{"id":6129,"date":"2020-03-05T19:36:31","date_gmt":"2020-03-06T00:36:31","guid":{"rendered":"\/db-blog\/?p=6129"},"modified":"2020-03-12T01:39:06","modified_gmt":"2020-03-12T05:39:06","slug":"aws-terraform-ansible-openshift-provision-an-ec2-instance-and-further-configure-it-using-infrastructure-as-code","status":"publish","type":"post","link":"https:\/\/droidbasement.com\/db-blog\/aws-terraform-ansible-openshift-provision-an-ec2-instance-and-further-configure-it-using-infrastructure-as-code\/","title":{"rendered":"AWS\/Terraform\/Ansible\/OpenShift \u2013 Provision an EC2 instance and further configure it using Infrastructure as Code"},"content":{"rendered":"\n

Note: This is a duplicate of the AWS Lightsail<\/a> article, modified for EC2 with some additional amendments.<\/em><\/p>\n\n\n\n

In this article we will Provision an EC2 host with docker\/docker-compose on it using Terraform and install\/initialize OpenShift Origin on it using Ansible.<\/p>\n\n\n\n

OpenShift<\/a> is Red Hat’s containerization platform which utilizes Kubernetes. Origin<\/a> (what we will be working with here) is the opensource implementation of it.<\/p>\n\n\n\n

We will use ‘myweb’ as an example in this article, using the same base path of ‘dev’ that was previously created<\/a>, the container-admin group<\/a> and using ~\/.local\/bin for the binaries.<\/p>\n\n\n\n

Please ensure you have gone through the previous Terraform<\/a>, Ansible<\/a> and related preceding articles.<\/p>\n\n\n\n

Please use ‘<\/a>AWS Free Tier<\/a>‘<\/a> prior to commencing with this article. <\/p>\n\n\n\n

<\/p>\n\n\n\n

–>
Go in to the dev directory\/link located within your home directory:<\/p>\n\n\n\n

$ cd ~\/dev<\/pre>\n\n\n\n
Update PIP:<\/p>\n\n\n\n
$ python3 -m pip install --upgrade --user pip<\/pre>\n\n\n\n
If there was an update, then forget remembered location references in the shell environment:<\/p>\n\n\n\n
$ hash -r pip <\/pre>\n\n\n\n
Upgrade the AWS CLI on your host:<\/p>\n\n\n\n
$ pip3 install awscli --upgrade --user && chmod 754 ~\/.local\/bin\/aws<\/pre>\n\n\n\n
Install\/Upgrade Ansible:<\/p>\n\n\n\n
$ pip3 install ansible --upgrade --user && chmod 754 ~\/.local\/bin\/ansible ~\/.local\/bin\/ansible-playbook<\/pre>\n\n\n\n
Install\/Upgrade Boto3:<\/p>\n\n\n\n
$ pip3 install boto3 --upgrade --user<\/pre>\n\n\n\n
Grab the latest version of Terraform:<\/p>\n\n\n\n
$ wget https:\/\/releases.hashicorp.com\/terraform\/0.12.23\/terraform_0.12.23_linux_amd64.zip<\/pre>\n\n\n\n
Unzip it to ~\/.local\/bin and set permissions accordingly on it (type y and hit enter to replace if upgrading, at the prompt):<\/p>\n\n\n\n
$ unzip terraform_0.12.23_linux_amd64.zip -d ~\/.local\/bin && chmod 754 ~\/.local\/bin\/terraform<\/pre>\n\n\n\n
Change to the myweb directory inside terraform\/aws:<\/p>\n\n\n\n
$ cd terraform\/aws\/myweb<\/pre>\n\n\n\n
Change our instance from a micro to a medium, so it will have sufficient resources to run OpenShift Origin and related:<\/p>\n\n\n\n
$ sed -i s:t3a.micro:t3a.medium: ec2.tf<\/pre>\n\n\n\n
Output the Public IP of the Provisioned host (along with connection parameters and variables) in to a file which we will feed in to an Ansible playbook run.<\/p>\n\n\n\n
