From 4f22be17096ca3d28da435f2bbe0d3700782072c Mon Sep 17 00:00:00 2001 From: shai Date: Thu, 22 Feb 2024 18:37:34 +0200 Subject: [PATCH 1/9] merging changes from previous branch --- .gitignore | 3 +- assets/scripts/bootstrap.sh | 18 +-- assets/scripts/client.sh | 6 +- assets/scripts/common/config-clients.sh | 111 +++--------------- assets/scripts/common/config-cluster.sh | 35 +++--- assets/scripts/common/config-es.sh | 13 +- assets/scripts/data.sh | 6 +- assets/scripts/gcp/autoattach-disk.sh | 2 +- assets/scripts/gcp/config-bootstrap-node.sh | 9 +- assets/scripts/gcp/config-es-discovery.sh | 3 +- assets/scripts/master.sh | 6 +- assets/scripts/singlenode.sh | 6 +- packer/README.md | 8 +- ...r.json => elasticsearch8-node.packer.json} | 15 ++- ...icsearch7.sh => install-elasticsearch8.sh} | 4 +- packer/install-grafana.sh | 8 -- ...{install-kibana7.sh => install-kibana8.sh} | 0 ...e.packer.json => kibana8-node.packer.json} | 21 ++-- templates/aws_user_data.sh | 5 +- templates/gcp_user_data.sh | 6 + terraform-aws/alb.tf | 3 +- terraform-aws/ami.tf | 1 - terraform-aws/main.tf | 22 +++- terraform-aws/variables.tf | 8 +- terraform-aws/vpc.tf | 15 ++- terraform-gcp/client.tf | 2 +- terraform-gcp/image.tf | 4 +- terraform-gcp/main.tf | 37 +++++- terraform-gcp/variables.tf | 10 ++ 29 files changed, 182 insertions(+), 205 deletions(-) rename packer/{elasticsearch7-node.packer.json => elasticsearch8-node.packer.json} (86%) rename packer/{install-elasticsearch7.sh => install-elasticsearch8.sh} (84%) delete mode 100755 packer/install-grafana.sh rename packer/{install-kibana7.sh => install-kibana8.sh} (100%) rename packer/{kibana7-node.packer.json => kibana8-node.packer.json} (76%) diff --git a/.gitignore b/.gitignore index d337924..b4caa37 100644 --- a/.gitignore +++ b/.gitignore @@ -7,4 +7,5 @@ terraform.tfvars .gcp* cluster_bootstrap_state gcp-account.json -*.iml \ No newline at end of file +*.iml +id_rsa.pub 
diff --git a/assets/scripts/bootstrap.sh b/assets/scripts/bootstrap.sh index 0ebe114..34e2d0e 100644 --- a/assets/scripts/bootstrap.sh +++ b/assets/scripts/bootstrap.sh @@ -10,9 +10,7 @@ set +e /opt/cloud-deploy-scripts/$cloud_provider/config-es-discovery.sh cat <<'EOF' >>/etc/elasticsearch/elasticsearch.yml -node.master: true -node.data: false -node.ingest: false +node.roles: [ master ] EOF # add bootstrap.password to the keystore, so that config-cluster scripts can run @@ -26,20 +24,14 @@ systemctl daemon-reload systemctl enable elasticsearch.service systemctl start elasticsearch.service +set -e /opt/cloud-deploy-scripts/common/config-cluster.sh -/opt/cloud-deploy-scripts/$cloud_provider/config-cluster.sh +set +e -while true -do - HEALTH="$(curl $CURL_AUTH --silent -k "$ES_HOST/_cluster/health" | jq -r '.status')" - if [ "$HEALTH" == "green" ]; then - break - fi - sleep 5 -done +/opt/cloud-deploy-scripts/$cloud_provider/config-cluster.sh if [ "$cloud_provider" == "aws" ]; then shutdown -h now elif [ "$cloud_provider" == "gcp" ]; then gcloud compute instances delete $HOSTNAME --zone $GCP_ZONE --quiet -fi \ No newline at end of file +fi diff --git a/assets/scripts/client.sh b/assets/scripts/client.sh index e05428f..4b88c9b 100644 --- a/assets/scripts/client.sh +++ b/assets/scripts/client.sh @@ -15,9 +15,7 @@ fi /opt/cloud-deploy-scripts/$cloud_provider/config-es-discovery.sh cat <<'EOF' >>/etc/elasticsearch/elasticsearch.yml -node.master: false -node.data: false -node.ingest: false +node.roles: [] EOF # Start Elasticsearch @@ -25,4 +23,4 @@ systemctl daemon-reload systemctl enable elasticsearch.service systemctl start elasticsearch.service -/opt/cloud-deploy-scripts/common/config-clients.sh \ No newline at end of file +/opt/cloud-deploy-scripts/common/config-clients.sh diff --git a/assets/scripts/common/config-clients.sh b/assets/scripts/common/config-clients.sh index 1db0c55..b8df81f 100644 --- a/assets/scripts/common/config-clients.sh 
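Review bot: Once `set +e` is restored, a failure of `/opt/cloud-deploy-scripts/$cloud_provider/config-cluster.sh` is ignored and the bootstrap node still runs `shutdown -h now` or `gcloud compute instances delete`, so the only host holding the evidence of a failed bootstrap removes itself. The new `set -e` guards the common config-cluster.sh run only, which makes a cloud-specific failure indistinguishable from success after the node is gone. Checking the status and keeping the node around on failure is a one-line change: `/opt/cloud-deploy-scripts/$cloud_provider/config-cluster.sh || { echo "provider config-cluster failed, leaving node for inspection"; exit 1; }`. Whether the provider script is meant to be best-effort is not visible from this hunk.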
+++ b/assets/scripts/common/config-clients.sh 
@@ -6,63 +6,9 @@ # - BIND_TO_ALL # - ES_HOST # - CURL_AUTH - - -function setup_grafana_dashboard() { - GRAFANA_BASIC_AUTH="" - if [ "$security_enabled" == "true" ]; then - GRAFANA_BASIC_AUTH=" --user $client_user:$client_pwd " - fi - - while true; do - echo "Waiting for grafana to become available..." - if curl $GRAFANA_BASIC_AUTH --output /dev/null --fail http://localhost:3000; then break; fi - sleep 5 - done - - cat <>/tmp/grafana-datasource.json -{ - "name": "Elasticsearch Monitor", - "type": "elasticsearch", - "typeLogoUrl": "public/app/plugins/datasource/elasticsearch/img/elasticsearch.svg", - "access": "proxy", - "url": "$ES_HOST", - "password": "", - "user": "", - "database": "[.monitoring-es-*-]YYYY.MM.DD", - "isDefault": true, - "jsonData": { - "esVersion": 70, - "interval": "Daily", - "logLevelField": "", - "logMessageField": "", - "maxConcurrentShardRequests": 5, - "timeField": "timestamp" - }, - "readOnly": false, -EOF - - if [ "$security_enabled" == "true" ]; then - cat <>/tmp/grafana-datasource.json - "basicAuth": true, - "basicAuthUser": "$client_user", - "secureJsonData": { "basicAuthPassword": "$client_pwd" } -} -EOF - else - echo '"basicAuth": false }' >> /tmp/grafana-datasource.json; - fi - - curl $GRAFANA_BASIC_AUTH -XPOST -H 'Content-Type: application/json' localhost:3000/api/datasources -d @/tmp/grafana-datasource.json - rm /tmp/grafana-datasource.json - - if [ -f /opt/grafana-dashboard.json ]; then - echo '{ "meta": {"isStarred": true}, "dashboard":' > /tmp/grafana-dashboard.json - cat /opt/grafana-dashboard.json | jq -r 'del(.uid) | del(.id)' >> /tmp/grafana-dashboard.json - echo '}' >> /tmp/grafana-dashboard.json - curl $GRAFANA_BASIC_AUTH -XPOST -H 'Content-Type: application/json' localhost:3000/api/dashboards/db -d @/tmp/grafana-dashboard.json - fi -} +# security_encryption_key +# reporting_encryption_key +# saved_objects_encryption_key # Setup x-pack security also on Kibana configs where applicable if [ -f "/etc/kibana/kibana.yml" ]; 
then 
@@ -72,51 +18,26 @@ if [ -f "/etc/kibana/kibana.yml" ]; then else echo "server.host: $(hostname -i)" | sudo tee -a /etc/kibana/kibana.yml fi + echo "monitoring.enabled: $monitoring_enabled" | sudo tee -a /etc/kibana/kibana.yml + echo "monitoring.kibana.collection.enabled: $monitoring_enabled" | sudo tee -a /etc/kibana/kibana.yml + + if [ ! -z "$security_encryption_key" ]; then + echo "$security_encryption_key" | /usr/share/kibana/bin/kibana-keystore add --stdin xpack.security.encryptionKey + fi + if [ ! -z "$reporting_encryption_key" ]; then + echo "$reporting_encryption_key" | /usr/share/kibana/bin/kibana-keystore add --stdin xpack.reporting.encryptionKey + fi + if [ ! -z "$saved_objects_encryption_key" ]; then + echo "$saved_objects_encryption_key" | /usr/share/kibana/bin/kibana-keystore add --stdin xpack.encryptedSavedObjects.encryptionKey + fi - echo "xpack.security.enabled: $security_enabled" | sudo tee -a /etc/kibana/kibana.yml - echo "xpack.monitoring.enabled: $monitoring_enabled" | sudo tee -a /etc/kibana/kibana.yml if [ "$security_enabled" == "true" ]; then echo "elasticsearch.username: \"kibana\"" | sudo tee -a /etc/kibana/kibana.yml - echo "elasticsearch.password: \"$client_pwd\"" | sudo tee -a /etc/kibana/kibana.yml + echo "${client_pwd}" | /usr/share/kibana/bin/kibana-keystore add --stdin elasticsearch.password fi systemctl daemon-reload systemctl enable kibana.service sudo service kibana restart fi - -if [ -f "/etc/grafana/grafana.ini" ]; then - sudo rm /etc/grafana/grafana.ini - - if [ "$security_enabled" == "true" ]; then - cat <>/etc/grafana/grafana.ini -[security] -admin_user = $client_user -admin_password = $client_pwd -EOF - else - cat <>/etc/grafana/grafana.ini -[auth.anonymous] -enabled = true -org_name = Main Org. 
-org_role = Admin -EOF - fi - - sudo /bin/systemctl daemon-reload - sudo /bin/systemctl enable grafana-server.service - sudo service grafana-server start - - setup_grafana_dashboard; -fi - -if [ -d "/usr/share/cerebro/" ]; then - CEREBRO_CONFIG_PATH="$(echo /usr/share/cerebro/cerebro*/conf/application.conf)" - if [ "$security_enabled" == "true" ]; then - sudo sed -i "s/.{?BASIC_AUTH_USER}/$client_user/ig" $CEREBRO_CONFIG_PATH - sudo sed -i "s/.{?BASIC_AUTH_PWD}/$client_pwd/ig" $CEREBRO_CONFIG_PATH - sudo sed -i 's/.{?AUTH_TYPE}/"basic"/ig' $CEREBRO_CONFIG_PATH - fi - sudo systemctl restart cerebro -fi diff --git a/assets/scripts/common/config-cluster.sh b/assets/scripts/common/config-cluster.sh index b831d1c..19b195f 100644 --- a/assets/scripts/common/config-cluster.sh +++ b/assets/scripts/common/config-cluster.sh 
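Review bot: The `kibana-keystore add --stdin` calls for the three encryption keys, and the `elasticsearch.password` one below them, are not idempotent: if this script runs a second time on the same host, `add` finds the setting present and, without `--force`, is expected to prompt for overwrite, which nothing here can answer. Adding the flag, e.g. `/usr/share/kibana/bin/kibana-keystore add --stdin --force xpack.security.encryptionKey` (and likewise for the other three), makes re-runs safe. Moving these values out of kibana.yml into the keystore is the right direction; note that the keystore commands run without `sudo` while the neighbouring `tee -a` lines use it, so this presumably relies on the script already running as root and deserves a comment saying so. The `if [ -f "/etc/kibana/kibana.yml" ]` block starts before this hunk.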
@@ -3,34 +3,37 @@ # - client_pwd # - ES_HOST # - CURL_AUTH - +i=1 while true do - echo "Checking cluster health" + echo "Checking cluster health, attempt $i" HEALTH="$(curl $CURL_AUTH --silent -k "$ES_HOST/_cluster/health" | jq -r '.status')" - DATA_NODE_COUNT="$(curl $CURL_AUTH --silent -k "$ES_HOST/_cat/nodes?h=node.role" | grep 'd' | wc -l)" + DATA_NODE_COUNT="$(curl $CURL_AUTH --silent -k "$ES_HOST/_cat/nodes?h=node.role" | grep 'd\|h\|c' | wc -l)" if [ "$HEALTH" == "green" ] && [ "$DATA_NODE_COUNT" != "0" ]; then break fi sleep 5 + i=$((i+1)) done +# if any of the below fail, bootstrap failed - exit on error +set -e if [ "$security_enabled" == "true" ]; then - curl $CURL_AUTH \ - -X PUT -H 'Content-Type: application/json' -k \ - "$ES_HOST/_xpack/security/user/kibana/_password" -d '{ "password": "'"$client_pwd"'" }' + curl $CURL_AUTH \ + -X PUT -H 'Content-Type: application/json' -k \ + "$ES_HOST/_security/user/elastic/_password" -d '{ "password": "'"$client_pwd"'" }' - curl $CURL_AUTH \ - -X PUT -H 'Content-Type: application/json' -k \ - "$ES_HOST/_xpack/security/user/logstash_system/_password" -d '{ "password": "'"$client_pwd"'" }' + curl $CURL_AUTH \ + -X PUT -H 'Content-Type: application/json' -k \ + "$ES_HOST/_security/user/kibana/_password" -d '{ "password": "'"$client_pwd"'" }' - curl $CURL_AUTH \ - -X PUT -H 'Content-Type: application/json' -k \ - "$ES_HOST/_xpack/security/user/elastic/_password" -d '{ "password": "'"$client_pwd"'" }' + curl $CURL_AUTH \ + -X PUT -H 'Content-Type: application/json' -k \ + "$ES_HOST/_security/user/logstash_system/_password" -d '{ "password": "'"$client_pwd"'" }' - curl $CURL_AUTH \ - -X PUT -H 'Content-Type: application/json' -k \ - "$ES_HOST/_xpack/security/user/remote_monitoring_user/_password" -d '{ "password": "'"$client_pwd"'" }' -fi \ No newline at end of file + curl $CURL_AUTH \ + -X PUT -H 'Content-Type: application/json' -k \ + "$ES_HOST/_security/user/remote_monitoring_user/_password" -d '{ "password": 
"'"$client_pwd"'" }' +fi diff --git a/assets/scripts/common/config-es.sh b/assets/scripts/common/config-es.sh index a548aa6..e7b9c39 100644 --- a/assets/scripts/common/config-es.sh +++ b/assets/scripts/common/config-es.sh @@ -14,7 +14,6 @@ # Configure elasticsearch cat <>/etc/elasticsearch/elasticsearch.yml cluster.name: $es_cluster -xpack.monitoring.enabled: $monitoring_enabled xpack.monitoring.collection.enabled: $monitoring_enabled path.data: $elasticsearch_data_dir path.logs: $elasticsearch_logs_dir @@ -33,13 +32,13 @@ if [ "$security_enabled" == "true" ]; then echo -n "$ca_cert" > /etc/elasticsearch/config/certs/ca.crt echo -n "$node_cert" > /etc/elasticsearch/config/certs/tls.crt echo -n "$node_key" > /etc/elasticsearch/config/certs/tls.key - cat <<'EOF' >>/etc/elasticsearch/elasticsearch.yml xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: "certificate" xpack.security.transport.ssl.key: "/etc/elasticsearch/config/certs/tls.key" xpack.security.transport.ssl.certificate: "/etc/elasticsearch/config/certs/tls.crt" xpack.security.transport.ssl.certificate_authorities: "/etc/elasticsearch/config/certs/ca.crt" + EOF fi @@ -51,6 +50,12 @@ xpack.monitoring.exporters.xpack_remote: EOF fi +# Disable HTTP SSL. Configurations may vary for HTTP SSL - see here. +#https://www.elastic.co/guide/en/elasticsearch/reference/current/security-settings.html#security-http-tls-ssl-key-trusted-certificate-settings +# When not using it, we need to outright disable it for the cluster to start. +cat <<'EOF' >>/etc/elasticsearch/elasticsearch.yml +xpack.security.http.ssl.enabled: false +EOF cat <<'EOF' >>/etc/security/limits.conf @@ -68,7 +73,6 @@ RestartSec=10 EOF # Setup heap size and memory locking -sudo sed -i 's/#MAX_LOCKED_MEMORY=.*$/MAX_LOCKED_MEMORY=unlimited/' /etc/init.d/elasticsearch sudo sed -i 's/#MAX_LOCKED_MEMORY=.*$/MAX_LOCKED_MEMORY=unlimited/' /etc/default/elasticsearch # Set java heap size 
@@ -101,6 +105,9 @@ if [ "$use_g1gc" = "true" ]; then sudo sed -i 's/[0-9]\+-:-XX:InitiatingHeapOccupancyPercent/10-:-XX:InitiatingHeapOccupancyPercent/ig' /etc/elasticsearch/jvm.options fi +# Disable heap dumps +echo "-XX:-HeapDumpOnOutOfMemoryError" | sudo tee -a /etc/elasticsearch/jvm.options + # Create log and data dirs sudo mkdir -p $elasticsearch_logs_dir sudo mkdir -p $elasticsearch_data_dir diff --git a/assets/scripts/data.sh b/assets/scripts/data.sh index 8ba5ae0..1d7f356 100644 --- a/assets/scripts/data.sh +++ b/assets/scripts/data.sh @@ -14,13 +14,11 @@ set +e if [ "$is_voting_only" == "true" ] then cat <<'EOF' >>/etc/elasticsearch/elasticsearch.yml -node.roles: [ master, data, voting_only, ingest ] +node.roles: [ data_hot, data_content, ingest, transform, master, voting_only ] EOF else cat <<'EOF' >>/etc/elasticsearch/elasticsearch.yml -node.master: false -node.data: true -node.ingest: true +node.roles: [ data_hot, data_content, ingest, transform ] EOF fi diff --git a/assets/scripts/gcp/autoattach-disk.sh b/assets/scripts/gcp/autoattach-disk.sh index a2cd0c3..5153a8a 100644 --- a/assets/scripts/gcp/autoattach-disk.sh +++ b/assets/scripts/gcp/autoattach-disk.sh @@ -6,7 +6,7 @@ while true; do INSTANCE_ROLE="$(gcloud compute instances describe $HOSTNAME --zone $GCP_ZONE --format json | jq -r ".labels.role")" echo "INSTANCE_ROLE: $INSTANCE_ROLE" - UNATTACHED_VOLUME_ID="$(gcloud compute disks list --filter="zone:$GCP_ZONE AND labels.cluster-name:$es_cluster AND labels.auto-attach-group:$INSTANCE_ROLE" --format json | jq -r '.[] | .name' | shuf -n 1)" + UNATTACHED_VOLUME_ID="$(gcloud compute disks list --filter="zone=$GCP_ZONE AND labels.cluster-name=$es_cluster AND labels.auto-attach-group=$INSTANCE_ROLE" --format json | jq -r '.[] | .name' | shuf -n 1)" echo "UNATTACHED_VOLUME_ID: $UNATTACHED_VOLUME_ID" gcloud compute instances attach-disk $HOSTNAME --disk $UNATTACHED_VOLUME_ID --device-name "espersistent" --zone $GCP_ZONE 
diff --git a/assets/scripts/gcp/config-bootstrap-node.sh b/assets/scripts/gcp/config-bootstrap-node.sh index 2200042..2eacf3f 100644 --- a/assets/scripts/gcp/config-bootstrap-node.sh +++ b/assets/scripts/gcp/config-bootstrap-node.sh @@ -1,24 +1,25 @@ # Required variables # - es_environment # - masters_count - +i=1 while true do echo "Fetching masters..." - MASTER_INSTANCES="$(gcloud compute instances list --filter="labels.cluster:$es_environment AND labels.role:(master OR data-voters)" --format 'get(networkInterfaces[0].networkIP)' | sort)" + MASTER_INSTANCES="$(gcloud compute instances list --filter="labels.cluster=$es_environment AND labels.role=(master OR data-voters)" --format 'get(networkInterfaces[0].networkIP)' | sort)" COUNT=`echo "$MASTER_INSTANCES" | wc -l` - echo "Found $COUNT instances, expecting $masters_count" + echo "Found $COUNT instances, expecting $masters_count, attempt $i" if [ "$COUNT" -eq "$masters_count" ]; then echo "Masters count is correct... Rechecking in 60 sec" sleep 60 - MASTER_INSTANCES_RECHECK="$(gcloud compute instances list --filter="labels.cluster:$es_environment AND labels.role:(master OR data-voters)" --format 'get(networkInterfaces[0].networkIP)' | sort)" + MASTER_INSTANCES_RECHECK="$(gcloud compute instances list --filter="labels.cluster=$es_environment AND labels.role=(master OR data-voters)" --format 'get(networkInterfaces[0].networkIP)' | sort)" if [ "$MASTER_INSTANCES" = "$MASTER_INSTANCES_RECHECK" ]; then break fi fi sleep 5 + i=$((i+1)) done echo "Fetched masters" diff --git a/assets/scripts/gcp/config-es-discovery.sh b/assets/scripts/gcp/config-es-discovery.sh index 07af37c..dc46d04 100644 --- a/assets/scripts/gcp/config-es-discovery.sh +++ b/assets/scripts/gcp/config-es-discovery.sh 
@@ -9,7 +9,8 @@ cloud.gce.project_id: ${gcp_project_id} cloud.gce.zone: ${gcp_zones} discovery.seed_providers: gce EOF - +# It is required to bind to all interfaces for discovery on GCP to work +# echo "network.host: 0.0.0.0" >> /etc/elasticsearch/elasticsearch.yml if [ "$BIND_TO_ALL" == "true" ]; then echo "network.host: 0.0.0.0" >> /etc/elasticsearch/elasticsearch.yml else diff --git a/assets/scripts/master.sh b/assets/scripts/master.sh index a3d5b34..1f1615d 100644 --- a/assets/scripts/master.sh +++ b/assets/scripts/master.sh @@ -12,12 +12,10 @@ set +e /opt/cloud-deploy-scripts/$cloud_provider/config-es-discovery.sh cat <<'EOF' >>/etc/elasticsearch/elasticsearch.yml -node.master: true -node.data: false -node.ingest: false +node.roles: [ master ] EOF # Start Elasticsearch systemctl daemon-reload systemctl enable elasticsearch.service -systemctl start elasticsearch.service \ No newline at end of file +systemctl start elasticsearch.service diff --git a/assets/scripts/singlenode.sh b/assets/scripts/singlenode.sh index 578eefc..b423515 100644 --- a/assets/scripts/singlenode.sh +++ b/assets/scripts/singlenode.sh @@ -18,9 +18,7 @@ fi /opt/cloud-deploy-scripts/$cloud_provider/config-es-discovery.sh cat <<'EOF' >>/etc/elasticsearch/elasticsearch.yml -node.master: true -node.data: true -node.ingest: true +node.roles: [ data_hot, data_content, ingest, transform, master ] discovery.type: single-node EOF @@ -38,4 +36,4 @@ systemctl enable elasticsearch.service systemctl start elasticsearch.service /opt/cloud-deploy-scripts/common/config-cluster.sh -/opt/cloud-deploy-scripts/$cloud_provider/config-cluster.sh \ No newline at end of file +/opt/cloud-deploy-scripts/$cloud_provider/config-cluster.sh diff --git a/packer/README.md b/packer/README.md index 684b09f..2ae0741 100644 --- a/packer/README.md +++ b/packer/README.md 
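Review bot: The new comment `# It is required to bind to all interfaces for discovery on GCP to work` is followed by a commented-out `echo "network.host: 0.0.0.0"`, while the live code below still binds to all interfaces only when `BIND_TO_ALL` is true; a reader cannot tell whether the requirement is real and the variable must be set, or whether the comment is stale. Either state the precondition (`# On GCP discovery needs network.host: 0.0.0.0, so BIND_TO_ALL must be true for this script`) and drop the dead echo, or remove both lines. Since config-es.sh in this same patch disables HTTP TLS, binding to all interfaces leaves the firewall rules as the only thing keeping the REST port off any public path, which is worth saying next to this setting.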
@@ -4,8 +4,8 @@ This Packer configuration will generate Ubuntu images with Elasticsearch, Kibana The output of running Packer here would be two machine images, as below: -* elasticsearch node image, containing latest Elasticsearch installed (latest version 7.x) and configured with best-practices. -* kibana node image, based on the elasticsearch node image, and with Kibana (7.x, latest), nginx with basic proxy and authentication setip, and Kopf. +* elasticsearch node image, containing latest Elasticsearch installed (latest version 8.x) and configured with best-practices. +* kibana node image, based on the elasticsearch node image, and with Kibana (8.x, latest), nginx with basic proxy and authentication setip, and Kopf. ## On Amazon Web Services (AWS) @@ -98,8 +98,8 @@ az account show --query "{ subscription_id: id }" Building the AMIs is done using the following commands: ```bash -packer build -only=aws -var-file=variables.json elasticsearch7-node.packer.json -packer build -only=aws -var-file=variables.json kibana7-node.packer.json +packer build -only=aws -var-file=variables.json elasticsearch8-node.packer.json +packer build -only=aws -var-file=variables.json kibana8-node.packer.json ``` Replace the `-only` parameter to `azure` to build images for Azure instead of AWS. diff --git a/packer/elasticsearch7-node.packer.json b/packer/elasticsearch8-node.packer.json similarity index 86% rename from packer/elasticsearch7-node.packer.json rename to packer/elasticsearch8-node.packer.json index 411c106..9c7eff4 100644 --- a/packer/elasticsearch7-node.packer.json +++ b/packer/elasticsearch8-node.packer.json @@ -4,7 +4,7 @@ { "name": "aws", "type": "amazon-ebs", - "ami_name": "elasticsearch7-{{isotime | clean_resource_name}}", + "ami_name": "elasticsearch8-{{isotime | clean_resource_name}}", "availability_zone": "{{user `aws_az`}}", "iam_instance_profile": "packer", "instance_type": "t2.micro", 
@@ -24,7 +24,7 @@ "ssh_timeout": "10m", "ssh_username": "ubuntu", "tags": { - "ImageType": "elasticsearch7-packer-image" + "ImageType": "elasticsearch8-packer-image" } }, { @@ -37,7 +37,7 @@ "subscription_id": "{{user `azure_subscription_id`}}", "managed_image_resource_group_name": "{{user `azure_resource_group_name`}}", - "managed_image_name": "elasticsearch7-{{isotime \"2006-01-02T030405\"}}", + "managed_image_name": "elasticsearch8-{{isotime \"2006-01-02T030405\"}}", "os_type": "Linux", "image_publisher": "Canonical", @@ -50,12 +50,11 @@ { "name": "gcp", "type": "googlecompute", - "account_file": "{{user `gcp_account_file`}}", "project_id": "{{user `gcp_project_id`}}", - "source_image_family": "ubuntu-1804-lts", + "source_image_family": "ubuntu-2004-lts", "zone": "{{user `gcp_zone`}}", - "image_family": "elasticsearch-7", - "image_name": "elasticsearch7-{{isotime \"20060102t030405\"}}", + "image_family": "elasticsearch-8", + "image_name": "elasticsearch8-{{isotime | clean_resource_name}}", "preemptible": true, "ssh_username": "ubuntu" } @@ -88,7 +87,7 @@ }, { "type": "shell", - "script": "install-elasticsearch7.sh", + "script": "install-elasticsearch8.sh", "environment_vars": [ "ES_VERSION={{user `elasticsearch_version`}}" ], "execute_command": "echo '' | {{ .Vars }} sudo -E -S bash '{{ .Path }}'" }, diff --git a/packer/install-elasticsearch7.sh b/packer/install-elasticsearch8.sh similarity index 84% rename from packer/install-elasticsearch7.sh rename to packer/install-elasticsearch8.sh index 56e6e52..c44ef32 100644 --- a/packer/install-elasticsearch7.sh +++ b/packer/install-elasticsearch8.sh 
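Review bot: The GCP builder drops `"account_file": "{{user `gcp_account_file`}}"` here, but the kibana8 builder later in this patch keeps the same key, so the two images authenticate differently and a `variables.json` without `gcp_account_file` builds one image and not the other. If the intent is to rely on application default credentials, remove the key from kibana8-node.packer.json as well and note the change in packer/README.md; if not, restore it here. Either way a short comment in the README on how the GCP builder authenticates would save the next person a failed build.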
@@ -3,7 +3,7 @@ set -e # Get the PGP Key wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add - -echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | tee -a /etc/apt/sources.list.d/elastic-7.x.list +echo "deb https://artifacts.elastic.co/packages/8.x/apt stable main" | tee -a /etc/apt/sources.list.d/elastic-8.x.list apt-get update if [ -z "$ES_VERSION" ]; then @@ -20,4 +20,4 @@ chown elasticsearch:elasticsearch /usr/share/elasticsearch/logs chown elasticsearch:elasticsearch /usr/share/elasticsearch/data mv elasticsearch.yml /etc/elasticsearch/elasticsearch.yml -chown elasticsearch:elasticsearch /etc/elasticsearch/elasticsearch.yml \ No newline at end of file +chown elasticsearch:elasticsearch /etc/elasticsearch/elasticsearch.yml diff --git a/packer/install-grafana.sh b/packer/install-grafana.sh deleted file mode 100755 index 516c287..0000000 --- a/packer/install-grafana.sh +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/bash -set -e - -sudo wget -q -O - https://packages.grafana.com/gpg.key | apt-key add - - -sudo add-apt-repository "deb https://packages.grafana.com/oss/deb stable main" -sudo apt-get update -sudo apt-get install grafana \ No newline at end of file diff --git a/packer/install-kibana7.sh b/packer/install-kibana8.sh similarity index 100% rename from packer/install-kibana7.sh rename to packer/install-kibana8.sh diff --git a/packer/kibana7-node.packer.json b/packer/kibana8-node.packer.json similarity index 76% rename from packer/kibana7-node.packer.json rename to packer/kibana8-node.packer.json index 6e86ae6..19f4163 100644 --- a/packer/kibana7-node.packer.json +++ b/packer/kibana8-node.packer.json @@ -5,7 +5,7 @@ "name": "aws", "type": "amazon-ebs", - "ami_name": "kibana7-{{isotime | clean_resource_name}}", + "ami_name": "kibana8-{{isotime | clean_resource_name}}", "availability_zone": "{{user `aws_az`}}", "iam_instance_profile": "packer", "instance_type": "t2.medium", 
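Review bot: The repository line still imports the signing key with `apt-key add -` and writes an unscoped `deb` entry, so the Elastic key is trusted for every apt source on the image, and `apt-key` is deprecated on the Ubuntu 20.04 base this patch switches to. Elastic's 8.x instructions keep the key in a dedicated keyring and scope it with `signed-by`: `wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg` and `echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-8.x.list`. Using `tee` rather than `tee -a` also stops duplicate entries if the provisioner is re-run. The rest of the install script is outside this hunk.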
@@ -16,7 +16,7 @@ "source_ami_filter": { "filters": { "virtualization-type": "hvm", - "name": "elasticsearch7-*", + "name": "elasticsearch8-*", "root-device-type": "ebs" }, "owners": [ @@ -27,7 +27,7 @@ "ssh_timeout": "10m", "ssh_username": "ubuntu", "tags": { - "ImageType": "kibana7-packer-image" + "ImageType": "kibana8-packer-image" } }, { @@ -40,7 +40,7 @@ "subscription_id": "{{user `azure_subscription_id`}}", "managed_image_resource_group_name": "{{user `azure_resource_group_name`}}", - "managed_image_name": "kibana7-{{isotime \"2006-01-02T030405\"}}", + "managed_image_name": "kibana8-{{isotime \"2006-01-02T030405\"}}", "os_type": "Linux", "custom_managed_image_name": "{{user `azure_elasticsearch_image_name`}}", @@ -54,10 +54,10 @@ "type": "googlecompute", "account_file": "{{user `gcp_account_file`}}", "project_id": "{{user `gcp_project_id`}}", - "source_image_family": "elasticsearch-7", + "source_image_family": "elasticsearch-8", "zone": "{{user `gcp_zone`}}", - "image_family": "kibana-7", - "image_name": "kibana7-{{isotime \"20060102t030405\"}}", + "image_family": "kibana-8", + "image_name": "kibana8-{{isotime | clean_resource_name}}", "preemptible": true, "ssh_username": "ubuntu" } @@ -65,14 +65,9 @@ "provisioners": [ { "type": "shell", - "script": "install-kibana7.sh", + "script": "install-kibana8.sh", "environment_vars": [ "ES_VERSION={{user `elasticsearch_version`}}" ], "execute_command": "echo '' | {{ .Vars }} sudo -E -S sh '{{ .Path }}'" - }, - { - "type": "shell", - "script": "install-grafana.sh", - "execute_command": "echo '' | {{ .Vars }} sudo -E -S sh '{{ .Path }}'" } ] } diff --git a/templates/aws_user_data.sh b/templates/aws_user_data.sh index c7a070e..78b7813 100644 --- a/templates/aws_user_data.sh +++ b/templates/aws_user_data.sh 
@@ -32,5 +32,8 @@ export node_cert="${node_cert}" export node_key="${node_key}" export log_level="${log_level}" export log_size="${log_size}" +export security_encryption_key="${security_encryption_key}" +export reporting_encryption_key="${reporting_encryption_key}" +export saved_objects_encryption_key="${saved_objects_encryption_key}" -/opt/cloud-deploy-scripts/${startup_script} \ No newline at end of file +/opt/cloud-deploy-scripts/${startup_script} diff --git a/templates/gcp_user_data.sh b/templates/gcp_user_data.sh index 2dc7f42..3cf3212 100644 --- a/templates/gcp_user_data.sh +++ b/templates/gcp_user_data.sh @@ -32,5 +32,11 @@ export bootstrap_node="${bootstrap_node}" export ca_cert="${ca_cert}" export node_cert="${node_cert}" export node_key="${node_key}" +export log_level="${log_level}" +export log_size="${log_size}" +export security_encryption_key="${security_encryption_key}" +export reporting_encryption_key="${reporting_encryption_key}" +export saved_objects_encryption_key="${saved_objects_encryption_key}" + /opt/cloud-deploy-scripts/${startup_script} diff --git a/terraform-aws/alb.tf b/terraform-aws/alb.tf index 3512993..4fc2a7b 100644 --- a/terraform-aws/alb.tf +++ b/terraform-aws/alb.tf @@ -143,7 +143,7 @@ resource "aws_lb" "elasticsearch-alb" { internal = ! var.public_facing load_balancer_type = "application" security_groups = [aws_security_group.elasticsearch-alb-sg.id] - subnets = coalescelist(var.alb_subnets, tolist(data.aws_subnet_ids.all-subnets.ids)) + subnets = coalescelist(var.alb_subnets, tolist(data.aws_subnets.all-subnets.ids)) enable_deletion_protection = false } @@ -199,4 +199,3 @@ resource "aws_lb_listener" "cerebro" { target_group_arn = aws_lb_target_group.cerebro-p9000-tg[0].arn } } - diff --git a/terraform-aws/ami.tf b/terraform-aws/ami.tf index 5bc728e..e7aecda 100644 --- a/terraform-aws/ami.tf +++ b/terraform-aws/ami.tf @@ -25,4 +25,3 @@ data "aws_ami" "kibana_client" { most_recent = true owners = ["self"] } - 
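Review bot: The three new `export ..._encryption_key` lines put the Kibana encryption keys into instance user data, which any process on the host can read back from the metadata endpoint and which is also exposed through the cloud API to anyone permitted to describe the instance. The same path already carries `node_key` and the other secrets, so this is consistent with the template rather than a new hole, but these keys protect saved objects and reporting state for the life of the deployment, which makes them a better candidate for a secrets store fetched at boot than the per-instance material. At minimum a header comment in both templates, `# NOTE: everything exported here is readable from instance metadata`, keeps the trade-off in view. The same lines are added to templates/gcp_user_data.sh in the next hunk.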
diff --git a/terraform-aws/main.tf b/terraform-aws/main.tf index e71eec9..d80973a 100644 --- a/terraform-aws/main.tf +++ b/terraform-aws/main.tf @@ -7,6 +7,20 @@ resource "random_string" "vm-login-password" { special = false } +resource "random_string" "security-encryption-key" { + length = 32 + special = false +} +resource "random_string" "reporting-encryption-key" { + length = 32 + special = false +} + +resource "random_string" "saved-objects-encryption-key" { + length = 32 + special = false +} + locals { masters_count = length(flatten([for _, count in var.masters_count : range(count)])) # sum(...) going to be added to TF0.12 soon @@ -18,11 +32,11 @@ locals { ))) cluster_subnet_ids = { - for i, az in local.all_availability_zones : az => lookup(var.cluster_subnet_ids, az, element(data.aws_subnet_ids.subnets-per-az.*.ids, i)) + for i, az in local.all_availability_zones : az => lookup(var.cluster_subnet_ids, az, element(data.aws_subnets.subnets-per-az.*.ids, i)) } clients_subnet_ids = { - for i, az in local.all_availability_zones : az => lookup(var.clients_subnet_ids, az, element(data.aws_subnet_ids.subnets-per-az.*.ids, i)) + for i, az in local.all_availability_zones : az => lookup(var.clients_subnet_ids, az, element(data.aws_subnets.subnets-per-az.*.ids, i)) } flat_cluster_subnet_ids = flatten(values(local.cluster_subnet_ids)) @@ -63,6 +77,10 @@ locals { node_key = var.security_enabled ? join("", tls_private_key.node[*].private_key_pem) : "" DEV_MODE_scripts_s3_bucket = var.DEV_MODE_scripts_s3_bucket + + security_encryption_key = random_string.security-encryption-key.result + reporting_encryption_key = random_string.reporting-encryption-key.result + saved_objects_encryption_key = random_string.saved-objects-encryption-key.result } } diff --git a/terraform-aws/variables.tf b/terraform-aws/variables.tf index d7e1c16..5fb956d 100644 --- a/terraform-aws/variables.tf +++ b/terraform-aws/variables.tf 
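Review bot: The three new `random_string` resources generate secrets, so their `result` appears unredacted in plan output and in any output or log that references `local.security_encryption_key`; the random provider's `random_password` resource takes the same arguments but marks `result` as sensitive. `resource "random_password" "security-encryption-key" { length = 32  special = false }` (and likewise for the other two, with the `random_string.` references in the locals block updated to `random_password.`) produces values of the same format. The value still lives in plaintext in the state file either way, so state storage and access control matter regardless. The same three resources are added in terraform-gcp/main.tf later in this patch.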
@@ -174,12 +174,12 @@ variable "requires_bootstrapping" { variable "elasticsearch_packer_image" { description = "The name of the image family for elasticsearch" - default = "elasticsearch7-packer-image" + default = "elasticsearch8-packer-image" } variable "kibana_packer_image" { description = "The name of the image family for kibana" - default = "kibana7-packer-image" + default = "kibana8-packer-image" } variable "ec2_vpc_endpoint_id" { @@ -204,5 +204,5 @@ variable "log_size" { variable "log_level" { description = "log4j log level" - default = "WARN" -} \ No newline at end of file + default = "INFO" +} diff --git a/terraform-aws/vpc.tf b/terraform-aws/vpc.tf index 12b56a0..0809fc0 100644 --- a/terraform-aws/vpc.tf +++ b/terraform-aws/vpc.tf @@ -2,22 +2,29 @@ data "aws_vpc" "selected" { id = var.vpc_id } -data "aws_subnet_ids" "all-subnets" { - vpc_id = var.vpc_id +data "aws_subnets" "all-subnets" { + filter { + name = "vpc-id" + values = [var.vpc_id] + } } data "aws_route_tables" "vpc_route_tables" { vpc_id = var.vpc_id } -data "aws_subnet_ids" "subnets-per-az" { +data "aws_subnets" "subnets-per-az" { count = length(local.all_availability_zones) - vpc_id = var.vpc_id filter { name = "availability-zone" values = [local.all_availability_zones[count.index]] } + filter { + name = "vpc-id" + values = [var.vpc_id] + } + } resource "aws_security_group" "vpc-endpoint" { diff --git a/terraform-gcp/client.tf b/terraform-gcp/client.tf index 56478f7..d33d76c 100644 --- a/terraform-gcp/client.tf +++ b/terraform-gcp/client.tf @@ -92,4 +92,4 @@ resource "google_compute_instance_template" "client" { lifecycle { create_before_destroy = true } -} \ No newline at end of file +} diff --git a/terraform-gcp/image.tf b/terraform-gcp/image.tf index 9b977ef..326ceb5 100644 --- a/terraform-gcp/image.tf +++ b/terraform-gcp/image.tf 
@@ -1,7 +1,7 @@ data "google_compute_image" "elasticsearch" { - family = "elasticsearch-7" + family = "elasticsearch-8" } data "google_compute_image" "kibana" { - family = "kibana-7" + family = "kibana-8" } diff --git a/terraform-gcp/main.tf b/terraform-gcp/main.tf index 5a12983..518e72d 100644 --- a/terraform-gcp/main.tf +++ b/terraform-gcp/main.tf @@ -1,12 +1,22 @@ +terraform { + required_providers { + tls = { + source = "hashicorp/tls" + version = "3.1.0" + } + } +} + + provider "google" { - credentials = var.gcp_credentials_path +# credentials = var.gcp_credentials_path project = var.gcp_project_id region = var.gcp_region zone = var.gcp_zone } provider "google-beta" { - credentials = var.gcp_credentials_path +# credentials = var.gcp_credentials_path project = var.gcp_project_id region = var.gcp_region zone = var.gcp_zone @@ -17,6 +27,20 @@ resource "random_string" "vm-login-password" { special = false } +resource "random_string" "security-encryption-key" { + length = 32 + special = false +} +resource "random_string" "reporting-encryption-key" { + length = 32 + special = false +} + +resource "random_string" "saved-objects-encryption-key" { + length = 32 + special = false +} + resource "google_compute_firewall" "internode" { name = "${var.es_cluster}-firewall-allow-internode" network = var.cluster_network 
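Review bot: Commenting out `credentials = var.gcp_credentials_path` in both `google` providers switches authentication to whatever application default credentials the runner has, but leaves the dead lines and presumably the now-unused variable in place, so the next reader cannot tell whether this is the intended model or a local workaround. Either delete the two commented lines and the variable and document ADC in the README, or keep the argument optional with `credentials = var.gcp_credentials_path != "" ? var.gcp_credentials_path : null`. Pinning `tls` to exactly `version = "3.1.0"` also blocks provider security updates; a `~> 3.1` constraint is the usual choice. The `random_string` keys added in the second hunk of this file carry the same sensitivity concern as their terraform-aws counterparts.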
@@ -117,12 +141,19 @@ locals { master = false data = false bootstrap_node = false + log_level = var.log_level + log_size = var.log_size + is_voting_only = false gcs_service_account_key = join("", google_service_account_key.gcs[*].private_key) ca_cert = var.security_enabled ? join("", tls_self_signed_cert.ca[*].cert_pem) : "" node_cert = var.security_enabled ? join("", tls_locally_signed_cert.node[*].cert_pem) : "" - node_key = var.security_enabled ? join("", tls_private_key.node[*].private_key_pem) : "", + node_key = var.security_enabled ? join("", tls_private_key.node[*].private_key_pem) : "" DEV_MODE_scripts_gcs_bucket = var.DEV_MODE_scripts_gcs_bucket + + security_encryption_key = random_string.security-encryption-key.result + reporting_encryption_key = random_string.reporting-encryption-key.result + saved_objects_encryption_key = random_string.saved-objects-encryption-key.result } } diff --git a/terraform-gcp/variables.tf b/terraform-gcp/variables.tf index 12b9bf3..f305420 100644 --- a/terraform-gcp/variables.tf +++ b/terraform-gcp/variables.tf @@ -155,3 +155,13 @@ variable "requires_bootstrapping" { description = "Overrides cluster bootstrap state" default = true } + +variable "log_size" { + description = "Retained log4j log size in MB" + default = "128" +} + +variable "log_level" { + description = "log4j log level" + default = "INFO" +} From 76d827fbfde27216dab4d9d1b0ee68e57bd10b0d Mon Sep 17 00:00:00 2001 
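Review bot: The three `*_encryption_key` locals added at the end of the `locals` hunk feed the same map that renders node user-data (the `export security_encryption_key=…` lines appear as context in the `templates/*_user_data.sh` hunks later in this series), and instance startup-script metadata is readable by any local process on the VM through the metadata server, not only by root. That places Kibana's encryption keys, like the `node_key` private key already in the map, at the trust level of any user or compromised process on the node; if that is an accepted trade-off it deserves a comment on the block, otherwise fetching them at boot from Secret Manager with the instance service account is the usual alternative. The enclosing `locals` block begins outside the hunk.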
From: shai Date: Wed, 6 Mar 2024 10:09:01 +0200 Subject: [PATCH 2/9] various fixes --- assets/scripts/client.sh | 2 +- assets/scripts/data.sh | 4 ++-- assets/scripts/singlenode.sh | 2 +- packer/README.md | 2 +- packer/elasticsearch8-node.packer.json | 4 ++-- packer/install-cloud-plugin.sh | 4 ---- packer/update-machine.sh | 4 ++-- terraform-gcp/client.tf | 4 ++-- terraform-gcp/datas-voters.tf | 4 ++-- terraform-gcp/datas.tf | 4 ++-- terraform-gcp/main.tf | 12 ++++++------ terraform-gcp/singlenode.tf | 6 +++--- 12 files changed, 24 insertions(+), 28 deletions(-) diff --git a/assets/scripts/client.sh b/assets/scripts/client.sh index 4b88c9b..560a602 100644 --- a/assets/scripts/client.sh +++ b/assets/scripts/client.sh @@ -15,7 +15,7 @@ fi /opt/cloud-deploy-scripts/$cloud_provider/config-es-discovery.sh cat <<'EOF' >>/etc/elasticsearch/elasticsearch.yml -node.roles: [] +node.roles: [ ingest, remote_cluster_client ] EOF # Start Elasticsearch diff --git a/assets/scripts/data.sh b/assets/scripts/data.sh index 1d7f356..0efa210 100644 --- a/assets/scripts/data.sh +++ b/assets/scripts/data.sh @@ -14,11 +14,11 @@ set +e if [ "$is_voting_only" == "true" ] then cat <<'EOF' >>/etc/elasticsearch/elasticsearch.yml -node.roles: [ data_hot, data_content, ingest, transform, master, voting_only ] +node.roles: [ data_hot, data_content, ingest, transform, master, voting_only, remote_cluster_client] EOF else cat <<'EOF' >>/etc/elasticsearch/elasticsearch.yml -node.roles: [ data_hot, data_content, ingest, transform ] +node.roles: [ data_hot, data_content, ingest, transform, remote_cluster_client ] EOF fi diff --git a/assets/scripts/singlenode.sh b/assets/scripts/singlenode.sh index b423515..250a694 100644 --- a/assets/scripts/singlenode.sh +++ b/assets/scripts/singlenode.sh 
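Review bot: In the `data.sh` hunk the voting-only role list drops the space before the closing bracket, `node.roles: [ data_hot, data_content, ingest, transform, master, voting_only, remote_cluster_client]`, while the sibling list two lines below and the lists in `client.sh` and `singlenode.sh` end in ` ]`; YAML accepts both, but the inconsistency reads as a typo. Change it to `node.roles: [ data_hot, data_content, ingest, transform, master, voting_only, remote_cluster_client ]`.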
@@ -18,7 +18,7 @@ fi /opt/cloud-deploy-scripts/$cloud_provider/config-es-discovery.sh cat <<'EOF' >>/etc/elasticsearch/elasticsearch.yml -node.roles: [ data_hot, data_content, ingest, transform, master ] +node.roles: [ data_hot, data_content, ingest, transform, master, remote_cluster_client ] discovery.type: single-node EOF diff --git a/packer/README.md b/packer/README.md index 2ae0741..dcfe3e7 100644 --- a/packer/README.md +++ b/packer/README.md @@ -5,7 +5,7 @@ This Packer configuration will generate Ubuntu images with Elasticsearch, Kibana The output of running Packer here would be two machine images, as below: * elasticsearch node image, containing latest Elasticsearch installed (latest version 8.x) and configured with best-practices. -* kibana node image, based on the elasticsearch node image, and with Kibana (8.x, latest), nginx with basic proxy and authentication setip, and Kopf. +* kibana node image, based on the elasticsearch node image, and with Kibana (8.x, latest). ## On Amazon Web Services (AWS) diff --git a/packer/elasticsearch8-node.packer.json b/packer/elasticsearch8-node.packer.json index 9c7eff4..1554a1b 100644 --- a/packer/elasticsearch8-node.packer.json +++ b/packer/elasticsearch8-node.packer.json @@ -15,7 +15,7 @@ "source_ami_filter": { "filters": { "virtualization-type": "hvm", - "name": "*ubuntu-focal-20.04-amd64-server-*", + "name": "*ubuntu-jammy-22.04-amd64-server-*", "root-device-type": "ebs" }, "owners": ["099720109477"], @@ -51,7 +51,7 @@ "name": "gcp", "type": "googlecompute", "project_id": "{{user `gcp_project_id`}}", - "source_image_family": "ubuntu-2004-lts", + "source_image_family": "ubuntu-2204-lts", "zone": "{{user `gcp_zone`}}", "image_family": "elasticsearch-8", "image_name": "elasticsearch8-{{isotime | clean_resource_name}}", diff --git a/packer/install-cloud-plugin.sh b/packer/install-cloud-plugin.sh index 12cf1e5..175cb69 100755 --- a/packer/install-cloud-plugin.sh +++ b/packer/install-cloud-plugin.sh 
@@ -5,10 +5,6 @@ cd /usr/share/elasticsearch/ if [[ $PACKER_BUILD_NAME == "aws" ]]; then sudo bin/elasticsearch-plugin install --batch discovery-ec2 - sudo bin/elasticsearch-plugin install --batch repository-s3 -elif [[ $PACKER_BUILD_NAME == "azure" ]]; then - sudo bin/elasticsearch-plugin install --batch repository-azure elif [[ $PACKER_BUILD_NAME == "gcp" ]]; then sudo bin/elasticsearch-plugin install --batch discovery-gce - sudo bin/elasticsearch-plugin install --batch repository-gcs fi diff --git a/packer/update-machine.sh b/packer/update-machine.sh index 8bc5536..ac46fc7 100755 --- a/packer/update-machine.sh +++ b/packer/update-machine.sh @@ -10,11 +10,11 @@ sleep 100 sudo apt-get update sudo -E apt-get upgrade -y -sudo -E apt-get install -y software-properties-common git python-dev htop ntp jq apt-transport-https unzip +sudo -E apt-get install -y software-properties-common git python3-dev htop ntp jq apt-transport-https unzip if [[ $PACKER_BUILD_NAME == "aws" ]]; then sudo -E apt-get install -y awscli fi # Disable daily apt unattended updates. -echo 'APT::Periodic::Enable "0";' >> /etc/apt/apt.conf.d/10periodic \ No newline at end of file +echo 'APT::Periodic::Enable "0";' >> /etc/apt/apt.conf.d/10periodic diff --git a/terraform-gcp/client.tf b/terraform-gcp/client.tf index d33d76c..25a0da3 100644 --- a/terraform-gcp/client.tf +++ b/terraform-gcp/client.tf @@ -16,7 +16,7 @@ resource "google_compute_target_pool" "client" { resource "google_compute_instance_group_manager" "client" { for_each = toset(keys(var.clients_count)) - provider = google-beta + provider = google name = "${var.es_cluster}-igm-client-${each.value}" project = "${var.gcp_project_id}" zone = each.value 
@@ -55,7 +55,7 @@ resource "google_compute_autoscaler" "client" { } resource "google_compute_instance_template" "client" { - provider = google-beta + provider = google name_prefix = "${var.es_cluster}-instance-template-client" project = "${var.gcp_project_id}" machine_type = "${var.master_machine_type}" diff --git a/terraform-gcp/datas-voters.tf b/terraform-gcp/datas-voters.tf index ac03dba..b186fee 100644 --- a/terraform-gcp/datas-voters.tf +++ b/terraform-gcp/datas-voters.tf @@ -10,7 +10,7 @@ data "template_file" "data_voting_userdata_script" { resource "google_compute_instance_group_manager" "data-voters" { for_each = toset(keys(var.data_voters_count)) - provider = google-beta + provider = google name = "${var.es_cluster}-igm-data-voters-${each.value}" project = var.gcp_project_id zone = each.value @@ -45,7 +45,7 @@ resource "google_compute_autoscaler" "data-voters" { } resource "google_compute_instance_template" "data-voters" { - provider = google-beta + provider = google name_prefix = "${var.es_cluster}-instance-template-data-voters" project = var.gcp_project_id machine_type = var.data_machine_type diff --git a/terraform-gcp/datas.tf b/terraform-gcp/datas.tf index ccaafe9..2ab957b 100644 --- a/terraform-gcp/datas.tf +++ b/terraform-gcp/datas.tf @@ -9,7 +9,7 @@ data "template_file" "data_userdata_script" { resource "google_compute_instance_group_manager" "data" { for_each = toset(keys(var.datas_count)) - provider = google-beta + provider = google name = "${var.es_cluster}-igm-data-${each.value}" project = var.gcp_project_id zone = each.value @@ -44,7 +44,7 @@ resource "google_compute_autoscaler" "data" { } resource "google_compute_instance_template" "data" { - provider = google-beta + provider = google name_prefix = "${var.es_cluster}-instance-template-data" project = var.gcp_project_id machine_type = var.data_machine_type diff --git a/terraform-gcp/main.tf b/terraform-gcp/main.tf index 518e72d..960d6ee 100644 --- a/terraform-gcp/main.tf 
+++ b/terraform-gcp/main.tf @@ -15,12 +15,12 @@ provider "google" { zone = var.gcp_zone } -provider "google-beta" { -# credentials = var.gcp_credentials_path - project = var.gcp_project_id - region = var.gcp_region - zone = var.gcp_zone -} +#provider "google-beta" { +## credentials = var.gcp_credentials_path +# project = var.gcp_project_id +# region = var.gcp_region +# zone = var.gcp_zone +#} resource "random_string" "vm-login-password" { length = 16 diff --git a/terraform-gcp/singlenode.tf b/terraform-gcp/singlenode.tf index b787c19..5febf2c 100644 --- a/terraform-gcp/singlenode.tf +++ b/terraform-gcp/singlenode.tf @@ -11,7 +11,7 @@ resource "google_compute_target_pool" "singlenode" { } resource "google_compute_instance_group_manager" "singlenode" { - provider = google-beta + provider = google name = "${var.es_cluster}-igm-singlenode" project = "${var.gcp_project_id}" @@ -41,7 +41,7 @@ resource "google_compute_autoscaler" "singlenode" { } resource "google_compute_instance_template" "singlenode" { - provider = google-beta + provider = google name_prefix = "${var.es_cluster}-instance-template-single" project = "${var.gcp_project_id}" @@ -77,4 +77,4 @@ resource "google_compute_instance_template" "singlenode" { create_before_destroy = true } -} \ No newline at end of file +} From 17613a46b9dc001ff5e4a28aaf6168cbb2419706 Mon Sep 17 00:00:00 2001 From: shai Date: Wed, 6 Mar 2024 10:09:57 +0200 Subject: [PATCH 3/9] various fixes --- terraform-aws/vpc.tf | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/terraform-aws/vpc.tf b/terraform-aws/vpc.tf index 0809fc0..de20623 100644 --- a/terraform-aws/vpc.tf +++ b/terraform-aws/vpc.tf 
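Review bot: The `google-beta` provider block in the `main.tf` hunk is commented out line by line instead of removed; git history keeps it, and a commented-out provider containing an already commented-out `credentials` line is confusing to the next reader. Delete the six lines. This presumes every resource in the module now uses the default `google` provider, which this commit does for client, data, data-voters and singlenode; the remaining files are outside this series' view and should be checked, since any surviving `provider = google-beta` would be left without a configuration once the block is gone.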
@@ -31,9 +31,16 @@ resource "aws_security_group" "vpc-endpoint" {
 vpc_id = var.vpc_id
 ingress {
- from_port = 0
- to_port = 0
- protocol = "-1"
+ from_port = 9200
+ to_port = 9200
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ ingress {
+ from_port = 5601
+ to_port = 5601
+ protocol = "tcp"
 cidr_blocks = ["0.0.0.0/0"]
 }
From 3a7a7b616ab66c0bd19148dc87ab9493f0243a6f Mon Sep 17 00:00:00 2001
From: shai
Date: Thu, 14 Mar 2024 17:29:13 +0200
Subject: [PATCH 4/9] adding remote_cluster_client, updating ubuntu images, limiting vpc endpoint ports, adding packer manifest, adding debug bootstrap mode, fixing redundant provider, adding certs renewal
---
 .gitignore | 2 +
 assets/scripts/bootstrap.sh | 12 +--
 packer/elasticsearch8-node.packer.json | 6 ++
 packer/kibana8-node.packer.json | 6 ++
 templates/aws_user_data.sh | 1 +
 templates/gcp_user_data.sh | 1 +
 terraform-aws/alb.tf | 86 ------------------
 terraform-aws/certs.tf | 5 +-
 terraform-aws/client.tf | 2 -
 terraform-aws/lock.old | 117 +++++++++++++++++++++++++
 terraform-aws/main.tf | 13 +--
 terraform-aws/singlenode.tf | 2 -
 terraform-aws/variables.tf | 5 ++
 terraform-aws/vpc.tf | 10 +--
 terraform-gcp/main.tf | 1 +
 terraform-gcp/variables.tf | 5 ++
 16 files changed, 161 insertions(+), 113 deletions(-)
 create mode 100644 terraform-aws/lock.old
diff --git a/.gitignore b/.gitignore
index b4caa37..c17f634 100644
--- a/.gitignore
+++ b/.gitignore
@@ -9,3 +9,5 @@ cluster_bootstrap_state
 gcp-account.json
 *.iml
 id_rsa.pub
+packer-es-manifest.json
+packer-kb-manifest.json
diff --git a/assets/scripts/bootstrap.sh b/assets/scripts/bootstrap.sh
index 34e2d0e..5436fc1 100644
--- a/assets/scripts/bootstrap.sh
+++ b/assets/scripts/bootstrap.sh
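Review bot: Both new ingress rules on the `vpc-endpoint` security group keep `cidr_blocks = ["0.0.0.0/0"]`, so the scoping gained by replacing `protocol = "-1"` with ports 9200 and 5601 is per port only, not per source. If this group is attached to an interface endpoint, as its name suggests, it only ever receives traffic from inside the VPC or from networks routed into it (peering, VPN, transit gateway), and the source should be the VPC itself: `cidr_blocks = [data.aws_vpc.selected.cidr_block]`, using the `aws_vpc` data source already declared at the top of this file. The same `0.0.0.0/0` survives the later rewrite of these two rules to ports 80 and 443 in PATCH 4/9 (the `vpc.tf` hunk `@@ -31,19 +31,19 @@`), so it should be tightened there as well. The `egress` block and the resource's closing brace are outside the hunk.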
@@ -29,9 +29,11 @@ set -e set +e /opt/cloud-deploy-scripts/$cloud_provider/config-cluster.sh - -if [ "$cloud_provider" == "aws" ]; then - shutdown -h now -elif [ "$cloud_provider" == "gcp" ]; then - gcloud compute instances delete $HOSTNAME --zone $GCP_ZONE --quiet +if [ "$debug_bootstrap" == "false" ] +then + if [ "$cloud_provider" == "aws" ]; then + shutdown -h now + elif [ "$cloud_provider" == "gcp" ]; then + gcloud compute instances delete $HOSTNAME --zone $GCP_ZONE --quiet + fi fi diff --git a/packer/elasticsearch8-node.packer.json b/packer/elasticsearch8-node.packer.json index 1554a1b..aff19d8 100644 --- a/packer/elasticsearch8-node.packer.json +++ b/packer/elasticsearch8-node.packer.json @@ -105,5 +105,11 @@ "type": "shell", "script": "install-custom.sh" } + ], + "post-processors": [ + { + "type": "manifest", + "output": "packer-es-manifest.json" + } ] } diff --git a/packer/kibana8-node.packer.json b/packer/kibana8-node.packer.json index 19f4163..3288850 100644 --- a/packer/kibana8-node.packer.json +++ b/packer/kibana8-node.packer.json @@ -69,5 +69,11 @@ "environment_vars": [ "ES_VERSION={{user `elasticsearch_version`}}" ], "execute_command": "echo '' | {{ .Vars }} sudo -E -S sh '{{ .Path }}'" } + ], + "post-processors": [ + { + "type": "manifest", + "output": "packer-kb-manifest.json" + } ] } diff --git a/templates/aws_user_data.sh b/templates/aws_user_data.sh index 78b7813..9f0404d 100644 --- a/templates/aws_user_data.sh +++ b/templates/aws_user_data.sh @@ -35,5 +35,6 @@ export log_size="${log_size}" export security_encryption_key="${security_encryption_key}" export reporting_encryption_key="${reporting_encryption_key}" export saved_objects_encryption_key="${saved_objects_encryption_key}" +export debug_bootstrap="${debug_bootstrap}" /opt/cloud-deploy-scripts/${startup_script} diff --git a/templates/gcp_user_data.sh b/templates/gcp_user_data.sh index 3cf3212..18ac4b7 100644 --- a/templates/gcp_user_data.sh +++ b/templates/gcp_user_data.sh 
@@ -37,6 +37,7 @@ export log_size="${log_size}" export security_encryption_key="${security_encryption_key}" export reporting_encryption_key="${reporting_encryption_key}" export saved_objects_encryption_key="${saved_objects_encryption_key}" +export debug_bootstrap="${debug_bootstrap}" /opt/cloud-deploy-scripts/${startup_script} diff --git a/terraform-aws/alb.tf b/terraform-aws/alb.tf index 4fc2a7b..b42e250 100644 --- a/terraform-aws/alb.tf +++ b/terraform-aws/alb.tf @@ -26,32 +26,6 @@ resource "aws_security_group_rule" "elasticsearch-alb-sg-egress-rule-all" { security_group_id = aws_security_group.elasticsearch-alb-sg.id } - - -# allow Cerebro port access -resource "aws_security_group_rule" "elasticsearch-alb-sg-ingress-rule-cerebro" { - count = length(keys(var.clients_count)) > 0 || local.singlenode_mode ? 1 : 0 - type = "ingress" - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] - from_port = 9000 - to_port = 9000 - - security_group_id = aws_security_group.elasticsearch-alb-sg.id -} - -# allow Grafana port access -resource "aws_security_group_rule" "elasticsearch-alb-sg-ingress-rule-grafana" { - count = length(keys(var.clients_count)) > 0 || local.singlenode_mode ? 1 : 0 - type = "ingress" - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] - from_port = 3000 - to_port = 3000 - - security_group_id = aws_security_group.elasticsearch-alb-sg.id -} - # allow Kibana port access resource "aws_security_group_rule" "elasticsearch-alb-sg-ingress-rule-kibana" { count = length(keys(var.clients_count)) > 0 || local.singlenode_mode ? 1 : 0 
@@ -102,42 +76,6 @@ resource "aws_lb_target_group" "kibana-p5601-tg" { } } -resource "aws_lb_target_group" "grafana-p3000-tg" { - count = length(keys(var.clients_count)) > 0 || local.singlenode_mode ? 1 : 0 - name = "${var.es_cluster}-p3000-tg" - port = 3000 - protocol = "HTTP" - vpc_id = var.vpc_id - - health_check { - healthy_threshold = 5 - unhealthy_threshold = 2 - timeout = 5 - path = "/" - port = 3000 - interval = 15 - matcher = "302" - } -} - -resource "aws_lb_target_group" "cerebro-p9000-tg" { - count = length(keys(var.clients_count)) > 0 || local.singlenode_mode ? 1 : 0 - name = "${var.es_cluster}-p9000-tg" - port = 9000 - protocol = "HTTP" - vpc_id = var.vpc_id - - health_check { - healthy_threshold = 5 - unhealthy_threshold = 2 - timeout = 5 - path = "/" - port = 9000 - interval = 15 - matcher = "303" - } -} - resource "aws_lb" "elasticsearch-alb" { name = "${var.es_cluster}-alb" internal = ! var.public_facing @@ -175,27 +113,3 @@ resource "aws_lb_listener" "kibana" { target_group_arn = aws_lb_target_group.kibana-p5601-tg[0].arn } } - -resource "aws_lb_listener" "grafana" { - count = length(keys(var.clients_count)) > 0 || local.singlenode_mode ? 1 : 0 - load_balancer_arn = aws_lb.elasticsearch-alb.arn - port = "3000" - protocol = "HTTP" - - default_action { - type = "forward" - target_group_arn = aws_lb_target_group.grafana-p3000-tg[0].arn - } -} - -resource "aws_lb_listener" "cerebro" { - count = length(keys(var.clients_count)) > 0 || local.singlenode_mode ? 1 : 0 - load_balancer_arn = aws_lb.elasticsearch-alb.arn - port = "9000" - protocol = "HTTP" - - default_action { - type = "forward" - target_group_arn = aws_lb_target_group.cerebro-p9000-tg[0].arn - } -} diff --git a/terraform-aws/certs.tf b/terraform-aws/certs.tf index 38cbf69..2252cec 100644 --- a/terraform-aws/certs.tf +++ b/terraform-aws/certs.tf 
@@ -1,6 +1,7 @@
 locals {
 cert_common_name = "elasticsearch-cloud-deploy autogenerated CA"
 validity_period_hours = 365 * 24
+ early_renewal_hours = 30 * 24
 }
 resource "tls_private_key" "ca" {
@@ -20,6 +21,7 @@ resource "tls_self_signed_cert" "ca" {
 }
 validity_period_hours = local.validity_period_hours
+ early_renewal_hours = local.early_renewal_hours
 is_ca_certificate = true
 allowed_uses = [
@@ -56,6 +58,7 @@ resource "tls_locally_signed_cert" "node" {
 ca_cert_pem = join("", tls_self_signed_cert.ca[*].cert_pem)
 validity_period_hours = local.validity_period_hours
+ early_renewal_hours = local.early_renewal_hours
 allowed_uses = [
 "key_encipherment",
@@ -63,4 +66,4 @@ resource "tls_locally_signed_cert" "node" {
 "server_auth",
 "client_auth"
 ]
-}
\ No newline at end of file
+}
diff --git a/terraform-aws/client.tf b/terraform-aws/client.tf
index b631d0d..fd68ec2 100644
--- a/terraform-aws/client.tf
+++ b/terraform-aws/client.tf
@@ -47,8 +47,6 @@ resource "aws_autoscaling_group" "client_nodes" {
 target_group_arns = [
 aws_lb_target_group.esearch-p9200-tg.arn,
 aws_lb_target_group.kibana-p5601-tg[0].arn,
- aws_lb_target_group.grafana-p3000-tg[0].arn,
- aws_lb_target_group.cerebro-p9000-tg[0].arn,
 ]
 launch_template {
diff --git a/terraform-aws/lock.old b/terraform-aws/lock.old
new file mode 100644
index 0000000..e8a42bf
--- /dev/null
+++ b/terraform-aws/lock.old
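Review bot: Adding `early_renewal_hours` to `tls_self_signed_cert.ca` means any `terraform apply` run within 30 days of CA expiry replaces the CA, and because `tls_locally_signed_cert.node` takes `ca_cert_pem` from it, the node certificate is re-issued in the same apply. Nothing in these hunks rolls that material out to running instances: the certificates reach nodes through user-data (the `ca_cert`/`node_cert`/`node_key` locals visible in the GCP module; presumably the AWS module does the same), so instances launched after such an apply trust a different CA than the ones already running, which can split TLS inside the cluster until every node has been replaced. That operational requirement deserves a comment next to the new local, e.g. `# renewal also replaces the CA; replace every node instance after an apply that regenerates certs`, and tying the launch template to the certificate content so the replacement is forced is worth considering. The `allowed_uses` lists and the key resources are outside the hunks.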
@@ -0,0 +1,117 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "5.37.0" + hashes = [ + "h1:CQeYyWigNz838zjXKYH9VDkpjqlGB0phcM742YXiNh4=", + "zh:00f40a3d9593476693a7a72d993fd289f7be374fe3f2799776c6296eb6ff890a", + "zh:1010a9fbf55852a8da3473de4ec0f1fcf29efa85d66f61cbe2b086dbbd7747ae", + "zh:103a5674d1eb1cff05fe35e9baa9875afd18d740868b63f9c0c25eadb5eb4eb7", + "zh:270ac1b7a1327c1456a43df44c0b5cc3e26ed6d8861a709adeea1da684a563f5", + "zh:424362c02c8917c0586f3dd49aca27b7e0c21f5a23374b7045e9be3b5646c028", + "zh:549fa2ea187964ab9a0c354310947ead30e09b3199db1ff377c21d7547d78299", + "zh:6492d2ccc7f7d60e83cd8b7244adc53f30efc17d84b1ffc1b8fd6c385f8255fd", + "zh:66fb7b3b8a357071d26c5996c16d426edf07502a05ac86f4a6f73646ee7d1bbb", + "zh:6ecc05fb466d06ea8945564d2cdb8c2a8827d8cfca1550e9fb7eac0e95920196", + "zh:7932360b627b211dad937d278a8692a6c52bd6c0a71e4ec9e94ccbe825053822", + "zh:97ed1b4a18842c4d56a735329e87b4ef91a47e820e5a5c3c2dd64e293408bfc8", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:d5e022052011e1984b9c2f8bc5a6b05c909e3b5bf40c3baddf191bf90e3169c2", + "zh:d7e9488b2ce5904efb91c8577b3fe9b0cd599c4cd508f1f163f292930f54fdf0", + "zh:e57cd93d5cd81dd0f446076af6e47a53ce83df2947ec64ed39a1090d4bdf8f0b", + ] +} + +provider "registry.terraform.io/hashicorp/local" { + version = "2.4.1" + hashes = [ + "h1:V2G4qygMV0uHy+QTMlrjSyYgzpYmYyB6gWuE09+5CPI=", + "zh:244b445bf34ddbd167731cc6c6b95bbed231dc4493f8cc34bd6850cfe1f78528", + "zh:3c330bdb626123228a0d1b1daa6c741b4d5d484ab1c7ae5d2f48d4c9885cc5e9", + "zh:5ff5f9b791ddd7557e815449173f2db38d338e674d2d91800ac6e6d808de1d1d", + "zh:70206147104f4bf26ae67d730c995772f85bf23e28c2c2e7612c74f4dae3c46f", + "zh:75029676993accd6bef933c196b2fad51a9ec8a69a847dbbe96ec8ebf7926cdc", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + 
"zh:7d48d5999fe1fcdae9295a7c3448ac1541f5a24c474bd82df6d4fa3732483f2b", + "zh:b766b38b027f0f84028244d1c2f990431a37d4fc3ac645962924554016507e77", + "zh:bfc7ad301dada204cf51c59d8bd6a9a87de5fddb42190b4d6ba157d6e08a1f10", + "zh:c902b527702a8c5e2c25a6637d07bbb1690cb6c1e63917a5f6dc460efd18d43f", + "zh:d68ae0e1070cf429c46586bc87580c3ed113f76241da2b6e4f1a8348126b3c46", + "zh:f4903fd89f7c92a346ae9e666c2d0b6884c4474ae109e9b4bd15e7efaa4bfc29", + ] +} + +provider "registry.terraform.io/hashicorp/null" { + version = "3.2.2" + hashes = [ + "h1:vWAsYRd7MjYr3adj8BVKRohVfHpWQdvkIwUQ2Jf5FVM=", + "zh:3248aae6a2198f3ec8394218d05bd5e42be59f43a3a7c0b71c66ec0df08b69e7", + "zh:32b1aaa1c3013d33c245493f4a65465eab9436b454d250102729321a44c8ab9a", + "zh:38eff7e470acb48f66380a73a5c7cdd76cc9b9c9ba9a7249c7991488abe22fe3", + "zh:4c2f1faee67af104f5f9e711c4574ff4d298afaa8a420680b0cb55d7bbc65606", + "zh:544b33b757c0b954dbb87db83a5ad921edd61f02f1dc86c6186a5ea86465b546", + "zh:696cf785090e1e8cf1587499516b0494f47413b43cb99877ad97f5d0de3dc539", + "zh:6e301f34757b5d265ae44467d95306d61bef5e41930be1365f5a8dcf80f59452", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:913a929070c819e59e94bb37a2a253c228f83921136ff4a7aa1a178c7cce5422", + "zh:aa9015926cd152425dbf86d1abdbc74bfe0e1ba3d26b3db35051d7b9ca9f72ae", + "zh:bb04798b016e1e1d49bcc76d62c53b56c88c63d6f2dfe38821afef17c416a0e1", + "zh:c23084e1b23577de22603cff752e59128d83cfecc2e6819edadd8cf7a10af11e", + ] +} + +provider "registry.terraform.io/hashicorp/random" { + version = "3.6.0" + hashes = [ + "h1:p6WG1IPHnqx1fnJVKNjv733FBaArIugqy58HRZnpPCk=", + "zh:03360ed3ecd31e8c5dac9c95fe0858be50f3e9a0d0c654b5e504109c2159287d", + "zh:1c67ac51254ba2a2bb53a25e8ae7e4d076103483f55f39b426ec55e47d1fe211", + "zh:24a17bba7f6d679538ff51b3a2f378cedadede97af8a1db7dad4fd8d6d50f829", + "zh:30ffb297ffd1633175d6545d37c2217e2cef9545a6e03946e514c59c0859b77d", + "zh:454ce4b3dbc73e6775f2f6605d45cee6e16c3872a2e66a2c97993d6e5cbd7055", + 
"zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:91df0a9fab329aff2ff4cf26797592eb7a3a90b4a0c04d64ce186654e0cc6e17", + "zh:aa57384b85622a9f7bfb5d4512ca88e61f22a9cea9f30febaa4c98c68ff0dc21", + "zh:c4a3e329ba786ffb6f2b694e1fd41d413a7010f3a53c20b432325a94fa71e839", + "zh:e2699bc9116447f96c53d55f2a00570f982e6f9935038c3810603572693712d0", + "zh:e747c0fd5d7684e5bfad8aa0ca441903f15ae7a98a737ff6aca24ba223207e2c", + "zh:f1ca75f417ce490368f047b63ec09fd003711ae48487fba90b4aba2ccf71920e", + ] +} + +provider "registry.terraform.io/hashicorp/template" { + version = "2.2.0" + hashes = [ + "h1:0wlehNaxBX7GJQnPfQwTNvvAf38Jm0Nv7ssKGMaG6Og=", + "zh:01702196f0a0492ec07917db7aaa595843d8f171dc195f4c988d2ffca2a06386", + "zh:09aae3da826ba3d7df69efeb25d146a1de0d03e951d35019a0f80e4f58c89b53", + "zh:09ba83c0625b6fe0a954da6fbd0c355ac0b7f07f86c91a2a97849140fea49603", + "zh:0e3a6c8e16f17f19010accd0844187d524580d9fdb0731f675ffcf4afba03d16", + "zh:45f2c594b6f2f34ea663704cc72048b212fe7d16fb4cfd959365fa997228a776", + "zh:77ea3e5a0446784d77114b5e851c970a3dde1e08fa6de38210b8385d7605d451", + "zh:8a154388f3708e3df5a69122a23bdfaf760a523788a5081976b3d5616f7d30ae", + "zh:992843002f2db5a11e626b3fc23dc0c87ad3729b3b3cff08e32ffb3df97edbde", + "zh:ad906f4cebd3ec5e43d5cd6dc8f4c5c9cc3b33d2243c89c5fc18f97f7277b51d", + "zh:c979425ddb256511137ecd093e23283234da0154b7fa8b21c2687182d9aea8b2", + ] +} + +provider "registry.terraform.io/hashicorp/tls" { + version = "3.1.0" + constraints = "3.1.0" + hashes = [ + "h1:XTU9f6sGMZHOT8r/+LWCz2BZOPH127FBTPjMMEAAu1U=", + "zh:3d46616b41fea215566f4a957b6d3a1aa43f1f75c26776d72a98bdba79439db6", + "zh:623a203817a6dafa86f1b4141b645159e07ec418c82fe40acd4d2a27543cbaa2", + "zh:668217e78b210a6572e7b0ecb4134a6781cc4d738f4f5d09eb756085b082592e", + "zh:95354df03710691773c8f50a32e31fca25f124b7f3d6078265fdf3c4e1384dca", + "zh:9f97ab190380430d57392303e3f36f4f7835c74ea83276baa98d6b9a997c3698", + "zh:a16f0bab665f8d933e95ca055b9c8d5707f1a0dd8c8ecca6c13091f40dc1e99d", + 
"zh:be274d5008c24dc0d6540c19e22dbb31ee6bfdd0b2cddd4d97f3cd8a8d657841", + "zh:d5faa9dce0a5fc9d26b2463cea5be35f8586ab75030e7fa4d4920cd73ee26989", + "zh:e9b672210b7fb410780e7b429975adcc76dd557738ecc7c890ea18942eb321a5", + "zh:eb1f8368573d2370605d6dbf60f9aaa5b64e55741d96b5fb026dbfe91de67c0d", + "zh:fc1e12b713837b85daf6c3bb703d7795eaf1c5177aebae1afcf811dd7009f4b0", + ] +} diff --git a/terraform-aws/main.tf b/terraform-aws/main.tf index d80973a..94f7488 100644 --- a/terraform-aws/main.tf +++ b/terraform-aws/main.tf @@ -81,6 +81,7 @@ locals { security_encryption_key = random_string.security-encryption-key.result reporting_encryption_key = random_string.reporting-encryption-key.result saved_objects_encryption_key = random_string.saved-objects-encryption-key.result + debug_bootstrap = var.debug_bootstrap } } @@ -161,18 +162,6 @@ resource "aws_security_group" "elasticsearch_clients_security_group" { protocol = "tcp" security_groups = [aws_security_group.elasticsearch-alb-sg.id] } - ingress { - from_port = 3000 - to_port = 3000 - protocol = "tcp" - security_groups = [aws_security_group.elasticsearch-alb-sg.id] - } - ingress { - from_port = 9000 - to_port = 9000 - protocol = "tcp" - security_groups = [aws_security_group.elasticsearch-alb-sg.id] - } egress { from_port = 0 diff --git a/terraform-aws/singlenode.tf b/terraform-aws/singlenode.tf index 62ad1cc..21fbd24 100644 --- a/terraform-aws/singlenode.tf +++ b/terraform-aws/singlenode.tf @@ -45,8 +45,6 @@ resource "aws_autoscaling_group" "singlenode" { target_group_arns = [ aws_lb_target_group.esearch-p9200-tg.arn, aws_lb_target_group.kibana-p5601-tg[0].arn, - aws_lb_target_group.grafana-p3000-tg[0].arn, - aws_lb_target_group.cerebro-p9000-tg[0].arn, ] launch_template { diff --git a/terraform-aws/variables.tf b/terraform-aws/variables.tf index 5fb956d..6e464c1 100644 --- a/terraform-aws/variables.tf +++ b/terraform-aws/variables.tf 
@@ -206,3 +206,8 @@ variable "log_level" { description = "log4j log level" default = "INFO" } + +variable "debug_bootstrap" { + description = "prevent bootstrap node from shutting down" + default = false +} diff --git a/terraform-aws/vpc.tf b/terraform-aws/vpc.tf index de20623..8afecdf 100644 --- a/terraform-aws/vpc.tf +++ b/terraform-aws/vpc.tf @@ -31,19 +31,19 @@ resource "aws_security_group" "vpc-endpoint" { vpc_id = var.vpc_id ingress { - from_port = 9200 - to_port = 9200 + from_port = 80 + to_port = 80 protocol = "tcp" cidr_blocks = ["0.0.0.0/0"] } + ingress { - from_port = 5601 - to_port = 5601 + from_port = 443 + to_port = 443 protocol = "tcp" cidr_blocks = ["0.0.0.0/0"] } - egress { from_port = 0 to_port = 0 diff --git a/terraform-gcp/main.tf b/terraform-gcp/main.tf index 6587d7b..cf7bd7f 100644 --- a/terraform-gcp/main.tf +++ b/terraform-gcp/main.tf @@ -148,5 +148,6 @@ locals { security_encryption_key = random_string.security-encryption-key.result reporting_encryption_key = random_string.reporting-encryption-key.result saved_objects_encryption_key = random_string.saved-objects-encryption-key.result + debug_bootstrap = var.debug_bootstrap } } diff --git a/terraform-gcp/variables.tf b/terraform-gcp/variables.tf index f305420..518bc34 100644 --- a/terraform-gcp/variables.tf +++ b/terraform-gcp/variables.tf @@ -165,3 +165,8 @@ variable "log_level" { description = "log4j log level" default = "INFO" } + +variable "debug_bootstrap" { + description = "prevent bootstrap node from shutting down" + default = false +} From f0a38737e1f7bd8e69927ffba25875c97f380b2b Mon Sep 17 00:00:00 2001 From: shai Date: Sun, 24 Mar 2024 14:45:20 +0200 Subject: [PATCH 5/9] securing debug bootstrap logic --- assets/scripts/bootstrap.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/scripts/bootstrap.sh b/assets/scripts/bootstrap.sh index 5436fc1..a5b5157 100644 --- a/assets/scripts/bootstrap.sh +++ b/assets/scripts/bootstrap.sh 
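Review bot: `variable "debug_bootstrap"` is declared without a `type` in both the terraform-aws and terraform-gcp `variables.tf` hunks, so any tfvars value is accepted and rendered into user-data as a string, where `bootstrap.sh` only recognises the literal `true`. Add `type = bool` so a stray `"yes"` or `1` is rejected at plan time rather than silently coerced, and make the description state what the flag actually does to the deployment: `description = "Keep the bootstrap node running (and reachable) after cluster bootstrap instead of shutting it down; debugging only"`.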
@@ -29,7 +29,7 @@ set -e
 set +e
 /opt/cloud-deploy-scripts/$cloud_provider/config-cluster.sh
-if [ "$debug_bootstrap" == "false" ]
+if [ "$debug_bootstrap" != "true" ]
 then
 if [ "$cloud_provider" == "aws" ]; then
 shutdown -h now
From 1443ec931f7d465cc980df65c91181ad2c3763d9 Mon Sep 17 00:00:00 2001
From: shai
Date: Tue, 16 Jul 2024 14:09:16 +0300
Subject: [PATCH 6/9] deleting lock.old
---
 terraform-aws/lock.old | 117 -----------------------------------------
 1 file changed, 117 deletions(-)
 delete mode 100644 terraform-aws/lock.old
diff --git a/terraform-aws/lock.old b/terraform-aws/lock.old
deleted file mode 100644
index e8a42bf..0000000
--- a/terraform-aws/lock.old
+++ /dev/null
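Review bot: The inverted test now fails closed: an unset or empty `debug_bootstrap` (for instance a user-data template that predates the variable) shuts the bootstrap node down, where the previous `== "false"` left it running with Elasticsearch and the bootstrap password still on it. That intent is worth a comment above the `if` so the condition is not "simplified" back later: `# fail closed: only an explicit "true" keeps the bootstrap node alive`. The rest of the conditional, including the `gcp` branch, is outside the hunk.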
@@ -1,117 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/aws" { - version = "5.37.0" - hashes = [ - "h1:CQeYyWigNz838zjXKYH9VDkpjqlGB0phcM742YXiNh4=", - "zh:00f40a3d9593476693a7a72d993fd289f7be374fe3f2799776c6296eb6ff890a", - "zh:1010a9fbf55852a8da3473de4ec0f1fcf29efa85d66f61cbe2b086dbbd7747ae", - "zh:103a5674d1eb1cff05fe35e9baa9875afd18d740868b63f9c0c25eadb5eb4eb7", - "zh:270ac1b7a1327c1456a43df44c0b5cc3e26ed6d8861a709adeea1da684a563f5", - "zh:424362c02c8917c0586f3dd49aca27b7e0c21f5a23374b7045e9be3b5646c028", - "zh:549fa2ea187964ab9a0c354310947ead30e09b3199db1ff377c21d7547d78299", - "zh:6492d2ccc7f7d60e83cd8b7244adc53f30efc17d84b1ffc1b8fd6c385f8255fd", - "zh:66fb7b3b8a357071d26c5996c16d426edf07502a05ac86f4a6f73646ee7d1bbb", - "zh:6ecc05fb466d06ea8945564d2cdb8c2a8827d8cfca1550e9fb7eac0e95920196", - "zh:7932360b627b211dad937d278a8692a6c52bd6c0a71e4ec9e94ccbe825053822", - "zh:97ed1b4a18842c4d56a735329e87b4ef91a47e820e5a5c3c2dd64e293408bfc8", - "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:d5e022052011e1984b9c2f8bc5a6b05c909e3b5bf40c3baddf191bf90e3169c2", - "zh:d7e9488b2ce5904efb91c8577b3fe9b0cd599c4cd508f1f163f292930f54fdf0", - "zh:e57cd93d5cd81dd0f446076af6e47a53ce83df2947ec64ed39a1090d4bdf8f0b", - ] -} - -provider "registry.terraform.io/hashicorp/local" { - version = "2.4.1" - hashes = [ - "h1:V2G4qygMV0uHy+QTMlrjSyYgzpYmYyB6gWuE09+5CPI=", - "zh:244b445bf34ddbd167731cc6c6b95bbed231dc4493f8cc34bd6850cfe1f78528", - "zh:3c330bdb626123228a0d1b1daa6c741b4d5d484ab1c7ae5d2f48d4c9885cc5e9", - "zh:5ff5f9b791ddd7557e815449173f2db38d338e674d2d91800ac6e6d808de1d1d", - "zh:70206147104f4bf26ae67d730c995772f85bf23e28c2c2e7612c74f4dae3c46f", - "zh:75029676993accd6bef933c196b2fad51a9ec8a69a847dbbe96ec8ebf7926cdc", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - 
"zh:7d48d5999fe1fcdae9295a7c3448ac1541f5a24c474bd82df6d4fa3732483f2b", - "zh:b766b38b027f0f84028244d1c2f990431a37d4fc3ac645962924554016507e77", - "zh:bfc7ad301dada204cf51c59d8bd6a9a87de5fddb42190b4d6ba157d6e08a1f10", - "zh:c902b527702a8c5e2c25a6637d07bbb1690cb6c1e63917a5f6dc460efd18d43f", - "zh:d68ae0e1070cf429c46586bc87580c3ed113f76241da2b6e4f1a8348126b3c46", - "zh:f4903fd89f7c92a346ae9e666c2d0b6884c4474ae109e9b4bd15e7efaa4bfc29", - ] -} - -provider "registry.terraform.io/hashicorp/null" { - version = "3.2.2" - hashes = [ - "h1:vWAsYRd7MjYr3adj8BVKRohVfHpWQdvkIwUQ2Jf5FVM=", - "zh:3248aae6a2198f3ec8394218d05bd5e42be59f43a3a7c0b71c66ec0df08b69e7", - "zh:32b1aaa1c3013d33c245493f4a65465eab9436b454d250102729321a44c8ab9a", - "zh:38eff7e470acb48f66380a73a5c7cdd76cc9b9c9ba9a7249c7991488abe22fe3", - "zh:4c2f1faee67af104f5f9e711c4574ff4d298afaa8a420680b0cb55d7bbc65606", - "zh:544b33b757c0b954dbb87db83a5ad921edd61f02f1dc86c6186a5ea86465b546", - "zh:696cf785090e1e8cf1587499516b0494f47413b43cb99877ad97f5d0de3dc539", - "zh:6e301f34757b5d265ae44467d95306d61bef5e41930be1365f5a8dcf80f59452", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:913a929070c819e59e94bb37a2a253c228f83921136ff4a7aa1a178c7cce5422", - "zh:aa9015926cd152425dbf86d1abdbc74bfe0e1ba3d26b3db35051d7b9ca9f72ae", - "zh:bb04798b016e1e1d49bcc76d62c53b56c88c63d6f2dfe38821afef17c416a0e1", - "zh:c23084e1b23577de22603cff752e59128d83cfecc2e6819edadd8cf7a10af11e", - ] -} - -provider "registry.terraform.io/hashicorp/random" { - version = "3.6.0" - hashes = [ - "h1:p6WG1IPHnqx1fnJVKNjv733FBaArIugqy58HRZnpPCk=", - "zh:03360ed3ecd31e8c5dac9c95fe0858be50f3e9a0d0c654b5e504109c2159287d", - "zh:1c67ac51254ba2a2bb53a25e8ae7e4d076103483f55f39b426ec55e47d1fe211", - "zh:24a17bba7f6d679538ff51b3a2f378cedadede97af8a1db7dad4fd8d6d50f829", - "zh:30ffb297ffd1633175d6545d37c2217e2cef9545a6e03946e514c59c0859b77d", - "zh:454ce4b3dbc73e6775f2f6605d45cee6e16c3872a2e66a2c97993d6e5cbd7055", - 
"zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:91df0a9fab329aff2ff4cf26797592eb7a3a90b4a0c04d64ce186654e0cc6e17", - "zh:aa57384b85622a9f7bfb5d4512ca88e61f22a9cea9f30febaa4c98c68ff0dc21", - "zh:c4a3e329ba786ffb6f2b694e1fd41d413a7010f3a53c20b432325a94fa71e839", - "zh:e2699bc9116447f96c53d55f2a00570f982e6f9935038c3810603572693712d0", - "zh:e747c0fd5d7684e5bfad8aa0ca441903f15ae7a98a737ff6aca24ba223207e2c", - "zh:f1ca75f417ce490368f047b63ec09fd003711ae48487fba90b4aba2ccf71920e", - ] -} - -provider "registry.terraform.io/hashicorp/template" { - version = "2.2.0" - hashes = [ - "h1:0wlehNaxBX7GJQnPfQwTNvvAf38Jm0Nv7ssKGMaG6Og=", - "zh:01702196f0a0492ec07917db7aaa595843d8f171dc195f4c988d2ffca2a06386", - "zh:09aae3da826ba3d7df69efeb25d146a1de0d03e951d35019a0f80e4f58c89b53", - "zh:09ba83c0625b6fe0a954da6fbd0c355ac0b7f07f86c91a2a97849140fea49603", - "zh:0e3a6c8e16f17f19010accd0844187d524580d9fdb0731f675ffcf4afba03d16", - "zh:45f2c594b6f2f34ea663704cc72048b212fe7d16fb4cfd959365fa997228a776", - "zh:77ea3e5a0446784d77114b5e851c970a3dde1e08fa6de38210b8385d7605d451", - "zh:8a154388f3708e3df5a69122a23bdfaf760a523788a5081976b3d5616f7d30ae", - "zh:992843002f2db5a11e626b3fc23dc0c87ad3729b3b3cff08e32ffb3df97edbde", - "zh:ad906f4cebd3ec5e43d5cd6dc8f4c5c9cc3b33d2243c89c5fc18f97f7277b51d", - "zh:c979425ddb256511137ecd093e23283234da0154b7fa8b21c2687182d9aea8b2", - ] -} - -provider "registry.terraform.io/hashicorp/tls" { - version = "3.1.0" - constraints = "3.1.0" - hashes = [ - "h1:XTU9f6sGMZHOT8r/+LWCz2BZOPH127FBTPjMMEAAu1U=", - "zh:3d46616b41fea215566f4a957b6d3a1aa43f1f75c26776d72a98bdba79439db6", - "zh:623a203817a6dafa86f1b4141b645159e07ec418c82fe40acd4d2a27543cbaa2", - "zh:668217e78b210a6572e7b0ecb4134a6781cc4d738f4f5d09eb756085b082592e", - "zh:95354df03710691773c8f50a32e31fca25f124b7f3d6078265fdf3c4e1384dca", - "zh:9f97ab190380430d57392303e3f36f4f7835c74ea83276baa98d6b9a997c3698", - "zh:a16f0bab665f8d933e95ca055b9c8d5707f1a0dd8c8ecca6c13091f40dc1e99d", - 
"zh:be274d5008c24dc0d6540c19e22dbb31ee6bfdd0b2cddd4d97f3cd8a8d657841", - "zh:d5faa9dce0a5fc9d26b2463cea5be35f8586ab75030e7fa4d4920cd73ee26989", - "zh:e9b672210b7fb410780e7b429975adcc76dd557738ecc7c890ea18942eb321a5", - "zh:eb1f8368573d2370605d6dbf60f9aaa5b64e55741d96b5fb026dbfe91de67c0d", - "zh:fc1e12b713837b85daf6c3bb703d7795eaf1c5177aebae1afcf811dd7009f4b0", - ] -} From fde252e213fe8ca48c19e7a985e71eafcc9c8fc4 Mon Sep 17 00:00:00 2001 From: shai Date: Tue, 13 Aug 2024 19:11:45 +0300 Subject: [PATCH 7/9] templatefile,disk attachment, ubuntu image fixes --- assets/scripts/aws/autoattach-disk.sh | 4 ++-- packer/elasticsearch8-node.packer.json | 2 +- packer/install-elasticsearch8.sh | 1 + terraform-aws/client.tf | 13 ++++--------- terraform-aws/datas-voters.tf | 15 +++++---------- terraform-aws/datas.tf | 13 ++++--------- terraform-aws/iam.tf | 13 +++---------- terraform-aws/main.tf | 4 +--- terraform-aws/masters.tf | 26 ++++++++------------------ terraform-aws/singlenode.tf | 13 ++++--------- 10 files changed, 33 insertions(+), 71 deletions(-) diff --git a/assets/scripts/aws/autoattach-disk.sh b/assets/scripts/aws/autoattach-disk.sh index 32e7280..621e330 100644 --- a/assets/scripts/aws/autoattach-disk.sh +++ b/assets/scripts/aws/autoattach-disk.sh @@ -28,7 +28,7 @@ echo 'Waiting for 30 seconds for the disk to become mountable...' sleep 30 sudo mkdir -p $elasticsearch_data_dir -export DEVICE_NAME=$(lsblk -ip | tail -n +2 | awk '{print $1 " " ($7? "MOUNTEDPART" : "") }' | sed ':a;N;$!ba;s/\n`/ /g' | grep -v MOUNTEDPART) +export DEVICE_NAME=$(lsblk -ip | tail -n +2 | awk '{print $1 " " ($7? "MOUNTEDPART" : "") }' | sed ':a;N;$!ba;s/\n`/ /g' | sed ':a;N;$!ba;s/\n|-/ /g' | grep -v MOUNTEDPART) if sudo mount -o defaults -t ext4 $DEVICE_NAME $elasticsearch_data_dir; then echo 'Successfully mounted existing disk' else 
@@ -37,4 +37,4 @@ else sudo mount -o defaults -t ext4 $DEVICE_NAME $elasticsearch_data_dir && echo 'Successfully mounted a fresh disk' fi echo "$DEVICE_NAME $elasticsearch_data_dir ext4 defaults,nofail 0 2" | sudo tee -a /etc/fstab -sudo chown -R elasticsearch:elasticsearch $elasticsearch_data_dir \ No newline at end of file +sudo chown -R elasticsearch:elasticsearch $elasticsearch_data_dir diff --git a/packer/elasticsearch8-node.packer.json b/packer/elasticsearch8-node.packer.json index 2c144e7..c0c9b43 100644 --- a/packer/elasticsearch8-node.packer.json +++ b/packer/elasticsearch8-node.packer.json @@ -15,7 +15,7 @@ "source_ami_filter": { "filters": { "virtualization-type": "hvm", - "name": "*ubuntu-jammy-22.04-amd64-server-*", + "name": "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server*", "root-device-type": "ebs" }, "owners": ["099720109477"], diff --git a/packer/install-elasticsearch8.sh b/packer/install-elasticsearch8.sh index c44ef32..c154805 100644 --- a/packer/install-elasticsearch8.sh +++ b/packer/install-elasticsearch8.sh @@ -21,3 +21,4 @@ chown elasticsearch:elasticsearch /usr/share/elasticsearch/data mv elasticsearch.yml /etc/elasticsearch/elasticsearch.yml chown elasticsearch:elasticsearch /etc/elasticsearch/elasticsearch.yml +systemctl disable elasticsearch diff --git a/terraform-aws/client.tf b/terraform-aws/client.tf index fd68ec2..61237a5 100644 --- a/terraform-aws/client.tf +++ b/terraform-aws/client.tf 
@@ -1,16 +1,11 @@ -data "template_file" "client_userdata_script" { - template = file("${path.module}/../templates/aws_user_data.sh") - vars = merge(local.user_data_common, { - startup_script = "client.sh", - heap_size = var.client_heap_size - }) -} - resource "aws_launch_template" "client" { name_prefix = "elasticsearch-${var.es_cluster}-client-nodes" image_id = data.aws_ami.kibana_client.id instance_type = var.master_instance_type - user_data = base64encode(data.template_file.client_userdata_script.rendered) + user_data = base64encode(templatefile("${path.module}/../templates/aws_user_data.sh",merge(local.user_data_common, { + startup_script = "client.sh", + heap_size = var.client_heap_size + }))) key_name = var.key_name iam_instance_profile { diff --git a/terraform-aws/datas-voters.tf b/terraform-aws/datas-voters.tf index 2879622..df640ab 100644 --- a/terraform-aws/datas-voters.tf +++ b/terraform-aws/datas-voters.tf @@ -1,17 +1,12 @@ -data "template_file" "data_voters_userdata_script" { - template = file("${path.module}/../templates/aws_user_data.sh") - vars = merge(local.user_data_common, { - heap_size = var.data_heap_size - is_voting_only = "true" - startup_script = "data.sh" - }) -} - resource "aws_launch_template" "data_voters" { name_prefix = "elasticsearch-${var.es_cluster}-data-voters-nodes" image_id = data.aws_ami.elasticsearch.id instance_type = var.data_instance_type - user_data = base64encode(data.template_file.data_voters_userdata_script.rendered) + user_data = base64encode(templatefile("${path.module}/../templates/aws_user_data.sh",merge(local.user_data_common, { + heap_size = var.data_heap_size + is_voting_only = "true" + startup_script = "data.sh" + }))) key_name = var.key_name ebs_optimized = var.ebs_optimized diff --git a/terraform-aws/datas.tf b/terraform-aws/datas.tf index bf80f8f..d271c2f 100644 --- a/terraform-aws/datas.tf +++ b/terraform-aws/datas.tf 
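Review bot: The path `"${path.module}/../templates/aws_user_data.sh"` and the `base64encode(templatefile(..., merge(local.user_data_common, {...})))` wrapper are now repeated verbatim in client.tf, datas-voters.tf, datas.tf, masters.tf (twice) and singlenode.tf; one local, e.g. `user_data_template = "${path.module}/../templates/aws_user_data.sh"` in the `locals` block of main.tf, keeps the six call sites in step when the template moves. Style: `templatefile(...,merge(` lacks the space after the comma used elsewhere in these files. The `aws_launch_template` resources continue outside the hunks.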
@@ -1,16 +1,11 @@ -data "template_file" "data_userdata_script" { - template = file("${path.module}/../templates/aws_user_data.sh") - vars = merge(local.user_data_common, { - startup_script = "data.sh", - heap_size = var.data_heap_size - }) -} - resource "aws_launch_template" "data" { name_prefix = "elasticsearch-${var.es_cluster}-data-nodes" image_id = data.aws_ami.elasticsearch.id instance_type = var.data_instance_type - user_data = base64encode(data.template_file.data_userdata_script.rendered) + user_data = base64encode(templatefile("${path.module}/../templates/aws_user_data.sh",merge(local.user_data_common, { + startup_script = "data.sh", + heap_size = var.data_heap_size + }))) key_name = var.key_name ebs_optimized = var.ebs_optimized diff --git a/terraform-aws/iam.tf b/terraform-aws/iam.tf index 1137d6a..64bdab9 100644 --- a/terraform-aws/iam.tf +++ b/terraform-aws/iam.tf @@ -1,11 +1,3 @@ -data "template_file" "data_s3_backup" { - template = file("${path.module}/../assets/s3-backup.json") - - vars = { - s3_backup_bucket = var.s3_backup_bucket - } -} - resource "aws_iam_role" "elasticsearch" { name = "${var.es_cluster}-elasticsearch-discovery-role" assume_role_policy = file("${path.module}/../assets/ec2-role-trust-policy.json") @@ -22,7 +14,9 @@ resource "aws_iam_role_policy" "elasticsearch" { resource "aws_iam_role_policy" "s3_backup" { count = var.s3_backup_bucket != "" ? 1 : 0 name = "${var.es_cluster}-elasticsearch-backup-policy" - policy = data.template_file.data_s3_backup.rendered + policy = templatefile("${path.module}/../assets/s3-backup.json",{ + s3_backup_bucket = var.s3_backup_bucket + }) role = aws_iam_role.elasticsearch.id } @@ -31,4 +25,3 @@ resource "aws_iam_instance_profile" "elasticsearch" { path = "/" role = aws_iam_role.elasticsearch.name } - diff --git a/terraform-aws/main.tf b/terraform-aws/main.tf index 73597ec..bbad094 100644 --- a/terraform-aws/main.tf +++ b/terraform-aws/main.tf 
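Review bot: `aws_iam_role_policy.s3_backup` now renders its policy with `templatefile` over `assets/s3-backup.json`, which splices `var.s3_backup_bucket` into a JSON document as raw text; Terraform's guidance for JSON templates is to build the document with `jsonencode(...)` inside the template so an unexpected character in the input cannot yield an invalid or broader policy. The policy body is not in the diff, so whether its resources are limited to `arn:aws:s3:::${s3_backup_bucket}` and `${s3_backup_bucket}/*` cannot be checked here. A `validation` block on `s3_backup_bucket` restricting it to the bucket-name character set, e.g. `condition = can(regex("^[a-z0-9.-]*$", var.s3_backup_bucket))`, is a cheap guard either way.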
@@ -22,8 +22,6 @@ resource "random_string" "saved-objects-encryption-key" { } locals { -# masters_count = length(flatten([for _, count in var.masters_count : range(count)])) # sum(...) going to be added to TF0.12 soon - masters_count = sum(concat(values(var.masters_count), values(var.data_voters_count))) all_availability_zones = compact(tolist(setunion( keys(var.masters_count), keys(var.datas_count), @@ -47,7 +45,7 @@ locals { singlenode_mode = (length(keys(var.masters_count)) + length(keys(var.datas_count)) + length(keys(var.data_voters_count)) + length(keys(var.clients_count))) == 0 singlenode_subnet_id = local.singlenode_mode ? local.cluster_subnet_ids[var.singlenode_az][0] : "" - + masters_count = local.singlenode_mode ? 0 : sum(concat(values(var.masters_count), values(var.data_voters_count))) is_cluster_bootstrapped = data.local_file.cluster_bootstrap_state.content == "1" || !var.requires_bootstrapping user_data_common = { diff --git a/terraform-aws/masters.tf b/terraform-aws/masters.tf index c5a163b..0ffa17a 100644 --- a/terraform-aws/masters.tf +++ b/terraform-aws/masters.tf 
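Review bot: The moved `masters_count` line skips `sum(...)` only when `local.singlenode_mode` is true, and that mode requires all four count maps to be empty; if a layout with data or client nodes but no masters and no data voters is allowed, `sum` still receives an empty list, which Terraform rejects rather than returning 0. Guarding on the list itself covers both cases, e.g. `masters_count = length(local.master_counts) == 0 ? 0 : sum(local.master_counts)` with `master_counts = concat(values(var.masters_count), values(var.data_voters_count))` as a sibling local. The `locals` block continues outside the hunk.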
@@ -2,27 +2,14 @@ data "local_file" "cluster_bootstrap_state" { filename = "${path.module}/cluster_bootstrap_state" } -data "template_file" "master_userdata_script" { - template = file("${path.module}/../templates/aws_user_data.sh") - vars = merge(local.user_data_common, { - startup_script = "master.sh", - heap_size = var.master_heap_size - }) -} - -data "template_file" "bootstrap_userdata_script" { - template = file("${path.module}/../templates/aws_user_data.sh") - vars = merge(local.user_data_common, { - startup_script = "bootstrap.sh", - heap_size = var.master_heap_size - }) -} - resource "aws_launch_template" "master" { name_prefix = "elasticsearch-${var.es_cluster}-master-nodes" image_id = data.aws_ami.elasticsearch.id instance_type = var.master_instance_type - user_data = base64encode(data.template_file.master_userdata_script.rendered) + user_data = base64encode(templatefile("${path.module}/../templates/aws_user_data.sh",merge(local.user_data_common, { + startup_script = "master.sh", + heap_size = var.master_heap_size + }))) key_name = var.key_name iam_instance_profile { @@ -103,7 +90,10 @@ resource "aws_instance" "bootstrap_node" { var.additional_security_groups, ) iam_instance_profile = aws_iam_instance_profile.elasticsearch.id - user_data = data.template_file.bootstrap_userdata_script.rendered + user_data = base64encode(templatefile("${path.module}/../templates/aws_user_data.sh",merge(local.user_data_common, { + startup_script = "bootstrap.sh", + heap_size = var.master_heap_size + }))) key_name = var.key_name subnet_id = local.bootstrap_node_subnet_id diff --git a/terraform-aws/singlenode.tf b/terraform-aws/singlenode.tf index 21fbd24..96d5d62 100644 --- a/terraform-aws/singlenode.tf +++ b/terraform-aws/singlenode.tf 
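Review bot: `aws_instance.bootstrap_node` now receives `base64encode(templatefile(...))` through `user_data`, the same expression the launch templates use; for `aws_instance`, however, `user_data` is the plain-text attribute the provider encodes itself and `user_data_base64` is the one that takes pre-encoded data. The provider does skip re-encoding when a value already looks like base64, so this likely works, but that is a heuristic, and `user_data_base64 = base64encode(templatefile(...))` states the intent explicitly. The resource block continues outside the hunk.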
@@ -1,16 +1,11 @@ -data "template_file" "singlenode_userdata_script" { - template = file("${path.module}/../templates/aws_user_data.sh") - vars = merge(local.user_data_common, { - startup_script = "singlenode.sh", - heap_size = var.master_heap_size - }) -} - resource "aws_launch_template" "single_node" { name_prefix = "elasticsearch-${var.es_cluster}-single-node" image_id = data.aws_ami.kibana_client.id instance_type = var.data_instance_type - user_data = base64encode(data.template_file.singlenode_userdata_script.rendered) + user_data = base64encode(templatefile("${path.module}/../templates/aws_user_data.sh",merge(local.user_data_common, { + startup_script = "singlenode.sh", + heap_size = var.master_heap_size + }))) key_name = var.key_name ebs_optimized = var.ebs_optimized From f6ee414e945227fc87fb856e131ccb7d9a17854b Mon Sep 17 00:00:00 2001 From: shai Date: Tue, 19 Nov 2024 16:41:50 +0200 Subject: [PATCH 8/9] changing disk type to gp3 --- terraform-aws/disks.tf | 8 ++++---- terraform-aws/variables.tf | 5 +++++ 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/terraform-aws/disks.tf b/terraform-aws/disks.tf index b84c7f4..2692f88 100644 --- a/terraform-aws/disks.tf +++ b/terraform-aws/disks.tf @@ -23,7 +23,7 @@ resource "aws_ebs_volume" "master" { availability_zone = jsondecode(each.value)["az"] size = 10 - type = "gp2" + type = var.disk_type encrypted = var.volume_encryption tags = { @@ -39,7 +39,7 @@ resource "aws_ebs_volume" "data" { availability_zone = jsondecode(each.value)["az"] size = var.elasticsearch_volume_size - type = "gp2" + type = var.disk_type encrypted = var.volume_encryption tags = { @@ -55,7 +55,7 @@ resource "aws_ebs_volume" "data-voter" { availability_zone = jsondecode(each.value)["az"] size = var.elasticsearch_volume_size - type = "gp2" + type = var.disk_type encrypted = var.volume_encryption tags = { 
@@ -72,7 +72,7 @@ resource "aws_ebs_volume" "singlenode" { availability_zone = var.singlenode_az size = var.elasticsearch_volume_size - type = "gp2" + type = var.disk_type encrypted = var.volume_encryption tags = { diff --git a/terraform-aws/variables.tf b/terraform-aws/variables.tf index 63941f6..add19e8 100644 --- a/terraform-aws/variables.tf +++ b/terraform-aws/variables.tf @@ -217,3 +217,8 @@ variable "auto_shut_down_bootstrap_node" { description = "disable to prevent bootstrap node from shutting down" default = true } + +variable "disk_type" { + description = "disk type" + default = "gp3" +} From 69f3ae2d73a79e42aaa2e82d8dbfc07878ea8cdd Mon Sep 17 00:00:00 2001 From: shai Date: Tue, 19 Nov 2024 16:44:06 +0200 Subject: [PATCH 9/9] reverting disks to gp2 for compatibility, but leaving variable --- terraform-aws/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform-aws/variables.tf b/terraform-aws/variables.tf index add19e8..b8d8dd0 100644 --- a/terraform-aws/variables.tf +++ b/terraform-aws/variables.tf @@ -220,5 +220,5 @@ variable "auto_shut_down_bootstrap_node" { variable "disk_type" { description = "disk type" - default = "gp3" + default = "gp2" }
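Review bot: `variable "disk_type"` has neither `type` nor `validation`, so a misspelled value is only caught when the EBS API rejects the volume at apply time; `type = string` plus a `validation` block whose `condition` is `contains(["gp2", "gp3"], var.disk_type)` (extend the list as needed) reports it at plan time. The description `"disk type"` could also name what it governs: all four `aws_ebs_volume` resources in disks.tf (master, data, data-voter, singlenode) now read it.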