|
|
|
|
|
|
|
terraform { |
|
required_version = ">= 1.0" |
|
required_providers { |
|
aws = { |
|
source = "hashicorp/aws" |
|
version = "~> 5.0" |
|
} |
|
kubernetes = { |
|
source = "hashicorp/kubernetes" |
|
version = "~> 2.0" |
|
} |
|
} |
|
} |
|
|
|
provider "aws" { |
|
region = var.aws_region |
|
|
|
default_tags { |
|
tags = { |
|
Project = "Cyber-LLM" |
|
Environment = var.environment |
|
Owner = "cyber-llm-team" |
|
ManagedBy = "terraform" |
|
} |
|
} |
|
} |
|
|
|
|
|
data "aws_availability_zones" "available" { |
|
filter { |
|
name = "opt-in-status" |
|
values = ["opt-in-not-required"] |
|
} |
|
} |
|
|
|
data "aws_caller_identity" "current" {} |
|
|
|
|
|
module "vpc" { |
|
source = "terraform-aws-modules/vpc/aws" |
|
|
|
name = "cyber-llm-vpc-${var.environment}" |
|
cidr = var.vpc_cidr |
|
|
|
azs = slice(data.aws_availability_zones.available.names, 0, 3) |
|
private_subnets = var.private_subnets |
|
public_subnets = var.public_subnets |
|
|
|
enable_nat_gateway = true |
|
enable_vpn_gateway = false |
|
enable_dns_hostnames = true |
|
enable_dns_support = true |
|
|
|
|
|
public_subnet_tags = { |
|
"kubernetes.io/role/elb" = "1" |
|
} |
|
|
|
private_subnet_tags = { |
|
"kubernetes.io/role/internal-elb" = "1" |
|
} |
|
} |
|
|
|
|
|
module "eks" { |
|
source = "terraform-aws-modules/eks/aws" |
|
|
|
cluster_name = "cyber-llm-${var.environment}" |
|
cluster_version = var.kubernetes_version |
|
|
|
vpc_id = module.vpc.vpc_id |
|
subnet_ids = module.vpc.private_subnets |
|
|
|
|
|
cluster_endpoint_public_access = true |
|
cluster_endpoint_private_access = true |
|
cluster_endpoint_public_access_cidrs = var.allowed_cidr_blocks |
|
|
|
|
|
cluster_encryption_config = [ |
|
{ |
|
provider_key_arn = aws_kms_key.eks.arn |
|
resources = ["secrets"] |
|
} |
|
] |
|
|
|
|
|
eks_managed_node_groups = { |
|
|
|
cpu_nodes = { |
|
name = "cpu-nodes" |
|
|
|
instance_types = ["c5.2xlarge"] |
|
min_size = 2 |
|
max_size = 10 |
|
desired_size = 3 |
|
|
|
labels = { |
|
role = "cpu-worker" |
|
} |
|
|
|
taints = [] |
|
} |
|
|
|
|
|
gpu_nodes = { |
|
name = "gpu-nodes" |
|
|
|
instance_types = ["p3.2xlarge", "g4dn.2xlarge"] |
|
min_size = 1 |
|
max_size = 5 |
|
desired_size = 2 |
|
|
|
labels = { |
|
role = "gpu-worker" |
|
} |
|
|
|
taints = [ |
|
{ |
|
key = "nvidia.com/gpu" |
|
value = "true" |
|
effect = "NO_SCHEDULE" |
|
} |
|
] |
|
} |
|
} |
|
|
|
|
|
fargate_profiles = { |
|
cyber_llm_fargate = { |
|
name = "cyber-llm-fargate" |
|
selectors = [ |
|
{ |
|
namespace = "cyber-llm" |
|
labels = { |
|
compute-type = "fargate" |
|
} |
|
} |
|
] |
|
} |
|
} |
|
|
|
|
|
cluster_identity_providers = { |
|
sts = { |
|
client_id = "sts.amazonaws.com" |
|
} |
|
} |
|
} |
|
|
|
|
|
resource "aws_kms_key" "eks" { |
|
description = "EKS Secret Encryption Key for Cyber-LLM" |
|
deletion_window_in_days = 7 |
|
enable_key_rotation = true |
|
} |
|
|
|
resource "aws_kms_alias" "eks" { |
|
name = "alias/eks-cyber-llm-${var.environment}" |
|
target_key_id = aws_kms_key.eks.key_id |
|
} |
|
|
|
|
|
resource "aws_ecr_repository" "cyber_llm" { |
|
name = "cyber-llm" |
|
image_tag_mutability = "MUTABLE" |
|
|
|
image_scanning_configuration { |
|
scan_on_push = true |
|
} |
|
|
|
encryption_configuration { |
|
encryption_type = "KMS" |
|
kms_key = aws_kms_key.ecr.arn |
|
} |
|
} |
|
|
|
resource "aws_kms_key" "ecr" { |
|
description = "ECR Encryption Key for Cyber-LLM" |
|
deletion_window_in_days = 7 |
|
enable_key_rotation = true |
|
} |
|
|
|
|
|
resource "aws_s3_bucket" "model_artifacts" { |
|
bucket = "cyber-llm-models-${var.environment}-${random_string.bucket_suffix.result}" |
|
} |
|
|
|
resource "aws_s3_bucket_encryption_configuration" "model_artifacts" { |
|
bucket = aws_s3_bucket.model_artifacts.id |
|
|
|
