## State storage
#
# The s3 backend block is intentionally empty: bucket, key, region and any
# encryption/locking options must be supplied as partial configuration at
# `terraform init` time. NOTE(review): the state written there will contain
# the rendered values of sensitive inputs used below (var.vpn_shared_secret,
# var.oauth2_client_secret_monitoring) in plaintext — confirm the backend is
# initialised with server-side encryption and a tightly scoped bucket policy.
terraform {
  backend "s3" {}
}

## AWS
# Region is hard-coded while the Google region is a variable. The two Route53
# zone ids declared below are passed to the tcp-lb and monitoring-lb modules;
# presumably those modules create DNS records in them — verify in the modules.
provider "aws" {
  region = "us-east-1"
}

variable "gitlab_net_zone_id" {}
variable "gitlab_com_zone_id" {}

## Google
provider "google" {
  version = "~> 1.8.0"
  project = "${var.project}"
  region  = "${var.region}"
}

##################################
#
# Allow internal traffic
#
#################################
# Every protocol from the whole 10.0.0.0/8 range to every instance in the VPC:
# there are no target_tags, so the rule applies network-wide, and it is wider
# than the per-tier subnetworks defined via var.subnetworks. NOTE(review):
# consider whether per-tier target tags or narrower source ranges are warranted.
resource "google_compute_firewall" "allow-internal" {
  name    = "allow-internal-${var.environment}"
  network = "${module.network.self_link}"

  allow {
    protocol = "all"
  }

  source_ranges = ["10.0.0.0/8"]
}

# Traffic from the ranges Google documents for load balancer health checks and
# proxied connections. As above, protocol "all" and no target_tags, so every
# instance in the network accepts it, not only the load-balanced tiers.
resource "google_compute_firewall" "allow-lb-traffic" {
  name    = "allow-lb-traffic-${var.environment}"
  network = "${module.network.self_link}"

  allow {
    protocol = "all"
  }

  source_ranges = ["130.211.0.0/22", "35.191.0.0/16"]
}

/*
##################################
#
# NAT gateway
#
#################################
# Disabled. Note that if re-enabled the network name "gprd" is hard-coded
# rather than derived from module.network.
module "nat" {
  source  = "GoogleCloudPlatform/nat-gateway/google"
  region  = "${var.region}"
  network = "gprd"
}
*/

##################################
#
# Network
#
#################################
module "network" {
  source      = "../../modules/google/vpc"
  project     = "${var.project}"
  environment = "${var.environment}"
}

##################################
#
# Network Peering
#
#################################
# Peers the gprd network with the ops network. NOTE(review): the local side is
# taken from var.network_gprd rather than module.network.self_link, so this
# resource does not depend on the network module above — presumably both point
# at the same VPC; confirm, since a mismatch would silently peer a different
# network.
resource "google_compute_network_peering" "peering_ops" {
  name         = "peering-ops"
  network      = "${var.network_gprd}"
  peer_network = "${var.network_ops}"
}

##################################
#
# Web front-end
#
#################################
# All generic-sv-with-group tiers below share the same shape: a subnetwork from
# var.subnetworks, an instance group sized by var.node_count, a Chef role of the
# form role[<environment>-...], and a service port/health check that the
# module presumably uses for its backend service — see the module source.
module "web" {
  bootstrap_version     = 3
  chef_provision        = "${var.chef_provision}"
  chef_run_list         = "\"role[${var.environment}-base-fe-web]\""
  dns_zone_name         = "${var.dns_zone_name}"
  environment           = "${var.environment}"
  ip_cidr_range         = "${var.subnetworks["web"]}"
  machine_type          = "${var.machine_types["web"]}"
  name                  = "web"
  node_count            = "${var.node_count["web"]}"
  project               = "${var.project}"
  public_ports          = "${var.public_ports["web"]}"
  region                = "${var.region}"
  source                = "../../modules/google/generic-sv-with-group"
  tier                  = "sv"
  health_check          = "tcp"
  service_port          = 443
  vpc                   = "${module.network.self_link}"
  service_account_email = "${var.service_account_email}"
}

##################################
#
# API
#
#################################
module "api" {
  bootstrap_version     = 3
  chef_provision        = "${var.chef_provision}"
  chef_run_list         = "\"role[${var.environment}-base-fe-api]\""
  dns_zone_name         = "${var.dns_zone_name}"
  environment           = "${var.environment}"
  ip_cidr_range         = "${var.subnetworks["api"]}"
  machine_type          = "${var.machine_types["api"]}"
  name                  = "api"
  node_count            = "${var.node_count["api"]}"
  project               = "${var.project}"
  public_ports          = "${var.public_ports["api"]}"
  region                = "${var.region}"
  source                = "../../modules/google/generic-sv-with-group"
  health_check          = "tcp"
  service_port          = 443
  tier                  = "sv"
  vpc                   = "${module.network.self_link}"
  service_account_email = "${var.service_account_email}"
}

##################################
#
# Git
#
##################################
# Health-checked on 22 (ssh), unlike web/api which use 443.
module "git" {
  bootstrap_version     = 3
  chef_provision        = "${var.chef_provision}"
  chef_run_list         = "\"role[${var.environment}-base-fe-git]\""
  dns_zone_name         = "${var.dns_zone_name}"
  environment           = "${var.environment}"
  ip_cidr_range         = "${var.subnetworks["git"]}"
  machine_type          = "${var.machine_types["git"]}"
  name                  = "git"
  node_count            = "${var.node_count["git"]}"
  project               = "${var.project}"
  public_ports          = "${var.public_ports["git"]}"
  region                = "${var.region}"
  source                = "../../modules/google/generic-sv-with-group"
  health_check          = "tcp"
  service_port          = 22
  tier                  = "sv"
  vpc                   = "${module.network.self_link}"
  service_account_email = "${var.service_account_email}"
}

