From 5c12db928036bbc04278070e9d072606f6741efa Mon Sep 17 00:00:00 2001
From: Alan Scherger
Date: Thu, 25 Aug 2022 16:56:31 -0500
Subject: [PATCH 1/3] Add EBS Disk Encryption

---
 main.tf | 3 +++
 modules/docker-mirror/main.tf | 2 ++
 modules/docker-mirror/variables.tf | 12 ++++++++++++
 modules/executors/main.tf | 2 ++
 modules/executors/variables.tf | 6 ++++++
 variables.tf | 18 ++++++++++++++++++
 6 files changed, 43 insertions(+)

diff --git a/main.tf b/main.tf
index 76f3801..916f803 100644
--- a/main.tf
+++ b/main.tf
@@ -14,6 +14,8 @@ module "aws-docker-mirror" {
 machine_ami = var.docker_mirror_machine_ami
 machine_type = var.docker_mirror_machine_type
 boot_disk_size = var.docker_mirror_boot_disk_size
+ boot_disk_kms_key_id = var.docker_mirror_boot_disk_kms_key_id
+ disk_kms_key_id = var.docker_mirror_disk_kms_key_id
 static_ip = var.docker_mirror_static_ip
 ssh_access_cidr_range = var.docker_mirror_ssh_access_cidr_range
 instance_tag_prefix = var.executor_instance_tag
@@ -29,6 +31,7 @@ module "aws-executor" {
 machine_image = var.executor_machine_image
 machine_type = var.executor_machine_type
 boot_disk_size = var.executor_boot_disk_size
+ boot_disk_kms_key_id = var.executor_boot_disk_kms_key_id
 preemptible_machines = var.executor_preemptible_machines
 instance_tag = var.executor_instance_tag
 ssh_access_cidr_range = var.executor_ssh_access_cidr_range
diff --git a/modules/docker-mirror/main.tf b/modules/docker-mirror/main.tf
index 052927e..f045dd5 100644
--- a/modules/docker-mirror/main.tf
+++ b/modules/docker-mirror/main.tf
@@ -40,6 +40,7 @@ resource "aws_instance" "default" {
 volume_size = var.boot_disk_size
 volume_type = "gp3"
 encrypted = true
+ kms_key_id = var.boot_disk_kms_key_id
 }

 tags = {
@@ -65,6 +66,7 @@ resource "aws_ebs_volume" "docker-storage" {
 availability_zone = data.aws_subnet.main.availability_zone
 size = var.disk_size
 encrypted = true
+ kms_key_id = var.disk_kms_key_id
 type = "gp3"
 iops = var.disk_iops
 throughput = var.disk_throughput
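Review bot: `kms_key_id` on `aws_ebs_volume.docker-storage` is, per the AWS provider, a replace-on-change argument, so supplying a key later — or rotating to a different key — destroys and recreates the persistent mirror volume rather than re-encrypting it in place; the same appears to hold for `root_block_device.kms_key_id` on `aws_instance.default`, which would replace the instance. A comment on the new line would warn operators, e.g. `# Changing the key forces replacement of this volume (data loss); migrate via snapshot instead.`, and `lifecycle { prevent_destroy = true }` is worth considering on the storage volume if the mirror cache is expected to survive. Leaving the variable at `null` keeps the volume on the account's default `aws/ebs` key rather than unencrypted, since `encrypted = true` is unchanged, which is worth stating in the variable description. Both resource blocks continue outside the hunk.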
diff --git a/modules/docker-mirror/variables.tf b/modules/docker-mirror/variables.tf
index 144dee9..30623b1 100644
--- a/modules/docker-mirror/variables.tf
+++ b/modules/docker-mirror/variables.tf
@@ -26,6 +26,12 @@ variable "boot_disk_size" {
 description = "Docker registry mirror node disk size in GB."
 }

+variable "boot_disk_kms_key_id" {
+ type = string
+ default = null
+ description = "[Optional] The KMS Key ID for EBS volume encryption."
+}
+
 variable "disk_size" {
 type = number
 default = 64
@@ -44,6 +50,12 @@ variable "disk_throughput" {
 description = "Persistent Docker registry mirror disk throughput in MiB/s."
 }

+variable "disk_kms_key_id" {
+ type = string
+ default = null
+ description = "[Optional] The KMS Key ID for mirror disk EBS volume encryption."
+}
+
 variable "static_ip" {
 type = string
 description = "The IP to statically assign to the instance. Should be internal."
diff --git a/modules/executors/main.tf b/modules/executors/main.tf
index 1471efc..2361203 100644
--- a/modules/executors/main.tf
+++ b/modules/executors/main.tf
@@ -113,6 +113,8 @@ resource "aws_launch_template" "executor" {
 volume_type = "gp3"
 iops = var.boot_disk_iops
 throughput = var.boot_disk_throughput
+ encrypted = true
+ kms_key_id = var.boot_disk_kms_key_id
 }
 }
diff --git a/modules/executors/variables.tf b/modules/executors/variables.tf
index 2827a3b..776f958 100644
--- a/modules/executors/variables.tf
+++ b/modules/executors/variables.tf
@@ -44,6 +44,12 @@ variable "boot_disk_throughput" {
 description = "Persistent Docker registry mirror disk throughput in MiB/s."
 }

+variable "boot_disk_kms_key_id" {
+ type = string
+ default = null
+ description = "[Optional] The KMS Key ID for EBS volume encryption."
+}
+
 variable "preemptible_machines" {
 type = bool
 default = false
diff --git a/variables.tf b/variables.tf
index 9172801..22ffcfa 100644
--- a/variables.tf
+++ b/variables.tf
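Review bot: Passing a customer-managed key through `kms_key_id` in this launch template only works for instances launched by an Auto Scaling group if the `AWSServiceRoleForAutoScaling` service-linked role is allowed to use that key (via a key-policy statement or an `aws_kms_grant`); otherwise instances are terminated at launch with a KMS error, which the default `aws/ebs` path selected by `null` does not suffer. Whether this template feeds an ASG is not visible in the hunk, but if it does, the module should either create the grant itself or document the prerequisite on `boot_disk_kms_key_id`. A comment on the new line such as `# A customer-managed key must grant use to the Auto Scaling service-linked role, or launches fail.` would save an operator the debugging. The enclosing `block_device_mappings`/`ebs` blocks start outside the hunk.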
@@ -21,6 +21,18 @@ variable "docker_mirror_boot_disk_size" {
 description = "Docker registry mirror node disk size in GB."
 }

+variable "docker_mirror_boot_disk_kms_key_id" {
+ type = string
+ default = null
+ description = "[Optional] KMS Key ID for EBS boot disk encryption"
+}
+
+variable "docker_mirror_disk_kms_key_id" {
+ type = string
+ default = null
+ description = "[Optional] KMS Key ID for EBS disk encryption"
+}
+
 variable "docker_mirror_static_ip" {
 type = string
 default = "10.0.1.4"
@@ -63,6 +75,12 @@ variable "executor_boot_disk_size" {
 description = "Executor node disk size in GB"
 }

+variable "executor_boot_disk_kms_key_id" {
+ type = string
+ default = null
+ description = "[Optional] KMS Key ID for EBS boot disk encryption"
+}
+
 variable "executor_preemptible_machines" {
 type = bool
 default = false
From f47734508f01739aaa7c9e30c361a64b86661020 Mon Sep 17 00:00:00 2001
From: Alan Scherger
Date: Thu, 25 Aug 2022 16:56:48 -0500
Subject: [PATCH 2/3] Add tfenv terraform version file

---
 .terraform-version | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 .terraform-version

diff --git a/.terraform-version b/.terraform-version
new file mode 100644
index 0000000..a5e4282
--- /dev/null
+++ b/.terraform-version
@@ -0,0 +1 @@
+1.1.9
\ No newline at end of file
From 8f48a2f738a61238bf93298b7426c9136cede898 Mon Sep 17 00:00:00 2001
From: Alan Scherger
Date: Fri, 26 Aug 2022 10:50:13 -0500
Subject: [PATCH 3/3] Fix duplicate log group error for multi-executor demo

---
 .gitignore | 4 +++
 examples/multiple-executors/main.tf | 53 +++++++++++++++--------------
 modules/executors/main.tf | 1 +
 modules/executors/variables.tf | 6 ++++
 4 files changed, 39 insertions(+), 25 deletions(-)

diff --git a/.gitignore b/.gitignore
index 3dd8917..f31a307 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,6 @@
 .terraform
 plan
+terraform.tfstate
+terraform.tfstate.backup
+.terraform.lock.hcl
+tfplan
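Review bot: The three new descriptions say "KMS Key ID", but the provider documents the underlying `kms_key_id` arguments as taking a key ARN, and a key in another account can only be referenced by ARN; a bare key ID may happen to work for same-account keys but that is not what users should be told to pass. Suggest wording that states the accepted form and the default, e.g. `description = "[Optional] ARN of the KMS key used to encrypt the EBS boot disk. Defaults to the account's aws/ebs key."`, applied to all three variables. A `validation` block rejecting values that do not start with `arn:` or look like a key ID would catch typos at plan time but is optional.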
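Review bot: Ignoring `.terraform.lock.hcl` removes the provider dependency lock from version control, which is the opposite of HashiCorp's guidance: the lock file pins provider versions and their checksums, so without it each `terraform init` may resolve a different provider build and nothing verifies the binary against what was reviewed. Drop that line and commit the lock file; if this repository is treated purely as a reusable module the lock file matters less, but the root `main.tf` touched in the first patch suggests it is also applied directly. The other additions (`terraform.tfstate`, `terraform.tfstate.backup`, `tfplan`) are correct, since state and saved plans carry secrets such as the executor proxy password in plaintext.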
diff --git a/examples/multiple-executors/main.tf b/examples/multiple-executors/main.tf
index 9e128d3..f090ddd 100644
--- a/examples/multiple-executors/main.tf
+++ b/examples/multiple-executors/main.tf
@@ -1,7 +1,9 @@
 locals {
- region = "us-west-2"
- availability_zone = "us-west-2a"
- docker_mirror_static_ip = "10.0.1.4"
+ region = "us-west-2"
+ availability_zone = "us-west-2a"
+ docker_mirror_static_ip = "10.0.1.4"
+ sourcegraph_external_url = "https://sourcegraph.acme.com"
+ executor_sourcegraph_executor_proxy_password = "hunter2"
 }

 module "networking" {
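Review bot: `executor_sourcegraph_executor_proxy_password = "hunter2"` moves the shared secret that authenticates executors to the Sourcegraph instance into a plaintext `locals` entry in a committed file; a local cannot be marked sensitive, so wherever the module feeds it into a resource attribute it is also printed in plan output. Even in an example, prefer a `variable "executor_proxy_password" { type = string  sensitive = true }` supplied via `TF_VAR_executor_proxy_password` or a secrets-manager data source, so readers copy the safe pattern — and note that the value still lands in the state file, which is why ignoring `terraform.tfstate` matters. Keeping `docker_mirror_static_ip` and `sourcegraph_external_url` as locals is fine.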
@@ -25,32 +27,33 @@ module "executors-codeintel" {
 source = "sourcegraph/executors/aws//modules/executors"
 version = "3.43.0" # LATEST

- vpc_id = module.networking.vpc_id
- subnet_id = module.networking.subnet_id
- resource_prefix = "codeintel-prod"
- instance_tag = "codeintel-prod"
- sourcegraph_external_url = "https://sourcegraph.acme.com"
- sourcegraph_executor_proxy_password = "hunter2"
- queue_name = "codeintel"
- metrics_environment_label = "prod"
- docker_registry_mirror = "http://${local.docker_mirror_static_ip}:5000"
- # docker_registry_mirror_node_exporter_url = "http://${local.docker_mirror_static_ip}:9999"
- use_firecracker = true
+ vpc_id = module.networking.vpc_id
+ subnet_id = module.networking.subnet_id
+ resource_prefix = "codeintel-prod"
+ instance_tag = "codeintel-prod"
+ sourcegraph_external_url = local.sourcegraph_external_url
+ sourcegraph_executor_proxy_password = local.executor_sourcegraph_executor_proxy_password
+ queue_name = "codeintel"
+ metrics_environment_label = "prod"
+ docker_registry_mirror = "http://${local.docker_mirror_static_ip}:5000"
+ # docker_registry_mirror_node_exporter_url = "http://${local.docker_mirror_static_ip}:9999"
+ use_firecracker = true
 }

 module "executors-batches" {
 source = "sourcegraph/executors/aws//modules/executors"
 version = "3.43.0" # LATEST

- vpc_id = module.networking.vpc_id
- subnet_id = module.networking.subnet_id
- resource_prefix = "batches-prod"
- instance_tag = "batches-prod"
- sourcegraph_external_url = "https://sourcegraph.acme.com"
- sourcegraph_executor_proxy_password = "hunter2"
- queue_name = "batches"
- metrics_environment_label = "prod"
- docker_registry_mirror = "http://${local.docker_mirror_static_ip}:5000"
- # docker_registry_mirror_node_exporter_url = "http://${local.docker_mirror_static_ip}:9999"
- use_firecracker = true
+ vpc_id = module.networking.vpc_id
+ subnet_id = module.networking.subnet_id
+ resource_prefix = "batches-prod"
+ instance_tag = "batches-prod"
+ sourcegraph_external_url = local.sourcegraph_external_url
+ sourcegraph_executor_proxy_password = local.executor_sourcegraph_executor_proxy_password
+ queue_name = "batches"
+ metrics_environment_label = "prod"
+ docker_registry_mirror = "http://${local.docker_mirror_static_ip}:5000"
+ # docker_registry_mirror_node_exporter_url = "http://${local.docker_mirror_static_ip}:9999"
+ use_firecracker = true
+ need_syslogs = false
 }
diff --git a/modules/executors/main.tf b/modules/executors/main.tf
index 2361203..e112170 100644
--- a/modules/executors/main.tf
+++ b/modules/executors/main.tf
@@ -73,6 +73,7 @@ resource "aws_security_group" "metrics_access" {
 resource "aws_cloudwatch_log_group" "syslogs" {
 # TODO: This is hardcoded in the executor image.
+ count = var.need_syslogs ? 1 : 0
 name = "executors"
 retention_in_days = 7
 }
diff --git a/modules/executors/variables.tf b/modules/executors/variables.tf
index 776f958..d65ced1 100644
--- a/modules/executors/variables.tf
+++ b/modules/executors/variables.tf
@@ -188,3 +188,9 @@ variable "assign_public_ip" {
 default = true
 description = "If false, no public IP will be associated with the executors."
 }
+
+variable "need_syslogs" {
+ type = bool
+ default = true
+ description = "For multi-executor only 1 of these needs to be made."
+}
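Review bot: `need_syslogs = false` is set only on `executors-batches`, so the example works because exactly one of the two module instances still creates the shared `executors` log group; nothing guards against a third copy of the block, and destroying `executors-codeintel` alone removes the group the batches executors write to, since the TODO in modules/executors/main.tf says the name is hard-coded in the image. A comment on the new line stating the invariant, e.g. `# The "executors" log group is shared; exactly one module instance may create it.`, would keep the next copy-paste from reintroducing the duplicate-group error this commit fixes. Alternatively the example could create the log group once at the top level and set `need_syslogs = false` on both modules, which removes the ordering dependency between them.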
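Review bot: Adding `count` turns `aws_cloudwatch_log_group.syslogs` into a list, so any reference to it elsewhere in the module — an output, an IAM policy resource ARN, an agent configuration — must become `aws_cloudwatch_log_group.syslogs[0]` or `one(aws_cloudwatch_log_group.syslogs)`; none are visible in this hunk, so this needs confirming with `terraform validate`. When `need_syslogs` is false and no other instance creates the group, the executor image still ships to a group named `executors` (per the TODO line), and depending on how the agent is configured the logs are either dropped or land in an auto-created group without the 7-day retention set here, which matters for incident investigation. A comment on the new line, `# Only one module instance may own the shared "executors" group; see var.need_syslogs.`, would make the coupling explicit. The resource block is complete in the hunk; the preceding `aws_security_group` starts outside it.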
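Review bot: The description "For multi-executor only 1 of these needs to be made." does not tell a user what "these" are, which value to set, or what happens if they get it wrong. Suggest `description = "Whether this module instance creates the shared \"executors\" CloudWatch log group. Set to false on all but one instance when several executor modules run in the same account and region; otherwise the apply fails with a duplicate log group."` so the variable is self-explanatory without reading main.tf.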