Add initial Molecule framework for Runtime, incl. CDW

Signed-off-by: Webster Mudge <wmudge@cloudera.com>

Author: wmudge

roles/runtime/molecule/README.md

@@ -0,0 +1,59 @@
+# Molecule Testing
+
+Each Molecule scenario represents a networking scheme, e.g. Level0. The default
+scheme is Level1, the public/private configuration.
+
+## Dependencies
+
+```bash
+pip install "molecule[lint]==3.4"
+```
+
+Molecule is configured to execute against `localhost` rather than against a
+provisioned `platform`. You will need to ensure that all Python and OS
+dependencies are installed, except for the Ansible collections and roles, which
+will be gathered during the `dependency` stage. 
+
+In short, set up a `cldr-runner` runtime environment without the Ansible
+collections and roles.
+
+NOTE: Molecule `3.5` has a bug that prevents the use of collections, so be sure
+to pin to `3.4` until this bug is fixed upstream.
+
+## Execution
+
+From within the `platform` role, execute:
+
+* `molecule prepare` to set up the Terraform cloud provider assets
+* `molecule converge` to run the `cloudera.exe.platform` role against these
+assets
+* `molecule cleanup` to tear down the `platform` role and Terraform assets
+* or `molecule test` to run the full lifecycle
+
+You can also use `reset` to remove all of the dependencies, e.g. collections, 
+from the Molecule cache, in order to start fresh.
+
+NOTE: To run other scenarios, i.e. Level0 networking, use the `-s` flag:
+`module test -s level0`.
+
+## Configuration
+
+The `molecule.yml` configuration file can accept the following environment
+variables:
+
+- `FOUNDRY_NAME_PREFIX`, the "primary key" for the CDP deployment. Defaults to 
+scenario-specific values.
+- `FOUNDRY_INFRA_TYPE`, targeted cloud provider. Defaults to `aws`.
+- `FOUNDRY_AWS_REGION`, the AWS region for deployment. Defaults to `us-east-2`.
+
+## SSH Access
+
+The Molecule scenarios create a temporary SSH key for each `prepare`-d run. The
+private key is saved to the ephemeral `deployment` directory within the scenerio
+parent directory. The SSH key is deleted from the cloud provider during
+`cleanup`.
+
+## Terraform
+
+The Molecule scenarios each create a Terraform state directory -- the 
+`deployment` directory within the scenario parent directory.

roles/runtime/molecule/default/collections.yml

@@ -0,0 +1,25 @@
+---
+roles: []
+
+collections:
+  - name: https://github.com/cloudera-labs/cloudera.cloud
+    type: git
+    version: devel
+  - name: https://github.com/cloudera-labs/cloudera.cluster
+    type: git
+    version: main
+  - amazon.aws
+  - ansible.netcommon
+  - ansible.posix
+  - azure.azcollection
+  - community.aws
+  - community.crypto
+  - community.general
+  - community.kubernetes
+  - community.mysql
+  - community.postgresql
+  - community.docker
+  - freeipa.ansible_freeipa
+  - google.cloud
+  - kubernetes.core
+  - netapp.azure

