# OAuth2 client credentials for the monitoring endpoints (presumably consumed
# by the monitoring load balancer — confirm in main.tf). Neither variable has
# a default, so both must be supplied at plan/apply time (tfvars, -var or
# TF_VAR_*); the client secret should never be committed next to this file.
variable "oauth2_client_id_monitoring" {}
variable "oauth2_client_secret_monitoring" {}

# DNS zone identifiers for the three zones records are created in. No
# defaults: each environment supplies its own zone ids from outside this file.
variable "gitlab_net_zone_id" {}
variable "gitlab_com_zone_id" {}
variable "gitlab_io_zone_id" {}

# Kernel package version pinned for the instances. Bumping this value is the
# lever for rolling a newer kernel; how the bootstrap script consumes it is
# not visible here — confirm before changing the format.
variable "default_kernel_version" {
  default = "4.15.0-1029"
}

# Version number of the bootstrap script (presumably selects which script
# revision instances fetch on first boot — verify against the bootstrap module).
variable "bootstrap_script_version" {
  default = 8
}

#############################
# Default firewall
# rule for allowing
# all protocols on all
# ports
#
# NOTE(review): this is the source list of an allow-everything rule (per
# the banner above), so any range added here gains unrestricted reach
# into the environment; treat additions as a security-relevant change.
#
# 10.224.0.0/13: all of gstg (10.224.0.0 - 10.231.255.255; this also
#                covers the 10.225.x and 10.226.x ranges in "subnetworks")
# 10.250.7.x: ops runner
# 10.250.8.11/32: nessus scanner (listed below without a prefix length;
#                 confirm the rule consumer treats a bare address as /32)
# 10.250.10.x: chatops runner
# 10.250.12.x: release runner
# 10.12.0.0/14: pod address range in gitlab-ops for runners
###########################

variable "internal_subnets" {
  type    = "list"
  default = ["10.224.0.0/13", "10.250.7.0/24", "10.250.8.11", "10.250.10.0/24", "10.250.12.0/24", "10.12.0.0/14"]
}

# Monitoring subnets of the peer environments; presumably used to allow
# cross-environment scraping — confirm the consuming rule in main.tf.
variable "other_monitoring_subnets" {
  type = "list"

  # 10.219.1.0/24: gprd
  # 10.251.17.0/24: dr
  default = ["10.219.1.0/24", "10.251.17.0/24"]
}

##################
# Network Peering
##################

# Self link of this environment's (gstg) VPC network: the local side of the
# peerings listed in "peer_networks".
variable "network_env" {
  default = "https://www.googleapis.com/compute/v1/projects/gitlab-staging-1/global/networks/gstg"
}

# Remote networks peered with gstg. "names" and "links" are parallel lists
# and must stay index-aligned (ops, gprd, dr). VPC peering exchanges routes
# with each peer, so the firewall rules (see "internal_subnets") are what
# actually bound what a peer can reach.
variable "peer_networks" {
  type = "map"

  default = {
    "names" = ["ops", "gprd", "dr"]

    "links" = [
      "https://www.googleapis.com/compute/v1/projects/gitlab-ops/global/networks/ops",
      "https://www.googleapis.com/compute/v1/projects/gitlab-production/global/networks/gprd",
      "https://www.googleapis.com/compute/v1/projects/gitlab-dr/global/networks/dr",
    ]
  }
}

######################

# Chef run list applied to the base role, written as an escaped,
# comma-separated list of quoted entries (presumably because the value is
# spliced into another string downstream — confirm before changing the
# quoting). Note that it pulls in gitlab_users and gitlab_sudo, i.e. local
# accounts and sudo rights on the hosts are managed through Chef.
variable "base_chef_run_list" {
  default = "\"role[gitlab]\",\"recipe[gitlab_users::default]\",\"recipe[gitlab_sudo::default]\",\"recipe[gitlab-server::bashrc]\""
}

# An empty run list in the same escaped form: a single empty quoted string.
variable "empty_chef_run_list" {
  default = "\"\""
}

# DNS zone name that records are created under.
variable "dns_zone_name" {
  default = "gitlab.com"
}

# Monitoring endpoints published by name and port. "names" and "ports" are
# parallel lists and must stay index-aligned; presumably these sit behind
# the load balancer protected by the oauth2_*_monitoring credentials — confirm.
variable "monitoring_hosts" {
  type = "map"

  default = {
    "names" = ["alerts", "prometheus", "prometheus-app", "prometheus-db"]
    "ports" = [9093, 9090, 9090, 9090]
  }
}

#### GCP load balancing

# The top level domain record for the GitLab deployment.
# For production this should be set to "gitlab.com"
#
# NOTE(review): the default below is the staging canary hostname rather
# than a bare domain; confirm how production overrides this variable.

