├── .gitignore
├── LICENSE
├── Makefile
├── README.md
├── Vagrantfile
├── ansible
    ├── roles
    │   ├── common
    │   │   ├── tasks
    │   │   │   ├── main.yml
    │   │   │   ├── packages.yml
    │   │   │   ├── services.yml
    │   │   │   └── slack.yml
    │   │   └── templates
    │   │   │   ├── ec2tags.sh.j2
    │   │   │   ├── path.sh.j2
    │   │   │   ├── prompt.sh.j2
    │   │   │   ├── slack.j2
    │   │   │   └── slack_ssh_notify.j2
    │   ├── datadog
    │   │   ├── CHANGELOG.md
    │   │   ├── README.md
    │   │   ├── defaults
    │   │   │   └── main.yml
    │   │   ├── handlers
    │   │   │   └── main.yml
    │   │   ├── meta
    │   │   │   └── main.yml
    │   │   ├── tasks
    │   │   │   ├── checks.yml
    │   │   │   ├── main.yml
    │   │   │   └── pkg-redhat.yml
    │   │   └── templates
    │   │   │   ├── checks.yaml.j2
    │   │   │   ├── datadog.conf.j2
    │   │   │   ├── datadog.repo.j2
    │   │   │   └── process.yaml.j2
    │   ├── loggly
    │   │   ├── LICENSE
    │   │   ├── README.md
    │   │   ├── defaults
    │   │   │   └── main.yml
    │   │   ├── handlers
    │   │   │   └── main.yml
    │   │   ├── meta
    │   │   │   └── main.yml
    │   │   ├── tasks
    │   │   │   ├── CentOS.yml
    │   │   │   ├── Ubuntu.yml
    │   │   │   └── main.yml
    │   │   ├── templates
    │   │   │   ├── 22-loggly.conf.j2
    │   │   │   └── loggly_full.crt.j2
    │   │   └── vars
    │   │   │   ├── CentOS.yml
    │   │   │   ├── Ubuntu.yml
    │   │   │   └── main.yml
    │   ├── newrelic
    │   │   ├── defaults
    │   │   │   └── main.yml
    │   │   ├── handlers
    │   │   │   └── main.yml
    │   │   ├── tasks
    │   │   │   └── main.yml
    │   │   └── templates
    │   │   │   ├── newrelic.cfg.j2
    │   │   │   ├── newrelic.ini.j2
    │   │   │   └── newrelic.repo.j2
    │   ├── nginx
    │   │   ├── handlers
    │   │   │   └── main.yml
    │   │   ├── tasks
    │   │   │   ├── main.yml
    │   │   │   └── vhost.yml
    │   │   └── templates
    │   │   │   ├── 21-nginx-loggly.conf.j2
    │   │   │   ├── nginx.conf.j2
    │   │   │   └── wp.conf.j2
    │   ├── php-fpm
    │   │   ├── handlers
    │   │   │   └── main.yml
    │   │   ├── tasks
    │   │   │   └── main.yml
    │   │   └── templates
    │   │   │   └── wordpress.conf.j2
    │   ├── rsyslog
    │   │   ├── .travis.yml
    │   │   ├── LICENSE
    │   │   ├── README.md
    │   │   ├── defaults
    │   │   │   └── main.yml
    │   │   ├── handlers
    │   │   │   └── main.yml
    │   │   ├── meta
    │   │   │   └── main.yml
    │   │   ├── tasks
    │   │   │   ├── CentOS.yml
    │   │   │   ├── Ubuntu.yml
    │   │   │   ├── logs.yml
    │   │   │   └── main.yml
    │   │   ├── templates
    │   │   │   ├── app.conf.j2
    │   │   │   └── rsyslog.conf.j2
    │   │   ├── tests
    │   │   │   ├── inventory
    │   │   │   └── test.yml
    │   │   └── vars
    │   │   │   ├── CentOS.yml
    │   │   │   ├── Ubuntu.yml
    │   │   │   └── main.yml
    │   └── wordpress
    │   │   ├── tasks
    │   │       └── main.yml
    │   │   └── templates
    │   │       └── deploy_wordpress.j2
    └── wp.yml
├── examples
    ├── advanced.tf
    ├── basic-with-fastly-statuscake.tf
    ├── basic-with-fastly.tf
    ├── basic-with-statuscake.tf
    ├── basic.tf
    └── no-rds.tf
├── mikado.conf.example
├── packer
    └── wp.json
├── resources
    └── mikado-infra.png
├── scripts
    ├── aws_data.sh
    ├── deploy_ami.sh
    ├── install.py
    ├── install.yaml
    ├── mikado-boom
    └── yamlordereddictloader.py
└── terraform
    ├── asg
        ├── asg.tf
        ├── elb.tf
        ├── iam.tf
        ├── output.tf
        ├── sg.tf
        ├── variables.tf
        └── watches.tf
    ├── base.tf
    ├── base_3rdparty.tf
    ├── cloudtrail
        └── cloudtrail.tf
    ├── datadog
        └── datadog.tf
    ├── efs
        └── efs.tf
    ├── loggly
        └── loggly.tf
    ├── sg
        └── sg.tf
    ├── variables.tf
    ├── vpc
        ├── tf_aws_vpc
        │   ├── .gitignore
        │   ├── LICENSE
        │   ├── README.md
        │   ├── main.tf
        │   ├── outputs.tf
        │   └── variables.tf
        └── vpc.tf
    ├── wp-fastly
        ├── fastly.tf
        ├── fastly_service.vcl
        ├── provider.tf
        ├── r53.tf
        ├── s3.tf
        ├── sg.tf
        └── variables.tf
    ├── wp-statuscake
        └── statuscake.tf
    └── wp
        ├── ami.tf
        ├── asg.tf
        ├── r53.tf
        ├── rds.tf
        ├── sg.tf
        └── variables.tf


/.gitignore:
--------------------------------------------------------------------------------
 1 | *.mk
 2 | terraform.tfstate*
 3 | terraform.tfplan
 4 | .tfplan
 5 | .terraform
 6 | .packer-out.log
 7 | .vagrant
 8 | terraform/wpexample.com.tf
 9 | terraform-error-1480468042.log
10 | .mikado
11 | mikado.conf
12 | mikado.conf.dev
13 | __pycache__
14 | *.pyc
15 | .DS_Store
16 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2016 Nandor Sivok
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
 1 | .PHONY: build-ami deploy-ami plan apply destroy graph clean
 2 | 
 3 | -include .mikado.conf.mk
 4 | -include .aws_data.mk
 5 | 
 6 | .mikado.conf.mk:
 7 | 	@cat mikado.conf | sed 's/"//g ; s/=/:=/' > .mikado.conf.mk
 8 | 
 9 | .aws_data.mk:
10 | 	@bash ./scripts/aws_data.sh | sed 's/"//g ; s/=/:=/' > .aws_data.mk
11 | 
12 | update:
13 | 	@terraform get ./terraform
14 | 
15 | build-ami:
16 | 	@packer build packer/wp.json 2>&1 | tee .packer-out.log
17 | 	@$(MAKE) clean
18 | 
19 | deploy-ami:
20 | 	@bash ./scripts/deploy_ami.sh
21 | 	@$(MAKE) clean
22 | 
23 | # This target executes the terraform plan stage
24 | # This will not change anything in you AWS setup only displays the changes
25 | plan: update
26 | 	@terraform plan \
27 | 		-out ./.tfplan \
28 | 		./terraform
29 | 
30 | # Once you happy with the output of make plan run this target
31 | # This will change your remote resources
32 | apply: plan
33 | 	@while [ -z "$$CONTINUE" ]; do \
34 | 	    read -r -p "Dow you want to apply these changes? [y/N] " CONTINUE; \
35 | 	done ; \
36 | 	if [ ! $$CONTINUE == "y" ]; then \
37 | 	if [ ! $$CONTINUE == "Y" ]; then \
38 | 	    echo "Exiting." ; exit 1 ; \
39 | 	fi \
40 | 	fi
41 | 	@terraform apply \
42 | 		./terraform
43 | 	@$(MAKE) -s clean
44 | 
45 | graph: update
46 | 	@terraform graph \
47 | 		-draw-cycles ./terraform | dot -Tpng > graph.png
48 | 	@$(MAKE) -s clean
49 | 
50 | # Don't run this
51 | destroy: update
52 | 	@terraform plan -destroy -out ./terraform.tfplan ./terraform/
53 | 	@terraform apply ./terraform.tfplan
54 | 	@$(MAKE) -s clean
55 | 
56 | clean:
57 | 	@rm -rf ./.tmp
58 | 	@rm -rf ./.terraform
59 | 	@rm -f ./.mikado.conf.mk
60 | 	@rm -f ./.aws_data.mk
61 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # Mikado
  2 | 
  3 | 
  4 | ## Intro
  5 | 
  6 | Mikado helps managing your AWS infrastructure for WordPress sites by defining an out-of-box, highly available, easy-to-deploy setup.
  7 | 
  8 | The project goals are:
  9 | - Provide an oversimplified but flexible and resilient one-click WordPress deployment
 10 | - Create a widely used standardized WordPress infrastructure
 11 | - Implement performance, security and infrastructure best practices
 12 | - Have automated, auditable, and idempotent configuration
 13 | 
 14 | 
 15 | ## Overview
 16 | 
 17 | Mikado provides a fully automated way to deploy and maintain your infrastructure built with [Terraform](https://terraform.io/) and [Packer](https://packer.io/) + [Ansible](https://www.ansible.com/) with the following services integrated optionally:
 18 | 
 19 | - [Fastly](https://fastly.com/) - CDN
 20 | - [Statuscake](https://statuscake.com/) - external monitoring
 21 | - [Datadog](http://datadog.com/) - server monitoring & AWS resource monitoring
 22 | - [Loggly](https://loggly.com/) - remote log collection
 23 | - [Newrelic](https://newrelic.com/) - application monitoring
 24 | 
 25 | ## Infrastructure overview
 26 | 
 27 | ![Mikado overview](https://github.com/dominis/mikado/blob/master/resources/mikado-infra.png)
 28 | 
 29 | - Mikado will create its own VPC with public and private subnets in all the available Availability Zones in the selected region - providing a geo-redundant highly-available setup
 30 | - The WordPress site will be deployed to an Multi-AZ Auto scaling group with a set of pre-defined but fine tunable up/down scaling rules
 31 | - Uploaded assets are stored on an EFS drive
 32 | - A Multi-AZ RDS cluster is used in the database layer
 33 | - Route53 used to manage DNS for the site
 34 | - Optionally you can deploy a Fastly service for your site to cache all your requests.
 35 | 
 36 | ## Quick start
 37 | 
 38 | ```
 39 | curl -s https://raw.githubusercontent.com/dominis/mikado/master/scripts/mikado-boom > /tmp/mikado-boom ; bash /tmp/mikado-boom
 40 | ```
 41 | 
 42 | Mikado provides a Vagrant instance for local development with all the dependencies installed.
 43 | 
 44 | Also a dialog based installer provided.
 45 | 
 46 | ![mikado](https://cloud.githubusercontent.com/assets/157738/21269257/54795560-c3b2-11e6-90d9-8432dcb38e01.gif)
 47 | 
 48 | ### Manual setup
 49 | 
 50 | If you don't want to use the installer or you want more control of what's happening you can run the following steps:
 51 | 
 52 | ```
 53 | git clone https://github.com/dominis/mikado.git
 54 | cd mikado
 55 | 
 56 | # create your configuration
 57 | cp mikado.conf.example mikado.conf
 58 | vi mikado.conf
 59 | 
 60 | # now you can build the base infra
 61 | # this will create a VPC with subnets, IAM roles, trusted SG, EFS storage for the uploads
 62 | # more info in terraform/base*.tf
 63 | # NB terraform always called through make because of the config
 64 | make apply
 65 | 
 66 | 
 67 | # the next step is building your first AMI
 68 | # this image will be used in the Auto Scaling Group
 69 | make build-ami
 70 | 
 71 | # at this point you need to deploy this AMI to your production ASG
 72 | # this step is only needed because you need an AMI id to be able to create the ASG
 73 | # in the future you can create a new AMI and only deploy it to the test ASG
 74 | # more info at: https://github.com/dominis/mikado#working-with-amis
 75 | make deploy-ami
 76 | 
 77 | # go to the examples directory and find a config suitable for you
 78 | cp examples/basic.tf terraform/mydomain.tf
 79 | sed -i -e "s|###DOMAIN###|mydomain.com|g" terraform/mydomain.tf
 80 | 
 81 | make apply
 82 | 
 83 | # Apply complete! Resources: 45 added, 0 changed, 0 destroyed.
 84 | # 👏 🍾
 85 | ```
 86 | 
 87 | 
 88 | 
 89 | ### Deploying your website
 90 | 
 91 | Mikado has a very simple automated deploy workflow based on git and branches.
 92 | 
 93 | You need to set the `site_repo` variable in your `mikado.conf` file in the following format: `https://YOUR_GITHUB_OAUTH_TOKEN:x-oauth-basic@github.com/YOUR_GITHUB_USER/wordpress.example.com.git`
 94 | 
 95 | [More info on the token creation](https://help.github.com/articles/creating-an-access-token-for-command-line-use/)
 96 | 
 97 | 
 98 | Take a look at the [example repository](https://github.com/dominis/wordpress.example.com). The simplest way to start is forking this repo.
 99 | 
100 | #### Important information about the WordPress deploy process:
101 | 
102 | - `develop` branch will be deployed to the test server
103 | - `production` branch will be deployed to the prod server
104 | - the `wp-contents/uploads` directory should be ignored in the `.gitignore` and shouldn't exists in the repo, a symlink is created pointing to the EFS mount here automatically
105 | - for the test/prod database config check out the [wp-config.php](https://github.com/dominis/wordpress.example.com/blob/develop/wp-config-sample.php#L32-L36)
106 | - [this is the script](https://github.com/dominis/mikado/blob/master/ansible/roles/wordpress/templates/deploy_wordpress.j2) which pulls the changes from git every minute on the instances
107 | 
108 | ### Working with AMIs
109 | 
110 | With `make build-ami` you can generate new AMIs and with running `make apply` the latest AMI will be rolled out to the `test` ASG.
111 | 
112 | If you happy with the result on your test site you can run `make deploy-ami` to tag the AMI as production ready and with `make apply` you can initiate a rolling update on your production ASG.
113 | 
114 | ## FAQ
115 | 
116 | - Q: How can I ssh to my instances
117 | - A: Both the test and prod ELB exposes ssh for the IP blocks in the internal SG (TF_VAR_allowed_cidrs env var), so you can simply `ssh ec2-user@origin.domain.com` or `ssh ec2-user@test.domain.com`.
118 | 
119 | 
120 | - Q: The following error is thrown during `vagrant up`:
121 |     _The box 'bento/centos-7.1' could not be found or could not be accessed in the remote catalog. If this is a private box on HashiCorp's Atlas, please verify you're logged in via `vagrant login`. Also, please double-check the name. The expanded URL and error message are shown below:_ (sic!)
122 | - A: On version 1.8.7 the embedded curl Vagrant uses had a [bug](https://github.com/mitchellh/vagrant/issues/7969).
123 |     Workaround for v1.8.7: `sudo rm -rf /opt/vagrant/embedded/bin/curl`
124 |     Or, update Vagrant to v1.8.8
125 | 
126 | ## Mailing list
127 | 
128 | https://groups.google.com/forum/#!forum/mikado-dev
129 | 


--------------------------------------------------------------------------------
/Vagrantfile:
--------------------------------------------------------------------------------
 1 | # -*- mode: ruby -*-
 2 | # vi: set ft=ruby :
 3 | 
 4 | VAGRANTFILE_API_VERSION = "2"
 5 | UBUNTUVERSION = "16.04"
 6 | CPUCOUNT = "2"
 7 | RAM = "4096"
 8 | 
 9 | $script = <<SCRIPT
10 | export DEBIAN_PRIORITY=critical
11 | export DEBIAN_FRONTEND=noninteractive
12 | export DEBCONF_NONINTERACTIVE_SEEN=true
13 | APT_OPTS="--assume-yes --no-install-suggests --no-install-recommends -o Dpkg::Options::=\"--force-confdef\" -o Dpkg::Options::=\"--force-confold\""
14 | echo "Upgrading packages ..."
15 | apt-get update ${APT_OPTS} >/dev/null 2>&1
16 | apt-get upgrade ${APT_OPTS} >/dev/null 2>&1
17 | echo "Installing prerequisites ..."
18 | apt-get install ${APT_OPTS} \
19 |   build-essential \
20 |   curl \
21 |   zip \
22 |   dialog \
23 |   jq \
24 |   unzip \
25 |   python-pip \
26 |   python-setuptools \
27 |   python3-pip \
28 |   python3-setuptools \
29 |   >/dev/null
30 | 
31 | cd /usr/src
32 | echo "Downloading terraform and packer ..."
33 | wget --quiet https://releases.hashicorp.com/terraform/0.8.0/terraform_0.8.0_linux_amd64.zip
34 | wget --quiet https://releases.hashicorp.com/packer/0.12.0/packer_0.12.0_linux_amd64.zip
35 | echo "Installing terraform and packer ..."
36 | unzip terraform_0.8.0_linux_amd64.zip >/dev/null
37 | unzip packer_0.12.0_linux_amd64.zip >/dev/null
38 | mv terraform /usr/bin/
39 | mv packer /usr/bin/
40 | 
41 | echo "Installing python dependencies for the installer ..."
42 | pip install urllib3[secure] awscli >/dev/null 2>&1
43 | pip3 install pythondialog pyyaml >/dev/null 2>&1
44 | 
45 | # this is a workaround for the dialog bug
46 | echo 'export TERM=xterm' >> /home/vagrant/.bashrc
47 | SCRIPT
48 | 
49 | Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
50 |   config.vm.box = "bento/ubuntu-#{UBUNTUVERSION}"
51 |   config.vm.hostname = "mikado"
52 | 
53 |   config.vm.provision "prepare-shell", type: "shell", inline: "sudo sed -i '/tty/!s/mesg n/tty -s \\&\\& mesg n/' /root/.profile", privileged: false
54 |   config.vm.provision "initial-setup", type: "shell", inline: $script
55 |   config.vm.synced_folder '.', '/home/vagrant/mikado'
56 | 
57 |   config.vm.provider "virtualbox" do |v|
58 |     v.memory = "#{RAM}"
59 |     v.cpus = "#{CPUCOUNT}"
60 |   end
61 | 
62 |   config.vm.provider "docker" do |v, override|
63 |     override.vm.box = "tknerr/baseimage-ubuntu-#{UBUNTUVERSION}"
64 |   end
65 | 
66 |   ["vmware_fusion", "vmware_workstation"].each do |p|
67 |     config.vm.provider p do |v|
68 |       v.vmx["memsize"] = "#{RAM}"
69 |       v.vmx["numvcpus"] = "#{CPUCOUNT}"
70 |     end
71 |   end
72 | 
73 | 
74 |   config.vm.provider "parallels" do |prl|
75 |     prl.memory = "#{RAM}"
76 |     prl.cpus = "#{CPUCOUNT}"
77 |   end
78 | end
79 | 


--------------------------------------------------------------------------------
/ansible/roles/common/tasks/main.yml:
--------------------------------------------------------------------------------
  1 | ---
  2 | - include: packages.yml
  3 | - include: services.yml
  4 | - include: slack.yml
  5 |   when: slack_webhook_url is defined
  6 | 
  7 | # add our pubkeys
  8 | - authorized_key:
  9 |     user: ec2-user
 10 |     key: "{{ item }}"
 11 |   with_items:
 12 |     - "{{ rsa_public_key }}"
 13 | # You can add extra keys here
 14 | # eg:
 15 | #   - https://github.com/dominis.keys
 16 | 
 17 | # Disable ipv6
 18 | - sysctl:
 19 |     name: net.ipv6.conf.all.disable_ipv6
 20 |     value: 1
 21 |     state: present
 22 |     sysctl_file: /etc/sysctl.conf
 23 | 
 24 | - template:
 25 |     src: prompt.sh.j2
 26 |     dest: /etc/profile.d/prompt.sh
 27 |     owner: "root"
 28 |     group: "root"
 29 |     mode: 0655
 30 | 
 31 | - template:
 32 |     src: path.sh.j2
 33 |     dest: /etc/profile.d/path.sh
 34 |     owner: "root"
 35 |     group: "root"
 36 |     mode: 0655
 37 | 
 38 | # ruby stuff
 39 | - command: alternatives --set ruby /usr/bin/ruby2.3
 40 | - command: gem install facter --no-ri --no-rdoc
 41 | 
 42 | # This makes our automated life easier
 43 | - lineinfile:
 44 |     dest: /etc/ssh/ssh_config
 45 |     line: "{{ item }}"
 46 |   with_items:
 47 |     - 'StrictHostKeyChecking no'
 48 |     - 'UserKnownHostsFile /dev/null'
 49 | 
 50 | - file:
 51 |     name: /etc/facter/facts.d
 52 |     recurse: yes
 53 |     state: directory
 54 | 
 55 | # add ec2 tags to facter
 56 | - template:
 57 |     src: ec2tags.sh.j2
 58 |     dest: /etc/facter/facts.d/ec2tags.sh
 59 |     owner: "root"
 60 |     group: "root"
 61 |     mode: 0755
 62 | 
 63 | - command: /usr/local/bin/facter
 64 |   ignore_errors: yes
 65 | 
 66 | 
 67 | #######################
 68 | # M O N I T O R I N G #
 69 | #######################
 70 | - include: ../../datadog/tasks/checks.yml
 71 |   vars:
 72 |     datadog_checks:
 73 |       process:
 74 |         init_config:
 75 |         instances:
 76 |           - name: ssh
 77 |             search_string: [ 'ssh', 'sshd' ]
 78 |             thresholds:
 79 |               critical: [1, 7]
 80 |               warning: [3, 5]
 81 |       ntp:
 82 |         init_config:
 83 |         instances:
 84 |           - offset_threshold: 60
 85 |       process:
 86 |         init_config:
 87 |         instances:
 88 |         - name: ssh
 89 |           search_string: ['ssh', 'sshd']
 90 |           tags:
 91 |             - domain:"{{ domain }}"
 92 |       system_core:
 93 |         init_config:
 94 |         instances:
 95 |           tags:
 96 |             - domain:"{{ domain }}"
 97 |       network:
 98 |         init_config:
 99 |         instances:
100 |           - collect_connection_state: false
101 |             excluded_interfaces:
102 |               - lo
103 |               - lo0
104 |   ignore_errors: True
105 | #######################
106 | 


--------------------------------------------------------------------------------
/ansible/roles/common/tasks/packages.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | # Install
 3 | - yum:
 4 |     pkg: "{{ item }}"
 5 |     state: latest
 6 |   with_items:
 7 |     - procmail
 8 |     - git
 9 |     - htop
10 |     - jq
11 |     - lsof
12 |     - telnet
13 |     - strace
14 |     - mtr
15 |     - ntp
16 |     - ntpdate
17 |     - tmpwatch
18 |     - ruby23-devel
19 | 


--------------------------------------------------------------------------------
/ansible/roles/common/tasks/services.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | # Enabled services
 3 | - service:
 4 |     name: "{{ item }}"
 5 |     state: restarted
 6 |     enabled: yes
 7 |   with_items:
 8 |     - ntpd
 9 | 
10 | # Disabled services
11 | - service:
12 |     name: "{{ item }}"
13 |     state: stopped
14 |     enabled: no
15 |   with_items:
16 |     - iptables
17 |   ignore_errors: True
18 | 
19 | 


--------------------------------------------------------------------------------
/ansible/roles/common/tasks/slack.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | # wrapper script for messaging slack
 3 | - template:
 4 |     src: slack.j2
 5 |     dest: /usr/local/bin/slack
 6 |     owner: "root"
 7 |     group: "root"
 8 |     mode: 0755
 9 | 
10 | 
11 | # send notification on successful ssh session
12 | - template:
13 |     src: slack_ssh_notify.j2
14 |     dest: /usr/local/bin/slack_ssh_notify
15 |     owner: "root"
16 |     group: "root"
17 |     mode: 0755
18 | 
19 | - lineinfile:
20 |     dest: /etc/pam.d/sshd
21 |     line: "session optional pam_exec.so seteuid /usr/local/bin/slack_ssh_notify"
22 | 


--------------------------------------------------------------------------------
/ansible/roles/common/templates/ec2tags.sh.j2:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | instanceId=$(curl http://169.254.169.254/latest/meta-data/instance-id 2>/dev/null)
 4 | region=$(curl http://169.254.169.254/latest/meta-data/placement/availability-zone 2>/dev/null | sed 's/[a-z]$//g')
 5 | 
 6 | tags=$(/usr/bin/aws ec2 describe-tags --filters "Name=resource-id,Values=${instanceId}" --region ${region} | jq '.Tags[] | "ec2_tag_" + .Key + "=" + .Value'|tr -d '"' | tr [:upper:] [:lower:])
 7 | 
 8 | echo -ne "$tags"
 9 | 
10 | exit 0
11 | 


--------------------------------------------------------------------------------
/ansible/roles/common/templates/path.sh.j2:
--------------------------------------------------------------------------------
1 | export PATH=$PATH:/usr/local/bin
2 | 


--------------------------------------------------------------------------------
/ansible/roles/common/templates/prompt.sh.j2:
--------------------------------------------------------------------------------
 1 | name=$(/usr/local/bin/facter --external-dir /etc/facter/facts.d/ ec2_tag_name)
 2 | instance_id=$(/usr/local/bin/facter --external-dir /etc/facter/facts.d/ ec2_instance_id)
 3 | 
 4 | if [ $TERM == "xterm" ];
 5 | then
 6 |     export PROMPT_COMMAND='echo -ne "\033]0;${USER}@${name}-${instance_id}: ${PWD}\007"'
 7 | fi
 8 | 
 9 | if [ "PS1" ];
10 | then
11 |     export PS1="[\u@${name} \w]\\$ "
12 | fi
13 | 


--------------------------------------------------------------------------------
/ansible/roles/common/templates/slack.j2:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | message=$(cat)
 3 | channel="${2:-{{ slack_channel }}}"
 4 | host=$(facter --external-dir /etc/facter/facts.d/ ec2_tag_name)
 5 | ip=$(facter --external-dir /etc/facter/facts.d/ ec2_public_ipv4)
 6 | 
 7 | curl >/dev/null \
 8 |     -s \
 9 |     -X POST \
10 |     -d@- \
11 |     {{ slack_webhook_url }} << EOF
12 |     payload={
13 |         "channel": "${channel}",
14 |         "mrkdwn": true,
15 |         "username": "T-850",
16 |         "attachments": [{
17 |             "mrkdwn_in": ["text", "fallback"],
18 |             "fallback": "${message}",
19 |             "text": "${message}",
20 |             "fields": [
21 |                 {
22 |                     "title": "host",
23 |                     "value": "${host}"
24 |                 },
25 |                 {
26 |                     "title": "ip",
27 |                     "value": "${ip}"
28 |                 }
29 |             ],
30 |             "color": "#F35A00"
31 |         }],
32 |         "icon_emoji": ":robot_face:"
33 |     }
34 | EOF
35 | 


--------------------------------------------------------------------------------
/ansible/roles/common/templates/slack_ssh_notify.j2:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | channel="{{ slack_channel }}"
 3 | host=$(facter --external-dir /etc/facter/facts.d/ ec2_tag_name)
 4 | ip=$(facter --external-dir /etc/facter/facts.d/ ec2_public_ipv4)
 5 | 
 6 | curl >/dev/null \
 7 |     -s \
 8 |     -X POST \
 9 |     -d@- \
10 |     {{ slack_webhook_url }} << EOF
11 |     payload={
12 |         "channel": "${channel}",
13 |         "mrkdwn": true,
14 |         "username": "T-800",
15 |         "attachments": [{
16 |         "mrkdwn_in": ["text", "fallback"],
17 |         "fallback": "SSH login: ${PAM_USER} connected to ${host} (${ip})",
18 |         "text": "SSH login to ${host} (${ip})",
19 |         "fields": [{
20 |             "title": "User",
21 |             "value": "${PAM_USER}",
22 |             "short": true
23 |         }, {
24 |             "title": "IP Address",
25 |             "value": "${PAM_RHOST}",
26 |             "short": true
27 |         }],
28 |         "color": "#F35A00"
29 |         }],
30 |         "icon_emoji": ":computer:"
31 |     }
32 | EOF
33 | 


