Migrate azure to ignition #71
Conversation
|
Should be final, this now works nicely, I tried recreating from freash few times and all seem to be good. |
modules/azure/master-as/variables.tf
Outdated
|
|
||
| variable "boot_diagnostics_storage_uri" { | ||
| type = "string" | ||
| description = "storage account uri fro boot diagnostics" |
There was a problem hiding this comment.
nitpick. Please start from upper case and there is typo in fro
platforms/azure/giantnetes/main.tf
Outdated
| filename = "${path.cwd}/generated/master-ignition.yaml" | ||
| } | ||
|
|
||
| resource "azurerm_storage_account" "storage_acc" { |
There was a problem hiding this comment.
can you please move all storage related part to separate module. Like it's done for S3 buckets
https://github.com/giantswarm/giantnetes-terraform/tree/master/modules/aws/s3
platforms/azure/giantnetes/main.tf
Outdated
| container_access_type = "container" | ||
| } | ||
|
|
||
| resource "azurerm_storage_blob" "ignition_blob" { |
There was a problem hiding this comment.
please move ignition_blob and loader to master module. Like done for aws
| type = "string" | ||
| type = "string" | ||
|
|
||
| #default = "Standard_D2s_v3" |
There was a problem hiding this comment.
Let's switch to v3 in separate PR
platforms/azure/giantnetes/main.tf
Outdated
| } | ||
|
|
||
| # Convert ignition config to raw json and merge users part. | ||
| data "ct_config" "master_big" { |
There was a problem hiding this comment.
may be remove _big suffix as you switched to ignition_config already.
platforms/azure/giantnetes/main.tf
Outdated
| pretty_print = false | ||
| } | ||
|
|
||
| resource "local_file" "master_ignition_big" { |
There was a problem hiding this comment.
let's also move this to master module
platforms/azure/giantnetes/main.tf
Outdated
| name = "${var.cluster_name}machine" | ||
| resource_group_name = "${module.resource_group.name}" | ||
| location = "westeurope" | ||
| account_tier = "Standard" |
There was a problem hiding this comment.
also account_kind=BlobStorage and access_tier=Cold , because we need only objects and not going to host VM disks there.
platforms/azure/giantnetes/main.tf
Outdated
| name = "ignition" | ||
| resource_group_name = "${module.resource_group.name}" | ||
| storage_account_name = "${azurerm_storage_account.storage_acc.name}" | ||
| container_access_type = "container" |
There was a problem hiding this comment.
This actually gives full anonymous access to container
modules/azure/master-as/master-as.tf
Outdated
| @@ -93,6 +93,11 @@ resource "azurerm_virtual_machine" "master" { | |||
| } | |||
| } | |||
|
|
|||
| boot_diagnostics { | |||
There was a problem hiding this comment.
Do we really need boot diagnostics? we are experts already 
There was a problem hiding this comment.
Well, it gives us logs for instance if something fuck ups. If nothing breaks we don't need it.
I am fine with removing it.
|
moved storage to separate module |
| for n in bastion master vault; do | ||
| ed --quiet ${WORKDIR}/cloud-config/${n}.yaml.tmpl << EOF | ||
| 3i | ||
| cat >> ${WORKDIR}/ignition/users.yaml << EOF |
There was a problem hiding this comment.
cool, can you please also remove ed installation above?
|
@r7vme I took a look at container restriction and it seems not to be implemented in terraform. this is the functionality: https://docs.microsoft.com/en-us/azure/storage/common/storage-dotnet-shared-access-signature-part-1 Here is the issue in terraform: hashicorp/terraform-provider-azurerm#90 And we can see that only resource quota is available in terraform: https://www.terraform.io/docs/providers/azurerm/r/storage_share.html |
|
For storage access we can use following:
The only concern that MSI can be not available on really early stage of ignition retrieval. I think MSI smth to do with waagent, that runs later. |
|
The easiest solution would be to restrict access to storage account only from virtual network, but it's not implemented yet. |
|
Here we go, azure is green. |
migrate azure to ignition - start with bastion,vault and worker
Update added also master.
Few notes: