Merge pull request #2 from nextrevision/feature/v1.2.0

Updating logic for v1.2.0 version of Rancher HA

.gitignore

@@ -1,4 +1,3 @@
-*.tfvars
 *.tfstate
 *.tfstate.backup
 

README.md

@@ -1,9 +1,11 @@
 # terraform-rancher-ha-example
 Terraform files for deploying a Rancher HA cluster in AWS
 
+> Update: since v1.2.0 simplified the HA deployment process, master reflects the latest way to deploy Rancher HA. If you are looking for the previous code, it is tagged under [v1.0.0](https://github.com/nextrevision/terraform-rancher-ha-example/tree/v1.0.0).
+
 These files are meant as a companion to the following blog post:
 
-[https://thisendout.com/2016/05/04/deploying-rancher-with-ha-using-rancheros-aws-terraform-letsencrypt/](https://thisendout.com/2016/05/04/deploying-rancher-with-ha-using-rancheros-aws-terraform-letsencrypt/)
+[https://thisendout.com/2016/11/10/update-deploying-rancher-in-production-aws-terraform-rancheros/](https://thisendout.com/2016/11/10/update-deploying-rancher-in-production-aws-terraform-rancheros/)
 
 ## Usage
 
@@ -14,24 +16,20 @@ git clone https://github.com/nextrevision/terraform-rancher-ha-example
 cd terraform-rancher-ha-example
 ```
 
-Create a `terraform.tfvars` file with the following contents:
+Edit the `terraform.tfvars` file:
 
 ```
-# aws access and secret keys
-# could also be exported as ENV vars, but included here for simplicity
-access_key = ""
-secret_key = ""
+# AWS key for the instances
+key_name = "rancher-example"
 
-# certificate paths
-# after receiving certificates from Let's Encrypt, I placed
-# them in ./certs. modify these values with the paths to your
-# certificates.
-cert_body = "./certs/cert1.pem"
-cert_private_key = "./certs/privkey1.pem"
-cert_chain = "./certs/chain1.pem"
+# RDS database password
+db_pass = "rancherdbpass"
 
-# database password rancher uses to connect to RDS
-db_password = "rancherdbpass"
+# To enable SSL termination on the ELBs, uncomment the lines below.
+#enable_https = true
+#cert_body = "certs/cert1.pem"              # Signed Certificate
+#cert_private_key = "certs/privkey1.pem"    # Certificate Private Key
+#cert_chain = "certs/chain1.pem"            # CA chain
 ```
 
 To create the cluster:
@@ -46,4 +44,30 @@ To destroy:
 terraform destroy
 ```
 
-These files are only meant to create the infrastructure needed to run Rancher with HA in AWS. Configuring and deploying Rancher will need to be done independently (see blog post for details).
+## Variables
+
+### AWS Infrastructure
+* region: AWS region (default: `us-east-1`)
+* count: number of HA servers to deploy (default: `3`)
+* name_prefix: prefix for all AWS resource names (default: `rancher-ha`)
+* ami: instance AMI ID (default: `ami-dfdff3c8`; RancherOS in us-east-1)
+* key_name: SSH key name in your AWS account for AWS instances (required)
+* instance_type: AWS instance type (default: `t2.large` for RAM requirement)
+* root_volume_size: size in GB of the instance root volume (default: `16`)
+* vpc_cidr: subnet in CIDR format to assign to the VPC (default: `192.168.199.0/24`)
+* subnet_cidrs: list of subnet ranges (3 required) (default: `["192.168.199.0/26", "192.168.199.64/26", "192.168.199.128/26"`)
+* availability_zones: AZs for placing instances and subnets (may change based on your account's availability) (default: `["us-east-1a", "us-east-1b", "us-east-1d"]`)
+
+### Database
+* db_name: name of the RDS DB (default: `rancher`)
+* db_user: username used to connect to the RDS database (default: `rancher`)
+* db_pass: password used to connect to the RDS database (required)
+
+### SSL
+* enable_https: enable HTTPS termination on the loadbalancer (default: `false`)
+* cert_body: required if `enable_https` is set to `true`
+* cert_private_key: required if `enable_https` is set to `true`
+* cert_chain: required if `enable_https` is set to `true`
+
+### Rancher
+* rancher_version: Rancher version to deploy (default: `latest`)

aws.tf

@@ -2,7 +2,5 @@
 # AWS Provider Configuration
 #------------------------------------------#
 provider "aws" {
-    access_key = "${var.access_key}"
-    secret_key = "${var.secret_key}"
     region = "${var.region}"
 }

