Forte/launchpad
6
0
Fork 0
Code Issues Pull Requests Actions Packages Wiki Activity

tofu setup

Browse Source
This commit is contained in:
Danijel Simeunovic
2026-04-27 21:00:07 +02:00
parent 7132f5000e
commit d3690d0597
63 changed files with 4809 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
.tofu/platforms/eks/dev/main.tf Normal file
View File

@@ -0,0 +1,39 @@
module "cluster" {
source = "../modules/cluster"
region = var.region
prefix = "devhub-dev"
# VPC
availability_zones = ["${var.region}a", "${var.region}b"]
# EKS — small dev nodes
node_instance_type = "t3.medium"
node_count = 2
node_min_count = 1
node_max_count = 4
kubernetes_version = "1.30"
# RDS — small burstable tier for dev
rds_instance_class = "db.t3.micro"
rds_allocated_storage = 20
rds_multi_az = false
# ElastiCache — small single node for dev
redis_node_type = "cache.t3.micro"
redis_num_cache_clusters = 1
redis_automatic_failover = false
# DNS — must match an existing Route53 hosted zone
domain = "dev.example.com" # TODO: set to your actual domain
# Cognito — domain prefix must be globally unique
cognito_domain_prefix = "devhub-dev-devhub" # TODO: customize to avoid conflicts
enable_deletion_protection = false
tags = {
Environment = "dev"
ManagedBy = "tofu"
}
}

17
.tofu/platforms/eks/dev/outputs.tf Normal file
View File

@@ -0,0 +1,17 @@
output "cluster_name" { value = module.cluster.cluster_name }
output "aws_region" { value = module.cluster.aws_region }
output "pg_host" { value = module.cluster.pg_host }
output "pg_port" { value = module.cluster.pg_port }
output "pg_admin_login" { value = module.cluster.pg_admin_login }
output "pg_admin_password" { value = module.cluster.pg_admin_password; sensitive = true }
output "pg_keycloak_password" { value = module.cluster.pg_keycloak_password; sensitive = true }
output "pg_gitlab_password" { value = module.cluster.pg_gitlab_password; sensitive = true }
output "redis_host" { value = module.cluster.redis_host }
output "redis_port" { value = module.cluster.redis_port }
output "gitlab_s3_bucket_prefix" { value = module.cluster.gitlab_s3_bucket_prefix }
output "gitlab_irsa_role_arn" { value = module.cluster.gitlab_irsa_role_arn }
output "cognito_user_pool_id" { value = module.cluster.cognito_user_pool_id }
output "cognito_issuer_url" { value = module.cluster.cognito_issuer_url }
output "cognito_hosted_ui_domain" { value = module.cluster.cognito_hosted_ui_domain }
output "cognito_client_id" { value = module.cluster.cognito_client_id }
output "cognito_client_secret" { value = module.cluster.cognito_client_secret; sensitive = true }

28
.tofu/platforms/eks/dev/providers.tf Normal file
View File

@@ -0,0 +1,28 @@
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5.0"
}
tls = {
source = "hashicorp/tls"
version = "~> 4.0"
}
random = {
source = "hashicorp/random"
version = "~> 3.0"
}
}
}
# Authentication: set AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN
# or configure an AWS profile: export AWS_PROFILE=devhub
provider "aws" {
region = var.region
}
variable "region" {
description = "AWS region for dev environment"
type = string
default = "eu-west-1"
}

