diff --git a/examples/terraform/aws/eks-iam-roles.tf b/examples/terraform/aws/eks-iam-roles.tf
deleted file mode 100644
index 16bb41f..0000000
--- a/examples/terraform/aws/eks-iam-roles.tf
+++ /dev/null
@@ -1,129 +0,0 @@
-data "aws_caller_identity" "current" {}
-data "aws_partition" "current" {}
-data "tls_certificate" "cluster" {
- url = module.eks.cluster_oidc_issuer_url
-}
-
-locals {
- role_to_user_map = {
- EksAdmin = "admin",
- EksDeveloper = "developer"
- }
-
- role_map_users = [
- for role_name, user in local.role_to_user_map : {
- rolearn = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role/${role_name}"
- username = user
- groups = (user == "admin") ? ["system:masters"] : ["none"]
- }
- ]
-}
-
-resource "aws_iam_role" "admin" {
- name = "EksAdmin"
- max_session_duration = 43200
-
- assume_role_policy = jsonencode({
- Version = "2012-10-17"
- Statement = [
- {
- Action = "sts:AssumeRole"
- Effect = "Allow"
- Sid = ""
- Principal = {
- AWS = var.assume_admin_role
- }
- },
- ]
- })
-
- inline_policy {
- name = "eks_admin_policy"
-
- policy = jsonencode({
- Version = "2012-10-17"
- Statement = [
- {
- Action = ["eks:*"]
- Effect = "Allow"
- Resource = "*"
- },
- ]
- })
- }
-}
-
-resource "aws_iam_role" "developer" {
- name = "EksDeveloper"
- max_session_duration = 43200
-
- assume_role_policy = jsonencode({
- Version = "2012-10-17"
- Statement = [
- {
- Action = "sts:AssumeRole"
- Effect = "Allow"
- Sid = ""
- Principal = {
- AWS = var.assume_developer_role
- }
- },
- ]
- })
-
- inline_policy {
- name = "eks_developer_policy"
-
- policy = jsonencode({
- Version = "2012-10-17"
- Statement = [
- {
- Action = ["eks:DescribeCluster"]
- Effect = "Allow"
- Resource = "*"
- },
- ]
- })
- }
-}
-
-# create the IAM OIDC provider for the cluster
-resource "aws_iam_openid_connect_provider" "eks-cluster" {
- client_id_list = ["sts.amazonaws.com"]
- thumbprint_list = [data.tls_certificate.cluster.certificates[0].sha1_fingerprint]
- url = module.eks.cluster_oidc_issuer_url
-}
-
-#resource "aws_iam_role" "eks-service-account-role" {
-# name = "workload_sa"
-#
-# assume_role_policy = jsonencode({
-# Version = "2012-10-17"
-# Statement = [
-# {
-# Action = ["sts:AssumeRoleWithWebIdentity"]
-# Effect = "Allow"
-# Sid = ""
-# Principal = {
-# Federated = aws_iam_openid_connect_provider.eks-cluster.arn
-# }
-# },
-# ]
-# })
-#
-# inline_policy {
-# name = "eks_service_account_policy"
-#
-# policy = jsonencode({
-# Version = "2012-10-17"
-# Statement = [
-# {
-# Action = ["s3:GetBucket", "s3:GetObject", "s3:PutObject"]
-# Effect = "Allow"
-# Resource = "*"
-# },
-# ]
-# })
-# }
-#}
-
diff --git a/examples/terraform/aws/eks.tf b/examples/terraform/aws/eks.tf
deleted file mode 100644
index a652b65..0000000
--- a/examples/terraform/aws/eks.tf
+++ /dev/null
@@ -1,50 +0,0 @@
-locals {
- cluster_name = "${var.cluster_name}-${random_string.suffix.result}"
-}
-
-resource "random_string" "suffix" {
- length = 4
- special = false
-}
-
-module "eks" {
- source = "terraform-aws-modules/eks/aws"
- version = "17.24.0"
- cluster_name = local.cluster_name
- cluster_version = var.cluster_version
- subnets = module.vpc.private_subnets
- map_roles = local.role_map_users
-
- vpc_id = module.vpc.vpc_id
-
- workers_group_defaults = {
- root_volume_type = "gp2"
- }
-
- worker_groups = [
- {
- name = "worker-group-1"
- instance_type = var.node_group_default_instance_type
- additional_security_group_ids = [aws_security_group.worker_group_mgmt_one.id]
- asg_desired_capacity = var.node_group_desired_capacity
- asg_max_size = var.node_group_max_capacity
- asg_min_size = var.node_group_min_capacity
- },
- {
- name = "worker-group-2"
- instance_type = var.node_group_default_instance_type
- additional_security_group_ids = [aws_security_group.worker_group_mgmt_two.id]
- asg_desired_capacity = var.node_group_desired_capacity
- asg_max_size = var.node_group_max_capacity
- asg_min_size = var.node_group_min_capacity
- },
- ]
-}
-
-data "aws_eks_cluster" "cluster" {
- name = module.eks.cluster_id
-}
-
-data "aws_eks_cluster_auth" "cluster" {
- name = module.eks.cluster_id
-}
\ No newline at end of file
diff --git a/examples/terraform/aws/outputs.tf b/examples/terraform/aws/outputs.tf
deleted file mode 100644
index ce79421..0000000
--- a/examples/terraform/aws/outputs.tf
+++ /dev/null
@@ -1,34 +0,0 @@
-output "cluster_id" {
- description = "EKS cluster ID."
- value = module.eks.cluster_id
-}
-
-output "cluster_endpoint" {
- description = "Endpoint for EKS control plane."
- value = module.eks.cluster_endpoint
-}
-
-output "cluster_security_group_id" {
- description = "Security group ids attached to the cluster control plane."
- value = module.eks.cluster_security_group_id
-}
-
-output "kubectl_config" {
- description = "kubectl config as generated by the module."
- value = module.eks.kubeconfig
-}
-
-output "config_map_aws_auth" {
- description = "A kubernetes configuration to authenticate to this EKS cluster."
- value = module.eks.config_map_aws_auth
-}
-
-output "region" {
- description = "AWS region"
- value = var.region
-}
-
-output "cluster_name" {
- description = "Kubernetes Cluster Name"
- value = local.cluster_name
-}
\ No newline at end of file
diff --git a/examples/terraform/aws/postgresql-rds.tf b/examples/terraform/aws/postgresql-rds.tf
deleted file mode 100644
index f6c308c..0000000
--- a/examples/terraform/aws/postgresql-rds.tf
+++ /dev/null
@@ -1,43 +0,0 @@
-#####################################################################################
-# Terraform Examples:
-# These are pieces of code added as configuration examples for guidance,
-# therefore they may require additional resources and variable or local declarations.
