Move Terraform configuration out of repository
punmechanic committed Feb 24, 2024
1 parent 400962b commit e60b34d
Showing 27 changed files with 2 additions and 735 deletions.
34 changes: 2 additions & 32 deletions .gitignore
Expand Up @@ -12,8 +12,8 @@ api/lambdas/get_user_data/get_user_data
*.bak
.vscode

# Created by https://www.gitignore.io/api/go,vim,osx,node,emacs,windows,terraform
# Edit at https://www.gitignore.io/?templates=go,vim,osx,node,emacs,windows,terraform
# Created by https://www.gitignore.io/api/go,vim,osx,node,emacs,windows
# Edit at https://www.gitignore.io/?templates=go,vim,osx,node,emacs,windows

### Emacs ###
# -*- mode: gitignore; -*-
Expand Down Expand Up @@ -198,36 +198,6 @@ Network Trash Folder
Temporary Items
.apdisk

### Terraform ###
# Local .terraform directories
**/.terraform/*

# .tfstate files
*.tfstate
*.tfstate.*

# Crash log files
crash.log

# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
# .tfvars files are managed as part of configuration and so should be included in
# version control.
#
# example.tfvars

# Ignore override files as they are usually used to override resources locally and so
# are not checked in
override.tf
override.tf.json
*_override.tf
*_override.tf.json

# Include override files you do wish to add to version control using negated pattern
# !example_override.tf

# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
# example: *tfplan*

### Vim ###
# Swap
[._]*.s[a-v][a-z]
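Review bot: dropping `**/.terraform/*`, `*.tfstate`, `*.tfstate.*` and `crash.log` from `.gitignore` removes the only guard against committing Terraform state, and state files carry the rendered values of everything the module was given (the `kms_key_arn`, the `lambda_env` VAULT_* settings, resource ids), while `crash.log` contains a full debug trace. Anyone who keeps a local Terraform checkout next to this repo, or follows the old `cd terraform` steps from memory, can now `git add` one of those files without being stopped. Suggest keeping at least these four patterns regardless of where the Terraform sources live, or adding a pre-commit check for `*.tfstate`; the `override.tf` / `*_override.tf.json` patterns can go, since they only matter when Terraform sources are in this tree.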
101 changes: 0 additions & 101 deletions README.md
Expand Up @@ -32,7 +32,6 @@ aws s3api create-bucket --bucket <terraform state bucket> --region us-west-2 --c

- go 1.20+
- node 16.17.0+
- terraform 1.3.7+

## Setting Up Your Variable Files

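Review bot: the `terraform 1.3.7+` prerequisite is removed, but this hunk's own context line still reads `aws s3api create-bucket --bucket <terraform state bucket> --region us-west-2 ...`, so the README keeps telling readers to create a Terraform state bucket a few lines above a prerequisite list that no longer mentions Terraform. Either drop that bucket step here as well, or replace it with a pointer to wherever the Terraform configuration now lives (the commit message says "out of repository" but not where).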
Expand Down Expand Up @@ -88,103 +87,3 @@ We advise against using environment variables for secrets in AWS Lambda as they
| OKTA_HOST | The hostname of your Okta instance. We'd recommend using a vanity domain, such as https://singlesignon.example.com. |
| OKTA_TOKEN | A token from Okta that has the `okta.apps.read` scope. |
| SETTINGS_PROVIDER | This must be set to 'env' for the Lambda functions to read from the environment. |

# Deploying

These steps assume you created `prod.env` as instructed above.

## First Deploy

You'll need to create a Terraform module which references KeyConjurer. We recommend you do this outside of the KeyConjurer folder itself and check your Terraform configuration into source control. An example module that uses KeyConjurer might look like this:


```hcl
resource "aws_acm_certificate" "api-cert" {
domain_name = "api.keyconjurer.example.com"
validation_method = "EMAIL"
lifecycle {
create_before_destroy = true
}
}
resource "aws_acm_certificate_validation" "api-cert" {
certificate_arn = aws_acm_certificate.api-cert.arn
}
resource "aws_acm_certificate" "frontend-cert" {
domain_name = "keyconjurer.example.com"
validation_method = "EMAIL"
lifecycle {
create_before_destroy = true
}
}
resource "aws_acm_certificate_validation" "frontend-cert" {
certificate_arn = aws_acm_certificate.frontend-cert.arn
}
module "keyconjurer-production" {
source = "./Key-Conjurer/terraform/modules/kitchensink"
api_cert = aws_acm_certificate.development-cert.arn
api_domain = aws_acm_certificate.development-cert.domain_name
frontend_cert = aws_acm_certificate.frontend-cert.arn
frontend_domain = aws_acm_certificate.frontend-cert.domain_name
vpc_id = "vpc-xxxxxx"
subnets = ["subnet-xxxxxx", "subnet-xxxxxx", "subnet-xxxxxx"]
s3_tf_bucket = "<the bucket you created in step 1>"
kms_key_arn = data.aws_kms_key.development.arn
lambda_env = {
VAULT_ADDR = ""
VAULT_ROLE_NAME = "
VAULT_SECRET_MOUNT_PATH = ""
VAULT_SECRET_PATH = ""
VAULT_AWS_AUTH_PATH = ""
}
lb_security_group_ids = []
depends_on = [
aws_acm_certificate_validation.frontend-cert
aws_acm_certificate_validation.api-cert
]
}
```

After modifying `example.env` to your liking, we would recommend renaming this to `prod.env`. You can then deploy KeyConjurer using the following steps:

```
$ pwd
/key-conjurer
$ make build
$ cd terraform
/key-conjurer
$ make upload
$ /your/key-conjurer/terraform/folder
$ terraform apply
```

During your initial deployment, you may need to verify the domain name you've created. This is left as an exercise to the reader; the only thing KeyConjurer requires is _two_ ACM certificates:

1. One for the frontend Cloudfront distribution
2. One for the Load Balancer.

## Future Deploys

Similar to the above steps:

```
$ pwd
/key-conjurer
$ make build
$ cd terraform
/key-conjurer
$ make upload
$ /your/key-conjurer/terraform/folder
$ terraform apply
```

## Noteworthy Info

* `frontend` serves the CLI tool. This means the binaries created in `cli` need to be uploaded to the same bucket that's used to serve the frontend.
* KeyConjurer's Terraform will create an ACL by default unless `create_waf_acl` is set to _false_ and a WAF ACL is provided using `waf_acl_id`. This default ACL will **block all connections**.
* Both a Load Balancer Security Group and a WAF are used to control connections to KeyConjurer. These both need to agree on the IP ranges to allow to KeyConjurer, otherwise you may end up in a situation where a user can access the frontend or use KeyConjurer from the CLI, but not both.
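Review bot: this hunk leaves the README with no deployment guidance at all (103 lines become 3), and two security-relevant notes go with it: that the module creates a WAF ACL which blocks all connections unless `create_waf_acl` is false and `waf_acl_id` is supplied, and that the load balancer security group and the WAF must agree on allowed IP ranges. Both belong wherever the module's documentation moves, since an operator who loses them will either lock everyone out or leave the load balancer more open than the WAF. On the removed HCL example itself: do not carry it over verbatim. `api_cert` and `api_domain` reference `aws_acm_certificate.development-cert`, which is never declared (the certificate resource is named `api-cert`), `VAULT_ROLE_NAME = "` is missing its closing quote, and the `depends_on` list has no comma between its two entries, so the snippet as written would not pass `terraform validate`. The removed shell transcript is also inconsistent (`cd terraform` followed by a `/key-conjurer` working directory), so it is worth rewriting rather than moving.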
6 changes: 0 additions & 6 deletions example.env
Expand Up @@ -5,12 +5,6 @@ tfswitch $TF_VERSION > /dev/null

export RELEASE='prod'

# The backend bucket in terraform/main.tf needs to be set to the same value
# because you cannot use a variable for that value in terraform
export S3_TF_BUCKET_NAME='<S3_TF_BUCKET_NAME>'
export S3_TF_BUCKET_TAGS="TagSet=[{Key=Name,Value=keyconjurer}]"
export S3_FRONTEND_BUCKET='<Bucket to Hold UI/CLI binaries>'

export LOGSTASH_ENDPOINT='<LOGSTASH_ENDPOINT>'
export SECRETS_RETRIEVER='kms_blob'

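Review bot: the context line `tfswitch $TF_VERSION > /dev/null` at the top of this hunk survives even though every Terraform-related export is removed; with no Terraform in the repository, sourcing this file will still try to install or switch a Terraform version, and silently, since its output goes to `/dev/null`. Suggest removing that line and the `TF_VERSION` that feeds it. Separately, `S3_FRONTEND_BUCKET` is not Terraform state: it names the bucket the frontend and CLI binaries are uploaded to, so if the `make upload` target still exists it loses its destination with this change.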
2 changes: 0 additions & 2 deletions git-hooks/pre-commit

This file was deleted.

25 changes: 0 additions & 25 deletions terraform/modules/frontend/.terraform.lock.hcl

This file was deleted.

45 changes: 0 additions & 45 deletions terraform/modules/frontend/bucket.tf

This file was deleted.

50 changes: 0 additions & 50 deletions terraform/modules/frontend/cloudfront.tf

This file was deleted.

3 changes: 0 additions & 3 deletions terraform/modules/frontend/outputs.tf

This file was deleted.

23 changes: 0 additions & 23 deletions terraform/modules/frontend/variables.tf

This file was deleted.

9 changes: 0 additions & 9 deletions terraform/modules/frontend/versions.tf

This file was deleted.

19 changes: 0 additions & 19 deletions terraform/modules/frontend/wafclassic.tf

This file was deleted.

25 changes: 0 additions & 25 deletions terraform/modules/kitchensink/.terraform.lock.hcl

This file was deleted.

