6 changes: 6 additions & 0 deletions infra/environments/prod/outputs.tf
Expand Up @@ -65,6 +65,12 @@ output "mqtt_password_tcm26" {
sensitive = true
}

output "mqtt_password_mapache" {
description = "Generated MQTT password for the mapache services fleet user. Read with `terraform output -raw mqtt_password_mapache` → mapache-secrets/MQTT_MAPACHE_PASSWORD or wherever the consumer reads it."
value = module.mqtt.mqtt_password_mapache
sensitive = true
}

output "clickhouse_private_ip" {
description = "Private IP of the ClickHouse EC2. In-cluster pods connect to this on 8123 (HTTP) / 9000 (native)."
value = module.clickhouse.private_ip
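Review bot: The description on the new `mqtt_password_mapache` output ends with "or wherever the consumer reads it", which leaves the only manual hand-off step unpinned: the operator copying the value has no single place to check, and a consumer reading a differently named key is exactly how a rotation gets missed. Replace the tail with the exact target, e.g. `description = "Generated MQTT password for the mapache services fleet user. Read with terraform output -raw mqtt_password_mapache and write it to key MQTT_MAPACHE_PASSWORD of Secret mapache-secrets; every consumer reads that key."`. Note also that `sensitive = true` only redacts the value in CLI and plan output; it is still stored in plaintext in the state file, so a trailing sentence that state access is credential access would be fair warning (the backend configuration is not in this diff).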
31 changes: 22 additions & 9 deletions infra/modules/mqtt-ec2/main.tf
Expand Up @@ -49,6 +49,15 @@ resource "random_password" "mqtt_tcm26" {
special = false
}

# Credential for mapache services (the in-cluster Go services beyond gr26
# — e.g. query, foreman, future publishers). Distinct from gr26's own
# user so the service-fleet credential can rotate independently of the
# CAN-ingest pipeline.
resource "random_password" "mqtt_mapache" {
length = 32
special = false
}

resource "aws_security_group" "this" {
name = var.name
description = "NanoMQ for ${var.name}"
Expand Down Expand Up @@ -107,18 +116,22 @@ resource "aws_instance" "this" {
}

user_data = templatefile("${path.module}/user-data.sh.tftpl", {
nanomq_version = var.nanomq_version
mqtt_user = var.mqtt_user
mqtt_password = random_password.mqtt.result
mqtt_user_tcm26 = var.mqtt_user_tcm26
mqtt_password_tcm26 = random_password.mqtt_tcm26.result
nanomq_version = var.nanomq_version
mqtt_user = var.mqtt_user
mqtt_password = random_password.mqtt.result
mqtt_user_tcm26 = var.mqtt_user_tcm26
mqtt_password_tcm26 = random_password.mqtt_tcm26.result
mqtt_user_mapache = var.mqtt_user_mapache
mqtt_password_mapache = random_password.mqtt_mapache.result
})

# Don't recycle the instance on user-data churn. nanomq carries no
# persistent state we care about across replacements, so AMI bumps
# are also benign — `terraform taint` to intentionally replace.
# user_data is intentionally NOT in ignore_changes: nanomq carries no
# persistent state, so legitimate config edits (new user, ACL change)
# should flow through a normal `terraform apply` and trigger the ~90s
# broker downtime willingly. Keeping `ami` ignored so unrelated AL2023
# AMI churn doesn't silently roll the instance.
lifecycle {
ignore_changes = [user_data, ami]
ignore_changes = [ami]
}

tags = {
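Review bot: Dropping `user_data` from `ignore_changes` does not by itself re-run this script on a credential or ACL edit: with AWS provider 4.x and later a `user_data` change defaults to an in-place stop/start rather than replacement, and cloud-init runs the user-data script only once per instance, so `/etc/nanomq_pwd.conf` would keep the old entries while the apply reports success (the pinned provider version is outside this diff, so confirm it). The comment above `lifecycle` promises the replacement, so make it explicit next to the `user_data = templatefile(...)` argument with `user_data_replace_on_change = true`. Separately, `random_password.mqtt_mapache` declares no `keepers`, so "rotate independently" currently means a manual `terraform apply -replace=` on that resource; either say so in the comment above it or add a `keepers = { rotation = var.mqtt_mapache_rotation_id }` hook so rotation is a declared operation. The `aws_instance "this"` resource starts before this hunk and its `tags` block runs past it.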
11 changes: 11 additions & 0 deletions infra/modules/mqtt-ec2/outputs.tf
Expand Up @@ -44,3 +44,14 @@ output "mqtt_password_tcm26" {
value = random_password.mqtt_tcm26.result
sensitive = true
}

output "mqtt_user_mapache" {
description = "MQTT username for mapache services beyond gr26. Pair with mqtt_password_mapache."
value = var.mqtt_user_mapache
}

output "mqtt_password_mapache" {
description = "Generated MQTT password for mapache services. Read via `terraform output -raw mqtt_password_mapache` and put into the relevant k8s Secret key."
value = random_password.mqtt_mapache.result
sensitive = true
}
1 change: 1 addition & 0 deletions infra/modules/mqtt-ec2/user-data.sh.tftpl
Expand Up @@ -25,6 +25,7 @@ EOF
cat >/etc/nanomq_pwd.conf <<EOF
"${mqtt_user}": "${mqtt_password}"
"${mqtt_user_tcm26}": "${mqtt_password_tcm26}"
"${mqtt_user_mapache}": "${mqtt_password_mapache}"
EOF
chmod 600 /etc/nanomq_pwd.conf

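Review bot: The new line adds a third credential to a file that is created world-readable and only tightened afterwards: `cat >/etc/nanomq_pwd.conf` creates it under the boot umask (typically 022, so mode 644) and `chmod 600` runs only after all the secrets are on disk. Create it with the right mode from the start, e.g. `install -m 600 /dev/null /etc/nanomq_pwd.conf` immediately before the heredoc, or wrap the write as `( umask 077; cat >/etc/nanomq_pwd.conf <<EOF ... EOF )`, and then the trailing chmod can go. Worth a comment at the top of the template as well: every password here travels through EC2 user data, which any process on the instance can read back from the metadata endpoint and any principal with `ec2:DescribeInstanceAttribute` can fetch, so the next credential added should be weighed against fetching it at boot from SSM Parameter Store or Secrets Manager instead. The script starts before and continues past this hunk.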
6 changes: 6 additions & 0 deletions infra/modules/mqtt-ec2/variables.tf
Expand Up @@ -42,6 +42,12 @@ variable "mqtt_user_tcm26" {
default = "tcm26"
}

variable "mqtt_user_mapache" {
description = "MQTT username for mapache services beyond gr26 (query, foreman, future publishers). Paired with the module-generated mqtt_password_mapache. Distinct from mqtt_user so the service-fleet credential can rotate independently of the CAN-ingest pipeline."
type = string
default = "mapache"
}

variable "allowed_security_group_ids" {
description = "Security group IDs allowed to connect on port 1883. Typically the EKS node SG."
type = list(string)
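Review bot: `mqtt_user_mapache` is interpolated unvalidated into `/etc/nanomq_pwd.conf` (as the quoted key of a `"user": "password"` line inside an unquoted shell heredoc), so a value containing a double quote, whitespace, `$` or a newline silently corrupts the password file or injects an extra line, and the broker rejects every client at boot with nothing in the plan to warn about it. The intended values are plain identifiers like `tcm26` and `mapache`, so a `validation` block restricting the name to that character set fails the plan instead of the broker; the same check belongs on `mqtt_user` and `mqtt_user_tcm26`, which are outside this hunk.
```hcl
variable "mqtt_user_mapache" {
  # … unchanged: description, type, default …
  validation {
    condition     = can(regex("^[A-Za-z0-9_.-]+$", var.mqtt_user_mapache))
    error_message = "mqtt_user_mapache must match ^[A-Za-z0-9_.-]+$: it is written unquoted into /etc/nanomq_pwd.conf by user-data.sh.tftpl."
  }
}
```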