Merge pull request #29 from telia-oss/add-logrotate

Add logrotate

modules/atc/main.tf

@@ -51,7 +51,7 @@ module "atc" {
   version = "3.1.0"
 
   name_prefix          = "${var.name_prefix}-atc"
-  user_data            = local.user_data
+  user_data            = data.template_cloudinit_config.atc.rendered
   vpc_id               = var.vpc_id
   subnet_ids           = var.private_subnet_ids
   min_size             = var.min_size
@@ -67,46 +67,52 @@ module "atc" {
   tags                 = var.tags
 }
 
-locals {
-  template             = "Environment=\"%s=%s\""
-  local_user           = var.local_user != "" ? format(local.template, "CONCOURSE_ADD_LOCAL_USER", var.local_user) : ""
-  local_admin_user     = var.local_admin_user != "" ? format(local.template, "CONCOURSE_MAIN_TEAM_LOCAL_USER", var.local_admin_user) : ""
-  github_users         = length(var.github_users) > 0 ? format(local.template, "CONCOURSE_MAIN_TEAM_GITHUB_USER", join(",", var.github_users)) : ""
-  github_teams         = length(var.github_teams) > 0 ? format(local.template, "CONCOURSE_MAIN_TEAM_GITHUB_TEAM", join(",", var.github_teams)) : ""
-  prometheus_bind_ip   = var.prometheus_enabled ? format(local.template, "CONCOURSE_PROMETHEUS_BIND_IP", "0.0.0.0") : ""
-  prometheus_bind_port = var.prometheus_enabled ? format(local.template, "CONCOURSE_PROMETHEUS_BIND_PORT", var.prometheus_port) : ""
-  start_node_exporter  = var.prometheus_enabled ? "systemctl enable node_exporter.service --now" : "echo \"Prometheus disabled, not starting node-exporter\""
-  concourse_web_host   = "${lower(var.web_protocol)}://${var.domain != "" ? var.domain : module.external_lb.dns_name}:${var.web_port}"
-
-  user_data = templatefile("${path.module}/cloud-config.yml", {
-    stack_name             = "${var.name_prefix}-atc-asg"
-    region                 = data.aws_region.current.name
-    target_group           = aws_lb_target_group.internal.arn
-    atc_port               = var.atc_port
-    tsa_port               = var.tsa_port
-    local_user             = local.local_user
-    local_admin_user       = local.local_admin_user
-    github_client_id       = var.github_client_id
-    github_client_secret   = var.github_client_secret
-    github_users           = local.github_users
-    github_teams           = local.github_teams
-    prometheus_bind_ip     = local.prometheus_bind_ip
-    prometheus_bind_port   = local.prometheus_bind_port
-    start_node_exporter    = local.start_node_exporter
-    concourse_web_host     = local.concourse_web_host
-    postgres_host          = var.postgres_host
-    postgres_port          = var.postgres_port
-    postgres_username      = var.postgres_username
-    postgres_password      = var.postgres_password
-    postgres_database      = var.postgres_database
-    log_group_name         = aws_cloudwatch_log_group.atc.name
-    log_level              = var.log_level
-    tsa_host_key           = file("${var.concourse_keys}/tsa_host_key")
-    session_signing_key    = file("${var.concourse_keys}/session_signing_key")
-    authorized_worker_keys = file("${var.concourse_keys}/authorized_worker_keys")
-    encryption_key         = var.encryption_key
-    old_encryption_key     = var.old_encryption_key
-  })
+data "template_cloudinit_config" "atc" {
+  gzip          = false
+  base64_encode = true
+
+  part {
+    content_type = "text/cloud-config"
+
+    content = templatefile("${path.module}/../cloud-init/shared.yml", {
+      region             = data.aws_region.current.name
+      log_group_name     = aws_cloudwatch_log_group.atc.name
+      prometheus_enabled = var.prometheus_enabled
+    })
+  }
+
+  part {
+    content_type = "text/cloud-config"
+    merge_type   = "list(append)+dict(recurse_array)+str()"
+
+    content = templatefile("${path.module}/../cloud-init/atc.yml", {
+      region                 = data.aws_region.current.name
+      stack_name             = "${var.name_prefix}-atc-asg"
+      target_group           = aws_lb_target_group.internal.arn
+      atc_port               = var.atc_port
+      tsa_port               = var.tsa_port
+      local_user             = var.local_user
+      local_admin_user       = var.local_admin_user
+      github_client_id       = var.github_client_id
+      github_client_secret   = var.github_client_secret
+      github_users           = var.github_users
+      github_teams           = var.github_teams
+      prometheus_enabled     = var.prometheus_enabled
+      prometheus_bind_port   = var.prometheus_port
+      concourse_web_host     = "${lower(var.web_protocol)}://${var.domain != "" ? var.domain : module.external_lb.dns_name}:${var.web_port}"
+      postgres_host          = var.postgres_host
+      postgres_port          = var.postgres_port
+      postgres_username      = var.postgres_username
+      postgres_password      = var.postgres_password
+      postgres_database      = var.postgres_database
+      log_level              = var.log_level
+      tsa_host_key           = file("${var.concourse_keys}/tsa_host_key")
+      session_signing_key    = file("${var.concourse_keys}/session_signing_key")
+      authorized_worker_keys = file("${var.concourse_keys}/authorized_worker_keys")
+      encryption_key         = var.encryption_key
+      old_encryption_key     = var.old_encryption_key
+    })
+  }
 }
 
