├── .gitignore
├── LICENSE
├── amis
    └── ami
    │   ├── ami.json
    │   ├── user_data.sh
    │   └── variables.json
├── docs
    ├── AMIs.md
    ├── AWS Service Level Security Compliance.md
    ├── Arch.graffle
    │   ├── data.plist
    │   ├── image1.pdf
    │   ├── image10.pdf
    │   ├── image11.pdf
    │   ├── image12.pdf
    │   ├── image14.pdf
    │   ├── image15.pdf
    │   ├── image18.pdf
    │   ├── image19.pdf
    │   ├── image20.pdf
    │   ├── image21.pdf
    │   ├── image22.pdf
    │   ├── image24.pdf
    │   ├── image25.pdf
    │   ├── image3.pdf
    │   ├── image4.pdf
    │   ├── image5.pdf
    │   └── image7.pdf
    ├── Bastion.md
    ├── Containers.md
    ├── Multi Account Setup.md
    ├── Patterns.md
    ├── README.md
    └── Standards.md
├── environments
    ├── account
    │   ├── config.tf
    │   ├── iam.tf
    │   ├── locals.tf
    │   ├── main.tf
    │   └── versions.tf
    └── domain
    │   ├── cloudfront-lambda-viewer-response.js
    │   ├── cloudfront.tf
    │   ├── dynamodb.tf
    │   ├── ecs-alb.tf
    │   ├── ecs-nlb.tf
    │   ├── ecs.tf
    │   ├── elasticsearch.tf
    │   ├── elasticsearch
    │       └── mappings.json
    │   ├── locals.tf
    │   ├── main.tf
    │   ├── mysql.tf
    │   ├── postgres.tf
    │   ├── postgres
    │       ├── postgis.sql
    │       └── uuid.sql
    │   ├── redis.tf
    │   ├── versions.tf
    │   └── vpc.tf
├── master
    ├── account
    │   ├── config.tf
    │   ├── iam.tf
    │   ├── locals.tf
    │   ├── main.tf
    │   ├── organization.tf
    │   └── versions.tf
    ├── operations
    │   ├── ami.tf
    │   ├── dns.tf
    │   ├── ecr.tf
    │   ├── locals.tf
    │   ├── main.tf
    │   └── versions.tf
    └── state
    │   ├── main.tf
    │   └── versions.tf
└── package.json


/.gitignore:
--------------------------------------------------------------------------------
 1 | #  Local .terraform directories
 2 | **/.terraform/*
 3 | 
 4 | # .tfstate files
 5 | *.tfstate
 6 | *.tfstate.*
 7 | 
 8 | # .tfvars files
 9 | #*.tfvars
10 | 
11 | 
12 | terraform-profile.auto.tfvars
13 | 
14 | # Node
15 | node_modules
16 | package-lock.json
17 | 
18 | # IDE
19 | .idea
20 | *.iml
21 | 
22 | 
23 | # OS
24 | .DS_Store
25 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2018 will Farrell
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/amis/ami/ami.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "variables": {
 3 |     "profile": "",
 4 |     "region": "",
 5 |     "ami_regions": ""
 6 |   },
 7 |   "builders": [
 8 |     {
 9 |       "type": "amazon-ebs",
10 |       "profile": "{{user `profile`}}",
11 |       "region": "{{user `region`}}",
12 |       "ami_regions": "{{user `ami_regions`}}",
13 |       "source_ami_filter": {
14 |         "filters": {
15 |           "virtualization-type": "hvm",
16 |           "name": "amzn-ami-vpc-nat-hvm-*-x86_64-ebs",
17 |           "root-device-type": "ebs"
18 |         },
19 |         "owners": [
20 |           "137112412989"
21 |         ],
22 |         "most_recent": true
23 |       },
24 |       "instance_type": "t2.micro",
25 |       "ssh_username": "ec2-user",
26 |       "ami_name": "amzn-ami-vpc-nat-hvm-{{isotime \"20060102030405\"}}-x86_64-ebs"
27 |     }
28 |   ],
29 |   "provisioners": [
30 |     {
31 |       "type": "shell",
32 |       "script": "user_data.sh",
33 |       "execute_command": "sudo -S env {{ .Vars }} {{ .Path }}"
34 |     }
35 |   ]
36 | }


--------------------------------------------------------------------------------
/amis/ami/user_data.sh:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 | 
3 | echo "***** Update *****"
4 | yum update -y
5 | 


--------------------------------------------------------------------------------
/amis/ami/variables.json:
--------------------------------------------------------------------------------
1 | {
2 |   "profile": "default",
3 |   "ami_regions": "us-east-2,us-west-2,ca-central-1",
4 |   "region": "us-east-1"
5 | }
6 | 


--------------------------------------------------------------------------------
/docs/AMIs.md:
--------------------------------------------------------------------------------
 1 | # Packer
 2 | Packer scripts for creating up to date AMIs for faster initial boot time.
 3 | The subfolders are named as their respective terraform modules e.g. the scripts 
 4 | for creating AMI for the bastion modules are in "bastion" subfolder.
 5 | Creating the AMI in all required regions is a prerequisite for using the ec2, bastion and ecs terraform modules.
 6 | 
 7 | ## Features
 8 | - Updated operating system 
 9 | - CloudWatch logging enabled
10 | - CloudWatch agent for collecting additional metrics
11 | - Inspector agent for allowing running of security assessments in Amazon Inspector
12 | - SSM Agent for allowing shell access from Session AWS Systems Manager
13 | - bastion AMI only - `authorized_keys` generated from users in an IAM group
14 | 
15 | ## Requirements
16 | ```bash
17 | $ brew install packer
18 | ```
19 | 
20 | ## Setup
21 | To create the AMIs, go to the respective subfolder, edit the `variables.json`, and run:
22 | ```bash
23 | packer build -var-file=variables.json ami.json
24 | ```
25 | 
26 | ## Input - these are located in variables.json
27 | - **profile** the profile to use in the shared credentials file for AWS. 
28 | - **ami_regions:** a list of regions to copy the AMI to. Tags and attributes are copied along with the AMI. 
29 | - **region:** the name of the region, such as us-east-1, in which to launch the EC2 instance to create the AMI.
30 | - **user_data.sh:** - this file contain the provisioning shell script.
31 | 
32 | ## Output 
33 | Along with the entire output from running the provisioning commands at the end of successfull execution the AMI ids in all regions are displayed.
34 | 
35 | 
36 | 


--------------------------------------------------------------------------------
/docs/AWS Service Level Security Compliance.md:
--------------------------------------------------------------------------------
 1 | # AWS Service Level Security Compliance
 2 | 
 3 | Last reviewed: 2019-08-01
 4 | Sources:
 5 | - https://aws.amazon.com/compliance/programs
 6 | - https://aws.amazon.com/compliance/csa
 7 | - https://aws.amazon.com/compliance/services-in-scope
 8 | - https://aws.amazon.com/compliance/fips
 9 | 
10 | Compliance Report: https://aws.amazon.com/artifact/getting-started
11 | 
12 | ## Certifications
13 | - CSA
14 | - SOC: 1,2,3
15 | - PCI: DSS Level 1
16 | - ISO: 9001:2015, 27001:2013, 27017:2015, 27018:2014
17 | - FIPS: 140-2
18 | 
19 | Service                            | SOC | PCI | ISO | FIPS | Dependencies | NOTES + CONSIDERATIONS
20 | -----------------------------------|-----|-----|-----|------|--------------|------------
21 | API Gateway (APIG)                 | Yes | Yes | Yes | US   |              | Deployed with serverless
22 | Certificate Manager (ACM)          | Yes | Yes | Yes | No   |              | Security Secret Management
23 | CloudFront (CDN)                   | Yes | Yes | Yes | No   |              | Edge Service
24 | CloudFormation                     | Yes | Yes | Yes | US   |              | DevOps, Deployed with serverless
25 | CloudHSM                           | Yes | Yes | Yes | No   |              | Security Secret Management
26 | CloudTrail                         | Yes | Yes | Yes | US   | S3           | Edge Service, Security Logging
27 | CloudWatch                         | Yes | Yes | Yes | No   |              | DevOps, PCI for Logs only
28 | Config                             | Yes | Yes | Yes | US   |              | Security Scanning
29 | Cognito                            | Yes | Yes | Yes | US   |              | Security Authentication
30 | DynamoDB                           | Yes | Yes | Yes | Yes  |              | 
31 | Elastic Block Storage (EBS)        | Yes | Yes | Yes | US   | VPC          | 
32 | Elastic Compute Cloud (EC2)        | Yes | Yes | Yes | Yes  | VPC          | 
33 | Elastic Container Registry (ECR)   | Yes | Yes | Yes | No   |              |
34 | Elastic Container Service (ECS)    | Yes | Yes | Yes | No   | VPC          | 
35 | Elastic File System (EFS)          | Yes | Yes | Yes | No   | VPC          | 
36 | Elastic Load Balancing (ELB)       | Yes | Yes | Yes | US   | VPC          | 
37 | ElastiCache                        | Yes | Yes | Yes | US   | VPC          | redis only
38 | Elasticsearch Service              | Yes | Yes | Yes | US   |              | 
39 | GuardDuty                          | Yes | Yes | Yes | No   |              | Security Scanner
40 | Identity & Access Management (IAM) | Yes | Yes | Yes | US   |              | Edge Service	
41 | Inspector                          | Yes | Yes | Yes | US   | EC2          | Security Scanner
42 | Key Management Service (KMS)       | Yes | Yes | Yes | US   |              | Security Secret Management
43 | Kinesis Data Firehose              | Yes | Yes | Yes | US   |              | Security Logging
44 | Lambda                             | Yes | Yes | Yes | US   |              | 
45 | Lambda@Edge                        | Yes | Yes | No  | No   | CDN          | Edge Service currently used with CloudFront to enforce CSP headers on static assets
46 | Macie                              | Yes | Yes | Yes | No   | S3           | Security Scanner
47 | Organizations                      | Yes | No  | Yes | No   |              | Edge Service
48 | Relational Database Service (RDS)  | Yes | Yes | Yes | Yes  | VPC          | 
49 | Route 53 (DNS)                     | Yes | Yes | Yes | US   |              | Edge Service
50 | Security Hub                       | Yes | Yes | Yes | No   |              | Security Scanner
51 | Security Token Service (STS)       | --- | --- | --- | Yes  |              | Security
52 | Shield                             | Yes | Yes | Yes | US   | APIG,CDN,ELB | Security
53 | Simple Email Service (SES)         | Yes | No  | Yes | No   |              | Edge service
54 | Simple Notification Service (SNS)  | Yes | Yes | Yes | US   |              | 
55 | Simple Queue Service (SQS)         | Yes | Yes | Yes | US   |              | 
56 | Simple Storage Service (S3)        | Yes | Yes | Yes | US   |              | Includes Glacier
57 | Step Functions                     | Yes | Yes | Yes | No   |              | 
58 | Systems Manager (SSM)              | Yes | Yes | Yes | No   |              | Security Secret Management
59 | Trusted Advisor                    | No  | No  | Yes | No   |              | Edge Service, Security Scanner
60 | Virtual Private Cloud (VPC)        | Yes | Yes | Yes | US   |              |
61 | Web Application Firewall (WAF)     | Yes | Yes | Yes | US   | APIG,CDN,ELB | Security Scanner
62 | X-Ray                              | Yes | Yes | Yes | No   | APIG,EC2,ECS | DevOps
63 | 
64 | ## Encryption at Rest 
65 | 
66 | Service                           | Keys | Notes
67 | ----------------------------------|------|------
68 | DynamoDB                          | AWS  | 
69 | Elastic Block Storage (EBS)       | KMS  | 
70 | Elastic Compute Cloud (EC2) AMI   | KMS  | Encrypted AMI can only be used in the same account.
71 | Elastic Container Registry (ECR)  | No   | 
72 | Elastic File System (EFS)         | KMS  | 
73 | ElastiCache                       | AWS  | 
74 | Elasticsearch Service             | KMS  | Only certain instances [Docs](https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/aes-supported-instance-types.html)
75 | Lambda                            | KMS  | 
76 | Relational Database Service (RDS) | KMS  | Only certain instances [Docs](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html#Overview.Encryption.Limitations)
77 | Simple Storage Service (S3)       | KMS* | ELB logs cannot use KMS - TODO re-check
78 | 
79 | ## Encryption in Transit
80 | Service                           | TLS  | Notes
81 | ----------------------------------|------|------
82 | Elastic File System (EFS)         | 1.2  | OCSP option
83 | ElastiCache                       | 1.2? | 
84 | Elasticsearch Service             | 1.2? |
85 | Relational Database Service (RDS) | 1.2? | Requires `ssl:true` to be set in application, or use serverless.
86 | 


