This terraform plan makes use of chef-backend and chef-server-core to create a Chef HA architecture spread across multiple AWS availability zones within one AWS region. Cross region deployment is not supported with this plan or with chef-backend at this time.
By default, this terraform plan will create a VPC, subnets, security groups, security group rules, frontend nodes (chef-server-core), backend nodes (chef-backend), and an AWS ELB comprised of the frontend nodes.
This plan is rather large and complex. Be sure to read through the README in full.
This terraform plan is designed for near-production use. Please take note, as the requirements are extensive:
- Requires:
  - AWS (duh!)
  - Route53 internal and external zones
  - Uploaded to AWS a SSL certificate (wildcard preferred)
  - SSL certificate/key for created instance (local files to upload to instances)
  - Terraform >= 0.7.3
- Uses public IPs and public DNS
- Creates default security group as follows:
  - Frontend:
    - 443/tcp: HTTPS from anywhere
    - 80/tcp: HTTP from anywhere
  - Backend:
    - ALL: inside security group
    - 2379/tcp: etcd from Frontend SG
    - 5432/tcp: PostgreSQL from Frontend SG
    - 7331/tcp: leaderl from Frontend SG
    - 9200/tcp: Elasticsearch from Frontend SG
  - SSH Security Group:
    - 22/tcp: SSH from anywhere (default), restrict with the `${ssh_cidrs}` list
- Creates subnets spread across AWS AZs
- Minimum three (3) chef-backend instances required (`chef["backend_count"]`)
- Minimum two (2) chef-server-core instances required (`chef["frontend_count"]`)
- Understanding of Terraform and the ability to read the source
Usage as a module has not been tested; however, in Terraform 0.7.0 many things are first-class which were not before. Choose to run this way at your own risk.
- Clone this repo: `git clone https://github.com/mengesb/tf_hachef.git`
- Make a local terraform.tfvars file: `cp terraform.tfvars.example terraform.tfvars`
- Edit `terraform.tfvars` with your editor of choice, ensuring `var.chef["accept_mlsa"]` is set to `true`
- Test the plan: `terraform plan`
- Apply the plan: `terraform apply`
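A filled-in terraform.tfvars for the steps above that also closes the default 22/tcp-from-anywhere rule via `ssh_cidrs`, as an added example (not the repo's terraform.tfvars.example). The access keys, zone IDs, certificate ARN, file paths, domain and CIDRs are placeholders to replace with your own.

```hcl
# Added example terraform.tfvars; not the repo's own terraform.tfvars.example.
# All keys, IDs, ARNs, paths and CIDRs below are placeholders.
provider = {
  access_key = "REPLACE_WITH_ACCESS_KEY"
  secret_key = "REPLACE_WITH_SECRET_KEY"
  region     = "us-east-1"
}

# Restrict the SSH security group: the default 0.0.0.0/0 admits SSH from the
# whole internet to every node (all nodes get public IPs). List only the
# ranges your administrators actually connect from.
ssh_cidrs = ["203.0.113.0/24", "198.51.100.7/32"]

# Keep the HA minimums the plan requires (3 backend, 2 frontend).
chef_backend = {
  count   = 3
  version = "1.1.2"
}
chef_server = {
  count   = 2
  version = "12.8.0"
}

# The plan will not proceed without accepting the Chef MLSA. The variables
# table names this chef_mlsa; the usage steps refer to var.chef["accept_mlsa"].
chef_mlsa = "true"

# Route53 zones, the ELB certificate uploaded to AWS, and the local cert/key
# files that are copied onto the instances.
domain = "example.internal"
r53_zones = {
  internal = "ZINTERNALZONEID"
  external = "ZEXTERNALZONEID"
}
elb = {
  certificate = "arn:aws:iam::123456789012:server-certificate/wildcard-example"
  hostname    = "chefelb"
  tags_desc   = "Created using Terraform"
}
ssl_certificate = {
  cert_file = "/home/me/certs/wildcard.example.crt"
  key_file  = "/home/me/certs/wildcard.example.key"
}

# SSH key pair used for provisioning; key_file is the matching private key.
instance_keys = {
  key_name = "chef-ha-deployer"
  key_file = "/home/me/.ssh/chef-ha-deployer.pem"
}
```

Everything not set here keeps the defaults from variables.tf; run `terraform plan` and confirm the SSH security group rule shows only your CIDRs before applying.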
All supported OSes are 64-bit and HVM (though PV should be supported)
- Ubuntu 12.04 LTS
- Ubuntu 14.04 LTS (default)
- Ubuntu 16.04 LTS (pending)
- CentOS 6
- CentOS 7 (pending)
- Others (here be dragons! Please see Map Variables)
These resources will incur charges on your AWS bill. It is your responsibility to delete the resources.
The defaults set forth in the variables.tf file have been set for good reasons. A good amount of testing went into defining these defaults, and the necessary inputs are defined for your convenience in terraform.tfvars.example.
Variable | Key | Description | Type | Default Value
---|---|---|---|---
provider | | AWS provider map | map |
 | access_key | AWS access key | string |
 | region | AWS region for deployment | string | us-east-1
 | secret_key | AWS secret | string |
vpc | | AWS VPC settings map | map |
 | cidr | CIDR block for VPC | string | 10.20.30.0/24
 | dns_hostnames | Support DNS hostnames (required) | boolean | true
 | dns_support | Support DNS in VPC (required) | boolean | true
 | tags_desc | Description tag | string | Chef HA VPC
 | tenancy | AWS instance tenancy | string | default
subnets | | AWS subnet settings | map |
 | `key` | AWS AZ to create subnet | string | us-east-1a, us-east-1c, us-east-1d, us-east-1e
 | `value` | Subnet to configure for `key` | string | 10.20.30.0/26, 10.20.30.64/26, 10.20.30.128/26, 10.20.30.192/26
ssh_cidrs | | List of CIDRs allowing SSH | list | 0.0.0.0/0
ami | | AWS AMI map | map |
 | `key` | Key comprised of os-type-region | string | View [variables.tf](variables.tf)
 | `value` | AWS AMI identifier | string | View [variables.tf](variables.tf)
os | | AWS AMI operating system | string | ubuntu14
ami_user | | Mapping of AMI OS to AMI username | map | ubuntu
 | `key` | AMI OS | string | centos7, centos6, ubuntu16, ubuntu14, ubuntu12
 | `value` | Username for `key` | string | centos, centos, ubuntu, ubuntu, ubuntu
ssl_certificate | | SSL certificate information | map |
 | cert_file | Full path to SSL certificate file | string |
 | key_file | Full path to SSL certificate key file | string |
elb | | AWS ELB settings | map |
 | certificate | AWS identifier for SSL certificate | string |
 | hostname | Base hostname for AWS ELB | string | chefelb
 | tags_desc | Description tag | string | Created using Terraform
chef_backend | | Chef backend settings | map |
 | count | Count of chef-backend instances | integer | 3
 | version | Version of chef-backend to install | string | 1.1.2
chef_client | | Version of chef-client to install | string | 12.12.15
chef_mlsa | | Chef MLSA license acceptance | string | false
chef_org | | Chef server organization settings | map |
 | short | Chef server organization short name | string | chef
 | long | Chef server organization long name | string | Chef Organization
chef_server | | Chef server core settings | map |
 | count | Count of chef-server-core instances | integer | 2
 | version | Version of chef-server-core to install | string | 12.8.0
chef_user | | Chef initial user settings | map |
 | | Chef user e-mail address | string | [email protected]
 | first_name | Chef user first name | string | Chef
 | last_name | Chef user last name | string | User
 | username | Chef user username | string | chef
instance | | AWS instance settings | map |
 | backend_flavor | AWS instance type for chef-backend | string | r3.xlarge
 | backend_iops | Root volume IOPs on chef-backend instance (`io1`) | integer | 0
 | backend_public | Associate public IP to chef-backend instance | boolean | true
 | backend_size | Root volume size (GB) on chef-backend instance | integer | 40
 | backend_term | Root volume delete on chef-backend instance termination | boolean | true
 | backend_type | Root volume type on chef-backend instance | string | gp2
 | ebs_optimized | Deploy EBS optimized root volume | boolean | true
 | frontend_flavor | AWS instance type for chef-server-core | string | m4.large
 | frontend_iops | Root volume IOPs on chef-server-core instance (`io1`) | integer | 0
 | frontend_public | Associate public IP to chef-server-core instance | boolean | true
 | frontend_size | Root volume size (GB) on chef-server-core instance | integer | 40
 | frontend_term | Root volume delete on chef-server-core instance termination | boolean | true
 | frontend_type | Root volume type on chef-server-core instance | string | gp2
 | tags_desc | Description name tag for instances | string | Created using Terraform
instance_hostname | | AWS instance base hostname | map |
 | backend | Chef backend base hostname | string | chefbe
 | frontend | Chef server core base hostname | string | chefbe
instance_keys | | AWS SSH key settings | map |
 | key_name | AWS key pair | string |
 | key_file | Full path to matching private key | string |
instance_store | | AWS instance store settings | map |
 | device | AWS instance store device name | string | xvdb
 | enabled | Use AWS instance store | boolean | true
 | filesystem | AWS instance store filesystem | string | ext4
 | mount | AWS instance store mount point | string | /mnt/xvdb
 | mount_options | AWS instance store mount options | string | defaults,noatime,errors=remount-ro
domain | | Domain name | string | localdomain
r53_zones | | AWS Route53 zone settings | map |
 | internal | AWS Route53 internal zone ID | string |
 | external | AWS Route53 external zone ID | string |
r53_ttls | | AWS Route53 TTL settings | map |
 | internal | Internal record TTL setting | integer | 180
 | external | External record TTL setting | integer | 180
etcd_path | | Path to configure ETCD settings | string | `/opt/chef-backend/service/etcd/env`
etcd_settings | | Map of settings for ETCD configuration. Key is setting name, value is the value | map | ETCD_HEARTBEAT_INTERVAL = 600, ETCD_ELECTION_TIMEOUT = 6000, ETCD_SNAPSHOT_COUNT = 5000
etcd_restart_cmd | | Command issued to restart ETCD service | string | `sudo chef-backend-ctl restart etcd`
The following variables work in concert with each other to set a number of required settings for this plan to succeed.

- `ami`: Map of `os`-`instance[..._type]`-`provider[region]` to AMI ID
- `ami_user`: Map of AMI OS to default AMI username
- `os`: String containing OS+Version (i.e. Ubuntu 14.04.x LTS = `ubuntu14`)
- `provider[region]`: AWS region
Normally you will not interact with the `ami` map directly; however, if you want to override the AMI selected, take note of the following examples.

Example: Using a newer AMI for the default `ubuntu14` requires a simple `ami` override:

```hcl
ami = {
  ubuntu14-gp2-us-east-1 = "ami-ffffffff"
}
```
Example: Custom AMI user with custom AMI image

```hcl
os = "myos"
ami = {
  myos-gp2-us-east-1 = "ami-ffffffff"
}
ami_user = {
  myos = "someuser"
}
```
Example: Using existing AMIs but with an io1 root volume on chef-backend

```hcl
instance = {
  backend_flavor  = "r3.xlarge"
  backend_iops    = 6000
  backend_public  = true
  backend_size    = 200
  backend_term    = true
  backend_type    = "io1"
  ebs_optimized   = true
  frontend_flavor = "m4.large"
  frontend_iops   = 0
  frontend_public = true
  frontend_size   = 40
  frontend_term   = true
  frontend_type   = "gp2"
  tags_desc       = "Created using Terraform"
}
```
Defaults in the `ami_user` map:
Key | Value |
---|---|
centos7 | centos |
centos6 | centos |
ubuntu16 | ubuntu |
ubuntu14 | ubuntu |
ubuntu12 | ubuntu |
- `chef_manage_url`: URL of the chef server's management interface
- `chef_username`: Username for the chef user created
- `chef_user_password`: Password for the chef user created
- `knife_rb`: Path to the knife.rb file
You can view a runtime output sample here: tf_hachef_runtime.txt
Please understand that this is a work in progress and is subject to change rapidly. Be sure to keep up to date with the repo should you fork, and feel free to contact me regarding development and suggested direction. Familiarize yourself with the contributing guidelines before making/submitting changes.
Please refer to the CHANGELOG.md.
This is licensed under the Apache 2.0 license.