Self Service - Template Registry¶
Reading time: 5 minutes
Terraform configurations held in VCS repositories can be added to the Scalr Template Registry to provide self service deployment.
Users can make requests for infrastructure via dynamically created request forms based on the input variables in the configuration. Scalr automatically creates a workspace for the user and runs the configuration to deploy the infrastructure.
Input controls can be added to the Terraform configuration to constrain the values users can enter and to provide drop down based selections on the request form.
To use the template registry it is necessary to create a VCS provider if this has not already been done.
Note
Terraform configurations used in the registry can make use of Cloud Credentials to inject provider credentials into the workspaces.
Registering a Template¶
Template Registry is accessed in environments (blue).
Go to “Template Registry”, and click on “Management”:
Click on “New Template” and enter the information for the VCS provider, branch and directory where the Terraform configuration is stored
Set “Track” as required
Click “Save & Fetch”. Scalr will now fetch the Terraform configuration metadata from the VCS provider and the status will go to “Active” within a few seconds.
The Template Registry form will automatically create, any Terraform variables will be presented as inputs in the form.
Template Registry Request¶
Go to “Template Registry”, and click on “Request”:
Select an item, click “Request” and enter values for all required inputs and click “Deploy”.
The workspace page is displayed where the progress of the deployment can be tracked.
Input Controls¶
Input controls restrict the values a user can enter on the request form and provide drop down lists that simplify the request process.
Input controls are implemented using Scalr Policies. These are mapped to the input variables in the configuration by adding an additional HCL file to the repository called scalr-module.hcl
Scalr Policies¶
Not to be confused with OPA policies, the Scalr policies are a library of pre-defined policies for the major cloud providers. These policies enable the definition of custom lists of allowed values from the values offered by the cloud. This can cover things like
regions
instance_types
networks
subnets
Scalr policies can also be conditional thus allowing different settings for different Cloud Credentials, regions etc. A full list, including available conditions, is provided in the Policy Reference.
Policies are created in the account (green) within the “Policy Engine” section.
Example to create a group of AWS policies that limits the regions, instances types and more.
Click on “New Policy Group” and select “AWS” as the type:
Create the above policies “New Policy” and save.
Policy group must be linked to the environment. Click on “Environments”, “Policies”, then click on the green link on the right and save:
Now “map” the policies to the input variables in the Terraform configuration. This is done in a new file in the repository called scalr-module.hcl.
For purposes of illustration we have a config with these input variables.
variable "region" {} variable "subnet" {} variable "vpc_id" {}
Create or edit
scalr-module.hcland add the mappings with all the required conditions that match the policyversion = "v1" # Bind region to a Policy that restricts to specific cloud locations. # This acts an automatic look-up. IaCP queries the cloud api to obtain the possible values variable "region" { policy = "cloud.locations" conditions = { cloud = "ec2" } } # Bind vpc_id to a networks policy. Note the policy is region specific so this works in any region variable "vpc_id" { policy = "cloud.networks" conditions = { cloud = "ec2", cloud.location = "${var.region}" } } variable "subnet" { policy = "cloud.subnets" conditions = { cloud = "ec2", cloud.location = "${var.region}", cloud.network = "${var.vpc_id}" } }
After committing this change to the repository Scalr will automatically re-sync the template registry. The request form will now show drop down fields with the lists defined in each policy.
Policy Reference¶
Below is a list of possible cloud types with their aliases in the Scalr policy Engine.
ec2 - Amazon Web Services
gce - Google Cloud Platform
azure - Microsoft Azure
vmare - VMWare
All cloud-dependent policies require “cloud” conditions as seen below or in the example above.
Below is a list of the policy types which are supported by each cloud. The only differences are in conditions, where it is required to specify cloud-dependent values (e.g., cloud, cloud.location, etc.).
