unified naming

.gitignore

@@ -0,0 +1,36 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+
+# Exclude all .tfvars files, which are likely to contain sentitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+#
+*.tfvars
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+#
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+
+# End of https://mrkandreev.name/snippets/gitignore-generator/#Terraform

.terraform.lock.hcl

@@ -0,0 +1,62 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/aws" {
+  version = "4.67.0"
+  hashes = [
+    "h1:dCRc4GqsyfqHEMjgtlM1EympBcgTmcTkWaJmtd91+KA=",
+    "zh:0843017ecc24385f2b45f2c5fce79dc25b258e50d516877b3affee3bef34f060",
+    "zh:19876066cfa60de91834ec569a6448dab8c2518b8a71b5ca870b2444febddac6",
+    "zh:24995686b2ad88c1ffaa242e36eee791fc6070e6144f418048c4ce24d0ba5183",
+    "zh:4a002990b9f4d6d225d82cb2fb8805789ffef791999ee5d9cb1fef579aeff8f1",
+    "zh:559a2b5ace06b878c6de3ecf19b94fbae3512562f7a51e930674b16c2f606e29",
+    "zh:6a07da13b86b9753b95d4d8218f6dae874cf34699bca1470d6effbb4dee7f4b7",
+    "zh:768b3bfd126c3b77dc975c7c0e5db3207e4f9997cf41aa3385c63206242ba043",
+    "zh:7be5177e698d4b547083cc738b977742d70ed68487ce6f49ecd0c94dbf9d1362",
+    "zh:8b562a818915fb0d85959257095251a05c76f3467caa3ba95c583ba5fe043f9b",
+    "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
+    "zh:9c385d03a958b54e2afd5279cd8c7cbdd2d6ca5c7d6a333e61092331f38af7cf",
+    "zh:b3ca45f2821a89af417787df8289cb4314b273d29555ad3b2a5ab98bb4816b3b",
+    "zh:da3c317f1db2469615ab40aa6baba63b5643bae7110ff855277a1fb9d8eb4f2c",
+    "zh:dc6430622a8dc5cdab359a8704aec81d3825ea1d305bbb3bbd032b1c6adfae0c",
+    "zh:fac0d2ddeadf9ec53da87922f666e1e73a603a611c57bcbc4b86ac2821619b1d",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/local" {
+  version = "2.4.0"
+  hashes = [
+    "h1:R97FTYETo88sT2VHfMgkPU3lzCsZLunPftjSI5vfKe8=",
+    "zh:53604cd29cb92538668fe09565c739358dc53ca56f9f11312b9d7de81e48fab9",
+    "zh:66a46e9c508716a1c98efbf793092f03d50049fa4a83cd6b2251e9a06aca2acf",
+    "zh:70a6f6a852dd83768d0778ce9817d81d4b3f073fab8fa570bff92dcb0824f732",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:82a803f2f484c8b766e2e9c32343e9c89b91997b9f8d2697f9f3837f62926b35",
+    "zh:9708a4e40d6cc4b8afd1352e5186e6e1502f6ae599867c120967aebe9d90ed04",
+    "zh:973f65ce0d67c585f4ec250c1e634c9b22d9c4288b484ee2a871d7fa1e317406",
+    "zh:c8fa0f98f9316e4cfef082aa9b785ba16e36ff754d6aba8b456dab9500e671c6",
+    "zh:cfa5342a5f5188b20db246c73ac823918c189468e1382cb3c48a9c0c08fc5bf7",
+    "zh:e0e2b477c7e899c63b06b38cd8684a893d834d6d0b5e9b033cedc06dd7ffe9e2",
+    "zh:f62d7d05ea1ee566f732505200ab38d94315a4add27947a60afa29860822d3fc",
+    "zh:fa7ce69dde358e172bd719014ad637634bbdabc49363104f4fca759b4b73f2ce",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/tls" {
+  version = "4.0.4"
+  hashes = [
+    "h1:pe9vq86dZZKCm+8k1RhzARwENslF3SXb9ErHbQfgjXU=",
+    "zh:23671ed83e1fcf79745534841e10291bbf34046b27d6e68a5d0aab77206f4a55",
+    "zh:45292421211ffd9e8e3eb3655677700e3c5047f71d8f7650d2ce30242335f848",
+    "zh:59fedb519f4433c0fdb1d58b27c210b27415fddd0cd73c5312530b4309c088be",
+    "zh:5a8eec2409a9ff7cd0758a9d818c74bcba92a240e6c5e54b99df68fff312bbd5",
+    "zh:5e6a4b39f3171f53292ab88058a59e64825f2b842760a4869e64dc1dc093d1fe",
+    "zh:810547d0bf9311d21c81cc306126d3547e7bd3f194fc295836acf164b9f8424e",
+    "zh:824a5f3617624243bed0259d7dd37d76017097dc3193dac669be342b90b2ab48",
+    "zh:9361ccc7048be5dcbc2fafe2d8216939765b3160bd52734f7a9fd917a39ecbd8",
+    "zh:aa02ea625aaf672e649296bce7580f62d724268189fe9ad7c1b36bb0fa12fa60",
+    "zh:c71b4cd40d6ec7815dfeefd57d88bc592c0c42f5e5858dcc88245d371b4b8b1e",
+    "zh:dabcd52f36b43d250a3d71ad7abfa07b5622c69068d989e60b79b2bb4f220316",
+    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+  ]
+}

