# This optional, opt-in module allows Braintrust staff to access CloudWatch logs and/or a bastion host.
# It is disabled by default and is enabled by setting the appropriate "enable_braintrust_support_*" variables to true.
locals {
  # True when at least one Braintrust support feature (shell access or logs
  # access) is switched on. This single flag decides whether
  # module.remote_support is instantiated at all, and it gates the role-ARN
  # and security-group outputs in this file.
  has_braintrust_support_access = (
    var.enable_braintrust_support_shell_access || var.enable_braintrust_support_logs_access
  )
}
module "remote_support" {
  source = "./modules/remote-support"

  # Zero instances unless a support feature is enabled. Setting both
  # enable_braintrust_support_* variables back to false returns the count
  # to 0, so the next apply removes whatever this module created.
  count = local.has_braintrust_support_access ? 1 : 0

  # Deployment-wide settings forwarded unchanged.
  deployment_name          = var.deployment_name
  permissions_boundary_arn = var.permissions_boundary_arn
  custom_tags              = var.custom_tags

  # Feature switches forwarded unchanged from the root variables.
  enable_braintrust_support_logs_access  = var.enable_braintrust_support_logs_access
  enable_braintrust_support_shell_access = var.enable_braintrust_support_shell_access

  # Data-plane resources handed to the module: the Postgres address and the
  # ARN of its secret, the Redis endpoint and port, and the KMS key ARN.
  # What the support role may actually do with them is decided inside
  # ./modules/remote-support, not in this file, so review that module's IAM
  # statements and security-group rules before opting in.
  database_host       = module.database.postgres_database_address
  database_secret_arn = module.database.postgres_database_secret_arn
  redis_host          = module.redis.redis_endpoint
  redis_port          = module.redis.redis_port
  kms_key_arn         = local.kms_key_arn

  # Lambda ARNs taken from module.services[0]. In external-EKS deployment
  # mode every entry resolves to null instead.
  # NOTE(review): the module then receives a list of five nulls. Confirm it
  # drops null entries (for example with compact()) before using the list.
  lambda_function_arns = [
    var.use_deployment_mode_external_eks ? null : module.services[0].api_handler_arn,
    var.use_deployment_mode_external_eks ? null : module.services[0].migrate_database_arn,
    var.use_deployment_mode_external_eks ? null : module.services[0].ai_proxy_arn,
    var.use_deployment_mode_external_eks ? null : module.services[0].catchup_etl_arn,
    var.use_deployment_mode_external_eks ? null : module.services[0].quarantine_warmup_arn,
  ]

  # Networking: the main VPC, plus only its first private and first public
  # subnet.
  # NOTE(review): the public subnet is presumably where the bastion host is
  # placed. Confirm in the module, and check which sources its security
  # group admits.
  vpc_id             = local.main_vpc_id
  private_subnet_ids = [local.main_vpc_private_subnet_1_id]
  public_subnet_ids  = [local.main_vpc_public_subnet_1_id]
}
# Opt-in switch for vendor log access. It defaults to false, so no support
# access exists unless the operator sets it explicitly.
variable "enable_braintrust_support_logs_access" {
  description = "Enable Cloudwatch logs access for Braintrust staff"
  default     = false
  type        = bool
}
# Opt-in switch for vendor shell access through a bastion host. It defaults
# to false. Per the description, enabling it creates a bastion host and a
# security group, so it is the broader of the two support options.
variable "enable_braintrust_support_shell_access" {
  description = "Enable Bastion shell access for Braintrust staff. This will create a bastion host and a security group that allows EC2 instance connect access from the Braintrust IAM Role."
  default     = false
  type        = bool
}
# ARN of the support role, or null when neither support flag is set (the
# module then has no instance to read from).
# NOTE(review): who may assume this role is presumably set by a trust policy
# inside ./modules/remote-support. Confirm the principals there before
# sharing the ARN.
output "braintrust_support_role_arn" {
  value       = local.has_braintrust_support_access ? module.remote_support[0].braintrust_support_role_arn : null
  description = "ARN of the Role that grants Braintrust team remote support. Share this with the Braintrust team."
}
# Instance ID of the bastion host. It is gated on the shell-access flag
# alone, so it is null when only logs access is enabled, even though the
# module is instantiated in that case.
output "bastion_instance_id" {
  value       = var.enable_braintrust_support_shell_access ? module.remote_support[0].bastion_instance_id : null
  description = "Instance ID of the bastion host that Braintrust support staff can connect to using EC2 Instance Connect. Share this with the Braintrust team."
}
# Security group ID exported by the remote-support module, or null when
# neither support flag is set.
# NOTE(review): this is gated on either support flag, while the description
# refers to the bastion host. Confirm what the module returns here when only
# logs access is enabled.
output "remote_support_security_group_id" {
  value       = local.has_braintrust_support_access ? module.remote_support[0].remote_support_security_group_id : null
  description = "Security Group ID for the Remote Support bastion host."
}