

TES-304: Added configuration overrides for GraphDB
- Added optional cluster token configuration (if not provided, a random secret is generated)
- Added insertion of additional optional graphdb.properties configurations
- Added optional GraphDB environment variables configurations
mihailradkov committed Nov 12, 2023
1 parent 9e19115 commit 2682063
Showing 7 changed files with 130 additions and 7 deletions.
9 changes: 6 additions & 3 deletions main.tf
Expand Up @@ -84,10 +84,13 @@ module "configuration" {
source = "./modules/configuration"

resource_group_name = azurerm_resource_group.graphdb.name
identity_name = module.identity.identity_name
key_vault_name = module.vault.key_vault_name

identity_name = module.identity.identity_name
graphdb_license_path = var.graphdb_license_path
key_vault_name = module.vault.key_vault_name
graphdb_license_path = var.graphdb_license_path
graphdb_cluster_token = var.graphdb_cluster_token
graphdb_properties_path = var.graphdb_properties_path
graphdb_java_options = var.graphdb_java_options

tags = local.tags

44 changes: 44 additions & 0 deletions modules/configuration/main.tf
Expand Up @@ -8,6 +8,16 @@ data "azurerm_key_vault" "graphdb" {
resource_group_name = var.resource_group_name
}

resource "random_password" "graphdb-cluster-token" {
count = var.graphdb_cluster_token != null ? 0 : 1
length = 16
special = true
}

locals {
graphdb_cluster_token = var.graphdb_cluster_token != null ? var.graphdb_cluster_token : random_password.graphdb-cluster-token[0].result
}

resource "azurerm_key_vault_secret" "graphdb-license" {
key_vault_id = data.azurerm_key_vault.graphdb.id

Expand All @@ -17,7 +27,41 @@ resource "azurerm_key_vault_secret" "graphdb-license" {
tags = var.tags
}

resource "azurerm_key_vault_secret" "graphdb-cluster-token" {
count = var.graphdb_java_options != null ? 1 : 0

key_vault_id = data.azurerm_key_vault.graphdb.id

name = var.graphdb_cluster_token_name
value = base64encode(local.graphdb_cluster_token)

tags = var.tags
}

resource "azurerm_key_vault_secret" "graphdb-properties" {
count = var.graphdb_properties_path != null ? 1 : 0

key_vault_id = data.azurerm_key_vault.graphdb.id

name = var.graphdb_properties_secret_name
value = filebase64(var.graphdb_properties_path)

tags = var.tags
}

resource "azurerm_key_vault_secret" "graphdb-java-options" {
count = var.graphdb_java_options != null ? 1 : 0

key_vault_id = data.azurerm_key_vault.graphdb.id

name = var.graphdb_java_options_secret_name
value = base64encode(var.graphdb_java_options)

tags = var.tags
}

# TODO: Cannot assign the secret resource as scope for some reason... it doesn't show in the console and it does not work in the VMs
# TODO: Not the right place for this to be here if we cannot give more granular access

# Give rights to the provided identity to be able to read it from the vault
resource "azurerm_role_assignment" "graphdb-license-reader" {
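Review bot: The `count` on `azurerm_key_vault_secret.graphdb-cluster-token` is gated on `var.graphdb_java_options` rather than on the token itself, so the secret is never written when no Java options are supplied, while the entrypoint template in this same commit reads `graphdb-cluster-token` from the vault unconditionally. Because `local.graphdb_cluster_token` always resolves (user-supplied or generated), the `count = var.graphdb_java_options != null ? 1 : 0` line should simply be dropped so the secret is always created. Separately, the `!= null` checks in `random_password` and `locals` pass an empty string through verbatim, which would become an empty cluster token; a `validation { condition = var.graphdb_cluster_token == null || length(var.graphdb_cluster_token) > 0 }` block on the variable, or treating `""` like `null` in both conditions, closes that. Note also that the generated `random_password` value is stored in plaintext in the Terraform state, so the state backend needs the same access controls as the vault.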
38 changes: 37 additions & 1 deletion modules/configuration/variables.tf
Expand Up @@ -11,7 +11,7 @@ variable "resource_group_name" {
type = string
}

# Dependencies
# Security dependencies

variable "identity_name" {
description = "Name of a user assigned identity for assigning permissions"
Expand All @@ -35,3 +35,39 @@ variable "graphdb_license_secret_name" {
type = string
default = "graphdb-license"
}

variable "graphdb_cluster_token" {
description = "Secret token used to secure the internal GraphDB cluster communication."
type = string
default = null
}

variable "graphdb_cluster_token_name" {
description = "Name of the Key Vault secret that contains the GraphDB cluster secret token."
type = string
default = "graphdb-cluster-token"
}

variable "graphdb_properties_path" {
description = "Path to a local file containing GraphDB properties (graphdb.properties) that would be appended to the default in the VM."
type = string
default = null
}

variable "graphdb_properties_secret_name" {
description = "Name of the Key Vault secret that contains the GraphDB properties."
type = string
default = "graphdb-properties"
}

variable "graphdb_java_options" {
description = "GraphDB options to pass to GraphDB with GRAPHDB_JAVA_OPTS environment variable."
type = string
default = null
}

variable "graphdb_java_options_secret_name" {
description = "Name of the Key Vault secret that contains the GraphDB GRAPHDB_JAVA_OPTS configurations."
type = string
default = "graphdb-java-options"
}
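Review bot: `graphdb_cluster_token` carries a secret but is not declared `sensitive = true`, so a supplied value is printed in plan and apply output and in CI logs; add `sensitive = true` beneath `default = null` in that block. `graphdb_java_options` is a free-form string that operators often use to pass credentials as system properties, so it is worth the same flag if that usage is expected. `sensitive` requires Terraform 0.14 or later, which the module's `required_version` (not visible in this diff) would need to allow.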
4 changes: 4 additions & 0 deletions modules/configuration/versions.tf
Expand Up @@ -6,5 +6,9 @@ terraform {
source = "hashicorp/azurerm"
version = ">=3.71.0"
}
random = {
source = "hashicorp/random"
version = "~>3.0"
}
}
}
4 changes: 3 additions & 1 deletion modules/vm/README.md
Expand Up @@ -2,6 +2,7 @@

This module provisions a scaling set of GraphDB instances. It also offers basic networking.
The following variables should be set:

* graphdb_subnets
* instance_type
* lb_subnets
Expand All @@ -15,13 +16,14 @@ The following variables should be set:
* source_ssh_blocks

The following external resources should be created before this module runs:

* A resource group.
* An image.
* A virtual network with two subnets:
* A main subnet.
* A subnet for load balancers.

TODO: At the moment, the module creates static IPs for instances in the scale set.
TODO: At the moment, the module creates static IPs for instances in the scale set.
This should be changed to load balancer when the `load_balancer` module is implemented.

## How to use this module
20 changes: 18 additions & 2 deletions modules/vm/templates/entrypoint.sh.tpl
Expand Up @@ -6,6 +6,7 @@ echo "Configuring GraphDB instance"

systemctl stop graphdb

# TODO: If GraphDB is behind closed network, this would break the whole initialization...
until ping -c 1 google.com &> /dev/null; do
echo "waiting for outbound connectivity"
sleep 5
Expand All @@ -28,11 +29,13 @@ node_dns=$(hostname)
# GraphDB configuration overrides
#

secrets=$(az keyvault secret list --vault-name ${key_vault_name} --output json | jq .[].name)

# Get the license
az keyvault secret download --vault-name ${key_vault_name} --name graphdb-license --file /etc/graphdb/graphdb.license --encoding base64

# TODO: Should come from app config or be randomly generated
graphdb_cluster_token="xxxxxxxxxxxx"
# Get the cluster token
graphdb_cluster_token=$(az keyvault secret show --vault-name ${key_vault_name} --name graphdb-cluster-token | jq -rj .value | base64 -d)

# TODO: where is the vhost here?
cat << EOF > /etc/graphdb/graphdb.properties
Expand All @@ -51,6 +54,19 @@ graphdb.rpc.address=$${node_dns}:7301
graphdb.proxy.hosts=$${node_dns}:7300
EOF

# TODO: overrides for the proxy?
# Appends configuration overrides to graphdb.properties
if [[ $secrets == *"graphdb-properties"* ]]; then
az keyvault secret show --vault-name ${key_vault_name} --name graphdb-properties | jq -rj .value | base64 -d >> /etc/graphdb/graphdb.properties
fi

# Appends environment overrides to GDB_JAVA_OPTS
if [[ $secrets == *"graphdb-java-options"* ]]; then
extra_graphdb_java_options=$(az keyvault secret show --vault-name ${key_vault_name} --name graphdb-java-options | jq -rj .value | base64 -d)
# TODO: Finish this override after the image starts supporting /etc/graphdb/graphdb.env
echo $extra_graphdb_java_options
fi

# TODO: Backup cron

# TODO: Monitoring/instrumenting
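Review bot: The `graphdb_cluster_token=$(az keyvault secret show ...)` line has no failure handling: if the secret is absent or the call fails, `jq` and `base64` yield an empty string and provisioning continues with an empty token (the heredoc that consumes it lies outside the hunk, so how GraphDB treats that cannot be confirmed here). Add a guard directly after it: `[[ -n "$graphdb_cluster_token" ]] || { echo "graphdb-cluster-token not found in ${key_vault_name}" >&2; exit 1; }`. The placeholder `echo $extra_graphdb_java_options` prints a value pulled from Key Vault to stdout, which ends up in the cloud-init/console log; until `graphdb.env` support lands, log a fixed message rather than the value. The `*"graphdb-properties"*` and `*"graphdb-java-options"*` substring tests on `$secrets` also match any secret whose name merely contains those strings; `jq -r '.[].name' | grep -qx graphdb-properties` would be an exact match.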
18 changes: 18 additions & 0 deletions variables.tf
Expand Up @@ -63,6 +63,24 @@ variable "graphdb_license_path" {
type = string
}

variable "graphdb_cluster_token" {
description = "Secret token used to secure the internal GraphDB cluster communication. Will generate one if left undeclared."
type = string
default = null
}

variable "graphdb_properties_path" {
description = "Path to a local file containing GraphDB properties (graphdb.properties) that would be appended to the default in the VM."
type = string
default = null
}

variable "graphdb_java_options" {
description = "GraphDB options to pass to GraphDB with GRAPHDB_JAVA_OPTS environment variable."
type = string
default = null
}

# GraphDB VM

variable "node_count" {
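Review bot: `graphdb_cluster_token` is a secret but lacks `sensitive = true`, so a value passed via tfvars or `-var` is echoed in plan and apply output; add `sensitive = true` after `default = null`. Its description promises generation "if left undeclared", but the configuration module only generates when the value is `null` and accepts an empty string as the token, so the wording should say "if null" or the module should treat `""` as unset.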

