A sample infra resources code in Terraform that goes into a target workload account. This code is pushed into the AWS CodeCommit repo for our sample.

aws-samples/aws-sample-infra-resources-terraform
Sample Workload Infra

  • Regional resources: An external facing ALB all the way down to the VPC.
  • Global resources: An IAM role.

Once all resources are deployed (see the section on how to deploy resources), go to EC2 -> Load Balancers, select the balancer whose name starts with demo, copy its DNS Name and open it in the browser (use http://, not https://).

Prerequisites:

To push the infra repo code into AWS CodeCommit in the central tooling account:

To deploy resources into the target workload accounts:

To destroy the resources in the target workload accounts:

  • If not done already, use aws configure with your IAM user credentials for the central tooling account and then assume InfraBuildRole:

```bash
# You can use the commands below (originally a single one-liner).
# For details, see https://aws.amazon.com/premiumsupport/knowledge-center/iam-assume-role-cli/
OUT=$(aws sts assume-role --role-arn arn:aws:iam::111122223333:role/InfraBuildRole --role-session-name INFRA_BUILD)
export AWS_ACCESS_KEY_ID=$(echo "$OUT" | jq -r '.Credentials.AccessKeyId')
export AWS_SECRET_ACCESS_KEY=$(echo "$OUT" | jq -r '.Credentials.SecretAccessKey')
export AWS_SESSION_TOKEN=$(echo "$OUT" | jq -r '.Credentials.SessionToken')

# Verify you assumed the role
aws sts get-caller-identity
{
    "UserId": "AAA:INFRA_BUILD",
    "Account": "111122223333",
    "Arn": "arn:aws:sts::111122223333:assumed-role/InfraBuildRole/INFRA_BUILD"
}
```
  • Use the regional resources destroy shell script in this repo to generate the tf plan for the account and region. Inspect the tf plan and then run terraform apply "tfplan":

```bash
./scripts/run-tf-regional-destroy.sh -t <tag> -b <tf_backend_config_prefix> -r <tf_state_region> -g <global_resource_deployment_region>
# Ex: ./scripts/run-tf-regional-destroy.sh -t dev_us-east-1/research/1.0 -g eu-central-1 -r eu-central-1 -b org-awesome-tf-state
```

  • Then, use the global resources destroy shell script in this repo to generate the tf plan for the account. Inspect the tf plan and then run terraform apply "tfplan":

```bash
./scripts/run-tf-global-destroy.sh -t <tag> -b <tf_backend_config_prefix> -r <tf_state_region> -g <global_resource_deployment_region>
# Ex: ./scripts/run-tf-global-destroy.sh -t dev_global/research/1.0 -g eu-central-1 -r eu-central-1 -b org-awesome-tf-state
```
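The verify step above is worth automating before any destroy plan is applied: the following added example (not part of this repo) is a Python equivalent of the jq one-liner plus an explicit check that the caller identity really is an InfraBuildRole session in the expected account. The JSON inputs are constructed samples with placeholder credential values; the function names are this example's own.

```python
import json
from datetime import datetime, timezone

# Constructed sample of `aws sts assume-role` output (credential values are placeholders).
ASSUME_ROLE_OUTPUT = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEY",
        "SecretAccessKey": "EXAMPLESECRET",
        "SessionToken": "EXAMPLETOKEN",
        "Expiration": "2099-01-01T00:00:00+00:00",
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AAA:INFRA_BUILD",
        "Arn": "arn:aws:sts::111122223333:assumed-role/InfraBuildRole/INFRA_BUILD",
    },
})

# Constructed sample of `aws sts get-caller-identity` output after assuming the role.
CALLER_IDENTITY_OUTPUT = json.dumps({
    "UserId": "AAA:INFRA_BUILD",
    "Account": "111122223333",
    "Arn": "arn:aws:sts::111122223333:assumed-role/InfraBuildRole/INFRA_BUILD",
})


def credentials_env(assume_role_json, now=None):
    """Map STS credentials to the env vars the one-liner exports; refuse expired ones."""
    creds = json.loads(assume_role_json)["Credentials"]
    # CLI v1 prints Expiration with a trailing Z, v2 with an explicit offset; accept both.
    expiry = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    now = now or datetime.now(timezone.utc)
    if expiry <= now:
        raise ValueError("STS credentials already expired; assume the role again")
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
    }


def is_expected_identity(identity_json, account, role):
    """True only if the caller is an assumed-role session of `role` in `account`."""
    ident = json.loads(identity_json)
    prefix = f"arn:aws:sts::{account}:assumed-role/{role}/"
    return ident["Account"] == account and ident["Arn"].startswith(prefix)


if __name__ == "__main__":
    env = credentials_env(ASSUME_ROLE_OUTPUT)
    assert is_expected_identity(CALLER_IDENTITY_OUTPUT, "111122223333", "InfraBuildRole")
    print("\n".join(f"export {k}={v}" for k, v in env.items()))
```

Running the destroy scripts only after is_expected_identity returns True guards against applying a destroy plan with leftover credentials from a different account or role.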

Security

See CONTRIBUTING for more information.

License

This library is licensed under the MIT-0 License. See the LICENSE file.

Requirements

| Name | Version |
|------|---------|
| terraform | > 0.14 |
| aws | ~> 3.74 |

Providers

| Name | Version |
|------|---------|
| aws | 3.74.2 |

Modules

| Name | Source | Version |
|------|--------|---------|
| global | ./modules/global | n/a |
| regional | ./modules/regional | n/a |

Resources

| Name | Type |
|------|------|
| aws_caller_identity.current | data source |
| aws_region.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| account | Target AWS account number | number | n/a | yes |
| env | Environment name | string | n/a | yes |
| number_of_azs | Number of AZs to deploy to | number | 2 | no |
| region | Target region | string | n/a | yes |

Outputs

| Name | Description |
|------|-------------|
| account_id | The effective account id in which Terraform is operating |
| caller_arn | The effective user ARN that Terraform is running as |
| caller_user | The effective user id that Terraform is running as |
| region | The region in which Terraform is operating |
