Initial implementation (#1)

* Initial implementation * Update module versions * Update `BUILD_HARNESS_VERSION` * Update `region` * Add `docs` project * Fix `default` attribute * Fix `attributes` var * Fix `docs_cloudfront_origin_access_identity_path` output * Update `docs` project * Remove `Host` forwarded header (not needed for S3 website) * Use `s3_bucket_website_endpoint` as origin * Add `docs` outputs * Update module versions. Add `enabled` flags * Bump `terraform-aws-tfstate-backend` version * Add `acm_cloudfront` project * Rename to `acm-cloudfront` * Update `viewer_protocol_policy` and `aliases` * Update `aliases` * Update `aliases`
cloudposse · May 12, 2018 · e12590d · e12590d
1 parent 19ac69c
commit e12590d
Show file tree

Hide file tree

Showing 36 changed files with 1,173 additions and 7 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,8 @@
+.git
+.gitignore
+.editorconfig
+**/.terraform
+*.tfstate
+*.tfstate.*
+.idea
+*.iml
diff --git a/.editorconfig b/.editorconfig
@@ -0,0 +1,24 @@
+# top-most EditorConfig file
+root = true
+
+# Unix-style newlines with a newline ending every file
+[*]
+end_of_line = lf
+insert_final_newline = true
+
+# Override for Makefile
+[{Makefile, makefile, GNUmakefile}]
+indent_style = tab
+indent_size = 4
+
+[Makefile.*]
+indent_style = tab
+indent_size = 4
+
+[shell]
+indent_style = tab
+indent_size = 4
+
+[*.sh]
+indent_style = tab
+indent_size = 4
diff --git a/.gitignore b/.gitignore
@@ -1,6 +1,7 @@
-# Compiled files
+.build-harness
+build-harness
+.terraform
 *.tfstate
-*.tfstate.backup
-
-# Module directory
-.terraform/
+*.tfstate.*
+.idea
+*.iml
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,3 @@
+FROM alpine:3.7
+COPY aws/ /aws
+WORKDIR /aws
diff --git a/LICENSE b/LICENSE
@@ -186,7 +186,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright [yyyy] [name of copyright owner]
+   Copyright 2018 Cloud Posse, LLC
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.

diff --git a/Makefile b/Makefile
@@ -0,0 +1,21 @@
+export DOCKER_ORG ?= cloudposse
+export DOCKER_IMAGE ?= $(DOCKER_ORG)/terraform-root-modules
+export DOCKER_TAG ?= latest
+export DOCKER_IMAGE_NAME ?= $(DOCKER_IMAGE):$(DOCKER_TAG)
+export DOCKER_BUILD_FLAGS = 
+
+-include $(shell curl -sSL -o .build-harness "https://git.io/build-harness"; echo .build-harness)
+
+all: init deps build install run
+
+deps:
+	@exit 0
+
+build:
+	@make --no-print-directory docker:build
+
+push:
+	docker push $(DOCKER_IMAGE)
+
+run:
+	docker run -it ${DOCKER_IMAGE_NAME} sh
diff --git a/README.md b/README.md
@@ -1,2 +1,3 @@
 # terraform-root-modules
-Collection of root modules for provisioning reference architectures
+
+This is a collection of reusable root modules for CloudPosse AWS accounts.
diff --git a/aws/acm-cloudfront/main.tf b/aws/acm-cloudfront/main.tf
@@ -0,0 +1,48 @@
+terraform {
+  required_version = ">= 0.11.2"
+
+  backend "s3" {}
+}
+
+variable "aws_assume_role_arn" {}
+
+provider "aws" {
+  #  CloudFront certs must be created in the `aws-east-1` region, even if your origin is in a different one
+  # This is a CloudFront limitation
+  # https://christian.legnitto.com/blog/2017/10/11/terraform-and-cloudfront-gotchas/
+  # https://medium.com/modern-stack/5-minute-static-ssl-website-in-aws-with-terraform-76819a12d412
+  # https://medium.com/runatlantis/hosting-our-static-site-over-ssl-with-s3-acm-cloudfront-and-terraform-513b799aec0f
+  region = "us-east-1"
+
+  assume_role {
+    role_arn = "${var.aws_assume_role_arn}"
+  }
+}
+
+variable "domain_name" {
+  description = "Domain name (E.g. staging.cloudposse.org)"
+}
+
+module "certificate" {
+  source                           = "git::https://github.com/cloudposse/terraform-aws-acm-request-certificate.git?ref=tags/0.1.1"
+  domain_name                      = "${var.domain_name}"
+  proces_domain_validation_options = "true"
+  ttl                              = "300"
+  subject_alternative_names        = ["*.${var.domain_name}"]
+}
+
+output "certificate_domain_name" {
+  value = "${var.domain_name}"
+}
+
+output "certificate_id" {
+  value = "${module.certificate.id}"
+}
+
+output "certificate_arn" {
+  value = "${module.certificate.arn}"
+}
+
+output "certificate_domain_validation_options" {
+  value = "${module.certificate.domain_validation_options}"
+}
diff --git a/aws/acm/main.tf b/aws/acm/main.tf
@@ -0,0 +1,41 @@
+terraform {
+  required_version = ">= 0.11.2"
