Draft: [New config] Terraform resources (#23)

* [feat/tf] added initial files for terraform

* [feat/terraform] fixed variables to initial deployment

* [feat/terraform] added new patch for unifi resources

* [feat/terraform] added initial Vault module to Terraform

* [feat/terraform] updated terraform module to include vars

* [feat/terraform] updpated terraform vault-related module

* [misc] fixed commands for task files

* [feat/terraform] removed README terraform-docs on index

* Update kustomization.yaml

* [feat/terraform] added secret files to gitignore

* [feat/terraform] additional cmds to tf taskfile

* [feat/terraform] minor fix to vault secret creation

* [feat/terraform] fixes and improvements  unifi module

* [feat/terraform] fix for terraform backend config

* [feat/terraform] fix tf files endline

* [feat/terraform] updated docs

* [feat/terraform] fix endline tf file

* [feat/terraform] fix endline tf file

.gitignore

@@ -22,6 +22,14 @@ terraform/override.tf.json
 *_override.tf.json
 terraform/.terraformrc
 terraform/terraform.rc
+terraform/**/.terraform.lock.hcl
+terraform/**/*.terraform
+terraform/**/*.out
+terraform/**/.terraform
+terraform/**/*.tfvars
+terraform/**/terraform.tfstate
+terraform/**/terraform.tfstate.backup
+
 config/tls/base/tls-secret.yaml
 .vscode
 .vscode/*
@@ -33,9 +41,10 @@ config/tls/base/tls-secret.yaml
 terraform/.terraform.lock.hcl
 terraform/terraform/*.terraform
 terraform/*.out
+terraform/.terraform
+terraform/unifi/users.csv
 .env
 nohup.out
-terraform/secrets/*
 !terraform/secrets/.gitkeep
 
 postgres/*
@@ -54,8 +63,11 @@ apps/prometheus/kube-prometheus/*
 apps/kwatch/*
 !apps/kwatch/.gitkeep
 apps/argocd/base/secrets/*.yaml
-config/storage/*
-!config/storage/.gitkeep
+test/storage/*
+!test/storage/.gitkeep
+terraform/vault/secrets/*
+!terraform/vault/secrets/test/example.json
+terraform/**/secrets.json
 
 # k3s config files
 config/k3s/*.yaml

README.md

@@ -269,3 +269,17 @@
 [rsshub-badge]: https://img.shields.io/static/v1?label=No&message=version%20provided&color=gray&labelColor=gray&style=flat-square
 [mango-badge]: https://img.shields.io/github/v/release/getmango/mango?label=Github&logo=github&style=flat-square
 [jellyfin-badge]: https://img.shields.io/github/v/release/jellyfin/jellyfin?label=Github&logo=github&style=flat-square
+
+<!-- BEGIN_TF_DOCS -->
+### Modules
+
+No modules.
+
+### Inputs
+
+No inputs.
+
+### Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->

Taskfile.yml

@@ -9,6 +9,7 @@ includes:
   vault: ./tasks/vault.yaml
   drone: ./tasks/drone.yaml
   vultr: ./tasks/vultr.yaml
+  tf: ./tasks/terraform.yaml
   secrets: ./tasks/secrets.yaml
   longhorn: ./tasks/longhorn.yaml
   cluster: ./tasks/cluster.yaml
@@ -64,6 +65,15 @@ tasks:
     cmds:
       - yamllint -c ./.yamllint .
 
+  docs:gen:
+    preconditions:
+      - sh: 'which terraform-docs'
+        msg: 'terraform-docs {{.PATH_ERROR}}'
+    dir: terraform
+    desc: Build documentation using Terraform-docs
+    cmds:
+      - terraform-docs markdown -c .terraform-docs.yaml . --output-file README.md
+
   local:
     desc: local-path storage
     preconditions:

apps/argocd/kustomization.yaml

@@ -13,7 +13,7 @@ resources:
 - base/core/zalando.yaml
 - base/core/redis.yaml
 - base/core/longhorn.yaml
-- base/core/storage.yaml
+#- base/core/storage.yaml
 # - base/core/router.yaml
 
