Update for Utility repo changes (#236)

* add proxy settings * add values for http/s port * reverting http/s port, adding cond'l for tls ca * add trusted_proxies * remove tls_ca_bundle_file var declaration * ca_certificate_secret not ca_certificate_secret_id
hashicorp · Nov 1, 2023 · 3e76c83 · 3e76c83
1 parent f4adfbd
commit 3e76c83
Show file tree

Hide file tree

Showing 8 changed files with 75 additions and 42 deletions.
diff --git a/locals.tf b/locals.tf
@@ -48,6 +48,17 @@ locals {
 
   # User Data
   # ---------
+  no_proxy = concat([
+    "127.0.0.1",
+    "localhost",
+    "169.254.169.254",
+    ".azure.com",
+    ".windows.net",
+    ".microsoft.com",
+    module.load_balancer.fqdn,
+    var.network_cidr,
+  ], var.no_proxy)
+
   trusted_proxies = concat(
     var.trusted_proxies,
     [var.network_frontend_subnet_cidr]

diff --git a/main.tf b/main.tf
@@ -176,22 +176,23 @@ module "docker_compose_config" {
   source = "git::https://github.com/hashicorp/terraform-random-tfe-utility//modules/docker_compose_config?ref=main"
   count  = var.is_replicated_deployment ? 0 : 1
 
-  hostname                  = module.load_balancer.fqdn
-  tfe_license               = var.hc_license
   license_reporting_opt_out = var.license_reporting_opt_out
-  cert_file                 = "/etc/ssl/private/terraform-enterprise/cert.pem"
-  key_file                  = "/etc/ssl/private/terraform-enterprise/key.pem"
-  operational_mode          = local.active_active ? "active-active" : var.production_type
-  tfe_image                 = var.tfe_image
-  tls_ca_bundle_file        = var.tls_ca_bundle_file
-  tls_ciphers               = var.tls_ciphers
-  tls_version               = var.tls_version
-  run_pipeline_image        = var.run_pipeline_image
+  hostname                  = module.load_balancer.fqdn
   capacity_concurrency      = var.capacity_concurrency
   capacity_cpu              = var.capacity_cpu
   capacity_memory           = var.capacity_memory
   iact_subnets              = join(",", var.iact_subnet_list)
   iact_time_limit           = var.iact_subnet_time_limit
+  operational_mode          = local.active_active ? "active-active" : var.production_type
+  run_pipeline_image        = var.run_pipeline_image
+  tfe_image                 = var.tfe_image
+  tfe_license               = var.hc_license
+  tls_ciphers               = var.tls_ciphers
+  tls_version               = var.tls_version
+
+  cert_file          = "/etc/ssl/private/terraform-enterprise/cert.pem"
+  key_file           = "/etc/ssl/private/terraform-enterprise/key.pem"
+  tls_ca_bundle_file = var.ca_certificate_secret != null ? "/etc/ssl/private/terraform-enterprise/bundle.pem" : null
 
   database_user       = local.database.server.administrator_login
   database_password   = local.database.server.administrator_password
@@ -205,6 +206,13 @@ module "docker_compose_config" {
   azure_account_name = local.object_storage.storage_account_name
   azure_container    = local.object_storage.storage_account_container_name
 
+  http_port       = var.http_port
+  https_port      = var.https_port
+  http_proxy      = var.proxy_ip != null ? "${var.proxy_ip}:${var.proxy_port}" : null
+  https_proxy     = var.proxy_ip != null ? "${var.proxy_ip}:${var.proxy_port}" : null
+  no_proxy        = local.no_proxy
+  trusted_proxies = local.trusted_proxies
+
   redis_host     = local.redis.hostname
   redis_user     = ""
   redis_password = local.redis.primary_access_key
@@ -237,15 +245,7 @@ module "settings" {
   release_sequence              = var.release_sequence
   trusted_proxies               = local.trusted_proxies
 
