tfctl 1.0.0.rc1 → 1.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.adoc +1 -1
- data/docs/configuration.adoc +27 -3
- data/docs/control_tower.adoc +30 -10
- data/docs/creating_a_profile.adoc +27 -5
- data/docs/iam_permissions.adoc +21 -1
- data/docs/project_layout.adoc +26 -4
- data/lib/tfctl/version.rb +1 -1
- metadata +4 -4
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 6d47682cf9949db840c18d07b6f06907a9d36e2a75d0a5255b4c57f3603c0dbf
|
4
|
+
data.tar.gz: d5a81e877943fff53e903a104249e1147a827c593430bc91c0b78d5cc467fc4b
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 03b7d69b7a7bbf296b0b1ab3aa8794d8b91e51559a1e2ee1d450396615aeba495b63993f84866c6fe5997d34c760da143cb66ca0cabc2a1a5a1266b701676bac
|
7
|
+
data.tar.gz: f9ebdae72fd58473c3a8cc5015fd2d2e32092488218b52efa79e2d625802ccdf4447298e45497d4ec0e03583b0edbd3a31b51e92f76a5981a5f3819f9cee1e4a
|
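Review bot: the old-side values for `metadata.gz:` and `data.tar.gz:` render empty at lines 3-4 and 6-7 of this hunk, so only the 1.0.0 digests are readable here; that looks like a display artifact of the diff viewer rather than an rc1 gem shipped without checksums, but it means the rc1 values cannot be compared. These digests cover the two archives inside the gem and are regenerated by RubyGems at build time, and the `metadata` hunk further down still carries `cert_chain: []`, so the release is unsigned: the checksums give integrity of the packaged archives, not authenticity of the publisher. A consumer who wants the latter has to pin `1.0.0` and compare the registry's published checksum of the whole .gem file out of band.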
data/CHANGELOG.adoc
CHANGED
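Review bot: the CHANGELOG.adoc hunk is not rendered on this page, so the 1.0.0 entry cannot be reviewed; the summary at the top reports +1 -1 for it, which fits a single retitled line (the rc1 heading becoming 1.0.0) rather than a list of changes, so check that any behavioural difference between rc1 and 1.0.0 is actually written down there and not only implied by the version bump.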
data/docs/configuration.adoc
CHANGED
@@ -1,4 +1,28 @@
|
|
1
|
-
|
1
|
+
// Settings:
|
2
|
+
:idprefix:
|
3
|
+
:idseparator: -
|
4
|
+
ifndef::env-github[:icons: font]
|
5
|
+
ifdef::env-github,env-browser[]
|
6
|
+
:toc: macro
|
7
|
+
:toclevels: 1
|
8
|
+
endif::[]
|
9
|
+
ifdef::env-github[]
|
10
|
+
:branch: master
|
11
|
+
:status:
|
12
|
+
:outfilesuffix: .adoc
|
13
|
+
:!toc-title:
|
14
|
+
:caution-caption: :fire:
|
15
|
+
:important-caption: :exclamation:
|
16
|
+
:note-caption: :paperclip:
|
17
|
+
:tip-caption: :bulb:
|
18
|
+
:warning-caption: :warning:
|
19
|
+
endif::[]
|
20
|
+
|
21
|
+
= Configuration
|
22
|
+
|
23
|
+
toc::[]
|
24
|
+
|
25
|
+
== Overview
|
2
26
|
|
3
27
|
Tfctl retrieves initial account configuration from AWS Organizations and merges
|
4
28
|
it with configuration specified in a yaml file.
|
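Review bot: the 20-line `// Settings:` preamble added at lines 1-20 is pasted verbatim into all five docs touched by this release (configuration, control_tower, creating_a_profile, iam_permissions, project_layout). The `ifdef::env-github` guards show the files are meant to render on GitHub, which does not process `include::`, so copying is understandable, but a one-line comment inside the block saying it is shared and must be changed in every file would stop the copies drifting. Separately, `:status:` at line 11 is defined empty and nothing visible references it; drop it unless another file uses it.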
@@ -48,7 +72,7 @@ TIP: You can display the fully merged configuration by running `tfctl -c
|
|
48
72
|
conf/CONFIG_FILE.yaml -s`. It's safe to run as it doesn't make any changes to
|
49
73
|
AWS resources. It's a good way to test your configuration.
|
50
74
|
|
51
|
-
|
75
|
+
== Defining arbitrary data
|
52
76
|
|
53
77
|
You can define arbitrary data under the `data:` parameter, both in the root of
|
54
78
|
the config and in the organization sections. It will be available in Terraform
|
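Review bot: the context TIP at lines 72-73 calls `tfctl -c conf/CONFIG_FILE.yaml -s` safe because it changes nothing in AWS; it would help to add that the command still needs read access to AWS Organizations (the Overview says the initial account configuration is retrieved from there) and that its output is the fully merged configuration, including everything under `data:`, so it should not be pasted into tickets or CI logs without checking what the config carries. The hunk itself only restyles the section title as a `==` heading.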
@@ -57,7 +81,7 @@ subnet ranges, s3 bucket names and so on. `data:` in organization sections
|
|
57
81
|
will be merged with accounts following the usual merge order as described
|
58
82
|
above.
|
59
83
|
|
60
|
-
|
84
|
+
== Handling secrets
|
61
85
|
|
62
86
|
No secrets should be committed into Terraform or tfctl configuration. Use AWS
|
63
87
|
Secrets Manager instead and retrieve in Terraform profiles using
|
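Review bot: the `== Handling secrets` text at line 87 ends mid-sentence in this rendering ("retrieve in Terraform profiles using"), so the recommended retrieval mechanism cannot be checked here. Whatever it is, if the value is read through a Terraform data source it is written into the remote state, so this section should say that explicitly and point at the encryption and access controls on the state bucket that the Control Tower guide sets up; otherwise "no secrets in config" gives a false sense that the secret never lands on disk. The `data:` merge described just above is also the natural place to warn that merged values appear verbatim in `-s` output.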
data/docs/control_tower.adoc
CHANGED
@@ -1,12 +1,32 @@
|
|
1
|
-
:
|
2
|
-
|
3
|
-
|
1
|
+
// Settings:
|
2
|
+
:idprefix:
|
3
|
+
:idseparator: -
|
4
|
+
ifndef::env-github[:icons: font]
|
5
|
+
ifdef::env-github,env-browser[]
|
6
|
+
:toc: macro
|
7
|
+
:toclevels: 1
|
8
|
+
endif::[]
|
9
|
+
ifdef::env-github[]
|
10
|
+
:branch: master
|
11
|
+
:status:
|
12
|
+
:outfilesuffix: .adoc
|
13
|
+
:!toc-title:
|
14
|
+
:caution-caption: :fire:
|
15
|
+
:important-caption: :exclamation:
|
16
|
+
:note-caption: :paperclip:
|
17
|
+
:tip-caption: :bulb:
|
18
|
+
:warning-caption: :warning:
|
19
|
+
endif::[]
|
20
|
+
|
21
|
+
= Control Tower integration guide
|
4
22
|
|
5
23
|
This guide will help you integrate Terraform with AWS Control Tower using the
|
6
24
|
tfctl wrapper. This involves setting up resources for remote state tracking,
|
7
25
|
necessary IAM roles and a tfctl project.
|
8
26
|
|
9
|
-
|
27
|
+
toc::[]
|
28
|
+
|
29
|
+
== Overview
|
10
30
|
|
11
31
|
For state tracking we're going to create a dedicated `shared-services` account
|
12
32
|
under a `mgmt` organization unit. We'll use S3 for state storage and DynamoDB
|
@@ -26,7 +46,7 @@ account factory and can be assumed from the primary account.
|
|
26
46
|
We're going to create a `live` and `test` organization units in Control Tower
|
27
47
|
and provision a couple of accounts for testing.
|
28
48
|
|
29
|
-
|
49
|
+
== Prerequisites
|
30
50
|
|
31
51
|
Before starting you'll need:
|
32
52
|
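Review bot: the context line 46 reads "create a `live` and `test` organization units" and the hunk leaves it as is; since this paragraph is being retouched anyway, drop the stray "a". The `== Prerequisites` heading is the only change here.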
|
@@ -35,7 +55,7 @@ Before starting you'll need:
|
|
35
55
|
* AWS CLI tools installed on your machine.
|
36
56
|
* Terraform 0.12 or higher.
|
37
57
|
|
38
|
-
|
58
|
+
== Configure Control Tower
|
39
59
|
|
40
60
|
Create the following organization units in Control Tower:
|
41
61
|
|
@@ -52,14 +72,14 @@ Then provision accounts:
|
|
52
72
|
NOTE: Control Tower accounts need to be provisioned one at a time. It takes
|
53
73
|
approximately 20 mins to provision one.
|
54
74
|
|
55
|
-
|
75
|
+
== Install tfctl
|
56
76
|
|
57
77
|
----
|
58
78
|
git clone git@github.com:scalefactory/tfctl.git
|
59
79
|
cd tfctl/ && sudo make install
|
60
80
|
----
|
61
81
|
|
62
|
-
|
82
|
+
== Set up AWS resources
|
63
83
|
|
64
84
|
It's assumed you have configured AWS CLI access to the primary account.
|
65
85
|
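Review bot: the `== Install tfctl` steps at lines 78-79 clone the repository over SSH and run `sudo make install` from whatever `master` happens to be, with no tag or commit pinned and nothing to verify; that means the build runs as root on unreviewed code, and a reader following the guide a year from now installs something other than 1.0.0. Since this page exists because 1.0.0 is on the gem registry, the section should prefer a pinned install (`gem install tfctl -v 1.0.0`) or at least a `git checkout` of the release tag before `make install`, and should avoid `sudo` where a per-user install is possible. The "It's assumed you have configured AWS CLI access to the primary account" line at 84 would also benefit from naming which profile or role the later `aws cloudformation` commands expect.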
|
@@ -128,7 +148,7 @@ aws cloudformation describe-stacks --stack-name TfctlOrgAccess
|
|
128
148
|
|
129
149
|
NOTE: Successful status should read: `CREATE_COMPLETE`.
|
130
150
|
|
131
|
-
|
151
|
+
== Configure tfctl
|
132
152
|
|
133
153
|
Copy the example project directory `examples/control_tower` somewhere convenient
|
134
154
|
and edit `conf/example.yaml`.
|
@@ -142,7 +162,7 @@ You need to modify the following parameters:
|
|
142
162
|
|
143
163
|
TIP: You should keep your project directory under version control.
|
144
164
|
|
145
|
-
|
165
|
+
== Deploy example tfctl profile
|
146
166
|
|
147
167
|
The example profile will create an S3 bucket in accounts under `test`, `live`
|
148
168
|
and `mgmt` OUs.
|
data/docs/creating_a_profile.adoc
CHANGED
@@ -1,9 +1,31 @@
|
|
1
|
-
|
1
|
+
// Settings:
|
2
|
+
:idprefix:
|
3
|
+
:idseparator: -
|
4
|
+
ifndef::env-github[:icons: font]
|
5
|
+
ifdef::env-github,env-browser[]
|
6
|
+
:toc: macro
|
7
|
+
:toclevels: 1
|
8
|
+
endif::[]
|
9
|
+
ifdef::env-github[]
|
10
|
+
:branch: master
|
11
|
+
:status:
|
12
|
+
:outfilesuffix: .adoc
|
13
|
+
:!toc-title:
|
14
|
+
:caution-caption: :fire:
|
15
|
+
:important-caption: :exclamation:
|
16
|
+
:note-caption: :paperclip:
|
17
|
+
:tip-caption: :bulb:
|
18
|
+
:warning-caption: :warning:
|
19
|
+
endif::[]
|
20
|
+
|
21
|
+
= Creating and deploying a tfctl profile
|
2
22
|
|
3
23
|
This guide will show you how to create a tfctl profile, declare some resources
|
4
24
|
in it and deploy it to to a group of accounts in an organization unit.
|
5
25
|
|
6
|
-
|
26
|
+
toc::[]
|
27
|
+
|
28
|
+
== Create a new profile
|
7
29
|
|
8
30
|
In your tfctl project directory create a new profile:
|
9
31
|
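Review bot: the context line 24, "deploy it to to a group of accounts", has a doubled "to" that the hunk leaves untouched; fix it while the file is open. The rest of the hunk is the shared settings preamble, the `toc::[]` macro and an `== Create a new profile` heading.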
|
@@ -87,7 +109,7 @@ resource "aws_s3_bucket" "example" {
|
|
87
109
|
This will create an S3 bucket with a name containing the current account name
|
88
110
|
(which will vary depending on which account it's deployed to).
|
89
111
|
|
90
|
-
|
112
|
+
== Assign profile to accounts
|
91
113
|
|
92
114
|
Before you can deploy the new profile you need to tell `tfctl` which accounts
|
93
115
|
to deploy it to.
|
@@ -113,7 +135,7 @@ organization_units:
|
|
113
135
|
----
|
114
136
|
|
115
137
|
|
116
|
-
|
138
|
+
== Plan
|
117
139
|
|
118
140
|
To see what would happen when the change is applied run:
|
119
141
|
|
@@ -161,7 +183,7 @@ what went wrong.
|
|
161
183
|
tfctl will generate a plan file automatically and use it with `apply` in the
|
162
184
|
next step.
|
163
185
|
|
164
|
-
|
186
|
+
== Apply
|
165
187
|
|
166
188
|
Once you're happy with the plan, apply it.
|
167
189
|
----
|
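Review bot: lines 183-184 say tfctl generates a plan file automatically and reuses it for `apply`, but nothing visible says where that file is written or whether it is removed afterwards; a plan file holds the full planned values of every resource, so the guide should give the path and tell readers to keep it out of version control, particularly because the Control Tower guide recommends committing the whole project directory. The `== Apply` heading is the only change in this hunk.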
data/docs/iam_permissions.adoc
CHANGED
@@ -1,4 +1,24 @@
|
|
1
|
-
|
1
|
+
// Settings:
|
2
|
+
:idprefix:
|
3
|
+
:idseparator: -
|
4
|
+
ifndef::env-github[:icons: font]
|
5
|
+
ifdef::env-github,env-browser[]
|
6
|
+
:toc: macro
|
7
|
+
:toclevels: 1
|
8
|
+
endif::[]
|
9
|
+
ifdef::env-github[]
|
10
|
+
:branch: master
|
11
|
+
:status:
|
12
|
+
:outfilesuffix: .adoc
|
13
|
+
:!toc-title:
|
14
|
+
:caution-caption: :fire:
|
15
|
+
:important-caption: :exclamation:
|
16
|
+
:note-caption: :paperclip:
|
17
|
+
:tip-caption: :bulb:
|
18
|
+
:warning-caption: :warning:
|
19
|
+
endif::[]
|
20
|
+
|
21
|
+
= IAM roles
|
2
22
|
|
3
23
|
Tfctl usually requires three IAM roles to be configured:
|
4
24
|
|
data/docs/project_layout.adoc
CHANGED
@@ -1,4 +1,24 @@
|
|
1
|
-
|
1
|
+
// Settings:
|
2
|
+
:idprefix:
|
3
|
+
:idseparator: -
|
4
|
+
ifndef::env-github[:icons: font]
|
5
|
+
ifdef::env-github,env-browser[]
|
6
|
+
:toc: macro
|
7
|
+
:toclevels: 1
|
8
|
+
endif::[]
|
9
|
+
ifdef::env-github[]
|
10
|
+
:branch: master
|
11
|
+
:status:
|
12
|
+
:outfilesuffix: .adoc
|
13
|
+
:!toc-title:
|
14
|
+
:caution-caption: :fire:
|
15
|
+
:important-caption: :exclamation:
|
16
|
+
:note-caption: :paperclip:
|
17
|
+
:tip-caption: :bulb:
|
18
|
+
:warning-caption: :warning:
|
19
|
+
endif::[]
|
20
|
+
|
21
|
+
= Project layout
|
2
22
|
|
3
23
|
Example project structure
|
4
24
|
----
|
@@ -16,7 +36,9 @@ project_dir/
|
|
16
36
|
└── variables.tf
|
17
37
|
----
|
18
38
|
|
19
|
-
|
39
|
+
toc::[]
|
40
|
+
|
41
|
+
== tfctl configuration file
|
20
42
|
|
21
43
|
Assigns Terraform profiles and configuration to accounts based on:
|
22
44
|
|
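Review bot: `toc::[]` is inserted at line 39, after the example tree listing, whereas the other four docs in this release place it directly under the document title; either move it up under `= Project layout` or say why this file differs, so the table of contents appears in the same position across the docs.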
@@ -29,7 +51,7 @@ The configuration data is exposed to terraform via a profile `config` variable.
|
|
29
51
|
It also defines Terraform and tfctl configuration such as state tracking and
|
30
52
|
what IAM roles to use.
|
31
53
|
|
32
|
-
|
54
|
+
== profiles
|
33
55
|
|
34
56
|
Profiles are re-usable collections of resources which can be applied to
|
35
57
|
accounts. They are implemented just like usual modules but provide an
|
@@ -38,6 +60,6 @@ other data sources). Profiles often compose multiple modules and provide
|
|
38
60
|
configuration data to them. This approach makes it possible to re-use standard
|
39
61
|
modules (e.g. Terraform module registry).
|
40
62
|
|
41
|
-
|
63
|
+
== modules
|
42
64
|
|
43
65
|
Standard Terraform modules.
|
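Review bot: the `== modules` heading at line 63 (and `== profiles` in the previous hunk) is lowercase while every other heading added in this release uses sentence case (`== Overview`, `== Handling secrets`, `== IAM roles`); if the lowercase is meant to mirror the directory names in the tree above, wrap the names in backticks as the body text does so the intent is visible, otherwise capitalise them.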
data/lib/tfctl/version.rb
CHANGED
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: tfctl
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.0.0
|
4
|
+
version: 1.0.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Andrew Wasilczuk
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2019-11-
|
11
|
+
date: 2019-11-14 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: aws-sdk-organizations
|
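Review bot: the old-side lines 4 and 11 render only up to the point where they diverge from the new side (`version: 1.0.0` and `date: 2019-11-`), so the rc1 version string and build date are not readable here; that is a rendering artifact, not a gem without a version. The substantive point is the unchanged context line `cert_chain: []`: the 1.0.0 gem is not signed, so nothing in this release lets a consumer verify who published it, and the checksums in checksums.yaml only cover the archives inside the gem. Consider signing releases with a `gem cert` certificate and publishing the release checksum alongside the changelog.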
@@ -167,9 +167,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
167
167
|
version: '0'
|
168
168
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
169
169
|
requirements:
|
170
|
-
- - "
|
170
|
+
- - ">="
|
171
171
|
- !ruby/object:Gem::Version
|
172
|
-
version:
|
172
|
+
version: '0'
|
173
173
|
requirements: []
|
174
174
|
rubyforge_project:
|
175
175
|
rubygems_version: 2.7.7
|
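Review bot: `required_rubygems_version` changes from a truncated `- - "` on the old side to `- - ">="` with `version: '0'`, which is the constraint RubyGems writes for a non-prerelease gem; the old side is cut off in this rendering, but for a `.rc1` build it would have been the prerelease-only constraint that RubyGems generates automatically, so this is a side effect of dropping the `.rc1` suffix rather than a hand edit and needs no changelog entry. `rubygems_version: 2.7.7` at line 175 records the builder's RubyGems, not a requirement on users.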