This repository provides all the tooling to manage the prod account infrastructure on AWS. It distributes a single docker container which bundles the entire tool-chain and infrastructure as code necessary to administer the account.
| Property | Value |
|---|---|
| AWS Account ID | 877858628825 |
| Account Email | ops+prod@ryanjarv.sh |
| Login URL | https://signin.aws.amazon.com/switchrole?account=877858628825&roleName=OrganizationAccountAccessRole&displayName=rjsh-prod-admin |
| Namespace | rjsh |
| Stage | prod |
| Default Region | us-west-2 |
This project aims to be lightweight. It follows these principles:
- Use industry standard tools over custom ones. e.g. terraform and chamber
- Favor documentation over automation. Instead of wrapping terraform and obfuscating layers of complexity, provide documentation on terraform "best practices" and actionable examples.
- Automate Repetitive Processes using
Makefiles. Only introduce automation when a repetitive workflow emerges. Write simple shell scripts that provide minimal orchestration to avoid obfuscation of the underlying workflows.
We use the Geodesic base image for the prod account infrastructure. It’s a swiss army knife for creating and building consistent platforms to be shared across a team environment. It easily versions environments in a repeatable manner that can be followed by any team member.
NOTE: This repo was created automatically using the cloudposse/reference-architectures cold-start project.
We use geodesic to define and build world-class cloud infrastructures backed by AWS and powered by Kubernetes.
The geodesic base docker image exposes many tools that can be used to define and provision AWS and Kubernetes resources.
There's no need to install any native software dependencies on your workstation other than docker.
Here is the list of some of the tools we use to provision prod.ryanjarv.sh infrastructure in order to facilitate cloud fabrication and administration:
NOTE: Additional documentation can be found in the docs/ directory.
This repo is organized in the following way.
prod.ryanjarv.sh/
├── conf/ # All configurations should be kept here
│ ├── Makefile # Makefile for controlling interactions between projects
│ ├── module1/ # Example terraform "root" module (aka project)
│ │ └── terraform.tfvars # Define project specific settings using a varfile (do not commit secrets)
│ ├── module2/ # Another terraform "root" module
│ │ └── terraform.tfvars # Terraform settings specific to this project
│ └── module3/ # Another terraform "root" module
│ ├── file1.tf # Overlay additional files
│ └── file2.tf #
├── docs/ # Additional documentation
├── Dockerfile # Dockerfile that describes how to build this image
├── Makefile # Makefile that uses the `build-harness` to facilitate building the image
└── rootfs/ # "Root" (`/`) filesystem which is overlayed inside of the docker image
Most configuration settings are defined as environment variables. These can be set using the ENV declaration in the Dockerfile. These have been set to sane defaults and shouldn't need to be touched. All these settings are required.
List of Supported Environment Variables
| Environment Variable | Description of the setting |
|---|---|
| DOCKER_IMAGE | This docker image name (and repository). This is for the bootstrap script. |
| DOCKER_TAG | The default image tag to use by the bootstrap script. |
| NAMESPACE | Resource namespace used as a prefix for all AWS resources. |
| STAGE | Operating stage of this account (e.g. prod, corp, audit, root). |
| BANNER | Banner text to display when launching an interactive shell. |
| MOTD_URL | URL to a "Message of the Day" to display when launching an interactive shell. |
| AWS_REGION | Current operating region for this account. |
| AWS_DEFAULT_REGION | Default operating region for this account. |
| AWS_ACCOUNT_ID | AWS Account ID (used by aws-config-setup). |
| AWS_ROOT_ACCOUNT_ID | AWS "Root" (parent) Account ID (used by aws-config-setup). |
| ORG_NETWORK_CIDR | Organizations Network CIDR . |
| ACCOUNT_NETWORK_CIDR | This account's network CIDR. |
| TF_BUCKET | Terraform state bucket. |
| TF_BUCKET_REGION | Region where the Terraform state bucket was created. |
| TF_DYNAMODB_TABLE | DynamoDB table that will be used by Terraform for state locking. |
| AWS_DEFAULT_PROFILE | AWS Profile that will be used by aws-vault to assume roles. |
| CHAMBER_KMS_KEY_ALIAS | Default KMS key that will be used to encrypt secrets for chamber. |
NOTE: You can use tfenv to easily pass environment variables to terraform.
- Docker is required to build & run all containers
- Standard development tools (e.g.
xcode-select --installon OSX):git,make
NOTE: It should work out-of-the-box with Mac OSX, Linux, and Windows 10 (using WSL).
Here's how to get started with this repository.
Basic Operating Instructions
First, let's initialize the build-harness. You only need to do this once per git clone of this repository.
# Initialize the project's build-harness
make initBuild the docker image we'll use for local development, to provision infrastructure or to administer AWS.
make docker/buildInstall the helper script which makes it easier to start the docker container. You only really need to do this once.
make installAnytime you want to interact with tools like terraform, chamber, etc we recommend you do so from within the shell.
/usr/local/bin/prod.ryanjarv.shNOTE (a): You can just run prod.ryanjarv.sh, if your PATH contains /usr/local/bin
NOTE (b): Your HOME directory is mounted to /localhost inside of the container. This makes it easier to do local development or use your IDE of choice.
Configure your AWS profile in ~/.aws/config by running aws-config-setup inside of the shell. This will also prompt you to setup aws-vault.
NOTE: You only need to do this once per AWS account.
aws-config-setupRun this command anytime you start a new shell and need to operate on AWS:
assume-roleNOTE: Before provisioning AWS resources with Terraform, you need to create a tfstate-backend first. This is an S3 bucket that is used to store the Terraform state and a DynamoDB table for state locking.
You need to do it only once per account during the cold-start.
make -C /conf/tfstate-backend initAfter tfstate-backend has been provisioned, you can just run init-terraform from any project folder to reattach the remote state.
For more info, see Using Geodesic with Terraform
- https://docs.cloudposse.com
- https://github.com/cloudposse/geodesic
- https://github.com/cloudposse/packages
- https://github.com/cloudposse/build-harness
Did you get stuck? Find us on slack in the #geodesic channel.