-  extra_no_proxy = [
-    "127.0.0.1",
-    "169.254.169.254",
-    ".azure.com",
-    ".windows.net",
-    ".microsoft.com",
-    module.load_balancer.fqdn,
-    var.network_cidr
-  ]
+  extra_no_proxy = local.no_proxy
 
   # Replicated Base Configuration
   hostname                                  = module.load_balancer.fqdn

diff --git a/tests/private-active-active/main.tf b/tests/private-active-active/main.tf
@@ -65,9 +65,6 @@ module "private_active_active" {
   # Private Active / Active Scenario
   consolidated_services_enabled      = var.consolidated_services_enabled
   distribution                       = "rhel"
-  vm_node_count                      = 2
-  vm_sku                             = "Standard_D16as_v4"
-  vm_image_id                        = "rhel"
   load_balancer_public               = false
   load_balancer_type                 = "application_gateway"
   load_balancer_sku_name             = "WAF_v2"
@@ -76,13 +73,18 @@ module "private_active_active" {
   redis_use_password_auth            = true
   redis_use_tls                      = false
   production_type                    = "external"
+  vm_image_id                        = "rhel"
+  vm_node_count                      = 2
+  vm_sku                             = "Standard_D16as_v4"
 
   create_bastion = false
   tags           = local.common_tags
 
   # FDO Specific Values
   is_replicated_deployment  = var.is_replicated_deployment
   hc_license                = var.hc_license
+  http_port                 = 8080
+  https_port                = 8443
   license_reporting_opt_out = true
   registry_password         = var.registry_password
   registry_username         = var.registry_username

diff --git a/tests/private-tcp-active-active/main.tf b/tests/private-tcp-active-active/main.tf
@@ -67,23 +67,25 @@ module "private_tcp_active_active" {
   # Private Active / Active Scenario
   consolidated_services_enabled = var.consolidated_services_enabled
   distribution                  = "rhel"
-  vm_node_count                 = 2
-  vm_sku                        = "Standard_D32a_v4"
-  vm_image_id                   = "rhel"
   load_balancer_public          = false
   load_balancer_type            = "load_balancer"
   redis_use_password_auth       = true
   redis_use_tls                 = true
   redis_rdb_backup_enabled      = true
   redis_rdb_backup_frequency    = 60
   production_type               = "external"
+  vm_node_count                 = 2
+  vm_sku                        = "Standard_D32a_v4"
+  vm_image_id                   = "rhel"
 
   create_bastion = false
   tags           = local.common_tags
 
   # FDO Specific Values
   is_replicated_deployment  = var.is_replicated_deployment
   hc_license                = var.hc_license
+  http_port                 = 8080
+  https_port                = 8443
   license_reporting_opt_out = true
   registry_password         = var.registry_password
   registry_username         = var.registry_username

diff --git a/tests/public-active-active/main.tf b/tests/public-active-active/main.tf
@@ -27,21 +27,23 @@ module "public_active_active" {
   # Public Active / Active Scenario
   consolidated_services_enabled = var.consolidated_services_enabled
   distribution                  = "ubuntu"
-  production_type               = "external"
   iact_subnet_list              = var.iact_subnet_list
-  vm_node_count                 = 2
-  vm_sku                        = "Standard_D4_v3"
-  vm_image_id                   = "ubuntu"
   load_balancer_public          = true
   load_balancer_type            = "application_gateway"
+  production_type               = "external"
   redis_use_password_auth       = false
   redis_use_tls                 = false
+  vm_node_count                 = 2
+  vm_sku                        = "Standard_D4_v3"
+  vm_image_id                   = "ubuntu"
 
   tags = local.common_tags
 
   # FDO Specific Values
   is_replicated_deployment  = var.is_replicated_deployment
   hc_license                = var.hc_license
+  http_port                 = 8080
+  https_port                = 8443
   license_reporting_opt_out = true
   registry_password         = var.registry_password
   registry_username         = var.registry_username

