# AWS provider used for every AWS-backed resource and data source in this file.
# Whatever credentials the runner has are exchanged for var.role_arn through
# STS AssumeRole, so the runner itself only needs the right to assume that
# role rather than direct permissions in the target account.
# A version constraint inside the provider block is the pre-Terraform-0.13
# form; newer Terraform prefers terraform { required_providers { ... } }.
provider "aws" {
  region  = var.region
  version = "~> 3.0"

  assume_role {
    role_arn = var.role_arn
  }
}
# Reads the outputs of the "operating-system" ALM root module (EKS kubeconfig,
# subnets, security group, TLS certificate ARNs, WAF ACL, DNS zones, DB host,
# DB password secret id) from its S3 backend.
# The bucket is read with a separately assumed role (var.alm_role_arn) and
# lives in us-east-2 regardless of var.region. The workspace read is the
# *current* one (terraform.workspace); var.alm_workspace is not used here.
# Terraform records data-source results in state, so every output referenced
# below is copied into this module's own state as well.
data "terraform_remote_state" "env_remote_state" {
  backend   = "s3"
  workspace = terraform.workspace

  config = {
    role_arn = var.alm_role_arn
    region   = "us-east-2"
    bucket   = var.alm_state_bucket_name
    key      = "operating-system"
  }
}
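# Writes the EKS kubeconfig from the ALM state to disk so that the helm
# provisioner below can reach the cluster through $KUBECONFIG.
# The kubeconfig is a cluster credential, so the file is restricted to its
# owner: without file_permission, local_file creates the file with the
# provider default mode "0777" (before umask). file_permission requires
# hashicorp/local >= 1.4.0.
resource "local_file" "kubeconfig" {
  filename        = "${path.module}/outputs/kubeconfig"
  content         = data.terraform_remote_state.env_remote_state.outputs.eks_cluster_kubeconfig
  file_permission = "0600"
}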
# Resolves the current version of the LimeSurvey DB password in Secrets
# Manager; the secret id itself comes from the ALM state.
# The resolved secret_string is rendered into the helm values file below and
# is also recorded in this module's Terraform state, so the state backend
# has to be treated as holding this credential.
data "aws_secretsmanager_secret_version" "lime_db_password_id" {
  secret_id = data.terraform_remote_state.env_remote_state.outputs.lime_db_password_id
}
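# Renders the per-workspace helm values file consumed by helm_deploy.
# The file carries the DB password in clear text, so it is created owner-only:
# without file_permission, local_file uses the provider default "0777" (before
# umask). file_permission requires hashicorp/local >= 1.4.0. The password is
# still shown in `terraform plan` output and stored in state; sensitive_content
# (local >= 1.4) or the local_sensitive_file resource (local >= 2.2) would hide
# it from the plan diff.
# The YAML nesting below is reconstructed from a whitespace-stripped listing:
# the annotations clearly belong under ingress and the db/mysql keys are
# nested, but whether dnsZone, rootDnsZone and port belong under ingress or at
# the top level must be confirmed against the chart's values.yaml.
# Points worth checking in the ALM module rather than here: the ALB is
# attached to an output named allow_all_security_group, and public_subnets are
# used even when var.is_internal selects an internal scheme.
resource "local_file" "helm_vars" {
  filename        = "${path.module}/outputs/${terraform.workspace}.yaml"
  file_permission = "0600"

  # <<- strips the common leading whitespace so the YAML can be indented here.
  content = <<-EOF
    serviceType: NodePort
    ingress:
      annotations:
        alb.ingress.kubernetes.io/ssl-policy: "ELBSecurityPolicy-TLS-1-2-2017-01"
        alb.ingress.kubernetes.io/scheme: "${var.is_internal ? "internal" : "internet-facing"}"
        alb.ingress.kubernetes.io/subnets: "${join(",", data.terraform_remote_state.env_remote_state.outputs.public_subnets)}"
        alb.ingress.kubernetes.io/security-groups: "${data.terraform_remote_state.env_remote_state.outputs.allow_all_security_group}"
        alb.ingress.kubernetes.io/certificate-arn: "${data.terraform_remote_state.env_remote_state.outputs.tls_certificate_arn},${data.terraform_remote_state.env_remote_state.outputs.root_tls_certificate_arn}"
        alb.ingress.kubernetes.io/tags: scos.delete.on.teardown=true
        alb.ingress.kubernetes.io/actions.redirect: '{"Type": "redirect", "RedirectConfig":{"Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
        alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
        alb.ingress.kubernetes.io/wafv2-acl-arn: "${data.terraform_remote_state.env_remote_state.outputs.eks_cluster_waf_acl_arn}"
      dnsZone: "${data.terraform_remote_state.env_remote_state.outputs.internal_dns_zone_name}"
      rootDnsZone: "${data.terraform_remote_state.env_remote_state.outputs.root_dns_zone_name}"
      port: 80
    db:
      host: "${data.terraform_remote_state.env_remote_state.outputs.lime_db_address}"
      user: "lime_survey"
      db_name: "lime_survey"
      password: "${data.aws_secretsmanager_secret_version.lime_db_password_id.secret_string}"
    mysql:
      enabled: false
  EOF
}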
# Runs `helm upgrade --install` for the lime-survey chart on every apply.
# uuid() yields a new value on each plan, so the null_resource is always
# replaced and its provisioner always runs; timestamp() would behave the same.
# The command executes on the machine running terraform and depends on helm
# being installed plus the kubeconfig and values file (which contains the DB
# password) already being present under outputs/. `set -x` echoes each command
# to the apply log; only file paths appear there, not file contents.
# The EKS region is hard-coded to us-east-2 here (and in the remote-state
# config) independently of var.region.
resource "null_resource" "helm_deploy" {
  triggers = {
    # Always-different value: forces replacement, and therefore the local-exec, on every apply.
    hack_that_always_forces_null_resources_to_execute = uuid()
  }

  provisioner "local-exec" {
    # <<- strips the uniform leading indent; the script text is unchanged.
    command = <<-EOF
      set -x
      export KUBECONFIG=${local_file.kubeconfig.filename}
      export AWS_DEFAULT_REGION=us-east-2
      helm upgrade --install lime-survey ./chart --namespace=lime-survey \
      --values ${local_file.helm_vars.filename}
    EOF
  }
}
# Selects the ALB scheme written into the helm values: true renders
# "internal", false (the default) renders "internet-facing".
variable "is_internal" {
  default     = false
  description = "Should the ALBs be internal facing"
}
# Region the aws provider operates in. The remote-state bucket and the helm
# command hard-code us-east-2 separately, so this value does not affect them.
variable "region" {
  default     = "us-west-2"
  description = "Region of ALM resources"
}
# Role assumed by the aws provider. The default pins a specific account's
# jenkins_role, which ties the module to that account unless overridden.
variable "role_arn" {
  default     = "arn:aws:iam::199837183662:role/jenkins_role"
  description = "The ARN for the assume role for ALM access"
}
# Role used to read the ALM remote state bucket (see the
# terraform_remote_state data source). Default and description are identical
# to role_arn's, so the two roles are only separable by overriding this one.
variable "alm_role_arn" {
  default     = "arn:aws:iam::199837183662:role/jenkins_role"
  description = "The ARN for the assume role for ALM access"
}
# S3 bucket holding the ALM root module's state, read by the
# terraform_remote_state data source under the "operating-system" key.
variable "alm_state_bucket_name" {
  default     = "scos-alm-terraform-state"
  description = "The name of the S3 state bucket for ALM"
}
# Not referenced in this file: the remote-state data source reads
# terraform.workspace rather than this variable. Presumably consumed by another
# file in the module, or left over from an earlier version; verify before
# relying on it to select the ALM workspace.
variable "alm_workspace" {
  default     = "alm"
  description = "The workspace to pull ALM outputs from"
}