refact: use new module variables

- Clean variables
- Use TF 12 syntaxes
- Fix TF cycle

main.tf

@@ -1,5 +1,14 @@
 terraform {
   required_version = "~> 0.12"
+  required_providers {
+    cloudflare = "~> 2.1"
+    hcloud     = "~> 1.15"
+    http       = "~> 1.1"
+    local      = "~> 1.4"
+    null       = "~> 2.1"
+    random     = "~> 2.2"
+    template   = "~> 2.1"
+  }
 }
 
 resource "random_password" "k3s_cluster_secret" {

master.tf

@@ -1,42 +1,18 @@
 locals {
-  # Generates the master public IP address
-  master_host = lookup(var.master_node.connection, "host", var.master_node.ip)
-
-  # Generates custom TLS Subject Alternative Name for the cluster
-  tls_san_values = distinct(
-    concat(
-      [var.master_node.ip, local.master_host],
-      var.additional_tls_san
-    )
-  )
-  tls_san_opts = "--tls-san ${join(" --tls-san ", local.tls_san_values)}"
-
-  # Generates the master installation arguments
-  master_install_arg_list = concat(
-    [
-      "--node-ip ${var.master_node.ip}",
-      "--cluster-domain ${var.cluster_name}",
-      "--cluster-cidr ${var.cluster_cidr}",
-      "--service-cidr ${var.cluster_service_cidr}",
-      local.tls_san_opts,
-    ],
-    var.additional_flags.master,
-    var.additional_flags.common,
-  )
-  master_install_args = join(" ", local.master_install_arg_list)
-
-  # Generates the master installation env vars
-  master_install_env_list = [
-    "INSTALL_K3S_VERSION=${local.k3s_version}",
-    "K3S_CLUSTER_SECRET=${random_password.k3s_cluster_secret.result}"
+  master_default_flags = [
+    "--node-ip ${var.master_node.ip}",
+    "--node-name ${var.master_node.name}",
+    "--cluster-domain ${var.cluster_name}",
+    "--cluster-cidr ${var.cluster_cidr.pods}",
+    "--service-cidr ${var.cluster_cidr.services}",
+    "--token ${random_password.k3s_cluster_secret.result}",
   ]
-  master_install_envs = join(" ", local.master_install_env_list)
+  master_install_flags = join(" ", concat(var.additional_flags.master, local.master_default_flags))
 }
 
-resource "null_resource" "k3s_master" {
+resource null_resource k3s_master {
   triggers = {
-    master_ip    = sha1(var.master_node.ip)
-    install_args = sha1(local.master_install_args)
+    install_args = sha1(local.master_install_flags)
   }
 
   connection {
@@ -55,11 +31,10 @@ resource "null_resource" "k3s_master" {
     agent_identity = lookup(var.master_node.connection, "agent_identity", null)
     host_key       = lookup(var.master_node.connection, "host_key", null)
 
-    # NOTE: Currently not working on Windows machines
-    # https    = lookup(var.master_node.connection, "https", null)
-    # insecure = lookup(var.master_node.connection, "insecure", null)
-    # use_ntlm = lookup(var.master_node.connection, "use_ntlm", null)
-    # cacert   = lookup(var.master_node.connection, "cacert", null)
+    https    = lookup(var.master_node.connection, "https", null)
+    insecure = lookup(var.master_node.connection, "insecure", null)
+    use_ntlm = lookup(var.master_node.connection, "use_ntlm", null)
+    cacert   = lookup(var.master_node.connection, "cacert", null)
 
     bastion_host        = lookup(var.master_node.connection, "bastion_host", null)
     bastion_host_key    = lookup(var.master_node.connection, "bastion_host_key", null)
@@ -71,14 +46,14 @@ resource "null_resource" "k3s_master" {
   }
 
   # Check if curl is installed
-  provisioner "remote-exec" {
+  provisioner remote-exec {
     inline = [
       "if ! command -V curl > /dev/null; then echo >&2 '[ERROR] curl must be installed to continue...'; exit 127; fi",
     ]
   }
 
