# Rancher-managed RKE cluster. Node images are pulled through a private
# registry, the control-plane components get a hardened set of flags, a
# restricted PodSecurityPolicy is installed as an addon, and Rancher's
# cluster monitoring is enabled.
resource "rancher2_cluster" "rancher-cluster" {
  provider    = rancher2
  name        = var.rancher_cluster_name
  description = var.rancher_cluster_description

  rke_config {
    kubernetes_version = var.k8sversion

    # Private registry used for all cluster images; is_default marks it as
    # the registry RKE pulls from when an image has no explicit registry.
    private_registries {
      url        = var.docker_registry_url
      user       = var.docker_registry_user
      password   = var.docker_registry_password
      is_default = true
    }

    # Key RKE uses to SSH into the nodes listed below.
    ssh_key_path = var.ssh_key_file_name

    # One nodes block per entry of var.nodes. Each entry is expected to carry
    # the keys "address", "role" and "hostname_override" (assumed from the
    # lookups below; verify against the variable definition).
    dynamic "nodes" {
      iterator = node
      for_each = var.nodes
      content {
        address           = node.value["address"]
        user              = var.node_username
        role              = node.value["role"]
        hostname_override = node.value["hostname_override"]
      }
    }

    services {
      # etcd runs as a fixed uid/gid; data and WAL directories are relocated
      # and bind-mounted from the host (host path:container path).
      etcd {
        gid = "52034"
        uid = "52034"
        extra_args = {
          "data-dir" = "/var/lib/rancher/etcd/data/"
          "wal-dir"  = "/var/lib/rancher/etcd/wal/wal_dir"
        }
        extra_binds = [
          "/var/lib/etcd/data:/var/lib/rancher/etcd/data",
          "/var/lib/etcd/wal:/var/lib/rancher/etcd/wal",
        ]
      }

      kubelet {
        extra_args = {
          "feature-gates"                     = "VolumeSnapshotDataSource=true,CSIDriverRegistry=true,RotateKubeletServerCertificate=true",
          # Reject unauthenticated requests to the kubelet API.
          "anonymous-auth"                    = "false",
          "make-iptables-util-chains"         = "true",
          "protect-kernel-defaults"           = "true",
          "streaming-connection-idle-timeout" = "1800s",
          # NOTE(review): the last two suites (TLS_RSA_*) use RSA key exchange
          # and so provide no forward secrecy; the ECDHE suites before them
          # already cover current clients. Consider dropping them.
          "tls-cipher-suites"                 = "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256",
        }
        # The kubelet is allowed to start on nodes that have swap enabled.
        fail_swap_on                 = false
        generate_serving_certificate = true
        cluster_domain               = var.cluster_domain
      }

      # Controller manager and scheduler: bind their (insecure) listener to
      # loopback only and disable the profiling endpoint.
      kube_controller {
        extra_args = {
          "address"                     = "127.0.0.1",
          "feature-gates"               = "RotateKubeletServerCertificate=true",
          "profiling"                   = "false",
          "terminated-pod-gc-threshold" = "1000",
        }
      }

      scheduler {
        extra_args = {
          "address"   = "127.0.0.1",
          "profiling" = "false",
        }
      }

      kube_api {
        extra_args = {
          "feature-gates" = "VolumeSnapshotDataSource=true,CSIDriverRegistry=true",
        }
        # Encrypt Secrets at rest in etcd.
        secrets_encryption_config {
          enabled = true
        }
        # Rate-limit Event objects so a noisy workload cannot flood etcd.
        event_rate_limit {
          enabled = true
        }
        # Enable the PodSecurityPolicy admission plugin; the policy itself is
        # installed through the addons manifest below.
        pod_security_policy = true
        audit_log {
          enabled = true
        }
      }
    }

    # Restricted PodSecurityPolicy applied as a cluster addon: no privileged
    # pods, no privilege escalation, non-root users, NET_RAW dropped, and
    # only the listed volume types.
    addons = <<EOL
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted-psp
spec:
  requiredDropCapabilities:
    - NET_RAW
  privileged: false
  allowPrivilegeEscalation: false
  defaultAllowPrivilegeEscalation: false
  fsGroup:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
    - emptyDir
    - secret
    - persistentVolumeClaim
    - downwardAPI
    - configMap
    - projected
EOL

    # Additional manifests shipped with this module.
    addons_include = [
      "${path.module}/files/common.yaml",
      "${path.module}/files/operator.yaml",
      "${path.module}/files/cluster.yaml",
    ]
  }

  enable_network_policy = true
  # Rancher PSP template assigned to new projects by default. This is a
  # Rancher template id, not the name of the addon PSP above; confirm a
  # template called "restricted" exists in the Rancher instance.
  default_pod_security_policy_template_id = "restricted"

  enable_cluster_monitoring = true
  # Helm-style answers for Rancher's monitoring chart. Persistence is disabled
  # for both Grafana and Prometheus, so the size/storageClass answers next to
  # those switches have no effect until persistence is turned on.
  cluster_monitoring_input {
    answers = {
      "exporter-kubelets.https"                  = "true"
      "exporter-node.enabled"                    = "true"
      "exporter-node.ports.metrics.port"         = 9796
      "exporter-node.resources.limits.cpu"       = "200m"
      "exporter-node.resources.limits.memory"    = "200Mi"
      "grafana.persistence.enabled"              = "false"
      "grafana.persistence.size"                 = "10Gi"
      "grafana.persistence.storageClass"         = "ssd"
      "operator.resources.limits.memory"         = "500Mi"
      "prometheus.persistence.enabled"           = "false"
      "prometheus.persistence.size"              = "50Gi"
      "prometheus.persistence.storageClass"      = "ssd"
      "prometheus.persistent.useReleaseName"     = "true"
      "prometheus.resources.core.limits.cpu"     = "1000m",
      "prometheus.resources.core.limits.memory"  = "1500Mi"
      "prometheus.resources.core.requests.cpu"   = "750m"
      "prometheus.resources.core.requests.memory" = "750Mi"
      # Short retention window; metrics older than 12h are dropped.
      "prometheus.retention"                     = "12h"
    }
    version = "0.7.0"
  }
}
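# Registers every node from var.nodes with the cluster defined above.
# One instance per node (count = length(var.nodes)); each instance opens an
# SSH session to its node and runs the Rancher registration command there.
resource "null_resource" "init_cluster" {
  count = length(var.nodes)

  # SSH connection used by the provisioner below. var.nodes is indexed by
  # position here, so it has to be a list (the dynamic "nodes" block of the
  # cluster resource iterates the same variable).
  connection {
    host        = var.nodes[count.index].address
    user        = var.node_username
    private_key = file(var.ssh_key_file_name)
  }

  provisioner "remote-exec" {
    # Runs on each node in order: log in to the private registry, run the
    # cluster registration command, then log out of that same registry.
    inline = [
      # The password is fed over stdin (--password-stdin) instead of being
      # passed with -p, so the docker process does not carry it in its
      # arguments. The single quotes protect shell metacharacters in the
      # value but not a literal single quote inside the password itself.
      "printf '%s' '${var.docker_registry_password}' | docker login -u '${var.docker_registry_user}' --password-stdin ${var.docker_registry_url}",
      # Registration command from the first cluster registration token.
      # substr(..., 5, ...) drops the first five characters of the command
      # (presumably a leading "sudo " - confirm against the token output).
      # Every node is registered with all three roles regardless of the
      # per-node role declared in var.nodes; verify that this is intended.
      "${substr(rancher2_cluster.rancher-cluster.cluster_registration_token.0.node_command, 5, length(rancher2_cluster.rancher-cluster.cluster_registration_token.0.node_command))} --etcd --controlplane --worker",
      # docker logout takes the registry server, not the password. The
      # previous version passed the password here, which put it on the
      # command line and left the real registry session logged in.
      "docker logout ${var.docker_registry_url}",
    ]
  }
}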