add db deps

Author: nandajavarma

.werft/installer-tests.ts

@@ -92,7 +92,7 @@ const TEST_CONFIGURATIONS: { [name: string]: TestConfig } = {
         PHASES: [
             "STANDARD_AKS_CLUSTER",
             "CERT_MANAGER",
-            "AZURE_ISSUER",
+            "CLUSTER_ISSUER",
             "EXTERNALDNS",
             "ADD_NS_RECORD",
             "GENERATE_KOTS_CONFIG",
@@ -108,13 +108,11 @@ const TEST_CONFIGURATIONS: { [name: string]: TestConfig } = {
         DESCRIPTION: "Create an EKS cluster",
         PHASES: [
             "STANDARD_GKE_CLUSTER",
+            "STANDARD_EKS_CLUSTER", // this only creates aws dependencies for now
             "CERT_MANAGER",
             "EXTERNALDNS",
-            // TODO phases are:
-            // external dns with aws
-            // 1) register domains in AWS, associate with route53
-            // 2) add the associated ns record to gcp(since we use gitpod-self-hsoted.com domain)
-            // 3) create cluster issuer with route53 as solver
+            "CLUSTER_ISSUER",
+            "ADD_NS_RECORD",
             "GENERATE_KOTS_CONFIG",
             "INSTALL_GITPOD",
             // "CHECK_INSTALLATION",
@@ -171,18 +169,18 @@ const INFRA_PHASES: { [name: string]: InfraConfig } = {
         )} db=${randomize("db", cloud)}`,
         description: `Generate KOTS Config file`,
     },
-    AZURE_ISSUER: {
-        phase: "setup-azure-cluster-issuer",
+    CLUSTER_ISSUER: {
+        phase: `setup-azure-cluster-issuer cloud=${cloud}`,
         makeTarget: "azure-issuer",
         description: "Deploys ClusterIssuer for azure",
     },
     EXTERNALDNS: {
         phase: "external-dns",
-        makeTarget: `external-dns provider=${cloud}`,
+        makeTarget: `external-dns cloud=${cloud}`,
         description: `Deploys external-dns with ${cloud} provider`,
     },
     ADD_NS_RECORD: {
-        phase: "add-ns-record",
+        phase: `add-ns-record cloud=${cloud}`,
         makeTarget: "add-ns-record",
         description: "Adds NS record for subdomain under gitpod-self-hosted.com",
     },

install/infra/terraform/eks/database.tf

@@ -0,0 +1,39 @@
+resource "aws_db_subnet_group" "gitpod_subnets" {
+  subnet_ids = data.aws_subnet_ids.subnet_ids.ids
+}
+
+resource "aws_security_group" "rdssg" {
+  name = "rdssg"
+  vpc_id = module.vpc.vpc_id
+
+  ingress {
+    from_port = 0
+    to_port = 3306
+    protocol = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port = 0
+    to_port = 0
+    protocol = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+
+resource "aws_db_instance" "gitpod" {
+  allocated_storage    = 10
+  max_allocated_storage = 100
+  engine               = "mysql"
+  engine_version       = "5.7"
+  instance_class       = "db.t3.micro"
+  vpc_security_group_ids = [ aws_security_group.rdssg.id ]
+  identifier           = "db-${var.cluster_name}"
+  name                 = "gitpod"
+  username             = "gitpod"
+  password             = "gitpod-qwat" # we can replace this with https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version
+  parameter_group_name = "default.mysql5.7"
+  skip_final_snapshot  = true
+  db_subnet_group_name = aws_db_subnet_group.gitpod_subnets.name
+  publicly_accessible  = true
+}

install/infra/terraform/eks/dns.tf

@@ -1,25 +1,51 @@
-variable "domain_name" {}
-variable "cluster_name" {}
+resource "aws_route53_zone" "gitpod" {
+  force_destroy = true
+  name = var.domain_name
 
-terraform {
-  required_providers {
-    aws = {
-        version = " ~> 3.0"
-        source = "registry.terraform.io/hashicorp/aws"
-    }
+  tags = {
+    Environment = "test"
   }
 }
 
-provider "aws" {
-  region  = "eu-west-1"
+# This creates an SSL certificate
+resource "aws_acm_certificate" "gitpod" {
+  domain_name       = var.domain_name
+  subject_alternative_names = ["*.ws.${var.domain_name}", "ws.${var.domain_name}"]
+  validation_method = "DNS"
 }
 
-resource "aws_route53_zone" "gitpod" {
-  name = var.domain_name
+# This is a DNS record for the ACM certificate validation to prove we own the domain
+#
+# This example, we make an assumption that the certificate is for a single domain name so can just use the first value of the
+# domain_validation_options.  It allows the terraform to apply without having to be targeted.
+# This is somewhat less complex than the example at https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate_validation
+# - that above example, won't apply without targeting
 
