
Trying out Terraform

Primary Language: HCL

Terraform Experiments


  • 1. Static Website: Route 53 -> CloudFront -> S3 Website
  • 2. API Gateway: Route 53 -> API Gateway (Edge) -> Existing API
  • 3. Simple Service: Route 53 -> API Gateway (Edge) -> EC2
  • 4. Load Balanced Service: Route 53 -> API Gateway (Edge) -> ELB -> EC2
  • 5. Load Balanced Data Service: Route 53 -> API Gateway (Edge) -> VPC Link -> ELB -> EC2 -> RDS
  • 6. ECS Cluster: Route 53 -> API Gateway (Edge) -> VPC Link -> ELB -> ECS -> RDS
  • 7. EKS Cluster: Route 53 -> API Gateway (Edge) -> VPC Link -> ELB -> EKS -> RDS

Required Environment Variables

This project requires the following repository secrets to be set up in GitHub Actions. AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are long-lived IAM user credentials: anyone who can modify the repository's workflows can exercise them, so the IAM user should carry no more than the permissions described below.

| Secret Name | Description | Example Value |
| --- | --- | --- |
| AWS_ACCESS_KEY_ID | The programmatic access key ID of the IAM user that will be used to deploy resources on AWS. The necessary IAM permissions are described below. | N/A |
| AWS_SECRET_ACCESS_KEY | The programmatic secret access key of the IAM user that will be used to deploy resources on AWS. The necessary IAM permissions are described below. | N/A |
| AWS_REGION | The region in which the AWS resources will be deployed. | us-east-1 |
| HOSTED_ZONE_NAME | The name of the Route 53 hosted zone in which the DNS records for the deployed websites/APIs will be added. | example.io |
| NEUTRINO_USER_ID | 2-ApiGateway proxies to Neutrino's convert API. Create an account with NeutrinoAPI with a user ID of your choice and provide that user ID in this secret. | my-user-id |
| NEUTRINO_API_KEY | 2-ApiGateway proxies to Neutrino's convert API. Use the testing API key generated when you created the NeutrinoAPI account. | N/A |
| STATIC_WEBSITE_BUCKET_NAME | For 1-StaticWebsite, this is the bucket in which the source code of the static website is saved. I believe this bucket should have the same name as the value of STATIC_WEBSITE_HOST. | terraform.example.io |
| STATIC_WEBSITE_HOST | For 1-StaticWebsite, this is the host name at which the static website will be hosted. | terraform.example.io |
| API_GATEWAY_HOST | For 2-ApiGateway, this is the host name at which the API will be hosted. | api.example.io |
| SIMPLE_SERVICE_HOST | For 3-SimpleService, this is the host name at which the API will be hosted. | todo.example.io |
| LOAD_BALANCED_SERVICE_HOST | For 4-LoadBalancedService, this is the host name at which the API will be hosted. | measurements.example.io |
| DATA_SERVICE_HOST | For 5-DataService, this is the host name at which the API will be hosted. | noticeboard.example.io |
| CONTAINERIZED_APP_HOST | For 6-ContainerizedService, this is the host name at which the API will be hosted. | taskmonkey.example.io |
| RDS_PSQL_INSTANCE_IDENTIFIER | The DB identifier of an RDS PostgreSQL instance. | my-postgresqldb-on-aws |
| RDS_PSQL_MASTER_USERNAME | The username used to connect to the RDS PostgreSQL instance. This role should be able to create a database, create roles, and grant permissions. | N/A |
| RDS_PSQL_MASTER_PASSWORD | The password for the RDS master username provided above. | N/A |

Required IAM Permissions:

To use S3 as Backend:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::mybucket"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::mybucket/path/to/my/key"
    }
  ]
}
```

The IAM policy used by the terraform user that runs these experiments (the action and resource lists are elided here). Note that the VisualEditor1 statement applies its actions to every resource (`"Resource": "*"`), so it grants far more than any single experiment needs:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                ...
            ],
            "Resource": [
                ...
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                ...
            ],
            "Resource": "*"
        }
    ]
}
```
  • Don't count on me to update the IAM policy above
  • TODO: Figure out the minimum set of permissions for each experiment. This article describes how it can be done using iamlive by Ian Mckay.
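One way to work toward that minimum, as an added example that is not part of this repository: take the policy the terraform user currently holds and the policy document iamlive produces after watching a `terraform apply` (an Allow statement listing every API action it saw, with `"Resource": "*"`), then report which grants were never exercised, which observed calls nothing covers, and which statements still carry a wildcard resource, and expand wildcard action patterns into the concrete actions that were actually used. Both policy documents in the script are constructed samples shaped like the S3 backend policy and the VisualEditor policy above; the Sids, action lists, bucket name and key are assumptions, not values from this repository.

```python
"""Compare a Terraform user's IAM policy with the actions iamlive observed.

Added example, not part of this repository.  Assumptions: both documents use
Action/Resource (not NotAction/NotResource), and the observed document has
the shape iamlive emits: Allow statements of concrete actions, Resource "*".
"""
import fnmatch
import json
from typing import Dict, List, Set

# Constructed sample: the broad policy the terraform user holds today.  The
# first two statements follow the S3 backend policy; the third stands in for
# a visual-editor statement with a wildcard resource.  Names are made up.
CURRENT_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "TerraformStateBucket", "Effect": "Allow",
     "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::mybucket"},
    {"Sid": "TerraformStateObject", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::mybucket/path/to/my/key"},
    {"Sid": "VisualEditor1", "Effect": "Allow",
     "Action": ["route53:*", "cloudfront:*", "ec2:Describe*", "iam:PassRole"],
     "Resource": "*"}
  ]
}
""")

# Constructed sample in iamlive's output shape: what one apply of a
# Route 53 -> CloudFront -> S3 stack might have called (assumed, not captured).
OBSERVED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject",
                "route53:ListHostedZones", "route53:ChangeResourceRecordSets",
                "cloudfront:CreateDistribution", "ec2:DescribeVpcs",
                "acm:RequestCertificate"],
     "Resource": "*"}
  ]
}
""")


def _as_list(value) -> list:
    """IAM accepts a string or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def allow_statements(policy: Dict) -> List[Dict]:
    """Allow statements with Action/Resource normalized to lists."""
    out = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow":
            out.append({"Sid": stmt.get("Sid", ""),
                        "Action": _as_list(stmt.get("Action")),
                        "Resource": _as_list(stmt.get("Resource"))})
    return out


def action_matches(pattern: str, action: str) -> bool:
    """IAM action matching: '*' and '?' wildcards, case-insensitive."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def granted_actions(policy: Dict) -> Set[str]:
    """Every action pattern allowed anywhere in the policy."""
    return {a for s in allow_statements(policy) for a in s["Action"]}


def unused_grants(current: Dict, observed: Dict) -> List[str]:
    """Granted patterns that matched nothing iamlive saw: candidates to drop."""
    seen = granted_actions(observed)
    return sorted(p for p in granted_actions(current)
                  if not any(action_matches(p, a) for a in seen))


def uncovered_actions(current: Dict, observed: Dict) -> List[str]:
    """Observed actions no grant covers: these would fail with AccessDenied."""
    grants = granted_actions(current)
    return sorted(a for a in granted_actions(observed)
                  if not any(action_matches(p, a) for p in grants))


def wildcard_resource_sids(policy: Dict) -> List[str]:
    """Sid (or position) of each Allow statement that applies to Resource '*'."""
    return [s["Sid"] or str(i) for i, s in enumerate(allow_statements(policy))
            if "*" in s["Resource"]]


def tighten(current: Dict, observed: Dict) -> Dict:
    """Replace each action pattern with the concrete observed actions it
    matched and drop patterns that matched nothing.  Resources are kept as
    they are: iamlive reports '*', so ARNs still have to be scoped by hand."""
    seen = granted_actions(observed)
    statements = []
    for s in allow_statements(current):
        actions = sorted({a for p in s["Action"] for a in seen
                          if action_matches(p, a)})
        if not actions:
            continue  # nothing in this statement was exercised
        statements.append({"Sid": s["Sid"], "Effect": "Allow",
                           "Action": actions,
                           "Resource": s["Resource"][0]
                           if len(s["Resource"]) == 1 else s["Resource"]})
    return {"Version": current.get("Version", "2012-10-17"),
            "Statement": statements}


if __name__ == "__main__":
    print("unused grants:", unused_grants(CURRENT_POLICY, OBSERVED_POLICY))
    print("uncovered calls:", uncovered_actions(CURRENT_POLICY, OBSERVED_POLICY))
    print("wildcard resources:", wildcard_resource_sids(CURRENT_POLICY))
    print(json.dumps(tighten(CURRENT_POLICY, OBSERVED_POLICY), indent=2))
```

Two cautions on reading the output. A grant that one run never exercised is not automatically safe to drop: an apply, a destroy and workspace operations call different APIs, so capture several runs before removing anything. And the tightened policy still says `"Resource": "*"` wherever the original did, because iamlive does not report ARNs; scoping those statements to the hosted zone, distribution or VPC the experiment actually touches is a manual step.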