Caravan Infra AWS

Prerequisites

• AWS Credentials file at ~/.aws/credentials like

[default]
aws_access_key_id=AKIAJPZXVYEXAMPLE
aws_secret_access_key=4k6ZilhMPdshU6/kuwEExAmPlE

Prepare environment

You need an AWS bucket (and a DynamoDB table) for terraform state, so run the script project-setup.sh passing as arguments:

1. Prefix name to give to resources (look at terraform inputs)
2. AWS region
3. AWS profile

./project-setup.sh <NAME> <REGION> <PROFILE>

Running

Edit the generate aws.tfvars and then run:

terraform init -reconfigure -upgrade
terraform apply --var-file aws.tfvars

Requirements

Name	Version
terraform	~> 0.15.4
aws	~> 3.0

Providers

Name	Version
aws	3.51.0
dns	3.2.1
local	2.1.0
null	3.1.0
random	3.1.0
tls	3.1.0

Modules

Name	Source	Version
caravan-bootstrap	git::https://github.com/bitrockteam/caravan-bootstrap	refs/tags/v0.2.12
cloud_init_control_plane	git::https://github.com/bitrockteam/caravan-cloudinit	refs/tags/v0.1.13
cloud_init_worker_plane	git::https://github.com/bitrockteam/caravan-cloudinit	refs/tags/v0.1.9
terraform_acme_le	git::https://github.com/bitrockteam/caravan-acme-le	refs/tags/v0.0.1
vpc	terraform-aws-modules/vpc/aws	n/a

Resources

Name	Type
aws_acm_certificate.cert	resource
aws_autoscaling_group.bastion-service	resource
aws_autoscaling_group.hashicorp_workers	resource
aws_ebs_volume.consul_cluster_data	resource
aws_ebs_volume.csi	resource
aws_ebs_volume.nomad_cluster_data	resource
aws_ebs_volume.vault_cluster_data	resource
aws_iam_instance_profile.control_plane	resource
aws_iam_instance_profile.worker_plane	resource
aws_iam_role.control_plane	resource
aws_iam_role.worker_plane	resource
aws_iam_role_policy.csi	resource
aws_iam_role_policy.docker_pull	resource
aws_iam_role_policy.vault_aws_auth	resource
aws_iam_role_policy.vault_client	resource
aws_iam_role_policy.vault_kms_unseal	resource
aws_instance.hashicorp_cluster	resource
aws_instance.monitoring	resource
aws_key_pair.hashicorp_keypair	resource
aws_kms_key.vault	resource
aws_launch_configuration.bastion-service-host	resource
aws_launch_template.hashicorp_workers	resource
aws_lb.hashicorp_alb	resource
aws_lb.hashicorp_nlb	resource
aws_lb_listener.bastion-service	resource
aws_lb_listener.http_80	resource
aws_lb_listener.http_8500	resource
aws_lb_listener.https_443	resource
aws_lb_listener.this	resource
aws_lb_listener_rule.consul	resource
aws_lb_listener_rule.nomad	resource
aws_lb_listener_rule.vault	resource
aws_lb_target_group.alb	resource
aws_lb_target_group.bastion-service	resource
aws_lb_target_group.consul	resource
aws_lb_target_group.ingress	resource
aws_lb_target_group.nomad	resource
aws_lb_target_group.vault	resource
aws_lb_target_group_attachment.consul	resource
aws_lb_target_group_attachment.nomad	resource
aws_lb_target_group_attachment.this	resource
aws_lb_target_group_attachment.vault	resource
aws_route53_record.all_cname	resource
aws_route53_record.bastion	resource
aws_route53_record.consul_cname	resource
aws_route53_record.hashicorp_zone_ns	resource
aws_route53_record.nomad_cname	resource
aws_route53_record.vault_cname	resource
aws_route53_zone.hashicorp_zone	resource
aws_security_group.alb	resource
aws_security_group.allow_cluster_basics	resource
aws_security_group.internal_consul	resource
aws_security_group.internal_nomad	resource
aws_security_group.internal_vault	resource
aws_security_group.internal_workers	resource
aws_volume_attachment.consul_cluster_ec2	resource
aws_volume_attachment.nomad_cluster_ec2	resource
aws_volume_attachment.vault_cluster_ec2	resource
local_file.backend_tf_appsupport	resource
local_file.backend_tf_platform	resource
local_file.ssh_key	resource
local_file.tfvars_appsupport	resource
local_file.tfvars_platform	resource
null_resource.ca_certs	resource
null_resource.ca_certs_bundle	resource
random_pet.env	resource
tls_private_key.cert_private_key	resource
tls_private_key.ssh_key	resource
aws_ami.centos7	data source
aws_ami.debian	data source
aws_iam_policy_document.assume_role	data source
aws_iam_policy_document.vault_client	data source
aws_iam_policy_document.vault_kms_unseal	data source
aws_route53_zone.main	data source
dns_a_record_set.alb	data source

