Vengala Vinay

Having 12+ Years of Experience in Software Development

Home » Infrastructure as Code: Provisioning Secure Perl Clusters on OVH Using Terraform

Infrastructure as Code: Provisioning Secure Perl Clusters on OVH Using Terraform

OVH Provider Configuration for Terraform

To provision resources on OVHcloud using Terraform, we first need to configure the OVH provider. This involves obtaining API credentials and specifying them in your Terraform configuration. OVH provides two main API endpoints: one for the European region (EU) and one for North America (US). Ensure you select the correct endpoint based on your desired deployment region.

You’ll need to create an application within the OVHcloud Control Panel to generate an Application Key, Secret, and Consumer Key. For security best practices, it’s highly recommended to use environment variables or a dedicated secrets management system rather than hardcoding these credentials directly into your Terraform files.

Terraform Provider Block Example

Here’s a typical `provider` block for the OVH provider. Replace placeholders with your actual credentials and chosen region.

# main.tf

terraform {
  required_providers {
    ovh = {
      source  = "ovh/ovh"
      version = "~> 1.0" # Specify a version constraint
    }
  }
}

provider "ovh" {
  endpoint = "ovh-eu" # or "ovh-us" for North America
  application_key    = var.ovh_application_key
  application_secret = var.ovh_application_secret
  consumer_key       = var.ovh_consumer_key
}

variable "ovh_application_key" {
  description = "OVH Application Key"
  type        = string
  sensitive   = true
}

variable "ovh_application_secret" {
  description = "OVH Application Secret"
  type        = string
  sensitive   = true
}

variable "ovh_consumer_key" {
  description = "OVH Consumer Key"
  type        = string
  sensitive   = true
}

You can then set these variables via environment variables:

export TF_VAR_ovh_application_key="YOUR_APP_KEY"
export TF_VAR_ovh_application_secret="YOUR_APP_SECRET"
export TF_VAR_ovh_consumer_key="YOUR_CONSUMER_KEY"

Provisioning a Bare Metal Server for Perl

For a Perl cluster, we’ll likely start with bare metal servers to have full control over the environment. The OVH provider allows us to define and manage these servers. We’ll focus on creating a server instance, attaching a public IP, and configuring basic network settings.

Server Resource Definition

The `ovh_baremetal_server` resource is used to provision a new dedicated server. Key parameters include the `name`, `plan_code` (which defines the hardware configuration), `region`, and `os` (operating system). For a Perl environment, a Linux distribution like Ubuntu or CentOS is a common choice.

# servers.tf

resource "ovh_baremetal_server" "perl_node" {
  name        = "perl-cluster-node-01"
  plan_code   = "xxs-128" # Example plan code, consult OVH for available plans
  region      = "GRA"     # Example region code (Gravelines, France)
  os          = "ubuntu2004lts"
  ssh_key_name = "my-terraform-key" # Ensure this SSH key is uploaded to your OVH account
  install_default_ssh_key = false # Set to true if you want OVH to generate a key
  boot_id = 1 # Typically 1 for the primary disk
}

To find available `plan_code` values, you can use the OVH API or consult their documentation. Similarly, `region` codes are specific to OVH. The `ssh_key_name` refers to an SSH public key you’ve already uploaded to your OVH account for secure access.

Public IP Address Assignment

Each server needs a public IP address for external access. We can use the `ovh_public_cloud_project_ip_loadbalancer` resource to reserve a floating IP and then associate it with our bare metal server.

# networking.tf

resource "ovh_public_cloud_project_ip_loadbalancer" "perl_node_ip" {
  service_name = "your-public-cloud-service-name" # Replace with your Public Cloud service name
  region       = ovh_baremetal_server.perl_node.region
  description  = "Floating IP for Perl cluster node 01"
}

resource "ovh_baremetal_network_interface" "perl_node_nic" {
  server_id = ovh_baremetal_server.perl_node.id
  ip_address = ovh_public_cloud_project_ip_loadbalancer.perl_node_ip.ip
  # You might need to specify network_id if you have custom network configurations
}

output "perl_node_public_ip" {
  description = "The public IP address of the Perl cluster node."
  value       = ovh_public_cloud_project_ip_loadbalancer.perl_node_ip.ip
}

Note: The `ovh_public_cloud_project_ip_loadbalancer` resource is typically used for Public Cloud instances. For bare metal, you might use `ovh_ip_reverse` and `ovh_ip_service` to manage IPs. The example above assumes a Public Cloud context for IP management, which might need adjustment for pure bare metal IP provisioning. A more direct approach for bare metal might involve ordering an IP block and then assigning IPs from it.

