Skip to content

w-k-s/Terraform-Experiment

BranchesTags

Repository files navigation

Terraform Experiments

Experiments

  • 1. Static Website Route 53 -> Cloudfront -> S3 Website
  • 2. API Gateway Route 53 -> Api Gateway (Edge) -> Existing API
  • 3. Simple Service Route 53 -> Api Gateway (Edge) -> EC2
  • 4. LoadBalanced Service Route 53 -> Api Gateway (Edge) -> ELB -> EC2
  • 5. LoadBalanced Data Service Route 53 -> Api Gateway (Edge) -> VPC Link -> ELB -> EC2 -> RDS
  • 6. ECS Cluster Route 53 -> Api Gateway (Edge) -> VPC Link -> ELB -> ECS -> RDS
  • 7. EKS Cluster Route 53 -> Api Gateway (Edge) -> VPC Link -> ELB -> EKS -> RDS

Required Environment Variables

This project requires the following Repository Secrets to be setup in Github Actions.

Secret Name Description Example Value
AWS_ACCESS_KEY_ID The Programmatic Access Key Id of the IAM User that will be used to deploy resources on AWS. The necessary IAM permissions are described below N/A
AWS_SECRET_ACCESS_KEY The Programmatic Access Secret Key of the IAM user that will be used to deploy resources on AWS. The necessary IAM permissions are described below N/A
AWS_REGION The region in which the AWS resources will be deployed. us-east-1
HOSTED_ZONE_NAME The Name of the Route 53 Hosted Zone in which the DNS records for the deployed websites/APIs will be added. example.io
NEUTRINO_USER_ID 2-ApiGateway proxies to Neutrino's convert API. Create an account with NeutrinoAPI with a user-id of your choice and provide this user id in the secret. my-user-id
NEUTRINO_API_KEY 2-ApiGateway proxies to Neutrino's convert API. Use the testing API key generated when you created an account with Neutrino API N/A
STATIC_WEBSITE_BUCKET_NAME For 1-StaticWebsite, this is the bucket in which the source code of the static website is saved. I believe this bucket should have the same name as the value STATIC_WEBSITE_HOST terraform.example.io
STATIC_WEBSITE_HOST For 1-StaticWebsite, this is the host name at which the static website will be hosted. terraform.example.io
API_GATEWAY_HOST For 2-ApiGateway, this is the host name at which the API will be hosted api.example.io
SIMPLE_SERVICE_HOST For 3-SimpleService, this is the host name at which the API will be hosted todo.example.io
LOAD_BALANCED_SERVICE_HOST For 4-LoadBalancedService, this is the host name at which the API will be hosted measurements.example.io
DATA_SERVICE_HOST For 5-DataService, this is the host name at which the API will be hosted noticeboard.example.io
CONTAINERIZED_APP_HOST For 6-ContainerizedService, this is the host name at which the API will be hosted taskmonkey.example.io
RDS_PSQL_INSTANCE_IDENTIFIER The DB identifier of a RDS PostgreSQL instance my-postgresqldb-on-aws
RDS_PSQL_MASTER_USERNAME The username to connect to the RDS PSQL instance. This role should eb able to create a database, create roles, and grant permissions N/A
RDS_PSQL_MASTER_PASSWORD The password for the RDS master username provided earlier N/A

Required IAM Permissions:

To use S3 as Backend:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::mybucket"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::mybucket/path/to/my/key"
    }
  ]
}

The IAM policy used by the terraform user (that runs these experiments):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "cognito-identity:*",
                "cognito-idp:*"
            ],
            "Resource": [
                "arn:aws:cognito-identity:ap-south-1:838107339577:identitypool/*",
                "arn:aws:wafv2:ap-south-1:838107339577:*/webacl/*/*",
                "arn:aws:cognito-idp:ap-south-1:838107339577:userpool/*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "waf:ListWebACLs",
                "rds:*",
                "wafv2:GetWebACL",
                "kinesis:ListStreams",
                "route53domains:*",
                "waf:GetWebACL",
                "apigateway:*",
                "cloudwatch:*",
                "ecs:*",
                "ec2:*",
                "wafv2:ListWebACLs",
                "sns:ListTopics",
                "elasticfilesystem:*",
                "s3:*",
                "kinesis:DescribeStream",
                "ssm:*",
                "ecr:*",
                "acm:*",
                "application-autoscaling:*",
                "logs:*",
                "autoscaling:*",
                "servicediscovery:*",
                "cloudfront:*",
                "events:*",
                "cloudformation:*",
                "iam:*",
                "cognito-idp:*",
                "cognito-identity:*",
                "codedeploy:*",
                "elasticloadbalancing:*",
                "route53:*",
                "lambda:*",
                "cognito-idp:ConfirmDevice"
            ],
            "Resource": "*"
        }
    ]
}
  • Don't count on me to update the IAM policy above
  • TODO: Figure out the minimum set of permissions for each experiment. This article describes how it can be done using iamlive by Ian Mckay.

About

Trying out Terraform

Topics

kotlin terraform aws-s3 spring-data-rest grpc aws-elb aws-sqs aws-ecr aws-ec2 aws-ecs aws-rds aws-parameter-store system-design spring-data-jdbc aws-session-manager

Resources

Readme
Activity

Stars

0 stars

Watchers

2 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

 
 
 

Languages