add support for gitlab backup upload to S3

Premdeep Saini · Premdeep Saini · commit 2dcf470866bd · 2023-01-19T17:29:20.000+05:30
diff --git a/gitlab_config_templates/gitlab.rb.tftpl b/gitlab_config_templates/gitlab.rb.tftpl
@@ -0,0 +1,27 @@
+external_url '${gitlab_url}'
+gitlab_rails['monitoring_whitelist'] = ['0.0.0.0/0','127.0.0.0/8', '::1/128']
+gitlab_rails['db_adapter'] = "postgresql"
+gitlab_rails['db_encoding'] = "unicode"
+gitlab_rails['db_database'] = "${gitlab_db_name}"
+gitlab_rails['db_username'] = "${gitlab_db_username}"
+gitlab_rails['db_password'] = "${gitlab_db_password}"
+gitlab_rails['db_host'] = "${gitlab_db_host}"
+gitlab_rails['redis_host'] = "${gitlab_redis_host}"
+gitlab_rails['redis_port'] = 6379
+postgresql['enable'] = false
+redis['enable'] = false
+nginx['redirect_http_to_https'] = false
+nginx['listen_port'] = 80
+nginx['listen_https'] = false
+letsencrypt['enable'] = false
+
+################
+# S3 Backup
+################
+gitlab_rails['backup_upload_connection'] = {
+  'provider' => 'AWS',
+  'region' => '${aws_region}',
+  # If using an IAM Profile, don't configure aws_access_key_id & aws_secret_access_key
+  'use_iam_profile' => true
+}
+gitlab_rails['backup_upload_remote_directory'] = '${gitlab_backup_s3_bucket_name}'
diff --git a/main.tf b/main.tf
@@ -1,5 +1,9 @@
 locals {
-  managed_by = "Terraform"
+  managed_by                   = "Terraform"
+  gitlab_config_template_file  = "${path.module}/gitlab_config_templates/gitlab.rb.tftpl"
+  gitlab_config_generated_file = "${path.cwd}/gitlab_config/gitlab.rb"
+  gitlab_config_playbook_file  = "${path.module}/playbooks/gitlab_setup.yaml"
+  gitlab_complete_url          = join("", tolist(["https://", values(module.records.route53_record_name)[0]]))
 }
 
 resource "aws_instance" "gitlab" {
@@ -10,16 +14,22 @@ resource "aws_instance" "gitlab" {
   associate_public_ip_address = false
   vpc_security_group_ids      = [aws_security_group.gitlab.id]
   key_name                    = var.gitlab_ssh_public_key != null ? aws_key_pair.gitlab_ssh[0].key_name : null
+  iam_instance_profile        = aws_iam_instance_profile.gitlab.name
   root_block_device {
     volume_type           = var.volume_type
     volume_size           = var.volume_size
     delete_on_termination = false
   }
+
+  provisioner "local-exec" {
+    command = "ansible-playbook -u ubuntu -i '${self.private_ip},' --private-key ${var.private_key} -e 'instance_ip_address=${self.private_ip} file_path=${local_file.gitlab_config_file.filename}' ${local.gitlab_config_playbook_file}"
+  }
   tags = {
     Name        = "${var.environment_prefix}-gitlab"
     Environment = var.environment_prefix
     ManagedBy   = local.managed_by
   }
+  depends_on = [local_file.gitlab_config_file]
 }
 