-#####################################################################################
-
-locals {
- name = "carto-postgresql"
- region = "us-east-1"
-}
-
-# RDS PostgreSQL instance, using the official RDS module
-module "db_default" {
- source = "terraform-aws-modules/rds/aws"
- version = "4.2.0"
- identifier = "${local.name}-default"
-
- create_db_option_group = false
- create_db_parameter_group = false
-
- # All available versions: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_PostgreSQL.html#PostgreSQL.Concepts
- engine = "postgres"
- engine_version = "13.5"
- family = "postgres13" # DB parameter group
- major_engine_version = "13" # DB option group
- instance_class = "db.t4g.large"
-
- allocated_storage = 20
-
- # NOTE: Do NOT use 'user' as the value for 'username' as it throws:
- # "Error creating DB Instance: InvalidParameterValue: MasterUsername
- # user cannot be used as it is a reserved word used by the engine"
- db_name = "postgres"
- username = "postgres"
- port = 5432
-
- db_subnet_group_name = module.vpc.database_subnet_group
- vpc_security_group_ids = [module.postgresql_security_group.security_group_id]
-
- maintenance_window = "Mon:00:00-Mon:03:00"
- backup_window = "03:00-06:00"
- backup_retention_period = 0
-}
diff --git a/examples/terraform/aws/redis.tf b/examples/terraform/aws/redis.tf
deleted file mode 100644
index 674624e..0000000
--- a/examples/terraform/aws/redis.tf
+++ /dev/null
@@ -1,27 +0,0 @@
-#####################################################################################
-# Terraform Examples:
-# These are pieces of code added as configuration examples for guidance,
-# therefore they may require additional resources and variable or local declarations.
-#####################################################################################
-
-locals {
- # Instance name
- redis_instance_name = "${var.redis_name}-${random_integer.random_redis.id}"
-}
-
-# Name suffix
-resource "random_integer" "random_redis" {
- min = 1000
- max = 9999
-}
-
-# Redis instance
-resource "aws_elasticache_cluster" "example" {
- cluster_id = local.redis_instance_name
- engine = "redis"
- node_type = "cache.m4.large"
- num_cache_nodes = 1
- parameter_group_name = "default.redis6.x"
- engine_version = "6.0"
- port = 6379
-}
diff --git a/examples/terraform/aws/security-groups.tf b/examples/terraform/aws/security-groups.tf
deleted file mode 100644
index 66b8735..0000000
--- a/examples/terraform/aws/security-groups.tf
+++ /dev/null
@@ -1,50 +0,0 @@
-
-resource "aws_security_group" "worker_group_mgmt_one" {
- description = "Security group for workers management"
- name_prefix = "worker_group_mgmt_one"
- vpc_id = module.vpc.vpc_id
-
- ingress {
- from_port = 22
- to_port = 22
- protocol = "tcp"
-
- cidr_blocks = [
- "10.0.0.0/8",
- ]
- }
-}
-
-resource "aws_security_group" "worker_group_mgmt_two" {
- description = "Security group for workers management"
- name_prefix = "worker_group_mgmt_two"
- vpc_id = module.vpc.vpc_id
-
- ingress {
- from_port = 22
- to_port = 22
- protocol = "tcp"
-
- cidr_blocks = [
- "192.168.0.0/16",
- ]
- }
-}
-
-resource "aws_security_group" "all_worker_mgmt" {
- description = "Security group for workers management"
- name_prefix = "all_worker_management"
- vpc_id = module.vpc.vpc_id
-
- ingress {
- from_port = 22
- to_port = 22
- protocol = "tcp"
-
- cidr_blocks = [
- "10.0.0.0/8",
- "172.16.0.0/12",
- "192.168.0.0/16",
- ]
- }
-}
\ No newline at end of file
diff --git a/examples/terraform/aws/settings.tf b/examples/terraform/aws/settings.tf
deleted file mode 100644
index 65fa641..0000000
--- a/examples/terraform/aws/settings.tf
+++ /dev/null
@@ -1,44 +0,0 @@
-terraform {
- required_version = "~> 1.0"
-
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = ">= 3.72"
- }
- null = {
- source = "hashicorp/null"
- version = ">= 3.1"
- }
- local = {
- source = "hashicorp/local"
- version = "2.1.0"
- }
- random = {
- source = "hashicorp/random"
- version = "3.1.0"
- }
- kubernetes = {
- source = "hashicorp/kubernetes"
- version = ">= 2.0.1"
- }
- }
-
- backend "gcs" {}
-
-}
-
-provider "aws" {}
-
-# Kubernetes provider
-# https://learn.hashicorp.com/terraform/kubernetes/provision-eks-cluster#optional-configure-terraform-kubernetes-provider
-# To learn how to schedule deployments and services using the provider, go here: https://learn.hashicorp.com/terraform/kubernetes/deploy-nginx-kubernetes
-
-# The Kubernetes provider is included in this file so the EKS module can complete successfully. Otherwise, it throws an error when creating `kubernetes_config_map.aws_auth`.
-# You should **not** schedule deployments and services in this workspace. This keeps workspaces modular (one for provision EKS, another for scheduling Kubernetes resources) as per best practices.
-
-provider "kubernetes" {
- host = data.aws_eks_cluster.cluster.endpoint
- token = data.aws_eks_cluster_auth.cluster.token
- cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
-}
diff --git a/examples/terraform/aws/storage.tf b/examples/terraform/aws/storage.tf
deleted file mode 100644
index 4cc9d92..0000000
--- a/examples/terraform/aws/storage.tf
+++ /dev/null
@@ -1,59 +0,0 @@
-#####################################################################################
-# Terraform Examples:
-# These are pieces of code added as configuration examples for guidance,
-# therefore they may require additional resources and variable or local declarations.
