Enable remote userdata (#42)

README.md

@@ -1,6 +1,6 @@
 # tf_kube_aws
 
-This terraform module creates a kubernetes cluster in AWS. It's designed to synergise well with [tf_kube_ignition](https://github.com/utilitywarehouse/tf_kube_ignition).
+This terraform module creates a kubernetes cluster in AWS. It assumes [ignition](https://coreos.com/ignition) userdata and it's designed to synergise well with [tf_kube_ignition](https://github.com/utilitywarehouse/tf_kube_ignition).
 
 ## Input Variables
 

cfssl.tf

@@ -1,3 +1,27 @@
+data "template_file" "cfssl" {
+  template = <<EOF
+{
+  "ignition": {
+    "version": "2.2.0",
+    "config": {
+      "replace": {
+        "source": "s3://${aws_s3_bucket.userdata.id}/cfssl-config-${sha1(var.cfssl_user_data)}.json",
+        "aws": {
+          "region": "${var.region}"
+        }
+      }
+    }
+  }
+}
+EOF
+}
+
+resource "aws_s3_bucket_object" "cfssl" {
+  bucket  = aws_s3_bucket.userdata.id
+  key     = "cfssl-config-${sha1(var.cfssl_user_data)}.json"
+  content = var.cfssl_user_data
+}
+
 // IAM instance role
 resource "aws_iam_role" "cfssl" {
   name                 = "${local.iam_prefix}${var.cluster_name}-cfssl"
@@ -26,19 +50,25 @@ resource "aws_iam_instance_profile" "cfssl" {
   path = var.iam_path
 }
 
+data "aws_iam_policy_document" "cfssl" {
+  statement {
+    actions   = ["s3:GetObject"]
+    resources = ["arn:aws:s3:::${aws_s3_bucket.userdata.id}/cfssl-*"]
+  }
+}
+
 resource "aws_iam_role_policy" "cfssl" {
-  count  = var.cfssl_role_additional_permissions == "" ? 0 : 1
   name   = "${local.iam_prefix}${var.cluster_name}-cfssl"
   role   = aws_iam_role.cfssl.id
-  policy = var.cfssl_role_additional_permissions
+  policy = data.aws_iam_policy_document.cfssl.json
 }
 
 // EC2 Instance
 resource "aws_instance" "cfssl" {
   ami                    = var.containerlinux_ami_id
   instance_type          = "t2.nano"
   iam_instance_profile   = aws_iam_instance_profile.cfssl.name
-  user_data              = var.cfssl_user_data
+  user_data              = data.template_file.cfssl.rendered
   key_name               = var.key_name
   vpc_security_group_ids = [aws_security_group.cfssl.id]
   subnet_id              = var.private_subnet_ids[0]

common.tf

@@ -26,3 +26,15 @@ data "aws_subnet" "public" {
   count = var.public_subnet_count
   id    = var.public_subnet_ids[count.index]
 }
+
+resource "aws_s3_bucket" "userdata" {
+  bucket = "${var.bucket_prefix}-ignition-userdata-${var.cluster_name}"
+
+  server_side_encryption_configuration {
+    rule {
+      apply_server_side_encryption_by_default {
+        sse_algorithm = "AES256"
+      }
+    }
+  }
+}

etcd.tf

@@ -1,3 +1,30 @@
+data "template_file" "etcd" {
+  count = length(var.etcd_user_data)
+
+  template = <<EOF
+{
+  "ignition": {
+    "version": "2.2.0",
+    "config": {
+      "replace": {
+        "source": "s3://${aws_s3_bucket.userdata.id}/etcd-config-${count.index}-${sha1(var.etcd_user_data[count.index])}.json",
+        "aws": {
+          "region": "${var.region}"
+        }
+      }
+    }
+  }
+}
+EOF
+}
+
+resource "aws_s3_bucket_object" "etcd" {
+  count   = length(var.etcd_user_data)
+  bucket  = aws_s3_bucket.userdata.id
+  key     = "etcd-config-${count.index}-${sha1(var.etcd_user_data[count.index])}.json"
+  content = var.etcd_user_data[count.index]
+}
+
 // IAM instance role
 resource "aws_iam_role" "etcd" {
   name                 = "${local.iam_prefix}${var.cluster_name}-etcd"
@@ -26,19 +53,25 @@ resource "aws_iam_instance_profile" "etcd" {
   path = var.iam_path
 }
 
+data "aws_iam_policy_document" "etcd" {
+  statement {
+    actions   = ["s3:GetObject"]
+    resources = ["arn:aws:s3:::${aws_s3_bucket.userdata.id}/etcd-*"]
+  }
+}
+
 resource "aws_iam_role_policy" "etcd" {
-  count  = var.etcd_role_additional_permissions == "" ? 0 : 1
   name   = "${local.iam_prefix}${var.cluster_name}-etcd"
   role   = aws_iam_role.etcd.id
-  policy = var.etcd_role_additional_permissions
+  policy = data.aws_iam_policy_document.etcd.json
 }
 