--------------------------------------------------------------------------------
/ansible/roles/datadog/CHANGELOG.md:
--------------------------------------------------------------------------------
1 | CHANGELOG
2 | =========
3 | 
4 | # 1.0.0 / 2016-06-08
5 | 
6 | Initial release, compatible with Ansible v1 & v2
7 | 


--------------------------------------------------------------------------------
/ansible/roles/datadog/README.md:
--------------------------------------------------------------------------------
 1 | Ansible Datadog Role
 2 | ========
 3 | [![Ansible Galaxy](http://img.shields.io/badge/galaxy-Datadog.datadog-660198.svg)](https://galaxy.ansible.com/Datadog/datadog/)
 4 | 
 5 | Install and configure Datadog base agent & checks.
 6 | 
 7 | Installation
 8 | ------------
 9 | 
10 | ```
11 | ansible-galaxy install Datadog.datadog
12 | ```
13 | 
14 | Role Variables
15 | --------------
16 | 
17 | - `datadog_api_key` - Your Datadog API key.
18 | - `datadog_checks` - YAML configuration for agent checks to drop into `/etc/dd-agent/conf.d`.
19 | - `datadog_config` - Settings to place in `/etc/dd-agent/datadog.conf`.
20 | - `datadog_process_checks` - Array of process checks and options (DEPRECATED: use `process` under
21 | `datadog_checks` instead)
22 | 
23 | Dependencies
24 | ------------
25 | None
26 | 
27 | Example Playbooks
28 | -------------------------
29 | ```
30 | - hosts: servers
31 |   roles:
32 |     - { role: Datadog.datadog, become: yes }  # On Ansible < 1.9, use `sudo: yes` instead of `become: yes`
33 |   vars:
34 |     datadog_api_key: "123456"
35 |     datadog_config:
36 |       tags: "mytag0, mytag1"
37 |       log_level: INFO
38 |     datadog_checks:
39 |       process:
40 |         init_config:
41 |         instances:
42 |           - name: ssh
43 |             search_string: ['ssh', 'sshd' ]
44 |           - name: syslog
45 |             search_string: ['rsyslog' ]
46 |             cpu_check_interval: 0.2
47 |             exact_match: true
48 |             ignore_denied_access: true
49 |       ssh_check:
50 |         init_config:
51 |         instances:
52 |           - host: localhost
53 |             port: 22
54 |             username: root
55 |             password: changeme
56 |             sftp_check: True
57 |             private_key_file:
58 |             add_missing_keys: True
59 |       nginx:
60 |         init_config:
61 |         instances:
62 |           - nginx_status_url: http://example.com/nginx_status/
63 |             tags:
64 |               - instance:foo
65 |           - nginx_status_url: http://example2.com:1234/nginx_status/
66 |             tags:
67 |               - instance:bar
68 | ```
69 | 
70 | ```
71 | - hosts: servers
72 |   roles:
73 |     - { role: Datadog.datadog, become: yes, datadog_api_key: "mykey" }  # On Ansible < 1.9, use `sudo: yes` instead of `become: yes`
74 | ```
75 | 
76 | License
77 | -------
78 | 
79 | Apache2
80 | 
81 | Author Information
82 | ------------------
83 | 
84 | brian@akins.org
85 | 
86 | dustinjamesbrown@gmail.com --Forked from brian@akins.org
87 | 
88 | Datadog <info@datadoghq.com> --Forked from dustinjamesbrown@gmail.com
89 | 


--------------------------------------------------------------------------------
/ansible/roles/datadog/defaults/main.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | datadog_enabled: yes
 3 | 
 4 | # default datadog.conf options
 5 | datadog_config: {}
 6 | 
 7 | # default checks enabled
 8 | datadog_checks: {}
 9 | 
10 | # default user/group
11 | datadog_user: dd-agent
12 | datadog_group: root
13 | 


--------------------------------------------------------------------------------
/ansible/roles/datadog/handlers/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | 
3 | - name: restart datadog-agent
4 |   action: service name=datadog-agent state=restarted
5 |   when: datadog_enabled
6 | 


--------------------------------------------------------------------------------
/ansible/roles/datadog/meta/main.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | galaxy_info:
 3 |   author: 'Brian Akins, Dustin Brown & Datadog'
 4 |   description: Install Datadog agent and configure checks
 5 |   license: Apache2
 6 |   min_ansible_version: 1.6
 7 |   platforms:
 8 |     - name: Ubuntu
 9 |       versions:
10 |         - lucid
11 |         - maverick
12 |         - natty
13 |         - oneiric
14 |         - precise
15 |         - quantal
16 |         - raring
17 |         - saucy
18 |         - trusty
19 |         - utopic
20 |         - vivid
21 |         - xenial
22 |     - name: Debian
23 |       versions:
24 |         - squeeze
25 |         - wheezy
26 |         - jessie
27 |     - name: EL
28 |       versions:
29 |         - 7
30 |         - 6
31 |         - 5
32 |   categories:
33 |     - monitoring
34 | dependencies: []
35 | 


--------------------------------------------------------------------------------
/ansible/roles/datadog/tasks/checks.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | - name: Create a configuration file for each Datadog check
 3 |   template:
 4 |     src=roles/datadog/templates/checks.yaml.j2
 5 |     dest=/etc/dd-agent/conf.d/{{ item }}.yaml
 6 |     owner={{ datadog_user }}
 7 |     group={{ datadog_group }}
 8 |   with_items: '{{ datadog_checks.keys() }}'
 9 |   notify:
10 |    - restart datadog-agent
11 | 


--------------------------------------------------------------------------------
/ansible/roles/datadog/tasks/main.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | - include: pkg-redhat.yml
 3 | 
 4 | - name: Create main Datadog agent configuration file
 5 |   template:
 6 |     src=datadog.conf.j2
 7 |     dest=/etc/dd-agent/datadog.conf
 8 |     owner={{ datadog_user }}
 9 |     group={{ datadog_group }}
10 |   notify: restart datadog-agent
11 | 
12 | # DEPRECATED: Remove specific handling of the process check for next major release
13 | - template: src=process.yaml.j2 dest=/etc/dd-agent/conf.d/process.yaml
14 |   when: datadog_process_checks is defined
15 |   notify: restart datadog
16 | 
17 | - debug: 'msg="[DEPRECATION NOTICE] Using `datadog_process_checks` is deprecated, use `process` under `datadog_checks` instead"'
18 |   when: datadog_process_checks is defined
19 | 
20 | - service: name=datadog-agent state=started enabled=yes
21 |   when: datadog_enabled
22 | 
23 | - service: name=datadog-agent state=stopped enabled=no
24 |   when: not datadog_enabled
25 | 
26 | - name: Create a configuration file for each Datadog check
27 |   template:
28 |     src=checks.yaml.j2
29 |     dest=/etc/dd-agent/conf.d/{{ item }}.yaml
30 |     owner={{ datadog_user }}
31 |     group={{ datadog_group }}
32 |   with_items: '{{ datadog_checks.keys() }}'
33 |   notify:
34 |    - restart datadog-agent
35 | 


--------------------------------------------------------------------------------
/ansible/roles/datadog/tasks/pkg-redhat.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: Copy repo file into place
3 |   template: src=datadog.repo.j2 dest=/etc/yum.repos.d/datadog.repo owner=root group=root mode=0644
4 | 
5 | - name: Install datadog-agent package
6 |   yum: name=datadog-agent state=latest
7 | 


--------------------------------------------------------------------------------
/ansible/roles/datadog/templates/checks.yaml.j2:
--------------------------------------------------------------------------------
1 | {{ datadog_checks[item] | to_nice_yaml }}
2 | 


--------------------------------------------------------------------------------
/ansible/roles/datadog/templates/datadog.conf.j2:
--------------------------------------------------------------------------------
 1 | # {{ ansible_managed }}
 2 | 
 3 | [Main]
 4 | 
 5 | {% if datadog_config["dd_url"] is not defined -%}
 6 |   dd_url: {{ datadog_url | default('https://app.datadoghq.com') }}
 7 | {% endif %}
 8 |   api_key: {{ datadog_api_key | default('youshouldsetthis') }}
 9 | {% if datadog_config["use_mount"] is not defined -%}
10 |   use_mount: {{ datadog_use_mount | default('no') }}
11 | {% endif %}
12 | 
13 | {# These variables are free-style, passed through a hash -#}
14 | {% if datadog_config -%}
15 |   {{ datadog_config | to_nice_yaml }}
16 | {% endif %}
17 | 
18 | log_level: WARN
19 | 


--------------------------------------------------------------------------------
/ansible/roles/datadog/templates/datadog.repo.j2:
--------------------------------------------------------------------------------
1 | [datadog]
2 | name = Datadog, Inc.
3 | baseurl = https://yum.datadoghq.com/rpm/{{ ansible_userspace_architecture }}/
4 | enabled=1
5 | gpgcheck=1
6 | gpgkey=https://yum.datadoghq.com/DATADOG_RPM_KEY.public
7 | 


--------------------------------------------------------------------------------
/ansible/roles/datadog/templates/process.yaml.j2:
--------------------------------------------------------------------------------
 1 | {# DEPRECATED: Remove specific handling of the process check for next major release -#}
 2 | init_config:
 3 | 
 4 | instances:
 5 | {% for process in datadog_process_checks %}
 6 | - name: {{ process.name }}
 7 |   search_string: {{ process.search_string }}
 8 |   {% if process.exact_match is defined -%}
 9 |   exact_match: {{ process.exact_match }}
10 |   {% endif -%}
11 |   {% if process.cpu_check_interval is defined -%}
12 |   cpu_check_interval: {{ process.cpu_check_interval }}
13 |   {% endif -%}
14 |   {% if process.ignore_denied_access is defined -%}
15 |   ignore_denied_access: {{ process.ignore_denied_access }}
16 |   {% endif %}
17 | 
18 | {% endfor %}
19 | 


--------------------------------------------------------------------------------
/ansible/roles/loggly/LICENSE:
--------------------------------------------------------------------------------
 1 | Copyright (c) 2015, Kevin Brebanov
 2 | All rights reserved.
 3 | 
 4 | Redistribution and use in source and binary forms, with or without
 5 | modification, are permitted provided that the following conditions are met:
 6 | 
 7 | * Redistributions of source code must retain the above copyright notice, this
 8 |   list of conditions and the following disclaimer.
 9 | 
10 | * Redistributions in binary form must reproduce the above copyright notice,
11 |   this list of conditions and the following disclaimer in the documentation
12 |   and/or other materials provided with the distribution.
13 | 
14 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
15 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
17 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
18 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
20 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
21 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
22 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24 | 
25 | 


--------------------------------------------------------------------------------
/ansible/roles/loggly/README.md:
--------------------------------------------------------------------------------
 1 | loggly
 2 | ======
 3 | 
 4 | Configures Loggly
 5 | 
 6 | Requirements
 7 | ------------
 8 | 
 9 | This role requires Ansible 1.4 or higher.
10 | 
11 | Role Variables
12 | --------------
13 | 
14 | None
15 | 
16 | Dependencies
17 | ------------
18 | 
19 | None
20 | 
21 | Example Playbook
22 | ----------------
23 | 
24 | Configure loggly
25 | ```
26 | - hosts: all
27 |   roles:
28 |     - { role: kbrebanov.loggly }
29 | ```
30 | 
31 | License
32 | -------
33 | 
34 | BSD
35 | 
36 | Author Information
37 | ------------------
38 | 
39 | Kevin Brebanov
40 | 


--------------------------------------------------------------------------------
/ansible/roles/loggly/defaults/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # defaults file for loggly
3 | 
4 | loggly_token: ""
5 | loggly_tag: ""
6 | 


--------------------------------------------------------------------------------
/ansible/roles/loggly/handlers/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # handlers file for loggly
3 | 


--------------------------------------------------------------------------------
/ansible/roles/loggly/meta/main.yml:
--------------------------------------------------------------------------------
  1 | ---
  2 | galaxy_info:
  3 |   author: Kevin Brebanov
  4 |   description: Configures Loggly
  5 |   company:
  6 |   # If the issue tracker for your role is not on github, uncomment the
  7 |   # next line and provide a value
  8 |   # issue_tracker_url: http://example.com/issue/tracker
  9 |   # Some suggested licenses:
 10 |   # - BSD (default)
 11 |   # - MIT
 12 |   # - GPLv2
 13 |   # - GPLv3
 14 |   # - Apache
 15 |   # - CC-BY
 16 |   license: BSD
 17 |   min_ansible_version: 1.4
 18 |   #
 19 |   # Below are all platforms currently available. Just uncomment
 20 |   # the ones that apply to your role. If you don't see your
 21 |   # platform on this list, let us know and we'll get it added!
 22 |   #
 23 |   platforms:
 24 |   #- name: EL
 25 |   #  versions:
 26 |   #  - all
 27 |   #  - 5
 28 |   #  - 6
 29 |   #  - 7
 30 |   #- name: GenericUNIX
 31 |   #  versions:
 32 |   #  - all
 33 |   #  - any
 34 |   #- name: Fedora
 35 |   #  versions:
 36 |   #  - all
 37 |   #  - 16
 38 |   #  - 17
 39 |   #  - 18
 40 |   #  - 19
 41 |   #  - 20
 42 |   #- name: SmartOS
 43 |   #  versions:
 44 |   #  - all
 45 |   #  - any
 46 |   #- name: opensuse
 47 |   #  versions:
 48 |   #  - all
 49 |   #  - 12.1
 50 |   #  - 12.2
 51 |   #  - 12.3
 52 |   #  - 13.1
 53 |   #  - 13.2
 54 |   #- name: Amazon
 55 |   #  versions:
 56 |   #  - all
 57 |   #  - 2013.03
 58 |   #  - 2013.09
 59 |   #- name: GenericBSD
 60 |   #  versions:
 61 |   #  - all
 62 |   #  - any
 63 |   #- name: FreeBSD
 64 |   #  versions:
 65 |   #  - all
 66 |   #  - 8.0
 67 |   #  - 8.1
 68 |   #  - 8.2
 69 |   #  - 8.3
 70 |   #  - 8.4
 71 |   #  - 9.0
 72 |   #  - 9.1
 73 |   #  - 9.1
 74 |   #  - 9.2
 75 |   - name: Ubuntu
 76 |     versions:
 77 |   #  - all
 78 |   #  - lucid
 79 |   #  - maverick
 80 |   #  - natty
 81 |   #  - oneiric
 82 |   #  - precise
 83 |   #  - quantal
 84 |   #  - raring
 85 |   #  - saucy
 86 |     - trusty
 87 |   #- name: SLES
 88 |   #  versions:
 89 |   #  - all
 90 |   #  - 10SP3
 91 |   #  - 10SP4
 92 |   #  - 11
 93 |   #  - 11SP1
 94 |   #  - 11SP2
 95 |   #  - 11SP3
 96 |   #- name: GenericLinux
 97 |   #  versions:
 98 |   #  - all
 99 |   #  - any
100 |   #- name: Debian
101 |   #  versions:
102 |   #  - all
103 |   #  - etch
104 |   #  - lenny
105 |   #  - squeeze
106 |   #  - wheezy
107 |   #
108 |   # Below are all categories currently available. Just as with
109 |   # the platforms above, uncomment those that apply to your role.
110 |   #
111 |   categories:
112 |   #- cloud
113 |   #- cloud:ec2
114 |   #- cloud:gce
115 |   #- cloud:rax
116 |   #- clustering
117 |   #- database
118 |   #- database:nosql
119 |   #- database:sql
120 |   #- development
121 |   - monitoring
122 |   #- networking
123 |   #- packaging
124 |   - system
125 |   #- web
126 | dependencies:
127 |   #- kbrebanov.rsyslog
128 |   # List your role dependencies here, one per line.
129 |   # Be sure to remove the '[]' above if you add dependencies
130 |   # to this list.
131 | 


--------------------------------------------------------------------------------
/ansible/roles/loggly/tasks/CentOS.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # tasks file for loggly (CentOS specific)
3 | 


--------------------------------------------------------------------------------
/ansible/roles/loggly/tasks/Ubuntu.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # tasks file for loggly (Ubuntu specific)
3 | 


--------------------------------------------------------------------------------
/ansible/roles/loggly/tasks/main.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | # tasks file for loggly
 3 | 
 4 | - name: Include distribution specific variables
 5 |   include_vars: "CentOS.yml"
 6 |   tags: loggly
 7 | 
 8 | - include: CentOS.yml
 9 | 
10 | - name: Create keys directory
11 |   file: >
12 |     path=/etc/rsyslog.d/keys
13 |     owner=root
14 |     group=root
15 |     mode=0755
16 |     state=directory
17 |   tags: loggly
18 | 
19 | - name: Create keys/ca.d directory
20 |   file: >
21 |     path=/etc/rsyslog.d/keys/ca.d
22 |     owner=root
23 |     group=root
24 |     mode=0755
25 |     state=directory
26 |   tags: loggly
27 | 
28 | - name: certs
29 |   become: yes
30 |   template:
31 |     src: loggly_full.crt.j2
32 |     dest: /etc/rsyslog.d/keys/ca.d/loggly_full.crt
33 |     owner: root
34 |     group: root
35 |     mode: 0644
36 | 
37 | - name: Create Loggly rsyslog configuration
38 |   template: >
39 |     src=22-loggly.conf.j2
40 |     dest=/etc/rsyslog.d/22-loggly.conf
41 |     owner=root
42 |     group=root
43 |     mode=0644
44 |   tags: loggly
45 | 


--------------------------------------------------------------------------------
/ansible/roles/loggly/templates/22-loggly.conf.j2:
--------------------------------------------------------------------------------
 1 | # {{ ansible_managed }}
 2 | 
 3 | 
 4 | # Define the template used for sending logs to Loggly. Do not change this format.
 5 | $template LogglyFormat,"<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [{{ loggly_token }}@41058] %msg%\n"
 6 | 
 7 | $WorkDirectory /var/spool/rsyslog # where to place spool files
 8 | $ActionQueueFileName fwdRule1 # unique name prefix for spool files
 9 | $ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
10 | $ActionQueueSaveOnShutdown on # save messages to disk on shutdown
11 | $ActionQueueType LinkedList   # run asynchronously
12 | $ActionResumeRetryCount -1    # infinite retries if host is down
13 | 
14 | # Send messages to Loggly over TCP using the template.
15 | *.*             @@logs-01.loggly.com:514;LogglyFormat
16 | 
17 | #     -------------------------------------------------------
18 | 


--------------------------------------------------------------------------------
/ansible/roles/loggly/templates/loggly_full.crt.j2:
--------------------------------------------------------------------------------
 1 | -----BEGIN CERTIFICATE-----
 2 | MIIFBzCCA++gAwIBAgICAgEwDQYJKoZIhvcNAQEFBQAwaDELMAkGA1UEBhMCVVMx
 3 | JTAjBgNVBAoTHFN0YXJmaWVsZCBUZWNobm9sb2dpZXMsIEluYy4xMjAwBgNVBAsT
 4 | KVN0YXJmaWVsZCBDbGFzcyAyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA2
 5 | MTExNjAxMTU0MFoXDTI2MTExNjAxMTU0MFowgdwxCzAJBgNVBAYTAlVTMRAwDgYD
 6 | VQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMSUwIwYDVQQKExxTdGFy
 7 | ZmllbGQgVGVjaG5vbG9naWVzLCBJbmMuMTkwNwYDVQQLEzBodHRwOi8vY2VydGlm
 8 | aWNhdGVzLnN0YXJmaWVsZHRlY2guY29tL3JlcG9zaXRvcnkxMTAvBgNVBAMTKFN0
 9 | YXJmaWVsZCBTZWN1cmUgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxETAPBgNVBAUT
10 | CDEwNjg4NDM1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4qddo+1m
11 | 72ovKzYf3Y3TBQKgyg9eGa44cs8W2lRKy0gK9KFzEWWFQ8lbFwyaK74PmFF6YCkN
12 | bN7i6OUVTVb/kNGnpgQ/YAdKym+lEOez+FyxvCsq3AF59R019Xoog/KTc4KJrGBt
13 | y8JIwh3UBkQXPKwBR6s+cIQJC7ggCEAgh6FjGso+g9I3s5iNMj83v6G3W1/eXDOS
14 | zz4HzrlIS+LwVVAv+HBCidGTlopj2WYN5lhuuW2QvcrchGbyOY5bplhVc8tibBvX
15 | IBY7LFn1y8hWMkpQJ7pV06gBy3KpdIsMrTrlFbYq32X43or174Q7+edUZQuAvUdF
16 | pfBE2FM7voDxLwIDAQABo4IBRDCCAUAwHQYDVR0OBBYEFElLUifRG7zyoSFqYntR
17 | QnqK19VWMB8GA1UdIwQYMBaAFL9ft9HO3R+G9FtVrNzXEMIOqYjnMBIGA1UdEwEB
18 | /wQIMAYBAf8CAQAwOQYIKwYBBQUHAQEELTArMCkGCCsGAQUFBzABhh1odHRwOi8v
19 | b2NzcC5zdGFyZmllbGR0ZWNoLmNvbTBMBgNVHR8ERTBDMEGgP6A9hjtodHRwOi8v
20 | Y2VydGlmaWNhdGVzLnN0YXJmaWVsZHRlY2guY29tL3JlcG9zaXRvcnkvc2Zyb290
21 | LmNybDBRBgNVHSAESjBIMEYGBFUdIAAwPjA8BggrBgEFBQcCARYwaHR0cDovL2Nl
22 | cnRpZmljYXRlcy5zdGFyZmllbGR0ZWNoLmNvbS9yZXBvc2l0b3J5MA4GA1UdDwEB
23 | /wQEAwIBBjANBgkqhkiG9w0BAQUFAAOCAQEAhlK6sx+mXmuQpmQq/EWyrp8+s2Kv
24 | 2x9nxL3KoS/HnA0hV9D4NiHOOiU+eHaz2d283vtshF8Mow0S6xE7cV+AHvEfbQ5f
25 | wezUpfdlux9MlQETsmqcC+sfnbHn7RkNvIV88xe9WWOupxoFzUfjLZZiUTIKCGhL
26 | Indf90XcYd70yysiKUQl0p8Ld3qhJnxK1w/C0Ty6DqeVmlsFChD5VV/Bl4t0zF4o
27 | aRN+0AqNnQ9gVHrEjBs1D3R6cLKCzx214orbKsayUWm/EheSYBeqPVsJ+IdlHaek
28 | KOUiAgOCRJo0Y577KM/ozS4OUiDtSss4fJ2ubnnXlSyokfOGASGRS7VApA==
29 | -----END CERTIFICATE-----
30 | -----BEGIN CERTIFICATE-----
31 | MIIEDzCCAvegAwIBAgIBADANBgkqhkiG9w0BAQUFADBoMQswCQYDVQQGEwJVUzEl
32 | MCMGA1UEChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEyMDAGA1UECxMp
33 | U3RhcmZpZWxkIENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDQw
34 | NjI5MTczOTE2WhcNMzQwNjI5MTczOTE2WjBoMQswCQYDVQQGEwJVUzElMCMGA1UE
35 | ChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEyMDAGA1UECxMpU3RhcmZp
36 | ZWxkIENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggEgMA0GCSqGSIb3
37 | DQEBAQUAA4IBDQAwggEIAoIBAQC3Msj+6XGmBIWtDBFk385N78gDGIc/oav7PKaf
38 | 8MOh2tTYbitTkPskpD6E8J7oX+zlJ0T1KKY/e97gKvDIr1MvnsoFAZMej2YcOadN
39 | +lq2cwQlZut3f+dZxkqZJRRU6ybH838Z1TBwj6+wRir/resp7defqgSHo9T5iaU0
40 | X9tDkYI22WY8sbi5gv2cOj4QyDvvBmVmepsZGD3/cVE8MC5fvj13c7JdBmzDI1aa
41 | K4UmkhynArPkPw2vCHmCuDY96pzTNbO8acr1zJ3o/WSNF4Azbl5KXZnJHoe0nRrA
42 | 1W4TNSNe35tfPe/W93bC6j67eA0cQmdrBNj41tpvi/JEoAGrAgEDo4HFMIHCMB0G
43 | A1UdDgQWBBS/X7fRzt0fhvRbVazc1xDCDqmI5zCBkgYDVR0jBIGKMIGHgBS/X7fR
44 | zt0fhvRbVazc1xDCDqmI56FspGowaDELMAkGA1UEBhMCVVMxJTAjBgNVBAoTHFN0
45 | YXJmaWVsZCBUZWNobm9sb2dpZXMsIEluYy4xMjAwBgNVBAsTKVN0YXJmaWVsZCBD
46 | bGFzcyAyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5ggEAMAwGA1UdEwQFMAMBAf8w
47 | DQYJKoZIhvcNAQEFBQADggEBAAWdP4id0ckaVaGsafPzWdqbAYcaT1epoXkJKtv3
48 | L7IezMdeatiDh6GX70k1PncGQVhiv45YuApnP+yz3SFmH8lU+nLMPUxA2IGvd56D
49 | eruix/U0F47ZEUD0/CwqTRV/p2JdLiXTAAsgGh1o+Re49L2L7ShZ3U0WixeDyLJl
50 | xy16paq8U4Zt3VekyvggQQto8PT7dL5WXXp59fkdheMtlb71cZBDzI0fmgAKhynp
51 | VSJYACPq4xJDKVtHCN2MQWplBqjlIapBtJUhlbl90TSrE9atvNziPTnNvT51cKEY
52 | WQPJIrSPnNVeKtelttQKbfi3QBFGmh95DmK/D5fs4C8fF5Q=
53 | -----END CERTIFICATE-----
54 | -----BEGIN CERTIFICATE-----
55 | MIIFfzCCBGegAwIBAgIILqvAG0gVC3QwDQYJKoZIhvcNAQEFBQAwgdwxCzAJBgNV
56 | BAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMSUw
57 | IwYDVQQKExxTdGFyZmllbGQgVGVjaG5vbG9naWVzLCBJbmMuMTkwNwYDVQQLEzBo
58 | dHRwOi8vY2VydGlmaWNhdGVzLnN0YXJmaWVsZHRlY2guY29tL3JlcG9zaXRvcnkx
59 | MTAvBgNVBAMTKFN0YXJmaWVsZCBTZWN1cmUgQ2VydGlmaWNhdGlvbiBBdXRob3Jp
60 | dHkxETAPBgNVBAUTCDEwNjg4NDM1MB4XDTE1MDQwNjA1NDIzOFoXDTE2MDQwNjA1
61 | MzgzOFowQDEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkMRswGQYD
62 | VQQDExJsb2dzLTAxLmxvZ2dseS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
63 | ggEKAoIBAQCo6JQSJCK8y67Wfg3bVCBndVmjzF52shm/Qn+dDxk6ge06zVgfZ5cP
64 | D35YDQqdbHdyu1Jq59Ak4pu/Ta5uWvOhUuqsDUuYyfu9Bh6NGyCzvUiNFwOa9dH9
65 | W7JpFz/CUJqpsKAmwYNDeXuB0VFrLRxYCQTzqWBDuXnDvtfiMmvBvFiUKFfm4lUh
66 | WV37ixUiXtx7xu+qJOqBeRwo0X5En5pk1oSTzHZaTtEExbdezV3vOQixHtchkrRN
67 | KlbohdkrUpZZn9Z21K+FhOTmp/u03DhgiQXav6bxkW1Po8ZBPlyJRlHXe27XbqZm
68 | o1yJJn2F33M7gNuKlspO3cdS1UqDqWelAgMBAAGjggHeMIIB2jAMBgNVHRMBAf8E
69 | AjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAOBgNVHQ8BAf8EBAMC
70 | BaAwOQYDVR0fBDIwMDAuoCygKoYoaHR0cDovL2NybC5zdGFyZmllbGR0ZWNoLmNv
71 | bS9zZnMxLTI3LmNybDBZBgNVHSAEUjBQME4GC2CGSAGG/W4BBxcBMD8wPQYIKwYB
72 | BQUHAgEWMWh0dHA6Ly9jZXJ0aWZpY2F0ZXMuc3RhcmZpZWxkdGVjaC5jb20vcmVw
73 | b3NpdG9yeS8wgY0GCCsGAQUFBwEBBIGAMH4wKgYIKwYBBQUHMAGGHmh0dHA6Ly9v
74 | Y3NwLnN0YXJmaWVsZHRlY2guY29tLzBQBggrBgEFBQcwAoZEaHR0cDovL2NlcnRp
75 | ZmljYXRlcy5zdGFyZmllbGR0ZWNoLmNvbS9yZXBvc2l0b3J5L3NmX2ludGVybWVk
76 | aWF0ZS5jcnQwHwYDVR0jBBgwFoAUSUtSJ9EbvPKhIWpie1FCeorX1VYwNQYDVR0R
77 | BC4wLIISbG9ncy0wMS5sb2dnbHkuY29tghZ3d3cubG9ncy0wMS5sb2dnbHkuY29t
78 | MB0GA1UdDgQWBBT0MM8oRzFYKeB0kuQkvExGRBXwWjANBgkqhkiG9w0BAQUFAAOC
79 | AQEAQ9JNeNIPx+DacFSPG+AV3blBhgfZQXfLO2Wbls2Vuol7PtDKHuaoBSQE1RYE
80 | A/iyXI3OJnNivGU/V2p4weHgitpNpQ8AJ7uZVERIUCOlCYJaDSevpFfoALQK2rWr
81 | gegZZ6gVkdFanhHCRW4a2apLCRnUbt//7k1G6Fw8v+YCzyVtf31AnY/bhknWAfDc
82 | oldME9cCeAPT8WvCC3Xmrrd1FxlVkEGyshAzEpA1BNeVQM4iB17Up2tXQIv+ehsU
83 | cUJz4IKut0lglszuanEfAazOzEn37n/2Q3cNx5IDEHv3z4fBLwNfd9yT14izqKLJ
84 | ODRffuOanfiyg+bXxdmuhfXUqQ==
85 | -----END CERTIFICATE-----
86 | 


