Adds monitoring behind an https lb.

665e7e3f · John Jarvis · 4a515ed8 · 665e7e3f · 665e7e3f · 665e7e3f
Commit 665e7e3f authored Feb 14, 2018 by John Jarvis
10 changed files
--- a/environments/gprd/main.tf
+++ b/environments/gprd/main.tf
@@ -35,6 +35,17 @@ resource "google_compute_firewall" "allow-internal" {
  source_ranges = ["10.0.0.0/8"]
 }

+resource "google_compute_firewall" "allow-lb-traffic" {
+  name    = "allow-lb-traffic-${var.environment}"
+  network = "${module.network.self_link}"
+
+  allow {
+    protocol = "all"
+  }
+
+  source_ranges = ["130.211.0.0/22", "35.191.0.0/16"]
+}
+
 /*
 ##################################
 #
@@ -475,11 +486,13 @@ module "monitoring" {
  project              = "${var.project}"
  public_ports         = "${var.public_ports["monitoring"]}"
  region               = "${var.region}"
-  source               = "../../modules/google/generic-stor"
+  source               = "../../modules/google/monitoring"
  tier                 = "inf"
  vpc                  = "${module.network.self_link}"
  persistent_disk_path = "/opt/prometheus"
  bootstrap_version    = 2
+  gitlab_com_zone_id   = "${var.gitlab_com_zone_id}"
+  cert_link            = "projects/gitlab-production/global/sslCertificates/gprd-wildcard"
 }

 ##################################

--- a/environments/gprd/variables.tf
+++ b/environments/gprd/variables.tf
@@ -88,7 +88,7 @@ variable "node_count" {
    "lfs"                = 1
    "pages"              = 1
    "pgb"                = 1
-    "monitoring"         = 1
+    "monitoring"         = 2
    "redis"              = 1
    "redis-cache"        = 1
    "share"              = 1

