From 414feb48ee23a9fabd8d08d7f7cb39e5922cf361 Mon Sep 17 00:00:00 2001
From: Tamas Kiss <kiss.tamas94@gmail.com>
Date: Thu, 26 May 2022 00:40:29 +0200
Subject: [PATCH] init: copied modules from lawndale-infra

---
 9p-persistent-volume/outputs.tf    |  23 ++++
 9p-persistent-volume/providers.tf  |   9 ++
 9p-persistent-volume/variables.tf  |  15 +++
 9p-persistent-volume/volume.tf     |  37 +++++++
 kubernetes/flannel/configmap.tf    |  39 +++++++
 kubernetes/flannel/daemonset.tf    | 167 +++++++++++++++++++++++++++++
 kubernetes/flannel/outputs.tf      |  23 ++++
 kubernetes/flannel/pod_security.tf |  65 +++++++++++
 kubernetes/flannel/provider.tf     |   8 ++
 kubernetes/flannel/rbac.tf         |  52 +++++++++
 kubernetes/flannel/variables.tf    |  52 +++++++++
 kubernetes/kube-proxy/configmap.tf |  26 +++++
 kubernetes/kube-proxy/daemonset.tf | 145 +++++++++++++++++++++++++
 kubernetes/kube-proxy/outputs.tf   |  13 +++
 kubernetes/kube-proxy/provider.tf  |   8 ++
 kubernetes/kube-proxy/rbac.tf      |  22 ++++
 kubernetes/kube-proxy/service.tf   |  17 +++
 kubernetes/kube-proxy/variables.tf |  34 ++++++
 lawndale-vm-ipam/dns.tf            |  13 +++
 lawndale-vm-ipam/locals.tf         |  18 ++++
 lawndale-vm-ipam/outputs.tf        |  35 ++++++
 lawndale-vm-ipam/providers.tf      |   8 ++
 lawndale-vm-ipam/variables.tf      |  21 ++++
 lawndale-vm/compute.tf             | 119 ++++++++++++++++++++
 lawndale-vm/locals.tf              |   4 +
 lawndale-vm/outputs.tf             |   0
 lawndale-vm/providers.tf           |  13 +++
 lawndale-vm/variables.tf           | 112 +++++++++++++++++++
 remote-state-access/outputs.tf     |   9 ++
 remote-state-access/policy.tf      |  59 ++++++++++
 remote-state-access/provider.tf    |   8 ++
 remote-state-access/variables.tf   |  35 ++++++
 remote-state/bucket.tf             |  55 ++++++++++
 remote-state/dynamo.tf             |  23 ++++
 remote-state/locals.tf             |  14 +++
 remote-state/outputs.tf            |  19 ++++
 remote-state/policy.tf             |  48 +++++++++
 remote-state/provider.tf           |   8 ++
 remote-state/variables.tf          |  59 ++++++++++
 39 files changed, 1435 insertions(+)
 create mode 100644 9p-persistent-volume/outputs.tf
 create mode 100644 9p-persistent-volume/providers.tf
 create mode 100644 9p-persistent-volume/variables.tf
 create mode 100644 9p-persistent-volume/volume.tf
 create mode 100644 kubernetes/flannel/configmap.tf
 create mode 100644 kubernetes/flannel/daemonset.tf
 create mode 100644 kubernetes/flannel/outputs.tf
 create mode 100644 kubernetes/flannel/pod_security.tf
 create mode 100644 kubernetes/flannel/provider.tf
 create mode 100644 kubernetes/flannel/rbac.tf
 create mode 100644 kubernetes/flannel/variables.tf
 create mode 100644 kubernetes/kube-proxy/configmap.tf
 create mode 100644 kubernetes/kube-proxy/daemonset.tf
 create mode 100644 kubernetes/kube-proxy/outputs.tf
 create mode 100644 kubernetes/kube-proxy/provider.tf
 create mode 100644 kubernetes/kube-proxy/rbac.tf
 create mode 100644 kubernetes/kube-proxy/service.tf
 create mode 100644 kubernetes/kube-proxy/variables.tf
 create mode 100644 lawndale-vm-ipam/dns.tf
 create mode 100644 lawndale-vm-ipam/locals.tf
 create mode 100644 lawndale-vm-ipam/outputs.tf
 create mode 100644 lawndale-vm-ipam/providers.tf
 create mode 100644 lawndale-vm-ipam/variables.tf
 create mode 100644 lawndale-vm/compute.tf
 create mode 100644 lawndale-vm/locals.tf
 create mode 100644 lawndale-vm/outputs.tf
 create mode 100644 lawndale-vm/providers.tf
 create mode 100644 lawndale-vm/variables.tf
 create mode 100644 remote-state-access/outputs.tf
 create mode 100644 remote-state-access/policy.tf
 create mode 100644 remote-state-access/provider.tf
 create mode 100644 remote-state-access/variables.tf
 create mode 100644 remote-state/bucket.tf
 create mode 100644 remote-state/dynamo.tf
 create mode 100644 remote-state/locals.tf
 create mode 100644 remote-state/outputs.tf
 create mode 100644 remote-state/policy.tf
 create mode 100644 remote-state/provider.tf
 create mode 100644 remote-state/variables.tf

diff --git a/9p-persistent-volume/outputs.tf b/9p-persistent-volume/outputs.tf
new file mode 100644
index 0000000..3da3496
--- /dev/null
+++ b/9p-persistent-volume/outputs.tf
@@ -0,0 +1,23 @@
+output "namespace" {
+  value = var.namespace
+}
+
+output "host_path" {
+  value = local.host_path
+}
+
+output "pv_name" {
+  value = kubernetes_persistent_volume.this.metadata.0.name
+}
+
+output "pvc_name" {
+  value = kubernetes_persistent_volume_claim.this.metadata.0.name
+}
+
+output "persistent_volume" {
+  value = kubernetes_persistent_volume.this
+}
+
+output "persistent_volume_claim" {
+  value = kubernetes_persistent_volume_claim.this
+}
diff --git a/9p-persistent-volume/providers.tf b/9p-persistent-volume/providers.tf
new file mode 100644
index 0000000..7990369
--- /dev/null
+++ b/9p-persistent-volume/providers.tf
@@ -0,0 +1,9 @@
+terraform {
+  required_providers {
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "~> 2.11"
+    }
+  }
+}
+
diff --git a/9p-persistent-volume/variables.tf b/9p-persistent-volume/variables.tf
new file mode 100644
index 0000000..3bfef20
--- /dev/null
+++ b/9p-persistent-volume/variables.tf
@@ -0,0 +1,15 @@
+variable "name" {
+  type        = string
+  description = "The name of the volume"
+}
+
+variable "namespace" {
+  type        = string
+  description = "The namespace for the persistent volume claim"
+}
+
