This Terraform module deploys the Rookout Controller and Rookout Datastore on an AWS ECS Fargate cluster.
The module implements the following architecture (default deployment):
Network architecture (default deployment):
- Terraform installed.
- AWS account, including the AWS CLI installed.
- The AWS default profile should be set with an access key and secret (reference).
- If you use a non-default profile, set it by running:
  ```sh
  export AWS_PROFILE="<profile_name>"
  ```
- Create a `provider.tf` file (reference).
- Get your organizational Rookout token and pass it as a variable to this module:
  ```hcl
  rookout_token = "..."
  ```
This module deploys the Rookout ETL Controller by default. It also allows deployment of the Rookout Datastore and of a demo application instrumented with the Rookout agent.
The components to deploy are selected with the following boolean variables:
```hcl
deploy_datastore = true/false
deploy_demo_app  = true/false
```
There are two methods for certificate and DNS record management, and the choice changes the network architecture.
For deployments where `domain_name` is provided, a `rookout.YOURDOMAIN` subdomain will be created in a Route 53 public hosted zone and associated by creating an NS record in your domain's public hosted zone. The subdomain will be used for the Controller, the Datastore (optional) and the demo application (optional). A certificate for this subdomain will be created in ACM. ALBs will also be created for those components, and the created certificate and DNS records will be associated with those ALBs' domain names.
Note: If you don't use Route 53 as your DNS registry provider, please contact us.
For this type of deployment, provide the following variable:
```hcl
domain_name = "YOUR_DOMAIN"
```
The `internal_controller_alb` boolean variable (false by default) can be used to make communication with the ETL Controller internal.
For self-managed certificate deployments, a CNAME record should be created for the Datastore and/or the Controller, so there are two options.
- Provided ACM certificate for the Datastore (example)
  This deployment uses the pre-imported ARN of the certificate in ACM (the certificate body, private key and chain are needed). The certificate will be used by the Datastore, therefore a CNAME record for the certificate's domain should be recorded at your DNS provider, pointing at the Datastore endpoint (output of the module). The Controller will be deployed with an internal load balancer and can be reached from within the VPC at the Controller's endpoint (output of the module).
  ```hcl
  datastore_acm_certificate_arn = "PRE_IMPORTED_ACM_CERTIFICATE_ARN"
  ```
- Provided ACM certificate for the Datastore and the Controller (internet-facing controller) (example)
  Same as the previous option, but the Controller is internet-facing too. The same CNAME record registration should be performed for the Datastore and Controller endpoints, matching their certificates' domains.
  ```hcl
  datastore_acm_certificate_arn  = "PRE_IMPORTED_ACM_CERTIFICATE_ARN"
  controller_acm_certificate_arn = "PRE_IMPORTED_ACM_CERTIFICATE_ARN"
  ```
If a demo application is deployed, it should be configured with the Controller's CNAME record:
```hcl
demo_app_controller_host = "YOUR_CONTROLLER_CNAME_RECORD"
```
The following matrices show each component's network mode by key variables. HTTP means internal traffic with an ALB, TLS means external secured traffic with an ALB, and Demo means the demo Flask application provided with this module.
- `controller.PROVIDED_DOMAIN` - URL of the controller, used by the SDK (rooks) when DNS is provided.
- `datastore.PROVIDED_DOMAIN` - URL of the datastore, used with the Rookout client (web browser application) when DNS is provided.
- `demo.PROVIDED_DOMAIN` - Flask demo application for debugging when DNS is provided.
- Provided Domain + VPC and subnets (example)
  You can configure the module to use an existing VPC (where your application is running) using the following variables:
  ```hcl
  vpc_id              = "<your existing vpc id>"
  vpc_public_subnets  = ["<first_subnet_id>", "<second_subnet_id>"]
  vpc_private_subnets = ["<first_subnet_id>", "<second_subnet_id>"]
  ```
- Provided Domain + VPC and subnets + ECS cluster (example)
  You can configure the module to use an existing VPC and ECS cluster (where your application is running) using the following variables:
  ```hcl
  vpc_id              = "<your vpc id>"
  vpc_public_subnets  = ["<first_subnet_id>", "<second_subnet_id>"]
  vpc_private_subnets = ["<first_subnet_id>", "<second_subnet_id>"]
  create_cluster      = false
  cluster_name        = "<your existing cluster name>"
  ```
- `custom_iam_task_exec_role_arn` - This variable can be used to overwrite the IAM role used for ECS task execution.
- `deploy_alb` - This variable can be set to false to disable the deployment of ALBs. If disabled, the DNS subdomain and ACM certificate will not be generated. In this case, the following configuration should be set:
  ```hcl
  deploy_alb                  = false
  controller_target_group_arn = "arn:aws:elasticloadbalancing:AWS_REGION:ACCOUNT_ID:ARN_SUFFIX"
  datastore_target_group_arn  = "arn:aws:elasticloadbalancing:AWS_REGION:ACCOUNT_ID:ARN_SUFFIX" # if deploy_datastore = true
  demo_app_target_group_arn   = "arn:aws:elasticloadbalancing:AWS_REGION:ACCOUNT_ID:ARN_SUFFIX" # if deploy_demo_app = true
  ```
  If target groups are not passed, the load balancer configuration block in the task definition will be disabled.
- `internal` - Boolean variable which switches the ALBs to internal only. If `domain_name` is provided, a private hosted zone will be created for that domain. Usually used with a wildcard certificate.
- A wildcard certificate can be used with the `datastore_acm_certificate_arn` and `controller_acm_certificate_arn` variables. When these are used, create CNAME records for the controller and datastore from the outputs of this module (`controller_endpoint`, `datastore_endpoint`) so that they match the certificate's domain.
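A pre-flight lint for the variable combinations described in the certificate/DNS section and in the options above, added here as an example; it is not part of the module. Variable names and defaults come from the inputs table, while `check_config`, `DEFAULTS`, `TG_PREFIX` and the severity labels are assumptions of this example.

```python
"""Pre-flight lint for the variable combinations this README describes.
Added example, not part of the module: variable names and defaults come from
the inputs table; the rules, severities and check_config() itself are mine."""

# Subset of the documented defaults that the rules below depend on.
DEFAULTS = {
    "rookout_token": "", "domain_name": "", "deploy_alb": True,
    "deploy_datastore": True, "deploy_demo_app": False, "create_vpc": True,
    "create_cluster": True, "cluster_name": "", "vpc_id": "",
    "vpc_public_subnets": [], "vpc_private_subnets": [],
    "demo_app_controller_host": "", "controller_target_group_arn": "",
    "datastore_target_group_arn": "", "demo_app_target_group_arn": "",
}
TG_PREFIX = "arn:aws:elasticloadbalancing:"  # ARN form the README shows for target groups


def check_config(tfvars):
    """Return (severity, message) findings for a dict of module variables,
    i.e. what a .tfvars file would hold; an empty list means nothing to fix."""
    v = {**DEFAULTS, **tfvars}
    out = []
    if not v["rookout_token"]:
        out.append(("error", "rookout_token must be set"))
    if not v["create_vpc"]:  # existing VPC: id and both subnet lists are needed
        for k in ("vpc_id", "vpc_public_subnets", "vpc_private_subnets"):
            if not v[k]:
                out.append(("error", f"{k} is required when create_vpc = false"))
    elif v["vpc_id"]:
        out.append(("warn", "vpc_id is only used when create_vpc = false"))
    if not v["create_cluster"] and not v["cluster_name"]:
        out.append(("error", "cluster_name is required when create_cluster = false"))
    # Self-managed certificates (no domain_name): the module creates no DNS
    # records, so the demo rook must be told the controller's CNAME.
    if v["deploy_demo_app"] and not v["domain_name"] and not v["demo_app_controller_host"]:
        out.append(("error", "demo_app_controller_host is required for the demo app without domain_name"))
    if not v["deploy_alb"]:
        if v["domain_name"]:
            out.append(("info", "deploy_alb = false: no subdomain or ACM certificate is generated"))
        for comp, deployed in (("controller", True), ("datastore", v["deploy_datastore"]),
                               ("demo_app", v["deploy_demo_app"])):
            arn = v[f"{comp}_target_group_arn"]
            if deployed and not arn:  # README: the task then gets no load balancer block
                out.append(("warn", f"{comp}_target_group_arn missing: task definition gets no load balancer block"))
            elif arn and not arn.startswith(TG_PREFIX):
                out.append(("error", f"{comp}_target_group_arn is not an ELBv2 target group ARN"))
    return out


if __name__ == "__main__":
    # Constructed sample: existing VPC with ALBs disabled, datastore kept.
    for sev, msg in check_config({"rookout_token": "REDACTED", "create_vpc": False,
                                  "vpc_id": "vpc-0123", "deploy_alb": False}):
        print(f"[{sev}] {msg}")
```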
Name | Version |
---|---|
terraform | >= 0.14 |
aws | >= 5.0 |
awsutils | >= 0.11.0 |
Name | Version |
---|---|
aws | 5.1.0 |
Name | Source | Version |
---|---|---|
acm | terraform-aws-modules/acm/aws | ~> 3.0 |
vpc | terraform-aws-modules/vpc/aws | 4.0.2 |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| additional_controller_env_vars | Additional env variables of the controller, configured as a map of key=values | any | `{}` | no |
| additional_datastore_env_vars | Additional env variables of the datastore, configured as a map of key=values | any | `{}` | no |
| additional_demo_app_env_vars | Additional env variables of the demo app, configured as a map of key=values | any | `{}` | no |
| cluster_name | ECS cluster name, if deploying to an existing one | string | `""` | no |
| controller_acm_certificate_arn | ARN of a pre-imported SSL certificate in ACM for the Rookout controller's public access; if only the datastore ACM certificate is provided, the controller ALB will be internal | string | `""` | no |
| controller_alb_sg_igress_cidr_blocks | Ingress CIDRs for the controller's ALB security group | list(string) | `[` | no |
| controller_image | Controller image name | string | `"rookout/controller"` | no |
| controller_replicas | Rookout on-prem controller replica count | string | `2` | no |
| controller_resource | Rookout on-prem controller resource map | map(any) | `{` | no |
| controller_sg_igress_cidr_blocks | Ingress CIDRs of the controller security group | list(string) | `[` | no |
| controller_target_group_arn | Target group used by controller ECS tasks | string | `""` | no |
| controller_version | Controller image version | string | `"latest"` | no |
| create_cluster | Whether to create a cluster or use an existing one | bool | `true` | no |
| create_vpc | Whether to create a VPC (see the vpc_* variables) | bool | `true` | no |
| custom_iam_task_exec_role_arn | ECS execution IAM role overwrite; pass the ARN of an existing IAM role | string | `""` | no |
| datastore_acm_certificate_arn | ARN of a pre-imported SSL certificate in ACM for the Rookout datastore's public access | string | `""` | no |
| datastore_alb_sg_igress_cidr_blocks | Ingress CIDRs for the datastore's ALB security group | list(string) | `[` | no |
| datastore_image | Datastore image name | string | `"rookout/data-on-prem"` | no |
| datastore_resource | Rookout on-prem datastore resource map | map(any) | `{` | no |
| datastore_sg_igress_cidr_blocks | Ingress CIDRs of the datastore security group | list(string) | `[` | no |
| datastore_target_group_arn | Target group used by datastore ECS tasks | string | `""` | no |
| datastore_version | Datastore image version | string | `"latest"` | no |
| demo_app_alb_sg_igress_cidr_blocks | Ingress CIDRs for the demo app's ALB security group | list(string) | `[` | no |
| demo_app_controller_host | Host through which the demo rook connects to the controller using WebSocket | string | `""` | no |
| demo_app_sg_igress_cidr_blocks | Ingress CIDRs of the demo app security group | list(string) | `[` | no |
| demo_app_target_group_arn | Target group used by demo application ECS tasks | string | `""` | no |
| deploy_alb | Set to false to not deploy ALBs for ECS tasks; if false, provide a target group for each | bool | `true` | no |
| deploy_datastore | (Optional) If true, deploys Rookout's datastore locally | bool | `true` | no |
| deploy_demo_app | (Optional) If true, deploys the demo Flask application to start debugging | bool | `false` | no |
| domain_name | DNS domain under which the `rookout` subdomain is created | string | `""` | no |
| enforce_token | Whether to enforce the token in the controller | bool | `true` | no |
| environment | Environment name | string | `"rookout"` | no |
| internal | Flag to switch the deployment to internal | bool | `false` | no |
| internal_controller_alb | If a domain is provided, switching this on makes the controller reachable internally only | bool | `false` | no |
| region | AWS region; the provider's region is used by default | string | `""` | no |
| rookout_token | Rookout token | string | `""` | no |
| subdomain_vpc_association | Flag for association of a hosted zone with a VPC | bool | `true` | no |
| vpc_availability_zones | n/a | list(string) | `[` | no |
| vpc_cidr | n/a | string | `"172.30.1.0/25"` | no |
| vpc_id | VPC id; should be passed only if create_vpc = false | string | `""` | no |
| vpc_private_subnets | n/a | list(string) | `[` | no |
| vpc_public_subnets | n/a | list(string) | `[` | no |
| Name | Description |
|---|---|
| controller_dns | Rookout's on-prem controller DNS |
| controller_endpoint | Rookout's on-prem controller endpoint |
| datastore_dns | Rookout's on-prem datastore DNS |
| datastore_endpoint | Rookout's on-prem datastore endpoint |
| demo_dns | Rookout's Flask application DNS |
| demo_endpoint | Rookout's Flask application endpoint |
| ecs_cluster_id | ECS cluster |
| vpc_id | ID of the created VPC |