locals {
  # Adapter modules that exist under ./modules/providers. terraform_data.provider_guardrails
  # rejects any infrastructure_provider value that is not in this list.
  supported_providers = [
    "aws",
    "bare_metal",
  ]
}
# --- AWS provider ---
# All three skip_* switches are driven by the single variable
# var.aws_skip_credentials_validation: when it is true the provider skips credential
# validation, the STS account-id lookup and the EC2 metadata check together.
# NOTE(review): presumably intended for local/mock AWS endpoints — confirm it stays
# false for real accounts so bad credentials are rejected at plan time.
provider "aws" {
  region = var.aws_region

  skip_credentials_validation = var.aws_skip_credentials_validation
  skip_requesting_account_id  = var.aws_skip_credentials_validation
  skip_metadata_api_check     = var.aws_skip_credentials_validation
}
# --- Kubernetes provider (EKS) ---
# Provider config must live at root — Terraform limitation.
data "aws_eks_cluster" "this" {
  # Only instantiated for the aws + eks combination; otherwise the instance list is
  # empty and the kubernetes/helm providers below fall through their try() defaults.
  count = (var.compute_engine == "eks" && var.infrastructure_provider == "aws") ? 1 : 0

  name = module.provider_aws[0].eks_cluster_name
}
data "aws_eks_cluster_auth" "this" {
  # Same gating as data.aws_eks_cluster.this. The token this returns is short-lived,
  # but like any data source result it is written to the state file — treat state
  # as sensitive material.
  count = (var.compute_engine == "eks" && var.infrastructure_provider == "aws") ? 1 : 0

  name = module.provider_aws[0].eks_cluster_name
}
provider "kubernetes" {
  # one() is null when the data source has count = 0; the attribute access then
  # fails inside try() and the empty-string fallback is used, leaving the provider
  # unconfigured for non-EKS deployments.
  # NOTE(review): with host = "" the provider falls back to its own default
  # config-loading behaviour — confirm nothing under count = 0 ever uses it.
  host                   = try(one(data.aws_eks_cluster.this).endpoint, "")
  token                  = try(one(data.aws_eks_cluster_auth.this).token, "")
  cluster_ca_certificate = try(base64decode(one(data.aws_eks_cluster.this).certificate_authority[0].data), "")
}
# --- Helm provider (EKS) ---
# Mirrors kubernetes provider auth. Inert when compute_engine != "eks".
provider "helm" {
  # Identical auth material to provider "kubernetes": endpoint, CA bundle and the
  # short-lived EKS token, each falling back to "" when the data sources have count = 0.
  kubernetes {
    host                   = try(one(data.aws_eks_cluster.this).endpoint, "")
    token                  = try(one(data.aws_eks_cluster_auth.this).token, "")
    cluster_ca_certificate = try(base64decode(one(data.aws_eks_cluster.this).certificate_authority[0].data), "")
  }
}
# Pure selector module: receives the root topology variables and (presumably)
# derives feature flags from them — see ./modules/core/capabilities for outputs.
module "capabilities" {
  source = "./modules/core/capabilities"

  # Where and how
  infrastructure_provider = var.infrastructure_provider
  deployment_target       = var.deployment_target
  compute_engine          = var.compute_engine
  runtime_arch            = var.runtime_arch
  workload_mode           = var.workload_mode

  # Backing-service modes
  database_mode  = var.database_mode
  streaming_mode = var.streaming_mode
  ingress_mode   = var.ingress_mode
}
# Fail-fast validation of the root variable combination. Preconditions on a
# terraform_data resource are evaluated at plan time, so an unsupported mix of
# selectors is rejected before either provider module creates anything.
# Every condition is written as an implication: "if <mode> then <requirement>".
resource "terraform_data" "provider_guardrails" {
  input = {
    provider = var.infrastructure_provider
  }

  lifecycle {
    # --- infrastructure_provider ---
    precondition {
      condition     = contains(local.supported_providers, var.infrastructure_provider)
      error_message = "Unsupported infrastructure_provider. Implemented adapters: aws, bare_metal."
    }