Securing the Perl Cluster Nodes

Security is paramount. We’ll implement basic security measures including firewall rules and user management.

Firewall Configuration

OVH provides a robust firewall service. We can define rules to allow only necessary traffic, such as SSH (port 22), HTTP/HTTPS (ports 80/443), and any specific ports your Perl applications will use.

# firewall.tf

resource "ovh_ip_firewall" "perl_node_fw" {
  ip_address = ovh_public_cloud_project_ip_loadbalancer.perl_node_ip.ip # Or the IP assigned to the bare metal server
  depends_on = [ovh_baremetal_network_interface.perl_node_nic]
}

resource "ovh_ip_firewall_rule" "allow_ssh" {
  firewall_id = ovh_ip_firewall.perl_node_fw.id
  action      = "allow"
  protocol    = "tcp"
  destination_port = "22"
  source      = "0.0.0.0/0" # Restrict this to trusted IPs in production
}

resource "ovh_ip_firewall_rule" "allow_http" {
  firewall_id = ovh_ip_firewall.perl_node_fw.id
  action      = "allow"
  protocol    = "tcp"
  destination_port = "80"
  source      = "0.0.0.0/0"
}

resource "ovh_ip_firewall_rule" "allow_https" {
  firewall_id = ovh_ip_firewall.perl_node_fw.id
  action      = "allow"
  protocol    = "tcp"
  destination_port = "443"
  source      = "0.0.0.0/0"
}

# Add rules for your specific Perl application ports
# resource "ovh_ip_firewall_rule" "allow_perl_app" {
#   firewall_id = ovh_ip_firewall.perl_node_fw.id
#   action      = "allow"
#   protocol    = "tcp"
#   destination_port = "8080" # Example application port
#   source      = "0.0.0.0/0"
# }

resource "ovh_ip_firewall_rule" "deny_all_other" {
  firewall_id = ovh_ip_firewall.perl_node_fw.id
  action      = "deny"
  protocol    = "tcp"
  destination_port = "1-65535"
  source      = "0.0.0.0/0"
  # This rule should be last to deny all other traffic not explicitly allowed
  # Terraform applies rules in the order they are defined, so ensure this is placed correctly
  # or use explicit ordering if necessary.
}

It is crucial to replace 0.0.0.0/0 with specific IP ranges or individual IPs that are authorized to access your servers for enhanced security. The order of rules matters; a deny-all rule should typically be the last one.

Automating Perl Installation and Configuration

Once the infrastructure is provisioned, we need to install and configure Perl and its dependencies. Terraform can leverage `user_data` for cloud-init scripts or integrate with configuration management tools like Ansible, Chef, or Puppet. For simplicity in this example, we’ll use a `remote-exec` provisioner to run commands over SSH.

Using `remote-exec` Provisioner

The `remote-exec` provisioner allows you to run arbitrary scripts on a newly created resource. This is suitable for initial setup but less ideal for ongoing configuration management compared to dedicated tools.

# provisioners.tf

resource "null_resource" "configure_perl_node" {
  count = 1 # Apply this to one node for demonstration

  triggers = {
    server_ip = ovh_public_cloud_project_ip_loadbalancer.perl_node_ip.ip
  }

  connection {
    type        = "ssh"
    user        = "root" # Or a sudo-enabled user
    private_key = file("~/.ssh/id_rsa") # Path to your private SSH key
    host        = self.triggers.server_ip
  }

  provisioner "remote-exec" {
    inline = [
      "echo 'Updating package lists...'",
      "apt-get update -y",
      "echo 'Installing Perl and essential packages...'",
      "apt-get install -y perl libapache2-mod-perl2 libdbd-mysql perlmagick", # Example packages
      "echo 'Configuring Apache for Perl (mod_perl)...'",
      "a2enmod perl",
      "systemctl restart apache2",
      "echo 'Perl installation and basic configuration complete.'"
    ]
  }

  depends_on = [
    ovh_baremetal_server.perl_node,
    ovh_baremetal_network_interface.perl_node_nic
  ]
}

In this `null_resource`, we define a connection block to establish an SSH connection to the provisioned server using its public IP. The `remote-exec` provisioner then executes a series of shell commands to update the package list, install Perl and common modules (like `libapache2-mod-perl2` for web applications), enable Apache’s Perl module, and restart the web server. Remember to adjust the `private_key` path and the list of installed packages according to your specific needs.