 resource "aws_cloudwatch_log_group" "atc" {

modules/atc/cloud-config.yml → modules/cloud-init/atc.yml

@@ -15,25 +15,6 @@ write_files:
     owner: "root"
     encoding: base64
     content: ${base64encode(authorized_worker_keys)}
-  - path: "/etc/awslogs/awscli.template"
-    permissions: "0644"
-    owner: "root"
-    content: |
-      [plugins]
-      cwlogs = cwlogs
-      [default]
-      region = ${region}
-  - path: "/etc/awslogs/awslogs.template"
-    permissions: "0644"
-    owner: "root"
-    content: |
-      [general]
-      state_file = /var/lib/awslogs/agent-state
-
-      [/var/log/concourse.log]
-      file = /var/log/concourse.log
-      log_group_name = ${log_group_name}
-      log_stream_name = {instance_id}
   - path: "/etc/systemd/system/concourse.service"
     permissions: "0644"
     owner: "root"
@@ -52,17 +33,11 @@ write_files:
 
       Environment="CONCOURSE_GITHUB_CLIENT_ID=${github_client_id}"
       Environment="CONCOURSE_GITHUB_CLIENT_SECRET=${github_client_secret}"
-      ${github_users}
-      ${github_teams}
-      ${local_user}
-      ${local_admin_user}
-
       Environment="CONCOURSE_POSTGRES_HOST=${postgres_host}"
       Environment="CONCOURSE_POSTGRES_PORT=${postgres_port}"
       Environment="CONCOURSE_POSTGRES_USER=${postgres_username}"
       Environment="CONCOURSE_POSTGRES_PASSWORD=${postgres_password}"
       Environment="CONCOURSE_POSTGRES_DATABASE=${postgres_database}"
-
       Environment="CONCOURSE_EXTERNAL_URL=${concourse_web_host}"
       Environment="CONCOURSE_LOG_LEVEL=${log_level}"
       Environment="CONCOURSE_TSA_LOG_LEVEL=${log_level}"
@@ -73,45 +48,16 @@ write_files:
       Environment="CONCOURSE_OLD_ENCRYPTION_KEY=${old_encryption_key}"
       Environment="CONCOURSE_AWS_SECRETSMANAGER_REGION=${region}"
 
