feat(terraform): add modular linux ci stack and network module (#87)

* feat(terraform): add modular linux ci infrastructure

Amp-Thread-ID: https://ampcode.com/threads/T-019cd19d-83ae-72b7-bce5-b2656e93c0aa

* fix(terraform): default ci env to ubuntu and ignore local tfvars

Amp-Thread-ID: https://ampcode.com/threads/T-019cd19d-83ae-72b7-bce5-b2656e93c0aa

* refactor(terraform): simplify ci env inputs and defaults

Amp-Thread-ID: https://ampcode.com/threads/T-019cd19d-83ae-72b7-bce5-b2656e93c0aa

* fix(terraform): bootstrap cleanroom agent and scope kms decrypt

Amp-Thread-ID: https://ampcode.com/threads/T-019cd215-92ff-71a8-ae09-c5a770c2761d

* fix(ci): avoid interactive sudo prompt in firecracker e2e

Amp-Thread-ID: https://ampcode.com/threads/T-019cd215-92ff-71a8-ae09-c5a770c2761d

* fix(ci): pin terraform mise tool to 1.12.2

Amp-Thread-ID: https://ampcode.com/threads/T-019cd215-92ff-71a8-ae09-c5a770c2761d

* fix(terraform): enable nested virtualization for linux ci host

Amp-Thread-ID: https://ampcode.com/threads/T-019cd215-92ff-71a8-ae09-c5a770c2761d

* fix(terraform): require deploy key parameter for ci bootstrap

Amp-Thread-ID: https://ampcode.com/threads/T-019cd215-92ff-71a8-ae09-c5a770c2761d

Author: lox

.buildkite/pipeline.yml

@@ -39,5 +39,7 @@ steps:
     env:
       CLEANROOM_KERNEL_IMAGE: /var/lib/buildkite-agent/.local/share/cleanroom/images/vmlinux.bin
       CLEANROOM_FIRECRACKER_BINARY: /usr/local/bin/firecracker
+      CLEANROOM_PRIVILEGED_MODE: helper
+      CLEANROOM_PRIVILEGED_HELPER_PATH: /usr/local/sbin/cleanroom-root-helper
     agents:
       queue: cleanroom

.gitignore

@@ -1,2 +1,9 @@
 /dist
 /release-extra
+
+# Local Terraform environment values (keep *.example committed)
+/infra/terraform/envs/ci/terraform.tfvars
+/infra/terraform/envs/ci/.terraform/
+/infra/terraform/envs/ci/*.tfstate
+/infra/terraform/envs/ci/*.tfstate.*
+/infra/terraform/envs/ci/tfplan*

.mise.toml

@@ -1,5 +1,6 @@
 [tools]
 go = "1.23"
+terraform = "1.12.2"
 shellcheck = "latest"
 hyperfine = "latest"
 svu = "3"
@@ -13,7 +14,7 @@ run = "go test ./..."
 
 [tasks.lint-shell]
 description = "Lint shell scripts"
-run = "shellcheck -x scripts/cleanroom-root-helper.sh scripts/benchmark-tti.sh scripts/build-go.sh scripts/install-go.sh scripts/install.sh scripts/release.sh"
+run = "shellcheck -x scripts/bootstrap-buildkite-agent.sh scripts/cleanroom-root-helper.sh scripts/benchmark-tti.sh scripts/build-go.sh scripts/install-go.sh scripts/install.sh scripts/release.sh"
 
 [tasks.test-full]
 description = "Run full Go test suite"

infra/terraform/envs/ci/.terraform.lock.hcl

@@ -0,0 +1,38 @@
+# Terraform Env: CI
+
+Composition root for cleanroom CI infrastructure:
+
+- `../../modules/network` for VPC/subnet/NAT
+- `../../modules/linux-ci` for the private Linux host bootstrap
+
+Default AMI behaviour:
+
+- uses latest Ubuntu 24.04 AMI from SSM public parameter
+- set `ami_id` in `terraform.tfvars` if you want to pin an explicit AMI
+
+Network behaviour:
+
+- env creates its own VPC/subnets via `modules/network`
+- network CIDRs and AZ selection are fixed in env wiring (not user vars)
+
+Bootstrap behaviour:
+
+- defaults to `scripts/bootstrap-buildkite-agent.sh`, which installs and starts a Buildkite agent for the `cleanroom` queue
+- override `setup_script_path` if you need custom host bootstrap logic
+
+## Usage
+
+```bash
+cd infra/terraform/envs/ci
+cp terraform.tfvars.example terraform.tfvars
+mise x -- terraform init
+mise x -- terraform plan
+mise x -- terraform apply
+```
+
+## Access
+
+After apply, use outputs:
+
+- `ssm_start_session_command`
+- `tailscale_ssh_pattern` (when tailscale auth key is configured)