##################################
#
# registry front-end
#
#################################
module "registry" {
  bootstrap_version     = 3
  chef_provision        = "${var.chef_provision}"
  chef_run_list         = "\"role[${var.environment}-base-fe-registry]\""
  dns_zone_name         = "${var.dns_zone_name}"
  environment           = "${var.environment}"
  ip_cidr_range         = "${var.subnetworks["registry"]}"
  machine_type          = "${var.machine_types["registry"]}"
  name                  = "registry"
  node_count            = "${var.node_count["registry"]}"
  project               = "${var.project}"
  public_ports          = "${var.public_ports["registry"]}"
  region                = "${var.region}"
  source                = "../../modules/google/generic-sv-with-group"
  health_check          = "tcp"
  service_port          = 22
  tier                  = "sv"
  vpc                   = "${module.network.self_link}"
  service_account_email = "${var.service_account_email}"
}

##################################
#
# Database
#
#################################
# Primary postgres nodes: two roles in one run list (base + replication).
module "postgres" {
  bootstrap_version     = 3
  data_disk_size        = 5000
  data_disk_type        = "pd-ssd"
  chef_provision        = "${var.chef_provision}"
  chef_run_list         = "\"role[${var.environment}-base-db-postgres]\",\"role[${var.environment}-base-db-postgres-replication]\""
  dns_zone_name         = "${var.dns_zone_name}"
  environment           = "${var.environment}"
  ip_cidr_range         = "${var.subnetworks["db"]}"
  machine_type          = "${var.machine_types["db"]}"
  name                  = "postgres"
  node_count            = "${var.node_count["db"]}"
  project               = "${var.project}"
  public_ports          = "${var.public_ports["db"]}"
  region                = "${var.region}"
  source                = "../../modules/google/generic-stor"
  tier                  = "db"
  vpc                   = "${module.network.self_link}"
  service_account_email = "${var.service_account_email}"
}

module "pg-bouncer" {
  bootstrap_version     = 3
  chef_provision        = "${var.chef_provision}"
  chef_run_list         = "\"role[${var.environment}-base-db-pgbouncer]\""
  dns_zone_name         = "${var.dns_zone_name}"
  environment           = "${var.environment}"
  ip_cidr_range         = "${var.subnetworks["pgb"]}"
  machine_type          = "${var.machine_types["pgb"]}"
  name                  = "pgbouncer"
  node_count            = "${var.node_count["pgb"]}"
  project               = "${var.project}"
  public_ports          = "${var.public_ports["pgb"]}"
  region                = "${var.region}"
  source                = "../../modules/google/generic-sv-with-group"
  health_check          = "tcp"
  service_port          = 22
  tier                  = "db"
  vpc                   = "${module.network.self_link}"
  service_account_email = "${var.service_account_email}"
}

module "geo-postgres" {
  bootstrap_version     = 3
  data_disk_size        = 5000
  data_disk_type        = "pd-ssd"
  chef_provision        = "${var.chef_provision}"
  chef_run_list         = "\"role[${var.environment}-base-db-geo-postgres]\""
  dns_zone_name         = "${var.dns_zone_name}"
  environment           = "${var.environment}"
  ip_cidr_range         = "${var.subnetworks["geodb"]}"
  machine_type          = "${var.machine_types["geodb"]}"
  name                  = "geo-postgres"
  node_count            = "${var.node_count["geodb"]}"
  project               = "${var.project}"
  public_ports          = "${var.public_ports["geodb"]}"
  region                = "${var.region}"
  source                = "../../modules/google/generic-stor"
  tier                  = "db"
  vpc                   = "${module.network.self_link}"
  service_account_email = "${var.service_account_email}"
}

##################################
#
# Redis
#
##################################
module "redis" {
  bootstrap_version     = 3
  data_disk_size        = 100
  data_disk_type        = "pd-ssd"
  chef_provision        = "${var.chef_provision}"
  chef_run_list         = "\"role[${var.environment}-base-db-redis-server-single]\""
  dns_zone_name         = "${var.dns_zone_name}"
  environment           = "${var.environment}"
  ip_cidr_range         = "${var.subnetworks["redis"]}"
  machine_type          = "${var.machine_types["redis"]}"
  name                  = "redis"
  node_count            = "${var.node_count["redis"]}"
  project               = "${var.project}"
  public_ports          = "${var.public_ports["redis"]}"
  region                = "${var.region}"
  service_account_email = "${var.service_account_email}"
  source                = "../../modules/google/generic-stor"
  tier                  = "db"
  vpc                   = "${module.network.self_link}"
}

# Redis cache: separate redis and sentinel instance sets from one module.
# NOTE(review): both run lists hard-code the "gprd" environment prefix while
# every other tier in this file derives it from var.environment, so applying
# this root module with any other var.environment would still converge the
# cache nodes to the gprd roles. Also no service_account_email is passed here,
# unlike the other tiers — confirm that is intentional.
module "redis-cache" {
  bootstrap_version       = 3
  chef_provision          = "${var.chef_provision}"
  dns_zone_name           = "${var.dns_zone_name}"
  environment             = "${var.environment}"
  ip_cidr_range           = "${var.subnetworks["redis-cache"]}"
  name                    = "redis-cache"
  project                 = "${var.project}"
  public_ports            = "${var.public_ports["redis-cache"]}"
  region                  = "${var.region}"
  redis_chef_run_list     = "\"role[gprd-base-db-redis-server-cache]\""
  redis_count             = "${var.node_count["redis-cache"]}"
  redis_data_disk_size    = 100
  redis_data_disk_type    = "pd-ssd"
  redis_machine_type      = "${var.machine_types["redis-cache"]}"
  sentinel_chef_run_list  = "\"role[gprd-base-db-redis-sentinel-cache]\""
  sentinel_count          = "${var.node_count["redis-cache-sentinel"]}"
  sentinel_data_disk_size = 100
  sentinel_data_disk_type = "pd-ssd"
  sentinel_machine_type   = "${var.machine_types["redis-cache-sentinel"]}"
  source                  = "../../modules/google/generic-stor-redis"
  tier                    = "db"
  vpc                     = "${module.network.self_link}"
}

