feat: add module for dns and bucket (#145)

maxsxu · web-flow · commit 8b7202b17bb7 · 2024-11-20T11:24:27.000+08:00
### Motivation For support StreamNative Cloud. ### Modifications - Add new submodule for creating dns zone and s3 bucket It will backport as `v3.4.0` in https://github.com/streamnative/terraform-aws-cloud/tree/release/v3.4.0 ### Verifying this change - [x] Verified ### Documentation - [x] `doc`
diff --git a/modules/dns-bucket/README.md b/modules/dns-bucket/README.md
@@ -0,0 +1,71 @@
+<!--
+  ~ Copyright 2023 StreamNative, Inc.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+-->
+
+# DNS and Bucket Module
+A basic module used to create Route53 Zone and S3 Buckets.
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >=1.2.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.76.0 |
+| <a name="provider_aws.source"></a> [aws.source](#provider\_aws.source) | 5.76.0 |
+| <a name="provider_aws.target"></a> [aws.target](#provider\_aws.target) | 5.76.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_route53_record.delegate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
+| [aws_route53_zone.zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone) | resource |
+| [aws_s3_bucket.tiered_storage](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket.velero](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket_server_side_encryption_configuration.velero](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
+| [aws_kms_key.s3_default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source |
+| [aws_route53_zone.sn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_custom_dns_zone_id"></a> [custom\_dns\_zone\_id](#input\_custom\_dns\_zone\_id) | if specified, then a streamnative zone will not be created, and this zone will be used instead. Otherwise, we will provision a new zone and delegate access | `string` | `""` | no |
+| <a name="input_custom_dns_zone_name"></a> [custom\_dns\_zone\_name](#input\_custom\_dns\_zone\_name) | must be passed if custom\_dns\_zone\_id is passed, this is the zone name to use | `string` | `""` | no |
+| <a name="input_extra_aws_tags"></a> [extra\_aws\_tags](#input\_extra\_aws\_tags) | Additional to apply to the resources. Note that this module sets the tags Name, Type, and Vendor by default. They can be overwritten, but it is not recommended. | `map(string)` | `{}` | no |
+| <a name="input_parent_zone_name"></a> [parent\_zone\_name](#input\_parent\_zone\_name) | The parent zone in which we create the delegation records | `string` | n/a | yes |
+| <a name="input_pm_name"></a> [pm\_name](#input\_pm\_name) | The name of the poolmember, for new clusters, this should be like `pm-<xxxxx>` | `string` | n/a | yes |
+| <a name="input_s3_encryption_kms_key_arn"></a> [s3\_encryption\_kms\_key\_arn](#input\_s3\_encryption\_kms\_key\_arn) | KMS key ARN to use for S3 encryption. If not set, the default AWS S3 key will be used. | `string` | `""` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_backup_bucket"></a> [backup\_bucket](#output\_backup\_bucket) | n/a |
+| <a name="output_backup_bucket_kms_key_id"></a> [backup\_bucket\_kms\_key\_id](#output\_backup\_bucket\_kms\_key\_id) | n/a |
+| <a name="output_tiered_storage_bucket"></a> [tiered\_storage\_bucket](#output\_tiered\_storage\_bucket) | n/a |
+| <a name="output_zone_id"></a> [zone\_id](#output\_zone\_id) | n/a |
+| <a name="output_zone_name"></a> [zone\_name](#output\_zone\_name) | n/a |
+<!-- END_TF_DOCS -->
diff --git a/modules/dns-bucket/bucket.tf b/modules/dns-bucket/bucket.tf
@@ -0,0 +1,56 @@
+# Copyright 2023 StreamNative, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+resource "aws_s3_bucket" "velero" {
+  bucket        = format("%s-cluster-backup-snc", var.pm_name)
+  tags          = merge({ "Attributes" = "backup", "Name" = "velero-backups" }, local.tags)
+  force_destroy = true
+
+  lifecycle {
+    ignore_changes = [
+      bucket,
+    ]
+  }
+}
+
+resource "aws_s3_bucket" "tiered_storage" {
+  bucket        = format("%s-tiered-storage-snc", var.pm_name)
+  tags          = merge({ "Attributes" = "tiered-storage" }, local.tags)
+  force_destroy = true
+
+  lifecycle {
+    ignore_changes = [
