Sprinkle on some dynamic blocks
This commit is contained in:
parent
cbf4e851e2
commit
05c7c2c423
225
main.tf
225
main.tf
@ -1,84 +1,88 @@
|
|||||||
|
variable "base_url" {
|
||||||
|
description = "Fully qualified https URL of the app"
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "resource_prefix" {
|
||||||
|
description = "Prefix prepended to resource names"
|
||||||
|
default = "spoke-"
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "node_options" {
|
||||||
|
description = "Value defined at build time and run time as NODE_OPTIONS"
|
||||||
|
default = "--max_old_space_size=8192"
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "node_env" {
|
||||||
|
description = "Value defined at build time and run time as NODE_ENV"
|
||||||
|
default = "production"
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "port" {
|
||||||
|
description = "TCP port used to communicate between droplet and nginx"
|
||||||
|
default = "3000"
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "droplet_size" {
|
||||||
|
description = "Size value passed when provisioning app droplet"
|
||||||
|
default = "s-1vcpu-1gb"
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "region" {
|
||||||
|
description = "Region in which all resources will be provisioned"
|
||||||
|
default = "nyc1"
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "ssh_keys" {
|
||||||
|
type = "list"
|
||||||
|
description = "List of ssh public keys to pass to droplet provisioning"
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "cert_private_key" {
|
||||||
|
description = "Certificate key to pass to nginx"
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "cert_certificate" {
|
||||||
|
description = "Certificate with leaf and intermediates to pass to nginx"
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "env" {
|
||||||
|
type = "map"
|
||||||
|
description = "Arbitrary *additional* environment variables passed at build time and run time"
|
||||||
|
default = {}
|
||||||
|
}
|
||||||
|
|
||||||
resource "digitalocean_ssh_key" "app" {
|
resource "digitalocean_ssh_key" "app" {
|
||||||
count = length(var.ssh_keys)
|
count = length(var.ssh_keys)
|
||||||
name = "${var.resource_prefix}app-${count.index}"
|
name = "${var.resource_prefix}app-${count.index}"
|
||||||
public_key = element(var.ssh_keys, count.index)
|
public_key = element(var.ssh_keys, count.index)
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "digitalocean_database_cluster" "pg" {
|
|
||||||
name = "${var.resource_prefix}pg"
|
|
||||||
engine = "pg"
|
|
||||||
version = "11"
|
|
||||||
size = var.database_cluster_size
|
|
||||||
region = var.region
|
|
||||||
node_count = 1
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "digitalocean_droplet" "app" {
|
resource "digitalocean_droplet" "app" {
|
||||||
image = "ubuntu-18-04-x64"
|
image = "ubuntu-18-04-x64"
|
||||||
name = "${var.resource_prefix}app"
|
name = "${var.resource_prefix}app"
|
||||||
region = var.region
|
region = var.region
|
||||||
size = var.droplet_size
|
size = var.droplet_size
|
||||||
|
|
||||||
ssh_keys = [digitalocean_ssh_key.app.*.id]
|
ssh_keys = [digitalocean_ssh_key.app[*].id]
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "digitalocean_certificate" "app" {
|
resource "digitalocean_floating_ip" "app" {
|
||||||
name = "${var.resource_prefix}app"
|
droplet_id = digitalocean_droplet.app.id
|
||||||
private_key = var.cert_private_key
|
region = digitalocean_droplet.app.region
|
