mirror of
https://github.com/seaweedfs/seaweedfs.git
synced 2026-07-06 16:16:31 +00:00
a10607f90a
* terraform: add cloud-agnostic core renderer module Renders per-node weed argv, systemd units, config files, disk-mount and secret-fetch scripts, and cloud-init from an address map. Creates zero cloud resources. Flags verified against the weed binary: volume uses -mserver for the master list, gRPC is -port.grpc (auto http+10000), minFreeSpacePercent is a string, filer store via -defaultStoreDir. * terraform: add mTLS and JWT security module Generates the CA, per-component certs with distinct CNs, and JWT signing keys via the tls/random providers. Emits a core_security object plus PEMs for secret-store delivery. * terraform: add AWS deployment module and examples Reserves stable ENIs first, renders config via the core, then creates instances, prevent_destroy EBS data disks mounted at /data, and the cluster security group. With enable_security, generates certs/JWT, stores them in SSM SecureString, grants an instance role, and fetches them at boot so secrets stay out of user_data. Keyed for_each on every stateful tier. * terraform: add local cluster test harnesses run_local_cluster.sh and run_local_secure.sh render a cluster with the core and run real weed processes, asserting master quorum, volume registration, filer/s3 round-trips, mutual-TLS formation, and JWT enforcement. Use an isolated high port range with a guard so they never touch a cluster already running on the machine. The weed binary defaults to $(go env GOPATH)/bin/weed. * terraform: add CI workflow and README fmt/validate/tofu-test plus smoke jobs that build weed and run both harnesses. * terraform: guard against empty filesystem UUID in mount script An empty UUID made grep -q match any fstab line, skipping the fstab entry and breaking the mount. Fail fast when blkid returns no UUID. * terraform: sanitize cluster name in WEED_CLUSTER env keys Hyphens or spaces in cluster_name produced invalid systemd/bash env var names; map non-alphanumerics to underscores. * terraform: omit empty jwt.signing block from security.toml With enable_security and no JWT key, the template emitted [jwt.signing] key="". Gate the block on a non-empty key and cover it with a test. * terraform: mark core security input as sensitive The security object carries JWT signing keys; keep them out of plan output and known values. * terraform: enforce jwt_length minimum of 32 * terraform: note region/AZ coupling in HA example * terraform: guard WORKDIR before recursive delete in test harnesses * terraform: fix README fence language and test count * terraform: handle embedded s3 with no filer nodes Indexing sort(keys(var.filers))[0] errored at plan time when embedded S3 was enabled but no filers were defined; fall back to an empty config source. * terraform: scope kms:Decrypt to a configurable key arn Replace the hardcoded Resource="*" with a kms_key_arn variable (default "*") so production can restrict decrypt to a specific CMK. * terraform: encrypt EBS data volumes at rest Set encrypted = true on the volume/filer data disks and the all-in-one example disk. * terraform: protect filer instances from API termination Filers hold the leveldb2 metadata store, so they are stateful and get the same disable_api_termination as masters and volumes. * terraform: stop instance before detaching in all-in-one example * terraform: drop stale references to the removed plan doc * terraform: correct stale mount-step comment in aws module * terraform: mark Terraform support as experimental in README
172 lines
5.1 KiB
Terraform
172 lines
5.1 KiB
Terraform
# =============================================================================
|
|
# terraform-aws-seaweedfs - thin AWS wrapper around the cloud-agnostic core.
|
|
#
|
|
# Reserves stable per-node addressing (ENIs with fixed private IPs) FIRST, feeds
|
|
# that address map to the core to render cloud-init, then creates instances and
|
|
# protected EBS data disks. All tiers are keyed for_each (never count), so a
|
|
# middle node can be replaced without reindexing its peers/disks.
|
|
# =============================================================================
|
|
|
|
variable "name" {
|
|
description = "Name prefix for all resources."
|
|
type = string
|
|
default = "seaweedfs"
|
|
}
|
|
|
|
variable "vpc_id" {
|
|
description = "VPC to deploy into."
|
|
type = string
|
|
}
|
|
|
|
variable "ami_id" {
|
|
description = "AMI with the weed binary installed (e.g. baked with Packer)."
|
|
type = string
|
|
}
|
|
|
|
variable "weed_binary" {
|
|
description = "Path to weed on the AMI."
|
|
type = string
|
|
default = "/usr/bin/weed"
|
|
}
|
|
|
|
variable "key_name" {
|
|
description = "EC2 key pair for SSH (optional)."
|
|
type = string
|
|
default = null
|
|
}
|
|
|
|
variable "monitoring_enabled" {
|
|
description = "Bind metrics ports and pass them through to the core."
