cleanup main.tf by separating resources logically by functionality

Author: Premdeep Saini

backup.tf

@@ -0,0 +1,95 @@
+/* Resources for setting up Gitlab remote backup on Amazon S3 */
+
+resource "aws_s3_bucket" "gitlab_backup" {
+  count  = var.enable_gitlab_backup_to_s3 ? 1 : 0
+  bucket = var.gitlab_backup_bucket_name
+
+  tags = merge(local.default_tags, var.additional_tags)
+
+  lifecycle {
+    precondition {
+      condition = anytrue([
+        (var.enable_gitlab_backup_to_s3 == false),
+        (var.enable_gitlab_backup_to_s3 == true && var.gitlab_backup_bucket_name != null)
+      ])
+      error_message = "Gitlab backup to S3 is set to ${var.enable_gitlab_backup_to_s3}. gitlab_backup_bucket_name is mandatory to create S3 bucket."
+    }
+  }
+}
+
+resource "aws_s3_bucket_acl" "gitlab_backup" {
+  count  = var.enable_gitlab_backup_to_s3 ? 1 : 0
+  bucket = aws_s3_bucket.gitlab_backup[0].id
+  acl    = "private"
+}
+
+data "aws_iam_policy_document" "gitlab_s3_backup" {
+  count = var.enable_gitlab_backup_to_s3 ? 1 : 0
+  statement {
+    effect = "Allow"
+    actions = [
+      "s3:AbortMultipartUpload",
+      "s3:GetBucketAcl",
+      "s3:GetBucketLocation",
+      "s3:GetObject",
+      "s3:GetObjectAcl",
+      "s3:ListBucketMultipartUploads",
+      "s3:PutObject",
+      "s3:PutObjectAcl"
+    ]
+    resources = [
+      "arn:aws:s3:::${aws_s3_bucket.gitlab_backup[0].bucket}/*"
+    ]
+  }
+  statement {
+    effect = "Allow"
+    actions = [
+      "s3:GetBucketLocation",
+      "s3:ListAllMyBuckets"
+    ]
+    resources = [
+      "*"
+    ]
+  }
+  statement {
+    effect = "Allow"
+    actions = [
+      "s3:ListBucket"
+    ]
+    resources = [
+      "arn:aws:s3:::${aws_s3_bucket.gitlab_backup[0].bucket}"
+    ]
+  }
+}
+
+resource "aws_iam_policy" "gitlab_backup" {
+  count  = var.enable_gitlab_backup_to_s3 ? 1 : 0
+  name   = "${local.environment_prefix}-gitlab-backup"
+  policy = data.aws_iam_policy_document.gitlab_s3_backup[0].json
+  tags = merge({
+    Name = "${local.environment_prefix}-gitlab-backup"
+  }, local.default_tags, var.additional_tags)
+}
+
+resource "aws_iam_role" "gitlab_backup" {
+  name                = "${local.environment_prefix}-gitlab-backup"
+  assume_role_policy  = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Action": "sts:AssumeRole",
+            "Principal": {
+               "Service": "ec2.amazonaws.com"
+            },
+            "Effect": "Allow",
+            "Sid": ""
+        }
+    ]
+}
+EOF
+  managed_policy_arns = var.enable_gitlab_backup_to_s3 ? [aws_iam_policy.gitlab_backup[0].arn] : []
+  tags = merge({
+    Name = "${local.environment_prefix}-gitlab-backup"
+  }, local.default_tags, var.additional_tags)
+}

config.tf

@@ -0,0 +1,68 @@
+/* Resources for management of gitlab.rb from within the terraform module itself using Ansible playbooks */
+
+locals {
+  gitlab_config_file_name            = "gitlab.rb"
+  rendered_gitlab_config_file_name   = "gitlab_rendered.rb"
+  gitlab_additional_config_file_name = "gitlab_additional.rb"
+  gitlab_config_tmp_path             = "/tmp/gitlab/gitlab_config"
+  gitlab_config_template_file_path   = "${path.module}/templates"
+  gitlab_config_file_path            = "${path.cwd}/gitlab_config"
+  gitlab_config_playbook_file        = "${path.module}/playbooks/gitlab_setup.yaml"
+  gitlab_complete_url                = join("", tolist(["https://", values(module.records.route53_record_name)[0]]))
+}
+
+data "template_file" "gitlab_config_template" {
+  template = join("\n", [
+    file("${local.gitlab_config_template_file_path}/postgres.tftpl"),
+    file("${local.gitlab_config_template_file_path}/redis.tftpl"),
+    file("${local.gitlab_config_template_file_path}/nginx.tftpl"),
+    file("${local.gitlab_config_template_file_path}/rails.tftpl"),
+    var.create_ses_identity ? file("${local.gitlab_config_template_file_path}/smtp.tftpl") : "",
+  ])
+  vars = merge({
+    gitlab_url                   = local.gitlab_complete_url,
+    gitlab_db_name               = module.gitlab_pg.db_instance_name,
+    gitlab_db_username           = module.gitlab_pg.db_instance_username,
+    gitlab_db_password           = module.gitlab_pg.db_instance_password,
+    gitlab_db_host               = module.gitlab_pg.db_instance_address,
+    gitlab_redis_host            = aws_elasticache_cluster.gitlab_redis.cache_nodes[0].address,
+    aws_region                   = aws_s3_bucket.gitlab_backup[0].region,
+    gitlab_backup_s3_bucket_name = aws_s3_bucket.gitlab_backup[0].bucket
+    }, var.create_ses_identity ? {
+    smtp_address  = "email-smtp.${var.aws_region}.amazonaws.com",
+    smtp_username = aws_iam_access_key.gitlab_smtp_user[0].id,
+    smtp_password = aws_iam_access_key.gitlab_smtp_user[0].ses_smtp_password_v4,
+    smtp_domain   = data.aws_route53_zone.email_domain[0].name
+  } : {})
+}
+
+resource "local_sensitive_file" "rendered_gitlab_config_file" {
+  filename = "${local.gitlab_config_tmp_path}/${local.rendered_gitlab_config_file_name}"
+  content  = data.template_file.gitlab_config_template.rendered
+}
+
+data "local_sensitive_file" "gitlab_additional_config" {
+  count    = fileexists("${local.gitlab_config_file_path}/${local.gitlab_additional_config_file_name}") ? 1 : 0
+  filename = "${local.gitlab_config_file_path}/${local.gitlab_additional_config_file_name}"
+}
+
+resource "local_sensitive_file" "gitlab_config_file" {
+  filename = "${local.gitlab_config_tmp_path}/${local.gitlab_config_file_name}"
+  content = join("\n", tolist([
+    data.template_file.gitlab_config_template.rendered,
+    data.local_sensitive_file.gitlab_additional_config != [] ? data.local_sensitive_file.gitlab_additional_config[0].content : ""
+  ]))
+}
+
+/*
+  Adding null_resource trigger on timestamp is a hack to always check the diff in the
+  config if any and apply the config changes to Gitlab.
+*/
+resource "null_resource" "gitlab_reconfigure" {
+  triggers = {
+    timestamp = timestamp()
+  }
+  provisioner "local-exec" {
+    command = "ansible-playbook -u ubuntu -i '${aws_instance.gitlab.private_ip},' --private-key ${var.private_key} -e 'instance_ip_address=${aws_instance.gitlab.private_ip} workdir=${local.gitlab_config_tmp_path} config_file=${local_sensitive_file.gitlab_config_file.filename}' ${local.gitlab_config_playbook_file}"
+  }
+}

