roleypoly/v3
1
0
Fork 0
mirror of https://github.com/roleypoly/roleypoly.git synced 2025-06-16 17:49:09 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

temp tf

Browse source
This commit is contained in:
41666 2020-10-09 10:54:55 -04:00
parent a5e2fdc7a7
commit ec505739c8
31 changed files with 1394 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

1
terraform/platform/bootstrap/global.auto.tfvars Normal file
View file

@ -0,0 +1 @@
gcs_region = "us-east1-d"

26
terraform/platform/bootstrap/k8s.tf Normal file
View file

@ -0,0 +1,26 @@
data "digitalocean_kubernetes_versions" "versions" {
version_prefix = "1.16."
}
resource "digitalocean_kubernetes_cluster" "cluster" {
name = "roleypoly-nyc"
region = "nyc1"
version = data.digitalocean_kubernetes_versions.versions.latest_version
node_pool {
name = "default-worker-pool"
size = "s-2vcpu-2gb"
node_count = 3
labels = {
node_type = "static"
}
}
}
locals {
k8sEndpoint = digitalocean_kubernetes_cluster.cluster.endpoint
k8sToken = digitalocean_kubernetes_cluster.cluster.kube_config[0].token
k8sCert = base64decode(
digitalocean_kubernetes_cluster.cluster.kube_config[0].cluster_ca_certificate
)
}

58
terraform/platform/bootstrap/provision.tf Normal file
View file

@ -0,0 +1,58 @@
terraform {
required_version = ">=0.12.6"
backend "remote" {
organization = "Roleypoly"
workspaces {
name = "roleypoly-platform-bootstrap"
}
}
}
/*
Google Cloud
*/
variable "gcs_token" { type = string }
variable "gcs_region" { type = string }
variable "gcs_project" { type = string }
provider "google" {
version = ">=3.18.0"
project = var.gcs_project
region = var.gcs_region
credentials = var.gcs_token
scopes = [
"https://www.googleapis.com/auth/devstorage.full_control",
"https://www.googleapis.com/auth/cloud-platform",
]
}
/*
DigitalOcean
*/
variable "digitalocean_token" { type = string }
provider "digitalocean" {
version = ">=1.16.0"
token = var.digitalocean_token
}
/*
Terraform Cloud
*/
variable "tfc_token" { type = string }
variable "tfc_email" { type = string }
variable "tfc_oauth_token_id" { type = string }
variable "tfc_webhook_url" { type = string }
provider "tfe" {
version = ">=0.15.0"
token = var.tfc_token
}
/*
Cloudflare (for tfc vars)
*/
variable "cloudflare_token" { type = string }
variable "cloudflare_email" { type = string }
variable "cloudflare_zone_id" { type = string }
variable "cloudflare_origin_ca_token" { type = string }

65
terraform/platform/bootstrap/tfcloud.tf Normal file
View file

@ -0,0 +1,65 @@
locals {
repo = "roleypoly/devops"
branch = "master"
tfc_org = "Roleypoly"
}
module "tfcws-services" {
source = "github.com/roleypoly/devops.git//terraform/modules/tfc-workspace"
workspace-name = "roleypoly-platform-services"
repo = local.repo
branch = local.branch
tfc_webhook_url = var.tfc_webhook_url
directory = "terraform/platform/services"
auto_apply = false
dependent_modules = ["nginx-ingress-controller", "cloudflare-dns"]
tfc_org = local.tfc_org
tfc_oauth_token_id = var.tfc_oauth_token_id
secret-vars = {
digitalocean_token = var.digitalocean_token
cloudflare_origin_ca_token = var.cloudflare_origin_ca_token
cloudflare_zone_id = var.cloudflare_zone_id
cloudflare_token = var.cloudflare_token
cloudflare_email = var.cloudflare_email
vault_gcs_token = local.vaultGcsSvcacctKey
vault_gcs_url = local.vaultGcsUrl
k8s_endpoint = local.k8sEndpoint
k8s_token = local.k8sToken
k8s_cert = local.k8sCert
}
vars = {
gcp_region = var.gcs_region
gcp_project = var.gcs_project
}
}
module "tfcws-app" {
source = "github.com/roleypoly/devops.git//terraform/modules/tfc-workspace"
workspace-name = "roleypoly-platform-app"
repo = local.repo
branch = local.branch
tfc_webhook_url = var.tfc_webhook_url
directory = "terraform/platform/app"
auto_apply = false
dependent_modules = ["tfc-workspace", "cluster-environment"]
tfc_org = local.tfc_org
tfc_oauth_token_id = var.tfc_oauth_token_id
secret-vars = {
k8s_endpoint = local.k8sEndpoint
k8s_token = local.k8sToken
k8s_cert = local.k8sCert
cloudflare_zone_id = var.cloudflare_zone_id
cloudflare_token = var.cloudflare_token
cloudflare_email = var.cloudflare_email
tfc_email = var.tfc_email
tfc_oauth_token_id = var.tfc_oauth_token_id
tfc_webhook_url = var.tfc_webhook_url
}
env-vars = {
TFE_TOKEN = var.tfc_token
}
}

26
terraform/platform/bootstrap/vault-gcs.tf Normal file
View file

@ -0,0 +1,26 @@
locals {
vaultGcsSvcacctKey = google_service_account_key.vault-svcacct-key.private_key
vaultGcsUrl = google_storage_bucket.vault-backend.url
}
resource "google_service_account" "vault-svcacct" {
account_id = "vault-gcs"
display_name = "Vault Svcacct"
}
resource "google_service_account_key" "vault-svcacct-key" {
service_account_id = google_service_account.vault-svcacct.name
}
resource "google_storage_bucket" "vault-backend" {
name = "roleypoly-vault"
}
resource "google_storage_bucket_acl" "vault-backend-acl" {
bucket = google_storage_bucket.vault-backend.name
role_entity = [
"WRITER:user-${google_service_account.vault-svcacct.email}"
]
}

42
terraform/platform/bootstrap/vault-kms.tf Normal file
View file

@ -0,0 +1,42 @@
resource "google_kms_key_ring" "vault-kms-ring" {
name = "vault-keyring"
location = "global"
lifecycle {
prevent_destroy = true
}
}
locals {
iam_members = [
"serviceAccount:${google_service_account.vault-svcacct.email}"
]
}
data "google_iam_policy" "vault" {
binding {
role = "roles/editor"
members = local.iam_members
}
binding {
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
members = local.iam_members
}
}
resource "google_kms_key_ring_iam_policy" "vault-binding" {
key_ring_id = google_kms_key_ring.vault-kms-ring.id
policy_data = data.google_iam_policy.vault.policy_data
}
resource "google_kms_crypto_key" "vault-key" {
name = "vault-key"
key_ring = google_kms_key_ring.vault-kms-ring.id
rotation_period = "100000s" // just over one day
lifecycle {
prevent_destroy = true
}
}