    # --- ingress_mode: required material and compatible compute engines ---
    precondition {
      condition     = var.ingress_mode != "cloudflare" || var.ingress_cloudflare_origin_cert != ""
      error_message = "ingress_cloudflare_origin_cert is required when ingress_mode = cloudflare. Generate at Cloudflare dashboard > SSL/TLS > Origin Server."
    }
    precondition {
      condition     = var.ingress_mode != "cloudflare" || var.ingress_cloudflare_origin_key != ""
      error_message = "ingress_cloudflare_origin_key is required when ingress_mode = cloudflare."
    }
    precondition {
      condition     = var.ingress_mode != "caddy" || var.ingress_tls_email != ""
      error_message = "ingress_tls_email is required when ingress_mode = caddy (needed for Let's Encrypt)."
    }
    precondition {
      condition     = var.ingress_mode != "ingress_nginx" || var.ingress_tls_email != ""
      error_message = "ingress_tls_email is required when ingress_mode = ingress_nginx (needed for cert-manager)."
    }
    precondition {
      condition     = var.ingress_mode != "caddy" || contains(["ec2", "docker_compose"], var.compute_engine)
      error_message = "ingress_mode = caddy requires compute_engine = ec2 or docker_compose."
    }
    precondition {
      condition     = var.ingress_mode != "ingress_nginx" || contains(["k3s", "eks"], var.compute_engine)
      error_message = "ingress_mode = ingress_nginx requires compute_engine = k3s or eks."
    }

    # --- managed backing services exist only in the aws adapter ---
    precondition {
      condition     = var.infrastructure_provider == "aws" || var.database_mode != "managed"
      error_message = "database_mode=managed currently requires infrastructure_provider=aws."
    }
    precondition {
      condition     = var.infrastructure_provider == "aws" || var.streaming_mode != "managed"
      error_message = "streaming_mode=managed currently requires infrastructure_provider=aws."
    }

    # --- provider / compute_engine matrix ---
    precondition {
      condition     = var.infrastructure_provider != "bare_metal" || contains(["docker_compose", "k3s"], var.compute_engine)
      error_message = "bare_metal requires compute_engine=docker_compose or compute_engine=k3s."
    }
    precondition {
      condition     = var.infrastructure_provider != "aws" || contains(["ec2", "eks", "k3s"], var.compute_engine)
      error_message = "aws requires compute_engine=ec2, compute_engine=eks, or compute_engine=k3s."
    }
    precondition {
      condition     = var.compute_engine != "k3s" || var.workload_mode == "external"
      error_message = "k3s requires workload_mode=external. Use deployers/k3s/ for workload deployment."
    }

    # --- SSH material for host-based deployments ---
    precondition {
      condition     = var.compute_engine != "k3s" || var.infrastructure_provider != "aws" || var.ssh_public_key != ""
      error_message = "ssh_public_key is required when compute_engine=k3s on AWS (needed for EC2 k3s host)."
    }
    precondition {
      # A private key path is needed whenever either an ec2/k3s engine or the
      # bare_metal adapter is selected.
      condition     = var.ssh_private_key_path != "" || !(contains(["ec2", "k3s"], var.compute_engine) || var.infrastructure_provider == "bare_metal")
      error_message = "ssh_private_key_path is required for EC2, K3s, and bare metal deployments."
    }
    precondition {
      condition     = var.infrastructure_provider != "bare_metal" || var.bare_metal_host != ""
      error_message = "bare_metal_host is required when infrastructure_provider=bare_metal."
    }

    # --- secrets_mode ---
    precondition {
      condition     = var.secrets_mode != "provider" || var.infrastructure_provider == "aws"
      error_message = "secrets_mode=provider requires infrastructure_provider=aws (uses AWS Secrets Manager)."
    }
    precondition {
      condition     = var.secrets_mode != "external" || var.external_secret_store_name != ""
      error_message = "external_secret_store_name is required when secrets_mode=external."
    }
    precondition {
      condition     = var.secrets_mode != "external" || var.external_secret_key != ""
      error_message = "external_secret_key is required when secrets_mode=external."
    }
    precondition {
      # Unconditional reject: no adapter implements sops_age yet.
      condition     = var.bare_metal_secrets_encryption != "sops_age"
      error_message = "bare_metal_secrets_encryption=sops_age is not yet implemented. Use secrets_mode=external with ESO for bare_metal k3s secret management."
    }

