Visit willfarrell/terraform-aws-template for the latest improvements and the most up-to-date documentation.
Name | Account ID | Colour | Root Email |
---|---|---|---|
master | | | |
production | | Red | |
staging | | Orange | |
testing | | Yellow | |
development | | Green | |
operations | | Blue | |
forensics | | Purple | |
```text
${project}-infrastructure
|-- package.json          # Script shortcuts (lint, install, deploy, test) & versioning?
|-- amis                  # Collection of AMIs, built by Packer
|   |-- {name}            # AMI folders, ie bastion, ecs, nat or custom ones
|-- master                # Setup for root level account
|   |-- state             # Sets up state management for terraform
|   |-- account           # Account setup (Groups, Monitoring)
|   |-- operations        # Setup for operation pieces
|-- environments
|   |-- account           # Account setup (Roles, Monitoring)
|   |-- domain            # Domain specific VPC, App, API, ECS, etc. Rename folder to `name`.
|-- modules               # Collection of project specific modules
```
For up to date documentation and modules see terraform-aws-template.
```sh
$ brew install terraform
# Optional, for building AMIs
$ brew install packer
```
To create the workspaces, go to the respective subfolder (`/environments/*/`) and run:

```sh
$ terraform init
$ terraform workspace new production
$ terraform workspace new staging
$ terraform workspace new testing
$ terraform workspace new development
```

Ensure you have the right workspace selected before you apply.

```sh
$ terraform workspace select development
$ terraform workspace list
```
See [docs](./docs/Multi Account Setup.md) for detailed steps.
To create the AMIs, go to the respective subfolder (`/amis/*/`), edit the `variables.json`, and run:

```sh
$ packer build -var-file=variables.json ami.json
```
See docs for configuration and full documentation.
```sh
$ npm run install:npm
```
- `OrganizationAccountAccessRole`: Admin Access

It is recommended that the `account/roles` module be forked and customized to your specific needs.
- Build any AMIs that will be needed:

  ```sh
  packer build -var-file=variables.json ami.json
  ```
- `master/state`
- `master/account`
  - Users (Manual)
  - Macie (Manual)
  - Sub-Accounts / Organization
  - Groups for sub-account access
  - Roles for sub-accounts (bastion, ECR)
  - AMI permissions
  - CloudTrail
  - GuardDuty
  - Security Hub
- Switch Roles into each sub-account using `OrganizationAccountAccessRole`. Create a `terraform` user to bootstrap assume roles. Be sure to delete the user after you bootstrap.
- Set up `terraform` workspaces. Run the following in each `environments` folder:

  ```sh
  terraform workspace new production
  terraform workspace new staging
  terraform workspace new testing
  terraform workspace new development
  terraform workspace select ${sub_account_name}
  ```
- `environment/account`
  - Roles (admin, developer, operator, audit, etc.)
  - API Gateway Logs
  - CloudTrail
  - GuardDuty
  - Inspector Agent
  - Macie (Manual)
- At this point you'll need to update your AWS credentials. Update `~/.aws/credentials`:

  ```ini
  [${profile}-${sub_account_name}]
  source_profile = ${profile}
  role_arn = arn:aws:iam::${sub_account_id}:role/admin
  session_name = ${profile}-${sub_account_name}
  ```
- `environment/domain`
  - VPC
  - VPC Endpoints (S3, DynamoDB)
  - Bastion
  - RDS (postgres, mysql)
  - ElastiCache (redis)
  - ElasticSearch
  - DynamoDB
  - ALB + ECS
  - NLB + ECS
  - ECS
  - API Gateway
  - Events, SQS, SNS, Lambda, S3
  - CloudFront
  - S3
  - CloudWatch Dashboards
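Because the workspace and the credentials profile are both named after the sub-account, a short pre-apply check can catch a mismatch before state is written into the wrong account. This is an added example, not part of the template: it assumes the `${profile}-${sub_account_name}` profile naming and the `role/admin` ARN from the credentials step above, and the `preflight_apply` wrapper (a hypothetical helper) shells out to `terraform` and the `aws` CLI.

```shell
#!/usr/bin/env sh
# Added example: verify workspace, profile and assumed account agree before apply.

# workspace_matches_profile WORKSPACE PROFILE
# Profiles are named "${profile}-${sub_account_name}" and workspaces
# "${sub_account_name}", so the profile must end in "-<workspace>".
workspace_matches_profile() {
  case "$2" in
    *-"$1") return 0 ;;
    *)      return 1 ;;
  esac
}

# arn_account_id ARN -> prints the 12-digit account id (5th colon field)
arn_account_id() {
  printf '%s\n' "$1" | cut -d: -f5
}

# caller_matches_account CALLER_ARN ROLE_ARN -> 0 when both live in the same account
caller_matches_account() {
  [ "$(arn_account_id "$1")" = "$(arn_account_id "$2")" ]
}

# preflight_apply: run from an environments/* folder with AWS_PROFILE set to
# the sub-account profile; exits non-zero on any mismatch.
preflight_apply() {
  profile=${AWS_PROFILE:?set AWS_PROFILE to the sub-account profile}
  ws=$(terraform workspace show)
  workspace_matches_profile "$ws" "$profile" || {
    echo "workspace '$ws' does not match profile '$profile'" >&2; return 1; }
  role=$(aws configure get role_arn --profile "$profile")
  caller=$(aws --profile "$profile" sts get-caller-identity --query Arn --output text)
  caller_matches_account "$caller" "$role" || {
    echo "credentials resolve to a different account than $role" >&2; return 1; }
  echo "ok: workspace=$ws profile=$profile account=$(arn_account_id "$caller")"
}
```

Run `preflight_apply && terraform apply` so a failed check stops the apply.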
- state module
- account modules
- logs module
- VPC module
- DB modules
- EC modules
- WAF module
- LB module
- IdP module - TODO
- CDN module
See Developer Guide (TODO add link)
We use SemVer for versioning. For the versions available, see the tags on this repository.
See also the list of contributors who participated in this project.
This project is licensed under the MIT License - see the LICENSE file for details.