# OAuth2 client id used by the monitoring stack. No default on purpose:
# the value must be supplied at plan/apply time (tfvars or TF_VAR_*).
variable "oauth2_client_id_monitoring" {}
# Secret for the monitoring OAuth2 client. No default on purpose: supply it
# at plan/apply time (tfvars or TF_VAR_*) rather than committing it here.
variable "oauth2_client_secret_monitoring" {}

# Id of the gitlab.net zone (presumably the managed DNS zone; confirm in
# main.tf). No default: supplied externally.
variable "gitlab_net_zone_id" {}
# Id of the gitlab.com zone (presumably the managed DNS zone). No default:
# supplied externally.
variable "gitlab_com_zone_id" {}
# Id of the gitlab.io zone (presumably the managed DNS zone). No default:
# supplied externally.
variable "gitlab_io_zone_id" {}

# Revision number of the instance bootstrap script — presumably consumed by
# the instance templates in main.tf; confirm what a bump triggers before
# changing it.
variable "bootstrap_script_version" {
  default = 8
}

#############################
# Source ranges for the default firewall rule, which
# allows ALL protocols on ALL ports from each range.
# Every entry listed here therefore gets unrestricted
# access to the environment; keep the list as narrow
# as possible and document each addition.
#
# 10.224.0.0/13:  all of gstg (10.224.0.0 - 10.231.255.255; this also
#                 covers the 10.225.x / 10.226.x ranges declared in
#                 `subnetworks` below)
# 10.250.7.0/24:  ops runner
# 10.250.8.11/32: nessus scanner
# 10.250.10.0/24: chatops runner
# 10.250.12.0/24: release runner
# 10.12.0.0/14:   pod address range in gitlab-ops for runners
###########################

variable "internal_subnets" {
  type    = "list"

  # NOTE(review): the nessus entry is written without a prefix length
  # ("10.250.8.11") while the comment above says /32 — confirm the
  # provider treats the bare address as a single host.
  default = ["10.224.0.0/13", "10.250.7.0/24", "10.250.8.11", "10.250.10.0/24", "10.250.12.0/24", "10.12.0.0/14"]
}

# Monitoring ranges in other environments that also need to reach gstg
# (presumably feeding a monitoring-specific firewall rule; verify in main.tf).
variable "other_monitoring_subnets" {
  type = "list"

  # 10.219.1.0/24: gprd
  # 10.251.17.0/24: dr
  default = ["10.219.1.0/24", "10.251.17.0/24"]
}

##################
# Network Peering
##################

# Self link of this environment's own VPC (network "gstg" in project
# gitlab-staging-1) — presumably the local side of the peerings built
# from `peer_networks`.
variable "network_env" {
  default = "https://www.googleapis.com/compute/v1/projects/gitlab-staging-1/global/networks/gstg"
}

# VPCs to peer with the gstg network. "names" and "links" are parallel
# lists: names[i] presumably labels the peering to links[i], so keep the
# two in the same order when adding an entry.
variable "peer_networks" {
  type = "map"

  default = {
    "names" = ["ops", "gprd", "dr"]

    "links" = [
      "https://www.googleapis.com/compute/v1/projects/gitlab-ops/global/networks/ops",
      "https://www.googleapis.com/compute/v1/projects/gitlab-production/global/networks/gprd",
      "https://www.googleapis.com/compute/v1/projects/gitlab-dr/global/networks/dr",
    ]
  }
}

######################

# Default Chef run list, stored as the already-quoted, comma-separated
# body of a JSON array (the escaped quotes are part of the value).
variable "base_chef_run_list" {
  default = "\"role[gitlab]\",\"recipe[gitlab_users::default]\",\"recipe[gitlab_sudo::default]\",\"recipe[gitlab-server::bashrc]\""
}

# Run list for nodes that should receive no roles or recipes: a single
# empty quoted string, in the same pre-quoted format as base_chef_run_list.
variable "empty_chef_run_list" {
  default = "\"\""
}

