reorganize into terraform modules

Author: csanquer

.gitignore

@@ -1,7 +1,8 @@
 /packer/config.json
-/terraform/terraform.tfvars
-/terraform/terraform.tfstate
-/terraform/terraform.tfstate.backup
-/tmp_ssh_host_keys
-/terraform/ssh_host_keys.tar.gz
+terraform.tfvars
+terraform.tfstate
+terraform.tfstate.backup
+/terraform/gitlab/ssh_host_keys.tar.gz
+.terraform/
 .terraform.tfstate.lock.info
+/graphs

Makefile

@@ -3,7 +3,7 @@ SHELL := $(shell which bash)
 ENV = /usr/bin/env
 # default shell options
 .SHELLFLAGS = -c
-
+format = png
 .SILENT: ; # no need for @
 .ONESHELL: ; # recipes execute in same shell
 .NOTPARALLEL: ; # wait for this target to finish
@@ -19,15 +19,15 @@ all:
 # prevent ssh client warnings about ssh host keys to be different
 # between SSH load balancer
 ssh_host_keys:
-if [ ! -f terraform/ssh_host_keys.tar.gz ]; then \
+if [ ! -f terraform/gitlab/ssh_host_keys.tar.gz ]; then \
 rm -rf tmp_ssh_host_keys ;\
 mkdir -p tmp_ssh_host_keys ;\
 cd tmp_ssh_host_keys ;\
 ssh-keygen -q -t dsa -N "" -f ssh_host_dsa_key -C "root@gitlab" ;\
 ssh-keygen -q -t rsa -N "" -f ssh_host_rsa_key -C "root@gitlab" ;\
 ssh-keygen -q -t ecdsa -N "" -f ssh_host_ecdsa_key -C "root@gitlab" ;\
 ssh-keygen -q -t ed25519 -N "" -f ssh_host_ed25519_key -C "root@gitlab" ;\
-tar -cvzf ../terraform/ssh_host_keys.tar.gz ssh_host_* ;\
+tar -cvzf ../terraform/gitlab/ssh_host_keys.tar.gz ssh_host_* ;\
 fi;
 
 config: ssh_host_keys
@@ -44,18 +44,37 @@ ami-runner: config
 cd packer
 packer build -var-file=config.json gitlab-ci-runner.json
 
-plan: config
+_get_modules: config
+cd terraform
+terraform get
+
+plan: _get_modules
 cd terraform
 terraform plan
 
-apply: config
+apply: _get_modules
 cd terraform
 terraform apply
 
-output: config
+output: _get_modules
 cd terraform
 terraform output
 
-destroy: config
+_graph_dir: _get_modules
+mkdir -p graphs
+
+_graph:
+cd terraform
+terraform graph -type=$(type) -draw-cycles | dot -T$(format) > ../graphs/infra_$(type).$(format)
+
+graphs: _graph_dir
+make _graph type=plan format=$(format)
+make _graph type=plan-destroy format=$(format)
+make _graph type=apply format=$(format)
+make _graph type=validate format=$(format)
+make _graph type=input format=$(format)
+make _graph type=refresh format=$(format)
+
+destroy: _get_modules
 cd terraform
 terraform destroy

terraform/data.tf

@@ -0,0 +1,29 @@
+resource "aws_elasticache_subnet_group" "gitlab_cache" {
+ name = "gitlab-cache-subnet"
+ subnet_ids = ["${var.private_subnet_ids["private1"]}", "${var.private_subnet_ids["private2"]}"]
+}
+
+resource "aws_elasticache_cluster" "gitlab_cache" {
+ cluster_id = "gitlab-cache"
+ engine = "redis"
+ engine_version = "3.2.4"
+ node_type = "cache.t2.small"
+ port = 6379
+ num_cache_nodes = 1
+ parameter_group_name = "default.redis3.2"
+ subnet_group_name = "${aws_elasticache_subnet_group.gitlab_cache.name}"
+ security_group_ids = ["${aws_security_group.gitlab_cache.id}"]
+}
+
+resource "aws_security_group" "gitlab_cache" {
+ name = "gitlab-cache"
+ description = "Allow traffic to gitlab cache"
+ vpc_id = "${var.vpc_id}"
+
+ ingress {
+ from_port = 6379
+ to_port = 6379
+ protocol = "TCP"
+ security_groups = ["${aws_security_group.gitlab.id}"]
+ }
+}