# Hostnames served by the main front-end load balancer.
variable "lb_fqdns" {
  type    = "list"
  default = ["canary.staging.gitlab.com"]
}

#####

# Hostname for the alternative-SSH (SSH over 443) load balancer.
variable "lb_fqdns_altssh" {
  type    = "list"
  default = ["altssh.gstg.gitlab.com"]
}

# Hostname for the container registry load balancer.
variable "lb_fqdns_registry" {
  type    = "list"
  default = ["registry.staging.gitlab.com"]
}

# Hostnames for the canary load balancer; empty here, i.e. no dedicated
# canary hostname is published for this environment.
variable "lb_fqdns_cny" {
  type    = "list"
  default = []
}

# Wildcard hostname for GitLab Pages; the wildcard means every sub-domain
# of pages.gstg.gitlab.io resolves to this load balancer.
variable "lb_fqdns_pages" {
  type    = "list"
  default = ["*.pages.gstg.gitlab.io"]
}

# Hostname for the bastion load balancer (SSH entry point, see tcp_lbs_bastion).
variable "lb_fqdns_bastion" {
  type    = "list"
  default = ["lb-bastion.gstg.gitlab.com"]
}

# Internal-only hostnames (gitlab.net zone) for the internal load balancers.
variable "lb_fqdns_internal" {
  type    = "list"
  default = ["int.gstg.gitlab.net"]
}

variable "lb_fqdns_internal_pgbouncer" {
  type    = "list"
  default = ["pgbouncer.int.gstg.gitlab.net"]
}

variable "lb_fqdns_internal_patroni" {
  type    = "list"
  default = ["patroni.int.gstg.gitlab.net"]
}

# Hostname for the contributors load balancer.
variable "lb_fqdns_contributors" {
  type    = "list"
  default = ["lb-contributors.gstg.gitlab.com"]
}

#
# For every name there must be a corresponding
# forwarding port range and health check port
#
# The three lists in each map below are parallel and must stay
# index-aligned; a mismatch silently pairs the wrong health check with a
# forwarding rule.

# Public TCP load balancer: http/https/ssh forwarded to the fe-lb nodes,
# each with its own dedicated health-check port.
variable "tcp_lbs" {
  type = "map"

  default = {
    "names"                  = ["http", "https", "ssh"]
    "forwarding_port_ranges" = ["80", "443", "22"]
    "health_check_ports"     = ["8001", "8002", "8003"]
  }
}

# Internal counterpart of "tcp_lbs"; same ports, distinct names.
variable "tcp_lbs_internal" {
  type = "map"

  default = {
    "names"                  = ["http-internal", "https-internal", "ssh-internal"]
    "forwarding_port_ranges" = ["80", "443", "22"]
    "health_check_ports"     = ["8001", "8002", "8003"]
  }
}

# Pages load balancer: http/https only.
variable "tcp_lbs_pages" {
  type = "map"

  default = {
    "names"                  = ["http", "https"]
    "forwarding_port_ranges" = ["80", "443"]
    "health_check_ports"     = ["8001", "8002"]
  }
}

# Alternative-SSH load balancer: port 443 is forwarded but health-checked
# on the ssh check port (8003) with an explicit request path, so the check
# reflects SSH readiness rather than HTTPS.
variable "tcp_lbs_altssh" {
  type = "map"

  default = {
    "names"                      = ["https"]
    "forwarding_port_ranges"     = ["443"]
    "health_check_ports"         = ["8003"]
    "health_check_request_paths" = ["/-/available-ssh"]
  }
}

# Registry load balancer: http/https only.
variable "tcp_lbs_registry" {
  type = "map"

  default = {
    "names"                  = ["http", "https"]
    "forwarding_port_ranges" = ["80", "443"]
    "health_check_ports"     = ["8001", "8002"]
  }
}

# Canary load balancer: all lists empty, i.e. no canary forwarding rules
# are created in this environment (see also lb_fqdns_cny).
variable "tcp_lbs_cny" {
  type = "map"

  default = {
    "names"                  = []
    "forwarding_port_ranges" = []
    "health_check_ports"     = []
  }
}