infra/terraform/envs/ci/README.md

@@ -0,0 +1,118 @@
+package ci_test
+
+import (
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+)
+
+func requireContains(t *testing.T, path string, want string) {
+	t.Helper()
+
+	content, err := os.ReadFile(path)
+	if err != nil {
+		t.Fatalf("read %s: %v", path, err)
+	}
+
+	if !strings.Contains(string(content), want) {
+		t.Fatalf("expected %s to contain %q", path, want)
+	}
+}
+
+func requireNotContains(t *testing.T, path string, want string) {
+	t.Helper()
+
+	content, err := os.ReadFile(path)
+	if err != nil {
+		t.Fatalf("read %s: %v", path, err)
+	}
+
+	if strings.Contains(string(content), want) {
+		t.Fatalf("expected %s not to contain %q", path, want)
+	}
+}
+
+func readVariableBlock(t *testing.T, path string, variableName string) string {
+	t.Helper()
+
+	content, err := os.ReadFile(path)
+	if err != nil {
+		t.Fatalf("read %s: %v", path, err)
+	}
+
+	marker := "variable \"" + variableName + "\" {"
+	src := string(content)
+	start := strings.Index(src, marker)
+	if start == -1 {
+		t.Fatalf("could not find variable %q in %s", variableName, path)
+	}
+
+	braceDepth := 0
+	for i := start; i < len(src); i++ {
+		switch src[i] {
+		case '{':
+			braceDepth++
+		case '}':
+			braceDepth--
+			if braceDepth == 0 {
+				return src[start : i+1]
+			}
+		}
+	}
+
+	t.Fatalf("unterminated variable block for %q in %s", variableName, path)
+	return ""
+}
+
+func TestLinuxCiDefaultsUseBootstrapScript(t *testing.T) {
+	t.Helper()
+
+	requireContains(t, "variables.tf", "default     = \"scripts/bootstrap-buildkite-agent.sh\"")
+	requireContains(t, filepath.Join("..", "..", "modules", "linux-ci", "variables.tf"), "default     = \"scripts/bootstrap-buildkite-agent.sh\"")
+	requireContains(t, "terraform.tfvars.example", "setup_script_path = \"scripts/bootstrap-buildkite-agent.sh\"")
+}
+
+func TestBootstrapScriptConfiguresBuildkiteAgent(t *testing.T) {
+	t.Helper()
+
+	scriptPath := filepath.Join("..", "..", "..", "..", "scripts", "bootstrap-buildkite-agent.sh")
+	requireContains(t, scriptPath, "buildkite-agent start")
+	requireContains(t, scriptPath, "BUILDKITE_TOKEN_PARAM")
+}
+
+func TestUserDataInstallsAwsCliWithoutAptAwscliDependency(t *testing.T) {
+	t.Helper()
+
+	templatePath := filepath.Join("..", "..", "modules", "linux-ci", "templates", "user_data.sh.tftpl")
+	requireNotContains(t, templatePath, "apt-get install -y git jq curl tar ca-certificates openssh-client awscli")
+	requireContains(t, templatePath, "awscli-exe-linux")
+}
+
+func TestLinuxCiEnablesNestedVirtualization(t *testing.T) {
+	t.Helper()
+
+	moduleMainPath := filepath.Join("..", "..", "modules", "linux-ci", "main.tf")
+	requireContains(t, moduleMainPath, "nested_virtualization = \"enabled\"")
+}
+
+func TestGitDeployKeyIsRequired(t *testing.T) {
+	t.Helper()
+
+	files := []string{
+		"variables.tf",
+		filepath.Join("..", "..", "modules", "linux-ci", "variables.tf"),
+	}
+
+	for _, path := range files {
+		block := readVariableBlock(t, path, "git_deploy_key_parameter_name")
+
+		if strings.Contains(block, "default") {
+			t.Fatalf("expected git_deploy_key_parameter_name to have no default in %s", path)
+		}
+
+		if !strings.Contains(block, "trimspace(var.git_deploy_key_parameter_name) != \"\"") {
+			t.Fatalf("expected git_deploy_key_parameter_name validation in %s", path)
+		}
+	}
+}

