Service catalog infrastructure stack
This stack will provision an Amazon VPC along with a bastion EC2 server and various components necessary for deploying other stacks in a production environment.
- EC2 Amazon Elastic Compute Cloud
- S3 Amazon Simple Storage Service
- VPC Amazon Virtual Private Cloud
- containing subnets, key pair, security groups, ...
- SES Amazon Simple Email Service
- IAM Amazon Identity and Access Management
In order to run this task, couple elements are required within the infrastructure:
- Having an S3 bucket to store Terraform remote states Here
Note The pipeline contains a manual approval between terraform plan and terraform apply. That means if you trigger a terraform plan, to apply it, you have to go on terraform apply job and click on the
+
button to trigger it.
Jobs description
terraform-plan
: Terraform job that will simply make a plan of the infrastructure's stack.terraform-apply
: Terraform job similar to the plan one, but will actually create/update everything that needs to. Please see the plan diff for a better understanding.terraform-destroy
:⚠️ Terraform job meant to destroy the whole stack - NO CONFIRMATION ASKED. If triggered, the full project WILL be destroyed. Use with caution.deploy-bastion
: Ansible job meant to configure Amazon EC2 server used as bastion.
Params
Name | Description | Type | Default | Required |
---|---|---|---|---|
ansible_vault_password |
Password used by ansible vault to decrypt your vaulted files. | - |
((custom_ansible_vault_password)) |
True |
aws_access_key |
Amazon AWS access key for Terraform. see value format Here | - |
((aws.access_key)) |
True |
aws_default_region |
Amazon AWS region to use for Terraform. | - |
eu-west-1 |
True |
aws_secret_key |
Amazon AWS secret key for Terraform. see value format Here | - |
((aws.secret_key)) |
True |
bastion_keypair |
bastion SSH private key used by ansible to connect on aws ec2 instances and the bastion itself. | - |
((ssh_bastion.ssh_key)) |
True |
config_git_branch |
Branch of the config git repository. | - |
config |
True |
config_git_private_key |
SSH key pair to fetch the config git repository. | - |
((ssh_config_ro.ssh_key)) |
True |
config_git_repository |
Git repository url containing the config of the stack. | - |
ssh://[email protected]/v1/repos/myRepo |
True |
customer |
Name of the Cycloid Organization, used as customer variable name. | - |
($ organization_canonical $) |
True |
env |
Name of the project's environment. | - |
($ environment $) |
True |
extra_tags |
Dict of extra tags to add on aws resources. format { "foo" = "bar" }. | - |
{} |
False |
project |
Name of the project. | - |
($ project $) |
True |
stack_git_branch |
Git branch of the stack source code. | - |
master |
True |
stack_git_repository |
Url to the git repository containing infrastructure stack source code. | - |
https://github.com/cycloid-community-catalog/stack-infrastructure |
True |
terraform_storage_bucket_name |
AWS S3 bucket name to store terraform remote state file. | - |
($ organization_canonical $)-terraform-remote-state |
True |
terraform_storage_bucket_path |
AWS S3 bucket path to store terraform remote state file. | - |
($ project $)/($ environment $) |
True |
Inputs
Name | Description | Type | Default | Required |
---|---|---|---|---|
backup_bucket_prefix |
Prefix for the S3 backup bucket (change it if a bucket with the same name already exists) - defaults to '${var.customer}-' | - |
"" |
False |
bastion_allowed_networks |
Networks allowed to connect to the bastion using SSH | - |
0.0.0.0/0 |
False |
bastion_instance_type |
Instance type for the bastion | - |
t3.micro |
False |
create_backup_user |
If a backup user has to be created or not | int |
0 |
False |
create_infra_user |
If an admin user infra has to be created or not | int |
0 |
False |
create_s3_bucket_remote_state |
terraform_remote_state s3 bucket has to be created or not | int |
0 |
False |
enable_dynamodb_endpoint |
Should be true if you want to provision a DynamoDB endpoint to the VPC | bool |
false |
False |
enable_s3_endpoint |
Should be true if you want to provision an S3 endpoint to the VPC | bool |
false |
False |
extra_admin_users |
List of users to give the administrator access role to | list |
[] |
False |
infra_associate_vpc_to_all_private_zones |
Should be true if you want to associate the infra VPC to staging and prod privates zones. | bool |
false |
False |
infra_cidr |
The CIDR of the infra VPC | - |
10.0.0.0/16 |
False |
infra_private_subnets |
The private subnets for the infra VPC | list |
["10.0.0.0/24", "10.0.2.0/24", "10.0.4.0/24"] |
False |
infra_public_subnets |
The public subnets for the infra VPC | list |
["10.0.1.0/24", "10.0.3.0/24", "10.0.5.0/24"] |
False |
keypair_name |
The human-readable keypair name to be used for instances deployment | - |
"${var.customer}-${var.project}${var.suffix}" |
False |
keypair_public |
The public SSH key, for SSH access to newly-created instances | - |
`` | True |
metrics_allowed_sg |
If you use the prometheus stack, you can define the provider and define the metrics_allowed_sg variable after creating promeheusFirst create infra, second create prometheus, third uncomment variable | - |