ec2.tf

@@ -1,72 +1,61 @@
 #------------------------------------------#
-# EC2 Instance Configuration
+# AWS EC2 Configuration
 #------------------------------------------#
-resource "aws_key_pair" "rancher" {
-    key_name = "${var.key_name}"
-    public_key = "${file("${var.key_path}.pub")}"
-}
-
-resource "aws_instance" "rancher_ha_a" {
-    ami                         = "${lookup(var.ami, var.region)}"
+resource "aws_instance" "rancher_ha" {
+    count                       = "${var.count}"
+    ami                         = "${var.ami}"
     instance_type               = "${var.instance_type}"
-    availability_zone           = "${var.region}a"
-    key_name                    = "${aws_key_pair.rancher.key_name}"
-    subnet_id                   = "${aws_subnet.rancher_ha_a.id}"
-    security_groups             = ["${aws_security_group.rancher_ha.id}"]
-    associate_public_ip_address = true
-
-    tags {
-        Name = "${var.tag_name}-instance-a"
-    }
+    key_name                    = "${var.key_name}"
+    user_data                   = "${data.template_file.install.rendered}"
+    subnet_id                   = "${element(sort(aws_subnet.rancher_ha.*.id), count.index)}"
 
-    root_block_device {
-        volume_size = "100"
-        delete_on_termination = true
-    }
-}
-
-resource "aws_instance" "rancher_ha_b" {
-    ami                         = "${lookup(var.ami, var.region)}"
-    instance_type               = "${var.instance_type}"
-    availability_zone           = "${var.region}b"
-    key_name                    = "${aws_key_pair.rancher.key_name}"
-    subnet_id                   = "${aws_subnet.rancher_ha_b.id}"
-    security_groups             = ["${aws_security_group.rancher_ha.id}"]
-    associate_public_ip_address = true
+    vpc_security_group_ids = ["${aws_security_group.rancher_ha.id}"]
 
     tags {
-        Name = "${var.tag_name}-instance-b"
+        Name = "${var.name_prefix}-${count.index}"
     }
 
     root_block_device {
-        volume_size = "100"
+        volume_size = "${var.root_volume_size}"
         delete_on_termination = true
     }
+    depends_on = ["aws_rds_cluster_instance.rancher_ha"]
 }
 
-resource "aws_instance" "rancher_ha_d" {
-    ami                         = "${lookup(var.ami, var.region)}"
-    instance_type               = "${var.instance_type}"
-    availability_zone           = "${var.region}d"
-    key_name                    = "${aws_key_pair.rancher.key_name}"
-    subnet_id                   = "${aws_subnet.rancher_ha_b.id}"
-    subnet_id                   = "${aws_subnet.rancher_ha_d.id}"
-    security_groups             = ["${aws_security_group.rancher_ha.id}"]
-    associate_public_ip_address = true
-
-    tags {
-        Name = "${var.tag_name}-instance-d"
-    }
-
-    root_block_device {
-        volume_size = "100"
-        delete_on_termination = true
+data "template_file" "install" {
+    template = <<-EOF
+                #cloud-config
+                write_files:
+                - content: |
+                    #!/bin/bash
+                    wait-for-docker
+                    docker run -d --restart=unless-stopped \
+                      -p 8080:8080 -p 9345:9345 \
+                      rancher/server:$${rancher_version} \
+                      --db-host $${db_host} \
+                      --db-name $${db_name} \
+                      --db-port $${db_port} \
+                      --db-user $${db_user} \
+                      --db-pass $${db_pass} \
+                      --advertise-address $(ip route get 8.8.8.8 | awk '{print $NF;exit}')
+                  path: /etc/rc.local
+                  permissions: "0755"
+                  owner: root
+                EOF
+
+    vars {
+        rancher_version = "${var.rancher_version}"
+        db_host         = "${aws_rds_cluster.rancher_ha.endpoint}"
+        db_name         = "${aws_rds_cluster.rancher_ha.database_name}"
+        db_port         = "${aws_rds_cluster.rancher_ha.port}"
+        db_user         = "${var.db_user}"
+        db_pass         = "${var.db_pass}"
     }
 }
 
 resource "aws_security_group" "rancher_ha" {
-    name        = "${var.tag_name}-secgroup"
-    description = "Rancher HA Ports"
+    name        = "${var.name_prefix}-server"
+    description = "Rancher HA Server Ports"
     vpc_id      = "${aws_vpc.rancher_ha.id}"
 