-#####################################################################################
-
-locals {
- # List of storage buckets to create
- storage_buckets = [
- "mycarto-import-s3-bucket",
- "mycarto-client-s3-bucket",
- "mycarto-thumbnails-s3-bucket",
- ]
-}
-
-# S3 Buckets
-resource "aws_s3_bucket" "default" {
- for_each = toset(local.storage_buckets)
- bucket = each.value
- acl = "private"
-
- cors_rule {
- allowed_origins = ["*"]
- allowed_methods = ["GET", "PUT", "POST"]
- allowed_headers = [
- "Content-Type",
- "Content-MD5",
- "Content-Disposition",
- "Cache-Control"
- ]
- }
- versioning {
- enabled = false
- }
- server_side_encryption_configuration {
- rule {
- apply_server_side_encryption_by_default {
- kms_master_key_id = aws_kms_key.default.arn
- sse_algorithm = "aws:kms"
- }
- }
- }
-}
-
-# Block public access setting
-resource "aws_s3_bucket_public_access_block" "default" {
- for_each = aws_s3_bucket.default
- bucket = each.value.id
- block_public_acls = true
- block_public_policy = true
- ignore_public_acls = true
- restrict_public_buckets = true
-}
-
-#KMS key for data encryption
-resource "aws_kms_key" "default" {
- description = "Default"
- enable_key_rotation = true
-}
diff --git a/examples/terraform/aws/terraform.tfvars b/examples/terraform/aws/terraform.tfvars
deleted file mode 100644
index a6fab15..0000000
--- a/examples/terraform/aws/terraform.tfvars
+++ /dev/null
@@ -1,15 +0,0 @@
-additional_tags = {}
-
-# EKS
-cluster_name = "eks"
-cluster_version = "1.20"
-node_group_default_instance_type = "m5.large"
-node_group_desired_capacity = 1
-node_group_min_capacity = 1
-node_group_max_capacity = 3
-
-# arn thag can assume the eks developer role
-assume_developer_role = []
-
-# arn thag can assume the eks admin role
-assume_admin_role = []
diff --git a/examples/terraform/aws/variables.tf b/examples/terraform/aws/variables.tf
deleted file mode 100644
index 0ee6415..0000000
--- a/examples/terraform/aws/variables.tf
+++ /dev/null
@@ -1,59 +0,0 @@
-variable "tags" {
- description = "Tags assigned to all the resources"
- type = map(string)
- default = {
- Product = "Carto"
- }
-}
-
-variable "region" {
- description = "AWS region"
- type = string
- default = "us-east-1"
-}
-
-variable "cluster_name" {
- description = "Name of the EKS cluster"
- type = string
-}
-
-variable "cluster_version" {
- description = "Kubernetes version to use for the EKS cluster"
- type = string
-}
-
-variable "node_group_default_instance_type" {
- description = "Default EC2 instance type for the node group"
- type = string
- default = "m5.large"
-}
-
-variable "node_group_desired_capacity" {
- description = "The desired number of EC2 instances in the node group"
- type = string
- default = "1"
-}
-
-variable "node_group_min_capacity" {
- description = "The minimum number of EC2 instances in the node group at a given time"
- type = string
- default = "1"
-}
-
-variable "node_group_max_capacity" {
- description = "The maximum number of EC2 instances in the node group at a given time. Used when auto scaling is enabled"
- type = string
- default = "3"
-}
-
-variable "assume_developer_role" {
- description = "A list of ARN's of users/roles that can assume the cluster_developer role"
- type = list(string)
- default = [""]
-}
-
-variable "assume_admin_role" {
- description = "A list of ARN's of users/roles that can assume the cluster_admin role"
- type = list(string)
- default = [""]
-}
\ No newline at end of file
diff --git a/examples/terraform/aws/vpc.tf b/examples/terraform/aws/vpc.tf
deleted file mode 100644
index bae1a3c..0000000
--- a/examples/terraform/aws/vpc.tf
+++ /dev/null
@@ -1,55 +0,0 @@
-data "aws_availability_zones" "available" {}
-
-module "vpc" {
- source = "terraform-aws-modules/vpc/aws"
- version = "3.2.0"
-
- name = "vpc-${local.cluster_name}"
- cidr = "10.0.0.0/16"
- azs = data.aws_availability_zones.available.names
- private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
- public_subnets = ["10.0.4.0/24", "10.0.5.0/24", "10.0.6.0/24"]
- database_subnets = ["10.0.7.0/24", "10.0.8.0/24", "10.0.9.0/24"]
-
- enable_nat_gateway = true
- single_nat_gateway = true
- enable_dns_hostnames = true
- create_database_subnet_group = true
- create_database_subnet_route_table = true
-
- tags = {
- "kubernetes.io/cluster/${local.cluster_name}" = "shared"
- }
-
- public_subnet_tags = {
- "kubernetes.io/cluster/${local.cluster_name}" = "shared"
- "kubernetes.io/role/elb" = "1"
- }
-
- private_subnet_tags = {
- "kubernetes.io/cluster/${local.cluster_name}" = "shared"
- "kubernetes.io/role/internal-elb" = "1"
- }
-}
-
-module "postgresql_security_group" {
- source = "terraform-aws-modules/security-group/aws"
- version = "~> 4.0"
-
- name = "postgresql-sg"
- description = "Complete PostgreSQL example security group"
- vpc_id = module.vpc.vpc_id
-
- # ingress
- ingress_with_cidr_blocks = [
- {
- from_port = 5432
- to_port = 5432
- protocol = "tcp"
- description = "PostgreSQL access from within VPC"
- cidr_blocks = module.vpc.vpc_cidr_block
- },
- ]
-
- tags = local.tags
-}
diff --git a/examples/terraform/azure/aks.tf b/examples/terraform/azure/aks.tf
deleted file mode 100644
index c0fe8f9..0000000
--- a/examples/terraform/azure/aks.tf
+++ /dev/null
@@ -1,90 +0,0 @@
-# https://docs.microsoft.com/en-us/azure/developer/terraform/create-k8s-cluster-with-tf-and-aks
-
-locals {
- cluster_name = "aks-${random_integer.aks_suffix.result}"
-}
-
-resource "random_integer" "aks_suffix" {
- min = 1000
- max = 9999
-}
-
-# They are enabled but they way tfsec expect it it's deprecated
-# tfsec:ignore:azure-container-logging
-# tfsec:ignore:azure-container-use-rbac-permissions
-resource "azurerm_kubernetes_cluster" "default" {
- name = local.cluster_name
- location = azurerm_resource_group.default.location
- resource_group_name = azurerm_resource_group.default.name
- dns_prefix = local.cluster_name
-
- kubernetes_version = "1.21.9"
-
- # Performance
- ## Worker nodes
- default_node_pool {
- name = "agentpool"
- vm_size = "Standard_B2s"
- enable_auto_scaling = true
- min_count = 1
- max_count = 5
- }
-
- # Security
- public_network_access_enabled = true
- api_server_authorized_ip_ranges = ["0.0.0.0/0"] # ! World-wide access
- role_based_access_control_enabled = true
-
- identity {
- type = "SystemAssigned"
- }
-
- # Allow connecting to Kubernetes nodes via SSH
- # linux_profile {
- # admin_username = "ubuntu"
- # ssh_key {
- # key_data = file(var.ssh_public_key)
- # }
- # }
-
- # Networking
- # Changing this forces a new resource to be created.
