Add disk name suffix to be able to create several nfs disks in the same project

.github/workflows/terraform.yml

@@ -16,6 +16,7 @@ concurrency:
 
 env:
   TF_VAR_parent_id: project-e00pjzzrtk1fs3yavy
+  TF_VAR_tenant_id: tenant-e00f3wdfzwfjgbcyfv
 
 jobs:
   terraform:
@@ -29,8 +30,9 @@ jobs:
         solution:
           - name: k8s-inference
           - name: k8s-training
-          - name: slurm
           - name: wireguard
+          - name: dsvm
+          - name: bastion
 
     defaults:
       run:
@@ -72,7 +74,7 @@ jobs:
 
     - name: Install Nebius CLI
       run: |
-        curl -sSL https://storage.ai.nebius.cloud/nebius/install.sh | bash
+        curl -sSL https://storage.eu-north1.nebius.cloud/cli/install.sh | bash
         echo "${HOME}/.nebius/bin" >> $GITHUB_PATH
 
     - name: Nebius CLI init
@@ -170,7 +172,7 @@ jobs:
 
     - name: Install Nebius CLI
       run: |
-        curl -sSL https://storage.ai.nebius.cloud/nebius/install.sh | bash
+        curl -sSL https://storage.eu-north1.nebius.cloud/cli/install.sh | bash
         echo "${HOME}/.nebius/bin" >> $GITHUB_PATH
 
     - name: Nebius CLI init

CODEOWNERS

@@ -2,4 +2,4 @@
 * @malibora @jadnov @elijah-k-nebius @rdjjke @asteny
 
 .github/workflows @malibora @d3vil-st @elijah-k-nebius
-soperator @dstaroff @asteny @rdjjke @Uburro
+soperator/ @dstaroff @asteny @rdjjke @Uburro

README.md

@@ -20,7 +20,7 @@ This repository is a curated collection of Terraform and Helm solutions designed
 
 For those who prefer containerized environments, our Kubernetes solution includes GPU-Operator and Network-Operator. This setup ensures that your training workloads use dedicated GPU resources and optimized network configurations, both of which are critical components for AI models that require a lot of computational power. . GPU-Operator simplifies the management of NVIDIA GPUs, automating the deployment of necessary drivers and plugins. Similarly, the Network-Operator improves network performance, ensuring seamless communication throughout your cluster. The cluster uses InfiniBand technology, which provides the fastest host connections for data-intensive tasks. 
 
-[SLURM](./slurm/README.md)
+[SLURM](./soperator/README.md)
 
 Our SLURM solutions offer a streamlined approach for users who prefer traditional HPC environments. These solutions include ready-to-use images pre-configured with NVIDIA drivers and are ideal for those looking to take advantage of SLURM’s robust job scheduling capabilities.  Similar to our Kubernetes offerings, the SLURM solutions are optimized for InfiniBand connectivity, ensuring peak performance and efficiency in data transfer and communication between nodes.
 

