Merge pull request #5 from timoa/develop

Use Ansible with Terraform to configure the instance at boot time

Author: timoa

.github/workflows/code-review.yml

@@ -18,6 +18,11 @@ jobs:
       TF_VAR_region: ${{secrets.OCI_REGION}}
 
     steps:
+      - name: Harden GitHub Actions Runner
+        uses: step-security/harden-runner@248ae51c2e8cc9622ecf50685c8bf7150c6e8813
+        with:
+          egress-policy: audit
+
       - name: Checkout
         uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
 
@@ -26,16 +31,15 @@ jobs:
       #  slow due to lack of caching
       # Note: Terraform is not needed for tflint
       - name: Install Terraform
-        run: |
-          brew install terraform
+        run: brew install terraform
 
       # Run init to get module code to be able to use `--module`
       - name: Terraform init
-        run: |
-          terraform init
+        run: terraform init
+        working-directory: ./terraform
 
       # Run TFLint
-      - name: tflint with reviewdog output on the PR
+      - name: Run TFlint with reviewdog output on the PR
         uses: reviewdog/action-tflint@46e609666b039b775a150e84781ef79ea90089a8 # tag=v1.17.0
 
   # -- SECURITY ---------------------------------------------------------------
@@ -52,9 +56,14 @@ jobs:
       TF_VAR_region: ${{secrets.OCI_REGION}}
 
     steps:
+      - name: Harden GitHub Actions Runner
+        uses: step-security/harden-runner@248ae51c2e8cc9622ecf50685c8bf7150c6e8813
+        with:
+          egress-policy: audit
+
       - name: Checkout
         uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
 
       # Run TFSec
-      - name: Run tfsec with reviewdog output on the PR
+      - name: Run TFsec with reviewdog output on the PR
         uses: reviewdog/action-tfsec@3f1d245c545329b13061259c2f126305893ad138 # tag=v1.15.0

.github/workflows/terraform.yml

@@ -18,6 +18,11 @@ jobs:
       TF_VAR_region: ${{secrets.OCI_REGION}}
 
     steps:
+      - name: Harden GitHub Actions Runner
+        uses: step-security/harden-runner@248ae51c2e8cc9622ecf50685c8bf7150c6e8813
+        with:
+          egress-policy: audit
+
       - name: Checkout
         uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
 
@@ -27,14 +32,17 @@ jobs:
       - name: Terraform Format
         id: fmt
         run: terraform fmt -check
+        working-directory: ./terraform
         continue-on-error: true
 
       - name: Terraform Init
         id: init
+        working-directory: ./terraform
         run: terraform init
 
       - name: Terraform Plan
         id: apply
+        working-directory: ./terraform
         run: terraform plan
 
   # -- SAST SCAN --------------------------------------------------------------
@@ -46,6 +54,11 @@ jobs:
     if: (github.actor != 'dependabot[bot]')
 
     steps:
+      - name: Harden GitHub Actions Runner
+        uses: step-security/harden-runner@248ae51c2e8cc9622ecf50685c8bf7150c6e8813
+        with:
+          egress-policy: audit
+
       - name: Checkout
         uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
 
@@ -69,6 +82,11 @@ jobs:
     needs: tests
 
     steps:
+      - name: Harden GitHub Actions Runner
+        uses: step-security/harden-runner@248ae51c2e8cc9622ecf50685c8bf7150c6e8813
+        with:
+          egress-policy: audit
+
       - name: Checkout
         uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
 
@@ -92,6 +110,11 @@ jobs:
     if: github.ref == 'refs/heads/main'
 
     steps:
+      - name: Harden GitHub Actions Runner
+        uses: step-security/harden-runner@248ae51c2e8cc9622ecf50685c8bf7150c6e8813
+        with:
+          egress-policy: audit
+
       - name: Checkout
         uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
         with:

.gitignore

@@ -1,12 +1,12 @@
 # Local .terraform directories
-**/.terraform/*
+**/**/.terraform/*
 
 # .tfstate files
-*.tfstate
-*.tfstate.*
+**/*.tfstate
+**/*.tfstate.*
 
 # Crash log files
-crash.log
+**/crash.log
 
 # Ignore any .tfvars files that are generated automatically for each Terraform run. Most
 # .tfvars files are managed as part of configuration and so should be included in
@@ -16,10 +16,10 @@ crash.log
 
 # Ignore override files as they are usually used to override resources locally and so
 # are not checked in
-override.tf
-override.tf.json
-*_override.tf
-*_override.tf.json
+**/override.tf
+**/override.tf.json
+**/*_override.tf
+**/*_override.tf.json
 
 # Include override files you do wish to add to version control using negated pattern
 #
@@ -29,4 +29,10 @@ override.tf.json
 # example: *tfplan*
 
 # Key Pair files
-keypairs/**/*
+**/keypairs/**/*
+
+# Ansible
+ansible/hosts.yml
+ansible/roles/**/*
+ansible/group_vars/**/*.yml
+ansible/host_vars/**/*.yml

README.md

@@ -6,22 +6,46 @@
 
 Terraform project that deploys VSCode Server on Oracle Cloud Infrastructure using only the free tier.
 