703
.tofu/platforms/eks/modules/cluster/main.tf Normal file
View File

@@ -0,0 +1,703 @@
# ─── VPC ──────────────────────────────────────────────────────────────
resource "aws_vpc" "main" {
cidr_block = var.vpc_cidr
enable_dns_hostnames = true
enable_dns_support = true
tags = merge(var.tags, { Name = "${var.prefix}-vpc" })
}
resource "aws_internet_gateway" "main" {
vpc_id = aws_vpc.main.id
tags = merge(var.tags, { Name = "${var.prefix}-igw" })
}
# Public subnets (one per AZ) — for NAT gateways and load balancers
resource "aws_subnet" "public" {
count = length(var.availability_zones)
vpc_id = aws_vpc.main.id
cidr_block = cidrsubnet(var.vpc_cidr, 4, count.index)
availability_zone = var.availability_zones[count.index]
map_public_ip_on_launch = true
tags = merge(var.tags, {
Name = "${var.prefix}-public-${count.index + 1}"
"kubernetes.io/cluster/${var.prefix}-eks" = "shared"
"kubernetes.io/role/elb" = "1"
})
}
# Private subnets (one per AZ) — for EKS nodes, RDS, ElastiCache
resource "aws_subnet" "private" {
count = length(var.availability_zones)
vpc_id = aws_vpc.main.id
cidr_block = cidrsubnet(var.vpc_cidr, 4, count.index + length(var.availability_zones))
availability_zone = var.availability_zones[count.index]
tags = merge(var.tags, {
Name = "${var.prefix}-private-${count.index + 1}"
"kubernetes.io/cluster/${var.prefix}-eks" = "shared"
"kubernetes.io/role/internal-elb" = "1"
})
}
# NAT Gateway (single, in first public subnet — use one per AZ for prod HA)
resource "aws_eip" "nat" {
domain = "vpc"
tags = merge(var.tags, { Name = "${var.prefix}-nat-eip" })
}
resource "aws_nat_gateway" "main" {
allocation_id = aws_eip.nat.id
subnet_id = aws_subnet.public[0].id
tags = merge(var.tags, { Name = "${var.prefix}-nat" })
depends_on = [aws_internet_gateway.main]
}
resource "aws_route_table" "public" {
vpc_id = aws_vpc.main.id
route {
cidr_block = "0.0.0.0/0"
gateway_id = aws_internet_gateway.main.id
}
tags = merge(var.tags, { Name = "${var.prefix}-public-rt" })
}
resource "aws_route_table_association" "public" {
count = length(var.availability_zones)
subnet_id = aws_subnet.public[count.index].id
route_table_id = aws_route_table.public.id
}
resource "aws_route_table" "private" {
vpc_id = aws_vpc.main.id
route {
cidr_block = "0.0.0.0/0"
nat_gateway_id = aws_nat_gateway.main.id
}
tags = merge(var.tags, { Name = "${var.prefix}-private-rt" })
}
resource "aws_route_table_association" "private" {
count = length(var.availability_zones)
subnet_id = aws_subnet.private[count.index].id
route_table_id = aws_route_table.private.id
}
# ─── Security Groups ──────────────────────────────────────────────────
resource "aws_security_group" "rds" {
name_prefix = "${var.prefix}-rds-"
description = "Allow PostgreSQL access from within VPC"
vpc_id = aws_vpc.main.id
ingress {
description = "PostgreSQL from VPC"
from_port = 5432
to_port = 5432
protocol = "tcp"
cidr_blocks = [var.vpc_cidr]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
tags = merge(var.tags, { Name = "${var.prefix}-rds-sg" })
lifecycle {
create_before_destroy = true
}
}
resource "aws_security_group" "redis" {
name_prefix = "${var.prefix}-redis-"
description = "Allow Redis access from within VPC"
vpc_id = aws_vpc.main.id
ingress {
description = "Redis from VPC"
from_port = 6379
to_port = 6379
protocol = "tcp"
cidr_blocks = [var.vpc_cidr]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
tags = merge(var.tags, { Name = "${var.prefix}-redis-sg" })
lifecycle {
create_before_destroy = true
}
}
# ─── EKS Cluster ──────────────────────────────────────────────────────
resource "aws_iam_role" "eks_cluster" {
name_prefix = "${var.prefix}-eks-cluster-"
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [{
Action = "sts:AssumeRole"
Effect = "Allow"
Principal = { Service = "eks.amazonaws.com" }
}]
})
tags = var.tags
}
resource "aws_iam_role_policy_attachment" "eks_cluster_policy" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
role = aws_iam_role.eks_cluster.name
}
resource "aws_eks_cluster" "main" {
name = "${var.prefix}-eks"
role_arn = aws_iam_role.eks_cluster.arn
version = var.kubernetes_version
vpc_config {
subnet_ids = concat(aws_subnet.private[*].id, aws_subnet.public[*].id)
endpoint_private_access = true
endpoint_public_access = true
}
# Enable OIDC issuer for IRSA (IAM Roles for Service Accounts)
access_config {
authentication_mode = "API_AND_CONFIG_MAP"
}
tags = var.tags
depends_on = [aws_iam_role_policy_attachment.eks_cluster_policy]
}
# OIDC provider — required for IRSA (IAM Roles for Service Accounts)
data "tls_certificate" "eks" {
url = aws_eks_cluster.main.identity[0].oidc[0].issuer
}
resource "aws_iam_openid_connect_provider" "eks" {
client_id_list = ["sts.amazonaws.com"]
thumbprint_list = [data.tls_certificate.eks.certificates[0].sha1_fingerprint]
url = aws_eks_cluster.main.identity[0].oidc[0].issuer
tags = var.tags
}
# EKS Node Group
resource "aws_iam_role" "eks_nodes" {
name_prefix = "${var.prefix}-eks-nodes-"
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [{
Action = "sts:AssumeRole"
Effect = "Allow"
Principal = { Service = "ec2.amazonaws.com" }
}]
})
tags = var.tags
}
resource "aws_iam_role_policy_attachment" "eks_worker_node_policy" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
role = aws_iam_role.eks_nodes.name
}
resource "aws_iam_role_policy_attachment" "eks_cni_policy" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
role = aws_iam_role.eks_nodes.name
}
resource "aws_iam_role_policy_attachment" "eks_ecr_readonly" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
role = aws_iam_role.eks_nodes.name
}
resource "aws_eks_node_group" "main" {
cluster_name = aws_eks_cluster.main.name
node_group_name = "${var.prefix}-nodes"
node_role_arn = aws_iam_role.eks_nodes.arn
subnet_ids = aws_subnet.private[*].id
instance_types = [var.node_instance_type]
scaling_config {
desired_size = var.node_count
max_size = var.node_max_count
min_size = var.node_min_count
}
update_config {
max_unavailable = 1
}
tags = var.tags
