Merge pull request #107 from ovh/ava-object-storage-tf-remote-backend

Add the code associated to the blog post

Author: scraly

.gitignore

@@ -53,3 +53,5 @@ use-cases/kubeflow/kubeconfig
 my_kube_cluster.yaml
 kustomize
 containers-orchestration/managed-rancher/create-rancher-with-tf/variables.tf
+use-cases/create-and-use-object-storage-as-tf-backend/my-app/backend.tf
+use-cases/create-and-use-object-storage-as-tf-backend/object-storage-tf/variables.tf

use-cases/create-and-use-object-storage-as-tf-backend/README.md

@@ -0,0 +1,72 @@
+# 
+
+## Create an Object Storage with Terraform
+
+### General information
+ - 🔗 [Using Terraform with OVHcloud](https://help.ovhcloud.com/csm/fr-terraform-at-ovhcloud?id=kb_article_view&sysparm_article=KB0054776)
+ - 🔗 [How to use Terraform](https://help.ovhcloud.com/csm/en-gb-public-cloud-compute-terraform?id=kb_article_view&sysparm_article=KB0050787)
+ - 🔗 [cloud_project_storage](https://registry.terraform.io/providers/ovh/ovh/latest/docs/resources/cloud_project_storage)
+ - 🔗 [OVH token generation page](https://www.ovh.com/auth/api/createToken?GET=/*&POST=/*&PUT=/*&DELETE=/*)
+
+### Set up
+  - Install the [Terraform CLI](https://www.terraform.io/downloads.html)
+  - For non Linux users: Install `gettext` (that included `envsubst` command):
+```bash
+  brew install gettext
+  brew link --force gettext
+```
+  - Get the credentials from the OVHCloud Public Cloud project:
+    - `application_key`
+    - `application_secret`
+    - `consumer_key`
+  - Get the `service_name` (Public Cloud project ID)
+
+### Demo
+
+  - `cd object-storage-tf`
+
+  - set the environment variables `OVH_APPLICATION_KEY`, `OVH_APPLICATION_SECRET`, `OVH_CONSUMER_KEY` and `OVH_CLOUD_PROJECT_SERVICE`
+
+```bash
+# OVHcloud provider needed keys
+export OVH_ENDPOINT="ovh-eu"
+export OVH_APPLICATION_KEY="xxx"
+export OVH_APPLICATION_SECRET="xxx"
+export OVH_CONSUMER_KEY="xxx"
+export OVH_CLOUD_PROJECT_SERVICE="xxx"
+```
+
+  - replace the value of your OVH_CLOUD_PROJECT_SERVICE environment variable in the `variables.tf` file (in the service_name variable)
+
+`envsubst < variables.tf.template > variables.tf`
+
+  - use the [s3.tf](./s3.tf) file to define the resources to create
+  - use the [output.tf](output.tf) file to display the bucket created at the end of Terraform execution
+  - run the `terraform init` command
+  - run the `terraform apply -var bucket_name=my-bucket` command
+
+  - save the s3 user credentials in environment variables (mandatory for the following optionnal step)
+```bash
+export AWS_ACCESS_KEY_ID=$(terraform output -raw access_key_id)
+export AWS_SECRET_ACCESS_KEY=$(terraform output -raw secret_access_key)
+```
+
+    - store the created bucket name in an environment variable (necessary for the next section).
+
+```bash
+$ export BUCKET_NAME=$(terraform output s3_bucket)
+```
+
+## Configure an OVHcloud S3-compatible Object Storage as Terraform Backend
+
+### Demo
+
+  - `cd ../my-app`
+
+  - use the [backend.tf](./my-app/backend.tf.template) file to define the resources to create
+
+  - mandatory for the `terraform init` command: replace the value of your BUCKET_NAME environment variable in the `backend.tf` file (in the bucket variable)
+
+`envsubst < backend.tf.template > backend.tf`
+
+  - run the `terraform init` command

