terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }

  # Remote state backend, deliberately left commented out.
  # The bucket, lock table and KMS alias named here are the same values the
  # "terraform_backend" module further down is configured with, so on a fresh
  # run they presumably do not exist yet (confirm against the project README).
  # While this block is disabled Terraform keeps a local terraform.tfstate;
  # that file will hold whatever the modules below create (account ids, root
  # emails, role ARNs), so keep it out of version control and move it into
  # the S3 backend (e.g. `terraform init -migrate-state`) once the bucket exists.
  #
  # backend "s3" {
  #   region         = "<YOUR_AWS_REGION>"
  #   bucket         = "terraform-state-for-<YOUR_PROJECT>"
  #   key            = "org-shared-state/terraform.tfstate"
  #   dynamodb_table = "terraform-state-lock"
  #   kms_key_id     = "alias/terraform-bucket-key"
  #   encrypt        = true
  # }
}
# These values are not passed in as variables because, sadly, the "backend" block above
# requires them to be hard-coded, so let's at least keep the two copies close to one another.
# This can be avoided by using Terragrunt, but that's an adventure for another day.
locals {
  # --- state backend (must match the commented-out backend "s3" block above) ---
  aws_region                             = "<YOUR_AWS_REGION>"
  terraform_state_bucket_name            = "terraform-state-for-<YOUR_PROJECT>" # bucket names are global across all of AWS, so pick something unique
  terraform_state_path                   = "org-shared-state/terraform.tfstate"
  terraform_state_dynamo_lock_table_name = "terraform-state-lock"
  terraform_state_kms_key_alias          = "alias/terraform-bucket-key"

  # --- GitHub side: the org/user and the two repositories that get OIDC roles ---
  github_org            = "<YOUR_GITHUB_ORG or USERNAME>"
  github_app_repo       = "<YOUR_GITHUB_APP_REPO_NAME>"
  github_terraform_repo = "<YOUR_GITHUB_TERRAFORM_REPO_NAME>"

  # --- member accounts ---
  # Every AWS account needs its own, unique root email; use mailboxes your
  # team controls rather than a personal address (sample: dev-root@<YOUR_DOMAIN>).
  dev_account_name        = "<YOUR_DEV_ACCOUNT_NAME>"        # like myproject-dev
  dev_account_root_email  = "<YOUR_DEV_ACCOUNT_ROOT_EMAIL>"
  prod_account_name       = "<YOUR_PROD_ACCOUNT_NAME>"       # like myproject-prod
  prod_account_root_email = "<YOUR_PROD_ACCOUNT_ROOT_EMAIL>"
}
# Default (un-aliased) provider. Whatever credentials `terraform` runs with are
# used here; the dev/prod modules below receive this same provider under the
# alias "management".
provider "aws" {
  region = local.aws_region
}
locals {
  # Role names are derived from the repository names so the two GitHub repos
  # get distinct, recognisable roles in every account.
  app_repo_role_name       = "github-role-for-${local.github_app_repo}-repo"
  terraform_repo_role_name = "github-role-for-${local.github_terraform_repo}-repo"

  # Role the member-account providers assume when terraform itself runs.
  # `var.role_name_to_assume_in_member_accounts` is declared outside this file;
  # coalesce() falls back to the terraform repo's role when that variable is
  # null (or an empty string, which coalesce also skips).
  role_name_to_assume_in_member_accounts = coalesce(
    var.role_name_to_assume_in_member_accounts,
    local.terraform_repo_role_name,
  )
}
# Resources for the remote state backend (bucket, lock table, KMS key).
# The names come from the same locals the commented-out backend block uses,
# so the two stay in sync; the module's KMS key ARN is exported and handed to
# the management account below.
module "terraform_backend" {
  source = "./backend"

  kms_key_alias          = local.terraform_state_kms_key_alias
  dynamo_lock_table_name = local.terraform_state_dynamo_lock_table_name
  state_bucket_name      = local.terraform_state_bucket_name
}
# Management-account side of the setup: presumably the GitHub OIDC identity
# provider plus one role per repository (confirm in ./accounts/management).
# Each management role is handed the list of member-account roles it may
# assume, so the blast radius of either repo is bounded by that list:
# the app repo only reaches the app roles, the terraform repo only the
# terraform roles.
module "management_account" {
  source = "./accounts/management"

  github_org     = local.github_org
  app_repo       = local.github_app_repo
  terraform_repo = local.github_terraform_repo

  # app repo -> app roles in dev and prod
  app_repo_role_name        = local.app_repo_role_name
  roles_app_repo_can_assume = [module.dev_account.app_repo_role_arn, module.prod_account.app_repo_role_arn]

  # terraform repo -> terraform roles in dev and prod
  terraform_repo_role_name        = local.terraform_repo_role_name
  roles_terraform_repo_can_assume = [module.dev_account.terraform_repo_role_arn, module.prod_account.terraform_repo_role_arn]

  # Where the shared state lives, so the management roles can be granted
  # access to the bucket/table/key (exact policy is inside the module).
  terraform_state = {
    bucket_name        = local.terraform_state_bucket_name
    path               = local.terraform_state_path
    dynamo_table_name  = local.terraform_state_dynamo_lock_table_name
    bucket_kms_key_arn = module.terraform_backend.kms_terraform_bucket_key_arn
  }
}
# Dev member account. This block and the prod one below are deliberate
# mirrors of each other; when changing one, change the other in lockstep.
module "dev_account" {
  source = "./accounts/dev"

  # The default provider (management-account credentials) is passed under the
  # alias the module declares as "management" -- presumably for the
  # Organizations calls that can only run from there; confirm in ./accounts/dev.
  providers = {
    aws.management = aws
  }

  # identity of the account being created / managed
  account_name           = local.dev_account_name
  account_root_email     = local.dev_account_root_email
  aws_region             = local.aws_region
  organizational_unit_id = module.management_account.organizational_unit_id

  # role terraform assumes inside this account
  role_name_to_assume = local.role_name_to_assume_in_member_accounts

  # roles created here, and the management-account roles allowed to assume them
  app_repo_role_name                         = local.app_repo_role_name
  terraform_repo_role_name                   = local.terraform_repo_role_name
  management_account_app_repo_role_arn       = module.management_account.app_repo_role_arn
  management_account_terraform_repo_role_arn = module.management_account.terraform_repo_role_arn
}
# Prod member account. Mirror of the dev block above; keep the two in sync so
# prod does not silently end up with a different role set than dev.
module "prod_account" {
  source = "./accounts/prod"

  # Management-account provider under the module's "management" alias --
  # presumably for the Organizations calls; confirm in ./accounts/prod.
  providers = {
    aws.management = aws
  }

  # identity of the account being created / managed
  account_name           = local.prod_account_name
  account_root_email     = local.prod_account_root_email
  aws_region             = local.aws_region
  organizational_unit_id = module.management_account.organizational_unit_id

  # role terraform assumes inside this account
  role_name_to_assume = local.role_name_to_assume_in_member_accounts

  # roles created here, and the management-account roles allowed to assume them
  app_repo_role_name                         = local.app_repo_role_name
  terraform_repo_role_name                   = local.terraform_repo_role_name
  management_account_app_repo_role_arn       = module.management_account.app_repo_role_arn
  management_account_terraform_repo_role_arn = module.management_account.terraform_repo_role_arn
}
# module "sso" {
# source = "./modules/sso"
# management_account_id = module.management_account.id
# prod_account_id = module.prod_account.id
# other_account_ids = [module.dev_account.id]
# }