# Bastion load balancer: only SSH is forwarded. Note the health check is on
# port 80, not 22, so the bastion must answer HTTP on 80 for the backend to
# be considered healthy — confirm this is intended.
variable "tcp_lbs_bastion" {
  type = "map"

  default = {
    "names"                  = ["ssh"]
    "forwarding_port_ranges" = ["22"]
    "health_check_ports"     = ["80"]
  }
}

# Contributors load balancer: https only, health-checked directly on 443
# rather than on a dedicated check port like the other LBs.
variable "tcp_lbs_contributors" {
  type = "map"

  default = {
    "names"                  = ["https"]
    "forwarding_port_ranges" = ["443"]
    "health_check_ports"     = ["443"]
  }
}

#######################

# Ports reachable from outside per role, presumably via a firewall rule
# sourced from 0.0.0.0/0 in main.tf — confirm. An empty list means the role
# has no externally reachable port. Currently only bastion (22),
# fe-lb (22, 80, 443) and contributors (80, 443) are exposed; adding a port
# here widens the external attack surface and should be reviewed as such.
variable "public_ports" {
  type = "map"

  default = {
    "api"                = []
    "bastion"            = [22]
    "blackbox"           = []
    "console"            = []
    "consul"             = []
    "deploy"             = []
    "runner"             = []
    "db-dr"              = []
    "pgb"                = []
    "fe-lb"              = [22, 80, 443]
    "git"                = []
    "mailroom"           = []
    "patroni"            = []
    "pubsubbeat"         = []
    "redis"              = []
    "redis-cache"        = []
    "registry"           = []
    "registry-analytics" = []
    "sidekiq"            = []
    "sd-exporter"        = []
    "stor"               = []
    "thanos"             = []
    "contributors"       = [80, 443]
    "web"                = []
    "web-pages"          = []
    "monitoring"         = []
    "influxdb"           = []
  }
}

# Short environment name (presumably the prefix behind names such as
# gitlab-gstg-* in "chef_provision" — confirm in main.tf).
variable "environment" {
  default = "gstg"
}

# Whether data disks are formatted on first boot. Note this is the string
# "true", not a boolean; consumers must compare against the string value.
variable "format_data_disk" {
  default = "true"
}

# GCP project that hosts this environment.
variable "project" {
  default = "gitlab-staging-1"
}

# GCP region used for regional resources.
variable "region" {
  default = "us-east1"
}

# Chef bootstrap and server settings. How each key is consumed is not visible
# here; confirm against the bootstrap script before renaming any of them.
variable "chef_provision" {
  type        = "map"
  description = "Configuration details for chef server"

  default = {
    # GCS bucket plus the key/keyring names used by the bootstrap step; the
    # names suggest a KMS-wrapped validation key — confirm.
    bootstrap_bucket  = "gitlab-gstg-chef-bootstrap"
    bootstrap_key     = "gitlab-gstg-bootstrap-validation"
    bootstrap_keyring = "gitlab-gstg-bootstrap"

    # Chef server, client name and client key. user_key_path is relative to
    # the directory terraform runs in; the .pem itself belongs outside
    # version control.
    server_url    = "https://chef.gitlab.com/organizations/gitlab/"
    user_name     = "gitlab-ci"
    user_key_path = ".chef.pem"
    # Pinned chef-client version (presumably what the bootstrap installs).
    version       = "12.22.5"
  }
}

# Resource path of the SSL certificate used by the monitoring load balancer
# (presumably — confirm in main.tf). The resource name embeds a year, so this
# path has to be updated when the wildcard certificate is renewed; an
# expired certificate referenced here would not be caught by terraform.
variable "monitoring_cert_link" {
  default = "projects/gitlab-staging-1/global/sslCertificates/wildcard-gstg-gitlab-net-2020"
}

# Data disk size per role, as strings. The unit is not stated here
# (presumably GB — confirm with the disk resource that consumes it).
variable "data_disk_sizes" {
  type = "map"

  default = {
    "file"       = "2000"
    "share"      = "1500"
    "pages"      = "16000"
    "patroni"    = "1500"
    "prometheus" = "50"
  }
}