##################################
#
# Sidekiq
#
##################################
# One module instance fans out into several sidekiq pools (asap, besteffort,
# traces, elasticsearch, pages, pipeline, pullmirror, realtime), each with its
# own count and machine type from var.node_count / var.machine_types. The
# top-level chef_run_list and machine_type are the besteffort ones; how the
# module uses them versus the per-pool values is not visible here.
module "sidekiq" {
  bootstrap_version                   = 3
  chef_provision                      = "${var.chef_provision}"
  chef_run_list                       = "\"role[${var.environment}-base-be-sidekiq-besteffort]\""
  dns_zone_name                       = "${var.dns_zone_name}"
  environment                         = "${var.environment}"
  ip_cidr_range                       = "${var.subnetworks["sidekiq"]}"
  machine_type                        = "${var.machine_types["sidekiq-besteffort"]}"
  name                                = "sidekiq"
  project                             = "${var.project}"
  public_ports                        = "${var.public_ports["sidekiq"]}"
  region                              = "${var.region}"
  sidekiq_asap_count                  = "${var.node_count["sidekiq-asap"]}"
  sidekiq_asap_instance_type          = "${var.machine_types["sidekiq-asap"]}"
  sidekiq_besteffort_count            = "${var.node_count["sidekiq-besteffort"]}"
  sidekiq_besteffort_instance_type    = "${var.machine_types["sidekiq-besteffort"]}"
  sidekiq_traces_count                = "${var.node_count["sidekiq-traces"]}"
  sidekiq_traces_instance_type        = "${var.machine_types["sidekiq-traces"]}"
  sidekiq_elasticsearch_count         = "${var.node_count["sidekiq-elasticsearch"]}"
  sidekiq_elasticsearch_instance_type = "${var.machine_types["sidekiq-elasticsearch"]}"
  sidekiq_pages_count                 = "${var.node_count["sidekiq-pages"]}"
  sidekiq_pages_instance_type         = "${var.machine_types["sidekiq-pages"]}"
  sidekiq_pipeline_count              = "${var.node_count["sidekiq-pipeline"]}"
  sidekiq_pipeline_instance_type      = "${var.machine_types["sidekiq-pipeline"]}"
  sidekiq_pullmirror_count            = "${var.node_count["sidekiq-pullmirror"]}"
  sidekiq_pullmirror_instance_type    = "${var.machine_types["sidekiq-pullmirror"]}"
  sidekiq_realtime_count              = "${var.node_count["sidekiq-realtime"]}"
  sidekiq_realtime_instance_type      = "${var.machine_types["sidekiq-realtime"]}"
  service_account_email               = "${var.service_account_email}"
  source                              = "../../modules/google/generic-sv-sidekiq"
  tier                                = "sv"
  vpc                                 = "${module.network.self_link}"
}

##################################
#
# Mailroom
#
##################################
module "mailroom" {
  bootstrap_version     = 3
  chef_provision        = "${var.chef_provision}"
  chef_run_list         = "\"role[${var.environment}-base-be-mailroom]\""
  dns_zone_name         = "${var.dns_zone_name}"
  environment           = "${var.environment}"
  ip_cidr_range         = "${var.subnetworks["mailroom"]}"
  machine_type          = "${var.machine_types["mailroom"]}"
  name                  = "mailroom"
  node_count            = "${var.node_count["mailroom"]}"
  project               = "${var.project}"
  public_ports          = "${var.public_ports["mailroom"]}"
  region                = "${var.region}"
  source                = "../../modules/google/generic-sv-with-group"
  health_check          = "tcp"
  service_port          = 22
  tier                  = "sv"
  vpc                   = "${module.network.self_link}"
  service_account_email = "${var.service_account_email}"
}

##################################
#
# Storage nodes for repositories
#
##################################
# NFS storage for git repositories. The only tier with a pinned zone; every
# other tier is regional via var.region. NOTE(review): "us-east1-c" is
# hard-coded, so changing var.region alone would not move this tier.
module "file" {
  bootstrap_version     = 3
  data_disk_size        = 16000
  data_disk_type        = "pd-ssd"
  chef_provision        = "${var.chef_provision}"
  chef_run_list         = "\"role[${var.environment}-base-stor-nfs]\""
  dns_zone_name         = "${var.dns_zone_name}"
  environment           = "${var.environment}"
  ip_cidr_range         = "${var.subnetworks["stor"]}"
  machine_type          = "${var.machine_types["stor"]}"
  name                  = "file"
  node_count            = "${var.node_count["stor"]}"
  project               = "${var.project}"
  public_ports          = "${var.public_ports["stor"]}"
  region                = "${var.region}"
  source                = "../../modules/google/generic-stor"
  tier                  = "stor"
  vpc                   = "${module.network.self_link}"
  zone                  = "us-east1-c"
  service_account_email = "${var.service_account_email}"
}

