locals {
  # Helm values rendered from helm/values.yaml. Every key in the map below is a
  # template variable consumed by that file, so the key names are the
  # template's interface: renaming one here needs the same change in values.yaml.
  # The rendered string becomes helm_release.mastodon's `values`, which Terraform
  # records in state -- the secrets interpolated below (SECRET_KEY_BASE,
  # OTP_SECRET, VAPID private key) therefore live in state as well, so the state
  # backend has to be treated as secret-bearing.
  mastodon_release_helm_values = templatefile(
    "${path.module}/helm/values.yaml",
    {
      MASTODON_CREATE_ADMIN : var.app_create_admin
      MASTODON_ADMIN_USERNAME : var.app_admin_username
      MASTODON_ADMIN_EMAIL : var.app_admin_email
      MASTODON_LOCALE : var.app_locale
      MASTODON_LOCAL_DOMAIN : var.domain
      # A caller-supplied secret name wins; otherwise the module-managed one.
      MASTODON_S3_EXISTING_SECRET : var.app_s3_existing_secret != null ? var.app_s3_existing_secret : kubernetes_secret.s3_secret.metadata[0].name
      MASTODON_S3_BUCKET_NAME : google_storage_bucket.bucket.name
      # NOTE(review): kubernetes_secret.mastodon_smtp_secret has count 0 when
      # app_smtp_username or app_smtp_password is null, so if
      # app_smtp_existing_secret is also null this [0] index fails at plan time.
      # Confirm that "SMTP must be configured one way or the other" is intended;
      # otherwise guard the fallback with length() as the redis entries do.
      MASTODON_SMTP_EXISTING_SECRET : var.app_smtp_existing_secret != null ? var.app_smtp_existing_secret : kubernetes_secret.mastodon_smtp_secret[0].metadata[0].name
      # Generated in Secret Manager (see local.mastodon_secrets). The lookup
      # keys are upper-cased var.app_keys entries, so var.app_keys must contain
      # secret_key_base and otp_secret (any case) or these lookups fail.
      MASTODON_SECRET_KEY_BASE : local.mastodon_secrets["SECRET_KEY_BASE"]
      MASTODON_OTP_SECRET : local.mastodon_secrets["OTP_SECRET"]
      # Caller-supplied VAPID key pair; assumes app_vapid_private_key is
      # declared sensitive in the module's variables -- confirm.
      MASTODON_VAPID_PUBLIC_KEY : var.app_vapid_public_key
      MASTODON_VAPID_PRIVATE_KEY : var.app_vapid_private_key
      # Database is reached over its private IP; credentials come from the
      # Kubernetes secret named by local.sql_k8s_secret_name, not from here.
      MASTODON_POSTGRES_HOST : module.sql_db.private_ip_address
      MASTODON_POSTGRES_USER : "mastodon"
      MASTODON_POSTGRES_DB : "mastodon"
      MASTODON_POSTGRES_SECRET_NAME : local.sql_k8s_secret_name
      MASTODON_GLOBAL_IP_NAME : local.mastodon_gcp_app_lb_ip_name
      # The chart-bundled redis is enabled only when Memorystore is NOT used,
      # hence the inverted condition.
      MASTODON_REDIS_ENABLED : var.memorystore_redis_enabled ? "false" : "true"
      # Both redis resources are count-gated on the same flag; the condition
      # guards the [0] index on each side, so the unselected branch is never
      # indexed.
      MASTODON_REDIS_HOSTNAME : var.memorystore_redis_enabled ? google_redis_instance.mastodon_redis[0].host : ""
      MASTODON_REDIS_SECRET_NAME : var.memorystore_redis_enabled ? kubernetes_secret.mastodon_memorystore_redis_secret[0].metadata[0].name : kubernetes_secret.mastodon_redis_secret[0].metadata[0].name
      # Only the global load balancer address is listed as a trusted proxy
      # (presumably feeds Mastodon's forwarded-header trust); keep this to the
      # LB in front of the app so client IPs cannot be spoofed from elsewhere.
      MASTODON_TRUSTED_PROXY_IP : google_compute_global_address.app_lb_ip.address
      NAME : var.name
    }
  )
  # ManagedCertificate manifest for the app domain (applied by
  # kubectl_manifest.gcp_managed_cert).
  mastodon_gcp_managed_cert_manifest = templatefile(
    "${path.module}/manifests/gcp-managed-cert.yaml",
    {
      MASTODON_LOCAL_DOMAIN : var.domain
      NAME : var.name
    }
  )
}
locals {
  # Map of UPPER_CASED app key name -> generated secret value, read back from
  # the Secret Manager versions. Both the secret and its version are keyed by
  # var.app_keys, so iterating the versions directly yields the same key set.
  # secret_data is plaintext in Terraform state, as with any Terraform-managed
  # secret; this map is what kubernetes_secret.mastodon_secrets publishes.
  mastodon_secrets = {
    for name, version in google_secret_manager_secret_version.mastodon_secrets_values :
    upper(name) => version.secret_data
  }
}
# Mastodon secrets.
resource "random_password" "mastodon_secrets_random" {
  # One 64-character alphanumeric value per entry in var.app_keys. The result
  # is only ever consumed through Secret Manager (see mastodon_secrets_values),
  # but like every random_password it is also kept in Terraform state.
  for_each = var.app_keys

