feat: add gcloud template and tailscale for oci

Signed-off-by: Mateusz Urbanek <[email protected]>

.github/workflows/autopilot.yaml

@@ -1,5 +1,7 @@
 name: autopilot
+
 on: pull_request_target
+
 jobs:
   auto-approve:
     runs-on: ubuntu-latest

.github/workflows/semantic-pr.yaml

@@ -1,13 +1,16 @@
 name: semantic-pr
+
 on:
   pull_request_target:
     types:
       - opened
       - reopened
       - edited
       - synchronize
+
 permissions:
   pull-requests: read
+
 jobs:
   pr-title:
     runs-on: ubuntu-latest

.github/workflows/tofu.yaml

@@ -1,12 +1,15 @@
 name: tofu
+
 on:
   push:
     branches:
       - "main"
   schedule:
     - cron: "0 4 * * *"
+
 concurrency:
   group: ${{ github.workflow }}
+
 jobs:
   linode:
     runs-on: ubuntu-latest
@@ -30,6 +33,7 @@ jobs:
         run: |
           tofu -chdir=./terraform/linode \
             apply -auto-approve -input=false -lock=true -no-color
+
   oci:
     runs-on: ubuntu-latest
     steps:
@@ -40,6 +44,8 @@ jobs:
           TF_VAR_fingerprint: ${{ secrets.OCI_FINGERPRINT }}
           TF_VAR_private_key: ${{ secrets.OCI_PEM_PRV }}
           TF_VAR_ssh_public_keys: ${{ secrets.SSH_PUB_KEY }}
+          TF_VAR_tailscale_oauth_client_id: ${{ secrets.TAILSCALE_OAUTH_CLIENT_ID }}
+          TF_VAR_tailscale_oauth_secret: ${{ secrets.TAILSCALE_OAUTH_SECRET }}
           TF_VAR_tenancy_ocid: ${{ secrets.OCI_TENANCY_OCID }}
           TF_VAR_user_ocid: ${{ secrets.OCI_USER_OCID }}
         run: |
@@ -49,8 +55,25 @@ jobs:
           TF_VAR_fingerprint: ${{ secrets.OCI_FINGERPRINT }}
           TF_VAR_private_key: ${{ secrets.OCI_PEM_PRV }}
           TF_VAR_ssh_public_keys: ${{ secrets.SSH_PUB_KEY }}
+          TF_VAR_tailscale_oauth_client_id: ${{ secrets.TAILSCALE_OAUTH_CLIENT_ID }}
+          TF_VAR_tailscale_oauth_secret: ${{ secrets.TAILSCALE_OAUTH_SECRET }}
           TF_VAR_tenancy_ocid: ${{ secrets.OCI_TENANCY_OCID }}
           TF_VAR_user_ocid: ${{ secrets.OCI_USER_OCID }}
         run: |
           tofu -chdir=./terraform/oci \
             apply -auto-approve -input=false -lock=true -no-color
+
+  gcloud:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: opentofu/setup-opentofu@v1
+      - env:
+          PG_CONN_STR: ${{ secrets.PG_CONN_STR }}
+        run: |
+          tofu -chdir=./terraform/gcloud init -upgrade
+      - env:
+          PG_CONN_STR: ${{ secrets.PG_CONN_STR }}
+        run: |
+          tofu -chdir=./terraform/gcloud \
+            apply -auto-approve -input=false -lock=true -no-color

terraform/gcloud/README.md

@@ -0,0 +1,28 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.8 |
+| <a name="requirement_google"></a> [google](#requirement\_google) | 6.14.1 |
+
+## Providers
+
+No providers.
+
+## Modules
+
+No modules.
+
+## Resources
+
+No resources.
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->

terraform/gcloud/modules/always_free/README.md

@@ -0,0 +1,25 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+No providers.
+
+## Modules
+
+No modules.
+
+## Resources
+
+No resources.
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->

terraform/gcloud/modules/always_free/versions.tf

@@ -0,0 +1,9 @@
+# tflint-ignore: terraform_required_version
+terraform {
+  required_providers {
+    # tflint-ignore: terraform_required_providers
+    google = {
+      source = "hashicorp/google"
+    }
+  }
+}

