onramp is a collection of security-focused IaC modules that serve as a base infrastructure profile for FedRAMP Moderate environments. It stands up AWS (and, coming soon, Azure) govcloud infrastructure and a managed Kubernetes cluster to deploy your app into.
- terraform: stand up ECR with EBS-backed encrypted volumes using a KMS key and push the app helm chart to ECR
- implement tfenv (https://github.com/tfutils/tfenv)
- create and implement an s3 bucket for storing terraform state
- migrate from monolith file to modules
- document order of operations
- write wrapper script
- implement validation for names, k8s versions, cidr blocks
- parse config
- create s3 bucket for tf state storage
- provision aws infra
- provision eks cluster and ELB
- create standard aws route 53 pointing to govcloud ELB
- install app helm chart to EKS using route 53 cname
- TODO
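As an added example, not part of the onramp project, here is a POSIX shell pre-flight check of the kind the wrapper script's "parse config" and validation steps call for: it reads string values out of `default.auto.tfvars` and validates the customer name, the Kubernetes version and the VPC CIDR block before any `terraform apply` is run. The variable names `k8s_version` and `vpc_cidr` (the page only shows `customer_name` and friends), the function names, and the specific rules (a lowercase name of at most 32 characters, a `major.minor` Kubernetes version, a VPC CIDR of /16 to /28 with no host bits set in the network address) are assumptions, not the project's.

```sh
#!/bin/sh
# Added example, not part of the onramp project: pre-flight validation of
# default.auto.tfvars for the wrapper script to run before terraform apply.
# The variable names k8s_version and vpc_cidr and the rules below are assumptions.
set -eu

# Extract a string value from an HCL-style tfvars line:  key = "value" # comment
tfvar() {
  grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | head -n 1 \
    | sed -nE 's/^[^=]*=[[:space:]]*"([^"]*)".*$/\1/p'
}

# Names end up in resource tags and DNS records: lowercase letters, digits and
# hyphens only, starting with a letter, at most 32 characters (assumed rule).
validate_name() {
  printf '%s' "$1" | grep -Eq '^[a-z][a-z0-9-]{0,31}$'
}

# EKS takes a major.minor version string such as "1.29", not "latest" or "v1.29".
validate_k8s_version() {
  printf '%s' "$1" | grep -Eq '^[0-9]+\.[0-9]+$'
}

# A VPC CIDR: four octets 0-255 without leading zeros, a prefix length of /16 to /28
# (the range AWS accepts for a VPC), and no host bits set in the network address.
validate_cidr() {
  _cidr=$1
  printf '%s' "$_cidr" \
    | grep -Eq '^((0|[1-9][0-9]{0,2})\.){3}(0|[1-9][0-9]{0,2})/[0-9]{1,2}$' || return 1
  _prefix=${_cidr#*/}
  [ "$_prefix" -ge 16 ] && [ "$_prefix" -le 28 ] || return 1
  _oldifs=$IFS
  IFS=.
  set -- ${_cidr%/*}
  IFS=$_oldifs
  for _octet in "$@"; do
    [ "$_octet" -le 255 ] || return 1
  done
  # Pack the octets into a 32-bit integer and check that the host part is all zeros.
  _ip=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
  _hostmask=$(( (1 << (32 - _prefix)) - 1 ))
  [ $(( _ip & _hostmask )) -eq 0 ]
}

# Validate the whole file; report every problem and return non-zero if any was found.
validate_config() {
  _file=$1
  _rc=0
  _name=$(tfvar "$_file" customer_name)
  validate_name "$_name" \
    || { echo "customer_name '$_name': use lowercase letters, digits, hyphens (max 32)" >&2; _rc=1; }
  _ver=$(tfvar "$_file" k8s_version)
  validate_k8s_version "$_ver" \
    || { echo "k8s_version '$_ver': expected major.minor, e.g. 1.29" >&2; _rc=1; }
  _vpc=$(tfvar "$_file" vpc_cidr)
  validate_cidr "$_vpc" \
    || { echo "vpc_cidr '$_vpc': expected a /16 to /28 network address such as 10.0.0.0/16" >&2; _rc=1; }
  return $_rc
}

# Usage: sh validate-tfvars.sh default.auto.tfvars
if [ "${1:-}" ]; then
  validate_config "$1" && echo "config OK"
fi
```

The script exits non-zero when any value is rejected, so the wrapper can run it as its first step and refuse to call `terraform apply` on a bad configuration; the CIDR check deliberately rejects addresses with host bits set (for example `10.0.1.0/16`), because AWS would otherwise silently normalise them to the network address.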
Use of this terraform requires admin AWS permissions.

- Configure the AWS provider with your credentials.
- Run `terraform init`.
- Run `terraform apply`.
- When complete, run `terraform destroy` to destroy all terraform-managed resources.

Copy `default.auto.tfvars.example` to `default.auto.tfvars` and set your configuration there.
Example:

```hcl
#### Variable definitions
aws_credentials_file = "/Users/ross/.aws/credentials" # full path to your local AWS credentials file
aws_profile = "aws-govcloud-admin" # name of the profile to use from the AWS credentials file
aws_region = "us-gov-east-1" # AWS region used for all resources
customer_name = "ross" # customer name to use for tagging resources
org_name = "ross-test" # name of the organization to use when creating a new Route 53 public record
acm_certificate_domain = "" # existing AWS ACM certificate domain name; used to look up the ACM certificate for use by AWS Client VPN
```
The preferred method is to set the `aws_credentials_file` variable in the `default.auto.tfvars` file to the full path of your AWS credentials file.
Alternate method: pass the path on the command line instead.

Linux/macOS

```sh
terraform apply -var="aws_credentials_file=$HOME/.aws/credentials"
```

Windows (cmd)

```bat
terraform apply -var "aws_credentials_file=%USERPROFILE%\.aws\credentials"
```
https://registry.terraform.io/providers/hashicorp/aws/latest/docs#shared-credentials-file
You can use an AWS credentials or configuration file to specify your credentials. The default location is `$HOME/.aws/credentials` on Linux and macOS, or `%USERPROFILE%\.aws\credentials` on Windows.
Example: Creating a Linux/macOS AWS credentials file with profile name default

```sh
# Create the .aws directory (not a directory named "credentials"), then write the file
mkdir -p "$HOME/.aws"
cat << EOF > "$HOME/.aws/credentials"
[default]
aws_access_key_id=XXXX
aws_secret_access_key=YYYYY
EOF
# The file holds long-lived secrets: make it readable by your user only
chmod 600 "$HOME/.aws/credentials"
```
Example: Creating a Windows AWS credentials file with profile name default

```powershell
# PowerShell reads environment variables as $env:NAME; %USERPROFILE% is cmd syntax
New-Item -ItemType Directory -Path "$env:USERPROFILE\.aws" -Force
# Here-string with the profile contents; the closing "@ must start its own line
$CredentialString = @"
[default]
aws_access_key_id=XXXX
aws_secret_access_key=YYYYY
"@
New-Item -ItemType File -Path "$env:USERPROFILE\.aws\credentials" -Value $CredentialString
```