  special = false
  length  = 64
}
resource "google_secret_manager_secret" "mastodon_secrets" {
  # One Secret Manager secret per app key, named "<name>-<key>" and pinned to a
  # single user-managed replica in var.region (no automatic multi-region copy).
  for_each = var.app_keys

  secret_id = format("%s-%s", var.name, each.key)
  project   = var.project_id

  replication {
    user_managed {
      replicas {
        location = var.region
      }
    }
  }
}
resource "google_secret_manager_secret_version" "mastodon_secrets_values" {
  # Stores the generated password for each app key as the secret's version.
  # Rotation would require replacing random_password.mastodon_secrets_random.
  for_each = var.app_keys

  secret_data = random_password.mastodon_secrets_random[each.key].result
  secret      = google_secret_manager_secret.mastodon_secrets[each.key].id
}
resource "kubernetes_secret" "mastodon_secrets" {
  # Publishes local.mastodon_secrets (UPPER_CASED keys) into the app namespace.
  # `data` takes plaintext values; the provider handles the base64 encoding.
  data = local.mastodon_secrets

  metadata {
    namespace = kubernetes_namespace.mastodon.id
    name      = local.mastodon_k8s_secret_name
  }

  # Redundant with the namespace reference in metadata, but harmless.
  depends_on = [kubernetes_namespace.mastodon]
}
# Redis secret.
resource "kubernetes_secret" "mastodon_memorystore_redis_secret" {
  # Memorystore variant: created only when var.memorystore_redis_enabled, and
  # shares local.redis_k8s_secret_name with mastodon_redis_secret below -- the
  # two are mutually exclusive through their count, so the name never collides.
  count = var.memorystore_redis_enabled ? 1 : 0

  metadata {
    namespace = kubernetes_namespace.mastodon.id
    name      = local.redis_k8s_secret_name
  }

  # AUTH string issued by the Memorystore instance.
  data = {
    redis-password = google_redis_instance.mastodon_redis[0].auth_string
  }

  depends_on = [kubernetes_namespace.mastodon]
}
resource "kubernetes_secret" "mastodon_redis_secret" {
  # In-cluster redis variant: the mirror image of
  # mastodon_memorystore_redis_secret, created only when Memorystore is off.
  count = var.memorystore_redis_enabled ? 0 : 1

  metadata {
    namespace = kubernetes_namespace.mastodon.id
    name      = local.redis_k8s_secret_name
  }

  # Locally generated password (see mastodon_redis_secret_random).
  data = {
    redis-password = random_password.mastodon_redis_secret_random[0].result
  }

  depends_on = [kubernetes_namespace.mastodon]
}
resource "random_password" "mastodon_redis_secret_random" {
  # 32-character alphanumeric password for the chart-bundled redis; only
  # generated when Memorystore is not in use.
  count = var.memorystore_redis_enabled ? 0 : 1

  special = false
  length  = 32
}
resource "helm_release" "mastodon" {
  # Installs the vendored mastodon chart from charts/ into the app namespace.
  name       = var.name
  chart      = "mastodon"
  repository = "${path.module}/charts"
  namespace  = kubernetes_namespace.mastodon.id

  # TODO: Remove this once the public chart is updated
  dependency_update = true

  # 30 minutes; the first install is the slow path.
  timeout = 1800

  # The module-rendered values always come first. Caller-supplied extra values
  # are appended only when non-blank and, being later in the list, override any
  # module value they repeat -- including the secret references -- so treat
  # var.app_helm_additional_values as trusted input.
  values = concat(
    [local.mastodon_release_helm_values],
    trimspace(var.app_helm_additional_values) != "" ? [var.app_helm_additional_values] : []
  )

  # Cluster and database must exist before the chart's jobs try to reach them.
  depends_on = [
    module.gke,
    module.sql_db
  ]
}
resource "kubectl_manifest" "gcp_managed_cert" {
  # Applies the rendered ManagedCertificate for var.domain into the app
  # namespace once the chart (and its ingress) is in place.
  override_namespace = kubernetes_namespace.mastodon.id
  yaml_body          = local.mastodon_gcp_managed_cert_manifest

  depends_on = [
    helm_release.mastodon
  ]
}
# Create smtp secret.
resource "kubernetes_secret" "mastodon_smtp_secret" {
  # Only created when both SMTP credentials are supplied; callers bringing
  # their own secret use var.app_smtp_existing_secret instead. Assumes
  # app_smtp_password is declared sensitive in the module's variables -- confirm.
  count = (var.app_smtp_username == null || var.app_smtp_password == null) ? 0 : 1

  metadata {
    namespace = kubernetes_namespace.mastodon.id
    name      = local.smtp_k8s_secret_name
  }

  # Key names are what the chart expects; do not rename.
  data = {
    password = var.app_smtp_password
    username = var.app_smtp_username
  }

  depends_on = [kubernetes_namespace.mastodon]
}