Sprinkle on some dynamic blocks

This commit is contained in:
Dan Buch 2020-02-11 20:02:22 -05:00
parent cbf4e851e2
commit 05c7c2c423
Signed by: meatballhat
GPG Key ID: 9685130D8B763EA7
5 changed files with 187 additions and 192 deletions

225
main.tf
View File

@ -1,84 +1,88 @@
variable "base_url" {
description = "Fully qualified https URL of the app"
}
variable "resource_prefix" {
description = "Prefix prepended to resource names"
default = "spoke-"
}
variable "node_options" {
description = "Value defined at build time and run time as NODE_OPTIONS"
default = "--max_old_space_size=8192"
}
variable "node_env" {
description = "Value defined at build time and run time as NODE_ENV"
default = "production"
}
variable "port" {
description = "TCP port used to communicate between droplet and nginx"
default = "3000"
}
variable "droplet_size" {
description = "Size value passed when provisioning app droplet"
default = "s-1vcpu-1gb"
}
variable "region" {
description = "Region in which all resources will be provisioned"
default = "nyc1"
}
variable "ssh_keys" {
type = "list"
description = "List of ssh public keys to pass to droplet provisioning"
}
variable "cert_private_key" {
description = "Certificate key to pass to nginx"
}
variable "cert_certificate" {
description = "Certificate with leaf and intermediates to pass to nginx"
}
variable "env" {
type = "map"
description = "Arbitrary *additional* environment variables passed at build time and run time"
default = {}
}
resource "digitalocean_ssh_key" "app" { resource "digitalocean_ssh_key" "app" {
count = length(var.ssh_keys) count = length(var.ssh_keys)
name = "${var.resource_prefix}app-${count.index}" name = "${var.resource_prefix}app-${count.index}"
public_key = element(var.ssh_keys, count.index) public_key = element(var.ssh_keys, count.index)
} }
resource "digitalocean_database_cluster" "pg" {
name = "${var.resource_prefix}pg"
engine = "pg"
version = "11"
size = var.database_cluster_size
region = var.region
node_count = 1
}
resource "digitalocean_droplet" "app" { resource "digitalocean_droplet" "app" {
image = "ubuntu-18-04-x64" image = "ubuntu-18-04-x64"
name = "${var.resource_prefix}app" name = "${var.resource_prefix}app"
region = var.region region = var.region
size = var.droplet_size size = var.droplet_size
ssh_keys = [digitalocean_ssh_key.app.*.id] ssh_keys = [digitalocean_ssh_key.app[*].id]
} }
resource "digitalocean_certificate" "app" { resource "digitalocean_floating_ip" "app" {
name = "${var.resource_prefix}app" droplet_id = digitalocean_droplet.app.id
private_key = var.cert_private_key region = digitalocean_droplet.app.region
leaf_certificate = var.cert_leaf_certificate
lifecycle {
create_before_destroy = true
}
}
resource "digitalocean_loadbalancer" "app" {
name = "${var.resource_prefix}lb-app"
region = var.region
droplet_ids = [digitalocean_droplet.app.id]
redirect_http_to_https = true
forwarding_rule {
entry_port = 80
entry_protocol = "http"
target_port = var.port
target_protocol = "http"
}
forwarding_rule {
entry_port = 443
entry_protocol = "https"
target_port = var.port
target_protocol = "http"
certificate_id = digitalocean_certificate.app.id
}
healthcheck {
port = var.port
protocol = "tcp"
}
} }
resource "digitalocean_firewall" "app" { resource "digitalocean_firewall" "app" {
name = "${var.resource_prefix}app" name = "pghdsa-spoke-app"
droplet_ids = [digitalocean_droplet.app.id] droplet_ids = [digitalocean_droplet.app.id]
inbound_rule { dynamic "inbound_rule" {
protocol = "tcp" for_each = ["22", "80", "443"]
port_range = "22" content {
source_addresses = ["0.0.0.0/0", "::/0"] protocol = "tcp"
} port_range = inbound_rule.value
source_addresses = ["0.0.0.0/0", "::/0"]
inbound_rule { }
protocol = "tcp"
