up terraform and ansible

- ansible users role
- up backend and region terragrunt templates
- dev default vpc
- ec2 instance example
time track: 6.83h

README.md

@@ -26,7 +26,7 @@ terraform/modules/aws/ec2/terraform_key_pair/main.tf
 ```
 
 Time track:
-- [Filipp Frizzy](https://github.com/Friz-zy/) 21.42h
+- [Filipp Frizzy](https://github.com/Friz-zy/) 28.25h
 
 ## [Terraform](https://www.terraform.io/) and [Terragrunt](https://terragrunt.gruntwork.io)
 In this setup I use terraform with terragrunt for provisioning whole infrastructure.

ansible/group_vars/all.yml

@@ -0,0 +1,3 @@
+root_users: []
+users: []
+deleted_users: []

ansible/inventory

@@ -0,0 +1 @@
+localhost ansible_connection=local

ansible/playbooks/users.yml

@@ -0,0 +1,8 @@
+---
+- name: Configure users
+  hosts: all
+  become: yes
+  gather_facts: no
+
+  roles:
+    - users

ansible/roles/users/README.md

@@ -0,0 +1,12 @@
+distro types: linux
+
+install:
+
+modify: 
+
+restart:
+
+vars:
+root_users: []
+users: []
+deleted_users: []

ansible/roles/users/defaults/main.yml

@@ -0,0 +1,3 @@
+root_users: []
+users: []
+deleted_users: []

ansible/roles/users/handlers/main.yml

@@ -0,0 +1 @@
+

ansible/roles/users/tasks/main.yml

@@ -0,0 +1,89 @@
+- name: Set authorized keys into root user
+  blockinfile:
+    path: /root/.ssh/authorized_keys
+    block: |
+      {{ lookup('file', '../files/{{ item }}') }}
+    marker: "# {mark} ANSIBLE MANAGED BLOCK {{ item }}"
+  with_items: "{{ root_users }}"
+
+- name: Make sure we have a 'sudo' group
+  group:
+    name: sudo
+    state: present
+
+- name: Allow 'sudo' group to have passwordless sudo
+  lineinfile:
+    dest: /etc/sudoers
+    state: present
+    regexp: '^%sudo'
+    line: '%sudo ALL=(ALL) NOPASSWD: ALL'
+    validate: 'visudo -cf %s'
+
+- name: Create separate users with password
+  user:
+    name: "{{ item }}"
+    shell: /bin/bash
+    groups: sudo
+    append: yes
+    password: "{{ lookup('file', '../files/{{ item }}_password') }}"
+  when: "'{{ lookup('file', '../files/{{ item }}_password', errors='ignore') }}' != ''"
+  with_items: "{{ users }}"
+
+- name: Create separate users without password
+  user:
+    name: "{{ item }}"
+    shell: /bin/bash
+    groups: sudo
+    append: yes
+  with_items: "{{ users }}"
+
+- name: Add authorized keys to separate users
+  authorized_key:
+    user: "{{ item }}"
+    key: "{{ lookup('file', '../files/{{ item }}') }}"
+  with_items: "{{ users }}"
+
+- name: Copy users private rsa key
+  copy:
+    dest: "/home/{{ item }}/.ssh/id_rsa"
+    src: "{{ item }}_id_rsa"
+    mode: 0600
+    owner: "{{ item }}"
+    group: "{{ item }}"
+    backup: yes
+  when: "'{{ lookup('file', '../files/{{ item }}_id_rsa', errors='ignore') }}' != ''"
+  with_items: "{{ users }}"
+
+- name: Copy users public rsa key
+  copy:
+    dest: "/home/{{ item }}/.ssh/id_rsa.pub"
+    src: "{{ item }}_id_rsa.pub"
+    mode: 0644
+    owner: "{{ item }}"
+    group: "{{ item }}"
+    backup: yes
+  when: "'{{ lookup('file', '../files/{{ item }}_id_rsa.pub', errors='ignore') }}' != ''"
+  with_items: "{{ users }}"
+
+- name: Delete deleted users
+  user:
+    name: "{{ item }}"
+    remove: yes
+    state: absent
+  with_items: "{{ deleted_users }}"
+
+- name: Delete deleted users from root user as block
+  blockinfile:
+    state: absent
+    path: /root/.ssh/authorized_keys
+    block: |
+      {{ lookup('file', '../files/{{ item }}', errors='ignore')|default(' ') }}
+    marker: "# {mark} ANSIBLE MANAGED BLOCK {{ item }}"
+  with_items: "{{ deleted_users }}"
+
+- name: Delete deleted users from root user as line
+  lineinfile:
+    state: absent
+    path: /root/.ssh/authorized_keys
+    regexp: "^{{ lookup('file', '../files/{{ item }}', errors='ignore')|default(' ') }}$"
+  with_items: "{{ deleted_users }}"

terraform/environments/aws-account-id/backend.hcl

@@ -1,14 +1,15 @@
-remote_state {
-  backend = "s3"
-  generate = {
+generate "backend" {
     path      = "backend.tf"
     if_exists = "overwrite_terragrunt"
-  }
-  config = {
+    contents = <<EOF
+terraform {
+  backend "s3" {
     bucket = "terraform_state_bucket"
     key = "${path_relative_to_include()}/terraform.tfstate"
     region         = "us-east-2"
     encrypt        = true
     dynamodb_table = "terraform_state"
   }
+}
+EOF
 }

terraform/environments/aws-account-id/us-east-2/dev/ec2/instance/example/main.tf

@@ -0,0 +1,108 @@
+module "ubuntu_ami" {
+  source = "../../../../../../../modules/aws/ec2/ami"
+}
+
+# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
+resource "aws_security_group" "dev_security_group" {
+  name        = "dev_security_group"
+  description = "Allow SSH"
+  vpc_id      = var.vpc_id
+
+  ingress {
+    description = "SSH"
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  /* ingress {
+    description = "Same group"
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    self = true
+  } */
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+
+# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance
+resource "aws_instance" "dev_example" {