##################################
#
# Storage nodes for
# uploads/lfs/pages/artifacts/builds/cache
#
# share:
#   gitlab-ci/builds
#   gitlab-rails/shared/cache
#   gitlab-rails/shared/tmp
#   gitlab-rails/uploads
#
# lfs:
#   gitlab-rails/shared/lfs-objects
#
# pages:
#   gitlab-rails/shared/pages
#
# artifacts:
#   gitlab-rails/shared/artifacts
#
##################################
module "share" {
  bootstrap_version     = 3
  data_disk_size        = 16000
  data_disk_type        = "pd-standard"
  chef_provision        = "${var.chef_provision}"
  chef_run_list         = "\"role[${var.environment}-base-stor]\""
  dns_zone_name         = "${var.dns_zone_name}"
  environment           = "${var.environment}"
  ip_cidr_range         = "${var.subnetworks["share"]}"
  machine_type          = "${var.machine_types["stor"]}"
  name                  = "share"
  node_count            = "${var.node_count["share"]}"
  project               = "${var.project}"
  public_ports          = "${var.public_ports["stor"]}"
  region                = "${var.region}"
  source                = "../../modules/google/generic-stor-dynamic-ip"
  tier                  = "stor"
  vpc                   = "${module.network.self_link}"
  service_account_email = "${var.service_account_email}"
}

# NOTE(review): chef_run_list is assigned twice in this block (and likewise in
# "pages" and "artifacts" below): once with the base-stor role and once with
# var.empty_chef_run_list. Which value reaches the module depends on how the
# config loader treats duplicate keys, so the effective run list is ambiguous
# from the file alone. Keep exactly one assignment once the intended value is
# confirmed.
module "lfs" {
  bootstrap_version     = 3
  data_disk_size        = 16000
  data_disk_type        = "pd-standard"
  chef_run_list         = "\"role[${var.environment}-base-stor]\""
  chef_provision        = "${var.chef_provision}"
  chef_run_list         = "${var.empty_chef_run_list}"
  dns_zone_name         = "${var.dns_zone_name}"
  environment           = "${var.environment}"
  ip_cidr_range         = "${var.subnetworks["lfs"]}"
  machine_type          = "${var.machine_types["stor"]}"
  name                  = "lfs"
  node_count            = "${var.node_count["lfs"]}"
  project               = "${var.project}"
  public_ports          = "${var.public_ports["stor"]}"
  region                = "${var.region}"
  source                = "../../modules/google/generic-stor-dynamic-ip"
  tier                  = "stor"
  vpc                   = "${module.network.self_link}"
  service_account_email = "${var.service_account_email}"
}

# See the duplicate chef_run_list note on module "lfs".
module "pages" {
  bootstrap_version     = 3
  chef_run_list         = "\"role[${var.environment}-base-stor]\""
  data_disk_size        = 16000
  data_disk_type        = "pd-standard"
  chef_provision        = "${var.chef_provision}"
  chef_run_list         = "${var.empty_chef_run_list}"
  dns_zone_name         = "${var.dns_zone_name}"
  environment           = "${var.environment}"
  ip_cidr_range         = "${var.subnetworks["pages"]}"
  machine_type          = "${var.machine_types["stor"]}"
  name                  = "pages"
  node_count            = "${var.node_count["pages"]}"
  project               = "${var.project}"
  public_ports          = "${var.public_ports["stor"]}"
  region                = "${var.region}"
  source                = "../../modules/google/generic-stor-dynamic-ip"
  tier                  = "stor"
  vpc                   = "${module.network.self_link}"
  service_account_email = "${var.service_account_email}"
}

# See the duplicate chef_run_list note on module "lfs". Larger disk (32000)
# than the other shared-storage tiers.
module "artifacts" {
  bootstrap_version     = 3
  chef_run_list         = "\"role[${var.environment}-base-stor]\""
  data_disk_size        = 32000
  data_disk_type        = "pd-standard"
  chef_provision        = "${var.chef_provision}"
  chef_run_list         = "${var.empty_chef_run_list}"
  dns_zone_name         = "${var.dns_zone_name}"
  environment           = "${var.environment}"
  ip_cidr_range         = "${var.subnetworks["artifacts"]}"
  machine_type          = "${var.machine_types["stor"]}"
  name                  = "artifacts"
  node_count            = "${var.node_count["artifacts"]}"
  project               = "${var.project}"
  public_ports          = "${var.public_ports["stor"]}"
  region                = "${var.region}"
  source                = "../../modules/google/generic-stor-dynamic-ip"
  tier                  = "stor"
  vpc                   = "${module.network.self_link}"
  service_account_email = "${var.service_account_email}"
}

##################################
#
# External LoadBalancer
#
##################################
# HAProxy-style front-end nodes. The HTTP health check on 8002 at
# /-/available-https is what the TCP load balancers below use to decide
# whether a node may receive traffic. create_backend_service = false because
# the regional backend service for the internal LB is declared explicitly
# further down.
module "fe-lb" {
  bootstrap_version      = 3
  chef_provision         = "${var.chef_provision}"
  chef_run_list          = "\"role[${var.environment}-base-lb-fe]\""
  dns_zone_name          = "${var.dns_zone_name}"
  environment            = "${var.environment}"
  ip_cidr_range          = "${var.subnetworks["fe-lb"]}"
  machine_type           = "${var.machine_types["fe-lb"]}"
  name                   = "fe"
  node_count             = "${var.node_count["fe-lb"]}"
  project                = "${var.project}"
  public_ports           = "${var.public_ports["fe-lb"]}"
  region                 = "${var.region}"
  service_account_email  = "${var.service_account_email}"
  source                 = "../../modules/google/generic-sv-with-group"
  health_check           = "http"
  service_port           = 8002
  service_path           = "/-/available-https"
  tier                   = "lb"
  vpc                    = "${module.network.self_link}"
  create_backend_service = false
}

