Add Terraform templates (#316)

serverless · Jul 31, 2018 · b349a32 · b349a32
1 parent c84ddec
commit b349a32
Show file tree

Hide file tree

Showing 18 changed files with 855 additions and 0 deletions.
diff --git a/contrib/terraform/NOTICE b/contrib/terraform/NOTICE
@@ -0,0 +1,5 @@
+CoreOS Project
+Copyright 2017 CoreOS, Inc
+
+This product includes software developed at CoreOS, Inc.
+(http://www.coreos.com/).
diff --git a/contrib/terraform/README.md b/contrib/terraform/README.md
@@ -0,0 +1,85 @@
+# Event Gateway Terraform module
+
+This module creates Event Gateway running on ECS Fargate with a standalone etcd cluster.
+
+The module is an extract form the [Tectonic Installer repository](https://github.com/coreos/tectonic-installer).
+
+## Usage
+
+```hcl
+module "event-gateway" {
+  source = "github.com/serverless/event-gateway//contrib/terraform/modules/event-gateway"
+
+  aws_region = "us-east-1"
+  command_list = ["-db-hosts", "event-gateway-etcd-0.etcd:2379,event-gateway-etcd-1.etcd:2379,event-gateway-etcd-2.etcd:2379", "-log-level", "debug"]
+  tags = {
+    Application = "event-gateway"
+  }
+}
+
+output "config_url" {
+  value = "${module.event-gateway.config_url}"
+}
+
+output "events_url" {
+  value = "${module.event-gateway.events_url}"
+}
+```
+
+## Debugging etcd
+
+It's possible to enable SSH access via bastion instance, by adding parameters:
+
+```
+bastion_enabled = true
+ssh_key      = "eg-key"
+```
+
+Bastion IP can be distplayed by adding output:
+
+```
+output "bastion_ip" {
+  value = "${module.event-gateway.bastion_ip}"
+}
+```
+
+To connect to one of the etcd cluster hosts, run:
+
+```bash
+ssh -J ec2-user@<bastion_ip> core@<etcd_host_private_ip>
+```
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| aws_region | AWS region for the stack | string | - | yes |
+| bastion_enabled | Set to true enables SSH access to etcd nodes in the private subnet | string | `false` | no |
+| command_list | List of parameters for the `event-gateway` command | list | `["-log-level", "debug"]` | no |
+| config_alb_name | Config ALB name | string | `alb-config` | no |
+| config_port | Port number of the Event Gateway Config API | string | `4001` | no |
+| eg_image | Event Gateway docker image | string | `serverless/event-gateway:latest` | no |
+| eg_vpc_name | Event Gateway VPC name | string | `eg-vpc` | no |
+| etcd_base_domain | Name of the base domain for the etcd cluster | string | `etcd` | no |
+| etcd_image | etcd Docker image | string | `quay.io/coreos/etcd:v3.1.8` | no |
+| etcd_instance_count | Number of nodes in the etcd cluster | string | `3` | no |
+| etcd_instance_type | Etcd node type | string | `t2.micro` | no |
+| etcd_root_volume_iops | Number of IOPS of the etcd cluster volumes | string | `100` | no |
+| etcd_root_volume_size | Size of the etcd cluster volumes (in GiB) | string | `30` | no |
+| etcd_root_volume_type | Type of the etcd cluster volumes | string | `gp2` | no |
+| etcd_ssh_key | (optional) Name of the preexisting SSH key | string | `` | no |
+| etcd_tls_enabled | Enable TLS for the etcd cluster | string | `false` | no |
+| events_alb_name | Events ALB name | string | `alb-events` | no |
+| events_port | Event Gateway Events API port number | string | `4000` | no |
+| fargate_cpu | Fargate instance CPU units | string | `256` | no |
+| fargate_memory | Fargate instance memory | string | `512` | no |
+| tags | Additional tags | map | `<map>` | no |
+| task_count | Number of Event Gateway Fargate tasks | string | `3` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| bastion_ip | Public IP of etcd bastion instance |
+| config_url | Event Gateway Config API URL |
