28 lines
1.4 KiB
Markdown
# Terraform K3s Master Scaffold
## Purpose
This module provisions K3s control-plane virtual machines on vSphere. It only includes the provider bootstrap today; VM resources and data sources are added in future iterations.
## Required Inputs
| Variable | Description |
| --- | --- |
| `vsphere_user` / `vsphere_password` | Service account stored in CI secrets (never commit plaintext). |
| `vsphere_server` | vCenter hostname or IP. |
| `datacenter`, `cluster`, `resource_pool` | Target placement scope. |
| `datastore` | Datastore or datastore cluster for disks. |
| `template` | Hardened golden image for K3s masters. |
| `network` | Portgroup for primary NIC. |
| `vm_count`, `vm_cpu`, `vm_memory_mb` | Control-plane sizing knobs. |
| `tags` | Optional key/value metadata for governance. |
## Security Notes
- Inject credentials via Terraform Cloud/Enterprise variables, Vault, or Gitea Actions secrets.
- Rotate the vSphere service account per security policy; constrain RBAC to cloning and tagging only.
- Validate SSL certificates where possible; set `allow_unverified_ssl` only for lab use.
- Store generated Terraform state in a remote backend with encryption-at-rest (e.g., Consul, S3-compatible).
## Next Steps
1. Wire vSphere data sources (datacenter, datastore, network).
2. Define `vsphere_virtual_machine` resources aligned with K3s sizing guidance.
3. Emit provisioning outputs consumed by Ansible inventory generation.