Add tofu configuration for aarch64

 * Add Tofu configuration for provisioning our aarch64 instance on AWS
 * Include supplementary documentation for our Tofu and AWS procedures

Signed-off-by: Renata <[email protected]>

Author: ravanelli

multi-arch-builders/provisioning/aarch64/README.md

@@ -0,0 +1,48 @@
+# OpenTofu
+
+ OpenTofu is a Terraform fork, is an open-source infrastructure as code (IaC) tool
+ lets you define both cloud and on-prem resources in human-readable configuration files
+ that you can version, reuse, and share.
+
+ To proceed with the next steps, ensure that 'tofu' is installed on your system.
+ See: https://github.com/opentofu/opentofu/releases
+
+## Before starting
+
+### AWS credentials
+
+```bash
+# Add your credentials to the environment.
+# Be aware for aarch64 the region is us-east-2
+HISTCONTROL='ignoreboth'
+ export AWS_DEFAULT_REGION=us-east-2
+ export AWS_ACCESS_KEY_ID=XXXX
+ export AWS_SECRET_ACCESS_KEY=YYYYYYYY
+```
+
+Make sure your AMI user has access to this policies:
+
+```json
+{
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Effect": "Allow",
+			"Action": "ec2:*",
+			"Resource": "*"
+		}
+	]
+}
+```
+
+## Running tofu
+```bash
+   # To begin using it, run 'init' within this directory.
+   tofu init
+   # If you don't intend to make any changes to the code, simply run it:
+   tofu apply
+   # If you plan to make changes to the code as modules/plugins, go ahead and run it:
+   tofu init -upgrade
+   # To destroy it run:
+   tofu destroy -target aws_instance.coreos-multiarch-builder-aarch64 
+```

multi-arch-builders/provisioning/aarch64/butane.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+cat ../../builder-common.bu | butane --pretty --strict > builder-common.ign
+cat ../../coreos-aarch64-builder.bu | butane --pretty --strict --files-dir=. > coreos-aarch64-builder.ign

multi-arch-builders/provisioning/aarch64/coreos-aarch64-builder.ign

@@ -0,0 +1,61 @@
+terraform {
+  required_providers {
+    ct = {
+      source  = "poseidon/ct"
+      version = "0.13.0"
+    }
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+    http = {
+      source  = "hashicorp/http"
+      version = "2.1.0"
+    }
+  }
+}
+
+provider "aws" {}
+provider "ct" {}
+provider "http" {}
+
+# Get ignition created for the multiarch builder
+resource "null_resource" "butane" {
+  provisioner "local-exec" {
+    command = "bash -x ./butane.sh" 
+  }
+}
+
+data "aws_region" "aws_region" {}
+
+# Gather information about the AWS image for the current region
+data "http" "stream_metadata" {
+  url = "https://builds.coreos.fedoraproject.org/streams/stable.json"
+
+  request_headers = {
+    Accept = "application/json"
+  }
+}
+# Lookup the aarch64 AWS image for the current AWS region
+locals {
+  ami = lookup(jsondecode(data.http.stream_metadata.body).architectures.aarch64.images.aws.regions, data.aws_region.aws_region.name).image
+}
+
+resource "aws_instance" "coreos-multiarch-builder-aarch64" {
+  tags = {
+    Name = "coreos-aarch64-builder-${formatdate("YYYYMMDD", timestamp())}"
+  }
+  ami           = local.ami 
+  user_data     = file("coreos-aarch64-builder.ign")
+  instance_type = "m6g.metal"
+  vpc_security_group_ids = [aws_security_group.sg.id] 
+  subnet_id              = var.aws_subnet_internal
+  root_block_device {
+      volume_size = "200"
+      volume_type = "gp3"
+  }
+}
+
+output "instance_ip_addr" {
+  value = aws_instance.coreos-multiarch-builder-aarch64.private_ip
+} 

multi-arch-builders/provisioning/aarch64/main.tf

@@ -0,0 +1,10 @@
+variable "aws_vpc_prod" {
+  description = "RHCOS Prod US East 2"
+  default = "vpc-0e33d95334e362c7e"
+}
+
+variable "aws_subnet_internal" {
+  description = "Internal subnet"
+  default = "subnet-02014b5e587d01fd2"
+}
+

multi-arch-builders/provisioning/aarch64/networks.tf

@@ -0,0 +1,24 @@
+resource "aws_security_group" "sg" {
+  name        = "coreos-multiarch-aarch64-security-group"
+  description = "Allow SSH inbound traffic only"
+  vpc_id      = var.aws_vpc_prod
+ 
+  ingress {
+    description = "SSH access"
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+ 
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+ 
+  tags = {
+    Name = "coreos-multiarch-aarch64-security-group"
+  }
+}