Merge pull request #32 from Flaconi/OPS-5932-migrating-to-launch-temp…

…late OPS-5932: Migrating Vault and Consul to Launch Template
Flaconi · May 30, 2024 · 831f2f2 · 831f2f2
2 parents 93d109c + b4c4500
commit 831f2f2
Show file tree

Hide file tree

Showing 11 changed files with 58 additions and 72 deletions.
diff --git a/README.md b/README.md
@@ -254,8 +254,8 @@ Default: `null`
 | <a name="output_iam_role_arn_vault_cluster"></a> [iam\_role\_arn\_vault\_cluster](#output\_iam\_role\_arn\_vault\_cluster) | IAM role ARN attached to the Vault cluster. |
 | <a name="output_iam_role_id_consul_cluster"></a> [iam\_role\_id\_consul\_cluster](#output\_iam\_role\_id\_consul\_cluster) | IAM role ID attached to the Consul cluster. |
 | <a name="output_iam_role_id_vault_cluster"></a> [iam\_role\_id\_vault\_cluster](#output\_iam\_role\_id\_vault\_cluster) | IAM role ID attached to the Vault cluster. |
-| <a name="output_launch_config_name_consul_cluster"></a> [launch\_config\_name\_consul\_cluster](#output\_launch\_config\_name\_consul\_cluster) | Launch configuration name of the Consul cluster. |
-| <a name="output_launch_config_name_vault_cluster"></a> [launch\_config\_name\_vault\_cluster](#output\_launch\_config\_name\_vault\_cluster) | Launch configuration name of the Vault cluster. |
+| <a name="output_launch_template_name_consul_cluster"></a> [launch\_template\_name\_consul\_cluster](#output\_launch\_template\_name\_consul\_cluster) | Launch template name of the Consul cluster. |
+| <a name="output_launch_template_name_vault_cluster"></a> [launch\_template\_name\_vault\_cluster](#output\_launch\_template\_name\_vault\_cluster) | Launch template name of the Vault cluster. |
 | <a name="output_security_group_id_consul_cluster"></a> [security\_group\_id\_consul\_cluster](#output\_security\_group\_id\_consul\_cluster) | Security group ID of the Consul cluster to attach to other security group rules. |
 | <a name="output_security_group_id_vault_cluster"></a> [security\_group\_id\_vault\_cluster](#output\_security\_group\_id\_vault\_cluster) | Security group ID of the Vault cluster to attach to other security group rules. |
 

diff --git a/main.tf b/main.tf
@@ -6,15 +6,15 @@ module "vault_cluster" {
   instance_type = var.vault_instance_type
 
   ami_id = var.ami_id
-  user_data = templatefile("${path.module}/user-data/vault.sh.tftpl", {
+  user_data = base64encode(templatefile("${path.module}/user-data/vault.sh.tftpl", {
     enable_s3_backend        = var.enable_s3_backend ? 1 : 0
     s3_bucket_region         = data.aws_region.current.name
     s3_bucket_name           = var.s3_bucket_name
     consul_cluster_tag_key   = local.consul_cluster_tag_key
     consul_cluster_tag_value = local.consul_cluster_tag_val
     ssh_keys                 = join("\n", var.ssh_keys)
     ssh_user                 = "ubuntu"
-  })
+  }))
 
   vpc_id     = var.vpc_id
   subnet_ids = var.private_subnet_ids
@@ -82,12 +82,12 @@ module "consul_cluster" {
   instance_type = var.consul_instance_type
 
   ami_id = var.ami_id
-  user_data = templatefile("${path.module}/user-data/consul.sh.tftpl", {
+  user_data = base64encode(templatefile("${path.module}/user-data/consul.sh.tftpl", {
     consul_cluster_tag_key   = local.consul_cluster_tag_key
     consul_cluster_tag_value = local.consul_cluster_tag_val
     ssh_keys                 = join("\n", var.ssh_keys)
     ssh_user                 = "ubuntu"
-  })
+  }))
 