--------------------------------------------------------------------------------
/ansible/roles/loggly/vars/CentOS.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # vars file for loggly (CentOS specific)
3 | 


--------------------------------------------------------------------------------
/ansible/roles/loggly/vars/Ubuntu.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # vars file for loggly (Ubuntu specific)
3 | 


--------------------------------------------------------------------------------
/ansible/roles/loggly/vars/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # vars file for loggly
3 | 


--------------------------------------------------------------------------------
/ansible/roles/newrelic/defaults/main.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | # newrelic_license_key: yourkey
 3 | 
 4 | # Sets the name of the file to send log messages to.
 5 | php5_newrelic_logfile: /var/log/newrelic/php_agent.log
 6 | # Sets the level of detail to include in the log file.
 7 | php5_newrelic_loglevel: info
 8 | # Sets the name of the file to send daemon log messages to.
 9 | php5_newrelic_daemon_logfile: /var/log/newrelic/newrelic-daemon.log
10 | # Sets the level of detail to include in the daemon log.
11 | php5_newrelic_daemon_loglevel: info
12 | # Enables high security for all applications.
13 | php5_newrelic_high_security: no
14 | # Sets the name of the application that metrics will be reported into.
15 | php5_newrelic_appname: myapp
16 | 


--------------------------------------------------------------------------------
/ansible/roles/newrelic/handlers/main.yml:
--------------------------------------------------------------------------------
 1 | - name: restart newrelic
 2 |   service:
 3 |     name: newrelic-daemon
 4 |     state: restarted
 5 |     enabled: yes
 6 | 
 7 | - name: restart newrelic-sysmond
 8 |   service:
 9 |     name: newrelic-sysmond
10 |     state: restarted
11 |     enabled: yes
12 | 
13 | 


--------------------------------------------------------------------------------
/ansible/roles/newrelic/tasks/main.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | - template:
 3 |     src: newrelic.repo.j2
 4 |     dest: /etc/yum.repos.d/newrelic.repo
 5 |     owner: root
 6 |     group: root
 7 |     mode: 0644
 8 | 
 9 | - yum:
10 |     name: newrelic-php5
11 |     state: latest
12 | 
13 | - template:
14 |     src: "newrelic.ini.j2"
15 |     dest: "/etc/php.d/newrelic.ini"
16 |     owner: "root"
17 |     group: "root"
18 |     mode: "0644"
19 |   notify: restart newrelic
20 | 
21 | - template:
22 |     src: "newrelic.cfg.j2"
23 |     dest: "/etc/newrelic/newrelic.cfg"
24 |     owner: "root"
25 |     group: "root"
26 |     mode: "0644"
27 |   notify: restart newrelic
28 | 


--------------------------------------------------------------------------------
/ansible/roles/newrelic/templates/newrelic.cfg.j2:
--------------------------------------------------------------------------------
  1 | # {{ ansible_managed }}
  2 | #
  3 | # This is a configuration template for the New Relic daemon - a communications
  4 | # proxy between New Relic agents (such as the PHP agent) and the New Relic
  5 | # data collectors. This configuration file is required *ONLY* if you need or
  6 | # want to start the New Relic daemon at system boot time using init. In order
  7 | # to do so you must execute the following commands (as root):
  8 | #
  9 | # For CentOS and RedHat systems:
 10 | #    /sbin/chkconfig newrelic-daemon on
 11 | #
 12 | # For Ubuntu and Debian systems:
 13 | #    /usr/sbin/update-rc.d newrelic-daemon defaults 90 10
 14 | #    /usr/sbin/update-rc.d newrelic-daemon enable
 15 | #
 16 | # For FreeBSD systems:
 17 | #    /etc/rc.d/newrelic-daemon start
 18 | #
 19 | # For other systems please consult your documentation on how to enable and
 20 | # disable services.
 21 | #
 22 | # For most systems:
 23 | #    /etc/init.d/newrelic-daemon start
 24 | #
 25 | # The startup scripts will only start the daemon if there is a valid daemon
 26 | # configuration file in place. This file is, by default:
 27 | #
 28 | #    /etc/newrelic/newrelic.cfg
 29 | #
 30 | # If that file does not exist, you can copy this template file to that
 31 | # location and edit it to suit your system needs.
 32 | #
 33 | # By default the daemon is not started at system boot time, and does not use
 34 | # the /etc/newrelic/newrelic.cfg file. Rather, the daemon is started by the
 35 | # agent automatically on startup and is configured by the agent (for example
 36 | # when using the PHP agent the daemon parameters are set in the global INI
 37 | # file and all begin with 'newrelic.daemon').
 38 | #
 39 | # There are certain circumstances under which you may want the daemon to be
 40 | # started at boot time rather than by the agent. If you use a chroot jail for
 41 | # running the agent in, if you have multiple web servers or FastCGI process
 42 | # managers, or if you use PHP on the command line a lot for batch processing
 43 | # then you may want to start the daemon once at system boot rather than having
 44 | # the agent start it.
 45 | #
 46 | # Below are the various options you can change that affect the daemon. Each
 47 | # one is explained in detail along with it's default value.
 48 | #
 49 | 
 50 | #
 51 | # Setting: pidfile
 52 | # Type   : string
 53 | # Purpose: Sets the name of the file that the daemon writes its process ID
 54 | #          (PID) to. This is used by the startup and shutdown script to know
 55 | #          which process to monitor or kill.
 56 | # Default: None. Init script uses a filename of newrelic-daemon.pid in
 57 | #          the first directory from /var/run or /var/pid that is found.
 58 | #pidfile=
 59 | 
 60 | #
 61 | # Setting: logfile
 62 | # Type   : string
 63 | # Purpose: Sets the name of the file to record log messages in. If this file
 64 | #          does not exist it is created. If it cannot be created the daemon
 65 | #          will not start up. The amount of information sent to this file is
 66 | #          controlled by the loglevel settings, defined below.
 67 | # Default: /var/log/newrelic/newrelic-daemon.log
 68 | logfile=/var/log/newrelic/newrelic-daemon.log
 69 | 
 70 | #
 71 | # Setting: loglevel
 72 | # Type   : string
 73 | # Purpose: Sets the level of detail of log messages sent to the log file. This
 74 | #          variable can control the log level for different subsystem at
 75 | #          different levels, although such custom usage should only be done at
 76 | #          the request of New Relic technical support. The simplest setting is
 77 | #          to use one of the following keywords, in increasing order of detail:
 78 | #          error - only error messages
 79 | #          warning - only warning and error messages
 80 | #          info - only minimal startup and shutdown info
 81 | #          debug - very verbose, includes messages only relevant to support.
 82 | #                  The debug level may create very large log files.
 83 | #
 84 | #          The values verbose and verbosedebug are deprecated aliases for debug.
 85 | #
 86 | # Default: info
 87 | loglevel=info
 88 | 
 89 | #
 90 | # Setting: port
 91 | # Type   : String or Integer (1-65534)
 92 | # Purpose: Sets how the agent and daemon communicate. How this is set can impact
 93 | #          performance. The default is to use a UNIX-domain socket located at
 94 | #          /tmp/.newrelic.sock. If you want to use UNIX domain sockets then
 95 | #          this value must begin with a "/". If you set this to an integer
 96 | #          value in the range 1-65534, then this will instruct the daemon to
 97 | #          listen on a normal TCP socket on the port specified. This may be
 98 | #          easier to use if you are using a chroot environment. On Linux, an
 99 | #          abstract socket can be created by prefixing the socket name with '@'.
100 | #          Support for abstract sockets was added in PHP agent version 5.2.
101 | #
102 | #          In order to use a port in the range 1-1023, the daemon must be
103 | #          started by the super-user. This is a fundamental OS limitation
104 | #          and not one imposed by the daemon itself.
105 | # Default: "/tmp/.newrelic.sock"
106 | #port="/tmp/.newrelic.sock"
107 | 
108 | #
109 | # Setting: ssl
110 | # Type   : boolean
111 | # Purpose: If you prefer the daemon to use the secure HTTP (https) protocol
112 | #          when communicating with the New Relic collector servers, set this
113 | #          to true.
114 | # Default: true (as of version 3.6)
115 | #ssl=true
116 | 
117 | #
118 | # Setting: ssl_ca_bundle
119 | # Type   : string
120 | # Purpose: Sets the location of a file containing CA certificates in PEM
121 | #          format. When set, the certificates in this file will be used
122 | #          to authenticate the New Relic collector servers. If ssl_ca_path
123 | #          is also set (see below), the certificates in this file will be
124 | #          searched first, followed by the certificates contained in the
125 | #          ssl_ca_path directory. This setting has no effect when ssl
126 | #          is set to false.
127 | # Default: none
128 | #ssl_ca_bundle=
129 | 
130 | #
131 | # Setting: ssl_ca_path
132 | # Type   : string
133 | # Purpose: Sets the location of a directory containing trusted CA certificates
134 | #          in PEM format. When set, the certificates in this directory will be
135 | #          used to authenticate the New Relic collector servers. If
136 | #          ssl_ca_bundle is also set (see above), it will be searched first
137 | #          followed by the certificates contained in ssl_ca_path. This
138 | #          setting has no effect when ssl is set to false.
139 | # Default: none
140 | #ssl_ca_path=
141 | 
142 | #
143 | # Setting: proxy
144 | # Type   : string
145 | # Purpose: Some networks are configured to require the use of an egress proxy
146 | #          server in order to communicate with the outside world. Since the
147 | #          daemon needs to communicate with the New Relic data collection
148 | #          servers you may need to instruct it to use a proxy server. Your
149 | #          system or network administrator should be able to provide you with
150 | #          the details.
151 | #          This string is in the form [user[:password]]@hostname[:port] with
152 | #          the user, password and port fields being optional. Some examples:
153 | #          myusername:secret@10.1.1.1:12345
154 | #          someuser@proxy.mydomain.com:4321
155 | #          proxy.mydomain.com
156 | # Default: none
157 | #proxy=
158 | 
159 | #
160 | # Setting: auditlog
161 | # Type   : string
162 | # Purpose: Sets the name of a file to record all uncompressed, un-encoded
163 | #          content that is sent from your machine to the New Relic servers.
164 | #          This includes the full URL for each command along with the payload
165 | #          delivered with the command. This allows you to satisfy yourself
166 | #          that the agent is not sending any sensitive data to our servers.
167 | #          This file must be a different file to the logfile setting above.
168 | #          If you set it to the same name audit logging will be silently
169 | #          ignored.
170 | # Default: None
171 | #auditlog=/var/log/newrelic/audit.log
172 | 
173 | # Setting: utilization.detect_aws
174 | # Type   : boolean
175 | # Default: true
176 | # Info   : Enable detection of whether the system is running on AWS. This will
177 | #          create a small amount of network traffic on daemon startup.
178 | 
179 | # Setting: utilization.detect_docker
180 | # Type   : boolean
181 | # Default: true
182 | # Info   : Enable detection of a system running on Docker. This will be used
183 | #          to support future features.
184 | 


--------------------------------------------------------------------------------
/ansible/roles/newrelic/templates/newrelic.ini.j2:
--------------------------------------------------------------------------------
  1 | ; {{ ansible_managed }}
  2 | ;
  3 | ; This file contains the various settings for the New Relic PHP agent. There
  4 | ; are many options, all of which are described in detail at the following URL:
  5 | ; https://newrelic.com/docs/php/php-agent-phpini-settings
  6 | ;
  7 | 
  8 | ; If you use a full path to the extension you insulate yourself from the
  9 | ; extension directory changing if you change PHP installations or versions.
 10 | ; If you do not use an absolute path then the file must be installed in the
 11 | ; active configuration's extension directory.
 12 | 
 13 | [default]
 14 | extension = "newrelic.so"
 15 | 
 16 | [newrelic]
 17 | ;
 18 | ; Setting: newrelic.enabled
 19 | ; Type   : boolean
 20 | ; Scope  : per-directory
 21 | ; Default: true
 22 | ; Info   : Enable or disable the agent. Please note that you cannot globally
 23 | ;          disable the agent and then selectively enable it on a per-directory
 24 | ;          basis. If you disable the agent in the global INI file then the
 25 | ;          agent will not initialize at all. However, you can selectively
 26 | ;          disable the agent on a per-directory basis.
 27 | ;
 28 | ;newrelic.enabled = true
 29 | 
 30 | ;
 31 | ; Setting: newrelic.license
 32 | ; Type   : string
 33 | ; Scope  : per-directory
 34 | ; Default: none
 35 | ; Info   : Sets the New Relic license key to use. This can vary from directory
 36 | ;          to directory if you are running a multi-tenant system. By special
 37 | ;          dispensation if you upgraded from a previous version of the agent
 38 | ;          where the license key was set in the daemon, the installation and
 39 | ;          upgrade script will have preserved your license key from the file
 40 | ;          /etc/newrelic/newrelic.cfg, but ONLY if you installed via rpm/yum
 41 | ;          or dpkg. The key is saved in /etc/newrelic/upgrade_please.key
 42 | ;          and the agent will look for that file if you do not specify a valid
 43 | ;          license here.
 44 | ;          It is *STRONGLY* recommended that you set the license key in your
 45 | ;          INI file(s) and do not rely on the key file being present. Also
 46 | ;          please note that even if you are not letting the agent start the
 47 | ;          daemon and are still using newrelic.cfg (see below) the license
 48 | ;          keyword in that file is no longer obeyed. Instead the agent will
 49 | ;          use the preserved value of that license from the key file.
 50 | ;          Once you have updated your INI files to contain the license we
 51 | ;          urge you to remove /etc/newrelic/upgrade_please.key in order to
 52 | ;          eliminate the potential for confusion about exactly where the key
 53 | ;          is coming from.
 54 | ;
 55 | newrelic.license = "{{ newrelic_license_key }}"
 56 | 
 57 | ;
 58 | ; Setting: newrelic.logfile
 59 | ; Type   : string
 60 | ; Scope  : system
 61 | ; Default: none
 62 | ; Info   : Sets the name of the file to send log messages to.
 63 | ;
 64 | newrelic.logfile = "{{ php5_newrelic_logfile }}"
 65 | 
 66 | ;
 67 | ; Setting: newrelic.loglevel
 68 | ; Type   : string
 69 | ; Scope  : system
 70 | ; Default: "info"
 71 | ; Info   : Sets the level of detail to include in the log file. You should
 72 | ;          rarely need to change this from the default, and usually only under
 73 | ;          the guidance of technical support.
 74 | ;          Must be one of the following values:
 75 | ;            always, error, warning, info, verbose, debug, verbosedebug
 76 | ;
 77 | newrelic.loglevel = "{{ php5_newrelic_loglevel }}"
 78 | 
 79 | ;
 80 | ; Setting: newrelic.high_security
 81 | ; Type   : boolean
 82 | ; Scope  : system
 83 | ; Default: false
 84 | ; Info   : Enables high security for all applications.  When high security is
 85 | ;          enabled, the following behavior will take effect:
 86 | ;          * Data will not be sent to New Relic unless the newrelic-daemon
 87 | ;            is using SSL.  If the PHP process spawns a newrelic-daemon, it
 88 | ;            will be configured to use SSL regardless of the value of
 89 | ;            ```newrelic.daemon.ssl```.
 90 | ;          * Raw SQL strings will never be gathered, regardless of the value of
 91 | ;            newrelic.transaction_tracer.record_sql.
 92 | ;          * Request parameters will never be captured, regardless of the
 93 | ;            newrelic.attributes configuration settings.
 94 | ;          * The following API functions will have no effect, and will return
 95 | ;            false:
 96 | ;            newrelic_add_custom_parameter
 97 | ;            newrelic_set_user_attributes
 98 | ;
 99 | ;          IMPORTANT:  If you change this setting, you must also change the RPM
100 | ;          UI security setting.  If the two settings do not match, then no data
101 | ;          will be collected.
102 | ;
103 | newrelic.high_security = {{ php5_newrelic_high_security | to_nice_json }}
104 | 
105 | ;
106 | ; Setting: newrelic.appname
107 | ; Type   : string
108 | ; Scope  : per-directory
109 | ; Default: "PHP Application"
110 | ; Info   : Sets the name of the application that metrics will be reported into.
111 | ;          This can in fact be a list of up to 3 application names, each of
112 | ;          which must be separated by a semi-colon. The first name in any such
113 | ;          list is considered the 'primary' application name and must be unique
114 | ;          for each account / license key.
115 | ;
116 | newrelic.appname = "{{ php5_newrelic_appname }}"
117 | 
118 | ;
119 | ; Beginning with version 3.0 of the agent, the daemon can be automatically
120 | ; started by the agent. There is no need to start the daemon before starting
121 | ; Apache or PHP-FPM. All of the newrelic.daemon.* settings are options that
122 | ; control the behavior of the daemon. These settings are converted into the
123 | ; appropriate command line options when the agent starts the daemon. This is
124 | ; now the preferred method of starting the daemon. There are still usage cases
125 | ; (such as using a single daemon for serving multiple Apache instances) where
126 | ; you may want to start the daemon via it's init script, but for most users,
127 | ; this is the best place to configure and start the daemon.
128 | ;
129 | ; The agent will only launch the daemon if one isn't already running. Also
130 | ; note that the agent will NOT stop the daemon once it has started. If you
131 | ; want control over exactly when the daemon starts and stops you can still
132 | ; achieve that by creating a daemon configuration file (located by default at
133 | ; /etc/newrelic/newrelic.cfg) and running the chkconfig or equivalent command.
134 | ; Please see the newrelic.cfg template file for details. That template file
135 | ; is located at /usr/lib/newrelic-php5/scripts/newrelic.cfg.template.
136 | ;
137 | ; Also please note that the options here and in newrelic.cfg are identical,
138 | ; except that in this file they are preceded with "newrelic.daemon.".
139 | ;
140 | 
141 | ;
142 | ; Setting: newrelic.daemon.logfile
143 | ; Type   : string
144 | ; Scope  : system
145 | ; Default: none
146 | ; Info   : Sets the name of the file to send daemon log messages to.
147 | ;
148 | newrelic.daemon.logfile = "{{ php5_newrelic_daemon_logfile }}"
149 | 
150 | ;
151 | ; Setting: newrelic.daemon.loglevel
152 | ; Type   : string
153 | ; Scope  : system
154 | ; Default: "info"
155 | ; Info   : Sets the level of detail to include in the daemon log. You should
156 | ;          rarely need to change this from the default, and usually only under
157 | ;          the guidance of technical support.
158 | ;          Must be one of the following values:
159 | ;            always, error, warning, info, verbose, debug, verbosedebug
160 | ;
161 | newrelic.daemon.loglevel = "{{ php5_newrelic_daemon_loglevel }}"
162 | 
163 | ;
164 | ; Setting: newrelic.daemon.ssl
165 | ; Type   : boolean
166 | ; Scope  : system
167 | ; Default: true (as of version 3.6)
168 | ; Info   : Sets whether or not communication with New Relic data collectors
169 | ;          should use a secure HTTP connection or not.
170 | ;
171 | ;newrelic.daemon.ssl = true
172 | 
173 | ;
174 | ; Setting: newrelic.daemon.ssl_ca_bundle
175 | ; Type   : string
176 | ; Scope  : system
177 | ; Default: none
178 | ; Info   : Sets the location of a file containing CA certificates in PEM
179 | ;          format. When set, the certificates in this file will be used
180 | ;          to authenticate the New Relic collector servers. If
181 | ;          newrelic.daemon.ssl_ca_path is also set (see below), the
182 | ;          certificates in this file will be searched first, followed by
183 | ;          the certificates contained in the newrelic.daemon.ssl_ca_path
184 | ;          directory. This setting has no effect when newrelic.daemon.ssl
185 | ;          is set to false.
186 | ;newrelic.daemon.ssl_ca_bundle = ""
187 | 
188 | ;
189 | ; Setting: newrelic.daemon.ssl_ca_path
190 | ; Type   : string
191 | ; Scope  : system
192 | ; Default: none
193 | ; info   : Sets the location of a directory containing trusted CA certificates
194 | ;          in PEM format. When set, the certificates in this directory will be
195 | ;          used to authenticate the New Relic collector servers. If
196 | ;          newrelic.daemon.ssl_ca_bundle is also set (see above), it will be
197 | ;          searched first followed by the certificates contained in
198 | ;          newrelic.daemon.ssl_ca_path. This setting has no effect when
199 | ;          newrelic.daemon.ssl is set to false.
200 | ;newrelic.daemon.ssl_ca_path = ""
201 | 
202 | ;
203 | ; Setting: newrelic.daemon.proxy
204 | ; Type   : string
205 | ; Scope  : system
206 | ; Default: none
207 | ; Info   : Sets the host and user credentials to use as an egress proxy. This
208 | ;          is only used if your site requires a proxy in order to access
209 | ;          external servers on the internet, in this case the New Relic data
210 | ;          collection servers. This is expressed in one of the following forms:
211 | ;             hostname
212 | ;             hostname:port
213 | ;             user@hostname
214 | ;             user@hostname:port
215 | ;             user:password@hostname
216 | ;             user:password@hostname:port
217 | ;
218 | ;newrelic.daemon.proxy = ""
219 | 
220 | ;
221 | ; Setting: newrelic.daemon.pidfile
222 | ; Type   : string
223 | ; Scope  : system
224 | ; Default: OS dependent
225 | ; Info   : Sets the name of the file to store the running daemon's process ID
226 | ;          (PID) in. This file is used by the daemon startup and shutdown
227 | ;          script to determine whether or not the daemon is already running.
228 | ;
229 | ;newrelic.daemon.pidfile = ""
230 | 
231 | ;
232 | ; Setting: newrelic.daemon.location
233 | ; Type   : string
234 | ; Scope  : system
235 | ; Default: /usr/bin/newrelic-daemon
236 | ; Info   : Sets the name of the daemon executable to launch.
237 | ;          Please note that on OpenSolaris where /usr is frequently a read-only
238 | ;          file system, the default daemon location is
239 | ;          /opt/newrelic/bin/newrelic-daemon.
240 | ;
241 | ;newrelic.daemon.location = "/usr/bin/newrelic-daemon"
242 | 
243 | ;
244 | ; Setting: newrelic.daemon.collector_host
245 | ; Type   : string
246 | ; Scope  : system
247 | ; Default: collector.newrelic.com
248 | ; Info   : Sets the host name of the New Relic data collector host to use.
249 | ;          Please note that this is NOT any form of local host. It refers to
250 | ;          the New Relic provided host. There is very little reason to ever
251 | ;          change this from the default except in certain very special
252 | ;          circumstances, and then only on instruction from a New Relic sales
253 | ;          person or support staff member.
254 | ;
255 | ;newrelic.daemon.collector_host = "collector.newrelic.com"
256 | 
257 | ;
258 | ; Setting: newrelic.daemon.dont_launch
259 | ; Type   : integer (0, 1, 2 or 3)
260 | ; Scope  : system
261 | ; Default: 0
262 | ; Info   : If you prefer to have the daemon launched externally before the
263 | ;          agent starts up, set this variable to non-zero. The value you
264 | ;          choose determines exactly when the agent is allowed to start the
265 | ;          daemon:
266 | ;          0 - agent can start the daemon any time it needs to
267 | ;          1 - non-CLI (i.e Apache / php-fpm) agents can start the daemon
268 | ;          2 - only CLI agents can start the daemon
269 | ;          3 - the agent will never start the daemon
270 | ;
271 | ;newrelic.daemon.dont_launch = 0
272 | 
273 | ;
274 | ; Setting: newrelic.error_collector.enabled
275 | ; Type   : boolean
276 | ; Scope  : per-directory
277 | ; Default: true
278 | ; Info   : Enable the New Relic error collector. This will record the 20 most
279 | ;          severe errors per harvest cycle. It is rare to want to disable this.
280 | ;          Please also note that your New Relic subscription level may force
281 | ;          this to be disabled regardless of any value you set for it.
282 | ;
283 | ;newrelic.error_collector.enabled = true
284 | 
285 | ;
286 | ; Setting: newrelic.error_collector.record_database_errors
287 | ; Type   : boolean
288 | ; Scope  : per-directory
289 | ; Default: false
290 | ; Info   : Currently only supported for MySQL database functions. If enabled,
291 | ;          this will cause errors returned by various MySQL functions to be
292 | ;          treated as if they were PHP errors, and thus subject to error
293 | ;          collection. This is only obeyed if the error collector is enabled
294 | ;          above and the account subscription level permits error trapping.
295 | ;
296 | ;newrelic.error_collector.record_database_errors = false
297 | 
298 | ;
299 | ; Setting: newrelic.error_collector.prioritize_api_errors
300 | ; Type   : boolean
301 | ; Scope  : per-directory
302 | ; Default: false
303 | ; Info   : If the error collector is enabled and you use the New Relic API to
304 | ;          notice an error, if this is set to true then assign the highest
305 | ;          priority to such errors.
306 | ;
307 | ;newrelic.error_collector.prioritize_api_errors = false
308 | 
309 | ;
310 | ; Setting: newrelic.browser_monitoring.auto_instrument
311 | ; Type   : boolean
312 | ; Scope  : per-directory
313 | ; Default: true
314 | ; Info   : Enables or disables automatic real user monitoring ("auto-RUM").
315 | ;          When enabled will cause the agent to insert a header and a footer
316 | ;          in HTML output that will time the actual end-user experience.
317 | ;
318 | ;newrelic.browser_monitoring.auto_instrument = true
319 | 
320 | ;
321 | ; Setting: newrelic.transaction_tracer.enabled
322 | ; Type   : boolean
323 | ; Scope  : per-directory
324 | ; Default: true
325 | ; Info   : Enables or disables the transaction tracer. When enabled this will
326 | ;          produce a detailed call graph for any transaction that exceeds a
327 | ;          certain threshold (see next entry). Only one transaction trace per
328 | ;          application per harvest cycle is stored and it is always the slowest
329 | ;          transaction during that cycle. Transaction traces are extremely
330 | ;          useful when diagnosing problem spots in your application. Please
331 | ;          note that TT's may be disabled by your account subscription level
332 | ;          regardless of what you set here.
333 | ;
334 | ;newrelic.transaction_tracer.enabled = true
335 | 
336 | ;
337 | ; Setting: newrelic.transaction_tracer.threshold
338 | ; Type   : string with a time specification or the word "apdex_f"
339 | ; Scope  : per-directory
340 | ; Default: "apdex_f"
341 | ; Info   : Specifies the threshold above which a transaction becomes a
342 | ;          candidate for the transaction tracer. This can either be an absolute
343 | ;          time value like "200ms" or "1s250ms" or "1h30m" or "750us" or the
344 | ;          word "apdex_f". This last value, "apdex_f", means "4 times apdex_t".
345 | ;          Thus the threshold changes according to your apdex_t setting. This
346 | ;          is the default.
347 | ;
348 | ;newrelic.transaction_tracer.threshold = "apdex_f"
349 | 
350 | ;
351 | ; Setting: newrelic.transaction_tracer.detail
352 | ; Type   : integer in the range 0-1
353 | ; Scope  : per-directory
354 | ; Default: 1
355 | ; Info   : Sets the level of detail in a transaction trace. Setting this to 0
356 | ;          will only show the relatively few PHP functions that New Relic has
357 | ;          deemed to be "interesting", as well as any custom functions you set
358 | ;          (see below). A setting of 1 will trace and time all user functions.
359 | ;
360 | ;          In earlier releases of the agent this was known as "top100".
361 | ;
362 | ;newrelic.transaction_tracer.detail = 1
363 | 
364 | ;
365 | ; Setting: newrelic.transaction_tracer.slow_sql
366 | ; Type   : boolean
367 | ; Scope  : per-directory
368 | ; Default: true
369 | ; Info   : Enables or disables the "slow SQL" tracer. When enabled, this will
370 | ;          record the top 10 slowest SQL calls along with a stack trace of
371 | ;          where the call occurred in your code.
372 | ;
373 | ;newrelic.transaction_tracer.slow_sql = true
374 | 
375 | ;
376 | ; Setting: newrelic.transaction_tracer.stack_trace_threshold
377 | ; Type   : time specification string ("500ms", "1s750ms" etc)
378 | ; Scope  : per-directory
379 | ; Default: 500ms
380 | ; Info   : Sets the threshold above which the New Relic agent will record a
381 | ;          stack trace for a transaction trace.
382 | ;
383 | ;newrelic.transaction_tracer.stack_trace_threshold = 500
384 | 
385 | ;
386 | ; Setting: newrelic.transaction_tracer.explain_enabled
387 | ; Type   : boolean
388 | ; Scope  : per-directory
389 | ; Default: true
390 | ; Info   : Enables or disables requesting "explain plans" from MySQL and
391 | ;          PostgreSQL databases for slow SQL calls. The threshold for
392 | ;          requesting explain plans is defined below.
393 | ;
394 | ;newrelic.transaction_tracer.explain_enabled = true
395 | 
396 | ;
397 | ; Setting: newrelic.transaction_tracer.explain_threshold
398 | ; Type   : time specification string ("750ms", "1s 500ms" etc)
399 | ; Scope  : per-directory
400 | ; Default: 500ms
401 | ; Info   : Used by the slow SQL tracer to set the threshold above which an SQL
402 | ;          statement is considered "slow", and to set the threshold above which
403 | ;          the transaction tracer will request an "explain plan" from the data-
404 | ;          base for slow SQL. This latter feature may not be active yet, please
405 | ;          refer to the agent release notes to see when it becomes available.
406 | ;          Only relevant if explain_enabled above is set to true.
407 | ;
408 | ;newrelic.transaction_tracer.explain_threshold = 500
409 | 
410 | ;
411 | ; Setting: newrelic.transaction_tracer.record_sql
412 | ; Type   : "off", "raw" or "obfuscated"
413 | ; Scope  : per-directory
414 | ; Default: "obfuscated"
415 | ; Info   : Sets how SQL statements are recorded (if at all). If this is set to
416 | ;          "raw" then no attempt is made at obfuscating SQL statements.
417 | ;          USING "raw" IS HIGHLY DISCOURAGED IN PRODUCTION ENVIRONMENTS!
418 | ;          Setting this to "raw" has considerable security implications
419 | ;          as it can expose sensitive and private customer data.
420 | ;
421 | ;newrelic.transaction_tracer.record_sql = "obfuscated"
422 | 
423 | ; Setting: newrelic.transaction_tracer.custom
424 | ; Type   : string
425 | ; Scope  : per-directory
426 | ; Default: none
427 | ; Info   : Sets the name(s) of additional functions you want to instrument and
428 | ;          appear in transaction traces. This is only meaningful if you have
429 | ;          set newrelic.transaction_tracer.detail to 0. This can be a comma-
430 | ;          separated list of function or class method names.
431 | ;
432 | ;newrelic.transaction_tracer.custom = ""
433 | 
434 | ;
435 | ; Setting: newrelic.framework
436 | ; Type   : string
437 | ; Scope  : per-directory
438 | ; Default: empty (auto-detect framework)
439 | ; Info   : Forces the framework to be one of the supported frameworks. This
440 | ;          should only ever be used if the auto-detection fails, in which case
441 | ;          we (support.newrelic.com) would very much like to know about the
442 | ;          detection failure. Must be one of the following values:
443 | ;            cakephp, codeigniter, drupal, drupal8, joomla, kohana, laravel, magento,
444 | ;            mediawiki, symfony, wordpress, yii, zend or no_framework.
445 | ;          Note that "drupal" covers only Drupal 6 and 7.
446 | ;
447 | ;newrelic.framework = ""
448 | 
449 | ;
450 | ; Setting: newrelic.webtransaction.name.remove_trailing_path
451 | ; Type   : boolean
452 | ; Scope  : per-directory
453 | ; Default: false
454 | ; Info   : Used to aid naming transactions correctly when an unsupported
455 | ;          framework is being used. This option will cause anything after the
456 | ;          script name to be stripped from a URL. For example, setting this
457 | ;          would cause the "/xyz/zy" to be stripped from a URL such as
458 | ;          "/path/to/foo.php/xyz/zy".
459 | ;
460 | ;newrelic.webtransaction.name.remove_trailing_path = false
461 | 
462 | ;
463 | ; Setting: newrelic.webtransaction.name.functions
464 | ; Type   : string
465 | ; Scope  : per-directory
466 | ; Default: none
467 | ; Info   : Unless a specific framework such as Drupal or Wordpress has been
468 | ;          detected, transactions are named according to the first script
469 | ;          encountered, such as login.php. However, if you use a dispatcher
470 | ;          file such as index.php this produces less useful data. If you use
471 | ;          a dispatcher to redirect to actions such as "login", "show", "edit"
472 | ;          etc, you can set this to the top level functions for those actions,
473 | ;          and the function names specified here will be used to name the
474 | ;          transaction.
475 | ;
476 | ;newrelic.webtransaction.name.functions = ""
477 | 
478 | ;
479 | ; Setting: newrelic.webtransaction.name.files
480 | ; Type   : string
481 | ; Scope  : per-directory
482 | ; Default: none
483 | ; Info   : Same as newrelic.webtransaction.name.functions above but using file
484 | ;          names instead of function names. Accepts standard POSIX regular
485 | ;          expressions.
486 | ;
487 | ;newrelic.webtransaction.name.files = ""
488 | 
489 | ;
490 | ; Setting: newrelic.daemon.auditlog
491 | ; Type   : string
492 | ; Scope  : system
493 | ; Default: none
494 | ; info   : Sets the name of a file to record all uncompressed, un-encoded
495 | ;          content that is sent from your machine to the New Relic servers.
496 | ;          This includes the full URL for each command along with the payload
497 | ;          delivered with the command. This allows you to satisfy yourself
498 | ;          that the agent is not sending any sensitive data to our servers.
499 | ;          This file must be a different file the the newrelic.daemon.logfile
500 | ;          setting above. If you set it to the same name, then audit logging will be
501 | ;          silently ignored.
502 | ;newrelic.daemon.auditlog = "/var/log/newrelic/audit.log"
503 | 
504 | ;
505 | ; Setting: newrelic.transaction_events.enabled
506 | ; Type   : boolean
507 | ; Scope  : per-directory
508 | ; Default: true
509 | ; info   : Collect and report transaction analytics event data.  Event data
510 | ;          allows the New Relic UI to show additional information such as
511 | ;          histograms.  This setting was formerly called
512 | ;          newrelic.analytics_events.enabled.
513 | ;
514 | ;newrelic.transaction_events.enabled = true
515 | 
516 | ;
517 | ; Setting: newrelic.attributes.enabled
518 | ; Type   : boolean
519 | ; Scope  : per-directory
520 | ; Default: true
521 | ; info   : Enable or disable the collection of attributes generated by the
522 | ;          agent or generated by the user though newrelic_add_custom_parameter.
523 | ;          This setting will take precedence over all other attribute
524 | ;          configuration settings.  For more information, please refer to:
525 | ;          https://docs.newrelic.com/docs/subscriptions/agent-attributes
526 | ;
527 | ;newrelic.attributes.enabled = true
528 | 
529 | ;
530 | ; Setting: newrelic.transaction_events.attributes.enabled
531 | ;          newrelic.transaction_tracer.attributes.enabled
532 | ;          newrelic.error_collector.attributes.enabled
533 | ;          newrelic.browser_monitoring.attributes.enabled
534 | ; Type   : boolean
535 | ; Scope  : per-directory
536 | ; Default: true, except for browser_monitoring.attributes.enabled
537 | ; info   : Control which destinations receive attributes.
538 | ;          These configuration settings will override the .include and .exclude
539 | ;          settings below.
540 | ;          For more information, please refer to:
541 | ;          https://docs.newrelic.com/docs/subscriptions/agent-attributes
542 | ;
543 | ;          These settings were formerly called:
544 | ;          newrelic.transaction_tracer.capture_attributes
545 | ;          newrelic.error_collector.capture_attributes
546 | ;          newrelic.analytics_events.capture_attributes
547 | ;          newrelic.browser_monitoring.capture_attributes
548 | ;
549 | ;
550 | ;newrelic.transaction_events.attributes.enabled = true
551 | ;newrelic.transaction_tracer.attributes.enabled = true
552 | ;newrelic.error_collector.attributes.enabled = true
553 | ;newrelic.browser_monitoring.attributes.enabled = false
554 | 
555 | ;
556 | ; Setting: newrelic.attributes.include
557 | ;          newrelic.attributes.exclude
558 | ;
559 | ;          newrelic.transaction_events.attributes.include
560 | ;          newrelic.transaction_events.attributes.exclude
561 | ;
562 | ;          newrelic.transaction_tracer.attributes.include
563 | ;          newrelic.transaction_tracer.attributes.exclude
564 | ;
565 | ;          newrelic.error_collector.attributes.include
566 | ;          newrelic.error_collector.attributes.exclude
567 | ;
568 | ;          newrelic.browser_monitoring.attributes.include
569 | ;          newrelic.browser_monitoring.attributes.exclude
570 | ;
571 | ; Type   : string
572 | ; Scope  : per-directory
573 | ; Default: none
574 | ; info   : Each attribute has a default set of destinations. For example, the
575 | ;          'request_uri' attribute's default destinations are errors and
576 | ;          transaction traces.  The 'httpResponseCode' attribute's default
577 | ;          destinations are errors, transaction traces, and transaction events.
578 | ;
579 | ;          These configuration options allow complete control over the
580 | ;          destinations of attributes.
581 | ;
582 | ;          To include the attribute whose key is 'alpha' in errors, the
583 | ;          configuration is:
584 | ;          newrelic.error_collector.include = alpha
585 | ;
586 | ;          To exclude the attribute whose key is 'alpha' from errors, the
587 | ;          configuration is:
588 | ;          newrelic.error_collector.exclude = alpha
589 | ;
590 | ;          The newrelic.attributes.exclude and newrelic.attributes.include
591 | ;          settings affect all destinations.
592 | ;
593 | ;          To exclude the attributes 'beta' and 'gamma' from all destinations,
594 | ;          the configuration is:
595 | ;          newrelic.attributes.exclude = beta,gamma
596 | ;
597 | ;          If one of the values in the comma separated list ends in a '*',
598 | ;          it will match any suffix.  For example, to exclude any attributes
599 | ;          which begin with 'psi', the configuration is:
600 | ;          newrelic.attributes.exclude = psi*
601 | ;
602 | ;          For more information, please refer to:
603 | ;          https://docs.newrelic.com/docs/subscriptions/agent-attributes
604 | ;
605 | ;newrelic.attributes.include = ""
606 | ;newrelic.attributes.exclude = ""
607 | ;
608 | ;newrelic.transaction_events.attributes.include = ""
609 | ;newrelic.transaction_events.attributes.exclude = ""
610 | ;
611 | ;newrelic.transaction_tracer.attributes.include = ""
612 | ;newrelic.transaction_tracer.attributes.exclude = ""
613 | ;
614 | ;newrelic.error_collector.attributes.include = ""
615 | ;newrelic.error_collector.attributes.exclude = ""
616 | ;
617 | ;newrelic.browser_monitoring.attributes.include = ""
618 | ;newrelic.browser_monitoring.attributes.exclude = ""
619 | 
620 | ;
621 | ; Setting: newrelic.feature_flag
622 | ; Type   : string
623 | ; Scope  : system
624 | ; Default: none
625 | ; Info   : Enables experimental features within the PHP agent. These flags are
626 | ;          used to allow testing of features that may be provided in future
627 | ;          versions of the agent. Please note that we may be unable to provide
628 | ;          support for experimental features.
629 | ;
630 | ;newrelic.feature_flag = ""
631 | 
632 | ; Setting: newrelic.custom_insights_events.enabled
633 | ; Type   : boolean
634 | ; Scope  : per-directory
635 | ; Default: true
636 | ; Info   : Enables or disables the API function newrelic_record_custom_event.
637 | ;
638 | ;newrelic.custom_insights_events.enabled = true
639 | 
640 | ; Setting: newrelic.labels
641 | ; Type   : string (Use quotes)
642 | ; Scope  : per-directory
643 | ; Default: none
644 | ; Info   : Sets the label names and values to associate with the application.
645 | ;          The list is a semi-colon delimited list of colon-separated name and
646 | ;          value pairs.
647 | ;
648 | ;          There are a maximum of 64 label name/value pairs allowed.
649 | ;
650 | ;          The maximum length of the name and value is 255 characters each.
651 | ;
652 | ;          Leading or trailing whitespace in the name or value will be trimmed.
653 | ;
654 | ;          UTF-8 characters are allowed.
655 | ;
656 | ;          E.g., "Server:One;Data Center:Primary"
657 | ;
658 | ;newrelic.labels = ""
659 | 
660 | ; Setting: newrelic.synthetics.enabled
661 | ; Type   : boolean
662 | ; Scope  : per-directory
663 | ; Default: true
664 | ; Info   : Enables or disables support for Synthetics transactions.
665 | ;          For more information, please see:
666 | ;          https://docs.newrelic.com/docs/synthetics/new-relic-synthetics/getting-started/new-relic-synthetics
667 | ;
668 | ;newrelic.synthetics.enabled = true
669 | 


