About

This repository contains all Infrastructure as Code (IaC) related files. The infrastructure is represented through declarative configuration files written in HashiCorp Configuration Language (HCL).

Structure

The repository is structured as following:

modules: contains helper modules stages: contains infrastructure code of all stages. terraform-init contains the infrastructure code for the initial creation of the bucket for the remote terraform state. The other folders like dev-nl and tools-nl represent the different stages.

Apply changes

In general changes should be applied through a Gitlab Pipeline. Run terraform apply on own risk locally and if you know what you are doing. Applying changes to the dev environment might be necessary from time to time. Nevertheless, before applying any changes or creating a commit it is good practise to check what changes will be applied beforehand via terraform plan.

Update providers

terraform init -upgrade Remember to regularly update providers on your local installation in order to use the same versions as the gitlab pipeline which updates them every run.

Update modules

terraform get -update

Authentication

To setup terraform locally via terraform init you need to authenticate first. Therefore save your OTC Access/Secret-Key to the environment variables AWS_ACCESS_KEY_ID and ACCESS_KEY respectively to SECRET_KEY and AWS_SECRET_ACCESS_KEY. In case you already have access to the Vault instance you may use the helper functions in cloudCredentials.sh. In case you don't have the Access/Secret Key Pair yet, you have to create one in the IAM section in the OTC console.

Authentication Setup

For a general introduction on how to setup authentification with gitlab correctly, see here.

For the correct configuration of OIDC in vault use the following commands when setting it up (see link):

shell vault write auth/oidc-cloud2/config \ oidc_discovery_url="https://gitlab.lori-cloud.zbw.eu" \ oidc_client_id="[your_application_id]" \ oidc_client_secret="[your_secret]" \ default_role="developer" \ bound_issuer="localhost"

shell vault write auth/oidc-cloud2/role/developer -<<EOF { "user_claim": "sub", "allowed_redirect_uris": "https://vault-nl.zbw.eu/ui/vault/auth/oidc-cloud2/oidc/callback,http://localhost:8250/oidc/callback", "bound_audiences": "[your_application_id]", "oidc_scopes": "openid", "role_type": "oidc", "policies": "developer", "ttl": "1h", "bound_claims": { "groups": ["stb"] } } EOF

Create a new environment (dev,test,prod)

You'll temporarily need tenant admin privileges. - In OTC GUI, add user terraformci to group admin - In terraform-init(_nl)/variables.tf, section locals{projects..}, add a name for the new project - wait for >10 minutes between adding admin privileges in GUI and the following step (you don't break anything if you're too quick, but terraform is going to throw errors) - in context of directory terraform-init(_nl), type terraform apply. Do not confirm yet, but: - (!) verify that a new environment is created rather than overwriting an existing one. Thus, watch out for output line Plan: n to add, 0 to change, 0 to destroy. Resources may only be added, no resources shall be changed or destroyed. You are working with tenant-admin privileges! - confirm the terraform apply command by typing yes - verify in OTC GUI that a new project has been created - (!) remove user terraformci from group admin - continue in Terraform, in context of the newly created directory named as the new project