   vpc_id     = var.vpc_id
   subnet_ids = var.private_subnet_ids

diff --git a/modules/consul-cluster/README.md b/modules/consul-cluster/README.md
@@ -42,7 +42,7 @@ rules.
 | [aws_autoscaling_group.autoscaling_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group) | resource |
 | [aws_iam_instance_profile.instance_profile](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |
 | [aws_iam_role.instance_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
-| [aws_launch_configuration.launch_configuration](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration) | resource |
+| [aws_launch_template.launch_template](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template) | resource |
 | [null_resource.tags_as_list_of_maps](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [aws_iam_policy_document.instance_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 
@@ -56,7 +56,6 @@ rules.
 | <a name="input_user_data"></a> [user\_data](#input\_user\_data) | A User Data script to execute while the server is booting. We remmend passing in a bash script that executes the run-consul script, which should have been installed in the Consul AMI by the install-consul module. | `string` | n/a | yes |
 | <a name="input_instance_type"></a> [instance\_type](#input\_instance\_type) | The type of EC2 Instances to run for each node in the cluster (e.g. t3.micro). | `string` | `"t3.micro"` | no |
 | <a name="input_cluster_size"></a> [cluster\_size](#input\_cluster\_size) | The number of nodes to have in the Consul cluster. We strongly recommended that you use either 3 or 5. | `number` | `3` | no |
-| <a name="input_tenancy"></a> [tenancy](#input\_tenancy) | The tenancy of the instance. Must be one of: empty string, default or dedicated. For EC2 Spot Instances only empty string or dedicated can be used. | `string` | `""` | no |
 | <a name="input_root_volume_ebs_optimized"></a> [root\_volume\_ebs\_optimized](#input\_root\_volume\_ebs\_optimized) | If true, the launched EC2 instance will be EBS-optimized. | `bool` | `false` | no |
 | <a name="input_root_volume_type"></a> [root\_volume\_type](#input\_root\_volume\_type) | The type of volume. Must be one of: standard, gp2, or io1. | `string` | `"standard"` | no |
 | <a name="input_root_volume_size"></a> [root\_volume\_size](#input\_root\_volume\_size) | The size, in GB, of the root EBS volume. | `number` | `50` | no |
@@ -79,7 +78,7 @@ rules.
 |------|-------------|
 | <a name="output_asg_name"></a> [asg\_name](#output\_asg\_name) | Name of the Consul autoscaling group |
 | <a name="output_cluster_size"></a> [cluster\_size](#output\_cluster\_size) | Number of Consul nodes |
-| <a name="output_launch_config_name"></a> [launch\_config\_name](#output\_launch\_config\_name) | Name of the Consul launch configuration |
+| <a name="output_launch_template"></a> [launch\_template](#output\_launch\_template) | Name of the Vault launch\_template |
 | <a name="output_iam_role_arn"></a> [iam\_role\_arn](#output\_iam\_role\_arn) | ARN of the IAM role attached to the Consul instance. |
 | <a name="output_iam_role_id"></a> [iam\_role\_id](#output\_iam\_role\_id) | ID of the IAM role attached to the Consul instance. |
 | <a name="output_iam_role_name"></a> [iam\_role\_name](#output\_iam\_role\_name) | Name of the IAM role attached to the Consul instance. |

diff --git a/modules/consul-cluster/main.tf b/modules/consul-cluster/main.tf
@@ -1,7 +1,10 @@
 resource "aws_autoscaling_group" "autoscaling_group" {
   name_prefix = var.cluster_name
 
-  launch_configuration = aws_launch_configuration.launch_configuration.name
+  launch_template {
+    id      = aws_launch_template.launch_template.id
+    version = aws_launch_template.launch_template.latest_version
+  }
 
   vpc_zone_identifier = flatten(var.subnet_ids)
 
@@ -44,36 +47,33 @@ resource "aws_autoscaling_group" "autoscaling_group" {
   }
 }
 
-resource "aws_launch_configuration" "launch_configuration" {
+resource "aws_launch_template" "launch_template" {
   name_prefix   = "${var.cluster_name}-"
   image_id      = var.ami_id
   instance_type = var.instance_type
   user_data     = var.user_data
 
-  iam_instance_profile = aws_iam_instance_profile.instance_profile.name
-  placement_tenancy    = var.tenancy
+  iam_instance_profile {
+    name = aws_iam_instance_profile.instance_profile.name
+  }
 
+  vpc_security_group_ids = [
+    module.lc_security_group.security_group_id,
+    module.attach_security_group.security_group_id,
+  ]
   metadata_options {
     http_tokens                 = "required"
     http_put_response_hop_limit = 1
     http_endpoint               = "enabled"
   }
 
