Use different variables for TF_VERSION and TF_REQUIRED_VERSION, allow…

…ing to use hashicorp/terraform:light image.

Upgraded to Kubernetes v1.7.1.
In user-data template, do not use depends_on which always causes lauch configuration change; Use attribute id for a
workaround. See hashicorp/terraform#15491.

Makefile

@@ -107,7 +107,7 @@ teardown:
 destroy-all: plan-destroy-all	## Destroy all resources
 	@rm -f /tmp/destroy_plan
 	@$(foreach resource,$(ALL_RESOURCES),cd $(ROOT_DIR)/resources/$(resource) && $(MAKE) show-destroy-plan >> /tmp/destroy_plan;)
-	@cat /tmp/destroy_plan | grep -v data.terraform
+	@cat /tmp/destroy_plan | grep -v data.terraform | grep -v data.aws
 	@echo ""
 	@echo "Will destroy these resources. Please confirm."
 	@$(MAKE) confirm

README.md

@@ -19,14 +19,14 @@ This implementation presents one of the opportunities for anyone who are interes
 
 ## Features
 
-* Kubernetes v1.6.6, Docker engine 1.12.6
+* Kubernetes v1.7.1, Docker engine 1.12.6
 * RBAC authorization mode enabled by default
 * AWS provider integration (ELB,EBS)
-* Terraform 0.9.3 (can be defined in env), which runs as a container to make sure the team uses the same version.
+* Terraform hashicorp/terraform:light (can be defined in `env.sh`), which runs as a container to make sure the team uses the same version.
 * Terraform remote state on S3 storage
 * Autoscaling group for each etcd2, master, node, and vault cluster for higher availability
 * CoreOS for self-upgrade/patching management
-* [Hashicorp Vault 0.6.5](https://www.vaultproject.io/) service with PKI mount to manage Kubernetes certificates, i.e. create and renew automatically.
+* [Hashicorp Vault 0.7.3](https://www.vaultproject.io/) service with PKI mount to manage Kubernetes certificates, i.e. create and renew automatically.
 * Using separated CA/Certs for secure communications between Kubernetes components
 * Add-ons installed:
   * kubedns

docs/00-run-book.md

@@ -95,7 +95,7 @@ Read Kubernetes release notes to make necessary configuration changes. Ideally u
 * Edit envs.sh file to change the version of Kubernetes, as shown in bellow example:
 
 ```
-export TF_VAR_kube_version="v1.6.6"
+export TF_VAR_kube_version="v1.7.1"
 ```
 
 * Update systemd install-kubernetes unit
@@ -125,7 +125,7 @@ $ /opt/bin/kubectl version
 
 ```
 # Vault release: restart vault service if changed
-export TF_VAR_vault_release=0.7.0
+export TF_VAR_vault_release=0.7.3
 ```
 
 * Change vault's configuration and restart vault

envs.sh.sample

@@ -52,7 +52,7 @@ export TF_VAR_instance_type=t2.medium
 # clash with kubernetes "cluster.local"
 export TF_VAR_cluster_internal_zone="cluster.internal"
 export TF_VAR_kube_api_dnsname=${KUBE_API_DNSNAME}
-export TF_VAR_kube_version="v1.6.6"
+export TF_VAR_kube_version="v1.7.1"
 
 # Terraform remote state bucket name, defined as ${AWS_ACCOUNT}-${CLUSTER_NAME}-terraform
 # in /resources/common/common.mk.

resources/common/common.mk

@@ -28,7 +28,6 @@ TF_VAR_build_dir := /build
 TF_VAR_artifacts_dir := ${TF_VAR_build_dir}/artifacts
 TF_VAR_secrets_path := ${TF_VAR_artifacts_dir}/secrets
 
-TF_VERSION := 0.9.6
 TF_IMAGE := hashicorp/terraform:${TF_VERSION}
 TF_CMD := docker run -i --rm --env-file=${BUILD_DIR}/tf.env \
 		-v=${HOME}/.aws:/root/.aws \
@@ -143,7 +142,7 @@ create-key: ## create AWS keypair for this module
 destroy-key: ## destroy AWS keypair for this module
 	../scripts/aws-keypair.sh -d $(CLUSTER_NAME)-${MODULE};
 
-remote-ssh: open-ssh ## Run remote ssh 
+remote-ssh: open-ssh ## Run remote ssh
 	@$(MAKE) get-ips
 	@echo "For all systemd logs, run ssh core@<ip> journalctl -f "
 	@echo "For a secific service, run ssh core@<ip> journalctl -f -u <kube-apiserver>|kube-controller-manager|kubelet|kube-proxy"

resources/common/common.tf

@@ -115,7 +115,7 @@ variable "kubelet_token" {
 }
 # Kubernetes version
 variable "kube_version" {
-    default = "v1.6.6"
+    default = "v1.7.1"
 }
 
 # Sensitive data

resources/etcd/tf/main.tf

@@ -36,15 +36,14 @@ module "etcd" {
 data "template_file" "user_data" {
     template = "${file("${var.artifacts_dir}/user-data-s3-bootstrap.sh")}"
 