   # Remove old k3s installation
-  provisioner "remote-exec" {
+  provisioner remote-exec {
     inline = [
       "if ! command -V k3s-uninstall.sh > /dev/null; then exit; fi",
       "echo >&2 [WARN] K3S seems already installed on this node and will be uninstalled.",
@@ -87,12 +62,13 @@ resource "null_resource" "k3s_master" {
   }
 }
 
-resource "null_resource" "k3s_master_installer" {
+resource null_resource k3s_master_installer {
   triggers = {
     master_init = null_resource.k3s_master.id
     version     = local.k3s_version
   }
-  depends_on = [null_resource.k3s_master]
+  depends_on = [
+  null_resource.k3s_master]
 
   connection {
     type = lookup(var.master_node.connection, "type", "ssh")
@@ -110,11 +86,10 @@ resource "null_resource" "k3s_master_installer" {
     agent_identity = lookup(var.master_node.connection, "agent_identity", null)
     host_key       = lookup(var.master_node.connection, "host_key", null)
 
-    # NOTE: Currently not working on Windows machines
-    # https    = lookup(var.master_node.connection, "https", null)
-    # insecure = lookup(var.master_node.connection, "insecure", null)
-    # use_ntlm = lookup(var.master_node.connection, "use_ntlm", null)
-    # cacert   = lookup(var.master_node.connection, "cacert", null)
+    https    = lookup(var.master_node.connection, "https", null)
+    insecure = lookup(var.master_node.connection, "insecure", null)
+    use_ntlm = lookup(var.master_node.connection, "use_ntlm", null)
+    cacert   = lookup(var.master_node.connection, "cacert", null)
 
     bastion_host        = lookup(var.master_node.connection, "bastion_host", null)
     bastion_host_key    = lookup(var.master_node.connection, "bastion_host_key", null)
@@ -128,7 +103,7 @@ resource "null_resource" "k3s_master_installer" {
   # Install K3S server
   provisioner "remote-exec" {
     inline = [
-      "curl -sfL https://get.k3s.io | ${local.master_install_envs} sh -s - ${local.master_install_args}",
+      "curl -sfL https://get.k3s.io | INSTALL_K3S_VERSION=${local.k3s_version} sh -s - ${local.master_install_flags}",
       "until kubectl get nodes | grep -v '[WARN] No resources found'; do sleep 1; done"
     ]
   }

minions.tf

@@ -1,26 +1,21 @@
 locals {
-  minion_install_arg_list = concat(
-    var.additional_flags.minion,
-    var.additional_flags.common,
-  )
-  minion_install_args = join(" ", local.minion_install_arg_list)
-
-  minion_install_env_list = [
-    "INSTALL_K3S_VERSION=${local.k3s_version}",
-    "K3S_URL=https://${var.master_node.ip}:6443",
-    "K3S_CLUSTER_SECRET=${random_password.k3s_cluster_secret.result}"
+  minion_default_flags = [
+    "--server https://${var.master_node.ip}:6443",
+    "--token ${random_password.k3s_cluster_secret.result}"
   ]
-  minion_install_envs = join(" ", local.minion_install_env_list)
+  minion_install_flags = join(" ", concat(var.additional_flags.minion, local.minion_default_flags))
 }
 
-resource "null_resource" "k3s_minions" {
+resource null_resource k3s_minions {
   for_each = var.minion_nodes
 
   triggers = {
-    master    = null_resource.k3s_master.id
-    minion_ip = each.value.ip
+    master_init  = null_resource.k3s_master.id
+    install_args = sha1(local.minion_install_flags)
+    minion_ip    = each.value.ip
   }
-  depends_on = [null_resource.k3s_master_installer]
+  depends_on = [
+  null_resource.k3s_master_installer]
 
   connection {
     type = lookup(each.value.connection, "type", "ssh")
@@ -38,11 +33,10 @@ resource "null_resource" "k3s_minions" {
     agent_identity = lookup(each.value.connection, "agent_identity", null)
     host_key       = lookup(each.value.connection, "host_key", null)
 