    # --- monitoring stack ---
    precondition {
      condition     = !var.monitoring_enabled || contains(["eks", "k3s"], var.compute_engine)
      error_message = "monitoring_enabled requires compute_engine = eks or k3s."
    }
    precondition {
      condition     = !var.monitoring_enabled || !var.grafana_ingress_enabled || var.grafana_hostname != ""
      error_message = "grafana_hostname is required when monitoring_enabled and grafana_ingress_enabled are both true."
    }
    precondition {
      condition     = !var.loki_enabled || var.monitoring_enabled
      error_message = "loki_enabled requires monitoring_enabled = true."
    }
  }
}
# AWS adapter. Instantiated only when infrastructure_provider = "aws"; every other
# root variable is forwarded unchanged, so this block is a pure wiring layer.
module "provider_aws" {
  source = "./modules/providers/aws"
  count  = var.infrastructure_provider == "aws" ? 1 : 0

  # Root-level providers are passed down explicitly. kubernetes/helm carry the EKS
  # auth configured at the top of this file and fall back to "" for ec2/k3s.
  providers = {
    aws        = aws
    helm       = helm
    kubernetes = kubernetes
  }

  # Topology selectors (same set module.capabilities receives)
  project_name      = var.project_name
  aws_region        = var.aws_region
  deployment_target = var.deployment_target
  runtime_arch      = var.runtime_arch
  compute_engine    = var.compute_engine
  workload_mode     = var.workload_mode
  database_mode     = var.database_mode
  streaming_mode    = var.streaming_mode
  ingress_mode      = var.ingress_mode

  # Networking
  networking_enabled           = var.networking_enabled
  network_environment          = var.network_environment
  network_vpc_cidr             = var.network_vpc_cidr
  network_availability_zones   = var.network_availability_zones
  network_enable_nat_gateway   = var.network_enable_nat_gateway
  network_enable_vpc_endpoints = var.network_enable_vpc_endpoints

  # EC2 host / SSH
  ssh_public_key                     = var.ssh_public_key
  ssh_private_key_path               = var.ssh_private_key_path
  ec2_instance_type                  = var.ec2_instance_type
  ec2_rpc_proxy_mem_limit            = var.ec2_rpc_proxy_mem_limit
  ec2_indexer_mem_limit              = var.ec2_indexer_mem_limit
  ec2_secret_recovery_window_in_days = var.ec2_secret_recovery_window_in_days

  # k3s
  k3s_version           = var.k3s_version
  k3s_instance_type     = var.k3s_instance_type
  k3s_api_allowed_cidrs = var.k3s_api_allowed_cidrs
  k3s_worker_nodes      = var.k3s_worker_nodes

  # Postgres
  postgres_enabled                     = var.postgres_enabled
  postgres_instance_class              = var.postgres_instance_class
  postgres_engine_version              = var.postgres_engine_version
  postgres_db_name                     = var.postgres_db_name
  postgres_db_username                 = var.postgres_db_username
  postgres_backup_retention            = var.postgres_backup_retention
  postgres_manage_master_user_password = var.postgres_manage_master_user_password
  # NOTE(review): secret-bearing input — confirm the variable is declared sensitive.
  postgres_master_password = var.postgres_master_password
  postgres_force_ssl       = var.postgres_force_ssl

  # RPC Proxy
  rpc_proxy_enabled = var.rpc_proxy_enabled
  rpc_proxy_image   = var.rpc_proxy_image
  erpc_config_yaml  = var.erpc_config_yaml

  # Indexer
  indexer_enabled         = var.indexer_enabled
  indexer_image           = var.indexer_image
  indexer_rpc_url         = var.indexer_rpc_url
  indexer_storage_backend = var.indexer_storage_backend
  indexer_instances       = var.indexer_instances
  indexer_extra_env       = var.indexer_extra_env
  # NOTE(review): secret-bearing input — confirm the variable is declared sensitive.
  indexer_extra_secret_env = var.indexer_extra_secret_env
  rindexer_config_yaml     = var.rindexer_config_yaml
  rindexer_abis            = var.rindexer_abis

