feat(matomo) add a MySQL database on the public-db instance (#497)

Related to jenkins-infra/helpdesk#3602 This PR adds a managed MySQL database for matomo with an associated user and password. The grants are also applied to this user as per https://matomo.org/faq/how-to-install/faq_23484/. Note that the `FILE` grant is not added because it would be global to the `public-db` instance while we're not even sure it is needed (or if the mentioned file load extension is present on Azure flexible instances) (edit) Note: the updatecli check is failing as usual when introducing a new dependency. In order to validate it, I ran it locally (with the `scmid` commented in the target) which updated the hcl file as expected. Signed-off-by: Damien Duportal <[email protected]>
jenkins-infra · Oct 10, 2023 · 36197e3 · 36197e3
1 parent cf8c365
commit 36197e3
Show file tree

Hide file tree

Showing 5 changed files with 133 additions and 1 deletion.
diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
diff --git a/matomo.jenkins.io.tf b/matomo.jenkins.io.tf
@@ -0,0 +1,44 @@
+## Matomo Resources
+
+# Database - ref. https://matomo.org/faq/how-to-install/faq_23484/
+resource "mysql_database" "matomo" {
+  name = "matomo"
+}
+resource "random_password" "matomo_mysql_password" {
+  length           = 81
+  lower            = true
+  min_lower        = 1
+  min_numeric      = 1
+  min_special      = 1
+  min_upper        = 1
+  numeric          = true
+  override_special = "_"
+  special          = true
+  upper            = true
+}
+resource "mysql_user" "matomo" {
+  user               = "matomo"
+  host               = "*" # Default "localhost" forbids access from clusters
+  plaintext_password = random_password.matomo_mysql_password.result
+}
+resource "mysql_grant" "matomo" {
+  user       = mysql_user.matomo.user
+  host       = mysql_user.matomo.host
+  database   = mysql_database.matomo.name
+  privileges = ["SELECT", "INSERT", "UPDATE", "DELETE", "CREATE", "INDEX", "DROP", "ALTER", "CREATE TEMPORARY TABLES", "LOCK TABLES"]
+}
+
+# This (sensitive) output is meant to be encrypted into the production secret system, to be provided as a secret to the matomo application
+output "matomo_dbconfig" {
+  # Value of the port is fixed to 3306 (https://learn.microsoft.com/en-us/azure/mysql/flexible-server/concepts-networking and https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mysql_flexible_server#attributes-reference)
+  sensitive   = true
+  description = "YAML (secret) values for the Helm chart bitnami/matomo"
+  value       = <<-EOT
+externalDatabase:
+  host: ${azurerm_mysql_flexible_server.public_db_mysql.fqdn}
+  port: 3306
+  database: ${mysql_database.matomo.name}
+  user: ${mysql_user.matomo.user}
+  password: ${random_password.matomo_mysql_password.result}
+EOT
+}
diff --git a/providers.tf b/providers.tf
@@ -23,7 +23,7 @@ provider "kubernetes" {
 provider "postgresql" {
   /**
   Important: terraform must be allowed to reach this instance through the network. Check the followings:
-  - If running in Jenkins, ensure that the subnet of the agents is peered to the subnet of this pgsql instance
+  - If running in Jenkins, ensure that the subnet of the agents is peered to the subnet of this postgreSQL instance
     * Don't forget to also check the network security group rules
   - If running locally, ensure that:
     * your /etc/hosts defines an entry with <azurerm_postgresql_flexible_server.public.fqdn> to 127.0.0.1
@@ -34,3 +34,17 @@ provider "postgresql" {
   password  = random_password.public_db_pgsql_admin_password.result
   superuser = false
 }
+
+provider "mysql" {
+  /**
+  Important: terraform must be allowed to reach this instance through the network. Check the followings:
+  - If running in Jenkins, ensure that the subnet of the agents is peered to the subnet of this mysql instance
+    * Don't forget to also check the network security group rules
+  - If running locally, ensure that:
+    * your /etc/hosts defines an entry with <azurerm_mysql_flexible_server.public.fqdn> to 127.0.0.1
+    * you've opened an SSH tunnel such as `ssh -L 3306:<azurerm_mysql_flexible_server.public.fqdn>:3306` through a machine of the private network
+  **/
+  endpoint = "${azurerm_mysql_flexible_server.public_db_mysql.fqdn}:3306"
+  username = local.public_db_mysql_admin_login
+  password = random_password.public_db_mysql_admin_login.result
+}
diff --git a/updatecli/updatecli.d/terraform-providers/mysql.yaml b/updatecli/updatecli.d/terraform-providers/mysql.yaml
@@ -0,0 +1,47 @@
+name: "Bump Terraform `mysql` provider version"
+
+scms:
+  default:
+    kind: github
+    spec:
+      user: "{{ .github.user }}"
+      email: "{{ .github.email }}"
+      owner: "{{ .github.owner }}"
+      repository: "{{ .github.repository }}"
+      token: "{{ requiredEnv .github.token }}"
+      username: "{{ .github.username }}"
+      branch: "{{ .github.branch }}"
+
+sources:
+  lastVersion:
+    name: Get latest version of the `mysql` provider
+    kind: terraform/registry
+    spec:
+      type: provider
+      namespace: petoju
+      name: mysql
+
+targets:
+  updateTerraformLockFile:
+    name: Update Terraform lock file
+    kind: terraform/lock
+    sourceid: lastVersion
+    spec:
+      file: .terraform.lock.hcl
+      provider: petoju/mysql
+      platforms:
+        - linux_amd64
+        - linux_arm64
+        - darwin_amd64
+        - darwin_arm64
+    scmid: default
+
+actions:
+  default:
+    kind: github/pullrequest
+    scmid: default
+    spec:
+      title: Bump Terraform `petoju/mysql` provider version to {{ source "lastVersion" }}
+      labels:
+        - terraform-providers
+        - petoju/mysql
diff --git a/versions.tf b/versions.tf
@@ -20,5 +20,8 @@ terraform {
     random = {
       source = "hashicorp/random"
     }
+    mysql = {
+      source = "petoju/mysql"
+    }
   }
 }