├── .editorconfig
├── .github
    └── FUNDING.yml
├── .gitignore
├── .pre-commit-config.yaml
├── LICENSE
├── README.md
├── TALK.md
├── acme-master
    ├── .envrc
    ├── common.tfvars
    ├── eu-central-1
    │   ├── ecr-repositories
    │   │   ├── acme-api
    │   │   │   └── terragrunt.hcl
    │   │   └── acme-launcher
    │   │   │   └── terragrunt.hcl
    │   └── regional.tfvars
    ├── eu-west-1
    │   ├── regional.tfvars
    │   └── s3-bucket-artifacts
    │   │   └── terragrunt.hcl
    ├── global
    │   ├── iam-account
    │   │   └── terragrunt.hcl
    │   ├── organizations
    │   │   └── terragrunt.hcl
    │   └── regional.tfvars
    └── terragrunt.hcl
├── acme-prod
    ├── .envrc
    ├── common.tfvars
    ├── eu-central-1
    │   ├── acm
    │   │   └── terragrunt.hcl
    │   ├── alb-security-group
    │   │   └── terragrunt.hcl
    │   ├── alb
    │   │   └── terragrunt.hcl
    │   ├── aws-data
    │   │   └── terragrunt.hcl
    │   ├── regional.tfvars
    │   └── vpc
    │   │   └── terragrunt.hcl
    ├── global
    │   ├── iam-account
    │   │   └── terragrunt.hcl
    │   ├── iam-assumable-roles
    │   │   └── terragrunt.hcl
    │   └── regional.tfvars
    ├── terragrunt.hcl
    └── us-east-1
    │   ├── acm
    │       └── terragrunt.hcl
    │   └── regional.tfvars
├── acme-serverless
    ├── README.md
    ├── api-gateway
    │   ├── _extra.tf
    │   ├── output.txt
    │   └── terragrunt.hcl
    ├── lambda
    │   └── terragrunt.hcl
    ├── src
    │   ├── go-function
    │   │   └── main.go
    │   └── python-function
    │   │   └── index.py
    ├── terragrunt.hcl
    └── tmp
    │   ├── api_gateway.tf
    │   ├── deploy.tf
    │   ├── lambda_python.tf
    │   ├── main.tf
    │   ├── outputs.tf
    │   └── s3_bucket.tf
├── acme-staging
    └── README.md
└── modules
    ├── aws-data
        ├── README.md
        ├── main.tf
        └── outputs.tf
    └── organizations
        ├── README.md
        └── main.tf


/.editorconfig:
--------------------------------------------------------------------------------
 1 | # EditorConfig is awesome: http://EditorConfig.org
 2 | # Uses editorconfig to maintain consistent coding styles
 3 | 
 4 | # top-most EditorConfig file
 5 | root = true
 6 | 
 7 | # Unix-style newlines with a newline ending every file
 8 | [*]
 9 | charset = utf-8
10 | end_of_line = lf
11 | indent_size = 2
12 | indent_style = space
13 | insert_final_newline = true
14 | max_line_length = 80
15 | trim_trailing_whitespace = true
16 | 
17 | [*.{tf,tfvars}]
18 | indent_size = 2
19 | indent_style = space
20 | 
21 | [*.md]
22 | max_line_length = 0
23 | trim_trailing_whitespace = false
24 | 
25 | [Makefile]
26 | tab_width = 2
27 | indent_style = tab
28 | 
29 | [COMMIT_EDITMSG]
30 | max_line_length = 0
31 | 


--------------------------------------------------------------------------------
/.github/FUNDING.yml:
--------------------------------------------------------------------------------
1 | github: [antonbabenko]
2 | custom: https://www.paypal.me/antonbabenko
3 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
 1 | # Terraform
 2 | .terraform
 3 | .terragrunt-cache
 4 | *.tfstate*
 5 | crash.log
 6 | 
 7 | # Secrets are not allowed in general
 8 | *.key
 9 | *.pem
10 | 
11 | # Secrets are encrypted using git-crypt
12 | !secrets/*
13 | 
14 | # OS X
15 | .history
16 | .DS_Store
17 | 
18 | # IntelliJ
19 | .idea_modules
20 | *.iml
21 | *.iws
22 | *.ipr
23 | .idea/
24 | build/
25 | */build/
26 | 


--------------------------------------------------------------------------------
/.pre-commit-config.yaml:
--------------------------------------------------------------------------------
 1 | repos:
 2 |   - repo: git://github.com/antonbabenko/pre-commit-terraform
 3 |     rev: v1.30.0
 4 |     hooks:
 5 |       - id: terraform_fmt
 6 |       - id: terragrunt_fmt
 7 |       - id: terraform_docs
 8 |   - repo: git://github.com/pre-commit/pre-commit-hooks
 9 |     rev: v2.5.0
10 |     hooks:
11 |       - id: check-merge-conflict
12 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | The MIT License (MIT)
 2 | 
 3 | Copyright (c) 2019 Anton Babenko
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
 6 | 
 7 | The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
 8 | 
 9 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
10 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # Acme's Infrastructure - Terragrunt Reference Architecture (updated: May 2020)
  2 | 
  3 | This repository contains rather complete infrastructure configurations where [Terragrunt](https://github.com/gruntwork-io/terragrunt) is used to manage infrastructure for [Acme Corporation](https://en.wikipedia.org/wiki/Acme_Corporation).
  4 | 
  5 | 
  6 | ### By the way!
  7 | 
  8 | This code is very close to the one produced by [modules.tf](https://modules.tf/) - [open-source](https://github.com/antonbabenko/modules.tf-lambda) infrastructure as code generator from visual diagrams created with [Cloudcraft.co](https://cloudcraft.co/app). See it yourself in [modules.tf-demo](https://github.com/antonbabenko/modules.tf-demo)!
  9 | 
 10 | 
 11 | ## Introduction
 12 | 
 13 | Acme has several environments (prod, staging and dev) entirely separated by AWS accounts.
 14 | 
 15 | Infrastructure in each environment consists of multiple layers (autoscaling, alb, vpc, ...) where each layer is configured using one of [Terraform AWS modules](https://github.com/terraform-aws-modules/) with arguments specified in `terragrunt.hcl` in layer's directory.
 16 | 
 17 | [Terragrunt](https://github.com/gruntwork-io/terragrunt) is used to work with Terraform configurations which allows orchestrating of dependent layers, update arguments dynamically and keep configurations [DRY](https://en.wikipedia.org/wiki/Don%27t_repeat_yourself).
 18 | 
 19 | 
 20 | ## Environments
 21 | 
 22 | Primary AWS region for all environments is `eu-central-1 (Frankfurt)`:
 23 | 
 24 | - `acme-prod` - Production configurations (AWS account - 111111111111)
 25 | - `acme-staging` - Staging configurations (AWS account - 444444444444)
 26 | - `acme-master` - Master AWS account (333333333333) contains:
 27 | 
 28 |   - AWS Organizations
 29 |   - IAM entities (users, groups)
 30 |   - ECR repositories
 31 |   - Route53 zones
 32 | 
 33 |   
 34 | ## Pre-requirements
 35 | 
 36 | - [Terraform 0.12](https://www.terraform.io/intro/getting-started/install.html)
 37 | - [Terragrunt 0.22 or newer](https://terragrunt.gruntwork.io/docs/getting-started/install/)
 38 | - [Terraform Docs](https://github.com/segmentio/terraform-docs)
 39 | - [pre-commit hooks](http://pre-commit.com) to keep Terraform formatting and documentation up-to-date
 40 | - [direnv](https://github.com/direnv/direnv#setup) to automatically set correct environment variables per AWS account as specified in `.envrc` (optional)
 41 | 
 42 | If you are using macOS you can install all dependencies using [Homebrew](https://brew.sh/):
 43 | 
 44 |     $ brew install terraform terragrunt pre-commit
 45 | 
 46 | 
 47 | ## Configure access to AWS account
 48 | 
 49 | Acme has dedicated AWS account where IAM users, groups and roles managed. This AWS account is a jump account, where IAM users logged in, and then they assume role in other AWS account.
 50 | 
 51 | The recommended way to configure access credentials to AWS account is using environment variables:
 52 | 
 53 | ```
 54 | $ export AWS_DEFAULT_REGION=eu-west-1
 55 | $ export AWS_ACCESS_KEY_ID=...
 56 | $ export AWS_SECRET_ACCESS_KEY=...
 57 | ```
 58 | 
 59 | Alternatively, you can edit `terragrunt.hcl` and use another authentication mechanism as described in [AWS provider documentation](https://www.terraform.io/docs/providers/aws/index.html#authentication).
 60 | 
 61 | 
 62 | [aws-vault](https://github.com/99designs/aws-vault), [vaulted](https://github.com/miquella/vaulted), [awsp](https://github.com/antonbabenko/awsp) or other tool can be used to manage your AWS credentials securely locally and switch roles.
 63 | 
 64 | 
 65 | ## Create and manage your infrastructure
 66 | 
 67 | Infrastructure consists of multiple layers (vpc, alb, ...) where each layer is described using one [Terraform module](https://www.terraform.io/docs/configuration/modules.html) with `inputs` arguments specified in `terragrunt.hcl` in respective layer's directory.
 68 | 
 69 | Navigate through layers to review and customize values inside `inputs` block.
 70 | 
 71 | There are two ways to manage infrastructure (slower&complete, or faster&granular):
 72 | - **Region as a whole (slower&complete).** Run this command to create infrastructure in all layers in a single region:
 73 | 
 74 | ```
 75 | $ cd acme-prod/eu-central-1
 76 | $ terragrunt apply-all
 77 | ```
 78 | 
 79 | - **As a single layer (faster&granular).** Run this command to create infrastructure in a single layer (eg, `vpc`):
 80 | 
 81 | ```
 82 | $ cd acme-prod/eu-central-1/vpc
 83 | $ terragrunt apply
 84 | ```
 85 | 
 86 | After you confirm the creation of the infrastructure should succeed.
 87 | 
 88 | If you want to suppress irrelevant output produced by Terragrunt, you can install this alias in your shell ([source to gist](https://gist.github.com/antonbabenko/675049186e54b770b4789886d2056639)):
 89 | 
 90 |     terragrunt () {
 91 |     	local action=$1
 92 |     	shift 1
 93 |     	command terragrunt $action "$@" 2>&1 | sed -E "s|$(dirname $(pwd))/||g;s|^\[terragrunt\]( [0-9]{4}/[0-9]{2}/[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2})* ||g;s|(\[.*\]) [0-9]{4}/[0-9]{2}/[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}|\1|g"
 94 |     }
 95 | 
 96 | 
 97 | ## References
 98 | 
 99 | * [Terraform documentation](https://www.terraform.io/docs/) and [Terragrunt documentation](https://terragrunt.gruntwork.io/docs/) for all available commands and features.
100 | * [Terraform AWS modules](https://github.com/terraform-aws-modules/).
101 | * [Terraform modules registry](https://registry.terraform.io/).
102 | 
103 | 
104 | ## Author
105 | 
106 | This project is created and maintained by [Anton Babenko](https://github.com/antonbabenko).
107 | 
108 | [![Maintained by Anton Babenko](https://img.shields.io/badge/maintained%20by-@antonbabenko-%235c4ee5.svg)](https://github.com/antonbabenko) [![@antonbabenko](https://img.shields.io/twitter/follow/antonbabenko.svg?style=social&label=Follow%20@antonbabenko%20on%20Twitter)](https://twitter.com/antonbabenko)
109 | 
110 | 
111 | ## License
112 | 
113 | All content, including [Terraform AWS modules](https://github.com/terraform-aws-modules/) used in these configurations, is released under the MIT License.
114 | 
115 | Copyright (c) 2019-2020 Anton Babenko
116 | 


