diff --git a/services/terraform/self-host/.gitignore b/services/terraform/self-host/.gitignore
index a2332f22e..d9fafa2dc 100644
--- a/services/terraform/self-host/.gitignore
+++ b/services/terraform/self-host/.gitignore
@@ -1,39 +1,35 @@
-# User-specific files
-.sops.yaml
-keyserver_secrets.json
-
 # Local .terraform directories
 **/.terraform/*
 # .tfstate files
 *.tfstate
 *.tfstate.*
 .terraform.lock.hcl
 # Crash log files
 crash.log
 crash.*.log
 # Exclude all .tfvars files, which are likely to contain sensitive data, such as
 # password, private keys, and other secrets. These should not be part of version
 # control as they are data points which are potentially sensitive and subject
 # to change depending on the environment.
 *.tfvars
 *.tfvars.json
 # Ignore override files as they are usually used to override resources locally and so
 # are not checked in
 override.tf
 override.tf.json
 *_override.tf
 *_override.tf.json
 # Include override files you do wish to add to version control using negated pattern
 # !example_override.tf
 # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
 # example: *tfplan*
 # Ignore CLI configuration files
 .terraformrc
 terraform.rc
diff --git a/services/terraform/self-host/aws_db.tf b/services/terraform/self-host/aws_db.tf
index cdb6b0204..1bc9e77ae 100644
--- a/services/terraform/self-host/aws_db.tf
+++ b/services/terraform/self-host/aws_db.tf
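Review bot: Removing `.sops.yaml` and `keyserver_secrets.json` from the ignore list means an operator who upgrades in place and still has those files from the previous layout can now commit them by accident; the sops file itself was ciphertext, but a decrypted working copy with the same name would be a credential leak. The two entries cost nothing to keep and only protect that upgrade path, so I would leave them in (or keep them with a comment `# leftovers from the former sops-based secrets layout`). The new plaintext `terraform.tfvars` is covered by the existing `*.tfvars` pattern, and `terraform.tfvars.example` is correctly not matched by it.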
@@ -1,93 +1,93 @@
 # MariaDB Security Group
 resource "aws_security_group" "keyserver_mariadb_security_group" {
 name = "keyserver-mariadb-sg"
 description = "Allow inbound traffic on port 3307 and all outbound traffic"
 vpc_id = aws_vpc.default.id
 # Inbound rules
 ingress {
 from_port = 3307
 to_port = 3307
 protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
+ cidr_blocks = ["${var.allowed_ip}/32"]
 }
 # Outbound rules
 egress {
 from_port = 0
 to_port = 0
 protocol = "-1"
 cidr_blocks = ["0.0.0.0/0"]
 }
 }
 # MariaDB RDS Instance
 resource "aws_db_instance" "mariadb" {
 allocated_storage = 100
 max_allocated_storage = 3000
 storage_type = "gp3"
 db_name = "mariadb"
 identifier = "mariadb-instance"
 engine = "mariadb"
 engine_version = "10.11"
 instance_class = "db.m6g.large"
 db_subnet_group_name = aws_db_subnet_group.public_db_subnet_group.name
 vpc_security_group_ids = [aws_security_group.keyserver_mariadb_security_group.id]
- username = local.secrets["mariaDB"]["username"]
- password = local.secrets["mariaDB"]["password"]
+ username = var.mariadb_username
+ password = var.mariadb_password
 parameter_group_name = aws_db_parameter_group.mariadb_parameter_group.name
 storage_encrypted = true
 publicly_accessible = true
 port = 3307
 skip_final_snapshot = true
 }
 # MariaDB Parameter Group
 resource "aws_db_parameter_group" "mariadb_parameter_group" {
 name = "mariadb-parameter-group"
 family = "mariadb10.11"
 parameter {
 apply_method = "pending-reboot"
 name = "performance_schema"
 value = "1"
 }
 parameter {
 apply_method = "immediate"
 name = "max_allowed_packet"
 # 256 MiB: (1024 * 1024 * 256)
 value = "268435456"
 }
 parameter {
 apply_method = "immediate"
 name = "local_infile"
 value = "0"
 }
 parameter {
 apply_method = "immediate"
 name = "sql_mode"
 value = "STRICT_ALL_TABLES"
 }
 parameter {
 apply_method = "pending-reboot"
 name = "innodb_buffer_pool_size"
 value = "{DBInstanceClassMemory*3/4}"
 }
 parameter {
 apply_method = "pending-reboot"
 name = "innodb_ft_min_token_size"
 value = "1"
 }
 parameter {
 apply_method = "immediate"
 name = "innodb_ft_enable_stopword"
 value = "0"
 }
 }
diff --git a/services/terraform/self-host/aws_vpc.tf b/services/terraform/self-host/aws_vpc.tf
index 11a7b01b4..41e68efe9 100644
--- a/services/terraform/self-host/aws_vpc.tf
+++ b/services/terraform/self-host/aws_vpc.tf
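Review bot: `cidr_blocks = ["${var.allowed_ip}/32"]` appends the prefix length itself, so `var.allowed_ip` must be a bare IPv4 address, yet nothing enforces that: a value that already carries a `/n` suffix only fails at apply, and the `allowed_ip = "0.0.0.0"` shipped in `terraform.tfvars.example` yields `0.0.0.0/32`, a rule that admits no real client rather than "everyone", with no error at all. A `validation` block on the variable would catch both at plan time. Since the instance stays `publicly_accessible = true` on port 3307 (pre-existing), this ingress rule is the only network control in front of the database, and the group's description no longer reflects what it does; I would change it to `description = "Allow inbound MariaDB traffic on port 3307 from allowed_ip only, and all outbound traffic"`.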
@@ -1,56 +1,56 @@
 # VPC
 resource "aws_vpc" "default" {
 cidr_block = "172.31.0.0/16"
 enable_dns_support = true
 enable_dns_hostnames = true
 }
 # Public Subnets
-resource "aws_subnet" "public_a" {
+resource "aws_subnet" "public_1" {
 vpc_id = aws_vpc.default.id
 cidr_block = "172.31.0.0/20"
- availability_zone = "us-east-2a"
+ availability_zone = var.availability_zone_1
 map_public_ip_on_launch = true
 }
-resource "aws_subnet" "public_b" {
+resource "aws_subnet" "public_2" {
 vpc_id = aws_vpc.default.id
 cidr_block = "172.31.16.0/20"
- availability_zone = "us-east-2b"
+ availability_zone = var.availability_zone_2
 map_public_ip_on_launch = true
 }
 # Internet Gateway
 resource "aws_internet_gateway" "default" {
 vpc_id = aws_vpc.default.id
 }
 # Route Table for Internet Gateway
 resource "aws_route_table" "public_igw_route_table" {
 vpc_id = aws_vpc.default.id
 route {
- cidr_block = "0.0.0.0/0"
+ cidr_block = "${var.allowed_ip}/32"
 gateway_id = aws_internet_gateway.default.id
 }
 }
-resource "aws_route_table_association" "public_a_igw_route_association" {
- subnet_id = aws_subnet.public_a.id
+resource "aws_route_table_association" "public_1_igw_route_association" {
+ subnet_id = aws_subnet.public_1.id
 route_table_id = aws_route_table.public_igw_route_table.id
 }
-resource "aws_route_table_association" "public_b_igw_route_association" {
- subnet_id = aws_subnet.public_b.id
+resource "aws_route_table_association" "public_2_igw_route_association" {
+ subnet_id = aws_subnet.public_2.id
 route_table_id = aws_route_table.public_igw_route_table.id
 }
 # DB Subnet Group
 resource "aws_db_subnet_group" "public_db_subnet_group" {
 name = "public-db-subnet-group"
- subnet_ids = [aws_subnet.public_a.id, aws_subnet.public_b.id]
+ subnet_ids = [aws_subnet.public_1.id, aws_subnet.public_2.id]
 tags = {
 Name = "DB subnet group associated with private vpc subnet"
 }
 }
diff --git a/services/terraform/self-host/main.tf b/services/terraform/self-host/main.tf
index 9de8a97f8..d7d5b72f1 100644
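Review bot: The route in `public_igw_route_table` changed from `0.0.0.0/0` to `"${var.allowed_ip}/32"`, but a route table entry selects by destination, not by source, so this does not restrict who can reach the subnets; it instead leaves the two public subnets with a path through the Internet Gateway to that single address only, and with the example value `0.0.0.0` no usable route out at all. Any outbound connection from these subnets to anything other than `allowed_ip` (the security group in aws_db.tf still allows all egress, and `map_public_ip_on_launch = true` suggests instances are expected to launch here) has no route, and a later change of `allowed_ip` silently changes the VPC's routing rather than its access policy. Source restriction is already done correctly by the security-group ingress rule in aws_db.tf, so I would restore the default route: `cidr_block = "0.0.0.0/0"`.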
--- a/services/terraform/self-host/main.tf
+++ b/services/terraform/self-host/main.tf
@@ -1,19 +1,9 @@
-provider "sops" {}
-
-data "sops_file" "keyserver_secrets_json" {
- source_file = "keyserver_secrets.json"
-}
-
-locals {
- secrets = jsondecode(data.sops_file.keyserver_secrets_json.raw)
-}
-
 provider "aws" {
- region = "us-east-2"
+ region = var.region
 default_tags {
 tags = {
 managed_by = "terraform"
 }
 }
 }
diff --git a/services/terraform/self-host/providers.tf b/services/terraform/self-host/providers.tf
index 5ec120ea0..0b988a0be 100644
--- a/services/terraform/self-host/providers.tf
+++ b/services/terraform/self-host/providers.tf
@@ -1,13 +1,8 @@
 terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
 version = "~> 5.7.0"
 }
-
- sops = {
- source = "carlpett/sops"
- version = "0.7.2"
- }
 }
 }
diff --git a/services/terraform/self-host/terraform.tfvars.example b/services/terraform/self-host/terraform.tfvars.example
new file mode 100644
index 000000000..5ff4efbbd
--- /dev/null
+++ b/services/terraform/self-host/terraform.tfvars.example
@@ -0,0 +1,6 @@
+mariadb_username = "username"
+mariadb_password = "password"
+region = "us-west-1"
+availability_zone_1 = "us-west-1b"
+availability_zone_2 = "us-west-1c"
+allowed_ip = "0.0.0.0"
diff --git a/services/terraform/self-host/variables.tf b/services/terraform/self-host/variables.tf
new file mode 100644
index 000000000..610f4f86d
--- /dev/null
+++ b/services/terraform/self-host/variables.tf
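Review bot: `allowed_ip = "0.0.0.0"` in terraform.tfvars.example is a misleading sample: the security group appends `/32` to it, so an operator who copies this file unchanged gets `0.0.0.0/32`, which admits no real client rather than everyone, and nothing reports the mistake. Example files are copied verbatim, so the values should state what is expected and not be applicable by accident, e.g. `allowed_ip = "203.0.113.10" # your client's public IPv4 address, without a /prefix` (constructed documentation-range value). Likewise `mariadb_password = "password"` is accepted as-is by the configuration; a comment on that line should say it is the RDS master password and that, now that the sops-encrypted file is gone, it lives in plaintext in `terraform.tfvars` and, as with any RDS password managed by Terraform, in the state file, so both must be protected accordingly.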
@@ -0,0 +1,34 @@
+variable "mariadb_username" {
+ description = "MariaDB username"
+ type = string
+ sensitive = true
+}
+
+variable "mariadb_password" {
+ description = "MariaDB password"
+ type = string
+ sensitive = true
+}
+
+variable "region" {
+ description = "The AWS region to deploy your keyserver in"
+ type = string
+ default = "us-west-1"
+}
+
+variable "allowed_ip" {
+ description = "IP address"
+ type = string
+}
+
+variable "availability_zone_1" {
+ description = "First availability zone for vpc subnet"
+ type = string
+ default = "us-west-1b"
+}
+
+variable "availability_zone_2" {
+ description = "Second availability zone for vpc subnet"
+ type = string
+ default = "us-west-1c"
+}
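Review bot: `variable "allowed_ip"` is described only as `IP address` and has no `validation`, yet aws_db.tf and aws_vpc.tf append `/32` to it, so a value that already carries a prefix length or an IPv6 address fails only at apply, and the example value `0.0.0.0` is accepted silently and produces a security-group rule that admits no real client. A `validation` block built on `cidrnetmask` (IPv4-only, so it also rejects IPv6) catches both at plan time, and the description should say that a single bare IPv4 address is expected. Separately, `region`, `availability_zone_1` and `availability_zone_2` carry independent `us-west-1*` defaults, so overriding `region` alone leaves AZ names from another region and fails at apply; a `data "aws_availability_zones"` lookup would derive the zones from the chosen region, though I leave that as a suggestion since usable AZ names vary per account. The `sensitive = true` on both MariaDB variables is the right call.
```hcl
variable "allowed_ip" {
  description = "Single public IPv4 address (no prefix length) allowed to reach MariaDB on port 3307; /32 is appended where it is used"
  type        = string

  validation {
    condition     = var.allowed_ip != "0.0.0.0" && can(cidrnetmask("${var.allowed_ip}/32"))
    error_message = "allowed_ip must be a single IPv4 address without a prefix length, e.g. 203.0.113.10."
  }
}
# … unchanged: mariadb_username, mariadb_password, region, availability_zone_1, availability_zone_2 …
```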