- network_profile {
- load_balancer_sku = "Standard"
- network_plugin = "kubenet"
- network_policy = "calico"
- }
-
- # Logging and Monitoring
- oms_agent {
- log_analytics_workspace_id = azurerm_log_analytics_workspace.default.id
- }
-
- # tags = {
- # Environment = "Development"
- # }
-}
-
-# Logging & Monitoring
-
-# refer https://azure.microsoft.com/pricing/details/monitor/ for log analytics pricing
-resource "azurerm_log_analytics_workspace" "default" {
- # The WorkSpace name has to be unique across the whole of azure, not just the current subscription/tenant.
- name = "CartoDefaultLogAnalyticsWorkspace"
- location = azurerm_resource_group.default.location
- resource_group_name = azurerm_resource_group.default.name
- sku = "PerGB2018"
-}
-
-resource "azurerm_log_analytics_solution" "default" {
- solution_name = "ContainerInsights"
- location = azurerm_resource_group.default.location
- resource_group_name = azurerm_resource_group.default.name
- workspace_resource_id = azurerm_log_analytics_workspace.default.id
- workspace_name = azurerm_log_analytics_workspace.default.name
-
- plan {
- publisher = "Microsoft"
- product = "OMSGallery/ContainerInsights"
- }
-}
diff --git a/examples/terraform/azure/outputs.tf b/examples/terraform/azure/outputs.tf
deleted file mode 100644
index aa75d7c..0000000
--- a/examples/terraform/azure/outputs.tf
+++ /dev/null
@@ -1,46 +0,0 @@
-# AKS
-
-output "kube_config" {
- description = "AKS cluster kubeconfig for kubectl"
- value = azurerm_kubernetes_cluster.default.kube_config_raw
- sensitive = true
-}
-
-# Redis
-
-output "redis_access_key" {
- description = "Redis access key"
- value = azurerm_redis_cache.default.primary_access_key
- sensitive = true
-}
-
-output "redis_host" {
- description = "Redis host"
- value = azurerm_redis_cache.default.hostname
-}
-
-# Postgresql
-
-output "postgres_host" {
- description = "Postgresql FQDN"
- value = azurerm_postgresql_server.default.fqdn
-}
-
-output "postgres_admin_user" {
- description = "Postgresql admin username"
- value = azurerm_postgresql_server.default.administrator_login
- sensitive = true
-}
-
-output "postgres_admin_password" {
- description = "Postgresql admin password"
- value = azurerm_postgresql_server.default.administrator_login_password
- sensitive = true
-}
-
-# Storage
-output "storage_account_primary_access_key" {
- description = "Storage Account Primary Access Key"
- value = azurerm_storage_account.default.primary_access_key
- sensitive = true
-}
diff --git a/examples/terraform/azure/postgresql.tf b/examples/terraform/azure/postgresql.tf
deleted file mode 100644
index 221626c..0000000
--- a/examples/terraform/azure/postgresql.tf
+++ /dev/null
@@ -1,80 +0,0 @@
-#####################################################################################
-# Terraform Examples:
-# These are pieces of code added as configuration examples for guidance,
-# therefore they may require additional resources and variable or local declarations.
-#####################################################################################
-
-locals {
- postgresql_name = "postgresql-${random_integer.postgres_suffix.result}"
- postgres_admin_user = "postgres_admin_${random_integer.postgres_admin_user.result}"
-}
-
-# Name suffix
-resource "random_integer" "postgres_suffix" {
- min = 1000
- max = 9999
-}
-
-# Database instance
-resource "azurerm_postgresql_server" "default" {
- name = local.postgresql_name
- location = azurerm_resource_group.default.location
- resource_group_name = azurerm_resource_group.default.name
-
- # Security
- administrator_login = local.postgres_admin_user
- administrator_login_password = random_password.postgres_admin_password.result
-
- # Version
- version = "11"
-
- # Performance
- sku_name = "B_Gen5_1" # Basic
- storage_mb = 10240 # 10 GB
-
- # Backups
- backup_retention_days = 7
- geo_redundant_backup_enabled = false
- auto_grow_enabled = true
-
- # Networking
- public_network_access_enabled = true
- ssl_enforcement_enabled = true
- ssl_minimal_tls_version_enforced = "TLS1_2"
-}
-
-# Database configuration
-resource "azurerm_postgresql_configuration" "default" {
- for_each = toset([
- "connection_throttling",
- "log_checkpoints",
- "log_connections"
- ])
- name = each.value
- resource_group_name = azurerm_resource_group.default.name
- server_name = azurerm_postgresql_server.default.name
- value = "on"
-}
-
-# Firewall
-resource "azurerm_postgresql_firewall_rule" "default" {
- name = "AllowAll"
- resource_group_name = azurerm_resource_group.default.name
- server_name = azurerm_postgresql_server.default.name
- # Warning: The instance will be publicly accessible
- start_ip_address = "0.0.0.0"
- end_ip_address = "255.255.255.255"
-}
-
-# Postgres user
-resource "random_integer" "postgres_admin_user" {
- min = 1000
- max = 9999
-}
-
-# Postgres user's password
-resource "random_password" "postgres_admin_password" {
- length = 64
- special = true
- override_special = "!#$%&*()-_=+[]"
-}
diff --git a/examples/terraform/azure/redis.tf b/examples/terraform/azure/redis.tf
deleted file mode 100644
index 29e1ef5..0000000
--- a/examples/terraform/azure/redis.tf
+++ /dev/null
@@ -1,46 +0,0 @@
-#####################################################################################
-# Terraform Examples:
-# These are pieces of code added as configuration examples for guidance,
-# therefore they may require additional resources and variable or local declarations.
-#####################################################################################
-
-locals {
- # Instance name
- redis_instance_name = "${var.redis_name}-${random_integer.random_redis.id}"
-}
-
-# Name suffix
-resource "random_integer" "random_redis" {
- min = 1000
- max = 9999
-}
-
-# Redis instance
-resource "azurerm_redis_cache" "default" {
- # name needs to be globally unique
- name = local.redis_instance_name
- location = azurerm_resource_group.default.location
- resource_group_name = azurerm_resource_group.default.name
-
- redis_version = 6
-
- # Performance
- capacity = 0
- family = "C" # Basic/Satandard
- sku_name = "Basic"
-
- # Networking
- public_network_access_enabled = true
- enable_non_ssl_port = false
- minimum_tls_version = "1.2"
-}
-
-# Firewall
-resource "azurerm_redis_firewall_rule" "default" {
- name = "AllowAll"
- resource_group_name = azurerm_resource_group.default.name
- redis_cache_name = azurerm_redis_cache.default.name
- # Warning: The instance will be publicly accessible
- start_ip = "0.0.0.0"
- end_ip = "255.255.255.255"
-}
diff --git a/examples/terraform/azure/storage.tf b/examples/terraform/azure/storage.tf
deleted file mode 100644
index 2beb3e3..0000000
--- a/examples/terraform/azure/storage.tf
+++ /dev/null
@@ -1,60 +0,0 @@
-locals {
- # We remove everything that it's not a letter or a number
- resource_group_name_parsed = replace(var.resource_group_name, "/[^a-z0-9]/", "")
-}
-
-# FIXME: For rp
-# tfsec:ignore:azure-storage-queue-services-logging-enabled
-resource "azurerm_storage_account" "default" {
- # The name must be unique across all existing storage account names in Azure.
