refactor: add clickhouse proxy config to oonibackend proxy

ooni · Sep 9, 2024 · 739e666 · 739e666
1 parent f4d84a5
commit 739e666
Show file tree

Hide file tree

Showing 6 changed files with 122 additions and 26 deletions.
diff --git a/tf/environments/dev/.terraform.lock.hcl b/tf/environments/dev/.terraform.lock.hcl
diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf
@@ -263,16 +263,22 @@ module "ooni_th_droplet" {
 module "ooni_backendproxy" {
   source = "../../modules/ooni_backendproxy"
 
-  vpc_id     = module.network.vpc_id
-  subnet_ids = module.network.vpc_subnet_public[*].id
+  stage = local.environment
+
+  vpc_id              = module.network.vpc_id
+  subnet_id           = module.network.vpc_subnet_public[0].id
+  private_subnet_cidr = module.network.vpc_subnet_private[*].cidr_block
+  dns_zone_ooni_io    = local.dns_zone_ooni_io
 
   key_name      = module.adm_iam_roles.oonidevops_key_name
   instance_type = "t2.micro"
 
   backend_url        = "https://backend-hel.ooni.org/"
   wcth_addresses     = module.ooni_th_droplet.droplet_ipv4_address
   wcth_domain_suffix = "th.ooni.dev.io"
-
+  clickhouse_url     = "backend-fsn.ooni.org"
+  clickhouse_port    = "9000"
+
   tags = merge(
     local.tags,
     { Name = "ooni-tier0-backendproxy" }

diff --git a/tf/modules/ooni_backendproxy/main.tf b/tf/modules/ooni_backendproxy/main.tf
@@ -24,6 +24,13 @@ resource "aws_security_group" "nginx_sg" {
     cidr_blocks = ["0.0.0.0/0"]
   }
 
+  ingress { 
+    protocol    = "tcp"
+    from_port   = 9000
+    to_port     = 9000
+    cidr_blocks = var.private_subnet_cidr
+  }
+
   egress {
     from_port = 0
     to_port   = 0
@@ -57,7 +64,9 @@ data "cloudinit_config" "ooni_backendproxy" {
     content = templatefile("${path.module}/templates/cloud-init.yml", {
       wcth_addresses     = var.wcth_addresses,
       wcth_domain_suffix = var.wcth_domain_suffix,
-      backend_url        = var.backend_url
+      backend_url        = var.backend_url,
+      clickhouse_url     = var.clickhouse_url,
+      clickhouse_port    = var.clickhouse_port
     })
   }
 
@@ -78,6 +87,7 @@ resource "aws_launch_template" "ooni_backendproxy" {
   network_interfaces {
     delete_on_termination       = true
     associate_public_ip_address = true
+    subnet_id                   = var.subnet_id
     security_groups = [
       aws_security_group.nginx_sg.id,
     ]
@@ -89,7 +99,7 @@ resource "aws_launch_template" "ooni_backendproxy" {
   }
 }
 
-resource "aws_autoscaling_group" "oonibackend_proxy" {
+resource "aws_instance" "oonibackend_proxy" {
   launch_template {
     id      = aws_launch_template.ooni_backendproxy.id
     version = "$Latest"
@@ -99,19 +109,7 @@ resource "aws_autoscaling_group" "oonibackend_proxy" {
     create_before_destroy = true
   }
 
-  name_prefix = "${var.name}-asg-"
-
-  min_size            = 1
-  max_size            = 2
-  desired_capacity    = 1
-  vpc_zone_identifier = var.subnet_ids
-
-  instance_refresh {
-    strategy = "Rolling"
-    preferences {
-      min_healthy_percentage = 50
-    }
-  }
+  tags = var.tags
 }
 
 resource "aws_alb_target_group" "oonibackend_proxy" {
@@ -127,7 +125,18 @@ resource "aws_alb_target_group" "oonibackend_proxy" {
   tags = var.tags
 }
 
-resource "aws_autoscaling_attachment" "oonibackend_proxy" {
-  autoscaling_group_name = aws_autoscaling_group.oonibackend_proxy.id
-  lb_target_group_arn    = aws_alb_target_group.oonibackend_proxy.arn
+resource "aws_lb_target_group_attachment" "oonibackend_proxy" {
+  target_id = aws_instance.oonibackend_proxy.id
+  target_group_arn    = aws_alb_target_group.oonibackend_proxy.arn
+}
+
+resource "aws_route53_record" "clickhouse_proxy_alias" {
+  zone_id = var.dns_zone_ooni_io
+  name    = "clickhouse.${var.stage}.ooni.io"
+  type    = "CNAME"
+  ttl     = 300
+
+  records = [
+    aws_instance.oonibackend_proxy.public_dns
+  ]
 }
diff --git a/tf/modules/ooni_backendproxy/outputs.tf b/tf/modules/ooni_backendproxy/outputs.tf
@@ -1,6 +1,7 @@
-output "autoscaling_group_id" {
-  value = aws_autoscaling_group.oonibackend_proxy.id
+output "aws_instance_id" {
+  value = aws_instance.oonibackend_proxy.id
 }
+
 output "alb_target_group_id" {
   value = aws_alb_target_group.oonibackend_proxy.id
 }
diff --git a/tf/modules/ooni_backendproxy/templates/cloud-init.yml b/tf/modules/ooni_backendproxy/templates/cloud-init.yml
@@ -37,5 +37,21 @@ write_files:
         error_log /var/log/nginx/error.log;
       }
 
+  - path: /etc/nginx/modules-enabled/stream.conf
+    content: |
+      stream {
+        upstream clickhouse_backend {
+          server ${clickhouse_url}:${clickhouse_port};
+        }
+      
+        server {
+          listen 9000;
+
+          proxy_pass clickhouse_backend; 
+        }
+
+        error_log /var/log/nginx/error.log;
+      }
+
 runcmd:
   - service nginx restart
diff --git a/tf/modules/ooni_backendproxy/variables.tf b/tf/modules/ooni_backendproxy/variables.tf
@@ -2,11 +2,15 @@ variable "vpc_id" {
   description = "the id of the VPC to deploy the instance into"
 }
 
-variable "subnet_ids" {
-  description = "the ids of the subnet of the subnets to deploy the instance into"
+variable "subnet_id" {
+  description = "the ids of the subnet to deploy the instance into"
 }
 
-variable "tags" {
+variable "private_subnet_cidr" {
+  description = "the cidr block of the private subnet to allow traffic from for the clickhouse proxy"
+}
+
+ variable "tags" {
   description = "tags to apply to the resources"
   default     = {}
   type        = map(string)
@@ -41,3 +45,20 @@ variable "wcth_domain_suffix" {
   default     = "th.ooni.org"
   description = "domain suffix to filter web connectivity test helper requests (eg. th.ooni.org)"
 }
+
+variable "stage" {
+  default = "one of dev, stage, test, prod"
+}
+
+variable "dns_zone_ooni_io" {
+  description = "id of the DNS zone for ooni_io"
+}
+
+variable "clickhouse_url" {
+  description = "clickhouse url to proxy requests to"
+  default = "backend-fsn.ooni.org" 
+}
+
+variable "clickhouse_port" {
+  description = "clickhouse port for the backend"
+}