     ingress {
@@ -87,35 +76,14 @@ resource "aws_security_group" "rancher_ha" {
         from_port   = 8080
         to_port     = 8080
         protocol    = "tcp"
-        cidr_blocks = ["0.0.0.0/0"]
-    }
-
-    ingress {
-        from_port   = 22
-        to_port     = 22
-        protocol    = "tcp"
-        cidr_blocks = ["0.0.0.0/0"]
+        cidr_blocks = ["${var.vpc_cidr}"]
     }
 
     ingress {
-        from_port   = 0
-        to_port     = 65535
+        from_port   = 9345
+        to_port     = 9345
         protocol    = "tcp"
-        cidr_blocks = ["192.168.99.0/24"]
-    }
-
-    ingress {
-        from_port   = 0
-        to_port     = 65535
-        protocol    = "udp"
-        cidr_blocks = ["192.168.99.0/24"]
-    }
-
-    ingress {
-        from_port   = -1
-        to_port     = -1
-        protocol    = "icmp"
-        cidr_blocks = ["0.0.0.0/0"]
+        cidr_blocks = ["${var.vpc_cidr}"]
     }
 
     egress {

elb.tf

@@ -1,73 +1,9 @@
 #------------------------------------------#
 # Elastic Load Balancer Configuration
 #------------------------------------------#
-resource "aws_elb" "rancher_ha" {
-    name                        = "${var.tag_name}-elb"
-    internal                    = false
-    idle_timeout                = 60
-    connection_draining         = true
-    connection_draining_timeout = 30
-    cross_zone_load_balancing   = true
-
-    subnets = [
-        "${aws_subnet.rancher_ha_a.id}",
-        "${aws_subnet.rancher_ha_b.id}",
-        "${aws_subnet.rancher_ha_d.id}",
-    ]
-
-    security_groups = ["${aws_security_group.rancher_ha_elb.id}"]
-
-    instances = [
-        "${aws_instance.rancher_ha_a.id}",
-        "${aws_instance.rancher_ha_b.id}",
-        "${aws_instance.rancher_ha_d.id}"
-    ]
-
-    listener {
-        instance_port = 80
-        instance_protocol = "tcp"
-        lb_port = 80
-        lb_protocol = "tcp"
-    }
-
-    listener {
-        instance_port = 443
-        instance_protocol = "ssl"
-        lb_port = 443
-        lb_protocol = "ssl"
-        ssl_certificate_id = "${aws_iam_server_certificate.rancher_ha.arn}"
-    }
-
-    listener {
-        instance_port = 18080
-        instance_protocol = "tcp"
-        lb_port = 18080
-        lb_protocol = "tcp"
-    }
-
-    health_check {
-        healthy_threshold = 2
-        unhealthy_threshold = 2
-        timeout = 3
-        target = "SSL:443"
-        interval = 30
-    }
-
-    tags {
-        Name = "${var.tag_name}-elb"
-    }
-}
-
-resource "aws_iam_server_certificate" "rancher_ha" {
-    name              = "${var.tag_name}-certificate"
-    certificate_body  = "${file("${var.cert_body}")}"
-    private_key       = "${file("${var.cert_private_key}")}"
-    certificate_chain = "${file("${var.cert_chain}")}"
-}
-
 resource "aws_security_group" "rancher_ha_elb" {
-    name        = "${var.tag_name}-elb-secgroup"
-    description = "Rancher HA Public Ports"
+    name        = "${var.name_prefix}-elb-default"
+    description = "Rancher HA ELB Common Traffic"
     vpc_id      = "${aws_vpc.rancher_ha.id}"
 
     ingress {
@@ -84,27 +20,6 @@ resource "aws_security_group" "rancher_ha_elb" {
         self      = true
     }
 
-    ingress {
-        from_port   = 80
-        to_port     = 80
-        protocol    = "tcp"
-        cidr_blocks = ["0.0.0.0/0"]
-    }
-
-    ingress {
-        from_port   = 443
-        to_port     = 443
-        protocol    = "tcp"
-        cidr_blocks = ["0.0.0.0/0"]
-    }
-
-    ingress {
-        from_port   = 18080
-        to_port     = 18080
-        protocol    = "tcp"
-        cidr_blocks = ["0.0.0.0/0"]
-    }
-
     ingress {
         from_port   = -1
         to_port     = -1