depends_on = [
aws_iam_role_policy_attachment.eks_worker_node_policy,
aws_iam_role_policy_attachment.eks_cni_policy,
aws_iam_role_policy_attachment.eks_ecr_readonly,
]
}
# ─── RDS PostgreSQL ────────────────────────────────────────────────────
#
# NOTE: RDS doesn't support Terraform-managed local user creation.
# Create users post-provision via psql:
# kubectl run pg-init --rm -it --image=postgres:16 -- psql -h <rds_endpoint> -U pgadmin
resource "aws_db_subnet_group" "main" {
name_prefix = "${var.prefix}-pg-"
subnet_ids = aws_subnet.private[*].id
tags = merge(var.tags, { Name = "${var.prefix}-pg-subnet-group" })
}
resource "random_password" "pg_admin" {
length = 32
special = false
}
resource "random_password" "pg_keycloak" {
length = 32
special = false
}
resource "random_password" "pg_gitlab" {
length = 32
special = false
}
resource "aws_db_instance" "main" {
identifier = "${var.prefix}-postgresql"
engine = "postgres"
engine_version = "16"
instance_class = var.rds_instance_class
allocated_storage = var.rds_allocated_storage
storage_type = "gp3"
storage_encrypted = true
db_name = "postgres"
username = "pgadmin"
password = random_password.pg_admin.result
db_subnet_group_name = aws_db_subnet_group.main.name
vpc_security_group_ids = [aws_security_group.rds.id]
multi_az = var.rds_multi_az
deletion_protection = var.enable_deletion_protection
skip_final_snapshot = !var.enable_deletion_protection
tags = var.tags
}
# ─── ElastiCache Redis ────────────────────────────────────────────────
#
# In-VPC Redis with no TLS/auth — security via security group (VPC-only access).
# For production, consider enabling transit_encryption_enabled + auth_token.
resource "aws_elasticache_subnet_group" "main" {
name_prefix = "${var.prefix}-redis-"
subnet_ids = aws_subnet.private[*].id
tags = var.tags
}
resource "aws_elasticache_replication_group" "main" {
replication_group_id = "${var.prefix}-redis"
description = "Redis for DevHub ${var.prefix}"
node_type = var.redis_node_type
num_cache_clusters = var.redis_num_cache_clusters
automatic_failover_enabled = var.redis_automatic_failover
engine_version = "7.0"
port = 6379
subnet_group_name = aws_elasticache_subnet_group.main.name
security_group_ids = [aws_security_group.redis.id]
at_rest_encryption_enabled = true
tags = var.tags
}
# ─── S3 Buckets (GitLab Object Storage) ──────────────────────────────
#
# GitLab supports S3 natively — no shim needed.
# IRSA (IAM Role for Service Accounts) provides keyless access.
# NOTE: S3 bucket names are globally unique. Adjust var.prefix if conflicts arise.
locals {
s3_bucket_prefix = "${var.prefix}-gitlab"
}
resource "aws_s3_bucket" "gitlab_artifacts" {
bucket = "${local.s3_bucket_prefix}-artifacts"
force_destroy = true
tags = var.tags
}
resource "aws_s3_bucket" "gitlab_uploads" {
bucket = "${local.s3_bucket_prefix}-uploads"
force_destroy = true
tags = var.tags
}
resource "aws_s3_bucket" "gitlab_packages" {
bucket = "${local.s3_bucket_prefix}-packages"
force_destroy = true
tags = var.tags
}
resource "aws_s3_bucket" "gitlab_lfs" {
bucket = "${local.s3_bucket_prefix}-lfs"
force_destroy = true
tags = var.tags
}
resource "aws_s3_bucket" "gitlab_registry" {
bucket = "${local.s3_bucket_prefix}-registry"
force_destroy = true
tags = var.tags
}
resource "aws_s3_bucket" "gitlab_backups" {
bucket = "${local.s3_bucket_prefix}-backups"
force_destroy = true
tags = var.tags
}
# Block public access on all GitLab buckets
resource "aws_s3_bucket_public_access_block" "gitlab_artifacts" {
bucket = aws_s3_bucket.gitlab_artifacts.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}
resource "aws_s3_bucket_public_access_block" "gitlab_uploads" {
bucket = aws_s3_bucket.gitlab_uploads.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}
resource "aws_s3_bucket_public_access_block" "gitlab_packages" {
bucket = aws_s3_bucket.gitlab_packages.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}
resource "aws_s3_bucket_public_access_block" "gitlab_lfs" {
bucket = aws_s3_bucket.gitlab_lfs.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}
resource "aws_s3_bucket_public_access_block" "gitlab_registry" {
bucket = aws_s3_bucket.gitlab_registry.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}
resource "aws_s3_bucket_public_access_block" "gitlab_backups" {
bucket = aws_s3_bucket.gitlab_backups.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}
# Server-side encryption for all buckets
resource "aws_s3_bucket_server_side_encryption_configuration" "gitlab_artifacts" {
bucket = aws_s3_bucket.gitlab_artifacts.id
rule { apply_server_side_encryption_by_default { sse_algorithm = "AES256" } }
}
resource "aws_s3_bucket_server_side_encryption_configuration" "gitlab_uploads" {
bucket = aws_s3_bucket.gitlab_uploads.id
rule { apply_server_side_encryption_by_default { sse_algorithm = "AES256" } }
}
resource "aws_s3_bucket_server_side_encryption_configuration" "gitlab_packages" {
bucket = aws_s3_bucket.gitlab_packages.id
rule { apply_server_side_encryption_by_default { sse_algorithm = "AES256" } }
}
resource "aws_s3_bucket_server_side_encryption_configuration" "gitlab_lfs" {
bucket = aws_s3_bucket.gitlab_lfs.id
rule { apply_server_side_encryption_by_default { sse_algorithm = "AES256" } }
}
resource "aws_s3_bucket_server_side_encryption_configuration" "gitlab_registry" {
bucket = aws_s3_bucket.gitlab_registry.id
rule { apply_server_side_encryption_by_default { sse_algorithm = "AES256" } }
}
resource "aws_s3_bucket_server_side_encryption_configuration" "gitlab_backups" {
bucket = aws_s3_bucket.gitlab_backups.id
rule { apply_server_side_encryption_by_default { sse_algorithm = "AES256" } }
}
# ─── Cognito User Pool (IdP for Keycloak) ────────────────────────────
#
# Keycloak federates with Cognito — users authenticate via "Sign in with AWS"
# through Keycloak, which remains the single OIDC issuer for all services.
#
# Three Cognito groups map to Keycloak groups via setup-keycloak.sh IdP mappers.
# The token's `cognito:groups` claim is an array — assign users to Cognito groups
# in the AWS console or via `aws cognito-idp admin-add-user-to-group`.
#
# NOTE: var.cognito_domain_prefix must be globally unique across ALL AWS accounts.
resource "aws_cognito_user_pool" "main" {
