viaprog/seaweedfs
1
0
Fork 0
mirror of https://github.com/seaweedfs/seaweedfs.git synced 2026-06-13 23:36:45 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
a10607f90a7fb916524badbc91a5beadf5d51f0c
seaweedfs/terraform/modules/security/variables.tf
T
Chris Lu a10607f90a Add Terraform support for VM-based SeaweedFS deployment (#9754) 
* terraform: add cloud-agnostic core renderer module

Renders per-node weed argv, systemd units, config files, disk-mount and secret-fetch scripts, and cloud-init from an address map. Creates zero cloud resources. Flags verified against the weed binary: volume uses -mserver for the master list, gRPC is -port.grpc (auto http+10000), minFreeSpacePercent is a string, filer store via -defaultStoreDir.

* terraform: add mTLS and JWT security module

Generates the CA, per-component certs with distinct CNs, and JWT signing keys via the tls/random providers. Emits a core_security object plus PEMs for secret-store delivery.

* terraform: add AWS deployment module and examples

Reserves stable ENIs first, renders config via the core, then creates instances, prevent_destroy EBS data disks mounted at /data, and the cluster security group. With enable_security, generates certs/JWT, stores them in SSM SecureString, grants an instance role, and fetches them at boot so secrets stay out of user_data. Keyed for_each on every stateful tier.

* terraform: add local cluster test harnesses

run_local_cluster.sh and run_local_secure.sh render a cluster with the core and run real weed processes, asserting master quorum, volume registration, filer/s3 round-trips, mutual-TLS formation, and JWT enforcement. Use an isolated high port range with a guard so they never touch a cluster already running on the machine. The weed binary defaults to $(go env GOPATH)/bin/weed.

* terraform: add CI workflow and README

fmt/validate/tofu-test plus smoke jobs that build weed and run both harnesses.

* terraform: guard against empty filesystem UUID in mount script

An empty UUID made grep -q match any fstab line, skipping the fstab entry and breaking the mount. Fail fast when blkid returns no UUID.

* terraform: sanitize cluster name in WEED_CLUSTER env keys

Hyphens or spaces in cluster_name produced invalid systemd/bash env var names; map non-alphanumerics to underscores.

* terraform: omit empty jwt.signing block from security.toml

With enable_security and no JWT key, the template emitted [jwt.signing] key="". Gate the block on a non-empty key and cover it with a test.

* terraform: mark core security input as sensitive

The security object carries JWT signing keys; keep them out of plan output and known values.

* terraform: enforce jwt_length minimum of 32

* terraform: note region/AZ coupling in HA example

* terraform: guard WORKDIR before recursive delete in test harnesses

* terraform: fix README fence language and test count

* terraform: handle embedded s3 with no filer nodes

Indexing sort(keys(var.filers))[0] errored at plan time when embedded S3 was enabled but no filers were defined; fall back to an empty config source.

* terraform: scope kms:Decrypt to a configurable key arn

Replace the hardcoded Resource="*" with a kms_key_arn variable (default "*") so production can restrict decrypt to a specific CMK.

* terraform: encrypt EBS data volumes at rest

Set encrypted = true on the volume/filer data disks and the all-in-one example disk.

* terraform: protect filer instances from API termination

Filers hold the leveldb2 metadata store, so they are stateful and get the same disable_api_termination as masters and volumes.

* terraform: stop instance before detaching in all-in-one example

* terraform: drop stale references to the removed plan doc

* terraform: correct stale mount-step comment in aws module

* terraform: mark Terraform support as experimental in README
2026-05-30 23:43:17 -07:00

90 lines
2.7 KiB
Terraform
Raw Blame History

# =============================================================================
# SeaweedFS security material generator (cloud-agnostic).
#
# Generates the CA, per-component mTLS certs with DISTINCT CommonNames, and JWT
# signing keys. Outputs a `core_security` object ready to feed the core module's
# `security` variable, plus the raw PEMs for a wrapper to deliver via a secret
# store. NOTE: TF-generated secrets live in state; prefer Vault PKI for the CA
# in production.
# =============================================================================
variable "internal_domain" {
description = "Internal domain for component CNs (e.g. master.<domain>). Drives the allowed_wildcard_domain peer-auth check."
type = string
default = "seaweedfs.internal"
}
variable "ip_sans" {
description = "IP addresses to include as SANs on every component cert (all node private IPs + 127.0.0.1 is added automatically)."
type = list(string)
default = []
}
variable "extra_dns_sans" {
description = "Additional DNS SANs to include on every component cert."
type = list(string)
default = []
}
variable "key_algorithm" {
description = "CA/leaf key algorithm: ECDSA (default, modern) or RSA."
type = string
default = "ECDSA"
validation {
condition = contains(["ECDSA", "RSA"], var.key_algorithm)
error_message = "key_algorithm must be ECDSA or RSA."
}
}
variable "ecdsa_curve" {
description = "ECDSA curve when key_algorithm = ECDSA."
type = string
default = "P256"
}
variable "rsa_bits" {
description = "RSA key size when key_algorithm = RSA."
type = number
default = 3072
}
variable "ca_validity_hours" {
description = "CA certificate validity (default 10 years)."
type = number
default = 87600
}
variable "cert_validity_hours" {
description = "Component certificate validity. Short by default; certs hot-reload so reissue is cheap."
type = number
default = 72
}
variable "cert_early_renewal_hours" {
description = "Renew component certs this many hours before expiry."
type = number
default = 24
}
variable "cert_dir" {
description = "On-host directory where certs are placed; surfaced in core_security.cert_dir."
type = string
default = "/usr/local/share/ca-certificates"
}
variable "generate_jwt" {
description = "Generate JWT signing keys (signing, signing.read, filer_signing, filer_signing.read)."
type = bool
default = true
}
variable "jwt_length" {
description = "Length of generated JWT keys (>= 32 hardened)."
type = number
default = 40
validation {
condition = var.jwt_length >= 32
error_message = "jwt_length must be >= 32 (hardened minimum)."
}
}
Reference in New Issue View Git Blame Copy Permalink