  # Custom Services
  custom_services = var.custom_services

  # ClickHouse BYODB
  indexer_clickhouse_url  = var.indexer_clickhouse_url
  indexer_clickhouse_user = var.indexer_clickhouse_user
  # NOTE(review): secret-bearing input — confirm the variable is declared sensitive.
  indexer_clickhouse_password = var.indexer_clickhouse_password
  indexer_clickhouse_db       = var.indexer_clickhouse_db

  # Ingress / TLS
  erpc_hostname                  = var.erpc_hostname
  ingress_tls_email              = var.ingress_tls_email
  ingress_tls_staging            = var.ingress_tls_staging
  ingress_hsts_preload           = var.ingress_hsts_preload
  ingress_request_body_max_size  = var.ingress_request_body_max_size
  ingress_cloudflare_origin_cert = var.ingress_cloudflare_origin_cert
  # NOTE(review): private key material — confirm the variable is declared sensitive.
  ingress_cloudflare_origin_key      = var.ingress_cloudflare_origin_key
  ingress_cloudflare_ssl_mode        = var.ingress_cloudflare_ssl_mode
  ingress_caddy_image                = var.ingress_caddy_image
  ingress_caddy_mem_limit            = var.ingress_caddy_mem_limit
  ingress_nginx_chart_version        = var.ingress_nginx_chart_version
  ingress_cert_manager_chart_version = var.ingress_cert_manager_chart_version
  ingress_class_name                 = var.ingress_class_name

  # Secrets
  secrets_mode               = var.secrets_mode
  secrets_manager_secret_arn = var.secrets_manager_secret_arn
  secrets_manager_kms_key_id = var.secrets_manager_kms_key_id
  external_secret_store_name = var.external_secret_store_name
  external_secret_key        = var.external_secret_key
  eso_chart_version          = var.eso_chart_version

  # Monitoring / alerting / logs
  monitoring_enabled                             = var.monitoring_enabled
  kube_prometheus_stack_version                  = var.kube_prometheus_stack_version
  grafana_admin_password_secret_name             = var.grafana_admin_password_secret_name
  grafana_ingress_enabled                        = var.grafana_ingress_enabled
  grafana_hostname                               = var.grafana_hostname
  grafana_extra_dashboards                       = var.grafana_extra_dashboards
  alertmanager_route_target                      = var.alertmanager_route_target
  alertmanager_slack_channel                     = var.alertmanager_slack_channel
  alertmanager_slack_webhook_secret_name         = var.alertmanager_slack_webhook_secret_name
  alertmanager_sns_topic_arn                     = var.alertmanager_sns_topic_arn
  alertmanager_pagerduty_routing_key_secret_name = var.alertmanager_pagerduty_routing_key_secret_name
  loki_enabled                                   = var.loki_enabled
  loki_chart_version                             = var.loki_chart_version
  loki_persistence_enabled                       = var.loki_persistence_enabled
  promtail_chart_version                         = var.promtail_chart_version
  clickhouse_metrics_url                         = var.clickhouse_metrics_url
}
# Bare-metal adapter. Instantiated only when infrastructure_provider = "bare_metal".
# Unlike provider_aws it receives no providers block and no AWS-only inputs
# (networking, Secrets Manager, EC2/k3s instance sizing).
# NOTE(review): grafana_extra_dashboards is wired to provider_aws only — confirm
# whether this module should accept it as well.
module "provider_bare_metal" {
  source = "./modules/providers/bare_metal"
  count  = var.infrastructure_provider == "bare_metal" ? 1 : 0

  # Topology selectors
  project_name   = var.project_name
  compute_engine = var.compute_engine
  workload_mode  = var.workload_mode
  ingress_mode   = var.ingress_mode

  # SSH connection to the target host (bare_metal_* variables map onto generic names)
  host_address         = var.bare_metal_host
  ssh_port             = var.bare_metal_ssh_port
  ssh_user             = var.bare_metal_ssh_user
  ssh_private_key_path = var.ssh_private_key_path