+  ami                         = module.ubuntu_ami.id
+  instance_type               = "t3.nano"
+  key_name                    = var.terraform_key_pair_id
+  security_groups             = [aws_security_group.dev_security_group.name]
+  subnet_id                   = var.subnet_id
+  associate_public_ip_address = true
+
+  tags = {
+    Name = "dev_example"
+  }
+
+  root_block_device {
+    volume_size = 15
+  }
+
+  lifecycle {
+    prevent_destroy = true
+    ignore_changes = [
+      "associate_public_ip_address",
+      "instance_state"
+    ]
+  }
+
+  /* provisioner "local-exec" {
+    command = <<-EOT
+      echo '${var.terraform_key_pair_private_key_openssh}' > ssh-key
+      chmod 600 ssh-key
+    EOT
+    working_dir = path.module
+  } */
+
+  provisioner "file" {
+    source      = "../../../../../../../../ansible"
+    destination = "/home/ubuntu"
+
+    # https://www.terraform.io/language/resources/provisioners/connection
+    connection {
+        type     = "ssh"
+        user     = "ubuntu"
+        private_key = "${var.terraform_key_pair_private_key_openssh}"
+        host     = "${self.public_ip}"
+    }
+  }
+
+  provisioner "remote-exec" {
+    inline = [
+      "cd /home/ubuntu/ansible",
+      "sudo apt update",
+      "sudo env DEBIAN_FRONTEND=noninteractive apt install -y ansible",
+      "ansible-playbook playbooks/users.yml"
+    ]
+
+    # https://www.terraform.io/language/resources/provisioners/connection
+    connection {
+        type     = "ssh"
+        user     = "ubuntu"
+        private_key = "${var.terraform_key_pair_private_key_openssh}"
+        host     = "${self.public_ip}"
+    }
+  }
+}
+
+# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eip
+resource "aws_eip" "dev_example_eip" {
+  vpc = true
+}
+
+# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eip_association
+resource "aws_eip_association" "dev_example_eip_association" {
+  instance_id   = aws_instance.dev_example.id
+  allocation_id = aws_eip.dev_example_eip.id
+}

terraform/environments/aws-account-id/us-east-2/dev/ec2/instance/example/output.tf

@@ -0,0 +1,3 @@
+output "instance_ip" {
+  value = aws_eip.dev_example_eip.public_ip
+}

terraform/environments/aws-account-id/us-east-2/dev/ec2/instance/example/terragrunt.hcl

@@ -0,0 +1,36 @@
+include "backend" {
+  path = find_in_parent_folders("backend.hcl")
+}
+
+include "region" {
+  path = find_in_parent_folders("region.hcl")
+}
+
+dependency "terraform_key_pair" {
+  config_path = "../../../../management/ec2/key_pair/terraform"
+
+  # Configure mock outputs for the `validate` command that are returned when there are no outputs available (e.g the
+  # module hasn't been applied yet.
+  mock_outputs_allowed_terraform_commands = ["validate"]
+  mock_outputs = {
+    terraform_key_pair_id = "fake-key-id"
+    terraform_key_pair_private_key_openssh = "fake-private_key-id"
+  }
+}
+
+dependency "default_vpc" {
+  config_path = "../../../vpc/default"
+
+  mock_outputs_allowed_terraform_commands = ["validate"]
+  mock_outputs = {
+    vpc_id = "default_vpc_id"
+    subnet_id = "default_subnet_id"
+  }
+}
+
+inputs = {
+  terraform_key_pair_id = dependency.terraform_key_pair.outputs.id
+  terraform_key_pair_private_key_openssh = dependency.terraform_key_pair.outputs.private_key_openssh
+  vpc_id = dependency.default_vpc.outputs.vpc_id
+  subnet_id = dependency.default_vpc.outputs.subnet_id
+}

terraform/environments/aws-account-id/us-east-2/dev/ec2/instance/example/variables.tf

@@ -0,0 +1,14 @@
+variable "terraform_key_pair_id" {
+  description = "Terraform key_pair id"
+  type        = string
+}
+
+variable "terraform_key_pair_private_key_openssh" {
+  description = "Terraform key_pair private_key_openssh"
+  type        = string
+}
+
+variable "vpc_id" {
+  description = "The ID of the default vpc in a region"
+  type        = string
+}

terraform/environments/aws-account-id/us-east-2/dev/vpc/default/main.tf

@@ -0,0 +1,17 @@
+# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc#default
+data "aws_vpc" "default" {
+  default = true
+}
+
+# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones
+data "aws_availability_zones" "available" {
+  state = "available"
+}
+
+# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet
+data "aws_subnet" "default" {
+  availability_zone = data.aws_availability_zones.available.names[0]
+  default_for_az    = true
+  vpc_id            = data.aws_vpc.default.id
+  state             = "available"
+}

terraform/environments/aws-account-id/us-east-2/dev/vpc/default/output.tf

@@ -0,0 +1,9 @@
+output "vpc_id" {
+  value       = data.aws_vpc.default.id
+  description = "The ID of the default vpc in a region"
+}
+
+output "subnet_id" {
+  value       = data.aws_subnet.default.id
+  description = "The ID of the default subnet in default vpc"
+}

terraform/environments/aws-account-id/us-east-2/region.hcl

@@ -0,0 +1,9 @@
+generate "provider_aws" {
+    path      = "provider_aws.tf"
+    if_exists = "overwrite_terragrunt"
+    contents = <<EOF
+provider "aws" {
+  region = "us-east-2"
+}
+EOF
+}