--------------------------------------------------------------------------------
/TALK.md:
--------------------------------------------------------------------------------
 1 | # Plan for Terragrunt talk
 2 | 
 3 | 0. Infrastructure as code == Terraform
 4 | 1. Intro and use cases - https://github.com/gruntwork-io/terragrunt
 5 | 2. Demo:
 6 |  - sample repos:
 7 |    - https://github.com/terraform-aws-modules/meta
 8 |    - https://github.com/antonbabenko/terragrunt-reference-architecture
 9 |    - https://github.com/antonbabenko/modules.tf-demo
10 |  - code structure
11 |    - group by logical provider's mental model (AWS = account/region/env/proj)
12 |    - group by working area (eg, all AWS Lambda functions inside "lambdas" folder)
13 |    - service-provider oriented VS application-oriented approach
14 |    
15 |  - IAM roles (direnv)
16 |  - Terragrunt hooks ( https://github.com/terraform-aws-modules/meta/blob/master/github/terragrunt.hcl#L6 )
17 |  - dependencies
18 |  - dependency
19 |  - apply-all, plan-all, validate-all
20 |  - atlantis / makefile
21 |  - pre-commit, terraform-docs
22 |  - patterns:
23 |    - include files (hierarchy, internal (specific) + high-level (general))
24 |    - modules (local => PR to origin => external repo)
25 |    - extend Terragrunt with Terraform (workaround for passing providers or other limits, terraform does not support CLI for providers, for eg)
26 |    - use module placeholder to get remote_state benefits
27 |    - tfvars = static, but `inputs` in terragrunt.hcl has full support for expressions and functions
28 |    - `depends_on` with modules = native `dependency` output with TG
29 |  - complains & limitations:
30 |    - verbosity in outputs
31 |    - multiple providers (possible, but hard)
32 |    - for_each with modules
33 |    - circular dependencies between modules (eg, AWS Lambda + API Gateway + Permissions)
34 |    - lots of various issues and bugs when doing complex things
35 |    - terragrunt state 
36 | 3. modules.tf
37 | 


--------------------------------------------------------------------------------
/acme-master/.envrc:
--------------------------------------------------------------------------------
1 | # export TERRAGRUNT_IAM_ROLE="arn:aws:iam::333333333333:role/admin"
2 | 


--------------------------------------------------------------------------------
/acme-master/common.tfvars:
--------------------------------------------------------------------------------
1 | allowed_account_ids = ["333333333333"]
2 | 
3 | common_parameters = {
4 | 
5 |   domain = "master-domain-for-this-aws-account.com"
6 | 
7 | }
8 | 


--------------------------------------------------------------------------------
/acme-master/eu-central-1/ecr-repositories/acme-api/terragrunt.hcl:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   source = "git::git@github.com:doingcloudright/terraform-aws-ecr-cross-account.git?ref=1.0.1"
 3 | }
 4 | 
 5 | include {
 6 |   path = find_in_parent_folders()
 7 | }
 8 | 
 9 | inputs = {
10 | 
11 |   use_namespaces = false
12 | 
13 |   namespace = ""
14 | 
15 |   name = "acme-api"
16 | 
17 |   allowed_read_principals = [
18 |     "arn:aws:iam::111111111111:root", # prod
19 |     "arn:aws:iam::222222222222:root", # dev
20 |     "arn:aws:iam::333333333333:root", # master
21 |     "arn:aws:iam::444444444444:root", # staging
22 |   ]
23 | 
24 |   allowed_write_principals = [
25 |     "arn:aws:iam::111111111111:root", # prod
26 |     "arn:aws:iam::222222222222:root", # dev
27 |     "arn:aws:iam::333333333333:root", # master
28 |     "arn:aws:iam::444444444444:root", # staging
29 |   ]
30 | 
31 | }
32 | 


--------------------------------------------------------------------------------
/acme-master/eu-central-1/ecr-repositories/acme-launcher/terragrunt.hcl:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   source = "git::git@github.com:doingcloudright/terraform-aws-ecr-cross-account.git?ref=1.0.1"
 3 | }
 4 | 
 5 | include {
 6 |   path = find_in_parent_folders()
 7 | }
 8 | 
 9 | inputs = {
10 | 
11 |   use_namespaces = false
12 | 
13 |   namespace = ""
14 | 
15 |   name = "acme-launcher"
16 | 
17 |   allowed_read_principals = [
18 |     "arn:aws:iam::111111111111:root", # prod
19 |     "arn:aws:iam::222222222222:root", # dev
20 |     "arn:aws:iam::333333333333:root", # master
21 |     "arn:aws:iam::444444444444:root", # staging
22 |   ]
23 | 
24 |   allowed_write_principals = [
25 |     "arn:aws:iam::111111111111:root", # prod
26 |     "arn:aws:iam::222222222222:root", # dev
27 |     "arn:aws:iam::333333333333:root", # master
28 |     "arn:aws:iam::444444444444:root", # staging
29 |   ]
30 | 
31 | }
32 | 


