feat(perforce): HAS, Swarm, Core example deployment

modules/perforce/examples/complete/dns.tf

@@ -0,0 +1,105 @@
+
+##########################################
+# Route53 Hosted Zone for FQDN
+##########################################
+data "aws_route53_zone" "root" {
+  name         = var.root_domain_name
+  private_zone = false
+}
+
+##########################################
+# Perforce Helix DNS
+##########################################
+resource "aws_route53_zone" "helix_private_zone" {
+  name = "helix.perforce.internal"
+  #checkov:skip=CKV2_AWS_38: Hosted zone is private (vpc association)
+  #checkov:skip=CKV2_AWS_39: Query logging disabled by design
+  vpc {
+    vpc_id = aws_vpc.perforce_vpc.id
+  }
+}
+
+
+resource "aws_route53_record" "helix_swarm" {
+  zone_id = data.aws_route53_zone.root.id
+  name    = "swarm.helix.${data.aws_route53_zone.root.name}"
+  type    = "A"
+  alias {
+    name                   = module.perforce_helix_swarm.alb_dns_name
+    zone_id                = module.perforce_helix_swarm.alb_zone_id
+    evaluate_target_health = true
+  }
+}
+
+resource "aws_route53_record" "helix_authentication_service" {
+  zone_id = data.aws_route53_zone.root.zone_id
+  name    = "auth.helix.${data.aws_route53_zone.root.name}"
+  type    = "A"
+  alias {
+    name                   = module.perforce_helix_authentication_service.alb_dns_name
+    zone_id                = module.perforce_helix_authentication_service.alb_zone_id
+    evaluate_target_health = true
+  }
+}
+
+resource "aws_route53_record" "perforce_helix_core" {
+  zone_id = data.aws_route53_zone.root.zone_id
+  name    = "core.helix.${data.aws_route53_zone.root.name}"
+  type    = "A"
+  ttl     = 300
+  #checkov:skip=CKV2_AWS_23:The attached resource is managed by CGD Toolkit
+  records = [module.perforce_helix_core.helix_core_eip_public_ip]
+}
+
+resource "aws_route53_record" "perforce_helix_core_pvt" {
+  zone_id = aws_route53_zone.helix_private_zone.zone_id
+  name    = "core.${aws_route53_zone.helix_private_zone.name}"
+  type    = "A"
+  ttl     = 300
+  #checkov:skip=CKV2_AWS_23:The attached resource is managed by CGD Toolkit
+  records = [module.perforce_helix_core.helix_core_eip_private_ip]
+}
+
+##########################################
+# Helix Certificate Management
+##########################################
+
+resource "aws_acm_certificate" "helix" {
+  domain_name               = "helix.${var.root_domain_name}"
+  subject_alternative_names = ["*.helix.${var.root_domain_name}"]
+
+  validation_method = "DNS"
+
+  tags = {
+    Environment = "dev"
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_route53_record" "helix_cert" {
+  for_each = {
+    for dvo in aws_acm_certificate.helix.domain_validation_options : dvo.domain_name => {
+      name   = dvo.resource_record_name
+      record = dvo.resource_record_value
+      type   = dvo.resource_record_type
+    }
+  }
+
+  allow_overwrite = true
+  name            = each.value.name
+  records         = [each.value.record]
+  ttl             = 60
+  type            = each.value.type
+  zone_id         = data.aws_route53_zone.root.id
+}
+
+resource "aws_acm_certificate_validation" "helix" {
+  timeouts {
+    create = "15m"
+  }
+  certificate_arn         = aws_acm_certificate.helix.arn
+  validation_record_fqdns = [for record in aws_route53_record.helix_cert : record.fqdn]
+}

modules/perforce/examples/complete/local.tf

@@ -0,0 +1,13 @@
+data "aws_availability_zones" "available" {}
+
+locals {
+  # VPC Configuration
+  vpc_cidr_block       = "10.0.0.0/16"
+  public_subnet_cidrs  = ["10.0.1.0/24", "10.0.2.0/24"]
+  private_subnet_cidrs = ["10.0.3.0/24", "10.0.4.0/24"]
+
+  tags = {
+    environment = "cgd"
+  }
+  azs = slice(data.aws_availability_zones.available.names, 0, 2)
+}

