diff --git a/chronograf.tf b/chronograf.tf
deleted file mode 100644
index 5d62285..0000000
--- a/chronograf.tf
+++ /dev/null
@@ -1,92 +0,0 @@
-
-resource "kubernetes_persistent_volume" "chronograf" {
- metadata {
- name = "pv-p9hostpath-chronograf"
- }
- spec {
- capacity = {
- storage = "8Gi"
- }
- access_modes = ["ReadWriteMany"]
- persistent_volume_source {
- host_path {
- path = "/mnt/datastore/chronograf"
- }
- }
- }
-}
-
-resource "random_password" "chronograf_token_secret" {
- length = 80
- special = true
-}
-
-resource "helm_release" "chronograf" {
- name = "chronograf"
- namespace = kubernetes_namespace.this.metadata.0.name
-
- repository = "https://helm.influxdata.com/"
- chart = "chronograf"
- version = "1.2.5"
-
- values = [
- jsonencode({
- ingress = {
- enabled = true
- className = "traefik"
- hostname = local.chronograf_domain
- tls = true
- secretName = "chronograf-tls"
- annotations = {
- "cert-manager.io/cluster-issuer" = "acme-thomasklein-me"
- # "kubernetes.io/ingress.class" = "traefik"
- # "traefik.ingress.kubernetes.io/router.entrypoints" = "websecure"
- # "traefik.ingress.kubernetes.io/router.tls" = "true"
- # "traefik.ingress.kubernetes.io/router.tls.certresolver" = "acme-thomasklein-me"
- # "traefik.ingress.kubernetes.io/router.tls.domains.0.main" = local.ingress_domain
- # "traefik.ingress.kubernetes.io/router.middlewares" = "redirect-metrics@file" # hide /metrics from the internet
- }
- labels = {}
- }
- }),
-
- jsonencode({
- updateStrategy = {
- type = "Recreate"
- },
- persistence = {
- enabled = "true"
- accessMode = "ReadWriteMany"
- storageClass = "-"
- }
- }),
- jsonencode({
- oauth = {
- enabled = true
- token_secret = random_password.chronograf_token_secret.result
- jwks = local.jwks_url
- generic = {
- enabled = true
- name = "Cognito"
- public_url = "https://${local.chronograf_domain}/"
- auth_url = local.cognito_authz_url
- token_url = local.cognito_token_url
- api_url = "${local.cognito_userinfo_url}"
- api_key = "email"
- scopes = "email openid profile"
- }
- }
- })
- ]
-
-
- set_sensitive {
- name = "oauth.generic.client_id"
- value = aws_cognito_user_pool_client.this.id
- }
- set_sensitive {
- name = "oauth.generic.client_secret"
- value = aws_cognito_user_pool_client.this.client_secret
- }
-
-}
diff --git a/influxdb.tf b/influxdb.tf
deleted file mode 100644
index 3d76a7e..0000000
--- a/influxdb.tf
+++ /dev/null
@@ -1,53 +0,0 @@
-# resource "helm_release" "influx" {
-# name = "influxdb"
-# namespace = kubernetes_namespace.this.metadata.0.name
-
-# repository = "https://helm.influxdata.com/"
-# chart = "influxdb"
-# version = "4.12.0"
-
-# values = [
-# jsonencode({
-# ingress = {
-# enabled = true
-# hostname = local.influx_domain
-# tls = true
-# secretName = "influxdb-tls"
-# annotations = {
-# "cert-manager.io/cluster-issuer" = "acme-thomasklein-me"
-# # "kubernetes.io/ingress.class" = "traefik"
-# # "traefik.ingress.kubernetes.io/router.entrypoints" = "websecure"
-# # "traefik.ingress.kubernetes.io/router.tls" = "true"
-# # "traefik.ingress.kubernetes.io/router.tls.certresolver" = "acme-thomasklein-me"
-# # "traefik.ingress.kubernetes.io/router.tls.domains.0.main" = local.ingress_domain
-# # "traefik.ingress.kubernetes.io/router.middlewares" = "redirect-metrics@file" # hide /metrics from the internet
-# }
-# labels = {}
-# }
-# }),
-
-# jsonencode({
-# persistence = {
-# enabled = "true"
-# existingClaim = kubernetes_persistent_volume_claim.this.metadata.0.name
-# }
-# }),
-
-# jsonencode({
-# config = {
-# coordinator = {
-# # "max-concurrent-queries" = 10
-# "query-timeout" = "1m"
-# }
-# retention = {
-# enabled = true
-# "check-interval" = "60m0s"
-# }
-# monitor = {
-# "store-enabled" = true
-# "store-interval" = "30s"
-# }
-# }),
-
-# ]
-# }
diff --git a/locals.tf b/locals.tf
index a83b46d..dde4213 100644
--- a/locals.tf
+++ b/locals.tf
@@ -1,7 +1,6 @@
 locals {
 namespace = "influxdb"
 influx_domain = "influxdb.thomasklein.me"
- chronograf_domain = "chronograf.thomasklein.me"
 }
 
 data "aws_region" "current" {}
diff --git a/oidc.tf b/oidc.tf
deleted file mode 100644
index b6e9468..0000000
--- a/oidc.tf
+++ /dev/null
@@ -1,34 +0,0 @@
-
-data "aws_cognito_user_pools" "thomasklein_infra" {
- name = "thomasklein-infra"
-}
-
-resource "aws_cognito_user_pool_client" "this" {
- name = "chronograf"
-
- user_pool_id = data.aws_cognito_user_pools.thomasklein_infra.ids[0]
-
- allowed_oauth_flows_user_pool_client = true
- allowed_oauth_flows = ["code"]
- allowed_oauth_scopes = ["profile", "email", "openid"]
-
- supported_identity_providers = ["COGNITO"]
-
- generate_secret = true
- callback_urls = [
- "https://${local.chronograf_domain}/oauth/cognito/callback",
- "https://${local.chronograf_domain}/oauth/Cognito/callback"
- ]
-}
-
-locals {
- # these should be available as an attribute
- cognito_base_url = "https://${data.aws_cognito_user_pools.thomasklein_infra.name}.auth.${data.aws_region.current.name}.amazoncognito.com"
-
- cognito_authz_url = "${local.cognito_base_url}/oauth2/authorize"
- cognito_token_url = "${local.cognito_base_url}/oauth2/token"
- cognito_userinfo_url = "${local.cognito_base_url}/oauth2/userInfo"
-
- jwks_url = "https://cognito-idp.${data.aws_region.current.name}.amazonaws.com/${aws_cognito_user_pool_client.this.user_pool_id}/.well-known/jwks.json"
-}
-# https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json
\ No newline at end of file