# DNS zone that records for this environment are created under.
variable "dns_zone_name" {
  default = "gitlab.com"
}

# Monitoring hosts and the port each one listens on. "names" and "ports"
# are parallel lists (alerts -> 9093, the three prometheus-* hosts -> 9090).
variable "monitoring_hosts" {
  type = "map"

  default = {
    "names" = ["alerts", "prometheus", "prometheus-app", "prometheus-db"]
    "ports" = [9093, 9090, 9090, 9090]
  }
}

#### GCP load balancing

# The top level domain record for the GitLab deployment.
# For production this should be set to "gitlab.com";
# the gstg default below points at the staging canary host.

variable "lb_fqdns" {
  type    = "list"
  default = ["canary.staging.gitlab.com"]
}

#####

# Hostname(s) for the alternative-SSH load balancer (see tcp_lbs_altssh).
variable "lb_fqdns_altssh" {
  type    = "list"
  default = ["altssh.gstg.gitlab.com"]
}

# Hostname(s) for the container registry load balancer (see tcp_lbs_registry).
variable "lb_fqdns_registry" {
  type    = "list"
  default = ["registry.staging.gitlab.com"]
}

# Hostname(s) for the canary load balancer. Empty in gstg: no canary LB
# hostnames are served here, and the matching tcp_lbs_cny map is empty too.
variable "lb_fqdns_cny" {
  type    = "list"
  default = []
}

# Hostname(s) for the Pages load balancer; a wildcard so that every
# project's pages site under gstg.gitlab.io resolves to it.
variable "lb_fqdns_pages" {
  type    = "list"
  default = ["*.pages.gstg.gitlab.io"]
}

# Hostname(s) for the bastion load balancer (see tcp_lbs_bastion).
variable "lb_fqdns_bastion" {
  type    = "list"
  default = ["lb-bastion.gstg.gitlab.com"]
}

# Hostname(s) for the internal load balancer (see tcp_lbs_internal);
# note the gitlab.net zone rather than gitlab.com.
variable "lb_fqdns_internal" {
  type    = "list"
  default = ["int.gstg.gitlab.net"]
}

# Internal hostname(s) for the pgbouncer load balancer.
variable "lb_fqdns_internal_pgbouncer" {
  type    = "list"
  default = ["pgbouncer.int.gstg.gitlab.net"]
}

# Internal hostname(s) for the patroni load balancer.
variable "lb_fqdns_internal_patroni" {
  type    = "list"
  default = ["patroni.int.gstg.gitlab.net"]
}

# Hostname(s) for the contributors load balancer (see tcp_lbs_contributors).
variable "lb_fqdns_contributors" {
  type    = "list"
  default = ["lb-contributors.gstg.gitlab.com"]
}

#
# Forwarding definitions for the TCP load balancers. Every tcp_lbs* map
# below holds parallel lists: names[i] must have a matching
# forwarding_port_ranges[i] and health_check_ports[i], so add entries
# to all three lists at the same index.
#

# Public-facing LB: http, https and ssh, each health-checked on a
# dedicated 800x port rather than on the forwarded port itself.
variable "tcp_lbs" {
  type = "map"

  default = {
    "names"                  = ["http", "https", "ssh"]
    "forwarding_port_ranges" = ["80", "443", "22"]
    "health_check_ports"     = ["8001", "8002", "8003"]
  }
}

# Internal LB: same ports and health-check ports as tcp_lbs, with
# "-internal" suffixed names so the two sets of resources do not collide.
variable "tcp_lbs_internal" {
  type = "map"

  default = {
    "names"                  = ["http-internal", "https-internal", "ssh-internal"]
    "forwarding_port_ranges" = ["80", "443", "22"]
    "health_check_ports"     = ["8001", "8002", "8003"]
  }
}

# Pages LB: http and https only (no ssh).
variable "tcp_lbs_pages" {
  type = "map"

  default = {
    "names"                  = ["http", "https"]
    "forwarding_port_ranges" = ["80", "443"]
    "health_check_ports"     = ["8001", "8002"]
  }
}

