
This is meant to be used for an organization which will reside entirely inside a single AWS account.

Primary language: HCL. License: Apache-2.0.

Contact Us | Stratusphere FinOps | StratusGrid Home | Blog

terraform-aws-single-account-starter

GitHub: StratusGrid/terraform-aws-single-account-starter

Template Documentation

This repository showcases many StratusGrid and community modules working together to configure a single-account architecture with Terraform 1.x or later.

ToDo

  • Wrap with a templating language to output a custom from a GUI:
    ◦ Primary Region and which Regions to add
    ◦ Whether to do the vm import role and bucket

Init:

```sh
awsudo -u <profile> terraform init
```

Apply:

```sh
awsudo -u <profile> terraform apply -var region=us-east-1 -var name_prefix=<prefix> -var env_name=<env> -var source_repo=<repo>
```

Recommended first steps if using this as the account code

  • Enable IAM user and role access to billing information while logged in as the root user (My Account > IAM User and Role Access to Billing Information). Until this is switched on, no IAM principal can see billing data regardless of the policies attached to it.
  • Delete the default VPCs in all regions you will be using (at least all regions where the Config rules are enabled).
  • Tag the default RDS DB security groups in all regions with your required tags. The CLI to do so is below; note that each Key=...,Value=... pair is a separate argument to --tags, not one comma-joined string:

```sh
awsudo -u <profile> aws rds add-tags-to-resource --resource-name "arn:aws:rds:us-east-1:<account_number>:secgrp:default" --tags Key=Environment,Value=prd Key=Customer,Value=Shared --region us-east-1

awsudo -u <profile> aws rds add-tags-to-resource --resource-name "arn:aws:rds:us-east-2:<account_number>:secgrp:default" --tags Key=Environment,Value=prd Key=Customer,Value=Shared --region us-east-2

awsudo -u <profile> aws rds add-tags-to-resource --resource-name "arn:aws:rds:us-west-1:<account_number>:secgrp:default" --tags Key=Environment,Value=prd Key=Customer,Value=Shared --region us-west-1

awsudo -u <profile> aws rds add-tags-to-resource --resource-name "arn:aws:rds:us-west-2:<account_number>:secgrp:default" --tags Key=Environment,Value=prd Key=Customer,Value=Shared --region us-west-2
```

  • Enable the updated account-level features for ECS. These settings are per region, so repeat them for every region you use, not only us-east-1:

```sh
awsudo -u <profile> aws ecs put-account-setting-default --name serviceLongArnFormat --value enabled --region us-east-1
awsudo -u <profile> aws ecs put-account-setting-default --name taskLongArnFormat --value enabled --region us-east-1
awsudo -u <profile> aws ecs put-account-setting-default --name containerInstanceLongArnFormat --value enabled --region us-east-1
awsudo -u <profile> aws ecs put-account-setting-default --name awsvpcTrunking --value enabled --region us-east-1
awsudo -u <profile> aws ecs put-account-setting-default --name containerInsights --value enabled --region us-east-1
```
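The tag and ECS commands above are one operation repeated per region, and deleting a default VPC takes several calls in a fixed order. The script below is an added example and not code from the StratusGrid repository; it assumes an awsudo profile in AWSUDO_PROFILE, the account id in ACCOUNT_ID and the region list in REGIONS (all names chosen here), runs the three first steps for every region, and goes beyond the page in two ways: it enables the ECS settings in every region rather than only us-east-1, and it refuses to delete a default VPC that still has network interfaces in it, because delete-vpc would otherwise fail after the subnets and internet gateway are already gone.

```sh
#!/bin/sh
# Added example (not part of the StratusGrid repository): runs the manual
# "first steps" above for every region in REGIONS. Assumed interface:
#   AWSUDO_PROFILE - awsudo profile name (the <profile> placeholder above)
#   ACCOUNT_ID     - 12-digit account id used in the RDS ARNs
#   REGIONS        - space-separated regions (default: the four US regions)
#   DRY_RUN        - 1 (default) prints each mutating command instead of
#                    running it; read-only describe calls still run.
set -eu

: "${REGIONS:=us-east-1 us-east-2 us-west-1 us-west-2}"
: "${DRY_RUN:=1}"
: "${AWSUDO_PROFILE:=}"

# Mutating call: echoed under DRY_RUN, otherwise run through awsudo when set.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "+ aws $*"
  elif [ -n "$AWSUDO_PROFILE" ]; then
    awsudo -u "$AWSUDO_PROFILE" aws "$@"
  else
    aws "$@"
  fi
}

# Read-only call: always executed, prints the --query result as plain text.
query() {
  if [ -n "$AWSUDO_PROFILE" ]; then
    awsudo -u "$AWSUDO_PROFILE" aws "$@" --output text
  else
    aws "$@" --output text
  fi
}

rds_default_secgrp_arn() {  # $1=region $2=account id
  printf 'arn:aws:rds:%s:%s:secgrp:default' "$1" "$2"
}

tag_default_rds_secgrp() {  # $1=region $2=account id
  # Each tag is its own argument; a comma-joined string is not two tags.
  run rds add-tags-to-resource --region "$1" \
    --resource-name "$(rds_default_secgrp_arn "$1" "$2")" \
    --tags Key=Environment,Value=prd Key=Customer,Value=Shared
}

enable_ecs_account_settings() {  # $1=region
  for name in serviceLongArnFormat taskLongArnFormat \
              containerInstanceLongArnFormat awsvpcTrunking containerInsights; do
    run ecs put-account-setting-default --region "$1" --name "$name" --value enabled
  done
}

delete_default_vpc() {  # $1=region
  region="$1"
  vpc="$(query ec2 describe-vpcs --region "$region" \
           --filters Name=isDefault,Values=true --query 'Vpcs[0].VpcId')"
  if [ -z "$vpc" ] || [ "$vpc" = "None" ]; then
    echo "$region: no default VPC"; return 0
  fi
  # Anything still attached (instance, RDS or Lambda ENI) makes delete-vpc
  # fail after the subnets are gone, so check before touching anything.
  enis="$(query ec2 describe-network-interfaces --region "$region" \
            --filters "Name=vpc-id,Values=$vpc" --query 'length(NetworkInterfaces)')"
  if [ "$enis" != "0" ]; then
    echo "$region: $vpc still has $enis network interface(s); skipping" >&2; return 0
  fi
  for igw in $(query ec2 describe-internet-gateways --region "$region" \
                 --filters "Name=attachment.vpc-id,Values=$vpc" \
                 --query 'InternetGateways[].InternetGatewayId'); do
    run ec2 detach-internet-gateway --region "$region" --internet-gateway-id "$igw" --vpc-id "$vpc"
    run ec2 delete-internet-gateway --region "$region" --internet-gateway-id "$igw"
  done
  for subnet in $(query ec2 describe-subnets --region "$region" \
                    --filters "Name=vpc-id,Values=$vpc" --query 'Subnets[].SubnetId'); do
    run ec2 delete-subnet --region "$region" --subnet-id "$subnet"
  done
  # The default SG, main route table and default NACL go away with the VPC.
  run ec2 delete-vpc --region "$region" --vpc-id "$vpc"
}

main() {
  : "${ACCOUNT_ID:?set ACCOUNT_ID to the 12-digit account id}"
  for region in $REGIONS; do
    delete_default_vpc "$region"
    tag_default_rds_secgrp "$region" "$ACCOUNT_ID"
    enable_ecs_account_settings "$region"
  done
}

# Usage: DRY_RUN=0 AWSUDO_PROFILE=<profile> ACCOUNT_ID=<id> sh bootstrap.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

Run it once with the default DRY_RUN=1 and read the printed commands; the describe calls need credentials even then, so the dry run shows the real VPC, gateway and subnet ids that would be deleted.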

Recommended final steps

Change Terraform backend to S3

  1. Fill in the state backend template with the terraform_state_bucket, terraform_state_config_s3_key, terraform_state_dynamodb_table and terraform_state_kms_key_arn output values from a successful terraform apply, then rename the file to state.tf so Terraform picks it up.
  2. Run terraform init so Terraform switches to the S3 bucket as its backend; answer yes when it offers to copy the existing local state:

```sh
awsudo -u <profile> terraform init
```
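The two steps above as an added example, not the repository's own code: the script reads the four terraform_state_* outputs with terraform output -raw, writes them into a state.tf backend block (the field names are the standard s3 backend arguments) and re-runs init. AWSUDO_PROFILE, the run argument and the file layout are assumptions of this script.

```sh
#!/bin/sh
# Added example (not part of the StratusGrid repository): writes state.tf from
# the outputs of the finished local apply and re-initializes Terraform so the
# local state is copied into S3. Assumes AWSUDO_PROFILE names the awsudo
# profile and that the terraform_state_* outputs exist (they are listed in
# the Outputs table of this README).
set -eu

tf() { awsudo -u "${AWSUDO_PROFILE:?set AWSUDO_PROFILE}" terraform "$@"; }

# Render the backend block. encrypt=true turns on server-side encryption of
# the state object and kms_key_id selects the key created by the apply, so
# state (which holds sensitive values in plain text) is not stored under the
# S3 default key.
render_backend_config() {  # $1=bucket $2=key $3=region $4=lock table $5=kms key arn
  cat <<EOF
terraform {
  backend "s3" {
    bucket         = "$1"
    key            = "$2"
    region         = "$3"
    dynamodb_table = "$4"
    kms_key_id     = "$5"
    encrypt        = true
  }
}
EOF
}

migrate_state_to_s3() {  # $1=region the apply targeted
  if [ -e state.tf ]; then
    echo "state.tf already exists; refusing to overwrite it" >&2; return 1
  fi
  render_backend_config \
    "$(tf output -raw terraform_state_bucket)" \
    "$(tf output -raw terraform_state_config_s3_key)" \
    "$1" \
    "$(tf output -raw terraform_state_dynamodb_table)" \
    "$(tf output -raw terraform_state_kms_key_arn)" > state.tf
  # init notices the new backend and prompts to copy terraform.tfstate to S3.
  tf init
  # The local copy is now stale and secret-bearing: keep it out of git.
  grep -qx 'terraform.tfstate*' .gitignore 2>/dev/null || echo 'terraform.tfstate*' >> .gitignore
}

# Usage: AWSUDO_PROFILE=<profile> sh migrate-state.sh run us-east-1
if [ "${1:-}" = "run" ]; then migrate_state_to_s3 "${2:?region}"; fi
```

After init reports the copy succeeded, verify with awsudo -u <profile> terraform state list that every resource is still present before deleting the local terraform.tfstate and its .backup.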

Add existing IAM users to new groups

  1. From the AWS Management Console, open Identity and Access Management.
  2. Add all existing users who will require admin access to the new restricted-admin group.

Tools to Use

  • awsudo
  • tfenv (if using multiple versions of terraform)

Note: Before running init or apply, uncomment the code for the environment that you wish to apply the code to. This goes for both the init-tfvars and apply-tfvars folders.


GitHub actions pre-commit workflow

Use the following command to pre-populate provider hashes for Linux and avoid errors in the terraform_validate step of the GitHub Actions pre-commit workflow. A lock file written on a macOS workstation records only darwin hashes, and Terraform refuses to use a provider package whose hash is not in .terraform.lock.hcl, so the Linux runner fails until the linux_amd64 hashes are added. That refusal is the point of the lock file: CI can only install the exact provider builds that were verified locally. The -platform flag can be repeated to cover every platform the team builds on.

```sh
terraform providers lock -platform=linux_amd64
```

Execute the command in every folder that contains a .terraform.lock.hcl file, such as the root folder and the module folders.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.0.5 |
| archive | >= 2.2 |
| aws | >= 3.63 |

Resources

| Name | Type |
|------|------|
| aws_api_gateway_account.apigw_logging_us_east_1 | resource |
| aws_cloudwatch_event_rule.required_tags | resource |
| aws_cloudwatch_event_target.aws_backup_to_sns | resource |
| aws_iam_account_password_policy.strict | resource |
| aws_iam_role.apigw_logging | resource |
| aws_iam_role_policy_attachment.apigw_logging | resource |
| aws_kms_alias.sns_topics | resource |
| aws_kms_key.sns_topics | resource |
| aws_sns_topic.infrastructure_alerts | resource |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| append_name_suffix | String to append to the name_suffix used on object names. Optional; if used, start it with a dash, e.g. -mysuffix, which yields prefix-objectname-env-mysuffix | string | "" | no |
| currency | The currency of monthly_billing_threshold | string | "USD" | no |
| env_name | Environment name string used for decisions and name generation. Appended to name_suffix to create full_suffix | string | n/a | yes |
| monthly_billing_threshold | The maximum amount that can be billed before a CloudWatch alarm triggers | string | "10000" | no |
| name_prefix | String to use as prefix on object names | string | n/a | yes |
| override_name_suffix | String to completely override the name_suffix | string | "" | no |
| prepend_name_suffix | String to prepend to the name_suffix used on object names. Optional; if used, start it with a dash, e.g. -mysuffix, which yields prefix-objectname-mysuffix-env | string | "" | no |
| region | AWS Region to target | string | n/a | yes |
| source_repo | Name of the repo which holds this code | string | n/a | yes |

Outputs

| Name | Description |
|------|-------------|
| common_tags | Tags which should be applied to all taggable objects |
| iam_role_url_restricted_admin | URL to assume the restricted admin role in this account |
| iam_role_url_restricted_read_only | URL to assume the restricted read-only role in this account |
| log_bucket_ids | ID of the logging bucket |
| name_prefix | String to prepend to all resource names |
| name_suffix | String to append to all resource names |
| terraform_state_bucket | S3 bucket to store Terraform state |
| terraform_state_config_s3_key | Key to use for the Terraform state key configuration; this is the S3 object key where the config will be stored |
| terraform_state_dynamodb_table | DynamoDB table to control Terraform locking |
| terraform_state_kms_key_arn | KMS key to use for encryption when storing/reading the Terraform state configuration |

Note: manual changes to the README will be overwritten when the documentation is updated. To update the documentation, run terraform-docs -c .config/.terraform-docs.yml