-  tags = {
-    Environment = "test"
-  }
+resource "aws_route53_record" "cert_validation" {
+  allow_overwrite = true
+  name = tolist(aws_acm_certificate.gitpod.domain_validation_options)[0].resource_record_name
+  type = tolist(aws_acm_certificate.gitpod.domain_validation_options)[0].resource_record_type
+  zone_id = "${resource.aws_route53_zone.gitpod.zone_id}"
+  records = [tolist(aws_acm_certificate.gitpod.domain_validation_options)[0].resource_record_value]
+  ttl = 60
+}
+
+resource "aws_route53_record" "cert_validation_1" {
+  allow_overwrite = true
+  name = tolist(aws_acm_certificate.gitpod.domain_validation_options)[1].resource_record_name
+  type = tolist(aws_acm_certificate.gitpod.domain_validation_options)[1].resource_record_type
+  zone_id = "${resource.aws_route53_zone.gitpod.zone_id}"
+  records = [tolist(aws_acm_certificate.gitpod.domain_validation_options)[1].resource_record_value]
+  ttl = 60
+}
+
+resource "aws_route53_record" "cert_validation_2" {
+  allow_overwrite = true
+  name = tolist(aws_acm_certificate.gitpod.domain_validation_options)[2].resource_record_name
+  type = tolist(aws_acm_certificate.gitpod.domain_validation_options)[2].resource_record_type
+  zone_id = "${resource.aws_route53_zone.gitpod.zone_id}"
+  records = [tolist(aws_acm_certificate.gitpod.domain_validation_options)[2].resource_record_value]
+  ttl = 60
 }
 
 resource "aws_iam_policy" "gitpod" {
@@ -39,6 +65,15 @@ resource "aws_iam_policy" "gitpod" {
                 "arn:aws:route53:::hostedzone/*"
             ]
         },
+        {
+            Effect = "Allow",
+            Action = [
+                "route53:GetChange",
+            ],
+            Resource = [
+                "arn:aws:route53:::change/*"
+            ]
+        },
         {
             Effect = "Allow",
             Action = [
@@ -51,26 +86,20 @@ resource "aws_iam_policy" "gitpod" {
   })
 }
 
-resource "aws_iam_role" "gitpod" {
-  name = "iam-route53-${var.cluster_name}"
-
-  assume_role_policy = <<POLICY
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Principal": {
-        "Service": "ec2.amazonaws.com"
-      },
-      "Action": "sts:AssumeRole"
-    }
-  ]
+resource "aws_iam_user_policy_attachment" "test-attach" {
+  user       = aws_iam_user.edns.name
+  policy_arn = aws_iam_policy.gitpod.arn
 }
-POLICY
+
+resource "aws_iam_user" "edns" {
+  name = "${var.cluster_name}-external-dns"
+  force_destroy = true
+
+  tags = {
+    env = "test"
+  }
 }
 
-resource "aws_iam_role_policy_attachment" "route53" {
-  policy_arn = resource.aws_iam_policy.gitpod.arn
-  role       = aws_iam_role.gitpod.name
+resource "aws_iam_access_key" "edns" {
+  user = aws_iam_user.edns.name
 }