Note: Please re-create the file if you have went through the previous Terraform articles:<\/p>\n\n\n\n
$ cat << 'EOF' > output.tf\n> output \"static_public_ip\" {\n>   value = var.lightsail ? element(aws_lightsail_static_ip.myweb[*].ip_address, 0) : element(aws_eip.external[*].public_ip, 0)\n> }\n>\n> resource \"local_file\" \"hosts\" {\n>   content              = trimspace(\"[vps]\\n${var.lightsail ? element(aws_lightsail_static_ip.myweb[*].ip_address, 0) : element(aws_eip.external[*].public_ip, 0)} ansible_connection=ssh ansible_user=ubuntu ansible_ssh_private_key_file=~\/.ssh\/${var.prefix} instance=${var.lightsail ? element(aws_lightsail_instance.myweb[*].name, 0) : element(aws_instance.myweb[*].tags[\"Name\"], 0)} ${var.lightsail ? \"\" : \"instance_sg=${element(aws_security_group.myweb[*].name, 0)}\"} ${var.lightsail ? \"\" : \"instance_sg_id=${element(aws_security_group.myweb[*].id, 0)}\"} ${var.lightsail ? \"\" : \"instance_vpc_id=${element(aws_vpc.myweb[*].id, 0)}\"}\")\n>   filename             = pathexpand(\"~\/dev\/ansible\/hosts-aws\")\n>   directory_permission = 0754\n>   file_permission      = 0664\n> }\n> EOF<\/pre>\n\n\n\n
Amend an item from the user_data script (if you have went through the AWS\/Terraform\/Ansible\/OpenShift against Lightsail article then this can be disregarded):<\/p>\n\n\n\n
$ sed -i 's:sudo apt-key add -:apt-key add -:' scripts\/install.sh<\/pre>\n\n\n\n
Initialize the directory\/refresh module(s):<\/p>\n\n\n\n
$ terraform init<\/pre>\n\n\n
Run a dry-run to see what will occur:<\/p>\n\n\n
$ terraform plan -var 'lightsail=false'<\/pre>\n\n\n\n
Provision:<\/p>\n\n\n\n
$ terraform apply -var 'lightsail=false' -auto-approve<\/pre>\n\n\n\n
Create a work folder for an Ansible playbook:<\/p>\n\n\n\n
$ cd ..\/..\/..\/ansible\n$ mkdir -p openshift\/scripts && cd openshift<\/pre>\n\n\n\n
Create an Ansible playbook which will install\/initialize OpenShift Origin on our provisioned host.<\/p>\n\n\n\n
Note: This accommodates our previous implementation against AWS Lightsail and Microsoft Azure VM:<\/p>\n\n\n\n
$ cat << 'EOF' > openshift.yml \n> # Install, initialize OpenShift Origin and create a destroy routine for it\n> # This is a unified setup against AWS Lightsail, Microsoft Azure VM and AWS EC2\n> ---\n> - hosts: vps\n>   connection: local\n>\n>   vars:\n>     network_security_group: \"{{ hostvars[groups['vps'][0]].instance_nsg }}\"\n>     instance: \"{{ hostvars[groups['vps'][0]].instance }}\"\n>     resource_group: \"{{ hostvars[groups['vps'][0]].instance_rg }}\"\n>     security_group: \"{{ hostvars[groups['vps'][0]].instance_sg }}\"\n>     security_group_id: \"{{ hostvars[groups['vps'][0]].instance_sg_id }}\"\n>     virtual_private_cloud_id: \"{{ hostvars[groups['vps'][0]].instance_vpc_id }}\"\n>     openshift_directory: \/home\/ubuntu\/.local\/etc\/openshift\n>     ansible_python_interpreter: \/usr\/bin\/python3\n>\n>   tasks:\n>     - name: Discover Services\n>       service_facts:\n>\n>     - name: Check if openshift directory exists\n>       stat:\n>         path: \"{{ openshift_directory }}\"\n>       register: openshift_dir\n>       tags: [ 'destroy' ]\n>\n>     - name: Open Firewall Ports (AWS Lightsail)\n>       delegate_to: localhost\n>       args:\n>         executable: \/bin\/bash\n>       script: \".