/caravan-infra-aws

Terraform project to setup infrastructure on AWS

Primary LanguageHCLMozilla Public License 2.0MPL-2.0

Caravan Infra AWS

Caravan 2021 AWS

Prerequisites

  • AWS Credentials file at ~/.aws/credentials like
[default]
aws_access_key_id=AKIAJPZXVYEXAMPLE
aws_secret_access_key=4k6ZilhMPdshU6/kuwEExAmPlE

Prepare environment

You need an AWS bucket (and a DynamoDB table) for terraform state, so run the script project-setup.sh passing as arguments:

  1. Prefix name to give to resources (look at terraform inputs)
  2. AWS region
  3. AWS profile
./project-setup.sh <NAME> <REGION> <PROFILE>

Running

Edit the generate aws.tfvars and then run:

terraform init -reconfigure -upgrade
terraform apply --var-file aws.tfvars

Requirements

Name Version
terraform ~> 0.15.4
aws ~> 3.0

Providers

Name Version
aws 3.51.0
dns 3.2.1
local 2.1.0
null 3.1.0
random 3.1.0
tls 3.1.0

Modules

Name Source Version
caravan-bootstrap git::https://github.com/bitrockteam/caravan-bootstrap refs/tags/v0.2.12
cloud_init_control_plane git::https://github.com/bitrockteam/caravan-cloudinit refs/tags/v0.1.13
cloud_init_worker_plane git::https://github.com/bitrockteam/caravan-cloudinit refs/tags/v0.1.9
terraform_acme_le git::https://github.com/bitrockteam/caravan-acme-le refs/tags/v0.0.1
vpc terraform-aws-modules/vpc/aws n/a

Resources

Name Type
aws_acm_certificate.cert resource
aws_autoscaling_group.bastion-service resource
aws_autoscaling_group.hashicorp_workers resource
aws_ebs_volume.consul_cluster_data resource
aws_ebs_volume.csi resource
aws_ebs_volume.nomad_cluster_data resource
aws_ebs_volume.vault_cluster_data resource
aws_iam_instance_profile.control_plane resource
aws_iam_instance_profile.worker_plane resource
aws_iam_role.control_plane resource
aws_iam_role.worker_plane resource
aws_iam_role_policy.csi resource
aws_iam_role_policy.docker_pull resource
aws_iam_role_policy.vault_aws_auth resource
aws_iam_role_policy.vault_client resource
aws_iam_role_policy.vault_kms_unseal resource
aws_instance.hashicorp_cluster resource
aws_instance.monitoring resource
aws_key_pair.hashicorp_keypair resource
aws_kms_key.vault resource
aws_launch_configuration.bastion-service-host resource
aws_launch_template.hashicorp_workers resource
aws_lb.hashicorp_alb resource
aws_lb.hashicorp_nlb resource
aws_lb_listener.bastion-service resource
aws_lb_listener.http_80 resource
aws_lb_listener.http_8500 resource
aws_lb_listener.https_443 resource
aws_lb_listener.this resource
aws_lb_listener_rule.consul resource
aws_lb_listener_rule.nomad resource
aws_lb_listener_rule.vault resource
aws_lb_target_group.alb resource
aws_lb_target_group.bastion-service resource
aws_lb_target_group.consul resource
aws_lb_target_group.ingress resource
aws_lb_target_group.nomad resource
aws_lb_target_group.vault resource
aws_lb_target_group_attachment.consul resource
aws_lb_target_group_attachment.nomad resource
aws_lb_target_group_attachment.this resource
aws_lb_target_group_attachment.vault resource
aws_route53_record.all_cname resource
aws_route53_record.bastion resource
aws_route53_record.consul_cname resource
aws_route53_record.hashicorp_zone_ns resource
aws_route53_record.nomad_cname resource
aws_route53_record.vault_cname resource
aws_route53_zone.hashicorp_zone resource
aws_security_group.alb resource
aws_security_group.allow_cluster_basics resource
aws_security_group.internal_consul resource
aws_security_group.internal_nomad resource
aws_security_group.internal_vault resource
aws_security_group.internal_workers resource
aws_volume_attachment.consul_cluster_ec2 resource
aws_volume_attachment.nomad_cluster_ec2 resource
aws_volume_attachment.vault_cluster_ec2 resource
local_file.backend_tf_appsupport resource
local_file.backend_tf_platform resource
local_file.ssh_key resource
local_file.tfvars_appsupport resource
local_file.tfvars_platform resource
null_resource.ca_certs resource
null_resource.ca_certs_bundle resource
random_pet.env resource
tls_private_key.cert_private_key resource
tls_private_key.ssh_key resource
aws_ami.centos7 data source
aws_ami.debian data source
aws_iam_policy_document.assume_role data source
aws_iam_policy_document.vault_client data source
aws_iam_policy_document.vault_kms_unseal data source
aws_route53_zone.main data source
dns_a_record_set.alb data source

