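# OAuth2 client credentials, presumably used to put an OAuth login in front of
# the monitoring endpoints (the consumer is not in this file - confirm).
# Neither variable has a default, so both must be supplied at plan/apply time
# (tfvars or TF_VAR_* environment). The client secret is a credential: keep it
# out of version control and out of CI logs, and remember that any resource
# attribute it is written to ends up in the Terraform state file, so the state
# backend must be treated as secret-bearing.
variable "oauth2_client_id_monitoring" {
  description = "OAuth2 client ID for the monitoring endpoints (no default; supplied at plan time)"
}

variable "oauth2_client_secret_monitoring" {
  description = "OAuth2 client secret for the monitoring endpoints (no default; supplied at plan time). Credential: keep out of VCS and logs; lands in state."
}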

# DNS zone identifiers, one per domain this environment publishes records in.
# No defaults: all three must be supplied at plan time. Presumably Cloud DNS
# managed-zone IDs (the rest of this file targets GCP) - confirm with the
# resources that consume them.
#   gitlab.net - internal names (see lb_fqdns_internal*)
#   gitlab.com - public names (see lb_fqdns*)
#   gitlab.io  - Pages wildcard (see lb_fqdns_pages)
variable "gitlab_net_zone_id" {}
variable "gitlab_com_zone_id" {}
variable "gitlab_io_zone_id" {}

# Kernel package version pinned for new instances (how it is applied is not
# visible here - presumably by the bootstrap script). A pin is reproducible but
# also freezes the kernel at this patch level: security fixes only reach new
# hosts when this value is bumped, so treat bumps as routine, not exceptional.
variable "default_kernel_version" {
  default = "4.15.0-1029"
}

# Version selector for the instance bootstrap script. The script itself and
# how this number maps to it live outside this file (presumably in the
# chef_provision bootstrap_bucket - confirm).
variable "bootstrap_script_version" {
  default = 8
}

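#############################
# Default firewall
# rule for allowing
# all protocols on all
# ports
#
# Every CIDR listed here is granted an allow-all rule (all protocols, all
# ports) into the environment, so each entry is a trust decision rather than
# a routing detail: keep ranges as narrow as the consumer needs and prefer
# /32s for single hosts, as is already done for the scanner.
#
# 10.216.0.0/13:   all of gprd (10.216.0.0 - 10.223.255.255; every entry of
#                  the "subnetworks" map in this file falls inside it)
# 10.250.7.x:      ops runner
# 10.250.8.11/32:  nessus scanner
# 10.250.10.x:     chatops runner
# 10.250.12.x:     release runner
# 10.12.0.0/14:    pod address range in gitlab-ops for runners
#                  (a wide range: any pod scheduled in gitlab-ops, not only
#                  runner pods, sources from it - TODO confirm this is intended)
#
# The 10.250.x and 10.12.x ranges are only reachable because of the
# peerings declared in peer_networks below.
###########################

variable "internal_subnets" {
  type        = "list"
  description = "CIDRs granted an allow-all (all protocols, all ports) ingress rule; each entry is a trust decision"
  default     = ["10.216.0.0/13", "10.250.7.0/24", "10.250.8.11/32", "10.250.10.0/24", "10.250.12.0/24", "10.12.0.0/14"]
}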

# Subnets in the peered gstg and dr networks (see peer_networks) that are
# allowed to reach the monitoring hosts. Which ports the resulting rule opens
# is decided by the consumer, not here - presumably only monitoring_hosts
# ports; confirm before widening either list.
variable "other_monitoring_subnets" {
  type = "list"

  # 10.226.1.0/24: gstg
  # 10.251.17.0/24: dr
  default = ["10.226.1.0/24", "10.251.17.0/24"]
}

# Monitoring roles and the port each one serves on. The two lists are
# index-aligned (names[i] listens on ports[i]); keep them the same length when
# adding a role. 9093/9090 are the conventional Alertmanager/Prometheus ports.
variable "monitoring_hosts" {
  type = "map"

  default = {
    "names" = ["alerts", "prometheus", "prometheus-app", "prometheus-db"]
    "ports" = [9093, 9090, 9090, 9090]
  }
}

#### GCP load balancing

# The top level domain record for the GitLab deployment.
# For production this should be set to "gitlab.com"
# Note: Currently `gitlab.com` is set outside of terraform
#       because of the switchover.
#
# Each lb_fqdns* list below holds the public names that will point at one
# load balancer. Because `gitlab.com` itself is managed outside this config,
# the default here is only the canary name.

variable "lb_fqdns" {
  type    = "list"
  default = ["canary.gitlab.com"]
}

##########
# Names for the alternate-SSH load balancer (SSH offered on 443 for clients
# behind firewalls that block 22; see tcp_lbs_altssh).
variable "lb_fqdns_altssh" {
  type    = "list"
  default = ["altssh.gprd.gitlab.com"]
}

# Public name(s) for the container registry load balancer (see tcp_lbs_registry).
variable "lb_fqdns_registry" {
  type    = "list"
  default = ["registry.gitlab.com"]
}

# Public name(s) for a dedicated canary load balancer. Empty by default, which
# is consistent with tcp_lbs_cny being empty and node_count["fe-lb-cny"] = 0
# in this file: canary traffic is served through lb_fqdns instead.
variable "lb_fqdns_cny" {
  type    = "list"
  default = []
}

# Wildcard name for GitLab Pages. Note it lives under gitlab.io (see
# gitlab_io_zone_id), a different registrable domain from gitlab.com -
# presumably so user-controlled Pages content never shares the gitlab.com
# cookie/origin scope; keep it that way when changing this value.
variable "lb_fqdns_pages" {
  type    = "list"
  default = ["*.pages.gprd.gitlab.io"]
}

# Public name for the bastion (SSH jump host) load balancer; see
# tcp_lbs_bastion and public_ports["bastion"].
variable "lb_fqdns_bastion" {
  type    = "list"
  default = ["lb-bastion.gprd.gitlab.com"]
}

# Name for the internal (non-public) load balancer, published in the
# gitlab.net zone rather than gitlab.com; see tcp_lbs_internal.
variable "lb_fqdns_internal" {
  type    = "list"
  default = ["int.gprd.gitlab.net"]
}

# Internal name for the pgbouncer load balancer (gitlab.net zone).
variable "lb_fqdns_internal_pgbouncer" {
  type    = "list"
  default = ["pgbouncer.int.gprd.gitlab.net"]
}

# Internal name for the patroni (PostgreSQL) load balancer (gitlab.net zone).
variable "lb_fqdns_internal_patroni" {
  type    = "list"
  default = ["patroni.int.gprd.gitlab.net"]
}

# Public name for the contributors service load balancer; see
# tcp_lbs_contributors and public_ports["contributors"].
variable "lb_fqdns_contributors" {
  type    = "list"
  default = ["lb-contributors.gprd.gitlab.com"]
}

#
# For every name there must be a corresponding
# forwarding port range and health check port
#
# The tcp_lbs* maps below are index-aligned lists: names[i] is forwarded on
# forwarding_port_ranges[i] and probed on health_check_ports[i]. The health
# check ports (8001-8003) are separate from the forwarded ports, so whatever
# answers them must be reachable from the load balancer's health-check source
# ranges without being part of public_ports.

variable "tcp_lbs" {
  type = "map"

  default = {
    "names"                  = ["http", "https", "ssh"]
    "forwarding_port_ranges" = ["80", "443", "22"]
    "health_check_ports"     = ["8001", "8002", "8003"]
  }
}

# Same three listeners as tcp_lbs, but for the internal load balancer
# (lb_fqdns_internal). Index-aligned lists; keep them the same length.
variable "tcp_lbs_internal" {
  type = "map"

  default = {
    "names"                  = ["http-internal", "https-internal", "ssh-internal"]
    "forwarding_port_ranges" = ["80", "443", "22"]
    "health_check_ports"     = ["8001", "8002", "8003"]
  }
}

# Listeners for the Pages load balancer (lb_fqdns_pages): HTTP and HTTPS only,
# no SSH. Index-aligned lists; keep them the same length.
variable "tcp_lbs_pages" {
  type = "map"

  default = {
    "names"                  = ["http", "https"]
    "forwarding_port_ranges" = ["80", "443"]
    "health_check_ports"     = ["8001", "8002"]
  }
}

# Alternate-SSH load balancer: a single listener named "https" on 443 that
# actually carries SSH. It is probed on 8003 (the same port the ssh listener in
# tcp_lbs uses) with an HTTP path, which is why this map alone carries a
# "health_check_request_paths" list - the consumer must tolerate that key being
# absent in the other tcp_lbs* maps.
variable "tcp_lbs_altssh" {
  type = "map"

  default = {
    "names"                      = ["https"]
    "forwarding_port_ranges"     = ["443"]
    "health_check_ports"         = ["8003"]
    "health_check_request_paths" = ["/-/available-ssh"]
  }
}

# Listeners for the container registry load balancer (lb_fqdns_registry):
# HTTP and HTTPS. Index-aligned lists; keep them the same length.
variable "tcp_lbs_registry" {
  type = "map"

  default = {
    "names"                  = ["http", "https"]
    "forwarding_port_ranges" = ["80", "443"]
    "health_check_ports"     = ["8001", "8002"]
  }
}

# Listeners for a dedicated canary load balancer. All three lists are empty,
# matching lb_fqdns_cny = [] and node_count["fe-lb-cny"] = 0: no separate
# canary LB is built by default.
variable "tcp_lbs_cny" {
  type = "map"

  default = {
    "names"                  = []
    "forwarding_port_ranges" = []
    "health_check_ports"     = []
  }
}

# Bastion load balancer: forwards SSH only. The health check is on port 80,
# which is NOT in public_ports["bastion"] (only 22 is), so whatever answers on
# 80 must be reachable solely from the load balancer's health-check source
# ranges - NOTE(review): confirm the firewall rule that opens 80 is scoped that
# narrowly and does not expose an extra service on the jump hosts.
variable "tcp_lbs_bastion" {
  type = "map"

  default = {
    "names"                  = ["ssh"]
    "forwarding_port_ranges" = ["22"]
    "health_check_ports"     = ["80"]
  }
}

# Contributors load balancer: HTTPS only, health-checked on the same port it
# serves (443) rather than on a side port like the other tcp_lbs* maps.
variable "tcp_lbs_contributors" {
  type = "map"

  default = {
    "names"                  = ["https"]
    "forwarding_port_ranges" = ["443"]
    "health_check_ports"     = ["443"]
  }
}

##################
# Network Peering
##################

# Self link of this environment's VPC. The project name is hard-coded here and
# must agree with the "project" variable further down (both say
# gitlab-production); in this 0.11-style file a variable default cannot
# interpolate another variable, so keep the two in sync by hand.
variable "network_env" {
  default = "https://www.googleapis.com/compute/v1/projects/gitlab-production/global/networks/gprd"
}

# VPCs peered with network_env. "names" and "links" are index-aligned.
# Peering makes the whole remote network routable, so the only thing that
# limits what a peer can reach is the firewall: the ops, gstg and dr ranges
# listed in internal_subnets and other_monitoring_subnets are the ones that
# get rules here. Adding a peer should always be paired with a review of
# those lists.
variable "peer_networks" {
  type = "map"

  default = {
    "names" = ["ops", "gstg", "dr"]

    "links" = [
      "https://www.googleapis.com/compute/v1/projects/gitlab-ops/global/networks/ops",
      "https://www.googleapis.com/compute/v1/projects/gitlab-staging-1/global/networks/gstg",
      "https://www.googleapis.com/compute/v1/projects/gitlab-dr/global/networks/dr",
    ]
  }
}

######################

# Chef run list applied to every node, stored as the comma-separated, quoted
# fragment the bootstrap presumably splices into a JSON array (hence the
# escaped quotes). It pulls in gitlab_users and gitlab_sudo, i.e. the
# cookbooks that decide who can log in and escalate on the host - changes
# here affect host access everywhere.
variable "base_chef_run_list" {
  default = "\"role[gitlab]\",\"recipe[gitlab_users::default]\",\"recipe[gitlab_sudo::default]\",\"recipe[gitlab-server::bashrc]\""
}

# Run list for nodes that get no Chef roles at bootstrap: a single empty
# quoted string in the same fragment format as base_chef_run_list.
variable "empty_chef_run_list" {
  default = "\"\""
}

# Public DNS zone name (see gitlab_com_zone_id for the matching zone ID).
variable "dns_zone_name" {
  default = "gitlab.com"
}

# Per-role Chef run lists. Both entries are currently byte-identical to
# base_chef_run_list; they are duplicated rather than referenced because a
# 0.11-style variable default cannot interpolate another variable. If
# base_chef_run_list changes, update these too.
variable "run_lists" {
  type = "map"

  default = {
    "prometheus"  = "\"role[gitlab]\",\"recipe[gitlab_users::default]\",\"recipe[gitlab_sudo::default]\",\"recipe[gitlab-server::bashrc]\""
    "performance" = "\"role[gitlab]\",\"recipe[gitlab_users::default]\",\"recipe[gitlab_sudo::default]\",\"recipe[gitlab-server::bashrc]\""
  }
}

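# Ports opened to the public internet, per role. This is the environment's
# external attack surface in one place, so review additions here carefully:
#   bastion      - 22 only (the SSH jump host)
#   fe-lb        - 22/80/443 (22 is the git-over-ssh listener declared in tcp_lbs)
#   contributors - 80/443
# Every other role is intentionally empty and must be reached through the
# load balancers, the bastion, or the internal_subnets rule.
variable "public_ports" {
  type        = "map"
  description = "Per-role list of ports opened to the public internet; an empty list opens nothing for that role"

  default = {
    "api"                = []
    "bastion"            = [22]
    "blackbox"           = []
    "consul"             = []
    "console"            = []
    "deploy"             = []
    "runner"             = []
    "db-dr"              = []
    "pgb"                = []
    "fe-lb"              = [22, 80, 443]
    "git"                = []
    "mailroom"           = []
    "patroni"            = []
    "pubsubbeat"         = []
    "redis"              = []
    "redis-cache"        = []
    "registry"           = []
    "registry-analytics" = []
    "sidekiq"            = []
    "sd-exporter"        = []
    "stor"               = []
    "thanos"             = []
    "contributors"       = [80, 443]
    "web"                = []
    "web-pages"          = []
    "monitoring"         = []
    "influxdb"           = []
  }
}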

# Short environment name; appears in most hostnames in this file
# (e.g. altssh.gprd.gitlab.com) and in the chef_provision bucket/key names.
variable "environment" {
  default = "gprd"
}

# Whether bootstrap formats the attached data disk. Kept as the string "true"
# (0.11-style booleans). NOTE(review): the consumer is not visible here, but
# formatting is destructive on a disk that already holds data - confirm the
# bootstrap only formats blank disks before relying on this default.
variable "format_data_disk" {
  default = "true"
}

# GCP project that owns this environment. Must agree with the project name
# hard-coded into network_env, monitoring_cert_link and
# gcs_postgres_backup_kms_key_id above/below.
variable "project" {
  default = "gitlab-production"
}

# GCP region the environment is deployed in.
variable "region" {
  default = "us-east1"
}

# Everything the bootstrap needs to register a new node with Chef.
#   bootstrap_bucket  - GCS bucket holding the bootstrap material
#   bootstrap_key /   - names that presumably identify a KMS key and key ring
#   bootstrap_keyring   used to decrypt the validation material (confirm
#                       against the bootstrap script)
#   server_url        - Chef server (HTTPS) and organisation
#   user_name         - Chef client identity used to register nodes
#   user_key_path     - private key for that client, read from the working
#                       directory at apply time; it is a credential, so it
#                       must be present on the runner but never committed
#   version           - pinned Chef client version. NOTE(review): 12.x is an
#                       old major that is no longer maintained upstream;
#                       confirm the pin is deliberate.
variable "chef_provision" {
  type        = "map"
  description = "Configuration details for chef server"

  default = {
    bootstrap_bucket  = "gitlab-gprd-chef-bootstrap"
    bootstrap_key     = "gitlab-gprd-bootstrap-validation"
    bootstrap_keyring = "gitlab-gprd-bootstrap"

    server_url    = "https://chef.gitlab.com/organizations/gitlab/"
    user_name     = "gitlab-ci"
    user_key_path = ".chef.pem"
    version       = "12.22.5"
  }
}

# Resource path of the wildcard *.gprd.gitlab.net certificate attached to the
# monitoring load balancer. A wildcard covers every host under the internal
# zone, so its private key protects more than just monitoring - store and
# rotate it accordingly. Project name is hard-coded; keep in sync with "project".
variable "monitoring_cert_link" {
  default = "projects/gitlab-production/global/sslCertificates/wildcard-gprd-gitlab-net"
}

# Data disk size per role, as strings (0.11-style). Presumably gigabytes -
# confirm the unit with the disk resource that consumes this map.
variable "data_disk_sizes" {
  type = "map"

  default = {
    "file"       = "16000"
    "share"      = "20000"
    "pages"      = "16000"
    "patroni"    = "4000"
    "prometheus" = "100"
  }
}

# GCE machine type per role. Keys are role names and must match the keys used
# by node_count / subnetworks where a role appears in more than one map
# (e.g. "contributors-db" is a Cloud SQL tier, not a GCE type).
variable "machine_types" {
  type = "map"

  default = {
    "alerts"                = "n1-standard-1"
    "api"                   = "n1-standard-16"
    "bastion"               = "g1-small"
    "blackbox"              = "n1-standard-1"
    "consul"                = "n1-standard-4"
    "contributors"          = "n1-standard-4"
    "contributors-db"       = "db-custom-1-4096"
    "db-dr"                 = "n1-standard-8"
    "console"               = "n1-standard-1"
    "deploy"                = "n1-standard-2"
    "fe-lb"                 = "n1-standard-4"
    "git"                   = "n1-standard-16"
    "influxdb"              = "n1-standard-8"
    "mailroom"              = "n1-standard-4"
    "monitoring"            = "n1-standard-8"
    "patroni"               = "n1-highmem-64"
    "pgb"                   = "n1-standard-4"
    "redis"                 = "n1-standard-8"
    "redis-cache"           = "n1-highmem-16"
    "redis-cache-sentinel"  = "n1-standard-1"
    "registry"              = "n1-standard-2"
    "registry-analytics"    = "n1-highmem-8"
    "runner"                = "n1-standard-2"
    "sd-exporter"           = "n1-standard-1"
    "sidekiq-asap"          = "custom-4-20480"
    "sidekiq-besteffort"    = "n1-standard-8"
    "sidekiq-elasticsearch" = "n1-standard-8"
    "sidekiq-import"        = "n1-standard-4"
    "sidekiq-pages"         = "n1-standard-4"
    "sidekiq-pipeline"      = "n1-standard-4"
    "sidekiq-pullmirror"    = "n1-standard-4"
    "sidekiq-realtime"      = "n1-standard-8"
    "sidekiq-traces"        = "n1-standard-8"
    "stor"                  = "n1-standard-32"
    "thanos-compact"        = "n1-standard-2"
    "thanos-store"          = "n1-highmem-16"
    "web"                   = "n1-standard-16"
    "web-pages"             = "n1-standard-8"

    # pages and share should eventually be upgraded
    # to n1-standard-32 for better IO.

    "stor-pages" = "n1-highmem-8"
    "stor-share" = "n1-highmem-8"
  }
}

# Number of instances per role. A count of 0 (fe-lb-cny, sidekiq-elasticsearch,
# sidekiq-traces) keeps the role declared but builds nothing; the *-cny keys
# are the canary fleet that sits behind lb_fqdns rather than a separate LB.
variable "node_count" {
  type = "map"

  default = {
    "api"                   = 20
    "bastion"               = 3
    "blackbox"              = 1
    "console"               = 1
    "consul"                = 5
    "db-dr"                 = 2
    "deploy"                = 1
    "fe-lb"                 = 16
    "fe-lb-altssh"          = 2
    "fe-lb-pages"           = 2
    "fe-lb-registry"        = 2
    "fe-lb-cny"             = 0
    "git"                   = 25
    "mailroom"              = 2
    "patroni"               = 6
    "pages"                 = 1
    "pgb"                   = 3
    "redis"                 = 3
    "redis-cache"           = 3
    "redis-cache-sentinel"  = 3
    "registry"              = 4
    "registry-analytics"    = 1
    "runner"                = 1
    "share"                 = 1
    "sd-exporter"           = 1
    "sidekiq-asap"          = 5
    "sidekiq-besteffort"    = 4
    "sidekiq-elasticsearch" = 0
    "sidekiq-import"        = 2
    "sidekiq-pages"         = 6
    "sidekiq-pipeline"      = 3
    "sidekiq-pullmirror"    = 5
    "sidekiq-realtime"      = 4
    "sidekiq-traces"        = 0
    "stor"                  = 20
    "thanos-compact"        = 1
    "thanos-store"          = 1
    "contributors"          = 1
    "multizone-stor"        = 12
    "web"                   = 28
    "web-pages"             = 8
    "web-cny"               = 2
    "api-cny"               = 2
    "git-cny"               = 2
    "registry-cny"          = 2
    "alerts"                = 2
    "prometheus"            = 2
    "prometheus-app"        = 2
    "prometheus-db"         = 2
    "influxdb"              = 2
  }
}

# CIDR per role subnetwork. Every range here (10.216.x - 10.221.x) sits inside
# the 10.216.0.0/13 entry of internal_subnets, which means all of these
# subnets can reach each other on every port through that allow-all rule;
# per-role isolation, if any, has to come from rules that are not in this file.
# Loosely grouped by the second octet: 216 = edge (LBs, bastion), 217 = data
# stores, 218 = ops/infra, 219 = monitoring, 220 = app tiers, 221 = storage.
variable "subnetworks" {
  type = "map"

  default = {
    "fe-lb"              = "10.216.1.0/24"
    "fe-lb-pages"        = "10.216.2.0/24"
    "fe-lb-altssh"       = "10.216.3.0/24"
    "fe-lb-registry"     = "10.216.5.0/24"
    "fe-lb-cny"          = "10.216.6.0/24"
    "bastion"            = "10.216.4.0/24"
    "redis"              = "10.217.2.0/24"
    "db-dr-delayed"      = "10.217.3.0/24"
    "db-dr-archive"      = "10.217.7.0/24"
    "patroni"            = "10.220.16.0/24"
    "pgb"                = "10.217.4.0/24"
    "redis-cache"        = "10.217.5.0/24"
    "consul"             = "10.218.1.0/24"
    "deploy"             = "10.218.3.0/24"
    "runner"             = "10.218.4.0/24"
    "console"            = "10.218.5.0/24"
    "monitoring"         = "10.219.1.0/24"
    "pubsubbeat"         = "10.219.2.0/24"
    "registry"           = "10.220.10.0/23"
    "registry-analytics" = "10.218.6.0/24"
    "mailroom"           = "10.220.14.0/23"
    "api"                = "10.220.2.0/23"
    "git"                = "10.220.4.0/23"
    "singleton-svcs"     = "10.219.4.0/24"
    "sidekiq"            = "10.220.6.0/23"
    "thanos-compact"     = "10.220.18.0/24"
    "thanos-store"       = "10.220.17.0/24"
    "web"                = "10.220.8.0/23"
    "web-pages"          = "10.220.12.0/23"
    "stor"               = "10.221.2.0/23"
    "influxdb"           = "10.219.3.0/24"

    ###############################
    # These will eventually (tm) be
    # moved to object storage

    "pages" = "10.221.6.0/24"
    "share" = "10.221.7.0/24"

    #############################
  }
}

# Default service account attached to instances. NOTE(review): the value in
# this copy reads as a redacted placeholder, not a real account address -
# confirm it against the source of truth before applying.
variable "service_account_email" {
  type = "string"

  default = "[email protected]"
}

# Service account used for GCS access. NOTE(review): the value in this copy is
# garbled/redacted ("...com" fragment) - confirm against the source of truth.
variable "gcs_service_account_email" {
  type    = "string"
  default = "[email protected]com"
}

# Service account that writes PostgreSQL backups / WAL archive to GCS (see
# gcs_postgres_backup_kms_key_id). Keep it distinct from the restore account
# below so the backup writer cannot be used to read every backup. NOTE(review):
# the value in this copy reads as a redacted placeholder - confirm.
variable "gcs_postgres_backup_service_account" {
  type    = "string"
  default = "[email protected]"
}

# Service account used to do automated backup testing
# in https://gitlab.com/gitlab-restore/postgres-gprd
# It needs read access to the backup bucket and decrypt on the backup KMS key,
# and nothing more; it is a separate identity from the backup writer above.
# NOTE(review): the value in this copy is garbled/redacted - confirm.
variable "gcs_postgres_restore_service_account" {
  type    = "string"
  default = "[email protected]t.com"
}

# Customer-managed KMS key used for the PostgreSQL WAL archive in GCS
# (key ring "gitlab-secrets", global location). Both the backup and restore
# service accounts above need the matching encrypt/decrypt bindings on this
# key. Project name is hard-coded; keep in sync with "project".
variable "gcs_postgres_backup_kms_key_id" {
  type    = "string"
  default = "projects/gitlab-production/locations/global/keyRings/gitlab-secrets/cryptoKeys/gprd-postgres-wal-archive"
}

# How many days of PostgreSQL backups are kept, as a string (0.11-style).
# Lowering this shortens the window for point-in-time recovery.
variable "postgres_backup_retention_days" {
  type    = "string"
  default = "14"
}

# Egress ports for the general fleet. Empty by default; whether an empty list
# means "no egress restriction" or "no egress allowed" is decided by the
# consumer, which is not in this file - TODO confirm before relying on it.
variable "egress_ports" {
  type    = "list"
  default = []
}

# Egress ports for the deploy role. Empty by default; see the caveat on
# egress_ports about what an empty list means.
variable "deploy_egress_ports" {
  type    = "list"
  default = []
}

# Egress ports for the console role. Empty by default; see the caveat on
# egress_ports about what an empty list means.
variable "console_egress_ports" {
  type    = "list"
  default = []
}

# Boot image per role. Only fe-lb is listed, pinned to a dated Ubuntu 18.04
# build; roles not in this map fall back to whatever the consumer chooses.
# A dated image is reproducible but carries only the patches of its build
# date, so bump it (or re-patch at bootstrap) on a schedule.
variable "os_boot_image" {
  type = "map"

  default = {
    "fe-lb" = "ubuntu-os-cloud/ubuntu-1804-bionic-v20190404"
  }
}