\/scripts\/firewall.sh open {{ instance }}\"\n>       when:\n>         - \"'instance_nsg' not in hostvars[groups['vps'][0]]\"\n>         - \"'instance_sg' not in hostvars[groups['vps'][0]]\"\n>         - \"'docker' in services\"\n>         - openshift_dir.stat.exists == False\n>\n>     - name: Add Network Security Group rules (Microsoft Azure VM)\n>       delegate_to: localhost\n>       azure_rm_securitygroup:\n>         name: \"{{ network_security_group }}\"\n>         resource_group: \"{{ resource_group }}\"\n>         rules:\n>          - name: OpenShift-Tcp\n>            priority: 1002\n>            direction: Inbound\n>            access: Allow\n>            protocol: Tcp\n>            source_port_range: \"*\"\n>            destination_port_range:\n>              - 80\n>              - 443\n>              - 1936\n>              - 4001\n>              - 7001\n>              - 8443\n>              - 10250-10259\n>            source_address_prefix: \"*\"\n>            destination_address_prefix: \"*\"\n>          - name: OpenShift-Udp\n>            priority: 1003\n>            direction: Inbound\n>            access: Allow\n>            protocol: Udp\n>            source_port_range: \"*\"\n>            destination_port_range:\n>              - 53\n>              - 8053\n>            source_address_prefix: \"*\"<\/em>\n>            destination_address_prefix: \"*\"\n>        state: present\n>      when:\n>        - \"'instance_nsg' in hostvars[groups['vps'][0]]\"\n>        - \"'instance_sg' not in hostvars[groups['vps'][0]]\"\n>        - \"'docker' in services\"\n>        - openshift_dir.stat.exists == False\n>\n>    - name: Add Security Group rules (AWS EC2)\n>      delegate_to: localhost\n>      ec2_group:\n>        name: \"{{ security_group }}\"\n>        description: OpenShift\n>        vpc_id: \"{{ virtual_private_cloud_id }}\"\n>        purge_rules: no\n>        rules:\n>         - proto: tcp\n>           ports:\n>             - 80\n>             - 443\n>             - 1936\n>             - 4001\n>             - 7001\n>             - 8443\n>             - 10250-10259\n>           cidr_ip: 0.0.0.0\/0\n>           rule_desc: OpenShift-Tcp\n>         - proto: udp\n>           ports:\n>             - 53\n>             - 8053\n>           cidr_ip: 0.0.0.0\/0\n>           rule_desc: OpenShift-Udp\n>       state: present\n>     when:\n>       - \"'instance_nsg' not in hostvars[groups['vps'][0]]\"\n>       - \"'instance_sg' in hostvars[groups['vps'][0]]\"\n>       - \"'docker' in services\"\n>       - openshift_dir.stat.exists == False\n>\n>   - name: Copy and Run install\n>     environment:\n>       PATH: \"{{ ansible_env.PATH}}:{{ openshift_directory }}\/..\/..\/bin\"\n>     args:\n>       executable: \/bin\/bash\n>     script: \".\/scripts\/install.sh {{ ansible_ssh_host }}\"\n>     when:\n>       - \"'docker' in services\"\n>       - openshift_dir.stat.exists == False\n>\n>   - debug: msg=\"Please install docker to proceed.\"\n>     when: \"'docker' not in services\"\n>\n>   - debug: msg=\"Install script has already been completed.  Run this playbook with the destroy tag, then run once again normally to re-intialize openshift.