base contains rds

vpc and subnets moved to base from infra deptrack in its own state
TykTechnologies · Apr 24, 2024 · d48a955 · d48a955
1 parent 9c27c5d
commit d48a955
Show file tree

Hide file tree

Showing 25 changed files with 441 additions and 264 deletions.
diff --git a/infra/Makefile → base/Makefile b/infra/Makefile → base/Makefile
@@ -3,8 +3,8 @@
 .PHONY: prod upgrade
 
 prod:
-	@echo Generating plan upto vpc, for mount targets, and r53, for cloudflare NS entries
-	terraform plan -target=module.vpc -target=aws_route53_zone.dev_tyk_tech -out=$(@).plan
+	@echo Generating plan upto cloudflare NS entries
+	terraform plan -target=aws_route53_zone.dev_tyk_tech -out=$(@).plan
 	terraform apply $(@).plan
 	@echo Generating plan for remaining resouces
 	terraform plan -out=$(@).plan

diff --git a/base/README.md b/base/README.md
@@ -3,7 +3,9 @@
 - ECR
 - Github OIDC
 - efs volumes
+- RDS
+- VPC and subnets
 
 Kept outside the infra module as they have a different lifecycle from the other infra components. Infra can be destroyed if needed. This directory hosts all the components that need persistance.
 
-Check `terraform output`.
+Use the Makefile to see the resource targetting that is required to bring this env up from scartch. `terraform output` will show you the outputs that are available for use in other states.
diff --git a/base/base-secrets.yaml b/base/base-secrets.yaml
@@ -0,0 +1,16 @@
+cf-apitoken: ENC[AES256_GCM,data:A2YLlySRGyu+ep7z3BzDncW1NNaQZNE6cgTuT5gOY1ABevCzsn4GvQ==,iv:XLfigdcS6frnGgZF8aNkwd44NuzpRoyDJVSmwmICnxI=,tag:qPXXFaJuB1cA0YiD6QNpUA==,type:str]
+sops:
+    kms:
+        - arn: arn:aws:kms:eu-central-1:754489498669:key/215a7274-5652-4521-8a88-b18e02b8f13e
+          created_at: "2024-04-22T11:26:03Z"
+          enc: AQICAHiDjTyDzev9deXqMt8qn7IIVL95PjWZTOOP+RjKHUtt0AGB9x1TONOwrvyTm8MFZsdEAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMbN0DMeuAO5lF4MCYAgEQgDv/bkLvMrGB6MKBVBUH7DrYBYFAVjfNHDFp24p+sz1CENoWPEukBJ29LokE7qvxBqxop7d+Ft7oRjfxIg==
+          aws_profile: ""
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2024-04-22T11:26:08Z"
+    mac: ENC[AES256_GCM,data:9qXuXGLkR9zMAXewMuFmSnPF8Ecga6aJ/9DixPCkeEd/3Ku/N2RbkPTERV5F5SzpFq0n7ObXZnbjTDJKsMGdj7f5t7Vl9Ou+civ/m97IJO4cFaCPGMBiipVRzmJrGXkLTG/VqC/e4+Hpi0DrKJ9B55qwwkbAoxzvEEpmaI9cOY8=,iv:4fKo4a3QdXgy8lbYYVRnT0+bm/F+CwqRoxslnBD5Lpw=,tag:nguzQpfCz2kCUTIpZDNxTQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1
diff --git a/base/base.tf b/base/base.tf
@@ -27,7 +27,6 @@ locals {
     "purpose" = "ci",
     "env"     = local.name
   }
-
 }
 
 resource "aws_ecr_repository" "integration" {
@@ -59,9 +58,7 @@ resource "aws_ecr_lifecycle_policy" "high_cadence" {
 
   depends_on = [aws_ecr_repository.integration]
   repository = each.key
-
-  policy = local.combined_policy
-
+  policy     = local.combined_policy
 }
 