##################################
#
# External LoadBalancer Pages
#
##################################
# Shares the fe-lb machine type and public ports but has its own subnetwork
# and node count. Health check is "http" on 7331 with no service_path, so the
# module's default path applies (not visible here).
module "fe-lb-pages" {
  bootstrap_version     = 3
  chef_provision        = "${var.chef_provision}"
  chef_run_list         = "\"role[${var.environment}-base-lb-pages]\""
  dns_zone_name         = "${var.dns_zone_name}"
  environment           = "${var.environment}"
  ip_cidr_range         = "${var.subnetworks["fe-lb-pages"]}"
  machine_type          = "${var.machine_types["fe-lb"]}"
  name                  = "fe-pages"
  node_count            = "${var.node_count["fe-lb-pages"]}"
  project               = "${var.project}"
  public_ports          = "${var.public_ports["fe-lb"]}"
  region                = "${var.region}"
  service_account_email = "${var.service_account_email}"
  source                = "../../modules/google/generic-sv-with-group"
  health_check          = "http"
  service_port          = 7331
  tier                  = "lb"
  vpc                   = "${module.network.self_link}"
}

##################################
#
# External LoadBalancer AltSSH
#
##################################
module "fe-lb-altssh" {
  bootstrap_version     = 3
  chef_provision        = "${var.chef_provision}"
  chef_run_list         = "\"role[${var.environment}-base-lb-altssh]\""
  dns_zone_name         = "${var.dns_zone_name}"
  environment           = "${var.environment}"
  ip_cidr_range         = "${var.subnetworks["fe-lb-altssh"]}"
  machine_type          = "${var.machine_types["fe-lb"]}"
  name                  = "fe-altssh"
  node_count            = "${var.node_count["fe-lb-altssh"]}"
  project               = "${var.project}"
  public_ports          = "${var.public_ports["fe-lb"]}"
  region                = "${var.region}"
  service_account_email = "${var.service_account_email}"
  source                = "../../modules/google/generic-sv-with-group"
  health_check          = "http"
  service_port          = 7331
  tier                  = "lb"
  vpc                   = "${module.network.self_link}"
}

##################################
#
# GCP TCP LoadBalancers
#
##################################
# Each tcp-lb module creates lb_count forwarding rules (one per entry in the
# corresponding var.tcp_lbs_*["names"]) in front of the instance groups of the
# named front-end tier, and is handed a Route53 zone id for DNS.

#### Load balancer for the main site
module "gcp-tcp-lb" {
  name                   = "gcp-tcp-lb"
  lb_count               = "${length(var.tcp_lbs["names"])}"
  names                  = "${var.tcp_lbs["names"]}"
  fqdn                   = "${var.lb_fqdn}"
  gitlab_zone_id         = "${var.gitlab_com_zone_id}"
  environment            = "${var.environment}"
  region                 = "${var.region}"
  project                = "${var.project}"
  source                 = "../../modules/google/tcp-lb"
  targets                = ["fe"]
  forwarding_port_ranges = "${var.tcp_lbs["forwarding_port_ranges"]}"
  health_check_ports     = "${var.tcp_lbs["health_check_ports"]}"
  instances              = ["${module.fe-lb.instances_self_link}"]
}

### The regional backend service that is required for the internal
### load balancer. Unlike global backend services every instance
### group _must_ contain at least one instance. Also you cannot
### have both a global and a regional backend service.
#
# NOTE(review): only instance_groups_self_link[1] (the second group the fe-lb
# module exposes) is registered as a backend; the index is hard-coded, so the
# choice of zone/group depends on the module's output ordering — confirm that
# is the intended group and that it is never empty (see the constraint above).
resource "google_compute_region_backend_service" "internal-lb" {
  name     = "${format("%v-internal-lb", var.environment)}"
  protocol = "TCP"

  backend {
    group = "${module.fe-lb.instance_groups_self_link[1]}"
  }

  health_checks = ["${module.fe-lb.http_health_check_self_link}"]
}

###### Internal Load balancer for the main site
module "gcp-tcp-lb-internal" {
  name                   = "gcp-tcp-lb-internal"
  lb_count               = "${length(var.tcp_lbs_internal["names"])}"
  names                  = "${var.tcp_lbs_internal["names"]}"
  fqdn                   = "${var.lb_fqdn_internal}"
  gitlab_zone_id         = "${var.gitlab_com_zone_id}"
  environment            = "${var.environment}"
  region                 = "${var.region}"
  project                = "${var.project}"
  source                 = "../../modules/google/tcp-lb"
  targets                = ["fe"]
  forwarding_port_ranges = "${var.tcp_lbs_internal["forwarding_port_ranges"]}"
  health_check_ports     = "${var.tcp_lbs_internal["health_check_ports"]}"
  instances              = ["${module.fe-lb.instances_self_link}"]

  ### Additional options only for internal lb
  external             = false
  vpc                  = "${module.network.self_link}"
  subnetwork_self_link = "${module.fe-lb.google_compute_subnetwork_self_link}"
  backend_service      = "${google_compute_region_backend_service.internal-lb.self_link}"
}

#### Load balancer for pages
module "gcp-tcp-lb-pages" {
  name                   = "gcp-tcp-lb-pages"
  lb_count               = "${length(var.tcp_lbs_pages["names"])}"
  names                  = "${var.tcp_lbs_pages["names"]}"
  fqdn                   = "${var.lb_fqdn_pages}"
  gitlab_zone_id         = "${var.gitlab_com_zone_id}"
  environment            = "${var.environment}"
  region                 = "${var.region}"
  project                = "${var.project}"
  source                 = "../../modules/google/tcp-lb"
  targets                = ["fe-pages"]
  forwarding_port_ranges = "${var.tcp_lbs_pages["forwarding_port_ranges"]}"
  health_check_ports     = "${var.tcp_lbs_pages["health_check_ports"]}"
  instances              = ["${module.fe-lb-pages.instances_self_link}"]
}

#### Load balancer for altssh
module "gcp-tcp-lb-altssh" {
  name                   = "gcp-tcp-lb-altssh"
  lb_count               = "${length(var.tcp_lbs_altssh["names"])}"
  names                  = "${var.tcp_lbs_altssh["names"]}"
  fqdn                   = "${var.lb_fqdn_altssh}"
  gitlab_zone_id         = "${var.gitlab_com_zone_id}"
  environment            = "${var.environment}"
  region                 = "${var.region}"
  project                = "${var.project}"
  source                 = "../../modules/google/tcp-lb"
  targets                = ["fe-altssh"]
  forwarding_port_ranges = "${var.tcp_lbs_altssh["forwarding_port_ranges"]}"
  health_check_ports     = "${var.tcp_lbs_altssh["health_check_ports"]}"
  instances              = ["${module.fe-lb-altssh.instances_self_link}"]
}

#### Load balancer for bastion
# Unlike the other TCP LBs this one pins CLIENT_IP session affinity so a given
# source keeps hitting the same bastion host. It references module "bastion",
# declared near the end of this file.
module "gcp-tcp-lb-bastion" {
  environment            = "${var.environment}"
  forwarding_port_ranges = "${var.tcp_lbs_bastion["forwarding_port_ranges"]}"
  fqdn                   = "${var.lb_fqdn_bastion}"
  gitlab_zone_id         = "${var.gitlab_com_zone_id}"
  health_check_ports     = "${var.tcp_lbs_bastion["health_check_ports"]}"
  instances              = ["${module.bastion.instances_self_link}"]
  lb_count               = "${length(var.tcp_lbs_bastion["names"])}"
  name                   = "gcp-tcp-lb-bastion"
  names                  = "${var.tcp_lbs_bastion["names"]}"
  project                = "${var.project}"
  region                 = "${var.region}"
  session_affinity       = "CLIENT_IP"
  source                 = "../../modules/google/tcp-lb"
  targets                = ["bastion"]
}

##################################
#
# Consul
#
##################################
# NOTE(review): the run list hard-codes "gprd" instead of var.environment
# (compare the other tiers). No health_check is set, only service_port 8300.
module "consul" {
  bootstrap_version     = 3
  chef_provision        = "${var.chef_provision}"
  chef_run_list         = "\"role[gprd-infra-consul]\""
  dns_zone_name         = "${var.dns_zone_name}"
  environment           = "${var.environment}"
  ip_cidr_range         = "${var.subnetworks["consul"]}"
  machine_type          = "${var.machine_types["consul"]}"
  name                  = "consul"
  node_count            = "${var.node_count["consul"]}"
  project               = "${var.project}"
  public_ports          = "${var.public_ports["consul"]}"
  region                = "${var.region}"
  service_port          = 8300
  source                = "../../modules/google/generic-sv-with-group"
  tier                  = "inf"
  vpc                   = "${module.network.self_link}"
  service_account_email = "${var.service_account_email}"
}

##################################
#
# Pubsubbeats
#
# Machines for running the beats
# that consume logs from pubsub
# and send them to elastic cloud
#
# You must have a chef role with the
# following format:
# role[<environment>-infra-pubsubbeat-<name>]
#
##################################
# NOTE(review): chef_run_list here is the consul role,
# "role[gprd-infra-consul]", which contradicts the role format described in
# the header above and looks like a copy/paste from module "consul". The
# pubsubbeat module may derive the real run list from `names` and ignore this
# input — confirm against the module before relying on it either way.
module "pubsubbeat" {
  bootstrap_version         = 3
  allow_stopping_for_update = true
  names                     = "${var.pubsubbeats["names"]}"
  machine_types             = "${var.pubsubbeats["machine_types"]}"
  chef_provision            = "${var.chef_provision}"
  chef_run_list             = "\"role[gprd-infra-consul]\""
  dns_zone_name             = "${var.dns_zone_name}"
  environment               = "${var.environment}"
  ip_cidr_range             = "${var.subnetworks["pubsubbeat"]}"
  project                   = "${var.project}"
  public_ports              = "${var.public_ports["pubsubbeat"]}"
  region                    = "${var.region}"
  health_check              = "tcp"
  service_port              = 22
  source                    = "../../modules/google/pubsubbeat"
  tier                      = "inf"
  vpc                       = "${module.network.self_link}"
  service_account_email     = "${var.service_account_email}"
}

##################################
#
# Monitoring
#
# Uses the monitoring module, this
# creates a single instance behind
# a load balancer with identity aware
# proxy enabled.
#
##################################
# Dedicated subnetwork for the monitoring hosts. private_ip_google_access lets
# instances without external IPs reach Google APIs.
resource "google_compute_subnetwork" "monitoring" {
  name                     = "${format("monitoring-%v", var.environment)}"
  network                  = "${module.network.self_link}"
  project                  = "${var.project}"
  region                   = "${var.region}"
  ip_cidr_range            = "${var.subnetworks["monitoring"]}"
  private_ip_google_access = true
}

# Disabled: this would have opened every var.public_ports["monitoring"] port to
# 0.0.0.0/0 for the monitoring hosts. With it commented out, ingress to those
# hosts is expected to go through the IAP-fronted load balancer below instead;
# do not re-enable without narrowing source_ranges.
# resource "google_compute_firewall" "monitoring" {
#   name    = "${format("monitoring-%v", var.environment)}"
#   network = "${module.network.self_link}"
#
#   allow {
#     protocol = "tcp"
#     ports    = ["${var.public_ports["monitoring"]}"]
#   }
#
#   source_ranges = ["0.0.0.0/0"]
#   target_tags   = ["${keys(var.monitoring_hosts)}"]
# }