+variable "volume_storage_capacity" {
+  type        = string
+  description = "Size of the persistent volume reported to Kubernetes"
+  default     = "1Gi"
+}
diff --git a/9p-persistent-volume/volume.tf b/9p-persistent-volume/volume.tf
new file mode 100644
index 0000000..de17571
--- /dev/null
+++ b/9p-persistent-volume/volume.tf
@@ -0,0 +1,37 @@
+locals {
+  pv_name   = "pv-p9hostpath-${var.name}"
+  host_path = "/mnt/datastore/${var.name}"
+}
+
+resource "kubernetes_persistent_volume" "this" {
+  metadata {
+    name = local.pv_name
+  }
+  spec {
+    capacity = {
+      storage = var.volume_storage_capacity
+    }
+    access_modes = ["ReadWriteMany"]
+    persistent_volume_source {
+      host_path {
+        path = local.host_path
+      }
+    }
+  }
+}
+
+resource "kubernetes_persistent_volume_claim" "this" {
+  metadata {
+    name      = var.name
+    namespace = var.namespace
+  }
+  spec {
+    access_modes = ["ReadWriteMany"]
+    resources {
+      requests = {
+        storage = var.volume_storage_capacity
+      }
+    }
+    volume_name = kubernetes_persistent_volume.this.metadata.0.name
+  }
+}
diff --git a/kubernetes/flannel/configmap.tf b/kubernetes/flannel/configmap.tf
new file mode 100644
index 0000000..1415911
--- /dev/null
+++ b/kubernetes/flannel/configmap.tf
@@ -0,0 +1,39 @@
+resource "kubernetes_config_map" "this" {
+  metadata {
+    namespace = var.namespace
+    name      = "kube-flannel-cfg"
+    labels = {
+      app       = "flannel"
+      "k8s-app" = "cni"
+    }
+  }
+  data = {
+    "cni-conf.json" = jsonencode({
+      name       = "cbr0",
+      cniVersion = "0.3.1",
+      plugins = [
+        {
+          type = "flannel",
+          delegate = {
+            hairpinMode      = true,
+            isDefaultGateway = true,
+          }
+        },
+        {
+          type = "portmap",
+          capabilities = {
+            portMappings = true,
+          }
+        },
+      ]
+    })
+    "net-conf.json" = jsonencode({
+      Network = var.cluster_cidr,
+      Backend = {
+        Type = "vxlan",
+        VNI  = var.vxlan_id,
+        Port = var.vxlan_port,
+      }
+    })
+  }
+}
diff --git a/kubernetes/flannel/daemonset.tf b/kubernetes/flannel/daemonset.tf
new file mode 100644
index 0000000..05eea57
--- /dev/null
+++ b/kubernetes/flannel/daemonset.tf
@@ -0,0 +1,167 @@
+resource "kubernetes_daemonset" "this" {
+  metadata {
+    name      = var.daemonset_name
+    namespace = var.namespace
+    labels = {
+      app       = var.daemonset_name
+      "k8s-app" = "cni"
+    }
+  }
+  spec {
+    selector {
+      match_labels = {
+        app       = var.daemonset_name
+        "k8s-app" = "cni"
+      }
+    }
+
+    template {
+      metadata {
+        labels = {
+          app       = var.daemonset_name
+          "k8s-app" = "cni"
+        }
+      }
+      spec {
+        affinity {
+          node_affinity {
+            required_during_scheduling_ignored_during_execution {
+              node_selector_term {
+                match_expressions {
+                  key      = "kubernetes.io/os"
+                  operator = "In"
+                  values   = var.node_selector_os
+                }
+              }
+            }
+          }
+        }
+
+        host_network        = true
+        priority_class_name = "system-node-critical"
+
+        toleration {
+          operator = "Exists"
+          effect   = "NoSchedule"
+        }
+
+        service_account_name = kubernetes_service_account.this.metadata.0.name
+
+        init_container {
+          name    = "install-cni-plugin"
+          image   = var.flannel_cni_plugin_image
+          command = ["cp"]
+          args    = ["-f", "/flannel", "/opt/cni/bin/flannel"]
+          volume_mount {
+            name       = "cni-plugin"
+            mount_path = "/opt/cni/bin"
+          }
+        }
+
+        init_container {
+          name    = "install-cni"
+          image   = var.flannel_image
+          command = ["cp"]
+          args    = ["-f", "/etc/kube-flannel/cni-conf.json", "/etc/cni/net.d/10-flannel.conflist"]
+          volume_mount {
+            name       = "cni"
+            mount_path = "/etc/cni/net.d"
+          }
+          volume_mount {
+            name       = "flannel-cfg"
+            mount_path = "/etc/kube-flannel/"
+          }
+        }
+
+        container {
+          name    = "kube-flannel"
+          image   = var.flannel_image
+          command = ["/opt/bin/flanneld"]
+          args    = ["--ip-masq", "--kube-subnet-mgr"]
+          resources {
+            requests = {
+              cpu    = "100m"
+              memory = "50Mi"
+            }
+            limits = {
+              cpu    = "100m"
+              memory = "50Mi"
+            }
+          }
+          security_context {
+            privileged = false
+            capabilities {
+              add = ["NET_ADMIN", "NET_RAW"]
+            }
+          }
+
+          env {
+            name = "POD_NAME"
+            value_from {
+              field_ref {
+                field_path = "metadata.name"
+              }
+            }
+          }
+
+          env {
+            name = "POD_NAMESPACE"
+            value_from {
+              field_ref {
+                field_path = "metadata.namespace"
+              }
+            }
+          }
+          env {
+            name  = "EVENT_QUEUE_DEPTH"
+            value = "5000"
+          }
