locals {
  # Name prefix shared by resources created for this environment.
  resource_name = "comet-${var.environment}"

  # Tag set propagated to every module and resource. merge() gives later maps
  # precedence, so var.common_tags can override the Terraform/Environment tags.
  all_tags = merge(
    { Terraform = "true" },
    var.environment_tag != "" ? { Environment = var.environment_tag } : {},
    var.common_tags
  )

  # Region-agnostic hostname of the deployment: the explicit override wins,
  # otherwise the environment name is used (coalesce skips null and "").
  comet_hostname = coalesce(var.comet_hostname, var.environment)

  # Domain the ACM certificate is issued for. Derived from comet_hostname rather
  # than environment so the name does not vary by region; null when the
  # certificate is disabled.
  acm_domain_name = var.enable_acm_certificate ? coalesce(var.acm_domain_name, "${local.comet_hostname}.comet-hosted.com") : null

  # Single source of truth for the RDS master password so the RDS and Secrets
  # Manager modules receive the same value: the caller-supplied password when
  # given, else the generated one (which only exists when RDS is enabled).
  # NOTE(review): like every other value this is persisted in Terraform state,
  # so the state backend needs the same protection as the password itself.
  rds_master_password = var.rds_master_password != null ? var.rds_master_password : (
    var.enable_rds ? random_password.rds_master[0].result : null
  )
}
#############################
#### RDS Password Generation ####
#############################
# Generated master password, created only when RDS is enabled and the caller
# did not supply var.rds_master_password (consumed via local.rds_master_password).
resource "random_password" "rds_master" {
  count = (var.enable_rds && var.rds_master_password == null) ? 1 : 0

  length  = 20
  special = true
  # Restricted special-character set: omits '/', '@', '"' and space,
  # presumably to satisfy RDS master-password character rules — confirm.
  override_special = "!#$%&*()-_=+[]{}<>:?"
}
#######################
#### ACM Certificate ####
#######################
# Public certificate for local.acm_domain_name (defaults to
# "<comet_hostname>.comet-hosted.com") with a wildcard SAN for its subdomains,
# validated via DNS records in Route 53.
resource "aws_acm_certificate" "main" {
  count = var.enable_acm_certificate ? 1 : 0

  validation_method         = "DNS"
  domain_name               = local.acm_domain_name
  subject_alternative_names = ["*.${local.acm_domain_name}"]

  tags = merge(local.all_tags, { Name = local.acm_domain_name })

  # Issue the replacement before destroying the old certificate so anything
  # referencing the ARN is never left pointing at a deleted certificate.
  lifecycle {
    create_before_destroy = true
  }
}
# Route 53 records answering the DNS validation challenge, one per entry in
# the certificate's domain_validation_options (apex name and wildcard SAN).
resource "aws_route53_record" "acm_validation" {
  for_each = var.enable_acm_certificate ? {
    for option in aws_acm_certificate.main[0].domain_validation_options :
    option.domain_name => {
      record_name  = option.resource_record_name
      record_value = option.resource_record_value
      record_type  = option.resource_record_type
    }
  } : {}

  zone_id = var.acm_route53_zone_id
  name    = each.value.record_name
  type    = each.value.record_type
  records = [each.value.record_value]
  ttl     = 60
  # Replaces any existing record with the same name/type in the zone (needed
  # when the certificate is re-issued). Keep this in mind for zones shared
  # with other tenants or containing manually managed records.
  allow_overwrite = true
}
# Blocks until ACM reports the certificate as issued (opt-in through
# acm_wait_for_validation). Resources that need an issued certificate should
# reference this resource's certificate_arn rather than the certificate's own ARN.
resource "aws_acm_certificate_validation" "main" {
  count = (var.enable_acm_certificate && var.acm_wait_for_validation) ? 1 : 0

  certificate_arn         = aws_acm_certificate.main[0].arn
  validation_record_fqdns = values(aws_route53_record.acm_validation)[*].fqdn
}
# Guard: a Route 53 zone is required to publish the validation records whenever
# the ACM certificate is enabled. Evaluated at plan time via a precondition.
# NOTE(review): this only catches null; if the variable's declared default is ""
# the failure will instead surface from the aws_route53_record resources — confirm.
resource "terraform_data" "acm_validation" {
  count = var.enable_acm_certificate ? 1 : 0

  lifecycle {
    precondition {
      condition     = var.acm_route53_zone_id != null
      error_message = "acm_route53_zone_id is required when enable_acm_certificate is true."
    }
  }
}
# Guard: the Secrets Manager module reads the RDS password and the ElastiCache
# module outputs, so both of those modules must be enabled alongside it.
resource "terraform_data" "secretsmanager_validation" {
  count = var.enable_secretsmanager ? 1 : 0

  lifecycle {
    precondition {
      condition     = alltrue([var.enable_rds, var.enable_elasticache])
      error_message = "enable_secretsmanager requires both enable_rds and enable_elasticache to be true."
    }
  }
}
# Optional VPC. When disabled, the other modules fall back to the
# caller-supplied comet_vpc_id / comet_*_subnets values.
module "comet_vpc" {
  source = "./modules/comet_vpc"
  count  = var.enable_vpc ? 1 : 0

  environment = var.environment
  region      = var.region
  common_tags = local.all_tags

  vpc_cidr           = var.vpc_cidr
  eks_enabled        = var.enable_eks
  single_nat_gateway = var.single_nat_gateway
}
# Comet on EC2, placed in the first public subnet.
# NOTE(review): the fallback var.comet_public_subnets[0] needs at least one
# element when enable_vpc is false; an empty list fails with an index error.
module "comet_ec2" {
  source = "./modules/comet_ec2"
  count  = var.enable_ec2 ? 1 : 0

  environment = var.environment
  common_tags = local.all_tags

  # Networking: the created VPC, or caller-supplied IDs
  vpc_id           = var.enable_vpc ? module.comet_vpc[0].vpc_id : var.comet_vpc_id
  comet_ec2_subnet = var.enable_vpc ? module.comet_vpc[0].public_subnets[0] : var.comet_public_subnets[0]

  # Instance shape
  comet_ec2_ami_type       = var.comet_ec2_ami_type
  comet_ec2_ami_id         = var.comet_ec2_ami_id
  comet_ec2_instance_type  = var.comet_ec2_instance_type
  comet_ec2_instance_count = var.comet_ec2_instance_count
  comet_ec2_volume_type    = var.comet_ec2_volume_type
  comet_ec2_volume_size    = var.comet_ec2_volume_size
  comet_ec2_key            = var.comet_ec2_key

  # Optional ALB in front of the instance(s); its security group is handed to
  # the EC2 module (presumably for an ingress rule — see the module)
  alb_enabled      = var.enable_ec2_alb
  comet_ec2_alb_sg = var.enable_ec2_alb ? module.comet_ec2_alb[0].comet_alb_sg : null

  # Optional S3 access through the IAM policy exported by the S3 module
  s3_enabled              = var.enable_s3
  comet_ec2_s3_iam_policy = var.enable_s3 ? module.comet_s3[0].comet_s3_iam_policy_arn : null
}
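# Optional ALB for the EC2 deployment.
module "comet_ec2_alb" {
  source = "./modules/comet_ec2_alb"
  count  = var.enable_ec2_alb ? 1 : 0

  environment = var.environment
  common_tags = local.all_tags

  vpc_id         = var.enable_vpc ? module.comet_vpc[0].vpc_id : var.comet_vpc_id
  public_subnets = var.enable_vpc ? module.comet_vpc[0].public_subnets : var.comet_public_subnets

  # Certificate for the HTTPS listener: a caller-supplied ARN wins, otherwise the
  # ACM certificate created in this root module.
  # When acm_wait_for_validation is set, the ARN is taken from
  # aws_acm_certificate_validation so the listener is only created after ACM has
  # issued the certificate; a listener cannot be attached to a still-pending
  # certificate, which otherwise makes the first apply fail.
  # coalesce() errors when every argument is null, so an ALB with no certificate
  # source at all is rejected at plan time — confirm this is intended.
  ssl_certificate_arn = coalesce(
    var.ssl_certificate_arn,
    var.enable_acm_certificate ? (
      var.acm_wait_for_validation
      ? aws_acm_certificate_validation.main[0].certificate_arn
      : aws_acm_certificate.main[0].arn
    ) : null
  )
}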
# EKS cluster, managed node groups and add-ons, wired to the VPC and S3 module
# outputs. Almost every argument is a pass-through of a root variable.
module "comet_eks" {
  source = "./modules/comet_eks"
  count  = var.enable_eks ? 1 : 0

  environment = var.environment
  region      = var.region
  common_tags = local.all_tags

  # Networking: created VPC or caller-supplied IDs; nodes live in private subnets
  vpc_id              = var.enable_vpc ? module.comet_vpc[0].vpc_id : var.comet_vpc_id
  eks_private_subnets = var.enable_vpc ? module.comet_vpc[0].private_subnets : var.comet_private_subnets

  # Cluster identity, version and API endpoint exposure
  eks_cluster_name                            = var.eks_cluster_name
  eks_cluster_version                         = var.eks_cluster_version
  eks_cluster_endpoint_public_access          = var.eks_cluster_endpoint_public_access
  eks_cluster_endpoint_private_access         = var.eks_cluster_endpoint_private_access
  eks_cluster_security_group_additional_rules = var.eks_cluster_security_group_additional_rules
  eks_private_access_cidrs                    = var.eks_private_access_cidrs

  # Cluster access: authentication mode, creator admin grant and admin roles
  eks_authentication_mode                      = var.eks_authentication_mode
  eks_enable_cluster_creator_admin_permissions = var.eks_enable_cluster_creator_admin_permissions
  eks_admin_role_arns                          = var.eks_admin_role_arns

  # KMS key principals (cluster encryption key; see the module)
  kms_key_administrators = var.eks_kms_key_administrators
  kms_key_users          = var.eks_kms_key_users

  # AMI selection per node group
  eks_mng_ami_type        = var.eks_mng_ami_type
  eks_admin_ami_type      = var.eks_admin_ami_type
  eks_comet_ami_type      = var.eks_comet_ami_type
  eks_clickhouse_ami_type = var.eks_clickhouse_ami_type
  eks_mng_ami_id          = var.eks_mng_ami_id
  eks_mng_disk_size       = var.eks_mng_disk_size

  # Cluster add-ons / controllers
  eks_aws_load_balancer_controller = var.eks_aws_load_balancer_controller
  eks_cert_manager                 = var.eks_cert_manager
  eks_aws_cloudwatch_metrics       = var.eks_aws_cloudwatch_metrics
  eks_external_dns                 = var.eks_external_dns
  eks_external_dns_r53_zones       = var.eks_external_dns_r53_zones
  eks_enable_metrics_server        = var.eks_enable_metrics_server
  eks_metrics_server_addon_version = var.eks_metrics_server_addon_version
  eks_enable_cluster_autoscaler    = var.eks_enable_cluster_autoscaler

  # S3 access: same IAM policy the EC2 module receives
  s3_enabled              = var.enable_s3
  comet_ec2_s3_iam_policy = var.enable_s3 ? module.comet_s3[0].comet_s3_iam_policy_arn : null

  # MPM Infrastructure toggle
  enable_mpm_infra = var.enable_mpm_infra

  # Node Group Toggles
  enable_admin_node_group      = var.eks_enable_admin_node_group
  enable_comet_node_group      = var.eks_enable_comet_node_group
  enable_druid_node_group      = var.eks_enable_druid_node_group
  enable_airflow_node_group    = var.eks_enable_airflow_node_group
  enable_clickhouse_node_group = var.eks_enable_clickhouse_node_group

  # Admin Node Group
  eks_admin_name           = var.eks_admin_name
  eks_admin_instance_types = var.eks_admin_instance_types
  eks_admin_min_size       = var.eks_admin_min_size
  eks_admin_max_size       = var.eks_admin_max_size
  eks_admin_desired_size   = var.eks_admin_desired_size

  # Comet Node Group
  eks_comet_name           = var.eks_comet_name
  eks_comet_instance_types = var.eks_comet_instance_types
  eks_comet_min_size       = var.eks_comet_min_size
  eks_comet_max_size       = var.eks_comet_max_size
  eks_comet_desired_size   = var.eks_comet_desired_size

  # Druid Node Group
  eks_druid_name           = var.eks_druid_name
  eks_druid_instance_types = var.eks_druid_instance_types
  eks_druid_min_size       = var.eks_druid_min_size
  eks_druid_max_size       = var.eks_druid_max_size
  eks_druid_desired_size   = var.eks_druid_desired_size

  # Airflow Node Group
  eks_airflow_name           = var.eks_airflow_name
  eks_airflow_instance_types = var.eks_airflow_instance_types
  eks_airflow_min_size       = var.eks_airflow_min_size
  eks_airflow_max_size       = var.eks_airflow_max_size
  eks_airflow_desired_size   = var.eks_airflow_desired_size

  # ClickHouse Node Group (with its own volume settings and taints)
  eks_clickhouse_name                  = var.eks_clickhouse_name
  eks_clickhouse_instance_types        = var.eks_clickhouse_instance_types
  eks_clickhouse_min_size              = var.eks_clickhouse_min_size
  eks_clickhouse_max_size              = var.eks_clickhouse_max_size
  eks_clickhouse_desired_size          = var.eks_clickhouse_desired_size
  eks_clickhouse_volume_size           = var.eks_clickhouse_volume_size
  eks_clickhouse_volume_type           = var.eks_clickhouse_volume_type
  eks_clickhouse_volume_encrypted      = var.eks_clickhouse_volume_encrypted
  eks_clickhouse_delete_on_termination = var.eks_clickhouse_delete_on_termination
  eks_clickhouse_taints                = var.eks_clickhouse_taints

  # Additional custom node groups
  additional_node_groups = var.eks_additional_node_groups

  # Additional S3 bucket access
  additional_s3_bucket_arns = var.eks_additional_s3_bucket_arns

  # External Secrets IRSA role and Helm chart; secretsmanager_environment is the
  # same value the Secrets Manager module uses to name its secrets
  enable_external_secrets        = var.eks_enable_external_secrets
  external_secrets_chart_version = var.eks_external_secrets_chart_version
  secretsmanager_environment     = var.secretsmanager_environment

  # Storage class configuration
  storage_class_reclaim_policy = var.eks_storage_class_reclaim_policy

  # Loki IRSA for S3 access; the bucket ARN is only available when both S3 and
  # the Loki bucket are enabled
  enable_loki        = var.enable_loki_bucket
  loki_s3_bucket_arn = var.enable_s3 && var.enable_loki_bucket ? module.comet_s3[0].comet_loki_bucket_arn : null

  # CloudWatch Exporter IRSA for scraping AWS managed service metrics
  enable_cloudwatch_exporter = var.enable_cloudwatch_exporter

  # Monitoring namespace and Grafana credentials (the same credentials are also
  # passed to the Secrets Manager module)
  enable_monitoring_setup = var.enable_monitoring_setup
  monitoring_namespace    = var.monitoring_namespace
  grafana_admin_user      = var.grafana_admin_user
  grafana_admin_password  = var.grafana_admin_password

  # Karpenter prerequisites
  enable_karpenter = var.eks_enable_karpenter

  # Karpenter Node Group (dedicated controller node group, created when enable_karpenter = true)
  eks_karpenter_node_instance_types  = var.eks_karpenter_node_instance_types
  eks_karpenter_node_min_size        = var.eks_karpenter_node_min_size
  eks_karpenter_node_max_size        = var.eks_karpenter_node_max_size
  eks_karpenter_node_desired_size    = var.eks_karpenter_node_desired_size
  eks_karpenter_node_disk_size       = var.eks_karpenter_node_disk_size
  eks_admin_karpenter_instance_types = var.eks_admin_karpenter_instance_types

  # Karpenter Helm chart; the Helm registry credentials are passed through as-is
  # (NOTE(review): confirm the corresponding variables are declared sensitive)
  karpenter_chart_version = var.eks_karpenter_chart_version
  karpenter_helm_username = var.eks_karpenter_helm_username
  karpenter_helm_password = var.eks_karpenter_helm_password
  karpenter_extra_tags    = var.eks_karpenter_extra_tags
}
# Redis (ElastiCache) for Comet, placed in the private subnets.
module "comet_elasticache" {
  source = "./modules/comet_elasticache"
  count  = var.enable_elasticache ? 1 : 0

  environment = var.environment
  common_tags = local.all_tags

  # Placement: created VPC or caller-supplied IDs
  vpc_id                      = var.enable_vpc ? module.comet_vpc[0].vpc_id : var.comet_vpc_id
  elasticache_private_subnets = var.enable_vpc ? module.comet_vpc[0].private_subnets : var.comet_private_subnets

  # Security group allowed to reach the cache. Precedence is EC2, then EKS, then
  # the caller-supplied SG — so with both EC2 and EKS enabled only the EC2 SG
  # is granted access.
  elasticache_allow_from_sg = var.enable_ec2 ? module.comet_ec2[0].comet_ec2_sg_id : (
    var.enable_eks ? module.comet_eks[0].nodegroup_sg_id : var.elasticache_allow_from_sg
  )

  # Engine and sizing
  elasticache_engine           = var.elasticache_engine
  elasticache_engine_version   = var.elasticache_engine_version
  elasticache_instance_type    = var.elasticache_instance_type
  elasticache_param_group_name = var.elasticache_param_group_name
  elasticache_num_cache_nodes  = var.elasticache_num_cache_nodes

  # In-transit encryption and the AUTH token that goes with it
  elasticache_transit_encryption = var.elasticache_transit_encryption
  elasticache_auth_token         = var.elasticache_auth_token

  # Availability
  elasticache_automatic_failover_enabled = var.elasticache_automatic_failover_enabled
  elasticache_multi_az_enabled           = var.elasticache_multi_az_enabled
}
# Aurora MySQL (RDS) cluster for Comet, placed in the private subnets.
module "comet_rds" {
  source = "./modules/comet_rds"
  count  = var.enable_rds ? 1 : 0

  # Naming
  environment                    = coalesce(var.rds_environment, var.environment)
  rds_cluster_identifier         = var.rds_cluster_identifier
  rds_instance_identifier_prefix = var.rds_instance_identifier_prefix
  common_tags                    = local.all_tags

  # Placement: created VPC or caller-supplied values
  availability_zones  = var.enable_vpc ? module.comet_vpc[0].azs : var.availability_zones
  vpc_id              = var.enable_vpc ? module.comet_vpc[0].vpc_id : var.comet_vpc_id
  rds_private_subnets = var.enable_vpc ? module.comet_vpc[0].private_subnets : var.comet_private_subnets

  # Security group allowed to reach the cluster. Precedence is EC2, then EKS,
  # then the caller-supplied SG — so with both EC2 and EKS enabled only the
  # EC2 SG is granted access.
  rds_allow_from_sg = var.enable_ec2 ? module.comet_ec2[0].comet_ec2_sg_id : (
    var.enable_eks ? module.comet_eks[0].nodegroup_sg_id : var.rds_allow_from_sg
  )

  # Engine and sizing
  rds_engine         = var.rds_engine
  rds_engine_version = var.rds_engine_version
  rds_instance_type  = var.rds_instance_type
  rds_instance_count = var.rds_instance_count
  # Storage type (aurora-iopt1 for I/O-Optimized)
  rds_storage_type = var.rds_storage_type

  # Encryption, authentication, backups and deletion safety
  rds_storage_encrypted       = var.rds_storage_encrypted
  rds_kms_key_id              = var.rds_kms_key_id
  rds_iam_db_auth             = var.rds_iam_db_auth
  rds_backup_retention_period = var.rds_backup_retention_period
  rds_preferred_backup_window = var.rds_preferred_backup_window
  rds_deletion_protection     = var.rds_deletion_protection
  rds_snapshot_identifier     = var.rds_snapshot_identifier

  # Database and master credentials (password shared with the Secrets Manager module)
  rds_database_name   = var.rds_database_name
  rds_master_username = var.rds_master_username
  rds_master_password = local.rds_master_password

  # Performance Insights and Enhanced Monitoring
  rds_performance_insights_enabled          = var.rds_performance_insights_enabled
  rds_performance_insights_retention_period = var.rds_performance_insights_retention_period
  rds_performance_insights_kms_key_id       = var.rds_performance_insights_kms_key_id
  rds_enhanced_monitoring_interval          = var.rds_enhanced_monitoring_interval

  # Additional MySQL cluster parameters (defaults include operational tunings)
  rds_cluster_parameters = var.rds_cluster_parameters
}
# S3 buckets for Comet plus the IAM policy the compute modules attach.
module "comet_s3" {
  source = "./modules/comet_s3"
  count  = var.enable_s3 ? 1 : 0

  environment = var.environment
  common_tags = local.all_tags

  comet_s3_bucket = var.s3_bucket_name
  # Allows destroying non-empty buckets; keep false outside throwaway environments
  s3_force_destroy = var.s3_force_destroy

  # MPM infrastructure toggle and the Loki log bucket
  enable_mpm_infra   = var.enable_mpm_infra
  enable_loki_bucket = var.enable_loki_bucket
}
# Secrets Manager entries for the Comet workloads (presumably read through the
# External Secrets role enabled in the EKS module). Requires the RDS and
# ElastiCache modules; enforced by terraform_data.secretsmanager_validation.
module "comet_secretsmanager" {
  source = "./modules/comet_secretsmanager"
  count  = var.enable_secretsmanager ? 1 : 0

  environment = coalesce(var.secretsmanager_environment, var.environment)
  common_tags = local.all_tags

  # Which secrets to create
  enable_config_secret     = var.enable_config_secret
  enable_monitoring_secret = var.enable_monitoring_secret
  enable_clickhouse_secret = var.enable_clickhouse_secret

  # MySQL: the same value the RDS module received (supplied or generated)
  mysql_password = local.rds_master_password

  # Redis: connection details from the ElastiCache module
  redis_endpoint           = module.comet_elasticache[0].redis_endpoint
  redis_port               = module.comet_elasticache[0].redis_port
  redis_transit_encryption = module.comet_elasticache[0].transit_encryption_enabled
  # NOTE(review): sourced from var.redis_token, whereas the ElastiCache module is
  # configured with var.elasticache_auth_token; confirm the two are kept in sync,
  # otherwise the stored secret will not authenticate against Redis.
  redis_token = var.redis_token

  # Secret seed (optional - auto-generated by the module when not provided)
  secret_seed = var.secret_seed

  # SendGrid
  sendgrid_api_key = var.sendgrid_api_key

  # S3 credentials (default to IAM-ROLE)
  s3_key            = var.s3_key
  s3_secret         = var.s3_secret
  s3_private_key    = var.s3_private_key
  s3_private_secret = var.s3_private_secret
  s3_public_key     = var.s3_public_key
  s3_public_secret  = var.s3_public_secret

  # Monitoring secret (same Grafana credentials handed to the EKS module)
  grafana_admin_user     = var.grafana_admin_user
  grafana_admin_password = var.grafana_admin_password

  # ClickHouse secret
  clickhouse_monitoring_password = var.clickhouse_monitoring_password

  depends_on = [
    module.comet_elasticache,
    module.comet_rds,
  ]
}