move dynamic templates from bash to terraform

joecorall · joecorall · commit a0feba286c1b · 2025-11-28T09:28:40.000-05:00
diff --git a/main.tf b/main.tf
@@ -22,10 +22,43 @@ locals {
         permissions: "0644"
         content: |
           ${indent(4, file("${local.rootFs}/${file}"))}
-    EOT
+EOT
   ])
+  docker_compose_scripts = join("\n", [
+    for name, cmd in {
+      "init" = var.docker_compose_init
+      "up"   = var.docker_compose_up
+      "down" = var.docker_compose_down
+    } : <<-EOT
+      - path: "/mnt/disks/data/${name}"
+        permissions: "0755"
+        content: |
+          #!/usr/bin/env bash
+
+          set -eou pipefail
+
+          echo "Running docker compose ${name}"
+          ${cmd}
+EOT
+  ])
+  env_file_content = <<-EOT
+    - path: "/home/cloud-compose/.env"
+      permissions: "0640"
+      content: |
+        HOME=/home/cloud-compose
+        GCP_PROJECT="${var.project_id}"
+        GCP_PROJECT_NUMBER="${var.project_number}"
+        GCP_INSTANCE_NAME="${var.name}"
+        GCP_REGION="${var.region}"
+        GCP_ZONE="${var.zone}"
+        DOCKER_COMPOSE_DIR=/mnt/disks/data/compose
+        DOCKER_COMPOSE_REPO="${var.docker_compose_repo}"
+        DOCKER_COMPOSE_BRANCH="${var.docker_compose_branch}"
+EOT
   cloud_init_yaml = templatefile("${path.module}/templates/cloud-init.yml", {
-    WRITE_FILES_CONTENT = local.write_files_content,
+    WRITE_FILES_CONTENT    = local.write_files_content,
+    DOCKER_COMPOSE_SCRIPTS = local.docker_compose_scripts,
+    ENV_FILE_CONTENT       = local.env_file_content,
   })
 }
 
@@ -115,16 +148,6 @@ resource "google_compute_instance" "cloud-compose" {
     google-logging-use-fluentbit = "true"
     google-monitoring-enabled    = "true"
     user-data                    = data.cloudinit_config.ci.part[0].content
-    GCP_PROJECT                  = var.project_id
-    GCP_PROJECT_NUMBER           = var.project_number
-    GCP_INSTANCE_NAME            = var.name
-    GCP_REGION                   = var.region
-    GCP_ZONE                     = var.zone
-    DOCKER_COMPOSE_REPO          = var.docker_compose_repo
-    DOCKER_COMPOSE_BRANCH        = var.docker_compose_branch
-    DOCKER_COMPOSE_INIT_CMD      = var.docker_compose_init
-    DOCKER_COMPOSE_UP_CMD        = var.docker_compose_up
-    DOCKER_COMPOSE_DOWN_CMD      = var.docker_compose_down
   }
 
   network_interface {
diff --git a/rootfs/etc/systemd/system/cloud-compose.service b/rootfs/etc/systemd/system/cloud-compose.service
@@ -1,7 +1,5 @@
 [Unit]
 Description=Docker Compose Application
-BindsTo=docker.service
-After=docker.service
 StartLimitIntervalSec=120
 StartLimitBurst=3
 
diff --git a/rootfs/etc/systemd/system/internal-services.timer b/rootfs/etc/systemd/system/internal-services.timer
@@ -2,8 +2,8 @@
 Description=Delay Internal Services until 10m after initial boot
 
 [Timer]
-OnBootSec=10min
-RuntimeMaxSec=10min
+OnBootSec=20min
+RuntimeMaxSec=20min
 Unit=internal-services.service
 
