diff --git a/tf/environments/dev/.terraform.lock.hcl b/tf/environments/dev/.terraform.lock.hcl index 036d2518..cb0159a0 100644 --- a/tf/environments/dev/.terraform.lock.hcl +++ b/tf/environments/dev/.terraform.lock.hcl @@ -1,6 +1,30 @@ # This file is maintained automatically by "terraform init". # Manual edits may be lost in future updates. +provider "registry.terraform.io/digitalocean/digitalocean" { + version = "2.40.0" + constraints = "~> 2.0" + hashes = [ + "h1:71yfpCVVq+OoNzl7SX/7ObnFUQeZL4vHOOalLzEZ4U0=", + "zh:00235830abae70642ebefc4d9c00e5eb978e28b74abc6b34f16b078f242aa217", + "zh:09d77785f768bd568f85a121d3d79316083befe903ce4ccd5567689a23236fb0", + "zh:0c9c4e19b411702d316a6bd044903e2ec506a69d38495ed32cc31e3f3f26acae", + "zh:12b34c88faad5b6149e9a3ad1396680588e1bae263b20d6b19835460f111c190", + "zh:15f041fc57ea46673a828919efe2ef3f05f7c4b863b7d7881336b93e92bd1159", + "zh:45e01972de2fab1687a09ea8fb3e4519be11c93ef93a63f28665630850858a20", + "zh:4e18bf5c1d2ec1ec6b6a9f4b58045309006f510edf770168fc18e273e6a09289", + "zh:575528b7e36e3489d2309e0c6cb9bd9952595cac5459b914f2d2827de1a1e4fc", + "zh:67462192212f810875d556462c79f574a8f5713b7a869ba4fce25953bfcf2dd2", + "zh:7024637b31e8276b653265fdf3f479220182edde4b300b034562b4c287faefa5", + "zh:a7904721b2680be8330dde98dd826be15c67eb274da7876f042cbcd6592ac970", + "zh:b225d4b67037a19392b0ab00d1f5fc9e729db4dfc32d18d4b36225693270ef52", + "zh:bd1e8768819d6113b2ec16f939196a1f2ae6d2803824fde463a20d06e071b212", + "zh:c5da40dc0749548ee2e1943776fb41b952c994e50bbc404251df20a81f730242", + "zh:dabc3387392aaba297739e1e97fadf059258fc3efb4dff2f499dbc407b6e088d", + "zh:f42137cf424c3e7c9c935b3f73618e51096bd0367a8d364073e2d70588d2cbf2", + ] +} + provider "registry.terraform.io/hashicorp/aws" { version = "5.40.0" constraints = ">= 4.9.0, >= 4.66.1" 
@@ -25,6 +49,25 @@ provider "registry.terraform.io/hashicorp/aws" { ] } +provider "registry.terraform.io/hashicorp/cloudinit" { + version = "2.3.4" + hashes = [ + "h1:S3j8poSaLbaftlKq2STBkQEkZH253ZLaHhBHBifdpBQ=", + "zh:09f1f1e1d232da96fbf9513b0fb5263bc2fe9bee85697aa15d40bb93835efbeb", + "zh:381e74b90d7a038c3a8dcdcc2ce8c72d6b86da9f208a27f4b98cabe1a1032773", + "zh:398eb321949e28c4c5f7c52e9b1f922a10d0b2b073b7db04cb69318d24ffc5a9", + "zh:4a425679614a8f0fe440845828794e609b35af17db59134c4f9e56d61e979813", + "zh:4d955d8608ece4984c9f1dacda2a59fdb4ea6b0243872f049b388181aab8c80a", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:a48fbee1d58d55a1f4c92c2f38c83a37c8b2f2701ed1a3c926cefb0801fa446a", + "zh:b748fe6631b16a1dafd35a09377c3bffa89552af584cf95f47568b6cd31fc241", + "zh:d4b931f7a54603fa4692a2ec6e498b95464babd2be072bed5c7c2e140a280d99", + "zh:f1c9337fcfe3a7be39d179eb7986c22a979cfb2c587c05f1b3b83064f41785c5", + "zh:f58fc57edd1ee3250a28943cd84de3e4b744cdb52df0356a53403fc240240636", + "zh:f5f50de0923ff530b03e1bca0ac697534d61bb3e5fc7f60e13becb62229097a9", + ] +} + provider "registry.terraform.io/hashicorp/local" { version = "2.4.1" constraints = ">= 2.0.0" diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf index 3503a015..f0eaf77f 100644 --- a/tf/environments/dev/main.tf +++ b/tf/environments/dev/main.tf @@ -263,8 +263,12 @@ module "ooni_th_droplet" { module "ooni_backendproxy" { source = "../../modules/ooni_backendproxy" - vpc_id = module.network.vpc_id - subnet_ids = module.network.vpc_subnet_public[*].id + stage = local.environment + + vpc_id = module.network.vpc_id + subnet_id = module.network.vpc_subnet_public[0].id + private_subnet_cidr = module.network.vpc_subnet_private[*].cidr_block + dns_zone_ooni_io = local.dns_zone_ooni_io key_name = module.adm_iam_roles.oonidevops_key_name instance_type = "t2.micro" 
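Review bot: `private_subnet_cidr` is fed the whole splat `module.network.vpc_subnet_private[*].cidr_block`, i.e. a list, while the module variable it lands in is named in the singular and described as "the cidr block of the private subnet"; the module's security-group rule does consume it as a list, so the call works, but the name misleads the next reader. Suggest `private_subnet_cidrs = module.network.vpc_subnet_private[*].cidr_block` with the matching rename in the module's variables.tf. `subnet_id = module.network.vpc_subnet_public[0].id` also pins the proxy to the first public subnet only; a one-line comment saying this is now a single-AZ host would save someone from looking for the missing second subnet. What `module.network` exposes is outside this diff, so the list shape is inferred from the splat, and the `module "ooni_backendproxy"` block continues into the next hunk.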
@@ -272,7 +276,9 @@ module "ooni_backendproxy" { backend_url = "https://backend-hel.ooni.org/" wcth_addresses = module.ooni_th_droplet.droplet_ipv4_address wcth_domain_suffix = "th.ooni.dev.io" - + clickhouse_url = "backend-fsn.ooni.org" + clickhouse_port = "9000" + tags = merge( local.tags, { Name = "ooni-tier0-backendproxy" } diff --git a/tf/modules/ooni_backendproxy/main.tf b/tf/modules/ooni_backendproxy/main.tf index f93473a8..6703270e 100644 --- a/tf/modules/ooni_backendproxy/main.tf +++ b/tf/modules/ooni_backendproxy/main.tf @@ -24,6 +24,13 @@ resource "aws_security_group" "nginx_sg" { cidr_blocks = ["0.0.0.0/0"] } + ingress { + protocol = "tcp" + from_port = 9000 + to_port = 9000 + cidr_blocks = var.private_subnet_cidr + } + egress { from_port = 0 to_port = 0 @@ -57,7 +64,9 @@ data "cloudinit_config" "ooni_backendproxy" { content = templatefile("${path.module}/templates/cloud-init.yml", { wcth_addresses = var.wcth_addresses, wcth_domain_suffix = var.wcth_domain_suffix, - backend_url = var.backend_url + backend_url = var.backend_url, + clickhouse_url = var.clickhouse_url, + clickhouse_port = var.clickhouse_port }) } @@ -78,6 +87,7 @@ resource "aws_launch_template" "ooni_backendproxy" { network_interfaces { delete_on_termination = true associate_public_ip_address = true + subnet_id = var.subnet_id security_groups = [ aws_security_group.nginx_sg.id, ] @@ -89,7 +99,7 @@ resource "aws_launch_template" "ooni_backendproxy" { } } -resource "aws_autoscaling_group" "oonibackend_proxy" { +resource "aws_instance" "oonibackend_proxy" { launch_template { id = aws_launch_template.ooni_backendproxy.id version = "$Latest" 
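Review bot: The new 9000/tcp ingress rule in `aws_security_group.nginx_sg` carries no comment saying what it admits, and the port number is duplicated between this rule and `listen 9000;` in templates/cloud-init.yml while `var.clickhouse_port` only sets the upstream port, so a reader could change the variable and expect this rule to follow. Suggest a comment above the block: `# ClickHouse native-protocol proxy (nginx stream block in templates/cloud-init.yml); the listen port is fixed at 9000 here and in the template, var.clickhouse_port is the upstream port only, and only the private subnets may reach it`. `var.private_subnet_cidr` is declared without a type in variables.tf although `cidr_blocks` needs a list; `type = list(string)` there would turn a single-string caller into a clear plan-time error. The `nginx_sg` resource starts before this hunk.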
@@ -99,19 +109,7 @@ resource "aws_autoscaling_group" "oonibackend_proxy" { create_before_destroy = true } - name_prefix = "${var.name}-asg-" - - min_size = 1 - max_size = 2 - desired_capacity = 1 - vpc_zone_identifier = var.subnet_ids - - instance_refresh { - strategy = "Rolling" - preferences { - min_healthy_percentage = 50 - } - } + tags = var.tags } resource "aws_alb_target_group" "oonibackend_proxy" { @@ -127,7 +125,18 @@ resource "aws_alb_target_group" "oonibackend_proxy" { tags = var.tags } -resource "aws_autoscaling_attachment" "oonibackend_proxy" { - autoscaling_group_name = aws_autoscaling_group.oonibackend_proxy.id - lb_target_group_arn = aws_alb_target_group.oonibackend_proxy.arn +resource "aws_lb_target_group_attachment" "oonibackend_proxy" { + target_id = aws_instance.oonibackend_proxy.id + target_group_arn = aws_alb_target_group.oonibackend_proxy.arn +} + +resource "aws_route53_record" "clickhouse_proxy_alias" { + zone_id = var.dns_zone_ooni_io + name = "clickhouse.${var.stage}.ooni.io" + type = "CNAME" + ttl = 300 + + records = [ + aws_instance.oonibackend_proxy.public_dns + ] } diff --git a/tf/modules/ooni_backendproxy/outputs.tf b/tf/modules/ooni_backendproxy/outputs.tf index 54295fae..792e6958 100644 --- a/tf/modules/ooni_backendproxy/outputs.tf +++ b/tf/modules/ooni_backendproxy/outputs.tf @@ -1,6 +1,7 @@ -output "autoscaling_group_id" { - value = aws_autoscaling_group.oonibackend_proxy.id +output "aws_instance_id" { + value = aws_instance.oonibackend_proxy.id } + output "alb_target_group_id" { value = aws_alb_target_group.oonibackend_proxy.id } diff --git a/tf/modules/ooni_backendproxy/templates/cloud-init.yml b/tf/modules/ooni_backendproxy/templates/cloud-init.yml index 9004eb6e..dc5a027a 100644 --- a/tf/modules/ooni_backendproxy/templates/cloud-init.yml +++ b/tf/modules/ooni_backendproxy/templates/cloud-init.yml 
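Review bot: Nothing in the module records why the autoscaling group was replaced by a single `aws_instance`, and the instance keeps `lifecycle { create_before_destroy = true }` from the ASG days, so a future maintainer may "fix" either the missing self-healing or the lifecycle setting without knowing the intent. Suggest a comment on the resource along the lines of `# single instance (no ASG): presumably a stable host for the clickhouse CNAME below; there is no automatic replacement if the instance fails, only ALB health checks` — the rationale is a guess and should be confirmed with the author. The `resource "aws_instance" "oonibackend_proxy"` block starts in the previous hunk.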
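Review bot: `aws_route53_record.clickhouse_proxy_alias` points a public name at `aws_instance.oonibackend_proxy.public_dns`, and the only thing keeping that database port off the internet is the 9000/tcp security-group rule limited to the private subnet CIDRs; that dependency is worth stating next to the record, e.g. `# public name, but tcp/9000 is admitted only from var.private_subnet_cidr (see nginx_sg); within the VPC the EC2 public hostname resolves to the private address, which is what lets the CIDR rule match`. `public_dns` is empty when the VPC does not have DNS hostnames enabled, which would make this record fail at apply, and with no Elastic IP the hostname changes on every instance replacement, so clients see the old target for up to `ttl = 300` after each replacement. Whether the network module enables DNS hostnames is not visible in this diff.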
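Review bot: Renaming the output from `autoscaling_group_id` to `aws_instance_id` drops a module output without any consumer being updated in this diff, so any `module.ooni_backendproxy.autoscaling_group_id` reference in the environments would now fail at plan. If nothing references it this is fine; otherwise the consumers need the same rename in this commit. Whether such references exist is not visible here.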
@@ -37,5 +37,21 @@ write_files: error_log /var/log/nginx/error.log; } + - path: /etc/nginx/modules-enabled/stream.conf + content: | + stream { + upstream clickhouse_backend { + server ${clickhouse_url}:${clickhouse_port}; + } + + server { + listen 9000; + + proxy_pass clickhouse_backend; + } + + error_log /var/log/nginx/error.log; + } + runcmd: - service nginx restart diff --git a/tf/modules/ooni_backendproxy/variables.tf b/tf/modules/ooni_backendproxy/variables.tf index 231a0953..870b547c 100644 --- a/tf/modules/ooni_backendproxy/variables.tf +++ b/tf/modules/ooni_backendproxy/variables.tf @@ -2,11 +2,15 @@ variable "vpc_id" { description = "the id of the VPC to deploy the instance into" } -variable "subnet_ids" { - description = "the ids of the subnet of the subnets to deploy the instance into" +variable "subnet_id" { + description = "the ids of the subnet to deploy the instance into" } -variable "tags" { +variable "private_subnet_cidr" { + description = "the cidr block of the private subnet to allow traffic from for the clickhouse proxy" +} + + variable "tags" { description = "tags to apply to the resources" default = {} type = map(string) @@ -41,3 +45,20 @@ variable "wcth_domain_suffix" { default = "th.ooni.org" description = "domain suffix to filter web connectivity test helper requests (eg. th.ooni.org)" } + +variable "stage" { + default = "one of dev, stage, test, prod" +} + +variable "dns_zone_ooni_io" { + description = "id of the DNS zone for ooni_io" +} + +variable "clickhouse_url" { + description = "clickhouse url to proxy requests to" + default = "backend-fsn.ooni.org" +} + +variable "clickhouse_port" { + description = "clickhouse port for the backend" +}
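Review bot: The stream block forwards the ClickHouse native protocol in the clear: `proxy_pass clickhouse_backend;` has no `proxy_ssl on;`, and 9000 is ClickHouse's plaintext native port (9440 is the TLS one), so unless `${clickhouse_url}` is something other than a default ClickHouse listener, credentials and query traffic between this proxy and the backend cross the public internet unencrypted. If the backend exposes its TLS native port, `proxy_ssl on;` in the `server` block with `${clickhouse_port}` set to that port closes the gap; otherwise the plaintext hop should at least be documented next to `proxy_pass`. `listen 9000;` binds every interface including the public address, so a comment `# reachable only from the private subnets via the security group; nginx itself does not restrict clients` would record the control this relies on. The file lands in `/etc/nginx/modules-enabled/`, which only works if that directory is included at main context and `ngx_stream_module` is available in the installed build; if it is not, `service nginx restart` in `runcmd` fails and takes the existing HTTP proxy down with it, so running `nginx -t` before the restart would make that failure visible.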
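Review bot: `variable "private_subnet_cidr"` is declared without a `type` although the module passes it to `cidr_blocks` and the dev environment supplies a splat list; add `type = list(string)` so a caller passing a single CIDR string fails at plan time with a clear message, and consider the plural name `private_subnet_cidrs`. The `subnet_id` description still reads "the ids of the subnet" from the old plural variable and should say "the id of the subnet to deploy the instance into". The re-added ` variable "tags" {` line carries a stray leading space that `terraform fmt` would remove.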
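Review bot: `variable "stage"` puts the allowed-values text in `default` instead of `description`, so a caller that omits `stage` gets the literal string "one of dev, stage, test, prod" interpolated into `clickhouse.${var.stage}.ooni.io` and an invalid record name. Move the text to `description`, drop the default, and enforce the set with a `validation` block so the mistake is caught at plan time. `clickhouse_port` has no default while `clickhouse_url` does, and `clickhouse_url` holds a bare hostname rather than a URL, so a description like "clickhouse hostname to proxy requests to" would match what the template does with it.
```hcl
variable "stage" {
  description = "deployment stage: one of dev, stage, test, prod"

  validation {
    condition     = contains(["dev", "stage", "test", "prod"], var.stage)
    error_message = "The stage must be one of dev, stage, test, prod."
  }
}
# … unchanged: dns_zone_ooni_io, clickhouse_url, clickhouse_port …
```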