README.md

File metadata and controls

221 lines (207 loc) · 32.4 KB

## Usage

```hcl
module "datagrok_cvm" {
  # We recommend specifying an exact tag as the ref argument
  source = "git@github.com:datagrok-ai/tf-module-datagrok-cvm.git//aws?ref=main"

  name                = "datagrok-cvm"
  environment         = "example"
  domain_name         = "datagrok.example"
  docker_hub_credentials = {
    create_secret = true
    user          = "exampleUser"
    password      = "examplePassword"
  }
}
```

## Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.2.0 |
| aws | >= 5.0.0 |
| null | >= 3.2.0 |
| random | >= 3.4.3 |

## Providers

| Name | Version |
|------|---------|
| aws | >= 5.0.0 |
| aws.datagrok-cloudwatch-r53-external | >= 5.0.0 |
| null | >= 3.2.0 |
| random | >= 3.4.3 |

## Modules

| Name | Source | Version |
|------|--------|---------|
| acm | registry.terraform.io/terraform-aws-modules/acm/aws | ~> 3.5.0 |
| ecs | registry.terraform.io/terraform-aws-modules/ecs/aws | ~> 4.1.1 |
| kms | registry.terraform.io/terraform-aws-modules/kms/aws | ~> 1.1.0 |
| lb_ext | registry.terraform.io/terraform-aws-modules/alb/aws | ~> 9.10.0 |
| lb_int | registry.terraform.io/terraform-aws-modules/alb/aws | ~> 9.10.0 |
| log_bucket | registry.terraform.io/terraform-aws-modules/s3-bucket/aws | ~> 3.3.0 |
| notify_slack | registry.terraform.io/terraform-aws-modules/notify-slack/aws | ~> 5.4.0 |
| sg | registry.terraform.io/terraform-aws-modules/security-group/aws | ~> 4.12.0 |
| sns_topic | registry.terraform.io/terraform-aws-modules/sns/aws | ~> 3.3.0 |
| vpc | registry.terraform.io/terraform-aws-modules/vpc/aws | ~> 5.0.0 |

## Resources

| Name | Type |
|------|------|
| aws_cloudwatch_log_group.ecs | resource |
| aws_cloudwatch_log_group.external | resource |
| aws_cloudwatch_log_resource_policy.external | resource |
| aws_cloudwatch_metric_alarm.datagrok_lb_5xx_count | resource |
| aws_cloudwatch_metric_alarm.high_cpu | resource |
| aws_cloudwatch_metric_alarm.high_ram | resource |
| aws_cloudwatch_metric_alarm.instance_count | resource |
| aws_cloudwatch_metric_alarm.jkg_task_count | resource |
| aws_cloudwatch_metric_alarm.jn_task_count | resource |
| aws_cloudwatch_metric_alarm.lb_target | resource |
| aws_cloudwatch_metric_alarm.lb_target_5xx_count | resource |
| aws_ecr_repository.ecr | resource |
| aws_ecr_repository_policy.ecr | resource |
| aws_ecs_service.jkg | resource |
| aws_ecs_service.jn | resource |
| aws_ecs_task_definition.jkg | resource |
| aws_ecs_task_definition.jn | resource |
| aws_iam_instance_profile.ec2_profile | resource |
| aws_iam_policy.docker_hub | resource |
| aws_iam_policy.ec2 | resource |
| aws_iam_policy.ecr | resource |
| aws_iam_policy.exec | resource |
| aws_iam_role.ec2 | resource |
| aws_iam_role.exec | resource |
| aws_iam_role.task | resource |
| aws_instance.ec2 | resource |
| aws_key_pair.ec2 | resource |
| aws_kms_ciphertext.slack_url | resource |
| aws_route53_query_log.external | resource |
| aws_route53_record.external | resource |
| aws_route53_record.internal | resource |
| aws_route53_zone.external | resource |
| aws_route53_zone.internal | resource |
| aws_secretsmanager_secret.docker_hub | resource |
| aws_secretsmanager_secret_version.docker_hub | resource |
| aws_service_discovery_private_dns_namespace.datagrok | resource |
| aws_service_discovery_service.jkg | resource |
| aws_service_discovery_service.jn | resource |
| aws_sns_topic_subscription.email | resource |
| null_resource.ecr_push | resource |
| random_pet.this | resource |
| random_string.lb_id | resource |
| aws_ami.aws_optimized_ecs | data source |
| aws_availability_zones.available | data source |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.external | data source |
| aws_region.current | data source |
| aws_route53_zone.external | data source |
| aws_secretsmanager_secret.jkg_secret | data source |
| aws_secretsmanager_secret_version.jkg_secret | data source |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| acm_cert_arn | ACM certificate ARN for the Datagrok endpoint. If it is not set, the certificate will be created. | string | null | no |
| acm_cert_create | Specifies if the ACM certificate should be created. | bool | true | no |
| ami_id | The AMI ID for the Datagrok EC2 instance. If it is not specified, the basic AWS ECS optimized AMI will be used. | string | null | no |
| bucket_logging | Bucket Logging object.<br>enabled - Specifies whether server access logging for the Datagrok S3 bucket is enabled. We recommend setting it to true for production stands.<br>create_log_bucket - Specifies whether the S3 log bucket will be created.<br>log_bucket - The name of the S3 logging bucket. If it is not specified, the S3 log bucket for the Datagrok S3 bucket will be created. | <pre>object({<br>  log_bucket = optional(string)<br>  create_log_bucket = bool<br>  enabled = bool<br>})</pre> | <pre>{<br>  "create_log_bucket": true,<br>  "enabled": true<br>}</pre> | no |
| cidr | The CIDR for the VPC. | string | "10.0.0.0/17" | no |
| cloudwatch_log_group_arn | The ARN of an existing CloudWatch Log Group to use with Datagrok. | string | null | no |
| cloudwatch_log_group_name | The name of the Datagrok CloudWatch Log Group. If it is not specified, the name along with the environment will be used. | string | null | no |
| create_cloudwatch_log_group | Specifies if the CloudWatch Log Group should be created. If it is set to false, cloudwatch_log_group_arn is required. | bool | true | no |
| create_route53_external_zone | Specifies if the Route53 external hosted zone for the domain should be created. If not, some other DNS service or an existing Route53 zone should be used instead. | bool | true | no |
| create_route53_internal_zone | Specifies if the Route53 internal hosted zone for the domain should be created. If it is set to false, route53_internal_zone is required. | bool | true | no |
| custom_kms_key | Specifies whether a custom KMS key should be used for encryption instead of the default. We recommend setting it to true for production stands. | bool | false | no |
| datlas_api_url | API URL of the Datagrok endpoint | string | n/a | yes |
| db_dg_login | The user for the Datagrok DB | string | "datagrok" | no |
| db_dg_password | The password for the Datagrok DB | string | n/a | yes |
| db_instance_address | The address of the Datagrok DB | string | n/a | yes |
| db_instance_port | The port of the Datagrok DB | number | n/a | yes |
| docker_hub_credentials | Docker Hub credentials to download images.<br>create_secret - Specifies if a new secret with Docker Hub credentials will be created.<br>user - Docker Hub user to access Docker Hub and download Datagrok images. Can be omitted if secret_arn is specified.<br>password - Docker Hub token to access Docker Hub and download Datagrok images. Can be omitted if secret_arn is specified.<br>secret_arn - The ARN of the AWS Secret which contains the Docker Hub token to access Docker Hub and download Datagrok images. If not specified, the secret will be created using the user and password variables.<br>Either the user/password pair or the AWS Secret ARN (secret_arn) should be specified. | <pre>object({<br>  create_secret = bool<br>  password = optional(string)<br>  user = optional(string)<br>  secret_arn = optional(string)<br>})</pre> | null | no |
| docker_jkg_image | Jupyter Kernel Gateway Docker image registry location. By default the official image from Docker Hub will be used. | string | "docker.io/datagrok/jupyter_kernel_gateway" | no |
| docker_jkg_tag | Tag from the Docker registry for the Jupyter Kernel Gateway Docker image | string | "latest" | no |
| docker_jn_image | Jupyter Notebook Docker image registry location. By default the official image from Docker Hub will be used. | string | "docker.io/datagrok/jupyter_notebook" | no |
| docker_jn_tag | Tag from the Docker registry for the Jupyter Notebook Docker image | string | "latest" | no |
| domain_name | This is the name of the domain for the Datagrok endpoint. It is used for the external hosted zone in Route53 and to create ACM certificates. | string | "" | no |
| ec2_detailed_monitoring_enabled | Specifies whether Monitoring Insights for the EC2 instance are enabled. We recommend setting it to true for production stands. | bool | true | no |
| ec2_name | The name of the Datagrok EC2 instance. If it is not specified, the name along with the environment will be used. | string | null | no |
| ec2_public_access | Specifies whether the CVM EC2 machine should be in a public subnet. | bool | false | no |
| ec2_root_volume_size | Specifies the root volume size for the EC2 machine | number | 100 | no |
| ecr_enabled | Specifies whether Terraform copies images to ECR and uses it instead of `docker_<service>_image` | bool | false | no |
| ecr_image_scan_on_push | Indicates whether images are scanned after being pushed to the repository (true) or not scanned (false). | bool | true | no |
| ecr_policy_principal | List of principal ARNs which will have access to ECR. By default it is limited to the caller ARN. | list(string) | [] | no |
| ecr_principal_restrict_access | Specifies whether the restrictive ECR policy is enabled. We recommend setting it to true for production stands. | bool | false | no |
| ecs_cluster_insights | Specifies whether Monitoring Insights for the ECS cluster are enabled. We recommend setting it to true for production stands. | bool | true | no |
| ecs_launch_type | Launch type for Datagrok containers. FARGATE and EC2 are the available options. We recommend FARGATE for production stands. | string | "FARGATE" | no |
| ecs_name | The name of the ECS cluster for Datagrok. If it is not specified, the name along with the environment will be used. | string | null | no |
| egress_rules | List of egress rules to create by name | list(any) | <pre>[<br>  {<br>    "cidr_blocks": "0.0.0.0/0",<br>    "description": "Allow all outbound traffic",<br>    "from_port": 0,<br>    "protocol": "-1",<br>    "to_port": 65535<br>  }<br>]</pre> | no |
| enable_flow_logs | Enable Flow Logs for the VPC? | bool | true | no |
| enable_route53_logging | Specifies whether request logging for the Datagrok Route53 zone is enabled. We recommend setting it to true for production stands. | bool | true | no |
| environment | The environment of a stand. It will be used to name resources along with the name. | string | n/a | yes |
| flow_log_cloudwatch_log_group_name_prefix | Flow Logs CloudWatch Log Group name prefix. | string | "/aws/vpc-flow-log/" | no |
| flow_log_log_format | Flow Logs format. | string | null | no |
| gpu_enabled | Specifies whether the CVM should use a GPU. | bool | false | no |
| instance_type | EC2 instance type. The default value is the minimum recommended type. | string | "c5.xlarge" | no |
| jkg_container_cpu | The number of CPU units the Amazon ECS container agent reserves for the Jupyter Kernel Gateway container. | number | 256 | no |
| jkg_container_memory_reservation | The soft limit (in MiB) of memory to reserve for the Jupyter Kernel Gateway container. | number | 512 | no |
| jkg_cpu | Number of CPU units used by the Jupyter Kernel Gateway FARGATE task. The hard limit of CPU units to present for the task. | number | 1024 | no |
| jkg_memory | Amount (in MiB) of memory used by the Jupyter Kernel Gateway FARGATE task. The hard limit of memory (in MiB) to present to the task. | number | 3072 | no |
| jkg_secret | The Jupyter Kernel Gateway secret name | string | n/a | yes |
| jn_container_cpu | The number of CPU units the Amazon ECS container agent reserves for the Jupyter Notebook container. | number | 256 | no |
| jn_container_memory_reservation | The soft limit (in MiB) of memory to reserve for the Jupyter Notebook container. | number | 512 | no |
| jn_cpu | Number of CPU units used by the Jupyter Notebook FARGATE task. The hard limit of CPU units to present for the task. | number | 512 | no |
| jn_memory | Amount (in MiB) of memory used by the Jupyter Notebook FARGATE task. The hard limit of memory (in MiB) to present to the task. | number | 2048 | no |
| key_pair_name | Existing SSH Key Pair name for access to the EC2 instance. If not set, public_key is required. | string | null | no |
| kms_admins | https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-default-allow-administrators | list(string) | null | no |
| kms_key | The ID of the custom KMS Key to encrypt resources. | string | null | no |
| kms_owners | ARNs of who will be able to do all key operations. | list(string) | null | no |
| kms_users | https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-default-allow-users | list(string) | null | no |
| lb_access_cidr_blocks | The CIDR blocks from which access to the Datagrok load balancer is allowed. | list(string) | <pre>[<br>  "0.0.0.0/0"<br>]</pre> | no |
| lb_name | The name of the Datagrok load balancer. If it is not specified, the name along with the environment will be used. | string | null | no |
| monitoring | Monitoring object.<br>alarms_enabled - Specifies whether CloudWatch Alarms are enabled. We recommend setting it to true for production stands.<br>create_sns_topic - Specifies whether the Datagrok SNS topic should be created. If it is set to false, sns_topic_arn is required.<br>sns_topic_name - The name of the Datagrok SNS topic. If it is not specified, the name along with the environment will be used.<br>sns_topic_arn - An ARN of the custom SNS topic for CloudWatch alarms.<br>email_alerts - Specifies whether CloudWatch Alarms are forwarded to Email. We recommend setting it to true for production stands.<br>email_recipients - List of email addresses to receive CloudWatch Alarms.<br>email_alerts_datagrok - Specifies whether CloudWatch Alarms are forwarded to Datagrok Email. We recommend setting it to true for production stands.<br>slack_alerts - Specifies whether CloudWatch Alarms are forwarded to Slack. We recommend setting it to true for production stands.<br>slack_emoji - A custom emoji that will appear on Slack messages from CloudWatch alarms.<br>slack_webhook_url - The URL of the Slack webhook for CloudWatch alarm notifications.<br>slack_channel - The name of the channel in Slack for notifications from CloudWatch alarms.<br>slack_username - The username that will appear on Slack messages from CloudWatch alarms. | <pre>object({<br>  alarms_enabled = bool<br>  create_sns_topic = bool<br>  sns_topic_arn = optional(string)<br>  sns_topic_name = optional(string)<br>  email_alerts = optional(bool, true)<br>  email_recipients = optional(list(string), [])<br>  email_alerts_datagrok = bool<br>  slack_alerts = optional(bool, false)<br>  slack_emoji = optional(string)<br>  slack_webhook_url = optional(string)<br>  slack_channel = optional(string)<br>  slack_username = optional(string)<br>})</pre> | <pre>{<br>  "alarms_enabled": true,<br>  "create_sns_topic": true,<br>  "email_alerts": true,<br>  "email_alerts_datagrok": true,<br>  "slack_alerts": false<br>}</pre> | no |
| name | The name for a stand. It will be used to name resources along with the environment. | string | n/a | yes |
| private_subnet_ids | The IDs of private subnets to place resources in. Required if 'vpc_id' is specified. | list(string) | [] | no |
| public_key | SSH Public Key to create a keypair in AWS and access the EC2 instance. If not set, key_pair_name is required. | string | null | no |
| public_subnet_ids | The IDs of public subnets to place resources in. Required if 'vpc_id' is specified. | list(string) | [] | no |
| root_volume_throughput | EC2 root volume throughput. | number | null | no |
| route53_enabled | Specifies if Route53 is used for DNS. | bool | true | no |
| route53_internal_zone | Route53 internal hosted zone ID. If it is not set, create_route53_internal_zone is required to be true. | string | null | no |
| route53_record_name | This is the name of the record in Route53 for Datagrok. If it is not set, the name along with the environment will be used. | string | null | no |
| service_discovery_namespace | Service discovery namespace for FARGATE tasks. Set 'create' to 'true' to create a new one, or set 'create' to 'false' and 'id' to an AWS Service Discovery Namespace ID to use an existing one. | <pre>object({<br>  create = bool<br>  id = optional(string)<br>})</pre> | <pre>{<br>  "create": true<br>}</pre> | no |
| subject_alternative_names | List of alternative names for the ACM certificate | list(string) | [] | no |
| tags | Key-value map of resource tags. | map(string) | {} | no |
| task_iam_policies | List of additional IAM policies to attach to tasks | list(string) | [] | no |
| termination_protection | Termination protection for the resources created by the module. | bool | true | no |
| vpc_create | Specifies if a new VPC should be created. | bool | true | no |
| vpc_id | The ID of the VPC to place resources in. If it is not specified, the VPC for Datagrok will be created. | string | null | no |
| vpc_name | The name of the VPC to place resources in. If it is not specified, the name along with the environment will be used. | string | null | no |
| vpc_single_nat_gateway | Should be true if you want to provision a single shared NAT Gateway across all of your private networks. We DO NOT recommend it for production usage. | bool | false | no |
| vpc_subnets_count | The count of subnets to create; one subnet per availability zone in the region. If there are fewer availability zones than the subnets count, the availability zones count will take precedence. We recommend a minimum of 3 for production usage. | number | 3 | no |
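A production-oriented configuration of the same module, added here as an example; it is not taken from the module's README or its authors. It turns on the inputs the table above marks as recommended for production, keeps the instance and NAT topology private, narrows load-balancer ingress, and replaces the plaintext Docker Hub user/password pair from the Usage block with a reference to an existing secret. The `var.*` references, the `<RELEASE_TAG>` placeholder, the account ID, ARNs, CIDR and e-mail address are constructed assumptions, not values from the page.

```hcl
module "datagrok_cvm" {
  # Pin the module to a release tag rather than a moving branch such as main.
  source = "git@github.com:datagrok-ai/tf-module-datagrok-cvm.git//aws?ref=<RELEASE_TAG>"

  name        = "datagrok-cvm"
  environment = "prod"
  domain_name = "datagrok.example"

  # Required inputs; secrets come from variables, never from literals.
  datlas_api_url      = "https://datagrok.example/api"
  db_instance_address = var.db_instance_address
  db_instance_port    = 5432
  db_dg_password      = var.db_dg_password
  jkg_secret          = var.jkg_secret_name

  # Reference an existing Secrets Manager secret instead of the plaintext
  # user/password pair from the minimal usage example. Placeholder ARN.
  docker_hub_credentials = {
    create_secret = false
    secret_arn    = "arn:aws:secretsmanager:us-east-1:111122223333:secret:PLACEHOLDER"
  }

  # Mirror images into a private ECR, scan on push, restrict who can pull.
  ecr_enabled                   = true
  ecr_image_scan_on_push        = true
  ecr_principal_restrict_access = true

  # Customer-managed KMS key with explicitly named key administrators.
  custom_kms_key = true
  kms_admins     = ["arn:aws:iam::111122223333:role/PLACEHOLDER-kms-admin"]

  # Exposure: private CVM instance, one NAT gateway per AZ, and
  # load-balancer ingress limited to a constructed corporate range.
  ec2_public_access      = false
  vpc_single_nat_gateway = false
  vpc_subnets_count      = 3
  lb_access_cidr_blocks  = ["203.0.113.0/24"]

  # Audit trail and guard rails.
  enable_flow_logs       = true
  enable_route53_logging = true
  termination_protection = true
  bucket_logging = {
    enabled           = true
    create_log_bucket = true
  }

  monitoring = {
    alarms_enabled        = true
    create_sns_topic      = true
    email_alerts          = true
    email_alerts_datagrok = false
    email_recipients      = ["secops@example.com"]
  }
}
```

The `ecr_policy_principal` input is left at its default, which the table states limits ECR access to the caller ARN; add explicit principal ARNs there if other roles must pull the mirrored images.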

## Outputs

| Name | Description |
|------|-------------|
| alb_external_arn | The ARN of the external Application Load Balancer |
| alb_internal_arn | The ARN of the internal Application Load Balancer |
| cloudwatch_log_group_arn | The ARN of the CloudWatch Log Group |
| cloudwatch_log_group_name | The name of the CloudWatch Log Group |
| docker_hub_secret | The ARN of the Secret for Docker Hub Authorisation |
| domain_name | This is the name of the domain for the Datagrok endpoint. It is used for the external hosted zone in Route53 and to create ACM certificates. |
| ec2_name | The EC2 instance name of a stand. |
| ecs_name | The ECS Cluster name of a stand. |
| environment | The environment of a stand. |
| full_name | The full name of a stand. |
| lb_name | The Load Balancer name of a stand. |
| log_bucket | The ID of the S3 bucket for logs |
| name | The name for a stand. |
| private_subnets | List of IDs of private subnets |
| public_subnets | List of IDs of public subnets |
| r53_record | The Route53 record for a stand. |
| route53_external_cloudwatch_log_group_arn | The ARN of the CloudWatch Log Group for the external Route53 zone |
| route53_external_cloudwatch_log_group_name | The name of the CloudWatch Log Group for the external Route53 zone |
| route53_external_zone | The ID of the Route53 public zone for Datagrok |
| route53_internal_zone | The ID of the Route53 internal zone for Datagrok |
| service_discovery_namespace | The ID of the Cloud Map namespace for Datagrok |
| sns_topic | The ARN of the SNS topic from which messages will be sent |
| sns_topic_name | The SNS Topic name of a stand. |
| vpc_cidr_block | The CIDR block of the VPC |
| vpc_flow_log_destination_arn | The ARN of the destination for VPC Flow Logs |
| vpc_flow_log_id | The ID of the Flow Log resource |
| vpc_id | The ID of the VPC |
| vpc_name | The VPC name for a stand. |