modules/perforce/examples/complete/main.tf

@@ -0,0 +1,88 @@
+##########################################
+# Shared ECS Cluster for Services
+##########################################
+
+resource "aws_ecs_cluster" "perforce_cluster" {
+  name = "perforce-cluster"
+
+  setting {
+    name  = "containerInsights"
+    value = "enabled"
+  }
+}
+
+resource "aws_ecs_cluster_capacity_providers" "providers" {
+  cluster_name = aws_ecs_cluster.perforce_cluster.name
+
+  capacity_providers = ["FARGATE"]
+
+  default_capacity_provider_strategy {
+    base              = 1
+    weight            = 100
+    capacity_provider = "FARGATE"
+  }
+}
+
+##########################################
+# Perforce Helix Core
+##########################################
+
+module "perforce_helix_core" {
+  source                = "../../helix-core"
+  vpc_id                = aws_vpc.perforce_vpc.id
+  server_type           = "p4d_commit"
+  instance_subnet_id    = aws_subnet.public_subnets[0].id
+  instance_type         = "c6g.large"
+  instance_architecture = "arm64"
+
+  storage_type         = "EBS"
+  depot_volume_size    = 64
+  metadata_volume_size = 32
+  logs_volume_size     = 32
+
+  FQDN = "core.helix.perforce.${var.root_domain_name}"
+
+  helix_authentication_service_url = "https://${aws_route53_record.helix_authentication_service.name}"
+}
+
+##########################################
+# Perforce Helix Authentication Service
+##########################################
+
+module "perforce_helix_authentication_service" {
+  source                                   = "../../helix-authentication-service"
+  vpc_id                                   = aws_vpc.perforce_vpc.id
+  cluster_name                             = aws_ecs_cluster.perforce_cluster.name
+  helix_authentication_service_alb_subnets = aws_subnet.public_subnets[*].id
+  helix_authentication_service_subnets     = aws_subnet.private_subnets[*].id
+  certificate_arn                          = aws_acm_certificate.helix.arn
+
+  enable_web_based_administration = true
+  fqdn                            = "https://auth.helix.${var.root_domain_name}"
+
+  depends_on = [aws_ecs_cluster.perforce_cluster, aws_acm_certificate_validation.helix]
+}
+
+##########################################
+# Perforce Helix Swarm
+##########################################
+
+module "perforce_helix_swarm" {
+  source                      = "../../helix-swarm"
+  vpc_id                      = aws_vpc.perforce_vpc.id
+  cluster_name                = aws_ecs_cluster.perforce_cluster.name
+  helix_swarm_alb_subnets     = aws_subnet.public_subnets[*].id
+  helix_swarm_service_subnets = aws_subnet.private_subnets[*].id
+  certificate_arn             = aws_acm_certificate.helix.arn
+  p4d_port                    = "ssl:${aws_route53_record.perforce_helix_core_pvt.name}:1666"
+  p4d_super_user_arn          = module.perforce_helix_core.helix_core_super_user_username_secret_arn
+  p4d_super_user_password_arn = module.perforce_helix_core.helix_core_super_user_password_secret_arn
+  p4d_swarm_user_arn          = module.perforce_helix_core.helix_core_super_user_username_secret_arn
+  p4d_swarm_password_arn      = module.perforce_helix_core.helix_core_super_user_password_secret_arn
+
+  enable_sso = true
+
+  fqdn = "swarm.helix.${var.root_domain_name}"
+
+  depends_on = [aws_ecs_cluster.perforce_cluster, aws_acm_certificate_validation.helix]
+}

modules/perforce/examples/complete/security.tf

@@ -0,0 +1,33 @@
+##########################################
+# Internal Access - service to service
+##########################################
+
+# Helix Swarm -> Helix Core
+resource "aws_vpc_security_group_ingress_rule" "helix_core_inbound_swarm" {
+  security_group_id            = module.perforce_helix_core.security_group_id
+  ip_protocol                  = "TCP"
+  from_port                    = 1666
+  to_port                      = 1666
+  referenced_security_group_id = module.perforce_helix_swarm.service_security_group_id
+  description                  = "Enables Helix Swarm to access Helix Core."
+}
+
+# Helix Core -> Helix Swarm
+resource "aws_vpc_security_group_ingress_rule" "helix_swarm_inbound_core" {
+  security_group_id = module.perforce_helix_swarm.alb_security_group_id
+  ip_protocol       = "TCP"
+  from_port         = 443
+  to_port           = 443
+  cidr_ipv4         = "${module.perforce_helix_core.helix_core_eip_public_ip}/32"
+  description       = "Enables Helix Core to access Helix Swarm"
+}
+
+# Helix Core -> Helix Authentication Service
+resource "aws_vpc_security_group_ingress_rule" "helix_auth_inbound_core" {
+  security_group_id = module.perforce_helix_authentication_service.alb_security_group_id
+  ip_protocol       = "TCP"
+  from_port         = 443
+  to_port           = 443
+  cidr_ipv4         = "${module.perforce_helix_core.helix_core_eip_public_ip}/32"
+  description       = "Enables Helix Core to access Helix Authentication Service"
+}

