Commit 56d9d8b2 authored by John Jarvis's avatar John Jarvis

Merge branch 'jarv/add-geo-gce-sync' into 'master'

Add terraform module for gitlab instance on GCE

See merge request !102
parents 69eb030d 54ea1ee9
......@@ -16,10 +16,23 @@ variable "first_user_password" {}
variable "backup_aws_access_key" {}
variable "backup_aws_secret_key" {}
variable "disk_subscription" {}
variable "location" {
variable "azure_location" {
default = "East US 2"
}
variable "gce_location" { default = "us-east1-b" }
variable "gce_machine_type" { default = "n1-standard-8" }
variable "gce_name" { default = "geo-sync" }
variable "google_credentials" {}
variable "google_project" {}
variable "vpn_ips" {
default = ["52.177.194.133", "52.177.192.239"]
}
provider "google" {
credentials = "${var.google_credentials}"
project = "${var.google_project}"
region = "${var.gce_location}"
}
provider "azurerm" {
subscription_id = "${var.arm_subscription_id}"
......@@ -36,30 +49,52 @@ terraform {
backend "s3" {}
}
## Resource Group
## Azure Resource Group for GEO
resource "azurerm_resource_group" "GeoTestbed" {
name = "GeoTestbed"
location = "${var.location}"
location = "${var.azure_location}"
}
module "gitlab-single-gce" {
source = "../../modules/gitlab-single-gce"
location = "${var.gce_location}"
machine_type = "${var.gce_machine_type}"
name = "${var.gce_name}"
disk_size = "${20 * 1024}"
backup_aws_access_key = "${var.backup_aws_access_key}"
backup_aws_secret_key = "${var.backup_aws_secret_key}"
prod_ip = "${module.gitlab-restore-single.public_ip}"
vpn_ips = "${var.vpn_ips}"
}
module "gitlab-restore-single" {
source = "../../modules/gitlab-restore-single"
disk_snapshot_date = "2017-08-09"
restore_machine = "file-08"
location = "${var.location}"
location = "${var.azure_location}"
resource_group_name = "${azurerm_resource_group.GeoTestbed.name}"
first_user_username = "${var.first_user_username}"
first_user_password = "${var.first_user_password}"
backup_aws_access_key = "${var.backup_aws_access_key}"
backup_aws_secret_key = "${var.backup_aws_secret_key}"
disk_subscription = "${var.disk_subscription}"
sync_ip = "${module.gitlab-single-gce.public_ip}"
vpn_ips = "${var.vpn_ips}"
}
resource "aws_route53_record" "single" {
resource "aws_route53_record" "prod" {
zone_id = "${var.gitlab_com_zone_id}"
name = "prod.geo.gitlab.com."
type = "A"
ttl = "300"
records = ["${module.gitlab-restore-single.public_ip}"]
}
resource "aws_route53_record" "sync" {
zone_id = "${var.gitlab_com_zone_id}"
name = "sync.geo.gitlab.com."
type = "A"
ttl = "300"
records = ["${module.gitlab-single-gce.public_ip}"]
}
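Review bot: `region = "${var.gce_location}"` in the new google provider block receives a zone name — `gce_location` defaults to `us-east1-b` and the module further down the page consumes the same value as `zone` — so any regional resource added under this provider later would be given an invalid region. Keeping the two concepts apart is two lines: `variable "gce_region" { default = "us-east1" }` and `region = "${var.gce_region}"`. Separately, `disk_size = "${20 * 1024}"` is interpreted by GCE in GB, i.e. a 20480 GB pd-ssd for the sync instance; confirm that size is intended rather than a MiB/GiB mix-up.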
......@@ -47,7 +47,7 @@ restore_command = '/usr/bin/envdir /etc/wal-e.d/env /opt/wal-e/bin/wal-e wal-fet
recovery_target_action = 'promote'
recovery_target_time = '$last_backup_date'
RECOVERY
chown gitlab-psql:gitlab-psql /var/opt/gitlab/postgresql/data/recovery.conf
chown gitlab-psql:gitlab-psql /var/opt/gitlab/postgresql/data/recovery.conf.create
# create a db-restore script
cat > /tmp/start-restore.sh <<RESTORE
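Review bot: The chown now targets `recovery.conf.create`, but the heredoc closed by `RECOVERY` just above is redirected to a path that sits outside this hunk; if that redirect still writes `recovery.conf`, the chown fails (fatal if the script runs under `set -e`) and the rendered file keeps whatever ownership the redirect gave it. Please confirm the redirect was changed to the same `.create` path and that the step which later moves it into place as `recovery.conf` is covered by this change. The enclosing script continues on both sides of the hunk.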
......
......@@ -7,6 +7,8 @@ variable "first_user_password" {}
variable "disk_subscription" {}
variable "backup_aws_access_key" {}
variable "backup_aws_secret_key" {}
variable "sync_ip" {}
variable "vpn_ips" { default = ["10.0.0.1","10.0.0.2"] }
resource "azurerm_public_ip" "single" {
name = "single-public-ip"
......
resource "azurerm_network_security_group" "single" {
count = 1
name = "singleSecurityGroup"
location = "${var.location}"
resource_group_name = "${var.resource_group_name}"
security_rule {
name = "vpn1"
name = "sync-Inbound"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "*"
source_port_range = "*"
destination_port_range = "*"
source_address_prefix = "52.177.194.133"
source_address_prefix = "${var.sync_ip}"
destination_address_prefix = "*"
}
security_rule {
name = "vpn2"
name = "vpn1-Inbound"
priority = 101
direction = "Inbound"
access = "Allow"
protocol = "*"
source_port_range = "*"
destination_port_range = "*"
source_address_prefix = "52.177.192.239"
source_address_prefix = "${var.vpn_ips[0]}"
destination_address_prefix = "*"
}
security_rule {
name = "vpn2-Inbound"
priority = 102
direction = "Inbound"
access = "Allow"
protocol = "*"
source_port_range = "*"
destination_port_range = "*"
source_address_prefix = "${var.vpn_ips[1]}"
destination_address_prefix = "*"
}
security_rule {
name = "DenyAll"
name = "DenyAll-Inbound"
priority = 500
direction = "Inbound"
access = "Deny"
......@@ -39,33 +53,77 @@ resource "azurerm_network_security_group" "single" {
destination_address_prefix = "*"
}
security_rule {
name = "vpn1-OutBound"
name = "vpn1-Outbound"
priority = 100
direction = "Outbound"
access = "Allow"
protocol = "*"
source_port_range = "*"
destination_port_range = "*"
source_address_prefix = "52.177.194.133"
source_address_prefix = "${var.vpn_ips[0]}"
destination_address_prefix = "*"
}
security_rule {
name = "vpn2-OutBound"
name = "vpn2-Outbound"
priority = 101
direction = "Outbound"
access = "Allow"
protocol = "*"
source_port_range = "*"
destination_port_range = "*"
source_address_prefix = "52.177.192.239"
source_address_prefix = "${var.vpn_ips[1]}"
destination_address_prefix = "*"
}
security_rule {
name = "DenyAll-OutBound"
name = "sync-Outbound"
priority = 102
direction = "Outbound"
access = "Allow"
protocol = "*"
source_port_range = "*"
destination_port_range = "*"
source_address_prefix = "${var.sync_ip}"
destination_address_prefix = "*"
}
security_rule {
name = "azure-archive-Outbound"
priority = 103
direction = "Outbound"
access = "Allow"
protocol = "*"
source_port_range = "*"
destination_port_range = "*"
source_address_prefix = "13.93.151.135" # azure.archive.ubuntu.com
destination_address_prefix = "*"
}
security_rule {
name = "security-ubuntu-Outbound"
priority = 104
direction = "Outbound"
access = "Allow"
protocol = "*"
source_port_range = "*"
destination_port_range = "*"
source_address_prefix = "91.189.91.23" # security.ubuntu.com
destination_address_prefix = "*"
}
security_rule {
name = "packages-gitlab-Outbound"
priority = 105
direction = "Outbound"
access = "Allow"
protocol = "*"
source_port_range = "*"
destination_port_range = "*"
source_address_prefix = "54.153.54.194" # security.ubuntu.com
destination_address_prefix = "*"
}
security_rule {
name = "DenyAll-Outbound"
priority = 500
direction = "Outbound"
access = "Deny"
......@@ -75,7 +133,4 @@ resource "azurerm_network_security_group" "single" {
source_address_prefix = "*"
destination_address_prefix = "*"
}
}
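Review bot: The three new apt-mirror rules (`azure-archive-Outbound`, `security-ubuntu-Outbound`, `packages-gitlab-Outbound`) put the remote host in `source_address_prefix` while `direction = "Outbound"`; Azure evaluates outbound rules with the VM as the source, so these rules never match traffic the VM initiates and `DenyAll-Outbound` at priority 500 still wins, which is presumably why the mirrors were unreachable in the first place. The remote address belongs in `destination_address_prefix` with `source_address_prefix = "*"`, as in the fence below; the renamed `vpn*-Outbound` and `sync-Outbound` rules carry the same inverted pattern and are worth checking at the same time. The `packages-gitlab-Outbound` comment still says `# security.ubuntu.com` although it names a different host — fix it while swapping. Pinning `security.ubuntu.com` to one address is brittle because that name resolves to several rotating addresses; an in-VNet mirror, or a comment documenting how these addresses are refreshed, would be less surprising. The enclosing `azurerm_network_security_group` resource starts before the hunk at `@@ -39,33 +53,77 @@`.
```terraform
  security_rule {
    name                       = "azure-archive-Outbound"
    # … unchanged: priority, direction, access, protocol, port ranges …
    source_address_prefix      = "*"
    destination_address_prefix = "13.93.151.135" # azure.archive.ubuntu.com
  }
  # … same swap for security-ubuntu-Outbound (91.189.91.23) and packages-gitlab-Outbound (54.153.54.194, comment corrected) …
```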
#!/bin/bash
set -ex
exec &> >(tee -a "/tmp/bootstrap.log")
useradd -u 1100 git # this uid is used for the restore
export DEBIAN_FRONTEND=noninteractive
mkdir -p /var/opt/gitlab
mkfs.ext4 -F /dev/disk/by-id/google-gitlab_var
mount /dev/disk/by-id/google-gitlab_var /var/opt/gitlab
# Set apt config, update repos and disable postfix prompt
curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/script.deb.sh | sudo bash
debconf-set-selections <<< "postfix postfix/main_mailer_type string 'No configuration'"
# install everything in one go
apt-get -y install daemontools lzop gcc make python3 virtualenv python3-dev libssl-dev gitlab-ee ca-certificates postfix
gitlab-ctl reconfigure
# stop postgres just after reconfig
gitlab-ctl stop postgresql
sed -i 's/^max_replication_slots = 0/max_replication_slots = 100/' /var/opt/gitlab/postgresql/data/postgresql.conf
gitlab-ctl start postgresql
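Review bot: `mkfs.ext4 -F /dev/disk/by-id/google-gitlab_var` runs unconditionally, and GCE executes `metadata_startup_script` on every boot, not only the first; today a reboot is saved only by accident, because `useradd -u 1100 git` fails on the second run and `set -e` aborts the script before the format, so making that line idempotent would turn each reboot into a wipe of `/var/opt/gitlab`. Guard both steps explicitly as in the fence below so the script is safe to re-run. `curl https://packages.gitlab.com/... | sudo bash` also executes whatever the server returns as root without `-f`, so an HTTP error page would be fed to bash; `curl -fsS ... | bash` at minimum (the `sudo` is redundant in a root startup script), or better, install the repository key and apt source explicitly so the install is reproducible.
```bash
id git >/dev/null 2>&1 || useradd -u 1100 git # this uid is used for the restore
# … unchanged: DEBIAN_FRONTEND, mkdir …
if ! blkid /dev/disk/by-id/google-gitlab_var >/dev/null 2>&1; then
  mkfs.ext4 -F /dev/disk/by-id/google-gitlab_var
fi
mount /dev/disk/by-id/google-gitlab_var /var/opt/gitlab
```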
variable "location" {}
variable "machine_type" {}
variable "name" { default = "single" }
variable "disk_size" { default = "1024" }
variable "backup_aws_access_key" {}
variable "backup_aws_secret_key" {}
variable "prod_ip" {}
variable "vpn_ips" { default = ["10.0.0.1","10.0.0.2"] }
resource "google_compute_disk" "single" {
name = "${var.name}-disk"
type = "pd-ssd"
size = "${var.disk_size}"
zone = "${var.location}"
image = "debian-8-jessie-v20170523"
}
resource "google_compute_instance" "single" {
name = "${var.name}-instance"
machine_type = "${var.machine_type}"
zone = "${var.location}"
tags = ["${var.name}"]
boot_disk {
initialize_params {
image = "ubuntu-1604-xenial-v20170811"
}
}
network_interface {
network = "default"
access_config {
// Ephemeral IP
}
}
metadata_startup_script = "${file("${path.module}/files/bootstrap.bash")}"
attached_disk {
source = "${google_compute_disk.single.self_link}"
device_name = "gitlab_var"
}
}
output "public_ip" {
value = "${google_compute_instance.single.network_interface.0.access_config.0.assigned_nat_ip}"
}
resource "google_compute_firewall" "single" {
# egress support is not available yet
# https://github.com/terraform-providers/terraform-provider-google/pull/306
name = "${var.name}-firewall"
network = "default"
allow {
protocol = "icmp"
}
allow {
protocol = "udp"
}
allow {
protocol = "tcp"
}
source_ranges = ["${var.vpn_ips[0]}/32", "${var.vpn_ips[1]}/32", "${var.prod_ip}/32"]
target_tags = ["${var.name}"]
}
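Review bot: The instance is placed on the `default` network and the `google_compute_firewall` restricts only its own rule's `source_ranges`; the pre-created rules that ship with a project's `default` network (in particular the one admitting SSH from any address, unless they have been removed in this project) still apply to the instance, so the VPN/prod allow-list is not the only ingress path. A dedicated `google_compute_network` for the module, or at least a comment on the resource stating that the default-network rules are relied on, would make the intended exposure explicit. The `allow` blocks also admit every tcp and udp port from the listed sources; listing the ports the sync actually needs (`ports = [...]`) narrows what a compromised peer could reach. `backup_aws_access_key`/`backup_aws_secret_key` are declared but referenced by no resource in this file — if no other module file consumes them, drop them rather than route secrets through state for nothing. `image` on the data disk is also moot, since the bootstrap script formats it with `mkfs.ext4 -F` on first boot.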