`` | False |
prod_cidr |
The CIDR of the prod VPC | - |
10.2.0.0/16 |
False |
prod_elasticache_subnets |
The Elasticache subnets for the prod VPC | list |
[] |
False |
prod_private_subnets |
The private subnets for the prod VPC | list |
["10.2.0.0/24", "10.2.2.0/24", "10.2.4.0/24"] |
False |
prod_public_subnets |
The public subnets for the prod VPC | list |
["10.2.1.0/24", "10.2.3.0/24", "10.2.5.0/24"] |
False |
prod_rds_subnets |
The RDS subnets for the prod VPC | list |
["10.2.2.0/24", "10.2.6.0/24", "10.2.10.0/24"] |
False |
readonly_groups |
list |
[] |
False |
|
readonly_users |
List of users to give a read-only access to | list |
[] |
False |
staging_cidr |
The CIDR of the staging VPC | - |
10.1.0.0/16 |
False |
staging_elasticache_subnets |
The Elasticache subnets for the staging VPC | list |
[] |
False |
staging_private_subnets |
The private subnets for the staging VPC | list |
["10.1.0.0/24", "10.1.2.0/24", "10.1.4.0/24"] |
False |
staging_public_subnets |
The public subnets for the staging VPC | list |
["10.1.1.0/24", "10.1.3.0/24", "10.1.5.0/24"] |
False |
staging_rds_subnets |
The RDS subnets for the staging VPC | list |
["10.1.2.0/24", "10.1.6.0/24", "10.1.10.0/24"] |
False |
zones |
The availability zones you want to use | - |
[] |
False |
Outputs
Name | Description |
---|---|
bastion_ip | The EIP attached to the bastion EC2 server |
bastion_sg | The bastion security group ID. |
deployment_bucket_name | S3 bucket name for the deployment bucket |
iam_backup_user_key | The dedicated backup user |
iam_backup_user_secret | The dedicated backup user secret |
iam_policy_infra-backup | IAM read and write policy to the S3 backup bucket |
iam_policy_infra-logs | IAM write policy to AWS Cloudwatch logs |
iam_policy_s3-deployment | IAM read and write policy to the S3 deployment bucket |
iam_ses_smtp_user_key | The dedicated SES user |
iam_ses_smtp_user_secret | The dedicated SES user secret |
infra_bastion_sg_allow | The security group ID to allow SSH traffic from the bastion to the infra instances |
infra_private_subnets | The private subnets for the infra VPC |
infra_private_zone_id | The Route53 private zone ID for the infra VPC |
infra_public_subnets | The public subnets for the infra VPC |
infra_rds_parameters-mysql57 | The RDS parameter group ID for the infra VPC |
infra_vpc_id | The VPC ID for the infra VPC |
keypair_name | The deployment keypair name |
prod_bastion_sg_allow | security group ID tp allow SSH traffic from the bastion to the prod instances |
prod_elasticache_subnet_group | The elasticache subnet group for the prod VPC |
prod_elasticache_subnets | The elasticache subnets for the prod VPC |
prod_private_subnets | The private subnets for the prod VPC |
prod_private_zone_id | Route53 private zone ID for the prod VPC |
prod_public_subnets | The public subnets for the prod VPC |
prod_rds_parameters-mysql57 | RDS db parameters ID for the prod VPC |
prod_rds_subnet_group | The RDS subnet group for the prod VPC |
prod_rds_subnets | The RDS subnets for the prod VPC |
prod_redshift_subnet_group | The Redshift subnet group for the prod VPC |
prod_redshift_subnets | The redshift subnets for the prod VPC |
prod_vpc_id | The VPC ID for the prod VPC |
staging_bastion_sg_allow | security group ID tp allow SSH traffic from the bastion to the staging instances |
staging_elasticache_subnet_group | The elasticache subnet group for the staging VPC |
staging_elasticache_subnets | The elasticache subnets for the staging VPC |
staging_private_subnets | The private subnets for the staging VPC |
staging_private_zone_id | Route53 private zone ID for the staging VPC |
staging_public_subnets | The public subnets for the staging VPC |
staging_rds_parameters-mysql57 | RDS db parameters ID for the staging VPC |
staging_rds_subnet_group | The RDS subnet group for the staging VPC |
staging_rds_subnets | The RDS subnets for the staging VPC |
staging_redshift_subnet_group | The Redshift subnet group for the staging VPC |
staging_redshift_subnets | The redshift subnets for the staging VPC |
staging_vpc_id | The VPC ID for the staging VPC |
zones | AWS availability zones used |
Name | Description | Type | Default | Required |
---|---|---|---|---|
backup_snapshots |
Setup cron to trigger EC2 snapshots. | dict |
{} |
False |
base_custom_hosts |
Define extra custom hosts for the /etc/hosts file to fill with | dict |
{} |
False |
base_deps |
When set to true it will try installing extra packagesd defined afterwards | bool |
true |
False |
base_extra_packages |
The extra packages (deb/rpm) to install | list |
[] |
False |
base_extra_pip_packages |
The extra pip packages to install | list |
[] |
False |
base_hosts |
If host settings should be included | bool |
true |
False |
base_hosts_suffix |
Specify if you want specific hosts suffix | - |
"" |
False |
base_manage_host_file |
Set to true if you want the hosts file to be managed | bool |
true |
False |
base_manage_host_r53 |
Set to true if you want internal entries to be created | bool |
false |
False |
base_r53_internal_zone |
Defines in which internal zone entries should be added in R53 | - |
"" |
False |