multi-arch-builders/tofu: add distro var; rework networking

Now with the distro var we can conditionally choose to use the
created network (vpc/subnet) or the one that was already provided
for us in the RHCOS account case.

Author: dustymabe

multi-arch-builders/provisioning/aarch64/README.md

@@ -35,6 +35,15 @@ Make sure your AMI user has access to this policies:
 }
 ```
 
+### TF vars via environment variables
+
+If you'd like to override the target distro (defaults to `fcos`) you
+can:
+
+```
+export TF_VAR_distro=rhcos
+```
+
 ## Running tofu
 ```bash
    # To begin using it, run 'init' within this directory.

multi-arch-builders/provisioning/aarch64/main.tf

@@ -24,6 +24,21 @@ variable "project" {
  default = "coreos-aarch64-builder"
 }
 
+# Which distro are we deploying a builder for? Override the
+# default by setting the env var: TF_VAR_distro=rhcos
+variable "distro" {
+ type    = string
+ default = "fcos"
+}
+check "health_check_distro" {
+  assert {
+    condition = anytrue([
+                    var.distro == "fcos",
+                    var.distro == "rhcos"
+                    ])
+    error_message = "Distro must be 'fcos' or 'rhcos'"
+  }
+}
 
 # Get ignition created for the multiarch builder
 resource "null_resource" "butane" {
@@ -47,6 +62,22 @@ locals {
   ami = lookup(jsondecode(data.http.stream_metadata.body).architectures.aarch64.images.aws.regions, data.aws_region.aws_region.name).image
 }
 
+variable "rhcos_aws_vpc_prod" {
+  description = "RHCOS Prod US East 2"
+  default = "vpc-0e33d95334e362c7e"
+}
+variable "rhcos_aws_subnet_internal" {
+  description = "RHCOS Prod US East 2 subnet"
+  default = "subnet-02014b5e587d01fd2"
+}
+# If we are RHCOS we'll be using an already existing VPC/subnet rather
+# than the newly created one.
+locals {
+  aws_vpc_id = var.distro == "rhcos" ? var.rhcos_aws_vpc_prod : aws_vpc.vpc.id
+  aws_subnet_id = var.distro == "rhcos" ? var.rhcos_aws_subnet_internal : aws_subnet.private_subnets[0].id
+}
+
+
 resource "aws_instance" "coreos-aarch64-builder" {
   tags = {
     Name = "${var.project}-${formatdate("YYYYMMDD", timestamp())}"
@@ -55,7 +86,7 @@ resource "aws_instance" "coreos-aarch64-builder" {
   user_data     = file("coreos-aarch64-builder.ign")
   instance_type = "m6g.metal"
   vpc_security_group_ids = [aws_security_group.sg.id] 
-  subnet_id              = var.aws_subnet_internal
+  subnet_id              = local.aws_subnet_id
   root_block_device {
       volume_size = "200"
       volume_type = "gp3"

multi-arch-builders/provisioning/aarch64/networks.tf

@@ -1,10 +1,47 @@
-variable "aws_vpc_prod" {
-  description = "RHCOS Prod US East 2"
-  default = "vpc-0e33d95334e362c7e"
+resource "aws_vpc" "vpc" {
+  cidr_block           = "172.31.0.0/16"
+  tags = {
+    Name = "${var.project}-vpc"
+  }
 }
 
-variable "aws_subnet_internal" {
-  description = "Internal subnet"
-  default = "subnet-02014b5e587d01fd2"
+resource "aws_internet_gateway" "gw" {
+  vpc_id   = aws_vpc.vpc.id
 }
 
+data "aws_availability_zones" "azs" {
+  state    = "available"
+}
+
+variable "private_subnet_cidrs" {
+ type        = list(string)
+ description = "Private Subnet CIDR values"
+ default     = ["172.31.1.0/24", "172.31.2.0/24", "172.31.3.0/24", "172.31.4.0/24", "172.31.5.0/24", "172.31.6.0/24", "172.31.7.0/24", "172.31.8.0/24"]
+}
+
+resource "aws_subnet" "private_subnets" {
+ count      = length(data.aws_availability_zones.azs.names)
+ vpc_id     = aws_vpc.vpc.id
+ cidr_block = element(var.private_subnet_cidrs, count.index)
+ availability_zone = element(data.aws_availability_zones.azs.names, count.index)
+ tags = {
+   Name = "${var.project}-private-subnet-${count.index + 1}"
+ }
+}
+
+
+resource "aws_route_table" "internet_route" {
+  vpc_id   = aws_vpc.vpc.id
+  route {
+    cidr_block = "0.0.0.0/0"
+    gateway_id = aws_internet_gateway.gw.id
+  }
+  tags = {
+    Name = "${var.project}-ig"
+  }
+}
+
+resource "aws_main_route_table_association" "public-set-main-default-rt-assoc" {
+  vpc_id         = aws_vpc.vpc.id
+  route_table_id = aws_route_table.internet_route.id
+}

multi-arch-builders/provisioning/aarch64/security-groups.tf

@@ -1,8 +1,8 @@
 resource "aws_security_group" "sg" {
   name        = "${var.project}-security-group"
   description = "Allow SSH inbound traffic only"
-  vpc_id      = var.aws_vpc_prod
- 
+  vpc_id      = local.aws_vpc_id
+
   ingress {
     description = "SSH access"
     from_port   = 22