-  security_groups = [
-    module.lc_security_group.security_group_id,
-    module.attach_security_group.security_group_id,
-  ]
-
-  associate_public_ip_address = false
-
   ebs_optimized = var.root_volume_ebs_optimized
-  root_block_device {
-    volume_type           = var.root_volume_type
-    volume_size           = var.root_volume_size
-    delete_on_termination = var.root_volume_delete_on_termination
-  }
-
-  lifecycle {
-    create_before_destroy = true
+  block_device_mappings {
+    device_name = "/dev/sda1"
+    ebs {
+      volume_size = var.root_volume_size
+      delete_on_termination = var.root_volume_delete_on_termination
+      volume_type           = var.root_volume_type
+    }
   }
 }
diff --git a/modules/consul-cluster/outputs.tf b/modules/consul-cluster/outputs.tf
@@ -8,11 +8,10 @@ output "cluster_size" {
   description = "Number of Consul nodes"
 }
 
-output "launch_config_name" {
-  value       = aws_launch_configuration.launch_configuration.name
-  description = "Name of the Consul launch configuration"
+output "launch_template" {
+  value       = aws_launch_template.launch_template.name
+  description = "Name of the Vault launch_template"
 }
-
 output "iam_role_arn" {
   value       = aws_iam_role.instance_role.arn
   description = "ARN of the IAM role attached to the Consul instance."

diff --git a/modules/consul-cluster/variables.tf b/modules/consul-cluster/variables.tf
@@ -30,12 +30,6 @@ variable "cluster_size" {
   type        = number
 }
 
-variable "tenancy" {
-  description = "The tenancy of the instance. Must be one of: empty string, default or dedicated. For EC2 Spot Instances only empty string or dedicated can be used."
-  default     = ""
-  type        = string
-}
-
 variable "root_volume_ebs_optimized" {
   description = "If true, the launched EC2 instance will be EBS-optimized."
   default     = false

diff --git a/modules/vault-cluster/README.md b/modules/vault-cluster/README.md
@@ -63,7 +63,7 @@ machines.
 | [aws_iam_role.instance_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy.vault_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.vault_s3_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
-| [aws_launch_configuration.launch_configuration](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration) | resource |
+| [aws_launch_template.launch_template](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template) | resource |
 | [null_resource.tags_as_list_of_maps](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [aws_iam_policy_document.instance_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.vault_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -81,7 +81,6 @@ machines.
 | <a name="input_user_data"></a> [user\_data](#input\_user\_data) | A User Data script to execute while the server is booting. We recommend passing in a bash script that executes the run-vault script, which should have been installed in the AMI by the install-vault module. | `string` | n/a | yes |
 | <a name="input_instance_type"></a> [instance\_type](#input\_instance\_type) | The type of EC2 Instances to run for each node in the cluster (e.g. t2.micro). | `string` | `"t3.micro"` | no |
 | <a name="input_cluster_size"></a> [cluster\_size](#input\_cluster\_size) | The number of nodes to have in the cluster. We strongly recommend setting this to 3 or 5. | `number` | `3` | no |
-| <a name="input_tenancy"></a> [tenancy](#input\_tenancy) | The tenancy of the instance. Must be one of: default or dedicated. | `string` | `"default"` | no |
 | <a name="input_root_volume_ebs_optimized"></a> [root\_volume\_ebs\_optimized](#input\_root\_volume\_ebs\_optimized) | If true, the launched EC2 instance will be EBS-optimized. | `bool` | `false` | no |
 | <a name="input_root_volume_type"></a> [root\_volume\_type](#input\_root\_volume\_type) | The type of volume. Must be one of: standard, gp2, or io1. | `string` | `"standard"` | no |
 | <a name="input_root_volume_size"></a> [root\_volume\_size](#input\_root\_volume\_size) | The size, in GB, of the root EBS volume. | `number` | `50` | no |
@@ -106,7 +105,7 @@ machines.
 |------|-------------|
 | <a name="output_asg_name"></a> [asg\_name](#output\_asg\_name) | Name of the Vault autoscaling group |
 | <a name="output_cluster_size"></a> [cluster\_size](#output\_cluster\_size) | Number of Vault nodes |
-| <a name="output_launch_config_name"></a> [launch\_config\_name](#output\_launch\_config\_name) | Name of the Vault launch configuration |
+| <a name="output_launch_template"></a> [launch\_template](#output\_launch\_template) | Name of the Vault launch\_template |
 | <a name="output_iam_role_arn"></a> [iam\_role\_arn](#output\_iam\_role\_arn) | ARN of the IAM role attached to the Vault instance. |
 | <a name="output_iam_role_id"></a> [iam\_role\_id](#output\_iam\_role\_id) | ID of the IAM role attached to the Vault instance. |
 | <a name="output_iam_role_name"></a> [iam\_role\_name](#output\_iam\_role\_name) | Name of the IAM role attached to the Vault instance. |