modules/perforce/examples/complete/variables.tf

@@ -0,0 +1,4 @@
+variable "root_domain_name" {
+  type        = string
+  description = "The root domain name you would like to use for DNS."
+}

modules/perforce/examples/complete/versions.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "5.66.0"
+    }
+  }
+}

modules/perforce/examples/complete/vpc.tf

@@ -0,0 +1,130 @@
+##########################################
+# VPC
+##########################################
+
+resource "aws_vpc" "perforce_vpc" {
+  cidr_block = local.vpc_cidr_block
+  tags = merge(local.tags,
+    {
+      Name = "perforce-vpc"
+    }
+  )
+  enable_dns_hostnames = true
+  #checkov:skip=CKV2_AWS_11: VPC flow logging disabled by design
+}
+
+# Set default SG to restrict all traffic
+resource "aws_default_security_group" "default" {
+  vpc_id = aws_vpc.perforce_vpc.id
+}
+
+##########################################
+# Subnets
+##########################################
+
+resource "aws_subnet" "public_subnets" {
+  count             = length(local.public_subnet_cidrs)
+  vpc_id            = aws_vpc.perforce_vpc.id
+  cidr_block        = element(local.public_subnet_cidrs, count.index)
+  availability_zone = element(local.azs, count.index)
+
+  tags = merge(local.tags,
+    {
+      Name = "pub-subnet-${count.index + 1}"
+    }
+  )
+}
+
+resource "aws_subnet" "private_subnets" {
+  count             = length(local.private_subnet_cidrs)
+  vpc_id            = aws_vpc.perforce_vpc.id
+  cidr_block        = element(local.private_subnet_cidrs, count.index)
+  availability_zone = element(local.azs, count.index)
+
+  tags = merge(local.tags,
+    {
+      Name = "pvt-subnet-${count.index + 1}"
+    }
+  )
+}
+
+##########################################
+# Internet Gateway
+##########################################
+
+resource "aws_internet_gateway" "igw" {
+  vpc_id = aws_vpc.perforce_vpc.id
+  tags = merge(local.tags,
+    {
+      Name = "perforce-igw"
+    }
+  )
+}
+
+##########################################
+# Route Tables & NAT Gateway
+##########################################
+
+resource "aws_route_table" "public_rt" {
+  vpc_id = aws_vpc.perforce_vpc.id
+
+  # public route to the internet
+  route {
+    cidr_block = "0.0.0.0/0"
+    gateway_id = aws_internet_gateway.igw.id
+  }
+
+  tags = merge(local.tags,
+    {
+      Name = "perforce-public-rt"
+    }
+  )
+}
+
+resource "aws_route_table_association" "public_rt_asso" {
+  count          = length(aws_subnet.public_subnets)
+  route_table_id = aws_route_table.public_rt.id
+  subnet_id      = aws_subnet.public_subnets[count.index].id
+}
+
+resource "aws_eip" "nat_gateway_eip" {
+  depends_on = [aws_internet_gateway.igw]
+  #checkov:skip=CKV2_AWS_19:EIP associated with NAT Gateway through association ID
+  tags = merge(local.tags,
+    {
+      Name = "perforce-nat-eip"
+    }
+  )
+}
+
+resource "aws_route_table" "private_rt" {
+  vpc_id = aws_vpc.perforce_vpc.id
+
+  # route to the internet through NAT gateway
+  route {
+    cidr_block     = "0.0.0.0/0"
+    nat_gateway_id = aws_nat_gateway.nat_gateway.id
+  }
+
+  tags = merge(local.tags,
+    {
+      Name = "perforce-private-rt"
+    }
+  )
+}
+
+resource "aws_route_table_association" "private_rt_asso" {
+  count          = length(aws_subnet.private_subnets)
+  route_table_id = aws_route_table.private_rt.id
+  subnet_id      = aws_subnet.private_subnets[count.index].id
+}
+
+resource "aws_nat_gateway" "nat_gateway" {
+  allocation_id = aws_eip.nat_gateway_eip.id
+  subnet_id     = aws_subnet.public_subnets[0].id
+  tags = merge(local.tags,
+    {
+      Name = "perforce-nat"
+    }
+  )
+}