Add installing the opsstack agent via run command or via cloud-init (#7)

* Add installing the opsstack agent via run command or via cloud-init

* Update prod-stackit/terraform/50_projects/opsstack-agent-test-server/terraform.tf

Co-authored-by: Roman Schwarz <rswrz@users.noreply.github.com>

* Add GitHub Actions workflow

Signed-off-by: Roman Schwarz <rs@cloudeteer.de>

* Update prod-stackit/terraform/50_projects/opsstack-agent-test-server/main.tf

Co-authored-by: Roman Schwarz <rswrz@users.noreply.github.com>

* Use other launchpad bucket

* Add missing Secrets

* lowercase url

* working agent deployment

---------

Signed-off-by: Roman Schwarz <rs@cloudeteer.de>
Co-authored-by: Roman Schwarz <rswrz@users.noreply.github.com>
Co-authored-by: Roman Schwarz <rs@cloudeteer.de>

Author: 3 people

.github/workflows/prod-stackit-terraform-50-opsstack-agent-test-server.yaml

@@ -0,0 +1,38 @@
+name: prod-stackit-terraform-50-opsstack-agent-test-server
+
+on:
+  workflow_dispatch:
+    inputs:
+      terraform-force-unlock:
+        default: false
+        description: Terraform force unlock
+        required: false
+        type: boolean
+      terraform-force-unlock-id:
+        description: Terraform LOCK_ID
+        required: false
+        type: string
+  pull_request:
+    paths:
+      - prod-stackit/terraform/50_projects/opsstack-agent-test-server/**
+      - .github/workflows/prod-stackit-terraform-50-opsstack-agent-test-server.yaml
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  terraform:
+    name: Terraform
+    uses: cloudeteer/iac-deployment-framework/.github/workflows/terraform-deploy-stackit.yaml@wip/stackit
+    with:
+      directory: prod-stackit/terraform/50_projects/opsstack-agent-test-server
+      terraform-force-unlock-id: ${{ github.event_name == 'workflow_dispatch' && inputs.terraform-force-unlock == true && inputs.terraform-force-unlock-id }}
+      terraform-force-unlock: ${{ github.event_name == 'workflow_dispatch' && inputs.terraform-force-unlock == true && inputs.terraform-force-unlock }}
+    secrets:
+      stackit_service_account_key: ${{ secrets.CDT_LAUNCHPAD_STACKIT_SERVICE_ACCOUNT_KEY }}
+      backend_s3_secret_key: ${{ secrets.CDT_LAUNCHPAD_STACKIT_BACKEND_SECRET_ACCESS_KEY }}
+      backend_s3_access_key: ${{ secrets.CDT_LAUNCHPAD_STACKIT_BACKEND_ACCESS_KEY }}
+      env: |
+        TF_VAR_agent_login: ${{ secrets.CDT_OPSSTACK_DEV_AGENT_LOGIN }}
+        TF_VAR_deepview_url: ${{ vars.CDT_OPSSTACK_DEV_DEEPVIEW_URL }}

prod-stackit/terraform/50_projects/opsstack-agent-test-server/assets/download_opsstack_agent_setup.tftpl

@@ -0,0 +1,16 @@
+#!/bin/bash -ex
+
+set -eo pipefail
+    retryCount=0
+    while ! curl -H "Authorization: Basic ${agent_login}" --fail --fail-early -sSL "https://${deepview_url}/opsstack-agent/install/linux-${agent_version}.sh" -o linux-${agent_version}.sh; do
+        retryCount=$((retryCount+1))
+
+        if [ "$${retryCount}" -eq 100 ]; then
+            echo "Request to $1 failed. Exiting" >&2
+            exit 1
+        fi
+        echo "Request to $1 failed. Retrying in $((retryCount*2)) seconds"  >&2
+        sleep $((retryCount*2));
+    done
+
+exec bash linux-${agent_version}.sh

prod-stackit/terraform/50_projects/opsstack-agent-test-server/assets/install_stackit_agent.sh

@@ -0,0 +1,29 @@
+#!/bin/bash
+
+#Download GPG public key
+curl https://stackit-server-agent.object.storage.eu01.onstackit.cloud/stackit-server-agent.gpg -o /tmp/stackit-server-agent.gpg
+
+# Install dependencies
+
+apt-get update && apt-get install gnupg -y
+
+# Import GPG Public key
+gpg --import /tmp/stackit-server-agent.gpg
+
+# Download STACKIT Server Agent
+curl https://stackit-server-agent.object.storage.eu01.onstackit.cloud/stackit-server-agent.deb -o /tmp/stackit-server-agent.deb
+
+# Download the package signature file
+curl https://stackit-server-agent.object.storage.eu01.onstackit.cloud/stackit-server-agent.deb.sig -o /tmp/stackit-server-agent.deb.sig
+
+if gpg --verify /tmp/stackit-server-agent.deb.sig /tmp/stackit-server-agent.deb
+then
+    echo "The STACKIT Server Agent is verified successfully"
+else
+    echo "The STACKIT Server Agent is not verified successfully"
+    rm -rf /tmp/stackit-server-agent.deb /tmp/stackit-server-agent.deb.sig /tmp/stackit-server-agent.gpg
+    exit 1
+fi
+
+dpkg -i /tmp/stackit-server-agent.deb
+rm -rf /tmp/stackit-server-agent.gpg /tmp/stackit-server-agent.deb.sig /tmp/stackit-server-agent.deb