--------------------------------------------------------------------------------
/acme-master/eu-central-1/regional.tfvars:
--------------------------------------------------------------------------------
1 | aws_region = "eu-central-1"
2 | 


--------------------------------------------------------------------------------
/acme-master/eu-west-1/regional.tfvars:
--------------------------------------------------------------------------------
1 | aws_region = "eu-west-1"
2 | 


--------------------------------------------------------------------------------
/acme-master/eu-west-1/s3-bucket-artifacts/terragrunt.hcl:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   source = "git::git@github.com:terraform-aws-modules/terraform-aws-s3-bucket.git?ref=v1.6.0"
 3 | }
 4 | 
 5 | include {
 6 |   path = find_in_parent_folders()
 7 | }
 8 | 
 9 | ###########################################################
10 | # View all available inputs for this module:
11 | # https://registry.terraform.io/modules/terraform-aws-modules/s3-bucket/aws/1.6.0?tab=inputs
12 | ###########################################################
13 | inputs = {
14 | 
15 |   bucket              = "main-bucket"
16 |   acl                 = "private"
17 |   force_destroy       = true
18 |   block_public_policy = true
19 | 
20 |   cors_rule = {
21 |     allowed_methods = ["GET"]
22 |     allowed_origins = ["*"]
23 |     allowed_headers = ["*"]
24 |     max_age_seconds = 3000
25 |   }
26 | 
27 |   lifecycle_rule = [
28 |     {
29 |       id      = "delete-all-ancient"
30 |       enabled = true
31 | 
32 |       expiration = {
33 |         days = 365
34 |       }
35 |     }
36 |   ]
37 | 
38 | }
39 | 


--------------------------------------------------------------------------------
/acme-master/global/iam-account/terragrunt.hcl:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   source = "git::git@github.com:terraform-aws-modules/terraform-aws-iam.git//modules/iam-account?ref=v2.9.0"
 3 | }
 4 | 
 5 | include {
 6 |   path = find_in_parent_folders()
 7 | }
 8 | 
 9 | ###########################################################
10 | # View all available inputs for this module:
11 | # https://registry.terraform.io/modules/terraform-aws-modules/iam/aws/2.9.0/submodules/iam-account?tab=inputs
12 | ###########################################################
13 | inputs = {
14 | 
15 |   account_alias = "acme-master"
16 | 
17 |   minimum_password_length = 10
18 | 
19 |   password_reuse_prevention = false
20 | 
21 |   require_symbols = false
22 | 
23 | }
24 | 


--------------------------------------------------------------------------------
/acme-master/global/organizations/terragrunt.hcl:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   source = "${get_parent_terragrunt_dir()}/../../modules/organizations"
 3 | }
 4 | 
 5 | include {
 6 |   path = find_in_parent_folders()
 7 | }
 8 | 
 9 | 
10 | inputs = {
11 | 
12 | }
13 | 


--------------------------------------------------------------------------------
/acme-master/global/regional.tfvars:
--------------------------------------------------------------------------------
1 | 
2 | 


--------------------------------------------------------------------------------
/acme-master/terragrunt.hcl:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   extra_arguments "common_vars" {
 3 |     commands = get_terraform_commands_that_need_vars()
 4 | 
 5 |     required_var_files = [
 6 |       find_in_parent_folders("common.tfvars"),
 7 |     ]
 8 | 
 9 |     optional_var_files = [
10 |       find_in_parent_folders("regional.tfvars"),
11 |     ]
12 | 
13 |   }
14 | 
15 |   extra_arguments "disable_input" {
16 |     commands  = get_terraform_commands_that_need_input()
17 |     arguments = ["-input=false"]
18 |   }
19 | }
20 | 
21 | generate "main_providers" {
22 |   path      = "main_providers.tf"
23 |   if_exists = "overwrite"
24 |   contents  = <<EOF
25 | provider "aws" {
26 |   region = var.aws_region
27 | 
28 |   allowed_account_ids = var.allowed_account_ids
29 | 
30 |   # Make it faster by skipping something
31 |   skip_get_ec2_platforms      = true
32 |   skip_metadata_api_check     = true
33 |   skip_region_validation      = true
34 |   skip_credentials_validation = true
35 | }
36 | 
37 | variable "aws_region" {
38 |   description = "AWS region to create infrastructure in"
39 |   type        = string
40 | }
41 | 
42 | variable "allowed_account_ids" {
43 |   description = "List of allowed AWS account ids to create infrastructure in"
44 |   type        = list(string)
45 | }
46 | 
47 | variable "common_parameters" {
48 |   description = "Map of common parameters shared across all infrastructure resources (eg, domain names)"
49 |   type        = map(string)
50 |   default     = {}
51 | }
52 | EOF
53 | }
54 | 
55 | remote_state {
56 |   backend      = "s3"
57 |   disable_init = tobool(get_env("TERRAGRUNT_DISABLE_INIT", "false"))
58 | 
59 |   generate = {
60 |     path      = "_backend.tf"
61 |     if_exists = "overwrite"
62 |   }
63 | 
64 |   config = {
65 |     encrypt        = true
66 |     region         = "eu-central-1"
67 |     key            = format("%s/terraform.tfstate", path_relative_to_include())
68 |     bucket         = format("terraform-states-%s", get_aws_account_id())
69 |     dynamodb_table = format("terraform-states-%s", get_aws_account_id())
70 | 
71 |     skip_metadata_api_check     = true
72 |     skip_credentials_validation = true
73 |   }
74 | }
75 | 


--------------------------------------------------------------------------------
/acme-prod/.envrc:
--------------------------------------------------------------------------------
1 | export TERRAGRUNT_IAM_ROLE="arn:aws:iam::111111111111:role/admin"
2 | 


--------------------------------------------------------------------------------
/acme-prod/common.tfvars:
--------------------------------------------------------------------------------
1 | allowed_account_ids = ["111111111111"]
2 | 
3 | common_parameters = {
4 | 
5 |   domain = "prod-domain-for-this-aws-account.com"
6 | 
7 | }
8 | 


--------------------------------------------------------------------------------
/acme-prod/eu-central-1/acm/terragrunt.hcl:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   source = "git::git@github.com:terraform-aws-modules/terraform-aws-acm.git?ref=v2.5.0"
 3 | }
 4 | 
 5 | include {
 6 |   path = find_in_parent_folders()
 7 | }
 8 | 
 9 | ###########################################################
10 | # View all available inputs for this module:
11 | # https://registry.terraform.io/modules/terraform-aws-modules/acm/aws/2.5.0?tab=inputs
12 | ###########################################################
13 | inputs = {
14 | 
15 |   domain_name = "acme-prod.com"
16 | 
17 |   validate_certificate = false # validated manually is separate AWS account
18 | 
19 | }
20 | 


--------------------------------------------------------------------------------
/acme-prod/eu-central-1/alb-security-group/terragrunt.hcl:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   source = "git::git@github.com:terraform-aws-modules/terraform-aws-security-group.git?ref=v3.1.0"
 3 | }
 4 | 
 5 | include {
 6 |   path = find_in_parent_folders()
 7 | }
 8 | 
 9 | dependencies {
10 |   paths = ["../vpc"]
11 | }
12 | 
13 | dependency "vpc" {
14 |   config_path = "../vpc"
15 | }
16 | 
17 | ###########################################################
18 | # View all available inputs for this module:
19 | # https://registry.terraform.io/modules/terraform-aws-modules/security-group/aws/3.1.0?tab=inputs
20 | ###########################################################
21 | inputs = {
22 |   # List of IPv4 CIDR ranges to use on all ingress rules
23 |   # type: list(string)
24 |   ingress_cidr_blocks = ["0.0.0.0/0"]
25 | 
26 |   # List of ingress rules to create by name
27 |   # type: list(string)
28 |   ingress_rules = ["http-80-tcp", "https-443-tcp"]
29 | 
30 |   # Name of security group
31 |   # type: string
32 |   name = "acme-prod-alb"
33 | 
34 |   # Description for security group
35 |   # type: string
36 |   description = "Security group for the public Application Load Balancer"
37 | 
38 |   # ID of the VPC where to create security group
39 |   # type: string
40 |   vpc_id = dependency.vpc.outputs.vpc_id
41 | 
42 |   egress_with_cidr_blocks = [
43 |     {
44 |       rule        = "all-all"
45 |       cidr_blocks = "0.0.0.0/0"
46 |     },
47 |   ]
48 | 
49 | }
50 | 


