Add docker-base packer image, util terraform definitions

2019-02-01 16:29:12 +00:00 · 2019-02-01 16:29:12 +00:00 · e38c5dbe3f
--- a/ansible/migrate_db.sh
+++ b/ansible/migrate_db.sh
@ -31,7 +31,7 @@ BASTION_IP=$(echo $EC2_INFO | jq -r ".Reservations | map(.Instances) | flatten |
 if [[ $ENVIRONMENT == "local" ]] ; then
  ansible-playbook --ask-vault-pass -i "127.0.0.1," --extra-vars "env=${ENVIRONMENT} connection=local secrets_path=${HUBS_OPS_SECRETS_PATH}" -u ubuntu "migrate_db.yml"
 else
-  TARGET_IP=$(echo $EC2_INFO | jq -r ".Reservations | map(.Instances) | flatten | map(select(any(.State ; .Name == \"running\"))) | map(select(any(.Tags // [] | from_entries ; .[\"host-type\"] == \"${ENVIRONMENT}-hab\"))) | .[] | .PrivateIpAddress" | shuf | head -n1)
+  TARGET_IP=$(echo $EC2_INFO | jq -r ".Reservations | map(.Instances) | flatten | map(select(any(.State ; .Name == \"running\"))) | map(select(any(.Tags // [] | from_entries ; .[\"host-type\"] == \"${ENVIRONMENT}-util\"))) | .[] | .PrivateIpAddress" | shuf | head -n1)

  ansible-playbook --ask-vault-pass -i "${TARGET_IP}," --ssh-common-args="-i ~/.ssh/mozilla_mr_id_rsa -o ProxyCommand=\"ssh -W %h:%p -o StrictHostKeyChecking=no -i ~/.ssh/mozilla_mr_id_rsa ubuntu@${BASTION_IP}\"" --extra-vars "env=${ENVIRONMENT} connection=ssh secrets_path=${HUBS_OPS_SECRETS_PATH}" -u ubuntu "migrate_db.yml"
 fi
--- a/packer/docker-base/image.json
+++ b/packer/docker-base/image.json
@ -0,0 +1,90 @@
+{
+  "variables": {
+    "aws_access_key": "",
+    "aws_secret_key": ""
+  },
+  "builders": [{
+    "type": "amazon-ebs",
+    "access_key": "{{user `aws_access_key`}}",
+    "secret_key": "{{user `aws_secret_key`}}",
+    "region": "us-west-1",
+    "associate_public_ip_address": true,
+    "iam_instance_profile": "dev-packer",
+    "subnet_id": "subnet-abacbdf3",
+    "security_group_id": "sg-37a2c751",
+    "source_ami_filter": {
+      "filters": {
+        "virtualization-type": "hvm",
+        "name": "ubuntu/images/*ubuntu-bionic-18.04-amd64-server-*",
+        "root-device-type": "ebs"
+      },
+      "owners": ["099720109477"],
+      "most_recent": true
+    },
+    "instance_type": "m3.medium",
+    "ssh_username": "ubuntu",
+    "ami_name": "docker-base-{{timestamp}}"
+  }],
+  "provisioners": [
+    { "type": "file", "source": "../shared/files/hostname-adjectives", "destination": "hostname-adjectives" },
+    { "type": "file", "source": "../shared/files/hostname-nouns", "destination": "hostname-nouns" },
+    { "type": "file", "source": "../shared/files/set_hostname.sh", "destination": "set_hostname.sh" },
+    { "type": "file", "source": "../shared/files/set_host_type_prompt.sh", "destination": "set_host_type_prompt.sh" },
+    { "type": "file", "source": "../shared/files/set-hostname.service", "destination": "set-hostname.service" },
+    { "type": "file", "source": "../shared/files/coredump.conf", "destination": "coredump.conf" },
+    { "type": "file", "source": "../shared/files/sysctl.core.conf", "destination": "sysctl.core.conf" },
+    { "type": "file", "source": "../shared/files/limits.core.conf", "destination": "limits.core.conf" },
+    { "type": "file", "source": "../shared/files/sysctl.files.conf", "destination": "sysctl.files.conf" },
+    { "type": "file", "source": "../shared/files/limits.files.conf", "destination": "limits.files.conf" },
+    {
+      "type": "shell",