# Alternative-SSH LB: ssh carried over 443. This is the only tcp_lbs* map
# in this file that carries "health_check_request_paths"; the check is an
# HTTP probe of /-/available-ssh on port 8003 (the same check port the
# public ssh forwarding uses in tcp_lbs).
variable "tcp_lbs_altssh" {
  type = "map"

  default = {
    "names"                      = ["https"]
    "forwarding_port_ranges"     = ["443"]
    "health_check_ports"         = ["8003"]
    "health_check_request_paths" = ["/-/available-ssh"]
  }
}

# Container registry LB: http and https, same check ports as tcp_lbs_pages.
variable "tcp_lbs_registry" {
  type = "map"

  default = {
    "names"                  = ["http", "https"]
    "forwarding_port_ranges" = ["80", "443"]
    "health_check_ports"     = ["8001", "8002"]
  }
}

# Canary LB: deliberately empty in gstg (no names, so no forwarding rules
# or health checks are created); lb_fqdns_cny is empty to match.
variable "tcp_lbs_cny" {
  type = "map"

  default = {
    "names"                  = []
    "forwarding_port_ranges" = []
    "health_check_ports"     = []
  }
}

# Bastion LB: forwards ssh only.
# NOTE(review): the health check targets port 80 while only 22 is
# forwarded — presumably a separate HTTP health endpoint on the bastions;
# confirm, since a check on a port that is not served keeps the backend
# permanently unhealthy.
variable "tcp_lbs_bastion" {
  type = "map"

  default = {
    "names"                  = ["ssh"]
    "forwarding_port_ranges" = ["22"]
    "health_check_ports"     = ["80"]
  }
}

# Contributors LB: https only, health-checked on the forwarded port (443)
# rather than on a dedicated 800x check port like the other LBs.
variable "tcp_lbs_contributors" {
  type = "map"

  default = {
    "names"                      = ["https"]
    "forwarding_port_ranges"     = ["443"]
    "health_check_ports"         = ["443"]
  }
}

#######################

# Ports opened to the internet, per node role (presumably consumed by the
# public firewall rules in main.tf — verify). An empty list means the role
# exposes nothing publicly. Only bastion, fe-lb and contributors are
# reachable from outside; fe-lb also lists 22 because tcp_lbs forwards
# ssh through it. Any port added here widens the external attack surface
# for every node of that role.
variable "public_ports" {
  type = "map"

  default = {
    "api"                = []
    "bastion"            = [22]
    "blackbox"           = []
    "console"            = []
    "consul"             = []
    "deploy"             = []
    "runner"             = []
    "db-dr"              = []
    "pgb"                = []
    "fe-lb"              = [22, 80, 443]
    "git"                = []
    "mailroom"           = []
    "patroni"            = []
    "pubsubbeat"         = []
    "redis"              = []
    "redis-cache"        = []
    "registry"           = []
    "registry-analytics" = []
    "sidekiq"            = []
    "sd-exporter"        = []
    "stor"               = []
    "thanos"             = []
    "contributors"       = [80, 443]
    "web"                = []
    "web-pages"          = []
    "monitoring"         = []
    "influxdb"           = []
  }
}

# Short environment name; used as the prefix/suffix in resource names and
# hostnames throughout this file (e.g. *.gstg.gitlab.net).
variable "environment" {
  default = "gstg"
}

# Whether nodes format their data disk on bootstrap. Kept as the string
# "true" rather than a bool, in keeping with the quoted-type (0.11-era)
# syntax used throughout this file.
variable "format_data_disk" {
  default = "true"
}

# GCP project that hosts this environment (also embedded in the
# network_env, monitoring_cert_link and KMS key paths below).
variable "project" {
  default = "gitlab-staging-1"
}

# GCP region the environment is deployed in.
variable "region" {
  default = "us-east1"
}

variable "chef_provision" {
  type        = "map"
  description = "Configuration details for chef server"

  default = {
    # Bootstrap material for new nodes — presumably a GCS bucket plus the
    # KMS key/keyring used to unwrap the validation key; verify in main.tf.
    bootstrap_bucket  = "gitlab-gstg-chef-bootstrap"
    bootstrap_key     = "gitlab-gstg-bootstrap-validation"
    bootstrap_keyring = "gitlab-gstg-bootstrap"

