init: copy from lawndale-infra

2022-05-27 22:07:43 +02:00
commit 3ca47a84ce
12 changed files with 420 additions and 0 deletions
--- a/helm.tf
+++ b/helm.tf
@@ -0,0 +1,63 @@
+resource "helm_release" "this" {
+  name      = "grafana"
+  namespace = kubernetes_namespace.this.metadata.0.name
+
+  repository = "https://grafana.github.io/helm-charts"
+  chart      = "grafana"
+
+  values = [
+    jsonencode({
+      ingress = {
+        enabled = true
+        hosts   = [local.ingress_domain]
+        annotations = {
+          "kubernetes.io/ingress.class"                             = "traefik"
+          "traefik.ingress.kubernetes.io/router.entrypoints"        = "websecure"
+          "traefik.ingress.kubernetes.io/router.tls"                = "true"
+          "traefik.ingress.kubernetes.io/router.tls.certresolver"   = "acme-thomasklein-me"
+          "traefik.ingress.kubernetes.io/router.tls.domains.0.main" = local.ingress_domain
+          "traefik.ingress.kubernetes.io/router.middlewares"        = "redirect-metrics@file" # hide /metrics from the internet
+        }
+        labels = {}
+      }
+    }),
+
+    jsonencode({
+      persistence = {
+        enabled       = "true"
+        type          = "pvc"
+        existingClaim = kubernetes_persistent_volume_claim.this.metadata.0.name
+      }
+    }),
+
+    jsonencode({
+      "grafana.ini" = {
+        server = {
+          root_url = "https://${local.ingress_domain}"
+        }
+      }
+    }),
+
+    jsonencode({
+      envRenderSecret = {
+        GF_AUTH_GENERIC_OAUTH_NAME      = "Cognito"
+        GF_AUTH_GENERIC_OAUTH_ENABLED   = "true"
+        GF_AUTH_GENERIC_OAUTH_AUTH_URL  = local.cognito_authz_url
+        GF_AUTH_GENERIC_OAUTH_TOKEN_URL = local.cognito_token_url
+        // below, the `?` is necessary to fix a bad assumtion on grafana's side
+        GF_AUTH_GENERIC_OAUTH_API_URL = "${local.cognito_userinfo_url}?"
+        GF_AUTH_GENERIC_OAUTH_SCOPES  = "email openid profile"
+      }
+    })
+  ]
+
+
+  set_sensitive {
+    name  = "envRenderSecret.GF_AUTH_GENERIC_OAUTH_CLIENT_ID"
+    value = aws_cognito_user_pool_client.this.id
+  }
+  set_sensitive {
+    name  = "envRenderSecret.GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET"
+    value = aws_cognito_user_pool_client.this.client_secret
+  }
+}