--------------------------------------------------------------------------------
/docs/Arch.graffle/data.plist:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/willfarrell/terraform-aws-template/6050637c59019a4f6d39c6b544adcc5ac1de1133/docs/Arch.graffle/data.plist


--------------------------------------------------------------------------------
/docs/Arch.graffle/image1.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/willfarrell/terraform-aws-template/6050637c59019a4f6d39c6b544adcc5ac1de1133/docs/Arch.graffle/image1.pdf


--------------------------------------------------------------------------------
/docs/Arch.graffle/image10.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/willfarrell/terraform-aws-template/6050637c59019a4f6d39c6b544adcc5ac1de1133/docs/Arch.graffle/image10.pdf


--------------------------------------------------------------------------------
/docs/Arch.graffle/image11.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/willfarrell/terraform-aws-template/6050637c59019a4f6d39c6b544adcc5ac1de1133/docs/Arch.graffle/image11.pdf


--------------------------------------------------------------------------------
/docs/Arch.graffle/image12.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/willfarrell/terraform-aws-template/6050637c59019a4f6d39c6b544adcc5ac1de1133/docs/Arch.graffle/image12.pdf


--------------------------------------------------------------------------------
/docs/Arch.graffle/image14.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/willfarrell/terraform-aws-template/6050637c59019a4f6d39c6b544adcc5ac1de1133/docs/Arch.graffle/image14.pdf


--------------------------------------------------------------------------------
/docs/Arch.graffle/image15.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/willfarrell/terraform-aws-template/6050637c59019a4f6d39c6b544adcc5ac1de1133/docs/Arch.graffle/image15.pdf


--------------------------------------------------------------------------------
/docs/Arch.graffle/image18.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/willfarrell/terraform-aws-template/6050637c59019a4f6d39c6b544adcc5ac1de1133/docs/Arch.graffle/image18.pdf


--------------------------------------------------------------------------------
/docs/Arch.graffle/image19.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/willfarrell/terraform-aws-template/6050637c59019a4f6d39c6b544adcc5ac1de1133/docs/Arch.graffle/image19.pdf


--------------------------------------------------------------------------------
/docs/Arch.graffle/image20.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/willfarrell/terraform-aws-template/6050637c59019a4f6d39c6b544adcc5ac1de1133/docs/Arch.graffle/image20.pdf


--------------------------------------------------------------------------------
/docs/Arch.graffle/image21.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/willfarrell/terraform-aws-template/6050637c59019a4f6d39c6b544adcc5ac1de1133/docs/Arch.graffle/image21.pdf


--------------------------------------------------------------------------------
/docs/Arch.graffle/image22.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/willfarrell/terraform-aws-template/6050637c59019a4f6d39c6b544adcc5ac1de1133/docs/Arch.graffle/image22.pdf


--------------------------------------------------------------------------------
/docs/Arch.graffle/image24.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/willfarrell/terraform-aws-template/6050637c59019a4f6d39c6b544adcc5ac1de1133/docs/Arch.graffle/image24.pdf


--------------------------------------------------------------------------------
/docs/Arch.graffle/image25.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/willfarrell/terraform-aws-template/6050637c59019a4f6d39c6b544adcc5ac1de1133/docs/Arch.graffle/image25.pdf


--------------------------------------------------------------------------------
/docs/Arch.graffle/image3.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/willfarrell/terraform-aws-template/6050637c59019a4f6d39c6b544adcc5ac1de1133/docs/Arch.graffle/image3.pdf


--------------------------------------------------------------------------------
/docs/Arch.graffle/image4.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/willfarrell/terraform-aws-template/6050637c59019a4f6d39c6b544adcc5ac1de1133/docs/Arch.graffle/image4.pdf


--------------------------------------------------------------------------------
/docs/Arch.graffle/image5.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/willfarrell/terraform-aws-template/6050637c59019a4f6d39c6b544adcc5ac1de1133/docs/Arch.graffle/image5.pdf


--------------------------------------------------------------------------------
/docs/Arch.graffle/image7.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/willfarrell/terraform-aws-template/6050637c59019a4f6d39c6b544adcc5ac1de1133/docs/Arch.graffle/image7.pdf


--------------------------------------------------------------------------------
/docs/Bastion.md:
--------------------------------------------------------------------------------
 1 | # Bastion Docs
 2 | Connecting to services in your AWS VPC.
 3 | 
 4 | ## IAM
 5 | ### Generate Key
 6 | Run [script](https://gist.github.com/willfarrell/e9b7553367f5edca0ac7e0b8e9647a040) or see below
 7 | ```bash
 8 | # Amazon only accepts RSA Keys
 9 | $ ssh-keygen -q -t rsa -b 4096 -o -N '' -C "Your Device Name Here" -f ~/.ssh/id_rsa
10 | $ ssh-add ~/.ssh/id_rsa
11 | ```
12 | 
13 | ### Upload to AWS
14 | Copy your key contents:
15 | ```bash
16 | $ cat ~/.ssh/id_rsa.pub
17 | ```
18 | 
19 | Go to `https://console.aws.amazon.com/iam/home?#/users/username?section=security_credentials`. 
20 | 
21 | Press `Upload SSH public key`.
22 | 
23 | Paste contents in and press `Upload SSH public key`.
24 | 
25 | ### AWS Config
26 | You should have the proper access keys in your `~/.aws/credentials` file. They should follow the below pattern.
27 | ```bash
28 | # ~/.aws/credentials
29 | [${name}]
30 | aws_access_key_id = 
31 | aws_secret_access_key = 
32 | 
33 | [${name}-${workspace}]
34 | source_profile = ${name}
35 | role_arn = arn:aws:iam::${SUB_ACCOUNT_ID}:role/admin
36 | session_name = ${name}-${workspace}
37 | ```
38 | 
39 | ## SSH
40 | Keep your ssh configs clean, used `config.d`.
41 | **~/.ssh/config**
42 | ```bash
43 | Include config.d/*
44 | ```
45 | 
46 | **~/.ssh/config.d/example**
47 | ```bash
48 | ### Company Name (cn) ###
49 | 
50 | # ssh -N cn-proxy-${environment}
51 | Host cn-proxy-${environment}
52 |   HostName ${BASTION_IP}
53 |   IdentityFile ~/.ssh/id_rsa
54 |   User ${USERNAME}
55 |   ControlPath /tmp/ssh_cn-proxy-${environment}
56 |   LocalForward 3307 mysql-test.*****.us-east-1.rds.amazonaws.com:3306
57 |   LocalForward 5432 postgres-test.*****.us-east-1.rds.amazonaws.com:5432
58 |   LocalForward 6378 redis-test.*****.0001.use1.cache.amazonaws.com:6379
59 |   # TODO elasticsearch example
60 |   # TODO Private ALB example
61 | 
62 | Host cn-bastion-${environment}
63 |   HostName ${BASTION_IP}
64 |   IdentityFile ~/.ssh/id_rsda
65 |   User ${USERNAME}
66 |   ControlPath /tmp/ssh_cn-bastion-${environment}
67 | 
68 | Host cn-${environment}-*
69 |   ProxyCommand ssh -W %h:%p cn-bastion-${environment}
70 |   IdentityFile ~/.ssh/id_rsa
71 |   User ${USERNAME}
72 |   
73 | Host cn-${environment}-nat
74 |   HostName ${PRIVATE_IP}
75 | ```
76 | 
77 | ## SSM
78 | Install the Session Manager Plugin for the AWS CLI - https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html
79 | 
80 | To start new shell session from aws cli
81 | ```bash
82 | $ aws ssm start-session --target i-00000000000000000 --region ca-central-1 --profile ${name}
83 | ```
84 | 


--------------------------------------------------------------------------------
/docs/Containers.md:
--------------------------------------------------------------------------------
 1 | 
 2 | # ECS
 3 | 
 4 | 
 5 | ## Fargate
 6 | - fixed memory
 7 | - tasks
 8 | 
 9 | ## EC2
10 | - shared volumes
11 | - long running services
12 | 
13 | ### EC2 w/ ALB
14 | - reachable by the public
15 | 
16 | ### EC2 w/ NLB
17 | - tasks
18 | - reachable by the private resources
19 | 
20 | ### EC2
21 | - tasks
22 | - long running services
23 | 


--------------------------------------------------------------------------------
/docs/Multi Account Setup.md:
--------------------------------------------------------------------------------
  1 | # Multi Account Setup
  2 | 
  3 | ## Manual Steps
  4 | 1. Create Master Account *
  5 | 1. Create Sub Accounts *
  6 | 1. Setup Master Account *
  7 | 1. Setup Login Account *
  8 | 1. Setup Sub Accounts *
  9 | 
 10 | \* See collection of re-usable steps below.
 11 | 
 12 | ### Create Master Account
 13 | See [How do I create and activate a new Amazon Web Services account?](https://aws.amazon.com/premiumsupport/knowledge-center/create-and-activate-aws-account/)
 14 | 1. Go to [AWS](https://aws.amazon.com/).
 15 | 1. Click `Create an AWS Account`, orange button in the top right corner.
 16 | 1. Enter `Email` (aws+master@example.com), `Password`, `Confirm Password`, `AWS account name` (master) and press `Continue`.
 17 | 1. Enter `Account type` (Professional), remaining fields and press `Create Account and Continue`.
 18 | 1. Enter payment information and press `Secure Submit`.
 19 | 1. Enter `Security Check` and press `Call me now`.
 20 | 1. Enter 4-digit code into your phone after picking up and press `Continue`.
 21 | 1. Press `Free`.
 22 | 1. Setup MFA *
 23 | 1. Press `Add` .
 24 | 1. Services activation can take up to 24h.
 25 | 
 26 | ### Setup Master Account
 27 | 1. Create `terraform` User *
 28 | 1. `terraform apply` `./master/state`
 29 | 1. `terraform apply` `./master/account`
 30 | 1. Delete `terraform` User from account
 31 | 
 32 | ### Create Sub Accounts
 33 | If `terraform` is unsuccessful.
 34 | 1. Must request from support to up the limit for Organizations / Number of Accounts to 6+ from 2
 35 | 1. Organizations -> `Create Organization`
 36 | 1. You should of received an `AWS Organizations email verification request`, Click `Verify your email address` in the email
 37 | 1. Press `Add Account`
 38 | 1. `Create Account` -> Enter Name, email
 39 | 
 40 | ### Setup Sub Accounts
 41 | 1. Set Sub Account Root Password (See [Accessing and Administering the Member Accounts in Your Organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html#orgs_manage_accounts_access-as-root))
 42 | 1. Create `terraform` User *
 43 | 1. `terraform apply` `./environments/account`
 44 | 1. Delete `terraform` User from account
 45 | 1. Repeat for each sub account
 46 | 
 47 | ### Create `terraform` User
 48 | 1. Go to IAM.
 49 | 1. Press `Add User`.
 50 | 1. Enter `User name` as `terraform`, check `Programmatic access` and press `Next: Permissions`.
 51 | 1. Press `Attach existing policies directly`, check `AdministratorAccess` and press `Next Review`.
 52 | 1. Press `Create user`.
 53 | 1. Copy `Access key ID` and `Secret access key` to `~/.aws/credentials` into `[main]` or `[main-account]`.
 54 | 1. Press `Close`.
 55 | 
 56 | 
 57 | ### Setup Login Account
 58 | 1. Go to [AWS Console Login](https://console.aws.amazon.com/iam/home/) (https://${alias}.signin.aws.amazon.com/console)
 59 | 1. Enter `Account ID or alias`, `IAM user name`, and `Passowrd` and press `Sign In`.
 60 | 1. Enter `Old Password`, `New password`, `Retype new password` and press `Confirm password change`.
 61 | 1. Got to [`IAM`](https://console.aws.amazon.com/iam/) if not already there.
 62 | 1. Setup MFA *
 63 | 1. Create Access Keys *
 64 | 
 65 | ### Create Access Keys
 66 | 1. Got to [`IAM`](https://console.aws.amazon.com/iam/home/) if not already there.
 67 | 1. Click `Users` -> `${username}` -> `Security credentials` -> `Create access key` under `Access Keys`.
 68 | 1. Copy into `~/.aws/credentials`.
 69 | 
 70 | ```bash
 71 | [main]
 72 | aws_access_key_id = access_key_id
 73 | aws_secret_access_key = secret_access_key
 74 | ```
 75 | 
 76 | ### Setup MFA
 77 | 1. Got to [`IAM`](https://console.aws.amazon.com/iam/home/) if not already there.
 78 | 1. Click `Users` -> `${username}` -> `Security credentials` -> `Manage` beside `Assigned MFA device:`. 
 79 | 1. Choose `Virtual device` and press `Continue`.
 80 | 1. Click `Show QR code` and scan QRCode into MFA device.
 81 | 1. Enter `MFA code 1`, wait ~30sec, enter `MFA code 2` and press `Assign MFA`.
 82 | 1. Press `Close`.
 83 | 
 84 | ### Setup `Switch Role` in Console
 85 | 1. From account drop down choose `Switch Role`.
 86 | 1. Press `Switch Role`.
 87 | 1. Enter `Account` (ID), `Role` (`OrganizationAccountAccessRole`,`admin`,`developer`), `Display Name` and press `Switch Role`.
 88 | 
 89 | ### Setup `Assume Role` in CLI
 90 | Update `~/.aws/credentials`:
 91 | ```bash
 92 | [main-environment]
 93 | source_profile = main
 94 | role_arn = arn:aws:iam::${account_id}:role/admin
 95 | session_name = main-environment
 96 | ```
 97 | 
 98 | ## Enabled Account level services
 99 | 
100 | ### Trusted Advisor
101 | 1. Go to [Trusted Advisor Dashboard](https://console.aws.amazon.com/trustedadvisor/home)
102 | 1. TODO https://aws.amazon.com/premiumsupport/trustedadvisor/
103 | 
104 | ### Macie
105 | 1. [Set Up](https://docs.aws.amazon.com/macie/latest/userguide/macie-setting-up.html#macie-setting-up-enable)
106 | 
107 | 


