# Customer-managed KMS keys for the deployment. The main key is always
# created; a second key is created only when ClickHouse is enabled.
module "kms" {
  source = "./modules/kms"

  # Alias defaults to "<namespace>-kms-alias" unless the caller supplies one.
  key_alias                = var.kms_key_alias != null ? var.kms_key_alias : "${var.namespace}-kms-alias"
  key_policy               = var.kms_key_policy
  policy_administrator_arn = var.kms_key_policy_administrator_arn
  key_deletion_window      = var.kms_key_deletion_window

  # ClickHouse key, same alias-defaulting rule.
  create_clickhouse_key = var.enable_clickhouse
  clickhouse_key_alias  = var.kms_clickhouse_key_alias != null ? var.kms_clickhouse_key_alias : "${var.namespace}-kms-clickhouse-alias"
  clickhouse_key_policy = var.kms_clickhouse_key_policy
}
locals {
  default_kms_key    = module.kms.key.arn
  clickhouse_kms_key = var.enable_clickhouse ? module.kms.clickhouse_key.arn : null

  # RDS keys: an empty ARN means "use the deployment key".
  database_kms_key_arn                      = length(var.database_kms_key_arn) == 0 ? local.default_kms_key : var.database_kms_key_arn
  database_performance_insights_kms_key_arn = length(var.database_performance_insights_kms_key_arn) == 0 ? local.default_kms_key : var.database_performance_insights_kms_key_arn

  # Bucket key: a caller-managed bucket always uses the caller's ARN, even
  # when that ARN is empty; the module-created bucket uses the deployment key
  # unless an ARN is given.
  # NOTE(review): external bucket + empty bucket_kms_key_arn yields "" here —
  # confirm the file_storage module tolerates that.
  use_external_bucket = var.bucket_name != ""
  s3_kms_key_arn      = !local.use_external_bucket && var.bucket_kms_key_arn == "" ? local.default_kms_key : var.bucket_kms_key_arn
  use_internal_queue  = var.use_internal_queue || local.use_external_bucket

  # Sizing: an explicit variable wins over the preset selected by var.size.
  elasticache_node_type       = coalesce(var.elasticache_node_type, local.deployment_size[var.size].cache)
  database_instance_class     = coalesce(var.database_instance_class, local.deployment_size[var.size].db)
  kubernetes_instance_types   = coalesce(var.kubernetes_instance_types, [local.deployment_size[var.size].node_instance])
  kubernetes_min_nodes_per_az = coalesce(var.kubernetes_min_nodes_per_az, local.deployment_size[var.size].min_nodes_per_az)
  kubernetes_max_nodes_per_az = coalesce(var.kubernetes_max_nodes_per_az, local.deployment_size[var.size].max_nodes_per_az)
}
# Object storage for the application. Encryption is SSE-KMS with the key
# chosen in local.s3_kms_key_arn; the notification queue is created only
# when the internal queue is not used.
module "file_storage" {
  source    = "./modules/file_storage"
  namespace = var.namespace

  sse_algorithm = "aws:kms"
  kms_key_arn   = local.s3_kms_key_arn
  # presumably adds a TLS-only bucket policy — confirm in the module
  enable_s3_https_only = var.enable_s3_https_only
  deletion_protection  = var.deletion_protection

  create_queue = !local.use_internal_queue
}
locals {
  # Same test as local.use_external_bucket: a non-empty bucket_name selects
  # the caller-managed bucket, otherwise the module-created one.
  main_bucket_name  = local.use_external_bucket ? var.bucket_name : module.file_storage.bucket_name
  bucket_queue_name = local.use_internal_queue ? null : module.file_storage.bucket_queue_name
}
# VPC, subnets and (optionally) VPC flow logs. The module is instantiated
# unconditionally; when create_vpc is false the locals that follow fall back
# to caller-supplied network IDs.
module "networking" {
  source     = "./modules/networking"
  namespace  = var.namespace
  create_vpc = var.create_vpc

  # Flow logs are the network-level audit trail; keep_flow_log_bucket
  # presumably retains the log bucket on destroy — confirm in the module.
  enable_flow_log      = var.enable_flow_log
  keep_flow_log_bucket = var.keep_flow_log_bucket

  # Address plan
  cidr                      = var.network_cidr
  public_subnet_cidrs       = var.network_public_subnet_cidrs
  private_subnet_cidrs      = var.network_private_subnet_cidrs
  database_subnet_cidrs     = var.network_database_subnet_cidrs
  create_elasticache_subnet = var.create_elasticache
  elasticache_subnet_cidrs  = var.network_elasticache_subnet_cidrs

  clickhouse_endpoint_service_id = var.clickhouse_endpoint_service_id
}
locals {
  # Every network reference resolves to the module output when the VPC is
  # created here, and to the caller's variable otherwise.
  network_id                   = var.create_vpc ? module.networking.vpc_id : var.network_id
  network_private_subnets      = var.create_vpc ? module.networking.private_subnets : var.network_private_subnets
  network_private_subnet_cidrs = var.create_vpc ? module.networking.private_subnet_cidrs : var.network_private_subnet_cidrs

  network_database_subnets = var.create_vpc ? module.networking.database_subnets : var.network_database_subnets
  # tflint-ignore: terraform_unused_declarations
  network_database_subnet_cidrs = var.create_vpc ? module.networking.database_subnet_cidrs : var.network_database_subnet_cidrs

  # A subnet group is only created here for caller-supplied networks; for a
  # module-created VPC the networking module already owns one.
  network_database_create_subnet_group = !var.create_vpc
  network_database_subnet_group_name   = var.create_vpc ? module.networking.database_subnet_group_name : "${var.namespace}-database-subnet"
}
# Gateway endpoint for S3, created only when PrivateLink consumers are
# configured so that bucket traffic stays off the public path.
module "s3_endpoint" {
  source = "./modules/endpoint"
  count  = length(var.private_link_allowed_account_ids) > 0 ? 1 : 0

  service_name           = "com.amazonaws.${data.aws_region.current.name}.s3"
  network_id             = local.network_id
  private_route_table_id = module.networking.private_route_table_ids

  depends_on = [module.networking]
}
# Relational database. Storage and Performance Insights are encrypted with
# the keys resolved above; no password is passed in — the module exposes one
# as an output.
module "database" {
  source    = "./modules/database"
  namespace = var.namespace

  # Encryption
  kms_key_arn                      = local.database_kms_key_arn
  performance_insights_kms_key_arn = local.database_performance_insights_kms_key_arn

  # Engine and sizing
  database_name       = var.database_name
  master_username     = var.database_master_username
  engine_version      = var.database_engine_version
  instance_class      = local.database_instance_class
  sort_buffer_size    = var.database_sort_buffer_size
  snapshot_identifier = var.database_snapshot_identifier
  deletion_protection = var.deletion_protection

  # Placement and reachability: only the private subnet CIDRs are allowed in.
  vpc_id                 = local.network_id
  subnets                = local.network_database_subnets
  create_db_subnet_group = local.network_database_create_subnet_group
  db_subnet_group_name   = local.network_database_subnet_group_name
  allowed_cidr_blocks    = local.network_private_subnet_cidrs
}
locals {
  # A certificate is only requested for public deployments that did not
  # bring their own ACM certificate.
  create_certificate = var.public_access && var.acm_certificate_arn == null
  fqdn               = var.subdomain != null ? "${var.subdomain}.${var.domain_name}" : var.domain_name
}
# Create an SSL certificate if applicable (see local.create_certificate).
# DNS validation uses var.zone_id; apply blocks until validation completes.
module "acm" {
  source  = "terraform-aws-modules/acm/aws"
  version = "~> 3.0"

  create_certificate = local.create_certificate

  domain_name               = var.external_dns ? local.fqdn : var.domain_name
  subject_alternative_names = var.extra_fqdn
  zone_id                   = var.zone_id
  wait_for_validation       = true
}
locals {
  acm_certificate_arn = local.create_certificate ? module.acm.acm_certificate_arn : var.acm_certificate_arn

  # With no certificate at all the application host is advertised over plain
  # HTTP. NOTE(review): the ingress below only opens an HTTPS listener, so
  # confirm the no-certificate case is actually reachable/intended.
  url = local.acm_certificate_arn != null ? "https://${local.fqdn}" : "http://${local.fqdn}"

  # Explicit filter wins when set to anything non-empty.
  domain_filter = var.custom_domain_filter != null && var.custom_domain_filter != "" ? var.custom_domain_filter : local.fqdn
}
# EKS cluster, node groups and managed add-ons for the application.
module "app_eks" {
  source    = "./modules/app_eks"
  namespace = var.namespace
  fqdn      = local.domain_filter

  # Control-plane version and add-on pins
  cluster_version                   = var.eks_cluster_version
  eks_addon_vpc_cni_version         = var.eks_addon_vpc_cni_version
  eks_addon_coredns_version         = var.eks_addon_coredns_version
  eks_addon_kube_proxy_version      = var.eks_addon_kube_proxy_version
  eks_addon_ebs_csi_driver_version  = var.eks_addon_ebs_csi_driver_version
  eks_addon_efs_csi_driver_version  = var.eks_addon_efs_csi_driver_version
  eks_addon_metrics_server_version  = var.eks_addon_metrics_server_version

  # API endpoint exposure: when public access is on, the CIDR list is what
  # limits who can reach the control plane — keep it narrow.
  cluster_endpoint_public_access       = var.kubernetes_public_access
  cluster_endpoint_public_access_cidrs = var.kubernetes_public_access_cidrs

  # Cluster access mappings and extra node policies (passed through as-is).
  map_accounts    = var.kubernetes_map_accounts
  map_roles       = var.kubernetes_map_roles
  map_users       = var.kubernetes_map_users
  eks_policy_arns = var.eks_policy_arns

  # Node sizing and kubelet reservations
  instance_types                      = local.kubernetes_instance_types
  min_nodes                           = local.kubernetes_min_nodes_per_az
  max_nodes                           = local.kubernetes_max_nodes_per_az
  system_reserved_cpu_millicores      = var.system_reserved_cpu_millicores
  system_reserved_memory_megabytes    = var.system_reserved_memory_megabytes
  system_reserved_ephemeral_megabytes = var.system_reserved_ephemeral_megabytes
  system_reserved_pid                 = var.system_reserved_pid

  # Encryption and object-storage access. The caller's bucket key is only
  # added when it is a real ARN; compact() drops the null placeholder.
  kms_key_arn = local.default_kms_key
  bucket_kms_key_arns = compact([
    local.default_kms_key,
    var.bucket_kms_key_arn != null && var.bucket_kms_key_arn != "" ? var.bucket_kms_key_arn : null,
  ])
  bucket_arn           = data.aws_s3_bucket.file_storage.arn
  bucket_sqs_queue_arn = local.use_internal_queue ? null : data.aws_sqs_queue.file_storage[0].arn

  # Network placement and security-group wiring to the LB, DB and cache.
  network_id                        = local.network_id
  network_private_subnets           = local.network_private_subnets
  lb_security_group_inbound_id      = module.app_lb.security_group_inbound_id
  database_security_group_id        = module.database.security_group_id
  create_elasticache_security_group = var.create_elasticache
  elasticache_security_group_id     = var.create_elasticache ? module.redis[0].security_group_id : null

  aws_loadbalancer_controller_tags = var.aws_loadbalancer_controller_tags
}
# Security groups for the application load balancer. The inbound CIDR lists
# are the ingress allow-list; private_endpoint_cidr applies to the
# private-only traffic mode.
module "app_lb" {
  source    = "./modules/app_lb"
  namespace = var.namespace

  network_id                = local.network_id
  allowed_inbound_cidr      = var.allowed_inbound_cidr
  allowed_inbound_ipv6_cidr = var.allowed_inbound_ipv6_cidr

  enable_private_only_traffic = var.private_only_traffic
  private_endpoint_cidr       = var.allowed_private_endpoint_cidr
}
# PrivateLink endpoint service in front of the ALB. allowed_account_ids is
# the trust boundary: only those AWS accounts may connect to the service.
module "private_link" {
  source = "./modules/private_link"
  count  = length(var.private_link_allowed_account_ids) > 0 ? 1 : 0

  namespace           = var.namespace
  allowed_account_ids = var.private_link_allowed_account_ids
  deletion_protection = var.deletion_protection

  vpc_id                  = local.network_id
  network_private_subnets = local.network_private_subnets
  alb_name                = local.lb_name_truncated
  nlb_security_group      = module.app_lb.nlb_security_group

  enable_private_only_traffic = var.private_only_traffic

  depends_on = [module.app_lb]
}
locals {
  # ElastiCache placement, resolved the same way as the database network
  # locals: module outputs for a created VPC, caller variables otherwise.
  network_elasticache_subnets             = var.create_vpc ? module.networking.elasticache_subnets : var.network_elasticache_subnets
  network_elasticache_subnet_cidrs        = var.create_vpc ? module.networking.elasticache_subnet_cidrs : var.network_elasticache_subnet_cidrs
  network_elasticache_subnet_group_name   = var.create_vpc ? module.networking.elasticache_subnet_group_name : "${var.namespace}-elasticache-subnet"
  network_elasticache_create_subnet_group = !var.create_vpc
}
# ElastiCache (Redis), optional. Note that encryption reuses the database
# KMS key rather than a cache-specific one.
module "redis" {
  source = "./modules/redis"
  count  = var.create_elasticache ? 1 : 0

  namespace = var.namespace
  node_type = local.elasticache_node_type

  # Encryption
  kms_key_arn = local.database_kms_key_arn

  # Placement
  vpc_id                    = local.network_id
  redis_subnets             = local.network_elasticache_subnets
  redis_create_subnet_group = local.network_elasticache_create_subnet_group
  redis_subnet_group_name   = local.network_elasticache_subnet_group_name
  vpc_subnets_cidr_blocks   = local.network_elasticache_subnet_cidrs
}
locals {
  # Load balancer names are capped at 32 characters; the namespace is cut so
  # that the fixed "-alb-k8s" suffix still fits.
  max_lb_name_length = 32 - length("-alb-k8s")
  lb_name_truncated  = format("%s-alb-k8s", substr(var.namespace, 0, local.max_lb_name_length))
}
# IAM role for the YACE (CloudWatch exporter) service account, bound to the
# cluster's OIDC provider. Only created when YACE is enabled.
module "iam_role" {
  source = "./modules/iam_role"
  count  = var.enable_yace ? 1 : 0

  namespace    = var.namespace
  yace_sa_name = var.yace_sa_name

  aws_iam_openid_connect_provider_url = module.app_eks.aws_iam_openid_connect_provider
}
locals {
  # Service-account name used as the subject in the wandb internalJWTMap.
  weave_trace_sa_name = "wandb-weave-trace"
}
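# Deploys W&B through the Helm-based module, feeding it the outputs of the
# infrastructure modules above.
module "wandb" {
  source  = "wandb/wandb/helm"
  version = "2.0.0"

  depends_on = [
    module.database,
    module.app_eks,
    module.redis,
  ]

  operator_chart_version = var.operator_chart_version
  controller_image_tag   = var.controller_image_tag
  enable_helm_release    = var.enable_helm_release

  spec = {
    values = {
      global = {
        host          = local.url
        license       = var.license
        cloudProvider = "aws"
        extraEnv      = var.other_wandb_env

        # Caller-managed bucket; an empty map when the module-created one is used.
        bucket = var.bucket_name != "" ? {
          provider = "s3"
          name     = var.bucket_name
          path     = var.bucket_path
          region   = data.aws_s3_bucket.file_storage.region
          kmsKey   = var.bucket_kms_key_arn
        } : {}

        defaultBucket = {
          provider = "s3"
          name     = module.file_storage.bucket_name
          region   = module.file_storage.bucket_region
          kmsKey   = module.kms.key.arn
        }

        # Credentials come straight from the database module's outputs.
        mysql = {
          host     = module.database.endpoint
          password = module.database.password
          user     = module.database.username
          database = module.database.database_name
          port     = module.database.port
        }

        # module.redis has count 0 when create_elasticache is false, so the
        # index is only taken when the instance exists (same guard app_eks
        # uses). The connection string pins tls=true.
        # NOTE(review): with create_elasticache = false no Redis endpoint is
        # supplied and the chart's redis subchart is disabled below — confirm
        # an external Redis is configured some other way in that case.
        redis = var.create_elasticache ? {
          host = module.redis[0].host
          port = "${module.redis[0].port}?tls=true&ttlInSeconds=604800"
        } : {}
      }

      ingress = {
        class = "alb"
        # An empty host entry is appended when PrivateLink consumers are
        # configured; presumably so the rule also matches requests that arrive
        # through the endpoint without the public hostname — confirm.
        additionalHosts = concat(var.extra_fqdn, length(var.private_link_allowed_account_ids) > 0 ? [""] : [])
        annotations = merge({
          "alb.ingress.kubernetes.io/load-balancer-name" = local.lb_name_truncated
          # Source allow-list for the ALB listener, joined with the escaped
          # comma the controller expects.
          "alb.ingress.kubernetes.io/inbound-cidrs" = <<-EOF
            ${join("\\,", var.allowed_inbound_cidr)}
          EOF
          "external-dns.alpha.kubernetes.io/ingress-hostname-source" = "annotation-only"
          # Internet-facing vs internal is the deployment's exposure choice.
          "alb.ingress.kubernetes.io/scheme"      = var.kubernetes_alb_internet_facing ? "internet-facing" : "internal"
          "alb.ingress.kubernetes.io/target-type" = "ip"
          # Only 443 is opened; there is no plaintext listener.
          "alb.ingress.kubernetes.io/listen-ports"    = "[{\\\"HTTPS\\\": 443}]"
          "alb.ingress.kubernetes.io/certificate-arn" = local.acm_certificate_arn
        },
        length(var.extra_fqdn) > 0 ? {
          "external-dns.alpha.kubernetes.io/hostname" = <<-EOF
            ${local.fqdn}\,${join("\\,", var.extra_fqdn)}\,${local.fqdn}
          EOF
        } : {
          "external-dns.alpha.kubernetes.io/hostname" = local.fqdn
        },
        length(var.kubernetes_alb_subnets) > 0 ? {
          "alb.ingress.kubernetes.io/subnets" = <<-EOF
            ${join("\\,", var.kubernetes_alb_subnets)}
          EOF
        } : {})
      }

      app = {
        # Maps the weave-trace service-account subject to the cluster OIDC issuer.
        internalJWTMap = [
          {
            "subject" = "system:serviceaccount:default:${local.weave_trace_sa_name}",
            "issuer"  = var.kubernetes_cluster_oidc_issuer_url
          }
        ]
      }

      console = {
        extraEnv = {
          # Set to the EKS node role ARN.
          "BUCKET_ACCESS_IDENTITY" = module.app_eks.node_role.arn
        }
      }

      # To support otel rds and redis metrics, we need operator-wandb chart min version 0.13.8 (yace subchart)
      yace = var.enable_yace ? {
        install = true
        regions = [data.aws_region.current.name]
        # Standard IRSA annotation pointing at the iam_role module's role.
        serviceAccount = { annotations = { "eks.amazonaws.com/role-arn" = module.iam_role[0].role_arn } }
        searchTags = {
          "Namespace" = var.namespace
        }
      } : {
        install        = false
        regions        = []
        serviceAccount = {}
        searchTags     = {}
      }

      # Bundled subcharts are disabled; RDS and ElastiCache are used instead.
      mysql = { install = false }
      redis = { install = false }

      weave = {
        persistence = {
          provider = "efs"
          efs = {
            fileSystemId = module.app_eks.efs_id
          }
        }
        extraEnv = var.weave_wandb_env
      }

      parquet = {
        extraEnv = var.parquet_wandb_env
      }
    }
  }
}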
# State migration: file_storage used to be a counted module instance.
moved {
  from = module.file_storage[0]
  to   = module.file_storage
}