bastion/README.md

@@ -0,0 +1,140 @@
+# Bastion instance
+
+This Terraform solution deploys a Bastion instance that serves as a secure jump host for your infrastructure. 
+It improves the security by minimizing the use of Public IPs and limiting access to the rest of the environment. 
+
+Also create a Service Account with generated Auhorization key pair to authentificate Nebius CLI on the host.
+
+Also installed on the host:
+- Wireguard VPN solution with UI
+- Nebius CLI and configured with profile authentificated by Service account
+- kubectl and configured to connect to first mk8s cluster available in project by --internal flag
+  (scanned by: `nebius mk8s v1 cluster list`)
+
+## How to connect over bastion
+
+### Edit you local ssh config
+
+`~/.ssh/config`
+
+```
+Host bastion
+    HostName <public_ip_of_bastion_host>
+    User bastion
+    IdentityFile ~/.ssh/private.key
+
+Host target
+    HostName <private_ip_of_host_after_bastion>
+    User ubuntu
+    IdentityFile ~/.ssh/private.key
+    ProxyJump bastion
+```
+
+### Login to remote VM behind bastion
+```
+ssh target
+```
+
+## Prerequisites
+
+1. Install [Nebius CLI](https://docs.nebius.dev/en/cli/#installation):
+   ```bash
+   curl -sSL https://storage.eu-north1.nebius.cloud/cli/install.sh | bash
+   ```
+
+2. Reload your shell session:
+
+   ```bash
+   exec -l $SHELL
+   ```
+
+   or
+
+   ```bash
+   source ~/.bashrc
+   ```
+
+3. [Configure](https://docs.nebius.ai/cli/configure/) Nebius CLI (we recommend using [service account](https://docs.nebius.ai/iam/service-accounts/manage/)):
+   ```bash
+   nebius init
+   ```
+
+4. Install JQuery (for Debian-based distributions):
+   ```bash
+   sudo apt install jq -y
+   ```
+
+## Installation
+
+To deploy the solution, follow these steps:
+
+1. Load environment variables:
+   ```bash
+   source ./environment.sh
+   ```
+2. Initialize Terraform:
+   ```bash
+   terraform init
+   ```
+3. Replace the placeholder content in `terraform.tfvars` with the configuration values that you need. See the details [below](#configuration-variables).
+4. Preview the deployment plan:
+   ```bash
+   terraform plan
+   ```
+5. Apply the configuration:
+   ```bash
+   terraform apply
+   ```
+   Wait for the operation to complete.
+
+## Configuration variables
+
+Update the following variables in the `terraform.tfvars` file with your own values:
+
+- `tenant-id`
+- `parent_id`
+- `subnet_id`
+- `ssh_user_name`
+- `ssh_public_key`
+
+## Creating and using a public IP allocation
+
+This step allows you to retain the IP address even if the VM is deleted. If you don’t need to keep the IP adress, skip section.
+
+1. Create a public IP allocation:
+   ```bash
+   nebius vpc v1 allocation create  --ipv-4-public \
+   --parent-id <project-id> --name wireguard_allocation_pub \
+   --format json | jq -r '.metadata.id'
+   ```
+2. Assign the value from the previous step to the `public_ip_allocation_id` variable in [variables.tf](./variables.tf):
+
+```bash
+public_ip_allocation_id = <public_ip_allocation_id>
+```
+
+### Logging into Wireguard UI
+
+1. SSH into the Wireguard instance:
+   ```bash
+   ssh -i <path_to_private_ssh_key> <ssh_user_name>@<instance_public_ip>
+   ```
+
+2. Retrieve the Wireguard UI password:
+   ```bash
+   sudo cat /var/lib/wireguard-ui/initial_password
+   ```
+
+3. Open the Wireguard UI in your browser:
+   ```
+   http://<instance_public_ip>:5000
+   ```
+
+4. Log in with the following credentials:
+   - **Username:** `admin`
+   - **Password:** [password retrieved in step 2]
+
+### Notes
+
+- **Apply Config:** After creating, deleting or changing Wireguard users, select "Apply Config".
+- **Allowed IPs:** When adding new users, specify the CIDRs of your existing infrastructure in the "Allowed IPs" field.

bastion/disks.tf

@@ -0,0 +1,8 @@
+resource "nebius_compute_v1_disk" "bastion-boot-disk" {
+  parent_id           = var.parent_id
+  name                = "bastion-boot-disk"
+  block_size_bytes    = 4096
+  size_bytes          = 64424509440
+  type                = "NETWORK_SSD"
+  source_image_family = { image_family = "ubuntu22.04-driverless" }
+}

slurm/environment.sh → bastion/environment.sh

@@ -1,3 +1,4 @@
 #/bin/sh
 unset NEBIUS_IAM_TOKEN
 export NEBIUS_IAM_TOKEN=$(nebius iam get-access-token)
+export TF_VAR_iam_token=$NEBIUS_IAM_TOKEN

bastion/locals.tf

@@ -0,0 +1,4 @@
+locals {
+  ssh_public_key = var.ssh_public_key.key != null ? var.ssh_public_key.key : (
+  fileexists(var.ssh_public_key.path) ? file(var.ssh_public_key.path) : null)
+}

bastion/main.tf

@@ -0,0 +1,32 @@
+resource "nebius_compute_v1_instance" "bastion_instance" {
+  parent_id = var.parent_id
+  name      = "bastion-instance"
+
+  boot_disk = {
+    attach_mode   = "READ_WRITE"
+    existing_disk = nebius_compute_v1_disk.bastion-boot-disk
+  }
+
+  network_interfaces = [
+    {
+      name              = "eth0"
+      subnet_id         = var.subnet_id
+      ip_address        = {}
+      public_ip_address = {}
+    }
+  ]
+
+  resources = {
+    platform = "cpu-e2"
+    preset   = "4vcpu-16gb"
+  }
+
+  cloud_init_user_data = templatefile("../modules/cloud-init/bastion-cloud-init.tftpl", {
+    ssh_user_name      = var.ssh_user_name
+    ssh_public_key     = local.ssh_public_key
+    sa_private_key     = local.sa_private_key
+    parent_id          = var.parent_id
+    sa_public_key_id   = local.sa_public_key_id
+    service_account_id = local.service_account_id
+  })
+}

