Add 07_terraform_env_customised_v1.x_updated

07_terraform_env_customised_v1.x_updated/.envrc

@@ -0,0 +1,23 @@
+if [ ! -d ".venv" ]; then
+  echo "Installing virtualenv for $(python -V)"
+  python -m venv .venv
+  echo "Activating $(python -V) virtualenv"
+  source $PWD/.venv/bin/activate
+  test -f $PWD/requirements.txt && pip3 install -r $PWD/requirements.txt --upgrade
+fi
+
+source $PWD/.venv/bin/activate
+export PATH=$(git rev-parse --show-toplevel)/bin:$PATH:$PWD/.venv/bin
+
+export AWS_DEFAULT_PROFILE=default
+
+export AWS_DEFAULT_REGION="$(aws configure get ${AWS_DEFAULT_PROFILE}.region)"
+export AWS_ACCESS_KEY_ID="$(aws configure get ${AWS_DEFAULT_PROFILE}.aws_access_key_id)"
+export AWS_SECRET_ACCESS_KEY="$(aws configure get ${AWS_DEFAULT_PROFILE}.aws_secret_access_key)"
+
+# https://www.terraform.io/docs/backends/types/s3.html
+export STATE_BACKEND="myorg-terraform-state"
+
+# https://github.com/hashicorp/terraform/blob/master/CHANGELOG.md
+export TERRAFORM_VERSION="1.0.4"
+#export TF_LOG=TRACE

07_terraform_env_customised_v1.x_updated/Makefile

@@ -0,0 +1,27 @@
+MAKEFLAGS += --silent
+
+.DEFAULT_GOAL := validate
+
+terraform := $(shell command -v terraform 2> /dev/null)
+
+ifndef terraform
+    $(error "terraform is not available please install")
+endif
+
+## Initialize terraform remote state
+init: 
+	[ -d .terraform ] || ${terraform} $@
+
+## Pass arguments through to terraform which require remote state
+apply destroy graph plan output providers show validate: init
+	${terraform} $@
+
+## Pass arguments through to terraform which do not require remote state
+get fmt version console:
+	${terraform} $@
+
+.PHONY: test
+test:
+	[ -f ./test/test.sh ] && ./test/test.sh || true
+
+-include include.mk

07_terraform_env_customised_v1.x_updated/README.md

@@ -0,0 +1,18 @@
+# Parametrising clusters as Terraform modules terraform > v1.x.x
+
+You can provision multiple EKS clusters with:
+
+```bash
+make plan
+make apply
+```
+
+It might take a while for the cluster to be creates (up to 15-20 minutes).
+
+At the end you will have:
+
+1. A cluster for development.
+1. A cluster for staging.
+1. A cluster for production.
+
+In the same folder you will find a kubeconfig file for each cluster.

07_terraform_env_customised_v1.x_updated/cluster/iam-policy.json

@@ -0,0 +1,140 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "acm:DescribeCertificate",
+        "acm:ListCertificates",
+        "acm:GetCertificate"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ec2:AuthorizeSecurityGroupIngress",
+        "ec2:CreateSecurityGroup",
+        "ec2:CreateTags",
+        "ec2:DeleteTags",
+        "ec2:DeleteSecurityGroup",
+        "ec2:DescribeAccountAttributes",
+        "ec2:DescribeAddresses",
+        "ec2:DescribeInstances",
+        "ec2:DescribeInstanceStatus",
+        "ec2:DescribeInternetGateways",
+        "ec2:DescribeNetworkInterfaces",
+        "ec2:DescribeSecurityGroups",
+        "ec2:DescribeSubnets",
+        "ec2:DescribeTags",
+        "ec2:DescribeVpcs",
+        "ec2:ModifyInstanceAttribute",
+        "ec2:ModifyNetworkInterfaceAttribute",
+        "ec2:RevokeSecurityGroupIngress"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "elasticloadbalancing:AddListenerCertificates",
+        "elasticloadbalancing:AddTags",
+        "elasticloadbalancing:CreateListener",
+        "elasticloadbalancing:CreateLoadBalancer",
+        "elasticloadbalancing:CreateRule",
+        "elasticloadbalancing:CreateTargetGroup",
+        "elasticloadbalancing:DeleteListener",
+        "elasticloadbalancing:DeleteLoadBalancer",
+        "elasticloadbalancing:DeleteRule",
+        "elasticloadbalancing:DeleteTargetGroup",
+        "elasticloadbalancing:DeregisterTargets",
+        "elasticloadbalancing:DescribeListenerCertificates",
+        "elasticloadbalancing:DescribeListeners",
+        "elasticloadbalancing:DescribeLoadBalancers",
+        "elasticloadbalancing:DescribeLoadBalancerAttributes",
+        "elasticloadbalancing:DescribeRules",
+        "elasticloadbalancing:DescribeSSLPolicies",
+        "elasticloadbalancing:DescribeTags",
+        "elasticloadbalancing:DescribeTargetGroups",
+        "elasticloadbalancing:DescribeTargetGroupAttributes",
+        "elasticloadbalancing:DescribeTargetHealth",
+        "elasticloadbalancing:ModifyListener",
+        "elasticloadbalancing:ModifyLoadBalancerAttributes",
+        "elasticloadbalancing:ModifyRule",
+        "elasticloadbalancing:ModifyTargetGroup",
+        "elasticloadbalancing:ModifyTargetGroupAttributes",
+        "elasticloadbalancing:RegisterTargets",
+        "elasticloadbalancing:RemoveListenerCertificates",
+        "elasticloadbalancing:RemoveTags",
+        "elasticloadbalancing:SetIpAddressType",
+        "elasticloadbalancing:SetSecurityGroups",
+        "elasticloadbalancing:SetSubnets",
+        "elasticloadbalancing:SetWebAcl"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "iam:CreateServiceLinkedRole",
+        "iam:GetServerCertificate",
+        "iam:ListServerCertificates"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "cognito-idp:DescribeUserPoolClient"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "waf-regional:GetWebACLForResource",
+        "waf-regional:GetWebACL",
+        "waf-regional:AssociateWebACL",
+        "waf-regional:DisassociateWebACL"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "tag:GetResources",
+        "tag:TagResources"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "waf:GetWebACL"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "wafv2:GetWebACL",
+        "wafv2:GetWebACLForResource",
+        "wafv2:AssociateWebACL",
+        "wafv2:DisassociateWebACL"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "shield:DescribeProtection",
+        "shield:GetSubscriptionState",
+        "shield:DeleteProtection",
+        "shield:CreateProtection",
+        "shield:DescribeSubscription",
+        "shield:ListProtections"
+      ],
+      "Resource": "*"
+    }
+  ]
+}