feat: add worker module (#2)

* feat: add worker module

The worker module is responsible for creating an Auto Scaling Group of
Boundary workers.

The `worker` module is dependent on the `controller` module. In order to
allow the workers to connect to the controller hosts, the `worker`
module requires the `ip_addresses` variable.

The value of the `ip_addresses` variable is a list of strings, where
each value is the private IP address of each controller EC2 instance
instance in the Auto Scaling Group.

When the `controller` module initializes the PostgreSQL database, it
writes the credentials for the `admin` user to stdout.

The `boundary` module will grep the contents of the
`/var/log/cloud-init-output.log` file and if it contains the text
"Initial auth information", then it writes the contents to an S3 bucket.

Writing the contents to an S3 bucket ensures that the admin credentials
are always available to the user, even if the Auto Scaling Group is
re-created.

* docs: update module documentation

* docs: update README

Author: jasonwalsh

README.md

@@ -1,3 +1,86 @@
+## Contents
+
+- [Usage](#usage)
+- [Life cycle](#life-cycle)
+- [Contributing](#contributing)
+- [Inputs](#inputs)
+- [Outputs](#outputs)
+- [License](#license)
+
+**Note:** Like HashiCorp Boundary, this module is relatively new and may contain some issues. If you do experience an issue, please create a [new issue](https://github.com/jasonwalsh/terraform-aws-boundary/issues) in the repository. Pull requests are also welcome!
+
+## Usage
+
+This module uses Terraform to install [HashiCorp Boundary](https://www.boundaryproject.io/) in an Amazon Web Services (AWS) account.
+
+This module uses the [official documentation](https://www.boundaryproject.io/docs/installing/high-availability) to install a highly available service.
+
+![high-availability-service](https://www.boundaryproject.io/img/production.png)
+
+This module creates the following resources:
+
+- A virtual private cloud with all associated networking resources (e.g., public and private subnets, route tables, internet gateways, NAT gateways, etc)
+- A PostgreSQL RDS instance used by the [Boundary controllers](https://www.boundaryproject.io/docs/installing/postgres)
+- Two [AWS KMS](https://www.boundaryproject.io/docs/configuration/kms/awskms) keys, one for `root` and the other for `worker-auth`
+- An application load balancer (ALB) that serves as a gateway to the Boundary UI/API
+- Two auto scaling groups, one for controller instances and the other for worker instances
+
+For more information on Boundary, please visit the [official documentation](https://www.boundaryproject.io/docs) or the [tutorials](https://learn.hashicorp.com/boundary) on HashiCorp Learn.
+
+To use this module, the following environment variables are required:
+
+| Name |
+|------|
+| `AWS_ACCESS_KEY_ID` |
+| `AWS_SECRET_ACCESS_KEY` |
+| `AWS_DEFAULT_REGION` |
+
+After exporting the environment variables, simply run the following command:
+
+```
+$ terraform apply
+```
+
+## Life cycle
+
+This module creates the controller instances *before* the worker instances. This implicit dependency ensures that the controller and worker instances share the same `worker-auth` KMS key.
+
+The [controller](modules/controller) module also initializes the PostgreSQL database using the following command:
+
+```
+$ boundary database init -config /etc/boundary/configuration.hcl
+```
+
+After initializing the database, Boundary outputs information required to authenticate as defined [here](https://learn.hashicorp.com/tutorials/boundary/getting-started-dev?in=boundary/getting-started). Notably, the Auth Method ID, Login Name, and Password are generated.
+
+Since initializing the database is a one-time operation, this module writes the output of the command to an S3 bucket so that the user always has access to this information.
+
+In order to retrieve the information, you can invoke the following command:
+
+```
+$ $(terraform output s3command)
+```
+
+**Note:** The `$` before the `(` is required to run this command.
+
+The result of running the command displays the contents of the [`cloud-init-output.log`](https://cloudinit.readthedocs.io/en/latest/topics/logging.html), which contains the output of the `boundary database init` command.
+
+After you run this command, you can visit the Boundary UI using the `dns_name` output.
+
+To authenticate to Boundary, you can reference [this](https://learn.hashicorp.com/tutorials/boundary/getting-started-connect?in=boundary/getting-started) guide.
+
+**Note:** If you attempt to run the `authenticate` command and are met with this error `Error trying to perform authentication: dial tcp 127.0.0.1:9200: connect: connection refused`, you can export the `BOUNDARY_ADDR` environment variable to the value of the DNS name of the ALB. For example:
+
+```
+export BOUNDARY_ADDR="http://$(terraform output dns_name)"
+```
+
+## Contributing
+
+As mentioned in the beginning of the README, this module is relatively new and may have issues. If you do discover an issue, please create a [new issue](https://github.com/jasonwalsh/terraform-aws-boundary/issues) or a [pull request](https://github.com/jasonwalsh/terraform-aws-boundary/pulls).
+
+As always, thanks for using this module!
+
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements
 