Inputs

Name	Description	Type	Default	Required
awsprofile	AWS user profile	string	n/a	yes
personal_ip_list	IP address list for SSH connection to the VMs	list(string)	n/a	yes
prefix	The prefix of the objects' names	string	n/a	yes
region	AWS region to use	string	n/a	yes
shared_credentials_file	AWS credential file path	string	n/a	yes
ami_filter_name	Regexp to find AMI to use built with caravan-baking	string	"*caravan-centos-image-os-*"	no
ca_certs	Fake certificates from staging Let's Encrypt	map(object({ filename = string pemurl = string }))	{ "stg-int-r3": { "filename": "letsencrypt-stg-int-r3.pem", "pemurl": "https://letsencrypt.org/certs/staging/letsencrypt-stg-int-r3.pem" }, "stg-root-x1": { "filename": "letsencrypt-stg-root-x1.pem", "pemurl": "https://letsencrypt.org/certs/staging/letsencrypt-stg-root-x1.pem" } }	no
consul_license_file	Path to Consul Enterprise license	string	null	no
control_plane_instance_count	Control plane instances number	number	3	no
control_plane_machine_type	Control plane instance machine type	string	"t3.micro"	no
csi_volumes	Example: { "jenkins" : { "availability_zone" : "eu-west-1a" "size" : "30" "type" : "gp3" "tags" : { "application": "jenkins_master" } } }	map(map(string))	{}	no
dc_name	Hashicorp cluster name	string	"aws-dc"	no
enable_monitoring	Enable monitoring	bool	true	no
external_domain	Domain used for endpoints and certs	string	""	no
monitoring_machine_type	Monitoring instance machine type	string	"t3.xlarge"	no
nomad_license_file	Path to Nomad Enterprise license	string	null	no
ports	n/a	map(number)	{ "http": 80, "https": 443 }	no
tfstate_bucket_name	S3 Bucket where Terraform state is stored	string	""	no
tfstate_region	AWS Region where Terraform state resources are	string	""	no
tfstate_table_name	DynamoDB Table where Terraform state lock is acquired	string	""	no
use_le_staging	Use staging Let's Encrypt endpoint	bool	true	no
vault_license_file	Path to Vault Enterprise license	string	null	no
volume_data_size	Volume size of control plan data disk	number	20	no
volume_root_size	Volume size of control plan root disk	number	20	no
volume_size	Volume size of workers disk	number	100	no
volume_type	Volume type of disks	string	"gp3"	no
vpc_cidr	VPC cidr	string	"10.0.0.0/16"	no
vpc_private_subnets	VCP private subnets	list(string)	[ "10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24" ]	no
vpc_public_subnets	VCP public subnets	list(string)	[ "10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24" ]	no
worker_plane_machine_type	Working plane instance machine type	string	"t3.large"	no
workers_group_size	Worker plane instances number	number	3	no

Outputs

Name	Description
PROJECT_APPSUPP_TFVAR	Caravan Application Support tfvars
PROJECT_PLATFORM_TFVAR	Caravan Platform tfvars
PROJECT_WORKLOAD_TFVAR	Caravan Workload tfvars
ca_certs	Let's Encrypt staging CA certificates
cluster_public_ips	Control plane public IP addresses
control_plane_iam_role_arns	Control plane iam role list
control_plane_role_name	Control plane role name
csi_volumes	n/a
hashicorp_endpoints	Hashicorp clusters endpoints
load_balancer_ip_address	Load Balancer IP address
region	AWS region
vpc_id	VPC ID
worker_node_service_account	Worker plane ARN
worker_plane_iam_role_arns	Worker plane iam role list
worker_plane_role_name	Worker plane role name

Cleaning up

After terraform destroy -var-file=aws.tfvars, for removing bucket and dynamodb table, run the project-cleanup.sh script:

./project-cleanup.sh <NAME> <REGION> <PROFILE>