gitlab.com/gitlab-org/gitaly.git
author: Patrick Steinhardt <ps@pks.im>, 2020-08-10 12:03:02 +0300
committer: Patrick Steinhardt <psteinhardt@gitlab.com>, 2020-09-14 10:52:13 +0300
commit: 32b978e3dad2daf71e3cd26595c7b84a9104727e
tree: 63b0c542576d7b0d358008e44ea60c02db1ec3bb /_support/terraform
parent: 0930cec1601daf56eac43f291839849e5d1fc40a
terraform: Convert cluster creation to use Ansible
Right now, creation of the demo cluster is performed via a set of Ruby scripts. Let's convert them to use Ansible, too, so tasks become idempotent and we have less of a mixture between Ansible and custom Ruby logic.
Diffstat (limited to '_support/terraform')
-rw-r--r-- _support/terraform/.gitignore 5
-rw-r--r-- _support/terraform/README.md 5
-rwxr-xr-x _support/terraform/create-demo-cluster 97
-rw-r--r-- _support/terraform/create.yml 22
-rw-r--r-- _support/terraform/helper.rb 12
-rw-r--r-- _support/terraform/hosts.ini.erb 22
-rw-r--r-- _support/terraform/roles/deploy/tasks/main.yml 25
-rw-r--r-- _support/terraform/roles/deploy/templates/hosts.ini.j2 26
-rw-r--r-- _support/terraform/roles/deploy/templates/terraform.tfvars.j2 7
-rw-r--r-- _support/terraform/roles/praefect/templates/praefect-gitlab.rb.j2 2
-rw-r--r-- _support/terraform/terraform.tfvars.erb 7
-rw-r--r-- _support/terraform/terraform/main.tf (renamed from _support/terraform/main.tf) 0
12 files changed, 87 insertions, 143 deletions
diff --git a/_support/terraform/.gitignore b/_support/terraform/.gitignore
index 5102a820f..ac6ff6fd8 100644
--- a/_support/terraform/.gitignore
+++ b/_support/terraform/.gitignore
@@ -1,4 +1,3 @@
-/*.tfstate*
-/.terraform*
/hosts.ini
-/terraform.tfvars
+/terraform/*
+!/terraform/main.tf
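Review bot: Dropping `/*.tfstate*`, `/.terraform*` and `/terraform.tfvars` means that files left in `_support/terraform/` by an earlier run of the Ruby script are no longer ignored, and the old `terraform.tfvars` held the PostgreSQL and root passwords in plain text. Either keep the three old patterns for a transition period or tell users in the README to delete or move the old files before they pull this change, so a stray `git add` cannot pick them up. The new `/terraform/*` plus `!/terraform/main.tf` pair covers state and tfvars in the new location.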
diff --git a/_support/terraform/README.md b/_support/terraform/README.md
index 50b00455b..b6cdb2efd 100644
--- a/_support/terraform/README.md
+++ b/_support/terraform/README.md
@@ -21,9 +21,8 @@ page](https://www.terraform.io/downloads.html).
./create-demo-cluster
```
-This will open a browser to sign into GCP if necessary. Terraform will
-print a plan and ask you to confirm it before it creates anything in
-GCP.
+This will open a browser to sign into GCP if necessary. Ansible will then ask
+you a set of questions before it performs the deplyoment.
When the script is done, `apt-get install gitlab-ee` is still busy
running in the background on your new VM's.
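Review bot: The added paragraph removes the statement that Terraform prints a plan and asks for confirmation before creating anything, without saying what replaces it. If resources are now created as soon as the Ansible prompts are answered, the README should say so explicitly, since that is a behaviour change for anyone used to the old flow. Also, "deplyoment" on the second added line should read "deployment".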
diff --git a/_support/terraform/create-demo-cluster b/_support/terraform/create-demo-cluster
index a9aaa974c..0173ac095 100755
--- a/_support/terraform/create-demo-cluster
+++ b/_support/terraform/create-demo-cluster
@@ -1,95 +1,2 @@
-#!/usr/bin/env ruby
-# frozen_string_literal: true
-
-require 'erb'
-require 'etc'
-require 'io/console'
-require 'json'
-
-require_relative 'helper.rb'
-
-TFVARS = 'terraform.tfvars'
-HOSTS = 'hosts.ini'
-
-def main
- unless gcloud_appliction_default_logged_in?
- run!(%w[gcloud auth application-default login])
- end
-
- unless terraform_initialized?
- run!(%w[terraform init])
- end
-
- unless File.exist?(TFVARS)
- render!(TFVARS, 'terraform.tfvars.erb')
- end
-
- run!(%w[terraform apply])
-
- @tfstate = JSON.parse(File.read("terraform.tfstate"))
-
- unless File.exist?(HOSTS)
- render!(HOSTS, 'hosts.ini.erb')
- end
-end
-
-def praefect_demo_cluster_name
- default_name = "#{username}-#{Time.now.utc.strftime('%Y%m%d')}"
- get_input('Enter a name for your demo cluster', default_name)
-end
-
-def praefect_sql_password
- @praefect_sql_password ||= get_input(
- 'Enter a password for the praefect PostgreSQL user',
- 'PRAEFECT_SQL_PASSWORD',
- echo: false
- )
-end
-
-def gitlab_root_password
- get_input(
- 'Enter a password for the root GitLab user',
- 'GITLAB_ROOT_PASSWORD',
- echo: false
- )
-end
-
-def username
- Etc.getlogin
-end
-
-def ssh_pubkey
- default_path = File.join(Etc.getpwnam(username).dir, '.ssh/id_rsa.pub')
- pubkey_path = get_input('Enter the path to your SSH public key', default_path)
- pubkey = File.read(pubkey_path).chomp
-
- unless pubkey.start_with?('ssh-')
- # Protect against accidentally using the private key
- abort "contents of #{path} do not look like an SSH pubkey"
- end
-
- pubkey
-end
-
-def get_input(prompt, default, echo: true)
- puts "#{prompt} (default: #{default})."
- print "> "
-
- input = echo ? gets.chomp : STDIN.noecho(&:gets).chomp
-
- input.empty? ? default : input
-end
-
-def render!(file, template_path)
- IO.write(file, ERB.new(File.read(template_path)).result(binding))
-end
-
-def gcloud_appliction_default_logged_in?
- system(
- *%w[gcloud auth application-default print-access-token],
- out: '/dev/null',
- err: '/dev/null'
- )
-end
-
-main
+#!/bin/sh
+exec ansible-playbook -l localhost create.yml "$@"
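Review bot: The removed `ssh_pubkey` helper aborted when the file contents did not start with `ssh-`, as a guard against accidentally using the private key, and neither the two added lines nor the rest of this patch restore that guard. With the new flow the prompted path goes straight into `lookup('file', ssh_pubkey)` in `terraform.tfvars.j2`, so a mistyped path such as `~/.ssh/id_rsa` would be written to disk and handed to Terraform. Suggest an `assert` task in the deploy role, placed before the tfvars template is rendered, that fails unless the file content starts with `ssh-`.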
diff --git a/_support/terraform/create.yml b/_support/terraform/create.yml
new file mode 100644
index 000000000..f68feec95
--- /dev/null
+++ b/_support/terraform/create.yml
@@ -0,0 +1,22 @@
+- hosts: localhost
+ vars_prompt:
+ - name: praefect_demo_cluster_name
+ prompt: "Enter a name for your demo cluster"
+ default: "{{ lookup('env', 'USER') }}-{{ lookup('pipe', 'date +%Y-%m-%d') }}"
+ private: false
+ - name: praefect_sql_password
+ prompt: "Enter a password for the Praefect PostgreSQL user"
+ default: "PRAEFECT_SQL_PASSWORD"
+ - name: gitlab_root_password
+ prompt: "Enter a password for the root GitLab user"
+ default: "GITLAB_ROOT_PASSWORD"
+ - name: ssh_username
+ prompt: "Enter the user name you want to use to connect to remote hosts via SSH"
+ default: "{{ lookup('env', 'USER') }}"
+ private: false
+ - name: ssh_pubkey
+ prompt: "Enter the path to your SSH public key"
+ default: "{{ lookup('env', 'HOME') }}/.ssh/id_rsa.pub"
+ private: false
+ roles:
+ - deploy
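Review bot: `praefect_sql_password` and `gitlab_root_password` keep the literal defaults `PRAEFECT_SQL_PASSWORD` and `GITLAB_ROOT_PASSWORD`, so pressing Enter at both prompts deploys a cluster whose passwords are known to anyone who has read this repository. Consider dropping the placeholder defaults, failing early in the role when either value is empty, and adding `confirm: true` so a typo in a hidden prompt is caught. The default cluster name also changes from `%Y%m%d` to `%Y-%m-%d`; if that is intentional it deserves a line in the commit message, because the name is prefixed to every machine Terraform creates.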
diff --git a/_support/terraform/helper.rb b/_support/terraform/helper.rb
deleted file mode 100644
index eddccbf33..000000000
--- a/_support/terraform/helper.rb
+++ /dev/null
@@ -1,12 +0,0 @@
-require 'json'
-
-require_relative '../run.rb'
-
-def terraform_initialized?
- File.exist?('.terraform')
-end
-
-def terraform_any_machines?
- state = JSON.parse(capture!(%w[terraform show -json]))
- state.has_key?('values')
-end
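Review bot: `helper.rb` is deleted whole, but the removed `create-demo-cluster` only called `terraform_initialized?`, so `terraform_any_machines?` presumably existed for some other script. Please confirm that nothing remaining under `_support/terraform` still does `require_relative 'helper.rb'`, since that would fail at load time after this commit.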
diff --git a/_support/terraform/hosts.ini.erb b/_support/terraform/hosts.ini.erb
deleted file mode 100644
index 74307ca63..000000000
--- a/_support/terraform/hosts.ini.erb
+++ /dev/null
@@ -1,22 +0,0 @@
-[gitalies]<% @tfstate["outputs"]["gitaly_ssh_ip"]["value"].each do |gitaly, address| %>
-<%= address %> internal=<%= @tfstate["outputs"]["gitaly_internal_ip"]["value"][gitaly] %><% end %>
-
-[praefects]<% @tfstate["outputs"]["praefect_ssh_ip"]["value"].each do |praefect, address| %>
-<%= address %> internal=<%= @tfstate["outputs"]["praefect_internal_ip"]["value"][praefect] %><% end %>
-
-[databases]
-<%= @tfstate["outputs"]["praefect_pgbouncer_ip"]["value"] %>
-
-[gitlabs]
-<%= @tfstate["outputs"]["gitlab_external_ip"]["value"] %> internal=<%= @tfstate["outputs"]["gitlab_internal_ip"]["value"] %>
-
-[loadbalancers]
-<%= @tfstate["outputs"]["praefect_loadbalancer_ip"]["value"] %>
-
-[all:vars]
-ansible_become=yes
-praefect_database_password=<%= praefect_sql_password %>
-praefect_external_token=PRAEFECT_EXTERNAL_TOKEN
-praefect_internal_token=PRAEFECT_INTERNAL_TOKEN
-gitlab_shell_secret_token=GITLAB_SHELL_SECRET_TOKEN
-grafana_password=GRAFANA_PASSWORD
diff --git a/_support/terraform/roles/deploy/tasks/main.yml b/_support/terraform/roles/deploy/tasks/main.yml
new file mode 100644
index 000000000..bb9ac2268
--- /dev/null
+++ b/_support/terraform/roles/deploy/tasks/main.yml
@@ -0,0 +1,25 @@
+- name: GCloud login
+ block:
+ - name: GCloud login status
+ command: gcloud auth application-default print-access-token
+ changed_when: false
+ rescue:
+ - name: GCloud login
+ command: gcloud auth application-default login
+
+- name: terraform.tfvars
+ template:
+ src: terraform.tfvars.j2
+ dest: "{{ playbook_dir }}/terraform/terraform.tfvars"
+
+- name: terraform apply
+ terraform:
+ project_path: "{{ playbook_dir }}/terraform"
+ variables_file: terraform.tfvars
+ force_init: true
+ register: tfstate
+
+- name: hosts.ini
+ template:
+ src: hosts.ini.j2
+ dest: "{{ playbook_dir }}/hosts.ini"
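Review bot: Both `template` tasks write files that contain the prompted passwords (`terraform/terraform.tfvars` and `hosts.ini`) without a `mode:`, so their permissions are left to the umask of whoever runs the playbook. Set `mode: "0600"` on both, and add `no_log: true` or `diff: false`, because running the playbook with `--diff` would print the rendered secrets to the terminal. Separately, the `rescue:` branch starts `gcloud auth application-default login` on any failure of the status command, including `gcloud` not being installed; a distinct error for that case would be easier to diagnose.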
diff --git a/_support/terraform/roles/deploy/templates/hosts.ini.j2 b/_support/terraform/roles/deploy/templates/hosts.ini.j2
new file mode 100644
index 000000000..dbce0ae1c
--- /dev/null
+++ b/_support/terraform/roles/deploy/templates/hosts.ini.j2
@@ -0,0 +1,26 @@
+[gitalies]
+{% for gitaly, address in tfstate.outputs.gitaly_ssh_ip.value.items() %}
+{{ address }} internal={{ tfstate.outputs.gitaly_internal_ip.value[gitaly] }}
+{% endfor %}
+
+[praefects]
+{% for praefect, address in tfstate.outputs.praefect_ssh_ip.value.items() %}
+{{ address }} internal={{ tfstate.outputs.praefect_internal_ip.value[praefect] }}
+{% endfor %}
+
+[databases]
+{{ tfstate.outputs.praefect_pgbouncer_ip.value }}
+
+[gitlabs]
+{{ tfstate.outputs.gitlab_external_ip.value }} internal={{ tfstate.outputs.gitlab_internal_ip.value }}
+
+[loadbalancers]
+{{ tfstate.outputs.praefect_loadbalancer_ip.value }}
+
+[all:vars]
+ansible_become=yes
+praefect_sql_password={{ praefect_sql_password }}
+praefect_external_token=PRAEFECT_EXTERNAL_TOKEN
+praefect_internal_token=PRAEFECT_INTERNAL_TOKEN
+gitlab_shell_secret_token=GITLAB_SHELL_SECRET_TOKEN
+grafana_password=GRAFANA_PASSWORD
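Review bot: The `[all:vars]` block still hardcodes `PRAEFECT_EXTERNAL_TOKEN`, `PRAEFECT_INTERNAL_TOKEN`, `GITLAB_SHELL_SECRET_TOKEN` and `GRAFANA_PASSWORD` as literal values, so every demo cluster rendered from this template shares the same tokens and Grafana password while only `praefect_sql_password` comes from the prompt. Since the conversion already moves input handling into `vars_prompt`, this would be a good place to prompt for these values or generate them per cluster. The key is also renamed from `praefect_database_password` to `praefect_sql_password`; the Praefect template is updated in this patch, but please check that no other role still reads the old name.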
diff --git a/_support/terraform/roles/deploy/templates/terraform.tfvars.j2 b/_support/terraform/roles/deploy/templates/terraform.tfvars.j2
new file mode 100644
index 000000000..83573a841
--- /dev/null
+++ b/_support/terraform/roles/deploy/templates/terraform.tfvars.j2
@@ -0,0 +1,7 @@
+# This variable will be prefixed to all machines created by terraform
+praefect_demo_cluster_name = "{{ praefect_demo_cluster_name }}"
+
+ssh_user = "{{ ssh_username }}"
+ssh_pubkey = "{{ lookup('file', ssh_pubkey) }}"
+praefect_sql_password = "{{ praefect_sql_password }}"
+gitlab_root_password = "{{ gitlab_root_password }}"
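Review bot: All five values are placed between hand-written double quotes with no escaping, so a password containing `"` or `\` produces a `terraform.tfvars` that either fails to parse or assigns a different value than the one typed. Escape on render (for example the `to_json` filter in place of the literal quotes) or validate the prompt input against a safe character set before this template runs. The same applies to `lookup('file', ssh_pubkey)`, whose content is not checked anywhere in this patch.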
diff --git a/_support/terraform/roles/praefect/templates/praefect-gitlab.rb.j2 b/_support/terraform/roles/praefect/templates/praefect-gitlab.rb.j2
index 9eb2a11a3..6a06d1322 100644
--- a/_support/terraform/roles/praefect/templates/praefect-gitlab.rb.j2
+++ b/_support/terraform/roles/praefect/templates/praefect-gitlab.rb.j2
@@ -28,7 +28,7 @@ praefect['auth_token'] = '{{ praefect_external_token }}'
praefect['database_host'] = '{{ groups['databases'][0] }}'
praefect['database_port'] = 5432
praefect['database_user'] = 'praefect'
-praefect['database_password'] = '{{ praefect_database_password }}'
+praefect['database_password'] = '{{ praefect_sql_password }}'
praefect['database_dbname'] = 'praefect_production'
praefect['database_sslmode'] = 'disable'
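Review bot: On the changed line the prompted password is interpolated into a single-quoted Ruby string, so a `'` or a trailing `\` in `praefect_sql_password` breaks the generated `gitlab.rb` or alters the value Praefect receives. The old variable had the same shape, but the value now comes from free-form user input, so it should be escaped or validated before rendering.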
diff --git a/_support/terraform/terraform.tfvars.erb b/_support/terraform/terraform.tfvars.erb
deleted file mode 100644
index ab231506a..000000000
--- a/_support/terraform/terraform.tfvars.erb
+++ /dev/null
@@ -1,7 +0,0 @@
-# This variable will be prefixed to all machines created by terraform
-praefect_demo_cluster_name = "<%= praefect_demo_cluster_name %>"
-
-ssh_user = "<%= username %>"
-ssh_pubkey = "<%= ssh_pubkey %>"
-praefect_sql_password = "<%= praefect_sql_password %>"
-gitlab_root_password = "<%= gitlab_root_password %>"
diff --git a/_support/terraform/main.tf b/_support/terraform/terraform/main.tf
index 5482359fb..5482359fb 100644
--- a/_support/terraform/main.tf
+++ b/_support/terraform/terraform/main.tf