forked from aws-games/cloud-game-development-toolkit
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Henrykie/helix swarm (aws-games#306)
- Loading branch information
Showing
31 changed files
with
798 additions
and
504 deletions.
There are no files selected for viewing
112 changes: 59 additions & 53 deletions
112
docs/media/diagrams/perforce-module-architectures.drawio
Large diffs are not rendered by default.
Oops, something went wrong.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
# Perforce Complete Example | ||
|
||
This example provisions [Helix Core](https://www.perforce.com/products/helix-core), [Helix Swarm](https://www.perforce.com/products/helix-swarm), and the [Helix Authentication Service](https://www.perforce.com/downloads/helix-authentication-service). It also configures security groups for each of these modules to allow inter-service communication. This example takes a single input variable:`root_domain_name` is expected to correspond to an existing [AWS Route53 hosted zone](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/route-53-concepts.html#route-53-concepts-hosted-zone). This hosted zone is used for provisioning DNS records used for external and internal routing, and enables this example to create validated SSL certificates on your behalf. | ||
|
||
If you do not have a domain yet you can [register one through Route53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-register.html#domain-register-procedure-section). | ||
|
||
If you already have a domain with a different domain registrar you can leverage Route53 for DNS services. [Please review the documentation for migrating to Route53 as your DNS provider.](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/MigratingDNS.html) | ||
|
||
If you own the domain: "example.com" this example will deploy Helix Core to "core.helix.example.com" and Helix Swarm to "swarm.helix.example.com" - this can be modified from the `dns.tf` file. | ||
|
||
## Deployment Architecture | ||
|
||
![Perforce Example Architecture](../../../media/images/perforce-complete-example.jpg) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
# Perforce | ||
|
||
[Perforce](https://www.perforce.com/) provides a number of products commonly used in Game development. The modules included in the Cloud Game Development Toolkit provision [Helix Core](https://www.perforce.com/products/helix-core), [Helix Swarm](https://www.perforce.com/products/helix-swarm), and the [Helix Authentication Service](https://www.perforce.com/downloads/helix-authentication-service). These modules can be stitched together to provision version control and code review tools for your developers. | ||
|
||
## Modules | ||
|
||
| Template | Description | | ||
| :--------------------------------------------------------------- | :- | | ||
| [__Helix Core__](./helix-core/helix-core.md) | A Terraform module for provisioning a [Helix Core](https://www.perforce.com/products/helix-core) version control server on AWS EC2. | | ||
| [__Helix Swarm__](./helix-swarm/helix-swarm.md) | A Terraform module for provisioning [Helix Swarm](https://www.perforce.com/products/helix-swarm) on AWS Elastic Container Service. | | ||
| [__Helix Authentication Service__](./helix-authentication-service/helix-authentication-service.md) | A Terraform module for provisioning the [Helix Authentication Service](https://www.perforce.com/downloads/helix-authentication-service) on AWS Elastic Container Service. | | ||
|
||
## Examples | ||
|
||
We currently provide a single, [complete example](./examples/complete.md) demonstrating deployment of all three modules in a single VPC. This example configures connectivity between each of the three modules and creates DNS records in an existing [AWS Route53](https://aws.amazon.com/route53/) for simple routing. Please use it as a starting point for your Perforce version control and code review deployments. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,105 @@ | ||
|
||
########################################## | ||
# Route53 Hosted Zone for FQDN | ||
########################################## | ||
data "aws_route53_zone" "root" { | ||
name = var.root_domain_name | ||
private_zone = false | ||
} | ||
|
||
########################################## | ||
# Perforce Helix DNS | ||
########################################## | ||
