This Terraform module provisions AWS resources for running an application on Flightdeck.

```hcl
module "production" {
  source = "git@github.com:thoughtbot/terraform-flightdeck-aws-application.git?ref=v0.1.0"

  # Required
  cluster_names = ["example-production-v1"]
  name          = "example"
  stage         = "production"

  # Generate a secret key
  generate_secret_key = true
  secret_key_variable = "SECRET_KEY_BASE"

  # Postgres
  postgres_enabled               = true
  postgres_allocated_storage     = 64
  postgres_engine_version        = "14.8"
  postgres_identifier            = "example-red"
  postgres_instance_class        = "db.t4g.large"
  postgres_max_allocated_storage = 128

  # Redis
  redis_enabled       = true
  redis_name          = "example-production-blue"
  redis_node_type     = "cache.m6g.large"
  redis_replica_count = 1

  # S3
  s3_enabled     = true
  s3_bucket_name = "example-uploads"

  # Sentry DSN
  sentry_enabled      = true
  sentry_organization = "myorg"
  sentry_project      = "example"

  # Developer managed secrets
  developer_managed_secrets = {
    Email = ["SMTP_USERNAME", "SMTP_PASSWORD"]
  }

  # AWS IAM Identity Center permissions
  readwrite_permission_sets = ["DeveloperAccess"]
  secret_permission_sets    = ["SecretsAccess"]
}
```

Pin `ref` to a release tag as shown rather than a branch, so the IAM roles and policies this module creates cannot change underneath you on the next `terraform init -upgrade`. The Inputs table below also lists required inputs that this example does not show (the `github_*` settings that scope the GitHub Actions deploy role to one organization, repository and set of branches, and the `s3_read_principals` / `s3_readwrite_principals` lists); set those alongside the variables above.
This module is designed as a quick start that covers the most common cases for applications running on Flightdeck. If your application needs additional resources, or you want to customize beyond what the variables allow, clone this module into a directory in your Terraform project and reference it as a local module.
This module can be combined with the application-config module to quickly create the necessary base resources in the target cluster:

```hcl
module "production_v1" {
  source = "github.com/thoughtbot/flightdeck//aws/application-config?ref=v0.10.0"

  providers = { kubernetes = kubernetes.production_v1 }

  developer_group         = "developer"
  enable_exec             = true
  namespace               = module.production.namespace
  secrets_manager_secrets = module.production.secrets_manager_secrets
  pod_service_account     = module.production.service_account_name
  pod_iam_role            = module.production.pod_role_arn

  depends_on = [module.production]
}
```
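The settings that matter most for security in the module call above (`postgres_storage_encrypted`, the Redis auth token the `redis_token` sub-module provisions, and the `developer_managed_secrets` that someone has to fill in by hand after `terraform apply`) are easy to get wrong silently, so it is worth confirming them against the live account once the apply finishes. The following checker is an added example, not code from terraform-flightdeck-aws-application. It assumes the `postgres_identifier` and `redis_name` values are the ones from your module call, that you know the Secrets Manager secret names created for your developer-managed secrets (`example-production-email` below is a placeholder, not a name the module documents), and it takes the AWS clients as arguments so the same functions run against boto3 in production and against fakes in tests:

```python
"""Post-apply checks for security settings controlled by this module's inputs.

Added example (not part of terraform-flightdeck-aws-application). The AWS
client objects are injected so the checks run offline against fakes; a live
run builds them with boto3 in the __main__ block at the bottom.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Finding:
    check: str
    ok: bool
    detail: str


def check_postgres_encrypted(rds, identifier: str) -> Finding:
    """postgres_storage_encrypted defaults to true; confirm RDS really reports it."""
    instance = rds.describe_db_instances(DBInstanceIdentifier=identifier)["DBInstances"][0]
    encrypted = bool(instance.get("StorageEncrypted", False))
    return Finding("postgres_storage_encrypted", encrypted,
                   f"{identifier}: StorageEncrypted={encrypted}")


def check_redis_auth(elasticache, replication_group_id: str) -> Finding:
    """The module provisions an ElastiCache AUTH token; ElastiCache only honours
    an AUTH token when in-transit encryption is on, so require both flags."""
    group = elasticache.describe_replication_groups(
        ReplicationGroupId=replication_group_id)["ReplicationGroups"][0]
    auth = bool(group.get("AuthTokenEnabled", False))
    tls = bool(group.get("TransitEncryptionEnabled", False))
    return Finding("redis_auth_token", auth and tls,
                   f"{replication_group_id}: AuthTokenEnabled={auth} "
                   f"TransitEncryptionEnabled={tls}")


def check_secret_populated(secretsmanager, secret_id: str) -> Finding:
    """developer_managed_secrets are filled in by hand after apply. DescribeSecret
    reveals whether any version carries the AWSCURRENT stage without returning
    the value, so this check needs only secretsmanager:DescribeSecret."""
    desc = secretsmanager.describe_secret(SecretId=secret_id)
    stages = desc.get("VersionIdsToStages") or {}
    populated = any("AWSCURRENT" in labels for labels in stages.values())
    return Finding("developer_managed_secrets", populated,
                   f"{secret_id}: {'value stored' if populated else 'no AWSCURRENT version'}")


def run_checks(rds, elasticache, secretsmanager, *,
               postgres_identifier: Optional[str] = None,
               redis_name: Optional[str] = None,
               secret_ids: Iterable[str] = ()) -> List[Finding]:
    """Run the checks that apply to this module call; None skips a component
    that was left disabled (postgres_enabled / redis_enabled = false)."""
    findings: List[Finding] = []
    if postgres_identifier:
        findings.append(check_postgres_encrypted(rds, postgres_identifier))
    if redis_name:
        findings.append(check_redis_auth(elasticache, redis_name))
    for secret_id in secret_ids:
        findings.append(check_secret_populated(secretsmanager, secret_id))
    return findings


def failures(findings: Iterable[Finding]) -> List[Finding]:
    """Findings that should block promoting the environment."""
    return [f for f in findings if not f.ok]


if __name__ == "__main__":
    import sys
    import boto3  # only needed for a live run against the account

    results = run_checks(
        boto3.client("rds"), boto3.client("elasticache"), boto3.client("secretsmanager"),
        postgres_identifier="example-red",        # postgres_identifier from the module call
        redis_name="example-production-blue",     # redis_name from the module call
        secret_ids=["example-production-email"],  # assumed placeholder; use your real secret names
    )
    for finding in results:
        print("PASS" if finding.ok else "FAIL", finding.check, finding.detail)
    sys.exit(1 if failures(results) else 0)
```

Run it with credentials that carry only `rds:DescribeDBInstances`, `elasticache:DescribeReplicationGroups` and `secretsmanager:DescribeSecret`; a non-zero exit on any failed finding makes it usable as a gate in the same pipeline that runs `terraform apply`.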
## Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.4.2 |
| aws | ~> 4.0 |
| random | ~> 3.0 |
## Providers

| Name | Version |
|------|---------|
| aws | ~> 4.0 |
| random | ~> 3.0 |
## Modules

| Name | Source | Version |
|------|--------|---------|
| cluster | github.com/thoughtbot/flightdeck//aws/cluster-name | v0.9.0 |
| deploy_role | github.com/thoughtbot/terraform-eks-cicd//modules/github-actions-eks-deploy-role | v0.2.0 |
| developer_managed_secrets | github.com/thoughtbot/terraform-aws-secrets//user-managed-secret | v0.5.0 |
| network | github.com/thoughtbot/flightdeck//aws/network-data | v0.9.0 |
| pod_policy | github.com/thoughtbot/flightdeck//aws/service-account-policy | v0.9.0 |
| pod_role | github.com/thoughtbot/flightdeck//aws/service-account-role | v0.9.0 |
| postgres | github.com/thoughtbot/terraform-aws-databases//rds-postgres/primary-instance | v0.4.0 |
| postgres_admin_login | github.com/thoughtbot/terraform-aws-databases//rds-postgres/admin-login | v0.4.0 |
| redis | github.com/thoughtbot/terraform-aws-databases//elasticache-redis/replication-group | v0.4.0 |
| redis_token | github.com/thoughtbot/terraform-aws-databases//elasticache-redis/auth-token | v0.4.0 |
| s3_bucket | github.com/thoughtbot/terraform-s3-bucket | v0.3.0 |
| secret_key | github.com/thoughtbot/terraform-aws-secrets//random-secret | v0.6.0 |
| secrets_policy | github.com/thoughtbot/terraform-aws-secrets//read-secret-policy | v0.6.0 |
| sentry_dsn | github.com/thoughtbot/terraform-aws-sentry-dsn | v0.3.0 |
| sso_roles | github.com/thoughtbot/terraform-aws-sso-permission-set-roles | v0.2.0 |
## Resources

| Name | Type |
|------|------|
| random_id.parameter_group | resource |
| aws_iam_role.execution | data source |
| aws_ssm_parameter.prometheus_workspace_id | data source |
## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| cluster_names | Names of EKS clusters for application | `list(string)` | n/a | yes |
| deploy_role_name | Override the name of the deploy role | `string` | `null` | no |
| developer_managed_secrets | Secrets managed manually by developers | `map(list(string))` | `{}` | no |
| execution_role_arns | ARNs of execution roles allowed to manage this application | `list(string)` | `[]` | no |
| execution_role_names | Names of execution roles allowed to manage this application | `list(string)` | `[]` | no |
| github_branches | GitHub branches allowed to deploy to this instance | `list(string)` | n/a | yes |
| github_iam_oidc_provider_arn | ARN for the GitHub Actions IAM OIDC provider | `string` | n/a | yes |
| github_organization | GitHub organization allowed to deploy to this instance | `string` | n/a | yes |
| github_repository | GitHub repository allowed to deploy to this instance | `string` | n/a | yes |
| name | Name of this application | `string` | n/a | yes |
| postgres_admin_username | Username for the admin user | `string` | `"postgres"` | no |
| postgres_allocated_storage | Size in GB for the database instance | `number` | n/a | yes |
| postgres_apply_immediately | Set to true to apply changes immediately, which causes downtime | `bool` | `false` | no |
| postgres_default_database | Name of the default database | `string` | `"postgres"` | no |
| postgres_enabled | Set to true to enable creation of the Postgres database | `bool` | `false` | no |
| postgres_engine_version | Version for RDS database engine | `string` | n/a | yes |
| postgres_identifier | Unique identifier for this database | `string` | n/a | yes |
| postgres_instance_class | Tier for the database instance | `string` | n/a | yes |
| postgres_max_allocated_storage | Maximum size in GB after storage autoscaling | `number` | n/a | yes |
| postgres_storage_encrypted | Set to false to disable encryption at rest | `bool` | `true` | no |
| prometheus_workspace_name | Name of the AMP workspace to which metrics will be written | `string` | `null` | no |
| redis_enabled | Set to true to enable creation of a Redis instance | `bool` | `false` | no |
| redis_name | Name of the ElastiCache instance for Redis | `string` | n/a | yes |
| redis_node_type | Node type for the ElastiCache instance for Redis | `string` | n/a | yes |
| redis_replica_count | Number of replicas for the Redis cluster | `number` | n/a | yes |
| s3_bucket_name | Name of the S3 bucket for ActiveStorage uploads | `string` | n/a | yes |
| s3_enabled | Set to true to enable creation of an S3 bucket | `bool` | `false` | no |
| s3_read_principals | Additional principals able to read S3 data | `list(string)` | n/a | yes |
| s3_readwrite_principals | Additional principals able to read and write S3 data | `list(string)` | n/a | yes |
| secret_key_variable | Name of the environment variable for the application secret key | `string` | `"SECRET_KEY_BASE"` | no |
| sentry_organization | Slug of the Sentry organization | `string` | n/a | yes |
| sentry_project | Slug of the Sentry project | `string` | n/a | yes |
| service_account_name | Name of the Kubernetes service account for the application | `string` | `null` | no |
| stage | Software development lifecycle stage for this tenant | `string` | n/a | yes |
## Outputs

| Name | Description |
|------|-------------|
| deploy_role_arn | ARN of the IAM role for deploying to this Kubernetes namespace |
| deploy_role_name | Name of the IAM role for deploying to this Kubernetes namespace |
| namespace | Kubernetes namespace to which this application deploys |
| pod_role_arn | ARN of the IAM role for Kubernetes pods |
| secrets_manager_secrets | SecretsManager environment variables |
| service_account_name | Name of the Kubernetes service account |
Please see CONTRIBUTING.md.
This module is Copyright © 2024 Joe Ferris and thoughtbot. It is free software, and may be redistributed under the terms specified in the LICENSE file.
This repo is maintained and funded by thoughtbot, inc. The names and logos for thoughtbot are trademarks of thoughtbot, inc.
We love open source software! See our other projects. We are available for hire.