# Resolve the most recent NixOS 20.03 AMI. The module source is pinned to an
# exact upstream commit (?ref=<sha>), so the lookup logic cannot drift silently.
module "nixos_image" {
  source  = "git@github.com:tweag/terraform-nixos.git//aws_image_nixos?ref=dbba649db86d90166d7573bb60ba40ac790e17d1"
  release = "20.03"
}
# Derive NIX_PATH from the repository's pinned nixpkgs via a helper script,
# instead of inheriting whatever the operator's shell happens to export.
# NOTE(review): the "external" data source executes this script on every
# plan/apply with the Terraform user's privileges; review get_nix_path.sh
# together with this file.
data "external" "nix_path" {
  program = ["${path.module}/get_nix_path.sh"]
}
# SSH key-pair used to reach the instance.
# NOTE(review): no rsa_bits is set, so the provider's default key size
# applies; make it explicit if a particular size is required.
resource "tls_private_key" "machine" {
  algorithm = "RSA"
}
# Register the generated public key with AWS so the instance can be
# launched with it.
resource "aws_key_pair" "machine" {
  public_key = tls_private_key.machine.public_key_openssh
  key_name   = "${var.name}-machine"
}
# Write the private key next to the module so the deploy step can use it.
# The PEM then exists in two places besides this file: on disk here, and in
# the Terraform state (as every resource attribute does), so the state backend
# needs the same protection as the key file. Keep id_rsa.pem out of version
# control.
resource "local_file" "machine_ssh_key" {
  filename          = "${path.module}/id_rsa.pem"
  file_permission   = "0600"
  sensitive_content = tls_private_key.machine.private_key_pem
}
# Security group attached to the instance. The individual rules are kept in
# separate aws_security_group_rule resources so each can be managed on its own.
resource "aws_security_group" "machine" {
  vpc_id      = var.vpc_id
  name        = "${var.name}-machine"
  description = "Machine SG"
  tags        = var.tags
}
# Inbound SSH. cidr_blocks is 0.0.0.0/0, so port 22 is reachable from the
# whole Internet; narrow this to the operator/CI source ranges where the
# deployment allows it, since the deploy step logs in as root over this port.
resource "aws_security_group_rule" "machine_ingress_ssh" {
  security_group_id = aws_security_group.machine.id
  type              = "ingress"
  protocol          = "tcp"
  from_port         = 22
  to_port           = 22
  cidr_blocks       = ["0.0.0.0/0"]
  description       = "Allow SSH from everywhere"
}
# Unrestricted outbound traffic: protocol "-1" with ports 0/0 covers every
# protocol and port. Presumably needed for fetching build inputs and for SES;
# restrict to the destinations the configuration actually needs if egress
# filtering is a requirement.
resource "aws_security_group_rule" "machine_egress_all" {
  security_group_id = aws_security_group.machine.id
  type              = "egress"
  protocol          = "-1"
  from_port         = 0
  to_port           = 0
  cidr_blocks       = ["0.0.0.0/0"]
  description       = "Allow to connect to the whole Internet"
}
# Permissions the instance gets through its role: sending raw mail via SES.
# NOTE(review): "arn:aws:ses:*" is a wildcard over every SES identity in any
# region; scope it to the sending identity's ARN once that is known.
data "aws_iam_policy_document" "machine" {
  statement {
    sid       = "EmailWithSES"
    actions   = ["ses:SendRawEmail"]
    resources = ["arn:aws:ses:*"]
  }
}
# IAM role the instance assumes. The trust policy allows only the EC2 service
# to assume it, so the role's credentials are handed out through the instance
# metadata service on the machine itself.
resource "aws_iam_role" "machine" {
  name = "${var.name}-machine"
  tags = var.tags

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      }
    }
  ]
}
EOF
}
# Inline policy that binds the SES permissions above to the role.
resource "aws_iam_role_policy" "machine" {
  role   = aws_iam_role.machine.name
  policy = data.aws_iam_policy_document.machine.json
  name   = "${var.name}-machine"
}
# Instance profile that carries the role onto the EC2 instance. The explicit
# depends_on guarantees the inline policy is attached before the profile (and
# therefore the instance that uses it) is created.
resource "aws_iam_instance_profile" "machine" {
  role       = aws_iam_role.machine.name
  name       = "${var.name}-machine"
  depends_on = [aws_iam_role_policy.machine]
}
# The EC2 instance itself.
resource "aws_instance" "machine" {
  ami           = module.nixos_image.ami # NixOS image resolved above
  instance_type = "c5.large"
  key_name      = aws_key_pair.machine.key_name

  # NOTE(review): vpc_subnets[1] is the *second* element (HCL lists are
  # zero-based); confirm this is the subnet that was intended.
  subnet_id              = var.vpc_subnets[1]
  vpc_security_group_ids = [aws_security_group.machine.id]
  iam_instance_profile   = aws_iam_instance_profile.machine.name

  tags = merge(var.tags, { "Name" = var.name })

  # 50 GiB gp2 root disk. NOTE(review): no `encrypted = true` is set here and
  # there is no metadata_options block, so the root volume is unencrypted
  # unless the account enforces default EBS encryption, and the role
  # credentials are by default reachable over IMDSv1 as well as IMDSv2
  # (`http_tokens = "required"` would enforce v2) — worth revisiting.
  root_block_device {
    volume_type = "gp2"
    volume_size = "50"
  }

  # Bring the replacement up before the old instance is torn down.
  lifecycle {
    create_before_destroy = true
  }
}
# Push the NixOS configuration onto the instance over SSH: as root, via the
# public IP, using the key generated above. The module source is pinned to a
# commit.
module "machine_deploy" {
  source = "git@github.com:tweag/terraform-nixos.git//deploy_nixos?ref=fa6ba97b51873817b279840dcb619725ea9793ac"

  nixos_config = "${path.module}/configuration.nix"
  NIX_PATH     = data.external.nix_path.result.nix_path

  target_host          = aws_instance.machine.public_ip
  target_user          = "root"
  ssh_private_key_file = local_file.machine_ssh_key.filename

  # "sandbox relaxed" loosens Nix build isolation for impure builds; remove
  # it once the build is pure so builds stay confined to the sandbox.
  extra_build_args = ["--option", "sandbox", "relaxed"]

  # Secrets for the machine, written to /var/keys/<key-name>. Values placed
  # here will most likely also be captured in the Terraform state through the
  # module's resources, so treat the state backend as secret storage.
  keys = {}

  # Redeploy whenever the instance ID changes, e.g. after re-creation.
  triggers = {
    machine_id = aws_instance.machine.id
  }
}
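#!/usr/bin/env bash
# Emit the NIX_PATH for Terraform's "external" data source as a JSON object:
#   { "nix_path": "nixpkgs=<path>" }
# The nixpkgs path comes from the repository's pinned ./nix expression
# (attribute `path`), so Terraform does not inherit NIX_PATH from the shell.
set -euo pipefail

here=$(dirname "$0")

# Evaluate the pinned nixpkgs path; --strict forces full evaluation so the
# result is a concrete value rather than a thunk.
nixpkgs=$(nix-instantiate "${here}/../nix" -A path --eval --strict)

# The external data source requires valid JSON on stdout. Escape the two
# characters that would break a JSON string literal (backslash first, then
# the double quote) instead of interpolating the raw value into the output.
escaped=${nixpkgs//\\/\\\\}
escaped=${escaped//\"/\\\"}

printf '{ "nix_path": "nixpkgs=%s" }\n' "$escaped"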