This module creates the infrastructure for Lyft's Cartography in AWS.
This is meant to be a starting point / POC for anyone testing out Cartography. I made this for my own purposes. It is NOT meant for use in a production environment.
The following resources should already exist in your AWS environment:
- AWS SSH key pair
- Trust policies in target AWS accounts for Cartography to assume
- Go to the example
cd examples/single-account- Set up your Terraform state config in
state.tf - Fill out the variables
- Make sure the
allowed_inbound_cidr_blocksvariable matches a CIDR range including your IP address, so it is not set to0.0.0.0/0 - Build it
terraform init
terraform plan
terraform apply -auto-approve-
Go to that IP address in your web browser and suffix it with port 7474. Like this: http://1.2.3.4:7474
-
It will bring you to the Neo4j database login. Enter
boltas your username and password.
MATCH (n:EC2Instance)
WHERE (n.iaminstanceprofile) starts with 'arn' and (n.publicdnsname) contains '.'
RETURN n.region, n.instanceid, n.iaminstanceprofile, n.publicdnsname
match (lb:LoadBalancer{scheme:"internet-facing"})-[:MEMBER_OF_EC2_SECURITY_GROUP]->(sb:EC2SecurityGroup)<-[:MEMBER_OF_EC2_SECURITY_GROUP]-(IP:IpPermissionInbound{protocol:"tcp"})<-[:MEMBER_OF_IP_RULE]-(rule:IpRange{range:"0.0.0.0/0"}) return lb, sb,IP,rule
module "cartography" {
source = "../../"
namespace = "yourname"
stage = "dev"
name = "demo"
cartography_instance_profile_name = ""
region = "us-east-1"
key_name = "kinnaird"
vpc_cidr = "10.1.1.0/24"
public_subnet_cidrs = ["10.1.1.0/28"]
subnet_azs = ["us-east-1a"]
allowed_inbound_cidr_blocks = ["0.0.0.0/0"] # # TODO: Make sure you change this to your CIDR range, not actual 0.0.0.0/0
create_iam = true
create_vpc = true
}| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| allowed_inbound_cidr_blocks | Allowed inbound CIDRs for the security group rules. | list(string) |
[] |
no |
| attributes | Additional attributes, e.g. 1 |
list(string) |
[] |
no |
| cartography_config_rendered | The ~/.aws/config file for cartography user. Use this for gathering data from multiple accounts. If no value is set, it will just set the default config. | string |
"" |
no |
| cartography_instance_profile_name | If create_iam is set to false, use this instance profile name for Cartography server instead. | any |
n/a | yes |
| convert_case | Convert fields to lower case | string |
"true" |
no |
| create_bucket | Set to false to disable creation of an S3 bucket for cartography config | bool |
true |
no |
| create_iam | Set to false to disable creation of IAM resources. Default value is true. | bool |
true |
no |
| create_vpc | Set to false to disable creation of VPC resources. Default value is true. | bool |
true |
no |
| default_tags | Default billing tags to be applied across all resources | map(string) |
{} |
no |
| delimiter | Delimiter to be used between (1) namespace, (2) name, (3) stage and (4) attributes |
string |
"-" |
no |
| ec2_ami_name_filter | The name of the AMI to search for. Defaults to amzn2-ami-hvm-2.0.2019*-x86_64-ebs | string |
"amzn2-ami-hvm-2.0.2019*-x86_64-ebs" |
no |
| ec2_ami_owner_filter | List of AMI owners to limit search. Defaults to amazon. |
string |
"amazon" |
no |
| enable_bucket_versioning | Set to true to enable bucket versioning | bool |
false |
no |
| force_destroy | A boolean string that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. | bool |
true |
no |
| instance_type | The size of the Ec2 instance. Defaults to t2.medium | string |
"t2.medium" |
no |
| key_name | The name of the SSH key in AWS to use for accessing the EC2 instance. | any |
n/a | yes |
| kms_key_alias | The KMS key alias to use for the EBS Volume | string |
"alias/cartography" |
no |
| name | Name, which could be the name of your solution or app. Third item in naming sequence. | any |
n/a | yes |
| namespace | Namespace, which could be your organization name. First item in naming sequence. | any |
n/a | yes |
| public_subnet_cidrs | The CIDR block of the public subnet. | list(string) |
|
no |
| region | The AWS region for these resources, such as us-east-1. | any |
n/a | yes |
| stage | Stage, e.g. prod, staging, dev, or test. Second item in naming sequence. |
any |
n/a | yes |
| subnet_azs | Subnets will be created in these availability zones. | list(string) |
|
no |
| volume_size | The disk size for the EC2 instance root volume. Defaults to 50 (for 50GB) | number |
50 |
no |
| vpc_cidr | The CIDR block for the VPC. | string |
"10.1.1.0/24" |
no |
| Name | Description |
|---|---|
| bucket | The name of the S3 bucket |
| bucket_config_path | The path to the cartography cross account config stashed in s3 |
| public_ip | The public IP address of the EC2 instance running Cartography. |
| root_block_device_volume_ids | List of volume IDs of root block devices of instances |
| zREADME | Post-deploy instructions |
- Better Neo4j config