README.md

@@ -1,14 +1,19 @@
-# k3s and Application Installer
+# k3s EC2 Terraform Script
 
-Installs k3s and a application on target machine.
-For now only application ```sock_shop``` is supported.
+Launches EC2 instance, creates private key, and saves it on the machine.
 
 Usage:
 ```
-./setup.sh -a sock_shop
+terraform apply -var="instance_type=t2.nano" -var="instance_name=k3s-box" -var="instance_ami=ami-0889a44b331db0194" -var="availability_zone=us-east-1a" -var="create_ebs_block_device=false" - var="enable_ingress_http=false" -var="duckdns_domain=<duckdns_domain>" -var="private_key_password=<your_password>" -auto-approve
 ```
 
-Help:
+Or create a tfvars file.
+
+DuckDNS.org allows 5 domain-entries for free. The token will be stored in SSM and fetched by the Terraform script from there.
+
+The command to connect via SSH to the newly created EC2 instance:
 ```
-./setup.sh -h
-```
+ssh -i ~/.ssh/your-key.pem ec2-user@ntt-example-01.duckdns.org
+```
+
+Defaults of vars are set to the ones provided in "Usage"

ec2.tf

@@ -0,0 +1,184 @@
+resource "aws_instance" "k3s_box" {
+  ami = var.instance_ami
+  instance_type = var.instance_type
+  associate_public_ip_address = true
+  key_name = aws_key_pair.k3s_box_kp.key_name
+
+  ebs_block_device {
+    device_name = "/dev/sdx"
+    volume_size = 10
+    volume_type = "gp2"
+    delete_on_termination = true
+    count = var.create_ebs_block_device ? 1 : 0
+  }
+
+  connection {
+    type = "ssh"
+    user = "ec2-user"
+    private_key = file("${local_file.k3s_box_private_key.filename}")
+    host = self.public_ip
+  }
+
+  provisioner "file" {
+    source = "./setup_scripts/install_crontab.sh"
+    destination = "/home/ec2-user/install_crontab.sh"
+  }
+
+  provisioner "file" {
+    source = "./setup_scripts/install_duckdns.sh"
+    destination = "/home/ec2-user/install_duckdns.sh"
+  }
+
+  provisioner "remote-exec" {
+    inline = [ 
+      "chmod +x /home/ec2-user/install_crontab.sh",
+      "/home/ec2-user/install_crontab.sh",
+      "chmod +x /home/ec2-user/install_duckdns.sh",
+      "/home/ec2-user/install_duckdns.sh ${var.duckdns_domain} ${data.aws_ssm_parameter.duckdns_token.token}"
+     ]
+  }
+
+  provisioner "local-exec" {
+    inline = [
+      "chmod +x ./setup_scripts/encrypt_private_key.sh",
+      "./setup_scripts/encrypt_private_key.sh ${var.private_key_password} ${local_file.k3s_box_private_key.filename}"
+    ]
+  }
+
+
+  tags = {
+    Name = var.instance_name
+  }
+}
+
+resource "aws_vpc" "k3s_box_vpc" {
+  cidr_block = "10.0.0.0/16"
+
+  tags = {
+    Name = concat(var.instance_name, "-vpc")
+  }
+}
+
+resource "aws_subnet" "k3s_box_public_subnet" {
+  vpc_id = aws_vpc.k3s_box_vpc.id
+  cidr_block = "10.0.1.0/24"
+  availability_zone = var.availability_zone
+
+  tags = {
+    Name = concat(var.instance_name, "-public-subnet")
+  }
+}
+
+resource "aws_subnet" "k3s_box_private_subnet" {
+  vpc_id = aws_vpc.k3s_box_vpc.id
+  cidr_block = "10.0.2.0/24"
+  availability_zone = var.availability_zone
+
+  tags = {
+    Name = concat(var.instance_name, "-private-subnet")