name = "${var.prefix}-devhub"
username_attributes = ["email"]
auto_verified_attributes = ["email"]
admin_create_user_config {
allow_admin_create_user_only = true # admins create users; disable for self-signup
}
password_policy {
minimum_length = 12
require_lowercase = true
require_numbers = true
require_symbols = false
require_uppercase = true
temporary_password_validity_days = 7
}
schema {
attribute_data_type = "String"
name = "email"
required = true
mutable = true
string_attribute_constraints {
min_length = 5
max_length = 254
}
}
tags = var.tags
}
resource "aws_cognito_user_pool_client" "keycloak_idp" {
name = "${var.prefix}-keycloak-idp"
user_pool_id = aws_cognito_user_pool.main.id
generate_secret = true
prevent_user_existence_errors = "ENABLED"
allowed_oauth_flows_user_pool_client = true
allowed_oauth_flows = ["code"]
allowed_oauth_scopes = ["openid", "email", "profile"]
supported_identity_providers = ["COGNITO"]
# Placeholder redirect URI — updated by setup-keycloak.sh via AWS CLI
callback_urls = ["https://placeholder.invalid/realms/devops/broker/aws-cognito/endpoint"]
refresh_token_validity = 30
access_token_validity = 60
id_token_validity = 60
token_validity_units {
refresh_token = "days"
access_token = "minutes"
id_token = "minutes"
}
}
resource "aws_cognito_user_pool_domain" "main" {
# Must be globally unique. Customize var.cognito_domain_prefix to avoid conflicts.
domain = var.cognito_domain_prefix
user_pool_id = aws_cognito_user_pool.main.id
}
# Cognito groups — assign users to these groups to grant platform access.
# The token's `cognito:groups` claim maps to Keycloak groups via IdP mappers.
resource "aws_cognito_user_group" "devops_admins" {
name = "devops-admins"
user_pool_id = aws_cognito_user_pool.main.id
description = "Full access to DevOps platform administration"
}
resource "aws_cognito_user_group" "developers" {
name = "developers"
user_pool_id = aws_cognito_user_pool.main.id
description = "Developer access to DevOps platform services"
}
resource "aws_cognito_user_group" "viewers" {
name = "viewers"
user_pool_id = aws_cognito_user_pool.main.id
description = "Read-only access to DevOps platform services"
}
# ─── IRSA for GitLab ─────────────────────────────────────────────────
#
# Allows GitLab pods (webservice, sidekiq) to access S3 without explicit
# AWS credentials. The K8s service account "gitlab" in the "gitlab" namespace
# exchanges its projected OIDC token for temporary AWS credentials.
data "aws_iam_policy_document" "gitlab_assume_role" {
statement {
effect = "Allow"
principals {
type = "Federated"
identifiers = [aws_iam_openid_connect_provider.eks.arn]
}
actions = ["sts:AssumeRoleWithWebIdentity"]
condition {
test = "StringEquals"
variable = "${replace(aws_iam_openid_connect_provider.eks.url, "https://", "")}:sub"
values = ["system:serviceaccount:gitlab:gitlab"]
}
condition {
test = "StringEquals"
variable = "${replace(aws_iam_openid_connect_provider.eks.url, "https://", "")}:aud"
values = ["sts.amazonaws.com"]
}
}
}
resource "aws_iam_role" "gitlab_irsa" {
name_prefix = "${var.prefix}-gitlab-irsa-"
assume_role_policy = data.aws_iam_policy_document.gitlab_assume_role.json
tags = var.tags
}
data "aws_iam_policy_document" "gitlab_s3" {
statement {
effect = "Allow"
actions = [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
"s3:ListMultipartUploadParts",
"s3:AbortMultipartUpload",
]
resources = [
"${aws_s3_bucket.gitlab_artifacts.arn}/*",
"${aws_s3_bucket.gitlab_uploads.arn}/*",
"${aws_s3_bucket.gitlab_packages.arn}/*",
"${aws_s3_bucket.gitlab_lfs.arn}/*",
"${aws_s3_bucket.gitlab_registry.arn}/*",
"${aws_s3_bucket.gitlab_backups.arn}/*",
]
}
statement {
effect = "Allow"
actions = ["s3:ListBucket"]
resources = [
aws_s3_bucket.gitlab_artifacts.arn,
aws_s3_bucket.gitlab_uploads.arn,
aws_s3_bucket.gitlab_packages.arn,
aws_s3_bucket.gitlab_lfs.arn,
aws_s3_bucket.gitlab_registry.arn,
aws_s3_bucket.gitlab_backups.arn,
]
}
}
resource "aws_iam_role_policy" "gitlab_s3" {
name_prefix = "${var.prefix}-gitlab-s3-"
role = aws_iam_role.gitlab_irsa.id
policy = data.aws_iam_policy_document.gitlab_s3.json
}
# ─── External-DNS IRSA ───────────────────────────────────────────────
# Allows external-dns to manage Route53 records for the cluster's domain.
# The K8s service account "external-dns/external-dns" assumes this role via IRSA.
data "aws_route53_zone" "main" {
name = var.domain
private_zone = false
}
data "aws_iam_policy_document" "external_dns_assume_role" {
statement {
effect = "Allow"
principals {
type = "Federated"
identifiers = [aws_iam_openid_connect_provider.eks.arn]
}
actions = ["sts:AssumeRoleWithWebIdentity"]
condition {
test = "StringEquals"
variable = "${replace(aws_iam_openid_connect_provider.eks.url, "https://", "")}:sub"
values = ["system:serviceaccount:external-dns:external-dns"]
}
condition {
test = "StringEquals"
variable = "${replace(aws_iam_openid_connect_provider.eks.url, "https://", "")}:aud"
values = ["sts.amazonaws.com"]
}
}
}
resource "aws_iam_role" "external_dns_irsa" {
name_prefix = "${var.prefix}-external-dns-irsa-"
assume_role_policy = data.aws_iam_policy_document.external_dns_assume_role.json
tags = var.tags
}
data "aws_iam_policy_document" "external_dns_route53" {
statement {
effect = "Allow"
actions = ["route53:ChangeResourceRecordSets"]
resources = ["arn:aws:route53:::hostedzone/${data.aws_route53_zone.main.zone_id}"]
}
statement {
effect = "Allow"
actions = ["route53:ListHostedZones", "route53:ListResourceRecordSets", "route53:ListTagsForResource"]
resources = ["*"]
}
}
resource "aws_iam_role_policy" "external_dns_route53" {
name_prefix = "${var.prefix}-external-dns-route53-"
role = aws_iam_role.external_dns_irsa.id
policy = data.aws_iam_policy_document.external_dns_route53.json
}

