terraform

Infrastructure as Code

Organization

To manage both dev and prod environments in the same AWS account, it's common to separate them using different VPCs. This keeps each environment's network isolated from the other. Below is a best-practice directory structure and file contents, following current Terraform standards and recommendations.

By initializing Terraform separately for each environment, you can manage your dev and prod environments independently. This setup allows you to maintain separate state files and configurations, ensuring that changes in one environment do not affect the other.
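As an added example (not the repository's own code), the pieces that make the separate-state setup above work: a versioned, non-public state bucket, the DynamoDB lock table, and a partial `backend "s3"` block whose state key is supplied per environment at `terraform init` time. Bucket and table names and the `environments/dev` and `environments/prod` directories are constructed placeholders, and the three storage resources are assumed to be bootstrapped from a separate configuration before the backend is switched to S3.

```hcl
# Bootstrap resources (created once, from a separate configuration using local state).
# Both environments share the bucket and lock table; each uses its own state key.
resource "aws_s3_bucket" "terraform_state" {
  bucket = "example-org-terraform-state" # constructed placeholder name
}

# Versioning lets you roll back a state file that was overwritten or corrupted.
resource "aws_s3_bucket_versioning" "terraform_state" {
  bucket = aws_s3_bucket.terraform_state.id
  versioning_configuration { status = "Enabled" }
}

# State holds sensitive values (e.g. the db_password input), so close every public-access path.
resource "aws_s3_bucket_public_access_block" "terraform_state" {
  bucket                  = aws_s3_bucket.terraform_state.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Lock table: the S3 backend requires a string hash key named exactly "LockID".
resource "aws_dynamodb_table" "terraform_state_locking" {
  name         = "example-org-terraform-state-locking" # constructed placeholder name
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"
  attribute {
    name = "LockID"
    type = "S"
  }
}

# backend.tf in each environment directory. The key is deliberately omitted and
# passed at init time, so dev and prod can never be pointed at the same state:
#   environments/dev:  terraform init -backend-config="key=dev/terraform.tfstate"
#   environments/prod: terraform init -backend-config="key=prod/terraform.tfstate"
terraform {
  required_version = ">= 1.9"
  backend "s3" {
    bucket         = "example-org-terraform-state"
    region         = "us-east-2"
    dynamodb_table = "example-org-terraform-state-locking"
    encrypt        = true
  }
}
```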

IAM

An IAM role and an instance profile are related but distinct concepts in AWS. Here's a detailed explanation of each and their differences:

IAM Role

  • Purpose: An IAM role is an AWS identity with permissions policies that determine what the identity can and cannot do in AWS. Roles are intended to be assumable by trusted entities, such as IAM users, applications, or AWS services like EC2.
  • Use Case: Roles are used to grant permissions to entities that do not have long-term credentials (e.g., applications running on EC2 instances).
  • Components: An IAM role consists of a trust policy (which specifies who can assume the role) and one or more permissions policies (which specify what actions are allowed).

Instance Profile

  • Purpose: An instance profile is a container for an IAM role that you can use to pass role information to an EC2 instance when the instance starts.
  • Use Case: Instance profiles are used to associate an IAM role with an EC2 instance, allowing the instance to assume the role and obtain temporary security credentials.
  • Components: An instance profile contains a reference to an IAM role. When you launch an EC2 instance with an instance profile, the instance can assume the role specified in the profile.

Key Differences

  • Role: Defines permissions and trust relationships. It can be assumed by various entities, including EC2 instances, Lambda functions, and other AWS services.
  • Instance Profile: Specifically used to pass an IAM role to an EC2 instance. It acts as a bridge between the EC2 instance and the IAM role.
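To show how the pieces above fit together, here is an added example (not the repository's own code) wiring a trust policy, a permissions policy, an instance profile and the `iam:PassRole` grant for a webserver instance. `var.backups_bucket_arn` and `var.webserver_ami_id` are assumed to be declared elsewhere, and all resource names are illustrative.

```hcl
# Trust policy (who may assume the role): only the EC2 service principal.
resource "aws_iam_role" "webserver" {
  name = "webserver"
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "sts:AssumeRole", Principal = { Service = "ec2.amazonaws.com" } }]
  })
}

# Permissions policy (what the role may do): read one bucket, not s3:*, so a
# compromised instance cannot reach other data. var.backups_bucket_arn is assumed declared elsewhere.
resource "aws_iam_role_policy" "webserver_read_backups" {
  name = "read-backups"
  role = aws_iam_role.webserver.id
  policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = ["s3:GetObject", "s3:ListBucket"],
                   Resource = [var.backups_bucket_arn, "${var.backups_bucket_arn}/*"] }]
  })
}

# Instance profile: the container that carries the role to EC2; it holds nothing else.
resource "aws_iam_instance_profile" "webserver" {
  name = "webserver"
  role = aws_iam_role.webserver.name
}

# The instance references the profile, not the role. AWS then serves short-lived
# credentials for the role through the instance metadata service and rotates them.
resource "aws_instance" "webserver" {
  ami                  = var.webserver_ami_id # assumed declared elsewhere
  instance_type        = "t3.micro"
  iam_instance_profile = aws_iam_instance_profile.webserver.name
  metadata_options {
    http_tokens = "required" # IMDSv2 only: a session token is required before credentials are served
  }
}

# Whoever launches the instance must hold iam:PassRole on this role; the condition
# stops the role from being handed to any service other than EC2.
resource "aws_iam_policy" "allow_pass_webserver_role" {
  name = "allow-pass-webserver-role"
  policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "iam:PassRole", Resource = aws_iam_role.webserver.arn,
                   Condition = { StringEquals = { "iam:PassedToService" = "ec2.amazonaws.com" } } }]
  })
}
```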

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.9 |
| aws | ~> 5.6 |
| tls | ~> 4.0 |

Providers

| Name | Version |
|------|---------|
| aws | 5.67.0 |
| tls | 4.0.6 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_db_instance.icb | resource |
| aws_db_subnet_group.icb | resource |
| aws_dynamodb_table.ichrisbirch_terraform_state_locking | resource |
| aws_eip.ichrisbirch_elastic_ip | resource |
| aws_eip_association.ichrisbirch_elastic_ip_assoc | resource |
| aws_iam_group.developer | resource |
| aws_iam_group.developer_admin | resource |
| aws_iam_group.security | resource |
| aws_iam_group_membership.developer | resource |
| aws_iam_group_membership.developer_admin | resource |
| aws_iam_group_policy_attachment.developer_admin_assume_admin | resource |
| aws_iam_group_policy_attachment.developer_admin_assume_terraform | resource |
| aws_iam_group_policy_attachment.developer_cloud_developer | resource |
| aws_iam_group_policy_attachment.developer_ec2_instance_connect | resource |
| aws_iam_group_policy_attachment.developer_pass_webserver_role | resource |
| aws_iam_group_policy_attachment.security_assume_adming | resource |
| aws_iam_instance_profile.ichrisbirch_webserver | resource |
| aws_iam_openid_connect_provider.github | resource |
| aws_iam_policy.access_backups_bucket | resource |
| aws_iam_policy.access_webserver_keys | resource |
| aws_iam_policy.allow_pass_webserver_role | resource |
| aws_iam_policy.assume_admin_role | resource |
| aws_iam_policy.assume_terraform_role | resource |
| aws_iam_policy.cloud_developer | resource |
| aws_iam_policy.ec2_instance_connect | resource |
| aws_iam_policy.terraform_execution | resource |
| aws_iam_role.admin | resource |
| aws_iam_role.github_actions | resource |
| aws_iam_role.ichrisbirch_webserver | resource |
| aws_iam_role.terraform | resource |
| aws_iam_role_policy_attachment.admin_access_webserver_keys | resource |
| aws_iam_role_policy_attachment.admin_administrator_access | resource |
| aws_iam_role_policy_attachment.admin_view_cost_and_usage | resource |
| aws_iam_role_policy_attachment.github_actions_assume_terraform_role | resource |
| aws_iam_role_policy_attachment.github_actions_terraform_execution | resource |
| aws_iam_role_policy_attachment.terraform_role_terraform_execution | resource |
| aws_iam_role_policy_attachment.webserver_access_backups_bucket | resource |
| aws_iam_role_policy_attachment.webserver_access_webserver_keys | resource |
| aws_iam_user.chris_birch | resource |
| aws_iam_user.john_kundycki | resource |
| aws_iam_user_login_profile.chris_birch | resource |
| aws_iam_user_policy_attachment.chris_birch_iam_user_change_password | resource |
| aws_iam_user_policy_attachment.john_kundycki_iam_user_change_password | resource |
| aws_instance.ichrisbirch_webserver | resource |
| aws_internet_gateway.prod | resource |
| aws_main_route_table_association.prod_public | resource |
| aws_network_interface.ichrisbirch_webserver | resource |
| aws_route53_record.api_ichrisbirch_a | resource |
| aws_route53_record.api_ichrisbirch_ns | resource |
| aws_route53_record.api_ichrisbirch_ns_ns | resource |
| aws_route53_record.docs_ichrisbirch_a | resource |
| aws_route53_record.docs_ichrisbirch_cname | resource |
| aws_route53_record.docs_ichrisbirch_ns | resource |
| aws_route53_record.ichrisbirch_ns | resource |
| aws_route53_record.www_ichrisbirch_a | resource |
| aws_route53_zone.api_ichrisbirch | resource |
| aws_route53_zone.docs_ichrisbirch | resource |
| aws_route53_zone.ichrisbirch | resource |
| aws_route_table.prod_private | resource |
| aws_route_table.prod_public | resource |
| aws_route_table_association.prod_private | resource |
| aws_route_table_association.prod_public | resource |
| aws_s3_bucket.ichrisbirch_backups | resource |
| aws_s3_bucket.ichrisbirch_stats | resource |
| aws_s3_bucket.ichrisbirch_terraform | resource |
| aws_s3_bucket.ichrisbirch_webserver_keys | resource |
| aws_s3_bucket_lifecycle_configuration.ichrisbirch_backups | resource |
| aws_s3_bucket_policy.ichrisbirch_webserver_keys_admin_role_only_policy | resource |
| aws_s3_bucket_public_access_block.ichrisbirch_backups | resource |
| aws_s3_bucket_public_access_block.ichrisbirch_stats | resource |
| aws_s3_bucket_public_access_block.ichrisbirch_terraform | resource |
| aws_s3_bucket_public_access_block.ichrisbirch_webserver_keys | resource |
| aws_security_group.ichrisbirch_database | resource |
| aws_security_group.ichrisbirch_webserver | resource |
| aws_subnet.prod_private | resource |
| aws_subnet.prod_public | resource |
| aws_vpc.prod | resource |
| aws_vpc_security_group_egress_rule.allow_all_traffic_out | resource |
| aws_vpc_security_group_egress_rule.postgres_out_all_vpc | resource |
| aws_vpc_security_group_ingress_rule.allow_all_http_ipv4_in | resource |
| aws_vpc_security_group_ingress_rule.allow_all_icmp_ipv4_in | resource |
| aws_vpc_security_group_ingress_rule.allow_all_ssh_ipv4_in | resource |
| aws_vpc_security_group_ingress_rule.allow_all_tls_ipv4_in | resource |
| aws_vpc_security_group_ingress_rule.allow_postgres_from_webserver | resource |
| aws_ami.ichrisbirch_webserver | data source |
| aws_availability_zones.available | data source |
| aws_caller_identity.current | data source |
| aws_iam_policy.admin | data source |
| aws_iam_policy.billing | data source |
| aws_iam_policy_document.assume_role | data source |
| tls_certificate.github_actions | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| db_password | The password for the database | string | n/a | yes |
| db_username | The username for the database | string | n/a | yes |
| gh_actions_token_url | URL for the GitHub Actions API | string | "https://token.actions.githubusercontent.com" | no |
| gh_org | Name of the GitHub organization. | string | "datapointchris" | no |
| gh_repo | Name of the ECR repository; should match the GitHub repo name. | string | "ichrisbirch" | no |
| private_subnet_cidrs | Private subnet CIDR values | list(string) | [ "10.0.4.0/24", "10.0.5.0/24", "10.0.6.0/24" ] | no |
| public_subnet_cidrs | Public subnet CIDR values | list(string) | [ "10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24" ] | no |
| region | The AWS region to deploy resources | string | "us-east-2" | no |
| vpc_cidr | The CIDR block for the VPC | string | "10.0.0.0/16" | no |

Outputs

| Name | Description |
|------|-------------|
| aws_account_id | n/a |
| aws_region | n/a |
| db_endpoint | n/a |
| db_engine | n/a |
| db_engine_version | n/a |
| db_id | n/a |
| db_instance_class | n/a |
| db_security_group_ids | n/a |
| db_subnet_group_name | n/a |
| dynamodb_terraform_state_locking_table_id | n/a |
| iam_group_developer_admin_arn | n/a |
| iam_group_developer_arn | n/a |
| iam_group_security_arn | n/a |
| iam_instance_profile_ichrisbirch_webserver_arn | n/a |
| iam_oidc_provider_github_arn | n/a |
| iam_policy_access_webserver_keys_arn | n/a |
| iam_policy_allow_pass_webserver_role_arn | n/a |
| iam_policy_assume_admin_role_arn | n/a |
| iam_policy_assume_terraform_role_arn | n/a |
| iam_policy_cloud_developer_arn | n/a |
| iam_policy_ec2_instance_connect_arn | n/a |
| iam_policy_terraform_execution_arn | n/a |
| iam_role_admin_arn | n/a |
| iam_role_github_actions_arn | n/a |
| iam_role_ichrisbirch_webserver_arn | n/a |
| iam_role_terraform_arn | n/a |
| iam_user_chris_birch_arn | n/a |
| iam_user_john_kundycki_arn | n/a |
| internet_gateway_id | n/a |
| network_interface_ichrisbirch_webserver_id | n/a |
| prod_private_route_table_id | n/a |
| prod_private_subnet_ids | n/a |
| prod_public_route_table_id | n/a |
| prod_public_subnet_ids | n/a |
| prod_vpc_cidr_block | n/a |
| prod_vpc_id | n/a |
| route53_api_ichrisbirch_zone_id | n/a |
| route53_api_ichrisbirch_zone_name | n/a |
| route53_api_ichrisbirch_zone_name_servers | n/a |
| route53_api_ichrisbirch_zone_primary_name_server | n/a |
| route53_docs_ichrisbirch_zone_id | n/a |
| route53_docs_ichrisbirch_zone_name | n/a |
| route53_docs_ichrisbirch_zone_name_servers | n/a |
| route53_docs_ichrisbirch_zone_primary_name_server | n/a |
| route53_ichrisbirch_zone_id | n/a |
| route53_ichrisbirch_zone_name | n/a |
| route53_ichrisbirch_zone_name_servers | n/a |
| route53_ichrisbirch_zone_primary_name_server | n/a |
| security_group_ichrisbirch_webserver_id | n/a |
| user_chris_birch_generated_password | n/a |
| webserver_ami_id | n/a |
| webserver_availability_zone | n/a |
| webserver_elastic_ip | n/a |
| webserver_iam_instance_profile | n/a |
| webserver_id | n/a |
| webserver_instance_type | n/a |
| webserver_key_name | n/a |
| webserver_route_table_id | n/a |
| webserver_security_groups | n/a |
| webserver_subnet_id | n/a |