diff --git a/README.md b/README.md index 1f68c4bd..14366dda 100644 --- a/README.md +++ b/README.md @@ -338,7 +338,7 @@ If you would like to contribute, you can add other cloud deployments like Chef o You can find an [Ansible](https://www.ansible.com/) based T-Pot deployment in the [`cloud/ansible`](cloud/ansible) folder. The Playbook in the [`cloud/ansible/openstack`](cloud/ansible/openstack) folder is reusable for all OpenStack clouds out of the box. -It first creates a new server and then installs and configures T-Pot. +It first creates all resources (security group, network, subnet, router), deploys a new server and then installs and configures T-Pot. You can have a look at the Playbook and easily adapt the deploy role for other [cloud providers](https://docs.ansible.com/ansible/latest/modules/list_of_cloud_modules.html). diff --git a/cloud/ansible/README.md b/cloud/ansible/README.md index 714311b6..359e5bf7 100644 --- a/cloud/ansible/README.md +++ b/cloud/ansible/README.md @@ -4,7 +4,7 @@ Here you can find a ready-to-use solution for your automated T-Pot deployment us It consists of an Ansible Playbook with multiple roles, which is reusable for all [OpenStack](https://www.openstack.org/) based clouds (e.g. Open Telekom Cloud, Orange Cloud, Telefonica Open Cloud, OVH) out of the box. Apart from that you can easily adapt the deploy role to use other [cloud providers](https://docs.ansible.com/ansible/latest/modules/list_of_cloud_modules.html) (e.g. AWS, Azure, Digital Ocean, Google). -The Playbook first creates a new server and then installs and configures T-Pot. +The Playbook first creates all resources (security group, network, subnet, router), deploys a new server and then installs and configures T-Pot. This example showcases the deployment on our own OpenStack based Public Cloud Offering [Open Telekom Cloud](https://open-telekom-cloud.com/en). 
@@ -16,7 +16,6 @@ This example showcases the deployment on our own OpenStack based Public Cloud Of - [Create new project](#project) - [Create API user](#api-user) - [Import Key Pair](#key-pair) - - [Create VPC, Subnet and Security Group](#vpc-subnet-securitygroup) - [Clone Git Repository](#clone-git) - [Settings and recommended values](#settings) - [OpenStack authentication variables](#os-auth) @@ -69,8 +68,8 @@ Agent Forwarding must be enabled in order to let Ansible do its work. # Preparations in Open Telekom Cloud Console -(You can skip this if you have already set up an API account, VPC, Subnet and Security Group) -(Just make sure you know the naming for everything, as you will need it to configure the Ansible variables.) +(You can skip this if you have already set up a project and an API account with key pair) +(Just make sure you know the naming for everything, as you need to configure the Ansible variables.) Before we can start deploying, we have to prepare the Open Telekom Cloud tenant. For that, go to the [Web Console](https://auth.otc.t-systems.com/authui/login) and log in with an admin user. @@ -95,22 +94,10 @@ This ensures that the API access is limited to that project. ![Login as API user](doc/otc_3_login.gif) - Import your SSH public key. ![Import SSH Public Key](doc/otc_4_import_key.gif) - -## Create VPC, Subnet and Security Group -- VPC (Virtual Private Cloud) and Subnet: - -![Create VPC and Subnet](doc/otc_5_vpc_subnet.gif) - -- Security Group: -The configured Security Group should allow all incoming TCP / UDP traffic. -If you want to secure the management interfaces, you can limit the incoming "allow all" traffic to the port range of 1-64000 and allow access to ports > 64000 only from your trusted IPs. - -![Create Security Group](doc/otc_6_sec_group.gif) # Clone Git Repository 
@@ -149,12 +136,10 @@ Here you can customize your virtual machine specifications: - Choose an availability zone. For Open Telekom Cloud reference see [here](https://docs.otc.t-systems.com/en-us/endpoint/index.html). - Change the OS image (For T-Pot we need Debian 9) - (Optional) Change the volume size - - Specify your key pair + - Specify your key pair (:warning: Mandatory) - (Optional) Change the instance type (flavor) `s2.medium.8` corresponds to 1 vCPU and 8GB of RAM and is the minimum required flavor. A full list of Open telekom Cloud flavors can be found [here](https://docs.otc.t-systems.com/en-us/usermanual/ecs/en-us_topic_0035470096.html). - - Specify the security group - - Specify the network ID (For Open Telekom Cloud you can find the ID in the Web Console under `Virtual Private Cloud --> your-vpc --> your-subnet --> Network ID`; In general for OpenStack clouds you can use the `python-openstackclient` to retrieve information about your resources) ``` region_name: eu-de @@ -163,8 +148,6 @@ image: Standard_Debian_9_latest volume_size: 128 key_name: your-KeyPair flavor: s2.medium.8 -security_groups: your-sg -network: your-network-id ``` diff --git a/cloud/ansible/doc/otc_5_vpc_subnet.gif b/cloud/ansible/doc/otc_5_vpc_subnet.gif deleted file mode 100644 index 61657002..00000000 Binary files a/cloud/ansible/doc/otc_5_vpc_subnet.gif and /dev/null differ diff --git a/cloud/ansible/doc/otc_6_sec_group.gif b/cloud/ansible/doc/otc_6_sec_group.gif deleted file mode 100644 index 272f7755..00000000 Binary files a/cloud/ansible/doc/otc_6_sec_group.gif and /dev/null differ diff --git a/cloud/ansible/openstack/roles/deploy/tasks/main.yaml b/cloud/ansible/openstack/roles/deploy/tasks/main.yaml index 78f26742..5a0ec914 100644 --- a/cloud/ansible/openstack/roles/deploy/tasks/main.yaml +++ b/cloud/ansible/openstack/roles/deploy/tasks/main.yaml 
@@ -6,6 +6,65 @@ include_vars: file: roles/deploy/vars/os_auth.yaml +- name: Create security group + os_security_group: + auth: + auth_url: "{{ auth_url }}" + username: "{{ username }}" + password: "{{ password }}" + project_name: "{{ project_name }}" + os_user_domain_name: "{{ os_user_domain_name }}" + name: sg-tpot-any + description: tpot any-any + +- name: Add rules to security group + os_security_group_rule: + auth: + auth_url: "{{ auth_url }}" + username: "{{ username }}" + password: "{{ password }}" + project_name: "{{ project_name }}" + os_user_domain_name: "{{ os_user_domain_name }}" + security_group: sg-tpot-any + remote_ip_prefix: 0.0.0.0/0 + +- name: Create network + os_network: + auth: + auth_url: "{{ auth_url }}" + username: "{{ username }}" + password: "{{ password }}" + project_name: "{{ project_name }}" + os_user_domain_name: "{{ os_user_domain_name }}" + name: network-tpot + +- name: Create subnet + os_subnet: + auth: + auth_url: "{{ auth_url }}" + username: "{{ username }}" + password: "{{ password }}" + project_name: "{{ project_name }}" + os_user_domain_name: "{{ os_user_domain_name }}" + network_name: network-tpot + name: subnet-tpot + cidr: 192.168.0.0/24 + dns_nameservers: + - 1.1.1.1 + - 8.8.8.8 + +- name: Create router + os_router: + auth: + auth_url: "{{ auth_url }}" + username: "{{ username }}" + password: "{{ password }}" + project_name: "{{ project_name }}" + os_user_domain_name: "{{ os_user_domain_name }}" + name: router-tpot + interfaces: + - subnet-tpot + - name: Launch an instance os_server: auth: @@ -23,8 +82,8 @@ key_name: "{{ key_name }}" timeout: 200 flavor: "{{ flavor }}" - security_groups: "{{ security_groups }}" - network: "{{ network }}" + security_groups: sg-tpot-any + network: network-tpot register: tpot - name: Add instance to inventory diff --git a/cloud/ansible/openstack/roles/deploy/vars/main.yaml b/cloud/ansible/openstack/roles/deploy/vars/main.yaml index c0697442..ed881677 100644 
--- a/cloud/ansible/openstack/roles/deploy/vars/main.yaml +++ b/cloud/ansible/openstack/roles/deploy/vars/main.yaml @@ -4,5 +4,3 @@ image: Standard_Debian_9_latest volume_size: 128 key_name: your-KeyPair flavor: s2.medium.8 -security_groups: your-sg -network: your-network-id
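Review bot: in the cloud/ansible/README.md hunk `@@ -95,22 +94,10 @@`, deleting the "Create VPC, Subnet and Security Group" section also drops the only hardening advice on this page (limit the "allow all" rule to ports 1-64000 and open ports > 64000 only to trusted IPs) without replacing it, while the deploy role in the same patch creates `sg-tpot-any` with an unrestricted ingress rule. Suggest a short replacement paragraph under "Preparations" or "Settings" stating what the role now creates by itself (security group `sg-tpot-any` allowing everything from `0.0.0.0/0`, network `network-tpot`, subnet `subnet-tpot` with `192.168.0.0/24` and public resolvers `1.1.1.1`/`8.8.8.8`, router `router-tpot`) and that the T-Pot management ports are therefore reachable from the whole internet unless the rule is narrowed after deployment.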
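Review bot: in the roles/deploy/tasks/main.yaml hunk `@@ -6,6 +6,65 @@`, the "Add rules to security group" task sets only `remote_ip_prefix: 0.0.0.0/0` with no `protocol`, `port_range_min`/`port_range_max` or `direction`, so it creates an any-protocol, any-port ingress rule from everywhere; that is what the honeypot sensors want, but it also exposes the management interfaces (ports > 64000 according to the README text this patch removes) to the internet. Suggest two rules: one for the sensor range from `0.0.0.0/0` (`protocol: tcp`, `port_range_min: 1`, `port_range_max: 64000`, and the same for `udp`) and one for the remaining range restricted to a `trusted_ip_prefix` variable in roles/deploy/vars/main.yaml. Second, "Create router" lists `interfaces: - subnet-tpot` but no `network:` (external gateway); on a generic OpenStack cloud that leaves the router without a route to the outside, so the instance has no outbound connectivity for the T-Pot installation and no floating IP can be associated. Since the README claims the playbook works on all OpenStack clouds out of the box, add a `network: "{{ external_network }}"` variable, and state explicitly if it is optional on Open Telekom Cloud. Third, `sg-tpot-any`, `network-tpot`, `subnet-tpot`, `router-tpot` and the CIDR `192.168.0.0/24` are literals; moving them to roles/deploy/vars/main.yaml next to `key_name` and `flavor` lets two deployments in one project coexist and lets a user pick a non-overlapping CIDR. Finally, the identical `auth:` block is repeated in all five new tasks; defining it once as a dict in roles/deploy/vars/os_auth.yaml and using `auth: "{{ os_auth }}"` removes the duplication.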
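Review bot: in the roles/deploy/vars/main.yaml hunk `@@ -4,5 +4,3 @@`, removing `security_groups` and `network`, together with the `os_server` change in `@@ -23,8 +82,8 @@` to the literals `security_groups: sg-tpot-any` and `network: network-tpot`, takes away the only way to deploy into an existing network or security group, which the previous README explicitly supported ("You can skip this if you have already set up an API account, VPC, Subnet and Security Group"). Suggest keeping both variables with the new resources as defaults (`security_groups: sg-tpot-any`, `network: network-tpot`), leaving the task at `"{{ security_groups }}"` / `"{{ network }}"`, and guarding the create tasks with a flag (e.g. `when: create_network | bool`) so users who already have these resources can reuse them.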