Addition of Azure Resource Manager provider terraform configuration

terraform/azurerm/README.md

@@ -0,0 +1,13 @@
+### Azure Resource Manager terraform configuration
+---------------------------------------------------
+
+This folder contains the terraform configuration for a public and private infrastructure provisioned in Azure and is created by attempting to reverse engineering and match the existing AWS architecture, https://github.com/Capgemini/Apollo/tree/master/terraform/aws.
+
+The configuration is based on Terraform's ARM provider found here, https://www.terraform.io/docs/providers/azurerm/index.html.
+Before Terrafom can create infrastructure within your Azure subscription the following information is required by the 'provider.tf' file including, subscription id, client id, client secret, tenant id. To set up oAuth authentication follow this guide https://www.terraform.io/docs/providers/azurerm/index.html.  
+
+Connection to the server instances is via ssh authenticated by a public / private key certificate in openssh format. Putty was used to generate the public / private key files. There was an issue with certificate only authentication **so please use Terraform verion v0.6.16 or higher**.
+
+The infrastructure is configured inline with the ARM architecture as shown in the diagram below. Terraform does not yet support creating Load Balance resources thus it was not possible to replicate this feature from AWS.
+
+![architecture](images/ARMArchitecture.png)

terraform/azurerm/private-cloud/agent-cloud-config.yml.tpl

@@ -0,0 +1,48 @@
+#cloud-config
+
+coreos:
+  units:
+    - name: format-ebs-volume.service
+      command: start
+      content: |
+        [Unit]
+        Description=Formats the ebs volume if needed
+        Before=docker.service
+        [Service]
+        Type=oneshot
+        RemainAfterExit=yes
+        ExecStart=/bin/bash -c '(/usr/sbin/blkid -t TYPE=ext4 | grep /dev/xvdb) || (/usr/sbin/wipefs -fa /dev/xvdb && /usr/sbin/mkfs.ext4 /dev/xvdb)'
+    - name: var-lib-docker.mount
+      command: start
+      content: |
+        [Unit]
+        Description=Mount ephemeral to /var/lib/docker
+        Requires=format-ebs-volume.service
+        After=format-ebs-volume.service
+        [Mount]
+        What=/dev/xvdb
+        Where=/var/lib/docker
+        Type=ext4
+     - name: docker.service
+       drop-ins:
+        - name: 10-wait-docker.conf
+          content: |
+            [Unit]
+            After=var-lib-docker.mount
+            Requires=var-lib-docker.mount
+  etcd2:
+    proxy: on
+    listen-client-urls: http://0.0.0.0:2379,http://0.0.0.0:4001
+    discovery: ${etcd_discovery_url}
+  fleet:
+    metadata: "role=agent,region=${region}"
+    public-ip: "$public_ipv4"
+    etcd_servers: "http://localhost:2379"
+  locksmith:
+    endpoint: "http://localhost:2379"
+  units:
+    - name: etcd2.service
+      command: start
+  update:
+    reboot-strategy: best-effort
+manage_etc_hosts: localhost

terraform/azurerm/private-cloud/bastion-cloud-config.yml.tpl

@@ -0,0 +1,20 @@
+#cloud-config 
+
+coreos:
+  etcd2:
+    proxy: on
+    listen-client-urls: http://0.0.0.0:2379,http://0.0.0.0:4001
+    discovery: ${etcd_discovery_url}
+  fleet:
+    metadata: "role=bastion,region=${region}"
+    etcd_servers: "http://localhost:2379"
+  locksmith:
+    endpoint: "http://localhost:2379"
+  units:
+    - name: docker.service
+      command: start
+    - name: etcd2.service
+      command: start
+  update:
+    reboot-strategy: best-effort
+manage_etc_hosts: localhost

terraform/azurerm/private-cloud/bastion-publicip.tf

@@ -0,0 +1,20 @@
+#Create Public IP Address for bastion server
+resource "azurerm_public_ip" "bastion_publicip" {
+	name = "BastionPublicIp"
+	location = "${var.region}"
+	resource_group_name = "${azurerm_resource_group.resource_group.name}"
+	public_ip_address_allocation = "static"
+}
+
+#Output
+output "bastion_publicip_id" {
+	value = "${azurerm_public_ip.bastion_publicip.id}"
+}
+
+output "bastion_publicip_ipaddress" {
+	value = "${azurerm_public_ip.bastion_publicip.ip_address}"
+}
+
+output "bastion_publicip_fqdn" {
+	value = "${azurerm_public_ip.bastion_publicip.fqdn}"
+}