infra/terraform/envs/ci/bootstrap_defaults_test.go

@@ -0,0 +1,50 @@
+data "aws_ssm_parameter" "ubuntu_ami" {
+  name = var.ubuntu_ami_ssm_parameter_name
+}
+
+locals {
+  selected_ami_id = var.ami_id != "" ? var.ami_id : data.aws_ssm_parameter.ubuntu_ami.value
+
+  # This env owns a fixed minimal private network shape.
+  network = {
+    availability_zone   = ""
+    vpc_cidr            = "10.42.0.0/24"
+    public_subnet_cidr  = "10.42.0.0/26"
+    private_subnet_cidr = "10.42.0.64/26"
+  }
+}
+
+module "network" {
+  source = "../../modules/network"
+
+  name_prefix         = var.name_prefix
+  availability_zone   = local.network.availability_zone
+  vpc_cidr            = local.network.vpc_cidr
+  public_subnet_cidr  = local.network.public_subnet_cidr
+  private_subnet_cidr = local.network.private_subnet_cidr
+  tags                = var.tags
+}
+
+module "linux_ci" {
+  source = "../../modules/linux-ci"
+
+  aws_region                        = var.aws_region
+  name_prefix                       = var.name_prefix
+  vpc_id                            = module.network.vpc_id
+  subnet_id                         = module.network.private_subnet_id
+  ami_id                            = local.selected_ami_id
+  instance_type                     = var.instance_type
+  root_volume_size_gib              = var.root_volume_size_gib
+  buildkite_token_parameter_name    = var.buildkite_token_parameter_name
+  tailscale_auth_key_parameter_name = var.tailscale_auth_key_parameter_name
+  git_deploy_key_parameter_name     = var.git_deploy_key_parameter_name
+  repo_url                          = var.repo_url
+  repo_ref                          = var.repo_ref
+  setup_script_path                 = var.setup_script_path
+  tailscale_version                 = var.tailscale_version
+  tailscale_hostname_prefix         = var.tailscale_hostname_prefix
+  tailscale_advertise_tags          = var.tailscale_advertise_tags
+  tailscale_enable_ssh              = var.tailscale_enable_ssh
+  tailscale_accept_routes           = var.tailscale_accept_routes
+  tags                              = var.tags
+}

infra/terraform/envs/ci/main.tf

@@ -0,0 +1,34 @@
+output "vpc_id" {
+  description = "VPC ID created for ci environment."
+  value       = module.network.vpc_id
+}
+
+output "public_subnet_id" {
+  description = "Public subnet ID containing NAT gateway."
+  value       = module.network.public_subnet_id
+}
+
+output "private_subnet_id" {
+  description = "Private subnet ID containing linux-ci host."
+  value       = module.network.private_subnet_id
+}
+
+output "instance_id" {
+  description = "EC2 instance ID for linux-ci host."
+  value       = module.linux_ci.instance_id
+}
+
+output "private_ip" {
+  description = "Private IP address for linux-ci host."
+  value       = module.linux_ci.private_ip
+}
+
+output "ssm_start_session_command" {
+  description = "Command to open SSM session to linux-ci host."
+  value       = module.linux_ci.ssm_start_session_command
+}
+
+output "tailscale_ssh_pattern" {
+  description = "Tailscale SSH pattern when tailscale auth key is configured."
+  value       = module.linux_ci.tailscale_ssh_pattern
+}

infra/terraform/envs/ci/outputs.tf

@@ -0,0 +1,25 @@
+aws_region  = "ap-southeast-2"
+name_prefix = "cleanroom-ci"
+
+instance_type = "m8i.large"
+
+# Optional: pin AMI manually. Leave empty to use latest Ubuntu from SSM parameter.
+# ami_id = "ami-0123456789abcdef0"
+
+buildkite_token_parameter_name    = "/buildkite/agent-token"
+tailscale_auth_key_parameter_name = "/tailscale/authkey/ci"
+git_deploy_key_parameter_name     = "/buildkite/cleanroom/deploy-key"
+
+repo_url          = "git@github.com:buildkite/cleanroom.git"
+repo_ref          = "main"
+setup_script_path = "scripts/bootstrap-buildkite-agent.sh"
+
+tailscale_hostname_prefix = "cleanroom-ci-linux"
+tailscale_advertise_tags  = ""
+tailscale_enable_ssh      = true
+tailscale_accept_routes   = false
+
+tags = {
+  env  = "ci"
+  team = "platform"
+}