
sparkfabrik/terraform-google-gke-autopilot-mastodon


Terraform GKE Autopilot mastodon module


This is a Terraform module to install and configure a Mastodon instance in a GKE Autopilot cluster.

This module is provided without any kind of warranty and is AGPL3 licensed.

Architecture

Diagram

Pricing model

TODO: pricing still has to be finalized.

At the time of writing, the architecture is composed of the following components:

Using Redis in Memorystore

  1. GKE Autopilot: one control plane per billing account is free of charge, otherwise around $70/month
  2. Cloud SQL tier db-g1-small: $25/month
  3. Memorystore Redis 1GB: $35/month
  4. 5 GKE replicas (web, streaming, worker) sized "0.5 CPU / 512MB" on spot nodes: $25/month

For a total of:

  - GKE Autopilot free tier: $85/month
  - GKE Autopilot: $155/month

Using Redis in GKE (replacing the Memorystore Redis component above)

  1. Redis master, "0.250 CPU / 512MB": $8/month
  2. Redis replicas, 3 x "0.250 CPU / 512MB" on spot nodes: $7/month

For a total of:

  - GKE Autopilot free tier: $65/month
  - GKE Autopilot: $135/month

Providers

| Name | Version |
|------|---------|
| google | >= 4.51.0, < 5.0, !=4.65.0, !=4.65.1 |
| google-beta | >= 4.51.0, < 5.0, !=4.65.0, !=4.65.1 |
| helm | >= 2.10.1 |
| kubectl | >= 1.14.0 |
| kubernetes | >= 2.22 |
| random | >= 3.5.1 |

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.3 |
| google | >= 4.51.0, < 5.0, !=4.65.0, !=4.65.1 |
| google-beta | >= 4.51.0, < 5.0, !=4.65.0, !=4.65.1 |
| helm | >= 2.10.1 |
| kubectl | >= 1.14.0 |
| kubernetes | >= 2.22 |
| random | >= 3.5.1 |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| app_admin_email | Admin email | string | "not@localhost" | no |
| app_admin_username | Admin username | string | "not_gargron" | no |
| app_create_admin | Create admin account | bool | false | no |
| app_existing_secret_name | Mastodon existing secret name | string | null | no |
| app_helm_additional_values | Additional values to pass to the Helm chart | string | "" | no |
| app_keys | Mastodon secret keys | set(string) | ["secret_key_base", "otp_secret"] | no |
| app_locale | Mastodon locale | string | "en" | no |
| app_s3_existing_secret | S3 existing secret name | string | null | no |
| app_smtp_existing_secret | SMTP existing secret name | string | null | no |
| app_smtp_password | SMTP password | string | null | no |
| app_smtp_username | SMTP username | string | null | no |
| app_vapid_private_key | Mastodon VAPID private key | string | null | no |
| app_vapid_public_key | Mastodon VAPID public key | string | null | no |
| bucket_force_destroy | Force destroy bucket | bool | false | no |
| bucket_location | Bucket location | string | n/a | yes |
| bucket_storage_class | The storage class of the new bucket. | string | null | no |
| bucket_versioning | Enable bucket versioning | bool | true | no |
| cloudsql_backup_retained_count | Number of Postgres backups to be retained. Default 30. | number | "30" | no |
| cloudsql_backup_start_time | Time in HH:MM format at which the Postgres backup starts. | string | "02:00" | no |
| cloudsql_deletion_protection | Enable deletion protection for the Cloud SQL instance. | bool | false | no |
| cloudsql_disk_size | The disk size for the master instance. | number | 10 | no |
| cloudsql_disk_type | The disk type for the master instance. | string | "PD_SSD" | no |
| cloudsql_enable_backup | Whether the Postgres backup configuration is enabled. Default true. | bool | true | no |
| cloudsql_pgsql_version | The PostgreSQL version | string | "POSTGRES_14" | no |
| cloudsql_tier | The tier of the master instance. | string | "db-g1-small" | no |
| cloudsql_zone | The zone of the Cloud SQL instance | string | n/a | yes |
| domain | This is the unique identifier of your server in the network. It cannot be safely changed later, as changing it will cause remote servers to confuse your existing accounts with entirely new ones. It has to be the domain name you are running the server under (without the protocol part, e.g. just example.com). | string | n/a | yes |
| gcp_default_labels | Default labels to apply to all resources | map(string) | null | no |
| gke_authenticator_security_group | The security group allowed to access the cluster | string | n/a | yes |
| gke_create_service_account | Defines whether the service account used to run nodes should be created. | bool | true | no |
| gke_kubernetes_version | The Kubernetes version of the masters. If set to 'latest' it will pull the latest available version in the selected region. | string | "latest" | no |
| gke_maintenance_end_time | The end time for the maintenance window | string | "1970-01-01T04:00:00Z" | no |
| gke_maintenance_recurrence | The recurrence for the maintenance window | string | "FREQ=WEEKLY;BYDAY=MO,TU,WE,TH,FR,SA,SU" | no |
| gke_maintenance_start_time | The start time for the maintenance window | string | "1970-01-01T00:00:00Z" | no |
| gke_service_account | The service account to run nodes as, if not overridden in node_pools. The gke_create_service_account default (true) causes a cluster-specific service account to be created. When set, this service account must already exist and will be used by the node pools. If you wish to override only the service account name, use the service_account_name variable. | string | "" | no |
| gke_service_account_name | The name of the service account that will be created if gke_create_service_account is true. If you wish to use an existing service account, use the gke_service_account variable. | string | "" | no |
| gke_workload_config_audit_mode | The mode for workload identity config audit | string | "" | no |
| gke_workload_vulnerability_mode | The mode for workload identity vulnerability | string | "" | no |
| gke_zone | Zones within the region to use for this cluster | list(any) | ["europe-west1-b"] | no |
| helm_chart_version | The version of the Helm chart to use | string | "3.0.0" | no |
| kubernetes_namespace | The name of the namespace to deploy the application in | string | "mastodon" | no |
| memorystore_redis_enabled | Enable Memorystore Redis | bool | true | no |
| memorystore_redis_size | The size of the Redis instance in GB | string | "1" | no |
| memorystore_redis_tier | The tier of the Redis instance | string | "BASIC" | no |
| name | Mastodon project name, used as a prefix for all resources | string | n/a | yes |
| project_id | The GCP project id in which to create the resources | string | n/a | yes |
| region | The region to host the cluster in | string | "europe-west1" | no |
| subnet_ip | The CIDR range of the subnet | string | "10.10.10.0/24" | no |
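An added usage example (not code from the module repository) that wires up the required inputs and turns on the settings a production instance needs; the git ref, project id, domain, Google Group address and secret names are placeholders, and the provider configuration (google, google-beta, helm, kubernetes, kubectl) the module relies on is assumed to be set up separately in the root module.

```hcl
# Added example, not part of the module repository. Placeholders are marked.
module "mastodon" {
  source = "git::https://github.com/sparkfabrik/terraform-google-gke-autopilot-mastodon.git?ref=REPLACE_WITH_TAG"

  # Required inputs (no defaults in the module).
  name                             = "mastodon"
  project_id                       = "my-gcp-project"                # placeholder
  domain                           = "social.example.com"            # placeholder; cannot be changed safely later
  bucket_location                  = "EU"
  cloudsql_zone                    = "europe-west1-b"
  gke_authenticator_security_group = "gke-security-groups@example.com" # placeholder Google Group

  # Module defaults that are fine for a trial but risky for a real instance:
  #   cloudsql_deletion_protection = false -> "terraform destroy" drops the database
  #   bucket_force_destroy         = false -> keep false; true deletes all media on destroy
  cloudsql_deletion_protection   = true
  bucket_force_destroy           = false
  bucket_versioning              = true
  cloudsql_enable_backup         = true
  cloudsql_backup_retained_count = 30
  cloudsql_backup_start_time     = "02:00"

  # Reference secrets you manage yourself instead of passing
  # app_smtp_password as a plaintext variable (which lands in the state file).
  app_existing_secret_name = "mastodon-app-secrets" # placeholder secret name
  app_smtp_existing_secret = "mastodon-smtp"        # placeholder secret name

  # Managed Redis instead of in-cluster Redis (see the pricing section).
  memorystore_redis_enabled = true
  memorystore_redis_size    = "1"
  memorystore_redis_tier    = "BASIC"

  gke_kubernetes_version = "latest"
  helm_chart_version     = "3.0.0"
  kubernetes_namespace   = "mastodon"
}
```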

Outputs

| Name | Description |
|------|-------------|
| bucket_name | Mastodon bucket name |
| bucket_service_account | Mastodon bucket service account |
| gke_kubernetes_version | Mastodon GKE Kubernetes version |
| gke_min_master_version | Mastodon GKE min master version |
| gke_service_account | Mastodon GKE service account |
| k8s_bucket_secret_name | Mastodon k8s bucket secret name |
| mastodon_cloud_nat_ip | Mastodon Cloud NAT IP |
| mastodon_global_ip | Mastodon global IP |

Resources

| Name | Type |
|------|------|
| google-beta_google_compute_global_address.mastodon_sql | resource |
| google-beta_google_service_networking_connection.private_vpc_connection | resource |
| google_compute_address.cloud_nat_ip | resource |
| google_compute_global_address.app_lb_ip | resource |
| google_redis_instance.mastodon_redis | resource |
| google_secret_manager_secret.mastodon_secrets | resource |
| google_secret_manager_secret_version.mastodon_secrets_values | resource |
| google_service_account.service_account | resource |
| google_sql_database.mastodon_sql_database | resource |
| google_sql_ssl_cert.postgres_client_cert | resource |
| google_sql_user.mastodon_sql_user | resource |
| google_storage_bucket.bucket | resource |
| google_storage_bucket.log_bucket | resource |
| google_storage_bucket_iam_member.bucket_members | resource |
| google_storage_hmac_key.bucket_sa_hmac_key | resource |
| helm_release.mastodon | resource |
| kubectl_manifest.gcp_managed_cert | resource |
| kubernetes_namespace.mastodon | resource |
| kubernetes_secret.mastodon_memorystore_redis_secret | resource |
| kubernetes_secret.mastodon_redis_secret | resource |
| kubernetes_secret.mastodon_secrets | resource |
| kubernetes_secret.mastodon_smtp_secret | resource |
| kubernetes_secret.postgresql_mtls_secret | resource |
| kubernetes_secret.s3_secret | resource |
| random_password.mastodon_redis_secret_random | resource |
| random_password.mastodon_secrets_random | resource |
| google_client_config.default | data source |

Modules

| Name | Source | Version |
|------|--------|---------|
| cloud_nat | terraform-google-modules/cloud-nat/google | 2.2.1 |
| enabled_google_apis | terraform-google-modules/project-factory/google//modules/project_services | 14.1.0 |
| gke | terraform-google-modules/kubernetes-engine/google//modules/beta-autopilot-private-cluster | ~> 27.0.0 |
| mastodon_db_pass | sparkfabrik/gke-gitlab/sparkfabrik//modules/secret_manager | 2.14.0 |
| sql_db | GoogleCloudPlatform/sql-db/google//modules/postgresql | 13.0.1 |
| vpc | terraform-google-modules/network/google | 6.0.1 |

About

A terraform module to deploy a production-grade Mastodon instance on GKE Autopilot
