diff options
| author | Egor Tensin <Egor.Tensin@gmail.com> | 2023-08-04 14:18:08 +0200 |
|---|---|---|
| committer | Egor Tensin <Egor.Tensin@gmail.com> | 2023-08-04 14:18:08 +0200 |
| commit | 15b9dea7a95765f1f3c09fe0dcb2ea5b5cb669c1 (patch) | |
| tree | c0c192e00c419ade1779ae62b3aed91bbb3e8778 | |
| parent | initial commit (diff) | |
| download | infra-terraform-15b9dea7a95765f1f3c09fe0dcb2ea5b5cb669c1.tar.gz infra-terraform-15b9dea7a95765f1f3c09fe0dcb2ea5b5cb669c1.zip | |
import some common modulesv0.0.1
| -rw-r--r-- | digitalocean/data_volume/main.tf | 16 | ||||
| -rw-r--r-- | digitalocean/data_volume/outputs.tf | 3 | ||||
| -rw-r--r-- | digitalocean/data_volume/providers.tf | 8 | ||||
| -rw-r--r-- | digitalocean/data_volume/variables.tf | 14 | ||||
| -rw-r--r-- | digitalocean/domain/main.tf | 16 | ||||
| -rw-r--r-- | digitalocean/domain/providers.tf | 8 | ||||
| -rw-r--r-- | digitalocean/domain/variables.tf | 10 | ||||
| -rw-r--r-- | digitalocean/firewall/main.tf | 34 | ||||
| -rw-r--r-- | digitalocean/firewall/providers.tf | 8 | ||||
| -rw-r--r-- | digitalocean/firewall/variables.tf | 10 | ||||
| -rw-r--r-- | digitalocean/server/alerts.tf | 28 | ||||
| -rw-r--r-- | digitalocean/server/etc/cloud-init.cfg | 13 | ||||
| -rw-r--r-- | digitalocean/server/etc/sshd_config | 39 | ||||
| -rw-r--r-- | digitalocean/server/main.tf | 34 | ||||
| -rw-r--r-- | digitalocean/server/outputs.tf | 3 | ||||
| -rw-r--r-- | digitalocean/server/providers.tf | 8 | ||||
| -rw-r--r-- | digitalocean/server/variables.tf | 40 | ||||
| -rw-r--r-- | s3_state/main.tf | 44 | ||||
| -rw-r--r-- | s3_state/variables.tf | 6 |
19 files changed, 342 insertions, 0 deletions
diff --git a/digitalocean/data_volume/main.tf b/digitalocean/data_volume/main.tf new file mode 100644 index 0000000..9a58c50 --- /dev/null +++ b/digitalocean/data_volume/main.tf @@ -0,0 +1,16 @@ +resource "digitalocean_volume" "this" { + region = var.region + name = var.name + size = var.size + initial_filesystem_type = "ext4" + initial_filesystem_label = "data" + + lifecycle { + prevent_destroy = true + } +} + +resource "digitalocean_project_resources" "this" { + project = var.project_id + resources = [digitalocean_volume.this.urn] +} diff --git a/digitalocean/data_volume/outputs.tf b/digitalocean/data_volume/outputs.tf new file mode 100644 index 0000000..a0393f3 --- /dev/null +++ b/digitalocean/data_volume/outputs.tf @@ -0,0 +1,3 @@ +output "volume_id" { + value = digitalocean_volume.this.id +} diff --git a/digitalocean/data_volume/providers.tf b/digitalocean/data_volume/providers.tf new file mode 100644 index 0000000..68aba8c --- /dev/null +++ b/digitalocean/data_volume/providers.tf @@ -0,0 +1,8 @@ +terraform { + required_providers { + digitalocean = { + source = "digitalocean/digitalocean" + version = "~> 2.0" + } + } +} diff --git a/digitalocean/data_volume/variables.tf b/digitalocean/data_volume/variables.tf new file mode 100644 index 0000000..2d96a42 --- /dev/null +++ b/digitalocean/data_volume/variables.tf @@ -0,0 +1,14 @@ +variable "region" { + type = string +} +variable "project_id" { + type = string +} + +variable "name" { + type = string +} +variable "size" { + type = number + default = 10 +} diff --git a/digitalocean/domain/main.tf b/digitalocean/domain/main.tf new file mode 100644 index 0000000..a5980ea --- /dev/null +++ b/digitalocean/domain/main.tf @@ -0,0 +1,16 @@ +resource "digitalocean_domain" "this" { + name = var.name +} + +resource "digitalocean_project_resources" "domain" { + project = var.project_id + resources = [digitalocean_domain.this.urn] +} + +resource "digitalocean_record" "a" { + type = "A" + domain = digitalocean_domain.this.id + value = var.ip_address + name = "@" + ttl = 3600 +} diff --git a/digitalocean/domain/providers.tf b/digitalocean/domain/providers.tf new file mode 100644 index 0000000..68aba8c --- /dev/null +++ b/digitalocean/domain/providers.tf @@ -0,0 +1,8 @@ +terraform { + required_providers { + digitalocean = { + source = "digitalocean/digitalocean" + version = "~> 2.0" + } + } +} diff --git a/digitalocean/domain/variables.tf b/digitalocean/domain/variables.tf new file mode 100644 index 0000000..bcff122 --- /dev/null +++ b/digitalocean/domain/variables.tf @@ -0,0 +1,10 @@ +variable "project_id" { + type = string +} + +variable "name" { + type = string +} +variable "ip_address" { + type = string +} diff --git a/digitalocean/firewall/main.tf b/digitalocean/firewall/main.tf new file mode 100644 index 0000000..937a76a --- /dev/null +++ b/digitalocean/firewall/main.tf @@ -0,0 +1,34 @@ +resource "digitalocean_firewall" "this" { + name = var.name + droplet_ids = var.droplet_ids + + inbound_rule { + protocol = "icmp" + source_addresses = ["0.0.0.0/0", "::/0"] + } + outbound_rule { + protocol = "icmp" + destination_addresses = ["0.0.0.0/0", "::/0"] + } + + dynamic "inbound_rule" { + for_each = var.open_ports + + content { + protocol = "tcp" + port_range = inbound_rule.value + source_addresses = ["0.0.0.0/0", "::/0"] + } + } + + outbound_rule { + protocol = "tcp" + port_range = "1-65535" + destination_addresses = ["0.0.0.0/0", "::/0"] + } + outbound_rule { + protocol = "udp" + port_range = "1-65535" + destination_addresses = ["0.0.0.0/0", "::/0"] + } +} diff --git a/digitalocean/firewall/providers.tf b/digitalocean/firewall/providers.tf new file mode 100644 index 0000000..68aba8c --- /dev/null +++ b/digitalocean/firewall/providers.tf @@ -0,0 +1,8 @@ +terraform { + required_providers { + digitalocean = { + source = "digitalocean/digitalocean" + version = "~> 2.0" + } + } +} diff --git a/digitalocean/firewall/variables.tf b/digitalocean/firewall/variables.tf new file mode 100644 index 0000000..6512f00 --- /dev/null +++ b/digitalocean/firewall/variables.tf @@ -0,0 +1,10 @@ +variable "name" { + type = string +} +variable "open_ports" { + type = list(string) + default = ["22"] +} +variable "droplet_ids" { + type = list(string) +} diff --git a/digitalocean/server/alerts.tf b/digitalocean/server/alerts.tf new file mode 100644 index 0000000..e8a2c19 --- /dev/null +++ b/digitalocean/server/alerts.tf @@ -0,0 +1,28 @@ +data "digitalocean_account" "this" { +} + +resource "digitalocean_monitor_alert" "cpu" { + alerts { + email = [data.digitalocean_account.this.email] + } + description = "CPU utilization on ${digitalocean_droplet.this.name}" + window = "5m" + type = "v1/insights/droplet/cpu" + compare = "GreaterThan" + value = 70 + enabled = true + entities = [digitalocean_droplet.this.id] +} + +resource "digitalocean_monitor_alert" "load1" { + alerts { + email = [data.digitalocean_account.this.email] + } + description = "1-min load avg on ${digitalocean_droplet.this.name}" + window = "5m" + type = "v1/insights/droplet/load_1" + compare = "GreaterThan" + value = 5 + enabled = true + entities = [digitalocean_droplet.this.id] +} diff --git a/digitalocean/server/etc/cloud-init.cfg b/digitalocean/server/etc/cloud-init.cfg new file mode 100644 index 0000000..8ed371c --- /dev/null +++ b/digitalocean/server/etc/cloud-init.cfg @@ -0,0 +1,13 @@ +#cloud-config + +users: + - name: ${jsonencode(user)} + lock_passwd: false + hashed_passwd: '*' + sudo: ALL=(ALL) NOPASSWD:ALL + ssh_authorized_keys: ${jsonencode(ssh_keys)} + shell: /bin/bash + +write_files: + - path: /etc/ssh/sshd_config + content: ${jsonencode(sshd_config)} diff --git a/digitalocean/server/etc/sshd_config b/digitalocean/server/etc/sshd_config new file mode 100644 index 0000000..ae08408 --- /dev/null +++ b/digitalocean/server/etc/sshd_config @@ -0,0 +1,39 @@ +Protocol 2 +Port ${port} + +# Drop idle sessions: +ClientAliveCountMax 3 +ClientAliveInterval 15 + +# Allow reverse tunnels: +GatewayPorts yes + +# Miscellaneous: +PrintMotd no + +# Hardening. +# Source: https://infosec.mozilla.org/guidelines/openssh.html + +# Only Ed25519: +HostKey /etc/ssh/ssh_host_ed25519_key + +# Only the first choices for ciphers: +KexAlgorithms curve25519-sha256@libssh.org +Ciphers chacha20-poly1305@openssh.com +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com + +# No password login: +PasswordAuthentication no +AuthenticationMethods publickey +# Whitelist users: +PermitRootLogin no +AllowGroups ${join(" ", users)} + +# Log things: +Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO + +# Whitelist accepted environment variables: +AcceptEnv LANG LC_* + +# Why the fuck would I need X11 forwarding? +X11Forwarding no diff --git a/digitalocean/server/main.tf b/digitalocean/server/main.tf new file mode 100644 index 0000000..78298f4 --- /dev/null +++ b/digitalocean/server/main.tf @@ -0,0 +1,34 @@ +locals { + sshd_config = templatefile("${path.module}/etc/sshd_config", { + port = var.ssh_port + users = [var.user] + }) +} + +resource "digitalocean_droplet" "this" { + image = var.image + name = var.name + region = var.region + size = var.size + monitoring = true + ipv6 = false + vpc_uuid = var.vpc_id + user_data = templatefile("${path.module}/etc/cloud-init.cfg", { + user = var.user + ssh_keys = var.ssh_keys + sshd_config = local.sshd_config + }) + volume_ids = var.volume_ids + droplet_agent = false + graceful_shutdown = true +} + +resource "digitalocean_project_resources" "this" { + project = var.project_id + resources = [digitalocean_droplet.this.urn] +} + +resource "digitalocean_floating_ip_assignment" "this" { + ip_address = var.ip_address + droplet_id = digitalocean_droplet.this.id +} diff --git a/digitalocean/server/outputs.tf b/digitalocean/server/outputs.tf new file mode 100644 index 0000000..3d6a541 --- /dev/null +++ b/digitalocean/server/outputs.tf @@ -0,0 +1,3 @@ +output "droplet_id" { + value = digitalocean_droplet.this.id +} diff --git a/digitalocean/server/providers.tf b/digitalocean/server/providers.tf new file mode 100644 index 0000000..68aba8c --- /dev/null +++ b/digitalocean/server/providers.tf @@ -0,0 +1,8 @@ +terraform { + required_providers { + digitalocean = { + source = "digitalocean/digitalocean" + version = "~> 2.0" + } + } +} diff --git a/digitalocean/server/variables.tf b/digitalocean/server/variables.tf new file mode 100644 index 0000000..a3620fc --- /dev/null +++ b/digitalocean/server/variables.tf @@ -0,0 +1,40 @@ +variable "region" { + type = string +} +variable "project_id" { + type = string +} + +variable "name" { + type = string +} +variable "vpc_id" { + type = string +} +variable "ip_address" { + type = string +} +variable "volume_ids" { + type = list(string) + default = [] +} + +variable "user" { + type = string +} +variable "ssh_keys" { + type = list(string) +} +variable "ssh_port" { + type = string + default = "22" +} + +variable "image" { + type = string + default = "debian-12-x64" +} +variable "size" { + type = string + default = "s-1vcpu-2gb" +} diff --git a/s3_state/main.tf b/s3_state/main.tf new file mode 100644 index 0000000..1190892 --- /dev/null +++ b/s3_state/main.tf @@ -0,0 +1,44 @@ +resource "aws_s3_bucket" "state" { + bucket = var.bucket_name + + lifecycle { + prevent_destroy = true + } +} + +resource "aws_s3_bucket_versioning" "default" { + bucket = aws_s3_bucket.state.id + + versioning_configuration { + status = "Enabled" + } +} + +resource "aws_s3_bucket_server_side_encryption_configuration" "default" { + bucket = aws_s3_bucket.state.id + + rule { + apply_server_side_encryption_by_default { + sse_algorithm = "AES256" + } + } +} + +resource "aws_s3_bucket_public_access_block" "default" { + bucket = aws_s3_bucket.state.id + block_public_acls = true + block_public_policy = true + ignore_public_acls = true + restrict_public_buckets = true +} + +resource "aws_dynamodb_table" "locks" { + name = var.dynamodb_table_name + billing_mode = "PAY_PER_REQUEST" + hash_key = "LockID" + + attribute { + name = "LockID" + type = "S" + } +} diff --git a/s3_state/variables.tf b/s3_state/variables.tf new file mode 100644 index 0000000..861b754 --- /dev/null +++ b/s3_state/variables.tf @@ -0,0 +1,6 @@ +variable "bucket_name" { + type = string +} +variable "dynamodb_table_name" { + type = string +} |