init template with docs
parent
9efd0bb55c
commit
80739d574b
60
README.md
60
README.md
|
@ -1,2 +1,60 @@
|
|||
# terraform-template
|
||||
# My Personal Terraform Template
|
||||
|
||||
## Featuring
|
||||
|
||||
- Terraform without hardcoding
|
||||
- [S3 Backend for Terraform State + DynamoDB Locking Table](https://blog.gruntwork.io/how-to-manage-terraform-state-28f5697e68fa) with partial configuration
|
||||
- [Hashicorp Vault](https://www.vaultproject.io/) with my [personal deployment](https://git.mattmor.in/Madmin/HC-vault-personal)
|
||||
- [Aws-Vault](https://github.com/99designs/aws-vault?tab=readme-ov-file#aws-vault)
|
||||
- Multiple examples
|
||||
|
||||
## How to use
|
||||
|
||||
1. Template it
|
||||
2. Provide S3 Backend Configuration in backend.hcl and input key in providers.tf
|
||||
3. Provide Vault Configuration in vault.hcl and input key for [state file isolation](#isolation-of-state) in providers.tf
|
||||
4. Configure AWS with:
|
||||
|
||||
``` bash
|
||||
AWS configure sso
|
||||
# fill in ~profile
|
||||
```
|
||||
|
||||
``` bash
|
||||
aws-vault exec ~profile #duration in providers.tf - 1h or less recommended
|
||||
terraform init -backend-config=backend.hcl && terraform plan
|
||||
```
|
||||
|
||||
``` bash
|
||||
terraform apply
|
||||
```
|
||||
|
||||
## Isolation of state
|
||||
|
||||
To isolate within the same configuration, use workspaces. To isolate between configurations, use file layout.
|
||||
|
||||
### Workspaces
|
||||
|
||||
to list workspaces:
|
||||
|
||||
``` bash
|
||||
terraform workspace list
|
||||
# default at start
|
||||
```
|
||||
|
||||
to create a workspace:
|
||||
|
||||
``` bash
|
||||
terraform workspace new ~workspace
|
||||
```
|
||||
|
||||
to select a workspace:
|
||||
|
||||
``` bash
|
||||
terraform workspace select ~workspace
|
||||
```
|
||||
|
||||
## TODO
|
||||
|
||||
- Azure support
|
||||
- GCP support
|
||||
|
|
|
@ -0,0 +1,5 @@
|
|||
# bucket
|
||||
bucket = ""
|
||||
region = ""
|
||||
dynamodb_table = ""
|
||||
encrypt = true
|
|
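Review bot: `encrypt = true` with no `kms_key_id` means the state object falls back to SSE-S3, and nothing in the file says whether that is a deliberate choice; since the state will hold whatever the providers write into it, a one-line comment above `encrypt = true` such as `# SSE-S3; set kms_key_id (plus a bucket policy denying unencrypted puts) for a customer-managed key` would tell template users what the hardened option is. The `# bucket` header could also name the file's role, e.g. `# partial backend config, consumed via terraform init -backend-config=backend.hcl`, since the README is currently the only place that explains it.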
@ -0,0 +1,9 @@
|
|||
output "resource_name_prefix" {
|
||||
description = "Resource name prefix used for tagging and naming AWS resources"
|
||||
value = var.resource_name_prefix
|
||||
}
|
||||
|
||||
output "ex module output" {
|
||||
description = "ex"
|
||||
value = module.ex.output
|
||||
}
|
|
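Review bot: The second output's name, `output "ex module output"`, contains spaces, which Terraform does not accept as an identifier (names may only hold letters, digits, underscores and dashes), so `terraform validate` will reject this file before anything else in the template is exercised. Rename it, e.g. `output "ex_module_output" {`, and replace `description = "ex"` with wording that makes the placeholder recognisable when the template is instantiated. `value = module.ex.output` refers to a module that is not part of this commit; if it is meant as an example to be replaced, a comment saying so would save the next user from a missing-module error on init.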
@ -0,0 +1,23 @@
|
|||
terraform {
|
||||
backend "s3" {
|
||||
# PROVIDE THIS KEY ... FILE ISOLATION
|
||||
key = ""
|
||||
# PROVIDE THIS KEY ... FILE ISOLATION
|
||||
}
|
||||
required_version = ">= 1.0.0"
|
||||
required_providers {
|
||||
aws = {
|
||||
source = "hashicorp/aws"
|
||||
version = ">= 4.0.0"
|
||||
}
|
||||
}
|
||||
}
|
||||
provider "aws" {
|
||||
region = var.aws_region
|
||||
# using aws-vault to assume a role
|
||||
assume_role {
|
||||
duration = "1h"
|
||||
role_arn = var.role_arn
|
||||
|
||||
}
|
||||
}
|
|
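Review bot: `version = ">= 4.0.0"` for the AWS provider has no upper bound, so a fresh `terraform init` from this template pulls whatever the newest major happens to be, and the `assume_role` block below has had its arguments renamed between majors in the past; a pessimistic constraint such as `version = "~> 5.0"` (whichever major the template was actually tested against) keeps instantiations reproducible, and the same applies to `required_version = ">= 1.0.0"`. The empty `key = ""` in `backend "s3"` is only made valid by the README's instruction to fill it in; replacing the two duplicated `PROVIDE THIS KEY` comments with one that shows the expected form, e.g. `# key = "<project>/<environment>/terraform.tfstate" — unique per configuration, see README "Isolation of state"`, would document the intent in the file itself. The stray blank line after `role_arn = var.role_arn` is a style nit `terraform fmt` will remove.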
@ -0,0 +1,43 @@
|
|||
--==BOUNDARY==
|
||||
Content-Type: text/x-shellscript; charset="us-ascii"
|
||||
|
||||
#!/bin/bash
|
||||
set -e
|
||||
|
||||
# Run Order: 1
|
||||
# Run Frequency: only once, on first boot
|
||||
|
||||
# Tasks:
|
||||
# - Install Dependencies
|
||||
# - Install x
|
||||
|
||||
# Note: dollar-sign curly braces are template values from Terraform.
|
||||
# Non curly brace ones are normal bash variables...
|
||||
|
||||
printf '%s\n' "Install X" "-----------------" "Under Usr: ${whoami}, proj: ${PWD##*/}"
|
||||
sleep 1
|
||||
|
||||
sudo apt update -y && sudo apt install gpg wget -y
|
||||
|
||||
# === Install X via apt ===
|
||||
|
||||
# Get the keyring
|
||||
wget -O- https://apt.releases.x.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/x-archive-keyring.gpg
|
||||
|
||||
# Verify the keyring
|
||||
gpg --no-default-keyring --keyring /usr/share/keyrings/x-archive-keyring.gpg --fingerprint
|
||||
|
||||
# Check the exit status of the last command
|
||||
if [ $? -eq 0 ]; then
|
||||
# If the exit status is 0 (which means the previous command was successful), add the repo
|
||||
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/x.gpg] https://apt.releases.x.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/x.list
|
||||
|
||||
# Install the vault
|
||||
sudo apt update && sudo apt install x -y
|
||||
else
|
||||
# If the exit status is not 0 (which means the previous command failed), print an error message and exit
|
||||
echo "Keyring verification of X failed. Exiting."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
--==BOUNDARY==--
|
|
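Review bot: Under `set -e` the `if [ $? -eq 0 ]` check after `gpg ... --fingerprint` is unreachable on failure: a non-zero exit from gpg aborts the script at that line, so the `else` branch and its diagnostic never run, and in the success case `--fingerprint` only prints fingerprints rather than comparing them with anything, so the "verification" accepts any key the download happened to return. The repository line also points `signed-by=` at `/usr/share/keyrings/x.gpg` while the dearmored key was written to `/usr/share/keyrings/x-archive-keyring.gpg`, so apt cannot find the key and the install step fails (or, if the path is later "fixed" by dropping `signed-by`, runs unsigned). `set -e` without `pipefail` also lets a failed `wget` in the `wget | gpg` pipeline pass silently. Separately, if this file is rendered through Terraform's `templatefile()` as the header comment implies, `${PWD##*/}` is presumably parsed as an interpolation and rejected; it would need to be written `$${PWD##*/}` to reach bash intact — confirm against how the template is rendered. The rewrite below moves the check into the `if` condition, compares against a publisher-documented fingerprint (placeholder), and makes the two keyring paths agree.
```bash
#!/bin/bash
set -euo pipefail

# … unchanged: run-order/task comments, banner, apt update …

# Get the keyring (pipefail above turns a failed download into a script abort)
wget -O- https://apt.releases.x.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/x-archive-keyring.gpg

# Verify the keyring: --fingerprint only prints, so compare against the
# publisher's documented fingerprint instead of checking gpg's exit status.
expected_fpr="<EXPECTED_FINGERPRINT_PLACEHOLDER: 40 hex chars from the publisher's docs>"
if gpg --no-default-keyring --keyring /usr/share/keyrings/x-archive-keyring.gpg --with-colons --fingerprint \
     | grep -q "^fpr:.*:$expected_fpr:"; then
  # signed-by must name the same file the key was written to above
  echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/x-archive-keyring.gpg] https://apt.releases.x.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/x.list
  sudo apt update && sudo apt install x -y
else
  echo "Keyring verification of X failed. Exiting." >&2
  exit 1
fi
```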
@ -0,0 +1,12 @@
|
|||
# === common vars ===
|
||||
aws_region = "eu-north-1"
|
||||
role_arn = ""
|
||||
resource_name_prefix = ""
|
||||
|
||||
|
||||
# === config vars ===
|
||||
instance_type = "t3.micro"
|
||||
ami_id = "ami-0506d6d51f1916a96" # Debian 12 x86_64
|
||||
|
||||
# === VPC ===
|
||||
azs = ["eu-north-1a", "eu-north-1b"]
|
|
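Review bot: `role_arn = ""` is a placeholder that the provider's `assume_role { role_arn = var.role_arn }` block from the same commit will presumably reject at plan time, yet nothing in the file marks it as something the user must fill in; a trailing comment such as `role_arn = "" # required: arn:aws:iam::<account-id>:role/<role-name>` would make the template self-explanatory. `ami_id = "ami-0506d6d51f1916a96" # Debian 12 x86_64` is region-specific and cannot be checked from this page, and the file also repeats the `aws_region` and `azs` defaults already declared in the variables file; if the README's "without hardcoding" goal is meant seriously, resolving the image with a `data "aws_ami"` lookup (owner plus name filter) and dropping the duplicated defaults would be the consistent choice.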
@ -0,0 +1,70 @@
|
|||
# === General ===
|
||||
|
||||
variable "resource_name_prefix" {
|
||||
type = string
|
||||
description = "Resource name prefix used for tagging and naming AWS resources"
|
||||
default = "x"
|
||||
}
|
||||
|
||||
variable "aws_region" {
|
||||
type = string
|
||||
description = "AWS region where Vault will be deployed"
|
||||
default = "eu-north-1"
|
||||
}
|
||||
|
||||
variable "role_arn" {
|
||||
type = string
|
||||
description = "The assumed role to use for this project."
|
||||
}
|
||||
|
||||
variable "key_name" {
|
||||
type = string
|
||||
description = "(Optional) key pair to use for SSH access to instance"
|
||||
default = "X"
|
||||
}
|
||||
|
||||
variable "common_tags" {
|
||||
type = map(string)
|
||||
description = "(Optional) Map of common tags for all taggable AWS resources."
|
||||
default = {
|
||||
"project" = "X"
|
||||
}
|
||||
}
|
||||
|
||||
# === config ===
|
||||
|
||||
variable "instance_type" {
|
||||
type = string
|
||||
description = "The instance type to use"
|
||||
default = "t3.micro"
|
||||
}
|
||||
|
||||
variable "ami_id" {
|
||||
type = string
|
||||
description = "The AMI ID to use for the instances"
|
||||
default = "ami-0506d6d51f1916a96"
|
||||
}
|
||||
|
||||
# === VPC ===
|
||||
|
||||
variable "azs" {
|
||||
description = "availability zones to use in AWS region"
|
||||
type = list(string)
|
||||
default = [
|
||||
"eu-north-1a",
|
||||
"eu-north-1b",
|
||||
]
|
||||
}
|
||||
|
||||
variable "allowed_inbound_cidrs_lb" {
|
||||
type = list(string)
|
||||
description = "**Required** CIDR blocks to allow inbound traffic to the load balancer"
|
||||
default = ["0.0.0.0/0"]
|
||||
}
|
||||
|
||||
variable "allowed_inbound_cidrs_ssh" {
|
||||
type = list(string)
|
||||
description = "**Required** CIDR blocks to allow inbound SSH traffic to the Vault instances"
|
||||
default = ["0.0.0.0/0"]
|
||||
}
|
||||
|
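Review bot: `allowed_inbound_cidrs_lb` and `allowed_inbound_cidrs_ssh` are described as `**Required**` but both carry `default = ["0.0.0.0/0"]`, so a user who forgets to set them gets the load balancer and SSH exposed to the whole internet instead of a prompt or an error. Drop the two `default = ["0.0.0.0/0"]` lines so Terraform forces a value, or, if an open default is intended for the LB only, keep it there and add a `validation` block on the SSH variable that rejects `0.0.0.0/0`. The descriptions of `aws_region` and `allowed_inbound_cidrs_ssh` still say "Vault" while the rest of the template uses the placeholder `X`, and `key_name` is labelled "(Optional)" although its default `"X"` only works if a key pair of that name already exists — "(Optional)" should either go or the default should become `null`.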