@@ -10,6 +93,7 @@
 | Name | Version |
 |------|---------|
 | aws | n/a |
+| random | n/a |
 
 ## Inputs
 
@@ -35,5 +119,10 @@
 | Name | Description |
 |------|-------------|
 | dns\_name | The public DNS name of the controller load balancer |
+| s3command | The S3 cp command used to display the contents of the cloud-init-output.log |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+## License
+
+[MIT License](LICENSE)

main.tf

@@ -25,10 +25,30 @@ data "aws_ami" "boundary" {
   owners      = ["aws-marketplace"]
 }
 
+data "aws_s3_bucket_objects" "cloudinit" {
+  bucket = aws_s3_bucket.boundary.id
+
+  depends_on = [module.controllers]
+}
+
+resource "random_string" "boundary" {
+  length  = 16
+  special = false
+  upper   = false
+}
+
+resource "aws_s3_bucket" "boundary" {
+  acl           = "private"
+  bucket        = "boundary-${random_string.boundary.result}"
+  force_destroy = true
+  tags          = local.tags
+}
+
 module "controllers" {
   source = "./modules/controller"
 
   boundary_release = var.boundary_release
+  bucket_name      = aws_s3_bucket.boundary.id
   desired_capacity = var.controller_desired_capacity
   image_id         = local.image_id
   instance_type    = var.controller_instance_type
@@ -40,6 +60,24 @@ module "controllers" {
   vpc_id           = local.vpc_id
 }
 
+module "workers" {
+  source = "./modules/worker"
+
+  boundary_release  = var.boundary_release
+  bucket_name       = aws_s3_bucket.boundary.id
+  desired_capacity  = var.worker_desired_capacity
+  image_id          = local.image_id
+  instance_type     = var.worker_instance_type
+  ip_addresses      = module.controllers.ip_addresses
+  kms_key_id        = module.controllers.kms_key_id
+  max_size          = var.worker_max_size
+  min_size          = var.worker_min_size
+  public_subnets    = local.public_subnets
+  security_group_id = module.controllers.security_group_id
+  tags              = local.tags
+  vpc_id            = local.vpc_id
+}
+
 module "vpc" {
   source = "terraform-aws-modules/vpc/aws"
 

modules/boundary/README.md

@@ -0,0 +1,37 @@
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+No provider.
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| auto\_scaling\_group\_name | The name of the Auto Scaling group | `string` | n/a | yes |
+| boundary\_release | The version of Boundary to install | `string` | n/a | yes |
+| bucket\_name | The name of the bucket to upload the contents of the<br>cloud-init-output.log file | `string` | n/a | yes |
+| desired\_capacity | The desired capacity is the initial capacity of the Auto Scaling group<br>at the time of its creation and the capacity it attempts to maintain. | `number` | `0` | no |
+| iam\_instance\_profile | The name or the Amazon Resource Name (ARN) of the instance profile associated<br>with the IAM role for the instance | `string` | `""` | no |
+| image\_id | The ID of the Amazon Machine Image (AMI) that was assigned during registration | `string` | n/a | yes |
+| instance\_type | Specifies the instance type of the EC2 instance | `string` | n/a | yes |
+| key\_name | The name of the key pair | `string` | `""` | no |
+| max\_size | The maximum size of the group | `number` | n/a | yes |
+| min\_size | The minimum size of the group | `number` | n/a | yes |
+| runcmd | Run arbitrary commands at a rc.local like level with output to the<br>console. Each item can be either a list or a string. | `list(string)` | `[]` | no |
+| security\_groups | A list that contains the security groups to assign to the instances in the Auto<br>Scaling group | `list(string)` | `[]` | no |
+| tags | One or more tags. You can tag your Auto Scaling group and propagate the tags to<br>the Amazon EC2 instances it launches. | `map(string)` | `{}` | no |
+| target\_group\_arns | The Amazon Resource Names (ARN) of the target groups to associate with the Auto<br>Scaling group | `list(string)` | `[]` | no |
+| vpc\_zone\_identifier | A comma-separated list of subnet IDs for your virtual private cloud | `list(string)` | n/a | yes |
+| write\_files | Write out arbitrary content to files, optionally setting permissions | <pre>list(object({<br>    content     = string<br>    owner       = string<br>    path        = string<br>    permissions = string<br>  }))</pre> | `[]` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| auto\_scaling\_group\_name | The name of the controller Auto Scaling group |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