gitlab_config_templates/gitlab-nginx.rb.tftpl

@@ -0,0 +1,99 @@
+/* Resources for Gitlab classic load balancer */
+resource "aws_security_group" "gitlab_lb" {
+  name        = "${local.environment_prefix}-gitlab-lb"
+  vpc_id      = data.aws_vpc.vpc.id
+  description = "Security group for Gitlab load balancer"
+  ingress = [
+    {
+      from_port        = 80
+      protocol         = "tcp"
+      to_port          = 80
+      cidr_blocks      = ["0.0.0.0/0"]
+      ipv6_cidr_blocks = ["::/0"]
+      prefix_list_ids  = []
+      security_groups  = []
+      self             = false
+      description      = "allow http ingress from anywhere"
+    },
+    {
+      from_port        = 443
+      protocol         = "tcp"
+      to_port          = 443
+      cidr_blocks      = ["0.0.0.0/0"]
+      ipv6_cidr_blocks = ["::/0"]
+      prefix_list_ids  = []
+      security_groups  = []
+      self             = false
+      description      = "allow https ingress from anywhere"
+    },
+    {
+      from_port        = 22
+      protocol         = "tcp"
+      to_port          = 22
+      cidr_blocks      = ["0.0.0.0/0"]
+      ipv6_cidr_blocks = ["::/0"]
+      prefix_list_ids  = []
+      security_groups  = []
+      self             = false
+      description      = "allow SSH ingress from anywhere"
+    }
+  ]
+  egress = [
+    {
+      from_port        = 0
+      protocol         = "-1"
+      to_port          = 0
+      cidr_blocks      = ["0.0.0.0/0"]
+      ipv6_cidr_blocks = ["::/0"]
+      prefix_list_ids  = []
+      security_groups  = []
+      self             = false
+      description      = "allow all egress"
+    }
+  ]
+  tags = merge({
+    Name = "${local.environment_prefix}-gitlab-lb"
+  }, local.default_tags, var.additional_tags)
+}
+
+module "elb" {
+  source          = "terraform-aws-modules/elb/aws"
+  version         = "~> 2.0"
+  name            = "${local.environment_prefix}-gitlab"
+  subnets         = var.public_subnet_ids
+  security_groups = [aws_security_group.gitlab_lb.id]
+  internal        = false
+  listener = [
+    {
+      instance_port     = 80
+      instance_protocol = "HTTP"
+      lb_port           = 80
+      lb_protocol       = "HTTP"
+    },
+    {
+      instance_port      = 80
+      instance_protocol  = "HTTP"
+      lb_port            = 443
+      lb_protocol        = "HTTPS"
+      ssl_certificate_id = var.create_acm_certificate ? module.acm.acm_certificate_arn : var.acm_certificate_arn
+    },
+    {
+      instance_port     = 22
+      instance_protocol = "TCP"
+      lb_port           = 22
+      lb_protocol       = "TCP"
+    },
+  ]
+  health_check = {
+    target              = "${var.healthcheck_protocol}:${var.healthcheck_port}${var.healthcheck_path}"
+    interval            = var.healthcheck_interval
+    healthy_threshold   = var.healthcheck_healthy_threshold
+    unhealthy_threshold = var.healthcheck_unhealthy_threshold
+    timeout             = var.healthcheck_timeout
+  }
+  number_of_instances = 1
+  instances           = tolist([aws_instance.gitlab.id])
+  tags = merge({
+    Name = "${local.environment_prefix}-gitlab"
+  }, local.default_tags, var.additional_tags)
+}