tofu setup

.tofu/platforms/upc/modules/cluster/main.tf

@@ -0,0 +1,205 @@
+# Router for the private network
+resource "upcloud_router" "kubernetes" {
+  name = "${var.prefix}-${var.cluster_name}-router"
+}
+
+# Gateway for internet connectivity
+resource "upcloud_gateway" "kubernetes" {
+  name     = "${var.prefix}-${var.cluster_name}-gateway"
+  zone     = var.zone
+  features = ["nat"]
+  router {
+    id = upcloud_router.kubernetes.id
+  }
+}
+
+# Private network for the Kubernetes cluster
+resource "upcloud_network" "kubernetes" {
+  name   = "${var.prefix}-${var.cluster_name}-network"
+  zone   = var.zone
+  router = upcloud_router.kubernetes.id
+
+  ip_network {
+    address            = var.network_cidr
+    dhcp               = true
+    dhcp_default_route = true
+    family             = "IPv4"
+    gateway            = cidrhost(var.network_cidr, 1)
+  }
+
+  depends_on = [upcloud_gateway.kubernetes]
+}
+
+# Kubernetes cluster
+resource "upcloud_kubernetes_cluster" "main" {
+  name                    = "${var.prefix}-${var.cluster_name}"
+  zone                    = var.zone
+  network                 = upcloud_network.kubernetes.id
+  control_plane_ip_filter = var.control_plane_ip_filter
+
+  private_node_groups = true
+}
+
+# Node group for worker nodes
+resource "upcloud_kubernetes_node_group" "workers" {
+  cluster       = upcloud_kubernetes_cluster.main.id
+  name          = "${var.prefix}-${var.cluster_name}-workers"
+  node_count    = var.node_count
+  plan          = var.node_plan
+  anti_affinity = var.node_count > 1
+  labels = {
+    prefix  = var.prefix
+    cluster = var.cluster_name
+    role    = "worker"
+    env     = lookup(var.tags, "Environment", "dev")
+  }
+}
+
+# ─── Managed PostgreSQL ──────────────────────────────────────────────
+
+resource "upcloud_managed_database_postgresql" "main" {
+  name  = "${var.prefix}-postgresql"
+  plan  = var.pg_plan
+  title = "${var.prefix} PostgreSQL"
+  zone  = var.zone
+
+  termination_protection = var.termination_protection
+
+  network {
+    family = "IPv4"
+    name   = "pg-private"
+    type   = "private"
+    uuid   = upcloud_network.kubernetes.id
+  }
+
+  properties {
+    public_access = false
+    version       = var.pg_version
+  }
+
+  labels = var.tags
+}
+
+resource "upcloud_managed_database_logical_database" "keycloak" {
+  service = upcloud_managed_database_postgresql.main.id
+  name    = "keycloak"
+}
+
+resource "upcloud_managed_database_logical_database" "gitlab" {
+  service = upcloud_managed_database_postgresql.main.id
+  name    = "gitlabhq_production"
+}
+
+resource "upcloud_managed_database_user" "keycloak" {
+  service  = upcloud_managed_database_postgresql.main.id
+  username = "keycloak"
+}
+
+resource "upcloud_managed_database_user" "gitlab" {
+  service  = upcloud_managed_database_postgresql.main.id
+  username = "gitlab"
+}
+
+# ─── Managed Valkey ──────────────────────────────────────────────────
+
+resource "upcloud_managed_database_valkey" "main" {
+  name  = "${var.prefix}-valkey"
+  plan  = var.valkey_plan
+  title = "${var.prefix} Valkey"
+  zone  = var.zone
+
+  termination_protection = var.termination_protection
+
+  network {
+    family = "IPv4"
+    name   = "valkey-private"
+    type   = "private"
+    uuid   = upcloud_network.kubernetes.id
+  }
+
+  properties {
+    public_access = false
+  }
+
+  labels = var.tags
+}
+
+# ─── Managed Object Storage ─────────────────────────────────────────
+
+resource "upcloud_managed_object_storage" "main" {
+  name              = "${var.prefix}-objsto"
+  region            = var.objstore_region
+  configured_status = "started"
+
+  network {
+    family = "IPv4"
+    name   = "objsto-private"
+    type   = "private"
+    uuid   = upcloud_network.kubernetes.id
+  }
+
+  labels = var.tags
+}
+
+resource "upcloud_managed_object_storage_user" "gitlab" {
+  service_uuid = upcloud_managed_object_storage.main.id
+  username     = "${var.prefix}-gitlab"
+}
+
+resource "upcloud_managed_object_storage_user_access_key" "gitlab" {
+  service_uuid = upcloud_managed_object_storage.main.id
+  username     = upcloud_managed_object_storage_user.gitlab.username
+  status       = "Active"
+}
+
+resource "upcloud_managed_object_storage_policy" "gitlab" {
+  service_uuid = upcloud_managed_object_storage.main.id
+  name         = "gitlab-full-access"
+  description  = "Full S3 access for GitLab"
+  document = urlencode(jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect   = "Allow"
+        Action   = ["s3:*"]
+        Resource = "*"
+      }
+    ]
+  }))
+}
+
+resource "upcloud_managed_object_storage_user_policy" "gitlab" {
+  service_uuid = upcloud_managed_object_storage.main.id
+  username     = upcloud_managed_object_storage_user.gitlab.username
+  name         = upcloud_managed_object_storage_policy.gitlab.name
+}
+
+resource "upcloud_managed_object_storage_bucket" "gitlab_artifacts" {
+  service_uuid = upcloud_managed_object_storage.main.id
+  name         = "${var.prefix}-gitlab-artifacts"
+}
+
+resource "upcloud_managed_object_storage_bucket" "gitlab_uploads" {
+  service_uuid = upcloud_managed_object_storage.main.id
+  name         = "${var.prefix}-gitlab-uploads"
+}
+
+resource "upcloud_managed_object_storage_bucket" "gitlab_packages" {
+  service_uuid = upcloud_managed_object_storage.main.id
+  name         = "${var.prefix}-gitlab-packages"
+}
+
+resource "upcloud_managed_object_storage_bucket" "gitlab_lfs" {
+  service_uuid = upcloud_managed_object_storage.main.id
+  name         = "${var.prefix}-gitlab-lfs"
+}
+
+resource "upcloud_managed_object_storage_bucket" "gitlab_registry" {
+  service_uuid = upcloud_managed_object_storage.main.id
+  name         = "${var.prefix}-gitlab-registry"
+}
+
+resource "upcloud_managed_object_storage_bucket" "gitlab_backups" {
+  service_uuid = upcloud_managed_object_storage.main.id
+  name         = "${var.prefix}-gitlab-backups"
+}