port_range = "1-65535"
# FIXME: what
#port_range = var.port
source_load_balancer_uids = [digitalocean_loadbalancer.app.id]
} }
inbound_rule { inbound_rule {
@ -86,16 +90,13 @@ resource "digitalocean_firewall" "app" {
source_addresses = ["0.0.0.0/0", "::/0"] source_addresses = ["0.0.0.0/0", "::/0"]
} }
outbound_rule { dynamic "outbound_rule" {
protocol = "tcp" for_each = ["tcp", "udp"]
port_range = "1-65535" content {
destination_addresses = ["0.0.0.0/0", "::/0"] protocol = outbound_rule.value
} port_range = "1-65535"
destination_addresses = ["0.0.0.0/0", "::/0"]
outbound_rule { }
protocol = "udp"
port_range = "1-65535"
destination_addresses = ["0.0.0.0/0", "::/0"]
} }
outbound_rule { outbound_rule {
@ -109,10 +110,13 @@ resource "random_string" "session_secret" {
special = false special = false
} }
resource "random_string" "pg_password" {
length = 31
}
resource "null_resource" "app_provision" { resource "null_resource" "app_provision" {
triggers = { triggers = {
droplet_id = digitalocean_droplet.app.id droplet_id = digitalocean_droplet.app.id
database_cluster_id = digitalocean_database_cluster.pg.id
provision_script_sha1 = filesha1("spoke-app-provision") provision_script_sha1 = filesha1("spoke-app-provision")
run_script_sha1 = filesha1("spoke-app-run") run_script_sha1 = filesha1("spoke-app-run")
service_sha1 = filesha1("spoke.service") service_sha1 = filesha1("spoke.service")
@ -141,26 +145,46 @@ resource "null_resource" "app_provision" {
} }
provisioner "file" { provisioner "file" {
content = templatefile("app.env.tpl", merge({ content = templatefile("nginx-sites-default.conf.tpl", {
ASSETS_MAP_FILE = "assets.json", server_name = var.server_name,
ASSETS_DIR = "./build/client/assets", port = var.port,
BASE_URL = var.base_url, })
DATABASE_URL = digitalocean_database_cluster.pg.uri, destination = "/tmp/nginx-sites-default.conf"
DB_HOST = digitalocean_database_cluster.pg.host, }
DB_NAME = digitalocean_database_cluster.pg.database,
DB_PASSWORD = digitalocean_database_cluster.pg.password, provisioner "file" {
DB_PORT = digitalocean_database_cluster.pg.port, source = var.cert_pem_file
DB_TYPE = "pg", destination = "/tmp/spoke.crt"
DB_USER = digitalocean_database_cluster.pg.user, }
DB_USE_SSL = "true",
JOBS_SAME_PROCESS = "1", provisioner "file" {
NODE_ENV = var.node_env, source = var.key_pem_file
NODE_OPTIONS = var.node_options, destination = "/tmp/spoke.key"
OUTPUT_DIR = "./build", }
PORT = var.port,
REDIS_URL = "redis://127.0.0.1:6379/0", provisioner "file" {
SESSION_SECRET = random_string.session_secret.result, content = templatefile("app.env.tpl", {
}, var.env)) env = merge({
ASSETS_MAP_FILE = "assets.json",
ASSETS_DIR = "./build/client/assets",
BASE_URL = var.base_url,
DATABASE_URL = "postgres://spoke:${random_string.pg_password.result}@127.0.0.1:5432/spoke",
DB_HOST = "localhost",
DB_NAME = "spoke",
DB_PASSWORD = random_string.pg_password.result,
DB_PORT = "5432",
DB_TYPE = "pg",
DB_USER = "spoke",
DB_USE_SSL = "true",
JOBS_SAME_PROCESS = "1",
NODE_ENV = var.node_env,
NODE_OPTIONS = var.node_options,
OUTPUT_DIR = "./build",
PORT = var.port,
REDIS_URL = "redis://127.0.0.1:6379/0",
SESSION_SECRET = random_string.session_secret.result,
}, var.env)
})
destination = "/tmp/app.env" destination = "/tmp/app.env"
} }
@ -178,11 +202,14 @@ resource "null_resource" "app_provision" {
} }
} }
resource "digitalocean_database_firewall" "app_pg" { output "droplet_urn" {
cluster_id = digitalocean_database_cluster.pg.id value = digitalocean_droplet.app.urn
}
rule {
type = "droplet" output "droplet_ipv4_address" {
value = digitalocean_droplet.app.id value = digitalocean_droplet.app.ipv4_address
} }
output "floating_ip_address" {
value = digitalocean_floating_ip.app.ip_address
} }

