diff --git a/.gitignore b/.gitignore
index 3dd8917..f31a307 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,6 @@
 .terraform
 plan
+terraform.tfstate
+terraform.tfstate.backup
+.terraform.lock.hcl
+tfplan
diff --git a/.terraform-version b/.terraform-version
new file mode 100644
index 0000000..a5e4282
--- /dev/null
+++ b/.terraform-version
@@ -0,0 +1 @@
+1.1.9
\ No newline at end of file
diff --git a/examples/multiple-executors/main.tf b/examples/multiple-executors/main.tf
index 9e128d3..f090ddd 100644
--- a/examples/multiple-executors/main.tf
+++ b/examples/multiple-executors/main.tf
@@ -1,7 +1,9 @@
 locals {
-  region = "us-west-2"
-  availability_zone = "us-west-2a"
-  docker_mirror_static_ip = "10.0.1.4"
+  region = "us-west-2"
+  availability_zone = "us-west-2a"
+  docker_mirror_static_ip = "10.0.1.4"
+  sourcegraph_external_url = "https://sourcegraph.acme.com"
+  executor_sourcegraph_executor_proxy_password = "hunter2"
 }
 
 module "networking" {
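Review bot: The new local `executor_sourcegraph_executor_proxy_password = "hunter2"` keeps the executor proxy credential as a plain literal committed with the example; lifting it out of the two module arguments into `locals` centralises it but does not change how it is stored. Even for a sample, an input variable marked sensitive, `variable "executor_sourcegraph_executor_proxy_password" { type = string sensitive = true }`, supplied via a `.tfvars` file or `TF_VAR_executor_sourcegraph_executor_proxy_password`, would model the intended handling and keep the value out of plan output. The value still ends up in `terraform.tfstate`, which this commit's `.gitignore` hunk now excludes from the repository; a comment above the local saying the literal is a placeholder, not the pattern to copy, would help readers of the example.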
@@ -25,32 +27,33 @@ module "executors-codeintel" {
   source = "sourcegraph/executors/aws//modules/executors"
   version = "3.43.0" # LATEST
 
-  vpc_id = module.networking.vpc_id
-  subnet_id = module.networking.subnet_id
-  resource_prefix = "codeintel-prod"
-  instance_tag = "codeintel-prod"
-  sourcegraph_external_url = "https://sourcegraph.acme.com"
-  sourcegraph_executor_proxy_password = "hunter2"
-  queue_name = "codeintel"
-  metrics_environment_label = "prod"
-  docker_registry_mirror = "http://${local.docker_mirror_static_ip}:5000"
-  # docker_registry_mirror_node_exporter_url = "http://${local.docker_mirror_static_ip}:9999"
-  use_firecracker = true
+  vpc_id = module.networking.vpc_id
+  subnet_id = module.networking.subnet_id
+  resource_prefix = "codeintel-prod"
+  instance_tag = "codeintel-prod"
+  sourcegraph_external_url = local.sourcegraph_external_url
+  sourcegraph_executor_proxy_password = local.executor_sourcegraph_executor_proxy_password
+  queue_name = "codeintel"
+  metrics_environment_label = "prod"
+  docker_registry_mirror = "http://${local.docker_mirror_static_ip}:5000"
+  # docker_registry_mirror_node_exporter_url = "http://${local.docker_mirror_static_ip}:9999"
+  use_firecracker = true
 }
 
 module "executors-batches" {
   source = "sourcegraph/executors/aws//modules/executors"
   version = "3.43.0" # LATEST
 
-  vpc_id = module.networking.vpc_id
-  subnet_id = module.networking.subnet_id
-  resource_prefix = "batches-prod"
-  instance_tag = "batches-prod"
-  sourcegraph_external_url = "https://sourcegraph.acme.com"
-  sourcegraph_executor_proxy_password = "hunter2"
-  queue_name = "batches"
-  metrics_environment_label = "prod"
-  docker_registry_mirror = "http://${local.docker_mirror_static_ip}:5000"
-  # docker_registry_mirror_node_exporter_url = "http://${local.docker_mirror_static_ip}:9999"
-  use_firecracker = true
+  vpc_id = module.networking.vpc_id
+  subnet_id = module.networking.subnet_id
+  resource_prefix = "batches-prod"
+  instance_tag = "batches-prod"
+  sourcegraph_external_url = local.sourcegraph_external_url
+  sourcegraph_executor_proxy_password = local.executor_sourcegraph_executor_proxy_password
+  queue_name = "batches"
+  metrics_environment_label = "prod"
+  docker_registry_mirror = "http://${local.docker_mirror_static_ip}:5000"
+  # docker_registry_mirror_node_exporter_url = "http://${local.docker_mirror_static_ip}:9999"
+  use_firecracker = true
+  need_syslogs = false
 }
diff --git a/main.tf b/main.tf
index 76f3801..916f803 100644
--- a/main.tf
+++ b/main.tf
@@ -14,6 +14,8 @@ module "aws-docker-mirror" {
   machine_ami = var.docker_mirror_machine_ami
   machine_type = var.docker_mirror_machine_type
   boot_disk_size = var.docker_mirror_boot_disk_size
+  boot_disk_kms_key_id = var.docker_mirror_boot_disk_kms_key_id
+  disk_kms_key_id = var.docker_mirror_disk_kms_key_id
   static_ip = var.docker_mirror_static_ip
   ssh_access_cidr_range = var.docker_mirror_ssh_access_cidr_range
   instance_tag_prefix = var.executor_instance_tag
@@ -29,6 +31,7 @@ module "aws-executor" {
   machine_image = var.executor_machine_image
   machine_type = var.executor_machine_type
   boot_disk_size = var.executor_boot_disk_size
+  boot_disk_kms_key_id = var.executor_boot_disk_kms_key_id
   preemptible_machines = var.executor_preemptible_machines
   instance_tag = var.executor_instance_tag
   ssh_access_cidr_range = var.executor_ssh_access_cidr_range
diff --git a/modules/docker-mirror/main.tf b/modules/docker-mirror/main.tf
index 052927e..f045dd5 100644
--- a/modules/docker-mirror/main.tf
+++ b/modules/docker-mirror/main.tf
@@ -40,6 +40,7 @@ resource "aws_instance" "default" {
     volume_size = var.boot_disk_size
     volume_type = "gp3"
     encrypted = true
+    kms_key_id = var.boot_disk_kms_key_id
   }
 
   tags = {
@@ -65,6 +66,7 @@ resource "aws_ebs_volume" "docker-storage" {
   availability_zone = data.aws_subnet.main.availability_zone
   size = var.disk_size
   encrypted = true
+  kms_key_id = var.disk_kms_key_id
   type = "gp3"
   iops = var.disk_iops
   throughput = var.disk_throughput
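Review bot: `kms_key_id = var.boot_disk_kms_key_id` on the `root_block_device` and `kms_key_id = var.disk_kms_key_id` on `aws_ebs_volume.docker-storage` are added without saying what the `null` default means; with the attribute unset the volume stays encrypted, but with the account's default EBS key rather than a customer-managed one. A one-line comment on each, `# null: the account's default aws/ebs KMS key is used`, makes that explicit and tells operators that passing a key is what actually changes the trust boundary. When a customer-managed key is supplied, its key policy must allow the principal creating the volume to use it, or the instance and volume creation fail; that belongs in the two variable descriptions in modules/docker-mirror/variables.tf. Changing `kms_key_id` on the root block device of an existing `aws_instance` likely forces replacement of the mirror — confirm against the provider before rolling this out to a running mirror.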
diff --git a/modules/docker-mirror/variables.tf b/modules/docker-mirror/variables.tf
index 144dee9..30623b1 100644
--- a/modules/docker-mirror/variables.tf
+++ b/modules/docker-mirror/variables.tf
@@ -26,6 +26,12 @@ variable "boot_disk_size" {
   description = "Docker registry mirror node disk size in GB."
 }
 
+variable "boot_disk_kms_key_id" {
+  type = string
+  default = null
+  description = "[Optional] The KMS Key ID for EBS volume encryption."
+}
+
 variable "disk_size" {
   type = number
   default = 64
@@ -44,6 +50,12 @@ variable "disk_throughput" {
   description = "Persistent Docker registry mirror disk throughput in MiB/s."
 }
 
+variable "disk_kms_key_id" {
+  type = string
+  default = null
+  description = "[Optional] The KMS Key ID for mirror disk EBS volume encryption."
+}
+
 variable "static_ip" {
   type = string
   description = "The IP to statically assign to the instance. Should be internal."
diff --git a/modules/executors/main.tf b/modules/executors/main.tf
index 1471efc..e112170 100644
--- a/modules/executors/main.tf
+++ b/modules/executors/main.tf
@@ -73,6 +73,7 @@ resource "aws_security_group" "metrics_access" {
 
 resource "aws_cloudwatch_log_group" "syslogs" {
   # TODO: This is hardcoded in the executor image.
+  count = var.need_syslogs ? 1 : 0
   name = "executors"
   retention_in_days = 7
 }
@@ -113,6 +114,8 @@ resource "aws_launch_template" "executor" {
       volume_type = "gp3"
       iops = var.boot_disk_iops
       throughput = var.boot_disk_throughput
+      encrypted = true
+      kms_key_id = var.boot_disk_kms_key_id
     }
   }
 
diff --git a/modules/executors/variables.tf b/modules/executors/variables.tf
index 2827a3b..d65ced1 100644
--- a/modules/executors/variables.tf
+++ b/modules/executors/variables.tf
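Review bot: Adding `count = var.need_syslogs ? 1 : 0` to `aws_cloudwatch_log_group.syslogs` changes its address to `aws_cloudwatch_log_group.syslogs[0]`, so every existing deployment will plan a destroy and recreate of the log group (discarding the retained syslogs) on upgrade unless a `moved { from = aws_cloudwatch_log_group.syslogs to = aws_cloudwatch_log_group.syslogs[0] }` block accompanies it; the `.terraform-version` pin of 1.1.9 in this commit is recent enough for `moved`. Any other reference to `aws_cloudwatch_log_group.syslogs` elsewhere in the module (an IAM policy or output, outside this hunk) would also need the index. In the `aws_launch_template` hunk, `encrypted = true` is a good default, but a customer-managed `kms_key_id` only works if the key policy grants the Auto Scaling service-linked role use of the key, otherwise scale-out fails to launch instances; that caveat belongs in the `boot_disk_kms_key_id` description. The `# TODO` above the log group should also say that with `need_syslogs = false` a log group named `executors` must already exist, since the image still writes there.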
@@ -44,6 +44,12 @@ variable "boot_disk_throughput" {
   description = "Persistent Docker registry mirror disk throughput in MiB/s."
 }
 
+variable "boot_disk_kms_key_id" {
+  type = string
+  default = null
+  description = "[Optional] The KMS Key ID for EBS volume encryption."
+}
+
 variable "preemptible_machines" {
   type = bool
   default = false
@@ -182,3 +188,9 @@ variable "assign_public_ip" {
   default = true
   description = "If false, no public IP will be associated with the executors."
 }
+
+variable "need_syslogs" {
+  type = bool
+  default = true
+  description = "For multi-executor only 1 of these needs to be made."
+}
diff --git a/variables.tf b/variables.tf
index 9172801..22ffcfa 100644
--- a/variables.tf
+++ b/variables.tf
@@ -21,6 +21,18 @@ variable "docker_mirror_boot_disk_size" {
   description = "Docker registry mirror node disk size in GB."
 }
 
+variable "docker_mirror_boot_disk_kms_key_id" {
+  type = string
+  default = null
+  description = "[Optional] KMS Key ID for EBS boot disk encryption"
+}
+
+variable "docker_mirror_disk_kms_key_id" {
+  type = string
+  default = null
+  description = "[Optional] KMS Key ID for EBS disk encryption"
+}
+
 variable "docker_mirror_static_ip" {
   type = string
   default = "10.0.1.4"
@@ -63,6 +75,12 @@ variable "executor_boot_disk_size" {
   description = "Executor node disk size in GB"
 }
 
+variable "executor_boot_disk_kms_key_id" {
+  type = string
+  default = null
+  description = "[Optional] KMS Key ID for EBS boot disk encryption"
+}
+
 variable "executor_preemptible_machines" {
   type = bool
   default = false
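Review bot: The description of the new `need_syslogs` variable, `"For multi-executor only 1 of these needs to be made."`, does not say what the flag controls or which instance should keep it, so a caller cannot set it correctly from the docs alone; something like `description = "If false, this module instance does not create the fixed-name 'executors' CloudWatch log group. Set it to false on all but one executor module in the same account."` states the contract. The four new `*_kms_key_id` descriptions here and in variables.tf say `[Optional]` but not what happens when unset; appending `"When null, the AWS-managed default EBS key is used."` closes that gap and tells operators that leaving the default does not select a customer-managed key. It is also worth stating in the descriptions that the key's policy must allow the principals that create the volumes, since a key the account cannot use only surfaces as a failed launch.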