+      "execute_command": "echo 'packer' | sudo -S sh -c '{{ .Vars }} {{ .Path }}'",
+      "inline": [
+        "apt-get update",
+        "apt-get update",
+        "apt-get update",
+        "DEBIAN_FRONTEND=noninteractive apt-get upgrade -y",
+        "DEBIAN_FRONTEND=noninteractive apt-get install -y unattended-upgrades python3 awscli jq sysstat nfs-common apt-transport-https ca-certificates curl gnupg-agent software-properties-common",
+        "curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -",
+        "apt-key fingerprint 0EBFCD88 | grep \"9DC8 5822 9FC7 DD38 854A  E2D8 8D81 803C 0EBF CD88\" || exit 1",
+        "sudo add-apt-repository \"deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable\"",
+        "apt-get update",
+        "DEBIAN_FRONTEND=noninteractive apt-get install -y docker-ce",
+        "update-alternatives --install /usr/bin/python python /usr/bin/python3 1",
+        "mv coredump.conf /etc/systemd",
+        "mv sysctl.core.conf /etc/sysctl.d/60-core.conf",
+        "chown root:root /etc/sysctl.d/60-core.conf",
+        "chmod 0644 /etc/sysctl.d/60-core.conf",
+        "mv limits.core.conf /etc/security/limits.d/core.conf",
+        "chown root:root /etc/security/limits.d/core.conf",
+        "mv sysctl.files.conf /etc/sysctl.d/60-files.conf",
+        "chown root:root /etc/sysctl.d/60-files.conf",
+        "chmod 0644 /etc/sysctl.d/60-files.conf",
+        "mv limits.files.conf /etc/security/limits.d/files.conf",
+        "chown root:root /etc/security/limits.d/files.conf",
+        "mkdir -p /var/lib/coredump",
+        "chmod a+wx /var/lib/coredump",
+        "perl -p -i -e 's/false/true/g' /etc/default/sysstat",
+        "echo 'DefaultLimitCORE=infinity' >> /etc/systemd/system.conf",
+        "echo 'DefaultLimitNOFILE=infinity' >> /etc/systemd/system.conf",
+        "echo 'DefaultLimitMEMLOCK=infinity' >> /etc/systemd/system.conf",
+        "perl -p -i -e 's/preserve_hostname: false/preserve_hostname: true/g' /etc/cloud/cloud.cfg",
+        "mv hostname-nouns /usr/share/dict",
+        "mv hostname-adjectives /usr/share/dict",
+        "mv set_host_type_prompt.sh /usr/bin",
+        "mv set_hostname.sh /usr/bin",
+        "mv set-hostname.service /lib/systemd/system",
+        "chown root:root /lib/systemd/system/set-hostname.service",
+        "systemctl enable set-hostname",
+        "chown root:root /usr/share/dict/hostname-nouns",
+        "chown root:root /usr/share/dict/hostname-adjectives",
+        "chown root:root /usr/bin/set_hostname.sh",
+        "chown root:root /usr/bin/set_host_type_prompt.sh",
+        "chmod +x /usr/bin/set_host_type_prompt.sh",
+        "chmod +x /usr/bin/set_hostname.sh",
+        "echo \". /usr/bin/set_host_type_prompt.sh\" >> /home/ubuntu/.bashrc",
+        "echo \". /usr/bin/set_host_type_prompt.sh\" >> /root/.bashrc"
+      ]
+    }
+  ]
+}
--- a/packer/hab-base/image.json
+++ b/packer/hab-base/image.json
@ -32,11 +32,11 @@
    { "type": "file", "source": "../shared/files/set_host_type_prompt.sh", "destination": "set_host_type_prompt.sh" },
    { "type": "file", "source": "../shared/files/set-hostname.service", "destination": "set-hostname.service" },
    { "type": "file", "source": "../shared/files/save_service_files", "destination": "save_service_files" },
-    { "type": "file", "source": "files/coredump.conf", "destination": "coredump.conf" },
-    { "type": "file", "source": "files/sysctl.core.conf", "destination": "sysctl.core.conf" },