-    # NOTE: Currently not working on Windows machines
-    # https    = lookup(each.value.connection, "https", null)
-    # insecure = lookup(each.value.connection, "insecure", null)
-    # use_ntlm = lookup(each.value.connection, "use_ntlm", null)
-    # cacert   = lookup(each.value.connection, "cacert", null)
+    https    = lookup(each.value.connection, "https", null)
+    insecure = lookup(each.value.connection, "insecure", null)
+    use_ntlm = lookup(each.value.connection, "use_ntlm", null)
+    cacert   = lookup(each.value.connection, "cacert", null)
 
     bastion_host        = lookup(each.value.connection, "bastion_host", null)
     bastion_host_key    = lookup(each.value.connection, "bastion_host_key", null)
@@ -54,14 +48,14 @@ resource "null_resource" "k3s_minions" {
   }
 
   # Check if curl is installed
-  provisioner "remote-exec" {
+  provisioner remote-exec {
     inline = [
       "if ! command -V curl > /dev/null; then echo >&2 '[ERROR] curl must be installed to continue...'; exit 127; fi",
     ]
   }
 
   # Remove old k3s installation
-  provisioner "remote-exec" {
+  provisioner remote-exec {
     inline = [
       "if ! command -V k3s-agent-uninstall.sh > /dev/null; then exit; fi",
       "echo >&2 [WARN] K3S seems already installed on this node and will be uninstalled.",
@@ -70,12 +64,13 @@ resource "null_resource" "k3s_minions" {
   }
 }
 
-resource "null_resource" "k3s_minions_installer" {
+resource null_resource k3s_minions_installer {
   for_each = var.minion_nodes
 
   triggers = {
-    master = null_resource.k3s_master_installer.id
-    minion = null_resource.k3s_minions[each.key].id
+    master_install = null_resource.k3s_master_installer.id
+    minion_init    = null_resource.k3s_minions[each.key].id
+    version        = local.k3s_version
   }
 
   connection {
@@ -94,11 +89,10 @@ resource "null_resource" "k3s_minions_installer" {
     agent_identity = lookup(each.value.connection, "agent_identity", null)
     host_key       = lookup(each.value.connection, "host_key", null)
 
-    # NOTE: Currently not working on Windows machines
-    # https    = lookup(each.value.connection, "https", null)
-    # insecure = lookup(each.value.connection, "insecure", null)
-    # use_ntlm = lookup(each.value.connection, "use_ntlm", null)
-    # cacert   = lookup(each.value.connection, "cacert", null)
+    https    = lookup(each.value.connection, "https", null)
+    insecure = lookup(each.value.connection, "insecure", null)
+    use_ntlm = lookup(each.value.connection, "use_ntlm", null)
+    cacert   = lookup(each.value.connection, "cacert", null)
 
     bastion_host        = lookup(each.value.connection, "bastion_host", null)
     bastion_host_key    = lookup(each.value.connection, "bastion_host_key", null)
@@ -110,18 +104,18 @@ resource "null_resource" "k3s_minions_installer" {
   }
 
   # Install K3S agent
-  provisioner "remote-exec" {
+  provisioner remote-exec {
     inline = [
-      "curl -sfL https://get.k3s.io | ${local.minion_install_envs} sh -s - --node-ip ${each.value.ip} ${local.minion_install_args}"
+      "curl -sfL https://get.k3s.io | INSTALL_K3S_VERSION=${local.k3s_version} INSTALL_K3S_EXEC=agent sh -s - ${local.minion_install_flags} --node-ip ${each.value.ip} --node-name ${each.key}"
     ]
   }
 }
 
-resource "null_resource" "k3s_minions_uninstaller" {
+resource null_resource k3s_minions_uninstaller {
   for_each = var.minion_nodes
 
   triggers = {
-    minion = null_resource.k3s_minions[each.key].id
+    minion_install = null_resource.k3s_minions_installer[each.key].id
   }
 
   connection {
@@ -140,11 +134,10 @@ resource "null_resource" "k3s_minions_uninstaller" {
     agent_identity = lookup(var.master_node.connection, "agent_identity", null)
     host_key       = lookup(var.master_node.connection, "host_key", null)
 