- # It must be 3 to 24 characters long, and can contain only lowercase letters
- # and numbers.
- name = local.resource_group_name_parsed
- resource_group_name = azurerm_resource_group.default.name
- location = azurerm_resource_group.default.location
-
- # Performance
- account_kind = "StorageV2"
- account_tier = "Standard"
- account_replication_type = "LRS" # For production ready use GRS or higher
-
- # Networking
- allow_blob_public_access = true
- min_tls_version = "TLS1_2" # Older versions are not secure anymore
-
- # Security
- blob_properties {
- cors_rule {
- allowed_origins = ["*"]
- allowed_methods = ["GET", "PUT", "POST"]
- allowed_headers = [
- "Access-Control-Request-Headers",
- "Cache-Control",
- "Content-Disposition",
- "Content-MD5",
- "Content-Type",
- "X-MS-Blob-Type"
- ]
- exposed_headers = ["*"]
- max_age_in_seconds = 3600
- }
- }
-}
-
-locals {
- # List of storage containers to create.
- storage_container = [
-
- ]
-}
-
-resource "azurerm_storage_container" "default" {
- for_each = toset(local.storage_container)
- # This name may only contain lowercase letters, numbers, and hyphens, and must
- # begin with a letter or a number. Each hyphen must be preceded and followed
- # by a non-hyphen character. The name must also be between 3 and 63 characters
- # long.
- name = each.value
- storage_account_name = azurerm_storage_account.default.name
- container_access_type = "private"
-}
diff --git a/examples/terraform/gcp/gke-autopilot.tf b/examples/terraform/gcp/gke-autopilot.tf
deleted file mode 100644
index ca782fb..0000000
--- a/examples/terraform/gcp/gke-autopilot.tf
+++ /dev/null
@@ -1,87 +0,0 @@
-# Please see the Autopilot documentation
-# https://github.com/CartoDB/carto-selfhosted-helm/blob/main/doc/gke/gke-autopilot.md
-
-# VPC
-resource "google_compute_network" "gke_autopilot_network" {
- name = "gke-autopilot-network"
- project = local.project_id
- auto_create_subnetworks = false
-}
-
-# Subnet
-resource "google_compute_subnetwork" "gke_autopilot_subnet" {
- name = "gke-autopilot-subnet"
- project = local.project_id
- ip_cidr_range = "10.5.0.0/16"
- region = var.region
- network = google_compute_network.gke_autopilot_network.id
-}
-
-# GKE Autopilot private cluster
-resource "google_container_cluster" "default" {
- name = "gke-autopilot"
- project = local.project_id
- location = var.region
-
- # Private clusters use nodes that do not have external IP addresses.
- # This means that clients on the internet cannot connect to the IP addresses of the nodes.
- private_cluster_config {
- enable_private_nodes = true
- enable_private_endpoint = true
- # Control plane nodes are not accessible globally
- master_global_access_config {
- enabled = false
- }
- }
-
- release_channel {
- channel = "STABLE"
- }
-
- network = google_compute_network.gke_autopilot_network.name
- subnetwork = google_compute_subnetwork.gke_autopilot_subnet.name
-
- ip_allocation_policy {
- # There settings are permanent and they cannot be changed once the cluster is deployed
- # Cluster default pod address range. All pods in the cluster are assigned an IP address from this range. Enter a range (in CIDR notation) within a network range, a mask, or leave this field blank to use a default range.
- # We recommend at least /21 mask for pods
- cluster_ipv4_cidr_block = "/21"
- # Service address range. Cluster services will be assigned an IP address from this IP address range. Enter a range (in CIDR notation) within a network range, a mask, or leave this field blank to use a default range.
- # We recommend at least /24 mask for services
- services_ipv4_cidr_block = "/24"
- }
-
- # At this point, these are the only IP addresses that have access to the control plane:
- # - The primary range for the subnet: google_compute_subnetwork.gke_autopilot_subnet
- # - The secondary range for the pods: google_container_cluster.default.ip_allocation_policy.cluster_ipv4_cidr_block
- # If you need to allow external networks to access Kubernetes master through HTTPS, please see:
- # https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#master_authorized_networks_config
-
- # Enabling Autopilot for this cluster
- enable_autopilot = true
-}
-
-# ServiceAccount to be using in workload identity
-resource "google_service_account" "workload_identity_sa" {
- project = local.project_id
- account_id = "workload-identity-iam-sa"
- display_name = "A service account to be used by GKE Workload Identity"
-}
-
-# Binding between IAM SA and Kubernetes SA
-resource "google_service_account_iam_binding" "gke_iam_binding" {
- service_account_id = google_service_account.workload_identity_sa.name
- role = "roles/iam.workloadIdentityUser"
-
- members = [
- # "serviceAccount:.svc.id.goog[/-common-backend]"
- "serviceAccount:${local.project_id}.svc.id.goog[carto/carto-common-backend]",
- ]
-}
-
-# This role enables impersonation of service accounts to create OAuth2 access tokens, sign blobs, or sign JWTs
-resource "google_service_account_iam_member" "workload_identity_sa_sign_urls" {
- service_account_id = google_service_account.workload_identity_sa.name
- role = "roles/iam.serviceAccountTokenCreator"
- member = "serviceAccount:${google_service_account.workload_identity_sa.email}"
-}
diff --git a/examples/terraform/gcp/gke.tf b/examples/terraform/gcp/gke.tf
deleted file mode 100644
index a05bb3b..0000000
--- a/examples/terraform/gcp/gke.tf
+++ /dev/null
@@ -1,60 +0,0 @@
-
-locals {
- cluster_type = "nodepool"
- cluster_name = "${var.gke_cluster_name}-${random_integer.suffix.result}"
-}
-
-resource "random_integer" "suffix" {
- min = 1000
- max = 9999
-}
-
-data "google_client_config" "default" {}
-
-provider "kubernetes" {
- host = "https://${module.gke.endpoint}"
- token = data.google_client_config.default.access_token
- cluster_ca_certificate = base64decode(module.gke.ca_certificate)
-}
-
-# tflint-ignore: terraform_module_version
-module "gke" {
- source = "terraform-google-modules/kubernetes-engine/google"
- project_id = local.project_id
- name = local.cluster_name
- region = var.region
- zones = var.zones
- network = google_compute_network.carto_selfhosted_network.name
- subnetwork = google_compute_subnetwork.carto_selfhosted_subnet.name
