add s3 bucket for backup and switch to using vpc_security_group for ec2 instances

Author: anarwal

README.md

@@ -42,6 +42,8 @@ module "gitlab" {
       gitlab_lfs_s3_bucket_name         = var.gitlab_lfs_s3_bucket_name
       gitlab_packages_s3_bucket_name    = var.gitlab_packages_s3_bucket_name
       gitlab_registry_s3_bucket_name    = var.gitlab_registry_s3_bucket_name
+      gitlab_backup_s3_bucket_name      = var.gitlab_backup_s3_bucket_name
+      gitlab_kms_alias                  = var.gitlab_kms_alias
 }
 ```
 
@@ -59,6 +61,7 @@ module "gitlab" {
 | gitlab_lfs_s3_bucket_name         | Name of Gitlab LFS S3 bucket                                                                                              | `string`| ""                 | yes      |
 | gitlab_packages_s3_bucket_name    | Name of Gitlab Packages S3 bucket                                                                                         | `string`| ""                 | yes      |
 | gitlab_registry_s3_bucket_name    | Name of Gitlab Registry S3 bucket                                                                                         | `string`| ""                 | yes      |
+| gitlab_backup_s3_bucket_name      | Name of Gitlab Backup S3 bucket                                                                                           | `string`| ""                 | yes      |
 | dns_name                          | Domain name for which the certificate should be issued                                                                    | `string`| ""                 | yes      |
 | domain_name                       | ALB record53 entry domain name                                                                                            | `string`| ""                 | yes      |
 | public_subnet_id                  | List of public subnet IDs to attach                                                                                       | `list`  | `<list>`           | yes      |
@@ -73,7 +76,7 @@ module "gitlab" {
 | gitlab_alb_ideal_timeout          | Time in seconds that the connection is allowed to be idle.                                                                | `number`| `60`               | no       |
 | gitlab_application_ami            | AMI of gitlab application to be used with Gitlab instance.                                                                | `string`| ""                 | yes      |
 | zone_id                           | ID of the hosted zone to contain Route53 record.                                                                          | `string`| ""                 | yes      |
-| alias                             | Display name of KMS Key alias. Name must start with the word `alias` followed by a forward slash                          | `string`| `alias/gitlab-kms` | no       |
+| gitlab_kms_alias                  | Display name of KMS Key alias. Name must start with the word `alias` followed by a forward slash                          | `string`| ""                 | yes      |
 | enable_key_rotation               | Specifies whether key rotation is enabled                                                                                 | `bool`  | `true`             | no       |
 | ssh_key_name                      | SSH key for ec2 ssh                                                                                                       | `string`| ""                 | yes      |
 

module/single-node-omnibus/bastion.tf

@@ -1,11 +1,11 @@
 resource "aws_instance" "bastion" {
-  instance_type   = "t2.micro"
-  subnet_id       = data.aws_subnet.public_selected.id
-  security_groups = [aws_security_group.external_ssh.id]
-  key_name        = var.ssh_key_name