\"\n>     when: openshift_dir.stat.exists == True\n>\n>   - name: Destroy\n>     become: yes\n>     environment:\n>       PATH: \"{{ ansible_env.PATH }}:{{ openshift_directory }}\/..\/..\/bin\"\n>     args:\n>       executable: \/bin\/bash\n>     shell:\n>       \"cd {{ openshift_directory }} && oc cluster down && cd ..\/ && rm -rf {{ openshift_directory }}\/..\/..\/..\/.kube {{ openshift_directory }}\"\n>     when: openshift_dir.stat.exists == True\n>     tags: [ 'never', 'destroy' ]\n>\n>   - name: Close Firewall Ports (AWS Lightsail)\n>     delegate_to: localhost\n>     args:\n>       executable: \/bin\/bash\n>     script: \".\/scripts\/firewall.sh close {{ instance }}\"\n>     when:\n>       - \"'instance_nsg' not in hostvars[groups['vps'][0]]\"\n>       - \"'instance_sg' not in hostvars[groups['vps'][0]]\"\n>     tags: [ 'never', 'destroy' ]\n>\n>   - name: Delete Network Security Group rules (Microsoft Azure VM)\n>     delegate_to: localhost\n>     command:\n>       bash -ic \"az-login-sp && (az network nsg rule delete -g {{ resource_group }} --nsg-name {{ network_security_group }} -n {{ item }})\"\n>     with_items:\n>       - OpenShift-Tcp\n>       - OpenShift-Udp\n>     when:\n>       - \"'instance_nsg' in hostvars[groups['vps'][0]]\"\n>       - \"'instance_sg' not in hostvars[groups['vps'][0]]\"\n>     tags: [ 'never', 'destroy' ]\n>\n>   - name: Delete Security Group rules (AWS EC2)\n>     delegate_to: localhost\n>     command:\n>       bash -c \"[[ {{ item }} -eq 53 || {{ item }} -eq 8053 ]] && protocol=udp || protocol=tcp && aws ec2 revoke-security-group-ingress --group-id {{ security_group_id }} --port {{ item }} --protocol $protocol --cidr 0.0.0.0\/0\"\n>     with_items:\n>       - 80\n>       - 443\n>       - 1936\n>       - 4001\n>       - 7001\n>       - 8443\n>       - 10250-10259\n>       - 53\n>       - 8053\n>     when:\n>       - \"'instance_nsg' not in hostvars[groups['vps'][0]]\"\n>       - \"'instance_sg' in hostvars[groups['vps'][0]]\"\n>     tags: [ 'never', 'destroy' ]\n> EOF<\/pre>\n\n\n\n
Create a shell script which will pull the latest release of client tools from GitHub, place the needed binaries in ~\/.local\/bin, set insecure registry on Docker and initialize (if you have went through the AWS\/Terraform\/Ansible\/OpenShift against Lightsail article then this can be disregarded):<\/p>\n\n\n\n
$ cat << 'EOF' > scripts\/install.sh\n> #!\/bin\/bash\n> [[ -z $* ]] && { echo \"Please specify a Public IP or Host\/Domain name.\" && exit 1; }\n> # Fetch and Install\n> file_url=\"$(curl -sL https:\/\/github.com\/openshift\/origin\/releases\/latest | grep \"download.*client.*linux-64\" | cut -f2 -d\\\" | sed 's\/^\/https:\\\/\\\/github.com\/')\"\n> [[ -z $file_url ]] && { echo \"The URL could not be obtained.  Please try again shortly.\" && exit 1; }\n> file_name=\"$(echo $file_url | cut -f9 -d\/)\"\n> if [[ ! -f $file_name ]]; then\n>         curl -sL $file_url --output $file_name\n>         folder_name=\"$(tar ztf $file_name 2>\/dev\/null | head -1 | sed s:\/.*::)\"\n>         [[ -z $folder_name ]] && { echo \"The archive could not be read.  Please try again.\" && rm -f $file_name && exit 1; }\n>         tar zxf $file_name\n>         mv $folder_name\/oc $folder_name\/kubectl $HOME\/.local\/bin && rm -r $folder_name\n>         chmod 754 $HOME\/.local\/bin\/oc $HOME\/.local\/bin\/kubectl\n> fi\n> # Docker insecure\n> [[ $(grep insecure \/etc\/docker\/daemon.json &>\/dev\/null; echo $?) -eq 2 ]] && redirect=\">\"\n> [[ $(grep insecure \/etc\/docker\/daemon.json &>\/dev\/null; echo $?) -eq 1 ]] && redirect=\">>\"\n> [[ $(grep insecure \/etc\/docker\/daemon.json &>\/dev\/null; echo $?) -eq 0 ]] || { sudo bash -c \"cat << 'EOF' $redirect \/etc\/docker\/daemon.json\n> {\n>         \\\"insecure-registries\\\" : [ \\\"172.30.0.0\/16\\\" ]\n> }\n> EOF\" && sudo systemctl restart docker; }\n> # OpenShift Origin up\n> [[ ! -d $HOME\/.local\/etc\/openshift ]] && { mkdir -p $HOME\/.local\/etc\/openshift && cd $HOME\/.local\/etc\/openshift; } || { cd $HOME\/.local\/etc\/openshift && oc cluster down; }\n> oc cluster up --public-hostname=$1\n>\n> exit 0\n> EOF <\/pre>\n\n\n\n
<\/p>\n\n\n\n
Note:  If you have already went through the AWS\/Terraform\/Ansible\/OpenShift for Lightsail article or you don’t want to use Lightsail, then this can be disregarded.<\/p>\n\n\n\n
The Lightsail firewall functionality is currently being implemented in Terraform and is not available in Ansible.  In the interim, we will create a shell script to open and close ports needed by OpenShift Origin (using the AWS CLI).  This script will be run locally via the Playbook during the create and destroy routines.<\/p>\n\n\n\n
Note2:  Port 80 is already open when the Lightsail host is provisioned: <\/p>\n\n\n\n
$ cat << 'EOF' > scripts\/firewall.sh && chmod 754 scripts\/firewall.sh\n> #!\/bin\/bash\n> #\n> openshift_ports=\"53\/UDP 443\/TCP 1936\/TCP 4001\/TCP 7001\/TCP 8053\/UDP 8443\/TCP 10250_10259\/TCP\"  \n> #\n> [[ -z $* || $(echo $* | xargs -n1 | wc -l) -ne 2 || ! ($* =~ $(echo '\\<open\\>') || $* =~ $(echo '\\<close\\>')) ]] && { echo \"Please pass in the desired action [ open, close ] and instance [ site_myweb ].\" && exit 2; }\n> #\n> instance=\"$(echo $* | xargs -n1 | sed '\/\\<open\\>\/d; \/\\<close\\>\/d')\"\n> [[ -z $instance ]] && { echo \"Please double-check the passed in instance.\" && exit 1; }\n> action=\"$(echo $* | xargs -n1 | grep -v $instance)\"\n> #\n> for port in $openshift_ports; do\n>         aws lightsail $action-instance-public-ports --instance $instance --port-info fromPort=$(echo $port | cut -f1 -d_ | cut -f1  -d\/),protocol=$(echo $port | cut -f2 -d\/),toPort=$(echo $port | cut -f2 -d_ | cut -f1 -d\/)\n> done\n> #\n>\n> exit 0\n> EOF <\/pre>\n\n\n\n
Run the Ansible playbook after a few minutes (accept the host key by typing yes and hitting enter when prompted):<\/p>\n\n\n\n
$ ansible-playbook -i ..\/hosts-aws openshift.yml<\/pre>\n\n\n\n
Note: Disregard the warning regarding mismatch descriptions on the Security Group.  This will not be modified so the original description was not exported out to be used here.<\/p>\n\n\n\n
Note2: If a Terraform apply is run again after the security group modification (addition of rules for OpenShift), then those rules will be destroyed.  In that case, please run a Playbook destroy then run again to reinitialize.<\/p>\n\n\n\n
After a short while, log on to the instance:<\/p>\n\n\n\n
$ ssh -i ~\/.ssh\/myweb ubuntu@<The value of static_public_ip that was reported.  One can also use 'terraform output static_public_ip' to print it again.><\/pre>\n\n\n\n
To get an overview of the current project with any identified issues:<\/p>\n\n\n\n
$ oc status --suggest<\/pre>\n\n\n\n
Log on as Admin via CMD Line and switch to the default project:<\/p>\n\n\n\n
$ oc login -u system:admin -n default<\/pre>\n\n\n\n
Logout of the session:<\/p>\n\n\n\n
$ oc logout<\/pre>\n\n\n\n
Please see the Command-Line Walkthrough<\/a>.<\/p>\n\n\n\n
<\/p>\n\n\n\n
Logout from the host:<\/p>\n\n\n\n
$ logout<\/pre>\n\n\n\n
Log on as Admin via Web Browser (replace <PUBLIC_IP>):<\/p>\n\n\n\n
https:\/\/<PUBLIC_IP>:8443\/console (You will get a Certificate\/Site warning due to a mismatch).<\/pre>\n\n\n\n
Please see the Web Console Walkthrough<\/a>.<\/p>\n\n\n\n
<\/p>\n\n\n\n
To shut down the OpenShift Origin cluster, destroy the working folder and start anew (you can re-run the playbook normally to reinitialize):<\/p>\n\n\n\n
$ ansible-playbook -i ..\/hosts openshift.yml --tags \"destroy\"<\/pre>\n\n\n\n
<\/p>\n\n\n\n
Tear down what was created by first performing a dry-run to see what will occur:<\/p>\n\n\n\n
$ cd ..\/..\/terraform\/aws\/myweb && terraform plan -var 'lightsail=false' -destroy <\/pre>\n\n\n\n
Tear down the instance:<\/p>\n\n\n\n
$ terraform destroy -var 'lightsail=false' -auto-approve<\/pre>\n\n\n\n
<–<\/p>\n\n\n\n
<\/p>\n\n\n\n
References:
how-to-install-openshift-origin-on-ubuntu-18-04<\/a><\/p>\n\n\n\n
<\/p>\n\n\n\n
Source: 
ansible_openshift<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Note: This is a duplicate of the AWS Lightsail article, modified for EC2 with some additional amendments. In this article we will Provision an EC2 host with docker\/docker-compose on it using Terraform and install\/initialize OpenShift Origin on it using Ansible. OpenShift is Red Hat’s containerization platform which utilizes Kubernetes. Origin (what we will be working […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-6129","post","type-post","status-publish","format-standard","hentry","category-devops"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/droidbasement.com\/db-blog\/wp-json\/wp\/v2\/posts\/6129","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/droidbasement.com\/db-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/droidbasement.com\/db-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/droidbasement.com\/db-blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/droidbasement.com\/db-blog\/wp-json\/wp\/v2\/comments?post=6129"}],"version-history":[{"count":54,"href":"https:\/\/droidbasement.com\/db-blog\/wp-json\/wp\/v2\/posts\/6129\/revisions"}],"predecessor-version":[{"id":6242,"href":"https:\/\/droidbasement.com\/db-blog\/wp-json\/wp\/v2\/posts\/6129\/revisions\/6242"}],"wp:attachment":[{"href":"https:\/\/droidbasement.com\/db-blog\/wp-json\/wp\/v2\/media?parent=6129"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/droidbasement.com\/db-blog\/wp-json\/wp\/v2\/categories?post=6129"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/droidbasement.com\/db-blog\/wp-json\/wp\/v2\/tags?post=6129"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}