diff --git a/tests/standalone-external/main.tf b/tests/standalone-external/main.tf
@@ -41,13 +41,13 @@ module "standalone_external" {
   consolidated_services_enabled = var.consolidated_services_enabled
   distribution                  = "ubuntu"
   database_version              = var.database_version
-  production_type               = "external"
   iact_subnet_list              = ["0.0.0.0/0"]
+  load_balancer_public          = true
+  load_balancer_type            = "load_balancer"
+  production_type               = "external"
   vm_node_count                 = 1
   vm_sku                        = "Standard_D4_v3"
   vm_image_id                   = "ubuntu"
-  load_balancer_public          = true
-  load_balancer_type            = "load_balancer"
 
   enable_ssh     = true
   create_bastion = false
@@ -56,6 +56,8 @@ module "standalone_external" {
   # FDO Specific Values
   is_replicated_deployment  = var.is_replicated_deployment
   hc_license                = var.hc_license
+  http_port                 = 8080
+  https_port                = 8443
   license_reporting_opt_out = true
   registry_password         = var.registry_password
   registry_username         = var.registry_username

diff --git a/tests/standalone-mounted-disk/main.tf b/tests/standalone-mounted-disk/main.tf
@@ -42,15 +42,15 @@ module "standalone_mounted_disk" {
   distribution                  = var.distribution
   production_type               = "disk"
   disk_path                     = "/opt/hashicorp/data"
-  vm_node_count                 = 1
-  vm_sku                        = "Standard_D4_v3"
+  load_balancer_public          = true
+  load_balancer_type            = "load_balancer"
   vm_image_id                   = local.vm_image_id
   vm_image_publisher            = local.vm_image_publisher
   vm_image_offer                = local.vm_image_offer
   vm_image_sku                  = local.vm_image_sku
   vm_image_version              = local.vm_image_version
-  load_balancer_public          = true
-  load_balancer_type            = "load_balancer"
+  vm_node_count                 = 1
+  vm_sku                        = "Standard_D4_v3"
 
   # VM Data Disk
   vm_data_disk_caching              = "ReadWrite"
@@ -66,6 +66,8 @@ module "standalone_mounted_disk" {
   # FDO Specific Values
   is_replicated_deployment  = var.is_replicated_deployment
   hc_license                = var.hc_license
+  http_port                 = 8080
+  https_port                = 8443
   license_reporting_opt_out = true
   registry_password         = var.registry_password
   registry_username         = var.registry_username

diff --git a/variables.tf b/variables.tf
@@ -865,12 +865,6 @@ variable "tls_bootstrap_key_pathname" {
   description = "The path on the TFE instance to put the key. ex. '/var/lib/terraform-enterprise/key.pem'"
 }
 
-variable "tls_ca_bundle_file" {
-  default     = null
-  type        = string
-  description = "(Not needed if is_replicated_deployment is true) Path to a file containing TLS CA certificates to be added to the OS CA certificates bundle. Leave blank to not add CA certificates to the OS CA certificates bundle. Defaults to ''."
-}
-
 variable "tls_ciphers" {
   default     = null
   type        = string
@@ -1004,6 +998,24 @@ variable "vm_key_secret" {
 
 # Proxy
 # -----
+variable "http_port" {
+  default     = 80
+  type        = number
+  description = "(Optional if is_replicated_deployment is false) Port application listens on for HTTP. Default is 80."
+}
+
+variable "https_port" {
+  default     = 443
+  type        = number
+  description = "(Optional if is_replicated_deployment is false) Port application listens on for HTTPS. Default is 443."
+}
+
+variable "no_proxy" {
+  type        = list(string)
+  description = "(Optional) List of IP addresses to not proxy"
+  default     = []
+}
+
 variable "proxy_ip" {
   default     = null
   type        = string