- ip_range_pods = var.ip_range_pods_name
- ip_range_services = var.ip_range_services_name
- create_service_account = true
- remove_default_node_pool = true
- disable_legacy_metadata_endpoints = false
- default_max_pods_per_node = 16
- node_pools = [
- {
- name = "pool-01"
- machine_type = var.node_pool_instance_type
- node_locations = "${var.region}-b"
- autoscaling = true
- min_count = 1
- max_count = 5
- disk_size_gb = 30
- disk_type = "pd-standard"
- auto_upgrade = false
- },
- {
- name = "pool-02"
- machine_type = var.node_pool_instance_type
- node_locations = "${var.region}-d"
- autoscaling = true
- min_count = 1
- max_count = 5
- disk_size_gb = 30
- disk_type = "pd-standard"
- auto_upgrade = false
- },
- ]
-
-}
diff --git a/examples/terraform/gcp/main.tf b/examples/terraform/gcp/main.tf
deleted file mode 100644
index 3ec10cf..0000000
--- a/examples/terraform/gcp/main.tf
+++ /dev/null
@@ -1,32 +0,0 @@
-locals {
- # project_id =
-
- # Postgresql
- postgresql_availability_type = var.production_mode ? "REGIONAL" : "ZONAL"
- postgreql_maintenance_window = var.production_mode ? {
- day = 1
- hour = 5
- update_track = "stable"
- } : {
- day = 5
- hour = 7
- update_track = "canary"
- }
- postgreql_backup_configuration = var.enable_create_internal_sql_backups ? {
- enabled = true
- pitr_enabled = true
- } : {
- enabled = false
- pitr_enabled = false
- }
- postgresql_deletion_protection = var.postgresql_deletion_protection != null ? var.postgresql_deletion_protection : var.production_mode
-
- # Redis
- redis_maintenance_window = var.production_mode ? {
- day = "MONDAY"
- hour = 5
- } : {
- day = "FRIDAY"
- hour = 7
- }
-}
diff --git a/examples/terraform/gcp/postgresql.tf b/examples/terraform/gcp/postgresql.tf
deleted file mode 100644
index 76468e0..0000000
--- a/examples/terraform/gcp/postgresql.tf
+++ /dev/null
@@ -1,118 +0,0 @@
-#####################################################################################
-# Terraform Examples:
-# These are pieces of code added as configuration examples for guidance,
-# therefore they may require additional resources and variable or local declarations.
-#####################################################################################
-
-# Cloud SQL instance
-resource "google_sql_database_instance" "default" {
- name = var.postgresl_name
- project = local.project_id
- database_version = var.postgresql_version
- deletion_protection = local.postgresql_deletion_protection
- region = var.region
- settings {
- disk_autoresize = var.postgresql_disk_autoresize
- disk_size = var.postgresql_disk_size_gb
- disk_type = var.production_mode ? "PD_SSD" : "PD_HDD"
- tier = var.postgresql_tier
- availability_type = local.postgresql_availability_type
-
- user_labels = {
- "owner" = "product"
- }
-
- dynamic "database_flags" {
- for_each = {
- log_checkpoints = "on"
- log_connections = "on"
- log_disconnections = "on"
- log_lock_waits = "on"
- log_temp_files = "0"
- }
- iterator = flag
-
- content {
- name = flag.key
- value = flag.value
- }
- }
-
- ip_configuration {
- # Necessary to connect via Unix sockets
- # https://cloud.google.com/sql/docs/mysql/connect-run#connecting_to
- ipv4_enabled = true
- private_network = google_compute_network.carto_selfhosted_network.id
- require_ssl = false
- }
-
- location_preference {
- zone = var.zone
- }
-
- maintenance_window {
- day = local.postgreql_maintenance_window.day
- hour = local.postgreql_maintenance_window.hour
- update_track = local.postgreql_maintenance_window.update_track
- }
-
- backup_configuration {
- enabled = local.postgreql_backup_configuration.enabled
- point_in_time_recovery_enabled = local.postgreql_backup_configuration.pitr_enabled
- backup_retention_settings {
- retained_backups = 30
- }
- }
-
- insights_config {
- query_insights_enabled = true
- query_string_length = 1024
- record_application_tags = false
- record_client_address = true
- }
- }
-
- lifecycle {
- create_before_destroy = true
- }
-}
-
-# Credentials
-
-## Postgres Admin User
-
-resource "google_sql_user" "postgres_admin_user" {
- name = "postgres"
- project = local.project_id
- instance = google_sql_database_instance.default.name
- type = "BUILT_IN"
- password = random_password.postgres-admin-user-password.result
- lifecycle {
- ignore_changes = [
- type
- ]
- }
-}
-
-## Postgres Admin Password
-
-resource "random_password" "postgres-admin-user-password" {
- length = 16
- special = false
- upper = true
- lower = true
- number = true
-}
-
-resource "google_secret_manager_secret" "postgres_admin_user_password_secret" {
- secret_id = "postgres-admin-password-${google_sql_database_instance.default.name}"
- project = local.project_id
- replication {
- automatic = true
- }
-}
-
-resource "google_secret_manager_secret_version" "cloudrun_admin_user_password_secret_version" {
- secret = google_secret_manager_secret.postgres_admin_user_password_secret.id
- secret_data = random_password.postgres-admin-user-password.result
-}
diff --git a/examples/terraform/gcp/private-service-access.tf b/examples/terraform/gcp/private-service-access.tf
deleted file mode 100644
index f4f29d8..0000000
--- a/examples/terraform/gcp/private-service-access.tf
+++ /dev/null
@@ -1,14 +0,0 @@
-resource "google_compute_global_address" "service_range" {
- name = "address"
- project = local.project_id
- purpose = "VPC_PEERING"
- address_type = "INTERNAL"
- prefix_length = 16
- network = google_compute_network.carto_selfhosted_network.name
-}
-
-resource "google_service_networking_connection" "private_service_connection" {
- network = google_compute_network.carto_selfhosted_network.id
- service = "servicenetworking.googleapis.com"
- reserved_peering_ranges = [google_compute_global_address.service_range.name]
-}
diff --git a/examples/terraform/gcp/redis.tf b/examples/terraform/gcp/redis.tf
deleted file mode 100644
index 048857a..0000000
--- a/examples/terraform/gcp/redis.tf
+++ /dev/null
@@ -1,55 +0,0 @@
-#####################################################################################
-# Terraform Examples:
-# These are pieces of code added as configuration examples for guidance,
-# therefore they may require additional resources and variable or local declarations.
