viaprog/seaweedfs
1
0
Fork 0
mirror of https://github.com/seaweedfs/seaweedfs.git synced 2026-06-13 23:36:45 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
a10607f90a7fb916524badbc91a5beadf5d51f0c
seaweedfs/terraform/modules/security/main.tf
T
Chris Lu a10607f90a Add Terraform support for VM-based SeaweedFS deployment (#9754) 
* terraform: add cloud-agnostic core renderer module

Renders per-node weed argv, systemd units, config files, disk-mount and secret-fetch scripts, and cloud-init from an address map. Creates zero cloud resources. Flags verified against the weed binary: volume uses -mserver for the master list, gRPC is -port.grpc (auto http+10000), minFreeSpacePercent is a string, filer store via -defaultStoreDir.

* terraform: add mTLS and JWT security module

Generates the CA, per-component certs with distinct CNs, and JWT signing keys via the tls/random providers. Emits a core_security object plus PEMs for secret-store delivery.

* terraform: add AWS deployment module and examples

Reserves stable ENIs first, renders config via the core, then creates instances, prevent_destroy EBS data disks mounted at /data, and the cluster security group. With enable_security, generates certs/JWT, stores them in SSM SecureString, grants an instance role, and fetches them at boot so secrets stay out of user_data. Keyed for_each on every stateful tier.

* terraform: add local cluster test harnesses

run_local_cluster.sh and run_local_secure.sh render a cluster with the core and run real weed processes, asserting master quorum, volume registration, filer/s3 round-trips, mutual-TLS formation, and JWT enforcement. Use an isolated high port range with a guard so they never touch a cluster already running on the machine. The weed binary defaults to $(go env GOPATH)/bin/weed.

* terraform: add CI workflow and README

fmt/validate/tofu-test plus smoke jobs that build weed and run both harnesses.

* terraform: guard against empty filesystem UUID in mount script

An empty UUID made grep -q match any fstab line, skipping the fstab entry and breaking the mount. Fail fast when blkid returns no UUID.

* terraform: sanitize cluster name in WEED_CLUSTER env keys

Hyphens or spaces in cluster_name produced invalid systemd/bash env var names; map non-alphanumerics to underscores.

* terraform: omit empty jwt.signing block from security.toml

With enable_security and no JWT key, the template emitted [jwt.signing] key="". Gate the block on a non-empty key and cover it with a test.

* terraform: mark core security input as sensitive

The security object carries JWT signing keys; keep them out of plan output and known values.

* terraform: enforce jwt_length minimum of 32

* terraform: note region/AZ coupling in HA example

* terraform: guard WORKDIR before recursive delete in test harnesses

* terraform: fix README fence language and test count

* terraform: handle embedded s3 with no filer nodes

Indexing sort(keys(var.filers))[0] errored at plan time when embedded S3 was enabled but no filers were defined; fall back to an empty config source.

* terraform: scope kms:Decrypt to a configurable key arn

Replace the hardcoded Resource="*" with a kms_key_arn variable (default "*") so production can restrict decrypt to a specific CMK.

* terraform: encrypt EBS data volumes at rest

Set encrypted = true on the volume/filer data disks and the all-in-one example disk.

* terraform: protect filer instances from API termination

Filers hold the leveldb2 metadata store, so they are stateful and get the same disable_api_termination as masters and volumes.

* terraform: stop instance before detaching in all-in-one example

* terraform: drop stale references to the removed plan doc

* terraform: correct stale mount-step comment in aws module

* terraform: mark Terraform support as experimental in README
2026-05-30 23:43:17 -07:00

69 lines
2.2 KiB
Terraform
Raw Blame History

locals {
components = ["master", "volume", "filer", "client"]
ip_sans = distinct(concat(["127.0.0.1"], var.ip_sans))
}
# ---- CA ---------------------------------------------------------------------
resource "tls_private_key" "ca" {
algorithm = var.key_algorithm
ecdsa_curve = var.ecdsa_curve
rsa_bits = var.rsa_bits
}
resource "tls_self_signed_cert" "ca" {
private_key_pem = tls_private_key.ca.private_key_pem
is_ca_certificate = true
subject {
common_name = "SeaweedFS CA"
organization = "SeaweedFS"
}
validity_period_hours = var.ca_validity_hours
allowed_uses = ["cert_signing", "crl_signing", "digital_signature"]
}
# ---- per-component leaf certs (distinct CN per component) --------------------
resource "tls_private_key" "component" {
for_each = toset(local.components)
algorithm = var.key_algorithm
ecdsa_curve = var.ecdsa_curve
rsa_bits = var.rsa_bits
}
resource "tls_cert_request" "component" {
for_each = toset(local.components)
private_key_pem = tls_private_key.component[each.key].private_key_pem
subject {
# Distinct CN per component so peer-identity authZ (allowed_wildcard_domain
# / allowed_commonNames) is meaningful. Do NOT use one CN for all.
common_name = "${each.key}.${var.internal_domain}"
organization = "SeaweedFS"
}
dns_names = distinct(concat(
["${each.key}.${var.internal_domain}", "localhost"],
var.extra_dns_sans,
))
ip_addresses = local.ip_sans
}
resource "tls_locally_signed_cert" "component" {
for_each = toset(local.components)
cert_request_pem = tls_cert_request.component[each.key].cert_request_pem
ca_private_key_pem = tls_private_key.ca.private_key_pem
ca_cert_pem = tls_self_signed_cert.ca.cert_pem
validity_period_hours = var.cert_validity_hours
early_renewal_hours = var.cert_early_renewal_hours
allowed_uses = ["digital_signature", "key_agreement", "server_auth", "client_auth"]
}
# ---- JWT signing keys -------------------------------------------------------
resource "random_password" "jwt" {
for_each = var.generate_jwt ? toset(["signing", "signing_read", "filer_signing", "filer_signing_read"]) : toset([])
length = var.jwt_length
special = false # TOML-safe
}
Reference in New Issue View Git Blame Copy Permalink