terraform/azurerm/private-cloud/bastion-security-group.tf

@@ -0,0 +1,63 @@
+#Create Network Security Group
+resource "azurerm_network_security_group" "bastion_security_group" {
+	name = "AzureRM_NetworkSecurityGroup"
+	location = "${var.region}"
+	resource_group_name = "${azurerm_resource_group.resource_group.name}"
+
+	security_rule {
+		name = "AzureRM_SecurityRuleSSH"
+		priority = 100
+		direction = "Inbound"
+		access = "Allow"
+		protocol = "Tcp"
+		source_port_range = "*"
+		destination_port_range = "22"
+		source_address_prefix = "*"
+		destination_address_prefix = "*"
+	}
+
+	security_rule {
+		name = "AzureRM_SecurityRuleOpenVPN"
+		priority = 101
+		direction = "Inbound"
+		access = "Allow"
+		protocol = "Tcp"
+		source_port_range = "*"
+		destination_port_range = "1194"
+		source_address_prefix = "*"
+		destination_address_prefix = "*"
+	}
+
+	security_rule {
+		name = "AzureRM_SecurityRuleOpenHTTPS"
+		priority = 102
+		direction = "Inbound"
+		access = "Allow"
+		protocol = "Tcp"
+		source_port_range = "*"
+		destination_port_range = "443"
+		source_address_prefix = "*"
+		destination_address_prefix = "*"
+	}
+
+	security_rule {
+		name = "AzureRM_SecurityRuleOpenHTTP"
+		priority = 103
+		direction = "Inbound"
+		access = "Allow"
+		protocol = "Tcp"
+		source_port_range = "*"
+		destination_port_range = "80"
+		source_address_prefix = "*"
+		destination_address_prefix = "*"
+	}
+
+	tags { 
+		Name = "bastion-apollo-sg" 
+	}
+}
+
+#Output
+output "network_security_group_id" {
+	value = "${azurerm_network_security_group.bastion_security_group.id}"
+}

terraform/azurerm/private-cloud/bastion-server.tf

@@ -0,0 +1,128 @@
+# Create a network interface for bastion server
+resource "azurerm_network_interface" "bastion_network_interface" {
+	name = "Bastion_NetworkInterface"
+	location = "${var.region}"
+	resource_group_name = "${azurerm_resource_group.resource_group.name}"
+	network_security_group_id = "${azurerm_network_security_group.bastion_security_group.id}"
+
+	ip_configuration {
+		name = "bastionipconfiguration"
+		subnet_id = "${element(azurerm_subnet.public.*.id, 0)}"
+		private_ip_address_allocation = "dynamic"
+		public_ip_address_id = "${azurerm_public_ip.bastion_publicip.id}"
+	}
+}
+
+# User profile template
+resource "template_file" "bastion_cloud_init" { 
+	template = "${file("bastion-cloud-config.yml.tpl")}" 
+	depends_on = ["template_file.etcd_discovery_url"] 
+	vars { 
+		etcd_discovery_url = "${file(var.etcd_discovery_url_file)}" 
+		size = "${var.master_count}" 
+		vpc_cidr_block = "${var.vpc_cidr_block}" 
+		region = "${var.region}" 
+	} 
+}
+
+# NAT/VPN server
+resource "azurerm_virtual_machine" "bastion" {
+	name = "apollo-bastion"
+	location = "${var.region}"
+	resource_group_name = "${azurerm_resource_group.resource_group.name}"
+	network_interface_ids = ["${azurerm_network_interface.bastion_network_interface.id}"]
+	vm_size = "${var.instance_type.bastion}"
+
+	storage_image_reference {
+		publisher = "${var.artifact_bastion.publisher}"
+		offer = "${var.artifact_bastion.offer}"
+		sku = "${var.artifact_bastion.sku}"
+		version = "${var.artifact_bastion.version}"	
+	}
+
+	storage_os_disk {
+		name = "bastiondisk"
+		vhd_uri = "${azurerm_storage_account.storage_account.primary_blob_endpoint}${azurerm_storage_container.storage_container.name}/bastiondisk.vhd"
+		caching = "ReadWrite"
+		create_option = "FromImage"
+	}
+
+	os_profile {
+		computer_name = "${var.bastion_server_computername}"
+		admin_username = "${var.bastion_server_username}"
+		admin_password = "${var.bastion_server_password}"
+		custom_data = "${base64encode(template_file.bastion_cloud_init.rendered)}"
+	}
+
+	os_profile_linux_config {
+		disable_password_authentication = true
+
+		ssh_keys {
+			path = "/home/${var.bastion_server_username}/.ssh/authorized_keys"
+			key_data = "${file("${var.ssh_public_key_file}")}" # openssh format 
+		}
+	}
+
+	tags { 
+		Name = "apollo-mesos-bastion" 
+     		role = "bastion" 
+	} 
+
+	connection {
+		host = "${azurerm_public_ip.bastion_publicip.ip_address}"
+		user = "${var.bastion_server_username}"
+		private_key = "${file("${var.ssh_private_key_file}")}" # openssh format 
+	}
+
+	# Do some early bootstrapping of the CoreOS machines. This will install
+	# python and pip so we can use as the ansible_python_interpreter in our playbooks
+	provisioner "file" { 
+		source	= "../../scripts/coreos" 
+		destination = "/tmp" 
+	}
+
+	provisioner "remote-exec" {
+    	inline = [
+     		"sudo chmod -R +x /tmp/coreos",
+      		"/tmp/coreos/bootstrap.sh",
+      		"~/bin/python /tmp/coreos/get-pip.py",
+      		"sudo mv /tmp/coreos/runner ~/bin/pip && sudo chmod 0755 ~/bin/pip",
+      		"sudo rm -rf /tmp/coreos",
+
+			# Initialize open VPN container and server config     
+			"sudo iptables -t nat -A POSTROUTING -j MASQUERADE",
+      		"sudo docker run --name ovpn-data -v /etc/openvpn busybox",
+      		"sudo docker run --volumes-from ovpn-data --rm gosuri/openvpn ovpn_genconfig -p ${var.vpc_cidr_block} -u udp://${azurerm_public_ip.bastion_publicip.ip_address}"
+		]
+	} 
+}
+
+# Bastion network interface outputs
+output "bastion_network_interface_id" {
+	value = "${azurerm_network_interface.bastion_network_interface.id}"
+}
+
+output "bastion_network_interface_macaddress" {
+	value = "${azurerm_network_interface.bastion_network_interface.mac_address}"
+}
+
+output "bastion_network_interface_privateipaddress" {
+	value = "${azurerm_network_interface.bastion_network_interface.private_ip_address}"
+}
+
+output "bastion_network_interface_virtualmachineid" {
+	value = "${azurerm_network_interface.bastion_network_interface.virtual_machine_id}"
+}
+
+output "bastion_network_interface_applieddnsservers" {
+	value = "${azurerm_network_interface.bastion_network_interface.applied_dns_servers}"
+}
+
+output "bastion_network_interface_internalfqdn" {
+	value = "${azurerm_network_interface.bastion_network_interface.internal_fqdn}"
+}
+
+# Bastion virtual machine outputs
+output "bastion_virtual_machine_id" {
+	value = "${azurerm_virtual_machine.bastion.id}"
+}

