zolfa
/
tendermint
1
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 221 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
385 Commits
183 Branches
291 MiB
Tree: 1d10217df2
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '1d10217df2'
${ noResults }
tendermint/terraform-digitalocean/README.rst

111 lines
4.4 KiB
Raw Normal View History

docs: use README.rst to be pulled from tendermint
7 years ago
 
  1. Using Terraform

  2. ===============

  3. 

  4. This is a generic `Terraform <https://www.terraform.io/>`__

  5. configuration that sets up DigitalOcean droplets. See the

  6. `terraform-digitalocean <https://github.com/tendermint/tools/tree/master/terraform-digitalocean>`__

  7. for the required files.

  8. 

  9. Prerequisites

  10. -------------

  11. 

  12. -  Install `HashiCorp Terraform <https://www.terraform.io>`__ on a linux

  13.    machine.

  14. -  Create a `DigitalOcean API

  15.    token <https://cloud.digitalocean.com/settings/api/tokens>`__ with

  16.    read and write capability.

  17. -  Create a private/public key pair for SSH. This is needed to log onto

  18.    your droplets as well as by Ansible to connect for configuration

  19.    changes.

  20. -  Set up the public SSH key at the `DigitalOcean security

  21.    page <https://cloud.digitalocean.com/settings/security>`__.

  22.    `Here <https://www.digitalocean.com/community/tutorials/how-to-use-ssh-keys-with-digitalocean-droplets>`__'s

  23.    a tutorial.

  24. -  Find out your SSH key ID at DigitalOcean by querying the below

  25.    command on your linux box:

  26. 

  27. ::

  28. 

  29.     DO_API_TOKEN="<The API token received from DigitalOcean>"

  30.     curl -X GET -H "Content-Type: application/json" -H "Authorization: Bearer $DO_API_TOKEN" "https://api.digitalocean.com/v2/account/keys"

  31. 

  32. Initialization

  33. --------------

  34. 

  35. If this is your first time using terraform, you have to initialize it by

  36. running the below command. (Note: initialization can be run multiple

  37. times)

  38. 

  39. ::

  40. 

  41.     terraform init

  42. 

  43. After initialization it's good measure to create a new Terraform

  44. environment for the droplets so they are always managed together.

  45. 

  46. ::

  47. 

  48.     TESTNET_NAME="testnet-servers"

  49.     terraform env new "$TESTNET_NAME"

  50. 

  51. Note this ``terraform env`` command is only available in terraform

  52. ``v0.9`` and up.

  53. 

  54. Execution

  55. ---------

  56. 

  57. The below command will create 4 nodes in DigitalOcean. They will be

  58. named ``testnet-servers-node0`` to ``testnet-servers-node3`` and they

  59. will be tagged as ``testnet-servers``.

  60. 

  61. ::

  62. 

  63.     DO_API_TOKEN="<The API token received from DigitalOcean>"

  64.     SSH_IDS="[ \"<The SSH ID received from the curl call above.>\" ]"

  65.     terraform apply -var TESTNET_NAME="testnet-servers" -var servers=4 -var DO_API_TOKEN="$DO_API_TOKEN" -var ssh_keys="$SSH_IDS"

  66. 

  67. Note: ``ssh_keys`` is a list of strings. You can add multiple keys. For

  68. example: ``["1234567","9876543"]``.

  69. 

  70. Alternatively you can use the default settings. The number of default

  71. servers is 4 and the testnet name is ``tf-testnet1``. Variables can also

  72. be defined as environment variables instead of the command-line.

  73. Environment variables that start with ``TF_VAR_`` will be translated

  74. into the Terraform configuration. For example the number of servers can

  75. be overriden by setting the ``TF_VAR_servers`` variable.

  76. 

  77. ::

  78. 

  79.     TF_VAR_DO_API_TOKEN="<The API token received from DigitalOcean>"

  80.     TF_VAR_TESTNET_NAME="testnet-servers"

  81.     terraform-apply

  82. 

  83. Security

  84. --------

  85. 

  86. DigitalOcean uses the root user by default on its droplets. This is fine

  87. as long as SSH keys are used. However some people still would like to

  88. disable root and use an alternative user to connect to the droplets -

  89. then ``sudo`` from there. Terraform can do this but it requires SSH

  90. agent running on the machine where terraform is run, with one of the SSH

  91. keys of the droplets added to the agent. (This will be neede for ansible

  92. too, so it's worth setting it up here. Check out the

  93. `ansible <https://github.com/tendermint/tools/tree/master/ansible>`__

  94. page for more information.) After setting up the SSH key, run

  95. ``terraform apply`` with ``-var noroot=true`` to create your droplets.

  96. Terraform will create a user called ``ec2-user`` and move the SSH keys

  97. over, this way disabling SSH login for root. It also adds the

  98. ``ec2-user`` to the sudoers file, so after logging in as ec2-user you

  99. can ``sudo`` to ``root``.

  100. 

  101. DigitalOcean announced firewalls but the current version of Terraform

  102. (0.9.8 as of this writing) does not support it yet. Fortunately it is

  103. quite easy to set it up through the web interface (and not that bad

  104. through the `RESTful

  105. API <https://developers.digitalocean.com/documentation/v2/#firewalls>`__

  106. either). When adding droplets to a firewall rule, you can add tags. All

  107. droplets in a testnet are tagged with the testnet name so it's enough to

  108. define the testnet name in the firewall rule. It is not necessary to add

  109. the nodes one-by-one. Also, the firewall rule "remembers" the testnet

  110. name tag so if you change the servers but keep the name, the firewall

  111. rules will still apply.