--------------------------------------------------------------------------------
/acme-prod/eu-central-1/alb/terragrunt.hcl:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   source = "git::git@github.com:terraform-aws-modules/terraform-aws-alb.git?ref=v5.4.0"
 3 | }
 4 | 
 5 | include {
 6 |   path = find_in_parent_folders()
 7 | }
 8 | 
 9 | dependencies {
10 |   paths = ["../acm", "../vpc", "../alb-security-group"]
11 | }
12 | 
13 | dependency "acm" {
14 |   config_path = "../acm"
15 | }
16 | 
17 | dependency "vpc" {
18 |   config_path = "../vpc"
19 | }
20 | 
21 | dependency "alb-security-group" {
22 |   config_path = "../alb-security-group"
23 | }
24 | 
25 | ###########################################################
26 | # View all available inputs for this module:
27 | # https://registry.terraform.io/modules/terraform-aws-modules/alb/aws/5.4.0?tab=inputs
28 | ###########################################################
29 | inputs = {
30 |   name = "acme-prod"
31 | 
32 |   vpc_id = dependency.vpc.outputs.vpc_id
33 | 
34 |   subnets = dependency.vpc.outputs.public_subnets
35 | 
36 |   security_groups = [dependency.alb-security-group.outputs.this_security_group_id]
37 | 
38 |   ip_address_type = "dualstack"
39 | 
40 |   enable_deletion_protection = true
41 | 
42 |   drop_invalid_header_fields = true
43 | 
44 |   http_tcp_listeners = [
45 |     {
46 |       port        = 80
47 |       protocol    = "HTTP"
48 |       action_type = "redirect"
49 |       redirect = {
50 |         port        = 443
51 |         protocol    = "HTTPS"
52 |         status_code = "HTTP_301"
53 |       }
54 |     },
55 |   ]
56 | 
57 |   https_listeners = [
58 |     {
59 |       target_group_index = 0
60 |       port               = 443
61 |       protocol           = "HTTPS"
62 |       certificate_arn    = dependency.acm.outputs.this_acm_certificate_arn
63 |       action_type        = "redirect"
64 |       redirect = {
65 |         port        = 443
66 |         protocol    = "HTTPS"
67 |         status_code = "HTTP_302"
68 |         host        = "github.com"
69 |         path        = "/antonbabenko/terraform-cost-estimation"
70 |         query       = ""
71 |       }
72 |     },
73 |   ]
74 | 
75 |   target_groups = [
76 |     {
77 |       name_prefix                        = "l1-"
78 |       target_type                        = "lambda"
79 |       lambda_multi_value_headers_enabled = true
80 |     },
81 |   ]
82 | }
83 | 


--------------------------------------------------------------------------------
/acme-prod/eu-central-1/aws-data/terragrunt.hcl:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   source = "${get_parent_terragrunt_dir()}/../../modules/aws-data"
 3 | }
 4 | 
 5 | include {
 6 |   path = find_in_parent_folders()
 7 | }
 8 | 
 9 | 
10 | inputs = {
11 | 
12 | }
13 | 


--------------------------------------------------------------------------------
/acme-prod/eu-central-1/regional.tfvars:
--------------------------------------------------------------------------------
1 | aws_region = "eu-central-1"
2 | 


--------------------------------------------------------------------------------
/acme-prod/eu-central-1/vpc/terragrunt.hcl:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   source = "git::git@github.com:terraform-aws-modules/terraform-aws-vpc.git?ref=v2.18.0"
 3 | }
 4 | 
 5 | include {
 6 |   path = find_in_parent_folders()
 7 | }
 8 | 
 9 | dependencies {
10 |   paths = ["../aws-data"]
11 | }
12 | 
13 | dependency "aws-data" {
14 |   config_path = "../aws-data"
15 | }
16 | 
17 | ###########################################################
18 | # View all available inputs for this module:
19 | # https://registry.terraform.io/modules/terraform-aws-modules/vpc/aws/2.18.0?tab=inputs
20 | ###########################################################
21 | inputs = {
22 |   # A list of availability zones in the region
23 |   # type: list(string)
24 |   azs = [for v in dependency.aws-data.outputs.available_aws_availability_zones_names : v]
25 | 
26 |   # The CIDR block for the VPC. Default value is a valid CIDR, but not acceptable by AWS and should be overridden
27 |   # type: string
28 |   cidr = "10.0.0.0/16"
29 | 
30 |   # A list of database subnets
31 |   # type: list(string)
32 |   database_subnets = [for k, v in dependency.aws-data.outputs.available_aws_availability_zones_names : cidrsubnet("10.0.0.0/16", 8, k + 20)]
33 | 
34 |   # Name to be used on all the resources as identifier
35 |   # type: string
36 |   name = "prod"
37 | 
38 |   # A list of private subnets inside the VPC
39 |   # type: list(string)
40 |   private_subnets = [for k, v in dependency.aws-data.outputs.available_aws_availability_zones_names : cidrsubnet("10.0.0.0/16", 8, k + 10)]
41 | 
42 |   # A list of public subnets inside the VPC
43 |   # type: list(string)
44 |   public_subnets = [for k, v in dependency.aws-data.outputs.available_aws_availability_zones_names : cidrsubnet("10.0.0.0/16", 8, k)]
45 | 
46 |   enable_nat_gateway = true
47 | 
48 |   single_nat_gateway = true
49 | 
50 |   enable_dns_hostnames = true
51 | 
52 |   enable_dns_support = true
53 | 
54 |   tags = {
55 |     Environment = "prod"
56 |   }
57 | 
58 | }
59 | 


--------------------------------------------------------------------------------
/acme-prod/global/iam-account/terragrunt.hcl:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   source = "git::git@github.com:terraform-aws-modules/terraform-aws-iam.git//modules/iam-account?ref=v2.9.0"
 3 | }
 4 | 
 5 | include {
 6 |   path = find_in_parent_folders()
 7 | }
 8 | 
 9 | ###########################################################
10 | # View all available inputs for this module:
11 | # https://registry.terraform.io/modules/terraform-aws-modules/iam/aws/2.9.0/submodules/iam-account?tab=inputs
12 | ###########################################################
13 | inputs = {
14 | 
15 |   account_alias = "acme-prod"
16 | 
17 | }
18 | 


--------------------------------------------------------------------------------
/acme-prod/global/iam-assumable-roles/terragrunt.hcl:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   source = "git::git@github.com:terraform-aws-modules/terraform-aws-iam.git//modules/iam-assumable-roles?ref=v2.9.0"
 3 | }
 4 | 
 5 | include {
 6 |   path = find_in_parent_folders()
 7 | }
 8 | 
 9 | dependencies {
10 |   paths = ["../iam-account"]
11 | }
12 | 
13 | ###########################################################
14 | # View all available inputs for this module:
15 | # https://registry.terraform.io/modules/terraform-aws-modules/iam/aws/2.9.0/submodules/iam-assumable-roles?tab=inputs
16 | ###########################################################
17 | inputs = {
18 | 
19 |   # Role ARN who should be allowed to assume role in this AWS account
20 |   # (by default, it is "acme-master" AWS account)
21 |   trusted_role_arns = ["arn:aws:iam::333333333333:root"]
22 | 
23 |   mfa_age = 86400
24 | 
25 |   max_session_duration = 43200
26 | 
27 |   create_admin_role = true
28 | 
29 |   admin_role_name = "admin"
30 | 
31 |   admin_role_requires_mfa = true
32 | 
33 |   create_poweruser_role = true
34 | 
35 |   poweruser_role_name = "developer"
36 | 
37 |   poweruser_role_requires_mfa = false
38 | 
39 |   create_readonly_role = true
40 | 
41 |   readonly_role_name = "readonly"
42 | 
43 |   readonly_role_requires_mfa = false
44 | 
45 | }
46 | 