resource "aws_route53_zone" "helix_private_zone" { | ||
name = "helix.perforce.internal" | ||
#checkov:skip=CKV2_AWS_38: Hosted zone is private (vpc association) | ||
#checkov:skip=CKV2_AWS_39: Query logging disabled by design | ||
vpc { | ||
vpc_id = aws_vpc.perforce_vpc.id | ||
} | ||
} | ||
|
||
|
||
resource "aws_route53_record" "helix_swarm" { | ||
zone_id = data.aws_route53_zone.root.id | ||
name = "swarm.helix.${data.aws_route53_zone.root.name}" | ||
type = "A" | ||
alias { | ||
name = module.perforce_helix_swarm.alb_dns_name | ||
zone_id = module.perforce_helix_swarm.alb_zone_id | ||
evaluate_target_health = true | ||
} | ||
} | ||
|
||
resource "aws_route53_record" "helix_authentication_service" { | ||
zone_id = data.aws_route53_zone.root.zone_id | ||
name = "auth.helix.${data.aws_route53_zone.root.name}" | ||
type = "A" | ||
alias { | ||
name = module.perforce_helix_authentication_service.alb_dns_name | ||
zone_id = module.perforce_helix_authentication_service.alb_zone_id | ||
evaluate_target_health = true | ||
} | ||
} | ||
|
||
resource "aws_route53_record" "perforce_helix_core" { | ||
zone_id = data.aws_route53_zone.root.zone_id | ||
name = "core.helix.${data.aws_route53_zone.root.name}" | ||
type = "A" | ||
ttl = 300 | ||
#checkov:skip=CKV2_AWS_23:The attached resource is managed by CGD Toolkit | ||
records = [module.perforce_helix_core.helix_core_eip_public_ip] | ||
} | ||
|
||
resource "aws_route53_record" "perforce_helix_core_pvt" { | ||
zone_id = aws_route53_zone.helix_private_zone.zone_id | ||
name = "core.${aws_route53_zone.helix_private_zone.name}" | ||
type = "A" | ||
ttl = 300 | ||
#checkov:skip=CKV2_AWS_23:The attached resource is managed by CGD Toolkit | ||
records = [module.perforce_helix_core.helix_core_eip_private_ip] | ||
} | ||
|
||
########################################## | ||
# Helix Certificate Management | ||
########################################## | ||
|
||
resource "aws_acm_certificate" "helix" { | ||
domain_name = "helix.${var.root_domain_name}" | ||
subject_alternative_names = ["*.helix.${var.root_domain_name}"] | ||
|
||
validation_method = "DNS" | ||
|
||
tags = { | ||
Environment = "dev" | ||
} | ||
|
||
lifecycle { | ||
create_before_destroy = true | ||
} | ||
} | ||
|
||
resource "aws_route53_record" "helix_cert" { | ||
for_each = { | ||
for dvo in aws_acm_certificate.helix.domain_validation_options : dvo.domain_name => { | ||
name = dvo.resource_record_name | ||
record = dvo.resource_record_value | ||
type = dvo.resource_record_type | ||
} | ||
} | ||
|
||
allow_overwrite = true | ||
name = each.value.name | ||
records = [each.value.record] | ||
ttl = 60 | ||
type = each.value.type | ||
zone_id = data.aws_route53_zone.root.id | ||
} | ||
|
||
resource "aws_acm_certificate_validation" "helix" { | ||
timeouts { | ||
create = "15m" | ||
} | ||
certificate_arn = aws_acm_certificate.helix.arn | ||
validation_record_fqdns = [for record in aws_route53_record.helix_cert : record.fqdn] | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
data "aws_availability_zones" "available" {} | ||
|
||
locals { | ||
# VPC Configuration | ||
vpc_cidr_block = "10.0.0.0/16" | ||
public_subnet_cidrs = ["10.0.1.0/24", "10.0.2.0/24"] | ||
private_subnet_cidrs = ["10.0.3.0/24", "10.0.4.0/24"] | ||
|
||
tags = { | ||
environment = "cgd" | ||
} | ||
azs = slice(data.aws_availability_zones.available.names, 0, 2) | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,88 @@ | ||
########################################## | ||
# Shared ECS Cluster for Services | ||
########################################## | ||
|
||
resource "aws_ecs_cluster" "perforce_cluster" { | ||
name = "perforce-cluster" | ||
|
||
setting { | ||
name = "containerInsights" | ||
value = "enabled" | ||
} | ||
} | ||
|
||
resource "aws_ecs_cluster_capacity_providers" "providers" { | ||
cluster_name = aws_ecs_cluster.perforce_cluster.name | ||
|
||
capacity_providers = ["FARGATE"] | ||
|
||
default_capacity_provider_strategy { | ||
base = 1 | ||
weight = 100 | ||
capacity_provider = "FARGATE" | ||
} | ||
} | ||
|
||
########################################## | ||
# Perforce Helix Core | ||
########################################## | ||
|
||
module "perforce_helix_core" { | ||
source = "../../helix-core" | ||
vpc_id = aws_vpc.perforce_vpc.id | ||
