Deployer Node Changes Specific to LSF Cluster Creation #199
Conversation
Signed-off-by: Jayesh-Kumar3 <[email protected]>
Signed-off-by: Jayesh-Kumar3 <[email protected]>
Signed-off-by: Jayesh-Kumar3 <[email protected]>
Signed-off-by: Jayesh-Kumar3 <[email protected]>
Signed-off-by: Jayesh-Kumar3 <[email protected]>
Signed-off-by: Jayesh-Kumar3 <[email protected]>
Signed-off-by: Jayesh-Kumar3 <[email protected]>
Signed-off-by: Jayesh-Kumar3 <[email protected]>
Signed-off-by: Jayesh-Kumar3 <[email protected]>
| # dependency: landing_zone -> deployer | ||
| vpc_id = var.vpc == null ? one(module.landing_zone.vpc_id) : var.vpc | ||
| vpc_id = var.vpc == null ? one(module.landing_zone.vpc_id) : var.vpc_id | ||
| vpc = var.vpc == null ? one(module.landing_zone.vpc_name) : var.vpc |
There was a problem hiding this comment.
@jayeshh123 As discussed please look at the requirement to use this vpc block for the local, as we are not using this at the code level
There was a problem hiding this comment.
@manirtm Please change the name as vpc_name
| bastion_public_key_content = module.deployer.bastion_public_key_content | ||
| bastion_private_key_content = module.deployer.bastion_private_key_content | ||
|
|
||
| deployer_hostname = var.enable_bastion ? flatten(module.deployer.deployer_vsi_data[*].list)[0].name : "" |
There was a problem hiding this comment.
@jayeshh123 As discussed, we need to check with PC about the support for existing bastion feature. Once that is done, this logic needs to be enhanced
| storage_subnets = var.vpc != null && var.storage_subnets != null ? local.existing_storage_subnets : module.landing_zone.storage_subnets | ||
| protocol_subnets = var.vpc != null && var.protocol_subnets != null ? local.existing_protocol_subnets : module.landing_zone.protocol_subnets | ||
|
|
||
| storage_subnet = [for subnet in local.storage_subnets : subnet.name] |
There was a problem hiding this comment.
@jayeshh123 As discussed over the review, please try to use the name that is already fetched from the data source blocks instead of looping to the for loop again.
| # dependency: landing_zone_vsi -> file-share | ||
| compute_subnet_id = local.compute_subnets[0].id | ||
| compute_security_group_id = module.landing_zone_vsi.compute_sg_id | ||
| compute_subnet_id = var.vpc == null && var.compute_subnets == null ? local.compute_subnets[0].id : [for subnet in data.ibm_is_subnet.existing_compute_subnets : subnet.id][0] |
There was a problem hiding this comment.
@jayeshh123 Please re-look at this logic and probably use the locals that are already been called once
| vpc_crn = var.vpc == null ? one(module.landing_zone.vpc_crn) : one(data.ibm_is_vpc.itself[*].crn) | ||
| # TODO: Fix existing subnet logic | ||
| #subnets_crn = var.vpc == null ? module.landing_zone.subnets_crn : ### | ||
| existing_compute_subnet_crns = [for subnet in data.ibm_is_subnet.existing_compute_subnets : subnet.crn] |
There was a problem hiding this comment.
@jayeshh123 Please look at this logic and try to use the same local conditions
| # dependency: landing_zone_vsi -> file-share | ||
| } | ||
|
|
||
| data "external" "get_hostname" { |
There was a problem hiding this comment.
@jayeshh123 As discussed please remove the code and this is not required
| locals { | ||
| # dependency: dns -> dns-records | ||
| dns_instance_id = module.dns.dns_instance_id | ||
| dns_instance_id = var.enable_deployer ? "" : module.dns[0].dns_instance_id |
There was a problem hiding this comment.
@jayeshh123 As discussed please work on the existing dns id support, as this solution supports the dns id. This logic needs to be enhanced in the upcoming PR. For this PR this changes should be ok
| # dependency: dns -> dns-records | ||
| dns_instance_id = module.dns.dns_instance_id | ||
| dns_instance_id = var.enable_deployer ? "" : module.dns[0].dns_instance_id | ||
| dns_custom_resolver_id = var.enable_deployer ? "" : module.dns[0].dns_custom_resolver_id |
There was a problem hiding this comment.
@jayeshh123 As discussed please work on the existing support id support, as this solution supports the dns id. This logic needs to be enhanced in the upcoming PR. For this PR this changes should be ok
| dns_domain_names = var.dns_domain_names | ||
| kms_encryption_enabled = local.kms_encryption_enabled | ||
| boot_volume_encryption_key = local.boot_volume_encryption_key | ||
| enable_bastion = var.enable_bastion |
There was a problem hiding this comment.
@jayeshh123 When we support the existing bastion, we may need to tweak this logic.Just Fyi
| "enable_vpc_flow_logs": ${var.enable_vpc_flow_logs}, | ||
| "allowed_cidr": ${local.allowed_cidr}, | ||
| "vpc_id": "${local.vpc_id}", | ||
| "vpc": "${local.vpc}", |
There was a problem hiding this comment.
@jayeshh123 This is something this needs to re-checked and remove this value
| filename = local.schematics_inputs_path | ||
| } | ||
|
|
||
| resource "null_resource" "tf_resource_provisioner" { |
There was a problem hiding this comment.
