Terraform
Instructions for working with Terraform.
Terragrunt
The entire infrastructure is implemented as Terraform. To use it, make sure you have Terragrunt installed as described in the tools requirements.
🚀 Terraform repository: saritasa-nest/igaawi-infra-aws
➜ tree -d
.
├── bin
├── envs
│   ├── prod
│   │   ├── apps
│   │   │   ├── api-backend
│   │   │   └── frontend
│   │   ├── aws
│   │   │   ├── backups
│   │   │   ├── billing
│   │   │   ├── ecr
│   │   │   ├── eks
│   │   │   ├── elasticache
│   │   │   ├── guardduty
│   │   │   ├── notifications
│   │   │   ├── organizations
│   │   │   ├── rds
│   │   │   ├── route53
│   │   │   ├── ses
│   │   │   ├── sso
│   │   │   └── vpc
│   │   └── platforms
│   │       ├── airbyte
│   │       ├── docs
│   │       ├── github
│   │       ├── keycloak
│   │       ├── opsgenie
│   │       ├── rattic
│   │       ├── redash
│   │       ├── reportportal
│   │       └── sentry
│   ├── root
│   │   ├── aws
│   │   │   ├── organizations
│   │   │   └── sso
│   │   └── platforms
│   │       └── terraform-state
│   └── security
│       ├── aws
│       │   ├── chatbot
│       │   ├── health
│       │   ├── inspector
│       │   ├── organizations
│       │   └── sso
│       └── platforms
│           └── statuscake
├── modules
│   ├── aws
│   │   ├── health-forwarder
│   │   └── secret-manager
│   │       └── secret
│   ├── gcp
│   │   └── service-account
│   ├── sentry-project
│   └── sso
│       └── iam-assumable-role-with-saml
├── stacks
│   ├── apps
│   │   ├── api-backend
│   │   └── frontend
│   ├── aws
│   │   ├── backups
│   │   ├── billing
│   │   ├── ecr
│   │   ├── eks
│   │   ├── elasticache
│   │   ├── guardduty
│   │   ├── notifications
│   │   ├── organizations
│   │   ├── rds
│   │   ├── route53
│   │   ├── ses
│   │   ├── sso
│   │   └── vpc
│   ├── gcp
│   └── platforms
│       ├── airbyte
│       ├── docs
│       ├── github
│       ├── keycloak
│       ├── opsgenie
│       ├── rattic
│       ├── redash
│       ├── reportportal
│       ├── sentry
│       ├── statuscake
│       └── terraform-state
└── taskfiles
Important
- apps contains the Terraform code for the business applications deployed in the infrastructure, such as api-backend and frontend.
- modules contains reusable Terraform modules used by stacks and apps.
- stacks contains infrastructure-specific code, i.e. EKS, ECR, SSO, Route53, etc.
Apps
aws-vault exec igaawi/sso/administrators
cd envs/prod/apps/api-backend
export ENV=prod
tg init
tg apply
To see a specific credential generated inside the app (here the GitHub repository webhook secret), read it from the Terragrunt outputs:
tg output --json | jq -r .github_repository_webhook_secret.value
HIDDEN_SECRET_TOKEN
Stacks
aws-vault exec igaawi/sso/administrators
cd envs/prod/aws/eks
export ENV=prod
tg init
tg apply
Troubleshooting
Error: reading IAM Role
If you receive the following error when you run tg apply:
Planning failed. Terraform encountered an error while generating this plan.
╷
│ Error: reading IAM Role (terraform-role): operation error IAM: GetRole, https response error StatusCode: 403, RequestID: fecc4070-6a31-442a-8b7a-ab54b5441c70, api error InvalidClientTokenId: The security token included in the request is invalid
│
│ with module.terraform-role-root.aws_iam_role.this[0],
│ on .terraform/modules/terraform-role-root/modules/iam-assumable-role/main.tf line 142, in resource "aws_iam_role" "this":
│ 142: resource "aws_iam_role" "this" {
Reason:
AWS does not allow IAM operations with an assumed role unless it is authenticated with MFA.
Explanation:
aws-vault always uses assumed roles, even if you have only set it up with an access key and secret, the way you might have with the AWS CLI.
Solution:
Use aws-vault exec --no-session:
aws-vault exec --no-session igaawi/sso/administrators
That way, the actual long-term AWS credentials are exposed in the shell, and AWS IAM will not complain. Switch back to a normal aws-vault exec session once the IAM change is applied, since long-term credentials in the environment are more exposed than short-lived session tokens.
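A pre-flight helper for the Apps and Stacks procedures above and for the credential situation described in this troubleshooting entry, added here as an example and not part of the igaawi-infra-aws repository. It derives ENV from the envs/<env>/<group>/<stack> path instead of exporting it by hand and reports whether aws-vault left session or long-term credentials in the shell before tg init and tg apply run; the function names tg_env_from_path, tg_credential_kind and tg_preflight are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the repo: pre-flight checks before "tg init && tg apply".

# Print the environment name encoded in a path like envs/prod/aws/eks.
# Returns 1 if the path is not of the form envs/<env>/<apps|aws|platforms>/<stack>.
tg_env_from_path() {
  case "$1" in
    envs/*/*/*) ;;            # at least envs/<env>/<group>/<stack>, continue
    *) return 1 ;;
  esac
  env_name=$(printf '%s\n' "$1" | cut -d/ -f2)
  group=$(printf '%s\n' "$1" | cut -d/ -f3)
  case "$group" in
    apps|aws|platforms) printf '%s\n' "$env_name" ;;
    *) return 1 ;;            # unknown group under envs/<env>/
  esac
}

# Report the kind of AWS credentials present in the shell:
#   session   - aws-vault exec issued temporary credentials (AWS_SESSION_TOKEN set)
#   long-term - aws-vault exec --no-session exported the stored access key only
#   none      - no AWS credentials in the environment
tg_credential_kind() {
  if [ -n "${AWS_SESSION_TOKEN:-}" ]; then
    echo session
  elif [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
    echo long-term
  else
    echo none
  fi
}

# Resolve ENV from the directory, check credentials, then run Terragrunt there.
# The note on session credentials matches the "reading IAM Role" 403 above.
tg_preflight() {
  dir=$1
  ENV=$(tg_env_from_path "$dir") || { echo "not a stack path: $dir" >&2; return 1; }
  [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 1; }
  case "$(tg_credential_kind)" in
    none)    echo "run aws-vault exec <profile> first" >&2; return 1 ;;
    session) echo "note: session credentials; IAM changes may need aws-vault exec --no-session" >&2 ;;
  esac
  export ENV
  (cd "$dir" && tg init && tg apply)
}
```

Run it from the repository root as tg_preflight envs/prod/aws/eks after aws-vault exec; it replaces the manual cd and export ENV steps.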