add auto-drive terraform resources (#400)
* add auto-drive terraform resources

* add RDS root module

* add RDS child module for auto-drive
DaMandal0rian authored Jan 23, 2025
1 parent 45236e2 commit b6cea5b
Showing 39 changed files with 3,334 additions and 0 deletions.
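--- a/auto-drive/backend.tf
+++ b/auto-drive/backend.tf
@@ -0,0 +1,9 @@
+terraform {
+cloud {
+organization = "subspace-sre"
+
+workspaces {
+name = "auto-drive-aws"
+}
+}
+}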
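--- a/auto-drive/db.tf
+++ b/auto-drive/db.tf
@@ -0,0 +1,155 @@
+data "aws_caller_identity" "current" {}
+
+################################################################################
+# RDS Module
+################################################################################
+
+module "db" {
+source = "../templates/terraform/aws/rds/"
+
+identifier = local.name
+
+engine = "postgres"
+engine_version = "16"
+engine_lifecycle_support = "open-source-rds-extended-support-disabled"
+family = "postgres16" # DB parameter group
+major_engine_version = "16" # DB option group
+instance_class = "db.t4g.large"
+
+allocated_storage = 50
+max_allocated_storage = 200
+
+
+db_name = "postgres"
+username = "postgres"
+port = 5432
+
+
+manage_master_user_password_rotation = true
+master_user_password_rotate_immediately = false
+master_user_password_rotation_schedule_expression = "rate(15 days)"
+
+multi_az = true
+db_subnet_group_name = module.vpc_rds.database_subnet_group
+vpc_security_group_ids = [module.security_group.security_group_id]
+
+maintenance_window = "Mon:00:00-Mon:03:00"
+backup_window = "03:00-06:00"
+enabled_cloudwatch_logs_exports = ["postgresql", "upgrade"]
+create_cloudwatch_log_group = true
+
+backup_retention_period = 1
+skip_final_snapshot = true
+deletion_protection = false
+
+performance_insights_enabled = true
+performance_insights_retention_period = 7
+create_monitoring_role = true
+monitoring_interval = 60
+monitoring_role_name = "example-monitoring-role-name"
+monitoring_role_use_name_prefix = true
+monitoring_role_description = "Description for monitoring role"
+
+parameters = [
+{
+name = "autovacuum"
+value = 1
+},
+{
+name = "client_encoding"
+value = "utf8"
+}
+]
+
+tags = local.tags
+db_option_group_tags = {
+"Sensitive" = "low"
+}
+db_parameter_group_tags = {
+"Sensitive" = "low"
+}
+cloudwatch_log_group_tags = {
+"Sensitive" = "high"
+}
+}
+
+################################################################################
+# RDS Automated Backups Replication Module
+################################################################################
+
+provider "aws" {
+alias = "region2"
+region = local.region2
+}
+
+module "kms" {
+source = "terraform-aws-modules/kms/aws"
+version = "~> 1.0"
+description = "KMS key for cross region automated backups replication"
+
+# Aliases
+aliases = [local.name]
+aliases_use_name_prefix = true
+
+key_owners = [data.aws_caller_identity.current.arn]
+
+tags = local.tags
+
+providers = {
+aws = aws.region2
+}
+}
+
+module "db_automated_backups_replication" {
+source = "../templates/terraform/aws/rds/modules/db_instance_automated_backups_replication"
+
+source_db_instance_arn = module.db.db_instance_arn
+kms_key_arn = module.kms.key_arn
+
+providers = {
+aws = aws.region2
+}
+}
+
+################################################################################
+# Supporting Resources
+################################################################################
+
+module "vpc_rds" {
+source = "terraform-aws-modules/vpc/aws"
+version = "~> 5.0"
+
+name = local.name
+cidr = local.vpc_cidr
+
+azs = local.azs
+public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)]
+private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 3)]
+database_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 6)]
+
+create_database_subnet_group = true
+
+tags = local.tags
+}
+
+module "security_group" {
+source = "terraform-aws-modules/security-group/aws"
+version = "~> 5.0"
+
+name = local.name
+description = "Auto Drive PostgreSQL security group"
+vpc_id = module.vpc_rds.vpc_id
+
+# ingress
+ingress_with_cidr_blocks = [
+{
+from_port = 5432
+to_port = 5432
+protocol = "tcp"
+description = "PostgreSQL access from within VPC"
+cidr_blocks = module.vpc_rds.vpc_cidr_block
+},
+]
+
+tags = local.tags
+}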
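Review bot: For a multi-AZ instance the `module "db"` call sets `deletion_protection = false`, `skip_final_snapshot = true` and `backup_retention_period = 1`, so a single `terraform destroy` or a bad apply removes the database with no final snapshot and at most one day of automated backups; for anything holding real data these should be `deletion_protection = true`, `skip_final_snapshot = false` and a retention of at least 7 days (the cross-region replication module below only copies what that one-day window retains). `storage_encrypted`, `publicly_accessible` and `iam_database_authentication_enabled` are not set explicitly, so their effective values depend on the defaults of the local `../templates/terraform/aws/rds/` module, which is not visible in this commit — pin them in this call rather than relying on the template. `monitoring_role_name = "example-monitoring-role-name"` and its description are placeholder text carried over from the upstream module example and should be derived from `local.name`. Note also that `module.vpc_rds` is a second VPC built from the same `var.vpc_cidr` that main.tf uses for the application VPC; with identical CIDRs the two cannot be peered, and the 5432 ingress rule only admits `module.vpc_rds.vpc_cidr_block`, so the backend instances would not be able to reach the database as written — confirm whether a single shared VPC was intended.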
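--- a/auto-drive/main.tf
+++ b/auto-drive/main.tf
@@ -0,0 +1,204 @@
+provider "aws" {
+region = var.region
+}
+
+data "aws_availability_zones" "available" {
+state = "available"
+}
+
+locals {
+name = basename(path.cwd)
+region = var.region
+region2 = "us-west-1"
+
+vpc_cidr = var.vpc_cidr
+azs = slice(data.aws_availability_zones.available.names, 0, var.az_count)
+
+tags = merge(
+{
+Name = local.name
+},
+var.tags
+)
+}
+
+################################################################################
+# Auto-Drive VPC
+################################################################################
+
+module "vpc" {
+source = "../templates/terraform/aws/vpc"
+
+name = "${local.name}-vpc"
+cidr = var.vpc_cidr
+azs = local.azs
+private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
+
+enable_nat_gateway = true
+single_nat_gateway = true
+
+tags = local.tags
+}
+
+################################################################################
+# Auto-Drive Security Group
+################################################################################
+
+resource "aws_security_group" "auto_drive_sg" {
+name = "auto_drive_sg"
+description = "auto drive security group"
+vpc_id = var.vpc_cidr
+
+# Ingress Rules
+ingress {
+from_port = 22
+to_port = 22
+protocol = "tcp"
+cidr_blocks = ["0.0.0.0/0"]
+description = "Allow SSH"
+}
+
+ingress {
+from_port = 80
+to_port = 80
+protocol = "tcp"
+cidr_blocks = ["0.0.0.0/0"]
+description = "Allow HTTP"
+}
+
+ingress {
+from_port = 443
+to_port = 443
+protocol = "tcp"
+cidr_blocks = ["0.0.0.0/0"]
+description = "Allow HTTPS"
+}
+
+# Egress Rules
+egress {
+from_port = 0
+to_port = 0
+protocol = "-1"
+cidr_blocks = ["0.0.0.0/0"]
+description = "Allow all outbound traffic"
+}
+
+tags = {
+Name = "auto-drive-sg"
+}
+}
+
+################################################################################
+# AMI Data Source
+################################################################################
+
+data "aws_ami" "ubuntu_amd64" {
+most_recent = true
+
+filter {
+name = "name"
+values = ["ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"]
+}
+
+filter {
+name = "virtualization-type"
+values = ["hvm"]
+}
+
+filter {
+name = "architecture"
+values = ["x86_64"]
+}
+
+owners = ["099720109477"]
+}
+
+################################################################################
+# Auto-Drive Instances
+################################################################################
+
+module "ec2_auto_drive" {
+source = "../templates/terraform/aws/ec2"
+
+name = "${local.name}-backend"
+count = var.auto_drive_instance_count
+ami = data.aws_ami.ubuntu_amd64.id
+instance_type = var.auto_drive_instance_type
+availability_zone = element(local.azs, count.index % length(local.azs))
+subnet_id = element(module.vpc.private_subnets, count.index % length(module.vpc.private_subnets))
+vpc_security_group_ids = [aws_security_group.auto_drive_sg.id]
+associate_public_ip_address = false # Auto-drive instances use EIPs
+ignore_ami_changes = true
+root_block_device = [
+{
+device_name = "/dev/sdf"
+encrypted = true
+volume_type = "gp3"
+throughput = 250
+volume_size = var.auto_drive_root_volume_size
+}
+]
+volume_tags = merge(
+{ "Name" = "${local.name}-backend-root-volume-${count.index}" },
+var.tags
+)
+tags = merge(local.tags, { Role = "auto-drive" })
+}
+
+################################################################################
+# Gateway Instances
+################################################################################
+
+module "ec2_gateway" {
+source = "../templates/terraform/aws/ec2"
+name = "${local.name}-gateway"
+count = var.gateway_instance_count
+ami = data.aws_ami.ubuntu_amd64.id
+instance_type = var.gateway_instance_type
+availability_zone = element(local.azs, count.index % length(local.azs))
+subnet_id = element(module.vpc.private_subnets, count.index % length(module.vpc.private_subnets))
+vpc_security_group_ids = [aws_security_group.auto_drive_sg.id]
+associate_public_ip_address = false # Gateway instances use EIPs
+ignore_ami_changes = true
+root_block_device = [
+{
+device_name = "/dev/sdf"
+encrypted = true
+volume_type = "gp3"
+throughput = 250
+volume_size = var.gateway_root_volume_size
+}
+]
+volume_tags = merge(
+{ "Name" = "${local.name}-gateway-root-volume-${count.index}" },
+var.tags
+)
+tags = merge(local.tags, { Role = "gateway" })
+}
+
+################################################################################
+# Elastic IPs for Auto-Drive Instances
+################################################################################
+
+resource "aws_eip" "auto_drive_eip" {
+count = var.auto_drive_instance_count
+
+instance = module.ec2_auto_drive[count.index].id
+tags = {
+Name = "${local.name}-backend-eip-${count.index}"
+}
+}
+
+################################################################################
+# Elastic IPs for Gateway Instances
+################################################################################
+
+resource "aws_eip" "gateway_eip" {
+count = var.gateway_instance_count
+
+instance = module.ec2_gateway[count.index].id
+tags = {
+Name = "${local.name}-gateway-eip-${count.index}"
+}
+}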
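Review bot: The `auto_drive_sg` ingress block opens port 22 to `0.0.0.0/0` next to 80/443, and the same group is attached to both the backend and gateway instance modules, so every host in this stack gets world-reachable SSH; restrict it to an operator range, e.g. `cidr_blocks = var.ssh_allowed_cidrs`, or drop the rule entirely and use SSM Session Manager. The same resource sets `vpc_id = var.vpc_cidr`, which passes a CIDR string where a VPC id is expected and will be rejected at apply; it should read `vpc_id = module.vpc.vpc_id`. Both instance modules are placed in `module.vpc.private_subnets` while `aws_eip.auto_drive_eip` and `aws_eip.gateway_eip` are attached to them, which is contradictory as written — an EIP on an instance in a subnet with no internet-gateway route is not reachable — so either the subnet choice or the EIPs appear to be wrong; confirm the intended exposure before applying. Whether the `../templates/terraform/aws/ec2` module enforces IMDSv2 (`http_tokens = "required"`) is not visible here and is worth checking given the public-facing role.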