+          volume_mount {
+            name       = "run"
+            mount_path = "/run/flannel"
+          }
+          volume_mount {
+            name       = "flannel-cfg"
+            mount_path = "/etc/kube-flannel/"
+          }
+          volume_mount {
+            name       = "xtables-lock"
+            mount_path = "/run/xtables.lock"
+          }
+        }
+
+        volume {
+          name = "run"
+          host_path {
+            path = "/run/flannel"
+          }
+        }
+        volume {
+          name = "cni-plugin"
+          host_path {
+            path = "/opt/cni/bin"
+          }
+        }
+        volume {
+          name = "cni"
+          host_path {
+            path = "/etc/cni/net.d"
+          }
+        }
+        volume {
+          name = "flannel-cfg"
+          config_map {
+            name = kubernetes_config_map.this.metadata.0.name
+          }
+        }
+        volume {
+          name = "xtables-lock"
+          host_path {
+            path = "/run/xtables.lock"
+            type = "FileOrCreate"
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/kubernetes/flannel/outputs.tf b/kubernetes/flannel/outputs.tf
new file mode 100644
index 0000000..a571bf1
--- /dev/null
+++ b/kubernetes/flannel/outputs.tf
@@ -0,0 +1,23 @@
+output "service_account" {
+  value = kubernetes_service_account.this
+}
+
+output "cluster_role" {
+  value = kubernetes_cluster_role.this
+}
+
+output "cluster_role_binding" {
+  value = kubernetes_cluster_role_binding.this
+}
+
+output "pod_security_policy" {
+  value = kubernetes_pod_security_policy.this
+}
+
+output "daemonset" {
+  value = kubernetes_daemonset.this
+}
+
+output "configmap" {
+  value = kubernetes_config_map.this
+}
diff --git a/kubernetes/flannel/pod_security.tf b/kubernetes/flannel/pod_security.tf
new file mode 100644
index 0000000..98c7893
--- /dev/null
+++ b/kubernetes/flannel/pod_security.tf
@@ -0,0 +1,65 @@
+resource "kubernetes_pod_security_policy" "this" {
+  metadata {
+    name = "psp.flannel.unprivileged"
+    annotations = {
+      "seccomp.security.alpha.kubernetes.io/allowedProfileNames" : "docker/default",
+      "seccomp.security.alpha.kubernetes.io/defaultProfileName" : "docker/default",
+      "apparmor.security.beta.kubernetes.io/allowedProfileNames" : "runtime/default",
+      "apparmor.security.beta.kubernetes.io/defaultProfileName" : "runtime/default",
+    }
+  }
+  spec {
+    # Privilege Escalation
+    allow_privilege_escalation         = false
+    default_allow_privilege_escalation = false
+    privileged                         = false
+
+    volumes = [
+      "configMap",
+      "secret",
+      "emptyDir",
+      "hostPath",
+    ]
+    allowed_host_paths {
+      path_prefix = "/etc/cni/net.d"
+    }
+    allowed_host_paths {
+      path_prefix = "/etc/kube-flannel"
+    }
+    allowed_host_paths {
+      path_prefix = "/run/flannel"
+    }
+
+    read_only_root_filesystem = false
+
+    # Users and groups
+    run_as_user {
+      rule = "MustRunAsNonRoot"
+    }
+    supplemental_groups {
+      rule = "RunAsAny"
+    }
+    fs_group {
+      rule = "RunAsAny"
+    }
+
+    # Capabilities
+    allowed_capabilities       = ["NET_ADMIN", "NET_RAW"]
+    default_add_capabilities   = []
+    required_drop_capabilities = []
+
+    # Host namespaces
+    host_pid     = false
+    host_ipc     = false
+    host_network = true
+    host_ports {
+      min = 0
+      max = 65535
+    }
+    # SELinux
+    se_linux {
+      # SELinux is unused in CaaSP
+      rule = "RunAsAny"
+    }
+  }
+}
diff --git a/kubernetes/flannel/provider.tf b/kubernetes/flannel/provider.tf
new file mode 100644
index 0000000..5d93fc8
--- /dev/null
+++ b/kubernetes/flannel/provider.tf
@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "~> 2.11"
+    }
+  }
+}
diff --git a/kubernetes/flannel/rbac.tf b/kubernetes/flannel/rbac.tf
new file mode 100644
index 0000000..0e2e2ce
--- /dev/null
+++ b/kubernetes/flannel/rbac.tf
@@ -0,0 +1,52 @@
+
+resource "kubernetes_cluster_role" "this" {
+  count = var.create_cluster_role ? 1 : 0
+
+  metadata {
+    name = var.cluster_role_name
+  }
+  rule {
+    api_groups     = ["extensions"]
+    resources      = ["podsecuritypolicies"]
+    verbs          = ["use"]
+    resource_names = [kubernetes_pod_security_policy.this.metadata.0.name]
+  }
+  rule {
+    api_groups = [""]
+    resources  = ["pods"]
+    verbs      = ["get"]
+  }
+  rule {
+    api_groups = [""]
+    resources  = ["nodes"]
+    verbs      = ["list", "watch"]
+  }
+  rule {
+    api_groups = [""]
+    resources  = ["nodes/status"]
+    verbs      = ["patch"]
+  }
+}
+
+resource "kubernetes_service_account" "this" {
+  metadata {
+    name      = "flannel"
+    namespace = var.namespace
+  }
+}
+
+resource "kubernetes_cluster_role_binding" "this" {
+  metadata {
+    name = "flannel"
+  }
+  role_ref {
+    api_group = "rbac.authorization.k8s.io"
+    kind      = "ClusterRole"
+    name      = var.cluster_role_name
+  }
+  subject {
+    kind      = "ServiceAccount"
+    name      = kubernetes_service_account.this.metadata.0.name
+    namespace = kubernetes_service_account.this.metadata.0.namespace
+  }
+}
diff --git a/kubernetes/flannel/variables.tf b/kubernetes/flannel/variables.tf
new file mode 100644
index 0000000..c164520
--- /dev/null
+++ b/kubernetes/flannel/variables.tf
@@ -0,0 +1,52 @@
+variable "namespace" {
+  type        = string
+  description = "namespace for resources"