+  }
+}
+
+resource "aws_internet_gateway" "k3s_box_ig" {
+  vpc_id = aws_vpc.k3s_box_vpc.id
+
+  tags = {
+    Name = concat(var.instance_name, "-internet-gateway")
+  }
+}
+
+resource "aws_route_table" "k3s_box_rt" {
+  vpc_id = aws_vpc.k3s_box_vpc.id
+
+  route {
+    cidr_block = "0.0.0.0/0"
+    gateway_id = aws_internet_gateway.k3s_box_ig.id
+  }
+
+  route {
+    ipv6_cidr_block = "::/0"
+    gateway_id = aws_internet_gateway.k3s_box_ig.id
+  }
+
+  tags = {
+    Name = concat(var.instance_name, "-route-table")
+  }
+}
+
+resource "aws_route_table_association" "k3s_box_public_1_rt_a" {
+  subnet_id = aws_subnet.k3s_box_public_subnet.id
+  route_table_id = aws_route_table.k3s_box_rt.id
+}
+
+resource "aws_security_group" "k3s_box_sg" {
+  name = "security group for k3s box"
+  description = "security group for k3s box"
+  vpc_id = aws_vpc.k3s_box_vpc.id
+
+  ingress {
+    description = "SSH"
+    from_port = 22
+    to_port = 22
+    protocol = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+    ipv6_cidr_blocks = ["::/0"]
+  }
+
+  # ALLOWS HTTPS and HTTP from anywhere
+  ingress {
+    description = "HTTPS"
+    from_port = 443
+    to_port = 443
+    protocol = "tcp"
+    cidr_blocks = var.enable_ingress_http ? ["0.0.0.0/0"] : []
+    ipv6_cidr_blocks = var.enable_ingress_http ? ["::/0"] : []
+  }
+
+  ingress {
+    description = "HTTP"
+    from_port = 80
+    to_port = 80
+    protocol = "tcp"
+    cidr_blocks = var.enable_ingress_http ? ["0.0.0.0/0"] : []
+    ipv6_cidr_blocks = var.enable_ingress_http ? ["::/0"] : []
+  }
+
+  egress {
+    from_port = 0
+    to_port = 0
+    protocol = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+    ipv6_cidr_blocks = ["::/0"]
+  }
+
+  tags = {
+    Name = concat(var.instance_name, "-sg")
+  }
+}
+
+# create key pair
+resource "tls_private_key" "rsa" {
+  algorithm = "RSA"
+  rsa_bits = 4096
+}
+
+resource "aws_key_pair" "k3s_box_kp" {
+  key_name = concat(var.instance_name, "-key")
+  public_key = tls_private_key.rsa.public_key_openssh
+}
+
+# save key pair to machine
+resource "local_file" "k3s_box_private_key" {
+  content = tls_private_key.rsa.private_key_pem
+  filename = concat(var.instance_name, "-private_key.pem")
+  file_permission = 0400
+}
+
+# get token for duckdns from ssm
+data "aws_ssm_parameter" "duckdns_token" {
+  name = "/k3s/config/duckdns-token"
+}
+
+output "k3s_box_global_ips" {
+  value = ["${aws_instance.k3s_box.*.public_ip}"]
+}

provider.tf

@@ -0,0 +1,3 @@
+provider "aws" {
+  region = "us-east-1"
+}

script.sh

@@ -1,96 +0,0 @@
-#!/bin/sh
-
-
-# Author : NTT Data AG
-# Date   : 11-05-2023
-
-
-# update resources
-function update {
-		
-}
-
-
-# install necessary packages
-function install_resources {
-	sudo dnf install -y container-selinux
-	sudo dnf install -y https://rpm.rancher.io/k3s/stable/common/centos/8/noarch/k3s-selinux-1.2-2.el8.noarch.rpm
-}
-
-
-# install k3s
-# docs: https://docs.k3s.io/installation/configuration
-function get_k3s {
