Initial release of the Talos Linux module

Signed-off-by: Philip Schmid <[email protected]>

.github/dependabot.yml

@@ -0,0 +1,11 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily
+    open-pull-requests-limit: 5
+    rebase-strategy: "disabled"
+    labels:
+      - ci/dependabot
+      - kind/enhancement

.github/workflows/terraform.yml

@@ -0,0 +1,36 @@
+name: Terraform docs and formatting
+on:
+  pull_request_target:
+    types:
+      - opened
+      - synchronize
+      - reopened
+  push:
+    branches:
+      - master
+jobs:
+  formatting:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+      - name: terraform fmt
+        uses: dflook/terraform-fmt-check@2633e1cf3717ee439e126a537bacc777d620b017
+  docs:
+    needs: formatting
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        with:
+          ref: ${{ github.event.pull_request.head.ref }}
+      - name: Render terraform docs inside the README.md and push changes back to PR branch
+        uses: terraform-docs/gh-actions@d1c99433f7a1e5003ef213d70f89aaa47cb0b675
+        with:
+          working-dir: .
+          output-file: README.md
+          output-method: inject
+          output-format: markdown table
+          git-push: "true"

.gitignore

@@ -0,0 +1,9 @@
+/.workspace-*/
+.terraform/
+.terraform.lock.hcl
+.terraform.tfstate.lock.info
+.vscode/
+terraform.tfstate*
+terraform.tfvars
+tf/
+*.DS_Store*

.terraform-docs.yml

@@ -0,0 +1,5 @@
+# https://terraform-docs.io/user-guide/configuration/
+formatter: "markdown table"
+output:
+  file: README.md
+  mode: inject

00-locals.tf

@@ -0,0 +1,50 @@
+data "aws_availability_zones" "available" {
+  state = "available"
+}
+
+data "aws_ami" "talos" {
+  owners      = ["540036508848"] # Sidero Labs
+  most_recent = true
+  name_regex  = "^talos-${var.talos_version}-${data.aws_availability_zones.available.id}-amd64$"
+}
+
+locals {
+  common_machine_config_patch = {
+    machine = {
+      kubelet = {
+        registerWithFQDN = true
+      }
+    }
+  }
+
+  ccm_patch_cp = {
+    cluster = {
+      externalCloudProvider = {
+        enabled = true
+        manifests = [
+          "https://raw.githubusercontent.com/siderolabs/contrib/main/examples/terraform/aws/manifests/ccm.yaml"
+        ]
+      }
+    }
+  }
+
+  ccm_patch_worker = {
+    cluster = {
+      externalCloudProvider = {
+        enabled = true
+      }
+    }
+  }
+
+  config_patches_common = [
+    for path in var.config_patch_files : file(path)
+  ]
+
+  config_patches_controlplane = var.ccm ? [yamlencode(local.ccm_patch_cp)] : []
+
+  config_patches_worker = var.ccm ? [yamlencode(local.ccm_patch_worker)] : []
+
+  cluster_required_tags = {
+    "kubernetes.io/cluster/${var.cluster_name}" = "owned"
+  }
+}

00-outputs.tf

@@ -0,0 +1,11 @@
+output "path_to_talosconfig_file" {
+  description = "The generated talosconfig."
+  value       = data.talos_client_configuration.this.talos_config
+  sensitive   = true
+}
+
+output "path_to_kubeconfig_file" {
+  description = "The generated kubeconfig."
+  value       = data.talos_cluster_kubeconfig.this.kubeconfig_raw
+  sensitive   = true
+}

00-terraform.tf

@@ -0,0 +1,20 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+    talos = {
+      source  = "siderolabs/talos"
+      version = "0.4.0-alpha.0"
+    }
+  }
+  required_version = ">= 1.4.0"
+}
+
+provider "aws" {
+  region = var.region
+  default_tags {
+    tags = local.tags
+  }
+}

