diff --git a/mongo/mongo.tf b/mongo/mongo.tf
new file mode 100644
index 0000000..49f618a
--- /dev/null
+++ b/mongo/mongo.tf
@@ -0,0 +1,126 @@
+locals {
+ app_slug = (var.component == var.instance || var.component=="") ? var.instance : format("%s-%s", var.component, var.instance)
+ mongo-password = data.kubernetes_secret_v1.prj_mongo_secret.data["password"]
+ username = var.username==""?var.component==""?var.instance:var.component:var.username
+ db_name = var.db_name==""?var.component==""?var.instance:var.component:var.db_name
+ mongo-labels = merge(local.labels, {
+ "app.kubernetes.io/component" = "mongo"
+ })
+}
+resource "kubectl_manifest" "prj_mongo_secret" {
+ ignore_fields = ["metadata.annotations"]
+ yaml_body = <<-EOF
+ apiVersion: "secretgenerator.mittwald.de/v1alpha1"
+ kind: "StringSecret"
+ metadata:
+ name: "${local.app_slug}-mongo"
+ namespace: "${var.namespace}"
+ labels: ${jsonencode(local.mongo-labels)}
+ spec:
+ forceRegenerate: false
+ fields:
+ - fieldName: "password"
+ length: "16"
+ EOF
+}
+data "kubernetes_secret_v1" "prj_mongo_secret" {
+ depends_on = [ kubectl_manifest.prj_mongo_secret ]
+ metadata {
+ name = "${local.app_slug}-mongo"
+ namespace = var.namespace
+ }
+}
+resource "kubectl_manifest" "prj_mongo" {
+ yaml_body = <<-EOF
+ apiVersion: mongodbcommunity.mongodb.com/v1
+ kind: MongoDBCommunity
+ metadata:
+ name: "${local.app_slug}-mongo"
+ namespace: "${var.namespace}"
+ labels: ${jsonencode(local.mongo-labels)}
+ spec:
+ members: 1
+ type: ReplicaSet
+ version: "7.0.2"
+ statefulSet:
+ spec:
+ template:
+ metadata:
+ annotations:
+ "k8up.io/backupcommand": "sh -c 'mongodump --username=$MONGODB_USER --password=$MONGODB_PASSWORD mongodb://localhost/$MONGODB_NAME --archive'"
+ "k8up.io/file-extension": ".archive"
+ spec:
+ containers:
+ - name: mongod
+ imagePullPolicy: "${var.pullPolicy}"
+ resources: ${jsonencode(var.resources)}
+ env:
+ - name: MONGODB_NAME
+ value: ${local.db_name}
+ - name: MONGODB_USER
+ value: ${local.username}
+ - name: MONGODB_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${local.app_slug}-mongo"
+ key: password
+ security:
+ authentication:
+ modes: ["SCRAM"]
+ additionalMongodConfig:
+ storage.wiredTiger.engineConfig.cacheSizeGB: 1
+ users:
+ - name: ${local.username}
+ db: ${local.db_name}
+ passwordSecretRef:
+ name: "${local.app_slug}-mongo"
+ roles:
+ - db: ${local.db_name}
+ name: readWrite
+ scramCredentialsSecretName: "${local.app_slug}-mongo-scram"
+ EOF
+}
+resource "kubectl_manifest" "prj_mongo_sa" {
+ yaml_body = <<-EOF
+ apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: "mongodb-database"
+ namespace: "${var.namespace}"
+ labels: ${jsonencode(local.mongo-labels)}
+ EOF
+}
+resource "kubectl_manifest" "prj_mongo_role" {
+ yaml_body = <<-EOF
+ apiVersion: rbac.authorization.k8s.io/v1
+ kind: Role
+ metadata:
+ name: "mongodb-database"
+ namespace: "${var.namespace}"
+ labels: ${jsonencode(local.mongo-labels)}
+ rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get"]
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["patch", "delete", "get"]
+ EOF
+}
+resource "kubectl_manifest" "prj_mongo_rb" {
+ yaml_body = <<-EOF
+ apiVersion: rbac.authorization.k8s.io/v1
+ kind: RoleBinding
+ metadata:
+ name: "mongodb-database"
+ namespace: "${var.namespace}"
+ labels: ${jsonencode(local.mongo-labels)}
+ subjects:
+ - kind: ServiceAccount
+ name: mongodb-database
+ roleRef:
+ kind: Role
+ name: mongodb-database
+ apiGroup: rbac.authorization.k8s.io
+ EOF
+}
diff --git a/mongo/outputs.tf b/mongo/outputs.tf
new file mode 100644
index 0000000..db5158e
--- /dev/null
+++ b/mongo/outputs.tf
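Review bot: The MongoDBCommunity spec hardcodes `type: ReplicaSet` and `version: "7.0.2"` although variables.tf in this same commit declares `type` (default ReplicaSet) and a version input (default 6.3.2) that nothing reads, so whatever a caller sets is silently ignored; either wire them in (`type: ${var.type}`, and the version once its input has a non-reserved name, see the variables.tf note) or drop the two inputs. The k8up backup annotation passes the credential as `--password=$MONGODB_PASSWORD` on mongodump's command line, where it is readable in the container's process list for the duration of each dump; a mongodump `--config` file holding the password, or at least a comment acknowledging the exposure, would be preferable. The ServiceAccount, Role and RoleBinding are all named a fixed `mongodb-database` rather than derived from `${local.app_slug}`, so two instances of this module in one namespace would contend for the same objects; if that fixed name is what the operator expects, a comment saying so would save the next reader the question. Lastly, `storage.wiredTiger.engineConfig.cacheSizeGB: 1` sits just under the default 1100M memory limit in variables.tf, which presumably leaves little headroom for the rest of mongod and is worth confirming.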
@@ -0,0 +1,21 @@
+output "url" {
+ value = "mongodb://${local.username}:${local.mongo-password}@${local.app_slug}-mongo-svc.${var.namespace}.svc:27017/${local.db_name}"
+}
+output "service" {
+ value = "${local.app_slug}-mongo-svc.${var.namespace}.svc"
+}
+output "password" {
+ value = local.mongo-password
+}
+output "username" {
+ value = local.username
+}
+output "db_name" {
+ value = local.db_name
+}
+output "secret" {
+ value = {
+ name = "${local.app_slug}-mongo"
+ key = "password"
+ }
+}
diff --git a/mongo/providers.tf b/mongo/providers.tf
new file mode 100644
index 0000000..45aaada
--- /dev/null
+++ b/mongo/providers.tf
@@ -0,0 +1,8 @@
+terraform {
+ required_providers {
+ kubectl = {
+ source = "gavinbunney/kubectl"
+ version = "~> 1.14.0"
+ }
+ }
+}
diff --git a/mongo/variables.tf b/mongo/variables.tf
new file mode 100644
index 0000000..50ad5f6
--- /dev/null
+++ b/mongo/variables.tf
@@ -0,0 +1,55 @@
+variable "component" {
+ type = string
+}
+variable "instance" {
+ type = string
+}
+variable "namespace" {
+ type = string
+}
+variable "labels" {
+ type = map(string)
+}
+variable "db_name" {
+ type = string
+ default = ""
+}
+variable "username" {
+ type = string
+ default = ""
+}
+variable "version" {
+ type = string
+ default = "6.3.2"
+}
+variable "type" {
+ type = string
+ default = "ReplicaSet"
+}
+variable "pullPolicy" {
+ type = string
+ default = "IfNotPresent"
+}
+variable "resources" {
+ type = object({
+ limits = optional(object({
+ cpu = string
+ memory = string
+ }))
+ requests = optional(object({
+ cpu = string
+ memory = string
+ }))
+ })
+ default = {
+ limits = {
+ cpu = "1"
+ memory = "1100M"
+ }
+ requests = {
+ cpu = "0.3"
+ memory = "400M"
+ }
+ }
+
+}
\ No newline at end of file
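Review bot: `output "url"` and `output "password"` expose the generated password without `sensitive = true`; the kubernetes provider marks the secret data source's `data` attribute as sensitive, so Terraform should reject these outputs with "Output refers to sensitive values" until they are marked, and once marked the value still lands in state but is no longer echoed on apply or in CI logs. Add `sensitive = true` to both output blocks. The `url` value additionally embeds the password in a string that downstream modules are likely to interpolate into logs or manifests, so consumers should be steered toward the `secret` output (name and key) where they can mount it instead.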
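Review bot: `required_providers` declares only `gavinbunney/kubectl`, while mongo.tf in this commit also uses the `kubernetes_secret_v1` data source from `hashicorp/kubernetes`, which is therefore resolved implicitly with no version constraint; add an entry such as `kubernetes = { source = "hashicorp/kubernetes", version = "<pinned range>" }`. variables.tf relies on `optional()` inside an object type, which needs Terraform 1.3 or newer, so a `required_version = ">= 1.3"` line in this `terraform` block would make that requirement explicit rather than discovered at init time.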
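Review bot: `variable "version"` uses a name Terraform reserves for input variables (alongside source, providers, count, for_each, lifecycle, depends_on and locals), so validation will reject this file as written; rename it, e.g. `variable "mongo_version"`, and reference it as `${var.mongo_version}` in mongo.tf, which currently hardcodes "7.0.2" while this default says "6.3.2". `variable "type"` is a valid name but is likewise never read by mongo.tf, which hardcodes `type: ReplicaSet`. The `resources` type uses `optional()`, which requires Terraform 1.3+, and that constraint is not declared anywhere in the commit.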