terraform/azurerm/private-cloud/gateway-local-network.tf

@@ -0,0 +1,13 @@
+#Create Public IP Address for local network gateway
+resource "azurerm_local_network_gateway" "gateway" {
+	name = "AzureRM_LocalNetworkGateway"
+	resource_group_name = "${azurerm_resource_group.resource_group.name}"
+	location = "${var.region}"
+	gateway_address = "${azurerm_public_ip.bastion_publicip.ip_address}"
+	address_space = ["${var.vpc_cidr_block}"]
+}
+
+#Output
+output "gateway_local_network_id" {
+	value = "${azurerm_local_network_gateway.gateway.id}"
+}

terraform/azurerm/private-cloud/master-cloud-config.yml.tpl

@@ -0,0 +1,22 @@
+#cloud-config
+
+coreos:
+  etcd2:
+    # $private_ipv4 is populated by the cloud provider
+    # we don't have a $public_ipv4 in the private VPC
+    advertise-client-urls: http://$private_ipv4:2379,http://$private_ipv4:4001
+    initial-advertise-peer-urls: http://$private_ipv4:2380
+    # listen on both the official ports and the legacy ports
+    # legacy ports can be omitted if your application doesn't depend on them
+    listen-client-urls: http://0.0.0.0:2379,http://0.0.0.0:4001
+    listen-peer-urls: http://$private_ipv4:2380,http://$private_ipv4:7001
+    # Discovery is populated by Terraform
+    discovery: ${etcd_discovery_url}
+  fleet:
+    metadata: "role=master,region=${region}"
+  units:
+    - name: etcd2.service
+      command: start
+  update:
+    reboot-strategy: best-effort
+manage_etc_hosts: localhost

terraform/azurerm/private-cloud/mesos-agents-availability-set.tf

@@ -0,0 +1,11 @@
+# Create an availability set for agent servers
+resource "azurerm_availability_set" "agent" {
+	name = "Agent_AvailabilitySet" 
+	resource_group_name = "${azurerm_resource_group.resource_group.name}"
+	location = "${var.region}"
+}
+
+# Mesos agent availability set outputs
+output "mesos_agent_virtual_machine_ids" {
+	value = "${azurerm_availability_set.agent.id}"
+}