--------------------------------------------------------------------------------
/acme-prod/global/regional.tfvars:
--------------------------------------------------------------------------------
1 | aws_region = "us-east-1"
2 | 


--------------------------------------------------------------------------------
/acme-prod/terragrunt.hcl:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   extra_arguments "common_vars" {
 3 |     commands = get_terraform_commands_that_need_vars()
 4 | 
 5 |     required_var_files = [
 6 |       find_in_parent_folders("common.tfvars"),
 7 |     ]
 8 | 
 9 |     optional_var_files = [
10 |       find_in_parent_folders("regional.tfvars"),
11 |     ]
12 | 
13 |   }
14 | 
15 |   extra_arguments "disable_input" {
16 |     commands  = get_terraform_commands_that_need_input()
17 |     arguments = ["-input=false"]
18 |   }
19 | }
20 | 
21 | generate "main_providers" {
22 |   path      = "main_providers.tf"
23 |   if_exists = "overwrite"
24 |   contents  = <<EOF
25 | provider "aws" {
26 |   region = var.aws_region
27 | 
28 |   allowed_account_ids = var.allowed_account_ids
29 | 
30 |   # Make it faster by skipping something
31 |   skip_get_ec2_platforms      = true
32 |   skip_metadata_api_check     = true
33 |   skip_region_validation      = true
34 |   skip_credentials_validation = true
35 | }
36 | 
37 | variable "aws_region" {
38 |   description = "AWS region to create infrastructure in"
39 |   type        = string
40 | }
41 | 
42 | variable "allowed_account_ids" {
43 |   description = "List of allowed AWS account ids to create infrastructure in"
44 |   type        = list(string)
45 | }
46 | 
47 | variable "common_parameters" {
48 |   description = "Map of common parameters shared across all infrastructure resources (eg, domain names)"
49 |   type        = map(string)
50 |   default     = {}
51 | }
52 | EOF
53 | }
54 | 
55 | remote_state {
56 |   backend      = "s3"
57 |   disable_init = tobool(get_env("TERRAGRUNT_DISABLE_INIT", "false"))
58 | 
59 |   generate = {
60 |     path      = "_backend.tf"
61 |     if_exists = "overwrite"
62 |   }
63 | 
64 |   config = {
65 |     encrypt        = true
66 |     region         = "eu-central-1"
67 |     key            = format("%s/terraform.tfstate", path_relative_to_include())
68 |     bucket         = format("terraform-states-%s", get_aws_account_id())
69 |     dynamodb_table = format("terraform-states-%s", get_aws_account_id())
70 | 
71 |     skip_metadata_api_check     = true
72 |     skip_credentials_validation = true
73 |   }
74 | }
75 | 


--------------------------------------------------------------------------------
/acme-prod/us-east-1/acm/terragrunt.hcl:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   source = "git::git@github.com:terraform-aws-modules/terraform-aws-acm.git?ref=v2.5.0"
 3 | }
 4 | 
 5 | include {
 6 |   path = find_in_parent_folders()
 7 | }
 8 | 
 9 | ###########################################################
10 | # View all available inputs for this module:
11 | # https://registry.terraform.io/modules/terraform-aws-modules/acm/aws/2.5.0?tab=inputs
12 | ###########################################################
13 | inputs = {
14 | 
15 |   domain_name = "acme2.com"
16 | 
17 |   subject_alternative_names = [
18 |     "*.acme.com",
19 |     "*.cdn.acme.com",
20 |     "*.acme2.com",
21 |     "*.cdn.acme2.com",
22 |   ]
23 | 
24 |   zone_id = "Z34ZYFQX4QMAA1" # public_route53_zone_id. Zones are managed inside eu-central-1 region inside route53-zones
25 | 
26 |   # Do not wait for validation, because several subdomains records should be created.
27 |   # It is easier to click "Create record in Route 53" once certificates are created manually on this link:
28 |   # https://console.aws.amazon.com/acm/home?region=us-east-1
29 |   wait_for_validation = false
30 | 
31 |   validate_certificate = false
32 | 
33 |   tags = {
34 |     Name = "acme.com"
35 |   }
36 | 
37 | }
38 | 


--------------------------------------------------------------------------------
/acme-prod/us-east-1/regional.tfvars:
--------------------------------------------------------------------------------
1 | aws_region = "us-east-1"
2 | 


--------------------------------------------------------------------------------
/acme-serverless/README.md:
--------------------------------------------------------------------------------
1 | # acme-serverless
2 | 
3 | This directory contains code similar to [serverless.tf-playground repository](https://github.com/antonbabenko/serverless.tf-playground) implemented using Terragrunt with the goal to show how it can be done.
4 | 


--------------------------------------------------------------------------------
/acme-serverless/api-gateway/_extra.tf:
--------------------------------------------------------------------------------
 1 | //output "name" {
 2 | //  value = var.name
 3 | //}
 4 | //
 5 | //#resource "aws_s3_bucket" ".." {}
 6 | //
 7 | //provider "aws" {
 8 | //  alias = "another"
 9 | //}
10 | //
11 | //#providers = {
12 | //#  aws = aws.another
13 | //#}
14 | 


--------------------------------------------------------------------------------
/acme-serverless/api-gateway/output.txt:
--------------------------------------------------------------------------------
1 | arn:aws:apigateway:eu-west-1::/apis/88o5jaa82l/stages/$default
2 | 


--------------------------------------------------------------------------------
/acme-serverless/api-gateway/terragrunt.hcl:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   source = "git::git@github.com:terraform-aws-modules/terraform-aws-apigateway-v2.git?ref=master"
 3 | }
 4 | 
 5 | include {
 6 |   path = find_in_parent_folders()
 7 | }
 8 | 
 9 | dependencies {
10 |   paths = ["../lambda"]
11 | }
12 | 
13 | dependency "lambda" {
14 |   config_path = "../lambda"
15 | #  skip_outputs = true
16 | }
17 | 
18 | inputs = {
19 |   name          = "awesome-api-gateway"
20 |   description   = "My awesome HTTP API Gateway"
21 |   protocol_type = "HTTP"
22 | 
23 |   create_api_domain_name = false
24 | 
25 |   default_stage_access_log_destination_arn = "arn:aws:logs:eu-west-1:835367859851:log-group:debug-apigateway"
26 |   default_stage_access_log_format          = "$context.identity.sourceIp - - [$context.requestTime] \"$context.httpMethod $context.routeKey $context.protocol\" $context.status $context.responseLength $context.requestId $context.integrationErrorMessage"
27 | 
28 |   integrations = {
29 |     "GET /" = {
30 |       lambda_arn             = dependency.lambda.outputs.this_lambda_function_arn
31 |       payload_format_version = "2.0"
32 |       timeout_milliseconds   = 12000
33 |     }
34 | 
35 |     "$default" = {
36 |       lambda_arn = dependency.lambda.outputs.this_lambda_function_arn
37 |     }
38 | 
39 |   }
40 | 
41 | }
42 | 


--------------------------------------------------------------------------------
/acme-serverless/lambda/terragrunt.hcl:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   source = "git::git@github.com:terraform-aws-modules/terraform-aws-lambda.git?ref=master"
 3 | }
 4 | 
 5 | include {
 6 |   path = find_in_parent_folders()
 7 | }
 8 | 
 9 | #
10 | #dependencies {
11 | #  paths = ["../api-gateway"]
12 | #}
13 | #
14 | #dependency "api_gateway" {
15 | #  config_path = "../api-gateway"
16 | #}
17 | 
18 | locals {
19 |   artifacts_dir = abspath("${get_terragrunt_dir()}/../builds")
20 | }
21 | 
22 | inputs = {
23 |   function_name = "awesome-lambda-python"
24 |   description   = "My awesome Python lambda function"
25 |   handler       = "index.lambda_handler"
26 |   runtime       = "python3.8"
27 |   publish       = true
28 | 
29 |   // terragrunt bug: use jsonencode when "type = any"
30 |   source_path = jsonencode("${get_parent_terragrunt_dir()}/src/python-function")
31 | 
32 |   artifacts_dir = local.artifacts_dir
33 | 
34 |   attach_tracing_policy    = true
35 | 
36 |   //  create_current_version_allowed_triggers = false
37 | #  allowed_triggers = {
38 | #    AllowExecutionFromAPIGateway = {
39 | #      service    = "apigateway"
40 | #      source_arn = "${dependency.api_gateway.outputs.this_apigatewayv2_api_execution_arn}/*/*"
41 | #    }
42 | #  }
43 | 
44 | }
45 | 