--- a/modules/google/generic-stor/outputs.tf
+++ b/modules/google/generic-stor/outputs.tf
-output "instances_with_attached_disk_self_link" {
+output "instances_self_link" {
  value = "${google_compute_instance.instance_with_attached_disk.*.self_link}"
 }
--- a/modules/google/monitoring/data_sources.tf
+++ b/modules/google/monitoring/data_sources.tf
+data "google_compute_zones" "available" {
+  region = "${var.region}"
+  status = "UP"
+}
--- a/modules/google/monitoring/firewall.tf
+++ b/modules/google/monitoring/firewall.tf
+resource "google_compute_firewall" "public" {
+  count   = "${length(var.public_ports) > 0 ? 1 : 0}"
+  name    = "${format("%v-%v", var.name, var.environment)}"
+  network = "${var.vpc}"
+
+  allow {
+    protocol = "tcp"
+    ports    = ["${var.public_ports}"]
+  }
+
+  source_ranges = ["0.0.0.0/0"]
+
+  target_tags = ["${var.name}"]
+}
--- a/modules/google/monitoring/instance.tf
+++ b/modules/google/monitoring/instance.tf
+resource "google_compute_address" "static-ip-address" {
+  count        = "${var.node_count}"
+  name         = "${format("%v-%02d-%v-%v-static-ip", var.name, count.index + 1 + 100, var.tier, var.environment)}"
+  address_type = "INTERNAL"
+
+  address    = "${replace(var.ip_cidr_range, "/\\d+\\/\\d+$/", count.index + 1 + 100)}"
+  subnetwork = "${google_compute_subnetwork.subnetwork.self_link}"
+}
+
+resource "google_compute_disk" "data_disk" {
+  project = "${var.project}"
+  count   = "${(var.attach_data_disk && var.node_count > 0) ? var.node_count : 0}"
+  name    = "${format("%v-%02d-%v-%v-data", var.name, count.index + 1, var.tier, var.environment)}"
+  zone    = "${var.zone != "" ? var.zone : data.google_compute_zones.available.names[(count.index + 1) % length(data.google_compute_zones.available.names)]}"
+  size    = "${var.data_disk_size}"
+  type    = "${var.data_disk_type}"
+
+  labels {
+    environment = "${var.environment}"
+    pet_name    = "${var.name}"
+  }
+}
+
+resource "google_compute_instance" "instance_with_attached_disk" {
+  count        = "${var.attach_data_disk ? var.node_count : 0}"
+  name         = "${format("%v-%02d-%v-%v", var.name, count.index + 1, var.tier, var.environment)}"
+  machine_type = "${var.machine_type}"
+
+  metadata = {
+    "CHEF_URL"                = "${var.chef_provision.["server_url"]}"
+    "CHEF_VERSION"            = "${var.chef_provision.["version"]}"
+    "CHEF_NODE_NAME"          = "${format("%v-%02d.%v.%v.%v", var.name, count.index + 1, var.tier, var.environment, var.dns_zone_name)}"
+    "CHEF_ENVIRONMENT"        = "${var.environment}"
+    "CHEF_RUN_LIST"           = "${var.chef_run_list}"
+    "CHEF_DNS_ZONE_NAME"      = "${var.dns_zone_name}"
+    "CHEF_PROJECT"            = "${var.project}"
+    "GL_PERSISTENT_DISK_PATH" = "${var.persistent_disk_path}"
+  }
+
+  metadata_startup_script = "${file("${path.module}/../../../scripts/google/bootstrap-v${var.bootstrap_version}.sh")}"
+  project                 = "${var.project}"
+  zone                    = "${var.zone != "" ? var.zone : data.google_compute_zones.available.names[(count.index + 1) % length(data.google_compute_zones.available.names)]}"
+
+  service_account {
+    // this should be the instance under which the instance should be running, rather than the one creating it...
+    email = "[email protected]"
+
+    // all the defaults plus cloudkms to access kms
+    scopes = [
+      "https://www.googleapis.com/auth/cloud.useraccounts.readonly",
+      "https://www.googleapis.com/auth/devstorage.read_only",
+      "https://www.googleapis.com/auth/logging.write",
+      "https://www.googleapis.com/auth/monitoring.write",
+      "https://www.googleapis.com/auth/pubsub",
+      "https://www.googleapis.com/auth/service.management.readonly",
+      "https://www.googleapis.com/auth/servicecontrol",
+      "https://www.googleapis.com/auth/trace.append",
+      "https://www.googleapis.com/auth/cloudkms",
+      "https://www.googleapis.com/auth/compute.readonly",
+    ]
+  }
+
+  scheduling {
+    preemptible = "${var.preemptible}"
+  }
+
+  boot_disk {
+    auto_delete = true
+
+    initialize_params {
+      image = "${var.os_boot_image}"
+      size  = "${var.os_disk_size}"
+      type  = "${var.os_disk_type}"
+    }
+  }
+
+  attached_disk {
+    source = "${google_compute_disk.data_disk.*.self_link[count.index]}"
+  }
+
+  network_interface {
+    subnetwork    = "${google_compute_subnetwork.subnetwork.name}"
+    address       = "${google_compute_address.static-ip-address.*.address[count.index]}"
+    access_config = {}
+  }
+
+  labels {
+    environment = "${var.environment}"
+    pet_name    = "${var.name}"
+  }
+
+  tags = [
+    "${var.name}",
+    "${var.environment}",
+  ]
+
+  provisioner "local-exec" {
+    when    = "destroy"
+    command = "knife node delete ${format("%v-%02d.%v.%v.%v", var.name, count.index + 1, var.tier, var.environment, var.dns_zone_name)} -y; knife client delete ${format("%v-%02d.%v.%v.%v", var.name, count.index + 1, var.tier, var.environment, var.dns_zone_name)} -y; exit 0"
+  }
+}
--- a/modules/google/monitoring/loadbalancing.tf
+++ b/modules/google/monitoring/loadbalancing.tf
+data "google_compute_lb_ip_ranges" "ranges" {}
+
+resource "aws_route53_record" "monitoring" {
+  count   = "${var.node_count}"
+  zone_id = "${var.gitlab_com_zone_id}"
+  name    = "${format("prometheus-%02d.%v.gitlab.com.", count.index + 1, var.environment)}"
+  type    = "A"
+  ttl     = "300"
+  records = ["${google_compute_global_address.monitoring.*.address[count.index]}"]
+}
+
+resource "google_compute_global_address" "monitoring" {
+  count = "${var.node_count}"
+  name  = "${var.environment}-monitoring-${count.index + 1}"
+}
+
+resource "google_compute_global_forwarding_rule" "monitoring" {
+  count      = "${var.node_count}"
+  name       = "${var.environment}-monitoring-${count.index + 1}"
+  target     = "${google_compute_target_https_proxy.monitoring.*.self_link[count.index]}"
+  port_range = "443"
+  ip_address = "${google_compute_global_address.monitoring.*.address[count.index]}"
+}
+
