Forte/launchpad
6
0
Fork 0
Code Issues Pull Requests Actions Packages Wiki Activity

strip cluster bootstraps
All checks were successful
AI Code Review / ai-review (pull_request) Successful in 59s
Details

Browse Source
This commit is contained in:
Danijel Simeunovic
2026-04-27 21:34:11 +02:00
parent 0353803d4f
commit 96dde22884
42 changed files with 65 additions and 2338 deletions
Download Patch File Download Diff File Expand all files Collapse all files

498
.tofu/platforms/eks/modules/cluster/main.tf
View File

@@ -29,7 +29,7 @@ resource "aws_subnet" "public" {
})
}
# Private subnets (one per AZ) — for EKS nodes, RDS, ElastiCache
# Private subnets (one per AZ) — for EKS nodes
resource "aws_subnet" "private" {
count = length(var.availability_zones)
vpc_id = aws_vpc.main.id
@@ -91,62 +91,6 @@ resource "aws_route_table_association" "private" {
route_table_id = aws_route_table.private.id
}
# ─── Security Groups ──────────────────────────────────────────────────
resource "aws_security_group" "rds" {
name_prefix = "${var.prefix}-rds-"
description = "Allow PostgreSQL access from within VPC"
vpc_id = aws_vpc.main.id
ingress {
description = "PostgreSQL from VPC"
from_port = 5432
to_port = 5432
protocol = "tcp"
cidr_blocks = [var.vpc_cidr]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
tags = merge(var.tags, { Name = "${var.prefix}-rds-sg" })
lifecycle {
create_before_destroy = true
}
}
resource "aws_security_group" "redis" {
name_prefix = "${var.prefix}-redis-"
description = "Allow Redis access from within VPC"
vpc_id = aws_vpc.main.id
ingress {
description = "Redis from VPC"
from_port = 6379
to_port = 6379
protocol = "tcp"
cidr_blocks = [var.vpc_cidr]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
tags = merge(var.tags, { Name = "${var.prefix}-redis-sg" })
lifecycle {
create_before_destroy = true
}
}
# ─── EKS Cluster ──────────────────────────────────────────────────────
resource "aws_iam_role" "eks_cluster" {
@@ -261,443 +205,3 @@ resource "aws_eks_node_group" "main" {
aws_iam_role_policy_attachment.eks_ecr_readonly,
]
}
# ─── RDS PostgreSQL ────────────────────────────────────────────────────
#
# NOTE: RDS doesn't support Terraform-managed local user creation.
# Create users post-provision via psql:
# kubectl run pg-init --rm -it --image=postgres:16 -- psql -h <rds_endpoint> -U pgadmin
resource "aws_db_subnet_group" "main" {
name_prefix = "${var.prefix}-pg-"
subnet_ids = aws_subnet.private[*].id
tags = merge(var.tags, { Name = "${var.prefix}-pg-subnet-group" })
}
resource "random_password" "pg_admin" {
length = 32
special = false
}
resource "random_password" "pg_keycloak" {
length = 32
special = false
}
resource "random_password" "pg_gitlab" {
length = 32
special = false
}
resource "aws_db_instance" "main" {
identifier = "${var.prefix}-postgresql"
engine = "postgres"
engine_version = "16"
instance_class = var.rds_instance_class
allocated_storage = var.rds_allocated_storage
storage_type = "gp3"
storage_encrypted = true
db_name = "postgres"
username = "pgadmin"
password = random_password.pg_admin.result
db_subnet_group_name = aws_db_subnet_group.main.name
vpc_security_group_ids = [aws_security_group.rds.id]