-    { "type": "file", "source": "files/limits.core.conf", "destination": "limits.core.conf" },
-    { "type": "file", "source": "files/sysctl.files.conf", "destination": "sysctl.files.conf" },
-    { "type": "file", "source": "files/limits.files.conf", "destination": "limits.files.conf" },
+    { "type": "file", "source": "../shared/files/coredump.conf", "destination": "coredump.conf" },
+    { "type": "file", "source": "../shared/files/sysctl.core.conf", "destination": "sysctl.core.conf" },
+    { "type": "file", "source": "../shared/files/limits.core.conf", "destination": "limits.core.conf" },
+    { "type": "file", "source": "../shared/files/sysctl.files.conf", "destination": "sysctl.files.conf" },
+    { "type": "file", "source": "../shared/files/limits.files.conf", "destination": "limits.files.conf" },
    {
      "type": "shell",
      "execute_command": "echo 'packer' | sudo -S sh -c '{{ .Vars }} {{ .Path }}'",
--- a/packer/shared/files/coredump.conf
+++ b/packer/shared/files/coredump.conf
@ -0,0 +1,8 @@
+[Coredump]
+Storage=external
+Compress=yes
+ProcessSizeMax=2G
+ExternalSizeMax=2G
+JournalSizeMax=767M
+MaxUse=
+KeepFree=
--- a/packer/shared/files/limits.core.conf
+++ b/packer/shared/files/limits.core.conf
@ -0,0 +1,2 @@
+*	hard	core	unlimited
+*	soft	core	unlimited
--- a/packer/shared/files/limits.files.conf
+++ b/packer/shared/files/limits.files.conf
@ -0,0 +1,2 @@
+*	soft	nofile	262144
+*	hard	nofile	262144
--- a/packer/shared/files/sysctl.core.conf
+++ b/packer/shared/files/sysctl.core.conf
@ -0,0 +1,3 @@
+kernel.core_pattern = /var/lib/coredump/core-%e-sig%s-user%u-group%g-pid%p-time%t
+kernel.core_uses_pid = 1
+fs.suid_dumpable = 2
--- a/packer/shared/files/sysctl.files.conf
+++ b/packer/shared/files/sysctl.files.conf
@ -0,0 +1 @@
+fs.file-max=262144
--- a/terraform/live/dev/util/terraform.tfvars
+++ b/terraform/live/dev/util/terraform.tfvars
@ -0,0 +1,15 @@
+terragrunt = {
+  terraform {
+    source = "git::git@github.com:mozilla/mr-ops.git//terraform/modules/postgrest"
+  }
+
+  include {
+    path = "${find_in_parent_folders()}"
+  }
+
+  dependencies {
+    paths = ["../vpc", "../base", "../bastion", "../ret-db"]
+  }
+}
+
+util_instance_type = "t3.small"
--- a/terraform/live/prod/util/terraform.tfvars
+++ b/terraform/live/prod/util/terraform.tfvars
@ -0,0 +1,15 @@
+terragrunt = {
+  terraform {
+    source = "git::git@github.com:mozilla/mr-ops.git//terraform/modules/postgrest"
+  }
+
+  include {
+    path = "${find_in_parent_folders()}"
+  }
+
+  dependencies {
+    paths = ["../vpc", "../base", "../bastion", "../ret-db"]
+  }
+}
+
+util_instance_type = "t3.small"
--- a/terraform/modules/util/main.tf
+++ b/terraform/modules/util/main.tf
@ -0,0 +1,103 @@
+variable "shared" { type = "map" }
+terraform { backend "s3" {} }
+provider "aws" { region = "${var.shared["region"]}", version = "~> 1.15" }
+provider "aws" { alias = "east", region = "us-east-1", version = "~> 1.15" }
+data "aws_availability_zones" "all" {}
+
+data "terraform_remote_state" "vpc" { backend = "s3", config = { key = "vpc/terraform.tfstate", bucket = "${var.shared["state_bucket"]}", region = "${var.shared["region"]}", dynamodb_table = "${var.shared["dynamodb_table"]}", encrypt = "true" } }
+data "terraform_remote_state" "base" { backend = "s3", config = { key = "base/terraform.tfstate", bucket = "${var.shared["state_bucket"]}", region = "${var.shared["region"]}", dynamodb_table = "${var.shared["dynamodb_table"]}", encrypt = "true" } }
