Cloud Posse Reference Architectures
Get up and running quickly with one of our reference architectures using our fully automated cold-start process.
NOTE: This project is under active development and subject to change. Please file issues for all bugs encountered.
Table of Contents
This project is part of our comprehensive "SweetOps" approach towards DevOps.
It's 100% Open Source and licensed under the APACHE2.
Screenshots
Example of using the geodesic shell as a build a docker image built from the cloudposse/reference-architectures
Introduction
High-Level Overview
You can provision the basic reference architecture in 3 "easy" steps. =)
All accounts will leverage our terraform-root-modules service catalog to get you started. Later, we recommend you fork this and start your very own service catalog suitable for your organization.
This process involves using terraform to generate the code (Dockerfile, Makefile, terraform.tfvar, etc) that you will use to manage your infrastructure.
This repo contains everything necessary to administer this architecture. We strive for a "share nothing" approach, which is why we use multiple AWS accounts and DNS zones. This reduces the blast radius from human errors. This reference architecture is ideally suited for larger enterprise or corporate environments where various stakeholders will be responsible for running services in their account.
See the Next Steps section for where to go after this process completes.
Architecture
Our "reference architecture" is an opinionated approach to architecting accounts for AWS.
This process provisions 7+ accounts that have different designations.
Here is what it includes. Enable the accounts you want.
| Account | Description |
|---|---|
| master | The "master" (parent, billing) account creates all member accounts and is where users login. |
| prod | The "production" is account where you run your most mission critical applications |
| staging | The "staging" account is where you run all of your QA/UAT/Testing |
| dev | The "dev" sandbox account is where you let your developers have fun and break things |
| audit | The "audit" account is where all logs end up |
| corp | The "corp" account is where you run the shared platform services for the company |
| data | The "data" account is where the quants live =) |
| testing | The "testing" account is where to run automated tests of unblessed infrastructure code |
| security | The "security" account is where to run automated security scanning software |
| identity | The "identity" account is where to add users and delegate access to the other accounts |
Each account has its own terraform state backend, along with a dedicated DNS zone for service discovery.
The master account owns the top-level DNS zone and then delegates NS authority to each member account.
Quick Start
Assumptions
- We are starting with a clean AWS environment and a new "master" (top-level) AWS account. This means you need the "master" credentials, since a fresh AWS account doesn't even have any AWS roles that can be assumed.
- You have administrator access to this account.
- You have docker installed on your workstation.
- You have terraform installed on your workstation.
Checklist
Before we get started, make sure you have the following
- Before you can create new AWS accounts under your organization, you must verify your email address.
- Open a support ticket to request the limit of AWS accounts be increased for your organization (the default is 1).
- Clone this repo on your workstation.
- Create a temporary pair of Access Keys. These should be deleted afterwards.
- Export your AWS "root" account credentials as
AWS_ACCESS_KEY_IDandAWS_SECRET_ACCESS_KEY(this is temporary for bootstrapping). - An available domain we can use for DNS-base service discovery (E.g.
ourcompany.co). This domain must not be in use elsewhere as the master account will need to be the authoritative name server (SOA).
Getting Started
1. Provision Master Account
The "master" account is the top-most AWS account from which all other AWS accounts are programmatically created.
WARNING: Terraform cannot remove an AWS account from an organization. Terraform cannot close the account. The member account must be prepared to be a standalone account beforehand. To do this, issue a password reset using the member account's email address. Login and accept the prompts. Then you should be good to go. See the AWS Organization documentation for more information.
This account is provisioned slightly differently from the other member accounts.
Update the configuration for this account by editing the configs/master.tfvar file.
Then to get started, run:
make rootNOTE: We need to know each account's AWS_ACCOUNT_ID for Step 2.
NOTE: Sometimes provisioning of the account module fails due to rate limiting by AWS on creating member accounts. If this happens, just run make root/provision to retry. If that works, just continue on with step 2, once it completes.
Here's what that roughly looks like (but entirely automated).
- Create a new account git repo.
- Render templates into the repo (including
Dockerfile). - Build a docker image.
- Run the docker image and start provisioning resources including the Terraform state backend and member accounts.
- Create the IAM groups to permit access to member accounts.
- Write a list of member account IDs so we can use them in the next phase.
2. Provision Member Accounts
Member accounts are created from the master account.
Update the configuration for all the member accounts by editing the configs/$env.tfvar file (replace $env with the name of the account).
To get started, run:
make childrenHere's what that roughly looks like (but entirely automated).
For each member account:
- Create a new account git repo.
- Render the templates for a
memberaccount into the repo directory (includeDockerfile). Obtain the account ID from the previous phase. - Build a docker image.
- Run the docker image and start provisioning the member account's Terraform state bucket, DNS zone, cloudtrail logs, etc.
3. Delegate DNS
Now that each member account has been provisioned, we can delegate each DNS zone to those accounts.
To finish up, run:
make finalizeHere's what that roughly looks like (but entirely automated).
- Re-use the docker images from phase (1) and phase (2).
- Update DNS so that
masteraccount delegates DNS zones to the member accounts. - Enable cloudtrail log forwarding to
auditaccount.
