
feat: add clickhouse private service connect
raubitsj committed Sep 11, 2024
1 parent 043e541 commit 2a7cc59
Showing 7 changed files with 123 additions and 1 deletion.
10 changes: 10 additions & 0 deletions main.tf
Expand Up @@ -160,6 +160,16 @@ module "redis" {
depends_on = [module.project_factory_project_services, module.kms_default_sql]
}

module "clickhouse" {
count = var.clickhouse_private_endpoint_service_name != "" ? 1 : 0
source = "./modules/clickhouse"
network = local.network.id
namespace = var.namespace

clickhouse_private_endpoint_service_name = var.clickhouse_private_endpoint_service_name
clickhouse_region = var.clickhouse_region
}

locals {
redis_certificate = var.create_redis ? module.redis[0].ca_cert : null
redis_connection_string = var.create_redis ? "redis://:${module.redis[0].auth_string}@${module.redis[0].connection_string}?tls=true&ttlInSeconds=604800&caCertPath=/etc/ssl/certs/server_ca.pem" : null
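Review bot: The `module "clickhouse"` block does not pass `clickhouse_reserved_ip_range`, so every root deployment gets the module's built-in default subnet range and an operator has no way to move it away from the VPC's existing subnets or from peered and on-premises address space; the same gap applies to the root variables.tf hunk, which declares only the service name and region. Consider declaring a root `variable "clickhouse_reserved_ip_range"` next to the two new variables and passing it through with `clickhouse_reserved_ip_range = var.clickhouse_reserved_ip_range`. The module block is complete within the hunk; the `locals` block that follows continues past it.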
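--- a/modules/clickhouse/main.tf
+++ b/modules/clickhouse/main.tf
@@ -0,0 +1,50 @@
+resource "google_compute_subnetwork" "psc_network" {
+name = "${var.namespace}-subnet-clickhouse"
+
+region = var.clickhouse_region
+ip_cidr_range = var.clickhouse_reserved_ip_range
+private_ip_google_access = true
+network = var.network
+}
+
+resource "google_compute_address" "psc_endpoint_ip" {
+name = "${var.namespace}-clickhouse-psc-ip"
+address_type = "INTERNAL"
+purpose = "GCE_ENDPOINT"
+subnetwork = google_compute_subnetwork.psc_network.self_link
+region = var.clickhouse_region
+}
+
+resource "google_compute_forwarding_rule" "psc_forward_rule" {
+name = "${var.namespace}-clickhouse-psc-forward"
+ip_address = google_compute_address.psc_endpoint_ip.self_link
+network = var.network
+region = var.clickhouse_region
+load_balancing_scheme = ""
+allow_psc_global_access = true
+
+target = "https://www.googleapis.com/compute/v1/${var.clickhouse_private_endpoint_service_name}"
+}
+
+resource "google_dns_managed_zone" "psc_dns_zone" {
+name = "${var.namespace}-clickhouse-dns-zone"
+description = "Private DNS zone for accessing ClickHouse Cloud using Private Service Connect"
+dns_name = "${var.clickhouse_region}.p.gcp.clickhouse.cloud."
+force_destroy = true
+visibility = "private"
+
+// associate private DNS zone with network
+private_visibility_config {
+networks {
+network_url = var.network
+}
+}
+}
+
+resource "google_dns_record_set" "psc_dns_record" {
+name = "*.${var.clickhouse_region}.p.gcp.clickhouse.cloud."
+managed_zone = google_dns_managed_zone.psc_dns_zone.name
+type = "A"
+rrdatas = [ google_compute_address.psc_endpoint_ip.address ]
+ttl = 3600
+}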
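Review bot: `allow_psc_global_access = true` on `psc_forward_rule` lets clients in every region of the VPC reach the ClickHouse endpoint, while the subnet, address and forwarding rule are all pinned to `var.clickhouse_region`, and nothing in the hunk says the consuming workloads live outside that region. If only same-region workloads need the endpoint, set it to `false` so reachability stays scoped to the region; if cross-region access is intended, record it with a comment such as `// global access: application workloads may run in a different region than the PSC endpoint` so the widened scope is visibly deliberate. Separately, `target` appends the raw service name to the compute API base URL, which presumably means the value is expected to be the full `projects/.../regions/.../serviceAttachments/...` path rather than just a name; that expectation belongs in the variable's description since the current validation only checks the `-clickhouse-cloud` suffix. All five resources are complete within the hunk.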
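--- a/modules/clickhouse/output.tf
+++ b/modules/clickhouse/output.tf
@@ -0,0 +1,4 @@
+output "psc_connection_id" {
+value = google_compute_forwarding_rule.psc_forward_rule.psc_connection_id
+description = "Add GCP PSC Connection ID to ClickHouse allow list."
+}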
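--- a/modules/clickhouse/variables.tf
+++ b/modules/clickhouse/variables.tf
@@ -0,0 +1,37 @@
+variable "namespace" {
+type = string
+description = "The name prefix for all resources created."
+}
+
+variable "network" {
+type = string
+description = "Google Compute Engine network to which the cluster is connected."
+}
+
+variable "clickhouse_reserved_ip_range" {
+type = string
+description = "Reserved IP range for ClickHouse private link"
+default = "10.20.0.0/16"
+}
+
+variable "clickhouse_private_endpoint_service_name" {
+type = string
+description = "ClickHouse private endpoint 'Service name' (ends in -clickhouse-cloud)."
+default = ""
+
+validation {
+condition = can(regex("-clickhouse-cloud$", var.clickhouse_private_endpoint_service_name))
+error_message = "ClickHouse Service name must end in '-clickhouse-cloud'."
+}
+}
+
+variable "clickhouse_region" {
+type = string
+description = "ClickHouse region (us-east1, us-central1, etc)."
+default = ""
+
+validation {
+condition = length(var.clickhouse_region) > 0
+error_message = "Clickhouse Region should always be set if the private endpoint service name is specified."
+}
+}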
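Review bot: Both `clickhouse_private_endpoint_service_name` and `clickhouse_region` declare `default = ""` and then a `validation` that the empty string can never satisfy (the `-clickhouse-cloud$` regex and `length(...) > 0`), so the defaults are dead at best and a confusing plan-time error at worst for any caller that relies on them. Since the root only instantiates this module when the service name is non-empty, the cleaner contract is to drop both `default = ""` lines so the variables are required, keeping the validations as they are. The `clickhouse_reserved_ip_range` default of `10.20.0.0/16` also reserves an entire /16 for a subnet whose only purpose is to hold one PSC endpoint address; a much smaller block lowers the odds of overlapping another network, and the description should state that the range must not collide with existing VPC, peered or on-premises ranges, e.g. `description = "CIDR reserved for the ClickHouse PSC endpoint subnet; must not overlap any existing VPC, peered or on-prem range."`.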
1 change: 1 addition & 0 deletions modules/networking/main.tf
Expand Up @@ -2,6 +2,7 @@ resource "google_compute_network" "vpc" {
name = "${var.namespace}-vpc"
description = "Weights & Biases VPC Network"
auto_create_subnetworks = false
routing_mode = "GLOBAL"
}

resource "google_compute_subnetwork" "default" {
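Review bot: `routing_mode = "GLOBAL"` changes dynamic route propagation for the entire VPC rather than anything specific to the new ClickHouse subnet, so every Cloud Router, VPN or Interconnect attached to this network now learns and advertises routes across all regions, and the commit message does not say why the PSC endpoint needs it. Cross-region reachability of the endpoint itself is controlled by the `allow_psc_global_access` flag set in the clickhouse module, so if GLOBAL routing is genuinely required here the reason should be recorded inline, e.g. `routing_mode = "GLOBAL" # <reason>; note this affects route propagation for the whole VPC`, and if it is not required the line should be dropped to keep the change scoped to the new module. The `vpc` resource is complete within the hunk.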
7 changes: 6 additions & 1 deletion outputs.tf
Expand Up @@ -96,4 +96,9 @@ output "private_attachement_id" {
output "sa_account_email" {
description = "This output provides the email address of the service account created for workload identity, if workload identity is enabled. Otherwise, it returns null"
value = var.create_workload_identity == true ? module.service_accounts.sa_account_role : null
}
}

output "clickhouse_private_endpoint_id" {
description = "ClickHouse Private endpoint Endpoint ID to secure access inside VPC"
value = var.clickhouse_private_endpoint_service_name != "" ? module.clickhouse[0].psc_connection_id : null
}
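Review bot: The new `clickhouse_private_endpoint_id` output re-derives the enable condition (`var.clickhouse_private_endpoint_service_name != ""`) that already drives the module's `count` in main.tf, so the two predicates can drift apart if one is later changed. `value = one(module.clickhouse[*].psc_connection_id)` yields the same ID when the module is enabled and `null` otherwise, without repeating the condition. The description `"ClickHouse Private endpoint Endpoint ID to secure access inside VPC"` also doubles a word and does not say what the value is used for; the module's own output wording is clearer, e.g. `description = "GCP PSC connection ID to add to the ClickHouse Cloud allow list; null when the endpoint is not enabled."`.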
15 changes: 15 additions & 0 deletions variables.tf
Expand Up @@ -353,3 +353,18 @@ variable "stackdriver_sa_name" {
type = string
default = "wandb-stackdriver"
}

###########################################
# ClickHouse endpoint #
###########################################
variable "clickhouse_private_endpoint_service_name" {
type = string
description = "ClickHouse private endpoint 'Service name' (ends in -clickhouse-cloud)."
default = ""
}

variable "clickhouse_region" {
type = string
description = "ClickHouse region (us-east1, us-central1, etc)."
default = ""
}
