20270: Refactors the VPC code so that private nodes can access the Internet.
authorLucas Di Pentima <lucas.dipentima@curii.com>
Tue, 28 Mar 2023 17:17:30 +0000 (14:17 -0300)
committerLucas Di Pentima <lucas.dipentima@curii.com>
Tue, 28 Mar 2023 17:17:30 +0000 (14:17 -0300)
Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas.dipentima@curii.com>

tools/salt-install/terraform/aws/services/main.tf
tools/salt-install/terraform/aws/services/outputs.tf
tools/salt-install/terraform/aws/vpc/locals.tf
tools/salt-install/terraform/aws/vpc/main.tf
tools/salt-install/terraform/aws/vpc/outputs.tf

index 457aabc314f56b09e6afce27ffec15da52652ef1..7ec3b954eedd8dd75b14dbb465f402698a507050 100644 (file)
@@ -52,7 +52,7 @@ resource "aws_instance" "arvados_service" {
     "hostname": each.value
   })
   private_ip = local.private_ip[each.value]
-  subnet_id = data.terraform_remote_state.vpc.outputs.arvados_subnet_id
+  subnet_id = contains(local.public_hosts, each.value) ? data.terraform_remote_state.vpc.outputs.public_subnet_id : data.terraform_remote_state.vpc.outputs.private_subnet_id
   vpc_security_group_ids = [ data.terraform_remote_state.vpc.outputs.arvados_sg_id ]
   # This should be done in a more readable way
   iam_instance_profile = each.value == "controller" ? aws_iam_instance_profile.dispatcher_instance_profile.name : length(regexall("^keep[0-9]+", each.value)) > 0 ? aws_iam_instance_profile.keepstore_instance_profile.name : aws_iam_instance_profile.default_instance_profile.name
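Review bot: The new `subnet_id` expression on line 20 selects the subnet from `local.public_hosts`, while the address that has to fall inside that subnet's CIDR comes from `local.private_ip`, which this commit edits separately in vpc/locals.tf (hunk at L39-L49). Nothing ties the two maps together, so adding a host to `public_hosts` without moving its `private_ip` into 10.1.1.0/24 (or the reverse) is presumably only caught at apply time when AWS rejects the address. A comment on this line would at least make the invariant visible: `# NOTE: local.private_ip[each.value] must lie inside the CIDR of the subnet chosen here (10.1.1.0/24 public, 10.1.2.0/24 private); keep local.public_hosts and local.private_ip in sync`. If the pinned Terraform version supports `lifecycle { precondition { ... } }`, turning that invariant into a plan-time check would be stronger still. The `aws_instance.arvados_service` block begins before this hunk.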
index 0c29420e80f09bca5b59a9fefa61bca37b64d652..9dbccf81ced586b7e101e0072b655497cb2fa02d 100644 (file)
@@ -11,10 +11,10 @@ output "vpc_cidr" {
 }
 
 output "arvados_subnet_id" {
-  value = data.terraform_remote_state.vpc.outputs.arvados_subnet_id
+  value = data.terraform_remote_state.vpc.outputs.public_subnet_id
 }
 output "compute_subnet_id" {
-  value = data.terraform_remote_state.vpc.outputs.compute_subnet_id
+  value = data.terraform_remote_state.vpc.outputs.private_subnet_id
 }
 
 output "arvados_sg_id" {
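Review bot: The outputs on lines 28 and 32 keep their old names `arvados_subnet_id` and `compute_subnet_id` but now re-export `public_subnet_id` and `private_subnet_id` from the vpc state, so this file's naming no longer matches the public/private scheme the commit introduces in vpc/outputs.tf. If the old names are deliberately kept for existing consumers of this state, a comment saying so would stop a later cleanup from renaming them; otherwise renaming them to `public_subnet_id` and `private_subnet_id` keeps both modules consistent. Suggested comment above line 28: `# Legacy names kept for consumers of this state: arvados_subnet_id is the public subnet, compute_subnet_id the private one.`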
index ed02fb85a75a03fcdf51ad79be5f2b624915bd47..289eb3e04a841516aff4005f6a7ef4ca686edf5a 100644 (file)
@@ -16,8 +16,8 @@ locals {
   private_ip = {
     "controller": "10.1.1.11",
     "workbench": "10.1.1.15",
-    "shell": "10.1.1.17",
-    "keep0": "10.1.1.13",
+    "shell": "10.1.2.17",
+    "keep0": "10.1.2.13",
   }
   aliases = {
     controller: ["ws"]
index 94d245c3d618254154b985744d0e30fb0c2e7563..eba48b9f9ed320cfa93ef67060afa3f58f7a44e8 100644 (file)
@@ -24,12 +24,12 @@ resource "aws_vpc" "arvados_vpc" {
   enable_dns_hostnames = true
   enable_dns_support = true
 }
-resource "aws_subnet" "arvados_subnet" {
+resource "aws_subnet" "public_subnet" {
   vpc_id = aws_vpc.arvados_vpc.id
   availability_zone = local.availability_zone
   cidr_block = "10.1.1.0/24"
 }
-resource "aws_subnet" "compute_subnet" {
+resource "aws_subnet" "private_subnet" {
   vpc_id = aws_vpc.arvados_vpc.id
   availability_zone = local.availability_zone
   cidr_block = "10.1.2.0/24"
@@ -42,62 +42,58 @@ resource "aws_vpc_endpoint" "s3" {
   vpc_id = aws_vpc.arvados_vpc.id
   service_name = "com.amazonaws.${var.region_name}.s3"
 }
-resource "aws_vpc_endpoint_route_table_association" "arvados_s3_route" {
-  vpc_endpoint_id = aws_vpc_endpoint.s3.id
-  route_table_id = aws_route_table.arvados_subnet_rt.id
-}
 resource "aws_vpc_endpoint_route_table_association" "compute_s3_route" {
   vpc_endpoint_id = aws_vpc_endpoint.s3.id
-  route_table_id = aws_route_table.compute_subnet_rt.id
+  route_table_id = aws_route_table.private_subnet_rt.id
 }
 
 #
 # Internet access for Public IP instances
 #
-resource "aws_internet_gateway" "arvados_gw" {
+resource "aws_internet_gateway" "internet_gw" {
   vpc_id = aws_vpc.arvados_vpc.id
 }
 resource "aws_eip" "arvados_eip" {
   for_each = toset(local.public_hosts)
   depends_on = [
-    aws_internet_gateway.arvados_gw
+    aws_internet_gateway.internet_gw
   ]
 }
-resource "aws_route_table" "arvados_subnet_rt" {
+resource "aws_route_table" "public_subnet_rt" {
   vpc_id = aws_vpc.arvados_vpc.id
   route {
     cidr_block = "0.0.0.0/0"
-    gateway_id = aws_internet_gateway.arvados_gw.id
+    gateway_id = aws_internet_gateway.internet_gw.id
   }
 }
-resource "aws_route_table_association" "arvados_subnet_assoc" {
-  subnet_id = aws_subnet.arvados_subnet.id
-  route_table_id = aws_route_table.arvados_subnet_rt.id
+resource "aws_route_table_association" "public_subnet_assoc" {
+  subnet_id = aws_subnet.public_subnet.id
+  route_table_id = aws_route_table.public_subnet_rt.id
 }
 
 #
 # Internet access for Private IP instances
 #
-resource "aws_eip" "compute_nat_gw_eip" {
+resource "aws_eip" "nat_gw_eip" {
   depends_on = [
-    aws_internet_gateway.arvados_gw
+    aws_internet_gateway.internet_gw
   ]
 }
-resource "aws_nat_gateway" "compute_nat_gw" {
+resource "aws_nat_gateway" "nat_gw" {
   # A NAT gateway should be placed on a subnet with an internet gateway
-  subnet_id = aws_subnet.arvados_subnet.id
-  allocation_id = aws_eip.compute_nat_gw_eip.id
+  subnet_id = aws_subnet.public_subnet.id
+  allocation_id = aws_eip.nat_gw_eip.id
 }
-resource "aws_route_table" "compute_subnet_rt" {
+resource "aws_route_table" "private_subnet_rt" {
   vpc_id = aws_vpc.arvados_vpc.id
   route {
     cidr_block = "0.0.0.0/0"
-    nat_gateway_id = aws_nat_gateway.compute_nat_gw.id
+    nat_gateway_id = aws_nat_gateway.nat_gw.id
   }
 }
-resource "aws_route_table_association" "compute_subnet_assoc" {
-  subnet_id = aws_subnet.compute_subnet.id
-  route_table_id = aws_route_table.compute_subnet_rt.id
+resource "aws_route_table_association" "private_subnet_assoc" {
+  subnet_id = aws_subnet.private_subnet.id
+  route_table_id = aws_route_table.private_subnet_rt.id
 }
 
 resource "aws_security_group" "arvados_sg" {
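Review bot: Removing `arvados_s3_route` (lines 70-73) leaves `public_subnet_rt` without the S3 gateway-endpoint route, so S3 traffic from instances in the public subnet now exits through the internet gateway instead of the endpoint; the private route table keeps its association via `compute_s3_route`. If that is intentional because keep storage has moved to the private subnet, a comment next to the remaining association would record it; otherwise an association identical to `compute_s3_route` but with `route_table_id = aws_route_table.public_subnet_rt.id` keeps public-subnet S3 traffic on the endpoint path, where any endpoint policy still applies and no Internet egress is involved. Also, `compute_s3_route` on line 74 is the one name left in the compute/arvados scheme that the rest of this hunk replaces with public/private; renaming it `private_s3_route` would complete the refactor.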
index 9fe16358bea09c3a39a93c1abcacb41e401c25bd..09faa04a297f2e14f71a11c4c927068e17b70376 100644 (file)
@@ -9,12 +9,12 @@ output "arvados_vpc_cidr" {
   value = aws_vpc.arvados_vpc.cidr_block
 }
 
-output "arvados_subnet_id" {
-  value = aws_subnet.arvados_subnet.id
+output "public_subnet_id" {
+  value = aws_subnet.public_subnet.id
 }
 
-output "compute_subnet_id" {
-  value = aws_subnet.compute_subnet.id
+output "private_subnet_id" {
+  value = aws_subnet.private_subnet.id
 }
 
 output "arvados_sg_id" {