Terraform is available via brew on Mac OS:

```shell
brew install terraform
```

Downloads for other OS are available.
- Create an IAM user called `tooling-public-write-user`. Give them no permissions (these will be set by terraform).
- Set programmatic access and save the keys for later.
- Create an IAM user called `github-deploy`. Give them no permissions (these will be set by terraform).
- Set programmatic access and save the keys for later.
Terraform state is stored in S3.

Create a bucket with Bucket Versioning enabled. Keep the bucket private: the state file records every attribute Terraform manages, including any secrets that pass through variables.

The default bucket is currently `exercism-staging-terraform` - update `terraform/terraform.tf` if you want to change this.

Create a policy called `terraform-s3-state` with the following JSON. The resource ARNs in it (`mybucket` and `exercism-terraform/pre-production.state`) do not match the default bucket named above; set the bucket name and state key to the ones configured in `terraform/terraform.tf`, otherwise the terraform user cannot read or write state.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::mybucket"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::exercism-terraform/pre-production.state"
    }
  ]
}
```
Create a policy called `terraform-iam` with the following JSON:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
        "iam:UpdateAssumeRolePolicy",
        "iam:GetPolicyVersion",
        "iam:GetPolicy",
        "iam:DeletePolicy",
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:AttachRolePolicy",
        "iam:PutRolePolicy",
        "iam:GetRolePolicy",
        "iam:CreatePolicy",
        "iam:CreatePolicyVersion",
        "iam:ListInstanceProfilesForRole",
        "iam:GetServiceLinkedRoleDeletionStatus",
        "iam:PassRole",
        "iam:DetachRolePolicy",
        "iam:ListPolicyVersions",
        "iam:ListAttachedRolePolicies",
        "iam:DeleteRolePolicy",
        "iam:DeletePolicyVersion",
        "iam:CreateInstanceProfile",
        "iam:GetInstanceProfile",
        "iam:RemoveRoleFromInstanceProfile",
        "iam:DeleteInstanceProfile",
        "iam:AddRoleToInstanceProfile"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "iam:GetUserPolicy",
        "iam:PutUserPolicy"
      ],
      "Resource": [
        "arn:aws:iam::*:user/github-deploy",
        "arn:aws:iam::*:user/tooling-public-write-user"
      ]
    }
  ]
}
```
- Create a terraform IAM user.
- Give them PowerUser privileges and the above policies. Note that `PowerUserAccess` on its own withholds IAM write access; it is the `terraform-iam` policy above, with `iam:PassRole`, `iam:AttachRolePolicy`, `iam:PutRolePolicy` and `iam:CreatePolicyVersion` allowed on `"Resource": "*"`, that lets this user create and attach arbitrary roles and policies. Treat its keys as equivalent to administrator credentials.
- Set programmatic access and save the keys for later.
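Before pasting the two policies above into the console, it is worth checking them for the two problems noted in this section: S3 ARNs that name a bucket other than the configured state bucket, and IAM escalation primitives granted on `"Resource": "*"`. The following linter is an added example for this page, not code from the Exercism repo. It embeds the `terraform-s3-state` and `terraform-iam` documents from the README as constructed inline data; the `STATE_BUCKET` value is an assumption taken from the default named above, and `ESCALATION_ACTIONS` is this example's own list of actions that are well known to permit self-granting of further rights when unscoped.

```python
"""Lint the terraform-s3-state and terraform-iam policies from this README.

Added example for this page; not part of the Exercism repo. The policy
documents below are copied from the README as constructed inline data.
"""
import json

# Assumed backend bucket; must match what terraform/terraform.tf configures.
STATE_BUCKET = "exercism-staging-terraform"

# Actions that, when allowed on "*", let a principal grant itself more rights:
# attach or inline an admin policy to a role, pass an admin role to a service,
# push a new default version of an existing managed policy, or rewrite who may
# assume a role. This list is this example's own assumption.
ESCALATION_ACTIONS = {
    "iam:PassRole", "iam:AttachRolePolicy", "iam:PutRolePolicy",
    "iam:CreatePolicyVersion", "iam:UpdateAssumeRolePolicy",
}

# The two policy documents exactly as written on this page.
S3_STATE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::mybucket"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::exercism-terraform/pre-production.state"},
    ],
}

TERRAFORM_IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow", "Resource": "*",
         "Action": [
             "iam:GetRole", "iam:UpdateAssumeRolePolicy", "iam:GetPolicyVersion",
             "iam:GetPolicy", "iam:DeletePolicy", "iam:CreateRole", "iam:DeleteRole",
             "iam:AttachRolePolicy", "iam:PutRolePolicy", "iam:GetRolePolicy",
             "iam:CreatePolicy", "iam:CreatePolicyVersion",
             "iam:ListInstanceProfilesForRole", "iam:GetServiceLinkedRoleDeletionStatus",
             "iam:PassRole", "iam:DetachRolePolicy", "iam:ListPolicyVersions",
             "iam:ListAttachedRolePolicies", "iam:DeleteRolePolicy",
             "iam:DeletePolicyVersion", "iam:CreateInstanceProfile",
             "iam:GetInstanceProfile", "iam:RemoveRoleFromInstanceProfile",
             "iam:DeleteInstanceProfile", "iam:AddRoleToInstanceProfile",
         ]},
        {"Sid": "VisualEditor1", "Effect": "Allow",
         "Action": ["iam:GetUserPolicy", "iam:PutUserPolicy"],
         "Resource": ["arn:aws:iam::*:user/github-deploy",
                      "arn:aws:iam::*:user/tooling-public-write-user"]},
    ],
}


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def s3_bucket_from_arn(arn):
    """Return the bucket part of an S3 ARN ('arn:aws:s3:::bucket/key'), else None."""
    prefix = "arn:aws:s3:::"
    if not arn.startswith(prefix):
        return None
    return arn[len(prefix):].split("/", 1)[0]


def check_state_bucket(policy, bucket=STATE_BUCKET):
    """Return the S3 ARNs in Allow statements that name a bucket other than `bucket`."""
    wrong = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for arn in _as_list(stmt["Resource"]):
            name = s3_bucket_from_arn(arn)
            if name is not None and name != bucket:
                wrong.append(arn)
    return wrong


def check_wildcard_escalation(policy):
    """Return escalation-capable actions the policy allows on Resource '*', sorted."""
    found = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt["Resource"]):
            continue
        for action in _as_list(stmt["Action"]):
            if action in ESCALATION_ACTIONS or action in ("iam:*", "*"):
                found.add(action)
    return sorted(found)


def lint():
    """Run both checks; an empty list under each key means that check passed."""
    return {
        "wrong_bucket": check_state_bucket(S3_STATE_POLICY),
        "wildcard_escalation": check_wildcard_escalation(TERRAFORM_IAM_POLICY),
    }


if __name__ == "__main__":
    print(json.dumps(lint(), indent=2))
```

Run as written, it reports both S3 ARNs as naming the wrong bucket and lists the five unscoped escalation actions from `VisualEditor0`; the `VisualEditor1` statement is not flagged because its resources are the two named users. To lint a policy that already exists in the account, replace the inline dict with the `Document` field returned by `aws iam get-policy-version`.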
CD into the terraform directory.

Create a file `~/.aws/credentials`, or add the following stanza to an existing file, with the terraform user's credentials. Keep this file out of the repository; the `AWS_PROFILE` variable used below is how the credentials reach Terraform.

```ini
[exercism_terraform]
aws_access_key_id = XXXXXXXXXXXXXXXXXXXX
aws_secret_access_key = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
```

Start by running `terraform init`, which installs the provider plugins and connects to the S3 backend:

```shell
AWS_PROFILE=exercism_terraform terraform init
```
To see what will be run, use plan (pick the tfvars file for the environment you are targeting):

```shell
AWS_PROFILE=exercism_terraform terraform plan -var-file=variables/pre-production.tfvars
```

To run things for real, and actually make changes to infrastructure:

```shell
AWS_PROFILE=exercism_terraform terraform apply -var-file=environments/staging.tfvars
```

The environment variable `TF_LOG` can be set to `DEBUG` or another value to enable more verbose logs. For all values see the Terraform debugging documentation.
Terraform provides a tool to format manifests:

```shell
terraform fmt
```
- Add a block to `terraform/tooling/ecr.tf`
- Add a line to `terraform/tooling/iam_ecr.tf`
- Add a line to `terraform/tooling_invoker/iam_policy_ecr.tf`

Currently `ami.sh` also needs updating.
- Getting started blog post which describes basic usage, templates, and variables.
- [Useful Fargate Blog Post](https://blog.oxalide.io/post/aws-fargate/)