terraform/gitlab/cache.tf

@@ -34,3 +34,7 @@ user['username'] = "git"
 user['group'] = "git"
 user['uid'] = 998
 user['gid'] = 998
+
+nginx['real_ip_trusted_addresses'] = [ '{{ gitlab_proxy_subnets|join('\', \'') }}' ]
+nginx['real_ip_header'] = 'X-Real-IP'
+nginx['real_ip_recursive'] = 'on'

terraform/config/gitlab.rb.j2 renamed to terraform/gitlab/config/gitlab.rb.j2

@@ -11,3 +11,4 @@ gitlab_db_host: "${gitlab_db_host}"
 gitlab_db_port: ${gitlab_db_port}
 gitlab_cache_host: "${gitlab_cache_host}"
 gitlab_cache_port: ${gitlab_cache_port}
+gitlab_proxy_subnets: ["${join('", "', gitlab_proxy_subnets)}"]

terraform/config/gitlab_bootstrap.sh renamed to terraform/gitlab/config/gitlab_bootstrap.sh

@@ -0,0 +1,54 @@
+resource "aws_security_group" "db_allow" {
+ name = "db_allow"
+ description = "Allow inbound traffic to databases"
+ vpc_id = "${var.vpc_id}"
+
+ ingress {
+ from_port = 5432
+ to_port = 5432
+ protocol = "TCP"
+ security_groups = ["${aws_security_group.gitlab.id}"]
+ }
+}
+
+resource "aws_db_subnet_group" "gitlab_db_sg" {
+ name = "gitlab-db"
+ subnet_ids = ["${var.private_subnet_ids["private1"]}", "${var.private_subnet_ids["private2"]}"]
+
+ tags {
+ Name = "Gitlab DB subnet group"
+ }
+}
+
+resource "aws_db_parameter_group" "pg_default" {
+ name = "gitlab-postgres-pg"
+ family = "postgres9.5"
+
+ parameter {
+ name = "client_encoding"
+ value = "utf8"
+ }
+}
+
+resource "aws_db_instance" "gitlab" {
+ allocated_storage = 10
+ engine = "postgres"
+ engine_version = "9.5.4"
+ license_model = "postgresql-license"
+ instance_class = "db.t2.micro"
+ name = "${var.gitlab_db_name}"
+ username = "${var.gitlab_db_username}"
+ password = "${var.gitlab_db_password}"
+ db_subnet_group_name = "${aws_db_subnet_group.gitlab_db_sg.name}"
+ vpc_security_group_ids = ["${aws_security_group.db_allow.id}"]
+ // parameter_group_name = "default.postgres9.5"
+ parameter_group_name = "${aws_db_parameter_group.pg_default.name}"
+ storage_type = "gp2"
+ publicly_accessible = true
+ final_snapshot_identifier = "gitlab-db"
+ skip_final_snapshot = true
+ copy_tags_to_snapshot = true
+ backup_retention_period = 1
+ apply_immediately = true
+ multi_az = false
+}

terraform/config/gitlab_env.sh renamed to terraform/gitlab/config/gitlab_env.sh

@@ -0,0 +1,11 @@
+resource "aws_route53_record" "gitlab" {
+ zone_id = "${var.dns_zone_id}"
+ name = "${var.gitlab_dns_subdomain}.${var.dns_zone_name}"
+ type = "A"
+
+ alias {
+ name = "${aws_elb.gitlab.dns_name}"
+ zone_id = "${aws_elb.gitlab.zone_id}"
+ evaluate_target_health = true
+ }
+}