 [Install]
diff --git a/rootfs/home/cloud-compose/app-init.sh b/rootfs/home/cloud-compose/app-init.sh
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+set -eou pipefail
+
+# shellcheck disable=SC1091
+source /home/cloud-compose/profile.sh
+export HOME
+
+if [ ! -d "$DOCKER_COMPOSE_DIR" ]; then
+  echo "Directory '$DOCKER_COMPOSE_DIR' not found. Cloning repository."
+  retry_until_success git clone -b "$DOCKER_COMPOSE_BRANCH" "$DOCKER_COMPOSE_REPO" "$DOCKER_COMPOSE_DIR"
+fi
+
+pushd "$DOCKER_COMPOSE_DIR"
+retry_until_success git pull origin "$DOCKER_COMPOSE_BRANCH"
+retry_until_success /mnt/disks/data/init
+popd
diff --git a/rootfs/home/cloud-compose/app-rollout.sh b/rootfs/home/cloud-compose/app-rollout.sh
@@ -2,25 +2,31 @@
 
 set -eou pipefail
 
-pushd "$DIR"
+# shellcheck disable=SC1091
+source /home/cloud-compose/profile.sh
+
+pushd "$DOCKER_COMPOSE_DIR"
+
+retry_until_success git pull origin "$DOCKER_COMPOSE_BRANCH"
+retry_until_success docker info
 
 # Pull all images and check if any were updated
 shopt -s nullglob
 RESTART=0
-grep "image:" ./*.{yml,yaml} | awk -F': ' '{print $2}' | while read -r IMAGE; do
+while read -r IMAGE; do
     # Skip empty lines and comments
     if [ -z "$IMAGE" ] || [[ "$IMAGE" =~ ^# ]]; then
       continue
     fi
 
     current_image_id=$(docker images --format "{{.ID}}" "$IMAGE" || echo "")
-    docker pull "$IMAGE"
+    retry_until_success docker pull "$IMAGE"
     new_image_id=$(docker images --format "{{.ID}}" "$IMAGE")
 
     if [ "$current_image_id" != "$new_image_id" ]; then
       RESTART=1
     fi
-done
+done < <(grep "image:" ./*.{yml,yaml} 2>/dev/null| awk -F': ' '{print $2}')
 shopt -u nullglob
 
 if [ "$RESTART" -eq 1 ]; then
diff --git a/rootfs/home/cloud-compose/host-conf.sh b/rootfs/home/cloud-compose/host-conf.sh
@@ -2,9 +2,13 @@
 
 set -eou pipefail
 
+# block metadata server from docker and non-root
+/sbin/iptables -I FORWARD -d 169.254.169.254/32 -i docker0 -j DROP
+/sbin/iptables -A OUTPUT -m owner ! --uid-owner 0 -d 169.254.169.254/32 -p tcp --dport 80 -j DROP
+
 # restart services we've overwritten files for
 systemctl restart fluent-bit
-systemctl restart --no-block docker
+systemctl restart docker
 
 # since COS is read only FS, install docker compose/buildx in home directory
 if [ ! -f "/home/cloud-compose/.docker/cli-plugins/docker-compose" ]; then
diff --git a/rootfs/home/cloud-compose/host-init.sh b/rootfs/home/cloud-compose/host-init.sh
@@ -3,68 +3,28 @@
 set -euo pipefail
 
 cleanup() {
-  rm tmp.attr env.tmp || echo ""
+  rm tmp.attr .env.tmp || echo ""
   popd
 }
 
-# make sure out internal services dir exists
-DIR=/mnt/disks/data/libops
-if [ ! -d "$DIR" ]; then
-  mkdir "$DIR"
-fi
-cp /etc/libops/docker-compose.yaml /mnt/disks/data/libops
-
 pushd /home/cloud-compose
 
 trap cleanup EXIT
 
-if [ ! -f env ]; then
-  touch env
+if [ -f .env ]; then
+  cp .env .env.tmp
 fi
 
 curl -sf \
   -H "Metadata-Flavor: Google" \
   "http://metadata.google.internal/computeMetadata/v1/?recursive=true" > tmp.attr
 
-echo "HOME=/home/cloud-compose" > env.tmp
-for K in $(jq -r '.instance.attributes | keys | .[]' tmp.attr | grep -E '(DOCKER|GCP|LIBOPS)'); do
-  V=$(jq -r .instance.attributes."$K" tmp.attr)
-  if [[ "$V" =~ [[:space:]\$\`\\\"\'\(\)\{\}\[\]\|\&\;\<\>\*\?] ]]; then
-    echo "$K=\"$V\"" >> env.tmp
-  else
-    echo "$K=$V" >> env.tmp
-  fi
-done
-
 {
   echo "GCP_PUBLIC_IP=$(jq -r '.instance.networkInterfaces[0].accessConfigs[0].externalIp' tmp.attr)"
   echo "GCP_PRIVATE_IP=$(jq -r '.instance.networkInterfaces[0].ip' tmp.attr)"
-} >> env.tmp
+} >> .env.tmp
 
