This repository contains a set of (opinionated) Terraform modules to provision HashiCorp's suite of tools on AWS, including:
- Consul: Service discovery, distributed key-value store, and service mesh
- Nomad: Scheduling
- Vault: secrets management
These tools are useful for deploying a basic cloud infrastructure on which your developers can run their applications and services.
To get started, see the Core module. Some of the modules are optional and add additional features after you have provisioned the Core module.
See CONTRIBUTING.md for more details.
This repository has various submodules. When you are cloning it for the first time, make sure to do so with

```bash
git clone --recursive https://github.com/GovTechSG/terraform-modules.git
```

To update an already cloned repository, you can do

```bash
git submodule update --init --recursive
```
This module sets up a VPC, and a Consul and Nomad cluster on which you can run applications.
This module configures Vault's AWS auth method to accept logins from EC2 instances, which authenticate with the signed instance identity document obtained from EC2 instance metadata. This is required for use with some of the Vault integration modules.
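The following is an added example of what enabling EC2-based login in Vault looks like when written with the Terraform Vault provider; it is not the module's own code. The role name, policy name, account ID, AMI, VPC and instance profile ARN are hypothetical placeholders, and the Vault address and token are assumed to come from `VAULT_ADDR` and `VAULT_TOKEN` in the environment.

```hcl
terraform {
  required_providers {
    vault = {
      source = "hashicorp/vault"
    }
  }
}

# Reads VAULT_ADDR and VAULT_TOKEN from the environment.
provider "vault" {}

# Enable the AWS auth method. In EC2 mode a client presents the PKCS#7-signed
# instance identity document it fetched from the instance metadata service;
# Vault verifies the AWS signature on the document and then checks its
# contents against the role bindings below.
resource "vault_auth_backend" "aws" {
  type = "aws"
  path = "aws"
}

# Hypothetical identifiers: replace with the account, AMI, VPC and instance
# profile of the instances that should be allowed to log in.
locals {
  account_id         = "123456789012"
  client_ami_id      = "ami-0123456789abcdef0"
  core_vpc_id        = "vpc-0123456789abcdef0"
  client_profile_arn = "arn:aws:iam::123456789012:instance-profile/nomad-client"
}

resource "vault_aws_auth_backend_role" "nomad_client" {
  backend   = vault_auth_backend.aws.path
  role      = "nomad-client" # hypothetical role name
  auth_type = "ec2"

  # Bind on several independent attributes. The identity document is readable
  # by any process on the instance and is signed by AWS, not by you, so an AMI
  # id on its own is a weak bound: anyone able to launch that AMI in their own
  # account would satisfy it. Account, VPC and instance profile narrow it down
  # to instances you actually launched.
  bound_account_ids               = [local.account_id]
  bound_ami_ids                   = [local.client_ami_id]
  bound_vpc_ids                   = [local.core_vpc_id]
  bound_iam_instance_profile_arns = [local.client_profile_arn]

  # Keep issued tokens short-lived and scoped to a single policy.
  token_ttl      = 3600
  token_max_ttl  = 86400
  token_policies = ["nomad-client"] # hypothetical policy that must already exist
}
```

Two checks a practitioner should make before relying on this: the Vault servers themselves need IAM permission for `ec2:DescribeInstances` (and `iam:GetInstanceProfile` when binding on instance profiles) to validate a login, and they need to be able to reach the EC2 and IAM APIs. On the first login Vault records the instance ID together with a client-chosen nonce, and later logins from the same instance ID must present the same nonce, which is what stops a copied identity document from being replayed by a different client.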
This module serves as a post-bootstrap addon for the Core Module. It integrates Vault into Nomad so that jobs may acquire secrets from Vault.
This module serves as a post-bootstrap addon for the Core Module. It enables ACLs for Nomad, with Nomad ACL tokens retrieved from Vault.
This module configures Vault's SSH secrets engine as an SSH certificate authority, so that users can obtain signed SSH certificates to access your machines instead of having static keys distributed to them.
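As an added example (not the module's own code), this is the minimal Terraform Vault provider configuration for an SSH CA that signs user certificates. The mount path, role name, principal names and TTLs are assumptions chosen for illustration.

```hcl
terraform {
  required_providers {
    vault = {
      source = "hashicorp/vault"
    }
  }
}

provider "vault" {}

# Mount the SSH secrets engine and let Vault generate the CA key pair.
# The CA private key is created inside Vault and is never returned by the API.
resource "vault_mount" "ssh" {
  type = "ssh"
  path = "ssh" # hypothetical mount path
}

resource "vault_ssh_secret_backend_ca" "ca" {
  backend              = vault_mount.ssh.path
  generate_signing_key = true
}

# Role for user certificates. Everything Vault signs under this role is
# constrained by the settings here, not by what the requester asks for.
resource "vault_ssh_secret_backend_role" "operator" {
  backend                 = vault_mount.ssh.path
  name                    = "operator" # hypothetical role name
  key_type                = "ca"
  allow_user_certificates = true
  allow_host_certificates = false

  # Only these principals may appear in a certificate; a request naming any
  # other user is rejected (hypothetical user names).
  allowed_users = "ubuntu,ec2-user"
  default_user  = "ubuntu"

  # Short validity: a leaked signed key stops working on its own.
  ttl     = "30m"
  max_ttl = "1h"

  # Grant an interactive shell but no agent or port forwarding.
  allowed_extensions = "permit-pty"
  default_extensions = {
    "permit-pty" = ""
  }
}

# The hosts need this public key to trust certificates issued by Vault.
output "ssh_ca_public_key" {
  value = vault_ssh_secret_backend_ca.ca.public_key
}
```

To use it, place the CA public key on each host (for example at `/etc/ssh/trusted-user-ca-keys.pem`) and add `TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem` to `sshd_config`. A user then signs their own public key with `vault write -field=signed_key ssh/sign/operator public_key=@$HOME/.ssh/id_ed25519.pub`, saves the output as `~/.ssh/id_ed25519-cert.pub`, and connects as one of the allowed principals; the host checks the certificate against the CA key and the Vault audit log records who requested each certificate.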
This module serves as a post-bootstrap addon for the Core Module. It provisions load balancers in front of a Traefik reverse proxy to expose the applications running on your Nomad cluster to the internet.
This module serves as a post-bootstrap addon for the Core Module. It allows you to configure Nomad clients to authenticate with private Docker registries.
This module serves as a bootstrap addon for the Core module. It provisions the PKI secrets engine in Vault, which lets you maintain an internal CA and lets Vault users request certificates from it.
This module is required by some of the other Vault integration modules.
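The following added example (illustrative, not the module's own code) shows the three pieces a PKI secrets engine set-up consists of when written with the Terraform Vault provider: the mount, a root CA generated inside Vault, and a role that constrains which certificates callers may request. The mount path, domain names, Vault URL and TTLs are assumptions.

```hcl
terraform {
  required_providers {
    vault = {
      source = "hashicorp/vault"
    }
  }
}

provider "vault" {}

resource "vault_mount" "pki" {
  path                  = "pki" # hypothetical mount path
  type                  = "pki"
  max_lease_ttl_seconds = 315360000 # 10 years: upper bound for the root below
}

# Root CA generated inside Vault. With type "internal" the private key is
# never returned by the API, so there is no key file to protect on disk.
resource "vault_pki_secret_backend_root_cert" "root" {
  backend     = vault_mount.pki.path
  type        = "internal"
  common_name = "example.internal Root CA" # hypothetical
  ttl         = "315360000"
  key_type    = "rsa"
  key_bits    = 4096
}

# Tell clients where to fetch the issuing certificate and the CRL;
# without a CRL URL revoked certificates cannot be discovered.
resource "vault_pki_secret_backend_config_urls" "urls" {
  backend                 = vault_mount.pki.path
  issuing_certificates    = ["https://vault.example.internal:8200/v1/pki/ca"]
  crl_distribution_points = ["https://vault.example.internal:8200/v1/pki/crl"]
}

# Role that a service's Vault policy may call to obtain a leaf certificate.
# The CA will only sign names under the listed domains; any other
# common name or SAN is rejected regardless of what the caller sends.
resource "vault_pki_secret_backend_role" "service" {
  backend            = vault_mount.pki.path
  name               = "service" # hypothetical role name
  allowed_domains    = ["service.consul", "example.internal"]
  allow_subdomains   = true
  allow_bare_domains = false
  allow_any_name     = false
  allow_ip_sans      = false
  server_flag        = true
  client_flag        = true
  key_type           = "rsa"
  key_bits           = 2048
  ttl                = 86400
  max_ttl            = 259200
}
```

A service whose policy grants `update` on `pki/issue/service` can then run `vault write pki/issue/service common_name=api.example.internal` and receives a key pair and certificate valid for one day by default. Keeping leaf TTLs short and the root offline-equivalent (never exported) is what limits the damage of a compromised service; in production the usual refinement is to issue from an intermediate CA rather than directly from the root.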
This module serves as a post-bootstrap addon for the Core Module. It adds the managed AWS Elasticsearch service (with Kibana). The module can also integrate with the Traefik set-up, so that the redirect service sends users to the Kibana visualisation UI via a friendlier URL.
This module runs Curator as a cron job in Nomad to clean up old indices in your Elasticsearch cluster.
This module sets up a Lambda function with an API Gateway trigger, secured with API key authentication.
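The following is an added example, written with the Terraform AWS provider rather than taken from the module, of the parts that make an API key actually enforced on an API Gateway method: `api_key_required` on the method, a usage plan attached to the stage, and the key linked to that plan. The region, function name, handler and the `function.zip` build artifact are assumptions.

```hcl
terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
  }
}

provider "aws" {
  region = "ap-southeast-1" # assumption
}

# Execution role for the function; it only needs to write logs.
resource "aws_iam_role" "lambda" {
  name = "hello-api-lambda"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "lambda.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_iam_role_policy_attachment" "lambda_logs" {
  role       = aws_iam_role.lambda.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
}

# function.zip is a hypothetical build artifact containing handler.py.
resource "aws_lambda_function" "api" {
  function_name    = "hello-api"
  role             = aws_iam_role.lambda.arn
  handler          = "handler.lambda_handler"
  runtime          = "python3.12"
  filename         = "function.zip"
  source_code_hash = filebase64sha256("function.zip")
}

resource "aws_api_gateway_rest_api" "api" {
  name = "hello-api"
}

resource "aws_api_gateway_resource" "hello" {
  rest_api_id = aws_api_gateway_rest_api.api.id
  parent_id   = aws_api_gateway_rest_api.api.root_resource_id
  path_part   = "hello"
}

# api_key_required makes the gateway reject requests without a valid
# x-api-key header before they reach Lambda (and before you pay for them).
resource "aws_api_gateway_method" "get" {
  rest_api_id      = aws_api_gateway_rest_api.api.id
  resource_id      = aws_api_gateway_resource.hello.id
  http_method      = "GET"
  authorization    = "NONE"
  api_key_required = true
}

resource "aws_api_gateway_integration" "lambda" {
  rest_api_id             = aws_api_gateway_rest_api.api.id
  resource_id             = aws_api_gateway_resource.hello.id
  http_method             = aws_api_gateway_method.get.http_method
  integration_http_method = "POST"
  type                    = "AWS_PROXY"
  uri                     = aws_lambda_function.api.invoke_arn
}

# Allow only this API, not any API Gateway in the account, to invoke the function.
resource "aws_lambda_permission" "apigw" {
  statement_id  = "AllowAPIGatewayInvoke"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.api.function_name
  principal     = "apigateway.amazonaws.com"
  source_arn    = "${aws_api_gateway_rest_api.api.execution_arn}/*/*"
}

resource "aws_api_gateway_deployment" "this" {
  rest_api_id = aws_api_gateway_rest_api.api.id
  triggers = {
    redeploy = sha1(jsonencode([aws_api_gateway_method.get.id, aws_api_gateway_integration.lambda.id]))
  }
  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_api_gateway_stage" "prod" {
  rest_api_id   = aws_api_gateway_rest_api.api.id
  deployment_id = aws_api_gateway_deployment.this.id
  stage_name    = "prod"
}

# A key is only checked through a usage plan attached to the stage;
# a key that is not in a plan covering this stage is rejected.
resource "aws_api_gateway_api_key" "client" {
  name = "hello-api-client"
}

resource "aws_api_gateway_usage_plan" "plan" {
  name = "hello-api-plan"
  api_stages {
    api_id = aws_api_gateway_rest_api.api.id
    stage  = aws_api_gateway_stage.prod.stage_name
  }
  throttle_settings {
    burst_limit = 10
    rate_limit  = 5
  }
}

resource "aws_api_gateway_usage_plan_key" "client" {
  key_id        = aws_api_gateway_api_key.client.id
  key_type      = "API_KEY"
  usage_plan_id = aws_api_gateway_usage_plan.plan.id
}
```

One caveat to keep in mind: AWS documents API Gateway API keys as a way to identify clients for usage plans (throttling and quotas) and advises against relying on them as the only means of authentication and authorization. The key is a long-lived bearer secret sent in a plain request header, so for anything beyond a low-sensitivity internal endpoint pair it with IAM authorization, a Cognito authorizer or a Lambda authorizer on the method, and rotate the key when a client is decommissioned.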
This module sets up the Telegraf service for collecting and reporting metrics on instances running the `consul`, `nomad_client`, `nomad_server` and `vault` services.
This module enables `td-agent`, the stable distribution package of Fluentd, for log forwarding on instances running the `consul`, `nomad_client`, `nomad_server` and `vault` services.
This module sets up an additional cluster of Nomad clients after the initial bootstrap of the Core module.
This module is an addon that adds Vault policies allowing application services to access key/value secrets stored in your already set-up Vault.
This module runs Fluentd on Nomad to forward logs to Elasticsearch and (optionally) S3.
Provisions additional resources to enable Vault Auto Unseal when used with the Core module.
Contains Ansible roles for installation of various services. For more details, check out the README in the respective role directories.