This repository contains rather complete infrastructure configurations where Terragrunt is used to manage infrastructure for Acme Corporation.
This code is very close to the one produced by modules.tf - open-source infrastructure as code generator from visual diagrams created with Cloudcraft.co. See it yourself in modules.tf-demo!
Acme has several environments (prod, staging and dev) entirely separated by AWS accounts.
Infrastructure in each environment consists of multiple layers (autoscaling, alb, vpc, ...) where each layer is configured using one of Terraform AWS modules with arguments specified in terragrunt.hcl in layer's directory.
Terragrunt is used to work with Terraform configurations which allows orchestrating of dependent layers, update arguments dynamically and keep configurations DRY.
Primary AWS region for all environments is eu-central-1 (Frankfurt):
-
acme-prod- Production configurations (AWS account - 111111111111) -
acme-staging- Staging configurations (AWS account - 444444444444) -
acme-master- Master AWS account (333333333333) contains:- AWS Organizations
- IAM entities (users, groups)
- ECR repositories
- Route53 zones
- Terraform 0.12
- Terragrunt 0.22 or newer
- Terraform Docs
- pre-commit hooks to keep Terraform formatting and documentation up-to-date
- direnv to automatically set correct environment variables per AWS account as specified in
.envrc(optional)
If you are using macOS you can install all dependencies using Homebrew:
$ brew install terraform terragrunt pre-commit
Acme has dedicated AWS account where IAM users, groups and roles managed. This AWS account is a jump account, where IAM users logged in, and then they assume role in other AWS account.
The recommended way to configure access credentials to AWS account is using environment variables:
$ export AWS_DEFAULT_REGION=eu-west-1
$ export AWS_ACCESS_KEY_ID=...
$ export AWS_SECRET_ACCESS_KEY=...
Alternatively, you can edit terragrunt.hcl and use another authentication mechanism as described in AWS provider documentation.
aws-vault, vaulted, awsp or other tool can be used to manage your AWS credentials securely locally and switch roles.
Infrastructure consists of multiple layers (vpc, alb, ...) where each layer is described using one Terraform module with inputs arguments specified in terragrunt.hcl in respective layer's directory.
Navigate through layers to review and customize values inside inputs block.
There are two ways to manage infrastructure (slower&complete, or faster&granular):
- Region as a whole (slower&complete). Run this command to create infrastructure in all layers in a single region:
$ cd acme-prod/eu-central-1
$ terragrunt apply-all
- As a single layer (faster&granular). Run this command to create infrastructure in a single layer (eg,
vpc):
$ cd acme-prod/eu-central-1/vpc
$ terragrunt apply
After you confirm the creation of the infrastructure should succeed.
If you want to suppress irrelevant output produced by Terragrunt, you can install this alias in your shell (source to gist):
terragrunt () {
local action=$1
shift 1
command terragrunt $action "$@" 2>&1 | sed -E "s|$(dirname $(pwd))/||g;s|^\[terragrunt\]( [0-9]{4}/[0-9]{2}/[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2})* ||g;s|(\[.*\]) [0-9]{4}/[0-9]{2}/[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}|\1|g"
}
- Terraform documentation and Terragrunt documentation for all available commands and features.
- Terraform AWS modules.
- Terraform modules registry.
This project is created and maintained by Anton Babenko.
All content, including Terraform AWS modules used in these configurations, is released under the MIT License.
Copyright (c) 2019-2020 Anton Babenko