# ---------------------------------------------------------------------------------------------------------------------
# DEPLOY A COUCHBASE CLUSTER IN AWS
# This is an example of how to deploy Couchbase in AWS with all of the Couchbase services and Sync Gateway in a single
# cluster. The cluster runs on top of an Auto Scaling Group (ASG), with EBS Volumes attached, and a load balancer
# used for health checks and to distribute traffic across Sync Gateway.
# ---------------------------------------------------------------------------------------------------------------------
terraform {
  # Tested only against Terraform 0.15.x. 0.12.26 is kept as the floor because it is the first release that
  # understands required_providers entries with a "source" address, which keeps this code forwards compatible
  # with 0.15.x.
  # NOTE(review): no required_providers / provider version constraints are declared anywhere in this file, so
  # `terraform init` resolves whatever aws and template provider releases are current. Pin them for reproducible
  # plans in production.
  required_version = ">= 0.12.26"
}
# ---------------------------------------------------------------------------------------------------------------------
# DEPLOY THE COUCHBASE CLUSTER
# ---------------------------------------------------------------------------------------------------------------------
module "couchbase" {
  # In your own code, reference a pinned release via a Git URL with a ref attribute, e.g.:
  # source = "git::[email protected]:gruntwork-io/terraform-aws-couchbase.git//modules/couchbase-cluster?ref=v0.0.1"
  source = "./modules/couchbase-cluster"

  cluster_name  = var.cluster_name
  instance_type = "t2.medium"
  ami_id        = data.template_file.ami_id.rendered
  user_data     = data.template_file.user_data_server.rendered

  # Fixed-size cluster of three nodes: the ASG replaces unhealthy nodes rather than scaling the cluster.
  min_size = 3
  max_size = 3

  vpc_id     = data.aws_vpc.default.id
  subnet_ids = data.aws_subnet_ids.default.ids

  # Two encrypted EBS Volumes per server: one for the Couchbase data directory and one for the index directory.
  ebs_block_devices = [
    {
      device_name = var.data_volume_device_name
      volume_type = "gp2"
      volume_size = 50
      encrypted   = true
    },
    {
      device_name = var.index_volume_device_name
      volume_type = "gp2"
      volume_size = 50
      encrypted   = true
    },
  ]

  # SECURITY: SSH is reachable from every IPv4 address here purely so the example is easy to test. Combined with
  # the public IPs below, this puts port 22 of every node on the Internet. In production restrict this to the
  # CIDR ranges of trusted bastion hosts or the VPC itself.
  allowed_ssh_cidr_blocks = ["0.0.0.0/0"]
  ssh_key_name            = var.ssh_key_name

  # Public IPs are assigned only so the example can be reached from a workstation. Production deployments should
  # run in private subnets with private IPs only.
  associate_public_ip_address = true

  # ELB health checks let the ASG replace a node whose Couchbase process stops answering.
  health_check_type = "ELB"

  # Example of propagating custom tags to the instances.
  tags = [
    {
      key                 = "Environment"
      value               = "development"
      propagate_at_launch = true
    },
  ]
}
# ---------------------------------------------------------------------------------------------------------------------
# THE USER DATA SCRIPT THAT WILL RUN ON EACH EC2 INSTANCE WHEN IT'S BOOTING
# This script will configure and start Couchbase and Sync Gateway
# ---------------------------------------------------------------------------------------------------------------------
data "template_file" "user_data_server" {
  template = file("${path.module}/examples/couchbase-cluster-simple/user-data/user-data.sh")

  vars = {
    cluster_asg_name = var.cluster_name
    cluster_port     = module.couchbase_security_group_rules.rest_port

    # Sync Gateway's public interface binds every address. The Admin interface is deliberately bound to loopback
    # only, because it grants admin access to ALL Sync Gateway data; keep it on 127.0.0.1 and reach it over SSH
    # if you need it.
    sync_gateway_interface       = format(":%s", module.sync_gateway_security_group_rules.interface_port)
    sync_gateway_admin_interface = format("127.0.0.1:%s", module.sync_gateway_security_group_rules.admin_interface_port)

