From d6062fedb98149e354b88e85d44d2d16542402a1 Mon Sep 17 00:00:00 2001 From: zhenik Date: Fri, 28 Aug 2020 14:04:30 +0200 Subject: [PATCH] initial implementation --- Makefile | 6 +- README.md | 90 +--------------- Vagrantfile | 11 +- conf/nomad/presto.hcl | 172 +++++++++++++++++++++++++++++++ dev/ansible/02_run_terraform.yml | 10 ++ example/main.tf | 94 +++++++++++++++++ example/nomad_acl_test.tf | 11 ++ example/variables.tf | 3 + main.tf | 12 +++ outputs.tf | 10 ++ variables.tf | 17 +++ versions.tf | 13 +++ 12 files changed, 354 insertions(+), 95 deletions(-) create mode 100644 conf/nomad/presto.hcl create mode 100644 dev/ansible/02_run_terraform.yml create mode 100644 example/main.tf create mode 100644 example/nomad_acl_test.tf create mode 100644 example/variables.tf create mode 100644 versions.tf diff --git a/Makefile b/Makefile index 261cecf..d466541 100644 --- a/Makefile +++ b/Makefile @@ -33,8 +33,12 @@ else endif # clean commands -destroy-box: +# clean commands +destroy: vagrant destroy -f + rm terraform.tfstate || true + rm terraform.tfstate.backup || true + rm example/terraform.tfstate || true remove-tmp: rm -rf ./tmp diff --git a/README.md b/README.md index 95c07e4..9d9c12b 100644 --- a/README.md +++ b/README.md 
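Review bot: The added `# clean commands` line in the Makefile hunk repeats the comment that already sits directly above it as context, so the heading now appears twice and the added copy should be dropped. The three cleanup lines can collapse into `rm -f terraform.tfstate terraform.tfstate.backup example/terraform.tfstate`. That form stays quiet when a file is missing, and unlike `|| true` it does not hide real failures such as a permission error. The list also skips a backup file under `example/`, which Terraform would normally write next to `example/terraform.tfstate`. Terraform state can hold provider credentials in plain text, so confirm these paths are git-ignored as well; the ignore file is not part of this patch.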
@@ -1,90 +1,2 @@ -# Starter template for `fredrikhgrelland/hashistack` +# Terraform-nomad-presto -This repository can be used as a base for developing services on the hashistack. -On github, you may use the ["Use this template"](https://github.com/fredrikhgrelland/vagrant-hashistack-template/generate) button to generate a new repository from this template. - -If you found this in `fredrikhgrelland/vagrant-hashistack`, you may be interested in this separate repository [vagrant-hashistack-template](https://github.com/fredrikhgrelland/vagrant-hashistack-template/generate) button to start a new repository from this repo -. - -Documentation on [parent repository](https://github.com/fredrikhgrelland/vagrant-hashistack#usage). - -## Customizing and using the vagrant box - -### Building and testing docker image -See docker [README.md](docker/README.md). - -### Starting a box -The vagrant box ships with a default startup scheme. `make` from this directory will start the box, and it will run all books in [dev/ansible](dev/ansible) in lexical order (NB: `playbook.yml` is run first, but is only used to run all other playbooks) after the bootstrap-process for the hashistack is done. In the [example](test_example/dev/ansible/playbook.yml) we use it to start terraform which then starts a nomad-job. - -### Pre and post hashistack procedure -You may change the hashistack configuration or add aditional pre and post steps to the startup procedure to match your needs. -Detailed documentation in [dev/vagrant/conf/README.md](dev/vagrant/conf/README.md) - -### Pre packaged configuration switches - -The box comes standard with a set of environment switches to simplify testing of different scenarios and enable staged development efforts. - -NB: All lowercase variables will automatically get a corresponding TF_VAR_ prepended variant for use directly in terraform. 
-To change from the default value, you may add the environment variable to [.env](dev/.env) - -#### Enterprise vs Open Source Software (OSS) -As long as Enterprise is not set to `true` the box will utilise OSS version of the binaries. - -#### Nomad - -| default | environment variable | value | -|:---------:|:----------------------|:-------:| -| | nomad_enterprise | true | -| x | nomad_enterprise | false | -| | nomad_acl | true | -| x | nomad_acl | false | - -When ACLs in Nomad are enabled the bootstrap token will be available in vault under `secret/nomad/management-token` with the two key-value pairs `accessor-id` and `secret-id`. `secret-id` is the token itself. These can be accessed in several ways: -- From inside the vagrant box with `vault kv get secret/nomad-bootstrap-token` -- From local machine with `vagrant ssh -c vault kv get secret/nomad-bootstrap-token"` -- By going to vault's UI on `localhost:8200`, and signing in with the root token. - -#### Consul - -| default | environment variable | value | -|:---------:|:---------------------------------|:-------:| -| | consul_enterprise | true | -| x | consul_enterprise | false | -| x | consul_acl | true | -| | consul_acl | false | -| x | consul_acl_default_policy | allow | -| | consul_acl_default_policy | deny | - -#### Vault - -| default | environment variable | value | -|:---------:|:---------------------------------|:-------:| -| | vault_enterprise | true | -| x | vault_enterprise | false | - -##### Consul secrets engine - -If `consul_acl_default_policy` has value `deny`, it will also enable [consul secrets engine](https://www.vaultproject.io/docs/secrets/consul) in vault. -Ansible will provision additional custom roles (admin-team, dev-team), [policies](../ansible/templates/consul-policies) and tokens for test purpose with different access level. 
- -How to generate token: -```text -# generate token for dev team member -vagrant ssh -c 'vault read consul/creds/dev-team' - -# generate token for admin team member -vagrant ssh -c 'vault read consul/creds/admin-team' -``` - -*Tokens can be used to access UI (different access level depends on role) - -## Vagrant box life-cycle -1. `/home/vagrant/.env_default` - _preloaded_ - default variables -1. `vagrant/.env` - _user provided_ - variables override -1. `vagrant/.env_override` - _system provided_ - variables are overridden for test purposes -1. `vagrant/dev/vagrant/conf/pre_ansible.sh` - _user provided_ - script running before ansible bootstrap procedure -1. `vagrant/dev/vagrant/conf/pre_bootstrap/*.yml` - _user provided_ - pre bootstrap tasks, running before hashistack software runs and ready -1. `/etc/ansible/bootstrap.yml` - _preloaded_ - verify ansible variables and software configuration, run hashistack software & verify that it started correctly -1. `vagrant/conf/post_bootstrap/*.yml` - _user provided_ - poststart scripts, running after hasistack software runs and ready -1. `vagrant/dev/conf/pre_ansible.sh` - _user provided_ - script running after ansible bootstrap procedure -1. `vagrant/ansible/*.yml` - _user provided_ - ansible tasks included in playbook diff --git a/Vagrantfile b/Vagrantfile index 3ad3025..938c2dd 100644 --- a/Vagrantfile +++ b/Vagrantfile 
@@ -3,10 +3,11 @@ Vagrant.configure("2") do |config|
 config.vm.box_version = ">= 0.3, < 0.4"
 config.vm.provider "virtualbox" do |vb|
 vb.linked_clone = true
- vb.memory = 2048
+ vb.cpus = 3
+ vb.memory = 8192
+ end
+ config.vm.provision "ansible_local" do |ansible|
+ ansible.provisioning_path = "/vagrant/dev/ansible"
+ ansible.playbook = "playbook.yml" # Note this playbook is, in this context, /ansible/playbook.yml
 end
- config.vm.provision "ansible_local" do |ansible|
- ansible.provisioning_path = "/vagrant/dev/ansible"
- ansible.playbook = "playbook.yml" # Note this playbook is, in this context, /ansible/playbook.yml
- end
 end
diff --git a/conf/nomad/presto.hcl b/conf/nomad/presto.hcl
new file mode 100644
index 0000000..3b0e996
--- /dev/null
+++ b/conf/nomad/presto.hcl
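Review bot: `vb.memory = 8192` and `vb.cpus = 3` in the Vagrantfile hunk are hard-coded with no comment, so nothing explains why memory quadrupled from 2048, and a host with less free RAM gets no hint about what to lower. A comment above the two lines would cover it, for example `# sized for the presto job in conf/nomad/presto.hcl; reduce on smaller hosts`. The sizing reason is inferred from the rest of this commit and should be confirmed. The enclosing `Vagrant.configure` block opens above the hunk.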
@@ -0,0 +1,172 @@
+job "presto" {
+ type = "service"
+ datacenters = ["dc1"]
+
+ update {
+ max_parallel = 1
+ health_check = "checks"
+ min_healthy_time = "10s"
+ healthy_deadline = "12m"
+ progress_deadline = "15m"
+ auto_revert = true
+ auto_promote = true
+ canary = 1
+ stagger = "30s"
+ }
+ group "standalone" {
+ count = 1
+
+ network {
+ mode = "bridge"
+ }
+
+ service {
+ name = "presto"
+ port = 8080
+ connect {
+ sidecar_service {
+ proxy {
+ upstreams {
+ destination_name = "hive-metastore"
+ local_bind_port = 9083
+ }
+ upstreams {
+ destination_name = "minio"
+ local_bind_port = 9000
+ }
+ }
+ }
+ }
+// check {
+// task = "server"
+// name = "presto-hive-availability"
+// type = "script"
+// command = "presto"
+// args = ["--execute", "SHOW TABLES IN hive.default"]
+// interval = "30s"
+// timeout = "15s"
+// }
+ check {
+ expose = true
+ name = "presto-info"
+ type = "http"
+ path = "/v1/info"
+ interval = "10s"
+ timeout = "2s"
+ }
+ check {
+ expose = true
+ name = "presto-node"
+ type = "http"
+ path = "/v1/node"
+ interval = "10s"
+ timeout = "2s"
+ }
+ }
+
+ task "waitfor-hive-metastore" {
+ restart {
+ attempts = 100
+ delay = "5s"
+ }
+ lifecycle {
+ hook = "prestart"
+ }
+ driver = "docker"
+ resources {
+ memory = 32
+ }
+ config {
+ image = "consul:latest"
+ entrypoint = ["/bin/sh"]
+ args = ["-c", "jq