
Conversation

@ldionne ldionne commented Oct 31, 2025

This patch adds a Terraform configuration file that should allow deploying to an EC2 instance. It requires a few secrets to be made available to Github Actions.

ldionne commented Oct 31, 2025

CC @lukel97 I went ahead and gave this a shot, I was curious to understand the whole pipeline

ldionne commented Oct 31, 2025

@boomanaiden154 I also created the appropriately-named secrets in the Github Actions of this repository, however they all have fake values at the moment.

@lukel97 lukel97 left a comment

Thanks for fleshing this out, I'm not sure if you've tried deploying this to a test AWS account yet but it looks like it's missing a security group/ingress rules etc., so the web server won't be reachable by any public traffic IIUC.

I've also got some terraform files written here, it would be good to collaborate on this. I don't want us to step on each other's toes so I'll just leave review comments for now but let me know if you'd rather have me just commit directly to the branch.

ldionne commented Oct 31, 2025

> I've also got some terraform files written here, it would be good to collaborate on this. I don't want us to step on each other's toes so I'll just leave review comments for now but let me know if you'd rather have me just commit directly to the branch.

Please feel free to commit directly to the branch. Sorry, I didn't know you had started on this already.

I did try to deploy an EC2 instance in my personal account, however that account is blocked right now (IDK why) so I haven't gotten very far. This was intended to be a starting point.

Feel free to push whatever changes you have to the branch.


LNT_DB_PASSWORD=${__db_password__}
LNT_AUTH_TOKEN=${__auth_token__}
docker compose --file compose.yaml up
IIUC these user data scripts are only called when the instance is first initialized, but not e.g. rebooted. So we probably want to change the docker-compose restart policy to be unless-stopped so the containers get relaunched on a reboot.

This depends upon how we set it up. I was thinking it might be better to set up the machine to be a clean slate on every boot, and mount a persistent volume that actually contains the DB. That makes it super easy to change system software inside TF.

lukel97 commented Oct 31, 2025

> I did try to deploy an EC2 instance in my personal account, however that account is blocked right now (IDK why) so I haven't gotten very far. This was intended to be a starting point.

Hah, my AWS account was also blocked, I'm currently waiting for AWS support to verify my identity. I feel your pain :)

provider "aws" {
region = "us-west-2"
}

We also need a way to set the terraform state. We use a GCS bucket in the premerge cluster to do this. https://github.com/llvm/llvm-zorg/blob/87d07e600970abf419046d2ab6083b2d64240bce/premerge/main.tf#L31

Otherwise state isn't saved across checkouts, which means things won't work.
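As an added illustration of the two review points above (a remote state backend and a security group with explicit ingress rules), this Terraform fragment is not from the PR branch; the bucket name is a placeholder, the VPC is looked up rather than assumed to exist in the branch, and the `admin_cidr` variable is a hypothetical knob for optionally exposing SSH to one administrative range only.

```hcl
terraform {
  backend "s3" {
    bucket       = "REPLACE-WITH-LNT-STATE-BUCKET" # placeholder; create the bucket out of band
    key          = "lnt/terraform.tfstate"
    region       = "us-west-2"
    encrypt      = true # state holds secrets (DB password, auth token), so encrypt it at rest
    use_lockfile = true # S3-native state locking (Terraform 1.10+) to prevent concurrent applies
  }
}

variable "admin_cidr" {
  description = "CIDR allowed to reach SSH (hypothetical); empty string exposes no SSH at all"
  type        = string
  default     = ""
}

# Assumes the default VPC of the account; swap for an explicit VPC resource if one exists.
data "aws_vpc" "default" {
  default = true
}

resource "aws_security_group" "lnt_web" {
  name        = "lnt-web"
  description = "LNT web server: public HTTP/HTTPS only, SSH restricted"
  vpc_id      = data.aws_vpc.default.id
}

# One rule per port keeps the exposure explicit and easy to audit in `terraform plan`.
resource "aws_vpc_security_group_ingress_rule" "http" {
  security_group_id = aws_security_group.lnt_web.id
  cidr_ipv4         = "0.0.0.0/0"
  from_port         = 80
  to_port           = 80
  ip_protocol       = "tcp"
}

resource "aws_vpc_security_group_ingress_rule" "https" {
  security_group_id = aws_security_group.lnt_web.id
  cidr_ipv4         = "0.0.0.0/0"
  from_port         = 443
  to_port           = 443
  ip_protocol       = "tcp"
}

# SSH is created only when an admin range is given; never open 22 to 0.0.0.0/0.
resource "aws_vpc_security_group_ingress_rule" "ssh_admin" {
  count             = var.admin_cidr == "" ? 0 : 1
  security_group_id = aws_security_group.lnt_web.id
  cidr_ipv4         = var.admin_cidr
  from_port         = 22
  to_port           = 22
  ip_protocol       = "tcp"
}

resource "aws_vpc_security_group_egress_rule" "all_out" {
  security_group_id = aws_security_group.lnt_web.id
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "-1" # all protocols; from_port/to_port must be omitted for -1
}
```

The group is attached by adding `vpc_security_group_ids = [aws_security_group.lnt_web.id]` to the `aws_instance` resource; without that the instance falls back to the VPC default group and the rules above have no effect.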

region = "us-west-2"
}

variable "lnt_db_password" {

These should probably be data resources that reference secrets stored inside AWS's secret manager.

https://github.com/llvm/llvm-zorg/blob/87d07e600970abf419046d2ab6083b2d64240bce/premerge/main.tf#L113 is how we set this up for premerge. Not sure exactly how to do this for AWS.

My preference would actually be to leave it as-is and to store these secrets in the Github Actions secrets, unless you see a problem with that. That makes it easier for others to reuse this Terraform configuration with their own AWS keys -- that's almost the only thing required.

ldionne commented Nov 10, 2025

Just to avoid duplicate work, @lukel97 my AWS account is functional now and I am working on addressing the PR comments. LMK if you had also made progress on your end before I invest too much time into it.

@ldionne ldionne force-pushed the review/terraform branch 3 times, most recently from f01d36e to c591f0b on November 13, 2025 21:07

This patch adds a Terraform configuration file that should allow
deploying to an EC2 instance. It requires a few secrets to be
made available to Github Actions.
ldionne commented Nov 13, 2025

@lukel97 @boomanaiden154 This should be ready for review now. With this Terraform configuration, I'm able to deploy a server in my personal AWS account.

The only remaining steps would be:

  1. Creating the S3 bucket in the LLVM Foundation's account to store the Terraform state
  2. Adjusting the AWS credentials to use the ones from the LLVM Foundation's AWS account (in the Github secrets)
  3. Adjusting the instance size and the EBS storage size, which we can arguably do later

Also CC @petrhosek as a member of the infrastructure group.
