Skip to content

Latest commit

 

History

History
126 lines (108 loc) · 14.5 KB

File metadata and controls

126 lines (108 loc) · 14.5 KB

terraform-module-cloud-multy-prerequisites

This Terraform module creates various resources for managing multi-cloud prerequisites, such as Route53 zones, IAM credentials, and S3 buckets. The module also deploys a tenant repository with the necessary configuration files and instructions for deploying the GlueOps Platform on Kubernetes.

Prerequisite Prerequisites

Some dependencies for this module must be creates prior to its use, including:

  1. Tenant Account, generally created via Terraform in the same reposity where this module is deployed, at /organization/tf/main.tf.
  2. GitHub OAuth APP
  3. GitHub App

Overview of what this module produces

  1. Parent Route53 Zone per Tenant: Creates a parent Route53 zone for each tenant.
  2. Route53 Zones per Cluster: Creates a Route53 zone for each cluster.
    • IAM Credentials for Cert-Manager: Generates IAM credentials that allow cert-manager to access a specific cluster's Route53 zone.
    • IAM Credentials for External-DNS: Generates IAM credentials that allow external-dns to access a specific cluster's Route53 zone.
  3. S3 Bucket for Backups: Creates a single S3 bucket for storing backups.
    • IAM Credentials for Vault Backups: Generates IAM credentials that allow Vault to back up data to the S3 backup bucket.
  4. S3 Buckets for Loki Log Retention: Creates one or more S3 buckets dedicated to Loki for log retention.
    • IAM Credentials per Bucket for Loki: Generates IAM credentials for each Loki S3 bucket.
  5. OpsGenie API Key: Creates an OpsGenie API key.
    • API Key per Cluster: Generates an API key for each cluster.
  6. Tenant GitHub Repository: Creates tenant repository for managing a GlueOps Platform Kubernetes Cluster.

Requirements

No requirements.

Providers

Name Version
aws.clientaccount n/a
aws.management-tenant-dns n/a
aws.primaryregion n/a
random n/a

Modules

Name Source Version
argocd_helm_values git::https://github.com/GlueOps/docs-argocd.git v0.15.0
captain_repository ./modules/github-captain-repository/0.1.0 n/a
captain_repository_files ./modules/github-captain-repository-files/0.1.0 n/a
common_s3 ./modules/multy-s3-bucket/0.1.0 n/a
dnssec_key git::https://github.com/GlueOps/terraform-module-cloud-aws-dnssec-kms-key.git v0.3.0
glueops_platform_helm_values git::https://github.com/GlueOps/platform-helm-chart-platform.git v0.53.5
loki_s3 ./modules/multy-s3-bucket/0.1.0 n/a
opsgenie_teams ./modules/opsgenie/0.1.0 n/a
tenant_readmes ./modules/tenant-readme/0.1.0 n/a