#######################
#
# load balancer for all hosts in this section
#
#######################
# var.monitoring_hosts maps hostname -> service port; keys become the LB hosts
# and values the backend ports. url_map references
# google_compute_url_map.monitoring-lb, which is declared elsewhere in this
# root module (not in this file).
# NOTE(review): gitlab_net_zone_id is assigned twice with the same value —
# harmless but one of the two lines should go.
module "monitoring-lb" {
  subnetwork_name    = "${google_compute_subnetwork.monitoring.name}"
  environment        = "${var.environment}"
  source             = "../../modules/google/monitoring-lb"
  name               = "monitoring-lb"
  gitlab_net_zone_id = "${var.gitlab_net_zone_id}"
  project            = "${var.project}"
  region             = "${var.region}"
  gitlab_net_zone_id = "${var.gitlab_net_zone_id}"
  cert_link          = "${var.monitoring_cert_link}"
  service_ports      = ["${values(var.monitoring_hosts)}"]
  url_map            = "${google_compute_url_map.monitoring-lb.self_link}"
  hosts              = ["${keys(var.monitoring_hosts)}"]
}

#######################
# Grafana. The oauth2 client id/secret are the IAP credentials; the secret
# transits through Terraform state (see the backend note at the top).
module "performance" {
  attach_data_disk      = true
  bootstrap_version     = 3
  chef_provision        = "${var.chef_provision}"
  chef_run_list         = "\"role[${var.environment}-private-grafana]\""
  data_disk_size        = 100
  data_disk_type        = "pd-standard"
  dns_zone_name         = "${var.dns_zone_name}"
  environment           = "${var.environment}"
  machine_type          = "${var.machine_types["monitoring"]}"
  name                  = "performance"
  node_count            = 1
  oauth2_client_id      = "${var.oauth2_client_id_monitoring}"
  oauth2_client_secret  = "${var.oauth2_client_secret_monitoring}"
  persistent_disk_path  = "/opt"
  project               = "${var.project}"
  region                = "${var.region}"
  service_path          = "/login"
  service_port          = "${var.monitoring_hosts["performance.${var.environment}"]}"
  source                = "../../modules/google/monitoring-with-count"
  subnetwork_name       = "${google_compute_subnetwork.monitoring.name}"
  tier                  = "inf"
  service_account_email = "${var.service_account_email}"
}

module "prometheus" {
  attach_data_disk      = true
  bootstrap_version     = 3
  chef_provision        = "${var.chef_provision}"
  chef_run_list         = "\"role[${var.environment}-infra-prometheus]\""
  data_disk_size        = 1000
  data_disk_type        = "pd-standard"
  dns_zone_name         = "${var.dns_zone_name}"
  environment           = "${var.environment}"
  machine_type          = "${var.machine_types["monitoring"]}"
  name                  = "prometheus"
  node_count            = 1
  oauth2_client_id      = "${var.oauth2_client_id_monitoring}"
  oauth2_client_secret  = "${var.oauth2_client_secret_monitoring}"
  persistent_disk_path  = "/opt/prometheus"
  project               = "${var.project}"
  region                = "${var.region}"
  service_path          = "/graph"
  service_port          = "${var.monitoring_hosts["prometheus.${var.environment}"]}"
  source                = "../../modules/google/monitoring-with-count"
  subnetwork_name       = "${google_compute_subnetwork.monitoring.name}"
  tier                  = "inf"
  service_account_email = "${var.service_account_email}"
}

module "prometheus-app" {
  attach_data_disk      = true
  bootstrap_version     = 3
  chef_provision        = "${var.chef_provision}"
  chef_run_list         = "\"role[${var.environment}-infra-prometheus-app]\""
  data_disk_size        = 1000
  data_disk_type        = "pd-standard"
  dns_zone_name         = "${var.dns_zone_name}"
  environment           = "${var.environment}"
  machine_type          = "${var.machine_types["monitoring"]}"
  name                  = "prometheus-app"
  node_count            = 1
  oauth2_client_id      = "${var.oauth2_client_id_monitoring}"
  oauth2_client_secret  = "${var.oauth2_client_secret_monitoring}"
  persistent_disk_path  = "/opt/prometheus"
  project               = "${var.project}"
  region                = "${var.region}"
  service_path          = "/graph"
  service_port          = "${var.monitoring_hosts["prometheus-app.${var.environment}"]}"
  source                = "../../modules/google/monitoring-with-count"
  subnetwork_name       = "${google_compute_subnetwork.monitoring.name}"
  tier                  = "inf"
  service_account_email = "${var.service_account_email}"
}

# Alertmanager. The only monitoring host with an explicit "tcp" health check
# and no service_path.
module "alerts" {
  node_count            = 1
  bootstrap_version     = 3
  subnetwork_name       = "${google_compute_subnetwork.monitoring.name}"
  attach_data_disk      = true
  data_disk_size        = 100
  data_disk_type        = "pd-standard"
  chef_provision        = "${var.chef_provision}"
  chef_run_list         = "\"role[${var.environment}-infra-alerts]\""
  dns_zone_name         = "${var.dns_zone_name}"
  environment           = "${var.environment}"
  machine_type          = "${var.machine_types["monitoring"]}"
  name                  = "alerts"
  project               = "${var.project}"
  region                = "${var.region}"
  source                = "../../modules/google/monitoring-with-count"
  tier                  = "inf"
  persistent_disk_path  = "/opt"
  service_port          = "${var.monitoring_hosts["alerts.${var.environment}"]}"
  oauth2_client_id      = "${var.oauth2_client_id_monitoring}"
  oauth2_client_secret  = "${var.oauth2_client_secret_monitoring}"
  health_check          = "tcp"
  service_account_email = "${var.service_account_email}"
}