rule { |
|
apply_server_side_encryption_by_default { |
|
kms_master_key_id = aws_kms_key.s3.arn |
|
sse_algorithm = "aws:kms" |
|
} |
|
} |
|
} |
|
|
|
resource "aws_s3_bucket_versioning" "model_artifacts" { |
|
bucket = aws_s3_bucket.model_artifacts.id |
|
versioning_configuration { |
|
status = "Enabled" |
|
} |
|
} |
|
|
|
resource "aws_kms_key" "s3" { |
|
description = "S3 Encryption Key for Cyber-LLM" |
|
deletion_window_in_days = 7 |
|
enable_key_rotation = true |
|
} |
|
|
|
resource "random_string" "bucket_suffix" { |
|
length = 8 |
|
special = false |
|
upper = false |
|
} |
|
|
|
|
|
resource "aws_db_subnet_group" "cyber_llm" { |
|
name = "cyber-llm-${var.environment}" |
|
subnet_ids = module.vpc.database_subnets |
|
|
|
tags = { |
|
Name = "cyber-llm-${var.environment}" |
|
} |
|
} |
|
|
|
resource "aws_security_group" "rds" { |
|
name_prefix = "cyber-llm-rds-${var.environment}" |
|
vpc_id = module.vpc.vpc_id |
|
|
|
ingress { |
|
from_port = 5432 |
|
to_port = 5432 |
|
protocol = "tcp" |
|
cidr_blocks = [var.vpc_cidr] |
|
} |
|
|
|
egress { |
|
from_port = 0 |
|
to_port = 0 |
|
protocol = "-1" |
|
cidr_blocks = ["0.0.0.0/0"] |
|
} |
|
} |
|
|
|
resource "aws_db_instance" "cyber_llm" { |
|
allocated_storage = var.db_allocated_storage |
|
max_allocated_storage = var.db_max_allocated_storage |
|
storage_type = "gp3" |
|
storage_encrypted = true |
|
kms_key_id = aws_kms_key.rds.arn |
|
|
|
engine = "postgres" |
|
engine_version = "15.4" |
|
instance_class = var.db_instance_class |
|
|
|
identifier = "cyber-llm-${var.environment}" |
|
db_name = "cyber_llm" |
|
username = var.db_username |
|
password = var.db_password |
|
|
|
vpc_security_group_ids = [aws_security_group.rds.id] |
|
db_subnet_group_name = aws_db_subnet_group.cyber_llm.name |
|
|
|
backup_retention_period = 7 |
|
backup_window = "07:00-09:00" |
|
maintenance_window = "sun:09:00-sun:10:00" |
|
|
|
skip_final_snapshot = var.environment == "dev" ? true : false |
|
deletion_protection = var.environment == "prod" ? true : false |
|
|
|
performance_insights_enabled = true |
|
monitoring_interval = 60 |
|
} |
|
|
|
resource "aws_kms_key" "rds" { |
|
description = "RDS Encryption Key for Cyber-LLM" |
|
deletion_window_in_days = 7 |
|
enable_key_rotation = true |
|
} |
|
|
|
|
|
resource "aws_elasticache_subnet_group" "cyber_llm" { |
|
name = "cyber-llm-${var.environment}" |
|
subnet_ids = module.vpc.private_subnets |
|
} |
|
|
|
resource "aws_security_group" "redis" { |
|
name_prefix = "cyber-llm-redis-${var.environment}" |
|
vpc_id = module.vpc.vpc_id |
|
|
|
ingress { |
|
from_port = 6379 |
|
to_port = 6379 |
|
protocol = "tcp" |
|
cidr_blocks = [var.vpc_cidr] |
|
} |
|
} |
|
|
|
resource "aws_elasticache_replication_group" "cyber_llm" { |
|
replication_group_id = "cyber-llm-${var.environment}" |
|
description = "Redis cluster for Cyber-LLM" |
|
|
|
node_type = var.redis_node_type |
|
port = 6379 |
|
parameter_group_name = "default.redis7" |
|
|
|
num_cache_clusters = var.redis_num_cache_nodes |
|
|
|
subnet_group_name = aws_elasticache_subnet_group.cyber_llm.name |
|
security_group_ids = [aws_security_group.redis.id] |
|
|
|
at_rest_encryption_enabled = true |
|
transit_encryption_enabled = true |
|
auth_token = var.redis_auth_token |
|
|
|
automatic_failover_enabled = true |
|
multi_az_enabled = true |
|
|
|
snapshot_retention_limit = 7 |
|
snapshot_window = "07:00-09:00" |
|
|
|
log_delivery_configuration { |
|
destination = aws_cloudwatch_log_group.redis_slow.name |
|
destination_type = "cloudwatch-logs" |
|
log_format = "text" |
|
log_type = "slow-log" |
|
} |
|
} |
|
|
|
resource "aws_cloudwatch_log_group" "redis_slow" { |
|
name = "/aws/elasticache/cyber-llm-${var.environment}/slow-log" |
|
retention_in_days = 7 |
|
} |
|
|