roles/runtime/molecule/default/molecule.yml

@@ -0,0 +1,81 @@
+---
+dependency:
+  name: galaxy
+  enabled: true
+  options:
+    force: false
+driver:
+  name: delegated
+  options:
+    managed: false
+    ansible_connection_options:
+      ansible_connection: local
+platforms:
+  - name: placeholder
+provisioner:
+  name: ansible
+  log: true
+  config_options:
+    defaults:
+      callback_whitelist: profile_tasks, timer, yaml
+      enable_task_debugger: true
+    ssh_connection:
+      pipelining: false
+  vvv: true
+  playbooks:
+    prepare: ../shared/prepare.yml
+    converge: ../shared/converge.yml
+    cleanup: ../shared/cleanup.yml
+  inventory:
+    host_vars:
+      localhost:
+        globals:
+          admin_password: "@NotSecure456!"
+          name_prefix: ${FOUNDRY_NAME_PREFIX:-r01}
+          infra_type: ${FOUNDRY_INFRA_TYPE:-aws}
+        infra:
+          vpc:
+            name: ${FOUNDRY_NAME_PREFIX:-r01}-test
+          storage:
+            name: ${FOUNDRY_NAME_PREFIX:-r01}-test
+          security_group:
+            knox:
+              name: ${FOUNDRY_NAME_PREFIX:-r01}-test-knox
+            default:
+              name: ${FOUNDRY_NAME_PREFIX:-r01}-test-default
+          aws:
+            region: ${FOUNDRY_AWS_REGION:-us-east-2}
+        env:
+          tunnel: yes                   # L1 Networking
+          public_endpoint_access: yes
+        dw:
+          force_delete: yes  # Non-force delete is inconsistent until we can filter 'compactor' VWs
+          tags:
+            project: "${FOUNDRY_NAME_PREFIX:-r01}-CDW-testing"
+          definitions:
+            - name: ${FOUNDRY_NAME_PREFIX:-r01}-empty
+            - virtual_warehouses:
+                - name: ${FOUNDRY_NAME_PREFIX:-r01}-dbc-default
+                - name: ${FOUNDRY_NAME_PREFIX:-r01}-dbc-hive
+                  type: hive
+                - name: ${FOUNDRY_NAME_PREFIX:-r01}-dbc-impala
+                  type: impala
+                - name: ${FOUNDRY_NAME_PREFIX:-r01}-dbc-autoscale
+                  autoscaling:
+                    min_nodes: 0  
+            - name: ${FOUNDRY_NAME_PREFIX:-r01}-named
+              virtual_warehouses:
+                - name: ${FOUNDRY_NAME_PREFIX:-r01}-named-default
+                - name: ${FOUNDRY_NAME_PREFIX:-r01}-named-hive
+                  type: hive
+                - name: ${FOUNDRY_NAME_PREFIX:-r01}-named-impala
+                  type: impala
+                - name: ${FOUNDRY_NAME_PREFIX:-r01}-named-autoscale
+                  autoscaling:
+                    min_nodes: 0
+verifier:
+  name: ansible
+lint: |
+  set -e
+  yamllint .
+  ansible-lint .

roles/runtime/molecule/default/requirements.yml

@@ -0,0 +1,2 @@
+---
+roles: []

roles/runtime/molecule/default/terraform/level1.tf

@@ -0,0 +1,81 @@
+terraform {
+  required_version = ">= 0.13"
+  required_providers {
+    aws = "~> 3.0"
+  }
+}
+
+provider "aws" {
+  region         = var.region
+  default_tags {
+    tags         = var.tags
+  }
+  ignore_tags {
+    keys         = ["kubernetes.io/role/internal-elb", "kubernetes.io/role/elb"]
+    key_prefixes = ["kubernetes.io/cluster/"]
+  }
+}
+
+data "aws_availability_zones" "available" {
+  state = "available"
+}
+
+module "vpc" {
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "3.2.0"
+
+  tags = var.tags
+
+  name = var.vpc_name
+  cidr = "10.10.0.0/16"
+  
+  enable_nat_gateway = true
+  igw_tags           = var.tags
+  nat_eip_tags       = var.tags
+  nat_gateway_tags   = var.tags
+
+  enable_dns_hostnames = true
+
+  # azs                      = [ "us-east-2a", "us-east-2b", "us-east-2c"]
+  azs                      = data.aws_availability_zones.available.names
+  public_subnets           = [ "10.10.0.0/19", "10.10.32.0/19", "10.10.64.0/19" ]
+  public_subnet_tags       = merge({ "kubernetes.io/role/elb" = "1" }, var.tags)
+  public_route_table_tags  = var.tags
+  private_subnets          = [ "10.10.96.0/19", "10.10.128.0/19", "10.10.160.0/19" ]
+  private_subnet_tags      = merge({ "kubernetes.io/role/internal-elb" = "1" }, var.tags)
+  private_route_table_tags = var.tags
+}
+
+module "default_sg" {
+  source = "terraform-aws-modules/security-group/aws"
+
+  name            = var.sg_names.default
+  use_name_prefix = false
+  description     = "Default for Molecule integration test. Namespace: ${var.name_prefix}"
+  vpc_id          = module.vpc.vpc_id
+
+  ingress_cidr_blocks      = [ module.vpc.vpc_cidr_block ]
+  ingress_rules            = [ "all-all" ]
+  ingress_with_cidr_blocks = var.extra_rules
+  ingress_with_self        = [ { rule = "all-all" } ]
+
+  egress_cidr_blocks = [ "0.0.0.0/0" ]
+  egress_rules       = [ "all-all" ]
+}
+
+module "knox_sg" {
+  source = "terraform-aws-modules/security-group/aws"
+
+  name            = var.sg_names.knox
+  use_name_prefix = false
+  description     = "Knox for Molecule integration test. Namespace: ${var.name_prefix}"
+  vpc_id          = module.vpc.vpc_id
+
+  ingress_cidr_blocks      = [ module.vpc.vpc_cidr_block ]
+  ingress_rules            = [ "all-all" ]
+  ingress_with_cidr_blocks = var.extra_rules
+  ingress_with_self        = [ { rule = "all-all" } ]
+
+  egress_cidr_blocks = [ "0.0.0.0/0" ]
+  egress_rules       = [ "all-all" ]
+}