00-variables.tf

@@ -0,0 +1,117 @@
+variable "cluster_name" {
+  description = "Name of cluster"
+  type        = string
+}
+
+variable "region" {
+  description = "The region in which to create the RKE2 cluster."
+  type        = string
+}
+
+variable "tags" {
+  description = "The set of tags to place on the cluster."
+  type        = map(string)
+}
+
+variable "pod_cidr" {
+  description = "The CIDR to use for pods."
+  default     = "100.64.0.0/14"
+  type        = string
+}
+
+variable "service_cidr" {
+  description = "The CIDR to use for services."
+  default     = "100.68.0.0/16"
+  type        = string
+}
+
+variable "ccm" {
+  description = "Whether to deploy aws cloud controller manager"
+  type        = bool
+  default     = false
+}
+
+variable "talos_version" {
+  description = "Talos version to use for the cluster, if not set the newest Talos version. Check https://github.com/siderolabs/talos/releases for available releases."
+  type        = string
+  default     = "v1.5.3"
+
+  validation {
+    condition     = can(regex("^v\\d+\\.\\d+\\.\\d+$", var.talos_version))
+    error_message = "The talos_version value must be a valid Talos patch version, starting with 'v'."
+  }
+
+}
+
+variable "control_plane" {
+  description = "Info for control plane that will be created"
+  type = object({
+    instance_type      = optional(string, "m5.large")
+    ami_id             = optional(string, null)
+    num_instances      = optional(number, 3)
+    config_patch_files = optional(list(string), [])
+    tags               = optional(map(string), {})
+  })
+
+  validation {
+    condition     = var.control_plane.ami_id != null ? (length(var.control_plane.ami_id) > 4 && substr(var.control_plane.ami_id, 0, 4) == "ami-") : true
+    error_message = "The ami_id value must be a valid AMI id, starting with \"ami-\"."
+  }
+
+  default = {}
+}
+
+variable "worker_groups" {
+  description = "List of node worker node groups to create"
+  type = list(object({
+    name               = string
+    instance_type      = optional(string, "m5.large")
+    ami_id             = optional(string, null)
+    num_instances      = optional(number, 2)
+    config_patch_files = optional(list(string), [])
+    tags               = optional(map(string), {})
+  }))
+
+  validation {
+    condition = (
+      alltrue([
+        for wg in var.worker_groups : (
+          wg.ami_id != null ? (length(wg.ami_id) > 4 && substr(wg.ami_id, 0, 4) == "ami-") : true
+        )
+      ])
+    )
+    error_message = "The ami_id value must be a valid AMI id, starting with \"ami-\"."
+  }
+  default = [{
+    name = "default"
+  }]
+}
+
+variable "vpc_id" {
+  description = "ID of the VPC where to place the VMs."
+  type        = string
+}
+
+variable "vpc_cidr" {
+  description = "The IPv4 CIDR block for the VPC."
+  type        = string
+  default     = "10.0.0.0/16"
+}
+
+variable "talos_api_allowed_cidr" {
+  description = "The CIDR from which to allow to access the Talos API"
+  type        = string
+  default     = "0.0.0.0/0"
+}
+
+variable "kubernetes_api_allowed_cidr" {
+  description = "The CIDR from which to allow to access the Kubernetes API"
+  type        = string
+  default     = "0.0.0.0/0"
+}
+
+variable "config_patch_files" {
+  description = "Path to talos config path files that applies to all nodes"
+  type        = list(string)
+  default     = []
+}

01-vpc.tf

@@ -0,0 +1,31 @@
+// Used to make sure the VPC has been created and introduce proper dependencies between 'data' blocks.
+data "aws_vpc" "vpc" {
+  id = var.vpc_id
+}
+
+// Used to list all public subnets in the VPC.
+data "aws_subnets" "public" {
+  depends_on = [
+    null_resource.wait_for_public_subnets,
+  ]
+  filter {
+    name = "vpc-id"
+    values = [
+      data.aws_vpc.vpc.id
+    ]
+  }
+  filter {
+    name = "tag:type"
+    values = [
+      "public"
+    ]
+  }
+}
+
+// Used to wait for at least one of the subnets to exist.
+// Unfortunately there doesn't seem to be a better way to do this in Terraform.
+resource "null_resource" "wait_for_public_subnets" {
+  provisioner "local-exec" {
+    command = "${path.module}/scripts/wait-for-public-subnets.sh ${data.aws_vpc.vpc.id} ${data.aws_region.current.name}"
+  }
+}