-> WARNING: This project is currently under developmnent.
+> WARNING: This project is currently under active development.
 > Please check back later.
 
+## The challenge
+
+### Goal
+
+Deploy a free and easy maintenable VSCode Server.
+
+### Limitations
+
+Currently, Oracle Cloud Free tier provides great performance (4vCPU ARM based, 24GB of RAM, and 200GB of storage), but:
+
+* The instance is preemptible, which means that they can be terminated at any time
+* We can't create custom images, so we have to install VSCode Server and other dependencies at boot time
+* Can be hard to find a OCI datacenter that has still available capacity
+
+## How to start
+
+### Create an OCI account
+
+### Configure the OCI authentication
+
+### Deploy the VSCode Server instance
+
+### Access to VSCode Server from your browser
+
 ## TODO
 
 - [x] Create the custom VCN (VPC)
 - [x] Get the latest Ubuntu image automatically
-- [x] Create the block volume for `/data` (150GB)
+- [x] Create the block volume for `/data` (100GB)
 - [x] Attach the block volume to the instance
 - [x] Create the instance on free tier (4 vCPU, 24GB memory)
 - [x] Configure the instance and install VSCode Server with Cloud Init
 - [x] Create automatically the SSH key pair
 - [x] Mount and format the block volume on `/data`
 - [x] Restrict SSH and VS Code port access
+- [x] Configure backups of the block volume only
 - [ ] Encrypt the block volume with a KMS key
-- [ ] Configure backups of the block volume only (WIP)
 - [ ] Configure Cloudflare Zero Trust to secure the instance access
 - [ ] Write the documentation for the manual steps (Oracle Cloud Infrastructure & Cloudflare accounts, etc.)
 - [ ] Explain how to avoid the "Out of Host capacity" error

USAGE.md

@@ -1,84 +1,21 @@
 <!-- BEGIN_TF_DOCS -->
 ## Requirements
 
-| Name | Version |
-|------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_cloudinit"></a> [cloudinit](#requirement\_cloudinit) | 2.2.0 |
-| <a name="requirement_local"></a> [local](#requirement\_local) | 2.2.2 |
-| <a name="requirement_null"></a> [null](#requirement\_null) | 3.1.1 |
-| <a name="requirement_oci"></a> [oci](#requirement\_oci) | 4.72.0 |
-| <a name="requirement_tls"></a> [tls](#requirement\_tls) | 3.4.0 |
+No requirements.
 
 ## Modules
 
 No modules.
 
 ## Resources
 
-| Name | Type |
-|------|------|
-| [local_file.private_key_pem](https://registry.terraform.io/providers/hashicorp/local/2.2.2/docs/resources/file) | resource |
-| [local_file.public_key_openssh](https://registry.terraform.io/providers/hashicorp/local/2.2.2/docs/resources/file) | resource |
-| [null_resource.post_install](https://registry.terraform.io/providers/hashicorp/null/3.1.1/docs/resources/resource) | resource |
-| [null_resource.private_key_chmod](https://registry.terraform.io/providers/hashicorp/null/3.1.1/docs/resources/resource) | resource |
-| [null_resource.public_key_chmod](https://registry.terraform.io/providers/hashicorp/null/3.1.1/docs/resources/resource) | resource |
-| [oci_core_default_route_table.default_rt](https://registry.terraform.io/providers/oracle/oci/4.72.0/docs/resources/core_default_route_table) | resource |
-| [oci_core_instance.instance](https://registry.terraform.io/providers/oracle/oci/4.72.0/docs/resources/core_instance) | resource |
-| [oci_core_internet_gateway.igw](https://registry.terraform.io/providers/oracle/oci/4.72.0/docs/resources/core_internet_gateway) | resource |
-| [oci_core_security_list.security_list_ssh](https://registry.terraform.io/providers/oracle/oci/4.72.0/docs/resources/core_security_list) | resource |
-| [oci_core_security_list.security_list_vscode](https://registry.terraform.io/providers/oracle/oci/4.72.0/docs/resources/core_security_list) | resource |
-| [oci_core_subnet.subnet](https://registry.terraform.io/providers/oracle/oci/4.72.0/docs/resources/core_subnet) | resource |
-| [oci_core_vcn.vcn](https://registry.terraform.io/providers/oracle/oci/4.72.0/docs/resources/core_vcn) | resource |
-| [oci_core_volume.volume](https://registry.terraform.io/providers/oracle/oci/4.72.0/docs/resources/core_volume) | resource |
-| [oci_core_volume_attachment.volume_attachment](https://registry.terraform.io/providers/oracle/oci/4.72.0/docs/resources/core_volume_attachment) | resource |
-| [oci_core_volume_backup_policy_assignment.policy](https://registry.terraform.io/providers/oracle/oci/4.72.0/docs/resources/core_volume_backup_policy_assignment) | resource |
-| [tls_private_key.default](https://registry.terraform.io/providers/hashicorp/tls/3.4.0/docs/resources/private_key) | resource |
-| [cloudinit_config.cloudinit](https://registry.terraform.io/providers/hashicorp/cloudinit/2.2.0/docs/data-sources/config) | data source |
-| [oci_core_images.ubuntu_20_04_aarch64](https://registry.terraform.io/providers/oracle/oci/4.72.0/docs/data-sources/core_images) | data source |
-| [oci_core_volume_backup_policies.predefined_volume_backup_policies](https://registry.terraform.io/providers/oracle/oci/4.72.0/docs/data-sources/core_volume_backup_policies) | data source |
-| [oci_identity_availability_domains.ads](https://registry.terraform.io/providers/oracle/oci/4.72.0/docs/data-sources/identity_availability_domains) | data source |
+No resources.
 
