init template with docs

README.md

@@ -1,2 +1,60 @@
-# terraform-template
+# My Personal Terraform Template
 
+## Featuring
+
+- Terraform without hardcoding
+- [S3 Backend for Terraform State + DynamoDB Locking Table](https://blog.gruntwork.io/how-to-manage-terraform-state-28f5697e68fa) with partial configuration
+- [Hashicorp Vault](https://www.vaultproject.io/) with my [personal deployment](https://git.mattmor.in/Madmin/HC-vault-personal)
+- [Aws-Vault](https://github.com/99designs/aws-vault?tab=readme-ov-file#aws-vault)
+- Multiple examples
+
+## How to use
+
+1. Template it
+2. Provide S3 Backend Configuration in backend.hcl and input key in providers.tf
+3. Provide Vault Configuration in vault.hcl and input key for [state file isolation](#isolation-of-state) in providers.tf
+4. Configure AWS with:
+
+``` bash
+AWS configure sso
+# fill in ~profile
+```
+
+``` bash
+aws-vault exec ~profile #duration in providers.tf - 1h or less recommended
+terraform init -backend-config=backend.hcl && terraform plan
+```
+
+``` bash
+terraform apply
+```
+
+## Isolation of state
+
+To isolate within the same configuration, use workspaces. To isolate between configurations, use file layout.
+
+### Workspaces
+
+to list workspaces:
+
+``` bash
+terraform workspace list
+# default at start
+```
+
+to create a workspace:
+
+``` bash
+terraform workspace new ~workspace
+```
+
+to select a workspace:
+
+``` bash
+terraform workspace select ~workspace
+```
+
+## TODO
+
+- Azure support
+- GCP support

backend.hcl

@@ -0,0 +1,5 @@
+# bucket
+bucket         = ""
+region         = ""
+dynamodb_table = ""
+encrypt = true

outputs.tf

@@ -0,0 +1,9 @@
+output "resource_name_prefix" {
+    description = "Resource name prefix used for tagging and naming AWS resources"
+    value = var.resource_name_prefix
+}
+
+output "ex module output" {
+    description = "ex"
+    value = module.ex.output
+}

providers.tf

@@ -0,0 +1,23 @@
+terraform {
+    backend "s3" {
+        # PROVIDE THIS KEY ... FILE ISOLATION
+        key = ""
+        # PROVIDE THIS KEY ... FILE ISOLATION
+    }
+    required_version = ">= 1.0.0"
+    required_providers {
+        aws = {
+            source  = "hashicorp/aws"
+            version = ">= 4.0.0"
+        }
+    }
+}
+provider "aws" {
+    region = var.aws_region
+    # using aws-vault to assume a role
+    assume_role {
+        duration = "1h" 
+        role_arn = var.role_arn 
+
+  }
+}

temp/userdata.sh

@@ -0,0 +1,43 @@
+--==BOUNDARY==
+Content-Type: text/x-shellscript; charset="us-ascii"
+
+#!/bin/bash
+set -e
+
+# Run Order: 1
+# Run Frequency: only once, on first boot
+
+# Tasks:
+# - Install Dependencies
+# - Install x
+
+# Note: dollar-sign curly braces are template values from Terraform.
+# Non curly brace ones are normal bash variables...
+
+printf '%s\n' "Install X" "-----------------" "Under Usr: ${whoami}, proj: ${PWD##*/}"
+    sleep 1
+
+sudo apt update -y && sudo apt install gpg wget -y
+
+# === Install X via apt ===
+
+# Get the keyring
+wget -O- https://apt.releases.x.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/x-archive-keyring.gpg
+
+# Verify the keyring
+gpg --no-default-keyring --keyring /usr/share/keyrings/x-archive-keyring.gpg --fingerprint
+
+# Check the exit status of the last command
+if [ $? -eq 0 ]; then
+    # If the exit status is 0 (which means the previous command was successful), add the repo
+    echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/x.gpg] https://apt.releases.x.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/x.list
+
+    # Install the vault
+    sudo apt update && sudo apt install x -y
+else
+    # If the exit status is not 0 (which means the previous command failed), print an error message and exit
+    echo "Keyring verification of X failed. Exiting."
+    exit 1
+fi
+
+--==BOUNDARY==--

terraform.tfvars.example

@@ -0,0 +1,12 @@
+# === common vars ===
+aws_region = "eu-north-1"
+role_arn = ""
+resource_name_prefix = ""
+
+
+# === config vars ===
+instance_type = "t3.micro"
+ami_id = "ami-0506d6d51f1916a96" # Debian 12 x86_64
+
+# === VPC ===
+azs = ["eu-north-1a", "eu-north-1b"]

variables.tf

@@ -0,0 +1,70 @@
+# === General ===
+
+variable "resource_name_prefix" {
+  type        = string
+  description = "Resource name prefix used for tagging and naming AWS resources"
+  default = "x"
+}
+
+variable "aws_region" {
+  type        = string
+  description = "AWS region where Vault will be deployed"
+  default = "eu-north-1"
+}
+
+variable "role_arn" {
+  type        = string
+  description = "The assumed role to use for this project."
+}
+
+variable "key_name" {
+  type        = string
+  description = "(Optional) key pair to use for SSH access to instance"
+  default     = "X"
+}
+
+variable "common_tags" {
+  type        = map(string)
+  description = "(Optional) Map of common tags for all taggable AWS resources."
+  default     = {
+    "project" = "X"
+  }
+}
+
+# === config ===
+
+variable "instance_type" {
+  type        = string
+  description = "The instance type to use"
+  default     = "t3.micro"
+}
+
+variable "ami_id" {
+    type        = string
+    description = "The AMI ID to use for the instances"
+    default     = "ami-0506d6d51f1916a96"
+}
+
+# === VPC ===
+
+variable "azs" {
+  description = "availability zones to use in AWS region"
+  type        = list(string)
+  default = [
+    "eu-north-1a",
+    "eu-north-1b",
+  ]
+}
+
+variable "allowed_inbound_cidrs_lb" {
+  type        = list(string)
+  description = "**Required** CIDR blocks to allow inbound traffic to the load balancer"
+  default     = ["0.0.0.0/0"]
+}
+
+variable "allowed_inbound_cidrs_ssh" {
+  type        = list(string)
+  description = "**Required** CIDR blocks to allow inbound SSH traffic to the Vault instances"
+  default     = ["0.0.0.0/0"]
+}
+