terraform/gcloud/versions.tf

@@ -0,0 +1,14 @@
+terraform {
+  required_version = ">= 1.8"
+
+  backend "pg" {
+    schema_name = "tofu_remote_state_gcloud"
+  }
+
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = "6.14.1"
+    }
+  }
+}

terraform/oci/README.md

@@ -5,6 +5,7 @@
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.8 |
 | <a name="requirement_oci"></a> [oci](#requirement\_oci) | 6.23.0 |
+| <a name="requirement_tailscale"></a> [tailscale](#requirement\_tailscale) | 0.17.2 |
 
 ## Providers
 
@@ -30,6 +31,8 @@ No resources.
 | <a name="input_private_key"></a> [private\_key](#input\_private\_key) | Contents of OCI API Private Key used. | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | The oci region where resources will be created. | `string` | `"eu-frankfurt-1"` | no |
 | <a name="input_ssh_public_keys"></a> [ssh\_public\_keys](#input\_ssh\_public\_keys) | Public SSH keys to be included in the ~/.ssh/authorized\_keys file for the default user on the instance. | `string` | n/a | yes |
+| <a name="input_tailscale_oauth_client_id"></a> [tailscale\_oauth\_client\_id](#input\_tailscale\_oauth\_client\_id) | OAuth Client ID for Tailscale. | `string` | n/a | yes |
+| <a name="input_tailscale_oauth_secret"></a> [tailscale\_oauth\_secret](#input\_tailscale\_oauth\_secret) | OAuth Secret for Tailscale. | `string` | n/a | yes |
 | <a name="input_tenancy_ocid"></a> [tenancy\_ocid](#input\_tenancy\_ocid) | Tenancy ocid where to create the sources. | `string` | n/a | yes |
 | <a name="input_user_ocid"></a> [user\_ocid](#input\_user\_ocid) | Ocid of user that terraform will use to create the resources. | `string` | n/a | yes |
 

terraform/oci/main.tf

@@ -22,7 +22,9 @@ module "oci_amd" {
   instance_shape = "VM.Standard.E2.1.Micro"
   subnet_id      = module.oci_core.subnet_id
 
-  tenancy_ocid        = var.tenancy_ocid
-  ssh_public_keys     = var.ssh_public_keys
-  availability_domain = var.availability_domain
+  tenancy_ocid              = var.tenancy_ocid
+  ssh_public_keys           = var.ssh_public_keys
+  availability_domain       = var.availability_domain
+  tailscale_oauth_client_id = var.tailscale_oauth_client_id
+  tailscale_oauth_secret    = var.tailscale_oauth_secret
 }

terraform/oci/modules/always_free/README.md

@@ -8,6 +8,7 @@ No requirements.
 | Name | Version |
 |------|---------|
 | <a name="provider_oci"></a> [oci](#provider\_oci) | n/a |
+| <a name="provider_tailscale"></a> [tailscale](#provider\_tailscale) | n/a |
 
 ## Modules
 
@@ -18,6 +19,7 @@ No modules.
 | Name | Type |
 |------|------|
 | [oci_core_instance.instance](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_instance) | resource |
+| [tailscale_tailnet_key.tailscale_key](https://registry.terraform.io/providers/tailscale/tailscale/latest/docs/resources/tailnet_key) | resource |
 | [oci_core_images.instance_images](https://registry.terraform.io/providers/oracle/oci/latest/docs/data-sources/core_images) | data source |
 | [oci_identity_availability_domain.ad](https://registry.terraform.io/providers/oracle/oci/latest/docs/data-sources/identity_availability_domain) | data source |
 
