Project template for building out a full AWS application

tesera/terraform-aws-template

 
 


Infrastructure

Accounts

| Name        | Account ID | Colour | Root Email |
|-------------|------------|--------|------------|
| master      |            |        |            |
| operations  |            | Blue   |            |
| production  |            | Red    |            |
| staging     |            | Orange |            |
| testing     |            | Yellow |            |
| development |            | Green  |            |
| forensics   |            | Purple |            |

Project Structure

```
${project}-infrastructure
|-- package.json    # Script shortcuts (lint, install, deploy, test) & versioning?
|-- amis            # Collection of AMIs, built by Packer
|   |-- {name}      # AMI files
|-- master          # Setup for root level account
|   |-- state       # Sets up state management for terraform
|   |-- account     # Account setup (Groups, Monitoring)
|   |-- users       # IAM Users
|-- operations      # Setup for operation pieces
|   |-- account     # Account setup (Roles, Monitoring)
|   |-- cicd        # Jenkins
|   |-- dns         # Route53
|   |-- logging     # ELK & CloudWatch
|   |-- secrets     # HashiCorp Vault
|-- environments
|   |-- account     # Account setup (Roles, Monitoring)
|   |-- app         # Public static assets
|   |-- api         # Public/Private API endpoints and support infrastructure (cache, events, lambda)
|   |-- db          # Databases
|   |-- ops         # Ops dashboards
|   |-- vpc         # VPC & Networking
|-- modules         # Collection of project specific modules
```

Getting Started

Installing CLIs

```sh
$ brew install terraform

# Optional, for building AMIs
$ brew install packer
```

Setup Terraform Workspaces

To create the workspaces, go to the respective subfolder (/environments/*/) and run:

```sh
$ terraform init
$ terraform workspace new production
$ terraform workspace new staging
$ terraform workspace new testing
$ terraform workspace new development
```

Terraform applies to whichever workspace is currently selected, so check it before every apply:

```sh
$ terraform workspace select development
$ terraform workspace list
```
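The workspace check above is manual. As an added example, not code from the tesera template, the following HCL ties each workspace to the AWS account it is allowed to manage and fails the plan when the credentials in use resolve to a different account. It assumes Terraform 1.2 or newer (lifecycle postconditions on data sources), the AWS provider, and placeholder account IDs that would be filled in from the Accounts table.

```hcl
# Added example, not from tesera/terraform-aws-template.
# Maps each workspace to the AWS account it may manage and aborts the plan
# if the current credentials resolve to any other account.
# Requires Terraform >= 1.2 for lifecycle postconditions on data sources.

variable "region" {
  type    = string
  default = "us-east-1" # assumed
}

locals {
  # Placeholder IDs; fill in from the Accounts table.
  account_ids = {
    production  = "111111111111"
    staging     = "222222222222"
    testing     = "333333333333"
    development = "444444444444"
  }

  # Indexing with the workspace name makes an unmapped workspace (including
  # "default") fail immediately with "Invalid index" instead of applying.
  expected_account = local.account_ids[terraform.workspace]
}

provider "aws" {
  region = var.region

  # Tag everything with the workspace so a resource that landed in the wrong
  # environment is at least easy to spot.
  default_tags {
    tags = {
      Environment = terraform.workspace
      ManagedBy   = "terraform"
    }
  }
}

data "aws_caller_identity" "current" {
  lifecycle {
    postcondition {
      condition     = self.account_id == local.expected_account
      error_message = "The selected workspace maps to a different AWS account than the one the current credentials resolve to. Select the matching workspace and profile, then retry."
    }
  }
}
```

With this in a root module, `terraform plan` stops at the postcondition before it computes any changes, so a `production` workspace paired with development credentials (or the reverse) cannot get as far as `apply`.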

Setup Multi-Accounts

See [docs](./docs/Multi Account Setup.md) for detailed steps.

Build AMIs

To create the AMIs, go to the respective subfolder (/amis/*/), edit variables.json, and run:

```sh
$ packer build -var-file=variables.json ami.json
```

See docs for configuration options and full documentation.

Install node dependencies

```sh
$ npm run install:npm
```

Switch Roles

  • admin
  • developer

TODO: complete policy for developer
TODO: add in audit role?
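As an added example (not the template's own role definitions), here is how the cross-account switch can be locked down in HCL: the sub-account's admin role trusts only the master account and requires an MFA authentication from the last hour, and a group in the master account is granted sts:AssumeRole only into that role in the listed sub-accounts. The two halves belong in different root modules (environments/account for the role, master/account for the group); the account IDs, role name and group name are placeholders.

```hcl
# Added example, not from tesera/terraform-aws-template.
# Part 1 (applied in each sub-account, e.g. environments/account):
# an admin role that can only be assumed from the master account by a
# principal who authenticated with MFA within the last hour.

variable "master_account_id" {
  type    = string
  default = "111111111111" # placeholder
}

data "aws_iam_policy_document" "admin_trust" {
  statement {
    actions = ["sts:AssumeRole"]

    # Trusting the account root delegates *which* users may switch to the
    # master account's own IAM policies (see Part 2).
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.master_account_id}:root"]
    }

    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }

    condition {
      test     = "NumericLessThan"
      variable = "aws:MultiFactorAuthAge"
      values   = ["3600"]
    }
  }
}

resource "aws_iam_role" "admin" {
  name                 = "admin"
  assume_role_policy   = data.aws_iam_policy_document.admin_trust.json
  max_session_duration = 3600
}

resource "aws_iam_role_policy_attachment" "admin" {
  role       = aws_iam_role.admin.name
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}

# Part 2 (applied in the master account, e.g. master/account):
# a group whose only permission is to assume the admin role in the
# listed sub-accounts; no other action and no other role.

variable "sub_account_ids" {
  type = map(string)
  default = {
    production = "222222222222" # placeholder
    staging    = "333333333333" # placeholder
  }
}

data "aws_iam_policy_document" "assume_admin" {
  statement {
    actions   = ["sts:AssumeRole"]
    resources = [for id in values(var.sub_account_ids) : "arn:aws:iam::${id}:role/admin"]
  }
}

resource "aws_iam_group" "admins" {
  name = "admins"
}

resource "aws_iam_group_policy" "assume_admin" {
  name   = "assume-admin-in-sub-accounts"
  group  = aws_iam_group.admins.name
  policy = data.aws_iam_policy_document.assume_admin.json
}
```

The console's Switch Role and `aws sts assume-role` both go through the same trust policy, so a user without a recent MFA session is refused in either path; a developer or audit role would use the same trust document with a narrower permissions policy attached.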

Terraform Apply Order

  1. master/state
  2. master/account
    • Sub-Accounts / Organization (manual)
    • Groups for sub-account access
    • Roles for sub-accounts (bastion)
    • Users (manual/optional)
    • CloudTrail
    • Security Hub
  3. environments/account
    • Roles (admin, developer, operator, audit, etc.)
    • API Gateway logs
    • CloudTrail
    • GuardDuty
    • Inspector agent
    • Macie
  4. environments/vpc
    • VPC
    • VPC endpoints (S3, DynamoDB)
    • Bastion
  5. environments/db
    • RDS (Postgres, MySQL)
    • ElastiCache (Redis)
    • Elasticsearch
  6. environments/api
    • [-] DynamoDB
    • ALB + ECS
    • ECS
    • API Gateway
    • Events, SQS, SNS, Lambda, S3
  7. environments/app
    • CloudFront
    • S3
  8. environments/ops
    • CloudWatch dashboards
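As an added example (not the template's own modules), the following HCL shows the plumbing behind this order: master/state creates the remote-state bucket and lock table, a later root module (environments/vpc) stores its state there and exports outputs, and the next one (environments/db) reads those outputs for the same workspace. The three parts belong in three separate root modules; the bucket, table and region names and the subnet layout are assumed placeholders.

```hcl
# Added example, not from tesera/terraform-aws-template.

# --- master/state ---------------------------------------------------------
# State files contain secrets (DB passwords, keys), so the bucket is
# versioned, encrypted and blocked from public access, and a DynamoDB
# table provides locking so two applies cannot race.
resource "aws_s3_bucket" "state" {
  bucket = "example-terraform-state" # placeholder name
}

resource "aws_s3_bucket_versioning" "state" {
  bucket = aws_s3_bucket.state.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "state" {
  bucket = aws_s3_bucket.state.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "aws:kms"
    }
  }
}

resource "aws_s3_bucket_public_access_block" "state" {
  bucket                  = aws_s3_bucket.state.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_dynamodb_table" "lock" {
  name         = "example-terraform-lock" # placeholder name
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"
  attribute {
    name = "LockID"
    type = "S"
  }
}

# --- environments/vpc ------------------------------------------------------
# Backend blocks do not accept variables, so each root module repeats the
# literal names (or passes them with -backend-config). workspace_key_prefix
# keeps every workspace's state under its own key.
terraform {
  backend "s3" {
    bucket               = "example-terraform-state"
    key                  = "environments/vpc/terraform.tfstate"
    workspace_key_prefix = "workspaces"
    region               = "us-east-1"
    encrypt              = true
    dynamodb_table       = "example-terraform-lock"
  }
}

resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16" # assumed
}

resource "aws_subnet" "private" {
  count      = 2
  vpc_id     = aws_vpc.main.id
  cidr_block = cidrsubnet(aws_vpc.main.cidr_block, 8, count.index)
}

output "private_subnet_ids" {
  value = aws_subnet.private[*].id
}

# --- environments/db -------------------------------------------------------
# Reads the vpc outputs for the *same* workspace, which is why vpc must be
# applied before db and why the selected workspace has to match.
data "terraform_remote_state" "vpc" {
  backend   = "s3"
  workspace = terraform.workspace
  config = {
    bucket               = "example-terraform-state"
    key                  = "environments/vpc/terraform.tfstate"
    workspace_key_prefix = "workspaces"
    region               = "us-east-1"
  }
}

resource "aws_db_subnet_group" "main" {
  name       = "${terraform.workspace}-db"
  subnet_ids = data.terraform_remote_state.vpc.outputs.private_subnet_ids
}
```

Every later step in the list consumes outputs the same way (api reads db and vpc, app reads api, ops reads all of them), which is what fixes the order: a module applied before its dependency fails at plan time with a missing output rather than building against the wrong network.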

Built With

Contributing

See Developer Guide (TODO add link)

Versioning

We use SemVer for versioning. For the versions available, see the tags on this repository.

Authors

See also the list of contributors who participated in this project.

License

This project is licensed under the MIT License - see the LICENSE file for details

Acknowledgments

TODO / Roadmap