bastion/output.tf

@@ -0,0 +1,6 @@
+output "bastion_host_public_ip" {
+  value = trimsuffix(nebius_compute_v1_instance.bastion_instance.status.network_interfaces[0].public_ip_address.address, "/32")
+}
+output "bastion_service_account" {
+  value = nebius_iam_v1_service_account.bastion-sa.id
+}

bastion/provider.tf

@@ -0,0 +1,11 @@
+terraform {
+  required_providers {
+    nebius = {
+      source = "terraform-provider.storage.eu-north1.nebius.cloud/nebius/nebius"
+    }
+  }
+}
+
+provider "nebius" {
+  domain = "api.eu.nebius.cloud:443"
+}

bastion/sa.tf

@@ -0,0 +1,37 @@
+resource "tls_private_key" "bastion_sa_key" {
+  algorithm = "RSA"
+  rsa_bits  = 4096
+}
+
+resource "nebius_iam_v1_service_account" "bastion-sa" {
+  parent_id = var.parent_id
+  name      = "bastion-sa"
+}
+
+data "nebius_iam_v1_group" "admins-group" {
+  name      = "editors"
+  parent_id = var.tenant_id
+}
+
+resource "nebius_iam_v1_group_membership" "bastion-sa-admin" {
+  parent_id = data.nebius_iam_v1_group.admins-group.id
+  member_id = nebius_iam_v1_service_account.bastion-sa.id
+}
+
+resource "nebius_iam_v1_auth_public_key" "bastion-sa-public-key" {
+  parent_id  = var.parent_id
+  expires_at = timeadd(timestamp(), "8760h") # 1 Year expiration time
+  account = {
+    service_account = {
+      id = nebius_iam_v1_service_account.bastion-sa.id
+    }
+  }
+  data = tls_private_key.bastion_sa_key.public_key_pem
+}
+
+locals {
+  sa_public_key      = tls_private_key.bastion_sa_key.public_key_pem
+  sa_private_key     = tls_private_key.bastion_sa_key.private_key_pem
+  sa_public_key_id   = nebius_iam_v1_auth_public_key.bastion-sa-public-key.id
+  service_account_id = nebius_iam_v1_service_account.bastion-sa.id
+}

bastion/terraform.tfvars

@@ -0,0 +1,8 @@
+# tenant-id = ""
+# parent_id = ""
+# subnet_id = ""
+# ssh_user_name = "bastion"
+# ssh_public_key = {
+#   key  = "put your public ssh key here"
+#   path = "put path to ssh key here"
+# }

bastion/test-resource.tf

@@ -0,0 +1,22 @@
+locals {
+  test_bst_host = trimsuffix(nebius_compute_v1_instance.bastion_instance.status.network_interfaces[0].public_ip_address.address, "/32")
+}
+
+resource "null_resource" "check_bastion_instance" {
+  count = var.test_mode ? 1 : 0
+
+  connection {
+    user = var.ssh_user_name
+    host = local.test_bst_host
+  }
+
+  provisioner "remote-exec" {
+    inline = [
+      "set -eu",
+      "cloud-init status --wait",
+      "ip link show wg0",
+      "systemctl -q status [email protected] > /dev/null",
+      ".nebius/bin/nebius iam whoami > /dev/null"
+    ]
+  }
+}

bastion/tests/main.tftest.hcl

@@ -0,0 +1,7 @@
+run "test_mode_bastion_apply" {
+  command = apply
+
+  variables {
+    test_mode = true
+  }
+}

bastion/variables.tf

@@ -0,0 +1,47 @@
+variable "tenant_id" {
+  description = "Tenant ID."
+  type        = string
+}
+
+variable "parent_id" {
+  description = "Project ID."
+  type        = string
+}
+
+variable "subnet_id" {
+  description = "Subnet ID."
+  type        = string
+}
+
+# SSH access
+variable "ssh_user_name" {
+  description = "SSH username."
+  type        = string
+  default     = "bastion"
+}
+
+variable "ssh_public_key" {
+  description = "SSH Public Key to access the cluster nodes."
+  type = object({
+    key  = optional(string),
+    path = optional(string, "~/.ssh/id_rsa.pub")
+  })
+  default = {}
+  validation {
+    condition     = var.ssh_public_key.key != null || fileexists(var.ssh_public_key.path)
+    error_message = "SSH Public Key must be set by `key` or file `path` ${var.ssh_public_key.path}"
+  }
+}
+
+# Access By IP
+variable "public_ip_allocation_id" {
+  description = "Id of a manually created public_ip_allocation."
+  type        = string
+  default     = null
+}
+
+variable "test_mode" {
+  description = "Switch between real usage and testing."
+  type        = bool
+  default     = false
+}