install/infra/terraform/eks/network.tf

@@ -0,0 +1,104 @@
+# get all available AZs in our region
+data "aws_availability_zones" "available_azs" {
+  state = "available"
+}
+
+# reserve Elastic IP to be used in our NAT gateway
+resource "aws_eip" "nat_gw_elastic_ip" {
+  vpc = true
+
+  tags = {
+    Name = "${var.cluster_name}-nat-eip"
+  }
+}
+
+# create VPC using the official AWS module
+module "vpc" {
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "3.14.0"
+
+  name = "${var.cluster_name}-vpc"
+  cidr = var.main_network_block
+  azs  = data.aws_availability_zones.available_azs.names
+
+  private_subnets = [
+    # this loop will create a one-line list as ["10.0.0.0/20", "10.0.16.0/20", "10.0.32.0/20", ...]
+    # with a length depending on how many Zones are available
+    for zone_id in data.aws_availability_zones.available_azs.zone_ids :
+    cidrsubnet(var.main_network_block, var.subnet_prefix_extension, tonumber(substr(zone_id, length(zone_id) - 1, 1)) - 1)
+  ]
+
+  public_subnets = [
+    # this loop will create a one-line list as ["10.0.128.0/20", "10.0.144.0/20", "10.0.160.0/20", ...]
+    # with a length depending on how many Zones are available
+    # there is a zone Offset variable, to make sure no collisions are present with private subnet blocks
+    for zone_id in data.aws_availability_zones.available_azs.zone_ids :
+    cidrsubnet(var.main_network_block, var.subnet_prefix_extension, tonumber(substr(zone_id, length(zone_id) - 1, 1)) + var.zone_offset - 1)
+  ]
+
+  # enable single NAT Gateway to save some money
+  # WARNING: this could create a single point of failure, since we are creating a NAT Gateway in one AZ only
+  # feel free to change these options if you need to ensure full Availability without the need of running 'terraform apply'
+  # reference: https://registry.terraform.io/modules/terraform-aws-modules/vpc/aws/2.44.0#nat-gateway-scenarios
+  enable_nat_gateway     = true
+  single_nat_gateway     = true
+  one_nat_gateway_per_az = false
+  enable_dns_hostnames   = true
+  reuse_nat_ips          = true
+  external_nat_ip_ids    = [aws_eip.nat_gw_elastic_ip.id]
+
+  # add VPC/Subnet tags required by EKS
+  tags = {
+    "kubernetes.io/cluster/${var.cluster_name}" = "shared"
+  }
+  public_subnet_tags = {
+    "kubernetes.io/cluster/${var.cluster_name}" = "shared"
+    "kubernetes.io/role/elb"                    = "1"
+  }
+  private_subnet_tags = {
+    "kubernetes.io/cluster/${var.cluster_name}" = "shared"
+    "kubernetes.io/role/internal-elb"           = "1"
+  }
+}
+
+# create security group to be used later by the ingress ALB
+resource "aws_security_group" "alb" {
+  name   = "${var.cluster_name}-alb"
+  vpc_id = module.vpc.vpc_id
+
+  ingress {
+    description      = "http"
+    from_port        = 80
+    to_port          = 80
+    protocol         = "tcp"
+    cidr_blocks      = ["0.0.0.0/0"]
+    ipv6_cidr_blocks = ["::/0"]
+  }
+
+  ingress {
+    description      = "https"
+    from_port        = 443
+    to_port          = 443
+    protocol         = "tcp"
+    cidr_blocks      = ["0.0.0.0/0"]
+    ipv6_cidr_blocks = ["::/0"]
+  }
+
+  egress {
+    from_port        = 0
+    to_port          = 0
+    protocol         = "-1"
+    cidr_blocks      = ["0.0.0.0/0"]
+    ipv6_cidr_blocks = ["::/0"]
+  }
+
+  tags = {
+    "Name" = "${var.cluster_name}-alb"
+  }
+}
+
+data "aws_subnet_ids" "subnet_ids" {
+  depends_on = [module.vpc]
+  vpc_id     = module.vpc.vpc_id
+
+}

install/infra/terraform/eks/output.tf

@@ -1,5 +1,3 @@
-data "aws_caller_identity" "current" {}
-
 output "external_dns_settings" {
   value = [
     {
@@ -11,20 +9,63 @@ output "external_dns_settings" {
         "value" = "eu-west-1"
     },
     {
-        "name" = "aws.roleArn",
-        "value" = resource.aws_iam_role.gitpod.arn
+        "name" = "aws.credentials.secretKey",
+        "value" = aws_iam_access_key.edns.secret
+    },
+    {
+        "name" = "aws.credentials.accessKey",
+        "value" = aws_iam_access_key.edns.id
     }
     ]
 }
 
+output "secretAccessKey" {
+    value = try("${aws_iam_access_key.edns.secret}", "")
+}
+
 output "cert_manager_issuer" {
   value = try({
         region = "eu-west-1"
-        role   = resource.aws_iam_role.gitpod.arn
-        hostedZoneID  = resource.aws_route53_zone.gitpod.zone_id
+        secretAccessKeySecretRef = {
+            name = "route53-credentials"
+            key = "secret-access-key"
+        }
+
+        hostedZoneID  = aws_route53_zone.gitpod.zone_id
+        accessKeyID = aws_iam_access_key.edns.id
   }, {})
 }
 
 output "domain_nameservers" {
-  value = resource.aws_route53_zone.gitpod.name_servers
+  value = formatlist("%s.", resource.aws_route53_zone.gitpod.name_servers)
+}
+
+output "database" {
+  sensitive = true
+  value = try({
+    host     = "${aws_db_instance.gitpod.address}"
+    password = "gitpod-qwat" # FIXME hardcoded at this point
+    port     = 3306
+    username = "${aws_db_instance.gitpod.username}"
+  }, {})
+}
+
+output "registry" {
+  sensitive = true
+  value = try({
+    server  = data.aws_ecr_authorization_token.gitpod.proxy_endpoint
+    username = data.aws_ecr_authorization_token.gitpod.user_name
+    password = data.aws_ecr_authorization_token.gitpod.password
+  }, {})
+}
+
+output "storage" {
+  sensitive = true
+  value = try({
+    access_key_id     = aws_iam_access_key.bucket_storage_user.id
+    secret_access_key = aws_iam_access_key.bucket_storage_user.secret
+    region            = aws_s3_bucket.gitpod-storage.region
+    bucket_name       = aws_s3_bucket.gitpod-storage.id
+    endpoint          = "s3.amazonaws.com"
+  }, {})
 }