mirror of
https://github.com/seaweedfs/seaweedfs.git
synced 2026-06-13 23:36:45 +03:00
Chris Lu
a10607f90a
* terraform: add cloud-agnostic core renderer module Renders per-node weed argv, systemd units, config files, disk-mount and secret-fetch scripts, and cloud-init from an address map. Creates zero cloud resources. Flags verified against the weed binary: volume uses -mserver for the master list, gRPC is -port.grpc (auto http+10000), minFreeSpacePercent is a string, filer store via -defaultStoreDir. * terraform: add mTLS and JWT security module Generates the CA, per-component certs with distinct CNs, and JWT signing keys via the tls/random providers. Emits a core_security object plus PEMs for secret-store delivery. * terraform: add AWS deployment module and examples Reserves stable ENIs first, renders config via the core, then creates instances, prevent_destroy EBS data disks mounted at /data, and the cluster security group. With enable_security, generates certs/JWT, stores them in SSM SecureString, grants an instance role, and fetches them at boot so secrets stay out of user_data. Keyed for_each on every stateful tier. * terraform: add local cluster test harnesses run_local_cluster.sh and run_local_secure.sh render a cluster with the core and run real weed processes, asserting master quorum, volume registration, filer/s3 round-trips, mutual-TLS formation, and JWT enforcement. Use an isolated high port range with a guard so they never touch a cluster already running on the machine. The weed binary defaults to $(go env GOPATH)/bin/weed. * terraform: add CI workflow and README fmt/validate/tofu-test plus smoke jobs that build weed and run both harnesses. * terraform: guard against empty filesystem UUID in mount script An empty UUID made grep -q match any fstab line, skipping the fstab entry and breaking the mount. Fail fast when blkid returns no UUID. * terraform: sanitize cluster name in WEED_CLUSTER env keys Hyphens or spaces in cluster_name produced invalid systemd/bash env var names; map non-alphanumerics to underscores. * terraform: omit empty jwt.signing block from security.toml With enable_security and no JWT key, the template emitted [jwt.signing] key="". Gate the block on a non-empty key and cover it with a test. * terraform: mark core security input as sensitive The security object carries JWT signing keys; keep them out of plan output and known values. * terraform: enforce jwt_length minimum of 32 * terraform: note region/AZ coupling in HA example * terraform: guard WORKDIR before recursive delete in test harnesses * terraform: fix README fence language and test count * terraform: handle embedded s3 with no filer nodes Indexing sort(keys(var.filers))[0] errored at plan time when embedded S3 was enabled but no filers were defined; fall back to an empty config source. * terraform: scope kms:Decrypt to a configurable key arn Replace the hardcoded Resource="*" with a kms_key_arn variable (default "*") so production can restrict decrypt to a specific CMK. * terraform: encrypt EBS data volumes at rest Set encrypted = true on the volume/filer data disks and the all-in-one example disk. * terraform: protect filer instances from API termination Filers hold the leveldb2 metadata store, so they are stateful and get the same disable_api_termination as masters and volumes. * terraform: stop instance before detaching in all-in-one example * terraform: drop stale references to the removed plan doc * terraform: correct stale mount-step comment in aws module * terraform: mark Terraform support as experimental in README
35 lines
1.0 KiB
Terraform
35 lines
1.0 KiB
Terraform
output "security_group_id" {
|
|
description = "Cluster security group id."
|
|
value = aws_security_group.cluster.id
|
|
}
|
|
|
|
output "master_private_ips" {
|
|
description = "Master private IPs keyed by node id."
|
|
value = { for k, v in var.masters : k => v.private_ip }
|
|
}
|
|
|
|
output "master_peers" {
|
|
description = "Master peer list passed to the weed processes."
|
|
value = module.core.master_peers
|
|
}
|
|
|
|
output "filer_private_ips" {
|
|
description = "Filer private IPs keyed by node id."
|
|
value = { for k, v in var.filers : k => v.private_ip }
|
|
}
|
|
|
|
output "s3_private_ips" {
|
|
description = "Standalone S3 gateway private IPs keyed by node id."
|
|
value = { for k, v in var.s3_nodes : k => v.private_ip }
|
|
}
|
|
|
|
output "instance_ids" {
|
|
description = "All instance ids keyed by role-node."
|
|
value = merge(
|
|
{ for k, v in aws_instance.master : "master-${k}" => v.id },
|
|
{ for k, v in aws_instance.volume : "volume-${k}" => v.id },
|
|
{ for k, v in aws_instance.filer : "filer-${k}" => v.id },
|
|
{ for k, v in aws_instance.s3 : "s3-${k}" => v.id },
|
|
)
|
|
}
|