- 1. Static Website Route 53 -> Cloudfront -> S3 Website
- 2. API Gateway Route 53 -> Api Gateway (Edge) -> Existing API
- 3. Simple Service Route 53 -> Api Gateway (Edge) -> EC2
- 4. LoadBalanced Service Route 53 -> Api Gateway (Edge) -> ELB -> EC2
- 5. LoadBalanced Data Service Route 53 -> Api Gateway (Edge) -> VPC Link -> ELB -> EC2 -> RDS
- 6. ECS Cluster Route 53 -> Api Gateway (Edge) -> VPC Link -> ELB -> ECS -> RDS
- 7. EKS Cluster Route 53 -> Api Gateway (Edge) -> VPC Link -> ELB -> EKS -> RDS
This project requires the following Repository Secrets to be setup in Github Actions.
| Secret Name | Description | Example Value |
|---|---|---|
| AWS_ACCESS_KEY_ID | The Programmatic Access Key Id of the IAM User that will be used to deploy resources on AWS. The necessary IAM permissions are described below | N/A |
| AWS_SECRET_ACCESS_KEY | The Programmatic Access Secret Key of the IAM user that will be used to deploy resources on AWS. The necessary IAM permissions are described below | N/A |
| AWS_REGION | The region in which the AWS resources will be deployed. | us-east-1 |
| HOSTED_ZONE_NAME | The Name of the Route 53 Hosted Zone in which the DNS records for the deployed websites/APIs will be added. | example.io |
| NEUTRINO_USER_ID | 2-ApiGateway proxies to Neutrino's convert API. Create an account with NeutrinoAPI with a user-id of your choice and provide this user id in the secret. |
my-user-id |
| NEUTRINO_API_KEY | 2-ApiGateway proxies to Neutrino's convert API. Use the testing API key generated when you created an account with Neutrino API |
N/A |
| STATIC_WEBSITE_BUCKET_NAME | For 1-StaticWebsite, this is the bucket in which the source code of the static website is saved. I believe this bucket should have the same name as the value STATIC_WEBSITE_HOST |
terraform.example.io |
| STATIC_WEBSITE_HOST | For 1-StaticWebsite, this is the host name at which the static website will be hosted. |
terraform.example.io |
| API_GATEWAY_HOST | For 2-ApiGateway, this is the host name at which the API will be hosted |
api.example.io |
| SIMPLE_SERVICE_HOST | For 3-SimpleService, this is the host name at which the API will be hosted |
todo.example.io |
| LOAD_BALANCED_SERVICE_HOST | For 4-LoadBalancedService, this is the host name at which the API will be hosted |
measurements.example.io |
| DATA_SERVICE_HOST | For 5-DataService, this is the host name at which the API will be hosted |
noticeboard.example.io |
| CONTAINERIZED_APP_HOST | For 6-ContainerizedService, this is the host name at which the API will be hosted |
taskmonkey.example.io |
| RDS_PSQL_INSTANCE_IDENTIFIER | The DB identifier of a RDS PostgreSQL instance | my-postgresqldb-on-aws |
| RDS_PSQL_MASTER_USERNAME | The username to connect to the RDS PSQL instance. This role should eb able to create a database, create roles, and grant permissions | N/A |
| RDS_PSQL_MASTER_PASSWORD | The password for the RDS master username provided earlier | N/A |
To use S3 as Backend:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::mybucket"
},
{
"Effect": "Allow",
"Action": ["s3:GetObject", "s3:PutObject"],
"Resource": "arn:aws:s3:::mybucket/path/to/my/key"
}
]
}
The IAM policy used by the terraform user (that runs these experiments):
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"cognito-identity:*",
"cognito-idp:*"
],
"Resource": [
"arn:aws:cognito-identity:ap-south-1:838107339577:identitypool/*",
"arn:aws:wafv2:ap-south-1:838107339577:*/webacl/*/*",
"arn:aws:cognito-idp:ap-south-1:838107339577:userpool/*"
]
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"waf:ListWebACLs",
"rds:*",
"wafv2:GetWebACL",
"kinesis:ListStreams",
"route53domains:*",
"waf:GetWebACL",
"apigateway:*",
"cloudwatch:*",
"ecs:*",
"ec2:*",
"wafv2:ListWebACLs",
"sns:ListTopics",
"elasticfilesystem:*",
"s3:*",
"kinesis:DescribeStream",
"ssm:*",
"ecr:*",
"acm:*",
"application-autoscaling:*",
"logs:*",
"autoscaling:*",
"servicediscovery:*",
"cloudfront:*",
"events:*",
"cloudformation:*",
"iam:*",
"cognito-idp:*",
"cognito-identity:*",
"codedeploy:*",
"elasticloadbalancing:*",
"route53:*",
"lambda:*",
"cognito-idp:ConfirmDevice"
],
"Resource": "*"
}
]
}- Don't count on me to update the IAM policy above
- TODO: Figure out the minimum set of permissions for each experiment. This article describes how it can be done using iamlive by Ian Mckay.