-    # NOTE: Currently not working on Windows machines
-    # https    = lookup(var.master_node.connection, "https", null)
-    # insecure = lookup(var.master_node.connection, "insecure", null)
-    # use_ntlm = lookup(var.master_node.connection, "use_ntlm", null)
-    # cacert   = lookup(var.master_node.connection, "cacert", null)
+    https    = lookup(var.master_node.connection, "https", null)
+    insecure = lookup(var.master_node.connection, "insecure", null)
+    use_ntlm = lookup(var.master_node.connection, "use_ntlm", null)
+    cacert   = lookup(var.master_node.connection, "cacert", null)
 
     bastion_host        = lookup(var.master_node.connection, "bastion_host", null)
     bastion_host_key    = lookup(var.master_node.connection, "bastion_host_key", null)
@@ -156,13 +149,12 @@ resource "null_resource" "k3s_minions_uninstaller" {
   }
 
   # Drain and delete the removed node
-  provisioner "remote-exec" {
+  provisioner remote-exec {
     when = destroy
     inline = [
-      "NODE=$(kubectl get node -l 'k3s.io/internal-ip = ${null_resource.k3s_minions[each.key].triggers.minion_ip}' | tail -n 1 | awk '{printf $1}')",
-      "kubectl drain $${NODE} --force --delete-local-data --ignore-daemonsets --timeout ${var.drain_timeout}",
-      "kubectl delete node $${NODE}",
-      "sed -i \"/$${NODE}$/d\" /var/lib/rancher/k3s/server/cred/node-passwd",
+      "kubectl drain ${each.key} --force --delete-local-data --ignore-daemonsets --timeout ${var.drain_timeout}",
+      "kubectl delete node ${each.key}",
+      "sed -i \"/${each.key}$/d\" /var/lib/rancher/k3s/server/cred/node-passwd",
     ]
   }
 }

variables.tf

@@ -1,63 +1,56 @@
-variable "k3s_version" {
+variable k3s_version {
   description = "Specify the k3s version."
   type        = string
   default     = "latest"
 }
 
-variable "cluster_name" {
-  description = "K3s cluster domain (see --cluster-domain)."
+variable cluster_name {
+  description = "K3s cluster domain name (see https://rancher.com/docs/k3s/latest/en/installation/install-options/)."
   type        = string
   default     = "cluster.local"
 }
 
-variable "cluster_cidr" {
-  description = "Network CIDR to use for pod IPs (see --cluster-cidr)."
-  type        = string
-  default     = "10.42.0.0/16"
-}
-
-variable "cluster_service_cidr" {
-  description = "Network CIDR to use for services IPs (see --service-cidr)."
-  type        = string
-  default     = "10.43.0.0/16"
-}
-
-variable "additional_tls_san" {
-  description = "Add additional hostname or IP as a Subject Alternative Name in the TLS cert (see --tls-san)."
-  type        = list(string)
-  default     = []
+variable cluster_cidr {
+  description = "K3s network CIDRs (see https://rancher.com/docs/k3s/latest/en/installation/install-options/)."
+  type = object({
+    pods     = string
+    services = string
+  })
+  default = {
+    pods     = "10.42.0.0/16"
+    services = "10.43.0.0/16"
+  }
 }
 
-variable "additional_flags" {
+variable additional_flags {
   description = "Add additional flags during the k3s installation (see https://rancher.com/docs/k3s/latest/en/installation/install-options/)."
   type = object({
     master = list(string)
     minion = list(string)
-    common = list(string)
   })
   default = {
     master = []
     minion = []
-    common = []
   }
 }
 
-variable "master_node" {
-  description = "Configuration of the K3S master node."
+variable drain_timeout {
+  description = "The length of time to wait before giving up the node draining. Infinite by default."
+  type        = string
+  default     = "0s"
+}
+
+variable master_node {
+  description = "K3s master node definition."
   type = object({
+    name       = string
     ip         = string
     connection = map(any)
   })
 }
 
-variable "drain_timeout" {
-  description = "The length of time to wait before giving up the node draining. Infinite by default."
-  type        = string
-  default     = "0s"
-}
-
-variable "minion_nodes" {
-  description = "List of minion configuration nodes."
+variable minion_nodes {
+  description = "K3s minion nodes definitions. The name in this section has no effect on the node name (hostname by default). Use --node-name flags if you want to change the node name"
   type = map(object({
     ip         = string
     connection = map(any)