##################################
#
# Console
#
##################################
module "console" {
  bootstrap_version     = 3
  chef_provision        = "${var.chef_provision}"
  chef_run_list         = "\"role[${var.environment}-base-console-node]\""
  dns_zone_name         = "${var.dns_zone_name}"
  environment           = "${var.environment}"
  ip_cidr_range         = "${var.subnetworks["console"]}"
  machine_type          = "${var.machine_types["console"]}"
  name                  = "console"
  node_count            = "${var.node_count["console"]}"
  project               = "${var.project}"
  public_ports          = "${var.public_ports["console"]}"
  region                = "${var.region}"
  source                = "../../modules/google/generic-sv-with-group"
  health_check          = "tcp"
  service_port          = 22
  tier                  = "sv"
  vpc                   = "${module.network.self_link}"
  service_account_email = "${var.service_account_email}"
}

##################################
#
# Deploy
#
##################################
module "deploy" {
  bootstrap_version     = 3
  chef_provision        = "${var.chef_provision}"
  chef_run_list         = "\"role[${var.environment}-base-deploy-node]\""
  dns_zone_name         = "${var.dns_zone_name}"
  environment           = "${var.environment}"
  ip_cidr_range         = "${var.subnetworks["deploy"]}"
  machine_type          = "${var.machine_types["deploy"]}"
  name                  = "deploy"
  node_count            = "${var.node_count["deploy"]}"
  project               = "${var.project}"
  public_ports          = "${var.public_ports["deploy"]}"
  region                = "${var.region}"
  source                = "../../modules/google/generic-sv-with-group"
  health_check          = "tcp"
  service_port          = 22
  tier                  = "sv"
  vpc                   = "${module.network.self_link}"
  service_account_email = "${var.service_account_email}"
}

##################################
#
# Runner
#
##################################
module "runner" {
  bootstrap_version     = 3
  chef_provision        = "${var.chef_provision}"
  chef_run_list         = "\"role[${var.environment}-base-runner]\""
  dns_zone_name         = "${var.dns_zone_name}"
  environment           = "${var.environment}"
  ip_cidr_range         = "${var.subnetworks["runner"]}"
  machine_type          = "${var.machine_types["runner"]}"
  name                  = "runner"
  node_count            = "${var.node_count["runner"]}"
  project               = "${var.project}"
  public_ports          = "${var.public_ports["runner"]}"
  region                = "${var.region}"
  source                = "../../modules/google/generic-sv-with-group"
  health_check          = "tcp"
  service_port          = 22
  tier                  = "sv"
  vpc                   = "${module.network.self_link}"
  service_account_email = "${var.service_account_email}"
}

##################################
#
# VPN connection to Azure
#
# Currently disabled as it isn't
# necessary
#
##################################
# NOTE(review): the header says "disabled", but unlike the NAT block this
# module is NOT commented out, so the VPN gateway, tunnel and the pre-shared
# key in var.vpn_shared_secret are still managed (and persisted in state) on
# every apply. Either comment it out like the NAT module or update the header.
# Also note that network_name receives module.network.self_link while
# network_link receives module.network.name — presumably the module expects it
# that way round, but it reads as swapped; confirm against the vpn module.
module "google-azure-vpn" {
  source        = "../../modules/google/vpn"
  name          = "gcp-azure-${var.environment}"
  network_name  = "${module.network.self_link}"
  network_link  = "${module.network.name}"
  region        = "${var.region}"
  peer_ip       = "${var.vpn_peer_address}"
  shared_secret = "${var.vpn_shared_secret}"
  dest_subnet   = "${var.vpn_dest_subnet}"
  source_subnet = "${var.vpn_source_subnet}"
}

##################################
#
# Bastion
#
##################################
# Fronted by module "gcp-tcp-lb-bastion" above. Health-checked over http on
# port 80 rather than on ssh.
module "bastion" {
  bootstrap_version     = 3
  chef_provision        = "${var.chef_provision}"
  chef_run_list         = "\"role[${var.environment}-base-bastion]\""
  dns_zone_name         = "${var.dns_zone_name}"
  environment           = "${var.environment}"
  ip_cidr_range         = "${var.subnetworks["bastion"]}"
  machine_type          = "${var.machine_types["bastion"]}"
  name                  = "bastion"
  node_count            = "${var.node_count["bastion"]}"
  project               = "${var.project}"
  public_ports          = "${var.public_ports["bastion"]}"
  region                = "${var.region}"
  source                = "../../modules/google/generic-sv-with-group"
  health_check          = "http"
  service_port          = 80
  tier                  = "inf"
  vpc                   = "${module.network.self_link}"
  service_account_email = "${var.service_account_email}"
}

##################################
#
# Logging for StackDriver
#
##################################
# Archive bucket for the log sink. Nothing beyond the name is configured, so
# versioning, retention and access control all fall back to provider/project
# defaults — worth making explicit for an audit-log archive.
resource "google_storage_bucket" "log" {
  name = "gitlab-${var.environment}-logging-archive"
}

# Exports all GCE instance logs for the project into the bucket above.
resource "google_logging_project_sink" "log" {
  name        = "${var.environment}-logging-sink"
  destination = "storage.googleapis.com/${google_storage_bucket.log.name}"
  filter      = "resource.type = gce_instance"

  # Use a unique writer (creates a unique service account used for writing)
  unique_writer_identity = true
}

# Grants the sink's writer identity permission to create objects.
# NOTE(review): two things to be aware of with this resource as written:
#  1. google_project_iam_binding is authoritative for the role: on apply it
#     sets the project-level member list for roles/storage.objectCreator to
#     exactly this one identity, removing any other principal that holds the
#     role at project scope.
#  2. The grant is project-wide, so the writer can create objects in every
#     bucket in the project, not just the archive bucket. A bucket-scoped
#     google_storage_bucket_iam_member on google_storage_bucket.log would be
#     the least-privilege equivalent.
resource "google_project_iam_binding" "log" {
  role = "roles/storage.objectCreator"

  members = [
    "${google_logging_project_sink.log.writer_identity}",
  ]
}