# Sample Workload Infra

Sample infrastructure code in Terraform that is deployed into a target workload account. This code is pushed into the AWS CodeCommit repo for our sample.

- Sample Workload Infra
- Prerequisites
- To push the infra repo code into AWS CodeCommit in the central tooling account
- To deploy resources into the target workload accounts
- To destroy the resources in the target workload accounts
- Security
- License

The sample deploys two sets of resources:

- Regional resources: an external-facing ALB all the way down to the VPC.
- Global resources: an IAM role.
Once all resources are deployed (see the section on how to deploy resources), go to EC2 -> Load Balancers -> the `demo*` load balancer -> DNS Name. Copy the DNS name and open it in the browser (make sure to use `http://` and not `https://`).
## Prerequisites

- Set up the central tooling account as per its README in the sister repo aws-multi-region-cicd-with-terraform; that will create the AWS CodeCommit repo.

## To push the infra repo code into AWS CodeCommit in the central tooling account

- See the instructions in the sister repo aws-multi-region-cicd-with-terraform.

## To deploy resources into the target workload accounts

- See the instructions on how to kick off an infra pipeline (in the central tooling account) in the sister repo aws-multi-region-cicd-with-terraform.
## To destroy the resources in the target workload accounts

- If not done already, run `aws configure` with your IAM user credentials for the central tooling account and then assume InfraBuildRole:

  ```sh
  # You can use the one-liner below.
  # For details, see https://aws.amazon.com/premiumsupport/knowledge-center/iam-assume-role-cli/
  OUT=$(aws sts assume-role --role-arn arn:aws:iam::111122223333:role/InfraBuildRole --role-session-name INFRA_BUILD); export AWS_ACCESS_KEY_ID=$(echo "$OUT" | jq -r '.Credentials.AccessKeyId'); export AWS_SECRET_ACCESS_KEY=$(echo "$OUT" | jq -r '.Credentials.SecretAccessKey'); export AWS_SESSION_TOKEN=$(echo "$OUT" | jq -r '.Credentials.SessionToken')

  # Verify you assumed the role
  aws sts get-caller-identity
  {
      "UserId": "AAA:INFRA_BUILD",
      "Account": "111122223333",
      "Arn": "arn:aws:sts::111122223333:assumed-role/InfraBuildRole/INFRA_BUILD"
  }
  ```

- Use the regional resources destroy shell script in this repo to generate the tf plan for the account and region:

  ```sh
  ./scripts/run-tf-regional-destroy.sh -t <tag> -b <tf_backend_config_prefix> -r <tf_state_region> -g <global_resource_deployment_region>
  # Ex: ./scripts/run-tf-regional-destroy.sh -t dev_us-east-1/research/1.0 -g eu-central-1 -r eu-central-1 -b org-awesome-tf-state
  ```

  Inspect the tf plan and then run `terraform apply "tfplan"`.

- Then, use the global resources destroy shell script in this repo to generate the tf plan for the account:

  ```sh
  ./scripts/run-tf-global-destroy.sh -t <tag> -b <tf_backend_config_prefix> -r <tf_state_region> -g <global_resource_deployment_region>
  # Ex: ./scripts/run-tf-global-destroy.sh -t dev_global/research/1.0 -g eu-central-1 -r eu-central-1 -b org-awesome-tf-state
  ```

  Inspect the tf plan and then run `terraform apply "tfplan"`.
## Security

See CONTRIBUTING for more information.

## License

This library is licensed under the MIT-0 License. See the LICENSE file.
## Requirements

| Name | Version |
|---|---|
| terraform | > 0.14 |
| aws | ~> 3.74 |

## Providers

| Name | Version |
|---|---|
| aws | 3.74.2 |

## Modules

| Name | Source | Version |
|---|---|---|
| global | ./modules/global | n/a |
| regional | ./modules/regional | n/a |

## Resources

| Name | Type |
|---|---|
| aws_caller_identity.current | data source |
| aws_region.current | data source |

## Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| account | Target AWS account number | number | n/a | yes |
| env | Environment name | string | n/a | yes |
| number_of_azs | Number of AZs to deploy to | number | 2 | no |
| region | Target region | string | n/a | yes |

## Outputs

| Name | Description |
|---|---|
| account_id | The effective account id in which Terraform is operating |
| caller_arn | The effective user ARN that Terraform is running as |
| caller_user | The effective user id that Terraform is running as |
| region | The region in which Terraform is operating |
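As an added example (not code from this sample repo), a root `main.tf` that declares the documented `account`, `env` and `region` inputs with validation and pins the provider to the target account via `allowed_account_ids`, so a run started with a stale or wrong role session fails before any plan is produced. The provider `assume_role` block and the `WorkloadDeployRole` name are assumptions; the sample's actual provider wiring is not shown on this page.

```hcl
# Added example, not the sample repo's own code: wires the documented inputs
# to the AWS provider so a pipeline run cannot land in the wrong account.
# The WorkloadDeployRole name is a hypothetical assumption.
terraform {
  required_version = "> 0.14"
  required_providers {
    aws = { source = "hashicorp/aws", version = "~> 3.74" }
  }
}

variable "account" {
  description = "Target AWS account number"
  type        = number
  validation {
    condition     = can(regex("^[0-9]{12}$", tostring(var.account)))
    error_message = "account must be a 12-digit AWS account id."
  }
}

variable "env" {
  description = "Environment name"
  type        = string
}

variable "region" {
  description = "Target region"
  type        = string
  validation {
    condition     = can(regex("^[a-z]{2}(-[a-z]+)+-[0-9]+$", var.region))
    error_message = "region must be an AWS region name such as eu-central-1."
  }
}

provider "aws" {
  region = var.region
  # Fail fast if the credentials in use resolve to any account other than the
  # target workload account (e.g. a leftover role session in the shell).
  allowed_account_ids = [tostring(var.account)]
  # Hypothetical: the workload account exposes this role for deployments and
  # trusts the tooling account's build role to assume it.
  assume_role {
    role_arn     = "arn:aws:iam::${var.account}:role/WorkloadDeployRole"
    session_name = "tf-${var.env}"
  }
}
```

With this in place, `terraform plan` against a mismatched account stops with a provider error instead of silently planning a destroy in the wrong place.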