+data "terraform_remote_state" "bastion" { backend = "s3", config = { key = "bastion/terraform.tfstate", bucket = "${var.shared["state_bucket"]}", region = "${var.shared["region"]}", dynamodb_table = "${var.shared["dynamodb_table"]}", encrypt = "true" } }
+data "terraform_remote_state" "ret-db" { backend = "s3", config = { key = "ret-db/terraform.tfstate", bucket = "${var.shared["state_bucket"]}", region = "${var.shared["region"]}", dynamodb_table = "${var.shared["dynamodb_table"]}", encrypt = "true" } }
+
+data "aws_ami" "docker-base-ami" {
+  most_recent = true
+  owners = ["self"]
+
+  filter {
+    name = "name"
+    values = ["docker-base-*"]
+  }
+}
+
+resource "aws_security_group" "util" {
+  name = "${var.shared["env"]}-util"
+  vpc_id = "${data.terraform_remote_state.vpc.vpc_id}"
+
+  egress {
+    from_port = "80"
+    to_port = "80"
+    protocol = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port = "443"
+    to_port = "443"
+    protocol = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  # SSH
+  ingress {
+    from_port = "22"
+    to_port = "22"
+    protocol = "tcp"
+    security_groups = ["${data.terraform_remote_state.bastion.bastion_security_group_id}"]
+  }
+
+  # NTP
+  egress {
+    from_port = "123"
+    to_port = "123"
+    protocol = "udp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+
+resource "aws_iam_role" "util" {
+  name = "${var.shared["env"]}-util"
+  assume_role_policy = "${var.shared["ec2_role_policy"]}"
+}
+
+resource "aws_iam_role_policy_attachment" "bastion-base-policy" {
+  role = "${aws_iam_role.util.name}"
+  policy_arn = "${data.terraform_remote_state.base.base_policy_arn}"
+}
+
+resource "aws_iam_instance_profile" "util" {
+  name = "${var.shared["env"]}-util"
+  role = "${aws_iam_role.util.id}"
+}
+
+resource "aws_launch_configuration" "util" {
+  image_id = "${data.aws_ami.docker-base-ami.id}"
+  instance_type = "${var.util_instance_type}"
+  security_groups = [
+    "${aws_security_group.util.id}",
+    "${data.terraform_remote_state.ret-db.ret_db_consumer_security_group_id}"
+  ]
+  key_name = "${data.terraform_remote_state.base.mr_ssh_key_id}"
+  iam_instance_profile = "${aws_iam_instance_profile.util.id}"
+  associate_public_ip_address = false
+  lifecycle { create_before_destroy = true }
+  root_block_device { volume_size = 64 }
+  user_data = <<EOF
+#!/usr/bin/env bash
+systemctl restart systemd-sysctl.service
+EOF
+}
+
+resource "aws_autoscaling_group" "util" {
+  name = "${var.shared["env"]}-util"
+  launch_configuration = "${aws_launch_configuration.util.id}"
+  availability_zones = ["${data.aws_availability_zones.all.names}"]
+  vpc_zone_identifier = ["${data.terraform_remote_state.vpc.private_subnet_ids}"]
+
+  min_size = "1"
+  max_size = "1"
+
+  lifecycle { create_before_destroy = true }
+  tag { key = "env", value = "${var.shared["env"]}", propagate_at_launch = true }
+  tag { key = "host-type", value = "${var.shared["env"]}-util", propagate_at_launch = true }
+}
+
--- a/terraform/modules/util/output.tf
+++ b/terraform/modules/util/output.tf
@ -0,0 +1,3 @@
+output "util_security_group_id" {
+  value = "${aws_security_group.util.id}"
+}
--- a/terraform/modules/util/vars.tf
+++ b/terraform/modules/util/vars.tf
@ -0,0 +1,3 @@
+variable "util_instance_type" {
+  description = "util server instance type"
+}