AWS Gitlab Autoscale runner with private IP, don't want to enable Public IP - gitlab-ci-runner

In AWS, our GitLab Autoscale runner uses a private IP, and we don't want to enable a public IP.
Currently our GitLab Autoscale runner is configured with a public IP, so the runner hub connects via the public IP of the autoscale runners. For that we are opening ALL TCP ports in the security group.
To avoid this scenario, can we stop using public IPs and use private IPs to connect the GitLab hub and the autoscale runners?
concurrent = 100
check_interval = 0

[session_server]
  session_timeout = 1800

[[runners]]
  name = "aws-abc-runner-autoscale"
  limit = 110
  url = "https://git.abc-example.in/"
  token = "xxxxxxxxxxxx"
  executor = "docker+machine"
  environment = ["DOCKER_AUTH_CONFIG={ \"auths\": { \"docker.dev.abc.com\": { \"auth\": \"################################################\" }, \"silicon.docker.dev.abc.com\": { \"auth\": \"################################################\" }, \"cde.dev.abc.com\": { \"auth\": \"################################################\" }, \"abcde.azurecr.io\": { \"auth\": \"##########################################\" }, \"efghijk.azurecr.io\": { \"auth\": \"###################################################\" } } }"]
  [runners.custom_build_dir]
    enabled = true
  [runners.cache]
    Type = "s3"
    Shared = true
    [runners.cache.s3]
      ServerAddress = "ip-172-31-11-12.eu-central-1.compute.internal:9005"
      AccessKey = "xxxxxxxxxx"
      SecretKey = "xxxxxxxxxx"
      BucketName = "runner-autoscale"
      Insecure = true
  [runners.docker]
    tls_verify = false
    image = "docker:latest"
    privileged = true
    disable_entrypoint_overwrite = false
    oom_kill_disable = false
    disable_cache = false
    volumes = ["/var/run/docker.sock:/var/run/docker.sock"]
    shm_size = 0
  [runners.machine]
    IdleCount = 4
    IdleTime = 300
    MachineDriver = "amazonec2"
    MachineName = "abcdev-runners-%s"
    MachineOptions = ["amazonec2-ami=ami-08a1a615784dd1c82f", "amazonec2-region=eu-central-1", "amazonec2-zone=b", "amazonec2-vpc-id=vpc-0f458d68", "amazonec2-subnet-id=subnet-c23438b8", "amazonec2-instance-type=t3.xlarge", "amazonec2-root-size=250", "amazonec2-volume-type=gp2", "amazonec2-use-private-address=true"]
    OffPeakTimezone = ""
    OffPeakIdleCount = 0
    OffPeakIdleTime = 0
Can someone explain how we can implement this?

Your runners do not need to be network-reachable from your GitLab instance based on how you have it set up, so making them have a private IP would be as simple as changing the subnet you have set up in amazonec2-subnet-id to be one that doesn't assign a public IP. Note your private subnet will need to have a NAT gateway attached to get to your GitLab instance, or configured to use the intra-vpc network.
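To make the answer above concrete, here is an added Terraform example (mine, not part of the question or the answer) that creates a private subnet in the question's VPC, routes it outbound through a NAT gateway so the machines can still reach the GitLab instance, and replaces the all-TCP security group with one that admits only SSH (22) and the Docker TLS port (2376) from the runner manager's own security group. The VPC id is the one from the question's MachineOptions; the subnet CIDR, the manager security group id and the public subnet that hosts the NAT gateway are placeholders. It assumes AWS provider 5.x (`domain = "vpc"` on `aws_eip`).

```terraform
# Added example, not the question's or answer's code. Placeholder values are marked.
variable "vpc_id"           { default = "vpc-0f458d68" }    # VPC id from the question
variable "public_subnet_id" { default = "subnet-c23438b8" } # existing public subnet, hosts the NAT gateway (assumed)
variable "manager_sg_id"    { default = "sg-PLACEHOLDER" }  # security group of the runner manager instance (placeholder)

# Private subnet: machines launched here never get a public address.
resource "aws_subnet" "runners_private" {
  vpc_id                  = var.vpc_id
  cidr_block              = "172.31.200.0/24" # constructed; pick a free range in your VPC
  availability_zone       = "eu-central-1b"   # matches amazonec2-zone=b in the question
  map_public_ip_on_launch = false
  tags = { Name = "gitlab-runners-private" }
}

# NAT gateway gives the private subnet outbound reach (to git.abc-example.in, registries, apt).
resource "aws_eip" "nat" {
  domain = "vpc"
}

resource "aws_nat_gateway" "runners" {
  allocation_id = aws_eip.nat.id
  subnet_id     = var.public_subnet_id # a NAT gateway must sit in a public subnet
}

resource "aws_route_table" "runners_private" {
  vpc_id = var.vpc_id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.runners.id # outbound only; nothing can initiate inbound
  }
}

resource "aws_route_table_association" "runners_private" {
  subnet_id      = aws_subnet.runners_private.id
  route_table_id = aws_route_table.runners_private.id
}

# docker-machine needs exactly two inbound ports, and only from the manager.
resource "aws_security_group" "runners" {
  name        = "gitlab-runner-machines"
  description = "Inbound from the runner manager only"
  vpc_id      = var.vpc_id

  ingress {
    description     = "SSH for docker-machine provisioning"
    from_port       = 22
    to_port         = 22
    protocol        = "tcp"
    security_groups = [var.manager_sg_id]
  }
  ingress {
    description     = "Docker daemon over TLS"
    from_port       = 2376
    to_port         = 2376
    protocol        = "tcp"
    security_groups = [var.manager_sg_id]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Entries to put into MachineOptions in config.toml.
output "machine_options" {
  value = [
    "amazonec2-subnet-id=${aws_subnet.runners_private.id}",
    "amazonec2-security-group=${aws_security_group.runners.name}",
    "amazonec2-use-private-address=true",
    "amazonec2-private-address-only=true",
  ]
}
```

The `machine_options` output replaces the `amazonec2-subnet-id` entry in the question's config and adds the named security group. Keep both ingress rules in place: as far as I know the amazonec2 driver adds its own `0.0.0.0/0` rules for 22 and 2376 whenever it does not find those ports in the group it is told to use. With the manager in the same VPC the NAT gateway is needed only for traffic that leaves the VPC; the manager reaches the machines over their private addresses.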

Related

Terraforms to create Azure API Management Private Endpoint

I'm trying to script creation of an Azure API Management having a Private Endpoint within a VNET Subnet.
I'm able to create it manually no problem in Azure Portal, but can't quite figure out the terraform script.
The VNET and Subnet are created in a separate process, so they are not in the Terraform script but for the API Management piece I have:
resource "azurerm_api_management" "app" {
  location            = var.the_location
  resource_group_name = "${var.the_resource_group}"
  name                = "${var.the_prefix}-api-mgmt"
  publisher_email     = var.api_mgmt_publisher_email
  publisher_name      = var.api_mgmt_publisher_name
  sku_name            = "${var.api_mgmt_sku}_1"
  tags                = var.resource_tags
}

resource "azurerm_private_endpoint" "endpoint" {
  name                = "${var.the_prefix}-api-privateendpoint"
  location            = var.the_location
  resource_group_name = var.the_resource_group
  subnet_id           = var.subnetId
  tags                = var.resource_tags

  private_service_connection {
    name                           = "api-privateserviceconnection"
    private_connection_resource_id = azurerm_api_management.app.id
    is_manual_connection           = false
    subresource_names              = []
  }
}
The var.subnetId is the full id of the subnet, i.e.:
/subscriptions/{subscriptionId}/resourceGroups/OpenEHR/providers/Microsoft.Network/virtualNetworks/OpenEHR-VNET/subnets/API-Subnet
The error I get is
Error: creating Private Endpoint "i365sabppdsdevtb-api-privateendpoint" (Resource Group "i365-uks-ehsabppds-devtb-rg"): network.PrivateEndpointsClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="MissingParameterOnPrivateLinkServiceConnection" Message="Private link service connection /subscriptions/8cb2b2d3-9411-46e4-926d-22d6378349bc/resourceGroups/i365-uks-ehsabppds-devtb-rg/providers/Microsoft.Network/privateEndpoints/i365sabppdsdevtb-api-privateendpoint/privateLinkServiceConnections/api-privateserviceconnection is missing required parameter 'group Id'." Details=[]
I think the error is something to do with subresource_names, but I can't work out what to put in there.
I tried [ "sites" ] but then I get the error:
│ Error: creating Private Endpoint "i365sabppdsdevtb-api-privateendpoint" (Resource Group "i365-uks-ehsabppds-devtb-rg"): network.PrivateEndpointsClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="PrivateEndpointBadRequest" Message="Call to Microsoft.ApiManagement/service failed. Error message: The Request has invalid groupId sites." Details=[]
Any ideas, much appreciated.
Thanks.
The issue was caused by the private service connection resource id and the subresource names. Please use the configuration below:
private_connection_resource_id = azurerm_api_management.app.id
subresource_names = ["Gateway"]
Find the code snippets below for reference.
Step 1:
Copy the code below (from the main .tf file).
provider "azurerm" {
features {}
}
variable "prefix" {
default = "rg_swar"
}
resource "azurerm_resource_group" "example" {
name = "rg_swar-resources"
location = "West Europe"
}
resource "azurerm_virtual_network" "example" {
name = "example-network"
address_space = ["10.0.0.0/16"]
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
}
resource "azurerm_subnet" "service" {
name = "service"
resource_group_name = azurerm_resource_group.example.name
virtual_network_name = azurerm_virtual_network.example.name
address_prefixes = ["10.0.1.0/24"]
enforce_private_link_service_network_policies = true
}
resource "azurerm_subnet" "endpoint" {
name = "endpoint"
resource_group_name = azurerm_resource_group.example.name
virtual_network_name = azurerm_virtual_network.example.name
address_prefixes = ["10.0.2.0/24"]
enforce_private_link_endpoint_network_policies = true
}
resource "azurerm_public_ip" "example" {
name = "example-pip"
sku = "Standard"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
allocation_method = "Static"
}
resource "azurerm_lb" "example" {
name = "example-lb"
sku = "Standard"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
frontend_ip_configuration {
name = azurerm_public_ip.example.name
public_ip_address_id = azurerm_public_ip.example.id
}
}
resource "azurerm_private_link_service" "example" {
name = "example-privatelink"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
nat_ip_configuration {
name = azurerm_public_ip.example.name
primary = true
subnet_id = azurerm_subnet.service.id
}
load_balancer_frontend_ip_configuration_ids = [
azurerm_lb.example.frontend_ip_configuration.0.id,
]
}
resource "azurerm_api_management" "app" {
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
name = "swar-api-mgmt"
publisher_email = "test@demo.com"
publisher_name = "Swarna Demo"
sku_name = "Developer_1"
//tags = var.resource_tags
}
resource "azurerm_private_endpoint" "example" {
name = "example-endpoint"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
subnet_id = azurerm_subnet.endpoint.id
private_service_connection {
name = "example-privateserviceconnection"
//private_connection_resource_id = azurerm_private_link_service.example.id
private_connection_resource_id = azurerm_api_management.app.id
subresource_names = ["Gateway"]
is_manual_connection = false
}
}
Step 2:
Run the commands below:
terraform plan
terraform apply -auto-approve
Review:
The above code snippet will host the services in the Azure portal.
Hope this helps!
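The answer's main.tf creates the endpoint, but nothing in it makes the gateway hostname resolve to the endpoint's private address, and the public gateway endpoint stays reachable. As an added example (mine, not the answer's code), here is the same `Gateway` private endpoint with the `privatelink.azure-api.net` private DNS zone linked to the VNet and registered through `private_dns_zone_group`, plus `public_network_access_enabled = false`. The resource group, VNet and endpoint subnet are re-declared minimally so the snippet stands alone; names, location and publisher details are placeholders, and it assumes azurerm provider 3.x.

```terraform
# Added example, not the answer's code. Names, location and publisher details are placeholders.
provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "example" {
  name     = "rg-apim-private"
  location = "West Europe"
}

resource "azurerm_virtual_network" "example" {
  name                = "example-network"
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

resource "azurerm_subnet" "endpoint" {
  name                 = "endpoint"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.0.2.0/24"]
}

resource "azurerm_api_management" "app" {
  name                = "example-api-mgmt"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  publisher_email     = "admin@example.com"
  publisher_name      = "Example Publisher"
  sku_name            = "Developer_1"

  # Close the public gateway endpoint so the service is reachable only through
  # the private endpoint. In my experience Azure rejects this before the private
  # endpoint exists: apply with `true` first, then set `false` and apply again.
  public_network_access_enabled = false
}

# Private DNS zone Azure uses for API Management Private Link.
resource "azurerm_private_dns_zone" "apim" {
  name                = "privatelink.azure-api.net"
  resource_group_name = azurerm_resource_group.example.name
}

# Link the zone to the VNet so resolvers inside it answer from this zone.
resource "azurerm_private_dns_zone_virtual_network_link" "apim" {
  name                  = "apim-dns-link"
  resource_group_name   = azurerm_resource_group.example.name
  private_dns_zone_name = azurerm_private_dns_zone.apim.name
  virtual_network_id    = azurerm_virtual_network.example.id
}

resource "azurerm_private_endpoint" "example" {
  name                = "example-endpoint"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  subnet_id           = azurerm_subnet.endpoint.id

  private_service_connection {
    name                           = "example-privateserviceconnection"
    private_connection_resource_id = azurerm_api_management.app.id
    subresource_names              = ["Gateway"] # the group id the error message asked for
    is_manual_connection           = false
  }

  # Writes the A record for the gateway host into the zone above, pointing at
  # the endpoint's private IP, so VNet clients never see the public address.
  private_dns_zone_group {
    name                 = "apim-dns"
    private_dns_zone_ids = [azurerm_private_dns_zone.apim.id]
  }
}

output "gateway_private_ip" {
  value = azurerm_private_endpoint.example.private_service_connection[0].private_ip_address
}
```

After `terraform apply`, a VM in the VNet should resolve the gateway hostname to the `gateway_private_ip` output; the public IP and load balancer from the answer's main.tf are not needed for this path and can be left out.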

Add custom DNS Server IP to an Azure VM NIC using Terraform

How do I point to a custom DNS IP using the Terraform ip_configuration block? Sample code is shown below; is this valid?
resource "azurerm_network_interface" "example" {
name = "example-nic"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
ip_configuration {
name = "internal"
subnet_id = azurerm_subnet.example.id
private_ip_address_allocation = "Dynamic"
dns_servers = 8.8.8.8,8.8,8.8
}
}
As per the Terraform documentation:
resource "azurerm_network_interface" "example" {
name = "example-nic"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
dns_servers = ["8.8.8.8","1.1.1.1"]
ip_configuration {
name = "internal"
subnet_id = azurerm_subnet.example.id
private_ip_address_allocation = "Dynamic"
}
}

Horde shared mailboxes

I'm trying to set up one mailbox to be shared with another one using the steps described here, but for some reason I do not see that option in my mailbox (logged in as an admin) even though I have set ACL to true in the IMP configuration.
From dovecot -n:
auth_debug = yes
auth_debug_passwords = yes
auth_master_user_separator = *
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = yes
dict {
acl = mysql:/usr/etc/dovecot/dovecot-dict-sql.conf.ext
}
disable_plaintext_auth = no
lda_mailbox_autosubscribe = yes
log_path = /var/log/dovecot.log
mail_home = mdbox:/mnt/homedirs/%2Mu/%2.2Mu/%u
mail_location = mdbox:/mnt/mailboxes/%2Mu/%2.2Mu/%u
mail_plugins = acl
mail_shared_explicit_inbox = yes
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext vnd.dovecot.pipe vnd.dovecot.filter vnd.dovecot.execute
namespace {
list = children
location = mdbox:/mnt/mailboxes/%%2Mu/%%2.2Mu/%%u
prefix = shared/%%u/
separator = /
subscriptions = yes
type = shared
}
namespace inbox {
inbox = yes
location =
mailbox Drafts {
auto = subscribe
special_use = \Drafts
}
mailbox INBOX {
auto = subscribe
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
auto = subscribe
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
auto = subscribe
special_use = \Trash
}
prefix =
separator = /
subscriptions = yes
}
passdb {
args = /usr/etc/dovecot/mastership-sql.conf
driver = sql
master = yes
pass = yes
}
passdb {
args = /usr/etc/dovecot/dovecot-sql.conf.ext
driver = sql
}
plugin {
acl = vfile
acl_defaults_from_inbox = yes
acl_shared_dict = proxy::acl
sieve_execute_socket_dir = sieve-execute
sieve_extensions = +vnd.dovecot.execute +vnd.dovecot.filter +vnd.dovecot.pipe
sieve_filter_socket_dir = sieve-filter
sieve_pipe_socket_dir = sieve-pipe
sieve_plugins = sieve_extprograms
}
service dict {
unix_listener dict {
user = dovecot
}
}
service imap-postlogin {
executable = script-login /usr/etc/dovecot/imappostlogin
user = $default_internal_user
}
service imap {
executable = imap imap-postlogin
}
ssl = no
ssl_cert = </etc/pki/tls/certs/hostname.bundle
userdb {
args = uid=dovecot gid=dovecot home=/mnt/mailboxes/%%2Mu/%%2.2Mu/%%u
driver = static
}
protocol lmtp {
mail_plugins = acl sieve
}
protocol lda {
mail_plugins = acl sieve
}
protocol imap {
mail_plugins = acl imap_acl
}
Any tips on that?
It turned out that for some reason backends.local.php shouldn't be a modified copy of backends.php. Simple: avoid the default array notation for the config and instead set it as
<?php
$servers['imap']['disabled'] = true;
$servers['advanced']['disabled'] = false;
$servers['advanced']['secure'] = 'tls';
$servers['advanced']['debug'] = '/tmp/imp_imap.log';
$servers['advanced']['debug_raw'] = true;

GCP compute_engine network interface terraform error

My terraform file looks like this:
resource "google_compute_instance" "virtual_instance" {
name = "${var.instance_name}"
machine_type = "${var.instance_type}"
zone = "${var.zone}"
lifecycle {
ignore_changes = ["boot_disk.0.initialize_params.0.image"]
}
boot_disk {
initialize_params {
image = "ubuntu-os-cloud/ubuntu-1604-lts"
size = "30"
type = "pd-standard"
}
}
network_interface {
network = "default"
access_config {}
}
attached_disk {
source = "${google_compute_disk.managed_data_disk.name}"
mode = "READ_WRITE"
}
metadata {
}
}
The above code created the instance. But when I change the network_interface block as shown below:
network_interface {
network = "${module.vpc.vpc_name}"
subnetwork = "${module.vpc.subnet_name}"
access_config {}
}
The VPC module is:
resource "google_compute_network" "vpc" {
name = "${var.name}-vpc"
auto_create_subnetworks = "false"
}
resource "google_compute_subnetwork" "subnet_public" {
name = "${var.subnet_name_public}"
ip_cidr_range = "${var.subnet_cidr_public}"
network = "${var.name}-vpc"
depends_on = ["google_compute_network.vpc"]
region = "${var.region}"
}
resource "google_compute_firewall" "firewall" {
name = "${var.name}-firewall"
network = "${google_compute_network.vpc.name}"
allow {
protocol = "icmp"
}
allow {
protocol = "tcp"
ports = ["22"]
}
source_ranges = ["0.0.0.0/0"]
}
When I change network_interface to custom values, it throws this error:
google_compute_instance.virtual_instance: Error creating network interfaces: exactly one of network or subnetwork must be provided
Please help me with this.
Advance thanks to @ydaetskcoR. If you choose custom values for network_interface, you can't mention both network and subnetwork. You choose only the subnetwork value, as shown below.
network_interface {
subnetwork = "${module.vpc.subnet_name}"
access_config {}
}
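As an added example (mine, not the asker's or the answerer's code), here is a complete module-plus-root layout that follows the answer: the VPC module exports the subnetwork's `self_link`, and the instance sets only `subnetwork`. It goes a little beyond the answer: `access_config {}` is omitted so the VM gets a private IP only, Private Google Access is enabled on the subnet so the VM can still reach Google APIs, and SSH is admitted only from Google's IAP TCP-forwarding range (35.235.240.0/20) instead of 0.0.0.0/0. Names, CIDRs, region and zone are placeholders.

```terraform
# Added example, not the question's or answer's code. Two files shown in one block.

# --- file: modules/vpc/main.tf ---
variable "name"               { default = "example" }
variable "region"             { default = "us-central1" }
variable "subnet_cidr_public" { default = "10.10.0.0/24" } # constructed placeholder

resource "google_compute_network" "vpc" {
  name                    = "${var.name}-vpc"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "subnet_public" {
  name                     = "${var.name}-subnet"
  ip_cidr_range            = var.subnet_cidr_public
  region                   = var.region
  network                  = google_compute_network.vpc.self_link # a reference, so no depends_on is needed
  private_ip_google_access = true # VMs without external IPs can still reach Google APIs
}

# SSH only from the IAP TCP-forwarding range, and only to tagged instances.
resource "google_compute_firewall" "ssh_iap" {
  name    = "${var.name}-allow-ssh-iap"
  network = google_compute_network.vpc.name
  allow {
    protocol = "tcp"
    ports    = ["22"]
  }
  source_ranges = ["35.235.240.0/20"]
  target_tags   = ["ssh-iap"]
}

# The root module consumes this; a self_link is unambiguous across regions/projects.
output "subnet_self_link" {
  value = google_compute_subnetwork.subnet_public.self_link
}

# --- file: main.tf (root module) ---
module "vpc" {
  source = "./modules/vpc"
}

resource "google_compute_instance" "virtual_instance" {
  name         = "example-instance"
  machine_type = "e2-medium"
  zone         = "us-central1-a"
  tags         = ["ssh-iap"]

  boot_disk {
    initialize_params {
      image = "ubuntu-os-cloud/ubuntu-2204-lts"
      size  = 30
      type  = "pd-standard"
    }
  }

  network_interface {
    subnetwork = module.vpc.subnet_self_link # subnetwork only; setting network as well triggers the error in the question
    # no access_config {}: the instance gets a private IP only
  }
}
```

With no `access_config`, the instance has no external address; reach it with `gcloud compute ssh --tunnel-through-iap`, which is what the firewall rule above is scoped to.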

GCE how to add external IP to existing instance at boot

I'm using Gcloud-java to manage some VM instances. The code to create a new instance is clear and is the following:
Address externalIp = compute.getAddress(addressId);
InstanceId instanceId = InstanceId.of("us-central1-a", "test-instance");
NetworkId networkId = NetworkId.of("default");
PersistentDiskConfiguration attachConfiguration =
PersistentDiskConfiguration.builder(diskId).boot(true).build();
AttachedDisk attachedDisk = AttachedDisk.of("dev0", attachConfiguration);
NetworkInterface networkInterface = NetworkInterface.builder(networkId)
.accessConfigurations(AccessConfig.of(externalIp.address()))
.build();
MachineTypeId machineTypeId = MachineTypeId.of("us-central1-a", "n1-standard-1");
InstanceInfo instance =
InstanceInfo.of(instanceId, machineTypeId, attachedDisk, networkInterface);
Operation operation = compute.create(instance);
// Wait for operation to complete
operation = operation.waitFor();
if (operation.errors() == null) {
System.out.println("Instance " + instanceId + " was successfully created");
} else {
// inspect operation.errors()
throw new RuntimeException("Instance creation failed");
}
But what should I do if I have an existing instance that I want to start, and I want to attach an external IP?
I've tried in this way: first I create a RegionAddressId and get an Address with which I create the networkInterface.
RegionAddressId addressId = RegionAddressId.of("europe-west1", "test-address");
Operation operationAdd = compute.create(AddressInfo.of(addressId));
operationAdd = operationAdd.waitFor();
Address externalIp = compute.getAddress(addressId);
NetworkId networkId = NetworkId.of("default");
NetworkInterface networkInterface = NetworkInterface.builder(networkId)
.accessConfigurations(NetworkInterface.AccessConfig.of(externalIp.address()))
.build();
Then I get my instance and add the accessConfig:
InstanceId instanceId = InstanceId.of("my-server", "europe-west1-b","my-instance");
Instance instance = compute.getInstance(instanceId);
instance.addAccessConfig("default", NetworkInterface.AccessConfig.of(externalIp.address()));
Operation operation = instance.start();
The result is that my instance is booted with another external IP that I don't know how to obtain.
What is the correct procedure?
Thanks
I've found the solution myself.
Compute compute = ComputeOptions.defaultInstance().service();
InstanceId instanceId = InstanceId.of("my-server", "europe-west1-b","my-instance");
Operation operation = compute.start(instanceId);
Operation completedOperation = operation.waitFor();
if (completedOperation == null) {
// operation no longer exists
} else if (completedOperation.errors() != null) {
// operation failed, handle error
}
Instance instance = compute.getInstance(instanceId);
String publicIp =
instance.networkInterfaces().get(0).accessConfigurations().get(0).natIp();
I start the instance using the start method of Compute and then (after the operation is completed) I get the instance