main.tf
locals {
  # Fallback name prefix for resources in this module: "cp-" followed by the
  # hex form of random_id.name. It is a uniqueness suffix for naming only and
  # should not be treated as a secret.
  identifier = "cp-${random_id.name.hex}"
}
########################
# Generate identifiers #
########################
# Random suffix consumed by local.identifier. The value is stored in state and
# stays stable across applies until the resource is replaced.
resource "random_id" "name" {
  # 8 random bytes, exposed through .hex as 16 hexadecimal characters.
  byte_length = 8
}
#########################
# Get service pod image #
#########################
# Looks up the ECR repository that holds the service pod image so the
# deployment can build its image reference from repository_url.
# No registry_id is given, so the lookup uses the registry of the AWS account
# the provider is configured for.
data "aws_ecr_repository" "service_pod" {
  name = "webops/cloud-platform-service-pod"
}
################################
# Create Kubernetes deployment #
################################
# Runs the service pod image as a Deployment in the caller's namespace.
# The Deployment name and the pod labels are derived from
# var.service_account_name, falling back to local.identifier when that
# variable is the empty string.
resource "kubernetes_deployment" "service_pod" {
  metadata {
    name      = var.service_account_name == "" ? "${local.identifier}-service-pod" : "${var.service_account_name}-service-pod"
    namespace = var.namespace

    labels = {
      app = "service-pod"
    }
  }

  spec {
    replicas = var.service_pod_count

    # The selector and the pod template labels below use the same expression;
    # they must stay identical or the Deployment will not match its own pods.
    selector {
      match_labels = {
        name = var.service_account_name == "" ? "${local.identifier}-service-pod" : "${var.service_account_name}-service-pod"
      }
    }

    template {
      metadata {
        labels = {
          name = var.service_account_name == "" ? "${local.identifier}-service-pod" : "${var.service_account_name}-service-pod"
        }
      }

      spec {
        # The pod's in-cluster permissions come from this service account.
        # NOTE(review): the naming above handles an empty
        # var.service_account_name, but here the empty string is passed
        # through unchanged; presumably the pod then runs under the
        # namespace's default service account. Confirm that is intended.
        service_account_name = var.service_account_name

        container {
          name = "service-pod"

          # Pinned to a single image tag rather than a floating one. A tag is
          # only as immutable as the ECR repository's tag-mutability setting,
          # which is not visible in this file; referencing the image by digest
          # would remove that dependency.
          image = "${data.aws_ecr_repository.service_pod.repository_url}:f9619b99ffe9ae511dde5e7e6e5b67ea289bbab5" # update this hash on a new Dockerfile release

          # Keep stdin and a TTY allocated for the container.
          stdin = true
          tty   = true

          # Runs as a fixed non-root UID and blocks privilege escalation.
          # NOTE(review): no capability drop, seccomp profile or read-only
          # root filesystem is set here. Check whether namespace-level policy
          # enforces those before relying on this block alone.
          security_context {
            run_as_non_root            = true
            run_as_user                = 1001
            allow_privilege_escalation = false
          }
        }
      }
    }
  }

  # Replica count changes made outside Terraform (manual or automated scaling)
  # are not reverted on the next apply.
  lifecycle {
    ignore_changes = [
      spec[0].replicas,
    ]
  }
}