+
+  backend "s3" {}
+}
+
+variable "aws_assume_role_arn" {}
+
+provider "aws" {
+  assume_role {
+    role_arn = "${var.aws_assume_role_arn}"
+  }
+}
+
+variable "domain_name" {
+  description = "Domain name (E.g. staging.cloudposse.org)"
+}
+
+module "certificate" {
+  source                           = "git::https://github.com/cloudposse/terraform-aws-acm-request-certificate.git?ref=tags/0.1.1"
+  domain_name                      = "${var.domain_name}"
+  proces_domain_validation_options = "true"
+  ttl                              = "300"
+  subject_alternative_names        = ["*.${var.domain_name}"]
+}
+
+output "certificate_domain_name" {
+  value = "${var.domain_name}"
+}
+
+output "certificate_id" {
+  value = "${module.certificate.id}"
+}
+
+output "certificate_arn" {
+  value = "${module.certificate.arn}"
+}
+
+output "certificate_domain_validation_options" {
+  value = "${module.certificate.domain_validation_options}"
+}
diff --git a/aws/acm/terraform.tfvars.example b/aws/acm/terraform.tfvars.example
@@ -0,0 +1 @@
+domain_name="foobar.domain.com"
diff --git a/aws/backing-services/aurora-postgres.tf b/aws/backing-services/aurora-postgres.tf
@@ -0,0 +1,84 @@
+# Don't use `admin`
+# ("MasterUsername admin cannot be used as it is a reserved word used by the engine")
+variable "POSTGRES_ADMIN_NAME" {
+  type        = "string"
+  description = "Postgres admin user name"
+}
+
+# Must be longer than 8 chars
+# ("The parameter MasterUserPassword is not a valid password because it is shorter than 8 characters")
+variable "POSTGRES_ADMIN_PASSWORD" {
+  type        = "string"
+  description = "Postgres password for the admin user"
+}
+
+variable "POSTGRES_DB_NAME" {
+  type        = "string"
+  description = "Postgres database name"
+}
+
+# db.r4.large is the smallest instance type supported by Aurora Postgres
+# https://aws.amazon.com/rds/aurora/pricing
+variable "POSTGRES_INSTANCE_TYPE" {
+  type        = "string"
+  default     = "db.r4.large"
+  description = "EC2 instance type for Postgres cluster"
+}
+
+variable "POSTGRES_CLUSTER_SIZE" {
+  type        = "string"
+  default     = "2"
+  description = "Postgres cluster size"
+}
+
+variable "POSTGRES_CLUSTER_ENABLED" {
+  type        = "string"
+  default     = "true"
+  description = "Set to false to prevent the module from creating any resources"
+}
+
+module "aurora_postgres" {
+  source             = "git::https://github.com/cloudposse/terraform-aws-rds-cluster.git?ref=tags/0.3.5"
+  namespace          = "${module.identity.namespace}"
+  stage              = "${module.identity.stage}"
+  name               = "postgres"
+  engine             = "aurora-postgresql"
+  cluster_family     = "aurora-postgresql9.6"
+  instance_type      = "${var.POSTGRES_INSTANCE_TYPE}"
+  cluster_size       = "${var.POSTGRES_CLUSTER_SIZE}"
+  admin_user         = "${var.POSTGRES_ADMIN_NAME}"
+  admin_password     = "${var.POSTGRES_ADMIN_PASSWORD}"
+  db_name            = "${var.POSTGRES_DB_NAME}"
+  db_port            = "5432"
+  vpc_id             = "${module.vpc.vpc_id}"
+  availability_zones = ["${module.identity.availability_zones}"]
+  subnets            = ["${module.subnets.private_subnet_ids}"]
+  zone_id            = "${module.identity.zone_id}"
+  security_groups    = ["${module.kops_metadata.nodes_security_group_id}"]
+  enabled            = "${var.POSTGRES_CLUSTER_ENABLED}"
+}
+
+output "aurora_postgres_database_name" {
+  value       = "${module.aurora_postgres.name}"
+  description = "Database name"
+}
+
+output "aurora_postgres_master_username" {
+  value       = "${module.aurora_postgres.user}"
+  description = "Username for the master DB user"
+}
+
+output "aurora_postgres_master_hostname" {
+  value       = "${module.aurora_postgres.master_host}"
+  description = "DB Master hostname"
+}
+
+output "aurora_postgres_replicas_hostname" {
+  value       = "${module.aurora_postgres.replicas_host}"
+  description = "Replicas hostname"
+}
+
+output "aurora_postgres_cluster_name" {
+  value       = "${module.aurora_postgres.cluster_name}"
+  description = "Cluster Identifier"
+}
diff --git a/aws/backing-services/elasticache-redis.tf b/aws/backing-services/elasticache-redis.tf
@@ -0,0 +1,52 @@
+variable "REDIS_INSTANCE_TYPE" {
+  type        = "string"
+  default     = "cache.t2.medium"
+  description = "EC2 instance type for Redis cluster"
+}
+
