
Terraform Service Catalog Engine - Terraform Community Edition

The AWS Service Catalog Terraform Community Engine (TCE) provides an example for you to configure and install a Terraform engine in your AWS Service Catalog administrator account. The TCE deploys the core components needed to support Terraform Community Edition as an EXTERNAL AWS Service Catalog provisioning engine. With the engine installed into your account, you can use AWS Service Catalog as a single tool to organize, govern, and distribute your Terraform configurations within AWS. For more information about Terraform and AWS Service Catalog, see Getting started with Terraform.

AWS Service Catalog Engine Core (the `core` module listed under Modules) is deployed as part of the AWS Service Catalog Terraform Community Engine; together they perform the following tasks:

  1. The Terraform Community Engine receives messages from the AWS Service Catalog queues and forwards each message to an AWS Step Functions state machine.
  2. The AWS Step Functions workflow handles the request. The Terraform operations run in AWS CodeBuild.
  3. The Terraform engine sends the provisioning results back to the AWS Service Catalog service.

Architecture

SCE Core Architecture

Terraform Community Engine Workflow

  1. An AWS Step Functions state machine manages the Terraform provisioning workflow.
  2. An AWS CodeBuild task is triggered for the update, provision or terminate operation.
  3. For provision and update operations, the Terraform runner in AWS CodeBuild performs `terraform apply` to create or update the AWS resources.
  4. For terminate operations, the Terraform runner in AWS CodeBuild performs `terraform destroy` to remove the AWS resources.
  5. Depending on the Terraform runner's result, the AWS Service Catalog product is notified.
  6. Developers are also notified of AWS CodeBuild task success or failure through Amazon Simple Notification Service (SNS).
  7. When AWS CodeBuild runs `terraform apply` to provision or update an AWS Service Catalog product, it notifies AWS Service Catalog directly only when the Terraform runner returns a failure.
  8. When AWS CodeBuild runs `terraform destroy` to terminate an AWS Service Catalog product, it notifies AWS Service Catalog of both a succeeded and a failed response from the Terraform runner.
  9. For any succeeded result from the Terraform runner in AWS CodeBuild, the AWS Step Functions state machine parses the success results and notifies AWS Service Catalog using AWS Lambda functions.
  10. One AWS Lambda function fetches the state file from the S3 state bucket and parses the outputs recorded in it.
  11. After the outputs are collected, another AWS Lambda function sends the success notification and the output values of the Terraform provision or update back to AWS Service Catalog.

Requirements

| Name | Version |
|---|---|
| terraform | >= 1.3.0 |
| archive | >= 2.4.0 |
| aws | >= 5.0.0 |
| null | >= 3.2.2 |

Providers

| Name | Version |
|---|---|
| archive | >= 2.4.0 |
| aws | >= 5.0.0 |

Modules

| Name | Source | Version |
|---|---|---|
| build | ./modules/dependency-builder | n/a |
| core | git::https://github.com/aws-ia/terraform-aws-sce-core.git | 481e8d1a40f2a6b62710bd95f69884e0c0082d41 |
| label | git::https://github.com/aws-ia/terraform-aws-label.git | 9595b11aadf520f5ee3c210848802c414441236f |

Resources

| Name | Type |
|---|---|
| aws_cloudwatch_log_group.sce_codebuild_runner | resource |
| aws_cloudwatch_log_group.sce_lambda_get_state_file_outputs | resource |
| aws_cloudwatch_log_group.sce_lambda_notify_provision_update_result | resource |
| aws_cloudwatch_log_group.sce_lambda_provisioning_handler | resource |
| aws_cloudwatch_log_group.sce_sfn_manage_provisioned_product | resource |
| aws_codebuild_project.sce_runner | resource |
| aws_iam_policy.aws_lambda_basic_execution | resource |
| aws_iam_policy.aws_lambda_vpc_access_execution | resource |
| aws_iam_policy.aws_lambda_xray_write_only_access | resource |
| aws_iam_role.sce_codebuild_runner | resource |
| aws_iam_role.sce_lambda_get_state_file_outputs | resource |
| aws_iam_role.sce_lambda_notify_provision_update_result | resource |
| aws_iam_role.sce_lambda_provisioning_handler | resource |
| aws_iam_role.sce_sfn_manage_provisioned_product | resource |
| aws_iam_role_policy.sce_codebuild_runner | resource |
| aws_iam_role_policy.sce_lambda_get_state_file_outputs | resource |
| aws_iam_role_policy.sce_lambda_notify_provision_update_result | resource |
| aws_iam_role_policy.sce_lambda_provisioning_handler | resource |
| aws_iam_role_policy.sce_sfn_manage_provisioned_product | resource |
| aws_iam_role_policy_attachment.sce_lambda_get_state_file_outputs | resource |
| aws_iam_role_policy_attachment.sce_lambda_notify_provision_update_result | resource |
| aws_iam_role_policy_attachment.sce_lambda_provisioning_handler | resource |
| aws_kms_alias.tfc | resource |
| aws_kms_key.tfc | resource |
| aws_lambda_event_source_mapping.sce_provision_queue | resource |
| aws_lambda_event_source_mapping.sce_terminate_queue | resource |
| aws_lambda_event_source_mapping.sce_update_queue | resource |
| aws_lambda_function.sce_get_state_file_outputs | resource |
| aws_lambda_function.sce_notify_provision_update_result | resource |
| aws_lambda_function.sce_provisioning_handler | resource |
| aws_lambda_layer_version.sce_terraform_community_layer | resource |
| aws_s3_bucket.sce_access_logs | resource |
| aws_s3_bucket.sce_logging | resource |
| aws_s3_bucket.sce_terraform_state | resource |
| aws_s3_bucket_lifecycle_configuration.sce_access_logs | resource |
| aws_s3_bucket_lifecycle_configuration.sce_logging | resource |
| aws_s3_bucket_logging.sce_logging | resource |
| aws_s3_bucket_logging.sce_terraform_state | resource |
| aws_s3_bucket_policy.sce_access_logs | resource |
| aws_s3_bucket_policy.sce_logging | resource |
| aws_s3_bucket_policy.sce_terraform_state | resource |
| aws_s3_bucket_public_access_block.sce_logging | resource |
| aws_s3_bucket_public_access_block.sce_logging_bucket | resource |
| aws_s3_bucket_public_access_block.sce_terraform_state | resource |
| aws_s3_bucket_server_side_encryption_configuration.sce_access_logs | resource |
| aws_s3_bucket_server_side_encryption_configuration.sce_logging | resource |
| aws_s3_bucket_server_side_encryption_configuration.sce_terraform_state | resource |
| aws_s3_bucket_versioning.sce_access_logs | resource |
| aws_s3_bucket_versioning.sce_logging | resource |
| aws_s3_bucket_versioning.sce_terraform_state | resource |
| aws_s3_object.terraform_parameter_parser | resource |
| aws_s3_object.terraform_runner | resource |
| aws_sfn_state_machine.sce_manage_provisioned_product | resource |
| aws_sns_topic.sns_codebuild_result_notify_topic | resource |
| aws_sns_topic_policy.sns_codebuild_result_notify_topic | resource |
| aws_sns_topic_subscription.sns_codebuild_result_notify_topic | resource |
| aws_ssm_parameter.ssh_key | resource |
| archive_file.sce_get_state_file_outputs | data source |
| archive_file.sce_notify_provision_update_result | data source |
| archive_file.sce_provisioning_handler | data source |
| archive_file.sce_terraform_community_layer | data source |
| archive_file.terraform_parameter_parser | data source |
| archive_file.terraform_runner | data source |
| aws_caller_identity.current | data source |
| aws_iam_policy.AWSLambdaBasicExecutionRole | data source |
| aws_iam_policy.AWSLambdaVPCAccessExecutionRole | data source |
| aws_iam_policy.AWSXrayWriteOnlyAccess | data source |
| aws_partition.current | data source |
| aws_region.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| cloudwatch_log_group_retention | Number of days to keep CloudWatch log groups for Lambda functions. 0 = never expire | string | "0" | no |
| create_ssh_key_ssm_parameter | Boolean flag indicating whether an SSM parameter will be created for an SSH key. If created, it defaults to the value REPLACE_ME and must be updated outside of this module. | bool | false | no |
| label_id_order | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | list(string) | ["name", "namespace", "stage"] | no |
| s3_access_logging_expiration_days | Number of days to retain access logs in the S3 logs bucket | string | "365" | no |
| s3_force_destroy | Set to true if you want to force-delete the S3 buckets created by this module (including their contents) | bool | false | no |
| s3_logs_expiration_days | Number of days to retain solution-related logs in the S3 logs bucket | string | "365" | no |
| sfn_log_level | Defines which category of execution history events is logged. Valid values: ALL, ERROR, FATAL, OFF | string | "ALL" | no |
| sns_topic_email_addresses | The email addresses to notify about AWS CodeBuild success or failure | list(string) | [] | no |
| ssh_key_ssm_parameter_path | The SSM parameter path containing a private SSH key for cloning modules from private Git repositories. | string | "/sce/tf/ssh-key" | no |
| stage | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release'. | string | null | no |
| tags | Map of tags to apply to resources deployed by this solution. | map(any) | null | no |
| vpc_id | VPC ID to use if leveraging an existing VPC for the solution. Otherwise, a VPC will be created as part of deployment. | string | null | no |
| vpc_private_subnet_ids | Required if vpc_id is specified. List of private subnets to use in the provided vpc_id | list(string) | null | no |
| vpc_security_group_ids | Required if vpc_id is specified. List of security groups to use in the provided vpc_id | list(string) | null | no |
| x_ray_tracing_enabled | When set to true, AWS X-Ray tracing is enabled. | bool | true | no |

Outputs

| Name | Description |
|---|---|
| sce_parameter_parser_role_arn | Parameter parser Lambda function IAM role ARN. You need to allow this role to assume the portfolio launch role. |
| terraform_execution_role | CodeBuild IAM role ARN. You need to allow this role to assume the portfolio launch role. |
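The following is an added example, not code from this module or from the aws-ia project, that ties the Inputs and Outputs tables together: it calls the module with the documented inputs (keeping the logging, retention and tracing settings tightened rather than relaxed, and supplying the subnet and security-group lists that become mandatory once `vpc_id` is set), then builds a portfolio launch role whose trust policy admits the two engine roles the module exports. The module `source` path, the module label `sce_tce`, the role name, the notification address and every VPC, subnet and security-group ID are placeholders; the `servicecatalog.amazonaws.com` service principal on the launch role is the standard AWS Service Catalog launch-role trust and is not taken from this page.

```hcl
# Added example, not part of the module. Placeholders are marked inline.

module "sce_tce" {
  source = "../terraform-aws-sce-tce" # placeholder: point at this module's real source

  stage = "prod"

  # Bound Lambda log retention instead of the default "0" (never expire).
  cloudwatch_log_group_retention = "90"

  # Keep the state, logs and access-log buckets non-destroyable in production;
  # set true only for disposable test deployments.
  s3_force_destroy                  = false
  s3_logs_expiration_days           = "365"
  s3_access_logging_expiration_days = "365"

  # Record every Step Functions execution history event and keep X-Ray on,
  # so failed or unexpected provisioning runs are fully traceable.
  sfn_log_level         = "ALL"
  x_ray_tracing_enabled = true

  # Developers notified of CodeBuild success or failure (placeholder address).
  sns_topic_email_addresses = ["platform-team@example.com"]

  # Using an existing VPC requires both lists; the module creates a VPC otherwise.
  vpc_id                 = "vpc-0123456789abcdef0"      # placeholder
  vpc_private_subnet_ids = ["subnet-0123456789abcdef0"] # placeholder
  vpc_security_group_ids = ["sg-0123456789abcdef0"]     # placeholder

  # Create the SSM parameter for the Git SSH key at the default path. The module
  # seeds it with REPLACE_ME; the real key is written outside Terraform so it
  # never lands in state or version control.
  create_ssh_key_ssm_parameter = true
  ssh_key_ssm_parameter_path   = "/sce/tf/ssh-key"

  tags = {
    Owner = "platform-team" # placeholder
  }
}

# Portfolio launch role. AWS Service Catalog assumes it, and so may the two
# engine roles exported by the module: the parameter parser Lambda role and the
# CodeBuild runner (Terraform execution) role.
data "aws_iam_policy_document" "launch_role_trust" {
  statement {
    sid     = "ServiceCatalogAssume"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["servicecatalog.amazonaws.com"]
    }
  }

  statement {
    sid     = "EngineRolesAssume"
    actions = ["sts:AssumeRole"]
    principals {
      type = "AWS"
      identifiers = [
        module.sce_tce.sce_parameter_parser_role_arn,
        module.sce_tce.terraform_execution_role,
      ]
    }
  }
}

resource "aws_iam_role" "sce_launch_role" {
  name               = "SCELaunchRole" # placeholder name
  assume_role_policy = data.aws_iam_policy_document.launch_role_trust.json
}
```

The launch role's permissions policy is deliberately omitted: it should grant only the actions the catalogued Terraform products actually provision, and is attached per portfolio. Trusting the exact role ARNs from the module outputs, rather than the whole account, keeps the set of principals that can act through the launch role limited to the engine's own Lambda and CodeBuild roles.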