multi_az = var.rds_multi_az
deletion_protection = var.enable_deletion_protection
skip_final_snapshot = !var.enable_deletion_protection
tags = var.tags
}
# ─── ElastiCache Redis ────────────────────────────────────────────────
#
# In-VPC Redis with no TLS/auth — security via security group (VPC-only access).
# For production, consider enabling transit_encryption_enabled + auth_token.
resource "aws_elasticache_subnet_group" "main" {
name_prefix = "${var.prefix}-redis-"
subnet_ids = aws_subnet.private[*].id
tags = var.tags
}
resource "aws_elasticache_replication_group" "main" {
replication_group_id = "${var.prefix}-redis"
description = "Redis for DevHub ${var.prefix}"
node_type = var.redis_node_type
num_cache_clusters = var.redis_num_cache_clusters
automatic_failover_enabled = var.redis_automatic_failover
engine_version = "7.0"
port = 6379
subnet_group_name = aws_elasticache_subnet_group.main.name
security_group_ids = [aws_security_group.redis.id]
at_rest_encryption_enabled = true
tags = var.tags
}
# ─── S3 Buckets (GitLab Object Storage) ──────────────────────────────
#
# GitLab supports S3 natively — no shim needed.
# IRSA (IAM Role for Service Accounts) provides keyless access.
# NOTE: S3 bucket names are globally unique. Adjust var.prefix if conflicts arise.
locals {
s3_bucket_prefix = "${var.prefix}-gitlab"
}
resource "aws_s3_bucket" "gitlab_artifacts" {
bucket = "${local.s3_bucket_prefix}-artifacts"
force_destroy = true
tags = var.tags
}
resource "aws_s3_bucket" "gitlab_uploads" {
bucket = "${local.s3_bucket_prefix}-uploads"
force_destroy = true
tags = var.tags
}
resource "aws_s3_bucket" "gitlab_packages" {
bucket = "${local.s3_bucket_prefix}-packages"
force_destroy = true
tags = var.tags
}
resource "aws_s3_bucket" "gitlab_lfs" {
bucket = "${local.s3_bucket_prefix}-lfs"
force_destroy = true
tags = var.tags
}
resource "aws_s3_bucket" "gitlab_registry" {
bucket = "${local.s3_bucket_prefix}-registry"
force_destroy = true
tags = var.tags
}
resource "aws_s3_bucket" "gitlab_backups" {
bucket = "${local.s3_bucket_prefix}-backups"
force_destroy = true
tags = var.tags
}
# Block public access on all GitLab buckets
resource "aws_s3_bucket_public_access_block" "gitlab_artifacts" {
bucket = aws_s3_bucket.gitlab_artifacts.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}
resource "aws_s3_bucket_public_access_block" "gitlab_uploads" {
bucket = aws_s3_bucket.gitlab_uploads.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}
resource "aws_s3_bucket_public_access_block" "gitlab_packages" {
bucket = aws_s3_bucket.gitlab_packages.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}
resource "aws_s3_bucket_public_access_block" "gitlab_lfs" {
bucket = aws_s3_bucket.gitlab_lfs.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}
resource "aws_s3_bucket_public_access_block" "gitlab_registry" {
bucket = aws_s3_bucket.gitlab_registry.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}
resource "aws_s3_bucket_public_access_block" "gitlab_backups" {
bucket = aws_s3_bucket.gitlab_backups.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}
# Server-side encryption for all buckets
resource "aws_s3_bucket_server_side_encryption_configuration" "gitlab_artifacts" {
bucket = aws_s3_bucket.gitlab_artifacts.id
rule { apply_server_side_encryption_by_default { sse_algorithm = "AES256" } }
}
resource "aws_s3_bucket_server_side_encryption_configuration" "gitlab_uploads" {
bucket = aws_s3_bucket.gitlab_uploads.id
rule { apply_server_side_encryption_by_default { sse_algorithm = "AES256" } }
}
resource "aws_s3_bucket_server_side_encryption_configuration" "gitlab_packages" {
bucket = aws_s3_bucket.gitlab_packages.id
rule { apply_server_side_encryption_by_default { sse_algorithm = "AES256" } }
}
resource "aws_s3_bucket_server_side_encryption_configuration" "gitlab_lfs" {
bucket = aws_s3_bucket.gitlab_lfs.id
rule { apply_server_side_encryption_by_default { sse_algorithm = "AES256" } }
}
resource "aws_s3_bucket_server_side_encryption_configuration" "gitlab_registry" {