+variable "REDIS_CLUSTER_SIZE" {
+  type        = "string"
+  default     = "2"
+  description = "Redis cluster size"
+}
+
+variable "REDIS_CLUSTER_ENABLED" {
+  type        = "string"
+  default     = "true"
+  description = "Set to false to prevent the module from creating any resources"
+}
+
+module "elasticache_redis" {
+  source                       = "git::https://github.com/cloudposse/terraform-aws-elasticache-redis.git?ref=tags/0.4.3"
+  namespace                    = "${module.identity.namespace}"
+  stage                        = "${module.identity.stage}"
+  name                         = "redis"
+  zone_id                      = "${module.identity.zone_id}"
+  security_groups              = ["${module.kops_metadata.nodes_security_group_id}"]
+  vpc_id                       = "${module.vpc.vpc_id}"
+  subnets                      = ["${module.subnets.private_subnet_ids}"]
+  maintenance_window           = "sun:03:00-sun:04:00"
+  cluster_size                 = "${var.REDIS_CLUSTER_SIZE}"
+  instance_type                = "${var.REDIS_INSTANCE_TYPE}"
+  engine_version               = "3.2.4"
+  family                       = "redis3.2"
+  port                         = "6379"
+  alarm_cpu_threshold_percent  = "75"
+  alarm_memory_threshold_bytes = "10000000"
+  apply_immediately            = "true"
+  availability_zones           = ["${module.identity.availability_zones}"]
+  automatic_failover           = "false"
+  enabled                      = "${var.REDIS_CLUSTER_ENABLED}"
+}
+
+output "elasticache_redis_id" {
+  value = "${module.elasticache_redis.id}"
+}
+
+output "elasticache_redis_security_group_id" {
+  value = "${module.elasticache_redis.security_group_id}"
+}
+
+output "elasticache_redis_host" {
+  value = "${module.elasticache_redis.host}"
+}
diff --git a/aws/backing-services/main.tf b/aws/backing-services/main.tf
@@ -0,0 +1,22 @@
+terraform {
+  required_version = ">= 0.11.2"
+
+  backend "s3" {}
+}
+
+variable "aws_assume_role_arn" {}
+
+provider "aws" {
+  assume_role {
+    role_arn = "${var.aws_assume_role_arn}"
+  }
+}
+
+module "identity" {
+  source = "git::[email protected]:cloudposse/terraform-aws-account-metadata.git?ref=init"
+}
+
+module "kops_metadata" {
+  source   = "git::https://github.com/cloudposse/terraform-aws-kops-metadata.git?ref=tags/0.1.1"
+  dns_zone = "${module.identity.aws_region}.${module.identity.zone_name}"
+}
diff --git a/aws/backing-services/vpc.tf b/aws/backing-services/vpc.tf
@@ -0,0 +1,24 @@
+locals {
+  name = "backing-services"
+}
+
+module "vpc" {
+  source     = "git::https://github.com/cloudposse/terraform-aws-vpc.git?ref=tags/0.3.3"
+  namespace  = "${module.identity.namespace}"
+  stage      = "${module.identity.stage}"
+  name       = "${local.name}"
+  cidr_block = "10.0.0.0/16"
+}
+
+module "subnets" {
+  source              = "git::https://github.com/cloudposse/terraform-aws-dynamic-subnets.git?ref=tags/0.3.4"
+  availability_zones  = ["${module.identity.availability_zones}"]
+  namespace           = "${module.identity.namespace}"
+  stage               = "${module.identity.stage}"
+  name                = "${local.name}"
+  region              = "${module.identity.aws_region}"
+  vpc_id              = "${module.vpc.vpc_id}"
+  igw_id              = "${module.vpc.igw_id}"
+  cidr_block          = "${module.vpc.vpc_cidr_block}"
+  nat_gateway_enabled = "true"
+}
diff --git a/aws/chamber/chamber-backing-services.sh b/aws/chamber/chamber-backing-services.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+echo "*WARNING* This script is probably out of date. Chamber is the only system of record for secrets"
+echo "This file is just an example"
+echo "*WARNING* Running this file as it is (without specifying the correct values) will destroy some secrets and break the environment"
+echo "To add/update secrets, first edit this file and set values (replace XXXXXXXXXXXX with the correct values)"
+echo "Then comment out 'exit 1' and run the file"
+echo "Then undo the editing and uncomment 'exit 1'"
+echo "Never commit this file with sensitive data. Run 'git reset --hard' if done accidentally"
+
+exit 1
+
+
+chamber write backing-services TF_VAR_POSTGRES_DB_NAME XXXXXXXXXXXX   # e.g. cloudposse
+chamber write backing-services TF_VAR_POSTGRES_ADMIN_NAME XXXXXXXXXXXX   # e.g. cloudposse
+chamber write backing-services TF_VAR_POSTGRES_ADMIN_PASSWORD XXXXXXXXXXXX