--------------------------------------------------------------------------------
/ansible/roles/newrelic/templates/newrelic.repo.j2:
--------------------------------------------------------------------------------
1 | [newrelic]
2 | name=New Relic packages for Enterprise Linux 5 - $basearch
3 | baseurl=http://yum.newrelic.com/pub/newrelic/el5/$basearch
4 | enabled=1
5 | gpgcheck=0
6 | 


--------------------------------------------------------------------------------
/ansible/roles/nginx/handlers/main.yml:
--------------------------------------------------------------------------------
 1 | - name: restart nginx
 2 |   service: 
 3 |     name: nginx 
 4 |     state: restarted 
 5 |     enabled: yes
 6 | 
 7 | - name: reload nginx
 8 |   service: 
 9 |     name: nginx 
10 |     state: reloaded 
11 |     enabled: yes
12 | 


--------------------------------------------------------------------------------
/ansible/roles/nginx/tasks/main.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | - name: install nginx
 3 |   yum:
 4 |     pkg: nginx
 5 |     state: latest
 6 |   notify: restart nginx
 7 | 
 8 | - name: set default nginx conf
 9 |   template:
10 |     src: nginx.conf.j2
11 |     dest: /etc/nginx/nginx.conf
12 |     owner: root
13 |     mode: 0600
14 |   notify: reload nginx
15 | 
16 | - include: vhost.yml
17 | 
18 | #######################
19 | # M O N I T O R I N G #
20 | #######################
21 | - include: ../../datadog/tasks/checks.yml
22 |   vars:
23 |     datadog_checks:
24 |       process:
25 |         init_config:
26 |         instances:
27 |           - name: nginx
28 |             search_string: [ 'nginx' ]
29 |       nginx:
30 |         init_config:
31 |         instances:
32 |           - nginx_status_url: http://localhost/nginx_status/
33 |             tags:
34 |               - domain:"{{ domain }}"
35 |   ignore_errors: True
36 | #######################
37 | # LOGGLY      L O G S #
38 | #######################
39 | - template:
40 |     src: 21-nginx-loggly.conf.j2
41 |     dest: /etc/rsyslog.d/21-nginx-loggly.conf
42 |     owner: root
43 |     group: root
44 |     mode: 0644
45 |   ignore_errors: True
46 | 


--------------------------------------------------------------------------------
/ansible/roles/nginx/tasks/vhost.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | - name: Remove default nginx vhost config file
 3 |   file:
 4 |     path: "/etc/nginx/sites-enabled/default"
 5 |     state: absent
 6 |   notify: reload nginx
 7 | 
 8 | - name: create /etc/nginx/sites-enabled directory
 9 |   file:
10 |     path: "/etc/nginx/sites-enabled"
11 |     state: directory
12 | 
13 | - name: wp vhost config
14 |   template:
15 |     src: wp.conf.j2
16 |     dest: "/etc/nginx/sites-enabled/{{domain}}.conf"
17 |     mode: 0644
18 |   notify: reload nginx
19 | 


--------------------------------------------------------------------------------
/ansible/roles/nginx/templates/21-nginx-loggly.conf.j2:
--------------------------------------------------------------------------------
 1 | # {{ ansible_managed }}
 2 | $ModLoad imfile
 3 | $InputFilePollInterval 10
 4 | $PrivDropToGroup adm
 5 | $WorkDirectory /var/spool/rsyslog
 6 | 
 7 | # Nginx access file:
 8 | $InputFileName /var/log/nginx/access.log
 9 | $InputFileTag nginx-access:
10 | $InputFileStateFile stat-nginx-access
11 | $InputFileSeverity info
12 | $InputFilePersistStateInterval 20000
13 | $InputRunFileMonitor
14 | 
15 | #Nginx Error file:
16 | $InputFileName /var/log/nginx/error.log
17 | $InputFileTag nginx-error:
18 | $InputFileStateFile stat-nginx-error
19 | $InputFileSeverity error
20 | $InputFilePersistStateInterval 20000
21 | $InputRunFileMonitor
22 | 
23 | #Add a tag for nginx events
24 | $template LogglyFormatNginx,"<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [dc849d35-7786-43d6-b324-59193b86efda@41058 tag=\"nginx\"] %msg%\n"
25 | 
26 | if $programname == 'nginx-access' then @@logs-01.loggly.com:514;LogglyFormatNginx
27 | if $programname == 'nginx-access' then ~
28 | if $programname == 'nginx-error' then @@logs-01.loggly.com:514;LogglyFormatNginx
29 | if $programname == 'nginx-error' then ~
30 | 


--------------------------------------------------------------------------------
/ansible/roles/nginx/templates/nginx.conf.j2:
--------------------------------------------------------------------------------
 1 | #{{ ansible_managed }}
 2 | user nginx;
 3 | worker_processes  {{ ansible_processor_count }};
 4 | 
 5 | pid /var/run/nginx.pid;
 6 | 
 7 | events {
 8 |     worker_connections 768;
 9 | }
10 | 
11 | http {
12 |     server_tokens off;
13 | 
14 |     default_type text/html;
15 |     charset utf-8;
16 | 
17 |     types_hash_max_size 2048;
18 |     sendfile on;
19 |     tcp_nopush on;
20 |     tcp_nodelay off;
21 |     gzip on;
22 |     gzip_disable "msie6";
23 |     server_names_hash_bucket_size 64;
24 | 
25 |     error_log /var/log/nginx/error.log;
26 | 
27 |     client_max_body_size 1000m;
28 |     client_body_timeout 3600s;
29 | 
30 |     include /etc/nginx/mime.types;
31 |     include /etc/nginx/conf.d/*.conf;
32 |     include /etc/nginx/sites-enabled/*;
33 | }
34 | 


--------------------------------------------------------------------------------
/ansible/roles/nginx/templates/wp.conf.j2:
--------------------------------------------------------------------------------
 1 | # {{ ansible_managed }}
 2 | server {
 3 |   listen 80;
 4 | 
 5 |   root /home/deploy/{{ domain }};
 6 |   index index.php index.html index.htm;
 7 |   access_log /var/log/nginx/access.log;
 8 | 
 9 |   server_name www.{{ domain }};
10 | 
11 |   location / {
12 |     try_files $uri $uri/ /index.php?q=$uri&$args;
13 |   }
14 | 
15 |   error_page 404 /404.html;
16 | 
17 |   error_page 500 502 503 504 /50x.html;
18 |   location = /50x.html {
19 |     root /usr/share/nginx/html;
20 |   }
21 | 
22 |   location ~ \.php$ {
23 |     fastcgi_pass unix:/var/run/php-fpm/{{ domain }}.sock;
24 |     fastcgi_index index.php;
25 |     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
26 |     fastcgi_param HTTP_PROXY "";
27 |     include fastcgi_params;
28 |   }
29 | 
30 |   location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
31 |     expires max;
32 |     log_not_found off;
33 |     access_log off;
34 |   }
35 | 
36 |   location = /robots.txt {
37 |     access_log off;
38 |     log_not_found off;
39 |   }
40 | 
41 |   location ~ /\. {
42 |     deny all;
43 |     access_log off;
44 |     log_not_found off;
45 |   }
46 | 
47 |   # security
48 |   location ~* /(?:uploads|files)/.*.php$ {
49 |     deny all;
50 |   }
51 | 
52 |   location ~* .(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(.php)?|xtmpl)$|^(..*|Entries.*|Repository|Root|Tag|Template)$|.php_ {
53 |     return 444;
54 |   }
55 | 
56 |   location ~* .(pl|cgi|py|sh|lua)$ {
57 |     return 444;
58 |   }
59 | 
60 |   location ~ /(.|wp-config.php|wp-comments-post.php|readme.html|license.txt|xmlrpc.php) {
61 |     deny all;
62 |   }
63 | 
64 | 
65 |   # Status endponts
66 |   location ~ ^/(fpm-status|fpm-ping)$ {
67 |     access_log off;
68 |     allow 127.0.0.1;
69 |     deny all;
70 |     include fastcgi_params;
71 |     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
72 |     fastcgi_param HTTP_PROXY "";
73 |     fastcgi_pass unix:/var/run/php-fpm/{{ domain }}.sock;
74 |   }
75 | 
76 |   location /nginx_status {
77 |     access_log off;
78 |     allow 127.0.0.1;
79 |     deny all;
80 |     stub_status;
81 |   }
82 | 
83 | }
84 | 


--------------------------------------------------------------------------------
/ansible/roles/php-fpm/handlers/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: restart php-fpm
3 |   service: 
4 |     name: php-fpm 
5 |     state: restarted 
6 |     enabled: yes
7 | 


--------------------------------------------------------------------------------
/ansible/roles/php-fpm/tasks/main.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | - name: Install php-fpm and deps
 3 |   yum:
 4 |     pkg: "{{ item }}"
 5 |     state: present
 6 |   with_items:
 7 |     - php
 8 |     - php-fpm
 9 |     - php-enchant
10 |     - php-IDNA_Convert
11 |     - php-mbstring
12 |     - php-mysql
13 |     - php-PHPMailer
14 |     - php-process
15 |     - php-simplepie
16 |     - php-xml
17 |     - mysql
18 |     - php-pecl-memcache
19 |     - php-pecl-redis
20 |     - php-pecl-imagick
21 |     - php-gd
22 | 
23 | - name: Chown nginx /var/lib/php/session
24 |   file:
25 |     path: /var/lib/php/session
26 |     state: directory
27 |     owner: nginx
28 |     group: nginx
29 | 
30 | - name: Remove default pool
31 |   file:
32 |     path: /etc/php-fpm.d/www.conf
33 |     state: absent
34 | 
35 | - name: Copy php-fpm configuration
36 |   template:
37 |     src: wordpress.conf.j2
38 |     dest: /etc/php-fpm.d/{{ domain }}.conf
39 |   notify: restart php-fpm
40 | 
41 | #######################
42 | # M O N I T O R I N G #
43 | #######################
44 | - include: ../../datadog/tasks/checks.yml
45 |   vars:
46 |     datadog_checks:
47 |       process:
48 |         init_config:
49 |         instances:
50 |           - name: php-fpm
51 |             search_string: [ 'php-fpm' ]
52 |             tags:
53 |               - domain:"{{ domain }}"
54 |       php_fpm:
55 |         init_config:
56 |         instances:
57 |           - status_url: http://localhost/fpm-status
58 |             ping_url: http://localhost/fpm-ping
59 |             ping_reply: pong
60 |             tags:
61 |               - domain:"{{ domain }}"
62 |   ignore_errors: True
63 | 


--------------------------------------------------------------------------------
/ansible/roles/php-fpm/templates/wordpress.conf.j2:
--------------------------------------------------------------------------------
 1 | #{{ ansible_managed }}
 2 | [wordpress]
 3 | listen = /var/run/php-fpm/{{ domain }}.sock
 4 | listen.owner = nginx
 5 | listen.group = nginx
 6 | listen.mode = 0660
 7 | user = nginx
 8 | group = nginx
 9 | pm = dynamic
10 | pm.max_children = 50
11 | pm.start_servers = 5
12 | pm.min_spare_servers = 5
13 | pm.max_spare_servers = 10
14 | pm.max_requests = 500
15 | chdir = /home/deploy/{{ domain }}/
16 | pm.status_path = /fpm-status
17 | ping.path = /fpm-ping
18 | ping.response = pong
19 | slowlog = /var/log/php-fpm/slow.log
20 | request_slowlog_timeout = 10s
21 | 
22 | php_admin_value[open_basedir]           = /home/deploy/{{ domain }}/:/mnt/{{ domain }}:/tmp/:/mnt/sessions
23 | php_admin_value[expose_php]             = Off
24 | php_admin_value[upload_max_filesize]    = 1000M
25 | php_admin_value[post_max_size]          = 1020M
26 | php_admin_value[max_input_time]         = 3600
27 | php_admin_value[max_execution_time]     = 3600
28 | php_admin_value[memory_limit]           = 256M
29 | php_admin_value[error_log]              = /var/log/php-fpm/php-error.log
30 | php_admin_flag[log_errors]              = on
31 | php_admin_value[session.save_path]      = /mnt/sessions
32 | 


--------------------------------------------------------------------------------
/ansible/roles/rsyslog/.travis.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | sudo: required
 3 | dist: trusty
 4 | 
 5 | language: generic
 6 | 
 7 | before_install:
 8 |   - sudo apt-get -qq update
 9 |   - sudo apt-get install -y python python-pip
10 | 
11 | install:
12 |   # Install ansible
13 |   - sudo pip install ansible
14 | 
15 |   # Check ansible version
16 |   - ansible --version
17 | 
18 |   # Create ansible.cfg with correct roles_path
19 |   - printf '[defaults]\nroles_path=../' >ansible.cfg
20 | 
21 |   # Install role dependencies
22 |   # ...
23 | 
24 | script:
25 |   # Basic role syntax check
26 |   - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
27 | 
28 |   # Run the role/playbook with ansible-playbook
29 |   - ansible-playbook tests/test.yml -i tests/inventory --connection=local --become
30 | 
31 |   # Run the role/playbook again, checking to make sure it's idempotent
32 |   - >
33 |     ansible-playbook tests/test.yml -i tests/inventory --connection=local --become
34 |     | grep -q 'changed=0.*failed=0'
35 |     && (echo 'Idempotence test: pass' && exit 0)
36 |     || (echo 'Idempotence test: fail' && exit 1)
37 | 
38 |   # Playbook specific tests
39 |   # ...
40 | 
41 | notifications:
42 |   webhooks: https://galaxy.ansible.com/api/v1/notifications/
43 | 


--------------------------------------------------------------------------------
/ansible/roles/rsyslog/LICENSE:
--------------------------------------------------------------------------------
 1 | Copyright (c) 2015, Kevin Brebanov
 2 | All rights reserved.
 3 | 
 4 | Redistribution and use in source and binary forms, with or without
 5 | modification, are permitted provided that the following conditions are met:
 6 | 
 7 | * Redistributions of source code must retain the above copyright notice, this
 8 |   list of conditions and the following disclaimer.
 9 | 
10 | * Redistributions in binary form must reproduce the above copyright notice,
11 |   this list of conditions and the following disclaimer in the documentation
12 |   and/or other materials provided with the distribution.
13 | 
14 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
15 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
17 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
18 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
20 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
21 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
22 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24 | 
25 | 