bucket = aws_s3_bucket.gitlab_registry.id
rule { apply_server_side_encryption_by_default { sse_algorithm = "AES256" } }
}
resource "aws_s3_bucket_server_side_encryption_configuration" "gitlab_backups" {
bucket = aws_s3_bucket.gitlab_backups.id
rule { apply_server_side_encryption_by_default { sse_algorithm = "AES256" } }
}
# ─── Cognito User Pool (IdP for Keycloak) ────────────────────────────
#
# Keycloak federates with Cognito — users authenticate via "Sign in with AWS"
# through Keycloak, which remains the single OIDC issuer for all services.
#
# Three Cognito groups map to Keycloak groups via setup-keycloak.sh IdP mappers.
# The token's `cognito:groups` claim is an array — assign users to Cognito groups
# in the AWS console or via `aws cognito-idp admin-add-user-to-group`.
#
# NOTE: var.cognito_domain_prefix must be globally unique across ALL AWS accounts.
resource "aws_cognito_user_pool" "main" {
name = "${var.prefix}-devhub"
username_attributes = ["email"]
auto_verified_attributes = ["email"]
admin_create_user_config {
allow_admin_create_user_only = true # admins create users; disable for self-signup
}
password_policy {
minimum_length = 12
require_lowercase = true
require_numbers = true
require_symbols = false
require_uppercase = true
temporary_password_validity_days = 7
}
schema {
attribute_data_type = "String"
name = "email"
required = true
mutable = true
string_attribute_constraints {
min_length = 5
max_length = 254
}
}
tags = var.tags
}
resource "aws_cognito_user_pool_client" "keycloak_idp" {
name = "${var.prefix}-keycloak-idp"
user_pool_id = aws_cognito_user_pool.main.id
generate_secret = true
prevent_user_existence_errors = "ENABLED"
allowed_oauth_flows_user_pool_client = true
allowed_oauth_flows = ["code"]
allowed_oauth_scopes = ["openid", "email", "profile"]
supported_identity_providers = ["COGNITO"]
# Placeholder redirect URI — updated by setup-keycloak.sh via AWS CLI
callback_urls = ["https://placeholder.invalid/realms/devops/broker/aws-cognito/endpoint"]
refresh_token_validity = 30
access_token_validity = 60
id_token_validity = 60
token_validity_units {
refresh_token = "days"
access_token = "minutes"
id_token = "minutes"
}
}
resource "aws_cognito_user_pool_domain" "main" {
# Must be globally unique. Customize var.cognito_domain_prefix to avoid conflicts.
domain = var.cognito_domain_prefix
user_pool_id = aws_cognito_user_pool.main.id
}
# Cognito groups — assign users to these groups to grant platform access.
# The token's `cognito:groups` claim maps to Keycloak groups via IdP mappers.
resource "aws_cognito_user_group" "devops_admins" {
name = "devops-admins"
user_pool_id = aws_cognito_user_pool.main.id
description = "Full access to DevOps platform administration"
}
resource "aws_cognito_user_group" "developers" {
name = "developers"
user_pool_id = aws_cognito_user_pool.main.id
description = "Developer access to DevOps platform services"
}
resource "aws_cognito_user_group" "viewers" {
name = "viewers"
user_pool_id = aws_cognito_user_pool.main.id
description = "Read-only access to DevOps platform services"
