/Terraform-Experiment

Trying out Terraform

Primary Language: HCL

Terraform Experiments

Experiments

  1. Static Website: Route 53 -> CloudFront -> S3 Website
  2. API Gateway: Route 53 -> API Gateway (Edge) -> Existing API
  3. Simple Service: Route 53 -> API Gateway (Edge) -> EC2
  4. LoadBalanced Service: Route 53 -> API Gateway (Edge) -> ELB -> EC2
  5. LoadBalanced Data Service: Route 53 -> API Gateway (Edge) -> VPC Link -> ELB -> EC2 -> RDS
  6. ECS Cluster: Route 53 -> API Gateway (Edge) -> VPC Link -> ELB -> ECS -> RDS
  7. EKS Cluster: Route 53 -> API Gateway (Edge) -> VPC Link -> ELB -> EKS -> RDS

Required Environment Variables

This project requires the following repository secrets to be set up in GitHub Actions.

| Secret Name | Description | Example Value |
|---|---|---|
| AWS_ACCESS_KEY_ID | The programmatic access key ID of the IAM user that will be used to deploy resources on AWS. The necessary IAM permissions are described below. | N/A |
| AWS_SECRET_ACCESS_KEY | The programmatic secret access key of the IAM user that will be used to deploy resources on AWS. The necessary IAM permissions are described below. | N/A |
| AWS_REGION | The region in which the AWS resources will be deployed. | us-east-1 |
| HOSTED_ZONE_NAME | The name of the Route 53 hosted zone in which the DNS records for the deployed websites/APIs will be added. | example.io |
| NEUTRINO_USER_ID | 2-ApiGateway proxies to Neutrino's convert API. Create an account with NeutrinoAPI with a user ID of your choice and provide that user ID in this secret. | my-user-id |
| NEUTRINO_API_KEY | 2-ApiGateway proxies to Neutrino's convert API. Use the testing API key generated when you created an account with Neutrino API. | N/A |
| STATIC_WEBSITE_BUCKET_NAME | For 1-StaticWebsite, this is the bucket in which the source code of the static website is saved. I believe this bucket should have the same name as the value of STATIC_WEBSITE_HOST. | terraform.example.io |
| STATIC_WEBSITE_HOST | For 1-StaticWebsite, this is the host name at which the static website will be hosted. | terraform.example.io |
| API_GATEWAY_HOST | For 2-ApiGateway, this is the host name at which the API will be hosted. | api.example.io |
| SIMPLE_SERVICE_HOST | For 3-SimpleService, this is the host name at which the API will be hosted. | todo.example.io |
| LOAD_BALANCED_SERVICE_HOST | For 4-LoadBalancedService, this is the host name at which the API will be hosted. | measurements.example.io |
| DATA_SERVICE_HOST | For 5-DataService, this is the host name at which the API will be hosted. | noticeboard.example.io |
| CONTAINERIZED_APP_HOST | For 6-ContainerizedService, this is the host name at which the API will be hosted. | taskmonkey.example.io |
| RDS_PSQL_INSTANCE_IDENTIFIER | The DB identifier of an RDS PostgreSQL instance. | my-postgresqldb-on-aws |
| RDS_PSQL_MASTER_USERNAME | The username used to connect to the RDS PostgreSQL instance. This role should be able to create a database, create roles, and grant permissions. | N/A |
| RDS_PSQL_MASTER_PASSWORD | The password for the RDS master username provided above. | N/A |

Required IAM Permissions:

To use S3 as the Terraform state backend (replace `mybucket` and the key path with your own):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::mybucket"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::mybucket/path/to/my/key"
    }
  ]
}
```

The IAM policy attached to the Terraform IAM user that runs these experiments:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "cognito-identity:*",
                "cognito-idp:*"
            ],
            "Resource": [
                "arn:aws:cognito-identity:ap-south-1:838107339577:identitypool/*",
                "arn:aws:wafv2:ap-south-1:838107339577:*/webacl/*/*",
                "arn:aws:cognito-idp:ap-south-1:838107339577:userpool/*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "waf:ListWebACLs",
                "rds:*",
                "wafv2:GetWebACL",
                "kinesis:ListStreams",
                "route53domains:*",
                "waf:GetWebACL",
                "apigateway:*",
                "cloudwatch:*",
                "ecs:*",
                "ec2:*",
                "wafv2:ListWebACLs",
                "sns:ListTopics",
                "elasticfilesystem:*",
                "s3:*",
                "kinesis:DescribeStream",
                "ssm:*",
                "ecr:*",
                "acm:*",
                "application-autoscaling:*",
                "logs:*",
                "autoscaling:*",
                "servicediscovery:*",
                "cloudfront:*",
                "events:*",
                "cloudformation:*",
                "iam:*",
                "cognito-idp:*",
                "cognito-identity:*",
                "codedeploy:*",
                "elasticloadbalancing:*",
                "route53:*",
                "lambda:*",
                "cognito-idp:ConfirmDevice"
            ],
            "Resource": "*"
        }
    ]
}
```
  • Don't count on me to update the IAM policy above
  • TODO: Figure out the minimum set of permissions for each experiment. This article describes how it can be done using iamlive by Ian McKay.
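Until the per-experiment minimum is worked out, it helps to see which statements in a policy like the one above most need narrowing. The following audit is an added example, not code from this repository: it flags service-wide actions (`rds:*`, `s3:*`, ...) and statements that apply to `Resource: "*"`, and marks a statement as making the deploy user an IAM administrator when an identity-service wildcard such as `iam:*` is combined with `Resource: "*"`. `POLICY_EXCERPT` is a constructed, shortened copy of the README's policy with the account ID and region replaced by placeholders, and `IDENTITY_SERVICES` is my own list.

```python
import json

# Constructed excerpt of the Terraform user's policy shown in this README: the
# real action list is longer, and account ID and region are replaced by placeholders.
POLICY_EXCERPT = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow",
     "Action": ["cognito-identity:*", "cognito-idp:*"],
     "Resource": ["arn:aws:cognito-identity:REGION:ACCOUNT_ID:identitypool/*"]},
    {"Sid": "VisualEditor1", "Effect": "Allow",
     "Action": ["waf:ListWebACLs", "rds:*", "s3:*", "iam:*", "ec2:*",
                "kinesis:DescribeStream", "lambda:*"],
     "Resource": "*"}
  ]
}""")

# A service-wide "*" on one of these lets the principal change its own permissions.
IDENTITY_SERVICES = {"iam", "sts", "organizations", "sso"}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return one finding per Allow statement that grants wildcards: its service-wide
    actions, whether it applies to every resource, and whether it is IAM-admin level."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        wildcard_actions = sorted(a for a in actions if a == "*" or a.endswith(":*"))
        any_resource = "*" in resources
        if not wildcard_actions and not any_resource:
            continue
        services = {a.split(":")[0] for a in wildcard_actions}  # a bare "*" stays "*"
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "wildcard_actions": wildcard_actions,
            "any_resource": any_resource,
            "iam_admin": any_resource and bool(services & (IDENTITY_SERVICES | {"*"})),
        })
    return findings
```

Running `audit_policy(POLICY_EXCERPT)` reports both statements, but only `VisualEditor1` is marked `iam_admin`; the S3 backend policy further up produces no findings at all, which is the shape each experiment's policy should eventually have.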