|
|
type = bool
|
|
default = false
|
|
}
|
|
|
|
variable "enable_security" {
|
|
description = "Enable mTLS (security.toml). Cert material must be supplied via the security variable / secret store."
|
|
type = bool
|
|
default = false
|
|
}
|
|
|
|
variable "security" {
|
|
description = "Passed through to the core security variable when enable_security=false. When enable_security=true this is ignored and certs/JWT are generated by the security submodule."
|
|
type = any
|
|
default = {}
|
|
}
|
|
|
|
variable "internal_domain" {
|
|
description = "Internal domain for generated component cert CNs / peer-auth wildcard (enable_security=true)."
|
|
type = string
|
|
default = "seaweedfs.internal"
|
|
}
|
|
|
|
variable "cert_dir" {
|
|
description = "On-host directory where certs are fetched/placed."
|
|
type = string
|
|
default = "/usr/local/share/ca-certificates"
|
|
}
|
|
|
|
variable "kms_key_arn" {
|
|
description = "KMS key ARN the instance role may use to decrypt SSM SecureStrings. Defaults to \"*\" (the SSM default key); set to a specific CMK ARN in production."
|
|
type = string
|
|
default = "*"
|
|
}
|
|
|
|
variable "termination_protection" {
|
|
description = "Set disable_api_termination on stateful instances (masters, volumes)."
|
|
type = bool
|
|
default = true
|
|
}
|
|
|
|
# ---- stateful tiers: keyed node maps ---------------------------------------
|
|
variable "masters" {
|
|
description = "Master nodes keyed by stable id (m0/m1/m2). Quorum size must be odd."
|
|
type = map(object({
|
|
subnet_id = string
|
|
private_ip = string
|
|
instance_type = optional(string, "t3.medium")
|
|
}))
|
|
validation {
|
|
condition = length(var.masters) % 2 == 1
|
|
error_message = "Master quorum must be an odd number of nodes (1, 3, 5)."
|
|
}
|
|
}
|
|
|
|
variable "volumes" {
|
|
description = "Volume nodes keyed by stable id. Each owns one protected EBS data disk."
|
|
type = map(object({
|
|
subnet_id = string
|
|
availability_zone = string
|
|
private_ip = string
|
|
instance_type = optional(string, "m5.large")
|
|
rack = optional(string)
|
|
data_center = optional(string)
|
|
data_volume_size_gb = optional(number, 100)
|
|
data_volume_type = optional(string, "gp3")
|
|
data_volume_iops = optional(number, null)
|
|
}))
|
|
default = {}
|
|
}
|
|
|
|
variable "filers" {
|
|
description = "Filer nodes keyed by stable id. Each owns a protected EBS disk for its leveldb2 store."
|
|
type = map(object({
|
|
subnet_id = string
|
|
availability_zone = string
|
|
private_ip = string
|
|
instance_type = optional(string, "t3.medium")
|
|
data_volume_size_gb = optional(number, 50)
|
|
}))
|
|
default = {}
|
|
}
|
|
|
|
variable "s3_nodes" {
|
|
description = "Standalone S3 gateway nodes keyed by stable id (stateless)."
|
|
type = map(object({
|
|
subnet_id = string
|
|
private_ip = string
|
|
instance_type = optional(string, "t3.medium")
|
|
}))
|
|
default = {}
|
|
}
|
|
|
|
variable "embedded_s3" {
|
|
description = "Embed the S3 gateway in the filer instead of standalone nodes."
|
|
type = object({
|
|
enabled = optional(bool, false)
|
|
port = optional(number, 8333)
|
|
domain_name = optional(string, "")
|
|
})
|
|
default = {}
|
|
}
|
|
|
|
variable "s3_identities" {
|
|
description = "Non-admin S3 identities for the gateway config (admin key goes via EnvironmentFile)."
|
|
type = list(object({
|
|
name = string
|
|
access_key = string
|
|
secret_key = string
|
|
actions = list(string)
|
|
}))
|
|
default = []
|
|
sensitive = true
|
|
}
|
|
|
|
# ---- networking ------------------------------------------------------------
|
|
variable "client_ingress_cidrs" {
|
|
description = "CIDRs allowed to reach the client-facing S3 (8333) and filer (8888) ports."
|
|
type = list(string)
|
|
default = []
|
|
}
|
|
|
|
variable "ssh_ingress_cidrs" {
|
|
description = "CIDRs allowed SSH (22)."
|
|
type = list(string)
|
|
default = []
|
|
}
|
|
|
|
variable "tags" {
|
|
description = "Extra tags applied to all resources."
|
|
type = map(string)
|
|
default = {}
|
|
}
|