-	sudo curl -sfL https://get.k3s.io | INSTALL_K3S_SYMLINK="skip" K3S_KUBECONFIG_MODE="644" INSTALL_K3S_EXEC="--disable=traefik" sh -
-	export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
-	k3s kubectl get pods -A
-}
-
-
-# fetch helm resources
-# docs: https://helm.sh/docs/intro/install/
-function install_helm {
-	curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
-	chmod 700 get_helm.sh
-	./get_helm.sh
-}
-
-
-git
-https://www.liquidweb.com/kb/how-to-install-and-configure-git-on-fedora-22/#:~:text=1%20Introduction.%20Git%20is%20a%20widely%20adopted%2C%20distributed,for%20git.%20Using%20the%20%E2%80%93global%20option...%20More%20
-
-sudo dnf -y update
-sudo dnf -y install git
-
-
-checkout sockshop
-https://microservices-demo.github.io/deployment/kubernetes-start.html
-
-git clone https://github.com/microservices-demo/microservices-demo.git
-k3s kubectl create namespace sock-shop
-k3s kubectl apply -f complete-demo.yaml
-
-
-other
-k3s kubectl get pods -n sock-shop
-
-
-
-function get_k3s {
-
-  write_progress "Installing K3s (${K3SVERSION}) with NGINX instead of Traefik Ingress"
-
-  curl -sfL https://get.k3s.io | INSTALL_K3S_CHANNEL="${K3SVERSION}" INSTALL_K3S_SYMLINK="skip" K3S_KUBECONFIG_MODE="644" INSTALL_K3S_EXEC="--disable=traefik" sh -
-
-
-
-
-  # set the kubeconfig
-
-  export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
-
-  kubectl get pods -A
-
-
-
-
-  # install ingress nginx
-
-  helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
-
-  helm repo update
-
-
-
-
-  echo "####### EW "
-
-  helm install ingress-nginx ingress-nginx/ingress-nginx --version="${NGINX_INGRESS_VERSION}"
-
-
-
-
-  # wait for nginx to be ready
-
-
-}

setup.sh

@@ -1,128 +0,0 @@
-#!/bin/sh
-
-# Author : NTT Data AG
-# Date   : 11-05-2023
-
-helm_install=false
-app_name=""
-
-# fetch helm resources
-# docs: https://helm.sh/docs/intro/install/
-install_helm () {
-	# curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
-	# chmod 700 get_helm.sh
-	# ./get_helm.sh
-    echo "Helm not support yet."
-    exit 1
-}
-
-# install resources
-# TODO: check if this works
-install_k3s () {
-    sudo dnf install -y container-selinux
-	sudo dnf install -y https://rpm.rancher.io/k3s/stable/common/centos/8/noarch/k3s-selinux-1.2-2.el8.noarch.rpm
-
-    get_k3s
-}
-
-# install k3s
-# docs: https://docs.k3s.io/installation/configuration
-get_k3s () {
-	sudo curl -sfL https://get.k3s.io | INSTALL_K3S_SYMLINK="skip" K3S_KUBECONFIG_MODE="644" INSTALL_K3S_EXEC="--disable=traefik" sh -
-	export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
-	kubectl get pods -A
-}
-
-# install git
-install_git () {
-    sudo dnf -y update
-    sudo dnf -y install git
-}
-
-install_sock_shop () {
-    git clone https://github.com/microservices-demo/microservices-demo.git
-    cd microservices-demo/deploy/kubernetes
-    kubectl create namespace sock-shop
-    kubectl apply -f complete-demo.yaml
-    echo "Getting Pods from sock-shop namespace"
-    kubectl get pods -n sock-shop
-    # TODO: create check if list with pods returns and if they are ready
-}
-
-show_help() {
