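locals {
  ## Account and region every resource of this root module is created in
  aws_account_id = "326712726440"
  region         = "us-east-2"

  # Tags applied to resources so ownership and the managing repository are visible in AWS
  common_tags = {
    "scope"      = "terraform-managed"
    "repository" = "jenkins-infra/terraform-aws-sponsorship"
  }

  # Public names of the ci.jenkins.io service and of its AWS-hosted controller VM
  ci_jenkins_io = {
    service_fqdn       = "ci.jenkins.io"
    controller_vm_fqdn = "aws.ci.jenkins.io"
  }

  ## EKS managed add-on versions for the "cijenkinsio-agents-2" cluster,
  ## one local per add-on so each can be bumped on its own.
  cijenkinsio_agents_2_cluster_addons_coredns_addon_version             = "v1.11.4-eksbuild.2"
  cijenkinsio_agents_2_cluster_addons_kubeProxy_addon_version           = "v1.29.11-eksbuild.2"
  cijenkinsio_agents_2_cluster_addons_vpcCni_addon_version              = "v1.19.2-eksbuild.1"
  cijenkinsio_agents_2_cluster_addons_eksPodIdentityAgent_addon_version = "v1.3.4-eksbuild.1"
  cijenkinsio_agents_2_cluster_addons_awsEbsCsiDriver_addon_version     = "v1.38.1-eksbuild.1"

  ## Settings of the "cijenkinsio-agents-2" EKS cluster
  cijenkinsio_agents_2 = {
    # NOTE(review): presumably the private addresses of the cluster API endpoint — confirm against the cluster.
    # With the VPC layout below they fall inside the "eks-1" (10.0.130.0/23) and "eks-2" (10.0.132.0/23) private subnets.
    api-ipsv4 = ["10.0.131.86/32", "10.0.133.102/32"]

    # Kubernetes namespace / service account pairs of the cluster components.
    # NOTE(review): presumably each pair is bound to an IAM role elsewhere in the module — confirm before renaming.
    autoscaler = {
      namespace      = "autoscaler",
      serviceaccount = "autoscaler",
    },
    awslb = {
      namespace      = "awslb"
      serviceaccount = "awslb",
    },
    ebs-csi = {
      namespace      = "kube-system",
      serviceaccount = "ebs-csi-controller-sa",
    },

    # One address per private subnet: the 8th address counted back from the end of each subnet range
    # (cidrhost with a negative index counts from the end), i.e. 10.0.129.248, 10.0.131.248 and 10.0.133.248
    # with the vpc_private_subnets defined below.
    artifact_caching_proxy = {
      ips = [for subnet in local.vpc_private_subnets : cidrhost(subnet.cidr, -8)],
    }

    # Kubernetes group name granted on the cluster (NOTE(review): confirm where this group is bound)
    kubernetes_groups = ["ci-jenkins-io"],

    node_groups = {
      "applications" = {
        name = "applications"
        # Pods of this node group must tolerate the taint "ci.jenkins.io/applications=true:NoSchedule"
        # (key built from the service FQDN so it stays unique to this cluster's workloads).
        tolerations = [
          {
            effect   = "NoSchedule",
            key      = "${local.ci_jenkins_io["service_fqdn"]}/applications",
            operator = "Equal",
            value    = "true"
          },
        ],
      },
    },

    # Names of the private subnets (see vpc_private_subnets) the cluster is placed in, matched by name
    subnets = ["eks-1", "eks-2"]
  }

  # Maps Kubernetes toleration effect names to the upper-case taint effect values used by EKS managed node groups
  toleration_taint_effects = {
    "NoSchedule"       = "NO_SCHEDULE",
    "NoExecute"        = "NO_EXECUTE",
    "PreferNoSchedule" = "PREFER_NO_SCHEDULE",
  }

  #####
  ## External and outbound IPs used by resources for network restrictions.
  ## Note: we use scalars (strings with a space separator) to manage type changes by updatecli's HCL parser
  ## and a map with complex type (list of strings). Ref. https://github.com/updatecli/updatecli/issues/1859#issuecomment-1884876679
  #####
  # Tracked by 'updatecli' from the following source: https://reports.jenkins.io/jenkins-infra-data-reports/azure-net.json
  outbound_ips_infracijenkinsioagents1_jenkins_io = "20.122.14.108 20.186.70.154"
  # Tracked by 'updatecli' from the following source: https://reports.jenkins.io/jenkins-infra-data-reports/azure-net.json
  outbound_ips_private_vpn_jenkins_io = "172.176.126.194"

  # Same addresses as lists, one entry per space-separated scalar above
  outbound_ips = {
    # Terraform management and Docker-packaging build
    "infracijenkinsioagents1.jenkins.io" = split(" ", local.outbound_ips_infracijenkinsioagents1_jenkins_io)
    # Connections routed through the VPN
    "private.vpn.jenkins.io" = split(" ", local.outbound_ips_private_vpn_jenkins_io)
  }

  external_ips = {
    # Jenkins Puppet Master
    # TODO: automate retrieval of this IP with updatecli
    "puppet.jenkins.io" = "20.12.27.65",
    # TODO: automate retrieval of this IP with updatecli
    "ldap.jenkins.io" = "20.7.180.148",
    # TODO: automate retrieval of this IP with updatecli
    "s390x.ci.jenkins.io" = "148.100.84.76",
  }

  # Addresses allowed to reach SSH on the managed hosts: the infra.ci agents and the VPN egress.
  # The filter keeps only well-formed IPv4 addresses (cidrnetmask only accepts IPv4), so an empty
  # or malformed entry coming from the updatecli-managed scalars is dropped instead of widening
  # the allow-list or failing the plan.
  ssh_admin_ips = [
    for ip in flatten(concat(
      # Allow Terraform management from infra.ci agents
      local.outbound_ips["infracijenkinsioagents1.jenkins.io"],
      # Connections routed through the VPN
      local.outbound_ips["private.vpn.jenkins.io"],
    )) : ip
    if can(cidrnetmask("${ip}/32"))
  ]

  ## VPC Setup
  # Must be at least a /16: the layout below splits it in two /17 halves and carves /23 subnets out of them
  vpc_cidr = "10.0.0.0/16"

  # Public subnets use the first half of the vpc_cidr (index 0 of the /17 split)
  vpc_public_subnets = [
    {
      name = "controller",
      az   = "${local.region}b",
      # First /23 of the first half of the VPC: 10.0.0.0/23
      cidr = cidrsubnet(cidrsubnets(local.vpc_cidr, 1, 1)[0], 6, 0)
    },
    {
      name = "eks-public-1",
      az   = "${local.region}a",
      # Second /23 of the first half of the VPC: 10.0.2.0/23
      cidr = cidrsubnet(cidrsubnets(local.vpc_cidr, 1, 1)[0], 6, 1)
    },
  ]

  # Private subnets use the second half of the vpc_cidr (index 1 of the /17 split)
  vpc_private_subnets = [
    {
      name = "vm-agents-1",
      az   = "${local.region}b",
      # First /23 of the second half of the VPC: 10.0.128.0/23
      cidr = cidrsubnet(cidrsubnets(local.vpc_cidr, 1, 1)[1], 6, 0)
    },
    {
      name = "eks-1",
      az   = "${local.region}a",
      # Second /23 of the second half of the VPC: 10.0.130.0/23
      cidr = cidrsubnet(cidrsubnets(local.vpc_cidr, 1, 1)[1], 6, 1)
    },
    {
      name = "eks-2",
      az   = "${local.region}c",
      # Third /23 of the second half of the VPC: 10.0.132.0/23
      cidr = cidrsubnet(cidrsubnets(local.vpc_cidr, 1, 1)[1], 6, 2)
    },
  ]
}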