--------------------------------------------------------------------------------
/ansible/roles/rsyslog/README.md:
--------------------------------------------------------------------------------
 1 | rsyslog
 2 | =======
 3 | 
 4 | [![Build Status](https://travis-ci.org/kbrebanov/ansible-rsyslog.svg?branch=master)](https://travis-ci.org/kbrebanov/ansible-rsyslog)
 5 | 
 6 | Installs and configures rsyslog
 7 | 
 8 | Requirements
 9 | ------------
10 | 
11 | This role requires Ansible 1.9 or higher.
12 | 
13 | Role Variables
14 | --------------
15 | 
16 | | Name                                    | Default                       | Description                                   |
17 | |:----------------------------------------|:------------------------------|:----------------------------------------------|
18 | | rsyslog_repeated_msg_reduction          | "on"                          | Enable/disable repeated msg redution          |
19 | | rsyslog_action_file_default_template    | RSYSLOG_TraditionalFileFormat | Action file default template                  |
20 | | rsyslog_klog_permit_non_kernel_facility | "on"                          | Enable/disable logging of non kernel facility |
21 | | rsyslog_udp_enable                      | false                         | Enable or disable rsyslog to listen on UDP    |
22 | | rsyslog_udp_address                     | 127.0.0.1                     | Address to bind to for UDP                    |
23 | | rsyslog_udp_port                        | 514                           | UDP port                                      |
24 | | rsyslog_tcp_enable                      | false                         | Enable or disable rsyslog to listen on TCP    |
25 | | rsyslog_tcp_port                        | 514                           | TCP port                                      |
26 | | rsyslog_apps                            | []                            | List of hashes for app specific configs       |
27 | 
28 | Dependencies
29 | ------------
30 | 
31 | None
32 | 
33 | Example Playbook
34 | ----------------
35 | 
36 | Install rsyslog
37 | ```yaml
38 | - hosts: all
39 |   roles:
40 |     - kbrebanov.rsyslog
41 | ```
42 | 
43 | Install rsyslog and disable repeated msg reduction
44 | ```yaml
45 | - hosts: all
46 |   vars:
47 |     rsyslog_repeated_msg_reduction: "off"
48 |   roles:
49 |     - kbrebanov.rsyslog
50 | ```
51 | 
52 | Install rsyslog and configure logging options for HAProxy
53 | ```yaml
54 | - hosts: all
55 |   vars:
56 |     rsyslog_apps:
57 |       - name: haproxy
58 |         priority: 49
59 |         lines:
60 |           - "local0.* -/var/log/haproxy_0.log"
61 |           - "local1.* -/var/log/haproxy_1.log"
62 |           - "& ~"
63 |   roles:
64 |     - kbrebanov.rsyslog
65 | 
66 | ```
67 | 
68 | License
69 | -------
70 | 
71 | BSD
72 | 
73 | Author Information
74 | ------------------
75 | 
76 | Kevin Brebanov
77 | 


--------------------------------------------------------------------------------
/ansible/roles/rsyslog/defaults/main.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | # defaults file for rsyslog
 3 | 
 4 | rsyslog_repeated_msg_reduction: "on"
 5 | rsyslog_action_file_default_template: RSYSLOG_TraditionalFileFormat
 6 | rsyslog_klog_permit_non_kernel_facility: "on"
 7 | rsyslog_udp_enable: false
 8 | rsyslog_udp_address: 127.0.0.1
 9 | rsyslog_udp_port: 514
10 | rsyslog_tcp_enable: false
11 | rsyslog_tcp_port: 514
12 | rsyslog_apps: []
13 | 


--------------------------------------------------------------------------------
/ansible/roles/rsyslog/handlers/main.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | # handlers file for rsyslog
 3 | 
 4 | - name: restart rsyslog
 5 |   become: yes
 6 |   service:
 7 |     name: "{{ rsyslog_service_name }}"
 8 |     state: restarted
 9 |   tags:
10 |     - rsyslog
11 | 


--------------------------------------------------------------------------------
/ansible/roles/rsyslog/meta/main.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | galaxy_info:
 3 |   author: Kevin Brebanov
 4 |   description: Installs and configures rsyslog
 5 |   company:
 6 |   license: BSD
 7 |   min_ansible_version: 1.9
 8 |   github_branch: master
 9 |   platforms:
10 |     - name: Ubuntu
11 |       versions:
12 |         - trusty
13 |         - xenial
14 |   galaxy_tags:
15 |   - system
16 | dependencies: []
17 | 


--------------------------------------------------------------------------------
/ansible/roles/rsyslog/tasks/CentOS.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # tasks file for rsyslog (CentOS specific)
3 | 


--------------------------------------------------------------------------------
/ansible/roles/rsyslog/tasks/Ubuntu.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | # tasks file for rsyslog (Ubuntu specific)
 3 | 
 4 | - name: Install rsyslog packages
 5 |   become: yes
 6 |   apt:
 7 |     name: "{{ item }}"
 8 |     state: present
 9 |     update_cache: yes
10 |   with_items:
11 |     - "{{ rsyslog_packages }}"
12 |   tags:
13 |     - rsyslog
14 | 


--------------------------------------------------------------------------------
/ansible/roles/rsyslog/tasks/logs.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | - name: Create application specific configuration files
 3 |   become: yes
 4 |   template:
 5 |     src: roles/rsyslog/templates/app.conf.j2
 6 |     dest: /etc/rsyslog.d/{{ item.priority }}-{{ item.name }}.conf
 7 |     owner: root
 8 |     group: root
 9 |     mode: 0644
10 |   with_items:
11 |     - "{{ rsyslog_apps }}"
12 |   notify:
13 |     - restart rsyslog
14 |   tags:
15 |     - rsyslog
16 | 


--------------------------------------------------------------------------------
/ansible/roles/rsyslog/tasks/main.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | # tasks file for rsyslog
 3 | 
 4 | - include: CentOS.yml
 5 | 
 6 | - name: Create rsyslog.conf configuration file
 7 |   become: yes
 8 |   template:
 9 |     src: rsyslog.conf.j2
10 |     dest: /etc/rsyslog.conf
11 |     owner: root
12 |     group: root
13 |     mode: 0644
14 |   notify:
15 |     - restart rsyslog
16 |   tags:
17 |     - rsyslog
18 | 
19 | - name: Create rsyslog.d configuration directory
20 |   become: yes
21 |   file:
22 |     path: /etc/rsyslog.d
23 |     owner: root
24 |     group: root
25 |     mode: 0755
26 |     state: directory
27 |   tags:
28 |     - rsyslog
29 | 
30 | - name: Create application specific configuration files
31 |   become: yes
32 |   template:
33 |     src: app.conf.j2
34 |     dest: /etc/rsyslog.d/{{ item.priority }}-{{ item.name }}.conf
35 |     owner: root
36 |     group: root
37 |     mode: 0644
38 |   with_items:
39 |     - "{{ rsyslog_apps }}"
40 |   notify:
41 |     - restart rsyslog
42 |   tags:
43 |     - rsyslog
44 | 
45 | - name: Ensure rsyslog service is started and enabled on boot
46 |   become: yes
47 |   service:
48 |     name: "{{ rsyslog_service_name }}"
49 |     state: started
50 |     enabled: yes
51 |   tags:
52 |     - rsyslog
53 | 


--------------------------------------------------------------------------------
/ansible/roles/rsyslog/templates/app.conf.j2:
--------------------------------------------------------------------------------
1 | # {{ ansible_managed }}
2 | 
3 | {% for line in item.lines %}
4 | {{ line }}
5 | {% endfor %}
6 | 


--------------------------------------------------------------------------------
/ansible/roles/rsyslog/templates/rsyslog.conf.j2:
--------------------------------------------------------------------------------
 1 | # rsyslog v5 configuration file
 2 | $MaxMessageSize 64k
 3 | 
 4 | # For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
 5 | # If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
 6 | 
 7 | #### MODULES ####
 8 | 
 9 | $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
10 | $ModLoad imklog   # provides kernel logging support (previously done by rklogd)
11 | #$ModLoad immark  # provides --MARK-- message capability
12 | 
13 | # Provides UDP syslog reception
14 | #$ModLoad imudp
15 | #$UDPServerRun 514
16 | 
17 | # Provides TCP syslog reception
18 | #$ModLoad imtcp
19 | #$InputTCPServerRun 514
20 | 
21 | 
22 | #### GLOBAL DIRECTIVES ####
23 | 
24 | # Use default timestamp format
25 | $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
26 | 
27 | # File syncing capability is disabled by default. This feature is usually not required,
28 | # not useful and an extreme performance hit
29 | #$ActionFileEnableSync on
30 | 
31 | #### RULES ####
32 | 
33 | # Log all kernel messages to the console.
34 | # Logging much else clutters up the screen.
35 | # kern.*                                                 /dev/console
36 | 
37 | # Log anything (except mail) of level info or higher.
38 | # Don't log private authentication messages!
39 | *.info;mail.none;authpriv.none;cron.none                /var/log/messages
40 | 
41 | # The authpriv file has restricted access.
42 | authpriv.*                                              /var/log/secure
43 | 
44 | # Log all the mail messages in one place.
45 | mail.*                                                  -/var/log/maillog
46 | 
47 | 
48 | # Log cron stuff
49 | cron.*                                                  /var/log/cron
50 | 
51 | # Everybody gets emergency messages
52 | *.emerg                                                 *
53 | 
54 | # Save news errors of level crit and higher in a special file.
55 | uucp,news.crit                                          /var/log/spooler
56 | 
57 | # Save boot messages also to boot.log
58 | local7.*                                                /var/log/boot.log
59 | 
60 | 
61 | # ### begin forwarding rule ###
62 | # The statement between the begin ... end define a SINGLE forwarding
63 | # rule. They belong together, do NOT split them. If you create multiple
64 | # forwarding rules, duplicate the whole block!
65 | # Remote Logging (we use TCP for reliable delivery)
66 | #
67 | # An on-disk queue is created for this action. If the remote host is
68 | # down, messages are spooled to disk and sent when it is up again.
69 | #$WorkDirectory /var/lib/rsyslog # where to place spool files
70 | #$ActionQueueFileName fwdRule1 # unique name prefix for spool files
71 | #$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
72 | #$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
73 | #$ActionQueueType LinkedList   # run asynchronously
74 | #$ActionResumeRetryCount -1    # infinite retries if host is down
75 | # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
76 | #*.* @@remote-host:514
77 | # ### end of the forwarding rule ###
78 | 
79 | # Finally include all config files in /etc/rsyslog.d. This allows overrides
80 | # of the default configuration above.
81 | $IncludeConfig /etc/rsyslog.d/*.conf
82 | 


--------------------------------------------------------------------------------
/ansible/roles/rsyslog/tests/inventory:
--------------------------------------------------------------------------------
1 | localhost
2 | 


--------------------------------------------------------------------------------
/ansible/roles/rsyslog/tests/test.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - hosts: localhost
3 |   remote_user: root
4 |   roles:
5 |     - ansible-rsyslog
6 | 


--------------------------------------------------------------------------------
/ansible/roles/rsyslog/vars/CentOS.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # vars file for rsyslog (CentOS specific)
3 | 


--------------------------------------------------------------------------------
/ansible/roles/rsyslog/vars/Ubuntu.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | # vars file for rsyslog (Ubuntu specific)
 3 | 
 4 | rsyslog_packages:
 5 |   - rsyslog
 6 | rsyslog_service_name: rsyslog
 7 | rsyslog_file_owner: syslog
 8 | rsyslog_file_group: adm
 9 | rsyslog_file_create_mode: "0640"
10 | rsyslog_dir_create_mode: "0755"
11 | rsyslog_umask: "0022"
12 | rsyslog_priv_drop_to_user: syslog
13 | rsyslog_priv_drop_to_group: syslog
14 | rsyslog_work_directory: /var/spool/rsyslog
15 | rsyslog_include_config: /etc/rsyslog.d/*.conf
16 | 


--------------------------------------------------------------------------------
/ansible/roles/rsyslog/vars/main.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | # vars file for rsyslog (CentOS specific)
 3 | 
 4 | rsyslog_packages:
 5 |   - rsyslog
 6 | rsyslog_service_name: rsyslog
 7 | rsyslog_file_owner: root
 8 | rsyslog_file_group: root
 9 | rsyslog_file_create_mode: "0640"
10 | rsyslog_dir_create_mode: "0755"
11 | rsyslog_umask: "0022"
12 | rsyslog_priv_drop_to_user: root
13 | rsyslog_priv_drop_to_group: root
14 | rsyslog_work_directory: /var/spool/rsyslog
15 | rsyslog_include_config: /etc/rsyslog.d/*.conf
16 | 


--------------------------------------------------------------------------------
/ansible/roles/wordpress/tasks/main.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | - user:
 3 |     name: deploy
 4 |     group: nginx
 5 |     home: /home/deploy
 6 | 
 7 | - git:
 8 |     accept_hostkey: yes
 9 |     clone: yes
10 |     dest: "/home/deploy/{{ domain }}"
11 |     repo: "{{ site_repo }}"
12 |   become_user: deploy
13 | 
14 | - file:
15 |     path: /home/deploy/
16 |     state: directory
17 |     owner: deploy
18 |     mode: 0755
19 | 
20 | - file:
21 |     src: "/mnt/{{ domain }}/uploads/"
22 |     dest: "/home/deploy/{{ domain }}/wp-content/uploads"
23 |     owner: deploy
24 |     group: nginx
25 |     force: true
26 |     state: link
27 | 
28 | # set up wp-cli
29 | - get_url:
30 |     url: https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
31 |     dest: /usr/local/bin/wp
32 |     mode: 0755
33 | 
34 | - name: deploy script
35 |   template:
36 |     src: deploy_wordpress.j2
37 |     dest: "/usr/local/bin/deploy_wordpress"
38 |     mode: 0755
39 | 
40 | # This creates the PATH env variable for the deploy user's crontab
41 | - cron:
42 |     name: PATH
43 |     env: yes
44 |     value: /usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/opt/aws/bin:/home/deploy/.local/bin:/home/deploy/bin
45 |     user: deploy
46 | 
47 | - cron:
48 |     name: update website
49 |     minute: "*/1"
50 |     user : "deploy"
51 |     job: "/usr/local/bin/deploy_wordpress"
52 | 
53 | 


--------------------------------------------------------------------------------
/ansible/roles/wordpress/templates/deploy_wordpress.j2:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | env=$(facter --external-dir /etc/facter/facts.d/ ec2_tag_env)
 4 | host=$(hostname)
 5 | 
 6 | branch="develop"
 7 | if [[ "$env" = "prod" ]]; then
 8 |     branch="production"
 9 | fi
10 | 
11 | cd /home/deploy/{{ domain | splitext | first }}
12 | git remote update
13 | git checkout ${branch}
14 | 
15 | status=$(git log HEAD..origin/${branch} --oneline)
16 | 
17 | if [ "$status" ]; then
18 |     git pull --rebase origin ${branch}
19 | 
20 |     if [[ "$env" = "prod" ]]; then
21 |         echo $(date +%s) > wp-content/uploads/last_deploy
22 |     fi
23 | 
24 |     echo $(date +%s) > wp-content/uploads/last_deploy_${env}
25 |     echo "${host} - ${branch} {{ domain }} updated" | /usr/local/bin/slack
26 | fi
27 | 


--------------------------------------------------------------------------------
/ansible/wp.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | - hosts: all
 3 |   gather_facts: yes
 4 |   become: yes
 5 | 
 6 |   roles:
 7 |     - {
 8 |         role: datadog,
 9 |         become: yes,
10 |         datadog_api_key: "{{ datadog_api_key }}",
11 |         when: datadog_api_key is defined
12 |     }
13 |     - {
14 |         role: rsyslog,
15 |         when: loggly_token is defined
16 |     }
17 |     - {
18 |         role: loggly,
19 |         loggly_token: "{{ loggly_token }}",
20 |         loggly_tag: "{{ domain }}",
21 |         when: loggly_token is defined
22 |     }
23 |     - {
24 |         role: common,
25 |         domain: "{{ domain }}",
26 |         slack_webhook_url: "{{ slack_webhook_url }}",
27 |         slack_channel: "{{ slack_channel }}",
28 |         rsa_public_key: "{{ rsa_public_key }}"
29 |     }
30 |     - {
31 |         role: nginx,
32 |         domain: "{{ domain }}"
33 |     }
34 |     - {
35 |         role: php-fpm,
36 |         domain: "{{ domain }}"
37 |     }
38 |     - {
39 |         role: wordpress,
40 |         domain: "{{ domain }}",
41 |         site_repo: "{{ site_repo }}"
42 |     }
43 |     - {
44 |         role: newrelic,
45 |         php5_newrelic_appname: "{{ domain }}",
46 |         newrelic_license_key: "{{ newrelic_license_key }}",
47 |         when: newrelic_license_key is defined
48 |     }
49 | 


--------------------------------------------------------------------------------
/examples/advanced.tf:
--------------------------------------------------------------------------------
 1 | module "wp" {
 2 |   source             = "./wp"
 3 |   domain             = "###DOMAIN###"
 4 |   public_subnets     = "${module.vpc.public_subnets}"
 5 |   private_subnets    = "${module.vpc.private_subnets}"
 6 |   internal_sg        = "${module.sg.internal_sg_id}"
 7 |   availability_zones = "${module.vpc.availability_zones}"
 8 |   vpc_id             = "${module.vpc.vpc_id}"
 9 |   db_pass            = "l33tp455"
10 |   no_cdn             = false
11 | 
12 |   # here you can set the instance types
13 |   prod_instance_type     = "t2.medium"
14 |   test_instance_type     = "t2.micro"
15 |   prod_rds_instance_type = "t2.medium"
16 |   test_rds_instance_type = "t2.micro"
17 | 
18 |   # here you can define the size of your prod cluster
19 |   asg_minimum_number_of_instances = 3
20 |   asg_maximum_number_of_instances = 20
21 | 
22 |   # more advanced ELB healthcheck
23 |   health_check = "HTTP:80/wp-login.php"
24 | }
25 | 
26 | module "wp-fastly" {
27 |   source           = "./wp-fastly"
28 |   domain           = "###DOMAIN###"
29 |   domain_zone_id   = "${module.wp.route53_zone_id}"
30 |   api_key          = "${var.fastly_api_key}"
31 |   elb_public_sg_id = "${module.wp.prod-elb_public_sg_id}"
32 | }
33 | 
34 | module "wp-statuscake" {
35 |   source   = "./wp-statuscake"
36 |   domain   = "###DOMAIN###"
37 |   username = "${var.statuscake_username}"
38 |   apikey   = "${var.statuscake_apikey}"
39 | }
40 | 


--------------------------------------------------------------------------------
/examples/basic-with-fastly-statuscake.tf:
--------------------------------------------------------------------------------
 1 | module "wp" {
 2 |   source             = "./wp"
 3 |   domain             = "###DOMAIN###"
 4 |   public_subnets     = "${module.vpc.public_subnets}"
 5 |   private_subnets    = "${module.vpc.private_subnets}"
 6 |   internal_sg        = "${module.sg.internal_sg_id}"
 7 |   availability_zones = "${module.vpc.availability_zones}"
 8 |   vpc_id             = "${module.vpc.vpc_id}"
 9 |   db_pass            = "superPass34234"
10 |   no_cdn             = false
11 | }
12 | 
13 | module "wp-fastly" {
14 |   source           = "./wp-fastly"
15 |   domain           = "###DOMAIN###"
16 |   domain_zone_id   = "${module.wp.route53_zone_id}"
17 |   api_key          = "${var.fastly_api_key}"
18 |   elb_public_sg_id = "${module.wp.prod-elb_public_sg_id}"
19 | }
20 | 
21 | module "wp-statuscake" {
22 |   source   = "./wp-statuscake"
23 |   domain   = "###DOMAIN###"
24 |   username = "${var.statuscake_username}"
25 |   apikey   = "${var.statuscake_apikey}"
26 | }
27 | 


--------------------------------------------------------------------------------
/examples/basic-with-fastly.tf:
--------------------------------------------------------------------------------
 1 | module "wp" {
 2 |   source             = "./wp"
 3 |   domain             = "###DOMAIN###"
 4 |   public_subnets     = "${module.vpc.public_subnets}"
 5 |   private_subnets    = "${module.vpc.private_subnets}"
 6 |   internal_sg        = "${module.sg.internal_sg_id}"
 7 |   availability_zones = "${module.vpc.availability_zones}"
 8 |   vpc_id             = "${module.vpc.vpc_id}"
 9 |   db_pass            = "superPass34234"
10 |   no_cdn             = false
11 | }
12 | 
13 | module "wp-fastly" {
14 |   source           = "./wp-fastly"
15 |   domain           = "###DOMAIN###"
16 |   domain_zone_id   = "${module.wp.route53_zone_id}"
17 |   api_key          = "${var.fastly_api_key}"
18 |   elb_public_sg_id = "${module.wp.prod-elb_public_sg_id}"
19 | }
20 | 


--------------------------------------------------------------------------------
/examples/basic-with-statuscake.tf:
--------------------------------------------------------------------------------
 1 | module "wp" {
 2 |   source             = "./wp"
 3 |   domain             = "###DOMAIN###"
 4 |   public_subnets     = "${module.vpc.public_subnets}"
 5 |   private_subnets    = "${module.vpc.private_subnets}"
 6 |   internal_sg        = "${module.sg.internal_sg_id}"
 7 |   availability_zones = "${module.vpc.availability_zones}"
 8 |   vpc_id             = "${module.vpc.vpc_id}"
 9 |   db_pass            = "superPass34234"
10 |   no_cdn             = false
11 | }
12 | 
13 | module "wp-statuscake" {
14 |   source   = "./wp-statuscake"
15 |   domain   = "###DOMAIN###"
16 |   username = "${var.statuscake_username}"
17 |   apikey   = "${var.statuscake_apikey}"
18 | }
19 | 


--------------------------------------------------------------------------------
/examples/basic.tf:
--------------------------------------------------------------------------------
 1 | module "wp" {
 2 |   source             = "./wp"
 3 |   domain             = "###DOMAIN###"
 4 |   public_subnets     = "${module.vpc.public_subnets}"
 5 |   private_subnets    = "${module.vpc.private_subnets}"
 6 |   internal_sg        = "${module.sg.internal_sg_id}"
 7 |   availability_zones = "${module.vpc.availability_zones}"
 8 |   vpc_id             = "${module.vpc.vpc_id}"
 9 |   db_pass            = "superPass34234"
10 | }
11 | 


--------------------------------------------------------------------------------
/examples/no-rds.tf:
--------------------------------------------------------------------------------
 1 | module "wp" {
 2 |   source             = "./wp"
 3 |   domain             = "###DOMAIN###"
 4 |   public_subnets     = "${module.vpc.public_subnets}"
 5 |   private_subnets    = "${module.vpc.private_subnets}"
 6 |   internal_sg        = "${module.sg.internal_sg_id}"
 7 |   availability_zones = "${module.vpc.availability_zones}"
 8 |   vpc_id             = "${module.vpc.vpc_id}"
 9 |   db_pass            = "superPass34234"
10 |   no_cdn             = false
11 |   create_test_db     = false
12 |   create_prod_db     = false
13 | }
14 | 
15 | module "wp-fastly" {
16 |   source           = "./wp-fastly"
17 |   domain           = "###DOMAIN###"
18 |   domain_zone_id   = "${module.wp.route53_zone_id}"
19 |   api_key          = "${var.fastly_api_key}"
20 |   elb_public_sg_id = "${module.wp.prod-elb_public_sg_id}"
21 | }
22 | 


--------------------------------------------------------------------------------
/mikado.conf.example:
--------------------------------------------------------------------------------
 1 | ######################
 2 | # Mandatory variables
 3 | ######################
 4 | export AWS_ACCESS_KEY_ID=
 5 | export AWS_SECRET_ACCESS_KEY=
 6 | 
 7 | # your site's domain: example.com
 8 | export domain=wpexample.com
 9 | 
10 | # the aws region you want to deploy http://docs.aws.amazon.com/cli/latest/reference/ec2/describe-regions.html#examples
11 | export TF_VAR_region=us-east-1
12 | 
13 | # Comma separated list of trusted CIDR blocks (the computer's ip you want to use to connect to the servers) for the security goups
14 | export TF_VAR_allowed_cidrs=0.0.0.0/0
15 | 
16 | # Your rsa public key
17 | export rsa_public_key=
18 | 
19 | # more info at https://github.com/dominis/mikado#deploying-your-website
20 | export site_repo=https://github.com/dominis/wordpress.example.com.git
21 | 
22 | # Instance type used for AMI builds
23 | # NB you can choose a big instance for faster
24 | # builds but aws bills the entire hour
25 | # even if your instance only run for a few minutes
26 | export build_instance_type=t2.micro
27 | 
28 | ###########################################
29 | # The following variables are all optional
30 | ###########################################
31 | # https://manage.fastly.com/account
32 | export TF_VAR_fastly_api_key=
33 | 
34 | # https://app.statuscake.com/APIKey.php
35 | export TF_VAR_statuscake_username=
36 | export TF_VAR_statuscake_apikey=
37 | 
38 | # https://app.datadoghq.com/account/settings#integrations/amazon_web_services
39 | export TF_VAR_datadog_external_id=
40 | 
41 | # https://app.datadoghq.com/account/settings#api
42 | export datadog_api_key=
43 | 
44 | # https://ACCOUNT.loggly.com/tokens
45 | export loggly_token=
46 | 
47 | # https://rpm.newrelic.com/accounts/
48 | export newrelic_license_key=
49 | 
50 | # https://YOURACCOUNT.slack.com/apps/A0F7XDUAZ-incoming-webhooks
51 | export slack_webhook_url=
52 | export slack_channel=#mikado-notifications
53 | 


--------------------------------------------------------------------------------
/packer/wp.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "variables": {
 3 |     "aws_access_key": "{{env `AWS_ACCESS_KEY_ID`}}",
 4 |     "aws_secret_access_key": "{{env `AWS_SECRET_ACCESS_KEY`}}",
 5 |     "vpc_id": "{{env `vpc_id`}}",
 6 |     "subnet_id": "{{env `subnet_id`}}",
 7 |     "instance_type": "{{env `build_instance_type`}}",
 8 |     "source_ami": "{{env `source_ami`}}",
 9 |     "region": "{{env `TF_VAR_region`}}",
10 |     "security_group_id": "{{env `security_group_id`}}",
11 |     "domain": "{{env `domain`}}",
12 |     "site_repo": "{{env `site_repo`}}",
13 |     "efs_filesysyem_id": "{{env `efs_filesysyem_id`}}",
14 |     "datadog_api_key": "{{env `datadog_api_key`}}",
15 |     "loggly_token": "{{env `loggly_token`}}",
16 |     "newrelic_license_key": "{{env `newrelic_license_key`}}",
17 |     "slack_webhook_url": "{{env `slack_webhook_url`}}",
18 |     "slack_channel": "{{env `slack_channel`}}",
19 |     "rsa_public_key": "{{env `rsa_public_key`}}",
20 |     "volume_type": "io1",
21 |     "ebs_optimized": "true"
22 |   },
23 |   "builders": [{
24 |     "ami_name": "{{ user `domain` }}-{{isotime \"2006-01-02_-_15-04\"}}",
25 |     "type": "amazon-ebs",
26 |     "access_key": "{{ user `aws_access_key` }}",
27 |     "secret_key": "{{ user `aws_secret_access_key` }}",
28 |     "region": "{{ user `region` }}",
29 |     "source_ami": "{{ user `source_ami` }}",
30 |     "security_group_id": "{{ user `security_group_id` }}",
31 |     "instance_type": "{{ user `instance_type` }}",
32 |     "associate_public_ip_address": true,
33 |     "ami_virtualization_type": "hvm",
34 |     "ssh_username": "ec2-user",
35 |     "vpc_id": "{{ user `vpc_id` }}",
36 |     "subnet_id": "{{ user `subnet_id` }}",
37 |     "tags": {
38 |       "Name": "{{ user `domain` }}-{{isotime \"2006-01-02_-_15-04\"}}",
39 |       "Domain": "{{ user `domain` }}"
40 |     },
41 |     "communicator": "ssh",
42 |     "ssh_pty": true
43 |   }],
44 |   "provisioners": [
45 |     {
46 |       "type": "shell",
47 |       "inline": [
48 |         "sudo yum-config-manager --enable epel",
49 |         "sudo yum update -y",
50 |         "sudo sudo easy_install pip",
51 |         "sudo pip install ansible",
52 |         "sudo sh -c 'echo \"$(curl -s http://169.254.169.254/latest/meta-data/placement/availability-zone).{{ user `efs_filesysyem_id` }}.efs.{{ user `region` }}.amazonaws.com:/    /mnt   nfs4    defaults,noatime\" >> /etc/fstab'"
53 |       ]
54 |     }, {
55 |       "type": "ansible-local",
56 |       "playbook_file": "./ansible/wp.yml",
57 |       "role_paths": [
58 |           "./ansible/roles/common",
59 |           "./ansible/roles/wordpress",
60 |           "./ansible/roles/nginx",
61 |           "./ansible/roles/php-fpm",
62 |           "./ansible/roles/datadog",
63 |           "./ansible/roles/rsyslog",
64 |           "./ansible/roles/newrelic",
65 |           "./ansible/roles/loggly"
66 |       ],
67 |       "extra_arguments": [
68 |         "-v --extra-vars \"domain='{{user `domain`}}' site_repo='{{user `site_repo`}}' rsa_public_key='{{user `rsa_public_key`}}' datadog_api_key='{{user `datadog_api_key`}}' loggly_token='{{user `loggly_token`}}' newrelic_license_key='{{user `newrelic_license_key`}}' slack_webhook_url='{{user `slack_webhook_url`}}' slack_channel='{{user `slack_channel`}}'\""
69 |       ]
70 |     }
71 | ]
72 | }
73 | 