Common Policies¶
Policy |
Condition |
Required |
Condition value |
Supported TF Variable types |
|---|---|---|---|---|
cloud.instance.name.template (Sets a naming convention for instance names) |
cloud.location |
No |
Cloud location identifier |
string |
os.type |
No |
One of: [linux, windows] |
||
cloud.instance.types (Restricts instance types that can be used) |
cloud.location |
No |
Cloud location identifier |
string |
os.type |
No |
One of: [linux, windows] |
||
cloud.locations (Restricts locations that can be used on a cloud) |
string |
|||
cloud.networks (Restricts networks (VPCs, VLANs) that can be used) |
cloud.location |
ec2, openstack, otc, rackspacengus - yes, azure, gce - absent |
Cloud location identifier |
string, list |
cloud.storage.maximum_size (Sets a maximum size for storage in GB) |
cloud.location |
No |
Cloud location identifier |
number |
cloud.subnets (Restricts subnets that can be used inside networks) |
cloud.location |
Yes |
Cloud location identifier |
string, list |
cloud.network |
Yes |
Network identifier |
||
resource.group (for azure only) |
Yes |
Resource group identifier |
||
cloud.tags (Sets list of tags that will be applied to resources) |
cloud.location |
No |
Cloud location identifier |
map |
os.type |
No |
One of: [linux, windows] |
scalr-module.hcl example for a common policy type:
version = "v1"
variable "region" {
policy = "cloud.locations"
conditions = {
cloud = "ec2"
}
}
variable "vpc_id" {
policy = "cloud.networks"
conditions = {
cloud = "ec2"
cloud.location = "${var.region}"
}
}
Amazon Web Services¶
Policy |
Condition |
Required |
Condition value |
Supported TF Variable types |
|---|---|---|---|---|
aws.iam.instance_profiles (Restricts IAM instance profiles that can be applied to instances) |
string, list |
|||
aws.iam.roles (Restricts IAM Roles that can be used) |
cloud.location |
Yes |
string, list |
|
cloud.service |
Yes |
One of: [emr, lambda, applicationAutoScaling] |
||
aws.kms.keys (Restricts KMS keys available for storage encryption) |
cloud.location |
Yes |
AWS cloud location identifier |
string, list |
cloud.service |
No |
One of: [ec2, rds, efs, lamda] |
||
aws.rds.instance_types (Restricts Instance Types that can be used by RDS) |
cloud.location |
No |
AWS cloud location identifier |
string, list |
aws.rds.db_engine |
No |
One of: [mysql, oracle-se, oracle-se1, oracle-se2, sqlserver-ee, sqlserver-se, sqlserver-ex, sqlserver-web, postgres, aurora, aurora-postgresql, mariadb] |
||
cloud.resource.name.prefix (Sets a prefix for cloud resource names) |
cloud.service |
Yes |
One of: [elb, rds, s3] |
string |
cloud.location |
No |
AWS cloud location identifier |
||
cloud.security_groups (Sets or Restricts Security Groups that can be used) |
cloud.location |
No (Required with cloud.network) |
AWS cloud location identifier |
string, list |
cloud.network |
No |
VPC identifier |
||
cloud.service |
No |
One of: [ec2, rds, elb, alb, efs, lamda] |
||
os.type |
No |
One of: [linux, windows] |
||
cloud.storage.volume_types (Restricts volume types that can be used) |
cloud.location |
No |
AWS cloud location identifier |
string, list |
scalr-module.hcl example for an AWS policy type:
version = "v1"
variable "region" {
policy = "cloud.locations"
conditions = {
cloud = "ec2"
}
}
variable "vpc_id" {
policy = "cloud.networks"
conditions = {
cloud = "ec2"
cloud.location = "${var.region}"
}
}
variable "subnet" {
policy = "cloud.subnets"
conditions = {
cloud = "ec2",
cloud.location = "${var.region}",
cloud.network = "${var.vpc_id}"
}
}
Microsoft Azure¶
Policy |
Condition |
Required |
Condition value |
Supported TF Variable types |
|---|---|---|---|---|
azure.availability_sets (Restricts Availability Sets that can be used) |
resource.group |
Yes |
Resource group identifier |
string, list |
azure.resource_groups (Restricts Resource Groups that can be used) |
cloud.location |
No |
Region identifier |
string, list |
cloud.service |
No |
One of: [compute, network] |
||
azure.storage_accounts (Restricts Storage Accounts that can be used) |
string, list |
|||
cloud.security_groups (Sets or Restricts Security Groups that can be used) |
cloud.location |
No |
Region identifier |
string, list |
cloud.network |
No |
Network identifier |
||
resource.group |
No (Yes if cloud.network specified) |
Resource group identifier |
scalr-module.hcl example for Azure:
version = "v1"
variable "region" {
policy = "cloud.locations"
conditions = {
cloud = "azure"
}
}
variable "resourcegroup" {
policy = "azure.resource_groups"
conditions = {
cloud = "azure"
}
}
Google Cloud Platform¶
Policy |
Condition |
Required |
Condition value |
Supported TF Variable types |
|---|---|---|---|---|
gce.custom_instance_type.maximum_ram (Sets a maximum size for custom instance types in GB) |
cloud.location |
No |
GCP region identifier |
number |
gce.custom_instance_type.maximum_vcpus (Sets a maximum number of VCPUs for custom instance types) |
cloud.location |
No |
GCP region identifier |
number |
gce.network_tags (Sets or Restricts Network Tags that can be used) |
cloud.location |
No |
GCP region identifier |
list |
gce.service_accounts (Restricts service accounts that can be applied to instances) |
string, list |
VMWare¶
Policy |
Condition |
Required |
Condition value |
Supported TF Variable types |
|---|---|---|---|---|
vmware.compute_resources (Restricts Compute Resources that can be used) |
cloud.location |
Yes |
Datacenter identifier |
string |
vmware.custom_instance_type.maximum_cpu (Sets a maximum number of VCPUs for custom instance types) |
cloud.location |
No |
Datacenter identifier |
number |
vmware.custom_instance_type.maximum_ram (Sets a maximum size for custom instance types in GB) |
cloud.location |
No |
Datacenter identifier |
number |
vmware.custom_specs (Restricts customization specs can be used) |
cloud.location |
No |
Datacenter identifier |
string |
cloud.compute_resource |
No |
Compute resource identifier |
||
vmware.host_systems (Restricts Hosts that can be used) |
cloud.location |
Yes |
Datacenter identifier |
string |
cloud.compute_resource |
Yes |
Compute resource identifier |
||
vmware.resource_pools (Restricts Resources pools that can be used) |
cloud.location |
Yes |
Datacenter identifier |
string |
cloud.compute_resource |
Yes |
Compute resource identifier |
||
vmware.storage.placements (Restricts datastores and storage pods can be used) |
cloud.location |
Yes |
Datacenter identifier |
string |