# GCE machine type per role. Several roles present in "node_count"
# (fe-lb-pages, fe-lb-altssh, fe-lb-registry, fe-lb-cny, the *-cny roles,
# pages, share, multizone-stor, prometheus*) have no entry here and
# presumably derive their type from the base role — confirm in the modules.
# "contributors-db" = "db-f1-micro" looks like a Cloud SQL tier rather than
# a GCE machine type.
variable "machine_types" {
  type = "map"

  default = {
    "alerts"                = "n1-standard-1"
    "api"                   = "n1-standard-16"
    "bastion"               = "g1-small"
    "blackbox"              = "n1-standard-1"
    "console"               = "n1-standard-1"
    "consul"                = "n1-standard-4"
    "contributors"          = "g1-small"
    "contributors-db"       = "db-f1-micro"
    "deploy"                = "n1-standard-2"
    "runner"                = "n1-standard-2"
    "db-dr"                 = "n1-standard-8"
    "fe-lb"                 = "n1-standard-4"
    "git"                   = "n1-standard-16"
    "influxdb"              = "n1-standard-4"
    "pgb"                   = "n1-standard-4"
    "mailroom"              = "n1-standard-2"
    "monitoring"            = "n1-standard-4"
    "patroni"               = "n1-standard-8"
    "redis"                 = "n1-standard-8"
    "redis-cache"           = "n1-highmem-16"
    "redis-cache-sentinel"  = "n1-standard-1"
    "registry"              = "n1-standard-2"
    "registry-analytics"    = "n1-standard-1"
    "sd-exporter"           = "n1-standard-1"
    "sidekiq-asap"          = "n1-standard-4"
    "sidekiq-besteffort"    = "n1-standard-4"
    "sidekiq-elasticsearch" = "n1-standard-4"
    "sidekiq-import"        = "n1-standard-4"
    "sidekiq-pages"         = "n1-standard-4"
    "sidekiq-pipeline"      = "n1-standard-4"
    "sidekiq-pullmirror"    = "n1-standard-4"
    "sidekiq-realtime"      = "n1-standard-4"
    "sidekiq-traces"        = "n1-standard-4"
    "stor"                  = "n1-standard-32"
    "thanos-compact"        = "n1-standard-2"
    "thanos-store"          = "n1-highmem-8"
    "web"                   = "n1-standard-16"
    "web-pages"             = "n1-standard-4"

    # We currently have different instance types
    # for pages and share in gprd so these are
    # also needed for gstg.

    "stor-pages" = "n1-standard-4"
    "stor-share" = "n1-standard-4"
  }
}

# Number of instances per role. A count of 0 keeps the role's configuration
# but deploys nothing (currently fe-lb-cny, registry-analytics,
# sidekiq-pipeline, sidekiq-traces, multizone-stor, git-cny and alerts).
# Roles whose count changes from 0 also need their firewall and machine
# type entries checked, since those maps are keyed separately.
variable "node_count" {
  type = "map"

  default = {
    "api"                   = 3
    "bastion"               = 1
    "blackbox"              = 1
    "console"               = 1
    "contributors"          = 1
    "deploy"                = 1
    "runner"                = 1
    "consul"                = 5
    "db-dr"                 = 2
    "fe-lb"                 = 3
    "fe-lb-pages"           = 2
    "fe-lb-altssh"          = 2
    "fe-lb-registry"        = 2
    "fe-lb-cny"             = 0
    "git"                   = 3
    "mailroom"              = 1
    "pages"                 = 1
    "patroni"               = 6
    "pgb"                   = 3
    "redis"                 = 3
    "redis-cache"           = 3
    "redis-cache-sentinel"  = 3
    "registry"              = 2
    "registry-analytics"    = 0
    "sd-exporter"           = 1
    "share"                 = 1
    "sidekiq-asap"          = 1
    "sidekiq-besteffort"    = 3
    "sidekiq-elasticsearch" = 1
    "sidekiq-import"        = 1
    "sidekiq-pages"         = 1
    "sidekiq-pipeline"      = 0
    "sidekiq-pullmirror"    = 1
    "sidekiq-realtime"      = 1
    "sidekiq-traces"        = 0
    "stor"                  = 2
    "thanos-compact"        = 1
    "thanos-store"          = 1
    "multizone-stor"        = 0
    "web"                   = 3
    "web-pages"             = 2
    "web-cny"               = 1
    "api-cny"               = 1
    "git-cny"               = 0
    "registry-cny"          = 1
    "prometheus"            = 2
    "prometheus-app"        = 2
    "prometheus-db"         = 2
    "alerts"                = 0
    "influxdb"              = 2
  }
}