+  default     = "kube-system"
+}
+
+variable "vxlan_id" {
+  type        = number
+  description = "VXLAN ID (VNI)"
+}
+
+variable "vxlan_port" {
+  type        = number
+  description = "UDP port to use for sending encapsulated packets"
+}
+
+variable "flannel_image" {
+  type    = string
+  default = "rancher/mirrored-flannelcni-flannel:v0.17.0"
+}
+
+variable "flannel_cni_plugin_image" {
+  type    = string
+  default = "rancher/mirrored-flannelcni-flannel-cni-plugin:v1.0.1"
+}
+
+variable "cluster_role_name" {
+  type        = string
+  description = "Name of the cluster role flannel will use"
+  default     = "flannel"
+}
+variable "create_cluster_role" {
+  type        = bool
+  description = "Weather or not to create a suitable cluster role or use an already exisiting specified by cluster_role_name variable"
+  default     = true
+}
+
+variable "daemonset_name" {
+  type        = string
+  description = "Name of the daeomonset"
+  default     = "flannel"
+}
+variable "node_selector_os" {
+  type        = list(string)
+  description = "Which kubernetes.io/os node-label to match for execution"
+  default     = ["linux"]
+}
+
+variable "cluster_cidr" {
+  type        = string
+  description = "ClusterCIDR"
+}
\ No newline at end of file
diff --git a/kubernetes/kube-proxy/configmap.tf b/kubernetes/kube-proxy/configmap.tf
new file mode 100644
index 0000000..47726bf
--- /dev/null
+++ b/kubernetes/kube-proxy/configmap.tf
@@ -0,0 +1,26 @@
+
+resource "kubernetes_config_map" "this" {
+  metadata {
+    name      = "${var.daemonset_name}-config"
+    namespace = var.namespace
+  }
+
+  data = {
+    "kube-proxy-config.yaml" = yamlencode(merge({
+      kind       = "KubeProxyConfiguration"
+      apiVersion = "kubeproxy.config.k8s.io/v1alpha1"
+      clientConnection = {
+        kubeconfig = "/kubeconfig/kubeconfig"
+      }
+      mode        = var.mode
+      clusterCIDR = var.cluster_cidr
+    }, var.additional_config))
+    "kubeconfig.sh" : <<EOM
+#!/bin/sh
+kubectl --kubeconfig=/kubeconfig/kubeconfig config set-cluster default --certificate-authority=/run/secrets/kubernetes.io/serviceaccount/ca.crt --server=${var.kubernetes_server}
+kubectl --kubeconfig=/kubeconfig/kubeconfig config set-credentials kube-proxy --token=$(cat /run/secrets/kubernetes.io/serviceaccount/token)
+kubectl --kubeconfig=/kubeconfig/kubeconfig config set-context default --cluster=default --user=kube-proxy
+kubectl --kubeconfig=/kubeconfig/kubeconfig config use-context default
+EOM
+  }
+}
diff --git a/kubernetes/kube-proxy/daemonset.tf b/kubernetes/kube-proxy/daemonset.tf
new file mode 100644
index 0000000..04c8d62
--- /dev/null
+++ b/kubernetes/kube-proxy/daemonset.tf
@@ -0,0 +1,145 @@
+
+resource "kubernetes_daemonset" "this" {
+  metadata {
+    name      = var.daemonset_name
+    namespace = var.namespace
+    labels = {
+      "k8s-app" = var.daemonset_name
+    }
+  }
+
+  spec {
+    selector {
+      match_labels = {
+        "k8s-app" = var.daemonset_name
+      }
+    }
+
+    template {
+      metadata {
+        labels = {
+          "k8s-app"              = var.daemonset_name
+          "prometheus.io/scrape" = "true"
+          "prometheus.io/port"   = "10249"
+          "prometheus.io/scheme" = "http"
+        }
+      }
+
+      spec {
+        affinity {
+          node_affinity {
+            required_during_scheduling_ignored_during_execution {
+              node_selector_term {
+                match_expressions {
+                  key      = "kubernetes.io/os"
+                  operator = "In"
+                  values   = ["linux"]
+                }
+              }
+            }
+          }
+        }
+
+        host_network         = true
+        priority_class_name  = "system-node-critical"
+        service_account_name = kubernetes_service_account.this.metadata.0.name
+
+        toleration {
+          operator = "Exists"
+          effect   = "NoSchedule"
+        }
+        volume {
+          name = "kube-proxy-config"
+          config_map {
+            name = kubernetes_config_map.this.metadata.0.name
+          }
+        }
+        volume {
+          name = "kubeconfig"
+          empty_dir {
+            medium = "Memory"
+          }
+        }
+
+        volume {
+          name = "lib-modules"
+          host_path {
+            path = "/lib/modules"
+          }
+        }
+
+        init_container {
+          name    = "kubeconfig"
+          image   = "bitnami/kubectl:${var.kubernetes_version}"
+          command = ["/bin/bash"]
+          args    = ["/kubeconfig.sh"]
+
+          volume_mount {
+            name       = "kube-proxy-config"
+            mount_path = "/kubeconfig.sh"
+            sub_path   = "kubeconfig.sh"
+          }
+          volume_mount {
+            name       = "kubeconfig"
+            mount_path = "/kubeconfig"
+          }
+
+        }
+
+        container {
+          security_context {
+            privileged = true
+          }
+          image   = "k8s.gcr.io/kube-proxy:v${var.kubernetes_version}"
+          command = ["kube-proxy"]
+          args = [
+            "--config=/var/lib/kube-proxy/kube-proxy-config.yaml",
+          ]
+          name = "kube-proxy"
+
+          resources {
+            limits = {
+              cpu    = "100m"
+              memory = "50Mi"
+            }
+            requests = {
+              cpu    = "100m"
+              memory = "50Mi"
+            }
+          }
+