 ## Inputs
 
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| <a name="input_namespace"></a> [namespace](#input\_namespace) | Project name that will be use to identifiy the resources | `string` | `"vscode"` | no |
-| <a name="input_stage"></a> [stage](#input\_stage) | Stage/environment name to tag and suffix the infrastructure composants | `string` | `"dev"` | no |
-| <a name="input_tenancy_ocid"></a> [tenancy\_ocid](#input\_tenancy\_ocid) | Tenancy OCID | `string` | `null` | no |
-| <a name="input_compartment_ocid"></a> [compartment\_ocid](#input\_compartment\_ocid) | Compartment OCID | `string` | `null` | no |
-| <a name="input_user_ocid"></a> [user\_ocid](#input\_user\_ocid) | User OCID | `string` | `null` | no |
-| <a name="input_fingerprint"></a> [fingerprint](#input\_fingerprint) | Fingerprint | `string` | `null` | no |
-| <a name="input_private_key"></a> [private\_key](#input\_private\_key) | Private Key content | `string` | `null` | no |
-| <a name="input_region"></a> [region](#input\_region) | Default Region | `string` | `"uk-london-1"` | no |
-| <a name="input_allowed_ingress_ssh"></a> [allowed\_ingress\_ssh](#input\_allowed\_ingress\_ssh) | List of IPs allowed to SSH on the instance | `list(string)` | `[]` | no |
-| <a name="input_allowed_egress_ssh"></a> [allowed\_egress\_ssh](#input\_allowed\_egress\_ssh) | List of IPs the instance is allowed to connect | `list(string)` | <pre>[<br>  "0.0.0.0/0"<br>]</pre> | no |
-| <a name="input_allowed_ingress_vscode"></a> [allowed\_ingress\_vscode](#input\_allowed\_ingress\_vscode) | List of IPs allowed to access to VS Code Server | `list(string)` | `[]` | no |
-| <a name="input_allowed_egress_vscode"></a> [allowed\_egress\_vscode](#input\_allowed\_egress\_vscode) | List of IPs the instance is allowed to connect | `list(string)` | <pre>[<br>  "0.0.0.0/0"<br>]</pre> | no |
-| <a name="input_instance_shape"></a> [instance\_shape](#input\_instance\_shape) | Instance Shape | `string` | `"VM.Standard.A1.Flex"` | no |
-| <a name="input_instance_ocpus"></a> [instance\_ocpus](#input\_instance\_ocpus) | Number of OCPUS (CPU cores) | `string` | `4` | no |
-| <a name="input_instance_shape_config_memory_in_gbs"></a> [instance\_shape\_config\_memory\_in\_gbs](#input\_instance\_shape\_config\_memory\_in\_gbs) | Memory in GBs | `string` | `24` | no |
-| <a name="input_instance_os"></a> [instance\_os](#input\_instance\_os) | Instance OS | `string` | `"Canonical Ubuntu"` | no |
-| <a name="input_instance_os_version"></a> [instance\_os\_version](#input\_instance\_os\_version) | Instance OS Version | `string` | `"20.04"` | no |
-| <a name="input_instance_os_user"></a> [instance\_os\_user](#input\_instance\_os\_user) | Instance User | `string` | `"ubuntu"` | no |
-| <a name="input_block_volume_size"></a> [block\_volume\_size](#input\_block\_volume\_size) | Block Volume size in GBs (/data) | `string` | `100` | no |
-| <a name="input_block_volume_device_name"></a> [block\_volume\_device\_name](#input\_block\_volume\_device\_name) | Block Volume device name (/dev/oracleoci/oraclevdb) | `string` | `"/dev/oracleoci/oraclevdb"` | no |
-| <a name="input_vscode_version"></a> [vscode\_version](#input\_vscode\_version) | VS Code Server Version | `string` | `"4.4.0"` | no |
-| <a name="input_keypair_name"></a> [keypair\_name](#input\_keypair\_name) | Name of the Key Pair (instance or service for ex.) | `string` | `null` | no |
-| <a name="input_keypair_public_key"></a> [keypair\_public\_key](#input\_keypair\_public\_key) | A pregenerated OpenSSH-formatted public key. Changing this creates a new keypair. If a public key is not specified, then a public/private key pair will be automatically generated. If a pair is created, then destroying this resource means you will lose access to that keypair forever. | `string` | `null` | no |
-| <a name="input_keypair_public_key_path"></a> [keypair\_public\_key\_path](#input\_keypair\_public\_key\_path) | Path to Public Key directory (e.g. `/keypairs`) | `string` | `"./keypairs"` | no |
-| <a name="input_keypair_key_algorithm"></a> [keypair\_key\_algorithm](#input\_keypair\_key\_algorithm) | Key Pair algorithm | `string` | `"RSA"` | no |
-| <a name="input_keypair_private_key"></a> [keypair\_private\_key](#input\_keypair\_private\_key) | A pregenerated OpenSSH-formatted private key. Changing this creates a new keypair. If a private key is not specified, then a public/private key pair will be automatically generated. If a pair is created, then destroying this resource means you will lose access to that keypair forever. | `string` | `null` | no |
-| <a name="input_keypair_private_key_extension"></a> [keypair\_private\_key\_extension](#input\_keypair\_private\_key\_extension) | Private key extension | `string` | `""` | no |
-| <a name="input_keypair_public_key_extension"></a> [keypair\_public\_key\_extension](#input\_keypair\_public\_key\_extension) | Public key extension | `string` | `".pub"` | no |
-| <a name="input_keypair_chmod_command_public"></a> [keypair\_chmod\_command\_public](#input\_keypair\_chmod\_command\_public) | Template of the command executed on the public key file | `string` | `"chmod 600 %v"` | no |
-| <a name="input_keypair_chmod_command_private"></a> [keypair\_chmod\_command\_private](#input\_keypair\_chmod\_command\_private) | Template of the command executed on the private key file | `string` | `"chmod 400 %v"` | no |
-| <a name="input_labels"></a> [labels](#input\_labels) | Default labels to associate to these resources | `map(string)` | <pre>{<br>  "businessunit": "mycompany",<br>  "project": "VSCode Server",<br>  "team": "devops",<br>  "terraform": "true"<br>}</pre> | no |
+No inputs.
 
