cloudeteer · nrcdt · Apr 4, 2025 · Apr 3, 2025 · Apr 3, 2025 · Apr 4, 2025
diff --git a/.github/workflows/prod-stackit-terraform-50-opsstack-agent-test-server.yaml b/.github/workflows/prod-stackit-terraform-50-opsstack-agent-test-server.yaml
@@ -0,0 +1,35 @@
+name: prod-stackit-terraform-50-opsstack-agent-test-server
+
+on:
+  workflow_dispatch:
+    inputs:
+      terraform-force-unlock:
+        default: false
+        description: Terraform force unlock
+        required: false
+        type: boolean
+      terraform-force-unlock-id:
+        description: Terraform LOCK_ID
+        required: false
+        type: string
+  pull_request:
+    paths:
+      - prod-stackit/terraform/50_projects/opsstack-agent-test-server/**
+      - .github/workflows/prod-stackit-terraform-50-opsstack-agent-test-server.yaml
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  terraform:
+    name: Terraform
+    uses: cloudeteer/iac-deployment-framework/.github/workflows/terraform-deploy-stackit.yaml@wip/stackit
+    with:
+      directory: prod-stackit/terraform/50_projects/opsstack-agent-test-server
+      terraform-force-unlock-id: ${{ github.event_name == 'workflow_dispatch' && inputs.terraform-force-unlock == true && inputs.terraform-force-unlock-id }}
+      terraform-force-unlock: ${{ github.event_name == 'workflow_dispatch' && inputs.terraform-force-unlock == true && inputs.terraform-force-unlock }}
+    secrets:
+      stackit_service_account_key: ${{ secrets.CDT_LAUNCHPAD_STACKIT_SERVICE_ACCOUNT_KEY }}
+      backend_s3_secret_key: ${{ secrets.CDT_LAUNCHPAD_STACKIT_BACKEND_SECRET_ACCESS_KEY }}
+      backend_s3_access_key: ${{ secrets.CDT_LAUNCHPAD_STACKIT_BACKEND_ACCESS_KEY }}
diff --git a/...rraform/50_projects/opsstack-agent-test-server/assets/download_opsstack_agent_setup.tftpl b/...rraform/50_projects/opsstack-agent-test-server/assets/download_opsstack_agent_setup.tftpl
@@ -0,0 +1,16 @@
+#!/bin/bash -ex
+
+set -eo pipefail
+    retryCount=0
+    while ! curl -H "Authorization: Basic ${agent_login}" --fail --fail-early -sSL "https://${deepview_url}/opsstack-agent/install/linux-${agent_version}.sh" -o linux-${agent_version}.sh; do
+        retryCount=$((retryCount+1))
+
+        if [ "$${retryCount}" -eq 100 ]; then
+            echo "Request to $1 failed. Exiting" >&2
+            exit 1
+        fi
+        echo "Request to $1 failed. Retrying in $((retryCount*2)) seconds"  >&2
+        sleep $((retryCount*2));
+    done
+
+exec bash linux-${agent_version}.sh
diff --git a/...-stackit/terraform/50_projects/opsstack-agent-test-server/assets/install_stackit_agent.sh b/...-stackit/terraform/50_projects/opsstack-agent-test-server/assets/install_stackit_agent.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+#Download GPG public key
+curl https://stackit-server-agent.object.storage.eu01.onstackit.cloud/stackit-server-agent.gpg -o /tmp/stackit-server-agent.gpg
+
+# Install dependencies
+
+apt-get update && apt-get install gnupg -y
+
+# Import GPG Public key
+gpg --import /tmp/stackit-server-agent.gpg
+
+# Download STACKIT Server Agent
+curl https://stackit-server-agent.object.storage.eu01.onstackit.cloud/stackit-server-agent.deb -o /tmp/stackit-server-agent.deb
+
+# Download the package signature file
+curl https://stackit-server-agent.object.storage.eu01.onstackit.cloud/stackit-server-agent.deb.sig -o /tmp/stackit-server-agent.deb.sig
+
+if gpg --verify /tmp/stackit-server-agent.deb.sig /tmp/stackit-server-agent.deb
+then
+    echo "The STACKIT Server Agent is verified successfully"
+else
+    echo "The STACKIT Server Agent is not verified successfully"
+    rm -rf /tmp/stackit-server-agent.deb /tmp/stackit-server-agent.deb.sig /tmp/stackit-server-agent.gpg
+    exit 1
+fi
+
+dpkg -i /tmp/stackit-server-agent.deb
+rm -rf /tmp/stackit-server-agent.gpg /tmp/stackit-server-agent.deb.sig /tmp/stackit-server-agent.deb
diff --git a/prod-stackit/terraform/50_projects/opsstack-agent-test-server/data.tf b/prod-stackit/terraform/50_projects/opsstack-agent-test-server/data.tf
