init template with docs
This commit is contained in:
parent
9efd0bb55c
commit
80739d574b
60
README.md
60
README.md
|
@ -1,2 +1,60 @@
|
||||||
# terraform-template
|
# My Personal Terraform Template
|
||||||
|
|
||||||
|
## Featuring
|
||||||
|
|
||||||
|
- Terraform without hardcoding
|
||||||
|
- [S3 Backend for Terraform State + DynamoDB Locking Table](https://blog.gruntwork.io/how-to-manage-terraform-state-28f5697e68fa) with partial configuration
|
||||||
|
- [Hashicorp Vault](https://www.vaultproject.io/) with my [personal deployment](https://git.mattmor.in/Madmin/HC-vault-personal)
|
||||||
|
- [Aws-Vault](https://github.com/99designs/aws-vault?tab=readme-ov-file#aws-vault)
|
||||||
|
- Multiple examples
|
||||||
|
|
||||||
|
## How to use
|
||||||
|
|
||||||
|
1. Template it
|
||||||
|
2. Provide S3 Backend Configuration in backend.hcl and input key in providers.tf
|
||||||
|
3. Provide Vault Configuration in vault.hcl and input key for [state file isolation](#isolation-of-state) in providers.tf
|
||||||
|
4. Configure AWS with:
|
||||||
|
|
||||||
|
``` bash
|
||||||
|
AWS configure sso
|
||||||
|
# fill in ~profile
|
||||||
|
```
|
||||||
|
|
||||||
|
``` bash
|
||||||
|
aws-vault exec ~profile #duration in providers.tf - 1h or less recommended
|
||||||
|
terraform init -backend-config=backend.hcl && terraform plan
|
||||||
|
```
|
||||||
|
|
||||||
|
``` bash
|
||||||
|
terraform apply
|
||||||
|
```
|
||||||
|
|
||||||
|
## Isolation of state
|
||||||
|
|
||||||
|
To isolate within the same configuration, use workspaces. To isolate between configurations, use file layout.
|
||||||
|
|
||||||
|
### Workspaces
|
||||||
|
|
||||||
|
to list workspaces:
|
||||||
|
|
||||||
|
``` bash
|
||||||
|
terraform workspace list
|
||||||
|
# default at start
|
||||||
|
```
|
||||||
|
|
||||||
|
to create a workspace:
|
||||||
|
|
||||||
|
``` bash
|
||||||
|
terraform workspace new ~workspace
|
||||||
|
```
|
||||||
|
|
||||||
|
to select a workspace:
|
||||||
|
|
||||||
|
``` bash
|
||||||
|
terraform workspace select ~workspace
|
||||||
|
```
|
||||||
|
|
||||||
|
## TODO
|
||||||
|
|
||||||
|
- Azure support
|
||||||
|
- GCP support
|
||||||
|
|
|
@ -0,0 +1,5 @@
|
||||||
|
# bucket
|
||||||
|
bucket = ""
|
||||||
|
region = ""
|
||||||
|
dynamodb_table = ""
|
||||||
|
encrypt = true
|
|
@ -0,0 +1,9 @@
|
||||||
|
output "resource_name_prefix" {
|
||||||
|
description = "Resource name prefix used for tagging and naming AWS resources"
|
||||||
|
value = var.resource_name_prefix
|
||||||
|
}
|
||||||
|
|
||||||
|
output "ex module output" {
|
||||||
|
description = "ex"
|
||||||
|
value = module.ex.output
|
||||||
|
}
|
|
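Review bot: `output "ex module output" {` is not a valid output name — Terraform output names must be identifiers (letters, digits, underscores and dashes), so `terraform validate` will reject this block; rename it, e.g. `output "ex_module_output" {`. The referenced `module.ex` does not appear anywhere in this commit, so this is presumably a placeholder for a module still to be added; a one-line comment above the block saying it must be replaced (or removed) before `terraform init` would stop the template from failing on first use.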
@ -0,0 +1,23 @@
|
||||||
|
terraform {
|
||||||
|
backend "s3" {
|
||||||
|
# PROVIDE THIS KEY ... FILE ISOLATION
|
||||||
|
key = ""
|
||||||
|
# PROVIDE THIS KEY ... FILE ISOLATION
|
||||||
|
}
|
||||||
|
required_version = ">= 1.0.0"
|
||||||
|
required_providers {
|
||||||
|
aws = {
|
||||||
|
source = "hashicorp/aws"
|
||||||
|
version = ">= 4.0.0"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
provider "aws" {
|
||||||
|
region = var.aws_region
|
||||||
|
# using aws-vault to assume a role
|
||||||
|
assume_role {
|
||||||
|
duration = "1h"
|
||||||
|
role_arn = var.role_arn
|
||||||
|
|
||||||
|
}
|
||||||
|
}
|
|
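Review bot: `assume_role { duration = "1h" }` is paired with `version = ">= 4.0.0"`, which is a loose fit: if memory serves, the string `duration` argument only exists in later AWS provider releases (earlier ones used `duration_seconds`), so an open-ended floor can resolve to a provider that rejects this block. A pessimistic constraint matching the argument actually used, e.g. `version = "~> 5.0"`, makes `terraform init` deterministic; the same applies to `required_version = ">= 1.0.0"`. The `key = ""` line sits between two identical `# PROVIDE THIS KEY ... FILE ISOLATION` comments, which reads as if something should be filled into the comment itself; one comment stating the expected shape, e.g. `# key: per-configuration state path inside the bucket, e.g. "<project>/terraform.tfstate"`, would be clearer.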
@ -0,0 +1,43 @@
|
||||||
|
--==BOUNDARY==
|
||||||
|
Content-Type: text/x-shellscript; charset="us-ascii"
|
||||||
|
|
||||||
|
#!/bin/bash
|
||||||
|
set -e
|
||||||
|
|
||||||
|
# Run Order: 1
|
||||||
|
# Run Frequency: only once, on first boot
|
||||||
|
|
||||||
|
# Tasks:
|
||||||
|
# - Install Dependencies
|
||||||
|
# - Install x
|
||||||
|
|
||||||
|
# Note: dollar-sign curly braces are template values from Terraform.
|
||||||
|
# Non curly brace ones are normal bash variables...
|
||||||
|
|
||||||
|
printf '%s\n' "Install X" "-----------------" "Under Usr: ${whoami}, proj: ${PWD##*/}"
|
||||||
|
sleep 1
|
||||||
|
|
||||||
|
sudo apt update -y && sudo apt install gpg wget -y
|
||||||
|
|
||||||
|
# === Install X via apt ===
|
||||||
|
|
||||||
|
# Get the keyring
|
||||||
|
wget -O- https://apt.releases.x.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/x-archive-keyring.gpg
|
||||||
|
|
||||||
|
# Verify the keyring
|
||||||
|
gpg --no-default-keyring --keyring /usr/share/keyrings/x-archive-keyring.gpg --fingerprint
|
||||||
|
|
||||||
|
# Check the exit status of the last command
|
||||||
|
if [ $? -eq 0 ]; then
|
||||||
|
# If the exit status is 0 (which means the previous command was successful), add the repo
|
||||||
|
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/x.gpg] https://apt.releases.x.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/x.list
|
||||||
|
|
||||||
|
# Install the vault
|
||||||
|
sudo apt update && sudo apt install x -y
|
||||||
|
else
|
||||||
|
# If the exit status is not 0 (which means the previous command failed), print an error message and exit
|
||||||
|
echo "Keyring verification of X failed. Exiting."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
--==BOUNDARY==--
|
|
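Review bot: The keyring "verification" at `gpg --no-default-keyring --keyring ... --fingerprint` only prints fingerprints and exits 0 for any keyring, and under `set -e` a non-zero exit would abort the script before `if [ $? -eq 0 ]` is reached, so the `else` branch is unreachable and the check gives no assurance about which key was installed. The sources entry also points `signed-by=` at `/usr/share/keyrings/x.gpg` while the keyring was written to `/usr/share/keyrings/x-archive-keyring.gpg`, so apt will not find the signing key. Comparing the downloaded key's fingerprint against a value obtained out of band, and using a single variable for the keyring path, fixes both; the rewrite below shows the shape with the expected fingerprint left as a placeholder. If this file is rendered with `templatefile`, as the `${whoami}` comment suggests, `${PWD##*/}` on the printf line will presumably be parsed as a Terraform interpolation and fail — it needs escaping as `$${PWD##*/}`.
```shell
set -euo pipefail
# … unchanged: run-order comments, printf banner, apt update / install gpg wget …
keyring=/usr/share/keyrings/x-archive-keyring.gpg
# Expected primary-key fingerprint, obtained out of band (vendor docs), not from the same download.
expected_fpr='<EXPECTED-FINGERPRINT-PLACEHOLDER>'
wget -O- https://apt.releases.x.com/gpg | sudo gpg --dearmor -o "$keyring"
actual_fpr=$(gpg --no-default-keyring --keyring "$keyring" --with-colons --fingerprint \
  | awk -F: '$1 == "fpr" { print $10; exit }')
if [ "$actual_fpr" != "$expected_fpr" ]; then
  echo "Keyring verification of X failed. Exiting." >&2
  exit 1
fi
echo "deb [arch=$(dpkg --print-architecture) signed-by=$keyring] https://apt.releases.x.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/x.list
# … unchanged: apt update && apt install x …
```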
@ -0,0 +1,12 @@
|
||||||
|
# === common vars ===
|
||||||
|
aws_region = "eu-north-1"
|
||||||
|
role_arn = ""
|
||||||
|
resource_name_prefix = ""
|
||||||
|
|
||||||
|
|
||||||
|
# === config vars ===
|
||||||
|
instance_type = "t3.micro"
|
||||||
|
ami_id = "ami-0506d6d51f1916a96" # Debian 12 x86_64
|
||||||
|
|
||||||
|
# === VPC ===
|
||||||
|
azs = ["eu-north-1a", "eu-north-1b"]
|
|
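Review bot: Every value here except `role_arn` and `resource_name_prefix` repeats a variable default declared in the same commit (`aws_region`, `instance_type`, `ami_id`, `azs`), so the two copies can drift silently; keep each value in one place, either the variable default or this file. `ami_id` is additionally region-specific: the `# Debian 12 x86_64` comment helps, but it should also name the region the ID is valid in (presumably eu-north-1, given `aws_region`), or the ID could be replaced by a `data "aws_ami"` lookup filtered on owner and name so the pin is explicit rather than implied.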
@ -0,0 +1,70 @@
|
||||||
|
# === General ===
|
||||||
|
|
||||||
|
variable "resource_name_prefix" {
|
||||||
|
type = string
|
||||||
|
description = "Resource name prefix used for tagging and naming AWS resources"
|
||||||
|
default = "x"
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "aws_region" {
|
||||||
|
type = string
|
||||||
|
description = "AWS region where Vault will be deployed"
|
||||||
|
default = "eu-north-1"
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "role_arn" {
|
||||||
|
type = string
|
||||||
|
description = "The assumed role to use for this project."
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "key_name" {
|
||||||
|
type = string
|
||||||
|
description = "(Optional) key pair to use for SSH access to instance"
|
||||||
|
default = "X"
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "common_tags" {
|
||||||
|
type = map(string)
|
||||||
|
description = "(Optional) Map of common tags for all taggable AWS resources."
|
||||||
|
default = {
|
||||||
|
"project" = "X"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# === config ===
|
||||||
|
|
||||||
|
variable "instance_type" {
|
||||||
|
type = string
|
||||||
|
description = "The instance type to use"
|
||||||
|
default = "t3.micro"
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "ami_id" {
|
||||||
|
type = string
|
||||||
|
description = "The AMI ID to use for the instances"
|
||||||
|
default = "ami-0506d6d51f1916a96"
|
||||||
|
}
|
||||||
|
|
||||||
|
# === VPC ===
|
||||||
|
|
||||||
|
variable "azs" {
|
||||||
|
description = "availability zones to use in AWS region"
|
||||||
|
type = list(string)
|
||||||
|
default = [
|
||||||
|
"eu-north-1a",
|
||||||
|
"eu-north-1b",
|
||||||
|
]
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "allowed_inbound_cidrs_lb" {
|
||||||
|
type = list(string)
|
||||||
|
description = "**Required** CIDR blocks to allow inbound traffic to the load balancer"
|
||||||
|
default = ["0.0.0.0/0"]
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "allowed_inbound_cidrs_ssh" {
|
||||||
|
type = list(string)
|
||||||
|
description = "**Required** CIDR blocks to allow inbound SSH traffic to the Vault instances"
|
||||||
|
default = ["0.0.0.0/0"]
|
||||||
|
}
|
||||||
|
|
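Review bot: `allowed_inbound_cidrs_ssh` and `allowed_inbound_cidrs_lb` are described as `**Required**` yet carry `default = ["0.0.0.0/0"]`, which contradicts the description and makes world-reachable SSH the silent default for anyone who forgets to set them; remove the two `default` lines so Terraform insists on an explicit value, or use `default = []`. The description on `aws_region`, `AWS region where Vault will be deployed`, looks carried over from another project and should describe this template. `key_name` is labelled `(Optional)` but its default `"X"` is a non-empty placeholder that would presumably fail at apply time if no such key pair exists; `default = null` expresses "optional" correctly.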