Terraform module for provisioning Flightdeck application resources in AWS
thoughtbot/terraform-flightdeck-aws-application

# Flightdeck AWS Application

This Terraform module provisions AWS resources for running an application on Flightdeck.

## Example

```hcl
module "production" {
  source = "git@github.com:thoughtbot/terraform-flightdeck-aws-application.git?ref=v0.1.0"

  # Required
  cluster_names = ["example-production-v1"]
  name          = "example"
  stage         = "production"

  # Generate a secret key
  generate_secret_key = true
  secret_key_variable = "SECRET_KEY_BASE"

  # Postgres
  postgres_enabled               = true
  postgres_allocated_storage     = 64
  postgres_engine_version        = "14.8"
  postgres_identifier            = "example-red"
  postgres_instance_class        = "db.t4g.large"
  postgres_max_allocated_storage = 128

  # Redis
  redis_enabled       = true
  redis_name          = "example-production-blue"
  redis_node_type     = "cache.m6g.large"
  redis_replica_count = 1

  # S3
  s3_enabled     = true
  s3_bucket_name = "example-uploads"

  # Sentry DSN
  sentry_enabled      = true
  sentry_organization = "myorg"
  sentry_project      = "example"

  # Developer managed secrets
  developer_managed_secrets = {
    Email = ["SMTP_USERNAME", "SMTP_PASSWORD"]
  }

  # AWS IAM Identity Center permissions
  readwrite_permission_sets = ["DeveloperAccess"]
  secret_permission_sets    = ["SecretsAccess"]
}
```

Note that the Inputs table below marks `github_branches`, `github_iam_oidc_provider_arn`, `github_organization` and `github_repository` (as well as `es_dedicated_master_type` and `es_engine_version`) as required with no default, yet they are absent from this example. Confirm against the module's variable definitions and supply the values your setup needs before running `terraform plan`. The GitHub inputs are what scope the deploy role to a single organization, repository and set of branches, so they deserve the same care as the permission sets.

This module is designed as a quick start to cover the most common cases for applications running on Flightdeck. If you need additional resources for your application or want to customize further than the variables allow, you can clone this module into a directory in your Terraform project and use a local module reference.

This module can be combined with the application-config module to quickly create necessary base resources in the target cluster:

```hcl
module "production_v1" {
  source    = "github.com/thoughtbot/flightdeck//aws/application-config?ref=v0.10.0"
  providers = { kubernetes = kubernetes.production_v1 }

  developer_group         = "developer"
  enable_exec             = true
  namespace               = module.production.namespace
  secrets_manager_secrets = module.production.secrets_manager_secrets
  pod_service_account     = module.production.service_account_name
  pod_iam_role            = module.production.pod_role_arn

  depends_on = [module.production]
}
```

## Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.4.2 |
| aws | ~> 5.0 |
| random | ~> 3.0 |

## Providers

| Name | Version |
|------|---------|
| aws | ~> 5.0 |
| random | ~> 3.0 |

## Modules

| Name | Source | Version |
|------|--------|---------|
| cluster | github.com/thoughtbot/flightdeck//aws/cluster-name | v0.12.1 |
| deploy_role | github.com/thoughtbot/terraform-eks-cicd//modules/github-actions-eks-deploy-role | v0.3.0 |
| developer_managed_secrets | github.com/thoughtbot/terraform-aws-secrets//user-managed-secret | v0.8.0 |
| developer_managed_secrets_policy | github.com/thoughtbot/terraform-aws-secrets//read-secret-policy | v0.8.0 |
| es_pod_policy | github.com/thoughtbot/flightdeck//aws/service-account-policy | v0.12.1 |
| network | github.com/thoughtbot/flightdeck//aws/network-data | v0.12.1 |
| opensearch | ./modules/opensearch | n/a |
| pod_policy | github.com/thoughtbot/flightdeck//aws/service-account-policy | v0.12.1 |
| pod_role | github.com/thoughtbot/flightdeck//aws/service-account-role | v0.12.1 |
| postgres | github.com/thoughtbot/terraform-aws-databases//rds-postgres/primary-instance | v0.6.0 |
| postgres_admin_login | github.com/thoughtbot/terraform-aws-databases//rds-postgres/admin-login | v0.6.0 |
| postgres_policy | github.com/thoughtbot/terraform-aws-secrets//read-secret-policy | v0.8.0 |
| redis | github.com/thoughtbot/terraform-aws-databases//elasticache-redis/replication-group | v0.6.0 |
| redis_policy | github.com/thoughtbot/terraform-aws-secrets//read-secret-policy | v0.8.0 |
| redis_token | github.com/thoughtbot/terraform-aws-databases//elasticache-redis/auth-token | v0.6.0 |
| s3_bucket | github.com/thoughtbot/terraform-s3-bucket | v0.4.0 |
| secret_key | github.com/thoughtbot/terraform-aws-secrets//random-secret | v0.8.0 |
| secret_key_policy | github.com/thoughtbot/terraform-aws-secrets//read-secret-policy | v0.8.0 |
| sentry_dsn | github.com/thoughtbot/terraform-aws-sentry-dsn | v0.4.0 |
| sso_roles | github.com/thoughtbot/terraform-aws-sso-permission-set-roles | v0.3.0 |

## Resources

| Name | Type |
|------|------|
| aws_iam_service_linked_role.elasticsearch | resource |
| random_id.parameter_group | resource |
| random_password.es | resource |
| aws_availability_zones.available | data source |
| aws_iam_policy_document.ecs_osis_access | data source |
| aws_iam_role.execution | data source |
| aws_region.current | data source |
| aws_ssm_parameter.prometheus_workspace_id | data source |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| cluster_names | Names of EKS clusters for application | `list(string)` | n/a | yes |
| deploy_role_name | Override the name of the deploy role | `string` | `null` | no |
| developer_managed_secrets | Secrets managed manually by developers | `map(list(string))` | `{}` | no |
| elasticsearch_enabled | Set to true to enable creation of the Elasticsearch database | `bool` | `false` | no |
| es_admin_principals | Principals allowed to perform admin actions (default: current account) | `list(string)` | `null` | no |
| es_application_name | Unique name for the OpenSearch instance | `string` | `""` | no |
| es_dedicated_master_type | Instance type of the dedicated main nodes in the cluster | `string` | n/a | yes |
| es_ebs_iops | Baseline input/output (I/O) performance of EBS volumes attached to data nodes | `number` | `3000` | no |
| es_engine_version | Version of Elasticsearch to deploy | `string` | n/a | yes |
| es_instance_count | Number of instances in the cluster | `number` | `2` | no |
| es_instance_type | Instance type of data nodes in the cluster | `string` | `""` | no |
| es_read_principals | Principals allowed to read the secret (default: current account) | `list(string)` | `null` | no |
| es_volume_size | Size of EBS volumes attached to data nodes (in GiB) | `number` | `100` | no |
| es_volume_type | Type of EBS volumes attached to data nodes | `string` | `"gp3"` | no |
| execution_role_arns | ARNs of execution roles allowed to manage this application | `list(string)` | `[]` | no |
| execution_role_names | Names of execution roles allowed to manage this application | `list(string)` | `["terraform-execution"]` | no |
| generate_secret_key | Set to true to generate a secret key for the application | `bool` | `false` | no |
| github_branches | GitHub branches allowed to deploy to this instance | `list(string)` | n/a | yes |
| github_iam_oidc_provider_arn | ARN for the GitHub Actions IAM OIDC provider | `string` | n/a | yes |
| github_organization | GitHub organization allowed to deploy to this instance | `string` | n/a | yes |
| github_repository | GitHub repository allowed to deploy to this instance | `string` | n/a | yes |
| name | Name of this application | `string` | n/a | yes |
| postgres_admin_username | Username for the admin user | `string` | `"postgres"` | no |
| postgres_allocated_storage | Size in GB for the database instance | `number` | `null` | no |
| postgres_apply_immediately | Set to true to apply changes immediately, which causes downtime | `bool` | `false` | no |
| postgres_default_database | Name of the default database | `string` | `"postgres"` | no |
| postgres_enabled | Set to true to enable creation of the Postgres database | `bool` | `false` | no |
| postgres_engine_version | Version for the RDS database engine | `string` | `null` | no |
| postgres_identifier | Unique identifier for this database | `string` | `null` | no |
| postgres_instance_class | Tier for the database instance | `string` | `null` | no |
| postgres_max_allocated_storage | Maximum size in GB after storage autoscaling | `number` | `null` | no |
| postgres_storage_encrypted | Set to false to disable encryption at rest | `bool` | `true` | no |
| prometheus_workspace_name | Name of the AMP workspace to which metrics will be written | `string` | `null` | no |
| read_permission_sets | AWS IAM permission sets allowed to read application data | `list(string)` | `[]` | no |
| readwrite_permission_sets | AWS IAM permission sets allowed to read and write application data | `list(string)` | `[]` | no |
| redis_enabled | Set to true to enable creation of a Redis instance | `bool` | `false` | no |
| redis_name | Name of the ElastiCache instance for Redis | `string` | `null` | no |
| redis_node_type | Node type for the ElastiCache instance for Redis | `string` | `null` | no |
| redis_replica_count | Number of replicas for the Redis cluster | `number` | `null` | no |
| s3_bucket_name | Name of the S3 bucket for this application | `string` | `null` | no |
| s3_enabled | Set to true to enable creation of an S3 bucket | `bool` | `false` | no |
| s3_read_principals | Additional principals able to read S3 data | `list(string)` | `[]` | no |
| s3_readwrite_principals | Additional principals able to read and write S3 data | `list(string)` | `[]` | no |
| secret_key_variable | Name of the environment variable for the application secret key | `string` | `"SECRET_KEY_BASE"` | no |
| secret_permission_sets | AWS IAM permission sets allowed to read and manage secrets | `list(string)` | `[]` | no |
| sentry_enabled | Set to true to enable creation of a Sentry DSN | `bool` | `false` | no |
| sentry_organization | Slug of the Sentry organization | `string` | `null` | no |
| sentry_project | Slug of the Sentry project | `string` | `null` | no |
| service_account_name | Name of the Kubernetes service account for the application | `string` | `null` | no |
| stage | Software development lifecycle stage for this tenant | `string` | n/a | yes |
| tags | Tags to apply to the instance in AWS | `map(string)` | `{}` | no |
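Two of these inputs carry most of the security weight: `postgres_storage_encrypted` (defaults to true, and a single `false` silently produces an unencrypted RDS instance) and the `github_*` inputs that feed the `deploy_role` module, which decide which GitHub workflows can assume the deploy role via OIDC. The script below is an added example, not part of this module or of thoughtbot's tooling: it reads a Terraform plan in JSON form (`terraform show -json tfplan`) and fails when a planned `aws_db_instance` lacks encryption at rest or when a planned `aws_iam_role` trusting the GitHub OIDC provider accepts a `sub` claim other than `repo:<org>/<repo>:ref:refs/heads/<branch>` for the configured organization, repository and branches. It assumes the deploy role's trust policy uses the standard `token.actions.githubusercontent.com:sub` condition; the exact policy shape produced by `terraform-eks-cicd` is not shown on this page, so adjust the expected subject format if yours differs. The embedded `SAMPLE_PLAN`, its resource addresses and account ID are constructed for illustration.

```python
"""Post-plan security checks for a Flightdeck application (added example, not module code).

Usage: terraform plan -out=tfplan && terraform show -json tfplan > plan.json
       python check_plan.py plan.json
With no argument the constructed SAMPLE_PLAN below is checked instead.
"""
import json
import sys

GITHUB_OIDC = "token.actions.githubusercontent.com"

# Constructed sample in Terraform's plan-JSON shape. Addresses, account ID and
# attribute values are made up for illustration, not real output of this module.
SAMPLE_PLAN = {
    "resource_changes": [
        {
            "address": "module.production.module.postgres.aws_db_instance.this",
            "type": "aws_db_instance",
            "change": {"actions": ["create"],
                       "after": {"identifier": "example-red", "storage_encrypted": False}},
        },
        {
            "address": "module.production.module.deploy_role.aws_iam_role.this",
            "type": "aws_iam_role",
            "change": {"actions": ["create"], "after": {
                "name": "example-production-deploy",
                "assume_role_policy": json.dumps({
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Action": "sts:AssumeRoleWithWebIdentity",
                        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{GITHUB_OIDC}"},
                        "Condition": {
                            "StringEquals": {f"{GITHUB_OIDC}:aud": "sts.amazonaws.com"},
                            # Org-wide wildcard: any repo in myorg could assume this role.
                            "StringLike": {f"{GITHUB_OIDC}:sub": "repo:myorg/*"},
                        },
                    }],
                }),
            }},
        },
    ]
}


def planned_resources(plan, resource_type):
    """Yield (address, after) for resources of a type that the plan creates or updates."""
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != resource_type:
            continue
        change = rc.get("change", {})
        if "create" in change.get("actions", []) or "update" in change.get("actions", []):
            yield rc["address"], change.get("after") or {}


def check_rds_encryption(plan):
    """Return addresses of RDS instances planned with storage_encrypted unset or false."""
    return [addr for addr, after in planned_resources(plan, "aws_db_instance")
            if not after.get("storage_encrypted", False)]


def github_sub_patterns(trust_policy):
    """Return every sub value a GitHub-OIDC Allow statement accepts (or a marker if none)."""
    doc = json.loads(trust_policy) if isinstance(trust_policy, str) else trust_policy
    patterns = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow" or GITHUB_OIDC not in stmt.get("Principal", {}).get("Federated", ""):
            continue
        subs = []
        for op in ("StringEquals", "StringLike"):
            val = stmt.get("Condition", {}).get(op, {}).get(f"{GITHUB_OIDC}:sub")
            if val is not None:
                subs.extend(val if isinstance(val, list) else [val])
        patterns.extend(subs or ["<no sub condition>"])  # no condition at all is the worst case
    return patterns


def check_deploy_role_trust(plan, organization, repository, branches):
    """Return (address, sub) pairs where a GitHub-trusting role accepts an unexpected subject.

    Expected subjects are repo:<org>/<repo>:ref:refs/heads/<branch>; a wildcard,
    another repo or a missing condition would let other workflows assume the role.
    """
    allowed = {f"repo:{organization}/{repository}:ref:refs/heads/{b}" for b in branches}
    findings = []
    for addr, after in planned_resources(plan, "aws_iam_role"):
        policy = after.get("assume_role_policy")
        if policy and GITHUB_OIDC in policy:
            findings += [(addr, sub) for sub in github_sub_patterns(policy) if sub not in allowed]
    return findings


def run_checks(plan, organization, repository, branches):
    """Collect human-readable findings from all checks; empty list means the plan passes."""
    findings = [f"{addr}: storage_encrypted is false" for addr in check_rds_encryption(plan)]
    findings += [f"{addr}: GitHub OIDC sub '{sub}' is not an expected branch subject"
                 for addr, sub in check_deploy_role_trust(plan, organization, repository, branches)]
    return findings


if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    problems = run_checks(plan, "myorg", "example", ["main"])
    for line in problems:
        print("FAIL", line)
    sys.exit(1 if problems else 0)
```

Run it as a CI gate between `terraform plan` and `terraform apply`, with the organization, repository and branches set to the same values passed to `github_organization`, `github_repository` and `github_branches`; a non-zero exit blocks the apply. Against the constructed sample it reports two findings, the unencrypted instance and the `repo:myorg/*` wildcard.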

## Outputs

| Name | Description |
|------|-------------|
| deploy_role_arn | ARN of the IAM role for deploying to this Kubernetes namespace |
| deploy_role_name | Name of the IAM role for deploying to this Kubernetes namespace |
| developer_managed_secrets | SecretsManager environment variables managed by developers |
| namespace | Kubernetes namespace to which this application deploys |
| pod_role_arn | ARN of the IAM role for Kubernetes pods |
| secrets_manager_secrets | SecretsManager environment variables |
| service_account_name | Name of the Kubernetes service account |

## Contributing

Please see CONTRIBUTING.md.

## License

This module is Copyright © 2024 Joe Ferris and thoughtbot. It is free software, and may be redistributed under the terms specified in the LICENSE file.

## About thoughtbot

This repo is maintained and funded by thoughtbot, inc. The names and logos for thoughtbot are trademarks of thoughtbot, inc.

We love open source software! See our other projects. We are available for hire.