--------------------------------------------------------------------------------
/acme-serverless/src/go-function/main.go:
--------------------------------------------------------------------------------
 1 | package main
 2 | 
 3 | import (
 4 | 	"github.com/aws/aws-lambda-go/lambda"
 5 | )
 6 | 
 7 | // Response is the generic lambda response
 8 | type Response struct {
 9 | 	Message string `json:"message"`
10 | }
11 | 
12 | func Handler() (Response, error) {
13 | 	return Response{
14 | 		Message: "Hello from Go!",
15 | 	}, nil
16 | }
17 | 
18 | func main() {
19 | 	lambda.Start(Handler)
20 | }
21 | 


--------------------------------------------------------------------------------
/acme-serverless/src/python-function/index.py:
--------------------------------------------------------------------------------
 1 | import json
 2 | 
 3 | 
 4 | def lambda_handler(event, context):
 5 |     body = "Hello from serverless.tf!"
 6 |     body += json.dumps(event)
 7 |     body += json.dumps(context)
 8 | 
 9 |     r = {
10 |         "isBase64Encoded": False,
11 |         "statusCode": 200,
12 |         "statusDescription": "200 OK",
13 |         "headers": {
14 |             "Content-Type": "application/json",
15 |         },
16 |         "body": json.dumps(body)
17 |     }
18 | 
19 |     return r
20 | 
21 | 


--------------------------------------------------------------------------------
/acme-serverless/terragrunt.hcl:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   extra_arguments "common_vars" {
 3 |     commands = get_terraform_commands_that_need_vars()
 4 | 
 5 | #    required_var_files = [
 6 | #      find_in_parent_folders("common.tfvars"),
 7 | #    ]
 8 | 
 9 | #    optional_var_files = [
10 | #      for i in range(5): find_in_parent_folders("regional${i}.tfvars")
11 | #    ]
12 | 
13 |   }
14 | 
15 |   extra_arguments "disable_input" {
16 |     commands  = get_terraform_commands_that_need_input()
17 |     arguments = ["-input=false"]
18 |   }
19 | }
20 | 
21 | generate "main_providers" {
22 |   path      = "main_providers.tf"
23 |   if_exists = "overwrite"
24 |   contents  = <<EOF
25 | provider "aws" {
26 |   region = "eu-west-1"
27 | 
28 |   # Make it faster by skipping something
29 |   skip_get_ec2_platforms      = true
30 |   skip_metadata_api_check     = true
31 |   skip_region_validation      = true
32 |   skip_credentials_validation = true
33 | }
34 | EOF
35 | }
36 | 
37 | remote_state {
38 |   backend      = "s3"
39 |   disable_init = tobool(get_env("TERRAGRUNT_DISABLE_INIT", "false"))
40 | 
41 |   generate = {
42 |     path      = "_backend.tf"
43 |     if_exists = "overwrite"
44 |   }
45 | 
46 |   config = {
47 |     encrypt        = true
48 |     region         = "eu-west-1"
49 |     key            = format("%s/terraform.tfstate", path_relative_to_include())
50 |     bucket         = format("terraform-states-%s", get_aws_account_id())
51 |     dynamodb_table = format("terraform-states-%s", get_aws_account_id())
52 | 
53 |     skip_metadata_api_check     = true
54 |     skip_credentials_validation = true
55 |   }
56 | }
57 | 


--------------------------------------------------------------------------------
/acme-serverless/tmp/api_gateway.tf:
--------------------------------------------------------------------------------
 1 | module "api_gateway" {
 2 |   source  = "terraform-aws-modules/apigateway-v2/aws"
 3 |   version = "~> 0.0"
 4 | 
 5 |   name          = "${random_pet.this.id}-http"
 6 |   description   = "My awesome HTTP API Gateway"
 7 |   protocol_type = "HTTP"
 8 | 
 9 |   create_api_domain_name = false
10 | 
11 |   default_stage_access_log_destination_arn = "arn:aws:logs:eu-west-1:835367859851:log-group:debug-apigateway"
12 |   default_stage_access_log_format          = "$context.identity.sourceIp - - [$context.requestTime] \"$context.httpMethod $context.routeKey $context.protocol\" $context.status $context.responseLength $context.requestId $context.integrationErrorMessage"
13 | 
14 |   integrations = {
15 |     "GET /" = {
16 |       lambda_arn             = module.lambda.this_lambda_function_arn
17 |       payload_format_version = "2.0"
18 |       timeout_milliseconds   = 12000
19 |     }
20 | 
21 |     "$default" = {
22 |       lambda_arn = module.lambda.this_lambda_function_arn
23 |     }
24 | 
25 |   }
26 | 
27 | }
28 | 


--------------------------------------------------------------------------------
/acme-serverless/tmp/deploy.tf:
--------------------------------------------------------------------------------
 1 | //module "deploy" {
 2 | //  source  = "terraform-aws-modules/lambda/aws//modules/deploy"
 3 | //  version = "~> 1.0"
 4 | //
 5 | //  alias_name    = module.lambda_alias.this_lambda_alias_name
 6 | //  function_name = module.lambda.this_lambda_function_name
 7 | //
 8 | //  target_version = module.lambda.this_lambda_function_version
 9 | //  description    = "This is my awesome deploy!"
10 | //
11 | //  use_existing_app = true
12 | //  app_name         = aws_codedeploy_app.this.name
13 | //
14 | //  create_deployment_group = true
15 | //  deployment_group_name   = "prod"
16 | //
17 | ////  deployment_config_name = "CodeDeployDefault.LambdaCanary10Percent5Minutes"
18 | //
19 | //  create_deployment          = true
20 | //  wait_deployment_completion = true
21 | //  //  force_deploy               = true
22 | //}
23 | 


--------------------------------------------------------------------------------
/acme-serverless/tmp/lambda_python.tf:
--------------------------------------------------------------------------------
 1 | module "lambda" {
 2 |   source  = "terraform-aws-modules/lambda/aws"
 3 |   version = "~> 1.0"
 4 | 
 5 |   function_name = "${random_pet.this.id}-lambda-python"
 6 |   description   = "My awesome Python lambda function"
 7 |   handler       = "index.lambda_handler"
 8 |   runtime       = "python3.8"
 9 |   publish       = true
10 | 
11 |   source_path = "../src/python-function"
12 | 
13 |   attach_tracing_policy    = true
14 |   attach_policy_statements = true
15 | 
16 |   policy_statements = {
17 |     s3_read = {
18 |       effect    = "Allow",
19 |       actions   = ["s3:HeadObject", "s3:GetObject"],
20 |       resources = ["${module.s3_bucket.this_s3_bucket_arn}/*"]
21 |     }
22 |   }
23 | 
24 | //  create_current_version_allowed_triggers = false
25 |   allowed_triggers = {
26 |     AllowExecutionFromAPIGateway = {
27 |       service    = "apigateway"
28 |       source_arn = "${module.api_gateway.this_apigatewayv2_api_execution_arn}/*/*"
29 |     }
30 |   }
31 | }
32 | 
33 | module "lambda_alias" {
34 |   source  = "terraform-aws-modules/lambda/aws//modules/alias"
35 |   version = "~> 1.0"
36 | 
37 |   name = "prod"
38 | 
39 |   function_name = module.lambda.this_lambda_function_name
40 | 
41 |   # Set function_version when creating alias to be able to deploy using it,
42 |   # because AWS CodeDeploy doesn't understand $LATEST as CurrentVersion.
43 |   function_version = module.lambda.this_lambda_function_version
44 | }
45 | 