-#####################################################################################
-
-locals {
- # Instance name
- redis_instance_name = "${var.redis_name}-${random_integer.random_redis.id}"
-}
-
-# Name suffix
-resource "random_integer" "random_redis" {
- min = 1000
- max = 9999
-}
-
-# Redis instance
-resource "google_redis_instance" "default" {
- name = local.redis_instance_name
- project = local.project_id
- region = var.region
- location_id = var.zone
- memory_size_gb = var.redis_memory_size_gb
- auth_enabled = true
- tier = var.redis_tier
- redis_version = var.redis_version
- connect_mode = "PRIVATE_SERVICE_ACCESS"
- authorized_network = google_compute_network.carto_selfhosted_network.id
- depends_on = [google_service_networking_connection.private_service_connection]
-
- maintenance_policy {
- weekly_maintenance_window {
- day = local.redis_maintenance_window.day
- start_time {
- hours = local.redis_maintenance_window.hour
- }
- }
- }
-}
-
-# Credentials stored in Google Secret Manager
-
-resource "google_secret_manager_secret" "redis_password" {
- secret_id = "redis-auth-string-${google_redis_instance.default.name}"
- project = local.project_id
- replication {
- automatic = true
- }
-}
-
-resource "google_secret_manager_secret_version" "redis_password" {
- secret = google_secret_manager_secret.redis_password.id
- secret_data = google_redis_instance.default.auth_string
-}
diff --git a/examples/terraform/gcp/settings.tf b/examples/terraform/gcp/settings.tf
deleted file mode 100644
index 49512df..0000000
--- a/examples/terraform/gcp/settings.tf
+++ /dev/null
@@ -1,18 +0,0 @@
-terraform {
- required_providers {
- google = {
- source = "hashicorp/google"
- version = "~> 4.0"
- }
- kubernetes = {
- source = "hashicorp/kubernetes"
- }
- random = {
- source = "hashicorp/random"
- version = ">= 2.2"
- }
- }
- required_version = "~> 1.0"
-
- backend "gcs" {}
-}
\ No newline at end of file
diff --git a/examples/terraform/gcp/storage.tf b/examples/terraform/gcp/storage.tf
deleted file mode 100644
index 5ade563..0000000
--- a/examples/terraform/gcp/storage.tf
+++ /dev/null
@@ -1,120 +0,0 @@
-locals {
- bucket_client_name = "${local.project_id}-client-storage"
- bucket_thumbnails_name = "${local.project_id}-thumbnails-storage"
- bucket_import_name = "${local.project_id}-import-storage"
- carto_service_account_id = "carto-selfhosted-serv-account"
-}
-
-## GCS
-
-# Client storage bucket
-resource "google_storage_bucket" "client_storage" {
- name = local.bucket_client_name
- project = local.project_id
- location = var.region
-
- uniform_bucket_level_access = true
-
- cors {
- origin = ["*"]
- method = ["GET", "PUT", "POST", ]
- response_header = [
- "Content-Type",
- "Content-MD5",
- "Content-Disposition",
- "Cache-Control",
- "x-goog-content-length-range",
- "x-goog-meta-filename"
- ]
- max_age_seconds = 3600
- }
-
- lifecycle_rule {
- condition {
- age = 30
- }
- action {
- type = "Delete"
- }
- }
-}
-
-resource "google_storage_bucket_iam_binding" "bucket_client_storage_workspace_api" {
- bucket = local.bucket_client_name
- role = "roles/storage.admin"
- members = ["serviceAccount:${google_service_account.carto_selfhosted_service_account.email}"]
-}
-
-# Thumbnails storage bucket
-resource "google_storage_bucket" "thumbnails_storage" {
- name = local.bucket_thumbnails_name
- project = local.project_id
- location = var.region
-
- uniform_bucket_level_access = true
-
- cors {
- origin = ["*"]
- method = ["GET", "PUT", "POST", ]
- response_header = [
- "Content-Type",
- "Content-MD5",
- "Content-Disposition",
- "Cache-Control",
- "x-goog-content-length-range",
- "x-goog-meta-filename"
- ]
- max_age_seconds = 3600
- }
-
- versioning {
- enabled = true
- }
-}
-
-resource "google_storage_bucket_iam_binding" "bucket_thumbnails_storage_workspace_api" {
- bucket = local.bucket_thumbnails_name
- role = "roles/storage.admin"
- members = ["serviceAccount:${google_service_account.carto_selfhosted_service_account.email}"]
-}
-
-# Import storage bucket
-resource "google_storage_bucket" "import_storage" {
- name = local.bucket_import_name
- project = local.project_id
- location = var.region
-
- uniform_bucket_level_access = true
-
- lifecycle_rule {
- condition {
- age = 30
- }
- action {
- type = "Delete"
- }
- }
-}
-
-resource "google_storage_bucket_iam_binding" "import_storage_import" {
- bucket = local.bucket_import_name
- role = "roles/storage.admin"
- members = ["serviceAccount:${google_service_account.carto_selfhosted_service_account.email}"]
-}
-
-
-## IAM
-
-# Service account for the self hosted
-resource "google_service_account" "carto_selfhosted_service_account" {
- project = local.project_id
- account_id = local.carto_service_account_id
- display_name = "Carto Self Hosted Service Account"
-}
-
-# Allows Carto self hosted service account to create signedUrls
-resource "google_service_account_iam_member" "carto_selfhosted_service_account_token_creator" {
- service_account_id = google_service_account.carto_selfhosted_service_account.id
- role = "roles/iam.serviceAccountTokenCreator"
- member = "serviceAccount:${google_service_account.carto_selfhosted_service_account.email}"
-}
diff --git a/examples/terraform/gcp/terraform.tfvars b/examples/terraform/gcp/terraform.tfvars
deleted file mode 100644
index f504aa2..0000000
--- a/examples/terraform/gcp/terraform.tfvars
+++ /dev/null
@@ -1,26 +0,0 @@
-
-# GKE
-gke_cluster_name = "gke-default"
-region = "europe-west1"
-zones = ["europe-west1-b", "europe-west1-c", "europe-west1-d"]
-node_pool_instance_type = "e2-standard-8"
-ip_range_pods_name = "pod-ranges"
-ip_range_services_name = "services-range"
-
-activate_apis_custom = [
- "container.googleapis.com",
- "secretmanager.googleapis.com",
-]
-
-# Postgresql
-postgresl_name = "carto-selfhosted-postgres"
-postgresql_version = "POSTGRES_13"
-enable_create_internal_sql_backups = true
-postgresql_tier = "db-custom-1-3840"
-
-# Redis
-redis_name = "carto-selfhosted-redis"
-
-# common
-production_mode = false
-zone = "europe-west1-b"