110
.tofu/platforms/eks/modules/cluster/outputs.tf Normal file
View File

@@ -0,0 +1,110 @@
# ─── Cluster ─────────────────────────────────────────────────────────
output "cluster_name" {
description = "EKS cluster name"
value = aws_eks_cluster.main.name
}
output "aws_region" {
description = "AWS region"
value = var.region
}
# ─── PostgreSQL ───────────────────────────────────────────────────────
output "pg_host" {
description = "RDS PostgreSQL endpoint (private, reachable from EKS)"
value = aws_db_instance.main.address
}
output "pg_port" {
description = "PostgreSQL port"
value = aws_db_instance.main.port
}
output "pg_admin_login" {
description = "RDS administrator login"
value = aws_db_instance.main.username
}
output "pg_admin_password" {
description = "RDS administrator password"
value = random_password.pg_admin.result
sensitive = true
}
output "pg_keycloak_password" {
description = "Pre-generated password for keycloak DB user — create user post-provision"
value = random_password.pg_keycloak.result
sensitive = true
}
output "pg_gitlab_password" {
description = "Pre-generated password for gitlab DB user — create user post-provision"
value = random_password.pg_gitlab.result
sensitive = true
}
# ─── Redis ────────────────────────────────────────────────────────────
output "redis_host" {
description = "ElastiCache Redis primary endpoint"
value = aws_elasticache_replication_group.main.primary_endpoint_address
}
output "redis_port" {
description = "ElastiCache Redis port"
value = aws_elasticache_replication_group.main.port
}
# ─── S3 ──────────────────────────────────────────────────────────────
output "gitlab_s3_bucket_prefix" {
description = "S3 bucket name prefix — buckets are {prefix}-artifacts, {prefix}-uploads, etc."
value = local.s3_bucket_prefix
}
output "aws_region_output" {
description = "AWS region (for S3 connection config)"
value = var.region
}
# ─── IRSA ────────────────────────────────────────────────────────────
output "gitlab_irsa_role_arn" {
description = "IAM Role ARN for GitLab IRSA — annotate the K8s service account with this value"
value = aws_iam_role.gitlab_irsa.arn
}
output "external_dns_irsa_role_arn" {
description = "IAM Role ARN for external-dns IRSA — written to config.yaml by sync-tofu-outputs.sh"
value = aws_iam_role.external_dns_irsa.arn
}
# ─── Cognito ─────────────────────────────────────────────────────────
output "cognito_user_pool_id" {
description = "Cognito User Pool ID"
value = aws_cognito_user_pool.main.id
}
output "cognito_issuer_url" {
description = "Cognito OIDC issuer URL — used in Keycloak IdP config"
value = "https://cognito-idp.${var.region}.amazonaws.com/${aws_cognito_user_pool.main.id}"
}
output "cognito_hosted_ui_domain" {
description = "Cognito hosted UI domain (for auth/token endpoints)"
value = "${aws_cognito_user_pool_domain.main.domain}.auth.${var.region}.amazoncognito.com"
}
output "cognito_client_id" {
description = "Cognito app client ID for the Keycloak IdP"
value = aws_cognito_user_pool_client.keycloak_idp.id
}
output "cognito_client_secret" {
description = "Cognito app client secret for the Keycloak IdP"
value = aws_cognito_user_pool_client.keycloak_idp.client_secret
sensitive = true
}