--------------------------------------------------------------------------------
/resources/mikado-infra.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/dominis/mikado/5a2eb23aa9d88bbc5d4343c4e0ab05c40ca045da/resources/mikado-infra.png


--------------------------------------------------------------------------------
/scripts/aws_data.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | set -e
 3 | 
 4 | source ./mikado.conf
 5 | 
 6 | # we need to query aws api for the available azs in the region and feed it to tf
 7 | az_count=$( \
 8 |     aws ec2 describe-availability-zones \
 9 |         --region ${TF_VAR_region} \
10 |         --filter "Name=state,Values=available" | \
11 |     jq .AvailabilityZones[].ZoneName | \
12 |     wc -l
13 | )
14 | 
15 | # Get the ami id for the latest amazon linux in your region
16 | source_ami=$( \
17 |     aws \
18 |         ec2 describe-images \
19 |         --region ${TF_VAR_region} \
20 |         --filters "Name=name,Values=amzn-ami-hvm-2016.09.0.20161028-x86_64-gp2" \
21 |         --query "Images[0].ImageId" | \
22 |     sed 's/\"//g'
23 | )
24 | 
25 | # get the id of the mikado vpc from your local state
26 | vpc_id=$( \
27 |     cat terraform.tfstate | \
28 |     jq \
29 |         '.modules[].resources[] |
30 |         select(.type == "aws_vpc") |
31 |         select(.primary.attributes["tags.Name"] == "mikado") |
32 |         .primary.id' | \
33 |     sed 's/\"//g'
34 | )
35 | 
36 | # get one public subnet id from your local state
37 | subnet_id=$( \
38 |     cat terraform.tfstate | \
39 |     jq \
40 |         '.modules[].outputs |
41 |         select(keys[] == "public_subnets") |
42 |         .public_subnets.value[0]' | \
43 |     head -1 | \
44 |     sed 's/\"//g'
45 | )
46 | 
47 | # get the efs filesystem id from the local state
48 | efs_filesysyem_id=$( \
49 |     cat terraform.tfstate | \
50 |     jq \
51 |         '.modules[].outputs |
52 |         select(keys[] == "efs_filesysyem_id") |
53 |         .efs_filesysyem_id.value' | \
54 |     head -1 | \
55 |     sed 's/\"//g'
56 | )
57 | 
58 | # print out the result in makefile format
59 | echo "export source_ami=${source_ami}"
60 | echo "export vpc_id=${vpc_id}"
61 | echo "export subnet_id=${subnet_id}"
62 | echo "export efs_filesysyem_id=${efs_filesysyem_id}"
63 | echo "export TF_VAR_az_count=${az_count}"
64 | 


--------------------------------------------------------------------------------
/scripts/deploy_ami.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | set -e
 3 | 
 4 | source ./mikado.conf
 5 | 
 6 | if [ -z "$TF_VAR_region" ]; then
 7 |     echo "Please run make deploy-ami instead."
 8 |     exit 1
 9 | fi
10 | 
11 | latest_ami_id=$( \
12 |     aws \
13 |         ec2 describe-images \
14 |         --region ${TF_VAR_region} \
15 |         --owners self \
16 |         --filters \
17 |             "Name=state,Values=available" \
18 |             "Name=tag-key,Values=Domain" \
19 |             "Name=tag-value,Values=${domain}" \
20 |         --query \
21 |             "Images[0].ImageId" | \
22 |     sed 's/\"//g'
23 | )
24 | 
25 | tast_asg_ami_id=$( \
26 |     cat terraform.tfstate | \
27 |     jq \
28 |         '.modules[].resources[] |
29 |         select(.type == "aws_launch_configuration") |
30 |         .primary.attributes.image_id
31 |     '
32 | )
33 | 
34 | if [ "$latest_ami_id" != "$test_asg_ami_id" ] && [ ! -z "$test_asg_ami_id" ]; then
35 |     echo "Please deploy your AMI first to your test instance"
36 |     exit 1
37 | fi
38 | 
39 | utc_date=$(date --utc +%Y-%m-%d_-_%H-%M)
40 | 
41 | res=$(aws \
42 |     ec2 create-tags \
43 |     --region ${TF_VAR_region} \
44 |     --resources ${latest_ami_id} \
45 |     --tags \
46 |         Key=Production,Value=True \
47 |         Key=deployed_at,Value=${utc_date}
48 | )
49 | 


--------------------------------------------------------------------------------
/scripts/install.py:
--------------------------------------------------------------------------------
  1 | #! /usr/bin/env python3
  2 | import locale
  3 | import sys
  4 | import os
  5 | import yaml
  6 | import yamlordereddictloader
  7 | from dialog import Dialog
  8 | import urllib.request
  9 | from subprocess import Popen, PIPE
 10 | 
 11 | 
 12 | locale.setlocale(locale.LC_ALL, '')
 13 | 
 14 | config_file = './mikado.conf'
 15 | 
 16 | d = Dialog(dialog="dialog", autowidgetsize=True)
 17 | d.set_background_title("Mikado")
 18 | 
 19 | with open("./scripts/install.yaml", 'r') as stream:
 20 |     try:
 21 |         yamlconfig = yaml.load(stream, Loader=yamlordereddictloader.Loader)
 22 |     except yaml.YAMLError as exc:
 23 |         print(exc)
 24 | 
 25 | dialogs = yamlconfig.get('dialogs')
 26 | 
 27 | 
 28 | def d_optional():
 29 |     """
 30 |     Component selector
 31 |     """
 32 |     return d.checklist(
 33 |       dialogs.get('optional').get('msg'),
 34 |       choices=[(a, "", False) for a in dialogs.get('optional').get('components')],
 35 |       title=dialogs.get('optional').get('title')
 36 |     )
 37 | 
 38 | 
 39 | def d_inputs(fields):
 40 |     """
 41 |     Input dialog generator
 42 |     """
 43 |     output = dict()
 44 |     for field in fields:
 45 |         output[field] = dict()
 46 |         for fd in dialogs.get(field):
 47 |             def_value = dialogs.get(field).get(fd).get('default', '')
 48 | 
 49 |             # set default CIDR helper
 50 |             if def_value == '@@@cidr@@@':
 51 |                 def_value = "{}/32".format(
 52 |                   urllib.request.urlopen(
 53 |                     'http://ifconfig.io/ip'
 54 |                     ).read().decode('ascii').strip()
 55 |                 )
 56 | 
 57 |             c, output[field][fd] = d.inputbox(
 58 |               dialogs.get(field).get(fd).get('msg'),
 59 |               init=def_value
 60 |             )
 61 |             if c != d.OK:
 62 |                 return False
 63 | 
 64 |     return output
 65 | 
 66 | 
 67 | def d_error(msg):
 68 |     """
 69 |     Error dialog
 70 |     """
 71 |     d.msgbox(dialogs.get('errors').get(msg))
 72 |     sys.exit(1)
 73 | 
 74 | def d_info(dialog):
 75 |     """
 76 |     Info dialog
 77 |     """
 78 |     d.msgbox(dialogs.get(dialog))
 79 | 
 80 | def write_config(config):
 81 |     """
 82 |     config file handler
 83 |     """
 84 |     output = ""
 85 |     c = [c for c in config.values()]
 86 |     for service in c:
 87 |         for k, v in service.items():
 88 |             output += "export {}=\"{}\"\n".format(k, v)
 89 | 
 90 |     with open(config_file, 'w') as out:
 91 |         out.write(output + '\n')
 92 | 
 93 | 
 94 | def execute(cmd):
 95 |     """
 96 |     shell executor
 97 |     """
 98 |     os.environ["CONTINUE"] = "y"
 99 | 
100 |     cmd = cmd.split(' ')
101 |     with Popen(cmd, stdout=PIPE, bufsize=1, universal_newlines=True) as p:
102 |         for line in p.stdout:
103 |             print(line, end='')
104 | 
105 | 
106 | def create_tf(domain, fastly=None, statuscake=None):
107 |     """
108 |     Create the initial terraform config for the domain
109 |     """
110 |     if fastly is None and statuscake is None:
111 |         file = './examples/basic.tf'
112 |     if fastly is None and statuscake:
113 |         file = './examples/basic-with-statuscake.tf'
114 |     if fastly and statuscake is None:
115 |         file = './examples/basic-with-fastly.tf'
116 |     else:
117 |         file = './examples/basic-with-fastly-statuscake.tf'
118 | 
119 |     output = ""
120 |     with open(file, 'r') as stream:
121 |         data = stream.read()
122 |         cnf = data.replace('###DOMAIN###', domain)
123 | 
124 |     with open('terraform/{}.tf'.format(domain), 'w') as out:
125 |         out.write(cnf + '\n')
126 | 
127 | 
128 | def install():
129 |     # Display welcome screen
130 |     d_info('welcome')
131 | 
132 |     c, optional_fileds = d_optional()
133 |     # get required data and validate it
134 |     base_data = d_inputs(['Mikado'])
135 |     if len([a for a in base_data.get('Mikado').values() if not a]):
136 |         return d_error('missing_data')
137 |         pass
138 | 
139 |     optional_data = d_inputs(optional_fileds)
140 | 
141 |     config = base_data.copy()
142 |     config.update(optional_data)
143 | 
144 |     write_config(config)
145 | 
146 |     d_info('tfbase')
147 |     # build base infra
148 |     execute('make apply')
149 | 
150 |     d_info('amibuild')
151 |     execute('make build-ami')
152 |     execute('make deploy-ami')
153 | 
154 |     d_info('tfmikado')
155 |     create_tf(
156 |         domain=config.get('Mikado').get('domain'),
157 |         fastly=len(list(filter(None, config.get('Datadog', {}).values()))),
158 |         statuscake=len(list(filter(None, config.get('Datadog', {}).values())))
159 |     )
160 | 
161 |     execute('make apply')
162 | 
163 |     d_info('success')
164 | 
165 | 
166 | def main():
167 |     install()
168 | 
169 | 
170 | if __name__ == '__main__':
171 |     main()
172 | 


--------------------------------------------------------------------------------
/scripts/install.yaml:
--------------------------------------------------------------------------------
  1 | dialogs:
  2 |   errors:
  3 |     missing_data: |
  4 |       Missing data!
  5 | 
  6 |       All fields all mandatory, please start again.
  7 |   welcome: |
  8 |     Hello,
  9 | 
 10 |     I'm Mikado installer, I'll help you set up your WordPress site on AWS.
 11 |   tfbase: |
 12 |     Now we set up your base infra for Mikado on AWS.
 13 | 
 14 |     - A VPC with public and private subnets in all AZs
 15 |     - A security group with the provided CIDR block
 16 |     - An EFS storage for your WordPress uploads
 17 |     - Enabling cloudtrail + a new s3 bucket for your logs
 18 |     - Optionally Datadog and Loggly read-only IAM roles
 19 |   amibuild: |
 20 |     Now we are going to provision the instance which will be used to serve the website
 21 | 
 22 |     - This will start a temporaly EC2 instance
 23 |     - Apply the roles from the ansible directory
 24 |     - Save the AMI
 25 |   tfmikado: |
 26 |     Now everything is ready so we can start building the resources for your WordPress site
 27 | 
 28 |     Get a coffee... This will take about 15 minutes.
 29 |   success: |
 30 |     If you see this message it means everything is honky-donkey
 31 | 
 32 |   optional:
 33 |     title: Please select the components you want to install
 34 |     msg: All options are optional
 35 |     components:
 36 |       - Fastly
 37 |       - Statuscake
 38 |       - Datadog
 39 |       - Loggly
 40 |       - Newrelic
 41 |       - Slack
 42 |   Mikado:
 43 |     AWS_ACCESS_KEY_ID:
 44 |       msg: |
 45 |         Please enter your AWS access key id
 46 | 
 47 |         More info: https://aws.amazon.com/blogs/security/wheres-my-secret-access-key/
 48 |     AWS_SECRET_ACCESS_KEY:
 49 |       msg: |
 50 |         Please enter your AWS secret access key
 51 | 
 52 |         More info: https://aws.amazon.com/blogs/security/wheres-my-secret-access-key/
 53 |     TF_VAR_region:
 54 |       msg: |
 55 |         Please enter the AWS region you want to deploy your application
 56 | 
 57 |         Available regions: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions
 58 |       default: us-east-1
 59 |     domain:
 60 |       msg: |
 61 |         Plese enter the domain name of the site you want to deploy
 62 |       default: wp-example.com
 63 |     TF_VAR_allowed_cidrs:
 64 |       msg: |
 65 |         Please enter a comma separated list of CIDR blocks you want provide ssh access to your instances
 66 |       default: "@@@cidr@@@"
 67 |     rsa_public_key:
 68 |       msg: |
 69 |         Please enter your rsa pubic key here
 70 |     site_repo:
 71 |       msg: |
 72 |         Please enter the git repo for your site
 73 | 
 74 |         More info: https://github.com/dominis/wmikado#deploying-your-website
 75 |       default: https://github.com/dominis/wordpress.example.com.git
 76 |     build_instance_type:
 77 |       msg: |
 78 |         Instance type you want to use for your Packer builds
 79 | 
 80 |         More info: https://github.com/dominis/mikado/blob/master/env.mk.template#L28-L31
 81 |       default: t2.micro
 82 |   Fastly:
 83 |     TF_VAR_fastly_api_key:
 84 |       msg: |
 85 |         Please enter your Fastly API key
 86 | 
 87 |         You can find it at: https://manage.fastly.com/account
 88 |   Statuscake:
 89 |     TF_VAR_statuscake_username:
 90 |       msg: |
 91 |         Please enter your Statuscake username
 92 |     TF_VAR_statuscake_apikey:
 93 |       msg: |
 94 |         Please enter your Statuscake API key
 95 | 
 96 |         You can find it at: https://app.statuscake.com/APIKey.php
 97 |   Datadog:
 98 |     datadog_api_key:
 99 |       msg: |
100 |         Please enter your Datadog API key
101 | 
102 |         You can find it at: https://app.datadoghq.com/account/settings#api
103 |     TF_VAR_datadog_external_id:
104 |       msg: |
105 |         Please enter your Datadog AWS external id
106 | 
107 |         You can find it at: # https://app.datadoghq.com/account/settings#integrations/amazon_web_services
108 |   Loggly:
109 |     loggly_token:
110 |       msg: |
111 |         Please enter your Loggly token
112 | 
113 |         You can find it at: https://ACCOUNT.loggly.com/tokens
114 |   Newrelic:
115 |     newrelic_license_key:
116 |       msg: |
117 |         Please enter your Newrelic license key
118 | 
119 |         You can find it at: https://rpm.newrelic.com/accounts/
120 |   Slack:
121 |     slack_webhook_url:
122 |       msg: |
123 |         Please enter your Slack webhook url
124 | 
125 |         You can find it at: https://YOURACCOUNT.slack.com/apps/A0F7XDUAZ-incoming-webhooks
126 |     slack_channel:
127 |       msg: |
128 |         Please enter the Slack channel you want to post noficiations
129 | 
130 |         eg: #mikado-rulez
131 | 
132 | 
133 | 
134 | 


--------------------------------------------------------------------------------
/scripts/mikado-boom:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | set -e
3 | 
4 | git clone https://github.com/dominis/mikado
5 | cd mikado
6 | vagrant up
7 | vagrant ssh -c 'cd mikado; ./scripts/install.py'
8 | 


--------------------------------------------------------------------------------
/scripts/yamlordereddictloader.py:
--------------------------------------------------------------------------------
 1 | # -*- coding: utf-8 -*-
 2 | """A YAML loader that loads mappings into ordered dictionaries.
 3 | (http://stackoverflow.com/questions/5121931/in-python-how-can-you-load-yaml-mappings-as-ordereddicts)
 4 | """
 5 | 
 6 | import yaml
 7 | import sys
 8 | if float('%d.%d' % sys.version_info[:2]) < 2.7:
 9 |     from ordereddict import OrderedDict
10 | else:
11 |     from collections import OrderedDict
12 | 
13 | 
14 | class Loader(yaml.Loader):
15 |     def __init__(self, *args, **kwargs):
16 |         yaml.Loader.__init__(self, *args, **kwargs)
17 |         self.add_constructor(
18 |             'tag:yaml.org,2002:map', type(self).construct_yaml_map)
19 |         self.add_constructor(
20 |             'tag:yaml.org,2002:omap', type(self).construct_yaml_map)
21 | 
22 |     def construct_yaml_map(self, node):
23 |         data = OrderedDict()
24 |         yield data
25 |         value = self.construct_mapping(node)
26 |         data.update(value)
27 | 
28 |     def construct_mapping(self, node, deep=False):
29 |         if isinstance(node, yaml.MappingNode):
30 |             self.flatten_mapping(node)
31 |         else:
32 |             raise yaml.constructor.ConstructError(
33 |                 None,
34 |                 None,
35 |                 'expected a mapping node, but found %s' % node.id,
36 |                 node.start_mark
37 |             )
38 | 
39 |         mapping = OrderedDict()
40 |         for key_node, value_node in node.value:
41 |             key = self.construct_object(key_node, deep=deep)
42 |             try:
43 |                 hash(key)
44 |             except TypeError as err:
45 |                 raise yaml.constructor.ConstructError(
46 |                     'while constructing a mapping', node.start_mark,
47 |                     'found unacceptable key (%s)' % err, key_node.start_mark)
48 |             value = self.construct_object(value_node, deep=deep)
49 |             mapping[key] = value
50 |         return mapping
51 | 


--------------------------------------------------------------------------------
/terraform/asg/asg.tf:
--------------------------------------------------------------------------------
  1 | resource "aws_launch_configuration" "launch_config" {
  2 |   name_prefix = "${replace(var.name, ".", "-")}-"
  3 | 
  4 |   image_id             = "${var.ami_id}"
  5 |   instance_type        = "${var.instance_type}"
  6 |   security_groups      = ["${aws_security_group.asg-internal-http.id}", "${var.internal_sg}"]
  7 |   iam_instance_profile = "${aws_iam_instance_profile.instance.name}"
  8 |   user_data            = "${var.user_data}"
  9 | 
 10 |   lifecycle {
 11 |     create_before_destroy = true
 12 |   }
 13 | }
 14 | 
 15 | resource "aws_cloudformation_stack" "autoscaling_group" {
 16 |   name       = "${replace(var.name, ".", "-")}"
 17 |   depends_on = ["aws_launch_configuration.launch_config"]
 18 | 
 19 |   template_body = <<EOF
 20 | {
 21 |   "Resources": {
 22 |     "Asg": {
 23 |       "Type": "AWS::AutoScaling::AutoScalingGroup",
 24 |       "Properties": {
 25 |         "AvailabilityZones": [
 26 |           "${element(var.availability_zones,0)}",
 27 |           "${element(var.availability_zones,1)}",
 28 |           "${element(var.availability_zones,2)}"
 29 |         ],
 30 |         "VPCZoneIdentifier": [
 31 |           "${element(var.private_subnets,0)}",
 32 |           "${element(var.private_subnets,1)}",
 33 |           "${element(var.private_subnets,2)}"
 34 |         ],
 35 |         "LaunchConfigurationName": "${aws_launch_configuration.launch_config.name}",
 36 |         "MaxSize": "${var.maximum_number_of_instances}",
 37 |         "MinSize": "${var.minimum_number_of_instances}",
 38 |         "DesiredCapacity": "${var.number_of_instances}",
 39 |         "LoadBalancerNames": ["${aws_elb.asg-elb.name}"],
 40 |         "TerminationPolicies": ["OldestLaunchConfiguration", "OldestInstance"],
 41 |         "HealthCheckType": "ELB",
 42 |         "HealthCheckGracePeriod": 180,
 43 |         "Tags": [{
 44 |           "Key": "Name",
 45 |           "Value": "${replace(var.name, ".", "-")}",
 46 |           "PropagateAtLaunch" : "true"
 47 |         }, {
 48 |           "Key": "Env",
 49 |           "Value": "${var.env}",
 50 |           "PropagateAtLaunch": "true"
 51 |         }, {
 52 |           "Key": "Terrform",
 53 |           "Value": "True",
 54 |           "PropagateAtLaunch": "true"
 55 |         }]
 56 |       },
 57 |       "UpdatePolicy": {
 58 |         "AutoScalingRollingUpdate": {
 59 |           "MinInstancesInService": "${var.minimum_number_of_instances}",
 60 |           "MaxBatchSize": "${var.rolling_update_batch_size}",
 61 |           "PauseTime": "PT5M"
 62 |         }
 63 |       }
 64 |     }
 65 |   },
 66 |   "Outputs": {
 67 |     "AsgName": {
 68 |       "Description": "The name of the auto scaling group",
 69 |        "Value": {"Ref": "Asg"}
 70 |     }
 71 |   }
 72 | }
 73 | EOF
 74 | 
 75 |   tags {
 76 |     Mikado = "True"
 77 |   }
 78 | }
 79 | 
 80 | ###############################################
 81 | # Scaling up
 82 | ###############################################
 83 | resource "aws_autoscaling_policy" "policy-up" {
 84 |   name                   = "${replace(var.name, ".", "-")}-scaleup"
 85 |   scaling_adjustment     = 1
 86 |   adjustment_type        = "ChangeInCapacity"
 87 |   cooldown               = 300
 88 |   autoscaling_group_name = "${aws_cloudformation_stack.autoscaling_group.outputs["AsgName"]}"
 89 | }
 90 | 
 91 | ###############################################
 92 | # Scaling down
 93 | ###############################################
 94 | resource "aws_autoscaling_policy" "policy-down" {
 95 |   name                   = "${replace(var.name, ".", "-")}-scaledown"
 96 |   scaling_adjustment     = -1
 97 |   adjustment_type        = "ChangeInCapacity"
 98 |   cooldown               = 300
 99 |   autoscaling_group_name = "${aws_cloudformation_stack.autoscaling_group.outputs["AsgName"]}"
100 | }
101 | 


--------------------------------------------------------------------------------
/terraform/asg/elb.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_elb" "asg-elb" {
 2 |   name    = "${replace(var.name, ".", "-")}"
 3 |   subnets = ["${var.public_subnets}"]
 4 | 
 5 |   listener {
 6 |     instance_port     = "${var.elb_instance_port}"
 7 |     instance_protocol = "http"
 8 |     lb_port           = 80
 9 |     lb_protocol       = "http"
10 |   }
11 | 
12 |   cross_zone_load_balancing   = true
13 |   idle_timeout                = 60
14 |   connection_draining         = true
15 |   connection_draining_timeout = 60
16 | 
17 |   security_groups = [
18 |     "${aws_security_group.asg-public-http.id}",
19 |     "${aws_security_group.asg-internal-http.id}",
20 |     "${var.internal_sg}",
21 |   ]
22 | 
23 |   # SSH to the internal sg
24 |   listener {
25 |     instance_port     = 22
26 |     instance_protocol = "tcp"
27 |     lb_port           = 22
28 |     lb_protocol       = "tcp"
29 |   }
30 | 
31 |   health_check {
32 |     healthy_threshold   = 2
33 |     unhealthy_threshold = 2
34 |     timeout             = 5
35 |     target              = "${var.health_check}"
36 |     interval            = 15
37 |   }
38 | 
39 |   tags {
40 |     Name   = "${replace(var.name, ".", "-")}"
41 |     Mikado = "True"
42 |   }
43 | }
44 | 


--------------------------------------------------------------------------------
/terraform/asg/iam.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_iam_instance_profile" "instance" {
 2 |   name  = "${replace(var.name, ".", "-")}-instance"
 3 |   roles = ["${aws_iam_role.ec2.id}"]
 4 | }
 5 | 
 6 | resource "aws_iam_role" "ec2" {
 7 |   name = "${replace(var.name, ".", "-")}-ec2"
 8 | 
 9 |   assume_role_policy = <<EOF
10 | {
11 |   "Version": "2012-10-17",
12 |   "Statement": [
13 |     {
14 |       "Action": "sts:AssumeRole",
15 |       "Principal": {
16 |         "Service": "ec2.amazonaws.com"
17 |       },
18 |       "Effect": "Allow",
19 |       "Sid": ""
20 |     }
21 |   ]
22 | }
23 | EOF
24 | }
25 | 
26 | resource "aws_iam_role_policy" "ec2-describe-tags" {
27 |   name = "${replace(var.name, ".", "-")}-ec2-describe-tags"
28 |   role = "${aws_iam_role.ec2.id}"
29 | 
30 |   policy = <<EOF
31 | {
32 |   "Version": "2012-10-17",
33 |   "Statement": [
34 |     {
35 |       "Action": [
36 |         "ec2:DescribeTags*"
37 |       ],
38 |       "Effect": "Allow",
39 |       "Resource": "*"
40 |     }
41 |   ]
42 | }
43 | EOF
44 | }
45 | 


--------------------------------------------------------------------------------
/terraform/asg/output.tf:
--------------------------------------------------------------------------------
 1 | output "elb_dns_name" {
 2 |   value = "${aws_elb.asg-elb.dns_name}"
 3 | }
 4 | 
 5 | output "elb_zone_id" {
 6 |   value = "${aws_elb.asg-elb.zone_id}"
 7 | }
 8 | 
 9 | output "asg_name" {
10 |   value = "${aws_cloudformation_stack.autoscaling_group.outputs.AsgName}"
11 | }
12 | 
13 | output "scaling_policy_down" {
14 |   value = "${aws_autoscaling_policy.policy-down.arn}"
15 | }
16 | 
17 | output "scaling_policy_up" {
18 |   value = "${aws_autoscaling_policy.policy-up.arn}"
19 | }
20 | 
21 | output "elb_public_sg_id" {
22 |   value = "${aws_security_group.asg-public-http.id}"
23 | }
24 | 


--------------------------------------------------------------------------------
/terraform/asg/sg.tf:
--------------------------------------------------------------------------------
 1 | # Security groups for the ELB
 2 | 
 3 | # Public facing rules
 4 | resource "aws_security_group" "asg-public-http" {
 5 |   name = "${replace(var.name, ".", "-")}-public-http"
 6 | 
 7 |   vpc_id = "${var.vpc_id}"
 8 | 
 9 |   tags {
10 |     Name   = "${replace(var.name, ".", "-")}-public-http"
11 |     Mikado = "True"
12 |   }
13 | }
14 | 
15 | resource "aws_security_group_rule" "public-80-in" {
16 |   type        = "ingress"
17 |   from_port   = 80
18 |   to_port     = 80
19 |   protocol    = "tcp"
20 |   cidr_blocks = ["0.0.0.0/0"]
21 | 
22 |   security_group_id = "${aws_security_group.asg-public-http.id}"
23 |   count             = "${var.elb_publicly_available}"
24 | }
25 | 
26 | resource "aws_security_group_rule" "public-443-in" {
27 |   type        = "ingress"
28 |   from_port   = 443
29 |   to_port     = 443
30 |   protocol    = "tcp"
31 |   cidr_blocks = ["0.0.0.0/0"]
32 | 
33 |   security_group_id = "${aws_security_group.asg-public-http.id}"
34 |   count             = "${var.elb_publicly_available}"
35 | }
36 | 
37 | resource "aws_security_group_rule" "public-all-out" {
38 |   type        = "egress"
39 |   from_port   = 0
40 |   to_port     = 0
41 |   protocol    = "tcp"
42 |   cidr_blocks = ["0.0.0.0/0"]
43 | 
44 |   security_group_id = "${aws_security_group.asg-public-http.id}"
45 |   count             = "${var.elb_publicly_available}"
46 | }
47 | 
48 | # This SG is for the communication between the ELB and the app nodes
49 | resource "aws_security_group" "asg-internal-http" {
50 |   name = "${replace(var.name, ".", "-")}-internal-http"
51 | 
52 |   ingress {
53 |     from_port = "${var.elb_instance_port}"
54 |     to_port   = "${var.elb_instance_port}"
55 |     protocol  = "tcp"
56 |     self      = true
57 |   }
58 | 
59 |   egress {
60 |     from_port = 0
61 |     to_port   = 0
62 |     protocol  = "-1"
63 |     self      = true
64 |   }
65 | 
66 |   vpc_id = "${var.vpc_id}"
67 | 
68 |   tags {
69 |     Name   = "${replace(var.name, ".", "-")}-internal-http"
70 |     Mikado = "True"
71 |   }
72 | }
73 | 