Inputs

Name Description Type Default Required
awsprofile AWS user profile string n/a yes
personal_ip_list IP address list for SSH connection to the VMs list(string) n/a yes
prefix The prefix of the objects' names string n/a yes
region AWS region to use string n/a yes
shared_credentials_file AWS credential file path string n/a yes
ami_filter_name Regexp to find AMI to use built with caravan-baking string "*caravan-centos-image-os-*" no
ca_certs Fake certificates from staging Let's Encrypt 
map(object({
    filename = string
    pemurl   = string
  }))
 
{
  "stg-int-r3": {
    "filename": "letsencrypt-stg-int-r3.pem",
    "pemurl": "https://letsencrypt.org/certs/staging/letsencrypt-stg-int-r3.pem"
  },
  "stg-root-x1": {
    "filename": "letsencrypt-stg-root-x1.pem",
    "pemurl": "https://letsencrypt.org/certs/staging/letsencrypt-stg-root-x1.pem"
  }
}
 no
consul_license_file Path to Consul Enterprise license string null no
control_plane_instance_count Control plane instances number number 3 no
control_plane_machine_type Control plane instance machine type string "t3.micro" no
csi_volumes Example:
{
"jenkins" : {
"availability_zone" : "eu-west-1a"
"size" : "30"
"type" : "gp3"
"tags" : { "application": "jenkins_master" }
}
}		 map(map(string)) {} no
dc_name Hashicorp cluster name string "aws-dc" no
enable_monitoring Enable monitoring bool true no
external_domain Domain used for endpoints and certs string "" no
monitoring_machine_type Monitoring instance machine type string "t3.xlarge" no
nomad_license_file Path to Nomad Enterprise license string null no
ports n/a map(number) 
{
  "http": 80,
  "https": 443
}
 no
tfstate_bucket_name S3 Bucket where Terraform state is stored string "" no
tfstate_region AWS Region where Terraform state resources are string "" no
tfstate_table_name DynamoDB Table where Terraform state lock is acquired string "" no
use_le_staging Use staging Let's Encrypt endpoint bool true no
vault_license_file Path to Vault Enterprise license string null no
volume_data_size Volume size of control plan data disk number 20 no
volume_root_size Volume size of control plan root disk number 20 no
volume_size Volume size of workers disk number 100 no
volume_type Volume type of disks string "gp3" no
vpc_cidr VPC cidr string "10.0.0.0/16" no
vpc_private_subnets VCP private subnets list(string) 
[
  "10.0.1.0/24",
  "10.0.2.0/24",
  "10.0.3.0/24"
]
 no
vpc_public_subnets VCP public subnets list(string) 
[
  "10.0.101.0/24",
  "10.0.102.0/24",
  "10.0.103.0/24"
]
 no
worker_plane_machine_type Working plane instance machine type string "t3.large" no
workers_group_size Worker plane instances number number 3 no

Outputs

Name Description
PROJECT_APPSUPP_TFVAR Caravan Application Support tfvars
PROJECT_PLATFORM_TFVAR Caravan Platform tfvars
PROJECT_WORKLOAD_TFVAR Caravan Workload tfvars
ca_certs Let's Encrypt staging CA certificates
cluster_public_ips Control plane public IP addresses
control_plane_iam_role_arns Control plane iam role list
control_plane_role_name Control plane role name
csi_volumes n/a
hashicorp_endpoints Hashicorp clusters endpoints
load_balancer_ip_address Load Balancer IP address
region AWS region
vpc_id VPC ID
worker_node_service_account Worker plane ARN
worker_plane_iam_role_arns Worker plane iam role list
worker_plane_role_name Worker plane role name

Cleaning up

After terraform destroy -var-file=aws.tfvars, for removing bucket and dynamodb table, run the project-cleanup.sh script:

./project-cleanup.sh <NAME> <REGION> <PROFILE>