Skip to content

Terraform module for provisioning Flightdeck application resources in AWS

License

Notifications You must be signed in to change notification settings

thoughtbot/terraform-flightdeck-aws-application

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

23 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Flightdeck AWS Application

This Terraform module provisions AWS resources for running an application on Flightdeck.

Example

module "production" {
  source = "[email protected]:thoughtbot/terraform-flightdeck-aws-application.git?ref=v0.1.0"

  # Required
  cluster_names = ["example-production-v1"]
  name          = "example"
  stage         = "production"

  # Generate a secret key
  generate_secret_key = true
  secret_key_variable = "SECRET_KEY_BASE"

  # Postgres
  postgres_enabled               = true
  postgres_allocated_storage     = 64
  postgres_engine_version        = "14.8"
  postgres_identifier            = "example-red"
  postgres_instance_class        = "db.t4g.large"
  postgres_max_allocated_storage = 128

  # Redis
  redis_enabled       = true
  redis_name          = "example-production-blue"
  redis_node_type     = "cache.m6g.large"
  redis_replica_count = 1

  # S3
  s3_enabled     = true
  s3_bucket_name = "example-uploads"

  # Sentry DSN
  sentry_enabled      = true
  sentry_organization = "myorg"
  sentry_project      = "example"

  # Developer managed secrets
  developer_managed_secrets = {
    Email = ["SMTP_USERNAME", "SMTP_PASSWORD"]
  }

  # AWS IAM Identity Center permissions
  readwrite_permission_sets = ["DeveloperAccess"]
  secret_permission_sets    = ["SecretsAccess"]
}

This module is designed as a quick start to cover the most common cases for applications running on Flightdeck. If you need additional resources for your application or want to customize further than the variables allow, you can clone this module into a directory in your Terraform project and use a local module reference.

This module can be combined with the application-config module to quickly create necessary base resources in the target cluster:

module "production_v1" {
  source    = "github.com/thoughtbot/flightdeck//aws/application-config?ref=v0.10.0"
  providers = { kubernetes = kubernetes.production_v1 }

  developer_group         = "developer"
  enable_exec             = true
  namespace               = module.production.namespace
  secrets_manager_secrets = module.production.secrets_manager_secrets
  pod_service_account     = module.production.service_account_name
  pod_iam_role            = module.production.pod_role_arn

  depends_on = [module.production]
}

Requirements

Name Version
terraform >= 1.4.2
aws ~> 4.0
random ~> 3.0

Providers

Name Version
aws ~> 4.0
random ~> 3.0

Modules

Name Source Version
cluster github.com/thoughtbot/flightdeck//aws/cluster-name v0.9.0
deploy_role github.com/thoughtbot/terraform-eks-cicd//modules/github-actions-eks-deploy-role v0.2.0
developer_managed_secrets github.com/thoughtbot/terraform-aws-secrets//user-managed-secret v0.5.0
network github.com/thoughtbot/flightdeck//aws/network-data v0.9.0
pod_policy github.com/thoughtbot/flightdeck//aws/service-account-policy v0.9.0
pod_role github.com/thoughtbot/flightdeck//aws/service-account-role v0.9.0
postgres github.com/thoughtbot/terraform-aws-databases//rds-postgres/primary-instance v0.4.0
postgres_admin_login github.com/thoughtbot/terraform-aws-databases//rds-postgres/admin-login v0.4.0
redis github.com/thoughtbot/terraform-aws-databases//elasticache-redis/replication-group v0.4.0
redis_token github.com/thoughtbot/terraform-aws-databases//elasticache-redis/auth-token v0.4.0
s3_bucket github.com/thoughtbot/terraform-s3-bucket v0.3.0
secret_key github.com/thoughtbot/terraform-aws-secrets//random-secret v0.6.0
secrets_policy github.com/thoughtbot/terraform-aws-secrets//read-secret-policy v0.6.0
sentry_dsn github.com/thoughtbot/terraform-aws-sentry-dsn v0.3.0
sso_roles github.com/thoughtbot/terraform-aws-sso-permission-set-roles v0.2.0

Resources

Name Type
random_id.parameter_group resource
aws_iam_role.execution data source
aws_ssm_parameter.prometheus_workspace_id data source

Inputs

Name Description Type Default Required
cluster_names Names of EKS clusters for application list(string) n/a yes
deploy_role_name Override the name of the deploy role string null no
developer_managed_secrets Secrets managed manually by developers map(list(string)) {} no
execution_role_arns ARNs of execution roles allowed to manage this application list(string) [] no
execution_role_names Names of execution roles allowed to manage this application list(string)
[
"terraform-execution"
]
no
github_branches GitHub branches allowed to deploy to this instance list(string) n/a yes
github_iam_oidc_provider_arn ARN for the GitHub Actions IAM OIDC provider string n/a yes
github_organization GitHub organization allowed to deploy to this instance string n/a yes
github_repository GitHub repository allowed to deploy to this instance string n/a yes
name Name of this application string n/a yes
postgres_admin_username Username for the admin user string "postgres" no
postgres_allocated_storage Size in GB for the database instance number n/a yes
postgres_apply_immediately Set to true to immediately apply changes and cause downtime bool false no
postgres_default_database Name of the default database string "postgres" no
postgres_enabled Set to true to enable creation of the Postgres database bool false no
postgres_engine_version Version for RDS database engine string n/a yes
postgres_identifier Unique identifier for this database string n/a yes
postgres_instance_class Tier for the database instance string n/a yes
postgres_max_allocated_storage Maximum size GB after autoscaling number n/a yes
postgres_storage_encrypted Set to false to disable encryption at rest bool true no
prometheus_workspace_name Name of the AMP workspace to which metrics will be written string null no
redis_enabled Set to true to enable creation of a Redis instance bool false no
redis_name Name of the ElastiCache instance for Redis string n/a yes
redis_node_type Node type for the ElastiCache instance for Redis string n/a yes
redis_replica_count Number of replicas for the Redis cluster number n/a yes
s3_bucket_name Name of the S3 bucket for ActiveStorage uploads string n/a yes
s3_enabled Set to true to enable creation of an S3 bucket bool false no
s3_read_principals Additional principals able to read S3 data list(string) n/a yes
s3_readwrite_principals Additional principals able to read and write S3 data list(string) n/a yes
secret_key_variable Name of the environment variable for the application secret key string "SECRET_KEY_BASE" no
sentry_organization Slug of the Sentry organization string n/a yes
sentry_project Slug of the Sentry project string n/a yes
service_account_name Name of the Kubernetes service account for the application string null no
stage Software development lifecycle stage for this tenant string n/a yes

Outputs

Name Description
deploy_role_arn ARN of the IAM role for deploying to this Kubernetes namespace
deploy_role_name Name of the IAM role for deploying to this Kubernetes namespace
namespace Kubernetes namespace to which this application deploys
pod_role_arn ARN of the IAM role for Kubernetes pods
secrets_manager_secrets SecretsManager environment variables
service_account_name Name of the Kubernetes service account

Contributing

Please see CONTRIBUTING.md.

License

This module is Copyright © 2024 Joe Ferris and thoughtbot. It is free software, and may be redistributed under the terms specified in the LICENSE file.

About thoughtbot

thoughtbot

This repo is maintained and funded by thoughtbot, inc. The names and logos for thoughtbot are trademarks of thoughtbot, inc.

We love open source software! See our other projects. We are available for hire.

About

Terraform module for provisioning Flightdeck application resources in AWS

Resources

License

Code of conduct

Security policy

Stars

Watchers

Forks

Sponsor this project

 

Packages

No packages published