From 6215f5302773c2a567057204cd28dd43f0160ad7 Mon Sep 17 00:00:00 2001
From: Michele Cereda
Date: Thu, 19 Jan 2023 02:16:06 +0100
Subject: [PATCH] Added cloud-init to the mix
---
 .../README.md | 13 ++++---
 .../data.tf | 37 +++++++++++++++++++
 .../locals.tf | 5 ++-
 .../outputs.tf | 8 +++-
 .../templates/cloud-init/docker-ce.yaml.tftpl | 23 ++++++++++++
 .../templates/cloud-init/tfe.yaml.tftpl | 25 +++++++++++++
 .../variables.tf | 12 +++++-
 7 files changed, 113 insertions(+), 10 deletions(-)
 create mode 100644 terraform/airgapped terraform enterprise on azure/data.tf
 create mode 100644 terraform/airgapped terraform enterprise on azure/templates/cloud-init/docker-ce.yaml.tftpl
 create mode 100644 terraform/airgapped terraform enterprise on azure/templates/cloud-init/tfe.yaml.tftpl
diff --git a/terraform/airgapped terraform enterprise on azure/README.md b/terraform/airgapped terraform enterprise on azure/README.md
index 0b1e3cd..9313c90 100644
--- a/terraform/airgapped terraform enterprise on azure/README.md
+++ b/terraform/airgapped terraform enterprise on azure/README.md
@@ -9,11 +9,14 @@ Stateless active/active.
 ## Requirements
-| Requirement | Description |
-| ---------------- | -------------------------------------------------------------------------------------------------------------------------------------------------- |
-| TFE license file | A Terraform Enterprise license file must be provided as a Base64 encoded secret in Azure Key Vault. |
-| TLS certificate | The TLS certificate and private key files must be PEM-encoded. The TLS certificate file can contain a full chain of TLS certificates if necessary. |
-| Virtual machine | Must be Linux. |
+| Requirement | Description |
+| ----------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Passwords | All passwords must be stored as a Base64 encoded secret in Azure Key Vault and retrieved during runtime. |
+| Replicated license file | A valid Replicated license file (`.rli`) must be stored as a Base64 encoded secret in Azure Key Vault and retrieved during runtime. |
+| TFE airgap bundle | The TFE airgap bundle for Replicated must be stored as a Blob in a Storage Account and retrieved by the VM after first boot. |
+| TLS certificate | The TLS certificate and private key files must be PEM-encoded. The TLS certificate file can contain a full chain of TLS certificates if necessary. |
+| Tokens | All tokens must be stored as a Base64 encoded secret in Azure Key Vault and retrieved during runtime. |
+| Virtual machine | Must be a Linux VM. |
 ![requirements diagram]
diff --git a/terraform/airgapped terraform enterprise on azure/data.tf b/terraform/airgapped terraform enterprise on azure/data.tf
new file mode 100644
index 0000000..704cb67
--- /dev/null
+++ b/terraform/airgapped terraform enterprise on azure/data.tf
@@ -0,0 +1,37 @@
+# See:
+# - https://registry.terraform.io/providers/hashicorp/cloudinit/latest/docs
+# - https://github.com/chrusty/terraform-multipart-userdata/blob/master/example/cloudinit.tf
+
+data "cloudinit_config" "user_data" {
+ # Disabled only to make the rendered config readable in the outputs.
+ gzip = false
+ base64_encode = false
+
+ part {
+ content = templatefile(
+ "${path.module}/templates/cloud-init/docker-ce.yaml.tftpl",
+ {
+ docker_user = "azureuser"
+ }
+ )
+ content_type = "text/cloud-config"
+ filename = "docker-ce"
+ }
+
+ part {
+ content = templatefile(
+ "${path.module}/templates/cloud-init/tfe.yaml.tftpl",
+ {
+ replicated_config_file_location = var.replicated_config_file_location
+ replicated_config_file_contents_b64encoded = base64encode(local.replicated_config_file_contents)
+ replicated_license_file_location = var.replicated_config_license_file_location
+ replicated_license_file_contents_b64encoded = base64encode("") # FIXME: get from Key Vault
+ tfe_config_file_location = var.tfe_config_file_location
+ tfe_config_file_contents_b64encoded = base64encode(local.tfe_config_file_contents)
+ }
+ )
+ content_type = "text/cloud-config"
+ merge_type = "dict(recurse_array,no_replace)+list(append)"
+ filename = "tfe"
+ }
+}
diff --git a/terraform/airgapped terraform enterprise on azure/locals.tf b/terraform/airgapped terraform enterprise on azure/locals.tf
index a80463d..26287e1 100644
--- a/terraform/airgapped terraform enterprise on azure/locals.tf
+++ b/terraform/airgapped terraform enterprise on azure/locals.tf
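Review bot: `replicated_license_file_contents_b64encoded = base64encode("")` (the FIXME line in the second `part`) makes the tfe template write a zero-byte file at `replicated_config_license_file_location`, which `locals.tf` then hands to Replicated as `LicenseFileLocation`, so a misconfiguration only surfaces on the VM instead of at plan time. Until the Key Vault lookup is wired in, prefer a required input variable or a `precondition` so an empty license cannot ship. When it is wired in, the README states the secret is already stored Base64-encoded, so pass the secret value through rather than `base64encode()`-ing it a second time; the same applies if `local.replicated_config_file_contents` is ever built from Key Vault secrets. The comment on `gzip`/`base64_encode` should also say that the rendered user-data contains the config files verbatim, since that is what `outputs.tf` exposes.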
@@ -1,6 +1,9 @@
 locals {
 # See https://help.replicated.com/docs/native/customer-installations/automating/#configure-replicated-automatically
- replicated_config = {}
+ replicated_config = {
+ LicenseFileLocation = var.replicated_config_license_file_location
+ LicenseBootstrapAirgapPackagePath = var.replicated_config_license_bootstrap_airgap_package_path
+ }
 # Replicated's settings file is JSON formatted.
 # See https://help.replicated.com/docs/native/customer-installations/automating
diff --git a/terraform/airgapped terraform enterprise on azure/outputs.tf b/terraform/airgapped terraform enterprise on azure/outputs.tf
index 6fb0b14..0f4e30f 100644
--- a/terraform/airgapped terraform enterprise on azure/outputs.tf
+++ b/terraform/airgapped terraform enterprise on azure/outputs.tf
@@ -1,12 +1,16 @@
 output "replicated_config_file" {
 value = {
 contents = local.replicated_config_file_contents
- path = var.replicated_config_file_path
+ location = var.replicated_config_file_location
 }
 }
 output "tfe_config_file" {
 value = {
 contents = local.tfe_config_file_contents
- path = var.tfe_config_file_path
+ location = var.tfe_config_file_location
 }
 }
+
+output "cloudinit_config" {
+ value = data.cloudinit_config.user_data.rendered
+}
diff --git a/terraform/airgapped terraform enterprise on azure/templates/cloud-init/docker-ce.yaml.tftpl b/terraform/airgapped terraform enterprise on azure/templates/cloud-init/docker-ce.yaml.tftpl
new file mode 100644
index 0000000..a809125
--- /dev/null
+++ b/terraform/airgapped terraform enterprise on azure/templates/cloud-init/docker-ce.yaml.tftpl
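Review bot: `output "cloudinit_config"` prints the rendered user-data, which embeds `local.replicated_config_file_contents` and `local.tfe_config_file_contents` — the files the README says hold passwords and tokens — into `terraform output`, CI logs and anything that reads the outputs; Base64 here is encoding, not protection, and `data.tf` deliberately disables gzip to keep it readable. Add `sensitive = true` to this output, and to the two existing `contents` outputs in the same hunk. The value still lands in the state file, so state storage must be treated as secret either way; a comment saying so next to the output would help the next maintainer.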
@@ -0,0 +1,23 @@
+#cloud-config
+
+# See https://cloudinit.readthedocs.io/en/latest/reference/modules.html#package-update-upgrade-install
+packages:
+ - docker-ce
+
+# See https://cloudinit.readthedocs.io/en/latest/reference/modules.html#runcmd
+runcmd:
+
+ # Give the user permissions to use Docker without `sudo`ing.
+ # The 'users' module overrode *both* the SSH keys *and* group assignments in
+ # previous tests. (┛◉Д◉)┛彡┻━┻
+ - grep -qE '^docker:' /etc/group && usermod -a -G docker ${docker_user} || true
+
+# See https://cloudinit.readthedocs.io/en/latest/reference/modules.html#yum-add-repo
+yum_repos:
+ docker-ce:
+ name: Docker CE Stable - $basearch
+ enabled: true
+ baseurl: https://download.docker.com/linux/rhel/$releasever/$basearch/stable
+ priority: 1
+ gpgcheck: true
+ gpgkey: https://download.docker.com/linux/rhel/gpg
diff --git a/terraform/airgapped terraform enterprise on azure/templates/cloud-init/tfe.yaml.tftpl b/terraform/airgapped terraform enterprise on azure/templates/cloud-init/tfe.yaml.tftpl
new file mode 100644
index 0000000..dc26e05
--- /dev/null
+++ b/terraform/airgapped terraform enterprise on azure/templates/cloud-init/tfe.yaml.tftpl
@@ -0,0 +1,25 @@
+#cloud-config
+
+# Replicated requires Docker
+# TFE requires Replicated
+
+# See https://cloudinit.readthedocs.io/en/latest/reference/modules.html#write-files
+write_files:
+ - encoding: b64
+ path: ${replicated_config_file_location}
+ content: |
+ ${replicated_config_file_contents_b64encoded}
+ permissions: '0600'
+ defer: true
+ - encoding: b64
+ path: ${replicated_license_file_location}
+ content: |
+ ${replicated_license_file_contents_b64encoded}
+ permissions: '0600'
+ defer: true
+ - encoding: b64
+ path: ${tfe_config_file_location}
+ content: |
+ ${tfe_config_file_contents_b64encoded}
+ permissions: '0600'
+ defer: true
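Review bot: The `yum_repos` entry pulls Docker CE from `download.docker.com` at first boot, which sits uneasily with the airgapped deployment the README describes (airgap bundle served from Blob storage); on a VM with no egress the `packages:` step fails and nothing downstream in the tfe part has a Docker daemon to run on. If egress is intended during bootstrap, state that in the template's header comment; otherwise expose `baseurl`/`gpgkey` as template variables so they can point at an internal mirror, keeping `gpgcheck: true` as it is now. The `usermod` line also deserves a comment that `docker` group membership is root-equivalent on the host, so `docker_user` must be the least-privileged operator account rather than a shared login.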
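Review bot: The three `path: ${…_location}` values are interpolated unquoted into YAML, so a path containing `:`, `#` or a leading special character would break the document or be reparsed as a different scalar; quote each as `path: "${replicated_config_file_location}"` (and likewise for the license and TFE entries). `permissions: '0600'` with the default root owner is the right default for these files and is worth a one-line comment saying the Replicated config will carry secrets, so the mode must not be loosened. The second entry currently receives an empty Base64 payload from `data.tf`, which is noted there.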
diff --git a/terraform/airgapped terraform enterprise on azure/variables.tf b/terraform/airgapped terraform enterprise on azure/variables.tf
index 020dad6..6a798fe 100644
--- a/terraform/airgapped terraform enterprise on azure/variables.tf
+++ b/terraform/airgapped terraform enterprise on azure/variables.tf
@@ -1,9 +1,17 @@
-variable "replicated_config_file_path" {
+variable "replicated_config_file_location" {
 type = string
 default = "/etc/replicated.conf"
 description = "Only read on initial startup."
 }
-variable "tfe_config_file_path" {
+variable "replicated_config_license_bootstrap_airgap_package_path" {
+ type = string
+}
+variable "replicated_config_license_file_location" {
+ type = string
+ default = "/etc/license.rli"
+}
+
+variable "tfe_config_file_location" {
 type = string
 default = "/etc/settings.conf"
 }
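Review bot: `replicated_config_license_bootstrap_airgap_package_path` and `replicated_config_license_file_location` have no `description`, unlike `replicated_config_file_location` directly above, and the first is a required input with no default, so the operator gets no hint of what to supply. Something like `description = "Path on the VM where the TFE airgap bundle is placed before Replicated bootstraps; see the Replicated automation docs linked in locals.tf."` for the first and `description = "Path on the VM where cloud-init writes the Replicated license file (mode 0600)."` for the second would do. Since all three `*_location` values are written verbatim into the cloud-init `write_files` paths, a `validation` block requiring an absolute path (for example `can(regex("^/", var.replicated_config_license_file_location))`) would catch bad input at plan time instead of on the VM.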