Skip to content

[WIP] IaC for standing up AWS and Azure (coming soon!) govcloud infrastructure and a managed kubernetes cluster

License

Notifications You must be signed in to change notification settings

rosskirkpat/onramp

Repository files navigation

onramp - WIP

onramp is a collection of security-focused IaC modules that serve as a base infrastructure profile for FedRAMP Moderate environments. Stands up AWS and Azure (coming soon!) govcloud infrastructure and a managed kubernetes cluster to deploy your app into.

TODO

  1. terraform: standup ECR w/ EBS backed encrypted volumes using KMS key and push app helm chart to ECR

  2. implement tf.env https://github.com/tfutils/tfenv

  3. create and implement s3 bucket for storing terraform state

  4. migrate from monolith file to modules

  5. document order of operations

  6. write wrapper script

  7. implement validation for names, k8s versions, cidr blocks

Order of Operations

AWS

  1. parse config
  2. create s3 bucket for tf state storage
  3. provision aws infra
  4. provision eks cluster and ELB
  5. create standard aws route 53 pointing to govcloud ELB
  6. install app helm chart to EKS using route 53 cname

Azure

  1. TODO

Usage

Use of this terraform requires admin AWS permissions

Set your variables.

Configure the AWS provider with your credentials

Run terraform init.

Run terraform apply.

When complete, run terraform destroy to destroy all terraform-managed resources.

Variables Files

Copy default.auto.tfvars.example to default.auto.tfvars and set your configuration there.

Example:

#### Variable definitions
aws_credentials_file    = "/Users/ross/.aws/credentials" # full path to your local AWS credentials file
aws_profile             = "aws-govcloud-admin" # name of the profile to use from the AWS credentials file
aws_region              = "us-gov-east-1" # AWS region used for all resources
customer_name           = "ross" # customer name to use for tagging resources
org_name                = "ross-test" # name of the organization to use when creating a new Route 53 public record
acm_certificate_domain  = "" # existing AWS ACM certificate domain name; used to lookup ACM certificate for use by AWS Client VPN

Configuring the AWS provider to consume your AWS credentials file

Preferred method is to configure the aws_credentials_file variable in the default.auto.tfvars file with the full path of the AWS credentials file.

Alternate method:

Linux/macOS

terraform apply -var=aws_credentials_file=$HOME/.aws/credentials"

Windows

terraform apply -var "aws_credentials_file=[\"%USERPROFILE%\\.aws\\credentials"]"

How to authenticate with the AWS terraform provider

https://registry.terraform.io/providers/hashicorp/aws/latest/docs#shared-credentials-file

You can use an AWS credentials or configuration file to specify your credentials. The default location is $HOME/.aws/credentials on Linux and macOS, or "%USERPROFILE%.aws\credentials" on Windows.

Example: Creating a linux/macOS AWS credentials file with profile name default

mkdir -p $HOME/.aws/credentials
cat << EOF > $HOME/.aws/credentials
[default]
aws_access_key_id=XXXX
aws_secret_access_key=YYYYY
EOF

Example: Creating a Windows AWS credentials file with profile name default

powershell
New-Item -Type Directory -Path "%USERPROFILE%\\.aws" -Force

$CrendentialString = @" 
[default]
aws_access_key_id=XXXX
aws_secret_access_key=YYYYY
"@

New-Item -ItemType File -Path "%USERPROFILE%\\.aws\\credentials" -Value $CredentialString

About

[WIP] IaC for standing up AWS and Azure (coming soon!) govcloud infrastructure and a managed kubernetes cluster

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages