Allow OpenStack API authentication config for Terraform and deployed CitC to differ

.gitignore

@@ -9,5 +9,7 @@ __pycache__
 terraform.*.tfstate
 terraform.*.tfstate.backup
 terraform.*.tfvars
+terraform.tfvars
+.terraform.lock.hcl
 venv
 test_ssh_key*

openstack/.gitignore

@@ -0,0 +1,2 @@
+clouds.yaml
+citc_clouds.yaml

openstack/citc_clouds.yaml.example

@@ -0,0 +1,14 @@
+clouds:
+  openstack:
+    # Project name: <OpenStack project name>
+    # Credential name: <OpenStack app cred name>
+    # Credential creator: <OpenStack user name>
+    # Expires: <Expiry date, usually "Never">
+    auth:
+      auth_url: <URL for identity service API>
+      application_credential_id: <ID of application credential>
+      application_credential_secret: <application credential secret>
+    auth_type: v3applicationcredential
+    region_name: "RegionOne"
+    interface: "public"
+    identity_api_version: 3

openstack/compute.tf

@@ -81,6 +81,6 @@ resource "openstack_compute_floatingip_associate_v2" "mgmt" {
 
   provisioner "local-exec" {
     # TODO HACK This is a temporary solution I hope
-    command = "for i in {1..60}; do echo Attempt $i; scp -A -oStrictHostKeyChecking=no -oUserKnownHostsFile=/dev/null clouds.yaml cloud-user@${openstack_compute_floatingip_v2.mgmt.address}:. && break || sleep 1; done"
+    command = "for i in {1..60}; do echo Attempt $i; scp ${var.ssh_extra_flags} -A -oStrictHostKeyChecking=no -oUserKnownHostsFile=/dev/null ${var.clouds_yaml} cloud-user@${openstack_compute_floatingip_v2.mgmt.address}:clouds.yaml && break || sleep 1; done"
   }
 }

openstack/provider.tf

@@ -9,6 +9,12 @@ terraform {
 }
 
 provider openstack {
-  cloud = "openstack"
-  tenant_name = "demo"
+  # Recommend using environment variables to set up OpenStack authentication for Terraform, see
+  # https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs
+  # e.g. set OS_CLOUD to the name of a cloud specified in a clouds.yaml file.
+
+  # Note that the OpenStack authentication information used by Terraform does not need to be the
+  # same as used by the deployed CitC instance. A different application credential can be used by
+  # setting the clouds_yaml Terraform variable to a file containing CitC-specific application
+  # credential information
 }

openstack/terraform.tfvars.example

@@ -0,0 +1,12 @@
+# The public keys you will use to log in to the admin `citc` account on the cluster
+admin_public_keys = <<EOT
+ssh-rsa UmFuZG9tIGtleSBjb250ZW50cy4gUHV0IHlvdXIgb3duIGtleSBpbiBoZXJlIG9idmlvdXNseS4= user@computer
+ssh-rsa QW5vdGhlciBwdWJsaWMga2V5IGhlcmUuIEkgY2FuJ3QgYmVsaWV2ZSB5b3UgYm90aGVyZWQgdG8gZGVjb2RlIHRoaXMh user@anothercomputer
+EOT
+
+# Branch of Ansible configuration repository ("ansible_repo" Terraform variable) to use
+ansible_branch = "openstack"
+
+# OpenStack clouds.yaml file used by CitC instance to authenticate to OpenStack API
+# (This can be different to the method Terraform uses to authenticate to OpenStack)
+clouds_yaml = "citc_clouds.yaml"

openstack/variables.tf

@@ -38,3 +38,20 @@ variable "ansible_branch" {
   nullable = false
   sensitive = false
 }
+
+variable "clouds_yaml" {
+  default = "clouds.yaml"
+  type = string
+  description = "Path to OpenStack clouds.yaml to be used by CitC instance to authenticate to OpenStack API. The file should contain a single application credential defined for cloud 'openstack'. This does not have to be named 'clouds.yaml'."
+  nullable = false
+  sensitive = false
+}
+
+# TODO HACK This supports the temporary solution to scp clouds.yaml to mgmt in compute.tf
+variable "ssh_extra_flags" {
+  default = ""
+  type = string
+  description = "Additional flags for ssh/scp command necessary to connect to deployed instances, e.g. jump host"
+  nullable = false
+  sensitive = false
+}