- Move to terraform directory
terraform login- enter
yes - paste in the tfc secret provided by your tfc owner
terragrunt init
- Locals will typically be set in the top-most hcl file
- Notice the funcs used for the environment key; this parses the pwd to get the closest dir name, which is usually dev/prod/test/sandbox
- So you want to
cdto the workspace directory to "switch workspaces" i.e. be interraform/dev/to apply changes to your dev workspace - Common workspace configuration values (eg: ram) can created for access in the
terraform/config.yamlfile - You can also provision per-workspace S3 buckets in the
terraform/config.yamlconfiguration file
Sandbox points directly to the pathfinder team's modules. it can be used to create shared services like ECR and is similar to the tools namespace of Openshift. Note that in the case of ECR, an output will be produced showing a link to the registry.
The sandbox workspace is version controlled but currently does not have drift detected during deploys. This is because sandbox contains business critical data. eg: If the ECR is deleted, all images are deleted.
- The AWS pipeline runs on PR and detects drift via
terragruntwhich does passthrough of toterraform terraformconnects toterraform cloudand checks it's state file, which is maintained in the pathfinder team'sterraform cloudaccount- This state file is compared to current cloud resources and drift is displayed in the
plan - following a successful check via
terragrunt plan(equivalent toterraform plan) the pipeline runs aterragrunt apply - the
terragrunt applyupdates the cloud resources and state file to be equivalent based on the terraform module code.
cdto the workspace of your choice, usualydevsoterraform/dev. This will make terragrunt target the workspace based on yourpwdterragrunt planand thenterragrunt applyif successful
Note: a successful plan does not guarantee a successful apply. Provider issues such as race conditions, or cyclical dependencies can occur, especially with security groups.
terragrunt state listto fetch the list of currently provisioned cloud resourcesterragrunt taint <state.name>to mark a resource as faulty, it will be destroyed at next applyterragrunt destroytear down all cloud resources in the workspace
discord_sysdig_webhook.tf contains the resources for the web service used to connect Sysdig to Discord. At the time of writing, Sysdig's webhook messages are not in the format required for Discord's webhook API, thus, we created this service to format the messages properly so that we can get infrastructure monitoring and alerting to our Discord server.
The key "prod/mds/discord-webhook-link" is the webhook link for the #alerts channel in the Discord server. This secret was added manually and is required for the service to work. If it is removed, be sure to create a new secret in AWS Secrets Manager that contains a working webhook link to the #alerts or your desired text channel.
This project is run with terragrunt using Terraform Cloud as the backend to store its state. This project is currently deployed in prod and we only need ONE copy of this. To rebuild/deploy/redeploy this project, navigate to the prod directory and run:
terragrunt apply
There are AWS Cloudwatch log groups attached to the lambda function and the API gateway resources for this project. If you need to check the logs on either service, login to AWS and check for their log groups or navigate to each resource and check their logs.
To see the names of the log groups, you should be able to get the information from running:
terragrunt show
This section covers the Sysdig Alerts that are sourced / deployed / provisioned with Terraform.
As of September 15th, 2022, the notification channel id for Discord notifications is 77077. If you need to create a new channel, use the following request
curl -X GET https://app.sysdigcloud.com/api/notificationChannels -H 'Authorization: Bearer <sysdig_api_token>'
to get the notification channel id and use that id for each of the alerts here.
The key ____ is the Sysdig Monitor API token This secret was added manually and is required to successfully deploy/redeploy the alerts. If it is changed, update the secret within AWS Secrets Manager (currently prod).