feat: add clickhouse proxy instance

ooni · Sep 7, 2024 · 96dbb9e · 96dbb9e
1 parent 8edde89
commit 96dbb9e
Show file tree

Hide file tree

Showing 5 changed files with 199 additions and 0 deletions.
diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf
@@ -265,6 +265,30 @@ module "ooni_backendproxy" {
   )
 }
 
+### OONI clickhouse proxy
+
+module "ooni_clickhouse_proxy" {
+  source = "../../modules/clickhouse_proxy"
+
+  stage      = local.environment
+
+  vpc_id     = module.network.vpc_id
+  subnet_id = module.network.vpc_subnet_public[0].id
+  private_subnet_cidr = module.network.vpc_subnet_private[*].cidr_block 
+  dns_zone_ooni_io = local.dns_zone_ooni_io
+
+  key_name      = module.adm_iam_roles.oonidevops_key_name
+  instance_type = "t2.micro"
+
+  clickhouse_url = "backend-fsn.ooni.org"
+  clickhouse_port = "9000"
+
+  tags = merge(
+    local.tags,
+    { Name = "ooni-clickhouse-proxy" }
+  ) 
+}
+
 ### OONI Services Clusters
 
 module "ooniapi_cluster" {

diff --git a/tf/modules/clickhouse_proxy/main.tf b/tf/modules/clickhouse_proxy/main.tf
@@ -0,0 +1,104 @@
+data "aws_ssm_parameter" "ubuntu_22_ami" {
+  name = "/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id"
+}
+
+# Important note about security groups:
+# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group#recreating-a-security-group
+resource "aws_security_group" "ckprx_sg" {
+  description = "security group for nginx"
+  name_prefix = "ooni-clickhouse"
+
+  vpc_id = var.vpc_id
+
+  ingress {
+    protocol    = "tcp"
+    from_port   = 22
+    to_port     = 22
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  ingress { 
+    protocol    = "tcp"
+    from_port   = 9000
+    to_port     = 9000
+    cidr_blocks = var.private_subnet_cidr
+  }
+
+  egress {
+    from_port = 0
+    to_port   = 0
+    protocol  = "-1"
+
+    cidr_blocks = [
+      "0.0.0.0/0",
+    ]
+  }
+
+  egress {
+    from_port        = 0
+    to_port          = 0
+    protocol         = "-1"
+    ipv6_cidr_blocks = ["::/0"]
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  tags = var.tags
+}
+
+resource "aws_launch_template" "clickhouse_proxy" {
+  name_prefix   = "${var.name}-ckprx-tmpl-"
+  image_id      = data.aws_ssm_parameter.ubuntu_22_ami.value
+  instance_type = var.instance_type
+  key_name      = var.key_name
+
+  user_data = base64encode(templatefile("${path.module}/templates/setup-clickhouse-proxy.sh", {
+    clickhouse_url = var.clickhouse_url,
+    clickhouse_port = var.clickhouse_port
+  }))
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  network_interfaces {
+    delete_on_termination       = true
+    associate_public_ip_address = true
+    security_groups = [
+      aws_security_group.ckprx_sg.id,
+    ]
+  }
+
+  tag_specifications {
+    resource_type = "instance"
+    tags          = var.tags
+  }
+}
+
+resource "aws_instance" "clickhouse_proxy" {
+  launch_template {
+    id      = aws_launch_template.clickhouse_proxy.id
+    version = "$Latest"
+  }
+
+  subnet_id = var.subnet_id
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  tags = merge(var.tags, { Name = "ansible-controller" })
+}
+
+resource "aws_route53_record" "clickhouse_proxy_alias" {
+  zone_id = var.dns_zone_ooni_io
+  name    = "clickhouse.${var.stage}.ooni.io"
+  type    = "CNAME"
+  ttl     = 300
+
+  records = [
+    aws_instance.clickhouse_proxy.public_dns
+  ]
+}
diff --git a/tf/modules/clickhouse_proxy/outputs.tf b/tf/modules/clickhouse_proxy/outputs.tf
diff --git a/tf/modules/clickhouse_proxy/templates/setup-clickhouse-proxy.sh b/tf/modules/clickhouse_proxy/templates/setup-clickhouse-proxy.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+set -e
+
+sudo apt update
+sudo apt install -y nginx
+
+tmpfile=$(mktemp /tmp/nginx-config.XXXXXX)
+cat > $tmpfile <<EOF
+stream {
+    upstream clickhouse_backend {
+        server ${clickhouse_url}:${clickhouse_port};
+    }
+
+    server {
+        listen 9000;
+
+       proxy_pass clickhouse_backend; 
+    } 
+}
+EOF
+sudo mv $tmpfile /etc/nginx/sites-available/default
+
+sudo nginx -t
+sudo systemctl reload nginx
diff --git a/tf/modules/clickhouse_proxy/variables.tf b/tf/modules/clickhouse_proxy/variables.tf
@@ -0,0 +1,47 @@
+variable "vpc_id" {
+  description = "the id of the VPC to deploy the instance into"
+}
+
+variable "subnet_id" {
+  description = "the id of the subnet to deploy the instance into"
+}
+
+variable "private_subnet_cidr" {
+  description = "the cidr block of the private subnet to allow traffic from"
+}
+
+variable "tags" {
+  description = "tags to apply to the resources"
+  default     = {}
+  type        = map(string)
+}
+
+variable "key_name" {
+  description = "Name of AWS key pair"
+}
+
+variable "name" {
+  description = "Name of the resources"
+  default     = "ooni-clickhouse-proxy"
+}
+
+variable "instance_type" {
+  default = "t2.micro"
+}
+
+variable "stage" {
+  default = "one of dev, stage, test, prod"
+}
+
+variable "dns_zone_ooni_io" {
+  description = "id of the DNS zone for ooni_io"
+}
+
+variable "clickhouse_url" {
+  description = "clickhouse url to proxy requests to"
+  default = "backend-fsn.ooni.org" 
+}
+
+variable "clickhouse_port" {
+  description = "clickhouse port for the backend"
+}