+          volume_mount {
+            name       = "kube-proxy-config"
+            mount_path = "/var/lib/kube-proxy"
+          }
+
+          volume_mount {
+            name       = "lib-modules"
+            mount_path = "/lib/modules"
+          }
+
+          volume_mount {
+            name       = "kubeconfig"
+            mount_path = "/kubeconfig"
+          }
+
+          #   liveness_probe {
+          #     http_get {
+          #       path = "/"
+          #       port = 80
+
+          #       http_header {
+          #         name  = "X-Custom-Header"
+          #         value = "Awesome"
+          #       }
+          #     }
+
+          #     initial_delay_seconds = 3
+          #     period_seconds        = 3
+          #   }
+
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/kubernetes/kube-proxy/outputs.tf b/kubernetes/kube-proxy/outputs.tf
new file mode 100644
index 0000000..764abe2
--- /dev/null
+++ b/kubernetes/kube-proxy/outputs.tf
@@ -0,0 +1,13 @@
+output "daemonset" {
+  value = kubernetes_daemonset.this
+}
+output "configmap" {
+  value = kubernetes_config_map.this
+}
+output "service_account" {
+  value = kubernetes_service_account.this
+}
+
+output "cluster_role_binding" {
+  value = kubernetes_cluster_role_binding.this
+}
diff --git a/kubernetes/kube-proxy/provider.tf b/kubernetes/kube-proxy/provider.tf
new file mode 100644
index 0000000..5d93fc8
--- /dev/null
+++ b/kubernetes/kube-proxy/provider.tf
@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "~> 2.11"
+    }
+  }
+}
diff --git a/kubernetes/kube-proxy/rbac.tf b/kubernetes/kube-proxy/rbac.tf
new file mode 100644
index 0000000..ddc3b8b
--- /dev/null
+++ b/kubernetes/kube-proxy/rbac.tf
@@ -0,0 +1,22 @@
+resource "kubernetes_service_account" "this" {
+  metadata {
+    name      = "kube-proxy"
+    namespace = "kube-system"
+  }
+}
+
+resource "kubernetes_cluster_role_binding" "this" {
+  metadata {
+    name = "kube-proxy-is-system-node-proxier"
+  }
+  role_ref {
+    api_group = "rbac.authorization.k8s.io"
+    kind      = "ClusterRole"
+    name      = "system:node-proxier"
+  }
+  subject {
+    kind      = "ServiceAccount"
+    name      = kubernetes_service_account.this.metadata.0.name
+    namespace = "kube-system"
+  }
+}
diff --git a/kubernetes/kube-proxy/service.tf b/kubernetes/kube-proxy/service.tf
new file mode 100644
index 0000000..1436b51
--- /dev/null
+++ b/kubernetes/kube-proxy/service.tf
@@ -0,0 +1,17 @@
+resource "kubernetes_service" "prometheus" {
+  metadata {
+    name      = var.daemonset_name
+    namespace = var.namespace
+  }
+  spec {
+    selector = {
+      "k8s-app" = var.daemonset_name
+    }
+    port {
+      port        = 10249
+      target_port = 10249
+    }
+
+    type = "ClusterIP"
+  }
+}
\ No newline at end of file
diff --git a/kubernetes/kube-proxy/variables.tf b/kubernetes/kube-proxy/variables.tf
new file mode 100644
index 0000000..4c2201c
--- /dev/null
+++ b/kubernetes/kube-proxy/variables.tf
@@ -0,0 +1,34 @@
+variable "kubernetes_version" {
+  type        = string
+  description = "Kubernetes cluster version (eg: 1.23.5)"
+}
+
+variable "cluster_cidr" {
+  type        = string
+  description = "Kubernetes cluster CIDR"
+}
+
+variable "kubernetes_server" {
+  type        = string
+  description = "Kubernetes (master) server address (eg: https://k8s.my.domain:6443/)"
+}
+
+variable "mode" {
+  type    = string
+  default = "iptables"
+}
+
+variable "daemonset_name" {
+  type    = string
+  default = "kube-proxy"
+}
+
+variable "additional_config" {
+  type    = map(any)
+  default = {}
+}
+
+variable "namespace" {
+  type    = string
+  default = "kube-system"
+}
\ No newline at end of file
diff --git a/lawndale-vm-ipam/dns.tf b/lawndale-vm-ipam/dns.tf
new file mode 100644
index 0000000..7d87422
--- /dev/null
+++ b/lawndale-vm-ipam/dns.tf
@@ -0,0 +1,13 @@
+resource "dns_a_record_set" "this" {
+  zone      = "lawndale."
+  name      = "${var.name}.${var.interface}"
+  addresses = [local.ip_address]
+  ttl       = var.ttl
+}
+
+resource "dns_ptr_record" "this" {
+  zone = "168.192.in-addr.arpa."
+  name = local.ptr_name
+  ptr  = "${var.name}.${var.interface}.lawndale."
+  ttl  = var.ttl
+}
diff --git a/lawndale-vm-ipam/locals.tf b/lawndale-vm-ipam/locals.tf
new file mode 100644
index 0000000..2bd1117
--- /dev/null
+++ b/lawndale-vm-ipam/locals.tf
@@ -0,0 +1,18 @@
+locals {
+  interface_ip_map = {
+    "internal" = "192.168.254"
+    "nat"      = "192.168.253"
+  }
+  interface_ptr_map = {
+    "internal" = "254"
+    "nat"      = "253"
+  }
+
+  ip_address = "${local.interface_ip_map[var.interface]}.${var.id}"
+  ptr_name   = "${var.id}.${local.interface_ip_map[var.interface]}"
+
+  lawndale_interface_map = {
+    "internal" = "brInternal"
+    "nat"      = "brNAT"
+  }
+}
diff --git a/lawndale-vm-ipam/outputs.tf b/lawndale-vm-ipam/outputs.tf
new file mode 100644
index 0000000..981c841
--- /dev/null
+++ b/lawndale-vm-ipam/outputs.tf
@@ -0,0 +1,35 @@
+output "ip_address" {
+  value = local.ip_address
+}
+
+output "fqdn" {
+  value = "${dns_a_record_set.this.name}.${dns_a_record_set.this.zone}"
+}
+
+output "interface" {
+  value = var.interface
+}
+
+output "name" {
+  value = var.name
+}
+
+output "gateway" {
+  value = "${local.interface_ip_map[var.interface]}.254"
+}
+
+output "nameserver" {
+  value = "${local.interface_ip_map[var.interface]}.254"
+}
+
+output "search_domains" {
+  value = ["${var.interface}.lawndale.", "lawndale."]