@@ -32,6 +34,8 @@ No modules.
 | <a name="input_region"></a> [region](#input\_region) | The oci region where resources will be created. | `string` | `"eu-frankfurt-1"` | no |
 | <a name="input_ssh_public_keys"></a> [ssh\_public\_keys](#input\_ssh\_public\_keys) | Public SSH keys to be included in the ~/.ssh/authorized\_keys file for the default user on the instance. | `string` | n/a | yes |
 | <a name="input_subnet_id"></a> [subnet\_id](#input\_subnet\_id) | Name of the instance. | `string` | n/a | yes |
+| <a name="input_tailscale_oauth_client_id"></a> [tailscale\_oauth\_client\_id](#input\_tailscale\_oauth\_client\_id) | OAuth Client ID for Tailscale. | `string` | n/a | yes |
+| <a name="input_tailscale_oauth_secret"></a> [tailscale\_oauth\_secret](#input\_tailscale\_oauth\_secret) | OAuth Secret for Tailscale. | `string` | n/a | yes |
 | <a name="input_tenancy_ocid"></a> [tenancy\_ocid](#input\_tenancy\_ocid) | Tenancy ocid where to create the sources. | `string` | n/a | yes |
 
 ## Outputs

terraform/oci/modules/always_free/always_free.tf → terraform/oci/modules/always_free/main.tf

@@ -20,6 +20,15 @@ locals {
   boot_volume = var.instance_shape == "VM.Standard.E2.1.Micro" ? 100 : 200
 }
 
+resource "tailscale_tailnet_key" "tailscale_key" {
+  description         = "OCI Always-Free VM key"
+  expiry              = 3600
+  reusable            = true
+  preauthorized       = true
+  recreate_if_invalid = "always"
+  tags                = ["${var.instance_shape}", "OCI", "Always-Free-VM"]
+}
+
 resource "oci_core_instance" "instance" {
   count               = local.count
   availability_domain = data.oci_identity_availability_domain.ad.name
@@ -49,6 +58,12 @@ resource "oci_core_instance" "instance" {
 
   metadata = {
     ssh_authorized_keys = var.ssh_public_keys
+    user_data = base64encode(templatefile(
+      "./templates/user_data.tftpl",
+      {
+        tailscale_key = tailscale_tailnet_key.key,
+      }
+    ))
   }
 
   timeouts {

terraform/oci/modules/always_free/templates/user_data.tftpl

@@ -0,0 +1,8 @@
+#cloud-config
+
+runcmd:
+  # Tailscale install
+  - ['sh', '-c', 'curl -fsSL https://tailscale.com/install.sh | sh']
+  - ['sh', '-c', "echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf && echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf && sudo sysctl -p /etc/sysctl.d/99-tailscale.conf" ]
+  - ['tailscale', 'up', '--auth-key=${tailscale_key}']
+  - ['tailscale', 'set', '--ssh']

terraform/oci/modules/always_free/variables.tf

@@ -45,3 +45,13 @@ variable "instance_source_type" {
   description = "The source type for the instance."
   default     = "image"
 }
+
+variable "tailscale_oauth_client_id" {
+  type        = string
+  description = "OAuth Client ID for Tailscale."
+}
+
+variable "tailscale_oauth_secret" {
+  type        = string
+  description = "OAuth Secret for Tailscale."
+}

terraform/oci/modules/always_free/versions.tf

@@ -5,5 +5,14 @@ terraform {
     oci = {
       source = "oracle/oci"
     }
+
+    # tflint-ignore: terraform_required_providers
+    tailscale = {
+      source = "tailscale/tailscale"
+    }
   }
 }
+
+provider "tailscale" {
+  api_key = var.tailscale_api_key
+}

terraform/oci/variables.tf

@@ -34,3 +34,13 @@ variable "availability_domain" {
   description = "Availability Domain of the instance."
   default     = 3
 }
+
+variable "tailscale_oauth_client_id" {
+  type        = string
+  description = "OAuth Client ID for Tailscale."
+}
+
+variable "tailscale_oauth_secret" {
+  type        = string
+  description = "OAuth Secret for Tailscale."
+}

terraform/oci/versions.tf

@@ -10,5 +10,10 @@ terraform {
       source  = "oracle/oci"
       version = "6.23.0"
     }
+
+    tailscale = {
+      source  = "tailscale/tailscale"
+      version = "0.17.2"
+    }
   }
 }