||||||
leaf_certificate = var.cert_leaf_certificate
|
|
||||||
|
|
||||||
lifecycle {
|
|
||||||
create_before_destroy = true
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "digitalocean_loadbalancer" "app" {
|
|
||||||
name = "${var.resource_prefix}lb-app"
|
|
||||||
region = var.region
|
|
||||||
droplet_ids = [digitalocean_droplet.app.id]
|
|
||||||
redirect_http_to_https = true
|
|
||||||
|
|
||||||
forwarding_rule {
|
|
||||||
entry_port = 80
|
|
||||||
entry_protocol = "http"
|
|
||||||
|
|
||||||
target_port = var.port
|
|
||||||
target_protocol = "http"
|
|
||||||
}
|
|
||||||
|
|
||||||
forwarding_rule {
|
|
||||||
entry_port = 443
|
|
||||||
entry_protocol = "https"
|
|
||||||
|
|
||||||
target_port = var.port
|
|
||||||
target_protocol = "http"
|
|
||||||
|
|
||||||
certificate_id = digitalocean_certificate.app.id
|
|
||||||
}
|
|
||||||
|
|
||||||
healthcheck {
|
|
||||||
port = var.port
|
|
||||||
protocol = "tcp"
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "digitalocean_firewall" "app" {
|
resource "digitalocean_firewall" "app" {
|
||||||
name = "${var.resource_prefix}app"
|
name = "pghdsa-spoke-app"
|
||||||
|
|
||||||
droplet_ids = [digitalocean_droplet.app.id]
|
droplet_ids = [digitalocean_droplet.app.id]
|
||||||
|
|
||||||
inbound_rule {
|
dynamic "inbound_rule" {
|
||||||
protocol = "tcp"
|
for_each = ["22", "80", "443"]
|
||||||
port_range = "22"
|
content {
|
||||||
source_addresses = ["0.0.0.0/0", "::/0"]
|
protocol = "tcp"
|
||||||
}
|
port_range = inbound_rule.value
|
||||||
|
source_addresses = ["0.0.0.0/0", "::/0"]
|
||||||
inbound_rule {
|
}
|
||||||
protocol = "tcp"
|
|
||||||
port_range = "1-65535"
|
|
||||||
# FIXME: what
|
|
||||||
#port_range = var.port
|
|
||||||
source_load_balancer_uids = [digitalocean_loadbalancer.app.id]
|
|
||||||
}
|
}
|
||||||
|
|
||||||
inbound_rule {
|
inbound_rule {
|
||||||
@ -86,16 +90,13 @@ resource "digitalocean_firewall" "app" {
|
|||||||
source_addresses = ["0.0.0.0/0", "::/0"]
|
source_addresses = ["0.0.0.0/0", "::/0"]
|
||||||
}
|
}
|
||||||
|
|
||||||
outbound_rule {
|
dynamic "outbound_rule" {
|
||||||
protocol = "tcp"
|
for_each = ["tcp", "udp"]
|
||||||
port_range = "1-65535"
|
content {
|
||||||
destination_addresses = ["0.0.0.0/0", "::/0"]
|
protocol = outbound_rule.value
|
||||||
}
|
port_range = "1-65535"
|
||||||
|
destination_addresses = ["0.0.0.0/0", "::/0"]
|
||||||
outbound_rule {
|
}
|
||||||
protocol = "udp"
|
|
||||||
port_range = "1-65535"
|
|
||||||
destination_addresses = ["0.0.0.0/0", "::/0"]
|
|
||||||
}
|
}
|
||||||
|
|
||||||
outbound_rule {
|
outbound_rule {
|
||||||
@ -109,10 +110,13 @@ resource "random_string" "session_secret" {
|
|||||||
special = false
|
special = false
|
||||||
}
|
}
|
||||||
|
|
||||||
|
resource "random_string" "pg_password" {
|
||||||
|
length = 31
|
||||||
|
}
|
||||||
|
|
||||||
resource "null_resource" "app_provision" {
|
resource "null_resource" "app_provision" {
|
||||||
triggers = {
|
triggers = {
|
||||||
droplet_id = digitalocean_droplet.app.id
|
droplet_id = digitalocean_droplet.app.id
|
||||||
database_cluster_id = digitalocean_database_cluster.pg.id
|
|
||||||
provision_script_sha1 = filesha1("spoke-app-provision")
|
provision_script_sha1 = filesha1("spoke-app-provision")
|
||||||
run_script_sha1 = filesha1("spoke-app-run")
|
run_script_sha1 = filesha1("spoke-app-run")
|
||||||
service_sha1 = filesha1("spoke.service")
|
service_sha1 = filesha1("spoke.service")
|
||||||
