diff --git a/infrastructure/base/main.tf b/infrastructure/base/main.tf index b6731b2ef8..e03597cdd3 100644 --- a/infrastructure/base/main.tf +++ b/infrastructure/base/main.tf @@ -219,33 +219,6 @@ module "sql_server_key_vault" { key_vault_access_users = var.key_vault_access_users } -module "sql_server_production" { - count = var.deploy_production ? 1 : 0 - - source = "./modules/database" - resource_group = data.azurerm_resource_group.resource_group - project_name = "${var.project_name}-production" - subnet_id = module.network.sql_subnet_id - private_dns_zone_id = module.sql_server_private_dns_zone.dns_zone_id - key_vault_id = module.sql_server_key_vault.key_vault_id - instance_size = var.production_db_instance_size - storage_size = var.production_db_storage_size -} - -module "sql_server_production_14" { - count = var.deploy_production ? 1 : 0 - - source = "./modules/database" - resource_group = data.azurerm_resource_group.resource_group - project_name = "${var.project_name}-production-14" - subnet_id = module.network.sql_subnet_id - private_dns_zone_id = module.sql_server_private_dns_zone.dns_zone_id - key_vault_id = module.sql_server_key_vault.key_vault_id - instance_size = var.production_db_instance_size - storage_size = var.production_db_storage_size - postgresql_version = "14" -} - module "sql_server_production_tulip" { count = var.deploy_production ? 1 : 0 
@@ -260,17 +233,6 @@ module "sql_server_production_tulip" { postgresql_version = "14" } -module "sql_server_staging" { - source = "./modules/database" - resource_group = data.azurerm_resource_group.resource_group - project_name = "${var.project_name}-staging" - subnet_id = module.network.sql_subnet_id - private_dns_zone_id = module.sql_server_private_dns_zone.dns_zone_id - key_vault_id = module.sql_server_key_vault.key_vault_id - instance_size = var.staging_db_instance_size - storage_size = var.staging_db_storage_size -} - module "sql_server_staging_14" { source = "./modules/database" resource_group = data.azurerm_resource_group.resource_group diff --git a/infrastructure/base/outputs.tf b/infrastructure/base/outputs.tf index 6df944899f..f14ee2a76f 100644 --- a/infrastructure/base/outputs.tf +++ b/infrastructure/base/outputs.tf 
@@ -61,42 +61,6 @@ output "redis_password" { sensitive = true } -output "sql_server_production_name" { - value = length(module.sql_server_production) > 0 ? module.sql_server_production[0].sql_server_name : null -} - -output "sql_server_production_hostname" { - value = length(module.sql_server_production) > 0 ? module.sql_server_production[0].sql_server_url : null -} - -output "sql_server_production_username" { - value = length(module.sql_server_production) > 0 ? module.sql_server_production[0].sql_server_username : null - sensitive = true -} - -output "sql_server_production_password" { - value = length(module.sql_server_production) > 0 ? module.sql_server_production[0].sql_server_password : null - sensitive = true -} - -output "sql_server_production_14_name" { - value = length(module.sql_server_production_14) > 0 ? module.sql_server_production_14[0].sql_server_name : null -} - -output "sql_server_production_14_hostname" { - value = length(module.sql_server_production_14) > 0 ? module.sql_server_production_14[0].sql_server_url : null -} - -output "sql_server_production_14_username" { - value = length(module.sql_server_production_14) > 0 ? module.sql_server_production_14[0].sql_server_username : null - sensitive = true -} - -output "sql_server_production_14_password" { - value = length(module.sql_server_production_14) > 0 ? module.sql_server_production_14[0].sql_server_password : null - sensitive = true -} - output "sql_server_production_tulip_name" { value = length(module.sql_server_production_tulip) > 0 ? module.sql_server_production_tulip[0].sql_server_name : null } 
@@ -115,24 +79,6 @@ output "sql_server_production_tulip_password" { sensitive = true } -output "sql_server_staging_name" { - value = module.sql_server_staging.sql_server_name -} - -output "sql_server_staging_hostname" { - value = module.sql_server_staging.sql_server_url -} - -output "sql_server_staging_username" { - value = module.sql_server_staging.sql_server_username - sensitive = true -} - -output "sql_server_staging_password" { - value = module.sql_server_staging.sql_server_password - sensitive = true -} - output "sql_server_staging_14_name" { value = module.sql_server_staging_14.sql_server_name } diff --git a/infrastructure/kubernetes/main.tf b/infrastructure/kubernetes/main.tf index fd5747b671..e441ad28d8 100644 --- a/infrastructure/kubernetes/main.tf +++ b/infrastructure/kubernetes/main.tf 
@@ -82,66 +82,6 @@ module "key_vault_production" { project_tags = merge(var.project_tags, { Environment = "PRD" }) } -module "k8s_api_database_production" { - count = var.deploy_production ? 1 : 0 - - source = "./modules/database" - resource_group = data.azurerm_resource_group.resource_group - project_name = var.project_name - namespace = "production" - name = "api" - sql_server_name = data.terraform_remote_state.core.outputs.sql_server_production_name - - providers = { - postgresql = postgres.db_tunnel_production - } -} - -module "k8s_geoprocessing_database_production" { - count = var.deploy_production ? 1 : 0 - - source = "./modules/database" - resource_group = data.azurerm_resource_group.resource_group - project_name = var.project_name - namespace = "production" - name = "geoprocessing" - sql_server_name = data.terraform_remote_state.core.outputs.sql_server_production_name - - providers = { - postgresql = postgres.db_tunnel_production - } -} - -module "k8s_api_database_production_14" { - count = var.deploy_production ? 1 : 0 - - source = "./modules/database" - resource_group = data.azurerm_resource_group.resource_group - project_name = var.project_name - namespace = "production" - name = "api" - sql_server_name = data.terraform_remote_state.core.outputs.sql_server_production_14_name - - providers = { - postgresql = postgres.db_tunnel_production_14 - } -} - -module "k8s_geoprocessing_database_production_14" { - count = var.deploy_production ? 1 : 0 - - source = "./modules/database" - resource_group = data.azurerm_resource_group.resource_group - project_name = var.project_name - namespace = "production" - name = "geoprocessing" - sql_server_name = data.terraform_remote_state.core.outputs.sql_server_production_14_name - - providers = { - postgresql = postgres.db_tunnel_production_14 - } -} - module "k8s_api_database_production_tulip" { count = var.deploy_production ? 1 : 0 
@@ -204,7 +144,7 @@ module "api_production" { cloning_volume_mount_path = local.cloning_volume_mount_path depends_on = [ - module.k8s_api_database_production + module.k8s_api_database_production_tulip ] } @@ -222,7 +162,7 @@ module "geoprocessing_production" { cloning_volume_mount_path = local.cloning_volume_mount_path depends_on = [ - module.k8s_geoprocessing_database_production + module.k8s_geoprocessing_database_production_tulip ] } 
@@ -249,41 +189,25 @@ module "webshot_production" { module "production_cloud_secrets" { count = var.deploy_production ? 1 : 0 - source = "./modules/cloud_secrets" - project_name = var.project_name - namespace = "production" - name = "api" - key_vault_id = length(module.key_vault_production) > 0 ? module.key_vault_production[0].key_vault_id : null - redis_host = data.terraform_remote_state.core.outputs.redis_hostname - redis_password = data.terraform_remote_state.core.outputs.redis_password - redis_port = data.terraform_remote_state.core.outputs.redis_port - sparkpost_api_key = var.sparkpost_api_key - api_url = "api.${var.domain}" - postgres_api_database = length(module.k8s_api_database_production) > 0 ? module.k8s_api_database_production[0].postgresql_database : null - postgres_api_username = length(module.k8s_api_database_production) > 0 ? module.k8s_api_database_production[0].postgresql_username : null - postgres_api_password = length(module.k8s_api_database_production) > 0 ? module.k8s_api_database_production[0].postgresql_password : null - postgres_api_hostname = length(module.k8s_api_database_production) > 0 ? module.k8s_api_database_production[0].postgresql_hostname : null - postgres_geoprocessing_database = length(module.k8s_geoprocessing_database_production) > 0 ? module.k8s_geoprocessing_database_production[0].postgresql_database : null - postgres_geoprocessing_username = length(module.k8s_geoprocessing_database_production) > 0 ? module.k8s_geoprocessing_database_production[0].postgresql_username : null - postgres_geoprocessing_password = length(module.k8s_geoprocessing_database_production) > 0 ? module.k8s_geoprocessing_database_production[0].postgresql_password : null - postgres_geoprocessing_hostname = length(module.k8s_geoprocessing_database_production) > 0 ? module.k8s_geoprocessing_database_production[0].postgresql_hostname : null - postgres_14_api_database = length(module.k8s_api_database_production_14) > 0 ? 
module.k8s_api_database_production_14[0].postgresql_database : null - postgres_14_api_username = length(module.k8s_api_database_production_14) > 0 ? module.k8s_api_database_production_14[0].postgresql_username : null - postgres_14_api_password = length(module.k8s_api_database_production_14) > 0 ? module.k8s_api_database_production_14[0].postgresql_password : null - postgres_14_api_hostname = length(module.k8s_api_database_production_14) > 0 ? module.k8s_api_database_production_14[0].postgresql_hostname : null - postgres_14_geoprocessing_database = length(module.k8s_geoprocessing_database_production_14) > 0 ? module.k8s_geoprocessing_database_production_14[0].postgresql_database : null - postgres_14_geoprocessing_username = length(module.k8s_geoprocessing_database_production_14) > 0 ? module.k8s_geoprocessing_database_production_14[0].postgresql_username : null - postgres_14_geoprocessing_password = length(module.k8s_geoprocessing_database_production_14) > 0 ? module.k8s_geoprocessing_database_production_14[0].postgresql_password : null - postgres_14_geoprocessing_hostname = length(module.k8s_geoprocessing_database_production_14) > 0 ? module.k8s_geoprocessing_database_production_14[0].postgresql_hostname : null - postgres_tulip_api_database = length(module.k8s_api_database_production_tulip) > 0 ? module.k8s_api_database_production_tulip[0].postgresql_database : null - postgres_tulip_api_username = length(module.k8s_api_database_production_tulip) > 0 ? module.k8s_api_database_production_tulip[0].postgresql_username : null - postgres_tulip_api_password = length(module.k8s_api_database_production_tulip) > 0 ? module.k8s_api_database_production_tulip[0].postgresql_password : null - postgres_tulip_api_hostname = length(module.k8s_api_database_production_tulip) > 0 ? module.k8s_api_database_production_tulip[0].postgresql_hostname : null - postgres_tulip_geoprocessing_database = length(module.k8s_geoprocessing_database_production_tulip) > 0 ? 
module.k8s_geoprocessing_database_production_tulip[0].postgresql_database : null - postgres_tulip_geoprocessing_username = length(module.k8s_geoprocessing_database_production_tulip) > 0 ? module.k8s_geoprocessing_database_production_tulip[0].postgresql_username : null - postgres_tulip_geoprocessing_password = length(module.k8s_geoprocessing_database_production_tulip) > 0 ? module.k8s_geoprocessing_database_production_tulip[0].postgresql_password : null - postgres_tulip_geoprocessing_hostname = length(module.k8s_geoprocessing_database_production_tulip) > 0 ? module.k8s_geoprocessing_database_production_tulip[0].postgresql_hostname : null - azure_storage_account_key = data.azurerm_storage_account.storage_account.primary_access_key + source = "./modules/cloud_secrets" + project_name = var.project_name + namespace = "production" + name = "api" + key_vault_id = length(module.key_vault_production) > 0 ? module.key_vault_production[0].key_vault_id : null + redis_host = data.terraform_remote_state.core.outputs.redis_hostname + redis_password = data.terraform_remote_state.core.outputs.redis_password + redis_port = data.terraform_remote_state.core.outputs.redis_port + sparkpost_api_key = var.sparkpost_api_key + api_url = "api.${var.domain}" + postgres_api_database = length(module.k8s_api_database_production_tulip) > 0 ? module.k8s_api_database_production_tulip[0].postgresql_database : null + postgres_api_username = length(module.k8s_api_database_production_tulip) > 0 ? module.k8s_api_database_production_tulip[0].postgresql_username : null + postgres_api_password = length(module.k8s_api_database_production_tulip) > 0 ? module.k8s_api_database_production_tulip[0].postgresql_password : null + postgres_api_hostname = length(module.k8s_api_database_production_tulip) > 0 ? module.k8s_api_database_production_tulip[0].postgresql_hostname : null + postgres_geoprocessing_database = length(module.k8s_geoprocessing_database_production_tulip) > 0 ? 
module.k8s_geoprocessing_database_production_tulip[0].postgresql_database : null + postgres_geoprocessing_username = length(module.k8s_geoprocessing_database_production_tulip) > 0 ? module.k8s_geoprocessing_database_production_tulip[0].postgresql_username : null + postgres_geoprocessing_password = length(module.k8s_geoprocessing_database_production_tulip) > 0 ? module.k8s_geoprocessing_database_production_tulip[0].postgresql_password : null + postgres_geoprocessing_hostname = length(module.k8s_geoprocessing_database_production_tulip) > 0 ? module.k8s_geoprocessing_database_production_tulip[0].postgresql_hostname : null + azure_storage_account_key = data.azurerm_storage_account.storage_account.primary_access_key } module "production_kubernetes_secrets" { 
@@ -326,48 +250,12 @@ module "ingress_production" { project_tags = var.project_tags } -data "azurerm_postgresql_flexible_server" "marxan_production" { - count = var.deploy_production ? 1 : 0 - name = lookup(data.terraform_remote_state.core.outputs, "sql_server_production_name", null) - resource_group_name = data.azurerm_resource_group.resource_group.name -} - -data "azurerm_postgresql_flexible_server" "marxan_production_14" { - count = var.deploy_production ? 1 : 0 - name = lookup(data.terraform_remote_state.core.outputs, "sql_server_production_14_name", null) - resource_group_name = data.azurerm_resource_group.resource_group.name -} - data "azurerm_postgresql_flexible_server" "marxan_production_tulip" { count = var.deploy_production ? 1 : 0 name = lookup(data.terraform_remote_state.core.outputs, "sql_server_production_tulip_name", null) resource_group_name = data.azurerm_resource_group.resource_group.name } -module "db_tunnel_production" { - count = var.deploy_production ? 1 : 0 - - source = "git::https://github.com/tiagojsag/terraform-ssh-tunnel.git?ref=feature/disable-strict-host-key-checking" - - target_host = lookup(data.azurerm_postgresql_flexible_server.marxan_production[0], "fqdn", null) - target_port = 5432 - - gateway_host = data.terraform_remote_state.core.outputs.bastion_hostname - gateway_user = "ubuntu" -} - -module "db_tunnel_production_14" { - count = var.deploy_production ? 1 : 0 - - source = "git::https://github.com/tiagojsag/terraform-ssh-tunnel.git?ref=feature/disable-strict-host-key-checking" - - target_host = lookup(data.azurerm_postgresql_flexible_server.marxan_production_14[0], "fqdn", null) - target_port = 5432 - - gateway_host = data.terraform_remote_state.core.outputs.bastion_hostname - gateway_user = "ubuntu" -} - module "db_tunnel_production_tulip" { count = var.deploy_production ? 1 : 0 
@@ -405,32 +293,6 @@ module "key_vault_staging" { project_tags = merge(var.project_tags, { Environment = "STG" }) } -module "k8s_api_database_staging" { - source = "./modules/database" - resource_group = data.azurerm_resource_group.resource_group - project_name = var.project_name - namespace = "staging" - name = "api" - sql_server_name = data.terraform_remote_state.core.outputs.sql_server_staging_name - - providers = { - postgresql = postgres.db_tunnel_staging - } -} - -module "k8s_geoprocessing_database_staging" { - source = "./modules/database" - resource_group = data.azurerm_resource_group.resource_group - project_name = var.project_name - namespace = "staging" - name = "geoprocessing" - sql_server_name = data.terraform_remote_state.core.outputs.sql_server_staging_name - - providers = { - postgresql = postgres.db_tunnel_staging - } -} - module "k8s_api_database_staging_14" { source = "./modules/database" resource_group = data.azurerm_resource_group.resource_group @@ -485,7 +347,7 @@ module "api_staging" { cloning_volume_mount_path = local.cloning_volume_mount_path depends_on = [ - module.k8s_api_database_staging + module.k8s_api_database_staging_14 ] } @@ -502,7 +364,7 @@ module "geoprocessing_staging" { cloning_volume_mount_path = local.cloning_volume_mount_path depends_on = [ - module.k8s_geoprocessing_database_staging + module.k8s_geoprocessing_database_staging_14 ] } 
@@ -523,41 +385,25 @@ module "webshot_staging" { } module "staging_cloud_secrets" { - source = "./modules/cloud_secrets" - project_name = var.project_name - namespace = "staging" - name = "api" - key_vault_id = module.key_vault_staging.key_vault_id - redis_host = data.terraform_remote_state.core.outputs.redis_hostname - redis_password = data.terraform_remote_state.core.outputs.redis_password - redis_port = data.terraform_remote_state.core.outputs.redis_port - sparkpost_api_key = var.sparkpost_api_key - api_url = "api.staging.${var.domain}" - postgres_api_database = module.k8s_api_database_staging.postgresql_database - postgres_api_username = module.k8s_api_database_staging.postgresql_username - postgres_api_password = module.k8s_api_database_staging.postgresql_password - postgres_api_hostname = module.k8s_api_database_staging.postgresql_hostname - postgres_geoprocessing_database = module.k8s_geoprocessing_database_staging.postgresql_database - postgres_geoprocessing_username = module.k8s_geoprocessing_database_staging.postgresql_username - postgres_geoprocessing_password = module.k8s_geoprocessing_database_staging.postgresql_password - postgres_geoprocessing_hostname = module.k8s_geoprocessing_database_staging.postgresql_hostname - postgres_14_api_database = module.k8s_api_database_staging_14.postgresql_database - postgres_14_api_username = module.k8s_api_database_staging_14.postgresql_username - postgres_14_api_password = module.k8s_api_database_staging_14.postgresql_password - postgres_14_api_hostname = module.k8s_api_database_staging_14.postgresql_hostname - postgres_14_geoprocessing_database = module.k8s_geoprocessing_database_staging_14.postgresql_database - postgres_14_geoprocessing_username = module.k8s_geoprocessing_database_staging_14.postgresql_username - postgres_14_geoprocessing_password = module.k8s_geoprocessing_database_staging_14.postgresql_password - postgres_14_geoprocessing_hostname = 
module.k8s_geoprocessing_database_staging_14.postgresql_hostname - postgres_tulip_api_database = module.k8s_api_database_staging_14.postgresql_database - postgres_tulip_api_username = module.k8s_api_database_staging_14.postgresql_username - postgres_tulip_api_password = module.k8s_api_database_staging_14.postgresql_password - postgres_tulip_api_hostname = module.k8s_api_database_staging_14.postgresql_hostname - postgres_tulip_geoprocessing_database = module.k8s_geoprocessing_database_staging_14.postgresql_database - postgres_tulip_geoprocessing_username = module.k8s_geoprocessing_database_staging_14.postgresql_username - postgres_tulip_geoprocessing_password = module.k8s_geoprocessing_database_staging_14.postgresql_password - postgres_tulip_geoprocessing_hostname = module.k8s_geoprocessing_database_staging_14.postgresql_hostname - azure_storage_account_key = data.azurerm_storage_account.storage_account.primary_access_key + source = "./modules/cloud_secrets" + project_name = var.project_name + namespace = "staging" + name = "api" + key_vault_id = module.key_vault_staging.key_vault_id + redis_host = data.terraform_remote_state.core.outputs.redis_hostname + redis_password = data.terraform_remote_state.core.outputs.redis_password + redis_port = data.terraform_remote_state.core.outputs.redis_port + sparkpost_api_key = var.sparkpost_api_key + api_url = "api.staging.${var.domain}" + postgres_api_database = module.k8s_api_database_staging_14.postgresql_database + postgres_api_username = module.k8s_api_database_staging_14.postgresql_username + postgres_api_password = module.k8s_api_database_staging_14.postgresql_password + postgres_api_hostname = module.k8s_api_database_staging_14.postgresql_hostname + postgres_geoprocessing_database = module.k8s_geoprocessing_database_staging_14.postgresql_database + postgres_geoprocessing_username = module.k8s_geoprocessing_database_staging_14.postgresql_username + postgres_geoprocessing_password = 
module.k8s_geoprocessing_database_staging_14.postgresql_password + postgres_geoprocessing_hostname = module.k8s_geoprocessing_database_staging_14.postgresql_hostname + azure_storage_account_key = data.azurerm_storage_account.storage_account.primary_access_key } module "staging_kubernetes_secrets" { @@ -597,26 +443,11 @@ module "ingress_staging" { project_tags = var.project_tags } -data "azurerm_postgresql_flexible_server" "marxan_staging" { - name = data.terraform_remote_state.core.outputs.sql_server_staging_name - resource_group_name = data.azurerm_resource_group.resource_group.name -} - -data "azurerm_postgresql_flexible_server" "marxan_staging_14" { +git sadata "azurerm_postgresql_flexible_server" "marxan_staging_14" { name = data.terraform_remote_state.core.outputs.sql_server_staging_14_name resource_group_name = data.azurerm_resource_group.resource_group.name } -module "db_tunnel_staging" { - source = "git::https://github.com/tiagojsag/terraform-ssh-tunnel.git?ref=feature/disable-strict-host-key-checking" - - target_host = data.azurerm_postgresql_flexible_server.marxan_staging.fqdn - target_port = 5432 - - gateway_host = data.terraform_remote_state.core.outputs.bastion_hostname - gateway_user = "ubuntu" -} - module "db_tunnel_staging_14" { source = "git::https://github.com/tiagojsag/terraform-ssh-tunnel.git?ref=feature/disable-strict-host-key-checking" diff --git a/infrastructure/kubernetes/modules/cloud_secrets/main.tf b/infrastructure/kubernetes/modules/cloud_secrets/main.tf new file mode 100644 index 0000000000..3aba2e1ef9 --- /dev/null +++ b/infrastructure/kubernetes/modules/cloud_secrets/main.tf 
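Review bot: `+git sadata "azurerm_postgresql_flexible_server" "marxan_staging_14" {` has a stray `git sa` pasted in front of the `data` keyword, so infrastructure/kubernetes/main.tf no longer parses and nothing in this commit can be planned until the line is restored to `data "azurerm_postgresql_flexible_server" "marxan_staging_14" {`. The retained `module "db_tunnel_staging_14"` (whose block continues past the end of the hunk) also sources its code from a user-namespace GitHub repository at a mutable branch ref whose name indicates strict host key checking is disabled; that lets the module code change underneath the pipeline and removes the SSH check that would notice a substituted bastion. Pinning `ref=` to a commit SHA and restoring host key verification with a known_hosts entry for the bastion would address both, and the same source string is used by the production tunnel module earlier in this file.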
@@ -0,0 +1,49 @@
+locals {
+ api_postgres_secret_json = {
+ username = var.postgres_api_username
+ password = var.postgres_api_password
+ database = var.postgres_api_database
+ }
+ geoprocessing_postgres_secret_json = {
+ username = var.postgres_geoprocessing_username
+ password = var.postgres_geoprocessing_password
+ database = var.postgres_geoprocessing_database
+ }
+
+ api_auth_jwt_secret = random_password.jwt_secret.result
+ x_auth_api_key = random_password.x_auth_api_key.result
+ cloning_signing_secret = tls_private_key.cloning_signing_secret.private_key_pem
+ cloning_storage_backup_restic_password = random_password.cloning_storage_backup_restic_password.result
+}
+
+resource "random_password" "jwt_secret" {
+ length = 24
+ special = true
+}
+
+resource "random_password" "x_auth_api_key" {
+ length = 24
+ special = true
+}
+
+resource "azurerm_key_vault_secret" "api_user_postgresql" {
+ name = "PostgresApiUserPassword"
+ value = jsonencode(local.api_postgres_secret_json)
+ key_vault_id = var.key_vault_id
+}
+
+resource "azurerm_key_vault_secret" "geoprocessing_user_postgresql" {
+ name = "PostgresGeoprocessingUserPassword"
+ value = jsonencode(local.geoprocessing_postgres_secret_json)
+ key_vault_id = var.key_vault_id
+}
+
+resource "tls_private_key" "cloning_signing_secret" {
+ algorithm = "RSA"
+ rsa_bits = 4096
+}
+
+resource "random_password" "cloning_storage_backup_restic_password" {
+ length = 16
+ special = true
+}
diff --git a/infrastructure/kubernetes/modules/cloud_secrets/outputs.tf b/infrastructure/kubernetes/modules/cloud_secrets/outputs.tf
new file mode 100644
index 0000000000..dc27d046c1
--- /dev/null
+++ b/infrastructure/kubernetes/modules/cloud_secrets/outputs.tf
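Review bot: `tls_private_key.cloning_signing_secret` and the three `random_password` resources persist their generated values (the RSA private key PEM, the JWT secret, the API key and the restic password) in Terraform state in clear text, so read access to the state backend is now equivalent to holding those secrets, and the commit records that nowhere. A header comment such as `# Generated secrets are stored in Terraform state; protect the state backend like the key vault itself` would make the requirement visible to whoever configures the backend, and the same comment should say that rotation means replacing the resource (`-replace`/taint), since nothing here re-generates on a schedule. Separately, this file reads only `key_vault_id` and the six postgres username/password/database inputs, while the module's variable.tf in this commit declares redis, sparkpost, api_url, hostname and storage-key inputs that are never referenced; either drop them or comment why the module accepts them.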
@@ -0,0 +1,15 @@
+output "api_auth_jwt_secret" {
+ value = local.api_auth_jwt_secret
+}
+
+output "x_auth_api_key" {
+ value = local.x_auth_api_key
+}
+
+output "cloning_signing_secret" {
+ value = local.cloning_signing_secret
+}
+
+output "cloning_storage_backup_restic_password" {
+ value = local.cloning_storage_backup_restic_password
+}
diff --git a/infrastructure/kubernetes/modules/cloud_secrets/variable.tf b/infrastructure/kubernetes/modules/cloud_secrets/variable.tf
new file mode 100644
index 0000000000..949a3b14fc
--- /dev/null
+++ b/infrastructure/kubernetes/modules/cloud_secrets/variable.tf
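Review bot: All four outputs expose provider-sensitive values (`random_password.result` and `tls_private_key.private_key_pem`) without `sensitive = true`; Terraform 1.3 rejects such an output at plan time with an "output refers to sensitive values" error, and any workaround that strips sensitivity would print the JWT secret, API key and signing key in plan output. Add `sensitive = true` to each of the four blocks. The values are read through `local.*` rather than directly from the resources, but sensitivity propagates through locals, so the marking is still needed here.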
@@ -0,0 +1,74 @@
+variable "name" {
+ description = "The name of the secret"
+}
+
+variable "namespace" {
+ description = "The k8s namespace in which to deploy resources"
+}
+
+variable "key_vault_id" {
+ description = "Azure key vault id"
+}
+
+variable "project_name" {
+ type = string
+ description = "A project name to use when naming resources."
+}
+
+variable "redis_host" {
+ description = "The redis server hostname"
+}
+
+variable "redis_password" {
+ description = "The redis server password"
+}
+
+variable "redis_port" {
+ description = "The redis server port"
+}
+
+variable "sparkpost_api_key" {
+ type = string
+ description = "The API key for Sparkpost"
+}
+
+variable "api_url" {
+ type = string
+ description = "The URL for the Marxan API server"
+}
+
+variable "postgres_geoprocessing_hostname" {
+ description = "The postgres geoprocessing database hostname"
+}
+
+variable "postgres_geoprocessing_username" {
+ description = "The postgres geoprocessing database username"
+}
+
+variable "postgres_geoprocessing_password" {
+ description = "The postgres geoprocessing database password"
+}
+
+variable "postgres_geoprocessing_database" {
+ description = "The postgres geoprocessing database name"
+}
+
+variable "postgres_api_hostname" {
+ description = "The postgres api database hostname"
+}
+
+variable "postgres_api_username" {
+ description = "The postgres api database username"
+}
+
+variable "postgres_api_password" {
+ description = "The postgres api database password"
+}
+
+variable "postgres_api_database" {
+ description = "The postgres api database name"
+}
+
+variable "azure_storage_account_key" {
+ description = "A key for the Azure storage account used for backups"
+}
diff --git a/infrastructure/kubernetes/modules/cloud_secrets/versions.tf b/infrastructure/kubernetes/modules/cloud_secrets/versions.tf
new file mode 100644
index 0000000000..5811a0150a
--- /dev/null
+++ b/infrastructure/kubernetes/modules/cloud_secrets/versions.tf
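Review bot: The secret-bearing inputs (`redis_password`, `sparkpost_api_key`, `postgres_api_password`, `postgres_geoprocessing_password`, `azure_storage_account_key`) are declared without `sensitive = true`, so unless every caller already passes a sensitive value their contents will appear in plan diffs wherever they are used; add `sensitive = true` to each of those blocks. Most variables also omit `type`, so a list or number passed by mistake only fails at the point of use rather than at validation; `type = string` on each would catch that early. As far as this module's main.tf in the same commit shows, `name`, `namespace`, `project_name`, the three `redis_*`, `sparkpost_api_key`, `api_url`, both `postgres_*_hostname` and `azure_storage_account_key` are never referenced, so they look like leftovers from splitting the module and could be removed or commented as deliberately reserved.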
@@ -0,0 +1,14 @@
+terraform {
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "3.32.0"
+ }
+
+ random = {
+ source = "hashicorp/random"
+ version = "3.3.2"
+ }
+ }
+ required_version = "1.3.5"
+}
diff --git a/infrastructure/kubernetes/modules/kubernetes_secrets/main.tf b/infrastructure/kubernetes/modules/kubernetes_secrets/main.tf
new file mode 100644
index 0000000000..6ca734dc7d
--- /dev/null
+++ b/infrastructure/kubernetes/modules/kubernetes_secrets/main.tf
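Review bot: `required_providers` pins azurerm and random but omits `tls`, although this module's main.tf creates a `tls_private_key`; Terraform will then resolve hashicorp/tls implicitly at whatever version the lock file or registry offers, which undoes the exact pinning applied to the other two providers and leaves the key-generation code unpinned. Add `tls = { source = "hashicorp/tls", version = "<pinned version from the lock file>" }` next to the existing entries.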
@@ -0,0 +1,76 @@
+locals {
+ api_postgres_secret_json = {
+ username = var.postgres_api_username
+ password = var.postgres_api_password
+ database = var.postgres_api_database
+ }
+ geoprocessing_postgres_secret_json = {
+ username = var.postgres_geoprocessing_username
+ password = var.postgres_geoprocessing_password
+ database = var.postgres_geoprocessing_database
+ }
+
+ api_auth_jwt_secret = var.api_auth_jwt_secret
+ x_auth_api_key = var.x_auth_api_key
+ cloning_signing_secret = var.cloning_signing_secret
+ cloning_storage_backup_restic_password = var.cloning_storage_backup_restic_password
+}
+
+resource "kubernetes_secret" "api_secret" {
+ metadata {
+ name = "api"
+ namespace = var.namespace
+ }
+
+ data = {
+ API_AUTH_JWT_SECRET = sensitive(local.api_auth_jwt_secret)
+ API_AUTH_X_API_KEY = sensitive(local.x_auth_api_key)
+ CLONING_SIGNING_SECRET = sensitive(base64encode(local.cloning_signing_secret))
+
+ API_POSTGRES_HOST = var.postgres_api_hostname
+ API_POSTGRES_USER = sensitive(local.api_postgres_secret_json.username)
+ API_POSTGRES_PASSWORD = sensitive(local.api_postgres_secret_json.password)
+ API_POSTGRES_DB = sensitive(local.api_postgres_secret_json.database)
+
+ GEO_POSTGRES_HOST = var.postgres_geoprocessing_hostname
+ GEO_POSTGRES_USER = sensitive(local.geoprocessing_postgres_secret_json.username)
+ GEO_POSTGRES_PASSWORD = sensitive(local.geoprocessing_postgres_secret_json.password)
+ GEO_POSTGRES_DB = sensitive(local.geoprocessing_postgres_secret_json.database)
+
+ REDIS_HOST = var.redis_host
+ REDIS_PASSWORD = var.redis_password
+ REDIS_PORT = var.redis_port
+
+ SPARKPOST_APIKEY = var.sparkpost_api_key
+ API_SERVICE_URL = var.api_url
+
+ AZURE_STORAGE_ACCOUNT_KEY = sensitive(var.azure_storage_account_key)
+ CLONING_STORAGE_BACKUP_RESTIC_PASSWORD = sensitive(local.cloning_storage_backup_restic_password)
+ }
+}
+
+resource "kubernetes_secret" "geoprocessing_secret" {
+ metadata {
+ name = "geoprocessing"
+ namespace = var.namespace
+ }
+
+ data = {
+ API_AUTH_JWT_SECRET = sensitive(local.api_auth_jwt_secret)
+ API_AUTH_X_API_KEY = sensitive(local.x_auth_api_key)
+
+ API_POSTGRES_HOST = var.postgres_api_hostname
+ API_POSTGRES_USER = sensitive(local.api_postgres_secret_json.username)
+ API_POSTGRES_PASSWORD = sensitive(local.api_postgres_secret_json.password)
+ API_POSTGRES_DB = sensitive(local.api_postgres_secret_json.database)
+
+ GEO_POSTGRES_HOST = var.postgres_geoprocessing_hostname
+ GEO_POSTGRES_USER = sensitive(local.geoprocessing_postgres_secret_json.username)
+ GEO_POSTGRES_PASSWORD = sensitive(local.geoprocessing_postgres_secret_json.password)
+ GEO_POSTGRES_DB = sensitive(local.geoprocessing_postgres_secret_json.database)
+
+ REDIS_HOST = var.redis_host
+ REDIS_PASSWORD = var.redis_password
+ REDIS_PORT = var.redis_port
+ }
+}
diff --git a/infrastructure/kubernetes/modules/kubernetes_secrets/variable.tf b/infrastructure/kubernetes/modules/kubernetes_secrets/variable.tf
new file mode 100644
index 0000000000..8a0a41285e
--- /dev/null
+++ b/infrastructure/kubernetes/modules/kubernetes_secrets/variable.tf
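Review bot: `CLONING_SIGNING_SECRET = sensitive(base64encode(local.cloning_signing_secret))` feeds an already base64-encoded string into `data`, which the kubernetes provider base64-encodes again when it builds the Secret, so the container will receive base64 of the PEM rather than the PEM; unless the consumer decodes it (not visible from this hunk), either drop the `base64encode` or move the entry to `binary_data`. The `geoprocessing_secret` also carries the full `API_POSTGRES_*` credentials next to its own `GEO_POSTGRES_*` set, so a compromise of the geoprocessing pod yields the API database credentials as well; if that workload does not need them, passing only its own set keeps the blast radius smaller, and if it does, a comment saying why would stop a later reviewer from removing them. The `sensitive()` wrappers are applied to some entries but not `REDIS_PASSWORD` or `SPARKPOST_APIKEY`; since the provider already treats `data` as sensitive, they are redundant either way, but applying them uniformly or not at all makes the intent clear.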
@@ -0,0 +1,86 @@
+variable "name" {
+ description = "The name of the secret"
+}
+
+variable "namespace" {
+ description = "The k8s namespace in which to deploy resources"
+}
+
+variable "key_vault_id" {
+ description = "Azure key vault id"
+}
+
+variable "project_name" {
+ type = string
+ description = "A project name to use when naming resources."
+}
+
+variable "redis_host" {
+ description = "The redis server hostname"
+}
+
+variable "redis_password" {
+ description = "The redis server password"
+}
+
+variable "redis_port" {
+ description = "The redis server port"
+}
+
+variable "sparkpost_api_key" {
+ type = string
+ description = "The API key for Sparkpost"
+}
+
+variable "api_url" {
+ type = string
+ description = "The URL for the Marxan API server"
+}
+
+variable "postgres_geoprocessing_hostname" {
+ description = "The postgres geoprocessing database hostname"
+}
+
+variable "postgres_geoprocessing_username" {
+ description = "The postgres geoprocessing database username"
+}
+
+variable "postgres_geoprocessing_password" {
+ description = "The postgres geoprocessing database password"
+}
+
+variable "postgres_geoprocessing_database" {
+ description = "The postgres geoprocessing database name"
+}
+
+variable "postgres_api_hostname" {
+ description = "The postgres api database hostname"
+}
+
+variable "postgres_api_username" {
+ description = "The postgres api database username"
+}
+
+variable "postgres_api_password" {
+ description = "The postgres api database password"
+}
+
+variable "postgres_api_database" {
+ description = "The postgres api database name"
+}
+
+variable "api_auth_jwt_secret" {
+}
+
+variable "x_auth_api_key" {
+}
+
+variable "cloning_signing_secret" {
+}
+
+variable "cloning_storage_backup_restic_password" {
+}
+
+variable "azure_storage_account_key" {
+ description = "A key for the Azure storage account used for backups"
+}
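Review bot: `api_auth_jwt_secret`, `x_auth_api_key`, `cloning_signing_secret` and `cloning_storage_backup_restic_password` are declared with empty bodies — no `description`, no `type` and no `sensitive = true` — although they carry the JWT secret, API key, signing key and backup password into this module. Give each a one-line `description`, `type = string` and `sensitive = true`; the same `sensitive = true` is missing on `redis_password`, `sparkpost_api_key`, the two postgres password variables and `azure_storage_account_key`. `name`, `key_vault_id` and `project_name` are not referenced anywhere in this module's main.tf as added in the commit and appear to have been copied over from cloud_secrets.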
diff --git a/infrastructure/kubernetes/modules/kubernetes_secrets/versions.tf b/infrastructure/kubernetes/modules/kubernetes_secrets/versions.tf
new file mode 100644
index 0000000000..7ae9abd0bb
--- /dev/null
+++ b/infrastructure/kubernetes/modules/kubernetes_secrets/versions.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_providers {
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = "2.16.0"
+ }
+ }
+ required_version = "1.3.5"
+}
diff --git a/infrastructure/kubernetes/versions.tf b/infrastructure/kubernetes/versions.tf
index 0ad03b2589..a8450fcfe3 100644
--- a/infrastructure/kubernetes/versions.tf
+++ b/infrastructure/kubernetes/versions.tf
@@ -79,46 +79,13 @@ provider "kubectl" { load_config_file = false } -provider "postgresql" { - alias = "db_tunnel_production" - - host = length(module.db_tunnel_production) > 0 ? module.db_tunnel_production[0].host : null - port = length(module.db_tunnel_production) > 0 ? module.db_tunnel_production[0].port : null - username =lookup(data.terraform_remote_state.core.outputs, "sql_server_production_username", null) - password =lookup(data.terraform_remote_state.core.outputs, "sql_server_production_password", null) - sslmode = "require" - superuser = false -} - -provider "postgresql" { - alias = "db_tunnel_production_14" - - host = length(module.db_tunnel_production_14) > 0 ? module.db_tunnel_production_14[0].host : null - port = length(module.db_tunnel_production_14) > 0 ? module.db_tunnel_production_14[0].port : null - username =lookup(data.terraform_remote_state.core.outputs, "sql_server_production_14_username", null) - password =lookup(data.terraform_remote_state.core.outputs, "sql_server_production_14_password", null) - sslmode = "require" - superuser = false -} - provider "postgresql" { alias = "db_tunnel_production_tulip" host = length(module.db_tunnel_production_tulip) > 0 ? module.db_tunnel_production_tulip[0].host : null port = length(module.db_tunnel_production_tulip) > 0 ? 
module.db_tunnel_production_tulip[0].port : null - username =lookup(data.terraform_remote_state.core.outputs, "sql_server_production_tulip_username", null) - password =lookup(data.terraform_remote_state.core.outputs, "sql_server_production_tulip_password", null) - sslmode = "require" - superuser = false -} - -provider "postgresql" { - alias = "db_tunnel_staging" - - host = module.db_tunnel_staging.host - port = module.db_tunnel_staging.port - username = data.terraform_remote_state.core.outputs.sql_server_staging_username - password = data.terraform_remote_state.core.outputs.sql_server_staging_password + username = lookup(data.terraform_remote_state.core.outputs, "sql_server_production_tulip_username", null) + password = lookup(data.terraform_remote_state.core.outputs, "sql_server_production_tulip_password", null) sslmode = "require" superuser = false }