--------------------------------------------------------------------------------
/docs/Patterns.md:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 | 
 4 | 
 5 | ## Environmental Variables
 6 | 
 7 | AWS Secret Manager:
 8 |  - DB passwords
 9 |  - 3rd party account passwords
10 | AWS Systems Manager Parameter Store:
11 |  - Environment configurations variables
12 |  
13 | 


--------------------------------------------------------------------------------
/docs/README.md:
--------------------------------------------------------------------------------
  1 | # Infrastructure
  2 | Visit [`willfarrell/terraform-aws-template`](https://github.com/willfarrell/terraform-aws-template) for the latest improvements and most up to date documentation.
  3 | 
  4 | ## Accounts
  5 | 
  6 | Name        | Account ID   | Colour | Root Email         |
  7 | ------------|--------------|--------|--------------------|
  8 | master      |              | ------ |                    |
  9 | production  |              | Red    |                    |
 10 | staging     |              | Orange |                    |
 11 | testing     |              | Yellow |                    |
 12 | development |              | Green  |                    |
 13 | operations  |              | Blue   |                    |
 14 | forensics   |              | Purple |                    |
 15 | 
 16 | ## Project Structure
 17 | 
 18 | ```bash
 19 | ${project}-infrastructure
 20 | |-- package.json	# Script shortcuts (lint, install, deploy, test) & versioning?
 21 | |-- amis            # Collection of AMIs, built by Packer
 22 | |   |-- {name}      # AMI folders, ie bastion, ecs, nat or custom ones
 23 | |-- master			# Setup for root level account
 24 | |   |-- state		# Sets up state management for terraform
 25 | |   |-- account     # Account setup (Groups, Monitoring)
 26 | |   |-- operations	# Setup for operation pieces
 27 | |-- environments
 28 | |   |-- account     # Account setup (Roles, Monitoring)
 29 | |   |-- domain		# Domain specific VPC, App, API, ECS, etc. Rename folder to `name`.
 30 | |-- modules			# Collection of project specific modules
 31 | ```
 32 | 
 33 | ## Getting Started
 34 | For up to date documentation and modules see [terraform-aws-template](https://github.com/willfarrell/terraform-aws-template).
 35 | 
 36 | ### Installing CLIs
 37 | ```bash
 38 | $ brew install terraform
 39 | 
 40 | # Optional, for building AMIs
 41 | $ brew install packer
 42 | ```
 43 | 
 44 | - [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/install-macos.html)
 45 | - [AWS SSM Plugin](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html)
 46 | - [AWS ECS CLI](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ECS_CLI_installation.html)
 47 | 
 48 | ### Setup Terraform Workspaces
 49 | To create the workspaces, go to the respective subfolder (`/environments/*/`), and run:
 50 | 
 51 | ```bash
 52 | $ terraform init
 53 | $ terraform workspace new production
 54 | $ terraform workspace new staging
 55 | $ terraform workspace new testing
 56 | $ terraform workspace new development
 57 | ```
 58 | 
 59 | Ensure you have the right workspace selected before you `apply`.
 60 | 
 61 | ```bash
 62 | $ terraform workspace select development
 63 | $ terraform workspace list
 64 | ```
 65 | 
 66 | ### Setup Multi-Accounts
 67 | See [docs](./docs/Multi Account Setup.md) for detailed steps.
 68 | 
 69 | ### Build AMIs
 70 | To create the AMIs, go to the respective subfolder (`/amis/*/`), edit the `variables.json`, and run:
 71 | ```bash
 72 | $ packer build -var-file=variables.json ami.json
 73 | ```
 74 | 
 75 | See [docs](./docs/AMIs.md) for configuration and full documentation.
 76 | 
 77 | ### Install node dependencies
 78 | ```bash
 79 | $ npm run install:npm
 80 | ```
 81 | 
 82 | ## Switch Roles
 83 | - `OrganizationAccountAccessRole`: Admin Access
 84 | 
 85 | It is recommended that the `account/roles` module be forks to customized to specific needs
 86 | 
 87 | ## Manual Steps
 88 | - [Well-Architected Tool](https://aws.amazon.com/well-architected-tool/)
 89 | - [Trust Advisor](https://aws.amazon.com/premiumsupport/technology/trusted-advisor/)
 90 | - [Macie](https://docs.aws.amazon.com/macie/latest/userguide/macie-setting-up.html#macie-setting-up-enable)
 91 | 
 92 | ## Deployment Steps
 93 | 1. Build an AMIs that will be needed
 94 | ```bash
 95 | packer build -var-file=variables.json ami.json
 96 | ```
 97 | 
 98 | 1. master/state
 99 | 
100 | 1. master/account
101 |     - [ ] Users (Manual)
102 |     - [ ] Macie (Manual)
103 |     - [x] Sub-Accounts / Organization
104 |     - [x] Groups for sub account access
105 |     - [x] Roles for sub accounts (bastion, ECR)
106 |     - [x] AMI permissions
107 |     - [x] CloudTrail
108 |     - [x] GuardDuty
109 |     - [ ] Security Hub
110 | 
111 | 1. Switch Roles into each sub-account using `OrganizationAccountAccessRole`. Create a `terraform` user to bootstrap assume roles.
112 | Be sure to delete the user after you bootstrap
113 | 
114 | 1. Setup `terraform` workspaces
115 | Run the following in each `environments` folder
116 | ```bash
117 | terraform workspace new production
118 | terraform workspace new staging
119 | terraform workspace new testing
120 | terraform workspace new development
121 | terraform workspace select ${sub_account_name}
122 | ```
123 | 
124 | 1. environment/account
125 |     - [x] Roles (admin, developer, operator, audit, etc)
126 |     - [x] API Gateway Logs
127 |     - [x] CloudTrail
128 |     - [x] GuardDuty
129 |     - [ ] Inspector Agent
130 |     - [ ] Macie (Manual)
131 | 
132 | 1. At this point you'll need to update your AWS credentials.
133 | Update `~/.aws/credentials`:
134 | ```bash
135 | [${profile}-${sub_account_name}]
136 | source_profile = ${profile}
137 | role_arn = arn:aws:iam::${sub_account_id}:role/admin
138 | session_name = ${profile}-${sub_account_name}
139 | ```
140 | 
141 | 1. environment/domain
142 |     - [x] VPC
143 |     - [x] VPC Endpoints (S3, DynamoDB)
144 |     - [x] Bastion
145 |     - [x] RDS (postgres,mysql)
146 |     - [x] ElasticCache (redis)
147 |     - [x] ElasticSearch
148 |     - [x] DynamoDB
149 |     - [x] ALB + ECS
150 |     - [x] NLB + ECS
151 |     - [x] ECS
152 |     - [ ] API Gateway
153 |     - [ ] Events, SQS, SNS, Lambda, S3,
154 |     - [x] CloudFront
155 |     - [x] S3
156 |     - [ ] CloudWatch Dashboards
157 | 
158 | ## Built With
159 | - [Terraform](https://www.terraform.io/)
160 | - [Packer](https://www.packer.io/)
161 | - [NodeJS](https://nodejs.org/en/)
162 | 
163 | ### Modules
164 | - [state module](https://github.com/willfarrell/terraform-state-module)
165 | - [account modules](https://github.com/willfarrell/terraform-account-modules)
166 | - [logs module](https://github.com/willfarrell/terraform-logs-module)
167 | - [VPC module](https://github.com/willfarrell/terraform-vpc-module)
168 | - [DB modules](https://github.com/willfarrell/terraform-db-modules)
169 | - [EC modules](https://github.com/willfarrell/terraform-ec-modules)
170 | - [WAF module](https://github.com/willfarrell/terraform-waf-module)
171 | - [LB module](https://github.com/willfarrell/terraform-lb-module)
172 | - [IdP module](https://github.com/willfarrell/terraform-idp-module) - TODO
173 | - [CDN module](https://github.com/willfarrell/terraform-public-static-assets-module)
174 | 
175 | ## Contributing
176 | See Developer Guide (TODO add link)
177 | 
178 | ## Versioning
179 | We use [SemVer](http://semver.org/) for versioning. For the versions available, see the [tags on this repository](https://github.com/willfarrell/terraform-aws-template/tags).
180 | 
181 | ## Authors
182 | - [will Farrell](https://github.com/willfarrell)
183 | 
184 | See also the list of [contributors](https://github.com/willfarrell/terraform-aws-template/contributors) who participated in this project.
185 | 
186 | ## License
187 | 
188 | This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details
189 | 
190 | ## Acknowledgments
191 | 
192 | 


--------------------------------------------------------------------------------
/docs/Standards.md:
--------------------------------------------------------------------------------
 1 | # Standards
 2 | 
 3 | ## User Interface
 4 | - a11y: accessibility
 5 |  - ARIA: Accessible Rich Internet Applications
 6 |  - WAI: Web Accessibility Initiative
 7 |  - WCAG: Web Content Accessibility Guidelines
 8 | - i18n: internationalization
 9 | - l10n: localization
10 | 
11 | ## Data Format
12 | - ISO 639-1: Language - ex. `en` for English `fr` for French 
13 | - ISO 3166-1: Country - ex. `CA` for Canada
14 | - ISO 3166-2: Region - ex. `AB` for Alberta
15 | - RFC 3282: Content Language Headers - combines ISO 639-1 & 3166-1 to identify one preferred Locale - ex `en-CA` for Canadian English
16 | - RFC 3492: Punycode for Internationalized Domain Names - ex support of emojis in email addresses
17 | - ISO 19160: International Addressing (United Postal Union S42)
18 | - E.164: International Public Telecommunication Numbering Plan - ex `+18005554444`