--------------------------------------------------------------------------------
/acme-serverless/tmp/main.tf:
--------------------------------------------------------------------------------
 1 | provider "aws" {
 2 |   region = "eu-west-1"
 3 | 
 4 |   # Make it faster by skipping something
 5 |   skip_get_ec2_platforms      = true
 6 |   skip_metadata_api_check     = true
 7 |   skip_region_validation      = true
 8 |   skip_credentials_validation = true
 9 | 
10 |   # skip_requesting_account_id should be disabled to generate valid ARN in apigatewayv2_api_execution_arn
11 |   skip_requesting_account_id = false
12 | }
13 | 
14 | //provider "aws" {
15 | //  region                      = "eu-west-1"
16 | //  skip_credentials_validation = true
17 | //  skip_metadata_api_check     = true
18 | //
19 | //  # Some services, like HTTP API Gateway, are only available in Pro-version - https://localstack.cloud/#pricing
20 | //  endpoints {
21 | //    apigateway     = "http://localhost:4566"
22 | //    dynamodb       = "http://localhost:4566"
23 | //    iam            = "http://localhost:4566"
24 | //    lambda         = "http://localhost:4566"
25 | //    s3             = "http://localhost:4566"
26 | //  }
27 | //}
28 | 
29 | resource "random_pet" "this" {
30 |   length = 2
31 | }
32 | 
33 | # Put all extra resources which don't belong anywhere
34 | resource "aws_codedeploy_app" "this" {
35 |   name             = random_pet.this.id
36 |   compute_platform = "Lambda"
37 | }
38 | 


--------------------------------------------------------------------------------
/acme-serverless/tmp/outputs.tf:
--------------------------------------------------------------------------------
  1 | ##################
  2 | # Lambda Function
  3 | ##################
  4 | output "this_lambda_function_arn" {
  5 |   description = "The ARN of the Lambda Function"
  6 |   value       = module.lambda.this_lambda_function_arn
  7 | }
  8 | 
  9 | output "this_lambda_function_invoke_arn" {
 10 |   description = "The Invoke ARN of the Lambda Function"
 11 |   value       = module.lambda.this_lambda_function_invoke_arn
 12 | }
 13 | 
 14 | output "this_lambda_function_name" {
 15 |   description = "The name of the Lambda Function"
 16 |   value       = module.lambda.this_lambda_function_name
 17 | }
 18 | 
 19 | output "this_lambda_function_qualified_arn" {
 20 |   description = "The ARN identifying your Lambda Function Version"
 21 |   value       = module.lambda.this_lambda_function_qualified_arn
 22 | }
 23 | 
 24 | output "this_lambda_function_version" {
 25 |   description = "Latest published version of Lambda Function"
 26 |   value       = module.lambda.this_lambda_function_version
 27 | }
 28 | 
 29 | output "this_lambda_function_last_modified" {
 30 |   description = "The date Lambda Function resource was last modified"
 31 |   value       = module.lambda.this_lambda_function_last_modified
 32 | }
 33 | 
 34 | output "this_lambda_function_kms_key_arn" {
 35 |   description = "The ARN for the KMS encryption key of Lambda Function"
 36 |   value       = module.lambda.this_lambda_function_kms_key_arn
 37 | }
 38 | 
 39 | output "this_lambda_function_source_code_hash" {
 40 |   description = "Base64-encoded representation of raw SHA-256 sum of the zip file"
 41 |   value       = module.lambda.this_lambda_function_source_code_hash
 42 | }
 43 | 
 44 | output "this_lambda_function_source_code_size" {
 45 |   description = "The size in bytes of the function .zip file"
 46 |   value       = module.lambda.this_lambda_function_source_code_size
 47 | }
 48 | 
 49 | # Lambda Layer
 50 | output "this_lambda_layer_arn" {
 51 |   description = "The ARN of the Lambda Layer with version"
 52 |   value       = module.lambda.this_lambda_layer_arn
 53 | }
 54 | 
 55 | output "this_lambda_layer_layer_arn" {
 56 |   description = "The ARN of the Lambda Layer without version"
 57 |   value       = module.lambda.this_lambda_layer_layer_arn
 58 | }
 59 | 
 60 | output "this_lambda_layer_created_date" {
 61 |   description = "The date Lambda Layer resource was created"
 62 |   value       = module.lambda.this_lambda_layer_created_date
 63 | }
 64 | 
 65 | output "this_lambda_layer_source_code_size" {
 66 |   description = "The size in bytes of the Lambda Layer .zip file"
 67 |   value       = module.lambda.this_lambda_layer_source_code_size
 68 | }
 69 | 
 70 | output "this_lambda_layer_version" {
 71 |   description = "The Lambda Layer version"
 72 |   value       = module.lambda.this_lambda_layer_version
 73 | }
 74 | 
 75 | # IAM Role
 76 | output "lambda_role_arn" {
 77 |   description = "The ARN of the IAM role created for the Lambda Function"
 78 |   value       = module.lambda.lambda_role_arn
 79 | }
 80 | 
 81 | output "lambda_role_name" {
 82 |   description = "The name of the IAM role created for the Lambda Function"
 83 |   value       = module.lambda.lambda_role_name
 84 | }
 85 | 
 86 | # Deployment package
 87 | output "local_filename" {
 88 |   description = "The filename of zip archive deployed (if deployment was from local)"
 89 |   value       = module.lambda.local_filename
 90 | }
 91 | 
 92 | output "s3_object" {
 93 |   description = "The map with S3 object data of zip archive deployed (if deployment was from S3)"
 94 |   value       = module.lambda.s3_object
 95 | }
 96 | 
 97 | ###############
 98 | # API Gateway
 99 | ###############
100 | output "this_apigatewayv2_api_id" {
101 |   description = "The API identifier"
102 |   value       = module.api_gateway.this_apigatewayv2_api_id
103 | }
104 | 
105 | output "this_apigatewayv2_api_api_endpoint" {
106 |   description = "The URI of the API"
107 |   value       = module.api_gateway.this_apigatewayv2_api_api_endpoint
108 | }
109 | 
110 | output "this_apigatewayv2_api_arn" {
111 |   description = "The ARN of the API"
112 |   value       = module.api_gateway.this_apigatewayv2_api_arn
113 | }
114 | 
115 | output "this_apigatewayv2_api_execution_arn" {
116 |   description = "The ARN prefix to be used in an aws_lambda_permission's source_arn attribute or in an aws_iam_policy to authorize access to the @connections API."
117 |   value       = module.api_gateway.this_apigatewayv2_api_execution_arn
118 | }
119 | 
120 | output "default_apigatewayv2_stage_execution_arn" {
121 |   description = "The ARN prefix to be used in an aws_lambda_permission's source_arn attribute or in an aws_iam_policy to authorize access to the @connections API."
122 |   value       = module.api_gateway.default_apigatewayv2_stage_execution_arn
123 | }
124 | 
125 | 
126 | 
127 | ###############
128 | # Lambda Alias
129 | ###############
130 | output "this_lambda_alias_name" {
131 |   description = "The name of the Lambda Function Alias"
132 |   value       = module.lambda_alias.this_lambda_alias_name
133 | }
134 | 
135 | output "this_lambda_alias_arn" {
136 |   description = "The ARN of the Lambda Function Alias"
137 |   value       = module.lambda_alias.this_lambda_alias_arn
138 | }
139 | 
140 | output "this_lambda_alias_invoke_arn" {
141 |   description = "The ARN to be used for invoking Lambda Function from API Gateway"
142 |   value       = module.lambda_alias.this_lambda_alias_invoke_arn
143 | }
144 | 
145 | output "this_lambda_alias_description" {
146 |   description = "Description of alias"
147 |   value       = module.lambda_alias.this_lambda_alias_description
148 | }
149 | 
150 | output "this_lambda_alias_function_version" {
151 |   description = "Lambda function version which the alias uses"
152 |   value       = module.lambda_alias.this_lambda_alias_function_version
153 | }
154 | 


--------------------------------------------------------------------------------
/acme-serverless/tmp/s3_bucket.tf:
--------------------------------------------------------------------------------
 1 | module "s3_bucket" {
 2 |   source  = "terraform-aws-modules/s3-bucket/aws"
 3 |   version = "~> 1.0"
 4 | 
 5 |   bucket        = "${random_pet.this.id}-bucket"
 6 |   acl           = "private"
 7 |   force_destroy = true
 8 | 
 9 |   // S3 bucket-level Public Access Block configuration
10 |   block_public_acls       = true
11 |   block_public_policy     = true
12 |   ignore_public_acls      = true
13 |   restrict_public_buckets = true
14 | }
15 | 


--------------------------------------------------------------------------------
/acme-staging/README.md:
--------------------------------------------------------------------------------
1 | `acme-staging` should contain code for staging environment but Acme is brave enough to experiment in production! :)
2 | 
3 | See code in [acme-prod](../acme-prod) for inspiration.
4 | 


