Acme's Infrastructure - Terragrunt Reference Architecture (updated: May 2020)
This repository contains rather complete infrastructure configurations where Terragrunt is used to manage infrastructure for Acme Corporation.
By the way!
This code is very close to the one produced by modules.tf - open-source infrastructure as code generator from visual diagrams created with Cloudcraft.co. See it yourself in modules.tf-demo!
Introduction
Acme has several environments (prod, staging and dev) entirely separated by AWS accounts.
Infrastructure in each environment consists of multiple layers (autoscaling, alb, vpc, ...) where each layer is configured using one of Terraform AWS modules with arguments specified in terragrunt.hcl in layer's directory.
Terragrunt is used to work with Terraform configurations which allows orchestrating of dependent layers, update arguments dynamically and keep configurations DRY.
Environments
Primary AWS region for all environments is eu-central-1 (Frankfurt):
-
acme-prod- Production configurations (AWS account - 111111111111) -
acme-staging- Staging configurations (AWS account - 444444444444) -
acme-master- Master AWS account (333333333333) contains:- AWS Organizations
- IAM entities (users, groups)
- ECR repositories
- Route53 zones
Pre-requirements
- Terraform 0.12
- Terragrunt 0.22 or newer
- Terraform Docs
- pre-commit hooks to keep Terraform formatting and documentation up-to-date
- direnv to automatically set correct environment variables per AWS account as specified in
.envrc(optional)
If you are using macOS you can install all dependencies using Homebrew:
$ brew install terraform terragrunt pre-commit
Configure access to AWS account
Acme has dedicated AWS account where IAM users, groups and roles managed. This AWS account is a jump account, where IAM users logged in, and then they assume role in other AWS account.
The recommended way to configure access credentials to AWS account is using environment variables:
$ export AWS_DEFAULT_REGION=eu-west-1
$ export AWS_ACCESS_KEY_ID=...
$ export AWS_SECRET_ACCESS_KEY=...
Alternatively, you can edit terragrunt.hcl and use another authentication mechanism as described in AWS provider documentation.
aws-vault, vaulted, awsp or other tool can be used to manage your AWS credentials securely locally and switch roles.
Create and manage your infrastructure
Infrastructure consists of multiple layers (vpc, alb, ...) where each layer is described using one Terraform module with inputs arguments specified in terragrunt.hcl in respective layer's directory.
Navigate through layers to review and customize values inside inputs block.
There are two ways to manage infrastructure (slower&complete, or faster&granular):
- Region as a whole (slower&complete). Run this command to create infrastructure in all layers in a single region:
$ cd acme-prod/eu-central-1
$ terragrunt apply-all
- As a single layer (faster&granular). Run this command to create infrastructure in a single layer (eg,
vpc):
$ cd acme-prod/eu-central-1/vpc
$ terragrunt apply
After you confirm the creation of the infrastructure should succeed.
If you want to suppress irrelevant output produced by Terragrunt, you can install this alias in your shell (source to gist):
terragrunt () {
local action=$1
shift 1
command terragrunt $action "$@" 2>&1 | sed -E "s|$(dirname $(pwd))/||g;s|^\[terragrunt\]( [0-9]{4}/[0-9]{2}/[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2})* ||g;s|(\[.*\]) [0-9]{4}/[0-9]{2}/[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}|\1|g"
}
References
- Terraform documentation and Terragrunt documentation for all available commands and features.
- Terraform AWS modules.
- Terraform modules registry.
Author
This project is created and maintained by Anton Babenko.
License
All content, including Terraform AWS modules used in these configurations, is released under the MIT License.
Copyright (c) 2019-2020 Anton Babenko