From e13d4b448efd7174b1b4c8723cbc8be845470c60 Mon Sep 17 00:00:00 2001 
From: clarkzjw Date: Sun, 1 Jan 2023 21:08:22 -0800 Subject: stash --- photo.jinwei.me/config/ansible.cfg | 14 ++++ photo.jinwei.me/config/inventory/aws_ec2.yaml | 7 ++ photo.jinwei.me/config/requirements.yaml | 10 +++ photo.jinwei.me/config/role.yaml | 3 + .../config/roles/debian_init/defaults/main.yaml | 1 + .../config/roles/debian_init/tasks/main.yaml | 72 ++++++++++++++++++++ photo.jinwei.me/config/roles/wordpress/Dockerfile | 5 ++ photo.jinwei.me/config/roles/wordpress/build.sh | 5 ++ .../config/roles/wordpress/defaults/main.yaml | 4 ++ .../config/roles/wordpress/tasks/main.yaml | 16 +++++ .../wordpress/templates/docker-compose.yaml.j2 | 22 ++++++ photo.jinwei.me/config/roles/wordpress/uploads.ini | 5 ++ photo.jinwei.me/config/site.yaml | 3 + photo.jinwei.me/infra/.terraform.lock.hcl | 78 +++++++++++++++++----- photo.jinwei.me/infra/data.tf | 11 +++ photo.jinwei.me/infra/keypair.tf | 4 ++ photo.jinwei.me/infra/main.tf | 74 +++++++++----------- photo.jinwei.me/infra/outputs.tf | 29 ++++++++ photo.jinwei.me/infra/rds.tf | 49 ++++++++++++++ photo.jinwei.me/infra/sg.tf | 38 +++++++++++ photo.jinwei.me/infra/variables.tf | 47 +++++++++++++ photo.jinwei.me/infra/versions.tf | 12 ++++ photo.jinwei.me/infra/vpc.tf | 29 ++++++++ 23 files changed, 479 insertions(+), 59 deletions(-) create mode 100644 photo.jinwei.me/config/ansible.cfg create mode 100644 photo.jinwei.me/config/inventory/aws_ec2.yaml create mode 100644 photo.jinwei.me/config/requirements.yaml create mode 100644 photo.jinwei.me/config/role.yaml create mode 100644 photo.jinwei.me/config/roles/debian_init/defaults/main.yaml create mode 100644 photo.jinwei.me/config/roles/debian_init/tasks/main.yaml create mode 100644 photo.jinwei.me/config/roles/wordpress/Dockerfile create mode 100755 photo.jinwei.me/config/roles/wordpress/build.sh create mode 100644 photo.jinwei.me/config/roles/wordpress/defaults/main.yaml create mode 100644 photo.jinwei.me/config/roles/wordpress/tasks/main.yaml create mode 100644 
photo.jinwei.me/config/roles/wordpress/templates/docker-compose.yaml.j2 create mode 100644 photo.jinwei.me/config/roles/wordpress/uploads.ini create mode 100644 photo.jinwei.me/config/site.yaml create mode 100644 photo.jinwei.me/infra/data.tf create mode 100644 photo.jinwei.me/infra/keypair.tf create mode 100644 photo.jinwei.me/infra/outputs.tf create mode 100644 photo.jinwei.me/infra/rds.tf create mode 100644 photo.jinwei.me/infra/sg.tf create mode 100644 photo.jinwei.me/infra/variables.tf create mode 100644 photo.jinwei.me/infra/versions.tf create mode 100644 photo.jinwei.me/infra/vpc.tf (limited to 'photo.jinwei.me')
diff --git a/photo.jinwei.me/config/ansible.cfg b/photo.jinwei.me/config/ansible.cfg new file mode 100644
index 0000000..9345045
--- /dev/null
+++ b/photo.jinwei.me/config/ansible.cfg
@@ -0,0 +1,14 @@
+[defaults]
+host_key_checking = False
+transport = ssh
+remote_user = admin
+roles_path = roles
+inventory = inventory
+force_color = True
+interpreter_python = auto_silent
+
+[connection]
+pipelining = True
+
+[privilege_escalation]
+become = True
diff --git a/photo.jinwei.me/config/inventory/aws_ec2.yaml b/photo.jinwei.me/config/inventory/aws_ec2.yaml new file mode 100644
index 0000000..c35e172
--- /dev/null
+++ b/photo.jinwei.me/config/inventory/aws_ec2.yaml
@@ -0,0 +1,7 @@
+plugin: aws_ec2
+regions:
+ - eu-central-1
+hostnames:
+ - tag:Name
+compose:
+ ansible_host: public_ip_address
diff --git a/photo.jinwei.me/config/requirements.yaml b/photo.jinwei.me/config/requirements.yaml new file mode 100644
index 0000000..5229cc7
--- /dev/null
+++ b/photo.jinwei.me/config/requirements.yaml
@@ -0,0 +1,10 @@
+---
+collections:
+ - name: amazon.aws
+ version: 3.2.0
+ - name: community.general
+ version: 4.7.0
+ - name: ansible.posix
+ version: 1.3.0
+ - name: community.docker
+ version: 3.2.1
diff --git a/photo.jinwei.me/config/role.yaml b/photo.jinwei.me/config/role.yaml new file mode 100644
index 0000000..ab3fca5
--- /dev/null
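Review bot: `host_key_checking = False` disables SSH host-key verification for every run, so a controller that connects to whatever `public_ip_address` the dynamic inventory returns will accept any key that answers, exposing the `admin` session (which then escalates via `become = True`) to an on-path attacker. Because the inventory hands out public IPs, the safer pattern is to seed known_hosts from the instance's console output (or to reach the host through SSM Session Manager) and drop this line. If the override is kept only for first contact after a rebuild, say so next to it: `# host_key_checking disabled only for first contact after a rebuild; re-enable once known_hosts is seeded`.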
+++ b/photo.jinwei.me/config/role.yaml
@@ -0,0 +1,3 @@
+- hosts: "{{ target }}"
+ roles:
+ - role: "{{ role }}"
diff --git a/photo.jinwei.me/config/roles/debian_init/defaults/main.yaml b/photo.jinwei.me/config/roles/debian_init/defaults/main.yaml new file mode 100644
index 0000000..685f0b6
--- /dev/null
+++ b/photo.jinwei.me/config/roles/debian_init/defaults/main.yaml
@@ -0,0 +1 @@
+user_home: /home/clarkzjw
diff --git a/photo.jinwei.me/config/roles/debian_init/tasks/main.yaml b/photo.jinwei.me/config/roles/debian_init/tasks/main.yaml new file mode 100644
index 0000000..19b0ed8
--- /dev/null
+++ b/photo.jinwei.me/config/roles/debian_init/tasks/main.yaml
@@ -0,0 +1,72 @@
+- name: Disable unattended-upgrades
+ ansible.builtin.systemd:
+ name: unattended-upgrades
+ state: stopped
+ enabled: false
+
+- name: install packages
+ apt:
+ update_cache: true
+ name:
+ - apt-transport-https
+ - build-essential
+ - ca-certificates
+ - mariadb-client
+ - lsb-release
+ - python3
+ - python3-dev
+ - python3-pip
+ - unzip
+ - gnupg
+ - htop
+ - curl
+ - tree
+ - zip
+ - vim
+ - zsh
+ - git
+
+- name: add user
+ user:
+ name: clarkzjw
+ shell: /usr/bin/zsh
+ home: "{{ user_home }}"
+ system: true
+
+- name: Add Docker GPG apt Key
+ apt_key:
+ url: https://download.docker.com/linux/debian/gpg
+ keyring: /etc/apt/trusted.gpg.d/docker.gpg
+ state: present
+
+- name: Add Docker Repository
+ apt_repository:
+ repo: deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/docker.gpg] https://download.docker.com/linux/debian {{ ansible_distribution_release | lower }} stable
+ state: present
+
+- name: Update apt and install docker-ce
+ apt:
+ name:
+ - docker-ce
+ - docker-ce-cli
+ - containerd.io
+ - docker-compose-plugin
+ state: latest
+ update_cache: true
+
+- name: Install Docker Module for Python
+ pip:
+ name:
+ - docker
+ - docker-compose
+
+- name: enable docker service
+ systemd:
+ name: docker
+ enabled: true
+ daemon_reload: true
+
+- name: Clean unneeded packages
+ ansible.builtin.apt:
+ autoremove: true
+ purge: true
diff --git a/photo.jinwei.me/config/roles/wordpress/Dockerfile b/photo.jinwei.me/config/roles/wordpress/Dockerfile new file mode 100644
index 0000000..34704c0
--- /dev/null
+++ b/photo.jinwei.me/config/roles/wordpress/Dockerfile
@@ -0,0 +1,5 @@
+FROM wordpress:apache
+
+RUN apt-get update -y && apt-get install -y libgmp-dev && docker-php-ext-install gmp
+
+ADD uploads.ini /usr/local/etc/php/conf.d/uploads.ini
diff --git a/photo.jinwei.me/config/roles/wordpress/build.sh b/photo.jinwei.me/config/roles/wordpress/build.sh new file mode 100755
index 0000000..55d7c0e
--- /dev/null
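Review bot: The first task stops and permanently disables `unattended-upgrades` on an internet-facing host and nothing later in the role replaces it, so OS security updates stop after provisioning; if the goal is only to avoid apt lock contention during the play, re-enable it in a final task (`state: started`, `enabled: true`), otherwise add a comment stating where patching happens instead. Separately, `keyring: /etc/apt/trusted.gpg.d/docker.gpg` drops the Docker key into the globally trusted directory, which makes the `signed-by=` scoping on the repository line a no-op because keys there are trusted for every repository; `/etc/apt/keyrings/docker.gpg` keeps it scoped (and avoids the `apt-key` path that Debian 11 deprecates). `state: latest` on the docker packages and the unpinned `pip` installs of `docker`/`docker-compose` also make the host non-reproducible, which is worth pinning given the collections in requirements.yaml are pinned.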
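Review bot: `FROM wordpress:apache` is a floating tag, so the image that build.sh pushes under a date tag is whatever that tag resolved to on that day and cannot be reproduced or audited later; pin it to a version-specific tag or an `@sha256:` digest, and bump it deliberately. The `RUN` line leaves the apt package lists in the layer; append `&& rm -rf /var/lib/apt/lists/*`. `ADD uploads.ini ...` should be `COPY uploads.ini ...`, since `ADD` also performs remote fetches and archive extraction that are not wanted for a local config file.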
+++ b/photo.jinwei.me/config/roles/wordpress/build.sh
@@ -0,0 +1,5 @@
+docker_repo=docker.io/clarkzjw
+docker_image=wordpress
+docker_image_tag=$(date -u +%Y%m%d)
+sudo docker build -t $docker_repo/$docker_image:"$docker_image_tag" .
+sudo docker push $docker_repo/$docker_image:"$docker_image_tag"
diff --git a/photo.jinwei.me/config/roles/wordpress/defaults/main.yaml b/photo.jinwei.me/config/roles/wordpress/defaults/main.yaml new file mode 100644
index 0000000..250e0a5
--- /dev/null
+++ b/photo.jinwei.me/config/roles/wordpress/defaults/main.yaml
@@ -0,0 +1,4 @@
+wordpress_image: clarkzjw/wordpress
+wordpress_image_tag: 20221211
+wordpress_port: 30080
+wordpress_home: /opt/wordpress
diff --git a/photo.jinwei.me/config/roles/wordpress/tasks/main.yaml b/photo.jinwei.me/config/roles/wordpress/tasks/main.yaml new file mode 100644
index 0000000..3835145
--- /dev/null
+++ b/photo.jinwei.me/config/roles/wordpress/tasks/main.yaml
@@ -0,0 +1,16 @@
+- name: Pull wordpress Docker image
+ community.docker.docker_image:
+ name: "{{ wordpress_image }}:{{ wordpress_image_tag }}"
+ source: pull
+
+- name: render config file
+ template:
+ src: docker-compose.yaml.j2
+ dest: "{{ wordpress_home }}/docker-compose.yaml"
+ mode: 0644
+
+- name: Start wordpress container using docker-compose
+ community.docker.docker_compose:
+ project_name: wordpress
+ project_src: "{{ wordpress_home }}"
+ register: output
diff --git a/photo.jinwei.me/config/roles/wordpress/templates/docker-compose.yaml.j2 b/photo.jinwei.me/config/roles/wordpress/templates/docker-compose.yaml.j2 new file mode 100644
index 0000000..447b80b
--- /dev/null
+++ b/photo.jinwei.me/config/roles/wordpress/templates/docker-compose.yaml.j2
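Review bot: The script has no shebang and no `set -e`, so when `docker build` fails the `docker push` on the last line still runs and publishes whatever image already carries today's tag (or fails with a misleading error). Add `#!/usr/bin/env bash` and `set -euo pipefail` as the first two lines. Tagging by date alone also means two builds on the same day silently overwrite each other in the registry; appending the git short SHA to `docker_image_tag` keeps each pushed image traceable to a source revision.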
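Review bot: The rendered `docker-compose.yaml` contains the Cloudflare tunnel token and the database password (the template fills them in from `aws_ssm` lookups), yet the `template` task writes it with `mode: 0644`, world-readable by every local account including the non-root `clarkzjw` user that `debian_init` creates. Use `mode: "0600"` with `owner: root` and `group: root`. No task creates `{{ wordpress_home }}` either, so the template step presumably fails on a fresh host unless the directory already exists; a preceding `ansible.builtin.file` task with `state: directory` and `mode: "0750"` would make the role self-contained.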
@@ -0,0 +1,22 @@
+version: '3'
+services:
+ cloudflared:
+ image: cloudflare/cloudflared
+ container_name: cloudflare-tunnel
+ network_mode: host
+ restart: always
+ command: tunnel run
+ environment:
+ - TUNNEL_TOKEN={{ lookup('aws_ssm', '/jinwei-me/cloudflare/tunnel_token') }}
+ wordpress:
+ image: "{{ wordpress_image }}:{{ wordpress_image_tag }}"
+ volumes:
+ - "{{ wordpress_home }}/wp-content:/var/www/html/wp-content"
+ restart: always
+ ports:
+ - 30081:80
+ environment:
+ - WORDPRESS_DB_HOST={{ lookup('aws_ssm', '/jinwei-me/mysql/host') }}:{{ lookup('aws_ssm', '/jinwei-me/mysql/port') }}
+ - WORDPRESS_DB_USER={{ lookup('aws_ssm', '/jinwei-me/mysql/username') }}
+ - WORDPRESS_DB_PASSWORD={{ lookup('aws_ssm', '/jinwei-me/mysql/password') }}
+ - WORDPRESS_DB_NAME={{ lookup('aws_ssm', '/jinwei-me/mysql/name') }}
diff --git a/photo.jinwei.me/config/roles/wordpress/uploads.ini b/photo.jinwei.me/config/roles/wordpress/uploads.ini new file mode 100644
index 0000000..cd6e86c
--- /dev/null
+++ b/photo.jinwei.me/config/roles/wordpress/uploads.ini
@@ -0,0 +1,5 @@
+file_uploads = On
+post_max_size = 100M
+upload_max_filesize = 100M
+memory_limit = 512M
+max_execution_time = 600
diff --git a/photo.jinwei.me/config/site.yaml b/photo.jinwei.me/config/site.yaml new file mode 100644
index 0000000..3dbcc71
--- /dev/null
+++ b/photo.jinwei.me/config/site.yaml
@@ -0,0 +1,3 @@
+- hosts: jinwei-me
+ roles:
+ - role: debian_init
diff --git a/photo.jinwei.me/infra/.terraform.lock.hcl b/photo.jinwei.me/infra/.terraform.lock.hcl
index 6007472..26d65b6 100644
--- a/photo.jinwei.me/infra/.terraform.lock.hcl
+++ b/photo.jinwei.me/infra/.terraform.lock.hcl
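Review bot: `ports: - 30081:80` publishes WordPress on every host interface, and Docker-published ports bypass host-level firewalls; the security group currently admits only port 22, but the sole intended client is cloudflared on the host network, so bind to loopback with `- 127.0.0.1:30081:80` so nothing outside the tunnel can reach the origin even if the SG is later widened. The hard-coded 30081 also disagrees with `wordpress_port: 30080` in the role defaults, which nothing references; use `{{ wordpress_port }}` in one place. Passing the database password and tunnel token as `environment` entries leaves them readable through `docker inspect` in addition to the compose file; the official wordpress image documents `WORDPRESS_DB_PASSWORD_FILE`, so a root-only 0600 secret file (or compose `secrets:`) would keep them out of container metadata. `cloudflare/cloudflared` without a tag pulls a moving `latest` on every restart and should be pinned like the wordpress image is.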
@@ -1,24 +1,66 @@ # This file is maintained automatically by "terraform init". # Manual edits may be lost in future updates. -provider "registry.terraform.io/hetznercloud/hcloud" { - version = "1.36.1" - constraints = "1.36.1" +provider "registry.terraform.io/cloudflare/cloudflare" { + version = "3.29.0" + constraints = "~> 3.29" hashes = [ - "h1:xZSvxx6aUo0oZp2uqNxi/+wqnCNEBBuu8y7GeXIO9qA=", - "zh:16558b25c7f92f187278e94e951b0ab687882b06acff5b1387f3293f27939f8c", - "zh:28fc79ac2189ff0f5e6c9535ada8f57552b6e21c978b59dc78e086c27b9e4b23", - "zh:373907f9f7f2cefa94e2d5638bf5bef3d3b17e7655dc84dd6089346c6f4f9096", - "zh:394716cd877de682a0772d660f1bdb3838c5d751eca2211105d5ede248c48c39", - "zh:3c438c6590fcc8ac65a10039b2f5ba9ee379a734cb93a59c6cf74f385d891e87", - "zh:3f777a460a62fd23b283c269f1533b3887bf0c5564581e1e96cf294e077f5a8a", - "zh:4f62967553d7ce81ec14db7685306b625970ba6640b5764dc0137675ab97af0b", - "zh:56da08f8d75f596d6f9da4f0fd16bd60d1733cabcc260e885e1d7a711d6d3d8b", - "zh:62776c885bfa8e715dba6662f1744b5251f4cdd523dd4d1e4ccb2e25489593e9", - "zh:64cbb68139aa65f95ab3e654d872f9d34ef991fbf667fc30e0f29b96b5e8b4ed", - "zh:75a4b7a73ff0a537214d12d820438b7ae7a33d660e5d793f4ae0ebe3152bff00", - "zh:7b59d72538772ada7d51eaa50c905285200b1889ab29948b533412ccdf4d18de", - "zh:b84eeaa82bf765c6dd945ae83f1a9271fa5fad53b861b18b09cb8deda67dae13", - "zh:e81c3ea971e32a6ca3fdb0cd9e644614308ab2cf2a19482dd8a109d67fe3fb6f", + "h1:iGDvVJ6kdlopyhR3ONeoh8gZWZg8+M/seP7VM7gOp1I=", + "zh:0947f7f9e0234aaeb6b5f344de4148a6379d05370937e1c255872697803c17cc", + "zh:17abb230abd852e0e4ed9921cd9aaf03336ad4a13a25b1040ed86cdbddf05123", + "zh:2ddf550dbdf5c58bbb8d14de6b2dc76627bb92787b99328300fb312c51e12d1f", + "zh:4645758bdefe52c1aa260368522aff6fcb4e508c918e9b2c263c9debd7d71684", + "zh:6047320a05d07045f7fb4b24c2540600473a94fc15a24ef99339a6690ab47dfe", + "zh:6db2d4e4bc3ab8b6107aec80a8041388c2a7722472c5efa6caf8435a453b1f33", + "zh:8b6b75a75567ae44a788128aebcbb59cebd9a9dbc4ddc1b05f4455734363d55a", + 
"zh:90c51deb4e96690ed73d8b8498d5ab2d7bb78597861bbef23fab18764371deb0", + "zh:9b0f89952afb5d00e31fb745f1ebb4ef677591ca62c002c744d23bcaa0d51e9a", + "zh:9cfe38d8ef5515d164f59b5f4ddc14bb8817051ea4efed54cb7834c66492dd79", + "zh:acf89e44b8643d52186ef5155c8889845681471abb60a933017cda9bc38d86ef", + "zh:c09205c6f1e39994c2f707cce0758a2cd16949b33566a724644593d2a616ea41", + "zh:c5412f2868592db091b91361b7a85fa3a1a97282e9e6e1c5883dd5f6b5f2e86c", + "zh:ff93702ca9a99863914718ae4214acffa1a72d481c8e1d3254ccf5930a2d7e10", + ] +} + +provider "registry.terraform.io/hashicorp/aws" { + version = "4.46.0" + constraints = ">= 3.73.0, ~> 4.46" + hashes = [ + "h1:EZB4OgvytV38JpWyye9zoMQ0bfT9yB9xSXM5NY3Lrws=", + "zh:1678e6a4bdb3d81a6713adc62ca0fdb8250c584e10c10d1daca72316e9db8df2", + "zh:329903acf86ef6072502736dff4c43c2b50f762a958f76aa924e2d74c7fca1e3", + "zh:33db8131fe0ec7e1d9f30bc9f65c2440e9c1f708d681b6062757a351f1df7ce6", + "zh:3a3b010bc393784c16f4b6cdce7f76db93d5efa323fce4920bfea9e9ba6abe44", + "zh:979e2713a5759a7483a065e149e3cb69db9225326fc0457fa3fc3a48aed0c63f", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:9efcf0067e16ad53da7504178a05eb2118770b4ae00c193c10ecad4cbfce308e", + "zh:a10655bf1b6376ab7f3e55efadf54dc70f7bd07ca11369557c312095076f9d62", + "zh:b0394dd42cbd2a718a7dd7ae0283f04769aaf8b3d52664e141da59c0171a11ab", + "zh:b958e614c2cf6d9c05a6ad5e94dc5c04b97ebfb84415da068be5a081b5ebbe24", + "zh:ba5069e624210c63ad9e633a8eb0108b21f2322bc4967ba2b82d09168c466888", + "zh:d7dfa597a17186e7f4d741dd7111849f1c0dd6f7ebc983043d8262d2fb37b408", + "zh:e8a641ca2c99f96d64fa2725875e797273984981d3e54772a2823541c44e3cd3", + "zh:f89898b7067c4246293a8007f59f5cfcac7b8dd251d39886c7a53ba596251466", + "zh:fb1e1df1d5cc208e08a850f8e84423bce080f01f5e901791c79df369d3ed52f2", + ] +} + +provider "registry.terraform.io/hashicorp/random" { + version = "3.4.3" + hashes = [ + "h1:xZGZf18JjMS06pFa4NErzANI98qi59SEcBsOcS2P2yQ=", + 
"zh:41c53ba47085d8261590990f8633c8906696fa0a3c4b384ff6a7ecbf84339752", + "zh:59d98081c4475f2ad77d881c4412c5129c56214892f490adf11c7e7a5a47de9b", + "zh:686ad1ee40b812b9e016317e7f34c0d63ef837e084dea4a1f578f64a6314ad53", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:84103eae7251384c0d995f5a257c72b0096605048f757b749b7b62107a5dccb3", + "zh:8ee974b110adb78c7cd18aae82b2729e5124d8f115d484215fd5199451053de5", + "zh:9dd4561e3c847e45de603f17fa0c01ae14cae8c4b7b4e6423c9ef3904b308dda", + "zh:bb07bb3c2c0296beba0beec629ebc6474c70732387477a65966483b5efabdbc6", + "zh:e891339e96c9e5a888727b45b2e1bb3fcbdfe0fd7c5b4396e4695459b38c8cb1", + "zh:ea4739860c24dfeaac6c100b2a2e357106a89d18751f7693f3c31ecf6a996f8d", + "zh:f0c76ac303fd0ab59146c39bc121c5d7d86f878e9a69294e29444d4c653786f8", + "zh:f143a9a5af42b38fed328a161279906759ff39ac428ebcfe55606e05e1518b93", ] } diff --git a/photo.jinwei.me/infra/data.tf b/photo.jinwei.me/infra/data.tf new file mode 100644 index 0000000..2102273 --- /dev/null +++ b/photo.jinwei.me/infra/data.tf @@ -0,0 +1,11 @@ +data "aws_ami" "debian" { + most_recent = true + owners = ["136693071363"] + + filter { + name = "name" + values = ["debian-11-amd64-*"] + } +} + +data "aws_availability_zones" "available" {} diff --git a/photo.jinwei.me/infra/keypair.tf b/photo.jinwei.me/infra/keypair.tf new file mode 100644 index 0000000..a73a0af --- /dev/null +++ b/photo.jinwei.me/infra/keypair.tf @@ -0,0 +1,4 @@ +resource "aws_key_pair" "framework" { + key_name = "framework" + public_key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILS2i5/x9r+cv2j2/SUZ2x2fgQeGnJP1I7PUHC0UdWN6 framework" +} diff --git a/photo.jinwei.me/infra/main.tf b/photo.jinwei.me/infra/main.tf index aabde19..5d3a001 100644 --- a/photo.jinwei.me/infra/main.tf +++ b/photo.jinwei.me/infra/main.tf 
@@ -1,54 +1,46 @@ -terraform { - required_providers { - hcloud = { - source = "hetznercloud/hcloud" - version = "1.36.1" - } - } -} - -variable "hcloud_token" { - sensitive = true +locals { + name = var.name } -variable "ip_range" { - default = "10.0.1.0/24" +data "aws_subnet" "ec2" { + filter { + name = "availability-zone" + values = [aws_db_instance.jinwei-me.availability_zone] + } + filter { + name = "subnet-id" + values = module.vpc.public_subnets + } } -resource "hcloud_ssh_key" "framework" { - name = "framework" - public_key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILS2i5/x9r+cv2j2/SUZ2x2fgQeGnJP1I7PUHC0UdWN6 framework" -} +resource "aws_instance" "jinwei_me" { + ami = data.aws_ami.debian.id + instance_type = var.ec2_instance_type -data "hcloud_image" "debian" { - name = "debian-11" -} + subnet_id = data.aws_subnet.ec2.id + key_name = "framework" -resource "hcloud_server" "default" { - name = "photo" - image = data.hcloud_image.debian.name - server_type = "cpx11" - location = "fsn1" - ssh_keys = [hcloud_ssh_key.framework.id] + vpc_security_group_ids = [aws_security_group.backend.id] - public_net { - ipv4_enabled = true - ipv4 = hcloud_primary_ip.primary_ip_1.id + root_block_device { + volume_type = "gp3" + // how to resize partition and file system after resizing ebs volume + // https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/recognize-expanded-volume-linux.html + volume_size = "30" + tags = { + Name = "${local.name}-root" + } } - delete_protection = false - rebuild_protection = false - firewall_ids = [hcloud_firewall.default.id] -} + tags = { + Name = local.name + } -resource "hcloud_primary_ip" "primary_ip_1" { - name = "primary_ip_test" - datacenter = "fsn1-dc14" - type = "ipv4" - assignee_type = "server" - auto_delete = true + lifecycle { + ignore_changes = [ami] + } } -resource "hcloud_firewall" "default" { - name = "default" +resource "aws_eip" "jinwei-me" { + instance = aws_instance.jinwei_me.id } 
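Review bot: The new `aws_instance` sets no `metadata_options`, so the host runs with IMDSv1 enabled; WordPress plus third-party plugins is a common SSRF target, and a single unauthenticated GET to the metadata endpoint would then expose instance metadata (and role credentials, should an instance profile be attached later — none is in this diff). Require IMDSv2 with `http_tokens = "required"`, and set `encrypted = true` on the root volume since `wp-content` uploads and the rendered compose file with secrets live on it. `key_name = "framework"` should reference `aws_key_pair.framework.key_name` so Terraform orders the key pair before the instance rather than relying on a string match. `data.aws_subnet.ec2` pins EC2 placement to the RDS instance's availability zone, which looks intentional but deserves a one-line comment.
```hcl
resource "aws_instance" "jinwei_me" {
  ami           = data.aws_ami.debian.id
  instance_type = var.ec2_instance_type

  subnet_id = data.aws_subnet.ec2.id
  # Reference the resource so the key pair is created before the instance.
  key_name = aws_key_pair.framework.key_name

  vpc_security_group_ids = [aws_security_group.backend.id]

  # Require IMDSv2: a session token is needed before metadata can be read,
  # which blocks the classic SSRF-to-metadata path from the PHP app.
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }

  root_block_device {
    volume_type = "gp3"
    volume_size = "30"
    encrypted   = true
    # … unchanged: resize comment, tags …
  }

  # … unchanged: tags, lifecycle …
}
```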
diff --git a/photo.jinwei.me/infra/outputs.tf b/photo.jinwei.me/infra/outputs.tf new file mode 100644
index 0000000..d24426f
--- /dev/null
+++ b/photo.jinwei.me/infra/outputs.tf
@@ -0,0 +1,29 @@
+output "rds_hostname" {
+ description = "RDS instance hostname"
+ value = aws_db_instance.jinwei-me.address
+}
+
+output "rds_port" {
+ description = "RDS instance port"
+ value = aws_db_instance.jinwei-me.port
+}
+
+output "rds_username" {
+ description = "RDS instance username"
+ value = aws_db_instance.jinwei-me.username
+}
+
+output "rds_password" {
+ description = "RDS instance password"
+ value = random_password.rds_password.result
+ sensitive = true
+}
+
+output "instance" {
+ description = "The main EC2 instance."
+ value = {
+ arn = aws_instance.jinwei_me.arn
+ public_ip = aws_eip.jinwei-me.public_ip
+ private_ip = aws_instance.jinwei_me.private_ip
+ }
+}
diff --git a/photo.jinwei.me/infra/rds.tf b/photo.jinwei.me/infra/rds.tf new file mode 100644
index 0000000..f596107
--- /dev/null
+++ b/photo.jinwei.me/infra/rds.tf
@@ -0,0 +1,49 @@
+resource "aws_db_parameter_group" "jinwei-me" {
+ name = var.name
+ family = var.rds_parameter_group
+}
+
+resource "aws_db_instance" "jinwei-me" {
+ identifier = var.name
+ instance_class = var.rds_instance_class
+ allocated_storage = var.rds_storage
+ engine = var.rds_engine
+ engine_version = var.rds_engine_version
+ username = var.rds_username
+ password = random_password.rds_password.result
+ port = var.rds_port
+ db_subnet_group_name = aws_db_subnet_group.jinwei-me.name
+ vpc_security_group_ids = [aws_security_group.rds.id]
+ parameter_group_name = aws_db_parameter_group.jinwei-me.name
+ publicly_accessible = true
+ skip_final_snapshot = true
+}
+
+resource "random_password" "rds_password" {
+ length = 16
+ special = false
+}
+
+resource "aws_ssm_parameter" "rds_host" {
+ name = "/${var.name}/mysql/host"
+ type = "String"
+ value = aws_db_instance.jinwei-me.address
+}
+
+resource "aws_ssm_parameter" "rds_port" {
+ name = "/${var.name}/mysql/port"
+ type = "String"
+ value = aws_db_instance.jinwei-me.port
+}
+
+resource "aws_ssm_parameter" "rds_user" {
+ name = "/${local.name}/mysql/username"
+ type = "String"
+ value = aws_db_instance.jinwei-me.username
+}
+
+resource "aws_ssm_parameter" "rds_password" {
+ name = "/${local.name}/mysql/password"
+ type = "SecureString"
+ value = random_password.rds_password.result
+}
diff --git a/photo.jinwei.me/infra/sg.tf b/photo.jinwei.me/infra/sg.tf new file mode 100644
index 0000000..4d5ecaa
--- /dev/null
+++ b/photo.jinwei.me/infra/sg.tf
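Review bot: `publicly_accessible = true` on `aws_db_instance.jinwei-me`, combined with a subnet group built from public subnets, gives the database a public endpoint that nothing here needs: the only client is the EC2 instance, and `aws_security_group_rule.db_ingress_backend` already admits just that instance's security group, so set `publicly_accessible = false` and let the endpoint resolve to a private address. `storage_encrypted` is left at its default of false, and `skip_final_snapshot = true` with no `deletion_protection` means a careless apply destroys the data with no recovery point; add `storage_encrypted = true` and `deletion_protection = true`. The compose template reads `/jinwei-me/mysql/name`, but the four `aws_ssm_parameter` resources here create only host, port, username and password — that parameter (and the tunnel token) is presumably created by hand, so either add a `db_name` on the instance with a matching parameter or document the out-of-band step. Note also that `random_password` stores the password in Terraform state, so the state backend must be treated as a secret store.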
@@ -0,0 +1,38 @@
+# EC 2
+resource "aws_security_group" "backend" {
+ name = local.name
+ vpc_id = module.vpc.vpc_id
+}
+
+resource "aws_security_group_rule" "backend_ingress_ssh" {
+ security_group_id = aws_security_group.backend.id
+ type = "ingress"
+ protocol = "tcp"
+ from_port = 22
+ to_port = 22
+ cidr_blocks = ["0.0.0.0/0"]
+}
+
+resource "aws_security_group_rule" "backend_egress_all" {
+ security_group_id = aws_security_group.backend.id
+ type = "egress"
+ protocol = "all"
+ from_port = 0
+ to_port = 0
+ cidr_blocks = ["0.0.0.0/0"]
+}
+
+# RDS
+resource "aws_security_group" "rds" {
+ name = "${local.name}-db"
+ vpc_id = module.vpc.vpc_id
+}
+
+resource "aws_security_group_rule" "db_ingress_backend" {
+ security_group_id = aws_security_group.rds.id
+ type = "ingress"
+ protocol = "tcp"
+ from_port = var.rds_port
+ to_port = var.rds_port
+ source_security_group_id = aws_security_group.backend.id
+}
diff --git a/photo.jinwei.me/infra/variables.tf b/photo.jinwei.me/infra/variables.tf new file mode 100644
index 0000000..7a62b4d
--- /dev/null
+++ b/photo.jinwei.me/infra/variables.tf
@@ -0,0 +1,47 @@
+provider "aws" {
+ region = var.region
+}
+
+variable "name" {
+ description = "Name of the service. It will be used to name EC2, and RDS instances."
+ default = "jinwei-me"
+}
+
+variable "region" {
+ default = "eu-central-1"
+ description = "AWS region"
+}
+
+# RDS
+variable "rds_instance_class" {
+ default = "db.t3.micro"
+}
+
+variable "rds_storage" {
+ default = 5
+}
+
+variable "rds_username" {
+ default = "jinweime"
+}
+
+variable "rds_engine" {
+ default = "mariadb"
+}
+
+variable "rds_engine_version" {
+ default = "10.6"
+}
+
+variable "rds_parameter_group" {
+ default = "mariadb10.6"
+}
+
+variable "rds_port" {
+ default = 33060
+}
+
+# EC 2
+variable "ec2_instance_type" {
+ default = "t3.micro"
+}
diff --git a/photo.jinwei.me/infra/versions.tf b/photo.jinwei.me/infra/versions.tf new file mode 100644
index 0000000..844ac4b
--- /dev/null
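Review bot: `backend_ingress_ssh` opens port 22 to `0.0.0.0/0`, so the one inbound rule on the host is world-reachable SSH; with key-only auth this is mostly brute-force noise, but it is still the largest exposed surface in the stack and the only thing the `admin` account is protected by. Restrict it to an operator range, e.g. `cidr_blocks = [var.admin_cidr]` with a new `admin_cidr` variable, or drop the rule and reach the instance through SSM Session Manager, which also removes the reason for `host_key_checking = False` on the Ansible side. The RDS rule is correctly scoped to the backend security group; a short comment on why the database group defines no egress would help the next reader.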
+++ b/photo.jinwei.me/infra/versions.tf
@@ -0,0 +1,12 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4.46"
+ }
+ cloudflare = {
+ source = "cloudflare/cloudflare"
+ version = "~> 3.29"
+ }
+ }
+}
diff --git a/photo.jinwei.me/infra/vpc.tf b/photo.jinwei.me/infra/vpc.tf new file mode 100644
index 0000000..0776178
--- /dev/null
+++ b/photo.jinwei.me/infra/vpc.tf
@@ -0,0 +1,29 @@
+locals {
+ cidr_block = "10.31.0.0/16"
+ subnets = cidrsubnets(local.cidr_block, 4, 4, 4, 4, 4, 4)
+ subnet_groups = chunklist(local.subnets, 3)
+}
+
+module "vpc" {
+ source = "terraform-aws-modules/vpc/aws"
+ version = "3.18.1"
+
+ name = local.name
+ cidr = local.cidr_block
+ azs = data.aws_availability_zones.available.names
+ private_subnets = local.subnet_groups[0]
+ public_subnets = local.subnet_groups[1]
+ enable_dns_hostnames = true
+ enable_dns_support = true
+ enable_nat_gateway = false
+ single_nat_gateway = true
+}
+
+resource "aws_db_subnet_group" "jinwei-me" {
+ name = var.name
+ subnet_ids = module.vpc.public_subnets
+
+ tags = {
+ Name = var.name
+ }
+}
-- cgit v1.2.3
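Review bot: `enable_nat_gateway = false` together with `single_nat_gateway = true` is contradictory — the second flag only has effect when NAT gateways are enabled, so it is a no-op here and reads as a leftover; drop `single_nat_gateway` or comment why it stays. The module also creates three private subnets that nothing consumes, while `aws_db_subnet_group.jinwei-me` is built on `module.vpc.public_subnets`; the database belongs in the private subnets (`subnet_ids = module.vpc.private_subnets`), which works without NAT because RDS needs no outbound internet path. `data.aws_subnet.ec2` in main.tf matches on the DB's availability zone, so this move presumably keeps working as long as private and public subnets cover the same AZs, which the three-by-three split here appears to do.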