## State storage
terraform {
  # Partial backend configuration: the S3 bucket/key/region and credentials
  # are supplied at `terraform init` time (e.g. -backend-config), not committed
  # here. Remote state will hold any secret values that downstream resources
  # record (see the oauth2_client_secret inputs below), so the bucket's access
  # policy is part of this file's security boundary.
  backend "s3" {}
}

## AWS
provider "aws" {
  # Used here for the aws_route53_record resources declared further down.
  region = "us-east-1"
}

# Route53 hosted zone id for gitlab.com (consumed by module.dashboards-com-lb).
# No type/default: the value must come from the caller's tfvars or environment.
variable "gitlab_com_zone_id" {}
# Route53 hosted zone id for gitlab.net (used by the *.gitlab.net load balancer
# modules and the aws_route53_record resources below). No type/default.
variable "gitlab_net_zone_id" {}

## Google

provider "google" {
  # Pinned to the 1.18.x provider series (Terraform 0.11-era pin syntax).
  version = "~> 1.18.0"
  project = "${var.project}"
  region  = "${var.region}"
}

##################################
#
#  Network
#
#################################

module "network" {
  # VPC for this environment; every VM module below attaches via module.network.self_link.
  # NOTE(review): the source is pinned to a git tag. Tags can be moved, so
  # pinning `ref` to a commit SHA gives a stronger supply-chain guarantee.
  source      = "git::ssh://[email protected]/gitlab-com/gl-infra/terraform-modules/google/vpc.git?ref=v1.0.0"
  project     = "${var.project}"
  environment = "${var.environment}"
}

##################################
#
#  Network Peering
#
#################################

# Ops -> gprd side of the VPC peering. Peering exchanges routes only; it does
# not bypass either network's firewall rules. The reverse direction is
# presumably declared in the gprd environment's own config — confirm.
resource "google_compute_network_peering" "peering_gprd" {
  name         = "peering-gprd"
  network      = "${var.network_ops}"
  peer_network = "${var.network_gprd}"
}

# Ops -> gstg side of the VPC peering (reverse side presumably lives in gstg's config).
resource "google_compute_network_peering" "peering_gstg" {
  name         = "peering-gstg"
  network      = "${var.network_ops}"
  peer_network = "${var.network_gstg}"
}

# Ops -> dr side of the VPC peering (reverse side presumably lives in dr's config).
resource "google_compute_network_peering" "peering_dr" {
  name         = "peering-dr"
  network      = "${var.network_ops}"
  peer_network = "${var.network_dr}"
}

# Ops -> pre side of the VPC peering (reverse side presumably lives in pre's config).
resource "google_compute_network_peering" "peering_pre" {
  name         = "peering-pre"
  network      = "${var.network_ops}"
  peer_network = "${var.network_pre}"
}

# Ops -> testbed side of the VPC peering. NOTE(review): this gives the testbed
# network routes into ops like the production environments above — confirm
# that is intended and that firewall rules scope what testbed can reach.
resource "google_compute_network_peering" "peering_testbed" {
  name         = "peering-testbed"
  network      = "${var.network_ops}"
  peer_network = "${var.network_testbed}"
}

##################################
#
#  Log Proxy
#
#################################

# Load balancer + DNS (log.gitlab.net) in front of the proxy instances from
# module.proxy. It fronts the IAP-enabled backend service that module exports.
module "proxy-iap" {
  environment          = "${var.environment}"
  source               = "git::ssh://[email protected]/gitlab-com/gl-infra/terraform-modules/google/web-iap.git?ref=v1.0.0"
  name                 = "proxy"
  project              = "${var.project}"
  region               = "${var.region}"
  # The record is created in the gitlab.net zone.
  gitlab_zone_id       = "${var.gitlab_net_zone_id}"
  cert_link            = "${var.log_gitlab_net_cert_link}"
  backend_service_link = "${module.proxy.google_compute_backend_service_iap_self_link}"
  web_ip_fqdn          = "log.gitlab.net"
  # NOTE(review): 80 and 9090 are exposed alongside 443. Confirm both are
  # meant to be reachable through the load balancer (or that 80 only redirects).
  service_ports        = ["443", "80", "9090"]
}

# Single proxy VM (Chef role <env>-infra-proxy) with an IAP-protected backend
# service; module.proxy-iap above puts the load balancer in front of it.
module "proxy" {
  bootstrap_version     = "${var.bootstrap_script_version}"
  chef_provision        = "${var.chef_provision}"
  # The escaped quotes are required: the module passes this string into the Chef run list verbatim.
  chef_run_list         = "\"role[${var.environment}-infra-proxy]\""
  dns_zone_name         = "${var.dns_zone_name}"
  enable_iap            = true
  environment           = "${var.environment}"
  health_check          = "http"
  ip_cidr_range         = "${var.subnetworks["proxy"]}"
  machine_type          = "${var.machine_types["proxy"]}"
  name                  = "proxy"
  node_count            = 1
  # IAP OAuth client credentials. These are secrets: keep the variable values
  # out of VCS, and expect them to land in Terraform state once written to the
  # backend service resource.
  oauth2_client_id      = "${var.oauth2_client_id_log_proxy}"
  oauth2_client_secret  = "${var.oauth2_client_secret_log_proxy}"
  project               = "${var.project}"
  public_ports          = "${var.public_ports["proxy"]}"
  region                = "${var.region}"
  # Same service account as every other VM module in this file.
  # NOTE(review): consider per-role service accounts for least privilege.
  service_account_email = "${var.service_account_email}"
  # Quoted here; sibling modules pass a bare number. Terraform 0.11 accepts either.
  service_port          = "9090"
  source                = "git::ssh://[email protected]/gitlab-com/gl-infra/terraform-modules/google/generic-sv-with-group.git?ref=v1.0.1"
  tier                  = "inf"
  use_new_node_name     = true
  vpc                   = "${module.network.self_link}"
}

##################################
#
#  Pubsubbeats
#
#  Machines for running the beats
#  that consume logs from pubsub
#  and send them to elastic cloud
#
#  You must have a chef role with the
#  following format:
#     role[<env>-infra-pubsubbeat-<beat_name>]
#
##################################

module "pubsubbeat" {
  bootstrap_version     = "${var.bootstrap_script_version}"
  chef_provision        = "${var.chef_provision}"
  dns_zone_name         = "${var.dns_zone_name}"
  environment           = "${var.environment}"
  # NOTE(review): a TCP probe against service_port 22 only proves the host
  # answers on SSH, not that the beat is healthy — confirm this is intended.
  health_check          = "tcp"
  ip_cidr_range         = "${var.subnetworks["pubsubbeat"]}"
  # One instance per entry in var.pubsubbeats["names"], sized from the matching machine_types entry.
  machine_types         = "${var.pubsubbeats["machine_types"]}"
  names                 = "${var.pubsubbeats["names"]}"
  project               = "${var.project}"
  public_ports          = "${var.public_ports["pubsubbeat"]}"
  region                = "${var.region}"
  service_account_email = "${var.service_account_email}"
  service_port          = 22
  source                = "git::ssh://[email protected]/gitlab-com/gl-infra/terraform-modules/google/pubsubbeat.git?ref=v1.0.1"
  tier                  = "inf"
  use_new_node_name     = true
  vpc                   = "${module.network.self_link}"
}

##################################
#
#  Monitoring
#
#  Uses the monitoring module, this
#  creates a single instance behind
#  a load balancer with identity aware
#  proxy enabled.
#
##################################

# Dedicated subnet ("monitoring-<env>") for the monitoring hosts below.
resource "google_compute_subnetwork" "monitoring" {
  ip_cidr_range            = "${var.subnetworks["monitoring"]}"
  name                     = "${format("monitoring-%v", var.environment)}"
  network                  = "${module.network.self_link}"
  # Lets instances without an external IP reach Google APIs over the private network.
  private_ip_google_access = true
  project                  = "${var.project}"
  region                   = "${var.region}"
}

#######################
#
# load balancer for all hosts in this section
#
#######################

# Shared load balancer for the monitoring hosts. hosts and targets are both
# driven by var.monitoring_hosts["names"]; ports by var.monitoring_hosts["ports"].
module "monitoring-lb" {
  cert_link          = "${var.monitoring_cert_link}"
  environment        = "${var.environment}"
  gitlab_net_zone_id = "${var.gitlab_net_zone_id}"
  hosts              = ["${var.monitoring_hosts["names"]}"]
  name               = "monitoring-lb"
  project            = "${var.project}"
  region             = "${var.region}"
  service_ports      = ["${var.monitoring_hosts["ports"]}"]
  source             = "git::ssh://[email protected]/gitlab-com/gl-infra/terraform-modules/google/monitoring-lb.git?ref=v1.0.0"
  subnetwork_name    = "${google_compute_subnetwork.monitoring.name}"
  targets            = ["${var.monitoring_hosts["names"]}"]
  # google_compute_url_map.monitoring-lb is declared outside this block.
  url_map            = "${google_compute_url_map.monitoring-lb.self_link}"
}

#######################
# Prometheus host(s) in the monitoring subnet, Chef role <env>-infra-prometheus.
# Shares the monitoring OAuth client with prometheus-app/alerts/thanos-query.
module "prometheus" {
  bootstrap_version     = "${var.bootstrap_script_version}"
  chef_provision        = "${var.chef_provision}"
  chef_run_list         = "\"role[${var.environment}-infra-prometheus]\""
  data_disk_size        = 50
  data_disk_type        = "pd-ssd"
  dns_zone_name         = "${var.dns_zone_name}"
  environment           = "${var.environment}"
  machine_type          = "${var.machine_types["monitoring"]}"
  name                  = "prometheus"
  node_count            = "${var.node_count["prometheus"]}"
  # Secrets: keep out of VCS; they will end up in Terraform state.
  oauth2_client_id      = "${var.oauth2_client_id_monitoring}"
  oauth2_client_secret  = "${var.oauth2_client_secret_monitoring}"
  persistent_disk_path  = "/opt/prometheus"
  project               = "${var.project}"
  region                = "${var.region}"
  service_account_email = "${var.service_account_email}"
  service_path          = "/graph"
  # Port looked up by host name in var.monitoring_hosts; the index() call
  # should fail the plan if "prometheus" is missing from the names list.
  service_port          = "${element(var.monitoring_hosts["ports"], index(var.monitoring_hosts["names"], "prometheus"))}"
  # NOTE(review): v1.0.3 here, while alerts/thanos-query use v1.0.1 of the same module — confirm intentional.
  source                = "git::ssh://[email protected]/gitlab-com/gl-infra/terraform-modules/google/monitoring-with-count.git?ref=v1.0.3"
  subnetwork_name       = "${google_compute_subnetwork.monitoring.name}"
  tier                  = "inf"
  # NOTE(review): instances get an external IP; confirm firewall rules limit
  # what is reachable on it (no public_ports input is passed to this module).
  use_external_ip       = true
  use_new_node_name     = true
}

# Application-metrics Prometheus; same shape as module.prometheus with its own
# Chef role (<env>-infra-prometheus-app) and node_count entry.
module "prometheus-app" {
  bootstrap_version     = "${var.bootstrap_script_version}"
  chef_provision        = "${var.chef_provision}"
  chef_run_list         = "\"role[${var.environment}-infra-prometheus-app]\""
  data_disk_size        = 50
  data_disk_type        = "pd-ssd"
  dns_zone_name         = "${var.dns_zone_name}"
  environment           = "${var.environment}"
  machine_type          = "${var.machine_types["monitoring"]}"
  name                  = "prometheus-app"
  node_count            = "${var.node_count["prometheus-app"]}"
  # Secrets: keep out of VCS; they will end up in Terraform state.
  oauth2_client_id      = "${var.oauth2_client_id_monitoring}"
  oauth2_client_secret  = "${var.oauth2_client_secret_monitoring}"
  persistent_disk_path  = "/opt/prometheus"
  project               = "${var.project}"
  region                = "${var.region}"
  service_account_email = "${var.service_account_email}"
  service_path          = "/graph"
  # Port looked up by host name in var.monitoring_hosts.
  service_port          = "${element(var.monitoring_hosts["ports"], index(var.monitoring_hosts["names"], "prometheus-app"))}"
  source                = "git::ssh://[email protected]/gitlab-com/gl-infra/terraform-modules/google/monitoring-with-count.git?ref=v1.0.3"
  subnetwork_name       = "${google_compute_subnetwork.monitoring.name}"
  tier                  = "inf"
  # NOTE(review): external IP with no public_ports input — confirm firewall scope.
  use_external_ip       = true
  use_new_node_name     = true
}

# Alertmanager host(s), Chef role <env>-infra-alerts. Unlike the prometheus
# modules this one uses a TCP health check and no external IP.
module "alerts" {
  bootstrap_version     = "${var.bootstrap_script_version}"
  chef_provision        = "${var.chef_provision}"
  chef_run_list         = "\"role[${var.environment}-infra-alerts]\""
  data_disk_size        = 100
  data_disk_type        = "pd-standard"
  dns_zone_name         = "${var.dns_zone_name}"
  environment           = "${var.environment}"
  health_check          = "tcp"
  machine_type          = "${var.machine_types["alerts"]}"
  name                  = "alerts"
  node_count            = "${var.node_count["alerts"]}"
  # Secrets: keep out of VCS; they will end up in Terraform state.
  oauth2_client_id      = "${var.oauth2_client_id_monitoring}"
  oauth2_client_secret  = "${var.oauth2_client_secret_monitoring}"
  persistent_disk_path  = "/opt"
  project               = "${var.project}"
  region                = "${var.region}"
  service_account_email = "${var.service_account_email}"
  # Port looked up by host name in var.monitoring_hosts.
  service_port          = "${element(var.monitoring_hosts["ports"], index(var.monitoring_hosts["names"], "alerts"))}"
  # NOTE(review): v1.0.1 while module.prometheus uses v1.0.3 of the same module.
  source                = "git::ssh://[email protected]/gitlab-com/gl-infra/terraform-modules/google/monitoring-with-count.git?ref=v1.0.1"
  subnetwork_name       = "${google_compute_subnetwork.monitoring.name}"
  tier                  = "inf"
  use_new_node_name     = true
}

# Thanos query host(s), Chef role <env>-infra-thanos-query; TCP health check, no external IP.
module "thanos-query" {
  bootstrap_version     = "${var.bootstrap_script_version}"
  chef_provision        = "${var.chef_provision}"
  chef_run_list         = "\"role[${var.environment}-infra-thanos-query]\""
  data_disk_size        = 100
  data_disk_type        = "pd-standard"
  dns_zone_name         = "${var.dns_zone_name}"
  environment           = "${var.environment}"
  health_check          = "tcp"
  machine_type          = "${var.machine_types["thanos-query"]}"
  name                  = "thanos-query"
  node_count            = "${var.node_count["thanos-query"]}"
  # Secrets: keep out of VCS; they will end up in Terraform state.
  oauth2_client_id      = "${var.oauth2_client_id_monitoring}"
  oauth2_client_secret  = "${var.oauth2_client_secret_monitoring}"
  persistent_disk_path  = "/opt"
  project               = "${var.project}"
  region                = "${var.region}"
  service_account_email = "${var.service_account_email}"
  # Port looked up by host name in var.monitoring_hosts.
  service_port          = "${element(var.monitoring_hosts["ports"], index(var.monitoring_hosts["names"], "thanos-query"))}"
  source                = "git::ssh://[email protected]/gitlab-com/gl-infra/terraform-modules/google/monitoring-with-count.git?ref=v1.0.1"
  subnetwork_name       = "${google_compute_subnetwork.monitoring.name}"
  tier                  = "inf"
  use_new_node_name     = true
}

# Stackdriver exporter host(s), Chef role <env>-infra-sd-exporter. Not placed
# behind a backend service (create_backend_service = false).
module "sd-exporter" {
  # Extra OAuth scope for the Cloud Monitoring API. NOTE(review): this scope
  # is read+write; if the exporter only reads, the narrower
  # https://www.googleapis.com/auth/monitoring.read scope would suffice — confirm.
  additional_scopes         = ["https://www.googleapis.com/auth/monitoring"]
  # Permits Terraform to stop the instance for updates that need it (e.g. scope changes).
  allow_stopping_for_update = true
  # NOTE(review): hard-coded, unlike the sibling modules that pass var.bootstrap_script_version.
  bootstrap_version         = 6
  chef_provision            = "${var.chef_provision}"
  chef_run_list             = "\"role[${var.environment}-infra-sd-exporter]\""
  create_backend_service    = false
  dns_zone_name             = "${var.dns_zone_name}"
  environment               = "${var.environment}"
  machine_type              = "${var.machine_types["sd-exporter"]}"
  name                      = "sd-exporter"
  node_count                = "${var.node_count["sd-exporter"]}"
  project                   = "${var.project}"
  public_ports              = "${var.public_ports["sd-exporter"]}"
  region                    = "${var.region}"
  service_account_email     = "${var.service_account_email}"
  source                    = "git::ssh://[email protected]/gitlab-com/gl-infra/terraform-modules/google/generic-sv-with-group.git?ref=v1.0.1"
  subnetwork_name           = "${google_compute_subnetwork.monitoring.name}"
  tier                      = "inf"
  use_new_node_name         = true
  vpc                       = "${module.network.self_link}"
}

# Blackbox exporter host(s). Note the Chef role is <env>-base-blackbox (base-,
# not infra- like most modules here).
module "blackbox" {
  bootstrap_version     = "${var.bootstrap_script_version}"
  chef_provision        = "${var.chef_provision}"
  chef_run_list         = "\"role[${var.environment}-base-blackbox]\""
  dns_zone_name         = "${var.dns_zone_name}"
  environment           = "${var.environment}"
  # TCP probe on port 22: checks host reachability, not exporter health.
  health_check          = "tcp"
  kernel_version        = "${var.default_kernel_version}"
  machine_type          = "${var.machine_types["blackbox"]}"
  name                  = "blackbox"
  node_count            = "${var.node_count["blackbox"]}"
  project               = "${var.project}"
  public_ports          = "${var.public_ports["blackbox"]}"
  region                = "${var.region}"
  service_account_email = "${var.service_account_email}"
  service_port          = 22
  source                = "git::ssh://[email protected]/gitlab-com/gl-infra/terraform-modules/google/generic-sv-with-group.git?ref=v1.0.1"
  subnetwork_name       = "${google_compute_subnetwork.monitoring.name}"
  tier                  = "inf"
  use_new_node_name     = true
  vpc                   = "${module.network.self_link}"
  # External IP so the exporter can probe from outside; ingress is expected to
  # be limited to var.public_ports["blackbox"] — confirm against the module.
  use_external_ip       = true
}

# Thanos store host(s) on the generic-stor module, Chef role <env>-infra-thanos-store.
module "thanos-store" {
  # NOTE(review): hard-coded (as a string) instead of var.bootstrap_script_version.
  bootstrap_version     = "6"
  chef_provision        = "${var.chef_provision}"
  chef_run_list         = "\"role[${var.environment}-infra-thanos-store]\""
  data_disk_size        = 100
  data_disk_type        = "pd-ssd"
  dns_zone_name         = "${var.dns_zone_name}"
  environment           = "${var.environment}"
  ip_cidr_range         = "${var.subnetworks["thanos-store"]}"
  machine_type          = "${var.machine_types["thanos-store"]}"
  name                  = "thanos-store"
  node_count            = "${var.node_count["thanos-store"]}"
  persistent_disk_path  = "/opt/prometheus"
  project               = "${var.project}"
  # Shares the "thanos" public_ports entry with module.thanos-compact.
  public_ports          = "${var.public_ports["thanos"]}"
  region                = "${var.region}"
  service_account_email = "${var.service_account_email}"
  source                = "git::ssh://[email protected]/gitlab-com/gl-infra/terraform-modules/google/generic-stor.git?ref=v1.0.1"
  tier                  = "inf"
  use_new_node_name     = true
  vpc                   = "${module.network.self_link}"
}

# Thanos compactor host(s), Chef role <env>-infra-thanos-compact; mirrors module.thanos-store.
module "thanos-compact" {
  # NOTE(review): hard-coded (as a string) instead of var.bootstrap_script_version.
  bootstrap_version     = "6"
  chef_provision        = "${var.chef_provision}"
  chef_run_list         = "\"role[${var.environment}-infra-thanos-compact]\""
  data_disk_size        = 100
  data_disk_type        = "pd-ssd"
  dns_zone_name         = "${var.dns_zone_name}"
  environment           = "${var.environment}"
  ip_cidr_range         = "${var.subnetworks["thanos-compact"]}"
  machine_type          = "${var.machine_types["thanos-compact"]}"
  name                  = "thanos-compact"
  node_count            = "${var.node_count["thanos-compact"]}"
  persistent_disk_path  = "/opt/prometheus"
  project               = "${var.project}"
  # Shares the "thanos" public_ports entry with module.thanos-store.
  public_ports          = "${var.public_ports["thanos"]}"
  region                = "${var.region}"
  service_account_email = "${var.service_account_email}"
  source                = "git::ssh://[email protected]/gitlab-com/gl-infra/terraform-modules/google/generic-stor.git?ref=v1.0.1"
  tier                  = "inf"
  use_new_node_name     = true
  vpc                   = "${module.network.self_link}"
}

#######################################################
#
# Tenable.IO local Nessus scanner
#
#######################################################

# Nessus scanner host(s), Chef role <env>-base-nessus. Scanner credentials
# are not handled here; this only provisions the VM.
module "nessus" {
  # NOTE(review): hard-coded to 8 while other modules use var.bootstrap_script_version or 6.
  bootstrap_version     = 8
  chef_provision        = "${var.chef_provision}"
  chef_run_list         = "\"role[${var.environment}-base-nessus]\""
  dns_zone_name         = "${var.dns_zone_name}"
  environment           = "${var.environment}"
  # TCP probe on port 22: host reachability only.
  health_check          = "tcp"
  kernel_version        = "${var.default_kernel_version}"
  machine_type          = "${var.machine_types["nessus"]}"
  name                  = "nessus"
  node_count            = "${var.node_count["nessus"]}"
  project               = "${var.project}"
  public_ports          = "${var.public_ports["nessus"]}"
  region                = "${var.region}"
  service_account_email = "${var.service_account_email}"
  service_port          = 22
  # v1.0.2 of the module; the other generic-sv-with-group users in this file pin v1.0.1.
  source                = "git::ssh://[email protected]/gitlab-com/gl-infra/terraform-modules/google/generic-sv-with-group.git?ref=v1.0.2"
  subnetwork_name       = "${google_compute_subnetwork.monitoring.name}"
  tier                  = "inf"
  use_new_node_name     = true
  vpc                   = "${module.network.self_link}"
  # NOTE(review): a scanner with an external IP is a sensitive host; confirm
  # inbound firewall rules are limited to what var.public_ports["nessus"] intends.
  use_external_ip       = true
}

#######################################################
#
# Load balancer and VM for dashboards.gitlab.net
#
#######################################################

# Load balancer + DNS for dashboards.gitlab.net in front of module.dashboards.
module "dashboards-internal" {
  environment          = "${var.environment}"
  source               = "git::ssh://[email protected]/gitlab-com/gl-infra/terraform-modules/google/web-iap.git?ref=v1.0.0"
  name                 = "dashboards"
  project              = "${var.project}"
  region               = "${var.region}"
  # Also creates a plain-HTTP forwarding rule (string "true" is what the module expects here).
  create_http_forward  = "true"
  gitlab_zone_id       = "${var.gitlab_net_zone_id}"
  cert_link            = "${var.dashboards_gitlab_net_cert_link}"
  # Uses the *noiap* backend service: module.dashboards sets enable_iap = false,
  # so there is no IAP in front of dashboards.gitlab.net and authentication is
  # left to the application itself.
  backend_service_link = "${module.dashboards.google_compute_backend_service_noiap_self_link}"
  web_ip_fqdn          = "dashboards.gitlab.net"
  service_ports        = ["80", "443", "3000"]
}

# Dashboards VM for dashboards.gitlab.net, Chef role <env>-infra-dashboards.
# persistent_disk_path and port 3000 suggest Grafana — confirm against the role.
module "dashboards" {
  bootstrap_version     = "${var.bootstrap_script_version}"
  chef_provision        = "${var.chef_provision}"
  chef_run_list         = "\"role[${var.environment}-infra-dashboards]\""
  data_disk_size        = 150
  data_disk_type        = "pd-ssd"
  dns_zone_name         = "${var.dns_zone_name}"
  # IAP disabled: the LB in module.dashboards-internal uses the noiap backend.
  # No oauth2_client_* inputs are passed to this module as a result.
  enable_iap            = false
  environment           = "${var.environment}"
  health_check          = "http"
  # Health check hits port 3000 while traffic is served on service_port 80.
  health_check_port     = 3000
  ip_cidr_range         = "${var.subnetworks["dashboards"]}"
  machine_type          = "${var.machine_types["dashboards"]}"
  name                  = "dashboards"
  node_count            = 1
  persistent_disk_path  = "/var/lib/grafana"
  project               = "${var.project}"
  region                = "${var.region}"
  service_account_email = "${var.service_account_email}"
  service_path          = "/api/health"
  service_port          = 80
  source                = "git::ssh://[email protected]/gitlab-com/gl-infra/terraform-modules/google/monitoring-with-count.git?ref=v1.0.1"
  tier                  = "inf"
  # NOTE(review): external IP on a host with no IAP; confirm firewall rules
  # restrict direct access so traffic goes through the load balancer.
  use_external_ip       = true
  use_new_node_name     = true
  vpc                   = "${module.network.self_link}"
}

#######################################################
#
# Load balancer and VM for dashboards.gitlab.com
#
#######################################################

# Load balancer + DNS for the public dashboards.gitlab.com, in the gitlab.com
# zone, fronting module.dashboards-com (noiap backend, so no IAP here either).
module "dashboards-com-lb" {
  environment          = "${var.environment}"
  source               = "git::ssh://[email protected]/gitlab-com/gl-infra/terraform-modules/google/web-iap.git?ref=v1.0.0"
  name                 = "dashboards-com"
  project              = "${var.project}"
  region               = "${var.region}"
  create_http_forward  = "true"
  gitlab_zone_id       = "${var.gitlab_com_zone_id}"
  cert_link            = "${var.dashboards_gitlab_com_cert_link}"
  backend_service_link = "${module.dashboards-com.google_compute_backend_service_noiap_self_link}"
  web_ip_fqdn          = "dashboards.gitlab.com"
  service_ports        = ["80", "443", "3000"]
}

# Public dashboards VM, Chef role <env>-infra-public-dashboards; same shape as
# module.dashboards but on pd-standard and its own subnet/machine type keys.
module "dashboards-com" {
  bootstrap_version     = "${var.bootstrap_script_version}"
  chef_provision        = "${var.chef_provision}"
  chef_run_list         = "\"role[${var.environment}-infra-public-dashboards]\""
  data_disk_size        = 100
  data_disk_type        = "pd-standard"
  dns_zone_name         = "${var.dns_zone_name}"
  # Intentionally public: no IAP, no oauth2_client_* inputs.
  enable_iap            = false
  environment           = "${var.environment}"
  health_check          = "http"
  health_check_port     = 3000
  ip_cidr_range         = "${var.subnetworks["dashboards-com"]}"
  machine_type          = "${var.machine_types["dashboards-com"]}"
  name                  = "dashboards-com"
  node_count            = 1
  persistent_disk_path  = "/var/lib/grafana"
  project               = "${var.project}"
  region                = "${var.region}"
  service_account_email = "${var.service_account_email}"
  service_path          = "/api/health"
  service_port          = 80
  source                = "git::ssh://[email protected]/gitlab-com/gl-infra/terraform-modules/google/monitoring-with-count.git?ref=v1.0.1"
  tier                  = "inf"
  use_external_ip       = true
  use_new_node_name     = true
  vpc                   = "${module.network.self_link}"
}

#######################################################
#
# VM for dev-replacement.gitlab.net
#  This is the eventual replacement of dev.gitlab.org; we aren't
#  calling it dev.gitlab.net yet, to avoid confusion until we switch over.
#
#######################################################

# A record for dev-replacement.gitlab.net -> the single gitlab-dev instance.
# module.gitlab-dev has node_count = 1, so [0] is the only instance; raising
# node_count would not be reflected here.
resource "aws_route53_record" "gitlab-dev" {
  zone_id = "${var.gitlab_net_zone_id}"
  name    = "dev-replacement.gitlab.net"
  type    = "A"
  ttl     = "300"
  records = ["${module.gitlab-dev.instance_public_ips[0]}"]
}

# Registry hostname for the dev replacement; points at the same instance IP.
resource "aws_route53_record" "dev-registry" {
  zone_id = "${var.gitlab_net_zone_id}"
  name    = "registry.dev-replacement.gitlab.net"
  type    = "A"
  ttl     = "300"
  records = ["${module.gitlab-dev.instance_public_ips[0]}"]
}

# Single GitLab VM (Chef role <env>-infra-gitlab-dev) for dev-replacement.gitlab.net.
# Reuses the gitlab_ops OAuth client, so IAP access is shared with ops.gitlab.net.
module "gitlab-dev" {
  backend_protocol      = "HTTPS"
  bootstrap_version     = "${var.bootstrap_script_version}"
  chef_provision        = "${var.chef_provision}"
  chef_run_list         = "\"role[${var.environment}-infra-gitlab-dev]\""
  data_disk_size        = 500
  data_disk_type        = "pd-ssd"
  dns_zone_name         = "${var.dns_zone_name}"
  environment           = "${var.environment}"
  # HTTP health check on 8887 (service_path below) while traffic is served on 443.
  health_check          = "http"
  health_check_port     = 8887
  ip_cidr_range         = "${var.subnetworks["gitlab-dev"]}"
  machine_type          = "${var.machine_types["gitlab-dev"]}"
  name                  = "gitlab-dev"
  node_count            = 1
  # Secrets: keep out of VCS; they will end up in Terraform state.
  oauth2_client_id      = "${var.oauth2_client_id_gitlab_ops}"
  oauth2_client_secret  = "${var.oauth2_client_secret_gitlab_ops}"
  persistent_disk_path  = "/var/opt/gitlab"
  project               = "${var.project}"
  public_ports          = "${var.public_ports["gitlab-dev"]}"
  region                = "${var.region}"
  service_account_email = "${var.service_account_email}"
  service_path          = "/-/liveness"
  service_port          = 443
  source                = "git::ssh://[email protected]/gitlab-com/gl-infra/terraform-modules/google/monitoring-with-count.git?ref=v1.0.1"
  tier                  = "inf"
  # External IP is what the aws_route53_record resources above publish.
  use_external_ip       = true
  use_new_node_name     = true
  vpc                   = "${module.network.self_link}"
}

#######################################################
#
# VM for ops.gitlab.net
#
#######################################################

# A record for ops.gitlab.net -> the single gitlab-ops instance
# (module.gitlab-ops has node_count = 1; [0] is the only instance).
resource "aws_route53_record" "default" {
  zone_id = "${var.gitlab_net_zone_id}"
  name    = "ops.gitlab.net"
  type    = "A"
  ttl     = "300"
  records = ["${module.gitlab-ops.instance_public_ips[0]}"]
}

# Registry hostname for ops.gitlab.net; same instance IP as the "default" record.
resource "aws_route53_record" "ops-registry" {
  zone_id = "${var.gitlab_net_zone_id}"
  name    = "registry.ops.gitlab.net"
  type    = "A"
  ttl     = "300"
  records = ["${module.gitlab-ops.instance_public_ips[0]}"]
}

# Primary ops GitLab VM (instance name "gitlab", Chef role <env>-infra-gitlab-primary)
# behind an HTTPS backend with IAP via the gitlab_ops OAuth client.
module "gitlab-ops" {
  backend_protocol      = "HTTPS"
  bootstrap_version     = "${var.bootstrap_script_version}"
  chef_provision        = "${var.chef_provision}"
  chef_run_list         = "\"role[${var.environment}-infra-gitlab-primary]\""
  data_disk_size        = 5000
  data_disk_type        = "pd-ssd"
  dns_zone_name         = "${var.dns_zone_name}"
  environment           = "${var.environment}"
  # HTTP health check on 8887 (service_path below) while traffic is served on 443.
  health_check          = "http"
  health_check_port     = 8887
  ip_cidr_range         = "${var.subnetworks["gitlab-ops"]}"
  machine_type          = "${var.machine_types["gitlab-ops"]}"
  name                  = "gitlab"
  node_count            = 1
  # Secrets: keep out of VCS; they will end up in Terraform state.
  oauth2_client_id      = "${var.oauth2_client_id_gitlab_ops}"
  oauth2_client_secret  = "${var.oauth2_client_secret_gitlab_ops}"
  persistent_disk_path  = "/var/opt/gitlab"
  project               = "${var.project}"
  public_ports          = "${var.public_ports["gitlab-ops"]}"
  region                = "${var.region}"
  service_account_email = "${var.service_account_email}"
  service_path          = "/-/liveness"
  service_port          = 443
  source                = "git::ssh://[email protected]/gitlab-com/gl-infra/terraform-modules/google/monitoring-with-count.git?ref=v1.0.1"
  tier                  = "inf"
  # External IP is what the ops.gitlab.net Route53 records publish.
  use_external_ip       = true
  use_new_node_name     = true
  vpc                   = "${module.network.self_link}"
}

#######################################################
#
# VM for ops-geo.gitlab.net
#
#######################################################

# A record for geo.ops.gitlab.net -> the single gitlab-ops-geo instance
# (module.gitlab-ops-geo has node_count = 1; [0] is the only instance).
resource "aws_route53_record" "gitlab-ops-geo" {
  zone_id = "${var.gitlab_net_zone_id}"
  name    = "geo.ops.gitlab.net"
  type    = "A"
  ttl     = "300"
  records = ["${module.gitlab-ops-geo.instance_public_ips[0]}"]
}

module "gitlab-ops-geo" {
  # Geo secondary for ops, built from the same monitored-instance
  # module and version as the primary gitlab-ops node.
  source = "git::ssh://[email protected]/gitlab-com/gl-infra/terraform-modules/google/monitoring-with-count.git?ref=v1.0.1"

  # Identity and placement
  name              = "gitlab-geo"
  tier              = "inf"
  node_count        = 1
  environment       = "${var.environment}"
  project           = "${var.project}"
  region            = "${var.region}"
  vpc               = "${module.network.self_link}"
  use_new_node_name = true

  # Network exposure. The node has an external IP (published by the
  # aws_route53_record "gitlab-ops-geo"), so public_ports is the inbound
  # allow-list for it. It reuses the gitlab-ops port set and machine size
  # while living in its own "gitlab-ops-geo" subnet range.
  ip_cidr_range   = "${var.subnetworks["gitlab-ops-geo"]}"
  dns_zone_name   = "${var.dns_zone_name}"
  use_external_ip = true
  public_ports    = "${var.public_ports["gitlab-ops"]}"
  machine_type    = "${var.machine_types["gitlab-ops"]}"

  # Service and health check: the service is HTTPS on 443, the health
  # check is an HTTP probe on 8887 (how service_path relates to the probe
  # is defined by the module).
  backend_protocol  = "HTTPS"
  service_port      = 443
  service_path      = "/-/liveness"
  health_check      = "http"
  health_check_port = 8887

  # Provisioning: bootstrap script plus the chef role for a geo secondary.
  bootstrap_version = "${var.bootstrap_script_version}"
  chef_provision    = "${var.chef_provision}"
  chef_run_list     = "\"role[${var.environment}-infra-gitlab-secondary]\""

  # OAuth client shared with gitlab-ops. The client secret is a
  # credential; like every attribute it is recorded in Terraform state,
  # so state access must be treated as access to this secret.
  oauth2_client_id     = "${var.oauth2_client_id_gitlab_ops}"
  oauth2_client_secret = "${var.oauth2_client_secret_gitlab_ops}"

  # Storage: SSD data disk mounted at the GitLab data path.
  data_disk_size        = 5000
  data_disk_type        = "pd-ssd"
  persistent_disk_path  = "/var/opt/gitlab"
  service_account_email = "${var.service_account_email}"
}

###############################################
#
# Load balancer and VM for the ops bastion
#
###############################################

module "gcp-tcp-lb-bastion" {
  # TCP load balancer in front of the bastion instance group.
  source = "git::ssh://[email protected]/gitlab-com/gl-infra/terraform-modules/google/tcp-lb.git?ref=v1.0.0"

  name        = "gcp-tcp-lb-bastion"
  environment = "${var.environment}"
  project     = "${var.project}"
  region      = "${var.region}"

  # One load balancer per entry in var.tcp_lbs_bastion["names"]; the
  # port ranges and health-check ports come from the same map, so the
  # three lists are expected to line up index by index.
  lb_count               = "${length(var.tcp_lbs_bastion["names"])}"
  names                  = "${var.tcp_lbs_bastion["names"]}"
  forwarding_port_ranges = "${var.tcp_lbs_bastion["forwarding_port_ranges"]}"
  health_check_ports     = "${var.tcp_lbs_bastion["health_check_ports"]}"

  # DNS: the bastion FQDNs are published in the gitlab.com zone.
  fqdns          = "${var.lb_fqdns_bastion}"
  gitlab_zone_id = "${var.gitlab_com_zone_id}"

  # Backends. CLIENT_IP affinity pins a given source address to the
  # same bastion, which keeps an operator's sessions on one host.
  instances        = ["${module.bastion.instances_self_link}"]
  targets          = ["bastion"]
  session_affinity = "CLIENT_IP"
}

module "bastion" {
  # SSH bastion hosts for the ops environment, exposed through the
  # "gcp-tcp-lb-bastion" load balancer.
  source = "git::ssh://[email protected]/gitlab-com/gl-infra/terraform-modules/google/generic-sv-with-group.git?ref=v1.0.1"

  # Identity and placement
  name              = "bastion"
  tier              = "inf"
  node_count        = "${var.node_count["bastion"]}"
  environment       = "${var.environment}"
  project           = "${var.project}"
  region            = "${var.region}"
  vpc               = "${module.network.self_link}"
  machine_type      = "${var.machine_types["bastion"]}"
  use_new_node_name = true

  # Networking. The service is SSH (22) with a plain TCP health check;
  # public_ports["bastion"] is the inbound allow-list for these hosts
  # and is the set worth reviewing when the exposure changes.
  ip_cidr_range = "${var.subnetworks["bastion"]}"
  dns_zone_name = "${var.dns_zone_name}"
  public_ports  = "${var.public_ports["bastion"]}"
  service_port  = 22
  health_check  = "tcp"

  # Provisioning
  bootstrap_version     = "${var.bootstrap_script_version}"
  chef_provision        = "${var.chef_provision}"
  chef_run_list         = "\"role[${var.environment}-base-bastion]\""
  service_account_email = "${var.service_account_email}"
}

##################################
#
#  Runner
#
##################################

module "runner" {
  # General-purpose build runners. All runner-* modules in this file
  # share var.node_count["runner"] and var.public_ports["runner"]; they
  # differ in subnet, machine type and chef role.
  source = "git::ssh://[email protected]/gitlab-com/gl-infra/terraform-modules/google/generic-sv-with-group.git?ref=v1.0.1"

  # Identity and placement
  name              = "runner"
  tier              = "inf"
  node_count        = "${var.node_count["runner"]}"
  environment       = "${var.environment}"
  project           = "${var.project}"
  region            = "${var.region}"
  vpc               = "${module.network.self_link}"
  machine_type      = "${var.machine_types["runner-build"]}"
  os_disk_size      = 100
  use_new_node_name = true

  # Networking: SSH service port with a TCP health check.
  ip_cidr_range = "${var.subnetworks["runner"]}"
  dns_zone_name = "${var.dns_zone_name}"
  public_ports  = "${var.public_ports["runner"]}"
  service_port  = 22
  health_check  = "tcp"

  # Provisioning
  bootstrap_version     = "${var.bootstrap_script_version}"
  chef_provision        = "${var.chef_provision}"
  chef_run_list         = "\"role[${var.environment}-base-runner-build]\""
  service_account_email = "${var.service_account_email}"
}

##################################
#
#  Runner for ChatOps
#
##################################

module "runner-chatops" {
  # Runners dedicated to ChatOps jobs. Sized and exposed like the other
  # runner-* modules (shared node_count and public_ports keys), with its
  # own subnet, machine type and chef role.
  source = "git::ssh://[email protected]/gitlab-com/gl-infra/terraform-modules/google/generic-sv-with-group.git?ref=v1.0.1"

  # Identity and placement
  name              = "runner-chatops"
  tier              = "inf"
  node_count        = "${var.node_count["runner"]}"
  environment       = "${var.environment}"
  project           = "${var.project}"
  region            = "${var.region}"
  vpc               = "${module.network.self_link}"
  machine_type      = "${var.machine_types["runner-chatops"]}"
  os_disk_size      = 100
  use_new_node_name = true

  # Networking: SSH service port with a TCP health check.
  ip_cidr_range = "${var.subnetworks["runner-chatops"]}"
  dns_zone_name = "${var.dns_zone_name}"
  public_ports  = "${var.public_ports["runner"]}"
  service_port  = 22
  health_check  = "tcp"

  # Provisioning
  bootstrap_version     = "${var.bootstrap_script_version}"
  chef_provision        = "${var.chef_provision}"
  chef_run_list         = "\"role[${var.environment}-base-runner-chatops]\""
  service_account_email = "${var.service_account_email}"
}

##################################
#
#  Runner for Release
#
##################################

module "runner-release" {
  # High-concurrency release runners. The single-execution variant
  # ("runner-release-single") reuses this module's subnet.
  source = "git::ssh://[email protected]/gitlab-com/gl-infra/terraform-modules/google/generic-sv-with-group.git?ref=v1.0.1"

  # Identity and placement
  name              = "runner-release"
  tier              = "inf"
  node_count        = "${var.node_count["runner"]}"
  environment       = "${var.environment}"
  project           = "${var.project}"
  region            = "${var.region}"
  vpc               = "${module.network.self_link}"
  machine_type      = "${var.machine_types["runner-release"]}"
  os_disk_size      = 100
  use_new_node_name = true

  # Networking: SSH service port with a TCP health check.
  ip_cidr_range = "${var.subnetworks["runner-release"]}"
  dns_zone_name = "${var.dns_zone_name}"
  public_ports  = "${var.public_ports["runner"]}"
  service_port  = 22
  health_check  = "tcp"

  # Provisioning
  bootstrap_version     = "${var.bootstrap_script_version}"
  chef_provision        = "${var.chef_provision}"
  chef_run_list         = "\"role[${var.environment}-base-runner-release]\""
  service_account_email = "${var.service_account_email}"
}

# This is a special release runner with a concurrency of 1 so
# that we can enforce single pipeline execution. This prevents
# multiple release pipelines from deploying simultaneously.
#
# This runner is used for the first job and the regular release
# runner (with high concurrency) is used for the later stages,
# where there are many jobs in parallel.

module "runner-release-single" {
  # Single-execution release runner (see the comment above). It is
  # placed in the subnet created by "runner-release" rather than a
  # subnet of its own: ip_cidr_range is the runner-release range and
  # subnetwork_name points at that module's subnetwork.
  source = "git::ssh://[email protected]/gitlab-com/gl-infra/terraform-modules/google/generic-sv-with-group.git?ref=v1.0.1"

  # Identity and placement
  name              = "runner-release-single"
  tier              = "inf"
  node_count        = "${var.node_count["runner"]}"
  environment       = "${var.environment}"
  project           = "${var.project}"
  region            = "${var.region}"
  vpc               = "${module.network.self_link}"
  machine_type      = "${var.machine_types["runner-release-single"]}"
  os_disk_size      = 100
  use_new_node_name = true

  # Networking: shared release subnet, SSH service port, TCP health check.
  ip_cidr_range   = "${var.subnetworks["runner-release"]}"
  subnetwork_name = "${module.runner-release.google_compute_subnetwork_name}"
  dns_zone_name   = "${var.dns_zone_name}"
  public_ports    = "${var.public_ports["runner"]}"
  service_port    = 22
  health_check    = "tcp"

  # Provisioning
  bootstrap_version     = "${var.bootstrap_script_version}"
  chef_provision        = "${var.chef_provision}"
  chef_run_list         = "\"role[${var.environment}-base-runner-release-single]\""
  service_account_email = "${var.service_account_email}"
}

##################################
#
#  Runner for drive snapshot creation and restoring
#
##################################

module "runner-snapshots" {
  # Runners for disk snapshot creation and restore jobs. Same sizing
  # and exposure keys as the other runner-* modules, own subnet,
  # machine type and chef role.
  source = "git::ssh://[email protected]/gitlab-com/gl-infra/terraform-modules/google/generic-sv-with-group.git?ref=v1.0.1"

  # Identity and placement
  name              = "runner-snapshots"
  tier              = "inf"
  node_count        = "${var.node_count["runner"]}"
  environment       = "${var.environment}"
  project           = "${var.project}"
  region            = "${var.region}"
  vpc               = "${module.network.self_link}"
  machine_type      = "${var.machine_types["runner-snapshots"]}"
  os_disk_size      = 100
  use_new_node_name = true

  # Networking: SSH service port with a TCP health check.
  ip_cidr_range = "${var.subnetworks["runner-snapshots"]}"
  dns_zone_name = "${var.dns_zone_name}"
  public_ports  = "${var.public_ports["runner"]}"
  service_port  = 22
  health_check  = "tcp"

  # Provisioning
  bootstrap_version     = "${var.bootstrap_script_version}"
  chef_provision        = "${var.chef_provision}"
  chef_run_list         = "\"role[${var.environment}-base-runner-snapshots]\""
  service_account_email = "${var.service_account_email}"
}

##################################
#
#  Sentry
#
##################################

module "sentry-lb" {
  # TCP load balancer in front of the sentry instance group.
  source = "git::ssh://[email protected]/gitlab-com/gl-infra/terraform-modules/google/tcp-lb.git?ref=v1.0.0"

  name        = "ops-gcp-tcp-lb-sentry"
  environment = "${var.environment}"
  project     = "${var.project}"
  region      = "${var.region}"

  # One load balancer per entry in var.tcp_lbs_sentry["names"]; port
  # ranges, health-check ports and request paths come from the same map
  # and are expected to line up index by index.
  lb_count                   = "${length(var.tcp_lbs_sentry["names"])}"
  names                      = "${var.tcp_lbs_sentry["names"]}"
  forwarding_port_ranges     = "${var.tcp_lbs_sentry["forwarding_port_ranges"]}"
  health_check_ports         = "${var.tcp_lbs_sentry["health_check_ports"]}"
  health_check_request_paths = "${var.tcp_lbs_sentry["health_check_request_paths"]}"

  # DNS: sentry.gitlab.net in the gitlab.net zone.
  fqdns          = ["sentry.gitlab.net"]
  gitlab_zone_id = "${var.gitlab_net_zone_id}"

  # Backends
  instances = ["${module.sentry.instances_self_link}"]
  targets   = ["sentry"]
}

module "sentry" {
  # Sentry host(s) with a persistent data disk, fronted by "sentry-lb".
  source = "git::ssh://[email protected]/gitlab-com/gl-infra/terraform-modules/google/generic-stor.git?ref=v1.0.1"

  # Identity and placement
  name              = "sentry"
  tier              = "sv"
  node_count        = "${var.node_count["sentry"]}"
  environment       = "${var.environment}"
  project           = "${var.project}"
  region            = "${var.region}"
  vpc               = "${module.network.self_link}"
  machine_type      = "${var.machine_types["sentry"]}"
  use_new_node_name = true

  # Networking. public_ports["sentry"] is the inbound allow-list;
  # no health_check is set here (the LB module carries its own).
  ip_cidr_range = "${var.subnetworks["sentry"]}"
  dns_zone_name = "${var.dns_zone_name}"
  public_ports  = "${var.public_ports["sentry"]}"

  # Storage: 100 GB OS disk plus a 2 TB SSD data disk mounted at the
  # postgres data directory.
  os_disk_size         = 100
  data_disk_size       = 2000
  data_disk_type       = "pd-ssd"
  persistent_disk_path = "/var/lib/postgresql"

  # Provisioning
  bootstrap_version     = "${var.bootstrap_script_version}"
  chef_provision        = "${var.chef_provision}"
  chef_run_list         = "\"role[${var.environment}-infra-sentry]\""
  service_account_email = "${var.service_account_email}"
}

##################################
#
#  Aptly
#
##################################

module "aptly-lb" {
  # TCP load balancer in front of the aptly package-repository host.
  source = "git::ssh://[email protected]/gitlab-com/gl-infra/terraform-modules/google/tcp-lb.git?ref=v1.0.0"

  name        = "ops-gcp-tcp-lb-aptly"
  environment = "${var.environment}"
  project     = "${var.project}"
  region      = "${var.region}"

  # One load balancer per entry in var.tcp_lbs_aptly["names"]; port
  # ranges and health-check ports come from the same map.
  lb_count               = "${length(var.tcp_lbs_aptly["names"])}"
  names                  = "${var.tcp_lbs_aptly["names"]}"
  forwarding_port_ranges = "${var.tcp_lbs_aptly["forwarding_port_ranges"]}"
  health_check_ports     = "${var.tcp_lbs_aptly["health_check_ports"]}"

  # DNS.
  # NOTE(review): the FQDN is under gitlab.com but the zone id is the
  # gitlab.net one (sentry-lb pairs sentry.gitlab.net with this same
  # zone, and gcp-tcp-lb-bastion uses var.gitlab_com_zone_id). Confirm
  # which zone this record is meant to live in before relying on it.
  fqdns          = ["aptly.gitlab.com"]
  gitlab_zone_id = "${var.gitlab_net_zone_id}"

  # Backends
  instances = ["${module.aptly.instances_self_link}"]
  targets   = ["aptly"]
}

module "aptly" {
  # Single aptly (Debian package repository) host with a persistent
  # disk. It has an external IP, so public_ports["aptly"] is the
  # inbound allow-list for a directly reachable host.
  source = "git::ssh://[email protected]/gitlab-com/gl-infra/terraform-modules/google/generic-stor.git?ref=v1.0.1"

  # Identity and placement
  name              = "aptly"
  tier              = "sv"
  node_count        = 1
  environment       = "${var.environment}"
  project           = "${var.project}"
  region            = "${var.region}"
  vpc               = "${module.network.self_link}"
  machine_type      = "${var.machine_types["aptly"]}"
  use_new_node_name = true

  # Networking
  ip_cidr_range   = "${var.subnetworks["aptly"]}"
  dns_zone_name   = "${var.dns_zone_name}"
  use_external_ip = true
  public_ports    = "${var.public_ports["aptly"]}"

  # Storage: persistent disk mounted at /opt (the repository data).
  persistent_disk_path = "/opt"

  # Provisioning. Unlike the other modules here the chef role is not
  # prefixed with var.environment — presumably intentional for a single
  # shared aptly host; confirm against the chef repo.
  bootstrap_version     = "${var.bootstrap_script_version}"
  chef_provision        = "${var.chef_provision}"
  chef_run_list         = "\"role[aptly-gitlab-com]\""
  service_account_email = "${var.service_account_email}"
}

##################################
#
#  Google storage buckets
#
##################################

module "storage" {
  # GCS buckets for the ops environment (artifacts, LFS, packages,
  # uploads, logs) with versioning, storage class and object-age
  # lifecycle settings taken from variables.
  source = "git::ssh://[email protected]/gitlab-com/gl-infra/terraform-modules/google/storage-buckets.git?ref=v1.0.0"

  environment = "${var.environment}"

  # Bucket-wide settings
  versioning    = "${var.versioning}"
  storage_class = "${var.storage_class}"

  # Object-age thresholds per bucket type; the unit and the lifecycle
  # action applied at that age are defined by the module.
  artifact_age     = "${var.artifact_age}"
  lfs_object_age   = "${var.lfs_object_age}"
  package_repo_age = "${var.package_repo_age}"
  upload_age       = "${var.upload_age}"
  storage_log_age  = "${var.storage_log_age}"

  # Principals granted access to the buckets
  service_account_email             = "${var.service_account_email}"
  gcs_service_account_email         = "${var.gcs_service_account_email}"
  gcs_storage_analytics_group_email = "${var.gcs_storage_analytics_group_email}"
}

##################################
#
#  GitLab Billing bucket
#
##################################

resource "google_storage_bucket" "gitlab-billing" {
  # Bucket receiving billing exports; read access is granted by the
  # google_storage_bucket_iam_binding resources that follow.
  name = "gitlab-billing"

  # NEARLINE: infrequently read, retained data.
  storage_class = "NEARLINE"

  # Object versioning is off, so an overwritten or deleted export is
  # not recoverable from the bucket itself.
  versioning = {
    enabled = "false"
  }

  labels = {
    tfmanaged = "yes"
  }
}

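resource "google_storage_bucket_iam_binding" "billing-viewer-binding" {
  # Reference the bucket resource instead of repeating its name so the
  # binding is created after the bucket and cannot drift from it.
  bucket = "${google_storage_bucket.gitlab-billing.name}"

  # A *_iam_binding is authoritative for its role: on apply, the member
  # list below replaces whatever holds roles/storage.objectViewer on
  # this bucket, so any grant made outside Terraform is removed.
  role = "roles/storage.objectViewer"

  members = [
    "serviceAccount:[email protected]",
  ]
}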

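resource "google_storage_bucket_iam_binding" "billing-legacy-bucket-binding" {
  # Reference the bucket resource instead of repeating its name so the
  # binding is created after the bucket and cannot drift from it.
  bucket = "${google_storage_bucket.gitlab-billing.name}"

  # Authoritative for this role on the bucket (see billing-viewer-binding).
  role = "roles/storage.legacyBucketReader"

  # "projectViewer:gitlab-ops" is a convenience principal: every account
  # holding the Viewer role on the gitlab-ops project can read bucket
  # metadata and list its objects. Widening the project's Viewer set
  # therefore widens who can enumerate billing exports.
  members = [
    "serviceAccount:[email protected]",
    "projectViewer:gitlab-ops",
  ]
}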

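resource "google_storage_bucket_iam_binding" "billing-legacy-object-binding" {
  # Reference the bucket resource instead of repeating its name so the
  # binding is created after the bucket and cannot drift from it.
  bucket = "${google_storage_bucket.gitlab-billing.name}"

  # Authoritative for this role on the bucket (see billing-viewer-binding).
  # The same service account already holds roles/storage.objectViewer on
  # this bucket, which covers object reads, so this legacy grant appears
  # redundant; kept to preserve the existing policy.
  role = "roles/storage.legacyObjectReader"

  members = [
    "serviceAccount:[email protected]",
  ]
}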

##################################
#
#  GKE Cluster for runners
#
##################################

# After provisioning you will need to configure
# the cluster for gitlab-runner. Instructions
# for this are in https://gitlab.com/gitlab-com/runbooks/tree/master/gke-runner

module "gke-runner" {
  # GKE cluster used for gitlab-runner; post-provisioning configuration
  # is manual (see the runbook linked above).
  source = "git::ssh://[email protected]/gitlab-com/gl-infra/terraform-modules/google/gke.git?ref=v1.0.0"

  # Identity and placement
  name        = "gke-runner"
  environment = "${var.environment}"
  project     = "${var.project}"
  region      = "${var.region}"

  # Node pool
  initial_node_count = 1
  machine_type       = "${var.machine_types["gke-runner"]}"

  # Networking
  vpc           = "${module.network.self_link}"
  ip_cidr_range = "${var.subnetworks["gke-runner"]}"
  dns_zone_name = "${var.dns_zone_name}"
}

##################################
#
#  GCS Bucket for postgres backup
#
##################################

module "postgres-backup" {
  # Bucket for postgres backups with KMS encryption, separate backup and
  # restore service accounts, and a retention period in days.
  source = "git::ssh://[email protected]/gitlab-com/gl-infra/terraform-modules/google/database-backup-bucket.git?ref=v1.0.0"

  environment    = "${var.environment}"
  retention_days = "${var.postgres_backup_retention_days}"

  # Encryption key for objects in the bucket.
  kms_key_id = "${var.gcs_postgres_backup_kms_key_id}"

  # Writer (backup) and reader (restore) identities are kept distinct
  # so a restore credential does not also carry backup write access.
  gcs_postgres_backup_service_account = "${var.gcs_postgres_backup_service_account}"
  restore_service_account             = "${var.gcs_postgres_restore_service_account}"
}

##################################
#
#  Service accounts
#
##################################

## Service account used for granting ops
## write access to asset buckets

resource "google_service_account" "assets" {
  # Identity ops uses to write to asset buckets in other projects. The
  # grants themselves live with those buckets; this only creates the
  # account.
  display_name = "Service account that allows ops to write to assets buckets in other projects"
  account_id   = "asset-uploader"
}