--------------------------------------------------------------------------------
/environments/account/config.tf:
--------------------------------------------------------------------------------
 1 | # Edge Region
 2 | 
 3 | module "edge-logs" {
 4 |   #source = "git@github.com:willfarrell/terraform-logs-module?ref=v0.5.2"
 5 |   source = "../../../../../github/terraform-logs-module"
 6 |   name   = "${local.workspace["name"]}-${local.workspace["env"]}-edge"
 7 |   providers = {
 8 |     aws = aws.edge
 9 |   }
10 |   tags = {
11 |     Name = "Edge Logs"
12 |   }
13 | }
14 | 
15 | module "cloudtrail" {
16 |   #source         = "git@github.com:willfarrell/terraform-account-modules//cloudtrail?ref=v0.0.1"
17 |   source         = "../../../../../github/terraform-account-modules/cloudtrail"
18 |   name           = local.workspace["name"]
19 |   logging_bucket = module.edge-logs.id
20 |   providers = {
21 |     aws = aws.edge
22 |   }
23 | }
24 | 
25 | module "apigateway-logs" {
26 |   #source = "git@github.com:willfarrell/terraform-account-modules//api-gateway?ref=v0.0.1"
27 |   source = "../../../../../github/terraform-sub-account-modules/api-gateway"
28 |   providers = {
29 |     aws = aws.edge
30 |   }
31 | }
32 | 
33 | module "route53-logs" {
34 |   #source = "git@github.com:willfarrell/terraform-account-modules//route53?ref=v0.0.1"
35 |   source = "../../../../../github/terraform-sub-account-modules/route53"
36 | }
37 | 
38 | module "elasticsearch-logs" {
39 |   #source = "git@github.com:willfarrell/terraform-account-modules//route53?ref=v0.0.1"
40 |   source = "../../../../../github/terraform-sub-account-modules/elasticsearch"
41 | }
42 | 
43 | 
44 | 
45 | # Primary Region
46 | 
47 | module "region-logs" {
48 |   #source = "git@github.com:willfarrell/terraform-logs-module?ref=v0.5.2"
49 |   source = "../../../../../github/terraform-logs-module"
50 |   name   = "${local.workspace["name"]}-${local.workspace["env"]}-${local.workspace["region"]}"
51 |   tags = {
52 |     Name = "${local.workspace["region"]} Logs"
53 |   }
54 | }
55 | 
56 | 
57 | 


--------------------------------------------------------------------------------
/environments/account/iam.tf:
--------------------------------------------------------------------------------
 1 | module "roles" {
 2 |   source            = "git@github.com:willfarrell/terraform-account-modules//roles?ref=v0.0.1"
 3 |   type              = "member"
 4 |   master_account_id = data.terraform_remote_state.master.outputs.account_id
 5 |   providers = {
 6 |     aws = aws.edge
 7 |   }
 8 | }
 9 | 
10 | output "role_arns" {
11 |   value = module.roles.arns
12 | }
13 | 


--------------------------------------------------------------------------------
/environments/account/locals.tf:
--------------------------------------------------------------------------------
 1 | locals {
 2 |   env = {
 3 |     default = {
 4 |       env     = terraform.workspace
 5 |       name    = "{**NAME**}"
 6 |       profile = "{**PROFILE**}"
 7 |       region  = "us-west-2"
 8 |     }
 9 | 
10 |     production = {}
11 | 
12 |     staging = {}
13 | 
14 |     testing = {}
15 | 
16 |     development = {}
17 |   }
18 | 
19 |   workspace = merge(local.env["default"], local.env[terraform.workspace])
20 | }
21 | 
22 | output "workspace" {
23 |   value = terraform.workspace
24 | }
25 | 


--------------------------------------------------------------------------------
/environments/account/main.tf:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   backend "s3" {
 3 |     bucket         = "terraform-state-{**NAME**}"
 4 |     key            = "account/terraform.tfstate"
 5 |     region         = "us-east-1"
 6 |     profile        = "{**PROFILE**}"
 7 |     dynamodb_table = "terraform-state-{**NAME**}"
 8 |     encrypt        = true
 9 |   }
10 | }
11 | 
12 | # On first run have terraform user creds attached to profile
13 | # change credentials for assume role for future runs
14 | provider "aws" {
15 |   profile = "${local.workspace["profile"]}-${local.workspace["env"]}"
16 |   region  = local.workspace["region"]
17 | }
18 | 
19 | provider "aws" {
20 |   profile = "${local.workspace["profile"]}-${local.workspace["env"]}"
21 |   region  = "us-east-1"
22 |   alias   = "edge"
23 | }
24 | 
25 | data "terraform_remote_state" "master" {
26 |   backend = "s3"
27 | 
28 |   config = {
29 |     bucket  = "terraform-state-${local.workspace["name"]}"
30 |     key     = "master/account/terraform.tfstate"
31 |     region  = "us-east-1"
32 |     profile = local.workspace["profile"]
33 |   }
34 | }
35 | 


--------------------------------------------------------------------------------
/environments/account/versions.tf:
--------------------------------------------------------------------------------
1 | 
2 | terraform {
3 |   required_version = ">= 0.12"
4 | }
5 | 


--------------------------------------------------------------------------------
/environments/domain/cloudfront-lambda-viewer-response.js:
--------------------------------------------------------------------------------
 1 | 'use strict'
 2 | 
 3 | const headers = {
 4 |   'any': {
 5 |     'Server': '',
 6 |     'X-Content-Type-Options': 'nosniff',
 7 |     'Referrer-Policy': 'no-referrer',
 8 |     'Strict-Transport-Security': 'max-age=31536000; includeSubdomains; preload'
 9 |     //"Expect-CT":""
10 |   },
11 |   'html': {
12 |     // Content-Security-Policy-Report-Only: https://${username}.report-uri.com/r/d/csp/reportOnly
13 |     // Content-Security-Policy:             https://${username}.report-uri.com/r/d/csp/enforce
14 |     'Content-Security-Policy-Report-Only': 'default-src \'none\';' +
15 |       ' img-src \'none\';' +
16 |       ' script-src \'none\';' +
17 |       ' style-src \'none\';' +
18 |       ' connect-src \'none\';' +
19 |       ' base-uri \'none\';' +
20 |       ' frame-ancestors \'none\';' +
21 |       ' block-all-mixed-content;' +
22 |       ' upgrade-insecure-requests;' +
23 |       ' report-uri https://*******.report-uri.com/r/d/csp/reportOnly',
24 |     // https://github.com/WICG/feature-policy/blob/master/features.md
25 |     'Feature-Policy': '' +
26 |       'camera \'none\'' +
27 |       ' fullscreen \'self\'' +
28 |       ' gyroscope \'none\'' +
29 |       ' geolocation \'none\'' +
30 |       ' magnetometer \'none\'' +
31 |       ' microphone \'none\'' +
32 |       ' midi \'none\'' +
33 |       ' payment \'none\'' +
34 |       ' speaker \'none\'' +
35 |       ' sync-xhr \'self\'',
36 |     'X-Frame-Options': 'DENY',
37 |     'X-XSS-Protection': '1; mode=block',
38 |     'X-UA-Compatible': 'ie=edge'
39 |   }
40 | }
41 | 
42 | // Reformat headers object for CF
43 | function makeHeaders (headers) {
44 |   const formattedHeaders = {}
45 |   Object.keys(headers).forEach((key) => {
46 |     formattedHeaders[key.toLowerCase()] = [{
47 |       key: key,
48 |       value: headers[key]
49 |     }]
50 |   })
51 |   return formattedHeaders
52 | }
53 | 
54 | function getHeaders (mime) {
55 |   return makeHeaders(headers[mime])
56 | }
57 | 
58 | function handler (event, context, callback) {
59 |   const request = event.Records[0].cf.request
60 |   const response = event.Records[0].cf.response
61 | 
62 |   //console.log(JSON.stringify(request),JSON.stringify(response))
63 | 
64 |   let responseHeaders = getHeaders('any')
65 | 
66 |   // Catch 304 w/o Content-Type from S3
67 |   if (!response.headers['content-type'] && request.uri === '/') {
68 |     response.headers['content-type'] = [{
69 |       key: 'Content-Type',
70 |       value: 'text/html; charset=utf-8'
71 |     }]
72 |   }
73 | 
74 |   if (response.headers['content-type'] && response.headers['content-type'][0].value.indexOf('text/html') !== -1) {
75 |     Object.assign(responseHeaders, getHeaders('html'))
76 |   }
77 | 
78 |   Object.assign(response.headers, responseHeaders)
79 | 
80 |   return callback(null, response)
81 | }
82 | 
83 | module.exports = {
84 |   makeHeaders,
85 |   headers,
86 |   handler
87 | }
88 | 


--------------------------------------------------------------------------------
/environments/domain/cloudfront.tf:
--------------------------------------------------------------------------------
 1 | data "aws_acm_certificate" "main" {
 2 |   provider = "aws.edge"
 3 |   domain   = local.workspace["app_domain"]
 4 | 
 5 |   statuses = [
 6 |     "ISSUED",
 7 |   ]
 8 | 
 9 |   providers = {
10 |     aws = "aws.edge"
11 |   }
12 | }
13 | 
14 | module "app" {
15 |   source = "git@github.com:willfarrell/terraform-public-static-assets-module?ref=v0.2.1"
16 |   name   = local.workspace["name"]
17 | 
18 |   aliases = [
19 |     local.workspace["app_domain"],
20 |   ]
21 | 
22 |   acm_certificate_arn = data.aws_acm_certificate.main.arn
23 |   web_acl_id          = module.waf.id
24 |   lambda = {
25 |     "viewer-response" = file("${path.module}/cloudfront-lambda-viewer-response.js")
26 |   }
27 |   logging_bucket = "${local.workspace["name"]}-${local.workspace["env"]}-edge-logs"
28 |   providers = {
29 |     aws = "aws.edge"
30 |   }
31 | }
32 | 
33 | module "waf" {
34 |   source         = "git@github.com:willfarrell/terraform-waf-module?ref=v0.0.1"
35 |   type           = "edge"
36 |   name           = local.workspace["name"]
37 |   defaultAction  = "ALLOW"
38 |   logging_bucket = "${local.workspace["name"]}-${local.workspace["env"]}-edge-logs"
39 |   providers = {
40 |     aws = "aws.edge"
41 |   }
42 | }
43 | 
44 | output "waf_bad-bot_ipset_id" {
45 |   value = module.waf.ipset_bad-bot_id
46 | }
47 | 


--------------------------------------------------------------------------------
/environments/domain/dynamodb.tf:
--------------------------------------------------------------------------------
 1 | # VPC
 2 | resource "aws_vpc_endpoint" "dynamodb" {
 3 |   vpc_id          = module.vpc.id
 4 |   service_name    = "com.amazonaws.${local.workspace["region"]}.dynamodb"
 5 |   route_table_ids = module.vpc.private_route_table_ids
 6 | 
 7 |   policy = <<POLICY
 8 | {
 9 |     "Statement": [
10 |         {
11 |             "Action": "*",
12 |             "Effect": "Allow",
13 |             "Resource": "*",
14 |             "Principal": "*"
15 |         }
16 |     ]
17 | }
18 | POLICY
19 | }
20 | 
21 | # Database
22 | 