}
# ─── IRSA for GitLab ─────────────────────────────────────────────────
#
# Allows GitLab pods (webservice, sidekiq) to access S3 without explicit
# AWS credentials. The K8s service account "gitlab" in the "gitlab" namespace
# exchanges its projected OIDC token for temporary AWS credentials.
data "aws_iam_policy_document" "gitlab_assume_role" {
statement {
effect = "Allow"
principals {
type = "Federated"
identifiers = [aws_iam_openid_connect_provider.eks.arn]
}
actions = ["sts:AssumeRoleWithWebIdentity"]
condition {
test = "StringEquals"
variable = "${replace(aws_iam_openid_connect_provider.eks.url, "https://", "")}:sub"
values = ["system:serviceaccount:gitlab:gitlab"]
}
condition {
test = "StringEquals"
variable = "${replace(aws_iam_openid_connect_provider.eks.url, "https://", "")}:aud"
values = ["sts.amazonaws.com"]
}
}
}
resource "aws_iam_role" "gitlab_irsa" {
name_prefix = "${var.prefix}-gitlab-irsa-"
assume_role_policy = data.aws_iam_policy_document.gitlab_assume_role.json
tags = var.tags
}
data "aws_iam_policy_document" "gitlab_s3" {
statement {
effect = "Allow"
actions = [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
"s3:ListMultipartUploadParts",
"s3:AbortMultipartUpload",
]
resources = [
"${aws_s3_bucket.gitlab_artifacts.arn}/*",
"${aws_s3_bucket.gitlab_uploads.arn}/*",
"${aws_s3_bucket.gitlab_packages.arn}/*",
"${aws_s3_bucket.gitlab_lfs.arn}/*",
"${aws_s3_bucket.gitlab_registry.arn}/*",
"${aws_s3_bucket.gitlab_backups.arn}/*",
]
}
statement {
effect = "Allow"
actions = ["s3:ListBucket"]
resources = [
aws_s3_bucket.gitlab_artifacts.arn,
aws_s3_bucket.gitlab_uploads.arn,
aws_s3_bucket.gitlab_packages.arn,
aws_s3_bucket.gitlab_lfs.arn,
aws_s3_bucket.gitlab_registry.arn,
aws_s3_bucket.gitlab_backups.arn,
]
}
}
resource "aws_iam_role_policy" "gitlab_s3" {
name_prefix = "${var.prefix}-gitlab-s3-"
role = aws_iam_role.gitlab_irsa.id
policy = data.aws_iam_policy_document.gitlab_s3.json
}
# ─── External-DNS IRSA ───────────────────────────────────────────────
# Allows external-dns to manage Route53 records for the cluster's domain.
# The K8s service account "external-dns/external-dns" assumes this role via IRSA.
data "aws_route53_zone" "main" {
name = var.domain
private_zone = false
}
data "aws_iam_policy_document" "external_dns_assume_role" {
statement {
effect = "Allow"
principals {
type = "Federated"
identifiers = [aws_iam_openid_connect_provider.eks.arn]
}
actions = ["sts:AssumeRoleWithWebIdentity"]
condition {
test = "StringEquals"
variable = "${replace(aws_iam_openid_connect_provider.eks.url, "https://", "")}:sub"
values = ["system:serviceaccount:external-dns:external-dns"]
}
condition {
test = "StringEquals"
variable = "${replace(aws_iam_openid_connect_provider.eks.url, "https://", "")}:aud"
values = ["sts.amazonaws.com"]
}
}
}
resource "aws_iam_role" "external_dns_irsa" {
name_prefix = "${var.prefix}-external-dns-irsa-"
assume_role_policy = data.aws_iam_policy_document.external_dns_assume_role.json
tags = var.tags
}
data "aws_iam_policy_document" "external_dns_route53" {
statement {
effect = "Allow"
actions = ["route53:ChangeResourceRecordSets"]
resources = ["arn:aws:route53:::hostedzone/${data.aws_route53_zone.main.zone_id}"]
}
statement {
effect = "Allow"
actions = ["route53:ListHostedZones", "route53:ListResourceRecordSets", "route53:ListTagsForResource"]
resources = ["*"]
}
}
resource "aws_iam_role_policy" "external_dns_route53" {
name_prefix = "${var.prefix}-external-dns-route53-"
role = aws_iam_role.external_dns_irsa.id
policy = data.aws_iam_policy_document.external_dns_route53.json
}