00-cis-hardening
- CIS Hardening for MDR root
00-organizations-and-iam
- IAM Accounts and Policies across accounts
00-state-mgmt
- S3 buckets for state management (may be prerequisite for others)
01-eips
- Elastic IPs and Associated DNS Record
02-msoc_vpc
- Managed SOC VPC (msoc is old name?) - Meat and potatoes of command and control
03-mgmt
- ? Maybe Unused ?
04-ghe
- GitHub Enterprise
05-customer_portal
- Web App for Customers in Docker using ECR (How does it relate to fargate?)
10-custpod1
- ? Maybe Unused ?
11-codebuild
- Code Build to make RPMs
12-fargate
- ? And how
100-moose
- Our splunk environment (watch for modules of modules of modules)
101-afs
- AFS Customer Environment
102-saf
- SAF ("Smart and Final") - Powered Down through console
103-nga
- FEDRAMP SPONSOR NGA ("National Gallery of Art"), sometimes referred to as Gallery.
104-coalfire
- Our FedRAMP Auditors
105-cf2
- Our FedRAMP Auditors 2nd Environment
106-ma-c19
- Massachusetts Covid-19 (Internal AFS customer)
107-la-c19
- Louisiana Covid-19 (Internal AFS customer)
common
- Common files that are symbolically linked into other folders
modules
- Reusable code - Do not run terraform here! A mix of homebrewed and third party modules.
Workspaces are being used to break up environments:
terraform workspace list
terraform workspace select test
Strange errors? Unexpected results? Try re-initialising the working directory:
rm -rf .terraform
terraform init
State issues:
terraform state show aws_ami.msoc_base
terraform refresh -target=data.aws_ami.msoc_base
Terraform also has a DynamoDB state lock (msoc-terraform-lock). This prevents two runs from writing the state at the same time and breaking it.
View TF code https://github.com/terraform-aws-modules
Modules
We are using the aws ec2-instance module
https://registry.terraform.io/modules/terraform-aws-modules/ec2-instance/aws/2.13.0 https://github.com/terraform-aws-modules/terraform-aws-ec2-instance
- var.something - this is a module that needs the variable to run; your code fills in the variable.
- data - a read-only Terraform object that queries the provider or generates something on the localhost.
- locals - variables that can refer to variables or other locals.
- variables - expecting data from somewhere else.
- provider - an instance of the API.
IAM Role
Getting this error?
aws_iam_policy.nga_instance_policy: Error creating IAM policy nga_instance_tag_read: AccessDenied:
Add this to the resource in the .tf file:
provider = "aws.iam_admin"
In the .tf files, self = true on a security group rule is for putting the security group into itself, i.e. it adds the security group to its own rules, so members of the group can reach each other.
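Added example (not code from this repo) putting the two notes above together: the aws.iam_admin provider alias that an IAM policy resource points at, and a security group rule with self = true. The region, account id, role name, the vpc_id variable, the policy contents and the port are assumptions.

```hcl
# Added illustration; the role ARN, region and names below are placeholders.
variable "vpc_id" {
  type = string
}

# Default provider: the account the project itself deploys into.
provider "aws" {
  region = "us-east-1"
}

# Aliased provider that assumes the role allowed to create IAM policies.
# Resources that hit AccessDenied on IAM calls point at this alias.
provider "aws" {
  alias  = "iam_admin"
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::111111111111:role/IAM-ADMIN-ROLE-PLACEHOLDER"
  }
}

resource "aws_iam_policy" "instance_tag_read" {
  provider = aws.iam_admin   # current (unquoted) form of provider = "aws.iam_admin"
  name     = "example_instance_tag_read"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["ec2:DescribeTags"]
      Resource = "*"
    }]
  })
}

resource "aws_security_group" "sensu_servers" {
  name   = "sensu-servers"
  vpc_id = var.vpc_id
}

# self = true puts the group into its own rule: members of sensu_servers may
# reach each other on 5672, with no other source CIDR or group listed.
resource "aws_security_group_rule" "sensu_cluster_internal" {
  type              = "ingress"
  from_port         = 5672
  to_port           = 5672
  protocol          = "tcp"
  self              = true
  security_group_id = aws_security_group.sensu_servers.id
}
```

Keeping IAM writes behind the aliased provider means the everyday deploy role needs no iam:CreatePolicy permission of its own.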
The Terraform is set up in folders. Each folder is a project, and apply should be run in that folder. common is the exception, as some of the projects depend on that folder.
Roles and policies have to be done in the IAM Terraform; see iam_data.tf.
For an example with security groups, see 02-msoc_vpc/lambda.tf.
Targeted plans and applies (terraform plan -target=<address>), one command per line:
terraform plan -target=module.sensu_go_server.aws_instance.this -target=module.sensu_go_server.aws_route53_record.private
terraform apply -target=module.sensu_server.aws_route53_record.private -target=module.sensu_server.aws_instance.this
terraform apply -target=aws_security_group_rule.outbound_to_sensu -target=module.sensu_servers_sg.aws_security_group_rule.ingress_with_cidr_blocks[0] -target=module.sensu_servers_sg.aws_security_group_rule.ingress_with_cidr_blocks[1]
terraform apply -target=module.vpc_default_security_groups.aws_security_group_rule.typical_host_outbound_to_sensu_8081 -target=aws_security_group_rule.vault_server_to_sensu -target=module.vpc_default_security_groups.aws_security_group_rule.typical_host_outbound_to_sensu_5672
terraform apply -target=module.afs_cluster.module.vpc_default_security_groups.aws_security_group_rule.typical_host_outbound_to_sensu_5672 -target=module.afs_cluster.module.vpc_default_security_groups.aws_security_group_rule.typical_host_outbound_to_sensu_8081