From af0d76d7b891ec89c27563f700c11f8bd427076f Mon Sep 17 00:00:00 2001 
From: Diego OJ Date: Fri, 14 Apr 2023 22:32:20 -0300 Subject: [PATCH 01/19] Rename 'First Steps', create 'Concepts' and 'Reference', move around files and rewrite parts of it --- docs/concepts/next-steps.md | 6 + docs/concepts/our-tech-stack.md | 215 +++++++++++++++++ docs/concepts/overview.md | 19 ++ docs/concepts/what-is-leverage.md | 23 ++ .../why-leverage.md | 18 +- .../why-our-tech-stack.md} | 7 - docs/how-it-works/ref-architecture/index.md | 2 +- .../aws-account-setup.md | 0 .../introduction.md | 0 .../leverage-project-setup.md | 0 .../local-setup.md | 0 .../management-account.md | 0 .../post-deployment.md | 2 +- .../security-and-shared-accounts.md | 0 docs/user-guide/index.md | 15 -- .../infra-as-code-library/index.md | 0 .../infra-as-code-library-forks.md | 0 .../infra-as-code-library-specs.md | 0 .../modules-library-per-tech.md | 0 ...nstall-leverage-cli.md => installation.md} | 0 .../leverage-cli/overview.md} | 9 +- docs/user-guide/overview.md | 12 + .../ref-architecture-ansible/configs.md | 12 +- .../ref-architecture-ansible/workflow.md | 2 +- .../ref-architecture-aws/configs.md | 0 .../ref-architecture-aws/credentials.md | 0 .../ref-architecture-aws/dir-structure.md | 46 ++-- .../ref-architecture-aws/overview.md | 13 + .../ref-architecture-aws/tf-state-setup.md | 0 .../ref-architecture-aws/tf-state-workflow.md | 2 +- .../ref-architecture-aws/tf-workflow.md} | 2 +- .../ref-architecture-vault/configs.md | 0 .../ref-architecture-vault/dir-structure.md | 0 .../tf-state-workflow.md | 0 .../ref-architecture-vault/workflow.md | 0 .../user-guide/troubleshooting/credentials.md | 31 +++ docs/welcome.md | 67 ------ material/overrides/home-es.html | 2 +- material/overrides/home.html | 2 +- mkdocs.yml | 225 +++++++++--------- 40 files changed, 481 insertions(+), 251 deletions(-) create mode 100644 docs/concepts/next-steps.md create mode 100644 docs/concepts/our-tech-stack.md create mode 100644 docs/concepts/overview.md create mode 100644 
docs/concepts/what-is-leverage.md rename docs/{how-it-works/ref-architecture/general-concepts => concepts}/why-leverage.md (94%) rename docs/{how-it-works/ref-architecture/general-concepts/why-tech-stack.md => concepts/why-our-tech-stack.md} (99%) rename docs/{first-steps => try-leverage}/aws-account-setup.md (100%) rename docs/{first-steps => try-leverage}/introduction.md (100%) rename docs/{first-steps => try-leverage}/leverage-project-setup.md (100%) rename docs/{first-steps => try-leverage}/local-setup.md (100%) rename docs/{first-steps => try-leverage}/management-account.md (100%) rename docs/{first-steps => try-leverage}/post-deployment.md (99%) rename docs/{first-steps => try-leverage}/security-and-shared-accounts.md (100%) delete mode 100644 docs/user-guide/index.md rename docs/{how-it-works => user-guide}/infra-as-code-library/index.md (100%) rename docs/{how-it-works => user-guide}/infra-as-code-library/infra-as-code-library-forks.md (100%) rename docs/{how-it-works => user-guide}/infra-as-code-library/infra-as-code-library-specs.md (100%) rename docs/{how-it-works => user-guide}/infra-as-code-library/modules-library-per-tech.md (100%) rename docs/user-guide/leverage-cli/{install-leverage-cli.md => installation.md} (100%) rename docs/{how-it-works/leverage-cli/index.md => user-guide/leverage-cli/overview.md} (89%) create mode 100644 docs/user-guide/overview.md rename docs/user-guide/{ => reference-architectures}/ref-architecture-ansible/configs.md (65%) rename docs/user-guide/{ => reference-architectures}/ref-architecture-ansible/workflow.md (87%) rename docs/user-guide/{ => reference-architectures}/ref-architecture-aws/configs.md (100%) rename docs/user-guide/{ => reference-architectures}/ref-architecture-aws/credentials.md (100%) rename docs/user-guide/{ => reference-architectures}/ref-architecture-aws/dir-structure.md (84%) create mode 100644 docs/user-guide/reference-architectures/ref-architecture-aws/overview.md rename docs/user-guide/{ => 
reference-architectures}/ref-architecture-aws/tf-state-setup.md (100%) rename docs/user-guide/{ => reference-architectures}/ref-architecture-aws/tf-state-workflow.md (96%) rename docs/user-guide/{ref-architecture-aws/workflow.md => reference-architectures/ref-architecture-aws/tf-workflow.md} (94%) rename docs/user-guide/{ => reference-architectures}/ref-architecture-vault/configs.md (100%) rename docs/user-guide/{ => reference-architectures}/ref-architecture-vault/dir-structure.md (100%) rename docs/user-guide/{ => reference-architectures}/ref-architecture-vault/tf-state-workflow.md (100%) rename docs/user-guide/{ => reference-architectures}/ref-architecture-vault/workflow.md (100%) create mode 100644 docs/user-guide/troubleshooting/credentials.md delete mode 100644 docs/welcome.md diff --git a/docs/concepts/next-steps.md b/docs/concepts/next-steps.md new file mode 100644 index 000000000..345c9bf0c --- /dev/null +++ b/docs/concepts/next-steps.md @@ -0,0 +1,6 @@ +# Next Steps +Now that you know the basics of Leverage feel free to give it a try or check out the reference pages to go deeper into the implementation details. + +:books: See [**Try Leverage**](../try-leverage/introduction.md) to take the tutorial that will help you deploy a basic AWS Landing Zone via Leverage. + +:books: See [**Reference**](../../user-guide/) to take the comprehensive route to learn more about Leverage. diff --git a/docs/concepts/our-tech-stack.md b/docs/concepts/our-tech-stack.md new file mode 100644 index 000000000..3719b65fc --- /dev/null +++ b/docs/concepts/our-tech-stack.md 
@@ -0,0 +1,215 @@ +# Tech Stack +Leverage was built around the [AWS Well Architected Framework](https://aws.amazon.com/architecture/well-architected/) and it uses a stack that includes [Terraform](https://www.terraform.io/), [Ansible](https://www.ansible.com/), [Helm](https://helm.sh/) and other tools. + +We are also adopters and supporters of Kubernetes and the Cloud Native movement, which you should become self-evident as you keep exploring our technology stack. + +## Why did we choose our tech stack? + +??? info "Why AWS❓" + Amazon Web Services (AWS) is the world’s most comprehensive and broadly adopted + cloud platform, offering over 200 fully featured services from data centers globally. + Millions of customers—including the fastest-growing startups, largest enterprises, + and leading government agencies—are using AWS to lower costs, become more agile, + and innovate faster. + + Build, Deploy, and Manage Websites, Apps or Processes On AWS' Secure, Reliable Network. + AWS is Secure, Reliable, Scalable Services. HIPAA Compliant. + Easily Manage Clusters. Global Infrastructure. Highly Scalable. + + :books: **Read More:** [What is AWS](https://aws.amazon.com/what-is-aws/) + +??? info "Why WAF (Well Architected Framework)❓" + AWS Well-Architected helps cloud architects to build secure, high-performing, resilient, + and efficient infrastructure for their applications and workloads. Based on five pillars + — operational excellence, security, reliability, performance efficiency, and cost + optimization — AWS Well-Architected provides a consistent approach for customers and + partners to evaluate architectures, and implement designs that can scale over time. + + :books: **Read More:** [AWS Well-architected](https://aws.amazon.com/architecture/well-architected) + +??? info "Why Infra as Code (IaC) & Terraform❓" + + - [x] **Confidence:** A change breaks the env? Just roll it back. Still not working? + Build a whole new env with a few keystrokes. IaC enables this. 
+ + - [x] **Repeatability:** Allows your infra to be automatically instantiated, making it + easy to build multiple identical envs. + + - [x] **Troubleshooting:** Check source control and see exactly what changed in the env. + As long as you are diligent and don’t make manual envs changes, then IaC can be a game + changer. + + - [x] **DR:** Require the ability to set up an alternate env in a different DC or Region. + IaC makes this a much more manageable prospect. + + - [x] **Auditability:** + You will need to be able to audit both changes and access to an env, IaC gives you this + right out of the box. + + - [x] **Visibility:** As an env expands over time, is challenging to tell what has been + provisioned. In the #cloud this can be a huge #cost issue. IaC allows tracking your + resources. + + - [x] **Portability:** Some IaC techs are #multicloud. Also, translating #Terraform from + one cloud provider to another is considerably more simple than recreating your entire + envs in a cloud-specific tool. + + - [x] **Security:** See history of changes to your SG rules along with commit messages can + do wonders for being confident about the security configs of your envs. + + **Terraform** allows to codify your application infrastructure, reduce human error and + increase automation by provisioning infrastructure as code. + With TF we can manage infrastructure across clouds and provision infrastructure + across 300+ public clouds and services using a single workflow. + Moreover it helps to create reproducible infrastructure and provision consistent testing, + staging, and production environments with the same configuration. + + **Terraform** has everything we expect from a IaC framework: open source, cloud-agnostic + provisioning tool that supported immutable infrastructure, a declarative language, and + a client-only architecture. 
+ + :books: **Read More** + + - [Why Infrastructure as Code](https://www.simplethread.com/why-infrastructure-as-code/) + - [Why Terraform by Gruntwork](https://blog.gruntwork.io/why-we-use-terraform-and-not-chef-puppet-ansible-saltstack-or-cloudformation-7989dad2865c) + +??? info "Why Organizations❓" + AWS Organizations helps you centrally manage and govern your environment as you grow + and scale your AWS resources. Using AWS Organizations, you can programmatically create + new AWS accounts and allocate resources, group accounts to organize your workflows, + apply policies to accounts or groups for governance, and simplify billing by using a + single payment method for all of your accounts. + + :books: **Read More** + + - [How it works: AWS Organizations](../../features/organization/organization/) + - [AWS Organizations](https://aws.amazon.com/organizations/) + +??? info "Why AIM and roles❓" + AWS Identity and Access Management (IAM) enables you to manage access to AWS services + and resources securely. Using IAM, you can create and manage AWS users and groups, + and use permissions to allow and deny their access to AWS resources. + + - Integration and Fine-grained access control with almost every AWS service and + its resources. + - Multi-factor authentication for highly privileged users. + - Analyze, monitor and audit access. + + :books: **Read More** + + - [How it works: AWS IAM](../../features/identities/identities/) + - [AWS Identity and Access Management (IAM)](https://aws.amazon.com/iam/) + +??? info "Security | Why Web Application Firewall (WAF), Cloud Trail, Config, Guarduty❓" + Raise your security posture with AWS infrastructure and services. + Using AWS, you will gain the control and confidence you need to securely run your + business with the most flexible and secure cloud computing environment available today. 
+ As an AWS customer, you will benefit from AWS data centers and a network architected + to protect your information, identities, applications, and devices. With AWS, you + can improve your ability to meet core security and compliance requirements, such as + data locality, protection, and confidentiality with our comprehensive services and + features. + + :books: **Read More** + + - [How it works: AWS Security](../../features/security/services/) + - [AWS Cloud Security](https://aws.amazon.com/security/) + +??? info "Why VPC❓" + Amazon Virtual Private Cloud (Amazon VPC) is a service that lets you launch AWS + resources in a logically isolated virtual network that you define. You have complete + control over your virtual networking environment, including selection of your own IP + address range, creation of subnets, and configuration of route tables and network + gateways. You can use both IPv4 and IPv6 for most resources in your virtual private + cloud, helping to ensure secure and easy access to resources and applications. + + :books: **Read More** + + - [How it works: AWS Networking](../../features/network/vpc-topology) + - [AWS Virtual Private Cloud](https://aws.amazon.com/vpc) + +??? info "Why Kubernetes (K8s) & AWS EKS❓" + **Kubernetes**, also known as K8s, is an open-source system for automating deployment, + scaling, and management of containerized applications. + It groups containers that make up an application into logical units for easy management + and discovery. Kubernetes builds upon 15 years of experience of running production + workloads at Google, combined with best-of-breed ideas and practices from the community. + + **Amazon Elastic Kubernetes Service (Amazon EKS)** gives you the flexibility to start, + run, and scale Kubernetes applications in the AWS cloud or on-premises. Amazon EKS + helps you provide highly-available and secure clusters and automates key tasks such + as patching, node provisioning, and updates. 
Customers such as Intel, Snap, Intuit, + GoDaddy, and Autodesk trust EKS to run their most sensitive and mission critical + applications. + + **EKS** runs upstream Kubernetes and is certified Kubernetes conformant for a predictable + experience. You can easily migrate any standard Kubernetes application to EKS without + needing to refactor your code. + + :books: **Read More** + + - [How it works: AWS EKS](../../features/compute/k8s-eks/) + - [AWS EKS](https://aws.amazon.com/eks) + - [Kubernetes](https://kubernetes.io/) + +??? info "Why S3❓" + **Amazon Simple Storage Service (Amazon S3)** is an object storage service that offers + industry-leading scalability, data availability, security, and performance. + This means customers of all sizes and industries can use it to store and protect + any amount of data for a range of use cases, such as data lakes, websites, mobile + applications, backup and restore, archive, enterprise applications, IoT devices, + and big data analytics. Amazon S3 provides easy-to-use management features so you + can organize your data and configure finely-tuned access controls to meet your + specific business, organizational, and compliance requirements. Amazon S3 is + designed for 99.999999999% (11 9's) of durability, and stores data for millions + of applications for companies all around the world. + + :books: **Read More** + + - [How it works: AWS Storage](../../features/storage/storage) + - [AWS S3](https://aws.amazon.com/s3) + +??? info "Why RDS❓" + **Amazon Relational Database Service (Amazon RDS)** makes it easy to set up, operate, + and scale a relational database in the cloud. It provides cost-efficient and resizable + capacity while automating time-consuming administration tasks such as hardware + provisioning, database setup, patching and backups. It frees you to focus on your + applications so you can give them the fast performance, high availability, security + and compatibility they need. 
+ + Amazon RDS is available on several database instance types - optimized for memory, + performance or I/O - and provides you with six familiar database engines to choose from, + including Amazon Aurora, PostgreSQL, MySQL, MariaDB, Oracle Database, and SQL Server. + You can use the AWS Database Migration Service to easily migrate or replicate your + existing databases to Amazon RDS. + + :books: **Read More** + + - [How it works: AWS Databases](../../features/database/database/) + - [AWS RDS](https://aws.amazon.com/rds) + +??? info "Why Hashicorp Vault❓" + As many organizations migrate to the public cloud, a major concern has been how to + best secure data, preventing it from unauthorized access or exfiltration. + + Deploying a product like HashiCorp Vault gives you better control of your sensitive + credentials and helps you meet cloud security standards. + + HashiCorp Vault is designed to help organizations manage access to secrets and + transmit them safely within an organization. Secrets are defined as any form of + sensitive credentials that need to be tightly controlled and monitored and can be + used to unlock sensitive information. Secrets could be in the form of passwords, + API keys, SSH keys, RSA tokens, or OTP. + + HashiCorp Vault makes it very easy to control and manage access by providing you + with a unilateral interface to manage every secret in your infrastructure. Not only + that, you can also create detailed audit logs and keep track of who accessed what. + + Manage Secrets and Protect Sensitive Data. Secure, store and tightly control access + to tokens, passwords, certificates, encryption keys for protecting secrets and other + sensitive data using a UI, CLI, or HTTP API. + + :books: **Read More** + + - [How it works: Secrets](../../features/secrets/secrets/) + - [Hashicorp Vault Project](https://www.vaultproject.io/) diff --git a/docs/concepts/overview.md b/docs/concepts/overview.md new file mode 100644 index 000000000..dfc7522d2 --- /dev/null 
+++ b/docs/concepts/overview.md @@ -0,0 +1,19 @@ +--- +template: overrides/main.html +--- + +![binbash-logo](../assets/images/logos/binbash-leverage-header.png "binbash"){: style="width:800px"} + +# Overview +Welcome to Leverage's documentation! Here you will find the concepts you need to understand to work with our stack, the steps to try Leverage for yourself, and extensive documentation about every aspect of our solution. + +# Getting Started +Feel free to explore the following pages to know more about Leverage. + +:books: See [**What is Leverage**](../concepts/what-is-leverage.md) to fully understand what Leverage is. + +:books: See [**Why Leverage**](../concepts/why-leverage.md) to help you decide whether Leverage is the right tool for you. + +:books: See [**Our Tech Stack**](../concepts/our-tech-stack.md) to learn about our design choices for the technology stack. + +:books: See [**Try Leverage**](../try-leverage/introduction.md) to take the tutorial that will help you deploy a basic AWS Landing Zone via Leverage. \ No newline at end of file diff --git a/docs/concepts/what-is-leverage.md b/docs/concepts/what-is-leverage.md new file mode 100644 index 000000000..8da84b9ad --- /dev/null +++ b/docs/concepts/what-is-leverage.md 
@@ -0,0 +1,23 @@ +# What is Leverage? +Leverage was made of a significant amount of knowledge, acquired through several years of experience, turned into an ecosystem of code, tools and workflows that enables you to build the AWS infrastructure for your applications and services quickly and securely. + +Since all the code and modules are already built, we can get you up and running **up to 10x faster** :rocket: +than a consulting company -- :white_check_mark: *typically in just a few weeks!* -- and on top of code that is thoroughly documented, tested, and has been proven in production at dozens of other project deployments. + +Check out this **intro video** :octicons-video-16: that explains what Leverage is: + + +--- + +# Core Components +Our focus is on creating reusable, high quality ![leverage-aws](../assets/images/icons/aws-emojipack/General_AWScloud.png "AWS"){: style="width:30px"} Cloud Infrastructure code, through our core components: + +- [x] [**Reference Architecture**](../how-it-works/infra-as-code-library/index.md): Designed under optimal configs for the most popular modern web and mobile applications needs. Its design is fully based on the +[**AWS Well Architected Framework**](https://leverage.binbash.com.ar/support/#aws-well-architected-review). + +- [x] [**Infrastructure as Code (IaC) Library**](../how-it-works/ref-architecture/index.md): A collection of reusable, tested, production-ready E2E AWS Cloud infrastructure as code solutions, leveraged by modules written in: *Terraform, Ansible, Helm charts, Dockerfiles and Makefiles*. + +- [x] [**Leverage CLI**](https://github.com/binbashar/leverage): projects' command line tool. Provides the means to interact and deploy Leverage Reference Architecture on AWS and if needed it allows you to define custom tasks to run. + +# Features +TODO Write about this 
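Review bot: the two core-component links in `docs/concepts/what-is-leverage.md` are crossed, and one of them points at a path this same patch removes. `[**Reference Architecture**](../how-it-works/infra-as-code-library/index.md)` lands on the IaC Library page while `[**Infrastructure as Code (IaC) Library**](../how-it-works/ref-architecture/index.md)` lands on the Reference Architecture page, so the targets should be swapped; and because the patch renames `docs/how-it-works/infra-as-code-library/` to `docs/user-guide/infra-as-code-library/`, the IaC Library link should become `../user-guide/infra-as-code-library/index.md`. The trailing `# Features` section consisting only of `TODO Write about this` should be filled in or dropped before merge; as written it ships a placeholder heading on a landing page. Minor wording: "Leverage was made of a significant amount of knowledge" reads better as "Leverage was built from a significant amount of knowledge".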
diff --git a/docs/how-it-works/ref-architecture/general-concepts/why-leverage.md b/docs/concepts/why-leverage.md similarity index 94% rename from docs/how-it-works/ref-architecture/general-concepts/why-leverage.md rename to docs/concepts/why-leverage.md index f3a384c92..56374257d 100644 --- a/docs/how-it-works/ref-architecture/general-concepts/why-leverage.md +++ b/docs/concepts/why-leverage.md @@ -1,23 +1,29 @@ # Why Leverage? -## The problem +## In a nutshell +If you implement our **Reference Architecture for AWS** and the **Infrastructure as Code (IaC) Library** via Leverage CLI, you will get your entire Cloud Native Application Infra in few weeks. + +:material-comment-quote: *Implement Leverage yourself or we can deploy it for you!* :muscle: + +## The problem and our solution + +### What are the problems you might be facing? ![leverage-why](../../../assets/images/diagrams/leverage-why-problem.png "Leverage"){: style="width:950px"}
Figure: Why Leverage? The problem. (Source: binbash, "Leverage Presentation: Why you should use Leverage?", accessed June 15th 2021).
-## Our solution +### What is our solution? ![leverage-why](../../../assets/images/diagrams/leverage-why-solution.png "Leverage"){: style="width:950px"}
Figure: Why Leverage? The solution. (Source: binbash, "Leverage Presentation: Why you should use Leverage?", accessed June 15th 2021).
-### The problem & our solution intro video - +## Leverage for the different roles of a company -## Why Leverage for CIOs, CTOs and VPs of Engineering? +### Leverage for CIOs, CTOs and VPs of Engineering ??? question "**Accelerate development and optimize costs**" Annual cost savings are a new standard and best practice. Profits are being targeted to business development, @@ -70,7 +76,7 @@ The `Leverage CLI` allows to build repeatable and immutable infrastructure. So your cloud development, staging and production environments will consistently be the same. -## Why Leverage for DevOps Engineers, Cloud Architects and Software Engineers? +### Leverage for DevOps Engineers, Cloud Architects and Software Engineers ??? question "**Provisioning infrastructure as code (Iac)**" Instead of manually provisioning infrastructure, the real benefits of cloud adoption come from orchestrating diff --git a/docs/how-it-works/ref-architecture/general-concepts/why-tech-stack.md b/docs/concepts/why-our-tech-stack.md similarity index 99% rename from docs/how-it-works/ref-architecture/general-concepts/why-tech-stack.md rename to docs/concepts/why-our-tech-stack.md index fb6b7ca33..74c5cdafe 100644 --- a/docs/how-it-works/ref-architecture/general-concepts/why-tech-stack.md +++ b/docs/concepts/why-our-tech-stack.md @@ -208,10 +208,3 @@ - [How it works: Secrets](../../features/secrets/secrets/) - [Hashicorp Vault Project](https://www.vaultproject.io/) - - - - - - - diff --git a/docs/how-it-works/ref-architecture/index.md b/docs/how-it-works/ref-architecture/index.md index 5abf20aa0..69a2c0317 100644 --- a/docs/how-it-works/ref-architecture/index.md +++ b/docs/how-it-works/ref-architecture/index.md 
@@ -12,7 +12,7 @@ Leverage Reference Architecture for AWS that will be implemented on the Projects’ AWS infrastructure. We're assuming you've already have in place your AWS Landing Zone based on the -[First Steps](../../first-steps/introduction.md) guide. +[First Steps](../../try-leverage/introduction.md) guide. !!! check "Our Purpose" * [x] **Democratize advanced technologies:** As complex as it may sound, the basic idea behind this design principle is diff --git a/docs/first-steps/aws-account-setup.md b/docs/try-leverage/aws-account-setup.md similarity index 100% rename from docs/first-steps/aws-account-setup.md rename to docs/try-leverage/aws-account-setup.md diff --git a/docs/first-steps/introduction.md b/docs/try-leverage/introduction.md similarity index 100% rename from docs/first-steps/introduction.md rename to docs/try-leverage/introduction.md diff --git a/docs/first-steps/leverage-project-setup.md b/docs/try-leverage/leverage-project-setup.md similarity index 100% rename from docs/first-steps/leverage-project-setup.md rename to docs/try-leverage/leverage-project-setup.md diff --git a/docs/first-steps/local-setup.md b/docs/try-leverage/local-setup.md similarity index 100% rename from docs/first-steps/local-setup.md rename to docs/try-leverage/local-setup.md diff --git a/docs/first-steps/management-account.md b/docs/try-leverage/management-account.md similarity index 100% rename from docs/first-steps/management-account.md rename to docs/try-leverage/management-account.md diff --git a/docs/first-steps/post-deployment.md b/docs/try-leverage/post-deployment.md similarity index 99% rename from docs/first-steps/post-deployment.md rename to docs/try-leverage/post-deployment.md index 1f7c2a9ba..4885f0b2d 100644 --- a/docs/first-steps/post-deployment.md +++ b/docs/try-leverage/post-deployment.md 
@@ -235,7 +235,7 @@ From here, to make sure it integrates correctly, you will most likely want to cr 2. In the step above, we are switching to the OAAR (OrganizationalAccountAccessRole) role because we are working with a brand new account that is empty, so, the only way to access it programmatically is through the OAAR role. - 3. Now it's time to configure your OAAR credentials (if haven't already done so). For that you can follow the steps in [this section](https://leverage.binbash.com.ar/first-steps/management-account/#update-the-bootstrap-credentials) of the official documentation. + 3. Now it's time to configure your OAAR credentials (if haven't already done so). For that you can follow the steps in [this section](https://leverage.binbash.com.ar/try-leverage/management-account/#update-the-bootstrap-credentials) of the official documentation. 4. Create the `base-tf-backend` layer: diff --git a/docs/first-steps/security-and-shared-accounts.md b/docs/try-leverage/security-and-shared-accounts.md similarity index 100% rename from docs/first-steps/security-and-shared-accounts.md rename to docs/try-leverage/security-and-shared-accounts.md diff --git a/docs/user-guide/index.md b/docs/user-guide/index.md deleted file mode 100644 index dd083d6ef..000000000 --- a/docs/user-guide/index.md +++ /dev/null @@ -1,15 +0,0 @@ -![binbash-logo](../assets/images/logos/binbash-leverage-header.png "binbash"){: style="width:800px"} - -# Overview -## Pre-requisites - -!!! done "Local env pre-required packages" - - * [x] **Docker engine** `>= 20.x.y`(check via `docker --version`) - * [x] **Python** `>= 3.8` (check via `python3 --version` || `python3.8 --version`) - * [x] **leverage cli** `>= 1.0.0` (check via `leverage --version`)` - -## Configurations & Workflow -- [x] [le-tf-infra-aws](ref-architecture-aws/dir-structure.md) -- [x] [le-tf-vault](ref-architecture-vault/dir-structure.md) -- [x] [le-ansible-infra](ref-architecture-ansible/configs.md) 
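Review bot: deleting `docs/user-guide/index.md` drops the only prerequisites list in the user guide without relocating it. The removed admonition stated `Docker engine >= 20.x.y`, `Python >= 3.8` and `leverage cli >= 1.0.0` together with the command to check each, and the new `docs/user-guide/overview.md` added in this patch does not carry that information anywhere. Move the `!!! done "Local env pre-required packages"` block into the new overview or into `leverage-cli/installation.md`, and while moving it fix the stray trailing backtick in `(check via \`leverage --version\`)\``. The three "Configurations & Workflow" links are covered by the new section links, so only the prerequisites need a home.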
diff --git a/docs/how-it-works/infra-as-code-library/index.md b/docs/user-guide/infra-as-code-library/index.md similarity index 100% rename from docs/how-it-works/infra-as-code-library/index.md rename to docs/user-guide/infra-as-code-library/index.md diff --git a/docs/how-it-works/infra-as-code-library/infra-as-code-library-forks.md b/docs/user-guide/infra-as-code-library/infra-as-code-library-forks.md similarity index 100% rename from docs/how-it-works/infra-as-code-library/infra-as-code-library-forks.md rename to docs/user-guide/infra-as-code-library/infra-as-code-library-forks.md diff --git a/docs/how-it-works/infra-as-code-library/infra-as-code-library-specs.md b/docs/user-guide/infra-as-code-library/infra-as-code-library-specs.md similarity index 100% rename from docs/how-it-works/infra-as-code-library/infra-as-code-library-specs.md rename to docs/user-guide/infra-as-code-library/infra-as-code-library-specs.md diff --git a/docs/how-it-works/infra-as-code-library/modules-library-per-tech.md b/docs/user-guide/infra-as-code-library/modules-library-per-tech.md similarity index 100% rename from docs/how-it-works/infra-as-code-library/modules-library-per-tech.md rename to docs/user-guide/infra-as-code-library/modules-library-per-tech.md diff --git a/docs/user-guide/leverage-cli/install-leverage-cli.md b/docs/user-guide/leverage-cli/installation.md similarity index 100% rename from docs/user-guide/leverage-cli/install-leverage-cli.md rename to docs/user-guide/leverage-cli/installation.md diff --git a/docs/how-it-works/leverage-cli/index.md b/docs/user-guide/leverage-cli/overview.md similarity index 89% rename from docs/how-it-works/leverage-cli/index.md rename to docs/user-guide/leverage-cli/overview.md index 79707da2e..19b9595dc 100644 --- a/docs/how-it-works/leverage-cli/index.md +++ b/docs/user-guide/leverage-cli/overview.md 
@@ -1,14 +1,15 @@ ![binbash-logo](../../assets/images/logos/binbash-leverage-header.png "binbash"){: style="width:800px"} # Leverage CLI + +## Overview Leverage CLI is the tool used to manage and interact with any Leverage project. It transparently handles the most complex and error prone tasks that arise from working with a state-of-the-art infrastructure definition like our Leverage Reference Architecture. Leverage CLI uses a dockerized approach to encapsulate the tools needed to perform such tasks and to free the user from having to deal with the configuration and management of said tools. -!!! success "[:books: **Leverage CLI Documentation**](../../user-guide/leverage-cli/reference/basic-features.md)" -## Sources -- [x] [leverage-cli github](https://github.com/binbashar/leverage) -- [x] [leverage-cli pypi](https://pypi.org/project/leverage/) +## Repositories +- [x] [Source Code (Github)](https://github.com/binbashar/leverage) +- [x] [Releases Packages (PyPI)](https://pypi.org/project/leverage/) ## How Leverage CLI came about The multiple tools and technologies required to work with a Leverage project were initially handled through a Makefiles system. Not only to automate and simplify the different tasks, but also to provide a uniform user experience during the management of a project. diff --git a/docs/user-guide/overview.md b/docs/user-guide/overview.md new file mode 100644 index 000000000..342b38d00 --- /dev/null +++ b/docs/user-guide/overview.md @@ -0,0 +1,12 @@ +![binbash-logo](../assets/images/logos/binbash-leverage-header.png "binbash"){: style="width:800px"} + +# Reference Architectures + +## Overview +The pages in this section explore the architecture of Leverage with great detail. + +Start by visiting the pages below or simply use the left menu to explore on your own: + +* [Reference Architectures](./reference-architectures/) +* [Infrastructure-as-Code Library](./infra-as-code-library/) +* [Leverage CLI](./leverage-cli/) 
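Review bot: the heading of the new `docs/user-guide/overview.md` does not match its content. The page is titled `# Reference Architectures` but it introduces three sections (`Reference Architectures`, `Infrastructure-as-Code Library`, `Leverage CLI`), `next-steps.md` in this same patch links to it as "Reference", and the commit message names the section "Reference" as well. Title it `# Reference` (or `# User Guide`) so the nav entry, the incoming link text and the page agree. Minor wording: "explore the architecture of Leverage with great detail" should be "in great detail".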
diff --git a/docs/user-guide/ref-architecture-ansible/configs.md b/docs/user-guide/reference-architectures/ref-architecture-ansible/configs.md similarity index 65% rename from docs/user-guide/ref-architecture-ansible/configs.md rename to docs/user-guide/reference-architectures/ref-architecture-ansible/configs.md index 5686eec71..886147a23 100644 --- a/docs/user-guide/ref-architecture-ansible/configs.md +++ b/docs/user-guide/reference-architectures/ref-architecture-ansible/configs.md 
@@ -8,29 +8,29 @@ files used to create _**binbash Leverage™**_ Reference Architecture for AWS. Check out the README.md under contained under each repo !!! important "Playbooks Documentation" - ![leverage-ansible](../../assets/images/logos/ansible.png "Leverage"){: style="width:20px"} **User Management & Security** + ![leverage-ansible](../../../assets/images/logos/ansible.png "Leverage"){: style="width:20px"} **User Management & Security** - [x] [sec-users](https://github.com/binbashar/le-ansible-infra/blob/master/sec-users/README.md) - ![leverage-ansible](../../assets/images/logos/ansible.png "Leverage"){: style="width:20px"} **VPN Server** + ![leverage-ansible](../../../assets/images/logos/ansible.png "Leverage"){: style="width:20px"} **VPN Server** - [x] [vpn-pritunl](https://github.com/binbashar/le-ansible-infra/blob/master/vpn-pritunl/README.md) - ![leverage-ansible](../../assets/images/logos/ansible.png "Leverage"){: style="width:20px"} **Monitoring & Alerting** + ![leverage-ansible](../../../assets/images/logos/ansible.png "Leverage"){: style="width:20px"} **Monitoring & Alerting** - [x] [prometheus-grafana](https://github.com/binbashar/le-ansible-infra/blob/master/prometheus/README.md) - ![leverage-ansible](../../assets/images/logos/ansible.png "Leverage"){: style="width:20px"} **Centralized Logs** + ![leverage-ansible](../../../assets/images/logos/ansible.png "Leverage"){: style="width:20px"} **Centralized Logs** - [x] [eskibana](https://github.com/binbashar/le-ansible-infra/blob/master/eskibana/README.md) - ![leverage-ansible](../../assets/images/logos/ansible.png "Leverage"){: style="width:20px"} **CI/CD** + ![leverage-ansible](../../../assets/images/logos/ansible.png "Leverage"){: style="width:20px"} **CI/CD** - [x] [jenkins](https://github.com/binbashar/le-ansible-infra/blob/master/jenkins/README.md) - [x] [spinnaker](https://github.com/binbashar/le-ansible-infra/blob/master/spinnaker/README.md) - [x] 
[droneci](https://github.com/binbashar/le-ansible-infra/blob/master/droneci/README.md) - [x] [webhook](https://github.com/binbashar/le-ansible-infra/blob/master/webhook-proxy/README.md) - ![leverage-ansible](../../assets/images/logos/ansible.png "Leverage"){: style="width:20px"} **Secret Mgmt** + ![leverage-ansible](../../../assets/images/logos/ansible.png "Leverage"){: style="width:20px"} **Secret Mgmt** - [x] [hashicorp-vault](https://github.com/binbashar/le-ansible-infra/blob/master/vault/README.md) diff --git a/docs/user-guide/ref-architecture-ansible/workflow.md b/docs/user-guide/reference-architectures/ref-architecture-ansible/workflow.md similarity index 87% rename from docs/user-guide/ref-architecture-ansible/workflow.md rename to docs/user-guide/reference-architectures/ref-architecture-ansible/workflow.md index c39e5829d..1a7514bd1 100644 --- a/docs/user-guide/ref-architecture-ansible/workflow.md +++ b/docs/user-guide/reference-architectures/ref-architecture-ansible/workflow.md @@ -7,7 +7,7 @@ - You are encouraged to read more about our [**`Leverage CLI`** how it works](../../how-it-works/leverage-cli/index.md) section to better understand it. -!!! example "![leverage-ansible](../../assets/images/logos/ansible.png "Leverage"){: style="width:20px"} [Ansible Infra](https://github.com/binbashar/le-ansible-infra)" +!!! example "![leverage-ansible](../../../assets/images/logos/ansible.png "Leverage"){: style="width:20px"} [Ansible Infra](https://github.com/binbashar/le-ansible-infra)" 1. Get into the folder that you need to work with (e.g. `ansible-playbook-vpn-pritunl`) 2. Run `leverage run init` to get all the necessary Ansible roles based on each `requirements.yml` 4. Make whatever changes you need to make as stated in each Playbook Documentation (check Documentation section above) 
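Review bot: in the `workflow.md` hunk the image path on the changed line gets the extra `../` for the new `reference-architectures/` directory, but the `[**`Leverage CLI`** how it works](../../how-it-works/leverage-cli/index.md)` link in the first context line keeps the old depth, so after this rename it resolves one level too high; and since the same commit also moves the Leverage CLI pages (`.../leverage-cli/overview.md` in the stat), the target path itself has probably changed as well. Please update that link in the same commit. Separately, the numbered list below it runs `1.`, `2.`, `4.`: either a step 3 is missing or the last item should be `3.`.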
diff --git a/docs/user-guide/ref-architecture-aws/configs.md b/docs/user-guide/reference-architectures/ref-architecture-aws/configs.md similarity index 100% rename from docs/user-guide/ref-architecture-aws/configs.md rename to docs/user-guide/reference-architectures/ref-architecture-aws/configs.md diff --git a/docs/user-guide/ref-architecture-aws/credentials.md b/docs/user-guide/reference-architectures/ref-architecture-aws/credentials.md similarity index 100% rename from docs/user-guide/ref-architecture-aws/credentials.md rename to docs/user-guide/reference-architectures/ref-architecture-aws/credentials.md diff --git a/docs/user-guide/ref-architecture-aws/dir-structure.md b/docs/user-guide/reference-architectures/ref-architecture-aws/dir-structure.md similarity index 84% rename from docs/user-guide/ref-architecture-aws/dir-structure.md rename to docs/user-guide/reference-architectures/ref-architecture-aws/dir-structure.md index 5573acc1a..cb2d44585 100644 --- a/docs/user-guide/ref-architecture-aws/dir-structure.md +++ b/docs/user-guide/reference-architectures/ref-architecture-aws/dir-structure.md 
@@ -14,29 +14,25 @@ The following block provides a brief explanation of the chosen files/folders lay | ├── 📂 global | │   └── 📂 base-identities | ├── 📂 us-east-1 - | │   ├── 📂 backups -- + | │   ├── 📂 backups | │   ├── 📂 base-certificates | │   ├── 📂 base-network | │   ├── 📂 base-tf-backend | │   ├── 📂 cdn-s3-frontend | │   ├── 📂 databases-aurora - | │   ├── 📂 databases-mysql -- - | │   ├── 📂 databases-pgsql -- - | │   ├── 📂 ec2-fleet-ansible -- + | │   ├── 📂 databases-mysql + | │   ├── 📂 databases-pgsql | │   ├── 📂 k8s-eks-demoapps - | │   ├── 📂 k8s-kind - | │   ├── 📂 k8s-kops -- | │   ├── 📂 notifications | │   ├── 📂 security-audit | │   ├── 📂 security-base | │   ├── 📂 security-certs - | │   ├── 📂 security-firewall -- - | │   ├── 📂 security-keys-dr + | │   ├── 📂 security-firewall | │   ├── 📂 storage | │   └── 📂 tools-cloud-nuke | └── 📂 us-east-2 |    ├── 📂 k8s-eks - |    ├── 📂 security-compliance -- + |    ├── 📂 security-compliance |    └── 📂 security-keys ├── 📂 apps-prd │   ├── 📂 config @@ -45,17 +41,16 @@ The following block provides a brief explanation of the chosen files/folders lay │   ├── 📂 global | │   └── 📂 base-identities │   └── 📂 us-east-1 - |    ├── 📂 backups -- + |    ├── 📂 backups |    ├── 📂 base-network |    ├── 📂 base-tf-backend |    ├── 📂 cdn-s3-frontend - |    ├── 📂 ec2-fleet -- |    ├── 📂 k8s-eks |    ├── 📂 notifications |    ├── 📂 security-audit |    ├── 📂 security-base |    ├── 📂 security-certs - |    ├── 📂 security-compliance -- + |    ├── 📂 security-compliance |    └── 📂 security-keys ├── 📄 build.env ├── 📄 build.py @@ -76,9 +71,8 @@ The following block provides a brief explanation of the chosen files/folders lay | │   ├── 📂 notifications | │   ├── 📂 security-audit | │   ├── 📂 security-base - | │   ├── 📂 security-compliance -- + | │   ├── 📂 security-compliance | │   ├── 📂 security-keys - | │   └── 📂 security-monitoring-dr -- │   └── 📂 us-east-2 |    └── 📂 security-monitoring ├── 📂 network 
@@ -94,13 +88,13 @@ The following block provides a brief explanation of the chosen files/folders lay | │   ├── 📂 notifications | │   ├── 📂 security-audit | │   ├── 📂 security-base - | │   ├── 📂 security-compliance -- + | │   ├── 📂 security-compliance | │   ├── 📂 security-keys | │   └── 📂 transit-gateway │   └── 📂 us-east-2 |    ├── 📂 base-network |    ├── 📂 network-firewall - |    ├── 📂 security-compliance -- + |    ├── 📂 security-compliance |    ├── 📂 security-keys |    └── 📂 transit-gateway ├── 📂 security @@ -115,13 +109,13 @@ The following block provides a brief explanation of the chosen files/folders lay | │   ├── 📂 notifications | │   ├── 📂 security-audit | │   ├── 📂 security-base - | │   ├── 📂 security-compliance -- + | │   ├── 📂 security-compliance | │   ├── 📂 security-keys | │   └── 📂 security-monitoring │   └── 📂 us-east-2 |    ├── 📂 security-audit - |    ├── 📂 security-compliance -- - |    └── 📂 security-monitoring -- + |    ├── 📂 security-compliance + |    └── 📂 security-monitoring └── 📂 shared ├── 📂 config │   ├── 📄 account.tfvars @@ -134,28 +128,28 @@ The following block provides a brief explanation of the chosen files/folders lay | ├── 📂 base-network | ├── 📂 base-tf-backend | ├── 📂 container-registry - | ├── 📂 ec2-fleet -- + | ├── 📂 ec2-fleet | ├── 📂 k8s-eks | ├── 📂 k8s-eks-demoapps | ├── 📂 k8s-eks-prd | ├── 📂 notifications | ├── 📂 security-audit | ├── 📂 security-base - | ├── 📂 security-compliance -- + | ├── 📂 security-compliance | ├── 📂 storage | ├── 📂 tools-cloud-scheduler-stop-start | ├── 📂 tools-eskibana | ├── 📂 tools-github-selfhosted-runners - | ├── 📂 tools-jenkins -- + | ├── 📂 tools-jenkins | ├── 📂 tools-managedeskibana | ├── 📂 tools-prometheus | ├── 📂 tools-vault | ├── 📂 tools-vpn-server - | └── 📂 tools-webhooks -- + | └── 📂 tools-webhooks    └── 📂 us-east-2 ├── 📂 base-network ├── 📂 container-registry - ├── 📂 security-compliance -- + ├── 📂 security-compliance ├── 📂 security-keys ├── 📂 tools-eskibana └── 📂 tools-prometheus 
@@ -168,11 +162,11 @@ resources that belong to such account environment and specific layer. !!! info "Project file structure " An extended project file structure could be found - [here](../../../first-steps/leverage-project-setup/#create-the-configured-project) + [here](../../../try-leverage/leverage-project-setup/#create-the-configured-project) While some other basic concepts and naming conventions in the context of Leverage like "project" and "layer" [here](../../../how-it-works/ref-architecture/ref-architecture-aws/#structural-concepts) -![binbash-logo](../../assets/images/diagrams/ref-architecture-aws.png "binbash"){: style="width:950px"} +![binbash-logo](../../../assets/images/diagrams/ref-architecture-aws.png "binbash"){: style="width:950px"}
Figure: AWS Organization multi-account architecture diagram. (Source: binbash Leverage, diff --git a/docs/user-guide/reference-architectures/ref-architecture-aws/overview.md b/docs/user-guide/reference-architectures/ref-architecture-aws/overview.md new file mode 100644 index 000000000..7a2498473 --- /dev/null +++ b/docs/user-guide/reference-architectures/ref-architecture-aws/overview.md @@ -0,0 +1,13 @@ +# AWS Reference Architecture + +## Overview +Our AWS Reference Architecture was created on a set of opinionated definitions and conventions on: + +* [how to organize files/folders](dir-structure.md), +* where to store [configuration files](configs.md), +* how to handle [credentials](credentials.md), +* how to [set up](tf-state-setup.md) and [manage state](tf-state-workflow.md), +* which [commands and workflows](tf-workflow.md) to run in order to perform different tasks, +* and more. + +The pages in this section are about the above concerns in connection with our AWS Reference Architecture. diff --git a/docs/user-guide/ref-architecture-aws/tf-state-setup.md b/docs/user-guide/reference-architectures/ref-architecture-aws/tf-state-setup.md similarity index 100% rename from docs/user-guide/ref-architecture-aws/tf-state-setup.md rename to docs/user-guide/reference-architectures/ref-architecture-aws/tf-state-setup.md diff --git a/docs/user-guide/ref-architecture-aws/tf-state-workflow.md b/docs/user-guide/reference-architectures/ref-architecture-aws/tf-state-workflow.md similarity index 96% rename from docs/user-guide/ref-architecture-aws/tf-state-workflow.md rename to docs/user-guide/reference-architectures/ref-architecture-aws/tf-state-workflow.md index 16b730699..0a93bb0fd 100644 --- a/docs/user-guide/ref-architecture-aws/tf-state-workflow.md +++ b/docs/user-guide/reference-architectures/ref-architecture-aws/tf-state-workflow.md 
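Review bot: in the last `dir-structure.md` hunk (`@@ -168,11 +162,11 @@`) only the image path is adjusted for the new directory depth; the two `[here](...)` links keep `../../../`, for example
`[here](../../../try-leverage/leverage-project-setup/#create-the-configured-project)`
Unlike the image path, these are URL-style links (trailing slash plus anchor), so please verify both still resolve from the new `reference-architectures/ref-architecture-aws/` location. The second link, `../../../how-it-works/ref-architecture/ref-architecture-aws/#structural-concepts`, also points at a page that a later commit in this series deletes (`docs/how-it-works/ref-architecture/ref-architecture-aws.md`), so it needs a new target, presumably one of the new `docs/concepts/` pages.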
@@ -4,7 +4,7 @@ Use this terraform configuration files to create the **S3 bucket** & **DynamoDB** table needed to use Terraform Remote State Storage & Locking. -![leverage-ref-arch-tf](../../assets/images/diagrams/terraform-aws-s3-backend.png "Leverage"){: style="width:350px"} +![leverage-ref-arch-tf](../../../assets/images/diagrams/terraform-aws-s3-backend.png "Leverage"){: style="width:350px"}
Figure: Terraform remote state store & locking necessary AWS S3 bucket and DynamoDB table components. diff --git a/docs/user-guide/ref-architecture-aws/workflow.md b/docs/user-guide/reference-architectures/ref-architecture-aws/tf-workflow.md similarity index 94% rename from docs/user-guide/ref-architecture-aws/workflow.md rename to docs/user-guide/reference-architectures/ref-architecture-aws/tf-workflow.md index f823c1d20..edee59d8e 100644 --- a/docs/user-guide/ref-architecture-aws/workflow.md +++ b/docs/user-guide/reference-architectures/ref-architecture-aws/tf-workflow.md @@ -30,7 +30,7 @@ rest of our tools and practices like CI/CD, in ## Running in Automation -![leverage-aws-terraform](../../assets/images/diagrams/aws-terraform-automation.png "Terraform"){: style="width:350"} +![leverage-aws-terraform](../../../assets/images/diagrams/aws-terraform-automation.png "Terraform"){: style="width:350"}
Figure: Running terraform with AWS in automation (just as reference).
## Read More diff --git a/docs/user-guide/ref-architecture-vault/configs.md b/docs/user-guide/reference-architectures/ref-architecture-vault/configs.md similarity index 100% rename from docs/user-guide/ref-architecture-vault/configs.md rename to docs/user-guide/reference-architectures/ref-architecture-vault/configs.md diff --git a/docs/user-guide/ref-architecture-vault/dir-structure.md b/docs/user-guide/reference-architectures/ref-architecture-vault/dir-structure.md similarity index 100% rename from docs/user-guide/ref-architecture-vault/dir-structure.md rename to docs/user-guide/reference-architectures/ref-architecture-vault/dir-structure.md diff --git a/docs/user-guide/ref-architecture-vault/tf-state-workflow.md b/docs/user-guide/reference-architectures/ref-architecture-vault/tf-state-workflow.md similarity index 100% rename from docs/user-guide/ref-architecture-vault/tf-state-workflow.md rename to docs/user-guide/reference-architectures/ref-architecture-vault/tf-state-workflow.md diff --git a/docs/user-guide/ref-architecture-vault/workflow.md b/docs/user-guide/reference-architectures/ref-architecture-vault/workflow.md similarity index 100% rename from docs/user-guide/ref-architecture-vault/workflow.md rename to docs/user-guide/reference-architectures/ref-architecture-vault/workflow.md diff --git a/docs/user-guide/troubleshooting/credentials.md b/docs/user-guide/troubleshooting/credentials.md new file mode 100644 index 000000000..3644553e9 --- /dev/null +++ b/docs/user-guide/troubleshooting/credentials.md 
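Review bot: the changed line in the `tf-workflow.md` hunk (`@@ -30,7 +30,7 @@`) carries over `{: style="width:350"}` with no unit, while the equivalent image line in the `tf-state-workflow.md` hunk just above uses `width:350px`; since the line is being rewritten anyway, add the `px` so the width is applied consistently.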
@@ -0,0 +1,31 @@ +# Troubleshooting credentials issues + +### Gathering more information +Trying to get as much information of the issue as possible is key when troubleshooting. Keep reading to find out typical scenarios and how you can gather more information about each. + +If the issue happens while you are working on a layer of the reference architecture and you are using Terraform, you can use the `--verbose` flag to try to get more information about the underlying issue. +For instance, if the error shows up while running a Terraform plan command, you can enable a more verbose output like this: `leverage --verbose tf plan` + +### Determine the profile you are using +When working with the reference architecture, it is important to understand what is the AWS profile that might be causing the issue. Enabling verbose mode should help with that. Read the above section to understand how it can be turned on. +The suspect profile is likely to show right above the error line. + +### Test the failing profile with the AWS CLI +Assuming that the suspect profile is `le-shared-devops`, you can try this command: `aws sts get-caller-identity --profile le-shared-devops`. +Note: if you use the AWS CLI installed in your host machine, you will need to configure the environment variables in the section `Configure the AWS CLI for Leverage` + +### Check the profiles in your AWS config file +Once you know what AWS profile is surfacing the issue you can open the AWS config file, typically under `~/.aws/[project_name_here]/config`, to inspect that profile definition. + +Important: when using SSO, the profiles are actually created in the AWS credentials file + +Things to look out for: +- Is there a profile entry in the AWS config file that matches the suspect profile? 
+- Does the profile entry include all necessary fields + +### Configure the AWS CLI for Leverage +Since Leverage stores the AWS config and credentials file under a non-default path, when using the AWS CLI you'll need to point it to the right locations: +``` +export AWS_CONFIG_FILE=~/.aws/[project_name_here]/config +export AWS_SHARED_CREDENTIALS_FILE=~/.aws/[project_name_here]/credentials +``` diff --git a/docs/welcome.md b/docs/welcome.md deleted file mode 100644 index f55fa7f55..000000000 --- a/docs/welcome.md +++ /dev/null 
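Review bot: in the new `troubleshooting/credentials.md`, the fenced block holding the two `export` lines has no language tag; tag it `bash`. A few smaller points in the same file: the headings jump from `#` straight to `###`; `- Does the profile entry include all necessary fields` is missing its question mark; the sentence "configure the environment variables in the section `Configure the AWS CLI for Leverage`" would be more useful as an in-page link to that section (presumably `#configure-the-aws-cli-for-leverage`); and it is worth saying once that `[project_name_here]` in `~/.aws/[project_name_here]/config` is a placeholder to substitute, since the same literal reappears in both `export` lines.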
@@ -1,67 +0,0 @@ ---- -template: overrides/main.html ---- - -![binbash-logo](./assets/images/logos/binbash-leverage-header.png "binbash"){: style="width:800px"} - -# About Leverage - -!!! important "What's Leverage?" - Our focus is on creating reusable, high quality - ![leverage-aws](./assets/images/icons/aws-emojipack/General_AWScloud.png "AWS"){: style="width:30px"} - Cloud Infrastructure code, through our core components: - - - [x] [**Reference Architecture for AWS**](how-it-works/ref-architecture/index.md) - - [x] [**Infrastructure as Code (IaC) Library**](how-it-works/infra-as-code-library/index.md) - - [x] [**Leverage CLI**](https://github.com/binbashar/leverage) - - Because all the code and modules are already built, we can get you up and running **up to 10x faster** :rocket: - than a consulting company (:white_check_mark: *typically in just a few weeks!*). On top of code that is thoroughly - documented, tested, and has been proven in production at dozens of other project deployments. - -!!! important "Why Leverage?" - If you implement our **Reference Architecture for AWS** and the - **Infrastructure as Code (IaC) Library** via Leverage CLI , you will get your entire Cloud Native - Application Infra in few weeks. - - *Implement Leverage yourself or we can deploy it for you!* :muscle: - - - :books: **Read More:** - - - [Why our stack?](./how-it-works/ref-architecture/general-concepts/why-tech-stack.md) - - [Why Leverage?](./work-with-us/faqs/#why-leverage) - -!!! important "Core Features" - - [x] [**Reference Architecture**](how-it-works/infra-as-code-library/index.md): - Designed under optimal configs for the most popular modern web and mobile applications needs. - Its design is fully based on the - [**AWS Well Architected Framework**](https://leverage.binbash.com.ar/support/#aws-well-architected-review). 
- - - [x] [**Infrastructure as Code (IaC) Library**](how-it-works/ref-architecture/index.md): - A collection of reusable, tested, production-ready E2E AWS Cloud infrastructure as code solutions, leveraged by - modules written in: *Terraform, Ansible, Helm charts, Dockerfiles and Makefiles*. - - - [x] [**Leverage CLI**](https://github.com/binbashar/leverage): projects' command line tool. - Provides the means to interact and deploy Leverage Reference Architecture on AWS and if needed - it allows you to define custom tasks to run. - -# Welcome -This is the documentation for the **Leverage Reference Architecture**. - -It is built around the [AWS Well Architected Framework](https://aws.amazon.com/architecture/well-architected/) -, using a [Terraform](https://www.terraform.io/), [Ansible](https://www.ansible.com/) and [Helm](https://helm.sh/). - -An its compose of the following 3 main repos: - -- [x] [le-tf-infra-aws](https://github.com/binbashar/le-tf-infra-aws) -- [x] [le-tf-vault](https://github.com/binbashar/le-tf-vault) -- [x] [le-ansible-infra](https://github.com/binbashar/le-ansible-infra) - -## Getting Started -:books: See [**First Steps**](./first-steps/introduction.md) for an introduction to our Reference -Architecture for AWS workflow through the complete deployment of a basic AWS Landing Zone. - -:books: See [**How it works**](how-it-works/ref-architecture/index.md) for a whirlwind tour that will get you started. - -:books: See [**User guide**](./user-guide/index.md) for a hands on help. \ No newline at end of file diff --git a/material/overrides/home-es.html b/material/overrides/home-es.html index eb63161ec..9ef3a5b99 100644 --- a/material/overrides/home-es.html +++ b/material/overrides/home-es.html @@ -22,7 +22,7 @@
- -## Leverage for the different roles of a company - -### Leverage for CIOs, CTOs and VPs of Engineering - -??? question "**Accelerate development and optimize costs**" - Annual cost savings are a new standard and best practice. Profits are being targeted to business development, - regulatory and compliance needs. Resulting in a reduction of pressure on IT and development budgets, granting - the opportunity to focus in new features and boost innovation. - -??? question "**Modernize applications architecture (loosely coupled and modular)**" - Strategically decompose the monolith into a fine-grained, loosely coupled modular architecture to increase both - development and business agility. When the system architecture is designed to allow teams to test, deploy and - change systems without relying on other teams, they require little communication to get the job done. - In other words, both the architecture and the teams are loosely coupled. - -??? question "**Innovation - Rapidly adopt new technologies and reduce development time**" - Use ***Leverage Reference Architecture and for AWS + our libraries*** to provide a collection of cloud application - architecture components to build and deploy faster in the cloud. Building a cloud Landing Zone is complex, - especially since most companies have little or no expertise in this area. And it can take a significant amount - of time to get it right. ***Leverage*** a reference architecture to give you an AWS Landing Zone that provides a - consistent and solid "foundations" to bootstrap your project in the cloud. The code solution implements the best - AWS Well-Architected Framework practices as well as the battle-tested tech experience and years of knowledge of - our contributors. - -??? question "**Hours or days, not weeks or months**" - ***Leverage*** implements infrastructure as code at all times. 
We have rolled this out using Terraform, and has been - fully proven in AWS and other Terraform providers that are part of our reference architecture like Kubernetes, - Helm and Hashicorp Vault. By using the `Leverage CLI`, our binary will help you to quickly bootstrap your AWS - Landing Zone in a matter of hours (or at most a few days). - -??? question "**It's not just a pile of scripts**" - It's not just another layer of untested, one time and stand-alone developed scripts. The code is modularized - and well designed under best practices, our `Leverage CLI` has both unit and integration tests. While our - Terraform code has been extensively E2E tested. Moreover, 100% of the code is yours (to modify, extend, - reuse, etc), with no vendor locking and vendor licensing fees. We use the MIT license, so you can take the - code, modify it and use it as your private code. All we ask in return is a friendly greeting and that - (if possible) consider contributing to ***binbash Leverage*** project. Implement ***Leverage*** yourself or we - can deploy it for you! - -??? question "**DevOps culture and methodologies**" - Team agility and continuous improvements based on feedback loops are some of the main drivers of cloud adoption, - and IAC's goal of reducing the frequency of deployment of both infrastructure and applications are some of the - most important aspects of DevOps practices. We continue to apply these methodologies to achieve a DevOps first - culture. We have experienced and demonstrated their potential and have practiced them in dozens of projects over - the past 5 years. The ***Leverage reference architecture for AWS*** combines a set of application best practices, - technology patterns and a common CI/CD deployment approach through `Leverage CLI` for all your application - environments. 
As a result, we are pursuing a world-class software delivery performance through optimized - collaboration, communication, reliability, stability, scalability and security at ever-decreasing cost and effort. - -??? question "**Repeatable, composable and extensible immutable infrastructure**" - The best high-performance development teams create and recreate their development and production environments - using infrastructure as code (IaC) as part of their daily development processes. - The `Leverage CLI` allows to build repeatable and immutable infrastructure. So your cloud development, staging and - production environments will consistently be the same. - -### Leverage for DevOps Engineers, Cloud Architects and Software Engineers - -??? question "**Provisioning infrastructure as code (Iac)**" - Instead of manually provisioning infrastructure, the real benefits of cloud adoption come from orchestrating - infrastructure through code. However, this is really challenging to achieve, there are literally thousands of - tiny things and configs to consider and they all seem to take forever. Our experience is that it can take teams - up to 24 months to achieve a desired infra state in AWS. - By using ***Leverage*** you could get your AWS Landing-Zone in few weeks, or your entire - AWS Well-Architected based cloud solution within 1 to 3 months (depending on your project complexity needs). - -??? question "**We've done it before (don't reinvent the wheel)**" - Often, development teams have similar and recurring requests such as: iam, networking, security, storage, - databases, compute and secret management, etc. binbash ***Leverage*** has been proven in dozen of project to create - software-defined (IaC) AWS environments. - -??? question "**Best practices baked in the code**" - ***Leverage*** provides IaC reference architecture for AWS hosted applications infrastructure. 
This is baked into the - code as a combination of the best AWS Well-Architected framework practices and the experience of having - successfully orchestrated many customers to AWS cloud. - -??? question "**On-demand infra deployment**" - ***Leverage*** provides your DevOps, Cloud, SRE and Development teams with the ability to provision on-demand - infrastructure, granting that it will meet the rigorous security requirements of modern cloud native best practices. - It fully implements AWS Well-Architected Framework (WAF) and best DevOps practices, including practices, including - collaboration, version control, CI/CD, continuous testing, cloud infrastructure and losely couple architectures. - -??? question "**Easier to support and maintain**" - ***Leverage*** IaC approach significantly reduce your AWS infra deployment, config and support burden and reduce risk. - Our code backed provisioning has been rigorously tested many times, eliminating the possibility of manual errors. - Because the entire infrastructure is deployed from the same proven code, the consistency your cloud environments - will simplify your setup and maintenance. Use the versioned code to iterate and improve, extend or compose your - internal processes as your cloud operating model evolves. - -??? question "**There is no vendor lock-in. You own the solution**" - With ***Leverage*** you own 100% of the code with no lock-in clauses. If you choose to leave ***Leverage***, you will still - have your entire AWS cloud infrastructure that you can access and manage. If you drop ***Leverage***, you will still - have your entire cloud native infrastructure code (Terraform, Helm, Ansible, Python). It’s 100% Open Source - on GitHub and is free to use with no strings attached under [MIT license](https://choosealicense.com/licenses/) - (no licensing fees), and you are free to commercially and privately use, distribute and modify. - -??? 
question "**Consistent environments (Dev/prod parity)**" - Keep development, staging, and production cloud envs parity. - Infrastructure as code allow us to define and provisioning all infrastructure components (think networks, load - balancers, databases, security, compute and storage, etc.) using code. ***Leverage*** uses Terraform as the IaC language, - to deploy and setup all the AWS, Kubernetes and Hashicorp Vault resources (it has support for multiple cloud and - technology providers). Backed by code, your cloud environments are built exactly the identical way all the time. - Finally, this will result in no differences between development, staging and production. - -??? question "**Development in production like envs**" - IaC allows your development team to deploy and test the AWS infrastructure as if it were application code. - Your development is always done in production-like environments. Provision your cloud test and sandbox - environments on demand and tear them down when all your testing is complete. ***Leverage*** takes all the pain - out of maintaining production-like environments, with stable infra releases. It eliminates the unpredictability - of wondering if what actually worked in your development envs will work in production. diff --git a/docs/how-it-works/features/compute/k8s-kops.md b/docs/how-it-works/features/compute/k8s-kops.md deleted file mode 100644 index bc4af881c..000000000 --- a/docs/how-it-works/features/compute/k8s-kops.md +++ /dev/null 
@@ -1,26 +0,0 @@ -# Kubernetes Kops - -**_[Kops is an official Kubernetes project](https://github.com/kubernetes/kops)_** for managing production-grade -Kubernetes clusters. Kops is currently the best tool to deploy Kubernetes clusters to Amazon Web Services. -The project describes itself as kubectl for clusters. - -!!! check "Core Features" - - [x] Open-source & supports AWS and GCE - - [x] Deploy clusters to existing virtual private clouds (VPC) or create a new VPC from scratch - - [x] Supports public & private topologies - - [x] Provisions single or multiple master clusters - - [x] Configurable bastion machines for SSH access to individual cluster nodes - - [x] Built on a state-sync model for dry-runs and automatic idempotency - - [x] Direct infrastructure manipulation, or works with CloudFormation and Terraform - - [x] Rolling cluster updates - - [x] Supports heterogeneous clusters by creating multiple instance groups - -![leverage-aws-k8s-kops](../../../assets/images/diagrams/aws-k8s-kops.png "Leverage"){: style="width:950px"} - -
-Figure: AWS K8s Kops architecture diagram (just as reference). -(Source: Carlos Rodriguez, - -"How to deploy a Kubernetes cluster on AWS with Terraform & kops", -Nclouds.com Blog post, accessed November 18th 2020). -
\ No newline at end of file diff --git a/docs/how-it-works/features/database/mysql.md b/docs/how-it-works/features/database/mysql.md deleted file mode 100644 index aeb4eb4f5..000000000 --- a/docs/how-it-works/features/database/mysql.md +++ /dev/null @@ -1 +0,0 @@ -# RDS | MySQL \ No newline at end of file diff --git a/docs/how-it-works/features/database/postgres.md b/docs/how-it-works/features/database/postgres.md deleted file mode 100644 index 459c446b6..000000000 --- a/docs/how-it-works/features/database/postgres.md +++ /dev/null @@ -1 +0,0 @@ -# RDS | PostgresSQL \ No newline at end of file diff --git a/docs/how-it-works/features/index.md b/docs/how-it-works/features/index.md deleted file mode 100644 index a6b282244..000000000 --- a/docs/how-it-works/features/index.md +++ /dev/null 
@@ -1,73 +0,0 @@ -![binbash-logo](../../assets/images/logos/binbash-leverage-header.png "binbash"){: style="width:800px"} - -# AWS Reference Architecture features - -??? check "Governance | AWS Organizations" - - [x] [AWS Organizations](./organization/organization.md) - - [x] [Accounts](./organization/accounts.md) - - [X] [Consolidated Billing](./organization/billing.md) - -??? check "Identity Management" - - [x] [**Identities**](./identities/identities.md) - - [x] [**IAM Roles**](./identities/roles.md) - -??? check "Single Sign-On (SSO)" - - [x] [**AWS SSO + Jumpcloud IdP**](./sso/sso.md) - -??? check "Cost Monitoring & Optimization" - - [x] [**Costs**](./costs/costs.md) - -??? check "Security" - - [X] [Security Services](./security/services.md) - - [X] [IAM Access Analyzer](./security/iam-access-analyzer.md) - - [X] [VPN | Pritunl](./security/vpn.md) - - [X] [Certificates](./security/certificates.md) - -??? check "Networking | VPC, TGW, NFW, DNS and NACLs" - - [x] [Network](./network/vpc-topology.md) - - [x] [VPC Addressing](./network/vpc-addressing.md) - - [x] [VPC Peering](./network/vpc-peering.md) - - [x] [Transit Gateway (TGW)](./network/tgw-topology.md) - - [x] [Network Firewall & NACLs](./network/vpc-traffic-out.md) - - [x] [DNS](./network/dns.md) - -??? check "Secrets Management" - - [X] [Secrets](./secrets/secrets.md) - -??? check "Compute" - - [x] [**Compute**](./compute/overview.md) - - [x] [**K8s EKS Overview**](./compute/k8s-eks/overview.md) - - [x] [**K8s EKS VPC Addressing**](./compute/k8s-eks/vpc-addressing.md) - - [x] [**K8s Kops**](./compute/k8s-kops.md) - - [x] [**K8s Service Mesh**](./compute/k8s-service-mesh.md) - - [x] [**Serverless**](./compute/serverless.md) - -??? check "Databases" - - [x] [**Databases**](./database/database.md) - - [x] [**RDS MySql**](./database/mysql.md) - - [x] [**RDS Postgres**](./database/postgres.md) - -??? check "Storage" - - [x] [**Storage**](./storage/storage.md) - -??? 
check "Content Delivery Network (CDN)" - - [x] [**AWS CloudFront**](./cdn/cdn.md) - -??? check "CI/CD (Continuous Integration / Continuous Delivery)" - - [x] [**CI/CD**](./ci-cd/ci-cd.md) - - [x] [**K8s ArgoCD**](./ci-cd/k8s-argocd.md) - -??? check "Monitoring | Metrics, Logs, APM and Tracing" - - [x] [**Monitoring**](./monitoring/monitoring.md) - - [x] [Metrics](./monitoring/metrics.md) - - [x] [Logs](./monitoring/logs.md) - - [x] [Tracing](./monitoring/tracing.md) - - [x] [APM](./monitoring/apm.md) - - [x] [Notifications](./monitoring/notification_escalation.md) - -??? check "Reliability" - - [X] [Bakcups](./reliability/backups.md) - - [x] [High-Availability](./reliability/high-availability.md) - - [x] [Health-Checks](./reliability/health-checks.md) - - [X] [Disaster Recovery](./reliability/dr.md) - diff --git a/docs/how-it-works/features/network/dns.md b/docs/how-it-works/features/network/dns.md deleted file mode 100644 index d38be27b2..000000000 --- a/docs/how-it-works/features/network/dns.md +++ /dev/null @@ -1,17 +0,0 @@ -# Route53 DNS hosted zones - -!!! info "![aws-service](../../../assets/images/icons/aws-emojipack/General_AWScloud.png){: style="width:30px"} ![aws-service](../../../assets/images/icons/aws-emojipack/NetworkingContentDelivery_AmazonRoute53.png){: style="width:20px"} Route53 Considerations" - - [x] **Route53** private hosted zone will have associations with VPCs on different AWS organization accounts - - [x] **Route53** should ideally be hosted in the Shared account, although sometimes Route53 is already deployed in a Legacy - account where it can be imported and fully supported as code. - - [x] **Route53** [zero downtime migration](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-migrating.html) - (active-active hosted zones) is completely possible and achievable with Leverage terraform code - -![leverage-aws-dns](../../../assets/images/diagrams/aws-route53.png "Leverage"){: style="width:800px"} -
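Review bot: deleting `docs/how-it-works/features/index.md` removes the index that links the per-feature pages. The pages removed alongside it in this series (`compute/k8s-kops.md`, `database/mysql.md`, `database/postgres.md`, `network/dns.md`, `reliability/health-checks.md`) are covered, but the rest it links (`organization/`, `identities/`, `sso/`, `costs/`, `security/`, `network/`, `secrets/`, `compute/`, `storage/`, `cdn/`, `ci-cd/`, `monitoring/`, `reliability/`) are not touched here, so they need to stay reachable from the site navigation or they become orphaned. Please confirm the `mkdocs.yml` change covers them before merging this deletion.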
-Figure: AWS Organization shared account Route53 DNS diagram. -(Source: Cristian Southall, - -"Using CloudFormation Custom Resources to Configure Route53 Aliases", -Abstractable.io Blog post, accessed November 18th 2020). -
\ No newline at end of file diff --git a/docs/how-it-works/features/reliability/health-checks.md b/docs/how-it-works/features/reliability/health-checks.md deleted file mode 100644 index e69de29bb..000000000 diff --git a/docs/how-it-works/ref-architecture/ref-architecture-aws.md b/docs/how-it-works/ref-architecture/ref-architecture-aws.md deleted file mode 100644 index bd5c02d3d..000000000 --- a/docs/how-it-works/ref-architecture/ref-architecture-aws.md +++ /dev/null 
@@ -1,45 +0,0 @@ -![binbash-logo](../../assets/images/logos/binbash-leverage-header.png "binbash"){: style="width:800px"} - -# Reference Architecture - -!!! info "Overview" - **Reference Architecture for AWS** has been designed under optimal configs for the most - popular modern web and mobile applications needs. - Its design is fully based on AWS [“Well Architected Framework”](../../work-with-us/support.md). - - Reusing the [**Leverage Infrastructure as Code (IaC) Library**](../infra-as-code-library/index.md) via - [**Leverage CLI**](https://github.com/binbashar/leverage) to rapidly implement it. - - It will solve your entire infrastructure and will grant you complete control of the source - code and of course you'll be able to run it without us. - -#### Structural concepts -The Reference Architecture is designed with modularity in mind. A multi-accounts approach is leveraged in order to improve security isolation and resources separation. Furthermore each account infrastructure is divided in smaller units that we call **layers**. Each layer contains all the required resources and definitions for a specific service or feature to function. - -Each individual configuration of the Reference Architecture is referred to as a **project**. A Leverage project is comprised of all the relevant accounts and layers. - -### Reference Architecture Model -!!! check "Strengths" - - [x] Faster updates (new features and bug fixes). - - [x] Better code quality and modules maturity (proven and tested). - - [x] Supported by binbash, and public modules even by 1000's of top talented Open Source community - contributors. - - [x] Increase development cost savings. - - [x] Clients keep full rights to all commercial, modification, distribution, and private use of the code - (No Lock-In) through forks inside their own projects' repositories (open-source and commercially reusable via [license MIT and Apache 2.0](https://choosealicense.com/licenses/). 
- -### Reference Architecture Design -#### AWS Organizations multi-account diagram -![leverage-aws-org](../../assets/images/diagrams/ref-architecture-aws.png "Leverage"){: style="width:950px"} -
-Figure: AWS Organization multi-account reference architecture diagram. -(Source: binbash Leverage, -"Leverage Reference Architecture components", -binbash Leverage Doc, accessed August 4th 2021). -
- -## Read More - -!!! info "Related articles" - * :ledger: [Don't get locked up into avoiding lock-in](https://martinfowler.com/articles/oss-lockin.html) - * :ledger: [AWS Managed Services](https://aws.amazon.com/managed-services/) \ No newline at end of file diff --git a/docs/how-it-works/features/cdn/cdn.md b/docs/reference/features/cdn/cdn.md similarity index 99% rename from docs/how-it-works/features/cdn/cdn.md rename to docs/reference/features/cdn/cdn.md index d3099a39a..2394be8dc 100644 --- a/docs/how-it-works/features/cdn/cdn.md +++ b/docs/reference/features/cdn/cdn.md @@ -31,4 +31,4 @@ AWS Security Blog, accessed November 17th 2020). "AWS Solutions Library, AWS Solutions Implementations Serverless Image Handler", AWS Solutions Library Solutions Implementations, accessed November 17th 2020). -
\ No newline at end of file + diff --git a/docs/how-it-works/features/ci-cd/ci-cd.md b/docs/reference/features/ci-cd/ci-cd.md similarity index 100% rename from docs/how-it-works/features/ci-cd/ci-cd.md rename to docs/reference/features/ci-cd/ci-cd.md diff --git a/docs/how-it-works/features/ci-cd/k8s-argocd.md b/docs/reference/features/ci-cd/k8s-argocd.md similarity index 100% rename from docs/how-it-works/features/ci-cd/k8s-argocd.md rename to docs/reference/features/ci-cd/k8s-argocd.md diff --git a/docs/how-it-works/features/compute/k8s-eks/overview.md b/docs/reference/features/compute/k8s-eks/overview.md similarity index 100% rename from docs/how-it-works/features/compute/k8s-eks/overview.md rename to docs/reference/features/compute/k8s-eks/overview.md diff --git a/docs/how-it-works/features/compute/k8s-eks/vpc-addressing.md b/docs/reference/features/compute/k8s-eks/vpc-addressing.md similarity index 100% rename from docs/how-it-works/features/compute/k8s-eks/vpc-addressing.md rename to docs/reference/features/compute/k8s-eks/vpc-addressing.md diff --git a/docs/user-guide/features/compute/k8s-kops.md b/docs/reference/features/compute/k8s-kops.md similarity index 85% rename from docs/user-guide/features/compute/k8s-kops.md rename to docs/reference/features/compute/k8s-kops.md index 839d40b1c..b3391b99e 100644 --- a/docs/user-guide/features/compute/k8s-kops.md +++ b/docs/reference/features/compute/k8s-kops.md 
@@ -1,5 +1,31 @@ # AWS Kubernetes Kops Cluster +## Overview +**_[Kops is an official Kubernetes project](https://github.com/kubernetes/kops)_** for managing production-grade +Kubernetes clusters. Kops is currently the best tool to deploy Kubernetes clusters to Amazon Web Services. +The project describes itself as kubectl for clusters. + +!!! check "Core Features" + - [x] Open-source & supports AWS and GCE + - [x] Deploy clusters to existing virtual private clouds (VPC) or create a new VPC from scratch + - [x] Supports public & private topologies + - [x] Provisions single or multiple master clusters + - [x] Configurable bastion machines for SSH access to individual cluster nodes + - [x] Built on a state-sync model for dry-runs and automatic idempotency + - [x] Direct infrastructure manipulation, or works with CloudFormation and Terraform + - [x] Rolling cluster updates + - [x] Supports heterogeneous clusters by creating multiple instance groups + +![leverage-aws-k8s-kops](../../../assets/images/diagrams/aws-k8s-kops.png "Leverage"){: style="width:950px"} + +
+Figure: AWS K8s Kops architecture diagram (just as reference). +(Source: Carlos Rodriguez, + +"How to deploy a Kubernetes cluster on AWS with Terraform & kops", +Nclouds.com Blog post, accessed November 18th 2020). +
+ ## Kops Pre-requisites !!! attention "Important consideration" diff --git a/docs/how-it-works/features/compute/k8s-service-mesh.md b/docs/reference/features/compute/k8s-service-mesh.md similarity index 100% rename from docs/how-it-works/features/compute/k8s-service-mesh.md rename to docs/reference/features/compute/k8s-service-mesh.md diff --git a/docs/how-it-works/features/compute/overview.md b/docs/reference/features/compute/overview.md similarity index 100% rename from docs/how-it-works/features/compute/overview.md rename to docs/reference/features/compute/overview.md diff --git a/docs/how-it-works/features/compute/serverless.md b/docs/reference/features/compute/serverless.md similarity index 100% rename from docs/how-it-works/features/compute/serverless.md rename to docs/reference/features/compute/serverless.md diff --git a/docs/how-it-works/features/compute/tools.md b/docs/reference/features/compute/tools.md similarity index 100% rename from docs/how-it-works/features/compute/tools.md rename to docs/reference/features/compute/tools.md diff --git a/docs/how-it-works/features/costs/costs.md b/docs/reference/features/costs/costs.md similarity index 100% rename from docs/how-it-works/features/costs/costs.md rename to docs/reference/features/costs/costs.md diff --git a/docs/how-it-works/features/database/database.md b/docs/reference/features/database/database.md similarity index 100% rename from docs/how-it-works/features/database/database.md rename to docs/reference/features/database/database.md diff --git a/docs/reference/features/database/mysql.md b/docs/reference/features/database/mysql.md new file mode 100644 index 000000000..63a4bc02a --- /dev/null +++ b/docs/reference/features/database/mysql.md @@ -0,0 +1,3 @@ +# RDS | MySQL + +TODO Add this diff --git a/docs/reference/features/database/postgres.md b/docs/reference/features/database/postgres.md new file mode 100644 index 000000000..d001981e0 --- /dev/null +++ b/docs/reference/features/database/postgres.md 
@@ -0,0 +1,3 @@ +# RDS | PostgresSQL + +TODO Add this diff --git a/docs/user-guide/features/identities/credentials-vault.md b/docs/reference/features/identities/credentials-vault.md similarity index 100% rename from docs/user-guide/features/identities/credentials-vault.md rename to docs/reference/features/identities/credentials-vault.md diff --git a/docs/user-guide/features/identities/credentials.md b/docs/reference/features/identities/credentials.md similarity index 100% rename from docs/user-guide/features/identities/credentials.md rename to docs/reference/features/identities/credentials.md diff --git a/docs/user-guide/features/identities/gpg.md b/docs/reference/features/identities/gpg.md similarity index 100% rename from docs/user-guide/features/identities/gpg.md rename to docs/reference/features/identities/gpg.md diff --git a/docs/user-guide/features/identities/identities.md b/docs/reference/features/identities/identities.md similarity index 100% rename from docs/user-guide/features/identities/identities.md rename to docs/reference/features/identities/identities.md diff --git a/docs/how-it-works/features/identities/identities.md b/docs/reference/features/identities/identities2.md similarity index 100% rename from docs/how-it-works/features/identities/identities.md rename to docs/reference/features/identities/identities2.md diff --git a/docs/how-it-works/features/identities/roles.md b/docs/reference/features/identities/roles.md similarity index 100% rename from docs/how-it-works/features/identities/roles.md rename to docs/reference/features/identities/roles.md diff --git a/docs/how-it-works/features/monitoring/apm.md b/docs/reference/features/monitoring/apm.md similarity index 100% rename from docs/how-it-works/features/monitoring/apm.md rename to docs/reference/features/monitoring/apm.md 
diff --git a/docs/how-it-works/features/monitoring/logs.md b/docs/reference/features/monitoring/logs.md similarity index 100% rename from docs/how-it-works/features/monitoring/logs.md rename to docs/reference/features/monitoring/logs.md diff --git a/docs/how-it-works/features/monitoring/metrics.md b/docs/reference/features/monitoring/metrics.md similarity index 100% rename from docs/how-it-works/features/monitoring/metrics.md rename to docs/reference/features/monitoring/metrics.md diff --git a/docs/how-it-works/features/monitoring/monitoring.md b/docs/reference/features/monitoring/monitoring.md similarity index 100% rename from docs/how-it-works/features/monitoring/monitoring.md rename to docs/reference/features/monitoring/monitoring.md diff --git a/docs/how-it-works/features/monitoring/notification_escalation.md b/docs/reference/features/monitoring/notification_escalation.md similarity index 100% rename from docs/how-it-works/features/monitoring/notification_escalation.md rename to docs/reference/features/monitoring/notification_escalation.md diff --git a/docs/how-it-works/features/monitoring/tracing.md b/docs/reference/features/monitoring/tracing.md similarity index 100% rename from docs/how-it-works/features/monitoring/tracing.md rename to docs/reference/features/monitoring/tracing.md diff --git a/docs/user-guide/features/network/dns.md b/docs/reference/features/network/dns.md similarity index 59% rename from docs/user-guide/features/network/dns.md rename to docs/reference/features/network/dns.md index 9ff9252be..00db83083 100644 --- a/docs/user-guide/features/network/dns.md +++ b/docs/reference/features/network/dns.md 
@@ -1,7 +1,22 @@ # Route53 DNS hosted zones -!!! help "How it works" - :books: [**documentation:** DNS](../../../../how-it-works/features/network/dns/) +## How it works + +!!! info "![aws-service](../../../assets/images/icons/aws-emojipack/General_AWScloud.png){: style="width:30px"} ![aws-service](../../../assets/images/icons/aws-emojipack/NetworkingContentDelivery_AmazonRoute53.png){: style="width:20px"} Route53 Considerations" + - [x] **Route53** private hosted zone will have associations with VPCs on different AWS organization accounts + - [x] **Route53** should ideally be hosted in the Shared account, although sometimes Route53 is already deployed in a Legacy + account where it can be imported and fully supported as code. + - [x] **Route53** [zero downtime migration](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-migrating.html) + (active-active hosted zones) is completely possible and achievable with Leverage terraform code + +![leverage-aws-dns](../../../assets/images/diagrams/aws-route53.png "Leverage"){: style="width:800px"} +
+Figure: AWS Organization shared account Route53 DNS diagram. +(Source: Cristian Southall, + +"Using CloudFormation Custom Resources to Configure Route53 Aliases", +Abstractable.io Blog post, accessed November 18th 2020). +
## User guide diff --git a/docs/how-it-works/features/network/tgw-topology.md b/docs/reference/features/network/tgw-topology.md similarity index 100% rename from docs/how-it-works/features/network/tgw-topology.md rename to docs/reference/features/network/tgw-topology.md diff --git a/docs/how-it-works/features/network/vpc-addressing.md b/docs/reference/features/network/vpc-addressing.md similarity index 74% rename from docs/how-it-works/features/network/vpc-addressing.md rename to docs/reference/features/network/vpc-addressing.md index abf27a8bf..4756c31f2 100644 --- a/docs/how-it-works/features/network/vpc-addressing.md +++ b/docs/reference/features/network/vpc-addressing.md 
@@ -89,3 +89,31 @@ subnets in each of these VPCs defining Private and Public subnets split among di ### Considerations - Kubernetes on EKS General Requirements for Network Layer: [**K8s EKS Networking | VPC Adressing**](../compute/k8s-eks/vpc-addressing.md) + + +## User guide + +Please follow the steps below to orchestrate your `base-network` layer, 1st in your +[`project-shared`](https://github.com/binbashar/le-tf-infra-aws/tree/master/shared/us-east-1/base-network) AWS account and +afterwards in the necessary member accounts which will host network connected resources (EC2, Lambda, EKS, RDS, ALB, NLB, etc): + +* [x] [`project-apps-devstg`](https://github.com/binbashar/le-tf-infra-aws/tree/master/apps-devstg/us-east-1/base-network) account. +* [x] [`project-apps-prd`](https://github.com/binbashar/le-tf-infra-aws/tree/master/apps-prd/us-east-1/base-network) account. + +!!! example "Network layer standard creation workflow" + 1. Please follow + [Leverage's Terraform workflow](../../../base-workflow/repo-le-tf-infra/) for + each of your accounts. + 2. We'll start by `project-shared` AWS Account Update (add | remove | customize) your VPC associated code before + deploying this layer [shared/base-network](https://github.com/binbashar/le-tf-infra-aws/tree/master/shared/us-east-1/base-network) + Main files + - :file_folder: [network.tf](https://github.com/binbashar/le-tf-infra-aws/blob/master/shared/us-east-1/base-network/network.tf) + - :file_folder: [locals.tf](https://github.com/binbashar/le-tf-infra-aws/blob/master/shared/us-east-1/base-network/locals.tf) + 3. Repeat for every AWS member Account that needs its own VPC + [Access AWS Organization member account](https://aws.amazon.com/premiumsupport/knowledge-center/organizations-member-account-access/) + consider repeating step 3. but for the corresponding member accounts. + + +### Next Steps + +:books: [AWS VPC Peering](vpc-peering.md) \ No newline at end of file 
diff --git a/docs/how-it-works/features/network/vpc-peering.md b/docs/reference/features/network/vpc-peering.md similarity index 85% rename from docs/how-it-works/features/network/vpc-peering.md rename to docs/reference/features/network/vpc-peering.md index a3e867182..27d87b092 100644 --- a/docs/how-it-works/features/network/vpc-peering.md +++ b/docs/reference/features/network/vpc-peering.md @@ -1,5 +1,13 @@ # Diagram: Network Service (cross-account [VPC peering](https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html)) +## How it works +TODO + +## User guide +TODO + +# Diagram: Network Service (cross-account [VPC peering](https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html)) + ![leverage-aws-vpc-peering](../../../assets/images/diagrams/aws-vpc-peering-1.png "Leverage"){: style="width:300px"}
Figure: AWS multi account Organization VPC peering diagram. diff --git a/docs/how-it-works/features/network/vpc-topology.md b/docs/reference/features/network/vpc-topology.md similarity index 100% rename from docs/how-it-works/features/network/vpc-topology.md rename to docs/reference/features/network/vpc-topology.md diff --git a/docs/how-it-works/features/network/vpc-traffic-out.md b/docs/reference/features/network/vpc-traffic-out.md similarity index 100% rename from docs/how-it-works/features/network/vpc-traffic-out.md rename to docs/reference/features/network/vpc-traffic-out.md diff --git a/docs/how-it-works/features/organization/accounts.md b/docs/reference/features/organization/accounts.md similarity index 100% rename from docs/how-it-works/features/organization/accounts.md rename to docs/reference/features/organization/accounts.md diff --git a/docs/how-it-works/features/organization/billing.md b/docs/reference/features/organization/billing.md similarity index 100% rename from docs/how-it-works/features/organization/billing.md rename to docs/reference/features/organization/billing.md diff --git a/docs/user-guide/features/organization/organization-init.md b/docs/reference/features/organization/organization-init.md similarity index 100% rename from docs/user-guide/features/organization/organization-init.md rename to docs/reference/features/organization/organization-init.md diff --git a/docs/user-guide/features/organization/organization-legacy-accounts.md b/docs/reference/features/organization/organization-legacy-accounts.md similarity index 100% rename from docs/user-guide/features/organization/organization-legacy-accounts.md rename to docs/reference/features/organization/organization-legacy-accounts.md 
diff --git a/docs/how-it-works/features/organization/organization.md b/docs/reference/features/organization/organization.md similarity index 100% rename from docs/how-it-works/features/organization/organization.md rename to docs/reference/features/organization/organization.md diff --git a/docs/reference/features/overview.md b/docs/reference/features/overview.md new file mode 100644 index 000000000..bb6f8cd96 --- /dev/null +++ b/docs/reference/features/overview.md 
@@ -0,0 +1,64 @@ +![binbash-logo](../../assets/images/logos/binbash-leverage-header.png "binbash"){: style="width:800px"} + +# AWS Features +TODO What is this? + +## Governance | AWS Organizations +- [x] [AWS Organizations Initialization](organization/organization-init.md) +- [x] [Invite pre-exiting accounts to AWS Organizations](organization/organization-legacy-accounts.md) + +## Identity Management +- [x] [GPG Keys](identities/gpg.md) +- [x] [Identities](identities/identities.md) +- [x] [AWS Credentials](identities/credentials.md) +- [x] [Hashicorp Vault Credentials](identities/credentials-vault.md) + +## Single Sign-On (SSO) +- [x] [AWS SSO + Jumpcloud IdP](sso/sso.md) + +## Cost Monitoring & Optimization +- [x] [Costs](costs/costs.md) + +## Security +- [X] [Security Services](security/services.md) +- [X] [VPN | Pritunl](security/vpn.md) + +## Networking | VPC, TGW, NFW, DNS and NACLs +- [x] [VPC Addressing](network/vpc-addressing.md) +- [x] [VPC Peering](network/vpc-peering.md) +- [x] [DNS](network/dns.md) + +## Secrets Management +- [X] [Secrets](secrets/secrets.md) + +## Compute +- [x] [Compute](compute/overview.md) +- [x] [K8s EKS](compute/k8s-eks.md) +- [x] [K8s Kops](compute/k8s-kops.md) +- [x] [Serverless](compute/serverless.md) + +## Databases +- [x] [Databases](database/database.md) +- [x] [RDS MySql](database/mysql.md) +- [x] [RDS Postgres](database/postgres.md) + +## Storage +- [x] [Storage](storage/storage.md) + +## Content Delivery Network (CDN) +- [x] [AWS CloudFront](cdn/cdn.md) + +## CI/CD (Continuous Integration / Continuous Delivery) +- [x] [CI/CD](ci-cd/ci-cd.md) + +## Monitoring | Metrics, Logs, APM and Tracing +- [x] [Monitoring](monitoring/monitoring.md) +- [x] [Metrics](monitoring/metrics.md) +- [x] [Logs](monitoring/logs.md) +- [x] [Tracing](monitoring/tracing.md) +- [x] [APM](monitoring/apm.md) + +## Reliability +- [X] [Bakcups](reliability/backups.md) +- [x] [Health-Checks](reliability/health-checks.md) +- [X] [Disaster 
Recovery](reliability/dr.md) diff --git a/docs/how-it-works/features/reliability/backups.md b/docs/reference/features/reliability/backups.md similarity index 100% rename from docs/how-it-works/features/reliability/backups.md rename to docs/reference/features/reliability/backups.md diff --git a/docs/how-it-works/features/reliability/dr.md b/docs/reference/features/reliability/dr.md similarity index 100% rename from docs/how-it-works/features/reliability/dr.md rename to docs/reference/features/reliability/dr.md diff --git a/docs/how-it-works/features/reliability/high-availability.md b/docs/reference/features/reliability/high-availability.md similarity index 100% rename from docs/how-it-works/features/reliability/high-availability.md rename to docs/reference/features/reliability/high-availability.md diff --git a/docs/how-it-works/features/secrets/secrets.md b/docs/reference/features/secrets/secrets.md similarity index 100% rename from docs/how-it-works/features/secrets/secrets.md rename to docs/reference/features/secrets/secrets.md diff --git a/docs/how-it-works/features/security/audit-cloudtrail.md b/docs/reference/features/security/audit-cloudtrail.md similarity index 100% rename from docs/how-it-works/features/security/audit-cloudtrail.md rename to docs/reference/features/security/audit-cloudtrail.md diff --git a/docs/how-it-works/features/security/certificates.md b/docs/reference/features/security/certificates.md similarity index 100% rename from docs/how-it-works/features/security/certificates.md rename to docs/reference/features/security/certificates.md diff --git a/docs/how-it-works/features/security/iam-access-analyzer.md b/docs/reference/features/security/iam-access-analyzer.md similarity index 100% rename from docs/how-it-works/features/security/iam-access-analyzer.md rename to docs/reference/features/security/iam-access-analyzer.md 
diff --git a/docs/how-it-works/features/security/overview.md b/docs/reference/features/security/overview.md similarity index 100% rename from docs/how-it-works/features/security/overview.md rename to docs/reference/features/security/overview.md diff --git a/docs/how-it-works/features/security/services.md b/docs/reference/features/security/services.md similarity index 100% rename from docs/how-it-works/features/security/services.md rename to docs/reference/features/security/services.md diff --git a/docs/how-it-works/features/security/vpn.md b/docs/reference/features/security/vpn.md similarity index 100% rename from docs/how-it-works/features/security/vpn.md rename to docs/reference/features/security/vpn.md diff --git a/docs/user-guide/features/sso/sso.md b/docs/reference/features/sso/configuration.md similarity index 99% rename from docs/user-guide/features/sso/sso.md rename to docs/reference/features/sso/configuration.md index f9f06b62b..64306ca4e 100644 --- a/docs/user-guide/features/sso/sso.md +++ b/docs/reference/features/sso/configuration.md @@ -1,5 +1,6 @@ -# AWS SSO +# Configuration +## Authentication Before deploying your AWS SSO definition in the project, it will first have to be manually enabled in the AWS Management Console. !!! note ":books: [Prerequisites](https://docs.aws.amazon.com/singlesignon/latest/userguide/prereqs.html)" @@ -13,11 +14,9 @@ After that, choosing and configuring an Identity Provider (IdP) is the next step Once this is set up, the SSO layer can be safely deployed. ## Preparing the project to use AWS SSO - To implement SSO authentication in your IaC definition, some configuration values need to be present in your project. ### Global configuration - In the global configuration file, or `common.tfvars`, found in the root of the project, under the `config` directory !!! info "" 
@@ -80,7 +79,6 @@ This step needs to be performed every time the user works in a new account that This step simply writes over the credentials files for AWS CLI without asking for confirmation from the user. So it's recommended to backup/wipe old credentials before executing this step in order to avoid loss of credentials or conflicts with profiles having similar names to the ones generated by Leverage. ### 2. Logging in - This step is executed as part of the previous one. So if the user has just configured SSO, this step is not required. Having SSO configured, the user will proceed to log in. @@ -92,12 +90,9 @@ In this step, the user is prompted to manually authorize the log in process via When logging in, Leverage obtains a token from SSO. This token is later used to obtain the credentials needed for the layer the user is working on. This token has a relatively short life span to strike a balance between security and convenience for the user. ### 3. Working on a layer - When SSO is enabled in the project, Leverage will automatically figure out the required credentials for the current layer, and attempt to get them from AWS every time the user executes a command on it. These credentials are short lived (30 minutes) for security reasons, and will be refreshed automatically whenever they expire. ### 4. Logging out - When the user has finished working, running `leverage sso logout` wipes out all remaining valid credentials and voids the token obtained from logging in. - diff --git a/docs/user-guide/features/sso/managing-users.md b/docs/reference/features/sso/managing-users.md similarity index 100% rename from docs/user-guide/features/sso/managing-users.md rename to docs/reference/features/sso/managing-users.md diff --git a/docs/how-it-works/features/sso/sso.md b/docs/reference/features/sso/overview.md similarity index 98% rename from docs/how-it-works/features/sso/sso.md rename to docs/reference/features/sso/overview.md index 39a096cda..f4766dba4 100644 
--- a/docs/how-it-works/features/sso/sso.md +++ b/docs/reference/features/sso/overview.md @@ -1,5 +1,7 @@ # AWS SSO +TODO Replace JumpCloud with AWS SSO + ## Single Sign-On (SSO) JumpCloud will be configured as the Identity Provider (IdP) that we will integrate with AWS SSO in order to grant users access to AWS resources from a centralized service. diff --git a/docs/how-it-works/features/storage/storage.md b/docs/reference/features/storage/storage.md similarity index 99% rename from docs/how-it-works/features/storage/storage.md rename to docs/reference/features/storage/storage.md index 6d81ee9b7..deff705b7 100644 --- a/docs/how-it-works/features/storage/storage.md +++ b/docs/reference/features/storage/storage.md @@ -37,4 +37,4 @@ As for EBS volumes, our recommendation is to create all encrypted by default. Ov - :orange_book: [Amazon S3 FAQs](https://aws.amazon.com/s3/faqs/) - :orange_book: [Amazon S3 storage classes - Developer Guide](https://docs.aws.amazon.com/AmazonS3/latest/dev/storage-class-intro.html) - - :orange_book: [Amazon S3 Storage Classes](https://aws.amazon.com/s3/storage-classes/) \ No newline at end of file + - :orange_book: [Amazon S3 Storage Classes](https://aws.amazon.com/s3/storage-classes/) diff --git a/docs/reference/index.md b/docs/reference/index.md new file mode 100644 index 000000000..941e2135e --- /dev/null +++ b/docs/reference/index.md @@ -0,0 +1,12 @@ +![binbash-logo](../assets/images/logos/binbash-leverage-header.png "binbash"){: style="width:800px"} + +# Reference + +## Overview +The pages in this section explore, with great detail, the architecture of the components that make up Leverage. + +- [x] [Reference Architectures](./reference-architectures/) +- [x] [Infrastructure-as-Code Library](./infra-as-code-library/) +- [x] [Leverage CLI](./leverage-cli/) + +But don't feel constrained to the links above, feel free to use the left menu to explore more on your own. 
diff --git a/docs/user-guide/infra-as-code-library/infra-as-code-library-forks.md b/docs/reference/infra-as-code-library/infra-as-code-library-forks.md similarity index 100% rename from docs/user-guide/infra-as-code-library/infra-as-code-library-forks.md rename to docs/reference/infra-as-code-library/infra-as-code-library-forks.md diff --git a/docs/user-guide/infra-as-code-library/infra-as-code-library-specs.md b/docs/reference/infra-as-code-library/infra-as-code-library-specs.md similarity index 100% rename from docs/user-guide/infra-as-code-library/infra-as-code-library-specs.md rename to docs/reference/infra-as-code-library/infra-as-code-library-specs.md diff --git a/docs/user-guide/infra-as-code-library/modules-library-per-tech.md b/docs/reference/infra-as-code-library/modules-library-by-technology.md similarity index 98% rename from docs/user-guide/infra-as-code-library/modules-library-per-tech.md rename to docs/reference/infra-as-code-library/modules-library-by-technology.md index 10ae4b706..b1e665c14 100644 --- a/docs/user-guide/infra-as-code-library/modules-library-per-tech.md +++ b/docs/reference/infra-as-code-library/modules-library-by-technology.md @@ -1,4 +1,4 @@ -# Infrastructure as Code (IaC) library modules +# Modules by Technology ## **Open Source Modules Repos** diff --git a/docs/user-guide/infra-as-code-library/index.md b/docs/reference/infra-as-code-library/overview.md similarity index 92% rename from docs/user-guide/infra-as-code-library/index.md rename to docs/reference/infra-as-code-library/overview.md index ae4246dc1..3c1977afe 100644 --- a/docs/user-guide/infra-as-code-library/index.md +++ b/docs/reference/infra-as-code-library/overview.md 
@@ -1,16 +1,15 @@ -# Leverage Infrastructure as Code (IaC) Library +# Infrastructure as Code (IaC) Library ## Overview A collection of reusable, tested, production-ready E2E infrastructure as code solutions, leveraged by modules written in Terraform, Ansible, Dockerfiles, Helm charts and Makefiles. -### Model - +## Model Our development model is strongly based on code reusability. ![infra-as-code-library](../../assets/images/diagrams/infra-as-code-library-specs.png "Leverage"){: style="width:750px"} -### Reusability +## Reusability High level summary of the the code reusability efficiency. ![infra-as-code-library](../../assets/images/diagrams/infra-as-code-library-reuse.png "Leverage"){: style="width:750px"} @@ -22,8 +21,6 @@ High level summary of the the code reusability efficiency. - :cloud: :lock: [AWS HIPAA Reference article](https://aws.amazon.com/compliance/hipaa-compliance/) - :cloud: :lock: [AWS GDPR Reference article](https://aws.amazon.com/compliance/gdpr-center/) -### Modules +## Modules Infrastructure as Code (IaC) Library development and implementation workflow. ![infra-as-code-library](../../assets/images/diagrams/infra-as-code-library-workflow.png "Leverage"){: style="width:850px"} - - diff --git a/docs/user-guide/leverage-cli/reference/basic-features.md b/docs/reference/leverage-cli/basic-features.md similarity index 100% rename from docs/user-guide/leverage-cli/reference/basic-features.md rename to docs/reference/leverage-cli/basic-features.md diff --git a/docs/user-guide/leverage-cli/extending-leverage/build.env.md b/docs/reference/leverage-cli/extending-leverage/build.env.md similarity index 100% rename from docs/user-guide/leverage-cli/extending-leverage/build.env.md rename to docs/reference/leverage-cli/extending-leverage/build.env.md 
diff --git a/docs/user-guide/leverage-cli/extending-leverage/index.md b/docs/reference/leverage-cli/extending-leverage/how-to-extend.md similarity index 100% rename from docs/user-guide/leverage-cli/extending-leverage/index.md rename to docs/reference/leverage-cli/extending-leverage/how-to-extend.md diff --git a/docs/user-guide/leverage-cli/extending-leverage/tasks.md b/docs/reference/leverage-cli/extending-leverage/tasks.md similarity index 100% rename from docs/user-guide/leverage-cli/extending-leverage/tasks.md rename to docs/reference/leverage-cli/extending-leverage/tasks.md diff --git a/docs/user-guide/leverage-cli/overview.md b/docs/reference/leverage-cli/history.md similarity index 69% rename from docs/user-guide/leverage-cli/overview.md rename to docs/reference/leverage-cli/history.md index 19b9595dc..03356a0b7 100644 --- a/docs/user-guide/leverage-cli/overview.md +++ b/docs/reference/leverage-cli/history.md 
@@ -1,15 +1,4 @@ -![binbash-logo](../../assets/images/logos/binbash-leverage-header.png "binbash"){: style="width:800px"} - -# Leverage CLI - -## Overview -Leverage CLI is the tool used to manage and interact with any Leverage project. - -It transparently handles the most complex and error prone tasks that arise from working with a state-of-the-art infrastructure definition like our Leverage Reference Architecture. Leverage CLI uses a dockerized approach to encapsulate the tools needed to perform such tasks and to free the user from having to deal with the configuration and management of said tools. - -## Repositories -- [x] [Source Code (Github)](https://github.com/binbashar/leverage) -- [x] [Releases Packages (PyPI)](https://pypi.org/project/leverage/) +# A bit of history ## How Leverage CLI came about The multiple tools and technologies required to work with a Leverage project were initially handled through a Makefiles system. Not only to automate and simplify the different tasks, but also to provide a uniform user experience during the management of a project. diff --git a/docs/user-guide/leverage-cli/installation.md b/docs/reference/leverage-cli/installation.md similarity index 99% rename from docs/user-guide/leverage-cli/installation.md rename to docs/reference/leverage-cli/installation.md index fce731c14..214ddb6fd 100644 --- a/docs/user-guide/leverage-cli/installation.md +++ b/docs/reference/leverage-cli/installation.md @@ -1,4 +1,4 @@ -# Install Leverage CLI +# Installation To use Leverage CLI you need to install it from the Python Package Index (Pypi). Currently, only Linux and Mac OS are supported operative systems. diff --git a/docs/reference/leverage-cli/overview.md b/docs/reference/leverage-cli/overview.md new file mode 100644 index 000000000..8193a70c8 --- /dev/null +++ b/docs/reference/leverage-cli/overview.md 
@@ -0,0 +1,12 @@ +![binbash-logo](../../assets/images/logos/binbash-leverage-header.png "binbash"){: style="width:800px"} + +# Leverage CLI + +## Overview +Leverage CLI is the tool used to manage and interact with any Leverage project. + +It transparently handles the most complex and error prone tasks that arise from working with a state-of-the-art infrastructure definition like our Leverage Reference Architecture. Leverage CLI uses a dockerized approach to encapsulate the tools needed to perform such tasks and to free the user from having to deal with the configuration and management of said tools. + +## Repositories +- [x] [Source Code (Github)](https://github.com/binbashar/leverage) +- [x] [Releases Packages (PyPI)](https://pypi.org/project/leverage/) diff --git a/docs/user-guide/leverage-cli/reference/private-repos.md b/docs/reference/leverage-cli/private-repositories.md similarity index 81% rename from docs/user-guide/leverage-cli/reference/private-repos.md rename to docs/reference/leverage-cli/private-repositories.md index 95b4ebc19..27d9d489c 100644 --- a/docs/user-guide/leverage-cli/reference/private-repos.md +++ b/docs/reference/leverage-cli/private-repositories.md @@ -1,9 +1,7 @@ -# Working with Terraform modules in private repos - -If it is the case that the layer is using a module from a private repository read the following. - -E.g.: +# Private Repositories +## Working with Terraform modules in private repos +If it is the case that the layer is using a module from a private repository read the following. E.g.: ```yaml module "themodule" { source = "git@gitlab.com:some-org/some-project/the-private-repo.git//modules/the-module?ref=v0.0.1" 
@@ -12,14 +10,12 @@ module "themodule" { ``` where `gitlab.com:some-org/some-project/the-private-repo.git` is a private repo. - ## SSH accessed repository - To source a Terraform module from a private repository in a layer via an SSH connection these considerations have to be kept in mind. Leverage CLI will mount the host's SSH-Agent socket into the Leverage Toolbox container, this way your keys are accessed in a secure way. -So, if an SSH private repo has to be reached, the keys for such repo should be loaded in the SSH-Agent. +So, if an SSH private reporitory has to be accessed, the corresponding keys need to be loaded to the SSH-Agent. If the agent is automatically started and the needed keys added in the host system, it should work as it is. diff --git a/docs/user-guide/leverage-cli/reference/aws.md b/docs/reference/leverage-cli/reference/aws.md similarity index 100% rename from docs/user-guide/leverage-cli/reference/aws.md rename to docs/reference/leverage-cli/reference/aws.md diff --git a/docs/user-guide/leverage-cli/reference/credentials.md b/docs/reference/leverage-cli/reference/credentials.md similarity index 100% rename from docs/user-guide/leverage-cli/reference/credentials.md rename to docs/reference/leverage-cli/reference/credentials.md diff --git a/docs/user-guide/leverage-cli/reference/kubectl.md b/docs/reference/leverage-cli/reference/kubectl.md similarity index 100% rename from docs/user-guide/leverage-cli/reference/kubectl.md rename to docs/reference/leverage-cli/reference/kubectl.md diff --git a/docs/user-guide/leverage-cli/reference/project.md b/docs/reference/leverage-cli/reference/project.md similarity index 100% rename from docs/user-guide/leverage-cli/reference/project.md rename to docs/reference/leverage-cli/reference/project.md 
diff --git a/docs/user-guide/leverage-cli/reference/run.md b/docs/reference/leverage-cli/reference/run.md similarity index 100% rename from docs/user-guide/leverage-cli/reference/run.md rename to docs/reference/leverage-cli/reference/run.md diff --git a/docs/user-guide/leverage-cli/reference/terraform.md b/docs/reference/leverage-cli/reference/terraform.md similarity index 100% rename from docs/user-guide/leverage-cli/reference/terraform.md rename to docs/reference/leverage-cli/reference/terraform.md diff --git a/docs/user-guide/leverage-cli/reference/terraform/layers.md b/docs/reference/leverage-cli/reference/terraform/layers.md similarity index 100% rename from docs/user-guide/leverage-cli/reference/terraform/layers.md rename to docs/reference/leverage-cli/reference/terraform/layers.md diff --git a/docs/user-guide/leverage-cli/reference/tfautomv.md b/docs/reference/leverage-cli/reference/tfautomv.md similarity index 100% rename from docs/user-guide/leverage-cli/reference/tfautomv.md rename to docs/reference/leverage-cli/reference/tfautomv.md diff --git a/docs/user-guide/leverage-cli/shell.md b/docs/reference/leverage-cli/shell.md similarity index 94% rename from docs/user-guide/leverage-cli/shell.md rename to docs/reference/leverage-cli/shell.md index e7621b495..852afa084 100644 --- a/docs/user-guide/leverage-cli/shell.md +++ b/docs/reference/leverage-cli/shell.md @@ -1,5 +1,7 @@ -# Shell environment +# Getting Shell Access + +## The shell environment When launching a Terraform shell, Leverage provides the user with a completely isolated environment tailored to operate in the current project via a Docker container. The whole project is mounted on a directory named after the value for `project_long` in the global configuration file, or simply named `"project"` if this value is not defined. A project named `myexample`, would be mounted in `/myexample`. 
@@ -7,7 +9,7 @@ The whole project is mounted on a directory named after the value for `project_l The `.gitconfig` user's file is also mounted on `/etc/gitconfig` for convenience, while (if `ssh-agent` is running), the socket stated in `SSH_AUTH_SOCK` is mounted on `/ssh-agent`. Also, the credentials files (`credentials` and `config`) found in the project AWS credentials directory (`~/.aws/myexample`), are mapped to the locations given by the environment variables `AWS_SHARED_CREDENTIALS_FILE` and `AWS_CONFIG_FILE` respectively within the container. ## Authentication -Determining which credentials are needed to operate on a layer, and retrieving those credentials, may prove cumbersome for many complex layer definitions. In addition to that, correctly configuring them can also become a tedious an error prone process. For that reason Leverage automates this process upon launching the shell if requested by the user via the [`shell` command options](./reference/terraform.md#shell). +Determining which credentials are needed to operate on a layer, and retrieving those credentials, may prove cumbersome for many complex layer definitions. In addition to that, correctly configuring them can also become a tedious an error prone process. For that reason Leverage automates this process upon launching the shell if requested by the user via the [`shell` command options](reference/terraform.md#shell). Bear in mind, that an authenticated shell session's credentials are obtained for the layer in which the session was launched. These credentials may not be valid for other layers in which different roles need to be assumed or require more permissions. 
@@ -23,7 +25,7 @@ The user's programmatic keys must be configured beforehand via `leverage credent ### Single-Sign On -If authentication via SSO is required, the user will need to [configure](./reference/aws.md#configure-sso) or [login](./reference/aws.md#sso-login) into SSO before launching the shell via +If authentication via SSO is required, the user will need to [configure](reference/aws.md#configure-sso) or [login](./reference/aws.md#sso-login) into SSO before launching the shell via ``` bash leverage terraform shell --sso diff --git a/docs/user-guide/reference-architectures/ref-architecture-ansible/configs.md b/docs/reference/reference-architectures/ref-architecture-ansible/configs.md similarity index 100% rename from docs/user-guide/reference-architectures/ref-architecture-ansible/configs.md rename to docs/reference/reference-architectures/ref-architecture-ansible/configs.md diff --git a/docs/reference/reference-architectures/ref-architecture-ansible/overview.md b/docs/reference/reference-architectures/ref-architecture-ansible/overview.md new file mode 100644 index 000000000..e37c8b4d8 --- /dev/null +++ b/docs/reference/reference-architectures/ref-architecture-ansible/overview.md @@ -0,0 +1,4 @@ +# Ansible Reference Architecture + +## Overview +TODO What is? diff --git a/docs/user-guide/reference-architectures/ref-architecture-ansible/workflow.md b/docs/reference/reference-architectures/ref-architecture-ansible/workflow.md similarity index 100% rename from docs/user-guide/reference-architectures/ref-architecture-ansible/workflow.md rename to docs/reference/reference-architectures/ref-architecture-ansible/workflow.md diff --git a/docs/user-guide/reference-architectures/ref-architecture-aws/configs.md b/docs/reference/reference-architectures/ref-architecture-aws/configs.md similarity index 100% rename from docs/user-guide/reference-architectures/ref-architecture-aws/configs.md rename to docs/reference/reference-architectures/ref-architecture-aws/configs.md 
diff --git a/docs/user-guide/reference-architectures/ref-architecture-aws/credentials.md b/docs/reference/reference-architectures/ref-architecture-aws/credentials.md similarity index 100% rename from docs/user-guide/reference-architectures/ref-architecture-aws/credentials.md rename to docs/reference/reference-architectures/ref-architecture-aws/credentials.md diff --git a/docs/user-guide/reference-architectures/ref-architecture-aws/dir-structure.md b/docs/reference/reference-architectures/ref-architecture-aws/dir-structure.md similarity index 100% rename from docs/user-guide/reference-architectures/ref-architecture-aws/dir-structure.md rename to docs/reference/reference-architectures/ref-architecture-aws/dir-structure.md diff --git a/docs/reference/reference-architectures/ref-architecture-aws/overview.md b/docs/reference/reference-architectures/ref-architecture-aws/overview.md new file mode 100644 index 000000000..84adc55fc --- /dev/null +++ b/docs/reference/reference-architectures/ref-architecture-aws/overview.md 
@@ -0,0 +1,43 @@ +# AWS Reference Architecture + +## Overview +The AWS Reference Architecture was created on a set of opinionated definitions and conventions on: + +* [how to organize files/folders](dir-structure.md), +* where to store [configuration files](configs.md), +* how to handle [credentials](credentials.md), +* how to [set up](tf-state-setup.md) and [manage state](tf-state-workflow.md), +* which [commands and workflows](tf-workflow.md) to run in order to perform different tasks, +* and more. + +!!! info "Key Concept" + Although the **Reference Architecture for AWS** was initially designed to be compatible with web, mobile and microservices application stacks, it can also accommodate other types of workloads such as machine learning, blockchain, media, and more. + + Its design is strongly based on the [AWS Well Architected Framework](../../work-with-us/support.md). + +It was designed with modularity in mind. A multi-accounts approach is leveraged in order to improve security isolation and resources separation. Furthermore each account infrastructure is divided in smaller units that we call **layers**. Each layer contains all the required resources and definitions for a specific service or feature to function. + +Each individual configuration of the Reference Architecture is referred to as a **project**. A Leverage project is comprised of all the relevant accounts and layers. + +!!! check "Core Strengths" + - [x] Faster updates (new features and bug fixes). + - [x] Better code quality and modules maturity (proven and tested). + - [x] Supported by binbash, and public modules even by 1000's of top talented Open Source community + contributors. + - [x] Increase development cost savings. 
+ - [x] Clients keep full rights to all commercial, modification, distribution, and private use of the code + (No Lock-In) through forks inside their own projects' repositories (open-source and commercially reusable via [license MIT and Apache 2.0](https://choosealicense.com/licenses/). + +## Reference Architecture Design +The following diagram shows an example of the type of AWS multi-account setup you can achieve with this Reference Architecture: +![leverage-aws-org](../../../assets/images/diagrams/ref-architecture-aws.png "Leverage"){: style="width:950px"} +
+Figure: AWS Organization multi-account reference architecture diagram. +(Source: binbash Leverage, +"Leverage Reference Architecture components", +binbash Leverage Doc, accessed August 4th 2021). +
+ +!!! info "Read more" + * :ledger: [Don't get locked up into avoiding lock-in](https://martinfowler.com/articles/oss-lockin.html) + * :ledger: [AWS Managed Services](https://aws.amazon.com/managed-services/) diff --git a/docs/user-guide/reference-architectures/ref-architecture-aws/tf-state-workflow.md b/docs/reference/reference-architectures/ref-architecture-aws/tf-state.md similarity index 91% rename from docs/user-guide/reference-architectures/ref-architecture-aws/tf-state-workflow.md rename to docs/reference/reference-architectures/ref-architecture-aws/tf-state.md index 0a93bb0fd..1b911217c 100644 --- a/docs/user-guide/reference-architectures/ref-architecture-aws/tf-state-workflow.md +++ b/docs/reference/reference-architectures/ref-architecture-aws/tf-state.md @@ -1,5 +1,8 @@ # Terraform - S3 & DynamoDB for Remote State Storage & Locking +TODO What is? Why? +TODO Set up + ## Overview Use this terraform configuration files to create the **S3 bucket** & **DynamoDB** table needed to use Terraform Remote State Storage & Locking. @@ -53,3 +56,9 @@ Terraform modules registry, accessed December 3rd 2020). ## Expected workflow after set up :warning: this tape must be updated [![asciicast](https://asciinema.org/a/377220.svg)](https://asciinema.org/a/377220) + +# Terraform Remote State +In the `base-tf-backend` folder you should find the definition of the infrastructure that needs to be deployed before +you can get to work with anything else. + +**IMPORTANT:** THIS IS ONLY NEEDED IF THE BACKEND WAS NOT CREATED YET. IF THE BACKEND ALREADY EXISTS YOU JUST USE IT. diff --git a/docs/user-guide/reference-architectures/ref-architecture-aws/tf-workflow.md b/docs/reference/reference-architectures/ref-architecture-aws/workflow.md similarity index 96% rename from docs/user-guide/reference-architectures/ref-architecture-aws/tf-workflow.md rename to docs/reference/reference-architectures/ref-architecture-aws/workflow.md index edee59d8e..b1a9fa930 100644 
--- a/docs/user-guide/reference-architectures/ref-architecture-aws/tf-workflow.md +++ b/docs/reference/reference-architectures/ref-architecture-aws/workflow.md @@ -1,5 +1,8 @@ # Workflow +## Intro +TODO What is the Terraform Workflow? + ## Steps !!! check "Terraform Workflow" 1. Make sure you've read and prepared your local development environment following the @@ -33,8 +36,5 @@ ![leverage-aws-terraform](../../../assets/images/diagrams/aws-terraform-automation.png "Terraform"){: style="width:350"}
Figure: Running terraform with AWS in automation (just as reference).
-## Read More - -!!! info "Extra resources" +!!! info "Read More" * :ledger: [Running Terraform in automation](https://learn.hashicorp.com/terraform/development/running-terraform-in-automation) - diff --git a/docs/how-it-works/ref-architecture/ref-architecture-eks.md b/docs/reference/reference-architectures/ref-architecture-eks/overview.md similarity index 88% rename from docs/how-it-works/ref-architecture/ref-architecture-eks.md rename to docs/reference/reference-architectures/ref-architecture-eks/overview.md index 558819eaf..5d67b91cb 100644 --- a/docs/how-it-works/ref-architecture/ref-architecture-eks.md +++ b/docs/reference/reference-architectures/ref-architecture-eks/overview.md @@ -1,5 +1,3 @@ -![binbash-logo](../../assets/images/logos/binbash-leverage-header.png "binbash"){: style="width:800px"} - # AWS EKS Reference Architecture ## Amazon EKS Resources @@ -37,7 +35,7 @@ We have 3 options here: ## Amazon EKS Architecture Diagram ### Higl-Level components diagram -![leverage-aws-eks](../../assets/images/diagrams/ref-architecture-eks.png "Leverage"){: style="width:750px"} +![leverage-aws-eks](../../../assets/images/diagrams/ref-architecture-eks.png "Leverage"){: style="width:750px"}
Figure: K8S EKS reference architecture components diagram. (Source: binbash Leverage Confluence Doc, @@ -47,11 +45,11 @@ binbash Leverage Doc, accessed January 5th 2022).
### Detailed components diagram -![leverage-aws-eks-detailed](../../assets/images/diagrams/ref-architecture-eks-components.png "Leverage"){: style="width:750px"} +![leverage-aws-eks-detailed](../../../assets/images/diagrams/ref-architecture-eks-components.png "Leverage"){: style="width:750px"}
Figure: K8S EKS reference architecture detailed components diagram. (Source: binbash Leverage Confluence Doc, "Implementation Diagrams", binbash Leverage Doc, accessed January 5th 2022). -
\ No newline at end of file +
diff --git a/docs/user-guide/reference-architectures/ref-architecture-vault/configs.md b/docs/reference/reference-architectures/ref-architecture-vault/configs.md similarity index 100% rename from docs/user-guide/reference-architectures/ref-architecture-vault/configs.md rename to docs/reference/reference-architectures/ref-architecture-vault/configs.md diff --git a/docs/user-guide/reference-architectures/ref-architecture-vault/dir-structure.md b/docs/reference/reference-architectures/ref-architecture-vault/dir-structure.md similarity index 100% rename from docs/user-guide/reference-architectures/ref-architecture-vault/dir-structure.md rename to docs/reference/reference-architectures/ref-architecture-vault/dir-structure.md diff --git a/docs/user-guide/reference-architectures/ref-architecture-vault/tf-state-workflow.md b/docs/reference/reference-architectures/ref-architecture-vault/tf-state-workflow.md similarity index 100% rename from docs/user-guide/reference-architectures/ref-architecture-vault/tf-state-workflow.md rename to docs/reference/reference-architectures/ref-architecture-vault/tf-state-workflow.md diff --git a/docs/user-guide/reference-architectures/ref-architecture-vault/workflow.md b/docs/reference/reference-architectures/ref-architecture-vault/workflow.md similarity index 100% rename from docs/user-guide/reference-architectures/ref-architecture-vault/workflow.md rename to docs/reference/reference-architectures/ref-architecture-vault/workflow.md diff --git a/docs/user-guide/troubleshooting/credentials.md b/docs/reference/troubleshooting/credentials.md similarity index 100% rename from docs/user-guide/troubleshooting/credentials.md rename to docs/reference/troubleshooting/credentials.md diff --git a/docs/try-leverage/aws-account-setup.md b/docs/try-leverage/aws-account-setup.md index 8322ff9d8..eed914127 100644 --- a/docs/try-leverage/aws-account-setup.md +++ b/docs/try-leverage/aws-account-setup.md 
@@ -1,4 +1,4 @@ -# Set Up your AWS Management account +# Creating your AWS Management account ## Create an AWS account First and foremost you'll need to [create an AWS account](../user-guide/features/organization/organization-init.md) for your project. This will be the management account of your [AWS Organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html) and the email address you use for signing up will be the [root user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html) of this account -- you can see this user represented in the [architecture diagram](../introduction/#introduction). diff --git a/docs/try-leverage/introduction.md b/docs/try-leverage/index.md similarity index 95% rename from docs/try-leverage/introduction.md rename to docs/try-leverage/index.md index 7c3581e53..b35714216 100644 --- a/docs/try-leverage/introduction.md +++ b/docs/try-leverage/index.md @@ -1,6 +1,8 @@ ![binbash-logo](../assets/images/logos/binbash-leverage-header.png "binbash"){: style="width:800px"} -# Introduction +# Try Leverage + +## Overview The objective of this guide is to introduce the user to our [**binbash Leverage Reference Architecture for AWS**](../../how-it-works/ref-architecture/) workflow @@ -20,7 +22,8 @@ their specific needs. Figure: Leverage Landing Zone architecture components diagram. -On this guide you will learn how to: +## About this guide +In this guide you will learn how to: - [X] Create and configure your AWS account. - [X] Work with the Leverage CLI to manage your credentials, infrastructure and the whole Leverage stack. diff --git a/docs/try-leverage/management-account.md b/docs/try-leverage/management-account.md index ae714bff8..5e742b276 100644 --- a/docs/try-leverage/management-account.md +++ b/docs/try-leverage/management-account.md 
@@ -1,13 +1,13 @@ -# Orchestrate the Management account +# Configure the Management account Finally we reach the point in which you'll get to actually create the infrastructure in our AWS environment. -Some accounts and layers rely on other accounts/layers being already deployed, creating dependencies between each other and establishing an order in which all layers should be deployed. We will go through these dependency chains in order. +Some accounts and layers rely on other accounts or layers to be deployed first, which creates dependencies between them and establishes an order in which all layers should be deployed. We will go through these dependencies in order. + +The **management** account is used to configure and access all the accounts in the AWS Organization. Consolidated Billing and Cost Management are also enforced though this account. !!! success "Costs associated with this solution" By default this AWS Reference Architecture configuration should not incur in any costs. -The **management** account is used to configure and access all the accounts in the AWS Organization. Consolidated Billing and Cost Management are also enforced though this account. - ## Deploy the Management account's layers To begin, place yourself in the `management` account directory. ``` bash diff --git a/docs/try-leverage/security-and-shared-accounts.md b/docs/try-leverage/security-and-shared-accounts.md index 42470fd93..727af0c8c 100644 --- a/docs/try-leverage/security-and-shared-accounts.md +++ b/docs/try-leverage/security-and-shared-accounts.md @@ -1,4 +1,5 @@ -# Orchestrate the Security and Shared accounts +# Configure the Security and Shared accounts +Just a couple more accounts to get ready. Let's go! ## Deploy the Security account's layers The next account to orchestrate is the **security** account. diff --git a/docs/user-guide/features/cdn/cdn.md b/docs/user-guide/features/cdn/cdn.md deleted file mode 100644 index e69de29bb..000000000 
diff --git a/docs/user-guide/features/ci-cd/ci-cd.md b/docs/user-guide/features/ci-cd/ci-cd.md deleted file mode 100644 index e69de29bb..000000000 diff --git a/docs/user-guide/features/compute/k8s-eks.md b/docs/user-guide/features/compute/k8s-eks.md deleted file mode 100644 index e69de29bb..000000000 diff --git a/docs/user-guide/features/compute/overview.md b/docs/user-guide/features/compute/overview.md deleted file mode 100644 index e69de29bb..000000000 diff --git a/docs/user-guide/features/compute/serverless.md b/docs/user-guide/features/compute/serverless.md deleted file mode 100644 index e69de29bb..000000000 diff --git a/docs/user-guide/features/costs/costs.md b/docs/user-guide/features/costs/costs.md deleted file mode 100644 index 908ec7857..000000000 --- a/docs/user-guide/features/costs/costs.md +++ /dev/null @@ -1,11 +0,0 @@ -# Cost Management Layer - -!!! help "How it works" - :books: [**documentation:** Costs]() - -## User guide -TODO - - -### Next Steps -TODO \ No newline at end of file diff --git a/docs/user-guide/features/database/database.md b/docs/user-guide/features/database/database.md deleted file mode 100644 index e69de29bb..000000000 diff --git a/docs/user-guide/features/database/mysql.md b/docs/user-guide/features/database/mysql.md deleted file mode 100644 index e69de29bb..000000000 diff --git a/docs/user-guide/features/database/postgres.md b/docs/user-guide/features/database/postgres.md deleted file mode 100644 index e69de29bb..000000000 diff --git a/docs/user-guide/features/features-overview.md b/docs/user-guide/features/features-overview.md deleted file mode 100644 index fc7bd1cc1..000000000 --- a/docs/user-guide/features/features-overview.md +++ /dev/null 
@@ -1,64 +0,0 @@ -![binbash-logo](../../assets/images/logos/binbash-leverage-header.png "binbash"){: style="width:800px"} - -# AWS Reference Architecture features - -??? check "Governance | AWS Organizations" - - [x] [AWS Organizations Initialization](./organization/organization-init.md) - - [x] [Invite pre-exiting accounts to AWS Organizations](./organization/organization-legacy-accounts.md) - -??? check "Identity Management" - - [x] [**GPG Keys**](./identities/gpg.md) - - [x] [**Identities**](./identities/identities.md) - - [x] [**AWS Credentials**](./identities/credentials.md) - - [x] [**Hashicorp Vault Credentials**](./identities/credentials-vault.md) - -??? check "Single Sign-On (SSO)" - - [x] [**AWS SSO + Jumpcloud IdP**](./sso/sso.md) - -??? check "Cost Monitoring & Optimization" - - [x] [**Costs**](./costs/costs.md) - -??? check "Security" - - [X] [Security Services](./security/services.md) - - [X] [VPN | Pritunl](./security/vpn.md) - -??? check "Networking | VPC, TGW, NFW, DNS and NACLs" - - [x] [VPC Addressing](./network/vpc-addressing.md) - - [x] [VPC Peering](./network/vpc-peering.md) - - [x] [DNS](./network/dns.md) - -??? check "Secrets Management" - - [X] [Secrets](./secrets/secrets.md) - -??? check "Compute" - - [x] [**Compute**](./compute/overview.md) - - [x] [**K8s EKS**](./compute/k8s-eks.md) - - [x] [**K8s Kops**](./compute/k8s-kops.md) - - [x] [**Serverless**](./compute/serverless.md) - -??? check "Databases" - - [x] [**Databases**](./database/database.md) - - [x] [**RDS MySql**](./database/mysql.md) - - [x] [**RDS Postgres**](./database/postgres.md) - -??? check "Storage" - - [x] [**Storage**](./storage/storage.md) - -??? check "Content Delivery Network (CDN)" - - [x] [**AWS CloudFront**](./cdn/cdn.md) - -??? check "CI/CD (Continuous Integration / Continuous Delivery)" - - [x] [**CI/CD**](./ci-cd/ci-cd.md) - -??? 
check "Monitoring | Metrics, Logs, APM and Tracing" - - [x] [**Monitoring**](./monitoring/monitoring.md) - - [x] [Metrics](./monitoring/metrics.md) - - [x] [Logs](./monitoring/logs.md) - - [x] [Tracing](./monitoring/tracing.md) - - [x] [APM](./monitoring/apm.md) - -??? check "Reliability" - - [X] [Bakcups](./reliability/backups.md) - - [x] [Health-Checks](./reliability/health-checks.md) - - [X] [Disaster Recovery](./reliability/dr.md) - diff --git a/docs/user-guide/features/monitoring/apm.md b/docs/user-guide/features/monitoring/apm.md deleted file mode 100644 index 0d3958031..000000000 --- a/docs/user-guide/features/monitoring/apm.md +++ /dev/null @@ -1,7 +0,0 @@ -# Application Performance Monitoring (APM) and Business Performance - -!!! help "How it works" - :books: [**documentation:** APM](../../../../how-it-works/features/monitoring/apm/) - -## User guide -TODO \ No newline at end of file diff --git a/docs/user-guide/features/monitoring/logs.md b/docs/user-guide/features/monitoring/logs.md deleted file mode 100644 index e69de29bb..000000000 diff --git a/docs/user-guide/features/monitoring/metrics.md b/docs/user-guide/features/monitoring/metrics.md deleted file mode 100644 index e69de29bb..000000000 diff --git a/docs/user-guide/features/monitoring/monitoring.md b/docs/user-guide/features/monitoring/monitoring.md deleted file mode 100644 index e69de29bb..000000000 diff --git a/docs/user-guide/features/monitoring/tracing.md b/docs/user-guide/features/monitoring/tracing.md deleted file mode 100644 index e69de29bb..000000000 diff --git a/docs/user-guide/features/network/vpc-addressing.md b/docs/user-guide/features/network/vpc-addressing.md deleted file mode 100644 index 1b47b4374..000000000 --- a/docs/user-guide/features/network/vpc-addressing.md +++ /dev/null 
@@ -1,31 +0,0 @@ -# Network Layer - -!!! help "How it works" - :books: [**documentation:** Networking](../../../../how-it-works/features/network/vpc-addressing/) - -## User guide - -Please follow the steps below to orchestrate your `base-network` layer, 1st in your -[`project-shared`](https://github.com/binbashar/le-tf-infra-aws/tree/master/shared/us-east-1/base-network) AWS account and -afterwards in the necessary member accounts which will host network connected resources (EC2, Lambda, EKS, RDS, ALB, NLB, etc): - -* [x] [`project-apps-devstg`](https://github.com/binbashar/le-tf-infra-aws/tree/master/apps-devstg/us-east-1/base-network) account. -* [x] [`project-apps-prd`](https://github.com/binbashar/le-tf-infra-aws/tree/master/apps-prd/us-east-1/base-network) account. - -!!! example "Network layer standard creation workflow" - 1. Please follow - [Leverage's Terraform workflow](../../../base-workflow/repo-le-tf-infra/) for - each of your accounts. - 2. We'll start by `project-shared` AWS Account Update (add | remove | customize) your VPC associated code before - deploying this layer [shared/base-network](https://github.com/binbashar/le-tf-infra-aws/tree/master/shared/us-east-1/base-network) - Main files - - :file_folder: [network.tf](https://github.com/binbashar/le-tf-infra-aws/blob/master/shared/us-east-1/base-network/network.tf) - - :file_folder: [locals.tf](https://github.com/binbashar/le-tf-infra-aws/blob/master/shared/us-east-1/base-network/locals.tf) - 3. Repeat for every AWS member Account that needs its own VPC - [Access AWS Organization member account](https://aws.amazon.com/premiumsupport/knowledge-center/organizations-member-account-access/) - consider repeating step 3. but for the corresponding member accounts. - - -### Next Steps - -:books: [AWS VPC Peering](vpc-peering.md) \ No newline at end of file 
diff --git a/docs/user-guide/features/network/vpc-peering.md b/docs/user-guide/features/network/vpc-peering.md deleted file mode 100644 index ec602dd79..000000000 --- a/docs/user-guide/features/network/vpc-peering.md +++ /dev/null @@ -1,7 +0,0 @@ -# Diagram: Network Service (cross-account [VPC peering](https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html)) - -## How it works -TODO - -## User guide -TODO \ No newline at end of file diff --git a/docs/user-guide/features/reliability/backups.md b/docs/user-guide/features/reliability/backups.md deleted file mode 100644 index e69de29bb..000000000 diff --git a/docs/user-guide/features/reliability/dr.md b/docs/user-guide/features/reliability/dr.md deleted file mode 100644 index e69de29bb..000000000 diff --git a/docs/user-guide/features/reliability/health-checks.md b/docs/user-guide/features/reliability/health-checks.md deleted file mode 100644 index e69de29bb..000000000 diff --git a/docs/user-guide/features/secrets/secrets.md b/docs/user-guide/features/secrets/secrets.md deleted file mode 100644 index e69de29bb..000000000 diff --git a/docs/user-guide/features/security/services.md b/docs/user-guide/features/security/services.md deleted file mode 100644 index aecab8438..000000000 --- a/docs/user-guide/features/security/services.md +++ /dev/null @@ -1,7 +0,0 @@ -# AWS Security & Compliance Services - -## How it works -TODO - -## User guide -TODO \ No newline at end of file diff --git a/docs/user-guide/features/security/vpn.md b/docs/user-guide/features/security/vpn.md deleted file mode 100644 index 8cefe5212..000000000 --- a/docs/user-guide/features/security/vpn.md +++ /dev/null @@ -1,7 +0,0 @@ -# VPN Server - -## How it works -TODO - -## User guide -TODO \ No newline at end of file diff --git a/docs/user-guide/features/storage/storage.md b/docs/user-guide/features/storage/storage.md deleted file mode 100644 index e69de29bb..000000000 
diff --git a/docs/user-guide/overview.md b/docs/user-guide/overview.md deleted file mode 100644 index 342b38d00..000000000 --- a/docs/user-guide/overview.md +++ /dev/null @@ -1,12 +0,0 @@ -![binbash-logo](../assets/images/logos/binbash-leverage-header.png "binbash"){: style="width:800px"} - -# Reference Architectures - -## Overview -The pages in this section explore the architecture of Leverage with great detail. - -Start by visiting the pages below or simply use the left menu to explore on your own: - -* [Reference Architectures](./reference-architectures/) -* [Infrastructure-as-Code Library](./infra-as-code-library/) -* [Leverage CLI](./leverage-cli/) diff --git a/docs/user-guide/reference-architectures/ref-architecture-aws/overview.md b/docs/user-guide/reference-architectures/ref-architecture-aws/overview.md deleted file mode 100644 index 7a2498473..000000000 --- a/docs/user-guide/reference-architectures/ref-architecture-aws/overview.md +++ /dev/null @@ -1,13 +0,0 @@ -# AWS Reference Architecture - -## Overview -Our AWS Reference Architecture was created on a set of opinionated definitions and conventions on: - -* [how to organize files/folders](dir-structure.md), -* where to store [configuration files](configs.md), -* how to handle [credentials](credentials.md), -* how to [set up](tf-state-setup.md) and [manage state](tf-state-workflow.md), -* which [commands and workflows](tf-workflow.md) to run in order to perform different tasks, -* and more. - -The pages in this section are about the above concerns in connection with our AWS Reference Architecture. diff --git a/docs/user-guide/reference-architectures/ref-architecture-aws/tf-state-setup.md b/docs/user-guide/reference-architectures/ref-architecture-aws/tf-state-setup.md deleted file mode 100644 index 1edcc132d..000000000 --- a/docs/user-guide/reference-architectures/ref-architecture-aws/tf-state-setup.md +++ /dev/null 
@@ -1,32 +0,0 @@ -# Terraform Remote State -In the `base-tf-backend` folder you should find the definition of the infrastructure that needs to be deployed before -you can get to work with anything else. - -**IMPORTANT:** THIS IS ONLY NEEDED IF THE BACKEND WAS NOT CREATED YET. IF THE BACKEND ALREADY EXISTS YOU JUST USE IT. - -!!! info "Read More" - * [x] [Terraform - S3 & DynamoDB for Remote State Storage & Locking](tf-state-workflow.md) - -## Configuration - -!!! tips "Config files can be found under each `config` folders" - - :file_folder: **Global config file** - [`/config/common.tfvars`](https://github.com/binbashar/le-tf-infra-aws/blob/master/config/common.tfvars.example) - contains global context TF variables that we inject to TF commands which are used by all sub-directories such as - `leverage terraform plan` or `leverage terraform apply` and which cannot be stored in `backend.config` due to TF. - - :file_folder: **Account config files** - - [`backend.tfvars`](https://github.com/binbashar/le-tf-infra-aws/blob/master/shared/config/backend.tfvars) - contains TF variables that are mainly used to configure TF backend but since - `profile` and `region` are defined there, we also use them to inject those values into other TF commands. - - [`account.tfvars`](https://github.com/binbashar/le-tf-infra-aws/blob/master/shared/config/account.tfvars) - contains TF variables that are specific to an AWS account. - -## AWS Profile -- File `backend.tfvars` will inject the profile name that TF will use to make changes on AWS. -- Such profile is usually one that relies on another profile to assume a role to get access to each corresponding account. 
-- Please follow to correctly setup your AWS Credentials - - [user-guide/features/identities](../features/identities/identities.md) - - [user-guide/features/identities/credentials](../features/identities/credentials.md) -- Read the following page leverage doc to understand [how to set up a profile to assume -a role](https://docs.aws.amazon.com/cli/latest/userguide/cli-roles.html) - diff --git a/mkdocs.yml b/mkdocs.yml index 43d03afa6..81385bca9 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
@@ -154,33 +154,158 @@ nav: - Welcome: "welcome.md" - First steps: "try-leverage/introduction.md" - How it works: "how-it-works/ref-architecture/index.md" - - User guide: "user-guide/index.md" + - User guide: "reference/index.md" - Work with us: "work-with-us/index.md" - License: "license.md" - Try Leverage: - - Introduction: "try-leverage/introduction.md" - - Set Up your AWS Management account: "try-leverage/aws-account-setup.md" + - Index: "try-leverage/index.md" + - Creating your AWS Management account: "try-leverage/aws-account-setup.md" - Install Leverage CLI: "try-leverage/local-setup.md" - Create a Leverage project: "try-leverage/leverage-project-setup.md" - - Orchestrate the Management account: "try-leverage/management-account.md" - - Orchestrate the Security and Shared accounts: "try-leverage/security-and-shared-accounts.md" + - Configure the Management account: "try-leverage/management-account.md" + - Configure the Security and Shared accounts: "try-leverage/security-and-shared-accounts.md" - Post-deployment: "try-leverage/post-deployment.md" - Concepts: - - Overview: "concepts/overview.md" + - Index: "concepts/index.md" - What is Leverage?: "concepts/what-is-leverage.md" - Why Leverage?: "concepts/why-leverage.md" + - What can Leverange do for you?: "concepts/what-leverage-can-do-for-you.md" - Our Tech Stack: "concepts/our-tech-stack.md" - Next Steps: "concepts/next-steps.md" + - Reference: + - Index: "reference/index.md" + - AWS Reference Architecture: + - Overview: "reference/reference-architectures/ref-architecture-aws/overview.md" + - Project Structure: "reference/reference-architectures/ref-architecture-aws/dir-structure.md" + - Configuration: "reference/reference-architectures/ref-architecture-aws/configs.md" + - Credentials: "reference/reference-architectures/ref-architecture-aws/credentials.md" + - Workflow: "reference/reference-architectures/ref-architecture-aws/workflow.md" + - Terraform State: 
"reference/reference-architectures/ref-architecture-aws/tf-state.md" + - Features: + - Overview: "reference/features/overview.md" + - AWS Organization: + - Organization: "reference/features/organization/organization.md" + - Accounts: "reference/features/organization/accounts.md" + - Billing: "reference/features/organization/billing.md" + - Organization Init: "reference/features/organization/organization-init.md" + - Invite Legacy accounts: "reference/features/organization/organization-legacy-accounts.md" + - Identities: + - gpg: "reference/features/identities/gpg.md" + - Identities: "reference/features/identities/identities.md" + - Credentials: "reference/features/identities/credentials.md" + - Credentials Vault: "reference/features/identities/credentials-vault.md" + - Identities2: "reference/features/identities/identities2.md" + - Roles: "reference/features/identities/roles.md" + - SSO: + - Overview: "reference/features/sso/overview.md" + - Configuration: "reference/features/sso/configuration.md" + - Onboarding Users: "reference/features/sso/managing-users.md" + - Costs: "reference/features/costs/costs.md" + - Security: + - Overview: "reference/features/security/overview.md" + - VPN: "reference/features/security/vpn.md" + - Services: "reference/features/security/services.md" + - CloudTrail: "reference/features/security/audit-cloudtrail.md" + - Certificates: "reference/features/security/certificates.md" + - IAM Access Anayzer: "reference/features/security/iam-access-analyzer.md" + - Network: + - VPC: "reference/features/network/vpc-addressing.md" + - VPC Peering: "reference/features/network/vpc-peering.md" + - VPC Topology: "reference/features/network/vpc-topology.md" + - VPC Traffic Out: "reference/features/network/vpc-traffic-out.md" + - DNS: "reference/features/network/dns.md" + - Transit Gateway: "reference/features/network/tgw-topology.md" + - Secrets: "reference/features/secrets/secrets.md" + - Compute: + - Overview: "reference/features/compute/overview.md" + 
- K8s Kops: "reference/features/compute/k8s-kops.md" + - K8s EKS: "reference/features/compute/k8s-eks/overview.md" + - K8s EKS VPC: "reference/features/compute/k8s-eks/vpc-addressing.md" + - K8s Service Mesh: "reference/features/compute/k8s-service-mesh.md" + - Serverless: "reference/features/compute/serverless.md" + - Tools: "reference/features/compute/tools.md" + - Database: + - Databases: "reference/features/database/database.md" + - MySQL: "reference/features/database/mysql.md" + - PostgresSQL: "reference/features/database/postgres.md" + - Storage: "reference/features/storage/storage.md" + - CDN: "reference/features/cdn/cdn.md" + - CI/CD: "reference/features/ci-cd/ci-cd.md" + - Monitoring: + - Monitoring: "reference/features/monitoring/monitoring.md" + - Metrics: "reference/features/monitoring/metrics.md" + - Logs: "reference/features/monitoring/logs.md" + - Tracing: "reference/features/monitoring/tracing.md" + - APM: "reference/features/monitoring/apm.md" + - Reliability: + - Backups: "reference/features/reliability/backups.md" + - Disaster Recovery: "reference/features/reliability/dr.md" + - High Availability: "reference/features/reliability/high-availability.md" + - EKS Reference Architecture: + - Overview: "reference/reference-architectures/ref-architecture-eks/overview.md" + - Ansible Reference Architecture: + - Overview: "reference/reference-architectures/ref-architecture-ansible/overview.md" + - Configs: "reference/reference-architectures/ref-architecture-ansible/configs.md" + - Workflow: "reference/reference-architectures/ref-architecture-ansible/workflow.md" + - Leverage CLI: + - Overview: "reference/leverage-cli/overview.md" + - Installation: "reference/leverage-cli/installation.md" + - Basic features: "reference/leverage-cli/basic-features.md" + - Commands Reference: + - project: "reference/leverage-cli/reference/project.md" + - credentials: "reference/leverage-cli/reference/credentials.md" + - aws: "reference/leverage-cli/reference/aws.md" + - 
terraform: + - commands: "reference/leverage-cli/reference/terraform.md" + - layers: "reference/leverage-cli/reference/terraform/layers.md" + - tfautomv: "reference/leverage-cli/reference/tfautomv.md" + - run: "reference/leverage-cli/reference/run.md" + - kubectl: "reference/leverage-cli/reference/kubectl.md" + - Extending Leverage: + - How to extend Leverage: "reference/leverage-cli/extending-leverage/how-to-extend.md" + - The build.env file: "reference/leverage-cli/extending-leverage/build.env.md" + - Custom tasks: "reference/leverage-cli/extending-leverage/tasks.md" + - Private Repositories: "reference/leverage-cli/private-repositories.md" + - Getting shell access: "reference/leverage-cli/shell.md" + - A bit of history: "reference/leverage-cli/history.md" + - Infra-as-Code Library: + - Overview: "reference/infra-as-code-library/overview.md" + - Forks workflow: "reference/infra-as-code-library/infra-as-code-library-forks.md" + - Specifications: "reference/infra-as-code-library/infra-as-code-library-specs.md" + - Modules by Technology: "reference/infra-as-code-library/modules-library-by-technology.md" + - Work with us: + - Overview: "work-with-us/index.md" + - Support: + - Support: "work-with-us/support.md" + - Releases: + - Releases and Versions: "work-with-us/releases/releases-and-versions.md" + - Versions compatibility matrix: "work-with-us/releases/versions-compatibility-matrix.md" + - Leverage vs Competition: "work-with-us/leverage-vs-competition.md" + #- Subscription Plans: "work-with-us/subscription-plans.md" + - Contribute: "work-with-us/contribute.md" + - Roadmap: + - Reference Architecture: + - Overview: "work-with-us/roadmap/ref-arch/overview.md" + - Operational Excellence: "work-with-us/roadmap/ref-arch/operational-excellence.md" + - Reliability & Performance: "work-with-us/roadmap/ref-arch/reliability-performance.md" + - Security: "work-with-us/roadmap/ref-arch/security.md" + - Cost Optimization: "work-with-us/roadmap/ref-arch/cost-optimization.md" + 
- Demo Applications: "work-with-us/roadmap/ref-arch/demo-apps.md" + - Leverage CLI: "work-with-us/roadmap/leverage-cli/overview.md" + - Careers: "work-with-us/careers.md" + #- Team: "work-with-us/team.md" + #- Testimonials: "work-with-us/testimonials.md" + - FAQs: "work-with-us/faqs.md" + - Contact Us: https://www.binbash.com.ar/contact + # - Reference Architecture: # - Overview: "how-it-works/ref-architecture/index.md" # - Reference Architecture | AWS: "how-it-works/ref-architecture/ref-architecture-aws.md" # - Reference Architecture | EKS: "how-it-works/ref-architecture/ref-architecture-eks.md" # - Considerations: "how-it-works/ref-architecture/considerations.md" - # - Leverage CLI: - # - Overview: "how-it-works/leverage-cli/index.md" # - Features: # - Overview: "how-it-works/features/index.md" # - AWS Organization: 
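Review bot: several new nav labels in this hunk will ship verbatim in the site menu and need fixing before merge: "What can Leverange do for you?" (Leverage), "IAM Access Anayzer" (Analyzer), "PostgresSQL" (PostgreSQL, carried over from the old nav), and "Identities2" reads as a working-copy placeholder rather than a menu title. The top-level tab is labelled "User guide" but points at reference/index.md, which is also listed as "Index" under the "Reference" section, so the same page appears under two different names; likewise the top tab "First steps" still targets try-leverage/introduction.md while the section's own entry point moved to try-leverage/index.md, so please confirm both files exist. Finally, "Terraform state setup" and "Terraform state workflow" collapse into a single "Terraform State: .../tf-state.md" while tf-state-setup.md is deleted in this patch; please confirm its "IMPORTANT: THIS IS ONLY NEEDED IF THE BACKEND WAS NOT CREATED YET" warning and the AWS profile/credentials guidance landed in tf-state.md, since that warning is what keeps an operator from re-applying base-tf-backend over an existing remote-state backend.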
@@ -237,113 +362,3 @@ nav: # - High Availability: "how-it-works/features/reliability/high-availability.md" # - Health Checks: "how-it-works/features/reliability/health-checks.md" # - Disaster Recovery: "how-it-works/features/reliability/dr.md" - - - Reference: - - Overview: "user-guide/overview.md" - - Reference Architectures: - - AWS Reference Architecture: - - Overview: "user-guide/reference-architectures/ref-architecture-aws/overview.md" - - Project Structure: "user-guide/reference-architectures/ref-architecture-aws/dir-structure.md" - - Configs: "user-guide/reference-architectures/ref-architecture-aws/configs.md" - - Credentials: "user-guide/reference-architectures/ref-architecture-aws/credentials.md" - - Terraform state setup: "user-guide/reference-architectures/ref-architecture-aws/tf-state-setup.md" - - Terraform state workflow: "user-guide/reference-architectures/ref-architecture-aws/tf-state-workflow.md" - - Terraform Workflow: "user-guide/reference-architectures/ref-architecture-aws/tf-workflow.md" - - Ansible Reference Architecture: - - Configs: "user-guide/reference-architectures/ref-architecture-ansible/configs.md" - - Workflow: "user-guide/reference-architectures/ref-architecture-ansible/workflow.md" - - Leverage CLI: - - Overview: "user-guide/leverage-cli/overview.md" - - Installation: "user-guide/leverage-cli/installation.md" - - Basic features: "user-guide/leverage-cli/reference/basic-features.md" - - Commands Reference: - - project: "user-guide/leverage-cli/reference/project.md" - - credentials: "user-guide/leverage-cli/reference/credentials.md" - - aws: "user-guide/leverage-cli/reference/aws.md" - - terraform: - - commands: "user-guide/leverage-cli/reference/terraform.md" - - layers: "user-guide/leverage-cli/reference/terraform/layers.md" - - tfautomv: "user-guide/leverage-cli/reference/tfautomv.md" - - run: "user-guide/leverage-cli/reference/run.md" - - kubectl: "user-guide/leverage-cli/reference/kubectl.md" - - Extending Leverage: - - Overview: 
"user-guide/leverage-cli/extending-leverage/index.md" - - build.env : "user-guide/leverage-cli/extending-leverage/build.env.md" - - Custom tasks: "user-guide/leverage-cli/extending-leverage/tasks.md" - - Private Repositories: "user-guide/leverage-cli/reference/private-repos.md" - - Shell environment: "user-guide/leverage-cli/shell.md" - - Infra-as-Code Library: - - Overview: "how-it-works/infra-as-code-library/index.md" - - Forks workflow: "how-it-works/infra-as-code-library/infra-as-code-library-forks.md" - - Specifications: "how-it-works/infra-as-code-library/infra-as-code-library-specs.md" - - Modules per Tech: "how-it-works/infra-as-code-library/modules-library-per-tech.md" - - Features: - - Overview: "user-guide/features/features-overview.md" - - AWS Organization: - - Organization Init: "user-guide/features/organization/organization-init.md" - - Invite Legacy accounts: "user-guide/features/organization/organization-legacy-accounts.md" - - Identities: - - gpg: "user-guide/features/identities/gpg.md" - - Identities: "user-guide/features/identities/identities.md" - - Credentials: "user-guide/features/identities/credentials.md" - - Credentials Vault: "user-guide/features/identities/credentials-vault.md" - - SSO: - - Authentication: "user-guide/features/sso/sso.md" - - Onboarding Users: "user-guide/features/sso/managing-users.md" - - Costs: "user-guide/features/costs/costs.md" - - Security: - - VPN: "user-guide/features/security/vpn.md" - - Services: "user-guide/features/security/services.md" - - Network: - - VPC: "user-guide/features/network/vpc-addressing.md" - - VPC Peering: "user-guide/features/network/vpc-peering.md" - - DNS: "user-guide/features/network/dns.md" - - Secrets: "user-guide/features/secrets/secrets.md" - - Compute: - - Overview: "user-guide/features/compute/overview.md" - - K8s Kops: "user-guide/features/compute/k8s-kops.md" - - K8s EKS: "user-guide/features/compute/k8s-eks.md" - - Serverless: "user-guide/features/compute/serverless.md" - - 
Database: - - Databases: "user-guide/features/database/database.md" - - MySQL: "user-guide/features/database/mysql.md" - - PostgresSQL: "user-guide/features/database/postgres.md" - - Storage: "user-guide/features/storage/storage.md" - - CDN: "user-guide/features/cdn/cdn.md" - - CI/CD: "user-guide/features/ci-cd/ci-cd.md" - - Monitoring: - - Monitoring: "user-guide/features/monitoring/monitoring.md" - - Metrics: "user-guide/features/monitoring/metrics.md" - - Logs: "user-guide/features/monitoring/logs.md" - - Tracing: "user-guide/features/monitoring/tracing.md" - - APM: "user-guide/features/monitoring/apm.md" - - Reliability: - - Backups: "user-guide/features/reliability/backups.md" - - Disaster Recovery: "user-guide/features/reliability/dr.md" - - Health Checks: "user-guide/features/reliability/health-checks.md" - - - Work with us: - - Overview: "work-with-us/index.md" - - Support: - - Support: "work-with-us/support.md" - - Releases: - - Releases and Versions: "work-with-us/releases/releases-and-versions.md" - - Versions compatibility matrix: "work-with-us/releases/versions-compatibility-matrix.md" - - Leverage vs Competition: "work-with-us/leverage-vs-competition.md" - #- Subscription Plans: "work-with-us/subscription-plans.md" - - Contribute: "work-with-us/contribute.md" - - Roadmap: - - Reference Architecture: - - Overview: "work-with-us/roadmap/ref-arch/overview.md" - - Operational Excellence: "work-with-us/roadmap/ref-arch/operational-excellence.md" - - Reliability & Performance: "work-with-us/roadmap/ref-arch/reliability-performance.md" - - Security: "work-with-us/roadmap/ref-arch/security.md" - - Cost Optimization: "work-with-us/roadmap/ref-arch/cost-optimization.md" - - Demo Applications: "work-with-us/roadmap/ref-arch/demo-apps.md" - - Leverage CLI: "work-with-us/roadmap/leverage-cli/overview.md" - - Careers: "work-with-us/careers.md" - #- Team: "work-with-us/team.md" - #- Testimonials: "work-with-us/testimonials.md" - - FAQs: "work-with-us/faqs.md" - - 
Contact Us: https://www.binbash.com.ar/contact - From 4ee7649b29b952d7c0a75b6d3db16325feec637b Mon Sep 17 00:00:00 2001 
From: Diego OJ Date: Sun, 16 Apr 2023 23:39:39 -0300 Subject: [PATCH 03/19] Move around features between AWS and EKS, and several other refactors --- docs/concepts/next-steps.md | 2 +- docs/concepts/our-tech-stack.md | 16 +- docs/concepts/what-is-leverage.md | 6 +- docs/concepts/why-our-tech-stack.md | 16 +- docs/reference/features/security/overview.md | 18 -- docs/reference/features/security/services.md | 56 ---- docs/reference/index.md | 12 - .../ref-architecture-aws/credentials.md | 11 - .../ref-architecture-aws/workflow.md | 40 --- .../ref-architecture-eks/overview.md | 55 ---- docs/try-leverage/aws-account-setup.md | 6 +- docs/try-leverage/leverage-project-setup.md | 2 +- docs/try-leverage/post-deployment.md | 8 +- docs/user-guide/index.md | 15 ++ .../infra-as-code-library-forks.md | 0 .../infra-as-code-library-specs.md | 0 .../modules-library-by-technology.md | 0 .../infra-as-code-library/overview.md | 0 .../leverage-cli/basic-features.md | 0 .../extending-leverage/build.env.md | 0 .../extending-leverage/how-to-extend.md | 0 .../leverage-cli/extending-leverage/tasks.md | 0 .../leverage-cli/history.md | 0 .../leverage-cli/installation.md | 0 .../leverage-cli/overview.md | 0 .../leverage-cli/private-repositories.md | 0 .../leverage-cli/reference/aws.md | 0 .../leverage-cli/reference/credentials.md | 2 +- .../leverage-cli/reference/kubectl.md | 0 .../leverage-cli/reference/project.md | 0 .../leverage-cli/reference/run.md | 0 .../leverage-cli/reference/terraform.md | 0 .../reference/terraform/layers.md | 0 .../leverage-cli/reference/tfautomv.md | 0 .../leverage-cli/shell.md | 0 .../ref-architecture-ansible/configs.md | 0 .../ref-architecture-ansible/overview.md | 0 .../ref-architecture-ansible/workflow.md | 0 .../ref-architecture-aws/configuration.md} | 10 +- .../ref-architecture-aws/dir-structure.md | 0 .../ref-architecture-aws}/features/cdn/cdn.md | 6 +- .../features/ci-cd/ci-cd.md | 4 +- .../features/ci-cd/k8s-argocd.md | 2 +- .../features/compute/k8s-kops.md 
| 6 +- .../features/compute/k8s-service-mesh.md | 4 +- .../features/compute/overview.md | 2 +- .../features/compute/serverless.md | 4 +- .../features/compute/tools.md | 0 .../features/costs/costs.md | 8 +- .../features/database/database.md | 0 .../features/database/mysql.md | 0 .../features/database/postgres.md | 0 .../features/identities/credentials-vault.md | 2 +- .../features/identities/credentials.md | 0 .../features/identities/gpg.md | 11 +- .../features/identities/identities.md | 15 +- .../features/identities/overview.md} | 10 +- .../features/identities/roles.md | 8 +- .../ref-architecture-aws/features/index.md} | 11 +- .../features/monitoring/apm.md | 0 .../features/monitoring/logs.md | 2 +- .../features/monitoring/metrics.md | 8 +- .../features/monitoring/monitoring.md | 0 .../monitoring/notification_escalation.md | 0 .../features/monitoring/tracing.md | 2 +- .../features/network/dns.md | 4 +- .../features/network/tgw-topology.md | 2 +- .../features/network/vpc-addressing.md | 0 .../features/network/vpc-peering.md | 4 +- .../features/network/vpc-topology.md | 4 +- .../features/network/vpc-traffic-out.md | 2 +- .../features/organization/accounts.md | 7 +- .../features/organization/billing.md | 7 +- .../features/organization/configuration.md} | 14 +- .../features/organization/legacy-accounts.md} | 9 +- .../features/organization/overview.md} | 7 +- .../features/reliability/backups.md | 8 +- .../features/reliability/dr.md | 4 +- .../features/reliability/high-availability.md | 6 +- .../features/secrets/secrets.md | 4 +- .../features/security/audit-cloudtrail.md | 8 +- .../features/security/certificates.md | 4 +- .../features/security/firewall-manager.md | 14 + .../features/security/iam-access-analyzer.md | 6 +- .../features/security/overview.md | 32 +++ .../features/security/vpn.md | 2 +- .../features/sso/configuration.md | 2 +- .../features/sso/managing-users.md | 0 .../features/sso/overview.md | 2 +- .../features/storage/storage.md | 6 +- 
.../ref-architecture-aws/overview.md | 32 ++- .../ref-architecture-aws/tf-state.md | 2 +- .../ref-architecture-aws/workflow.md | 50 ++++ .../ref-architecture-eks/components.md | 15 ++ .../ref-architecture-eks}/overview.md | 39 ++- .../ref-architecture-eks/vpc.md} | 2 +- .../ref-architecture-vault/configs.md | 4 +- .../ref-architecture-vault/dir-structure.md | 0 .../tf-state-workflow.md | 0 .../ref-architecture-vault/workflow.md | 4 +- .../troubleshooting/credentials.md | 0 mkdocs.yml | 242 +++++++----------- 102 files changed, 406 insertions(+), 522 deletions(-) delete mode 100644 docs/reference/features/security/overview.md delete mode 100644 docs/reference/features/security/services.md delete mode 100644 docs/reference/index.md delete mode 100644 docs/reference/reference-architectures/ref-architecture-aws/credentials.md delete mode 100644 docs/reference/reference-architectures/ref-architecture-aws/workflow.md delete mode 100644 docs/reference/reference-architectures/ref-architecture-eks/overview.md create mode 100644 docs/user-guide/index.md rename docs/{reference => user-guide}/infra-as-code-library/infra-as-code-library-forks.md (100%) rename docs/{reference => user-guide}/infra-as-code-library/infra-as-code-library-specs.md (100%) rename docs/{reference => user-guide}/infra-as-code-library/modules-library-by-technology.md (100%) rename docs/{reference => user-guide}/infra-as-code-library/overview.md (100%) rename docs/{reference => user-guide}/leverage-cli/basic-features.md (100%) rename docs/{reference => user-guide}/leverage-cli/extending-leverage/build.env.md (100%) rename docs/{reference => user-guide}/leverage-cli/extending-leverage/how-to-extend.md (100%) rename docs/{reference => user-guide}/leverage-cli/extending-leverage/tasks.md (100%) rename docs/{reference => user-guide}/leverage-cli/history.md (100%) rename docs/{reference => user-guide}/leverage-cli/installation.md (100%) rename docs/{reference => user-guide}/leverage-cli/overview.md (100%) 
rename docs/{reference => user-guide}/leverage-cli/private-repositories.md (100%) rename docs/{reference => user-guide}/leverage-cli/reference/aws.md (100%) rename docs/{reference => user-guide}/leverage-cli/reference/credentials.md (93%) rename docs/{reference => user-guide}/leverage-cli/reference/kubectl.md (100%) rename docs/{reference => user-guide}/leverage-cli/reference/project.md (100%) rename docs/{reference => user-guide}/leverage-cli/reference/run.md (100%) rename docs/{reference => user-guide}/leverage-cli/reference/terraform.md (100%) rename docs/{reference => user-guide}/leverage-cli/reference/terraform/layers.md (100%) rename docs/{reference => user-guide}/leverage-cli/reference/tfautomv.md (100%) rename docs/{reference => user-guide}/leverage-cli/shell.md (100%) rename docs/{reference/reference-architectures => user-guide}/ref-architecture-ansible/configs.md (100%) rename docs/{reference/reference-architectures => user-guide}/ref-architecture-ansible/overview.md (100%) rename docs/{reference/reference-architectures => user-guide}/ref-architecture-ansible/workflow.md (100%) rename docs/{reference/reference-architectures/ref-architecture-aws/configs.md => user-guide/ref-architecture-aws/configuration.md} (89%) rename docs/{reference/reference-architectures => user-guide}/ref-architecture-aws/dir-structure.md (100%) rename docs/{reference => user-guide/ref-architecture-aws}/features/cdn/cdn.md (82%) rename docs/{reference => user-guide/ref-architecture-aws}/features/ci-cd/ci-cd.md (77%) rename docs/{reference => user-guide/ref-architecture-aws}/features/ci-cd/k8s-argocd.md (84%) rename docs/{reference => user-guide/ref-architecture-aws}/features/compute/k8s-kops.md (96%) rename docs/{reference => user-guide/ref-architecture-aws}/features/compute/k8s-service-mesh.md (86%) rename docs/{reference => user-guide/ref-architecture-aws}/features/compute/overview.md (94%) rename docs/{reference => user-guide/ref-architecture-aws}/features/compute/serverless.md 
(89%) rename docs/{reference => user-guide/ref-architecture-aws}/features/compute/tools.md (100%) rename docs/{reference => user-guide/ref-architecture-aws}/features/costs/costs.md (82%) rename docs/{reference => user-guide/ref-architecture-aws}/features/database/database.md (100%) rename docs/{reference => user-guide/ref-architecture-aws}/features/database/mysql.md (100%) rename docs/{reference => user-guide/ref-architecture-aws}/features/database/postgres.md (100%) rename docs/{reference => user-guide/ref-architecture-aws}/features/identities/credentials-vault.md (97%) rename docs/{reference => user-guide/ref-architecture-aws}/features/identities/credentials.md (100%) rename docs/{reference => user-guide/ref-architecture-aws}/features/identities/gpg.md (98%) rename docs/{reference => user-guide/ref-architecture-aws}/features/identities/identities.md (93%) rename docs/{reference/features/identities/identities2.md => user-guide/ref-architecture-aws/features/identities/overview.md} (90%) rename docs/{reference => user-guide/ref-architecture-aws}/features/identities/roles.md (93%) rename docs/{reference/features/overview.md => user-guide/ref-architecture-aws/features/index.md} (82%) rename docs/{reference => user-guide/ref-architecture-aws}/features/monitoring/apm.md (100%) rename docs/{reference => user-guide/ref-architecture-aws}/features/monitoring/logs.md (94%) rename docs/{reference => user-guide/ref-architecture-aws}/features/monitoring/metrics.md (88%) rename docs/{reference => user-guide/ref-architecture-aws}/features/monitoring/monitoring.md (100%) rename docs/{reference => user-guide/ref-architecture-aws}/features/monitoring/notification_escalation.md (100%) rename docs/{reference => user-guide/ref-architecture-aws}/features/monitoring/tracing.md (88%) rename docs/{reference => user-guide/ref-architecture-aws}/features/network/dns.md (88%) rename docs/{reference => user-guide/ref-architecture-aws}/features/network/tgw-topology.md (79%) rename 
docs/{reference => user-guide/ref-architecture-aws}/features/network/vpc-addressing.md (100%) rename docs/{reference => user-guide/ref-architecture-aws}/features/network/vpc-peering.md (79%) rename docs/{reference => user-guide/ref-architecture-aws}/features/network/vpc-topology.md (93%) rename docs/{reference => user-guide/ref-architecture-aws}/features/network/vpc-traffic-out.md (94%) rename docs/{reference => user-guide/ref-architecture-aws}/features/organization/accounts.md (94%) rename docs/{reference => user-guide/ref-architecture-aws}/features/organization/billing.md (92%) rename docs/{reference/features/organization/organization-init.md => user-guide/ref-architecture-aws/features/organization/configuration.md} (91%) rename docs/{reference/features/organization/organization-legacy-accounts.md => user-guide/ref-architecture-aws/features/organization/legacy-accounts.md} (84%) rename docs/{reference/features/organization/organization.md => user-guide/ref-architecture-aws/features/organization/overview.md} (96%) rename docs/{reference => user-guide/ref-architecture-aws}/features/reliability/backups.md (82%) rename docs/{reference => user-guide/ref-architecture-aws}/features/reliability/dr.md (94%) rename docs/{reference => user-guide/ref-architecture-aws}/features/reliability/high-availability.md (88%) rename docs/{reference => user-guide/ref-architecture-aws}/features/secrets/secrets.md (91%) rename docs/{reference => user-guide/ref-architecture-aws}/features/security/audit-cloudtrail.md (90%) rename docs/{reference => user-guide/ref-architecture-aws}/features/security/certificates.md (92%) create mode 100644 docs/user-guide/ref-architecture-aws/features/security/firewall-manager.md rename docs/{reference => user-guide/ref-architecture-aws}/features/security/iam-access-analyzer.md (88%) create mode 100644 docs/user-guide/ref-architecture-aws/features/security/overview.md rename docs/{reference => user-guide/ref-architecture-aws}/features/security/vpn.md (93%) 
rename docs/{reference => user-guide/ref-architecture-aws}/features/sso/configuration.md (95%) rename docs/{reference => user-guide/ref-architecture-aws}/features/sso/managing-users.md (100%) rename docs/{reference => user-guide/ref-architecture-aws}/features/sso/overview.md (95%) rename docs/{reference => user-guide/ref-architecture-aws}/features/storage/storage.md (94%) rename docs/{reference/reference-architectures => user-guide}/ref-architecture-aws/overview.md (64%) rename docs/{reference/reference-architectures => user-guide}/ref-architecture-aws/tf-state.md (98%) create mode 100644 docs/user-guide/ref-architecture-aws/workflow.md create mode 100644 docs/user-guide/ref-architecture-eks/components.md rename docs/{reference/features/compute/k8s-eks => user-guide/ref-architecture-eks}/overview.md (52%) rename docs/{reference/features/compute/k8s-eks/vpc-addressing.md => user-guide/ref-architecture-eks/vpc.md} (98%) rename docs/{reference/reference-architectures => user-guide}/ref-architecture-vault/configs.md (89%) rename docs/{reference/reference-architectures => user-guide}/ref-architecture-vault/dir-structure.md (100%) rename docs/{reference/reference-architectures => user-guide}/ref-architecture-vault/tf-state-workflow.md (100%) rename docs/{reference/reference-architectures => user-guide}/ref-architecture-vault/workflow.md (91%) rename docs/{reference => user-guide}/troubleshooting/credentials.md (100%) diff --git a/docs/concepts/next-steps.md b/docs/concepts/next-steps.md index 0df60c21c..4cc3568b6 100644 --- a/docs/concepts/next-steps.md +++ b/docs/concepts/next-steps.md 
@@ -3,6 +3,6 @@ Now that you know the basic concepts about Leverage feel free to give it a try o :books: See [**Try Leverage**](../../try-leverage/) to take the tutorial that will help you deploy a basic AWS Landing Zone via Leverage. -:books: See [**Reference**](../../reference/) to take the comprehensive route to learn more about Leverage. +:books: See [**User Guide**](../../user-guide/) to take the comprehensive route to learn more about Leverage. :books: See [**Work with us**](../../work-with-us/) if you want to join us or know more about the team behind Leverage. diff --git a/docs/concepts/our-tech-stack.md b/docs/concepts/our-tech-stack.md index 3719b65fc..37894ec11 100644 --- a/docs/concepts/our-tech-stack.md +++ b/docs/concepts/our-tech-stack.md @@ -82,7 +82,7 @@ We are also adopters and supporters of Kubernetes and the Cloud Native movement, :books: **Read More** - - [How it works: AWS Organizations](../../features/organization/organization/) + - [How it works: AWS Organizations](../../user-guide/organization/organization/) - [AWS Organizations](https://aws.amazon.com/organizations/) ??? info "Why AIM and roles❓" @@ -97,7 +97,7 @@ We are also adopters and supporters of Kubernetes and the Cloud Native movement, :books: **Read More** - - [How it works: AWS IAM](../../features/identities/identities/) + - [How it works: AWS IAM](../../user-guide/identities/identities/) - [AWS Identity and Access Management (IAM)](https://aws.amazon.com/iam/) ??? info "Security | Why Web Application Firewall (WAF), Cloud Trail, Config, Guarduty❓" @@ -112,7 +112,7 @@ We are also adopters and supporters of Kubernetes and the Cloud Native movement, :books: **Read More** - - [How it works: AWS Security](../../features/security/services/) + - [How it works: AWS Security](../../user-guide/security/services/) - [AWS Cloud Security](https://aws.amazon.com/security/) ??? info "Why VPC❓" 
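Review bot: the rewritten "How it works" links in docs/concepts/our-tech-stack.md point at paths that do not exist after this patch's own renames. The rename list moves the feature pages under `docs/user-guide/ref-architecture-aws/features/` and renames some of them, so `../../user-guide/organization/organization/` should be `../../user-guide/ref-architecture-aws/features/organization/overview/` (organization.md became overview.md), `../../user-guide/identities/identities/` should be `../../user-guide/ref-architecture-aws/features/identities/identities/`, and `../../user-guide/security/services/` has no target at all, because `docs/reference/features/security/services.md` is deleted further down in this patch and only `security/overview.md` and `security/firewall-manager.md` are created in its place. The same correction applies to the network, compute, storage, database and secrets links in the following hunks of this file; note that `compute/k8s-eks/` now resolves to `../../user-guide/ref-architecture-eks/overview/` rather than anything under `features/`. While touching these blocks, the unchanged admonition titles `Why AIM and roles❓` and `Guarduty` are typos for IAM and GuardDuty.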
@@ -125,7 +125,7 @@ We are also adopters and supporters of Kubernetes and the Cloud Native movement, :books: **Read More** - - [How it works: AWS Networking](../../features/network/vpc-topology) + - [How it works: AWS Networking](../../user-guide/network/vpc-topology) - [AWS Virtual Private Cloud](https://aws.amazon.com/vpc) ??? info "Why Kubernetes (K8s) & AWS EKS❓" @@ -148,7 +148,7 @@ We are also adopters and supporters of Kubernetes and the Cloud Native movement, :books: **Read More** - - [How it works: AWS EKS](../../features/compute/k8s-eks/) + - [How it works: AWS EKS](../../user-guide/compute/k8s-eks/) - [AWS EKS](https://aws.amazon.com/eks) - [Kubernetes](https://kubernetes.io/) @@ -166,7 +166,7 @@ We are also adopters and supporters of Kubernetes and the Cloud Native movement, :books: **Read More** - - [How it works: AWS Storage](../../features/storage/storage) + - [How it works: AWS Storage](../../user-guide/storage/storage) - [AWS S3](https://aws.amazon.com/s3) ??? info "Why RDS❓" @@ -185,7 +185,7 @@ We are also adopters and supporters of Kubernetes and the Cloud Native movement, :books: **Read More** - - [How it works: AWS Databases](../../features/database/database/) + - [How it works: AWS Databases](../../user-guide/database/database/) - [AWS RDS](https://aws.amazon.com/rds) ??? info "Why Hashicorp Vault❓" @@ -211,5 +211,5 @@ We are also adopters and supporters of Kubernetes and the Cloud Native movement, :books: **Read More** - - [How it works: Secrets](../../features/secrets/secrets/) + - [How it works: Secrets](../../user-guide/secrets/secrets/) - [Hashicorp Vault Project](https://www.vaultproject.io/) diff --git a/docs/concepts/what-is-leverage.md b/docs/concepts/what-is-leverage.md index 4b3feab0c..3a05bdc02 100644 --- a/docs/concepts/what-is-leverage.md +++ b/docs/concepts/what-is-leverage.md 
@@ -7,12 +7,12 @@ than a consulting company -- :white_check_mark: *typically in just a few weeks!* ## Core Components Our focus is on creating reusable, high quality ![leverage-aws](../assets/images/icons/aws-emojipack/General_AWScloud.png "AWS"){: style="width:30px"} Cloud Infrastructure code, through our core components: -- [x] [**Reference Architecture**](../how-it-works/infra-as-code-library/index.md): Designed under optimal configs for the most popular modern web and mobile applications needs. Its design is fully based on the +- [x] [**Reference Architecture**](../../user-guide/ref-architecture-aws/overview/): Designed under optimal configs for the most popular modern web and mobile applications needs. Its design is fully based on the [**AWS Well Architected Framework**](https://leverage.binbash.com.ar/support/#aws-well-architected-review). -- [x] [**Infrastructure as Code (IaC) Library**](../how-it-works/ref-architecture/index.md): A collection of reusable, tested, production-ready E2E AWS Cloud infrastructure as code solutions, leveraged by modules written in: *Terraform, Ansible, Helm charts, Dockerfiles and Makefiles*. +- [x] [**Infrastructure as Code (IaC) Library**](../../user-guide/infra-as-code-library/overview/): A collection of reusable, tested, production-ready E2E AWS Cloud infrastructure as code solutions, leveraged by modules written in: *Terraform, Ansible, Helm charts, Dockerfiles and Makefiles*. -- [x] [**Leverage CLI**](https://github.com/binbashar/leverage): projects' command line tool. Provides the means to interact and deploy Leverage Reference Architecture on AWS and if needed it allows you to define custom tasks to run. +- [x] [**Leverage CLI**](../../user-guide/leverage-cli/overview/): projects' command line tool. Provides the means to interact and deploy Leverage Reference Architecture on AWS and if needed it allows you to define custom tasks to run. 
## Video Presentation Check out this **intro video** :octicons-video-16: that explains what Leverage is in less than 5 minutes: diff --git a/docs/concepts/why-our-tech-stack.md b/docs/concepts/why-our-tech-stack.md index 74c5cdafe..8c38706e9 100644 --- a/docs/concepts/why-our-tech-stack.md +++ b/docs/concepts/why-our-tech-stack.md @@ -77,7 +77,7 @@ :books: **Read More** - - [How it works: AWS Organizations](../../features/organization/organization/) + - [How it works: AWS Organizations](../../user-guide/organization/organization/) - [AWS Organizations](https://aws.amazon.com/organizations/) ??? info "Why AIM and roles❓" @@ -92,7 +92,7 @@ :books: **Read More** - - [How it works: AWS IAM](../../features/identities/identities/) + - [How it works: AWS IAM](../../user-guide/identities/identities/) - [AWS Identity and Access Management (IAM)](https://aws.amazon.com/iam/) ??? info "Security | Why Web Application Firewall (WAF), Cloud Trail, Config, Guarduty❓" @@ -107,7 +107,7 @@ :books: **Read More** - - [How it works: AWS Security](../../features/security/services/) + - [How it works: AWS Security](../../user-guide/security/services/) - [AWS Cloud Security](https://aws.amazon.com/security/) ??? info "Why VPC❓" @@ -120,7 +120,7 @@ :books: **Read More** - - [How it works: AWS Networking](../../features/network/vpc-topology) + - [How it works: AWS Networking](../../user-guide/network/vpc-topology) - [AWS Virtual Private Cloud](https://aws.amazon.com/vpc) ??? info "Why Kubernetes (K8s) & AWS EKS❓" @@ -143,7 +143,7 @@ :books: **Read More** - - [How it works: AWS EKS](../../features/compute/k8s-eks/) + - [How it works: AWS EKS](../../user-guide/compute/k8s-eks/) - [AWS EKS](https://aws.amazon.com/eks) - [Kubernetes](https://kubernetes.io/) @@ -161,7 +161,7 @@ :books: **Read More** - - [How it works: AWS Storage](../../features/storage/storage) + - [How it works: AWS Storage](../../user-guide/storage/storage) - [AWS S3](https://aws.amazon.com/s3) ??? info "Why RDS❓" 
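Review bot: in docs/concepts/what-is-leverage.md the three Core Components links switch from mkdocs-resolved `.md` paths to browser-resolved `../../user-guide/.../overview/` URLs. The targets do exist (`user-guide/ref-architecture-aws/overview.md`, `user-guide/infra-as-code-library/overview.md` and `user-guide/leverage-cli/overview.md` all appear in the rename list), and the change also fixes the old text, which pointed Reference Architecture at the IaC library page and the IaC library at the reference architecture page. The cost is that mkdocs only validates links it can map back to a source file, so a broken one here will not fail the build; `../user-guide/ref-architecture-aws/overview.md` style, matching the `../assets/images/...` image link in the same hunk, keeps build-time checking.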
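Review bot: the `../../user-guide/<feature>/<page>/` links in docs/concepts/why-our-tech-stack.md have the same defect as the ones in our-tech-stack.md: the feature pages now live under `user-guide/ref-architecture-aws/features/`, `organization.md` was renamed to `overview.md`, `k8s-eks/` moved to `user-guide/ref-architecture-eks/overview/`, and `security/services.md` is deleted in this patch, so `../../user-guide/security/services/` will 404 along with the rest. The eight "Read More" blocks touched here are the same text as in docs/concepts/our-tech-stack.md, down to the `AIM` and `Guarduty` typos in the admonition titles, which suggests one of the two pages should be dropped or built from a shared include rather than having every link fixed twice.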
@@ -180,7 +180,7 @@ :books: **Read More** - - [How it works: AWS Databases](../../features/database/database/) + - [How it works: AWS Databases](../../user-guide/database/database/) - [AWS RDS](https://aws.amazon.com/rds) ??? info "Why Hashicorp Vault❓" @@ -206,5 +206,5 @@ :books: **Read More** - - [How it works: Secrets](../../features/secrets/secrets/) + - [How it works: Secrets](../../user-guide/secrets/secrets/) - [Hashicorp Vault Project](https://www.vaultproject.io/) diff --git a/docs/reference/features/security/overview.md b/docs/reference/features/security/overview.md deleted file mode 100644 index 6968c3e80..000000000 --- a/docs/reference/features/security/overview.md +++ /dev/null @@ -1,18 +0,0 @@ -![binbash-logo](../../../assets/images/logos/binbash-leverage-header.png "binbash"){: style="width:800px"} - -# AWS Reference Architecture security features - -??? check "VPN" - - [x] [VPN](./vpn.md) - -??? check "Services" - - [x] [Services](./services.md) - -??? check "Certificates" - - [x] [Certificates](./certificates.md) - -??? check "Audit" - - [x] [CloudTrail](./audit-cloudtrail.md) - -??? check "Monitoring" - - [x] [IAM Access Analyzer](./iam-access-analyzer.md) \ No newline at end of file diff --git a/docs/reference/features/security/services.md b/docs/reference/features/security/services.md deleted file mode 100644 index 63b77a9b0..000000000 --- a/docs/reference/features/security/services.md +++ /dev/null 
@@ -1,56 +0,0 @@ -# AWS Security & Compliance Services - -!!! danger "Security Directives" - There will not be any instance port or service port open to general access, unless justified by business reasons, - and we’ll take alternative means of security to mitigate any possible risk. - - Every account will have a set of active services that will allow for administrative users (SecOps) to audit all - actions and track potentially dangerous behavior. All services will be enabled via IaC (Terraform or SDK and tracked - in the proper git repo). - -!!! important "AWS Managed Security Services" - - [x] ![aws-service](../../../assets/images/icons/aws-emojipack/SecurityIdentityCompliance_IAM.png){: style="width:30px"} - **AWS IAM Access Analyzer:** Generates comprehensive findings that identify resources policies for public or - cross-account accessibility, monitors and helps you refine permissions. Provides the highest levels of security assurance. - - [x] ![aws-service](../../../assets/images/icons/aws-emojipack/SecurityIdentityCompliance_Config.png){: style="width:30px"} - **AWS Config:** Tracks changes made to AWS resources over time, making possible to return to a previous state. - Monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded - configurations against desired compliance rule set. Adds accountability factor. - - [x] ![aws-service](../../../assets/images/icons/aws-emojipack/SecurityIdentityCompliance_CloudTrail.png){: style="width:30px"} - **AWS Cloudtrail:** Stores logs over all calls made to AWS APIs, coming from web console, command line or any - other. Allowing us to monitor it via CW Dashboards and notifications. - - [x] ![aws-service](../../../assets/images/icons/aws-emojipack/NetworkingContentDelivery_AmazonVPC_flowlogs.png){: style="width:30px"} - **AWS VPC Flow Logs:** Enables us to examine individual Network Interfaces logs, to address network issues and - also monitor suspicious behavior. 
- - [x] ![aws-service](../../../assets/images/icons/aws-emojipack/SecurityIdentityCompliance_AWSWAF.png){: style="width:30px"} - **AWS Web Application Firewall:** Optional but if not used, it is recommended that a similar service is used, - such as Cloudflare. When paired to an Application Load Balancer or Cloudfront distribution, it checks incoming - requests to detect and block OWASP Top10 attacks, such as SQL injection, XSS and others. - - [x] ![aws-service](../../../assets/images/icons/aws-emojipack/SecurityIdentityCompliance_AmazonInspector.png){: style="width:30px"} - **AWS Inspector:** Is an automated security assessment service that helps improve the security and compliance - of infrastructure and applications deployed on AWS. - - [x] ![aws-service](../../../assets/images/icons/aws-emojipack/SecurityIdentityCompliance_AmazonGuardDuty.png){: style="width:30px"} - **AWS Guard Duty:** Is a managed [threat](https://youtu.be/czsuZXQvD8E?t=947) detection service that - continuously monitors for malicious or unauthorized behavior to help you protect your AWS accounts and - workloads. Detects unusual API calls or potentially unauthorized deployments (possible account compromise) - and potentially compromised instances or reconnaissance by attackers. - - [x] ![aws-service](../../../assets/images/icons/aws-emojipack/ManagementTools_AmazonCloudWatch.png){: style="width:30px"} - **AWS Security Logs** Other access logs from client-facing resources will be stored in the Security account. - - [x] ![aws-service](../../../assets/images/icons/aws-emojipack/AWS_Firewall_Manager.png){: style="width:30px"} - **AWS Firewall Manager** Is a security management service which allows you to centrally configure and manage firewall rules across your accounts and applications in AWS Organizations. 
This service lets you build firewall rules, create security policies, and enforce them in a consistent, hierarchical manner across your entire infrastructure, from a central administrator account. - -# Security Layer - -## AWS Firewall Manager - -!!! summary "Scenarios" - - [x] **Network Firewall rules**: Security administrators will be able to deploy firewall rules for AWS Network Firewall to control traffic leaving and entering your network across accounts and Amazon VPCs, from the Security account. - - [x] **WAF & WAF v2**: Your security administrators will able to deploy WAF and WAF v2 rules, and Managed rules for WAF to be used on Application Load Balancers, API Gateways and Amazon CloudFront distributions. - - [x] **Route 53 Resolver DNS Firewall rules**: Deploy Route 53 Resolver DNS Firewall rules from the Security account to enforce firewall rules across your organization. - - [x] **Audit Security Groups**: You can create policies to set guardrails that define what security groups are allowed/disallowed across your VPCs. AWS Firewall Manager continuously monitors security groups to detect overly permissive rules, and helps improve firewall posture. You can get notifications of accounts and resources that are non-compliant or allow AWS Firewall Manager to take action directly through auto-remediation. - - [x] **Security Groups**: Use AWS Firewall Manager to create a common primary security group across your EC2 instances in your VPCs. - -![Firewall Manager Service](../../../assets/images/diagrams/aws-fms.png) - -### Read More -- [x] [AWS Firewall Manager](https://aws.amazon.com/firewall-manager/) \ No newline at end of file diff --git a/docs/reference/index.md b/docs/reference/index.md deleted file mode 100644 index 941e2135e..000000000 --- a/docs/reference/index.md +++ /dev/null 
@@ -1,12 +0,0 @@ -![binbash-logo](../assets/images/logos/binbash-leverage-header.png "binbash"){: style="width:800px"} - -# Reference - -## Overview -The pages in this section explore, with great detail, the architecture of the components that make up Leverage. - -- [x] [Reference Architectures](./reference-architectures/) -- [x] [Infrastructure-as-Code Library](./infra-as-code-library/) -- [x] [Leverage CLI](./leverage-cli/) - -But don't feel constrained to the links above, feel free to use the left menu to explore more on your own. diff --git a/docs/reference/reference-architectures/ref-architecture-aws/credentials.md b/docs/reference/reference-architectures/ref-architecture-aws/credentials.md deleted file mode 100644 index a2fdf8df4..000000000 --- a/docs/reference/reference-architectures/ref-architecture-aws/credentials.md +++ /dev/null @@ -1,11 +0,0 @@ -# Project Credentials - -## AWS Profile -- File `backend.tfvars` will inject the profile name that TF will use to make changes on AWS. -- Such profile is usually one that relies on another profile to assume a role to get access to each corresponding account. -- Please follow to correctly setup your AWS Credentials - - [user-guide/features/identities](../features/identities/identities.md) - - [user-guide/features/identities/credentials](../features/identities/credentials.md) -- Read the following page leverage doc to understand [how to set up a profile to assume -a role](https://docs.aws.amazon.com/cli/latest/userguide/cli-roles.html) - diff --git a/docs/reference/reference-architectures/ref-architecture-aws/workflow.md b/docs/reference/reference-architectures/ref-architecture-aws/workflow.md deleted file mode 100644 index b1a9fa930..000000000 --- a/docs/reference/reference-architectures/ref-architecture-aws/workflow.md +++ /dev/null 
@@ -1,40 +0,0 @@ -# Workflow - -## Intro -TODO What is the Terraform Workflow? - -## Steps -!!! check "Terraform Workflow" - 1. Make sure you've read and prepared your local development environment following the - [Overview base-configurations](../index.md) section. - 2. Depending in which Terraform Ref Architecture repo you are working, please review and assure you meet - all the [terraform aws pre-requisites](./configs.md) or - [terraform aws pre-requisites](./dir-structure.md) - - [x] [Remote State](tf-state-workflow.md) - - [x] Configuration files - - [x] [AWS Profile and credentials](../features/identities/credentials.md) - - [x] [Vault token secret](../features/identities/credentials-vault.md) - 3. Get into the folder that you need to work with (e.g. `2_identities`) - 4. Run `leverage terraform init` - 5. Make whatever changes you need to make - 6. Run `leverage terraform plan` if you only mean to preview those changes - 7. Run `leverage terraform apply` if you want to review and likely apply those changes - -!!! info - Please note you can make use of the `--layers` parameter to apply Terraform commands to more than one layer. - - For more information see [here](../leverage-cli/reference/terraform/layers.md) - -!!! note - If desired, at step **#5** you could submit a PR, allowing you and the rest of the team to - understand and review what changes would be made to your AWS Cloud Architecture components before executing - `leverage terraform apply` (`terraform apply`). This brings the huge benefit of treating changes with a **GitOps** oriented - approach, basically as we should treat any other code & infrastructure change, and integrate it with the - rest of our tools and practices like CI/CD, in - -## Running in Automation -![leverage-aws-terraform](../../../assets/images/diagrams/aws-terraform-automation.png "Terraform"){: style="width:350"} -
Figure: Running terraform with AWS in automation (just as reference).
- -!!! info "Read More" - * :ledger: [Running Terraform in automation](https://learn.hashicorp.com/terraform/development/running-terraform-in-automation) diff --git a/docs/reference/reference-architectures/ref-architecture-eks/overview.md b/docs/reference/reference-architectures/ref-architecture-eks/overview.md deleted file mode 100644 index 5d67b91cb..000000000 --- a/docs/reference/reference-architectures/ref-architecture-eks/overview.md +++ /dev/null 
@@ -1,55 +0,0 @@ -# AWS EKS Reference Architecture - -## Amazon EKS Resources - -### Control Plane (aka. Master Nodes) -This is the primary resource which defines the cluster. We will create one cluster on each -account: - -- [x] [apps-devstg/us-east-1/k8s-eks](https://github.com/binbashar/le-tf-infra-aws/tree/master/apps-devstg/us-east-1/k8s-eks) -- [x] [apps-prd/us-east-1/k8s-eks](https://github.com/binbashar/le-tf-infra-aws/tree/master/apps-prd/us-east-1/k8s-eks) - -!!! info "Important" - In case of multiple environments hosted in the same cluster as for the one with - Apps Dev and Stage, the workload isolation will be achieved through Kubernetes - features such as namespaces, network policies, RBAC, and others. - -### Data Plane (Worker Nodes) -We have 3 options here: - -- Managed Nodes -- Fargate -- Fargate Spot - -!!! info "Considerations" - Each option has its pros and cons with regard to cost, operation complexity, extensibility, - customization capabilities, features, and management. - - In general we implement Managed Nodes. The main reasons being: - - 1. They allow a high degree of control in terms of the components we can deploy and the features those components can provide to us. For instance we can run ingress controllers and service mesh, among other very customizable resources. - 2. AWS takes care of provisioning and lifecycle management of nodes which is one less task to worry about. - 3. Upgrading Kubernetes versions becomes much simpler and quicker to perform. - 4. We still can, at any time, start using Fargate and Fargate Spot by simply creating a profile for one or both of them, then we only need to move the workloads that we want to run on Fargate profiles of our choice. - -## Amazon EKS Architecture Diagram - -### Higl-Level components diagram -![leverage-aws-eks](../../../assets/images/diagrams/ref-architecture-eks.png "Leverage"){: style="width:750px"} -
-Figure: K8S EKS reference architecture components diagram. -(Source: binbash Leverage Confluence Doc, - -"Implementation Diagrams", -binbash Leverage Doc, accessed January 5th 2022). -
- -### Detailed components diagram -![leverage-aws-eks-detailed](../../../assets/images/diagrams/ref-architecture-eks-components.png "Leverage"){: style="width:750px"} -
-Figure: K8S EKS reference architecture detailed components diagram. -(Source: binbash Leverage Confluence Doc, - -"Implementation Diagrams", -binbash Leverage Doc, accessed January 5th 2022). -
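Review bot: deleting docs/reference/reference-architectures/ref-architecture-eks/overview.md reads as de-duplication, since `reference/features/compute/k8s-eks/overview.md` is renamed to `user-guide/ref-architecture-eks/overview.md` at 52% similarity, but the deleted page carries content that should be confirmed to have survived the merge: the per-account cluster links (`apps-devstg/us-east-1/k8s-eks`, `apps-prd/us-east-1/k8s-eks`), the note that Dev and Stage share one cluster and rely on namespaces, network policies and RBAC for workload isolation, the reasoning for choosing Managed Nodes over Fargate, and both architecture diagrams with their source attribution. If that text was carried over, fix the `Higl-Level` heading typo on the way.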
diff --git a/docs/try-leverage/aws-account-setup.md b/docs/try-leverage/aws-account-setup.md index eed914127..9391a0f93 100644 --- a/docs/try-leverage/aws-account-setup.md +++ b/docs/try-leverage/aws-account-setup.md 
@@ -1,19 +1,19 @@ # Creating your AWS Management account ## Create an AWS account -First and foremost you'll need to [create an AWS account](../user-guide/features/organization/organization-init.md) for your project. This will be the management account of your [AWS Organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html) and the email address you use for signing up will be the [root user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html) of this account -- you can see this user represented in the [architecture diagram](../introduction/#introduction). +First and foremost you'll need to [create an AWS account](../user-guide/user-guide/organization/organization-init.md) for your project. This will be the management account of your [AWS Organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html) and the email address you use for signing up will be the [root user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html) of this account -- you can see this user represented in the [architecture diagram](../introduction/#introduction). Since the root user is the main access point to your account it is strongly recommended that you keep its credentials (email, password) safe by following [AWS best practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html). !!! tip To protect your management account, [enabling Multi Factor Authentication](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa) is **highly** encouraged. Also, reviewing the [account's billing setup](https://console.aws.amazon.com/billing/home?#/account) is always a good idea before proceeding. -!!! info "For more details on setting up your AWS account: [:books: Organization account setup guide](../../user-guide/features/organization/organization-init#user-guide)" +!!! 
info "For more details on setting up your AWS account: [:books: Organization account setup guide](../../user-guide/user-guide/organization/organization-init#user-guide)" ## Create a bootstrap user with temporary administrator permissions Leverage needs a user with temporary administrator permissions in order to deploy the initial resources that will form the foundations you will then use to keep building on. That initial deployment is called the bootstrap process and thus the user required for that is called "the bootstrap user". -To create that user, navigate to the [IAM page](https://console.aws.amazon.com/iam/) and create a user named `mgmt-org-admin` [following step 2 of this leverage doc](https://leverage.binbash.com.ar/user-guide/features/organization/organization-init/#reference-aws-organization-init-workflow). +To create that user, navigate to the [IAM page](https://console.aws.amazon.com/iam/) and create a user named `mgmt-org-admin` [following step 2 of this leverage doc](https://leverage.binbash.com.ar/user-guide/user-guide/organization/organization-init/#reference-aws-organization-init-workflow). !!! info Bear in mind that the page for creating users may change from time to time but the key settings for configuring the bootstrap user are the following: diff --git a/docs/try-leverage/leverage-project-setup.md b/docs/try-leverage/leverage-project-setup.md index 202901d90..e5a42fcbf 100644 --- a/docs/try-leverage/leverage-project-setup.md +++ b/docs/try-leverage/leverage-project-setup.md 
@@ -6,7 +6,7 @@ The account's name will be given by your project's name followed by `-management Along the same line, we'll use the `example.com` domain for the email address used to register the account. Adding a `-aws` suffix to the project's name to indicate that this email address is related to the project's AWS account, we end up with a registration email that looks like `myexample-aws@example.com`. !!! info "Email addresses for AWS accounts." - Each AWS account requires having a unique email address associated to it. The Leverage Reference Architecture for AWS makes use of multiple accounts to better manage the infrastructure, as such, you will need different addresses for each one. Creating a new email account for each AWS is not a really viable solution to this problem, a better approach is to take advantage of mail services that support aliases. For information regarding how this works: [:books: Email setup for your AWS account.](../../user-guide/features/organization/organization-init/#pre-requisites) + Each AWS account requires having a unique email address associated to it. The Leverage Reference Architecture for AWS makes use of multiple accounts to better manage the infrastructure, as such, you will need different addresses for each one. Creating a new email account for each AWS is not a really viable solution to this problem, a better approach is to take advantage of mail services that support aliases. For information regarding how this works: [:books: Email setup for your AWS account.](../../user-guide/user-guide/organization/organization-init/#pre-requisites) ## Create the project directory Each Leverage project lives in its own working directory. Create a directory for your project as follows: diff --git a/docs/try-leverage/post-deployment.md b/docs/try-leverage/post-deployment.md index 4885f0b2d..fbfb24155 100644 --- a/docs/try-leverage/post-deployment.md +++ b/docs/try-leverage/post-deployment.md 
@@ -25,7 +25,7 @@ sso_start_url = "https://d-xyz01234567.awsapps.com/start" !!! info "Further info on configuring SSO" - There is more information on how to configure SSO [here](/user-guide/features/sso/sso/#preparing-the-project-to-use-aws-sso). + There is more information on how to configure SSO [here](/user-guide/user-guide/sso/sso/#preparing-the-project-to-use-aws-sso). ### Update backend profiles in the management account It's time to set the right profile names in the backend configuration files. Open this file: `management/config/backend.tfvars` and change the `profile` value from this: @@ -60,9 +60,9 @@ profile = "me-shared-devops" ``` ## Activate your SSO user and set up your password -The SSO users you created when you provisioned the SSO layer need to go through an email activation procedure. Find the [instructions here](/user-guide/features/sso/managing-users/#trigger-user-email-activation). +The SSO users you created when you provisioned the SSO layer need to go through an email activation procedure. Find the [instructions here](/user-guide/user-guide/sso/managing-users/#trigger-user-email-activation). -Once SSO user's have been activated, they will need to get their initial password so they are able to log in. Check out the [steps for that here](/user-guide/features/sso/managing-users/#reset-a-user-password). +Once SSO user's have been activated, they will need to get their initial password so they are able to log in. Check out the [steps for that here](/user-guide/user-guide/sso/managing-users/#reset-a-user-password). ## Configure the CLI for SSO Almost there. Let's try the SSO integration now. 
@@ -70,7 +70,7 @@ Almost there. Let's try the SSO integration now. ### Configure your SSO profiles Since this is your first time using that you will need to configure it by running this: `leverage aws configure sso` -Follow the wizard to get your AWS config file created for you. There is [more info about that here](/user-guide/features/sso/sso/#1-configuring-aws-sso). +Follow the wizard to get your AWS config file created for you. There is [more info about that here](/user-guide/user-guide/sso/sso/#1-configuring-aws-sso). ### Verify on a layer in the management account To ensure that worked, let's run a few commands to verify: diff --git a/docs/user-guide/index.md b/docs/user-guide/index.md new file mode 100644 index 000000000..e22fc953f --- /dev/null +++ b/docs/user-guide/index.md @@ -0,0 +1,15 @@ +![binbash-logo](../assets/images/logos/binbash-leverage-header.png "binbash"){: style="width:800px"} + +# User Guide + +## Overview +The pages in this section explore, with great detail, the architecture of the components that make up Leverage. + +- [x] Reference Architectures + - [x] [Reference Architecture for AWS](ref-architecture-aws/overview/) + - [x] [Reference Architecture for EKS](ref-architecture-eks/overview/) + - [x] [Reference Architecture for Ansible](ref-architecture-ansible/overview/) +- [x] [Infrastructure-as-Code Library](infra-as-code-library/overview/) +- [x] [Leverage CLI](leverage-cli/overview/) + +But don't feel constrained to the links above, feel free to use the left menu to explore more on your own. diff --git a/docs/reference/infra-as-code-library/infra-as-code-library-forks.md b/docs/user-guide/infra-as-code-library/infra-as-code-library-forks.md similarity index 100% rename from docs/reference/infra-as-code-library/infra-as-code-library-forks.md rename to docs/user-guide/infra-as-code-library/infra-as-code-library-forks.md 
diff --git a/docs/reference/infra-as-code-library/infra-as-code-library-specs.md b/docs/user-guide/infra-as-code-library/infra-as-code-library-specs.md similarity index 100% rename from docs/reference/infra-as-code-library/infra-as-code-library-specs.md rename to docs/user-guide/infra-as-code-library/infra-as-code-library-specs.md diff --git a/docs/reference/infra-as-code-library/modules-library-by-technology.md b/docs/user-guide/infra-as-code-library/modules-library-by-technology.md similarity index 100% rename from docs/reference/infra-as-code-library/modules-library-by-technology.md rename to docs/user-guide/infra-as-code-library/modules-library-by-technology.md diff --git a/docs/reference/infra-as-code-library/overview.md b/docs/user-guide/infra-as-code-library/overview.md similarity index 100% rename from docs/reference/infra-as-code-library/overview.md rename to docs/user-guide/infra-as-code-library/overview.md diff --git a/docs/reference/leverage-cli/basic-features.md b/docs/user-guide/leverage-cli/basic-features.md similarity index 100% rename from docs/reference/leverage-cli/basic-features.md rename to docs/user-guide/leverage-cli/basic-features.md diff --git a/docs/reference/leverage-cli/extending-leverage/build.env.md b/docs/user-guide/leverage-cli/extending-leverage/build.env.md similarity index 100% rename from docs/reference/leverage-cli/extending-leverage/build.env.md rename to docs/user-guide/leverage-cli/extending-leverage/build.env.md diff --git a/docs/reference/leverage-cli/extending-leverage/how-to-extend.md b/docs/user-guide/leverage-cli/extending-leverage/how-to-extend.md similarity index 100% rename from docs/reference/leverage-cli/extending-leverage/how-to-extend.md rename to docs/user-guide/leverage-cli/extending-leverage/how-to-extend.md 
diff --git a/docs/reference/leverage-cli/extending-leverage/tasks.md b/docs/user-guide/leverage-cli/extending-leverage/tasks.md similarity index 100% rename from docs/reference/leverage-cli/extending-leverage/tasks.md rename to docs/user-guide/leverage-cli/extending-leverage/tasks.md diff --git a/docs/reference/leverage-cli/history.md b/docs/user-guide/leverage-cli/history.md similarity index 100% rename from docs/reference/leverage-cli/history.md rename to docs/user-guide/leverage-cli/history.md diff --git a/docs/reference/leverage-cli/installation.md b/docs/user-guide/leverage-cli/installation.md similarity index 100% rename from docs/reference/leverage-cli/installation.md rename to docs/user-guide/leverage-cli/installation.md diff --git a/docs/reference/leverage-cli/overview.md b/docs/user-guide/leverage-cli/overview.md similarity index 100% rename from docs/reference/leverage-cli/overview.md rename to docs/user-guide/leverage-cli/overview.md diff --git a/docs/reference/leverage-cli/private-repositories.md b/docs/user-guide/leverage-cli/private-repositories.md similarity index 100% rename from docs/reference/leverage-cli/private-repositories.md rename to docs/user-guide/leverage-cli/private-repositories.md diff --git a/docs/reference/leverage-cli/reference/aws.md b/docs/user-guide/leverage-cli/reference/aws.md similarity index 100% rename from docs/reference/leverage-cli/reference/aws.md rename to docs/user-guide/leverage-cli/reference/aws.md diff --git a/docs/reference/leverage-cli/reference/credentials.md b/docs/user-guide/leverage-cli/reference/credentials.md similarity index 93% rename from docs/reference/leverage-cli/reference/credentials.md rename to docs/user-guide/leverage-cli/reference/credentials.md index 3e0e85448..f276e0a2e 100644 --- a/docs/reference/leverage-cli/reference/credentials.md +++ b/docs/user-guide/leverage-cli/reference/credentials.md 
@@ -14,7 +14,7 @@ leverage credentials configure --type [BOOTSTRAP|MANAGEMENT|SECURITY] [options] The `credentials configure` command sets up the credentials needed to interact with the AWS environment, from the initial deployment process (`BOOTSTRAP`) to everyday management (`MANAGEMENT`) and development or use (`SECURITY`) of it. -It attempts to retrieve the structure of the organization in order to generate all the [AWS CLI profiles required to interact with the environment](../../features/identities/credentials.md) and update the terraform configuration with the id of all relevant accounts. +It attempts to retrieve the structure of the organization in order to generate all the [AWS CLI profiles required to interact with the environment](../../user-guide/identities/credentials.md) and update the terraform configuration with the id of all relevant accounts. Backups of the previous configured credentials files are always created when overwriting or updating the current ones. diff --git a/docs/reference/leverage-cli/reference/kubectl.md b/docs/user-guide/leverage-cli/reference/kubectl.md similarity index 100% rename from docs/reference/leverage-cli/reference/kubectl.md rename to docs/user-guide/leverage-cli/reference/kubectl.md diff --git a/docs/reference/leverage-cli/reference/project.md b/docs/user-guide/leverage-cli/reference/project.md similarity index 100% rename from docs/reference/leverage-cli/reference/project.md rename to docs/user-guide/leverage-cli/reference/project.md diff --git a/docs/reference/leverage-cli/reference/run.md b/docs/user-guide/leverage-cli/reference/run.md similarity index 100% rename from docs/reference/leverage-cli/reference/run.md rename to docs/user-guide/leverage-cli/reference/run.md 
diff --git a/docs/reference/leverage-cli/reference/terraform.md b/docs/user-guide/leverage-cli/reference/terraform.md similarity index 100% rename from docs/reference/leverage-cli/reference/terraform.md rename to docs/user-guide/leverage-cli/reference/terraform.md diff --git a/docs/reference/leverage-cli/reference/terraform/layers.md b/docs/user-guide/leverage-cli/reference/terraform/layers.md similarity index 100% rename from docs/reference/leverage-cli/reference/terraform/layers.md rename to docs/user-guide/leverage-cli/reference/terraform/layers.md diff --git a/docs/reference/leverage-cli/reference/tfautomv.md b/docs/user-guide/leverage-cli/reference/tfautomv.md similarity index 100% rename from docs/reference/leverage-cli/reference/tfautomv.md rename to docs/user-guide/leverage-cli/reference/tfautomv.md diff --git a/docs/reference/leverage-cli/shell.md b/docs/user-guide/leverage-cli/shell.md similarity index 100% rename from docs/reference/leverage-cli/shell.md rename to docs/user-guide/leverage-cli/shell.md diff --git a/docs/reference/reference-architectures/ref-architecture-ansible/configs.md b/docs/user-guide/ref-architecture-ansible/configs.md similarity index 100% rename from docs/reference/reference-architectures/ref-architecture-ansible/configs.md rename to docs/user-guide/ref-architecture-ansible/configs.md diff --git a/docs/reference/reference-architectures/ref-architecture-ansible/overview.md b/docs/user-guide/ref-architecture-ansible/overview.md similarity index 100% rename from docs/reference/reference-architectures/ref-architecture-ansible/overview.md rename to docs/user-guide/ref-architecture-ansible/overview.md diff --git a/docs/reference/reference-architectures/ref-architecture-ansible/workflow.md b/docs/user-guide/ref-architecture-ansible/workflow.md similarity index 100% rename from docs/reference/reference-architectures/ref-architecture-ansible/workflow.md rename to docs/user-guide/ref-architecture-ansible/workflow.md 
diff --git a/docs/reference/reference-architectures/ref-architecture-aws/configs.md b/docs/user-guide/ref-architecture-aws/configuration.md similarity index 89% rename from docs/reference/reference-architectures/ref-architecture-aws/configs.md rename to docs/user-guide/ref-architecture-aws/configuration.md index 693dbfadd..81ca1cc25 100644 --- a/docs/reference/reference-architectures/ref-architecture-aws/configs.md +++ b/docs/user-guide/ref-architecture-aws/configuration.md @@ -1,5 +1,6 @@ -# Project Configurations +# Configuration +## Configuration Files !!! tips "Config files can be found under each `config` folders" - :file_folder: **Global config file** [`/config/common.tfvars`](https://github.com/binbashar/le-tf-infra-aws/blob/master/config/common.tfvars.example) @@ -19,12 +20,11 @@ you can easily change some default behaviors of the CLI. Read more in its dedicated ["Override defaults via `build.env` file" section](../leverage-cli/extending-leverage/build.env.md). -## AWS Profile +## Setting credentials for Terraform via AWS profiles - File `backend.tfvars` will inject the profile name that TF will use to make changes on AWS. - Such profile is usually one that relies on another profile to assume a role to get access to each corresponding account. - Please follow to correctly setup your AWS Credentials - - [user-guide/features/identities](../features/identities/identities.md) - - [user-guide/features/identities/credentials](../features/identities/credentials.md) + - [user-guide/user-guide/identities](../user-guide/identities/identities.md) + - [user-guide/user-guide/identities/credentials](../user-guide/identities/credentials.md) - Read the following page leverage doc to understand [how to set up a profile to assume a role](https://docs.aws.amazon.com/cli/latest/userguide/cli-roles.html) - 
diff --git a/docs/reference/reference-architectures/ref-architecture-aws/dir-structure.md b/docs/user-guide/ref-architecture-aws/dir-structure.md similarity index 100% rename from docs/reference/reference-architectures/ref-architecture-aws/dir-structure.md rename to docs/user-guide/ref-architecture-aws/dir-structure.md diff --git a/docs/reference/features/cdn/cdn.md b/docs/user-guide/ref-architecture-aws/features/cdn/cdn.md similarity index 82% rename from docs/reference/features/cdn/cdn.md rename to docs/user-guide/ref-architecture-aws/features/cdn/cdn.md index 2394be8dc..e4451d125 100644 --- a/docs/reference/features/cdn/cdn.md +++ b/docs/user-guide/ref-architecture-aws/features/cdn/cdn.md @@ -1,6 +1,6 @@ # CDN -!!! quote "![leverage-aws-ec2](../../../assets/images/icons/aws-emojipack/NetworkingContentDelivery_AmazonCloudFront.png "Leverage"){: style="width:20px"} AWS Cloud Front" +!!! quote "![leverage-aws-ec2](../../../../assets/images/icons/aws-emojipack/NetworkingContentDelivery_AmazonCloudFront.png "Leverage"){: style="width:20px"} AWS Cloud Front" [**Amazon CloudFront**](https://aws.amazon.com/cloudfront/) is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency, high transfer speeds, all within a developer-friendly environment. CloudFront is integrated with AWS – both physical locations that are directly connected to the AWS @@ -13,7 +13,7 @@ ## Load Balancer (ALB | NLB) & S3 Cloudfront Origins -![leverage-aws-cloudfront](../../../assets/images/diagrams/aws-cloudfront-acm-elb-s3.png "Leverage"){: style="width:950px"} +![leverage-aws-cloudfront](../../../../assets/images/diagrams/aws-cloudfront-acm-elb-s3.png "Leverage"){: style="width:950px"}
Figure: AWS CloudFront with ELB and S3 as origin diagram. (Source: Lee Atkinson, @@ -24,7 +24,7 @@ AWS Security Blog, accessed November 17th 2020). ## API Gateway Cloudfront Origins -![leverage-aws-cloudfront](../../../assets/images/diagrams/aws-cloudfront-api-gw.png "Leverage"){: style="width:950px"} +![leverage-aws-cloudfront](../../../../assets/images/diagrams/aws-cloudfront-api-gw.png "Leverage"){: style="width:950px"}
Figure: AWS CloudFront with API Gateway as origin diagram. (Source: AWS, diff --git a/docs/reference/features/ci-cd/ci-cd.md b/docs/user-guide/ref-architecture-aws/features/ci-cd/ci-cd.md similarity index 77% rename from docs/reference/features/ci-cd/ci-cd.md rename to docs/user-guide/ref-architecture-aws/features/ci-cd/ci-cd.md index 51113bfea..3d5c4ea26 100644 --- a/docs/reference/features/ci-cd/ci-cd.md +++ b/docs/user-guide/ref-architecture-aws/features/ci-cd/ci-cd.md @@ -1,7 +1,7 @@ # Continuous Integration / Continuous Delivery (CI/CD) ## Opt-1: Jenkins + ArgoCD -![leverage-ci-cd-argocd](../../../assets/images/diagrams/ci-cd-argocd.png "Leverage"){: style="width:750px"} +![leverage-ci-cd-argocd](../../../../assets/images/diagrams/ci-cd-argocd.png "Leverage"){: style="width:750px"}
Figure: ACI/CD with Jenkins + ArgoCD architecture diagram. @@ -12,7 +12,7 @@ ArgoCD documentation, accessed November 18th 2020).
## Opt-2: [Jenkins + Spinnaker](https://drive.google.com/file/d/1VtKHzBkw5a3zGKFwgI_2rllL9M7ceuCD/view?usp=sharing) -![leverage-ci-cd-spinnaker](../../../assets/images/diagrams/ci-cd-spinnaker.png "Leverage"){: style="width:950px"} +![leverage-ci-cd-spinnaker](../../../../assets/images/diagrams/ci-cd-spinnaker.png "Leverage"){: style="width:950px"}
Figure: CI/CD with Jenkins + Spinnaker diagram. diff --git a/docs/reference/features/ci-cd/k8s-argocd.md b/docs/user-guide/ref-architecture-aws/features/ci-cd/k8s-argocd.md similarity index 84% rename from docs/reference/features/ci-cd/k8s-argocd.md rename to docs/user-guide/ref-architecture-aws/features/ci-cd/k8s-argocd.md index bf8fd900b..7308c3041 100644 --- a/docs/reference/features/ci-cd/k8s-argocd.md +++ b/docs/user-guide/ref-architecture-aws/features/ci-cd/k8s-argocd.md @@ -5,7 +5,7 @@ The below diagram is based on our [binbash Leverage Reference Architecture CI-CD official documentation](https://binbash.atlassian.net/wiki/external/1962410007/YWMxMmY1NzM4MmIyNDRmMDkxMDIwNDY3OWU4ZDYwZjA) -![leverage-aws-demoapps](../../../assets/images/diagrams/aws-k8s-eks-ci-cd-argocd.png "Leverage"){: style="width:750px"} +![leverage-aws-demoapps](../../../../assets/images/diagrams/aws-k8s-eks-ci-cd-argocd.png "Leverage"){: style="width:750px"}
Figure: K8S reference architecture CI/CD with ArgoCD diagram. (Source: binbash Leverage Confluence Doc, diff --git a/docs/reference/features/compute/k8s-kops.md b/docs/user-guide/ref-architecture-aws/features/compute/k8s-kops.md similarity index 96% rename from docs/reference/features/compute/k8s-kops.md rename to docs/user-guide/ref-architecture-aws/features/compute/k8s-kops.md index b3391b99e..493f3068a 100644 --- a/docs/reference/features/compute/k8s-kops.md +++ b/docs/user-guide/ref-architecture-aws/features/compute/k8s-kops.md @@ -16,7 +16,7 @@ The project describes itself as kubectl for clusters. - [x] Rolling cluster updates - [x] Supports heterogeneous clusters by creating multiple instance groups -![leverage-aws-k8s-kops](../../../assets/images/diagrams/aws-k8s-kops.png "Leverage"){: style="width:950px"} +![leverage-aws-k8s-kops](../../../../assets/images/diagrams/aws-k8s-kops.png "Leverage"){: style="width:950px"}
Figure: AWS K8s Kops architecture diagram (just as reference). @@ -65,7 +65,7 @@ Nclouds.com Blog post, accessed November 18th 2020). ``` #### Resulting Solutions Architecture -![leverage-aws-k8s-kops](../../../assets/images/diagrams/aws-k8s-kops.png "Leverage"){: style="width:950px"} +![leverage-aws-k8s-kops](../../../../assets/images/diagrams/aws-k8s-kops.png "Leverage"){: style="width:950px"}
Figure: AWS K8s Kops architecture diagram (just as reference).
@@ -84,7 +84,7 @@ fully customize any AWS component without having to alter our Kubernetes cluster 2. This is a fully declarative coding style approach to manage your infrastructure so being able to declare the state of our cluster in YAML files fits **100% as code & GitOps** based approach. -![leverage-aws-k8s-kops](../../../assets/images/diagrams/aws-k8s-kops-tf.png "Leverage"){: style="width:950px"} +![leverage-aws-k8s-kops](../../../../assets/images/diagrams/aws-k8s-kops-tf.png "Leverage"){: style="width:950px"}
Figure: [Workflow diagram](https://medium.com/bench-engineering/deploying-kubernetes-clusters-with-kops-and-terraform-832b89250e8e).
## Kops Cluster Management diff --git a/docs/reference/features/compute/k8s-service-mesh.md b/docs/user-guide/ref-architecture-aws/features/compute/k8s-service-mesh.md similarity index 86% rename from docs/reference/features/compute/k8s-service-mesh.md rename to docs/user-guide/ref-architecture-aws/features/compute/k8s-service-mesh.md index 853ee130a..c0507086a 100644 --- a/docs/reference/features/compute/k8s-service-mesh.md +++ b/docs/user-guide/ref-architecture-aws/features/compute/k8s-service-mesh.md @@ -15,7 +15,7 @@ reliability to Kubernetes, without the complexity. CNCF-hosted and 100% open sou without introducing excessive latency. ### Architecture -![leverage-k8s-networking](../../../assets/images/diagrams/k8s-linkerd-control-plane.png "Leverage"){: style="width:750px"} +![leverage-k8s-networking](../../../../assets/images/diagrams/k8s-linkerd-control-plane.png "Leverage"){: style="width:750px"}
Figure: Figure: Linkerd v2.10 architecture diagram. (Source: Linkerd official documentation, @@ -25,7 +25,7 @@ Linkerd Doc, accessed June 14th 2021).
### Dashboard -![leverage-k8s-networking](../../../assets/images/diagrams/k8s-linkerd-dashboard.png "Leverage"){: style="width:750px"} +![leverage-k8s-networking](../../../../assets/images/diagrams/k8s-linkerd-dashboard.png "Leverage"){: style="width:750px"}
Figure: Figure: Linkerd v2.10 dashboard. (Source: Linkerd official documentation, diff --git a/docs/reference/features/compute/overview.md b/docs/user-guide/ref-architecture-aws/features/compute/overview.md similarity index 94% rename from docs/reference/features/compute/overview.md rename to docs/user-guide/ref-architecture-aws/features/compute/overview.md index 60a7a7b06..37c0697ae 100644 --- a/docs/reference/features/compute/overview.md +++ b/docs/user-guide/ref-architecture-aws/features/compute/overview.md @@ -15,7 +15,7 @@ Clusters will be provisioned with [**_Kops_**](https://github.com/kubernetes/kop [**_AWS EKS_**](https://aws.amazon.com/eks/), which are solutions meant to orchestrate this compute engine in AWS. Whenever possible the initial version deployed will be the latest stable release. -![leverage-k8s-architecture](../../../assets/images/diagrams/k8s-architecture.png "Leverage"){: style="width:700"} +![leverage-k8s-architecture](../../../../assets/images/diagrams/k8s-architecture.png "Leverage"){: style="width:700"}
Figure: Kubernetes high level components architecture. diff --git a/docs/reference/features/compute/serverless.md b/docs/user-guide/ref-architecture-aws/features/compute/serverless.md similarity index 89% rename from docs/reference/features/compute/serverless.md rename to docs/user-guide/ref-architecture-aws/features/compute/serverless.md index 7110f8274..60110d1e6 100644 --- a/docs/reference/features/compute/serverless.md +++ b/docs/user-guide/ref-architecture-aws/features/compute/serverless.md @@ -16,7 +16,7 @@ As stated by [AWS Serverless definitions](https://aws.amazon.com/serverless/) about managing and operating servers or runtimes, either in the cloud or on-premises. This reduced overhead lets developers reclaim time and energy that can be spent on developing great products which scale and that are reliable. -![leverage-aws-serverless](../../../assets/images/diagrams/aws-serverless.png "Leverage"){: style="width:950px"} +![leverage-aws-serverless](../../../../assets/images/diagrams/aws-serverless.png "Leverage"){: style="width:950px"}
Figure: AWS serverless architecture diagram (just as reference). @@ -26,7 +26,7 @@ As stated by [AWS Serverless definitions](https://aws.amazon.com/serverless/) Containers-on-AWS Medium Blog post, accessed November 18th 2020).
-!!! info "Serverless Compute ![aws-service](../../../assets/images/icons/aws-emojipack/General_AWScloud.png){: style="width:30px"} Services" +!!! info "Serverless Compute ![aws-service](../../../../assets/images/icons/aws-emojipack/General_AWScloud.png){: style="width:30px"} Services" * [x] [AWS Lambda](https://aws.amazon.com/lambda/) lets you run code without provisioning or managing servers. You pay only for the compute time you consume - there is no charge when your code is not running. * [x] [Lambda@Edge](https://aws.amazon.com/lambda/edge/) allows you to run Lambda functions at AWS Edge locations in diff --git a/docs/reference/features/compute/tools.md b/docs/user-guide/ref-architecture-aws/features/compute/tools.md similarity index 100% rename from docs/reference/features/compute/tools.md rename to docs/user-guide/ref-architecture-aws/features/compute/tools.md diff --git a/docs/reference/features/costs/costs.md b/docs/user-guide/ref-architecture-aws/features/costs/costs.md similarity index 82% rename from docs/reference/features/costs/costs.md rename to docs/user-guide/ref-architecture-aws/features/costs/costs.md index 86d4f05c6..78c2a17d4 100644 --- a/docs/reference/features/costs/costs.md +++ b/docs/user-guide/ref-architecture-aws/features/costs/costs.md @@ -2,7 +2,7 @@ ## Opportunity to optimize resources -!!! tip "![leverage-aws-ec2](../../../assets/images/icons/aws-emojipack/Compute_AmazonEC2.png "Leverage"){: style="width:20px"} Compute" +!!! tip "![leverage-aws-ec2](../../../../assets/images/icons/aws-emojipack/Compute_AmazonEC2.png "Leverage"){: style="width:20px"} Compute" * Usage of reserved EC2 instances for stable workloads (AWS Cost Explorer Reserved Optimization | Compute Optimizer - get a -$ of up to 42% vs On-Demand) * Usage of Spot EC2 instances for fault-tolerant workloads (-$ by up to 90%). 
@@ -11,10 +11,10 @@ * Compute Savings Plans to reduce EC2, Fargate and Lambda $ (Compute Savings Plans OK regardless of EC2 family, size, AZ, reg, OS or tenancy, OK for Fargate / Lambda too). -!!! tip "![leverage-aws-rds](../../../assets/images/icons/aws-emojipack/Database_AmazonRDS.png "Leverage"){: style="width:20px"} Databases" +!!! tip "![leverage-aws-rds](../../../../assets/images/icons/aws-emojipack/Database_AmazonRDS.png "Leverage"){: style="width:20px"} Databases" * Usage of reserved RDS instances for stable workload databases. -!!! tip "![leverage-aws-cw](../../../assets/images/icons/aws-emojipack/ManagementTools_AmazonCloudWatch.png "Leverage"){: style="width:20px"} Monitoring & Automation" +!!! tip "![leverage-aws-cw](../../../../assets/images/icons/aws-emojipack/ManagementTools_AmazonCloudWatch.png "Leverage"){: style="width:20px"} Monitoring & Automation" * AWS billing alarms + AWS Budget (forecasted account cost / RI Coverage) Notifications to Slack * Activate AWS Trusted Advisor cost related results * Id EBS w/ low-utiliz and -$ by snapshotting and then rm them @@ -23,7 +23,7 @@ * Setup Lambda nuke to automatically clean up AWS account resources. * Setup lambda scheduler for stop and start resources on AWS (EC2, ASG & RDS) -!!! tip "![leverage-aws-s3](../../../assets/images/icons/aws-emojipack/Storage_AmazonS3.png "Leverage"){: style="width:20px"} Storage & Network Traffic" +!!! tip "![leverage-aws-s3](../../../../assets/images/icons/aws-emojipack/Storage_AmazonS3.png "Leverage"){: style="width:20px"} Storage & Network Traffic" * Check S3 usage and -$ by leveraging lower $ storage tiers. * Use S3 Analytics, or automate mv for these objects into lower $ storage tier w/ Life Cycle Policies or w/ S3 Intelligent-Tiering. 
diff --git a/docs/reference/features/database/database.md b/docs/user-guide/ref-architecture-aws/features/database/database.md similarity index 100% rename from docs/reference/features/database/database.md rename to docs/user-guide/ref-architecture-aws/features/database/database.md diff --git a/docs/reference/features/database/mysql.md b/docs/user-guide/ref-architecture-aws/features/database/mysql.md similarity index 100% rename from docs/reference/features/database/mysql.md rename to docs/user-guide/ref-architecture-aws/features/database/mysql.md diff --git a/docs/reference/features/database/postgres.md b/docs/user-guide/ref-architecture-aws/features/database/postgres.md similarity index 100% rename from docs/reference/features/database/postgres.md rename to docs/user-guide/ref-architecture-aws/features/database/postgres.md diff --git a/docs/reference/features/identities/credentials-vault.md b/docs/user-guide/ref-architecture-aws/features/identities/credentials-vault.md similarity index 97% rename from docs/reference/features/identities/credentials-vault.md rename to docs/user-guide/ref-architecture-aws/features/identities/credentials-vault.md index 03de0cea5..6de193c49 100644 --- a/docs/reference/features/identities/credentials-vault.md +++ b/docs/user-guide/ref-architecture-aws/features/identities/credentials-vault.md @@ -82,7 +82,7 @@ to show an example using the Github personal access token, one of our supported Open your preferred web browser choose Github auth method and paste your GH token and you'll be able to login to your instance. -![leverage-vault-ui-auth](../../../assets/images/screenshots/vault-ui-auth-github.png "Leverage"){: style="width:1200px"} +![leverage-vault-ui-auth](../../../../assets/images/screenshots/vault-ui-auth-github.png "Leverage"){: style="width:1200px"}
Figure: Vault HCP UI user authentication screen. (Source: binbash Leverage, diff --git a/docs/reference/features/identities/credentials.md b/docs/user-guide/ref-architecture-aws/features/identities/credentials.md similarity index 100% rename from docs/reference/features/identities/credentials.md rename to docs/user-guide/ref-architecture-aws/features/identities/credentials.md diff --git a/docs/reference/features/identities/gpg.md b/docs/user-guide/ref-architecture-aws/features/identities/gpg.md similarity index 98% rename from docs/reference/features/identities/gpg.md rename to docs/user-guide/ref-architecture-aws/features/identities/gpg.md index 704c8530b..53df255d2 100644 --- a/docs/reference/features/identities/gpg.md +++ b/docs/user-guide/ref-architecture-aws/features/identities/gpg.md @@ -1,7 +1,6 @@ -# GPG keys helper - -## Why to use GPG? +# GPG Keys +## Why do we use GPG keys? By default our [Leverage Reference Architectre base-identities layer](https://github.com/binbashar/le-tf-infra-aws/blob/master/security/global/base-identities/users.tf) approach is to use [IAM module]([https://github.com/binbashar/terraform-aws-iam/tree/master/modules/iam-user]) to manage AWS IAM Users credentials with **encryption to grant strong security**. @@ -17,8 +16,7 @@ user's password and user's secret key. When `gpg_key` is specified as `keybase:username`, make sure that the user public key has already been uploaded to the [Reference Architecture base-identities layer `keys` folder](https://github.com/binbashar/le-tf-infra-aws/tree/master/security/global/base-identities/keys) -## How to manage your GPG keys? - +## Managing your GPG keys !!! info "Create a key pair" - NOTE: the user for whom this account is being created needs to do this - Install `gpg` 
@@ -64,7 +62,6 @@ user's password and user's secret key. 4. If all went well, the decrypted password should be there ## Workaround for Mac users - There are some situations where gpg keys generated on Mac don't work properly, generating errors like the following: ```bash @@ -107,4 +104,4 @@ find ~/.gnupg -type d -exec chmod 700 {} \; ```bash echo "YOUR ENCRYPTED STRING PASSWORD HERE" | base64 --decode > a_file_with_your_pass gpg --decrypt a_file_with_your_pass -``` \ No newline at end of file +``` diff --git a/docs/reference/features/identities/identities.md b/docs/user-guide/ref-architecture-aws/features/identities/identities.md similarity index 93% rename from docs/reference/features/identities/identities.md rename to docs/user-guide/ref-architecture-aws/features/identities/identities.md index 87879fc42..afb842f69 100644 --- a/docs/reference/features/identities/identities.md +++ b/docs/user-guide/ref-architecture-aws/features/identities/identities.md @@ -1,10 +1,6 @@ # Identity and Access Management (IAM) Layer - -!!! help "How it works" - :books: [**documentation:** identities](../../../../how-it-works/features/identities/identities/) -## User guide - +## Setting up user credentials Please follow the steps below to orchestrate your `base-identities` layer 1st in your [`project-root`](https://github.com/binbashar/le-tf-infra-aws/tree/master/root/global/base-identities) AWS account and afterwards in your [`project-security`](https://github.com/binbashar/le-tf-infra-aws/tree/master/security/global/base-identities) account. 
@@ -37,8 +33,7 @@ afterwards in your [`project-security`](https://github.com/binbashar/le-tf-infra - [apps-devstg/global/base-identities](https://github.com/binbashar/le-tf-infra-aws/tree/master/apps-devstg/global/base-identities) - [app-prd/global/base-identities](https://github.com/binbashar/le-tf-infra-aws/tree/master/apps-prd/global/base-identities) -### Recommended post-task - +## Recommended Post-tasks !!! attention "Deactivating AWS STS in not in use AWS Region" *When you activate STS endpoints for a Region, AWS STS can issue temporary credentials to users and roles in your account that make an AWS STS request. Those credentials can then be used in any Region that is enabled by default or @@ -57,11 +52,9 @@ afterwards in your [`project-security`](https://github.com/binbashar/le-tf-infra --- :ledger: Source | :earth_americas: [AWS Documentation IAM User Guide | Activating and deactivating AWS STS in an AWS Region](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) -![leverage-aws-iam-roles](../../../assets/images/screenshots/aws-iam-sts-regions.png "Leverage"){: style="width:900px"} +![leverage-aws-iam-roles](../../../../assets/images/screenshots/aws-iam-sts-regions.png "Leverage"){: style="width:900px"} **Figure:** *Deactivating AWS STS in not in use AWS Region. Only in used Regions must have STS activated.* -### Next Steps - +## Next Steps :books: [Setup your AWS Credentials](credentials.md) - diff --git a/docs/reference/features/identities/identities2.md b/docs/user-guide/ref-architecture-aws/features/identities/overview.md similarity index 90% rename from docs/reference/features/identities/identities2.md rename to docs/user-guide/ref-architecture-aws/features/identities/overview.md index fd8dead5e..7fc7a2f53 100644 --- a/docs/reference/features/identities/identities2.md +++ b/docs/user-guide/ref-architecture-aws/features/identities/overview.md 
@@ -1,10 +1,10 @@ -# Identity and Access Management (IAM) Layer +# Identity and Access Management (IAM) -## Summary +## Overview Having this [official AWS resource](https://d0.awsstatic.com/aws-answers/AWS_Multi_Account_Security_Strategy.pdf) as reference we've define a security account structure for managing multiple accounts. -!!! tip "User Management Definitions ![aws-service](../../../assets/images/icons/aws-emojipack/General_AWScloud.png){: style="width:30px"} ![aws-service](../../../assets/images/icons/aws-emojipack/SecurityIdentityCompliance_IAM.png){: style="width:15px"}" +!!! tip "User Management Definitions ![aws-service](../../../../assets/images/icons/aws-emojipack/General_AWScloud.png){: style="width:30px"} ![aws-service](../../../../assets/images/icons/aws-emojipack/SecurityIdentityCompliance_IAM.png){: style="width:15px"}" * [x] IAM users will strictly be created and centralized in the Security account (member accounts IAM Users could be exceptionally created for very specific tools that still don’t support IAM roles for cross-account auth). * [x] All access to resources within the Client organization will be assigned via policy documents attached to IAM roles or groups. * [x] All IAM roles and groups will have the least privileges required to properly work. @@ -20,7 +20,7 @@ as reference we've define a security account structure for managing multiple ac of AWS-based deployments, centralize security monitoring and management, manage identity and access, and provide audit and compliance monitoring services -![leverage-aws-iam](../../../assets/images/diagrams/aws-iam.png "Leverage"){: style="width:600px"} +![leverage-aws-iam](../../../../assets/images/diagrams/aws-iam.png "Leverage"){: style="width:600px"}
Figure: AWS Organization Security account structure for managing multiple accounts (just as reference). @@ -183,4 +183,4 @@ Gruntwork.io Blog, accessed November 18th 2020). x - \ No newline at end of file + diff --git a/docs/reference/features/identities/roles.md b/docs/user-guide/ref-architecture-aws/features/identities/roles.md similarity index 93% rename from docs/reference/features/identities/roles.md rename to docs/user-guide/ref-architecture-aws/features/identities/roles.md index 722dd02ba..e10d1880f 100644 --- a/docs/reference/features/identities/roles.md +++ b/docs/user-guide/ref-architecture-aws/features/identities/roles.md @@ -1,6 +1,6 @@ -# IAM roles +# IAM Roles -!!! info "What are AWS IAM Roles? ![aws-service](../../../assets/images/icons/aws-emojipack/General_AWScloud.png){: style="width:30px"} ![aws-service](../../../assets/images/icons/aws-emojipack/SecurityIdentityCompliance_IAM.png){: style="width:15px"}" +!!! info "What are AWS IAM Roles? ![aws-service](../../../../assets/images/icons/aws-emojipack/General_AWScloud.png){: style="width:30px"} ![aws-service](../../../../assets/images/icons/aws-emojipack/SecurityIdentityCompliance_IAM.png){: style="width:15px"}" For the Leverage AWS Reference Architecture we heavily depend on **AWS IAM roles**, which is a standalone IAM entity that: @@ -28,7 +28,7 @@ ## How IAM roles work? -![leverage-aws-iam-roles](../../../assets/images/diagrams/aws-iam-role-cross-account.png "Leverage"){: style="width:600px"} +![leverage-aws-iam-roles](../../../../assets/images/diagrams/aws-iam-role-cross-account.png "Leverage"){: style="width:600px"}
Figure: Example of AWS cross-account AWS access. @@ -94,7 +94,7 @@ AWS Security Blog, accessed November 17th 2020). first authenticate to AWS using some other mechanism. For example, for an IAM user to assume an IAM role, the workflow looks like this: -![leverage-aws-iam-roles](../../../assets/images/diagrams/aws-iam-role-assume.png "Leverage"){: style="width:900px"} +![leverage-aws-iam-roles](../../../../assets/images/diagrams/aws-iam-role-assume.png "Leverage"){: style="width:900px"}
Figure: Assuming an AWS IAM role. diff --git a/docs/reference/features/overview.md b/docs/user-guide/ref-architecture-aws/features/index.md similarity index 82% rename from docs/reference/features/overview.md rename to docs/user-guide/ref-architecture-aws/features/index.md index bb6f8cd96..cc26bc3de 100644 --- a/docs/reference/features/overview.md +++ b/docs/user-guide/ref-architecture-aws/features/index.md @@ -1,10 +1,13 @@ -![binbash-logo](../../assets/images/logos/binbash-leverage-header.png "binbash"){: style="width:800px"} +![binbash-logo](../../../../assets/images/logos/binbash-leverage-header.png "binbash"){: style="width:800px"} -# AWS Features -TODO What is this? +# Features + +## Overview +This reference architecture supports a growing number of AWS services. This section lists all of them and goes through each in depth. ## Governance | AWS Organizations -- [x] [AWS Organizations Initialization](organization/organization-init.md) +- [x] [Overview](organization/overview.md) +- [x] [Configuration](organization/configuration.md) - [x] [Invite pre-exiting accounts to AWS Organizations](organization/organization-legacy-accounts.md) ## Identity Management diff --git a/docs/reference/features/monitoring/apm.md b/docs/user-guide/ref-architecture-aws/features/monitoring/apm.md similarity index 100% rename from docs/reference/features/monitoring/apm.md rename to docs/user-guide/ref-architecture-aws/features/monitoring/apm.md diff --git a/docs/reference/features/monitoring/logs.md b/docs/user-guide/ref-architecture-aws/features/monitoring/logs.md similarity index 94% rename from docs/reference/features/monitoring/logs.md rename to docs/user-guide/ref-architecture-aws/features/monitoring/logs.md index e0b105b43..c2bb00ad4 100644 --- a/docs/reference/features/monitoring/logs.md +++ b/docs/user-guide/ref-architecture-aws/features/monitoring/logs.md 
@@ -10,7 +10,7 @@ request logs, application error logs. Access logs on AWS based resources can be stored in a centralized bucket for that purpose, on the security account and given the need these can be streamed to Elasticsearch as well if needed. -![leverage-monitoring](../../../assets/images/diagrams/monitoring-metrics-logs.png "Leverage"){: style="width:750px"} +![leverage-monitoring](../../../../assets/images/diagrams/monitoring-metrics-logs.png "Leverage"){: style="width:750px"}
Figure: Monitoring metrics and log architecture diagram (just as reference). (Source: binbash Leverage, diff --git a/docs/reference/features/monitoring/metrics.md b/docs/user-guide/ref-architecture-aws/features/monitoring/metrics.md similarity index 88% rename from docs/reference/features/monitoring/metrics.md rename to docs/user-guide/ref-architecture-aws/features/monitoring/metrics.md index 1ad71b625..f38bfdc23 100644 --- a/docs/reference/features/monitoring/metrics.md +++ b/docs/user-guide/ref-architecture-aws/features/monitoring/metrics.md @@ -16,7 +16,7 @@ Prometheus and [AWS CloudWatch metrics](https://docs.aws.amazon.com/AmazonCloudW include a library in your own application that provides you with the ability to create an endpoint that publishes certain metrics about your own application, that we can graph or alert based on them. -![leverage-monitoring](../../../assets/images/diagrams/monitoring-metrics-logs.png "Leverage"){: style="width:750px"} +![leverage-monitoring](../../../../assets/images/diagrams/monitoring-metrics-logs.png "Leverage"){: style="width:750px"}
Figure: Monitoring metrics and log architecture diagram (just as reference). (Source: binbash Leverage, @@ -33,7 +33,7 @@ binbash Leverage Doc, accessed November 18th 2020). Grafana as well, and build dashboards that integrate these metrics and even do some intelligence on them coming from multiple origins. -![leverage-monitoring](../../../assets/images/screenshots/monitoring-metrics-k8s-cluster.png){: style="width:750px"} +![leverage-monitoring](../../../../assets/images/screenshots/monitoring-metrics-k8s-cluster.png){: style="width:750px"}
Figure: Grafana K8s cluster metrics monitoring dashboard reference screenshot. (Source: DevOpsProdigy, @@ -42,7 +42,7 @@ binbash Leverage Doc, accessed November 18th 2020). Grafana plugins, accessed November 18th 2020).
-![leverage-monitoring](../../../assets/images/screenshots/monitoring-metrics-k8s-nodes.png "Leverage"){: style="width:750px"} +![leverage-monitoring](../../../../assets/images/screenshots/monitoring-metrics-k8s-nodes.png "Leverage"){: style="width:750px"}
Figure: Grafana K8s cluster metrics monitoring dashboard reference screenshot. (Source: DevOpsProdigy, @@ -56,7 +56,7 @@ Grafana plugins, accessed November 18th 2020). engine configured, because we can have really customize and specify alerts. We can have them as code in their extremely readable syntax. Example: -![leverage-monitoring](../../../assets/images/screenshots/monitoring-metrics-alerts.png "Leverage"){: style="width:750px"} +![leverage-monitoring](../../../../assets/images/screenshots/monitoring-metrics-alerts.png "Leverage"){: style="width:750px"}
Figure: Prometheus Alert Manager `CriticalRamUsage` alert screenshot (just as reference). (Source: binbash Leverage). diff --git a/docs/reference/features/monitoring/monitoring.md b/docs/user-guide/ref-architecture-aws/features/monitoring/monitoring.md similarity index 100% rename from docs/reference/features/monitoring/monitoring.md rename to docs/user-guide/ref-architecture-aws/features/monitoring/monitoring.md diff --git a/docs/reference/features/monitoring/notification_escalation.md b/docs/user-guide/ref-architecture-aws/features/monitoring/notification_escalation.md similarity index 100% rename from docs/reference/features/monitoring/notification_escalation.md rename to docs/user-guide/ref-architecture-aws/features/monitoring/notification_escalation.md diff --git a/docs/reference/features/monitoring/tracing.md b/docs/user-guide/ref-architecture-aws/features/monitoring/tracing.md similarity index 88% rename from docs/reference/features/monitoring/tracing.md rename to docs/user-guide/ref-architecture-aws/features/monitoring/tracing.md index 96e6f2a7b..2bc6c3be2 100644 --- a/docs/reference/features/monitoring/tracing.md +++ b/docs/user-guide/ref-architecture-aws/features/monitoring/tracing.md @@ -5,7 +5,7 @@ especially those built using a microservices architecture. Distributed tracing helps pinpoint where failures occur and what causes poor performance. -![leverage-monitoring](../../../assets/images/diagrams/monitoring-tracing.png "Leverage"){: style="width:750px"} +![leverage-monitoring](../../../../assets/images/diagrams/monitoring-tracing.png "Leverage"){: style="width:750px"}
Figure: Figure: Distributed tracing architecture diagram (just as reference). (Source: binbash Leverage, diff --git a/docs/reference/features/network/dns.md b/docs/user-guide/ref-architecture-aws/features/network/dns.md similarity index 88% rename from docs/reference/features/network/dns.md rename to docs/user-guide/ref-architecture-aws/features/network/dns.md index 00db83083..a55bc1804 100644 --- a/docs/reference/features/network/dns.md +++ b/docs/user-guide/ref-architecture-aws/features/network/dns.md @@ -2,14 +2,14 @@ ## How it works -!!! info "![aws-service](../../../assets/images/icons/aws-emojipack/General_AWScloud.png){: style="width:30px"} ![aws-service](../../../assets/images/icons/aws-emojipack/NetworkingContentDelivery_AmazonRoute53.png){: style="width:20px"} Route53 Considerations" +!!! info "![aws-service](../../../../assets/images/icons/aws-emojipack/General_AWScloud.png){: style="width:30px"} ![aws-service](../../../../assets/images/icons/aws-emojipack/NetworkingContentDelivery_AmazonRoute53.png){: style="width:20px"} Route53 Considerations" - [x] **Route53** private hosted zone will have associations with VPCs on different AWS organization accounts - [x] **Route53** should ideally be hosted in the Shared account, although sometimes Route53 is already deployed in a Legacy account where it can be imported and fully supported as code. - [x] **Route53** [zero downtime migration](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-migrating.html) (active-active hosted zones) is completely possible and achievable with Leverage terraform code -![leverage-aws-dns](../../../assets/images/diagrams/aws-route53.png "Leverage"){: style="width:800px"} +![leverage-aws-dns](../../../../assets/images/diagrams/aws-route53.png "Leverage"){: style="width:800px"}
Figure: AWS Organization shared account Route53 DNS diagram. (Source: Cristian Southall, diff --git a/docs/reference/features/network/tgw-topology.md b/docs/user-guide/ref-architecture-aws/features/network/tgw-topology.md similarity index 79% rename from docs/reference/features/network/tgw-topology.md rename to docs/user-guide/ref-architecture-aws/features/network/tgw-topology.md index 3a54ea5a7..c07fca7ab 100644 --- a/docs/reference/features/network/tgw-topology.md +++ b/docs/user-guide/ref-architecture-aws/features/network/tgw-topology.md @@ -3,7 +3,7 @@ ## Transit Gateway ### Dedicated TGW Network Account Architecture -![leverage-aws-tgw](../../../assets/images/diagrams/aws-tgw.png "Leverage"){: style="width:1600px"} +![leverage-aws-tgw](../../../../assets/images/diagrams/aws-tgw.png "Leverage"){: style="width:1600px"}
Figure: Multi-account dedicated network transit gateway architecture diagram. (Source: binbash Leverage, diff --git a/docs/reference/features/network/vpc-addressing.md b/docs/user-guide/ref-architecture-aws/features/network/vpc-addressing.md similarity index 100% rename from docs/reference/features/network/vpc-addressing.md rename to docs/user-guide/ref-architecture-aws/features/network/vpc-addressing.md diff --git a/docs/reference/features/network/vpc-peering.md b/docs/user-guide/ref-architecture-aws/features/network/vpc-peering.md similarity index 79% rename from docs/reference/features/network/vpc-peering.md rename to docs/user-guide/ref-architecture-aws/features/network/vpc-peering.md index 27d87b092..dbd05ab2b 100644 --- a/docs/reference/features/network/vpc-peering.md +++ b/docs/user-guide/ref-architecture-aws/features/network/vpc-peering.md @@ -8,7 +8,7 @@ TODO # Diagram: Network Service (cross-account [VPC peering](https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html)) -![leverage-aws-vpc-peering](../../../assets/images/diagrams/aws-vpc-peering-1.png "Leverage"){: style="width:300px"} +![leverage-aws-vpc-peering](../../../../assets/images/diagrams/aws-vpc-peering-1.png "Leverage"){: style="width:300px"}
Figure: AWS multi account Organization VPC peering diagram. (Source: AWS, @@ -17,7 +17,7 @@ TODO AWS Documentation Amazon VPC User Guide, accessed November 18th 2020).
-![leverage-aws-vpc-peering](../../../assets/images/diagrams/aws-vpc-peering-2.png "Leverage"){: style="width:300px"} +![leverage-aws-vpc-peering](../../../../assets/images/diagrams/aws-vpc-peering-2.png "Leverage"){: style="width:300px"}
Figure: AWS multi account Organization peering detailed diagram. (Source: AWS, diff --git a/docs/reference/features/network/vpc-topology.md b/docs/user-guide/ref-architecture-aws/features/network/vpc-topology.md similarity index 93% rename from docs/reference/features/network/vpc-topology.md rename to docs/user-guide/ref-architecture-aws/features/network/vpc-topology.md index 0c6e4bf90..61914a9c2 100644 --- a/docs/reference/features/network/vpc-topology.md +++ b/docs/user-guide/ref-architecture-aws/features/network/vpc-topology.md @@ -29,7 +29,7 @@ traffic goes to those instances, the NAT device translates the address back to those instances’ private IPv4 addresses. -![leverage-aws-vpc-ngw](../../../assets/images/diagrams/aws-vpc-nat-gateway.png "Leverage"){: style="width:900px"} +![leverage-aws-vpc-ngw](../../../../assets/images/diagrams/aws-vpc-nat-gateway.png "Leverage"){: style="width:900px"}
Figure: VPC topology diagram. (Source: AWS, @@ -38,7 +38,7 @@ AWS Documentation Amazon VPC User Guide, accessed November 18th 2020).
-![leverage-aws-vpc-ngw-ha](../../../assets/images/diagrams/aws-vpc-nat-gateway-ha.png "Leverage"){: style="width:900px"} +![leverage-aws-vpc-ngw-ha](../../../../assets/images/diagrams/aws-vpc-nat-gateway-ha.png "Leverage"){: style="width:900px"}
Figure: VPC topology diagram with multiple Nat Gateways for HA. (Source: Andreas Wittig, diff --git a/docs/reference/features/network/vpc-traffic-out.md b/docs/user-guide/ref-architecture-aws/features/network/vpc-traffic-out.md similarity index 94% rename from docs/reference/features/network/vpc-traffic-out.md rename to docs/user-guide/ref-architecture-aws/features/network/vpc-traffic-out.md index f8cbd6f22..48ca24b08 100644 --- a/docs/reference/features/network/vpc-traffic-out.md +++ b/docs/user-guide/ref-architecture-aws/features/network/vpc-traffic-out.md @@ -26,7 +26,7 @@ [Centralized Network Firewall deployment model](https://aws.amazon.com/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall/), North-South: Centralized internet egress (VPC to internet via Transit Gateway) and NAT gateway. -![leverage-aws-tgw](../../../assets/images/diagrams/aws-tgw-nfw.png "Leverage"){: style="width:1600px"} +![leverage-aws-tgw](../../../../assets/images/diagrams/aws-tgw-nfw.png "Leverage"){: style="width:1600px"}
Figure: Multi-account dedicated network transit gateway + network firewall architecture diagram. (Source: binbash Leverage, diff --git a/docs/reference/features/organization/accounts.md b/docs/user-guide/ref-architecture-aws/features/organization/accounts.md similarity index 94% rename from docs/reference/features/organization/accounts.md rename to docs/user-guide/ref-architecture-aws/features/organization/accounts.md index a8c7bad3b..a89863847 100644 --- a/docs/reference/features/organization/accounts.md +++ b/docs/user-guide/ref-architecture-aws/features/organization/accounts.md @@ -1,6 +1,5 @@ -# AWS Organization Accounts description -Our default AWS Organizations terraform layout solution includes `5 accounts + 1` or **N Accts** (if you invite pre-existing AWS Account/s). - +# Managing Accounts +Our default AWS Organizations terraform layout solution includes `5 accounts + 1` or **N accounts** (if you invite pre-existing AWS Accounts). | Account | Description | |-----------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| 
@@ -10,4 +9,4 @@ Our default AWS Organizations terraform layout solution includes `5 accounts + 1 | Network | Intended for centralized networking management via Transit Gateway (TGW), supports a centralized outbound traffic setup and the integration of AWS Network Firewall (NFW) | | Legacy | Your pre existing AWS Accounts to be invited as members of the new AWS Organization, probably several services and workloads are going to be progressively migrated to your new Accounts. | | Apps DevStg | Host your DEV, QA and STG environment workloads Compute / Web App Servers (K8s Clusters and Lambda Functions), Load Balancers, DB Servers, Caching Services, Job queues & Servers, Data, Storage, CDN | -| Apps Prod | Host your PROD environment workloads Compute / Web App Servers (K8s Clusters and Lambda Functions), Load Balancers, DB Servers, Caching Services, Job queues & Servers, Data, Storage, CDN | \ No newline at end of file +| Apps Prod | Host your PROD environment workloads Compute / Web App Servers (K8s Clusters and Lambda Functions), Load Balancers, DB Servers, Caching Services, Job queues & Servers, Data, Storage, CDN | diff --git a/docs/reference/features/organization/billing.md b/docs/user-guide/ref-architecture-aws/features/organization/billing.md similarity index 92% rename from docs/reference/features/organization/billing.md rename to docs/user-guide/ref-architecture-aws/features/organization/billing.md index cd868d051..07f74bb27 100644 --- a/docs/reference/features/organization/billing.md +++ b/docs/user-guide/ref-architecture-aws/features/organization/billing.md 
@@ -1,11 +1,10 @@ -# AWS Organizations Billing +# Billing ## Overview - Each month AWS charges your payer **Root Account** for all the linked accounts in a consolidated bill. The following illustration shows an example of a consolidated bill. -![leverage-aws-org](../../../assets/images/diagrams/aws-organizations-scp.png "Leverage"){: style="width:750px"} +![leverage-aws-org](../../../../assets/images/diagrams/aws-organizations-scp.png "Leverage"){: style="width:750px"}
Figure: AWS Organization Multi-Account structure (just as reference). (Source: Andreas Wittig, @@ -14,7 +13,7 @@ The following illustration shows an example of a consolidated bill. Cloudonaut.io Blog, accessed November 18th 2020).
-![leverage-aws-org](../../../assets/images/diagrams/aws-organizations-billing.png "Leverage"){: style="width:750px"} +![leverage-aws-org](../../../../assets/images/diagrams/aws-organizations-billing.png "Leverage"){: style="width:750px"}
Figure: AWS Organization Multi-Account billing structure (just as reference). (Source: AWS, diff --git a/docs/reference/features/organization/organization-init.md b/docs/user-guide/ref-architecture-aws/features/organization/configuration.md similarity index 91% rename from docs/reference/features/organization/organization-init.md rename to docs/user-guide/ref-architecture-aws/features/organization/configuration.md index b3f1b2d3c..13a8a48b5 100644 --- a/docs/reference/features/organization/organization-init.md +++ b/docs/user-guide/ref-architecture-aws/features/organization/configuration.md @@ -1,15 +1,9 @@ -# Reference Architecture: Terraform AWS Organizations account baseline - -!!! help "How it works" - :books: [**documentation:** organization](../../../../how-it-works/features/organization/organization/) - - :books: [**documentation:** organization accounts](../../../../how-it-works/features/organization/accounts/) +# Configuration ## User guide ### Pre-requisites - -You'll need an email to [create and register your AWS Organization Root Account](https://aws.amazon.com/premiumsupport/knowledge-center/create-and-activate-aws-account/). +You'll need an email to [create and register your AWS Organization Management Account](https://aws.amazon.com/premiumsupport/knowledge-center/create-and-activate-aws-account/). For this purpose we recommend to avoid using a personal email account. Instead, whenever possible, it should ideally be associated, with a **distribution list email** such as a [**GSuite Group**](https://support.google.com/a/answer/2727156?hl=en) to ensure the proper admins member's team 
@@ -59,13 +53,13 @@ the aliases automatically implicitly when running Terraform's Leverage code. 3. Via AWS Web Console: in `project-management` account create `mgmt-org-admin` IAM user AWS ACCESS KEYS - :ledger: **NOTE:** This could be created all in one in the previous step (Nº 2). - ![leverage-org](../../../assets/images/screenshots/aws-iam-org-mgmt-admin-user-permissions.png "Leverage"){: style="width:950px"} + ![leverage-org](../../../../assets/images/screenshots/aws-iam-org-mgmt-admin-user-permissions.png "Leverage"){: style="width:950px"}
Figure: AWS Web Console screenshot. (Source: binbash, "AWs Organization management account init IAM admin user", accessed June 16th 2021).
- ![leverage-org](../../../assets/images/screenshots/aws-iam-org-mgmt-admin-user-keys.png "Leverage"){: style="width:950px"} + ![leverage-org](../../../../assets/images/screenshots/aws-iam-org-mgmt-admin-user-keys.png "Leverage"){: style="width:950px"}
Figure: AWS Web Console screenshot. (Source: binbash, "AWs Organization management account init IAM admin user", accessed June 16th 2021). diff --git a/docs/reference/features/organization/organization-legacy-accounts.md b/docs/user-guide/ref-architecture-aws/features/organization/legacy-accounts.md similarity index 84% rename from docs/reference/features/organization/organization-legacy-accounts.md rename to docs/user-guide/ref-architecture-aws/features/organization/legacy-accounts.md index 800d0f529..f88960695 100644 --- a/docs/reference/features/organization/organization-legacy-accounts.md +++ b/docs/user-guide/ref-architecture-aws/features/organization/legacy-accounts.md @@ -1,15 +1,14 @@ -# Reference Architecture: Terraform AWS Organizations invite pre-existing (legacy) accounts +# Managing legacy (pre-existing) accounts !!! help "How it works" - :books: [**documentation:** organization](../../../../how-it-works/features/organization/organization/) + :books: [**documentation:** organization](../../../../how-it-works/user-guide/organization/organization/) - :books: [**documentation:** organization accounts](../../../../how-it-works/features/organization/accounts/) + :books: [**documentation:** organization accounts](../../../../how-it-works/user-guide/organization/accounts/) ## User guide ### Pre-requisites - You must have your AWS Organization deployed and access to your Management account as -described in the [/user-guide/features/organization/organization-init](./organization-init.md) section. +described in the [/user-guide/user-guide/organization/organization-init](./organization-init.md) section. ## Invite AWS pre-existing (legacy) accounts to your AWS Organization !!! example "AWS Org pre-existing accounts invitation" 
diff --git a/docs/reference/features/organization/organization.md b/docs/user-guide/ref-architecture-aws/features/organization/overview.md similarity index 96% rename from docs/reference/features/organization/organization.md rename to docs/user-guide/ref-architecture-aws/features/organization/overview.md index 8e8cff3bb..bca29797c 100644 --- a/docs/reference/features/organization/organization.md +++ b/docs/user-guide/ref-architecture-aws/features/organization/overview.md @@ -1,4 +1,4 @@ -# Reference Architecture: Terraform AWS Organizations Account Baseline +# AWS Organizations ## Overview This repository contains all Terraform configuration files used to create binbash Leverage Reference @@ -36,7 +36,7 @@ The following block provides a brief explanation of the chosen AWS Organization ... ``` -![leverage-aws-org](../../../assets/images/diagrams/ref-architecture-aws-landing-zone-full.png "Leverage"){: style="width:750px"} +![leverage-aws-org](../../../../assets/images/diagrams/ref-architecture-aws-landing-zone-full.png "Leverage"){: style="width:750px"}
Figure: AWS Organization multi-account architecture diagram (just as reference). (Source: binbash Leverage, @@ -81,7 +81,6 @@ binbash Leverage Doc, accessed August 4th 2021). to be migrated. ## Read more - !!! info "AWS reference links" Consider the following AWS official links as reference: @@ -90,4 +89,4 @@ binbash Leverage Doc, accessed August 4th 2021). - :orange_book: [**AWS Muttiple Account Security Strategy**](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-sharing-logs.html) - :orange_book: [**AWS Multiple Account Billing Strategy**](https://aws.amazon.com/answers/account-management/aws-multi-account-billing-strategy/) - :orange_book: [**AWS Secure Account Setup**](https://aws.amazon.com/answers/security/aws-secure-account-setup/) - - :orange_book: [**Authentication and Access Control for AWS Organizations**](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_permissions.html) (keep in mind EC2 and other services can also use AWS IAM Roles to get secure cross-account access) \ No newline at end of file + - :orange_book: [**Authentication and Access Control for AWS Organizations**](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_permissions.html) (keep in mind EC2 and other services can also use AWS IAM Roles to get secure cross-account access) diff --git a/docs/reference/features/reliability/backups.md b/docs/user-guide/ref-architecture-aws/features/reliability/backups.md similarity index 82% rename from docs/reference/features/reliability/backups.md rename to docs/user-guide/ref-architecture-aws/features/reliability/backups.md index c503b8798..40dfa16ac 100644 --- a/docs/reference/features/reliability/backups.md +++ b/docs/user-guide/ref-architecture-aws/features/reliability/backups.md 
@@ -20,7 +20,7 @@ and retention management. AWS Backup provides a fully managed, policy-based backup solution, simplifying your backup management, enabling you to meet your business and regulatory backup compliance requirements. -![leverage-aws-backup](../../../assets/images/diagrams/aws-backup.png "Leverage"){: style="width:950px"} +![leverage-aws-backup](../../../../assets/images/diagrams/aws-backup.png "Leverage"){: style="width:950px"}
Figure: AWS Backup service diagram (just as reference). (Source: AWS, @@ -28,11 +28,11 @@ AWS Documentation, accessed November 18th 2020).
-## ![leverage-aws-s3](../../../assets/images/icons/aws-emojipack/Storage_AmazonS3.png "Leverage"){: style="width:30px"} S3 bucket region replication -* ![leverage-aws-s3](../../../assets/images/icons/aws-emojipack/Storage_AmazonS3_bucket.png "Leverage"){: style="width:20px"} +## ![leverage-aws-s3](../../../../assets/images/icons/aws-emojipack/Storage_AmazonS3.png "Leverage"){: style="width:30px"} S3 bucket region replication +* ![leverage-aws-s3](../../../../assets/images/icons/aws-emojipack/Storage_AmazonS3_bucket.png "Leverage"){: style="width:20px"} Buckets that hold data critical to business or to application operation can be replicated to another region almost synchronously. -* ![leverage-aws-s3](../../../assets/images/icons/aws-emojipack/Storage_AmazonS3_bucket.png "Leverage"){: style="width:20px"} +* ![leverage-aws-s3](../../../../assets/images/icons/aws-emojipack/Storage_AmazonS3_bucket.png "Leverage"){: style="width:20px"} This can be setup on request to increase durability and along with database backup can constitute the base for a Business Continuity strategy. diff --git a/docs/reference/features/reliability/dr.md b/docs/user-guide/ref-architecture-aws/features/reliability/dr.md similarity index 94% rename from docs/reference/features/reliability/dr.md rename to docs/user-guide/ref-architecture-aws/features/reliability/dr.md index d08361145..4de66a716 100644 --- a/docs/reference/features/reliability/dr.md +++ b/docs/user-guide/ref-architecture-aws/features/reliability/dr.md @@ -38,7 +38,7 @@ After deciding RTO and RPO we have options available to achieve the time objecti that is available, this can even be performed automatically with Route53 or other DNS services that provide health check mechanisms as well as load balancing. -![leverage-aws-dr](../../../assets/images/diagrams/aws-route53-dns-dr.png "Leverage"){: style="width:800px"} +![leverage-aws-dr](../../../../assets/images/diagrams/aws-route53-dns-dr.png "Leverage"){: style="width:800px"}
Figure: 2 sets of app instances, each behind an elastic load balancer in two separate regions (just as reference). (Source: Randika Rathugamage, @@ -47,7 +47,7 @@ After deciding RTO and RPO we have options available to achieve the time objecti Medium blogpost, accessed December 1st 2020).
-![leverage-aws-dr](../../../assets/images/diagrams/aws-route53-dns-health-checks.png "Leverage"){: style="width:800px"} +![leverage-aws-dr](../../../../assets/images/diagrams/aws-route53-dns-health-checks.png "Leverage"){: style="width:800px"}
Figure: AWS calculated — or parent — health check, we can fail on any number of child health checks (just as reference). (Source: Simon Tabor, diff --git a/docs/reference/features/reliability/high-availability.md b/docs/user-guide/ref-architecture-aws/features/reliability/high-availability.md similarity index 88% rename from docs/reference/features/reliability/high-availability.md rename to docs/user-guide/ref-architecture-aws/features/reliability/high-availability.md index 3303a5839..cbfe7a310 100644 --- a/docs/reference/features/reliability/high-availability.md +++ b/docs/user-guide/ref-architecture-aws/features/reliability/high-availability.md @@ -6,7 +6,7 @@ It keeps an AWS environment reliable. Using logs and metrics from CloudWatch, designing a system where the failures themselves trigger recovery is the way to move forward. -![leverage-aws-reliability](../../../assets/images/diagrams/aws-reliability-ha-recovery-failure.png "Leverage"){: style="width:750px"} +![leverage-aws-reliability](../../../../assets/images/diagrams/aws-reliability-ha-recovery-failure.png "Leverage"){: style="width:750px"}
Figure: AWS HA architecture diagrams (just as reference).
## Recovery Procedures @@ -17,7 +17,7 @@ that can be done using these insights. Real points of failure are exploited and the way the environment reacts to the emergency shows just how reliable the system it. -![leverage-aws-reliability](../../../assets/images/diagrams/aws-reliability-ha-recovery-procs.png "Leverage"){: style="width:750px"} +![leverage-aws-reliability](../../../../assets/images/diagrams/aws-reliability-ha-recovery-procs.png "Leverage"){: style="width:750px"}
Figure: AWS HA architecture diagrams (just as reference).
## Scalability and Availability @@ -27,7 +27,7 @@ measures. Of course, multiple redundancies require good management and maintenance for them to remain active through the environment’s lifecycle. -![leverage-aws-reliability](../../../assets/images/diagrams/aws-reliability-ha-recovery-scaling.png "Leverage"){: style="width:750px"} +![leverage-aws-reliability](../../../../assets/images/diagrams/aws-reliability-ha-recovery-scaling.png "Leverage"){: style="width:750px"}
Figure: AWS HA scalable architecture diagrams (just as reference).
## Healthchecks & Self-healing diff --git a/docs/reference/features/secrets/secrets.md b/docs/user-guide/ref-architecture-aws/features/secrets/secrets.md similarity index 91% rename from docs/reference/features/secrets/secrets.md rename to docs/user-guide/ref-architecture-aws/features/secrets/secrets.md index 05bd09e1c..23822e886 100644 --- a/docs/reference/features/secrets/secrets.md +++ b/docs/user-guide/ref-architecture-aws/features/secrets/secrets.md @@ -1,4 +1,4 @@ -# Secret and password mgmt tools +# Secrets and Passwords Management ## Overview @@ -20,4 +20,4 @@ Ensure scalability, availability and persistence, as well as secure, hierarchica !!! info "Related articles" * :ledger: [A Comparison of Secrets Managers for AWS](https://blog.scalesec.com/a-comparison-of-secrets-managers-for-aws-ba64e8029314) - * :ledger: [Clean Up Your Secrets & Credential Management](https://www.hashicorp.com/resources/clean-up-your-secrets-and-credential-management-first-steps-with-hashicorp-vault/) \ No newline at end of file + * :ledger: [Clean Up Your Secrets & Credential Management](https://www.hashicorp.com/resources/clean-up-your-secrets-and-credential-management-first-steps-with-hashicorp-vault/) diff --git a/docs/reference/features/security/audit-cloudtrail.md b/docs/user-guide/ref-architecture-aws/features/security/audit-cloudtrail.md similarity index 90% rename from docs/reference/features/security/audit-cloudtrail.md rename to docs/user-guide/ref-architecture-aws/features/security/audit-cloudtrail.md index 35dedf560..f95c6e5d1 100644 --- a/docs/reference/features/security/audit-cloudtrail.md +++ b/docs/user-guide/ref-architecture-aws/features/security/audit-cloudtrail.md @@ -1,7 +1,6 @@ # Audit | CloudTrail -## Feature Overview - +## Overview AWS CloudTrail monitors and records account activity across your AWS infrastructure, giving you control over storage, analysis, and remediation actions. 
@@ -14,14 +13,14 @@ giving you control over storage, analysis, and remediation actions. time will be available through a centralized S3 bucket.
- ![Cloudtrail Diagram](../../../assets/images/diagrams/aws-cloudtrail.svg){ width="600" } + ![Cloudtrail Diagram](../../../../assets/images/diagrams/aws-cloudtrail.svg){ width="600" }
Figure: AWS CloudTrail components architecture diagram (just as reference). (Source: binbash Leverage diagrams, accessed July 6th 2022).
-!!! example "![leverage-tf](../../../assets/images/logos/terraform.png "Terraform"){: style="width:25px"} IaC Terraform Codebase <>" +!!! example "![leverage-tf](../../../../assets/images/logos/terraform.png "Terraform"){: style="width:25px"} IaC Terraform Codebase <>" - [x] `binbash-management` account | Audit: Cloudtrail - **Code:** [management/us-east-1/security-audit](https://github.com/binbashar/le-tf-infra-aws/tree/master/management/us-east-1/security-audit) - [x] `binbash-security` account | Audit: Cloudtrail & S3 Bucket @@ -36,7 +35,6 @@ giving you control over storage, analysis, and remediation actions. - **Code:** [network/us-east-1/security-audit](https://github.com/binbashar/le-tf-infra-aws/tree/master/network/us-east-1/security-audit) ## Read more - !!! info "AWS reference links" Consider the following AWS official links as reference: diff --git a/docs/reference/features/security/certificates.md b/docs/user-guide/ref-architecture-aws/features/security/certificates.md similarity index 92% rename from docs/reference/features/security/certificates.md rename to docs/user-guide/ref-architecture-aws/features/security/certificates.md index 6d7e7af56..7b621f814 100644 --- a/docs/reference/features/security/certificates.md +++ b/docs/user-guide/ref-architecture-aws/features/security/certificates.md @@ -28,7 +28,7 @@ With AWS Certificate Manager Private Certificate Authority, you pay monthly for the operation of the private CA and for the private certificates you issue."_ -![leverage-aws-acm](../../../assets/images/diagrams/aws-acm.png "Leverage ACM"){: style="width:450px"} +![leverage-aws-acm](../../../../assets/images/diagrams/aws-acm.png "Leverage ACM"){: style="width:450px"}
Figure: AWS certificate manager (ACM) service integration diagram. (Source: AWS, @@ -50,7 +50,7 @@ AWS Documentation Amazon ACM User Guide, accessed August 4th 2021). - [x] It is loosely based upon the work of kube-lego and has borrowed some wisdom from other similar projects such as kube-cert-manager. -![leverage-aws-vpc-peering](../../../assets/images/diagrams/cert-manager.svg "Leverage Cert-manager"){: style="width:800px"} +![leverage-aws-vpc-peering](../../../../assets/images/diagrams/cert-manager.svg "Leverage Cert-manager"){: style="width:800px"}
Figure: Certificate manager high level components architecture diagram. (Source: Cert-manager official documentation, diff --git a/docs/user-guide/ref-architecture-aws/features/security/firewall-manager.md b/docs/user-guide/ref-architecture-aws/features/security/firewall-manager.md new file mode 100644 index 000000000..26baba314 --- /dev/null +++ b/docs/user-guide/ref-architecture-aws/features/security/firewall-manager.md @@ -0,0 +1,14 @@ +# Firewall Manager + +![Firewall Manager Service](../../../../assets/images/diagrams/aws-fms.png) + +## Use Cases + +- [x] **Network Firewall rules**: Security administrators will be able to deploy firewall rules for AWS Network Firewall to control traffic leaving and entering your network across accounts and Amazon VPCs, from the Security account. +- [x] **WAF & WAF v2**: Your security administrators will able to deploy WAF and WAF v2 rules, and Managed rules for WAF to be used on Application Load Balancers, API Gateways and Amazon CloudFront distributions. +- [x] **Route 53 Resolver DNS Firewall rules**: Deploy Route 53 Resolver DNS Firewall rules from the Security account to enforce firewall rules across your organization. +- [x] **Audit Security Groups**: You can create policies to set guardrails that define what security groups are allowed/disallowed across your VPCs. AWS Firewall Manager continuously monitors security groups to detect overly permissive rules, and helps improve firewall posture. You can get notifications of accounts and resources that are non-compliant or allow AWS Firewall Manager to take action directly through auto-remediation. +- [x] **Security Groups**: Use AWS Firewall Manager to create a common primary security group across your EC2 instances in your VPCs. + +### Read More +- [x] [AWS Firewall Manager](https://aws.amazon.com/firewall-manager/) 
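Review bot: In the second "Use Cases" bullet of the new firewall-manager.md, `Your security administrators will able to deploy WAF and WAF v2 rules` is missing a verb and should read `will be able to deploy`. The closing heading `### Read More` is one level deeper than the `## Read more` the sibling feature pages in this patch use (see audit-cloudtrail.md), so it will render as a subsection of "Use Cases"; use `## Read More`. The page also jumps from the title straight to the diagram with no `## Overview` sentence, unlike the other security feature pages touched here.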
diff --git a/docs/reference/features/security/iam-access-analyzer.md b/docs/user-guide/ref-architecture-aws/features/security/iam-access-analyzer.md similarity index 88% rename from docs/reference/features/security/iam-access-analyzer.md rename to docs/user-guide/ref-architecture-aws/features/security/iam-access-analyzer.md index 4e84bb2b6..fdde311f7 100644 --- a/docs/reference/features/security/iam-access-analyzer.md +++ b/docs/user-guide/ref-architecture-aws/features/security/iam-access-analyzer.md @@ -13,11 +13,11 @@ Supported resource types: - [x] Amazon Simple Queue Service queues - [x] AWS Secrets Manager secrets -![leverage-vpn](../../../assets/images/diagrams/aws-iam-access-analyzer.png "Leverage"){: style="width:650px"} +![leverage-vpn](../../../../assets/images/diagrams/aws-iam-access-analyzer.png "Leverage"){: style="width:650px"}
Figure: AWS IAM access analysis features. (Source: AWS, - + "How it works - monitoring external access to resources", AWS Documentation, accessed June 11th 2021).
@@ -50,7 +50,7 @@ AWS Documentation, accessed June 11th 2021). ``` ## AWS Web Console -![leverage-security-iam](../../../assets/images/screenshots/aws-iam-access-analyzer.png "Leverage"){: style="width:950px"} +![leverage-security-iam](../../../../assets/images/screenshots/aws-iam-access-analyzer.png "Leverage"){: style="width:950px"}
Figure: AWS Web Console screenshot. (Source: binbash, "IAM access analyzer service", accessed June 11th 2021). diff --git a/docs/user-guide/ref-architecture-aws/features/security/overview.md b/docs/user-guide/ref-architecture-aws/features/security/overview.md new file mode 100644 index 000000000..0edb3cd9e --- /dev/null +++ b/docs/user-guide/ref-architecture-aws/features/security/overview.md 
@@ -0,0 +1,32 @@ +# Security + +## Supported AWS Security Services +- [x] ![aws-service](../../../../assets/images/icons/aws-emojipack/SecurityIdentityCompliance_IAM.png){: style="width:30px"} + **AWS IAM Access Analyzer:** Generates comprehensive findings that identify resources policies for public or + cross-account accessibility, monitors and helps you refine permissions. Provides the highest levels of security assurance. +- [x] ![aws-service](../../../../assets/images/icons/aws-emojipack/SecurityIdentityCompliance_Config.png){: style="width:30px"} + **AWS Config:** Tracks changes made to AWS resources over time, making possible to return to a previous state. + Monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded + configurations against desired compliance rule set. Adds accountability factor. +- [x] ![aws-service](../../../../assets/images/icons/aws-emojipack/SecurityIdentityCompliance_CloudTrail.png){: style="width:30px"} + **AWS Cloudtrail:** Stores logs over all calls made to AWS APIs, coming from web console, command line or any + other. Allowing us to monitor it via CW Dashboards and notifications. +- [x] ![aws-service](../../../../assets/images/icons/aws-emojipack/NetworkingContentDelivery_AmazonVPC_flowlogs.png){: style="width:30px"} + **AWS VPC Flow Logs:** Enables us to examine individual Network Interfaces logs, to address network issues and + also monitor suspicious behavior. +- [x] ![aws-service](../../../../assets/images/icons/aws-emojipack/SecurityIdentityCompliance_AWSWAF.png){: style="width:30px"} + **AWS Web Application Firewall:** Optional but if not used, it is recommended that a similar service is used, + such as Cloudflare. When paired to an Application Load Balancer or Cloudfront distribution, it checks incoming + requests to detect and block OWASP Top10 attacks, such as SQL injection, XSS and others. 
+- [x] ![aws-service](../../../../assets/images/icons/aws-emojipack/SecurityIdentityCompliance_AmazonInspector.png){: style="width:30px"} + **AWS Inspector:** Is an automated security assessment service that helps improve the security and compliance + of infrastructure and applications deployed on AWS. +- [x] ![aws-service](../../../../assets/images/icons/aws-emojipack/SecurityIdentityCompliance_AmazonGuardDuty.png){: style="width:30px"} + **AWS GuardDuty:** Is a managed [threat](https://youtu.be/czsuZXQvD8E?t=947) detection service that + continuously monitors for malicious or unauthorized behavior to help you protect your AWS accounts and + workloads. Detects unusual API calls or potentially unauthorized deployments (possible account compromise) + and potentially compromised instances or reconnaissance by attackers. +- [x] ![aws-service](../../../../assets/images/icons/aws-emojipack/ManagementTools_AmazonCloudWatch.png){: style="width:30px"} + **AWS Security Logs** Other access logs from client-facing resources will be stored in the Security account. +- [x] ![aws-service](../../../../assets/images/icons/aws-emojipack/AWS_Firewall_Manager.png){: style="width:30px"} + **AWS Firewall Manager** Is a security management service which allows you to centrally configure and manage firewall rules across your accounts and applications in AWS Organizations. This service lets you build firewall rules, create security policies, and enforce them in a consistent, hierarchical manner across your entire infrastructure, from a central administrator account. diff --git a/docs/reference/features/security/vpn.md b/docs/user-guide/ref-architecture-aws/features/security/vpn.md similarity index 93% rename from docs/reference/features/security/vpn.md rename to docs/user-guide/ref-architecture-aws/features/security/vpn.md index 0015230a9..6b81a201a 100644 --- a/docs/reference/features/security/vpn.md +++ b/docs/user-guide/ref-architecture-aws/features/security/vpn.md 
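Review bot: Several bullets in the new security/overview.md need copy fixes before merge: `**AWS Security Logs** Other access logs...` and `**AWS Firewall Manager** Is a security management service...` lack the colon after the bold name that every other entry uses; `making possible to return to a previous state` should read `making it possible`; `Allowing us to monitor it via CW Dashboards and notifications.` is a sentence fragment (join it to the preceding sentence and spell out CloudWatch); `identify resources policies` should be `resource policies`; and the service name is `CloudTrail`, as written in audit-cloudtrail.md in this same patch. The sentence `Provides the highest levels of security assurance.` on the IAM Access Analyzer entry is marketing copy that says nothing about what the service does; the preceding sentence already describes it, so drop this one.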
@@ -14,7 +14,7 @@ 2. Each VPN user can be required to use MFA to connect via VPN (as well as strong passwords). This combination makes almost impossible for an outsider to gain access via VPN. 3. Centralized access and audit logs. -![leverage-vpn](../../../assets/images/diagrams/ref-architecture-vpn.png "Leverage"){: style="width:650px"} +![leverage-vpn](../../../../assets/images/diagrams/ref-architecture-vpn.png "Leverage"){: style="width:650px"}
Figure: Securing access to a private network with Pritunl diagram. (Source: Pritunl, diff --git a/docs/reference/features/sso/configuration.md b/docs/user-guide/ref-architecture-aws/features/sso/configuration.md similarity index 95% rename from docs/reference/features/sso/configuration.md rename to docs/user-guide/ref-architecture-aws/features/sso/configuration.md index 64306ca4e..0261a025f 100644 --- a/docs/reference/features/sso/configuration.md +++ b/docs/user-guide/ref-architecture-aws/features/sso/configuration.md @@ -6,7 +6,7 @@ Before deploying your AWS SSO definition in the project, it will first have to b !!! note ":books: [Prerequisites](https://docs.aws.amazon.com/singlesignon/latest/userguide/prereqs.html)" !!! info ":books: [Enable AWS SSO](https://docs.aws.amazon.com/singlesignon/latest/userguide/step1.html)" -After that, choosing and configuring an Identity Provider (IdP) is the next step. For this, we will make use of JumpCloud, as described in the [how it works](../../../how-it-works/features/sso/sso.md) section. These resources point to all requirements and procedures to have your JumpCloud account setup and synched with AWS SSO: +After that, choosing and configuring an Identity Provider (IdP) is the next step. For this, we will make use of JumpCloud, as described in the [how it works](../../../how-it-works/user-guide/sso/sso.md) section. These resources point to all requirements and procedures to have your JumpCloud account setup and synched with AWS SSO: !!! info ":books: [AWS JumpCloud support guide](https://docs.aws.amazon.com/singlesignon/latest/userguide/jumpcloud-idp.html)" !!! info ":books: [JumpCloud guide on how to configure as IdP for AWS SSO](https://docs.aws.amazon.com/singlesignon/latest/userguide/jumpcloud-idp.html)" 
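Review bot: The changed link in sso/configuration.md looks broken: from the file's new location `docs/user-guide/ref-architecture-aws/features/sso/`, `../../../how-it-works/user-guide/sso/sso.md` resolves to a path under `docs/user-guide/how-it-works/...`, and the `features` to `user-guide` substitution inside the `how-it-works` segment reads like an accidental search-and-replace (the nav hunk in this patch still lists `How it works: "how-it-works/ref-architecture/index.md"` unrenamed). Since the page moved one directory deeper, the prefix needs one more level (`../../../../`) and the `how-it-works` path should stay as it was, or point at wherever the SSO how-it-works page lives after this reorganisation. Separately, the two unchanged `!!! info` lines below it (`AWS JumpCloud support guide` and `JumpCloud guide on how to configure as IdP for AWS SSO`) link to the same URL, so one of them is probably the wrong target.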
diff --git a/docs/reference/features/sso/managing-users.md b/docs/user-guide/ref-architecture-aws/features/sso/managing-users.md similarity index 100% rename from docs/reference/features/sso/managing-users.md rename to docs/user-guide/ref-architecture-aws/features/sso/managing-users.md diff --git a/docs/reference/features/sso/overview.md b/docs/user-guide/ref-architecture-aws/features/sso/overview.md similarity index 95% rename from docs/reference/features/sso/overview.md rename to docs/user-guide/ref-architecture-aws/features/sso/overview.md index f4766dba4..080ac0ac4 100644 --- a/docs/reference/features/sso/overview.md +++ b/docs/user-guide/ref-architecture-aws/features/sso/overview.md @@ -7,7 +7,7 @@ JumpCloud will be configured as the Identity Provider (IdP) that we will integra in order to grant users access to AWS resources from a centralized service. Users will be able to log in to JumpCloud in order to access AWS accounts, using specific permission sets that will in turn determine what kind of actions they are allowed on AWS resources. -![leverage-aws-sso](../../../assets/images/diagrams/aws-sso.png "Leverage"){: style="width:750px"} +![leverage-aws-sso](../../../../assets/images/diagrams/aws-sso.png "Leverage"){: style="width:750px"}
Figure: AWS Organization with SSO + JumpCloud IdP diagram. (Source: binbash Leverage, diff --git a/docs/reference/features/storage/storage.md b/docs/user-guide/ref-architecture-aws/features/storage/storage.md similarity index 94% rename from docs/reference/features/storage/storage.md rename to docs/user-guide/ref-architecture-aws/features/storage/storage.md index deff705b7..18b8a6ec9 100644 --- a/docs/reference/features/storage/storage.md +++ b/docs/user-guide/ref-architecture-aws/features/storage/storage.md @@ -1,10 +1,12 @@ # Storage + +## Overview We will review all S3 buckets in the existing account to determine if it’s necessary to copy over to the new account, evaluate existing bucket policy and tightening permissions to be absolutely minimum required for users and applications. As for EBS volumes, our recommendation is to create all encrypted by default. Overhead created by this process is negligible. -## ![leverage-aws-s3](../../../assets/images/icons/aws-emojipack/Storage_AmazonS3.png "Leverage"){: style="width:30px"} S3 buckets +## ![leverage-aws-s3](../../../../assets/images/icons/aws-emojipack/Storage_AmazonS3.png "Leverage"){: style="width:30px"} S3 buckets !!! important "Tech specs" * [x] **Encryption:** Yes (by default) 
@@ -23,7 +25,7 @@ As for EBS volumes, our recommendation is to create all encrypted by default. Ov | S3 Glacier Deep Archive | Archiving rarely accessed data with a default retrieval time of 12 hours | 99.999999999% | 99.99% (after you restore objects) | >= 3 | 180 days | 40 KB | Per GB retrieval fees apply. You must first restore archived objects before you can access them. For more information, see Restoring archived objects. | | RRS (Not recommended) | Frequently accessed, non-critical data | 99.99% | 99.99% | >= 3 | None | None | None | -## ![leverage-aws-ebs](../../../assets/images/icons/aws-emojipack/Storage_AmazonEBS.png "Leverage"){: style="width:25px"} EBS Volumes +## ![leverage-aws-ebs](../../../../assets/images/icons/aws-emojipack/Storage_AmazonEBS.png "Leverage"){: style="width:25px"} EBS Volumes !!! Important "Tech specs" * [x] **Backups:** Periodic EBS snapshots with retention policy diff --git a/docs/reference/reference-architectures/ref-architecture-aws/overview.md b/docs/user-guide/ref-architecture-aws/overview.md similarity index 64% rename from docs/reference/reference-architectures/ref-architecture-aws/overview.md rename to docs/user-guide/ref-architecture-aws/overview.md index 84adc55fc..5080254b9 100644 --- a/docs/reference/reference-architectures/ref-architecture-aws/overview.md +++ b/docs/user-guide/ref-architecture-aws/overview.md 
@@ -13,29 +13,27 @@ The AWS Reference Architecture was created on a set of opinionated definitions a !!! info "Key Concept" Although the **Reference Architecture for AWS** was initially designed to be compatible with web, mobile and microservices application stacks, it can also accommodate other types of workloads such as machine learning, blockchain, media, and more. - Its design is strongly based on the [AWS Well Architected Framework](../../work-with-us/support.md). - It was designed with modularity in mind. A multi-accounts approach is leveraged in order to improve security isolation and resources separation. Furthermore each account infrastructure is divided in smaller units that we call **layers**. Each layer contains all the required resources and definitions for a specific service or feature to function. +!!! info "Key Concept" + The design is strongly based on the [AWS Well Architected Framework](../../work-with-us/support.md). + Each individual configuration of the Reference Architecture is referred to as a **project**. A Leverage project is comprised of all the relevant accounts and layers. -!!! check "Core Strengths" - - [x] Faster updates (new features and bug fixes). - - [x] Better code quality and modules maturity (proven and tested). - - [x] Supported by binbash, and public modules even by 1000's of top talented Open Source community - contributors. - - [x] Increase development cost savings. - - [x] Clients keep full rights to all commercial, modification, distribution, and private use of the code - (No Lock-In) through forks inside their own projects' repositories (open-source and commercially reusable via [license MIT and Apache 2.0](https://choosealicense.com/licenses/). - -## Reference Architecture Design -The following diagram shows an example of the type of AWS multi-account setup you can achieve with this Reference Architecture: +## Core Strengths +- [x] Faster updates (new features and bug fixes). 
+- [x] Better code quality and modules maturity (proven and tested). +- [x] Supported by binbash, and public modules even by 1000's of top talented Open Source community + contributors. +- [x] Increase development cost savings. +- [x] Clients keep full rights to all commercial, modification, distribution, and private use of the code + (No Lock-In) through forks inside their own projects' repositories (open-source and commercially reusable via [license MIT and Apache 2.0](https://choosealicense.com/licenses/). + +## A More Visual Example +The following diagram shows the type of AWS multi-account setup you can achieve by using this Reference Architecture: ![leverage-aws-org](../../../assets/images/diagrams/ref-architecture-aws.png "Leverage"){: style="width:950px"}
-Figure: AWS Organization multi-account reference architecture diagram. -(Source: binbash Leverage, -"Leverage Reference Architecture components", -binbash Leverage Doc, accessed August 4th 2021). +Figure: AWS Organization multi-account reference architecture diagram. (Source: binbash Leverage, "Leverage Reference Architecture components", binbash Leverage Doc, accessed August 4th 2021).
!!! info "Read more" diff --git a/docs/reference/reference-architectures/ref-architecture-aws/tf-state.md b/docs/user-guide/ref-architecture-aws/tf-state.md similarity index 98% rename from docs/reference/reference-architectures/ref-architecture-aws/tf-state.md rename to docs/user-guide/ref-architecture-aws/tf-state.md index 1b911217c..cbbe84973 100644 --- a/docs/reference/reference-architectures/ref-architecture-aws/tf-state.md +++ b/docs/user-guide/ref-architecture-aws/tf-state.md @@ -23,7 +23,7 @@ Terraform modules registry, accessed December 3rd 2020). 1. Ensure you have [`Leverage CLI`](../../how-it-works/leverage-cli/index.md) installed in your system 2. Refer to [Configuration Pre-requisites](./configs.md) to understand how to set up the configuration files required for this layer. Where you must build your - [Terraform Reference Architecture account structure](../../how-it-works/features/organization/organization.md) + [Terraform Reference Architecture account structure](../../how-it-works/user-guide/organization/organization.md) 3. Leveraged by the [Infrastructure as Code (IaC) Library](../../how-it-works/infra-as-code-library/index.md) through the [terraform-aws-tfstate-backend module](https://registry.terraform.io/modules/binbashar/tfstate-backend/aws/latest) - [/management/base-tf-backend](https://github.com/binbashar/le-tf-infra-aws/tree/master/root/us-east-1/base-tf-backend) diff --git a/docs/user-guide/ref-architecture-aws/workflow.md b/docs/user-guide/ref-architecture-aws/workflow.md new file mode 100644 index 000000000..7aa3924ee --- /dev/null +++ b/docs/user-guide/ref-architecture-aws/workflow.md 
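Review bot: The rewritten link in tf-state.md, `../../how-it-works/user-guide/organization/organization.md`, is the same mechanical `features` to `user-guide` replacement and does not match where the organization pages sit in this patch's nav hunk (`user-guide/ref-architecture-aws/features/organization/overview.md`); from `docs/user-guide/ref-architecture-aws/tf-state.md` that is `./features/organization/overview.md`. The unchanged context line above it, `[`Leverage CLI`](../../how-it-works/leverage-cli/index.md)`, is also stale: the new workflow.md in this patch links the CLI docs at `../leverage-cli/overview.md`. Both links in this step should be checked against a `mkdocs build` run rather than by eye.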
@@ -0,0 +1,50 @@ +# Workflow + +## Overview +The sequence of commands that you run to operate on each layer is called **the Terraform workflow**. In other words, it's what you would typically run in order to create, update, or delete the resources defined in a given layer. + +## The basic workflow +Assuming that you have everything configured, the frequent commands you'll need to run are these: +``` +# 1. Initialize +leverage terraform init + +# 2. Preview any changes +leverage terraform plan + +# 3. Apply any changes +leverage terraform apply +``` + +## The extended workflow +Now, the extended workflow is annotated with more explanations and it is intended for users who haven't yet worked with Leverage on a daily basis: + +!!! check "Terraform Workflow" + 1. Make sure you understood the basic concepts: + - [x] [Overview](overview.md) + - [x] [Configuration](configuration.md) + - [x] [Directory Structure](dir-structure.md) + - [x] [Remote State](tf-state.md) + 2. Make sure you installed the [Leverage CLI](../leverage-cli/overview.md). + 3. Go to the layer (directory) you need to work with, e.g. `shared/global/base-identities/`. + 4. Run `leverage terraform init` -- only the first time you work on this layer, or if you upgraded modules or providers versions, or if you made changes to the Terraform remote backend configuration. + 5. Make any changes you need to make. For instance: modify a resource definition, add an output, add a new resource, etc. + 6. Run `leverage terraform plan` to preview any changes. + 7. Run `leverage terraform apply` to give it a final review and to apply any changes. + +!!! info "Tip" + You can use the `--layers` argument to run Terraform commands on more than one layer. For more information see [here](../leverage-cli/reference/terraform/layers.md) + +!!! 
note + If desired, at step **#5** you could submit a PR, allowing you and the rest of the team to + understand and review what changes would be made to your AWS Cloud Architecture components before executing + `leverage terraform apply` (`terraform apply`). This brings the huge benefit of treating changes with a **GitOps** oriented + approach, basically as we should treat any other code & infrastructure change, and integrate it with the + rest of our tools and practices like CI/CD, in + +## Running in Automation +![leverage-aws-terraform](../../../assets/images/diagrams/aws-terraform-automation.png "Terraform"){: style="width:350"} +
Figure: Running terraform with AWS in automation (just as reference).
+ +!!! info "Read More" + * :ledger: [Running Terraform in automation](https://learn.hashicorp.com/terraform/development/running-terraform-in-automation) diff --git a/docs/user-guide/ref-architecture-eks/components.md b/docs/user-guide/ref-architecture-eks/components.md new file mode 100644 index 000000000..2560f94a0 --- /dev/null +++ b/docs/user-guide/ref-architecture-eks/components.md @@ -0,0 +1,15 @@ +# Components + +## Overview +![leverage-aws-eks](../../../assets/images/diagrams/ref-architecture-eks.png "Leverage"){: style="width:750px"} +
+Figure: K8S EKS reference architecture components diagram. (Source: binbash Leverage Confluence Doc, +"Implementation Diagrams", binbash Leverage Doc, accessed January 5th 2022). +
+ +## Components List +![leverage-aws-eks-detailed](../../../assets/images/diagrams/ref-architecture-eks-components.png "Leverage"){: style="width:750px"} +
+Figure: K8S EKS reference architecture detailed components diagram. (Source: binbash Leverage Confluence Doc, + "Implementation Diagrams", binbash Leverage Doc, accessed January 5th 2022). +
diff --git a/docs/reference/features/compute/k8s-eks/overview.md b/docs/user-guide/ref-architecture-eks/overview.md similarity index 52% rename from docs/reference/features/compute/k8s-eks/overview.md rename to docs/user-guide/ref-architecture-eks/overview.md index 1a631d650..5934e6483 100644 --- a/docs/reference/features/compute/k8s-eks/overview.md +++ b/docs/user-guide/ref-architecture-eks/overview.md @@ -1,5 +1,6 @@ -# Kubernetes AWS EKS +# AWS EKS Reference Architecture +## Overview [**Amazon Elastic Kubernetes Services** (EKS)](https://aws.amazon.com/eks/) is a managed service that makes it easy for you to run **Kubernetes** on AWS without needing to install and operate your own Kubernetes control plane or worker nodes. @@ -12,7 +13,7 @@ to run **Kubernetes** on AWS without needing to install and operate your own Kub - [x] Built with the Community: AWS actively works with the Kubernetes community, including making contributions to the Kubernetes code base helping you take advantage of AWS services. -![leverage-aws-eks](../../../../assets/images/diagrams/aws-k8s-eks.png "Leverage"){: style="width:950px"} +![leverage-aws-eks](../../../../../assets/images/diagrams/aws-k8s-eks.png "Leverage"){: style="width:950px"}
Figure: AWS K8s EKS architecture diagram (just as reference). @@ -22,7 +23,7 @@ to run **Kubernetes** on AWS without needing to install and operate your own Kub AWS Infrastructure & Automation Blog post, accessed November 18th 2020).
-## Version support convention +## Version Support At Leverage we support the last 3 latest stable [Kubernetes version](https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html) releases (at best effort) within our 
@@ -32,3 +33,35 @@ and [IaC Library EKS module](https://github.com/binbashar/terraform-aws-eks) We think this is a good balance between management overhead and an acceptable level of supported versions (at best effort). If your project have and older legacy version we could work along your CloudOps team to safely migrate it to a Leverage supported EKS version. + +## Resources + +### Control Plane +This is the primary resource which defines the cluster. We will create one cluster on each +account: + +- [x] [apps-devstg/us-east-1/k8s-eks](https://github.com/binbashar/le-tf-infra-aws/tree/master/apps-devstg/us-east-1/k8s-eks) +- [x] [apps-prd/us-east-1/k8s-eks](https://github.com/binbashar/le-tf-infra-aws/tree/master/apps-prd/us-east-1/k8s-eks) + +!!! info "Important" + In case of multiple environments hosted in the same cluster as for the one with + Apps Dev and Stage, the workload isolation will be achieved through Kubernetes + features such as namespaces, network policies, RBAC, and others. + +### Data Plane +We have 3 options here: + +- Managed Nodes +- Fargate +- Fargate Spot + +!!! info "Considerations" + Each option has its pros and cons with regard to cost, operation complexity, extensibility, + customization capabilities, features, and management. + + In general we implement Managed Nodes. The main reasons being: + + 1. They allow a high degree of control in terms of the components we can deploy and the features those components can provide to us. For instance we can run ingress controllers and service mesh, among other very customizable resources. + 2. AWS takes care of provisioning and lifecycle management of nodes which is one less task to worry about. + 3. Upgrading Kubernetes versions becomes much simpler and quicker to perform. + 4. We still can, at any time, start using Fargate and Fargate Spot by simply creating a profile for one or both of them, then we only need to move the workloads that we want to run on Fargate profiles of our choice. 
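Review bot: The image path change in ref-architecture-eks/overview.md goes the wrong direction: the file moves from `docs/reference/features/compute/k8s-eks/` (four levels below `docs/`) to `docs/user-guide/ref-architecture-eks/` (two levels), yet the prefix grows from `../../../../assets` to `../../../../../assets`. The security feature pages in this same patch move one level deeper and bump their prefix from three to four `../`, which puts `assets` under `docs/`; by the same rule this page needs `../../assets`, and the new components.md beside it, which uses `../../../assets`, is one level too many as well. Please confirm with the MkDocs build warnings before merging.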
diff --git a/docs/reference/features/compute/k8s-eks/vpc-addressing.md b/docs/user-guide/ref-architecture-eks/vpc.md similarity index 98% rename from docs/reference/features/compute/k8s-eks/vpc-addressing.md rename to docs/user-guide/ref-architecture-eks/vpc.md index b4d1c3b65..d05f9fea3 100644 --- a/docs/reference/features/compute/k8s-eks/vpc-addressing.md +++ b/docs/user-guide/ref-architecture-eks/vpc.md @@ -95,4 +95,4 @@ subnets in each of these VPCs defining Private and Public subnets split among di ## Read More !!! info "EKS Reference Architecture Specs" - In case you would like to further understand the different tech specs and configs for this Ref Arch you could find some details like at the [Features/Compute/K8s EKS](./overview.md) \ No newline at end of file + In case you would like to further understand the different tech specs and configs for this Ref Arch you could find some details like at the [user-guide/Compute/K8s EKS](./overview.md) \ No newline at end of file diff --git a/docs/reference/reference-architectures/ref-architecture-vault/configs.md b/docs/user-guide/ref-architecture-vault/configs.md similarity index 89% rename from docs/reference/reference-architectures/ref-architecture-vault/configs.md rename to docs/user-guide/ref-architecture-vault/configs.md index 4a7f4df46..5ca2e804a 100644 --- a/docs/reference/reference-architectures/ref-architecture-vault/configs.md +++ b/docs/user-guide/ref-architecture-vault/configs.md 
@@ -16,8 +16,8 @@ - File `backend.tfvars` will inject the profile name that TF will use to make changes on AWS. - Such profile is usually one that relies on another profile to assume a role to get access to each corresponding account. - Please follow to correctly setup your AWS Credentials - - [user-guide/features/identities](../features/identities/identities.md) - - [user-guide/features/identities/credentials](../features/identities/credentials.md) + - [user-guide/user-guide/identities](../user-guide/identities/identities.md) + - [user-guide/user-guide/identities/credentials](../user-guide/identities/credentials.md) - Read the following page leverage doc to understand [how to set up a profile to assume a role](https://docs.aws.amazon.com/cli/latest/userguide/cli-roles.html) diff --git a/docs/reference/reference-architectures/ref-architecture-vault/dir-structure.md b/docs/user-guide/ref-architecture-vault/dir-structure.md similarity index 100% rename from docs/reference/reference-architectures/ref-architecture-vault/dir-structure.md rename to docs/user-guide/ref-architecture-vault/dir-structure.md diff --git a/docs/reference/reference-architectures/ref-architecture-vault/tf-state-workflow.md b/docs/user-guide/ref-architecture-vault/tf-state-workflow.md similarity index 100% rename from docs/reference/reference-architectures/ref-architecture-vault/tf-state-workflow.md rename to docs/user-guide/ref-architecture-vault/tf-state-workflow.md diff --git a/docs/reference/reference-architectures/ref-architecture-vault/workflow.md b/docs/user-guide/ref-architecture-vault/workflow.md similarity index 91% rename from docs/reference/reference-architectures/ref-architecture-vault/workflow.md rename to docs/user-guide/ref-architecture-vault/workflow.md index 8449ef1e0..03dee7164 100644 --- a/docs/reference/reference-architectures/ref-architecture-vault/workflow.md +++ b/docs/user-guide/ref-architecture-vault/workflow.md 
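Review bot: The two replaced links in ref-architecture-vault/configs.md, `../user-guide/identities/identities.md` and `../user-guide/identities/credentials.md`, resolve from `docs/user-guide/ref-architecture-vault/` to `docs/user-guide/user-guide/identities/...`, which nothing in this patch creates; the nav hunk places these pages at `user-guide/ref-architecture-aws/features/identities/`. They should be `../ref-architecture-aws/features/identities/identities.md` and `../ref-architecture-aws/features/identities/credentials.md`, with the link labels (`user-guide/user-guide/identities...`) updated to match.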
@@ -9,8 +9,8 @@ [terraform vault pre-requisites](./dir-structure.md) - [x] [Remote State](tf-state-workflow.md) - [x] Configuration files - - [x] [AWS Profile and credentials](../features/identities/credentials.md) - - [x] [Vault token secret](../features/identities/credentials-vault.md) + - [x] [AWS Profile and credentials](../user-guide/identities/credentials.md) + - [x] [Vault token secret](../user-guide/identities/credentials-vault.md) 3. Get into the folder that you need to work with (e.g. `2_identities`) 4. Run `leverage terraform init` 5. Make whatever changes you need to make diff --git a/docs/reference/troubleshooting/credentials.md b/docs/user-guide/troubleshooting/credentials.md similarity index 100% rename from docs/reference/troubleshooting/credentials.md rename to docs/user-guide/troubleshooting/credentials.md diff --git a/mkdocs.yml b/mkdocs.yml index 81385bca9..5f262abb3 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -154,7 +154,7 @@ nav: - Welcome: "welcome.md" - First steps: "try-leverage/introduction.md" - How it works: "how-it-works/ref-architecture/index.md" - - User guide: "reference/index.md" + - User guide: "user-guide/index.md" - Work with us: "work-with-us/index.md" - License: "license.md" 
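Review bot: Same broken target in ref-architecture-vault/workflow.md: `../user-guide/identities/credentials.md` and `../user-guide/identities/credentials-vault.md` should point at `../ref-architecture-aws/features/identities/...`, matching the nav hunk. Note also that the nav hunk comments out the `Credentials Vault` entry (`# - Credentials Vault: "user-guide/ref-architecture-aws/features/identities/credentials-vault.md"`), so this step links to a page being hidden from navigation; either keep the nav entry or drop the `Vault token secret` link here.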
@@ -175,111 +175,109 @@ nav: - Our Tech Stack: "concepts/our-tech-stack.md" - Next Steps: "concepts/next-steps.md" - - Reference: - - Index: "reference/index.md" - - AWS Reference Architecture: - - Overview: "reference/reference-architectures/ref-architecture-aws/overview.md" - - Project Structure: "reference/reference-architectures/ref-architecture-aws/dir-structure.md" - - Configuration: "reference/reference-architectures/ref-architecture-aws/configs.md" - - Credentials: "reference/reference-architectures/ref-architecture-aws/credentials.md" - - Workflow: "reference/reference-architectures/ref-architecture-aws/workflow.md" - - Terraform State: "reference/reference-architectures/ref-architecture-aws/tf-state.md" + - User Guide: + - Index: "user-guide/index.md" + - Reference Architecture for AWS: + - Overview: "user-guide/ref-architecture-aws/overview.md" + - Project Structure: "user-guide/ref-architecture-aws/dir-structure.md" + - Configuration: "user-guide/ref-architecture-aws/configuration.md" + - Workflow: "user-guide/ref-architecture-aws/workflow.md" + - Terraform State: "user-guide/ref-architecture-aws/tf-state.md" - Features: - - Overview: "reference/features/overview.md" - - AWS Organization: - - Organization: "reference/features/organization/organization.md" - - Accounts: "reference/features/organization/accounts.md" - - Billing: "reference/features/organization/billing.md" - - Organization Init: "reference/features/organization/organization-init.md" - - Invite Legacy accounts: "reference/features/organization/organization-legacy-accounts.md" - - Identities: - - gpg: "reference/features/identities/gpg.md" - - Identities: "reference/features/identities/identities.md" - - Credentials: "reference/features/identities/credentials.md" - - Credentials Vault: "reference/features/identities/credentials-vault.md" - - Identities2: "reference/features/identities/identities2.md" - - Roles: "reference/features/identities/roles.md" + - Index: 
"user-guide/ref-architecture-aws/features/index.md" + - AWS Organizations: + - Overview: "user-guide/ref-architecture-aws/features/organization/overview.md" + - Managing Accounts: "user-guide/ref-architecture-aws/features/organization/accounts.md" + - Configuration: "user-guide/ref-architecture-aws/features/organization/configuration.md" + - Billing: "user-guide/ref-architecture-aws/features/organization/billing.md" + - Legacy Accounts: "user-guide/ref-architecture-aws/features/organization/legacy-accounts.md" - SSO: - - Overview: "reference/features/sso/overview.md" - - Configuration: "reference/features/sso/configuration.md" - - Onboarding Users: "reference/features/sso/managing-users.md" - - Costs: "reference/features/costs/costs.md" + - Overview: "user-guide/ref-architecture-aws/features/sso/overview.md" + - Configuration: "user-guide/ref-architecture-aws/features/sso/configuration.md" + - Onboarding Users: "user-guide/ref-architecture-aws/features/sso/managing-users.md" + - Identities: + - Overview: "user-guide/ref-architecture-aws/features/identities/overview.md" + - GPG Keys: "user-guide/ref-architecture-aws/features/identities/gpg.md" + - Identities: "user-guide/ref-architecture-aws/features/identities/identities.md" + - Credentials: "user-guide/ref-architecture-aws/features/identities/credentials.md" + # - Credentials Vault: "user-guide/ref-architecture-aws/features/identities/credentials-vault.md" + - IAM Roles: "user-guide/ref-architecture-aws/features/identities/roles.md" + - Costs: "user-guide/ref-architecture-aws/features/costs/costs.md" - Security: - - Overview: "reference/features/security/overview.md" - - VPN: "reference/features/security/vpn.md" - - Services: "reference/features/security/services.md" - - CloudTrail: "reference/features/security/audit-cloudtrail.md" - - Certificates: "reference/features/security/certificates.md" - - IAM Access Anayzer: "reference/features/security/iam-access-analyzer.md" + - Overview: 
"user-guide/ref-architecture-aws/features/security/overview.md" + - VPN: "user-guide/ref-architecture-aws/features/security/vpn.md" + - CloudTrail: "user-guide/ref-architecture-aws/features/security/audit-cloudtrail.md" + - Certificates: "user-guide/ref-architecture-aws/features/security/certificates.md" + - IAM Access Anayzer: "user-guide/ref-architecture-aws/features/security/iam-access-analyzer.md" + - Firewall Manager: "user-guide/ref-architecture-aws/features/security/firewall-manager.md" - Network: - - VPC: "reference/features/network/vpc-addressing.md" - - VPC Peering: "reference/features/network/vpc-peering.md" - - VPC Topology: "reference/features/network/vpc-topology.md" - - VPC Traffic Out: "reference/features/network/vpc-traffic-out.md" - - DNS: "reference/features/network/dns.md" - - Transit Gateway: "reference/features/network/tgw-topology.md" - - Secrets: "reference/features/secrets/secrets.md" + - VPC: "user-guide/ref-architecture-aws/features/network/vpc-addressing.md" + - VPC Peering: "user-guide/ref-architecture-aws/features/network/vpc-peering.md" + - VPC Topology: "user-guide/ref-architecture-aws/features/network/vpc-topology.md" + - VPC Traffic Out: "user-guide/ref-architecture-aws/features/network/vpc-traffic-out.md" + - DNS: "user-guide/ref-architecture-aws/features/network/dns.md" + - Transit Gateway: "user-guide/ref-architecture-aws/features/network/tgw-topology.md" + - Secrets: "user-guide/ref-architecture-aws/features/secrets/secrets.md" - Compute: - - Overview: "reference/features/compute/overview.md" - - K8s Kops: "reference/features/compute/k8s-kops.md" - - K8s EKS: "reference/features/compute/k8s-eks/overview.md" - - K8s EKS VPC: "reference/features/compute/k8s-eks/vpc-addressing.md" - - K8s Service Mesh: "reference/features/compute/k8s-service-mesh.md" - - Serverless: "reference/features/compute/serverless.md" - - Tools: "reference/features/compute/tools.md" + - Overview: 
"user-guide/ref-architecture-aws/features/compute/overview.md" + - K8s Kops: "user-guide/ref-architecture-aws/features/compute/k8s-kops.md" + - K8s Service Mesh: "user-guide/ref-architecture-aws/features/compute/k8s-service-mesh.md" + - Serverless: "user-guide/ref-architecture-aws/features/compute/serverless.md" + - Tools: "user-guide/ref-architecture-aws/features/compute/tools.md" - Database: - - Databases: "reference/features/database/database.md" - - MySQL: "reference/features/database/mysql.md" - - PostgresSQL: "reference/features/database/postgres.md" - - Storage: "reference/features/storage/storage.md" - - CDN: "reference/features/cdn/cdn.md" - - CI/CD: "reference/features/ci-cd/ci-cd.md" + - Databases: "user-guide/ref-architecture-aws/features/database/database.md" + - MySQL: "user-guide/ref-architecture-aws/features/database/mysql.md" + - PostgresSQL: "user-guide/ref-architecture-aws/features/database/postgres.md" + - Storage: "user-guide/ref-architecture-aws/features/storage/storage.md" + - CDN: "user-guide/ref-architecture-aws/features/cdn/cdn.md" + - CI/CD: "user-guide/ref-architecture-aws/features/ci-cd/ci-cd.md" - Monitoring: - - Monitoring: "reference/features/monitoring/monitoring.md" - - Metrics: "reference/features/monitoring/metrics.md" - - Logs: "reference/features/monitoring/logs.md" - - Tracing: "reference/features/monitoring/tracing.md" - - APM: "reference/features/monitoring/apm.md" + - Monitoring: "user-guide/ref-architecture-aws/features/monitoring/monitoring.md" + - Metrics: "user-guide/ref-architecture-aws/features/monitoring/metrics.md" + - Logs: "user-guide/ref-architecture-aws/features/monitoring/logs.md" + - Tracing: "user-guide/ref-architecture-aws/features/monitoring/tracing.md" + - APM: "user-guide/ref-architecture-aws/features/monitoring/apm.md" - Reliability: - - Backups: "reference/features/reliability/backups.md" - - Disaster Recovery: "reference/features/reliability/dr.md" - - High Availability: 
"reference/features/reliability/high-availability.md" - - EKS Reference Architecture: - - Overview: "reference/reference-architectures/ref-architecture-eks/overview.md" - - Ansible Reference Architecture: - - Overview: "reference/reference-architectures/ref-architecture-ansible/overview.md" - - Configs: "reference/reference-architectures/ref-architecture-ansible/configs.md" - - Workflow: "reference/reference-architectures/ref-architecture-ansible/workflow.md" + - Backups: "user-guide/ref-architecture-aws/features/reliability/backups.md" + - Disaster Recovery: "user-guide/ref-architecture-aws/features/reliability/dr.md" + - High Availability: "user-guide/ref-architecture-aws/features/reliability/high-availability.md" + - Reference Architecture for EKS: + - Overview: "user-guide/ref-architecture-eks/overview.md" + - VPC: "user-guide/ref-architecture-eks/vpc.md" + - Components: "user-guide/ref-architecture-eks/components.md" + - Reference Architecture for Ansible: + - Overview: "user-guide/ref-architecture-ansible/overview.md" + - Configs: "user-guide/ref-architecture-ansible/configs.md" + - Workflow: "user-guide/ref-architecture-ansible/workflow.md" - Leverage CLI: - - Overview: "reference/leverage-cli/overview.md" - - Installation: "reference/leverage-cli/installation.md" - - Basic features: "reference/leverage-cli/basic-features.md" + - Overview: "user-guide/leverage-cli/overview.md" + - Installation: "user-guide/leverage-cli/installation.md" + - Basic features: "user-guide/leverage-cli/basic-features.md" - Commands Reference: - - project: "reference/leverage-cli/reference/project.md" - - credentials: "reference/leverage-cli/reference/credentials.md" - - aws: "reference/leverage-cli/reference/aws.md" + - project: "user-guide/leverage-cli/user-guide/project.md" + - credentials: "user-guide/leverage-cli/user-guide/credentials.md" + - aws: "user-guide/leverage-cli/user-guide/aws.md" - terraform: - - commands: "reference/leverage-cli/reference/terraform.md" - - layers: 
"reference/leverage-cli/reference/terraform/layers.md" - - tfautomv: "reference/leverage-cli/reference/tfautomv.md" - - run: "reference/leverage-cli/reference/run.md" - - kubectl: "reference/leverage-cli/reference/kubectl.md" + - commands: "user-guide/leverage-cli/user-guide/terraform.md" + - layers: "user-guide/leverage-cli/user-guide/terraform/layers.md" + - tfautomv: "user-guide/leverage-cli/user-guide/tfautomv.md" + - run: "user-guide/leverage-cli/user-guide/run.md" + - kubectl: "user-guide/leverage-cli/user-guide/kubectl.md" - Extending Leverage: - - How to extend Leverage: "reference/leverage-cli/extending-leverage/how-to-extend.md" - - The build.env file: "reference/leverage-cli/extending-leverage/build.env.md" - - Custom tasks: "reference/leverage-cli/extending-leverage/tasks.md" - - Private Repositories: "reference/leverage-cli/private-repositories.md" - - Getting shell access: "reference/leverage-cli/shell.md" - - A bit of history: "reference/leverage-cli/history.md" + - How to extend Leverage: "user-guide/leverage-cli/extending-leverage/how-to-extend.md" + - The build.env file: "user-guide/leverage-cli/extending-leverage/build.env.md" + - Custom tasks: "user-guide/leverage-cli/extending-leverage/tasks.md" + - Private Repositories: "user-guide/leverage-cli/private-repositories.md" + - Getting shell access: "user-guide/leverage-cli/shell.md" + - A bit of history: "user-guide/leverage-cli/history.md" - Infra-as-Code Library: - - Overview: "reference/infra-as-code-library/overview.md" - - Forks workflow: "reference/infra-as-code-library/infra-as-code-library-forks.md" - - Specifications: "reference/infra-as-code-library/infra-as-code-library-specs.md" - - Modules by Technology: "reference/infra-as-code-library/modules-library-by-technology.md" + - Overview: "user-guide/infra-as-code-library/overview.md" + - Forks workflow: "user-guide/infra-as-code-library/infra-as-code-library-forks.md" + - Specifications: 
"user-guide/infra-as-code-library/infra-as-code-library-specs.md" + - Modules by Technology: "user-guide/infra-as-code-library/modules-library-by-technology.md" - Work with us: - Overview: "work-with-us/index.md" - - Support: - - Support: "work-with-us/support.md" + - Support: "work-with-us/support.md" - Releases: - Releases and Versions: "work-with-us/releases/releases-and-versions.md" - Versions compatibility matrix: "work-with-us/releases/versions-compatibility-matrix.md" 
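Review bot: several new nav targets in this mkdocs.yml hunk do not line up with the files being moved. `- Configuration: "user-guide/ref-architecture-aws/configuration.md"` replaces an entry that pointed at `configs.md`, and I see no matching rename in this patch, so mkdocs will warn about a missing nav target unless configuration.md exists. The whole Commands Reference block (`- project: "user-guide/leverage-cli/user-guide/project.md"` and siblings) reads like the global `reference` to `user-guide` replacement also rewrote the inner `leverage-cli/reference/` directory name, which is not renamed here either; please verify those paths on disk. `- Credentials: "reference/reference-architectures/ref-architecture-aws/credentials.md"` is removed with no replacement, so if credentials.md survives the move it becomes an orphan that mkdocs reports as not in nav; either re-add it under Reference Architecture for AWS or delete the page. While these lines are being touched, fix the carried-over typos `IAM Access Anayzer` (Analyzer) and `PostgresSQL` (PostgreSQL).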
@@ -300,65 +298,3 @@ nav: #- Testimonials: "work-with-us/testimonials.md" - FAQs: "work-with-us/faqs.md" - Contact Us: https://www.binbash.com.ar/contact - - # - Reference Architecture: - # - Overview: "how-it-works/ref-architecture/index.md" - # - Reference Architecture | AWS: "how-it-works/ref-architecture/ref-architecture-aws.md" - # - Reference Architecture | EKS: "how-it-works/ref-architecture/ref-architecture-eks.md" - # - Considerations: "how-it-works/ref-architecture/considerations.md" - # - Features: - # - Overview: "how-it-works/features/index.md" - # - AWS Organization: - # - Organization: "how-it-works/features/organization/organization.md" - # - Accounts: "how-it-works/features/organization/accounts.md" - # - Billing: "how-it-works/features/organization/billing.md" - # - Identities: - # - Overview: "how-it-works/features/identities/identities.md" - # - IAM Roles: "how-it-works/features/identities/roles.md" - # - SSO: "how-it-works/features/sso/sso.md" - # - Costs: "how-it-works/features/costs/costs.md" - # - Security: - # - Overview: "how-it-works/features/security/overview.md" - # - VPN: "how-it-works/features/security/vpn.md" - # - Services: "how-it-works/features/security/services.md" - # - Certificates: "how-it-works/features/security/certificates.md" - # - Audit | CloudTrail: "how-it-works/features/security/audit-cloudtrail.md" - # - IAM Access Analyzer: "how-it-works/features/security/iam-access-analyzer.md" - # - Network: - # - VPC Topology: "how-it-works/features/network/vpc-topology.md" - # - VPC Addressing: "how-it-works/features/network/vpc-addressing.md" - # - VPC Peering: "how-it-works/features/network/vpc-peering.md" - # - TGW Topology: "how-it-works/features/network/tgw-topology.md" - # - VPC Outbound Traffic: "how-it-works/features/network/vpc-traffic-out.md" - # - DNS: "how-it-works/features/network/dns.md" - # - Secrets: "how-it-works/features/secrets/secrets.md" - # - Compute: - # - Overview: 
"how-it-works/features/compute/overview.md" - # - K8s Kops: "how-it-works/features/compute/k8s-kops.md" - # - K8s EKS: - # - Overview: "how-it-works/features/compute/k8s-eks/overview.md" - # - VPC Addressing: "how-it-works/features/compute/k8s-eks/vpc-addressing.md" - # - K8s Service Mesh: "how-it-works/features/compute/k8s-service-mesh.md" - # - Serverless: "how-it-works/features/compute/serverless.md" - # - Tools: "how-it-works/features/compute/tools.md" - # - Database: - # - Databases: "how-it-works/features/database/database.md" - # - MySQL: "how-it-works/features/database/mysql.md" - # - PostgresSQL: "how-it-works/features/database/postgres.md" - # - Storage: "how-it-works/features/storage/storage.md" - # - CDN: "how-it-works/features/cdn/cdn.md" - # - CI/CD: - # - Overview: "how-it-works/features/ci-cd/ci-cd.md" - # - ArgoCD: "how-it-works/features/ci-cd/k8s-argocd.md" - # - Monitoring: - # - Monitoring: "how-it-works/features/monitoring/monitoring.md" - # - Metrics: "how-it-works/features/monitoring/metrics.md" - # - Logs: "how-it-works/features/monitoring/logs.md" - # - Tracing: "how-it-works/features/monitoring/tracing.md" - # - APM: "how-it-works/features/monitoring/apm.md" - # - Notifications: "how-it-works/features/monitoring/notification_escalation.md" - # - Reliability: - # - Backups: "how-it-works/features/reliability/backups.md" - # - High Availability: "how-it-works/features/reliability/high-availability.md" - # - Health Checks: "how-it-works/features/reliability/health-checks.md" - # - Disaster Recovery: "how-it-works/features/reliability/dr.md" From ed4e1b9389bc12725a8b5af67b7383d68876dcc2 Mon Sep 17 00:00:00 2001 
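Review bot: dropping the commented-out `how-it-works/...` nav block is fine as cleanup, but it was the only mention of pages such as `how-it-works/features/ci-cd/k8s-argocd.md`, `how-it-works/features/monitoring/notification_escalation.md` and `how-it-works/features/reliability/health-checks.md`, none of which has a counterpart in the new `user-guide/` nav added in this same commit. If those files still exist under docs/, either add them to the User Guide nav or remove them in this series so mkdocs stops flagging them as pages not included in the nav.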
From: Diego OJ Date: Sun, 16 Apr 2023 23:42:18 -0300 Subject: [PATCH 04/19] Refactor ansible ref arch --- .../ref-architecture-ansible/configs.md | 36 ------------------- .../ref-architecture-ansible/overview.md | 34 +++++++++++++++++- mkdocs.yml | 1 - 3 files changed, 33 insertions(+), 38 deletions(-) delete mode 100644 docs/user-guide/ref-architecture-ansible/configs.md diff --git a/docs/user-guide/ref-architecture-ansible/configs.md b/docs/user-guide/ref-architecture-ansible/configs.md deleted file mode 100644 index 886147a23..000000000 --- a/docs/user-guide/ref-architecture-ansible/configs.md +++ /dev/null 
@@ -1,36 +0,0 @@ -# Configuration: Ansible Playbooks - -## Overview -This repository contains all the [Ansible Playbooks](https://github.com/binbashar/le-ansible-infra) configuration -files used to create _**binbash Leverage™**_ Reference Architecture for AWS. - -## Ansible Playbook Documentation -Check out the README.md under contained under each repo - -!!! important "Playbooks Documentation" - ![leverage-ansible](../../../assets/images/logos/ansible.png "Leverage"){: style="width:20px"} **User Management & Security** - - - [x] [sec-users](https://github.com/binbashar/le-ansible-infra/blob/master/sec-users/README.md) - - ![leverage-ansible](../../../assets/images/logos/ansible.png "Leverage"){: style="width:20px"} **VPN Server** - - - [x] [vpn-pritunl](https://github.com/binbashar/le-ansible-infra/blob/master/vpn-pritunl/README.md) - - ![leverage-ansible](../../../assets/images/logos/ansible.png "Leverage"){: style="width:20px"} **Monitoring & Alerting** - - - [x] [prometheus-grafana](https://github.com/binbashar/le-ansible-infra/blob/master/prometheus/README.md) - - ![leverage-ansible](../../../assets/images/logos/ansible.png "Leverage"){: style="width:20px"} **Centralized Logs** - - - [x] [eskibana](https://github.com/binbashar/le-ansible-infra/blob/master/eskibana/README.md) - - ![leverage-ansible](../../../assets/images/logos/ansible.png "Leverage"){: style="width:20px"} **CI/CD** - - - [x] [jenkins](https://github.com/binbashar/le-ansible-infra/blob/master/jenkins/README.md) - - [x] [spinnaker](https://github.com/binbashar/le-ansible-infra/blob/master/spinnaker/README.md) - - [x] [droneci](https://github.com/binbashar/le-ansible-infra/blob/master/droneci/README.md) - - [x] [webhook](https://github.com/binbashar/le-ansible-infra/blob/master/webhook-proxy/README.md) - - ![leverage-ansible](../../../assets/images/logos/ansible.png "Leverage"){: style="width:20px"} **Secret Mgmt** - - - [x] 
[hashicorp-vault](https://github.com/binbashar/le-ansible-infra/blob/master/vault/README.md) diff --git a/docs/user-guide/ref-architecture-ansible/overview.md b/docs/user-guide/ref-architecture-ansible/overview.md index e37c8b4d8..edad79289 100644 --- a/docs/user-guide/ref-architecture-ansible/overview.md +++ b/docs/user-guide/ref-architecture-ansible/overview.md 
@@ -1,4 +1,36 @@ # Ansible Reference Architecture ## Overview -TODO What is? +This repository contains all the [Ansible Playbooks](https://github.com/binbashar/le-ansible-infra) configuration +files used to create _**binbash Leverage™**_ Reference Architecture for AWS. + +## Ansible Playbook Documentation +Check out the README.md under contained under each repo + +!!! important "Playbooks Documentation" + ![leverage-ansible](../../../assets/images/logos/ansible.png "Leverage"){: style="width:20px"} **User Management & Security** + + - [x] [sec-users](https://github.com/binbashar/le-ansible-infra/blob/master/sec-users/README.md) + + ![leverage-ansible](../../../assets/images/logos/ansible.png "Leverage"){: style="width:20px"} **VPN Server** + + - [x] [vpn-pritunl](https://github.com/binbashar/le-ansible-infra/blob/master/vpn-pritunl/README.md) + + ![leverage-ansible](../../../assets/images/logos/ansible.png "Leverage"){: style="width:20px"} **Monitoring & Alerting** + + - [x] [prometheus-grafana](https://github.com/binbashar/le-ansible-infra/blob/master/prometheus/README.md) + + ![leverage-ansible](../../../assets/images/logos/ansible.png "Leverage"){: style="width:20px"} **Centralized Logs** + + - [x] [eskibana](https://github.com/binbashar/le-ansible-infra/blob/master/eskibana/README.md) + + ![leverage-ansible](../../../assets/images/logos/ansible.png "Leverage"){: style="width:20px"} **CI/CD** + + - [x] [jenkins](https://github.com/binbashar/le-ansible-infra/blob/master/jenkins/README.md) + - [x] [spinnaker](https://github.com/binbashar/le-ansible-infra/blob/master/spinnaker/README.md) + - [x] [droneci](https://github.com/binbashar/le-ansible-infra/blob/master/droneci/README.md) + - [x] [webhook](https://github.com/binbashar/le-ansible-infra/blob/master/webhook-proxy/README.md) + + ![leverage-ansible](../../../assets/images/logos/ansible.png "Leverage"){: style="width:20px"} **Secret Mgmt** + + - [x] 
[hashicorp-vault](https://github.com/binbashar/le-ansible-infra/blob/master/vault/README.md) diff --git a/mkdocs.yml b/mkdocs.yml index 5f262abb3..537712528 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -247,7 +247,6 @@ nav: - Components: "user-guide/ref-architecture-eks/components.md" - Reference Architecture for Ansible: - Overview: "user-guide/ref-architecture-ansible/overview.md" - - Configs: "user-guide/ref-architecture-ansible/configs.md" - Workflow: "user-guide/ref-architecture-ansible/workflow.md" - Leverage CLI: - Overview: "user-guide/leverage-cli/overview.md" From 5ee4e84b2618fcb60bae4237a6d050740241e455 Mon Sep 17 00:00:00 2001 From: Diego OJ Date: Fri, 21 Apr 2023 18:55:00 -0300 Subject: [PATCH 05/19] Fix links and a few other updates --- docs/concepts/index.md | 2 +- docs/concepts/next-steps.md | 3 +- docs/concepts/our-tech-stack.md | 2 +- docs/concepts/why-our-tech-stack.md | 210 ------------------ docs/try-leverage/aws-account-setup.md | 6 +- docs/try-leverage/index.md | 8 +- docs/try-leverage/leverage-project-setup.md | 6 +- docs/try-leverage/local-setup.md | 4 +- docs/try-leverage/management-account.md | 4 +- docs/try-leverage/post-deployment.md | 6 +- .../features/identities/gpg.md | 2 +- .../features/identities/identities.md | 2 +- .../features/organization/legacy-accounts.md | 2 +- .../ref-architecture-aws/overview.md | 8 +- .../ref-architecture-aws/tf-state.md | 19 +- mkdocs.yml | 16 +- 16 files changed, 45 insertions(+), 255 deletions(-) delete mode 100644 docs/concepts/why-our-tech-stack.md diff --git a/docs/concepts/index.md b/docs/concepts/index.md index 4c627c64b..51afa408e 100644 --- a/docs/concepts/index.md +++ b/docs/concepts/index.md 
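Review bot: check that the six `../../../assets/images/logos/ansible.png` image paths copied into overview.md still resolve at the new location. From docs/user-guide/ref-architecture-ansible/overview.md three `..` steps lead out of docs/ altogether, which only works if mkdocs `docs_dir` is the repository root; if assets live under docs/assets/, the path should be `../../assets/images/logos/ansible.png`. Since the text is being moved anyway, also fix the sentence `Check out the README.md under contained under each repo` to `Check out the README.md contained in each repo`.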
@@ -6,7 +6,7 @@ template: overrides/main.html # Concepts -## Overview +## Welcome! Welcome to Leverage's documentation! Here you will find the concepts you need to understand to work with our stack, the steps to try Leverage for yourself, and extensive documentation about every aspect of our solution. ## Getting Started diff --git a/docs/concepts/next-steps.md b/docs/concepts/next-steps.md index 4cc3568b6..78203afc9 100644 --- a/docs/concepts/next-steps.md +++ b/docs/concepts/next-steps.md @@ -1,6 +1,7 @@ # Next Steps -Now that you know the basic concepts about Leverage feel free to give it a try or check out the Reference section to go deeper into the implementation details. Links down below: +Now that you know the basic concepts about Leverage feel free to [give it a try](../../try-leverage/) or check out the [User Guide](../../user-guide/) section to go deeper into the implementation details. Links down below: +## Learn More :books: See [**Try Leverage**](../../try-leverage/) to take the tutorial that will help you deploy a basic AWS Landing Zone via Leverage. :books: See [**User Guide**](../../user-guide/) to take the comprehensive route to learn more about Leverage. diff --git a/docs/concepts/our-tech-stack.md b/docs/concepts/our-tech-stack.md index 37894ec11..ea845cf77 100644 --- a/docs/concepts/our-tech-stack.md +++ b/docs/concepts/our-tech-stack.md @@ -1,4 +1,4 @@ -# Tech Stack +# Our Tech Stack Leverage was built around the [AWS Well Architected Framework](https://aws.amazon.com/architecture/well-architected/) and it uses a stack that includes [Terraform](https://www.terraform.io/), [Ansible](https://www.ansible.com/), [Helm](https://helm.sh/) and other tools. We are also adopters and supporters of Kubernetes and the Cloud Native movement, which you should become self-evident as you keep exploring our technology stack. diff --git a/docs/concepts/why-our-tech-stack.md b/docs/concepts/why-our-tech-stack.md deleted file mode 100644 index 8c38706e9..000000000 
--- a/docs/concepts/why-our-tech-stack.md +++ /dev/null 
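Review bot: in the next-steps.md hunk, the new `## Learn More` heading is inserted directly after a sentence that ends with `Links down below:`, so the colon now introduces a heading instead of the list it used to announce. Either drop `Links down below:` (the two inline links added in the same line already cover it) or move the heading above the paragraph. In the adjacent our-tech-stack.md hunk, the context line `which you should become self-evident` should read `which should become self-evident`; worth fixing while the heading is being renamed.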
@@ -1,210 +0,0 @@ -## Why we choose our tech stack - -??? info "Why AWS❓" - Amazon Web Services (AWS) is the world’s most comprehensive and broadly adopted - cloud platform, offering over 200 fully featured services from data centers globally. - Millions of customers—including the fastest-growing startups, largest enterprises, - and leading government agencies—are using AWS to lower costs, become more agile, - and innovate faster. - - Build, Deploy, and Manage Websites, Apps or Processes On AWS' Secure, Reliable Network. - AWS is Secure, Reliable, Scalable Services. HIPAA Compliant. - Easily Manage Clusters. Global Infrastructure. Highly Scalable. - - :books: **Read More:** [What is AWS](https://aws.amazon.com/what-is-aws/) - -??? info "Why WAF (Well Architected Framework)❓" - AWS Well-Architected helps cloud architects to build secure, high-performing, resilient, - and efficient infrastructure for their applications and workloads. Based on five pillars - — operational excellence, security, reliability, performance efficiency, and cost - optimization — AWS Well-Architected provides a consistent approach for customers and - partners to evaluate architectures, and implement designs that can scale over time. - - :books: **Read More:** [AWS Well-architected](https://aws.amazon.com/architecture/well-architected) - -??? info "Why Infra as Code (IaC) & Terraform❓" - - - [x] **Confidence:** A change breaks the env? Just roll it back. Still not working? - Build a whole new env with a few keystrokes. IaC enables this. - - - [x] **Repeatability:** Allows your infra to be automatically instantiated, making it - easy to build multiple identical envs. - - - [x] **Troubleshooting:** Check source control and see exactly what changed in the env. - As long as you are diligent and don’t make manual envs changes, then IaC can be a game - changer. - - - [x] **DR:** Require the ability to set up an alternate env in a different DC or Region. 
- IaC makes this a much more manageable prospect. - - - [x] **Auditability:** - You will need to be able to audit both changes and access to an env, IaC gives you this - right out of the box. - - - [x] **Visibility:** As an env expands over time, is challenging to tell what has been - provisioned. In the #cloud this can be a huge #cost issue. IaC allows tracking your - resources. - - - [x] **Portability:** Some IaC techs are #multicloud. Also, translating #Terraform from - one cloud provider to another is considerably more simple than recreating your entire - envs in a cloud-specific tool. - - - [x] **Security:** See history of changes to your SG rules along with commit messages can - do wonders for being confident about the security configs of your envs. - - **Terraform** allows to codify your application infrastructure, reduce human error and - increase automation by provisioning infrastructure as code. - With TF we can manage infrastructure across clouds and provision infrastructure - across 300+ public clouds and services using a single workflow. - Moreover it helps to create reproducible infrastructure and provision consistent testing, - staging, and production environments with the same configuration. - - **Terraform** has everything we expect from a IaC framework: open source, cloud-agnostic - provisioning tool that supported immutable infrastructure, a declarative language, and - a client-only architecture. - - :books: **Read More** - - - [Why Infrastructure as Code](https://www.simplethread.com/why-infrastructure-as-code/) - - [Why Terraform by Gruntwork](https://blog.gruntwork.io/why-we-use-terraform-and-not-chef-puppet-ansible-saltstack-or-cloudformation-7989dad2865c) - -??? info "Why Organizations❓" - AWS Organizations helps you centrally manage and govern your environment as you grow - and scale your AWS resources. 
Using AWS Organizations, you can programmatically create - new AWS accounts and allocate resources, group accounts to organize your workflows, - apply policies to accounts or groups for governance, and simplify billing by using a - single payment method for all of your accounts. - - :books: **Read More** - - - [How it works: AWS Organizations](../../user-guide/organization/organization/) - - [AWS Organizations](https://aws.amazon.com/organizations/) - -??? info "Why AIM and roles❓" - AWS Identity and Access Management (IAM) enables you to manage access to AWS services - and resources securely. Using IAM, you can create and manage AWS users and groups, - and use permissions to allow and deny their access to AWS resources. - - - Integration and Fine-grained access control with almost every AWS service and - its resources. - - Multi-factor authentication for highly privileged users. - - Analyze, monitor and audit access. - - :books: **Read More** - - - [How it works: AWS IAM](../../user-guide/identities/identities/) - - [AWS Identity and Access Management (IAM)](https://aws.amazon.com/iam/) - -??? info "Security | Why Web Application Firewall (WAF), Cloud Trail, Config, Guarduty❓" - Raise your security posture with AWS infrastructure and services. - Using AWS, you will gain the control and confidence you need to securely run your - business with the most flexible and secure cloud computing environment available today. - As an AWS customer, you will benefit from AWS data centers and a network architected - to protect your information, identities, applications, and devices. With AWS, you - can improve your ability to meet core security and compliance requirements, such as - data locality, protection, and confidentiality with our comprehensive services and - features. - - :books: **Read More** - - - [How it works: AWS Security](../../user-guide/security/services/) - - [AWS Cloud Security](https://aws.amazon.com/security/) - -??? 
info "Why VPC❓" - Amazon Virtual Private Cloud (Amazon VPC) is a service that lets you launch AWS - resources in a logically isolated virtual network that you define. You have complete - control over your virtual networking environment, including selection of your own IP - address range, creation of subnets, and configuration of route tables and network - gateways. You can use both IPv4 and IPv6 for most resources in your virtual private - cloud, helping to ensure secure and easy access to resources and applications. - - :books: **Read More** - - - [How it works: AWS Networking](../../user-guide/network/vpc-topology) - - [AWS Virtual Private Cloud](https://aws.amazon.com/vpc) - -??? info "Why Kubernetes (K8s) & AWS EKS❓" - **Kubernetes**, also known as K8s, is an open-source system for automating deployment, - scaling, and management of containerized applications. - It groups containers that make up an application into logical units for easy management - and discovery. Kubernetes builds upon 15 years of experience of running production - workloads at Google, combined with best-of-breed ideas and practices from the community. - - **Amazon Elastic Kubernetes Service (Amazon EKS)** gives you the flexibility to start, - run, and scale Kubernetes applications in the AWS cloud or on-premises. Amazon EKS - helps you provide highly-available and secure clusters and automates key tasks such - as patching, node provisioning, and updates. Customers such as Intel, Snap, Intuit, - GoDaddy, and Autodesk trust EKS to run their most sensitive and mission critical - applications. - - **EKS** runs upstream Kubernetes and is certified Kubernetes conformant for a predictable - experience. You can easily migrate any standard Kubernetes application to EKS without - needing to refactor your code. - - :books: **Read More** - - - [How it works: AWS EKS](../../user-guide/compute/k8s-eks/) - - [AWS EKS](https://aws.amazon.com/eks) - - [Kubernetes](https://kubernetes.io/) - -??? 
info "Why S3❓" - **Amazon Simple Storage Service (Amazon S3)** is an object storage service that offers - industry-leading scalability, data availability, security, and performance. - This means customers of all sizes and industries can use it to store and protect - any amount of data for a range of use cases, such as data lakes, websites, mobile - applications, backup and restore, archive, enterprise applications, IoT devices, - and big data analytics. Amazon S3 provides easy-to-use management features so you - can organize your data and configure finely-tuned access controls to meet your - specific business, organizational, and compliance requirements. Amazon S3 is - designed for 99.999999999% (11 9's) of durability, and stores data for millions - of applications for companies all around the world. - - :books: **Read More** - - - [How it works: AWS Storage](../../user-guide/storage/storage) - - [AWS S3](https://aws.amazon.com/s3) - -??? info "Why RDS❓" - **Amazon Relational Database Service (Amazon RDS)** makes it easy to set up, operate, - and scale a relational database in the cloud. It provides cost-efficient and resizable - capacity while automating time-consuming administration tasks such as hardware - provisioning, database setup, patching and backups. It frees you to focus on your - applications so you can give them the fast performance, high availability, security - and compatibility they need. - - Amazon RDS is available on several database instance types - optimized for memory, - performance or I/O - and provides you with six familiar database engines to choose from, - including Amazon Aurora, PostgreSQL, MySQL, MariaDB, Oracle Database, and SQL Server. - You can use the AWS Database Migration Service to easily migrate or replicate your - existing databases to Amazon RDS. - - :books: **Read More** - - - [How it works: AWS Databases](../../user-guide/database/database/) - - [AWS RDS](https://aws.amazon.com/rds) - -??? 
info "Why Hashicorp Vault❓" - As many organizations migrate to the public cloud, a major concern has been how to - best secure data, preventing it from unauthorized access or exfiltration. - - Deploying a product like HashiCorp Vault gives you better control of your sensitive - credentials and helps you meet cloud security standards. - - HashiCorp Vault is designed to help organizations manage access to secrets and - transmit them safely within an organization. Secrets are defined as any form of - sensitive credentials that need to be tightly controlled and monitored and can be - used to unlock sensitive information. Secrets could be in the form of passwords, - API keys, SSH keys, RSA tokens, or OTP. - - HashiCorp Vault makes it very easy to control and manage access by providing you - with a unilateral interface to manage every secret in your infrastructure. Not only - that, you can also create detailed audit logs and keep track of who accessed what. - - Manage Secrets and Protect Sensitive Data. Secure, store and tightly control access - to tokens, passwords, certificates, encryption keys for protecting secrets and other - sensitive data using a UI, CLI, or HTTP API. - - :books: **Read More** - - - [How it works: Secrets](../../user-guide/secrets/secrets/) - - [Hashicorp Vault Project](https://www.vaultproject.io/) diff --git a/docs/try-leverage/aws-account-setup.md b/docs/try-leverage/aws-account-setup.md index 9391a0f93..12ff19891 100644 --- a/docs/try-leverage/aws-account-setup.md +++ b/docs/try-leverage/aws-account-setup.md 
@@ -1,19 +1,19 @@ # Creating your AWS Management account ## Create an AWS account -First and foremost you'll need to [create an AWS account](../user-guide/user-guide/organization/organization-init.md) for your project. This will be the management account of your [AWS Organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html) and the email address you use for signing up will be the [root user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html) of this account -- you can see this user represented in the [architecture diagram](../introduction/#introduction). +First and foremost you'll need to [create an AWS account](../../user-guide/ref-architecture-aws/features/organization/configuration/) for your project. This will be the management account of your [AWS Organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html) and the email address you use for signing up will be the [root user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html) of this account -- you can see this user represented in the [architecture diagram](../#leverage-landing-zone). Since the root user is the main access point to your account it is strongly recommended that you keep its credentials (email, password) safe by following [AWS best practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html). !!! tip To protect your management account, [enabling Multi Factor Authentication](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa) is **highly** encouraged. Also, reviewing the [account's billing setup](https://console.aws.amazon.com/billing/home?#/account) is always a good idea before proceeding. -!!! info "For more details on setting up your AWS account: [:books: Organization account setup guide](../../user-guide/user-guide/organization/organization-init#user-guide)" +!!! 
info "For more details on setting up your AWS account: [:books: Organization account setup guide](../../user-guide/ref-architecture-aws/features/organization/configuration/)" ## Create a bootstrap user with temporary administrator permissions Leverage needs a user with temporary administrator permissions in order to deploy the initial resources that will form the foundations you will then use to keep building on. That initial deployment is called the bootstrap process and thus the user required for that is called "the bootstrap user". -To create that user, navigate to the [IAM page](https://console.aws.amazon.com/iam/) and create a user named `mgmt-org-admin` [following step 2 of this leverage doc](https://leverage.binbash.com.ar/user-guide/user-guide/organization/organization-init/#reference-aws-organization-init-workflow). +To create that user, navigate to the [IAM page](https://console.aws.amazon.com/iam/) and create a user named `mgmt-org-admin` [following step 2 of this leverage doc](../../user-guide/ref-architecture-aws/features/organization/configuration/#reference-aws-organization-init-workflow). !!! info Bear in mind that the page for creating users may change from time to time but the key settings for configuring the bootstrap user are the following: diff --git a/docs/try-leverage/index.md b/docs/try-leverage/index.md index b35714216..a2c532ca8 100644 --- a/docs/try-leverage/index.md +++ b/docs/try-leverage/index.md 
@@ -2,13 +2,13 @@ # Try Leverage -## Overview +## Before you begin -The objective of this guide is to introduce the user to our -[**binbash Leverage Reference Architecture for AWS**](../../how-it-works/ref-architecture/) workflow +The objective of this guide is to introduce you to our +[**binbash Leverage Reference Architecture for AWS**](../../user-guide/ref-architecture-aws/overview/) workflow through the complete deployment of a basic landing zone configuration. -The Leverage landing zone is the smallest possible fully functional configuration. +The Leverage Landing Zone is the smallest possible fully functional configuration. It lays out the base infrastructure required to manage the environment: billing and financial management, user management, security enforcement, and shared services and resources. Always following the best practices layed out by the diff --git a/docs/try-leverage/leverage-project-setup.md b/docs/try-leverage/leverage-project-setup.md index e5a42fcbf..0bf8b6bad 100644 --- a/docs/try-leverage/leverage-project-setup.md +++ b/docs/try-leverage/leverage-project-setup.md 
@@ -6,7 +6,7 @@ The account's name will be given by your project's name followed by `-management Along the same line, we'll use the `example.com` domain for the email address used to register the account. Adding a `-aws` suffix to the project's name to indicate that this email address is related to the project's AWS account, we end up with a registration email that looks like `myexample-aws@example.com`. !!! info "Email addresses for AWS accounts." - Each AWS account requires having a unique email address associated to it. The Leverage Reference Architecture for AWS makes use of multiple accounts to better manage the infrastructure, as such, you will need different addresses for each one. Creating a new email account for each AWS is not a really viable solution to this problem, a better approach is to take advantage of mail services that support aliases. For information regarding how this works: [:books: Email setup for your AWS account.](../../user-guide/user-guide/organization/organization-init/#pre-requisites) + Each AWS account requires having a unique email address associated to it. The Leverage Reference Architecture for AWS makes use of multiple accounts to better manage the infrastructure, as such, you will need different addresses for each one. Creating a new email account for each AWS is not a really viable solution to this problem, a better approach is to take advantage of mail services that support aliases. For information regarding how this works: [:books: Email setup for your AWS account.](../../user-guide/ref-architecture-aws/features/organization/configuration/#pre-requisites) ## Create the project directory Each Leverage project lives in its own working directory. Create a directory for your project as follows: 
@@ -123,7 +123,7 @@ To be able to interact with your AWS environment you first need to configure the [09:37:55.344] INFO Skipping assumable roles configuration. -!!! info "More information on [`credentials configure`](../../user-guide/base-workflow/leverage-cli/reference/credentials#configure)" +!!! info "More information on [`credentials configure`](../../user-guide/leverage-cli/reference/credentials/#configure)" During the credentials setup, the AWS account id is filled in for us in the project configuration file. @@ -169,7 +169,7 @@ leverage project create [09:40:55.743] INFO Finished setting up project. -!!! info "More information on [`project create`](../../user-guide/base-workflow/leverage-cli/reference/project#create)" +!!! info "More information on [`project create`](../../user-guide/leverage-cli/reference/project#create)" In this step, the directory structure for the project and all definition files are created using the information from the `project.yaml` file and checked for correct formatting. diff --git a/docs/try-leverage/local-setup.md b/docs/try-leverage/local-setup.md index 3d77f0966..9890d4e29 100644 --- a/docs/try-leverage/local-setup.md +++ b/docs/try-leverage/local-setup.md 
@@ -8,13 +8,13 @@ In order to install the CLI you should have the following installed in your syst - [X] [Python 3](https://www.python.org/) `version 3.8 and up` - [X] [Docker](https://docs.docker.com/engine/install/) -## Install [Leverage CLI](../../how-it-works/leverage-cli/) +## Install [Leverage CLI](../../user-guide/leverage-cli/overview/) Leverage CLI is distributed as a python package that you can install it via `pip` as follows: ``` bash pip install leverage ``` -!!! info "For further details on installing Leverage CLI: [:books: Install Leverage CLI](../../user-guide/base-workflow/leverage-cli/install-leverage-cli/)" +!!! info "For further details on installing Leverage CLI: [:books: Install Leverage CLI](../../user-guide/leverage-cli/installation/)" ## Verify your Leverage CLI installation Verify that your Leverage CLI installation was successful by running the following command: diff --git a/docs/try-leverage/management-account.md b/docs/try-leverage/management-account.md index 5e742b276..9f7acf5f1 100644 --- a/docs/try-leverage/management-account.md +++ b/docs/try-leverage/management-account.md @@ -86,7 +86,7 @@ And run: leverage terraform import aws_organizations_account.management 000123456789 ``` -!!! info "More information on [`terraform import`](../../user-guide/base-workflow/leverage-cli/reference/terraform#import)" +!!! info "More information on [`terraform import`](../../user-guide/leverage-cli/reference/terraform#import)" !!! info "Getting errors with zsh?" Zsh users may need to prepend `noglob` to the import command for it to be recognized correctly, as an alternative, square brackets can be escaped as `\[\]` 
@@ -117,7 +117,7 @@ $ leverage credentials configure --type BOOTSTRAP --skip-access-keys-setup [09:09:08.307] INFO Updating project's Terraform common configuration. ``` -!!! info "More information on [`credentials configure`](../../user-guide/base-workflow/leverage-cli/reference/credentials#configure)" +!!! info "More information on [`credentials configure`](../../user-guide/leverage-cli/reference/credentials#configure)" ### SSO layer Before working on the SSO layer you have to navigate to the [AWS IAM Identity Center page](https://console.aws.amazon.com/singlesignon/) and enable Single Sign-On (SSO) by clicking on the `Enable` button. diff --git a/docs/try-leverage/post-deployment.md b/docs/try-leverage/post-deployment.md index fbfb24155..f1cff8b20 100644 --- a/docs/try-leverage/post-deployment.md +++ b/docs/try-leverage/post-deployment.md @@ -60,9 +60,9 @@ profile = "me-shared-devops" ``` ## Activate your SSO user and set up your password -The SSO users you created when you provisioned the SSO layer need to go through an email activation procedure. Find the [instructions here](/user-guide/user-guide/sso/managing-users/#trigger-user-email-activation). +The SSO users you created when you provisioned the SSO layer need to go through an email activation procedure. Find the [instructions here](../../user-guide/ref-architecture-aws/features/sso/managing-users/#trigger-user-email-activation). -Once SSO user's have been activated, they will need to get their initial password so they are able to log in. Check out the [steps for that here](/user-guide/user-guide/sso/managing-users/#reset-a-user-password). +Once SSO user's have been activated, they will need to get their initial password so they are able to log in. Check out the [steps for that here](../../user-guide/ref-architecture-aws/features/sso/managing-users/#reset-a-user-password). ## Configure the CLI for SSO Almost there. Let's try the SSO integration now. 
@@ -70,7 +70,7 @@ Almost there. Let's try the SSO integration now. ### Configure your SSO profiles Since this is your first time using that you will need to configure it by running this: `leverage aws configure sso` -Follow the wizard to get your AWS config file created for you. There is [more info about that here](/user-guide/user-guide/sso/sso/#1-configuring-aws-sso). +Follow the wizard to get your AWS config file created for you. There is [more info about that here](../../user-guide/ref-architecture-aws/features/sso/configuration/#authentication-via-sso). ### Verify on a layer in the management account To ensure that worked, let's run a few commands to verify: diff --git a/docs/user-guide/ref-architecture-aws/features/identities/gpg.md b/docs/user-guide/ref-architecture-aws/features/identities/gpg.md index 53df255d2..0af859ff8 100644 --- a/docs/user-guide/ref-architecture-aws/features/identities/gpg.md +++ b/docs/user-guide/ref-architecture-aws/features/identities/gpg.md @@ -2,7 +2,7 @@ ## Why do we use GPG keys? By default our [Leverage Reference Architectre base-identities layer](https://github.com/binbashar/le-tf-infra-aws/blob/master/security/global/base-identities/users.tf) -approach is to use [IAM module]([https://github.com/binbashar/terraform-aws-iam/tree/master/modules/iam-user]) +approach is to use [IAM module](https://github.com/binbashar/terraform-aws-iam/tree/master/modules/iam-user) to manage AWS IAM Users credentials with **encryption to grant strong security**. This **module** outputs commands and GPG messages which can be decrypted either using command line to get AWS Web Console diff --git a/docs/user-guide/ref-architecture-aws/features/identities/identities.md b/docs/user-guide/ref-architecture-aws/features/identities/identities.md index afb842f69..f328f3283 100644 --- a/docs/user-guide/ref-architecture-aws/features/identities/identities.md +++ b/docs/user-guide/ref-architecture-aws/features/identities/identities.md 
@@ -8,7 +8,7 @@ afterwards in your [`project-security`](https://github.com/binbashar/le-tf-infra !!! example "IAM user standard creation workflow" 1. Pre-requisite add Public PGP Key following the [documentation](./gpg.md) 2. For steps 3. and 4. consider following - [Leverage's Terraform workflow](../../../base-workflow/repo-le-tf-infra/) + [Leverage's Terraform workflow](../../../workflow/) 3. Update (add | remove) your IAM Users associated code and deploy [security/global/base-identities/users.tf](https://github.com/binbashar/le-tf-infra-aws/blob/master/security/global/base-identities/users.tf) - :file_folder: Consider customizing your [account Alias and Password Policy](https://github.com/binbashar/le-tf-infra-aws/blob/master/security/global/base-identities/account.tf) diff --git a/docs/user-guide/ref-architecture-aws/features/organization/legacy-accounts.md b/docs/user-guide/ref-architecture-aws/features/organization/legacy-accounts.md index f88960695..56fa6a059 100644 --- a/docs/user-guide/ref-architecture-aws/features/organization/legacy-accounts.md +++ b/docs/user-guide/ref-architecture-aws/features/organization/legacy-accounts.md @@ -8,7 +8,7 @@ ### Pre-requisites You must have your AWS Organization deployed and access to your Management account as -described in the [/user-guide/user-guide/organization/organization-init](./organization-init.md) section. +described in the [/user-guide/user-guide/organization/organization-init](./configuration.md) section. ## Invite AWS pre-existing (legacy) accounts to your AWS Organization !!! example "AWS Org pre-existing accounts invitation" diff --git a/docs/user-guide/ref-architecture-aws/overview.md b/docs/user-guide/ref-architecture-aws/overview.md index 5080254b9..e99d2c260 100644 --- a/docs/user-guide/ref-architecture-aws/overview.md +++ b/docs/user-guide/ref-architecture-aws/overview.md 
@@ -4,10 +4,10 @@ The AWS Reference Architecture was created on a set of opinionated definitions and conventions on: * [how to organize files/folders](dir-structure.md), -* where to store [configuration files](configs.md), -* how to handle [credentials](credentials.md), -* how to [set up](tf-state-setup.md) and [manage state](tf-state-workflow.md), -* which [commands and workflows](tf-workflow.md) to run in order to perform different tasks, +* where to store [configuration files](configuration.md), +* how to handle [credentials](configuration.md#setting-credentials-for-terraform-via-aws-profiles), +* how to [set up](tf-state.md) and [manage state](workflow.md), +* which [commands and workflows](workflow.md) to run in order to perform different tasks, * and more. !!! info "Key Concept" diff --git a/docs/user-guide/ref-architecture-aws/tf-state.md b/docs/user-guide/ref-architecture-aws/tf-state.md index cbbe84973..4c8cff63a 100644 --- a/docs/user-guide/ref-architecture-aws/tf-state.md +++ b/docs/user-guide/ref-architecture-aws/tf-state.md @@ -1,11 +1,10 @@ # Terraform - S3 & DynamoDB for Remote State Storage & Locking -TODO What is? Why? -TODO Set up - ## Overview -Use this terraform configuration files to create the **S3 bucket** & **DynamoDB** table needed to use Terraform Remote -State Storage & Locking. +Use this terraform configuration files to create the **S3 bucket** & **DynamoDB** table needed to use Terraform Remote State Storage & Locking. + +!!! info "What is the Terraform Remote State?" + Read the [official definition](https://developer.hashicorp.com/terraform/language/state/remote) by Hashicorp. ![leverage-ref-arch-tf](../../../assets/images/diagrams/terraform-aws-s3-backend.png "Leverage"){: style="width:350px"} 
@@ -20,11 +19,11 @@ Terraform modules registry, accessed December 3rd 2020). ## Prerequisites !!! example "Terraform repo structure + state backend initialization" - 1. Ensure you have [`Leverage CLI`](../../how-it-works/leverage-cli/index.md) installed in your system - 2. Refer to [Configuration Pre-requisites](./configs.md) to understand how to set up the + 1. Ensure you have [`Leverage CLI`](../../user-guide/leverage-cli/overview.md) installed in your system + 2. Refer to [Configuration Pre-requisites](./configuration.md) to understand how to set up the configuration files required for this layer. Where you must build your - [Terraform Reference Architecture account structure](../../how-it-works/user-guide/organization/organization.md) - 3. Leveraged by the [Infrastructure as Code (IaC) Library](../../how-it-works/infra-as-code-library/index.md) through the + [Terraform Reference Architecture account structure](features/organization/overview.md) + 3. Leveraged by the [Infrastructure as Code (IaC) Library](../../user-guide/infra-as-code-library/overview.md) through the [terraform-aws-tfstate-backend module](https://registry.terraform.io/modules/binbashar/tfstate-backend/aws/latest) - [/management/base-tf-backend](https://github.com/binbashar/le-tf-infra-aws/tree/master/root/us-east-1/base-tf-backend) - [/security/base-tf-backend](https://github.com/binbashar/le-tf-infra-aws/tree/master/security/us-east-1/base-tf-backend) @@ -54,7 +53,7 @@ Terraform modules registry, accessed December 3rd 2020). - Done. You can remove `terraform.tfstate` now (and also `terraform.tfstate.backup` if available) ## Expected workflow after set up -:warning: this tape must be updated +:warning: This video is outdated! [![asciicast](https://asciinema.org/a/377220.svg)](https://asciinema.org/a/377220) # Terraform Remote State diff --git a/mkdocs.yml b/mkdocs.yml index 537712528..24d207f0a 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
@@ -253,15 +253,15 @@ nav: - Installation: "user-guide/leverage-cli/installation.md" - Basic features: "user-guide/leverage-cli/basic-features.md" - Commands Reference: - - project: "user-guide/leverage-cli/user-guide/project.md" - - credentials: "user-guide/leverage-cli/user-guide/credentials.md" - - aws: "user-guide/leverage-cli/user-guide/aws.md" + - project: "user-guide/leverage-cli/reference/project.md" + - credentials: "user-guide/leverage-cli/reference/credentials.md" + - aws: "user-guide/leverage-cli/reference/aws.md" - terraform: - - commands: "user-guide/leverage-cli/user-guide/terraform.md" - - layers: "user-guide/leverage-cli/user-guide/terraform/layers.md" - - tfautomv: "user-guide/leverage-cli/user-guide/tfautomv.md" - - run: "user-guide/leverage-cli/user-guide/run.md" - - kubectl: "user-guide/leverage-cli/user-guide/kubectl.md" + - commands: "user-guide/leverage-cli/reference/terraform.md" + - layers: "user-guide/leverage-cli/reference/terraform/layers.md" + - tfautomv: "user-guide/leverage-cli/reference/tfautomv.md" + - run: "user-guide/leverage-cli/reference/run.md" + - kubectl: "user-guide/leverage-cli/reference/kubectl.md" - Extending Leverage: - How to extend Leverage: "user-guide/leverage-cli/extending-leverage/how-to-extend.md" - The build.env file: "user-guide/leverage-cli/extending-leverage/build.env.md" From 3bbea8c6c643e7a46b5c706a2c97039febed6927 Mon Sep 17 00:00:00 2001 
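Review bot: the `Read More` links in the new `docs/concepts/our-tech-stack.md` point at pages that do not exist in the tree this same patch builds: `../../user-guide/organization/organization/`, `../../user-guide/identities/identities/`, `../../user-guide/security/services/`, `../../user-guide/network/vpc-topology`, `../../user-guide/compute/k8s-eks/`, `../../user-guide/storage/storage`, `../../user-guide/database/database/` and `../../user-guide/secrets/secrets/`. Elsewhere in the patch the same pages are addressed as `../../user-guide/ref-architecture-aws/features/organization/configuration/` (aws-account-setup.md) and `docs/user-guide/ref-architecture-aws/features/identities/identities.md` (the identities hunk), so these targets should use the `ref-architecture-aws/features/...` paths too. While the file is new: the admonition titles read `Why AIM and roles❓` (IAM) and `Cloud Trail, Config, Guarduty` (CloudTrail, GuardDuty), `Hashicorp Vault` should be `HashiCorp Vault`, and `a unilateral interface to manage every secret` should be `a unified interface`. The security admonition also never says what WAF, CloudTrail, Config and GuardDuty each contribute; one clause per service (L7 request filtering, API audit trail, configuration and compliance recording, threat detection) would justify the title, since the current body is generic AWS marketing copy that would read the same with any four services named.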
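Review bot: in `docs/try-leverage/aws-account-setup.md`, the hunk that re-links `To create that user, navigate to the IAM page and create a user named mgmt-org-admin` keeps describing the user as having `temporary administrator permissions`, but the page gives no pointer to where that access is revoked; the bootstrap user is an administrator with access keys until someone deletes it, so add a sentence (or a link to the section that does it) saying when the keys are deactivated and the user removed. Also verify that `.../features/organization/configuration/#reference-aws-organization-init-workflow` still carries that anchor after the page was renamed from `organization-init`, because the link text `following step 2 of this leverage doc` depends on the old page's step numbering.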
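Review bot: the `Email addresses for AWS accounts.` info box in `docs/try-leverage/leverage-project-setup.md` is only re-linked by this hunk, but it is the right place to state the security consequence of the alias approach: `aws-account-setup.md` in this same patch says the sign-up address `will be the root user of this account`, so anyone who can read the alias target mailbox can trigger a root password reset for every account created through it. Add one sentence that the target mailbox must be access-restricted and MFA-protected and that the aliases must not fan out to a broad distribution list.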
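Review bot: the two `More information on` hunks in `docs/try-leverage/leverage-project-setup.md` write the same kind of link in different forms, `reference/credentials/#configure` (trailing slash) and `reference/project#create` (none), and `management-account.md` in this patch uses `reference/credentials#configure` and `reference/terraform#import`. Beyond consistency, MkDocs only resolves and validates relative links whose last path segment names a file (contains a dot, e.g. `credentials.md`); directory-style and slash-less targets like these are passed through untouched, so a wrong path survives `mkdocs build --strict` silently. Since this series exists to fix broken links, standardize on `.md`-suffixed relative paths so the next rename is caught at build time instead of in a follow-up "Fix broken links" commit.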
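Review bot: `docs/try-leverage/local-setup.md` is only re-linked here, but the command the hunk sits next to, `pip install leverage`, installs whatever the newest PyPI release is into the user's global site-packages; for a tool that goes on to configure AWS bootstrap credentials (`leverage credentials configure --type BOOTSTRAP` in management-account.md) and drive Terraform, the tutorial should show a pinned version (`pip install leverage==<version>`) inside a virtualenv and say where the release list lives. The prerequisites block right above already states `Python 3 version 3.8 and up`, so a version pin fits the same list.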
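Review bot: in `docs/try-leverage/post-deployment.md`, the rewritten line `+Once SSO user's have been activated, they will need to get their initial password` keeps the stray apostrophe (`user's` for the plural `users`); since the line is being replaced anyway, fix it here. The `@@ -70` hunk in the same file swaps the anchor `#1-configuring-aws-sso` for `#authentication-via-sso`; confirm that heading exists in `features/sso/configuration.md`, because anchor-only links are not checked at build.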
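Review bot: in `docs/try-leverage/index.md`, the hunk capitalizes `Leverage Landing Zone` but leaves `layed out` in the adjacent context line (`Always following the best practices layed out by the`); correct it to `laid out` while the paragraph is being edited.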
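Review bot: in `docs/user-guide/ref-architecture-aws/features/organization/legacy-accounts.md`, the link target is updated to `./configuration.md` but the visible link text still reads `/user-guide/user-guide/organization/organization-init`, i.e. the old path this patch is removing; change the text to something like `Organization configuration` so readers are not told to look for a page that no longer exists.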
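Review bot: in `docs/user-guide/ref-architecture-aws/overview.md`, `credentials` now points at `configuration.md#setting-credentials-for-terraform-via-aws-profiles` and both `manage state` and `commands and workflows` point at the bare `workflow.md`; confirm that the heading producing that anchor exists in `configuration.md` (credentials were a separate `credentials.md` before this patch), and give the state-management part of `workflow.md` its own anchor so the two bullets do not land on the same spot.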
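Review bot: in `docs/user-guide/ref-architecture-aws/tf-state.md`, the `@@ -54` hunk replaces `this tape must be updated` with `This video is outdated!` but leaves the stale asciicast embedded under `Expected workflow after set up`; a published warning that the recording is wrong is weaker than removing it or re-recording it, so either drop the embed or open an issue and link it from the admonition. While here, the context line `You can remove terraform.tfstate now (and also terraform.tfstate.backup if available)` should also say these local files must never be committed (keep `terraform.tfstate*` in `.gitignore`): until the S3 backend is in place they are the only copy of the backend layer's state, and state files can carry resource attributes nobody wants in git history.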
From: Diego OJ Date: Sun, 23 Apr 2023 00:44:39 -0300 Subject: [PATCH 06/19] Fix broken links --- docs/concepts/index.md | 10 ++++----- docs/concepts/next-steps.md | 8 +++---- docs/concepts/our-tech-stack.md | 16 +++++++------- docs/concepts/what-is-leverage.md | 10 ++++----- docs/concepts/why-leverage.md | 4 ++-- docs/es/bienvenido.md | 2 +- docs/how-it-works/ref-architecture/index.md | 8 +++---- docs/try-leverage/aws-account-setup.md | 6 ++--- docs/try-leverage/index.md | 6 ++--- docs/try-leverage/leverage-project-setup.md | 8 +++---- docs/try-leverage/local-setup.md | 6 ++--- docs/try-leverage/management-account.md | 6 ++--- docs/try-leverage/post-deployment.md | 10 ++++----- .../security-and-shared-accounts.md | 4 ++-- docs/user-guide/index.md | 2 +- .../infra-as-code-library-specs.md | 4 ++-- .../infra-as-code-library/overview.md | 6 ++--- .../extending-leverage/how-to-extend.md | 2 +- .../leverage-cli/extending-leverage/tasks.md | 6 ++--- docs/user-guide/leverage-cli/overview.md | 2 +- .../leverage-cli/reference/credentials.md | 2 +- .../ref-architecture-ansible/overview.md | 12 +++++----- .../ref-architecture-ansible/workflow.md | 6 ++--- .../ref-architecture-aws/configuration.md | 4 ++-- .../ref-architecture-aws/dir-structure.md | 8 +++---- .../ref-architecture-aws/features/cdn/cdn.md | 6 ++--- .../features/ci-cd/ci-cd.md | 4 ++-- .../features/ci-cd/k8s-argocd.md | 2 +- .../features/compute/k8s-eks.md | 4 ++++ .../features/compute/k8s-kops.md | 6 ++--- .../features/compute/k8s-service-mesh.md | 4 ++-- .../features/compute/overview.md | 2 +- .../features/compute/serverless.md | 4 ++-- .../features/costs/costs.md | 8 +++---- .../features/identities/credentials-vault.md | 2 +- .../features/identities/identities.md | 2 +- .../features/identities/overview.md | 4 ++-- .../features/identities/roles.md | 6 ++--- .../ref-architecture-aws/features/index.md | 10 ++++----- .../features/monitoring/logs.md | 2 +- .../features/monitoring/metrics.md | 8 +++---- 
.../features/monitoring/tracing.md | 2 +- .../features/network/dns.md | 10 ++++----- .../features/network/tgw-topology.md | 2 +- .../features/network/vpc-addressing.md | 2 +- .../features/network/vpc-peering.md | 4 ++-- .../features/network/vpc-topology.md | 4 ++-- .../features/network/vpc-traffic-out.md | 2 +- .../features/organization/billing.md | 4 ++-- .../features/organization/configuration.md | 6 ++--- .../features/organization/legacy-accounts.md | 4 ++-- .../features/organization/overview.md | 2 +- .../features/reliability/backups.md | 8 +++---- .../features/reliability/dr.md | 4 ++-- .../features/reliability/high-availability.md | 6 ++--- .../features/security/audit-cloudtrail.md | 4 ++-- .../features/security/certificates.md | 4 ++-- .../features/security/firewall-manager.md | 2 +- .../features/security/iam-access-analyzer.md | 4 ++-- .../features/security/overview.md | 18 +++++++-------- .../features/security/vpn.md | 2 +- .../features/sso/configuration.md | 2 +- .../features/sso/overview.md | 2 +- .../features/storage/storage.md | 4 ++-- .../ref-architecture-aws/overview.md | 2 +- .../ref-architecture-aws/tf-state.md | 6 ++--- .../ref-architecture-aws/workflow.md | 2 +- .../ref-architecture-eks/components.md | 4 ++-- .../ref-architecture-eks/overview.md | 2 +- .../ref-architecture-vault/configs.md | 4 ++-- .../tf-state-workflow.md | 8 +++---- .../ref-architecture-vault/workflow.md | 8 +++---- docs/work-with-us/archived/team.md.back | 16 +++++++------- .../archived/testimonials.md.back | 22 +++++++++---------- docs/work-with-us/careers.md | 6 ++--- docs/work-with-us/contribute.md | 2 +- docs/work-with-us/index.md | 4 ++-- .../releases/releases-and-versions.md | 6 ++--- docs/work-with-us/support.md | 8 +++---- material/overrides/home.html | 10 ++++----- mkdocs.yml | 5 +++-- 81 files changed, 226 insertions(+), 223 deletions(-) create mode 100644 docs/user-guide/ref-architecture-aws/features/compute/k8s-eks.md 
diff --git a/docs/concepts/index.md b/docs/concepts/index.md index 51afa408e..cee870f4b 100644 --- a/docs/concepts/index.md +++ b/docs/concepts/index.md @@ -2,7 +2,7 @@ template: overrides/main.html --- -![binbash-logo](../assets/images/logos/binbash-leverage-header.png "binbash"){: style="width:800px"} +![binbash-logo](/assets/images/logos/binbash-leverage-header.png "binbash"){: style="width:800px"} # Concepts @@ -12,7 +12,7 @@ Welcome to Leverage's documentation! Here you will find the concepts you need to ## Getting Started Feel free to explore the following pages to know more about Leverage. -- [x] :books: See [**What is Leverage**](../concepts/what-is-leverage.md) to fully understand what Leverage is. -- [x] :books: See [**Why Leverage**](../concepts/why-leverage.md) to help you decide whether Leverage is the right tool for you. -- [x] :books: See [**What can Leverage do for you**](../concepts/what-leverage-can-do-for-you.md) to understand more about the capabilities of Leverage. -- [x] :books: See [**Our Tech Stack**](../concepts/our-tech-stack.md) to learn about our design choices for the technology stack. +- [x] :books: See [**What is Leverage**](/concepts/what-is-leverage/) to fully understand what Leverage is. +- [x] :books: See [**Why Leverage**](/concepts/why-leverage/) to help you decide whether Leverage is the right tool for you. +- [x] :books: See [**What can Leverage do for you**](/concepts/what-leverage-can-do-for-you/) to understand more about the capabilities of Leverage. +- [x] :books: See [**Our Tech Stack**](/concepts/our-tech-stack/) to learn about our design choices for the technology stack. diff --git a/docs/concepts/next-steps.md b/docs/concepts/next-steps.md index 78203afc9..115f6148b 100644 --- a/docs/concepts/next-steps.md +++ b/docs/concepts/next-steps.md 
@@ -1,9 +1,9 @@ # Next Steps -Now that you know the basic concepts about Leverage feel free to [give it a try](../../try-leverage/) or check out the [User Guide](../../user-guide/) section to go deeper into the implementation details. Links down below: +Now that you know the basic concepts about Leverage feel free to [give it a try](/try-leverage/) or check out the [User Guide](/user-guide/) section to go deeper into the implementation details. Links down below: ## Learn More -:books: See [**Try Leverage**](../../try-leverage/) to take the tutorial that will help you deploy a basic AWS Landing Zone via Leverage. +:books: See [**Try Leverage**](/try-leverage/) to take the tutorial that will help you deploy a basic AWS Landing Zone via Leverage. -:books: See [**User Guide**](../../user-guide/) to take the comprehensive route to learn more about Leverage. +:books: See [**User Guide**](/user-guide/) to take the comprehensive route to learn more about Leverage. -:books: See [**Work with us**](../../work-with-us/) if you want to join us or know more about the team behind Leverage. +:books: See [**Work with us**](/work-with-us/) if you want to join us or know more about the team behind Leverage. diff --git a/docs/concepts/our-tech-stack.md b/docs/concepts/our-tech-stack.md index ea845cf77..953851eb5 100644 --- a/docs/concepts/our-tech-stack.md +++ b/docs/concepts/our-tech-stack.md @@ -82,7 +82,7 @@ We are also adopters and supporters of Kubernetes and the Cloud Native movement, :books: **Read More** - - [How it works: AWS Organizations](../../user-guide/organization/organization/) + - [How it works: AWS Organizations](/user-guide/organization/organization/) - [AWS Organizations](https://aws.amazon.com/organizations/) ??? info "Why AIM and roles❓" 
@@ -97,7 +97,7 @@ We are also adopters and supporters of Kubernetes and the Cloud Native movement, :books: **Read More** - - [How it works: AWS IAM](../../user-guide/identities/identities/) + - [How it works: AWS IAM](/user-guide/identities/identities/) - [AWS Identity and Access Management (IAM)](https://aws.amazon.com/iam/) ??? info "Security | Why Web Application Firewall (WAF), Cloud Trail, Config, Guarduty❓" @@ -112,7 +112,7 @@ We are also adopters and supporters of Kubernetes and the Cloud Native movement, :books: **Read More** - - [How it works: AWS Security](../../user-guide/security/services/) + - [How it works: AWS Security](/user-guide/security/services/) - [AWS Cloud Security](https://aws.amazon.com/security/) ??? info "Why VPC❓" @@ -125,7 +125,7 @@ We are also adopters and supporters of Kubernetes and the Cloud Native movement, :books: **Read More** - - [How it works: AWS Networking](../../user-guide/network/vpc-topology) + - [How it works: AWS Networking](/user-guide/network/vpc-topology) - [AWS Virtual Private Cloud](https://aws.amazon.com/vpc) ??? info "Why Kubernetes (K8s) & AWS EKS❓" @@ -148,7 +148,7 @@ We are also adopters and supporters of Kubernetes and the Cloud Native movement, :books: **Read More** - - [How it works: AWS EKS](../../user-guide/compute/k8s-eks/) + - [How it works: AWS EKS](/user-guide/compute/k8s-eks/) - [AWS EKS](https://aws.amazon.com/eks) - [Kubernetes](https://kubernetes.io/) @@ -166,7 +166,7 @@ We are also adopters and supporters of Kubernetes and the Cloud Native movement, :books: **Read More** - - [How it works: AWS Storage](../../user-guide/storage/storage) + - [How it works: AWS Storage](/user-guide/storage/storage) - [AWS S3](https://aws.amazon.com/s3) ??? info "Why RDS❓" 
@@ -185,7 +185,7 @@ We are also adopters and supporters of Kubernetes and the Cloud Native movement, :books: **Read More** - - [How it works: AWS Databases](../../user-guide/database/database/) + - [How it works: AWS Databases](/user-guide/database/database/) - [AWS RDS](https://aws.amazon.com/rds) ??? info "Why Hashicorp Vault❓" @@ -211,5 +211,5 @@ We are also adopters and supporters of Kubernetes and the Cloud Native movement, :books: **Read More** - - [How it works: Secrets](../../user-guide/secrets/secrets/) + - [How it works: Secrets](/user-guide/secrets/secrets/) - [Hashicorp Vault Project](https://www.vaultproject.io/) diff --git a/docs/concepts/what-is-leverage.md b/docs/concepts/what-is-leverage.md index 3a05bdc02..56e5d18ac 100644 --- a/docs/concepts/what-is-leverage.md +++ b/docs/concepts/what-is-leverage.md 
@@ -5,14 +5,14 @@ Since all the code and modules are already built, we can get you up and running than a consulting company -- :white_check_mark: *typically in just a few weeks!* -- and on top of code that is thoroughly documented, tested, and has been proven in production at dozens of other project deployments. ## Core Components -Our focus is on creating reusable, high quality ![leverage-aws](../assets/images/icons/aws-emojipack/General_AWScloud.png "AWS"){: style="width:30px"} Cloud Infrastructure code, through our core components: +Our focus is on creating reusable, high quality ![leverage-aws](/assets/images/icons/aws-emojipack/General_AWScloud.png "AWS"){: style="width:30px"} Cloud Infrastructure code, through our core components: -- [x] [**Reference Architecture**](../../user-guide/ref-architecture-aws/overview/): Designed under optimal configs for the most popular modern web and mobile applications needs. Its design is fully based on the -[**AWS Well Architected Framework**](https://leverage.binbash.com.ar/support/#aws-well-architected-review). +- [x] [**Reference Architecture**](/user-guide/ref-architecture-aws/overview/): Designed under optimal configs for the most popular modern web and mobile applications needs. Its design is fully based on the +[**AWS Well Architected Framework**](/work-with-us/support/#aws-well-architected-review). -- [x] [**Infrastructure as Code (IaC) Library**](../../user-guide/infra-as-code-library/overview/): A collection of reusable, tested, production-ready E2E AWS Cloud infrastructure as code solutions, leveraged by modules written in: *Terraform, Ansible, Helm charts, Dockerfiles and Makefiles*. +- [x] [**Infrastructure as Code (IaC) Library**](/user-guide/infra-as-code-library/overview/): A collection of reusable, tested, production-ready E2E AWS Cloud infrastructure as code solutions, leveraged by modules written in: *Terraform, Ansible, Helm charts, Dockerfiles and Makefiles*. 
-- [x] [**Leverage CLI**](../../user-guide/leverage-cli/overview/): projects' command line tool. Provides the means to interact and deploy Leverage Reference Architecture on AWS and if needed it allows you to define custom tasks to run. +- [x] [**Leverage CLI**](/user-guide/leverage-cli/overview/): projects' command line tool. Provides the means to interact and deploy Leverage Reference Architecture on AWS and if needed it allows you to define custom tasks to run. ## Video Presentation Check out this **intro video** :octicons-video-16: that explains what Leverage is in less than 5 minutes: diff --git a/docs/concepts/why-leverage.md b/docs/concepts/why-leverage.md index 4f9dade18..72e5517ca 100644 --- a/docs/concepts/why-leverage.md +++ b/docs/concepts/why-leverage.md @@ -7,14 +7,14 @@ By implementing our **Reference Architecture for AWS** and the **Infrastructure ## The problem and our solution ### What are the problems you might be facing? -![leverage-why](../../../assets/images/diagrams/leverage-why-problem.png "Leverage"){: style="width:950px"} +![leverage-why](/assets/images/diagrams/leverage-why-problem.png "Leverage"){: style="width:950px"}
Figure: Why Leverage? The problem. (Source: binbash, "Leverage Presentation: Why you should use Leverage?", accessed June 15th 2021).
### What is our solution? -![leverage-why](../../../assets/images/diagrams/leverage-why-solution.png "Leverage"){: style="width:950px"} +![leverage-why](/assets/images/diagrams/leverage-why-solution.png "Leverage"){: style="width:950px"}
Figure: Why Leverage? The solution. (Source: binbash, "Leverage Presentation: Why you should use Leverage?", accessed June 15th 2021). diff --git a/docs/es/bienvenido.md b/docs/es/bienvenido.md index d06f7d1ae..c3eadea38 100644 --- a/docs/es/bienvenido.md +++ b/docs/es/bienvenido.md @@ -2,6 +2,6 @@ template: overrides/main.html --- -![binbash-logo](../assets/images/logos/binbash-leverage-header.png "binbash"){: style="width:800px"} +![binbash-logo](/assets/images/logos/binbash-leverage-header.png "binbash"){: style="width:800px"} # Próximamente \ No newline at end of file diff --git a/docs/how-it-works/ref-architecture/index.md b/docs/how-it-works/ref-architecture/index.md index 69a2c0317..9ecb5f172 100644 --- a/docs/how-it-works/ref-architecture/index.md +++ b/docs/how-it-works/ref-architecture/index.md @@ -1,18 +1,16 @@ -![binbash-logo](../../assets/images/logos/binbash-leverage-header.png "binbash"){: style="width:800px"} +![binbash-logo](/assets/images/logos/binbash-leverage-header.png "binbash"){: style="width:800px"} # How it works - The objective of this document is to explain how the **binbash Leverage Reference Architecture for AWS** works, in particular how the Reference Architecture model is built and why we need it. ## Overview - This documentation contains all the guidelines to create binbash Leverage Reference Architecture for AWS that will be implemented on the Projects’ AWS infrastructure. We're assuming you've already have in place your AWS Landing Zone based on the -[First Steps](../../try-leverage/introduction.md) guide. +[First Steps](/try-leverage/index.md) guide. !!! check "Our Purpose" * [x] **Democratize advanced technologies:** As complex as it may sound, the basic idea behind this design principle is 
@@ -25,4 +23,4 @@ We're assuming you've already have in place your AWS Landing Zone based on the !!! info This documentation will provide a detailed reference of the tools and techs used, - the needs they address and how they fit with the multiple practices we will be implementing. \ No newline at end of file + the needs they address and how they fit with the multiple practices we will be implementing. diff --git a/docs/try-leverage/aws-account-setup.md b/docs/try-leverage/aws-account-setup.md index 12ff19891..1caaf9546 100644 --- a/docs/try-leverage/aws-account-setup.md +++ b/docs/try-leverage/aws-account-setup.md 
@@ -1,19 +1,19 @@ # Creating your AWS Management account ## Create an AWS account -First and foremost you'll need to [create an AWS account](../../user-guide/ref-architecture-aws/features/organization/configuration/) for your project. This will be the management account of your [AWS Organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html) and the email address you use for signing up will be the [root user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html) of this account -- you can see this user represented in the [architecture diagram](../#leverage-landing-zone). +First and foremost you'll need to [create an AWS account](/user-guide/ref-architecture-aws/features/organization/configuration/) for your project. This will be the management account of your [AWS Organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html) and the email address you use for signing up will be the [root user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html) of this account -- you can see this user represented in the [architecture diagram](../#leverage-landing-zone). Since the root user is the main access point to your account it is strongly recommended that you keep its credentials (email, password) safe by following [AWS best practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html). !!! tip To protect your management account, [enabling Multi Factor Authentication](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa) is **highly** encouraged. Also, reviewing the [account's billing setup](https://console.aws.amazon.com/billing/home?#/account) is always a good idea before proceeding. -!!! info "For more details on setting up your AWS account: [:books: Organization account setup guide](../../user-guide/ref-architecture-aws/features/organization/configuration/)" +!!! 
info "For more details on setting up your AWS account: [:books: Organization account setup guide](/user-guide/ref-architecture-aws/features/organization/configuration/)" ## Create a bootstrap user with temporary administrator permissions Leverage needs a user with temporary administrator permissions in order to deploy the initial resources that will form the foundations you will then use to keep building on. That initial deployment is called the bootstrap process and thus the user required for that is called "the bootstrap user". -To create that user, navigate to the [IAM page](https://console.aws.amazon.com/iam/) and create a user named `mgmt-org-admin` [following step 2 of this leverage doc](../../user-guide/ref-architecture-aws/features/organization/configuration/#reference-aws-organization-init-workflow). +To create that user, navigate to the [IAM page](https://console.aws.amazon.com/iam/) and create a user named `mgmt-org-admin` [following step 2 of this leverage doc](/user-guide/ref-architecture-aws/features/organization/configuration/#reference-aws-organization-init-workflow). !!! info Bear in mind that the page for creating users may change from time to time but the key settings for configuring the bootstrap user are the following: diff --git a/docs/try-leverage/index.md b/docs/try-leverage/index.md index a2c532ca8..bd5f9e7f3 100644 --- a/docs/try-leverage/index.md +++ b/docs/try-leverage/index.md 
@@ -1,11 +1,11 @@ -![binbash-logo](../assets/images/logos/binbash-leverage-header.png "binbash"){: style="width:800px"} +![binbash-logo](/assets/images/logos/binbash-leverage-header.png "binbash"){: style="width:800px"} # Try Leverage ## Before you begin The objective of this guide is to introduce you to our -[**binbash Leverage Reference Architecture for AWS**](../../user-guide/ref-architecture-aws/overview/) workflow +[**binbash Leverage Reference Architecture for AWS**](/user-guide/ref-architecture-aws/overview/) workflow through the complete deployment of a basic landing zone configuration. The Leverage Landing Zone is the smallest possible fully functional configuration. @@ -17,7 +17,7 @@ to ensure quality and to provide a solid base to build upon. This is the startin any Leverage user can and will develop all the features and capabilities they may require to satisfy their specific needs. -![leverage-landing-zone](../assets/images/diagrams/ref-architecture-aws-landing-zone.png "Leverage Landing Zone"){: style="width: 650px"} +![leverage-landing-zone](/assets/images/diagrams/ref-architecture-aws-landing-zone.png "Leverage Landing Zone"){: style="width: 650px"}
Figure: Leverage Landing Zone architecture components diagram.
diff --git a/docs/try-leverage/leverage-project-setup.md b/docs/try-leverage/leverage-project-setup.md index 0bf8b6bad..d107352d0 100644 --- a/docs/try-leverage/leverage-project-setup.md +++ b/docs/try-leverage/leverage-project-setup.md 
@@ -6,7 +6,7 @@ The account's name will be given by your project's name followed by `-management Along the same line, we'll use the `example.com` domain for the email address used to register the account. Adding a `-aws` suffix to the project's name to indicate that this email address is related to the project's AWS account, we end up with a registration email that looks like `myexample-aws@example.com`. !!! info "Email addresses for AWS accounts." - Each AWS account requires having a unique email address associated to it. The Leverage Reference Architecture for AWS makes use of multiple accounts to better manage the infrastructure, as such, you will need different addresses for each one. Creating a new email account for each AWS is not a really viable solution to this problem, a better approach is to take advantage of mail services that support aliases. For information regarding how this works: [:books: Email setup for your AWS account.](../../user-guide/ref-architecture-aws/features/organization/configuration/#pre-requisites) + Each AWS account requires having a unique email address associated to it. The Leverage Reference Architecture for AWS makes use of multiple accounts to better manage the infrastructure, as such, you will need different addresses for each one. Creating a new email account for each AWS is not a really viable solution to this problem, a better approach is to take advantage of mail services that support aliases. For information regarding how this works: [:books: Email setup for your AWS account.](/user-guide/ref-architecture-aws/features/organization/configuration/#pre-requisites) ## Create the project directory Each Leverage project lives in its own working directory. Create a directory for your project as follows: 
@@ -77,7 +77,7 @@ users: !!! info "The project definition file includes other entries but the ones shown above are the most frequently updated." ## Configure "bootstrap" credentials -To be able to interact with your AWS environment you first need to configure the credentials to enable AWS CLI to do so. Provide the keys obtained in the previous [account creation step](../aws-account-setup/) to the command by any of the available means. +To be able to interact with your AWS environment you first need to configure the credentials to enable AWS CLI to do so. Provide the keys obtained in the previous [account creation step](/try-leverage/aws-account-setup/) to the command by any of the available means. === "Manually" ``` bash @@ -123,7 +123,7 @@ To be able to interact with your AWS environment you first need to configure the [09:37:55.344] INFO Skipping assumable roles configuration. -!!! info "More information on [`credentials configure`](../../user-guide/leverage-cli/reference/credentials/#configure)" +!!! info "More information on [`credentials configure`](/user-guide/leverage-cli/reference/credentials/#configure)" During the credentials setup, the AWS account id is filled in for us in the project configuration file. @@ -169,7 +169,7 @@ leverage project create [09:40:55.743] INFO Finished setting up project. -!!! info "More information on [`project create`](../../user-guide/leverage-cli/reference/project#create)" +!!! info "More information on [`project create`](/user-guide/leverage-cli/reference/project#create)" In this step, the directory structure for the project and all definition files are created using the information from the `project.yaml` file and checked for correct formatting. diff --git a/docs/try-leverage/local-setup.md b/docs/try-leverage/local-setup.md index 9890d4e29..14664f919 100644 --- a/docs/try-leverage/local-setup.md +++ b/docs/try-leverage/local-setup.md 
@@ -1,5 +1,5 @@ # Install Leverage CLI -Leverage-based projects are better managed via the [Leverage CLI](../../how-it-works/leverage-cli/) which is a companion tool that simplifies your daily interactions with Leverage. This page will guide you through the installation steps. +Leverage-based projects are better managed via the [Leverage CLI](/user-guide/leverage-cli/overview/) which is a companion tool that simplifies your daily interactions with Leverage. This page will guide you through the installation steps. ## Prerequisites In order to install the CLI you should have the following installed in your system: @@ -8,13 +8,13 @@ In order to install the CLI you should have the following installed in your syst - [X] [Python 3](https://www.python.org/) `version 3.8 and up` - [X] [Docker](https://docs.docker.com/engine/install/) -## Install [Leverage CLI](../../user-guide/leverage-cli/overview/) +## Install [Leverage CLI](/user-guide/leverage-cli/overview/) Leverage CLI is distributed as a python package that you can install it via `pip` as follows: ``` bash pip install leverage ``` -!!! info "For further details on installing Leverage CLI: [:books: Install Leverage CLI](../../user-guide/leverage-cli/installation/)" +!!! info "For further details on installing Leverage CLI: [:books: Install Leverage CLI](/user-guide/leverage-cli/installation/)" ## Verify your Leverage CLI installation Verify that your Leverage CLI installation was successful by running the following command: diff --git a/docs/try-leverage/management-account.md b/docs/try-leverage/management-account.md index 9f7acf5f1..5b9fe594c 100644 --- a/docs/try-leverage/management-account.md +++ b/docs/try-leverage/management-account.md 
@@ -23,7 +23,7 @@ leverage terraform apply All `apply` commands will prompt for confirmation, answer `yes` when this happens. -!!! info "More information on [`terraform init`](../../user-guide/leverage-cli/reference/terraform#init) and [`terraform apply`](../../user-guide/leverage-cli/reference/terraform#apply)" +!!! info "More information on [`terraform init`](/user-guide/leverage-cli/reference/terraform#init) and [`terraform apply`](/user-guide/leverage-cli/reference/terraform#apply)" Now, the infrastructure for the Terraform state management is created. The next step is to push the local `.tfstate` to the bucket. To do this, uncomment the `backend` section for the `terraform` configuration in `management/base-tf-backend/config.tf` @@ -86,7 +86,7 @@ And run: leverage terraform import aws_organizations_account.management 000123456789 ``` -!!! info "More information on [`terraform import`](../../user-guide/leverage-cli/reference/terraform#import)" +!!! info "More information on [`terraform import`](/user-guide/leverage-cli/reference/terraform#import)" !!! info "Getting errors with zsh?" Zsh users may need to prepend `noglob` to the import command for it to be recognized correctly, as an alternative, square brackets can be escaped as `\[\]` @@ -117,7 +117,7 @@ $ leverage credentials configure --type BOOTSTRAP --skip-access-keys-setup [09:09:08.307] INFO Updating project's Terraform common configuration. ``` -!!! info "More information on [`credentials configure`](../../user-guide/leverage-cli/reference/credentials#configure)" +!!! info "More information on [`credentials configure`](/user-guide/leverage-cli/reference/credentials#configure)" ### SSO layer Before working on the SSO layer you have to navigate to the [AWS IAM Identity Center page](https://console.aws.amazon.com/singlesignon/) and enable Single Sign-On (SSO) by clicking on the `Enable` button. 
diff --git a/docs/try-leverage/post-deployment.md b/docs/try-leverage/post-deployment.md index f1cff8b20..d148be400 100644 --- a/docs/try-leverage/post-deployment.md +++ b/docs/try-leverage/post-deployment.md @@ -60,9 +60,9 @@ profile = "me-shared-devops" ``` ## Activate your SSO user and set up your password -The SSO users you created when you provisioned the SSO layer need to go through an email activation procedure. Find the [instructions here](../../user-guide/ref-architecture-aws/features/sso/managing-users/#trigger-user-email-activation). +The SSO users you created when you provisioned the SSO layer need to go through an email activation procedure. Find the [instructions here](/user-guide/ref-architecture-aws/features/sso/managing-users/#trigger-user-email-activation). -Once SSO user's have been activated, they will need to get their initial password so they are able to log in. Check out the [steps for that here](../../user-guide/ref-architecture-aws/features/sso/managing-users/#reset-a-user-password). +Once SSO user's have been activated, they will need to get their initial password so they are able to log in. Check out the [steps for that here](/user-guide/ref-architecture-aws/features/sso/managing-users/#reset-a-user-password). ## Configure the CLI for SSO Almost there. Let's try the SSO integration now. 
@@ -70,7 +70,7 @@ Almost there. Let's try the SSO integration now. ### Configure your SSO profiles Since this is your first time using that you will need to configure it by running this: `leverage aws configure sso` -Follow the wizard to get your AWS config file created for you. There is [more info about that here](../../user-guide/ref-architecture-aws/features/sso/configuration/#authentication-via-sso). +Follow the wizard to get your AWS config file created for you. There is [more info about that here](/user-guide/ref-architecture-aws/features/sso/configuration/#authentication-via-sso). ### Verify on a layer in the management account To ensure that worked, let's run a few commands to verify: @@ -410,5 +410,5 @@ Now you not only have a fully functional landing zone configuration deployed, bu For more detailed information, visit the links below. -- [X] :books: [How it works](../how-it-works/ref-architecture/index.md) -- [X] :books: [User guides](../user-guide/index.md) +- [X] :books: [How it works](/user-guide/ref-architecture-aws/overview/) +- [X] :books: [User guide](/user-guide/) diff --git a/docs/try-leverage/security-and-shared-accounts.md b/docs/try-leverage/security-and-shared-accounts.md index 727af0c8c..2360312f8 100644 --- a/docs/try-leverage/security-and-shared-accounts.md +++ b/docs/try-leverage/security-and-shared-accounts.md 
@@ -17,7 +17,7 @@ Move into the `us-east-1/base-tf-backend` directory and run: leverage terraform init --skip-validation leverage terraform apply ``` -!!! info "More information on [`terraform init`](../../user-guide/leverage-cli/reference/terraform#init) and [`terraform apply`](../../user-guide/leverage-cli/reference/terraform#apply)" +!!! info "More information on [`terraform init`](/user-guide/leverage-cli/reference/terraform#init) and [`terraform apply`](/user-guide/leverage-cli/reference/terraform#apply)" Now, to push the local `.tfstate` to the bucket, uncomment the `backend` section for the `terraform` configuration in `security/base-tf-backend/config.tf` ``` terraform @@ -65,7 +65,7 @@ Move into the `us-east-1/base-tf-backend` directory and run: leverage terraform init --skip-validation leverage terraform apply ``` -!!! info "More information on [`terraform init`](../../user-guide/leverage-cli/reference/terraform#init) and [`terraform apply`](../../user-guide/leverage-cli/reference/terraform#apply)" +!!! info "More information on [`terraform init`](/user-guide/leverage-cli/reference/terraform#init) and [`terraform apply`](/user-guide/leverage-cli/reference/terraform#apply)" Now, to push the local `.tfstate` to the bucket, uncomment the `backend` section for the `terraform` configuration in `shared/base-tf-backend/config.tf` ``` terraform diff --git a/docs/user-guide/index.md b/docs/user-guide/index.md index e22fc953f..14beed372 100644 --- a/docs/user-guide/index.md +++ b/docs/user-guide/index.md @@ -1,4 +1,4 @@ -![binbash-logo](../assets/images/logos/binbash-leverage-header.png "binbash"){: style="width:800px"} +![binbash-logo](/assets/images/logos/binbash-leverage-header.png "binbash"){: style="width:800px"} # User Guide diff --git a/docs/user-guide/infra-as-code-library/infra-as-code-library-specs.md b/docs/user-guide/infra-as-code-library/infra-as-code-library-specs.md index 3f88f0965..591307047 100644 
--- a/docs/user-guide/infra-as-code-library/infra-as-code-library-specs.md +++ b/docs/user-guide/infra-as-code-library/infra-as-code-library-specs.md @@ -76,7 +76,7 @@ Continuously perform updates, additions, and fixes to libraries and modules. ??? important ":checkered_flag: **Orchestrated in automation**" - We use the [leverage-cli](../leverage-cli/index.md) for this purpose + We use the [leverage-cli](/user-guide/leverage-cli/overview/) for this purpose ??? important ":checkered_flag: **Proven & Tested**" Every commit goes through a suite of automated tests to grant code styling and functional testing. @@ -104,4 +104,4 @@ --help command, doc-string and in line comments. ??? important ":checkered_flag: **Supported & Customizable**" - Commercially maintained and supported by [**_binbash_**](../../work-with-us/support.md). + Commercially maintained and supported by [**_binbash_**](/work-with-us/support/). diff --git a/docs/user-guide/infra-as-code-library/overview.md b/docs/user-guide/infra-as-code-library/overview.md index 3c1977afe..96e85197d 100644 --- a/docs/user-guide/infra-as-code-library/overview.md +++ b/docs/user-guide/infra-as-code-library/overview.md @@ -7,11 +7,11 @@ Dockerfiles, Helm charts and Makefiles. ## Model Our development model is strongly based on code reusability. -![infra-as-code-library](../../assets/images/diagrams/infra-as-code-library-specs.png "Leverage"){: style="width:750px"} +![infra-as-code-library](/assets/images/diagrams/infra-as-code-library-specs.png "Leverage"){: style="width:750px"} ## Reusability High level summary of the the code reusability efficiency. -![infra-as-code-library](../../assets/images/diagrams/infra-as-code-library-reuse.png "Leverage"){: style="width:750px"} +![infra-as-code-library](/assets/images/diagrams/infra-as-code-library-reuse.png "Leverage"){: style="width:750px"} !!! important "Considerations" 
@@ -23,4 +23,4 @@ High level summary of the the code reusability efficiency. ## Modules Infrastructure as Code (IaC) Library development and implementation workflow. -![infra-as-code-library](../../assets/images/diagrams/infra-as-code-library-workflow.png "Leverage"){: style="width:850px"} +![infra-as-code-library](/assets/images/diagrams/infra-as-code-library-workflow.png "Leverage"){: style="width:850px"} diff --git a/docs/user-guide/leverage-cli/extending-leverage/how-to-extend.md b/docs/user-guide/leverage-cli/extending-leverage/how-to-extend.md index ee4d54e80..071becb75 100644 --- a/docs/user-guide/leverage-cli/extending-leverage/how-to-extend.md +++ b/docs/user-guide/leverage-cli/extending-leverage/how-to-extend.md @@ -22,7 +22,7 @@ your configuration, reducing the risk of misconfigurations or errors. !!! info "Read More about `.tfvars` config files" In order to further understand this mechanism and how to use it please visit the dedicated - [.tfvars configs](../../ref-architecture-aws/configs.md) entry. + [.tfvars configs](../../ref-architecture-aws/configuration.md) entry. ## Custom tasks with build.py Leverage CLI has a native mechanism to allow customizing your workflow. With the custom tasks feature using `build.py`, diff --git a/docs/user-guide/leverage-cli/extending-leverage/tasks.md b/docs/user-guide/leverage-cli/extending-leverage/tasks.md index 73b891ef5..5f9eaab45 100644 --- a/docs/user-guide/leverage-cli/extending-leverage/tasks.md +++ b/docs/user-guide/leverage-cli/extending-leverage/tasks.md 
@@ -13,7 +13,7 @@ when interacting with your Leverage project and simplify the usage of any other ## Tasks Tasks are simple python functions that are marked as such with the use of the `@task()` decorator. We call the file where all tasks are defined a 'build script', and by default it is assumed to be named `build.py`. If you use any other name -for your build script, you can let Leverage know through the [global option `--filename`](../reference/basic-features.md). +for your build script, you can let Leverage know through the [global option `--filename`](../basic-features.md). ```python from leverage import task @@ -25,7 +25,7 @@ def copy_file(src, dst): ``` -The contents in the task's docstring are used to provide a short description of what's the task's purpose when [listing all available tasks](../reference/basic-features.md) to run. +The contents in the task's docstring are used to provide a short description of what's the task's purpose when [listing all available tasks](../basic-features.md) to run. ``` bash $ leverage --list-tasks @@ -124,7 +124,7 @@ Starting server at localhost:80 [09:38:32.825] [ build.py - ✔ Completed task start_server ] ``` -When [listing the available tasks](../reference/basic-features.md) any ignored task will be marked as such. +When [listing the available tasks](../basic-features.md) any ignored task will be marked as such. ``` bash $ leverage --list-tasks diff --git a/docs/user-guide/leverage-cli/overview.md b/docs/user-guide/leverage-cli/overview.md index 8193a70c8..bb163db7a 100644 --- a/docs/user-guide/leverage-cli/overview.md +++ b/docs/user-guide/leverage-cli/overview.md @@ -1,4 +1,4 @@ -![binbash-logo](../../assets/images/logos/binbash-leverage-header.png "binbash"){: style="width:800px"} +![binbash-logo](/assets/images/logos/binbash-leverage-header.png "binbash"){: style="width:800px"} # Leverage CLI 
diff --git a/docs/user-guide/leverage-cli/reference/credentials.md b/docs/user-guide/leverage-cli/reference/credentials.md index f276e0a2e..055e9116e 100644 --- a/docs/user-guide/leverage-cli/reference/credentials.md +++ b/docs/user-guide/leverage-cli/reference/credentials.md @@ -14,7 +14,7 @@ leverage credentials configure --type [BOOTSTRAP|MANAGEMENT|SECURITY] [options] The `credentials configure` command sets up the credentials needed to interact with the AWS environment, from the initial deployment process (`BOOTSTRAP`) to everyday management (`MANAGEMENT`) and development or use (`SECURITY`) of it. -It attempts to retrieve the structure of the organization in order to generate all the [AWS CLI profiles required to interact with the environment](../../user-guide/identities/credentials.md) and update the terraform configuration with the id of all relevant accounts. +It attempts to retrieve the structure of the organization in order to generate all the [AWS CLI profiles required to interact with the environment](/user-guide/identities/credentials.md) and update the terraform configuration with the id of all relevant accounts. Backups of the previous configured credentials files are always created when overwriting or updating the current ones. diff --git a/docs/user-guide/ref-architecture-ansible/overview.md b/docs/user-guide/ref-architecture-ansible/overview.md index edad79289..09870b4cb 100644 --- a/docs/user-guide/ref-architecture-ansible/overview.md +++ b/docs/user-guide/ref-architecture-ansible/overview.md 
@@ -8,29 +8,29 @@ files used to create _**binbash Leverage™**_ Reference Architecture for AWS. Check out the README.md under contained under each repo !!! important "Playbooks Documentation" - ![leverage-ansible](../../../assets/images/logos/ansible.png "Leverage"){: style="width:20px"} **User Management & Security** + ![leverage-ansible](/assets/images/logos/ansible.png "Leverage"){: style="width:20px"} **User Management & Security** - [x] [sec-users](https://github.com/binbashar/le-ansible-infra/blob/master/sec-users/README.md) - ![leverage-ansible](../../../assets/images/logos/ansible.png "Leverage"){: style="width:20px"} **VPN Server** + ![leverage-ansible](/assets/images/logos/ansible.png "Leverage"){: style="width:20px"} **VPN Server** - [x] [vpn-pritunl](https://github.com/binbashar/le-ansible-infra/blob/master/vpn-pritunl/README.md) - ![leverage-ansible](../../../assets/images/logos/ansible.png "Leverage"){: style="width:20px"} **Monitoring & Alerting** + ![leverage-ansible](/assets/images/logos/ansible.png "Leverage"){: style="width:20px"} **Monitoring & Alerting** - [x] [prometheus-grafana](https://github.com/binbashar/le-ansible-infra/blob/master/prometheus/README.md) - ![leverage-ansible](../../../assets/images/logos/ansible.png "Leverage"){: style="width:20px"} **Centralized Logs** + ![leverage-ansible](/assets/images/logos/ansible.png "Leverage"){: style="width:20px"} **Centralized Logs** - [x] [eskibana](https://github.com/binbashar/le-ansible-infra/blob/master/eskibana/README.md) - ![leverage-ansible](../../../assets/images/logos/ansible.png "Leverage"){: style="width:20px"} **CI/CD** + ![leverage-ansible](/assets/images/logos/ansible.png "Leverage"){: style="width:20px"} **CI/CD** - [x] [jenkins](https://github.com/binbashar/le-ansible-infra/blob/master/jenkins/README.md) - [x] [spinnaker](https://github.com/binbashar/le-ansible-infra/blob/master/spinnaker/README.md) - [x] 
[droneci](https://github.com/binbashar/le-ansible-infra/blob/master/droneci/README.md) - [x] [webhook](https://github.com/binbashar/le-ansible-infra/blob/master/webhook-proxy/README.md) - ![leverage-ansible](../../../assets/images/logos/ansible.png "Leverage"){: style="width:20px"} **Secret Mgmt** + ![leverage-ansible](/assets/images/logos/ansible.png "Leverage"){: style="width:20px"} **Secret Mgmt** - [x] [hashicorp-vault](https://github.com/binbashar/le-ansible-infra/blob/master/vault/README.md) diff --git a/docs/user-guide/ref-architecture-ansible/workflow.md b/docs/user-guide/ref-architecture-ansible/workflow.md index 1a7514bd1..8602713df 100644 --- a/docs/user-guide/ref-architecture-ansible/workflow.md +++ b/docs/user-guide/ref-architecture-ansible/workflow.md 
@@ -1,13 +1,13 @@ # Workflow !!! info "Leverage CLI" - - We rely on the [**`Leverage CLI`**](../leverage-cli/install-leverage-cli.md) as a wrapper to run ansible commands + - We rely on the [**`Leverage CLI`**](/leverage-cli/install-leverage-cli.md) as a wrapper to run ansible commands that consistently use the same config files and secrets. - - You are encouraged to read more about our [**`Leverage CLI`** how it works](../../how-it-works/leverage-cli/index.md) + - You are encouraged to read more about our [**`Leverage CLI`** how it works](/how-it-works/leverage-cli/index.md) section to better understand it. -!!! example "![leverage-ansible](../../../assets/images/logos/ansible.png "Leverage"){: style="width:20px"} [Ansible Infra](https://github.com/binbashar/le-ansible-infra)" +!!! example "![leverage-ansible](/assets/images/logos/ansible.png "Leverage"){: style="width:20px"} [Ansible Infra](https://github.com/binbashar/le-ansible-infra)" 1. Get into the folder that you need to work with (e.g. `ansible-playbook-vpn-pritunl`) 2. Run `leverage run init` to get all the necessary Ansible roles based on each `requirements.yml` 4. Make whatever changes you need to make as stated in each Playbook Documentation (check Documentation section above) diff --git a/docs/user-guide/ref-architecture-aws/configuration.md b/docs/user-guide/ref-architecture-aws/configuration.md index 81ca1cc25..1754393fa 100644 --- a/docs/user-guide/ref-architecture-aws/configuration.md +++ b/docs/user-guide/ref-architecture-aws/configuration.md 
@@ -24,7 +24,7 @@ - File `backend.tfvars` will inject the profile name that TF will use to make changes on AWS. - Such profile is usually one that relies on another profile to assume a role to get access to each corresponding account. - Please follow to correctly setup your AWS Credentials - - [user-guide/user-guide/identities](../user-guide/identities/identities.md) - - [user-guide/user-guide/identities/credentials](../user-guide/identities/credentials.md) + - [user-guide/user-guide/identities](/user-guide/identities/identities.md) + - [user-guide/user-guide/identities/credentials](/user-guide/identities/credentials.md) - Read the following page leverage doc to understand [how to set up a profile to assume a role](https://docs.aws.amazon.com/cli/latest/userguide/cli-roles.html) diff --git a/docs/user-guide/ref-architecture-aws/dir-structure.md b/docs/user-guide/ref-architecture-aws/dir-structure.md index cb2d44585..6d169ac64 100644 --- a/docs/user-guide/ref-architecture-aws/dir-structure.md +++ b/docs/user-guide/ref-architecture-aws/dir-structure.md 
@@ -155,18 +155,18 @@ The following block provides a brief explanation of the chosen files/folders lay └── 📂 tools-prometheus ``` -[Configuration files](configs.md) are organized by environments (e.g. dev, stg, prd), and service type, +[Configuration files](configuration.md) are organized by environments (e.g. dev, stg, prd), and service type, which we call **layers** (identities, organizations, storage, etc) to keep any changes made to them separate. Within each of those **layers** folders you should find the Terraform files that are used to define all the resources that belong to such account environment and specific layer. !!! info "Project file structure " An extended project file structure could be found - [here](../../../try-leverage/leverage-project-setup/#create-the-configured-project) + [here](../..//try-leverage/leverage-project-setup/#create-the-configured-project) While some other basic concepts and naming conventions in the context of Leverage like "project" and "layer" - [here](../../../how-it-works/ref-architecture/ref-architecture-aws/#structural-concepts) + [here](..//how-it-works/ref-architecture/ref-architecture-aws/#structural-concepts) -![binbash-logo](../../../assets/images/diagrams/ref-architecture-aws.png "binbash"){: style="width:950px"} +![binbash-logo](/assets/images/diagrams/ref-architecture-aws.png "binbash"){: style="width:950px"}
Figure: AWS Organization multi-account architecture diagram. (Source: binbash Leverage, diff --git a/docs/user-guide/ref-architecture-aws/features/cdn/cdn.md b/docs/user-guide/ref-architecture-aws/features/cdn/cdn.md index e4451d125..cf79c2a88 100644 --- a/docs/user-guide/ref-architecture-aws/features/cdn/cdn.md +++ b/docs/user-guide/ref-architecture-aws/features/cdn/cdn.md @@ -1,6 +1,6 @@ # CDN -!!! quote "![leverage-aws-ec2](../../../../assets/images/icons/aws-emojipack/NetworkingContentDelivery_AmazonCloudFront.png "Leverage"){: style="width:20px"} AWS Cloud Front" +!!! quote "![leverage-aws-ec2](/assets/images/icons/aws-emojipack/NetworkingContentDelivery_AmazonCloudFront.png "Leverage"){: style="width:20px"} AWS Cloud Front" [**Amazon CloudFront**](https://aws.amazon.com/cloudfront/) is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency, high transfer speeds, all within a developer-friendly environment. CloudFront is integrated with AWS – both physical locations that are directly connected to the AWS @@ -13,7 +13,7 @@ ## Load Balancer (ALB | NLB) & S3 Cloudfront Origins -![leverage-aws-cloudfront](../../../../assets/images/diagrams/aws-cloudfront-acm-elb-s3.png "Leverage"){: style="width:950px"} +![leverage-aws-cloudfront](/assets/images/diagrams/aws-cloudfront-acm-elb-s3.png "Leverage"){: style="width:950px"}
Figure: AWS CloudFront with ELB and S3 as origin diagram. (Source: Lee Atkinson, @@ -24,7 +24,7 @@ AWS Security Blog, accessed November 17th 2020). ## API Gateway Cloudfront Origins -![leverage-aws-cloudfront](../../../../assets/images/diagrams/aws-cloudfront-api-gw.png "Leverage"){: style="width:950px"} +![leverage-aws-cloudfront](/assets/images/diagrams/aws-cloudfront-api-gw.png "Leverage"){: style="width:950px"}
Figure: AWS CloudFront with API Gateway as origin diagram. (Source: AWS, diff --git a/docs/user-guide/ref-architecture-aws/features/ci-cd/ci-cd.md b/docs/user-guide/ref-architecture-aws/features/ci-cd/ci-cd.md index 3d5c4ea26..86b9270a4 100644 --- a/docs/user-guide/ref-architecture-aws/features/ci-cd/ci-cd.md +++ b/docs/user-guide/ref-architecture-aws/features/ci-cd/ci-cd.md @@ -1,7 +1,7 @@ # Continuous Integration / Continuous Delivery (CI/CD) ## Opt-1: Jenkins + ArgoCD -![leverage-ci-cd-argocd](../../../../assets/images/diagrams/ci-cd-argocd.png "Leverage"){: style="width:750px"} +![leverage-ci-cd-argocd](/assets/images/diagrams/ci-cd-argocd.png "Leverage"){: style="width:750px"}
Figure: ACI/CD with Jenkins + ArgoCD architecture diagram. @@ -12,7 +12,7 @@ ArgoCD documentation, accessed November 18th 2020).
## Opt-2: [Jenkins + Spinnaker](https://drive.google.com/file/d/1VtKHzBkw5a3zGKFwgI_2rllL9M7ceuCD/view?usp=sharing) -![leverage-ci-cd-spinnaker](../../../../assets/images/diagrams/ci-cd-spinnaker.png "Leverage"){: style="width:950px"} +![leverage-ci-cd-spinnaker](/assets/images/diagrams/ci-cd-spinnaker.png "Leverage"){: style="width:950px"}
Figure: CI/CD with Jenkins + Spinnaker diagram. diff --git a/docs/user-guide/ref-architecture-aws/features/ci-cd/k8s-argocd.md b/docs/user-guide/ref-architecture-aws/features/ci-cd/k8s-argocd.md index 7308c3041..947b21ff8 100644 --- a/docs/user-guide/ref-architecture-aws/features/ci-cd/k8s-argocd.md +++ b/docs/user-guide/ref-architecture-aws/features/ci-cd/k8s-argocd.md @@ -5,7 +5,7 @@ The below diagram is based on our [binbash Leverage Reference Architecture CI-CD official documentation](https://binbash.atlassian.net/wiki/external/1962410007/YWMxMmY1NzM4MmIyNDRmMDkxMDIwNDY3OWU4ZDYwZjA) -![leverage-aws-demoapps](../../../../assets/images/diagrams/aws-k8s-eks-ci-cd-argocd.png "Leverage"){: style="width:750px"} +![leverage-aws-demoapps](/assets/images/diagrams/aws-k8s-eks-ci-cd-argocd.png "Leverage"){: style="width:750px"}
Figure: K8S reference architecture CI/CD with ArgoCD diagram. (Source: binbash Leverage Confluence Doc, diff --git a/docs/user-guide/ref-architecture-aws/features/compute/k8s-eks.md b/docs/user-guide/ref-architecture-aws/features/compute/k8s-eks.md new file mode 100644 index 000000000..1a190fe34 --- /dev/null +++ b/docs/user-guide/ref-architecture-aws/features/compute/k8s-eks.md @@ -0,0 +1,4 @@ +# AWS Elastic Kubernetes Service (EKS) + +!!! info "Important" + This page has been moved [here](/user-guide/ref-architecture-eks/overview/). diff --git a/docs/user-guide/ref-architecture-aws/features/compute/k8s-kops.md b/docs/user-guide/ref-architecture-aws/features/compute/k8s-kops.md index 493f3068a..c0abaa274 100644 --- a/docs/user-guide/ref-architecture-aws/features/compute/k8s-kops.md +++ b/docs/user-guide/ref-architecture-aws/features/compute/k8s-kops.md @@ -16,7 +16,7 @@ The project describes itself as kubectl for clusters. - [x] Rolling cluster updates - [x] Supports heterogeneous clusters by creating multiple instance groups -![leverage-aws-k8s-kops](../../../../assets/images/diagrams/aws-k8s-kops.png "Leverage"){: style="width:950px"} +![leverage-aws-k8s-kops](/assets/images/diagrams/aws-k8s-kops.png "Leverage"){: style="width:950px"}
Figure: AWS K8s Kops architecture diagram (just as reference). @@ -65,7 +65,7 @@ Nclouds.com Blog post, accessed November 18th 2020). ``` #### Resulting Solutions Architecture -![leverage-aws-k8s-kops](../../../../assets/images/diagrams/aws-k8s-kops.png "Leverage"){: style="width:950px"} +![leverage-aws-k8s-kops](/assets/images/diagrams/aws-k8s-kops.png "Leverage"){: style="width:950px"}
Figure: AWS K8s Kops architecture diagram (just as reference).
@@ -84,7 +84,7 @@ fully customize any AWS component without having to alter our Kubernetes cluster 2. This is a fully declarative coding style approach to manage your infrastructure so being able to declare the state of our cluster in YAML files fits **100% as code & GitOps** based approach. -![leverage-aws-k8s-kops](../../../../assets/images/diagrams/aws-k8s-kops-tf.png "Leverage"){: style="width:950px"} +![leverage-aws-k8s-kops](/assets/images/diagrams/aws-k8s-kops-tf.png "Leverage"){: style="width:950px"}
Figure: [Workflow diagram](https://medium.com/bench-engineering/deploying-kubernetes-clusters-with-kops-and-terraform-832b89250e8e).
## Kops Cluster Management diff --git a/docs/user-guide/ref-architecture-aws/features/compute/k8s-service-mesh.md b/docs/user-guide/ref-architecture-aws/features/compute/k8s-service-mesh.md index c0507086a..387115b79 100644 --- a/docs/user-guide/ref-architecture-aws/features/compute/k8s-service-mesh.md +++ b/docs/user-guide/ref-architecture-aws/features/compute/k8s-service-mesh.md @@ -15,7 +15,7 @@ reliability to Kubernetes, without the complexity. CNCF-hosted and 100% open sou without introducing excessive latency. ### Architecture -![leverage-k8s-networking](../../../../assets/images/diagrams/k8s-linkerd-control-plane.png "Leverage"){: style="width:750px"} +![leverage-k8s-networking](/assets/images/diagrams/k8s-linkerd-control-plane.png "Leverage"){: style="width:750px"}
Figure: Figure: Linkerd v2.10 architecture diagram. (Source: Linkerd official documentation, @@ -25,7 +25,7 @@ Linkerd Doc, accessed June 14th 2021).
### Dashboard -![leverage-k8s-networking](../../../../assets/images/diagrams/k8s-linkerd-dashboard.png "Leverage"){: style="width:750px"} +![leverage-k8s-networking](/assets/images/diagrams/k8s-linkerd-dashboard.png "Leverage"){: style="width:750px"}
Figure: Figure: Linkerd v2.10 dashboard. (Source: Linkerd official documentation, diff --git a/docs/user-guide/ref-architecture-aws/features/compute/overview.md b/docs/user-guide/ref-architecture-aws/features/compute/overview.md index 37c0697ae..c36a59fbd 100644 --- a/docs/user-guide/ref-architecture-aws/features/compute/overview.md +++ b/docs/user-guide/ref-architecture-aws/features/compute/overview.md @@ -15,7 +15,7 @@ Clusters will be provisioned with [**_Kops_**](https://github.com/kubernetes/kop [**_AWS EKS_**](https://aws.amazon.com/eks/), which are solutions meant to orchestrate this compute engine in AWS. Whenever possible the initial version deployed will be the latest stable release. -![leverage-k8s-architecture](../../../../assets/images/diagrams/k8s-architecture.png "Leverage"){: style="width:700"} +![leverage-k8s-architecture](/assets/images/diagrams/k8s-architecture.png "Leverage"){: style="width:700"}
Figure: Kubernetes high level components architecture. diff --git a/docs/user-guide/ref-architecture-aws/features/compute/serverless.md b/docs/user-guide/ref-architecture-aws/features/compute/serverless.md index 60110d1e6..5a8e12b6a 100644 --- a/docs/user-guide/ref-architecture-aws/features/compute/serverless.md +++ b/docs/user-guide/ref-architecture-aws/features/compute/serverless.md @@ -16,7 +16,7 @@ As stated by [AWS Serverless definitions](https://aws.amazon.com/serverless/) about managing and operating servers or runtimes, either in the cloud or on-premises. This reduced overhead lets developers reclaim time and energy that can be spent on developing great products which scale and that are reliable. -![leverage-aws-serverless](../../../../assets/images/diagrams/aws-serverless.png "Leverage"){: style="width:950px"} +![leverage-aws-serverless](/assets/images/diagrams/aws-serverless.png "Leverage"){: style="width:950px"}
Figure: AWS serverless architecture diagram (just as reference). @@ -26,7 +26,7 @@ As stated by [AWS Serverless definitions](https://aws.amazon.com/serverless/) Containers-on-AWS Medium Blog post, accessed November 18th 2020).
-!!! info "Serverless Compute ![aws-service](../../../../assets/images/icons/aws-emojipack/General_AWScloud.png){: style="width:30px"} Services" +!!! info "Serverless Compute ![aws-service](/assets/images/icons/aws-emojipack/General_AWScloud.png){: style="width:30px"} Services" * [x] [AWS Lambda](https://aws.amazon.com/lambda/) lets you run code without provisioning or managing servers. You pay only for the compute time you consume - there is no charge when your code is not running. * [x] [Lambda@Edge](https://aws.amazon.com/lambda/edge/) allows you to run Lambda functions at AWS Edge locations in diff --git a/docs/user-guide/ref-architecture-aws/features/costs/costs.md b/docs/user-guide/ref-architecture-aws/features/costs/costs.md index 78c2a17d4..b5a1b1c95 100644 --- a/docs/user-guide/ref-architecture-aws/features/costs/costs.md +++ b/docs/user-guide/ref-architecture-aws/features/costs/costs.md @@ -2,7 +2,7 @@ ## Opportunity to optimize resources -!!! tip "![leverage-aws-ec2](../../../../assets/images/icons/aws-emojipack/Compute_AmazonEC2.png "Leverage"){: style="width:20px"} Compute" +!!! tip "![leverage-aws-ec2](/assets/images/icons/aws-emojipack/Compute_AmazonEC2.png "Leverage"){: style="width:20px"} Compute" * Usage of reserved EC2 instances for stable workloads (AWS Cost Explorer Reserved Optimization | Compute Optimizer - get a -$ of up to 42% vs On-Demand) * Usage of Spot EC2 instances for fault-tolerant workloads (-$ by up to 90%). 
@@ -11,10 +11,10 @@ * Compute Savings Plans to reduce EC2, Fargate and Lambda $ (Compute Savings Plans OK regardless of EC2 family, size, AZ, reg, OS or tenancy, OK for Fargate / Lambda too). -!!! tip "![leverage-aws-rds](../../../../assets/images/icons/aws-emojipack/Database_AmazonRDS.png "Leverage"){: style="width:20px"} Databases" +!!! tip "![leverage-aws-rds](/assets/images/icons/aws-emojipack/Database_AmazonRDS.png "Leverage"){: style="width:20px"} Databases" * Usage of reserved RDS instances for stable workload databases. -!!! tip "![leverage-aws-cw](../../../../assets/images/icons/aws-emojipack/ManagementTools_AmazonCloudWatch.png "Leverage"){: style="width:20px"} Monitoring & Automation" +!!! tip "![leverage-aws-cw](/assets/images/icons/aws-emojipack/ManagementTools_AmazonCloudWatch.png "Leverage"){: style="width:20px"} Monitoring & Automation" * AWS billing alarms + AWS Budget (forecasted account cost / RI Coverage) Notifications to Slack * Activate AWS Trusted Advisor cost related results * Id EBS w/ low-utiliz and -$ by snapshotting and then rm them @@ -23,7 +23,7 @@ * Setup Lambda nuke to automatically clean up AWS account resources. * Setup lambda scheduler for stop and start resources on AWS (EC2, ASG & RDS) -!!! tip "![leverage-aws-s3](../../../../assets/images/icons/aws-emojipack/Storage_AmazonS3.png "Leverage"){: style="width:20px"} Storage & Network Traffic" +!!! tip "![leverage-aws-s3](/assets/images/icons/aws-emojipack/Storage_AmazonS3.png "Leverage"){: style="width:20px"} Storage & Network Traffic" * Check S3 usage and -$ by leveraging lower $ storage tiers. * Use S3 Analytics, or automate mv for these objects into lower $ storage tier w/ Life Cycle Policies or w/ S3 Intelligent-Tiering. diff --git a/docs/user-guide/ref-architecture-aws/features/identities/credentials-vault.md b/docs/user-guide/ref-architecture-aws/features/identities/credentials-vault.md index 6de193c49..7b236735d 100644 
--- a/docs/user-guide/ref-architecture-aws/features/identities/credentials-vault.md +++ b/docs/user-guide/ref-architecture-aws/features/identities/credentials-vault.md @@ -82,7 +82,7 @@ to show an example using the Github personal access token, one of our supported Open your preferred web browser choose Github auth method and paste your GH token and you'll be able to login to your instance. -![leverage-vault-ui-auth](../../../../assets/images/screenshots/vault-ui-auth-github.png "Leverage"){: style="width:1200px"} +![leverage-vault-ui-auth](/assets/images/screenshots/vault-ui-auth-github.png "Leverage"){: style="width:1200px"}
Figure: Vault HCP UI user authentication screen. (Source: binbash Leverage, diff --git a/docs/user-guide/ref-architecture-aws/features/identities/identities.md b/docs/user-guide/ref-architecture-aws/features/identities/identities.md index f328f3283..527c2e8de 100644 --- a/docs/user-guide/ref-architecture-aws/features/identities/identities.md +++ b/docs/user-guide/ref-architecture-aws/features/identities/identities.md @@ -52,7 +52,7 @@ afterwards in your [`project-security`](https://github.com/binbashar/le-tf-infra --- :ledger: Source | :earth_americas: [AWS Documentation IAM User Guide | Activating and deactivating AWS STS in an AWS Region](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) -![leverage-aws-iam-roles](../../../../assets/images/screenshots/aws-iam-sts-regions.png "Leverage"){: style="width:900px"} +![leverage-aws-iam-roles](/assets/images/screenshots/aws-iam-sts-regions.png "Leverage"){: style="width:900px"} **Figure:** *Deactivating AWS STS in not in use AWS Region. Only in used Regions must have STS activated.* diff --git a/docs/user-guide/ref-architecture-aws/features/identities/overview.md b/docs/user-guide/ref-architecture-aws/features/identities/overview.md index 7fc7a2f53..7636b3e7c 100644 --- a/docs/user-guide/ref-architecture-aws/features/identities/overview.md +++ b/docs/user-guide/ref-architecture-aws/features/identities/overview.md 
@@ -4,7 +4,7 @@ Having this [official AWS resource](https://d0.awsstatic.com/aws-answers/AWS_Multi_Account_Security_Strategy.pdf) as reference we've define a security account structure for managing multiple accounts. -!!! tip "User Management Definitions ![aws-service](../../../../assets/images/icons/aws-emojipack/General_AWScloud.png){: style="width:30px"} ![aws-service](../../../../assets/images/icons/aws-emojipack/SecurityIdentityCompliance_IAM.png){: style="width:15px"}" +!!! tip "User Management Definitions ![aws-service](/assets/images/icons/aws-emojipack/General_AWScloud.png){: style="width:30px"} ![aws-service](/assets/images/icons/aws-emojipack/SecurityIdentityCompliance_IAM.png){: style="width:15px"}" * [x] IAM users will strictly be created and centralized in the Security account (member accounts IAM Users could be exceptionally created for very specific tools that still don’t support IAM roles for cross-account auth). * [x] All access to resources within the Client organization will be assigned via policy documents attached to IAM roles or groups. * [x] All IAM roles and groups will have the least privileges required to properly work. @@ -20,7 +20,7 @@ as reference we've define a security account structure for managing multiple ac of AWS-based deployments, centralize security monitoring and management, manage identity and access, and provide audit and compliance monitoring services -![leverage-aws-iam](../../../../assets/images/diagrams/aws-iam.png "Leverage"){: style="width:600px"} +![leverage-aws-iam](/assets/images/diagrams/aws-iam.png "Leverage"){: style="width:600px"}
Figure: AWS Organization Security account structure for managing multiple accounts (just as reference). diff --git a/docs/user-guide/ref-architecture-aws/features/identities/roles.md b/docs/user-guide/ref-architecture-aws/features/identities/roles.md index e10d1880f..975535edd 100644 --- a/docs/user-guide/ref-architecture-aws/features/identities/roles.md +++ b/docs/user-guide/ref-architecture-aws/features/identities/roles.md @@ -1,6 +1,6 @@ # IAM Roles -!!! info "What are AWS IAM Roles? ![aws-service](../../../../assets/images/icons/aws-emojipack/General_AWScloud.png){: style="width:30px"} ![aws-service](../../../../assets/images/icons/aws-emojipack/SecurityIdentityCompliance_IAM.png){: style="width:15px"}" +!!! info "What are AWS IAM Roles? ![aws-service](/assets/images/icons/aws-emojipack/General_AWScloud.png){: style="width:30px"} ![aws-service](/assets/images/icons/aws-emojipack/SecurityIdentityCompliance_IAM.png){: style="width:15px"}" For the Leverage AWS Reference Architecture we heavily depend on **AWS IAM roles**, which is a standalone IAM entity that: @@ -28,7 +28,7 @@ ## How IAM roles work? -![leverage-aws-iam-roles](../../../../assets/images/diagrams/aws-iam-role-cross-account.png "Leverage"){: style="width:600px"} +![leverage-aws-iam-roles](/assets/images/diagrams/aws-iam-role-cross-account.png "Leverage"){: style="width:600px"}
Figure: Example of AWS cross-account AWS access. @@ -94,7 +94,7 @@ AWS Security Blog, accessed November 17th 2020). first authenticate to AWS using some other mechanism. For example, for an IAM user to assume an IAM role, the workflow looks like this: -![leverage-aws-iam-roles](../../../../assets/images/diagrams/aws-iam-role-assume.png "Leverage"){: style="width:900px"} +![leverage-aws-iam-roles](/assets/images/diagrams/aws-iam-role-assume.png "Leverage"){: style="width:900px"}
Figure: Assuming an AWS IAM role. diff --git a/docs/user-guide/ref-architecture-aws/features/index.md b/docs/user-guide/ref-architecture-aws/features/index.md index cc26bc3de..3c0b00454 100644 --- a/docs/user-guide/ref-architecture-aws/features/index.md +++ b/docs/user-guide/ref-architecture-aws/features/index.md @@ -1,4 +1,4 @@ -![binbash-logo](../../../../assets/images/logos/binbash-leverage-header.png "binbash"){: style="width:800px"} +![binbash-logo](/assets/images/logos/binbash-leverage-header.png "binbash"){: style="width:800px"} # Features @@ -8,7 +8,7 @@ This reference architecture supports a growing number of AWS services. This sect ## Governance | AWS Organizations - [x] [Overview](organization/overview.md) - [x] [Configuration](organization/configuration.md) -- [x] [Invite pre-exiting accounts to AWS Organizations](organization/organization-legacy-accounts.md) +- [x] [Invite pre-exiting accounts to AWS Organizations](organization/legacy-accounts.md) ## Identity Management - [x] [GPG Keys](identities/gpg.md) @@ -17,13 +17,13 @@ This reference architecture supports a growing number of AWS services. This sect - [x] [Hashicorp Vault Credentials](identities/credentials-vault.md) ## Single Sign-On (SSO) -- [x] [AWS SSO + Jumpcloud IdP](sso/sso.md) +- [x] [AWS SSO + Jumpcloud IdP](sso/overview.md) ## Cost Monitoring & Optimization - [x] [Costs](costs/costs.md) ## Security -- [X] [Security Services](security/services.md) +- [X] [Security Services](security/overview.md) - [X] [VPN | Pritunl](security/vpn.md) ## Networking | VPC, TGW, NFW, DNS and NACLs @@ -63,5 +63,5 @@ This reference architecture supports a growing number of AWS services. This sect ## Reliability - [X] [Bakcups](reliability/backups.md) -- [x] [Health-Checks](reliability/health-checks.md) +- [x] [Health-Checks](./) - [X] [Disaster Recovery](reliability/dr.md) 
diff --git a/docs/user-guide/ref-architecture-aws/features/monitoring/logs.md b/docs/user-guide/ref-architecture-aws/features/monitoring/logs.md index c2bb00ad4..b5877a86b 100644 --- a/docs/user-guide/ref-architecture-aws/features/monitoring/logs.md +++ b/docs/user-guide/ref-architecture-aws/features/monitoring/logs.md @@ -10,7 +10,7 @@ request logs, application error logs. Access logs on AWS based resources can be stored in a centralized bucket for that purpose, on the security account and given the need these can be streamed to Elasticsearch as well if needed. -![leverage-monitoring](../../../../assets/images/diagrams/monitoring-metrics-logs.png "Leverage"){: style="width:750px"} +![leverage-monitoring](/assets/images/diagrams/monitoring-metrics-logs.png "Leverage"){: style="width:750px"}
Figure: Monitoring metrics and log architecture diagram (just as reference). (Source: binbash Leverage, diff --git a/docs/user-guide/ref-architecture-aws/features/monitoring/metrics.md b/docs/user-guide/ref-architecture-aws/features/monitoring/metrics.md index f38bfdc23..d77bd51c2 100644 --- a/docs/user-guide/ref-architecture-aws/features/monitoring/metrics.md +++ b/docs/user-guide/ref-architecture-aws/features/monitoring/metrics.md @@ -16,7 +16,7 @@ Prometheus and [AWS CloudWatch metrics](https://docs.aws.amazon.com/AmazonCloudW include a library in your own application that provides you with the ability to create an endpoint that publishes certain metrics about your own application, that we can graph or alert based on them. -![leverage-monitoring](../../../../assets/images/diagrams/monitoring-metrics-logs.png "Leverage"){: style="width:750px"} +![leverage-monitoring](/assets/images/diagrams/monitoring-metrics-logs.png "Leverage"){: style="width:750px"}
Figure: Monitoring metrics and log architecture diagram (just as reference). (Source: binbash Leverage, @@ -33,7 +33,7 @@ binbash Leverage Doc, accessed November 18th 2020). Grafana as well, and build dashboards that integrate these metrics and even do some intelligence on them coming from multiple origins. -![leverage-monitoring](../../../../assets/images/screenshots/monitoring-metrics-k8s-cluster.png){: style="width:750px"} +![leverage-monitoring](/assets/images/screenshots/monitoring-metrics-k8s-cluster.png){: style="width:750px"}
Figure: Grafana K8s cluster metrics monitoring dashboard reference screenshot. (Source: DevOpsProdigy, @@ -42,7 +42,7 @@ binbash Leverage Doc, accessed November 18th 2020). Grafana plugins, accessed November 18th 2020).
-![leverage-monitoring](../../../../assets/images/screenshots/monitoring-metrics-k8s-nodes.png "Leverage"){: style="width:750px"} +![leverage-monitoring](/assets/images/screenshots/monitoring-metrics-k8s-nodes.png "Leverage"){: style="width:750px"}
Figure: Grafana K8s cluster metrics monitoring dashboard reference screenshot. (Source: DevOpsProdigy, @@ -56,7 +56,7 @@ Grafana plugins, accessed November 18th 2020). engine configured, because we can have really customize and specify alerts. We can have them as code in their extremely readable syntax. Example: -![leverage-monitoring](../../../../assets/images/screenshots/monitoring-metrics-alerts.png "Leverage"){: style="width:750px"} +![leverage-monitoring](/assets/images/screenshots/monitoring-metrics-alerts.png "Leverage"){: style="width:750px"}
Figure: Prometheus Alert Manager `CriticalRamUsage` alert screenshot (just as reference). (Source: binbash Leverage). diff --git a/docs/user-guide/ref-architecture-aws/features/monitoring/tracing.md b/docs/user-guide/ref-architecture-aws/features/monitoring/tracing.md index 2bc6c3be2..f4310ddb8 100644 --- a/docs/user-guide/ref-architecture-aws/features/monitoring/tracing.md +++ b/docs/user-guide/ref-architecture-aws/features/monitoring/tracing.md @@ -5,7 +5,7 @@ especially those built using a microservices architecture. Distributed tracing helps pinpoint where failures occur and what causes poor performance. -![leverage-monitoring](../../../../assets/images/diagrams/monitoring-tracing.png "Leverage"){: style="width:750px"} +![leverage-monitoring](/assets/images/diagrams/monitoring-tracing.png "Leverage"){: style="width:750px"}
Figure: Figure: Distributed tracing architecture diagram (just as reference). (Source: binbash Leverage, diff --git a/docs/user-guide/ref-architecture-aws/features/network/dns.md b/docs/user-guide/ref-architecture-aws/features/network/dns.md index a55bc1804..31d15ead9 100644 --- a/docs/user-guide/ref-architecture-aws/features/network/dns.md +++ b/docs/user-guide/ref-architecture-aws/features/network/dns.md @@ -2,14 +2,14 @@ ## How it works -!!! info "![aws-service](../../../../assets/images/icons/aws-emojipack/General_AWScloud.png){: style="width:30px"} ![aws-service](../../../../assets/images/icons/aws-emojipack/NetworkingContentDelivery_AmazonRoute53.png){: style="width:20px"} Route53 Considerations" +!!! info "![aws-service](/assets/images/icons/aws-emojipack/General_AWScloud.png){: style="width:30px"} ![aws-service](/assets/images/icons/aws-emojipack/NetworkingContentDelivery_AmazonRoute53.png){: style="width:20px"} Route53 Considerations" - [x] **Route53** private hosted zone will have associations with VPCs on different AWS organization accounts - [x] **Route53** should ideally be hosted in the Shared account, although sometimes Route53 is already deployed in a Legacy account where it can be imported and fully supported as code. - [x] **Route53** [zero downtime migration](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-migrating.html) (active-active hosted zones) is completely possible and achievable with Leverage terraform code -![leverage-aws-dns](../../../../assets/images/diagrams/aws-route53.png "Leverage"){: style="width:800px"} +![leverage-aws-dns](/assets/images/diagrams/aws-route53.png "Leverage"){: style="width:800px"}
Figure: AWS Organization shared account Route53 DNS diagram. (Source: Cristian Southall, @@ -21,14 +21,14 @@ Abstractable.io Blog post, accessed November 18th 2020). ## User guide !!! done "pre-requisites" - * :gear: Review & update [**configs**](../../ref-architecture-aws/configs.md) - * :gear: Review & understand the [**workflow**](../../ref-architecture-aws/workflow.md) + * :gear: Review & update [**configs**](/user-guide/ref-architecture-aws/configuration.md) + * :gear: Review & understand the [**workflow**](/user-guide/ref-architecture-aws/workflow.md) !!! example "Steps" 1. **DNS** service has to be orchestrated from [`/shared/global/base-dns`](https://github.com/binbashar/le-tf-infra-aws/tree/master/shared/global/base-dns) layer - following the standard [workflow](../../ref-architecture-aws/workflow.md) + following the standard [workflow](/user-guide/ref-architecture-aws/workflow.md) ### Migrated AWS Route53 Hosted Zones between AWS Accounts diff --git a/docs/user-guide/ref-architecture-aws/features/network/tgw-topology.md b/docs/user-guide/ref-architecture-aws/features/network/tgw-topology.md index c07fca7ab..b34db5284 100644 --- a/docs/user-guide/ref-architecture-aws/features/network/tgw-topology.md +++ b/docs/user-guide/ref-architecture-aws/features/network/tgw-topology.md @@ -3,7 +3,7 @@ ## Transit Gateway ### Dedicated TGW Network Account Architecture -![leverage-aws-tgw](../../../../assets/images/diagrams/aws-tgw.png "Leverage"){: style="width:1600px"} +![leverage-aws-tgw](/assets/images/diagrams/aws-tgw.png "Leverage"){: style="width:1600px"}
Figure: Multi-account dedicated network transit gateway architecture diagram. (Source: binbash Leverage, diff --git a/docs/user-guide/ref-architecture-aws/features/network/vpc-addressing.md b/docs/user-guide/ref-architecture-aws/features/network/vpc-addressing.md index 4756c31f2..56088b713 100644 --- a/docs/user-guide/ref-architecture-aws/features/network/vpc-addressing.md +++ b/docs/user-guide/ref-architecture-aws/features/network/vpc-addressing.md @@ -88,7 +88,7 @@ subnets in each of these VPCs defining Private and Public subnets split among di ### Considerations -- Kubernetes on EKS General Requirements for Network Layer: [**K8s EKS Networking | VPC Adressing**](../compute/k8s-eks/vpc-addressing.md) +- Kubernetes on EKS General Requirements for Network Layer: [**K8s EKS Networking | VPC Adressing**](/user-guide/ref-architecture-eks/vpc/) ## User guide diff --git a/docs/user-guide/ref-architecture-aws/features/network/vpc-peering.md b/docs/user-guide/ref-architecture-aws/features/network/vpc-peering.md index dbd05ab2b..2f56c05cf 100644 --- a/docs/user-guide/ref-architecture-aws/features/network/vpc-peering.md +++ b/docs/user-guide/ref-architecture-aws/features/network/vpc-peering.md @@ -8,7 +8,7 @@ TODO # Diagram: Network Service (cross-account [VPC peering](https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html)) -![leverage-aws-vpc-peering](../../../../assets/images/diagrams/aws-vpc-peering-1.png "Leverage"){: style="width:300px"} +![leverage-aws-vpc-peering](/assets/images/diagrams/aws-vpc-peering-1.png "Leverage"){: style="width:300px"}
Figure: AWS multi account Organization VPC peering diagram. (Source: AWS, @@ -17,7 +17,7 @@ TODO AWS Documentation Amazon VPC User Guide, accessed November 18th 2020).
-![leverage-aws-vpc-peering](../../../../assets/images/diagrams/aws-vpc-peering-2.png "Leverage"){: style="width:300px"} +![leverage-aws-vpc-peering](/assets/images/diagrams/aws-vpc-peering-2.png "Leverage"){: style="width:300px"}
Figure: AWS multi account Organization peering detailed diagram. (Source: AWS, diff --git a/docs/user-guide/ref-architecture-aws/features/network/vpc-topology.md b/docs/user-guide/ref-architecture-aws/features/network/vpc-topology.md index 61914a9c2..8a16e760c 100644 --- a/docs/user-guide/ref-architecture-aws/features/network/vpc-topology.md +++ b/docs/user-guide/ref-architecture-aws/features/network/vpc-topology.md @@ -29,7 +29,7 @@ traffic goes to those instances, the NAT device translates the address back to those instances’ private IPv4 addresses. -![leverage-aws-vpc-ngw](../../../../assets/images/diagrams/aws-vpc-nat-gateway.png "Leverage"){: style="width:900px"} +![leverage-aws-vpc-ngw](/assets/images/diagrams/aws-vpc-nat-gateway.png "Leverage"){: style="width:900px"}
Figure: VPC topology diagram. (Source: AWS, @@ -38,7 +38,7 @@ AWS Documentation Amazon VPC User Guide, accessed November 18th 2020).
-![leverage-aws-vpc-ngw-ha](../../../../assets/images/diagrams/aws-vpc-nat-gateway-ha.png "Leverage"){: style="width:900px"} +![leverage-aws-vpc-ngw-ha](/assets/images/diagrams/aws-vpc-nat-gateway-ha.png "Leverage"){: style="width:900px"}
Figure: VPC topology diagram with multiple Nat Gateways for HA. (Source: Andreas Wittig, diff --git a/docs/user-guide/ref-architecture-aws/features/network/vpc-traffic-out.md b/docs/user-guide/ref-architecture-aws/features/network/vpc-traffic-out.md index 48ca24b08..8cb4020c1 100644 --- a/docs/user-guide/ref-architecture-aws/features/network/vpc-traffic-out.md +++ b/docs/user-guide/ref-architecture-aws/features/network/vpc-traffic-out.md @@ -26,7 +26,7 @@ [Centralized Network Firewall deployment model](https://aws.amazon.com/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall/), North-South: Centralized internet egress (VPC to internet via Transit Gateway) and NAT gateway. -![leverage-aws-tgw](../../../../assets/images/diagrams/aws-tgw-nfw.png "Leverage"){: style="width:1600px"} +![leverage-aws-tgw](/assets/images/diagrams/aws-tgw-nfw.png "Leverage"){: style="width:1600px"}
Figure: Multi-account dedicated network transit gateway + network firewall architecture diagram. (Source: binbash Leverage, diff --git a/docs/user-guide/ref-architecture-aws/features/organization/billing.md b/docs/user-guide/ref-architecture-aws/features/organization/billing.md index 07f74bb27..032380056 100644 --- a/docs/user-guide/ref-architecture-aws/features/organization/billing.md +++ b/docs/user-guide/ref-architecture-aws/features/organization/billing.md @@ -4,7 +4,7 @@ Each month AWS charges your payer **Root Account** for all the linked accounts in a consolidated bill. The following illustration shows an example of a consolidated bill. -![leverage-aws-org](../../../../assets/images/diagrams/aws-organizations-scp.png "Leverage"){: style="width:750px"} +![leverage-aws-org](/assets/images/diagrams/aws-organizations-scp.png "Leverage"){: style="width:750px"}
Figure: AWS Organization Multi-Account structure (just as reference). (Source: Andreas Wittig, @@ -13,7 +13,7 @@ The following illustration shows an example of a consolidated bill. Cloudonaut.io Blog, accessed November 18th 2020).
-![leverage-aws-org](../../../../assets/images/diagrams/aws-organizations-billing.png "Leverage"){: style="width:750px"} +![leverage-aws-org](/assets/images/diagrams/aws-organizations-billing.png "Leverage"){: style="width:750px"}
Figure: AWS Organization Multi-Account billing structure (just as reference). (Source: AWS, diff --git a/docs/user-guide/ref-architecture-aws/features/organization/configuration.md b/docs/user-guide/ref-architecture-aws/features/organization/configuration.md index 13a8a48b5..a17ed380a 100644 --- a/docs/user-guide/ref-architecture-aws/features/organization/configuration.md +++ b/docs/user-guide/ref-architecture-aws/features/organization/configuration.md @@ -53,13 +53,13 @@ the aliases automatically implicitly when running Terraform's Leverage code. 3. Via AWS Web Console: in `project-management` account create `mgmt-org-admin` IAM user AWS ACCESS KEYS - :ledger: **NOTE:** This could be created all in one in the previous step (Nº 2). - ![leverage-org](../../../../assets/images/screenshots/aws-iam-org-mgmt-admin-user-permissions.png "Leverage"){: style="width:950px"} + ![leverage-org](/assets/images/screenshots/aws-iam-org-mgmt-admin-user-permissions.png "Leverage"){: style="width:950px"}
Figure: AWS Web Console screenshot. (Source: binbash, "AWs Organization management account init IAM admin user", accessed June 16th 2021).
- ![leverage-org](../../../../assets/images/screenshots/aws-iam-org-mgmt-admin-user-keys.png "Leverage"){: style="width:950px"} + ![leverage-org](/assets/images/screenshots/aws-iam-org-mgmt-admin-user-keys.png "Leverage"){: style="width:950px"}
Figure: AWS Web Console screenshot. (Source: binbash, "AWs Organization management account init IAM admin user", accessed June 16th 2021). @@ -112,7 +112,7 @@ the aliases automatically implicitly when running Terraform's Leverage code. layer via `Leverage CLI` on your security account for consolidated and centralized User Mgmt and access to the AWS Org. - 4. [AWS Organizations: invite pre-existing (legacy) accounts](./organization-legacy-accounts.md) + 4. [AWS Organizations: invite pre-existing (legacy) accounts](./legacy-accounts.md) - :ledger: Pending to document the debug mode for the mfa script diff --git a/docs/user-guide/ref-architecture-aws/features/organization/legacy-accounts.md b/docs/user-guide/ref-architecture-aws/features/organization/legacy-accounts.md index 56fa6a059..ed73c804d 100644 --- a/docs/user-guide/ref-architecture-aws/features/organization/legacy-accounts.md +++ b/docs/user-guide/ref-architecture-aws/features/organization/legacy-accounts.md @@ -1,8 +1,8 @@ # Managing legacy (pre-existing) accounts !!! help "How it works" - :books: [**documentation:** organization](../../../../how-it-works/user-guide/organization/organization/) + :books: [**documentation:** organization](../..//how-it-works/user-guide/organization/organization/) - :books: [**documentation:** organization accounts](../../../../how-it-works/user-guide/organization/accounts/) + :books: [**documentation:** organization accounts](../..//how-it-works/user-guide/organization/accounts/) ## User guide diff --git a/docs/user-guide/ref-architecture-aws/features/organization/overview.md b/docs/user-guide/ref-architecture-aws/features/organization/overview.md index bca29797c..82714df44 100644 --- a/docs/user-guide/ref-architecture-aws/features/organization/overview.md +++ b/docs/user-guide/ref-architecture-aws/features/organization/overview.md 
@@ -36,7 +36,7 @@ The following block provides a brief explanation of the chosen AWS Organization ... ``` -![leverage-aws-org](../../../../assets/images/diagrams/ref-architecture-aws-landing-zone-full.png "Leverage"){: style="width:750px"} +![leverage-aws-org](/assets/images/diagrams/ref-architecture-aws-landing-zone-full.png "Leverage"){: style="width:750px"}
Figure: AWS Organization multi-account architecture diagram (just as reference). (Source: binbash Leverage, diff --git a/docs/user-guide/ref-architecture-aws/features/reliability/backups.md b/docs/user-guide/ref-architecture-aws/features/reliability/backups.md index 40dfa16ac..37873b8f4 100644 --- a/docs/user-guide/ref-architecture-aws/features/reliability/backups.md +++ b/docs/user-guide/ref-architecture-aws/features/reliability/backups.md @@ -20,7 +20,7 @@ and retention management. AWS Backup provides a fully managed, policy-based backup solution, simplifying your backup management, enabling you to meet your business and regulatory backup compliance requirements. -![leverage-aws-backup](../../../../assets/images/diagrams/aws-backup.png "Leverage"){: style="width:950px"} +![leverage-aws-backup](/assets/images/diagrams/aws-backup.png "Leverage"){: style="width:950px"}
Figure: AWS Backup service diagram (just as reference). (Source: AWS, @@ -28,11 +28,11 @@ AWS Documentation, accessed November 18th 2020).
-## ![leverage-aws-s3](../../../../assets/images/icons/aws-emojipack/Storage_AmazonS3.png "Leverage"){: style="width:30px"} S3 bucket region replication -* ![leverage-aws-s3](../../../../assets/images/icons/aws-emojipack/Storage_AmazonS3_bucket.png "Leverage"){: style="width:20px"} +## ![leverage-aws-s3](/assets/images/icons/aws-emojipack/Storage_AmazonS3.png "Leverage"){: style="width:30px"} S3 bucket region replication +* ![leverage-aws-s3](/assets/images/icons/aws-emojipack/Storage_AmazonS3_bucket.png "Leverage"){: style="width:20px"} Buckets that hold data critical to business or to application operation can be replicated to another region almost synchronously. -* ![leverage-aws-s3](../../../../assets/images/icons/aws-emojipack/Storage_AmazonS3_bucket.png "Leverage"){: style="width:20px"} +* ![leverage-aws-s3](/assets/images/icons/aws-emojipack/Storage_AmazonS3_bucket.png "Leverage"){: style="width:20px"} This can be setup on request to increase durability and along with database backup can constitute the base for a Business Continuity strategy. diff --git a/docs/user-guide/ref-architecture-aws/features/reliability/dr.md b/docs/user-guide/ref-architecture-aws/features/reliability/dr.md index 4de66a716..ddc8d9be1 100644 --- a/docs/user-guide/ref-architecture-aws/features/reliability/dr.md +++ b/docs/user-guide/ref-architecture-aws/features/reliability/dr.md @@ -38,7 +38,7 @@ After deciding RTO and RPO we have options available to achieve the time objecti that is available, this can even be performed automatically with Route53 or other DNS services that provide health check mechanisms as well as load balancing. -![leverage-aws-dr](../../../../assets/images/diagrams/aws-route53-dns-dr.png "Leverage"){: style="width:800px"} +![leverage-aws-dr](/assets/images/diagrams/aws-route53-dns-dr.png "Leverage"){: style="width:800px"}
Figure: 2 sets of app instances, each behind an elastic load balancer in two separate regions (just as reference). (Source: Randika Rathugamage, @@ -47,7 +47,7 @@ After deciding RTO and RPO we have options available to achieve the time objecti Medium blogpost, accessed December 1st 2020).
-![leverage-aws-dr](../../../../assets/images/diagrams/aws-route53-dns-health-checks.png "Leverage"){: style="width:800px"} +![leverage-aws-dr](/assets/images/diagrams/aws-route53-dns-health-checks.png "Leverage"){: style="width:800px"}
Figure: AWS calculated — or parent — health check, we can fail on any number of child health checks (just as reference). (Source: Simon Tabor, diff --git a/docs/user-guide/ref-architecture-aws/features/reliability/high-availability.md b/docs/user-guide/ref-architecture-aws/features/reliability/high-availability.md index cbfe7a310..2899104e5 100644 --- a/docs/user-guide/ref-architecture-aws/features/reliability/high-availability.md +++ b/docs/user-guide/ref-architecture-aws/features/reliability/high-availability.md @@ -6,7 +6,7 @@ It keeps an AWS environment reliable. Using logs and metrics from CloudWatch, designing a system where the failures themselves trigger recovery is the way to move forward. -![leverage-aws-reliability](../../../../assets/images/diagrams/aws-reliability-ha-recovery-failure.png "Leverage"){: style="width:750px"} +![leverage-aws-reliability](/assets/images/diagrams/aws-reliability-ha-recovery-failure.png "Leverage"){: style="width:750px"}
Figure: AWS HA architecture diagrams (just as reference).
## Recovery Procedures @@ -17,7 +17,7 @@ that can be done using these insights. Real points of failure are exploited and the way the environment reacts to the emergency shows just how reliable the system it. -![leverage-aws-reliability](../../../../assets/images/diagrams/aws-reliability-ha-recovery-procs.png "Leverage"){: style="width:750px"} +![leverage-aws-reliability](/assets/images/diagrams/aws-reliability-ha-recovery-procs.png "Leverage"){: style="width:750px"}
Figure: AWS HA architecture diagrams (just as reference).
## Scalability and Availability @@ -27,7 +27,7 @@ measures. Of course, multiple redundancies require good management and maintenance for them to remain active through the environment’s lifecycle. -![leverage-aws-reliability](../../../../assets/images/diagrams/aws-reliability-ha-recovery-scaling.png "Leverage"){: style="width:750px"} +![leverage-aws-reliability](/assets/images/diagrams/aws-reliability-ha-recovery-scaling.png "Leverage"){: style="width:750px"}
Figure: AWS HA scalable architecture diagrams (just as reference).
## Healthchecks & Self-healing diff --git a/docs/user-guide/ref-architecture-aws/features/security/audit-cloudtrail.md b/docs/user-guide/ref-architecture-aws/features/security/audit-cloudtrail.md index f95c6e5d1..cf732af30 100644 --- a/docs/user-guide/ref-architecture-aws/features/security/audit-cloudtrail.md +++ b/docs/user-guide/ref-architecture-aws/features/security/audit-cloudtrail.md @@ -13,14 +13,14 @@ giving you control over storage, analysis, and remediation actions. time will be available through a centralized S3 bucket.
- ![Cloudtrail Diagram](../../../../assets/images/diagrams/aws-cloudtrail.svg){ width="600" } + ![Cloudtrail Diagram](/assets/images/diagrams/aws-cloudtrail.svg){ width="600" }
Figure: AWS CloudTrail components architecture diagram (just as reference). (Source: binbash Leverage diagrams, accessed July 6th 2022).
-!!! example "![leverage-tf](../../../../assets/images/logos/terraform.png "Terraform"){: style="width:25px"} IaC Terraform Codebase <>" +!!! example "![leverage-tf](/assets/images/logos/terraform.png "Terraform"){: style="width:25px"} IaC Terraform Codebase <>" - [x] `binbash-management` account | Audit: Cloudtrail - **Code:** [management/us-east-1/security-audit](https://github.com/binbashar/le-tf-infra-aws/tree/master/management/us-east-1/security-audit) - [x] `binbash-security` account | Audit: Cloudtrail & S3 Bucket diff --git a/docs/user-guide/ref-architecture-aws/features/security/certificates.md b/docs/user-guide/ref-architecture-aws/features/security/certificates.md index 7b621f814..4b369f6a2 100644 --- a/docs/user-guide/ref-architecture-aws/features/security/certificates.md +++ b/docs/user-guide/ref-architecture-aws/features/security/certificates.md @@ -28,7 +28,7 @@ With AWS Certificate Manager Private Certificate Authority, you pay monthly for the operation of the private CA and for the private certificates you issue."_ -![leverage-aws-acm](../../../../assets/images/diagrams/aws-acm.png "Leverage ACM"){: style="width:450px"} +![leverage-aws-acm](/assets/images/diagrams/aws-acm.png "Leverage ACM"){: style="width:450px"}
Figure: AWS certificate manager (ACM) service integration diagram. (Source: AWS, @@ -50,7 +50,7 @@ AWS Documentation Amazon ACM User Guide, accessed August 4th 2021). - [x] It is loosely based upon the work of kube-lego and has borrowed some wisdom from other similar projects such as kube-cert-manager. -![leverage-aws-vpc-peering](../../../../assets/images/diagrams/cert-manager.svg "Leverage Cert-manager"){: style="width:800px"} +![leverage-aws-vpc-peering](/assets/images/diagrams/cert-manager.svg "Leverage Cert-manager"){: style="width:800px"}
Figure: Certificate manager high level components architecture diagram. (Source: Cert-manager official documentation, diff --git a/docs/user-guide/ref-architecture-aws/features/security/firewall-manager.md b/docs/user-guide/ref-architecture-aws/features/security/firewall-manager.md index 26baba314..de7e59393 100644 --- a/docs/user-guide/ref-architecture-aws/features/security/firewall-manager.md +++ b/docs/user-guide/ref-architecture-aws/features/security/firewall-manager.md @@ -1,6 +1,6 @@ # Firewall Manager -![Firewall Manager Service](../../../../assets/images/diagrams/aws-fms.png) +![Firewall Manager Service](/assets/images/diagrams/aws-fms.png) ## Use Cases diff --git a/docs/user-guide/ref-architecture-aws/features/security/iam-access-analyzer.md b/docs/user-guide/ref-architecture-aws/features/security/iam-access-analyzer.md index fdde311f7..db016f886 100644 --- a/docs/user-guide/ref-architecture-aws/features/security/iam-access-analyzer.md +++ b/docs/user-guide/ref-architecture-aws/features/security/iam-access-analyzer.md @@ -13,7 +13,7 @@ Supported resource types: - [x] Amazon Simple Queue Service queues - [x] AWS Secrets Manager secrets -![leverage-vpn](../../../../assets/images/diagrams/aws-iam-access-analyzer.png "Leverage"){: style="width:650px"} +![leverage-vpn](/assets/images/diagrams/aws-iam-access-analyzer.png "Leverage"){: style="width:650px"}
Figure: AWS IAM access analysis features. (Source: AWS, @@ -50,7 +50,7 @@ AWS Documentation, accessed June 11th 2021). ``` ## AWS Web Console -![leverage-security-iam](../../../../assets/images/screenshots/aws-iam-access-analyzer.png "Leverage"){: style="width:950px"} +![leverage-security-iam](/assets/images/screenshots/aws-iam-access-analyzer.png "Leverage"){: style="width:950px"}
Figure: AWS Web Console screenshot. (Source: binbash, "IAM access analyzer service", accessed June 11th 2021). diff --git a/docs/user-guide/ref-architecture-aws/features/security/overview.md b/docs/user-guide/ref-architecture-aws/features/security/overview.md index 0edb3cd9e..de11d2a2f 100644 --- a/docs/user-guide/ref-architecture-aws/features/security/overview.md +++ b/docs/user-guide/ref-architecture-aws/features/security/overview.md 
@@ -1,32 +1,32 @@ # Security ## Supported AWS Security Services -- [x] ![aws-service](../../../../assets/images/icons/aws-emojipack/SecurityIdentityCompliance_IAM.png){: style="width:30px"} +- [x] ![aws-service](/assets/images/icons/aws-emojipack/SecurityIdentityCompliance_IAM.png){: style="width:30px"} **AWS IAM Access Analyzer:** Generates comprehensive findings that identify resources policies for public or cross-account accessibility, monitors and helps you refine permissions. Provides the highest levels of security assurance. -- [x] ![aws-service](../../../../assets/images/icons/aws-emojipack/SecurityIdentityCompliance_Config.png){: style="width:30px"} +- [x] ![aws-service](/assets/images/icons/aws-emojipack/SecurityIdentityCompliance_Config.png){: style="width:30px"} **AWS Config:** Tracks changes made to AWS resources over time, making possible to return to a previous state. Monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired compliance rule set. Adds accountability factor. -- [x] ![aws-service](../../../../assets/images/icons/aws-emojipack/SecurityIdentityCompliance_CloudTrail.png){: style="width:30px"} +- [x] ![aws-service](/assets/images/icons/aws-emojipack/SecurityIdentityCompliance_CloudTrail.png){: style="width:30px"} **AWS Cloudtrail:** Stores logs over all calls made to AWS APIs, coming from web console, command line or any other. Allowing us to monitor it via CW Dashboards and notifications. -- [x] ![aws-service](../../../../assets/images/icons/aws-emojipack/NetworkingContentDelivery_AmazonVPC_flowlogs.png){: style="width:30px"} +- [x] ![aws-service](/assets/images/icons/aws-emojipack/NetworkingContentDelivery_AmazonVPC_flowlogs.png){: style="width:30px"} **AWS VPC Flow Logs:** Enables us to examine individual Network Interfaces logs, to address network issues and also monitor suspicious behavior. 
-- [x] ![aws-service](../../../../assets/images/icons/aws-emojipack/SecurityIdentityCompliance_AWSWAF.png){: style="width:30px"} +- [x] ![aws-service](/assets/images/icons/aws-emojipack/SecurityIdentityCompliance_AWSWAF.png){: style="width:30px"} **AWS Web Application Firewall:** Optional but if not used, it is recommended that a similar service is used, such as Cloudflare. When paired to an Application Load Balancer or Cloudfront distribution, it checks incoming requests to detect and block OWASP Top10 attacks, such as SQL injection, XSS and others. -- [x] ![aws-service](../../../../assets/images/icons/aws-emojipack/SecurityIdentityCompliance_AmazonInspector.png){: style="width:30px"} +- [x] ![aws-service](/assets/images/icons/aws-emojipack/SecurityIdentityCompliance_AmazonInspector.png){: style="width:30px"} **AWS Inspector:** Is an automated security assessment service that helps improve the security and compliance of infrastructure and applications deployed on AWS. -- [x] ![aws-service](../../../../assets/images/icons/aws-emojipack/SecurityIdentityCompliance_AmazonGuardDuty.png){: style="width:30px"} +- [x] ![aws-service](/assets/images/icons/aws-emojipack/SecurityIdentityCompliance_AmazonGuardDuty.png){: style="width:30px"} **AWS GuardDuty:** Is a managed [threat](https://youtu.be/czsuZXQvD8E?t=947) detection service that continuously monitors for malicious or unauthorized behavior to help you protect your AWS accounts and workloads. Detects unusual API calls or potentially unauthorized deployments (possible account compromise) and potentially compromised instances or reconnaissance by attackers. -- [x] ![aws-service](../../../../assets/images/icons/aws-emojipack/ManagementTools_AmazonCloudWatch.png){: style="width:30px"} +- [x] ![aws-service](/assets/images/icons/aws-emojipack/ManagementTools_AmazonCloudWatch.png){: style="width:30px"} **AWS Security Logs** Other access logs from client-facing resources will be stored in the Security account. 
-- [x] ![aws-service](../../../../assets/images/icons/aws-emojipack/AWS_Firewall_Manager.png){: style="width:30px"} +- [x] ![aws-service](/assets/images/icons/aws-emojipack/AWS_Firewall_Manager.png){: style="width:30px"} **AWS Firewall Manager** Is a security management service which allows you to centrally configure and manage firewall rules across your accounts and applications in AWS Organizations. This service lets you build firewall rules, create security policies, and enforce them in a consistent, hierarchical manner across your entire infrastructure, from a central administrator account. diff --git a/docs/user-guide/ref-architecture-aws/features/security/vpn.md b/docs/user-guide/ref-architecture-aws/features/security/vpn.md index 6b81a201a..d6203e554 100644 --- a/docs/user-guide/ref-architecture-aws/features/security/vpn.md +++ b/docs/user-guide/ref-architecture-aws/features/security/vpn.md @@ -14,7 +14,7 @@ 2. Each VPN user can be required to use MFA to connect via VPN (as well as strong passwords). This combination makes almost impossible for an outsider to gain access via VPN. 3. Centralized access and audit logs. -![leverage-vpn](../../../../assets/images/diagrams/ref-architecture-vpn.png "Leverage"){: style="width:650px"} +![leverage-vpn](/assets/images/diagrams/ref-architecture-vpn.png "Leverage"){: style="width:650px"}
Figure: Securing access to a private network with Pritunl diagram. (Source: Pritunl, diff --git a/docs/user-guide/ref-architecture-aws/features/sso/configuration.md b/docs/user-guide/ref-architecture-aws/features/sso/configuration.md index 0261a025f..e505870a4 100644 --- a/docs/user-guide/ref-architecture-aws/features/sso/configuration.md +++ b/docs/user-guide/ref-architecture-aws/features/sso/configuration.md @@ -6,7 +6,7 @@ Before deploying your AWS SSO definition in the project, it will first have to b !!! note ":books: [Prerequisites](https://docs.aws.amazon.com/singlesignon/latest/userguide/prereqs.html)" !!! info ":books: [Enable AWS SSO](https://docs.aws.amazon.com/singlesignon/latest/userguide/step1.html)" -After that, choosing and configuring an Identity Provider (IdP) is the next step. For this, we will make use of JumpCloud, as described in the [how it works](../../../how-it-works/user-guide/sso/sso.md) section. These resources point to all requirements and procedures to have your JumpCloud account setup and synched with AWS SSO: +After that, choosing and configuring an Identity Provider (IdP) is the next step. For this, we will make use of JumpCloud, as described in the [how it works](/user-guide/sso/overview/) section. These resources point to all requirements and procedures to have your JumpCloud account setup and synched with AWS SSO: !!! info ":books: [AWS JumpCloud support guide](https://docs.aws.amazon.com/singlesignon/latest/userguide/jumpcloud-idp.html)" !!! info ":books: [JumpCloud guide on how to configure as IdP for AWS SSO](https://docs.aws.amazon.com/singlesignon/latest/userguide/jumpcloud-idp.html)" diff --git a/docs/user-guide/ref-architecture-aws/features/sso/overview.md b/docs/user-guide/ref-architecture-aws/features/sso/overview.md index 080ac0ac4..e7e3fd0f4 100644 --- a/docs/user-guide/ref-architecture-aws/features/sso/overview.md +++ b/docs/user-guide/ref-architecture-aws/features/sso/overview.md 
@@ -7,7 +7,7 @@ JumpCloud will be configured as the Identity Provider (IdP) that we will integra in order to grant users access to AWS resources from a centralized service. Users will be able to log in to JumpCloud in order to access AWS accounts, using specific permission sets that will in turn determine what kind of actions they are allowed on AWS resources. -![leverage-aws-sso](../../../../assets/images/diagrams/aws-sso.png "Leverage"){: style="width:750px"} +![leverage-aws-sso](/assets/images/diagrams/aws-sso.png "Leverage"){: style="width:750px"}
Figure: AWS Organization with SSO + JumpCloud IdP diagram. (Source: binbash Leverage, diff --git a/docs/user-guide/ref-architecture-aws/features/storage/storage.md b/docs/user-guide/ref-architecture-aws/features/storage/storage.md index 18b8a6ec9..f3a48db42 100644 --- a/docs/user-guide/ref-architecture-aws/features/storage/storage.md +++ b/docs/user-guide/ref-architecture-aws/features/storage/storage.md @@ -6,7 +6,7 @@ We will review all S3 buckets in the existing account to determine if it’s nec evaluate existing bucket policy and tightening permissions to be absolutely minimum required for users and applications. As for EBS volumes, our recommendation is to create all encrypted by default. Overhead created by this process is negligible. -## ![leverage-aws-s3](../../../../assets/images/icons/aws-emojipack/Storage_AmazonS3.png "Leverage"){: style="width:30px"} S3 buckets +## ![leverage-aws-s3](/assets/images/icons/aws-emojipack/Storage_AmazonS3.png "Leverage"){: style="width:30px"} S3 buckets !!! important "Tech specs" * [x] **Encryption:** Yes (by default) @@ -25,7 +25,7 @@ As for EBS volumes, our recommendation is to create all encrypted by default. Ov | S3 Glacier Deep Archive | Archiving rarely accessed data with a default retrieval time of 12 hours | 99.999999999% | 99.99% (after you restore objects) | >= 3 | 180 days | 40 KB | Per GB retrieval fees apply. You must first restore archived objects before you can access them. For more information, see Restoring archived objects. | | RRS (Not recommended) | Frequently accessed, non-critical data | 99.99% | 99.99% | >= 3 | None | None | None | -## ![leverage-aws-ebs](../../../../assets/images/icons/aws-emojipack/Storage_AmazonEBS.png "Leverage"){: style="width:25px"} EBS Volumes +## ![leverage-aws-ebs](/assets/images/icons/aws-emojipack/Storage_AmazonEBS.png "Leverage"){: style="width:25px"} EBS Volumes !!! Important "Tech specs" * [x] **Backups:** Periodic EBS snapshots with retention policy 
diff --git a/docs/user-guide/ref-architecture-aws/overview.md b/docs/user-guide/ref-architecture-aws/overview.md index e99d2c260..e40796f36 100644 --- a/docs/user-guide/ref-architecture-aws/overview.md +++ b/docs/user-guide/ref-architecture-aws/overview.md @@ -31,7 +31,7 @@ Each individual configuration of the Reference Architecture is referred to as a ## A More Visual Example The following diagram shows the type of AWS multi-account setup you can achieve by using this Reference Architecture: -![leverage-aws-org](../../../assets/images/diagrams/ref-architecture-aws.png "Leverage"){: style="width:950px"} +![leverage-aws-org](/assets/images/diagrams/ref-architecture-aws.png "Leverage"){: style="width:950px"}
Figure: AWS Organization multi-account reference architecture diagram. (Source: binbash Leverage, "Leverage Reference Architecture components", binbash Leverage Doc, accessed August 4th 2021).
diff --git a/docs/user-guide/ref-architecture-aws/tf-state.md b/docs/user-guide/ref-architecture-aws/tf-state.md index 4c8cff63a..7b4998f68 100644 --- a/docs/user-guide/ref-architecture-aws/tf-state.md +++ b/docs/user-guide/ref-architecture-aws/tf-state.md @@ -6,7 +6,7 @@ Use this terraform configuration files to create the **S3 bucket** & **DynamoDB* !!! info "What is the Terraform Remote State?" Read the [official definition](https://developer.hashicorp.com/terraform/language/state/remote) by Hashicorp. -![leverage-ref-arch-tf](../../../assets/images/diagrams/terraform-aws-s3-backend.png "Leverage"){: style="width:350px"} +![leverage-ref-arch-tf](/assets/images/diagrams/terraform-aws-s3-backend.png "Leverage"){: style="width:350px"}
Figure: Terraform remote state store & locking necessary AWS S3 bucket and DynamoDB table components. @@ -19,11 +19,11 @@ Terraform modules registry, accessed December 3rd 2020). ## Prerequisites !!! example "Terraform repo structure + state backend initialization" - 1. Ensure you have [`Leverage CLI`](../../user-guide/leverage-cli/overview.md) installed in your system + 1. Ensure you have [`Leverage CLI`](/user-guide/leverage-cli/overview.md) installed in your system 2. Refer to [Configuration Pre-requisites](./configuration.md) to understand how to set up the configuration files required for this layer. Where you must build your [Terraform Reference Architecture account structure](features/organization/overview.md) - 3. Leveraged by the [Infrastructure as Code (IaC) Library](../../user-guide/infra-as-code-library/overview.md) through the + 3. Leveraged by the [Infrastructure as Code (IaC) Library](/user-guide/infra-as-code-library/overview.md) through the [terraform-aws-tfstate-backend module](https://registry.terraform.io/modules/binbashar/tfstate-backend/aws/latest) - [/management/base-tf-backend](https://github.com/binbashar/le-tf-infra-aws/tree/master/root/us-east-1/base-tf-backend) - [/security/base-tf-backend](https://github.com/binbashar/le-tf-infra-aws/tree/master/security/us-east-1/base-tf-backend) diff --git a/docs/user-guide/ref-architecture-aws/workflow.md b/docs/user-guide/ref-architecture-aws/workflow.md index 7aa3924ee..110f9cbd5 100644 --- a/docs/user-guide/ref-architecture-aws/workflow.md +++ b/docs/user-guide/ref-architecture-aws/workflow.md @@ -43,7 +43,7 @@ Now, the extended workflow is annotated with more explanations and it is intende rest of our tools and practices like CI/CD, in ## Running in Automation -![leverage-aws-terraform](../../../assets/images/diagrams/aws-terraform-automation.png "Terraform"){: style="width:350"} +![leverage-aws-terraform](/assets/images/diagrams/aws-terraform-automation.png "Terraform"){: style="width:350"}
Figure: Running terraform with AWS in automation (just as reference).
!!! info "Read More" diff --git a/docs/user-guide/ref-architecture-eks/components.md b/docs/user-guide/ref-architecture-eks/components.md index 2560f94a0..7f2ed6a2d 100644 --- a/docs/user-guide/ref-architecture-eks/components.md +++ b/docs/user-guide/ref-architecture-eks/components.md @@ -1,14 +1,14 @@ # Components ## Overview -![leverage-aws-eks](../../../assets/images/diagrams/ref-architecture-eks.png "Leverage"){: style="width:750px"} +![leverage-aws-eks](/assets/images/diagrams/ref-architecture-eks.png "Leverage"){: style="width:750px"}
Figure: K8S EKS reference architecture components diagram. (Source: binbash Leverage Confluence Doc, "Implementation Diagrams", binbash Leverage Doc, accessed January 5th 2022).
## Components List -![leverage-aws-eks-detailed](../../../assets/images/diagrams/ref-architecture-eks-components.png "Leverage"){: style="width:750px"} +![leverage-aws-eks-detailed](/assets/images/diagrams/ref-architecture-eks-components.png "Leverage"){: style="width:750px"}
Figure: K8S EKS reference architecture detailed components diagram. (Source: binbash Leverage Confluence Doc, "Implementation Diagrams", binbash Leverage Doc, accessed January 5th 2022). diff --git a/docs/user-guide/ref-architecture-eks/overview.md b/docs/user-guide/ref-architecture-eks/overview.md index 5934e6483..6961d7ac1 100644 --- a/docs/user-guide/ref-architecture-eks/overview.md +++ b/docs/user-guide/ref-architecture-eks/overview.md @@ -13,7 +13,7 @@ to run **Kubernetes** on AWS without needing to install and operate your own Kub - [x] Built with the Community: AWS actively works with the Kubernetes community, including making contributions to the Kubernetes code base helping you take advantage of AWS services. -![leverage-aws-eks](../../../../../assets/images/diagrams/aws-k8s-eks.png "Leverage"){: style="width:950px"} +![leverage-aws-eks](/assets/images/diagrams/aws-k8s-eks.png "Leverage"){: style="width:950px"}
Figure: AWS K8s EKS architecture diagram (just as reference). diff --git a/docs/user-guide/ref-architecture-vault/configs.md b/docs/user-guide/ref-architecture-vault/configs.md index 5ca2e804a..71f3cc687 100644 --- a/docs/user-guide/ref-architecture-vault/configs.md +++ b/docs/user-guide/ref-architecture-vault/configs.md @@ -16,8 +16,8 @@ - File `backend.tfvars` will inject the profile name that TF will use to make changes on AWS. - Such profile is usually one that relies on another profile to assume a role to get access to each corresponding account. - Please follow to correctly setup your AWS Credentials - - [user-guide/user-guide/identities](../user-guide/identities/identities.md) - - [user-guide/user-guide/identities/credentials](../user-guide/identities/credentials.md) + - [user-guide/user-guide/identities](/user-guide/identities/identities.md) + - [user-guide/user-guide/identities/credentials](/user-guide/identities/credentials.md) - Read the following page leverage doc to understand [how to set up a profile to assume a role](https://docs.aws.amazon.com/cli/latest/userguide/cli-roles.html) diff --git a/docs/user-guide/ref-architecture-vault/tf-state-workflow.md b/docs/user-guide/ref-architecture-vault/tf-state-workflow.md index 54159112b..3998bb5be 100644 --- a/docs/user-guide/ref-architecture-vault/tf-state-workflow.md +++ b/docs/user-guide/ref-architecture-vault/tf-state-workflow.md @@ -4,7 +4,7 @@ Use this terraform configuration files to create the **S3 bucket** & **DynamoDB** table needed to use Terraform Remote State Storage & Locking. -![leverage-ref-arch-tf](../../assets/images/diagrams/terraform-aws-s3-backend.png "Leverage"){: style="width:350px"} +![leverage-ref-arch-tf](/assets/images/diagrams/terraform-aws-s3-backend.png "Leverage"){: style="width:350px"}
Figure: Terraform remote state store & locking necessary AWS S3 bucket and DynamoDB table components. @@ -17,10 +17,10 @@ Terraform modules registry, accessed December 3rd 2020). ## Prerequisites !!! example "Terraform repo structure + state backend initialization" - 1. Ensure you have [`Leverage CLI`](../../how-it-works/leverage-cli/index.md) installed in your system - 2. Refer to [Configuration Pre-requisites](./configs.md) to understand how to set up the + 1. Ensure you have [`Leverage CLI`](/how-it-works/leverage-cli/index.md) installed in your system + 2. Refer to [Configuration Pre-requisites](./) to understand how to set up the configuration files required for this layer. - 3. Leveraged by the [Infrastructure as Code (IaC) Library](../../how-it-works/infra-as-code-library/index.md) through the + 3. Leveraged by the [Infrastructure as Code (IaC) Library](/how-it-works/infra-as-code-library/index.md) through the [terraform-aws-tfstate-backend module](https://registry.terraform.io/modules/binbashar/tfstate-backend/aws/latest) - [/aws/base-tf-backend](https://github.com/binbashar/le-tf-vault/tree/master/aws/base-tf-backend) - [/hcp/base-tf-backend](https://github.com/binbashar/le-tf-vault/tree/master/hcp/base-tf-backend) diff --git a/docs/user-guide/ref-architecture-vault/workflow.md b/docs/user-guide/ref-architecture-vault/workflow.md index 03dee7164..349873b2f 100644 --- a/docs/user-guide/ref-architecture-vault/workflow.md +++ b/docs/user-guide/ref-architecture-vault/workflow.md 
@@ -5,12 +5,12 @@ 1. Make sure you've read and prepared your local development environment following the [Overview base-configurations](../index.md) section. 2. Depending in which Terraform Ref Architecture repo you are working, please review and assure you meet - all the [terraform aws pre-requisites](./configs.md) or + all the [terraform aws pre-requisites](./) or [terraform vault pre-requisites](./dir-structure.md) - [x] [Remote State](tf-state-workflow.md) - [x] Configuration files - - [x] [AWS Profile and credentials](../user-guide/identities/credentials.md) - - [x] [Vault token secret](../user-guide/identities/credentials-vault.md) + - [x] [AWS Profile and credentials](/user-guide/identities/credentials.md) + - [x] [Vault token secret](/user-guide/identities/credentials-vault.md) 3. Get into the folder that you need to work with (e.g. `2_identities`) 4. Run `leverage terraform init` 5. Make whatever changes you need to make @@ -25,7 +25,7 @@ rest of our tools and practices like CI/CD, in ## Running in Automation -![leverage-aws-terraform](../../assets/images/diagrams/aws-terraform-automation.png "Terraform"){: style="width:350"} +![leverage-aws-terraform](/assets/images/diagrams/aws-terraform-automation.png "Terraform"){: style="width:350"}
Figure: Running terraform with AWS in automation (just as reference).
## Read More diff --git a/docs/work-with-us/archived/team.md.back b/docs/work-with-us/archived/team.md.back index a31c27d2a..be9a81bfd 100644 --- a/docs/work-with-us/archived/team.md.back +++ b/docs/work-with-us/archived/team.md.back @@ -9,7 +9,7 @@ title: binbash Leverage [comment]: <> (!!! info "[Marcos Pagnucco | Co-Founder & DevOps Cloud Engineer @ binbash](https://www.linkedin.com/in/pagnucco/)") -[comment]: <> ( ![team](../assets/images/team/marcos.pagnucco.bwc.png "Leverage-team"){: style="width:150px"}) +[comment]: <> ( ![team](/assets/images/team/marcos.pagnucco.bwc.png "Leverage-team"){: style="width:150px"}) [comment]: <> ( - [x] Devops specialist and SRE with lots of experience on Cloud Infrastructure.) @@ -27,7 +27,7 @@ title: binbash Leverage [comment]: <> (!!! info "[Exequiel Barrirero | Co-Founder & DevOps Cloud Engineer @ binbash](https://www.linkedin.com/in/barrireroexequiel/)") -[comment]: <> ( ![team](../assets/images/team/exequiel.barrirero.bwc.png "Leverage-team"){: style="width:150px"}) +[comment]: <> ( ![team](/assets/images/team/exequiel.barrirero.bwc.png "Leverage-team"){: style="width:150px"}) [comment]: <> ( - [x] IT passionate Telecommunications Engineer with over 10 years of) @@ -47,7 +47,7 @@ title: binbash Leverage [comment]: <> (!!! info "[Diego Armando Ojeda | DevOps Cloud Solutions & Software Architecture Consultant @ binbash](https://www.linkedin.com/in/diegoaojeda/)") -[comment]: <> ( ![team](../assets/images/team/diego.ojeda.bwc.png "Leverage-team"){: style="width:150px"}) +[comment]: <> ( ![team](/assets/images/team/diego.ojeda.bwc.png "Leverage-team"){: style="width:150px"}) [comment]: <> ( - [x] **DevOps Cloud Solutions:** plenty of experience with AWS, Kubernetes, Terraform, Ansible, Docker, Jenkins, ) 
@@ -61,7 +61,7 @@ title: binbash Leverage [comment]: <> (!!! info "[Luis Gallardo | Cloud Solutions Architect @ binbash](https://www.linkedin.com/in/lgallard/)") -[comment]: <> ( ![team](../assets/images/team/luis.gallardo.bwc.png "Leverage-team"){: style="width:150px"}) +[comment]: <> ( ![team](/assets/images/team/luis.gallardo.bwc.png "Leverage-team"){: style="width:150px"}) [comment]: <> ( - [x] Teach Lead & Solutions Architect. Terraform expert, AWS & K8s Certified. Focus on integration of several) @@ -95,7 +95,7 @@ title: binbash Leverage [comment]: <> (!!! info "[Angelo Fenoglio | Software Engineer @ binbash](https://www.linkedin.com/in/angelofenoglio/)") -[comment]: <> ( ![team](../assets/images/team/angelo.fenoglio.bwc.png "Leverage-team"){: style="width:150px"}) +[comment]: <> ( ![team](/assets/images/team/angelo.fenoglio.bwc.png "Leverage-team"){: style="width:150px"}) [comment]: <> ( - [x] Sofware Engineer. Senior Python developer. Cybersecurity and DevOps enthusiast.) @@ -103,7 +103,7 @@ title: binbash Leverage [comment]: <> (!!! info "[Carolina Rey | Emotional Intelligence Coach @ binbash](https://www.linkedin.com/in/caroreyp/)") -[comment]: <> ( ![team](../assets/images/team/carolina.rey.bwc.png "Leverage-team"){: style="width:140px"}) +[comment]: <> ( ![team](/assets/images/team/carolina.rey.bwc.png "Leverage-team"){: style="width:140px"}) [comment]: <> ( - [x] Emotional coaching to binbash Leverage leadership team members.) 
@@ -119,13 +119,13 @@ title: binbash Leverage [comment]: <> (!!! info "[Marcelo Beresvil | CFO & BizDev Manager @ binbash](https://www.linkedin.com/in/marceloberesvil/)") -[comment]: <> ( ![team](../assets/images/team/marcelo.beresvil.bwc.png "Leverage-team"){: style="width:150px"}) +[comment]: <> ( ![team](/assets/images/team/marcelo.beresvil.bwc.png "Leverage-team"){: style="width:150px"}) [comment]: <> ( - [x] Chief Financial Officer & Business Development Manager) [comment]: <> (!!! info "[Patricia Charlier | Project Manager @ binbash](https://www.linkedin.com/in/patricia-charlier-653bb23b/)") -[comment]: <> ( ![team](../assets/images/team/patricia.charlier.bwc.png "Leverage-team"){: style="width:150px"}) +[comment]: <> ( ![team](/assets/images/team/patricia.charlier.bwc.png "Leverage-team"){: style="width:150px"}) [comment]: <> ( - [x] Project Manager (PM)) diff --git a/docs/work-with-us/archived/testimonials.md.back b/docs/work-with-us/archived/testimonials.md.back index 1fbe335b7..707b5fd69 100644 --- a/docs/work-with-us/archived/testimonials.md.back +++ b/docs/work-with-us/archived/testimonials.md.back @@ -4,7 +4,7 @@ !!! info "[Yury Yakubchyk | Founder, Investor, Board Member & Advisor @ Multiple US Industries](https://www.linkedin.com/in/yuryyak/)" - ![testimonial](../assets/images/testimonials/yury.yakubchyk.bwc.png "Leverage-Testimonial"){: style="width:150px"} + ![testimonial](/assets/images/testimonials/yury.yakubchyk.bwc.png "Leverage-Testimonial"){: style="width:150px"} - 🌎 **Company website:** [lifehousehotels.com](https://www.lifehousehotels.com/) - 🌎 **Company website:** [joinsprouttherapy.com](https://www.joinsprouttherapy.com/) 
@@ -18,7 +18,7 @@ !!! info "[Alejandro Parise | Founder & CEO @ Latam & North America EdTech Industry](https://www.linkedin.com/in/aleparise/)" - ![testimonial](../assets/images/testimonials/alejandro.parise.bwc.png "Leverage-Testimonial"){: style="width:150px"} + ![testimonial](/assets/images/testimonials/alejandro.parise.bwc.png "Leverage-Testimonial"){: style="width:150px"} 🌎 **Company website:** [e-valuados.com](https://e-valuados.com/) @@ -32,7 +32,7 @@ !!! info "[Martin Vago | IT & CloudOps Manager @ Latam Fintech Industry](https://www.linkedin.com/in/mvago/)" - ![testimonial](../assets/images/testimonials/martin.vago.bwc.png "Leverage-Testimonial"){: style="width:150px"} + ![testimonial](/assets/images/testimonials/martin.vago.bwc.png "Leverage-Testimonial"){: style="width:150px"} 🌎 **Company website:** [tunubi.com](https://www.tunubi.com/) @@ -44,7 +44,7 @@ !!! info "[Felipe Lerena | Software Architect & Dev Lead @ Latam Fintech Industry](https://www.linkedin.com/in/felipelerena/)" - ![testimonial](../assets/images/testimonials/felipe.lerena.bwc.png "Leverage-Testimonial"){: style="width:150px"} + ![testimonial](/assets/images/testimonials/felipe.lerena.bwc.png "Leverage-Testimonial"){: style="width:150px"} 🌎 **Company website:** [tunubi.com](https://www.tunubi.com/) @@ -55,7 +55,7 @@ !!! info "[Juan Manuel Rodrigo | CTO @ Latam Fintech / Banking / Insurtech Industries](https://www.linkedin.com/in/jmrodrigopmp/)" - ![testimonial](../assets/images/testimonials/juan.manuel.rodrigo.bwc.png "Leverage-Testimonial"){: style="width:150px"} + ![testimonial](/assets/images/testimonials/juan.manuel.rodrigo.bwc.png "Leverage-Testimonial"){: style="width:150px"} 🌎 **Company website:** [flexibility.com.ar](https://www.flexibility.com.ar/eng/home-us/) 
@@ -67,7 +67,7 @@ !!! info "[Alejandro Creta | Infrastructure Architecture Lead @ Latam Fintech / Banking / Insurtech Industries](https://www.linkedin.com/in/alejandro-creta-24b7a917b/)" - ![testimonial](../assets/images/testimonials/alejandro.creta.bwc.png "Leverage-Testimonial"){: style="width:150px"} + ![testimonial](/assets/images/testimonials/alejandro.creta.bwc.png "Leverage-Testimonial"){: style="width:150px"} 🌎 **Company website:** [flexibility.com.ar](https://www.flexibility.com.ar/eng/home-us/) @@ -82,7 +82,7 @@ !!! info "[Max Ivanov | Software Architect @ US Media Entertainment Industry](https://www.toptal.com/resume/max-ivanov)" - ![testimonial](../assets/images/testimonials/max.ivanov.bwc.png "Leverage-Testimonial"){: style="width:150px"} + ![testimonial](/assets/images/testimonials/max.ivanov.bwc.png "Leverage-Testimonial"){: style="width:150px"} - [x] *"binbash has a focused and highly productive professional team. They have exceptional tech skills and effectively transmit and implement their solutions, such as Leverage. @@ -95,7 +95,7 @@ !!! info "[Franco Gauchat | DevSecOps Engineer @ Cyber Security Industry](https://www.linkedin.com/in/gauchatfranco/)" - ![testimonial](../assets/images/testimonials/franco.gauchat.bwc.png "Leverage-Testimonial"){: style="width:150px"} + ![testimonial](/assets/images/testimonials/franco.gauchat.bwc.png "Leverage-Testimonial"){: style="width:150px"} 🌎 **Company website:** [btrconsulting.com](https://www.btrconsulting.com/) @@ -109,7 +109,7 @@ !!! info "[Horacio G. de Oro | Head of DevOps @ Risk Management US Industry](https://www.linkedin.com/in/hgdeoro/)" - ![testimonial](../assets/images/testimonials/horacio.oro.bwc.png "Leverage-Testimonial"){: style="width:150px"} + ![testimonial](/assets/images/testimonials/horacio.oro.bwc.png "Leverage-Testimonial"){: style="width:150px"} 🌎 **Company website:** [thirdpartytrust.com](https://www.thirdpartytrust.com/) 
@@ -127,7 +127,7 @@ !!! info "[Leandro Basso | Co-Founder & BizDev Manager @ Latam Sports and Events Industry](https://www.linkedin.com/in/leandro-basso-29588068/)" - ![testimonial](../assets/images/testimonials/leandro.basso.bwc.png "Leverage-Testimonial"){: style="width:150px"} + ![testimonial](/assets/images/testimonials/leandro.basso.bwc.png "Leverage-Testimonial"){: style="width:150px"} 🌎 **Company website:** [hayturno.com](https://www.hayturno.com/) @@ -140,7 +140,7 @@ !!! info "[Alina Fermo | Project Manager @ US Digital Marketing Industry](https://www.linkedin.com/in/alina-fermo-8b781a47/)" - ![testimonial](../assets/images/testimonials/alina.fermo.bwc.png "Leverage-Testimonial"){: style="width:150px"} + ![testimonial](/assets/images/testimonials/alina.fermo.bwc.png "Leverage-Testimonial"){: style="width:150px"} 🌎 **Company website:** [grey.com](https://www.grey.com/en) diff --git a/docs/work-with-us/careers.md b/docs/work-with-us/careers.md index 89c6272e8..ddd39b153 100644 --- a/docs/work-with-us/careers.md +++ b/docs/work-with-us/careers.md 
@@ -40,13 +40,13 @@ ## Leverage Software / DevOps Engineer Profile !!! info "What You'll Work On (our tech stack) :man_technologist: :woman_technologist: :rocket:" - - [x] [**Infrastructure as Code (IaC) Library**](../how-it-works/ref-architecture/index.md) + - [x] [**Infrastructure as Code (IaC) Library**](/user-guide/infra-as-code-library/overview/) Create a collection of reusable, tested, production-ready E2E AWS oriented infrastructure modules (e.g., VPC, IAM, Kubernetes, Prometheus, Grafana, EFK, Consul, Vault, Jenkins, etc.) using several tool and languages: *Terraform, Ansible, Helm, Dockerfiles, Python, Bash and Makefiles*. - - [x] [**Reference Architecture**](../how-it-works/infra-as-code-library/index.md) + - [x] [**Reference Architecture**](/user-guide/) Improve, maintain, extend and update our reference architecture, which has been designed under optimal configs for the most popular modern web and mobile applications needs. Its design is fully based on the @@ -55,7 +55,7 @@ - [x] **Open Source & Leverage DevOps Tools** Contribute to our open source projects to continue building a fundamentally better DevOps experience, including - our [open source modules](../how-it-works/infra-as-code-library/modules-library-per-tech.md), + our [open source modules](/user-guide/infra-as-code-library/modules-library-by-technology/), [leverage python CLI](https://github.com/binbashar/leverage), [Makefiles Lib](https://github.com/binbashar/le-dev-makefiles) among others. diff --git a/docs/work-with-us/contribute.md b/docs/work-with-us/contribute.md index 3ebfe668d..a5f6b0d4b 100644 --- a/docs/work-with-us/contribute.md +++ b/docs/work-with-us/contribute.md 
@@ -40,7 +40,7 @@ To run tests, just run... ## Releasing ### CircleCi PR auto-release job -![circleci-logo](../assets/images/logos/circleci.png "CircleCI"){: style="width:150px"} +![circleci-logo](/assets/images/logos/circleci.png "CircleCI"){: style="width:150px"} - - **NOTE:** Will only run after merged PR. \ No newline at end of file diff --git a/docs/work-with-us/index.md b/docs/work-with-us/index.md index 05e8b738a..78c5b055d 100644 --- a/docs/work-with-us/index.md +++ b/docs/work-with-us/index.md @@ -2,7 +2,7 @@ ## Customers collaboration methodology -![leverage-worflow](../assets/images/diagrams/ref-architecture-collab-methodology.png "Leverage"){: style="width:1200px"} +![leverage-worflow](/assets/images/diagrams/ref-architecture-collab-methodology.png "Leverage"){: style="width:1200px"} !!! info "What are all the steps of an engagement" - [x] **1st Stage:** Leverage Customer Tech Intro Interview @@ -28,7 +28,7 @@ ## Customer Support workflow -![leverage-support](../assets/images/diagrams/ref-architecture-support.png "Leverage"){: style="width:1200px"} +![leverage-support](/assets/images/diagrams/ref-architecture-support.png "Leverage"){: style="width:1200px"} ## Read More diff --git a/docs/work-with-us/releases/releases-and-versions.md b/docs/work-with-us/releases/releases-and-versions.md index 298073868..fd22f8fe7 100644 --- a/docs/work-with-us/releases/releases-and-versions.md +++ b/docs/work-with-us/releases/releases-and-versions.md 
@@ -16,7 +16,7 @@ We're constantly kicking with a lot of improvements and some exciting new featur ## Infrastructure as Code Library !!! done ":calendar: RELEASES" - ![leverage-tf](../../assets/images/logos/terraform.png "Terraform"){: style="width:25px"} **Releases |Terraform Leverage™ Modules** : + ![leverage-tf](/assets/images/logos/terraform.png "Terraform"){: style="width:25px"} **Releases |Terraform Leverage™ Modules** : - [terraform-aws-waf-owasp](https://github.com/binbashar/terraform-aws-waf-owasp/releases) - [terraform-aws-cost-billing-alarm](https://github.com/binbashar/terraform-aws-cost-billing-alarm/releases) @@ -31,12 +31,12 @@ We're constantly kicking with a lot of improvements and some exciting new featur - [terraform-aws-backup-notifications](https://github.com/binbashar/terraform-aws-backup-notifications/releases) - [terraform-aws-rds-export-to-s3](https://github.com/binbashar/terraform-aws-rds-export-to-s3/releases) - ![leverage-tf](../../assets/images/logos/terraform.png "Terraform"){: style="width:25px"} **Releases | Terraform Community Forks Modules**: + ![leverage-tf](/assets/images/logos/terraform.png "Terraform"){: style="width:25px"} **Releases | Terraform Community Forks Modules**: - [terraform-aws-sso]([terraform-aws-sso](https://github.com/binbashar/terraform-aws-sso/tags)) - ... - ![leverage-helm](../../assets/images/logos/helm.png "Terraform"){: style="width:25px"} **Releases | Helm Leverage™ Charts**: + ![leverage-helm](/assets/images/logos/helm.png "Terraform"){: style="width:25px"} **Releases | Helm Leverage™ Charts**: - [helm-charts](https://github.com/binbashar/helm-charts/blob/master/index.yaml) diff --git a/docs/work-with-us/support.md b/docs/work-with-us/support.md index 21c916061..630dae881 100644 --- a/docs/work-with-us/support.md +++ b/docs/work-with-us/support.md 
@@ -7,17 +7,17 @@ get immediate support from the [binbash Leverage Team](https://www.binbash.com.a ### Our Engineering & Support Team -![leverage-aws-waf](../assets/images/services/ref-architecture-waf-team.png "Leverage"){: style="width:850px"} +![leverage-aws-waf](/assets/images/services/ref-architecture-waf-team.png "Leverage"){: style="width:850px"} ### [AWS Well Architected Review](https://aws.amazon.com/architecture/well-architected/) -Feel free to contact us for an ![leverage-aws](../assets/images/icons/aws-emojipack/General_AWScloud.png "AWS"){: style="width:30px"} +Feel free to contact us for an ![leverage-aws](/assets/images/icons/aws-emojipack/General_AWScloud.png "AWS"){: style="width:30px"} [**AWS Well Architected Framework Review**](https://drive.google.com/file/d/16VOOy5LmSqkFZ5vFpoURDeifEWpjMHtJ/view?usp=sharing) :cloud::rocket::cloud: -![leverage-aws-waf](../assets/images/services/ref-architecture-waf-review.png "Leverage"){: style="width:850px"} +![leverage-aws-waf](/assets/images/services/ref-architecture-waf-review.png "Leverage"){: style="width:850px"} -!!! check "![leverage-aws](../assets/images/icons/aws-emojipack/General_AWScloud.png "AWS"){: style="width:30px"} Well Architected Framework Review Reference Study Case" +!!! check "![leverage-aws](/assets/images/icons/aws-emojipack/General_AWScloud.png "AWS"){: style="width:30px"} Well Architected Framework Review Reference Study Case" - [X] [Operational Excellence](https://drive.google.com/file/d/1NQScQo0skHjbm-hG0kOJ6zvBwb0M2qLx/view?usp=sharing) - [X] [Security](https://drive.google.com/file/d/10TAb2h-P4yaF9WIau5rfIWtazwHvMpUH/view?usp=sharing) - [X] [Cost Optimization](https://drive.google.com/file/d/1Eoj9YuTHSbXWt6ASxq3WwO7snto5YrcB/view?usp=sharing) diff --git a/material/overrides/home.html b/material/overrides/home.html index 57ae55337..a9d35fc31 100644 --- a/material/overrides/home.html +++ b/material/overrides/home.html @@ -23,7 +23,7 @@ - - + +
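Review bot: The rewritten page links in the tf-state.md hunk (`/user-guide/leverage-cli/overview.md`, `/user-guide/infra-as-code-library/overview.md`) will not resolve on the built site: MkDocs only validates and rewrites relative links to `.md` sources and leaves root-absolute links untouched by default, so these come out as links to raw `.md` files that do not exist in the output. The same pattern is in the vault configs.md hunk (`/user-guide/identities/identities.md`, `/user-guide/identities/credentials.md`), the vault workflow.md hunk (`/user-guide/identities/credentials-vault.md`) and the vault tf-state-workflow.md hunk. Either keep relative source paths, which the build checks, or use the rendered URL form. The root-absolute image paths (`/assets/images/diagrams/...`) in the same hunks also break whenever the site is served from a sub-path instead of the domain root, which is worth confirming against `site_url` before merging.

Review bot: In the vault tf-state-workflow.md hunk, `[Configuration Pre-requisites](./configs.md)` was rewritten to `[Configuration Pre-requisites](./)`, which drops the target and now points at the section index rather than the configs page; the vault workflow.md hunk has the same regression in `[terraform aws pre-requisites](./)`. This looks like an over-eager find and replace on `../` prefixes, so please restore `./configs.md` in both places. In the same hunk the Leverage CLI link becomes `/how-it-works/leverage-cli/index.md`, while the tf-state.md hunk earlier in this patch uses `/user-guide/leverage-cli/overview.md` for the same page; one of the two is stale and should be aligned with where the page lives after this move.

Review bot: The team.md.back and testimonials.md.back hunks rewrite links in files that are meant to be archived, but MkDocs copies every non-Markdown file under `docs_dir` into the built site as a static file, so these archives (including personal LinkedIn URLs) are still published at their `.md.back` paths even though nothing in the nav points at them. Rather than maintaining links inside them, move them out of `docs/` (or exclude them from the build on a MkDocs version that supports excluding files), which also removes the need for this hunk.

Review bot: The careers.md hunk correctly fixes the swapped targets (IaC Library and Reference Architecture previously pointed at each other's pages) but switches to rendered URLs with a trailing slash (`/user-guide/infra-as-code-library/overview/`, `/user-guide/infra-as-code-library/modules-library-by-technology/`) while every other hunk in the patch links to `.md` source paths. Pick one convention for the whole patch; rendered URLs also silently depend on `use_directory_urls` staying enabled, whereas a relative `.md` path is checked at build time. Also `[**Reference Architecture**](/user-guide/)` now lands on the user-guide index rather than a reference-architecture page; please confirm that is intended.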
diff --git a/mkdocs.yml b/mkdocs.yml index 24d207f0a..11d4d353f 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -151,8 +151,8 @@ extra_css: nav: - Home: - Home: "index.md" - - Welcome: "welcome.md" - - First steps: "try-leverage/introduction.md" + - Welcome: "concepts/index.md" + - First steps: "try-leverage/index.md" - How it works: "how-it-works/ref-architecture/index.md" - User guide: "user-guide/index.md" - Work with us: "work-with-us/index.md" @@ -220,6 +220,7 @@ nav: - Secrets: "user-guide/ref-architecture-aws/features/secrets/secrets.md" - Compute: - Overview: "user-guide/ref-architecture-aws/features/compute/overview.md" + - K8s EKS: "user-guide/ref-architecture-aws/features/compute/k8s-eks.md" - K8s Kops: "user-guide/ref-architecture-aws/features/compute/k8s-kops.md" - K8s Service Mesh: "user-guide/ref-architecture-aws/features/compute/k8s-service-mesh.md" - Serverless: "user-guide/ref-architecture-aws/features/compute/serverless.md" From ecac2aa949eebf0a9caab5daa303788fa63a2c34 Mon Sep 17 00:00:00 2001 From: Diego OJ Date: Mon, 24 Apr 2023 10:49:15 -0300 Subject: [PATCH 07/19] Add early troubleshooting credentials page --- .../ref-architecture-aws/design-references.md} | 3 +-- docs/user-guide/troubleshooting/credentials.md | 8 ++++++++ mkdocs.yml | 3 +++ 3 files changed, 12 insertions(+), 2 deletions(-) rename docs/{how-it-works/read-more.md => user-guide/ref-architecture-aws/design-references.md} (98%) diff --git a/docs/how-it-works/read-more.md b/docs/user-guide/ref-architecture-aws/design-references.md similarity index 98% rename from docs/how-it-works/read-more.md rename to docs/user-guide/ref-architecture-aws/design-references.md index 0d274ec05..6f5884a75 100644 --- a/docs/how-it-works/read-more.md +++ b/docs/user-guide/ref-architecture-aws/design-references.md @@ -1,5 +1,4 @@ -# Read more - +# Design References Please consider some official AWS docs, blog post and whitepapers we've considered for the current Reference Solutions Architecture design: 
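Review bot: The mkdocs.yml nav hunk repoints `Welcome` to `concepts/index.md` and `First steps` to `try-leverage/index.md` and adds `K8s EKS: user-guide/ref-architecture-aws/features/compute/k8s-eks.md`, but none of the hunks visible in this patch create those files. Please run `mkdocs build --strict` so a missing nav target fails the build instead of being logged as a warning, and paste the result in the PR so the link rewrites elsewhere in the patch get checked at the same time.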
diff --git a/docs/user-guide/troubleshooting/credentials.md b/docs/user-guide/troubleshooting/credentials.md index 3644553e9..f1afcac50 100644 --- a/docs/user-guide/troubleshooting/credentials.md +++ b/docs/user-guide/troubleshooting/credentials.md @@ -1,5 +1,7 @@ # Troubleshooting credentials issues +## General tips + ### Gathering more information Trying to get as much information of the issue as possible is key when troubleshooting. Keep reading to find out typical scenarios and how you can gather more information about each. @@ -29,3 +31,9 @@ Since Leverage stores the AWS config and credentials file under a non-default pa export AWS_CONFIG_FILE=~/.aws/[project_name_here]/config export AWS_SHARED_CREDENTIALS_FILE=~/.aws/[project_name_here]/credentials ``` + +## Troubleshooting SSO credentials +TODO + +## Troubleshooting IAM credentials +TODO diff --git a/mkdocs.yml b/mkdocs.yml index 11d4d353f..2161a9463 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -242,6 +242,7 @@ nav: - Backups: "user-guide/ref-architecture-aws/features/reliability/backups.md" - Disaster Recovery: "user-guide/ref-architecture-aws/features/reliability/dr.md" - High Availability: "user-guide/ref-architecture-aws/features/reliability/high-availability.md" + - Design References: "user-guide/ref-architecture-aws/design-references.md" - Reference Architecture for EKS: - Overview: "user-guide/ref-architecture-eks/overview.md" - VPC: "user-guide/ref-architecture-eks/vpc.md" @@ -275,6 +276,8 @@ nav: - Forks workflow: "user-guide/infra-as-code-library/infra-as-code-library-forks.md" - Specifications: "user-guide/infra-as-code-library/infra-as-code-library-specs.md" - Modules by Technology: "user-guide/infra-as-code-library/modules-library-by-technology.md" + - Troubleshooting: + - Identities: "user-guide/troubleshooting/credentials.md" - Work with us: - Overview: "work-with-us/index.md" - Support: "work-with-us/support.md" From c2bfb3fba66a80dbb637b42805773d6baf3499a2 Mon Sep 17 00:00:00 2001 
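Review bot: The credentials.md hunk adds `## Troubleshooting SSO credentials` and `## Troubleshooting IAM credentials` with bare `TODO` bodies, and the mkdocs.yml hunk in the same patch publishes the page under `Troubleshooting > Identities`, so the empty sections ship to the live site. Either leave the headings out until they have content or keep the page out of `nav` until then. The new `## General tips` heading above the existing `### Gathering more information` is fine, but since the section's `export AWS_CONFIG_FILE=...` / `export AWS_SHARED_CREDENTIALS_FILE=...` snippet redirects the AWS CLI to a different credentials file for the rest of the shell session, a one-line reminder to unset both afterwards would save readers from debugging the wrong account later.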
From: Diego OJ Date: Mon, 24 Apr 2023 17:48:52 -0300 Subject: [PATCH 08/19] Add EKS upgrade steps --- .../ref-architecture-eks/cluster-upgrade.md | 141 ++++++++++++++++++ mkdocs.yml | 1 + 2 files changed, 142 insertions(+) create mode 100644 docs/user-guide/ref-architecture-eks/cluster-upgrade.md diff --git a/docs/user-guide/ref-architecture-eks/cluster-upgrade.md b/docs/user-guide/ref-architecture-eks/cluster-upgrade.md new file mode 100644 index 000000000..6a426aea0 --- /dev/null +++ b/docs/user-guide/ref-architecture-eks/cluster-upgrade.md 
@@ -0,0 +1,141 @@ +# Upgrading EKS + +## Brief +This guideline includes considerations and steps that should be performed when upgrading a cluster to a newer version. + +## General Steps +- General considerations +- Understand what changed +- Plan a maintenance window for the upgrade +- Rehearse on a non-Production cluster first +- Ensure you have proper visibility on the cluster +- Upgrade Control Plane +- Upgrade Managed Node Groups +- Upgrade EKS Add-ons +- Upgrade Cluster AutoScaler version +- Final Steps +- Migration Notes + + +## Detailed Steps + +### General considerations +- Ensure your sensitive workloads are deployed in a highly available manner to reduce downtime as much as possible +- Ensure Pod Disruption Budgets are set in your deployments to ensure your application pods are evicted in a controlled way (e.g. leave at least one pod active at all times) +- Ensure Liveness and Readiness probes are set so that Kubernetes can tell whether your application is healthy to start receiving traffic or needs a restart +- Plan the upgrade during off hours so that unexpected disruptions have even less impact on end-users + +### Understand what changed +Here you need to get a good understanding of the things that changed between the current version and the version you want to upgrade to. For that, it is highly recommended to go to the [AWS EKS official documentation](https://docs.aws.amazon.com/eks/latest/userguide/update-cluster.html) as it is frequently being updated. + +Another documentation you should refer to is the Kubernetes official documentation, specially the [Kubernetes API Migration Guide](https://kubernetes.io/docs/reference/using-api/deprecation-guide/) which explains in great detail what has been changed. + +For instance, typical changes include: +* Removed/deprecated Kubernetes APIs: this one may require that you also upgrade the resources used by your applications or even base components your applications rely on. E.g. 
cert-manager, external-dns, etc. +* You can use tools such as [kubent](https://github.com/doitintl/kube-no-trouble) to find deprecated API versions. That should list the resources that need to be upgraded however you may still need to figure out if it's an EKS base component or a cluster component installed via Terraform & Helm. +* Base component updates: this is about changes to control plane components. components that run on the nodes. An example of that would be the deprecation and removal of Docker as a container runtime. + +### Plan a maintenance window for the upgrade +Keep in mind that, at the very least, you will be upgrading the control plane and the data plane; and in some cases you would also need to upgrade components and workloads. So, although Kubernetes has a great development team and automation; and even though we rely on EKS for which AWS performs additional checks and validations, we are still dealing with a complex, evolving piece of software, so planning for the upgrade is still a reasonable move. + +Upgrading the control plane should not affect the workloads but you should still bear in mind that the Kubernetes API may become unresponsive during the upgrade, so anything that talks to the Kubernetes API might experience delays or even timeouts. + +Now, upgrading the nodes is the more sensitive task and, while you can use a rolling-update strategy, that still doesn't provide any guarantees on achieving a zero down-time upgrade so, again, planning for some maintenance time is recommended. + +### Rehearse on a non-Production cluster first +Perform the upgrade on a non-Production to catch up and anticipate any issues before you upgrade the Production cluster. Also take notes and reflect any important updates on this document. + +### Ensure you have proper visibility on the cluster +Monitoring the upgrade is important so make sure you have monitoring tools in-place before attempting the upgrade. 
+Such tools include the AWS console (via AWS EKS Monitoring section) and also tools like Prometheus/Grafana and ElasticSearch/Kibana. Make sure you are familiar with those before the upgrade. + +### Upgrade Control Plane +This is simply about updating the `cluster_version` variable in the `variables.tf` file within the `cluster` layer of the cluster you want to upgrade and then applying that change. However, the current version of the Terraform EKS module, when modifying the cluster version input, it will show that it needs to upgrade the control plane and the nodes which may not follow the expected order (first cluster, then nodes). Another thing that could go wrong is Terraform ending up in an unfinished state due to the upgrade taking too long to complete (or, what happened to me, the cluster gets upgraded but somehow the launch template used for the nodes is deleted and thus the upgraded nodes cannot be spun up). + +The alternative to all of that is to perform the upgrade outside Terraform and, after it is complete, to update the `cluster_version` variable in `variables.tf` file. Then you can run a Terraform Plan to verify the output shows no changes. This should be the method that provides a good degree of control over the upgrade. + +Having said that, go ahead and proceed with the upgrade, either via [the AWS console, the AWS CLI or the EKS CLI](https://docs.aws.amazon.com/eks/latest/userguide/update-cluster.html) and watch the upgrade as it happens. As it was stated in a previous step, the Kubernetes API may evidence some down-time during this operation so make sure you prepare accordingly. + +### Upgrade Managed Node Groups +Once the control plane is upgraded you should be ready to upgrade the nodes. There are 2 strategies you could use here: rolling-upgrade or recreate. The former is recommended for causing the minimal disruption. Recreate could be used in an environment where down-time won't be an issue. 
+ +As it was mentioned in the previous step, the recommendation is to trigger the upgrade outside Terraform so please proceed with that and monitor the operation as it happens (via AWS EKS console, via Kubectl, via Prometheus/Grafana). + +If you go with the AWS CLI, you can use the following command to get a list of the clusters available to your current AWS credentials: +``` +aws eks list-clusters --profile [AWS_PROFILE] +``` +Make a note of the cluster name as you will be using that in subsequent commands. + +Now use the following command to get a list of the node groups: +``` +aws eks list-nodegroups --cluster-name [CLUSTER_NAME] --profile [AWS_PROFILE] +``` + +After that you need to identify the appropriate release version for the upgrade. Use the official documentation to find that: https://docs.aws.amazon.com/eks/latest/userguide/eks-linux-ami-versions.html + +With that information you should be ready to trigger the update with the command below: +``` +aws eks update-nodegroup-version \ + --cluster-name [CLUSTER_NAME] \ + --nodegroup-name [NODE_GROUP_NAME] \ + --release-version [RELEASE_VERSION] \ + --force \ + --profile [AWS_PROFILE] +``` +The `--force` flag is generally useful to by-pass pod eviction failures. + +Once you are done with the upgrade you can continue with the rest of the node groups. + +### Upgrade Cluster AutoScaler version +Modify [scaling.tf](https://github.com/binbashar/le-tf-infra-aws/blob/master/apps-devstg/us-east-1/k8s-eks/k8s-components/scaling.tf) per [the official Kubernetes autoscaler chart](https://github.com/kubernetes/autoscaler/tree/master/charts/cluster-autoscaler) and apply with Terraform. +The version of the cluster autoscaler should at least match the cluster version you are moving to. A greater version of the autoscaler might work with earlier version of Kubernetes but the opposite most likely won't be the case. 
+ +### Upgrade EKS base components +Namely these components are: +- Kube-Proxy +- CoreDNS +- VPC CNI + +In recent versions EKS is able to manage these components as add-ons which makes their upgrades less involved and which can even be performed through a recent version of the Terraform EKS module. However, we are not currently using EKS Add-ons to manage the installation of these components, we are using the so called self-managed approach, so the upgrade needs to be applied manually. + +Generally speaking, the upgrade procedure could be summed up as follows: +1. Determine current version +2. Determine the appropriate version you need to upgrade to +3. Upgrade each component and verify + +Now, the recommendation is to refer to the following guides which carefully describe the steps that need to be performed: +1. Kube-proxy: https://docs.aws.amazon.com/eks/latest/userguide/managing-kube-proxy.html#updating-kube-proxy-add-on +2. CoreDNS: https://docs.aws.amazon.com/eks/latest/userguide/managing-coredns.html#updating-coredns-add-on +3. VPC CNI: https://docs.aws.amazon.com/eks/latest/userguide/managing-vpc-cni.html#updating-vpc-cni-add-on + +IMPORTANT: be extremely careful when applying these updates, specially with the VPC CNI as the instructions are not easy to follow. + +### Closing Steps +Make sure you notify the team about the upgrade result. Also, do not forget about committing/pushing all code changes to the repository and creating a PR for them. + +### Migration Notes +If you found any information you consider it should be added to this document, you are welcome to reflect that here. + +#### Migration to v1.21 + +VPC CNI: The latest available version was v1.11.4 but I was only able to upgrade to v1.9.3. 
I couldn't move further because v1.10.3 wasn't able to run as it keep throwing the following errors: +``` +{"level":"info","ts":"2022-10-07T15:42:01.802Z","caller":"entrypoint.sh","msg":"Retrying waiting for IPAM-D"} +panic: runtime error: invalid memory address or nil pointer dereference +[signal SIGSEGV: segmentation violation code=0x1 addr=0x39 pc=0x560d2186d418] +``` + +Cluster Autoscaler: it is already at v1.23.0. The idea is that this should match with the Kubernetes version but since the version we have has been working well so far, we can keep it and it should cover us until we upgrade Kubernetes to a matching version. + +Managed Nodes failures due to PodEvictionFailure: this one happened twice during a Production cluster upgrade. It seemed to be related to Calico pods using tolerations that are not compatible with Kubernetes typical node upgrade procedure. In short, the pods tolerate the NoSchedule taint and thus refuse to be evicted from the nodes during a drain procedure. The workaround that worked was using a forced upgrade. That is esentially a flag that can be passed via Terraform (or via AWS CLI). A more permanent solution would involve figuring out a proper way to configure Calico pods without the problematic toleration; we just need to keep in mind that we are deploying Calico via the Tigera Operator. + +#### Migration to v1.22 + +Control plane and managed nodes: no issues. +Cluster Autoscaler: already at v1.23.0. +Kube-proxy: no issues. Upgraded to v1.22.16-minimal-eksbuild.3. +CodeDNS: no issues. Upgraded to v1.8.7-eksbuild.1. +VPC CNI: no issues. Upgraded to latest version available, v1.12.1. + +Outstanding issue: Prometheus/Grafana instance became unresponsive right during the upgrade of the control plane. It was fully inaccessible. A stop and start was needed to bring it back up. diff --git a/mkdocs.yml b/mkdocs.yml index b908514e9..676124482 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
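Review bot: the line "The `--force` flag is generally useful to by-pass pod eviction failures" under Upgrade Managed Node Groups should say what the flag gives up: a forced node group update terminates pods that could not be evicted, so it overrides the Pod Disruption Budgets this same document asks readers to set under General considerations. Suggest presenting it as a last resort, e.g. "If the update fails with PodEvictionFailure, find out which pods refuse to drain (see the Calico case in Migration Notes) before retrying with `--force`, which terminates those pods regardless of their PDBs." Smaller points in the same file: in Understand what changed, "changes to control plane components. components that run on the nodes" is a broken sentence (presumably "and components that run on the nodes"); "Perform the upgrade on a non-Production to catch up" is missing "cluster"; "CodeDNS" under Migration to v1.22 should be "CoreDNS"; "esentially" and "specially" should be "essentially" and "especially"; and "it keep throwing" should be "it kept throwing".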
@@ -248,6 +248,7 @@ nav: - Overview: "user-guide/ref-architecture-eks/overview.md" - VPC: "user-guide/ref-architecture-eks/vpc.md" - Components: "user-guide/ref-architecture-eks/components.md" + - Upgrading EKS: "user-guide/ref-architecture-eks/cluster-upgrade.md" - Reference Architecture for Ansible: - Overview: "user-guide/ref-architecture-ansible/overview.md" - Workflow: "user-guide/ref-architecture-ansible/workflow.md" From 718d5e40b4dfd6397e188a776b40849cc06e08ba Mon Sep 17 00:00:00 2001 From: Diego OJ Date: Mon, 24 Apr 2023 17:58:16 -0300 Subject: [PATCH 09/19] Fix lists --- docs/user-guide/ref-architecture-eks/cluster-upgrade.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/user-guide/ref-architecture-eks/cluster-upgrade.md b/docs/user-guide/ref-architecture-eks/cluster-upgrade.md index 6a426aea0..d1ac29b66 100644 --- a/docs/user-guide/ref-architecture-eks/cluster-upgrade.md +++ b/docs/user-guide/ref-architecture-eks/cluster-upgrade.md 
@@ -31,6 +31,7 @@ Here you need to get a good understanding of the things that changed between the Another documentation you should refer to is the Kubernetes official documentation, specially the [Kubernetes API Migration Guide](https://kubernetes.io/docs/reference/using-api/deprecation-guide/) which explains in great detail what has been changed. For instance, typical changes include: + * Removed/deprecated Kubernetes APIs: this one may require that you also upgrade the resources used by your applications or even base components your applications rely on. E.g. cert-manager, external-dns, etc. * You can use tools such as [kubent](https://github.com/doitintl/kube-no-trouble) to find deprecated API versions. That should list the resources that need to be upgraded however you may still need to figure out if it's an EKS base component or a cluster component installed via Terraform & Helm. * Base component updates: this is about changes to control plane components. components that run on the nodes. An example of that would be the deprecation and removal of Docker as a container runtime. 
@@ -100,11 +101,13 @@ Namely these components are: In recent versions EKS is able to manage these components as add-ons which makes their upgrades less involved and which can even be performed through a recent version of the Terraform EKS module. However, we are not currently using EKS Add-ons to manage the installation of these components, we are using the so called self-managed approach, so the upgrade needs to be applied manually. Generally speaking, the upgrade procedure could be summed up as follows: + 1. Determine current version 2. Determine the appropriate version you need to upgrade to 3. Upgrade each component and verify Now, the recommendation is to refer to the following guides which carefully describe the steps that need to be performed: + 1. Kube-proxy: https://docs.aws.amazon.com/eks/latest/userguide/managing-kube-proxy.html#updating-kube-proxy-add-on 2. CoreDNS: https://docs.aws.amazon.com/eks/latest/userguide/managing-coredns.html#updating-coredns-add-on 3. VPC CNI: https://docs.aws.amazon.com/eks/latest/userguide/managing-vpc-cni.html#updating-vpc-cni-add-on From c2347b4d63f9335aee6d0e9ad28ac25cda081db6 Mon Sep 17 00:00:00 2001 From: Diego OJ Date: Tue, 25 Apr 2023 10:40:20 -0300 Subject: [PATCH 10/19] Update cluster upgrade steps a bit --- .../ref-architecture-eks/cluster-upgrade.md | 75 ++++++++++--------- 1 file changed, 41 insertions(+), 34 deletions(-) diff --git a/docs/user-guide/ref-architecture-eks/cluster-upgrade.md b/docs/user-guide/ref-architecture-eks/cluster-upgrade.md index d1ac29b66..9835e81ff 100644 --- a/docs/user-guide/ref-architecture-eks/cluster-upgrade.md +++ b/docs/user-guide/ref-architecture-eks/cluster-upgrade.md 
@@ -3,29 +3,33 @@ ## Brief This guideline includes considerations and steps that should be performed when upgrading a cluster to a newer version. -## General Steps -- General considerations -- Understand what changed -- Plan a maintenance window for the upgrade -- Rehearse on a non-Production cluster first -- Ensure you have proper visibility on the cluster -- Upgrade Control Plane -- Upgrade Managed Node Groups -- Upgrade EKS Add-ons -- Upgrade Cluster AutoScaler version -- Final Steps -- Migration Notes - - -## Detailed Steps - -### General considerations +## Upgrade Plan Overview +1. General considerations +2. Preparation Steps + 1. Understand what changed + 2. Plan a maintenance window for the upgrade + 3. Rehearse on a non-Production cluster first + 4. Ensure you have proper visibility on the cluster +3. Upgrade Steps + 1. Upgrade Control Plane + 2. Upgrade Managed Node Groups + 3. Upgrade Cluster AutoScaler version + 4. Upgrade EKS Add-ons +4. Closing Steps + 1. Migration Notes + + +## Detailed Upgrade Plan + +### 1) General considerations - Ensure your sensitive workloads are deployed in a highly available manner to reduce downtime as much as possible - Ensure Pod Disruption Budgets are set in your deployments to ensure your application pods are evicted in a controlled way (e.g. leave at least one pod active at all times) - Ensure Liveness and Readiness probes are set so that Kubernetes can tell whether your application is healthy to start receiving traffic or needs a restart - Plan the upgrade during off hours so that unexpected disruptions have even less impact on end-users -### Understand what changed +### 2) Preparation Steps + +#### Understand what changed Here you need to get a good understanding of the things that changed between the current version and the version you want to upgrade to. 
For that, it is highly recommended to go to the [AWS EKS official documentation](https://docs.aws.amazon.com/eks/latest/userguide/update-cluster.html) as it is frequently being updated. Another documentation you should refer to is the Kubernetes official documentation, specially the [Kubernetes API Migration Guide](https://kubernetes.io/docs/reference/using-api/deprecation-guide/) which explains in great detail what has been changed. 
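Review bot: the new Upgrade Plan Overview lists step 3.4 as "Upgrade EKS Add-ons", but the body section it refers to is titled "Upgrade EKS base components" and states that the project does not use EKS Add-ons (kube-proxy, CoreDNS and VPC CNI are self-managed). Rename the overview entry to "Upgrade EKS base components" so the outline matches the headings and does not point readers at the add-on procedure. Also, "Migration Notes" appears as sub-step 4.1 of Closing Steps, but it is a place to record findings rather than an action to perform; consider listing it as its own item.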
@@ -36,28 +40,30 @@ For instance, typical changes include: * You can use tools such as [kubent](https://github.com/doitintl/kube-no-trouble) to find deprecated API versions. That should list the resources that need to be upgraded however you may still need to figure out if it's an EKS base component or a cluster component installed via Terraform & Helm. * Base component updates: this is about changes to control plane components. components that run on the nodes. An example of that would be the deprecation and removal of Docker as a container runtime. -### Plan a maintenance window for the upgrade +#### Plan a maintenance window for the upgrade Keep in mind that, at the very least, you will be upgrading the control plane and the data plane; and in some cases you would also need to upgrade components and workloads. So, although Kubernetes has a great development team and automation; and even though we rely on EKS for which AWS performs additional checks and validations, we are still dealing with a complex, evolving piece of software, so planning for the upgrade is still a reasonable move. Upgrading the control plane should not affect the workloads but you should still bear in mind that the Kubernetes API may become unresponsive during the upgrade, so anything that talks to the Kubernetes API might experience delays or even timeouts. Now, upgrading the nodes is the more sensitive task and, while you can use a rolling-update strategy, that still doesn't provide any guarantees on achieving a zero down-time upgrade so, again, planning for some maintenance time is recommended. -### Rehearse on a non-Production cluster first +#### Rehearse on a non-Production cluster first Perform the upgrade on a non-Production to catch up and anticipate any issues before you upgrade the Production cluster. Also take notes and reflect any important updates on this document. 
-### Ensure you have proper visibility on the cluster +#### Ensure you have proper visibility on the cluster Monitoring the upgrade is important so make sure you have monitoring tools in-place before attempting the upgrade. Such tools include the AWS console (via AWS EKS Monitoring section) and also tools like Prometheus/Grafana and ElasticSearch/Kibana. Make sure you are familiar with those before the upgrade. -### Upgrade Control Plane +### 3) Upgrade Steps + +#### 1) Upgrade Control Plane This is simply about updating the `cluster_version` variable in the `variables.tf` file within the `cluster` layer of the cluster you want to upgrade and then applying that change. However, the current version of the Terraform EKS module, when modifying the cluster version input, it will show that it needs to upgrade the control plane and the nodes which may not follow the expected order (first cluster, then nodes). Another thing that could go wrong is Terraform ending up in an unfinished state due to the upgrade taking too long to complete (or, what happened to me, the cluster gets upgraded but somehow the launch template used for the nodes is deleted and thus the upgraded nodes cannot be spun up). The alternative to all of that is to perform the upgrade outside Terraform and, after it is complete, to update the `cluster_version` variable in `variables.tf` file. Then you can run a Terraform Plan to verify the output shows no changes. This should be the method that provides a good degree of control over the upgrade. Having said that, go ahead and proceed with the upgrade, either via [the AWS console, the AWS CLI or the EKS CLI](https://docs.aws.amazon.com/eks/latest/userguide/update-cluster.html) and watch the upgrade as it happens. As it was stated in a previous step, the Kubernetes API may evidence some down-time during this operation so make sure you prepare accordingly. 
-### Upgrade Managed Node Groups +#### 2) Upgrade Managed Node Groups Once the control plane is upgraded you should be ready to upgrade the nodes. There are 2 strategies you could use here: rolling-upgrade or recreate. The former is recommended for causing the minimal disruption. Recreate could be used in an environment where down-time won't be an issue. As it was mentioned in the previous step, the recommendation is to trigger the upgrade outside Terraform so please proceed with that and monitor the operation as it happens (via AWS EKS console, via Kubectl, via Prometheus/Grafana). @@ -84,16 +90,17 @@ aws eks update-nodegroup-version \ --force \ --profile [AWS_PROFILE] ``` -The `--force` flag is generally useful to by-pass pod eviction failures. +The `--force` flag is generally useful to bypass pod eviction failures. Once you are done with the upgrade you can continue with the rest of the node groups. -### Upgrade Cluster AutoScaler version +#### 3) Upgrade Cluster AutoScaler version Modify [scaling.tf](https://github.com/binbashar/le-tf-infra-aws/blob/master/apps-devstg/us-east-1/k8s-eks/k8s-components/scaling.tf) per [the official Kubernetes autoscaler chart](https://github.com/kubernetes/autoscaler/tree/master/charts/cluster-autoscaler) and apply with Terraform. The version of the cluster autoscaler should at least match the cluster version you are moving to. A greater version of the autoscaler might work with earlier version of Kubernetes but the opposite most likely won't be the case. -### Upgrade EKS base components +#### 4) Upgrade EKS base components Namely these components are: + - Kube-Proxy - CoreDNS - VPC CNI 
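Review bot: the heading numbering introduced in the -36,28 hunk is inconsistent: the sub-steps of "### 2) Preparation Steps" are unnumbered ("#### Plan a maintenance window for the upgrade", "#### Rehearse on a non-Production cluster first"), while the sub-steps of "### 3) Upgrade Steps" are "#### 1) Upgrade Control Plane", "#### 2) Upgrade Managed Node Groups", reusing the same "1)"/"2)" prefixes as the level-3 sections. Either number both groups the way the overview does (2.1, 2.2, ... and 3.1, 3.2, ...) or drop the prefixes from the level-4 headings. In the -84,16 hunk, the EKS base components list now gets the blank line markdown needs, but the same fix is still missing before the `aws eks` command blocks earlier in that section, where a fence directly follows a paragraph.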
@@ -108,19 +115,19 @@ Generally speaking, the upgrade procedure could be summed up as follows: Now, the recommendation is to refer to the following guides which carefully describe the steps that need to be performed: -1. Kube-proxy: https://docs.aws.amazon.com/eks/latest/userguide/managing-kube-proxy.html#updating-kube-proxy-add-on -2. CoreDNS: https://docs.aws.amazon.com/eks/latest/userguide/managing-coredns.html#updating-coredns-add-on -3. VPC CNI: https://docs.aws.amazon.com/eks/latest/userguide/managing-vpc-cni.html#updating-vpc-cni-add-on +1. Kube-proxy: [check here](https://docs.aws.amazon.com/eks/latest/userguide/managing-kube-proxy.html#updating-kube-proxy-add-on) +2. CoreDNS: [check here](https://docs.aws.amazon.com/eks/latest/userguide/managing-coredns.html#updating-coredns-add-on) +3. VPC CNI: [check here](https://docs.aws.amazon.com/eks/latest/userguide/managing-vpc-cni.html#updating-vpc-cni-add-on) -IMPORTANT: be extremely careful when applying these updates, specially with the VPC CNI as the instructions are not easy to follow. +**IMPORTANT:** be extremely careful when applying these updates, specially with the VPC CNI as the instructions are not easy to follow. -### Closing Steps +### 4) Closing Steps Make sure you notify the team about the upgrade result. Also, do not forget about committing/pushing all code changes to the repository and creating a PR for them. -### Migration Notes +#### Migration Notes If you found any information you consider it should be added to this document, you are welcome to reflect that here. -#### Migration to v1.21 +**Migration to v1.21** VPC CNI: The latest available version was v1.11.4 but I was only able to upgrade to v1.9.3. I couldn't move further because v1.10.3 wasn't able to run as it keep throwing the following errors: ``` 
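Review bot: replacing the bare URLs with "[check here]" link text in the -108,19 hunk makes the three links indistinguishable in a rendered link list or for a screen reader; put the component name in the link text instead, e.g. `1. [Kube-proxy](https://docs.aws.amazon.com/eks/latest/userguide/managing-kube-proxy.html#updating-kube-proxy-add-on)`. Also, demoting "Migration to v1.21" and "Migration to v1.22" from `####` headings to bold lines removes them from the rendered table of contents, which is where readers will look for a specific version; `##### Migration to v1.21` would keep them as headings under "#### Migration Notes".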
@@ -133,7 +140,7 @@ Cluster Autoscaler: it is already at v1.23.0. The idea is that this should match Managed Nodes failures due to PodEvictionFailure: this one happened twice during a Production cluster upgrade. It seemed to be related to Calico pods using tolerations that are not compatible with Kubernetes typical node upgrade procedure. In short, the pods tolerate the NoSchedule taint and thus refuse to be evicted from the nodes during a drain procedure. The workaround that worked was using a forced upgrade. That is esentially a flag that can be passed via Terraform (or via AWS CLI). A more permanent solution would involve figuring out a proper way to configure Calico pods without the problematic toleration; we just need to keep in mind that we are deploying Calico via the Tigera Operator. -#### Migration to v1.22 +**Migration to v1.22** Control plane and managed nodes: no issues. Cluster Autoscaler: already at v1.23.0. From 67bc29c35891fb4842bfb9382df1670425af7e4a Mon Sep 17 00:00:00 2001 From: Diego OJ Date: Wed, 26 Apr 2023 17:08:29 -0300 Subject: [PATCH 11/19] Refactor the add-new-account page and several other small updates --- docs/try-leverage/add-aws-accounts.md | 622 +++++++----------- docs/try-leverage/aws-account-setup.md | 2 +- .../security-and-shared-accounts.md | 9 +- docs/user-guide/leverage-cli/reference/aws.md | 5 + .../ref-architecture-aws/design-references.md | 17 - .../features/compute/k8s-eks.md | 2 +- .../features/sso/overview.md | 3 +- .../ref-architecture-aws/references.md | 15 + mkdocs.yml | 4 +- 9 files changed, 286 insertions(+), 393 deletions(-) delete mode 100644 docs/user-guide/ref-architecture-aws/design-references.md create mode 100644 docs/user-guide/ref-architecture-aws/references.md diff --git a/docs/try-leverage/add-aws-accounts.md b/docs/try-leverage/add-aws-accounts.md index da926bfcc..97f000f89 100644 --- a/docs/try-leverage/add-aws-accounts.md +++ b/docs/try-leverage/add-aws-accounts.md 
@@ -1,62 +1,43 @@ -# Add AWS Accounts +# Add more AWS Accounts -If necessary you can easily add new AWS accounts to your Leverage project by following these steps. +## Brief +You can add new AWS accounts to your Leverage project by following the steps in this page. -For this example `apps-prd` will be created in region `us-east-1`. - -## Create the account in your Organization +!!! info "Important" + In the examples belo, we will be using `apps-prd` as the account we will be adding and it will be created in the `us-east-1` region. +## Create the new account in your AWS Organization 1. Go to `management/global/organizations`. - 2. Edit the `locals.tf` file to add the account to the local `accounts` variable. ```yaml accounts = { - - [...] - + ... + ... apps-prd = { - email = "aws+apps-prd@yourcompany.com", - parent_ou = "apps" + email = "aws+apps-prd@yourcompany.com", + parent_ou = "apps" } } ``` - - Note `apps` organizational unit (OU) is being used as parent OU. If a new OU has to be used here, it has to be created by adding it to `organizational_units` structure in the same file. - -3. Run the [Terraform workflow](https://leverage.binbash.com.ar/user-guide/ref-architecture-aws/workflow/) to apply the new changes. - - Basically: - + Note that the `apps` organizational unit (OU) is being used as the parent OU of the new account. If you need to use a new OU you can add it to `organizational_units` variable in the same file. +3. Run the [Terraform workflow](https://leverage.binbash.com.ar/user-guide/ref-architecture-aws/workflow/) to apply the new changes. Typically that would be this: ```shell + leverage terraform init leverage terraform apply ``` - -4. Add the new account to the `config/common.tfvars` file. - - The new account ID should be got from the previous step. - - Usi it to update the file: - +4. Add the new account to the `config/common.tfvars` file. 
The new account ID should have been displayed in the output of the previous step so please grab it from there and use it to update said file as in the example below: ```shell - accounts = { + accounts = { - [...] + [...] - apps-prd = { - email = "aws+apps-prd@yourcompany.com", - id = "" - } + apps-prd = { + email = "", + id = "" } + } ``` - -5. If SSO is being used in this project. - - Permissions for SSO access have to be granted before we can step forward. - - Add the right permissions in file `management/global/sso/account_assignments.tf`. - - For the example: - +5. If you are using SSO in this project, permissions on the new account must be granted before we can move forward. Add the right permissions to the `management/global/sso/account_assignments.tf` file. For the example: ```yaml { account = var.accounts.apps-prd.id, 
@@ -83,51 +64,34 @@ For this example `apps-prd` will be created in region `us-east-1`. }, ``` - - Note your needs can vary, these permissions are just an example, please be careful with what you are granting here. - - Apply changes: + Note your needs can vary, these permissions are just an example, please be careful with what you are granting here. Apply these changes: ```shell leverage terraform apply ``` - - Now you need to get the new permissions locally: - + And you must update your AWS config file accordingly by running this: ```shell leverage aws configure sso ``` -Now, you have to create the initial directory structure for this new account, *as explained below*. - -## Setup and apply the layers for the new account +Good! Now you are ready to create the initial directory structure for the new account. The next section will guide through those steps. - For this example, we will create the `apps-prd` account structure by using the `apps-devstg` as a template: +## Create and deploy the layers for the new account +In this example we will create the `apps-prd` account structure by using the `apps-devstg` as a template. +### Create the initial directory structure for the new account 1. Ensure you are at the root of this repository - -2. Create the initial directory structure for the new account: - +2. Now create the directory structure for the new account: ```shell mkdir -p apps-prd/{global,us-east-1} ``` - 3. Set up the config files: - 1. Create the config files for this account: - ```shell cp -r apps-devstg/config apps-prd/config ``` - - 2. Open `apps-prd/config/backend.tfvars` and replace any occurrences of `devstg` with `prd`. - - (basically, `apps-devstg` is being replaced with the new name `apps-prd`) - - + 2. Open `apps-prd/config/backend.tfvars` and replace any occurrences of `devstg` with `prd`. (basically, `apps-devstg` is being replaced with the new name `apps-prd`) 3. Do the same with `apps-prd/config/account.tfvars` - 4. 
If **no SSO** is implemented in the project (i.e. OAAR is being used): - 1. Open up `apps-prd/config/backend.tfvars` again and replace this: ```yaml profile = "bb-apps-prd-devops" 
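Review bot: in step 4 of the -1,62 hunk the `config/common.tfvars` example now shows `email = ""`, while the `locals.tf` example in step 2 still uses `"aws+apps-prd@yourcompany.com"`; the text only tells the reader to grab the account ID, so either keep the example address so both snippets agree or say explicitly that `email` must be the same address declared in `management/global/organizations/locals.tf`. Three style points: "In the examples belo" in the new admonition should be "below"; "The next section will guide through those steps" is missing "you"; and the `accounts = { ... }` and `account_assignments.tf` snippets are Terraform/HCL, not YAML, so their fences should be tagged `hcl` (or `terraform`) rather than `yaml` for correct highlighting.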
@@ -136,331 +100,251 @@ Now, you have to create the initial directory structure for this new account, *a ```yaml profile = "bb-apps-prd-oaar" ``` - 2. In the step above, we are switching to the OAAR (OrganizationalAccountAccessRole) role because we are working with a brand new account that is empty, so, the only way to access it programmatically is through the OAAR role. - 3. Now it's time to configure your OAAR credentials (if haven't already done so). For that you can follow the steps in [this section](https://leverage.binbash.com.ar/first-steps/management-account/#update-the-bootstrap-credentials) of the official documentation. -4. Create the `base-tf-backend` layer: - - 1. Copy the layer from an existing one: - - From the repository root run: - ```shell - cp -r apps-devstg/us-east-1/base-tf-backend apps-prd/us-east-1/base-tf-backend - ``` - - !!! info - If the source layer was already initialized you should delete the previous Terraform setup using `sudo rm -rf .terraform*` in the target layer's directory. - - 2. Go to the `apps-prd/us-east-1/base-tf-backend` directory, open the `config.tf` file and comment the S3 backend block: - - E.g.: - ```yaml - #backend "s3" { - # key = "apps-devstg/tf-backend/terraform.tfstate" - #} - ``` - - 3. Now run the [Terraform workflow](https://leverage.binbash.com.ar/user-guide/ref-architecture-aws/workflow/) to initialize and - apply this layer. - - The flag `--skip-validation` is needed here since the bucket does not yet exist. - - ```shell - leverage terraform init --skip-validation - leverage terraform apply - ``` - - 4. Open the `config.tf` file again uncommenting the block commented before and replacing `devstg` with `prd`: - - E.g.: - ```yaml - backend "s3" { - key = "apps-prd/tf-backend/terraform.tfstate" - } - ``` - - 5. To finish with the backend layer, re-init to move the `tfstate` to the new location. 
- - Run: - ```shell - leverage terraform init - ``` - - Terraform will detect that you are trying to move from a local to a remote state and will ask for confirmation. - - ```shell - Initializing the backend... - Acquiring state lock. This may take a few moments... - Do you want to copy existing state to the new backend? - Pre-existing state was found while migrating the previous "local" backend to the - newly configured "s3" backend. No existing state was found in the newly - configured "s3" backend. Do you want to copy this state to the new "s3" - backend? Enter "yes" to copy and "no" to start with an empty state. - - Enter a value: - - ``` - - Enter `yes` and hit enter. - -5. Create the `base-identities` layer: - - 1. Copy the layer from an existing one: - - From the repository root run: - ```shel - cp -r apps-devstg/global/base-identities apps-prd/global/base-identities` - ``` - - !!! info - If the source layer was already initialized you should delete the previous Terraform setup using `sudo rm -rf .terraform*` in the target layer's directory. - - 2. Go to the `apps-prd/global/base-identities` directory and open the `config.tf` file. Replace any occurrences of `devstg` with `prd` - - E.g. this line should be: - ```yaml - backend "s3" { - key = "apps-prd/identities/terraform.tfstate" - } - ``` - - 3. Init the layer +### Create the Terraform Backend layer +1. Copy the layer from an existing one: + ```shell + cp -r apps-devstg/us-east-1/base-tf-backend apps-prd/us-east-1/base-tf-backend + ``` - ```shell - leverage terraform init - ``` - - 4. Import the OAAR role + !!! info + If the source layer was already initialized you should delete the previous Terraform setup using `sudo rm -rf .terraform*` in the target layer's directory. - Run this command: - ```shell - leverage terraform import module.iam_assumable_role_oaar.aws_iam_role.this OrganizationAccountAccessRole - ``` - - 5. Finally apply the layer +2. 
Go to the `apps-prd/us-east-1/base-tf-backend` directory, open the `config.tf` file and comment the S3 backend block. E.g.: + ```yaml + #backend "s3" { + # key = "apps-devstg/tf-backend/terraform.tfstate" + #} + ``` +3. Now run the [Terraform workflow](https://leverage.binbash.com.ar/user-guide/ref-architecture-aws/workflow/) to initialize and + apply this layer. The flag `--skip-validation` is needed here since the bucket does not yet exist. + ```shell + leverage terraform init --skip-validation + leverage terraform apply + ``` +4. Open the `config.tf` file again uncommenting the block commented before and replacing `devstg` with `prd`. E.g.: + ```yaml + backend "s3" { + key = "apps-prd/tf-backend/terraform.tfstate" + } + ``` +5. To finish with the backend layer, re-init to move the `tfstate` to the new location. Run: + ```shell + leverage terraform init + ``` + Terraform will detect that you are trying to move from a local to a remote state and will ask for confirmation. + ```shell + Initializing the backend... + Acquiring state lock. This may take a few moments... + Do you want to copy existing state to the new backend? + Pre-existing state was found while migrating the previous "local" backend to the + newly configured "s3" backend. No existing state was found in the newly + configured "s3" backend. Do you want to copy this state to the new "s3" + backend? Enter "yes" to copy and "no" to start with an empty state. + + Enter a value: + ``` + Enter `yes` and hit enter. - ```shell - leverage terraform apply - ``` +### Create the identities layer +1. Copy the layer from an existing one: + From the repository root run: + ```shel + cp -r apps-devstg/global/base-identities apps-prd/global/base-identities` + ``` +2. Go to the `apps-prd/global/base-identities` directory and open the `config.tf` file. Replace any occurrences of `devstg` with `prd`. E.g. this line should be: + ```yaml + backend "s3" { + key = "apps-prd/identities/terraform.tfstate" + } + ``` +3. 
Init the layer + ```shell + leverage tf init -reconfigure -upgrade + ``` +4. Import the OAAR role + Run this command: + ```shell + leverage tf import module.iam_assumable_role_oaar.aws_iam_role.this OrganizationAccountAccessRole + ``` +5. Finally apply the layer + ```shell + leverage tf apply + ``` -6. Create the `security-base` layer: +### Create the `security-base` layer +1. Copy the layer from an existing one: + From the repository root run: + ```shell + cp -r apps-devstg/us-east-1/security-base apps-prd/us-east-1/security-base + ``` +2. Go to the `apps-prd/us-east-1/security-base` directory and open the `config.tf` file replacing any occurrences of `devstg` with `prd` + E.g. this line should be: + ```yaml + backend "s3" { + key = "apps-prd/security-base/terraform.tfstate" + } + ``` +3. Init and apply the layer - 1. Copy the layer from an existing one: - - From the repository root run: - ```shell - cp -r apps-devstg/us-east-1/security-base apps-prd/us-east-1/security-base - ``` - - !!! info - If the source layer was already initialized you should delete the previous Terraform setup using `sudo rm -rf .terraform*` in the target layer's directory. - - 2. Go to the `apps-prd/us-east-1/security-base` directory and open the `config.tf` file replacing any occurrences of `devstg` with `prd` + ```shell + leverage tf init -reconfigure -upgrade + leverage tf apply + ``` - E.g. this line should be: - ```yaml - backend "s3" { - key = "apps-prd/security-base/terraform.tfstate" +### Create the `network` layer +1. Copy the layer from an existing one: + From the root of the repository run this: + ```shell + cp -r apps-devstg/us-east-1/base-network apps-prd/us-east-1/base-network + ``` +2. Go to the `apps-prd/us-east-1/base-network` directory and open the `config.tf` file replacing any occurrences of `devstg` with `prd`. E.g. this line should be: + ```yaml + backend "s3" { + key = "apps-prd/network/terraform.tfstate" + } + ``` +3. 
Open the file `locals.tf` and set the new account's CIDRs. + ```yaml + vpc_cidr_block = "172.19.0.0/20" + azs = [ + "${var.region}a", + "${var.region}b", + #"${var.region}c", + #"${var.region}d", + ] + + private_subnets_cidr = ["172.19.0.0/21"] + private_subnets = [ + "172.19.0.0/23", + "172.19.2.0/23", + #"172.19.4.0/23", + #"172.19.6.0/23", + ] + + public_subnets_cidr = ["172.19.8.0/21"] + public_subnets = [ + "172.19.8.0/23", + "172.19.10.0/23", + #"172.19.12.0/23", + #"172.19.14.0/23", + ] + ``` + Note here only two AZs are enabled, if needed uncomment the other ones in the three structures. +3. Init and apply the layer + ```shell + leverage tf init -reconfigure -upgrade + leverage tf apply + ``` +4. Create the VPC Peering between the new account and the VPC of the Shared account. Edit file `shared/us-east-1/base-network/config.tf` and add provider and remote state for the created account. + ```yaml + provider "aws" { + alias = "apps-prd" + region = var.region + profile = "${var.project}-apps-prd-devops" + shared_credentials_file = "~/.aws/${var.project}/config" + } + + data "terraform_remote_state" "apps-prd-vpcs" { + for_each = { + for k, v in local.apps-prd-vpcs : + k => v if !v["tgw"] } - ``` - - 3. Init and apply the layer - ```shell - leverage tf init - leverage tf apply - ``` - -7. Create the `base-network` layer: - - 1. Copy the layer from an existing one: + backend = "s3" - From the repository root run: - ```shell - cp -r apps-devstg/us-east-1/base-network apps-prd/us-east-1/base-network - ``` - - !!! info - If the source layer was already initialized you should delete the previous Terraform setup using `sudo rm -rf .terraform*` in the target layer's directory. - - 2. Go to the `apps-prd/us-east-1/base-network` directory and open the `config.tf` file replacing any occurrences of `devstg` with `prd` - - E.g. 
this line should be: - ```yaml - backend "s3" { - key = "apps-prd/network/terraform.tfstate" + config = { + region = lookup(each.value, "region") + profile = lookup(each.value, "profile") + bucket = lookup(each.value, "bucket") + key = lookup(each.value, "key") } - ``` - - 3. Open the file `locals.tf` and set the new account's CIDRs - - E.g. - ```yaml - vpc_cidr_block = "172.19.0.0/20" - azs = [ - "${var.region}a", - "${var.region}b", - #"${var.region}c", - #"${var.region}d", - ] - - private_subnets_cidr = ["172.19.0.0/21"] - private_subnets = [ - "172.19.0.0/23", - "172.19.2.0/23", - #"172.19.4.0/23", - #"172.19.6.0/23", - ] - - public_subnets_cidr = ["172.19.8.0/21"] - public_subnets = [ - "172.19.8.0/23", - "172.19.10.0/23", - #"172.19.12.0/23", - #"172.19.14.0/23", - ] - ``` - - Note here only two azs are enabled, if needed uncomment the other ones in the three structures. - - 3. Init and apply the layer + } - ```shell - leverage tf init - leverage tf apply - ``` - - 4. VPC Peering to Shared account - - Edit file `shared/us-east-1/base-network/config.tf` and add provider and remote state for the created account: - ```yaml - provider "aws" { - alias = "apps-prd" - region = var.region - profile = "${var.project}-apps-prd-devops" - shared_credentials_file = "~/.aws/${var.project}/config" + ``` + Edit file `shared/us-east-1/base-network/locals.tf` and under + ```yaml + # + # Data source definitions + # + ``` + ...add the related structure: + ```yaml + apps-prd-vpcs = { + apps-prd-base = { + region = var.region + profile = "${var.project}-apps-prd-devops" + bucket = "${var.project}-apps-prd-terraform-backend" + key = "apps-prd/network/terraform.tfstate" + tgw = false } - - data "terraform_remote_state" "apps-prd-vpcs" { - for_each = { - for k, v in local.apps-prd-vpcs : - k => v if !v["tgw"] - } - - backend = "s3" - - config = { - region = lookup(each.value, "region") - profile = lookup(each.value, "profile") - bucket = lookup(each.value, "bucket") - key = 
lookup(each.value, "key") - } + } + ``` + Edit file `shared/us-east-1/base-network/vpc_peerings.tf` and add the peering definition: + ```yaml + # + # VPC Peering: AppsPrd VPC => Shared VPC + # + module "vpc_peering_apps_prd_to_shared" { + source = "github.com/binbashar/terraform-aws-vpc-peering.git?ref=v4.0.1" + + for_each = { + for k, v in local.apps-prd-vpcs : + k => v if !v["tgw"] } - ``` - - Edit file `shared/us-east-1/base-network/locals.tf` and under - ```yaml - # - # Data source definitions - # - ``` - - ...add the related structure: - ```yaml - apps-prd-vpcs = { - apps-prd-base = { - region = var.region - profile = "${var.project}-apps-prd-devops" - bucket = "${var.project}-apps-prd-terraform-backend" - key = "apps-prd/network/terraform.tfstate" - tgw = false - } + providers = { + aws.this = aws + aws.peer = aws.apps-prd } - ``` - - Edit file `shared/us-east-1/base-network/vpc_peerings.tf` and add the peering definition: - ```yaml - # - # VPC Peering: AppsPrd VPC => Shared VPC - # - module "vpc_peering_apps_prd_to_shared" { - source = "github.com/binbashar/terraform-aws-vpc-peering.git?ref=v4.0.1" - - for_each = { - for k, v in local.apps-prd-vpcs : - k => v if !v["tgw"] - } - - providers = { - aws.this = aws - aws.peer = aws.apps-prd - } - - this_vpc_id = module.vpc.vpc_id - peer_vpc_id = data.terraform_remote_state.apps-prd-vpcs[each.key].outputs.vpc_id - - this_rts_ids = concat(module.vpc.private_route_table_ids, module.vpc.public_route_table_ids) - peer_rts_ids = concat( - data.terraform_remote_state.apps-prd-vpcs[each.key].outputs.public_route_table_ids, - data.terraform_remote_state.apps-prd-vpcs[each.key].outputs.private_route_table_ids - ) - - auto_accept_peering = true - - tags = merge(local.tags, { - "Name" = "${each.key}-to-shared", - "PeeringRequester" = each.key, - "PeeringAccepter" = "shared" - }) - } - - ``` - Apply the changes (be sure to CD into `shared/us-east-1/base-network` layer for doing this): + this_vpc_id = module.vpc.vpc_id + 
peer_vpc_id = data.terraform_remote_state.apps-prd-vpcs[each.key].outputs.vpc_id - ```shell - leverage terraform apply - ``` - -8. If no SSO is implemented in the project (i.e. OAAR is being used), switch back from OAAR to DevOps role - - 1. Open up `apps-prd/config/backend.tfvars` - - Replace this: - ```yaml - profile = "bb-apps-prd-oaar" - ``` - - with this: - - ```yaml - profile = "bb-apps-prd-devops" - ``` - - !!! info - This is needed because we only want to use the OAAR role for exceptional cases, not on a daily basis. - - 3. Now, let's configure your DevOps credentials (if you haven't already done so). - - 1. Log into your security account, create programmatic access keys, and enable MFA. - - 2. Then run: `leverage credentials configure --fetch-mfa-device --type SECURITY` + this_rts_ids = concat(module.vpc.private_route_table_ids, module.vpc.public_route_table_ids) + peer_rts_ids = concat( + data.terraform_remote_state.apps-prd-vpcs[each.key].outputs.public_route_table_ids, + data.terraform_remote_state.apps-prd-vpcs[each.key].outputs.private_route_table_ids + ) - 3. The command above should prompt for your programmatic keys and, with those, Leverage should be able to configure your AWS config and credentials files appropriately. + auto_accept_peering = true -9. That should be it. At this point you should have the following: - - 1. A brand-new AWS account - - 2. Configuration files that are needed for any layer that is created under this account - - 3. A Terraform State Backend for this new account - - 4. Roles and policies (base identities) that are necessary to access the new account - - 5. The base networking stuff + tags = merge(local.tags, { + "Name" = "${each.key}-to-shared", + "PeeringRequester" = each.key, + "PeeringAccepter" = "shared" + }) + } + ``` + Apply the changes (be sure to CD into `shared/us-east-1/base-network` layer for doing this): + ```shell + leverage terraform apply + ``` +### Replace temporary profiles with permanent ones +1. 
If no SSO is implemented in the project (i.e. OAAR is being used), switch back from OAAR to DevOps role +2. Open up `apps-prd/config/backend.tfvars`and replace this: + ```yaml + profile = "bb-apps-prd-oaar" + ``` + with this: + ```yaml + profile = "bb-apps-prd-devops" + ``` + This is needed because we only want to use the OAAR role for exceptional cases, not on a daily basis. +3. Now, let's configure your DevOps credentials (if you haven't already done so). + 1. Log into your security account, create programmatic access keys, and enable MFA. + 2. Then run: `leverage credentials configure --fetch-mfa-device --type SECURITY` + 3. The command above should prompt for your programmatic keys and, with those, Leverage should be able to configure your AWS config and credentials files appropriately. + +## Done! +That should be it. At this point you should have the following: + +1. A brand new AWS account in your AWS organization. +2. Working configuration files for both existing layers and any new layer you add in the future. +3. A remote Terraform State Backend for this new account. +4. Roles and policies (base identities) that are necessary to access the new account. +5. The base networking resources ready to host your compute services. diff --git a/docs/try-leverage/aws-account-setup.md b/docs/try-leverage/aws-account-setup.md index 1caaf9546..7a3c2cff3 100644 --- a/docs/try-leverage/aws-account-setup.md +++ b/docs/try-leverage/aws-account-setup.md 
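Review bot: the rewritten "Create the identities layer", "Create the `security-base` layer" and "Create the `network` layer" sections drop the `!!! info` admonition that the removed lines kept after each copy step ("If the source layer was already initialized you should delete the previous Terraform setup using `sudo rm -rf .terraform*` in the target layer's directory"). Each section still starts with `cp -r apps-devstg/... apps-prd/...`, so an already-initialized devstg layer brings its `.terraform/` directory (cached backend settings, provider lock) into the prd layer; `leverage tf init -reconfigure -upgrade` re-points the backend, but the note is worth keeping so stale devstg artifacts are cleared before anything is applied against the new account. Two rendering defects in the identities step 1: the fence is tagged ```shel and the command ends in a stray backtick (`apps-prd/global/base-identities``). In the network section two consecutive steps are numbered `3.`, and under "Replace temporary profiles with permanent ones" step 1 states a condition ("If no SSO is implemented in the project ...") rather than an action; it reads better as the lead sentence of that list, with "Open up `apps-prd/config/backend.tfvars`" becoming step 1. The HCL snippets are fenced as ```yaml; ```hcl gives correct highlighting.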
@@ -1,6 +1,6 @@ # Creating your AWS Management account -## Create an AWS account +## Create the first AWS account First and foremost you'll need to [create an AWS account](/user-guide/ref-architecture-aws/features/organization/configuration/) for your project. This will be the management account of your [AWS Organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html) and the email address you use for signing up will be the [root user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html) of this account -- you can see this user represented in the [architecture diagram](../#leverage-landing-zone). Since the root user is the main access point to your account it is strongly recommended that you keep its credentials (email, password) safe by following [AWS best practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html). diff --git a/docs/try-leverage/security-and-shared-accounts.md b/docs/try-leverage/security-and-shared-accounts.md index 2360312f8..104a7fafe 100644 --- a/docs/try-leverage/security-and-shared-accounts.md +++ b/docs/try-leverage/security-and-shared-accounts.md 
@@ -1,5 +1,10 @@ # Configure the Security and Shared accounts -Just a couple more accounts to get ready. Let's go! +You should by now be more familiar with the steps required to create and configure the Management account. Now you need to do pretty much the same with two more accounts: Security and Shared. Follow the sections in this page to get started! + +!!! info "What are these accounts used for?" + The **Security** account is intended for operating security services (e.g. GuardDuty, AWS Security Hub, AWS Audit Manager, Amazon Detective, Amazon Inspector, and AWS Config), monitoring AWS accounts, and automating security alerting and response. + + The **Shared Services** account supports the services that multiple applications and teams use to deliver their outcomes. Some examples include VPN servers, monitoring systems, and centralized logs management services. ## Deploy the Security account's layers The next account to orchestrate is the **security** account. @@ -52,7 +57,7 @@ leverage terraform apply ## Deploy the Shared account's layers The last account in this deployment is the `shared` account. -The account's objective is managing infrastructure for shared services and resources like directory services, DNS, VPN, monitoring tools or centralized logging solutions. +Again, this account is intended for managing the infrastructure of shared services and resources such as directory services, DNS, VPN, monitoring tools or centralized logging solutions. Place yourself in the `shared` directory. ``` bash diff --git a/docs/user-guide/leverage-cli/reference/aws.md b/docs/user-guide/leverage-cli/reference/aws.md index 76882cb3c..a93a8ffec 100644 --- a/docs/user-guide/leverage-cli/reference/aws.md +++ b/docs/user-guide/leverage-cli/reference/aws.md @@ -33,3 +33,8 @@ It wraps `aws sso login` taking extra steps to allow `Leverage` to use the resul
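Review bot: the new admonition names the second account "Shared Services" while the second hunk on the same page ("The last account in this deployment is the `shared` account.") and the nav use `shared`; pick one name so readers map the description to the directory they are about to `cd` into. Minor wording in the intro line: "Follow the sections in this page" should be "on this page".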
leverage aws sso logout
It wraps `aws sso logout` taking extra steps to make sure that all tokens and temporary credentials are wiped from the system. It also reminds the user to log out form the AWS SSO login page and identity provider portal. This last action is left to the user to perform. + +!!! warn "Important" + Please keep in mind that this command will not only remove temporary credentials but also the AWS config + file. If you use such file to store your own configuration please create a backup before running the `sso + logout` command. diff --git a/docs/user-guide/ref-architecture-aws/design-references.md b/docs/user-guide/ref-architecture-aws/design-references.md deleted file mode 100644 index 6f5884a75..000000000 --- a/docs/user-guide/ref-architecture-aws/design-references.md +++ /dev/null 
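Review bot: `!!! warn "Important"` is not an admonition type that Material for MkDocs styles (`warning` is), so this box renders with the default look; use `!!! warning "Important"`. The body should also say which config file is removed: the troubleshooting page added later in this series locates it at `~/.aws/[project_name_here]/config`, and a reader with a plain `~/.aws/config` needs to know whether that file is touched. Grammar: "If you use such file" should be "such a file", and the unchanged context line above has "log out form the AWS SSO login page" for "from".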
@@ -1,17 +0,0 @@ -# Design References -Please consider some official AWS docs, blog post and whitepapers we've considered for the current -Reference Solutions Architecture design: - -!!! info "AWS Reference Articles" - - :orange_book: **CloudTrail for AWS Organizations:** https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html - - :orange_book: **Reserved Instances - Multi Account:** https://aws.amazon.com/about-aws/whats-new/2019/07/amazon-ec2-on-demand-capacity-reservations-shared-across-multiple-aws-accounts/ - - :orange_book: **AWS Multiple Account Security Strategy:** https://d0.awsstatic.com/aws-answers/AWS_Multi_Account_Security_Strategy.pdf - - :orange_book: **AWS Multiple Account Billing Strategy:** https://aws.amazon.com/answers/account-management/aws-multi-account-billing-strategy/ - - :orange_book: **AWS Secure Account Setup:** https://aws.amazon.com/answers/security/aws-secure-account-setup/ - - :orange_book: **Authentication and Access Control for AWS Organizations:** https://docs.aws.amazon.com/organizations/latest/userguide/orgs_permissions.html - - :orange_book: **AWS Regions:** https://www.concurrencylabs.com/blog/choose-your-aws-region-wisely/ - - :orange_book: **VPC Peering:** https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html - - :orange_book: **Route53 DNS VPC Associations:** https://aws.amazon.com/premiumsupport/knowledge-center/private-hosted-zone-different-account/ - - :orange_book: **AWS Well Architected Framework:** https://aws.amazon.com/blogs/apn/the-5-pillars-of-the-aws-well-architected-framework/ - - :orange_book: **AWS Tagging strategies:** https://aws.amazon.com/answers/account-management/aws-tagging-strategies/ - - :orange_book: **Inviting an AWS Account to Join Your Organization**: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_invites.html 
diff --git a/docs/user-guide/ref-architecture-aws/features/compute/k8s-eks.md b/docs/user-guide/ref-architecture-aws/features/compute/k8s-eks.md index 1a190fe34..5e3a2f1c2 100644 --- a/docs/user-guide/ref-architecture-aws/features/compute/k8s-eks.md +++ b/docs/user-guide/ref-architecture-aws/features/compute/k8s-eks.md @@ -1,4 +1,4 @@ # AWS Elastic Kubernetes Service (EKS) !!! info "Important" - This page has been moved [here](/user-guide/ref-architecture-eks/overview/). + Please check the [Reference Architecture for EKS](/user-guide/ref-architecture-eks/overview/) to learn more details about this. diff --git a/docs/user-guide/ref-architecture-aws/features/sso/overview.md b/docs/user-guide/ref-architecture-aws/features/sso/overview.md index e7e3fd0f4..25ed721d1 100644 --- a/docs/user-guide/ref-architecture-aws/features/sso/overview.md +++ b/docs/user-guide/ref-architecture-aws/features/sso/overview.md @@ -1,6 +1,7 @@ # AWS SSO -TODO Replace JumpCloud with AWS SSO +!!! warn "Important" + Parts of this documentation are outdated. JumpCloud is no longer part of our reference architecture. ## Single Sign-On (SSO) JumpCloud will be configured as the Identity Provider (IdP) that we will integrate with AWS SSO diff --git a/docs/user-guide/ref-architecture-aws/references.md b/docs/user-guide/ref-architecture-aws/references.md new file mode 100644 index 000000000..6a43ce6f0 --- /dev/null +++ b/docs/user-guide/ref-architecture-aws/references.md 
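Review bot: in the sso/overview.md hunk the new `!!! warn "Important"` again uses a type Material for MkDocs does not style (`warning` does), and it sits directly above the unchanged line "JumpCloud will be configured as the Identity Provider (IdP)", which contradicts "JumpCloud is no longer part of our reference architecture". Either say in the admonition which sections are outdated and why they are kept, or trim the JumpCloud paragraphs in this change rather than leaving the contradiction on the page.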
@@ -0,0 +1,15 @@ +# References +The following are official AWS documentations, blog posts and whitepapers we have considered while building our Reference Solutions Architecture: + +- :orange_book: [**CloudTrail for AWS Organizations:**](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html) +- :orange_book: [**Reserved Instances - Multi Account:**](https://aws.amazon.com/about-aws/whats-new/2019/07/amazon-ec2-on-demand-capacity-reservations-shared-across-multiple-aws-accounts/) +- :orange_book: [**AWS Multiple Account Security Strategy:**](https://d0.awsstatic.com/aws-answers/)AWS_Multi_Account_Security_Strategy.pdf +- :orange_book: [**AWS Multiple Account Billing Strategy:**](https://aws.amazon.com/answers/account-management/)aws-multi-account-billing-strategy/ +- :orange_book: [**AWS Secure Account Setup:**](https://aws.amazon.com/answers/security/aws-secure-account-setup/) +- :orange_book: [**Authentication and Access Control for AWS Organizations:**](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_permissions.html) +- :orange_book: [**AWS Regions:**](https://www.concurrencylabs.com/blog/choose-your-aws-region-wisely/) +- :orange_book: [**VPC Peering:**](https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html) +- :orange_book: [**Route53 DNS VPC Associations:**](https://aws.amazon.com/premiumsupport/knowledge-center/private-hosted-zone-different-account/) +- :orange_book: [**AWS Well Architected Framework:**](https://aws.amazon.com/blogs/apn/the-5-pillars-of-the-aws-well-architected-framework/) +- :orange_book: [**AWS Tagging strategies:**](https://aws.amazon.com/answers/account-management/aws-tagging-strategies/) +- :orange_book: [**Inviting an AWS Account to Join Your Organization**](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_invites.html) diff --git a/mkdocs.yml b/mkdocs.yml index 676124482..b29f5a3b6 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
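Review bot: two entries in the new list have their URL split, so the link target is truncated and the file name renders as plain text after the link: `[**AWS Multiple Account Security Strategy:**](https://d0.awsstatic.com/aws-answers/)AWS_Multi_Account_Security_Strategy.pdf` and `[**AWS Multiple Account Billing Strategy:**](https://aws.amazon.com/answers/account-management/)aws-multi-account-billing-strategy/`. The deleted design-references.md had the full URLs; move the trailing path segments back inside the parentheses. The link texts also keep a trailing colon inside the bold (`**CloudTrail for AWS Organizations:**`), which made sense when the URL followed as text but now reads oddly as link text.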
@@ -166,7 +166,7 @@ nav: - Configure the Management account: "try-leverage/management-account.md" - Configure the Security and Shared accounts: "try-leverage/security-and-shared-accounts.md" - Post-deployment: "try-leverage/post-deployment.md" - - Add AWS Accounts: "try-leverage/add-aws-accounts.md" + - Add more AWS Accounts: "try-leverage/add-aws-accounts.md" - Concepts: - Index: "concepts/index.md" @@ -243,7 +243,7 @@ nav: - Backups: "user-guide/ref-architecture-aws/features/reliability/backups.md" - Disaster Recovery: "user-guide/ref-architecture-aws/features/reliability/dr.md" - High Availability: "user-guide/ref-architecture-aws/features/reliability/high-availability.md" - - Design References: "user-guide/ref-architecture-aws/design-references.md" + - References: "user-guide/ref-architecture-aws/references.md" - Reference Architecture for EKS: - Overview: "user-guide/ref-architecture-eks/overview.md" - VPC: "user-guide/ref-architecture-eks/vpc.md" From a4f6495651218898033c9730bc04b649e40d01e2 Mon Sep 17 00:00:00 2001 From: Diego OJ Date: Thu, 27 Apr 2023 10:50:30 -0300 Subject: [PATCH 12/19] Improve troubleshooting section a bit --- .../user-guide/troubleshooting/credentials.md | 39 ----------- docs/user-guide/troubleshooting/index.md | 66 +++++++++++++++++++ mkdocs.yml | 3 +- 3 files changed, 67 insertions(+), 41 deletions(-) delete mode 100644 docs/user-guide/troubleshooting/credentials.md create mode 100644 docs/user-guide/troubleshooting/index.md diff --git a/docs/user-guide/troubleshooting/credentials.md b/docs/user-guide/troubleshooting/credentials.md deleted file mode 100644 index f1afcac50..000000000 --- a/docs/user-guide/troubleshooting/credentials.md +++ /dev/null 
@@ -1,39 +0,0 @@ -# Troubleshooting credentials issues - -## General tips - -### Gathering more information -Trying to get as much information of the issue as possible is key when troubleshooting. Keep reading to find out typical scenarios and how you can gather more information about each. - -If the issue happens while you are working on a layer of the reference architecture and you are using Terraform, you can use the `--verbose` flag to try to get more information about the underlying issue. -For instance, if the error shows up while running a Terraform plan command, you can enable a more verbose output like this: `leverage --verbose tf plan` - -### Determine the profile you are using -When working with the reference architecture, it is important to understand what is the AWS profile that might be causing the issue. Enabling verbose mode should help with that. Read the above section to understand how it can be turned on. -The suspect profile is likely to show right above the error line. - -### Test the failing profile with the AWS CLI -Assuming that the suspect profile is `le-shared-devops`, you can try this command: `aws sts get-caller-identity --profile le-shared-devops`. -Note: if you use the AWS CLI installed in your host machine, you will need to configure the environment variables in the section `Configure the AWS CLI for Leverage` - -### Check the profiles in your AWS config file -Once you know what AWS profile is surfacing the issue you can open the AWS config file, typically under `~/.aws/[project_name_here]/config`, to inspect that profile definition. - -Important: when using SSO, the profiles are actually created in the AWS credentials file - -Things to look out for: -- Is there a profile entry in the AWS config file that matches the suspect profile? 
-- Does the profile entry include all necessary fields - -### Configure the AWS CLI for Leverage -Since Leverage stores the AWS config and credentials file under a non-default path, when using the AWS CLI you'll need to point it to the right locations: -``` -export AWS_CONFIG_FILE=~/.aws/[project_name_here]/config -export AWS_SHARED_CREDENTIALS_FILE=~/.aws/[project_name_here]/credentials -``` - -## Troubleshooting SSO credentials -TODO - -## Troubleshooting IAM credentials -TODO diff --git a/docs/user-guide/troubleshooting/index.md b/docs/user-guide/troubleshooting/index.md new file mode 100644 index 000000000..6815280b1 --- /dev/null +++ b/docs/user-guide/troubleshooting/index.md 
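Review bot: the line `-Important: when using SSO, the profiles are actually created in the AWS credentials file` is dropped here and does not reappear in the new troubleshooting/index.md added below, which tells readers to inspect `~/.aws/[project_name_here]/config` and defers SSO specifics to a section that is still a TODO. Keep that sentence in the "Check the profiles in your AWS config file" section of the new page so SSO users open the right file when they troubleshoot.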
@@ -0,0 +1,66 @@ +# Troubleshooting + +## General + +### Gathering more information +Trying to get as much information of the issue as possible is key when troubleshooting. Keep reading to find out typical scenarios and how you can gather more information about each. + +If the issue happens while you are working on a layer of the reference architecture and you are using Terraform, you can use the `--verbose` flag to try to get more information about the underlying issue. +For instance, if the error shows up while running a Terraform plan command, you can enable a more verbose output like follows: +``` +leverage --verbose tf plan +``` + +### How Leverage gets AWS credentials for Terraform and other tools +First, you need to know that Terraform doesn't support AWS authentication methods that require user interaction. E.g. logging in via SSO or assuming roles that require MFA. +That is why Leverage made two design decisions in that regard: + +1. Configure Terraform to use AWS profiles via Terraform AWS provider and local [AWS configuration files](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html). +2. Leverage handles the user interactivity during authentication in order to get the credentials Terraform needs through AWS profiles. + +So, Leverage runs simple bash scripts to deal with 2. and then passes the execution flow to Terraform which by then should have the AWS profiles ready-to-use, in the expected path. + +### Where are those AWS profiles stored again? +It's only 2 files: `config` and `credentials`. They should be located in this path: `~/.aws/[project_name_here]/`. So, for instance, if you project name is `acme`, then said files should be found in: `~/.aws/acme/`. + + +## Troubleshooting credentials issues + +### Determine the profile you are using +When working with the reference architecture, it is important to understand what is the AWS profile that might be causing the issue. Enabling verbose mode should help with that. 
Read the above section to understand how it can be turned on. +The suspect profile is likely to show right above the error line. + +### Test the failing profile with the AWS CLI +Once you have narrowed down your investigation to a profile what you can do is test it. For instance, assuming that the suspect profile is `le-shared-devops`, you can run this command: `aws sts get-caller-identity --profile le-shared-devops`. +Note: if you use the AWS CLI installed in your host machine, you will need to configure the environment variables in the section "Configure the AWS CLI for Leverage" below. + +### Check the profiles in your AWS config file +Once you know what AWS profile is causing the issue you can open the AWS config file, typically under `~/.aws/[project_name_here]/config`, to inspect that profile definition. + +Things to look out for: + +- Is there a profile entry in that file that matches the suspect profile? +- Does the profile entry include all necessary fields? +- Keep in mind that profiles change depending on if you are using SSO or IAM for authentication so please refer to the corresponding section below in this page to find specific details about your case. + +### Configure the AWS CLI for Leverage +Since Leverage stores the AWS config and credentials file under a non-default path, when using the AWS CLI you'll need to point it to the right locations: +``` +export AWS_CONFIG_FILE=~/.aws/[project_name_here]/config +export AWS_SHARED_CREDENTIALS_FILE=~/.aws/[project_name_here]/credentials +``` + +!!! info "Tip" + Another alternative, if you can't to install the AWS CLI on your machine, is to use the one built-in in Leverage toolbox Docker image. 
You can access it by running `leverage tf shell` + + +### Investigating SSO credentials issues +TODO config file role and account id + +TODO regenerate config file + +### Investigating IAM credentials issues +TODO config file role_arn, mfa_serial, region and source_profile + +TODO regenerate config file and credentials + diff --git a/mkdocs.yml b/mkdocs.yml index b29f5a3b6..42289f617 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -278,8 +278,7 @@ nav: - Forks workflow: "user-guide/infra-as-code-library/infra-as-code-library-forks.md" - Specifications: "user-guide/infra-as-code-library/infra-as-code-library-specs.md" - Modules by Technology: "user-guide/infra-as-code-library/modules-library-by-technology.md" - - Troubleshooting: - - Identities: "user-guide/troubleshooting/credentials.md" + - Troubleshooting: "user-guide/troubleshooting/index.md" - Work with us: - Overview: "work-with-us/index.md" - Support: "work-with-us/support.md" From 87565260f05dbf1b0bfe27bfc6bf4d8b4460d282 Mon Sep 17 00:00:00 2001 From: Diego OJ Date: Thu, 27 Apr 2023 16:05:06 -0300 Subject: [PATCH 13/19] Add ArgoCD page and split CI/CD index in different pages --- .../ci-cd/{k8s-argocd.md => argocd.md} | 4 ++-- .../features/ci-cd/ci-cd.md | 23 ------------------- .../features/ci-cd/jenkins-argocd.md | 12 ++++++++++ .../features/ci-cd/jenkins-spinnaker.md | 12 ++++++++++ .../ref-architecture-aws/features/index.md | 4 +++- mkdocs.yml | 5 +++- 6 files changed, 33 insertions(+), 27 deletions(-) rename docs/user-guide/ref-architecture-aws/features/ci-cd/{k8s-argocd.md => argocd.md} (92%) delete mode 100644 docs/user-guide/ref-architecture-aws/features/ci-cd/ci-cd.md create mode 100644 docs/user-guide/ref-architecture-aws/features/ci-cd/jenkins-argocd.md create mode 100644 docs/user-guide/ref-architecture-aws/features/ci-cd/jenkins-spinnaker.md 
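Review bot: the new page ships two sections that are only placeholders (`+### Investigating SSO credentials issues` followed by `+TODO config file role and account id`, and the IAM counterpart), while the "Check the profiles" section above them tells readers to "refer to the corresponding section below in this page"; either turn the TODO lines into the short field checklist they already name (`role_arn`, `mfa_serial`, `region`, `source_profile` for IAM; role and account id for SSO) or leave the headings out until the text exists. Typos: "if you project name is `acme`" (your), "if you can't to install the AWS CLI" (can't install), "the one built-in in Leverage toolbox Docker image" (built into the Leverage toolbox Docker image), and "like follows" (as follows).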
diff --git a/docs/user-guide/ref-architecture-aws/features/ci-cd/k8s-argocd.md b/docs/user-guide/ref-architecture-aws/features/ci-cd/argocd.md similarity index 92% rename from docs/user-guide/ref-architecture-aws/features/ci-cd/k8s-argocd.md rename to docs/user-guide/ref-architecture-aws/features/ci-cd/argocd.md index 947b21ff8..a0f23d54c 100644 --- a/docs/user-guide/ref-architecture-aws/features/ci-cd/k8s-argocd.md +++ b/docs/user-guide/ref-architecture-aws/features/ci-cd/argocd.md @@ -1,6 +1,6 @@ ## ArgoCD -#### AWS Apps & Services K8s EKS accounts diagram +### AWS Apps & Services K8s EKS accounts diagram The below diagram is based on our [binbash Leverage Reference Architecture CI-CD official documentation](https://binbash.atlassian.net/wiki/external/1962410007/YWMxMmY1NzM4MmIyNDRmMDkxMDIwNDY3OWU4ZDYwZjA) @@ -12,4 +12,4 @@ The below diagram is based on our "Implementation Diagrams", binbash Leverage Doc, accessed August 4th 2021). -
\ No newline at end of file +
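Review bot: the heading change from `####` to `###` still leaves this renamed page without an H1; its first line stays `## ArgoCD` (unchanged context), while the sibling pages created in this patch open with `# CI/CD`. Promote it to `# ArgoCD` so MkDocs has a proper page title for the nav and search. Adding the missing trailing newline is good.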
diff --git a/docs/user-guide/ref-architecture-aws/features/ci-cd/ci-cd.md b/docs/user-guide/ref-architecture-aws/features/ci-cd/ci-cd.md deleted file mode 100644 index 86b9270a4..000000000 --- a/docs/user-guide/ref-architecture-aws/features/ci-cd/ci-cd.md +++ /dev/null @@ -1,23 +0,0 @@ -# Continuous Integration / Continuous Delivery (CI/CD) - -## Opt-1: Jenkins + ArgoCD -![leverage-ci-cd-argocd](/assets/images/diagrams/ci-cd-argocd.png "Leverage"){: style="width:750px"} - -
-Figure: ACI/CD with Jenkins + ArgoCD architecture diagram. -(Source: ArgoCD, - -"Overview - What Is Argo CD", -ArgoCD documentation, accessed November 18th 2020). -
- -## Opt-2: [Jenkins + Spinnaker](https://drive.google.com/file/d/1VtKHzBkw5a3zGKFwgI_2rllL9M7ceuCD/view?usp=sharing) -![leverage-ci-cd-spinnaker](/assets/images/diagrams/ci-cd-spinnaker.png "Leverage"){: style="width:950px"} - -
-Figure: CI/CD with Jenkins + Spinnaker diagram. -(Source: Irshad Buchh, - -"Continuous Delivery using Spinnaker on Amazon EKS", -AWS Open Source Blog, accessed November 18th 2020). -
\ No newline at end of file diff --git a/docs/user-guide/ref-architecture-aws/features/ci-cd/jenkins-argocd.md b/docs/user-guide/ref-architecture-aws/features/ci-cd/jenkins-argocd.md new file mode 100644 index 000000000..23b702194 --- /dev/null +++ b/docs/user-guide/ref-architecture-aws/features/ci-cd/jenkins-argocd.md @@ -0,0 +1,12 @@ +# CI/CD + +## Jenkins + ArgoCD +![leverage-ci-cd-argocd](/assets/images/diagrams/ci-cd-argocd.png "Leverage"){: style="width:750px"} + +
+Figure: ACI/CD with Jenkins + ArgoCD architecture diagram. +(Source: ArgoCD, + +"Overview - What Is Argo CD", +ArgoCD documentation, accessed November 18th 2020). +
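Review bot: `+Figure: ACI/CD with Jenkins + ArgoCD architecture diagram.` carries the `ACI/CD` typo over from the deleted ci-cd.md; fix it to `CI/CD` while the caption is being moved.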
diff --git a/docs/user-guide/ref-architecture-aws/features/ci-cd/jenkins-spinnaker.md b/docs/user-guide/ref-architecture-aws/features/ci-cd/jenkins-spinnaker.md new file mode 100644 index 000000000..3ed60f5a9 --- /dev/null +++ b/docs/user-guide/ref-architecture-aws/features/ci-cd/jenkins-spinnaker.md @@ -0,0 +1,12 @@ +# CI/CD + +## [Jenkins + Spinnaker](https://drive.google.com/file/d/1VtKHzBkw5a3zGKFwgI_2rllL9M7ceuCD/view?usp=sharing) +![leverage-ci-cd-spinnaker](/assets/images/diagrams/ci-cd-spinnaker.png "Leverage"){: style="width:950px"} + +
+Figure: CI/CD with Jenkins + Spinnaker diagram. +(Source: Irshad Buchh, + +"Continuous Delivery using Spinnaker on Amazon EKS", +AWS Open Source Blog, accessed November 18th 2020). +
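Review bot: both new pages, jenkins-argocd.md and jenkins-spinnaker.md, open with the identical H1 `+# CI/CD`, so they get the same title in the rendered nav and in search results; use `# Jenkins + ArgoCD` and `# Jenkins + Spinnaker` (the text already in each H2). The Spinnaker H2 is also a link to a Google Drive file, which is fragile as a heading and bypasses the docs site; keep the heading plain and put the link in the body with a note on what it points to.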
diff --git a/docs/user-guide/ref-architecture-aws/features/index.md b/docs/user-guide/ref-architecture-aws/features/index.md index 3c0b00454..c0ad1a7af 100644 --- a/docs/user-guide/ref-architecture-aws/features/index.md +++ b/docs/user-guide/ref-architecture-aws/features/index.md @@ -52,7 +52,9 @@ This reference architecture supports a growing number of AWS services. This sect - [x] [AWS CloudFront](cdn/cdn.md) ## CI/CD (Continuous Integration / Continuous Delivery) -- [x] [CI/CD](ci-cd/ci-cd.md) +- [x] [ArgoCD](ci-cd/argocd.md) +- [x] [Jenkins & ArgoCD](ci-cd/jenkins-argocd.md) +- [x] [Jenkins & Spinnaker](ci-cd/jenkins-spinnaker.md) ## Monitoring | Metrics, Logs, APM and Tracing - [x] [Monitoring](monitoring/monitoring.md) diff --git a/mkdocs.yml b/mkdocs.yml index 42289f617..a71385839 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -232,7 +232,10 @@ nav: - PostgresSQL: "user-guide/ref-architecture-aws/features/database/postgres.md" - Storage: "user-guide/ref-architecture-aws/features/storage/storage.md" - CDN: "user-guide/ref-architecture-aws/features/cdn/cdn.md" - - CI/CD: "user-guide/ref-architecture-aws/features/ci-cd/ci-cd.md" + - CI/CD: + - ArgoCD: "user-guide/ref-architecture-aws/features/ci-cd/argocd.md" + - Jenkins & ArgoCD: "user-guide/ref-architecture-aws/features/ci-cd/jenkins-argocd.md" + - Jenkins & Spinnaker: "user-guide/ref-architecture-aws/features/ci-cd/jenkins-spinnaker.md" - Monitoring: - Monitoring: "user-guide/ref-architecture-aws/features/monitoring/monitoring.md" - Metrics: "user-guide/ref-architecture-aws/features/monitoring/metrics.md" From c5dfd41cd266068c94386084b6e5a5d815da7920 Mon Sep 17 00:00:00 2001 From: Diego OJ Date: Thu, 27 Apr 2023 16:13:44 -0300 Subject: [PATCH 14/19] Put back the admonitions in the AWS features page --- .../ref-architecture-aws/features/index.md | 124 +++++++++--------- 1 file changed, 62 insertions(+), 62 deletions(-) 
diff --git a/docs/user-guide/ref-architecture-aws/features/index.md b/docs/user-guide/ref-architecture-aws/features/index.md index c0ad1a7af..79a95ecda 100644 --- a/docs/user-guide/ref-architecture-aws/features/index.md +++ b/docs/user-guide/ref-architecture-aws/features/index.md 
@@ -5,65 +5,65 @@ ## Overview This reference architecture supports a growing number of AWS services. This section lists all of them and goes through each in depth. -## Governance | AWS Organizations -- [x] [Overview](organization/overview.md) -- [x] [Configuration](organization/configuration.md) -- [x] [Invite pre-exiting accounts to AWS Organizations](organization/legacy-accounts.md) - -## Identity Management -- [x] [GPG Keys](identities/gpg.md) -- [x] [Identities](identities/identities.md) -- [x] [AWS Credentials](identities/credentials.md) -- [x] [Hashicorp Vault Credentials](identities/credentials-vault.md) - -## Single Sign-On (SSO) -- [x] [AWS SSO + Jumpcloud IdP](sso/overview.md) - -## Cost Monitoring & Optimization -- [x] [Costs](costs/costs.md) - -## Security -- [X] [Security Services](security/overview.md) -- [X] [VPN | Pritunl](security/vpn.md) - -## Networking | VPC, TGW, NFW, DNS and NACLs -- [x] [VPC Addressing](network/vpc-addressing.md) -- [x] [VPC Peering](network/vpc-peering.md) -- [x] [DNS](network/dns.md) - -## Secrets Management -- [X] [Secrets](secrets/secrets.md) - -## Compute -- [x] [Compute](compute/overview.md) -- [x] [K8s EKS](compute/k8s-eks.md) -- [x] [K8s Kops](compute/k8s-kops.md) -- [x] [Serverless](compute/serverless.md) - -## Databases -- [x] [Databases](database/database.md) -- [x] [RDS MySql](database/mysql.md) -- [x] [RDS Postgres](database/postgres.md) - -## Storage -- [x] [Storage](storage/storage.md) - -## Content Delivery Network (CDN) -- [x] [AWS CloudFront](cdn/cdn.md) - -## CI/CD (Continuous Integration / Continuous Delivery) -- [x] [ArgoCD](ci-cd/argocd.md) -- [x] [Jenkins & ArgoCD](ci-cd/jenkins-argocd.md) -- [x] [Jenkins & Spinnaker](ci-cd/jenkins-spinnaker.md) - -## Monitoring | Metrics, Logs, APM and Tracing -- [x] [Monitoring](monitoring/monitoring.md) -- [x] [Metrics](monitoring/metrics.md) -- [x] [Logs](monitoring/logs.md) -- [x] [Tracing](monitoring/tracing.md) -- [x] [APM](monitoring/apm.md) - -## Reliability -- 
[X] [Bakcups](reliability/backups.md) -- [x] [Health-Checks](./) -- [X] [Disaster Recovery](reliability/dr.md) +!!! check "Governance | AWS Organizations" + - [x] [Overview](organization/overview.md) + - [x] [Configuration](organization/configuration.md) + - [x] [Invite pre-exiting accounts to AWS Organizations](organization/legacy-accounts.md) + +!!! check "Identity Management" + - [x] [GPG Keys](identities/gpg.md) + - [x] [Identities](identities/identities.md) + - [x] [AWS Credentials](identities/credentials.md) + - [x] [Hashicorp Vault Credentials](identities/credentials-vault.md) + +!!! check "Single Sign-On (SSO)" + - [x] [AWS SSO + Jumpcloud IdP](sso/overview.md) + +!!! check "Cost Monitoring & Optimization" + - [x] [Costs](costs/costs.md) + +!!! check "Security" + - [X] [Security Services](security/overview.md) + - [X] [VPN | Pritunl](security/vpn.md) + +!!! check "Networking | VPC, TGW, NFW, DNS and NACLs" + - [x] [VPC Addressing](network/vpc-addressing.md) + - [x] [VPC Peering](network/vpc-peering.md) + - [x] [DNS](network/dns.md) + +!!! check "Secrets Management" + - [X] [Secrets](secrets/secrets.md) + +!!! check "Compute" + - [x] [Compute](compute/overview.md) + - [x] [K8s EKS](compute/k8s-eks.md) + - [x] [K8s Kops](compute/k8s-kops.md) + - [x] [Serverless](compute/serverless.md) + +!!! check "Databases" + - [x] [Databases](database/database.md) + - [x] [RDS MySql](database/mysql.md) + - [x] [RDS Postgres](database/postgres.md) + +!!! check "Storage" + - [x] [Storage](storage/storage.md) + +!!! check "Content Delivery Network (CDN)" + - [x] [AWS CloudFront](cdn/cdn.md) + +!!! check "CI/CD (Continuous Integration / Continuous Delivery)" + - [x] [ArgoCD](ci-cd/argocd.md) + - [x] [Jenkins & ArgoCD](ci-cd/jenkins-argocd.md) + - [x] [Jenkins & Spinnaker](ci-cd/jenkins-spinnaker.md) + +!!! 
check "Monitoring | Metrics, Logs, APM and Tracing" + - [x] [Monitoring](monitoring/monitoring.md) + - [x] [Metrics](monitoring/metrics.md) + - [x] [Logs](monitoring/logs.md) + - [x] [Tracing](monitoring/tracing.md) + - [x] [APM](monitoring/apm.md) + +!!! check "Reliability" + - [X] [Bakcups](reliability/backups.md) + - [x] [Health-Checks](./) + - [X] [Disaster Recovery](reliability/dr.md) From 1e182dadb25982ef506de6c9efed72decfd822b1 Mon Sep 17 00:00:00 2001 From: Diego OJ Date: Thu, 27 Apr 2023 16:23:03 -0300 Subject: [PATCH 15/19] Fix link to 2023 roadmap --- docs/work-with-us/roadmap/leverage-cli/overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/work-with-us/roadmap/leverage-cli/overview.md b/docs/work-with-us/roadmap/leverage-cli/overview.md index a5c8adf79..4c5e8b05a 100644 --- a/docs/work-with-us/roadmap/leverage-cli/overview.md +++ b/docs/work-with-us/roadmap/leverage-cli/overview.md @@ -3,4 +3,4 @@ !!! info "[Leverage CLI](https://github.com/binbashar/leverage/issues) Product Roadmap" * [x] [2021](https://binbash.atlassian.net/wiki/external/1925873678/OWU2NjhiZTU3OWFmNDI1NzhlY2MyYTI5YmU0Y2JiNWQ?atlOrigin=eyJpIjoiMTlhMjM5OTJmMjUzNDA3Mzk5NmE1NTI2M2RkYzFhNWQiLCJwIjoiYyJ9) * [x] [2022](https://binbash.atlassian.net/wiki/external/2196799489/NDZmMzNmMjE5Y2FmNDFjOGFkZWExZjJmZmM2ZWIxNTM?atlOrigin=eyJpIjoiMTIzOWNlZDM4ZTc3NDMxMmE3OGE4MWNkODQzM2IwNmMiLCJwIjoiYyJ9) - * [x] [2023](https://binbash.atlassian.net/wiki/external/1934983197/MGM3ZTljOTAzODhlNDVjZjhlYTk5MmNhYzc5NTk1ZDU?atlOrigin=eyJpIjoiZGUxMmRiMzE4ZmQzNDEyZThiYWMzNGU3MmIzOWE2ODciLCJwIjoiYyJ9) + * [x] [2023](https://binbash.atlassian.net/wiki/external/2356445185/M2UxNjczMDVjMGVmNDhkZWE3ZjY1Zjk5NTAxOWNlNWU?atlOrigin=eyJpIjoiYmViZmY4MWM0MzdiNDFiZmFjZWFlYTBkYmQ3YmJmYjIiLCJwIjoiYyJ9) From 15dbd09a3c98e0fb2c8619bff73c1f415968a03a Mon Sep 17 00:00:00 2001 
From: "Diego OJeda (BinBash)" <38356409+diego-ojeda-binbash@users.noreply.github.com> Date: Thu, 27 Apr 2023 16:46:35 -0300 Subject: [PATCH 16/19] Update docs/concepts/what-is-leverage.md Co-authored-by: Angelo Fenoglio --- docs/concepts/what-is-leverage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/concepts/what-is-leverage.md b/docs/concepts/what-is-leverage.md index 56e5d18ac..d44836229 100644 --- a/docs/concepts/what-is-leverage.md +++ b/docs/concepts/what-is-leverage.md @@ -1,5 +1,5 @@ # What is Leverage? -Leverage was made of a significant amount of knowledge, acquired through several years of experience, turned into an ecosystem of code, tools and workflows that enables you to build the AWS infrastructure for your applications and services quickly and securely. +Leverage was made out of a significant amount of knowledge, acquired through several years of experience, turned into an ecosystem of code, tools, and workflows that enables you to build the AWS infrastructure for your applications and services quickly and securely. Since all the code and modules are already built, we can get you up and running **up to 10x faster** :rocket: than a consulting company -- :white_check_mark: *typically in just a few weeks!* -- and on top of code that is thoroughly documented, tested, and has been proven in production at dozens of other project deployments. From 79276d2b8ecd5557a7075a9d21db16e902a630ef Mon Sep 17 00:00:00 2001 From: "Diego OJeda (BinBash)" <38356409+diego-ojeda-binbash@users.noreply.github.com> Date: Thu, 27 Apr 2023 16:46:56 -0300 Subject: [PATCH 17/19] Update docs/concepts/our-tech-stack.md Co-authored-by: Angelo Fenoglio --- docs/concepts/our-tech-stack.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/concepts/our-tech-stack.md b/docs/concepts/our-tech-stack.md index 953851eb5..168c0b2a6 100644 --- a/docs/concepts/our-tech-stack.md +++ b/docs/concepts/our-tech-stack.md 
@@ -1,7 +1,7 @@ # Our Tech Stack Leverage was built around the [AWS Well Architected Framework](https://aws.amazon.com/architecture/well-architected/) and it uses a stack that includes [Terraform](https://www.terraform.io/), [Ansible](https://www.ansible.com/), [Helm](https://helm.sh/) and other tools. -We are also adopters and supporters of Kubernetes and the Cloud Native movement, which you should become self-evident as you keep exploring our technology stack. +We are also adopters and supporters of Kubernetes and the Cloud Native movement, which should become self-evident as you keep exploring our technology stack. ## Why did we choose our tech stack? From 56c80442486dc305923284d0e8baacc588744f4a Mon Sep 17 00:00:00 2001 From: "Diego OJeda (BinBash)" <38356409+diego-ojeda-binbash@users.noreply.github.com> Date: Thu, 27 Apr 2023 16:51:47 -0300 Subject: [PATCH 18/19] Update docs/concepts/index.md Co-authored-by: Francisco Rivera --- docs/concepts/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/concepts/index.md b/docs/concepts/index.md index cee870f4b..b19547e1b 100644 --- a/docs/concepts/index.md +++ b/docs/concepts/index.md @@ -7,7 +7,7 @@ template: overrides/main.html # Concepts ## Welcome! -Welcome to Leverage's documentation! Here you will find the concepts you need to understand to work with our stack, the steps to try Leverage for yourself, and extensive documentation about every aspect of our solution. +Welcome to Leverage's documentation! Here you will find the concepts you need to understand to work with our stack, the steps to try Leverage by yourself, and the extensive documentation about every aspect of our solution. ## Getting Started Feel free to explore the following pages to know more about Leverage. From 136279b3848e6d99dd78c0d6ae851bc89cbcdbf9 Mon Sep 17 00:00:00 2001 
From: "Diego OJeda (BinBash)" <38356409+diego-ojeda-binbash@users.noreply.github.com> Date: Thu, 27 Apr 2023 16:52:10 -0300 Subject: [PATCH 19/19] Update docs/try-leverage/add-aws-accounts.md Co-authored-by: Francisco Rivera --- docs/try-leverage/add-aws-accounts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/try-leverage/add-aws-accounts.md b/docs/try-leverage/add-aws-accounts.md index 97f000f89..68878ab82 100644 --- a/docs/try-leverage/add-aws-accounts.md +++ b/docs/try-leverage/add-aws-accounts.md @@ -4,7 +4,7 @@ You can add new AWS accounts to your Leverage project by following the steps in this page. !!! info "Important" - In the examples belo, we will be using `apps-prd` as the account we will be adding and it will be created in the `us-east-1` region. + In the examples below, we will be using `apps-prd` as the account we will be adding and it will be created in the `us-east-1` region. ## Create the new account in your AWS Organization 1. Go to `management/global/organizations`.
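Review bot: In the `features/index.md` hunk of PATCH 14/19, the admonition rewrite carries over defects that were already present in the removed lines instead of fixing them while the block is being touched: `- [X] [Bakcups](reliability/backups.md)` should read `Backups`, `- [x] [Health-Checks](./)` still points at the directory index rather than a health-checks page (a placeholder that will render as a working but misleading link), and `Invite pre-exiting accounts to AWS Organizations` should read `pre-existing`. The checkbox markers also mix `[x]` and `[X]` across sections (for example Security, Secrets Management and Reliability use uppercase); picking one form keeps the generated checklist consistent.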
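Review bot: In the `docs/concepts/index.md` hunk of PATCH 18/19, the replacement wording is less idiomatic than the line it replaces: `the steps to try Leverage for yourself` is the usual phrasing, while `try Leverage by yourself` reads as "unassisted", and the added article in `and the extensive documentation about every aspect` is unnecessary. Suggest keeping the original `for yourself` and dropping `the` before `extensive documentation`.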