 - base/utilities/reloader.yaml
@@ -77,7 +77,7 @@ patches:
     - op: replace
       path: "/spec/template/spec/containers/0/env/2"
       value:
-        name: TS_HOSTNAME
+        name: TS_HOSTNAME 
         value: "argocd"
     - op: replace
       path: "/spec/template/spec/containers/0/env/3"
@@ -98,14 +98,14 @@ patches:
     - op: add
       path: "/spec/template/spec/nodeSelector"
       value:
-        kubernetes.io/hostname: node-two
+        kubernetes.io/hostname: node-one
   target:
     kind: Deployment
 - patch: |-
     - op: add
       path: "/spec/template/spec/nodeSelector"
       value:
-        kubernetes.io/hostname: node-two
+        kubernetes.io/hostname: node-one
   target:
     kind: StatefulSet
 - patch: |-

tasks/cluster.yaml

@@ -36,6 +36,22 @@ tasks:
         --resolv-conf "{{.RESOLV_FILE}}"
     ignore_error: true
 
+  dns:update:
+    cmds:
+      - |
+        kubectl get cm -n kube-system kubelet-config -o=json | \
+        jq 'del(.metadata.resourceVersion,.metadata.uid,.metadata.selfLink,.metadata.creationTimestamp,.metadata.annotations,.metadata.generation,.metadata.ownerReferences,.status)' | \
+        sed -E 's#resolvConf: [^\n ]*\\n#resolvConf: /etc/kubeadm-resolv.conf\\n#' | \
+        kubectl replace -f -
+    ignore_error: true
+
+  dns:restart:
+    cmds:
+      - kubectl -n kube-system rollout restart daemonset/kube-proxy
+      - kubectl get pod -n kube-system -l k8s-app=kube-dns --no-headers | awk '{print $1}' | xargs -I{} kubectl delete pod -n kube-system {}
+      - kubectl wait deployment -n kube-system coredns --for condition=Available=True --timeout=90s
+      - kubectl logs deployment/coredns -n kube-system -f
+    ignore_error: true
 
   # Debian fix
   # https://docs.k3s.io/advanced#additional-os-preparations
@@ -77,4 +93,4 @@ tasks:
           - local-storage
           - metrics-server
         EOF
-    ignore_error: true
+    ignore_error: true

tasks/terraform.yaml

@@ -0,0 +1,39 @@
+version: '3'
+vars:
+  CYAN: tput setaf 6
+  RED: tput setaf 1
+  YELLOW: tput setaf 3
+  GREEN: tput setaf 2
+  BLUE: tput setaf 1
+  PURPLE: tput setaf 5
+  BG_B: tput setab 0
+  BOLD: tput bold
+  RESET: tput sgr0
+  CLEAR: tput reset
+  PATH_ERROR: is not installed or correctly configured in PATH.
+
+silent: true
+
+tasks:
+  init:
+    dir: terraform
+    cmds:
+      - terraform init
+  plan:
+    dir: terraform
+    cmds:
+      - terraform plan
+  apply:
+    dir: terraform
+    cmds:
+      - terraform apply -auto-approve
+  destroy:
+    dir: terraform
+    cmds:
+      - terraform destroy -auto-approve
+
+  docs:
+    cmds:
+      - terraform-docs markdown -c ./terraform/.terraform-docs.yaml . --output-file README.md
+      - terraform-docs markdown -c ./terraform/.terraform-docs.yaml ./terraform/modules/vault --output-file README.md
+      - terraform-docs markdown -c ./terraform/.terraform-docs.yaml ./terraform/modules/unifi --output-file README.md

tasks/vault.yaml

@@ -14,7 +14,6 @@ vars:
 silent: true
 
 env:
-  VAULT_ADDR: "https://vault.k8s.localhost"
   VAULT_SKIP_VERIFY: "true"
 
