# Infrastructure for the Yandex Managed Service for Gitlab and Yandex Compute Cloud Virtual Machine
#
# RU: https://yandex.cloud/ru/docs/architecture/mlops-in-managed-gitlab
# EN: https://yandex.cloud/en/docs/architecture/mlops-in-managed-gitlab
#
# Configure the parameters of the Gitlab instance and virtual machine:
locals {
  # --- User-supplied settings (fill these in before `terraform apply`) ---

  # Managed Service for GitLab
  instance_name   = "" # Name of the GitLab instance
  instance_login  = "" # Administrator login for the GitLab instance
  instance_email  = "" # Administrator e-mail for the GitLab instance
  instance_domain = "" # Instance domain name; must live in the gitlab.yandexcloud.net DNS zone

  # Compute Cloud virtual machine
  vm_username   = "" # Login name created on the VM
  vm_public_key = "" # Path to the public SSH key file that is injected into the VM metadata

  # Service account
  sa_folder_id = "" # ID of the folder the service account is created in and granted roles on

  # --- Predefined settings (change only when you know why) ---
  network_name          = "net-gitlab"           # VPC network name
  subnet_name           = "subnet-gitlab-a"      # Subnet name
  zone_a_v4_cidr_blocks = "10.16.0.0/24"         # Subnet CIDR in ru-central1-a; the subnet DNS resolver lives at its second address
  security_group_name   = "gitlab-sg"            # Security group name
  sa_name               = "gitlab-sa"            # Service account name
  vm_name               = "vm-mlops"             # Compute Cloud VM name
  vm_image_id           = "fd8c84dpe0epitdiqakt" # Boot disk image ID (DSVM)
}
# Network infrastructure for the Managed Service for Gitlab instance
# VPC network shared by the GitLab instance and the Compute Cloud VM.
resource "yandex_vpc_network" "network" {
  name        = local.network_name
  description = "Network for the Managed Service for Gitlab instance and Compute Cloud VM"
}
# Single subnet in ru-central1-a; both the GitLab instance and the VM are placed here.
resource "yandex_vpc_subnet" "subnet-a" {
  name           = local.subnet_name
  description    = "Subnet in the ru-central1-a availability zone"
  network_id     = yandex_vpc_network.network.id
  zone           = "ru-central1-a"
  v4_cidr_blocks = [local.zone_a_v4_cidr_blocks]
}
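# Security group for the GitLab instance. The rules below are only enforced on
# resources this group is attached to; nothing in this file attaches it, so
# check the instance and VM network settings before relying on it.
resource "yandex_vpc_security_group" "gitlab-security-group" {
  name        = local.security_group_name
  description = "Security group for the Managed Service for Gitlab instance"
  network_id  = yandex_vpc_network.network.id

  # NOTE(review): port 22 is open to every IPv4 address. Narrow the source
  # range to the addresses administrators actually connect from.
  ingress {
    description    = "Allows connecting to VM and working with Git-repository over SSH"
    protocol       = "TCP"
    port           = 22
    v4_cidr_blocks = ["0.0.0.0/0"]
  }

  # Git-over-SSH on the alternate port, reachable only from inside the subnet.
  ingress {
    description    = "Allows working with Git-repository over SSH"
    protocol       = "TCP"
    port           = 2222
    v4_cidr_blocks = [local.zone_a_v4_cidr_blocks]
  }

  # Subnet-scoped HTTPS. Subsumed by the 0.0.0.0/0 rule on port 443 below;
  # kept so the plan is unchanged, but it can be dropped if the world-wide
  # rule stays.
  ingress {
    description    = "Allows working with Git-repository over HTTPS"
    protocol       = "TCP"
    port           = 443
    v4_cidr_blocks = [local.zone_a_v4_cidr_blocks]
  }

  # HTTP-01 challenges for certificate issuance must be reachable from the Internet.
  ingress {
    description    = "Allows using Lets Encrypt certificate for HTTPS"
    protocol       = "TCP"
    port           = 80
    v4_cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    description    = "Allows using Lets Encrypt certificate for HTTPS"
    protocol       = "TCP"
    port           = 443
    v4_cidr_blocks = ["0.0.0.0/0"]
  }

  # Backup endpoint address as given by the service; keep it in sync with the
  # matching egress rule below.
  ingress {
    description    = "Allows incoming connection for instance backup"
    protocol       = "TCP"
    port           = 443
    v4_cidr_blocks = ["213.180.193.243/32"]
  }

  # Health checks arrive from the provider's load-balancer range, expressed as
  # a predefined target rather than a CIDR.
  ingress {
    description      = "Allows incoming traffic for instance health checks by network balancer"
    protocol         = "TCP"
    port             = 80
    predefined_target = "loadbalancer_healthchecks"
  }

  egress {
    description    = "Allows using Lets Encrypt certificate for HTTPS"
    protocol       = "TCP"
    port           = 443
    v4_cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    description    = "Allows outgoing connection for instance backup"
    protocol       = "TCP"
    port           = 443
    v4_cidr_blocks = ["213.180.193.243/32"]
  }

  # Link-local metadata endpoint, plain HTTP by design.
  egress {
    description    = "Allows outgoing connection to metadata service for instance update"
    protocol       = "TCP"
    port           = 80
    v4_cidr_blocks = ["169.254.169.254/32"]
  }

  # The subnet's DNS resolver sits at the second address of the subnet range,
  # so derive it from the CIDR instead of hard-coding 10.16.0.2: the rule stays
  # correct if zone_a_v4_cidr_blocks is changed. Evaluates to 10.16.0.2/32 for
  # the default range.
  egress {
    description    = "Allows outgoing connection to DNS service"
    protocol       = "TCP"
    port           = 53
    v4_cidr_blocks = ["${cidrhost(local.zone_a_v4_cidr_blocks, 2)}/32"]
  }

  egress {
    description    = "Allows outgoing connection to NTP service"
    protocol       = "TCP"
    port           = 123
    v4_cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    description    = "Allows accessing instance workers"
    protocol       = "TCP"
    port           = 22
    v4_cidr_blocks = [local.zone_a_v4_cidr_blocks]
  }
}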
# Service account used by the GitLab runners/VM; roles are granted in the
# yandex_resourcemanager_folder_iam_member resources that follow.
resource "yandex_iam_service_account" "sa" {
  folder_id = local.sa_folder_id
  name      = local.sa_name
}
# Folder-wide Compute administration for the service account.
# NOTE(review): compute.admin covers every VM and disk in the folder; if the
# pipeline only needs to create and delete its own runners, a narrower role
# would limit blast radius — confirm what the workflow actually requires.
resource "yandex_resourcemanager_folder_iam_member" "admin-account-compute" {
  folder_id = local.sa_folder_id
  member    = "serviceAccount:${yandex_iam_service_account.sa.id}"
  role      = "compute.admin"
}
# Folder-wide VPC administration for the service account.
# NOTE(review): vpc.admin lets the account rewrite networks, subnets and
# security groups in the folder, including the one defined in this file;
# check whether a read/use-level VPC role is sufficient.
resource "yandex_resourcemanager_folder_iam_member" "admin-account-vpc" {
  folder_id = local.sa_folder_id
  member    = "serviceAccount:${yandex_iam_service_account.sa.id}"
  role      = "vpc.admin"
}
# Lets the service account be assigned to resources (e.g. attached to VMs)
# within the folder.
resource "yandex_resourcemanager_folder_iam_member" "user-account-iam" {
  folder_id = local.sa_folder_id
  member    = "serviceAccount:${yandex_iam_service_account.sa.id}"
  role      = "iam.serviceAccounts.user"
}
# Managed GitLab instance placed in subnet-a.
# NOTE(review): no security group is referenced here, so the rules in
# gitlab-security-group are not applied to this instance by this file —
# confirm how the service attaches network policy.
resource "yandex_gitlab_instance" "my_gitlab_instance" {
  name      = local.instance_name
  subnet_id = yandex_vpc_subnet.subnet-a.id
  domain    = local.instance_domain

  # Sizing
  resource_preset_id = "s2.micro" # 2 vCPU, 8 GB RAM
  disk_size          = 30         # GB

  # Initial administrator
  admin_login = local.instance_login
  admin_email = local.instance_email

  # Merge-request approval policy and backup retention
  approval_rules_id         = "BASIC"
  backup_retain_period_days = 10
}
# DSVM-based Compute Cloud VM in the same subnet as the GitLab instance.
resource "yandex_compute_instance" "vm-dsvm" {
  name        = local.vm_name
  zone        = "ru-central1-a"
  platform_id = "standard-v3" # Intel Ice Lake

  boot_disk {
    initialize_params {
      image_id = local.vm_image_id # DSVM image
    }
  }

  resources {
    cores  = "2"
    memory = "8"
  }

  # nat = true assigns a public IPv4 address. No security_group_ids are set on
  # this interface, so gitlab-security-group does not govern the VM as written;
  # NOTE(review): attach it (or a VM-specific group) if that was the intent.
  network_interface {
    subnet_id = yandex_vpc_subnet.subnet-a.id
    nat       = true
  }

  # Public key is read from the local path in vm_public_key at plan time and
  # installed for vm_username.
  metadata = {
    ssh-keys = "${local.vm_username}:${file(local.vm_public_key)}"
  }
}