16
.tofu/platforms/eks/modules/cluster/providers.tf Normal file
View File

@@ -0,0 +1,16 @@
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5.0"
}
tls = {
source = "hashicorp/tls"
version = "~> 4.0"
}
random = {
source = "hashicorp/random"
version = "~> 3.0"
}
}
}

119
.tofu/platforms/eks/modules/cluster/variables.tf Normal file
View File

@@ -0,0 +1,119 @@
# ─── Region ──────────────────────────────────────────────────────────
variable "region" {
description = "AWS region (e.g., eu-west-1, us-east-1)"
type = string
}
variable "prefix" {
description = "Prefix for resource names (e.g., devhub-dev)"
type = string
}
# ─── Networking ───────────────────────────────────────────────────────
variable "vpc_cidr" {
description = "VPC CIDR block"
type = string
default = "10.100.0.0/16"
}
variable "availability_zones" {
description = "List of AZs for subnets (23 recommended)"
type = list(string)
}
# ─── EKS Cluster ─────────────────────────────────────────────────────
variable "node_instance_type" {
description = "EKS node instance type (e.g., t3.medium, m5.xlarge)"
type = string
}
variable "node_count" {
description = "Desired number of EKS worker nodes"
type = number
}
variable "node_min_count" {
description = "Minimum number of EKS worker nodes"
type = number
default = 1
}
variable "node_max_count" {
description = "Maximum number of EKS worker nodes"
type = number
}
variable "kubernetes_version" {
description = "Kubernetes version for EKS (e.g., \"1.30\")"
type = string
default = "1.30"
}
variable "enable_deletion_protection" {
description = "Enable deletion protection on stateful resources (RDS)"
type = bool
default = false
}
# ─── RDS (PostgreSQL) ────────────────────────────────────────────────
variable "rds_instance_class" {
description = "RDS instance class (e.g., db.t3.micro, db.r5.large)"
type = string
}
variable "rds_allocated_storage" {
description = "RDS allocated storage in GB"
type = number
default = 20
}
variable "rds_multi_az" {
description = "Enable RDS Multi-AZ deployment"
type = bool
default = false
}
# ─── ElastiCache (Redis) ──────────────────────────────────────────────
variable "redis_node_type" {
description = "ElastiCache node type (e.g., cache.t3.micro, cache.r5.large)"
type = string
}
variable "redis_num_cache_clusters" {
description = "Number of Redis cache clusters (1 = single, 2 = primary+replica)"
type = number
default = 1
}
variable "redis_automatic_failover" {
description = "Enable automatic Redis failover (requires num_cache_clusters >= 2)"
type = bool
default = false
}
# ─── DNS ─────────────────────────────────────────────────────────────
variable "domain" {
description = "Public domain name for the cluster (e.g., dev.example.com) — must have an existing Route53 hosted zone"
type = string
}
# ─── Cognito (IdP for Keycloak) ───────────────────────────────────────
variable "cognito_domain_prefix" {
description = "Cognito hosted UI domain prefix — must be globally unique across all AWS accounts"
type = string
}
# ─── Tags ─────────────────────────────────────────────────────────────
variable "tags" {
description = "Tags applied to all resources"
type = map(string)
default = {}
}

39
.tofu/platforms/eks/prod/main.tf Normal file
View File

@@ -0,0 +1,39 @@
module "cluster" {
source = "../modules/cluster"
region = var.region
prefix = "devhub"
# VPC
availability_zones = ["${var.region}a", "${var.region}b", "${var.region}c"]
# EKS — general-purpose nodes for production
node_instance_type = "m5.xlarge"
node_count = 3
node_min_count = 3
node_max_count = 6
kubernetes_version = "1.30"
# RDS — larger instance with Multi-AZ for production
rds_instance_class = "db.r5.large"
rds_allocated_storage = 100
rds_multi_az = true
# ElastiCache — larger instance with replica for production
redis_node_type = "cache.r5.large"
redis_num_cache_clusters = 2
redis_automatic_failover = true
# DNS — must match an existing Route53 hosted zone
domain = "example.com" # TODO: set to your actual domain
# Cognito — domain prefix must be globally unique
cognito_domain_prefix = "devhub-prod-devhub" # TODO: customize to avoid conflicts
enable_deletion_protection = true
tags = {
Environment = "prod"
ManagedBy = "tofu"
}
}

17
.tofu/platforms/eks/prod/outputs.tf Normal file
View File

@@ -0,0 +1,17 @@
output "cluster_name" { value = module.cluster.cluster_name }
output "aws_region" { value = module.cluster.aws_region }
output "pg_host" { value = module.cluster.pg_host }
output "pg_port" { value = module.cluster.pg_port }
output "pg_admin_login" { value = module.cluster.pg_admin_login }
output "pg_admin_password" { value = module.cluster.pg_admin_password; sensitive = true }
output "pg_keycloak_password" { value = module.cluster.pg_keycloak_password; sensitive = true }
output "pg_gitlab_password" { value = module.cluster.pg_gitlab_password; sensitive = true }
output "redis_host" { value = module.cluster.redis_host }
output "redis_port" { value = module.cluster.redis_port }
output "gitlab_s3_bucket_prefix" { value = module.cluster.gitlab_s3_bucket_prefix }
output "gitlab_irsa_role_arn" { value = module.cluster.gitlab_irsa_role_arn }
output "cognito_user_pool_id" { value = module.cluster.cognito_user_pool_id }
output "cognito_issuer_url" { value = module.cluster.cognito_issuer_url }
output "cognito_hosted_ui_domain" { value = module.cluster.cognito_hosted_ui_domain }
output "cognito_client_id" { value = module.cluster.cognito_client_id }
output "cognito_client_secret" { value = module.cluster.cognito_client_secret; sensitive = true }