View File

@ -0,0 +1,23 @@
# vim:filetype=nginx
server {
listen 80;
listen [::]:80;
listen 443 ssl;
listen [::]:443 ssl;
server_name ${server_name};
ssl_certificate spoke.crt;
ssl_certificate_key spoke.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
access_log /var/log/nginx/spoke.access.log combined;
index index.html;
root /home/spoke/app/build/client;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://127.0.0.1:${port};
}
}

View File

@ -1,19 +0,0 @@
output "loadbalancer_ip" {
value = digitalocean_loadbalancer.app.ip
}
output "droplet_urn" {
value = digitalocean_droplet.app.urn
}
output "loadbalancer_urn" {
value = digitalocean_loadbalancer.app.urn
}
output "database_cluster_urn" {
value = digitalocean_database_cluster.pg.urn
}
output "droplet_ipv4_address" {
value = digitalocean_droplet.app.ipv4_address
}

View File

@ -9,6 +9,7 @@ main() {
_run_system0() { _run_system0() {
set -o xtrace set -o xtrace
cd /tmp
sudo swapon --show | if ! grep -q /swap; then sudo swapon --show | if ! grep -q /swap; then
sudo fallocate -l 8G /swap sudo fallocate -l 8G /swap
@ -35,18 +36,44 @@ _run_system0() {
curl \ curl \
git \ git \
gnupg \ gnupg \
nginx-full \
redis redis
sudo sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" >/etc/apt/sources.list.d/pgdg.list' dpkg --get-selections || true |
curl https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo apt-key add - if ! grep -qE '^postgresql-client-11.+install$'; then
sudo apt-get update -y echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" |
sudo apt-get install -y postgresql-client-11 sudo tee /etc/apt/sources.list.d/pgdg.list &>/dev/null
curl https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo apt-key add -
sudo apt-get update -y
sudo apt-get install -y postgresql-11 postgresql-client-11
fi
curl -fsSL https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add - pg_ctlcluster 11 main start
echo "deb https://dl.yarnpkg.com/debian/ stable main" | sudo -H -u postgres bash <<PGSETUP
sudo tee /etc/apt/sources.list.d/yarn.list set -o allexport
sudo apt-get update -y source /tmp/app.env
sudo apt-get install -y --no-install-recommends yarn createuser spoke || true
createdb --owner=spoke spoke || true
psql -c "GRANT ALL ON DATABASE spoke TO spoke"
set +o xtrace
psql -c "ALTER USER spoke WITH PASSWORD '\${DB_PASSWORD}';"
PGSETUP
mv -v /tmp/spoke.crt /etc/nginx/spoke.crt
mv -v /tmp/spoke.key /etc/nginx/spoke.key
chmod 0600 /etc/nginx/spoke.crt /etc/nginx/spoke.key
cp -v /tmp/nginx-sites-default.conf /etc/nginx/sites-available/default
ln -svf /etc/nginx/sites-available/default /etc/nginx/sites-enabled/default
sha1sum /etc/nginx/sites-available/default
systemctl restart nginx
if ! command -v yarn; then
curl -fsSL https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -
echo "deb https://dl.yarnpkg.com/debian/ stable main" |
sudo tee /etc/apt/sources.list.d/yarn.list
sudo apt-get update -y
sudo apt-get install -y --no-install-recommends yarn
fi
if ! getent passwd spoke; then if ! getent passwd spoke; then
sudo useradd --create-home --comment 'Spoke app' spoke sudo useradd --create-home --comment 'Spoke app' spoke
@ -91,9 +118,7 @@ _run_spoke0() {
nvm install 2>/dev/null nvm install 2>/dev/null
nvm use 2>/dev/null nvm use 2>/dev/null
if [[ -f /tmp/app.env ]]; then cp -v /tmp/app.env /home/spoke/app/.env
cp -v /tmp/app.env /home/spoke/app/.env
fi
sha1sum /home/spoke/app/.env sha1sum /home/spoke/app/.env
set -o allexport set -o allexport
@ -117,7 +142,7 @@ _run_spoke0() {
yarn run prod-build yarn run prod-build
rm -rf ./node_modules rm -rf ./node_modules
yarn install --production --ignore-scripts yarn install --production --ignore-scripts
echo "${git_ref}" >/home/spoke/yarn_prod_build_ref echo "${git_head}" >/home/spoke/yarn_prod_build_ref
} }
main "${@}" main "${@}"

View File

@ -1,61 +0,0 @@
variable "base_url" {
description = "Fully qualified https URL of the app"
}
variable "resource_prefix" {
description = "Prefix prepended to resource names"
default = "spoke-"
}
variable "node_options" {
description = "Value defined at build time and run time as NODE_OPTIONS"
default = "--max_old_space_size=8192"
}
variable "node_env" {
description = "Value defined at build time and run time as NODE_ENV"
default = "production"
}
variable "port" {
description = "TCP port used to communicate between droplet and load balancer"
default = "3000"
}
variable "droplet_size" {
description = "Size value passed when provisioning app droplet"
default = "s-1vcpu-1gb"
}
variable "database_cluster_size" {
description = "Size value passed when provisioning database cluster"
default = "db-s-1vcpu-1gb"
}
variable "database_cluster_node_count" {
default = 1
}
variable "region" {
description = "Region at which all resources will be provisioned"
default = "nyc1"
}
variable "ssh_keys" {
type = "list"
description = "List of ssh public keys to pass to droplet provisioning"
}
variable "cert_private_key" {
description = "Certificate key to use when defining th cert used with the load balancer"
}
variable "cert_leaf_certificate" {
description = "Leaf certificate to use when defining the cert used with the load balancer"
}
variable "env" {
type = "map"
description = "Arbitrary *additional* environment variables passed at build time and run time"
default = {}
}