+      bucket,
+    ]
+  }
+}
+
+data "aws_kms_key" "s3_default" {
+  key_id = "alias/aws/s3"
+}
+
+locals {
+  s3_kms_key = var.s3_encryption_kms_key_arn == "" ? data.aws_kms_key.s3_default.arn : var.s3_encryption_kms_key_arn
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "velero" {
+  bucket = aws_s3_bucket.velero.bucket
+
+  rule {
+    apply_server_side_encryption_by_default {
+      kms_master_key_id = local.s3_kms_key
+      sse_algorithm     = "aws:kms"
+    }
+  }
+}
diff --git a/modules/dns-bucket/dns.tf b/modules/dns-bucket/dns.tf
@@ -0,0 +1,46 @@
+# Copyright 2023 StreamNative, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+locals {
+  new_zone_name = "${var.pm_name}.${var.parent_zone_name}"
+  zone_name     = var.custom_dns_zone_name != "" ? var.custom_dns_zone_name : try(aws_route53_zone.zone[0].name, "")
+  zone_id       = var.custom_dns_zone_id != "" ? var.custom_dns_zone_id : try(aws_route53_zone.zone[0].id, "")
+}
+
+resource "aws_route53_zone" "zone" {
+  count    = var.custom_dns_zone_id == "" ? 1 : 0
+  provider = aws.target
+
+  name          = local.new_zone_name
+  tags          = local.tags
+  force_destroy = true
+}
+
+data "aws_route53_zone" "sn" {
+  count    = var.custom_dns_zone_id == "" ? 1 : 0
+  provider = aws.source
+
+  name = var.parent_zone_name
+}
+
+resource "aws_route53_record" "delegate" {
+  count    = var.custom_dns_zone_id == "" ? 1 : 0
+  provider = aws.source
+
+  zone_id = data.aws_route53_zone.sn[0].zone_id
+  name    = aws_route53_zone.zone[0].name
+  type    = "NS"
+  ttl     = "300"
+  records = aws_route53_zone.zone[0].name_servers
+}
diff --git a/modules/dns-bucket/outputs.tf b/modules/dns-bucket/outputs.tf
@@ -0,0 +1,33 @@
+# Copyright 2023 StreamNative, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+output "zone_id" {
+  value = local.zone_id
+}
+
+output "zone_name" {
+  value = local.zone_name
+}
+
+output "backup_bucket" {
+  value = aws_s3_bucket.velero.bucket
+}
+
+output "backup_bucket_kms_key_id" {
+  value = local.s3_kms_key
+}
+
+output "tiered_storage_bucket" {
+  value = aws_s3_bucket.tiered_storage.bucket
+}
diff --git a/modules/dns-bucket/variables.tf b/modules/dns-bucket/variables.tf
@@ -0,0 +1,53 @@
+# Copyright 2023 StreamNative, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+variable "pm_name" {
+  description = "The name of the poolmember, for new clusters, this should be like `pm-<xxxxx>`"
+  type        = string
+}
+
+variable "parent_zone_name" {
+  type        = string
+  description = "The parent zone in which we create the delegation records"
+}
+
+variable "custom_dns_zone_id" {
+  type        = string
+  default     = ""
+  description = "if specified, then a streamnative zone will not be created, and this zone will be used instead. Otherwise, we will provision a new zone and delegate access"
+}
+
+variable "custom_dns_zone_name" {
+  type        = string
+  default     = ""
+  description = "must be passed if custom_dns_zone_id is passed, this is the zone name to use"
+}
+
+variable "s3_encryption_kms_key_arn" {
+  default     = ""
+  description = "KMS key ARN to use for S3 encryption. If not set, the default AWS S3 key will be used."
+  type        = string
+}
+
+variable "extra_aws_tags" {
+  default     = {}
+  description = "Additional to apply to the resources. Note that this module sets the tags Name, Type, and Vendor by default. They can be overwritten, but it is not recommended."
+  type        = map(string)
+}
+
+locals {
+  tags = merge({
+    "Vendor" = "StreamNative"
+  }, var.extra_aws_tags)
+}
diff --git a/modules/dns-bucket/versions.tf b/modules/dns-bucket/versions.tf
@@ -0,0 +1,33 @@
+# Copyright 2023 StreamNative, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+terraform {
+  required_version = ">=1.2.0"
+
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+      # NOTE! we required two different providers in this module this is because we need to create a zone in the target and then create the delegations in the source
+      configuration_aliases = [aws.target, aws.source]
+    }
+  }
+}
+
+provider "aws" {
+  alias = "target"
+}
+
+provider "aws" {
+  alias = "source"
+}