 # Dependency Track filesystem
@@ -97,10 +94,3 @@ resource "aws_s3_object" "testreports" {
   source = "/dev/null"
 }
 
-# terraform apply -target=null_resource.debug will show the rendered template
-# resource "null_resource" "debug" {
-#   triggers = {
-#     json = "${data.template_file.tyk_repo_access.rendered}"
-#   }
-# }
-
diff --git a/base/devenv-euc1-test.tfvars b/base/devenv-euc1-test.tfvars
diff --git a/base/dns.tf b/base/dns.tf
@@ -0,0 +1,50 @@
+# DNS and wildcard certificate for *.dev.tyk.technology
+
+provider "cloudflare" {
+  api_token = data.sops_file.secrets.data["cf-apitoken"]
+  # account_id = "35b8134b47c7d01ee8198bb2b82a8dc5"
+}
+
+resource "cloudflare_record" "dev_tyk_tech" {
+  for_each = toset(aws_route53_zone.dev_tyk_tech.name_servers)
+  depends_on = [aws_route53_zone.dev_tyk_tech]
+
+  # This is the tyk.technology zone
+  zone_id = "f3ee9e1c1e0e47f8ab60fae66d39aa8f"
+  name    = "dev"
+  type    = "NS"
+  value = each.value
+}
+
+resource "aws_route53_zone" "dev_tyk_tech" {
+  name = "dev.tyk.technology"
+}
+
+# One wildcard cert
+
+resource "aws_acm_certificate" "dev_tyk_tech" {
+  domain_name       = "*.dev.tyk.technology"
+  validation_method = "DNS"
+}
+
+resource "aws_route53_record" "dev_tyk_tech" {
+  for_each = {
+    for dvo in aws_acm_certificate.dev_tyk_tech.domain_validation_options : dvo.domain_name => {
+      name   = dvo.resource_record_name
+      record = dvo.resource_record_value
+      type   = dvo.resource_record_type
+    }
+  }
+
+  allow_overwrite = true
+  name            = each.value.name
+  records         = [each.value.record]
+  ttl             = 60
+  type            = each.value.type
+  zone_id         = aws_route53_zone.dev_tyk_tech.zone_id
+}
+
+resource "aws_acm_certificate_validation" "dev_tyk_tech" {
+  certificate_arn         = aws_acm_certificate.dev_tyk_tech.arn
+  validation_record_fqdns = [for record in aws_route53_record.dev_tyk_tech : record.fqdn]
+}
diff --git a/base/outputs.tf b/base/outputs.tf
@@ -22,3 +22,30 @@ output "key_name" {
   value       = aws_key_pair.devacc.key_name
   description = "Key pair for EC2 instances. Private key in secrets.yaml."
 }
+
+output "vpc" {
+  description = "A map of VPC information"
+  value = {
+    id              = module.vpc.vpc_id
+    cidr            = module.vpc.vpc_cidr_block
+    public_subnets  = module.vpc.public_subnets
+    private_subnets = module.vpc.private_subnets
+  }
+}
+
+output "rds" {
+  description = "Shared PostgreSQL RDS instance"
+  value = {
+    address     = module.rds.db_instance_address
+    port        = module.rds.db_instance_port
+    mpasswd_arn = aws_ssm_parameter.rds_master.arn
+  }
+}
+
+output "dns" {
+  description = "R53 hosted zone details for dev.tyk.technology"
+  value = {
+    zone_id = aws_route53_zone.dev_tyk_tech.zone_id
+    cert    = aws_acm_certificate.dev_tyk_tech.arn
+  }
+}
diff --git a/base/rds.tf b/base/rds.tf
@@ -0,0 +1,98 @@
+locals {
+  pg_port = 5432
+}
+
+module "rds_sg" {
+  source = "terraform-aws-modules/security-group/aws"
+
+  name        = "deptrack-db"
+  description = "RDS PostgreSQL"
+  vpc_id      = module.vpc.vpc_id
+
+  # ingress
+  ingress_with_cidr_blocks = [
+    {
+      from_port   = local.pg_port
+      to_port     = local.pg_port
+      protocol    = "tcp"
+      description = "PostgreSQL access from within VPC"
+      cidr_blocks = module.vpc.vpc_cidr_block
+    },
+  ]
+}
+
+resource "random_password" "rds_master" {
+  length = 16
+  lower  = false
+}
+
+module "rds" {
+  source = "terraform-aws-modules/rds/aws"
+
+  identifier = "postgres15"
+
+  # All available versions: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_PostgreSQL.html#PostgreSQL.Concepts
+  engine                = "postgres"
+  engine_version        = "15"
+  family                = "postgres15" # DB parameter group
+  major_engine_version  = "15"         # DB option group
+  instance_class        = "db.t4g.medium"
+  allocated_storage     = 10
+  max_allocated_storage = 50
+
+  # NOTE: Do NOT use 'user' as the value for 'username' as it throws:
+  # "Error creating DB Instance: InvalidParameterValue: MasterUsername
+  # user cannot be used as it is a reserved word used by the engine"
+  username = "master"
+  # The password is stored in the state
+  password = random_password.rds_master.result
+  port     = local.pg_port
+
+  create_db_subnet_group = false
+  multi_az               = true
+  db_subnet_group_name   = module.vpc.database_subnet_group_name
+  vpc_security_group_ids = [module.rds_sg.security_group_id]
+
+  maintenance_window              = "Mon:00:00-Mon:03:00"
+  backup_window                   = "03:00-06:00"
+  enabled_cloudwatch_logs_exports = ["postgresql", "upgrade"]
+  create_cloudwatch_log_group     = true
+
+  backup_retention_period = 1
+  skip_final_snapshot     = true
+  # TODO: turn on deletion protection when stable
+  deletion_protection = false
+
+  performance_insights_enabled          = true
+  performance_insights_retention_period = 7
+  create_monitoring_role                = true
+  monitoring_interval                   = 60
+  monitoring_role_name                  = "rds-monitoring"
+  monitoring_role_use_name_prefix       = false
+  monitoring_role_description           = "Role to ship enhanced monitoring to CloudWatch"
+
+  parameters = [
+    {
+      name  = "autovacuum"
+      value = 1
+    },
+    {
+      name  = "client_encoding"
+      value = "utf8"
+    }
+  ]
+
+  db_option_group_tags = {
+    "Sensitive" = "low"
+  }
+  db_parameter_group_tags = {
+    "Sensitive" = "low"
+  }
+}
+
+resource "aws_ssm_parameter" "rds_master" {
+  name        = "/${local.name}/rds/master"
+  type        = "SecureString"
+  description = "Password for the RDS master user"
+  value       = random_password.rds_master.result
+}
diff --git a/infra/secrets.tf → base/secrets.tf b/infra/secrets.tf → base/secrets.tf
@@ -1,5 +1,5 @@
 provider "sops" {}
 