@ -141,26 +145,46 @@ resource "null_resource" "app_provision" {
|
|||||||
}
|
}
|
||||||
|
|
||||||
provisioner "file" {
|
provisioner "file" {
|
||||||
content = templatefile("app.env.tpl", merge({
|
content = templatefile("nginx-sites-default.conf.tpl", {
|
||||||
ASSETS_MAP_FILE = "assets.json",
|
server_name = var.server_name,
|
||||||
ASSETS_DIR = "./build/client/assets",
|
port = var.port,
|
||||||
BASE_URL = var.base_url,
|
})
|
||||||
DATABASE_URL = digitalocean_database_cluster.pg.uri,
|
destination = "/tmp/nginx-sites-default.conf"
|
||||||
DB_HOST = digitalocean_database_cluster.pg.host,
|
}
|
||||||
DB_NAME = digitalocean_database_cluster.pg.database,
|
|
||||||
DB_PASSWORD = digitalocean_database_cluster.pg.password,
|
provisioner "file" {
|
||||||
DB_PORT = digitalocean_database_cluster.pg.port,
|
source = var.cert_pem_file
|
||||||
DB_TYPE = "pg",
|
destination = "/tmp/spoke.crt"
|
||||||
DB_USER = digitalocean_database_cluster.pg.user,
|
}
|
||||||
DB_USE_SSL = "true",
|
|
||||||
JOBS_SAME_PROCESS = "1",
|
provisioner "file" {
|
||||||
NODE_ENV = var.node_env,
|
source = var.key_pem_file
|
||||||
NODE_OPTIONS = var.node_options,
|
destination = "/tmp/spoke.key"
|
||||||
OUTPUT_DIR = "./build",
|
}
|
||||||
PORT = var.port,
|
|
||||||
REDIS_URL = "redis://127.0.0.1:6379/0",
|
provisioner "file" {
|
||||||
SESSION_SECRET = random_string.session_secret.result,
|
content = templatefile("app.env.tpl", {
|
||||||
}, var.env))
|
env = merge({
|
||||||
|
ASSETS_MAP_FILE = "assets.json",
|
||||||
|
ASSETS_DIR = "./build/client/assets",
|
||||||
|
BASE_URL = var.base_url,
|
||||||
|
DATABASE_URL = "postgres://spoke:${random_string.pg_password.result}@127.0.0.1:5432/spoke",
|
||||||
|
DB_HOST = "localhost",
|
||||||
|
DB_NAME = "spoke",
|
||||||
|
DB_PASSWORD = random_string.pg_password.result,
|
||||||
|
DB_PORT = "5432",
|
||||||
|
DB_TYPE = "pg",
|
||||||
|
DB_USER = "spoke",
|
||||||
|
DB_USE_SSL = "true",
|
||||||
|
JOBS_SAME_PROCESS = "1",
|
||||||
|
NODE_ENV = var.node_env,
|
||||||
|
NODE_OPTIONS = var.node_options,
|
||||||
|
OUTPUT_DIR = "./build",
|
||||||
|
PORT = var.port,
|
||||||
|
REDIS_URL = "redis://127.0.0.1:6379/0",
|
||||||
|
SESSION_SECRET = random_string.session_secret.result,
|
||||||
|
}, var.env)
|
||||||
|
})
|
||||||
destination = "/tmp/app.env"
|
destination = "/tmp/app.env"
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -178,11 +202,14 @@ resource "null_resource" "app_provision" {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "digitalocean_database_firewall" "app_pg" {
|
output "droplet_urn" {
|
||||||
cluster_id = digitalocean_database_cluster.pg.id
|
value = digitalocean_droplet.app.urn
|
||||||
|
}
|
||||||
rule {
|
|
||||||
type = "droplet"
|
output "droplet_ipv4_address" {
|
||||||
value = digitalocean_droplet.app.id
|
value = digitalocean_droplet.app.ipv4_address
|
||||||
}
|
}
|
||||||
|
|
||||||
|
output "floating_ip_address" {
|
||||||
|
value = digitalocean_floating_ip.app.ip_address
|
||||||
}
|
}
|
||||||
|
23
nginx-sites-default.conf.tpl
Normal file
23
nginx-sites-default.conf.tpl
Normal file
@ -0,0 +1,23 @@
|
|||||||
|
# vim:filetype=nginx
|
||||||
|
server {
|
||||||
|
listen 80;
|
||||||
|
listen [::]:80;
|
||||||
|
listen 443 ssl;
|
||||||
|
listen [::]:443 ssl;
|
||||||
|
server_name ${server_name};
|
||||||
|
ssl_certificate spoke.crt;
|
||||||
|
ssl_certificate_key spoke.key;
|
||||||
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||||
|