@@ -0,0 +1,4 @@
+data "stackit_resourcemanager_project" "this" {
+  project_id   = "7642de78-ce95-48b0-877f-a986d8f92c67"
+  container_id = "Observability"
+}
diff --git a/prod-stackit/terraform/50_projects/opsstack-agent-test-server/main.tf b/prod-stackit/terraform/50_projects/opsstack-agent-test-server/main.tf
@@ -0,0 +1,134 @@
+resource "stackit_server" "agent_test" {
+  project_id = data.stackit_resourcemanager_project.this.project_id
+  name       = "agent-test-vm"
+
+  boot_volume = {
+    size                  = 64
+    source_type           = "image"
+    delete_on_termination = true
+
+    # stackit curl https://iaas.api.eu01.stackit.cloud/v1beta1/projects/$PROJECT_ID/images |
+    #   jq '.items[] | select(.name=="Ubuntu 24.04 ARM64")'
+    #source_id = "882a8fdc-3bc9-403e-96e0-e1c92a8ed7a9" # Ubuntu 24.04 ARM64
+
+    # stackit curl https://iaas.api.eu01.stackit.cloud/v1beta1/projects/$PROJECT_ID/images |
+    #   jq '.items[] | select(.name=="Ubuntu 22.04")'
+    source_id = "117e8764-41c2-405f-aece-b53aa08b28cc" # Ubuntu 24.04
+  }
+
+  #machine_type = "g1r.1d" # ARM
+  # the stackit server agent isnt available for arm yet
+  machine_type = "g1.1" # X86
+
+  availability_zone = "eu01-1" # eu01-1, eu01-2, eu03-3, eu01-m (Metro Zone is not available for ARM machine types)
+  #keypair_name      = stackit_key_pair.agent_test.name
+  user_data         = data.cloudinit_config.agent_test.rendered
+}
+
+
+data "cloudinit_config" "agent_test" {
+  gzip          = false
+  base64_encode = false
+
+  part {
+    filename = "install-stackit-server-agent.sh"
+    content_type = "text/x-shellscript"
+    content = file("${path.module}/assets/install_stackit_agent.sh")
+  }
+
+  #part {
+  #  filename     = "download_opsstack_agent_setup.sh"
+  #  content_type = "text/x-shellscript"
+
+  #  content = templatefile("${path.module}/assets/download_opsstack_agent_setup.tftpl", {
+  #    deepview_url = var.deepview_url
+  #    agent_version = var.agent_version
+  #    agent_login = var.agent_login
+  #  })
+  #}
+
+}
+resource "stackit_network" "agent_test" {
+  project_id         = data.stackit_resourcemanager_project.this.project_id
+  name               = "opsstack-agent-test"
+  ipv4_nameservers   = ["1.1.1.1", "8.8.8.8", "9.9.9.9"]
+  ipv4_prefix_length = 24
+}
+
+resource "stackit_security_group" "agent_test" {
+  project_id = data.stackit_resourcemanager_project.this.project_id
+  name               = "opsstack-agent-test"
+  stateful   = true
+}
+
+resource "stackit_security_group_rule" "agent_test" {
+  project_id        = data.stackit_resourcemanager_project.this.project_id
+  security_group_id = stackit_security_group.agent_test.security_group_id
+  direction         = "ingress"
+  ether_type        = "IPv4"
+}
+
+resource "stackit_network_interface" "agent_test" {
+  name               = "nic"
+  project_id         = data.stackit_resourcemanager_project.this.project_id
+  network_id         = stackit_network.agent_test.network_id
+  security_group_ids = [stackit_security_group.agent_test.security_group_id]
+}
+
+resource "stackit_public_ip" "agent_test" {
+  project_id           = data.stackit_resourcemanager_project.this.project_id
+  network_interface_id = stackit_network_interface.agent_test.network_interface_id
+}
+
+resource "stackit_server_network_interface_attach" "agent_test" {
+  project_id           = data.stackit_resourcemanager_project.this.project_id
+  server_id            = stackit_server.agent_test.server_id
+  network_interface_id = stackit_network_interface.agent_test.network_interface_id
+}
+
+
+resource "null_resource" "run_agent_install_script" {
+  triggers = {
+    body = jsonencode({
+      commandTemplateName = "RunShellScript"
+      parameters = {
+        script    = <<-EOT
+#!/bin/bash
+
+set -eo pipefail
+    retryCount=0
+    while ! curl -H "Authorization: Basic ${var.agent_login}" --fail --fail-early -sSL "https://${var.deepview_url}/opsstack-agent/install/linux-${var.agent_version}.sh" -o linux-${var.agent_version}.sh; do
