region_name = data.terraform_remote_state.vpc.outputs.region_name
cluster_name = data.terraform_remote_state.vpc.outputs.cluster_name
use_external_db = data.terraform_remote_state.data-storage.outputs.use_external_db
+ private_only = data.terraform_remote_state.vpc.outputs.private_only
public_ip = data.terraform_remote_state.vpc.outputs.public_ip
private_ip = data.terraform_remote_state.vpc.outputs.private_ip
pubkey_path = pathexpand(var.pubkey_path)
- pubkey_name = "arvados-deployer-key"
+ pubkey_name = "${local.cluster_name}-arvados-deployer-key"
public_hosts = data.terraform_remote_state.vpc.outputs.public_hosts
private_hosts = data.terraform_remote_state.vpc.outputs.private_hosts
+ user_facing_hosts = data.terraform_remote_state.vpc.outputs.user_facing_hosts
+ internal_service_hosts = data.terraform_remote_state.vpc.outputs.internal_service_hosts
ssl_password_secret_name = "${local.cluster_name}-${var.ssl_password_secret_name_suffix}"
}
resource "aws_secretsmanager_secret" "ssl_password_secret" {
name = local.ssl_password_secret_name
+ recovery_window_in_days = 0
}
resource "aws_iam_instance_profile" "default_instance_profile" {
"hostname": each.value
})
private_ip = local.private_ip[each.value]
- subnet_id = contains(local.public_hosts, each.value) ? data.terraform_remote_state.vpc.outputs.public_subnet_id : data.terraform_remote_state.vpc.outputs.private_subnet_id
+ subnet_id = contains(local.user_facing_hosts, each.value) ? data.terraform_remote_state.vpc.outputs.public_subnet_id : data.terraform_remote_state.vpc.outputs.private_subnet_id
vpc_security_group_ids = [ data.terraform_remote_state.vpc.outputs.arvados_sg_id ]
# This should be done in a more readable way
iam_instance_profile = each.value == "controller" ? aws_iam_instance_profile.dispatcher_instance_profile.name : length(regexall("^keep[0-9]+", each.value)) > 0 ? aws_iam_instance_profile.keepstore_instance_profile.name : aws_iam_instance_profile.default_instance_profile.name
}
resource "aws_eip_association" "eip_assoc" {
- for_each = toset(local.public_hosts)
+ for_each = local.private_only ? [] : toset(local.public_hosts)
instance_id = aws_instance.arvados_service[each.value].id
allocation_id = data.terraform_remote_state.vpc.outputs.eip_id[each.value]
}
ssh: "22",
}
availability_zone = data.aws_availability_zones.available.names[0]
- public_hosts = [ "controller", "workbench" ]
- private_hosts = [ "keep0", "shell" ]
+ route53_public_zone = one(aws_route53_zone.public_zone[*])
+ iam_user_letsencrypt = one(aws_iam_user.letsencrypt[*])
+ iam_access_key_letsencrypt = one(aws_iam_access_key.letsencrypt[*])
+ public_hosts = var.private_only ? [] : var.user_facing_hosts
+ private_hosts = concat(
+ var.internal_service_hosts,
+ var.private_only ? var.user_facing_hosts : []
+ )
arvados_dns_zone = "${var.cluster_name}.${var.domain_name}"
- public_ip = { for k, v in aws_eip.arvados_eip: k => v.public_ip }
+ public_ip = {
+ for k, v in aws_eip.arvados_eip: k => v.public_ip
+ }
private_ip = {
"controller": "10.1.1.11",
"workbench": "10.1.1.15",
# PUBLIC DNS
resource "aws_route53_zone" "public_zone" {
+ count = var.private_only ? 0 : 1
name = local.arvados_dns_zone
}
resource "aws_route53_record" "public_a_record" {
- zone_id = aws_route53_zone.public_zone.id
+ zone_id = try(local.route53_public_zone.id, "")
for_each = local.public_ip
name = each.key
type = "A"
records = [ each.value ]
}
resource "aws_route53_record" "main_a_record" {
- zone_id = aws_route53_zone.public_zone.id
+ count = var.private_only ? 0 : 1
+ zone_id = try(local.route53_public_zone.id, "")
name = ""
type = "A"
ttl = 300
records = [ local.public_ip["controller"] ]
}
resource "aws_route53_record" "public_cname_record" {
- zone_id = aws_route53_zone.public_zone.id
- for_each = {for i in local.cname_by_host: i.record => "${i.cname}.${local.arvados_dns_zone}" }
+ zone_id = try(local.route53_public_zone.id, "")
+ for_each = {
+ for i in local.cname_by_host: i.record =>
+ "${i.cname}.${local.arvados_dns_zone}"
+ if var.private_only == false
+ }
name = each.key
type = "CNAME"
ttl = 300
# Route53's credentials for Let's Encrypt
#
resource "aws_iam_user" "letsencrypt" {
+ count = var.private_only ? 0 : 1
name = "${var.cluster_name}-letsencrypt"
path = "/"
}
resource "aws_iam_access_key" "letsencrypt" {
- user = aws_iam_user.letsencrypt.name
+ count = var.private_only ? 0 : 1
+ user = local.iam_user_letsencrypt.name
}
resource "aws_iam_user_policy" "letsencrypt_iam_policy" {
+ count = var.private_only ? 0 : 1
name = "${var.cluster_name}-letsencrypt_iam_policy"
- user = aws_iam_user.letsencrypt.name
+ user = local.iam_user_letsencrypt.name
policy = jsonencode({
"Version": "2012-10-17",
"Statement": [{
"route53:ChangeResourceRecordSets"
],
"Resource" : [
- "arn:aws:route53:::hostedzone/${aws_route53_zone.public_zone.id}"
+ "arn:aws:route53:::hostedzone/${local.route53_public_zone.id}"
]
}]
})
value = local.private_hosts
}
+output "user_facing_hosts" {
+ value = var.user_facing_hosts
+}
+
+output "internal_service_hosts" {
+ value = var.internal_service_hosts
+}
+
+output "private_only" {
+ value = var.private_only
+}
+
output "route53_dns_ns" {
- value = aws_route53_zone.public_zone.name_servers
+ value = try(local.route53_public_zone.name_servers, [])
}
output "letsencrypt_iam_access_key_id" {
- value = aws_iam_access_key.letsencrypt.id
+ value = try(local.iam_access_key_letsencrypt.id, "")
}
output "letsencrypt_iam_secret_access_key" {
- value = aws_iam_access_key.letsencrypt.secret
+ value = try(local.iam_access_key_letsencrypt.secret, "")
sensitive = true
}
region_name = "us-east-1"
# cluster_name = "xarv1"
# domain_name = "example.com"
+
+# Uncomment this to create an non-publicly accessible Arvados cluster
+# private_only = true
\ No newline at end of file
variable "domain_name" {
description = "The domain name under which your Arvados cluster will be hosted"
type = string
+}
+
+variable "private_only" {
+ description = "Don't create infrastructure reachable from the public Internet"
+ type = bool
+ default = false
+}
+
+variable "user_facing_hosts" {
+ description = "List of hostnames for nodes that hold user-accesible Arvados services"
+ type = list(string)
+ default = [ "controller", "workbench" ]
+}
+
+variable "internal_service_hosts" {
+ description = "List of hostnames for nodes that hold internal Arvados services"
+ type = list(string)
+ default = [ "keep0", "shell" ]
}
\ No newline at end of file