ssl_ciphers HIGH:!aNULL:!MD5;
|
||||||
|
access_log /var/log/nginx/spoke.access.log combined;
|
||||||
|
index index.html;
|
||||||
|
root /home/spoke/app/build/client;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
proxy_pass http://127.0.0.1:${port};
|
||||||
|
}
|
||||||
|
}
|
19
outputs.tf
19
outputs.tf
@ -1,19 +0,0 @@
|
|||||||
output "loadbalancer_ip" {
|
|
||||||
value = digitalocean_loadbalancer.app.ip
|
|
||||||
}
|
|
||||||
|
|
||||||
output "droplet_urn" {
|
|
||||||
value = digitalocean_droplet.app.urn
|
|
||||||
}
|
|
||||||
|
|
||||||
output "loadbalancer_urn" {
|
|
||||||
value = digitalocean_loadbalancer.app.urn
|
|
||||||
}
|
|
||||||
|
|
||||||
output "database_cluster_urn" {
|
|
||||||
value = digitalocean_database_cluster.pg.urn
|
|
||||||
}
|
|
||||||
|
|
||||||
output "droplet_ipv4_address" {
|
|
||||||
value = digitalocean_droplet.app.ipv4_address
|
|
||||||
}
|
|
@ -9,6 +9,7 @@ main() {
|
|||||||
|
|
||||||
_run_system0() {
|
_run_system0() {
|
||||||
set -o xtrace
|
set -o xtrace
|
||||||
|
cd /tmp
|
||||||
|
|
||||||
sudo swapon --show | if ! grep -q /swap; then
|
sudo swapon --show | if ! grep -q /swap; then
|
||||||
sudo fallocate -l 8G /swap
|
sudo fallocate -l 8G /swap
|
||||||
@ -35,18 +36,44 @@ _run_system0() {
|
|||||||
curl \
|
curl \
|
||||||
git \
|
git \
|
||||||
gnupg \
|
gnupg \
|
||||||
|
nginx-full \
|
||||||
redis
|
redis
|
||||||
|
|
||||||
sudo sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" >/etc/apt/sources.list.d/pgdg.list'
|
dpkg --get-selections || true |
|
||||||
curl https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo apt-key add -
|
if ! grep -qE '^postgresql-client-11.+install$'; then
|
||||||
sudo apt-get update -y
|
echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" |
|
||||||
sudo apt-get install -y postgresql-client-11
|
sudo tee /etc/apt/sources.list.d/pgdg.list &>/dev/null
|
||||||
|
curl https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo apt-key add -
|
||||||
|
sudo apt-get update -y
|
||||||
|
sudo apt-get install -y postgresql-11 postgresql-client-11
|
||||||
|
fi
|
||||||
|
|
||||||
curl -fsSL https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -
|
pg_ctlcluster 11 main start
|
||||||
echo "deb https://dl.yarnpkg.com/debian/ stable main" |
|
sudo -H -u postgres bash <<PGSETUP
|
||||||
sudo tee /etc/apt/sources.list.d/yarn.list
|
set -o allexport
|
||||||
sudo apt-get update -y
|
source /tmp/app.env
|
||||||
sudo apt-get install -y --no-install-recommends yarn
|
createuser spoke || true
|
||||||
|
createdb --owner=spoke spoke || true
|
||||||
|
psql -c "GRANT ALL ON DATABASE spoke TO spoke"
|
||||||
|
set +o xtrace
|
||||||
|
psql -c "ALTER USER spoke WITH PASSWORD '\${DB_PASSWORD}';"
|
||||||
|
PGSETUP
|
||||||
|
|
||||||
|
mv -v /tmp/spoke.crt /etc/nginx/spoke.crt
|
||||||
|
mv -v /tmp/spoke.key /etc/nginx/spoke.key
|
||||||
|
chmod 0600 /etc/nginx/spoke.crt /etc/nginx/spoke.key
|
||||||
|
cp -v /tmp/nginx-sites-default.conf /etc/nginx/sites-available/default
|
||||||
|
ln -svf /etc/nginx/sites-available/default /etc/nginx/sites-enabled/default
|
||||||
|
sha1sum /etc/nginx/sites-available/default
|
||||||
|
systemctl restart nginx
|
||||||
|
|
||||||
|
if ! command -v yarn; then
|
||||||
|
curl -fsSL https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -
|
||||||
|
echo "deb https://dl.yarnpkg.com/debian/ stable main" |
|
||||||
|
sudo tee /etc/apt/sources.list.d/yarn.list
|
||||||
|
sudo apt-get update -y
|
||||||