-    # explicitly wait for these configurations to be uploaded to s3 buckets
-    depends_on = [ "aws_s3_bucket_object.etcd_cloud_config" ]
-
     vars {
         "AWS_ACCOUNT" = "${var.aws_account["id"]}"
         "CLUSTER_NAME" = "${var.cluster_name}"
         "CONFIG_BUCKET" = "${var.aws_account["id"]}-${var.cluster_name}-config"
         "MODULE_NAME" = "${var.module_name}"
         "CUSTOM_TAG" = "${var.module_name}"
+        # Make sure cloud_config bucket is created first
+        "CLOUD_CONFIG_BUCKET" = "${aws_s3_bucket_object.etcd_cloud_config.id}"
     }
 }
 

resources/master/tf/main.tf

@@ -46,16 +46,17 @@ resource "aws_autoscaling_attachment" "asg_attachment_master_private" {
 # First bootstrap script, same for all modules
 data "template_file" "user_data" {
     template = "${file("${var.artifacts_dir}/user-data-s3-bootstrap.sh")}"
-
-    # explicitly wait for these configurations to be uploaded to s3 buckets
-    depends_on = ["aws_s3_bucket_object.envvars",
-                  "aws_s3_bucket_object.master_cloud_config"]
+
     vars {
         "AWS_ACCOUNT" = "${var.aws_account["id"]}"
         "CLUSTER_NAME" = "${var.cluster_name}"
         "CONFIG_BUCKET" = "${var.aws_account["id"]}-${var.cluster_name}-config"
         "MODULE_NAME" = "${var.module_name}"
         "CUSTOM_TAG" = "${var.module_name}"
+        # Implicitly wait for the below buckets to be ready. Cannot use depends_on
+       # See https://github.com/hashicorp/terraform/issues/15491
+        "ENVVARS_BUCKET" = "${aws_s3_bucket_object.envvars.id}"
+        "CLOUD_CONFIG_BUCKET" = "${aws_s3_bucket_object.master_cloud_config.id}"
     }
 }
 

resources/node/tf/main.tf

@@ -33,16 +33,19 @@ data "template_file" "user_data" {
     template = "${file("${var.artifacts_dir}/user-data-s3-bootstrap.sh")}"
 
     # explicitly wait for these configurations to be uploaded to s3 buckets
-    depends_on = [ "aws_s3_bucket_object.envvars",
-                   "aws_s3_bucket_object.node_cloud_config",
-                   "aws_s3_bucket_object.kubelet-kubeconfig",
-                   "aws_s3_bucket_object.kube-proxy-kubeconfig" ]
+
     vars {
         "AWS_ACCOUNT" = "${var.aws_account["id"]}"
         "CLUSTER_NAME" = "${var.cluster_name}"
         "CONFIG_BUCKET" = "${var.aws_account["id"]}-${var.cluster_name}-config"
         "MODULE_NAME" = "${var.module_name}"
         "CUSTOM_TAG" = "${var.module_name}"
+        # Implicitly wait for the below buckets to be ready. Cannot use depends_on
+       # See https://github.com/hashicorp/terraform/issues/15491
+       "ENVVARS_BUCKET" = "${aws_s3_bucket_object.envvars.id}"
+       "CLOUD_CONFIG_BUCKET" = "${aws_s3_bucket_object.node_cloud_config.id}"
+       "KUBECONFIG_BUCKET" = "${aws_s3_bucket_object.kubelet-kubeconfig.id}"
+       "KUBE_PROXY_BUCKET" = "${aws_s3_bucket_object.kube-proxy-kubeconfig.id}"
     }
 }
 

resources/scripts/gen-provider.sh

@@ -7,8 +7,8 @@ TF_REMOTE_STATE_BUCKET=${TF_REMOTE_STATE_BUCKET%%\"}
 TF_REMOTE_STATE_BUCKET=${TF_REMOTE_STATE_BUCKET##\"}
 TF_REMOTE_STATE_PATH=${TF_REMOTE_STATE_PATH%%\"}
 TF_REMOTE_STATE_PATH=${TF_REMOTE_STATE_PATH##\"}
-TF_VERSION=${TF_VERSION%%\"}
-TF_VERSION=${TF_VERSION##\"}
+TF_REQUIRED_VERSION=${TF_REQUIRED_VERSION%%\"}
+TF_REQUIRED_VERSION=${TF_REQUIRED_VERSION##\"}
 TF_REMOTE_STATE_REGION=${TF_REMOTE_STATE_REGION%%\"}
 TF_REMOTE_STATE_REGION=${TF_REMOTE_STATE_REGION##\"}
 AWS_PROFILE=${AWS_PROFILE%%\"}
@@ -27,7 +27,7 @@ ALLOW_SSH_CIDR="$(curl -s http://ipinfo.io/ip)/32"
 cat <<EOF
 # Generated by scripts/gen-provider.sh
 terraform {
-  required_version = "${TF_VERSION}"
+  required_version = "${TF_REQUIRED_VERSION}"
   backend "s3" {
     bucket = "${TF_REMOTE_STATE_BUCKET}"
     key    = "${TF_REMOTE_STATE_PATH}"