 data "sops_file" "secrets" {
-  source_file = "secrets.yaml"
+  source_file = "base-secrets.yaml"
 }
diff --git a/base/versions.tf b/base/versions.tf
@@ -12,6 +12,14 @@ terraform {
       source  = "hashicorp/aws"
       version = ">= 4.52.0"
     }
+    cloudflare = {
+      source  = "cloudflare/cloudflare"
+      version = ">= 4.20.0"
+    }
+    sops = {
+      source  = "carlpett/sops"
+      version = ">= 1.0.0"
+    }
   }
   required_version = ">= 1.3"
 }
diff --git a/base/vpc.tf b/base/vpc.tf
@@ -0,0 +1,64 @@
+locals {
+  cidr = "10.91.0.0/16"
+}
+
+data "aws_availability_zones" "available" {
+  state = "available"
+}
+
+module "private_subnets" {
+  source = "hashicorp/subnets/cidr"
+
+  base_cidr_block = cidrsubnet(local.cidr, 4, 1)
+  networks = [
+    { name = "privaz1", new_bits = 4 },
+    { name = "privaz2", new_bits = 4 },
+    { name = "privaz3", new_bits = 4 },
+  ]
+}
+
+module "db_subnets" {
+  source = "hashicorp/subnets/cidr"
+
+  base_cidr_block = cidrsubnet(local.cidr, 4, 8)
+  networks = [
+    { name = "pubaz1", new_bits = 4 },
+    { name = "pubaz2", new_bits = 4 },
+    { name = "pubaz3", new_bits = 4 },
+  ]
+}
+
+module "public_subnets" {
+  source = "hashicorp/subnets/cidr"
+
+  base_cidr_block = cidrsubnet(local.cidr, 4, 15)
+  networks = [
+    { name = "pubaz1", new_bits = 4 },
+    { name = "pubaz2", new_bits = 4 },
+    { name = "pubaz3", new_bits = 4 },
+  ]
+}
+
+module "vpc" {
+  source = "terraform-aws-modules/vpc/aws"
+
+  name = "infra"
+  cidr = local.cidr
+
+  azs                  = data.aws_availability_zones.available.names
+  private_subnets      = module.private_subnets.networks[*].cidr_block
+  private_subnet_tags  = { Type = "private" }
+  database_subnets     = module.db_subnets.networks[*].cidr_block
+  database_subnet_tags = { Type = "rds" }
+  public_subnets       = module.public_subnets.networks[*].cidr_block
+  public_subnet_tags   = { Type = "public" }
+
+  create_database_subnet_group = true
+  enable_nat_gateway           = true
+  single_nat_gateway           = true
+  map_public_ip_on_launch      = true
+
+  # Need DNS to address EFS by name
+  enable_dns_support   = true
+  enable_dns_hostnames = true
+}
diff --git a/bin/del-cluster.sh b/bin/del-cluster.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+for s in $(aws ecs list-services --cluster $1 | jq -r ".serviceArns[]")
+do
+    aws ecs update-service --cluster $1 --service $s --desired-count 0 > ${1}.log
+    aws ecs delete-service --cluster $1 --service $s >> ${1}.log
+done
+echo Waiting for services to become inactive for $1 ...
+aws ecs wait services-inactive --cluster $1 --services tyk tyk-analytics tyk-pump redis
+aws ecs delete-cluster --cluster $1 >> ${1}.log || cat $1.log
+rm ${1}.log