+        retryCount=$((retryCount+1))
+
+        if [ "$${retryCount}" -eq 100 ]; then
+            echo "Request to $1 failed. Exiting" >&2
+            exit 1
+        fi
+        echo "Request to $1 failed. Retrying in $((retryCount*2)) seconds"  >&2
+        sleep $((retryCount*2));
+    done
+
+exec bash linux-${var.agent_version}.sh
+        EOT
+      }
+    })
+  }
+
+  provisioner "local-exec" {
+    interpreter = ["bash", "-ec"]
+    # wait a minute for the server agent to be online
+    command = join("; ", [
+      "sleep 60s",
+      "printf '%s' \"$TF_VAR_stackit_service_account_key\" > ${path.cwd}/key.json",
+      "stackit auth activate-service-account --service-account-key-path ${path.cwd}/key.json",
+      "rm ${path.cwd}/key.json",
+        format(
+          "stackit curl -X POST https://run-command.api.eu01.stackit.cloud/v1/projects/%s/servers/%s/commands --data ${jsonencode(self.triggers.body)}",
+          data.stackit_resourcemanager_project.this.project_id,
+          stackit_server.agent_test.server_id
+        )
+      ,
+      "stackit auth logout"
+    ])
+  }
+}
diff --git a/prod-stackit/terraform/50_projects/opsstack-agent-test-server/providers.tf b/prod-stackit/terraform/50_projects/opsstack-agent-test-server/providers.tf
@@ -0,0 +1,21 @@
+provider "stackit" {
+
+  # Region will be used as the default location for regional services.
+  # Not all services require a region, some are global
+  region = "eu01"
+
+  # NOTE: There are no environment variables available for the parameters stackit_service_account_key and private_key.
+  # Alternatively, we use TF_VAR_stackit_service_account_key and TF_VAR_stackit_service_account_private_key.
+
+  # Service account key used for authentication
+  service_account_key = var.stackit_service_account_key
+
+  # Private RSA key used for authentication, relevant for the key flow.
+  # It takes precedence over the private key that is included in the service account key.
+  private_key = var.stackit_service_account_private_key
+
+  # Enable beta resources.
+  enable_beta_resources = true
+}
+
+# These variables are mandatory and used on the provider configuration above.
diff --git a/prod-stackit/terraform/50_projects/opsstack-agent-test-server/terraform.tf b/prod-stackit/terraform/50_projects/opsstack-agent-test-server/terraform.tf
@@ -0,0 +1,30 @@
+terraform {
+  required_providers {
+    stackit = {
+      source  = "stackitcloud/stackit"
+      version = "~> 0.43"
+    }
+  }
+
+  # Terraform Remote State Backend Configuration
+  # https://developer.hashicorp.com/terraform/language/backend/s3#configuration
+  backend "s3" {
+    bucket = "opsstackagentconfig"
+    region = "eu01"
+    key    = "prod-stackit/terraform/50_project/opsstack-agent-test/terraform.tfstate"
+
+    endpoints = {
+      s3 = "https://object.storage.eu01.onstackit.cloud"
+    }
+
+    # AWS specific checks must be skipped as they do not work on STACKIT
+    skip_credentials_validation = true
+    skip_region_validation      = true
+    skip_requesting_account_id  = true
+    skip_s3_checksum            = true
+
+    # Credentials supplied by environment variables
+    # access_key = null # AWS_ACCESS_KEY_ID
+    # secret_key = null # AWS_SECRET_ACCESS_KEY
+  }
+}
diff --git a/prod-stackit/terraform/50_projects/opsstack-agent-test-server/variables.tf b/prod-stackit/terraform/50_projects/opsstack-agent-test-server/variables.tf
@@ -0,0 +1,27 @@
+variable "stackit_service_account_key" {
+  type      = string
+  sensitive = true
+}
+
+variable "stackit_service_account_private_key" {
+  type      = string
+  default   = null
+  sensitive = true
+}
+
+variable "agent_login" {
+  type = string
+  sensitive = true
+  description = "Username and Password for the Agent User as hash "
+}
+
+variable "deepview_url" {
+  type = string
+  description = "Public URL of the Opsstack Deployment"
+}
+
+variable "agent_version" {
+  type = string
+  default = "latest"
+}
+