tfctl 1.0.0.rc1 → 1.0.0
- checksums.yaml +4 -4
- data/CHANGELOG.adoc +1 -1
- data/docs/configuration.adoc +27 -3
- data/docs/control_tower.adoc +30 -10
- data/docs/creating_a_profile.adoc +27 -5
- data/docs/iam_permissions.adoc +21 -1
- data/docs/project_layout.adoc +26 -4
- data/lib/tfctl/version.rb +1 -1
- metadata +4 -4
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 6d47682cf9949db840c18d07b6f06907a9d36e2a75d0a5255b4c57f3603c0dbf
|
4
|
+
data.tar.gz: d5a81e877943fff53e903a104249e1147a827c593430bc91c0b78d5cc467fc4b
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 03b7d69b7a7bbf296b0b1ab3aa8794d8b91e51559a1e2ee1d450396615aeba495b63993f84866c6fe5997d34c760da143cb66ca0cabc2a1a5a1266b701676bac
|
7
|
+
data.tar.gz: f9ebdae72fd58473c3a8cc5015fd2d2e32092488218b52efa79e2d625802ccdf4447298e45497d4ec0e03583b0edbd3a31b51e92f76a5981a5f3819f9cee1e4a
|
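Review bot: the `-` lines in this hunk show only the key names (`metadata.gz:`, `data.tar.gz:`) with the old digests cut off, so the before/after cannot be compared in this rendering; the new SHA256 and SHA512 values should be checked against the built `tfctl-1.0.0.gem` before publishing, because with `cert_chain: []` in the metadata hunk below the gem carries no signature and these digests are the only integrity record inside the package.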
data/CHANGELOG.adoc
CHANGED
data/docs/configuration.adoc
CHANGED
@@ -1,4 +1,28 @@
|
|
1
|
-
|
1
|
+
// Settings:
|
2
|
+
:idprefix:
|
3
|
+
:idseparator: -
|
4
|
+
ifndef::env-github[:icons: font]
|
5
|
+
ifdef::env-github,env-browser[]
|
6
|
+
:toc: macro
|
7
|
+
:toclevels: 1
|
8
|
+
endif::[]
|
9
|
+
ifdef::env-github[]
|
10
|
+
:branch: master
|
11
|
+
:status:
|
12
|
+
:outfilesuffix: .adoc
|
13
|
+
:!toc-title:
|
14
|
+
:caution-caption: :fire:
|
15
|
+
:important-caption: :exclamation:
|
16
|
+
:note-caption: :paperclip:
|
17
|
+
:tip-caption: :bulb:
|
18
|
+
:warning-caption: :warning:
|
19
|
+
endif::[]
|
20
|
+
|
21
|
+
= Configuration
|
22
|
+
|
23
|
+
toc::[]
|
24
|
+
|
25
|
+
== Overview
|
2
26
|
|
3
27
|
Tfctl retrieves initial account configuration from AWS Organizations and merges
|
4
28
|
it with configuration specified in a yaml file.
|
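Review bot: the same 20-line `// Settings:` preamble (`:idprefix:` through the closing `endif::[]`) is pasted verbatim into every file under `data/docs/` in this diff; an `include::` of one shared attributes file would keep the five copies from drifting, and `:branch: master` in particular would then need changing in one place if links are ever pinned to a release tag. The `-` line at old line 1 is blank in this rendering, so the replaced first line is not visible; the added `= Configuration` title, `toc::[]` and `== Overview` now give the file the structure the `:toclevels: 1` setting expects.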
@@ -48,7 +72,7 @@ TIP: You can display the fully merged configuration by running `tfctl -c
|
|
48
72
|
conf/CONFIG_FILE.yaml -s`. It's safe to run as it doesn't make any changes to
|
49
73
|
AWS resources. It's a good way to test your configuration.
|
50
74
|
|
51
|
-
|
75
|
+
== Defining arbitrary data
|
52
76
|
|
53
77
|
You can define arbitrary data under the `data:` parameter, both in the root of
|
54
78
|
the config and in the organization sections. It will be available in Terraform
|
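Review bot: the old heading line for "Defining arbitrary data" is blank on the `-` side here, so the change reads as a heading-level fix to `==` so it appears in the macro TOC. While this paragraph is being touched, the TIP in context at 72-74 ("safe to run as it doesn't make any changes to AWS resources") should also say that `tfctl -c conf/CONFIG_FILE.yaml -s` still reads account data from AWS Organizations, so it needs read credentials for the primary account even though it writes nothing.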
@@ -57,7 +81,7 @@ subnet ranges, s3 bucket names and so on. `data:` in organization sections
|
|
57
81
|
will be merged with accounts following the usual merge order as described
|
58
82
|
above.
|
59
83
|
|
60
|
-
|
84
|
+
== Handling secrets
|
61
85
|
|
62
86
|
No secrets should be committed into Terraform or tfctl configuration. Use AWS
|
63
87
|
Secrets Manager instead and retrieve in Terraform profiles using
|
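Review bot: the "Handling secrets" text is cut at the hunk boundary ("retrieve in Terraform profiles using"), so the recommended retrieval mechanism is not visible here; whatever it is, the section should add that values fetched from Secrets Manager through a Terraform data source are written into the Terraform state, so the S3 state bucket and DynamoDB lock table set up in the Control Tower guide need encryption and tightly scoped access for "no secrets in configuration" to actually hold.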
data/docs/control_tower.adoc
CHANGED
@@ -1,12 +1,32 @@
|
|
1
|
-
:
|
2
|
-
|
3
|
-
|
1
|
+
// Settings:
|
2
|
+
:idprefix:
|
3
|
+
:idseparator: -
|
4
|
+
ifndef::env-github[:icons: font]
|
5
|
+
ifdef::env-github,env-browser[]
|
6
|
+
:toc: macro
|
7
|
+
:toclevels: 1
|
8
|
+
endif::[]
|
9
|
+
ifdef::env-github[]
|
10
|
+
:branch: master
|
11
|
+
:status:
|
12
|
+
:outfilesuffix: .adoc
|
13
|
+
:!toc-title:
|
14
|
+
:caution-caption: :fire:
|
15
|
+
:important-caption: :exclamation:
|
16
|
+
:note-caption: :paperclip:
|
17
|
+
:tip-caption: :bulb:
|
18
|
+
:warning-caption: :warning:
|
19
|
+
endif::[]
|
20
|
+
|
21
|
+
= Control Tower integration guide
|
4
22
|
|
5
23
|
This guide will help you integrate Terraform with AWS Control Tower using the
|
6
24
|
tfctl wrapper. This involves setting up resources for remote state tracking,
|
7
25
|
necessary IAM roles and a tfctl project.
|
8
26
|
|
9
|
-
|
27
|
+
toc::[]
|
28
|
+
|
29
|
+
== Overview
|
10
30
|
|
11
31
|
For state tracking we're going to create a dedicated `shared-services` account
|
12
32
|
under a `mgmt` organization unit. We'll use S3 for state storage and DynamoDB
|
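Review bot: three `-` lines (`:` and two blanks) are replaced by the settings block, but their content is truncated in this rendering, so check that nothing beyond the old attribute lines was dropped; the heading demotion to `== Overview` and the inserted `toc::[]` match the other docs. The overview at 31-32 (a `shared-services` account under `mgmt` holding S3 state and DynamoDB locks) is the right place to state who may assume into that account, since it ends up holding state for every other account in the organization.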
@@ -26,7 +46,7 @@ account factory and can be assumed from the primary account.
|
|
26
46
|
We're going to create a `live` and `test` organization units in Control Tower
|
27
47
|
and provision a couple of accounts for testing.
|
28
48
|
|
29
|
-
|
49
|
+
== Prerequisites
|
30
50
|
|
31
51
|
Before starting you'll need:
|
32
52
|
|
@@ -35,7 +55,7 @@ Before starting you'll need:
|
|
35
55
|
* AWS CLI tools installed on your machine.
|
36
56
|
* Terraform 0.12 or higher.
|
37
57
|
|
38
|
-
|
58
|
+
== Configure Control Tower
|
39
59
|
|
40
60
|
Create the following organization units in Control Tower:
|
41
61
|
|
@@ -52,14 +72,14 @@ Then provision accounts:
|
|
52
72
|
NOTE: Control Tower accounts need to be provisioned one at a time. It takes
|
53
73
|
approximately 20 mins to provision one.
|
54
74
|
|
55
|
-
|
75
|
+
== Install tfctl
|
56
76
|
|
57
77
|
----
|
58
78
|
git clone git@github.com:scalefactory/tfctl.git
|
59
79
|
cd tfctl/ && sudo make install
|
60
80
|
----
|
61
81
|
|
62
|
-
|
82
|
+
== Set up AWS resources
|
63
83
|
|
64
84
|
It's assumed you have configured AWS CLI access to the primary account.
|
65
85
|
|
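Review bot: the `Install tfctl` block (unchanged context at 77-79) clones the repository without a tag and runs `sudo make install`, so the guide installs whatever `master` holds at clone time, as root; now that this diff cuts a versioned gem (`name: tfctl`, `version: 1.0.0` in the metadata hunk) the docs should point at the release, e.g. `gem install tfctl -v 1.0.0`, or at least `git checkout` a tag, and drop `sudo` unless `make install` genuinely needs system paths.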
@@ -128,7 +148,7 @@ aws cloudformation describe-stacks --stack-name TfctlOrgAccess
|
|
128
148
|
|
129
149
|
NOTE: Successful status should read: `CREATE_COMPLETE`.
|
130
150
|
|
131
|
-
|
151
|
+
== Configure tfctl
|
132
152
|
|
133
153
|
Copy the example project directory `examples/control_tower` somewhere convenient
|
134
154
|
and edit `conf/example.yaml`.
|
@@ -142,7 +162,7 @@ You need to modify the following parameters:
|
|
142
162
|
|
143
163
|
TIP: You should keep your project directory under version control.
|
144
164
|
|
145
|
-
|
165
|
+
== Deploy example tfctl profile
|
146
166
|
|
147
167
|
The example profile will create an S3 bucket in accounts under `test`, `live`
|
148
168
|
and `mgmt` OUs.
|
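Review bot: since the TIP at 163 tells users to keep the project directory (including the `conf/example.yaml` edited in the previous step) under version control, this is the place to repeat that no credentials or secrets belong in `conf/`, with a cross-reference to the "Handling secrets" section of the configuration doc; the heading change itself (`== Deploy example tfctl profile`) is consistent with the rest of the diff.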
@@ -1,9 +1,31 @@
|
|
1
|
-
|
1
|
+
// Settings:
|
2
|
+
:idprefix:
|
3
|
+
:idseparator: -
|
4
|
+
ifndef::env-github[:icons: font]
|
5
|
+
ifdef::env-github,env-browser[]
|
6
|
+
:toc: macro
|
7
|
+
:toclevels: 1
|
8
|
+
endif::[]
|
9
|
+
ifdef::env-github[]
|
10
|
+
:branch: master
|
11
|
+
:status:
|
12
|
+
:outfilesuffix: .adoc
|
13
|
+
:!toc-title:
|
14
|
+
:caution-caption: :fire:
|
15
|
+
:important-caption: :exclamation:
|
16
|
+
:note-caption: :paperclip:
|
17
|
+
:tip-caption: :bulb:
|
18
|
+
:warning-caption: :warning:
|
19
|
+
endif::[]
|
20
|
+
|
21
|
+
= Creating and deploying a tfctl profile
|
2
22
|
|
3
23
|
This guide will show you how to create a tfctl profile, declare some resources
|
4
24
|
in it and deploy it to to a group of accounts in an organization unit.
|
5
25
|
|
6
|
-
|
26
|
+
toc::[]
|
27
|
+
|
28
|
+
== Create a new profile
|
7
29
|
|
8
30
|
In your tfctl project directory create a new profile:
|
9
31
|
|
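Review bot: this hunk (`@@ -1,9 +1,31 @@`) has no file header in this rendering; from the summary (`data/docs/creating_a_profile.adoc +27 -5`) and the `= Creating and deploying a tfctl profile` title it belongs to that file, and the change mirrors the other docs (settings preamble, `toc::[]`, heading demoted to `==`). Typo in context at 24: "deploy it to to a group of accounts" has a doubled "to".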
@@ -87,7 +109,7 @@ resource "aws_s3_bucket" "example" {
|
|
87
109
|
This will create an S3 bucket with a name containing the current account name
|
88
110
|
(which will vary depending on which account it's deployed to).
|
89
111
|
|
90
|
-
|
112
|
+
== Assign profile to accounts
|
91
113
|
|
92
114
|
Before you can deploy the new profile you need to tell `tfctl` which accounts
|
93
115
|
to deploy it to.
|
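Review bot: the context at 109-110 says the bucket name contains the current account name; S3 bucket names share one global namespace, so this exposes the account naming scheme to anyone who probes bucket names, and a collision with a bucket in an unrelated AWS account surfaces only as a failed apply at runtime. Worth a sentence on both while this paragraph is being edited.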
@@ -113,7 +135,7 @@ organization_units:
|
|
113
135
|
----
|
114
136
|
|
115
137
|
|
116
|
-
|
138
|
+
== Plan
|
117
139
|
|
118
140
|
To see what would happen when the change is applied run:
|
119
141
|
|
@@ -161,7 +183,7 @@ what went wrong.
|
|
161
183
|
tfctl will generate a plan file automatically and use it with `apply` in the
|
162
184
|
next step.
|
163
185
|
|
164
|
-
|
186
|
+
== Apply
|
165
187
|
|
166
188
|
Once you're happy with the plan, apply it.
|
167
189
|
----
|
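Review bot: the context at 183-184 says tfctl generates a plan file automatically and reuses it for `apply`; Terraform plan files hold the full planned values, including any sensitive variables, so the doc should state where the plan file is written, that it must be excluded from version control (the Control Tower guide tells users to commit the project directory), and that it should be removed after apply.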
data/docs/iam_permissions.adoc
CHANGED
@@ -1,4 +1,24 @@
|
|
1
|
-
|
1
|
+
// Settings:
|
2
|
+
:idprefix:
|
3
|
+
:idseparator: -
|
4
|
+
ifndef::env-github[:icons: font]
|
5
|
+
ifdef::env-github,env-browser[]
|
6
|
+
:toc: macro
|
7
|
+
:toclevels: 1
|
8
|
+
endif::[]
|
9
|
+
ifdef::env-github[]
|
10
|
+
:branch: master
|
11
|
+
:status:
|
12
|
+
:outfilesuffix: .adoc
|
13
|
+
:!toc-title:
|
14
|
+
:caution-caption: :fire:
|
15
|
+
:important-caption: :exclamation:
|
16
|
+
:note-caption: :paperclip:
|
17
|
+
:tip-caption: :bulb:
|
18
|
+
:warning-caption: :warning:
|
19
|
+
endif::[]
|
20
|
+
|
21
|
+
= IAM roles
|
2
22
|
|
3
23
|
Tfctl usually requires three IAM roles to be configured:
|
4
24
|
|
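Review bot: this hunk is the whole change to the file (+21 -1 matches the summary), and unlike the other docs no `toc::[]` is added, so the `:toc: macro` and `:toclevels: 1` attributes being set here have no effect; either add `toc::[]` under `= IAM roles` or drop the TOC attributes from this file. The `-` line at old line 1 is blank in this rendering, so the replaced line is not visible.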
data/docs/project_layout.adoc
CHANGED
@@ -1,4 +1,24 @@
|
|
1
|
-
|
1
|
+
// Settings:
|
2
|
+
:idprefix:
|
3
|
+
:idseparator: -
|
4
|
+
ifndef::env-github[:icons: font]
|
5
|
+
ifdef::env-github,env-browser[]
|
6
|
+
:toc: macro
|
7
|
+
:toclevels: 1
|
8
|
+
endif::[]
|
9
|
+
ifdef::env-github[]
|
10
|
+
:branch: master
|
11
|
+
:status:
|
12
|
+
:outfilesuffix: .adoc
|
13
|
+
:!toc-title:
|
14
|
+
:caution-caption: :fire:
|
15
|
+
:important-caption: :exclamation:
|
16
|
+
:note-caption: :paperclip:
|
17
|
+
:tip-caption: :bulb:
|
18
|
+
:warning-caption: :warning:
|
19
|
+
endif::[]
|
20
|
+
|
21
|
+
= Project layout
|
2
22
|
|
3
23
|
Example project structure
|
4
24
|
----
|
@@ -16,7 +36,9 @@ project_dir/
|
|
16
36
|
└── variables.tf
|
17
37
|
----
|
18
38
|
|
19
|
-
|
39
|
+
toc::[]
|
40
|
+
|
41
|
+
== tfctl configuration file
|
20
42
|
|
21
43
|
Assigns Terraform profiles and configuration to accounts based on:
|
22
44
|
|
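Review bot: `toc::[]` is inserted at new line 39, after the `----` project tree block, whereas in every other doc in this diff it sits directly under the `=` title; placing it under `= Project layout` (new line 22) keeps the docs consistent and puts the table of contents above the tree listing it describes.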
@@ -29,7 +51,7 @@ The configuration data is exposed to terraform via a profile `config` variable.
|
|
29
51
|
It also defines Terraform and tfctl configuration such as state tracking and
|
30
52
|
what IAM roles to use.
|
31
53
|
|
32
|
-
|
54
|
+
== profiles
|
33
55
|
|
34
56
|
Profiles are re-usable collections of resources which can be applied to
|
35
57
|
accounts. They are implemented just like usual modules but provide an
|
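Review bot: `== profiles` here (and `== modules` in the next hunk) are lowercase where every other new heading is sentence-cased (`== Overview`, `== tfctl configuration file`); if the intent is to name the `profiles/` and `modules/` directories from the tree above, marking them as code in the heading would make that explicit rather than looking like an inconsistency.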
@@ -38,6 +60,6 @@ other data sources). Profiles often compose multiple modules and provide
|
|
38
60
|
configuration data to them. This approach makes it possible to re-use standard
|
39
61
|
modules (e.g. Terraform module registry).
|
40
62
|
|
41
|
-
|
63
|
+
== modules
|
42
64
|
|
43
65
|
Standard Terraform modules.
|
data/lib/tfctl/version.rb
CHANGED
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: tfctl
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.0.0
|
4
|
+
version: 1.0.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Andrew Wasilczuk
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2019-11-
|
11
|
+
date: 2019-11-14 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: aws-sdk-organizations
|
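Review bot: the version line reads `version: 1.0.0` on both the `-` and `+` side in this rendering although the page header says 1.0.0.rc1 → 1.0.0, so the old value is truncated here (the `-` date line `2019-11-` is cut the same way); confirm `data/lib/tfctl/version.rb` (listed +1 -1, hunk not shown) carries the same `1.0.0`. `cert_chain: []` means the gem is published unsigned, so nothing but the checksums inside the package attests to its contents; signing the release gem, or at least publishing the checksums out of band, would let users verify what they install.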
@@ -167,9 +167,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
167
167
|
version: '0'
|
168
168
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
169
169
|
requirements:
|
170
|
-
- - "
|
170
|
+
- - ">="
|
171
171
|
- !ruby/object:Gem::Version
|
172
|
-
version:
|
172
|
+
version: '0'
|
173
173
|
requirements: []
|
174
174
|
rubyforge_project:
|
175
175
|
rubygems_version: 2.7.7
|
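Review bot: the `required_rubygems_version` change shows `>=` and `'0'` on the `+` side with the `-` side truncated, so no real constraint change is visible; together with `required_ruby_version` (context at 167, `version: '0'`) the gem declares no minimum Ruby or RubyGems version at all, which is worth tightening to whatever the `aws-sdk-*` dependencies (e.g. `aws-sdk-organizations` at 14) actually require.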