  # k3s
  k3s_version      = var.k3s_version
  k3s_worker_nodes = var.k3s_worker_nodes

  # RPC Proxy
  rpc_proxy_enabled   = var.rpc_proxy_enabled
  rpc_proxy_image     = var.rpc_proxy_image
  rpc_proxy_mem_limit = var.bare_metal_rpc_proxy_mem_limit
  erpc_config_yaml    = var.erpc_config_yaml

  # Indexer
  indexer_enabled         = var.indexer_enabled
  indexer_image           = var.indexer_image
  indexer_rpc_url         = var.indexer_rpc_url
  indexer_storage_backend = var.indexer_storage_backend
  indexer_instances       = var.indexer_instances
  indexer_mem_limit       = var.bare_metal_indexer_mem_limit
  indexer_extra_env       = var.indexer_extra_env
  # NOTE(review): secret-bearing input — confirm the variable is declared sensitive.
  indexer_extra_secret_env = var.indexer_extra_secret_env
  rindexer_config_yaml     = var.rindexer_config_yaml
  rindexer_abis            = var.rindexer_abis

  # Custom Services
  custom_services = var.custom_services

  # ClickHouse BYODB
  indexer_clickhouse_url  = var.indexer_clickhouse_url
  indexer_clickhouse_user = var.indexer_clickhouse_user
  # NOTE(review): secret-bearing input — confirm the variable is declared sensitive.
  indexer_clickhouse_password = var.indexer_clickhouse_password
  indexer_clickhouse_db       = var.indexer_clickhouse_db

  # PostgreSQL BYODB (connection URL may embed credentials — treat as sensitive)
  indexer_postgres_url = var.indexer_postgres_url

  # Ingress / TLS
  erpc_hostname                  = var.erpc_hostname
  ingress_tls_email              = var.ingress_tls_email
  ingress_tls_staging            = var.ingress_tls_staging
  ingress_hsts_preload           = var.ingress_hsts_preload
  ingress_request_body_max_size  = var.ingress_request_body_max_size
  ingress_cloudflare_origin_cert = var.ingress_cloudflare_origin_cert
  # NOTE(review): private key material — confirm the variable is declared sensitive.
  ingress_cloudflare_origin_key      = var.ingress_cloudflare_origin_key
  ingress_cloudflare_ssl_mode        = var.ingress_cloudflare_ssl_mode
  ingress_caddy_image                = var.ingress_caddy_image
  ingress_caddy_mem_limit            = var.ingress_caddy_mem_limit
  ingress_nginx_chart_version        = var.ingress_nginx_chart_version
  ingress_cert_manager_chart_version = var.ingress_cert_manager_chart_version
  ingress_class_name                 = var.ingress_class_name

  # Secrets (external store via ESO only; no Secrets Manager inputs here)
  secrets_mode               = var.secrets_mode
  external_secret_store_name = var.external_secret_store_name
  external_secret_key        = var.external_secret_key
  eso_chart_version          = var.eso_chart_version

  # Monitoring / alerting / logs
  monitoring_enabled                             = var.monitoring_enabled
  kube_prometheus_stack_version                  = var.kube_prometheus_stack_version
  grafana_admin_password_secret_name             = var.grafana_admin_password_secret_name
  grafana_ingress_enabled                        = var.grafana_ingress_enabled
  grafana_hostname                               = var.grafana_hostname
  alertmanager_route_target                      = var.alertmanager_route_target
  alertmanager_slack_channel                     = var.alertmanager_slack_channel
  alertmanager_slack_webhook_secret_name         = var.alertmanager_slack_webhook_secret_name
  alertmanager_sns_topic_arn                     = var.alertmanager_sns_topic_arn
  alertmanager_pagerduty_routing_key_secret_name = var.alertmanager_pagerduty_routing_key_secret_name
  loki_enabled                                   = var.loki_enabled
  loki_chart_version                             = var.loki_chart_version
  loki_persistence_enabled                       = var.loki_persistence_enabled
  promtail_chart_version                         = var.promtail_chart_version
  clickhouse_metrics_url                         = var.clickhouse_metrics_url
}