-      ${prometheus_bind_ip}
-      ${prometheus_bind_port}
+      %{ if local_user != "" }Environment="CONCOURSE_ADD_LOCAL_USER=${local_user}"%{ endif }
+      %{ if local_admin_user != "" }Environment="CONCOURSE_MAIN_TEAM_LOCAL_USER=${local_admin_user}"%{ endif }
+      %{ if length(github_users) > 0 }Environment="CONCOURSE_MAIN_TEAM_GITHUB_USER=${join(",", github_users)}"%{ endif }
+      %{ if length(github_teams) > 0 }Environment="CONCOURSE_MAIN_TEAM_GITHUB_TEAM=${join(",", github_teams)}"%{ endif }
+      %{ if prometheus_enabled }Environment="CONCOURSE_PROMETHEUS_BIND_IP=0.0.0.0"%{ endif }
+      %{ if prometheus_enabled }Environment="CONCOURSE_PROMETHEUS_BIND_PORT=${prometheus_bind_port}"%{ endif }
 
       ExecStartPre=/bin/bash -c "/bin/systemctl set-environment CONCOURSE_PEER_ADDRESS=$(curl -L http://169.254.169.254/latest/meta-data/local-ipv4)"
       ExecStart=/usr/local/bin/aws-env exec -- /usr/local/concourse/bin/concourse web
 
-      [Install]
-      WantedBy=multi-user.target
-  - path: "/etc/systemd/system/node_exporter.service"
-    permissions: "0644"
-    owner: "root"
-    content: |
-      [Unit]
-      Description=Node exporter for Prometheus to scrape
-      Requires=network-online.target
-      After=network-online.target
-
-      [Service]
-      Type=simple
-      Restart=always
-      ExecStart=/usr/local/bin/node_exporter
-
-      [Install]
-      WantedBy=multi-user.target
-  - path: "/etc/systemd/system/concourse-logging.service"
-    permissions: "0644"
-    owner: "root"
-    content: |
-      [Unit]
-      Description=Service for Concourse logging
-      After=rc-local.service
-
-      [Service]
-      Type=simple
-      Restart=always
-      TimeoutSec=infinity
-
-      ExecStart=/bin/bash -c '/usr/bin/journalctl -u concourse --no-tail -f -o cat > /var/log/concourse.log'
-
       [Install]
       WantedBy=multi-user.target
   - path: "/usr/local/scripts/cloudformation-signal.sh"
@@ -134,14 +80,6 @@ write_files:
           echo "State is $${state}"
       done
 runcmd:
-  - |
-    cp /etc/awslogs/awscli.template /etc/awslogs/awscli.conf
-    cp /etc/awslogs/awslogs.template /etc/awslogs/awslogs.conf
-  - |
-    systemctl enable concourse-logging.service --now
-    systemctl enable awslogsd.service --now
-    systemctl enable concourse.service --now
-    ${start_node_exporter}
   - |
     /usr/local/scripts/cloudformation-signal.sh
     /opt/aws/bin/cfn-signal -e $? --stack ${stack_name} --resource AutoScalingGroup --region ${region}

modules/cloud-init/shared.yml

@@ -0,0 +1,76 @@
+#cloud-config
+write_files:
+  - path: "/etc/awslogs/awscli.template"
+    permissions: "0644"
+    owner: "root"
+    content: |
+      [plugins]
+      cwlogs = cwlogs
+      [default]
+      region = ${region}
+  - path: "/etc/awslogs/awslogs.template"
+    permissions: "0644"
+    owner: "root"
+    content: |
+      [general]
+      state_file = /var/lib/awslogs/agent-state
+
+      [/var/log/concourse.log]
+      file = /var/log/concourse.log
+      log_group_name = ${log_group_name}
+      log_stream_name = {instance_id}
+  - path: "/etc/systemd/system/node_exporter.service"
+    permissions: "0644"
+    owner: "root"
+    content: |
+      [Unit]
+      Description=Node exporter for Prometheus to scrape
+      Requires=network-online.target
+      After=network-online.target
+
+      [Service]
+      Type=simple
+      Restart=always
+      ExecStart=/usr/local/bin/node_exporter
+
+      [Install]
+      WantedBy=multi-user.target
+  - path: "/etc/systemd/system/concourse-logging.service"
+    permissions: "0644"
+    owner: "root"
+    content: |
+      [Unit]
+      Description=Service for Concourse logging
+      After=rc-local.service
+
+      [Service]
+      Type=simple
+      Restart=always
+      TimeoutSec=infinity
+
+      ExecStart=/bin/bash -c '/usr/bin/journalctl -u concourse --no-tail -f -o cat > /var/log/concourse.log'
+
+      [Install]
+      WantedBy=multi-user.target
+  - path: "/etc/logrotate.d/concourse"
+    permissions: "0644"
+    owner: "root"
+    content: |
+      /var/log/concourse.log {
+          create 0644 root root
+          daily
+          rotate 1
+          size 100M
+          postrotate
+              systemctl restart concourse-logging awslogsd
+          endscript
+      }
+runcmd:
+  - |
+    cp /etc/awslogs/awscli.template /etc/awslogs/awscli.conf
+    cp /etc/awslogs/awslogs.template /etc/awslogs/awslogs.conf
+  - |
+    systemctl enable concourse-logging.service --now
+    systemctl enable awslogsd.service --now
+    systemctl enable concourse.service --now
+    %{if prometheus_enabled } systemctl enable node_exporter.service --now %{ endif }

