variable "ems_enabled_sandboxes" {
  # Empty by default: a sandbox only gets EMS when it is listed here explicitly.
  type        = list(string)
  description = "List of sandboxes that should have EMS enabled"
  default     = []
}
# required variables (from *.tfvars or elsewhere)
variable "aws_account" {
  # Required input (no default): supplied via *.tfvars or on the command line.
  type        = string
  description = "AWS account to use for deployment"
}
variable "stack_name" {
  # Required input; also forms the host part of "stack_name.domain" (see var.domain).
  type        = string
  description = "Stack Name"
}
variable "key_name" {
  # Required input. Presumably the name of an existing EC2 key pair — confirm
  # against the instance resources that consume it.
  type        = string
  description = "SSH key name"
}
variable "domain" {
  # Required input; the stack's hostname is built as "<stack_name>.<domain>".
  type        = string
  description = "Domain for instance. Hostname will be stack_name.domain"
}
variable "r53_zone_id" {
  # Required input: the Route 53 hosted zone that serves var.domain.
  type        = string
  description = "zone ID for above domain"
}
# Optional variables
# TODO can be extended to offer a mapping of account to tld
# alternatively, could drop the domain delegation and interact directly with
# the "DNS" account
variable "alternate_domain_names_account" {
  # The default is a hard-coded AWS account ID, i.e. environment-specific;
  # override it when this module is deployed outside that organisation.
  type        = string
  description = "account into which we should find the alternate_domain_names_r53_zone_id"
  default     = "569129334545"
}
# TODO can do some terraform manip to get this from the alternate domain names?
# feels ugly to create another default var for this...
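variable "alternate_domain_names_r53_zone_id" {
  # Hosted zone that lives in alternate_domain_names_account (see that
  # variable). The default is environment-specific; override per deployment.
  description = "Route 53 hosted zone ID, owned by alternate_domain_names_account, in which the alternate domain name records are created"
  type        = string
  default     = "Z09116458NELLNLT4X9N"
}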
variable "alternative_domain_names_excluded_sandboxes" {
  # Note the "alternative_" prefix differs from the "alternate_" variables
  # above; renaming would break existing tfvars, so the name is kept as is.
  type        = list(string)
  description = "list of sandboxes for which we do NOT want a CNAME"
  default     = ["class", "staging", "course"]
}
variable "alternative_domain_names_sandbox_override" {
  # Keyed by sandbox name; each value is the full list of hostnames to use
  # instead of the generated one. Empty map means no overrides.
  type        = map(list(string))
  description = "if provided, override a given sandbox hostname with a list of hostnames"
  default     = {}
}
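variable "stack_env" {
  description = "dev|test|prod"
  type        = string
  # Default to the most restrictive environment.
  default     = "prod"

  # Fail closed: local.management_ips only recognises the exact string "prod";
  # any other value (including a typo such as "Prod") selects the wider
  # dev/qa/prod SSH allowlist. Rejecting unknown values here prevents that.
  # Requires Terraform >= 0.13 for variable validation blocks.
  validation {
    condition     = contains(["dev", "test", "prod"], var.stack_env)
    error_message = "The stack_env value must be one of dev, test or prod."
  }
}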
variable "region" {
  # Deployment region; defaults to Oregon.
  type        = string
  description = "AWS region"
  default     = "us-west-2"
}
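variable "vpc_cidr" {
  # local.subnet_cidrs carves subnets out of this block with
  # cidrsubnet(var.vpc_cidr, 8, n), so a /16 default yields /24 subnets.
  description = "IPv4 CIDR block for the stack VPC"
  type        = string
  default     = "172.16.0.0/16"
}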
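variable "num_zones" {
  # NOTE(review): local.subnet_cidrs defines exactly two subnets regardless of
  # this value — confirm against the resources that consume num_zones before
  # relying on values other than 2.
  description = "Number of availability zones to spread the stack across"
  type        = number
  default     = 2
}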
variable "ams_create" {
  # Opt-in: AMS / MongoDB instances are not created unless set to true.
  type        = bool
  description = "Set to false to prevent creation of AMS / MongoDB instances"
  default     = false
}
variable "ams_asg_min_size" {
  # Zero by default, consistent with ams_create defaulting to false.
  type        = number
  description = "Minimum size for ant-media autoscaling cluster"
  default     = 0
}
variable "ams_asg_max_size" {
  # Zero by default, consistent with ams_create defaulting to false.
  type        = number
  description = "Maximum size for ant-media autoscaling cluster"
  default     = 0
}
variable "ams_asg_default_cooldown" {
  # Seconds between consecutive scaling activities of the ant-media ASG.
  type        = number
  description = "Number of seconds to wait between autoscalings"
  default     = 300
}
variable "ems_asg_min_size" {
  # Lower bound per EMS cluster (see ems_num_clusters for how many clusters).
  type        = number
  description = "Minimum size for EMS autoscaling cluster"
  default     = 1
}
variable "ems_asg_max_size" {
  # Upper bound per EMS cluster; equal to the minimum by default (fixed size).
  type        = number
  description = "Maximum size for EMS autoscaling cluster"
  default     = 1
}
variable "ems_asg_default_cooldown" {
  # Seconds between consecutive scaling activities of the EMS ASG.
  type        = number
  description = "Number of seconds to wait between autoscalings"
  default     = 300
}
variable "ems_asg_hc_interval" {
  # How often (seconds) the EMS health check runs; see also hc_threshold/hc_timeout.
  type        = number
  description = "EMS ASG health check interval in seconds"
  default     = 30
}
variable "ems_asg_hc_threshold" {
  # Number of consecutive health check results needed to change instance state.
  type        = number
  description = "EMS ASG health check threshold"
  default     = 3
}
variable "ems_asg_hc_timeout" {
  # Must stay below ems_asg_hc_interval (30s) for the checks to be meaningful.
  type        = number
  description = "EMS ASG health check timeout in seconds"
  default     = 5
}
variable "ami_owners" {
  # Restricting AMI lookups to a known owner account (the shared-assets
  # account) prevents a look-alike public AMI from being picked up by name.
  type        = list(string)
  description = "AMI Owners"
  default     = ["569129334545"]
}
variable "sw_version" {
  # Used as a prefix match; the empty default therefore matches every version.
  type        = string
  description = "beginning of version string. E.g. v1.2.3 will match v1.2.3*"
  default     = ""
}
variable "ami_ids" {
  # An empty string means "not frozen": the AMI for that component is looked
  # up dynamically (see ami_owners / sw_version) instead of being pinned.
  type        = map(any)
  description = "Use to freeze AMI IDs"
  default = {
    "ams"      = ""
    "ems"      = ""
    "bastion"  = ""
    "engageli" = ""
    "mongodb"  = ""
    "dequeue"  = ""
  }
}
variable "engageli_paths" {
  # Path patterns routed to the engageli backend; compare ams_paths.
  type        = list(string)
  description = "URL paths destined for engageli"
  default     = ["/api/*"]
}
variable "ems_num_clusters" {
  # Horizontal scale-out knob: each cluster has its own ASG sized by
  # ems_asg_min_size / ems_asg_max_size.
  type        = number
  description = "(hack?) as an intermediate way to achieve scale attach multiple EMS clusters to a singel stack"
  default     = 1
}
variable "ams_paths" {
  # Path patterns routed to ant-media; compare engageli_paths.
  type        = list(string)
  description = "URL paths destined for ant-media"
  default     = ["/*/websocket"]
}
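variable "ant_license" {
  description = "Ant-Media license to use"
  type        = string
  # A license key is a credential. Marking it sensitive keeps it out of plan
  # output and CLI logs (requires Terraform >= 0.14). It is still committed
  # here as a default; the key should be rotated and supplied from *.tfvars
  # or a secrets store instead, at which point this default can be removed.
  sensitive   = true
  default     = "AMS74d43380e4f886fcc9bd899fb2f565"
}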
variable "sandboxes" {
  # Every entry must have a matching ant app provisioned out of band.
  type        = list(string)
  description = "sandboxes to create. Needs to match provisioned ant apps"
  default     = ["class", "staging"]
}
variable "instance_types" {
  # Keyed by component. local.ems_arch derives the CPU architecture from the
  # "ems" entry, so changing it may also change the AMI that is selected.
  type        = map(any)
  description = "Instance types to use"
  default = {
    "bastion"   = "t3.micro"
    "ems"       = "t3.micro"
    "engageli"  = "t3.micro"
    "mongodb"   = "t3.micro"
    "postgres"  = "db.t3.micro"
    "redis"     = "cache.t3.micro"
    "ems_redis" = "cache.t3.micro"
    "ams"       = "t3.micro"
    "recorder"  = "t3.micro"
    "merger"    = "t3.micro"
  }
}
locals {
  # CPU architecture for the EMS AMI, derived from var.instance_types["ems"]:
  # take the instance family (everything before the first "."), then look at
  # its last character. "c6g.large" -> "c6g" -> "g" -> arm64; "t3.micro" -> "t3"
  # -> "3" -> amd64.
  # NOTE(review): families whose Graviton marker is followed by a suffix (e.g.
  # "m6gd") end in a letter other than "g" and would be classified amd64 — confirm
  # this is acceptable before using such types for EMS.
  # assume that if the instance family ends with g (e.g. c6g.large), the architecture is ARM
  ems_arch = substr(regex("^\\w+", var.instance_types["ems"]), -1, 1) == "g" ? "arm64" : "amd64"
}
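variable "ebs_root_volume_size" {
  # Explicit type so a non-numeric size fails at plan time rather than at
  # resource creation; keyed by component like instance_types.
  description = "Size of the root EBS volume in gibibytes (GiB)"
  type        = map(number)
  default = {
    "ems"      = 8
    "engageli" = 8
    "recorder" = 8
    "merger"   = 8
  }
}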
# Under current design, concurrent_merger_jobs_per_instance is set to 1, don't change it.
variable "concurrent_merger_jobs_per_instance" {
  # The current design assumes exactly one merger worker per dequeue node.
  type        = number
  description = "Number of concurrent merger workers in a dequeue node"
  default     = 1
}
variable "merger_asg_min_size" {
  # Lower bound of the merger ASG.
  type        = number
  description = "Minimum size for merger autoscaling cluster"
  default     = 3
}
variable "merger_asg_max_size" {
  # Upper bound of the merger ASG.
  type        = number
  description = "Maximum size for merger autoscaling cluster"
  default     = 10
}
# Currently not used in terraform code
variable "merger_asg_desired_size" {
  # Declared for completeness; per the comment above it is not yet referenced.
  type        = number
  description = "Desired size for merger autoscaling cluster"
  default     = 3
}
variable "merger_asg_warm_pool_min_size" {
  # Pre-initialised instances kept ready for the merger ASG (lower bound).
  type        = number
  description = "Minimum size for merger autoscaling cluster warm pool"
  default     = 3
}
variable "merger_asg_warm_pool_max_size" {
  # Pre-initialised instances kept ready for the merger ASG (upper bound).
  type        = number
  description = "Maximum size for merger autoscaling cluster warm pool"
  default     = 3
}
variable "merger_asg_default_cooldown" {
  # Seconds between consecutive scaling activities of the merger ASG.
  type        = number
  description = "Number of seconds to wait between autoscalings"
  default     = 300
}
variable "concurrent_recorder_jobs_per_instance" {
  # Recorder workers per dequeue node; counterpart of the merger setting.
  type        = number
  description = "Number of concurrent recorder workers in a dequeue node"
  default     = 1
}
variable "recorder_asg_min_size" {
  # Lower bound of the recorder ASG.
  type        = number
  description = "Minimum size for recorder autoscaling cluster"
  default     = 1
}
variable "recorder_asg_max_size" {
  # Upper bound of the recorder ASG.
  type        = number
  description = "Maximum size for recorder autoscaling cluster"
  default     = 3
}
# Currently not used in terraform code
variable "recorder_asg_desired_size" {
  # Declared for completeness; per the comment above it is not yet referenced.
  type        = number
  description = "Desired size for recorder autoscaling cluster"
  default     = 1
}
variable "recorder_asg_warm_pool_min_size" {
  # Pre-initialised instances kept ready for the recorder ASG (lower bound).
  type        = number
  description = "Minimum size for recorder autoscaling cluster warm pool"
  default     = 1
}
variable "recorder_asg_warm_pool_max_size" {
  # Pre-initialised instances kept ready for the recorder ASG (upper bound).
  type        = number
  description = "Maximum size for recorder autoscaling cluster warm pool"
  default     = 3
}
variable "recorder_asg_default_cooldown" {
  # Seconds between consecutive scaling activities of the recorder ASG.
  type        = number
  description = "Number of seconds to wait between autoscalings"
  default     = 300
}
# https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/supported-engine-versions.html
variable "redis_engine_version" {
  # NOTE(review): the description warns that the wildcard form "seems to cause
  # issues", yet the default is the wildcard "6.x" — one of the two should be
  # reconciled. Must stay in step with redis_parameter_group_name.
  type        = string
  description = "Redis Engine version to use. Keeping the wildcard (e.g. 6.x) seems to cause issues"
  default     = "6.x"
}
#https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/ParameterGroups.html
variable "redis_parameter_group_name" {
  # Parameter group family must match the major version in redis_engine_version.
  type        = string
  description = "Redis Parameter Group Name"
  default     = "default.redis6.x"
}
# Variables for CloudFront CDN
# https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html
variable "cf_enabled" {
  # Maps to the CloudFront distribution's enabled flag; true by default.
  type        = bool
  description = "Set to false to prevent CloudFront from accepting end user requests"
  default     = true
}
variable "cf_price_class" {
  # PriceClass_100 is the cheapest tier (fewest edge locations).
  type        = string
  description = "Price Class determines what edge locations are included"
  default     = "PriceClass_100"
}
variable "cf_minimum_protocol_version" {
  # Viewer-facing TLS floor. TLSv1.2_2021 is the strictest of the current
  # CloudFront policies; overriding to an older policy weakens viewer TLS.
  type        = string
  description = "The minimum version of the SSL protocol"
  default     = "TLSv1.2_2021"
}
variable "cf_ssl_support_method" {
  # sni-only is the normal (and cheaper) choice; "vip" allocates dedicated IPs.
  type        = string
  description = "CloudFront to serve HTTPS requests - vip uses a dedicated IP"
  default     = "sni-only"
}
# static assets cloudfront
variable "cf_static_default_ttl" {
  # One hour; must lie between cf_static_min_ttl and cf_static_max_ttl.
  type        = number
  description = "default ttl for static assets"
  default     = 3600
}
variable "cf_static_max_ttl" {
  # One day.
  type        = number
  description = "max ttl for static assets"
  default     = 86400
}
variable "cf_static_min_ttl" {
  # One minute.
  type        = number
  description = "min ttl for static assets"
  default     = 60
}
#https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html
variable "aws_lb_ssl_policy" {
  # TLS 1.2-only predefined policy for the ALB HTTPS listener. Newer predefined
  # policies that also allow TLS 1.3 (e.g. ELBSecurityPolicy-TLS13-1-2-2021-06)
  # can be passed in without changing this module.
  type        = string
  description = "SSL Policy for aws_lb_listener"
  default     = "ELBSecurityPolicy-TLS-1-2-Ext-2018-06"
}
# Variables for CloudWatch Metrics
variable "cw_dashboard_create" {
  # Opt-in: the CloudWatch dashboard is not created unless set to true.
  type        = bool
  description = "Set to false to prevent the creating CloudWatch dashboard"
  default     = false
}
variable "cw_metric_period" {
  # Five-minute data points.
  type        = number
  description = "The period is the length of time (seconds) represented by one data point on the graph"
  default     = 300
}
variable "cw_metric_width" {
  # Dashboard widget width in grid units.
  type        = number
  description = "Width of the metric widget"
  default     = 6
}
variable "cw_metric_height" {
  # Dashboard widget height in grid units.
  type        = number
  description = "Height of the metric widget"
  default     = 6
}
# Variables for lambda function logging
variable "lamdba_vod_log_days_retention" {
  # "lamdba" is a typo for "lambda" but is part of the public variable name;
  # renaming would break existing tfvars, so it is kept.
  type        = number
  description = "Number of days to retain logs for lamdbda VOD function"
  default     = 14
}
variable "lamdba_scale_log_days_retention" {
  # Same "lamdba" typo as lamdba_vod_log_days_retention; kept for compatibility.
  type        = number
  description = "Number of days to retain logs for lamdbda scale function"
  default     = 14
}
# Variables for RDS Logging
variable "rds_log_days_retention" {
  # Only relevant when rds_audit_log is true (the log group is otherwise unused).
  type        = number
  description = "Number of days to retain RDS CloudWatch log group"
  default     = 30
}
variable "rds_audit_log" {
  # Off by default: database audit logging is not exported to CloudWatch unless
  # a deployment opts in. Production stacks should set this to true so that
  # access to the database is recorded.
  type        = bool
  description = "Set to false to prevent logging and audit to CloudWatch"
  default     = false
}
variable "deprecated_recorder_bucket_management_enabled" {
  # Legacy path, disabled by default.
  type        = bool
  description = "Set to false to prevent deprecated recorder bucket creation"
  default     = false
}
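variable "extra_ssh_ips" {
  description = "Extra IPs to be allowed to SSH to a stack, but is not supposed to be part of dev/qa/prod user ip lists"
  type        = list(string)
  default     = []

  # These entries are appended to local.management_ips for every environment,
  # including prod, so validate them: each must be a parseable CIDR block and
  # none may be a /0, which would expose SSH to the whole internet.
  # Requires Terraform >= 0.13 for variable validation blocks.
  validation {
    condition = length([
      for c in var.extra_ssh_ips : c
      if !can(cidrhost(c, 0)) || can(regex("/0$", c))
    ]) == 0
    error_message = "Each extra_ssh_ips entry must be a valid CIDR block and must not be a /0 prefix."
  }
}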
locals {
  # Metric name/namespace prefixes used by the recorder autoscaling signals.
  recorder_metric_name      = "recorder_job_count_"
  recorder_metric_namespace = "recorder_metric_ns_"

  # Two /24 subnets carved from var.vpc_cidr (one per zone; see var.num_zones).
  subnet_cidrs = [
    cidrsubnet(var.vpc_cidr, 8, 0),
    cidrsubnet(var.vpc_cidr, 8, 1)
  ]

  # Per-person SSH source allowlists, one /32 per entry.
  # NOTE(review): these are personal, named public IPs committed to the repo.
  # Residential addresses change, so stale entries accumulate, and the list
  # doubles as personal data; a managed prefix list or bastion-side identity
  # check would avoid both problems.
  # e.g. from curl https://checkip.amazonaws.com
  dev_user_ips = [
    "85.250.219.183/32",  # nikita
    "71.202.208.152/32",  # alan
    "98.33.38.126/32",    # ttang2
    "212.150.192.110/32", # Israel office
    "172.74.132.138/32",  # andre
    "66.205.91.88/32",    # andrei
    "45.58.106.194/32",   # nicolas
    "74.15.122.231/32",   # benoit
    "195.24.157.34/32",   # stas
  ]
  qa_user_ips = [
    "76.244.39.139/32",   # marlon @ home
    "166.216.158.160/32", # marlon @ car
    "79.179.38.142/32",   # ori
    "66.75.98.181/32",    # warren
    "76.220.53.183/32",   # warren
  ]
  prod_user_ips = [
    "99.88.40.90/32",    # gideon
    "73.162.20.47/32",   # serge
    "82.81.50.35/32",    # matan
    "96.230.246.113/32", # cany
    "69.209.25.98/32",   # jj
    "77.125.0.214/32",   # igor
    "24.48.75.28/32",    # fabien
  ]

  # IPs allowed for ssh access to stack, see populate-os-users.sh for how users are created
  # Only the exact string "prod" selects the narrow list; any other stack_env
  # value (including a misspelling of prod) gets dev + qa + prod. extra_ssh_ips
  # is appended in every environment, so it is not a dev-only escape hatch.
  management_ips = var.stack_env == "prod" ? concat(local.prod_user_ips, var.extra_ssh_ips) : concat(local.dev_user_ips, local.qa_user_ips, local.prod_user_ips, var.extra_ssh_ips)
}
locals {
  # Gallery sizing constants used when converting student load into merger
  # capacity.
  students_per_gallery   = 20
  galleries_per_instance = 1

  # Metric name/namespace prefixes used by the merger autoscaling signals;
  # counterparts of recorder_metric_name / recorder_metric_namespace.
  merger_metric_name      = "merger_job_count_"
  merger_metric_namespace = "merger_metric_ns_"
}
variable "bastion_key_name" {
  # Name under which the bastion key pair is registered (see bastion_public_key_file).
  type        = string
  description = "bastion key name"
  default     = "bastion_key"
}
variable "bastion_public_key_file" {
  # Required input. Path to the *public* half of the bastion key pair; the
  # private key never needs to be handed to Terraform.
  type        = string
  description = "bastion public key file"
}
variable "recorder_key_name" {
  # Name under which the recorder key pair is registered (see ssh_public_key_file).
  type        = string
  description = "recorder key name"
  default     = "recorder_key"
}
variable "merger_key_name" {
  # Name under which the merger key pair is registered (see ssh_public_key_file).
  type        = string
  description = "merger key name"
  default     = "merger_key"
}
variable "ssh_public_key_file" {
  # Required input. Path to the *public* key shared by recorder and merger
  # instances; the private key never needs to be handed to Terraform.
  type        = string
  description = "public key file for recorder/merger instance"
}
variable "recorder_low_water_mark" {
  # Scale-in trigger; presumably a utilisation ratio in [0, 1] — confirm against
  # the scaling policy that consumes it. Must stay below recorder_high_water_mark.
  type        = number
  description = "threshold to trigger instance scaling in"
  default     = 0.4
}
variable "recorder_high_water_mark" {
  # Scale-out trigger; same unit as recorder_low_water_mark and must exceed it.
  type        = number
  description = "threshold to trigger instance scaling out"
  default     = 0.9
}
variable "merger_low_water_mark" {
  # Scale-in trigger for the merger ASG; must stay below merger_high_water_mark.
  type        = number
  description = "threshold to trigger instance scaling in"
  default     = 0.4
}
variable "merger_high_water_mark" {
  # Scale-out trigger for the merger ASG; must exceed merger_low_water_mark.
  type        = number
  description = "threshold to trigger instance scaling out"
  default     = 0.9
}
variable "rds_snapshot_id" {
  # null (the default) means a fresh database is created rather than restored.
  type        = string
  description = "Snapshot to create the db from"
  default     = null
}
variable "wazuh_agent_enabled" {
  # Host-based monitoring is opt-in: no agent is installed unless set to true,
  # so stacks built with defaults have no endpoint telemetry.
  type        = bool
  description = "Determines if wazuh agent should be installed to instances of the stack"
  default     = false
}
# TODO clean this up when grafana cloud is GA
variable "cloudwatch_agent_enabled" {
  # Disabled by default; telegraf_enabled is the active metrics path.
  type        = bool
  description = "Determines if the cloudwatch agent is running on ec2 nodes"
  default     = false
}
variable "telegraf_enabled" {
  # Enabled by default, in contrast to cloudwatch_agent_enabled.
  type        = bool
  description = "Determines if telegraf is running on ec2 nodes"
  default     = true
}
variable "asg_enabled_metrics" {
  # CloudWatch group metrics to enable on each autoscaling group.
  type        = list(any)
  description = "metrics enabled for asg"
  default = [
    "GroupMinSize",
    "GroupMaxSize",
    "GroupDesiredCapacity",
    "GroupInServiceInstances",
    "GroupPendingInstances",
    "GroupStandbyInstances",
    "GroupTerminatingInstances",
    "GroupTotalInstances",
  ]
}