
nuxeo stack without any modules yet

Roberto Barbosa 9 år sedan
förälder
incheckning
61b0ded402
7 ändrade filer med 278 tillägg och 103 borttagningar
  1. 1 1
      example/customer.tf
  2. 12 3
      main.tf
  3. 264 30
      nuxeo/main.tf
  4. 0 10
      nuxeo/outputs.tf
  5. 0 57
      nuxeo/variables.tf
  6. 0 1
      sec-groups/main.tf
  7. 1 1
      vpc/main.tf

+ 1 - 1
example/customer.tf

@@ -7,7 +7,7 @@ provider "aws" {
 
 module "nuxeo" {
 	
-        source	             = "github.com/nuxeo/cloud-aws-stack/nuxeo"
+        source	             = "../nuxeo"
         environment          = "prod"
         name                 = "customer"
         vpc_id               = "vpc-id"
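Review bot: The example still passes `environment` and `vpc_id` to the `nuxeo` module, but this commit deletes `nuxeo/variables.tf` (which declared both) and the rewritten `nuxeo/main.tf` declares only `name`, `region`, `vpc`, `public_subnets`, `private_subnets`, `azs`, the two `*_propagating_vgws` and `ssl_certificate_id`; Terraform will reject the unknown inputs, so the example should pass `vpc = "vpc-id"` and `region = "…"` (constructed placeholder) and drop `environment` unless that variable is reintroduced. The rest of the module block lies outside the hunk, so any other arguments it passes should be checked against the same list. Pointing `source` at `../nuxeo` also means the example only resolves from inside a checkout of this repository, which is worth stating in a comment above the block.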

+ 12 - 3
main.tf

@@ -18,10 +18,19 @@ module "defaults" {
   cidr   = "${var.cidr}"
 }
 
-module "vpc" {
-  source             = "./vpc"
+#module "vpc" {
+#  source             = "./vpc"
+#  name               = "${var.name}"
+#  cidr               = "${var.cidr}"
+#  internal_subnets   = "${var.internal_subnets}"
+#  external_subnets   = "${var.external_subnets}"
+#  availability_zones = "${var.availability_zones}"
+#  environment        = "${var.environment}"
+#}
+module "subnets" {
+  source             = "./subnets"
   name               = "${var.name}"
-  cidr               = "${var.cidr}"
+  vpc_id             = "${var.cidr}"
   internal_subnets   = "${var.internal_subnets}"
   external_subnets   = "${var.external_subnets}"
   availability_zones = "${var.availability_zones}"
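Review bot: `vpc_id = "${var.cidr}"` in the new `subnets` module block hands the VPC's CIDR range to an argument named for a VPC identifier; the removed `vpc` module consumed `var.cidr` as `cidr`, and a subnets module needs the actual VPC id, so this should be a dedicated input such as `vpc_id = "${var.vpc_id}"` (with a matching `variable "vpc_id"` in this file) or the output of whatever creates the VPC. The `./subnets` directory is not among the seven files in this commit, so the names it expects cannot be checked here — confirm that `internal_subnets`, `external_subnets` and `availability_zones` are what it declares. The old `vpc` module is left as nine commented-out lines rather than deleted, which keeps a second copy of the same argument list to drift; git history already preserves it. The `subnets` module block continues past the end of the hunk.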

+ 264 - 30
nuxeo/main.tf

@@ -1,33 +1,193 @@
-/**
- *
- * Usage:
- *
- *      module "nuxeo" {
- *        source               = "github.com/nuxeo/stack/nuxeo-cluster"
- *        environment          = "prod"
- *        name                 = "cdn"
- *        vpc_id               = "vpc-id"
- *        image_id             = "ami-id"
- *        subnet_ids           = ["1" ,"2"]
- *        key_name             = "ssh-key"
- *        security_groups      = "1,2"
- *        region               = "us-west-2"
- *        availability_zones   = ["a", "b"]
- *        instance_type        = "t2.small"
- *      }
- *
- */
-
-resource "aws_security_group" "cluster" {
-  name        = "${var.name}-nuxeo-cluster"
-  vpc_id      = "${var.vpc_id}"
-  description = "Allows traffic from and to the EC2 instances of the ${var.name} Nuxeo cluster"
+/*
+* 1) Create Public Subnet with a /24 size (HA: create one in at least 3 different availability zones)
+* 2) Create a NAT Gateway in one of the Public Subnets
+* 3) Create a Route with the Internet Gateway as default route, associate it with the Public Subnet(s)
+* 4) Create a Route with the NAT Gateway as default route, *that should be associated to all Private Subnets when they are created*
+* 5) Create a Security Group for Bastion Hosts that accepts SSH from anywhere
+* 6) Create a Security Group for ELBs that accepts HTTP and HTTPS from anywhere
+* 7) Create a Bastion Host with bastion host SG associated to ti, install NTP and Userify on it
+*/
 
+#-------------------
+# VARIABLES
+#-------------------
+variable "name" {}
+variable "region" {}
+variable "vpc" {}
+
+variable "public_subnets" {
+  description = "A list of public subnets inside the VPC."
+  default     = ["10.0.10.0/24"]
+}
+
+variable "private_subnets" {
+  description = "A list of private subnets inside the VPC."
+  default     = ["10.0.11.0/24","10.0.12.0/24","10.0.13.0/24"]
+}
+
+variable "azs" {
+  description = "A list of Availability zones in the region"
+  default     = ["a","b","c"]
+}
+
+variable "enable_nat_gateway" {
+  description = "should be true if you want to provision NAT Gateways for each of your private networks"
+  default     = false
+}
+variable "private_propagating_vgws" {
+  description = "A list of VGWs the private route table should propagate."
+  default     = []
+}
+
+variable "public_propagating_vgws" {
+  description = "A list of VGWs the public route table should propagate."
+  default     = []
+}
+
+variable "ssl_certificate_id" {
+  description = "SSL Certificate ID on AWS for nuxeocloud.com"
+  default = "ASCAI627UM4G2NSLWDTMM"
+}
+
+#-------------
+# CREATE SUBNETS 
+#-------------
+resource "aws_subnet" "private" {
+  vpc_id            = "${var.vpc}"
+  cidr_block        = "${var.private_subnets[count.index]}"
+  availability_zone = "${var.azs[count.index]}"
+  count             = "${length(var.private_subnets)}"
+
+  tags {
+    Name = "${var.name}-subnet-private-${var.region}${element(var.azs, count.index)}"
+  }
+}
+
+resource "aws_subnet" "public" {
+  vpc_id            = "${var.vpc}"
+  cidr_block        = "${var.public_subnets[count.index]}"
+  availability_zone = "${var.azs[count.index]}"
+  count             = "${length(var.public_subnets)}"
+
+  tags {
+    Name = "${var.name}-subnet-public-${var.region}${element(var.azs, count.index)}"
+  }
+
+  map_public_ip_on_launch = "true"
+}
+
+#-------------
+# CREATE NAT GATEWAY
+#-------------
+# > Create EIP to associate to NAT GW
+resource "aws_eip" "nateip" {
+  vpc   = true
+  count = "${length(var.private_subnets) * lookup(map(var.enable_nat_gateway, 1), "true", 0)}"
+}
+
+# > Create NAT GW
+resource "aws_nat_gateway" "natgw" {
+  allocation_id = "${element(aws_eip.nateip.*.id, count.index)}"
+  subnet_id     = "${element(aws_subnet.public.*.id, count.index)}"
+  count         = "${length(var.private_subnets) * lookup(map(var.enable_nat_gateway, 1), "true", 0)}"
+
+  depends_on = ["aws_internet_gateway.igw"]
+}
+
+# > Create IGW
+resource "aws_internet_gateway" "igw" {
+  vpc_id = "${var.vpc}"
+
+  tags {
+    Name = "${var.name}-igw"
+  }
+}
+
+#-------------
+# CREATE ROUTES
+#-------------
+
+# > Route Tables
+
+# >> Route Table for Public Subnets
+resource "aws_route_table" "public" {
+  vpc_id           = "${var.vpc}"
+  propagating_vgws = ["${var.public_propagating_vgws}"]
+
+  tags {
+    Name = "${var.name}-rt-public"
+  }
+}
+
+# >> Route Table for Private Subnets
+resource "aws_route_table" "private" {
+  vpc_id           = "${var.vpc}"
+  propagating_vgws = ["${var.private_propagating_vgws}"]
+  count            = "${length(var.private_subnets)}"
+
+  tags {
+    Name = "${var.name}-rt-private-${element(var.azs, count.index)}"
+  }
+}
+
+
+# > Routes
+# >> Route for IGW
+resource "aws_route" "public_internet_gateway" {
+  route_table_id         = "${aws_route_table.public.id}"
+  destination_cidr_block = "0.0.0.0/0"
+  gateway_id             = "${aws_internet_gateway.igw.id}"
+}
+
+# Route for NAT GW
+resource "aws_route" "private_nat_gateway" {
+  route_table_id         = "${element(aws_route_table.private.*.id, count.index)}"
+  destination_cidr_block = "0.0.0.0/0"
+  nat_gateway_id         = "${element(aws_nat_gateway.natgw.*.id, count.index)}"
+  count                  = "${length(var.private_subnets) * lookup(map(var.enable_nat_gateway, 1), "true", 0)}"
+}
+
+# > Associations
+# >> for Private Subnets
+resource "aws_route_table_association" "private" {
+  count          = "${length(var.private_subnets)}"
+  subnet_id      = "${element(aws_subnet.private.*.id, count.index)}"
+  route_table_id = "${element(aws_route_table.private.*.id, count.index)}"
+}
+
+# >> for Public Subnets
+resource "aws_route_table_association" "public" {
+  count          = "${length(var.public_subnets)}"
+  subnet_id      = "${element(aws_subnet.public.*.id, count.index)}"
+  route_table_id = "${aws_route_table.public.id}"
+}
+
+#-------------------
+# Security Groups
+#-------------------
+resource "aws_security_group" "sg_external_elb" {
+  name        = "${format("%s-sg-external-elb", var.name)}"
+  vpc_id      = "${var.vpc}"
+  description = "Allows external ELB traffic"
+
+  ingress {
+    from_port   = 80
+    to_port     = 80
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
   ingress {
-    from_port       = 0
-    to_port         = 0
-    protocol        = -1
-    security_groups = ["${split(",", var.security_groups)}"]
+    from_port   = 8080
+    to_port     = 8080
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  ingress {
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
   }
 
   egress {
@@ -37,13 +197,87 @@ resource "aws_security_group" "cluster" {
     cidr_blocks = ["0.0.0.0/0"]
   }
 
+  lifecycle {
+    create_before_destroy = true
+  }
+
   tags {
-    Name        = "Nuxeo cluster (${var.name})"
-    Environment = "${var.environment}"
+    Name        = "${format("%s external elb", var.name)}"
+  }
+}
+
+resource "aws_security_group" "external_ssh" {
+  name        = "${format("%s-sg-external-ssh", var.name)}"
+  description = "Allows ssh from the world"
+  vpc_id      = "${var.vpc}"
+
+  ingress {
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
   }
 
   lifecycle {
     create_before_destroy = true
   }
+
+  tags {
+    Name        = "${format("%s external ssh", var.name)}"
+  }
 }
 
+
+#-------------------
+# ELB
+#-------------------
+resource "aws_elb" "elb" {
+  name = "elb-${var.name}"
+
+  internal                  = true
+  cross_zone_load_balancing = true
+  subnets                   = ["${aws_subnet.public.id}"]
+  security_groups 	    = ["${aws_security_group.sg_external_elb.id}"]
+
+  idle_timeout                = 30
+  connection_draining         = true
+  connection_draining_timeout = 15
+
+  listener {
+    lb_port           = 80
+    lb_protocol       = "http"
+    instance_port     = 80
+    instance_protocol = "http"
+  }
+
+  listener {
+    lb_port           = 443
+    lb_protocol       = "https"
+    instance_port     = 80
+    instance_protocol = "http"
+    ssl_certificate_id = "${var.ssl_certificate_id}"
+  }
+
+  health_check {
+    healthy_threshold   = 2
+    unhealthy_threshold = 2
+    timeout             = 5
+    target              = "TCP:8080"
+    interval            = 30
+  }
+
+#  access_logs {
+#    bucket = "${var.log_bucket}"
+#  }
+
+  tags {
+    Name        = "elb-${var.name}"
+  }
+}

+ 0 - 10
nuxeo/outputs.tf

@@ -1,10 +0,0 @@
-// The cluster name, e.g cdn
-output "name" {
-  value = "${var.name}"
-}
-
-// The cluster security group ID.
-output "security_group_id" {
-  value = "${aws_security_group.cluster.id}"
-}
-

+ 0 - 57
nuxeo/variables.tf

@@ -1,57 +0,0 @@
-variable "name" {
-  description = "The cluster name, e.g cdn"
-}
-
-variable "environment" {
-  description = "Environment tag, e.g prod"
-}
-
-variable "vpc_id" {
-  description = "VPC ID"
-}
-
-variable "image_id" {
-  description = "AMI Image ID"
-}
-
-variable "subnet_ids" {
-  description = "List of subnet IDs"
-  type        = "list"
-}
-
-variable "key_name" {
-  description = "SSH key name to use"
-}
-
-variable "security_groups" {
-  description = "Comma separated list of security groups"
-}
-
-
-variable "region" {
-  description = "AWS Region"
-}
-
-variable "availability_zones" {
-  description = "List of AZs"
-  type        = "list"
-}
-
-variable "instance_type" {
-  description = "The instance type to use, e.g t2.small"
-}
-
-variable "instance_ebs_optimized" {
-  description = "When set to true the instance will be launched with EBS optimized turned on"
-  default     = true
-}
-
-variable "associate_public_ip_address" {
-  description = "Should created instances be publicly accessible (if the SG allows)"
-  default = false
-}
-
-variable "root_volume_size" {
-  description = "Root volume size in GB"
-  default     = 25
-}

+ 0 - 1
sec-groups/main.tf

@@ -1,4 +1,3 @@
-
 resource "aws_security_group" "internal_elb" {
   name        = "${format("%s-%s-internal-elb", var.name, var.environment)}"
   vpc_id      = "${var.vpc_id}"

+ 1 - 1
vpc/main.tf

@@ -1,5 +1,5 @@
 /**
- * VPC
+ * VPC 
  */
 resource "aws_vpc" "main" {
   cidr_block           = "${var.cidr}"