-if ! diff <(md5sum env.tmp) <(md5sum env); then
-  mv env.tmp env
-  cp env /mnt/disks/data/libops/.env
+if ! diff <(md5sum .env.tmp) <(md5sum .env); then
+  mv .env.tmp .env
+  cp .env /mnt/disks/data/libops/
 fi
-
-# shellcheck disable=SC1091
-. ./env
-
-# generate the docker compose init/up/down commands
-# used by the systemd service
-SCRIPT_DIR="/mnt/disks/data"
-declare -A SCRIPTS=(
-  ["init"]="${DOCKER_COMPOSE_INIT_CMD}"
-  ["up"]="${DOCKER_COMPOSE_UP_CMD}"
-  ["down"]="${DOCKER_COMPOSE_DOWN_CMD}"
-)
-for name in "${!SCRIPTS[@]}"; do
-  cat << EOT > "${SCRIPT_DIR}/${name}"
-#!/usr/bin/env bash
-
-set -eou pipefail
-
-echo "Running dokcer compose ${name}"
-${SCRIPTS[${name}]}
-EOT
-  chmod +x "${SCRIPT_DIR}/${name}"
-done
diff --git a/rootfs/home/cloud-compose/init-app.sh b/rootfs/home/cloud-compose/init-app.sh
diff --git a/rootfs/home/cloud-compose/profile.sh b/rootfs/home/cloud-compose/profile.sh
@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+
+# shellcheck disable=SC1091
+. /home/cloud-compose/.env
+
+DEFAULT_MAX_RETRIES=10
+DEFAULT_SLEEP_INCREMENT=5
+
+retry_until_success() {
+    local command_to_run=("$@")
+    local MAX_RETRIES="${MAX_RETRIES:-$DEFAULT_MAX_RETRIES}"
+    local SLEEP_INCREMENT="${SLEEP_INCREMENT:-$DEFAULT_SLEEP_INCREMENT}"
+    local RETRIES=0
+
+    while true; do
+        timeout 300 "${command_to_run[@]}"
+        local exit_code=$?
+
+        if [ "$exit_code" -eq 0 ]; then
+            return 0
+        fi
+
+        RETRIES=$((RETRIES + 1))
+
+        if [ "$RETRIES" -ge "$MAX_RETRIES" ]; then
+            echo "FAILURE: Command '${command_to_run[*]}' failed after $MAX_RETRIES attempts (Last exit code: $exit_code)." >&2
+            return 1
+        fi
+
+        local SLEEP=$(( SLEEP_INCREMENT * RETRIES ))
+        echo "Command '${command_to_run[*]}' failed (Exit code: $exit_code). Retrying in $SLEEP seconds... (Attempt $RETRIES/$MAX_RETRIES)" >&2
+        sleep "$SLEEP"
+    done
+}
diff --git a/rootfs/home/cloud-compose/rotate-keys-app.sh b/rootfs/home/cloud-compose/rotate-keys-app.sh
@@ -5,15 +5,15 @@ set -eou pipefail
 pushd /home/cloud-compose
 
 # shellcheck disable=SC1091
-. ./env
+source /home/cloud-compose/profile.sh
 
-if [ -d /mnt/disks/data/compose/secrets ]; then
+if [ -d "$DOCKER_COMPOSE_DIR/secrets" ]; then
   exit 0
 fi
 
 bash rotate-keys.sh \
     "$GCP_INSTANCE_NAME@$GCP_PROJECT.iam.gserviceaccount.com" \
     "$GCP_PROJECT" \
-    /mnt/disks/data/compose/secrets/GOOGLE_APPLICATION_CREDENTIALS
+    "$DOCKER_COMPOSE_DIR/secrets/GOOGLE_APPLICATION_CREDENTIALS"
 
 popd
diff --git a/rootfs/home/cloud-compose/rotate-keys-internal.sh b/rootfs/home/cloud-compose/rotate-keys-internal.sh
@@ -5,7 +5,7 @@ set -eou pipefail
 pushd /home/cloud-compose
 
