feat: INFRA-403 config to forward logs with fluentd

Ferlab-Ste-Justine · Sep 18, 2023 · a601365 · a601365
1 parent 1b6dc81
commit a601365
Show file tree

Hide file tree

Showing 4 changed files with 128 additions and 23 deletions.
diff --git a/README.md b/README.md
@@ -39,6 +39,19 @@ The module takes the following variables as input:
 - **postgres_user**: User that will be used to access the database
 - **postgres_database**: Name of the database that will be accessed
 - **postgres_password**: Password that will be used to access the database. If omitted, a random password is generated
+- **fluentd**: Optional fluentd configuration to securely route logs to a fluentd node using the forward plugin. It has the following keys:
+  - **enabled**: If set to false (the default), fluentd will not be installed.
+  - **postgres_tag**: Tag to assign to logs coming from haproxy
+  - **node_exporter_tag** Tag to assign to logs coming from the prometheus node exporter
+  - **forward**: Configuration for the forward plugin that will talk to the external fluentd node. It has the following keys:
+    - **domain**: Ip or domain name of the remote fluentd node.
+    - **port**: Port the remote fluentd node listens on
+    - **hostname**: Unique hostname identifier for the vm
+    - **shared_key**: Secret shared key with the remote fluentd node to authentify the client
+    - **ca_cert**: CA certificate that signed the remote fluentd node's server certificate (used to authentify it)
+  - **buffer**: Configuration for the buffering of outgoing fluentd traffic
+    - **customized**: Set to false to use the default buffering configurations. If you wish to customize it, set this to true.
+    - **custom_value**: Custom buffering configuration to provide that will override the default one. Should be valid fluentd configuration syntax, including the opening and closing ```<buffer>``` tags.
 
 The following input variables are also required for postgres' certificate for tls communication:
 - **key_length**: Length of the certificate's RSA key (defaults to 4096)

diff --git a/main.tf b/main.tf
@@ -6,39 +6,84 @@ resource "random_string" "postgres_password" {
 locals {
   postgres_password = var.postgres_password != "" ? var.postgres_password : random_string.postgres_password.result
   postgres_params = "-c ssl=on -c ssl_cert_file=/opt/pg.pem -c ssl_key_file=/opt/pg.key ${var.postgres_params}"
+  postgres_fluentd = {
+    enabled            = var.fluentd.enabled
+    tag                = var.fluentd.postgres_tag
+    port               = 28080
+  }
   block_devices = var.image_source.volume_id != "" ? [{
     uuid                  = var.image_source.volume_id
     source_type           = "volume"
     boot_index            = 0
     destination_type      = "volume"
     delete_on_termination = false
   }] : []
+  cloudinit_templates = concat([
+      {
+        filename     = "postgres.cfg"
+        content_type = "text/cloud-config"
+        content      = templatefile(
+          "${path.module}/templates/cloud_config.yaml",
+          {
+            postgres_orchestration = templatefile(
+                "${path.module}/templates/docker-compose.yml",
+                {
+                    image    = var.postgres_image
+                    data     = var.postgres_data
+                    user     = var.postgres_user
+                    database = var.postgres_database
+                    password = local.postgres_password
+                    params   = local.postgres_params
+                    fluentd  = local.postgres_fluentd
+                }
+            )
+            tls_key         = tls_private_key.key.private_key_pem
+            tls_certificate = "${tls_locally_signed_cert.certificate.cert_pem}\n${var.ca.certificate}"
+            postgres_image  = var.postgres_image
+          }
+        )
+      }
+    ],
+    var.fluentd.enabled ? [{
+      filename     = "fluentd.cfg"
+      content_type = "text/cloud-config"
+      content      = module.fluentd_configs.configuration
+    }] : []
+  )
+}
+
+module "fluentd_configs" {
+  source               = "git::https://github.com/Ferlab-Ste-Justine/terraform-cloudinit-templates.git//fluentd?ref=v0.13.1"
+  install_dependencies = true
+  fluentd              = {
+    docker_services        = [
+      {
+        tag                = local.postgres_fluentd.tag
+        service            = "postgres"
+        local_forward_port = local.postgres_fluentd.port
+      }
+    ]
+    systemd_services = [
+      {
+        tag     = var.fluentd.node_exporter_tag
+        service = "node-exporter"
+      }
+    ]
+    forward = var.fluentd.forward,
+    buffer  = var.fluentd.buffer
+  }
 }
 
 data "template_cloudinit_config" "postgres_config" {
   gzip = true
   base64_encode = true
-  part {
-    content_type = "text/cloud-config"
-    content = templatefile(
-      "${path.module}/templates/cloud_config.yaml", 
-      {
-        postgres_orchestration  = templatefile(
-            "${path.module}/templates/docker-compose.yml",
-            {
-                image = var.postgres_image
-                params = local.postgres_params
-                data = var.postgres_data
-                user = var.postgres_user
-                password = local.postgres_password
-                database = var.postgres_database
-            }
-        )
-        tls_key = tls_private_key.key.private_key_pem
-        tls_certificate = "${tls_locally_signed_cert.certificate.cert_pem}\n${var.ca.certificate}"
-        postgres_image = var.postgres_image
-      }
-    )
+  dynamic "part" {
+    for_each = local.cloudinit_templates
+    content {
+      filename     = part.value["filename"]
+      content_type = part.value["content_type"]
+      content      = part.value["content"]
+    }
   }
 }
 

diff --git a/templates/docker-compose.yml b/templates/docker-compose.yml
@@ -15,4 +15,14 @@ services:
       PGDATA:            "${data}"
       POSTGRES_USER:     "${user}"
       POSTGRES_PASSWORD: "${password}"
-      POSTGRES_DB:       "${database}"
+      POSTGRES_DB:       "${database}"
+%{ if fluentd.enabled ~}
+    logging:
+      driver: fluentd
+      options:
+        fluentd-address: 127.0.0.1:${fluentd.port}
+        fluentd-retry-wait: 1s
+        fluentd-max-retries: 3600
+        fluentd-sub-second-precision: true
+        tag: ${fluentd.tag}
+%{ endif ~}
diff --git a/variable.tf b/variable.tf
@@ -98,4 +98,41 @@ variable "key_length" {
   description = "The key length of the certificate's private key"
   type = number
   default = 4096
-}
+}
+
+variable "fluentd" {
+  description = "Fluentd configurations"
+  sensitive   = true
+  type = object({
+    enabled = bool,
+    postgres_tag = string,
+    node_exporter_tag = string,
+    forward = object({
+      domain = string,
+      port = number,
+      hostname = string,
+      shared_key = string,
+      ca_cert = string,
+    }),
+    buffer = object({
+      customized = bool,
+      custom_value = string,
+    })
+  })
+  default = {
+    enabled = false
+    postgres_tag = ""
+    node_exporter_tag = ""
+    forward = {
+      domain = ""
+      port = 0
+      hostname = ""
+      shared_key = ""
+      ca_cert = ""
+    }
+    buffer = {
+      customized = false
+      custom_value = ""
+    }
+  }
+}