feat(perforce): HAS, Swarm, Core example deployment
henrykie committed Sep 23, 2024
1 parent aae6ee4 commit db6c82a
Showing 7 changed files with 383 additions and 0 deletions.
105 changes: 105 additions & 0 deletions modules/perforce/examples/complete/dns.tf
@@ -0,0 +1,105 @@

##########################################
# Route53 Hosted Zone for FQDN
##########################################
data "aws_route53_zone" "root" {
name = var.root_domain_name
private_zone = false
}

##########################################
# Perforce Helix DNS
##########################################
resource "aws_route53_zone" "helix_private_zone" {
name = "helix.perforce.internal"
#checkov:skip=CKV2_AWS_38: Hosted zone is private (vpc association)
#checkov:skip=CKV2_AWS_39: Query logging disabled by design
vpc {
vpc_id = aws_vpc.perforce_vpc.id
}
}

Check warning

Code scanning / checkov

Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones Warning

Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones

Check warning

Code scanning / checkov

Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones Warning

Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones


resource "aws_route53_record" "helix_swarm" {
zone_id = data.aws_route53_zone.root.id
name = "swarm.helix.${data.aws_route53_zone.root.name}"
type = "A"
alias {
name = module.perforce_helix_swarm.alb_dns_name
zone_id = module.perforce_helix_swarm.alb_zone_id
evaluate_target_health = true
}
}

resource "aws_route53_record" "helix_authentication_service" {
zone_id = data.aws_route53_zone.root.zone_id
name = "auth.helix.${data.aws_route53_zone.root.name}"
type = "A"
alias {
name = module.perforce_helix_authentication_service.alb_dns_name
zone_id = module.perforce_helix_authentication_service.alb_zone_id
evaluate_target_health = true
}
}

resource "aws_route53_record" "perforce_helix_core" {
zone_id = data.aws_route53_zone.root.zone_id
name = "core.helix.${data.aws_route53_zone.root.name}"
type = "A"
ttl = 300
#checkov:skip=CKV2_AWS_23:The attached resource is managed by CGD Toolkit
records = [module.perforce_helix_core.helix_core_eip_public_ip]
}

Check warning

Code scanning / checkov

Route53 A Record has Attached Resource Warning

Route53 A Record has Attached Resource

resource "aws_route53_record" "perforce_helix_core_pvt" {
zone_id = aws_route53_zone.helix_private_zone.zone_id
name = "core.${aws_route53_zone.helix_private_zone.name}"
type = "A"
ttl = 300
#checkov:skip=CKV2_AWS_23:The attached resource is managed by CGD Toolkit
records = [module.perforce_helix_core.helix_core_eip_private_ip]
}

Check warning

Code scanning / checkov

Route53 A Record has Attached Resource Warning

Route53 A Record has Attached Resource

##########################################
# Helix Certificate Management
##########################################

resource "aws_acm_certificate" "helix" {
domain_name = "helix.${var.root_domain_name}"
subject_alternative_names = ["*.helix.${var.root_domain_name}"]

validation_method = "DNS"

tags = {
Environment = "dev"
}

lifecycle {
create_before_destroy = true
}
}

resource "aws_route53_record" "helix_cert" {
for_each = {
for dvo in aws_acm_certificate.helix.domain_validation_options : dvo.domain_name => {
name = dvo.resource_record_name
record = dvo.resource_record_value
type = dvo.resource_record_type
}
}

allow_overwrite = true
name = each.value.name
records = [each.value.record]
ttl = 60
type = each.value.type
zone_id = data.aws_route53_zone.root.id
}

resource "aws_acm_certificate_validation" "helix" {
timeouts {
create = "15m"
}
certificate_arn = aws_acm_certificate.helix.arn
validation_record_fqdns = [for record in aws_route53_record.helix_cert : record.fqdn]
}
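Review bot: The ACM certificate at L121-L123 carries a hard-coded `Environment = "dev"` tag while every other resource in this example merges `local.tags` (which sets `environment = "cgd"`), so one deployment ends up with two environment labels under differently cased keys; `tags = merge(local.tags, { Name = "helix-cert" })` (Name value illustrative) would keep it consistent. The root zone is referenced as `data.aws_route53_zone.root.id` at L56 and L144 but as `.zone_id` at L67 and L78; both resolve to the same value, but one form throughout reads better. The public A record at L77-L84 publishes the Helix Core EIP under the root domain; a short comment there noting that reachability of port 1666 is governed by the instance's security group in the helix-core module (not shown in this commit), not by the record, would help the next reader.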
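--- a/modules/perforce/examples/complete/local.tf
+++ b/modules/perforce/examples/complete/local.tf
@@ -0,0 +1,13 @@
+data "aws_availability_zones" "available" {}
+
+locals {
+# VPC Configuration
+vpc_cidr_block = "10.0.0.0/16"
+public_subnet_cidrs = ["10.0.1.0/24", "10.0.2.0/24"]
+private_subnet_cidrs = ["10.0.3.0/24", "10.0.4.0/24"]
+
+tags = {
+environment = "cgd"
+}
+azs = slice(data.aws_availability_zones.available.names, 0, 2)
+}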
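Review bot: `data "aws_availability_zones" "available" {}` at L157 applies no state filter, so the list that the `slice` at L168 takes its first two entries from can include zones the account cannot currently launch into; the data source's own name suggests the intent, so add the filter inside the block: `data "aws_availability_zones" "available" { state = "available" }`. The `slice(..., 0, 2)` also assumes at least two zones come back; in a region that returns fewer it fails at plan time, which is probably fine for an example but worth a one-line comment.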
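--- a/modules/perforce/examples/complete/main.tf
+++ b/modules/perforce/examples/complete/main.tf
@@ -0,0 +1,88 @@
+##########################################
+# Shared ECS Cluster for Services
+##########################################
+
+resource "aws_ecs_cluster" "perforce_cluster" {
+name = "perforce-cluster"
+
+setting {
+name = "containerInsights"
+value = "enabled"
+}
+}
+
+resource "aws_ecs_cluster_capacity_providers" "providers" {
+cluster_name = aws_ecs_cluster.perforce_cluster.name
+
+capacity_providers = ["FARGATE"]
+
+default_capacity_provider_strategy {
+base = 1
+weight = 100
+capacity_provider = "FARGATE"
+}
+}
+
+##########################################
+# Perforce Helix Core
+##########################################
+
+module "perforce_helix_core" {
+source = "../../helix-core"
+vpc_id = aws_vpc.perforce_vpc.id
+server_type = "p4d_commit"
+instance_subnet_id = aws_subnet.public_subnets[0].id
+instance_type = "c6g.large"
+instance_architecture = "arm64"
+
+storage_type = "EBS"
+depot_volume_size = 64
+metadata_volume_size = 32
+logs_volume_size = 32
+
+FQDN = "core.helix.perforce.${var.root_domain_name}"
+
+helix_authentication_service_url = "https://${aws_route53_record.helix_authentication_service.name}"
+}
+
+##########################################
+# Perforce Helix Authentication Service
+##########################################
+
+module "perforce_helix_authentication_service" {
+source = "../../helix-authentication-service"
+vpc_id = aws_vpc.perforce_vpc.id
+cluster_name = aws_ecs_cluster.perforce_cluster.name
+helix_authentication_service_alb_subnets = aws_subnet.public_subnets[*].id
+helix_authentication_service_subnets = aws_subnet.private_subnets[*].id
+certificate_arn = aws_acm_certificate.helix.arn
+
+enable_web_based_administration = true
+fqdn = "https://auth.helix.${var.root_domain_name}"
+
+depends_on = [aws_ecs_cluster.perforce_cluster, aws_acm_certificate_validation.helix]
+}
+
+##########################################
+# Perforce Helix Swarm
+##########################################
+
+module "perforce_helix_swarm" {
+source = "../../helix-swarm"
+vpc_id = aws_vpc.perforce_vpc.id
+cluster_name = aws_ecs_cluster.perforce_cluster.name
+helix_swarm_alb_subnets = aws_subnet.public_subnets[*].id
+helix_swarm_service_subnets = aws_subnet.private_subnets[*].id
+certificate_arn = aws_acm_certificate.helix.arn
+p4d_port = "ssl:${aws_route53_record.perforce_helix_core_pvt.name}:1666"
+p4d_super_user_arn = module.perforce_helix_core.helix_core_super_user_username_secret_arn
+p4d_super_user_password_arn = module.perforce_helix_core.helix_core_super_user_password_secret_arn
+p4d_swarm_user_arn = module.perforce_helix_core.helix_core_super_user_username_secret_arn
+p4d_swarm_password_arn = module.perforce_helix_core.helix_core_super_user_password_secret_arn
+
+enable_sso = true
+
+fqdn = "swarm.helix.${var.root_domain_name}"
+
+depends_on = [aws_ecs_cluster.perforce_cluster, aws_acm_certificate_validation.helix]
+}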
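Review bot: The `FQDN` given to `perforce_helix_core` at L215 is `core.helix.perforce.${var.root_domain_name}`, but the public record dns.tf creates for the instance is `core.helix.${data.aws_route53_zone.root.name}` and the ACM certificate covers `*.helix.${var.root_domain_name}`; the extra `perforce.` label means the name the server is told it owns neither resolves nor matches the certificate. The fix is the literal `FQDN = "core.helix.${var.root_domain_name}"` (referencing `aws_route53_record.perforce_helix_core.name` instead would form a cycle, because that record reads the module's EIP output). At L252-L253 the Swarm user and password ARNs are the same secrets as the super user at L250-L251, so Swarm runs with full administrative rights on the depot; a dedicated Swarm user limited to what the integration needs is the least-privilege shape, and at minimum a comment should state that reusing the super user is deliberate for this example. The auth module's `fqdn` at L233 includes an `https://` scheme while the Swarm module's at L257 does not; neither module's variable definition is in this commit, so this may be intended, but it is worth checking against the two variable descriptions.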
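--- a/modules/perforce/examples/complete/security.tf
+++ b/modules/perforce/examples/complete/security.tf
@@ -0,0 +1,33 @@
+##########################################
+# Internal Access - service to service
+##########################################
+
+# Helix Swarm -> Helix Core
+resource "aws_vpc_security_group_ingress_rule" "helix_core_inbound_swarm" {
+security_group_id = module.perforce_helix_core.security_group_id
+ip_protocol = "TCP"
+from_port = 1666
+to_port = 1666
+referenced_security_group_id = module.perforce_helix_swarm.service_security_group_id
+description = "Enables Helix Swarm to access Helix Core."
+}
+
+# Helix Core -> Helix Swarm
+resource "aws_vpc_security_group_ingress_rule" "helix_swarm_inbound_core" {
+security_group_id = module.perforce_helix_swarm.alb_security_group_id
+ip_protocol = "TCP"
+from_port = 443
+to_port = 443
+cidr_ipv4 = "${module.perforce_helix_core.helix_core_eip_public_ip}/32"
+description = "Enables Helix Core to access Helix Swarm"
+}
+
+# Helix Core -> Helix Authentication Service
+resource "aws_vpc_security_group_ingress_rule" "helix_auth_inbound_core" {
+security_group_id = module.perforce_helix_authentication_service.alb_security_group_id
+ip_protocol = "TCP"
+from_port = 443
+to_port = 443
+cidr_ipv4 = "${module.perforce_helix_core.helix_core_eip_public_ip}/32"
+description = "Enables Helix Core to access Helix Authentication Service"
+}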
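Review bot: The two 443 rules at L279-L296 admit only Helix Core's public EIP as a `/32`, which implies the Core-to-ALB traffic is expected to leave through the internet gateway and come back to the public ALB addresses rather than travel over private VPC addressing; if that is the intended path, a one-line comment beside `cidr_ipv4` saying so would stop the next reader from swapping in the private IP and silently breaking the rule. The same `"${module.perforce_helix_core.helix_core_eip_public_ip}/32"` expression is repeated at L284 and L294; a `local.helix_core_public_cidr` would keep the two in step. The descriptions at L285 and L295 drop the trailing period that L275 has; one form across the three rules is a small consistency point.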
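--- a/modules/perforce/examples/complete/variables.tf
+++ b/modules/perforce/examples/complete/variables.tf
@@ -0,0 +1,4 @@
+variable "root_domain_name" {
+type = string
+description = "The root domain name you would like to use for DNS."
+}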
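Review bot: `root_domain_name` at L300-L303 is interpolated into DNS record names, the private zone lookup and the ACM certificate's `domain_name` and SAN, but nothing rejects an empty value or a trailing dot, so a bad input surfaces as a confusing provider error at apply time rather than at plan time; a `validation` block on the variable catches it up front. The description could also say that a public Route 53 hosted zone for this name must already exist, since dns.tf reads it with a data source rather than creating it.
```hcl
variable "root_domain_name" {
  # … unchanged: type and description …

  validation {
    condition     = can(regex("^[A-Za-z0-9.-]+[A-Za-z0-9]$", var.root_domain_name))
    error_message = "root_domain_name must be a non-empty domain name without a trailing dot."
  }
}
```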
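--- a/modules/perforce/examples/complete/versions.tf
+++ b/modules/perforce/examples/complete/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+required_version = ">= 1.0"
+
+required_providers {
+aws = {
+source = "hashicorp/aws"
+version = "5.66.0"
+}
+}
+}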
130 changes: 130 additions & 0 deletions modules/perforce/examples/complete/vpc.tf
@@ -0,0 +1,130 @@
##########################################
# VPC
##########################################

resource "aws_vpc" "perforce_vpc" {
cidr_block = local.vpc_cidr_block
tags = merge(local.tags,
{
Name = "perforce-vpc"
}
)
enable_dns_hostnames = true
#checkov:skip=CKV2_AWS_11: VPC flow logging disabled by design
}

Check warning

Code scanning / checkov

Ensure VPC flow logging is enabled in all VPCs Warning

Ensure VPC flow logging is enabled in all VPCs

# Set default SG to restrict all traffic
resource "aws_default_security_group" "default" {
vpc_id = aws_vpc.perforce_vpc.id
}

##########################################
# Subnets
##########################################

resource "aws_subnet" "public_subnets" {
count = length(local.public_subnet_cidrs)
vpc_id = aws_vpc.perforce_vpc.id
cidr_block = element(local.public_subnet_cidrs, count.index)
availability_zone = element(local.azs, count.index)

tags = merge(local.tags,
{
Name = "pub-subnet-${count.index + 1}"
}
)
}

resource "aws_subnet" "private_subnets" {
count = length(local.private_subnet_cidrs)
vpc_id = aws_vpc.perforce_vpc.id
cidr_block = element(local.private_subnet_cidrs, count.index)
availability_zone = element(local.azs, count.index)

tags = merge(local.tags,
{
Name = "pvt-subnet-${count.index + 1}"
}
)
}

##########################################
# Internet Gateway
##########################################

resource "aws_internet_gateway" "igw" {
vpc_id = aws_vpc.perforce_vpc.id
tags = merge(local.tags,
{
Name = "perforce-igw"
}
)
}

##########################################
# Route Tables & NAT Gateway
##########################################

resource "aws_route_table" "public_rt" {
vpc_id = aws_vpc.perforce_vpc.id

# public route to the internet
route {
cidr_block = "0.0.0.0/0"
gateway_id = aws_internet_gateway.igw.id
}

tags = merge(local.tags,
{
Name = "perforce-public-rt"
}
)
}

resource "aws_route_table_association" "public_rt_asso" {
count = length(aws_subnet.public_subnets)
route_table_id = aws_route_table.public_rt.id
subnet_id = aws_subnet.public_subnets[count.index].id
}

resource "aws_eip" "nat_gateway_eip" {
depends_on = [aws_internet_gateway.igw]
#checkov:skip=CKV2_AWS_19:EIP associated with NAT Gateway through association ID
tags = merge(local.tags,
{
Name = "perforce-nat-eip"
}
)
}

Check warning

Code scanning / checkov

Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances Warning

Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances

resource "aws_route_table" "private_rt" {
vpc_id = aws_vpc.perforce_vpc.id

# route to the internet through NAT gateway
route {
cidr_block = "0.0.0.0/0"
nat_gateway_id = aws_nat_gateway.nat_gateway.id
}

tags = merge(local.tags,
{
Name = "perforce-private-rt"
}
)
}

resource "aws_route_table_association" "private_rt_asso" {
count = length(aws_subnet.private_subnets)
route_table_id = aws_route_table.private_rt.id
subnet_id = aws_subnet.private_subnets[count.index].id
}

resource "aws_nat_gateway" "nat_gateway" {
allocation_id = aws_eip.nat_gateway_eip.id
subnet_id = aws_subnet.public_subnets[0].id
tags = merge(local.tags,
{
Name = "perforce-nat"
}
)
}
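Review bot: Private-subnet egress at L435-L449 is routed through a single `aws_nat_gateway` placed in `public_subnets[0]` (L457-L465), so both private subnets, which local.tf spreads across two availability zones, lose outbound connectivity if that one zone's NAT gateway is unavailable; for an example this is acceptable, but a comment on `nat_gateway` noting the single-AZ choice would help, and one NAT gateway per public subnet with a route table per AZ is the usual shape when resilience matters. The `aws_eip` at L417-L425 sets no `domain`; with the pinned 5.x provider this appears to default to a VPC address, but `domain = "vpc"` makes the intent explicit and avoids relying on the default. The managed `aws_default_security_group` at L343-L346 with no rules correctly removes the VPC default's allow-all, which is the right baseline here.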
