Skip to content
/ infrastructure Public

Terraform monorepo for our cloud infrastructure.

License

GPL-3.0 license
0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

iron-security/infrastructure

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

228 Commits

.github

.github

 
 

cloudflare

cloudflare

 
 

github

github

 
 

google

google

 
 

helm/dev

helm/dev

 
 

kubernetes

kubernetes

 
 

.gitignore

.gitignore

 
 

LICENSE

LICENSE

 
 

Makefile

Makefile

 
 

README.md

README.md

 
 

SECURITY.md

SECURITY.md

 
 

modules.dev.tf

modules.dev.tf

 
 

modules.main.tf

modules.main.tf

 
 

providers.tf

providers.tf

 
 

variables.tf

variables.tf

 
 

Repository files navigation

infrastructure

This repository contains the Terraform configuration that steers the infrastructure that is used to run the IRON platform.

Usage

# first install terraform
% brew install terraform

# create a development file with your secrets
% vim dev.env
# export TF_VAR_cf_email=""
# export TF_VAR_cf_api_key=""
# export TF_VAR_github_token=""

# ensure you have a billing account associated in GCP
# https://console.cloud.google.com/billing/linkedaccount

# now initialize, create the S3 bucket we will store our terraform state in and create the terraform service account to be used
% make init enable-services create-state-bucket create-terraform-account

# for local development, a terraform-sa.json credential will be stored on your local filesystem
# in your CI/CD, we rely on the Google Auth GitHub Action identity federation

# and now we can finally bring up our infrastructure!
% make init validate plan apply

Overview

  • cloudflare/: the configuration for our Cloudflare DNS service.
  • github/: the configuration for our GitHub repositories, teams and memberships.
  • google/: the configuration for our Google Cloud Platform resources, including GKE.
  • kubernetes/: the configuration for the administrative resources for our Kubernetes clusters such as namespaces.
  • helm/: the configuration for the actual workload Helm deployments on our Kubernetes clusters.

RBAC

We rely on the Google Groups GKE RBAC feature to re-use Google Workspace Groups to grant access to our Kubernetes cluster. This provides us with a single source of truth.

Authentication

GitHub

Create a developer token in your GitHub profile and set it as an export in dev.env or in GitHub Actions.

Cloudflare

Create a scoped Cloudflare API key in your Cloudflare account and set it as an export in dev.env or in GitHub Actions.

Google Cloud

Setup the Google Auth GitHub Action for GCP identity federation for CI/CD.

Local development access to Google Cloud is done through gcloud, so make sure you went through a gcloud login flow.

For Google Cloud, we rely on identity federation by using the which scopes a Google Cloud service account to this repository nicely. Any authentication performed against any private workloads on GKE should be done over either IAP or Cloudflare Access.

Kubernetes

Access to the Kubernetes API is done over the gcloud command and the actual Kubernetes API is kept private. This allows us to re-use regular Google Cloud authentication & authorization for our Kubernetes cluster at all times.

About

Terraform monorepo for our cloud infrastructure.

Resources

Readme

License

GPL-3.0 license

Security policy

Security policy
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 15

v1.1.13 Latest
Jun 29, 2022
+ 14 releases

Packages

No packages published

Contributors 2

  •  
  •  

Languages