--------------------------------------------------------------------------------
/environments/domain/ecs-alb.tf:
--------------------------------------------------------------------------------
  1 | # Cert
  2 | data "aws_acm_certificate" "alb" {
  3 |   domain = local.workspace["domain"]
  4 | 
  5 |   statuses = [
  6 |     "ISSUED",
  7 |   ]
  8 | }
  9 | 
 10 | # WAF
 11 | module "waf" {
 12 |   source        = "git@github.com:willfarrell/terraform-waf-module?ref=v0.0.1"
 13 |   type          = "regional"
 14 |   name          = local.workspace["name"]
 15 |   defaultAction = "ALLOW"
 16 | }
 17 | 
 18 | # ALB
 19 | module "alb" {
 20 |   source = "git@github.com:willfarrell/terraform-lb-module?ref=v0.0.1"
 21 |   name   = local.workspace["name"]
 22 |   type   = "application"
 23 |   vpc_id = module.vpc.id
 24 | 
 25 |   private_subnet_ids = module.vpc.private_subnet_ids
 26 | 
 27 |   waf_acl_id      = module.waf.id
 28 |   https_only      = true
 29 |   ssl_policy      = "ELBSecurityPolicy-2016-08"
 30 |   certificate_arn = data.aws_acm_certificate.alb.arn
 31 | 
 32 |   # ecs
 33 |   ports                  = [3000]
 34 |   autoscaling_group_name = module.ecs_alb.autoscaling_group_name
 35 |   security_group_id      = module.ecs_alb.security_group_id
 36 | 
 37 |   logging_bucket = "${local.workspace["name"]}-${local.workspace["env"]}-${local.workspace["region"]}-logs"
 38 | }
 39 | 
 40 | output "alb_endpoint" {
 41 |   value = module.alb.endpoint
 42 | }
 43 | 
 44 | # ECS - For long running process that need to be reached from the public
 45 | module "ecs_alb" {
 46 |   source         = "git@github.com:willfarrell/terraform-ec-modules//ecs?ref=v0.0.1"
 47 |   name           = "${local.workspace["name"]}-alb"
 48 |   ami_account_id = data.terraform_remote_state.master.outputs.account_id
 49 |   vpc_id         = module.vpc.id
 50 | 
 51 |   private_subnet_ids = module.vpc.private_subnet_ids
 52 | 
 53 |   instance_type    = local.workspace["instance_type"]
 54 |   min_size         = local.workspace["min_size"]
 55 |   max_size         = local.workspace["max_size"]
 56 |   desired_capacity = local.workspace["desired_capacity"]
 57 | 
 58 |   # Will need to comment out `efs` on initial apply TODO BUG
 59 |   efs_ids = [
 60 |     module.efs_alb.efs_id
 61 |   ]
 62 | 
 63 |   efs_security_group_ids = [
 64 |     module.efs_alb.security_group_id
 65 |   ]
 66 | 
 67 |   assume_role_arn = matchkeys(data.terraform_remote_state.master.outputs.ecr_role_arns, keys(data.terraform_remote_state.master.outputs.sub_accounts), list(local.workspace["env"]))[0]
 68 | }
 69 | 
 70 | output "ecs_alb_billing_suggestion" {
 71 |   value = module.ecs_alb.billing_suggestion
 72 | }
 73 | 
 74 | # EFS
 75 | module "efs_alb" {
 76 |   source = "git@github.com:willfarrell/terraform-ec-modules//efs?ref=v0.0.1"
 77 |   name   = "${local.workspace["name"]}-ecs-alb"
 78 | 
 79 |   subnet_ids = module.vpc.private_subnet_ids
 80 | }
 81 | 
 82 | # You can use `willfarrell/hello-world` to test out the ALB
 83 | 
 84 | # API Service
 85 | # Ref: https://github.com/terraform-providers/terraform-provider-aws/issues/632
 86 | 
 87 | resource "aws_ecs_task_definition" "api" {
 88 |   family = "${local.workspace["name"]}-ecs-${local.workspace["ecs_api_name"]}-task"
 89 |   requires_compatibilities = [
 90 |     "EC2",
 91 |   ]
 92 |   cpu                = "256"
 93 |   memory             = "256"
 94 |   network_mode       = "bridge"
 95 |   task_role_arn      = aws_iam_role.api_task.arn
 96 |   execution_role_arn = module.ecs_alb.iam_execution_role_arn
 97 |   # "image": "${data.terraform_remote_state.master.outputs.ecr_api_url}:${local.workspace["ecs_api_version"]}",
 98 |   container_definitions = <<DEFINITION
 99 | [
100 |   {
101 |     "name": "emr",
102 |     "image": "willfarrell/hello-world:latest",
103 |     "cpu": 256,
104 |     "memory": 256,
105 |     "essential":true,
106 |     "portMappings":[{
107 |       "hostPort":80,
108 |       "containerPort":80,
109 |       "protocol":"tcp"
110 |     }],
111 |     "environment":[
112 |       { "name":"PORT", "value":"80" }
113 |     ],
114 |     "logConfiguration":{
115 |       "logDriver": "awslogs",
116 |       "options":{
117 |         "awslogs-group":"${aws_cloudwatch_log_group.api.name}",
118 |         "awslogs-region":"${local.workspace["region"]}",
119 |         "awslogs-stream-prefix":"ecs"
120 |       }
121 |     },
122 |     "mountPoints":[],
123 |     "volumesFrom":[]
124 |   }
125 | ]
126 | DEFINITION
127 | 
128 |   lifecycle {
129 |     ignore_changes = [
130 |       #requires_compatibilities,
131 |       #cpu,
132 |       #memory,
133 |       #container_definitions,
134 |     ]
135 |   }
136 | 
137 |   #tags {}
138 | }
139 | 
140 | resource "aws_cloudwatch_log_group" "api" {
141 |   name = "/ecs/${local.workspace["ecs_api_name"]}"
142 |   retention_in_days = 30
143 |   tags = {
144 |     Name = "${local.workspace["name"]}-ecs-${local.workspace["ecs_api_name"]}"
145 |   }
146 | }
147 | 
148 | resource "aws_iam_role" "api_task" {
149 |   name = "${local.workspace["name"]}-ecs-${local.workspace["ecs_emr_name"]}-role"
150 | 
151 |   assume_role_policy = <<POLICY
152 | {
153 |   "Version": "2012-10-17",
154 |   "Statement": [
155 |     {
156 |       "Effect": "Allow",
157 |       "Principal": {
158 |         "Service": [
159 |           "ecs-tasks.amazonaws.com"
160 |         ]
161 |       },
162 |       "Action": "sts:AssumeRole"
163 |     }
164 |   ]
165 | }
166 | POLICY
167 | }
168 | 
169 | resource "aws_iam_policy" "api_task" {
170 |   name   = "${local.workspace["name"]}-ecs-${local.workspace["ecs_emr_name"]}-policy"
171 |   policy = <<POLICY
172 | {
173 |   "Version": "2012-10-17",
174 |   "Statement": [
175 |     {
176 |       "Effect": "Allow",
177 |       "Action": [
178 |         "*"
179 |       ],
180 |       "Resource": "*"
181 |     }
182 |   ]
183 | }
184 | POLICY
185 | }
186 | 
187 | resource "aws_iam_role_policy_attachment" "api" {
188 |   role = aws_iam_role.api_task.name
189 |   policy_arn = aws_iam_policy.api_task.arn
190 | }
191 | 
192 | resource "aws_ecs_service" "api" {
193 |   name = local.workspace["ecs_api_name"]
194 |   cluster = module.ecs_alb.arn
195 |   #launch_type     = ""
196 |   task_definition = aws_ecs_task_definition.api.arn
197 | 
198 |   desired_count = 2
199 |   ordered_placement_strategy {
200 |     type = "spread"
201 |     field = "attribute:ecs.availability-zone"
202 |   }
203 |   ordered_placement_strategy {
204 |     type = "spread"
205 |     field = "instanceId"
206 |   }
207 |   placement_constraints {
208 |     type = "distinctInstance"
209 |   }
210 | 
211 |   dynamic "load_balancer" {
212 |     for_each = module.alb.target_group_arns
213 |     content {
214 |       target_group_arn = load_balancer.value
215 |       container_name = local.workspace["ecs_api_name"]
216 |       container_port = 80
217 |     }
218 |   }
219 | 
220 |   lifecycle {
221 |     ignore_changes = [
222 |       #task_definition
223 |     ]
224 |   }
225 | }
226 | 


--------------------------------------------------------------------------------
/environments/domain/ecs-nlb.tf:
--------------------------------------------------------------------------------
 1 | # NLB
 2 | module "nlb" {
 3 |   source = "git@github.com:willfarrell/terraform-lb-module?ref=v0.0.2"
 4 |   name   = local.workspace["name"]
 5 |   type   = "network"
 6 |   vpc_id = module.vpc.id
 7 | 
 8 |   private_subnet_ids = module.vpc.private_subnet_ids
 9 | 
10 |   # ecs
11 |   ports                  = [3000]
12 |   autoscaling_group_name = module.ecs_nlb.autoscaling_group_id
13 |   security_group_id      = module.ecs_nlb.security_group_id
14 | 
15 |   logging_bucket = "${local.workspace["name"]}-${local.workspace["env"]}-${local.workspace["region"]}-logs"
16 | }
17 | 
18 | output "nlb_endpoint" {
19 |   value = module.nlb.endpoint
20 | }
21 | 
22 | output "nlb_target_group_arn" {
23 |   value = module.nlb.target_group_arn
24 | }
25 | 
26 | # ECS - For long running and batch processes
27 | module "ecs_nlb" {
28 |   source         = "git@github.com:willfarrell/terraform-ec-modules//ecs?ref=v0.0.1"
29 |   name           = "${local.workspace["name"]}-nlb"
30 |   ami_account_id = data.terraform_remote_state.master.outputs.account_id
31 |   vpc_id         = module.vpc.id
32 | 
33 |   private_subnet_ids = module.vpc.private_subnet_ids
34 | 
35 |   instance_type    = local.workspace["instance_type"]
36 |   min_size         = local.workspace["min_size"]
37 |   max_size         = local.workspace["max_size"]
38 |   desired_capacity = local.workspace["desired_capacity"]
39 | 
40 |   # Will need to comment out `efs` on initial apply TODO BUG
41 |   efs_ids = [
42 |     module.efs_nlb.efs_id
43 |   ]
44 | 
45 |   efs_security_group_ids = [
46 |     module.efs_nlb.security_group_id
47 |   ]
48 | }
49 | 
50 | output "ecs_nlb_billing_suggestion" {
51 |   value = module.ecs_nlb.billing_suggestion
52 | }
53 | 
54 | # EFS
55 | module "efs_nlb" {
56 |   source = "git@github.com:willfarrell/terraform-ec-modules//efs?ref=v0.0.1"
57 |   name   = "${local.workspace["name"]}-ecs-nlb"
58 | 
59 |   subnet_ids = module.vpc.private_subnet_ids
60 | }
61 | 
62 | # TODO sg - allow proxy access from bastion to private ports
63 | 
64 | 


--------------------------------------------------------------------------------
/environments/domain/ecs.tf:
--------------------------------------------------------------------------------
 1 | module "ecs" {
 2 |   source         = "git@github.com:willfarrell/terraform-ec-modules//ecs?ref=v0.0.3"
 3 |   name           = local.workspace["name"]
 4 |   ami_account_id = data.terraform_remote_state.master.outputs.account_id
 5 |   vpc_id         = module.vpc.id
 6 | 
 7 |   private_subnet_ids = module.vpc.private_subnet_ids
 8 | 
 9 |   instance_type    = local.workspace["instance_type"]
10 |   min_size         = local.workspace["min_size"]
11 |   max_size         = local.workspace["max_size"]
12 |   desired_capacity = local.workspace["desired_capacity"]
13 | 
14 |   # Will need to comment out `efs` on initial apply TODO BUG
15 |   efs_ids = [
16 |     module.efs.efs_id
17 |   ]
18 | 
19 |   efs_security_group_ids = [
20 |     module.efs.security_group_id
21 |   ]
22 | }
23 | 
24 | output "ecs_billing_suggestion" {
25 |   value = module.ecs.billing_suggestion
26 | }
27 | 
28 | # EFS
29 | module "efs" {
30 |   source = "git@github.com:willfarrell/terraform-ec-modules//efs?ref=v0.0.3"
31 |   name   = "${local.workspace["name"]}-ecs"
32 | 
33 |   subnet_ids = module.vpc.private_subnet_ids
34 | }
35 | 
36 | # TODO sg - allow proxy access from bastion to private ports
37 | 
38 | # TODO task def
39 | 


--------------------------------------------------------------------------------
/environments/domain/elasticsearch.tf:
--------------------------------------------------------------------------------
 1 | module "elasticsearch" {
 2 |   source = "git@github.com:willfarrell/terraform-db-modules//elasticsearch?ref=v0.0.1"
 3 |   name   = local.workspace["name"]
 4 |   vpc_id = module.vpc.id
 5 | 
 6 |   private_subnet_ids = module.vpc.private_subnet_ids
 7 | 
 8 |   #type                = local.workspace["elasticsearch_type"]          # N/A
 9 |   instance_type = local.workspace["elasticsearch_instance_type"]
10 |   node_count    = local.workspace["relasticsearch_node_count"]
11 | 
12 |   #engine              = local.workspace["elasticsearch_engine"]          # N/A
13 |   engine_version = local.workspace["elasticsearch_engine_version"]
14 | 
15 |   # bootstrap
16 |   ssh_username      = "iam.username"
17 |   ssh_identity_file = "~/.ssh/id_rsa"
18 |   bastion_ip        = module.vpc.bastion_ip
19 | 
20 |   #bootstrap_file      = local.workspace["elasticsearch_bootstrap_file"]
21 |   security_group_ids = [
22 |     #module.bastion.security_group_id,
23 |     #module.ecs.security_group_id,
24 |   ]
25 | }
26 | 
27 | resource "aws_ssm_parameter" "elasticsearch_endpoint" {
28 |   name        = "/database/elasticsearch/endpoint"
29 |   description = "ElasticSearch Endpoint"
30 |   type        = "String"
31 |   value       = module.elasticsearch.endpoint
32 | }
33 | 
34 | output "elasticsearch_endpoint" {
35 |   value = module.elasticsearch.endpoint
36 | }
37 | 