+resource "google_compute_target_https_proxy" "monitoring" {
+  count            = "${var.node_count}"
+  name             = "${var.environment}-monitoring-${count.index + 1}"
+  description      = "https proxy for monitoring-${count.index + 1}"
+  ssl_certificates = ["${var.cert_link}"]
+  url_map          = "${google_compute_url_map.monitoring.*.self_link[count.index]}"
+}
+
+resource "google_compute_url_map" "monitoring" {
+  count           = "${var.node_count}"
+  name            = "${var.environment}-monitoring-${count.index + 1}"
+  default_service = "${google_compute_backend_service.monitoring.*.self_link[count.index]}"
+
+  host_rule {
+    hosts        = ["*"]
+    path_matcher = "allpaths"
+  }
+
+  path_matcher {
+    name            = "allpaths"
+    default_service = "${google_compute_backend_service.monitoring.*.self_link[count.index]}"
+
+    path_rule {
+      paths   = ["/graph"]
+      service = "${google_compute_backend_service.monitoring.*.self_link[count.index]}"
+    }
+  }
+}
+
+resource "google_compute_instance_group" "monitoring" {
+  count       = "${var.node_count}"
+  name        = "${var.environment}-monitoring-${count.index + 1}"
+  description = "Instance group for monitoring VM."
+  zone        = "${var.zone != "" ? var.zone : data.google_compute_zones.available.names[(count.index + 1) % length(data.google_compute_zones.available.names)]}"
+
+  named_port {
+    name = "prometheus"
+    port = "9090"
+  }
+
+  instances = ["${google_compute_instance.instance_with_attached_disk.*.self_link[count.index]}"]
+}
+
+resource "google_compute_health_check" "monitoring" {
+  count = "${var.node_count}"
+  name  = "${var.environment}-monitoring-${count.index + 1}"
+
+  http_health_check {
+    port         = "9090"
+    request_path = "/graph"
+  }
+}
+
+resource "google_compute_backend_service" "monitoring" {
+  count     = "${var.node_count}"
+  name      = "${var.environment}-monitoring-${count.index + 1}"
+  protocol  = "HTTP"
+  port_name = "prometheus"
+
+  backend {
+    group = "${google_compute_instance_group.monitoring.*.self_link[count.index]}"
+  }
+
+  health_checks = ["${google_compute_health_check.monitoring.*.self_link[count.index]}"]
+}
+
+resource "google_compute_firewall" "default" {
+  name    = "monitoring-firewall"
+  network = "${var.environment}"
+
+  allow {
+    protocol = "tcp"
+    ports    = ["80"]
+  }
+
+  source_ranges = ["${data.google_compute_lb_ip_ranges.ranges.network}"]
+  target_tags   = ["${var.name}"]
+}
--- a/modules/google/monitoring/outputs.tf
+++ b/modules/google/monitoring/outputs.tf
+output "instances_self_link" {
+  value = "${google_compute_instance.instance_with_attached_disk.*.self_link}"
+}
--- a/modules/google/monitoring/subnetwork.tf
+++ b/modules/google/monitoring/subnetwork.tf
+resource "google_compute_subnetwork" "subnetwork" {
+  count                    = "${var.node_count > 0 ? 1 : 0}"
+  name                     = "${format("%v-%v", var.name, var.environment)}"
+  network                  = "${var.vpc}"
+  project                  = "${var.project}"
+  region                   = "${var.region}"
+  ip_cidr_range            = "${var.ip_cidr_range}"
+  private_ip_google_access = true
+}
--- a/modules/google/monitoring/variables.tf
+++ b/modules/google/monitoring/variables.tf
+variable "cert_link" {
+  type        = "string"
+  description = "resource link for the ssl certificate"
+}
+
+variable "gitlab_com_zone_id" {
+  type        = "string"
+  description = "Zone id for creating dns records (AWS)"
+}
+
+variable "bootstrap_version" {
+  description = "version of the bootstrap script"
+  default     = 1
+}
+
+variable "persistent_disk_path" {
+  type        = "string"
+  description = "default location for disk mount"
+  default     = "/var/opt/gitlab"
+}
+
+variable "attach_data_disk" {
+  type        = "string"
+  description = "Attach a data disk to this machine"
+  default     = false
+}
+
+variable "chef_provision" {
+  type        = "map"
+  description = "Configuration details for chef server"
+}
+
+variable "chef_run_list" {
+  type        = "string"
+  description = "run_list for the node in chef"
+}
+
+variable "data_disk_size" {
+  type        = "string"
+  description = "The size of the data disk"
+  default     = 20
+}
+
+variable "data_disk_type" {
+  type        = "string"
+  description = "The type of the data disk"
+  default     = "pd-standard"
+}
+
+variable "dns_zone_name" {
+  type        = "string"
+  description = "The GCP name of the DNS zone to use for this environment"
+}
+
+variable "environment" {
+  type        = "string"
+  description = "The environment name"
+}
+
+variable "ip_cidr_range" {
+  type        = "string"
+  description = "The IP range"
+}
+
+variable "machine_type" {
+  type        = "string"
+  description = "The machine size"
+}
+
+variable "name" {
+  type        = "string"
+  description = "The pet name"
+}
+
+variable "node_count" {
+  type        = "string"
+  description = "The nodes count"
+}
+
+variable "os_boot_image" {
+  type        = "string"
+  description = "The OS image to boot"
+  default     = "ubuntu-os-cloud/ubuntu-1604-xenial-v20180122"
+}
+
+variable "os_disk_size" {
+  type        = "string"
+  description = "The OS disk size in GiB"
+  default     = 20
+}
+
+variable "os_disk_type" {
+  type        = "string"
+  description = "The OS disk type"
+  default     = "pd-standard"
+}
+
+variable "preemptible" {
+  type        = "string"
+  description = "Use preemptible instances for this pet"
+  default     = "false"
+}
+
+variable "project" {
+  type        = "string"
+  description = "The project name"
+}
+
+variable "public_ports" {
+  type        = "list"
+  description = "The list of ports that should be publicly reachable"
+  default     = []
+}
+
+variable "region" {
+  type        = "string"
+  description = "The target region"
+}
+
+variable "tier" {
+  type        = "string"
+  description = "The tier for this service"
+}
+
+variable "vpc" {
+  type        = "string"
+  description = "The target network"
+}
+
+variable "zone" {
+  type    = "string"
+  default = ""
+}