License: Unlicense GitHub pull-requests closed GitHub pull-requests GitHub issues-closed GitHub issues terraform-infra-provisioning checkov-static-analysis-scan Generate terraform docs


Motivation

Amazon ElastiCache supports Redis and Memcached. If you want an in-memory caching solution for your application, check out the AWS-Docs. In this repository I cover two use cases:


- Use-Case 1: Create an Amazon ElastiCache for Redis cluster using Terraform, and
- Use-Case 2: Create an Amazon ElastiCache for Redis cluster and Amazon EC2 instances to access the cluster using Terraform.


If you are interested in Use-case 1, please refer to the create-amazon-elasticache branch.

For Use-case 2, this repository has the Terraform code to provision an Amazon ElastiCache for Redis cluster and all the supporting infrastructure components like Amazon VPC, subnets, security group, AWS KMS key, and AWS Secrets Manager secret. It also has additional AWS cloud resources like:
- an internet gateway and a route to it in the route table attached to the public subnet
- an IAM instance profile with an attached IAM role that carries the two existing IAM policies granting read access to the SSM Parameter Store and AWS Secrets Manager. Those two services hold the ElastiCache endpoint and the auth_token that were created in Use-case 1.
- two Amazon EC2 instances in the public subnet with separate user data scripts that install Python libraries and create the Python files inside the instances.
The process of provisioning is automated using GitHub Actions.
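The two access-control pieces described above are worth seeing side by side: the read policy for the EC2 role should name only the two SSM parameters, the one secret and the KMS key that protects it, and the Redis port should be opened to the EC2 security group rather than to a CIDR block. The block below is an added illustration and is not this repository's own code; it reuses the resource addresses listed in the Resources table and the `var.name` and `var.region` inputs, but the policy statements, the `kms:ViaService` condition and the rule name `elasticache_ingress_from_ec2` are assumptions.

```hcl
# Added illustration, not the repository's code: least-privilege read access
# for the EC2 role plus a security-group-to-security-group ingress rule.
data "aws_iam_policy_document" "read_cache_config" {
  # Only the endpoint and port parameters, not the whole parameter store.
  statement {
    sid     = "ReadElastiCacheParameters"
    actions = ["ssm:GetParameter", "ssm:GetParameters"]
    resources = [
      aws_ssm_parameter.elasticache_ep.arn,
      aws_ssm_parameter.elasticache_port.arn,
    ]
  }

  # Only the auth token secret.
  statement {
    sid       = "ReadElastiCacheAuthToken"
    actions   = ["secretsmanager:GetSecretValue"]
    resources = [aws_secretsmanager_secret.elasticache_auth.arn]
  }

  # Decrypt with the secret's KMS key is allowed only when the call
  # arrives through Secrets Manager, not from the instance directly.
  statement {
    sid       = "DecryptAuthTokenSecret"
    actions   = ["kms:Decrypt"]
    resources = [aws_kms_key.encryption_secret.arn]
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = ["secretsmanager.${var.region}.amazonaws.com"]
    }
  }
}

resource "aws_iam_policy" "read_cache_config" {
  name   = "${var.name}-read-cache-config"
  policy = data.aws_iam_policy_document.read_cache_config.json
}

# Ingress to Redis (TCP/6379) is keyed to the EC2 security group, so only
# instances that carry that group can reach the cluster, whatever subnet
# they sit in.
resource "aws_security_group_rule" "elasticache_ingress_from_ec2" {
  type                     = "ingress"
  from_port                = 6379
  to_port                  = 6379
  protocol                 = "tcp"
  security_group_id        = aws_security_group.elasticache.id
  source_security_group_id = aws_security_group.ec2_instance.id
}
```

Attach the policy to `aws_iam_role.ec2_role` with an `aws_iam_role_policy_attachment`, and confirm with `terraform plan` that the rendered policy JSON contains only these ARNs and no wildcard resources.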


I discussed the concept in detail in my note: Connect to an Amazon ElastiCache cluster from an Amazon EC2 instance using Python.


I used Bridgecrew Checkov to scan the Terraform code for security vulnerabilities. If you are interested in adding code scanning to your GitHub Actions pipeline, see: automate-terraform-configuration-scan-with-checkov-and-github-actions.
I also used Infracost to generate a cost estimate for building the architecture. If you want to learn more about adding Infracost estimates to your repository, head over to this note: estimate AWS Cloud resource cost with Infracost, Terraform, and GitHub Actions.
Lastly, I automated the provisioning of the resources with a GitHub Actions pipeline, which I discussed in detail at: CI-CD with Terraform and GitHub Actions to deploy to AWS.

Prerequisites

For this code to function without errors, I created an OpenID Connect identity provider in Amazon Identity and Access Management that has a trust relationship with this GitHub repository. You can read about it here to get a detailed explanation with steps.
I stored the ARN of the IAM Role as a GitHub secret, which is referenced in the terraform.yml file.
Since I used Infracost in this repository, I stored the INFRACOST_API_KEY as a repository secret; it is referenced in the terraform.yml GitHub Actions workflow file. I also control the cost estimate process with a GitHub Actions variable INFRACOST_SCAN_TYPE, whose value is either hcl_code or tf_plan, depending on the type of scan desired.
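The trust relationship mentioned above is the part of the OIDC setup most worth checking, because a trust policy that only checks the audience lets any GitHub repository assume the role. The block below is an added example, not code from this repository: it looks up the existing GitHub OIDC provider by its URL and restricts `sts:AssumeRoleWithWebIdentity` to one repository and one branch. The role name and the `<OWNER>/<REPO>` placeholder are assumptions; substitute the real repository path.

```hcl
# Added example, not the repository's code: IAM role that only this GitHub
# repository's main branch can assume through the GitHub OIDC provider.
data "aws_iam_openid_connect_provider" "github" {
  url = "https://token.actions.githubusercontent.com"
}

data "aws_iam_policy_document" "github_oidc_trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [data.aws_iam_openid_connect_provider.github.arn]
    }

    # The token must be minted for STS.
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }

    # The subject claim pins the role to one repository and one branch.
    # Without this condition every GitHub repository could assume the role.
    condition {
      test     = "StringLike"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:<OWNER>/<REPO>:ref:refs/heads/main"]
    }
  }
}

resource "aws_iam_role" "github_actions" {
  name               = "github-actions-terraform" # assumed name
  assume_role_policy = data.aws_iam_policy_document.github_oidc_trust.json
}
```

Store `aws_iam_role.github_actions.arn` as the GitHub secret that terraform.yml reads, and widen the `sub` pattern (for example to pull requests or environments) only as far as the pipeline actually needs.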

Requirements

| Name | Version |
|------|---------|
| aws | 5.20.1 |
| random | 3.6.3 |

Providers

| Name | Version |
|------|---------|
| aws | 5.20.1 |
| random | 3.6.3 |

Modules

| Name | Source | Version |
|------|--------|---------|
| vpc | github.com/kunduso/terraform-aws-vpc | v1.0.1 |

Resources

| Name | Type |
|------|------|
| aws_cloudwatch_log_group.engine_log | resource |
| aws_cloudwatch_log_group.slow_log | resource |
| aws_elasticache_replication_group.app4 | resource |
| aws_elasticache_subnet_group.elasticache_subnet | resource |
| aws_iam_instance_profile.ec2_profile | resource |
| aws_iam_policy.secret_manager_policy | resource |
| aws_iam_policy.ssm_parameter_policy | resource |
| aws_iam_role.ec2_role | resource |
| aws_iam_role_policy_attachment.custom | resource |
| aws_iam_role_policy_attachment.secret_policy_attachement | resource |
| aws_iam_role_policy_attachment.ssm_policy_attachement | resource |
| aws_instance.app-server-read | resource |
| aws_instance.app-server-write | resource |
| aws_kms_alias.encryption_rest | resource |
| aws_kms_alias.encryption_secret | resource |
| aws_kms_key.encryption_rest | resource |
| aws_kms_key.encryption_secret | resource |
| aws_kms_key_policy.encryption_rest_policy | resource |
| aws_kms_key_policy.encryption_secret_policy | resource |
| aws_secretsmanager_secret.elasticache_auth | resource |
| aws_secretsmanager_secret_version.auth | resource |
| aws_security_group.ec2_instance | resource |
| aws_security_group.elasticache | resource |
| aws_security_group_rule.ec2_instance_egress | resource |
| aws_security_group_rule.ec2_instance_ingress | resource |
| aws_security_group_rule.elasticache_egress | resource |
| aws_security_group_rule.elasticache_ingress | resource |
| aws_ssm_parameter.elasticache_ep | resource |
| aws_ssm_parameter.elasticache_port | resource |
| random_password.auth | resource |
| aws_ami.amazon_ami | data source |
| aws_caller_identity.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| access_key | The access_key that belongs to the IAM user. | string | "" | no |
| ami_name | The AMI name of the image from which the instances will be created. | list(string) | ["amzn2-ami-amd-hvm-2.0.20230727.0-x86_64-gp2"] | no |
| instance_type | The instance type of the EC2 instances. | string | "t3.medium" | no |
| name | The name of the application. | string | "app-4" | no |
| region | AWS Cloud infrastructure region. | string | "us-east-2" | no |
| secret_key | The secret_key that belongs to the IAM user. | string | "" | no |
| subnet_cidr_private | CIDR blocks for the private subnets. | list(any) | ["10.20.32.0/27", "10.20.32.32/27", "10.20.32.64/27"] | no |
| subnet_cidr_public | CIDR blocks for the public subnets. | list(any) | ["10.20.32.96/27"] | no |
| vpc_cidr | CIDR for the VPC. | string | "10.20.32.0/25" | no |

Outputs

No outputs.

Usage

Ensure that the policy attached to the IAM role whose credentials are being used in this configuration has permission to create and manage all the resources that are included in this repository.


Review the code, including the terraform.yml, to understand the steps in the GitHub Actions pipeline. Also review the Terraform code to understand all the concepts associated with creating an AWS VPC, subnets, internet gateway, route table, and route table association.
If you want to check the pipeline logs, click on the Build Badge (terraform-infra-provisioning) above the image in this README.

Contributing

If you find any issues or have suggestions for improvement, feel free to open an issue or submit a pull request. Contributions are always welcome!

License

This code is released under the Unlicense License. See LICENSE.