prod-stackit/terraform/50_projects/opsstack-agent-test-server/data.tf

@@ -0,0 +1,4 @@
+data "stackit_resourcemanager_project" "this" {
+  project_id   = "7642de78-ce95-48b0-877f-a986d8f92c67"
+  container_id = "Observability"
+}

prod-stackit/terraform/50_projects/opsstack-agent-test-server/main.tf

@@ -0,0 +1,136 @@
+resource "stackit_server" "agent_test" {
+  project_id = data.stackit_resourcemanager_project.this.project_id
+  name       = "agent-test-vm"
+
+  boot_volume = {
+    size                  = 64
+    source_type           = "image"
+    delete_on_termination = true
+
+    # stackit curl https://iaas.api.eu01.stackit.cloud/v1beta1/projects/$PROJECT_ID/images |
+    #   jq '.items[] | select(.name=="Ubuntu 24.04 ARM64")'
+    #source_id = "882a8fdc-3bc9-403e-96e0-e1c92a8ed7a9" # Ubuntu 24.04 ARM64
+
+    # stackit curl https://iaas.api.eu01.stackit.cloud/v1beta1/projects/$PROJECT_ID/images |
+    #   jq '.items[] | select(.name=="Ubuntu 22.04")'
+    source_id = "117e8764-41c2-405f-aece-b53aa08b28cc" # Ubuntu 24.04
+  }
+
+  #machine_type = "g1r.1d" # ARM
+  # the stackit server agent isnt available for arm yet
+  machine_type = "g1.1" # X86
+
+  availability_zone = "eu01-1" # eu01-1, eu01-2, eu03-3, eu01-m (Metro Zone is not available for ARM machine types)
+  #keypair_name      = stackit_key_pair.agent_test.name
+  user_data         = data.cloudinit_config.agent_test.rendered
+}
+
+
+data "cloudinit_config" "agent_test" {
+  gzip          = false
+  base64_encode = false
+
+  part {
+    filename = "install-stackit-server-agent.sh"
+    content_type = "text/x-shellscript"
+    content = file("${path.module}/assets/install_stackit_agent.sh")
+  }
+
+  part {
+    filename     = "download_opsstack_agent_setup.sh"
+    content_type = "text/x-shellscript"
+
+    content = templatefile("${path.module}/assets/download_opsstack_agent_setup.tftpl", {
+      deepview_url = var.deepview_url
+      agent_version = var.agent_version
+      agent_login = var.agent_login
+    })
+  }
+
+}
+resource "stackit_network" "agent_test" {
+  project_id         = data.stackit_resourcemanager_project.this.project_id
+  name               = "opsstack-agent-test"
+  ipv4_nameservers   = ["1.1.1.1", "8.8.8.8", "9.9.9.9"]
+  ipv4_prefix_length = 24
+}
+
+resource "stackit_security_group" "agent_test" {
+  project_id = data.stackit_resourcemanager_project.this.project_id
+  name               = "opsstack-agent-test"
+  stateful   = true
+}
+
+resource "stackit_security_group_rule" "agent_test" {
+  project_id        = data.stackit_resourcemanager_project.this.project_id
+  security_group_id = stackit_security_group.agent_test.security_group_id
+  direction         = "ingress"
+  ether_type        = "IPv4"
+}
+
+resource "stackit_network_interface" "agent_test" {
+  name               = "nic"
+  project_id         = data.stackit_resourcemanager_project.this.project_id
+  network_id         = stackit_network.agent_test.network_id
+  security_group_ids = [stackit_security_group.agent_test.security_group_id]
+}
+
+resource "stackit_public_ip" "agent_test" {
+  project_id           = data.stackit_resourcemanager_project.this.project_id
+  network_interface_id = stackit_network_interface.agent_test.network_interface_id
+}
+
+resource "stackit_server_network_interface_attach" "agent_test" {
+  project_id           = data.stackit_resourcemanager_project.this.project_id
+  server_id            = stackit_server.agent_test.server_id
+  network_interface_id = stackit_network_interface.agent_test.network_interface_id
+}
+
+
+#resource "null_resource" "run_agent_install_script" {
+#  triggers = {
+#    body = jsonencode({
+#      commandTemplateName = "RunShellScript"
+#      parameters = {
+#        script    = <<-EOT
+##!/bin/bash
+#
+#set -eo pipefail
+#    retryCount=0
+#    while ! curl -H "Authorization: Basic ${var.agent_login}" --fail --fail-early -sSL "https://${var.deepview_url}/opsstack-agent/install/linux-${var.agent_version}.sh" -o linux-${var.agent_version}.sh; do
+#        retryCount=$((retryCount+1))
+#
+#        if [ "$${retryCount}" -eq 100 ]; then
+#            echo "Request to $1 failed. Exiting" >&2
+#            exit 1
+#        fi
+#        echo "Request to $1 failed. Retrying in $((retryCount*2)) seconds"  >&2
+#        sleep $((retryCount*2));
+#    done
+#
+#exec bash linux-${var.agent_version}.sh
+#        EOT
+#      }
+#    })
+#  }
+#
+#  provisioner "local-exec" {
+#    interpreter = ["bash", "-ec"]
+#    # wait a minute for the server agent to be online
+#    command = join("; ", [
+#      "sleep 60s",
+#      "tmpfile=$(mktemp)",
+#      "chmod 600 \"$tmpfile\"",
+#      "printf '%s' \"$TF_VAR_stackit_service_account_key\" > \"$tmpfile\"",
+#      "stackit auth activate-service-account --service-account-key-path \"$tmpfile\"",
+#      "shred --remove \"$tmpfile\"", # Note: On macOS, install coreutils to enable the `shred` command (e.g., via `brew install coreutils`)
+#        format(
+#          "stackit curl -X POST https://run-command.api.eu01.stackit.cloud/v1/projects/%s/servers/%s/commands --data ${jsonencode(self.triggers.body)}",
+#          data.stackit_resourcemanager_project.this.project_id,
+#          stackit_server.agent_test.server_id
+#        )
+#      ,
+#      "stackit auth logout"
+#    ])
+#  }
+#}