-  ami             = data.aws_ami.centos.id
-  volume_tags     = { "Name" = format("%s-bastion-ebs", module.gitlab_label.name), "Environment" = module.gitlab_label.stage}
-  tags            = { "Name" = format("%s-bastion", module.gitlab_label.name), "Environment" = module.gitlab_label.stage}
+  instance_type          = "t2.micro"
+  subnet_id              = data.aws_subnet.public_selected.id
+  vpc_security_group_ids = [aws_security_group.external_ssh.id]
+  key_name               = var.ssh_key_name
+  ami                    = data.aws_ami.centos.id
+  volume_tags            = { "Name" = format("%s-bastion-ebs", module.gitlab_label.name), "Environment" = module.gitlab_label.stage}
+  tags                   = { "Name" = format("%s-bastion", module.gitlab_label.name), "Environment" = module.gitlab_label.stage}
 }
 
 resource "aws_eip" "bastion" {

module/single-node-omnibus/ec2.tf

@@ -2,7 +2,7 @@ resource "aws_instance" "gitlab_application" {
   ami                         = var.gitlab_application_ami
   instance_type               = "m4.xlarge"
   subnet_id                   = data.aws_subnet.private_selected.id
-  security_groups             = flatten([aws_security_group.internal_ssh.id ,aws_security_group.internal_gitlab.id])
+  vpc_security_group_ids      = flatten([aws_security_group.internal_ssh.id ,aws_security_group.internal_gitlab.id])
   key_name                    = var.ssh_key_name
   user_data                   = data.template_cloudinit_config.config.rendered
   associate_public_ip_address = false

module/single-node-omnibus/iam.tf

@@ -67,7 +67,7 @@ EOF
 }
 
 resource "aws_iam_role" "dlm_lifecycle_role" {
-  name = "dlm-lifecycle-role"
+  name = format("%s-role",module.gitlab_label.id)
 
   assume_role_policy = <<EOF
 {
@@ -86,8 +86,8 @@ resource "aws_iam_role" "dlm_lifecycle_role" {
 EOF
 }
 
-resource "aws_iam_role_policy" "dlm_lifecycle" {
-  name = "dlm-lifecycle-policy"
+resource "aws_iam_role_policy" "dlm_lifecycle_policy" {
+  name = format("%s-role-policy",module.gitlab_label.id)
   role = aws_iam_role.dlm_lifecycle_role.id
 
   policy = <<EOF

module/single-node-omnibus/kms.tf

@@ -6,6 +6,6 @@ resource "aws_kms_key" "gitlab_kms_key" {
 }
 
 resource "aws_kms_alias" "gitlab_kms_key_alias" {
-  name          = coalesce(var.alias, format("alias/%v", module.gitlab_label.id))
+  name          = coalesce(var.gitlab_kms_alias, format("alias/%v", module.gitlab_label.id))
   target_key_id = aws_kms_key.gitlab_kms_key.key_id
 }

module/single-node-omnibus/local-resources.tf

@@ -30,18 +30,19 @@ data "template_file" "gitlab_application_user_data" {
   template = "${file("${path.module}/templates/gitlab_application_user_data.tpl")}"
 
   vars = {
-    git_data_disk                   = "${var.gitlab_data_disk_device_name}"
-    git_data_disk_mount_point       = "${var.git_data_directory}"
-    s3_bucket_name                  = "${var.gitlab_artifactory_s3_bucket_name}"
+    git_data_disk                   = var.gitlab_data_disk_device_name
+    git_data_disk_mount_point       = var.git_data_directory
+    s3_bucket_name                  = var.gitlab_artifactory_s3_bucket_name
     s3_bucket_provider              = "AWS"
     s3_bucket_region                = "us-east-1"
-    s3_bucket_user_access_key       = "${aws_iam_access_key.s3_access_key.id}"
-    s3_bucket_user_secret_key       = "${aws_iam_access_key.s3_access_key.secret}"
-    artifactory_s3_bucket_name      = "${var.gitlab_artifactory_s3_bucket_name}"
-    lfs_s3_bucket_name              = "${var.gitlab_lfs_s3_bucket_name}"
-    packages_s3_bucket_name         = "${var.gitlab_packages_s3_bucket_name}"
-    registry_s3_bucket_name         = "${var.gitlab_registry_s3_bucket_name}"