 # shellcheck disable=SC1091
-. ./env
+source /home/cloud-compose/profile.sh
 
 bash rotate-keys.sh \
     "internal-services-$GCP_INSTANCE_NAME@$GCP_PROJECT.iam.gserviceaccount.com" \
diff --git a/rootfs/home/cloud-compose/run.sh b/rootfs/home/cloud-compose/run.sh
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+set -eou pipefail
+set -x
+
+# shellcheck disable=SC1091
+source /home/cloud-compose/profile.sh
+
+bash /home/cloud-compose/host-conf.sh
+bash /home/cloud-compose/host-init.sh
+bash /home/cloud-compose/app-init.sh
+
+systemctl start cloud-compose
+systemctl start internal-services.timer
+systemctl start cron.timer
diff --git a/rootfs/mnt/disks/data/libops/docker-compose.yaml b/rootfs/mnt/disks/data/libops/docker-compose.yaml
@@ -1,7 +1,7 @@
 networks:
   internal:
 services:
-  libops-lightsout:
+  lightsout:
     image: ghcr.io/libops/lightsout:main@sha256:4d38ac380c86514d72efbcce0af9ea8ffd7ff86e97abea3d0b3c946cf204eaae
     ports:
       - "8808:8808"
@@ -18,7 +18,7 @@ services:
       - /var/run/docker.sock:/var/run/docker.sock:ro
       - /mnt/disks/data:/mnt/disks/data
       - ./GOOGLE_APPLICATION_CREDENTIALS:/app/GOOGLE_APPLICATION_CREDENTIALS:r
-  libops-cadvisor:
+  cadvisor:
     image: ghcr.io/google/cadvisor:v0.53.0@sha256:c3770bd6fc6c6a9cb2b47143e6b3cc3fdd9d20a8453dffbb7e09a145e7e0c4e4
     command:
       - -disable_metrics
@@ -37,7 +37,7 @@ services:
       - /sys:/sys:ro
       - /mnt/disks/data/docker/:/var/lib/docker:ro
       - /dev/disk/:/dev/disk:ro
-  libops-cap:
+  cap:
     image: ghcr.io/libops/cap:main@sha256:e81950f30fd31dcbbe5ce024b87335aa6be4e24553df2744769267715e404364
     networks:
       - internal
@@ -46,9 +46,9 @@ services:
       GCP_PROJECT: ${GCP_PROJECT}
       GCP_ZONE: ${GCP_ZONE}
       GCP_INSTANCE_NAME: ${GCP_INSTANCE_NAME}
-      CADVISOR_HOST: "libops-cadvisor:8080"
+      CADVISOR_HOST: "cadvisor:8080"
       GOOGLE_APPLICATION_CREDENTIALS: /app/GOOGLE_APPLICATION_CREDENTIALS
     volumes:
       - ./GOOGLE_APPLICATION_CREDENTIALS:/app/GOOGLE_APPLICATION_CREDENTIALS:r
     depends_on:
-      - libops-cadvisor
+      - cadvisor
diff --git a/templates/cloud-init.yml b/templates/cloud-init.yml
@@ -12,13 +12,8 @@ bootcmd:
 
 write_files:
 ${WRITE_FILES_CONTENT}
+${DOCKER_COMPOSE_SCRIPTS}
+${ENV_FILE_CONTENT}
 
 runcmd:
-# block metadata server from docker and non-root
-- /sbin/iptables -I FORWARD -d 169.254.169.254/32 -i docker0 -j DROP
-- /sbin/iptables -A OUTPUT -m owner ! --uid-owner 0 -d 169.254.169.254/32 -p tcp --dport 80 -j DROP
-- bash /home/cloud-compose/host-conf.sh
-- bash /home/cloud-compose/host-init.sh
-- bash /home/cloud-compose/init-app.sh
-- systemctl start internal-services.timer
-- systemctl start cron.timer
+- bash -lx /home/cloud-compose/run.sh > /home/cloud-compose/run.log 2>&1