--------------------------------------------------------------------------------
/environments/domain/elasticsearch/mappings.json:
--------------------------------------------------------------------------------
1 | {}
2 | 


--------------------------------------------------------------------------------
/environments/domain/locals.tf:
--------------------------------------------------------------------------------
  1 | locals {
  2 |   env = {
  3 |     default = {
  4 |       env     = terraform.workspace
  5 |       profile = "{**PROFILE**}"
  6 |       name    = "{**NAME**}"
  7 |       region  = "ca-central-1"
  8 | 
  9 |       tags    = {
 10 |         Terraform   = true
 11 |         Environment = terraform.workspace
 12 |         Description = ""
 13 |         #CostID = ""
 14 |       }
 15 | 
 16 |       # VPC
 17 |       az_count = 2
 18 | 
 19 |       bastion_instance_type = "t3a.nano"
 20 | 
 21 |       # Database
 22 |       ## Cache
 23 |       redis_instance_type  = "cache.t2.micro"
 24 |       redis_engine         = "redis"
 25 |       redis_engine_version = "5.0"
 26 | 
 27 |       ## ElasticSearch
 28 |       elasticsearch_instance_type  = "r4.large.elasticsearch"
 29 |       elasticsearch_engine         = "elasticsearch"
 30 |       elasticsearch_engine_version = "6.5"
 31 |       elasticsearch_bootstrap_file = "${path.module}/elasticsearch/mappings.json"
 32 | 
 33 |       ## RDS
 34 |       mysql_instance_type    = "db.t2.micro"
 35 |       mysql_replica_count    = 0
 36 |       mysql_db_name          = "{**NAME**}"
 37 |       mysql_bootstrap_folder = "${path.module}/mysql"
 38 |       mysql_engine_version   = "8.0"
 39 |       mysql_engine_mode      = "provisioned"
 40 | 
 41 |       postgres_instance_type    = "db.t2.micro"
 42 |       postgres_replica_count    = 0
 43 |       postgres_db_name          = "{**NAME**}"
 44 |       postgres_bootstrap_folder = "${path.module}/postgres"
 45 |       postgres_engine_version   = "11"
 46 |       postgres_engine_mode      = "provisioned"
 47 |     }
 48 | 
 49 |     production = {
 50 |       # CloudFront
 51 |       app_domain = "app.example.com"
 52 | 
 53 |       # API
 54 |       instance_type    = "t2.micro"
 55 |       min_size         = 2
 56 |       max_size         = 5
 57 |       desired_capacity = 3
 58 |       api_domain       = "api.example.com"
 59 | 
 60 |       api_version = "v2.0.0"
 61 | 
 62 |       # VPC
 63 |       cidr_block            = "10.*.0.0/16"
 64 |       az_count              = 3
 65 |       nat_type              = "gateway"
 66 |       bastion_user_group    = "ProductionDeveloper"
 67 |       bastion_sudo_group    = "ProductionAdmin"
 68 | 
 69 |       # Database
 70 |       multi_az          = true
 71 |       apply_immediately = false
 72 | 
 73 |       redis_type          = "cluster"
 74 |       redis_node_count    = 2
 75 |       redis_replica_count = 2
 76 | 
 77 |       elasticsearch_node_count = 2
 78 | 
 79 |       mysql_type                    = "cluster"
 80 |       mysql_engine                  = "aurora-mysql"
 81 |       mysql_node_count              = 2
 82 |       mysql_replica_count           = 2
 83 |       mysql_allocated_storage       = 256
 84 |       mysql_backup_retention_period = 90
 85 | 
 86 |       postgres_type                    = "cluster"
 87 |       postgres_engine                  = "aurora-postgresql"
 88 |       postgres_node_count              = 2
 89 |       postgres_replica_count           = 2
 90 |       postgres_allocated_storage       = 256
 91 |       postgres_backup_retention_period = 90
 92 |     }
 93 | 
 94 |     staging = {
 95 |       # CloudFront
 96 |       app_domain = "uat-app.example.com"
 97 | 
 98 |       # API
 99 |       instance_type    = "t2.micro"
100 |       min_size         = 2
101 |       max_size         = 3
102 |       desired_capacity = 2
103 |       api_domain       = "uat-api.example.com"
104 | 
105 |       api_version = "v2.0.0"
106 | 
107 |       # VPC
108 |       cidr_block            = "10.*.0.0/16"
109 |       az_count              = 2
110 |       nat_type              = "gateway"
111 |       bastion_user_group    = "StagingDeveloper"
112 |       bastion_sudo_group    = "StagingAdmin"
113 | 
114 |       # Database
115 |       multi_az          = true
116 |       apply_immediately = false
117 | 
118 |       redis_type          = "cluster"
119 |       redis_node_count    = 2
120 |       redis_replica_count = 1
121 | 
122 |       elasticsearch_node_count = 2
123 | 
124 |       mysql_type                    = "cluster"
125 |       mysql_engine                  = "aurora-mysql"
126 |       mysql_node_count              = 2
127 |       mysql_replica_count           = 1
128 |       mysql_allocated_storage       = 64
129 |       mysql_backup_retention_period = 30
130 | 
131 |       postgres_type                    = "cluster"
132 |       postgres_engine                  = "aurora-postgresql"
133 |       postgres_node_count              = 2
134 |       postgres_replica_count           = 1
135 |       postgres_allocated_storage       = 64
136 |       postgres_backup_retention_period = 30
137 |     }
138 | 
139 |     testing = {
140 |       # CloudFront
141 |       app_domain = "qa-app.example.com"
142 | 
143 |       # API
144 |       instance_type    = "t2.micro"
145 |       min_size         = 1
146 |       max_size         = 1
147 |       desired_capacity = 1
148 |       api_domain       = "qa-api.example.com"
149 | 
150 |       # VPC
151 |       cidr_block            = "10.*.0.0/16"
152 |       az_count              = 2
153 |       nat_type              = "instance"
154 |       bastion_user_group    = "TestingDeveloper"
155 |       bastion_sudo_group    = "TestingAdmin"
156 | 
157 |       # Database
158 |       multi_az          = false
159 |       apply_immediately = true
160 | 
161 |       redis_type          = "service"
162 |       redis_node_count    = 1
163 |       redis_replica_count = 0
164 | 
165 |       elasticsearch_node_count = 1
166 | 
167 |       mysql_type                    = "service"
168 |       mysql_engine                  = "mysql"
169 |       mysql_node_count              = 1
170 |       mysql_replica_count           = 0
171 |       mysql_allocated_storage       = 32
172 |       mysql_backup_retention_period = 7
173 | 
174 |       postgres_type                    = "service"
175 |       postgres_engine                  = "postgres"
176 |       postgres_node_count              = 1
177 |       postgres_replica_count           = 0
178 |       postgres_allocated_storage       = 32
179 |       postgres_backup_retention_period = 7
180 |     }
181 | 
182 |     development = {
183 |       # CloudFront
184 |       app_domain = "dev-app.example.com"
185 | 
186 |       # API
187 |       instance_type    = "t2.micro"
188 |       min_size         = 1
189 |       max_size         = 1
190 |       desired_capacity = 1
191 |       api_domain       = "dev-api.example.com"
192 | 
193 |       # VPC
194 |       cidr_block            = "10.*.0.0/16"
195 |       az_count              = 2
196 |       nat_type              = "instance"
197 |       bastion_user_group    = "DevelopmentDeveloper"
198 |       bastion_sudo_group    = "DevelopmentAdmin"
199 | 
200 |       # Database
201 |       multi_az          = false
202 |       apply_immediately = true
203 | 
204 |       redis_type          = "service"
205 |       redis_node_count    = 1
206 |       redis_replica_count = 0
207 | 
208 |       elasticsearch_node_count = 1
209 | 
210 |       mysql_type                    = "service"
211 |       mysql_engine                  = "mysql"
212 |       mysql_node_count              = 1
213 |       mysql_replica_count           = 0
214 |       mysql_allocated_storage       = 8
215 |       mysql_backup_retention_period = 1
216 | 
217 |       postgres_type                    = "service"
218 |       postgres_engine                  = "postgres"
219 |       postgres_node_count              = 1
220 |       postgres_replica_count           = 0
221 |       postgres_allocated_storage       = 8
222 |       postgres_backup_retention_period = 1
223 |     }
224 |   }
225 | 
226 |   workspace = merge(local.env["default"], local.env[terraform.workspace])
227 | }
228 | 
229 | output "workspace" {
230 |   value = terraform.workspace
231 | }
232 | 


--------------------------------------------------------------------------------
/environments/domain/main.tf:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   backend "s3" {
 3 |     bucket         = "terraform-state-{**NAME**}"
 4 |     key            = "{**DOMAIN**}/terraform.tfstate"
 5 |     region         = "us-east-1"
 6 |     profile        = "{**PROFILE**}"
 7 |     dynamodb_table = "terraform-state-{**NAME**}"
 8 |     encrypt        = true
 9 |   }
10 | }
11 | 
12 | provider "aws" {
13 |   profile = "${local.workspace["profile"]}-${local.workspace["env"]}"
14 |   region  = local.workspace["region"]
15 | }
16 | 
17 | provider "aws" {
18 |   profile = "${local.workspace["profile"]}-${local.workspace["env"]}"
19 |   region  = "us-east-1"
20 |   alias   = "edge"
21 | }
22 | 
23 | data "terraform_remote_state" "master" {
24 |   backend = "s3"
25 | 
26 |   config = {
27 |     bucket  = "terraform-state-${local.workspace["name"]}"
28 |     key     = "master/account/terraform.tfstate"
29 |     region  = "us-east-1"
30 |     profile = local.workspace["profile"]
31 |   }
32 | }
33 | 


--------------------------------------------------------------------------------
/environments/domain/mysql.tf:
--------------------------------------------------------------------------------
 1 | # TODO setup users for DB access
 2 | # TODO save password in Secrect Manager & rotate
 3 | # TODO bug fix ssh_identity_file path issue
 4 | module "mysql" {
 5 |   source = "git@github.com:willfarrell/terraform-db-modules//rds?ref=v0.0.1"
 6 |   name   = local.workspace["name"]
 7 |   vpc_id = module.vpc.id
 8 | 
 9 |   private_subnet_ids = module.vpc.private_subnet_ids
10 | 
11 |   type              = local.workspace["mysql_type"]
12 |   instance_type     = local.workspace["mysql_instance_type"]
13 |   node_count        = local.workspace["mysql_node_count"]
14 |   replica_count     = local.workspace["mysql_replica_count"]
15 |   multi_az          = local.workspace["multi_az"]
16 |   apply_immediately = local.workspace["apply_immediately"]
17 | 
18 |   db_name  = local.workspace["mysql_db_name"]
19 |   username = "root"
20 |   password = "password"
21 | 
22 |   engine                  = local.workspace["mysql_engine"]
23 |   engine_version          = local.workspace["mysql_engine_version"]
24 |   engine_mode             = local.workspace["mysql_engine_mode"]
25 |   allocated_storage       = local.workspace["mysql_allocated_storage"]
26 |   backup_retention_period = local.workspace["mysql_backup_retention_period"]
27 | 
28 |   # bootstrap
29 |   ssh_username      = "iam.username"
30 |   ssh_identity_file = "~/.ssh/id_rsa"
31 |   bastion_ip        = module.vpc.bastion_ip
32 | 
33 |   #bootstrap_folder        = "${local.workspace["mysql_bootstrap_folder"]}"
34 |   security_group_ids = [
35 |     #module.bastion.security_group_id,
36 |     #module.ecs.security_group_id,
37 |   ]
38 | }
39 | 
40 | # SSM
41 | resource "aws_ssm_parameter" "mysql_endpoint" {
42 |   name        = "/database/mysql/endpoint"
43 |   description = "Endpoint to connect to the database"
44 |   type        = "String"
45 |   value       = module.mysql.endpoint
46 | }
47 | 
48 | resource "aws_ssm_parameter" "mysql_endpoints" {
49 |   name        = "/database/mysql/endpoints"
50 |   description = "Endpoints to connect to read the database"
51 |   type        = "StringList"
52 |   value       = join(",", module.mysql.replica_endpoints)
53 | }
54 | 
55 | resource "aws_ssm_parameter" "mysql_port" {
56 |   name        = "/database/mysql/port"
57 |   description = "Port to connect to the database"
58 |   type        = "String"
59 |   value       = module.mysql.port
60 | }
61 | 
62 | resource "aws_ssm_parameter" "mysql_username" {
63 |   name        = "/database/mysql/username"
64 |   description = "Username to connect to the database"
65 |   type        = "SecureString"
66 |   value       = module.mysql.username
67 | }
68 | 
69 | resource "aws_ssm_parameter" "mysql_password" {
70 |   name        = "/database/mysql/username"
71 |   description = "Username to connect to the database"
72 |   type        = "SecureString"
73 |   value       = module.mysql.password
74 | }
75 | 
76 | resource "aws_ssm_parameter" "mysql_database" {
77 |   name        = "/database/mysql/database"
78 |   description = "Database to connect to"
79 |   type        = "String"
80 |   value       = module.mysql.database
81 | }
82 | 
83 | # Output
84 | output "mysql_endpoint" {
85 |   value = module.mysql.endpoint
86 | }
87 | 
88 | output "mysql_replica_endpoints" {
89 |   value = module.mysql.replica_endpoints
90 | }
91 | 
92 | output "mysql_billing_suggestion" {
93 |   value = module.mysql.billing_suggestion
94 | }
95 | 


