Showing
18 changed files
with
855 additions
and
0 deletions.
@@ -0,0 +1,5 @@ | ||
CoreOS Project | ||
Copyright 2017 CoreOS, Inc | ||
|
||
This product includes software developed at CoreOS, Inc. | ||
(http://www.coreos.com/). |
@@ -0,0 +1,85 @@ | ||
# Event Gateway Terraform module | ||
|
||
This module creates Event Gateway running on ECS Fargate with a standalone etcd cluster. | ||
|
||
The module is an extract form the [Tectonic Installer repository](https://github.com/coreos/tectonic-installer). | ||
|
||
## Usage | ||
|
||
```hcl | ||
module "event-gateway" { | ||
source = "github.com/serverless/event-gateway//contrib/terraform/modules/event-gateway" | ||
aws_region = "us-east-1" | ||
command_list = ["-db-hosts", "event-gateway-etcd-0.etcd:2379,event-gateway-etcd-1.etcd:2379,event-gateway-etcd-2.etcd:2379", "-log-level", "debug"] | ||
tags = { | ||
Application = "event-gateway" | ||
} | ||
} | ||
output "config_url" { | ||
value = "${module.event-gateway.config_url}" | ||
} | ||
output "events_url" { | ||
value = "${module.event-gateway.events_url}" | ||
} | ||
``` | ||
|
||
## Debugging etcd | ||
|
||
It's possible to enable SSH access via bastion instance, by adding parameters: | ||
|
||
``` | ||
bastion_enabled = true | ||
ssh_key = "eg-key" | ||
``` | ||
|
||
Bastion IP can be distplayed by adding output: | ||
|
||
``` | ||
output "bastion_ip" { | ||
value = "${module.event-gateway.bastion_ip}" | ||
} | ||
``` | ||
|
||
To connect to one of the etcd cluster hosts, run: | ||
|
||
```bash | ||
ssh -J ec2-user@<bastion_ip> core@<etcd_host_private_ip> | ||
``` | ||
|
||
## Inputs | ||
|
||
| Name | Description | Type | Default | Required | | ||
|------|-------------|:----:|:-----:|:-----:| | ||
| aws_region | AWS region for the stack | string | - | yes | | ||
| bastion_enabled | Set to true enables SSH access to etcd nodes in the private subnet | string | `false` | no | | ||
| command_list | List of parameters for the `event-gateway` command | list | `["-log-level", "debug"]` | no | | ||
| config_alb_name | Config ALB name | string | `alb-config` | no | | ||
| config_port | Port number of the Event Gateway Config API | string | `4001` | no | | ||
| eg_image | Event Gateway docker image | string | `serverless/event-gateway:latest` | no | | ||
| eg_vpc_name | Event Gateway VPC name | string | `eg-vpc` | no | | ||
| etcd_base_domain | Name of the base domain for the etcd cluster | string | `etcd` | no | | ||
| etcd_image | etcd Docker image | string | `quay.io/coreos/etcd:v3.1.8` | no | | ||
| etcd_instance_count | Number of nodes in the etcd cluster | string | `3` | no | | ||
| etcd_instance_type | Etcd node type | string | `t2.micro` | no | | ||
| etcd_root_volume_iops | Number of IOPS of the etcd cluster volumes | string | `100` | no | | ||
| etcd_root_volume_size | Size of the etcd cluster volumes (in GiB) | string | `30` | no | | ||
| etcd_root_volume_type | Type of the etcd cluster volumes | string | `gp2` | no | | ||
| etcd_ssh_key | (optional) Name of the preexisting SSH key | string | `` | no | | ||
| etcd_tls_enabled | Enable TLS for the etcd cluster | string | `false` | no | | ||
| events_alb_name | Events ALB name | string | `alb-events` | no | | ||
| events_port | Event Gateway Events API port number | string | `4000` | no | | ||
| fargate_cpu | Fargate instance CPU units | string | `256` | no | | ||
| fargate_memory | Fargate instance memory | string | `512` | no | | ||
| tags | Additional tags | map | `<map>` | no | | ||
| task_count | Number of Event Gateway Fargate tasks | string | `3` | no | | ||
|
||
## Outputs | ||
|
||
| Name | Description | | ||
|------|-------------| | ||
| bastion_ip | Public IP of etcd bastion instance | | ||
| config_url | Event Gateway Config API URL | | ||
| events_url | Event Gateway Events API URL | |
@@ -0,0 +1,51 @@ | ||
data "aws_ami" "amazon-linux" { | ||
most_recent = true | ||
|
||
filter { | ||
name = "name" | ||
values = ["amzn-ami-*-x86_64-gp2"] | ||
} | ||
|
||
filter { | ||
name = "virtualization-type" | ||
values = ["hvm"] | ||
} | ||
|
||
filter { | ||
name = "owner-alias" | ||
values = ["amazon"] | ||
} | ||
} | ||
|
||
resource "aws_instance" "bastion" { | ||
count = "${var.bastion_enabled ? 1 : 0}" | ||
|
||
ami = "${data.aws_ami.amazon-linux.id}" | ||
instance_type = "t2.micro" | ||
key_name = "${var.ssh_key}" | ||
subnet_id = "${var.bastion_subnet}" | ||
vpc_security_group_ids = ["${aws_security_group.bastion.id}"] | ||
|
||
tags = "${merge(var.tags, map("Name", var.bastion_name))}" | ||
} | ||
|
||
resource "aws_security_group" "bastion" { | ||
count = "${var.bastion_enabled ? 1 : 0}" | ||
|
||
name = "eg-bastion" | ||
vpc_id = "${var.vpc_id}" | ||
|
||
ingress { | ||
protocol = "tcp" | ||
from_port = "22" | ||
to_port = "22" | ||
cidr_blocks = ["0.0.0.0/0"] | ||
} | ||
|
||
egress { | ||
protocol = "-1" | ||
from_port = 0 | ||
to_port = 0 | ||
cidr_blocks = ["0.0.0.0/0"] | ||
} | ||
} |
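Review bot: The bastion security group's SSH ingress at the `cidr_blocks = ["0.0.0.0/0"]` line admits port 22 from every Internet address, so turning on `bastion_enabled` publishes an SSH endpoint to the world rather than to the operator's network, and the bastion is the only hop to the etcd hosts. The source range should be an input, e.g. `cidr_blocks = ["${var.bastion_allowed_cidrs}"]` with that variable declared in the module's variables file (not in this view; the name is a suggestion), and the ingress block deserves a comment such as `# Only path to the etcd nodes; restrict to known operator ranges`. The instance block also references `aws_security_group.bastion.id` without an index although that resource carries a `count`; this is presumably tolerated while the count evaluates to 1, but `aws_security_group.bastion.0.id` makes the dependency explicit.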
@@ -0,0 +1,95 @@ | ||
locals { | ||
etcd_crt_id_list = [ | ||
"${data.ignition_file.etcd_ca.*.id}", | ||
"${data.ignition_file.etcd_client_key.*.id}", | ||
"${data.ignition_file.etcd_client_crt.*.id}", | ||
"${data.ignition_file.etcd_server_key.*.id}", | ||
"${data.ignition_file.etcd_server_crt.*.id}", | ||
"${data.ignition_file.etcd_peer_key.*.id}", | ||
"${data.ignition_file.etcd_peer_crt.*.id}", | ||
] | ||
} | ||
|
||
data "ignition_file" "etcd_ca" { | ||
path = "/etc/ssl/etcd/ca.crt" | ||
mode = 0644 | ||
uid = 232 | ||
gid = 232 | ||
filesystem = "root" | ||
|
||
content { | ||
content = "${module.etcd_certs.etcd_ca_crt_pem}" | ||
} | ||
} | ||
|
||
data "ignition_file" "etcd_client_key" { | ||
path = "/etc/ssl/etcd/client.key" | ||
mode = 0400 | ||
uid = 0 | ||
gid = 0 | ||
filesystem = "root" | ||
|
||
content { | ||
content = "${module.etcd_certs.etcd_client_key_pem}" | ||
} | ||
} | ||
|
||
data "ignition_file" "etcd_client_crt" { | ||
path = "/etc/ssl/etcd/client.crt" | ||
mode = 0400 | ||
uid = 0 | ||
gid = 0 | ||
filesystem = "root" | ||
|
||
content { | ||
content = "${module.etcd_certs.etcd_client_crt_pem}" | ||
} | ||
} | ||
|
||
data "ignition_file" "etcd_server_key" { | ||
path = "/etc/ssl/etcd/server.key" | ||
mode = 0400 | ||
uid = 232 | ||
gid = 232 | ||
filesystem = "root" | ||
|
||
content { | ||
content = "${module.etcd_certs.etcd_server_key_pem}" | ||
} | ||
} | ||
|
||
data "ignition_file" "etcd_server_crt" { | ||
path = "/etc/ssl/etcd/server.crt" | ||
mode = 0400 | ||
uid = 232 | ||
gid = 232 | ||
filesystem = "root" | ||
|
||
content { | ||
content = "${module.etcd_certs.etcd_server_crt_pem}" | ||
} | ||
} | ||
|
||
data "ignition_file" "etcd_peer_key" { | ||
path = "/etc/ssl/etcd/peer.key" | ||
mode = 0400 | ||
uid = 232 | ||
gid = 232 | ||
filesystem = "root" | ||
|
||
content { | ||
content = "${module.etcd_certs.etcd_peer_key_pem}" | ||
} | ||
} | ||
|
||
data "ignition_file" "etcd_peer_crt" { | ||
path = "/etc/ssl/etcd/peer.crt" | ||
mode = 0400 | ||
uid = 232 | ||
gid = 232 | ||
filesystem = "root" | ||
|
||
content { | ||
content = "${module.etcd_certs.etcd_peer_crt_pem}" | ||
} | ||
} |
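Review bot: The `etcd_client_key`, `etcd_server_key` and `etcd_peer_key` data sources embed private-key PEM from `module.etcd_certs` directly in the Ignition config; on EC2 Ignition reads that config from instance user data, which is readable by any IAM principal allowed to describe instance attributes and by any process on the node via the metadata endpoint, so the `mode = 0400` applied on disk does not limit that exposure. The file should record the trade-off, e.g. a header comment `# NOTE: key material travels in the Ignition config (EC2 user data); limit DescribeInstanceAttribute and treat these keys as rotatable`, or fetch the keys at boot from a secret store instead. None of these data sources carry a `count`, yet `etcd_crt_id_list` collects them with `.*.id` splats; presumably the intent was to gate them on `var.tls_enabled` so the `module.etcd_certs` outputs are not required when TLS is off, which is worth confirming against the module that consumes the list.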
@@ -0,0 +1,16 @@ | ||
resource "aws_route53_zone" "etcd_priv" { | ||
name = "${var.base_domain}" | ||
vpc_id = "${var.vpc_id}" | ||
comment = "Managed by Terraform" | ||
|
||
tags = "${var.tags}" | ||
} | ||
|
||
resource "aws_route53_record" "etcd_a_nodes" { | ||
count = "${var.instance_count}" | ||
type = "A" | ||
ttl = "60" | ||
zone_id = "${aws_route53_zone.etcd_priv.zone_id}" | ||
name = "${var.cluster_name}-etcd-${count.index}" | ||
records = ["${module.etcd.ip_addresses[count.index]}"] | ||
} |
@@ -0,0 +1,79 @@ | ||
locals { | ||
scheme = "${var.tls_enabled ? "https" : "http"}" | ||
|
||
// see https://github.com/hashicorp/terraform/issues/9858 | ||
etcd_initial_cluster_list = "${concat(data.template_file.etcd_hostname_list.*.rendered, list("dummy"))}" | ||
|
||
metadata_env = "EnvironmentFile=/run/metadata/coreos" | ||
|
||
metadata_deps = <<EOF | ||
Requires=coreos-metadata.service | ||
After=coreos-metadata.service | ||
EOF | ||
|
||
cert_options = <<EOF | ||
--cert-file=/etc/ssl/etcd/server.crt \ | ||
--client-cert-auth=true \ | ||
--key-file=/etc/ssl/etcd/server.key \ | ||
--peer-cert-file=/etc/ssl/etcd/peer.crt \ | ||
--peer-key-file=/etc/ssl/etcd/peer.key \ | ||
--peer-trusted-ca-file=/etc/ssl/etcd/ca.crt \ | ||
--peer-client-cert-auth=true \ | ||
--trusted-ca-file=/etc/ssl/etcd/ca.crtEOF | ||
} | ||
data "template_file" "etcd_hostname_list" { | ||
count = "${var.instance_count}" | ||
template = "${var.cluster_name}-etcd-${count.index}.${var.base_domain}" | ||
} | ||
data "template_file" "etcd_names" { | ||
count = "${var.instance_count}" | ||
template = "${var.cluster_name}-etcd-${count.index}${var.base_domain == "" ? "" : ".${var.base_domain}"}" | ||
} | ||
data "template_file" "advertise_client_urls" { | ||
count = "${var.instance_count}" | ||
template = "${local.scheme}://${data.template_file.etcd_hostname_list.*.rendered[count.index]}:2379" | ||
} | ||
data "template_file" "initial_advertise_peer_urls" { | ||
count = "${var.instance_count}" | ||
template = "${local.scheme}://${data.template_file.etcd_hostname_list.*.rendered[count.index]}:2380" | ||
} | ||
data "template_file" "initial_cluster" { | ||
count = "${length(data.template_file.etcd_hostname_list.*.rendered) > 0 ? var.instance_count : 0}" | ||
template = "${data.template_file.etcd_names.*.rendered[count.index]}=${local.scheme}://${local.etcd_initial_cluster_list[count.index]}:2380" | ||
} | ||
data "template_file" "etcd" { | ||
count = "${var.instance_count}" | ||
template = "${file("${path.module}/resources/dropins/40-etcd-cluster.conf")}" | ||
vars = { | ||
advertise_client_urls = "${data.template_file.advertise_client_urls.*.rendered[count.index]}" | ||
cert_options = "${var.tls_enabled ? local.cert_options : ""}" | ||
container_image = "${var.container_image}" | ||
initial_advertise_peer_urls = "${data.template_file.initial_advertise_peer_urls.*.rendered[count.index]}" | ||
initial_cluster = "${length(data.template_file.etcd_hostname_list.*.rendered) > 0 ? format("--initial-cluster=%s", join(",", data.template_file.initial_cluster.*.rendered)) : ""}" | ||
metadata_deps = "${var.use_metadata ? local.metadata_deps : ""}" | ||
metadata_env = "${var.use_metadata ? local.metadata_env : ""}" | ||
name = "${data.template_file.etcd_names.*.rendered[count.index]}" | ||
scheme = "${local.scheme}" | ||
} | ||
} | ||
data "ignition_systemd_unit" "etcd" { | ||
count = "${var.instance_count}" | ||
name = "etcd-member.service" | ||
enabled = true | ||
dropin = [ | ||
{ | ||
name = "40-etcd-cluster.conf" | ||
content = "${data.template_file.etcd.*.rendered[count.index]}" | ||
}, | ||
] | ||
} |
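Review bot: With `tls_enabled` false the `scheme` local becomes `http` and `cert_options` renders empty, so the generated drop-in starts etcd with plaintext, unauthenticated client and peer listeners on 2379/2380; whether those are reachable depends on security groups outside this file, but the README in this commit documents `etcd_tls_enabled` defaulting to `false`. The `cert_options = "${var.tls_enabled ? local.cert_options : ""}"` line should carry a comment, `# Without TLS etcd accepts any client or peer that can reach 2379/2380; enable TLS or rely on security groups`, and defaulting the variable to true would be the safer baseline. As rendered here the `cert_options` heredoc ends with `--trusted-ca-file=/etc/ssl/etcd/ca.crtEOF`; if that is the committed text rather than a display artifact, the `EOF` terminator is fused onto the last option and the heredoc never closes, so the terminator needs its own line.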