This module could be useful if you find yourself creating a layout that includes the following resources:
- EC2 Instance w/ configurable AMI, family type, key pair, networking, userdata, among others.
- EC2 Profile with a customizable IAM Role supporting both AWS and customer managed policies.
- Multiple EBS dynamic blocks (root_block_device, ebs_block_device and ephemeral_block_device) w/ configurable type, size, device name and encryption configs among others.
- Security group for the instance above.
- Optionally associate a public IP address with the instance.
- DNS record with a record that points to the instance private IP / public IP.
- Tags: both EC2 and EBS.
- SSM support for interactive shell access via browser or AWS CLI
Personally we have seen the need of creating a similar set of such resources for an OpenVPN instance, for Jenkins, Spinnaker, DroneCI, Prometheus, Grafana, Hashicorp Vault, ElasticSearch, Kibana and so forth.
| Name | Version |
|---|---|
| terraform | >= 0.13.2 |
| aws | ~> 4.0 |
| Name | Version |
|---|---|
| aws | ~> 4.0 |
No modules.
| Name | Type |
|---|---|
| aws_eip.this | resource |
| aws_iam_instance_profile.basic_instance | resource |
| aws_iam_policy.cross_org_instance_access | resource |
| aws_iam_role.basic_instance_assume_role | resource |
| aws_iam_role_policy_attachment.basic_instance_aws_roles | resource |
| aws_iam_role_policy_attachment.ec2_ssm_access | resource |
| aws_iam_role_policy_attachment.this | resource |
| aws_instance.main | resource |
| aws_route53_record.main_private | resource |
| aws_route53_record.main_public | resource |
| aws_security_group.main | resource |
| aws_security_group_rule.egress_allow_all | resource |
| aws_security_group_rule.ingress_rules | resource |
| aws_ami.ubuntu_linux | data source |
| aws_iam_policy_document.cross_org_instance_access | data source |
| aws_iam_policy_document.this | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| ami_id | AMI Identifier | string |
"" |
no |
| associate_public_ip_address | Associate a public IP address with the instance | bool |
false |
no |
| aws_ami_os_id | AWS AMI Operating System Identificator | string |
"ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*" |
no |
| aws_ami_os_owner | AWS AMI Operating System Owner, eg: 099720109477 for Canonical | string |
"099720109477" |
no |
| credit_specification_cpu | Can be applied/modified to the EC2 at any time. The credit option for CPU usage. Can be 'standard' or 'unlimited'. By default T3 = unlimited & T2 'standard'. | string |
"unlimited" |
no |
| cross_account_roles_resource_arn_list | Resources arn list for cross org roles for EC2 profile IAM Role policy. | list(string) |
[] |
no |
| disable_api_termination | If true, enables EC2 Instance Termination Protection | string |
"false" |
no |
| dns_records_internal_hosted_zone | A list of DNS private (internal hosted zone) records to create with the instance's IP | list(any) |
[] |
no |
| dns_records_public_hosted_zone | A list of DNS public (public hosted zone) records to create with the instance's IP | list(any) |
[] |
no |
| ebs_block_device | Additional EBS block devices to attach to the instance | list(map(string)) |
[] |
no |
| ebs_optimized | Enable EBS Optimized | string |
"false" |
no |
| enable_ssm_access | If true, attaches SSM policy to instance role | bool |
false |
no |
| ephemeral_block_device | Customize Ephemeral (also known as Instance Store) volumes on the instance | list(map(string)) |
[] |
no |
| instance_profile | The IAM Instance Profile to launch the instance with. Specified as the name of the Instance Profile. | string |
"" |
no |
| instance_type | EC2 Instance Type | string |
"t3.micro" |
no |
| key_pair_name | Key Pair Name | string |
n/a | yes |