|
sudo apt-get install -y --no-install-recommends yarn
|
||||||
|
fi
|
||||||
|
|
||||||
if ! getent passwd spoke; then
|
if ! getent passwd spoke; then
|
||||||
sudo useradd --create-home --comment 'Spoke app' spoke
|
sudo useradd --create-home --comment 'Spoke app' spoke
|
||||||
@ -91,9 +118,7 @@ _run_spoke0() {
|
|||||||
nvm install 2>/dev/null
|
nvm install 2>/dev/null
|
||||||
nvm use 2>/dev/null
|
nvm use 2>/dev/null
|
||||||
|
|
||||||
if [[ -f /tmp/app.env ]]; then
|
cp -v /tmp/app.env /home/spoke/app/.env
|
||||||
cp -v /tmp/app.env /home/spoke/app/.env
|
|
||||||
fi
|
|
||||||
sha1sum /home/spoke/app/.env
|
sha1sum /home/spoke/app/.env
|
||||||
|
|
||||||
set -o allexport
|
set -o allexport
|
||||||
@ -117,7 +142,7 @@ _run_spoke0() {
|
|||||||
yarn run prod-build
|
yarn run prod-build
|
||||||
rm -rf ./node_modules
|
rm -rf ./node_modules
|
||||||
yarn install --production --ignore-scripts
|
yarn install --production --ignore-scripts
|
||||||
echo "${git_ref}" >/home/spoke/yarn_prod_build_ref
|
echo "${git_head}" >/home/spoke/yarn_prod_build_ref
|
||||||
}
|
}
|
||||||
|
|
||||||
main "${@}"
|
main "${@}"
|
||||||
|
61
variables.tf
61
variables.tf
@ -1,61 +0,0 @@
|
|||||||
variable "base_url" {
|
|
||||||
description = "Fully qualified https URL of the app"
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "resource_prefix" {
|
|
||||||
description = "Prefix prepended to resource names"
|
|
||||||
default = "spoke-"
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "node_options" {
|
|
||||||
description = "Value defined at build time and run time as NODE_OPTIONS"
|
|
||||||
default = "--max_old_space_size=8192"
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "node_env" {
|
|
||||||
description = "Value defined at build time and run time as NODE_ENV"
|
|
||||||
default = "production"
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "port" {
|
|
||||||
description = "TCP port used to communicate between droplet and load balancer"
|
|
||||||
default = "3000"
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "droplet_size" {
|
|
||||||
description = "Size value passed when provisioning app droplet"
|
|
||||||
default = "s-1vcpu-1gb"
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "database_cluster_size" {
|
|
||||||
description = "Size value passed when provisioning database cluster"
|
|
||||||
default = "db-s-1vcpu-1gb"
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "database_cluster_node_count" {
|
|
||||||
default = 1
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "region" {
|
|
||||||
description = "Region at which all resources will be provisioned"
|
|
||||||
default = "nyc1"
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "ssh_keys" {
|
|
||||||
type = "list"
|
|
||||||
description = "List of ssh public keys to pass to droplet provisioning"
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "cert_private_key" {
|
|
||||||
description = "Certificate key to use when defining th cert used with the load balancer"
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "cert_leaf_certificate" {
|
|
||||||
description = "Leaf certificate to use when defining the cert used with the load balancer"
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "env" {
|
|
||||||
type = "map"
|
|
||||||
description = "Arbitrary *additional* environment variables passed at build time and run time"
|
|
||||||
default = {}
|
|
||||||
}
|
|
Loading…
Reference in New Issue
Block a user