@jayeshh123 You cannot have any individual resources being created from the main.tf file. Instead this should be called from a module directly
| ] | ||
| } | ||
|
|
||
| resource "null_resource" "cluster_destroyer" { |
There was a problem hiding this comment.
@jayeshh123 You cannot have any individual resources being created from the main.tf file. Instead this should be called from a module directly
| # Code for SCC Instance | ||
| module "scc_instance_and_profile" { | ||
| count = var.scc_enable ? 1 : 0 | ||
| count = var.enable_deployer == true && var.scc_enable ? 1 : 0 |
There was a problem hiding this comment.
@jayeshh123 Lets talk to Nupur and PC about this and update the logic accordingly
| @@ -0,0 +1,39 @@ | |||
| --- | |||
There was a problem hiding this comment.
@jayeshh123 As discussed if this is not used, please remove this file
modules/landing_zone/locals.tf
Outdated
| # Calculate network acl rules (can be done inplace in vpcs) | ||
| # TODO: VPN expectation | ||
| cidrs_network_acl_rules = compact(flatten([local.schematics_reserved_cidrs, var.allowed_cidr, var.network_cidr, "161.26.0.0/16", "166.8.0.0/14"])) | ||
| cidrs_network_acl_rules = compact(flatten([local.schematics_reserved_cidrs, var.allowed_cidr, var.network_cidr, "161.26.0.0/16", "166.8.0.0/14", "0.0.0.0/0"])) |
There was a problem hiding this comment.
@jayeshh123 This is something that we need to discuss and configure the ACL as we are not allowed to add 0.0.0.0/0
| acl_name = "hpc-acl" | ||
| cidr = var.bastion_subnets_cidr[0] | ||
| public_gateway = false | ||
| public_gateway = true |
There was a problem hiding this comment.
@jayeshh123 When we review this PR for the next changes, please validate if we need the PGW for the bastion node. As we dont support the PGW on bastion nodes. just an FYI
| count = local.enable_storage ? 1 : 0 | ||
| source = "./../key" | ||
| private_key_path = "./../../modules/ansible-roles/storage_id_rsa" #checkov:skip=CKV_SECRET_6 | ||
| private_key_path = var.enable_bastion ? "${path.root}/../../modules/ansible-roles/storage_id_rsa" : "${path.root}/modules/ansible-roles/storage_id_rsa" #checkov:skip=CKV_SECRET_6 |
There was a problem hiding this comment.
This also needs an enhancements when we implement the existing bastion feature
| vpc_id = var.vpc_id | ||
| } | ||
|
|
||
| resource "ibm_is_security_group_rule" "add_comp_sg_bastion" { |
There was a problem hiding this comment.
@jayeshh123 As we discussed this resource blocks are not something we must be calling directly.
Although I understand that this was a hack that you brought in. But in the next upcoming PR, lets get to use the fix that has been provided by the DA team . Lets work on the same
| output "lsf" { | ||
| value = module.lsf | ||
| } | ||
| # output "ssh_to_compute" { |
There was a problem hiding this comment.
All the unwanted output please remove form the code to avoid confusions @jayeshh123
| ) | ||
| default = null | ||
| default = [{ | ||
| mount_path = "/mnt/binaries" |
There was a problem hiding this comment.
@jayeshh123 This is something that we may need to think through. Since at the solutions level we are using the /mnt/vpcstorage as the mount paths. We need to use a common point for all the solutions
| description = "Run landing zone module." | ||
| } | ||
|
|
||
| variable "vpc_id" { |
There was a problem hiding this comment.
@jayeshh123 As discussed please take a look if this variable is still required as we take the var.vpc and through data block we can fetch the ID
There was a problem hiding this comment.
Approved.
There are certain changes those are commented and from the discussion we are merging this PR to unblock and in the upcoming PR all of these should be tracked down, since this is on the development stage have taken a leverage to merge this code.
On the real time prod enc this cannot be done as the above.
Approved
|
Similar changes are merged from another branch. Now develop branch is having all changes along with other enhancements. Hence this PR can be closed. |
There was a problem hiding this comment.
@manirtm Please change the name "itself" to an appropriate name on the below code block.Please check if there is a general name used and all that needs to be changed
vpc_crn = var.vpc == null ? one(module.landing_zone.vpc_crn) : one(data.ibm_is_vpc.itself[*].crn)
Also please remove any one of the data source blocks as both of them are performing the same operations. like below from the datasource.tf file.
data "ibm_is_vpc" "itself" {
count = var.vpc == null ? 0 : 1
name = var.vpc
}
There was a problem hiding this comment.
@manirtm Please make sure to run the pre-commit before merging any changes to develop branch. Without this, tracking things at the end of the PR will take a lot of efforts.
Only after the pre-commit is passing i can approve the PR
There was a problem hiding this comment.
@manirtm Please make the changes on the root main.tf file and on the solutions main.tf to point the resource group name to existing_resource_group.
Please make the necessary changes.
And where ever we have the cluster_id for LSF, please make that changes as cluster_name and make the necessary changes
|
All the changes are done and merged. All comments are taken care of. Hence this PR can be closed. |
2 participants
Description
Release required?
x.x.X)x.X.x)X.x.x)Release notes content
Run the pipeline
If the CI pipeline doesn't run when you create the PR, the PR requires a user with GitHub collaborators access to run the pipeline.
Run the CI pipeline when the PR is ready for review and you expect tests to pass. Add a comment to the PR with the following text:
Checklist for reviewers
For mergers