    # EBS volume details the script needs in order to mount the data and index volumes.
    data_volume_device_name  = var.data_volume_device_name
    data_volume_mount_point  = var.data_volume_mount_point
    index_volume_device_name = var.index_volume_device_name
    index_volume_mount_point = var.index_volume_mount_point
    volume_owner             = var.volume_owner
  }
}
# ---------------------------------------------------------------------------------------------------------------------
# DEPLOY A LOAD BALANCER FOR COUCHBASE
# We use this load balancer to (1) perform health checks and (2) route traffic to the Couchbase Web Console. Note that
# we do NOT route any traffic to other Couchbase APIs/ports: https://blog.couchbase.com/couchbase-101-q-and-a/
# ---------------------------------------------------------------------------------------------------------------------
module "load_balancer" {
  # In your own code, reference a pinned release via a Git URL with a ref attribute, e.g.:
  # source = "git::[email protected]:gruntwork-io/terraform-aws-couchbase.git//modules/load-balancer?ref=v0.0.1"
  source = "./modules/load-balancer"

  name       = var.cluster_name
  vpc_id     = data.aws_vpc.default.id
  subnet_ids = data.aws_subnet_ids.default.ids

  # SECURITY: both listeners are plain HTTP, so Couchbase Web Console logins and Sync Gateway traffic cross the
  # network unencrypted. For anything beyond a throwaway test, serve these ports from
  # https_listener_ports_and_certs with a TLS certificate and leave http_listener_ports empty.
  http_listener_ports            = [var.couchbase_load_balancer_port, var.sync_gateway_load_balancer_port]
  https_listener_ports_and_certs = []

  # SECURITY: the load balancer is Internet-facing and accepts connections from any IPv4 address, again only to
  # simplify testing. In production restrict the CIDR blocks to trusted networks, or set internal = true so the
  # load balancer is reachable only from inside the VPC.
  allow_inbound_from_cidr_blocks = ["0.0.0.0/0"]
  internal                       = false

  # Sync Gateway and Couchbase Lite hold long-running connections for changes feeds, so use the maximum idle
  # timeout of 3,600 seconds (1 hour):
  # https://developer.couchbase.com/documentation/mobile/1.5/guides/sync-gateway/nginx/index.html#aws-elastic-load-balancer-elb
  idle_timeout = 3600

  tags = {
    Name = var.cluster_name
  }
}
module "couchbase_target_group" {
  # In your own code, reference a pinned release via a Git URL with a ref attribute, e.g.:
  # source = "git::[email protected]:gruntwork-io/terraform-aws-couchbase.git//modules/load-balancer-target-group?ref=v0.0.1"
  source = "./modules/load-balancer-target-group"

  target_group_name = format("%s-cb", var.cluster_name)
  vpc_id            = data.aws_vpc.default.id
  asg_name          = module.couchbase.asg_name

  # Only the REST port is routed through the load balancer; the Web Console's index page doubles as the health check.
  port              = module.couchbase_security_group_rules.rest_port
  health_check_path = "/ui/index.html"

  listener_arns                   = [module.load_balancer.http_listener_arns[var.couchbase_load_balancer_port]]
  num_listener_arns               = 1
  listener_rule_starting_priority = 100

  # The Web Console relies on web sockets, so pin each client to a single server.
  enable_stickiness = true
}
module "sync_gateway_target_group" {
  # In your own code, reference a pinned release via a Git URL with a ref attribute, e.g.:
  # source = "git::[email protected]:gruntwork-io/terraform-aws-couchbase.git//modules/load-balancer-target-group?ref=v0.0.1"
  source = "./modules/load-balancer-target-group"

  target_group_name = format("%s-sg", var.cluster_name)
  vpc_id            = data.aws_vpc.default.id
  asg_name          = module.couchbase.asg_name

  # Route the Sync Gateway public interface (never the Admin interface) and health check its root path.
  port              = module.sync_gateway_security_group_rules.interface_port
  health_check_path = "/"

  listener_arns                   = [module.load_balancer.http_listener_arns[var.sync_gateway_load_balancer_port]]
  num_listener_arns               = 1
  listener_rule_starting_priority = 100
}
# ---------------------------------------------------------------------------------------------------------------------
# CONFIGURE THE SECURITY GROUP RULES FOR COUCHBASE AND SYNC GATEWAY
# This controls which ports are exposed and who can connect to them
# ---------------------------------------------------------------------------------------------------------------------
module "couchbase_security_group_rules" {
  # In your own code, reference a pinned release via a Git URL with a ref attribute, e.g.:
  # source = "git::[email protected]:gruntwork-io/terraform-aws-couchbase.git//modules/couchbase-server-security-group-rules?ref=v0.0.1"
  source = "./modules/couchbase-server-security-group-rules"