| monitoring | If true, the launched EC2 instance will have detailed monitoring enabled | bool |
false |
no |
| name | Name | string |
n/a | yes |
| policy_arn | Attach AWS IAM managed policies to the IAM Role. | list(string) |
[] |
no |
| prefix | Prefix | string |
"default" |
no |
| root_block_device | Customize details about the root block device of the instance. See Block Devices below for details | list(map(string)) |
[] |
no |
| root_device_backup_tag | EC2 Root Block Device backup tag | string |
"True" |
no |
| security_group_ids | A list of security group ids | list(string) |
[] |
no |
| security_group_rules | A list of security group rules | list(any) |
[] |
no |
| subnet_id | Subnet ID | string |
n/a | yes |
| tag_approved_ami_value | Set the specific tag ApprovedAMI ('true' | 'false') that identifies aws-config compliant AMIs | string |
"false" |
no |
| tags | Tags | map(string) |
{} |
no |
| user_data | The user data to provide when launching the instance. Do not pass gzip-compressed data via this argument; see user_data_base64 instead. | string |
null |
no |
| user_data_base64 | Can be used instead of user_data to pass base64-encoded binary data directly. Use this instead of user_data whenever the value is not a valid UTF-8 string. For example, gzip-encoded user data must be base64-encoded and passed via this argument to avoid corruption. | string |
null |
no |
| vpc_id | VPC ID | string |
n/a | yes |
| Name | Description |
|---|---|
| aws_instance_ami | The AMI of the Instance. |
| aws_instance_assume_role_name | The IAM instance profile of the EC2. |
| aws_instance_iam_profile | The IAM instance profile of the EC2. |
| aws_instance_key_name | The ssh key pair name of the Instance. |
| aws_instance_private_ip | Contains the instance private IP address. |
| aws_instance_public_ip | Contains the instance public IP address. |
| aws_instance_type | The type of the Instance. |
| aws_instance_volume_tags | The root EBS volume tags of the instace. |
| dns_record_private | DNS |
| dns_record_public | n/a |
| instance | Compute |
| security_group | n/a |
Please refer to the module Examples.
In order to get the full automated potential of the
Binbash Leverage DevOps Automation Code Library
you should initialize all the necessary helper Makefiles.
You must execute the make init-makefiles command at the root context:
╭─delivery at delivery-I7567 in ~/terraform/terraform-aws-backup-by-tags on master✔ 20-09-17
╰─⠠⠵ make
Available Commands:
- init-makefiles initialize makefiles
You'll get all the necessary commands to automatically operate this module via a dockerized approach, example shown below
╭─delivery at delivery-I7567 in ~/terraform/terraform-aws-backup-by-tags on master✔ 20-09-17
╰─⠠⠵ make
Available Commands:
- circleci-validate-config ## Validate A CircleCI Config (https
- format-check ## The terraform fmt is used to rewrite tf conf files to a canonical format and style.
- format ## The terraform fmt is used to rewrite tf conf files to a canonical format and style.
- tf-dir-chmod ## run chown in ./.terraform to gran that the docker mounted dir has the right permissions
- version ## Show terraform version
- init-makefiles ## initialize makefiles╭─delivery at delivery-I7567 in ~/terraform/terraform-aws-backup-by-tags on master✔ 20-09-17
╰─⠠⠵ make format-check
docker run --rm -v /home/delivery/Binbash/repos/Leverage/terraform/terraform-aws-backup-by-tags:"/go/src/project/":rw -v :/config -v /common.config:/common-config/common.config -v ~/.ssh:/root/.ssh -v ~/.gitconfig:/etc/gitconfig -v ~/.aws/bb:/root/.aws/bb -e AWS_SHARED_CREDENTIALS_FILE=/root/.aws/bb/credentials -e AWS_CONFIG_FILE=/root/.aws/bb/config --entrypoint=/bin/terraform -w "/go/src/project/" -it binbash/terraform-awscli-slim:0.12.28 fmt -check
- pipeline-job (NOTE: Will only run after merged PR)
- releases
- changelog