--------------------------------------------------------------------------------
/environments/domain/postgres.tf:
--------------------------------------------------------------------------------
  1 | # TODO setup users for DB access
  2 | # TODO save password in Secrect Manager & rotate
  3 | # TODO bug fix ssh_identity_file path issue
  4 | 
  5 | 
  6 | 
  7 | module "postgres" {
  8 |   source = "git@github.com:willfarrell/terraform-db-modules//rds?ref=v0.0.1"
  9 |   name   = local.workspace["name"]
 10 |   vpc_id = module.vpc.id
 11 | 
 12 |   private_subnet_ids = module.vpc.private_subnet_ids
 13 | 
 14 |   type              = local.workspace["postgres_type"]
 15 |   instance_type     = local.workspace["postgres_instance_type"]
 16 |   node_count        = local.workspace["postgres_node_count"]
 17 |   replica_count     = local.workspace["postgres_replica_count"]
 18 |   multi_az          = local.workspace["multi_az"]
 19 |   apply_immediately = local.workspace["apply_immediately"]
 20 | 
 21 |   db_name  = local.workspace["postgres_db_name"]
 22 |   username = "root"
 23 |   password = "password"
 24 | 
 25 |   engine                  = local.workspace["postgres_engine"]
 26 |   engine_version          = local.workspace["postgres_engine_version"]
 27 |   engine_mode             = local.workspace["postgres_engine_mode"]
 28 |   allocated_storage       = local.workspace["postgres_allocated_storage"]
 29 |   backup_retention_period = local.workspace["postgres_backup_retention_period"]
 30 | 
 31 |   bastion_ip = module.bastion.public_ip
 32 | 
 33 |   # bootstrap
 34 |   #ssh_username      = "iam.username"
 35 |   #ssh_identity_file = "~/.ssh/id_rsa"
 36 |   #bootstrap_folder        = "${local.workspace["postgres_bootstrap_folder"]}"
 37 | 
 38 |   security_group_ids = [
 39 |     #module.bastion.security_group_id,
 40 |     #module.ecs.security_group_id,
 41 |   ]
 42 | }
 43 | 
 44 | # SSM
 45 | resource "aws_ssm_parameter" "postgres_endpoint" {
 46 |   name        = "/database/postgres/endpoint"
 47 |   description = "Endpoint to connect to the database"
 48 |   type        = "String"
 49 |   value       = module.postgres.endpoint
 50 | }
 51 | 
 52 | resource "aws_ssm_parameter" "postgres_endpoints" {
 53 |   name        = "/database/postgres/endpoints"
 54 |   description = "Endpoints to connect to read the database"
 55 |   type        = "StringList"
 56 |   value       = join(",", module.postgres.replica_endpoints)
 57 | }
 58 | 
 59 | resource "aws_ssm_parameter" "postgres_port" {
 60 |   name        = "/database/postgres/port"
 61 |   description = "Port to connect to the database"
 62 |   type        = "String"
 63 |   value       = module.postgres.port
 64 | }
 65 | 
 66 | resource "aws_ssm_parameter" "postgres_username" {
 67 |   name        = "/database/postgres/username"
 68 |   description = "Username to connect to the database"
 69 |   type        = "SecureString"
 70 |   value       = module.postgres.username
 71 | }
 72 | 
 73 | resource "aws_ssm_parameter" "postgres_password" {
 74 |   name        = "/database/postgres/password"
 75 |   description = "Username to connect to the database"
 76 |   type        = "SecureString"
 77 |   value       = module.postgres.password
 78 | }
 79 | 
 80 | resource "aws_ssm_parameter" "postgres_database" {
 81 |   name        = "/database/postgres/database"
 82 |   description = "Database to connect to"
 83 |   type        = "String"
 84 |   value       = module.postgres.database
 85 | }
 86 | 
 87 | # Output
 88 | output "postgres_endpoint" {
 89 |   value = module.postgres.endpoint
 90 | }
 91 | 
 92 | output "postgres_replica_endpoints" {
 93 |   value = module.postgres.replica_endpoints
 94 | }
 95 | 
 96 | output "postgres_billing_suggestion" {
 97 |   value = module.postgres.billing_suggestion
 98 | }
 99 | 
100 | 
101 | 


--------------------------------------------------------------------------------
/environments/domain/postgres/postgis.sql:
--------------------------------------------------------------------------------
 1 | 
 2 | /*
 3 | PostGIS
 4 | https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Appendix.PostgreSQL.CommonDBATasks.html#Appendix.PostgreSQL.CommonDBATasks.PostGIS
 5 | */
 6 | 
 7 | create extension postgis;
 8 | create extension fuzzystrmatch;
 9 | create extension postgis_tiger_geocoder;
10 | create extension postgis_topology;
11 | 
12 | alter schema tiger owner to rds_superuser;
13 | alter schema tiger_data owner to rds_superuser;
14 | alter schema topology owner to rds_superuser;
15 | 
16 | CREATE FUNCTION exec(text) returns text language plpgsql volatile AS $f$ BEGIN EXECUTE $1; RETURN $1; END; $f$;
17 | 
18 | SELECT exec('ALTER TABLE ' || quote_ident(s.nspname) || '.' || quote_ident(s.relname) || ' OWNER TO rds_superuser;')
19 | FROM (
20 |        SELECT nspname, relname
21 |        FROM pg_class c JOIN pg_namespace n ON (c.relnamespace = n.oid)
22 |        WHERE nspname in ('tiger','topology') AND
23 |            relkind IN ('r','S','v') ORDER BY relkind = 'S')
24 |        s;
25 | 


--------------------------------------------------------------------------------
/environments/domain/postgres/uuid.sql:
--------------------------------------------------------------------------------
1 | 
2 | CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
3 | 


--------------------------------------------------------------------------------
/environments/domain/redis.tf:
--------------------------------------------------------------------------------
 1 | module "redis" {
 2 |   source = "git@github.com:willfarrell/terraform-db-modules//elasticache?ref=v0.0.1"
 3 |   name   = local.workspace["name"]
 4 |   vpc_id = module.vpc.id
 5 | 
 6 |   private_subnet_ids = module.vpc.private_subnet_ids
 7 | 
 8 |   type              = local.workspace["redis_type"]
 9 |   instance_type     = local.workspace["redis_instance_type"]
10 |   node_count        = local.workspace["redis_node_count"]
11 |   replica_count     = local.workspace["redis_replica_count"]
12 |   multi_az          = local.workspace["multi_az"]
13 |   apply_immediately = local.workspace["apply_immediately"]
14 | 
15 |   engine         = local.workspace["redis_engine"]
16 |   engine_version = local.workspace["redis_engine_version"]
17 | 
18 |   security_group_ids = [
19 |     #module.bastion.security_group_id,
20 |     #module.ecs.security_group_id,
21 |   ]
22 | }
23 | 
24 | # SSM
25 | resource "aws_ssm_parameter" "redis_endpoint" {
26 |   name        = "/database/redis/endpoint"
27 |   description = "Endpoint to connect to the database"
28 |   type        = "String"
29 |   value       = module.redis.endpoint
30 | }
31 | 
32 | resource "aws_ssm_parameter" "redis_endpoints" {
33 |   name        = "/database/redis/endpoints"
34 |   description = "Endpoints to connect to read the database"
35 |   type        = "StringList"
36 |   value       = join(",", module.redis.replica_endpoints)
37 | }
38 | 
39 | resource "aws_ssm_parameter" "redis_port" {
40 |   name        = "/database/redis/port"
41 |   description = "Port to connect to the database"
42 |   type        = "String"
43 |   value       = module.redis.port
44 | }
45 | 
46 | # Output
47 | output "redis_endpoint" {
48 |   value = module.redis.endpoint
49 | }
50 | 
51 | output "redis_replica_endpoints" {
52 |   value = module.redis.replica_endpoints
53 | }
54 | 
55 | output "redis_security_group_id" {
56 |   value = module.redis.security_group_id
57 | }
58 | 


--------------------------------------------------------------------------------
/environments/domain/versions.tf:
--------------------------------------------------------------------------------
1 | 
2 | terraform {
3 |   required_version = ">= 0.12"
4 | }
5 | 


--------------------------------------------------------------------------------
/environments/domain/vpc.tf:
--------------------------------------------------------------------------------
  1 | # VPC
  2 | // Docs: https://github.com/willfarrell/terraform-vpc-module
  3 | module "vpc" {
  4 |   source         = "git@github.com:willfarrell/terraform-vpc-module?ref=v0.0.1"
  5 |   name           = local.workspace["name"]
  6 |   az_count       = local.workspace["az_count"]
  7 |   cidr_block     = local.workspace["cidr_block"]
  8 |   nat_type       = local.workspace["nat_type"]
  9 |   ami_account_id = data.terraform_remote_state.master.outputs.account_id
 10 | }
 11 | 
 12 | resource "aws_vpc_endpoint" "s3" {
 13 |   vpc_id          = module.vpc.id
 14 |   service_name    = "com.amazonaws.${local.workspace["region"]}.s3"
 15 |   route_table_ids = module.vpc.private_route_table_ids
 16 | 
 17 |   tags = merge(
 18 |   local.workspace["tags"],
 19 |   {
 20 |     Name = "S3"
 21 |   }
 22 |   )
 23 | 
 24 |   policy = <<POLICY
 25 | {
 26 |   "Version": "2008-10-17",
 27 |   "Statement": [
 28 |       {
 29 |           "Sid":"",
 30 |           "Effect": "Allow",
 31 |           "Action": "s3:*",
 32 |           "Resource": [
 33 |             "arn:aws:s3:::*",
 34 |             "arn:aws:s3:::*/*"
 35 |           ],
 36 |           "Principal": "*",
 37 |           "Condition": {
 38 |             "StringEquals": {
 39 |               "aws:SourceVpce": "${module.vpc.id}"
 40 |             }
 41 |           }
 42 |       }
 43 |   ]
 44 | }
 45 | POLICY
 46 | }
 47 | 
 48 | // used for serverless
 49 | resource "aws_ssm_parameter" "vpc_id" {
 50 |   name = "/infrastructure/vpc/id"
 51 |   description = "VPC ID"
 52 |   type = "String"
 53 |   value = module.vpc.id
 54 | }
 55 | 
 56 | resource "aws_ssm_parameter" "vpc_public_subnets" {
 57 |   name = "/infrastructure/vpc/public_subnets"
 58 |   description = "VPC public subnets"
 59 |   type = "String"
 60 |   value = join(",", module.vpc.public_subnet_ids)
 61 | }
 62 | 
 63 | resource "aws_ssm_parameter" "vpc_private_subnets" {
 64 |   name = "/infrastructure/vpc/private_subnets"
 65 |   description = "VPC private subnets"
 66 |   type = "String"
 67 |   value = join(",", module.vpc.private_subnet_ids)
 68 | }
 69 | 
 70 | output "nat_ips" {
 71 |   value = module.vpc.public_ips
 72 | }
 73 | 
 74 | output "nat_billing_suggestion" {
 75 |   value = module.vpc.billing_suggestion
 76 | }
 77 | 
 78 | ## Public Subnets
 79 | 
 80 | // Bastion
 81 | // Docs: https://github.com/willfarrell/terraform-ec-modules/tree/master/bastion
 82 | module "bastion" {
 83 |   source = "git@github.com:willfarrell/terraform-ec-modules//bastion?ref=v0.0.4"
 84 |   name = local.workspace["name"]
 85 |   instance_type = local.workspace["bastion_instance_type"]
 86 |   vpc_id = module.vpc.id
 87 |   network_acl_id = module.vpc.network_acl_id
 88 |   public_subnet_ids = module.vpc.public_subnet_ids
 89 |   ami_account_id = data.terraform_remote_state.master.outputs.account_id
 90 |   iam_user_groups = local.workspace["bastion_user_group"]
 91 |   iam_sudo_groups = local.workspace["bastion_sudo_group"]
 92 |   assume_role_arn = matchkeys(data.terraform_remote_state.master.outputs.bastion_role_arns, keys(data.terraform_remote_state.master.outputs.sub_accounts), list(local.workspace["env"]))[0]
 93 | }
 94 | 
 95 | output "bastion_ip" {
 96 |   value = module.bastion.public_ip
 97 | }
 98 | 
 99 | output "bastion_billing_suggestion" {
100 |   value = module.bastion.billing_suggestion
101 | }
102 | 
103 | 
104 | ## Lambda
105 | resource "aws_security_group" "lambda" {
106 |   name = "${local.workspace["name"]}-lambda-security-group"
107 |   vpc_id = module.vpc.id
108 | 
109 |   egress {
110 |     from_port       = 0
111 |     to_port         = 0
112 |     protocol        = "-1"
113 |     cidr_blocks     = ["0.0.0.0/0"]
114 |   }
115 | 
116 |   tags = merge(
117 |   local.workspace["tags"],
118 |   {
119 |     Name = "${local.workspace["name"]}-lambda"
120 |   }
121 |   )
122 | }
123 | 
124 | resource "aws_ssm_parameter" "vpc_secuirty_group" {
125 |   name        = "/infrastructure/vpc/security_group"
126 |   description = "VPC security group for lambda"
127 |   type        = "String"
128 |   value       = aws_security_group.lambda.id
129 | }