  security_group_id = module.couchbase.security_group_id

  # SECURITY: every client-facing Couchbase port is opened to all IPv4 addresses to keep the example simple.
  # Because the nodes also get public IPs in the default VPC, this exposes the REST API/Web Console, views (capi),
  # query, full-text search and the memcached/moxi data ports directly to the Internet, with nothing in front of
  # them but Couchbase's own authentication. In production restrict each list to the CIDR ranges of the
  # application servers that actually need that port (or to the VPC CIDR), and keep the data ports off the
  # Internet entirely.
  rest_port_cidr_blocks      = ["0.0.0.0/0"]
  capi_port_cidr_blocks      = ["0.0.0.0/0"]
  query_port_cidr_blocks     = ["0.0.0.0/0"]
  fts_port_cidr_blocks       = ["0.0.0.0/0"]
  memcached_port_cidr_blocks = ["0.0.0.0/0"]
  moxi_port_cidr_blocks      = ["0.0.0.0/0"]
}
module "sync_gateway_security_group_rules" {
  # In your own code, reference a pinned release via a Git URL with a ref attribute, e.g.:
  # source = "git::[email protected]:gruntwork-io/terraform-aws-couchbase.git//modules/sync-gateway-security-group-rules?ref=v0.0.1"
  source = "./modules/sync-gateway-security-group-rules"

  security_group_id = module.couchbase.security_group_id

  # SECURITY: the Sync Gateway public interface is opened to every IPv4 address so the example can be reached
  # directly. In production allow only the load balancer's security group or trusted CIDR ranges. No CIDR list
  # is passed for the Admin interface here; it is bound to 127.0.0.1 in the user-data vars and must stay that way.
  interface_port_cidr_blocks = ["0.0.0.0/0"]
}
# ---------------------------------------------------------------------------------------------------------------------
# ATTACH IAM POLICIES TO THE CLUSTER
# These policies allow the cluster to automatically bootstrap itself
# ---------------------------------------------------------------------------------------------------------------------
module "iam_policies" {
  # In your own code, reference a pinned release via a Git URL with a ref attribute, e.g.:
  # source = "git::[email protected]:gruntwork-io/terraform-aws-couchbase.git//modules/couchbase-iam-policies?ref=v0.0.1"
  source = "./modules/couchbase-iam-policies"

  # Attach the self-bootstrap permissions to the instance role created by the couchbase-cluster module.
  # NOTE(review): the actual policy statements live inside the module, not in this file; review them for least
  # privilege before production use.
  iam_role_id = module.couchbase.iam_role_id
}
# ---------------------------------------------------------------------------------------------------------------------
# USE THE PUBLIC EXAMPLE AMIS IF VAR.AMI_ID IS NOT SPECIFIED
# We have published some example AMIs publicly that will be used if var.ami_id is not specified. This makes it easier
# to try these examples out, but we recommend you build your own AMIs for production use.
# ---------------------------------------------------------------------------------------------------------------------
data "aws_ami" "couchbase_ubuntu_example" {
  # SUPPLY CHAIN: the owners filter is what stops a look-alike public AMI from being picked up by name; never
  # drop it. most_recent = true means the selected image can change between runs, so for production set
  # var.ami_id to an image you built and pinned yourself.
  most_recent = true
  owners      = ["562637147889"] # Gruntwork

  filter {
    name   = "name"
    values = ["*couchbase-ubuntu-example*"]
  }

  filter {
    name   = "architecture"
    values = ["x86_64"]
  }

  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }

  filter {
    name   = "image-type"
    values = ["machine"]
  }
}
data "template_file" "ami_id" {
  # Prefer an explicitly supplied AMI; fall back to the public example AMI only when var.ami_id is unset (null).
  # Only null triggers the fallback; an empty string is passed through unchanged.
  template = var.ami_id != null ? var.ami_id : data.aws_ami.couchbase_ubuntu_example.id
}
# ---------------------------------------------------------------------------------------------------------------------
# DEPLOY COUCHBASE IN THE DEFAULT VPC AND SUBNETS
# Using the default VPC and subnets makes this example easy to run and test, but together with the public IPs and
# the 0.0.0.0/0 security group rules above it means the Couchbase and Sync Gateway ports opened here are reachable
# from the public Internet. For a production deployment, we strongly recommend deploying into a custom VPC with
# private subnets.
# ---------------------------------------------------------------------------------------------------------------------
data "aws_vpc" "default" {
  # Look up the account's default VPC in the current region. Its subnets are public, which is what makes the
  # example reachable from the Internet; use a purpose-built VPC with private subnets in production.
  default = true
}
data "aws_subnet_ids" "default" {
  # All subnets of the default VPC; the cluster ASG and the load balancer are spread across them.
  # NOTE(review): aws_subnet_ids is deprecated in newer AWS provider releases in favour of aws_subnets — confirm
  # against the provider version in use, which this file does not pin.
  vpc_id = data.aws_vpc.default.id
}