add SSM to AWS network setup deployment
migrate aws-alb to terragrunt/opentofu
matihost committed Nov 9, 2023
1 parent 13ccc1b commit dcedfe8
Showing 21 changed files with 480 additions and 160 deletions.
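--- a/ansible/system/inventory.yml
+++ b/ansible/system/inventory.yml
@@ -715,9 +715,13 @@ all:
 - name: terraformer
 desc: |
 Reverse terraform
-Sample:
+Sample for GC:
 terraformer import google --connect=true --regions=`gcloud config get-value compute/region` --projects=`gcloud config get-value project` \
 --resources=dns,monitoring,addresses,autoscalers,regionAutoscalers,globalForwardingRules,healthChecks,globalAddresses,regionBackendServices,urlMaps,regionSslCertificates,forwardingRules,httpHealthChecks,targetTcpProxies,regionInstanceGroupManagers,targetHttpsProxies,backendServices,sslCertificates
+Sample for AWS
+awsume rolename@accounr
+# TODO https://github.com/GoogleCloudPlatform/terraformer/issues/1743
+terraformer import aws --resources=api_gateway,alb --regions=us-east-1 --profile=""
 become: true
 command: |
 CURRENT_VERSION="$(curl -sL https://api.github.com/repos/GoogleCloudPlatform/terraformer/releases/latest | grep tag_name | cut -d '"' -f 4)"
@@ -838,6 +842,9 @@ all:
 sudo aws/install --update
 rm -rf /tmp/awscli-installer
 echo "AWC CLI Installed"
+curl "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/ubuntu_64bit/session-manager-plugin.deb" -o "/tmp/session-manager-plugin.deb"
+dpkg -i /tmp/session-manager-plugin.deb
+echo "AWC Session Manager Plugin Installed"
 }
 [ -e /etc/bash_completion.d/aws_bash_completer ] || {
 echo 'complete -C aws_completer aws' > /etc/bash_completion.d/aws_bash_completer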
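Review bot: The new `curl ... -o /tmp/session-manager-plugin.deb` runs without `-f`, so an HTTP error body from S3 would be saved as the .deb and `dpkg -i` would then fail with a confusing error (and, if this shell is not running with `-e`, the "Installed" message still prints); the package is also installed as root with no integrity check and, unlike the awscli installer two lines above, its temp file is never removed. Tightening the two lines to `curl -fsSL "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/ubuntu_64bit/session-manager-plugin.deb" -o /tmp/session-manager-plugin.deb && dpkg -i /tmp/session-manager-plugin.deb && rm -f /tmp/session-manager-plugin.deb` addresses the first and last points, and AWS publishes a GPG signature for the plugin packages that could be verified before `dpkg -i`. `ubuntu_64bit` is the x86_64 build only, which deserves a comment if this inventory is ever applied to arm64 hosts. In the terraformer sample, `rolename@accounr` looks like a typo for `rolename@account`.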
52 changes: 35 additions & 17 deletions terraform/aws/aws-alb/Makefile
@@ -1,13 +1,32 @@
WHOAMI := $(shell dig +short myip.opendns.com @resolver1.opendns.com)
apply: prepare ## setup free-tier eliglible Ubuntu instances via Launch Template, ASG and attache ALB on it
export TF_VAR_external_access_ip=$(WHOAMI) && \
terraform init -upgrade=true && \
terraform validate && \
terraform plan -lock=false && \
terraform apply -auto-approve
.EXPORT_ALL_VARIABLES:

DEBUG := false
ifeq ($(strip $(DEBUG)),true)
TF_LOG := DEBUG
endif

MODE := apply
ifeq ($(strip $(MODE)),apply)
MODE_STR := apply -auto-approve
else ifeq ($(strip $(MODE)),destroy)
MODE_STR := destroy -auto-approve
else
MODE_STR := plan
endif


ENV := dev

init:
cd stage/$(ENV) && terragrunt init -upgrade=true


run: init ## setup VPC: make run [ENV=dev] [MODE=apply]
@cd stage/$(ENV) && terragrunt validate && terragrunt $(MODE_STR)


test: ## test ALB Nginx instance
curl http://$(shell terraform output alb_dns):80
curl http://$(shell cd stage/$(ENV) && terragrunt output alb_dns):80

show-auto-scalling-group-state: ## show AutoScalingGroup state(see DesiredCapacity for current amount of instances)
aws autoscaling describe-auto-scaling-groups --auto-scaling-group-name webserver
Expand All @@ -19,18 +38,17 @@ scale-down-manually: ## scale Auto Scaling Group down by single instance
aws autoscaling set-desired-capacity --auto-scaling-group-name webserver --desired-capacity $$(( `aws autoscaling describe-auto-scaling-groups --auto-scaling-group-name webserver | jq '..|.DesiredCapacity?'|grep -v null` - 1 ))


show-state: ## show terraform.state
terraform state list
terraform show
show-state: ## show state
cd stage/$(ENV) && terragrunt state list && terragrunt show

clean: ## clean cached plugins and data
find . -name ".terra*" -exec rm -rf {} +
find . -name "target" -exec rm -rf {} +

destroy: ## destroy resourced created via apply
export TF_VAR_external_access_ip=$(WHOAMI) && \
terraform plan && terraform destroy -auto-approve
upgrade-providers-version: init

prepare:
@[ -e "$(HOME)/.ssh/id_rsa.aws.vm" ] || { cd ~/.ssh && ssh-keygen -m PEM -t rsa -N '' -f id_rsa.aws.vm; }

help: ## show usage and tasks (default)
@eval $$(sed -E -n 's/^([\*\.a-zA-Z0-9_-]+):.*?## (.*)$$/printf "\\033[36m%-30s\\033[0m %s\\n" "\1" "\2" ;/; ta; b; :a p' $(MAKEFILE_LIST))
.DEFAULT_GOAL := help
.PHONY: help apply destroy
.PHONY: help run clean
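Review bot: `MODE=destroy` now runs `terragrunt destroy -auto-approve` immediately after `validate` with no plan shown first, whereas the removed `destroy` target ran a plan before destroying, so a wrong `ENV` tears that environment down unattended. One way to keep a preview in front of every unattended run is to change the `run` recipe to `@cd stage/$(ENV) && terragrunt validate && terragrunt plan $(if $(filter destroy,$(MODE)),-destroy) && terragrunt $(MODE_STR)`. `init`, `test`, `show-state` and `upgrade-providers-version` are commands rather than files, so the new `.PHONY: help run clean` line should list them as well. The `clean` target's `find . -name ".terra*"` glob also matches `.terraform.lock.hcl`, which pins provider checksums; if the stage directories keep a lock file it should be excluded with `! -name ".terraform.lock.hcl"`.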
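--- a/terraform/aws/aws-alb/README.md
+++ b/terraform/aws/aws-alb/README.md
@@ -10,7 +10,7 @@ In particular it creates:
 
 - targetgroup for ALB usage - it is being populated via autoscalling group automatically (aka changes to instances count is reflected in target group)
 
-- Application Load Balancer (ALB) with single listener forwarding all trafic to above targetgroup
+- Application Load Balancer (ALB) with single listener forwarding all traffic to above target group
 
 This setup use AWS resources eliglible to AWS Free Tier __only__.
 
@@ -31,7 +31,7 @@ aws configure
 ```bash
 
 # deploy webservers ALB
-make apply
+make run ENV=dev MODE=apply
 
 # test webservers via ALB
 make test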
83 changes: 0 additions & 83 deletions terraform/aws/aws-alb/main.tf

This file was deleted.

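--- /dev/null
+++ b/terraform/aws/aws-alb/module/variables.tf
@@ -0,0 +1,53 @@
+
+data "aws_caller_identity" "current" {}
+
+locals {
+# tflint-ignore: terraform_unused_declarations
+account_id = data.aws_caller_identity.current.account_id
+
+prefix = var.env
+}
+
+variable "env" {
+type = string
+description = "Environment name"
+}
+
+# tflint-ignore: terraform_unused_declarations
+variable "external_access_ip" {
+type = string
+description = "The public IP which is allowed to access instance"
+}
+
+
+variable "ec2_instance_type" {
+type = string
+description = "Instance type for EC2 deployments"
+default = "t3.micro"
+}
+
+variable "ec2_architecture" {
+type = string
+description = "Instance type for EC2 deployments"
+default = "x86_64"
+}
+
+variable "zone" {
+default = "us-east-1a"
+type = string
+description = "Preffered AWS AZ where resources need to placed, has to be compatible with region variable"
+}
+
+# tflint-ignore: terraform_unused_declarations
+variable "region" {
+default = "us-east-1"
+type = string
+description = "Preffered AWS region where resource need to be placed"
+}
+
+
+variable "instance_profile" {
+default = ""
+type = string
+description = "The name of instance_profile (dynamically provisioning access to role)"
+}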
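Review bot: `external_access_ip` is declared and immediately marked `tflint-ignore: terraform_unused_declarations`, so the caller IP the stage computes is not consumed by anything in this module and the ALB's allow-list rests entirely on the externally managed `http_from_single_computer` group; that is worth stating in the description, e.g. `description = "The public IP which is allowed to access instance (currently informational only; ingress is controlled by the shared http_from_single_computer security group)"`. `ec2_architecture` also reuses the `ec2_instance_type` description verbatim; `description = "CPU architecture of the AMI and instance (x86_64 or arm64); must match ec2_instance_type"` is accurate. Because the AMI data source filters on this value as-is, a typo yields an empty AMI search rather than a clear error, so a validation block is cheap insurance.
```hcl
variable "ec2_architecture" {
  type        = string
  description = "CPU architecture of the AMI and instance (x86_64 or arm64); must match ec2_instance_type"
  default     = "x86_64"

  validation {
    condition     = contains(["x86_64", "arm64"], var.ec2_architecture)
    error_message = "ec2_architecture must be one of x86_64 or arm64."
  }
}
```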
File renamed without changes.
@@ -1,5 +1,74 @@
data "aws_ami" "ubuntu" {
most_recent = true

# possible filter ids from sample image:
# aws ec2 describe-images --region us-east-1 --image-ids ami-0fc5d935ebf8bc3bc
filter {
name = "name"
values = ["ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-*-server-*"]
}

filter {
name = "virtualization-type"
values = ["hvm"]
}

filter {
name = "architecture"
values = [var.ec2_architecture]
}

owners = ["099720109477"] # Canonical
}

data "aws_vpc" "default" {
default = true
}

data "aws_subnet" "private_subnet" {
vpc_id = data.aws_vpc.default.id
availability_zone = var.zone
tags = {
Tier = "private"
}
}

data "aws_subnet" "private_subnet2" {
vpc_id = data.aws_vpc.default.id
availability_zone = "us-east-1b"
tags = {
Tier = "private"
}
}


data "aws_subnet" "public_subnet_1" {
vpc_id = data.aws_vpc.default.id
availability_zone = var.zone
default_for_az = true
}

data "aws_subnet" "public_subnet_2" {
vpc_id = data.aws_vpc.default.id
availability_zone = "us-east-1b"
default_for_az = true
}

data "aws_security_group" "internal_access" {
tags = {
Name = "internal_access"
}
}

data "aws_security_group" "http_from_single_computer" {
tags = {
Name = "http_from_single_computer"
}
}


resource "aws_launch_template" "webserver" {
name = "webserver"
name = "${local.prefix}-webserver"
update_default_version = true

iam_instance_profile {
Expand All @@ -8,9 +77,9 @@ resource "aws_launch_template" "webserver" {

image_id = data.aws_ami.ubuntu.id

instance_type = "t4g.small"
instance_type = var.ec2_instance_type

key_name = "vm"
key_name = "${local.prefix}-bastion-ssh"

vpc_security_group_ids = [data.aws_security_group.internal_access.id]

Expand All @@ -22,7 +91,7 @@ resource "aws_launch_template" "webserver" {
}
}

user_data = filebase64("webserver.cloud-init.yaml")
user_data = filebase64("${path.module}/webserver.cloud-init.yaml")
}

resource "aws_lb_target_group" "webserver" {
Expand All @@ -40,7 +109,7 @@ resource "aws_autoscaling_group" "webserver" {
version = "$Latest"
}
# Subnets where to place instances
vpc_zone_identifier = [data.aws_subnet.private_subnet.id]
vpc_zone_identifier = [data.aws_subnet.private_subnet.id, data.aws_subnet.private_subnet2.id]

# ALBs Target Groups to place instances
target_group_arns = [aws_lb_target_group.webserver.arn]
Expand All @@ -50,7 +119,7 @@ resource "aws_autoscaling_group" "webserver" {

health_check_type = "ELB"
# The amount of time until EC2 Auto Scaling performs the first health check on new instances after they are put into service.
health_check_grace_period = 300
health_check_grace_period = 120

# maximum time for Terraform to wait for ASG reach
wait_for_capacity_timeout = "10m"
Expand All @@ -77,6 +146,8 @@ resource "aws_lb" "webserver" {
internal = false
load_balancer_type = "application"
security_groups = [data.aws_security_group.http_from_single_computer.id]

# TODO replace with subnet mapping to reserver EIP
subnets = [data.aws_subnet.public_subnet_1.id, data.aws_subnet.public_subnet_2.id]
}

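Review bot: The `internal_access` and `http_from_single_computer` security groups are looked up by `Name` tag only, with no `vpc_id` filter, while every subnet lookup in the same hunk is scoped to `data.aws_vpc.default.id`; a same-named group in another VPC would either be picked up (attaching the wrong rules to the ALB and the instances) or make the data source fail on multiple matches. Adding `vpc_id = data.aws_vpc.default.id` to both `aws_security_group` data blocks scopes them the same way as the subnets. The second private and public subnets hard-code `availability_zone = "us-east-1b"` next to `var.zone`, so a non-default `zone` or `region` input silently mixes zones; a second zone variable (or a list) would make that explicit. The `aws_launch_template` body and its `iam_instance_profile` block continue outside the hunk.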
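--- /dev/null
+++ b/terraform/aws/aws-alb/stage/dev/terragrunt.hcl
@@ -0,0 +1,22 @@
+locals {
+current_ip = "${run_cmd("--terragrunt-quiet", "dig", "+short", "myip.opendns.com", "@resolver1.opendns.com")}"
+}
+
+include {
+path = find_in_parent_folders()
+}
+
+terraform {
+# https://github.com/gruntwork-io/terragrunt/issues/1675
+source = "${find_in_parent_folders("module")}///"
+}
+
+
+inputs = {
+env = "dev"
+external_access_ip = local.current_ip
+instance_profile = "SSM-EC2"
+ec2_instance_type = "t4g.small" # or t3.micro
+ec2_architecture = "arm64" # or x86_64
+aws_tags = { Env = "dev" }
+}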
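Review bot: `aws_tags = { Env = "dev" }` has no matching `variable "aws_tags"` in the `module/variables.tf` added by this commit; Terragrunt hands inputs to Terraform as `TF_VAR_*` environment variables, which Terraform silently ignores for undeclared variables, so unless another module file declares it the `Env` tag is never applied. Either declare the variable in the module or drop the input so a reader does not assume the resources are tagged. `current_ip` is also taken verbatim from a third-party DNS lookup under `--terragrunt-quiet`; if `dig` fails, returns nothing or returns several lines, the empty or malformed value flows into `external_access_ip` without any error, so a `validation` block on that module variable with `condition = can(cidrhost("${var.external_access_ip}/32", 0))` would fail fast instead. Note too that `module/variables.tf` in this commit marks `external_access_ip` as unused, so today the value has no effect on what is deployed.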