+| events_url | Event Gateway Events API URL |
diff --git a/contrib/terraform/modules/etcd/bastion.tf b/contrib/terraform/modules/etcd/bastion.tf
@@ -0,0 +1,51 @@
+data "aws_ami" "amazon-linux" {
+  most_recent = true
+
+  filter {
+    name   = "name"
+    values = ["amzn-ami-*-x86_64-gp2"]
+  }
+
+  filter {
+    name   = "virtualization-type"
+    values = ["hvm"]
+  }
+
+  filter {
+    name   = "owner-alias"
+    values = ["amazon"]
+  }
+}
+
+resource "aws_instance" "bastion" {
+  count = "${var.bastion_enabled ? 1 : 0}"
+
+  ami                    = "${data.aws_ami.amazon-linux.id}"
+  instance_type          = "t2.micro"
+  key_name               = "${var.ssh_key}"
+  subnet_id              = "${var.bastion_subnet}"
+  vpc_security_group_ids = ["${aws_security_group.bastion.id}"]
+
+  tags = "${merge(var.tags, map("Name", var.bastion_name))}"
+}
+
+resource "aws_security_group" "bastion" {
+  count = "${var.bastion_enabled ? 1 : 0}"
+
+  name   = "eg-bastion"
+  vpc_id = "${var.vpc_id}"
+
+  ingress {
+    protocol    = "tcp"
+    from_port   = "22"
+    to_port     = "22"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    protocol    = "-1"
+    from_port   = 0
+    to_port     = 0
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
diff --git a/contrib/terraform/modules/etcd/certs.tf b/contrib/terraform/modules/etcd/certs.tf
@@ -0,0 +1,95 @@
+locals {
+  etcd_crt_id_list = [
+    "${data.ignition_file.etcd_ca.*.id}",
+    "${data.ignition_file.etcd_client_key.*.id}",
+    "${data.ignition_file.etcd_client_crt.*.id}",
+    "${data.ignition_file.etcd_server_key.*.id}",
+    "${data.ignition_file.etcd_server_crt.*.id}",
+    "${data.ignition_file.etcd_peer_key.*.id}",
+    "${data.ignition_file.etcd_peer_crt.*.id}",
+  ]
+}
+
+data "ignition_file" "etcd_ca" {
+  path       = "/etc/ssl/etcd/ca.crt"
+  mode       = 0644
+  uid        = 232
+  gid        = 232
+  filesystem = "root"
+
+  content {
+    content = "${module.etcd_certs.etcd_ca_crt_pem}"
+  }
+}
+
+data "ignition_file" "etcd_client_key" {
+  path       = "/etc/ssl/etcd/client.key"
+  mode       = 0400
+  uid        = 0
+  gid        = 0
+  filesystem = "root"
+
+  content {
+    content = "${module.etcd_certs.etcd_client_key_pem}"
+  }
+}
+
+data "ignition_file" "etcd_client_crt" {
+  path       = "/etc/ssl/etcd/client.crt"
+  mode       = 0400
+  uid        = 0
+  gid        = 0
+  filesystem = "root"
+
+  content {
+    content = "${module.etcd_certs.etcd_client_crt_pem}"
+  }
+}
+
+data "ignition_file" "etcd_server_key" {
+  path       = "/etc/ssl/etcd/server.key"
+  mode       = 0400
+  uid        = 232
+  gid        = 232
+  filesystem = "root"
+
+  content {
+    content = "${module.etcd_certs.etcd_server_key_pem}"
+  }
+}
+
+data "ignition_file" "etcd_server_crt" {
+  path       = "/etc/ssl/etcd/server.crt"
+  mode       = 0400
+  uid        = 232
+  gid        = 232
+  filesystem = "root"
+
+  content {
+    content = "${module.etcd_certs.etcd_server_crt_pem}"
+  }
+}
+
+data "ignition_file" "etcd_peer_key" {
+  path       = "/etc/ssl/etcd/peer.key"
+  mode       = 0400
+  uid        = 232
+  gid        = 232
+  filesystem = "root"
+
+  content {
+    content = "${module.etcd_certs.etcd_peer_key_pem}"
+  }
+}
+
+data "ignition_file" "etcd_peer_crt" {
+  path       = "/etc/ssl/etcd/peer.crt"
+  mode       = 0400
+  uid        = 232
+  gid        = 232
+  filesystem = "root"
+
+  content {
+    content = "${module.etcd_certs.etcd_peer_crt_pem}"
+  }
+}
diff --git a/contrib/terraform/modules/etcd/dns.tf b/contrib/terraform/modules/etcd/dns.tf
@@ -0,0 +1,16 @@
+resource "aws_route53_zone" "etcd_priv" {
