Terraform is available via brew on Mac OS:

```
brew install terraform
```

Downloads for other OS are available.
- Create an IAM user called `tooling-public-write-user`
  - Give them no permissions (these will be set by terraform)
  - Set programmatic access and save the keys to add to GitHub
- Create an IAM user called `github-deploy`
  - Give them no permissions (these will be set by terraform)
  - Set programmatic access and save the keys to add to GitHub
- Create an IAM user called `lambda-public-write-user`
  - Give them no permissions (these will be set by terraform)
  - Set programmatic access and save the keys to add to GitHub
- Create an IAM user called `code-commit-replicator`
  - Give them no permissions (these will be set by terraform)
  - Set programmatic access and save the keys to add to GitHub
Terraform state is stored in S3.
Create a bucket with Bucket Versioning enabled.
The default bucket is currently `exercism-terraform` - update `terraform/terraform.tf` if you want to change this.

Create a policy called `terraform-s3-state` with the following JSON:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::exercism-terraform"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:PutObjectAcl"],
      "Resource": "arn:aws:s3:::exercism-terraform/production.state"
    }
  ]
}
```
Create a policy called `terraform-iam` with the following JSON:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "iam:GetUser",
        "iam:GetUserPolicy",
        "iam:GetRole",
        "iam:UpdateAssumeRolePolicy",
        "iam:GetPolicyVersion",
        "iam:GetPolicy",
        "iam:DeletePolicy",
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:AttachRolePolicy",
        "iam:PutRolePolicy",
        "iam:GetRolePolicy",
        "iam:CreatePolicy",
        "iam:CreatePolicyVersion",
        "iam:ListInstanceProfilesForRole",
        "iam:GetServiceLinkedRoleDeletionStatus",
        "iam:PassRole",
        "iam:DetachRolePolicy",
        "iam:ListPolicyVersions",
        "iam:ListAttachedRolePolicies",
        "iam:DeleteRolePolicy",
        "iam:DeletePolicyVersion",
        "iam:CreateInstanceProfile",
        "iam:GetInstanceProfile",
        "iam:RemoveRoleFromInstanceProfile",
        "iam:DeleteInstanceProfile",
        "iam:AddRoleToInstanceProfile",
        "iam:DeleteUserPolicy",
        "iam:ListRolePolicies"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "iam:GetUserPolicy",
        "iam:PutUserPolicy"
      ],
      "Resource": [
        "arn:aws:iam::*:user/github-deploy",
        "arn:aws:iam::*:user/tooling-public-write-user",
        "arn:aws:iam::*:user/lambda-public-write-user"
      ]
    }
  ]
}
```
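
As an added example (not part of the original README), this Python sketch evaluates the Allow statements of the `terraform-iam` policy against the four IAM users created earlier and reports which of them the policy, as printed, covers for a given action. The account ID is a constructed placeholder, the first statement is abbreviated to its user-related actions plus a few role actions, and Deny statements, conditions and other attached policies are not modelled.

```python
import fnmatch

# Abbreviated copy of the terraform-iam policy: the first statement keeps its
# user-related actions and a few role actions; the second is reproduced in full.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["iam:GetUser", "iam:GetUserPolicy", "iam:DeleteUserPolicy",
                "iam:CreateRole", "iam:AttachRolePolicy", "iam:PassRole"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["iam:GetUserPolicy", "iam:PutUserPolicy"],
     "Resource": ["arn:aws:iam::*:user/github-deploy",
                  "arn:aws:iam::*:user/tooling-public-write-user",
                  "arn:aws:iam::*:user/lambda-public-write-user"]},
]}

# The four IAM users created in the earlier steps.
USERS = ["tooling-public-write-user", "github-deploy",
         "lambda-public-write-user", "code-commit-replicator"]
ACCOUNT_ID = "123456789012"  # constructed placeholder account id (assumption)


def as_list(value):
    """IAM accepts either a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)


def is_allowed(policy, action, resource):
    """True if any Allow statement matches the action (case-insensitive) and ARN."""
    for stmt in policy["Statement"]:
        acts = [a.lower() for a in as_list(stmt["Action"])]
        if (stmt.get("Effect") == "Allow"
                and any(fnmatch.fnmatchcase(action.lower(), a) for a in acts)
                and any(fnmatch.fnmatchcase(resource, r) for r in as_list(stmt["Resource"]))):
            return True
    return False


def users_without(policy, action):
    """Users from USERS for which this policy does not allow `action`."""
    return [u for u in USERS
            if not is_allowed(policy, action,
                              f"arn:aws:iam::{ACCOUNT_ID}:user/{u}")]


if __name__ == "__main__":
    for action in ("iam:PutUserPolicy", "iam:GetUserPolicy", "iam:DeleteUserPolicy"):
        print(action, "not granted for:", users_without(POLICY, action) or "none")
```

The same functions can be pointed at the full policy JSON loaded with `json.load` to review which actions are granted on `"Resource": "*"` and which are scoped to named users.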
- Create a terraform IAM user.
  - Give them PowerUser privileges and the above policies (`terraform-iam` and `s3-state`)
  - Set programmatic access and save the keys for later.
CD into the `terraform` directory.
Install provider plugins:

```
terraform init
```
Create a file `~/.aws/credentials`, or add the following stanza to an existing file, with the terraform user's credentials.

```
[exercism_terraform]
aws_access_key_id = XXXXXXXXXXXXXXXXXXXX
aws_secret_access_key = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
```
Start by running `terraform init`.

```
AWS_PROFILE=exercism_terraform terraform init
```

To see what will be run, use `plan`:

```
AWS_PROFILE=exercism_terraform terraform plan -var-file=variables/pre-production.tfvars
```

To run things for real, and actually make changes to infrastructure:

```
AWS_PROFILE=exercism_terraform terraform apply -var-file=environments/staging.tfvars
```
The environment variable `TF_LOG` can be set to `DEBUG` or another value to enable more verbose logs.
For all values see the Terraform debugging documentation.
Terraform provides a tool to format manifests:

```
terraform fmt
```
- Add a line to the list of tools in `terraform/main.tf`
- Add a line to the tooling type's configuration in `terraform/dynamodb_tooling_language_groups.tf`

Currently the `ami.sh` also needs updating.
- Getting started blog post which describes basic usage, templates, and variables.