_storage_type == "DynamoDB" %} + continuous_backups: {{ teleport_dynamodb_continuous_backups }} + auto_scaling: {{ teleport_dynamodb_auto_scaling }} + {% endif %} + +auth_service: +{% if teleport_auth_enabled == true %} + enabled: "yes" + cluster_name: {{ teleport_auth_cluster_name }} + authentication: + type: local + second_factor: {{ teleport_auth_second_factor }} +{% if teleport_auth_second_factor == "u2f" %} + u2f: + app_id: {{ teleport_u2f_app_id }} + facets: + {% for facet in teleport_u2f_facets %} + - {{ facet }} + {% endfor %} +{% endif %} + listen_addr: {{ teleport_auth_listen_address }} + +{% if teleport_auth_tokens_node|length > 0 or teleport_auth_tokens_proxy|length > 0 or teleport_auth_tokens_auth|length > 0 %} + tokens: + {% for token in teleport_auth_tokens_node %} + - "node:{{ token }}" + {% endfor %} + {% for token in teleport_auth_tokens_proxy %} + - "proxy:{{ token }}" + {% endfor %} + {% for token in teleport_auth_tokens_auth %} + - "auth:{{ token }}" + {% endfor %} +{% endif %} + + session_recording: {{ teleport_session_recording }} + {% if teleport_session_recording == "proxy" %} + proxy_checks_host_keys: {{ teleport_proxy_checks_host_keys }} + {% endif %} + + client_idle_timeout: {{ teleport_client_idle_timeout }} + + {% else %} + enabled: "no" + {% endif %} + +ssh_service: +{% if teleport_ssh_enabled == true %} + enabled: "yes" + listen_addr: {{ 
teleport_ssh_listen_address }} + labels: + group: {{ teleport_ssh_labels }} +{% else %} + enabled: "no" +{% endif %} + +proxy_service: +{% if teleport_proxy_enabled == true %} + enabled: "yes" + listen_addr: {{ teleport_proxy_listen_address }} + web_listen_addr: {{ teleport_proxy_web_listen_address }} + tunnel_listen_addr: {{ teleport_proxy_tunnel_listen_address }} +{% else %} + enabled: "no" +{% endif %} diff --git a/_tools/ansible/roles/ansible-teleport/vars/main.yml b/_tools/ansible/roles/ansible-teleport/vars/main.yml new file mode 100644 index 0000000..47ce10a --- /dev/null +++ b/_tools/ansible/roles/ansible-teleport/vars/main.yml @@ -0,0 +1,2 @@ +--- +# vars file for roboticpuppies.teleport diff --git a/_tools/ansible/roles/apt/defaults/main.yml b/_tools/ansible/roles/apt/defaults/main.yml deleted file mode 100644 index 5bd3670..0000000 --- a/_tools/ansible/roles/apt/defaults/main.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -apt_dependencies: - - python-apt - -apt_common_packages: [] -apt_specific_packages: [] diff --git a/_tools/ansible/roles/apt/tasks/main.yml b/_tools/ansible/roles/apt/tasks/main.yml deleted file mode 100644 index 9ffdc51..0000000 --- a/_tools/ansible/roles/apt/tasks/main.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -- name: APT update - apt: update_cache=yes force=yes - -- name: install apt packages - apt: - name: "{{ apt_dependencies + apt_common_packages + apt_specific_packages }}" - state: present diff --git a/_tools/ansible/roles/aws-cli/.yamllint b/_tools/ansible/roles/aws-cli/.yamllint deleted file mode 100644 index 2dbb779..0000000 --- a/_tools/ansible/roles/aws-cli/.yamllint +++ /dev/null 
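Review bot: `{% if teleport_storage_type == "DynamoDB" %}` in the storage block of templates/teleport.yaml.j2 compares against a mixed-case literal while Teleport's storage `type` value is the lowercase `dynamodb`, so `continuous_backups` and `auto_scaling` are never emitted for a correctly configured backend; compare with `{% if teleport_storage_type | lower == "dynamodb" %}`. The `auth_service`, `ssh_service` and `proxy_service` guards use `== true`, which is false when the value arrives as the string `"true"` from an inventory or `-e`; `{% if teleport_auth_enabled | bool %}` handles both. The Jinja control tags are indented with spaces inside YAML mappings, which leaves whitespace-only lines in the output; `trim_blocks`/`lstrip_blocks` or column-0 tags keep the rendered file clean.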
@@ -1,36 +0,0 @@ ---- -# Based on ansible-lint config -extends: default - -# skip_list: -# - no-changed-when - -rules: - braces: - max-spaces-inside: 1 - level: error - brackets: - max-spaces-inside: 1 - level: error - colons: - max-spaces-after: -1 - level: error - commas: - max-spaces-after: -1 - level: error - comments: disable - comments-indentation: disable - document-start: disable - empty-lines: - max: 3 - level: error - hyphens: - level: error - indentation: disable - key-duplicates: enable - line-length: disable - new-line-at-end-of-file: disable - new-lines: - type: unix - trailing-spaces: disable - truthy: disable diff --git a/_tools/ansible/roles/aws-cli/defaults/main.yml b/_tools/ansible/roles/aws-cli/defaults/main.yml deleted file mode 100644 index 7463015..0000000 --- a/_tools/ansible/roles/aws-cli/defaults/main.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -AWSCLI_OS: linux -AWSCLI_URL: https://awscli.amazonaws.com/awscli-exe-{{ AWSCLI_OS }} - -BINARY_DIR: /usr/local/bin -INSTALL_DIR: /usr/local/aws-cli \ No newline at end of file diff --git a/_tools/ansible/roles/aws-cli/molecule/default/converge.yml b/_tools/ansible/roles/aws-cli/molecule/default/converge.yml deleted file mode 100644 index 3129500..0000000 --- a/_tools/ansible/roles/aws-cli/molecule/default/converge.yml +++ /dev/null @@ -1,19 +0,0 @@ ---- -- name: Converge - hosts: all - - tasks: - - name: Apt cache update - apt: - update_cache: true - cache_valid_time: 3600 - when: ansible_os_family == 'Debian' - - - name: Yum cache update - yum: - update_cache: true - when: ansible_os_family == 'RedHat' - - - name: "Include aws-cli role" - include_role: - name: "aws-cli" diff --git a/_tools/ansible/roles/aws-cli/molecule/default/molecule.yml b/_tools/ansible/roles/aws-cli/molecule/default/molecule.yml deleted file mode 100644 index 8b586fb..0000000 --- a/_tools/ansible/roles/aws-cli/molecule/default/molecule.yml +++ /dev/null 
@@ -1,21 +0,0 @@ ---- -dependency: - name: galaxy -driver: - name: docker -lint: | - set -e - yamllint . - ansible-lint -platforms: - - name: instance - image: geerlingguy/docker-${MOLECULE_DISTRO:-centos8}-ansible:latest - command: "" - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:ro - privileged: true - pre_build_image: true -provisioner: - name: ansible -verifier: - name: ansible diff --git a/_tools/ansible/roles/aws-cli/molecule/default/verify.yml b/_tools/ansible/roles/aws-cli/molecule/default/verify.yml deleted file mode 100644 index 27d8679..0000000 --- a/_tools/ansible/roles/aws-cli/molecule/default/verify.yml +++ /dev/null @@ -1,18 +0,0 @@ ---- -# This is an example playbook to execute Ansible tests. - -- name: Verify - hosts: all - gather_facts: false - tasks: - - - name: Launch aws version - command: /usr/local/bin/aws --version - ignore_errors: yes - changed_when: false - register: result - - - name: Check aws version - assert: - that: - - result.stdout is regex("aws-cli/\w+") diff --git a/_tools/ansible/roles/aws-cli/tasks/main.yml b/_tools/ansible/roles/aws-cli/tasks/main.yml deleted file mode 100644 index 45af7aa..0000000 --- a/_tools/ansible/roles/aws-cli/tasks/main.yml +++ /dev/null @@ -1,35 +0,0 @@ ---- -- name: AWSCli dependencies - package: - name: ["python3", "unzip"] - state: present - -- name: Create URL for ARM64 - set_fact: - url_download: "{{ AWSCLI_URL }}-aarch64.zip" - when: ansible_architecture == 'arm64' - -- name: Create URL for x86_64 - set_fact: - url_download: "{{ AWSCLI_URL }}-x86_64.zip" - when: ansible_architecture == 'x86_64' - -- name: Debug - debug: - msg: "{{ url_download }}" - -- name: awscli download - get_url: - url: "{{ url_download }}" - dest: /tmp/awscliv2.zip - mode: 0600 - -- name: awscli unarchive - unarchive: - remote_src: yes - src: /tmp/awscliv2.zip - dest: /tmp - -- name: awscli install - command: /tmp/aws/install --bin-dir {{ BINARY_DIR }} --install-dir {{ INSTALL_DIR }} --update - changed_when: false 
diff --git a/_tools/packer/Dockerfile b/_tools/packer/Dockerfile deleted file mode 100644 index b86283d..0000000 --- a/_tools/packer/Dockerfile +++ /dev/null @@ -1,38 +0,0 @@ -# See Makefile for building and usage. - -# https://hub.docker.com/_/python/ -# https://hub.docker.com/_/alpine/ - -ARG PYTHON_IMAGE=python:3.9.5-alpine -FROM ${PYTHON_IMAGE} AS generator -ARG USER=10011001 -LABEL maintainer="Tyler Tidman " -WORKDIR /tmp/ -COPY requirements.txt /tmp/ -RUN pip install -r requirements.txt -COPY generate_template.py /tmp/ -USER ${USER} -ENTRYPOINT ["python", "./generate_template.py"] -CMD ["--os_name=all"] - -FROM alpine:edge AS fetcher -ARG PACKER_VERSION=1.7.2 -LABEL maintainer="Tyler Tidman " -WORKDIR /tmp/ -USER ${USER} -RUN wget https://releases.hashicorp.com/packer/${PACKER_VERSION}/packer_${PACKER_VERSION}_linux_amd64.zip && \ - unzip packer_${PACKER_VERSION}_linux_amd64.zip - -FROM alpine:edge AS builder -LABEL maintainer="Tyler Tidman " -WORKDIR /tmp/ -COPY --from=fetcher /tmp/packer /usr/local/bin -USER ${USER} -ENV BUILDER=vbox -ENV CHECKPOINT_DISABLE=1 -ENV OS_NAME=debian -ENV OS_VERSION=10_buster -ENV PACKER_CACHE_DIR=packer_cache_dir -ENV TEMPLATE=base-uefi -ENV TEMPLATE_DIR=templates -# ENTRYPOINT ["packer", "build", "-only=${BUILDER}", "-force", "${BUILD_OPTS}", "${TEMPLATE_DIR}/${OS_NAME}/${OS_VERSION}/${TEMPLATE}.json"] \ No newline at end of file diff --git a/_tools/packer/Makefile b/_tools/packer/Makefile deleted file mode 100644 index 1596607..0000000 --- a/_tools/packer/Makefile +++ /dev/null 
@@ -1,92 +0,0 @@ -SHELL := /usr/bin/env bash - -# BUILDER should be 'vbox' or 'qemu' -# BUILD_OPTS and GEN_OPTS should be undefined unless needed - -BUILDER ?= vbox -BUILD_OPTS ?= -GEN_OPTS ?= -OS_NAME ?= debian -OS_VERSION ?= 10_buster -PACKER ?= packer -PACKER_CACHE_DIR ?= packer_cache -PYTHON ?= python -TEMPLATE ?= base-uefi -VENV_DIR ?= .venv - -# PACKER_CACHE_DIR=packer_cache -# PACKER_CONFIG="${HOME}/.packerconfig" -# PACKER_LOG=1 -# PACKER_LOG_PATH=vbox.log -# PACKER_NO_COLOR=0 -# PACKER_PLUGIN_MAX_PORT=25000 -# PACKER_PLUGIN_MIN_PORT=10000 -# PACKER_TMP_DIR=/tmp/packer.d -# TMPDIR=/tmp - -BUILD_DIR ?= build -SOURCE_DIR ?= source -TEMPLATE_DIR ?= template - -.SUFFIXES: -.SUFFIXES: .yaml .preseed .vagrant .json .iso .ova .box - -.PRECIOUS: .yaml .preseed .vagrant - -.PHONY: all -all: build - -ACTIVATE = $(VENV_DIR)/bin/activate -.PHONY: requirements -requirements: - @test -d $(VENV_DIR) || $(PYTHON) -m venv $(VENV_DIR) && \ - source $(ACTIVATE) && \ - $(PYTHON) -m pip install --requirement requirements_bare.txt && \ - $(PYTHON) -m pip freeze > requirements.txt && \ - rm -rf $(VENV_DIR) - -.PHONY: generator builder -generator builder: Dockerfile requirements.txt generate_template.py - @docker build \ - --build-arg USER=$(shell id -u) \ - --file Dockerfile \ - --tag $@ \ - --target $@ \ - . 
- -$(TEMPLATE_DIR): generator - @mkdir -p $(PWD)/$(TEMPLATE_DIR) && \ - docker run \ - --interactive \ - --rm \ - --volume $(PWD)/$(SOURCE_DIR):/tmp/$(SOURCE_DIR) \ - --volume $(PWD)/$(TEMPLATE_DIR):/tmp/$(TEMPLATE_DIR) \ - generator $(GEN_OPTS) - -.PHONY: build -build: $(TEMPLATE_DIR) - @CHECKPOINT_DISABLE=1 PACKER_CACHE_DIR=$(PACKER_CACHE_DIR) \ - $(PACKER) build \ - $(BUILD_OPTS) \ - -only=$(BUILDER) \ - -force \ - $(TEMPLATE_DIR)/$(OS_NAME)/$(OS_VERSION)/$(TEMPLATE).json - -# .PHONY: build -# build: builder $(TEMPLATE_DIR) -# @docker run \ -# --interactive \ -# --rm \ -# --volume $(PWD)/$(BUILD_DIR):/tmp/$(BUILD_DIR) \ -# --volume $(PWD)/$(PACKER_CACHE_DIR):/tmp/$(PACKER_CACHE_DIR) \ -# --volume $(PWD)/$(TEMPLATE_DIR):/tmp/$(TEMPLATE_DIR) \ -# builder $(BUILD_OPTS) - -.PHONY: clean -clean: - @rm -rf $(TEMPLATE_DIR) $(BUILD_DIR) && \ - rm -rf Vagrantfile .vagrant - -.PHONY: reallyclean -reallyclean: clean - @rm -rf $(PACKER_CACHE_DIR) \ No newline at end of file diff --git a/_tools/packer/_packer.sh b/_tools/packer/_packer.sh index 89c0d09..108a47f 100755 --- a/_tools/packer/_packer.sh +++ b/_tools/packer/_packer.sh 
@@ -1,201 +1,291 @@ #!/usr/bin/env bash set -e -o pipefail -set +x +# set -x + +# declare colors +RED="\e[31m" +GREEN="\e[32m" +YELLOW="\e[33m" +MAGENTA="\e[35m" +CYAN="\e[36m" +# Reset all colors +RESET="\e[0m" -# functions info() { - printf "\r\033[00;35m$1\033[0m\n" + printf "\r${MAGENTA}%s${RESET}\n" "$1" +} + +msg() { + printf "\r%s=${CYAN}%s${RESET}\n" "$1" "$2" } success() { - printf "\r\033[00;32m$1\033[0m\n" + printf "\r${GREEN}%s${RESET}\n" "$1" } fail() { - printf "\r\033[0;31m$1\033[0m\n" + printf "\r${RED}%s${RESET}\n" "$1" + exit 1 } warm() { - printf "\r\033[0;33m$1\033[0m\n" + printf "\r${YELLOW}%s${RESET}\n" "$1" +} + +_help() +{ + # Display Help + echo "Construction d'une image automatisée pour Jenkins via Packer." + echo "" + echo "Usage: $0 [-h|-v|-d] [--local ]" + echo "--local build_type : type de construction de l'image." + echo " - docker" + echo " construit une image docker pour Jenkins, basé sur AmazonLinux 2023" + echo " - vagrant" + echo " construit une image vagrant pour Jenkins, basé sur AmazonLinux 2023" + echo " - amazon-ebs (par defaut si valeur est vide)" + echo " construit une AMI sur AWS" + echo "" + echo "options:" + echo "-h Affiche cette aide." + echo "-v Affiche packer en mode TRACE." + echo "-d Utilise le mode debug (pas à pas)." + echo } # Check for required tools -declare -a req_tools=("packer" "hcl2json" "sed" "curl" "jq") +declare -a req_tools=( "packer" "hcl2json" "sed" "curl" "jq" "vagrant" ) for tool in "${req_tools[@]}"; do if ! command -v "$tool" > /dev/null; then fail "It looks like '${tool}' is not installed; please install it and run this setup script again." 
- exit 1 fi done -# Variables -SCRIPT_DIR="$(dirname "$(realpath "$0")")" - -PACKER_ONLY="amazon-ebs.source" +# Paths Variables +PACKER_ROOT_DIR="$(dirname "$(realpath "$0")")" PACKER_EXTRA_ARGS="${*}" -PACKER_TEMPLATE_DIR="$SCRIPT_DIR/templates" -PACKER_OUTPUT_FILE="$(pwd)/packer.out" -PACKER_CACHE_DIR="packer_cache" - -VAGRANT_SSH_PRIVATE_KEY="$HOME/.vagrant.d/insecure_private_key" -VAGRANT_BOX_HOME="$HOME/.vagrant.d/boxes" -VAGRANT_BOX_DOWNLOAD="$HOME/.vagrant.d/downloaded" +PACKER_TEMPLATE_DIR="$PACKER_ROOT_DIR/templates" +PACKER_OUTPUT_FILE="$PACKER_ROOT_DIR/packer.out" +# PACKER_CACHE_DIR="packer_cache" +PACKER_BUILD="amazon-ebs.source" +PACKER_CMD_LINE="" -# vagrant check +# shellcheck disable=SC2034 CHECKPOINT_DISABLE=1 +# shellcheck disable=SC2034 VAGRANT_CHECKPOINT_DISABLE=1 +# Vagrant variables +VAGRANT_HOME="$HOME/.vagrant.d" +VAGRANT_SSH_PRIVATE_KEY="$VAGRANT_HOME/insecure_private_key" +VAGRANT_BOX_HOME="$VAGRANT_HOME/boxes" +VAGRANT_BOX_DOWNLOAD="$VAGRANT_HOME/downloaded" +# vagrant check PACKER_VARS_FILE="$(pwd)/packer.auto.pkrvars.hcl" -PACKER_TEMPLATE="$(cat $PACKER_VARS_FILE | hcl2json | jq -r -c .template)" +PACKER_TEMPLATE="$(hcl2json < "$PACKER_VARS_FILE" | jq -r -c .template)" PACKER_TEMPLATE_PATH="${PACKER_TEMPLATE_DIR}/${PACKER_TEMPLATE}" -if [[ ! -d "${PACKER_TEMPLATE_PATH}" ]] ; then +if [ ! 
-d "${PACKER_TEMPLATE_PATH}" ] ; then fail "Incorrect folder for packer templates : ${PACKER_TEMPLATE_PATH}" - exit 1 fi +# Parse remaining options +while getopts ":hvdlocal" option; do + case $option in + h) # display Help + _help + exit;; + v) # packer verbose mode + export PACKER_LOG=1 + echo "==> PACKER_LOG=1" + ;; + d) # packer debug mode + PACKER_EXTRA_ARGS="-debug" + msg "==> PACKER_DEBUG=" "true" + ;; + l) # local build + PACKER_BUILD_TYPE="local" + ;; + *) + continue + ;; + esac +done -# Validate packer -if [ "$1" = "init" ]; then - packer init "${PACKER_TEMPLATE_PATH}" | tee -i "${PACKER_OUTPUT_FILE}" - exit 0 -fi - -# Validate packer -if [ "$1" = "validate" ]; then - packer validate \ - -var-file "$PACKER_VARS_FILE" \ - "${PACKER_TEMPLATE_PATH}" | tee -i "${PACKER_OUTPUT_FILE}" - exit 0 -fi - -# Inspect templates packer -if [ "$1" = "inspect" ]; then - packer validate \ - -var-file="$PACKER_VARS_FILE" \ - "${PACKER_TEMPLATE_PATH}" | tee -i "${PACKER_OUTPUT_FILE}" - exit 0 -fi - -# Build local part -if [ "$1" = "-local" ]; then - - if [ -z "$2" ] || [ "$2" != "qemu" ]; then - - info "==> starting build box" +# Remove the options from the arguments +shift $((OPTIND - 1)) - BOX_NAME="$(cat ${PACKER_TEMPLATE_PATH}/variables.pkr.hcl | hcl2json | jq -r -c .variable.box_name[].default)" - BOX_OS="${BOX_NAME%%/*}" - BOX_DISTRIB="${BOX_NAME##*/}" - PACKER_ONLY="virtualbox-ovf" +# Build local +if [ "$PACKER_BUILD_TYPE" = "local" ]; then - # info "==> packer: BOX_OS=${BOX_OS}" - # info "==> packer: BOX_NAME=${BOX_NAME}" - # info "==> packer: BOX_DISTRIB=${BOX_DISTRIB}" + PROVIDER="$1" + if [ -z "${PROVIDER}" ] ; then + fail "Incorrect provider defined: can be docker/qemu/virtualbox" + fi - # Get some metadata box from cloud repositories - # To find/fix somes URL boxes : try https://app.vagrantup.com/boxes/search - case ${BOX_OS} in - debian) - METADATA=$(curl -s 
https://salsa.debian.org/cloud-team/vagrant-boxes/raw/master/packer-virtualbox-vagrant/virtualbox-"${BOX_DISTRIB%%64}".SHA256SUM) - BOX_CHECKSUM=$(echo "$METADATA" | cut -d' ' -f1) - BOX_VERSION=$(echo "$METADATA" | cut -d' ' -f3) - BOX_FILENAME=$(echo "$METADATA" | cut -d' ' -f2) - BOX_URL="https://app.vagrantup.com/${BOX_OS}/boxes/${BOX_DISTRIB}/versions/${BOX_VERSION}/providers/virtualbox.box" + case "$PROVIDER" in + docker) + PACKER_BUILD="docker.source" + msg "==> Starting build template" "${PACKER_BUILD}" + PACKER_EXTRA_ARGS="-only=${PROVIDER}" ;; - bento | generic | roboxes) - BOX_VERSION="$(cat ${PACKER_TEMPLATE_PATH}/variables.pkr.hcl | hcl2json | jq -r -c .variable.box_version[].default)" - BOX_FILENAME="virtualbox.box" - BOX_URL="https://app.vagrantup.com/${BOX_OS}/boxes/${BOX_DISTRIB}/versions/${BOX_VERSION}/providers/virtualbox.box" - echo "BOX_URL: $BOX_URL" - ;; - ubuntu) - BOX_VERSION="$(jq -r -c .variables.box_version "${PACKER_TEMPLATE_PATH}")" - METADATA=$(curl -s https://cloud-images.ubuntu.com/"${BOX_DISTRIB%%64}"/"${BOX_VERSION}"/SHA256SUMS) - BOX_CHECKSUM=$(echo "$METADATA" | cut -d' ' -f1 | sed -n 5p) - BOX_FILENAME=$(echo "$METADATA" | cut -d' ' -f2 | sed -n 5p) - BOX_FILENAME=${BOX_FILENAME:1} - BOX_URL="https://cloud-images.ubuntu.com/${BOX_DISTRIB%%64}/${BOX_VERSION}/${BOX_FILENAME}" - ;; - esac - - # download box part - BOX_FULLPATH="${VAGRANT_BOX_DOWNLOAD}/${BOX_OS}-VAGRANTSLASH-${BOX_DISTRIB}/${BOX_VERSION}/${BOX_FILENAME}" - BOX_FULLPATH_FOLDER="$(dirname "$BOX_FULLPATH")" - - # Create box folder if it doesn't exist - [ ! -d "$BOX_FULLPATH_FOLDER" ] && mkdir -p "$BOX_FULLPATH_FOLDER" - cd "$BOX_FULLPATH_FOLDER" - - if [ ! -f "$BOX_FULLPATH" ]; then - curl -L "$BOX_URL" -o "$BOX_FILENAME" - else - # box already exist - read -r -p "Replace existing box ? [y/N] : " - case $REPLY in - [yY]) - echo "Ok. let's replace the box" - curl -L "$BOX_URL" -o "$BOX_FILENAME" - ;; - *) - echo "Ok. 
let's keep the current box" + qemu|virtualbox|libvirt) + PACKER_BUILD="$PROVIDER.source" + msg "==> Starting build template" "${PACKER_BUILD}" + + BOX_NAME="$(hcl2json < "${PACKER_TEMPLATE_PATH}/variables.pkr.hcl" | jq -r -c .variable.box_name[].default)" + BOX_OS="${BOX_NAME%%/*}" + BOX_DISTRIB="${BOX_NAME##*/}" + + msg "==> BOX_OS" "${BOX_OS}" + msg "==> BOX_NAME" "${BOX_NAME}" + msg "==> BOX_DISTRIB" "${BOX_DISTRIB}" + + # Get some metadata box from cloud repositories + # To find/fix somes URL boxes : try https://portal.cloud.hashicorp.com/vagrant/discover + case ${BOX_OS} in + debian) + METADATA=$(curl -s https://salsa.debian.org/cloud-team/vagrant-boxes/raw/master/packer-virtualbox-vagrant/virtualbox-"${BOX_DISTRIB%%64}".SHA256SUM) + BOX_CHECKSUM=$(echo "$METADATA" | cut -d' ' -f1) + BOX_VERSION=$(echo "$METADATA" | cut -d' ' -f3) + BOX_FILENAME=$(echo "$METADATA" | cut -d' ' -f2) + BOX_URL="https://app.vagrantup.com/${BOX_OS}/boxes/${BOX_DISTRIB}/versions/${BOX_VERSION}/providers/virtualbox.box" + ;; + bento | generic | roboxes) + BOX_VERSION="$(hcl2json < "${PACKER_TEMPLATE_PATH}/variables.pkr.hcl" | jq -r -c .variable.box_version[].default)" + BOX_FILENAME="$PROVIDER.box" + ## TODO : get architecture from metadata + BOX_URL="https://vagrantcloud.com/${BOX_OS}/boxes/${BOX_DISTRIB}/versions/${BOX_VERSION}/providers/${PROVIDER}/amd64/download/vagrant.box" + ;; + ubuntu) + BOX_VERSION="$(jq -r -c .variables.box_version "${PACKER_TEMPLATE_PATH}")" + METADATA=$(curl -s https://cloud-images.ubuntu.com/"${BOX_DISTRIB%%64}"/"${BOX_VERSION}"/SHA256SUMS) + BOX_CHECKSUM=$(echo "$METADATA" | cut -d' ' -f1 | sed -n 5p) + BOX_FILENAME=$(echo "$METADATA" | cut -d' ' -f2 | sed -n 5p) + BOX_FILENAME=${BOX_FILENAME:1} + BOX_URL="https://cloud-images.ubuntu.com/${BOX_DISTRIB%%64}/${BOX_VERSION}/${BOX_FILENAME}" ;; esac - fi - - # Get checksum from file box if it don't exist yet - [ -z "$BOX_CHECKSUM" ] && BOX_CHECKSUM=$(sha256sum "$BOX_FULLPATH" | cut -d' ' -f1) - - # add box 
into vagrant - cd - &>/dev/null && \ - vagrant box add \ - --force --name "$BOX_NAME" \ - --checksum "$BOX_CHECKSUM" \ - --checksum-type "sha256" \ - "$BOX_FULLPATH" - - VAGRANT_BOX_FOLDER="$(realpath "$VAGRANT_BOX_HOME"/"$BOX_OS"-VAGRANTSLASH-"$BOX_DISTRIB"/0/virtualbox)" - OVF_CHECKSUM="$(sha256sum "$VAGRANT_BOX_FOLDER"/box.ovf | awk '{ print $1}')" - BOX_BASE_MAC="$(sed -n 's/.*base_mac = "\(.*\)"/\1/p' "$VAGRANT_BOX_FOLDER"/Vagrantfile)" - PACKER_ONLY="virtualbox-ovf" - PACKER_EXTRA_ARGS="${*:2}" - - info "==> packer: SSH command: ssh -i ~/.vagrant.d/insecure_private_key -p 62222 vagrant@localhost" - info "==> packer: BOX_VERSION=${BOX_VERSION}" - info "==> packer: BOX_OS=${BOX_OS}" - info "==> packer: BOX_NAME=${BOX_NAME}" - info "==> packer: BOX_FILENAME=${BOX_FILENAME}" - info "==> packer: BOX_DISTRIB=${BOX_DISTRIB}" - info "==> packer: VAGRANT_BOX_FOLDER=${VAGRANT_BOX_FOLDER}" - info "==> packer: BOX_BASE_MAC=${BOX_BASE_MAC}" - info "==> packer: BOX_CHECKSUM=${BOX_CHECKSUM}" - info "==> packer: OVF_CHECKSUM=${OVF_CHECKSUM}" - - else - PACKER_EXTRA_ARGS="${*:3}" - PACKER_ONLY="qemu.debian" - fi -fi -# build image with packer -info "==> packer: PACKER_ONLY=${PACKER_ONLY}" -info "==> packer: PACKER_OUTPUT_FILE=${PACKER_OUTPUT_FILE}" -info "==> packer: PACKER_EXTRA_ARGS=${PACKER_EXTRA_ARGS}" + # download box part + BOX_FULLPATH="${VAGRANT_BOX_DOWNLOAD}/${BOX_OS}-VAGRANTSLASH-${BOX_DISTRIB}/${BOX_VERSION}/${BOX_FILENAME}" + BOX_FULLPATH_FOLDER="$(dirname "$BOX_FULLPATH")" + + msg "==> BOX_VERSION" "${BOX_VERSION}" + msg "==> BOX_URL" "${BOX_URL}" + msg "==> BOX_FULLPATH" "${BOX_FULLPATH}" + + # Create box folder if it doesn't exist + [ ! -d "$BOX_FULLPATH_FOLDER" ] && mkdir -p "$BOX_FULLPATH_FOLDER" + cd "$BOX_FULLPATH_FOLDER" + + # Check if box already exist + if [ ! -f "$BOX_FULLPATH" ]; then + curl -sL "$BOX_URL" -o "$BOX_FILENAME" + else + # box already exist + warm "Box already exist: $BOX_FULLPATH" + read -r -p "Replace existing box ? 
[y/N] : " + case $REPLY in + [yY]) + info "we REPLACE the existing box." + curl -sL "$BOX_URL" -o "$BOX_FILENAME" + ;; + *) + info "we KEEP the existing box." + ;; + esac + fi + + # Get checksum from file box if it don't exist yet + [ -z "$BOX_CHECKSUM" ] && BOX_CHECKSUM=$(sha256sum "$BOX_FULLPATH" | cut -d' ' -f1) + + # add box into vagrant + cd - &>/dev/null && \ + vagrant box add \ + --force \ + --name "$BOX_NAME" \ + --checksum "$BOX_CHECKSUM" \ + --checksum-type "sha256" \ + "$BOX_FULLPATH" + + if [ "$PROVIDER" = "virtualbox" ]; then + VAGRANT_BOX_FOLDER="$(realpath "$VAGRANT_BOX_HOME/$BOX_OS-VAGRANTSLASH-$BOX_DISTRIB/0/$PROVIDER")" + VAGRANT_BOX_FOLDER="$(realpath "$VAGRANT_BOX_HOME/$BOX_OS-VAGRANTSLASH-$BOX_DISTRIB/0/virtualbox")" + OVF_CHECKSUM="$(sha256sum "$VAGRANT_BOX_FOLDER"/box.ovf | awk '{ print $1}')" + BOX_BASE_MAC="$(sed -n 's/.*base_mac = "\(.*\)"/\1/p' "$VAGRANT_BOX_FOLDER"/Vagrantfile)" + PACKER_CMD_LINE="-only=virtualbox-ovf.source -var box_folder=${VAGRANT_BOX_FOLDER} -var box_base_mac=${BOX_BASE_MAC} -var box_checksum=${OVF_CHECKSUM} -var vagrant_ssh_private_key=${VAGRANT_SSH_PRIVATE_KEY}" + + msg "==> VAGRANT_BOX_FOLDER" "${VAGRANT_BOX_FOLDER}" + msg "==> BOX_BASE_MAC" "${BOX_BASE_MAC}" + msg "==> OVF_CHECKSUM" "${OVF_CHECKSUM}" + else + VAGRANT_BOX_FOLDER="$(realpath "$VAGRANT_BOX_HOME/$BOX_OS-VAGRANTSLASH-$BOX_DISTRIB/0/libvirt")" + IMG_CHECKSUM="$(sha256sum "$VAGRANT_BOX_FOLDER"/box.img | awk '{ print $1}')" + PACKER_CMD_LINE="-only=qemu.source -var box_folder=${VAGRANT_BOX_FOLDER} -var box_checksum=${IMG_CHECKSUM} -var vagrant_ssh_private_key=${VAGRANT_SSH_PRIVATE_KEY}" + + msg "==> VAGRANT_BOX_FOLDER" "${VAGRANT_BOX_FOLDER}" + msg "==> IMG_CHECKSUM" "${IMG_CHECKSUM}" + fi + + # Display vagrant box information + msg "==> SSH command:" "ssh -i ~/.vagrant.d/insecure_private_key -p 62222 vagrant@localhost" + msg "==> VAGRANT_SSH_PRIVATE_KEY" "${VAGRANT_SSH_PRIVATE_KEY}" + + msg "==> BOX_FILENAME" "${BOX_FILENAME}" + msg "==> BOX_CHECKSUM" 
"${BOX_CHECKSUM}" + msg "==> PROVIDER" "${PROVIDER}" + ;; + *) + fail "Incorrect provider defined: can be docker/qemu/virtualbox" + ;; + esac +fi + +# Check if extra args is empty if [ -z "${PACKER_EXTRA_ARGS}" ]; then PACKER_EXTRA_ARGS="--" fi +if [ -n "${PACKER_CMD_LINE}" ]; then + PACKER_EXTRA_ARGS="${PACKER_CMD_LINE} ${PACKER_EXTRA_ARGS} --" +else + PACKER_EXTRA_ARGS="-only=amazon-ebs.source ${PACKER_EXTRA_ARGS} --" +fi + +msg "==> PACKER_VARS_FILE=" "${PACKER_VARS_FILE}" +msg "==> PACKER_TEMPLATE=" "${PACKER_TEMPLATE}" +msg "==> PACKER_TEMPLATE_PATH=" "${PACKER_TEMPLATE_PATH}" + +# build image with packer +msg "==> PACKER_BUILD" "${PACKER_BUILD}" +msg "==> PACKER_OUTPUT_FILE" "${PACKER_OUTPUT_FILE}" +msg "==> PACKER_EXTRA_ARGS" "${PACKER_EXTRA_ARGS}" + # Initialise packer template packer init "${PACKER_TEMPLATE_PATH}" -packer build -force \ --only="${PACKER_ONLY}" \ --var-file="$PACKER_VARS_FILE" \ --var "box_folder=${VAGRANT_BOX_FOLDER}" \ --var "box_base_mac=${BOX_BASE_MAC}" \ --var "box_checksum=${OVF_CHECKSUM}" \ --var "vagrant_ssh_private_key=${VAGRANT_SSH_PRIVATE_KEY}" \ -"${PACKER_EXTRA_ARGS}" \ -"${PACKER_TEMPLATE_PATH}" | tee -i "${PACKER_OUTPUT_FILE}" +# PACKER_CMD_LINE="packer build -force \ +# -var-file="$PACKER_VARS_FILE" \ +# -var "box_folder=${VAGRANT_BOX_FOLDER}" \ +# -var "box_base_mac=${BOX_BASE_MAC}" \ +# -var "box_checksum=${OVF_CHECKSUM}" \ +# -var "vagrant_ssh_private_key=${VAGRANT_SSH_PRIVATE_KEY}" \ +# ${PACKER_EXTRA_ARGS} \ +# ${PACKER_TEMPLATE_PATH} | tee -i ${PACKER_OUTPUT_FILE}" + +# -var "box_folder=${VAGRANT_BOX_FOLDER}" \ +# -var "box_base_mac=${BOX_BASE_MAC}" \ +# -var "box_checksum=${OVF_CHECKSUM}" \ +# -var "vagrant_ssh_private_key=${VAGRANT_SSH_PRIVATE_KEY}" \ + +# echo "packer build -force -var-file=$PACKER_VARS_FILE ${PACKER_EXTRA_ARGS} ${PACKER_TEMPLATE_PATH}" +# | tee -i "${PACKER_OUTPUT_FILE}" + +if packer validate -var-file "$PACKER_VARS_FILE" ${PACKER_TEMPLATE_PATH} ; then + # shellcheck disable=SC2086 + # echo "packer 
build -force -var-file=${PACKER_VARS_FILE} ${PACKER_EXTRA_ARGS} ${PACKER_TEMPLATE_PATH} | tee -i ${PACKER_OUTPUT_FILE}"
+ packer build -force -var-file=${PACKER_VARS_FILE} ${PACKER_EXTRA_ARGS} ${PACKER_TEMPLATE_PATH} | tee -i "${PACKER_OUTPUT_FILE}"
+fi
diff --git a/_tools/packer/all/amazonlinux-2023.pkr.hcl b/_tools/packer/all/amazonlinux-2023.pkr.hcl
new file mode 120000
index 0000000..232aa50
--- /dev/null
+++ b/_tools/packer/all/amazonlinux-2023.pkr.hcl
@@ -0,0 +1 @@
+../linux/amazonlinux/amazonlinux-2023.pkr.hcl
\ No newline at end of file
diff --git a/_tools/packer/all/debian-bookworm.pkr.hcl b/_tools/packer/all/debian-bookworm.pkr.hcl
new file mode 120000
index 0000000..4ccce36
--- /dev/null
+++ b/_tools/packer/all/debian-bookworm.pkr.hcl
@@ -0,0 +1 @@
+../linux/debian/debian-bookworm.pkr.hcl
\ No newline at end of file
diff --git a/_tools/packer/all/plugins.pkr.hcl b/_tools/packer/all/plugins.pkr.hcl
new file mode 100644
index 0000000..5707333
--- /dev/null
+++ b/_tools/packer/all/plugins.pkr.hcl
@@ -0,0 +1,28 @@
+packer {
+ required_plugins {
+ docker = {
+ version = ">= 1.0.1"
+ source = "github.com/hashicorp/docker"
+ }
+ vagrant = {
+ source = "github.com/hashicorp/vagrant"
+ version = "~> 1"
+ }
+ amazon = {
+ source = "github.com/hashicorp/amazon"
+ version = "~> 1"
+ }
+ ansible = {
+ source = "github.com/hashicorp/ansible"
+ version = "~> 1"
+ }
+ # azure = {
+ # source = "github.com/hashicorp/azure"
+ # version = "~> 1"
+ # }
+ # googlecompute = {
+ # source = "github.com/hashicorp/googlecompute"
+ # version = "~> 1"
+ # }
+ }
+}
diff --git a/_tools/packer/all/ubuntu-2204.pkr.hcl b/_tools/packer/all/ubuntu-2204.pkr.hcl
new file mode 120000
index 0000000..1ddbe4b
--- /dev/null
+++ b/_tools/packer/all/ubuntu-2204.pkr.hcl
@@ -0,0 +1 @@
+../linux/ubuntu/ubuntu-2204.pkr.hcl
\ No newline at end of file
diff --git a/_tools/packer/all/variables.pkr.hcl b/_tools/packer/all/variables.pkr.hcl
new file mode 120000
index 0000000..fd60b53
--- /dev/null
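Review bot: The docker plugin is declared with `version = ">= 1.0.1"`, an open-ended constraint, while vagrant, amazon and ansible use the pessimistic `~> 1`; `packer init` will therefore pull any future docker plugin major release, so builds are not reproducible between runs and a breaking or unexpected release is picked up silently. Use the same constraint for all four, `version = "~> 1"`, or pin exact versions. Nothing in this file records what `packer init` actually resolved, so it would also help to note in the repo which plugin versions the CI image was validated with.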
+++ b/_tools/packer/all/variables.pkr.hcl
@@ -0,0 +1 @@
+../variables.pkr.hcl
\ No newline at end of file
diff --git a/_tools/packer/linux/amazonlinux/amazonlinux-2023.pkr.hcl b/_tools/packer/linux/amazonlinux/amazonlinux-2023.pkr.hcl
new file mode 100644
index 0000000..9691dfc
--- /dev/null
+++ b/_tools/packer/linux/amazonlinux/amazonlinux-2023.pkr.hcl
@@ -0,0 +1,163 @@
+#--------------------------------------
+# Amazon EBS
+#--------------------------------------
+source "amazon-ebs" "amazonlinux-2023" {
+ source_ami_filter {
+ filters = {
+ name = "al2023-ami-2023*"
+ architecture = "x86_64"
+ }
+ owners = ["099720109477"]
+ most_recent = true
+ }
+
+ ami_name = format("amazonlinux-2023-%s-%s-%s", var.service, var.role, legacy_isotime("2006-01-02T15-04-05"))
+ ami_description = format("amazonlinux-2023-%s-%s", var.service, var.role)
+
+ encrypt_boot = true
+ force_delete_snapshot = true
+ force_deregister = true
+ kms_key_id = var.aws_kms_key_id
+
+ region = var.aws_region
+ instance_type = var.aws_instance_type
+ ssh_username = "ec2-user"
+
+ vpc_filter {
+ filters = {
+ "tag:Name" = var.aws_vpc_name
+ }
+ }
+ subnet_filter {
+ filters = {
+ "tag:Name" = var.aws_subnet_name
+ }
+ most_free = true
+ random = true
+ }
+
+ security_group_filter {
+ filters = {
+ "tag:Name" : var.aws_security_group_filter
+ }
+ }
+
+ run_tags = {
+ Project = var.project_name
+ Env = var.project_env
+ Name = format("Packer Builder %s", var.service)
+ ci = var.project_ci
+ git = var.project_git
+ owner = var.project_owner
+ osBase = "amazonlinux-2023"
+ }
+
+ tags = {
+ Project = var.project_name
+ Env = var.project_env
+ Name = format("%s-%s", var.service, var.role)
+ Role = var.role
+ Service = var.service
+ ci = var.project_ci
+ git = var.project_git
+ owner = var.project_owner
+ osBase = "amazonlinux-2023"
+ }
+}
+
+#--------------------------------------
+# Vagrant
+#--------------------------------------
+source "vagrant" "amazonlinux-2023" {
+ source_path = "bento/amazonlinux-2023"
+ template = "${path.root}/../../packer/linux/ubuntu/templates/amazonlinux-2023/Vagrantfile.tpl"
+ provider = "virtualbox"
+ teardown_method = "suspend"
+ skip_package = true
+ communicator = "ssh"
+ box_name = "amazonlinux-2023"
+ ssh_username = "vagrant"
+ output_dir = "${var.build_directory}/amazonlinux-2023/vagrant"
+}
+
+#--------------------------------------
+# Docker
+#--------------------------------------
+source "docker" "amazonlinux-2023" {
+ image = "amazonlinux:2023"
+ commit = true
+ privileged = true
+ tmpfs = ["/run"]
+ volumes = {
+ "/sys/fs/cgroup/" : "/sys/fs/cgroup:ro"
+ }
+ changes = [
+ "ENTRYPOINT /lib/systemd/systemd"
+ ]
+}
+
+# a build block invokes sources and runs provisioning steps on them. The
+# documentation for build blocks can be found here:
+# https://www.packer.io/docs/templates/hcl_templates/blocks/build
+build {
+ sources = [
+ "source.docker.amazonlinux-2023",
+ "source.vagrant.amazonlinux-2023",
+ "source.amazon-ebs.amazonlinux-2023"
+ ]
+
+ provisioner "shell" {
+ inline = ["sleep 20"]
+ only = ["amazon-ebs"]
+ }
+
+ provisioner "shell" {
+ scripts = [
+ "${path.root}/../scripts/bootstrap.sh"
+ ]
+ }
+
+ provisioner "ansible-local" {
+ playbook_file = var.playbook_file
+ playbook_dir = "${path.root}/../../ansible"
+ group_vars = "${path.root}/../../ansible/playbooks/group_vars"
+ role_paths = [
+ "${path.root}/../../ansible/roles",
+ "${path.root}/../../ansible/galaxy/roles"
+ ]
+ inventory_groups = [
+ var.inventory_groups
+ ]
+ extra_arguments = [
+ "-vvv",
+ "--extra-vars", "\"SERVICE=${var.service}\""
+ ]
+ }
+
+ # provisioner "ansible" {
+ # command = "./scripts/ansible.sh"
+ # user = "${build.User}"
+ # extra_arguments = [
+ # #"-v",
+ # "--extra-vars", "foo=bar"
+ # ]
+ # ansible_ssh_extra_args = [
+ # "-o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa"
+ # ]
+ # host_alias = "none"
+ # playbook_file = "../../ansible/galaxy/roles/AMAZON2023-CIS/site.yml"
+ # only = ["vagrant.ubuntu-2204", "azure-arm.ubuntu-2204", "googlecompute.ubuntu-2204"]
+ # }
+
+ provisioner "shell-local" {
+ inline = ["curl -s https://api.ipify.org/?format=none"]
+ }
+
+ # post-processor "docker-tag" {
+ # // repository = "${var.repository}/jenkins"
+ # tags = [
+ # join("-", var.service, var.os_version)
+ # ]
+ # only = ["docker.amazonlinux-2023"]
+ # }
+}
diff --git a/_tools/packer/linux/amazonlinux/templates/amazonlinux-2023/Vagrantfile.tpl b/_tools/packer/linux/amazonlinux/templates/amazonlinux-2023/Vagrantfile.tpl
new file mode 100644
index 0000000..1364a35
--- /dev/null
+++ b/_tools/packer/linux/amazonlinux/templates/amazonlinux-2023/Vagrantfile.tpl
@@ -0,0 +1,17 @@
+Vagrant.configure("2") do |config|
+ config.vm.define "source", autostart: false do |source|
+ source.vm.box = "bento/amazonlinux-2023"
+ config.ssh.insert_key = false
+ end
+ config.vm.define "output" do |output|
+ output.vm.box = "amazonlinux-2023"
+ output.vm.box_url = "file://package.box"
+ config.ssh.insert_key = false
+ end
+ config.vm.provider :virtualbox do |vb|
+ vb.memory = 1024
+ vb.cpus = 2
+ vb.customize [ "modifyvm", :id, "--uartmode1", "disconnected" ]
+ end
+ config.vm.synced_folder ".", "/vagrant", disabled: true
+end
diff --git a/_tools/packer/linux/debian/debian-bookworm.pkr.hcl b/_tools/packer/linux/debian/debian-bookworm.pkr.hcl
new file mode 100644
index 0000000..a15ea19
--- /dev/null
+++ b/_tools/packer/linux/debian/debian-bookworm.pkr.hcl
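Review bot: The vagrant source's `template` path resolves under `linux/ubuntu/templates/amazonlinux-2023/Vagrantfile.tpl`, but this commit adds that template under `linux/amazonlinux/templates/amazonlinux-2023/`, so the vagrant build cannot find it; use `template = "${path.root}/templates/amazonlinux-2023/Vagrantfile.tpl"` or the equivalent path from `all/`. In `source_ami_filter`, `owners = ["099720109477"]` is Canonical's publisher account, so the `al2023-ami-2023*` filter will match no AMI, and since the owner filter is what stops a look-alike AMI name from an arbitrary account being selected, it should name Amazon's publisher, e.g. `owners = ["amazon"]`; the Debian template in the next hunk carries the same copy-pasted owner. The docker source runs with `privileged = true`, a host cgroup mount and systemd as entrypoint, which gives the build container effectively root on the build host; if that is only needed for the ansible-local provisioner, a comment saying so and scoping it would help. The `shell-local` provisioner calls `https://api.ipify.org/` on every build with nothing consuming the output, which adds an external network dependency and reports the builder's egress address to a third party; the same call appears in the debian-bulleye, debian-buster and ubuntu-1804 hunks.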
@@ -0,0 +1,160 @@
+#--------------------------------------
+# Amazon EBS
+#--------------------------------------
+source "amazon-ebs" "debian-bookworm" {
+ source_ami_filter {
+ filters = {
+ name = "debian-12-amd64*"
+ architecture = "x86_64"
+ }
+ owners = ["099720109477"]
+ most_recent = true
+ }
+
+ ami_name = format("debian-bookworm-%s-%s-%s", var.service, var.role, legacy_isotime("2006-01-02T15-04-05"))
+ ami_description = format("debian-%s-%s", var.service, var.role)
+
+ encrypt_boot = true
+ force_delete_snapshot = true
+ force_deregister = true
+ kms_key_id = var.aws_kms_key_id
+
+ region = var.aws_region
+ instance_type = var.aws_instance_type
+ ssh_username = "debian"
+
+ vpc_filter {
+ filters = {
+ "tag:Name" = var.aws_vpc_name
+ }
+ }
+ subnet_filter {
+ filters = {
+ "tag:Name" = var.aws_subnet_name
+ }
+ most_free = true
+ random = true
+ }
+
+ security_group_filter {
+ filters = {
+ "tag:Name" : var.aws_security_group_filter
+ }
+ }
+
+ run_tags = {
+ Project = var.project_name
+ Env = var.project_env
+ Name = format("Packer Builder %s", var.service)
+ ci = var.project_ci
+ git = var.project_git
+ owner = var.project_owner
+ osBase = "debian-bookworm"
+ }
+
+ tags = {
+ Project = var.project_name
+ Env = var.project_env
+ Name = format("%s-%s", var.service, var.role)
+ Role = var.role
+ Service = var.service
+ SourceAMI = var.source_ami
+ ci = var.project_ci
+ git = var.project_git
+ owner = var.project_owner
+ osBase = "debian-bookworm"
+ }
+}
+
+#--------------------------------------
+# Vagrant
+#--------------------------------------
+source "vagrant" "debian-bookworm" {
+ source_path = "debian/jammy64"
+ template = "linux/debian/templates/debian/bookworm/Vagrantfile.tpl"
+ provider = "virtualbox"
+ teardown_method = "suspend"
+ skip_package = true
+ communicator = "ssh"
+ box_name = "debian-2204"
+ output_dir = "${var.build_directory}/debian-2204/vagrant"
+}
+
+#--------------------------------------
+# Docker
+#--------------------------------------
+source "docker" "debian-bookworm" {
+ image = "debian:bookworm"
+ commit = true
+ privileged = true
+ tmpfs = ["/run"]
+ volumes = {
+ "/sys/fs/cgroup/" : "/sys/fs/cgroup:ro"
+ }
+ changes = [
+ "ENTRYPOINT /lib/systemd/systemd"
+ ]
+}
+
+# a build block invokes sources and runs provisioning steps on them. The
+# documentation for build blocks can be found here:
+# https://www.packer.io/docs/templates/hcl_templates/blocks/build
+build {
+ sources = [
+ "source.docker.debian-bookworm",
+ "source.vagrant.debian-bookworm",
+ "source.amazon-ebs.debian-bookworm"
+ ]
+
+ provisioner "shell" {
+ inline = ["sleep 20"]
+ only = ["amazon-ebs"]
+ }
+
+ provisioner "shell" {
+ scripts = [
+ "${path.root}/../scripts/bootstrap.sh"
+ ]
+ }
+
+ # provisioner "ansible" {
+ # command = "./scripts/ansible.sh"
+ # user = "${build.User}"
+ # extra_arguments = [
+ # #"-v",
+ # "--extra-vars", "foo=bar"
+ # ]
+ # ansible_ssh_extra_args = [
+ # "-o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa"
+ # ]
+ # host_alias = "none"
+ # playbook_file = "../../ansible/galaxy/roles/UBUNTU22-CIS/site.yml"
+ # only = ["vagrant.ubuntu-2204", "azure-arm.ubuntu-2204", "googlecompute.ubuntu-2204"]
+ # }
+
+ provisioner "ansible-local" {
+ playbook_file = var.playbook_file
+ playbook_dir = "${path.root}/../../ansible"
+ group_vars = "${path.root}/../../ansible/playbooks/group_vars"
+ inventory_groups = [var.inventory_groups]
+ role_paths = [
+ "${path.root}/../../ansible/roles",
+ "${path.root}/../../ansible/galaxy/roles"
+ ]
+ # [ var.inventory_groups ]
+ extra_arguments = [
+ "-vvv",
+ "--extra-vars", "\"SERVICE=${var.service}\""
+ ]
+ // extra_arguments = ["-vvvv", "--extra-vars", "\"jenkins_version=${var.jenkins_version}\""]
+ }
+
+
+ # post-processor "docker-tag" {
+ # // repository = "${var.repository}/jenkins"
+ # repository = "jenkins"
+ # tags = ["${var.version}"]
+ # only = ["docker.debian-2204", "azure-arm.ubuntu-2204", "googlecompute.ubuntu-2204"]
+ # }
+}
+
diff --git a/_tools/packer/linux/debian/debian-bulleye.pkr.hcl b/_tools/packer/linux/debian/debian-bulleye.pkr.hcl
new file mode 100644
index 0000000..fb4efcb
--- /dev/null
+++ b/_tools/packer/linux/debian/debian-bulleye.pkr.hcl
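Review bot: The vagrant source still builds from Ubuntu, not Debian: `source_path = "debian/jammy64"`, `box_name = "debian-2204"` and an `output_dir` under `debian-2204`, and the bookworm `Vagrantfile.tpl` added later in this patch boots `ubuntu/jammy64` and names its output `ubuntu-2204`; the bullseye and buster templates have the same Ubuntu leftovers. For a bookworm box the Debian cloud team publishes `debian/bookworm64`, and the names should follow the AMI naming (`debian-bookworm`). In `source_ami_filter`, `owners = ["099720109477"]` is Canonical's account and will not match Debian's `debian-12-amd64*` images; the owner filter needs the Debian publisher account so a same-named image from another account cannot be picked. `template = "linux/debian/templates/debian/bookworm/Vagrantfile.tpl"` is presumably resolved relative to the working directory rather than `${path.root}` as in the amazonlinux template, so it only works when packer is run from `_tools/packer`.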
@@ -0,0 +1,109 @@
+#--------------------------------------
+# Amazon EBS
+#--------------------------------------
+source "amazon-ebs" "ubuntu-2004" {
+ source_ami_filter {
+ filters = {
+ name = "*ubuntu-focal-20.04-amd64-server*"
+ architecture = "x86_64"
+ }
+ owners = ["099720109477"]
+ most_recent = true
+ }
+ ami_name = format("ubuntu-2004-%s-%s-%s", var.service, var.role, legacy_isotime("2006-01-02T15-04-05"))
+ ami_description = format("debian-%s-%s", var.service, var.role)
+
+ encrypt_boot = true
+ force_delete_snapshot = true
+ force_deregister = true
+ kms_key_id = var.aws_kms_key_id
+
+ region = var.aws_region
+ instance_type = var.aws_instance_type
+ ssh_username = "ubuntu"
+
+ vpc_filter {
+ filters = {
+ "tag:Name" = var.aws_vpc_name
+ }
+ }
+ subnet_filter {
+ filters = {
+ "tag:Name" = var.aws_subnet_name
+ }
+ most_free = true
+ random = true
+ }
+
+ security_group_filter {
+ filters = {
+ "tag:Name" : var.aws_security_group_filter
+ }
+ }
+
+ run_tags = {
+ Project = var.project_name
+ Env = var.project_env
+ Name = format("Packer Builder %s", var.service)
+ ci = var.project_ci
+ git = var.project_git
+ owner = var.project_owner
+ osBase = "ubuntu-2004"
+ }
+
+ tags = {
+ Project = var.project_name
+ Env = var.project_env
+ Name = format("%s-%s", var.service, var.role)
+ Role = var.role
+ Service = var.service
+ SourceAMI = var.source_ami
+ ci = var.project_ci
+ git = var.project_git
+ owner = var.project_owner
+ osBase = "ubuntu-2004"
+ }
+}
+
+#--------------------------------------
+# Vagrant
+#--------------------------------------
+source "vagrant" "ubuntu-2004" {
+ source_path = "ubuntu/focal64"
+ template = "linux/ubuntu/templates/ubuntu/2004/Vagrantfile.tpl"
+ provider = "virtualbox"
+ teardown_method = "suspend"
+ skip_package = true
+ communicator = "ssh"
+ box_name = "ubuntu-2004"
+ output_dir = "${var.build_directory}/ubuntu-2004/vagrant"
+}
+
+#--------------------------------------
+# Docker
+#--------------------------------------
+source "docker" "ubuntu-2004" {
+ image = "ubuntu:20.04"
+ commit = false
+ discard = true
+}
+
+# a build block invokes sources and runs provisioning steps on them. The
+# documentation for build blocks can be found here:
+# https://www.packer.io/docs/templates/hcl_templates/blocks/build
+build {
+ sources = [
+ "source.docker.ubuntu-2004",
+ "source.vagrant.ubuntu-2004",
+ "source.amazon-ebs.ubuntu-2004",
+ ]
+
+ provisioner "shell" {
+ inline = ["cat /etc/os-release"]
+ }
+
+ provisioner "shell-local" {
+ inline = ["curl -s https://api.ipify.org/?format=none"]
+ }
+}
+
diff --git a/_tools/packer/linux/debian/debian-buster.pkr.hcl b/_tools/packer/linux/debian/debian-buster.pkr.hcl
new file mode 100644
index 0000000..b5fb3fa
--- /dev/null
+++ b/_tools/packer/linux/debian/debian-buster.pkr.hcl
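Review bot: This file is a verbatim copy of `ubuntu-2004.pkr.hcl` (both carry blob `fb4efcb` in their diff headers): every source is named `ubuntu-2004`, the AMI filter is `*ubuntu-focal-20.04-amd64-server*` and the vagrant box is `ubuntu/focal64`, so nothing in it builds Debian bullseye, and the filename itself is misspelled (`bulleye`). The same applies to `debian-buster.pkr.hcl` in the next hunk, a copy of `ubuntu-1804.pkr.hcl` (blob `b5fb3fa`). If either copy is ever loaded into the same build directory as its Ubuntu original, as `all/` does by symlink, Packer will reject the duplicate `source "amazon-ebs" "ubuntu-2004"` and `source "amazon-ebs" "ubuntu-1804"` definitions. Either rewrite these for the Debian releases they are named after or leave them out of the commit until they are.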
@@ -0,0 +1,112 @@
+#--------------------------------------
+# Amazon EBS
+#--------------------------------------
+source "amazon-ebs" "ubuntu-1804" {
+ source_ami_filter {
+ filters = {
+ name = "*/hvm-ssd/ubuntu-bionic-18.04-amd64-server*"
+ architecture = "x86_64"
+ }
+ owners = ["099720109477"]
+ most_recent = true
+ }
+
+ ami_name = format("ubuntu-1804-%s-%s-%s", var.service, var.role, legacy_isotime("2006-01-02T15-04-05"))
+ ami_description = format("debian-%s-%s", var.service, var.role)
+
+ encrypt_boot = true
+ force_delete_snapshot = true
+ force_deregister = true
+ kms_key_id = var.aws_kms_key_id
+
+ region = var.aws_region
+ instance_type = var.aws_instance_type
+ ssh_username = "ubuntu"
+
+ vpc_filter {
+ filters = {
+ "tag:Name" = var.aws_vpc_name
+ }
+ }
+ subnet_filter {
+ filters = {
+ "tag:Name" = var.aws_subnet_name
+ }
+ most_free = true
+ random = true
+ }
+
+ security_group_filter {
+ filters = {
+ "tag:Name" : var.aws_security_group_filter
+ }
+ }
+
+ run_tags = {
+ Project = var.project_name
+ Env = var.project_env
+ Name = format("Packer Builder %s", var.service)
+ ci = var.project_ci
+ git = var.project_git
+ owner = var.project_owner
+ osBase = "ubuntu-1804"
+ }
+
+ tags = {
+ Project = var.project_name
+ Env = var.project_env
+ Name = format("%s-%s", var.service, var.role)
+ Role = var.role
+ Service = var.service
+ SourceAMI = var.source_ami
+ ci = var.project_ci
+ git = var.project_git
+ owner = var.project_owner
+ osBase = "ubuntu-1804"
+ }
+}
+
+#--------------------------------------
+# Vagrant
+#--------------------------------------
+source "vagrant" "ubuntu-1804" {
+ source_path = "ubuntu/bionic64"
+ template = "linux/ubuntu/templates/ubuntu/1804/Vagrantfile.tpl"
+ provider = "virtualbox"
+ teardown_method = "suspend"
+ skip_package = true
+ communicator = "ssh"
+ box_name = "ubuntu-1804"
+ output_dir = "${var.build_directory}/ubuntu-1804/vagrant"
+}
+
+#--------------------------------------
+# Docker
+#--------------------------------------
+source "docker" "ubuntu-1804" {
+ image = "ubuntu:18.04"
+ commit = false
+ discard = true
+}
+
+# a build block invokes sources and runs provisioning steps on them. The
+# documentation for build blocks can be found here:
+# https://www.packer.io/docs/templates/hcl_templates/blocks/build
+build {
+ sources = [
+ "source.docker.ubuntu-1804",
+ "source.vagrant.ubuntu-1804",
+ "source.amazon-ebs.ubuntu-1804",
+ ]
+
+ provisioner "shell" {
+ inline = [
+ "cat /etc/os-release"
+ ]
+ }
+
+ provisioner "shell-local" {
+ inline = ["curl -s https://api.ipify.org/?format=none"]
+ }
+
+}
diff --git a/_tools/packer/linux/debian/templates/debian/bookworm/Vagrantfile.tpl b/_tools/packer/linux/debian/templates/debian/bookworm/Vagrantfile.tpl
new file mode 100644
index 0000000..4761f0b
--- /dev/null
+++ b/_tools/packer/linux/debian/templates/debian/bookworm/Vagrantfile.tpl
@@ -0,0 +1,17 @@
+Vagrant.configure("2") do |config|
+ config.vm.define "source", autostart: false do |source|
+ source.vm.box = "ubuntu/jammy64"
+ config.ssh.insert_key = false
+ end
+ config.vm.define "output" do |output|
+ output.vm.box = "ubuntu-2204"
+ output.vm.box_url = "file://package.box"
+ config.ssh.insert_key = false
+ end
+ config.vm.provider :virtualbox do |vb|
+ vb.memory = 1024
+ vb.cpus = 2
+ vb.customize [ "modifyvm", :id, "--uartmode1", "disconnected" ]
+ end
+ config.vm.synced_folder ".", "/vagrant", disabled: true
+end
diff --git a/_tools/packer/linux/debian/templates/debian/bullseye/Vagrantfile.tpl b/_tools/packer/linux/debian/templates/debian/bullseye/Vagrantfile.tpl
new file mode 100644
index 0000000..398798c
--- /dev/null
+++ b/_tools/packer/linux/debian/templates/debian/bullseye/Vagrantfile.tpl
@@ -0,0 +1,17 @@
+Vagrant.configure("2") do |config|
+ config.vm.define "source", autostart: false do |source|
+ source.vm.box = "ubuntu/focal64"
+ config.ssh.insert_key = false
+ end
+ config.vm.define "output" do |output|
+ output.vm.box = "ubuntu-2004"
+ output.vm.box_url = "file://package.box"
+ config.ssh.insert_key = false
+ end
+ config.vm.provider :virtualbox do |vb|
+ vb.memory = 1024
+ vb.cpus = 2
+ vb.customize [ "modifyvm", :id, "--uartmode1", "disconnected" ]
+ end
+ config.vm.synced_folder ".", "/vagrant", disabled: true
+end
diff --git a/_tools/packer/linux/debian/templates/debian/buster/Vagrantfile.tpl b/_tools/packer/linux/debian/templates/debian/buster/Vagrantfile.tpl
new file mode 100644
index 0000000..766f2b5
--- /dev/null
+++ b/_tools/packer/linux/debian/templates/debian/buster/Vagrantfile.tpl
@@ -0,0 +1,17 @@
+Vagrant.configure("2") do |config|
+ config.vm.define "source", autostart: false do |source|
+ source.vm.box = "ubuntu/bionic64"
+ config.ssh.insert_key = false
+ end
+ config.vm.define "output" do |output|
+ output.vm.box = "ubuntu-1804"
+ output.vm.box_url = "file://package.box"
+ config.ssh.insert_key = false
+ end
+ config.vm.provider :virtualbox do |vb|
+ vb.memory = 1024
+ vb.cpus = 2
+ vb.customize [ "modifyvm", :id, "--uartmode1", "disconnected" ]
+ end
+ config.vm.synced_folder ".", "/vagrant", disabled: true
+end
diff --git a/_tools/packer/linux/ubuntu/templates/ubuntu/1804/Vagrantfile.tpl b/_tools/packer/linux/ubuntu/templates/ubuntu/1804/Vagrantfile.tpl
new file mode 100644
index 0000000..766f2b5
--- /dev/null
+++ b/_tools/packer/linux/ubuntu/templates/ubuntu/1804/Vagrantfile.tpl
@@ -0,0 +1,17 @@
+Vagrant.configure("2") do |config|
+ config.vm.define "source", autostart: false do |source|
+ source.vm.box = "ubuntu/bionic64"
+ config.ssh.insert_key = false
+ end
+ config.vm.define "output" do |output|
+ output.vm.box = "ubuntu-1804"
+ output.vm.box_url = "file://package.box"
+ config.ssh.insert_key = false
+ end
+ config.vm.provider :virtualbox do |vb|
+ vb.memory = 1024
+ vb.cpus = 2
+ vb.customize [ "modifyvm", :id, "--uartmode1", "disconnected" ]
+ end
+ config.vm.synced_folder ".", "/vagrant", disabled: true
+end
diff --git a/_tools/packer/linux/ubuntu/templates/ubuntu/2004/Vagrantfile.tpl b/_tools/packer/linux/ubuntu/templates/ubuntu/2004/Vagrantfile.tpl
new file mode 100644
index 0000000..398798c
--- /dev/null
+++ b/_tools/packer/linux/ubuntu/templates/ubuntu/2004/Vagrantfile.tpl
@@ -0,0 +1,17 @@
+Vagrant.configure("2") do |config|
+ config.vm.define "source", autostart: false do |source|
+ source.vm.box = "ubuntu/focal64"
+ config.ssh.insert_key = false
+ end
+ config.vm.define "output" do |output|
+ output.vm.box = "ubuntu-2004"
+ output.vm.box_url = "file://package.box"
+ config.ssh.insert_key = false
+ end
+ config.vm.provider :virtualbox do |vb|
+ vb.memory = 1024
+ vb.cpus = 2
+ vb.customize [ "modifyvm", :id, "--uartmode1", "disconnected" ]
+ end
+ config.vm.synced_folder ".", "/vagrant", disabled: true
+end
diff --git a/_tools/packer/linux/ubuntu/templates/ubuntu/2204/Vagrantfile.tpl b/_tools/packer/linux/ubuntu/templates/ubuntu/2204/Vagrantfile.tpl
new file mode 100644
index 0000000..4761f0b
--- /dev/null
+++ b/_tools/packer/linux/ubuntu/templates/ubuntu/2204/Vagrantfile.tpl
@@ -0,0 +1,17 @@
+Vagrant.configure("2") do |config|
+ config.vm.define "source", autostart: false do |source|
+ source.vm.box = "ubuntu/jammy64"
+ config.ssh.insert_key = false
+ end
+ config.vm.define "output" do |output|
+ output.vm.box = "ubuntu-2204"
+ output.vm.box_url = "file://package.box"
+ config.ssh.insert_key = false
+ end
+ config.vm.provider :virtualbox do |vb|
+ vb.memory = 1024
+ vb.cpus = 2
+ vb.customize [ "modifyvm", :id, "--uartmode1", "disconnected" ]
+ end
+ config.vm.synced_folder ".", "/vagrant", disabled: true
+end
diff --git a/_tools/packer/linux/ubuntu/ubuntu-1804.pkr.hcl b/_tools/packer/linux/ubuntu/ubuntu-1804.pkr.hcl
new file mode 100644
index 0000000..b5fb3fa
--- /dev/null
+++ b/_tools/packer/linux/ubuntu/ubuntu-1804.pkr.hcl
@@ -0,0 +1,112 @@
+#--------------------------------------
+# Amazon EBS
+#--------------------------------------
+source "amazon-ebs" "ubuntu-1804" {
+ source_ami_filter {
+ filters = {
+ name = "*/hvm-ssd/ubuntu-bionic-18.04-amd64-server*"
+ architecture = "x86_64"
+ }
+ owners = ["099720109477"]
+ most_recent = true
+ }
+
+ ami_name = format("ubuntu-1804-%s-%s-%s", var.service, var.role, legacy_isotime("2006-01-02T15-04-05"))
+ ami_description = format("debian-%s-%s", var.service, var.role)
+
+ encrypt_boot = true
+ force_delete_snapshot = true
+ force_deregister = true
+ kms_key_id = var.aws_kms_key_id
+
+ region = var.aws_region
+ instance_type = var.aws_instance_type
+ ssh_username = "ubuntu"
+
+ vpc_filter {
+ filters = {
+ "tag:Name" = var.aws_vpc_name
+ }
+ }
+ subnet_filter {
+ filters = {
+ "tag:Name" = var.aws_subnet_name
+ }
+ most_free = true
+ random = true
+ }
+
+ security_group_filter {
+ filters = {
+ "tag:Name" : var.aws_security_group_filter
+ }
+ }
+
+ run_tags = {
+ Project = var.project_name
+ Env = var.project_env
+ Name = format("Packer Builder %s", var.service)
+ ci = var.project_ci
+ git = var.project_git
+ owner = var.project_owner
+ osBase = "ubuntu-1804"
+ }
+
+ tags = {
+ Project = var.project_name
+ Env = var.project_env
+ Name = format("%s-%s", var.service, var.role)
+ Role = var.role
+ Service = var.service
+ SourceAMI = var.source_ami
+ ci = var.project_ci
+ git = var.project_git
+ owner = var.project_owner
+ osBase = "ubuntu-1804"
+ }
+}
+
+#--------------------------------------
+# Vagrant
+#--------------------------------------
+source "vagrant" "ubuntu-1804" {
+ source_path = "ubuntu/bionic64"
+ template = "linux/ubuntu/templates/ubuntu/1804/Vagrantfile.tpl"
+ provider = "virtualbox"
+ teardown_method = "suspend"
+ skip_package = true
+ communicator = "ssh"
+ box_name = "ubuntu-1804"
+ output_dir = "${var.build_directory}/ubuntu-1804/vagrant"
+}
+
+#--------------------------------------
+# Docker
+#--------------------------------------
+source "docker" "ubuntu-1804" {
+ image = "ubuntu:18.04"
+ commit = false
+ discard = true
+}
+
+# a build block invokes sources and runs provisioning steps on them. The
+# documentation for build blocks can be found here:
+# https://www.packer.io/docs/templates/hcl_templates/blocks/build
+build {
+ sources = [
+ "source.docker.ubuntu-1804",
+ "source.vagrant.ubuntu-1804",
+ "source.amazon-ebs.ubuntu-1804",
+ ]
+
+ provisioner "shell" {
+ inline = [
+ "cat /etc/os-release"
+ ]
+ }
+
+ provisioner "shell-local" {
+ inline = ["curl -s https://api.ipify.org/?format=none"]
+ }
+
+}
diff --git a/_tools/packer/linux/ubuntu/ubuntu-2004.pkr.hcl b/_tools/packer/linux/ubuntu/ubuntu-2004.pkr.hcl
new file mode 100644
index 0000000..fb4efcb
--- /dev/null
+++ b/_tools/packer/linux/ubuntu/ubuntu-2004.pkr.hcl
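Review bot: `ami_description = format("debian-%s-%s", var.service, var.role)` labels an Ubuntu 18.04 AMI as debian, which misleads anyone triaging images by description; the ubuntu-2004 template in the next hunk carries the same string. Align it with `ami_name`, e.g. `ami_description = format("ubuntu-1804-%s-%s", var.service, var.role)`. The docker source sets `commit = false` and `discard = true`, so that build produces no artifact and only runs `cat /etc/os-release`; if it is meant as a smoke test a comment saying so would stop a later reader from "fixing" it. Ubuntu 18.04 is past its standard support window, so images built from this source ship without security updates unless the build enables extended support, which is worth stating in the template header.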
@@ -0,0 +1,109 @@ +#-------------------------------------- +# Amazon EBS +#-------------------------------------- +source "amazon-ebs" "ubuntu-2004" { + source_ami_filter { + filters = { + name = "*ubuntu-focal-20.04-amd64-server*" + architecture = "x86_64" + } + owners = ["099720109477"] + most_recent = true + } + ami_name = format("ubuntu-2004-%s-%s-%s", var.service, var.role, legacy_isotime("2006-01-02T15-04-05")) + ami_description = format("debian-%s-%s", var.service, var.role) + + encrypt_boot = true + force_delete_snapshot = true + force_deregister = true + kms_key_id = var.aws_kms_key_id + + region = var.aws_region + instance_type = var.aws_instance_type + ssh_username = "ubuntu" + + vpc_filter { + filters = { + "tag:Name" = var.aws_vpc_name + } + } + subnet_filter { + filters = { + "tag:Name" = var.aws_subnet_name + } + most_free = true + random = true + } + + security_group_filter { + filters = { + "tag:Name" : var.aws_security_group_filter + } + } + + run_tags = { + Project = var.project_name + Env = var.project_env + Name = format("Packer Builder %s", var.service) + ci = var.project_ci + git = var.project_git + owner = var.project_owner + osBase = "ubuntu-2004" + } + + tags = { + Project = var.project_name + Env = var.project_env + Name = format("%s-%s", var.service, var.role) + Role = var.role + Service = var.service + SourceAMI = var.source_ami + ci = var.project_ci + git = var.project_git + owner = var.project_owner + osBase = "ubuntu-2004" + } +} + +#-------------------------------------- +# Vagrant +#-------------------------------------- +source "vagrant" "ubuntu-2004" { + source_path = "ubuntu/focal64" + template = "linux/ubuntu/templates/ubuntu/2004/Vagrantfile.tpl" + provider = "virtualbox" + teardown_method = "suspend" + skip_package = true + communicator = "ssh" + box_name = "ubuntu-2004" + output_dir = "${var.build_directory}/ubuntu-2004/vagrant" +} + +#-------------------------------------- +# Docker +#-------------------------------------- 
+source "docker" "ubuntu-2004" { + image = "ubuntu:20.04" + commit = false + discard = true +} + +# a build block invokes sources and runs provisioning steps on them. The +# documentation for build blocks can be found here: +# https://www.packer.io/docs/templates/hcl_templates/blocks/build +build { + sources = [ + "source.docker.ubuntu-2004", + "source.vagrant.ubuntu-2004", + "source.amazon-ebs.ubuntu-2004", + ] + + provisioner "shell" { + inline = ["cat /etc/os-release"] + } + + provisioner "shell-local" { + inline = ["curl -s https://api.ipify.org/?format=none"] + } +} + diff --git a/_tools/packer/linux/ubuntu/ubuntu-2204.pkr.hcl b/_tools/packer/linux/ubuntu/ubuntu-2204.pkr.hcl new file mode 100644 index 0000000..ffdd048 --- /dev/null +++ b/_tools/packer/linux/ubuntu/ubuntu-2204.pkr.hcl 
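Review bot: The `shell-local` provisioner runs `curl -s https://api.ipify.org/?format=none` on the machine driving the build, which makes every build contact a third-party service and disclose the builder's egress address while contributing nothing to the image; if it is a leftover diagnostic it should go, and if it is intentional its purpose belongs in a comment and `-s` should become `-sf` so an HTTP error is not silent. The same provisioner appears in ubuntu-1804.pkr.hcl and ubuntu-2204.pkr.hcl. The `source_ami_filter` name glob `*ubuntu-focal-20.04-amd64-server*` is looser than the `*/hvm-ssd/...` pattern used for 1804; adding `virtualization-type = "hvm"` and `root-device-type = "ebs"` to `filters` narrows what `most_recent` picks from (the `owners` pin to Canonical's account is already in place, which is the important part).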
@@ -0,0 +1,184 @@ +#-------------------------------------- +# Amazon EBS +#-------------------------------------- +source "amazon-ebs" "ubuntu-2204" { + source_ami_filter { + filters = { + name = "*ubuntu-jammy-22.04-amd64-server*" + architecture = "x86_64" + } + owners = ["099720109477"] + most_recent = true + } + + ami_name = format("ubuntu-2204-%s-%s-%s", var.service, var.role, legacy_isotime("2006-01-02T15-04-05")) + ami_description = format("ubuntu-%s-%s", var.service, var.role) + + encrypt_boot = true + force_delete_snapshot = true + force_deregister = true + kms_key_id = var.aws_kms_key_id + + region = var.aws_region + instance_type = var.aws_instance_type + ssh_username = "ubuntu" + + vpc_filter { + filters = { + "tag:Name" = var.aws_vpc_name + } + } + subnet_filter { + filters = { + "tag:Name" = var.aws_subnet_name + } + most_free = true + random = true + } + + security_group_filter { + filters = { + "tag:Name" : var.aws_security_group_filter + } + } + + run_tags = { + Project = var.project_name + Env = var.project_env + Name = format("Packer Builder %s", var.service) + ci = var.project_ci + git = var.project_git + owner = var.project_owner + osBase = "ubuntu-2204" + } + + tags = { + Project = var.project_name + Env = var.project_env + Name = format("%s-%s", var.service, var.role) + Role = var.role + Service = var.service + SourceAMI = var.source_ami + ci = var.project_ci + git = var.project_git + owner = var.project_owner + osBase = "ubuntu-2204" + } +} + +#-------------------------------------- +# Vagrant +#-------------------------------------- +source "vagrant" "ubuntu-2204" { + source_path = "ubuntu/jammy64" + template = "${path.root}/../../packer/linux/ubuntu/templates/ubuntu/2204/Vagrantfile.tpl" + provider = "virtualbox" + teardown_method = "suspend" + skip_package = true + communicator = "ssh" + box_name = "ubuntu-2204" + ssh_username = "vagrant" + output_dir = "${var.build_directory}/ubuntu-2204/vagrant" +} + 
+#-------------------------------------- +# Docker +#-------------------------------------- +source "docker" "ubuntu-2204" { + image = "ubuntu:22.04" + commit = true + privileged = true + tmpfs = ["/run"] + volumes = { + "/sys/fs/cgroup/" : "/sys/fs/cgroup:ro" + } + changes = [ + "ENTRYPOINT /lib/systemd/systemd" + ] +} + +# a build block invokes sources and runs provisioning steps on them. The +# documentation for build blocks can be found here: +# https://www.packer.io/docs/templates/hcl_templates/blocks/build +build { + sources = [ + "source.docker.ubuntu-2204", + "source.vagrant.ubuntu-2204", + "source.amazon-ebs.ubuntu-2204" + ] + + provisioner "shell" { + inline = ["sleep 20"] + only = ["amazon-ebs"] + } + + provisioner "shell" { + scripts = [ + "${path.root}/../scripts/bootstrap.sh" + ] + } + + provisioner "ansible-local" { + playbook_file = var.playbook_file + playbook_dir = "${path.root}/../../ansible" + group_vars = "${path.root}/../../ansible/playbooks/group_vars" + role_paths = [ + "${path.root}/../../ansible/roles", + "${path.root}/../../ansible/galaxy/roles" + ] + # [ var.inventory_groups ] + extra_arguments = [ + "-vvv", + "--extra-vars", "\"SERVICE=${var.service}\"" + ] + } + + + # provisioner "ansible" { + # command = "./scripts/ansible.sh" + # user = "${build.User}" + # extra_arguments = [ + # #"-v", + # "--extra-vars", "foo=bar" + # ] + # ansible_ssh_extra_args = [ + # "-o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa" + # ] + # host_alias = "none" + # playbook_file = "../../ansible/galaxy/roles/UBUNTU22-CIS/site.yml" + # only = ["vagrant.ubuntu-2204", "azure-arm.ubuntu-2204", "googlecompute.ubuntu-2204"] + # } + + # provisioner "ansible" { + # command = "./scripts/ansible.sh" + # user = "${build.User}" + # extra_arguments = [ + # #"-v", + # "--extra-vars", "foo=bar" + # ] + # ansible_ssh_extra_args = [ + # "-o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa" + # ] + # host_alias = "none" + # playbook_file = 
"../../ansible/galaxy/roles/UBUNTU22-CIS/site.yml" + # only = ["amazon-ebs.ubuntu-2204"] + # } + + provisioner "shell-local" { + inline = ["curl -s https://api.ipify.org/?format=none"] + } + + # provisioner "shell" { + # execute_command = "chmod +x {{ .Path }}; {{ .Vars }} sudo -E sh '{{ .Path }}'" + # inline = ["/usr/sbin/waagent -force -deprovision+user && export HISTSIZE=0 && sync"] + # inline_shebang = "/bin/sh -x" + # only = ["azure-arm.ubuntu-2204"] + # } + + # post-processor "docker-tag" { + # // repository = "${var.repository}/jenkins" + # repository = "jenkins" + # tags = ["${var.version}"] + # } +} + diff --git a/_tools/packer/run.sh b/_tools/packer/run.sh new file mode 100755 index 0000000..08fc581 --- /dev/null +++ b/_tools/packer/run.sh 
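Review bot: `source "docker" "ubuntu-2204"` runs the build container with `privileged = true`, bind-mounts the host's `/sys/fs/cgroup`, and commits the result with `ENTRYPOINT /lib/systemd/systemd`, so the `ansible-local` playbook executes with root-equivalent reach into the build host and the committed image keeps the systemd entrypoint; a comment on that block should state that this is a local test image and why privileged mode is required, so nobody runs it on a shared CI runner by accident. `-vvv` in the `ansible-local` `extra_arguments` can print each task's module arguments, and run.sh tees the build output to `packer.out`, so playbook variables can end up on disk in the clear; `-v` is usually enough outside active debugging. Unlike the deleted debian-buster build, no provisioner here runs `scripts/cleanup.sh`, so as far as this patch shows pip, ansible and the bootstrap packages remain in the published AMI. The commented-out `ansible` provisioners re-enable `ssh-rsa` through `-o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa`; if they are revived, that option should be dropped rather than carried forward.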
@@ -0,0 +1,123 @@ +#!/usr/bin/env bash + +set -e -o pipefail +# set -x + +# declare colors +CYAN="\e[36m" +# Reset all colors +RESET="\e[0m" + +msg() { + printf "\r%s=${CYAN}%s${RESET}\n" "$1" "$2" +} + +_help() +{ + # Display Help + echo "Construction d'une image automatisée via Packer." + echo "" + echo "Usage: $0 [-h|-v|-d] [-s ]" + echo "> build_type : type de source pour la construction de l'image." + echo " - docker" + echo " construit une image local sur docker" + echo " - vagrant" + echo " construit une image local via vagrant et virtualbox" + echo " - aws (par defaut si valeur est vide)" + echo " construit une AMI sur AWS" + echo "" + echo "options:" + echo "-h Affiche cette aide." + echo "-v Affiche packer en mode TRACE." + echo "-d Utilise le mode debug (pas à pas)." + echo +} + +# Check for required tools +declare -a req_tools=( "packer" "hcl2json" "sed" "curl" "jq" "vagrant" ) +for tool in "${req_tools[@]}"; do + if ! command -v "$tool" > /dev/null; then + echo "❌ It looks like '${tool}' is not installed; please install it and run this setup script again." + exit 1 + fi +done + +# Paths Variables +PACKER_BUILD_SOURCE="${PACKER_BUILD_SOURCE:=docker}" +PACKER_EXTRA_ARGS="--" + +PACKER_ROOT_DIR="$(dirname "$(realpath "$0")")" +PACKER_OUTPUT_FILE="$PACKER_ROOT_DIR/packer.out" +# +PACKER_VARS_FILE="$(pwd)/packer.auto.pkrvars.hcl" +OS_FAMILY="$(hcl2json < "$PACKER_VARS_FILE" | jq -r -c .os_family)" +OS_NAME="$(hcl2json < "$PACKER_VARS_FILE" | jq -r -c .os_name)" +OS_VERSION="$(hcl2json < "$PACKER_VARS_FILE" | jq -r -c .os_version | sed 's/\.//g')" +PACKER_TEMPLATE_PATH="${PACKER_ROOT_DIR}/${OS_FAMILY}/${OS_NAME}" + +if [ ! 
-d "${PACKER_TEMPLATE_PATH}" ] ; then + echo "❌ Incorrect folder for packer templates : ${PACKER_TEMPLATE_PATH}" + exit 1 +fi + +# Parse remaining options +while getopts ":hvds:" option; do + case $option in + h) # display Help + _help + exit + ;; + v) # packer verbose mode + export PACKER_LOG=1 + msg "==> PACKER_LOG=" "${PACKER_OUTPUT_FILE}" + ;; + d) # packer debug mode + PACKER_EXTRA_ARGS="-debug" + msg "==> PACKER_DEBUG=" "true" + ;; + s) + case "${OPTARG}" in + docker|vagrant) + PACKER_BUILD_SOURCE="${OPTARG}" + ;; + aws|amazon) + PACKER_BUILD_SOURCE="amazon-ebs" + ;; + *) + echo "❌ Erreur : valeur invalide pour -s. Attendu : docker, vagrant ou aws." >&2 + exit 1 + ;; + esac + ;; + \?) + echo "❌ Option invalide: -$OPTARG" >&2 + _help + exit 1 + ;; + :) + echo "❌ L'option -$OPTARG nécessite un argument." >&2 + _help + exit 1 + ;; + esac +done + +# Construct the packer build name +PACKER_BUILD="${PACKER_BUILD_SOURCE}.${OS_NAME}-${OS_VERSION}" + +msg "==> PACKER_BUILD=" "${PACKER_BUILD}" +msg "==> PACKER_VARS_FILE=" "${PACKER_VARS_FILE}" +msg "==> OS_BASE=" "${OS_FAMILY}/${OS_NAME}:${OS_VERSION}" + +# packer init -upgrade "${PACKER_ROOT_DIR}/all" + +packer validate \ + -var-file="${PACKER_VARS_FILE}" \ + -only="${PACKER_BUILD}" \ + "${PACKER_ROOT_DIR}/all" + +packer build -force \ + -var-file="${PACKER_VARS_FILE}" \ + -only="${PACKER_BUILD_SOURCE}.${OS_NAME}-${OS_VERSION}" \ + "${PACKER_EXTRA_ARGS}" \ + "${PACKER_ROOT_DIR}/all" | tee -i "${PACKER_OUTPUT_FILE}" diff --git a/_tools/packer/scripts/bootstrap.sh b/_tools/packer/scripts/bootstrap.sh index d72d0bf..6502279 100644 --- a/_tools/packer/scripts/bootstrap.sh +++ b/_tools/packer/scripts/bootstrap.sh 
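Review bot: The `-v` option sets `PACKER_LOG=1` and prints `PACKER_LOG=` pointing at `${PACKER_OUTPUT_FILE}`, but Packer's trace output goes to stderr rather than to that file, and the `packer build ... | tee -i` pipeline captures only stdout; either add `export PACKER_LOG_PATH="${PACKER_ROOT_DIR}/packer.log"` (name illustrative) next to `export PACKER_LOG=1` or correct the message. Trace logs can include variable values and cloud API exchanges, so keeping them in a separate file from the normal build output, and saying so in `_help`, is the safer default. `packer build` spells out `"${PACKER_BUILD_SOURCE}.${OS_NAME}-${OS_VERSION}"` where `packer validate` already uses `-only="${PACKER_BUILD}"`; using the variable in both keeps the two commands from drifting. `PACKER_VARS_FILE` is read three times through `hcl2json` with no existence check, so a missing `packer.auto.pkrvars.hcl` surfaces as a bash redirect error from the first `$(...)`; a `[ -f "${PACKER_VARS_FILE}" ] || { echo "❌ Missing vars file: ${PACKER_VARS_FILE}"; exit 1; }` before the `OS_FAMILY` line gives a clearer failure.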
@@ -1,13 +1,73 @@ -#!/bin/bash -set -ex -export DEBIAN_FRONTEND=noninteractive -# Update packages -sudo apt-get -qq update --yes -# Install Python3 pip -sudo apt-get -qq install --yes python3-pip python-apt aptitude cloud-init -# Print pip3 version -pip3 --version -# Install Ansible via pip3 -sudo pip3 install ansible -# Print Ansible version -ansible --version \ No newline at end of file +#!/usr/bin/env bash +set -e -o pipefail + +SUDO="" +if [ "$EUID" -ne 0 ]; then + SUDO="sudo" +fi + +# OS Detection +if [ -f /etc/os-release ]; then + # shellcheck disable=SC1091 + . /etc/os-release +fi + +# https://docs.ansible.com/ansible/latest/installation_guide/installation_distros.html#installing-ansible-on-ubuntu +case "$NAME" in + "Ubuntu") + # Install Python3 et ces dépendances (Ubuntu) + export DEBIAN_FRONTEND=noninteractive + export TZ=Etc/UTC + ${SUDO} apt-get -qq update --yes + ${SUDO} apt-get -qq install --yes python3-pip cloud-init curl software-properties-common + ${SUDO} add-apt-repository --yes --update ppa:ansible/ansible + ${SUDO} apt install ansible + ;; + "Debian GNU/Linux") + # Install Python3 et ces dépendances (Debian) + export DEBIAN_FRONTEND=noninteractive + ${SUDO} apt-get -qq update --yes + ${SUDO} apt-get -qq install --yes python3-pip cloud-init + + if [[ "$VERSION_ID" == "11" ]]; then + UBUNTU_CODENAME=jammy + wget -O- "https://keyserver.ubuntu.com/pks/lookup?fingerprint=on&op=get&search=0x6125E2A8C77F2818FB7BD15B93C4A3FD7BB9C367" | ${SUDO} gpg --dearmour -o /usr/share/keyrings/ansible-archive-keyring.gpg + ${SUDO} echo "deb [signed-by=/usr/share/keyrings/ansible-archive-keyring.gpg] http://ppa.launchpad.net/ansible/ansible/ubuntu $UBUNTU_CODENAME main" | ${SUDO} tee /etc/apt/sources.list.d/ansible.list + ${SUDO} apt update && ${SUDO} apt install ansible + elif [[ "$VERSION_ID" == "12" ]]; then + ${SUDO} apt-get -qq install --yes ansible-core + fi + + ;; + "Red Hat Enterprise Linux") + # Install Python3 et ces dépendances (RHEL8/RHEL9) + ${SUDO} yum 
-y update && ${SUDO} yum -y upgrade + if [[ "$VERSION" == *"9."* ]]; then + ${SUDO} yum -y install python3 python3-pip python3-cryptography python3-gssapi + #subscription-manager repos --enable codeready-builder-for-rhel-9-$(arch)-rpms && dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm + + elif [[ "$VERSION" == *"8."* ]]; then + ${SUDO} yum -y install python39 python39-pip python3-cryptography python3-gssapi + # subscription-manager repos --enable codeready-builder-for-rhel-8-$(arch)-rpms && dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm + fi + ;; + "Amazon Linux") + # Install Python3 et ces dépendances (AmazonLinux2023) + ${SUDO} yum -y update && ${SUDO} yum -y upgrade + if [[ "$VERSION" == "2023" ]]; then + ${SUDO} yum -y install python3 python3-pip python3-cryptography python3-gssapi python3-boto3 python3-certifi ansible-core + fi + if [[ "$VERSION" == "2" ]]; then + ${SUDO} yum -y install python3 python3-pip python3-cryptography python3-gssapi python3-boto3 python3-certifi ansible-core + fi + ;; + *) + echo "Unsupported OS: $NAME" + exit 1 + ;; +esac + +# Print Ansible versions +ansible --version + +exit 0 diff --git a/_tools/packer/scripts/cleanup.sh b/_tools/packer/scripts/cleanup.sh index 63e30f4..354ece6 100644 --- a/_tools/packer/scripts/cleanup.sh +++ b/_tools/packer/scripts/cleanup.sh @@ -3,4 +3,10 @@ set -ex # Remove Ansible sudo rm -rf /etc/ansible/roles/* sudo pip3 uninstall ansible --yes -sudo apt-get --yes --purge --autoremove remove python3-pip \ No newline at end of file +sudo apt-get --yes --purge --autoremove remove python3-pip + + +# "sudo apt-get autoremove -y", +# "sudo apt-get clean", +# "sudo rm -rf /tmp/*", +# "sudo history -c && sudo history -w" // Clear bash history diff --git a/_tools/packer/templates/builder-qemu.json b/_tools/packer/templates/builder-qemu.json deleted file mode 100644 index 5e03191..0000000 
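Review bot: The Ubuntu branch runs `${SUDO} apt install ansible` without `--yes`, and the Debian 11 branch does the same in `${SUDO} apt update && ${SUDO} apt install ansible`; inside a Packer provisioner stdin is not a terminal, so apt aborts at its confirmation prompt and `set -e` ends the build — both should be `${SUDO} apt-get install --yes ansible` (`DEBIAN_FRONTEND=noninteractive` does not replace `--yes`). The RHEL branch installs python and pip but never ansible or ansible-core, so the script reaches `ansible --version` with nothing to run and fails there; either install it (the commented `codeready-builder`/EPEL line suggests the intended path) or make the final check conditional on the branch. The Debian 11 keyring step pipes `wget` into `gpg --dearmour` to create a keyring apt will trust, yet `wget` is not among the packages installed just above and nothing verifies that the downloaded key carries the expected fingerprint; a short comment should state that the step relies on `pipefail` to stop the build if the download fails and that the fingerprint in the URL is the one apt ends up trusting. cleanup.sh in the next hunk still removes ansible with `pip3 uninstall`, which no longer matches how this script installs it.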
--- a/_tools/packer/templates/builder-qemu.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "builders": - [ - { - "type": "qemu", - "qemuargs": [[ "-m", "4096M" ]], - "iso_url": "http://cdimage.ubuntu.com/releases/18.04.1/release/ubuntu-18.04.1-server-amd64.iso", - "iso_checksum_url": "http://cdimage.ubuntu.com/releases/18.04.1/release/SHA256SUMS", - "iso_checksum_type": "sha256", - "output_directory": "output_ubuntu", - "shutdown_command": "sudo shutdown -P now", - "disk_size": 6000, - "format": "qcow2", - "headless": true, - "http_directory": "httpdir", - "http_port_min": 10082, - "http_port_max": 10089, - "ssh_host_port_min": 2222, - "ssh_host_port_max": 2229, - "ssh_username": "ubuntu", - "ssh_password": "password", - "ssh_port": 22, - "ssh_wait_timeout": "1000000s", - "vm_name": "ubuntu18.qcow2", - "net_device": "virtio-net", - "disk_interface": "virtio", - "boot_wait": "1800s", - "boot_command":[] - } - ] -} \ No newline at end of file diff --git a/_tools/packer/templates/debian-buster.json b/_tools/packer/templates/debian-buster.json deleted file mode 100644 index d4166d2..0000000 --- a/_tools/packer/templates/debian-buster.json +++ /dev/null 
@@ -1,140 +0,0 @@ -{ - "variables": { - "role": null, - "service": null, - "playbook_file": null, - "inventory_groups": null, - "region": "eu-west-1", - "aws_profile": "revolve", - "vpc_id": "vpc-0943350383762ea0c", - "subnet_id": "subnet-0d969f189aad02f1a", - "security_group_id": "sg-0cedabc8df636164f", - "source_ami": "ami-0964eb2dc8b836eb6", - "instance_type": "t2.micro", - "shared_account": "205168111441,432161212492", - "box_name": "bento/debian-10", - "box_version": "202105.25.0", - "box_folder": "undefined", - "box_checksum": "undefined", - "box_base_mac": "undefined", - "vagrant_ssh_private_key": "undefined", - "PROJECT_NAME": "IAC-AWS", - "PROJECT_ENV": "QA", - "PROJECT_OWNER": "frederic.willien@revolve.team", - "PROJECT_GIT": "https://github.com/freuds/iac-aws.git", - "PROJECT_CI": "https://github.com/freuds/iac-aws.git" - - }, - "builders": [ - { - "type": "amazon-ebs", - "region": "{{ user `region` }}", - "source_ami": "{{ user `source_ami` }}", - "instance_type": "{{ user `instance_type` }}", - "ssh_pty": true, - "ssh_username": "ubuntu", - "ami_name": "{{ user `service` }}-{{ user `role` }}-{{ isotime \"2006-01-02T15-04-05\" }}", - "ami_description": "ubuntu-{{ user `service` }}-{{ user `role` }}", - "ami_regions": ["eu-west-1"], - "vpc_id": "{{ user `vpc_id` }}", - "subnet_id": "{{ user `subnet_id` }}", - "ami_users": "{{ user `shared_account` }}", - "associate_public_ip_address": true, - "security_group_id": "{{ user `security_group_id` }}", - "tags": { - "Name": "{{ user `service` }}-{{ user `role` }}", - "Role": "{{ user `role` }}", - "Service": "{{ user `service` }}", - "Source AMI":"{{ user `source_ami` }}", - "Appli": "{{user `PROJECT_NAME`}}", - "owner": "{{user `PROJECT_OWNER`}}", - "Env": "{{user `PROJECT_ENV`}}", - "git": "{{user `PROJECT_GIT`}}", - "ci": "{{user `PROJECT_CI`}}" - }, - "run_tags": { - "Name": "Packer Builder {{ user `service` }}", - "Appli": "{{user `PROJECT_NAME`}}", - "owner": "{{user `PROJECT_OWNER`}}", - "Env": "{{user 
`PROJECT_ENV`}}", - "git": "{{user `PROJECT_GIT`}}", - "ci": "{{user `PROJECT_CI`}}" - } - }, - { - "type": "qemu", - "iso_url": "http://mirror.raystedman.net/centos/6/isos/x86_64/CentOS-6.9-x86_64-minimal.iso", - "iso_checksum": "md5:af4a1640c0c6f348c6c41f1ea9e192a2", - "output_directory": "output_centos_tdhtest", - "shutdown_command": "echo 'packer' | sudo -S shutdown -P now", - "disk_size": "5000M", - "format": "qcow2", - "accelerator": "kvm", - "http_directory": "path/to/httpdir", - "ssh_username": "root", - "ssh_password": "s0m3password", - "ssh_timeout": "20m", - "vm_name": "tdhtest", - "net_device": "virtio-net", - "disk_interface": "virtio", - "boot_wait": "10s", - "boot_command": [ - " text ks=http://{{ .HTTPIP }}:{{ .HTTPPort }}/centos6-ks.cfg" - ] - }, - { - "type": "virtualbox-ovf", - "communicator": "ssh", - "source_path": "{{ user `box_folder` }}/box.ovf", - "checksum": "{{ user `box_checksum` }}", - "guest_additions_mode": "disable", - "headless": true, - "ssh_pty": true, - "ssh_username": "vagrant", - "ssh_private_key_file": "~/.vagrant.d/insecure_private_key", - "ssh_port": "62222", - "ssh_wait_timeout": "1000s", - "ssh_skip_nat_mapping": true, - "shutdown_command": "sudo shutdown -P now", - "output_directory": "/tmp/packer_output", - "target_path": "/tmp/packer_cache", - "skip_export": true, - "vboxmanage": [ - [ "modifyvm", "{{ .Name }}", "--cpus", "2" ], - [ "modifyvm", "{{ .Name }}", "--memory", "2048" ], - [ "modifyvm", "{{ .Name }}", "--nic1", "nat" ], - [ "modifyvm", "{{ .Name }}", "--natpf1", "packerssh,tcp,127.0.0.1,62222,,22" ], - [ "modifyvm", "{{ .Name }}", "--uart1", "0x3F8", "4" ], - [ "modifyvm", "{{ .Name }}", "--macaddress1", "{{ user `box_base_mac` }}" ], - [ "modifyvm", "{{ .Name }}", "--accelerate3d", "off" ], - [ "modifyvm", "{{ .Name }}", "--graphicscontroller", "vmsvga" ], - [ "modifyvm", "{{ .Name }}", "--pae", "off" ], - [ "modifyvm", "{{ .Name }}", "--nestedpaging", "on" ], - [ "modifyvm", "{{ .Name }}", "--vram", "128" ] 
- ] - } - ], - "provisioners": [ - { - "type": "shell", - "inline": ["sleep 20"], - "only": ["amazon-ebs"] - }, - { - "type": "shell", - "scripts": ["{{ template_dir }}/../scripts/bootstrap.sh"] - }, - { - "type": "ansible-local", - "playbook_file": "{{ user `playbook_file` }}", - "playbook_dir": "{{ template_dir }}/../../ansible", - "group_vars": "{{ template_dir }}/../../ansible/playbooks/group_vars", - "inventory_groups": "{{ user `inventory_groups` }}", - "extra_arguments": [ "--extra-vars \"SERVICE={{ user `service` }}\"", "-e ansible_python_interpreter=/usr/bin/python3" ] - }, - { - "type": "shell", - "scripts": ["{{ template_dir }}/../scripts/cleanup.sh"] - } - ] -} diff --git a/_tools/packer/templates/debian-buster/builds.pkr.hcl b/_tools/packer/templates/debian-buster/builds.pkr.hcl deleted file mode 100644 index 5757c9c..0000000 --- a/_tools/packer/templates/debian-buster/builds.pkr.hcl +++ /dev/null 
@@ -1,46 +0,0 @@ -packer { - required_plugins { - amazon = { - version = ">= 1.0.0" - source = "github.com/hashicorp/amazon" - } - qemu = { - version = ">= 1.0.0" - source = "github.com/hashicorp/qemu" - } - } -} - -# documentation for build blocks can be found here: -# https://www.packer.io/docs/templates/hcl_templates/blocks/build -build { - - sources = [ - "source.amazon-ebs.source" - ] - // sources = ["source.amazon-ebs.debian", "source.qemu.ubuntu"] - // sources = ["source.qemu.debian"] - - - provisioner "shell" { - inline = ["sleep 20"] - only = ["amazon-ebs"] - } - - provisioner "shell" { - scripts = ["${path.root}/../../scripts/bootstrap.sh"] - } - - provisioner "ansible-local" { - extra_arguments = ["--extra-vars \"SERVICE=${var.service}\"", "-e ansible_python_interpreter=/usr/bin/python3"] - group_vars = "${path.root}/../../../ansible/playbooks/group_vars" - inventory_groups = ["${var.inventory_groups}"] - playbook_dir = "${path.root}/../../../ansible" - playbook_file = "${var.playbook_file}" - } - - provisioner "shell" { - scripts = ["${path.root}/../../scripts/cleanup.sh"] - } - -} \ No newline at end of file diff --git a/_tools/packer/templates/debian-buster/http/base.preseed b/_tools/packer/templates/debian-buster/http/base.preseed deleted file mode 100644 index 1d69287..0000000 --- a/_tools/packer/templates/debian-buster/http/base.preseed +++ /dev/null 
@@ -1,69 +0,0 @@ -# Locale Setup -d-i debian-installer/language string {{ language }} -d-i debian-installer/country string {{ country }} -d-i debian-installer/locale string {{ locale }} -# d-i localechooser/supported-locales multiselect en_CA.UTF-8 fr_CA.UTF-8 zh_CN.UTF-8 -# d-i pkgsel/install-language-support boolean true - -# Keyboard Setup -d-i keyboard-configuration/xkb-keymap select {{ keyboard }} - -# Clock Setup -# d-i time/zone string Canada/Eastern -d-i time/zone string {{ timezone }} -d-i clock-setup/utc boolean {{ system_clock_in_utc }} -# set above to false if making a bootable USB to run on same system as Windows - -# Network Setup -d-i netcfg/get_hostname string {{ vm_name }} -d-i netcfg/get_domain string -# https://bugs.launchpad.net/ubuntu/+source/netcfg/+bug/713385 -d-i netcfg/choose_interface select auto -# make sure you also add "interface=auto" to your boot command too -# https://bugs.launchpad.net/ubuntu/+source/netcfg/+bug/713385 - -# User Setup -d-i passwd/user-fullname string {{ ssh_fullname }} -d-i passwd/username string {{ ssh_username }} -d-i passwd/user-password password {{ ssh_password }} -d-i passwd/user-password-again password {{ ssh_password }} -# d-i passwd/user-password-crypted password $6$w5yFawT.$d51yQ513SdzariRCjomBwO9IMtMh6.TjnRwQqTBlOMwGhyyVXlJeYC9kanFp65bpoS1tn9x7r8gLP5Dg4CtEP1 -d-i user-setup/allow-password-weak boolean true -d-i user-setup/encrypt-home boolean false -d-i passwd/root-login boolean false - -# Package Setup -d-i hw-detect/load_firmware boolean false -d-i hw-detect/load_media boolean false -apt-cdrom-setup apt-setup/cdrom/set-first boolean false -d-i mirror/country string manual -d-i mirror/http/hostname string {{ mirror }} -d-i mirror/http/directory string /debian -d-i mirror/http/proxy string -# d-i mirror/http/proxy string {{ apt_cache_url }} -d-i apt-setup/contrib boolean true -d-i apt-setup/non-free boolean true -tasksel tasksel/first multiselect print-server, ssh-server, standard -d-i pkgsel/include 
string sudo, unattended-upgrades -popularity-contest popularity-contest/participate boolean false - -# Drive Setup -d-i grub-installer/only_debian boolean true -d-i grub-installer/with_other_os boolean true -d-i grub-installer/bootdev string default -d-i partman-auto/disk string /dev/sda -d-i partman-lvm/device_remove_lvm boolean true -d-i partman-md/device_remove_md boolean true -d-i partman-partitioning/confirm_write_new_label boolean true -d-i partman/choose_partition select finish -d-i partman/confirm boolean true -d-i partman/confirm_nooverwrite boolean true -d-i partman-auto/method string lvm -d-i partman-auto-lvm/new_vg_name string primary -d-i partman-auto-lvm/guided_size string max -d-i partman-lvm/confirm boolean true -d-i partman-lvm/confirm_nooverwrite boolean true -d-i partman-auto/choose_recipe select atomic - -# Final Setup -d-i finish-install/reboot_in_progress note diff --git a/_tools/packer/templates/debian-buster/http/preseed.cfg b/_tools/packer/templates/debian-buster/http/preseed.cfg deleted file mode 100644 index 5280192..0000000 --- a/_tools/packer/templates/debian-buster/http/preseed.cfg +++ /dev/null 
@@ -1,22 +0,0 @@ -choose-mirror-bin mirror/http/proxy string -d-i debian-installer/framebuffer boolean false -d-i debconf/frontend select noninteractive -d-i base-installer/kernel/override-image string linux-server -d-i clock-setup/utc boolean true -d-i clock-setup/utc-auto boolean true -d-i finish-install/reboot_in_progress note -d-i grub-installer/only_debian boolean true -d-i grub-installer/with_other_os boolean true -d-i partman-auto/method string regular -d-i partman/choose_partition select finish -d-i partman/confirm boolean true -d-i partman/confirm_nooverwrite boolean true -d-i partman/confirm_write_new_label boolean true -d-i pkgsel/include string openssh-server -d-i pkgsel/install-language-support boolean false -d-i pkgsel/update-policy select none -d-i pkgsel/upgrade select full-upgrade -d-i time/zone string UTC -d-i user-setup/allow-password-weak boolean true -d-i user-setup/encrypt-home boolean false -tasksel tasksel/first multiselect standard, ubuntu-server \ No newline at end of file diff --git a/_tools/packer/templates/debian-buster/sources.pkr.hcl b/_tools/packer/templates/debian-buster/sources.pkr.hcl deleted file mode 100644 index 11e3d3a..0000000 --- a/_tools/packer/templates/debian-buster/sources.pkr.hcl +++ /dev/null 
@@ -1,141 +0,0 @@ -# source. Read the documentation for source blocks here: -# https://www.packer.io/docs/templates/hcl_templates/blocks/source - -//#################################################### -// AMAZON-EBS -//#################################################### -source "amazon-ebs" "source" { - ami_description = "debian-${var.service}-${var.role}" - ami_name = "${var.service}-${var.role}-${legacy_isotime("2006-01-02T15-04-05")}" - ami_regions = ["eu-west-1"] - // ami_users = "${var.shared_account}" - associate_public_ip_address = true - instance_type = var.instance_type - region = var.region - profile = var.profile - skip_create_ami = var.skip_create_ami - source_ami = var.source_ami - - run_tags = { - Appli = var.PROJECT_NAME - Env = var.PROJECT_ENV - Name = "Packer Builder ${var.service}" - ci = var.PROJECT_CI - git = var.PROJECT_GIT - owner = var.PROJECT_OWNER - } - - security_group_id = var.security_group_id - ssh_pty = true - ssh_username = "admin" - subnet_id = var.subnet_id - vpc_id = var.vpc_id - - tags = { - Appli = var.PROJECT_NAME - Env = var.PROJECT_ENV - Name = "${var.service}-${var.role}" - Role = var.role - Service = var.service - SourceAMI = var.source_ami - ci = var.PROJECT_CI - git = var.PROJECT_GIT - owner = var.PROJECT_OWNER - } -} - -//#################################################### -// QEMU -//#################################################### -source "qemu" "source" { - boot_command = [ - "c", - "linux /install.amd/vmlinuz ", - "auto=true ", - "url=http://{{ .HTTPIP }}:{{ .HTTPPort }}/${var.preseed_file} ", - "hostname=${var.vm_name} ", - "domain=${var.domain} ", - "interface=auto ", - "vga=788 noprompt quiet --", - "initrd=/install/initrd.gz", - "boot=" - ] - boot_wait = var.boot_wait - communicator = var.communicator - cpus = var.cpus - disk_size = var.disk_size - headless = var.headless - - disk_interface = var.disk_interface - format = var.qemu_format - host_port_max = var.http_port_max - host_port_min = 
var.http_port_min - http_directory = var.http_directory - http_port_max = var.http_port_max - http_port_min = var.http_port_min - iso_checksum = var.iso_checksum - iso_target_path = "${var.packer_cache_dir}/${var.iso_file}" - iso_urls = [ - "${var.iso_path_internal}/${var.iso_file}", - "${var.iso_path_external}/${var.iso_file}" - ] - memory = var.memory - output_directory = var.output_directory - shutdown_command = var.shutdown_command - shutdown_timeout = var.shutdown_timeout - vm_name = var.vm_name - - ssh_agent_auth = var.ssh_agent_auth - ssh_clear_authorized_keys = var.ssh_clear_authorized_keys - ssh_disable_agent_forwarding = var.ssh_disable_agent_forwarding - ssh_file_transfer_method = var.ssh_file_transfer_method - ssh_keep_alive_interval = var.ssh_keep_alive_interval - ssh_password = var.ssh_password - ssh_port = var.ssh_port - ssh_pty = var.ssh_pty - ssh_timeout = var.ssh_timeout - ssh_username = var.ssh_username - ssh_wait_timeout = var.ssh_wait_timeout - - accelerator = var.accelerator - disk_cache = "writeback" - disk_compression = false - disk_discard = "ignore" - disk_image = false - iso_skip_cache = false - machine_type = var.machine_type - net_device = "virtio-net" - qemu_binary = var.qemu_binary - skip_compaction = true - use_default_display = false - vnc_bind_address = var.vnc_vrdp_bind_address - vnc_port_max = var.vnc_vrdp_port_max - vnc_port_min = var.vnc_vrdp_port_min - qemuargs = [ - ["-machine", var.machine_type], - ["-cpu", var.cpu_type], - ["-smp", "4"], - ["-device", "virtio-gpu-pci"], - ["-device", "virtio-keyboard-pci"], - ["-m", "4G"] - ] -} - -// source "virtualbox-ovf" "source" { -// checksum = var.box_checksum -// communicator = "ssh" -// guest_additions_mode = "disable" -// headless = true -// output_directory = "/tmp/packer_output" -// shutdown_command = "sudo shutdown -P now" -// skip_export = true -// source_path = "${var.box_folder}/box.ovf" -// ssh_port = "62222" -// ssh_private_key_file = "~/.vagrant.d/insecure_private_key" 
-// ssh_pty = true -// ssh_skip_nat_mapping = true -// ssh_username = "vagrant" -// ssh_wait_timeout = "1000s" -// target_path = "/tmp/packer_cache" -// vboxmanage = [["modifyvm", "{{ .Name }}", "--cpus", "2"], ["modifyvm", "{{ .Name }}", "--memory", "2048"], ["modifyvm", "{{ .Name }}", "--nic1", "nat"], ["modifyvm", "{{ .Name }}", "--natpf1", "packerssh,tcp,127.0.0.1,62222,,22"], ["modifyvm", "{{ .Name }}", "--uart1", "0x3F8", "4"], ["modifyvm", "{{ .Name }}", "--macaddress1", "${var.box_base_mac}"], ["modifyvm", "{{ .Name }}", "--accelerate3d", "off"], ["modifyvm", "{{ .Name }}", "--graphicscontroller", "vmsvga"], ["modifyvm", "{{ .Name }}", "--pae", "off"], ["modifyvm", "{{ .Name }}", "--nestedpaging", "on"], ["modifyvm", "{{ .Name }}", "--vram", "128"]] -// } \ No newline at end of file diff --git a/_tools/packer/templates/debian-buster/variables.pkr.hcl b/_tools/packer/templates/debian-buster/variables.pkr.hcl deleted file mode 100644 index 048ffaf..0000000 --- a/_tools/packer/templates/debian-buster/variables.pkr.hcl +++ /dev/null 
@@ -1,333 +0,0 @@
-variable "template" {
- type = string
- default = ""
- description = "Folder contains template pkr.hcl files"
-}
-
-variable "PROJECT_CI" {
- type = string
- default = ""
-}
-
-variable "PROJECT_ENV" {
- type = string
- default = "QA"
-}
-
-variable "PROJECT_GIT" {
- type = string
- default = ""
-}
-
-variable "PROJECT_NAME" {
- type = string
- default = ""
-}
-
-variable "PROJECT_OWNER" {
- type = string
- default = ""
-}
-
-variable "profile" {
- type = string
- default = "revolve"
-}
-
-variable "box_base_mac" {
- type = string
- default = "undefined"
-}
-
-variable "box_checksum" {
- type = string
- default = "undefined"
-}
-
-variable "box_folder" {
- type = string
- default = "undefined"
-}
-
-variable "box_name" {
- type = string
- default = "bento/debian-10"
-}
-
-variable "box_version" {
- type = string
- default = "202105.25.0"
-}
-
-variable "instance_type" {
- type = string
- default = "t2.micro"
-}
-
-variable "inventory_groups" {
- type = string
-}
-
-variable "playbook_file" {
- type = string
-}
-
-variable "region" {
- type = string
- default = "eu-west-1"
-}
-
-variable "role" {
- type = string
-}
-
-variable "country" {
- default = "FR"
- type = string
-}
-
-variable "locale" {
- default = "en_US.UTF-8"
- type = string
-}
-
-variable "language" {
- default = "en"
- type = string
-}
-
-variable "keyboard" {
- default = "us"
- type = string
-}
-
-variable "security_group_id" {
- type = string
- default = ""
-}
-
-variable "service" {
- type = string
-}
-
-variable "shared_account" {
- type = list(string)
- default = []
-}
-
-variable "source_ami" {
- type = string
- default = "ami-0874dad5025ca362c"
-}
-
-variable "subnet_id" {
- type = string
- default = ""
-}
-
-variable "vagrant_ssh_private_key" {
- type = string
- default = ""
-}
-
-variable "vpc_id" {
- type = string
- default = ""
-}
-
-variable "skip_create_ami" {
- type = bool
- default = false
-}
-
-variable "accelerator" {
- default = "kvm"
- description = "Use KVM for linux host or HVF for MacOS"
-}
-
-variable "apt_cache_url" {
- default = "http://myserver:3142"
-}
-
-variable "boot_wait" {
- default = "1800s"
-}
-
-variable "disk_interface" {
- type = string
- default = "virtio"
-}
-
-variable "disk_size" {
- default = "10G"
- type = string
-}
-
-variable "domain" {
- default = ""
-}
-
-variable "qemu_format" {
- type = string
- default = "qcow2"
- description = "Virtualization format for QEMU"
-}
-
-variable "headless" {
- default = true
- type = bool
-}
-
-variable "communicator" {
- default = "ssh"
-}
-
-variable "cpus" {
- default = 1
- type = number
-}
-
-variable "cpu_type" {
- default = ""
-}
-
-variable "preseed_file" {
- default = "base-uefi.preseed"
-}
-
-variable "host_port_max" {
- type = number
- default = 4444
-}
-
-variable "host_port_min" {
- type = number
- default = 2222
-}
-
-variable "http_port_max" {
- type = number
- default = 9000
-}
-
-variable "http_port_min" {
- type = number
- default = 8000
-}
-
-variable "http_directory" {
- default = "../../_tools/packer/templates/debian-buster/http"
-}
-
-variable "machine_type" {
- default = "pc"
-}
-
-variable "packer_cache_dir" {
- default = "packer_cache"
-}
-
-variable "iso_file" {
- default = "debian-10.9.0-amd64-netinst.iso"
- description = "Link to ISO file"
-}
-
-variable "iso_checksum" {
- default = "sha512:47d35187b4903e803209959434fb8b65ead3ad2a8f007eef1c3d3284f356ab9955aa7e15e24cb7af6a3859aa66837f5fa2e7441f936496ea447904f7dddfdc20"
-}
-
-variable "iso_path_external" {
- default = "http://cdimage.debian.org/cdimage/release/current/amd64/iso-cd"
-}
-
-variable "iso_path_internal" {
- default = "http://myserver:8080/debian"
-}
-
-variable "memory" {
- default = "768"
- type = number
-}
-
-variable "output_directory" {
- default = "packer_cache/build"
-}
-
-variable "shutdown_command" {
- default = "echo 'Packer' | sudo shutdown -P now"
-}
-
-variable "shutdown_timeout" {
- default = "5m"
-}
-
-variable "vm_name" {
- default = "debian10"
-}
-
-variable "ssh_agent_auth" {
- default = false
- type = bool
-}
-
-variable "ssh_clear_authorized_keys" {
- default = false
- type = bool
-}
-
-variable "ssh_disable_agent_forwarding" {
- default = false
- type = bool
-}
-
-variable "ssh_file_transfer_method" {
- default = "scp"
-}
-
-variable "ssh_keep_alive_interval" {
- default = "5s"
-}
-
-variable "ssh_password" {
- default = "ZAtr56gt0uV"
- type = string
- sensitive = true
-}
-
-variable "ssh_port" {
- default = 22
- type = number
-}
-
-variable "ssh_pty" {
- default = false
- type = bool
-}
-
-variable "ssh_timeout" {
- default = "60m"
-}
-
-variable "ssh_username" {
- default = "debian"
-}
-
-variable "ssh_wait_timeout" {
- default = "120m"
-}
-
-variable "qemu_binary" {
- default = "qemu-system-x86_64"
-}
-
-variable "vnc_vrdp_bind_address" {
- default = "127.0.0.1"
-}
-
-variable "vnc_vrdp_port_max" {
- default = "6000"
-}
-
-variable "vnc_vrdp_port_min" {
- default = "5900"
-}
diff --git a/_tools/packer/templates/debian/10_buster/base-crypt-uefi.preseed b/_tools/packer/templates/debian/10_buster/base-crypt-uefi.preseed
deleted file mode 100644
index 13bfdb0..0000000
--- a/_tools/packer/templates/debian/10_buster/base-crypt-uefi.preseed
+++ /dev/null
@@ -1,101 +0,0 @@
-# Locale Setup
-d-i debian-installer/language string {{ language }}
-d-i debian-installer/country string {{ country }}
-d-i debian-installer/locale string {{ locale }}
-# d-i localechooser/supported-locales multiselect en_CA.UTF-8 fr_CA.UTF-8 zh_CN.UTF-8
-# d-i pkgsel/install-language-support boolean true
-
-# Keyboard Setup
-d-i keyboard-configuration/xkb-keymap select {{ keyboard }}
-
-# Clock Setup
-# d-i time/zone string Canada/Eastern
-d-i time/zone string {{ timezone }}
-d-i clock-setup/utc boolean {{ system_clock_in_utc }}
-# set above to false if making a bootable USB to run on same system as Windows
-
-# Network Setup
-d-i netcfg/get_hostname string {{ vm_name }}
-d-i netcfg/get_domain string
-# https://bugs.launchpad.net/ubuntu/+source/netcfg/+bug/713385
-d-i netcfg/choose_interface select auto
-# make sure you also add "interface=auto" to your boot command too
-# https://bugs.launchpad.net/ubuntu/+source/netcfg/+bug/713385
-
-# User Setup
-d-i passwd/user-fullname string {{ ssh_fullname }}
-d-i passwd/username string {{ ssh_username }}
-d-i passwd/user-password password {{ ssh_password }}
-d-i passwd/user-password-again password {{ ssh_password }}
-# d-i passwd/user-password-crypted password $6$w5yFawT.$d51yQ513SdzariRCjomBwO9IMtMh6.TjnRwQqTBlOMwGhyyVXlJeYC9kanFp65bpoS1tn9x7r8gLP5Dg4CtEP1
-d-i user-setup/allow-password-weak boolean true
-d-i user-setup/encrypt-home boolean false
-d-i passwd/root-login boolean false
-
-# Package Setup
-d-i hw-detect/load_firmware boolean false
-d-i hw-detect/load_media boolean false
-apt-cdrom-setup apt-setup/cdrom/set-first boolean false
-d-i mirror/country string manual
-d-i mirror/http/hostname string {{ mirror }}
-d-i mirror/http/directory string /debian
-d-i mirror/http/proxy string
-# d-i mirror/http/proxy string {{ apt_cache_url }}
-d-i apt-setup/contrib boolean true
-d-i apt-setup/non-free boolean true
-tasksel tasksel/first multiselect print-server, ssh-server, standard
-d-i pkgsel/include string sudo, unattended-upgrades
-popularity-contest popularity-contest/participate boolean false
-
-# Drive Setup
-d-i grub-installer/only_debian boolean true
-d-i grub-installer/with_other_os boolean true
-d-i grub-installer/bootdev string default
-d-i partman-auto/disk string /dev/sda
-d-i partman-lvm/device_remove_lvm boolean true
-d-i partman-md/device_remove_md boolean true
-d-i partman-partitioning/confirm_write_new_label boolean true
-d-i partman/choose_partition select finish
-d-i partman/confirm boolean true
-d-i partman/confirm_nooverwrite boolean true
-# http://ptomusk.blogspot.ca/2012/09/ubuntu-preseedcfg-with-encrypted-lvm.html
-# http://serverfault.com/questions/674137/preeseding-a-debian-stable-install-with-a-complex-partitioning-scheme-missing
-# http://anonscm.debian.org/gitweb/?p=d-i/debian-installer.git;a=blob_plain;f=doc/devel/partman-auto-recipe.txt;hb=HEAD
-# http://www.bishnet.net/tim/blog/2015/01/29/understanding-partman-autoexpert_recipe/
-# http://askubuntu.com/questions/361348/efi-and-working-lvm-partman-auto-expert-recipe
-# http://superuser.com/questions/520068/efi-partition-vs-boot-partition
-d-i partman-auto/method string crypto
-d-i partman-crypto/passphrase password 1ma63b0rk3d
-d-i partman-crypto/passphrase-again password 1ma63b0rk3d
-d-i partman-crypto/weak_passphrase boolean true
-# https://bugs.kali.org/view.php?id=1140
-d-i partman-crypto/erase_data boolean false
-# https://bugs.kali.org/view.php?id=1140
-d-i partman/default_filesystem string ext4
-d-i partman-auto-lvm/new_vg_name string primary
-d-i partman-auto-lvm/guided_size string max
-d-i partman-lvm/confirm boolean true
-d-i partman-lvm/confirm_nooverwrite boolean true
-d-i partman-efi/non_efi_system boolean true
-d-i partman-auto/choose_recipe select fling-the-bling
-d-i partman-auto/expert_recipe string fling-the-bling :: \
- 1 1 1 free \
- $bios_boot{ } method{ biosgrub } \
- . \
- 256 256 256 fat32 \
- $primary{ } $lvmignore{ } \
- method{ efi } format{ } \
- . \
- 100% 200% 200% linux-swap \
- $lvmok{ } lv_name{ swap } in_vg{ primary } \
- method{ swap } format{ } \
- . \
- 10000 10000 -1 ext4 \
- $lvmok{ } lv_name{ root } in_vg{ primary } \
- method{ format } format{ } use_filesystem{ } filesystem{ ext4 } \
- mountpoint{ / } \
- . \
-.
-
-# Final Setup
-d-i finish-install/reboot_in_progress note
diff --git a/_tools/packer/templates/debian/10_buster/base-crypt-uefi.yaml b/_tools/packer/templates/debian/10_buster/base-crypt-uefi.yaml
deleted file mode 100644
index 1f96a6e..0000000
--- a/_tools/packer/templates/debian/10_buster/base-crypt-uefi.yaml
+++ /dev/null
@@ -1,313 +0,0 @@ ---- -# _ -# __ _ _ __ ___| |__ ___ _ __ ___ -# / _` | '_ \ / __| '_ \ / _ \| '__/ __| -# | (_| | | | | (__| | | | (_) | | \__ \ -# \__,_|_| |_|\___|_| |_|\___/|_| |___/ -_anchors: -- &builder_common_options - boot_command: - - 'c' - - 'linux /install.amd/vmlinuz ' - - 'auto=true ' - - 'url=http://{{ .HTTPIP }}:{{ .HTTPPort }}/{{ user `preseed_file` }} ' - - 'hostname={{ user `vm_name` }} ' - - 'domain={{ user `domain` }} ' - - 'interface=auto ' - - 'vga=788 noprompt quiet --' - - 'initrd /install.amd/initrd.gz' - - 'boot' - boot_wait: '{{ user `boot_wait` }}' - communicator: '{{ user `communicator` }}' - cpus: '{{ user `cpus` }}' - disk_size: '{{ user `disk_size` }}' -# floppy_dirs: ([]string) -# floppy_files: ([]string) -# floppy_label: (string) - headless: '{{ user `headless` }}' - host_port_max: '{{ user `host_port_max` }}' - host_port_min: '{{ user `host_port_min` }}' -# http_bind_address: 0.0.0.0 - http_directory: '{{ user `http_directory` }}' - http_port_max: '{{ user `http_port_max` }}' - http_port_min: '{{ user `http_port_min` }}' - iso_checksum: '{{ user `iso_checksum` }}' - iso_target_extension: iso - iso_target_path: '{{ user `packer_cache_dir` }}/{{ user `iso_file` }}' -# iso_url: (string) - iso_urls: - - '{{ user `iso_path_internal` }}/{{ user `iso_file` }}' - - '{{ user `iso_path_external` }}/{{ user `iso_file` }}' - memory: '{{ user `memory` }}' - output_directory: '{{ user `output_directory` }}' -# pause_before_connecting: '{{ user `pause_before_connecting` }}' - shutdown_command: echo '{{ user `ssh_password` }}' | sudo -E -S poweroff - shutdown_timeout: '{{ user `shutdown_timeout` }}' - skip_nat_mapping: false - vm_name: '{{ user `vm_name` }}' -- &communicator_ssh_options - ssh_agent_auth: '{{ user `ssh_agent_auth` }}' -# ssh_bastion_agent_auth: false -# ssh_bastion_host: (string) -# ssh_bastion_password: (string) -# ssh_bastion_port: '22' -# ssh_bastion_private_key_file: (string) -# ssh_bastion_username: (string) -# ssh_ciphers: 
[ 'aes128-gcm@openssh.com', 'chacha20-poly1305@openssh.com', 'aes128-ctr', 'aes192-ctr', 'aes256-ctr', ] - ssh_clear_authorized_keys: '{{ user `ssh_clear_authorized_keys` }}' - ssh_disable_agent_forwarding: '{{ user `ssh_disable_agent_forwarding` }}' - ssh_file_transfer_method: '{{ user `ssh_file_transfer_method` }}' - ssh_handshake_attempts: '{{ user `ssh_handshake_attempts` }}' -# ssh_host: (string) - ssh_keep_alive_interval: '{{ user `ssh_keep_alive_interval` }}' - ssh_password: '{{ user `ssh_password` }}' - ssh_port: '{{ user `ssh_port` }}' -# ssh_private_key_file: (string) -# ssh_proxy_host: (string) -# ssh_proxy_password: (string) -# ssh_proxy_port: '1080' -# ssh_proxy_username: (string) - ssh_pty: '{{ user `ssh_pty` }}' -# ssh_read_write_timeout: (string) - ssh_timeout: '{{ user `ssh_timeout` }}' - ssh_username: '{{ user `ssh_username` }}' -- &provisioner_shell_options - binary: false -# environment_vars: ([]string) - execute_command: echo '{{ user `ssh_password` }}' | {{ .Vars }} sudo -E -S '{{ .Path }}' - expect_disconnect: true - inline_shebang: /bin/sh -e -# remote_file: script_nnn.sh -# remote_folder: /tmp -# remote_path: /tmp/script_nnn.sh - skip_clean: false - start_retry_timeout: '{{ user `start_retry_timeout` }}' - type: shell -# _ _ _ _ -# | |__ _ _(_) | __| | ___ _ __ ___ -# | '_ \| | | | | |/ _` |/ _ \ '__/ __| -# | |_) | |_| | | | (_| | __/ | \__ \ -# |_.__/ \__,_|_|_|\__,_|\___|_| |___/ -builders: -# _ _ _ _ _ -# __ _(_)_ __| |_ _ _ __ _| | |__ _____ __ (_)___ ___ -# \ \ / / | '__| __| | | |/ _` | | '_ \ / _ \ \/ /____| / __|/ _ \ -# \ V /| | | | |_| |_| | (_| | | |_) | (_) > <_____| \__ \ (_) | -# \_/ |_|_| \__|\__,_|\__,_|_|_.__/ \___/_/\_\ |_|___/\___/ -- <<: [*builder_common_options, *communicator_ssh_options] - bundle_iso: '{{ user `bundle_iso` }}' -# export_opts: ([]string) - format: ova -# guest_additions_interface: sata - guest_additions_mode: disable -# guest_additions_path: VBoxGuestAdditions.iso -# guest_additions_sha256: (string) -# 
guest_additions_url: (string) - guest_os_type: '{{ user `guest_os_type` }}' - hard_drive_discard: false - hard_drive_interface: sata - hard_drive_nonrotational: false - iso_interface: sata - keep_registered: '{{ user `keep_registered` }}' - name: vbox - post_shutdown_delay: 0s - sata_port_count: '1' - skip_export: '{{ user `skip_export` }}' - type: virtualbox-iso - vboxmanage: - - - modifyvm - - '{{ .Name }}' - - '--firmware' - - efi - - - modifyvm - - '{{ .Name }}' - - '--rtcuseutc' - - >- - {{ if user `system_clock_in_utc` | eq `true` -}} - on - {{- else -}} - off - {{- end }} -# vboxmanage_post: ([][]string) - virtualbox_version_file: '/tmp/.vbox_version' - vrdp_bind_address: '{{ user `vnc_vrdp_bind_address` }}' - vrdp_port_max: '{{ user `vnc_vrdp_port_max` }}' - vrdp_port_min: '{{ user `vnc_vrdp_port_min` }}' -# __ _ ___ _ __ ___ _ _ -# / _` |/ _ \ '_ ` _ \| | | | -# | (_| | __/ | | | | | |_| | -# \__, |\___|_| |_| |_|\__,_| -# |_| -- <<: [*builder_common_options, *communicator_ssh_options] - accelerator: kvm - disk_cache: writeback - disk_compression: false - disk_discard: ignore - disk_image: false - disk_interface: virtio-scsi - format: raw - iso_skip_cache: false - machine_type: pc - name: qemu - net_device: virtio-net - qemu_binary: '{{ user `qemu_binary` }}' - qemuargs: - - - -bios - - OVMF.fd - skip_compaction: true - type: qemu - use_default_display: false - vnc_bind_address: '{{ user `vnc_vrdp_bind_address` }}' - vnc_port_max: '{{ user `vnc_vrdp_port_max` }}' - vnc_port_min: '{{ user `vnc_vrdp_port_min` }}' -description: '{{ user `description` }}' -min_packer_version: 1.7.2 -# _ -# _ __ ___ ___| |_ _ __ _ __ ___ ___ ___ ___ ___ ___ _ __ ___ -# | '_ \ / _ \/ __| __|____| '_ \| '__/ _ \ / __/ _ \/ __/ __|/ _ \| '__/ __| -# | |_) | (_) \__ \ ||_____| |_) | | | (_) | (_| __/\__ \__ \ (_) | | \__ \ -# | .__/ \___/|___/\__| | .__/|_| \___/ \___\___||___/___/\___/|_| |___/ -# |_| |_| -post-processors: -- compression_level: 6 -# include: ([]string) - 
keep_input_artifact: true - only: - - vbox - - qemu - output: '{{ user `output_directory` }}/{{ user `vm_name` }}-{{ user `version` }}-{{ build_name }}.box' - type: vagrant - vagrantfile_template: '{{ user `vagrantfile_template` }}' -- compression_level: 6 - format: .gz - keep_input_artifact: true - only: - - qemu - output: '{{ user `output_directory` }}/{{ user `vm_name` }}.raw.gz' - type: compress -# - - files: -# - '{{ user `output_directory` }}/{{ user `vm_name` }}*.box' -# keep_input_artifact: true -# only: -# - vbox -# type: artifice -# XXX CHECKSUM -# - inline_shebang: /bin/sh -e -# # environment_vars: ([]string) -# execute_command: chmod +x "{{ .Script }}"; {{ .Vars }} "{{ .Script }}" -# inline: -# - echo '---' > {{ user `output_directory` }}/{{ user `vm_name` }}.yaml -# - 'echo ''name: {{ user `vm_name` }}'' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml' -# - 'echo ''description: {{ user `description` }}'' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml' -# - echo 'versions:' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml -# - 'echo ''- version: {{ user `version` }}'' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml' -# - echo ' providers:' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml -# - 'echo '' - name: XXXPROVIDER'' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml' -# - 'echo '' url: http://myserver/vm/{{ user `vm_name` }}/{{ user `vm_name` }}-{{ user `version` }}-''{{ build_name }}''.box'' -# >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml' -# - 'echo '' checksum_type: sha256'' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml' -# - 'echo '' checksum: deadbeef'' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml' -# - if [ 'vbox' = '{{ build_name }}' ]; then sed -i 's/XXXPROVIDER/virtualbox/' '{{ user `output_directory` }}/{{ user `vm_name` }}.yaml'; fi -# - if [ 'qemu' = '{{ build_name }}' ]; then sed -i 's/XXXPROVIDER/libvirt/' '{{ user 
`output_directory` }}/{{ user `vm_name` }}.yaml'; fi -# only: -# - vbox -# - qemu -# type: shell-local -# _ _ -# _ __ _ __ _____ _(_)___(_) ___ _ __ ___ _ __ ___ -# | '_ \| '__/ _ \ \ / / / __| |/ _ \| '_ \ / _ \ '__/ __| -# | |_) | | | (_) \ V /| \__ \ | (_) | | | | __/ | \__ \ -# | .__/|_| \___/ \_/ |_|___/_|\___/|_| |_|\___|_| |___/ -# |_| -provisioners: -- <<: *provisioner_shell_options - inline: - - echo 'FS0:\EFI\debian\grubx64.efi' > /boot/efi/startup.nsh - only: - - vbox - - qemu -- <<: *provisioner_shell_options - inline: - - 'echo ''{{ user `ssh_username` }} ALL=(ALL) NOPASSWD: ALL'' > /etc/sudoers.d/99{{ user - `ssh_username` }}' - - chmod 0440 /etc/sudoers.d/99{{ user `ssh_username` }} - only: - - vbox - - qemu -- <<: *provisioner_shell_options - inline: - - apt-get update - - apt-get --yes dist-upgrade - - apt-get clean - only: - - vbox - - qemu -- <<: *provisioner_shell_options - inline: - - dd if=/dev/zero of=/ZEROFILL bs=16M || true - - rm /ZEROFILL - - sync - only: - - vbox - - qemu -# _ _ _ -# __ ____ _ _ __(_) __ _| |__ | | ___ ___ -# \ \ / / _` | '__| |/ _` | '_ \| |/ _ \/ __| -# \ V / (_| | | | | (_| | |_) | | __/\__ \ -# \_/ \__,_|_| |_|\__,_|_.__/|_|\___||___/ -variables: - apt_cache_url: http://myserver:3142 - boot_wait: 3s - bundle_iso: 'false' - communicator: ssh - country: CA - cpus: '1' - description: 'Base box (encrypted UEFI) for x86_64 Debian Buster 10.x' - disk_size: '7500' - domain: '' - guest_os_type: Debian_64 - headless: 'false' - host_port_max: '4444' - host_port_min: '2222' - http_directory: '.' 
- http_port_max: '9000'
- http_port_min: '8000'
-# iso_checksum: file:http://cdimage.debian.org/cdimage/release/current/amd64/iso-cd/SHA512SUMS
- iso_checksum: sha512:47d35187b4903e803209959434fb8b65ead3ad2a8f007eef1c3d3284f356ab9955aa7e15e24cb7af6a3859aa66837f5fa2e7441f936496ea447904f7dddfdc20
- iso_file: debian-10.9.0-amd64-netinst.iso
- iso_path_external: http://cdimage.debian.org/cdimage/release/current/amd64/iso-cd
- iso_path_internal: http://myserver:8080/debian
- keep_registered: 'false'
- keyboard: us
- language: en
- locale: en_CA.UTF-8
- memory: '768'
- min_vagrant_version: 2.2.16
- mirror: ftp.ca.debian.org
- output_directory: 'build/{{ isotime "2006-01-02-15-04-05" }}'
- packer_cache_dir: '{{ env `PACKER_CACHE_DIR` }}'
- preseed_file: template/debian/10_buster/base-crypt-uefi.preseed
- qemu_binary: qemu-system-x86_64
- shutdown_timeout: 5m
- skip_export: 'false'
- ssh_agent_auth: 'false'
- ssh_clear_authorized_keys: 'false'
- ssh_disable_agent_forwarding: 'false'
- ssh_file_transfer_method: scp
- ssh_fullname: Ghost Writer
- ssh_handshake_attempts: '10'
- ssh_keep_alive_interval: 5s
- ssh_password: 1ma63b0rk3d
- ssh_port: '22'
- ssh_pty: 'false'
- ssh_timeout: 60m
- ssh_username: ghost
- start_retry_timeout: 5m
- system_clock_in_utc: 'true'
- timezone: UTC
- vagrantfile_template: template/debian/10_buster/vagrant.rb.j2
- version: 0.0.0
- vm_name: base-crypt-uefi-buster
- vnc_vrdp_bind_address: 127.0.0.1
- vnc_vrdp_port_max: '6000'
- vnc_vrdp_port_min: '5900'
diff --git a/_tools/packer/templates/debian/10_buster/base-crypt.preseed b/_tools/packer/templates/debian/10_buster/base-crypt.preseed
deleted file mode 100644
index 19d108f..0000000
--- a/_tools/packer/templates/debian/10_buster/base-crypt.preseed
+++ /dev/null
@@ -1,78 +0,0 @@
-# Locale Setup
-d-i debian-installer/language string {{ language }}
-d-i debian-installer/country string {{ country }}
-d-i debian-installer/locale string {{ locale }}
-# d-i localechooser/supported-locales multiselect en_CA.UTF-8 fr_CA.UTF-8 zh_CN.UTF-8
-# d-i pkgsel/install-language-support boolean true
-
-# Keyboard Setup
-d-i keyboard-configuration/xkb-keymap select {{ keyboard }}
-
-# Clock Setup
-# d-i time/zone string Canada/Eastern
-d-i time/zone string {{ timezone }}
-d-i clock-setup/utc boolean {{ system_clock_in_utc }}
-# set above to false if making a bootable USB to run on same system as Windows
-
-# Network Setup
-d-i netcfg/get_hostname string {{ vm_name }}
-d-i netcfg/get_domain string
-# https://bugs.launchpad.net/ubuntu/+source/netcfg/+bug/713385
-d-i netcfg/choose_interface select auto
-# make sure you also add "interface=auto" to your boot command too
-# https://bugs.launchpad.net/ubuntu/+source/netcfg/+bug/713385
-
-# User Setup
-d-i passwd/user-fullname string {{ ssh_fullname }}
-d-i passwd/username string {{ ssh_username }}
-d-i passwd/user-password password {{ ssh_password }}
-d-i passwd/user-password-again password {{ ssh_password }}
-# d-i passwd/user-password-crypted password $6$w5yFawT.$d51yQ513SdzariRCjomBwO9IMtMh6.TjnRwQqTBlOMwGhyyVXlJeYC9kanFp65bpoS1tn9x7r8gLP5Dg4CtEP1
-d-i user-setup/allow-password-weak boolean true
-d-i user-setup/encrypt-home boolean false
-d-i passwd/root-login boolean false
-
-# Package Setup
-d-i hw-detect/load_firmware boolean false
-d-i hw-detect/load_media boolean false
-apt-cdrom-setup apt-setup/cdrom/set-first boolean false
-d-i mirror/country string manual
-d-i mirror/http/hostname string {{ mirror }}
-d-i mirror/http/directory string /debian
-d-i mirror/http/proxy string
-# d-i mirror/http/proxy string {{ apt_cache_url }}
-d-i apt-setup/contrib boolean true
-d-i apt-setup/non-free boolean true
-tasksel tasksel/first multiselect print-server, ssh-server, standard
-d-i pkgsel/include string sudo, unattended-upgrades
-popularity-contest popularity-contest/participate boolean false
-
-# Drive Setup
-d-i grub-installer/only_debian boolean true
-d-i grub-installer/with_other_os boolean true
-d-i grub-installer/bootdev string default
-d-i partman-auto/disk string /dev/sda
-d-i partman-lvm/device_remove_lvm boolean true
-d-i partman-md/device_remove_md boolean true
-d-i partman-partitioning/confirm_write_new_label boolean true
-d-i partman/choose_partition select finish
-d-i partman/confirm boolean true
-d-i partman/confirm_nooverwrite boolean true
-d-i partman-auto/method string crypto
-# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=656710
-d-i partman-crypto/passphrase password 1ma63b0rk3d
-d-i partman-crypto/passphrase-again password 1ma63b0rk3d
-d-i partman-crypto/weak_passphrase boolean true
-# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=656710
-# https://bugs.kali.org/view.php?id=1140
-d-i partman-crypto/erase_data boolean false
-# https://bugs.kali.org/view.php?id=1140
-d-i partman/default_filesystem string ext4
-d-i partman-auto-lvm/new_vg_name string primary
-d-i partman-auto-lvm/guided_size string max
-d-i partman-lvm/confirm boolean true
-d-i partman-lvm/confirm_nooverwrite boolean true
-d-i partman-auto/choose_recipe select atomic
-
-# Final Setup
-d-i finish-install/reboot_in_progress note
diff --git a/_tools/packer/templates/debian/10_buster/base-crypt.yaml b/_tools/packer/templates/debian/10_buster/base-crypt.yaml
deleted file mode 100644
index e4b031c..0000000
--- a/_tools/packer/templates/debian/10_buster/base-crypt.yaml
+++ /dev/null
@@ -1,300 +0,0 @@ ---- -# _ -# __ _ _ __ ___| |__ ___ _ __ ___ -# / _` | '_ \ / __| '_ \ / _ \| '__/ __| -# | (_| | | | | (__| | | | (_) | | \__ \ -# \__,_|_| |_|\___|_| |_|\___/|_| |___/ -_anchors: -- &builder_common_options - boot_command: - - '' - - '/install.amd/vmlinuz ' - - 'initrd=/install.amd/initrd.gz ' - - 'auto=true ' - - 'url=http://{{ .HTTPIP }}:{{ .HTTPPort }}/{{ user `preseed_file` }} ' - - 'hostname={{ user `vm_name` }} ' - - 'domain={{ user `domain` }} ' - - 'interface=auto ' - - 'vga=788 noprompt quiet --' - boot_wait: '{{ user `boot_wait` }}' - communicator: '{{ user `communicator` }}' - cpus: '{{ user `cpus` }}' - disk_size: '{{ user `disk_size` }}' -# floppy_dirs: ([]string) -# floppy_files: ([]string) -# floppy_label: (string) - headless: '{{ user `headless` }}' - host_port_max: '{{ user `host_port_max` }}' - host_port_min: '{{ user `host_port_min` }}' -# http_bind_address: 0.0.0.0 - http_directory: '{{ user `http_directory` }}' - http_port_max: '{{ user `http_port_max` }}' - http_port_min: '{{ user `http_port_min` }}' - iso_checksum: '{{ user `iso_checksum` }}' - iso_target_extension: iso - iso_target_path: '{{ user `packer_cache_dir` }}/{{ user `iso_file` }}' -# iso_url: (string) - iso_urls: - - '{{ user `iso_path_internal` }}/{{ user `iso_file` }}' - - '{{ user `iso_path_external` }}/{{ user `iso_file` }}' - memory: '{{ user `memory` }}' - output_directory: '{{ user `output_directory` }}' -# pause_before_connecting: '{{ user `pause_before_connecting` }}' - shutdown_command: echo '{{ user `ssh_password` }}' | sudo -E -S poweroff - shutdown_timeout: '{{ user `shutdown_timeout` }}' - skip_nat_mapping: false - vm_name: '{{ user `vm_name` }}' -- &communicator_ssh_options - ssh_agent_auth: '{{ user `ssh_agent_auth` }}' -# ssh_bastion_agent_auth: false -# ssh_bastion_host: (string) -# ssh_bastion_password: (string) -# ssh_bastion_port: '22' -# ssh_bastion_private_key_file: (string) -# ssh_bastion_username: (string) -# ssh_ciphers: [ 
'aes128-gcm@openssh.com', 'chacha20-poly1305@openssh.com', 'aes128-ctr', 'aes192-ctr', 'aes256-ctr', ] - ssh_clear_authorized_keys: '{{ user `ssh_clear_authorized_keys` }}' - ssh_disable_agent_forwarding: '{{ user `ssh_disable_agent_forwarding` }}' - ssh_file_transfer_method: '{{ user `ssh_file_transfer_method` }}' - ssh_handshake_attempts: '{{ user `ssh_handshake_attempts` }}' -# ssh_host: (string) - ssh_keep_alive_interval: '{{ user `ssh_keep_alive_interval` }}' - ssh_password: '{{ user `ssh_password` }}' - ssh_port: '{{ user `ssh_port` }}' -# ssh_private_key_file: (string) -# ssh_proxy_host: (string) -# ssh_proxy_password: (string) -# ssh_proxy_port: '1080' -# ssh_proxy_username: (string) - ssh_pty: '{{ user `ssh_pty` }}' -# ssh_read_write_timeout: (string) - ssh_timeout: '{{ user `ssh_timeout` }}' - ssh_username: '{{ user `ssh_username` }}' -- &provisioner_shell_options - binary: false -# environment_vars: ([]string) - execute_command: echo '{{ user `ssh_password` }}' | {{ .Vars }} sudo -E -S '{{ .Path }}' - expect_disconnect: true - inline_shebang: /bin/sh -e -# remote_file: script_nnn.sh -# remote_folder: /tmp -# remote_path: /tmp/script_nnn.sh - skip_clean: false - start_retry_timeout: '{{ user `start_retry_timeout` }}' - type: shell -# _ _ _ _ -# | |__ _ _(_) | __| | ___ _ __ ___ -# | '_ \| | | | | |/ _` |/ _ \ '__/ __| -# | |_) | |_| | | | (_| | __/ | \__ \ -# |_.__/ \__,_|_|_|\__,_|\___|_| |___/ -builders: -# _ _ _ _ _ -# __ _(_)_ __| |_ _ _ __ _| | |__ _____ __ (_)___ ___ -# \ \ / / | '__| __| | | |/ _` | | '_ \ / _ \ \/ /____| / __|/ _ \ -# \ V /| | | | |_| |_| | (_| | | |_) | (_) > <_____| \__ \ (_) | -# \_/ |_|_| \__|\__,_|\__,_|_|_.__/ \___/_/\_\ |_|___/\___/ -- <<: [*builder_common_options, *communicator_ssh_options] - bundle_iso: '{{ user `bundle_iso` }}' -# export_opts: ([]string) - format: ova -# guest_additions_interface: sata - guest_additions_mode: disable -# guest_additions_path: VBoxGuestAdditions.iso -# guest_additions_sha256: (string) -# 
guest_additions_url: (string) - guest_os_type: '{{ user `guest_os_type` }}' - hard_drive_discard: false - hard_drive_interface: sata - hard_drive_nonrotational: false - iso_interface: sata - keep_registered: '{{ user `keep_registered` }}' - name: vbox - post_shutdown_delay: 0s - sata_port_count: '1' - skip_export: '{{ user `skip_export` }}' - type: virtualbox-iso - vboxmanage: - - - modifyvm - - '{{ .Name }}' - - '--rtcuseutc' - - >- - {{ if user `system_clock_in_utc` | eq `true` -}} - on - {{- else -}} - off - {{- end }} -# vboxmanage_post: ([][]string) - virtualbox_version_file: '/tmp/.vbox_version' - vrdp_bind_address: '{{ user `vnc_vrdp_bind_address` }}' - vrdp_port_max: '{{ user `vnc_vrdp_port_max` }}' - vrdp_port_min: '{{ user `vnc_vrdp_port_min` }}' -# __ _ ___ _ __ ___ _ _ -# / _` |/ _ \ '_ ` _ \| | | | -# | (_| | __/ | | | | | |_| | -# \__, |\___|_| |_| |_|\__,_| -# |_| -- <<: [*builder_common_options, *communicator_ssh_options] - accelerator: kvm - disk_cache: writeback - disk_compression: false - disk_discard: ignore - disk_image: false - disk_interface: virtio-scsi - format: raw - iso_skip_cache: false - machine_type: pc - name: qemu - net_device: virtio-net - qemu_binary: '{{ user `qemu_binary` }}' -# qemuargs: ([][]string) - skip_compaction: true - type: qemu - use_default_display: false - vnc_bind_address: '{{ user `vnc_vrdp_bind_address` }}' - vnc_port_max: '{{ user `vnc_vrdp_port_max` }}' - vnc_port_min: '{{ user `vnc_vrdp_port_min` }}' -description: '{{ user `description` }}' -min_packer_version: 1.7.2 -# _ -# _ __ ___ ___| |_ _ __ _ __ ___ ___ ___ ___ ___ ___ _ __ ___ -# | '_ \ / _ \/ __| __|____| '_ \| '__/ _ \ / __/ _ \/ __/ __|/ _ \| '__/ __| -# | |_) | (_) \__ \ ||_____| |_) | | | (_) | (_| __/\__ \__ \ (_) | | \__ \ -# | .__/ \___/|___/\__| | .__/|_| \___/ \___\___||___/___/\___/|_| |___/ -# |_| |_| -post-processors: -- compression_level: 6 -# include: ([]string) - keep_input_artifact: true - only: - - vbox - - qemu - output: '{{ user 
`output_directory` }}/{{ user `vm_name` }}-{{ user `version` }}-{{ build_name }}.box' - type: vagrant - vagrantfile_template: '{{ user `vagrantfile_template` }}' -- compression_level: 6 - format: .gz - keep_input_artifact: true - only: - - qemu - output: '{{ user `output_directory` }}/{{ user `vm_name` }}.raw.gz' - type: compress -# - - files: -# - '{{ user `output_directory` }}/{{ user `vm_name` }}*.box' -# keep_input_artifact: true -# only: -# - vbox -# type: artifice -# XXX CHECKSUM -# - inline_shebang: /bin/sh -e -# # environment_vars: ([]string) -# execute_command: chmod +x "{{ .Script }}"; {{ .Vars }} "{{ .Script }}" -# inline: -# - echo '---' > {{ user `output_directory` }}/{{ user `vm_name` }}.yaml -# - 'echo ''name: {{ user `vm_name` }}'' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml' -# - 'echo ''description: {{ user `description` }}'' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml' -# - echo 'versions:' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml -# - 'echo ''- version: {{ user `version` }}'' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml' -# - echo ' providers:' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml -# - 'echo '' - name: XXXPROVIDER'' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml' -# - 'echo '' url: http://myserver/vm/{{ user `vm_name` }}/{{ user `vm_name` }}-{{ user `version` }}-''{{ build_name }}''.box'' -# >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml' -# - 'echo '' checksum_type: sha256'' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml' -# - 'echo '' checksum: deadbeef'' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml' -# - if [ 'vbox' = '{{ build_name }}' ]; then sed -i 's/XXXPROVIDER/virtualbox/' '{{ user `output_directory` }}/{{ user `vm_name` }}.yaml'; fi -# - if [ 'qemu' = '{{ build_name }}' ]; then sed -i 's/XXXPROVIDER/libvirt/' '{{ user `output_directory` }}/{{ user `vm_name` }}.yaml'; fi -# only: -# - vbox -# - qemu -# 
type: shell-local -# _ _ -# _ __ _ __ _____ _(_)___(_) ___ _ __ ___ _ __ ___ -# | '_ \| '__/ _ \ \ / / / __| |/ _ \| '_ \ / _ \ '__/ __| -# | |_) | | | (_) \ V /| \__ \ | (_) | | | | __/ | \__ \ -# | .__/|_| \___/ \_/ |_|___/_|\___/|_| |_|\___|_| |___/ -# |_| -provisioners: -- <<: *provisioner_shell_options - inline: - - 'echo ''{{ user `ssh_username` }} ALL=(ALL) NOPASSWD: ALL'' > /etc/sudoers.d/99{{ user - `ssh_username` }}' - - chmod 0440 /etc/sudoers.d/99{{ user `ssh_username` }} - only: - - vbox - - qemu -- <<: *provisioner_shell_options - inline: - - apt-get update - - apt-get --yes dist-upgrade - - apt-get clean - only: - - vbox - - qemu -- <<: *provisioner_shell_options - inline: - - dd if=/dev/zero of=/ZEROFILL bs=16M || true - - rm /ZEROFILL - - sync - only: - - vbox - - qemu -# _ _ _ -# __ ____ _ _ __(_) __ _| |__ | | ___ ___ -# \ \ / / _` | '__| |/ _` | '_ \| |/ _ \/ __| -# \ V / (_| | | | | (_| | |_) | | __/\__ \ -# \_/ \__,_|_| |_|\__,_|_.__/|_|\___||___/ -variables: - apt_cache_url: http://myserver:3142 - boot_wait: 3s - bundle_iso: 'false' - communicator: ssh - country: CA - cpus: '1' - description: 'Base box (encrypted) for x86_64 Debian Buster 10.x' - disk_size: '7500' - domain: '' - guest_os_type: Debian_64 - headless: 'false' - host_port_max: '4444' - host_port_min: '2222' - http_directory: '.' 
- http_port_max: '9000'
- http_port_min: '8000'
-# iso_checksum: file:http://cdimage.debian.org/cdimage/release/current/amd64/iso-cd/SHA512SUMS
- iso_checksum: sha512:47d35187b4903e803209959434fb8b65ead3ad2a8f007eef1c3d3284f356ab9955aa7e15e24cb7af6a3859aa66837f5fa2e7441f936496ea447904f7dddfdc20
- iso_file: debian-10.9.0-amd64-netinst.iso
- iso_path_external: http://cdimage.debian.org/cdimage/release/current/amd64/iso-cd
- iso_path_internal: http://myserver:8080/debian
- keep_registered: 'false'
- keyboard: us
- language: en
- locale: en_CA.UTF-8
- memory: '768'
- min_vagrant_version: 2.2.16
- mirror: ftp.ca.debian.org
- output_directory: 'build/{{ isotime "2006-01-02-15-04-05" }}'
- packer_cache_dir: '{{ env `PACKER_CACHE_DIR` }}'
- preseed_file: template/debian/10_buster/base-crypt.preseed
- qemu_binary: qemu-system-x86_64
- shutdown_timeout: 5m
- skip_export: 'false'
- ssh_agent_auth: 'false'
- ssh_clear_authorized_keys: 'false'
- ssh_disable_agent_forwarding: 'false'
- ssh_file_transfer_method: scp
- ssh_fullname: Ghost Writer
- ssh_handshake_attempts: '10'
- ssh_keep_alive_interval: 5s
- ssh_password: 1ma63b0rk3d
- ssh_port: '22'
- ssh_pty: 'false'
- ssh_timeout: 60m
- ssh_username: ghost
- start_retry_timeout: 5m
- system_clock_in_utc: 'true'
- timezone: UTC
- vagrantfile_template: template/debian/10_buster/vagrant.rb.j2
- version: 0.0.0
- vm_name: base-crypt-buster
- vnc_vrdp_bind_address: 127.0.0.1
- vnc_vrdp_port_max: '6000'
- vnc_vrdp_port_min: '5900'
diff --git a/_tools/packer/templates/debian/10_buster/base-uefi.preseed b/_tools/packer/templates/debian/10_buster/base-uefi.preseed
deleted file mode 100644
index 5fb612f..0000000
--- a/_tools/packer/templates/debian/10_buster/base-uefi.preseed
+++ /dev/null
@@ -1,88 +0,0 @@ -# Locale Setup -d-i debian-installer/language string {{ language }} -d-i debian-installer/country string {{ country }} -d-i debian-installer/locale string {{ locale }} -# d-i localechooser/supported-locales multiselect en_CA.UTF-8 fr_CA.UTF-8 zh_CN.UTF-8 -# d-i pkgsel/install-language-support boolean true - -# Keyboard Setup -d-i keyboard-configuration/xkb-keymap select {{ keyboard }} - -# Clock Setup -# d-i time/zone string Canada/Eastern -d-i time/zone string {{ timezone }} -d-i clock-setup/utc boolean {{ system_clock_in_utc }} -# set above to false if making a bootable USB to run on same system as Windows - -# Network Setup -d-i netcfg/get_hostname string {{ vm_name }} -d-i netcfg/get_domain string -# https://bugs.launchpad.net/ubuntu/+source/netcfg/+bug/713385 -d-i netcfg/choose_interface select auto -# make sure you also add "interface=auto" to your boot command too -# https://bugs.launchpad.net/ubuntu/+source/netcfg/+bug/713385 - -# User Setup -d-i passwd/user-fullname string {{ ssh_fullname }} -d-i passwd/username string {{ ssh_username }} -d-i passwd/user-password password {{ ssh_password }} -d-i passwd/user-password-again password {{ ssh_password }} -# d-i passwd/user-password-crypted password $6$w5yFawT.$d51yQ513SdzariRCjomBwO9IMtMh6.TjnRwQqTBlOMwGhyyVXlJeYC9kanFp65bpoS1tn9x7r8gLP5Dg4CtEP1 -d-i user-setup/allow-password-weak boolean true -d-i user-setup/encrypt-home boolean false -d-i passwd/root-login boolean false - -# Package Setup -d-i hw-detect/load_firmware boolean false -d-i hw-detect/load_media boolean false -apt-cdrom-setup apt-setup/cdrom/set-first boolean false -d-i mirror/country string manual -d-i mirror/http/hostname string {{ mirror }} -d-i mirror/http/directory string /debian -d-i mirror/http/proxy string -# d-i mirror/http/proxy string {{ apt_cache_url }} -d-i apt-setup/contrib boolean true -d-i apt-setup/non-free boolean true -tasksel tasksel/first multiselect print-server, ssh-server, standard -d-i pkgsel/include 
string sudo, unattended-upgrades -popularity-contest popularity-contest/participate boolean false - -# Drive Setup -d-i grub-installer/only_debian boolean true -d-i grub-installer/with_other_os boolean true -d-i grub-installer/bootdev string default -d-i partman-auto/disk string /dev/sda -d-i partman-lvm/device_remove_lvm boolean true -d-i partman-md/device_remove_md boolean true -d-i partman-partitioning/confirm_write_new_label boolean true -d-i partman/choose_partition select finish -d-i partman/confirm boolean true -d-i partman/confirm_nooverwrite boolean true -d-i partman-auto/method string lvm -d-i partman-auto-lvm/new_vg_name string primary -d-i partman-auto-lvm/guided_size string max -d-i partman-lvm/confirm boolean true -d-i partman-lvm/confirm_nooverwrite boolean true -d-i partman-efi/non_efi_system boolean true -d-i partman-auto/choose_recipe select fling-the-bling -d-i partman-auto/expert_recipe string fling-the-bling :: \ - 1 1 1 free \ - $bios_boot{ } method{ biosgrub } \ - . \ - 256 256 256 fat32 \ - $primary{ } $lvmignore{ } \ - method{ efi } format{ } \ - . \ - 100% 200% 200% linux-swap \ - $lvmok{ } lv_name{ swap } in_vg{ primary } \ - method{ swap } format{ } \ - . \ - 10000 10000 -1 ext4 \ - $lvmok{ } lv_name{ root } in_vg{ primary } \ - method{ format } format{ } use_filesystem{ } filesystem{ ext4 } \ - mountpoint{ / } \ - . \ -. - -# Final Setup -d-i finish-install/reboot_in_progress note diff --git a/_tools/packer/templates/debian/10_buster/base-uefi.yaml b/_tools/packer/templates/debian/10_buster/base-uefi.yaml deleted file mode 100644 index d221363..0000000 --- a/_tools/packer/templates/debian/10_buster/base-uefi.yaml +++ /dev/null 
@@ -1,313 +0,0 @@ ---- -# _ -# __ _ _ __ ___| |__ ___ _ __ ___ -# / _` | '_ \ / __| '_ \ / _ \| '__/ __| -# | (_| | | | | (__| | | | (_) | | \__ \ -# \__,_|_| |_|\___|_| |_|\___/|_| |___/ -_anchors: -- &builder_common_options - boot_command: - - 'c' - - 'linux /install.amd/vmlinuz ' - - 'auto=true ' - - 'url=http://{{ .HTTPIP }}:{{ .HTTPPort }}/{{ user `preseed_file` }} ' - - 'hostname={{ user `vm_name` }} ' - - 'domain={{ user `domain` }} ' - - 'interface=auto ' - - 'vga=788 noprompt quiet --' - - 'initrd /install.amd/initrd.gz' - - 'boot' - boot_wait: '{{ user `boot_wait` }}' - communicator: '{{ user `communicator` }}' - cpus: '{{ user `cpus` }}' - disk_size: '{{ user `disk_size` }}' -# floppy_dirs: ([]string) -# floppy_files: ([]string) -# floppy_label: (string) - headless: '{{ user `headless` }}' - host_port_max: '{{ user `host_port_max` }}' - host_port_min: '{{ user `host_port_min` }}' -# http_bind_address: 0.0.0.0 - http_directory: '{{ user `http_directory` }}' - http_port_max: '{{ user `http_port_max` }}' - http_port_min: '{{ user `http_port_min` }}' - iso_checksum: '{{ user `iso_checksum` }}' - iso_target_extension: iso - iso_target_path: '{{ user `packer_cache_dir` }}/{{ user `iso_file` }}' -# iso_url: (string) - iso_urls: - - '{{ user `iso_path_internal` }}/{{ user `iso_file` }}' - - '{{ user `iso_path_external` }}/{{ user `iso_file` }}' - memory: '{{ user `memory` }}' - output_directory: '{{ user `output_directory` }}' -# pause_before_connecting: '{{ user `pause_before_connecting` }}' - shutdown_command: echo '{{ user `ssh_password` }}' | sudo -E -S poweroff - shutdown_timeout: '{{ user `shutdown_timeout` }}' - skip_nat_mapping: false - vm_name: '{{ user `vm_name` }}' -- &communicator_ssh_options - ssh_agent_auth: '{{ user `ssh_agent_auth` }}' -# ssh_bastion_agent_auth: false -# ssh_bastion_host: (string) -# ssh_bastion_password: (string) -# ssh_bastion_port: '22' -# ssh_bastion_private_key_file: (string) -# ssh_bastion_username: (string) -# ssh_ciphers: 
[ 'aes128-gcm@openssh.com', 'chacha20-poly1305@openssh.com', 'aes128-ctr', 'aes192-ctr', 'aes256-ctr', ] - ssh_clear_authorized_keys: '{{ user `ssh_clear_authorized_keys` }}' - ssh_disable_agent_forwarding: '{{ user `ssh_disable_agent_forwarding` }}' - ssh_file_transfer_method: '{{ user `ssh_file_transfer_method` }}' - ssh_handshake_attempts: '{{ user `ssh_handshake_attempts` }}' -# ssh_host: (string) - ssh_keep_alive_interval: '{{ user `ssh_keep_alive_interval` }}' - ssh_password: '{{ user `ssh_password` }}' - ssh_port: '{{ user `ssh_port` }}' -# ssh_private_key_file: (string) -# ssh_proxy_host: (string) -# ssh_proxy_password: (string) -# ssh_proxy_port: '1080' -# ssh_proxy_username: (string) - ssh_pty: '{{ user `ssh_pty` }}' -# ssh_read_write_timeout: (string) - ssh_timeout: '{{ user `ssh_timeout` }}' - ssh_username: '{{ user `ssh_username` }}' -- &provisioner_shell_options - binary: false -# environment_vars: ([]string) - execute_command: echo '{{ user `ssh_password` }}' | {{ .Vars }} sudo -E -S '{{ .Path }}' - expect_disconnect: true - inline_shebang: /bin/sh -e -# remote_file: script_nnn.sh -# remote_folder: /tmp -# remote_path: /tmp/script_nnn.sh - skip_clean: false - start_retry_timeout: '{{ user `start_retry_timeout` }}' - type: shell -# _ _ _ _ -# | |__ _ _(_) | __| | ___ _ __ ___ -# | '_ \| | | | | |/ _` |/ _ \ '__/ __| -# | |_) | |_| | | | (_| | __/ | \__ \ -# |_.__/ \__,_|_|_|\__,_|\___|_| |___/ -builders: -# _ _ _ _ _ -# __ _(_)_ __| |_ _ _ __ _| | |__ _____ __ (_)___ ___ -# \ \ / / | '__| __| | | |/ _` | | '_ \ / _ \ \/ /____| / __|/ _ \ -# \ V /| | | | |_| |_| | (_| | | |_) | (_) > <_____| \__ \ (_) | -# \_/ |_|_| \__|\__,_|\__,_|_|_.__/ \___/_/\_\ |_|___/\___/ -- <<: [*builder_common_options, *communicator_ssh_options] - bundle_iso: '{{ user `bundle_iso` }}' -# export_opts: ([]string) - format: ova -# guest_additions_interface: sata - guest_additions_mode: disable -# guest_additions_path: VBoxGuestAdditions.iso -# guest_additions_sha256: (string) -# 
guest_additions_url: (string) - guest_os_type: '{{ user `guest_os_type` }}' - hard_drive_discard: false - hard_drive_interface: sata - hard_drive_nonrotational: false - iso_interface: sata - keep_registered: '{{ user `keep_registered` }}' - name: vbox - post_shutdown_delay: 0s - sata_port_count: '1' - skip_export: '{{ user `skip_export` }}' - type: virtualbox-iso - vboxmanage: - - - modifyvm - - '{{ .Name }}' - - '--firmware' - - efi - - - modifyvm - - '{{ .Name }}' - - '--rtcuseutc' - - >- - {{ if user `system_clock_in_utc` | eq `true` -}} - on - {{- else -}} - off - {{- end }} -# vboxmanage_post: ([][]string) - virtualbox_version_file: '/tmp/.vbox_version' - vrdp_bind_address: '{{ user `vnc_vrdp_bind_address` }}' - vrdp_port_max: '{{ user `vnc_vrdp_port_max` }}' - vrdp_port_min: '{{ user `vnc_vrdp_port_min` }}' -# __ _ ___ _ __ ___ _ _ -# / _` |/ _ \ '_ ` _ \| | | | -# | (_| | __/ | | | | | |_| | -# \__, |\___|_| |_| |_|\__,_| -# |_| -- <<: [*builder_common_options, *communicator_ssh_options] - accelerator: kvm - disk_cache: writeback - disk_compression: false - disk_discard: ignore - disk_image: false - disk_interface: virtio-scsi - format: raw - iso_skip_cache: false - machine_type: pc - name: qemu - net_device: virtio-net - qemu_binary: '{{ user `qemu_binary` }}' - qemuargs: - - - -bios - - OVMF.fd - skip_compaction: true - type: qemu - use_default_display: false - vnc_bind_address: '{{ user `vnc_vrdp_bind_address` }}' - vnc_port_max: '{{ user `vnc_vrdp_port_max` }}' - vnc_port_min: '{{ user `vnc_vrdp_port_min` }}' -description: '{{ user `description` }}' -min_packer_version: 1.7.2 -# _ -# _ __ ___ ___| |_ _ __ _ __ ___ ___ ___ ___ ___ ___ _ __ ___ -# | '_ \ / _ \/ __| __|____| '_ \| '__/ _ \ / __/ _ \/ __/ __|/ _ \| '__/ __| -# | |_) | (_) \__ \ ||_____| |_) | | | (_) | (_| __/\__ \__ \ (_) | | \__ \ -# | .__/ \___/|___/\__| | .__/|_| \___/ \___\___||___/___/\___/|_| |___/ -# |_| |_| -post-processors: -- compression_level: 6 -# include: ([]string) - 
keep_input_artifact: true - only: - - vbox - - qemu - output: '{{ user `output_directory` }}/{{ user `vm_name` }}-{{ user `version` }}-{{ build_name }}.box' - type: vagrant - vagrantfile_template: '{{ user `vagrantfile_template` }}' -- compression_level: 6 - format: .gz - keep_input_artifact: true - only: - - qemu - output: '{{ user `output_directory` }}/{{ user `vm_name` }}.raw.gz' - type: compress -# - - files: -# - '{{ user `output_directory` }}/{{ user `vm_name` }}*.box' -# keep_input_artifact: true -# only: -# - vbox -# type: artifice -# XXX CHECKSUM -# - inline_shebang: /bin/sh -e -# # environment_vars: ([]string) -# execute_command: chmod +x "{{ .Script }}"; {{ .Vars }} "{{ .Script }}" -# inline: -# - echo '---' > {{ user `output_directory` }}/{{ user `vm_name` }}.yaml -# - 'echo ''name: {{ user `vm_name` }}'' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml' -# - 'echo ''description: {{ user `description` }}'' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml' -# - echo 'versions:' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml -# - 'echo ''- version: {{ user `version` }}'' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml' -# - echo ' providers:' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml -# - 'echo '' - name: XXXPROVIDER'' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml' -# - 'echo '' url: http://myserver/vm/{{ user `vm_name` }}/{{ user `vm_name` }}-{{ user `version` }}-''{{ build_name }}''.box'' -# >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml' -# - 'echo '' checksum_type: sha256'' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml' -# - 'echo '' checksum: deadbeef'' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml' -# - if [ 'vbox' = '{{ build_name }}' ]; then sed -i 's/XXXPROVIDER/virtualbox/' '{{ user `output_directory` }}/{{ user `vm_name` }}.yaml'; fi -# - if [ 'qemu' = '{{ build_name }}' ]; then sed -i 's/XXXPROVIDER/libvirt/' '{{ user 
`output_directory` }}/{{ user `vm_name` }}.yaml'; fi -# only: -# - vbox -# - qemu -# type: shell-local -# _ _ -# _ __ _ __ _____ _(_)___(_) ___ _ __ ___ _ __ ___ -# | '_ \| '__/ _ \ \ / / / __| |/ _ \| '_ \ / _ \ '__/ __| -# | |_) | | | (_) \ V /| \__ \ | (_) | | | | __/ | \__ \ -# | .__/|_| \___/ \_/ |_|___/_|\___/|_| |_|\___|_| |___/ -# |_| -provisioners: -- <<: *provisioner_shell_options - inline: - - echo 'FS0:\EFI\debian\grubx64.efi' > /boot/efi/startup.nsh - only: - - vbox - - qemu -- <<: *provisioner_shell_options - inline: - - 'echo ''{{ user `ssh_username` }} ALL=(ALL) NOPASSWD: ALL'' > /etc/sudoers.d/99{{ user - `ssh_username` }}' - - chmod 0440 /etc/sudoers.d/99{{ user `ssh_username` }} - only: - - vbox - - qemu -- <<: *provisioner_shell_options - inline: - - apt-get update - - apt-get --yes dist-upgrade - - apt-get clean - only: - - vbox - - qemu -- <<: *provisioner_shell_options - inline: - - dd if=/dev/zero of=/ZEROFILL bs=16M || true - - rm /ZEROFILL - - sync - only: - - vbox - - qemu -# _ _ _ -# __ ____ _ _ __(_) __ _| |__ | | ___ ___ -# \ \ / / _` | '__| |/ _` | '_ \| |/ _ \/ __| -# \ V / (_| | | | | (_| | |_) | | __/\__ \ -# \_/ \__,_|_| |_|\__,_|_.__/|_|\___||___/ -variables: - apt_cache_url: http://myserver:3142 - boot_wait: 3s - bundle_iso: 'false' - communicator: ssh - country: CA - cpus: '1' - description: 'Base box (UEFI) for x86_64 Debian Buster 10.x' - disk_size: '7500' - domain: '' - guest_os_type: Debian_64 - headless: 'false' - host_port_max: '4444' - host_port_min: '2222' - http_directory: '.' 
- http_port_max: '9000' - http_port_min: '8000' -# iso_checksum: file:http://cdimage.debian.org/cdimage/release/current/amd64/iso-cd/SHA512SUMS - iso_checksum: sha512:47d35187b4903e803209959434fb8b65ead3ad2a8f007eef1c3d3284f356ab9955aa7e15e24cb7af6a3859aa66837f5fa2e7441f936496ea447904f7dddfdc20 - iso_file: debian-10.9.0-amd64-netinst.iso - iso_path_external: http://cdimage.debian.org/cdimage/release/current/amd64/iso-cd - iso_path_internal: http://myserver:8080/debian - keep_registered: 'false' - keyboard: us - language: en - locale: en_CA.UTF-8 - memory: '768' - min_vagrant_version: 2.2.16 - mirror: ftp.ca.debian.org - output_directory: 'build/{{ isotime "2006-01-02-15-04-05" }}' - packer_cache_dir: '{{ env `PACKER_CACHE_DIR` }}' - preseed_file: template/debian/10_buster/base-uefi.preseed - qemu_binary: qemu-system-x86_64 - shutdown_timeout: 5m - skip_export: 'false' - ssh_agent_auth: 'false' - ssh_clear_authorized_keys: 'false' - ssh_disable_agent_forwarding: 'false' - ssh_file_transfer_method: scp - ssh_fullname: Ghost Writer - ssh_handshake_attempts: '10' - ssh_keep_alive_interval: 5s - ssh_password: 1ma63b0rk3d - ssh_port: '22' - ssh_pty: 'false' - ssh_timeout: 60m - ssh_username: ghost - start_retry_timeout: 5m - system_clock_in_utc: 'true' - timezone: UTC - vagrantfile_template: template/debian/10_buster/vagrant.rb.j2 - version: 0.0.0 - vm_name: base-uefi-buster - vnc_vrdp_bind_address: 127.0.0.1 - vnc_vrdp_port_max: '6000' - vnc_vrdp_port_min: '5900' diff --git a/_tools/packer/templates/debian/10_buster/base.preseed b/_tools/packer/templates/debian/10_buster/base.preseed deleted file mode 100644 index 1d69287..0000000 --- a/_tools/packer/templates/debian/10_buster/base.preseed +++ /dev/null 
@@ -1,69 +0,0 @@ -# Locale Setup -d-i debian-installer/language string {{ language }} -d-i debian-installer/country string {{ country }} -d-i debian-installer/locale string {{ locale }} -# d-i localechooser/supported-locales multiselect en_CA.UTF-8 fr_CA.UTF-8 zh_CN.UTF-8 -# d-i pkgsel/install-language-support boolean true - -# Keyboard Setup -d-i keyboard-configuration/xkb-keymap select {{ keyboard }} - -# Clock Setup -# d-i time/zone string Canada/Eastern -d-i time/zone string {{ timezone }} -d-i clock-setup/utc boolean {{ system_clock_in_utc }} -# set above to false if making a bootable USB to run on same system as Windows - -# Network Setup -d-i netcfg/get_hostname string {{ vm_name }} -d-i netcfg/get_domain string -# https://bugs.launchpad.net/ubuntu/+source/netcfg/+bug/713385 -d-i netcfg/choose_interface select auto -# make sure you also add "interface=auto" to your boot command too -# https://bugs.launchpad.net/ubuntu/+source/netcfg/+bug/713385 - -# User Setup -d-i passwd/user-fullname string {{ ssh_fullname }} -d-i passwd/username string {{ ssh_username }} -d-i passwd/user-password password {{ ssh_password }} -d-i passwd/user-password-again password {{ ssh_password }} -# d-i passwd/user-password-crypted password $6$w5yFawT.$d51yQ513SdzariRCjomBwO9IMtMh6.TjnRwQqTBlOMwGhyyVXlJeYC9kanFp65bpoS1tn9x7r8gLP5Dg4CtEP1 -d-i user-setup/allow-password-weak boolean true -d-i user-setup/encrypt-home boolean false -d-i passwd/root-login boolean false - -# Package Setup -d-i hw-detect/load_firmware boolean false -d-i hw-detect/load_media boolean false -apt-cdrom-setup apt-setup/cdrom/set-first boolean false -d-i mirror/country string manual -d-i mirror/http/hostname string {{ mirror }} -d-i mirror/http/directory string /debian -d-i mirror/http/proxy string -# d-i mirror/http/proxy string {{ apt_cache_url }} -d-i apt-setup/contrib boolean true -d-i apt-setup/non-free boolean true -tasksel tasksel/first multiselect print-server, ssh-server, standard -d-i pkgsel/include 
string sudo, unattended-upgrades -popularity-contest popularity-contest/participate boolean false - -# Drive Setup -d-i grub-installer/only_debian boolean true -d-i grub-installer/with_other_os boolean true -d-i grub-installer/bootdev string default -d-i partman-auto/disk string /dev/sda -d-i partman-lvm/device_remove_lvm boolean true -d-i partman-md/device_remove_md boolean true -d-i partman-partitioning/confirm_write_new_label boolean true -d-i partman/choose_partition select finish -d-i partman/confirm boolean true -d-i partman/confirm_nooverwrite boolean true -d-i partman-auto/method string lvm -d-i partman-auto-lvm/new_vg_name string primary -d-i partman-auto-lvm/guided_size string max -d-i partman-lvm/confirm boolean true -d-i partman-lvm/confirm_nooverwrite boolean true -d-i partman-auto/choose_recipe select atomic - -# Final Setup -d-i finish-install/reboot_in_progress note diff --git a/_tools/packer/templates/debian/10_buster/base.yaml b/_tools/packer/templates/debian/10_buster/base.yaml deleted file mode 100644 index 6c246a8..0000000 --- a/_tools/packer/templates/debian/10_buster/base.yaml +++ /dev/null 
@@ -1,300 +0,0 @@ ---- -# _ -# __ _ _ __ ___| |__ ___ _ __ ___ -# / _` | '_ \ / __| '_ \ / _ \| '__/ __| -# | (_| | | | | (__| | | | (_) | | \__ \ -# \__,_|_| |_|\___|_| |_|\___/|_| |___/ -_anchors: -- &builder_common_options - boot_command: - - '' - - '/install.amd/vmlinuz ' - - 'initrd=/install.amd/initrd.gz ' - - 'auto=true ' - - 'url=http://{{ .HTTPIP }}:{{ .HTTPPort }}/{{ user `preseed_file` }} ' - - 'hostname={{ user `vm_name` }} ' - - 'domain={{ user `domain` }} ' - - 'interface=auto ' - - 'vga=788 noprompt quiet --' - boot_wait: '{{ user `boot_wait` }}' - communicator: '{{ user `communicator` }}' - cpus: '{{ user `cpus` }}' - disk_size: '{{ user `disk_size` }}' -# floppy_dirs: ([]string) -# floppy_files: ([]string) -# floppy_label: (string) - headless: '{{ user `headless` }}' - host_port_max: '{{ user `host_port_max` }}' - host_port_min: '{{ user `host_port_min` }}' -# http_bind_address: 0.0.0.0 - http_directory: '{{ user `http_directory` }}' - http_port_max: '{{ user `http_port_max` }}' - http_port_min: '{{ user `http_port_min` }}' - iso_checksum: '{{ user `iso_checksum` }}' - iso_target_extension: iso - iso_target_path: '{{ user `packer_cache_dir` }}/{{ user `iso_file` }}' -# iso_url: (string) - iso_urls: - - '{{ user `iso_path_internal` }}/{{ user `iso_file` }}' - - '{{ user `iso_path_external` }}/{{ user `iso_file` }}' - memory: '{{ user `memory` }}' - output_directory: '{{ user `output_directory` }}' -# pause_before_connecting: '{{ user `pause_before_connecting` }}' - shutdown_command: echo '{{ user `ssh_password` }}' | sudo -E -S poweroff - shutdown_timeout: '{{ user `shutdown_timeout` }}' - skip_nat_mapping: false - vm_name: '{{ user `vm_name` }}' -- &communicator_ssh_options - ssh_agent_auth: '{{ user `ssh_agent_auth` }}' -# ssh_bastion_agent_auth: false -# ssh_bastion_host: (string) -# ssh_bastion_password: (string) -# ssh_bastion_port: '22' -# ssh_bastion_private_key_file: (string) -# ssh_bastion_username: (string) -# ssh_ciphers: [ 
'aes128-gcm@openssh.com', 'chacha20-poly1305@openssh.com', 'aes128-ctr', 'aes192-ctr', 'aes256-ctr', ] - ssh_clear_authorized_keys: '{{ user `ssh_clear_authorized_keys` }}' - ssh_disable_agent_forwarding: '{{ user `ssh_disable_agent_forwarding` }}' - ssh_file_transfer_method: '{{ user `ssh_file_transfer_method` }}' - ssh_handshake_attempts: '{{ user `ssh_handshake_attempts` }}' -# ssh_host: (string) - ssh_keep_alive_interval: '{{ user `ssh_keep_alive_interval` }}' - ssh_password: '{{ user `ssh_password` }}' - ssh_port: '{{ user `ssh_port` }}' -# ssh_private_key_file: (string) -# ssh_proxy_host: (string) -# ssh_proxy_password: (string) -# ssh_proxy_port: '1080' -# ssh_proxy_username: (string) - ssh_pty: '{{ user `ssh_pty` }}' -# ssh_read_write_timeout: (string) - ssh_timeout: '{{ user `ssh_timeout` }}' - ssh_username: '{{ user `ssh_username` }}' -- &provisioner_shell_options - binary: false -# environment_vars: ([]string) - execute_command: echo '{{ user `ssh_password` }}' | {{ .Vars }} sudo -E -S '{{ .Path }}' - expect_disconnect: true - inline_shebang: /bin/sh -e -# remote_file: script_nnn.sh -# remote_folder: /tmp -# remote_path: /tmp/script_nnn.sh - skip_clean: false - start_retry_timeout: '{{ user `start_retry_timeout` }}' - type: shell -# _ _ _ _ -# | |__ _ _(_) | __| | ___ _ __ ___ -# | '_ \| | | | | |/ _` |/ _ \ '__/ __| -# | |_) | |_| | | | (_| | __/ | \__ \ -# |_.__/ \__,_|_|_|\__,_|\___|_| |___/ -builders: -# _ _ _ _ _ -# __ _(_)_ __| |_ _ _ __ _| | |__ _____ __ (_)___ ___ -# \ \ / / | '__| __| | | |/ _` | | '_ \ / _ \ \/ /____| / __|/ _ \ -# \ V /| | | | |_| |_| | (_| | | |_) | (_) > <_____| \__ \ (_) | -# \_/ |_|_| \__|\__,_|\__,_|_|_.__/ \___/_/\_\ |_|___/\___/ -- <<: [*builder_common_options, *communicator_ssh_options] - bundle_iso: '{{ user `bundle_iso` }}' -# export_opts: ([]string) - format: ova -# guest_additions_interface: sata - guest_additions_mode: disable -# guest_additions_path: VBoxGuestAdditions.iso -# guest_additions_sha256: (string) -# 
guest_additions_url: (string) - guest_os_type: '{{ user `guest_os_type` }}' - hard_drive_discard: false - hard_drive_interface: sata - hard_drive_nonrotational: false - iso_interface: sata - keep_registered: '{{ user `keep_registered` }}' - name: vbox - post_shutdown_delay: 0s - sata_port_count: '1' - skip_export: '{{ user `skip_export` }}' - type: virtualbox-iso - vboxmanage: - - - modifyvm - - '{{ .Name }}' - - '--rtcuseutc' - - >- - {{ if user `system_clock_in_utc` | eq `true` -}} - on - {{- else -}} - off - {{- end }} -# vboxmanage_post: ([][]string) - virtualbox_version_file: '/tmp/.vbox_version' - vrdp_bind_address: '{{ user `vnc_vrdp_bind_address` }}' - vrdp_port_max: '{{ user `vnc_vrdp_port_max` }}' - vrdp_port_min: '{{ user `vnc_vrdp_port_min` }}' -# __ _ ___ _ __ ___ _ _ -# / _` |/ _ \ '_ ` _ \| | | | -# | (_| | __/ | | | | | |_| | -# \__, |\___|_| |_| |_|\__,_| -# |_| -- <<: [*builder_common_options, *communicator_ssh_options] - accelerator: kvm - disk_cache: writeback - disk_compression: false - disk_discard: ignore - disk_image: false - disk_interface: virtio-scsi - format: raw - iso_skip_cache: false - machine_type: pc - name: qemu - net_device: virtio-net - qemu_binary: '{{ user `qemu_binary` }}' -# qemuargs: ([][]string) - skip_compaction: true - type: qemu - use_default_display: false - vnc_bind_address: '{{ user `vnc_vrdp_bind_address` }}' - vnc_port_max: '{{ user `vnc_vrdp_port_max` }}' - vnc_port_min: '{{ user `vnc_vrdp_port_min` }}' -description: '{{ user `description` }}' -min_packer_version: 1.7.2 -# _ -# _ __ ___ ___| |_ _ __ _ __ ___ ___ ___ ___ ___ ___ _ __ ___ -# | '_ \ / _ \/ __| __|____| '_ \| '__/ _ \ / __/ _ \/ __/ __|/ _ \| '__/ __| -# | |_) | (_) \__ \ ||_____| |_) | | | (_) | (_| __/\__ \__ \ (_) | | \__ \ -# | .__/ \___/|___/\__| | .__/|_| \___/ \___\___||___/___/\___/|_| |___/ -# |_| |_| -post-processors: -- compression_level: 6 -# include: ([]string) - keep_input_artifact: true - only: - - vbox - - qemu - output: '{{ user 
`output_directory` }}/{{ user `vm_name` }}-{{ user `version` }}-{{ build_name }}.box' - type: vagrant - vagrantfile_template: '{{ user `vagrantfile_template` }}' -- compression_level: 6 - format: .gz - keep_input_artifact: true - only: - - qemu - output: '{{ user `output_directory` }}/{{ user `vm_name` }}.raw.gz' - type: compress -# - - files: -# - '{{ user `output_directory` }}/{{ user `vm_name` }}*.box' -# keep_input_artifact: true -# only: -# - vbox -# type: artifice -# XXX CHECKSUM -# - inline_shebang: /bin/sh -e -# # environment_vars: ([]string) -# execute_command: chmod +x "{{ .Script }}"; {{ .Vars }} "{{ .Script }}" -# inline: -# - echo '---' > {{ user `output_directory` }}/{{ user `vm_name` }}.yaml -# - 'echo ''name: {{ user `vm_name` }}'' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml' -# - 'echo ''description: {{ user `description` }}'' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml' -# - echo 'versions:' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml -# - 'echo ''- version: {{ user `version` }}'' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml' -# - echo ' providers:' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml -# - 'echo '' - name: XXXPROVIDER'' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml' -# - 'echo '' url: http://myserver/vm/{{ user `vm_name` }}/{{ user `vm_name` }}-{{ user `version` }}-''{{ build_name }}''.box'' -# >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml' -# - 'echo '' checksum_type: sha256'' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml' -# - 'echo '' checksum: deadbeef'' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml' -# - if [ 'vbox' = '{{ build_name }}' ]; then sed -i 's/XXXPROVIDER/virtualbox/' '{{ user `output_directory` }}/{{ user `vm_name` }}.yaml'; fi -# - if [ 'qemu' = '{{ build_name }}' ]; then sed -i 's/XXXPROVIDER/libvirt/' '{{ user `output_directory` }}/{{ user `vm_name` }}.yaml'; fi -# only: -# - vbox -# - qemu -# 
type: shell-local -# _ _ -# _ __ _ __ _____ _(_)___(_) ___ _ __ ___ _ __ ___ -# | '_ \| '__/ _ \ \ / / / __| |/ _ \| '_ \ / _ \ '__/ __| -# | |_) | | | (_) \ V /| \__ \ | (_) | | | | __/ | \__ \ -# | .__/|_| \___/ \_/ |_|___/_|\___/|_| |_|\___|_| |___/ -# |_| -provisioners: -- <<: *provisioner_shell_options - inline: - - 'echo ''{{ user `ssh_username` }} ALL=(ALL) NOPASSWD: ALL'' > /etc/sudoers.d/99{{ user - `ssh_username` }}' - - chmod 0440 /etc/sudoers.d/99{{ user `ssh_username` }} - only: - - vbox - - qemu -- <<: *provisioner_shell_options - inline: - - apt-get update - - apt-get --yes dist-upgrade - - apt-get clean - only: - - vbox - - qemu -- <<: *provisioner_shell_options - inline: - - dd if=/dev/zero of=/ZEROFILL bs=16M || true - - rm /ZEROFILL - - sync - only: - - vbox - - qemu -# _ _ _ -# __ ____ _ _ __(_) __ _| |__ | | ___ ___ -# \ \ / / _` | '__| |/ _` | '_ \| |/ _ \/ __| -# \ V / (_| | | | | (_| | |_) | | __/\__ \ -# \_/ \__,_|_| |_|\__,_|_.__/|_|\___||___/ -variables: - apt_cache_url: http://myserver:3142 - boot_wait: 3s - bundle_iso: 'false' - communicator: ssh - country: CA - cpus: '1' - description: 'Base box for x86_64 Debian Buster 10.x' - disk_size: '7500' - domain: '' - guest_os_type: Debian_64 - headless: 'false' - host_port_max: '4444' - host_port_min: '2222' - http_directory: '.' 
- http_port_max: '9000' - http_port_min: '8000' -# iso_checksum: file:http://cdimage.debian.org/cdimage/release/current/amd64/iso-cd/SHA512SUMS - iso_checksum: sha512:47d35187b4903e803209959434fb8b65ead3ad2a8f007eef1c3d3284f356ab9955aa7e15e24cb7af6a3859aa66837f5fa2e7441f936496ea447904f7dddfdc20 - iso_file: debian-10.9.0-amd64-netinst.iso - iso_path_external: http://cdimage.debian.org/cdimage/release/current/amd64/iso-cd - iso_path_internal: http://myserver:8080/debian - keep_registered: 'false' - keyboard: us - language: en - locale: en_CA.UTF-8 - memory: '768' - min_vagrant_version: 2.2.16 - mirror: ftp.ca.debian.org - output_directory: 'build/{{ isotime "2006-01-02-15-04-05" }}' - packer_cache_dir: '{{ env `PACKER_CACHE_DIR` }}' - preseed_file: template/debian/10_buster/base.preseed - qemu_binary: qemu-system-x86_64 - shutdown_timeout: 5m - skip_export: 'false' - ssh_agent_auth: 'false' - ssh_clear_authorized_keys: 'false' - ssh_disable_agent_forwarding: 'false' - ssh_file_transfer_method: scp - ssh_fullname: Ghost Writer - ssh_handshake_attempts: '10' - ssh_keep_alive_interval: 5s - ssh_password: 1ma63b0rk3d - ssh_port: '22' - ssh_pty: 'false' - ssh_timeout: 60m - ssh_username: ghost - start_retry_timeout: 5m - system_clock_in_utc: 'true' - timezone: UTC - vagrantfile_template: template/debian/10_buster/vagrant.rb.j2 - version: 0.0.0 - vm_name: base-buster - vnc_vrdp_bind_address: 127.0.0.1 - vnc_vrdp_port_max: '6000' - vnc_vrdp_port_min: '5900' diff --git a/_tools/packer/templates/debian/10_buster/vagrant.rb.j2 b/_tools/packer/templates/debian/10_buster/vagrant.rb.j2 deleted file mode 100644 index 1de7127..0000000 --- a/_tools/packer/templates/debian/10_buster/vagrant.rb.j2 +++ /dev/null @@ -1,7 +0,0 @@ -Vagrant.require_version '>= {{ min_vagrant_version }}' - -Vagrant.configure('2') do |config| - config.ssh.username = '{{ ssh_username }}' - config.ssh.password = '{{ ssh_password }}' - config.vm.communicator = '{{ communicator }}' -end 
diff --git a/_tools/packer/templates/debian/11_bullseye/base-crypt-uefi.preseed b/_tools/packer/templates/debian/11_bullseye/base-crypt-uefi.preseed deleted file mode 100644 index 13bfdb0..0000000 --- a/_tools/packer/templates/debian/11_bullseye/base-crypt-uefi.preseed +++ /dev/null 
@@ -1,101 +0,0 @@ -# Locale Setup -d-i debian-installer/language string {{ language }} -d-i debian-installer/country string {{ country }} -d-i debian-installer/locale string {{ locale }} -# d-i localechooser/supported-locales multiselect en_CA.UTF-8 fr_CA.UTF-8 zh_CN.UTF-8 -# d-i pkgsel/install-language-support boolean true - -# Keyboard Setup -d-i keyboard-configuration/xkb-keymap select {{ keyboard }} - -# Clock Setup -# d-i time/zone string Canada/Eastern -d-i time/zone string {{ timezone }} -d-i clock-setup/utc boolean {{ system_clock_in_utc }} -# set above to false if making a bootable USB to run on same system as Windows - -# Network Setup -d-i netcfg/get_hostname string {{ vm_name }} -d-i netcfg/get_domain string -# https://bugs.launchpad.net/ubuntu/+source/netcfg/+bug/713385 -d-i netcfg/choose_interface select auto -# make sure you also add "interface=auto" to your boot command too -# https://bugs.launchpad.net/ubuntu/+source/netcfg/+bug/713385 - -# User Setup -d-i passwd/user-fullname string {{ ssh_fullname }} -d-i passwd/username string {{ ssh_username }} -d-i passwd/user-password password {{ ssh_password }} -d-i passwd/user-password-again password {{ ssh_password }} -# d-i passwd/user-password-crypted password $6$w5yFawT.$d51yQ513SdzariRCjomBwO9IMtMh6.TjnRwQqTBlOMwGhyyVXlJeYC9kanFp65bpoS1tn9x7r8gLP5Dg4CtEP1 -d-i user-setup/allow-password-weak boolean true -d-i user-setup/encrypt-home boolean false -d-i passwd/root-login boolean false - -# Package Setup -d-i hw-detect/load_firmware boolean false -d-i hw-detect/load_media boolean false -apt-cdrom-setup apt-setup/cdrom/set-first boolean false -d-i mirror/country string manual -d-i mirror/http/hostname string {{ mirror }} -d-i mirror/http/directory string /debian -d-i mirror/http/proxy string -# d-i mirror/http/proxy string {{ apt_cache_url }} -d-i apt-setup/contrib boolean true -d-i apt-setup/non-free boolean true -tasksel tasksel/first multiselect print-server, ssh-server, standard -d-i pkgsel/include 
string sudo, unattended-upgrades -popularity-contest popularity-contest/participate boolean false - -# Drive Setup -d-i grub-installer/only_debian boolean true -d-i grub-installer/with_other_os boolean true -d-i grub-installer/bootdev string default -d-i partman-auto/disk string /dev/sda -d-i partman-lvm/device_remove_lvm boolean true -d-i partman-md/device_remove_md boolean true -d-i partman-partitioning/confirm_write_new_label boolean true -d-i partman/choose_partition select finish -d-i partman/confirm boolean true -d-i partman/confirm_nooverwrite boolean true -# http://ptomusk.blogspot.ca/2012/09/ubuntu-preseedcfg-with-encrypted-lvm.html -# http://serverfault.com/questions/674137/preeseding-a-debian-stable-install-with-a-complex-partitioning-scheme-missing -# http://anonscm.debian.org/gitweb/?p=d-i/debian-installer.git;a=blob_plain;f=doc/devel/partman-auto-recipe.txt;hb=HEAD -# http://www.bishnet.net/tim/blog/2015/01/29/understanding-partman-autoexpert_recipe/ -# http://askubuntu.com/questions/361348/efi-and-working-lvm-partman-auto-expert-recipe -# http://superuser.com/questions/520068/efi-partition-vs-boot-partition -d-i partman-auto/method string crypto -d-i partman-crypto/passphrase password 1ma63b0rk3d -d-i partman-crypto/passphrase-again password 1ma63b0rk3d -d-i partman-crypto/weak_passphrase boolean true -# https://bugs.kali.org/view.php?id=1140 -d-i partman-crypto/erase_data boolean false -# https://bugs.kali.org/view.php?id=1140 -d-i partman/default_filesystem string ext4 -d-i partman-auto-lvm/new_vg_name string primary -d-i partman-auto-lvm/guided_size string max -d-i partman-lvm/confirm boolean true -d-i partman-lvm/confirm_nooverwrite boolean true -d-i partman-efi/non_efi_system boolean true -d-i partman-auto/choose_recipe select fling-the-bling -d-i partman-auto/expert_recipe string fling-the-bling :: \ - 1 1 1 free \ - $bios_boot{ } method{ biosgrub } \ - . \ - 256 256 256 fat32 \ - $primary{ } $lvmignore{ } \ - method{ efi } format{ } \ - . 
\ - 100% 200% 200% linux-swap \ - $lvmok{ } lv_name{ swap } in_vg{ primary } \ - method{ swap } format{ } \ - . \ - 10000 10000 -1 ext4 \ - $lvmok{ } lv_name{ root } in_vg{ primary } \ - method{ format } format{ } use_filesystem{ } filesystem{ ext4 } \ - mountpoint{ / } \ - . \ -. - -# Final Setup -d-i finish-install/reboot_in_progress note diff --git a/_tools/packer/templates/debian/11_bullseye/base-crypt-uefi.yaml b/_tools/packer/templates/debian/11_bullseye/base-crypt-uefi.yaml deleted file mode 100644 index 2e34244..0000000 --- a/_tools/packer/templates/debian/11_bullseye/base-crypt-uefi.yaml +++ /dev/null 
@@ -1,313 +0,0 @@ ---- -# _ -# __ _ _ __ ___| |__ ___ _ __ ___ -# / _` | '_ \ / __| '_ \ / _ \| '__/ __| -# | (_| | | | | (__| | | | (_) | | \__ \ -# \__,_|_| |_|\___|_| |_|\___/|_| |___/ -_anchors: -- &builder_common_options - boot_command: - - 'c' - - 'linux /install.amd/vmlinuz ' - - 'auto=true ' - - 'url=http://{{ .HTTPIP }}:{{ .HTTPPort }}/{{ user `preseed_file` }} ' - - 'hostname={{ user `vm_name` }} ' - - 'domain={{ user `domain` }} ' - - 'interface=auto ' - - 'vga=788 noprompt quiet --' - - 'initrd /install.amd/initrd.gz' - - 'boot' - boot_wait: '{{ user `boot_wait` }}' - communicator: '{{ user `communicator` }}' - cpus: '{{ user `cpus` }}' - disk_size: '{{ user `disk_size` }}' -# floppy_dirs: ([]string) -# floppy_files: ([]string) -# floppy_label: (string) - headless: '{{ user `headless` }}' - host_port_max: '{{ user `host_port_max` }}' - host_port_min: '{{ user `host_port_min` }}' -# http_bind_address: 0.0.0.0 - http_directory: '{{ user `http_directory` }}' - http_port_max: '{{ user `http_port_max` }}' - http_port_min: '{{ user `http_port_min` }}' - iso_checksum: '{{ user `iso_checksum` }}' - iso_target_extension: iso - iso_target_path: '{{ user `packer_cache_dir` }}/{{ user `iso_file` }}' -# iso_url: (string) - iso_urls: - - '{{ user `iso_path_internal` }}/{{ user `iso_file` }}' - - '{{ user `iso_path_external` }}/{{ user `iso_file` }}' - memory: '{{ user `memory` }}' - output_directory: '{{ user `output_directory` }}' -# pause_before_connecting: '{{ user `pause_before_connecting` }}' - shutdown_command: echo '{{ user `ssh_password` }}' | sudo -E -S poweroff - shutdown_timeout: '{{ user `shutdown_timeout` }}' - skip_nat_mapping: false - vm_name: '{{ user `vm_name` }}' -- &communicator_ssh_options - ssh_agent_auth: '{{ user `ssh_agent_auth` }}' -# ssh_bastion_agent_auth: false -# ssh_bastion_host: (string) -# ssh_bastion_password: (string) -# ssh_bastion_port: '22' -# ssh_bastion_private_key_file: (string) -# ssh_bastion_username: (string) -# ssh_ciphers: 
[ 'aes128-gcm@openssh.com', 'chacha20-poly1305@openssh.com', 'aes128-ctr', 'aes192-ctr', 'aes256-ctr', ] - ssh_clear_authorized_keys: '{{ user `ssh_clear_authorized_keys` }}' - ssh_disable_agent_forwarding: '{{ user `ssh_disable_agent_forwarding` }}' - ssh_file_transfer_method: '{{ user `ssh_file_transfer_method` }}' - ssh_handshake_attempts: '{{ user `ssh_handshake_attempts` }}' -# ssh_host: (string) - ssh_keep_alive_interval: '{{ user `ssh_keep_alive_interval` }}' - ssh_password: '{{ user `ssh_password` }}' - ssh_port: '{{ user `ssh_port` }}' -# ssh_private_key_file: (string) -# ssh_proxy_host: (string) -# ssh_proxy_password: (string) -# ssh_proxy_port: '1080' -# ssh_proxy_username: (string) - ssh_pty: '{{ user `ssh_pty` }}' -# ssh_read_write_timeout: (string) - ssh_timeout: '{{ user `ssh_timeout` }}' - ssh_username: '{{ user `ssh_username` }}' -- &provisioner_shell_options - binary: false -# environment_vars: ([]string) - execute_command: echo '{{ user `ssh_password` }}' | {{ .Vars }} sudo -E -S '{{ .Path }}' - expect_disconnect: true - inline_shebang: /bin/sh -e -# remote_file: script_nnn.sh -# remote_folder: /tmp -# remote_path: /tmp/script_nnn.sh - skip_clean: false - start_retry_timeout: '{{ user `start_retry_timeout` }}' - type: shell -# _ _ _ _ -# | |__ _ _(_) | __| | ___ _ __ ___ -# | '_ \| | | | | |/ _` |/ _ \ '__/ __| -# | |_) | |_| | | | (_| | __/ | \__ \ -# |_.__/ \__,_|_|_|\__,_|\___|_| |___/ -builders: -# _ _ _ _ _ -# __ _(_)_ __| |_ _ _ __ _| | |__ _____ __ (_)___ ___ -# \ \ / / | '__| __| | | |/ _` | | '_ \ / _ \ \/ /____| / __|/ _ \ -# \ V /| | | | |_| |_| | (_| | | |_) | (_) > <_____| \__ \ (_) | -# \_/ |_|_| \__|\__,_|\__,_|_|_.__/ \___/_/\_\ |_|___/\___/ -- <<: [*builder_common_options, *communicator_ssh_options] - bundle_iso: '{{ user `bundle_iso` }}' -# export_opts: ([]string) - format: ova -# guest_additions_interface: sata - guest_additions_mode: disable -# guest_additions_path: VBoxGuestAdditions.iso -# guest_additions_sha256: (string) -# 
guest_additions_url: (string) - guest_os_type: '{{ user `guest_os_type` }}' - hard_drive_discard: false - hard_drive_interface: sata - hard_drive_nonrotational: false - iso_interface: sata - keep_registered: '{{ user `keep_registered` }}' - name: vbox - post_shutdown_delay: 0s - sata_port_count: '1' - skip_export: '{{ user `skip_export` }}' - type: virtualbox-iso - vboxmanage: - - - modifyvm - - '{{ .Name }}' - - '--firmware' - - efi - - - modifyvm - - '{{ .Name }}' - - '--rtcuseutc' - - >- - {{ if user `system_clock_in_utc` | eq `true` -}} - on - {{- else -}} - off - {{- end }} -# vboxmanage_post: ([][]string) - virtualbox_version_file: '/tmp/.vbox_version' - vrdp_bind_address: '{{ user `vnc_vrdp_bind_address` }}' - vrdp_port_max: '{{ user `vnc_vrdp_port_max` }}' - vrdp_port_min: '{{ user `vnc_vrdp_port_min` }}' -# __ _ ___ _ __ ___ _ _ -# / _` |/ _ \ '_ ` _ \| | | | -# | (_| | __/ | | | | | |_| | -# \__, |\___|_| |_| |_|\__,_| -# |_| -- <<: [*builder_common_options, *communicator_ssh_options] - accelerator: kvm - disk_cache: writeback - disk_compression: false - disk_discard: ignore - disk_image: false - disk_interface: virtio-scsi - format: raw - iso_skip_cache: false - machine_type: pc - name: qemu - net_device: virtio-net - qemu_binary: '{{ user `qemu_binary` }}' - qemuargs: - - - -bios - - OVMF.fd - skip_compaction: true - type: qemu - use_default_display: false - vnc_bind_address: '{{ user `vnc_vrdp_bind_address` }}' - vnc_port_max: '{{ user `vnc_vrdp_port_max` }}' - vnc_port_min: '{{ user `vnc_vrdp_port_min` }}' -description: '{{ user `description` }}' -min_packer_version: 1.7.2 -# _ -# _ __ ___ ___| |_ _ __ _ __ ___ ___ ___ ___ ___ ___ _ __ ___ -# | '_ \ / _ \/ __| __|____| '_ \| '__/ _ \ / __/ _ \/ __/ __|/ _ \| '__/ __| -# | |_) | (_) \__ \ ||_____| |_) | | | (_) | (_| __/\__ \__ \ (_) | | \__ \ -# | .__/ \___/|___/\__| | .__/|_| \___/ \___\___||___/___/\___/|_| |___/ -# |_| |_| -post-processors: -- compression_level: 6 -# include: ([]string) - 
keep_input_artifact: true - only: - - vbox - - qemu - output: '{{ user `output_directory` }}/{{ user `vm_name` }}-{{ user `version` }}-{{ build_name }}.box' - type: vagrant - vagrantfile_template: '{{ user `vagrantfile_template` }}' -- compression_level: 6 - format: .gz - keep_input_artifact: true - only: - - qemu - output: '{{ user `output_directory` }}/{{ user `vm_name` }}.raw.gz' - type: compress -# - - files: -# - '{{ user `output_directory` }}/{{ user `vm_name` }}*.box' -# keep_input_artifact: true -# only: -# - vbox -# type: artifice -# XXX CHECKSUM -# - inline_shebang: /bin/sh -e -# # environment_vars: ([]string) -# execute_command: chmod +x "{{ .Script }}"; {{ .Vars }} "{{ .Script }}" -# inline: -# - echo '---' > {{ user `output_directory` }}/{{ user `vm_name` }}.yaml -# - 'echo ''name: {{ user `vm_name` }}'' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml' -# - 'echo ''description: {{ user `description` }}'' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml' -# - echo 'versions:' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml -# - 'echo ''- version: {{ user `version` }}'' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml' -# - echo ' providers:' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml -# - 'echo '' - name: XXXPROVIDER'' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml' -# - 'echo '' url: http://myserver/vm/{{ user `vm_name` }}/{{ user `vm_name` }}-{{ user `version` }}-''{{ build_name }}''.box'' -# >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml' -# - 'echo '' checksum_type: sha256'' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml' -# - 'echo '' checksum: deadbeef'' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml' -# - if [ 'vbox' = '{{ build_name }}' ]; then sed -i 's/XXXPROVIDER/virtualbox/' '{{ user `output_directory` }}/{{ user `vm_name` }}.yaml'; fi -# - if [ 'qemu' = '{{ build_name }}' ]; then sed -i 's/XXXPROVIDER/libvirt/' '{{ user 
`output_directory` }}/{{ user `vm_name` }}.yaml'; fi -# only: -# - vbox -# - qemu -# type: shell-local -# _ _ -# _ __ _ __ _____ _(_)___(_) ___ _ __ ___ _ __ ___ -# | '_ \| '__/ _ \ \ / / / __| |/ _ \| '_ \ / _ \ '__/ __| -# | |_) | | | (_) \ V /| \__ \ | (_) | | | | __/ | \__ \ -# | .__/|_| \___/ \_/ |_|___/_|\___/|_| |_|\___|_| |___/ -# |_| -provisioners: -- <<: *provisioner_shell_options - inline: - - echo 'FS0:\EFI\debian\grubx64.efi' > /boot/efi/startup.nsh - only: - - vbox - - qemu -- <<: *provisioner_shell_options - inline: - - 'echo ''{{ user `ssh_username` }} ALL=(ALL) NOPASSWD: ALL'' > /etc/sudoers.d/99{{ user - `ssh_username` }}' - - chmod 0440 /etc/sudoers.d/99{{ user `ssh_username` }} - only: - - vbox - - qemu -- <<: *provisioner_shell_options - inline: - - apt-get update - - apt-get --yes dist-upgrade - - apt-get clean - only: - - vbox - - qemu -- <<: *provisioner_shell_options - inline: - - dd if=/dev/zero of=/ZEROFILL bs=16M || true - - rm /ZEROFILL - - sync - only: - - vbox - - qemu -# _ _ _ -# __ ____ _ _ __(_) __ _| |__ | | ___ ___ -# \ \ / / _` | '__| |/ _` | '_ \| |/ _ \/ __| -# \ V / (_| | | | | (_| | |_) | | __/\__ \ -# \_/ \__,_|_| |_|\__,_|_.__/|_|\___||___/ -variables: - apt_cache_url: http://myserver:3142 - boot_wait: 3s - bundle_iso: 'false' - communicator: ssh - country: CA - cpus: '1' - description: 'Base box (encrypted UEFI) for x86_64 Debian Bullseye 11.x' - disk_size: '7500' - domain: '' - guest_os_type: Debian_64 - headless: 'false' - host_port_max: '4444' - host_port_min: '2222' - http_directory: '.' 
- http_port_max: '9000' - http_port_min: '8000' - iso_checksum: file:http://cdimage.debian.org/cdimage/weekly-builds/amd64/iso-cd/SHA512SUMS -# iso_checksum: sha512:deadbeef - iso_file: debian-testing-amd64-netinst.iso - iso_path_external: http://cdimage.debian.org/cdimage/weekly-builds/amd64/iso-cd - iso_path_internal: http://myserver:8080/debian - keep_registered: 'false' - keyboard: us - language: en - locale: en_CA.UTF-8 - memory: '1024' - min_vagrant_version: 2.2.16 - mirror: ftp.ca.debian.org - output_directory: 'build/{{ isotime "2006-01-02-15-04-05" }}' - packer_cache_dir: '{{ env `PACKER_CACHE_DIR` }}' - preseed_file: template/debian/11_bullseye/base-crypt-uefi.preseed - qemu_binary: qemu-system-x86_64 - shutdown_timeout: 5m - skip_export: 'false' - ssh_agent_auth: 'false' - ssh_clear_authorized_keys: 'false' - ssh_disable_agent_forwarding: 'false' - ssh_file_transfer_method: scp - ssh_fullname: Ghost Writer - ssh_handshake_attempts: '10' - ssh_keep_alive_interval: 5s - ssh_password: 1ma63b0rk3d - ssh_port: '22' - ssh_pty: 'false' - ssh_timeout: 60m - ssh_username: ghost - start_retry_timeout: 5m - system_clock_in_utc: 'true' - timezone: UTC - vagrantfile_template: template/debian/11_bullseye/vagrant.rb.j2 - version: 0.0.0 - vm_name: base-crypt-uefi-bullseye - vnc_vrdp_bind_address: 127.0.0.1 - vnc_vrdp_port_max: '6000' - vnc_vrdp_port_min: '5900' diff --git a/_tools/packer/templates/debian/11_bullseye/base-crypt.preseed b/_tools/packer/templates/debian/11_bullseye/base-crypt.preseed deleted file mode 100644 index 19d108f..0000000 --- a/_tools/packer/templates/debian/11_bullseye/base-crypt.preseed +++ /dev/null 
@@ -1,78 +0,0 @@ -# Locale Setup -d-i debian-installer/language string {{ language }} -d-i debian-installer/country string {{ country }} -d-i debian-installer/locale string {{ locale }} -# d-i localechooser/supported-locales multiselect en_CA.UTF-8 fr_CA.UTF-8 zh_CN.UTF-8 -# d-i pkgsel/install-language-support boolean true - -# Keyboard Setup -d-i keyboard-configuration/xkb-keymap select {{ keyboard }} - -# Clock Setup -# d-i time/zone string Canada/Eastern -d-i time/zone string {{ timezone }} -d-i clock-setup/utc boolean {{ system_clock_in_utc }} -# set above to false if making a bootable USB to run on same system as Windows - -# Network Setup -d-i netcfg/get_hostname string {{ vm_name }} -d-i netcfg/get_domain string -# https://bugs.launchpad.net/ubuntu/+source/netcfg/+bug/713385 -d-i netcfg/choose_interface select auto -# make sure you also add "interface=auto" to your boot command too -# https://bugs.launchpad.net/ubuntu/+source/netcfg/+bug/713385 - -# User Setup -d-i passwd/user-fullname string {{ ssh_fullname }} -d-i passwd/username string {{ ssh_username }} -d-i passwd/user-password password {{ ssh_password }} -d-i passwd/user-password-again password {{ ssh_password }} -# d-i passwd/user-password-crypted password $6$w5yFawT.$d51yQ513SdzariRCjomBwO9IMtMh6.TjnRwQqTBlOMwGhyyVXlJeYC9kanFp65bpoS1tn9x7r8gLP5Dg4CtEP1 -d-i user-setup/allow-password-weak boolean true -d-i user-setup/encrypt-home boolean false -d-i passwd/root-login boolean false - -# Package Setup -d-i hw-detect/load_firmware boolean false -d-i hw-detect/load_media boolean false -apt-cdrom-setup apt-setup/cdrom/set-first boolean false -d-i mirror/country string manual -d-i mirror/http/hostname string {{ mirror }} -d-i mirror/http/directory string /debian -d-i mirror/http/proxy string -# d-i mirror/http/proxy string {{ apt_cache_url }} -d-i apt-setup/contrib boolean true -d-i apt-setup/non-free boolean true -tasksel tasksel/first multiselect print-server, ssh-server, standard -d-i pkgsel/include 
string sudo, unattended-upgrades -popularity-contest popularity-contest/participate boolean false - -# Drive Setup -d-i grub-installer/only_debian boolean true -d-i grub-installer/with_other_os boolean true -d-i grub-installer/bootdev string default -d-i partman-auto/disk string /dev/sda -d-i partman-lvm/device_remove_lvm boolean true -d-i partman-md/device_remove_md boolean true -d-i partman-partitioning/confirm_write_new_label boolean true -d-i partman/choose_partition select finish -d-i partman/confirm boolean true -d-i partman/confirm_nooverwrite boolean true -d-i partman-auto/method string crypto -# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=656710 -d-i partman-crypto/passphrase password 1ma63b0rk3d -d-i partman-crypto/passphrase-again password 1ma63b0rk3d -d-i partman-crypto/weak_passphrase boolean true -# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=656710 -# https://bugs.kali.org/view.php?id=1140 -d-i partman-crypto/erase_data boolean false -# https://bugs.kali.org/view.php?id=1140 -d-i partman/default_filesystem string ext4 -d-i partman-auto-lvm/new_vg_name string primary -d-i partman-auto-lvm/guided_size string max -d-i partman-lvm/confirm boolean true -d-i partman-lvm/confirm_nooverwrite boolean true -d-i partman-auto/choose_recipe select atomic - -# Final Setup -d-i finish-install/reboot_in_progress note diff --git a/_tools/packer/templates/debian/11_bullseye/base-crypt.yaml b/_tools/packer/templates/debian/11_bullseye/base-crypt.yaml deleted file mode 100644 index ba33e19..0000000 --- a/_tools/packer/templates/debian/11_bullseye/base-crypt.yaml +++ /dev/null 
@@ -1,300 +0,0 @@ ---- -# _ -# __ _ _ __ ___| |__ ___ _ __ ___ -# / _` | '_ \ / __| '_ \ / _ \| '__/ __| -# | (_| | | | | (__| | | | (_) | | \__ \ -# \__,_|_| |_|\___|_| |_|\___/|_| |___/ -_anchors: -- &builder_common_options - boot_command: - - '' - - '/install.amd/vmlinuz ' - - 'initrd=/install.amd/initrd.gz ' - - 'auto=true ' - - 'url=http://{{ .HTTPIP }}:{{ .HTTPPort }}/{{ user `preseed_file` }} ' - - 'hostname={{ user `vm_name` }} ' - - 'domain={{ user `domain` }} ' - - 'interface=auto ' - - 'vga=788 noprompt quiet --' - boot_wait: '{{ user `boot_wait` }}' - communicator: '{{ user `communicator` }}' - cpus: '{{ user `cpus` }}' - disk_size: '{{ user `disk_size` }}' -# floppy_dirs: ([]string) -# floppy_files: ([]string) -# floppy_label: (string) - headless: '{{ user `headless` }}' - host_port_max: '{{ user `host_port_max` }}' - host_port_min: '{{ user `host_port_min` }}' -# http_bind_address: 0.0.0.0 - http_directory: '{{ user `http_directory` }}' - http_port_max: '{{ user `http_port_max` }}' - http_port_min: '{{ user `http_port_min` }}' - iso_checksum: '{{ user `iso_checksum` }}' - iso_target_extension: iso - iso_target_path: '{{ user `packer_cache_dir` }}/{{ user `iso_file` }}' -# iso_url: (string) - iso_urls: - - '{{ user `iso_path_internal` }}/{{ user `iso_file` }}' - - '{{ user `iso_path_external` }}/{{ user `iso_file` }}' - memory: '{{ user `memory` }}' - output_directory: '{{ user `output_directory` }}' -# pause_before_connecting: '{{ user `pause_before_connecting` }}' - shutdown_command: echo '{{ user `ssh_password` }}' | sudo -E -S poweroff - shutdown_timeout: '{{ user `shutdown_timeout` }}' - skip_nat_mapping: false - vm_name: '{{ user `vm_name` }}' -- &communicator_ssh_options - ssh_agent_auth: '{{ user `ssh_agent_auth` }}' -# ssh_bastion_agent_auth: false -# ssh_bastion_host: (string) -# ssh_bastion_password: (string) -# ssh_bastion_port: '22' -# ssh_bastion_private_key_file: (string) -# ssh_bastion_username: (string) -# ssh_ciphers: [ 
'aes128-gcm@openssh.com', 'chacha20-poly1305@openssh.com', 'aes128-ctr', 'aes192-ctr', 'aes256-ctr', ] - ssh_clear_authorized_keys: '{{ user `ssh_clear_authorized_keys` }}' - ssh_disable_agent_forwarding: '{{ user `ssh_disable_agent_forwarding` }}' - ssh_file_transfer_method: '{{ user `ssh_file_transfer_method` }}' - ssh_handshake_attempts: '{{ user `ssh_handshake_attempts` }}' -# ssh_host: (string) - ssh_keep_alive_interval: '{{ user `ssh_keep_alive_interval` }}' - ssh_password: '{{ user `ssh_password` }}' - ssh_port: '{{ user `ssh_port` }}' -# ssh_private_key_file: (string) -# ssh_proxy_host: (string) -# ssh_proxy_password: (string) -# ssh_proxy_port: '1080' -# ssh_proxy_username: (string) - ssh_pty: '{{ user `ssh_pty` }}' -# ssh_read_write_timeout: (string) - ssh_timeout: '{{ user `ssh_timeout` }}' - ssh_username: '{{ user `ssh_username` }}' -- &provisioner_shell_options - binary: false -# environment_vars: ([]string) - execute_command: echo '{{ user `ssh_password` }}' | {{ .Vars }} sudo -E -S '{{ .Path }}' - expect_disconnect: true - inline_shebang: /bin/sh -e -# remote_file: script_nnn.sh -# remote_folder: /tmp -# remote_path: /tmp/script_nnn.sh - skip_clean: false - start_retry_timeout: '{{ user `start_retry_timeout` }}' - type: shell -# _ _ _ _ -# | |__ _ _(_) | __| | ___ _ __ ___ -# | '_ \| | | | | |/ _` |/ _ \ '__/ __| -# | |_) | |_| | | | (_| | __/ | \__ \ -# |_.__/ \__,_|_|_|\__,_|\___|_| |___/ -builders: -# _ _ _ _ _ -# __ _(_)_ __| |_ _ _ __ _| | |__ _____ __ (_)___ ___ -# \ \ / / | '__| __| | | |/ _` | | '_ \ / _ \ \/ /____| / __|/ _ \ -# \ V /| | | | |_| |_| | (_| | | |_) | (_) > <_____| \__ \ (_) | -# \_/ |_|_| \__|\__,_|\__,_|_|_.__/ \___/_/\_\ |_|___/\___/ -- <<: [*builder_common_options, *communicator_ssh_options] - bundle_iso: '{{ user `bundle_iso` }}' -# export_opts: ([]string) - format: ova -# guest_additions_interface: sata - guest_additions_mode: disable -# guest_additions_path: VBoxGuestAdditions.iso -# guest_additions_sha256: (string) -# 
guest_additions_url: (string) - guest_os_type: '{{ user `guest_os_type` }}' - hard_drive_discard: false - hard_drive_interface: sata - hard_drive_nonrotational: false - iso_interface: sata - keep_registered: '{{ user `keep_registered` }}' - name: vbox - post_shutdown_delay: 0s - sata_port_count: '1' - skip_export: '{{ user `skip_export` }}' - type: virtualbox-iso - vboxmanage: - - - modifyvm - - '{{ .Name }}' - - '--rtcuseutc' - - >- - {{ if user `system_clock_in_utc` | eq `true` -}} - on - {{- else -}} - off - {{- end }} -# vboxmanage_post: ([][]string) - virtualbox_version_file: '/tmp/.vbox_version' - vrdp_bind_address: '{{ user `vnc_vrdp_bind_address` }}' - vrdp_port_max: '{{ user `vnc_vrdp_port_max` }}' - vrdp_port_min: '{{ user `vnc_vrdp_port_min` }}' -# __ _ ___ _ __ ___ _ _ -# / _` |/ _ \ '_ ` _ \| | | | -# | (_| | __/ | | | | | |_| | -# \__, |\___|_| |_| |_|\__,_| -# |_| -- <<: [*builder_common_options, *communicator_ssh_options] - accelerator: kvm - disk_cache: writeback - disk_compression: false - disk_discard: ignore - disk_image: false - disk_interface: virtio-scsi - format: raw - iso_skip_cache: false - machine_type: pc - name: qemu - net_device: virtio-net - qemu_binary: '{{ user `qemu_binary` }}' -# qemuargs: ([][]string) - skip_compaction: true - type: qemu - use_default_display: false - vnc_bind_address: '{{ user `vnc_vrdp_bind_address` }}' - vnc_port_max: '{{ user `vnc_vrdp_port_max` }}' - vnc_port_min: '{{ user `vnc_vrdp_port_min` }}' -description: '{{ user `description` }}' -min_packer_version: 1.7.2 -# _ -# _ __ ___ ___| |_ _ __ _ __ ___ ___ ___ ___ ___ ___ _ __ ___ -# | '_ \ / _ \/ __| __|____| '_ \| '__/ _ \ / __/ _ \/ __/ __|/ _ \| '__/ __| -# | |_) | (_) \__ \ ||_____| |_) | | | (_) | (_| __/\__ \__ \ (_) | | \__ \ -# | .__/ \___/|___/\__| | .__/|_| \___/ \___\___||___/___/\___/|_| |___/ -# |_| |_| -post-processors: -- compression_level: 6 -# include: ([]string) - keep_input_artifact: true - only: - - vbox - - qemu - output: '{{ user 
`output_directory` }}/{{ user `vm_name` }}-{{ user `version` }}-{{ build_name }}.box' - type: vagrant - vagrantfile_template: '{{ user `vagrantfile_template` }}' -- compression_level: 6 - format: .gz - keep_input_artifact: true - only: - - qemu - output: '{{ user `output_directory` }}/{{ user `vm_name` }}.raw.gz' - type: compress -# - - files: -# - '{{ user `output_directory` }}/{{ user `vm_name` }}*.box' -# keep_input_artifact: true -# only: -# - vbox -# type: artifice -# XXX CHECKSUM -# - inline_shebang: /bin/sh -e -# # environment_vars: ([]string) -# execute_command: chmod +x "{{ .Script }}"; {{ .Vars }} "{{ .Script }}" -# inline: -# - echo '---' > {{ user `output_directory` }}/{{ user `vm_name` }}.yaml -# - 'echo ''name: {{ user `vm_name` }}'' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml' -# - 'echo ''description: {{ user `description` }}'' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml' -# - echo 'versions:' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml -# - 'echo ''- version: {{ user `version` }}'' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml' -# - echo ' providers:' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml -# - 'echo '' - name: XXXPROVIDER'' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml' -# - 'echo '' url: http://myserver/vm/{{ user `vm_name` }}/{{ user `vm_name` }}-{{ user `version` }}-''{{ build_name }}''.box'' -# >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml' -# - 'echo '' checksum_type: sha256'' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml' -# - 'echo '' checksum: deadbeef'' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml' -# - if [ 'vbox' = '{{ build_name }}' ]; then sed -i 's/XXXPROVIDER/virtualbox/' '{{ user `output_directory` }}/{{ user `vm_name` }}.yaml'; fi -# - if [ 'qemu' = '{{ build_name }}' ]; then sed -i 's/XXXPROVIDER/libvirt/' '{{ user `output_directory` }}/{{ user `vm_name` }}.yaml'; fi -# only: -# - vbox -# - qemu -# 
type: shell-local -# _ _ -# _ __ _ __ _____ _(_)___(_) ___ _ __ ___ _ __ ___ -# | '_ \| '__/ _ \ \ / / / __| |/ _ \| '_ \ / _ \ '__/ __| -# | |_) | | | (_) \ V /| \__ \ | (_) | | | | __/ | \__ \ -# | .__/|_| \___/ \_/ |_|___/_|\___/|_| |_|\___|_| |___/ -# |_| -provisioners: -- <<: *provisioner_shell_options - inline: - - 'echo ''{{ user `ssh_username` }} ALL=(ALL) NOPASSWD: ALL'' > /etc/sudoers.d/99{{ user - `ssh_username` }}' - - chmod 0440 /etc/sudoers.d/99{{ user `ssh_username` }} - only: - - vbox - - qemu -- <<: *provisioner_shell_options - inline: - - apt-get update - - apt-get --yes dist-upgrade - - apt-get clean - only: - - vbox - - qemu -- <<: *provisioner_shell_options - inline: - - dd if=/dev/zero of=/ZEROFILL bs=16M || true - - rm /ZEROFILL - - sync - only: - - vbox - - qemu -# _ _ _ -# __ ____ _ _ __(_) __ _| |__ | | ___ ___ -# \ \ / / _` | '__| |/ _` | '_ \| |/ _ \/ __| -# \ V / (_| | | | | (_| | |_) | | __/\__ \ -# \_/ \__,_|_| |_|\__,_|_.__/|_|\___||___/ -variables: - apt_cache_url: http://myserver:3142 - boot_wait: 3s - bundle_iso: 'false' - communicator: ssh - country: CA - cpus: '1' - description: 'Base box (encrypted) for x86_64 Debian Bullseye 11.x' - disk_size: '7500' - domain: '' - guest_os_type: Debian_64 - headless: 'false' - host_port_max: '4444' - host_port_min: '2222' - http_directory: '.' 
- http_port_max: '9000' - http_port_min: '8000' - iso_checksum: file:http://cdimage.debian.org/cdimage/weekly-builds/amd64/iso-cd/SHA512SUMS -# iso_checksum: sha512:deadbeef - iso_file: debian-testing-amd64-netinst.iso - iso_path_external: http://cdimage.debian.org/cdimage/weekly-builds/amd64/iso-cd - iso_path_internal: http://myserver:8080/debian - keep_registered: 'false' - keyboard: us - language: en - locale: en_CA.UTF-8 - memory: '1024' - min_vagrant_version: 2.2.16 - mirror: ftp.ca.debian.org - output_directory: 'build/{{ isotime "2006-01-02-15-04-05" }}' - packer_cache_dir: '{{ env `PACKER_CACHE_DIR` }}' - preseed_file: template/debian/11_bullseye/base-crypt.preseed - qemu_binary: qemu-system-x86_64 - shutdown_timeout: 5m - skip_export: 'false' - ssh_agent_auth: 'false' - ssh_clear_authorized_keys: 'false' - ssh_disable_agent_forwarding: 'false' - ssh_file_transfer_method: scp - ssh_fullname: Ghost Writer - ssh_handshake_attempts: '10' - ssh_keep_alive_interval: 5s - ssh_password: 1ma63b0rk3d - ssh_port: '22' - ssh_pty: 'false' - ssh_timeout: 60m - ssh_username: ghost - start_retry_timeout: 5m - system_clock_in_utc: 'true' - timezone: UTC - vagrantfile_template: template/debian/11_bullseye/vagrant.rb.j2 - version: 0.0.0 - vm_name: base-crypt-bullseye - vnc_vrdp_bind_address: 127.0.0.1 - vnc_vrdp_port_max: '6000' - vnc_vrdp_port_min: '5900' diff --git a/_tools/packer/templates/debian/11_bullseye/base-uefi.preseed b/_tools/packer/templates/debian/11_bullseye/base-uefi.preseed deleted file mode 100644 index 5fb612f..0000000 --- a/_tools/packer/templates/debian/11_bullseye/base-uefi.preseed +++ /dev/null 
@@ -1,88 +0,0 @@ -# Locale Setup -d-i debian-installer/language string {{ language }} -d-i debian-installer/country string {{ country }} -d-i debian-installer/locale string {{ locale }} -# d-i localechooser/supported-locales multiselect en_CA.UTF-8 fr_CA.UTF-8 zh_CN.UTF-8 -# d-i pkgsel/install-language-support boolean true - -# Keyboard Setup -d-i keyboard-configuration/xkb-keymap select {{ keyboard }} - -# Clock Setup -# d-i time/zone string Canada/Eastern -d-i time/zone string {{ timezone }} -d-i clock-setup/utc boolean {{ system_clock_in_utc }} -# set above to false if making a bootable USB to run on same system as Windows - -# Network Setup -d-i netcfg/get_hostname string {{ vm_name }} -d-i netcfg/get_domain string -# https://bugs.launchpad.net/ubuntu/+source/netcfg/+bug/713385 -d-i netcfg/choose_interface select auto -# make sure you also add "interface=auto" to your boot command too -# https://bugs.launchpad.net/ubuntu/+source/netcfg/+bug/713385 - -# User Setup -d-i passwd/user-fullname string {{ ssh_fullname }} -d-i passwd/username string {{ ssh_username }} -d-i passwd/user-password password {{ ssh_password }} -d-i passwd/user-password-again password {{ ssh_password }} -# d-i passwd/user-password-crypted password $6$w5yFawT.$d51yQ513SdzariRCjomBwO9IMtMh6.TjnRwQqTBlOMwGhyyVXlJeYC9kanFp65bpoS1tn9x7r8gLP5Dg4CtEP1 -d-i user-setup/allow-password-weak boolean true -d-i user-setup/encrypt-home boolean false -d-i passwd/root-login boolean false - -# Package Setup -d-i hw-detect/load_firmware boolean false -d-i hw-detect/load_media boolean false -apt-cdrom-setup apt-setup/cdrom/set-first boolean false -d-i mirror/country string manual -d-i mirror/http/hostname string {{ mirror }} -d-i mirror/http/directory string /debian -d-i mirror/http/proxy string -# d-i mirror/http/proxy string {{ apt_cache_url }} -d-i apt-setup/contrib boolean true -d-i apt-setup/non-free boolean true -tasksel tasksel/first multiselect print-server, ssh-server, standard -d-i pkgsel/include 
string sudo, unattended-upgrades -popularity-contest popularity-contest/participate boolean false - -# Drive Setup -d-i grub-installer/only_debian boolean true -d-i grub-installer/with_other_os boolean true -d-i grub-installer/bootdev string default -d-i partman-auto/disk string /dev/sda -d-i partman-lvm/device_remove_lvm boolean true -d-i partman-md/device_remove_md boolean true -d-i partman-partitioning/confirm_write_new_label boolean true -d-i partman/choose_partition select finish -d-i partman/confirm boolean true -d-i partman/confirm_nooverwrite boolean true -d-i partman-auto/method string lvm -d-i partman-auto-lvm/new_vg_name string primary -d-i partman-auto-lvm/guided_size string max -d-i partman-lvm/confirm boolean true -d-i partman-lvm/confirm_nooverwrite boolean true -d-i partman-efi/non_efi_system boolean true -d-i partman-auto/choose_recipe select fling-the-bling -d-i partman-auto/expert_recipe string fling-the-bling :: \ - 1 1 1 free \ - $bios_boot{ } method{ biosgrub } \ - . \ - 256 256 256 fat32 \ - $primary{ } $lvmignore{ } \ - method{ efi } format{ } \ - . \ - 100% 200% 200% linux-swap \ - $lvmok{ } lv_name{ swap } in_vg{ primary } \ - method{ swap } format{ } \ - . \ - 10000 10000 -1 ext4 \ - $lvmok{ } lv_name{ root } in_vg{ primary } \ - method{ format } format{ } use_filesystem{ } filesystem{ ext4 } \ - mountpoint{ / } \ - . \ -. - -# Final Setup -d-i finish-install/reboot_in_progress note diff --git a/_tools/packer/templates/debian/11_bullseye/base-uefi.yaml b/_tools/packer/templates/debian/11_bullseye/base-uefi.yaml deleted file mode 100644 index 2a536ca..0000000 --- a/_tools/packer/templates/debian/11_bullseye/base-uefi.yaml +++ /dev/null 
@@ -1,313 +0,0 @@ ---- -# _ -# __ _ _ __ ___| |__ ___ _ __ ___ -# / _` | '_ \ / __| '_ \ / _ \| '__/ __| -# | (_| | | | | (__| | | | (_) | | \__ \ -# \__,_|_| |_|\___|_| |_|\___/|_| |___/ -_anchors: -- &builder_common_options - boot_command: - - 'c' - - 'linux /install.amd/vmlinuz ' - - 'auto=true ' - - 'url=http://{{ .HTTPIP }}:{{ .HTTPPort }}/{{ user `preseed_file` }} ' - - 'hostname={{ user `vm_name` }} ' - - 'domain={{ user `domain` }} ' - - 'interface=auto ' - - 'vga=788 noprompt quiet --' - - 'initrd /install.amd/initrd.gz' - - 'boot' - boot_wait: '{{ user `boot_wait` }}' - communicator: '{{ user `communicator` }}' - cpus: '{{ user `cpus` }}' - disk_size: '{{ user `disk_size` }}' -# floppy_dirs: ([]string) -# floppy_files: ([]string) -# floppy_label: (string) - headless: '{{ user `headless` }}' - host_port_max: '{{ user `host_port_max` }}' - host_port_min: '{{ user `host_port_min` }}' -# http_bind_address: 0.0.0.0 - http_directory: '{{ user `http_directory` }}' - http_port_max: '{{ user `http_port_max` }}' - http_port_min: '{{ user `http_port_min` }}' - iso_checksum: '{{ user `iso_checksum` }}' - iso_target_extension: iso - iso_target_path: '{{ user `packer_cache_dir` }}/{{ user `iso_file` }}' -# iso_url: (string) - iso_urls: - - '{{ user `iso_path_internal` }}/{{ user `iso_file` }}' - - '{{ user `iso_path_external` }}/{{ user `iso_file` }}' - memory: '{{ user `memory` }}' - output_directory: '{{ user `output_directory` }}' -# pause_before_connecting: '{{ user `pause_before_connecting` }}' - shutdown_command: echo '{{ user `ssh_password` }}' | sudo -E -S poweroff - shutdown_timeout: '{{ user `shutdown_timeout` }}' - skip_nat_mapping: false - vm_name: '{{ user `vm_name` }}' -- &communicator_ssh_options - ssh_agent_auth: '{{ user `ssh_agent_auth` }}' -# ssh_bastion_agent_auth: false -# ssh_bastion_host: (string) -# ssh_bastion_password: (string) -# ssh_bastion_port: '22' -# ssh_bastion_private_key_file: (string) -# ssh_bastion_username: (string) -# ssh_ciphers: 
[ 'aes128-gcm@openssh.com', 'chacha20-poly1305@openssh.com', 'aes128-ctr', 'aes192-ctr', 'aes256-ctr', ] - ssh_clear_authorized_keys: '{{ user `ssh_clear_authorized_keys` }}' - ssh_disable_agent_forwarding: '{{ user `ssh_disable_agent_forwarding` }}' - ssh_file_transfer_method: '{{ user `ssh_file_transfer_method` }}' - ssh_handshake_attempts: '{{ user `ssh_handshake_attempts` }}' -# ssh_host: (string) - ssh_keep_alive_interval: '{{ user `ssh_keep_alive_interval` }}' - ssh_password: '{{ user `ssh_password` }}' - ssh_port: '{{ user `ssh_port` }}' -# ssh_private_key_file: (string) -# ssh_proxy_host: (string) -# ssh_proxy_password: (string) -# ssh_proxy_port: '1080' -# ssh_proxy_username: (string) - ssh_pty: '{{ user `ssh_pty` }}' -# ssh_read_write_timeout: (string) - ssh_timeout: '{{ user `ssh_timeout` }}' - ssh_username: '{{ user `ssh_username` }}' -- &provisioner_shell_options - binary: false -# environment_vars: ([]string) - execute_command: echo '{{ user `ssh_password` }}' | {{ .Vars }} sudo -E -S '{{ .Path }}' - expect_disconnect: true - inline_shebang: /bin/sh -e -# remote_file: script_nnn.sh -# remote_folder: /tmp -# remote_path: /tmp/script_nnn.sh - skip_clean: false - start_retry_timeout: '{{ user `start_retry_timeout` }}' - type: shell -# _ _ _ _ -# | |__ _ _(_) | __| | ___ _ __ ___ -# | '_ \| | | | | |/ _` |/ _ \ '__/ __| -# | |_) | |_| | | | (_| | __/ | \__ \ -# |_.__/ \__,_|_|_|\__,_|\___|_| |___/ -builders: -# _ _ _ _ _ -# __ _(_)_ __| |_ _ _ __ _| | |__ _____ __ (_)___ ___ -# \ \ / / | '__| __| | | |/ _` | | '_ \ / _ \ \/ /____| / __|/ _ \ -# \ V /| | | | |_| |_| | (_| | | |_) | (_) > <_____| \__ \ (_) | -# \_/ |_|_| \__|\__,_|\__,_|_|_.__/ \___/_/\_\ |_|___/\___/ -- <<: [*builder_common_options, *communicator_ssh_options] - bundle_iso: '{{ user `bundle_iso` }}' -# export_opts: ([]string) - format: ova -# guest_additions_interface: sata - guest_additions_mode: disable -# guest_additions_path: VBoxGuestAdditions.iso -# guest_additions_sha256: (string) -# 
guest_additions_url: (string) - guest_os_type: '{{ user `guest_os_type` }}' - hard_drive_discard: false - hard_drive_interface: sata - hard_drive_nonrotational: false - iso_interface: sata - keep_registered: '{{ user `keep_registered` }}' - name: vbox - post_shutdown_delay: 0s - sata_port_count: '1' - skip_export: '{{ user `skip_export` }}' - type: virtualbox-iso - vboxmanage: - - - modifyvm - - '{{ .Name }}' - - '--firmware' - - efi - - - modifyvm - - '{{ .Name }}' - - '--rtcuseutc' - - >- - {{ if user `system_clock_in_utc` | eq `true` -}} - on - {{- else -}} - off - {{- end }} -# vboxmanage_post: ([][]string) - virtualbox_version_file: '/tmp/.vbox_version' - vrdp_bind_address: '{{ user `vnc_vrdp_bind_address` }}' - vrdp_port_max: '{{ user `vnc_vrdp_port_max` }}' - vrdp_port_min: '{{ user `vnc_vrdp_port_min` }}' -# __ _ ___ _ __ ___ _ _ -# / _` |/ _ \ '_ ` _ \| | | | -# | (_| | __/ | | | | | |_| | -# \__, |\___|_| |_| |_|\__,_| -# |_| -- <<: [*builder_common_options, *communicator_ssh_options] - accelerator: kvm - disk_cache: writeback - disk_compression: false - disk_discard: ignore - disk_image: false - disk_interface: virtio-scsi - format: raw - iso_skip_cache: false - machine_type: pc - name: qemu - net_device: virtio-net - qemu_binary: '{{ user `qemu_binary` }}' - qemuargs: - - - -bios - - OVMF.fd - skip_compaction: true - type: qemu - use_default_display: false - vnc_bind_address: '{{ user `vnc_vrdp_bind_address` }}' - vnc_port_max: '{{ user `vnc_vrdp_port_max` }}' - vnc_port_min: '{{ user `vnc_vrdp_port_min` }}' -description: '{{ user `description` }}' -min_packer_version: 1.7.2 -# _ -# _ __ ___ ___| |_ _ __ _ __ ___ ___ ___ ___ ___ ___ _ __ ___ -# | '_ \ / _ \/ __| __|____| '_ \| '__/ _ \ / __/ _ \/ __/ __|/ _ \| '__/ __| -# | |_) | (_) \__ \ ||_____| |_) | | | (_) | (_| __/\__ \__ \ (_) | | \__ \ -# | .__/ \___/|___/\__| | .__/|_| \___/ \___\___||___/___/\___/|_| |___/ -# |_| |_| -post-processors: -- compression_level: 6 -# include: ([]string) - 
keep_input_artifact: true - only: - - vbox - - qemu - output: '{{ user `output_directory` }}/{{ user `vm_name` }}-{{ user `version` }}-{{ build_name }}.box' - type: vagrant - vagrantfile_template: '{{ user `vagrantfile_template` }}' -- compression_level: 6 - format: .gz - keep_input_artifact: true - only: - - qemu - output: '{{ user `output_directory` }}/{{ user `vm_name` }}.raw.gz' - type: compress -# - - files: -# - '{{ user `output_directory` }}/{{ user `vm_name` }}*.box' -# keep_input_artifact: true -# only: -# - vbox -# type: artifice -# XXX CHECKSUM -# - inline_shebang: /bin/sh -e -# # environment_vars: ([]string) -# execute_command: chmod +x "{{ .Script }}"; {{ .Vars }} "{{ .Script }}" -# inline: -# - echo '---' > {{ user `output_directory` }}/{{ user `vm_name` }}.yaml -# - 'echo ''name: {{ user `vm_name` }}'' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml' -# - 'echo ''description: {{ user `description` }}'' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml' -# - echo 'versions:' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml -# - 'echo ''- version: {{ user `version` }}'' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml' -# - echo ' providers:' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml -# - 'echo '' - name: XXXPROVIDER'' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml' -# - 'echo '' url: http://myserver/vm/{{ user `vm_name` }}/{{ user `vm_name` }}-{{ user `version` }}-''{{ build_name }}''.box'' -# >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml' -# - 'echo '' checksum_type: sha256'' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml' -# - 'echo '' checksum: deadbeef'' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml' -# - if [ 'vbox' = '{{ build_name }}' ]; then sed -i 's/XXXPROVIDER/virtualbox/' '{{ user `output_directory` }}/{{ user `vm_name` }}.yaml'; fi -# - if [ 'qemu' = '{{ build_name }}' ]; then sed -i 's/XXXPROVIDER/libvirt/' '{{ user 
`output_directory` }}/{{ user `vm_name` }}.yaml'; fi -# only: -# - vbox -# - qemu -# type: shell-local -# _ _ -# _ __ _ __ _____ _(_)___(_) ___ _ __ ___ _ __ ___ -# | '_ \| '__/ _ \ \ / / / __| |/ _ \| '_ \ / _ \ '__/ __| -# | |_) | | | (_) \ V /| \__ \ | (_) | | | | __/ | \__ \ -# | .__/|_| \___/ \_/ |_|___/_|\___/|_| |_|\___|_| |___/ -# |_| -provisioners: -- <<: *provisioner_shell_options - inline: - - echo 'FS0:\EFI\debian\grubx64.efi' > /boot/efi/startup.nsh - only: - - vbox - - qemu -- <<: *provisioner_shell_options - inline: - - 'echo ''{{ user `ssh_username` }} ALL=(ALL) NOPASSWD: ALL'' > /etc/sudoers.d/99{{ user - `ssh_username` }}' - - chmod 0440 /etc/sudoers.d/99{{ user `ssh_username` }} - only: - - vbox - - qemu -- <<: *provisioner_shell_options - inline: - - apt-get update - - apt-get --yes dist-upgrade - - apt-get clean - only: - - vbox - - qemu -- <<: *provisioner_shell_options - inline: - - dd if=/dev/zero of=/ZEROFILL bs=16M || true - - rm /ZEROFILL - - sync - only: - - vbox - - qemu -# _ _ _ -# __ ____ _ _ __(_) __ _| |__ | | ___ ___ -# \ \ / / _` | '__| |/ _` | '_ \| |/ _ \/ __| -# \ V / (_| | | | | (_| | |_) | | __/\__ \ -# \_/ \__,_|_| |_|\__,_|_.__/|_|\___||___/ -variables: - apt_cache_url: http://myserver:3142 - boot_wait: 3s - bundle_iso: 'false' - communicator: ssh - country: CA - cpus: '1' - description: 'Base box (UEFI) for x86_64 Debian Bullseye 11.x' - disk_size: '7500' - domain: '' - guest_os_type: Debian_64 - headless: 'false' - host_port_max: '4444' - host_port_min: '2222' - http_directory: '.' 
- http_port_max: '9000'
- http_port_min: '8000'
- iso_checksum: file:http://cdimage.debian.org/cdimage/weekly-builds/amd64/iso-cd/SHA512SUMS
-# iso_checksum: sha512:deadbeef
- iso_file: debian-testing-amd64-netinst.iso
- iso_path_external: http://cdimage.debian.org/cdimage/weekly-builds/amd64/iso-cd
- iso_path_internal: http://myserver:8080/debian
- keep_registered: 'false'
- keyboard: us
- language: en
- locale: en_CA.UTF-8
- memory: '1024'
- min_vagrant_version: 2.2.16
- mirror: ftp.ca.debian.org
- output_directory: 'build/{{ isotime "2006-01-02-15-04-05" }}'
- packer_cache_dir: '{{ env `PACKER_CACHE_DIR` }}'
- preseed_file: template/debian/11_bullseye/base-uefi.preseed
- qemu_binary: qemu-system-x86_64
- shutdown_timeout: 5m
- skip_export: 'false'
- ssh_agent_auth: 'false'
- ssh_clear_authorized_keys: 'false'
- ssh_disable_agent_forwarding: 'false'
- ssh_file_transfer_method: scp
- ssh_fullname: Ghost Writer
- ssh_handshake_attempts: '10'
- ssh_keep_alive_interval: 5s
- ssh_password: 1ma63b0rk3d
- ssh_port: '22'
- ssh_pty: 'false'
- ssh_timeout: 60m
- ssh_username: ghost
- start_retry_timeout: 5m
- system_clock_in_utc: 'true'
- timezone: UTC
- vagrantfile_template: template/debian/11_bullseye/vagrant.rb.j2
- version: 0.0.0
- vm_name: base-uefi-bullseye
- vnc_vrdp_bind_address: 127.0.0.1
- vnc_vrdp_port_max: '6000'
- vnc_vrdp_port_min: '5900'
diff --git a/_tools/packer/templates/debian/11_bullseye/base.preseed b/_tools/packer/templates/debian/11_bullseye/base.preseed
deleted file mode 100644
index 1d69287..0000000
--- a/_tools/packer/templates/debian/11_bullseye/base.preseed
+++ /dev/null
@@ -1,69 +0,0 @@
-# Locale Setup
-d-i debian-installer/language string {{ language }}
-d-i debian-installer/country string {{ country }}
-d-i debian-installer/locale string {{ locale }}
-# d-i localechooser/supported-locales multiselect en_CA.UTF-8 fr_CA.UTF-8 zh_CN.UTF-8
-# d-i pkgsel/install-language-support boolean true
-
-# Keyboard Setup
-d-i keyboard-configuration/xkb-keymap select {{ keyboard }}
-
-# Clock Setup
-# d-i time/zone string Canada/Eastern
-d-i time/zone string {{ timezone }}
-d-i clock-setup/utc boolean {{ system_clock_in_utc }}
-# set above to false if making a bootable USB to run on same system as Windows
-
-# Network Setup
-d-i netcfg/get_hostname string {{ vm_name }}
-d-i netcfg/get_domain string
-# https://bugs.launchpad.net/ubuntu/+source/netcfg/+bug/713385
-d-i netcfg/choose_interface select auto
-# make sure you also add "interface=auto" to your boot command too
-# https://bugs.launchpad.net/ubuntu/+source/netcfg/+bug/713385
-
-# User Setup
-d-i passwd/user-fullname string {{ ssh_fullname }}
-d-i passwd/username string {{ ssh_username }}
-d-i passwd/user-password password {{ ssh_password }}
-d-i passwd/user-password-again password {{ ssh_password }}
-# d-i passwd/user-password-crypted password $6$w5yFawT.$d51yQ513SdzariRCjomBwO9IMtMh6.TjnRwQqTBlOMwGhyyVXlJeYC9kanFp65bpoS1tn9x7r8gLP5Dg4CtEP1
-d-i user-setup/allow-password-weak boolean true
-d-i user-setup/encrypt-home boolean false
-d-i passwd/root-login boolean false
-
-# Package Setup
-d-i hw-detect/load_firmware boolean false
-d-i hw-detect/load_media boolean false
-apt-cdrom-setup apt-setup/cdrom/set-first boolean false
-d-i mirror/country string manual
-d-i mirror/http/hostname string {{ mirror }}
-d-i mirror/http/directory string /debian
-d-i mirror/http/proxy string
-# d-i mirror/http/proxy string {{ apt_cache_url }}
-d-i apt-setup/contrib boolean true
-d-i apt-setup/non-free boolean true
-tasksel tasksel/first multiselect print-server, ssh-server, standard
-d-i pkgsel/include string sudo, unattended-upgrades
-popularity-contest popularity-contest/participate boolean false
-
-# Drive Setup
-d-i grub-installer/only_debian boolean true
-d-i grub-installer/with_other_os boolean true
-d-i grub-installer/bootdev string default
-d-i partman-auto/disk string /dev/sda
-d-i partman-lvm/device_remove_lvm boolean true
-d-i partman-md/device_remove_md boolean true
-d-i partman-partitioning/confirm_write_new_label boolean true
-d-i partman/choose_partition select finish
-d-i partman/confirm boolean true
-d-i partman/confirm_nooverwrite boolean true
-d-i partman-auto/method string lvm
-d-i partman-auto-lvm/new_vg_name string primary
-d-i partman-auto-lvm/guided_size string max
-d-i partman-lvm/confirm boolean true
-d-i partman-lvm/confirm_nooverwrite boolean true
-d-i partman-auto/choose_recipe select atomic
-
-# Final Setup
-d-i finish-install/reboot_in_progress note
diff --git a/_tools/packer/templates/debian/11_bullseye/base.yaml b/_tools/packer/templates/debian/11_bullseye/base.yaml
deleted file mode 100644
index 1ebb89a..0000000
--- a/_tools/packer/templates/debian/11_bullseye/base.yaml
+++ /dev/null
@@ -1,300 +0,0 @@ ---- -# _ -# __ _ _ __ ___| |__ ___ _ __ ___ -# / _` | '_ \ / __| '_ \ / _ \| '__/ __| -# | (_| | | | | (__| | | | (_) | | \__ \ -# \__,_|_| |_|\___|_| |_|\___/|_| |___/ -_anchors: -- &builder_common_options - boot_command: - - '' - - '/install.amd/vmlinuz ' - - 'initrd=/install.amd/initrd.gz ' - - 'auto=true ' - - 'url=http://{{ .HTTPIP }}:{{ .HTTPPort }}/{{ user `preseed_file` }} ' - - 'hostname={{ user `vm_name` }} ' - - 'domain={{ user `domain` }} ' - - 'interface=auto ' - - 'vga=788 noprompt quiet --' - boot_wait: '{{ user `boot_wait` }}' - communicator: '{{ user `communicator` }}' - cpus: '{{ user `cpus` }}' - disk_size: '{{ user `disk_size` }}' -# floppy_dirs: ([]string) -# floppy_files: ([]string) -# floppy_label: (string) - headless: '{{ user `headless` }}' - host_port_max: '{{ user `host_port_max` }}' - host_port_min: '{{ user `host_port_min` }}' -# http_bind_address: 0.0.0.0 - http_directory: '{{ user `http_directory` }}' - http_port_max: '{{ user `http_port_max` }}' - http_port_min: '{{ user `http_port_min` }}' - iso_checksum: '{{ user `iso_checksum` }}' - iso_target_extension: iso - iso_target_path: '{{ user `packer_cache_dir` }}/{{ user `iso_file` }}' -# iso_url: (string) - iso_urls: - - '{{ user `iso_path_internal` }}/{{ user `iso_file` }}' - - '{{ user `iso_path_external` }}/{{ user `iso_file` }}' - memory: '{{ user `memory` }}' - output_directory: '{{ user `output_directory` }}' -# pause_before_connecting: '{{ user `pause_before_connecting` }}' - shutdown_command: echo '{{ user `ssh_password` }}' | sudo -E -S poweroff - shutdown_timeout: '{{ user `shutdown_timeout` }}' - skip_nat_mapping: false - vm_name: '{{ user `vm_name` }}' -- &communicator_ssh_options - ssh_agent_auth: '{{ user `ssh_agent_auth` }}' -# ssh_bastion_agent_auth: false -# ssh_bastion_host: (string) -# ssh_bastion_password: (string) -# ssh_bastion_port: '22' -# ssh_bastion_private_key_file: (string) -# ssh_bastion_username: (string) -# ssh_ciphers: [ 
'aes128-gcm@openssh.com', 'chacha20-poly1305@openssh.com', 'aes128-ctr', 'aes192-ctr', 'aes256-ctr', ] - ssh_clear_authorized_keys: '{{ user `ssh_clear_authorized_keys` }}' - ssh_disable_agent_forwarding: '{{ user `ssh_disable_agent_forwarding` }}' - ssh_file_transfer_method: '{{ user `ssh_file_transfer_method` }}' - ssh_handshake_attempts: '{{ user `ssh_handshake_attempts` }}' -# ssh_host: (string) - ssh_keep_alive_interval: '{{ user `ssh_keep_alive_interval` }}' - ssh_password: '{{ user `ssh_password` }}' - ssh_port: '{{ user `ssh_port` }}' -# ssh_private_key_file: (string) -# ssh_proxy_host: (string) -# ssh_proxy_password: (string) -# ssh_proxy_port: '1080' -# ssh_proxy_username: (string) - ssh_pty: '{{ user `ssh_pty` }}' -# ssh_read_write_timeout: (string) - ssh_timeout: '{{ user `ssh_timeout` }}' - ssh_username: '{{ user `ssh_username` }}' -- &provisioner_shell_options - binary: false -# environment_vars: ([]string) - execute_command: echo '{{ user `ssh_password` }}' | {{ .Vars }} sudo -E -S '{{ .Path }}' - expect_disconnect: true - inline_shebang: /bin/sh -e -# remote_file: script_nnn.sh -# remote_folder: /tmp -# remote_path: /tmp/script_nnn.sh - skip_clean: false - start_retry_timeout: '{{ user `start_retry_timeout` }}' - type: shell -# _ _ _ _ -# | |__ _ _(_) | __| | ___ _ __ ___ -# | '_ \| | | | | |/ _` |/ _ \ '__/ __| -# | |_) | |_| | | | (_| | __/ | \__ \ -# |_.__/ \__,_|_|_|\__,_|\___|_| |___/ -builders: -# _ _ _ _ _ -# __ _(_)_ __| |_ _ _ __ _| | |__ _____ __ (_)___ ___ -# \ \ / / | '__| __| | | |/ _` | | '_ \ / _ \ \/ /____| / __|/ _ \ -# \ V /| | | | |_| |_| | (_| | | |_) | (_) > <_____| \__ \ (_) | -# \_/ |_|_| \__|\__,_|\__,_|_|_.__/ \___/_/\_\ |_|___/\___/ -- <<: [*builder_common_options, *communicator_ssh_options] - bundle_iso: '{{ user `bundle_iso` }}' -# export_opts: ([]string) - format: ova -# guest_additions_interface: sata - guest_additions_mode: disable -# guest_additions_path: VBoxGuestAdditions.iso -# guest_additions_sha256: (string) -# 
guest_additions_url: (string) - guest_os_type: '{{ user `guest_os_type` }}' - hard_drive_discard: false - hard_drive_interface: sata - hard_drive_nonrotational: false - iso_interface: sata - keep_registered: '{{ user `keep_registered` }}' - name: vbox - post_shutdown_delay: 0s - sata_port_count: '1' - skip_export: '{{ user `skip_export` }}' - type: virtualbox-iso - vboxmanage: - - - modifyvm - - '{{ .Name }}' - - '--rtcuseutc' - - >- - {{ if user `system_clock_in_utc` | eq `true` -}} - on - {{- else -}} - off - {{- end }} -# vboxmanage_post: ([][]string) - virtualbox_version_file: '/tmp/.vbox_version' - vrdp_bind_address: '{{ user `vnc_vrdp_bind_address` }}' - vrdp_port_max: '{{ user `vnc_vrdp_port_max` }}' - vrdp_port_min: '{{ user `vnc_vrdp_port_min` }}' -# __ _ ___ _ __ ___ _ _ -# / _` |/ _ \ '_ ` _ \| | | | -# | (_| | __/ | | | | | |_| | -# \__, |\___|_| |_| |_|\__,_| -# |_| -- <<: [*builder_common_options, *communicator_ssh_options] - accelerator: kvm - disk_cache: writeback - disk_compression: false - disk_discard: ignore - disk_image: false - disk_interface: virtio-scsi - format: raw - iso_skip_cache: false - machine_type: pc - name: qemu - net_device: virtio-net - qemu_binary: '{{ user `qemu_binary` }}' -# qemuargs: ([][]string) - skip_compaction: true - type: qemu - use_default_display: false - vnc_bind_address: '{{ user `vnc_vrdp_bind_address` }}' - vnc_port_max: '{{ user `vnc_vrdp_port_max` }}' - vnc_port_min: '{{ user `vnc_vrdp_port_min` }}' -description: '{{ user `description` }}' -min_packer_version: 1.7.2 -# _ -# _ __ ___ ___| |_ _ __ _ __ ___ ___ ___ ___ ___ ___ _ __ ___ -# | '_ \ / _ \/ __| __|____| '_ \| '__/ _ \ / __/ _ \/ __/ __|/ _ \| '__/ __| -# | |_) | (_) \__ \ ||_____| |_) | | | (_) | (_| __/\__ \__ \ (_) | | \__ \ -# | .__/ \___/|___/\__| | .__/|_| \___/ \___\___||___/___/\___/|_| |___/ -# |_| |_| -post-processors: -- compression_level: 6 -# include: ([]string) - keep_input_artifact: true - only: - - vbox - - qemu - output: '{{ user 
`output_directory` }}/{{ user `vm_name` }}-{{ user `version` }}-{{ build_name }}.box' - type: vagrant - vagrantfile_template: '{{ user `vagrantfile_template` }}' -- compression_level: 6 - format: .gz - keep_input_artifact: true - only: - - qemu - output: '{{ user `output_directory` }}/{{ user `vm_name` }}.raw.gz' - type: compress -# - - files: -# - '{{ user `output_directory` }}/{{ user `vm_name` }}*.box' -# keep_input_artifact: true -# only: -# - vbox -# type: artifice -# XXX CHECKSUM -# - inline_shebang: /bin/sh -e -# # environment_vars: ([]string) -# execute_command: chmod +x "{{ .Script }}"; {{ .Vars }} "{{ .Script }}" -# inline: -# - echo '---' > {{ user `output_directory` }}/{{ user `vm_name` }}.yaml -# - 'echo ''name: {{ user `vm_name` }}'' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml' -# - 'echo ''description: {{ user `description` }}'' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml' -# - echo 'versions:' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml -# - 'echo ''- version: {{ user `version` }}'' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml' -# - echo ' providers:' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml -# - 'echo '' - name: XXXPROVIDER'' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml' -# - 'echo '' url: http://myserver/vm/{{ user `vm_name` }}/{{ user `vm_name` }}-{{ user `version` }}-''{{ build_name }}''.box'' -# >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml' -# - 'echo '' checksum_type: sha256'' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml' -# - 'echo '' checksum: deadbeef'' >> {{ user `output_directory` }}/{{ user `vm_name` }}.yaml' -# - if [ 'vbox' = '{{ build_name }}' ]; then sed -i 's/XXXPROVIDER/virtualbox/' '{{ user `output_directory` }}/{{ user `vm_name` }}.yaml'; fi -# - if [ 'qemu' = '{{ build_name }}' ]; then sed -i 's/XXXPROVIDER/libvirt/' '{{ user `output_directory` }}/{{ user `vm_name` }}.yaml'; fi -# only: -# - vbox -# - qemu -# 
type: shell-local -# _ _ -# _ __ _ __ _____ _(_)___(_) ___ _ __ ___ _ __ ___ -# | '_ \| '__/ _ \ \ / / / __| |/ _ \| '_ \ / _ \ '__/ __| -# | |_) | | | (_) \ V /| \__ \ | (_) | | | | __/ | \__ \ -# | .__/|_| \___/ \_/ |_|___/_|\___/|_| |_|\___|_| |___/ -# |_| -provisioners: -- <<: *provisioner_shell_options - inline: - - 'echo ''{{ user `ssh_username` }} ALL=(ALL) NOPASSWD: ALL'' > /etc/sudoers.d/99{{ user - `ssh_username` }}' - - chmod 0440 /etc/sudoers.d/99{{ user `ssh_username` }} - only: - - vbox - - qemu -- <<: *provisioner_shell_options - inline: - - apt-get update - - apt-get --yes dist-upgrade - - apt-get clean - only: - - vbox - - qemu -- <<: *provisioner_shell_options - inline: - - dd if=/dev/zero of=/ZEROFILL bs=16M || true - - rm /ZEROFILL - - sync - only: - - vbox - - qemu -# _ _ _ -# __ ____ _ _ __(_) __ _| |__ | | ___ ___ -# \ \ / / _` | '__| |/ _` | '_ \| |/ _ \/ __| -# \ V / (_| | | | | (_| | |_) | | __/\__ \ -# \_/ \__,_|_| |_|\__,_|_.__/|_|\___||___/ -variables: - apt_cache_url: http://myserver:3142 - boot_wait: 3s - bundle_iso: 'false' - communicator: ssh - country: CA - cpus: '1' - description: 'Base box for x86_64 Debian Bullseye 11.x' - disk_size: '7500' - domain: '' - guest_os_type: Debian_64 - headless: 'false' - host_port_max: '4444' - host_port_min: '2222' - http_directory: '.' 
- http_port_max: '9000'
- http_port_min: '8000'
- iso_checksum: file:http://cdimage.debian.org/cdimage/weekly-builds/amd64/iso-cd/SHA512SUMS
-# iso_checksum: sha512:deadbeef
- iso_file: debian-testing-amd64-netinst.iso
- iso_path_external: http://cdimage.debian.org/cdimage/weekly-builds/amd64/iso-cd
- iso_path_internal: http://myserver:8080/debian
- keep_registered: 'false'
- keyboard: us
- language: en
- locale: en_CA.UTF-8
- memory: '1024'
- min_vagrant_version: 2.2.16
- mirror: ftp.ca.debian.org
- output_directory: 'build/{{ isotime "2006-01-02-15-04-05" }}'
- packer_cache_dir: '{{ env `PACKER_CACHE_DIR` }}'
- preseed_file: template/debian/11_bullseye/base.preseed
- qemu_binary: qemu-system-x86_64
- shutdown_timeout: 5m
- skip_export: 'false'
- ssh_agent_auth: 'false'
- ssh_clear_authorized_keys: 'false'
- ssh_disable_agent_forwarding: 'false'
- ssh_file_transfer_method: scp
- ssh_fullname: Ghost Writer
- ssh_handshake_attempts: '10'
- ssh_keep_alive_interval: 5s
- ssh_password: 1ma63b0rk3d
- ssh_port: '22'
- ssh_pty: 'false'
- ssh_timeout: 60m
- ssh_username: ghost
- start_retry_timeout: 5m
- system_clock_in_utc: 'true'
- timezone: UTC
- vagrantfile_template: template/debian/11_bullseye/vagrant.rb.j2
- version: 0.0.0
- vm_name: base-bullseye
- vnc_vrdp_bind_address: 127.0.0.1
- vnc_vrdp_port_max: '6000'
- vnc_vrdp_port_min: '5900'
diff --git a/_tools/packer/templates/debian/11_bullseye/vagrant.rb.j2 b/_tools/packer/templates/debian/11_bullseye/vagrant.rb.j2
deleted file mode 100644
index 1de7127..0000000
--- a/_tools/packer/templates/debian/11_bullseye/vagrant.rb.j2
+++ /dev/null
@@ -1,7 +0,0 @@
-Vagrant.require_version '>= {{ min_vagrant_version }}'
-
-Vagrant.configure('2') do |config|
- config.ssh.username = '{{ ssh_username }}'
- config.ssh.password = '{{ ssh_password }}'
- config.vm.communicator = '{{ communicator }}'
-end
diff --git a/_tools/packer/templates/ubuntu-bionic.json b/_tools/packer/templates/ubuntu-bionic.json
deleted file mode 100644
index 781bfd5..0000000
--- a/_tools/packer/templates/ubuntu-bionic.json
+++ /dev/null
@@ -1,119 +0,0 @@
-{
- "variables": {
- "role": null,
- "service": null,
- "playbook_file": null,
- "inventory_groups": null,
- "region": "eu-west-1",
- "aws_profile": "revolve",
- "vpc_id": "vpc-0943350383762ea0c",
- "subnet_id": "subnet-0d969f189aad02f1a",
- "security_group_id": "sg-0cedabc8df636164f",
- "source_ami": "ami-0964eb2dc8b836eb6",
- "instance_type": "t2.micro",
- "shared_account": "205168111441,432161212492",
- "box_name": "generic/ubuntu1804",
- "box_version": "3.0.14",
- "box_folder": "undefined",
- "box_checksum": "undefined",
- "box_base_mac": "undefined",
- "vagrant_ssh_private_key": "undefined",
- "PROJECT_NAME": "IAC-AWS",
- "PROJECT_ENV": "QA",
- "PROJECT_OWNER": "frederic.willien@revolve.team",
- "PROJECT_GIT": "https://github.com/freuds/iac-aws.git",
- "PROJECT_CI": ""
-
- },
- "builders": [
- {
- "type": "amazon-ebs",
- "region": "{{ user `region` }}",
- "source_ami": "{{ user `source_ami` }}",
- "instance_type": "{{ user `instance_type` }}",
- "ssh_pty": true,
- "ssh_username": "ubuntu",
- "ami_name": "{{ user `service` }}-{{ user `role` }}-{{ isotime \"2006-01-02T15-04-05\" }}",
- "ami_description": "ubuntu-{{ user `service` }}-{{ user `role` }}",
- "ami_regions": ["eu-west-1"],
- "vpc_id": "{{ user `vpc_id` }}",
- "subnet_id": "{{ user `subnet_id` }}",
- "ami_users": "{{ user `shared_account` }}",
- "associate_public_ip_address": true,
- "security_group_id": "{{ user `security_group_id` }}",
- "tags": {
- "Name": "{{ user `service` }}-{{ user `role` }}",
- "Role": "{{ user `role` }}",
- "Service": "{{ user `service` }}",
- "Source AMI":"{{ user `source_ami` }}",
- "Appli": "{{user `PROJECT_NAME`}}",
- "owner": "{{user `PROJECT_OWNER`}}",
- "Env": "{{user `PROJECT_ENV`}}",
- "git": "{{user `PROJECT_GIT`}}",
- "ci": "{{user `PROJECT_CI`}}"
- },
- "run_tags": {
- "Name": "Packer Builder {{ user `service` }}",
- "Appli": "{{user `PROJECT_NAME`}}",
- "owner": "{{user `PROJECT_OWNER`}}",
- "Env": "{{user `PROJECT_ENV`}}",
- "git": "{{user `PROJECT_GIT`}}",
- "ci": "{{user `PROJECT_CI`}}"
- }
- },
- {
- "type": "virtualbox-ovf",
- "communicator": "ssh",
- "source_path": "{{ user `box_folder` }}/box.ovf",
- "checksum": "{{ user `box_checksum` }}",
- "guest_additions_mode": "disable",
- "headless": true,
- "ssh_pty": true,
- "ssh_username": "vagrant",
- "ssh_private_key_file": "~/.vagrant.d/insecure_private_key",
- "ssh_port": "62222",
- "ssh_wait_timeout": "1000s",
- "ssh_skip_nat_mapping": true,
- "shutdown_command": "sudo shutdown -P now",
- "output_directory": "/tmp/packer_output",
- "target_path": "/tmp/packer_cache",
- "skip_export": true,
- "vboxmanage": [
- [ "modifyvm", "{{ .Name }}", "--cpus", "2" ],
- [ "modifyvm", "{{ .Name }}", "--memory", "2048" ],
- [ "modifyvm", "{{ .Name }}", "--nic1", "nat" ],
- [ "modifyvm", "{{ .Name }}", "--natpf1", "packerssh,tcp,127.0.0.1,62222,,22" ],
- [ "modifyvm", "{{ .Name }}", "--uart1", "0x3F8", "4" ],
- [ "modifyvm", "{{ .Name }}", "--macaddress1", "{{ user `box_base_mac` }}" ],
- [ "modifyvm", "{{ .Name }}", "--accelerate3d", "off" ],
- [ "modifyvm", "{{ .Name }}", "--graphicscontroller", "vmsvga" ],
- [ "modifyvm", "{{ .Name }}", "--pae", "off" ],
- [ "modifyvm", "{{ .Name }}", "--nestedpaging", "on" ],
- [ "modifyvm", "{{ .Name }}", "--vram", "128" ]
- ]
- }
- ],
- "provisioners": [
- {
- "type": "shell",
- "inline": ["sleep 20"],
- "only": ["amazon-ebs"]
- },
- {
- "type": "shell",
- "scripts": ["{{ template_dir }}/../scripts/bootstrap.sh"]
- },
- {
- "type": "ansible-local",
- "playbook_file": "{{ user `playbook_file` }}",
- "playbook_dir": "{{ template_dir }}/../../ansible",
- "group_vars": "{{ template_dir }}/../../ansible/playbooks/group_vars",
- "inventory_groups": "{{ user `inventory_groups` }}",
- "extra_arguments": [ "--extra-vars \"SERVICE={{ user `service` }}\"", "-e ansible_python_interpreter=/usr/bin/python3" ]
- },
- {
- "type": "shell",
- "scripts": ["{{ template_dir }}/../scripts/cleanup.sh"]
- }
- ]
-}
diff --git a/_tools/packer/templates/ubuntu-bionic/builds.pkr.hcl b/_tools/packer/templates/ubuntu-bionic/builds.pkr.hcl
deleted file mode 100644
index 644b429..0000000
--- a/_tools/packer/templates/ubuntu-bionic/builds.pkr.hcl
+++ /dev/null
@@ -1,38 +0,0 @@
-packer {
- required_plugins {
- amazon = {
- version = ">= 0.0.1"
- source = "github.com/hashicorp/amazon"
- }
- }
-}
-
-# documentation for build blocks can be found here:
-# https://www.packer.io/docs/templates/hcl_templates/blocks/build
-build {
-
- // sources = ["source.amazon-ebs.autogenerated_1", "source.qemu.autogenerated_2", "source.virtualbox-ovf.autogenerated_3"]
- sources = ["source.amazon-ebs.ubuntu"]
-
- provisioner "shell" {
- inline = ["sleep 20"]
- only = ["amazon-ebs"]
- }
-
- provisioner "shell" {
- scripts = ["${path.root}/../../scripts/bootstrap.sh"]
- }
-
- provisioner "ansible-local" {
- extra_arguments = ["--extra-vars \"SERVICE=${var.service}\"", "-e ansible_python_interpreter=/usr/bin/python3"]
- group_vars = "${path.root}/../../../ansible/playbooks/group_vars"
- inventory_groups = ["${var.inventory_groups}"]
- playbook_dir = "${path.root}/../../../ansible"
- playbook_file = "${var.playbook_file}"
- }
-
- provisioner "shell" {
- scripts = ["${path.root}/../../scripts/cleanup.sh"]
- }
-
-}
\ No newline at end of file
diff --git a/_tools/packer/templates/ubuntu-bionic/sources.pkr.hcl b/_tools/packer/templates/ubuntu-bionic/sources.pkr.hcl
deleted file mode 100644
index 02e803a..0000000
--- a/_tools/packer/templates/ubuntu-bionic/sources.pkr.hcl
+++ /dev/null
@@ -1,80 +0,0 @@
-# source. Read the documentation for source blocks here:
-# https://www.packer.io/docs/templates/hcl_templates/blocks/source
-
-source "amazon-ebs" "ubuntu" {
- ami_description = "ubuntu-${var.service}-${var.role}"
- ami_name = "${var.service}-${var.role}-${legacy_isotime("2006-01-02T15-04-05")}"
- ami_regions = ["eu-west-1"]
- // ami_users = "${var.shared_account}"
- associate_public_ip_address = true
- instance_type = "${var.instance_type}"
- region = "${var.region}"
- profile = "${var.profile}"
- skip_create_ami = "${var.skip_create_ami}"
-
- run_tags = {
- Appli = "${var.PROJECT_NAME}"
- Env = "${var.PROJECT_ENV}"
- Name = "Packer Builder ${var.service}"
- ci = "${var.PROJECT_CI}"
- git = "${var.PROJECT_GIT}"
- owner = "${var.PROJECT_OWNER}"
- }
-
- security_group_id = "${var.security_group_id}"
- source_ami = "${var.source_ami}"
- ssh_pty = true
- ssh_username = "admin"
- subnet_id = "${var.subnet_id}"
- vpc_id = "${var.vpc_id}"
-
- tags = {
- Appli = "${var.PROJECT_NAME}"
- Env = "${var.PROJECT_ENV}"
- Name = "${var.service}-${var.role}"
- Role = "${var.role}"
- Service = "${var.service}"
- SourceAMI = "${var.source_ami}"
- ci = "${var.PROJECT_CI}"
- git = "${var.PROJECT_GIT}"
- owner = "${var.PROJECT_OWNER}"
- }
-}
-
-// source "qemu" "autogenerated_2" {
-// accelerator = "kvm"
-// boot_command = [" text ks=http://{{ .HTTPIP }}:{{ .HTTPPort }}/centos6-ks.cfg"]
-// boot_wait = "10s"
-// disk_interface = "virtio"
-// disk_size = "5000M"
-// format = "qcow2"
-// http_directory = "path/to/httpdir"
-// iso_checksum = "md5:af4a1640c0c6f348c6c41f1ea9e192a2"
-// iso_url = "http://mirror.raystedman.net/centos/6/isos/x86_64/CentOS-6.9-x86_64-minimal.iso"
-// net_device = "virtio-net"
-// output_directory = "output_centos_tdhtest"
-// shutdown_command = "echo 'packer' | sudo -S shutdown -P now"
-// ssh_password = "s0m3password"
-// ssh_timeout = "20m"
-// ssh_username = "root"
-// vm_name = "tdhtest"
-// }
-
-// source "virtualbox-ovf" "autogenerated_3" {
-// checksum = "${var.box_checksum}"
-// communicator = "ssh"
-// guest_additions_mode = "disable"
-// headless = true
-// output_directory = "/tmp/packer_output"
-// shutdown_command = "sudo shutdown -P now"
-// skip_export = true
-// source_path = "${var.box_folder}/box.ovf"
-// ssh_port = "62222"
-// ssh_private_key_file = "~/.vagrant.d/insecure_private_key"
-// ssh_pty = true
-// ssh_skip_nat_mapping = true
-// ssh_username = "vagrant"
-// ssh_wait_timeout = "1000s"
-// target_path = "/tmp/packer_cache"
-// vboxmanage = [["modifyvm", "{{ .Name }}", "--cpus", "2"], ["modifyvm", "{{ .Name }}", "--memory", "2048"], ["modifyvm", "{{ .Name }}", "--nic1", "nat"], ["modifyvm", "{{ .Name }}", "--natpf1", "packerssh,tcp,127.0.0.1,62222,,22"], ["modifyvm", "{{ .Name }}", "--uart1", "0x3F8", "4"], ["modifyvm", "{{ .Name }}", "--macaddress1", "${var.box_base_mac}"], ["modifyvm", "{{ .Name }}", "--accelerate3d", "off"], ["modifyvm", "{{ .Name }}", "--graphicscontroller", "vmsvga"], ["modifyvm", "{{ .Name }}", "--pae", "off"], ["modifyvm", "{{ .Name }}", "--nestedpaging", "on"], ["modifyvm", "{{ .Name }}", "--vram", "128"]]
-// }
\ No newline at end of file
diff --git a/_tools/packer/templates/ubuntu-bionic/variables.pkr.hcl b/_tools/packer/templates/ubuntu-bionic/variables.pkr.hcl
deleted file mode 100644
index 6468d6d..0000000
--- a/_tools/packer/templates/ubuntu-bionic/variables.pkr.hcl
+++ /dev/null
@@ -1,124 +0,0 @@ -variable "template" { - type = string - default = "" - description = "Folder contains template pkr.hcl files" -} - -variable "PROJECT_CI" { - type = string - default = "https://github.com/freuds/iac-aws.git" -} - -variable "PROJECT_ENV" { - type = string - default = "QA" -} - -variable "PROJECT_GIT" { - type = string - default = "https://github.com/freuds/iac-aws.git" -} - -variable "PROJECT_NAME" { - type = string - default = "IAC-AWS" -} - -variable "PROJECT_OWNER" { - type = string - default = "frederic.willien@revolve.team" -} - -variable "profile" { - type = string - default = "revolve" -} - -variable "box_base_mac" { - type = string - default = "undefined" -} - -variable "box_checksum" { - type = string - default = "undefined" -} - -variable "box_folder" { - type = string - default = "undefined" -} - -variable "box_name" { - type = string - default = "bento/debian-10" -} - -variable "box_version" { - type = string - default = "202105.25.0" -} - -variable "instance_type" { - type = string - default = "t2.micro" -} - -variable "inventory_groups" { - type = string -} - -variable "playbook_file" { - type = string -} - -variable "region" { - type = string - default = "eu-west-1" -} - -variable "role" { - type = string -} - -variable "security_group_id" { - type = string - default = "sg-0cedabc8df636164f" -} - -variable "service" { - type = string -} - -variable "shared_account" { - type = list(string) - default = [ - "205168111441", - "432161212492" - ] -} - -variable "source_ami" { - type = string - default = "ami-0874dad5025ca362c" -} - -variable "subnet_id" { - type = string - default = "subnet-0d969f189aad02f1a" -} - -variable "vagrant_ssh_private_key" { - type = string - default = "" -} - -variable "vpc_id" { - type = string - default = "vpc-0943350383762ea0c" -} - -variable "skip_create_ami" { - type = bool - default = false -} \ No newline at end of file 
diff --git a/_tools/packer/variables.pkr.hcl b/_tools/packer/variables.pkr.hcl
new file mode 100644
index 0000000..72f45fe
--- /dev/null
+++ b/_tools/packer/variables.pkr.hcl
@@ -0,0 +1,167 @@ +# All generated input variables will be of 'string' type as this is how Packer JSON +# views them; you can change their type later on. Read the variables type +# constraints documentation +# https://www.packer.io/docs/templates/hcl_templates/variables#type-constraints for more info. + +# locals blocks +locals { + version_number = formatdate("YYYYMMDDhhmm", timestamp()) +} + +# variables +variable "build_directory" { + type = string + default = "./output" +} + +variable "cpus" { + type = string + default = "2" +} + +variable "memory" { + type = string + default = "512" +} + +variable "disk_size" { + type = string + default = "1024" +} + +#--------------------------------------- +# AWS variables (shared between builders +#--------------------------------------- +variable "aws_region" { + type = string + default = "eu-west-1" +} + +variable "aws_instance_type" { + type = string + default = "t3.medium" +} + +variable "aws_source_ami_centos-79" { + type = string + default = "ami-0ffc7af9c06de0077" +} + +variable "aws_source_ami_centos-83" { + type = string + default = "ami-0c8ad4b0ff2d20c79" +} + +variable "aws_source_ami_redhat-79" { + type = string + default = "ami-00d05da9ad5c69bfd" +} + +variable "aws_source_ami_redhat-83" { + type = string + default = "ami-02a403e9f22ebf62b" +} + +variable "aws_source_ami_ubuntu-1804" { + type = string + default = "ami-0bd1a64868721e9ef" +} + +variable "aws_source_ami_ubuntu-2004" { + type = string + default = "ami-0b9e641f013a385af" +} + +variable "aws_subnet_name" { + type = string + default = "" + description = "Tag Name of the subnet to use" +} + +variable "aws_vpc_name" { + description = "Tag Name of the VPC" + type = string + default = "" +} + +variable "aws_security_group_filter" { + description = "Tag Name of the security group to use" + type = string + default = "" +} + +variable "aws_kms_key_id" { + type = string + default = "" +} + +#--------------------------------------- +# Common variables 
+#--------------------------------------- +variable "os_family" { + type = string + default = "linux" +} + +variable "os_name" { + type = string + default = "ubuntu" +} + +variable "os_version" { + type = string + default = "22.04" +} + +variable "role" { + type = string +} + +variable "service" { + type = string +} + +variable "project_ci" { + type = string + default = "" +} + +variable "project_env" { + type = string + default = "QA" +} + +variable "project_git" { + type = string + default = "" +} + +variable "project_name" { + type = string + default = "" +} + +variable "project_owner" { + type = string + default = "" +} + +variable "image_version_number" { + type = string + default = "1970.01.010000" +} + +#--------------------------------------- +# Ansible variables +#--------------------------------------- +variable "inventory_groups" { + description = "List of inventory groups for Ansible" + type = string + default = "" +} + +variable "playbook_file" { + description = "Ansible playbook file to run" + type = string + default = "" +} diff --git a/_tools/packer/windows/windowsserver/scripts/ConfigureRemotingForAnsible.ps1 b/_tools/packer/windows/windowsserver/scripts/ConfigureRemotingForAnsible.ps1 new file mode 100644 index 0000000..7e039bb --- /dev/null +++ b/_tools/packer/windows/windowsserver/scripts/ConfigureRemotingForAnsible.ps1 
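Review bot: `aws_kms_key_id` defaults to `""` while the Windows sources set `encrypt_boot = true` with `kms_key_id = var.aws_kms_key_id`, so an unset value silently falls back to the region's default AWS-managed EBS key instead of a customer-managed one, and nothing in this file says so; add `description = "CMK used for encrypt_boot; empty falls back to the AWS-managed aws/ebs default key"`. The header comment about every variable being 'string' because of Packer JSON is `hcl2_upgrade` boilerplate that no longer applies to a hand-written file and should go, and `cpus`, `memory` and `disk_size` are numeric quantities typed as string — if no consumer depends on string values, `type = number` is the honest type. The section heading `# AWS variables (shared between builders` is missing its closing parenthesis. `image_version_number`'s default `1970.01.010000` does not have the `YYYYMMDDhhmm` shape that `local.version_number` produces; if the two are meant to be interchangeable, the default should be `197001010000`.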
@@ -0,0 +1,453 @@ +#Requires -Version 3.0 + +# Configure a Windows host for remote management with Ansible +# ----------------------------------------------------------- +# +# This script checks the current WinRM (PS Remoting) configuration and makes +# the necessary changes to allow Ansible to connect, authenticate and +# execute PowerShell commands. +# +# All events are logged to the Windows EventLog, useful for unattended runs. +# +# Use option -Verbose in order to see the verbose output messages. +# +# Use option -CertValidityDays to specify how long this certificate is valid +# starting from today. So you would specify -CertValidityDays 3650 to get +# a 10-year valid certificate. +# +# Use option -ForceNewSSLCert if the system has been SysPreped and a new +# SSL Certificate must be forced on the WinRM Listener when re-running this +# script. This is necessary when a new SID and CN name is created. +# +# Use option -EnableCredSSP to enable CredSSP as an authentication option. +# +# Use option -DisableBasicAuth to disable basic authentication. +# +# Use option -SkipNetworkProfileCheck to skip the network profile check. +# Without specifying this the script will only run if the device's interfaces +# are in DOMAIN or PRIVATE zones. Provide this switch if you want to enable +# WinRM on a device with an interface in PUBLIC zone. +# +# Use option -SubjectName to specify the CN name of the certificate. This +# defaults to the system's hostname and generally should not be specified. 
+ +# Written by Trond Hindenes +# Updated by Chris Church +# Updated by Michael Crilly +# Updated by Anton Ouzounov +# Updated by Nicolas Simond +# Updated by Dag Wieërs +# Updated by Jordan Borean +# Updated by Erwan Quélin +# Updated by David Norman +# +# Version 1.0 - 2014-07-06 +# Version 1.1 - 2014-11-11 +# Version 1.2 - 2015-05-15 +# Version 1.3 - 2016-04-04 +# Version 1.4 - 2017-01-05 +# Version 1.5 - 2017-02-09 +# Version 1.6 - 2017-04-18 +# Version 1.7 - 2017-11-23 +# Version 1.8 - 2018-02-23 +# Version 1.9 - 2018-09-21 + +# Support -Verbose option +[CmdletBinding()] + +Param ( + [string]$SubjectName = $env:COMPUTERNAME, + [int]$CertValidityDays = 1095, + [switch]$SkipNetworkProfileCheck, + $CreateSelfSignedCert = $true, + [switch]$ForceNewSSLCert, + [switch]$GlobalHttpFirewallAccess, + [switch]$DisableBasicAuth = $false, + [switch]$EnableCredSSP +) + +Function Write-Log +{ + $Message = $args[0] + Write-EventLog -LogName Application -Source $EventSource -EntryType Information -EventId 1 -Message $Message +} + +Function Write-VerboseLog +{ + $Message = $args[0] + Write-Verbose $Message + Write-Log $Message +} + +Function Write-HostLog +{ + $Message = $args[0] + Write-Output $Message + Write-Log $Message +} + +Function New-LegacySelfSignedCert +{ + Param ( + [string]$SubjectName, + [int]$ValidDays = 1095 + ) + + $hostnonFQDN = $env:computerName + $hostFQDN = [System.Net.Dns]::GetHostByName(($env:computerName)).Hostname + $SignatureAlgorithm = "SHA256" + + $name = New-Object -COM "X509Enrollment.CX500DistinguishedName.1" + $name.Encode("CN=$SubjectName", 0) + + $key = New-Object -COM "X509Enrollment.CX509PrivateKey.1" + $key.ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider" + $key.KeySpec = 1 + $key.Length = 4096 + $key.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)" + $key.MachineContext = 1 + $key.Create() + + $serverauthoid = New-Object -COM "X509Enrollment.CObjectId.1" + 
$serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.1") + $ekuoids = New-Object -COM "X509Enrollment.CObjectIds.1" + $ekuoids.Add($serverauthoid) + $ekuext = New-Object -COM "X509Enrollment.CX509ExtensionEnhancedKeyUsage.1" + $ekuext.InitializeEncode($ekuoids) + + $cert = New-Object -COM "X509Enrollment.CX509CertificateRequestCertificate.1" + $cert.InitializeFromPrivateKey(2, $key, "") + $cert.Subject = $name + $cert.Issuer = $cert.Subject + $cert.NotBefore = (Get-Date).AddDays(-1) + $cert.NotAfter = $cert.NotBefore.AddDays($ValidDays) + + $SigOID = New-Object -ComObject X509Enrollment.CObjectId + $SigOID.InitializeFromValue(([Security.Cryptography.Oid]$SignatureAlgorithm).Value) + + [string[]] $AlternativeName += $hostnonFQDN + $AlternativeName += $hostFQDN + $IAlternativeNames = New-Object -ComObject X509Enrollment.CAlternativeNames + + foreach ($AN in $AlternativeName) + { + $AltName = New-Object -ComObject X509Enrollment.CAlternativeName + $AltName.InitializeFromString(0x3,$AN) + $IAlternativeNames.Add($AltName) + } + + $SubjectAlternativeName = New-Object -ComObject X509Enrollment.CX509ExtensionAlternativeNames + $SubjectAlternativeName.InitializeEncode($IAlternativeNames) + + [String[]]$KeyUsage = ("DigitalSignature", "KeyEncipherment") + $KeyUsageObj = New-Object -ComObject X509Enrollment.CX509ExtensionKeyUsage + $KeyUsageObj.InitializeEncode([int][Security.Cryptography.X509Certificates.X509KeyUsageFlags]($KeyUsage)) + $KeyUsageObj.Critical = $true + + $cert.X509Extensions.Add($KeyUsageObj) + $cert.X509Extensions.Add($ekuext) + $cert.SignatureInformation.HashAlgorithm = $SigOID + $CERT.X509Extensions.Add($SubjectAlternativeName) + $cert.Encode() + + $enrollment = New-Object -COM "X509Enrollment.CX509Enrollment.1" + $enrollment.InitializeFromRequest($cert) + $certdata = $enrollment.CreateRequest(0) + $enrollment.InstallResponse(2, $certdata, 0, "") + + # extract/return the thumbprint from the generated cert + $parsed_cert = New-Object 
System.Security.Cryptography.X509Certificates.X509Certificate2 + $parsed_cert.Import([System.Text.Encoding]::UTF8.GetBytes($certdata)) + + return $parsed_cert.Thumbprint +} + +Function Enable-GlobalHttpFirewallAccess +{ + Write-Verbose "Forcing global HTTP firewall access" + # this is a fairly naive implementation; could be more sophisticated about rule matching/collapsing + $fw = New-Object -ComObject HNetCfg.FWPolicy2 + + # try to find/enable the default rule first + $add_rule = $false + $matching_rules = $fw.Rules | Where-Object { $_.Name -eq "Windows Remote Management (HTTP-In)" } + $rule = $null + If ($matching_rules) { + If ($matching_rules -isnot [Array]) { + Write-Verbose "Editing existing single HTTP firewall rule" + $rule = $matching_rules + } + Else { + # try to find one with the All or Public profile first + Write-Verbose "Found multiple existing HTTP firewall rules..." + $rule = $matching_rules | ForEach-Object { $_.Profiles -band 4 }[0] + + If (-not $rule -or $rule -is [Array]) { + Write-Verbose "Editing an arbitrary single HTTP firewall rule (multiple existed)" + # oh well, just pick the first one + $rule = $matching_rules[0] + } + } + } + + If (-not $rule) { + Write-Verbose "Creating a new HTTP firewall rule" + $rule = New-Object -ComObject HNetCfg.FWRule + $rule.Name = "Windows Remote Management (HTTP-In)" + $rule.Description = "Inbound rule for Windows Remote Management via WS-Management. [TCP 5985]" + $add_rule = $true + } + + $rule.Profiles = 0x7FFFFFFF + $rule.Protocol = 6 + $rule.LocalPorts = 5985 + $rule.RemotePorts = "*" + $rule.LocalAddresses = "*" + $rule.RemoteAddresses = "*" + $rule.Enabled = $true + $rule.Direction = 1 + $rule.Action = 1 + $rule.Grouping = "Windows Remote Management" + + If ($add_rule) { + $fw.Rules.Add($rule) + } + + Write-Verbose "HTTP firewall rule $($rule.Name) updated" +} + +# Setup error handling. 
+Trap +{ + $_ + Exit 1 +} +$ErrorActionPreference = "Stop" + +# Get the ID and security principal of the current user account +$myWindowsID=[System.Security.Principal.WindowsIdentity]::GetCurrent() +$myWindowsPrincipal=new-object System.Security.Principal.WindowsPrincipal($myWindowsID) + +# Get the security principal for the Administrator role +$adminRole=[System.Security.Principal.WindowsBuiltInRole]::Administrator + +# Check to see if we are currently running "as Administrator" +if (-Not $myWindowsPrincipal.IsInRole($adminRole)) +{ + Write-Output "ERROR: You need elevated Administrator privileges in order to run this script." + Write-Output " Start Windows PowerShell by using the Run as Administrator option." + Exit 2 +} + +$EventSource = $MyInvocation.MyCommand.Name +If (-Not $EventSource) +{ + $EventSource = "Powershell CLI" +} + +If ([System.Diagnostics.EventLog]::Exists('Application') -eq $False -or [System.Diagnostics.EventLog]::SourceExists($EventSource) -eq $False) +{ + New-EventLog -LogName Application -Source $EventSource +} + +# Detect PowerShell version. +If ($PSVersionTable.PSVersion.Major -lt 3) +{ + Write-Log "PowerShell version 3 or higher is required." + Throw "PowerShell version 3 or higher is required." +} + +# Find and start the WinRM service. +Write-Verbose "Verifying WinRM service." +If (!(Get-Service "WinRM")) +{ + Write-Log "Unable to find the WinRM service." + Throw "Unable to find the WinRM service." +} +ElseIf ((Get-Service "WinRM").Status -ne "Running") +{ + Write-Verbose "Setting WinRM service to start automatically on boot." + Set-Service -Name "WinRM" -StartupType Automatic + Write-Log "Set WinRM service to start automatically on boot." + Write-Verbose "Starting WinRM service." + Start-Service -Name "WinRM" -ErrorAction Stop + Write-Log "Started WinRM service." + +} + +# WinRM should be running; check that we have a PS session config. 
+If (!(Get-PSSessionConfiguration -Verbose:$false) -or (!(Get-ChildItem WSMan:\localhost\Listener))) +{ + If ($SkipNetworkProfileCheck) { + Write-Verbose "Enabling PS Remoting without checking Network profile." + Enable-PSRemoting -SkipNetworkProfileCheck -Force -ErrorAction Stop + Write-Log "Enabled PS Remoting without checking Network profile." + } + Else { + Write-Verbose "Enabling PS Remoting." + Enable-PSRemoting -Force -ErrorAction Stop + Write-Log "Enabled PS Remoting." + } +} +Else +{ + Write-Verbose "PS Remoting is already enabled." +} + +# Ensure LocalAccountTokenFilterPolicy is set to 1 +# https://github.com/ansible/ansible/issues/42978 +$token_path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" +$token_prop_name = "LocalAccountTokenFilterPolicy" +$token_key = Get-Item -Path $token_path +$token_value = $token_key.GetValue($token_prop_name, $null) +if ($token_value -ne 1) { + Write-Verbose "Setting LocalAccountTOkenFilterPolicy to 1" + if ($null -ne $token_value) { + Remove-ItemProperty -Path $token_path -Name $token_prop_name + } + New-ItemProperty -Path $token_path -Name $token_prop_name -Value 1 -PropertyType DWORD > $null +} + +# Make sure there is a SSL listener. +$listeners = Get-ChildItem WSMan:\localhost\Listener +If (!($listeners | Where-Object {$_.Keys -like "TRANSPORT=HTTPS"})) +{ + # We cannot use New-SelfSignedCertificate on 2012R2 and earlier + $thumbprint = New-LegacySelfSignedCert -SubjectName $SubjectName -ValidDays $CertValidityDays + Write-HostLog "Self-signed SSL certificate generated; thumbprint: $thumbprint" + + # Create the hashtables of settings to be used. + $valueset = @{ + Hostname = $SubjectName + CertificateThumbprint = $thumbprint + } + + $selectorset = @{ + Transport = "HTTPS" + Address = "*" + } + + Write-Verbose "Enabling SSL listener." + New-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset -ValueSet $valueset + Write-Log "Enabled SSL listener." 
+} +Else +{ + Write-Verbose "SSL listener is already active." + + # Force a new SSL cert on Listener if the $ForceNewSSLCert + If ($ForceNewSSLCert) + { + + # We cannot use New-SelfSignedCertificate on 2012R2 and earlier + $thumbprint = New-LegacySelfSignedCert -SubjectName $SubjectName -ValidDays $CertValidityDays + Write-HostLog "Self-signed SSL certificate generated; thumbprint: $thumbprint" + + $valueset = @{ + CertificateThumbprint = $thumbprint + Hostname = $SubjectName + } + + # Delete the listener for SSL + $selectorset = @{ + Address = "*" + Transport = "HTTPS" + } + Remove-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset + + # Add new Listener with new SSL cert + New-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset -ValueSet $valueset + } +} + +# Check for basic authentication. +$basicAuthSetting = Get-ChildItem WSMan:\localhost\Service\Auth | Where-Object {$_.Name -eq "Basic"} + +If ($DisableBasicAuth) +{ + If (($basicAuthSetting.Value) -eq $true) + { + Write-Verbose "Disabling basic auth support." + Set-Item -Path "WSMan:\localhost\Service\Auth\Basic" -Value $false + Write-Log "Disabled basic auth support." + } + Else + { + Write-Verbose "Basic auth is already disabled." + } +} +Else +{ + If (($basicAuthSetting.Value) -eq $false) + { + Write-Verbose "Enabling basic auth support." + Set-Item -Path "WSMan:\localhost\Service\Auth\Basic" -Value $true + Write-Log "Enabled basic auth support." + } + Else + { + Write-Verbose "Basic auth is already enabled." + } +} + +# If EnableCredSSP if set to true +If ($EnableCredSSP) +{ + # Check for CredSSP authentication + $credsspAuthSetting = Get-ChildItem WSMan:\localhost\Service\Auth | Where-Object {$_.Name -eq "CredSSP"} + If (($credsspAuthSetting.Value) -eq $false) + { + Write-Verbose "Enabling CredSSP auth support." + Enable-WSManCredSSP -role server -Force + Write-Log "Enabled CredSSP auth support." 
+ } +} + +If ($GlobalHttpFirewallAccess) { + Enable-GlobalHttpFirewallAccess +} + +# Configure firewall to allow WinRM HTTPS connections. +$fwtest1 = netsh advfirewall firewall show rule name="Allow WinRM HTTPS" +$fwtest2 = netsh advfirewall firewall show rule name="Allow WinRM HTTPS" profile=any +If ($fwtest1.count -lt 5) +{ + Write-Verbose "Adding firewall rule to allow WinRM HTTPS." + netsh advfirewall firewall add rule profile=any name="Allow WinRM HTTPS" dir=in localport=5986 protocol=TCP action=allow + Write-Log "Added firewall rule to allow WinRM HTTPS." +} +ElseIf (($fwtest1.count -ge 5) -and ($fwtest2.count -lt 5)) +{ + Write-Verbose "Updating firewall rule to allow WinRM HTTPS for any profile." + netsh advfirewall firewall set rule name="Allow WinRM HTTPS" new profile=any + Write-Log "Updated firewall rule to allow WinRM HTTPS for any profile." +} +Else +{ + Write-Verbose "Firewall rule already exists to allow WinRM HTTPS." +} + +# Test a remoting connection to localhost, which should work. +$httpResult = Invoke-Command -ComputerName "localhost" -ScriptBlock {$env:COMPUTERNAME} -ErrorVariable httpError -ErrorAction SilentlyContinue +$httpsOptions = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck + +$httpsResult = New-PSSession -UseSSL -ComputerName "localhost" -SessionOption $httpsOptions -ErrorVariable httpsError -ErrorAction SilentlyContinue + +If ($httpResult -and $httpsResult) +{ + Write-Verbose "HTTP: Enabled | HTTPS: Enabled" +} +ElseIf ($httpsResult -and !$httpResult) +{ + Write-Verbose "HTTP: Disabled | HTTPS: Enabled" +} +ElseIf ($httpResult -and !$httpsResult) +{ + Write-Verbose "HTTP: Enabled | HTTPS: Disabled" +} +Else +{ + Write-Log "Unable to establish an HTTP or HTTPS remoting session." + Throw "Unable to establish an HTTP or HTTPS remoting session." +} +Write-VerboseLog "PS Remoting has been successfully configured for Ansible." 
diff --git a/_tools/packer/windows/windowsserver/scripts/bootstrap.txt b/_tools/packer/windows/windowsserver/scripts/bootstrap.txt
new file mode 100644
index 0000000..074b42e
--- /dev/null
+++ b/_tools/packer/windows/windowsserver/scripts/bootstrap.txt
@@ -0,0 +1,47 @@
+
+
+# MAKE SURE IN YOUR PACKER CONFIG TO SET:
+#
+#
+# "winrm_username": "Administrator",
+# "winrm_insecure": true,
+# "winrm_use_ssl": true,
+#
+#
+
+
+write-output "Running User Data Script"
+write-host "(host) Running User Data Script"
+
+Set-ExecutionPolicy Unrestricted -Scope LocalMachine -Force -ErrorAction Ignore
+
+# Don't set this before Set-ExecutionPolicy as it throws an error
+$ErrorActionPreference = "stop"
+
+# Remove HTTP listener
+Remove-Item -Path WSMan:\Localhost\listener\listener* -Recurse
+
+# Create a self-signed certificate to let ssl work
+$Cert = New-SelfSignedCertificate -CertstoreLocation Cert:\LocalMachine\My -DnsName "packer"
+New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $Cert.Thumbprint -Force
+
+# WinRM
+write-output "Setting up WinRM"
+write-host "(host) setting up WinRM"
+
+cmd.exe /c winrm quickconfig -q
+cmd.exe /c winrm set "winrm/config" '@{MaxTimeoutms="1800000"}'
+cmd.exe /c winrm set "winrm/config/winrs" '@{MaxMemoryPerShellMB="1024"}'
+cmd.exe /c winrm set "winrm/config/service" '@{AllowUnencrypted="true"}'
+cmd.exe /c winrm set "winrm/config/client" '@{AllowUnencrypted="true"}'
+cmd.exe /c winrm set "winrm/config/service/auth" '@{Basic="true"}'
+cmd.exe /c winrm set "winrm/config/client/auth" '@{Basic="true"}'
+cmd.exe /c winrm set "winrm/config/service/auth" '@{CredSSP="true"}'
+cmd.exe /c winrm set "winrm/config/listener?Address=*+Transport=HTTPS" "@{Port=`"5986`";Hostname=`"packer`";CertificateThumbprint=`"$($Cert.Thumbprint)`"}"
+cmd.exe /c netsh advfirewall firewall set rule group="remote administration" new enable=yes
+cmd.exe /c netsh firewall add portopening TCP 5986 "Port 5986"
+cmd.exe /c net stop winrm
+cmd.exe /c sc config winrm start= auto
+cmd.exe /c net start winrm
+
+
diff --git a/_tools/packer/windows/windowsserver/windows-2016.pkr.hcl b/_tools/packer/windows/windowsserver/windows-2016.pkr.hcl
new file mode 100644
index 0000000..389b979
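Review bot: The two `AllowUnencrypted="true"` settings (service and client) are applied after the script has already removed the HTTP listener and bound an HTTPS one, and the Packer sources that use this file connect with `winrm_use_ssl = true`, so unencrypted WinRM is never needed here; nothing later in the build reverts them before sysprep, so they are baked into every AMI. Drop `cmd.exe /c winrm set "winrm/config/service" '@{AllowUnencrypted="true"}'` and the matching `winrm/config/client` line; `Basic="true"` can stay only because Packer's WinRM communicator authenticates with Basic unless `winrm_use_ntlm = true` is set, and that should be said in the header comment. `winrm quickconfig -q` runs after the listener cleanup and, as far as I recall, creates a default HTTP listener when it finds none — verify with `winrm enumerate winrm/config/listener` on a test build and move the `Remove-Item ... listener*` step after it if so. `netsh firewall add portopening` is the deprecated pre-Vista context; use `netsh advfirewall firewall add rule name="WinRM HTTPS" dir=in protocol=TCP localport=5986 action=allow`. Finally, if the committed file really has no `<powershell>` wrapper around this body (the rendering here shows only blank first and last lines), EC2Launch will not execute it as PowerShell at all.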
--- /dev/null
+++ b/_tools/packer/windows/windowsserver/windows-2016.pkr.hcl
@@ -0,0 +1,199 @@ +#-------------------------------------- +# Amazon EBS +#-------------------------------------- +source "amazon-ebs" "windows-2016" { + ami_name = format("windows-2016-%s-%s-%s", var.service, var.role, legacy_isotime("2006-01-02T15-04-05")) + ami_description = format("debian-%s-%s", var.service, var.role) + + encrypt_boot = true + force_delete_snapshot = true + force_deregister = true + kms_key_id = var.aws_kms_key_id + + region = var.aws_region + instance_type = var.aws_instance_type + + user_data_file = "./windows/windowsserver/scripts/bootstrap.txt" + communicator = "winrm" + winrm_username = "Administrator" + winrm_insecure = true + winrm_use_ssl = true + source_ami_filter { + filters = { + name = "Windows_Server-2016-English-Full-Base*" + root-device-type = "ebs" + virtualization-type = "hvm" + } + most_recent = true + owners = ["801119661308"] + } + + vpc_filter { + filters = { + "tag:Name" = var.aws_vpc_name + } + } + subnet_filter { + filters = { + "tag:Name" = var.aws_subnet_name + } + most_free = true + random = true + } + + security_group_filter { + filters = { + "tag:Name" : var.aws_security_group_filter + } + } + run_tags = { + Project = var.project_name + Env = var.project_env + Name = format("Packer Builder %s", var.service) + ci = var.project_ci + git = var.project_git + owner = var.project_owner + osBase = "windows-2016" + } + + tags = { + Project = var.project_name + Env = var.project_env + Name = format("%s-%s", var.service, var.role) + Role = var.role + Service = var.service + SourceAMI = var.source_ami + ci = var.project_ci + git = var.project_git + owner = var.project_owner + osBase = "windows-2016" + } + +} + +#-------------------------------------- +# Vagrant +#-------------------------------------- +source "vagrant" "windows-2016" { + source_path = "jborean93/WindowsServer2016" + provider = "virtualbox" + # the Vagrant builder currently only supports the ssh communicator + communicator = "ssh" + ssh_username = "vagrant" + 
ssh_password = "vagrant" + teardown_method = "suspend" + skip_package = true + box_name = "windows-2016" + output_dir = "${var.build_directory}/windows-2016/vagrant" +} + +# a build block invokes sources and runs provisioning steps on them. The +# documentation for build blocks can be found here: +# https://www.packer.io/docs/templates/hcl_templates/blocks/build +build { + sources = [ + "source.amazon-ebs.windows-2016", + "source.vagrant.windows-2016" + ] + + # provisioner "ansible" { + # command = "./scripts/ansible.sh" + # user = "${build.User}" + # use_proxy = false + # ansible_env_vars = [ + # "ANSIBLE_HOST_KEY_CHECKING=False", + # "ANSIBLE_SSH_ARGS='-o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'", + # "ANSIBLE_NOCOLOR=True" + # ] + # extra_arguments = [ + # #"-v", + # "--extra-vars", + # "ansible_ssh_pass=${build.User} version_number=${local.version_number} ansible_shell_type=cmd ansible_shell_executable=None" + # ] + # host_alias = "none" + # playbook_file = "../../ansible/roles/ansible-role-example-role/site.yml" + # only = ["vagrant.windows-2016"] + # } + + # provisioner "ansible" { + # command = "./scripts/ansible.sh" + # user = "${build.User}" + # use_proxy = false + # ansible_env_vars = [ + # "ANSIBLE_HOST_KEY_CHECKING=False", + # "ANSIBLE_SSH_ARGS='-o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'", + # "ANSIBLE_NOCOLOR=True" + # ] + # extra_arguments = [ + # #"-v", + # "--extra-vars", + # "ansible_ssh_pass=${build.User} version_number=${local.version_number} ansible_shell_type=cmd ansible_shell_executable=None rule_2_3_1_5=false win_skip_for_test=true rule_2_3_1_1=false" + # ] + # host_alias = "none" + # playbook_file = "../../ansible/galaxy/roles/Windows-2016-CIS/site.yml" + # only = ["vagrant.windows-2016"] + # } + + + # provisioner "ansible" { + # command = "./packer/scripts/ansible.sh" + # user = 
"${build.User}" + # use_proxy = false + # extra_arguments = [ + # #"-v", + # "--extra-vars", + # "ansible_winrm_server_cert_validation=ignore ansible_connection=winrm ansible_shell_type=powershell ansible_shell_executable=None ansible_user=${build.User}" + # ] + # host_alias = "none" + # playbook_file = "../../ansible/roles/ansible-role-example-role/site.yml" + # only = ["amazon-ebs.windows-2016"] + # } + + # provisioner "ansible" { + # command = "./scripts/ansible.sh" + # user = "${build.User}" + # use_proxy = false + # extra_arguments = [ + # #"-v", + # "--extra-vars", + # "ansible_winrm_server_cert_validation=ignore ansible_connection=winrm ansible_shell_type=powershell ansible_shell_executable=None ansible_user=${build.User} section01_patch=true section02_patch=false section09_patch=true section17_patch=true section18_patch=false section19_patch=false rule_2_3_1_5=false rule_2_3_1_6=false" + # ] + # host_alias = "none" + # playbook_file = "../../ansible/galaxy/roles/Windows-2016-CIS/site.yml" + # only = ["amazon-ebs.windows-2016"] + # } + + # provisioner "shell-local" { + # inline = ["curl -s https://api.ipify.org/?format=none"] + # } + + + # Install EC2Launch + provisioner "powershell" { + inline = [ + "Write-Host \"Download EC2Launch to temp folder $env:Temp\"", + "Invoke-WebRequest -Uri https://s3.amazonaws.com/ec2-downloads-windows/EC2Launch/latest/EC2-Windows-Launch.zip -OutFile $env:Temp/EC2-Windows-Launch.zip", + "Invoke-WebRequest -Uri https://s3.amazonaws.com/ec2-downloads-windows/EC2Launch/latest/install.ps1 -OutFile $env:Temp/EC2Launch-Install.ps1", + "Write-Host Install EC2Launch", + "Invoke-Expression -Command $env:Temp/EC2Launch-Install.ps1" + ] + only = ["amazon-ebs.windows-2016"] + } + + # Print out EC2Launch Version + provisioner "powershell" { + inline = [ + "Write-Host EC2Launch Version", + "Test-ModuleManifest -Path \"C:\\ProgramData\\Amazon\\EC2-Windows\\Launch\\Module\\Ec2Launch.psd1\""] + only = ["amazon-ebs.windows-2016"] + } + + 
provisioner "powershell" { + inline = [ + "C:/ProgramData/Amazon/EC2-Windows/Launch/Scripts/InitializeInstance.ps1 -Schedule", + "C:/ProgramData/Amazon/EC2-Windows/Launch/Scripts/SysprepInstance.ps1 -NoShutdown" + ] + only = ["amazon-ebs.windows-2016"] + } + +} diff --git a/_tools/packer/windows/windowsserver/windows-2019.pkr.hcl b/_tools/packer/windows/windowsserver/windows-2019.pkr.hcl new file mode 100644 index 0000000..c489de5 --- /dev/null +++ b/_tools/packer/windows/windowsserver/windows-2019.pkr.hcl 
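Review bot: `SourceAMI = var.source_ami` in `tags` references a variable this patch deletes with templates/ubuntu-bionic/variables.pkr.hcl and does not redeclare in the new _tools/packer/variables.pkr.hcl (only `aws_source_ami_*` exist there), so unless it is declared in a file outside this patch the template fails to evaluate; since the image comes from `source_ami_filter`, `SourceAMI = "{{ .SourceAMI }}"` records the AMI that was actually resolved. `ami_description` is `format("debian-%s-%s", ...)` on a Windows Server 2016 build; `format("windows-2016-%s-%s", var.service, var.role)` matches `ami_name`. The EC2Launch step downloads `install.ps1` and feeds it straight to `Invoke-Expression` with no hash or signature check, so the image contents depend on whatever that S3 path serves at build time — at minimum compare a known SHA-256 with `Get-FileHash` before executing, or install from a versioned path. The user-data bootstrap leaves `AllowUnencrypted` and Basic auth enabled and nothing between it and `SysprepInstance.ps1 -NoShutdown` reverts them, so that state is captured in the AMI; a final `powershell` provisioner that resets them before the sysprep step would keep the build-time weakening out of the image.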
@@ -0,0 +1,238 @@ +#-------------------------------------- +# Amazon EBS +#-------------------------------------- +source "amazon-ebs" "windows-2019" { + ami_name = format("windows-2016-%s-%s-%s", var.service, var.role, legacy_isotime("2006-01-02T15-04-05")) + ami_description = format("debian-%s-%s", var.service, var.role) + + encrypt_boot = true + force_delete_snapshot = true + force_deregister = true + kms_key_id = var.aws_kms_key_id + + region = var.aws_region + instance_type = var.aws_instance_type + + user_data_file = "./windows/windowsserver/scripts/bootstrap.txt" + communicator = "winrm" + winrm_username = "Administrator" + winrm_insecure = true + winrm_use_ssl = true + source_ami_filter { + filters = { + name = "Windows_Server-2019-English-Full-Base*" + root-device-type = "ebs" + virtualization-type = "hvm" + } + most_recent = true + owners = ["801119661308"] + } + + vpc_filter { + filters = { + "tag:Name" = var.aws_vpc_name + } + } + subnet_filter { + filters = { + "tag:Name" = var.aws_subnet_name + } + most_free = true + random = true + } + + security_group_filter { + filters = { + "tag:Name" : var.aws_security_group_filter + } + } + run_tags = { + Project = var.project_name + Env = var.project_env + Name = format("Packer Builder %s", var.service) + ci = var.project_ci + git = var.project_git + owner = var.project_owner + osBase = "windows-2019" + } + + tags = { + Project = var.project_name + Env = var.project_env + Name = format("%s-%s", var.service, var.role) + Role = var.role + Service = var.service + SourceAMI = var.source_ami + ci = var.project_ci + git = var.project_git + owner = var.project_owner + osBase = "windows-2019" + } +} + +#-------------------------------------- +# Vagrant +#-------------------------------------- +source "vagrant" "windows-2019" { + source_path = "jborean93/WindowsServer2019" + provider = "virtualbox" + # the Vagrant builder currently only supports the ssh communicator + communicator = "ssh" + ssh_username = "vagrant" + 
ssh_password = "vagrant" + teardown_method = "suspend" + skip_package = true + box_name = "windows-2019" + output_dir = "${var.build_directory}/windows-2019/vagrant" +} + +# a build block invokes sources and runs provisioning steps on them. The +# documentation for build blocks can be found here: +# https://www.packer.io/docs/templates/hcl_templates/blocks/build +build { + sources = [ + "source.amazon-ebs.windows-2019", + "source.vagrant.windows-2019" + ] + + provisioner "powershell" { + script = "./windows/windowsserver/scripts/ConfigureRemotingForAnsible.ps1" + only = ["azure-arm.windows-2019"] + } + + # provisioner "ansible" { + # command = "./scripts/ansible.sh" + # user = "${build.User}" + # use_proxy = false + # ansible_env_vars = [ + # "ANSIBLE_HOST_KEY_CHECKING=False", + # "ANSIBLE_SSH_ARGS='-o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'", + # "ANSIBLE_NOCOLOR=True" + # ] + # extra_arguments = [ + # #"-v", + # "--extra-vars", + # "ansible_ssh_pass=${build.User} version_number=${local.version_number} ansible_shell_type=cmd ansible_shell_executable=None" + # ] + # host_alias = "none" + # playbook_file = "../../ansible/roles/ansible-role-example-role/site.yml" + # only = ["vagrant.windows-2019"] + # } + + # provisioner "ansible" { + # command = "./scripts/ansible.sh" + # user = "vagrant" + # use_proxy = false + # ansible_env_vars = [ + # "ANSIBLE_HOST_KEY_CHECKING=False", + # "ANSIBLE_SSH_ARGS='-o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'", + # "ANSIBLE_NOCOLOR=True" + # ] + # extra_arguments = [ + # #"-v", + # "--extra-vars", + # "ansible_ssh_pass=vagrant version_number=${local.version_number} ansible_shell_type=cmd ansible_shell_executable=None rule_2_3_1_5=false win_skip_for_test=true rule_2_3_1_1=false" + # ] + # host_alias = "none" + # playbook_file = 
"../../ansible/galaxy/roles/Windows-2019-CIS/site.yml" + # only = ["vagrant.windows-2019"] + # } + + # provisioner "ansible" { + # command = "./scripts/ansible.sh" + # user = "vagrant" + # use_proxy = false + # ansible_env_vars = [ + # "ANSIBLE_HOST_KEY_CHECKING=False", + # "ANSIBLE_SSH_ARGS='-o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'", + # "ANSIBLE_NOCOLOR=True" + # ] + # extra_arguments = [ + # # "-vvv", + # "--extra-vars", + # "ansible_ssh_pass=vagrant version_number=${local.version_number} ansible_shell_type=cmd ansible_shell_executable=None ansbile_become=yes ansible_become_method=runas" + # ] + # host_alias = "none" + # playbook_file = "../../ansible/roles/ansible-role-vm-config/site.yml" + # only = ["vagrant.windows-2019"] + # } + + # provisioner "ansible" { + # command = "./scripts/ansible.sh" + # user = "${build.User}" + # use_proxy = false + # extra_arguments = [ + # #"-v", + # "--extra-vars", + # "ansible_winrm_server_cert_validation=ignore version_number=${local.version_number}" + # ] + # host_alias = "none" + # playbook_file = "../../ansible/roles/ansible-role-example-role/site.yml" + # only = ["amazon-ebs.windows-2019", "googlecompute.windows-2019", "azure-arm.windows-2019"] + # } + + /* + provisioner "ansible" { + command = "./scripts/ansible.sh" + user = "${build.User}" + use_proxy = false + extra_arguments = [ + #"-v", + "--extra-vars", + "ansible_winrm_server_cert_validation=ignore version_number=${local.version_number}" + ] + host_alias = "none" + playbook_file = "../../ansible/galaxy/roles/ansible-role-win_openssh/site.yml" + only = ["amazon-ebs.windows-2019", "googlecompute.windows-2019", "azure-arm.windows-2019"] + } + */ + + # provisioner "ansible" { + # command = "./scripts/ansible.sh" + # user = "${build.User}" + # use_proxy = false + # extra_arguments = [ + # #"-v", + # "--extra-vars", + # "ansible_winrm_server_cert_validation=ignore 
version_number=${local.version_number}" + # ] + # host_alias = "none" + # playbook_file = "../../ansible/roles/ansible-role-example-role/site.yml" + # only = ["amazon-ebs.windows-2019", "googlecompute.windows-2019", "azure-arm.windows-2019"] + # } + + # provisioner "ansible" { + # command = "./scripts/ansible.sh" + # user = "${build.User}" + # use_proxy = false + # extra_arguments = [ + # #"-v", + # "--extra-vars", + # "ansible_winrm_server_cert_validation=ignore section02_patch=false rule_2_3_1_5=false rule_2_3_1_1=false win_skip_for_test=true rule_2_3_1_5=false rule_2_3_1_6=false" + # ] + # host_alias = "none" + # playbook_file = "../../ansible/galaxy/roles/Windows-2019-CIS/site.yml" + # only = ["amazon-ebs.windows-2019", "googlecompute.windows-2019", "azure-arm.windows-2019"] + # } + + provisioner "shell-local" { + inline = ["curl -s https://api.ipify.org/?format=none"] + } + + provisioner "powershell" { + inline = [ + "Get-ItemProperty HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\State", + "C:\\windows\\system32/sysprep\\sysprep.exe /oobe /generalize /quiet /quit /mode:vm", + "while($true) { $imageState = Get-ItemProperty HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\State | Select ImageState; if($imageState.ImageState -ne 'IMAGE_STATE_GENERALIZE_RESEAL_TO_OOBE') { Write-Output $imageState.ImageState; Start-Sleep -s 10 } else { break } }" + ] + only = ["azure-arm.windows-2019"] + } + + provisioner "powershell" { + inline = [ + "Get-ItemProperty HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\State", + "GCESysprep -no_shutdown" + ] + only = ["googlecompute.windows-2019"] + } +} diff --git a/_tools/scripts/common.sh b/_tools/scripts/common.sh new file mode 100755 index 0000000..af809b8 --- /dev/null +++ b/_tools/scripts/common.sh 
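Review bot: In `source "amazon-ebs" "windows-2019"` the `ami_name` is built from `"windows-2016-%s-%s-%s"` and `ami_description` from `"debian-%s-%s"`, so the published AMI is mislabelled and indistinguishable by name from the 2016 build; use `"windows-2019-%s-%s-%s"` and `"windows-2019-%s-%s"` to match the `osBase` tag. The `only` filters on the `ConfigureRemotingForAnsible.ps1` step and on both sysprep steps name `azure-arm.windows-2019` and `googlecompute.windows-2019`, neither of which appears in `sources`, so the amazon-ebs image is never generalized, unlike the 2016 template which runs `InitializeInstance.ps1 -Schedule` and `SysprepInstance.ps1 -NoShutdown` for `amazon-ebs.windows-2016`. `winrm_insecure = true` disables certificate validation on the WinRM channel to the builder; if the self-signed bootstrap certificate is the reason, a comment saying so (`# winrm_insecure: bootstrap.txt installs a self-signed cert, validation is not possible here`) would stop the next reader from treating it as an oversight. The `shell-local` step `curl -s https://api.ipify.org/?format=none` contacts a third-party service on every build for no build purpose; it is commented out in the 2016 template and should be removed here too.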
@@ -0,0 +1,65 @@
+#!/usr/bin/env bash
+set -eo pipefail
+
+# declare colors
+RED="\e[31m"
+GREEN="\e[32m"
+YELLOW="\e[33m"
+BLUE="\e[34m"
+MAGENTA="\e[35m"
+CYAN="\e[36m"
+WHITE="\e[37m"
+BOLD="\e[1m"
+UNDERLINE="\e[4m"
+REVERSED="\e[7m"
+BLACK="\e[30m"
+# Reset all colors
+RESET="\e[0m"
+
+info() {
+ printf "\r%s: ${CYAN}%s${RESET}\n" "$1" "$2"
+}
+
+msg() {
+ printf "Service: ${MAGENTA}%s${RESET} is already at version: ${CYAN}%s${RESET}\n" "$1" "$2"
+}
+
+success() {
+ printf "Service: ${MAGENTA}%s${RESET} is already at version: ${GREEN}%s${RESET}\n" "$1" "$2"
+}
+
+fail() {
+ printf "\r${RED}%s${RESET}\n" "$1"
+ exit 1
+}
+
+warm() {
+ printf "\r${YELLOW}%s${RESET}\n" "$1"
+}
+
+divider() {
+ printf "\r\033[0;1m========================================================================\033[0m\n"
+}
+
+pause_for_confirmation() {
+ # shellcheck disable=SC2034
+ read -rsp $'Press any key to continue (ctrl-c to quit):\n' -n1 key
+}
+
+cclear() {
+ clear
+}
+
+interrupt_count=0
+interrupt_handler() {
+ ((interrupt_count += 1))
+
+ echo ""
+ if [[ $interrupt_count -eq 1 ]]; then
+ fail "Really quit? Hit ctrl-c again to confirm."
+ else
+ echo "Goodbye!"
+ exit
+ fi
+}
+
diff --git a/_tools/scripts/init-tf-cloud.sh b/_tools/scripts/init-tf-cloud.sh
deleted file mode 100755
index 45bf43a..0000000
--- a/_tools/scripts/init-tf-cloud.sh
+++ /dev/null
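Review bot: `interrupt_handler` calls `fail`, and `fail` in this file ends with `exit 1`, so the first ctrl-c terminates the script immediately and the "Hit ctrl-c again to confirm" branch is unreachable; use `warm "Really quit? Hit ctrl-c again to confirm."` there (the `fail` in the deleted init-tf-cloud.sh did not exit, which is why the pattern worked before). `success` prints "is already at version", the same wording as `msg`, but its caller in terraform-version.sh invokes it right after rewriting the file; `printf "Service: ${MAGENTA}%s${RESET} updated to version: ${GREEN}%s${RESET}\n" "$1" "$2"` would describe what actually happened. `warm` reads as a typo of `warn` inherited from the old scripts; renaming it now, while the only callers are in this commit, is cheap.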
@@ -1,257 +0,0 @@ -#!/usr/bin/env bash -set -euo pipefail - -info() { - printf "\r\033[00;35m$1\033[0m\n" -} - -success() { - printf "\r\033[00;32m$1\033[0m\n" -} - -fail() { - printf "\r\033[0;31m$1\033[0m\n" -} - -warm() { - printf "\r\033[0;33m$1\033[0m\n" -} - -divider() { - printf "\r\033[0;1m========================================================================\033[0m\n" -} - -pause_for_confirmation() { - read -rsp $'Press any key to continue (ctrl-c to quit):\n' -n1 key -} - -# Set up an interrupt handler so we can exit gracefully -interrupt_count=0 -interrupt_handler() { - ((interrupt_count += 1)) - - echo "" - if [[ $interrupt_count -eq 1 ]]; then - fail "Really quit? Hit ctrl-c again to confirm." - else - echo "Goodbye!" - exit - fi -} -trap interrupt_handler SIGINT SIGTERM - -# This setup script does all the magic. - -# Check for required tools -declare -a req_tools=("terraform" "sed" "curl" "jq") -for tool in "${req_tools[@]}"; do - if ! command -v "$tool" > /dev/null; then - fail "It looks like '${tool}' is not installed; please install it and run this setup script again." - exit 1 - fi -done - -# Check for required Terraform version -if ! terraform version -json | jq -r '.terraform_version' &> /dev/null; then - echo - fail "Terraform 0.13 or later is required for this setup script!" 
- echo "You are currently running:" - terraform version - exit 1 -fi - -# Set up some variables we'll need -HOST="${1:-app.terraform.io}" -TERRAFORM_VERSION=$(terraform version -json | jq -r '.terraform_version') -# Get owner email and organization_name from json -ORGANIZATION_NAME=$(jq -r '.organization_name' organization.json) -ADMIN_OWNER=$(jq -r '.admin_email' organization.json) - -###################### -# create organization -###################### -create_organization() { - local result=0 - local response - response=$(curl https://$HOST/api/v2/organizations \ - --request POST \ - --silent \ - --header "Content-Type: application/vnd.api+json" \ - --header "Authorization: Bearer $TOKEN" \ - --data @- << REQ_CREATE_ORG -{ - "data": { - "type": "organizations", - "attributes": { - "name": "${ORGANIZATION_NAME}", - "email": "${ADMIN_OWNER}" - } - } -} -REQ_CREATE_ORG -) - if [[ $(echo $response | jq -r '.errors') != null ]]; then - if [[ $(echo $response | jq -r '.errors[].status') == 422 ]]; then - info "$(echo $response | jq --raw-output .'errors[].detail')" - else - fail "An unknown error occurred: ${response}" - fi - elif [[ $(echo $response | jq -r '.data.type') == "organizations" ]]; then - success "Organization $(echo $response | jq -r '.data.attributes.name') created !!" 
- fi -} - -###################### -# Create workspace if needed -###################### -create_workspace() { - local result - local response - local workdir - response=$(curl https://$HOST/api/v2/organizations/${ORGANIZATION_NAME}/workspaces \ - --request POST \ - --silent \ - --header "Content-Type: application/vnd.api+json" \ - --header "Authorization: Bearer $TOKEN" \ - --data @- << REQ_CREATE_WKS -{ - "data": { - "type": "workspaces", - "attributes": { - "name": "${WORKSPACE_NAME}", - "terraform-version": "${TERRAFORM_VERSION}", - "working-directory": "${WORKING_DIRECTORY}", - "description": "${WORKSPACE_DESCRIPTION}" - } - } -} -REQ_CREATE_WKS -) - if [[ $(echo $response | jq -r '.errors') != null ]]; then - if [[ $(echo $response | jq -r '.errors[].status') == 422 ]]; then - update_workspace - else - fail "An unknown error occurred: ${response}" - fi - elif [[ $(echo $response | jq -r '.data.type') == "workspaces" ]]; then - success "Workspace $(echo $response | jq -r '.data.attributes.name') created !" - fi -} - -###################### -# Updarte workspace -###################### -update_workspace() { - local result - local response - local workdir - response=$(curl https://$HOST/api/v2/organizations/${ORGANIZATION_NAME}/workspaces/${WORKSPACE_NAME} \ - --request PATCH \ - --silent \ - --header "Content-Type: application/vnd.api+json" \ - --header "Authorization: Bearer $TOKEN" \ - --data @- << REQ_UPDATE_WKS -{ - "data": { - "type": "workspaces", - "attributes": { - "name": "${WORKSPACE_NAME}", - "terraform-version": "${TERRAFORM_VERSION}", - "working-directory": "${WORKING_DIRECTORY}", - "description": "${WORKSPACE_DESCRIPTION}", - "global-remote-state": "true" - } - } -} -REQ_UPDATE_WKS -) - if [[ $(echo $response | jq -r '.errors') != null ]]; then - fail "An unknown error occurred: ${response}" - elif [[ $(echo $response | jq -r '.data.type') == "workspaces" ]]; then - success "Workspace : $(echo $response | jq -r '.data.attributes.name') updated !" 
- fi -} - -############################################################################### -# Check that we've already authenticated via Terraform in the static credentials -# file. -CREDENTIALS_FILE="$HOME/.terraform.d/credentials.tfrc.json" -TOKEN=$(jq -j --arg h "$HOST" '.credentials[$h].token' $CREDENTIALS_FILE) -if [[ ! -f $CREDENTIALS_FILE || $TOKEN == null ]]; then - fail "We couldn't find a token in the Terraform credentials file at $CREDENTIALS_FILE." - fail "Please run 'terraform login', then run this setup script again." - exit 1 -fi - -# Create a Terraform Cloud organization -clear -divider -echo "Creating an organization if needed ..." -create_organization -divider -echo - -# update organizations name for each _backend.tf file -find . -type f -name "backend.tf" -print0 | while read -d $'\0' BACKEND_TF -do - echo "Found terraform backend file : ${BACKEND_TF}" - if ! grep "organization = \"${ORGANIZATION_NAME}\"" $BACKEND_TF 2>&1 >/dev/null ; then - info "Need to change this file ^^^" - TEMP=$(mktemp) - cat $BACKEND_TF | - sed -e "s/.* organization = \".*\"/ organization = \"${ORGANIZATION_NAME}\"/" \ - > $TEMP - mv $TEMP $BACKEND_TF - chmod 0644 $BACKEND_TF - terraform fmt $BACKEND_TF - fi -done - -divider -echo - -# Workspaces creation -# Based on each .terraform-config file present in service/env/region directories -find . 
-type f -name ".terraform-config" -print0 | while read -d $'\0' CONFIG_TF -do - echo "Found terraform config file : ${CONFIG_TF}" - - OLDIFS=$IFS - IFS='/' array=($CONFIG_TF) - IFS=$OLDIFS - - _SERVICE="${array[1]}" - _ENV="${array[2]}" - _REGION="${array[3]}" - - _LABEL_SERVICE=$(echo ${_SERVICE} | tr '[:lower:]' '[:upper:]') - _LABEL_ENV=$(echo ${_ENV} | tr '[:lower:]' '[:upper:]') - _LABEL_REGION=$(echo ${_REGION} | tr '[:lower:]' '[:upper:]') - - WORKSPACE_NAME="${_SERVICE}-${_ENV}-${_REGION}" - WORKING_DIRECTORY="${_SERVICE}/${_ENV}/${_REGION}" - WORKSPACE_DESCRIPTION="Workspace : ${_LABEL_ENV} for ${_LABEL_SERVICE} on ${_LABEL_REGION}" - - # check if .terraform-config is existing and correct - if ! grep "name = \"${WORKSPACE_NAME}\"" $CONFIG_TF 2>&1 >/dev/null ; then - info "Need to change this file ^^^" - TEMP=$(mktemp) - cat $CONFIG_TF | - sed -e "s/.*name = \".*\"/ name = \"${WORKSPACE_NAME}\"/" \ - > $TEMP - mv $TEMP $CONFIG_TF - chmod 0644 $CONFIG_TF - fi - - echo "If needed we create workspace : ${WORKSPACE_NAME} ..." - create_workspace ${WORKSPACE_NAME} ${WORKING_DIRECTORY} - echo - -done - -# Commit all changes -# echo "Commit all changes ?" -# pause_for_confirmation -# git commit -v -a -s --no-edit --amend - -exit 0 diff --git a/_tools/scripts/terraform-version.sh b/_tools/scripts/terraform-version.sh new file mode 100755 index 0000000..4ed55d5 --- /dev/null +++ b/_tools/scripts/terraform-version.sh 
@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Declare Root project directory
+ROOT_DIRECTORY="$1"
+
+# shellcheck disable=SC1091
+source "${ROOT_DIRECTORY}/_tools/scripts/common.sh"
+
+# Set up an interrupt handler so we can exit gracefully
+trap interrupt_handler SIGINT SIGTERM
+
+# Version reference
+VERSION_REF=$(cat "${ROOT_DIRECTORY}"/.terraform-version)
+info "=> Terraform global version" "${VERSION_REF}"
+
+# Find all .terraform-version files
+# Exclude root .terraform-version file from search (mindepth)
+cd "${ROOT_DIRECTORY}" || fail "Failed to change directory to ${ROOT_DIRECTORY}"
+find . -type f -name ".terraform-version" -mindepth 2 -print0 | while read -r -d $'\0' TF_VERSION_FILE
+do
+ # Get module name with the 1 part of each string
+ MODULE_CUR=$(echo "${TF_VERSION_FILE}" | awk -F'/' '{print $2}')
+ # Get current version
+ VERSION_CUR=$(cat "${TF_VERSION_FILE}")
+
+ # check if .terraform-version is existing and correct
+ if [ -n "${MODULE_CUR}" ] ; then
+ if [ "${VERSION_CUR}" != "${VERSION_REF}" ] ; then
+ echo -n "${VERSION_REF}" > "${TF_VERSION_FILE}"
+ chmod 0644 "${TF_VERSION_FILE}"
+ success "${MODULE_CUR}" "${VERSION_REF}"
+ else
+ msg "${MODULE_CUR}" "${VERSION_CUR}"
+ fi
+ fi
+done
+
+# Commit all changes
+# git status
+# echo "Commit all changes ?"
+# pause_for_confirmation
+# #git commit -v -a -s --no-edit --amend
+# info "Changes have been made. Consider running 'git commit -am \"Update Terraform versions\"' to save them."
+
+exit 0
diff --git a/_tools/scripts/tfc-manage.py b/_tools/scripts/tfc-manage.py
new file mode 100755
index 0000000..9d9c866
--- /dev/null
+++ b/_tools/scripts/tfc-manage.py
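Review bot: `ROOT_DIRECTORY="$1"` under `set -u` aborts with a bare "unbound variable" message when the script is run without an argument, and a wrong path only surfaces as a failure of the `source` line; add `[ $# -eq 1 ] && [ -d "$1" ] || { echo "usage: $0 ROOT_DIRECTORY" >&2; exit 2; }` before the `source`, since the `fail` helper is not available until common.sh has been sourced. `-mindepth 2` is placed after `-type f -name`, which GNU find accepts but reports with an "options not applicable" warning on every run; move it directly after `.`. A comment on the `awk -F'/' '{print $2}'` line noting that it depends on the `cd` above producing `./<module>/...` relative paths would help the next reader, since `MODULE_CUR` would be wrong if the `find` were ever given an absolute path.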
@@ -0,0 +1,334 @@ +#!/usr/bin/env python3 +import json +import os +import sys +import logging +import re +import string +from os.path import join # Import join from os.path for path manipulation +import subprocess # Import the subprocess module to run shell commands +# import requests # Import the requests library +import requests; print(requests.get("https://astral.sh")) + +# Set up logging +logging.basicConfig(level=logging.INFO, format='%(asctime)s - %(levelname)s - %(message)s') + +def print_title(text): + """ + Prints a separator line, the given text, and another separator line. + + Args: + text: The text to be printed between the separator lines. + """ + separator = "=" * 79 + print(separator) + print(text) + print(separator) + +def print_sep(): + """ + Prints a separator line + """ + separator = "-" * 79 + print(separator) + print() + +def manage_organization(host, token, organization_name, admin_owner): + """ + Creates a Terraform Cloud organization if it doesn't exist. + + Args: + host (str): The Terraform Cloud host (e.g., "app.terraform.io"). + token (str): The Terraform Cloud API token. + organization_name (str): The name of the organization to create. + admin_owner (str): The email address of the organization administrator. + + Returns: + bool: True on success, False on failure. 
+ """ + url = f"https://{host}/api/v2/organizations" + headers = { + "Content-Type": "application/vnd.api+json", + "Authorization": f"Bearer {token}", + } + payload = { + "data": { + "type": "organizations", + "attributes": { + "name": organization_name, + "email": admin_owner, + }, + }, + } + try: + response = requests.post(url, headers=headers, json=payload) + response.raise_for_status() # Raise HTTPError for bad responses (4xx or 5xx) + response_json = response.json() + + if "data" in response_json and response_json.get("data").get("type") == "organizations": + org_name = response_json.get("data").get("attributes").get("name") + logging.info(f"Organization '{org_name}' created successfully!") + return True + else: + logging.error(f"Failed to create organization. Response: {response_json}") + return False + except requests.exceptions.HTTPError as e: + if e.response.status_code == 422: + logging.info(f"Organization \"{organization_name}\" already exists. Nothing to do.") + else: + logging.error(f"HTTP error creating workspace: {e}") + return False + except requests.exceptions.RequestException as e: + print(response) + logging.error(f"Error creating organization: {e}") + return False + +def create_or_update_workspace(host, token, organization_name, workspace_name, terraform_version, working_directory, workspace_description): + """ + Creates or updates a Terraform Cloud workspace. + + Args: + host (str): The Terraform Cloud host. + token (str): The Terraform Cloud API token. + organization_name (str): The name of the Terraform Cloud organization. + workspace_name (str): The name of the workspace. + terraform_version (str): The Terraform version. + working_directory (str): The working directory for the workspace. + workspace_description (str): Description of the workspace. + + Returns: + bool: True on success, False on failure. 
+ """ + url = f"https://{host}/api/v2/organizations/{organization_name}/workspaces" + headers = { + "Content-Type": "application/vnd.api+json", + "Authorization": f"Bearer {token}", + } + payload = { + "data": { + "type": "workspaces", + "attributes": { + "name": workspace_name, + "terraform-version": terraform_version, + "working-directory": working_directory, + "description": workspace_description, + }, + }, + } + + try: + response = requests.post(url, headers=headers, json=payload) + response.raise_for_status() # Will raise an HTTPError for bad responses (like 422) + response_json = response.json() + + if "data" in response_json and response_json.get("data").get("type") == "workspaces": + created_name = response_json.get("data").get("attributes").get("name") + logging.info(f"Workspace \"{created_name}\" created successfully!") + return True + else: + logging.error(f"Failed to create workspace. Response: {response_json}") + return False + + except requests.exceptions.HTTPError as e: + if e.response.status_code == 422: + logging.info(f"Workspace \"{workspace_name}\" already exists. Attempting to update.") + return update_workspace(host, token, organization_name, workspace_name, terraform_version, working_directory, workspace_description) + else: + logging.error(f"HTTP error creating workspace: {e}") + return False + except requests.exceptions.RequestException as e: + logging.error(f"Error creating/updating workspace: {e}") + return False + + +def update_workspace(host, token, organization_name, workspace_name, terraform_version, working_directory, workspace_description): + """ + Updates an existing Terraform Cloud workspace. + + Args: + host (str): The Terraform Cloud host. + token (str): The Terraform Cloud API token. + organization_name (str): The name of the Terraform Cloud organization. + workspace_name (str): The name of the workspace to update. + terraform_version (str): The Terraform version. 
+ working_directory (str): The working directory for the workspace. + workspace_description (str): Description of the workspace. + + Returns: + bool: True on success, False on failure. + """ + url = f"https://{host}/api/v2/organizations/{organization_name}/workspaces/{workspace_name}" + headers = { + "Content-Type": "application/vnd.api+json", + "Authorization": f"Bearer {token}", + } + payload = { + "data": { + "type": "workspaces", + "attributes": { + "name": workspace_name, + "terraform-version": terraform_version, + "working-directory": working_directory, + "description": workspace_description, + "global-remote-state": True, + }, + }, + } + + try: + response = requests.patch(url, headers=headers, json=payload) + response.raise_for_status() + response_json = response.json() + + if "data" in response_json and response_json.get("data").get("type") == "workspaces": + updated_name = response_json.get("data").get("attributes").get("name") + logging.info(f"Workspace \"{updated_name}\" updated successfully!") + return True + else: + logging.error(f"Failed to update workspace. Response: {response_json}") + return False + except requests.exceptions.RequestException as e: + logging.error(f"Error updating workspace: {e}") + return False + + + +def update_backend_files(organization_name): + """ + Updates the organization name in all backend.tf files. + + Args: + organization_name (str): The name of the Terraform Cloud organization. 
+ """ + try: + result = subprocess.run( + ['find', '.', '-type', 'f', '-name', 'backend.tf', '-print0'], + capture_output=True, text=True, check=True + ) + backend_files = result.stdout.split('\0')[:-1] # Split by null, remove last empty string + + for backend_tf in backend_files: + logging.info(f"Checking Terraform backend file: {backend_tf}") + with open(backend_tf, 'r') as f: + content = f.read() + + if f'organization = "{organization_name}"' not in content: + logging.info(f"Need to update this file: {backend_tf}") + # Use re.sub to replace the line + new_content = re.sub(r'(\s*organization\s*=\s*").*(")', f'\\1{organization_name}\\2', content) + + with open(backend_tf, 'w') as f: + f.write(new_content) + subprocess.run(['chmod', '0644', backend_tf], check=True) + subprocess.run(['terraform', 'fmt', backend_tf], check=True) + except subprocess.CalledProcessError as e: + logging.error(f"Error updating backend.tf files: {e}") + sys.exit(1) + except Exception as e: + logging.error(f"An unexpected error occurred: {e}") + sys.exit(1) + + + +def create_workspaces_from_config(host, token, organization_name): + """ + Creates Terraform Cloud workspaces based on config.remote.tfbackend files. + + Args: + host (str): The Terraform Cloud host. + token (str): The Terraform Cloud API token. + organization_name (str): The name of the Terraform Cloud organization. 
+ """ + try: + result = subprocess.run( + ['find', '.', '-type', 'f', '-name', 'config.remote.tfbackend', '-print0'], + capture_output=True, text=True, check=True + ) + config_files = result.stdout.split('\0')[:-1] + + for config_tf in config_files: + logging.info(f"Found Terraform config file: {config_tf}") + parts = config_tf.split('/') + service = parts[1] + env = parts[2] + region = parts[3] + + workspace_name = "-".join([service, env, region]) + working_directory = "/".join([service, env, region]) + workspace_description = f"Workspace : {env.upper()} for {service.upper()} on {region.upper()}" + + # Check if config.remote.tfbackend exists and is correct + with open(config_tf, 'r') as f: + content = f.read() + if f'name = "{workspace_name}"' not in content: + logging.info(f"Need to change this file: {config_tf}") + new_content = re.sub(r'(\s*name\s*=\s*").*(")', f'\\1{workspace_name}\\2', content) + with open(config_tf, 'w') as f: + f.write(new_content) + subprocess.run(['chmod', '0644', config_tf], check=True) + + # Check if the .terraform-version exists and is correct + version_tf = os.path.join(os.path.dirname(os.path.dirname(os.path.dirname(config_tf))), '_terraform', '.terraform-version') + if not os.path.exists(version_tf): + logging.error(f"Missing Terraform version file: {version_tf}") + continue + with open(version_tf, 'r') as f: + terraform_version = f.read() + logging.info(f"Found Terraform version symlink: {version_tf}") + + create_or_update_workspace(host, token, organization_name, workspace_name, terraform_version, working_directory, workspace_description) + print_sep() + + except subprocess.CalledProcessError as e: + logging.error(f"Error processing .terraform-config files: {e}") + sys.exit(1) + except Exception as e: + logging.error(f"An unexpected error occurred: {e}") + sys.exit(1) + + +def main(): + """ + Main function to run the script. 
+ """ + # Set up variables + host = os.environ.get("TERRAFORM_CLOUD_HOST", "app.terraform.io") + credentials_file = os.path.join(os.path.expanduser("~"), ".terraform.d", "credentials.tfrc.json") + + try: + with open(credentials_file, 'r') as f: + credentials = json.load(f) + token = credentials['credentials'][host]['token'] + except (FileNotFoundError, KeyError, json.JSONDecodeError): + logging.error(f"We couldn't find a token in the Terraform credentials file at {credentials_file}.") + logging.error("Please run 'terraform login', then run this setup script again.") + sys.exit(1) + + try: + with open('organization.json', 'r') as f: + org_data = json.load(f) + organization_name = org_data['organization_name'] + admin_owner = org_data['admin_email'] + except (FileNotFoundError, KeyError, json.JSONDecodeError): + logging.error("organization.json must contain 'organization_name' and 'admin_email'.") + sys.exit(1) + + # Manage organization name + print_title("Creating an organization if needed ...") + manage_organization(host, token, organization_name, admin_owner) + print_sep() + + # Update backend.tf files + print_title("Updating backend.tf files ...") + update_backend_files(organization_name) + print_sep() + + # Create workspaces + print_title("Creating or updating workspaces ...") + create_workspaces_from_config(host, token, organization_name) + + print("Script finished.") + + +if __name__ == "__main__": + main() diff --git a/_tools/scripts/uniformize-tf-version.sh b/_tools/scripts/uniformize-tf-version.sh deleted file mode 100755 index a8e7fcc..0000000 --- a/_tools/scripts/uniformize-tf-version.sh +++ /dev/null 
@@ -1,66 +0,0 @@ -#!/usr/bin/env bash -set -euo pipefail -set +x - -info() { - printf "\r\033[00;35m%s\033[0m\n" "$1" -} - -msg() { - printf "\r\033[00;34m%s\033[0m\n" "$1" -} - -fail() { - printf "\r\033[0;31m%s\033[0m\n" "$1" -} - -success() { - printf "\r\033[00;32m%s\033[0m\n" "$1" -} - -WORKING_DIRECTORY="$(dirname "$(realpath "$0")")" -CURRENT_DIRECTORY="$(pwd -P)" - -if [ "${CURRENT_DIRECTORY}" = "${WORKING_DIRECTORY}" ] ; then - fail "This script must be launch on the root of repository" -fi - -# test args : -fix or -show -FIX=0 -ACTION=${1} -if [ ! -z "${ACTION}" ] && [ "${ACTION}" = "-fix" ]; then - FIX=1 -fi - -# Version reference -VERSION_REF=$(cat "${CURRENT_DIRECTORY}"/.terraform-version) -info "Version reference : ${VERSION_REF}" - -# Find all .terraform-version files -# Exclude root .terraform-version file from search (mindepth) -find . -type f -name ".terraform-version" -mindepth 2 -print0 | while read -d $'\0' TF_VERSION_FILE -do - - OLDIFS=$IFS - IFS='/' array=($TF_VERSION_FILE) - IFS=$OLDIFS - MODULE_CUR=${array[1]} - - VERSION_CUR=$(cat "${TF_VERSION_FILE}") - msg "Found : version ${VERSION_CUR} in service ${MODULE_CUR}" - - # check if .terraform-version is existing and correct - if [ "${VERSION_CUR}" != "${VERSION_REF}" ] && [ "${FIX}" = 1 ] ; then - info "Need to change this file ^^^" - echo "${VERSION_REF}" > "${TF_VERSION_FILE}" - chmod 0644 "${TF_VERSION_FILE}" - fi - -done - -# Commit all changes -# echo "Commit all changes ?" -# pause_for_confirmation -# git commit -v -a -s --no-edit --amend - -exit 0 diff --git a/_tools/taskfiles/global.yml b/_tools/taskfiles/global.yml new file mode 100644 index 0000000..ddf2db8 --- /dev/null +++ b/_tools/taskfiles/global.yml 
@@ -0,0 +1,41 @@
+version: "3"
+
+includes:
+ requirements:
+ taskfile: ./terraform.yml
+ flatten: true
+
+ init:
+ taskfile: ./init.yml
+ flatten: true
+
+ keypair:
+ taskfile: ./keypair.yml
+ flatten: true
+
+ # vagrant:
+ # taskfile: ./vagrant.yml
+ # flatten: true
+
+env:
+
+vars:
+ # Global variables
+ OS: '{{OS}}'
+ ARCH: '{{ARCH}}'
+
+ # Folders variables
+ ROOT_DIR: '{{.ROOT_DIR}}'
+ TOOLS_DIR: '{{.ROOT_DIR}}/_tools'
+ SCRIPTS_DIR: '{{.ROOT_DIR}}/_tools/scripts'
+
+tasks:
+ default:
+ desc: "Display all available tasks for this project"
+ cmds:
+ - task --list-all
+
+ printenv:
+ desc: "Display all environments variables"
+ cmds:
+ - env
diff --git a/_tools/taskfiles/init.yml b/_tools/taskfiles/init.yml
new file mode 100644
index 0000000..3caefab
--- /dev/null
+++ b/_tools/taskfiles/init.yml
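Review bot: The `printenv` task runs `env`, which dumps the whole process environment — including any AWS or Terraform credentials the caller has exported — to the terminal or a CI log; if it stays, say so in its description, e.g. `desc: "Display all environment variables (prints any secrets held in the environment; avoid in CI logs)"`. The `desc` also reads "environments variables" where "environment variables" is meant. The empty `env:` mapping is a no-op that reads as unfinished; either drop it or leave a comment on what is expected to go there.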
@@ -0,0 +1,97 @@ +version: "3" + +vars: + TF_VERSION: + sh: 'cat {{.ROOT_DIR}}/.terraform-version' + +tasks: + init:tf:check: + desc: "Display and Fix terraform-version files for the project" + silent: true + dir: '../scripts' + cmds: + - ./terraform-version.sh {{.ROOT_DIR}} + + init:tf:install: + desc: "Install specific version of terraform with TFenv" + silent: true + cmds: + - 'tfenv install {{.TF_VERSION}}' + + init:tf:use: + desc: "Use specific version of terraform with TFenv" + silent: true + cmds: + - 'tfenv use {{.TF_VERSION}}' + + init:links: + desc: "Generate all needed symlinks for a service" + silent: true + internal: true + cmds: + - | + CURRENT_DIR={{.USER_WORKING_DIR}} + RELATIVE_DIR="../../_terraform" + SERVICE_DIR=${CURRENT_DIR}/${RELATIVE_DIR} + + if [ ! -d "${SERVICE_DIR}" ]; then + echo "Missing terraform directory for this service" + exit 2 + fi + # cleanup existing links + find {{.USER_WORKING_DIR}} -type l -delete + + # Create links to the terraform modules + for f in $(find ${SERVICE_DIR} -type f -name '*.tf'); do + if [ -f "$f" ]; then + filename=$(basename "$f") + cd {{.USER_WORKING_DIR}} + ln -s "${RELATIVE_DIR}/$(unknown)" "$(unknown)" + fi + done + + init:tfc: + desc: "Configuration for Terraform Cloud environment" + deps: ['install:uv'] + silent: true + cmds: + - | + source ~/.venv/bin/activate + uv run '{{.SCRIPTS_DIR}}/tfc-manage.py' + + install:ansible: + desc: "Install Ansible" + deps: ['install:uv'] + silent: true + cmds: + - | + export PIP_DISABLE_PIP_VERSION_CHECK=1 + export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES + export CRYPTOGRAPHY_DONT_BUILD_RUST=1 + cd {{.ROOT_DIR}} + if [ ! 
-d ~/.venv ]; then + cd $HOME ; uv venv + fi + source ~/.venv/bin/activate + uv pip install ansible-core docker + + install:ansible:galaxy: + desc: "Install Ansible Galaxy Roles" + silent: true + deps: ['install:uv', 'install:ansible'] + dir: '{{.ROOT_DIR}}' + cmds: + - | + source ~/.venv/bin/activate + ansible-galaxy install -f -r ./_tools/ansible/galaxy/requirements.yml -p ./_tools/ansible/galaxy/roles + + install:uv: + desc: "Install UV Astral" + silent: true + internal: true + cmds: + - | + if ! command -v "uv" > /dev/null; then + echo "It looks like 'uv' is not installed; we install it:" + curl -LsSf https://astral.sh/uv/install.sh | sh + fi diff --git a/_tools/taskfiles/keypair.yml b/_tools/taskfiles/keypair.yml new file mode 100644 index 0000000..b0a6bd6 --- /dev/null +++ b/_tools/taskfiles/keypair.yml @@ -0,0 +1,23 @@ +version: "3" + +vars: + KEYPAIR_NAME: "iac-aws-keypair" + REGION: "eu-west-1" + +tasks: + keypair-create: + desc: "Create a new Key Pair in defined AWS Region" + cmds: + - aws ec2 create-key-pair --key-name {{.KEYPAIR_NAME}} --query 'KeyMaterial' --output text > {{.HOME}}/.ssh/{{.KEYPAIR_NAME}}.pem --region {{.REGION}} + - chmod 0600 {{.HOME}}/.ssh/{{.KEYPAIR_NAME}}.pem + + keypair-delete: + desc: "Delete the Key Pair in defined AWS Region" + cmds: + - aws ec2 delete-key-pair --key-name {{.KEYPAIR_NAME}} --region {{.REGION}} + - rm -f {{.HOME}}/.ssh/{{.KEYPAIR_NAME}}.pem + + keypair-display: + desc: "Display existing Key Pair in defined AWS Region" + cmds: + - aws ec2 describe-key-pairs --key-name {{.KEYPAIR_NAME}} --region {{.REGION}} diff --git a/_tools/taskfiles/terraform.yml b/_tools/taskfiles/terraform.yml new file mode 100644 index 0000000..37107e2 --- /dev/null +++ b/_tools/taskfiles/terraform.yml 
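Review bot: `install:uv` pipes `https://astral.sh/uv/install.sh` straight into `sh` with no version pin and no integrity check, so the tool that `init:tfc`, `install:ansible` and `install:ansible:galaxy` all depend on is whatever that URL serves at run time; downloading the installer to a file, comparing it against a checksum kept in the repository and only then executing it (ideally at a pinned installer version) makes the bootstrap reproducible and verifiable. `init:tfc` runs `source ~/.venv/bin/activate` but depends only on `install:uv`, while the venv is created in `install:ansible`, so on a fresh machine it fails before reaching `tfc-manage.py`; `deps: ['install:uv', 'install:ansible']` or a dedicated venv task fixes that. In `init:links`, `"${RELATIVE_DIR}/$(unknown)" "$(unknown)"` looks like a placeholder or an extraction artefact; if it is literal, the loop runs a command named `unknown` and never creates a usable link, so presumably `${filename}` was intended. `init:tf:check` calls `./terraform-version.sh`; if the 66-line script deleted at the top of this chunk is that file, the task now points at a path this commit removes.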
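Review bot: In `keypair-create` the private key is written with `> {{.HOME}}/.ssh/{{.KEYPAIR_NAME}}.pem` under the caller's umask and only narrowed by the separate `chmod 0600` that follows, so the file can be group- or world-readable between the two commands, and the redirection silently overwrites an existing key of the same name. Creating it under a restrictive umask in the same command closes the window: `- umask 077 && aws ec2 create-key-pair --key-name {{.KEYPAIR_NAME}} --query 'KeyMaterial' --output text --region {{.REGION}} > {{.HOME}}/.ssh/{{.KEYPAIR_NAME}}.pem`, and a `test ! -e` guard (or a `preconditions:` entry) before it prevents clobbering. Since `create-key-pair` returns the private key only once, a failed write after a successful API call leaves a key pair in AWS with no local copy; a `desc` note pointing operators at `keypair-delete` in that case would help.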
@@ -0,0 +1,101 @@ +version: "3" + +tasks: + + tf:init: + deps: [init:links] + desc: "Initialize terraform configuration" + dir: '{{.USER_WORKING_DIR}}' + silent: true + cmds: + - terraform init -reconfigure -backend-config=config.remote.tfbackend + + tf:fmt: + desc: "Apply terraform fmt recursively all .tf file" + dir: '{{.ROOT_DIR}}' + silent: false + cmds: + - terraform fmt -recursive + + tf:clean: + desc: "Clean terraform cache" + silent: true + dir: '{{.USER_WORKING_DIR}}' + cmds: + - rm -rf .terraform + + tf:validate: + desc: "Validate terraform configuration" + dir: '{{.USER_WORKING_DIR}}' + silent: true + cmds: + - terraform validate + + tf:list: + desc: "List terraform configuration" + dir: '{{.USER_WORKING_DIR}}' + cmds: + - terraform providers + - terraform state list + + tf:plan: + desc: "Plan terraform configuration" + dir: '{{.USER_WORKING_DIR}}' + silent: true + cmds: + - terraform plan #-out=tfplan + + tf:apply: + desc: "Apply terraform configuration" + dir: '{{.USER_WORKING_DIR}}' + silent: true + cmds: + - terraform apply tfplan + + tf:version: + desc: "Display terraform version" + cmds: + - terraform version + + tf:graph: + desc: "Display terraform graph" + dir: '{{.USER_WORKING_DIR}}' + cmds: + - terraform graph | dot -Tsvg > graph.svg + - open graph.svg + - echo "Graph generated in graph.svg" + + tf:state:show: + desc: "Show terraform state" + dir: '{{.USER_WORKING_DIR}}' + cmds: + - terraform show + + tf:state:pull: + desc: "Pull terraform state" + dir: '{{.USER_WORKING_DIR}}' + cmds: + - terraform state pull > state.tfstate + + tf:state:push: + desc: "Push terraform state" + dir: '{{.USER_WORKING_DIR}}' + cmds: + - terraform state push state.tfstate + + # tf:destroy: + # desc: "Destroy terraform configuration" + # cmds: + # - terraform destroy -auto-approve + + tf:output: + desc: "Show terraform output" + dir: '{{.USER_WORKING_DIR}}' + cmds: + - terraform output + + tf:doc: + desc: "Generate terraform documentation" + dir: 
'{{.USER_WORKING_DIR}}' + cmds: + - 'terraform-docs markdown table --anchor=false ./ --output-file=README.md --output-mode=inject' diff --git a/_tools/taskfiles/vagrant.yml b/_tools/taskfiles/vagrant.yml new file mode 100644 index 0000000..7e20d4a --- /dev/null +++ b/_tools/taskfiles/vagrant.yml @@ -0,0 +1,44 @@ +version: "3" + +vars: + +tasks: + vagrant:install: + desc: "Install Vagrant" + cmds: + - curl -fsSL XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX | sudo apt-key add - + - sudo apt-add-repository "deb [arch=amd64] XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX $(lsb_release -cs) main" + - sudo apt-get update && sudo apt-get install vagrant + silent: true + status: + - test -x "$(command -v vagrant)" + + vagrant:up: + desc: "Start Vagrant" + cmds: + - vagrant up + silent: true + + vagrant:ssh: + desc: "SSH into Vagrant" + cmds: + - vagrant ssh + silent: true + + vagrant:halt: + desc: "Halt Vagrant" + cmds: + - vagrant halt + silent: true + + vagrant:destroy: + desc: "Destroy Vagrant" + cmds: + - vagrant destroy + silent: true + + vagrant:status: + desc: "Show Vagrant status" + cmds: + - vagrant status + silent: true diff --git a/_tools/terraform/Makefile b/_tools/terraform/Makefile index 50808ca..60cf87e 100644 --- a/_tools/terraform/Makefile +++ b/_tools/terraform/Makefile @@ -60,11 +60,11 @@ list: ## Make terraform state list providers: ## Make terraform state list @terraform providers -install: ## Make tfenv install - @tfenv install $(shell cat .terraform-version) +# install: ## Make tfenv install +# @tfenv install $(shell cat .terraform-version) -use: ## Make tfenv use - @tfenv use $(shell cat .terraform-version) +# use: ## Make tfenv use +# @tfenv use $(shell cat .terraform-version) version: ## Show terraform version @terraform version diff --git a/_tools/terraform/modules/terraform-aws-api-gateway/main.tf b/_tools/terraform/modules/terraform-aws-api-gateway/main.tf index aa86737..e337f8d 100644 --- a/_tools/terraform/modules/terraform-aws-api-gateway/main.tf 
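Review bot: `tf:plan` and `tf:apply` are out of step: `tf:plan` runs `terraform plan #-out=tfplan`, so no plan file is written, yet `tf:apply` runs `terraform apply tfplan`, which either fails on the missing file or applies a stale `tfplan` left by an earlier run that may no longer match the configuration. Either restore `- terraform plan -out=tfplan` or make `tf:apply` run a plain `terraform apply` so the operator always reviews a fresh plan. `tf:state:pull` writes the full state, which commonly holds secrets in clear text, to `state.tfstate` in the service directory; the `.gitignore` changes are not in this chunk, so it is worth confirming that name is excluded and saying so in the task's `desc`. `tf:graph` runs `open graph.svg`, which only exists on macOS; a guard or a platform restriction would make the failure explicit elsewhere.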
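Review bot: `vagrant:install` adds the repository key with `sudo apt-key add -`, which is deprecated and trusts that key for every apt source on the host rather than just the Vagrant repository; current practice is to store the key under `/etc/apt/keyrings/` and reference it with `[signed-by=...]` in the `deb` line. The key itself is fetched with `curl -fsSL` and trusted as-is; recording the expected key fingerprint in the repository and comparing before trusting it is cheap. The two `XXXXXXXX` strings in the `curl` and `apt-add-repository` commands are redacted URLs, so the task cannot work as committed; `global.yml` leaves the `vagrant` include commented out, which may be intentional, but a comment saying so would stop someone enabling it unchanged.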
+++ b/_tools/terraform/modules/terraform-aws-api-gateway/main.tf @@ -4,12 +4,12 @@ resource "aws_apigatewayv2_api" "api" { name = format("apigw-%s-%s", var.env, var.service) protocol_type = var.protocol_type - description = var.api_description + description = var.api_description disable_execute_api_endpoint = var.disable_execute_api_endpoint cors_configuration { - allow_methods = ["OPTIONS","POST","GET"] + allow_methods = ["OPTIONS", "POST", "GET"] allow_origins = ["*"] allow_headers = ["Content-Type,Authorization"] } @@ -49,7 +49,7 @@ resource "aws_apigatewayv2_stage" "stage" { } default_route_settings { - logging_level = var.logging_level + logging_level = var.logging_level detailed_metrics_enabled = var.detailed_metrics_enabled } @@ -64,7 +64,7 @@ resource "aws_apigatewayv2_stage" "stage" { // API integration //--------------------- resource "aws_apigatewayv2_integration" "integration" { - api_id = aws_apigatewayv2_api.api.id + api_id = aws_apigatewayv2_api.api.id integration_uri = var.integration_uri integration_type = "AWS_PROXY" integration_method = "POST" diff --git a/_tools/terraform/modules/terraform-aws-api-gateway/outputs.tf b/_tools/terraform/modules/terraform-aws-api-gateway/outputs.tf index 89cfd2e..7c09868 100644 --- a/_tools/terraform/modules/terraform-aws-api-gateway/outputs.tf +++ b/_tools/terraform/modules/terraform-aws-api-gateway/outputs.tf @@ -5,5 +5,5 @@ output "base_url" { output "domain_name_arn" { description = "The ARN of the domain name" - value = aws_apigatewayv2_domain_name.domain.arn + value = aws_apigatewayv2_domain_name.domain.arn } \ No newline at end of file diff --git a/_tools/terraform/modules/terraform-aws-bootstrap/variables.tf b/_tools/terraform/modules/terraform-aws-bootstrap/variables.tf index 41ad473..55b1c79 100644 --- a/_tools/terraform/modules/terraform-aws-bootstrap/variables.tf +++ b/_tools/terraform/modules/terraform-aws-bootstrap/variables.tf 
@@ -26,9 +26,9 @@ variable "accounts" { type = map(string) default = { - "prod" = "devops-prod@wearephenix.com" - "staging" = "devops-staging@wearephenix.com" - "qa" = "devops-qa@wearephenix.com" + "prod" = "devops-prod@example.com" + "staging" = "devops-staging@example.com" + "qa" = "devops-qa@example.com" } } diff --git a/_tools/terraform/modules/terraform-aws-eks/addons.tf b/_tools/terraform/modules/terraform-aws-eks/addons.tf new file mode 100644 index 0000000..e69de29 diff --git a/_tools/terraform/modules/terraform-aws-eks/iam.tf b/_tools/terraform/modules/terraform-aws-eks/iam.tf new file mode 100644 index 0000000..de6ff81 --- /dev/null +++ b/_tools/terraform/modules/terraform-aws-eks/iam.tf 
@@ -0,0 +1,271 @@ +#------------------------------------ +# IAM cluster role +#------------------------------------ +locals { + create_iam_role = local.create && var.create_iam_role + iam_role_name = coalesce(var.iam_role_name, "${var.cluster_name}-cluster") + iam_role_policy_prefix = "arn:${local.partition}:iam::aws:policy" + + cluster_encryption_policy_name = coalesce(var.cluster_encryption_policy_name, "${local.iam_role_name}-ClusterEncryption") + + # Standard EKS cluster + eks_standard_iam_role_policies = { for k, v in { + AmazonEKSClusterPolicy = "${local.iam_role_policy_prefix}/AmazonEKSClusterPolicy", + } : k => v if !local.auto_mode_enabled } + + # EKS cluster with EKS auto mode enabled + eks_auto_mode_iam_role_policies = { for k, v in { + AmazonEKSClusterPolicy = "${local.iam_role_policy_prefix}/AmazonEKSClusterPolicy" + AmazonEKSComputePolicy = "${local.iam_role_policy_prefix}/AmazonEKSComputePolicy" + AmazonEKSBlockStoragePolicy = "${local.iam_role_policy_prefix}/AmazonEKSBlockStoragePolicy" + AmazonEKSLoadBalancingPolicy = "${local.iam_role_policy_prefix}/AmazonEKSLoadBalancingPolicy" + AmazonEKSNetworkingPolicy = "${local.iam_role_policy_prefix}/AmazonEKSNetworkingPolicy" + } : k => v if local.auto_mode_enabled } + + # Security groups for pods + eks_sgpp_iam_role_policies = { for k, v in { + AmazonEKSVPCResourceController = "${local.iam_role_policy_prefix}/AmazonEKSVPCResourceController" + } : k => v if var.enable_security_groups_for_pods && !local.auto_mode_enabled } +} + +data "aws_iam_policy_document" "assume_role_policy" { + count = local.create && var.create_iam_role ? 1 : 0 + + statement { + sid = "EKSClusterAssumeRole" + actions = [ + "sts:AssumeRole", + "sts:TagSession", + ] + + principals { + type = "Service" + identifiers = ["eks.amazonaws.com"] + } + } +} + +resource "aws_iam_role" "this" { + count = local.create_iam_role ? 1 : 0 + + name = var.iam_role_use_name_prefix ? 
null : local.iam_role_name + name_prefix = var.iam_role_use_name_prefix ? "${local.iam_role_name}${var.prefix_separator}" : null + path = var.iam_role_path + description = var.iam_role_description + + assume_role_policy = data.aws_iam_policy_document.assume_role_policy[0].json + permissions_boundary = var.iam_role_permissions_boundary + force_detach_policies = true + + tags = merge(var.tags, var.iam_role_tags) +} + +# Policies attached ref https://docs.aws.amazon.com/eks/latest/userguide/service_IAM_role.html +resource "aws_iam_role_policy_attachment" "this" { + for_each = { for k, v in merge( + local.eks_standard_iam_role_policies, + local.eks_auto_mode_iam_role_policies, + local.eks_sgpp_iam_role_policies, + ) : k => v if local.create_iam_role } + + policy_arn = each.value + role = aws_iam_role.this[0].name +} + +resource "aws_iam_role_policy_attachment" "additional" { + for_each = { for k, v in var.iam_role_additional_policies : k => v if local.create_iam_role } + + policy_arn = each.value + role = aws_iam_role.this[0].name +} + +# Using separate attachment due to `The "for_each" value depends on resource attributes that cannot be determined until apply` +resource "aws_iam_role_policy_attachment" "cluster_encryption" { + # Encryption config not available on Outposts + count = local.create_iam_role && var.attach_cluster_encryption_policy && local.enable_cluster_encryption_config ? 1 : 0 + + policy_arn = aws_iam_policy.cluster_encryption[0].arn + role = aws_iam_role.this[0].name +} + +resource "aws_iam_policy" "cluster_encryption" { + # Encryption config not available on Outposts + count = local.create_iam_role && var.attach_cluster_encryption_policy && local.enable_cluster_encryption_config ? 1 : 0 + + name = var.cluster_encryption_policy_use_name_prefix ? null : local.cluster_encryption_policy_name + name_prefix = var.cluster_encryption_policy_use_name_prefix ? 
local.cluster_encryption_policy_name : null + description = var.cluster_encryption_policy_description + path = var.cluster_encryption_policy_path + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "kms:Encrypt", + "kms:Decrypt", + "kms:ListGrants", + "kms:DescribeKey", + ] + Effect = "Allow" + Resource = var.create_kms_key ? module.kms.key_arn : var.cluster_encryption_config.provider_key_arn + }, + ] + }) + + tags = merge(var.tags, var.cluster_encryption_policy_tags) +} + +data "aws_iam_policy_document" "custom" { + count = local.create_iam_role && var.enable_auto_mode_custom_tags ? 1 : 0 + + dynamic "statement" { + for_each = var.enable_auto_mode_custom_tags ? [1] : [] + + content { + sid = "Compute" + actions = [ + "ec2:CreateFleet", + "ec2:RunInstances", + "ec2:CreateLaunchTemplate", + ] + resources = ["*"] + + condition { + test = "StringEquals" + variable = "aws:RequestTag/eks:eks-cluster-name" + values = ["$${aws:PrincipalTag/eks:eks-cluster-name}"] + } + + condition { + test = "StringLike" + variable = "aws:RequestTag/eks:kubernetes-node-class-name" + values = ["*"] + } + + condition { + test = "StringLike" + variable = "aws:RequestTag/eks:kubernetes-node-pool-name" + values = ["*"] + } + } + } + + dynamic "statement" { + for_each = var.enable_auto_mode_custom_tags ? [1] : [] + + content { + sid = "Storage" + actions = [ + "ec2:CreateVolume", + "ec2:CreateSnapshot", + ] + resources = [ + "arn:${local.partition}:ec2:*:*:volume/*", + "arn:${local.partition}:ec2:*:*:snapshot/*", + ] + + condition { + test = "StringEquals" + variable = "aws:RequestTag/eks:eks-cluster-name" + values = ["$${aws:PrincipalTag/eks:eks-cluster-name}"] + } + } + } + + dynamic "statement" { + for_each = var.enable_auto_mode_custom_tags ? 
[1] : [] + + content { + sid = "Networking" + actions = ["ec2:CreateNetworkInterface"] + resources = ["*"] + + condition { + test = "StringEquals" + variable = "aws:RequestTag/eks:eks-cluster-name" + values = ["$${aws:PrincipalTag/eks:eks-cluster-name}"] + } + + condition { + test = "StringEquals" + variable = "aws:RequestTag/eks:kubernetes-cni-node-name" + values = ["*"] + } + } + } + + dynamic "statement" { + for_each = var.enable_auto_mode_custom_tags ? [1] : [] + + content { + sid = "LoadBalancer" + actions = [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateTargetGroup", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateRule", + "ec2:CreateSecurityGroup", + ] + resources = ["*"] + + condition { + test = "StringEquals" + variable = "aws:RequestTag/eks:eks-cluster-name" + values = ["$${aws:PrincipalTag/eks:eks-cluster-name}"] + } + } + } + + dynamic "statement" { + for_each = var.enable_auto_mode_custom_tags ? [1] : [] + + content { + sid = "ShieldProtection" + actions = ["shield:CreateProtection"] + resources = ["*"] + + condition { + test = "StringEquals" + variable = "aws:RequestTag/eks:eks-cluster-name" + values = ["$${aws:PrincipalTag/eks:eks-cluster-name}"] + } + } + } + + dynamic "statement" { + for_each = var.enable_auto_mode_custom_tags ? [1] : [] + + content { + sid = "ShieldTagResource" + actions = ["shield:TagResource"] + resources = ["arn:${local.partition}:shield::*:protection/*"] + + condition { + test = "StringEquals" + variable = "aws:RequestTag/eks:eks-cluster-name" + values = ["$${aws:PrincipalTag/eks:eks-cluster-name}"] + } + } + } +} + +resource "aws_iam_policy" "custom" { + count = local.create_iam_role && var.enable_auto_mode_custom_tags ? 1 : 0 + + name = var.iam_role_use_name_prefix ? null : local.iam_role_name + name_prefix = var.iam_role_use_name_prefix ? 
"${local.iam_role_name}-" : null + path = var.iam_role_path + description = var.iam_role_description + + policy = data.aws_iam_policy_document.custom[0].json + + tags = merge(var.tags, var.iam_role_tags) +} + +resource "aws_iam_role_policy_attachment" "custom" { + count = local.create_iam_role && var.enable_auto_mode_custom_tags ? 1 : 0 + + policy_arn = aws_iam_policy.custom[0].arn + role = aws_iam_role.this[0].name +} diff --git a/_tools/terraform/modules/terraform-aws-eks/kms.tf b/_tools/terraform/modules/terraform-aws-eks/kms.tf new file mode 100644 index 0000000..e0ee6a6 --- /dev/null +++ b/_tools/terraform/modules/terraform-aws-eks/kms.tf 
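Review bot: In the `Networking` statement of `data.aws_iam_policy_document.custom`, the `aws:RequestTag/eks:kubernetes-cni-node-name` condition uses `test = "StringEquals"` with `values = ["*"]`; IAM treats `*` as a wildcard only under `StringLike`, so as written the `ec2:CreateNetworkInterface` grant matches only requests whose tag value is the literal string `*`, unlike the `Compute` statement, which uses `StringLike` for its equivalent node-class and node-pool conditions. Unless the literal match is intended, `test = "StringLike"` makes the statement consistent. The `count` on the data source and the `for_each = var.enable_auto_mode_custom_tags ? [1] : []` on every `dynamic "statement"` test the same variable twice, so the per-statement guards can go. The file appears to be derived from an upstream module (an inference from the tag in the neighbouring `kms.tf`, not from this hunk); a header comment naming the upstream source and version it was copied from would make future security backports traceable.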
@@ -0,0 +1,35 @@ +################################################################################ +# KMS Key +################################################################################ + +module "kms" { + source = "../terraform-aws-kms" + + create = local.create && var.create_kms_key && local.enable_cluster_encryption_config # not valid on Outposts + + description = coalesce(var.kms_key_description, "${var.cluster_name} cluster encryption key") + key_usage = "ENCRYPT_DECRYPT" + deletion_window_in_days = var.kms_key_deletion_window_in_days + enable_key_rotation = var.enable_kms_key_rotation + + # Policy + enable_default_policy = var.kms_key_enable_default_policy + key_owners = var.kms_key_owners + key_administrators = coalescelist(var.kms_key_administrators, [try(data.aws_iam_session_context.current[0].issuer_arn, "")]) + key_users = concat([local.cluster_role], var.kms_key_users) + key_service_users = var.kms_key_service_users + source_policy_documents = var.kms_key_source_policy_documents + override_policy_documents = var.kms_key_override_policy_documents + + # Aliases + aliases = var.kms_key_aliases + computed_aliases = { + # Computed since users can pass in computed values for cluster name such as random provider resources + cluster = { name = "eks/${var.cluster_name}" } + } + + tags = merge( + { terraform-aws-modules = "eks" }, + var.tags, + ) +} diff --git a/_tools/terraform/modules/terraform-aws-eks/main.tf b/_tools/terraform/modules/terraform-aws-eks/main.tf index 25b58ed..2f40ff5 100644 --- a/_tools/terraform/modules/terraform-aws-eks/main.tf +++ b/_tools/terraform/modules/terraform-aws-eks/main.tf 
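Review bot: `key_administrators` falls back to `[try(data.aws_iam_session_context.current[0].issuer_arn, "")]`, so when that data source is not created and no administrators are passed, the KMS module receives `[""]`, which its key-policy code treats as a non-empty administrator list and renders as an empty AWS principal. If `local.create` gates both the data source and `module.kms` (the data source is not in this chunk) that path is unreachable, but wrapping the list in `compact()` would make it safe regardless of how callers combine the flags. This file carries the `terraform-aws-modules = "eks"` tag and the `kms.tf`/`iam.tf` layout of the community EKS module; a header comment recording the upstream version it was copied from would help future security fixes be backported.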
@@ -1,248 +1,278 @@ -resource "aws_eks_cluster" "default" { - name = "${var.env}-${var.service}-${var.role}" - role_arn = aws_iam_role.eks_cluster.arn - - vpc_config { - subnet_ids = var.eks_cluster_subnets - endpoint_public_access = var.eks_endpoint_public_access - endpoint_private_access = var.eks_endpoint_private_access - public_access_cidrs = var.eks_trusted_networks - } - - tags = { - Name = "${var.env}-${var.service}-${var.role}-default-cluster" - Service = var.service - Role = var.role - Environment = var.env - } - - # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling. - # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups. - depends_on = [ - aws_iam_role_policy_attachment.eks_cluster_policy, - aws_iam_role_policy_attachment.eks_service_policy, - ] +data "aws_partition" "current" { + count = local.create ? 1 : 0 } - -resource "aws_iam_role" "eks_cluster" { - name = "eks-${var.env}-${var.service}-${var.role}" - - assume_role_policy = < 0 + enable_cluster_encryption_config = length(var.cluster_encryption_config) > 0 -resource "aws_iam_role_policy_attachment" "eks_worker_nodes_policy" { - policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy" - role = aws_iam_role.eks_nodes.name + auto_mode_enabled = try(var.cluster_compute_config.enabled, false) } -resource "aws_iam_role_policy_attachment" "eks_cni_policy" { - policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy" - role = aws_iam_role.eks_nodes.name -} +# resource "aws_eks_cluster" "default" { +# name = "${var.env}-${var.service}-${var.role}" +# role_arn = aws_iam_role.eks_cluster.arn -resource "aws_iam_role_policy_attachment" "eks_container_registry_policy" { - policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly" - role = aws_iam_role.eks_nodes.name -} +# vpc_config { +# subnet_ids = var.eks_cluster_subnets +# endpoint_public_access = var.eks_endpoint_public_access +# 
endpoint_private_access = var.eks_endpoint_private_access +# public_access_cidrs = var.eks_trusted_networks +# } -locals { - eks_roles = [ - { - rolearn = aws_iam_role.eks_nodes.arn - username = "system:node:{{EC2PrivateDNSName}}" - groups = tolist(concat( - [ - "system:bootstrappers", - "system:nodes", - ], - [] - )) - }, - { - rolearn = var.admin_role_arn - username = "devops" - groups = tolist(concat( - [ - "system:masters" - ], - [] - )) - }, - { - rolearn = var.user_role_arn - username = "user" - groups = tolist(concat( - [ - "system:basic-user", - "system:public-info-viewer" - ], - [] - )) - } - ] -} +# tags = { +# Name = "${var.env}-${var.service}-${var.role}-default-cluster" +# Service = var.service +# Role = var.role +# Environment = var.env +# } -resource "kubernetes_config_map" "aws_auth" { - depends_on = [ - aws_eks_cluster.default] - metadata { - name = "aws-auth" - namespace = "kube-system" - } - - data = { - mapRoles = yamlencode(local.eks_roles) - mapUsers = yamlencode(var.eks_authorized_users) - mapAccounts = yamlencode(var.eks_authorized_accounts) - } -} +# # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling. +# # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups. +# depends_on = [ +# aws_iam_role_policy_attachment.eks_cluster_policy, +# aws_iam_role_policy_attachment.eks_service_policy, +# ] +# } -data "external" "thumbprint" { - program = [ - "${path.module}/bin/thumbprint.sh", - var.region] -} +# resource "aws_iam_role" "eks_cluster" { +# name = "eks-${var.env}-${var.service}-${var.role}" + +# assume_role_policy = < 0 ? 
[1] : [] + + content { + sid = "KeyOwner" + actions = ["kms:*"] + resources = ["*"] + + principals { + type = "AWS" + identifiers = var.key_owners + } + } + } + + # Key administrators - https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-default-allow-administrators + dynamic "statement" { + for_each = length(var.key_administrators) > 0 ? [1] : [] + + content { + sid = "KeyAdministration" + actions = [ + "kms:Create*", + "kms:Describe*", + "kms:Enable*", + "kms:List*", + "kms:Put*", + "kms:Update*", + "kms:Revoke*", + "kms:Disable*", + "kms:Get*", + "kms:Delete*", + "kms:TagResource", + "kms:UntagResource", + "kms:ScheduleKeyDeletion", + "kms:CancelKeyDeletion", + "kms:ReplicateKey", + "kms:ImportKeyMaterial" + ] + resources = ["*"] + + principals { + type = "AWS" + identifiers = var.key_administrators + } + } + } + + # Key users - https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-default-allow-users + dynamic "statement" { + for_each = length(var.key_users) > 0 ? [1] : [] + + content { + sid = "KeyUsage" + actions = [ + "kms:Encrypt", + "kms:Decrypt", + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + "kms:DescribeKey", + ] + resources = ["*"] + + principals { + type = "AWS" + identifiers = var.key_users + } + } + } + + # Key service users - https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-service-integration + dynamic "statement" { + for_each = length(var.key_service_users) > 0 ? 
[1] : [] + + content { + sid = "KeyServiceUsage" + actions = [ + "kms:CreateGrant", + "kms:ListGrants", + "kms:RevokeGrant", + ] + resources = ["*"] + + principals { + type = "AWS" + identifiers = var.key_service_users + } + + condition { + test = "Bool" + variable = "kms:GrantIsForAWSResource" + values = [true] + } + } + } + + # Key service roles for autoscaling - https://docs.aws.amazon.com/autoscaling/ec2/userguide/key-policy-requirements-EBS-encryption.html#policy-example-cmk-access + dynamic "statement" { + for_each = length(var.key_service_roles_for_autoscaling) > 0 ? [1] : [] + + content { + sid = "KeyServiceRolesASG" + actions = [ + "kms:Encrypt", + "kms:Decrypt", + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + "kms:DescribeKey", + ] + resources = ["*"] + + principals { + type = "AWS" + identifiers = var.key_service_roles_for_autoscaling + } + } + } + + dynamic "statement" { + for_each = length(var.key_service_roles_for_autoscaling) > 0 ? [1] : [] + + content { + sid = "KeyServiceRolesASGPersistentVol" + actions = [ + "kms:CreateGrant" + ] + resources = ["*"] + + principals { + type = "AWS" + identifiers = var.key_service_roles_for_autoscaling + } + + condition { + test = "Bool" + variable = "kms:GrantIsForAWSResource" + values = [true] + } + } + } + + # Key cryptographic operations - https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-users-crypto + dynamic "statement" { + for_each = length(var.key_symmetric_encryption_users) > 0 ? [1] : [] + + content { + sid = "KeySymmetricEncryption" + actions = [ + "kms:Decrypt", + "kms:DescribeKey", + "kms:Encrypt", + "kms:GenerateDataKey*", + "kms:ReEncrypt*", + ] + resources = ["*"] + + principals { + type = "AWS" + identifiers = var.key_symmetric_encryption_users + } + } + } + + dynamic "statement" { + for_each = length(var.key_hmac_users) > 0 ? 
[1] : [] + + content { + sid = "KeyHMAC" + actions = [ + "kms:DescribeKey", + "kms:GenerateMac", + "kms:VerifyMac", + ] + resources = ["*"] + + principals { + type = "AWS" + identifiers = var.key_hmac_users + } + } + } + + dynamic "statement" { + for_each = length(var.key_asymmetric_public_encryption_users) > 0 ? [1] : [] + + content { + sid = "KeyAsymmetricPublicEncryption" + actions = [ + "kms:Encrypt", + "kms:Decrypt", + "kms:ReEncrypt*", + "kms:DescribeKey", + "kms:GetPublicKey", + ] + resources = ["*"] + + principals { + type = "AWS" + identifiers = var.key_asymmetric_public_encryption_users + } + } + } + + dynamic "statement" { + for_each = length(var.key_asymmetric_sign_verify_users) > 0 ? [1] : [] + + content { + sid = "KeyAsymmetricSignVerify" + actions = [ + "kms:DescribeKey", + "kms:GetPublicKey", + "kms:Sign", + "kms:Verify", + ] + resources = ["*"] + + principals { + type = "AWS" + identifiers = var.key_asymmetric_sign_verify_users + } + } + } + + # https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/access-control-managing-permissions.html#KMS-key-policy-for-DNSSEC + dynamic "statement" { + for_each = var.enable_route53_dnssec ? [1] : [] + + content { + sid = "Route53DnssecService" + actions = [ + "kms:DescribeKey", + "kms:GetPublicKey", + "kms:Sign", + ] + resources = ["*"] + + principals { + type = "Service" + identifiers = ["dnssec-route53.${local.dns_suffix}"] + } + } + } + + # https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/access-control-managing-permissions.html#KMS-key-policy-for-DNSSEC + dynamic "statement" { + for_each = var.enable_route53_dnssec ? 
[1] : [] + + content { + sid = "Route53DnssecGrant" + actions = ["kms:CreateGrant"] + resources = ["*"] + + principals { + type = "Service" + identifiers = ["dnssec-route53.${local.dns_suffix}"] + } + + condition { + test = "Bool" + variable = "kms:GrantIsForAWSResource" + values = ["true"] + } + + dynamic "condition" { + for_each = var.route53_dnssec_sources + + content { + test = "StringEquals" + variable = "aws:SourceAccount" + values = try(condition.value.account_ids, [local.account_id]) + } + } + + dynamic "condition" { + for_each = var.route53_dnssec_sources + + content { + test = "ArnLike" + variable = "aws:SourceArn" + values = [try(condition.value.hosted_zone_arn, "arn:${local.partition}:route53:::hostedzone/*")] + } + } + } + } + + dynamic "statement" { + for_each = var.key_statements + + content { + sid = try(statement.value.sid, null) + actions = try(statement.value.actions, null) + not_actions = try(statement.value.not_actions, null) + effect = try(statement.value.effect, null) + resources = try(statement.value.resources, null) + not_resources = try(statement.value.not_resources, null) + + dynamic "principals" { + for_each = try(statement.value.principals, []) + + content { + type = principals.value.type + identifiers = principals.value.identifiers + } + } + + dynamic "not_principals" { + for_each = try(statement.value.not_principals, []) + + content { + type = not_principals.value.type + identifiers = not_principals.value.identifiers + } + } + + dynamic "condition" { + for_each = try(statement.value.conditions, []) + + content { + test = condition.value.test + values = condition.value.values + variable = condition.value.variable + } + } + } + } +} + +################################################################################ +# Alias +################################################################################ + +locals { + aliases = { for k, v in toset(var.aliases) : k => { name = v } } +} + +resource "aws_kms_alias" "this" { + for_each = { 
for k, v in merge(local.aliases, var.computed_aliases) : k => v if var.create } + + name = var.aliases_use_name_prefix ? null : "alias/${each.value.name}" + name_prefix = var.aliases_use_name_prefix ? "alias/${each.value.name}-" : null + target_key_id = try(aws_kms_key.this[0].key_id, aws_kms_external_key.this[0].id, aws_kms_replica_key.this[0].key_id, aws_kms_replica_external_key.this[0].key_id) +} + +################################################################################ +# Grant +################################################################################ + +resource "aws_kms_grant" "this" { + for_each = { for k, v in var.grants : k => v if var.create } + + name = try(each.value.name, each.key) + key_id = try(aws_kms_key.this[0].key_id, aws_kms_external_key.this[0].id, aws_kms_replica_key.this[0].key_id, aws_kms_replica_external_key.this[0].key_id) + grantee_principal = each.value.grantee_principal + operations = each.value.operations + + dynamic "constraints" { + for_each = length(lookup(each.value, "constraints", {})) == 0 ? [] : [each.value.constraints] + + content { + encryption_context_equals = try(constraints.value.encryption_context_equals, null) + encryption_context_subset = try(constraints.value.encryption_context_subset, null) + } + } + + retiring_principal = try(each.value.retiring_principal, null) + grant_creation_tokens = try(each.value.grant_creation_tokens, null) + retire_on_delete = try(each.value.retire_on_delete, null) +} diff --git a/_tools/terraform/modules/terraform-aws-kms/outputs.tf b/_tools/terraform/modules/terraform-aws-kms/outputs.tf new file mode 100644 index 0000000..d002a3c --- /dev/null +++ b/_tools/terraform/modules/terraform-aws-kms/outputs.tf 
@@ -0,0 +1,52 @@ +################################################################################ +# Key +################################################################################ + +output "key_arn" { + description = "The Amazon Resource Name (ARN) of the key" + value = try(aws_kms_key.this[0].arn, aws_kms_external_key.this[0].arn, aws_kms_replica_key.this[0].arn, aws_kms_replica_external_key.this[0].arn, null) +} + +output "key_id" { + description = "The globally unique identifier for the key" + value = try(aws_kms_key.this[0].key_id, aws_kms_external_key.this[0].id, aws_kms_replica_key.this[0].key_id, aws_kms_replica_external_key.this[0].key_id, null) +} + +output "key_policy" { + description = "The IAM resource policy set on the key" + value = try(aws_kms_key.this[0].policy, aws_kms_external_key.this[0].policy, aws_kms_replica_key.this[0].policy, aws_kms_replica_external_key.this[0].policy, null) +} + +output "external_key_expiration_model" { + description = "Whether the key material expires. 
Empty when pending key material import, otherwise `KEY_MATERIAL_EXPIRES` or `KEY_MATERIAL_DOES_NOT_EXPIRE`" + value = try(aws_kms_external_key.this[0].expiration_model, aws_kms_replica_external_key.this[0].expiration_model, null) +} + +output "external_key_state" { + description = "The state of the CMK" + value = try(aws_kms_external_key.this[0].key_state, aws_kms_replica_external_key.this[0].key_state, null) +} + +output "external_key_usage" { + description = "The cryptographic operations for which you can use the CMK" + value = try(aws_kms_external_key.this[0].key_usage, aws_kms_replica_external_key.this[0].key_usage, null) +} + +################################################################################ +# Alias +################################################################################ + +output "aliases" { + description = "A map of aliases created and their attributes" + value = aws_kms_alias.this +} + +################################################################################ +# Grant +################################################################################ + +output "grants" { + description = "A map of grants created and their attributes" + value = aws_kms_grant.this + sensitive = true +} diff --git a/_tools/terraform/modules/terraform-aws-kms/variables.tf b/_tools/terraform/modules/terraform-aws-kms/variables.tf new file mode 100644 index 0000000..b66b126 --- /dev/null +++ b/_tools/terraform/modules/terraform-aws-kms/variables.tf 
@@ -0,0 +1,253 @@ +variable "create" { + description = "Determines whether resources will be created (affects all resources)" + type = bool + default = true +} + +variable "tags" { + description = "A map of tags to add to all resources" + type = map(string) + default = {} +} + +################################################################################ +# Key +################################################################################ + +variable "create_external" { + description = "Determines whether an external CMK (externally provided material) will be created or a standard CMK (AWS provided material)" + type = bool + default = false +} + +variable "bypass_policy_lockout_safety_check" { + description = "A flag to indicate whether to bypass the key policy lockout safety check. Setting this value to true increases the risk that the KMS key becomes unmanageable" + type = bool + default = null +} + +variable "customer_master_key_spec" { + description = "Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: `SYMMETRIC_DEFAULT`, `RSA_2048`, `RSA_3072`, `RSA_4096`, `HMAC_256`, `ECC_NIST_P256`, `ECC_NIST_P384`, `ECC_NIST_P521`, or `ECC_SECG_P256K1`. Defaults to `SYMMETRIC_DEFAULT`" + type = string + default = null +} + +variable "custom_key_store_id" { + description = "ID of the KMS Custom Key Store where the key will be stored instead of KMS (eg CloudHSM)." + type = string + default = null +} + +variable "deletion_window_in_days" { + description = "The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between `7` and `30`, inclusive. 
If you do not specify a value, it defaults to `30`" + type = number + default = null +} + +variable "description" { + description = "The description of the key as viewed in AWS console" + type = string + default = null +} + +variable "enable_key_rotation" { + description = "Specifies whether key rotation is enabled. Defaults to `true`" + type = bool + default = true +} + +variable "is_enabled" { + description = "Specifies whether the key is enabled. Defaults to `true`" + type = bool + default = null +} + +variable "key_material_base64" { + description = "Base64 encoded 256-bit symmetric encryption key material to import. The CMK is permanently associated with this key material. External key only" + type = string + default = null +} + +variable "key_usage" { + description = "Specifies the intended use of the key. Valid values: `ENCRYPT_DECRYPT` or `SIGN_VERIFY`. Defaults to `ENCRYPT_DECRYPT`" + type = string + default = null +} + +variable "multi_region" { + description = "Indicates whether the KMS key is a multi-Region (`true`) or regional (`false`) key. Defaults to `false`" + type = bool + default = false +} + +variable "policy" { + description = "A valid policy JSON document. Although this is a key policy, not an IAM policy, an `aws_iam_policy_document`, in the form that designates a principal, can be used" + type = string + default = null +} + +variable "valid_to" { + description = "Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. If not specified, key material does not expire" + type = string + default = null +} + +variable "enable_default_policy" { + description = "Specifies whether to enable the default key policy. 
Defaults to `true`" + type = bool + default = true +} + +variable "key_owners" { + description = "A list of IAM ARNs for those who will have full key permissions (`kms:*`)" + type = list(string) + default = [] +} + +variable "key_administrators" { + description = "A list of IAM ARNs for [key administrators](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-default-allow-administrators)" + type = list(string) + default = [] +} + +variable "key_users" { + description = "A list of IAM ARNs for [key users](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-default-allow-users)" + type = list(string) + default = [] +} + +variable "key_service_users" { + description = "A list of IAM ARNs for [key service users](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-service-integration)" + type = list(string) + default = [] +} + +variable "key_service_roles_for_autoscaling" { + description = "A list of IAM ARNs for [AWSServiceRoleForAutoScaling roles](https://docs.aws.amazon.com/autoscaling/ec2/userguide/key-policy-requirements-EBS-encryption.html#policy-example-cmk-access)" + type = list(string) + default = [] +} + +variable "key_symmetric_encryption_users" { + description = "A list of IAM ARNs for [key symmetric encryption users](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-users-crypto)" + type = list(string) + default = [] +} + +variable "key_hmac_users" { + description = "A list of IAM ARNs for [key HMAC users](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-users-crypto)" + type = list(string) + default = [] +} + +variable "key_asymmetric_public_encryption_users" { + description = "A list of IAM ARNs for [key asymmetric public encryption users](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-users-crypto)" + type = list(string) + 
default = [] +} + +variable "key_asymmetric_sign_verify_users" { + description = "A list of IAM ARNs for [key asymmetric sign and verify users](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-users-crypto)" + type = list(string) + default = [] +} + +variable "key_statements" { + description = "A map of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for custom permission usage" + type = any + default = {} +} + +variable "source_policy_documents" { + description = "List of IAM policy documents that are merged together into the exported document. Statements must have unique `sid`s" + type = list(string) + default = [] +} + +variable "override_policy_documents" { + description = "List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank `sid`s will override statements with the same `sid`" + type = list(string) + default = [] +} + +variable "enable_route53_dnssec" { + description = "Determines whether the KMS policy used for Route53 DNSSEC signing is enabled" + type = bool + default = false +} + +variable "route53_dnssec_sources" { + description = "A list of maps containing `account_ids` and Route53 `hosted_zone_arn` that will be allowed to sign DNSSEC records" + type = list(any) + default = [] +} + +variable "rotation_period_in_days" { + description = "Custom period of time between each rotation date. 
Must be a number between 90 and 2560 (inclusive)" + type = number + default = null +} + +################################################################################ +# Replica Key +################################################################################ + +variable "create_replica" { + description = "Determines whether a replica standard CMK will be created (AWS provided material)" + type = bool + default = false +} + +variable "primary_key_arn" { + description = "The primary key arn of a multi-region replica key" + type = string + default = null +} + +################################################################################ +# Replica External Key +################################################################################ + +variable "create_replica_external" { + description = "Determines whether a replica external CMK will be created (externally provided material)" + type = bool + default = false +} + +variable "primary_external_key_arn" { + description = "The primary external key arn of a multi-region replica external key" + type = string + default = null +} + +################################################################################ +# Alias +################################################################################ + +variable "aliases" { + description = "A list of aliases to create. Note - due to the use of `toset()`, values must be static strings and not computed values" + type = list(string) + default = [] +} + +variable "computed_aliases" { + description = "A map of aliases to create. 
Values provided via the `name` key of the map can be computed from upstream resources" + type = any + default = {} +} + +variable "aliases_use_name_prefix" { + description = "Determines whether the alias name is used as a prefix" + type = bool + default = false +} + +################################################################################ +# Grant +################################################################################ + +variable "grants" { + description = "A map of grant definitions to create" + type = any + default = {} +} diff --git a/_tools/terraform/modules/terraform-aws-kms/versions.tf b/_tools/terraform/modules/terraform-aws-kms/versions.tf new file mode 100644 index 0000000..f96e1b1 --- /dev/null +++ b/_tools/terraform/modules/terraform-aws-kms/versions.tf @@ -0,0 +1,10 @@ +terraform { + required_version = ">= 1.3" + + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 5.49" + } + } +} diff --git a/_tools/terraform/modules/terraform-aws-lambda/main.tf b/_tools/terraform/modules/terraform-aws-lambda/main.tf index 7cfa00a..61ab03e 100644 --- a/_tools/terraform/modules/terraform-aws-lambda/main.tf +++ b/_tools/terraform/modules/terraform-aws-lambda/main.tf 
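Review bot: The valid-value ranges spelled out in the descriptions of `customer_master_key_spec`, `key_usage`, `deletion_window_in_days` and `rotation_period_in_days` are not enforced, so an out-of-range value is only rejected by the KMS API at apply time. A `validation` block on each would catch it at plan time, e.g. `condition = var.deletion_window_in_days == null || (var.deletion_window_in_days >= 7 && var.deletion_window_in_days <= 30)` and `condition = var.key_usage == null || contains(["ENCRYPT_DECRYPT", "SIGN_VERIFY", "GENERATE_VERIFY_MAC"], var.key_usage)`. The `key_usage` description lists only `ENCRYPT_DECRYPT` and `SIGN_VERIFY`, yet `HMAC_256` is offered as a `customer_master_key_spec`, and HMAC keys need `GENERATE_VERIFY_MAC`, so the description should name that value too. `key_statements` and `route53_dnssec_sources` are typed `any`/`list(any)`; an `object` type with `optional()` fields would document the expected keys that main.tf reads via `try()` instead of leaving them to be discovered from the resource code.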
@@ -105,28 +105,28 @@ locals { } data "archive_file" "xray-sdk-layer" { - count = var.xray_enable ? 1 : 0 - type = "zip" + count = var.xray_enable ? 1 : 0 + type = "zip" source_dir = "../../../lambdas/${local.sdk_layer_name}" output_path = "../../../lambdas/${local.sdk_layer_name}.zip" } resource "aws_s3_bucket_object" "xray-sdk-layer" { - count = var.xray_enable ? 1 : 0 + count = var.xray_enable ? 1 : 0 bucket = aws_s3_bucket.lambda_bucket.id key = "${local.sdk_layer_name}.zip" source = data.archive_file.xray-sdk-layer[0].output_path - etag = filemd5(data.archive_file.xray-sdk-layer[0].output_path) + etag = filemd5(data.archive_file.xray-sdk-layer[0].output_path) } resource "aws_lambda_layer_version" "xray-sdk-layer" { - count = var.xray_enable ? 1 : 0 - filename = "../../../lambdas/${local.sdk_layer_name}.zip" - layer_name = format("%s-layer", local.sdk_layer_name) + count = var.xray_enable ? 1 : 0 + filename = "../../../lambdas/${local.sdk_layer_name}.zip" + layer_name = format("%s-layer", local.sdk_layer_name) compatible_runtimes = toset(lookup(var.compatible_runtimes, var.layer_type_lib)) - description = var.layer_description - license_info = var.license_info - source_code_hash = data.archive_file.xray-sdk-layer[0].output_base64sha256 + description = var.layer_description + license_info = var.license_info + source_code_hash = data.archive_file.xray-sdk-layer[0].output_base64sha256 } diff --git a/_tools/terraform/modules/terraform-aws-lambda/variables.tf b/_tools/terraform/modules/terraform-aws-lambda/variables.tf index 37b3782..a120ad9 100644 --- a/_tools/terraform/modules/terraform-aws-lambda/variables.tf +++ b/_tools/terraform/modules/terraform-aws-lambda/variables.tf 
@@ -39,37 +39,37 @@ variable "security_group_ids" { } variable "xray_enable" { - default = false - type = bool + default = false + type = bool description = "Enable or not the AWS X-Ray service for lambda" } variable "layer_type_lib" { - default = "nodejs" - type = string + default = "nodejs" + type = string description = "Define the library used for the layer SDK" } variable "layer_description" { default = "Layer for X-Ray SDK" - type = string + type = string } variable "license_info" { default = "MIT License" - type = string + type = string } variable "compatible_runtimes" { default = { nodejs = [ "nodejs12.x", - "nodejs14.x"] + "nodejs14.x"] python = [ "python3.6", "python3.7", - "python3.8"] + "python3.8"] } - type = map(list(string)) + type = map(list(string)) description = "Define the compatible library SDK" } \ No newline at end of file diff --git a/_tools/terraform/modules/terraform-aws-packer-build/README.md b/_tools/terraform/modules/terraform-aws-packer-build/README.md index 2369d39..639b428 100644 --- a/_tools/terraform/modules/terraform-aws-packer-build/README.md +++ b/_tools/terraform/modules/terraform-aws-packer-build/README.md 
@@ -1 +1,53 @@ -# `terraform-aws-packer-build` \ No newline at end of file +# Documentation + + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| aws | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_internet_gateway.gw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/internet_gateway) | resource | +| [aws_route_table.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource | +| [aws_route_table_association.rtap](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource | +| [aws_security_group.packer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [aws_subnet.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource | +| [aws_vpc.build](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc) | resource | +| [aws_vpc_endpoint.s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | +| [aws_vpc_endpoint_route_table_association.s3-rt-public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint_route_table_association) | resource | +| [aws_vpc_endpoint_service.s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| azs | n/a | `map(list(string))` |
{
"eu-west-1": [
"eu-west-1a"
]
}
| no | +| cidr\_block | n/a | `string` | `"10.110.0.0/20"` | no | +| enable\_dns\_hostnames | n/a | `bool` | `true` | no | +| enable\_dns\_support | n/a | `bool` | `true` | no | +| region | n/a | `string` | `"eu-west-1"` | no | +| s3\_endpoint\_enabled | n/a | `bool` | `false` | no | +| ssh\_port | n/a | `number` | `22` | no | +| subnet\_bits | n/a | `number` | `4` | no | +| trusted\_networks | n/a | `list(string)` |
[
"0.0.0.0/0"
]
| no | + +## Outputs + +| Name | Description | +|------|-------------| +| public\_subnets | n/a | +| security\_group\_public\_subnet | n/a | +| vpc\_id | n/a | + \ No newline at end of file diff --git a/_tools/terraform/modules/terraform-aws-packer-build/iam.tf b/_tools/terraform/modules/terraform-aws-packer-build/iam.tf new file mode 100644 index 0000000..bd936ba --- /dev/null +++ b/_tools/terraform/modules/terraform-aws-packer-build/iam.tf @@ -0,0 +1,40 @@ +locals { + role_name = "packer-build" +} + +data "aws_caller_identity" "current" {} + +####################### +# IAM Role for Packer +####################### +resource "aws_iam_instance_profile" "packer_build" { + name = local.role_name + role = aws_iam_role.packer_build.name +} + +data "aws_iam_policy_document" "assume_ec2" { + statement { + sid = "EC2Assume" + actions = ["sts:AssumeRole"] + principals { + type = "Service" + identifiers = ["ec2.amazonaws.com"] + } + } +} + +resource "aws_iam_role" "packer_build" { + name = local.role_name + assume_role_policy = data.aws_iam_policy_document.assume_ec2.json + + tags = merge( + var.tags, + { "Name" = local.role_name } + ) +} + +# Attach managed Policies +resource "aws_iam_role_policy_attachment" "SSM_permissions" { + role = aws_iam_role.packer_build.id + policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore" +} diff --git a/_tools/terraform/modules/terraform-aws-packer-build/outputs.tf b/_tools/terraform/modules/terraform-aws-packer-build/outputs.tf index ea7f20f..1bfc449 100644 --- a/_tools/terraform/modules/terraform-aws-packer-build/outputs.tf +++ b/_tools/terraform/modules/terraform-aws-packer-build/outputs.tf @@ -8,4 +8,8 @@ output "public_subnets" { output "security_group_public_subnet" { value = aws_security_group.packer.id -} \ No newline at end of file +} + +output "aws_iam_role_arn" { + value = aws_iam_role.packer_build.arn +} 
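Review bot: The managed policy ARN in `aws_iam_role_policy_attachment.SSM_permissions` hard-codes the `aws` partition, and `data "aws_caller_identity" "current"` is declared but referenced nowhere in this hunk. Prefer `data "aws_partition" "current" {}` with `policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonSSMManagedInstanceCore"`, and drop the caller-identity data source unless another file in the module reads it. The role and instance profile both carry the fixed name `packer-build` from `local.role_name`, so a second deployment of this module in the same account collides on the name; `name_prefix` or a name derived from `var.tags` would avoid that. A header comment such as `# Instance role for Packer build hosts: SSM agent baseline only; build-time AWS permissions must be granted separately` would make the intentionally narrow scope explicit.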
diff --git a/_tools/terraform/modules/terraform-aws-packer-build/variables.tf b/_tools/terraform/modules/terraform-aws-packer-build/variables.tf
index d5c71ac..cb90b3f 100644
--- a/_tools/terraform/modules/terraform-aws-packer-build/variables.tf
+++ b/_tools/terraform/modules/terraform-aws-packer-build/variables.tf
@@ -43,4 +43,11 @@ variable "s3_endpoint_enabled" {
 variable "ssh_port" {
 type = number
 default = 22
-}
\ No newline at end of file
+}
+
+variable "tags" {
+ type = map(string)
+ default = {
+ "Stack" = "packer"
+ }
+}
diff --git a/_tools/terraform/modules/terraform-aws-s3-bucket/README.md b/_tools/terraform/modules/terraform-aws-s3-bucket/README.md
new file mode 100644
index 0000000..858c51c
--- /dev/null
+++ b/_tools/terraform/modules/terraform-aws-s3-bucket/README.md
@@ -0,0 +1,64 @@ +# Documentation + + +## Requirements + +| Name | Version | +|------|---------| +| aws | ~> 5.0 | + +## Providers + +| Name | Version | +|------|---------| +| aws | ~> 5.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_s3_bucket.encrypted_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket_lifecycle_configuration.lifecycle](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource | +| [aws_s3_bucket_ownership_controls.object_ownership](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource | +| [aws_s3_bucket_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource | +| [aws_s3_bucket_public_access_block.bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | +| [aws_s3_bucket_server_side_encryption_configuration.encryption](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | +| [aws_s3_bucket_versioning.versioning](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource | +| [aws_iam_policy_document.bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| aes | Use AES encryption instead of KMS | `bool` | `false` | no | +| bucket\_name | Name of the S3 bucket | `any` | n/a | yes | +| bucket\_tags | The tags of the S3 bucket | `map(string)` | `{}` | no | +| environment | Environment name | `string` | n/a | yes | +| extra\_policy | policy document 
to add to bucket policy | `string` | `""` | no | +| force\_destroy | A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. | `bool` | `false` | no | +| force\_encrypted\_uploads | Set a bucket policy blocking non-encrypted uploads. | `bool` | `false` | no | +| lifecycle\_rules | List of lifecycle rules | `any` | `[]` | no | +| mfa\_delete | Enable MFA delete for either Change the versioning state of your bucket or Permanently delete an object version. Default is false. | `bool` | `false` | no | +| object\_ownership | Object ownership rule for objects uploaded to the bucket from the same account or another one | `string` | `"BucketOwnerEnforced"` | no | +| replicating\_shore | Indicates if we are replicating a shore bucket | `bool` | `false` | no | +| replication\_dest\_bucket\_arn | S3 bucket arn in which objects will be replicated | `string` | `""` | no | +| replication\_exclude\_prefixes | List of shores that will not be replicated in a cross-region bucket | `any` | `[]` | no | +| replication\_iam\_role\_arn | IAM role arn assumed by S3 to replicate data | `string` | `""` | no | +| replication\_kms\_key\_id | KMS Key ID used to encrypt replicated S3 objects | `string` | `""` | no | +| replication\_prefixes | List of S3 prefixes to replicate | `any` | `[]` | no | +| set\_replication | Set objects replication or not | `bool` | `false` | no | +| versioning | Define the block for default versioning\_configuration of the bucket | `map(string)` |
{
"mfa_delete": false,
"status": true
}
| no | + +## Outputs + +| Name | Description | +|------|-------------| +| bucket\_arn | n/a | +| bucket\_domain\_name | n/a | +| bucket\_id | n/a | +| bucket\_regional\_domain\_name | n/a | + \ No newline at end of file diff --git a/_tools/terraform/modules/terraform-aws-s3-bucket/iam.tf b/_tools/terraform/modules/terraform-aws-s3-bucket/iam.tf new file mode 100644 index 0000000..e69de29 diff --git a/_tools/terraform/modules/terraform-aws-s3-bucket/main.tf b/_tools/terraform/modules/terraform-aws-s3-bucket/main.tf new file mode 100644 index 0000000..34adde5 --- /dev/null +++ b/_tools/terraform/modules/terraform-aws-s3-bucket/main.tf 
@@ -0,0 +1,189 @@ +locals { + status = { + enabled = "Enabled", + disabled = "Disabled" + } + + storage_class = { + standard = "STANDARD", + standard_ia = "STANDARD_IA", + onezone_ia = "ONEZONE_IA", + intelligent_tiering = "INTELLIGENT_TIERING", + glacier = "INTELLIGENT_TIERING", + glacier_ir = "GLACIER_IR", + deep_archive = "DEEP_ARCHIVE" + } + # Bucket policy forbidding file transfer out of VPC Endpoints + force_encrypted_uploads = var.force_encrypted_uploads ? { "key" : "value" } : {} +} + +# Extra policy for bucket +data "aws_iam_policy_document" "bucket_policy" { + count = var.extra_policy != "" ? 1 : 0 + source_policy_documents = [var.extra_policy] +} + +resource "aws_s3_bucket_policy" "policy" { + count = length(data.aws_iam_policy_document.bucket_policy) + bucket = aws_s3_bucket.encrypted_bucket.id + policy = data.aws_iam_policy_document.bucket_policy[0].json +} + +resource "aws_s3_bucket" "encrypted_bucket" { + bucket = var.bucket_name + force_destroy = var.force_destroy + + lifecycle { + create_before_destroy = true + } + + tags = merge( + { + "Name" = var.bucket_name + }, + var.bucket_tags, + ) +} + +resource "aws_s3_bucket_ownership_controls" "object_ownership" { + bucket = aws_s3_bucket.encrypted_bucket.id + rule { + object_ownership = var.object_ownership + } +} + +resource "aws_s3_bucket_versioning" "versioning" { + bucket = aws_s3_bucket.encrypted_bucket.id + + versioning_configuration { + # Valid values: "Enabled" or "Suspended" + status = try(var.versioning["enabled"] ? "Enabled" : "Suspended", tobool(var.versioning["status"]) ? "Enabled" : "Suspended", title(lower(var.versioning["status"]))) + # Valid values: "Enabled" or "Disabled" + mfa_delete = try(tobool(var.versioning["mfa_delete"]) ? 
"Enabled" : "Disabled", title(lower(var.versioning["mfa_delete"])), null) + } +} + +resource "aws_s3_bucket_server_side_encryption_configuration" "encryption" { + bucket = aws_s3_bucket.encrypted_bucket.id + rule { + apply_server_side_encryption_by_default { + sse_algorithm = "AES256" + } + } +} + +resource "aws_s3_bucket_lifecycle_configuration" "lifecycle" { + # Only one lifecycle_configuration per bucket is allowed + bucket = aws_s3_bucket.encrypted_bucket.id + + dynamic "rule" { + for_each = var.lifecycle_rules + content { + id = lookup(rule.value, "id", null) + status = lookup(rule.value, "enable", null) ? local.status.enabled : local.status.disabled + + # Case 1 : Simple filter based on prefix only, to stay compatible with the existing usage of the CrossModule Bucket + dynamic "filter" { + for_each = length(try(rule.value.prefix, "")) > 0 ? { prefix = rule.value.prefix } : {} + + content { + prefix = try(rule.value.prefix, null) + } + } + + # Case 2 : Dedicated filter map with only one parameter + dynamic "filter" { + for_each = [ + for v in try(flatten([rule.value.filter]), []) : v + if max(length(keys(v)), length(try(rule.value.filter.tags, rule.value.filter.tag, []))) == 1 + ] + + content { + object_size_greater_than = try(filter.value["object_size_greater_than"], null) + object_size_less_than = try(filter.value["object_size_less_than"], null) + prefix = try(filter.value["prefix"], null) + + dynamic "tag" { + for_each = try(filter.value["tags"], filter.value["tag"], []) + + content { + key = tag.key + value = tag.value + } + } + } + } + + # Case 3 : Dedicated filter map with multiple parameters + dynamic "filter" { + for_each = [ + for v in try(flatten([rule.value.filter]), []) : v + if max(length(keys(v)), length(try(rule.value.filter.tags, rule.value.filter.tag, []))) > 1 + ] + + content { + and { + object_size_greater_than = try(filter.value["object_size_greater_than"], null) + object_size_less_than = try(filter.value["object_size_less_than"], null) + 
prefix = try(filter.value["prefix"], null) + tags = try(filter.value["tags"], filter.value["tag"], null) + } + } + } + + # Max 1 block - abort_incomplete_multipart_upload + dynamic "abort_incomplete_multipart_upload" { + for_each = try([rule.value.abort_incomplete_multipart_upload_days], []) + + content { + days_after_initiation = try(rule.value.abort_incomplete_multipart_upload_days, null) + } + } + + # Max 1 block - expiration + dynamic "expiration" { + for_each = try(flatten([rule.value.expiration]), []) + + content { + date = try(expiration.value.date, null) + days = try(expiration.value.days, null) + expired_object_delete_marker = try(expiration.value.expired_object_delete_marker, null) + } + } + + # Max 1 block - noncurrent_version_expiration + dynamic "noncurrent_version_expiration" { + for_each = try(flatten([rule.value.noncurrent_version_expiration]), []) + + content { + newer_noncurrent_versions = try(noncurrent_version_expiration.value.newer_noncurrent_versions, null) + noncurrent_days = try(noncurrent_version_expiration.value.days, noncurrent_version_expiration.value.noncurrent_days, null) + } + } + + dynamic "transition" { + for_each = lookup(rule.value, "transition", []) + content { + days = lookup(transition.value, "transition_period", null) + storage_class = lookup(transition.value, "transition_storage_class", null) + } + } + + dynamic "noncurrent_version_transition" { + for_each = lookup(rule.value, "versions_transition", []) + content { + noncurrent_days = lookup(noncurrent_version_transition.value, "transition_period", null) + storage_class = lookup(noncurrent_version_transition.value, "transition_storage_class", null) + } + } + } + } +} + +resource "aws_s3_bucket_public_access_block" "bucket" { + bucket = aws_s3_bucket.encrypted_bucket.id + block_public_acls = true + block_public_policy = true + restrict_public_buckets = true + ignore_public_acls = true +} 
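Review bot: `var.force_encrypted_uploads` has no effect: `local.force_encrypted_uploads` is a `{ "key" : "value" }` placeholder that nothing reads, and `data.aws_iam_policy_document.bucket_policy` only merges `var.extra_policy`, so a caller that sets the flag gets no policy blocking unencrypted uploads even though the variable description and README promise one. Either wire the flag into the policy document as sketched below, or remove the input and the local so the contract is honest. In the same hunk `local.storage_class.glacier` maps to `"INTELLIGENT_TIERING"` instead of `"GLACIER"`, and `var.aes` and `var.mfa_delete` are likewise never read (`aws_s3_bucket_server_side_encryption_configuration.encryption` always uses `AES256`; versioning reads `var.versioning["mfa_delete"]`). The comment `# Bucket policy forbidding file transfer out of VPC Endpoints` describes neither the local below it nor any statement in the file; replace it with `# Optional deny statement for uploads that do not request server-side encryption`.

```hcl
data "aws_iam_policy_document" "bucket_policy" {
  count                   = var.extra_policy != "" || var.force_encrypted_uploads ? 1 : 0
  source_policy_documents = var.extra_policy != "" ? [var.extra_policy] : []

  # Only emitted when the caller asks for it; denies PutObject requests that carry no SSE header.
  dynamic "statement" {
    for_each = var.force_encrypted_uploads ? [1] : []
    content {
      sid       = "DenyUnencryptedObjectUploads"
      effect    = "Deny"
      actions   = ["s3:PutObject"]
      resources = ["${aws_s3_bucket.encrypted_bucket.arn}/*"]

      principals {
        type        = "*"
        identifiers = ["*"]
      }

      condition {
        test     = "Null"
        variable = "s3:x-amz-server-side-encryption"
        values   = ["true"]
      }
    }
  }
}

# … unchanged: aws_s3_bucket_policy.policy (count = length(...) already follows the data source) …
```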
diff --git a/_tools/terraform/modules/terraform-aws-s3-bucket/outputs.tf b/_tools/terraform/modules/terraform-aws-s3-bucket/outputs.tf
new file mode 100644
index 0000000..863d62a
--- /dev/null
+++ b/_tools/terraform/modules/terraform-aws-s3-bucket/outputs.tf
@@ -0,0 +1,15 @@
+output "bucket_id" {
+ value = aws_s3_bucket.encrypted_bucket.id
+}
+
+output "bucket_arn" {
+ value = aws_s3_bucket.encrypted_bucket.arn
+}
+
+output "bucket_domain_name" {
+ value = aws_s3_bucket.encrypted_bucket.bucket_domain_name
+}
+
+output "bucket_regional_domain_name" {
+ value = aws_s3_bucket.encrypted_bucket.bucket_regional_domain_name
+}
\ No newline at end of file
diff --git a/_tools/terraform/modules/terraform-aws-s3-bucket/provider.tf b/_tools/terraform/modules/terraform-aws-s3-bucket/provider.tf
new file mode 100644
index 0000000..fbfe584
--- /dev/null
+++ b/_tools/terraform/modules/terraform-aws-s3-bucket/provider.tf
@@ -0,0 +1,7 @@
+terraform {
+ required_providers {
+ aws = {
+ version = "~> 5.0"
+ }
+ }
+}
diff --git a/_tools/terraform/modules/terraform-aws-s3-bucket/variable.tf b/_tools/terraform/modules/terraform-aws-s3-bucket/variable.tf
new file mode 100644
index 0000000..93feaf4
--- /dev/null
+++ b/_tools/terraform/modules/terraform-aws-s3-bucket/variable.tf
@@ -0,0 +1,99 @@ +variable "bucket_name" { + description = "Name of the S3 bucket" +} + +variable "environment" { + description = "Environment name" + type = string +} + +variable "object_ownership" { + description = "Object ownership rule for objects uploaded to the bucket from the same account or another one" + default = "BucketOwnerEnforced" +} + +variable "versioning" { + default = { + status = true + mfa_delete = false + } + type = map(string) + description = "Define the block for default versioning_configuration of the bucket" +} + +variable "bucket_tags" { + description = "The tags of the S3 bucket" + default = {} + type = map(string) +} + +variable "force_encrypted_uploads" { + description = "Set a bucket policy blocking non-encrypted uploads." + default = false +} + +variable "force_destroy" { + description = "A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable." + default = false +} + +variable "mfa_delete" { + description = "Enable MFA delete for either Change the versioning state of your bucket or Permanently delete an object version. Default is false." 
+ default = false +} + +variable "aes" { + description = "Use AES encryption instead of KMS" + default = false +} + +variable "lifecycle_rules" { + description = "List of lifecycle rules" + default = [] + type = any +} + +variable "extra_policy" { + description = "policy document to add to bucket policy" + default = "" + type = string +} + +variable "set_replication" { + description = "Set objects replication or not" + default = false + type = bool +} + +variable "replication_iam_role_arn" { + description = "IAM role arn assumed by S3 to replicate data" + default = "" +} + +variable "replication_kms_key_id" { + description = "KMS Key ID used to encrypt replicated S3 objects" + default = "" +} + +variable "replication_prefixes" { + description = "List of S3 prefixes to replicate" + default = [] + type = any +} + +variable "replication_exclude_prefixes" { + description = "List of shores that will not be replicated in a cross-region bucket" + type = any + default = [] +} + +variable "replication_dest_bucket_arn" { + description = "S3 bucket arn in which objects will be replicated" + default = "" +} + +variable "replicating_shore" { + description = "Indicates if we are replicating a shore bucket" + default = false + type = bool +} diff --git a/_tools/terraform/modules/terraform-aws-vpc/certificate.tf b/_tools/terraform/modules/terraform-aws-vpc/certificate.tf index 4b05ef6..4d34ac9 100644 --- a/_tools/terraform/modules/terraform-aws-vpc/certificate.tf +++ b/_tools/terraform/modules/terraform-aws-vpc/certificate.tf @@ -1,3 +1,7 @@ +# locals { +# external_domain_name = var.env == "prod" ? replace(var.external_domain_name, var.env, "") : var.external_domain_name +# } + resource "aws_acm_certificate" "cert" { domain_name = var.external_domain_name subject_alternative_names = [ @@ -80,4 +84,4 @@ resource "aws_acm_certificate_validation" "cert" { // provider "aws" { // region = "us-east-1" // alias = "aws-global" -// } \ No newline at end of file +// } 
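Review bot: Most inputs in this new variable.tf are untyped — `bucket_name`, `object_ownership`, `force_encrypted_uploads`, `force_destroy`, `mfa_delete`, `aes`, `replication_iam_role_arn`, `replication_kms_key_id`, `replication_dest_bucket_arn` — while `set_replication` and `replicating_shore` do declare `type = bool`; add `type = string` or `type = bool` to the rest so a mistyped value such as `"false"` is rejected at plan time instead of being coerced. `mfa_delete` exists both as a top-level variable and as a key of the `versioning` map default; the main.tf that consumes them is outside this hunk, so I cannot tell which one is honoured, but a comment on one of them stating which is authoritative would prevent a false sense of MFA-delete being enabled. The description of `replication_exclude_prefixes` ("List of shores") reads as a project term; spelling it out once would help readers of the generated README.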
diff --git a/_tools/terraform/modules/terraform-aws-vpc/endpoints.tf b/_tools/terraform/modules/terraform-aws-vpc/endpoints.tf
new file mode 100644
index 0000000..692e68e
--- /dev/null
+++ b/_tools/terraform/modules/terraform-aws-vpc/endpoints.tf
@@ -0,0 +1,49 @@
+#----------------------------------
+# VPC Endpoints
+#----------------------------------
+resource "aws_vpc_endpoint" "s3" {
+ count = var.s3_endpoint_enabled ? 1 : 0
+ vpc_id = aws_vpc.main.id
+ service_name = "com.amazonaws.${var.region}.s3"
+ route_table_ids = concat([
+ aws_route_table.public.id], [for o in aws_route_table.private : o.id])
+ tags = {
+ Environment = var.env,
+ Service = "S3",
+ Stack = "common",
+ Role = "endpoint"
+ }
+}
+
+resource "aws_vpc_endpoint" "dynamodb" {
+ count = var.dynamodb_endpoint_enabled ? 1 : 0
+ vpc_id = aws_vpc.main.id
+ service_name = "com.amazonaws.${var.region}.dynamodb"
+ route_table_ids = concat([
+ aws_route_table.public.id], [for o in aws_route_table.private : o.id])
+ tags = {
+ Environment = var.env,
+ Service = "DynamoDB",
+ Stack = "common",
+ Role = "endpoint"
+ }
+}
+
+resource "aws_vpc_endpoint" "lambda" {
+ count = var.lambda_endpoint_enabled ? 1 : 0
+ vpc_id = aws_vpc.main.id
+ service_name = "com.amazonaws.${var.region}.lambda"
+ vpc_endpoint_type = "Interface"
+ private_dns_enabled = true
+ security_group_ids = [
+ aws_security_group.allow-lambda.id,
+ ]
+ subnet_ids = [for o in aws_subnet.private : o.id]
+
+ tags = {
+ Environment = var.env,
+ Service = "Lambda",
+ Stack = "common",
+ Role = "endpoint"
+ }
+}
diff --git a/_tools/terraform/modules/terraform-aws-vpc/main.tf b/_tools/terraform/modules/terraform-aws-vpc/main.tf
index 994715e..271e29a
--- a/_tools/terraform/modules/terraform-aws-vpc/main.tf
+++ b/_tools/terraform/modules/terraform-aws-vpc/main.tf
@@ -1,6 +1,6 @@ -#################################### +#---------------------------------- # VPC -#################################### +#---------------------------------- resource "aws_vpc" "main" { cidr_block = var.cidr_block enable_dns_hostnames = "true" @@ -11,9 +11,9 @@ resource "aws_vpc" "main" { } } -#################################### +#---------------------------------- # Public subnets -#################################### +#---------------------------------- resource "aws_subnet" "public" { for_each = toset(lookup(var.azs, var.region)) vpc_id = aws_vpc.main.id @@ -29,9 +29,9 @@ resource "aws_subnet" "public" { ) } -#################################### +#---------------------------------- # Ressources for Publics subnets -#################################### +#---------------------------------- resource "aws_internet_gateway" "gw" { vpc_id = aws_vpc.main.id @@ -62,16 +62,16 @@ resource "aws_route_table_association" "rta-pub" { route_table_id = aws_route_table.public.id } -#################################### +#---------------------------------- # Zone Public Route53 -#################################### +#---------------------------------- resource "aws_route53_zone" "public" { name = var.external_domain_name } -#################################### +#---------------------------------- # Single-NAT-GW : EIP -#################################### +#---------------------------------- resource "aws_eip" "single-eip" { count = !var.one_nat_gateway_per_az ? 1 : 0 tags = { @@ -80,9 +80,9 @@ resource "aws_eip" "single-eip" { } } -#################################### +#---------------------------------- # Single-NAT-GW : -#################################### +#---------------------------------- resource "aws_nat_gateway" "single-natgw" { count = !var.one_nat_gateway_per_az ? 1 : 0 allocation_id = aws_eip.single-eip[count.index].id 
@@ -93,9 +93,9 @@ resource "aws_nat_gateway" "single-natgw" { } } -#################################### +#---------------------------------- # Single-NAT-GW : Record DNS -#################################### +#---------------------------------- resource "aws_route53_record" "single-natgw-record" { count = !var.one_nat_gateway_per_az ? 1 : 0 zone_id = aws_route53_zone.public.id @@ -107,9 +107,9 @@ resource "aws_route53_record" "single-natgw-record" { ] } -#################################### +#---------------------------------- # Multi-NAT-GW : EIP -#################################### +#---------------------------------- resource "aws_eip" "multi-eip" { for_each = var.one_nat_gateway_per_az ? toset(lookup(var.azs, var.region)) : [] tags = { @@ -118,9 +118,9 @@ resource "aws_eip" "multi-eip" { } } -#################################### +#---------------------------------- # Multi-NAT-GW : -#################################### +#---------------------------------- resource "aws_nat_gateway" "multi-natgw" { for_each = var.one_nat_gateway_per_az ? toset(lookup(var.azs, var.region)) : [] @@ -137,9 +137,9 @@ resource "aws_nat_gateway" "multi-natgw" { } } -#################################### +#---------------------------------- # Multi-NAT-GW : records public -#################################### +#---------------------------------- resource "aws_route53_record" "multi-natgw-record" { for_each = var.one_nat_gateway_per_az ? toset(lookup(var.azs, var.region)) : [] @@ -152,9 +152,9 @@ resource "aws_route53_record" "multi-natgw-record" { ] } -#################################### +#---------------------------------- # Private subnets -#################################### +#---------------------------------- resource "aws_subnet" "private" { for_each = toset(lookup(var.azs, var.region)) vpc_id = aws_vpc.main.id 
@@ -170,9 +170,9 @@ resource "aws_subnet" "private" { ) } -#################################### +#---------------------------------- # Private route table -#################################### +#---------------------------------- resource "aws_route_table" "private" { for_each = toset(lookup(var.azs, var.region)) vpc_id = aws_vpc.main.id @@ -182,18 +182,18 @@ resource "aws_route_table" "private" { Environment = var.env } } -#################################### +#---------------------------------- # Private route table association -#################################### +#---------------------------------- resource "aws_route_table_association" "rta-prv" { for_each = toset(lookup(var.azs, var.region)) subnet_id = element([for o in aws_subnet.private : o.id], index(lookup(var.azs, var.region), each.key)) route_table_id = aws_route_table.private[each.value].id } -#################################### +#---------------------------------- # Private route -#################################### +#---------------------------------- resource "aws_route" "private-default" { for_each = toset(lookup(var.azs, var.region)) route_table_id = aws_route_table.private[each.value].id 
@@ -208,84 +208,6 @@ resource "aws_route53_zone" "private" { } } -#################################### -# VPC Endpoints -#################################### -resource "aws_vpc_endpoint" "s3" { - count = var.s3_endpoint_enabled ? 1 : 0 - vpc_id = aws_vpc.main.id - service_name = "com.amazonaws.${var.region}.s3" - route_table_ids = concat([ - aws_route_table.public.id], [for o in aws_route_table.private : o.id]) - tags = { - Environment = var.env, - Service = "S3", - Stack = "common", - Role = "endpoint" - } -} - -resource "aws_vpc_endpoint" "dynamodb" { - count = var.dynamodb_endpoint_enabled ? 1 : 0 - vpc_id = aws_vpc.main.id - service_name = "com.amazonaws.${var.region}.dynamodb" - route_table_ids = concat([ - aws_route_table.public.id], [for o in aws_route_table.private : o.id]) - tags = { - Environment = var.env, - Service = "DynamoDB", - Stack = "common", - Role = "endpoint" - } -} - -resource "aws_vpc_endpoint" "lambda" { - count = var.lambda_endpoint_enabled ? 1 : 0 - vpc_id = aws_vpc.main.id - service_name = "com.amazonaws.${var.region}.lambda" - vpc_endpoint_type = "Interface" - private_dns_enabled = true - security_group_ids = [ - aws_security_group.allow-lambda.id, - ] - subnet_ids = [for o in aws_subnet.private : o.id] - - tags = { - Environment = var.env, - Service = "Lambda", - Stack = "common", - Role = "endpoint" - } -} - -//---------------------------- -# SG bastion ssh egress -//---------------------------- -resource "aws_security_group" "allow-lambda" { - name = "sgp-allow-lambda" - vpc_id = aws_vpc.main.id - description = "Security group for lambda interface VPC" - ingress { - from_port = var.inbound_port - to_port = var.inbound_port - protocol = "-1" - cidr_blocks = var.inbound_cidr_blocks - } - egress { - from_port = var.outbound_port - to_port = var.outbound_port - protocol = "-1" - cidr_blocks = var.outbound_cidr_blocks - } - tags = { - Name = "sgp-allow-lambda", - Environment = var.env - } - lifecycle { - create_before_destroy = true - } -} 
- ## # ElastiCache subnets ## diff --git a/_tools/terraform/modules/terraform-aws-vpc/securitygroup.tf b/_tools/terraform/modules/terraform-aws-vpc/securitygroup.tf new file mode 100644 index 0000000..e951adf --- /dev/null +++ b/_tools/terraform/modules/terraform-aws-vpc/securitygroup.tf @@ -0,0 +1,27 @@ +#---------------------------------- +# SG for Lambda +#---------------------------------- +resource "aws_security_group" "allow-lambda" { + name = "sgp-allow-lambda" + vpc_id = aws_vpc.main.id + description = "Security group for lambda interface VPC" + ingress { + from_port = var.inbound_port + to_port = var.inbound_port + protocol = "-1" + cidr_blocks = var.inbound_cidr_blocks + } + egress { + from_port = var.outbound_port + to_port = var.outbound_port + protocol = "-1" + cidr_blocks = var.outbound_cidr_blocks + } + tags = { + Name = "sgp-allow-lambda", + Environment = var.env + } + lifecycle { + create_before_destroy = true + } +} diff --git a/_tools/terraform/modules/terraform-aws-vpc/variables.tf b/_tools/terraform/modules/terraform-aws-vpc/variables.tf index 80afdba..897558b 100644 --- a/_tools/terraform/modules/terraform-aws-vpc/variables.tf +++ b/_tools/terraform/modules/terraform-aws-vpc/variables.tf @@ -45,7 +45,7 @@ variable "azs" { eu-west-1 = [ "eu-west-1a", "eu-west-1b", - # "eu-west-1c" + "eu-west-1c" ] us-east-1 = [ "us-east-1a", @@ -53,7 +53,8 @@ variable "azs" { "us-east-1c", "us-east-1d", "us-east-1e", - "us-east-1f"] + "us-east-1f" + ] } } @@ -117,4 +118,4 @@ variable "inbound_cidr_blocks" { variable "outbound_cidr_blocks" { default = [ "0.0.0.0/0"] -} \ No newline at end of file +} diff --git a/_tools/terraform/modules/terraform-gandi-dns/README.md b/_tools/terraform/modules/terraform-gandi-dns/README.md new file mode 100644 index 0000000..7bb3bcd --- /dev/null +++ b/_tools/terraform/modules/terraform-gandi-dns/README.md 
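Review bot: In `aws_security_group.allow-lambda` both the ingress and egress rules use `protocol = "-1"`, for which the port range is not applied, so `var.inbound_port` and `var.outbound_port` have no effect and the group actually admits all protocols and ports from `var.inbound_cidr_blocks` and out to `var.outbound_cidr_blocks` (default `0.0.0.0/0` in the variables.tf hunk below). The group is attached to the Lambda Interface endpoint in endpoints.tf, which only needs TCP/443 from inside the VPC; if that is the intent, set `protocol = "tcp"` on the ingress rule so the port variables are honoured, and reconsider whether the wide egress rule is needed on an endpoint security group at all. This is a move from main.tf (removed in the `@@ -208,84 +208,6 @@` hunk above) rather than new logic, so the behaviour is pre-existing, but the new file is the natural place to tighten it.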
@@ -0,0 +1,40 @@ + +## Requirements + +| Name | Version | +|------|---------| +| gandi | 2.3.0 | + +## Providers + +| Name | Version | +|------|---------| +| gandi | 2.3.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [gandi_livedns_record.record](https://registry.terraform.io/providers/go-gandi/gandi/2.3.0/docs/resources/livedns_record) | resource | +| [gandi_domain.origin](https://registry.terraform.io/providers/go-gandi/gandi/2.3.0/docs/data-sources/domain) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| gandi\_alias\_ns | Alias Name for NS records | `string` | `""` | no | +| gandi\_aws\_ns | AWS API Route53 for delegation domain | `list(string)` | `[]` | no | +| gandi\_domain\_name | Domain Name | `string` | `"domain.com"` | no | +| gandi\_personal\_access\_token | Gandi PAT (Personal Access Token) defined in Terraform Cloud environment. | `string` | n/a | yes | +| ns\_ttl | n/a | `number` | `3600` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| gandi\_domain\_name | n/a | + \ No newline at end of file diff --git a/_tools/terraform/modules/terraform-gandi-dns/main.tf b/_tools/terraform/modules/terraform-gandi-dns/main.tf index 203a42d..f853fda 100644 --- a/_tools/terraform/modules/terraform-gandi-dns/main.tf +++ b/_tools/terraform/modules/terraform-gandi-dns/main.tf @@ -1,21 +1,21 @@ terraform { required_providers { gandi = { - version = "2.0.0-rc3" - source = "psychopenguin/gandi" + source = "go-gandi/gandi" + version = "2.3.0" } } } provider "gandi" { - key = var.gandi_apikey + personal_access_token = var.gandi_personal_access_token } data "gandi_domain" "origin" { name = var.gandi_domain_name } -resource "gandi_livedns_record" "aws-ns" { +resource "gandi_livedns_record" "record" { zone = data.gandi_domain.origin.id name = var.gandi_alias_ns type = "NS" 
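Review bot: Renaming `gandi_livedns_record.aws-ns` to `gandi_livedns_record.record` without a `moved` block makes Terraform destroy the old NS record and create a new one, which briefly drops the Route53 delegation for the domain; a top-level `moved` block keeps the existing record in state under its new address. Switching the provider source from `psychopenguin/gandi` to `go-gandi/gandi` also changes the provider address recorded in existing state, so workspaces that already manage this record will need `terraform state replace-provider` before `init` succeeds; worth a line in `_docs/howto-terraform-cloud.md`. The `resource "gandi_livedns_record" "record"` body continues past the end of the hunk.
```terraform
# … unchanged: terraform / provider "gandi" / data "gandi_domain" blocks …

# Keep the existing NS delegation record in state under its new address
# instead of destroying and recreating it on the next apply.
moved {
  from = gandi_livedns_record.aws-ns
  to   = gandi_livedns_record.record
}

resource "gandi_livedns_record" "record" {
```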
diff --git a/_tools/terraform/modules/terraform-gandi-dns/outputs.tf b/_tools/terraform/modules/terraform-gandi-dns/outputs.tf index 9770170..0565de8 100644 --- a/_tools/terraform/modules/terraform-gandi-dns/outputs.tf +++ b/_tools/terraform/modules/terraform-gandi-dns/outputs.tf @@ -1,3 +1,3 @@ -// output "gandi_domain_name" { -// value = gandi_domain.origin.name -// } \ No newline at end of file +output "gandi_domain_name" { + value = var.gandi_domain_name +} diff --git a/_tools/terraform/modules/terraform-gandi-dns/variables.tf b/_tools/terraform/modules/terraform-gandi-dns/variables.tf index 4f3c77b..ec0036b 100644 --- a/_tools/terraform/modules/terraform-gandi-dns/variables.tf +++ b/_tools/terraform/modules/terraform-gandi-dns/variables.tf @@ -1,5 +1,6 @@ -variable "gandi_apikey" { - description = "Gandi API Key defined in Terraform Cloud environment." +variable "gandi_personal_access_token" { + description = "Gandi PAT (Personal Access Token) defined in Terraform Cloud environment." + type = string } variable "ns_ttl" { @@ -23,4 +24,4 @@ variable "gandi_alias_ns" { default = "" type = string description = "Alias Name for NS records" -} \ No newline at end of file +} diff --git a/baseline/_terraform/.terraform-version b/baseline/_terraform/.terraform-version index 90a27f9..6743780 100644 --- a/baseline/_terraform/.terraform-version +++ b/baseline/_terraform/.terraform-version @@ -1 +1 @@ -1.0.5 +1.11.4 \ No newline at end of file diff --git a/baseline/_terraform/backend.tf b/baseline/_terraform/backend.tf index 85ffaa1..407d987 100644 --- a/baseline/_terraform/backend.tf +++ b/baseline/_terraform/backend.tf @@ -1,6 +1,10 @@ terraform { backend "remote" { + hostname = "app.terraform.io" organization = "fred-iac" + + workspaces { + prefix = "baseline-" + } } - required_version = ">= 0.13.0" -} \ No newline at end of file +} diff --git a/baseline/_terraform/main.tf b/baseline/_terraform/main.tf index 32375ee..47bd0d9 100644 --- a/baseline/_terraform/main.tf 
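Review bot: `variable "gandi_personal_access_token"` gains a `type` but not `sensitive = true`, so the PAT that main.tf passes to `provider "gandi"` can be printed in plan output and state diffs whenever the value is known at plan time; add `sensitive = true` next to `type = string`. The generated README in this commit lists the variable as required with no default, which is right — the value should keep coming from the Terraform Cloud environment rather than a committed tfvars file.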
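Review bot: The `required_version = ">= 0.13.0"` line is removed from baseline/_terraform/backend.tf with no replacement, whereas build/_terraform/backend.tf in the same commit raises it to `required_version = ">= 1.0"`; `.terraform-version` (1.11.4) only steers the local tfenv and, as far as I know, is not enforced by Terraform Cloud runs, so keep a constraint here as well, e.g. `required_version = ">= 1.0"`, for consistency with build. The added `workspaces { prefix = "baseline-" }` is fine, but a prefix-style selection may prompt for a workspace on `terraform init` when several workspaces match, which matters for the CI workflows touched in this commit.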
+++ b/baseline/_terraform/main.tf @@ -1,8 +1,11 @@ +data "aws_caller_identity" "current" {} +data "aws_region" "current" {} + // Start / Stop // module "stop_daily" { // env = var.env // name = "stop-daily" -// source = "git@github.com:born2scale/terraform-aws-start-stop-scheduler.git" +// source = "git@github.com:example/terraform-aws-start-stop-scheduler.git" // cloudwatch_schedule_expression = "cron(0 18 ? * MON-FRI *)" // schedule_action = "stop" // rds_schedule = "true" @@ -17,7 +20,7 @@ // module "start_daily" { // env = var.env // name = "start-daily" -// source = "git@github.com:born2scale/terraform-aws-start-stop-scheduler.git" +// source = "git@github.com:example/terraform-aws-start-stop-scheduler.git" // cloudwatch_schedule_expression = "cron(0 6 ? * MON-FRI *)" // schedule_action = "start" // rds_schedule = "true" 
@@ -29,76 +32,39 @@ // } // } -resource "aws_s3_bucket" "access_log" { - bucket = format("%s-%s-access-log", var.org_prefix, var.env) - acl = "log-delivery-write" - - versioning { - enabled = var.versioning_enabled - } - - server_side_encryption_configuration { - rule { - apply_server_side_encryption_by_default { - sse_algorithm = "AES256" - } - } - } - - lifecycle_rule { - enabled = var.lifecycle_rule_enabled - prefix = var.lifecycle_rule_prefix - - transition { - days = var.standard_ia_transition_days - storage_class = "STANDARD_IA" - } - - transition { - days = var.glacier_transition_days - storage_class = "GLACIER" - } - - expiration { - days = var.expiration_days - } - - noncurrent_version_transition { - days = var.glacier_noncurrent_version_transition_days - storage_class = "GLACIER" - } - - noncurrent_version_expiration { - days = var.noncurrent_version_expiration_days - } - } - - force_destroy = var.force_destroy - - tags = var.bucket_tags +#------------------------------- +# S3 Bucket Access Logs +#------------------------------- +locals { + bucket_name = format("%s-%s-access-log", var.org_prefix, var.env) } -data "aws_region" "current" {} - -resource "aws_s3_bucket_policy" "access_log" { - bucket = aws_s3_bucket.access_log.id - policy = data.aws_iam_policy_document.access_log_policy.json +module "access_log" { + source = "git@github.com:example/terraform-aws-s3-bucket.git" + bucket_name = local.bucket_name + bucket_tags = var.bucket_tags + environment = var.env + + versioning = var.versioning + lifecycle_rule = var.lifecycle_rule + extra_policy = data.aws_iam_policy_document.access_log.json } -data "aws_caller_identity" "current" {} - -data "aws_iam_policy_document" "access_log_policy" { +#------------------------------- +# S3 Bucket Access Logs +#------------------------------- +data "aws_iam_policy_document" "access_log" { statement { sid = "put-object-on-bucket" actions = [ "s3:PutObject" ] resources = [ - 
"arn:aws:s3:::${aws_s3_bucket.access_log.bucket}/${var.bucket_prefix}/AWSLogs/${data.aws_caller_identity.current.account_id}/*" + format("arn:aws:s3:::%s/%s/AWSLogs/%s/*", local.bucket_name, var.bucket_prefix, data.aws_caller_identity.current.account_id) ] principals { type = "AWS" identifiers = [ - "arn:aws:iam::${var.elb_account_id[data.aws_region.current.name]}:root" + format("arn:aws:iam::%s:root", try(var.elb_account_id[data.aws_region.current.name], data.aws_caller_identity.current.account_id)) ] } } @@ -108,7 +74,7 @@ data "aws_iam_policy_document" "access_log_policy" { "s3:PutObject" ] resources = [ - "arn:aws:s3:::${aws_s3_bucket.access_log.bucket}/${var.bucket_prefix}/AWSLogs/${data.aws_caller_identity.current.account_id}/*" + format("arn:aws:s3:::%s/%s/AWSLogs/%s/*", local.bucket_name, var.bucket_prefix, data.aws_caller_identity.current.account_id) ] principals { type = "Service" @@ -130,7 +96,7 @@ data "aws_iam_policy_document" "access_log_policy" { "s3:GetBucketAcl" ] resources = [ - "arn:aws:s3:::${aws_s3_bucket.access_log.bucket}" + format("arn:aws:s3:::%s", local.bucket_name) ] principals { type = "Service" @@ -145,7 +111,7 @@ data "aws_iam_policy_document" "access_log_policy" { "s3:PutObject" ] resources = [ - "arn:aws:s3:::${aws_s3_bucket.access_log.bucket}/${var.bucket_prefix}/AWSLogs/${data.aws_caller_identity.current.account_id}/*" + format("arn:aws:s3:::%s/%s/AWSLogs/%s/*", local.bucket_name, var.bucket_prefix, data.aws_caller_identity.current.account_id) ] principals { type = "Service" @@ -161,19 +127,4 @@ data "aws_iam_policy_document" "access_log_policy" { variable = "s3:x-amz-acl" } } - // statement { - // sid = "read-access-dd-from-lambda" - // actions = [ - // "s3:GetObject" - // ] - // resources = [ - // "arn:aws:s3:::${aws_s3_bucket.access_log.bucket}/*" - // ] - // principals { - // type = "AWS" - // identifiers = [ - // "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/datadog-forwarder-role" - // ] - // } - // } } 
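Review bot: `lifecycle_rule = var.lifecycle_rule` in the new `module "access_log"` block references a variable that does not exist — the root variable added in the variables.tf hunk `@@ -10,61 +10,16 @@` and the module input in variable.tf are both named `lifecycle_rules`, so `terraform validate` will reject both the undeclared variable and the unsupported module argument; change it to `lifecycle_rules = var.lifecycle_rules`. The new `try(var.elb_account_id[data.aws_region.current.name], data.aws_caller_identity.current.account_id)` in the put-object statement, combined with the `{}` default now given to `elb_account_id` in the variables.tf hunk `@@ -78,17 +33,9 @@`, means a region missing from the map no longer fails the plan but silently grants `s3:PutObject` on the log prefix to the deploying account's root while the regional ELB log-delivery account stays untrusted, so classic ELB log delivery would fail at runtime instead of at plan time; I would drop the fallback and keep `var.elb_account_id[data.aws_region.current.name]`, which errors on a missing key, or add a `validation` block on the variable. The module source `git@github.com:example/terraform-aws-s3-bucket.git` carries no `?ref=`, so any workspace that does not override it (qa does, via override.tf) follows the default branch on every init; pin a tag or commit. The two `# S3 Bucket Access Logs` headers are identical although the second one sits above the policy document.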
diff --git a/baseline/_terraform/outputs.tf b/baseline/_terraform/outputs.tf index 56cc267..72b3fe7 100644 --- a/baseline/_terraform/outputs.tf +++ b/baseline/_terraform/outputs.tf @@ -1,8 +1,8 @@ -output "s3_access_log_bucket_id" { - value = aws_s3_bucket.access_log.id -} +# output "s3_access_log_bucket_id" { +# value = aws_s3_bucket.access_log.id +# } -output "s3_access_log_bucket_arn" { - value = aws_s3_bucket.access_log.arn -} +# output "s3_access_log_bucket_arn" { +# value = aws_s3_bucket.access_log.arn +# } diff --git a/baseline/_terraform/provider.tf b/baseline/_terraform/provider.tf index 483dd84..4f666c3 100644 --- a/baseline/_terraform/provider.tf +++ b/baseline/_terraform/provider.tf @@ -2,7 +2,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "~> 3.42.0" + version = "~> 5.0" } } } diff --git a/baseline/_terraform/variables.tf b/baseline/_terraform/variables.tf index 39523a2..819e15c 100644 --- a/baseline/_terraform/variables.tf +++ b/baseline/_terraform/variables.tf 
@@ -10,61 +10,16 @@ variable "region" { default = "eu-west-1" } -variable "org" { - default = "fred-iac" -} - -variable "versioning_enabled" { - default = false - type = string - description = "Enable versioning. Versioning is a means of keeping multiple variants of an object in the same bucket." -} - -variable "force_destroy" { - default = false - type = string - description = "A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error." -} -variable "lifecycle_rule_enabled" { - default = true - type = string - description = "Specifies lifecycle rule status." -} - -variable "lifecycle_rule_prefix" { - default = "" - type = string - description = "Object key prefix identifying one or more objects to which the rule applies." -} - -variable "standard_ia_transition_days" { - default = "30" - type = string - description = "Specifies a period in the object's STANDARD_IA transitions." -} - -variable "glacier_transition_days" { - default = "60" - type = string - description = "Specifies a period in the object's Glacier transitions." -} - -variable "expiration_days" { - default = "90" - type = string - description = "Specifies a period in the object's expire." -} - -variable "glacier_noncurrent_version_transition_days" { - default = "30" - type = string - description = "Specifies when noncurrent object versions transitions." +variable "versioning" { + default = {} + type = map(string) + description = "Define the block for default versioning_configuration of the bucket" } -variable "noncurrent_version_expiration_days" { - default = "60" - type = string - description = "Specifies when noncurrent object versions expire." +variable "lifecycle_rules" { + description = "List of lifecycle rules" + default = [] + type = any } variable "bucket_tags" { 
@@ -78,17 +33,9 @@ variable "bucket_prefix" { default = "logs" } -variable "log_filter_prefix" { - default = ["logs/AWSLogs", "cloudfront"] -} - # https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-access-logs.html variable "elb_account_id" { - description = "List of ID account for loadbalancer per region" + description = "List of ID account for loadbalancer per region (region: account_id)" type = map(string) - default = { - "eu-west-1" = "156460612806", - "eu-west-2" = "652711504416", - "eu-west-3" = "009996457667", - } -} \ No newline at end of file + default = {} +} diff --git a/baseline/qa/eu-west-1/.terraform-version b/baseline/qa/eu-west-1/.terraform-version deleted file mode 120000 index 22d6610..0000000 --- a/baseline/qa/eu-west-1/.terraform-version +++ /dev/null @@ -1 +0,0 @@ -../../_terraform/.terraform-version \ No newline at end of file diff --git a/baseline/qa/eu-west-1/Makefile b/baseline/qa/eu-west-1/Makefile deleted file mode 100644 index 1d3a37f..0000000 --- a/baseline/qa/eu-west-1/Makefile +++ /dev/null @@ -1 +0,0 @@ -include ../../../_tools/terraform/Makefile diff --git a/baseline/qa/eu-west-1/README.md b/baseline/qa/eu-west-1/README.md new file mode 100644 index 0000000..ccb1363 --- /dev/null +++ b/baseline/qa/eu-west-1/README.md 
@@ -0,0 +1,46 @@ +# Terraform Documentation + + +## Requirements + +| Name | Version | +|------|---------| +| aws | ~> 5.0 | + +## Providers + +| Name | Version | +|------|---------| +| aws | 5.97.0 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| access\_log | ../../../_tools/terraform/modules/terraform-aws-s3-bucket | n/a | + +## Resources + +| Name | Type | +|------|------| +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy_document.access_log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| bucket\_prefix | Prefix for current bucket | `string` | `"logs"` | no | +| bucket\_tags | A mapping of tags to assign to the bucket. | `map(string)` | `{}` | no | +| elb\_account\_id | List of ID account for loadbalancer per region (region: account\_id) | `map(string)` | `{}` | no | +| env | n/a | `string` | `"qa"` | no | +| lifecycle\_rules | List of lifecycle rules | `any` | `[]` | no | +| org\_prefix | n/a | `string` | `"fred-iac"` | no | +| region | n/a | `string` | `"eu-west-1"` | no | +| versioning | Define the block for default versioning\_configuration of the bucket | `map(string)` | `{}` | no | + +## Outputs + +No outputs. + \ No newline at end of file diff --git a/baseline/qa/eu-west-1/_backend.tf b/baseline/qa/eu-west-1/backend.tf similarity index 100% rename from baseline/qa/eu-west-1/_backend.tf rename to baseline/qa/eu-west-1/backend.tf 
diff --git a/baseline/qa/eu-west-1/.terraform-config b/baseline/qa/eu-west-1/config.remote.tfbackend similarity index 100% rename from baseline/qa/eu-west-1/.terraform-config rename to baseline/qa/eu-west-1/config.remote.tfbackend diff --git a/baseline/qa/eu-west-1/_main.tf b/baseline/qa/eu-west-1/main.tf similarity index 100% rename from baseline/qa/eu-west-1/_main.tf rename to baseline/qa/eu-west-1/main.tf diff --git a/baseline/qa/eu-west-1/_outputs.tf b/baseline/qa/eu-west-1/outputs.tf similarity index 100% rename from baseline/qa/eu-west-1/_outputs.tf rename to baseline/qa/eu-west-1/outputs.tf diff --git a/baseline/qa/eu-west-1/override.tf b/baseline/qa/eu-west-1/override.tf index cd4ad99..ced1ba3 100644 --- a/baseline/qa/eu-west-1/override.tf +++ b/baseline/qa/eu-west-1/override.tf @@ -1,6 +1,6 @@ -// module "cdn-api" { -// source = "../../../_tools/terraform/modules/terraform-aws-cdn-api" -// } +module "access_log" { + source = "../../../_tools/terraform/modules/terraform-aws-s3-bucket" +} // module "cdn-assets" { // source = "../../../_tools/terraform/modules/terraform-aws-cdn-assets" diff --git a/baseline/qa/eu-west-1/_provider.tf b/baseline/qa/eu-west-1/provider.tf similarity index 100% rename from baseline/qa/eu-west-1/_provider.tf rename to baseline/qa/eu-west-1/provider.tf diff --git a/baseline/qa/eu-west-1/terraform.auto.tfvars b/baseline/qa/eu-west-1/terraform.auto.tfvars index 38e1ef9..663d0f1 100644 --- a/baseline/qa/eu-west-1/terraform.auto.tfvars +++ b/baseline/qa/eu-west-1/terraform.auto.tfvars 
@@ -1,6 +1,41 @@ env = "qa" region = "eu-west-1" + +versioning = { + "status" = "false" +} + +lifecycle_rules = [ + { + id = "log-delivery-write" + prefix = "" + enable = true + abort_incomplete_multipart_upload_days = 7 + transition = [ + { + transition_period = 30, + transition_storage_class = "STANDARD_IA" + }, + { + transition_period = 60, + transition_storage_class = "GLACIER" + } + ] + noncurrent_version_expiration = [ + { + days = 90 + } + ] + expiration = [ + { + days = 90 + } + ] + } +] + + // vpc_id = "vpc-01fe3d32b60dd8c9d" -// api_aliases_cloudfront = ["api.qa.wearephenix.com", "app.qa.wearephenix.com", "webapp.qa.wearephenix.com"] +// api_aliases_cloudfront = ["api.qa.example.com", "app.qa.example.com", "webapp.qa.example.com"] // api_records = ["api", "app", "webapp"] -// tf_s3_user_enabled = true \ No newline at end of file +// tf_s3_user_enabled = true diff --git a/baseline/qa/eu-west-1/_variables.tf b/baseline/qa/eu-west-1/variables.tf similarity index 100% rename from baseline/qa/eu-west-1/_variables.tf rename to baseline/qa/eu-west-1/variables.tf diff --git a/build/_terraform/.terraform-version b/build/_terraform/.terraform-version index 90a27f9..6743780 100644 --- a/build/_terraform/.terraform-version +++ b/build/_terraform/.terraform-version @@ -1 +1 @@ -1.0.5 +1.11.4 \ No newline at end of file diff --git a/build/_terraform/backend.tf b/build/_terraform/backend.tf index 85ffaa1..abfdf9b 100644 --- a/build/_terraform/backend.tf +++ b/build/_terraform/backend.tf @@ -2,5 +2,5 @@ terraform { backend "remote" { organization = "fred-iac" } - required_version = ">= 0.13.0" -} \ No newline at end of file + required_version = ">= 1.0" +} diff --git a/build/_terraform/main.tf b/build/_terraform/main.tf index 3f58df0..8eba004 100644 --- a/build/_terraform/main.tf +++ b/build/_terraform/main.tf 
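Review bot: The `lifecycle_rules` entry uses the key `enable = true`, but the part of the module that switches a rule on or off is not in this diff, and the module reads rule attributes with `try()`/`lookup()` (main.tf hunk at the top of this chunk), so a misnamed key is silently ignored rather than rejected — worth checking the expected key name against the module's `rule` block before relying on it. `versioning = { "status" = "false" }` together with a `noncurrent_version_expiration` entry is harmless but inconsistent: with versioning off there are never noncurrent versions to expire, and for an access-log bucket a short comment on why versioning is disabled would help the next reader.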
@@ -1,9 +1,23 @@
 module "build" {
- source = "git@github.com:xxxxxxxxx/terraform-aws-packer-build.git"
+ source = "../../../_tools/terraform/modules/terraform-aws-packer-build"
 region = var.region
 azs = var.azs
 trusted_networks = var.trusted_networks
 cidr_block = var.cidr_block
 s3_endpoint_enabled = var.s3_endpoint_enabled
 ssh_port = var.ssh_port
-}
\ No newline at end of file
+}
+
+module "kms" {
+ source = "../../../_tools/terraform/modules/terraform-aws-kms"
+
+ description = "KMS key for AMI sharing"
+ enable_default_policy = true
+ key_users = [
+ module.build.aws_iam_role_arn
+ ]
+
+ aliases = [
+ "alias/ami_kms_share"
+ ]
+}
diff --git a/build/_terraform/outputs.tf b/build/_terraform/outputs.tf
index f2757de..45c517e 100644
--- a/build/_terraform/outputs.tf
+++ b/build/_terraform/outputs.tf
@@ -8,4 +8,8 @@ output "public_subnets" {
 output "security_group_public_subnet" {
 value = module.build.security_group_public_subnet
-}
\ No newline at end of file
+}
+
+output "aws_iam_role_arn" {
+ value = module.build.aws_iam_role_arn
+}
diff --git a/build/_terraform/provider.tf b/build/_terraform/provider.tf
index fce9f53..4f666c3 100644
--- a/build/_terraform/provider.tf
+++ b/build/_terraform/provider.tf
@@ -2,7 +2,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = "~> 3.42.0"
+ version = "~> 5.0"
 }
 }
 }
@@ -14,4 +14,4 @@ provider "aws" {
 Owner = "fred"
 }
 }
-}
\ No newline at end of file
+}
diff --git a/build/qa/eu-west-1/.terraform-version b/build/qa/eu-west-1/.terraform-version
deleted file mode 120000
index 22d6610..0000000
--- a/build/qa/eu-west-1/.terraform-version
+++ /dev/null
@@ -1 +0,0 @@
-../../_terraform/.terraform-version
\ No newline at end of file
diff --git a/build/qa/eu-west-1/Makefile b/build/qa/eu-west-1/Makefile
deleted file mode 100644
index 1d3a37f..0000000
--- a/build/qa/eu-west-1/Makefile
+++ /dev/null
@@ -1 +0,0 @@
-include ../../../_tools/terraform/Makefile
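Review bot: `module "kms"` is described as the key for AMI sharing, yet the only principal it grants is the build role via `key_users`, and nothing in the hunk names the account(s) the AMIs are shared with; copying an encrypted AMI cross-account needs the destination account to hold `kms:DescribeKey`, `kms:Decrypt`, `kms:ReEncrypt*` and `kms:CreateGrant` on this key, which the root-only `enable_default_policy` does not provide. The hunk also leaves key rotation and the deletion window to whatever the local module defaults to; I would pin them explicitly, e.g. `enable_key_rotation = true` and `deletion_window_in_days = 30`, assuming the local module exposes the same inputs as its upstream namesake. Finally, the alias created here is `alias/ami_kms_share`, while `vpc/_packer/packer.auto.pkrvars.hcl` in this same patch references `alias/packer-key`; if Packer is meant to encrypt with this key, one of the two names is wrong.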
diff --git a/build/qa/eu-west-1/README.md b/build/qa/eu-west-1/README.md new file mode 100644 index 0000000..687737b --- /dev/null +++ b/build/qa/eu-west-1/README.md @@ -0,0 +1,44 @@ +# Terraform documentation + + +## Requirements + +| Name | Version | +|------|---------| +| terraform | >= 0.13.0 | +| aws | ~> 5.0 | + +## Providers + +No providers. + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| build | ../../../_tools/terraform/modules/terraform-aws-packer-build | n/a | + +## Resources + +No resources. + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| azs | n/a | `map(list(string))` |
{
"eu-west-1": [
"eu-west-1a"
]
}
| no | +| cidr\_block | n/a | `string` | `"10.110.0.0/20"` | no | +| env | n/a | `string` | `"admin"` | no | +| region | n/a | `string` | `"eu-west-1"` | no | +| s3\_endpoint\_enabled | n/a | `bool` | `false` | no | +| ssh\_port | n/a | `number` | `22` | no | +| trusted\_networks | n/a | `list(string)` |
[
"0.0.0.0/0"
]
| no | + +## Outputs + +| Name | Description | +|------|-------------| +| public\_subnets | n/a | +| security\_group\_public\_subnet | n/a | +| vpc\_id | n/a | + \ No newline at end of file diff --git a/build/qa/eu-west-1/_backend.tf b/build/qa/eu-west-1/backend.tf similarity index 100% rename from build/qa/eu-west-1/_backend.tf rename to build/qa/eu-west-1/backend.tf diff --git a/build/qa/eu-west-1/.terraform-config b/build/qa/eu-west-1/config.remote.tfbackend similarity index 100% rename from build/qa/eu-west-1/.terraform-config rename to build/qa/eu-west-1/config.remote.tfbackend diff --git a/build/qa/eu-west-1/_main.tf b/build/qa/eu-west-1/main.tf similarity index 100% rename from build/qa/eu-west-1/_main.tf rename to build/qa/eu-west-1/main.tf diff --git a/build/qa/eu-west-1/_outputs.tf b/build/qa/eu-west-1/outputs.tf similarity index 100% rename from build/qa/eu-west-1/_outputs.tf rename to build/qa/eu-west-1/outputs.tf diff --git a/build/qa/eu-west-1/override.tf b/build/qa/eu-west-1/override.tf index 3f05cc5..5ff0b10 100644 --- a/build/qa/eu-west-1/override.tf +++ b/build/qa/eu-west-1/override.tf @@ -1,3 +1,3 @@ -module "build" { - source = "../../../_tools/terraform/modules/terraform-aws-packer-build" -} \ No newline at end of file +# module "build" { +# source = "../../../_tools/terraform/modules/terraform-aws-packer-build" +# } diff --git a/build/qa/eu-west-1/_provider.tf b/build/qa/eu-west-1/provider.tf similarity index 100% rename from build/qa/eu-west-1/_provider.tf rename to build/qa/eu-west-1/provider.tf diff --git a/build/qa/eu-west-1/_variables.tf b/build/qa/eu-west-1/variables.tf similarity index 100% rename from build/qa/eu-west-1/_variables.tf rename to build/qa/eu-west-1/variables.tf diff --git a/cloudfront/_terraform/.terraform-version b/cloudfront/_terraform/.terraform-version index 90a27f9..6743780 100644 --- a/cloudfront/_terraform/.terraform-version +++ b/cloudfront/_terraform/.terraform-version 
@@ -1 +1 @@
-1.0.5
+1.11.4
\ No newline at end of file
diff --git a/cloudfront/_terraform/main.tf b/cloudfront/_terraform/main.tf
index c63e279..aaa2f0f 100644
--- a/cloudfront/_terraform/main.tf
+++ b/cloudfront/_terraform/main.tf
@@ -60,7 +60,7 @@ data "aws_acm_certificate" "assets_cloudfront_certificate" {
 }
 resource "aws_s3_bucket" "media-bucket" {
- bucket = "phenix-${var.env}-media"
+ bucket = "s3-${var.env}-media"
 versioning {
 enabled = true
 }
@@ -121,7 +121,7 @@ data "aws_iam_policy_document" "media_bucket_policy" {
 }
 resource "aws_s3_bucket" "static-bucket" {
- bucket = "phenix-${var.env}-static"
+ bucket = "s3-${var.env}-static"
 }
 resource "aws_s3_bucket_policy" "static_bucket_policy" {
@@ -179,4 +179,4 @@ resource "aws_iam_user_policy_attachment" "tf-s3" {
 count = var.tf_s3_user_enabled ? 1 : 0
 user = aws_iam_user.tf-s3[count.index].name
 policy_arn = var.tf_s3_policy_arn
-}
\ No newline at end of file
+}
diff --git a/cloudfront/_terraform/variables.tf b/cloudfront/_terraform/variables.tf
index 4dc445d..e8621a1 100644
--- a/cloudfront/_terraform/variables.tf
+++ b/cloudfront/_terraform/variables.tf
@@ -14,9 +14,10 @@ variable "s3_origins_paths" {
 }
 variable "organization" {
- default = "phenix"
+ description = "Name of the organization"
+ type = string
+ default = ""
 }
-
 variable "api_http_port" {
 type = number
 default = 80
@@ -53,7 +54,7 @@ variable "api_read_timeout" {
 }
 variable "api_aliases_cloudfront" {
- default = ["api.qa.wearephenix.com"]
+ default = ["api.qa.example.com"]
 }
 variable "api_records" {
@@ -127,11 +128,11 @@ variable "assets_cached_methods" {
 }
 variable "assets_comment_OAI" {
- default = "origin access identity for phenix-QA"
+ default = "origin access identity for QA"
 }
 variable "assets_aliases_cloudfront" {
- default = ["s.qa.wearephenix.com"]
+ default = ["s.qa.example.com"]
 }
 variable "asset_record" {
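Review bot: Changing `bucket` on `aws_s3_bucket.media-bucket` and `aws_s3_bucket.static-bucket` forces replacement of both buckets, so the next apply will try to destroy the existing media bucket (versioning enabled, presumably holding data) and recreate it under the new name; without `force_destroy` the destroy fails on a non-empty bucket, and with it the data is gone. If the rename is intended, keep the old name as a variable default and migrate with `terraform import` or a `moved` block rather than a bare attribute change; the new names `s3-<env>-media` / `s3-<env>-static` are also generic enough to already be taken in the global S3 namespace. The inline `versioning { enabled = true }` block is deprecated on AWS provider 4.x/5.x; if this stack follows the `~> 5.0` bump applied to the other stacks in this patch, move it to an `aws_s3_bucket_versioning` resource.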
diff --git a/cloudfront/qa/eu-west-1/terraform.auto.tfvars b/cloudfront/qa/eu-west-1/terraform.auto.tfvars index 161cc14..a71ce7a 100644 --- a/cloudfront/qa/eu-west-1/terraform.auto.tfvars +++ b/cloudfront/qa/eu-west-1/terraform.auto.tfvars @@ -1,6 +1,6 @@ env = "qa" region = "eu-west-1" vpc_id = "vpc-01fe3d32b60dd8c9d" -api_aliases_cloudfront = ["api.qa.wearephenix.com", "app.qa.wearephenix.com", "webapp.qa.wearephenix.com"] +api_aliases_cloudfront = ["api.qa.example.com", "app.qa.example.com", "webapp.qa.example.com"] api_records = ["api", "app", "webapp"] -tf_s3_user_enabled = true \ No newline at end of file +tf_s3_user_enabled = true diff --git a/eks/_terraform/.terraform-version b/eks/_terraform/.terraform-version index 31e5c84..6743780 100644 --- a/eks/_terraform/.terraform-version +++ b/eks/_terraform/.terraform-version @@ -1 +1 @@ -1.3.3 +1.11.4 \ No newline at end of file diff --git a/eks/_terraform/backend.tf b/eks/_terraform/backend.tf index 9bd7e64..21605c6 100644 --- a/eks/_terraform/backend.tf +++ b/eks/_terraform/backend.tf @@ -1,6 +1,6 @@ terraform { backend "remote" { - hostname = "app.terraform.io" + hostname = "app.terraform.io" organization = "fred-iac" workspaces { diff --git a/eks/_terraform/main.tf b/eks/_terraform/main.tf index 0a63fc8..9c813f4 100644 --- a/eks/_terraform/main.tf +++ b/eks/_terraform/main.tf 
@@ -1,65 +1,65 @@ module "eks" { - source = "git@github.com:born2scale/terraform-aws-eks.git" - providers = { - kubernetes = kubernetes.eks - } - env = var.env - region = var.region - aws_cli_install = var.tf_cloud_awscli_install - eks_cluster_subnets = data.terraform_remote_state.vpc.outputs.private_subnets - eks_node_pool_desired_size = var.eks_node_pool_desired_size - eks_trusted_networks = var.eks_trusted_networks - eks_endpoint_public_access = var.eks_endpoint_public_access - eks_endpoint_private_access = var.eks_endpoint_private_access - eks_nodes_disk_size = var.eks_nodes_disk_size - eks_nodes_instance_types = var.eks_nodes_instance_types - eks_node_pool_max_size = var.eks_node_pool_max_size - eks_node_pool_min_size = var.eks_node_pool_min_size - admin_role_arn = data.terraform_remote_state.baseline.outputs.admin_role_arn - user_role_arn = data.terraform_remote_state.baseline.outputs.user_role_arn - start_stop_enabled = var.start_stop_enabled - datadog_metrics_enabled = var.datadog_metrics_enabled - eks_nodes_release_version = var.eks_nodes_release_version + source = "../../../_tools/terraform/modules/terraform-aws-eks" + # providers = { + # kubernetes = kubernetes.eks + # } + env = var.env + region = var.region + # aws_cli_install = var.tf_cloud_awscli_install + # eks_cluster_subnets = data.terraform_remote_state.vpc.outputs.private_subnets + # eks_node_pool_desired_size = var.eks_node_pool_desired_size + # eks_trusted_networks = var.eks_trusted_networks + # eks_endpoint_public_access = var.eks_endpoint_public_access + # eks_endpoint_private_access = var.eks_endpoint_private_access + # eks_nodes_disk_size = var.eks_nodes_disk_size + # eks_nodes_instance_types = var.eks_nodes_instance_types + # eks_node_pool_max_size = var.eks_node_pool_max_size + # eks_node_pool_min_size = var.eks_node_pool_min_size + # admin_role_arn = data.terraform_remote_state.baseline.outputs.admin_role_arn + # user_role_arn = data.terraform_remote_state.baseline.outputs.user_role_arn 
+ # start_stop_enabled = var.start_stop_enabled + # # datadog_metrics_enabled = var.datadog_metrics_enabled + # eks_nodes_release_version = var.eks_nodes_release_version } -data "aws_eks_cluster" "current" { - name = module.eks.eks_cluster_name -} +# data "aws_eks_cluster" "current" { +# name = module.eks.eks_cluster_name +# } -data "aws_eks_cluster_auth" "aws_iam_authenticator" { - name = data.aws_eks_cluster.current.name -} +# data "aws_eks_cluster_auth" "aws_iam_authenticator" { +# name = data.aws_eks_cluster.current.name +# } -module "alb_ingress_controller" { - source = "git@github.com:born2scale/terraform-aws-eks.git/modules/terraform-aws-alb-ingress" - providers = { - kubernetes = kubernetes.eks - } - env = var.env - eks_cluster_name = module.eks.eks_cluster_name +# module "alb_ingress_controller" { +# source = "git@github.com:example/terraform-aws-eks.git/modules/terraform-aws-alb-ingress" +# providers = { +# kubernetes = kubernetes.eks +# } +# env = var.env +# eks_cluster_name = module.eks.eks_cluster_name -} +# } -module "external_dns" { - source = "git@github.com:born2scale/terraform-aws-eks.git/modules/terraform-aws-external-dns" - providers = { - kubernetes = kubernetes.eks - helm = helm.eks - } - eks_cluster_name = module.eks.eks_cluster_name -} +# module "external_dns" { +# source = "git@github.com:example/terraform-aws-eks.git/modules/terraform-aws-external-dns" +# providers = { +# kubernetes = kubernetes.eks +# helm = helm.eks +# } +# eks_cluster_name = module.eks.eks_cluster_name +# } -module "k8s_dashboard" { - source = "git@github.com:born2scale/terraform-aws-eks.git/modules/terraform-aws-alb-ingress" - providers = { - kubernetes = kubernetes.eks - } - enabled = var.dashboard_enabled -} +# module "k8s_dashboard" { +# source = "git@github.com:example/terraform-aws-eks.git/modules/terraform-aws-alb-ingress" +# providers = { +# kubernetes = kubernetes.eks +# } +# enabled = var.dashboard_enabled +# } -locals { - k8s_service_account_namespace = 
"kube-system" - k8s_service_account_name = "cluster-autoscaler-aws-cluster-autoscaler" -} +# locals { +# k8s_service_account_namespace = "kube-system" +# k8s_service_account_name = "cluster-autoscaler-aws-cluster-autoscaler" +# } data "aws_caller_identity" "current" {} diff --git a/eks/_terraform/provider.tf b/eks/_terraform/provider.tf index 26585be..4f666c3 100644 --- a/eks/_terraform/provider.tf +++ b/eks/_terraform/provider.tf @@ -2,7 +2,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "~> 4.0" + version = "~> 5.0" } } } diff --git a/eks/_terraform/remote-states.tf b/eks/_terraform/remote-states.tf index 84fae42..183527a 100644 --- a/eks/_terraform/remote-states.tf +++ b/eks/_terraform/remote-states.tf @@ -1,9 +1,9 @@ -# data "terraform_remote_state" "baseline" { -# backend = "remote" -# config = { -# organization = var.organization -# workspaces = { -# name = "baseline-${var.env}-${var.region}" -# } -# } -# } \ No newline at end of file +data "terraform_remote_state" "baseline" { + backend = "remote" + config = { + organization = var.organization + workspaces = { + name = "baseline-${var.env}-${var.region}" + } + } +} diff --git a/eks/_terraform/variables.tf b/eks/_terraform/variables.tf index 46fc436..1294748 100644 --- a/eks/_terraform/variables.tf +++ b/eks/_terraform/variables.tf @@ -1,5 +1,7 @@ variable "organization" { - default = "phenix" + description = "Name of the organization" + type = string + default = "" } variable "env" {} @@ -31,7 +33,8 @@ variable "eks_nodes_disk_size" { } variable "eks_nodes_instance_types" { default = [ - "t3.large"] + "t3.large" + ] } variable "eks_node_pool_max_size" { default = 3 @@ -56,4 +59,4 @@ variable "dashboard_enabled" { variable "eks_nodes_release_version" { description = "AMI version of the EKS Node Group. Defaults to latest version for Kubernetes version." default = "1.16.15-20201211" -} \ No newline at end of file +} 
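Review bot: The `module "eks"` call now passes only `env` and `region`; `eks_endpoint_public_access`, `eks_endpoint_private_access`, `eks_trusted_networks`, `admin_role_arn` and `user_role_arn` are commented out, so API-endpoint exposure and who gets cluster-admin are whatever `_tools/terraform/modules/terraform-aws-eks` defaults to, which the diff does not show. If those defaults follow the common upstream pattern (public endpoint open to `0.0.0.0/0`), the QA control plane becomes reachable from the Internet with no allow-list; I would keep at least the three endpoint/trusted-network inputs uncommented and explicit. Also `data "terraform_remote_state" "baseline"` is re-enabled in `remote-states.tf` in this patch while every consumer of it in `main.tf` is now commented out, so it pulls the baseline state for nothing.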
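Review bot: `variable "organization"` gets `default = ""` while `remote-states.tf` in this same patch uses `var.organization` to locate the baseline workspace, so a run without `TF_VAR_organization` (the eks/qa tfvars sets only `env` and `region`) will most likely fail at init/plan with an empty organization rather than a clear message. Either drop the default so Terraform asks for the value, or add a validation block, e.g. `validation { condition = length(var.organization) > 0, error_message = "organization must be set." }`. The unchanged `eks_nodes_release_version` default `1.16.15-20201211` visible in the last hunk is a Kubernetes 1.16 node AMI, long past EKS support; worth revisiting while this file is being touched.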
diff --git a/eks/qa/eu-west-1/Makefile b/eks/qa/eu-west-1/Makefile deleted file mode 100644 index 3d46c4d..0000000 --- a/eks/qa/eu-west-1/Makefile +++ /dev/null @@ -1 +0,0 @@ -include ../../../_tools/terraform/Makefile \ No newline at end of file diff --git a/vpc/qa/eu-west-1/_backend.tf b/eks/qa/eu-west-1/backend.tf similarity index 100% rename from vpc/qa/eu-west-1/_backend.tf rename to eks/qa/eu-west-1/backend.tf diff --git a/eks/qa/eu-west-1/.terraform-config b/eks/qa/eu-west-1/config.remote.tfbackend similarity index 100% rename from eks/qa/eu-west-1/.terraform-config rename to eks/qa/eu-west-1/config.remote.tfbackend diff --git a/vpc/qa/eu-west-1/_main.tf b/eks/qa/eu-west-1/main.tf similarity index 100% rename from vpc/qa/eu-west-1/_main.tf rename to eks/qa/eu-west-1/main.tf diff --git a/eks/qa/eu-west-1/override.tf b/eks/qa/eu-west-1/override.tf new file mode 100644 index 0000000..51ac8a0 --- /dev/null +++ b/eks/qa/eu-west-1/override.tf @@ -0,0 +1,3 @@ +# module "eks" { +# source = "../../../_tools/terraform/modules/terraform-aws-eks" +# } diff --git a/vpc/qa/eu-west-1/_provider.tf b/eks/qa/eu-west-1/provider.tf similarity index 100% rename from vpc/qa/eu-west-1/_provider.tf rename to eks/qa/eu-west-1/provider.tf diff --git a/vpc/qa/eu-west-1/_remote-states.tf b/eks/qa/eu-west-1/remote-states.tf similarity index 100% rename from vpc/qa/eu-west-1/_remote-states.tf rename to eks/qa/eu-west-1/remote-states.tf diff --git a/eks/qa/eu-west-1/terraform.auto.tfvars b/eks/qa/eu-west-1/terraform.auto.tfvars index 838f69b..1a54863 100644 --- a/eks/qa/eu-west-1/terraform.auto.tfvars +++ b/eks/qa/eu-west-1/terraform.auto.tfvars 
@@ -1,21 +1,22 @@ -cidr_block = "10.152.0.0/16" -env = "qa" -region = "eu-west-1" -subnet_priv_bits = 4 -subnet_pub_bits = 6 -subnet_pub_offset = 32 -internal_domain_name = "qa.iac.internal" -external_domain_name = "qa.iac.freuds.me" +env = "qa" +region = "eu-west-1" -one_nat_gateway_per_az = false +# cidr_block = "10.152.0.0/16" +# subnet_priv_bits = 4 +# subnet_pub_bits = 6 +# subnet_pub_offset = 32 +# internal_domain_name = "qa.iac.internal" +# external_domain_name = "qa.iac.freuds.me" + +# one_nat_gateway_per_az = false # AWS AMI Linux 2 (64 bit x86) : ami-02b4e72b17337d6c1 # AWS AMI Linux 2 (64 bit Arm) : ami-04b149cd223547c24 -bastion_ami = "ami-02b4e72b17337d6c1" -root_keypair = "iac-aws-key" +# bastion_ami = "ami-02b4e72b17337d6c1" +# root_keypair = "iac-aws-key" -gandi_domain_name = "freuds.me" -gandi_alias_ns = "qa.iac" +# gandi_domain_name = "freuds.me" +# gandi_alias_ns = "qa.iac" -bastion_enabled = false -ssh_port = 2345 +# bastion_enabled = false +# ssh_port = 2345 diff --git a/vpc/qa/eu-west-1/_variables.tf b/eks/qa/eu-west-1/variables.tf similarity index 100% rename from vpc/qa/eu-west-1/_variables.tf rename to eks/qa/eu-west-1/variables.tf diff --git a/myapp/_terraform/.terraform-version b/myapp/_terraform/.terraform-version index 90a27f9..6743780 100644 --- a/myapp/_terraform/.terraform-version +++ b/myapp/_terraform/.terraform-version @@ -1 +1 @@ -1.0.5 +1.11.4 \ No newline at end of file diff --git a/myapp/_terraform/outputs.tf b/myapp/_terraform/outputs.tf index 13cb414..39fe38d 100644 --- a/myapp/_terraform/outputs.tf +++ b/myapp/_terraform/outputs.tf @@ -20,5 +20,5 @@ output "agw_base_uri" { output "agw_domain_arn" { description = "The ARN of the domain name" - value = module.apigateway.domain_name_arn + value = module.apigateway.domain_name_arn } \ No newline at end of file diff --git a/myapp/_terraform/variables.tf b/myapp/_terraform/variables.tf index 35a65e4..eca93f6 100644 --- a/myapp/_terraform/variables.tf 
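Review bot: This file is the vpc tfvars carried over (its pre-image blob `838f69b` is the same one `vpc/qa/eu-west-1/terraform.auto.tfvars` starts from later in this patch), and the new side keeps every vpc setting as commented-out lines — `cidr_block`, `bastion_ami`, `root_keypair`, `gandi_*`, `ssh_port` — none of which the eks stack appears to declare. Commented leftovers in a tfvars mislead the next reader; I would delete them and instead set the inputs this stack actually needs, e.g. `organization = "fred-iac"`, since `eks/_terraform/variables.tf` now defaults `organization` to an empty string.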
+++ b/myapp/_terraform/variables.tf @@ -45,8 +45,8 @@ variable "function_name" { } variable "xray_enable" { - default = true - type = bool + default = true + type = bool description = "Enable or not the AWS X-Ray service for lambda" } @@ -54,12 +54,12 @@ variable "compatible_runtimes" { default = { nodejs = [ "nodejs12.x", - "nodejs14.x"] + "nodejs14.x"] python = [ "python3.6", "python3.7", - "python3.8"] + "python3.8"] } - type = map(list(string)) + type = map(list(string)) description = "Define the compatible library SDK" } diff --git a/vault/_terraform/.terraform-version b/vault/_terraform/.terraform-version index 90a27f9..6743780 100644 --- a/vault/_terraform/.terraform-version +++ b/vault/_terraform/.terraform-version @@ -1 +1 @@ -1.0.5 +1.11.4 \ No newline at end of file diff --git a/vpc/_packer/packer.auto.pkrvars.hcl b/vpc/_packer/packer.auto.pkrvars.hcl index e6183ab..a6bc0e2 100644 --- a/vpc/_packer/packer.auto.pkrvars.hcl +++ b/vpc/_packer/packer.auto.pkrvars.hcl 
@@ -1,22 +1,26 @@
-template = "debian-buster"
+os_family = "linux"
+os_name = "amazonlinux" #"ubuntu"
+os_version = "2023" #"22.04"
+# role = "server"
 service = "bastion"
 inventory_groups = "bastion"
 playbook_file = "../../_tools/ansible/playbooks/bastion.yml"
 # find values on the output of build service's
-security_group_id = "sg-09856bd9e33b68d63"
-subnet_id = "subnet-0b0bb84a0e4ee3d5f"
-vpc_id = "vpc-015a9f3d3f5b52f4b"
+aws_security_group_filter = "sg-packer"
+aws_subnet_name = "subnet-0ec6b6082145e87ae"
+aws_vpc_name = "build-vpc"
+aws_kms_key_id = "arn:aws:kms:eu-west-1:123456789012:key/alias/packer-key"
 # Packer variables for apple M1
 # Doc: https://gist.github.com/nrjdalal/e70249bb5d2e9d844cc203fd11f74c55
-qemu_binary = "qemu-system-aarch64"
-accelerator = "hvf"
-machine_type = "virt"
-cpu_type = "cortex-a72"
+# qemu_binary = "qemu-system-aarch64"
+# accelerator = "hvf"
+# machine_type = "virt"
+# cpu_type = "cortex-a72"
-PROJECT_NAME = "iac-aws"
-PROJECT_CI = "https://github.com/freuds/iac-aws.git"
-PROJECT_GIT = "https://github.com/freuds/iac-aws.git"
-PROJECT_OWNER = "fred"
+project_name = "iac-aws"
+project_ci = "https://github.com/freuds/iac-aws.git"
+project_git = "https://github.com/freuds/iac-aws.git"
+project_owner = "fred"
diff --git a/vpc/_packer/packer.sh b/vpc/_packer/packer.sh
deleted file mode 120000
index b4eed53..0000000
--- a/vpc/_packer/packer.sh
+++ /dev/null
@@ -1 +0,0 @@
-../../_tools/packer/_packer.sh
\ No newline at end of file
diff --git a/vpc/_packer/run.sh b/vpc/_packer/run.sh
new file mode 120000
index 0000000..85eefba
--- /dev/null
+++ b/vpc/_packer/run.sh
@@ -0,0 +1 @@
+../../_tools/packer/run.sh
\ No newline at end of file
diff --git a/vpc/_terraform/.terraform-version b/vpc/_terraform/.terraform-version
index 9d4f823..6743780 100644
--- a/vpc/_terraform/.terraform-version
+++ b/vpc/_terraform/.terraform-version
@@ -1 +1 @@
-1.2.9
+1.11.4
\ No newline at end of file
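Review bot: `aws_kms_key_id = "arn:aws:kms:eu-west-1:123456789012:key/alias/packer-key"` is not a valid KMS ARN: the resource part is either `key/<key-id>` or `alias/<name>`, never `key/alias/<name>`, and `123456789012` is the AWS documentation placeholder account, so Packer cannot resolve this key; use `aws_kms_key_id = "arn:aws:kms:eu-west-1:<account-id>:alias/packer-key"` (or the bare `alias/packer-key` if the template accepts it). The alias also does not match `alias/ami_kms_share` created in `build/_terraform/main.tf` in this patch, so it is unclear which key the build is supposed to use. Separately, `aws_subnet_name` is given a subnet ID (`subnet-0ec6…`) while the sibling `aws_vpc_name` / `aws_security_group_filter` carry names; if the template filters subnets by `tag:Name`, this value will never match.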
diff --git a/vpc/_terraform/backend.tf b/vpc/_terraform/backend.tf
index 3f98b29..6f92f30 100644
--- a/vpc/_terraform/backend.tf
+++ b/vpc/_terraform/backend.tf
@@ -1,6 +1,6 @@
 terraform {
 backend "remote" {
- hostname = "app.terraform.io"
+ hostname = "app.terraform.io"
 organization = "fred-iac"
 workspaces {
diff --git a/vpc/_terraform/db-import.sh.tpl b/vpc/_terraform/db-import.sh.tpl
index d858bda..d6d5fe8 100644
--- a/vpc/_terraform/db-import.sh.tpl
+++ b/vpc/_terraform/db-import.sh.tpl
@@ -1,4 +1,4 @@
-ssh -i /home/ubuntu/.ssh/id_phenix ${ db_host } 'sudo docker exec phenix.app-mariadb \
+ssh -i /home/ubuntu/.ssh/id_key ${ db_host } 'sudo docker exec key.app-mariadb \
 sh -c \"mysqldump -u ${ db_user } -p\"${ db_password }\" \
 --single-transaction ${ db_name } \" > /mnt/data_data_export.sql'
-scp -i /home/ubuntu/.ssh/id_phenix ${ db_host }:/mnt/data_data_export.sql /tmp/.
\ No newline at end of file
+scp -i /home/ubuntu/.ssh/id_key ${ db_host }:/mnt/data_data_export.sql /tmp/.
diff --git a/vpc/_terraform/main.tf b/vpc/_terraform/main.tf
index aa1ff4c..5085490 100644
--- a/vpc/_terraform/main.tf
+++ b/vpc/_terraform/main.tf
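Review bot: The rewritten `ssh` line still passes the database password on the `mysqldump` command line (`-p\"${ db_password }\"`) inside a `sudo docker exec`, so it is visible in `ps`, in the sudo log and in the shell history on the database host, and any `"` or `$` in the password breaks the nested quoting; the template should hand the secret over through `MYSQL_PWD` in the container's environment or a `--defaults-extra-file`, not argv. The mechanical `phenix` → `key` rename also turned the container name into `key.app-mariadb`, which reads like a search-and-replace artefact rather than a real container name — please confirm against the host. The private key path `/home/ubuntu/.ssh/id_key` is hard-coded; if this script is rendered into bastion user-data as the commented `bastion` module in `main.tf` suggests, a template variable for it would be safer.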
@@ -11,19 +11,26 @@ module "vpc" {
 internal_domain_name = var.internal_domain_name
 external_domain_name = var.external_domain_name
 one_nat_gateway_per_az = var.one_nat_gateway_per_az
+ cf_certificate_enabled = var.cf_certificate_enabled
 }
+#----------------------------
+# Gandi DNS
+#----------------------------
 module "gandi-dns" {
- source = "../../../_tools/terraform/modules/terraform-gandi-dns"
- gandi_apikey = var.GANDI_APIKEY
- gandi_domain_name = var.gandi_domain_name
- gandi_alias_ns = var.gandi_alias_ns
- gandi_aws_ns = [for ns in module.vpc.public_name_servers : format("%s.", ns)]
+ source = "../../../_tools/terraform/modules/terraform-gandi-dns"
+ gandi_personal_access_token = var.PERSONAL_ACCESS_TOKEN
+ gandi_domain_name = var.gandi_domain_name
+ gandi_alias_ns = var.gandi_alias_ns
+ gandi_aws_ns = [for ns in module.vpc.public_name_servers : format("%s.", ns)]
 }
+#----------------------------
+# Bastion
+#----------------------------
 # module "bastion" {
-# source = "git@github.com:xxxxxxxxxxxxxx/terraform-aws-bastion.git"
+# source = "git@github.com:example/terraform-aws-bastion.git"
 # region = var.region
 # env = var.env
 # vpc_id = module.vpc.vpc_id
@@ -46,13 +53,6 @@ module "gandi-dns" {
 # # vars = {
 # # db_script = data.template_file.db-import.rendered
-# # id_phenix_pub = var.id_phenix_pub
-# # id_phenix_priv = var.id_phenix_priv
-
-# # datadog_api_key = var.DATADOG_API_KEY
-# # datadog_tag_env = var.env
-# # datadog_agent_enabled = var.datadog_agent_enabled
-# # }
 # }
 # data "template_file" "db-import" {
diff --git a/vpc/_terraform/provider.tf b/vpc/_terraform/provider.tf
index 26585be..4f666c3 100644
--- a/vpc/_terraform/provider.tf
+++ b/vpc/_terraform/provider.tf
@@ -2,7 +2,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = "~> 4.0"
+ version = "~> 5.0"
 }
 }
 }
diff --git a/vpc/_terraform/variables.tf b/vpc/_terraform/variables.tf
index 1fdac59..e85aea8 100644
--- a/vpc/_terraform/variables.tf
+++ b/vpc/_terraform/variables.tf
@@ -43,8 +43,11 @@ variable "one_nat_gateway_per_az" {
 description = "Define if we created one NAT GW per AZ available or not"
 }
+#----------------------------------
 variable "bastion_ami" {
- default = "ami-0874dad5025ca362c"
+ description = "ID of the AMI to use for the bastion host"
+ type = string
+ default = "ami-0874dad5025ca362c"
 }
 variable "bastion_instance_type" {
@@ -87,20 +90,22 @@ variable "ssh_port" {
 default = 22
 }
-variable "GANDI_APIKEY" {
- description = "Gandi API Key defined in Terraform Cloud environment."
+#-----------------------------------
+variable "PERSONAL_ACCESS_TOKEN" {
+ description = "Gandi PAT (Personal Access Token) defined in Terraform Cloud environment."
+ type = string
 }
 variable "gandi_domain_name" {
- default = "domain.com"
+ default = "example.com"
 type = string
- description = "Domain Name"
+ description = "Domain Name from Gandi"
 }
 variable "gandi_alias_ns" {
- default = "domain.com"
+ default = "env.sub"
 type = string
- description = "Domain Name"
+ description = "Define subdomain for the zone"
 }
 variable "gandi_aws_ns" {
@@ -109,6 +114,7 @@ variable "gandi_aws_ns" {
 description = "AWS API Route53 for delegation domain"
 }
+#-----------------------------------
 variable "cf_certificate_enabled" {
 default = true
 type = bool
diff --git a/vpc/qa/eu-west-1/.terraform-version b/vpc/qa/eu-west-1/.terraform-version
deleted file mode 120000
index 22d6610..0000000
--- a/vpc/qa/eu-west-1/.terraform-version
+++ /dev/null
@@ -1 +0,0 @@
-../../_terraform/.terraform-version
\ No newline at end of file
diff --git a/vpc/qa/eu-west-1/Makefile b/vpc/qa/eu-west-1/Makefile
deleted file mode 100644
index 3d46c4d..0000000
--- a/vpc/qa/eu-west-1/Makefile
+++ /dev/null
@@ -1 +0,0 @@
-include ../../../_tools/terraform/Makefile
\ No newline at end of file
diff --git a/vpc/qa/eu-west-1/README.md b/vpc/qa/eu-west-1/README.md
index 19f5369..e69de29 100644
--- a/vpc/qa/eu-west-1/README.md
+++ b/vpc/qa/eu-west-1/README.md
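Review bot: `variable "PERSONAL_ACCESS_TOKEN"` holds the Gandi API token but is not marked `sensitive = true`, so its value can surface in plan/apply output and in error messages; with `required_version = ">= 1.0"` set elsewhere in this patch the attribute is available, so add `sensitive = true` next to `type = string`. The generic name also hides which service the token belongs to and diverges from the `gandi_*` prefix used by its siblings; `gandi_personal_access_token` would be clearer, and whichever name is kept must match the `TF_VAR_...` environment variable configured in Terraform Cloud.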
@@ -1,11 +0,0 @@ -# VPC QA EU-WEST-1 - -## VPC - -Build a VPC - -### Subnets - -### Nat Gateways - -### Routage \ No newline at end of file diff --git a/vpc/qa/eu-west-1/backend.tf b/vpc/qa/eu-west-1/backend.tf new file mode 120000 index 0000000..e7a87b2 --- /dev/null +++ b/vpc/qa/eu-west-1/backend.tf @@ -0,0 +1 @@ +../../_terraform/backend.tf \ No newline at end of file diff --git a/vpc/qa/eu-west-1/.terraform-config b/vpc/qa/eu-west-1/config.remote.tfbackend similarity index 100% rename from vpc/qa/eu-west-1/.terraform-config rename to vpc/qa/eu-west-1/config.remote.tfbackend diff --git a/vpc/qa/eu-west-1/main.tf b/vpc/qa/eu-west-1/main.tf new file mode 120000 index 0000000..4177c85 --- /dev/null +++ b/vpc/qa/eu-west-1/main.tf @@ -0,0 +1 @@ +../../_terraform/main.tf \ No newline at end of file diff --git a/vpc/qa/eu-west-1/_outputs.tf b/vpc/qa/eu-west-1/outputs.tf similarity index 100% rename from vpc/qa/eu-west-1/_outputs.tf rename to vpc/qa/eu-west-1/outputs.tf diff --git a/vpc/qa/eu-west-1/override.tf b/vpc/qa/eu-west-1/override.tf index b776ac0..e1d4b54 100644 --- a/vpc/qa/eu-west-1/override.tf +++ b/vpc/qa/eu-west-1/override.tf @@ -1,11 +1,3 @@ # module "vpc" { # source = "../../../_tools/terraform/modules/terraform-aws-vpc" # } - -# module "bastion" { -# source = "../../../_tools/terraform/modules/terraform-aws-bastion" -# } - -# module "gandi-dns" { -# source = "../../../_tools/terraform/modules/terraform-gandi-dns" -# } \ No newline at end of file diff --git a/vpc/qa/eu-west-1/provider.tf b/vpc/qa/eu-west-1/provider.tf new file mode 120000 index 0000000..42b87d1 --- /dev/null +++ b/vpc/qa/eu-west-1/provider.tf @@ -0,0 +1 @@ +../../_terraform/provider.tf \ No newline at end of file diff --git a/vpc/qa/eu-west-1/remote-states.tf b/vpc/qa/eu-west-1/remote-states.tf new file mode 120000 index 0000000..00b6e44 --- /dev/null +++ b/vpc/qa/eu-west-1/remote-states.tf @@ -0,0 +1 @@ +../../_terraform/remote-states.tf \ No newline at end of file 
diff --git a/vpc/qa/eu-west-1/terraform.auto.tfvars b/vpc/qa/eu-west-1/terraform.auto.tfvars
index 838f69b..39d0a45 100644
--- a/vpc/qa/eu-west-1/terraform.auto.tfvars
+++ b/vpc/qa/eu-west-1/terraform.auto.tfvars
@@ -5,7 +5,7 @@ subnet_priv_bits = 4
 subnet_pub_bits = 6
 subnet_pub_offset = 32
 internal_domain_name = "qa.iac.internal"
-external_domain_name = "qa.iac.freuds.me"
+external_domain_name = "qa.iac.freuds.fr"
 one_nat_gateway_per_az = false
@@ -14,8 +14,10 @@ one_nat_gateway_per_az = false
 bastion_ami = "ami-02b4e72b17337d6c1"
 root_keypair = "iac-aws-key"
-gandi_domain_name = "freuds.me"
+# Gandi
+gandi_domain_name = "freuds.fr"
 gandi_alias_ns = "qa.iac"
+# Set in TFC : TF_VAR_gandi_apikey
 bastion_enabled = false
 ssh_port = 2345
diff --git a/vpc/qa/eu-west-1/variables.tf b/vpc/qa/eu-west-1/variables.tf
new file mode 120000
index 0000000..495a660
--- /dev/null
+++ b/vpc/qa/eu-west-1/variables.tf
@@ -0,0 +1 @@
+../../_terraform/variables.tf
\ No newline at end of file
diff --git a/vpc/qa/us-east-1/.terraform-config b/vpc/qa/us-east-1/.terraform-config
deleted file mode 100644
index 5173b5b..0000000
--- a/vpc/qa/us-east-1/.terraform-config
+++ /dev/null
@@ -1,3 +0,0 @@
-workspaces {
- name = "vpc-qa-us-east-1"
-}
\ No newline at end of file
diff --git a/vpc/qa/us-east-1/.terraform-version b/vpc/qa/us-east-1/.terraform-version
deleted file mode 120000
index 22d6610..0000000
--- a/vpc/qa/us-east-1/.terraform-version
+++ /dev/null
@@ -1 +0,0 @@
-../../_terraform/.terraform-version
\ No newline at end of file
diff --git a/vpc/qa/us-east-1/Makefile b/vpc/qa/us-east-1/Makefile
deleted file mode 100644
index 9500b94..0000000
--- a/vpc/qa/us-east-1/Makefile
+++ /dev/null
@@ -1,3 +0,0 @@
-
-include ../../../_tools/terraform/Makefile
-
diff --git a/vpc/qa/us-east-1/_override.tf b/vpc/qa/us-east-1/_override.tf
deleted file mode 100644
index d77ff71..0000000
--- a/vpc/qa/us-east-1/_override.tf
+++ /dev/null
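Review bot: The new comment `# Set in TFC : TF_VAR_gandi_apikey` points at a variable name that no longer exists — this patch renames the root variable to `PERSONAL_ACCESS_TOKEN` in `vpc/_terraform/variables.tf`, so the Terraform Cloud environment variable has to be `TF_VAR_PERSONAL_ACCESS_TOKEN`; an operator following this comment would set the wrong name and the Gandi module would run without a token. Change the comment to `# Set in TFC as a sensitive env var: TF_VAR_PERSONAL_ACCESS_TOKEN`.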
@@ -1,7 +0,0 @@ -module "vpc" { - source = "../../../_tools/terraform/modules/terraform-aws-vpc" -} - -# module "bastion" { -# source = "../../../_tools/terraform/modules/terraform-aws-bastion" -# } \ No newline at end of file diff --git a/vpc/qa/us-east-1/terraform.auto.tfvars b/vpc/qa/us-east-1/terraform.auto.tfvars deleted file mode 100644 index f5b338a..0000000 --- a/vpc/qa/us-east-1/terraform.auto.tfvars +++ /dev/null @@ -1,18 +0,0 @@ -cidr_block = "10.152.0.0/16" -env = "qa" -region = "us-east-1" -subnet_priv_bits = 4 -subnet_pub_bits = 6 -subnet_pub_offset = 32 -internal_domain_name = "qa.fred-iac.internal" -external_domain_name = "qa.fred-iac.com" -# bastion_ami = "ami-03d4ce558fcf83f5b" -# datadog_agent_enabled = false -# eks_private_subnet_tags = { -# "kubernetes.io/cluster/qa-eks-cluster" = "shared" -# "kubernetes.io/role/internal-elb" = "1" -# } -# eks_public_subnet_tags = { -# "kubernetes.io/cluster/qa-eks-cluster" = "shared" -# "kubernetes.io/role/elb" = "1" -# }