    # Chef server endpoint and the client identity used to register nodes.
    # user_key_path has no leading slash, so it resolves against the
    # directory terraform runs from; the .pem must exist there and must not
    # be committed next to this file.
    server_url    = "https://chef.gitlab.com/organizations/gitlab/"
    user_name     = "gitlab-ci"
    user_key_path = ".chef.pem"
    version       = "12.22.5" # presumably the chef-client version to install — confirm
  }
}

# Relative self link of the GCP SSL certificate used by the monitoring
# load balancer. Going by its name it is a wildcard for gstg.gitlab.net
# issued in 2020, so this value has to be updated whenever the
# certificate is renewed.
variable "monitoring_cert_link" {
  default = "projects/gitlab-staging-1/global/sslCertificates/wildcard-gstg-gitlab-net-2020"
}

# Data disk size per node role, as strings. Units are not stated here —
# presumably GB, as GCE disk sizes are — confirm against the disk
# resources in main.tf. Roles not listed presumably get no data disk or a
# default size set elsewhere.
variable "data_disk_sizes" {
  type = "map"

  default = {
    "file"       = "2000"
    "share"      = "1500"
    "pages"      = "16000"
    "patroni"    = "1500"
    "prometheus" = "50"
  }
}

# GCE machine type per node role.
# NOTE(review): the keys here do not line up one-to-one with `node_count`
# (e.g. node_count has "pages", "share", "prometheus*", "multizone-stor",
# "deploy-cny" and the *-cny keys; this map has "stor-pages"/"stor-share"
# and "contributors-db" instead). The lookup is presumably resolved in
# main.tf — verify there before adding a role to only one of the two maps.
variable "machine_types" {
  type = "map"

  default = {
    "alerts"                = "n1-standard-1"
    "api"                   = "n1-standard-16"
    "bastion"               = "g1-small"
    "blackbox"              = "n1-standard-1"
    "console"               = "n1-standard-1"
    "consul"                = "n1-standard-4"
    "contributors"          = "g1-small"
    "contributors-db"       = "db-f1-micro"
    "deploy"                = "n1-standard-2"
    "runner"                = "n1-standard-2"
    "db-dr"                 = "n1-standard-8"
    "fe-lb"                 = "n1-standard-4"
    "git"                   = "n1-standard-16"
    "influxdb"              = "n1-standard-4"
    "pgb"                   = "n1-standard-4"
    "mailroom"              = "n1-standard-2"
    "monitoring"            = "n1-standard-4"
    "patroni"               = "n1-standard-8"
    "redis"                 = "n1-standard-8"
    "redis-cache"           = "n1-highmem-16"
    "redis-cache-sentinel"  = "n1-standard-1"
    "registry"              = "n1-standard-2"
    "registry-analytics"    = "n1-standard-1"
    "sd-exporter"           = "n1-standard-1"
    "sidekiq-asap"          = "n1-standard-4"
    "sidekiq-besteffort"    = "n1-standard-4"
    "sidekiq-elasticsearch" = "n1-standard-4"
    "sidekiq-import"        = "n1-standard-4"
    "sidekiq-pages"         = "n1-standard-4"
    "sidekiq-pipeline"      = "n1-standard-4"
    "sidekiq-pullmirror"    = "n1-standard-4"
    "sidekiq-realtime"      = "n1-standard-4"
    "sidekiq-traces"        = "n1-standard-4"
    "stor"                  = "n1-standard-32"
    "thanos-compact"        = "n1-standard-2"
    "thanos-store"          = "n1-highmem-8"
    "web"                   = "n1-standard-16"
    "web-pages"             = "n1-standard-4"