 ## Outputs
 
-| Name | Description |
-|------|-------------|
-| <a name="output_instance_private_ip"></a> [instance\_private\_ip](#output\_instance\_private\_ip) | VS Code Server Instance Private IP |
-| <a name="output_instance_public_ip"></a> [instance\_public\_ip](#output\_instance\_public\_ip) | VS Code Server Instance Public IP |
+No outputs.
 <!-- END_TF_DOCS -->

ansible/group_vars/server/.gitkeep

@@ -0,0 +1,11 @@
+---
+# This playbook install the common packages
+- hosts: server
+  become: true
+
+  tasks:
+    - name: Update apt-get repo and cache
+      apt: update_cache=yes force_apt_get=yes cache_valid_time=3600
+
+    - name: Upgrade all apt packages
+      apt: upgrade=dist force_apt_get=yes

ansible/playbooks/common/os-updates.yml

@@ -0,0 +1,16 @@
+---
+# This playbook install the common packages
+- hosts: server
+  become: true
+  gather_facts: false
+
+  tasks:
+    - name: Install OpenJDK
+      apt:
+        name: openjdk-16-jdk
+        state: present
+
+    - name: Install OpenJDK JRE
+      apt:
+        name: openjdk-16-jre-headless
+        state: present

ansible/playbooks/common/playbook.yml

@@ -0,0 +1,11 @@
+---
+# This playbook install the common packages
+- hosts: server
+  become: true
+  gather_facts: false
+
+  tasks:
+    - name: Reboot the server, wait for it to go down, come back up, and respond to the command "whoami"
+      become: yes
+      reboot:
+        reboot_timeout: 600 # You can adapt the timeout to your needs