-    domain_name                     = "${var.domain_name}"
+    s3_bucket_user_access_key       = aws_iam_access_key.s3_access_key.id
+    s3_bucket_user_secret_key       = aws_iam_access_key.s3_access_key.secret
+    artifactory_s3_bucket_name      = var.gitlab_artifactory_s3_bucket_name
+    lfs_s3_bucket_name              = var.gitlab_lfs_s3_bucket_name
+    packages_s3_bucket_name         = var.gitlab_packages_s3_bucket_name
+    registry_s3_bucket_name         = var.gitlab_registry_s3_bucket_name
+    backup_s3_bucket_name           = var.gitlab_backup_s3_bucket_name
+    domain_name                     = var.domain_name
   }
 }
 

module/single-node-omnibus/s3.tf

@@ -88,4 +88,27 @@ resource "aws_s3_bucket" "gitlab_registry_s3_bucket" {
   }
 
   tags = merge(module.gitlab_label.tags,  {"Bucket-Name" = format("%s-%s",module.gitlab_label.id, var.gitlab_registry_s3_bucket_name)})
+}
+
+# ---------------------------------------------------------------------------------------------------------------------------------------------
+# Create Backup S3 bucket
+# ---------------------------------------------------------------------------------------------------------------------------------------------
+resource "aws_s3_bucket" "gitlab_backup_s3_bucket" {
+  bucket        = format("%s-%s",module.gitlab_label.id, var.gitlab_backup_s3_bucket_name)
+  acl           = "private"
+  force_destroy = var.force_destroy_s3_bucket
+
+  server_side_encryption_configuration {
+    rule {
+      apply_server_side_encryption_by_default {
+      sse_algorithm = "AES256"
+      }
+    }
+  }
+
+  versioning {
+  enabled = true
+  }
+
+  tags = merge(module.gitlab_label.tags,  {"Bucket-Name" = format("%s-%s",module.gitlab_label.id, var.gitlab_backup_s3_bucket_name)})
 }

module/single-node-omnibus/templates/gitlab_application_user_data.sh

@@ -48,5 +48,4 @@ registry['storage'] = {'s3' => {'accesskey' => '${s3_bucket_user_access_key}','s
 ####! Docs: https://docs.gitlab.com/omnibus/settings/configuration.html#storing-git-data-in-an-alternative-directory
 git_data_dirs({'default' => { 'path' => '${git_data_disk_mount_point}'}}) " >> /etc/gitlab/gitlab.rb
 
-
 sudo gitlab-ctl reconfigure

module/single-node-omnibus/templates/gitlab_application_user_data.tpl

@@ -5,7 +5,7 @@ bootcmd:
     - sudo mkdir -p /etc/gitlab/ssl
     - sudo chmod 700 /etc/gitlab/ssl
     - sudo openssl req -newkey rsa:2048 -nodes -keyout /etc/gitlab/ssl/gitlabssl.key -x509 -days 3650 -out /etc/gitlab/ssl/gitlabssl.crt -subj "/CN=${domain_name}"
-    - sudo chmod 0400 /etc/gitlab/ssl/gitlabssl.*
+    - sudo chmod 600 /etc/gitlab/ssl/gitlabssl.*
 write_files:
     - content: |
         ####! External_Url
@@ -42,8 +42,13 @@ write_files:
         ####! For setting up different data storing directory
         ####! Docs: https://docs.gitlab.com/omnibus/settings/configuration.html#storing-git-data-in-an-alternative-directory
         git_data_dirs({'default' => { 'path' => '${git_data_disk_mount_point}'}})
+        ####! Backup Settings
+        ####! Docs: https://docs.gitlab.com/omnibus/settings/backups.html
+        gitlab_rails['backup_upload_connection'] = {'provider' => '${s3_bucket_provider}',    'region' => '${s3_bucket_region}',    'aws_access_key_id' => '${s3_bucket_user_access_key}', 'aws_secret_access_key' => '${s3_bucket_user_secret_key}'}
+        gitlab_rails['backup_upload_remote_directory'] = "${backup_s3_bucket_name}"
       path: /etc/gitlab/gitlab.rb
       permissions: '0600'
 runcmd:
-    - [ mount, ${git_data_disk}, ${git_data_disk_mount_point} ]
-    - [ gitlab-ctl, reconfigure ]
+    - [mount, ${git_data_disk}, ${git_data_disk_mount_point}]
+    - [chown, -R, "git:git", ${git_data_disk_mount_point}]
+    - [gitlab-ctl, reconfigure]