+}
+
+output "cidr" {
+  value = 24
+}
+
+output "lawndale_interface" {
+  value = local.lawndale_interface_map[var.interface]
+}
\ No newline at end of file
diff --git a/lawndale-vm-ipam/providers.tf b/lawndale-vm-ipam/providers.tf
new file mode 100644
index 0000000..4482933
--- /dev/null
+++ b/lawndale-vm-ipam/providers.tf
@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    dns = {
+      source  = "hashicorp/dns"
+      version = "~> 3.2"
+    }
+  }
+}
diff --git a/lawndale-vm-ipam/variables.tf b/lawndale-vm-ipam/variables.tf
new file mode 100644
index 0000000..f646b1f
--- /dev/null
+++ b/lawndale-vm-ipam/variables.tf
@@ -0,0 +1,21 @@
+variable "id" {
+  type        = number
+  description = "The ID for the VM that will be transposed into an IP address"
+}
+
+variable "name" {
+  type        = string
+  description = "The domain name for the vm"
+}
+
+variable "interface" {
+  type        = string
+  description = "Which interface should be used. Can be either nat or internal"
+}
+
+variable "ttl" {
+  type        = number
+  description = "TTL value for the new records"
+
+  default = 300
+}
diff --git a/lawndale-vm/compute.tf b/lawndale-vm/compute.tf
new file mode 100644
index 0000000..ed472ab
--- /dev/null
+++ b/lawndale-vm/compute.tf
@@ -0,0 +1,119 @@
+
+resource "libvirt_pool" "this" {
+  count = var.create_root_storage_pool ? 1 : 0
+  name  = local.root_storage_pool
+  type  = "dir"
+  path  = "/vmstore/${var.name}"
+}
+
+resource "libvirt_volume" "this" {
+  name = local.root_storage_volume_name
+  pool = local.root_storage_pool
+
+  size             = var.root_storage_volume_size_gb * 1024 * 1024 * 1024
+  base_volume_name = var.base_image_volume
+  base_volume_pool = var.base_image_pool
+}
+
+
+resource "macaddress" "this" {
+}
+
+
+module "ipam" {
+  source = "../../modules/lawndale-vm-ipam"
+
+  id        = var.id
+  name      = var.name
+  interface = var.interface
+}
+
+
+resource "libvirt_domain" "this" {
+  name        = "${var.id}-${var.name}"
+  description = var.description
+
+  vcpu   = var.vcpu
+  memory = var.memory_mb
+
+  autostart = var.autostart
+
+  cloudinit = libvirt_cloudinit_disk.this.id
+
+  network_interface {
+    bridge = module.ipam.lawndale_interface
+    mac    = macaddress.this.address
+  }
+
+  disk {
+    volume_id = libvirt_volume.this.id
+    scsi      = true
+  }
+
+  # video { type = "virtio" }
+  # graphics {}
+
+  console {
+    type        = "pty"
+    target_port = 0
+    target_type = "serial"
+  }
+
+  qemu_agent = true
+  dynamic "filesystem" {
+    for_each = var.filesystems
+    content {
+      source     = filesystem.value.source
+      target     = filesystem.value.target
+      readonly   = filesystem.value.readonly
+      accessmode = filesystem.value.accessmode
+    }
+  }
+
+  dynamic "xml" {
+    for_each = var.xslt == null ? [] : [var.xslt]
+    content {
+      xslt = xml.value
+    }
+  }
+}
+
+resource "libvirt_cloudinit_disk" "this" {
+  name = "${var.id}-${var.name}-cloudinit"
+  pool = local.root_storage_pool
+
+  meta_data      = local.meta_data
+  network_config = local.network_config
+  user_data      = var.user_data
+}
+
+locals {
+  default_network_config = {
+    version = 2
+    ethernets = {
+      eth = {
+        match = {
+          macaddress = macaddress.this.address
+        }
+        addresses = [
+          "${module.ipam.ip_address}/${module.ipam.cidr}"
+        ]
+        gateway4 = module.ipam.gateway
+        nameservers = {
+          search = module.ipam.search_domains
+          addresses = [
+            module.ipam.nameserver
+          ]
+        }
+      }
+    }
+  }
+
+  default_meta_data = <<EOM
+instance-id: ${var.id}-${var.name}
+local-hostname: ${var.name}
+EOM
+
+  meta_data      = var.meta_data != null ? var.meta_data : local.default_meta_data
+  network_config = var.network_config != null ? var.network_config : jsonencode(local.default_network_config)
+}
\ No newline at end of file
diff --git a/lawndale-vm/locals.tf b/lawndale-vm/locals.tf
new file mode 100644
index 0000000..2c22b69
--- /dev/null
+++ b/lawndale-vm/locals.tf
@@ -0,0 +1,4 @@
+locals {
+  root_storage_pool        = var.root_storage_pool != "" ? var.root_storage_pool : var.name
+  root_storage_volume_name = var.root_storage_volume_name != "" ? "${var.root_storage_volume_name}.qcow2" : "${var.name}.qcow2"
+}
diff --git a/lawndale-vm/outputs.tf b/lawndale-vm/outputs.tf
new file mode 100644
index 0000000..e69de29
diff --git a/lawndale-vm/providers.tf b/lawndale-vm/providers.tf
new file mode 100644
index 0000000..c28af30
--- /dev/null
+++ b/lawndale-vm/providers.tf
@@ -0,0 +1,13 @@
+terraform {
+  required_providers {
+    libvirt = {
+      source  = "dmacvicar/libvirt"
+      version = "~> 0.6.14"
+    }
+
+    macaddress = {
+      source  = "ivoronin/macaddress"
+      version = "~> 0.3.0"
+    }
+  }
+}
diff --git a/lawndale-vm/variables.tf b/lawndale-vm/variables.tf
new file mode 100644
index 0000000..197594c
--- /dev/null
+++ b/lawndale-vm/variables.tf
@@ -0,0 +1,112 @@
+variable "id" {
+  type        = number
+  description = "The lawndale id of the virtual machine"
+}
+
+variable "name" {
+  type        = string
+  description = "The name of the virtual machine (must be a [-_a-z0-9])"
+
+  validation {
+    condition     = can(regex("^[-_a-z0-9]+$", var.name))
+    error_message = "A virtual machine name must be lowercase, and can only contain alphanumeral characters, dashes and underscores."