# Subnet CIDR per role. Every range here sits inside 10.224.0.0/13, which
# "internal_subnets" allows wholesale for the default all-ports rule, so
# these subnets are not isolated from each other by that rule alone.
# "stor" is the only /23; all other roles get a /24.
variable "subnetworks" {
  type = "map"

  default = {
    "api"                = "10.224.12.0/24"
    "bastion"            = "10.224.20.0/24"
    "console"            = "10.224.21.0/24"
    "consul"             = "10.224.4.0/24"
    "db-dr-delayed"      = "10.224.24.0/24"
    "db-dr-archive"      = "10.224.25.0/24"
    "deploy"             = "10.224.15.0/24"
    "fe-lb"              = "10.224.14.0/24"
    "fe-lb-altssh"       = "10.224.19.0/24"
    "fe-lb-pages"        = "10.224.18.0/24"
    "fe-lb-registry"     = "10.224.23.0/24"
    "fe-lb-cny"          = "10.224.27.0/24"
    "git"                = "10.224.13.0/24"
    "influxdb"           = "10.226.3.0/24"
    "mailroom"           = "10.224.11.0/24"
    "monitoring"         = "10.226.1.0/24"
    "patroni"            = "10.224.29.0/24"
    "pgb"                = "10.224.9.0/24"
    "pubsubbeat"         = "10.226.2.0/24"
    "redis"              = "10.224.7.0/24"
    "redis-cache"        = "10.224.8.0/24"
    "registry"           = "10.224.10.0/24"
    "registry-analytics" = "10.224.28.0/24"
    "runner"             = "10.224.16.0/24"
    "sidekiq"            = "10.225.1.0/24"
    "stor"               = "10.224.2.0/23"
    "thanos-compact"     = "10.226.5.0/24"
    "thanos-store"       = "10.226.4.0/24"
    "web"                = "10.224.1.0/24"
    "singleton-svcs"     = "10.224.5.0/24"
    "web-pages"          = "10.224.26.0/24"

    ###############################
    # These will eventually (tm) be
    # moved to object storage

    "pages" = "10.224.32.0/24"
    "share" = "10.224.33.0/24"

    #############################
  }
}

# Default service account attached to instances.
# NOTE(review): the addresses in this section render as "[email protected]"
# on this page, which looks like an extraction artifact rather than the
# committed value — confirm against the repository before relying on them.
variable "service_account_email" {
  type = "string"

  default = "[email protected]"
}

# Service account used for GCS access.
variable "gcs_service_account_email" {
  type    = "string"
  default = "[email protected]"
}

# Service account that writes postgres backups to GCS. Keep it separate from
# the restore account below so that backup-writing and backup-reading
# permissions can be granted independently.
variable "gcs_postgres_backup_service_account" {
  type    = "string"
  default = "[email protected]"
}

# Service account used to do automated backup testing
# in https://gitlab.com/gitlab-restore/postgres-gprd
variable "gcs_postgres_restore_service_account" {
  type    = "string"
  default = "[email protected]t.com"
}

# KMS key (project/location/keyring/key resource path) presumably used to
# encrypt the postgres WAL archive in GCS — confirm in the bucket/backup
# resources. The backup and restore accounts need decrypt rights on it.
variable "gcs_postgres_backup_kms_key_id" {
  type    = "string"
  default = "projects/gitlab-staging-1/locations/global/keyRings/gitlab-secrets/cryptoKeys/gstg-postgres-wal-archive"
}

# Backup retention in days, declared as a string rather than a number.
variable "postgres_backup_retention_days" {
  type    = "string"
  default = "5"
}

# Outbound ports allowed by the default egress rule (presumably — confirm in
# main.tf). The role-specific lists below extend this set; any port added
# to them opens a new outbound path for that role.
variable "egress_ports" {
  type    = "list"
  default = ["80", "443"]
}

# Egress for web nodes; 9243 in addition to the defaults (presumably an
# external service endpoint — confirm which).
variable "web_egress_ports" {
  type    = "list"
  default = ["80", "443", "9243"]
}

# TODO: This is a temporary variable as we're still rolling
# the egress rules to staging first and we don't want it in production yet.
# It should be removed in favor of appending port 22 to `egress_ports` in main.tf directly.
variable "deploy_egress_ports" {
  type    = "list"
  default = ["80", "443", "22"]
}

# Egress for console nodes; same set as web_egress_ports.
variable "console_egress_ports" {
  type    = "list"
  default = ["80", "443", "9243"]
}

# Boot image override per role; only fe-lb is pinned here, other roles
# presumably take a default from the module — confirm. The pinned image is a
# dated build (v20190404), so it stops receiving fixes until this value is
# bumped; review the pin alongside "default_kernel_version".
variable "os_boot_image" {
  type = "map"

  default = {
    "fe-lb" = "ubuntu-os-cloud/ubuntu-1804-bionic-v20190404"
  }
}