Resources

Name Type
aws_iam_access_key.certmanager resource
aws_iam_access_key.externaldns resource
aws_iam_access_key.loki_s3 resource
aws_iam_access_key.tls_cert_backup_s3 resource
aws_iam_access_key.tls_cert_restore_s3 resource
aws_iam_access_key.vault_init_s3 resource
aws_iam_access_key.vault_s3 resource
aws_iam_policy.loki_s3 resource
aws_iam_policy.route53 resource
aws_iam_policy.tls_cert_backup_s3 resource
aws_iam_policy.tls_cert_restore_s3 resource
aws_iam_policy.vault_init_s3 resource
aws_iam_policy.vault_s3_backup resource
aws_iam_user.certmanager resource
aws_iam_user.externaldns resource
aws_iam_user.loki_s3 resource
aws_iam_user.tls_cert_backup_s3 resource
aws_iam_user.tls_cert_restore_s3 resource
aws_iam_user.vault_init_s3 resource
aws_iam_user.vault_s3 resource
aws_iam_user_policy_attachment.certmanager resource
aws_iam_user_policy_attachment.externaldns resource
aws_iam_user_policy_attachment.loki_s3 resource
aws_iam_user_policy_attachment.tls_cert_backup_s3 resource
aws_iam_user_policy_attachment.tls_cert_restore_s3 resource
aws_iam_user_policy_attachment.vault_init_s3 resource
aws_iam_user_policy_attachment.vault_s3 resource
aws_route53_hosted_zone_dnssec.cluster_zones resource
aws_route53_hosted_zone_dnssec.parent_tenant_zone resource
aws_route53_key_signing_key.cluster_zones resource
aws_route53_key_signing_key.parent_tenant_zone resource
aws_route53_record.cluster_zone_dnssec_records resource
aws_route53_record.cluster_zone_ns_records resource
aws_route53_record.delegation_to_parent_tenant_zone resource
aws_route53_record.enable_dnssec_for_parent_tenant_zone resource
aws_route53_record.wildcard_for_apps resource
aws_route53_zone.clusters resource
aws_route53_zone.main resource
aws_s3_object.argocd_helm_values resource
aws_s3_object.combined_outputs resource
aws_s3_object.platform_helm_values resource
random_password.dex_argocd_client_secret resource
random_password.dex_grafana_client_secret resource
random_password.dex_pomerium_client_secret resource
random_password.dex_vault_client_secret resource
random_password.grafana_admin_secret resource
aws_route53_zone.management_tenant_dns data source

Inputs

Name Description Type Default Required
backup_region The secondary S3 region to create S3 bucket in used for backups. This should be different than the primary region and will have the data from the primary region replicated to it. string n/a yes
cluster_environments The cluster environments and their respective github app ids
list(object({
environment_name = string
host_network_enabled = bool
github_oauth_app_client_id = string
github_oauth_app_client_secret = string
github_tenant_app_id = string
github_tenant_app_installation_id = string
github_tenant_app_b64enc_private_key = string
admin_github_org_name = string
tenant_github_org_name = string
vault_github_org_team_policy_mappings = list(object({
oidc_groups = list(string)
policy_name = string
}))
argocd_rbac_policies = string
}))
[
{
"admin_github_org_name": "GlueOps",
"argocd_rbac_policies": " g, GlueOps:argocd_super_admins, role:admin\n g, glueops-rocks:developers, role:developers\n p, role:developers, clusters, get, *, allow\n p, role:developers, *, get, development, allow\n p, role:developers, repositories, , development/, allow\n p, role:developers, applications, , development/, allow\n p, role:developers, exec, , development/, allow\n",
"environment_name": "test",
"github_oauth_app_client_id": "oauth-app-id",
"github_oauth_app_client_secret": "oauth-app-secret",
"github_tenant_app_b64enc_private_key": "tenant-github-app-b64enc-private-key",
"github_tenant_app_id": "tenant-github-app-id",
"github_tenant_app_installation_id": "tenant-github-app-installation-id",
"host_network_enabled": true,
"tenant_github_org_name": "glueops-rocks",
"vault_github_org_team_policy_mappings": [
{
"oidc_groups": [
"GlueOps:vault_super_admins"
],
"policy_name": "editor"
},
{
"oidc_groups": [
"GlueOps:vault_super_admins",
"testing-okta:developers"
],
"policy_name": "reader"
}
]
}
]
no
github_owner The GitHub Owner where the tenant repo will be deployed. string n/a yes
management_tenant_dns_aws_account_id The company AWS account id for the management-tenant-dns account string n/a yes
management_tenant_dns_zoneid The Route53 ZoneID that all the delegation is coming from. string n/a yes
opsgenie_emails List of user email addresses list(string) n/a yes
primary_region The primary S3 region to create S3 bucket in used for backups. This should be the same region as the one where the cluster is being deployed. string n/a yes
tenant_account_id The tenant AWS account id string n/a yes
tenant_key The tenant key string n/a yes
this_is_development The development cluster environment and data/resources can be destroyed! string false no

Outputs

No outputs.