 tasks:
@@ -51,7 +50,7 @@ tasks:
     dir: apps/argocd/overlay
     cmds:
       - kubectl config set-context --current --namespace=vault --cluster=k3d-demo
-      - kubectl exec vault-argocd-0 -- vault operator init -key-shares=1 -key-threshold=1 -format=json > cluster-keys.json
+      - kubectl exec vault-0 -- vault operator init -key-shares=1 -key-threshold=1 -format=json > cluster-keys.json
       - task: highlight_normal
       - echo -e "\nVault's Unseal Key:"
       - task: reset
@@ -137,17 +136,17 @@ tasks:
       - |
         cat << EOF > apps/argocd/base/argocd-vault.yaml
         apiVersion: v1
-        data:
+        stringData:
           VAULT_ADDR: $VAULT_ADDR
           VAULT_TOKEN: {{.VAULT_TOKEN}}
           AVP_AUTH_TYPE: token
-          AVP_TYPE: token
+          AVP_TYPE: vault
         kind: Secret
         metadata:
           name: vault-configuration
           namespace: argocd
         type: Opaque
         EOF
-      - kubectl apply -f apps/argocd/base/argocd-vault.yaml --ignore-not-found --grace-period=0
+      - kubectl apply -f apps/argocd/base/argocd-vault.yaml --grace-period=0
       - rm apps/argocd/base/argocd-vault.yaml
     ignore_error: true

terraform/.terraform-docs.yaml

@@ -0,0 +1,29 @@
+formatter: markdown
+
+sections:
+  show:
+    - inputs
+    - outputs
+    - modules
+
+output:
+  file: README.md
+  mode: inject
+  template: |-
+    <!-- BEGIN_TF_DOCS -->
+    {{ .Content }}
+    <!-- END_TF_DOCS -->
+sort:
+  enabled: true
+  by: name
+
+settings:
+  anchor: false
+  indent: 3
+  color: true
+  html: true
+  escape: true
+  default: true
+  required: false
+  type: true
+  sensitive: true

terraform/README.md

@@ -0,0 +1,43 @@
+# Terraform
+
+### Providers
+
+> - hashicorp/vault
+> - paultyng/unifi
+
+---
+
+<details>
+  <summary>
+   <b>Variable and resources documentation</b>
+  </summary>
+
+---
+<!-- BEGIN_TF_DOCS -->
+### Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| unifi | ./unifi | n/a |
+
+### Inputs
+
+| Name | Description | Type | Default |
+|------|-------------|------|---------|
+| unifi\_api\_url | <sub>Provides a connection URI to bridge Terraform with Unifi's controller. [Reference](https://registry.terraform.io/providers/paultyng/unifi/latest/docs#api_url)</sub> | `string` | `""` |
+| unifi\_insecure | <sub>Skip TLS verification when trying to access the API. [Reference](https://registry.terraform.io/providers/paultyng/unifi/latest/docs#allow_insecure)</sub> | `string` | `""` |
+| unifi\_password | <sub>Providers a password for your Unifi controller. [Reference](https://registry.terraform.io/providers/paultyng/unifi/latest/docs#password)</sub> | `string` | `""` |
+| unifi\_site\_name | n/a | `string` | `"main"` |
+| unifi\_upstream\_dns | <sub>Skip TLS verification when trying to access the API. [Reference](https://registry.terraform.io/providers/paultyng/unifi/latest/docs#allow_insecure)</sub> | `list` | <pre>[<br>  "8.8.8.8",<br>  "1.1.1.1"<br>]</pre> |
+| unifi\_username | <sub>Provides a username for your Unifi controller. [Reference](https://registry.terraform.io/providers/paultyng/unifi/latest/docs#username).</sub> | `string` | `"example"` |
+| vault\_github\_org | <sub>[Provide a Github organization name to authorize users inside Vault.](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/github_auth_backend#organization)</sub> | `string` | `"takeru-org"` |
+| vault\_password | <sub>Vault password for the main user, used for login purposes.</sub> | `string` | `""` |
+| vault\_path | <sub>Vault password for the main user, used for login purposes.</sub> | `string` | `""` |
+| vault\_userdata | <sub>Mock variable required by Vault userpass login method.</sub> | `any` | n/a |
+| vault\_username | <sub>Vault plaintext username to login.</sub> | `string` | `"gruber"` |
+
+### Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->
+</details>

terraform/main.tf

@@ -0,0 +1,30 @@
+module "unifi" {
+  source         = "./modules/unifi"
+  site_name      = var.unifi_site_name
+  admin_username = var.unifi_username
+  admin_password = var.unifi_password
+  api_url        = var.unifi_api_url
+  controller_sec = var.unifi_insecure
+  upstream_dns   = var.unifi_upstream_dns
+}
+
+resource "unifi_network" "vlan" {
+  name               = "main"
+  purpose            = "corporate"
+  subnet             = "192.168.1.0/24"
+  dhcp_start         = "192.168.1.6"
+  dhcp_stop          = "192.168.1.254"
+  dhcp_enabled       = true
+  dhcp_relay_enabled = false
+  network_group      = "LAN"
+  site               = module.unifi.site_id
+  dhcp_dns           = var.unifi_upstream_dns
+}
+
+module "vault" {
+  source         = "./modules/vault"
+  api_url        = var.vault_api_url
+  root_token     = var.vault_token
+  admin_username = var.vault_username
+  admin_password = var.vault_password
+}

terraform/modules/unifi/README.md

@@ -0,0 +1,30 @@
+
+<details>
+  <summary>
+   <b>Module documentation</b>
+  </summary>
+
+---
+<!-- BEGIN_TF_DOCS -->
+### Modules
+
+No modules.
+
+### Inputs
+
+| Name | Description | Type | Default |
+|------|-------------|------|---------|
+| admin\_password | <sub>Providers a password for your Unifi controller. [Reference](https://registry.terraform.io/providers/paultyng/unifi/latest/docs#password)</sub> | `string` | `""` |
+| admin\_username | <sub>Provides a username for your Unifi controller. [Reference](https://registry.terraform.io/providers/paultyng/unifi/latest/docs#username).</sub> | `string` | `"example"` |
+| api\_url | <sub>Provides a connection URI to bridge Terraform with Unifi's controller. [Reference](https://registry.terraform.io/providers/paultyng/unifi/latest/docs#api_url)</sub> | `string` | `""` |
+| controller\_sec | <sub>Skip TLS verification when trying to access the API. [Reference](https://registry.terraform.io/providers/paultyng/unifi/latest/docs#allow_insecure)</sub> | `string` | `""` |
+| site\_name | <sub>Defines [a name for your controller](https://registry.terraform.io/providers/paultyng/unifi/latest/docs/resources/site#name) site name.</sub> | `string` | `"main"` |
+| upstream\_dns | <sub>Skip TLS verification when trying to access the API. [Reference](https://registry.terraform.io/providers/paultyng/unifi/latest/docs#allow_insecure)</sub> | `list` | <pre>[<br>  "8.8.8.8",<br>  "1.1.1.1"<br>]</pre> |
+
+### Outputs
+
+| Name | Description |
+|------|-------------|
+| site\_id | n/a |
+<!-- END_TF_DOCS -->
+</details>

terraform/modules/unifi/main.tf

@@ -0,0 +1,8 @@
+# locals {
+#   userscsv = csvdecode(file("${path.module}/users.csv"))
+#   users    = { for user in local.userscsv : user.mac => user }
+# }
+
+resource "unifi_site" "homelab" {
+  description = "Main site"
+}

terraform/modules/unifi/networks.tf

@@ -0,0 +1,9 @@
+resource "unifi_network" "wan" {
+  name    = "simDigital"
+  purpose = "wan"
+
+  wan_networkgroup = "WAN"
+  wan_type         = "dhcp"
+  site             = unifi_site.homelab.name
+  wan_dns          = var.upstream_dns
+}

terraform/modules/unifi/outputs.tf

@@ -0,0 +1,3 @@
+output "site_id" {
+  value = unifi_site.homelab.name
+}