+  name    = "${var.base_domain}"
+  vpc_id  = "${var.vpc_id}"
+  comment = "Managed by Terraform"
+
+  tags = "${var.tags}"
+}
+
+resource "aws_route53_record" "etcd_a_nodes" {
+  count   = "${var.instance_count}"
+  type    = "A"
+  ttl     = "60"
+  zone_id = "${aws_route53_zone.etcd_priv.zone_id}"
+  name    = "${var.cluster_name}-etcd-${count.index}"
+  records = ["${module.etcd.ip_addresses[count.index]}"]
+}
diff --git a/contrib/terraform/modules/etcd/ignition.tf b/contrib/terraform/modules/etcd/ignition.tf
@@ -0,0 +1,79 @@
+locals {
+  scheme = "${var.tls_enabled ? "https" : "http"}"
+
+  // see https://github.com/hashicorp/terraform/issues/9858
+  etcd_initial_cluster_list = "${concat(data.template_file.etcd_hostname_list.*.rendered, list("dummy"))}"
+
+  metadata_env = "EnvironmentFile=/run/metadata/coreos"
+
+  metadata_deps = <<EOF
+Requires=coreos-metadata.service
+After=coreos-metadata.service
+EOF
+
+  cert_options = <<EOF
+--cert-file=/etc/ssl/etcd/server.crt \
+  --client-cert-auth=true \
+  --key-file=/etc/ssl/etcd/server.key \
+  --peer-cert-file=/etc/ssl/etcd/peer.crt \
+  --peer-key-file=/etc/ssl/etcd/peer.key \
+  --peer-trusted-ca-file=/etc/ssl/etcd/ca.crt \
+  --peer-client-cert-auth=true \
+  --trusted-ca-file=/etc/ssl/etcd/ca.crtEOF
+}
+
+data "template_file" "etcd_hostname_list" {
+  count = "${var.instance_count}"
+
+  template = "${var.cluster_name}-etcd-${count.index}.${var.base_domain}"
+}
+
+data "template_file" "etcd_names" {
+  count    = "${var.instance_count}"
+  template = "${var.cluster_name}-etcd-${count.index}${var.base_domain == "" ? "" : ".${var.base_domain}"}"
+}
+
+data "template_file" "advertise_client_urls" {
+  count    = "${var.instance_count}"
+  template = "${local.scheme}://${data.template_file.etcd_hostname_list.*.rendered[count.index]}:2379"
+}
+
+data "template_file" "initial_advertise_peer_urls" {
+  count    = "${var.instance_count}"
+  template = "${local.scheme}://${data.template_file.etcd_hostname_list.*.rendered[count.index]}:2380"
+}
+
+data "template_file" "initial_cluster" {
+  count    = "${length(data.template_file.etcd_hostname_list.*.rendered) > 0 ? var.instance_count : 0}"
+  template = "${data.template_file.etcd_names.*.rendered[count.index]}=${local.scheme}://${local.etcd_initial_cluster_list[count.index]}:2380"
+}
+
+data "template_file" "etcd" {
+  count    = "${var.instance_count}"
+  template = "${file("${path.module}/resources/dropins/40-etcd-cluster.conf")}"
+
+  vars = {
+    advertise_client_urls       = "${data.template_file.advertise_client_urls.*.rendered[count.index]}"
+    cert_options                = "${var.tls_enabled ? local.cert_options : ""}"
+    container_image             = "${var.container_image}"
+    initial_advertise_peer_urls = "${data.template_file.initial_advertise_peer_urls.*.rendered[count.index]}"
+    initial_cluster             = "${length(data.template_file.etcd_hostname_list.*.rendered) > 0 ? format("--initial-cluster=%s", join(",", data.template_file.initial_cluster.*.rendered)) : ""}"
+    metadata_deps               = "${var.use_metadata ? local.metadata_deps : ""}"
+    metadata_env                = "${var.use_metadata ? local.metadata_env : ""}"
+    name                        = "${data.template_file.etcd_names.*.rendered[count.index]}"
+    scheme                      = "${local.scheme}"
+  }
+}
+
+data "ignition_systemd_unit" "etcd" {
+  count   = "${var.instance_count}"
+  name    = "etcd-member.service"
+  enabled = true
+
+  dropin = [
+    {
+      name    = "40-etcd-cluster.conf"
+      content = "${data.template_file.etcd.*.rendered[count.index]}"
+    },
+  ]
+}