--------------------------------------------------------------------------------
/terraform/asg/variables.tf:
--------------------------------------------------------------------------------
 1 | variable "name" {
 2 |   type = "string"
 3 | }
 4 | 
 5 | variable "vpc_id" {
 6 |   type = "string"
 7 | }
 8 | 
 9 | variable "availability_zones" {
10 |   type = "list"
11 | }
12 | 
13 | variable "public_subnets" {
14 |   type = "list"
15 | }
16 | 
17 | variable "private_subnets" {
18 |   type = "list"
19 | }
20 | 
21 | variable "ami_id" {
22 |   type = "string"
23 | }
24 | 
25 | variable "instance_type" {
26 |   default = "t2.micro"
27 | }
28 | 
29 | variable "maximum_number_of_instances" {
30 |   type    = "string"
31 |   default = 3
32 | }
33 | 
34 | variable "minimum_number_of_instances" {
35 |   type    = "string"
36 |   default = 1
37 | }
38 | 
39 | variable "number_of_instances" {
40 |   type    = "string"
41 |   default = 2
42 | }
43 | 
44 | variable "rolling_update_batch_size" {
45 |   type    = "string"
46 |   default = 1
47 | }
48 | 
49 | variable "elb_instance_port" {
50 |   type    = "string"
51 |   default = 80
52 | }
53 | 
54 | variable "internal_sg" {
55 |   type = "string"
56 | }
57 | 
58 | variable "user_data" {
59 |   type    = "string"
60 |   default = ""
61 | }
62 | 
63 | variable "env" {
64 |   type    = "string"
65 |   default = "prod"
66 | }
67 | 
68 | variable "health_check" {
69 |   type    = "string"
70 |   default = "HTTP:80/"
71 | }
72 | 
73 | # this variable acn be used for limit access only from the CDN range
74 | variable "elb_publicly_available" {
75 |   type        = "string"
76 |   description = "true/false if the elb should be exposed to the world"
77 |   default     = true
78 | }
79 | 


--------------------------------------------------------------------------------
/terraform/asg/watches.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_cloudwatch_metric_alarm" "metric_alarm-up-60" {
 2 |   alarm_name          = "${replace(var.name, ".", "-")}-cpu-watch-scaleup-60"
 3 |   comparison_operator = "GreaterThanOrEqualToThreshold"
 4 |   evaluation_periods  = "5"
 5 |   metric_name         = "CPUUtilization"
 6 |   namespace           = "AWS/EC2"
 7 |   period              = "60"
 8 |   statistic           = "Average"
 9 |   threshold           = "60"
10 | 
11 |   dimensions {
12 |     AutoScalingGroupName = "${aws_cloudformation_stack.autoscaling_group.outputs["AsgName"]}"
13 |   }
14 | 
15 |   alarm_description = "node cpu utilization scale up"
16 |   alarm_actions     = ["${aws_autoscaling_policy.policy-up.arn}"]
17 | }
18 | 
19 | resource "aws_cloudwatch_metric_alarm" "metric_alarm-up-85" {
20 |   alarm_name          = "${replace(var.name, ".", "-")}-cpu-watch-scaleup-85"
21 |   comparison_operator = "GreaterThanOrEqualToThreshold"
22 |   evaluation_periods  = "2"
23 |   metric_name         = "CPUUtilization"
24 |   namespace           = "AWS/EC2"
25 |   period              = "60"
26 |   statistic           = "Average"
27 |   threshold           = "85"
28 | 
29 |   dimensions {
30 |     AutoScalingGroupName = "${aws_cloudformation_stack.autoscaling_group.outputs["AsgName"]}"
31 |   }
32 | 
33 |   alarm_description = "node cpu utilization scale up"
34 |   alarm_actions     = ["${aws_autoscaling_policy.policy-up.arn}"]
35 | }
36 | 
37 | resource "aws_cloudwatch_metric_alarm" "metric_alarm-cpucredit-up" {
38 |   count               = "${replace(replace(var.instance_type, "/^[^t].*/", "0"), "/^t.*$/", "1")}"
39 |   alarm_name          = "${replace(var.name, ".", "-")}-cpucredit-up"
40 |   comparison_operator = "LessThanOrEqualToThreshold"
41 |   evaluation_periods  = "1"
42 |   metric_name         = "CPUCreditBalance"
43 |   namespace           = "AWS/EC2"
44 |   period              = "300"
45 |   statistic           = "Average"
46 |   threshold           = "29"
47 | 
48 |   dimensions {
49 |     AutoScalingGroupName = "${aws_cloudformation_stack.autoscaling_group.outputs["AsgName"]}"
50 |   }
51 | 
52 |   alarm_description = "node cpucredit scale up"
53 |   alarm_actions     = ["${aws_autoscaling_policy.policy-up.arn}"]
54 | }
55 | 
56 | resource "aws_cloudwatch_metric_alarm" "metric_alarm-down" {
57 |   alarm_name          = "${replace(var.name, ".", "-")}-cpu-watch-scaledown"
58 |   comparison_operator = "GreaterThanOrEqualToThreshold"
59 |   evaluation_periods  = "30"
60 |   metric_name         = "CPUUtilization"
61 |   namespace           = "AWS/EC2"
62 |   period              = "60"
63 |   statistic           = "Average"
64 |   threshold           = "30"
65 | 
66 |   dimensions {
67 |     AutoScalingGroupName = "${aws_cloudformation_stack.autoscaling_group.outputs["AsgName"]}"
68 |   }
69 | 
70 |   alarm_description = "node cpu utilization scale down"
71 |   ok_actions        = ["${aws_autoscaling_policy.policy-down.arn}"]
72 | }
73 | 


--------------------------------------------------------------------------------
/terraform/base.tf:
--------------------------------------------------------------------------------
 1 | ########################
 2 | # Base AWS infra
 3 | ########################
 4 | provider "aws" {
 5 |   region = "${var.region}"
 6 | }
 7 | 
 8 | # First we create a vpc
 9 | module "vpc" {
10 |   source   = "./vpc"
11 |   az_count = "${var.az_count}"
12 | }
13 | 
14 | # Internal SG
15 | module "sg" {
16 |   source = "./sg"
17 | 
18 |   external_cidr_blocks = "${split(",", var.allowed_cidrs)}"
19 | 
20 |   vpc_id = "${module.vpc.vpc_id}"
21 | }
22 | 
23 | # Create the EFS storage
24 | module "efs" {
25 |   source      = "./efs"
26 |   subnets     = "${module.vpc.private_subnets}"
27 |   internal_sg = "${module.sg.internal_sg_id}"
28 |   az_count    = "${var.az_count}"
29 | }
30 | 
31 | # Setup clodtrail logging
32 | module "cloudtrail" {
33 |   source = "./cloudtrail"
34 | }
35 | 


--------------------------------------------------------------------------------
/terraform/base_3rdparty.tf:
--------------------------------------------------------------------------------
 1 | ################################
 2 | # Optional third party services
 3 | ################################
 4 | # Datadog readonly IAM permissions
 5 | module "datadog" {
 6 |   source      = "./datadog"
 7 |   external_id = "${var.datadog_external_id}"
 8 | }
 9 | 
10 | # Loggly readonly user
11 | module "loggly" {
12 |   source = "./loggly"
13 | }
14 | 


--------------------------------------------------------------------------------
/terraform/cloudtrail/cloudtrail.tf:
--------------------------------------------------------------------------------
 1 | # Set up cloudtrail log delivery to a s3 bucket
 2 | 
 3 | # we need the account id for a unique s3 bucket name
 4 | data "aws_caller_identity" "current" {}
 5 | 
 6 | resource "aws_cloudtrail" "trail" {
 7 |   name                          = "cloudtrail"
 8 |   s3_bucket_name                = "${aws_s3_bucket.cloudtrail.id}"
 9 |   include_global_service_events = true
10 | 
11 |   tags {
12 |     Mikado = "True"
13 |   }
14 | }
15 | 
16 | resource "aws_s3_bucket" "cloudtrail" {
17 |   bucket        = "cloudtrail.${data.aws_caller_identity.current.account_id}"
18 |   force_destroy = true
19 | 
20 |   policy = <<POLICY
21 | {
22 |     "Version": "2012-10-17",
23 |     "Statement": [
24 |         {
25 |             "Sid": "AWSCloudTrailAclCheck",
26 |             "Effect": "Allow",
27 |             "Principal": {
28 |               "Service": "cloudtrail.amazonaws.com"
29 |             },
30 |             "Action": "s3:GetBucketAcl",
31 |             "Resource": "arn:aws:s3:::cloudtrail.${data.aws_caller_identity.current.account_id}"
32 |         },
33 |         {
34 |             "Sid": "AWSCloudTrailWrite",
35 |             "Effect": "Allow",
36 |             "Principal": {
37 |               "Service": "cloudtrail.amazonaws.com"
38 |             },
39 |             "Action": "s3:PutObject",
40 |             "Resource": "arn:aws:s3:::cloudtrail.${data.aws_caller_identity.current.account_id}/*",
41 |             "Condition": {
42 |                 "StringEquals": {
43 |                     "s3:x-amz-acl": "bucket-owner-full-control"
44 |                 }
45 |             }
46 |         }
47 |     ]
48 | }
49 | POLICY
50 | 
51 |   tags {
52 |     Mikado = "True"
53 |   }
54 | }
55 | 


--------------------------------------------------------------------------------
/terraform/datadog/datadog.tf:
--------------------------------------------------------------------------------
 1 | # DataDog read only IAM permissions
 2 | 
 3 | data "aws_caller_identity" "current" {}
 4 | 
 5 | variable "external_id" {
 6 |   type        = "string"
 7 |   description = "DD external id"
 8 | }
 9 | 
10 | resource "aws_iam_policy" "datadog_readonly" {
11 |   name = "DataDog_ReadOnly-${data.aws_caller_identity.current.account_id}"
12 | 
13 |   policy = <<EOF
14 | {
15 |   "Version": "2012-10-17",
16 |   "Statement": [
17 |     {
18 |       "Action": [
19 |         "autoscaling:Describe*",
20 |         "cloudtrail:DescribeTrails",
21 |         "cloudtrail:GetTrailStatus",
22 |         "cloudwatch:Describe*",
23 |         "cloudwatch:Get*",
24 |         "cloudwatch:List*",
25 |         "ec2:Describe*",
26 |         "ec2:Get*",
27 |         "ecs:Describe*",
28 |         "ecs:List*",
29 |         "elasticache:Describe*",
30 |         "elasticache:List*",
31 |         "elasticloadbalancing:Describe*",
32 |         "iam:Get*",
33 |         "iam:List*",
34 |         "kinesis:Get*",
35 |         "kinesis:List*",
36 |         "kinesis:Describe*",
37 |         "rds:Describe*",
38 |         "rds:List*",
39 |         "ses:Get*",
40 |         "ses:List*",
41 |         "sns:List*",
42 |         "sns:Publish",
43 |         "sqs:GetQueueAttributes",
44 |         "sqs:ListQueues",
45 |         "sqs:ReceiveMessage"
46 |       ],
47 |       "Effect": "Allow",
48 |       "Resource": "*"
49 |     }
50 |   ]
51 | }
52 | EOF
53 | }
54 | 
55 | resource "aws_iam_role" "datadog_assumerole" {
56 |   name = "DataDog_ReadOnly-${data.aws_caller_identity.current.account_id}"
57 | 
58 |   assume_role_policy = <<EOF
59 | {
60 |   "Version": "2012-10-17",
61 |   "Statement": [
62 |     {
63 |       "Effect": "Allow",
64 |       "Principal": {
65 |         "AWS": "arn:aws:iam::464622532012:root"
66 |       },
67 |       "Action": "sts:AssumeRole",
68 |       "Condition": {
69 |         "StringEquals": {
70 |           "sts:ExternalId": "${var.external_id}"
71 |         }
72 |       }
73 |     }
74 |   ]
75 | }
76 | EOF
77 | }
78 | 
79 | resource "aws_iam_policy_attachment" "datadog" {
80 |   name       = "DataDog-${data.aws_caller_identity.current.account_id}"
81 |   roles      = ["${aws_iam_role.datadog_assumerole.name}"]
82 |   policy_arn = "${aws_iam_policy.datadog_readonly.arn}"
83 | }
84 | 


--------------------------------------------------------------------------------
/terraform/efs/efs.tf:
--------------------------------------------------------------------------------
 1 | variable "subnets" {
 2 |   type        = "list"
 3 |   description = "list of subnet ids you want to create a mount target to your EFS storage"
 4 | }
 5 | 
 6 | variable "internal_sg" {
 7 |   type        = "string"
 8 |   description = "id of your internal sg"
 9 | }
10 | 
11 | variable "az_count" {
12 |   type        = "string"
13 |   description = "FIXME https://github.com/hashicorp/terraform/issues/3888"
14 | }
15 | 
16 | resource "aws_efs_file_system" "storage" {
17 |   creation_token = "wp-storage"
18 | 
19 |   tags {
20 |     Name   = "wp-storage"
21 |     Mikado = "True"
22 |   }
23 | }
24 | 
25 | resource "aws_efs_mount_target" "storage" {
26 |   file_system_id  = "${aws_efs_file_system.storage.id}"
27 |   subnet_id       = "${element(var.subnets, count.index)}"
28 |   security_groups = ["${var.internal_sg}"]
29 |   count           = "${var.az_count}"
30 | }
31 | 
32 | output "efs_filesysyem_id" {
33 |   value = "${aws_efs_file_system.storage.id}"
34 | }
35 | 


--------------------------------------------------------------------------------
/terraform/loggly/loggly.tf:
--------------------------------------------------------------------------------
 1 | # Loggly IAM readonly user
 2 | 
 3 | # we need the account id for a unique s3 bucket name
 4 | data "aws_caller_identity" "current" {}
 5 | 
 6 | resource "aws_iam_user" "loggly" {
 7 |   name = "loggly-${data.aws_caller_identity.current.account_id}"
 8 | }
 9 | 
10 | resource "aws_iam_access_key" "loggly" {
11 |   user = "${aws_iam_user.loggly.name}"
12 | }
13 | 
14 | resource "aws_iam_user_policy" "loggly" {
15 |   name = "loggly-${data.aws_caller_identity.current.account_id}"
16 |   user = "${aws_iam_user.loggly.name}"
17 | 
18 |   policy = <<EOF
19 | {
20 |   "Version" : "2012-10-17",
21 |   "Statement" : [
22 |     {
23 |       "Effect" : "Allow",
24 |       "Action" : [
25 |         "s3:GetObject"
26 |       ],
27 |       "Resource" : [
28 |         "arn:aws:s3:::cloudtrail.${data.aws_caller_identity.current.account_id}/*",
29 |         "arn:aws:s3:::cloudtrail.${data.aws_caller_identity.current.account_id}"
30 |       ]
31 |     },
32 |     {
33 |         "Effect": "Allow",
34 |         "Action": "s3:List*",
35 |         "Resource": "*"
36 |     }
37 |   ]
38 | }
39 | EOF
40 | }
41 | 
42 | output "loggly-iam_access_key_id" {
43 |   value = "${aws_iam_access_key.loggly.id}"
44 | }
45 | 
46 | output "loggly-iam_secret_access_key" {
47 |   value = "${aws_iam_access_key.loggly.secret}"
48 | }
49 | 


--------------------------------------------------------------------------------
/terraform/sg/sg.tf:
--------------------------------------------------------------------------------
 1 | # This is a global internal SG
 2 | 
 3 | variable "external_cidr_blocks" {
 4 |   type        = "list"
 5 |   description = "list of external CIDR blocks you want to allow"
 6 |   default     = []
 7 | }
 8 | 
 9 | variable "vpc_id" {
10 |   type        = "string"
11 |   description = "ud of the target vpc"
12 | }
13 | 
14 | resource "aws_security_group" "internal" {
15 |   name = "internal-sg"
16 | 
17 |   # Allow incomming from the same SG
18 |   ingress {
19 |     from_port = 0
20 |     to_port   = 0
21 |     protocol  = -1
22 |     self      = true
23 |   }
24 | 
25 |   # These are our ips
26 |   ingress {
27 |     from_port = 0
28 |     to_port   = 0
29 |     protocol  = "-1"
30 | 
31 |     cidr_blocks = "${var.external_cidr_blocks}"
32 |   }
33 | 
34 |   # can see the internet
35 |   egress {
36 |     from_port   = 0
37 |     to_port     = 0
38 |     protocol    = "-1"
39 |     cidr_blocks = ["0.0.0.0/0"]
40 |   }
41 | 
42 |   vpc_id = "${var.vpc_id}"
43 | 
44 |   tags {
45 |     Name   = "internal-sg"
46 |     Mikado = "True"
47 |   }
48 | }
49 | 
50 | output "internal_sg_id" {
51 |   value = "${aws_security_group.internal.id}"
52 | }
53 | 


--------------------------------------------------------------------------------
/terraform/variables.tf:
--------------------------------------------------------------------------------
 1 | variable "region" {
 2 |   type        = "string"
 3 |   description = "the region you want to deploy your app"
 4 |   default     = "us-east-1"
 5 | }
 6 | 
 7 | variable "az_count" {
 8 |   type        = "string"
 9 |   description = "Oh terraform... https://github.com/hashicorp/terraform/issues/3888"
10 |   default     = "2"
11 | }
12 | 
13 | variable "allowed_cidrs" {
14 |   type        = "string"
15 |   description = "comma separated list of the allowed CDIR blocks"
16 | }
17 | 
18 | variable "fastly_api_key" {
19 |   type        = "string"
20 |   description = "your fastly api key"
21 |   default     = ""
22 | }
23 | 
24 | variable "datadog_external_id" {
25 |   type        = "string"
26 |   description = "datadog external id"
27 |   default     = ""
28 | }
29 | 
30 | variable "statuscake_username" {
31 |   type    = "string"
32 |   default = ""
33 | }
34 | 
35 | variable "statuscake_apikey" {
36 |   type    = "string"
37 |   default = ""
38 | }
39 | 


--------------------------------------------------------------------------------
/terraform/vpc/tf_aws_vpc/.gitignore:
--------------------------------------------------------------------------------
 1 | # used for testing
 2 | terraform.tfvars
 3 | 
 4 | ### https://raw.github.com/github/gitignore/abad92dac5a4306f72242dae3bca6e277bce3615/Terraform.gitignore
 5 | 
 6 | # Compiled files
 7 | *.tfstate
 8 | *.tfstate.backup
 9 | 
10 | # Module directory
11 | .terraform/
12 | 
13 | 
14 | ### https://raw.github.com/github/gitignore/abad92dac5a4306f72242dae3bca6e277bce3615/Global/Vim.gitignore
15 | 
16 | # swap
17 | [._]*.s[a-w][a-z]
18 | [._]s[a-w][a-z]
19 | # session
20 | Session.vim
21 | # temporary
22 | .netrwhist
23 | *~
24 | # auto-generated tag files
25 | tags
26 | 
27 | 
28 | 


--------------------------------------------------------------------------------
/terraform/vpc/tf_aws_vpc/LICENSE:
--------------------------------------------------------------------------------
 1 | Licensed under the Apache License, Version 2.0 (the "License");
 2 | you may not use this file except in compliance with the License.
 3 | You may obtain a copy of the License at
 4 | 
 5 |     http://www.apache.org/licenses/LICENSE-2.0
 6 | 
 7 | Unless required by applicable law or agreed to in writing, software
 8 | distributed under the License is distributed on an "AS IS" BASIS,
 9 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
10 | See the License for the specific language governing permissions and
11 | limitations under the License.
12 | 


--------------------------------------------------------------------------------
/terraform/vpc/tf_aws_vpc/README.md:
--------------------------------------------------------------------------------
 1 | vpc terraform module
 2 | ===========
 3 | 
 4 | A terraform module to provide a VPC in AWS.
 5 | 
 6 | 
 7 | Module Input Variables
 8 | ----------------------
 9 | 
10 | - `name` - vpc name
11 | - `cidr` - vpc cidr
12 | - `public_subnets` - list of public subnet cidrs
13 | - `private_subnets` - list of private subnet cidrs
14 | - `azs` - list of AZs in which to distribute subnets
15 | - `enable_dns_hostnames` - should be true if you want to use private DNS within the VPC
16 | - `enable_dns_support` - should be true if you want to use private DNS within the VPC
17 | - `enable_nat_gateway` - should be true if you want to provision NAT Gateways for each of your private networks
18 | - `map_public_ip_on_launch` - should be false if you do not want to auto-assign public IP on launch
19 | - `private_propagating_vgws` - list of VGWs the private route table should propagate
20 | - `public_propagating_vgws` - list of VGWs the public route table should propagate
21 | 
22 | It's generally preferable to keep `public_subnets`, `private_subnets`, and
23 | `azs` to lists of the same length.
24 | 
25 | This module optionally creates NAT Gateways in each public subnet and sets them
26 | as the default gateways for the corresponding private subnets.
27 | 
28 | Usage
29 | -----
30 | 
31 | ```hcl
32 | module "vpc" {
33 |   source = "github.com/terraform-community-modules/tf_aws_vpc"
34 | 
35 |   name = "my-vpc"
36 | 
37 |   cidr = "10.0.0.0/16"
38 |   private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
39 |   public_subnets  = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
40 | 
41 |   enable_nat_gateway = "true"
42 | 
43 |   azs      = ["us-west-2a", "us-west-2b", "us-west-2c"]
44 | }
45 | ```
46 | 
47 | For Terraform version older than 0.7.0 use `ref=v1.0.0`:
48 | `source = "github.com/terraform-community-modules/tf_aws_vpc?ref=v1.0.0"`
49 | 
50 | Outputs
51 | =======
52 | 
53 |  - `vpc_id` - does what it says on the tin
54 |  - `private_subnets` - list of private subnet ids
55 |  - `public_subnets` - list of public subnet ids
56 |  - `public_route_table_ids` - list of public route table ids
57 |  - `private_route_table_ids` - list of private route table ids
58 |  - `default_security_group_id` - VPC default security group id string
59 |  - `nat_eips` - list of Elastic IP ids (if any are provisioned)
60 | 
61 | **NOTE**: previous versions of this module returned a single string as a route
62 | table ID, while this version returns a list.
63 | 
64 | Authors
65 | =======
66 | 
67 | Originally created and maintained by [Casey Ransom](https://github.com/cransom)
68 | Hijacked by [Paul Hinze](https://github.com/phinze)
69 | 
70 | License
71 | =======
72 | 
73 | Apache 2 Licensed. See LICENSE for full details.
74 | 


--------------------------------------------------------------------------------
/terraform/vpc/tf_aws_vpc/main.tf:
--------------------------------------------------------------------------------
  1 | resource "aws_vpc" "mod" {
  2 |   cidr_block           = "${var.cidr}"
  3 |   enable_dns_hostnames = "${var.enable_dns_hostnames}"
  4 |   enable_dns_support   = "${var.enable_dns_support}"
  5 | 
  6 |   tags {
  7 |     Name   = "${var.name}"
  8 |     Mikado = "True"
  9 |   }
 10 | }
 11 | 
 12 | resource "aws_internet_gateway" "mod" {
 13 |   vpc_id = "${aws_vpc.mod.id}"
 14 | 
 15 |   tags {
 16 |     Name   = "${var.name}-igw"
 17 |     Mikado = "True"
 18 |   }
 19 | }
 20 | 
 21 | resource "aws_route_table" "public" {
 22 |   vpc_id           = "${aws_vpc.mod.id}"
 23 |   propagating_vgws = ["${var.public_propagating_vgws}"]
 24 | 
 25 |   tags {
 26 |     Name   = "${var.name}-rt-public"
 27 |     Mikado = "True"
 28 |   }
 29 | }
 30 | 
 31 | resource "aws_route" "public_internet_gateway" {
 32 |   route_table_id         = "${aws_route_table.public.id}"
 33 |   destination_cidr_block = "0.0.0.0/0"
 34 |   gateway_id             = "${aws_internet_gateway.mod.id}"
 35 | }
 36 | 
 37 | resource "aws_route" "private_nat_gateway" {
 38 |   route_table_id         = "${element(aws_route_table.private.*.id, count.index)}"
 39 |   destination_cidr_block = "0.0.0.0/0"
 40 |   nat_gateway_id         = "${element(aws_nat_gateway.natgw.*.id, count.index)}"
 41 |   count                  = "${var.az_count * lookup(map(var.enable_nat_gateway, 1), "true", 0)}"
 42 | }
 43 | 
 44 | resource "aws_route_table" "private" {
 45 |   vpc_id           = "${aws_vpc.mod.id}"
 46 |   propagating_vgws = ["${var.private_propagating_vgws}"]
 47 |   count            = "${var.az_count}"
 48 | 
 49 |   tags {
 50 |     Name   = "${var.name}-rt-private-${element(var.azs, count.index)}"
 51 |     Mikado = "True"
 52 |   }
 53 | }
 54 | 
 55 | resource "aws_subnet" "private" {
 56 |   vpc_id            = "${aws_vpc.mod.id}"
 57 |   cidr_block        = "${replace(var.private_subnets_cidr, "XXX", count.index)}"
 58 |   availability_zone = "${var.azs[count.index]}"
 59 |   count             = "${var.az_count}"
 60 | 
 61 |   tags {
 62 |     Name   = "${var.name}-subnet-private-${element(var.azs, count.index)}"
 63 |     Mikado = "True"
 64 |   }
 65 | 
 66 |   lifecycle {
 67 |     create_before_destroy = true
 68 |   }
 69 | }
 70 | 
 71 | resource "aws_subnet" "public" {
 72 |   vpc_id            = "${aws_vpc.mod.id}"
 73 |   cidr_block        = "${replace(var.public_subnets_cidr, "XXX", count.index + 100)}"
 74 |   availability_zone = "${var.azs[count.index]}"
 75 |   count             = "${var.az_count}"
 76 | 
 77 |   tags {
 78 |     Name   = "${var.name}-subnet-public-${element(var.azs, count.index)}"
 79 |     Mikado = "True"
 80 |   }
 81 | 
 82 |   map_public_ip_on_launch = "${var.map_public_ip_on_launch}"
 83 | 
 84 |   lifecycle {
 85 |     create_before_destroy = true
 86 |   }
 87 | }
 88 | 
 89 | resource "aws_eip" "nateip" {
 90 |   vpc   = true
 91 |   count = "${var.az_count * lookup(map(var.enable_nat_gateway, 1), "true", 0)}"
 92 | }
 93 | 
 94 | resource "aws_nat_gateway" "natgw" {
 95 |   allocation_id = "${element(aws_eip.nateip.*.id, count.index)}"
 96 |   subnet_id     = "${element(aws_subnet.public.*.id, count.index)}"
 97 |   count         = "${var.az_count * lookup(map(var.enable_nat_gateway, 1), "true", 0)}"
 98 | 
 99 |   depends_on = ["aws_internet_gateway.mod"]
100 | }
101 | 
102 | resource "aws_route_table_association" "private" {
103 |   count          = "${var.az_count}"
104 |   subnet_id      = "${element(aws_subnet.private.*.id, count.index)}"
105 |   route_table_id = "${element(aws_route_table.private.*.id, count.index)}"
106 | }
107 | 
108 | resource "aws_route_table_association" "public" {
109 |   count          = "${var.az_count}"
110 |   subnet_id      = "${element(aws_subnet.public.*.id, count.index)}"
111 |   route_table_id = "${aws_route_table.public.id}"
112 | }
113 | 