26
.tofu/platforms/eks/prod/providers.tf Normal file
View File

@@ -0,0 +1,26 @@
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5.0"
}
tls = {
source = "hashicorp/tls"
version = "~> 4.0"
}
random = {
source = "hashicorp/random"
version = "~> 3.0"
}
}
}
provider "aws" {
region = var.region
}
variable "region" {
description = "AWS region for prod environment"
type = string
default = "eu-west-1"
}

339
.tofu/platforms/eks/workload/main.tf Normal file
View File

@@ -0,0 +1,339 @@
# =============================================================================
# AWS Workload Cluster
# =============================================================================
# A lean EKS cluster for running application workloads. No managed data
# services — those live on the platform cluster. ArgoCD (on the platform
# cluster) deploys apps to this cluster via the app-of-apps pattern.
#
# Platform components deployed by deploy-workload.sh:
# nginx-ingress, cert-manager, external-dns, external-secrets, alloy
#
# Usage:
# tofu init && tofu plan && tofu apply
# ./sync-tofu-outputs.sh --env aws-workload
# ./deploy-workload.sh --env aws-workload
# =============================================================================
variable "prefix" {
description = "Prefix for resource names (e.g., devhub-workload)"
type = string
default = "devhub-workload"
}
variable "availability_zones" {
description = "List of AZs for subnets"
type = list(string)
default = ["eu-west-1a", "eu-west-1b"]
}
variable "vpc_cidr" {
description = "VPC CIDR block"
type = string
default = "10.110.0.0/16"
}
variable "node_instance_type" {
description = "EKS node instance type"
type = string
default = "t3.medium"
}
variable "node_count" {
description = "Desired number of EKS worker nodes"
type = number
default = 2
}
variable "node_min_count" {
description = "Minimum number of EKS worker nodes"
type = number
default = 1
}
variable "node_max_count" {
description = "Maximum number of EKS worker nodes"
type = number
default = 4
}
variable "kubernetes_version" {
description = "Kubernetes version for EKS"
type = string
default = "1.30"
}
variable "domain" {
description = "Public domain name — must have an existing Route53 hosted zone"
type = string
}
variable "tags" {
description = "Tags applied to all resources"
type = map(string)
default = {
Environment = "workload"
ManagedBy = "tofu"
}
}
# ─── VPC ──────────────────────────────────────────────────────────────
resource "aws_vpc" "main" {
cidr_block = var.vpc_cidr
enable_dns_hostnames = true
enable_dns_support = true
tags = merge(var.tags, { Name = "${var.prefix}-vpc" })
}
resource "aws_internet_gateway" "main" {
vpc_id = aws_vpc.main.id
tags = merge(var.tags, { Name = "${var.prefix}-igw" })
}
resource "aws_subnet" "public" {
count = length(var.availability_zones)
vpc_id = aws_vpc.main.id
cidr_block = cidrsubnet(var.vpc_cidr, 4, count.index)
availability_zone = var.availability_zones[count.index]
map_public_ip_on_launch = true
tags = merge(var.tags, {
Name = "${var.prefix}-public-${count.index + 1}"
"kubernetes.io/cluster/${var.prefix}-eks" = "shared"
"kubernetes.io/role/elb" = "1"
})
}
resource "aws_subnet" "private" {
count = length(var.availability_zones)
vpc_id = aws_vpc.main.id
cidr_block = cidrsubnet(var.vpc_cidr, 4, count.index + length(var.availability_zones))
availability_zone = var.availability_zones[count.index]
tags = merge(var.tags, {
Name = "${var.prefix}-private-${count.index + 1}"
"kubernetes.io/cluster/${var.prefix}-eks" = "shared"
"kubernetes.io/role/internal-elb" = "1"
})
}
resource "aws_eip" "nat" {
domain = "vpc"
tags = merge(var.tags, { Name = "${var.prefix}-nat-eip" })
}
resource "aws_nat_gateway" "main" {
allocation_id = aws_eip.nat.id
subnet_id = aws_subnet.public[0].id
tags = merge(var.tags, { Name = "${var.prefix}-nat" })
depends_on = [aws_internet_gateway.main]
}
resource "aws_route_table" "public" {
vpc_id = aws_vpc.main.id
route {
cidr_block = "0.0.0.0/0"
gateway_id = aws_internet_gateway.main.id
}
tags = merge(var.tags, { Name = "${var.prefix}-public-rt" })
}
resource "aws_route_table_association" "public" {
count = length(var.availability_zones)
subnet_id = aws_subnet.public[count.index].id
route_table_id = aws_route_table.public.id
}
resource "aws_route_table" "private" {
vpc_id = aws_vpc.main.id
route {
cidr_block = "0.0.0.0/0"
nat_gateway_id = aws_nat_gateway.main.id
}
tags = merge(var.tags, { Name = "${var.prefix}-private-rt" })
}
resource "aws_route_table_association" "private" {
count = length(var.availability_zones)
subnet_id = aws_subnet.private[count.index].id
route_table_id = aws_route_table.private.id
}
# ─── EKS Cluster ──────────────────────────────────────────────────────
resource "aws_iam_role" "eks_cluster" {