roles/runtime/molecule/default/terraform/storage.tf

@@ -0,0 +1,37 @@
+module "s3_bucket" {
+  source = "terraform-aws-modules/s3-bucket/aws"
+
+  bucket        = var.s3_bucket_name
+  acl           = "private"
+  force_destroy = true
+}
+
+resource "aws_s3_bucket_object" "cml" {
+  bucket       = module.s3_bucket.s3_bucket_id
+  key          = "datasci/"
+  content_type = "application/x-directory"
+}
+
+resource "aws_s3_bucket_object" "cde" {
+  bucket       = module.s3_bucket.s3_bucket_id
+  key          = "dataeng/"
+  content_type = "application/x-directory"
+}
+
+resource "aws_s3_bucket_object" "log" {
+  bucket       = module.s3_bucket.s3_bucket_id
+  key          = "logs/"
+  content_type = "application/x-directory"
+}
+
+resource "aws_s3_bucket_object" "data" {
+  bucket       = module.s3_bucket.s3_bucket_id
+  key          = "data/"
+  content_type = "application/x-directory"
+}
+
+resource "aws_s3_bucket_object" "audit" {
+  bucket       = module.s3_bucket.s3_bucket_id
+  key          = "ranger/audit/"
+  content_type = "application/x-directory"
+}

roles/runtime/molecule/default/terraform/vars.tf

@@ -0,0 +1,38 @@
+variable "name_prefix" {
+  type = string
+  description = "An unique identifer"
+}
+
+variable "region" {
+  type = string
+  description = "AWS region name"
+}
+
+variable "vpc_name" {
+  type = string
+  description = "AWS VPC name"
+}
+
+variable "sg_names" {
+  type = object({
+    knox = string
+    default = string
+  })
+  description = "AWS Security Group names for Knox and Default"
+}
+
+variable "tags" {
+  type = map(string)
+  description = "Key-Value pairs of tags applied to AWS assets"
+}
+
+variable "extra_rules" {
+  type = list(map(any))
+  description = "A list of maps representing the additional rules added to the Knox and Default security groups"
+  default = []
+}
+
+variable "s3_bucket_name" {
+  type = string
+  description = "AWS S3 bucket name for logs, audit, and data (all-in-one)"
+}

roles/runtime/molecule/default/verify.yml

@@ -0,0 +1,10 @@
+---
+# This is an example playbook to execute Ansible tests.
+
+- name: Verify
+  hosts: all
+  gather_facts: false
+  tasks:
+  - name: Example assertion
+    assert:
+      that: true

roles/runtime/molecule/level0/collections.yml

@@ -0,0 +1,24 @@
+---
+
+collections:
+  - name: https://github.com/cloudera-labs/cloudera.cloud
+    type: git
+    version: devel
+  - name: https://github.com/cloudera-labs/cloudera.cluster
+    type: git
+    version: main
+  - amazon.aws
+  - ansible.netcommon
+  - ansible.posix
+  - azure.azcollection
+  - community.aws
+  - community.crypto
+  - community.general
+  - community.kubernetes
+  - community.mysql
+  - community.postgresql
+  - community.docker
+  - freeipa.ansible_freeipa
+  - google.cloud
+  - kubernetes.core
+  - netapp.azure