Here lies a repository to construct an AWS VPC with some other TBD resources.
This is mostly a self-reference on how to do these things, but also an example of how to run some form of decent CI with Infrastructure as Code tools.
Trying to follow this randomly googled Terraform best practices list as well.
Let's try to attempt...
- Create an AWS VPC including multi-AZ private and public subnets (basic setup)
- Use checkov to lock that down.
- Get checkov running in CI
- Manage IAM roles via iamy
- Get IAM role sync checks working in CI
- Drift detection (when AWS drifts from the code, and when AWS drifts from the CF definition..)
- Make the check script more dynamic.
- How to manage secrets, e.g. private key / DB password
- ECS cluster / EKS setup / something with more complexity.
- wip - ECS maybe
- Set up a simple app to be deployed to the ECS cluster. (Golang API)
- Bastion box to access the EC2 instance (maybe via this?)
- Play with awsspec and see if it's any good
Stretch...
- Also attempt something similar to the above, but maybe for GCP?..
- Check out Terratest
- Mebbe https://docs.aws.amazon.com/cdk/latest/guide/home.html ?
Fix Later..
- IAM for travis CI user..
- Parallel checks
| Tool | Purpose |
| --- | --- |
| Terraform | IaC tool |
| aws-vault | local AWS credential management (optional) |
| checkov | static code analysis tool for IaC |
| iamy | AWS IAM configuration into YAML files |
| asdf | Terraform version management (optional) |
| Travis CI | CI (see below) |
1. Install stuff

```sh
brew install terraform iamy travis
```

(If you're not on a mac, figure it out..soz.) Check the `.version` file for the right version of Terraform.

1a. Install tab auto completion

```sh
terraform -install-autocomplete
```

2. Install checkov

```sh
pip install checkov
```
- TODO - explain directory structure.

```
├── README.md
├── global
│   ├── IAM
│   └── s3
├── mgmt
├── modules
│   └── vpc
├── prod
│   └── vpc
├── scripts
└── stage
```
Using Travis CI. There is a Travis CI user in the IAM config. Encrypt environment variables via the Travis CLI tool:

```sh
travis encrypt MY_SECRET_ENV=super_secret --add env.global
```
Inside the `remote-state` directory there is Terraform code which sets up an encrypted S3 bucket to hold the Terraform state files, plus a DynamoDB table to enable state locking.
Run this first:

```sh
terraform init
terraform apply
```

More info.
Yes, this will create a local `.tfstate` file, but it should only be needed to run once. (yeah, chicken and egg etc..)
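As an added example (not the repository's own `remote-state` code, and assuming AWS provider v4+ resource names), this is the shape of what that bootstrap needs: versioning so a bad apply can be rolled back, KMS encryption at rest, a public access block, and the lock table keyed on `LockID`, which is the attribute Terraform's S3 backend expects. Bucket, table and region values are placeholders.

```hcl
# Added example, not the repository's remote-state code. Names are placeholders.
# Apply this once with local state, then point every other root module at it
# with the backend block at the bottom (which lives in those modules, not here).

resource "aws_kms_key" "tfstate" {
  description         = "CMK for Terraform state"
  enable_key_rotation = true
}

resource "aws_s3_bucket" "tfstate" {
  bucket = "example-org-tfstate" # placeholder, must be globally unique
}

# Keep every prior state version so a bad apply can be rolled back.
resource "aws_s3_bucket_versioning" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  versioning_configuration {
    status = "Enabled"
  }
}

# State contains secrets (passwords, keys), so encryption at rest is not optional.
resource "aws_s3_bucket_server_side_encryption_configuration" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.tfstate.arn
    }
  }
}

# Nothing about state should ever be public.
resource "aws_s3_bucket_public_access_block" "tfstate" {
  bucket                  = aws_s3_bucket.tfstate.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Lock table: LockID is the hash key the S3 backend writes its lock item under.
resource "aws_dynamodb_table" "tflock" {
  name         = "example-org-tflock" # placeholder
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"
  attribute {
    name = "LockID"
    type = "S"
  }
}

# Goes in each other root module (prod/vpc, stage, global/...), one key per module:
terraform {
  backend "s3" {
    bucket         = "example-org-tfstate" # placeholder
    key            = "prod/vpc/terraform.tfstate"
    region         = "ap-southeast-2"      # placeholder
    encrypt        = true
    dynamodb_table = "example-org-tflock"  # placeholder
  }
}
```

`encrypt = true` makes the backend request server-side encryption on every state write; the bucket-level default above is the backstop in case a client forgets. Running `terraform init` in a module that has the backend block offers to migrate any local `.tfstate` into the bucket, which is how the chicken-and-egg step resolves itself.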
Using AWS Secrets Manager to hold secrets.
Refer to this on how to add a secret.
There should also be clear access roles defined about who can access these secrets.
- TODO: create a clear way to assign users permission to access and modify secrets.
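An added example (not the repository's code) of what "clear access roles" can look like in Terraform: the DB password is generated by Terraform rather than typed into a file, stored in Secrets Manager under a customer-managed KMS key, and a read-only IAM policy is scoped to that single secret and attached only to the role that consumes it. The secret name, the KMS key and the application role are placeholders assumed to exist elsewhere in the config.

```hcl
# Added example, not the repository's code. Secret name, CMK and role are placeholders.
# random_password keeps the value out of git, but it still lands in the
# .tfstate file, which is one more reason the state bucket must be encrypted.

resource "random_password" "db" {
  length  = 32
  special = false
}

resource "aws_secretsmanager_secret" "db" {
  name       = "prod/app/db-password"   # placeholder
  kms_key_id = aws_kms_key.secrets.arn  # placeholder CMK, assumed to exist
}

resource "aws_secretsmanager_secret_version" "db" {
  secret_id     = aws_secretsmanager_secret.db.id
  secret_string = random_password.db.result
}

# Read-only, scoped to exactly this secret. Reading a CMK-encrypted secret also
# needs kms:Decrypt on that key, restricted to calls made via Secrets Manager.
data "aws_iam_policy_document" "read_db_secret" {
  statement {
    actions   = ["secretsmanager:GetSecretValue"]
    resources = [aws_secretsmanager_secret.db.arn]
  }
  statement {
    actions   = ["kms:Decrypt"]
    resources = [aws_kms_key.secrets.arn] # placeholder CMK
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = ["secretsmanager.ap-southeast-2.amazonaws.com"] # placeholder region
    }
  }
}

resource "aws_iam_policy" "read_db_secret" {
  name   = "read-db-secret" # placeholder
  policy = data.aws_iam_policy_document.read_db_secret.json
}

# Attach to the task/instance role that actually needs the value. Humans who
# rotate the secret get a separate policy with PutSecretValue, not this one.
resource "aws_iam_role_policy_attachment" "app_reads_db_secret" {
  role       = aws_iam_role.app.name # placeholder role, assumed to exist
  policy_arn = aws_iam_policy.read_db_secret.arn
}
```

Keeping read and write in separate policies is what makes the TODO above tractable: the consumer role never gets `PutSecretValue`, and the set of principals who can change a secret is just whoever has the write policy, which iamy can then diff in CI like any other IAM change.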
The `.tfstate` file is super important.
Do not commit it to git (at least not in plain text): it can / will have sensitive information in it.
Use remote state https://www.terraform.io/docs/state/remote.html ; it can save to
Terraform Cloud, HashiCorp Consul, Amazon S3, Alibaba Cloud OSS, and more.
TF has a state file (`.tfstate`). Terraform uses this to map real world resources to your configuration, keep track of metadata, and to improve performance for large infrastructures.
It will refresh itself prior to any operation.
Terraform also builds a giant dependency graph of your resources. It uses this to optimise performance on `terraform plan`
executions and other processing work. More info here.
The only way you can create AWS CF stacks is via this. But it appears that this isn't something that is used often when writing TF; you seem to have to paste the CF template in directly.
Terraform has a concept of modules, which is a container for multiple resources that are used together. This helps mainly with reusability.
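An added example of a small VPC module, covering both the first item on the list (multi-AZ public and private subnets) and the module concept just described. It is not the repository's `modules/vpc`; variable names, CIDRs and AZ names are assumed. Each AZ gets one public and one private /24 carved out of the VPC CIDR with `cidrsubnet()`, subnets never auto-assign public IPs (one of the things checkov flags), and the default security group is emptied so nothing lands in it by accident.

```hcl
# Added example, not the repository's modules/vpc. Inputs and CIDRs are assumed.

variable "name" { type = string }
variable "cidr" { type = string }       # e.g. "10.0.0.0/16"
variable "azs"  { type = list(string) } # e.g. ["ap-southeast-2a", "ap-southeast-2b"]

resource "aws_vpc" "this" {
  cidr_block           = var.cidr
  enable_dns_support   = true
  enable_dns_hostnames = true
  tags                 = { Name = var.name }
}

# Public subnets take /24 blocks 0..n-1, private subnets take 100..100+n-1,
# so "10.0.0.0/16" yields 10.0.0.0/24 public and 10.0.100.0/24 private in the first AZ.
resource "aws_subnet" "public" {
  for_each                = { for i, az in var.azs : az => i }
  vpc_id                  = aws_vpc.this.id
  availability_zone       = each.key
  cidr_block              = cidrsubnet(var.cidr, 8, each.value)
  map_public_ip_on_launch = false # no auto-assigned public IPs; attach EIPs deliberately
  tags                    = { Name = "${var.name}-public-${each.key}", Tier = "public" }
}

resource "aws_subnet" "private" {
  for_each          = { for i, az in var.azs : az => i }
  vpc_id            = aws_vpc.this.id
  availability_zone = each.key
  cidr_block        = cidrsubnet(var.cidr, 8, 100 + each.value)
  tags              = { Name = "${var.name}-private-${each.key}", Tier = "private" }
}

resource "aws_internet_gateway" "this" {
  vpc_id = aws_vpc.this.id
}

resource "aws_route_table" "public" {
  vpc_id = aws_vpc.this.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.this.id
  }
}

resource "aws_route_table_association" "public" {
  for_each       = aws_subnet.public
  subnet_id      = each.value.id
  route_table_id = aws_route_table.public.id
}

# Private subnets deliberately get no default route here: add a NAT gateway
# per AZ only once a workload actually needs egress.

# Managing the default SG with no ingress/egress blocks strips all its rules,
# so an instance launched without an explicit SG can talk to nothing.
resource "aws_default_security_group" "this" {
  vpc_id = aws_vpc.this.id
}

output "vpc_id"             { value = aws_vpc.this.id }
output "public_subnet_ids"  { value = [for s in aws_subnet.public : s.id] }
output "private_subnet_ids" { value = [for s in aws_subnet.private : s.id] }

# Caller, e.g. prod/vpc/main.tf (shown as a comment since it lives in another root module):
# module "vpc" {
#   source = "../../modules/vpc"
#   name   = "prod"
#   cidr   = "10.0.0.0/16"
#   azs    = ["ap-southeast-2a", "ap-southeast-2b", "ap-southeast-2c"]
# }
```

Keying the subnets by AZ name rather than by list index means adding or removing an AZ later only touches that AZ's subnets, instead of renumbering (and therefore recreating) every subnet after it, which is the kind of churn drift detection would otherwise light up.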