modules/worker/cloud-config.yml → modules/cloud-init/worker.yml

@@ -15,25 +15,6 @@ write_files:
     owner: "root"
     encoding: base64
     content: ${base64encode(pub_worker_key)}
-  - path: "/etc/awslogs/awscli.template"
-    permissions: "0644"
-    owner: "root"
-    content: |
-      [plugins]
-      cwlogs = cwlogs
-      [default]
-      region = ${region}
-  - path: "/etc/awslogs/awslogs.template"
-    permissions: "0644"
-    owner: "root"
-    content: |
-      [general]
-      state_file = /var/lib/awslogs/agent-state
-
-      [/var/log/concourse.log]
-      file = /var/log/concourse.log
-      log_group_name = ${log_group_name}
-      log_stream_name = {instance_id}
   - path: "/etc/systemd/system/concourse.service"
     permissions: "0644"
     owner: "root"
@@ -68,39 +49,6 @@ write_files:
       ExecStop=/usr/local/concourse/bin/concourse retire-worker
       ExecStop=/bin/bash -c "while pgrep concourse >> /dev/null; do echo draining worker... && sleep 5; done; echo done draining!"
 
-      [Install]
-      WantedBy=multi-user.target
-  - path: "/etc/systemd/system/node_exporter.service"
-    permissions: "0644"
-    owner: "root"
-    content: |
-      [Unit]
-      Description=Node exporter for Prometheus to scrape
-      Requires=network-online.target
-      After=network-online.target
-
-      [Service]
-      Type=simple
-      Restart=always
-      ExecStart=/usr/local/bin/node_exporter
-
-      [Install]
-      WantedBy=multi-user.target
-  - path: "/etc/systemd/system/concourse-logging.service"
-    permissions: "0644"
-    owner: "root"
-    content: |
-      [Unit]
-      Description=Service for Concourse logging
-      After=rc-local.service
-
-      [Service]
-      Type=simple
-      Restart=always
-      TimeoutSec=infinity
-
-      ExecStart=/bin/bash -c '/usr/bin/journalctl -u concourse --no-tail -f -o cat > /var/log/concourse.log'
-
       [Install]
       WantedBy=multi-user.target
   - path: "/etc/systemd/system/lifecycled.service"
@@ -155,15 +103,9 @@ write_files:
 
       systemctl stop concourse.service
 runcmd:
-  - |
-    cp /etc/awslogs/awscli.template /etc/awslogs/awscli.conf
-    cp /etc/awslogs/awslogs.template /etc/awslogs/awslogs.conf
   - |
     systemctl enable lifecycled.service --now
-    systemctl enable concourse-logging.service --now
-    systemctl enable awslogsd.service --now
-    systemctl enable concourse.service --now
-    ${start_node_exporter}
   - |
     /usr/local/scripts/cloudformation-signal.sh
     /opt/aws/bin/cfn-signal -e $? --stack ${stack_name} --resource AutoScalingGroup --region ${region}
+