+  }
+}
+
+variable "vcpu" {
+  type        = number
+  description = "CPU count"
+  default     = 1
+}
+
+variable "memory_mb" {
+  type        = number
+  description = "VM memory allocation in megabytes"
+}
+
+variable "description" {
+  type        = string
+  description = "(Short) Description for the virtual machine"
+}
+
+variable "base_image_pool" {
+  type        = string
+  description = "Base image storage pool"
+}
+
+variable "base_image_volume" {
+  type        = string
+  description = "Base image storage pool"
+}
+
+variable "root_storage_pool" {
+  type        = string
+  description = "The name of the storage pool. It will default to the VM name"
+
+  default = ""
+}
+
+variable "create_root_storage_pool" {
+  type        = bool
+  description = "Create the storage pool as part of the module"
+
+  default = true
+}
+
+variable "root_storage_volume_size_gb" {
+  type        = number
+  description = "The size of the storage volume (in gigabytes)"
+}
+
+variable "root_storage_volume_name" {
+  type        = string
+  description = "the name of the storage volume (must be unique in the pool)"
+  default     = ""
+}
+
+variable "interface" {
+  type        = string
+  description = "Network interface to attach the vm on"
+}
+
+variable "autostart" {
+  type        = bool
+  description = "Start the VM at host start?"
+  default     = true
+}
+
+variable "user_data" {
+  type        = string
+  description = "Cloud-init userdata script to run"
+}
+
+variable "network_config" {
+  type        = string
+  description = "Cloud-init network config"
+  default     = null
+  nullable    = true
+}
+
+variable "meta_data" {
+  type        = string
+  description = "Cloud-init meta-data"
+  default     = null
+  nullable    = true
+}
+
+variable "filesystems" {
+  type = list(object({
+    source     = string
+    target     = string
+    accessmode = string
+    readonly   = bool
+  }))
+  description = "9p shared filesystem devices"
+  default     = []
+}
+
+variable "xslt" {
+  type        = string
+  description = "XSLT applied to the domain before sent to libvirt"
+  default     = null
+}
diff --git a/remote-state-access/outputs.tf b/remote-state-access/outputs.tf
new file mode 100644
index 0000000..25cac1b
--- /dev/null
+++ b/remote-state-access/outputs.tf
@@ -0,0 +1,9 @@
+output "role_arn" {
+  type  = string
+  value = var.create_role ? aws_iam_role.this.arn : null
+}
+
+output "policy_arn" {
+  type  = string
+  value = var.create_policy ? aws_iam_policy.this.arn : null
+}
diff --git a/remote-state-access/policy.tf b/remote-state-access/policy.tf
new file mode 100644
index 0000000..c2556a3
--- /dev/null
+++ b/remote-state-access/policy.tf
@@ -0,0 +1,59 @@
+data "aws_iam_policy_document" "this" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "s3:ListBucket"
+    ]
+
+    resources = [
+      "arn:aws:s3:::${var.bucket_name}",
+    ]
+  }
+  statement {
+    effect = "Allow"
+    actions = [
+      "s3:GetObject",
+      "s3:PutObject",
+      "s3:DeleteObject",
+    ]
+
+    resources = [
+      "arn:aws:s3:::${var.bucket_name}",
+    ]
+
+    condition {
+      test     = "StringLike"
+      variable = "s3:prefix"
+
+      values = var.prefixes
+    }
+  }
+  statement {
+    effect = "Allow"
+    actions = [
+      "dynamodb:GetItem",
+      "dynamodb:PutItem",
+      "dynamodb:DeleteItem",
+    ]
+    resources = [
+      "arn:aws:dynamodb:*:*:table/${var.dynamodb_table}",
+    ]
+  }
+}
+
+
+resource "aws_iam_role" "this" {
+  count = var.create_role ? 1 : 0
+  name  = var.role_name
+
+  inline_policy {
+    name   = "Allow access for remote states s3 and dynamo"
+    policy = data.aws_iam_policy_document.this.json
+  }
+}
+
+resource "aws_iam_policy" "this" {
+  count = var.create_policy ? 1 : 0
+  name  = var.policy_name
+  path  = var.policy_path
+}
\ No newline at end of file
diff --git a/remote-state-access/provider.tf b/remote-state-access/provider.tf
new file mode 100644
index 0000000..e523c26
--- /dev/null
+++ b/remote-state-access/provider.tf
@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4.9"
+    }
+  }
+}
diff --git a/remote-state-access/variables.tf b/remote-state-access/variables.tf
new file mode 100644
index 0000000..3c23ec2
--- /dev/null
+++ b/remote-state-access/variables.tf
@@ -0,0 +1,35 @@
+variable "bucket_name" {
+  type = string
+}
+
+variable "dynamo_table" {
+  type = string
+}
+
+variable "prefixes" {
+  type = list(string)
+}
+
+variable "role_name" {
+  type    = string
+  default = null
+}
+
+variable "policy_name" {
+  type    = string
+  default = null
+}
+variable "policy_path" {
+  type    = string
+  default = "/"
+}
+
+variable "create_role" {
+  type    = bool
+  default = false
+}
+
+variable "create_policy" {
+  type    = bool
+  default = false
+}
\ No newline at end of file
diff --git a/remote-state/bucket.tf b/remote-state/bucket.tf
new file mode 100644
index 0000000..591acf8
--- /dev/null
+++ b/remote-state/bucket.tf
@@ -0,0 +1,55 @@
+resource "aws_kms_key" "this" {
+  description             = "Enryption key for S3 remote terraform state"
+  deletion_window_in_days = 30
+}
+
+data "aws_iam_policy_document" "force_secure_transport" {
+  statement {
+    sid     = "ForceSecureTransport"
+    actions = ["s3:*"]
+    effect  = "Deny"
+    resources = [
+      module.states_bucket.s3_bucket_arn,
+      "${module.states_bucket.s3_bucket_arn}/*"
+    ]
+    condition {
+      test     = "Bool"
+      variable = "aws:SecureTransport"
+      values   = ["false"]
+    }
+    principals {
+      type        = "*"
+      identifiers = ["*"]
+    }
+  }
+}
+
+module "states_bucket" {