server_type = "p4d_commit" | ||
instance_subnet_id = aws_subnet.public_subnets[0].id | ||
instance_type = "c6g.large" | ||
instance_architecture = "arm64" | ||
|
||
storage_type = "EBS" | ||
depot_volume_size = 64 | ||
metadata_volume_size = 32 | ||
logs_volume_size = 32 | ||
|
||
fully_qualified_domain_name = "core.helix.perforce.${var.root_domain_name}" | ||
|
||
helix_authentication_service_url = "https://${aws_route53_record.helix_authentication_service.name}" | ||
} | ||
|
||
########################################## | ||
# Perforce Helix Authentication Service | ||
########################################## | ||
|
||
module "perforce_helix_authentication_service" { | ||
source = "../../helix-authentication-service" | ||
vpc_id = aws_vpc.perforce_vpc.id | ||
cluster_name = aws_ecs_cluster.perforce_cluster.name | ||
helix_authentication_service_alb_subnets = aws_subnet.public_subnets[*].id | ||
helix_authentication_service_subnets = aws_subnet.private_subnets[*].id | ||
certificate_arn = aws_acm_certificate.helix.arn | ||
|
||
enable_web_based_administration = true | ||
fully_qualified_domain_name = "auth.helix.${var.root_domain_name}" | ||
|
||
depends_on = [aws_ecs_cluster.perforce_cluster, aws_acm_certificate_validation.helix] | ||
} | ||
|
||
########################################## | ||
# Perforce Helix Swarm | ||
########################################## | ||
|
||
module "perforce_helix_swarm" { | ||
source = "../../helix-swarm" | ||
vpc_id = aws_vpc.perforce_vpc.id | ||
cluster_name = aws_ecs_cluster.perforce_cluster.name | ||
helix_swarm_alb_subnets = aws_subnet.public_subnets[*].id | ||
helix_swarm_service_subnets = aws_subnet.private_subnets[*].id | ||
certificate_arn = aws_acm_certificate.helix.arn | ||
p4d_port = "ssl:${aws_route53_record.perforce_helix_core_pvt.name}:1666" | ||
p4d_super_user_arn = module.perforce_helix_core.helix_core_super_user_username_secret_arn | ||
p4d_super_user_password_arn = module.perforce_helix_core.helix_core_super_user_password_secret_arn | ||
p4d_swarm_user_arn = module.perforce_helix_core.helix_core_super_user_username_secret_arn | ||
p4d_swarm_password_arn = module.perforce_helix_core.helix_core_super_user_password_secret_arn | ||
|
||
enable_sso = true | ||
|
||
fully_qualified_domain_name = "swarm.helix.${var.root_domain_name}" | ||
|
||
depends_on = [aws_ecs_cluster.perforce_cluster, aws_acm_certificate_validation.helix] | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,33 @@ | ||
########################################## | ||
# Internal Access - service to service | ||
########################################## | ||
|
||
# Helix Swarm -> Helix Core | ||
resource "aws_vpc_security_group_ingress_rule" "helix_core_inbound_swarm" { | ||
security_group_id = module.perforce_helix_core.security_group_id | ||
ip_protocol = "TCP" | ||
from_port = 1666 | ||
to_port = 1666 | ||
referenced_security_group_id = module.perforce_helix_swarm.service_security_group_id | ||
description = "Enables Helix Swarm to access Helix Core." | ||
} | ||
|
||
# Helix Core -> Helix Swarm | ||
resource "aws_vpc_security_group_ingress_rule" "helix_swarm_inbound_core" { | ||
security_group_id = module.perforce_helix_swarm.alb_security_group_id | ||
ip_protocol = "TCP" | ||
from_port = 443 | ||
to_port = 443 | ||
cidr_ipv4 = "${module.perforce_helix_core.helix_core_eip_public_ip}/32" | ||
description = "Enables Helix Core to access Helix Swarm" | ||
} | ||
|
||
# Helix Core -> Helix Authentication Service | ||
resource "aws_vpc_security_group_ingress_rule" "helix_auth_inbound_core" { | ||
security_group_id = module.perforce_helix_authentication_service.alb_security_group_id | ||
ip_protocol = "TCP" | ||
from_port = 443 | ||
to_port = 443 | ||
cidr_ipv4 = "${module.perforce_helix_core.helix_core_eip_public_ip}/32" | ||
description = "Enables Helix Core to access Helix Authentication Service" | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
variable "root_domain_name" { | ||
type = string | ||
description = "The root domain name you would like to use for DNS." | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
terraform { | ||
required_version = ">= 1.0" | ||
|
||
required_providers { | ||
aws = { | ||
source = "hashicorp/aws" | ||
version = "5.66.0" | ||
} | ||
} | ||
} |
Oops, something went wrong.