modules/boundary/main.tf

@@ -13,13 +13,17 @@ locals {
 
     runcmd = concat(
       [
+        "curl https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip -o awscliv2.zip",
+        "unzip awscliv2.zip",
+        "./aws/install",
         "wget -O boundary.zip ${local.download_url}",
         "unzip boundary.zip -d /usr/local/bin"
       ],
       var.runcmd,
       [
         "systemctl enable boundary",
-        "systemctl start boundary"
+        "systemctl start boundary",
+        "grep 'Initial auth information' /var/log/cloud-init-output.log && aws s3 cp /var/log/cloud-init-output.log s3://${var.bucket_name}/{{v1.local_hostname}}/cloud-init-output.log || true"
       ]
     )
 
@@ -56,6 +60,7 @@ module "autoscaling" {
   target_group_arns            = var.target_group_arns
 
   user_data = <<EOF
+## template: jinja
 #cloud-config
 ${yamlencode(local.user_data)}
 EOF

modules/boundary/outputs.tf

@@ -0,0 +1,4 @@
+output "auto_scaling_group_name" {
+  description = "The name of the controller Auto Scaling group"
+  value       = module.autoscaling.this_autoscaling_group_name
+}

modules/boundary/variables.tf

@@ -8,6 +8,15 @@ variable "boundary_release" {
   type        = string
 }
 
+variable "bucket_name" {
+  description = <<EOF
+The name of the bucket to upload the contents of the
+cloud-init-output.log file
+EOF
+
+  type = string
+}
+
 variable "desired_capacity" {
   default = 0
 
@@ -116,7 +125,6 @@ variable "write_files" {
 
   type = list(object({
     content     = string
-    encoding    = string
     owner       = string
     path        = string
     permissions = string

modules/controller/README.md

@@ -0,0 +1,39 @@
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws | n/a |
+| random | n/a |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| boundary\_release | The version of Boundary to install | `string` | `"0.1.0"` | no |
+| bucket\_name | The name of the bucket to upload the contents of the<br>cloud-init-output.log file | `string` | n/a | yes |
+| desired\_capacity | The desired capacity is the initial capacity of the Auto Scaling group<br>at the time of its creation and the capacity it attempts to maintain. | `number` | `3` | no |
+| image\_id | The ID of the Amazon Machine Image (AMI) that was assigned during registration | `string` | n/a | yes |
+| instance\_type | Specifies the instance type of the EC2 instance | `string` | `"t3.small"` | no |
+| key\_name | The name of the key pair | `string` | `""` | no |
+| max\_size | The maximum size of the group | `number` | `3` | no |
+| min\_size | The minimum size of the group | `number` | `3` | no |
+| private\_subnets | List of private subnets | `list(string)` | n/a | yes |
+| public\_subnets | List of public subnets | `list(string)` | n/a | yes |
+| tags | One or more tags. You can tag your Auto Scaling group and propagate the tags to<br>the Amazon EC2 instances it launches. | `map(string)` | `{}` | no |
+| vpc\_id | The ID of the VPC | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| dns\_name | The public DNS name of the load balancer |
+| ip\_addresses | One or more private IPv4 addresses associated with the controllers |
+| kms\_key\_id | The unique identifier for the worker-auth key |
+| security\_group\_id | The ID of the controller security group |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->