    # We currently have different instance types
    # for pages and share in gprd so these are
    # also needed for gstg.

    "stor-pages" = "n1-standard-4"
    "stor-share" = "n1-standard-4"
  }
}

# Number of instances per node role. A count of 0 keeps the role defined
# but presumably creates no instances (used here for the canary roles,
# sidekiq-pipeline/-traces, registry-analytics, multizone-stor and alerts).
# Odd counts for consul (5) and the redis/sentinel sets (3) are presumably
# chosen for quorum — keep them odd when scaling.
variable "node_count" {
  type = "map"

  default = {
    "api"                   = 3
    "bastion"               = 1
    "blackbox"              = 1
    "console"               = 1
    "contributors"          = 1
    "deploy"                = 1
    "deploy-cny"            = 0
    "runner"                = 1
    "consul"                = 5
    "db-dr"                 = 2
    "fe-lb"                 = 3
    "fe-lb-pages"           = 2
    "fe-lb-altssh"          = 2
    "fe-lb-registry"        = 2
    "fe-lb-cny"             = 0
    "git"                   = 3
    "mailroom"              = 1
    "pages"                 = 1
    "patroni"               = 6
    "pgb"                   = 3
    "redis"                 = 3
    "redis-cache"           = 3
    "redis-cache-sentinel"  = 3
    "registry"              = 2
    "registry-analytics"    = 0
    "sd-exporter"           = 1
    "share"                 = 1
    "sidekiq-asap"          = 1
    "sidekiq-besteffort"    = 3
    "sidekiq-elasticsearch" = 1
    "sidekiq-import"        = 1
    "sidekiq-pages"         = 1
    "sidekiq-pipeline"      = 0
    "sidekiq-pullmirror"    = 1
    "sidekiq-realtime"      = 1
    "sidekiq-traces"        = 0
    "stor"                  = 2
    "thanos-compact"        = 1
    "thanos-store"          = 1
    "multizone-stor"        = 0
    "web"                   = 3
    "web-pages"             = 2
    "web-cny"               = 1
    "api-cny"               = 1
    "git-cny"               = 0
    "registry-cny"          = 1
    "prometheus"            = 2
    "prometheus-app"        = 2
    "prometheus-db"         = 2
    "alerts"                = 0
    "influxdb"              = 2
  }
}

# CIDR per node-role subnetwork. Everything is a /24 except "stor"
# (a /23). All ranges fall inside 10.224.0.0/13, which is the first entry
# of `internal_subnets`, so every subnet here is covered by the
# allow-all internal firewall rule. Note the key naming differs from the
# other maps in places (e.g. "db-dr-delayed"/"db-dr-archive" here versus
# "db-dr" in node_count and machine_types) — presumably mapped in main.tf.
variable "subnetworks" {
  type = "map"

  default = {
    "api"                = "10.224.12.0/24"
    "bastion"            = "10.224.20.0/24"
    "console"            = "10.224.21.0/24"
    "consul"             = "10.224.4.0/24"
    "db-dr-delayed"      = "10.224.24.0/24"
    "db-dr-archive"      = "10.224.25.0/24"
    "deploy"             = "10.224.15.0/24"
    "deploy-cny"         = "10.224.17.0/24" # This is a placeholder, as there is not currently a deploy canary
    "fe-lb"              = "10.224.14.0/24"
    "fe-lb-altssh"       = "10.224.19.0/24"
    "fe-lb-pages"        = "10.224.18.0/24"
    "fe-lb-registry"     = "10.224.23.0/24"
    "fe-lb-cny"          = "10.224.27.0/24"
    "git"                = "10.224.13.0/24"
    "influxdb"           = "10.226.3.0/24"
    "mailroom"           = "10.224.11.0/24"
    "monitoring"         = "10.226.1.0/24"
    "patroni"            = "10.224.29.0/24"
    "pgb"                = "10.224.9.0/24"
    "pubsubbeat"         = "10.226.2.0/24"
    "redis"              = "10.224.7.0/24"
    "redis-cache"        = "10.224.8.0/24"
    "registry"           = "10.224.10.0/24"
    "registry-analytics" = "10.224.28.0/24"
    "runner"             = "10.224.16.0/24"
    "sidekiq"            = "10.225.1.0/24"
    "stor"               = "10.224.2.0/23"
    "thanos-compact"     = "10.226.5.0/24"
    "thanos-store"       = "10.226.4.0/24"
    "web"                = "10.224.1.0/24"
    "singleton-svcs"     = "10.224.5.0/24"
    "web-pages"          = "10.224.26.0/24"