-    cat <<EOF
-Usage: $0 [options]
-
-Options:
-  -h, --help           Show help information
-  -m, --helm           Install Helm. Set flag when you want to install helm.
-  -a, --app <app_name> Specify the app name
-EOF
-}
-
-show_allowed_apps () {
-    cat <<EOF
-Supported apps:
-    - socks_shop
-
-EOF
-}
-
-while [ "$#" -gt 0 ]; do
-    case "$1" in
-        -h|--help)
-            show_help
-            exit 0
-            ;;
-        -m|--helm)
-            helm_install=true
-            shift
-            ;;
-        -a|--app)
-            if [ "$2" ]; then
-                app_name="$2"
-                shift 2
-            else
-                echo "Error: Missing argument for $1 option"
-                show_help
-                exit 1
-            fi
-            ;;
-        *)
-            echo "Error: Unrecognized option $1"
-            show_help
-            exit 1
-            ;;
-    esac
-done
-
-# Validate app names
-if [ -z "$app_name" ]; then
-    echo "Please specify app"
-else
-    case $app_name in
-        "sock_shop")
-            echo "$app_name OK"
-            ;;
-        *)
-            show_allowed_apps
-            exit 1
-            ;;
-    esac
-fi
-
-# Check if --helm was set
-if [ "$helm_install" = true ]; then
-    install_helm
-else
-    echo "Skipping helm"
-fi
-
-echo "Installing GIT"
-install_git
-
-echo "Installing K3S"
-install_k3s
-
-echo "Installing $app_name"
-install_sock_shop

setup_scripts/encrypt_private_key.sh

@@ -0,0 +1,6 @@
+#! /bin/bash
+
+# assuming gpg is installed
+password="$1"
+filename="$2"
+gpg --symmetric --cipher-algo AES256 --passphrase "$password" "$filename"

setup_scripts/install_crontab.sh

@@ -0,0 +1,6 @@
+#! /bin/bash
+
+sudo yum install cronie -y
+sudo systemctl enable crond.service
+sudo systemctl start crond.service
+sudo systemctl status crond.service > /home/ec2-user/crontab-status.txt

setup_scripts/install_duckdns.sh

@@ -0,0 +1,10 @@
+#! /bin/bash
+
+mkdir /home/ec2-user/duckdns
+cd /home/ec2-user/duckdns
+touch duck.sh
+echo url="https://www.duckdns.org/update?domains=$1&token=$2&ip=" | curl -k -o ~/duckdns/duck.log -K -
+chmod 700 duck.sh
+sudo touch /var/spool/cron/root
+echo "*/5 * * * * /home/ec2-user/duckdns/duck.sh >/dev/null 2>&1" | sudo tee -a /var/spool/cron/root > /dev/null
+./duck.sh

variables.tf

@@ -0,0 +1,44 @@
+variable "instance_type" {
+  type = string
+  default = "t2.nano"
+}
+
+variable "instance_name" {
+  type = string
+  default = "k3s-box"
+}
+
+variable "instance_ami" {
+  type = string
+  default = "ami-0889a44b331db0194" # amazon linux us-east-1
+}
+
+variable "availability_zone" {
+  type = string
+  default = "us-east-1a"
+}
+
+variable "create_ebs_block_device" {
+  type = bool
+  default = false
+}
+
+variable "enable_ingress_http" {
+  type = bool
+  default = false
+}
+
+variable "duckdns_domain" {
+    type = string
+    default = "None"
+}
+
+variable "duckdns_token" {
+  type = string
+  default = "None"
+}
+
+variable "private_key_password" {
+    type = string
+    default = "password"
+}