 resource "aws_key_pair" "gitlab_ssh" {
@@ -357,3 +367,108 @@ resource "aws_security_group" "gitlab_redis" {
     ManagedBy   = local.managed_by
   }
 }
+
+resource "aws_s3_bucket" "gitlab_backup" {
+  count  = var.enable_gitlab_backup_to_s3 ? 1 : 0
+  bucket = var.gitlab_backup_bucket_name
+  lifecycle {
+    precondition {
+      condition = anytrue([
+        (var.enable_gitlab_backup_to_s3 == false),
+        (var.enable_gitlab_backup_to_s3 == true && var.gitlab_backup_bucket_name != null)
+      ])
+      error_message = "Gitlab backup to S3 is set to ${var.enable_gitlab_backup_to_s3}. gitlab_backup_bucket_name is mandatory to create S3 bucket."
+    }
+
+  }
+}
+
+resource "aws_s3_bucket_acl" "gitlab_backup" {
+  count  = var.enable_gitlab_backup_to_s3 ? 1 : 0
+  bucket = aws_s3_bucket.gitlab_backup[0].id
+  acl    = "private"
+}
+
+data "aws_iam_policy_document" "gitlab_s3_backup" {
+  count = var.enable_gitlab_backup_to_s3 ? 1 : 0
+  statement {
+    effect = "Allow"
+    actions = [
+      "s3:AbortMultipartUpload",
+      "s3:GetBucketAcl",
+      "s3:GetBucketLocation",
+      "s3:GetObject",
+      "s3:GetObjectAcl",
+      "s3:ListBucketMultipartUploads",
+      "s3:PutObject",
+      "s3:PutObjectAcl"
+    ]
+    resources = [
+      "arn:aws:s3:::${aws_s3_bucket.gitlab_backup[0].bucket}/*"
+    ]
+  }
+  statement {
+    effect = "Allow"
+    actions = [
+      "s3:GetBucketLocation",
+      "s3:ListAllMyBuckets"
+    ]
+    resources = [
+      "*"
+    ]
+  }
+  statement {
+    effect = "Allow"
+    actions = [
+      "s3:ListBucket"
+    ]
+    resources = [
+      "arn:aws:s3:::${aws_s3_bucket.gitlab_backup[0].bucket}"
+    ]
+  }
+}
+
+resource "aws_iam_policy" "gitlab_backup" {
+  count  = var.enable_gitlab_backup_to_s3 ? 1 : 0
+  name   = "gitlab-backup"
+  policy = data.aws_iam_policy_document.gitlab_s3_backup[0].json
+}
+
+resource "aws_iam_role" "gitlab_backup" {
+  name                = "gitlab-backup"
+  assume_role_policy  = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Action": "sts:AssumeRole",
+            "Principal": {
+               "Service": "ec2.amazonaws.com"
+            },
+            "Effect": "Allow",
+            "Sid": ""
+        }
+    ]
+}
+EOF
+  managed_policy_arns = var.enable_gitlab_backup_to_s3 ? [aws_iam_policy.gitlab_backup[0].arn] : []
+}
+
+resource "aws_iam_instance_profile" "gitlab" {
+  name = "gitlab"
+  role = aws_iam_role.gitlab_backup.name
+}
+
+resource "local_file" "gitlab_config_file" {
+  filename = local.gitlab_config_generated_file
+  content = templatefile(local.gitlab_config_template_file, {
+    gitlab_url                   = local.gitlab_complete_url,
+    gitlab_db_name               = module.gitlab_pg.db_instance_name,
+    gitlab_db_username           = module.gitlab_pg.db_instance_username,
+    gitlab_db_password           = module.gitlab_pg.db_instance_password,
+    gitlab_db_host               = module.gitlab_pg.db_instance_address,
+    gitlab_redis_host            = aws_elasticache_cluster.gitlab_redis.cache_nodes[0].address,
+    aws_region                   = aws_s3_bucket.gitlab_backup[0].region
+    gitlab_backup_s3_bucket_name = aws_s3_bucket.gitlab_backup[0].bucket
+  })
+}
diff --git a/outputs.tf b/outputs.tf
@@ -37,3 +37,7 @@ output "gitlab_redis_address" {
   value       = aws_elasticache_cluster.gitlab_redis.cache_nodes[0].address
   description = "Gitlab Redis cluster address"
 }
+
+output "gitlab_complete_url" {
+  value = local.gitlab_complete_url
+}
diff --git a/playbooks/gitlab_setup.yaml b/playbooks/gitlab_setup.yaml
@@ -0,0 +1,19 @@
+---
+- name: Configure Gitlab
+  hosts: "{{ instance_ip_address }}"
+  gather_facts: no
+  vars:
+    ansible_host_key_checking: false
+  tasks:
+    - local_action: wait_for port=22 host="{{ instance_ip_address }}" delay=10 timeout=300
+    - name: copy gitlab.rb to /etc/gitlab/
+      become: true
+      copy:
+        src: "{{ file_path }}"
+        dest: "/etc/gitlab/gitlab.rb"
+        owner: "root"
+        group: "root"
+        mode: 0600
+    - name: reconfigure Gitlab
+      become: true
+      command: gitlab-ctl reconfigure
diff --git a/variables.tf b/variables.tf
@@ -256,3 +256,20 @@ variable "gitlab_redis_parameter_group" {
     family = null
   }
 }
+
+variable "enable_gitlab_backup_to_s3" {
+  type        = bool
+  default     = false
+  description = "Enable Gitlab backup on S3 bucket"
+}
+
+variable "gitlab_backup_bucket_name" {
+  type        = string
+  default     = null
+  description = "Name of S3 bucket to be used for Gitlab backup"
+}
+
+variable "private_key" {
+  type        = string
+  description = "Private key to execute ansible playbook on Gitlab instance."
+}

Original file line number	Diff line number	Diff line change
`@@ -37,3 +37,7 @@ output "gitlab_redis_address" {`
`37`	`37`	`value = aws_elasticache_cluster.gitlab_redis.cache_nodes[0].address`
`38`	`38`	`description = "Gitlab Redis cluster address"`
`39`	`39`	`}`
	`40`	`+`
	`41`	`+output "gitlab_complete_url" {`
	`42`	`+ value = local.gitlab_complete_url`
	`43`	`+}`