prod-stackit/terraform/50_projects/opsstack-agent-test-server/providers.tf

@@ -0,0 +1,21 @@
+provider "stackit" {
+
+  # Region will be used as the default location for regional services.
+  # Not all services require a region, some are global
+  region = "eu01"
+
+  # NOTE: There are no environment variables available for the parameters stackit_service_account_key and private_key.
+  # Alternatively, we use TF_VAR_stackit_service_account_key and TF_VAR_stackit_service_account_private_key.
+
+  # Service account key used for authentication
+  service_account_key = var.stackit_service_account_key
+
+  # Private RSA key used for authentication, relevant for the key flow.
+  # It takes precedence over the private key that is included in the service account key.
+  private_key = var.stackit_service_account_private_key
+
+  # Enable beta resources.
+  enable_beta_resources = true
+}
+
+# These variables are mandatory and used on the provider configuration above.

prod-stackit/terraform/50_projects/opsstack-agent-test-server/terraform.tf

@@ -0,0 +1,30 @@
+terraform {
+  required_providers {
+    stackit = {
+      source  = "stackitcloud/stackit"
+      version = "~> 0.43"
+    }
+  }
+
+  # Terraform Remote State Backend Configuration
+  # https://developer.hashicorp.com/terraform/language/backend/s3#configuration
+  backend "s3" {
+    bucket = "launchpad"
+    region = "eu01"
+    key    = "prod-stackit/terraform/50_project/opsstack-agent-test/terraform.tfstate"
+
+    endpoints = {
+      s3 = "https://object.storage.eu01.onstackit.cloud"
+    }
+
+    # AWS specific checks must be skipped as they do not work on STACKIT
+    skip_credentials_validation = true
+    skip_region_validation      = true
+    skip_requesting_account_id  = true
+    skip_s3_checksum            = true
+
+    # Credentials supplied by environment variables
+    # access_key = null # AWS_ACCESS_KEY_ID
+    # secret_key = null # AWS_SECRET_ACCESS_KEY
+  }
+}

prod-stackit/terraform/50_projects/opsstack-agent-test-server/variables.tf

@@ -0,0 +1,27 @@
+variable "stackit_service_account_key" {
+  type      = string
+  sensitive = true
+}
+
+variable "stackit_service_account_private_key" {
+  type      = string
+  default   = null
+  sensitive = true
+}
+
+variable "agent_login" {
+  type = string
+  sensitive = true
+  description = "Username and Password for the Agent User as hash "
+}
+
+variable "deepview_url" {
+  type = string
+  description = "Public URL of the Opsstack Deployment"
+}
+
+variable "agent_version" {
+  type = string
+  default = "latest"
+}
+