diff --git a/examples/terraform/gcp/variables.tf b/examples/terraform/gcp/variables.tf
deleted file mode 100644
index c22df16..0000000
--- a/examples/terraform/gcp/variables.tf
+++ /dev/null
@@ -1,112 +0,0 @@
-# GKE
-
-variable "gke_cluster_name" {
- type = string
- description = "Name of the EKS cluster"
-}
-
-variable "region" {
- type = string
- description = "GCP region"
-}
-
-variable "zones" {
- type = list(string)
- description = "The zone to host the cluster in (required if is a zonal cluster)"
-}
-
-variable "node_pool_instance_type" {
- type = string
- description = "Node pool machine types to deploy pods in gke cluster"
-}
-
-variable "ip_range_pods_name" {
- type = string
- description = "IP range subnet name for pods"
-}
-
-variable "ip_range_services_name" {
- type = string
- description = "IP range subnet name for services"
-}
-
-# common
-
-variable "production_mode" {
- description = "If production_mode is enabled we enable backup, PITR and HA"
- type = bool
-}
-
-variable "zone" {
- description = "Gcloud project zone"
- type = string
-}
-
-# redis
-
-variable "redis_name" {
- type = string
- description = "Name of the Redis instance"
-}
-
-variable "redis_memory_size_gb" {
- type = number
- description = "Redis memory size"
- default = 1
-}
-
-variable "redis_tier" {
- type = string
- description = "Redis tier. If we are going to really use in production, we must use `var.production_mode`"
- default = "BASIC"
-}
-
-variable "redis_version" {
- type = string
- description = "Redis version to use.\nhttps://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/redis_instance#redis_version"
- default = "REDIS_6_X"
-}
-
-# Postgres
-
-variable "postgresl_name" {
- type = string
- description = "Name of the postgresql instance"
-}
-
-variable "postgresql_version" {
- type = string
- description = "Version of postgres to use.\nhttps://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance#database_version"
- default = "POSTGRES_13"
-}
-
-variable "postgresql_deletion_protection" {
- type = bool
- description = "Enable the deletion_protection for the database please. By default, it's the same as `production_mode` variable"
- default = null
-}
-
-variable "postgresql_disk_autoresize" {
- type = bool
- description = "Enable postgres autoresize"
- default = true
-}
-
-variable "postgresql_disk_size_gb" {
- type = number
- description = "Default postgres disk_size. Keep in mind that the value could be auto-increased using `postgresql_disk_autoresize` variable"
- default = 10
-
-}
-
-variable "postgresql_tier" {
- description = "Postgres machine type to use"
- type = string
-}
-
-## Backups
-
-variable "enable_create_internal_sql_backups" {
- description = "Indicate if create internal db backups managed by cloud-sql"
- type = bool
-}
diff --git a/examples/terraform/gcp/vpc.tf b/examples/terraform/gcp/vpc.tf
deleted file mode 100644
index eae54b0..0000000
--- a/examples/terraform/gcp/vpc.tf
+++ /dev/null
@@ -1,23 +0,0 @@
-#tfsec:ignore:google-compute-enable-vpc-flow-logs
-resource "google_compute_subnetwork" "carto_selfhosted_subnet" {
- name = "carto-selfhosted-subnet"
- project = local.project_id
- ip_cidr_range = "10.2.0.0/16"
- region = var.region
- network = google_compute_network.carto_selfhosted_network.id
- secondary_ip_range {
- range_name = var.ip_range_services_name
- ip_cidr_range = "192.168.1.0/24"
- }
-
- secondary_ip_range {
- range_name = var.ip_range_pods_name
- ip_cidr_range = "192.168.64.0/22"
- }
-}
-
-resource "google_compute_network" "carto_selfhosted_network" {
- name = "carto-selfhosted-network"
- project = local.project_id
- auto_create_subnetworks = false
-}
diff --git a/proxy/config/whitelisted_domains.md b/proxy/config/whitelisted_domains.md
deleted file mode 100644
index 631c6fa..0000000
--- a/proxy/config/whitelisted_domains.md
+++ /dev/null
@@ -1,133 +0,0 @@
-# Whitelisted domains
-
-In case you are setting up some firewall to control the outgoing connections from CARTO Self Hosted, the following
-domains needs to be accepted:
-
-
-Full whitelisted domain list
-
-```
-## Global
-auth.carto.com
-bigquery.googleapis.com
-cloudresourcemanager.googleapis.com
-gcr.io
-iamcredentials.googleapis.com
-logging.googleapis.com
-pubsub.googleapis.com
-storage.googleapis.com
-tools.google.com
-www.googleapis.com
-clientstream.launchdarkly.com
-events.launchdarkly.com
-stream.launchdarkly.com
-
-## Datawarehouses
-.snowflakecomputing.com
-
-## Mapbox geocoding
-api.mapbox.com
-
-## Tomtom geocoding
-api.tomtom.com
-
-## Here geocoding
-isoline.router.hereapi.com
-
-## Google geocoding and basemaps
-maps.googleapis.com
-
-## Custom external dabases
-sqladmin.googleapis.com
-
-## AWS S3 buckets
-.amazonaws.com
-
-## Azure storage buckets
-.blob.core.windows.net
-
-## Bigquery Oauth connections
-oauth2.googleapis.com
-```
-
-
-
-## General setup
-
-| URL |
-|---|
-| auth.carto.com |
-| bigquery.googleapis.com |
-| cloudresourcemanager.googleapis.com |
-| gcr.io |
-| iamcredentials.googleapis.com |
-| logging.googleapis.com |
-| pubsub.googleapis.com |
-| storage.googleapis.com |
-| tools.google.com |
-| www.googleapis.com |
-| clientstream.launchdarkly.com |
-| events.launchdarkly.com |
-| stream.launchdarkly.com |
-
-
-## Datawarehouses
-
-### Snowflake
-
-| URL |
-|---|
-| *.snowflakecomputing.com |
-
-## Custom Geocoding configurations
-
-### Tomtom geocoding
-| URL |
-|---|
-| api.tomtom.com |
-
-### Mapbox geocoding
-
-| URL |
-|---|
-| api.mapbox.com |
-
-### Here geocoding and isolines
-
-| URL |
-|---|
-| isoline.router.hereapi.com |
-
-### Google Maps geocoding and basemaps
-
-| URL |
-|---|
-| maps.googleapis.com |
-
-## Custom external dabases
-
-### Google Cloud SQL
-
-| URL |
-|---|
-| sqladmin.googleapis.com |
-
-## Custom Buckets
-
-### AWS S3 buckets
-
-| URL |
-|---|
-|*.amazonaws.com (or your full bucket URLs) |
-
-### Azure Blob Storage
-
-| URL |
-|---|
-| *.blob.core.windows.net (or your full bucket URLs) |
-
-## BigQuery Oauth connections
-
-| URL |
-|---|
-| oauth2.googleapis.com |