use-cases/create-and-use-object-storage-as-tf-backend/my-app-tf-1.5.6/backend.tf

@@ -0,0 +1,10 @@
+terraform {
+    backend "s3" {
+      bucket = "<my-bucket>"
+      key    = "my-app-tf-1.5.6.tfstate"
+      region = "gra"
+      endpoint = "s3.gra.io.cloud.ovh.net"
+      skip_credentials_validation = true
+      skip_region_validation      = true
+    }
+}

use-cases/create-and-use-object-storage-as-tf-backend/my-app-tf-1.5.6/provider.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_providers {
+    ovh = {
+      source  = "ovh/ovh"
+    }
+  }
+}
+
+provider "ovh" {
+}

use-cases/create-and-use-object-storage-as-tf-backend/my-app/backend.tf.template

@@ -0,0 +1,14 @@
+terraform {
+    backend "s3" {
+      bucket = $BUCKET_NAME
+      key    = "my-app.tfstate"
+      region = "gra"
+      endpoints = {
+        s3 = "https://s3.gra.io.cloud.ovh.net/"
+      }
+      skip_credentials_validation = true
+      skip_region_validation      = true
+      skip_requesting_account_id  = true
+      skip_s3_checksum            = true
+    }
+}

use-cases/create-and-use-object-storage-as-tf-backend/my-app/provider.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_providers {
+    ovh = {
+      source  = "ovh/ovh"
+    }
+  }
+}
+
+provider "ovh" {
+}

use-cases/create-and-use-object-storage-as-tf-backend/object-storage-tf/output.tf

@@ -0,0 +1,12 @@
+output "s3_bucket" {
+  value = "${ovh_cloud_project_storage.s3_bucket.name}"
+}
+
+output "access_key_id" {
+    value = ovh_cloud_project_user_s3_credential.s3_user_cred.access_key_id
+}
+
+output "secret_access_key" {
+    value = ovh_cloud_project_user_s3_credential.s3_user_cred.secret_access_key
+    sensitive = true
+}

use-cases/create-and-use-object-storage-as-tf-backend/object-storage-tf/provider.tf

@@ -0,0 +1,15 @@
+terraform {
+  required_providers {
+    ovh = {
+      source  = "ovh/ovh"
+    }
+    
+    random = {
+      source  = "hashicorp/random"
+      version = "3.6.3"
+    }
+  }
+}
+
+provider "ovh" {
+}

use-cases/create-and-use-object-storage-as-tf-backend/object-storage-tf/s3.tf

@@ -0,0 +1,34 @@
+resource "random_string" "bucket_name_suffix" {
+  length  = 16
+  special = false
+  lower   = true
+  upper   = false
+}
+
+resource "ovh_cloud_project_storage" "s3_bucket" {
+  service_name = var.service_name
+  region_name = var.bucket_region
+  name = "${var.bucket_name}-${random_string.bucket_name_suffix.result}" # the name must be unique within OVHcloud
+}
+
+resource "ovh_cloud_project_user" "s3_user" {
+  description	= "${var.bucket_name}-${random_string.bucket_name_suffix.result}"
+  role_name	= "objectstore_operator"
+}
+
+resource "ovh_cloud_project_user_s3_credential" "s3_user_cred" {
+  user_id	= ovh_cloud_project_user.s3_user.id
+}
+
+resource "ovh_cloud_project_user_s3_policy" "s3_user_policy" {
+  service_name = var.service_name
+  user_id      = ovh_cloud_project_user.s3_user.id
+  policy = jsonencode({
+    "Statement": [{
+      "Action": ["s3:*"],
+      "Effect": "Allow",
+      "Resource": ["arn:aws:s3:::${ovh_cloud_project_storage.s3_bucket.name}","arn:aws:s3:::${ovh_cloud_project_storage.s3_bucket.name}/*"],
+      "Sid": "AdminContainer"
+    }]
+  })
+}

use-cases/create-and-use-object-storage-as-tf-backend/object-storage-tf/variables.tf.template

@@ -0,0 +1,13 @@
+variable "service_name" {
+  default = "$OVH_CLOUD_PROJECT_SERVICE"
+}
+
+
+variable bucket_name {
+  type        = string
+}
+
+variable bucket_region {
+  type        = string
+  default     = "GRA"
+}