 // EC2 Instances
 resource "aws_instance" "etcd" {
   count                  = var.etcd_instance_count
   ami                    = var.containerlinux_ami_id
   instance_type          = var.etcd_instance_type
-  user_data              = var.etcd_user_data[count.index]
+  user_data              = data.template_file.etcd[count.index].rendered
   iam_instance_profile   = aws_iam_instance_profile.etcd.name
   key_name               = var.key_name
   vpc_security_group_ids = [aws_security_group.etcd.id]

masters.tf

@@ -1,3 +1,27 @@
+data "template_file" "master" {
+  template = <<EOF
+{
+  "ignition": {
+    "version": "2.2.0",
+    "config": {
+      "replace": {
+        "source": "s3://${aws_s3_bucket.userdata.id}/master-config-${sha1(var.master_user_data)}.json",
+        "aws": {
+          "region": "${var.region}"
+        }
+      }
+    }
+  }
+}
+EOF
+}
+
+resource "aws_s3_bucket_object" "master" {
+  bucket  = aws_s3_bucket.userdata.id
+  key     = "master-config-${sha1(var.master_user_data)}.json"
+  content = var.master_user_data
+}
+
 // IAM instance role
 resource "aws_iam_role" "master" {
   name                 = "${local.iam_prefix}${var.cluster_name}-master"
@@ -25,8 +49,6 @@ resource "aws_iam_instance_profile" "master" {
 }
 
 data "aws_iam_policy_document" "master" {
-  source_json = var.master_role_additional_permissions
-
   statement {
     actions = [
       "ec2:*"
@@ -53,6 +75,13 @@ data "aws_iam_policy_document" "master" {
     ]
     resources = var.master_kms_ebs_key_arns
   }
+
+  statement {
+    actions = [
+      "s3:GetObject"
+    ]
+    resources = ["arn:aws:s3:::${aws_s3_bucket.userdata.id}/master-*"]
+  }
 }
 
 resource "aws_iam_role_policy" "master" {
@@ -68,7 +97,7 @@ resource "aws_launch_configuration" "master" {
   instance_type        = var.master_instance_type
   key_name             = var.key_name
   security_groups      = [aws_security_group.master.id]
-  user_data            = var.master_user_data
+  user_data            = data.template_file.master.rendered
 
   lifecycle {
     create_before_destroy = true

variables.tf

@@ -62,7 +62,7 @@ variable "iam_path" {
 }
 
 variable "iam_prefix" {
-  description = "prefix to added to iam resources names"
+  description = "prefix to be added to iam resources names"
   default     = ""
 }
 
@@ -71,6 +71,11 @@ variable "permissions_boundary" {
   default     = ""
 }
 
+variable "bucket_prefix" {
+  description = "prefix to be added to the userdata bucket"
+  default     = ""
+}
+
 // cfssl server
 variable "cfssl_server_address" {
   description = "The address of the cfssl server"
@@ -85,11 +90,6 @@ variable "cfssl_data_device_name" {
   default     = "xvdf"
 }
 
-variable "cfssl_role_additional_permissions" {
-  default     = ""
-  description = "Additional permissions for the cfssl role"
-}
-
 // etcd nodes
 variable "etcd_instance_count" {
   description = "The number of etcd instances to launch."
@@ -115,11 +115,6 @@ variable "etcd_data_volume_size" {
   default     = "5"
 }
 
-variable "etcd_role_additional_permissions" {
-  default     = ""
-  description = "Additional permissions for the etcd role"
-}
-
 // master nodes
 variable "master_instance_count" {
   default     = "3"
@@ -135,11 +130,6 @@ variable "master_user_data" {
   description = "The user data to provide to the kubernetes master instances."
 }
 
-variable "master_role_additional_permissions" {
-  default     = ""
-  description = "Additional permissions for the master role"
-}
-
 // worker nodes
 variable "worker_ondemand_instance_count" {
   default     = "3"
@@ -164,11 +154,6 @@ variable "worker_user_data" {
   description = "The user data to provide to the kubernetes worker instances."
 }
 
-variable "worker_role_additional_permissions" {
-  default     = ""
-  description = "Additional permissions for the worker role"
-}
-
 variable "worker_elb_names" {
   description = "A list of Classic ELB names to be attached to the worker autoscaling groups."
   type        = list(string)

workers.tf

@@ -1,3 +1,27 @@
+data "template_file" "worker" {
+  template = <<EOF
+{
+  "ignition": {
+    "version": "2.2.0",
+    "config": {
+      "replace": {
+        "source": "s3://${aws_s3_bucket.userdata.id}/worker-config-${sha1(var.worker_user_data)}.json",
+        "aws": {
+          "region": "${var.region}"
+        }
+      }
+    }
+  }
+}
+EOF
+}
+
+resource "aws_s3_bucket_object" "worker" {
+  bucket  = aws_s3_bucket.userdata.id
+  key     = "worker-config-${sha1(var.worker_user_data)}.json"
+  content = var.worker_user_data
+}
+
 // IAM instance role
 resource "aws_iam_role" "worker" {
   name                 = "${local.iam_prefix}${var.cluster_name}-worker"
@@ -27,12 +51,15 @@ resource "aws_iam_instance_profile" "worker" {
 }
 
 data "aws_iam_policy_document" "worker" {
-  source_json = var.worker_role_additional_permissions
-
   statement {
     actions   = ["ec2:DescribeInstances"]
     resources = ["*"]
   }
+
+  statement {
+    actions   = ["s3:GetObject"]
+    resources = ["arn:aws:s3:::${aws_s3_bucket.userdata.id}/worker-*"]
+  }
 }
 
 resource "aws_iam_role_policy" "worker" {
@@ -48,7 +75,7 @@ resource "aws_launch_configuration" "worker" {
   instance_type        = var.worker_instance_type
   key_name             = var.key_name
   security_groups      = [aws_security_group.worker.id]
-  user_data            = var.worker_user_data
+  user_data            = data.template_file.worker.rendered
 
   lifecycle {
     create_before_destroy = true