Orchestrating Multiple Nodes for a Cluster

For a true cluster, you’ll need multiple nodes. Terraform’s `count` meta-argument or `for_each` can be used to create multiple instances of resources. We’ll demonstrate using `count` for simplicity.

# main.tf (updated)

variable "node_count" {
  description = "Number of Perl cluster nodes to provision."
  type        = number
  default     = 3
}

# ... (provider configuration remains the same) ...

resource "ovh_baremetal_server" "perl_node" {
  count       = var.node_count
  name        = "perl-cluster-node-${count.index + 1}"
  plan_code   = "xxs-128"
  region      = "GRA"
  os          = "ubuntu2004lts"
  ssh_key_name = "my-terraform-key"
  install_default_ssh_key = false
  boot_id = 1
}

resource "ovh_public_cloud_project_ip_loadbalancer" "perl_node_ip" {
  count        = var.node_count
  service_name = "your-public-cloud-service-name"
  region       = ovh_baremetal_server.perl_node[count.index].region
  description  = "Floating IP for Perl cluster node ${count.index + 1}"
}

resource "ovh_baremetal_network_interface" "perl_node_nic" {
  count      = var.node_count
  server_id  = ovh_baremetal_server.perl_node[count.index].id
  ip_address = ovh_public_cloud_project_ip_loadbalancer.perl_node_ip[count.index].ip
}

resource "null_resource" "configure_perl_node" {
  count = var.node_count

  triggers = {
    server_ip = ovh_public_cloud_project_ip_loadbalancer.perl_node_ip[count.index].ip
  }

  connection {
    type        = "ssh"
    user        = "root"
    private_key = file("~/.ssh/id_rsa")
    host        = self.triggers.server_ip
  }

  provisioner "remote-exec" {
    inline = [
      "echo 'Updating package lists on node ${count.index + 1}...'",
      "apt-get update -y",
      "echo 'Installing Perl and essential packages on node ${count.index + 1}...'",
      "apt-get install -y perl libapache2-mod-perl2 libdbd-mysql perlmagick",
      "echo 'Configuring Apache for Perl (mod_perl) on node ${count.index + 1}...'",
      "a2enmod perl",
      "systemctl restart apache2",
      "echo 'Perl installation and basic configuration complete on node ${count.index + 1}.'"
    ]
  }

  depends_on = [
    ovh_baremetal_server.perl_node,
    ovh_baremetal_network_interface.perl_node_nic
  ]
}

output "perl_node_public_ips" {
  description = "The public IP addresses of the Perl cluster nodes."
  value       = [for ip in ovh_public_cloud_project_ip_loadbalancer.perl_node_ip : ip.ip]
}

By using `count = var.node_count`, we instruct Terraform to create `var.node_count` instances of each resource. Inside the resource blocks, `count.index` is used to differentiate between the instances (e.g., `perl-cluster-node-1`, `perl-cluster-node-2`). The `connection` block within the `null_resource` will automatically target the correct IP address for each node due to the `self.triggers.server_ip` referencing the IP of the current instance being provisioned.

Next Steps and Considerations

This setup provides a foundation for a secure Perl cluster on OVHcloud. For a production-ready environment, consider the following:

  • Load Balancing: Implement a load balancer (e.g., HAProxy, or OVH’s own load balancing services) to distribute traffic across your Perl nodes.
  • Database Management: Provision and configure a managed database service (like OVH’s Managed Databases) or a dedicated database server.
  • State Management: Configure a remote backend for Terraform state (e.g., S3, Terraform Cloud) for collaborative and robust state management.
  • Secrets Management: Integrate with a dedicated secrets manager (e.g., HashiCorp Vault, AWS Secrets Manager) for API keys and sensitive data.
  • Monitoring and Logging: Set up comprehensive monitoring and centralized logging for your cluster.
  • CI/CD Integration: Integrate your Terraform configurations into a CI/CD pipeline for automated deployments and updates.
  • Configuration Drift: Regularly run `terraform plan` and `terraform apply` to detect and correct any configuration drift.
  • Advanced Networking: For more complex setups, explore OVH’s advanced networking features like VPCs and dedicated network segments.

By leveraging Infrastructure as Code with Terraform, you can reliably and repeatably provision, manage, and scale your Perl clusters on OVHcloud, ensuring consistency and security across your deployments.

Recent Posts

Top Categories

Our Products

Our Services