+  source = "terraform-aws-modules/s3-bucket/aws"
+
+  bucket = local.bucket_name
+
+  versioning = {
+    enabled = true
+  }
+
+  server_side_encryption_configuration = {
+    rule = {
+      apply_server_side_encryption_by_default = {
+        kms_master_key_id = aws_kms_key.this.arn
+        sse_algorithm     = "aws:kms"
+      }
+    }
+  }
+
+  acl                     = "private"
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+
+  attach_policy = true
+  policy        = data.aws_iam_policy_document.force_secure_transport.json
+
+  create_bucket = true
+}
diff --git a/remote-state/dynamo.tf b/remote-state/dynamo.tf
new file mode 100644
index 0000000..088c386
--- /dev/null
+++ b/remote-state/dynamo.tf
@@ -0,0 +1,23 @@
+locals {
+  dynamodb_lock_key_id = "LockID"
+}
+
+resource "aws_dynamodb_table" "lock" {
+  name     = local.table_name
+  hash_key = local.dynamodb_lock_key_id
+
+  billing_mode   = var.table_billing_mode
+  write_capacity = var.table_write_capacity
+  read_capacity  = var.table_read_capacity
+
+  attribute {
+    name = local.dynamodb_lock_key_id
+    type = "S"
+  }
+
+  server_side_encryption {
+    enabled     = var.table_encryption_at_rest
+    kms_key_arn = aws_kms_key.this.arn
+  }
+
+}
diff --git a/remote-state/locals.tf b/remote-state/locals.tf
new file mode 100644
index 0000000..fb99aca
--- /dev/null
+++ b/remote-state/locals.tf
@@ -0,0 +1,14 @@
+data "aws_region" "current" {}
+
+locals {
+  region_name = data.aws_region.current.name
+
+  default_bucket_name = try("${var.name_prefix}-${local.region_name}-states", "")
+  bucket_name         = var.bucket_name_override != null ? var.bucket_name_override : local.default_bucket_name
+
+  default_table_name = try("${var.name_prefix}-${local.region_name}-tf-state-locks", "")
+  table_name         = var.table_name_override != null ? var.table_name_override : local.default_table_name
+
+  default_terraform_iam_policy_name = "terraforming-${local.table_name}"
+  terraform_iam_policy_name         = local.default_terraform_iam_policy_name
+}
diff --git a/remote-state/outputs.tf b/remote-state/outputs.tf
new file mode 100644
index 0000000..19a4748
--- /dev/null
+++ b/remote-state/outputs.tf
@@ -0,0 +1,19 @@
+output "kms_key" {
+  value = aws_kms_key.this
+}
+
+output "lock_table" {
+  value = aws_dynamodb_table.lock
+}
+
+output "terraform_policy" {
+  value = aws_iam_policy.terraform
+}
+
+output "bucket_name" {
+  value = local.bucket_name
+}
+
+output "lock_table_name" {
+  value = local.table_name
+}
diff --git a/remote-state/policy.tf b/remote-state/policy.tf
new file mode 100644
index 0000000..10a0d98
--- /dev/null
+++ b/remote-state/policy.tf
@@ -0,0 +1,48 @@
+data "aws_iam_policy_document" "access_state" {
+  statement {
+    effect    = "Allow"
+    actions   = ["s3:ListBucket", "s3:GetBucketVersioning"]
+    resources = [module.states_bucket.s3_bucket_arn]
+  }
+
+  statement {
+    effect    = "Allow"
+    actions   = ["s3:GetObject", "s3:PutObject"]
+    resources = ["${module.states_bucket.s3_bucket_arn}/*"]
+  }
+
+  statement {
+    effect = "Allow"
+    actions = [
+      "dynamodb:GetItem",
+      "dynamodb:PutItem",
+      "dynamodb:DeleteItem",
+      "dynamodb:DescribeTable",
+    ]
+    resources = [aws_dynamodb_table.lock.arn]
+  }
+
+  statement {
+    effect = "Allow"
+    actions = [
+      "kms:ListKeys"
+    ]
+    resources = ["*"]
+  }
+
+  statement {
+    effect = "Allow"
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:DescribeKey",
+      "kms:GenerateDataKey",
+    ]
+    resources = [aws_kms_key.this.arn]
+  }
+}
+
+resource "aws_iam_policy" "terraform" {
+  name   = local.terraform_iam_policy_name
+  policy = data.aws_iam_policy_document.access_state.json
+}
diff --git a/remote-state/provider.tf b/remote-state/provider.tf
new file mode 100644
index 0000000..e523c26
--- /dev/null
+++ b/remote-state/provider.tf
@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4.9"
+    }
+  }
+}
diff --git a/remote-state/variables.tf b/remote-state/variables.tf
new file mode 100644
index 0000000..8e49d1c
--- /dev/null
+++ b/remote-state/variables.tf
@@ -0,0 +1,59 @@
+## Naming
+
+variable "name_prefix" {
+  description = "Resource names prefixed by this string."
+
+  type     = string
+  nullable = true
+  default  = null
+}
+
+## Bucket options
+
+variable "bucket_name_override" {
+  description = "Explicit name for the remote state bucket. If not specified, the bucket will be named as {name_prefix}-{region_name}-states"
+
+  type     = string
+  nullable = true
+  default  = null
+}
+
+
+## DynamoDB Table for locks
+
+variable "table_name_override" {
+  description = "Explicit name for the remote state lock DynamoDB table. If not specified, the table will be named as {name_prefix}-{region_name}-tf-state-locks"
+
+  type     = string
+  nullable = true
+  default  = null
+}
+
+
+variable "table_encryption_at_rest" {
+  description = "Wheather or not apply encryption at rest for the DynamoDB."
+
+  type    = bool
+  default = false
+}
+
+variable "table_billing_mode" {
+  description = "Table billing mode. Can be PAY_PER_REQUEST or PROVISIONED"
+  type        = string
+
+  default = "PAY_PER_REQUEST"
+}
+
+variable "table_write_capacity" {
+  description = "(Optional) The number of write units for the lock table. If the billing_mode is PROVISIONED, this field is required"
+  type        = number
+
+  default = 0
+}
+
+variable "table_read_capacity" {
+  description = "(Optional) The number of read units for this table. If the billing_mode is PROVISIONED, this field is required"
+  type        = number
+
+  default = 0
+}