--------------------------------------------------------------------------------
/master/account/config.tf:
--------------------------------------------------------------------------------
 1 | 
 2 | module "cloudtrail" {
 3 |   source         = "git@github.com:willfarrell/terraform-account-modules//cloudtrail?ref=v0.0.5"
 4 |   name           = local.workspace["name"]
 5 |   logging_bucket = module.edge-logs.id
 6 |   providers = {
 7 |     aws = aws.edge
 8 |   }
 9 | }
10 | 
11 | module "edge-logs" {
12 |   source = "git@github.com:willfarrell/terraform-logs-module?ref=v0.5.7"
13 |   name   = "${local.workspace["name"]}-${local.workspace["env"]}-edge"
14 |   providers = {
15 |     aws = aws.edge
16 |   }
17 |   tags = {
18 |     Name = "Edge Logs"
19 |   }
20 | }
21 | 


--------------------------------------------------------------------------------
/master/account/iam.tf:
--------------------------------------------------------------------------------
 1 | 
 2 | # May need to comment out until after module.organization.sub_accounts exists
 3 | module "groups" {
 4 |   source       = "git@github.com:willfarrell/terraform-account-modules//groups?ref=v0.0.5"
 5 |   type         = "master"
 6 |   sub_accounts = module.organization.sub_accounts
 7 |   providers = {
 8 |     aws = aws.edge
 9 |   }
10 | }
11 | 
12 | module "roles" {
13 |   source         = "git@github.com:willfarrell/terraform-account-modules//roles?ref=v0.0.5"
14 |   type           = "master"
15 |   sub_accounts   = module.organization.sub_accounts
16 |   enable_ecr     = true
17 |   enable_bastion = true
18 |   providers = {
19 |     aws = aws.edge
20 |   }
21 | }
22 | 
23 | output "groups" {
24 |   value = module.groups.list
25 | }
26 | 
27 | output "role_arns" {
28 |   value = module.roles.arns
29 | }
30 | 
31 | output "bastion_role_arns" {
32 |   value = module.roles.bastion_arns
33 | }
34 | 


--------------------------------------------------------------------------------
/master/account/locals.tf:
--------------------------------------------------------------------------------
 1 | locals {
 2 |   env = {
 3 |     default = {
 4 |       env     = terraform.workspace
 5 |       profile = "{**PROFILE**}"
 6 |       name    = "{**NAME**}"
 7 |       region  = "ca-central-1"
 8 | 
 9 |       account_email = "aws-root@example.com"
10 | 
11 |       sub_accounts = ["production", "staging", "testing", "development"]
12 |     }
13 |   }
14 | 
15 |   workspace = merge(local.env["default"], local.env[terraform.workspace])
16 | }
17 | 
18 | output "workspace" {
19 |   value = terraform.workspace
20 | }
21 | 


--------------------------------------------------------------------------------
/master/account/main.tf:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   backend "s3" {
 3 |     bucket         = "terraform-state-{**NAME**}"
 4 |     key            = "master/account/terraform.tfstate"
 5 |     region         = "us-east-1"
 6 |     profile        = "{**PROFILE**}"
 7 |     dynamodb_table = "terraform-state-{**NAME**}"
 8 |   }
 9 | }
10 | 
11 | provider "aws" {
12 |   profile = local.workspace["profile"]
13 |   region  = local.workspace["region"]
14 | }
15 | 
16 | provider "aws" {
17 |   profile = local.workspace["profile"]
18 |   region  = "us-east-1"
19 |   alias   = "edge"
20 | }
21 | 
22 | # Output
23 | data "aws_caller_identity" "current" {}
24 | 
25 | output "account_id" {
26 |   value = data.aws_caller_identity.current.account_id
27 | }
28 | 


--------------------------------------------------------------------------------
/master/account/organization.tf:
--------------------------------------------------------------------------------
 1 | module "organization" {
 2 |   source        = "git@github.com:willfarrell/terraform-account-modules//organization?ref=v0.0.5"
 3 |   account_email = local.workspace["account_email"]
 4 |   sub_accounts  = local.workspace["sub_accounts"]
 5 | }
 6 | 
 7 | output "sub_accounts" {
 8 |   value = module.organization.sub_accounts
 9 | }
10 | 


--------------------------------------------------------------------------------
/master/account/versions.tf:
--------------------------------------------------------------------------------
1 | 
2 | terraform {
3 |   required_version = ">= 0.12"
4 | }
5 | 


--------------------------------------------------------------------------------
/master/operations/ami.tf:
--------------------------------------------------------------------------------
 1 | 
 2 | module "amis" {
 3 |   source       = "git@github.com:willfarrell/terraform-ec-modules//ami?ref=v0.0.1"
 4 |   sub_accounts = data.terraform_remote_state.master.outputs.sub_accounts
 5 |   images = [
 6 |     "amzn2-ami-hvm-*-x86_64-bastion",
 7 |     "amzn2-ami-hvm-*-x86_64-ecs",
 8 |     "amzn-ami-hvm-*-x86_64-nat"
 9 |   ]
10 | }
11 | 


--------------------------------------------------------------------------------
/master/operations/dns.tf:
--------------------------------------------------------------------------------
1 | 
2 | # Enable logging
3 | module "route53-logs" {
4 |   source = "git@github.com:willfarrell/terraform-account-modules//route53?ref=v0.0.1"
5 | }
6 | 


--------------------------------------------------------------------------------
/master/operations/ecr.tf:
--------------------------------------------------------------------------------
 1 | 
 2 | module "ecr_app" {
 3 |   source = "git@github.com:willfarrell/terraform-ec-modules//ecr?ref=v0.0.1"
 4 |   name   = "${local.workspace["name"]}-app"
 5 | }
 6 | 
 7 | output "ecr_app_url" {
 8 |   value = module.ecr_app.url
 9 | }
10 | 


--------------------------------------------------------------------------------
/master/operations/locals.tf:
--------------------------------------------------------------------------------
 1 | locals {
 2 |   env = {
 3 |     default = {
 4 |       env     = terraform.workspace
 5 |       profile = "{**PROFILE**}"
 6 |       name    = "{**NAME**}"
 7 |       region  = "ca-central-1"
 8 |     }
 9 |   }
10 | 
11 |   workspace = merge(local.env["default"], local.env[terraform.workspace])
12 | }
13 | 
14 | output "workspace" {
15 |   value = terraform.workspace
16 | }
17 | 


--------------------------------------------------------------------------------
/master/operations/main.tf:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   backend "s3" {
 3 |     bucket         = "terraform-state-{**NAME**}"
 4 |     key            = "master/operations/terraform.tfstate"
 5 |     region         = "us-east-1"
 6 |     profile        = "{**PROFILE**}"
 7 |     dynamodb_table = "terraform-state-{**NAME**}"
 8 |   }
 9 | }
10 | 
11 | provider "aws" {
12 |   profile = local.workspace["profile"]
13 |   region  = local.workspace["region"]
14 | }
15 | 
16 | provider "aws" {
17 |   profile = local.workspace["profile"]
18 |   region  = "us-east-1"
19 |   alias   = "edge"
20 | }
21 | 
22 | data "terraform_remote_state" "master" {
23 |   backend = "s3"
24 | 
25 |   config = {
26 |     bucket  = "terraform-state-${local.workspace["name"]}"
27 |     key     = "master/account/terraform.tfstate"
28 |     region  = "us-east-1"
29 |     profile = local.workspace["profile"]
30 |   }
31 | }
32 | 


--------------------------------------------------------------------------------
/master/operations/versions.tf:
--------------------------------------------------------------------------------
1 | 
2 | terraform {
3 |   required_version = ">= 0.12"
4 | }
5 | 


--------------------------------------------------------------------------------
/master/state/main.tf:
--------------------------------------------------------------------------------
 1 | variable "name" {
 2 |   type    = string
 3 |   default = "{**NAME**}"
 4 | }
 5 | 
 6 | variable "profile" {
 7 |   type    = string
 8 |   default = "{**PROFILE**}"
 9 | }
10 | 
11 | provider "aws" {
12 |   region  = "us-east-1"
13 |   profile = var.profile
14 | }
15 | 
16 | module "state" {
17 |   source = "git@github.com:willfarrell/terraform-state-module?ref=v0.2.1"
18 |   name   = var.name
19 | }
20 | 
21 | output "backend_s3_dynamodb_table" {
22 |   value = module.state.dynamodb_table_id
23 | }
24 | 
25 | output "backend_s3_region" {
26 |   value = "us-east-1"
27 | }
28 | 
29 | output "backend_s3_bucket" {
30 |   value = module.state.s3_bucket_id
31 | }
32 | 


--------------------------------------------------------------------------------
/master/state/versions.tf:
--------------------------------------------------------------------------------
1 | 
2 | terraform {
3 |   required_version = ">= 0.12"
4 | }
5 | 


--------------------------------------------------------------------------------
/package.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "name": "app-infrastructure",
 3 |   "version": "1.0.0",
 4 |   "description": "",
 5 |   "private": true,
 6 |   "scripts": {
 7 |     "install:npm": "find . -name package.json -not -path \"*/node_modules/*\" -exec bash -c \"npm --prefix \\$(dirname {}) install --production --no-audit\" \\;",
 8 |     "build:apig": "echo 'make apig routes'",
 9 |     "build:docker": "find . -name Dockerfile -exec bash -c \"echo $(dirname {})\"",
10 |     "lint": "npm run lint:tf && npm run lint:js",
11 |     "lint:tf": "terraform fmt -recursive -list=false",
12 |     "lint:js": "prettier-standard './**/*.{js,json}'",
13 |     "test": "echo \"Error: no test specified\" && exit 1"
14 |   },
15 |   "devDependencies": {
16 |     "@commitlint/cli": "8.0.0",
17 |     "@commitlint/config-conventional": "8.0.0",
18 |     "husky": "3.0.0",
19 |     "lint-staged": "9.1.0",
20 |     "prettier-standard-cli": "11.0.6"
21 |   },
22 |   "commitlint": {
23 |     "extends": [
24 |       "@commitlint/config-conventional",
25 |       "@commitlint/config-lerna-scopes"
26 |     ]
27 |   },
28 |   "lint-staged": {
29 |     "./**/*.{js,json}": [
30 |       "npm run lint:js",
31 |       "git add"
32 |     ]
33 |   }
34 | }
35 | 


--------------------------------------------------------------------------------