diff --git a/modules/vault-cluster/main.tf b/modules/vault-cluster/main.tf
@@ -1,7 +1,10 @@
 resource "aws_autoscaling_group" "autoscaling_group" {
   name_prefix = var.cluster_name
 
-  launch_configuration = aws_launch_configuration.launch_configuration.name
+  launch_template {
+    id      = aws_launch_template.launch_template.id
+    version = aws_launch_template.launch_template.latest_version
+  }
 
   vpc_zone_identifier = flatten(var.subnet_ids)
 
@@ -39,36 +42,34 @@ resource "aws_autoscaling_group" "autoscaling_group" {
   }
 }
 
-resource "aws_launch_configuration" "launch_configuration" {
+# Launch Template Resource
+resource "aws_launch_template" "launch_template" {
   name_prefix   = "${var.cluster_name}-"
   image_id      = var.ami_id
   instance_type = var.instance_type
   user_data     = var.user_data
 
-  iam_instance_profile = aws_iam_instance_profile.instance_profile.name
-  placement_tenancy    = var.tenancy
+  iam_instance_profile {
+    name = aws_iam_instance_profile.instance_profile.name
+  }
 
-  security_groups = [
+  vpc_security_group_ids = [
     module.lc_security_group.security_group_id,
     module.attach_security_group.security_group_id,
   ]
-
   metadata_options {
     http_tokens                 = "required"
     http_put_response_hop_limit = 1
     http_endpoint               = "enabled"
   }
 
-  associate_public_ip_address = false
-
   ebs_optimized = var.root_volume_ebs_optimized
-  root_block_device {
-    volume_type           = var.root_volume_type
-    volume_size           = var.root_volume_size
-    delete_on_termination = var.root_volume_delete_on_termination
-  }
-
-  lifecycle {
-    create_before_destroy = true
+  block_device_mappings {
+    device_name = "/dev/sda1"
+    ebs {
+      volume_size = var.root_volume_size
+      delete_on_termination = var.root_volume_delete_on_termination
+      volume_type           = var.root_volume_type
+    }
   }
 }
diff --git a/modules/vault-cluster/outputs.tf b/modules/vault-cluster/outputs.tf
@@ -8,9 +8,9 @@ output "cluster_size" {
   description = "Number of Vault nodes"
 }
 
-output "launch_config_name" {
-  value       = aws_launch_configuration.launch_configuration.name
-  description = "Name of the Vault launch configuration"
+output "launch_template" {
+  value       = aws_launch_template.launch_template.name
+  description = "Name of the Vault launch_template"
 }
 
 output "iam_role_arn" {

diff --git a/modules/vault-cluster/variables.tf b/modules/vault-cluster/variables.tf
@@ -30,12 +30,6 @@ variable "cluster_size" {
   type        = number
 }
 
-variable "tenancy" {
-  description = "The tenancy of the instance. Must be one of: default or dedicated."
-  default     = "default"
-  type        = string
-}
-
 variable "root_volume_ebs_optimized" {
   description = "If true, the launched EC2 instance will be EBS-optimized."
   default     = false

diff --git a/outputs.tf b/outputs.tf
@@ -18,14 +18,14 @@ output "asg_name_vault_cluster" {
   description = "Autoscaling group name of the Vault cluster."
 }
 
-output "launch_config_name_consul_cluster" {
-  value       = module.consul_cluster.launch_config_name
-  description = "Launch configuration name of the Consul cluster."
+output "launch_template_name_consul_cluster" {
+  value       = module.consul_cluster.launch_template
+  description = "Launch template name of the Consul cluster."
 }
 
-output "launch_config_name_vault_cluster" {
-  value       = module.vault_cluster.launch_config_name
-  description = "Launch configuration name of the Vault cluster."
+output "launch_template_name_vault_cluster" {
+  value       = module.vault_cluster.launch_template
+  description = "Launch template name of the Vault cluster."
 }
 
 output "iam_role_arn_consul_cluster" {