Sanitize company references and update Vault/Grafana endpoints
@ -42,12 +42,14 @@ jobs:
|
||||
- name: Terraform init (no backend)
|
||||
working-directory: ${{ env.WORKDIR }}
|
||||
env:
|
||||
VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
|
||||
VAULT_TOKEN: ${{ secrets.VAULT_TOKEN }}
|
||||
run: terraform init
|
||||
|
||||
- name: Terraform validate
|
||||
working-directory: ${{ env.WORKDIR }}
|
||||
env:
|
||||
VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
|
||||
VAULT_TOKEN: ${{ secrets.VAULT_TOKEN }}
|
||||
run: terraform validate
|
||||
|
||||
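Review bot: The `Terraform init (no backend)` and `Terraform validate` steps receive `VAULT_ADDR` and `VAULT_TOKEN` in their `env:` blocks although neither command configures providers or contacts Vault, so the token is handed to two steps that cannot use it; drop the `env:` block from both and keep it only on the plan and apply steps. The same applies to the init steps in the next two hunks. Passing `secrets.VAULT_TOKEN` straight through also makes every run share one static token, whereas the README deleted in this commit described an AppRole login that mints a per-run token; if the stored token is long-lived, a login step that exchanges role-id/secret-id for a short-TTL token would be the safer shape. The enclosing job definition starts before this hunk.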
@ -61,12 +63,14 @@ jobs:
|
||||
- name: Terraform init (no backend)
|
||||
working-directory: ${{ env.WORKDIR }}
|
||||
env:
|
||||
VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
|
||||
VAULT_TOKEN: ${{ secrets.VAULT_TOKEN }}
|
||||
run: terraform init
|
||||
|
||||
- name: Terraform plan
|
||||
working-directory: ${{ env.WORKDIR }}
|
||||
env:
|
||||
VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
|
||||
VAULT_TOKEN: ${{ secrets.VAULT_TOKEN }}
|
||||
run: terraform plan -refresh=false -lock=false -out=tfplan
|
||||
|
||||
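Review bot: `terraform plan -refresh=false -lock=false -out=tfplan` runs right after an init with no backend on what appears to be a fresh runner, so the plan always starts from empty state: it proposes creating every resource and can never report drift against what already exists in Grafana. The apply job in the next hunk has the same starting point and will try to recreate resources that already exist. The `tfplan` file also captures the results of the `vault_kv_secret_v2` data sources in plaintext, so it must not be uploaded as a workflow artifact; whether it is cannot be seen from this hunk. The enclosing job starts before this hunk.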
@ -81,11 +85,13 @@ jobs:
|
||||
- name: Terraform init (no backend)
|
||||
working-directory: ${{ env.WORKDIR }}
|
||||
env:
|
||||
VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
|
||||
VAULT_TOKEN: ${{ secrets.VAULT_TOKEN }}
|
||||
run: terraform init
|
||||
|
||||
- name: Terraform apply (manual trigger)
|
||||
working-directory: ${{ env.WORKDIR }}
|
||||
env:
|
||||
VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
|
||||
VAULT_TOKEN: ${{ secrets.VAULT_TOKEN }}
|
||||
run: terraform apply -refresh=false -lock=false -auto-approve
|
||||
|
||||
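Review bot: The apply step runs `terraform apply -refresh=false -lock=false -auto-approve` without the `tfplan` produced by the plan job, so what is applied is a fresh plan computed at apply time rather than the one that was reviewed; with no backend there is no shared state or plan file between the two jobs in any case. Because locking is disabled and the step is manually triggered, two dispatches can apply at the same time; a workflow-level `concurrency: { group: terraform-apply, cancel-in-progress: false }` would serialize them until a locking backend is restored. The enclosing job starts before this hunk.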
@ -1,18 +0,0 @@
|
||||
# grafana-terraform
|
||||
Конфигурация Grafana
|
||||
## Интеграция с Hashicorp Vault
|
||||
В кластере **vault.pyn.ru** создана **approle infraservice-iac** с правами на чтение секретов из хранилища `app/data/groups/infraservice/*`.
|
||||
Все члены группы **/vault-infraservice** могут посмотреть role-id с помощью `vault read auth/approle/role/infraservice-iac/role-id`, а также создать secret-id командой cli `vault write -f auth/approle/role/infraservice-iac/secret-id`.
|
||||
Для успешной авторизации в Vault перед запуском нужно установить переменную окружения `VAULT_TOKEN` с токеном авторизации в значении.
|
||||
## Запуск
|
||||
Запуск осуществляется из директории окружения, например `environments/test`. Перед запуском необходимо задать переменные окружения из файла с переменными `.env` со следующим содержимым:
|
||||
```bash
|
||||
set -a
|
||||
# ключи для s3 backend'ов можно найти в Vault
|
||||
AWS_ACCESS_KEY_ID="<ключ для доступа к s3 бэкэнду>"
|
||||
AWS_SECRET_ACCESS_KEY="<секретный ключ для доступа к s3 бэкэнду>"
|
||||
VAULT_ROLE_ID="<role_id для approle vault>"
|
||||
VAULT_SECRET_ID="<secret_id для approle vault>"
|
||||
VAULT_TOKEN=$(curl -s -X POST -d "{\"role_id\":\"$VAULT_ROLE_ID\",\"secret_id\":\"$VAULT_SECRET_ID\"}" \
|
||||
https://vault.pyn.ru/v1/auth/approle/login | jq -r .auth.client_token)
|
||||
```
|
||||
@ -8,17 +8,4 @@ terraform {
|
||||
source = "hashicorp/vault"
|
||||
}
|
||||
}
|
||||
|
||||
backend "s3" {
|
||||
endpoints = {
|
||||
s3 = "https://storage.yandexcloud.net" }
|
||||
bucket = "monitoring-vcmt-core-deploy"
|
||||
region = "ru-central1"
|
||||
key = "dev-denis-practic/terraform.tfstate"
|
||||
skip_region_validation = true
|
||||
skip_credentials_validation = true
|
||||
skip_requesting_account_id = true
|
||||
skip_s3_checksum = true
|
||||
skip_metadata_api_check = true
|
||||
}
|
||||
}
|
||||
|
||||
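Review bot: Terraform state becomes local once the `backend "s3"` block is gone, and that state file holds the values read by the `vault_kv_secret_v2` data sources — including the Grafana admin password — in plaintext on whichever machine ran it; combined with the CI workflow's `init (no backend)` steps the file is also discarded between runs, so nothing records what the configuration manages. If the goal is only to stop committing the Yandex endpoint and bucket name, a partial backend configuration (`backend "s3" {}` with the values supplied via `-backend-config=` at init) keeps remote, locked state without those values in the repo. The second copy of this hunk further down has the same issue. The hunk counts (-8,17 +8,4) imply one added line that is not identifiable in this rendering.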
@ -37,7 +37,7 @@ module "grafana_contact_points01" {
|
||||
source = "../../../modules/grafana_contact_points"
|
||||
org_id = var.org_id
|
||||
env = var.env
|
||||
grafana_url = "https://grafana-dev.hhmon.ru/"
|
||||
grafana_url = "https://grafana.pvenode.ru/"
|
||||
contact_points = local.contact_points
|
||||
providers = {
|
||||
grafana = grafana.grafana01
|
||||
|
||||
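Review bot: `grafana_url` in `module "grafana_contact_points01"` is a literal that duplicates the `url` of `provider "grafana"` changed elsewhere in this commit, and both are updated by hand in lockstep; a single `local.grafana_url` (or a variable) referenced from both places would keep the module and the provider from pointing at different instances. Which of the two `grafana_url` lines is the old one cannot be told from this rendering. The same applies to the second copy of this hunk further down. The module block continues past the hunk.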
@ -1,21 +1,20 @@
|
||||
provider "vault" {
|
||||
address = "https://vault.pyn.ru"
|
||||
skip_child_token = true
|
||||
}
|
||||
|
||||
data "vault_kv_secret_v2" "secret_ext" { # Секреты для подключения к внешним источникам (mm, clickhouse и т.д.)
|
||||
mount = "app"
|
||||
name = "groups/infraservice/monitoring/grafana/dev/ext"
|
||||
name = "groups/monitoring/grafana/dev/ext"
|
||||
}
|
||||
|
||||
data "vault_kv_secret_v2" "secret_int" { # Секреты для работы самой графаны
|
||||
mount = "app"
|
||||
name = "groups/infraservice/monitoring/grafana/dev/int"
|
||||
name = "groups/monitoring/grafana/dev/int"
|
||||
}
|
||||
|
||||
provider "grafana" {
|
||||
alias = "grafana01"
|
||||
url = "https://grafana-dev.hhmon.ru/"
|
||||
url = "https://grafana.pvenode.ru/"
|
||||
auth = data.vault_kv_secret_v2.secret_int.data["grafana_local_admin_password"]
|
||||
http_headers = local.grafana_headers
|
||||
}
|
||||
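Review bot: `provider "grafana"` authenticates with `data.vault_kv_secret_v2.secret_int.data["grafana_local_admin_password"]`, the instance's local admin password, which is more privilege than managing contact points requires and ends up in Terraform state; a Grafana service-account token limited to the alerting permissions, stored under the same Vault path, is the least-privilege equivalent. `provider "vault"` sets `skip_child_token = true`, so the token supplied through `VAULT_TOKEN` is used as-is with its full TTL and policies, which deserves a comment such as `# token and address come from VAULT_TOKEN/VAULT_ADDR set by the caller; no child token, so the caller's TTL applies`. The `address` line appears without a replacement in this rendering, so whether it was removed in favour of `VAULT_ADDR` cannot be confirmed here. The same applies to the second copy of this hunk further down.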
@ -8,17 +8,4 @@ terraform {
|
||||
source = "hashicorp/vault"
|
||||
}
|
||||
}
|
||||
|
||||
backend "s3" {
|
||||
endpoints = {
|
||||
s3 = "https://storage.yandexcloud.net" }
|
||||
bucket = "monitoring-vcmt-core-deploy"
|
||||
region = "ru-central1"
|
||||
key = "a.dibrov-practic/terraform.tfstate"
|
||||
skip_region_validation = true
|
||||
skip_credentials_validation = true
|
||||
skip_requesting_account_id = true
|
||||
skip_s3_checksum = true
|
||||
skip_metadata_api_check = true
|
||||
}
|
||||
}
|
||||
|
||||
@ -37,7 +37,7 @@ module "grafana_contact_points01" {
|
||||
source = "../../../modules/grafana_contact_points"
|
||||
org_id = var.org_id
|
||||
env = var.env
|
||||
grafana_url = "https://grafana-dev.hhmon.ru/"
|
||||
grafana_url = "https://grafana.pvenode.ru/"
|
||||
contact_points = local.contact_points
|
||||
providers = {
|
||||
grafana = grafana.grafana01
|
||||
|
||||
@ -1,21 +1,20 @@
|
||||
provider "vault" {
|
||||
address = "https://vault.pyn.ru"
|
||||
skip_child_token = true
|
||||
}
|
||||
|
||||
data "vault_kv_secret_v2" "secret_ext" { # Секреты для подключения к внешним источникам (mm, clickhouse и т.д.)
|
||||
mount = "app"
|
||||
name = "groups/infraservice/monitoring/grafana/dev/ext"
|
||||
name = "groups/monitoring/grafana/dev/ext"
|
||||
}
|
||||
|
||||
data "vault_kv_secret_v2" "secret_int" { # Секреты для работы самой графаны
|
||||
mount = "app"
|
||||
name = "groups/infraservice/monitoring/grafana/dev/int"
|
||||
name = "groups/monitoring/grafana/dev/int"
|
||||
}
|
||||
|
||||
provider "grafana" {
|
||||
alias = "grafana01"
|
||||
url = "https://grafana-dev.hhmon.ru/"
|
||||
url = "https://grafana.pvenode.ru/"
|
||||
auth = data.vault_kv_secret_v2.secret_int.data["grafana_local_admin_password"]
|
||||
http_headers = local.grafana_headers
|
||||
}
|
||||