Known Limitations
- AWS does not support programmatic deletion of accounts. This means that if you use this project to create the account structure, but terraform is not able to completely tear it down. Deleting AWS accounts is a long, painful process, because AWS does not want to be on the hook for deleting stuff that it cannot get back.
- AWS by default only permits one member account. This limit can be easily increased for your organization by contacting AWS support, but it can take up to several days.
- AWS will rate limit account creation. This might mean you'll need to restart the provisioning.
- AWS only supports creating member accounts from the master account. This means you cannot create accounts from within member accounts.
- AWS does not permit email addresses to be reused across accounts. One key thing is that the email address associated with the account will be forever associated with that account. You will not be able to create a new account with that email address and you will not be able to change the email address later. So before you delete an account, change the email address to something you can consider a throwaway. Gmail and some other providers allow you to use plus-addressing (e.g.
[email protected])" to your username to create a unique email that still routes to you, so we suggest you use plus addressing for your accounts.
Next Steps
At this point, you have everything you need to start terraforming your way to success.
All of your account configurations are currently in repos/
- Commit all the changes made. Open Pull Requests.
- Ensure that the name servers for the service discovery domain (e.g.
ourcompany.co) have been configured with your domain registrar (e.g. GoDaddy). - Delete your master account credentials. They are no longer needed and should not be used. Instead, use the created IAM users.
- Request limits for EC2 instances to be raised in each account corresponding to the region you will be operating in.
- Set the member account's credentials. To do this, issue a password reset using the member account's email address. Login and accept the prompts. Setup MFA.
- Ensure you have MFA setup on your master account.
- Consider adding some other capabilities from our service catalog.
- Create your own
terraform-root-modulesservice catalog for your organization.
Getting Help
Did you get stuck? Find us on slack in the #geodesic channel.
Help
Got a question? We got answers.
File a GitHub issue, send us an email or join our Slack Community.
DevOps Accelerator for Startups
We are a DevOps Accelerator. We'll help you build your cloud infrastructure from the ground up so you can own it. Then we'll show you how to operate it and stick around for as long as you need us.
Work directly with our team of DevOps experts via email, slack, and video conferencing.
We deliver 10x the value for a fraction of the cost of a full-time engineer. Our track record is not even funny. If you want things done right and you need it done FAST, then we're your best bet.
- Reference Architecture. You'll get everything you need from the ground up built using 100% infrastructure as code.
- Release Engineering. You'll have end-to-end CI/CD with unlimited staging environments.
- Site Reliability Engineering. You'll have total visibility into your apps and microservices.
- Security Baseline. You'll have built-in governance with accountability and audit logs for all changes.
- GitOps. You'll be able to operate your infrastructure via Pull Requests.
- Training. You'll receive hands-on training so your team can operate what we build.
- Questions. You'll have a direct line of communication between our teams via a Shared Slack channel.
- Troubleshooting. You'll get help to triage when things aren't working.
- Code Reviews. You'll receive constructive feedback on Pull Requests.
- Bug Fixes. We'll rapidly work with you to fix any bugs in our projects.
Slack Community
Join our Open Source Community on Slack. It's FREE for everyone! Our "SweetOps" community is where you get to talk with others who share a similar vision for how to rollout and manage infrastructure. This is the best place to talk shop, ask questions, solicit feedback, and work together as a community to build totally sweet infrastructure.
Discourse Forums
Participate in our Discourse Forums. Here you'll find answers to commonly asked questions. Most questions will be related to the enormous number of projects we support on our GitHub. Come here to collaborate on answers, find solutions, and get ideas about the products and services we value. It only takes a minute to get started! Just sign in with SSO using your GitHub account.
Newsletter
Sign up for our newsletter that covers everything on our technology radar. Receive updates on what we're up to on GitHub as well as awesome new projects we discover.
Office Hours
Join us every Wednesday via Zoom for our weekly "Lunch & Learn" sessions. It's FREE for everyone!
Contributing
Bug Reports & Feature Requests
Please use the issue tracker to report any bugs or file feature requests.
Developing
If you are interested in being a contributor and want to get involved in developing this project or help out with our other projects, we would love to hear from you! Shoot us an email.
In general, PRs are welcome. We follow the typical "fork-and-pull" Git workflow.
- Fork the repo on GitHub
- Clone the project to your own machine
- Commit changes to your own branch
- Push your work back up to your fork
- Submit a Pull Request so that we can review your changes
NOTE: Be sure to merge the latest changes from "upstream" before making a pull request!
Copyrights
Copyright © 2016-2020 Cloud Posse, LLC
License
See LICENSE for full details.
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
https://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
Trademarks
All other trademarks referenced herein are the property of their respective owners.
About
This project is maintained and funded by Cloud Posse, LLC. Like it? Please let us know by leaving a testimonial!
We're a DevOps Professional Services company based in Los Angeles, CA. We ❤️ Open Source Software.
We offer paid support on all of our projects.
Check out our other projects, follow us on twitter, apply for a job, or hire us to help with your cloud strategy and implementation.
Contributors
 Erik Osterman |
 John C Bland II |
 Andriy Knysh |
 Jeremy Grodberg |
|---|