name_prefix = "${var.prefix}-eks-cluster-"
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [{
Action = "sts:AssumeRole"
Effect = "Allow"
Principal = { Service = "eks.amazonaws.com" }
}]
})
tags = var.tags
}
resource "aws_iam_role_policy_attachment" "eks_cluster_policy" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
role = aws_iam_role.eks_cluster.name
}
resource "aws_eks_cluster" "main" {
name = "${var.prefix}-eks"
role_arn = aws_iam_role.eks_cluster.arn
version = var.kubernetes_version
vpc_config {
subnet_ids = concat(aws_subnet.private[*].id, aws_subnet.public[*].id)
endpoint_private_access = true
endpoint_public_access = true
}
access_config {
authentication_mode = "API_AND_CONFIG_MAP"
}
tags = var.tags
depends_on = [aws_iam_role_policy_attachment.eks_cluster_policy]
}
# OIDC provider — required for IRSA
data "tls_certificate" "eks" {
url = aws_eks_cluster.main.identity[0].oidc[0].issuer
}
resource "aws_iam_openid_connect_provider" "eks" {
client_id_list = ["sts.amazonaws.com"]
thumbprint_list = [data.tls_certificate.eks.certificates[0].sha1_fingerprint]
url = aws_eks_cluster.main.identity[0].oidc[0].issuer
tags = var.tags
}
resource "aws_iam_role" "eks_nodes" {
name_prefix = "${var.prefix}-eks-nodes-"
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [{
Action = "sts:AssumeRole"
Effect = "Allow"
Principal = { Service = "ec2.amazonaws.com" }
}]
})
tags = var.tags
}
resource "aws_iam_role_policy_attachment" "eks_worker_node_policy" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
role = aws_iam_role.eks_nodes.name
}
resource "aws_iam_role_policy_attachment" "eks_cni_policy" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
role = aws_iam_role.eks_nodes.name
}
resource "aws_iam_role_policy_attachment" "eks_ecr_readonly" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
role = aws_iam_role.eks_nodes.name
}
resource "aws_eks_node_group" "main" {
cluster_name = aws_eks_cluster.main.name
node_group_name = "${var.prefix}-nodes"
node_role_arn = aws_iam_role.eks_nodes.arn
subnet_ids = aws_subnet.private[*].id
instance_types = [var.node_instance_type]
scaling_config {
desired_size = var.node_count
max_size = var.node_max_count
min_size = var.node_min_count
}
update_config {
max_unavailable = 1
}
tags = var.tags
depends_on = [
aws_iam_role_policy_attachment.eks_worker_node_policy,
aws_iam_role_policy_attachment.eks_cni_policy,
aws_iam_role_policy_attachment.eks_ecr_readonly,
]
}
# ─── External-DNS IRSA ───────────────────────────────────────────────
# Allows external-dns to manage Route53 records for app ingresses.
data "aws_route53_zone" "main" {
name = var.domain
private_zone = false
}
data "aws_iam_policy_document" "external_dns_assume_role" {
statement {
effect = "Allow"
principals {
type = "Federated"
identifiers = [aws_iam_openid_connect_provider.eks.arn]
}
actions = ["sts:AssumeRoleWithWebIdentity"]
condition {
test = "StringEquals"
variable = "${replace(aws_iam_openid_connect_provider.eks.url, "https://", "")}:sub"
values = ["system:serviceaccount:external-dns:external-dns"]
}
condition {
test = "StringEquals"
variable = "${replace(aws_iam_openid_connect_provider.eks.url, "https://", "")}:aud"
values = ["sts.amazonaws.com"]
}
}
}
resource "aws_iam_role" "external_dns_irsa" {
name_prefix = "${var.prefix}-external-dns-irsa-"
assume_role_policy = data.aws_iam_policy_document.external_dns_assume_role.json
tags = var.tags
}
data "aws_iam_policy_document" "external_dns_route53" {
statement {
effect = "Allow"
actions = ["route53:ChangeResourceRecordSets"]
resources = ["arn:aws:route53:::hostedzone/${data.aws_route53_zone.main.zone_id}"]
}
statement {
effect = "Allow"
actions = ["route53:ListHostedZones", "route53:ListResourceRecordSets", "route53:ListTagsForResource"]
resources = ["*"]
}
}
resource "aws_iam_role_policy" "external_dns_route53" {
name_prefix = "${var.prefix}-external-dns-route53-"
role = aws_iam_role.external_dns_irsa.id
policy = data.aws_iam_policy_document.external_dns_route53.json
}

3
.tofu/platforms/eks/workload/outputs.tf Normal file
View File

@@ -0,0 +1,3 @@
output "cluster_name" { value = aws_eks_cluster.main.name }
output "aws_region" { value = var.region }
output "external_dns_irsa_role_arn" { value = aws_iam_role.external_dns_irsa.arn }

24
.tofu/platforms/eks/workload/providers.tf Normal file
View File

@@ -0,0 +1,24 @@
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5.0"
}
tls = {
source = "hashicorp/tls"
version = "~> 4.0"
}
}
}
# Authentication: set AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN
# or configure an AWS profile: export AWS_PROFILE=devhub
provider "aws" {
region = var.region
}
variable "region" {
description = "AWS region for the workload environment"
type = string
default = "eu-west-1"
}