--------------------------------------------------------------------------------
/modules/aws-data/README.md:
--------------------------------------------------------------------------------
 1 | # aws-data
 2 | 
 3 | This module contains data-sources which are used as arguments in other AWS modules (eg, list of AZ when creating VPC).
 4 | 
 5 | <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 6 | ## Requirements
 7 | 
 8 | No requirements.
 9 | 
10 | ## Providers
11 | 
12 | | Name | Version |
13 | |------|---------|
14 | | aws | n/a |
15 | 
16 | ## Inputs
17 | 
18 | No input.
19 | 
20 | ## Outputs
21 | 
22 | | Name | Description |
23 | |------|-------------|
24 | | amazon\_linux2\_aws\_ami\_id | AMI ID of Amazon Linux 2 |
25 | | available\_aws\_availability\_zones\_names | A list of the Availability Zone names available to the account |
26 | | available\_aws\_availability\_zones\_zone\_ids | A list of the Availability Zone IDs available to the account |
27 | | aws\_region | Details about selected AWS region |
28 | | ubuntu\_1804\_aws\_ami\_id | AMI ID of Ubuntu 18.04 |
29 | 
30 | <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
31 | 


--------------------------------------------------------------------------------
/modules/aws-data/main.tf:
--------------------------------------------------------------------------------
 1 | data "aws_region" "selected" {}
 2 | 
 3 | data "aws_availability_zones" "available" {}
 4 | 
 5 | data "aws_ami" "ubuntu_1804" {
 6 |   most_recent = true
 7 |   owners      = ["099720109477"]
 8 | 
 9 |   filter {
10 |     name   = "name"
11 |     values = ["ubuntu-minimal/images/*/ubuntu-bionic-18.04-*"]
12 |   }
13 | 
14 |   filter {
15 |     name   = "virtualization-type"
16 |     values = ["hvm"]
17 |   }
18 | 
19 |   filter {
20 |     name   = "root-device-type"
21 |     values = ["ebs"]
22 |   }
23 | 
24 |   filter {
25 |     name   = "architecture"
26 |     values = ["x86_64"]
27 |   }
28 | }
29 | 
30 | data "aws_ami" "amazon_linux2" {
31 |   most_recent = true
32 |   owners      = ["137112412989"] # Amazon
33 | 
34 |   filter {
35 |     name   = "name"
36 |     values = ["amzn2-ami-hvm-*"]
37 |   }
38 | 
39 |   filter {
40 |     name   = "root-device-type"
41 |     values = ["ebs"]
42 |   }
43 | 
44 |   filter {
45 |     name   = "architecture"
46 |     values = ["x86_64"]
47 |   }
48 | 
49 |   filter {
50 |     name   = "virtualization-type"
51 |     values = ["hvm"]
52 |   }
53 | 
54 | }
55 | 


--------------------------------------------------------------------------------
/modules/aws-data/outputs.tf:
--------------------------------------------------------------------------------
 1 | output "aws_region" {
 2 |   description = "Details about selected AWS region"
 3 |   value       = data.aws_region.selected
 4 | }
 5 | 
 6 | output "available_aws_availability_zones_names" {
 7 |   description = "A list of the Availability Zone names available to the account"
 8 |   value       = data.aws_availability_zones.available.names
 9 | }
10 | 
11 | output "available_aws_availability_zones_zone_ids" {
12 |   description = "A list of the Availability Zone IDs available to the account"
13 |   value       = data.aws_availability_zones.available.zone_ids
14 | }
15 | 
16 | output "amazon_linux2_aws_ami_id" {
17 |   description = "AMI ID of Amazon Linux 2"
18 |   value       = data.aws_ami.amazon_linux2.id
19 | }
20 | 
21 | output "ubuntu_1804_aws_ami_id" {
22 |   description = "AMI ID of Ubuntu 18.04"
23 |   value       = data.aws_ami.ubuntu_1804.id
24 | }
25 | 


--------------------------------------------------------------------------------
/modules/organizations/README.md:
--------------------------------------------------------------------------------
 1 | # organizations
 2 | 
 3 | This module describes all AWS Organizations resources as-is. Most of this code has been imported from already created resources (before this project started).
 4 | 
 5 | <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 6 | ## Requirements
 7 | 
 8 | No requirements.
 9 | 
10 | ## Providers
11 | 
12 | | Name | Version |
13 | |------|---------|
14 | | aws | n/a |
15 | 
16 | ## Inputs
17 | 
18 | | Name | Description | Type | Default | Required |
19 | |------|-------------|------|---------|:--------:|
20 | | feature\_set | Specify 'ALL' (default) or 'CONSOLIDATED\_BILLING'. | `string` | `"ALL"` | no |
21 | 
22 | ## Outputs
23 | 
24 | | Name | Description |
25 | |------|-------------|
26 | | acme\_prod\_organizations\_account\_arn | The ARN for this account |
27 | | acme\_prod\_organizations\_account\_id | The AWS account id |
28 | | acme\_staging\_organizations\_account\_arn | The ARN for this account |
29 | | acme\_staging\_organizations\_account\_id | The AWS account id |
30 | | this\_organizations\_organization\_arn | ARN of the organization |
31 | | this\_organizations\_organization\_id | Identifier of the organization |
32 | | this\_organizations\_organization\_master\_account\_arn | ARN of the master account |
33 | | this\_organizations\_organization\_master\_account\_email | Email address of the master account |
34 | | this\_organizations\_organization\_master\_account\_id | Identifier of the master account |
35 | 
36 | <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
37 | 


--------------------------------------------------------------------------------
/modules/organizations/main.tf:
--------------------------------------------------------------------------------
 1 | variable "feature_set" {
 2 |   description = "Specify 'ALL' (default) or 'CONSOLIDATED_BILLING'."
 3 |   default     = "ALL"
 4 | }
 5 | 
 6 | resource "aws_organizations_organization" "this" {
 7 |   feature_set = var.feature_set
 8 | }
 9 | 
10 | output "this_organizations_organization_id" {
11 |   description = "Identifier of the organization"
12 |   value       = aws_organizations_organization.this.id
13 | }
14 | 
15 | output "this_organizations_organization_arn" {
16 |   description = "ARN of the organization"
17 |   value       = aws_organizations_organization.this.arn
18 | }
19 | 
20 | output "this_organizations_organization_master_account_arn" {
21 |   description = "ARN of the master account"
22 |   value       = aws_organizations_organization.this.master_account_arn
23 | }
24 | 
25 | output "this_organizations_organization_master_account_email" {
26 |   description = "Email address of the master account"
27 |   value       = aws_organizations_organization.this.master_account_email
28 | }
29 | 
30 | output "this_organizations_organization_master_account_id" {
31 |   description = "Identifier of the master account"
32 |   value       = aws_organizations_organization.this.master_account_id
33 | }
34 | 
35 | // acme-prod
36 | resource "aws_organizations_account" "acme_prod" {
37 |   name                       = "acme-prod"
38 |   email                      = "anton+acme-prod@antonbabenko.com"
39 |   iam_user_access_to_billing = "ALLOW"
40 |   role_name                  = "admin"
41 | }
42 | 
43 | output "acme_prod_organizations_account_id" {
44 |   description = "The AWS account id"
45 |   value       = aws_organizations_account.acme_prod.id
46 | }
47 | 
48 | output "acme_prod_organizations_account_arn" {
49 |   description = "The ARN for this account"
50 |   value       = aws_organizations_account.acme_prod.arn
51 | }
52 | 
53 | // acme-staging
54 | resource "aws_organizations_account" "acme_staging" {
55 |   name                       = "acme-staging"
56 |   email                      = "anton+acme-prod@antonbabenko.com"
57 |   iam_user_access_to_billing = "ALLOW"
58 |   role_name                  = "admin"
59 | }
60 | 
61 | output "acme_staging_organizations_account_id" {
62 |   description = "The AWS account id"
63 |   value       = aws_organizations_account.acme_staging.id
64 | }
65 | 
66 | output "acme_staging_organizations_account_arn" {
67 |   description = "The ARN for this account"
68 |   value       = aws_organizations_account.acme_staging.arn
69 | }
70 | 


--------------------------------------------------------------------------------