diff --git a/services/terraform/self-host/aws_db.tf b/services/terraform/self-host/aws_db.tf
index 1bc9e77ae..7f2c68978 100644
--- a/services/terraform/self-host/aws_db.tf
+++ b/services/terraform/self-host/aws_db.tf
@@ -1,93 +1,92 @@ # MariaDB Security Group resource "aws_security_group" "keyserver_mariadb_security_group" { name = "keyserver-mariadb-sg" description = "Allow inbound traffic on port 3307 and all outbound traffic" - vpc_id = aws_vpc.default.id + vpc_id = local.vpc_id # Inbound rules ingress { from_port = 3307 to_port = 3307 protocol = "tcp" cidr_blocks = ["${var.allowed_ip}/32"] } # Outbound rules egress { from_port = 0 to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] } } - # MariaDB RDS Instance resource "aws_db_instance" "mariadb" { allocated_storage = 100 max_allocated_storage = 3000 storage_type = "gp3" db_name = "mariadb" identifier = "mariadb-instance" engine = "mariadb" engine_version = "10.11" instance_class = "db.m6g.large" db_subnet_group_name = aws_db_subnet_group.public_db_subnet_group.name vpc_security_group_ids = [aws_security_group.keyserver_mariadb_security_group.id] username = var.mariadb_username password = var.mariadb_password parameter_group_name = aws_db_parameter_group.mariadb_parameter_group.name storage_encrypted = true publicly_accessible = true port = 3307 skip_final_snapshot = true } # MariaDB Parameter Group resource "aws_db_parameter_group" "mariadb_parameter_group" { name = "mariadb-parameter-group" family = "mariadb10.11" parameter { apply_method = "pending-reboot" name = "performance_schema" value = "1" } parameter { apply_method = "immediate" name = "max_allowed_packet" # 256 MiB: (1024 * 1024 * 256) value = "268435456" } parameter { apply_method = "immediate" name = "local_infile" value = "0" } parameter { apply_method = "immediate" name = "sql_mode" value = "STRICT_ALL_TABLES" } parameter { apply_method = "pending-reboot" name = "innodb_buffer_pool_size" value = "{DBInstanceClassMemory*3/4}" } parameter { apply_method = "pending-reboot" name = "innodb_ft_min_token_size" value = "1" } parameter { apply_method = "immediate" name = "innodb_ft_enable_stopword" value = "0" } } 
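Review bot: With `user_created_vpc` at its default of false, `local.vpc_id` places this security group — and the `publicly_accessible = true` instance that references it — in the account's default VPC, whose subnets the new locals also hand to the DB subnet group, so the `${var.allowed_ip}/32` ingress rule becomes the only control between the internet and port 3307; that deserves a comment on the ingress block such as `# Sole network control for a publicly_accessible instance; allowed_ip must stay a single trusted address`. The instance also keeps `skip_final_snapshot = true` and sets no `deletion_protection`, so a destroy in either VPC mode drops the keyserver database without a snapshot; for data that is meant to persist, `deletion_protection = true` and `skip_final_snapshot = false` (with a `final_snapshot_identifier`) would be the safer defaults. The egress rule to `0.0.0.0/0` is pre-existing, but worth narrowing if the instance has no reason to initiate outbound connections.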
diff --git a/services/terraform/self-host/aws_vpc.tf b/services/terraform/self-host/aws_vpc.tf
index 41e68efe9..bd39444ca 100644
--- a/services/terraform/self-host/aws_vpc.tf
+++ b/services/terraform/self-host/aws_vpc.tf
@@ -1,56 +1,80 @@ -# VPC +# Default VPC Data + +data "aws_vpc" "default" { + default = true +} + +data "aws_subnets" "default" { + filter { + name = "vpc-id" + values = [data.aws_vpc.default.id] + } +} + +data "aws_internet_gateway" "default" { + filter { + name = "attachment.vpc-id" + values = [data.aws_vpc.default.id] + } +} + + +# User Created VPC resource "aws_vpc" "default" { + count = var.user_created_vpc ? 1 : 0 cidr_block = "172.31.0.0/16" enable_dns_support = true enable_dns_hostnames = true } -# Public Subnets resource "aws_subnet" "public_1" { - vpc_id = aws_vpc.default.id + count = var.user_created_vpc ? 1 : 0 + vpc_id = aws_vpc.default[0].id cidr_block = "172.31.0.0/20" availability_zone = var.availability_zone_1 map_public_ip_on_launch = true } resource "aws_subnet" "public_2" { - vpc_id = aws_vpc.default.id + count = var.user_created_vpc ? 1 : 0 + vpc_id = aws_vpc.default[0].id cidr_block = "172.31.16.0/20" availability_zone = var.availability_zone_2 map_public_ip_on_launch = true } -# Internet Gateway + resource "aws_internet_gateway" "default" { - vpc_id = aws_vpc.default.id + count = var.user_created_vpc ? 1 : 0 + vpc_id = aws_vpc.default[0].id } # Route Table for Internet Gateway resource "aws_route_table" "public_igw_route_table" { - vpc_id = aws_vpc.default.id + vpc_id = local.vpc_id route { - cidr_block = "${var.allowed_ip}/32" - gateway_id = aws_internet_gateway.default.id + cidr_block = "0.0.0.0/0" + gateway_id = var.user_created_vpc ? 
aws_internet_gateway.default[0].id : data.aws_internet_gateway.default.id } } resource "aws_route_table_association" "public_1_igw_route_association" { - subnet_id = aws_subnet.public_1.id + subnet_id = local.vpc_subnets[0] route_table_id = aws_route_table.public_igw_route_table.id } resource "aws_route_table_association" "public_2_igw_route_association" { - subnet_id = aws_subnet.public_2.id + subnet_id = local.vpc_subnets[1] route_table_id = aws_route_table.public_igw_route_table.id } # DB Subnet Group resource "aws_db_subnet_group" "public_db_subnet_group" { name = "public-db-subnet-group" - subnet_ids = [aws_subnet.public_1.id, aws_subnet.public_2.id] + subnet_ids = local.vpc_subnets tags = { Name = "DB subnet group associated with private vpc subnet" } }
diff --git a/services/terraform/self-host/main.tf b/services/terraform/self-host/main.tf
index d7d5b72f1..608ee8337 100644
--- a/services/terraform/self-host/main.tf
+++ b/services/terraform/self-host/main.tf
@@ -1,9 +1,14 @@ +locals { + vpc_id = var.user_created_vpc ? aws_vpc.default[0].id : data.aws_vpc.default.id + vpc_subnets = var.user_created_vpc ? [aws_subnet.public_1[0].id, aws_subnet.public_2[0].id] : [data.aws_subnets.default.ids[0], data.aws_subnets.default.ids[1]] +} + provider "aws" { region = var.region default_tags { tags = { managed_by = "terraform" } } }
diff --git a/services/terraform/self-host/terraform.tfvars.example b/services/terraform/self-host/terraform.tfvars.example
index 5ff4efbbd..d335a8b79 100644
--- a/services/terraform/self-host/terraform.tfvars.example
+++ b/services/terraform/self-host/terraform.tfvars.example
@@ -1,6 +1,4 @@ mariadb_username = "username" mariadb_password = "password" region = "us-west-1" -availability_zone_1 = "us-west-1b" -availability_zone_2 = "us-west-1c" allowed_ip = "0.0.0.0"
diff --git a/services/terraform/self-host/variables.tf b/services/terraform/self-host/variables.tf
index 610f4f86d..3e52f231e 100644
--- a/services/terraform/self-host/variables.tf
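Review bot: The route in `public_igw_route_table` widens from `${var.allowed_ip}/32` to `0.0.0.0/0`, and in the default-VPC case the two `aws_route_table_association` resources attach that table to subnets this module did not create, which replaces their existing main-route-table association; every resource in those two default-VPC subnets, not only this keyserver, is now routed through a table owned by this Terraform state. If the goal is only to guarantee an internet route for the user-created VPC, the route table and both associations can be gated like the subnets, `count = var.user_created_vpc ? 1 : 0` (with `route_table_id = aws_route_table.public_igw_route_table[0].id`), since a default VPC's main route table normally already carries that default route. Either way the tag `"DB subnet group associated with private vpc subnet"` no longer describes what is built — these subnets are public, with `map_public_ip_on_launch = true` in the user-created case — and should say so. Note also that `data "aws_internet_gateway" "default"` fails the plan rather than falling back if the default VPC has had its internet gateway detached; a comment naming that assumption would help self-hosters.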
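Review bot: `local.vpc_subnets` indexes `data.aws_subnets.default.ids[0]` and `[1]` directly, but that list is not, as far as I know, documented to come back in a stable order, and it can hold fewer than two entries (the plan fails with an index error) or, if the default VPC has been modified, two subnets in the same availability zone, which RDS rejects for a subnet group. Sorting first makes the choice deterministic across plans and avoids needless churn of the subnet group and route associations: `vpc_subnets = var.user_created_vpc ? [aws_subnet.public_1[0].id, aws_subnet.public_2[0].id] : slice(sort(data.aws_subnets.default.ids), 0, 2)`. A `lifecycle { precondition { ... } }` on `aws_db_subnet_group.public_db_subnet_group` checking `length(data.aws_subnets.default.ids) >= 2` would turn the index error into a readable message.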
+++ b/services/terraform/self-host/variables.tf @@ -1,34 +1,40 @@ variable "mariadb_username" { description = "MariaDB username" type = string sensitive = true } variable "mariadb_password" { description = "MariaDB password" type = string sensitive = true } variable "region" { description = "The AWS region to deploy your keyserver in" type = string default = "us-west-1" } variable "allowed_ip" { description = "IP address" type = string } +variable "user_created_vpc" { + description = "Use non-default vpc and subnets" + type = bool + default = false +} + variable "availability_zone_1" { - description = "First availability zone for vpc subnet" + description = "First availability zone for vpc subnet if user created vpc" type = string default = "us-west-1b" } variable "availability_zone_2" { - description = "Second availability zone for vpc subnet" + description = "Second availability zone for vpc subnet if user created vpc" type = string default = "us-west-1c" }
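Review bot: `allowed_ip` still carries the description `"IP address"` and no validation, yet aws_db.tf interpolates it as `"${var.allowed_ip}/32"` into the security-group ingress; a hostname, a CIDR or an IPv6 address only fails at apply time, and the example value `0.0.0.0` becomes `0.0.0.0/32`, which matches the single address 0.0.0.0 rather than all sources, so a self-hoster copying the example gets a database nobody can reach instead of an obvious error. A `validation` block and a description that names the /32 use catch this at plan time. The new `user_created_vpc` description would also benefit from stating that `availability_zone_1`/`_2` are ignored when it is false, since their own descriptions only hint at it.
```hcl
variable "allowed_ip" {
  description = "Single public IPv4 address allowed to reach MariaDB on port 3307 (used as <ip>/32 in the security group)"
  type        = string

  validation {
    condition     = can(cidrnetmask("${var.allowed_ip}/32"))
    error_message = "allowed_ip must be a single IPv4 address, e.g. 203.0.113.7 (no prefix length, no hostname, no IPv6)."
  }
}
```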