--------------------------------------------------------------------------------
/terraform/vpc/tf_aws_vpc/outputs.tf:
--------------------------------------------------------------------------------
 1 | output "private_subnets" {
 2 |   value = ["${aws_subnet.private.*.id}"]
 3 | }
 4 | 
 5 | output "public_subnets" {
 6 |   value = ["${aws_subnet.public.*.id}"]
 7 | }
 8 | 
 9 | output "vpc_id" {
10 |   value = "${aws_vpc.mod.id}"
11 | }
12 | 
13 | output "public_route_table_ids" {
14 |   value = ["${aws_route_table.public.*.id}"]
15 | }
16 | 
17 | output "private_route_table_ids" {
18 |   value = ["${aws_route_table.private.*.id}"]
19 | }
20 | 
21 | output "default_security_group_id" {
22 |   value = "${aws_vpc.mod.default_security_group_id}"
23 | }
24 | 
25 | output "nat_eips" {
26 |   value = ["${aws_eip.nateip.*.id}"]
27 | }
28 | 


--------------------------------------------------------------------------------
/terraform/vpc/tf_aws_vpc/variables.tf:
--------------------------------------------------------------------------------
 1 | variable "name" {}
 2 | 
 3 | variable "cidr" {}
 4 | 
 5 | variable "public_subnets_cidr" {
 6 |   description = "CIDR for your public subnets"
 7 | }
 8 | 
 9 | variable "private_subnets_cidr" {
10 |   description = "CIDR for your private subnets"
11 | }
12 | 
13 | variable "azs" {
14 |   description = "A list of Availability zones in the region"
15 |   default     = []
16 | }
17 | 
18 | variable "az_count" {
19 |   description = "number of azs in the region"
20 | }
21 | 
22 | variable "enable_dns_hostnames" {
23 |   description = "should be true if you want to use private DNS within the VPC"
24 |   default     = false
25 | }
26 | 
27 | variable "enable_dns_support" {
28 |   description = "should be true if you want to use private DNS within the VPC"
29 |   default     = false
30 | }
31 | 
32 | variable "enable_nat_gateway" {
33 |   description = "should be true if you want to provision NAT Gateways for each of your private networks"
34 |   default     = false
35 | }
36 | 
37 | variable "map_public_ip_on_launch" {
38 |   description = "should be false if you do not want to auto-assign public IP on launch"
39 |   default     = true
40 | }
41 | 
42 | variable "private_propagating_vgws" {
43 |   description = "A list of VGWs the private route table should propagate."
44 |   default     = []
45 | }
46 | 
47 | variable "public_propagating_vgws" {
48 |   description = "A list of VGWs the public route table should propagate."
49 |   default     = []
50 | }
51 | 


--------------------------------------------------------------------------------
/terraform/vpc/vpc.tf:
--------------------------------------------------------------------------------
 1 | variable "az_count" {
 2 |   type = "string"
 3 | }
 4 | 
 5 | data "aws_availability_zones" "available" {}
 6 | 
 7 | module "vpc" {
 8 |   source = "./tf_aws_vpc"
 9 | 
10 |   name = "mikado"
11 | 
12 |   cidr = "10.0.0.0/16"
13 | 
14 |   # TODO FIXME
15 |   private_subnets_cidr = "10.0.XXX.0/24"
16 | 
17 |   # TODO FIXME
18 |   public_subnets_cidr = "10.0.XXX.0/24"
19 | 
20 |   azs      = "${data.aws_availability_zones.available.names}"
21 |   az_count = "${var.az_count}"
22 | 
23 |   map_public_ip_on_launch = "true"
24 |   enable_dns_support      = "true"
25 |   enable_dns_hostnames    = "true"
26 | }
27 | 
28 | output "vpc_id" {
29 |   value = "${module.vpc.vpc_id}"
30 | }
31 | 
32 | output "private_subnets" {
33 |   value = "${module.vpc.private_subnets}"
34 | }
35 | 
36 | output "public_subnets" {
37 |   value = "${module.vpc.public_subnets}"
38 | }
39 | 
40 | output "availability_zones" {
41 |   value = "${data.aws_availability_zones.available.names}"
42 | }
43 | 


--------------------------------------------------------------------------------
/terraform/wp-fastly/fastly.tf:
--------------------------------------------------------------------------------
 1 | resource "fastly_service_v1" "fastly-cdn" {
 2 |   name = "${var.domain}"
 3 | 
 4 |   domain {
 5 |     name    = "www.${var.domain}"
 6 |     comment = "Managed by Mikado"
 7 |   }
 8 | 
 9 |   backend {
10 |     address = "origin.${var.domain}"
11 |     name    = "origin.${var.domain}"
12 |     port    = 80
13 |   }
14 | 
15 |   gzip {
16 |     name = "static stuff"
17 | 
18 |     extensions = [
19 |       "css",
20 |       "js",
21 |       "html",
22 |       "eot",
23 |       "ico",
24 |       "otf",
25 |       "ttf",
26 |       "json",
27 |     ]
28 | 
29 |     content_types = [
30 |       "text/html",
31 |       "application/x-javascript",
32 |       "text/css",
33 |       "application/javascript",
34 |       "text/javascript",
35 |       "application/json",
36 |       "application/vnd.ms-fontobject",
37 |       "application/x-font-opentype",
38 |       "application/x-font-truetype",
39 |       "application/x-font-ttf",
40 |       "application/xml",
41 |       "font/eot",
42 |       "font/opentype",
43 |       "font/otf",
44 |       "image/svg+xml",
45 |       "image/vnd.microsoft.icon",
46 |       "text/plain",
47 |       "text/xml",
48 |     ]
49 |   }
50 | 
51 |   force_destroy = true
52 | 
53 |   vcl {
54 |     name    = "main-with-stale"
55 |     content = "${file("${path.module}/fastly_service.vcl")}"
56 |     main    = true
57 |   }
58 | }
59 | 


--------------------------------------------------------------------------------
/terraform/wp-fastly/fastly_service.vcl:
--------------------------------------------------------------------------------
  1 | sub vcl_recv {
  2 |   if (req.http.Fastly-FF) {
  3 |     set req.max_stale_while_revalidate = 0s;
  4 |   }
  5 | 
  6 | #FASTLY recv
  7 | 
  8 |   if (req.request != "HEAD" && req.request != "GET" && req.request != "FASTLYPURGE") {
  9 |     return(pass);
 10 |   }
 11 | 
 12 |   return(lookup);
 13 | }
 14 | 
 15 | sub vcl_fetch {
 16 |   /* handle 5XX (or any other unwanted status code) */
 17 |   if (beresp.status >= 500 && beresp.status < 600) {
 18 | 
 19 |     /* deliver stale if the object is available */
 20 |     if (stale.exists) {
 21 |       return(deliver_stale);
 22 |     }
 23 | 
 24 |     if (req.restarts < 1 && (req.request == "GET" || req.request == "HEAD")) {
 25 |       restart;
 26 |     }
 27 | 
 28 |     /* else go to vcl_error to deliver a synthetic */
 29 |     error 503;
 30 |   }
 31 | 
 32 |   /* set stale_if_error and stale_while_revalidate (customize these values) */
 33 |   set beresp.stale_if_error = 86400s;
 34 |   set beresp.stale_while_revalidate = 120s;
 35 | 
 36 | #FASTLY fetch
 37 | 
 38 |   if ((beresp.status == 500 || beresp.status == 503) && req.restarts < 1 && (req.request == "GET" || req.request == "HEAD")) {
 39 |     restart;
 40 |   }
 41 | 
 42 |   if (req.restarts > 0) {
 43 |     set beresp.http.Fastly-Restarts = req.restarts;
 44 |   }
 45 | 
 46 |   if (beresp.http.Set-Cookie) {
 47 |     set req.http.Fastly-Cachetype = "SETCOOKIE";
 48 |     return(pass);
 49 |   }
 50 | 
 51 |   if (beresp.http.Cache-Control ~ "private") {
 52 |     set req.http.Fastly-Cachetype = "PRIVATE";
 53 |     return(pass);
 54 |   }
 55 | 
 56 |   /* this code will never be run, commented out for clarity */
 57 |   /* if (beresp.status == 500 || beresp.status == 503) {
 58 |      set req.http.Fastly-Cachetype = "ERROR";
 59 |      set beresp.ttl = 1s;
 60 |      set beresp.grace = 5s;
 61 |      return(deliver);
 62 |   } */
 63 | 
 64 |   if (beresp.http.Expires || beresp.http.Surrogate-Control ~ "max-age" || beresp.http.Cache-Control ~ "(s-maxage|max-age)") {
 65 |     # keep the ttl here
 66 |   } else {
 67 |     # apply the default ttl
 68 |     set beresp.ttl = 3600s;
 69 |   }
 70 | 
 71 |   return(deliver);
 72 | }
 73 | 
 74 | sub vcl_hit {
 75 | #FASTLY hit
 76 | 
 77 |   if (!obj.cacheable) {
 78 |     return(pass);
 79 |   }
 80 |   return(deliver);
 81 | }
 82 | 
 83 | sub vcl_miss {
 84 | #FASTLY miss
 85 |   return(fetch);
 86 | }
 87 | 
 88 | sub vcl_deliver {
 89 |   if (resp.status >= 500 && resp.status < 600) {
 90 |     /* restart if the stale object is available */
 91 |     if (stale.exists) {
 92 |       restart;
 93 |     }
 94 |   }
 95 | 
 96 | #FASTLY deliver
 97 |   return(deliver);
 98 | }
 99 | 
100 | sub vcl_error {
101 | #FASTLY error
102 | 
103 |   /* handle 503s */
104 |   if (obj.status >= 500 && obj.status < 600) {
105 | 
106 |     /* deliver stale object if it is available */
107 |     if (stale.exists) {
108 |       return(deliver_stale);
109 |     }
110 | 
111 |     /* otherwise, return a synthetic */
112 | 
113 |     /* include your HTML response here */
114 |     synthetic {"<!DOCTYPE html><html>SORRY! Our servers are temporarily down while we work on making things better. Please come back later.</html>"};
115 |     return(deliver);
116 |   }
117 | 
118 | }
119 | 
120 | sub vcl_pass {
121 | #FASTLY pass
122 | }
123 | 


--------------------------------------------------------------------------------
/terraform/wp-fastly/provider.tf:
--------------------------------------------------------------------------------
1 | provider "fastly" {
2 |   api_key = "${var.api_key}"
3 | }
4 | 


--------------------------------------------------------------------------------
/terraform/wp-fastly/r53.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_route53_record" "www" {
 2 |   zone_id = "${var.domain_zone_id}"
 3 |   name    = "www.${var.domain}"
 4 |   type    = "CNAME"
 5 |   ttl     = "300"
 6 |   records = ["global-nossl.fastly.net"]
 7 | }
 8 | 
 9 | resource "aws_route53_record" "apex" {
10 |   zone_id = "${var.domain_zone_id}"
11 |   name    = "${var.domain}"
12 |   type    = "A"
13 | 
14 |   alias {
15 |     name                   = "${aws_s3_bucket.apex-redirect.website_domain}"
16 |     zone_id                = "${aws_s3_bucket.apex-redirect.hosted_zone_id}"
17 |     evaluate_target_health = true
18 |   }
19 | }
20 | 


--------------------------------------------------------------------------------
/terraform/wp-fastly/s3.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_s3_bucket" "apex-redirect" {
 2 |   bucket = "${var.domain}"
 3 |   acl    = "public-read"
 4 | 
 5 |   website {
 6 |     redirect_all_requests_to = "www.${var.domain}"
 7 |   }
 8 | 
 9 |   tags {
10 |     Name        = "${var.domain}"
11 |     Environment = "prod"
12 |     Role        = "${var.domain}"
13 |     Mikado      = true
14 |   }
15 | }
16 | 


--------------------------------------------------------------------------------
/terraform/wp-fastly/sg.tf:
--------------------------------------------------------------------------------
 1 | # get the list of all fastly CIDRs
 2 | data "fastly_ip_ranges" "fastly" {}
 3 | 
 4 | resource "aws_security_group_rule" "fastly-443-in" {
 5 |   type        = "ingress"
 6 |   from_port   = 443
 7 |   to_port     = 443
 8 |   protocol    = "tcp"
 9 |   cidr_blocks = ["${data.fastly_ip_ranges.fastly.cidr_blocks}"]
10 | 
11 |   security_group_id = "${var.elb_public_sg_id}"
12 | }
13 | 
14 | resource "aws_security_group_rule" "fastly-80-in" {
15 |   type        = "ingress"
16 |   from_port   = 80
17 |   to_port     = 80
18 |   protocol    = "tcp"
19 |   cidr_blocks = ["${data.fastly_ip_ranges.fastly.cidr_blocks}"]
20 | 
21 |   security_group_id = "${var.elb_public_sg_id}"
22 | }
23 | 
24 | resource "aws_security_group_rule" "fastly-out" {
25 |   type        = "egress"
26 |   from_port   = 0
27 |   to_port     = 0
28 |   protocol    = "tcp"
29 |   cidr_blocks = ["${data.fastly_ip_ranges.fastly.cidr_blocks}"]
30 | 
31 |   security_group_id = "${var.elb_public_sg_id}"
32 | }
33 | 


--------------------------------------------------------------------------------
/terraform/wp-fastly/variables.tf:
--------------------------------------------------------------------------------
 1 | variable "api_key" {
 2 |   type    = "string"
 3 |   default = ""
 4 | }
 5 | 
 6 | variable "domain" {
 7 |   type = "string"
 8 | }
 9 | 
10 | variable "domain_zone_id" {
11 |   type = "string"
12 | }
13 | 
14 | variable "elb_public_sg_id" {
15 |   type = "string"
16 | }
17 | 


--------------------------------------------------------------------------------
/terraform/wp-statuscake/statuscake.tf:
--------------------------------------------------------------------------------
 1 | variable "domain" {
 2 |   type = "string"
 3 | }
 4 | 
 5 | variable "username" {
 6 |   type    = "string"
 7 |   default = ""
 8 | }
 9 | 
10 | variable "apikey" {
11 |   type    = "string"
12 |   default = ""
13 | }
14 | 
15 | provider "statuscake" {
16 |   username = "${var.username}"
17 |   apikey   = "${var.apikey}"
18 | }
19 | 
20 | resource "statuscake_test" "origin" {
21 |   website_name = "origin.${var.domain}"
22 |   website_url  = "http://origin.${var.domain}"
23 |   test_type    = "HTTP"
24 |   check_rate   = 300
25 | }
26 | 
27 | resource "statuscake_test" "www" {
28 |   website_name = "www.${var.domain}"
29 |   website_url  = "http://www.${var.domain}"
30 |   test_type    = "HTTP"
31 |   check_rate   = 300
32 | }
33 | 
34 | resource "statuscake_test" "test" {
35 |   website_name = "test.${var.domain}"
36 |   website_url  = "http://test.${var.domain}"
37 |   test_type    = "HTTP"
38 |   check_rate   = 300
39 | }
40 | 


--------------------------------------------------------------------------------
/terraform/wp/ami.tf:
--------------------------------------------------------------------------------
 1 | data "aws_ami" "prod" {
 2 |   filter {
 3 |     name   = "state"
 4 |     values = ["available"]
 5 |   }
 6 | 
 7 |   filter {
 8 |     name   = "name"
 9 |     values = ["${var.domain}*"]
10 |   }
11 | 
12 |   filter {
13 |     name   = "tag:Production"
14 |     values = ["True"]
15 |   }
16 | 
17 |   most_recent = true
18 | }
19 | 
20 | data "aws_ami" "test" {
21 |   filter {
22 |     name   = "state"
23 |     values = ["available"]
24 |   }
25 | 
26 |   filter {
27 |     name   = "name"
28 |     values = ["${var.domain}*"]
29 |   }
30 | 
31 |   most_recent = true
32 | }
33 | 


--------------------------------------------------------------------------------
/terraform/wp/asg.tf:
--------------------------------------------------------------------------------
 1 | module "wp-prod-asg" {
 2 |   source                      = "../asg"
 3 |   name                        = "${replace(var.domain, ".", "-")}"
 4 |   vpc_id                      = "${var.vpc_id}"
 5 |   availability_zones          = "${var.availability_zones}"
 6 |   public_subnets              = "${var.public_subnets}"
 7 |   private_subnets             = "${var.public_subnets}"
 8 |   ami_id                      = "${data.aws_ami.prod.id}"
 9 |   instance_type               = "${var.prod_instance_type}"
10 |   maximum_number_of_instances = "${var.asg_maximum_number_of_instances}"
11 |   number_of_instances         = "${var.asg_number_of_instances}"
12 |   minimum_number_of_instances = "${var.asg_minimum_number_of_instances}"
13 |   rolling_update_batch_size   = "1"
14 |   elb_instance_port           = "80"
15 |   internal_sg                 = "${var.internal_sg}"
16 |   health_check                = "${var.health_check}"
17 |   user_data                   = "${var.user_data}"
18 |   elb_publicly_available      = "${var.no_cdn}"
19 | }
20 | 
21 | module "wp-test-asg" {
22 |   source                      = "../asg"
23 |   name                        = "test-${replace(var.domain, ".", "-")}"
24 |   vpc_id                      = "${var.vpc_id}"
25 |   availability_zones          = "${var.availability_zones}"
26 |   public_subnets              = "${var.public_subnets}"
27 |   private_subnets             = "${var.public_subnets}"
28 |   ami_id                      = "${data.aws_ami.test.id}"
29 |   instance_type               = "${var.test_instance_type}"
30 |   maximum_number_of_instances = "2"
31 |   number_of_instances         = "1"
32 |   minimum_number_of_instances = "1"
33 |   rolling_update_batch_size   = "1"
34 |   elb_instance_port           = "80"
35 |   internal_sg                 = "${var.internal_sg}"
36 |   user_data                   = "${var.user_data}"
37 |   env                         = "test"
38 |   health_check                = "${var.health_check}"
39 | }
40 | 
41 | output "prod-elb_public_sg_id" {
42 |   value = "${module.wp-prod-asg.elb_public_sg_id}"
43 | }
44 | 
45 | output "test-elb_public_sg_id" {
46 |   value = "${module.wp-test-asg.elb_public_sg_id}"
47 | }
48 | 


--------------------------------------------------------------------------------
/terraform/wp/r53.tf:
--------------------------------------------------------------------------------
  1 | resource "aws_route53_zone" "domain" {
  2 |   name = "${var.domain}"
  3 | 
  4 |   tags {
  5 |     Mikado = "True"
  6 |   }
  7 | }
  8 | 
  9 | resource "aws_route53_record" "apex" {
 10 |   zone_id = "${aws_route53_zone.domain.zone_id}"
 11 |   name    = "${var.domain}"
 12 |   type    = "A"
 13 |   count   = "${var.no_cdn}"
 14 | 
 15 |   alias {
 16 |     name                   = "${module.wp-prod-asg.elb_dns_name}"
 17 |     zone_id                = "${module.wp-prod-asg.elb_zone_id}"
 18 |     evaluate_target_health = true
 19 |   }
 20 | }
 21 | 
 22 | resource "aws_route53_record" "www" {
 23 |   zone_id = "${aws_route53_zone.domain.zone_id}"
 24 |   name    = "www.${var.domain}"
 25 |   type    = "CNAME"
 26 |   ttl     = "300"
 27 |   records = ["${var.domain}"]
 28 |   count   = "${var.no_cdn}"
 29 | }
 30 | 
 31 | resource "aws_route53_record" "origin" {
 32 |   zone_id = "${aws_route53_zone.domain.zone_id}"
 33 |   name    = "origin.${var.domain}"
 34 |   type    = "A"
 35 | 
 36 |   alias {
 37 |     name                   = "${module.wp-prod-asg.elb_dns_name}"
 38 |     zone_id                = "${module.wp-prod-asg.elb_zone_id}"
 39 |     evaluate_target_health = true
 40 |   }
 41 | }
 42 | 
 43 | resource "aws_route53_record" "test" {
 44 |   zone_id = "${aws_route53_zone.domain.zone_id}"
 45 |   name    = "test.${var.domain}"
 46 |   type    = "A"
 47 | 
 48 |   alias {
 49 |     name                   = "${module.wp-test-asg.elb_dns_name}"
 50 |     zone_id                = "${module.wp-test-asg.elb_zone_id}"
 51 |     evaluate_target_health = true
 52 |   }
 53 | }
 54 | 
 55 | ##############
 56 | # Internal DNS
 57 | ##############
 58 | resource "aws_route53_zone" "int" {
 59 |   name   = "int.${var.domain}"
 60 |   vpc_id = "${var.vpc_id}"
 61 | 
 62 |   tags {
 63 |     Mikado = "True"
 64 |   }
 65 | }
 66 | 
 67 | resource "aws_route53_record" "int-ns" {
 68 |   zone_id = "${aws_route53_zone.domain.zone_id}"
 69 |   name    = "int.${var.domain}"
 70 |   type    = "NS"
 71 |   ttl     = "30"
 72 | 
 73 |   records = [
 74 |     "${aws_route53_zone.int.name_servers.0}",
 75 |     "${aws_route53_zone.int.name_servers.1}",
 76 |     "${aws_route53_zone.int.name_servers.2}",
 77 |     "${aws_route53_zone.int.name_servers.3}",
 78 |   ]
 79 | }
 80 | 
 81 | resource "aws_route53_record" "prod-rds" {
 82 |   zone_id = "${aws_route53_zone.int.zone_id}"
 83 |   name    = "prod.db.int.${var.domain}"
 84 |   type    = "A"
 85 |   count   = "${var.create_prod_db}"
 86 | 
 87 |   alias {
 88 |     name                   = "${aws_db_instance.wp-prod.address}"
 89 |     zone_id                = "${aws_db_instance.wp-prod.hosted_zone_id}"
 90 |     evaluate_target_health = true
 91 |   }
 92 | }
 93 | 
 94 | resource "aws_route53_record" "test-rds" {
 95 |   zone_id = "${aws_route53_zone.int.zone_id}"
 96 |   name    = "test.db.int.${var.domain}"
 97 |   type    = "A"
 98 | 
 99 |   count = "${var.create_test_db}"
100 | 
101 |   alias {
102 |     name                   = "${aws_db_instance.wp-test.address}"
103 |     zone_id                = "${aws_db_instance.wp-test.hosted_zone_id}"
104 |     evaluate_target_health = true
105 |   }
106 | }
107 | 
108 | ##########
109 | # Outputs
110 | ##########
111 | output "nameservers" {
112 |   value = "${join(", ", aws_route53_zone.domain.name_servers)}"
113 | }
114 | 
115 | output "route53_zone_id" {
116 |   value = "${aws_route53_zone.domain.zone_id}"
117 | }
118 | 


--------------------------------------------------------------------------------
/terraform/wp/rds.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_db_instance" "wp-prod" {
 2 |   identifier                 = "${replace(var.domain, ".", "-")}"
 3 |   count                      = "${var.create_prod_db}"
 4 |   allocated_storage          = "10"
 5 |   engine                     = "mysql"
 6 |   engine_version             = "5.7.11"
 7 |   instance_class             = "${var.prod_rds_instance_type}"
 8 |   name                       = "${replace(var.domain, "/[^a-z0-9]+/", "")}"
 9 |   username                   = "${replace(var.domain, "/[^a-z0-9]+/", "")}"
10 |   password                   = "${var.db_pass}"
11 |   backup_retention_period    = "30"
12 |   backup_window              = "04:00-04:30"
13 |   maintenance_window         = "sun:04:30-sun:05:30"
14 |   auto_minor_version_upgrade = true
15 |   vpc_security_group_ids     = ["${aws_security_group.rds.id}", "${var.internal_sg}"]
16 |   db_subnet_group_name       = "${aws_db_subnet_group.wp.name}"
17 |   parameter_group_name       = "default.mysql5.7"
18 |   multi_az                   = true
19 |   storage_type               = "gp2"
20 | 
21 |   tags {
22 |     Name        = "${replace(var.domain, ".", "")}"
23 |     Environment = "prod"
24 |     Role        = "${var.domain}"
25 |     Mikado      = "True"
26 |   }
27 | }
28 | 
29 | resource "aws_db_subnet_group" "wp" {
30 |   name        = "${replace(var.domain, ".", "")}"
31 |   description = "wp rds"
32 |   subnet_ids  = ["${var.private_subnets}"]
33 | }
34 | 
35 | resource "aws_db_instance" "wp-test" {
36 |   apply_immediately          = true
37 |   count                      = "${var.create_test_db}"
38 |   identifier                 = "test-${replace(var.domain, ".", "-")}"
39 |   allocated_storage          = "5"
40 |   engine                     = "mysql"
41 |   engine_version             = "5.7.11"
42 |   instance_class             = "${var.test_rds_instance_type}"
43 |   name                       = "test${replace(var.domain, "/[^a-z0-9]+/", "")}"
44 |   username                   = "${replace(var.domain, "/[^a-z0-9]+/", "")}"
45 |   password                   = "${var.db_pass}"
46 |   backup_retention_period    = "30"
47 |   backup_window              = "04:00-04:30"
48 |   maintenance_window         = "sun:04:30-sun:05:30"
49 |   auto_minor_version_upgrade = true
50 |   vpc_security_group_ids     = ["${aws_security_group.rds.id}", "${var.internal_sg}"]
51 |   db_subnet_group_name       = "${aws_db_subnet_group.wp.name}"
52 |   parameter_group_name       = "default.mysql5.7"
53 |   multi_az                   = true
54 |   storage_type               = "gp2"
55 | 
56 |   tags {
57 |     Name        = "test-${replace(var.domain, ".", "")}"
58 |     Environment = "test"
59 |     Role        = "test.${var.domain}"
60 |     Mikado      = "True"
61 |   }
62 | }
63 | 


--------------------------------------------------------------------------------
/terraform/wp/sg.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_security_group" "rds" {
 2 |   name   = "${replace(var.domain, ".", "-")}-internal-mysql"
 3 |   vpc_id = "${var.vpc_id}"
 4 | 
 5 |   ingress {
 6 |     from_port = 3306
 7 |     to_port   = 3306
 8 |     protocol  = "tcp"
 9 |     self      = true
10 |   }
11 | 
12 |   egress {
13 |     from_port = 3306
14 |     to_port   = 3306
15 |     protocol  = "tcp"
16 |     self      = true
17 |   }
18 | 
19 |   tags {
20 |     Name        = "${replace(var.domain, ".", "-")}-internal-mysql"
21 |     Environment = "prod"
22 |     Role        = "${var.domain}"
23 |     Mikado      = "True"
24 |   }
25 | 
26 |   lifecycle {
27 |     create_before_destroy = true
28 |   }
29 | }
30 | 


--------------------------------------------------------------------------------
/terraform/wp/variables.tf:
--------------------------------------------------------------------------------
 1 | variable "vpc_id" {
 2 |   type = "string"
 3 | }
 4 | 
 5 | variable "availability_zones" {
 6 |   type = "list"
 7 | }
 8 | 
 9 | variable "public_subnets" {
10 |   type = "list"
11 | }
12 | 
13 | variable "private_subnets" {
14 |   type = "list"
15 | }
16 | 
17 | variable "prod_instance_type" {
18 |   type    = "string"
19 |   default = "t2.micro"
20 | }
21 | 
22 | variable "test_instance_type" {
23 |   type    = "string"
24 |   default = "t2.micro"
25 | }
26 | 
27 | variable "prod_rds_instance_type" {
28 |   type    = "string"
29 |   default = "db.t2.micro"
30 | }
31 | 
32 | variable "test_rds_instance_type" {
33 |   type    = "string"
34 |   default = "db.t2.micro"
35 | }
36 | 
37 | variable "create_test_db" {
38 |   type    = "string"
39 |   default = true
40 | }
41 | 
42 | variable "create_prod_db" {
43 |   type    = "string"
44 |   default = true
45 | }
46 | 
47 | variable "domain" {
48 |   type = "string"
49 | }
50 | 
51 | variable "db_pass" {
52 |   type    = "string"
53 |   default = "sup3r-s3cr3t-p4ss"
54 | }
55 | 
56 | variable "internal_sg" {}
57 | 
58 | variable "user_data" {
59 |   type    = "string"
60 |   default = ""
61 | }
62 | 
63 | variable "asg_number_of_instances" {
64 |   type    = "string"
65 |   default = "1"
66 | }
67 | 
68 | variable "asg_minimum_number_of_instances" {
69 |   type    = "string"
70 |   default = "1"
71 | }
72 | 
73 | variable "asg_maximum_number_of_instances" {
74 |   type    = "string"
75 |   default = "10"
76 | }
77 | 
78 | variable "health_check" {
79 |   type    = "string"
80 |   default = "TCP:80"
81 | }
82 | 
83 | variable "no_cdn" {
84 |   type        = "string"
85 |   description = "true/false if you want to use a cdn"
86 |   default     = true
87 | }
88 | 


--------------------------------------------------------------------------------