# Service offering exposed by the database broker. Only its plan catalog is
# consumed here: the Postgres instance selects a plan from it by name (var.db_plan).
data "cloudfoundry_service" "rds" {
  name = var.db_broker
}
# Shared (public) domain under which the Grafana route is created.
# local.domain is either caller-supplied or derived from the HSDP CF config.
data "cloudfoundry_domain" "domain" {
  name = local.domain
}
# Cloud Foundry's container-to-container ("internal") domain.
# NOTE(review): nothing in this file references this data source; presumably it
# is consumed by another file of the module — confirm before removing.
data "cloudfoundry_domain" "internal" {
  name = "apps.internal"
}
# Regional HSDP IAM endpoint; its url is the base for the OAuth2 authorize,
# token and userinfo URLs handed to Grafana.
data "hsdp_config" "iam" {
  service = "iam"
}
# Regional HSDP Cloud Foundry config; supplies the default apps domain when
# var.cf_domain_name is left empty.
data "hsdp_config" "cf" {
  service = "cf"
}
locals {
  # Base name shared by the app, the route hostname and the DB instance:
  # "gf" when no postfix is given, otherwise "gf-<postfix>".
  name = var.name_postfix != "" ? "gf-${var.name_postfix}" : "gf"

  # Route domain: an explicit var.cf_domain_name wins, otherwise the region's
  # CF apps domain from the HSDP config is used.
  domain = var.cf_domain_name != "" ? var.cf_domain_name : data.hsdp_config.cf.domain
}
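//noinspection HILUnresolvedReference
# Grafana, run from a Docker image as a Cloud Foundry app.
#
# All configuration reaches Grafana through GF_* environment variables. merge()
# layers the maps below from lowest to highest precedence:
#   1. GF_SERVER_ROOT_URL (always set; see fix note below),
#   2. database settings: Postgres via the service key, or the "disabled" marker,
#   3. HSDP IAM generic-OAuth settings, only when local.iam_integration is true,
#   4. var.environment — caller overrides for anything above,
#   5. admin credentials — deliberately last so var.environment cannot replace them.
#
# Secrets set here (GF_SECURITY_ADMIN_PASSWORD, the DB password from the service
# key, the OAuth client secret, docker_credentials) are stored as plain app
# environment in CF and in the Terraform state; anyone who can read the app's
# environment in this space, or the state, can read them.
resource "cloudfoundry_app" "grafana" {
  name         = "tf-${local.name}"
  space        = var.cf_space_id
  memory       = var.memory
  disk_quota   = var.disk
  strategy     = var.strategy
  docker_image = var.grafana_image

  docker_credentials = {
    username = var.docker_username
    password = var.docker_password
  }

  environment = merge(
    # Fix: GF_SERVER_ROOT_URL used to live inside the Postgres branch only, so a
    # deployment with enable_postgres=false and IAM OAuth enabled had no root URL
    # and Grafana derived its OAuth callback from its default (local) address.
    # The public route URL is independent of the database backend, so it is
    # set unconditionally here; var.environment can still override it.
    {
      GF_SERVER_ROOT_URL = "https://${cloudfoundry_route.grafana.endpoint}"
    },
    var.enable_postgres ?
    {
      GF_DATABASE_TYPE     = "postgres"
      GF_DATABASE_HOST     = cloudfoundry_service_key.database_key[0].credentials.hostname
      GF_DATABASE_NAME     = cloudfoundry_service_key.database_key[0].credentials.db_name
      GF_DATABASE_USER     = cloudfoundry_service_key.database_key[0].credentials.username
      GF_DATABASE_PASSWORD = cloudfoundry_service_key.database_key[0].credentials.password
      # NOTE(review): no GF_DATABASE_SSL_MODE is set, so Grafana's default for
      # Postgres applies — confirm whether the broker endpoint should be pinned
      # to TLS and set it explicitly (or via var.environment).
    } : {
      # NOTE(review): Grafana does not appear to read a bare GF_DATABASE
      # variable; this looks like a marker only, and Grafana falls back to its
      # built-in default store. Kept as-is for compatibility.
      GF_DATABASE = "disabled"
    },
    local.iam_integration ?
    {
      # An empty var.email_domains joins to "", which Grafana treats as "no
      # domain restriction" — combined with allow_sign_up, any IAM account
      # could then log in.
      GF_AUTH_GENERIC_OAUTH_ALLOWED_DOMAINS          = join(",", var.email_domains)
      GF_AUTH_GENERIC_OAUTH_API_URL                  = "${data.hsdp_config.iam.url}/authorize/oauth2/userinfo?api-version=2"
      GF_AUTH_GENERIC_OAUTH_AUTH_URL                 = "${data.hsdp_config.iam.url}/authorize/oauth2/authorize?api-version=2"
      GF_AUTH_GENERIC_OAUTH_TOKEN_URL                = "${data.hsdp_config.iam.url}/authorize/oauth2/token?api-version=2"
      GF_AUTH_GENERIC_OAUTH_CLIENT_ID                = local.oauth2_client_id
      GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET            = local.oauth2_client_password
      GF_AUTH_GENERIC_OAUTH_EMPTY_SCOPES             = "false"
      GF_AUTH_GENERIC_OAUTH_ENABLED                  = "true"
      GF_AUTH_GENERIC_OAUTH_SCOPES                   = "openid mail email"
      # TLS verification of the IAM endpoint stays on.
      GF_AUTH_GENERIC_OAUTH_TLS_SKIP_VERIFY_INSECURE = "false"
      GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP            = var.oauth_allow_signup
      GF_USERS_AUTO_ASSIGN_ORG_ROLE                  = var.auto_assign_org_role
    } : {},
    var.environment,
    {
      GF_SECURITY_ADMIN_USER     = var.grafana_username
      GF_SECURITY_ADMIN_PASSWORD = var.grafana_password
    }
  )

  routes {
    route = cloudfoundry_route.grafana.id
  }

  # Extra service bindings requested by the caller (e.g. log drains).
  dynamic "service_binding" {
    for_each = var.grafana_service_bindings
    content {
      service_instance = service_binding.value.service_instance
    }
  }
}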
# Postgres instance provisioned through the RDS broker; exists only when
# var.enable_postgres is true (count 0/1).
resource "cloudfoundry_service_instance" "database" {
  count = var.enable_postgres ? 1 : 0

  name  = "tf-${local.name}-rds"
  space = var.cf_space_id

  # Plan chosen by name from the broker's catalog.
  service_plan = data.cloudfoundry_service.rds.service_plans[var.db_plan]

  # Broker-specific provisioning parameters, passed through verbatim.
  json_params = var.db_json_params
}
# Service key that yields the database credentials consumed by the app's
# GF_DATABASE_* environment. Mirrors the instance's count so it only exists
# alongside the Postgres instance. The credentials it returns are persisted in
# Terraform state.
resource "cloudfoundry_service_key" "database_key" {
  count = var.enable_postgres ? 1 : 0

  name             = "key"
  service_instance = cloudfoundry_service_instance.database[count.index].id
}
# Public route for Grafana: <local.name>.<local.domain>. Its endpoint is also
# what the app advertises as GF_SERVER_ROOT_URL.
resource "cloudfoundry_route" "grafana" {
  domain   = data.cloudfoundry_domain.domain.id
  space    = var.cf_space_id
  hostname = local.name
}
# Container-to-container network policies with Grafana as the source app.
# Created only when the caller supplies at least one policy; each entry
# becomes one allow rule towards destination_app on the given port/protocol.
resource "cloudfoundry_network_policy" "grafana" {
  count = length(var.network_policies) == 0 ? 0 : 1

  dynamic "policy" {
    # Project each input entry onto exactly the three fields used below.
    for_each = [for entry in var.network_policies : {
      destination_app = entry.destination_app
      port            = entry.port
      protocol        = entry.protocol
    }]

    content {
      source_app      = cloudfoundry_app.grafana.id
      destination_app = policy.value.destination_app
      # An empty protocol defaults to tcp.
      protocol        = policy.value.protocol == "" ? "tcp" : policy.value.protocol
      port            = policy.value.port
    }
  }
}