    ###############################
    # These will eventually (tm) be
    # moved to object storage

    "pages" = "10.224.32.0/24"
    "share" = "10.224.33.0/24"

    #############################
  }
}

# Service account attached to the instances.
# NOTE(review): the default below reads "[email protected]", which is the
# page renderer's e-mail obfuscation, not the real value — check the
# actual account in the repository before relying on this listing.
variable "service_account_email" {
  type = "string"

  default = "[email protected]"
}

# Service account used for GCS access. The default shown here is
# obfuscated by the page renderer ("[email protected]"); see the repository
# for the real value.
variable "gcs_service_account_email" {
  type    = "string"
  default = "[email protected]"
}

# Service account that writes Postgres backups to GCS (presumably with the
# KMS key in gcs_postgres_backup_kms_key_id). The default shown here is
# obfuscated by the page renderer; see the repository for the real value.
variable "gcs_postgres_backup_service_account" {
  type    = "string"
  default = "[email protected]"
}

# Service account used to do automated backup testing
# in https://gitlab.com/gitlab-restore/postgres-gprd
# (read-only restore side of the backup pipeline, kept separate from the
# writing account above). The default shown here is obfuscated by the
# page renderer; see the repository for the real value.
variable "gcs_postgres_restore_service_account" {
  type    = "string"
  default = "[email protected]t.com"
}

# Full resource id of the Cloud KMS key that protects the Postgres WAL
# archive (keyring "gitlab-secrets", key "gstg-postgres-wal-archive" in
# project gitlab-staging-1, global location). The restore account must be
# granted decrypt on this key for backup testing to work — presumably
# done elsewhere; verify.
variable "gcs_postgres_backup_kms_key_id" {
  type    = "string"
  default = "projects/gitlab-staging-1/locations/global/keyRings/gitlab-secrets/cryptoKeys/gstg-postgres-wal-archive"
}

# How many days of Postgres backups to keep, as a string (quoted-type
# syntax, like the rest of this file).
variable "postgres_backup_retention_days" {
  type    = "string"
  default = "5"
}

# Baseline outbound ports allowed from nodes: http and https only. The
# role-specific *_egress_ports variables below extend this list.
variable "egress_ports" {
  type    = "list"
  default = ["80", "443"]
}

# Outbound ports for web nodes: the baseline plus 9243 (presumably an
# external Elasticsearch endpoint — confirm, and keep in sync with
# console_egress_ports which lists the same set).
variable "web_egress_ports" {
  type    = "list"
  default = ["80", "443", "9243"]
}

# TODO: This is a temporary variable. We are still rolling the egress
# rules out to staging first and do not want them in production yet.
# It should be removed in favor of appending port 22 to `egress_ports`
# in main.tf directly.
#
# Outbound ports for deploy nodes: the baseline plus 22 (outbound ssh).
variable "deploy_egress_ports" {
  type    = "list"
  default = ["80", "443", "22"]
}

# Outbound ports for console nodes; identical to web_egress_ports
# (baseline plus 9243).
variable "console_egress_ports" {
  type    = "list"
  default = ["80", "443", "9243"]
}

# Boot image per node role. Only fe-lb is pinned here, to a specific
# dated Ubuntu 18.04 build; roles without an entry presumably fall back
# to a default image chosen in main.tf. Pinning to a dated image keeps
# rebuilds reproducible, but the pin must be moved forward deliberately
# to pick up OS updates.
variable "os_boot_image" {
  type = "map"

  default = {
    "fe-lb" = "ubuntu-os-cloud/ubuntu-1804-bionic-v20190404"
  }
}