# Note the IPs in this example are shared between roles, as suggested in
# https://doc.arvados.org/main/install/salt-multi-host.html
-CONTROLLER_INT_IP=10.1.1.1
-WEBSOCKET_INT_IP=10.1.1.1
-KEEP_INT_IP=10.1.1.2
+CONTROLLER_INT_IP=10.1.1.11
+WEBSOCKET_INT_IP=10.1.1.11
+KEEP_INT_IP=10.1.1.12
# Both for collections and downloads
-KEEPWEB_INT_IP=10.1.1.2
-KEEPSTORE0_INT_IP=10.1.1.3
-KEEPSTORE1_INT_IP=10.1.1.4
-WORKBENCH1_INT_IP=10.1.1.5
-WORKBENCH2_INT_IP=10.1.1.5
-WEBSHELL_INT_IP=10.1.1.5
-DATABASE_INT_IP=10.1.1.1
-SHELL_INT_IP=10.1.1.7
+KEEPWEB_INT_IP=10.1.1.12
+KEEPSTORE0_INT_IP=10.1.1.13
+KEEPSTORE1_INT_IP=10.1.1.14
+WORKBENCH1_INT_IP=10.1.1.15
+WORKBENCH2_INT_IP=10.1.1.15
+WEBSHELL_INT_IP=10.1.1.15
+DATABASE_INT_IP=10.1.1.11
+SHELL_INT_IP=10.1.1.17
INITIAL_USER="admin"
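Review bot: The reason every address moves from .1–.7 to .11–.17 is not recorded anywhere in the hunk; presumably it is that AWS reserves the first four addresses of each subnet (.0–.3 in 10.1.1.0/24), which made the old controller, keepproxy and keep0 addresses unassignable, and a one-line comment next to `CONTROLLER_INT_IP` would save the next reader that archaeology, e.g. `# The first four addresses of the subnet are reserved by AWS; host addresses start at .11`. These values are also duplicated by hand in the Terraform `private_ip` map changed further down in this commit, so a second note that the two must be kept in step (or that this file is to be filled from Terraform output) would limit silent drift. Which addresses are "shared between roles" is still explained only by the external link at the top; the database/controller and websocket/controller pairings would be clearer if named inline.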
https: "443",
ssh: "22",
}
+ availability_zone = data.aws_availability_zones.available.names[0]
hostnames = [ "controller", "workbench", "keep0", "keep1", "keepproxy", "shell" ]
arvados_dns_zone = "${var.cluster_name}.${var.domain_name}"
public_ip = { for k, v in aws_eip.arvados_eip: k => v.public_ip }
private_ip = {
- "controller": "10.1.1.1",
- "workbench": "10.1.1.5",
- "keepproxy": "10.1.1.2",
- "shell": "10.1.1.7",
- "keep0": "10.1.1.3",
- "keep1": "10.1.1.4"
+ "controller": "10.1.1.11",
+ "workbench": "10.1.1.15",
+ "keepproxy": "10.1.1.12",
+ "shell": "10.1.1.17",
+ "keep0": "10.1.1.13",
+ "keep1": "10.1.1.14"
}
aliases = {
controller: ["ws"]
}
resource "aws_subnet" "arvados_subnet" {
vpc_id = aws_vpc.arvados_vpc.id
- availability_zone = "${var.region_name}a"
- cidr_block = aws_vpc.arvados_vpc.cidr_block
+ availability_zone = local.availability_zone
+ cidr_block = "10.1.1.0/24"
+}
+resource "aws_subnet" "compute_subnet" {
+ vpc_id = aws_vpc.arvados_vpc.id
+ availability_zone = local.availability_zone
+ cidr_block = "10.1.2.0/24"
}
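Review bot: `cidr_block = "10.1.1.0/24"` and `"10.1.2.0/24"` replace the previous derivation from `aws_vpc.arvados_vpc.cidr_block`, so the two subnets are now valid only while the VPC CIDR (defined outside this hunk) contains 10.1.0.0/16 — if that CIDR is variable-driven the plan will fail, and if it is not, a comment saying the VPC block is fixed would help. Deriving the subnets with `cidrsubnet(aws_vpc.arvados_vpc.cidr_block, 8, 1)` and `cidrsubnet(aws_vpc.arvados_vpc.cidr_block, 8, 2)` keeps them inside the VPC by construction, though the hard-coded addresses in the `private_ip` map and in local.params would then need the same treatment. Both subnets are pinned to the single `local.availability_zone` (`names[0]`), which also places the NAT gateway added below in one AZ; a comment stating that single-AZ placement is intended would pre-empt the question.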
#
vpc_id = aws_vpc.arvados_vpc.id
service_name = "com.amazonaws.${var.region_name}.s3"
}
-resource "aws_vpc_endpoint_route_table_association" "s3_route" {
+resource "aws_vpc_endpoint_route_table_association" "arvados_s3_route" {
vpc_endpoint_id = aws_vpc_endpoint.s3.id
- route_table_id = aws_route_table.arvados_rt.id
+ route_table_id = aws_route_table.arvados_subnet_rt.id
+}
+resource "aws_vpc_endpoint_route_table_association" "compute_s3_route" {
+ vpc_endpoint_id = aws_vpc_endpoint.s3.id
+ route_table_id = aws_route_table.compute_subnet_rt.id
}
#
-# VPC Internet access
+# Internet access for Public IP instances
#
resource "aws_internet_gateway" "arvados_gw" {
vpc_id = aws_vpc.arvados_vpc.id
aws_internet_gateway.arvados_gw
]
}
-resource "aws_route_table" "arvados_rt" {
+resource "aws_route_table" "arvados_subnet_rt" {
vpc_id = aws_vpc.arvados_vpc.id
route {
cidr_block = "0.0.0.0/0"
}
resource "aws_route_table_association" "arvados_subnet_assoc" {
subnet_id = aws_subnet.arvados_subnet.id
- route_table_id = aws_route_table.arvados_rt.id
+ route_table_id = aws_route_table.arvados_subnet_rt.id
+}
+
+#
+# Internet access for Private IP instances
+#
+resource "aws_eip" "compute_nat_gw_eip" {
+ depends_on = [
+ aws_internet_gateway.arvados_gw
+ ]
+}
+resource "aws_nat_gateway" "compute_nat_gw" {
+ # A NAT gateway should be placed on a subnet with an internet gateway
+ subnet_id = aws_subnet.arvados_subnet.id
+ allocation_id = aws_eip.compute_nat_gw_eip.id
+}
+resource "aws_route_table" "compute_subnet_rt" {
+ vpc_id = aws_vpc.arvados_vpc.id
+ route {
+ cidr_block = "0.0.0.0/0"
+ nat_gateway_id = aws_nat_gateway.compute_nat_gw.id
+ }
}
+resource "aws_route_table_association" "compute_subnet_assoc" {
+ subnet_id = aws_subnet.compute_subnet.id
+ route_table_id = aws_route_table.compute_subnet_rt.id
+}
+
resource "aws_security_group" "arvados_sg" {
name = "arvados_sg"
vpc_id = aws_vpc.arvados_vpc.id
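Review bot: The `0.0.0.0/0 → nat_gateway_id` route in `compute_subnet_rt` gives every instance in `compute_subnet` unrestricted outbound reach, and nothing in this hunk limits it — the route table cannot, and the only security group visible here, `arvados_sg`, is the one for the service hosts. A comment on the route, e.g. `# Egress filtering for compute nodes must be done in their security group / NACL, not here`, would record where that control is expected to live. The AWS provider documentation recommends an explicit `depends_on = [aws_internet_gateway.arvados_gw]` on `aws_nat_gateway` itself; here the ordering is only transitive through `aws_eip.compute_nat_gw_eip`, which works but is worth stating in the existing placement comment. Whether `aws_eip.compute_nat_gw_eip` needs the VPC-scope attribute that the other EIPs in this file may set cannot be seen from the hunk; if `aws_eip.arvados_eip` sets it, this one should match.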