Caravan Infra AWS¶

Caravan 2021 AWS

Prerequisites¶

AWS Credentials file at ~/.aws/credentials like

[default]
aws_access_key_id=AKIAJPZXVYEXAMPLE
aws_secret_access_key=4k6ZilhMPdshU6/kuwEExAmPlE

Prepare environment¶

You need an AWS bucket (and a DynamoDB table) for terraform state, so run the script project-setup.sh passing as arguments:

Prefix name to give to resources (look at terraform inputs)
AWS region
AWS profile

./project-setup.sh <NAME> <REGION> <PROFILE>

Running¶

Edit the generate aws.tfvars and then run:

terraform init -reconfigure -upgrade
terraform apply --var-file aws.tfvars

Requirements¶

Name	Version
terraform	~> 1.0
aws	~> 4.0

Providers¶

Name	Version
aws	4.27.0
dns	3.2.3
local	2.2.3
null	3.1.1
random	3.3.2
tls	4.0.1

Modules¶

Name	Source	Version
caravan-bootstrap	git::https://github.com/bitrockteam/caravan-bootstrap	refs/tags/v0.2.19
cloud_init_control_plane	git::https://github.com/bitrockteam/caravan-cloudinit	refs/tags/v0.1.18
cloud_init_worker_plane	git::https://github.com/bitrockteam/caravan-cloudinit	refs/tags/v0.1.18
terraform_acme_le	git::https://github.com/bitrockteam/caravan-acme-le	refs/tags/v0.0.16
vpc	terraform-aws-modules/vpc/aws	>= 3.13.0

Resources¶

Name	Type
aws_acm_certificate.cert	resource
aws_autoscaling_group.bastion-service	resource
aws_autoscaling_group.hashicorp_workers	resource
aws_ebs_volume.consul_cluster_data	resource
aws_ebs_volume.csi	resource
aws_ebs_volume.nomad_cluster_data	resource
aws_ebs_volume.vault_cluster_data	resource
aws_iam_instance_profile.control_plane	resource
aws_iam_instance_profile.worker_plane	resource
aws_iam_policy_attachment.ec2_ssm	resource
aws_iam_policy_attachment.ssm_core	resource
aws_iam_role.control_plane	resource
aws_iam_role.worker_plane	resource
aws_iam_role_policy.csi	resource
aws_iam_role_policy.docker_pull	resource
aws_iam_role_policy.vault_aws_auth	resource
aws_iam_role_policy.vault_client	resource
aws_iam_role_policy.vault_kms_unseal	resource
aws_instance.hashicorp_cluster	resource
aws_instance.monitoring	resource
aws_key_pair.hashicorp_keypair	resource
aws_kms_key.vault	resource
aws_launch_configuration.bastion-service-host	resource
aws_launch_template.hashicorp_workers	resource
aws_lb.hashicorp_alb	resource
aws_lb.hashicorp_nlb	resource
aws_lb_listener.bastion-service	resource
aws_lb_listener.http_80	resource
aws_lb_listener.http_8500	resource
aws_lb_listener.https_443	resource
aws_lb_listener.this	resource
aws_lb_listener_rule.consul	resource
aws_lb_listener_rule.nomad	resource
aws_lb_listener_rule.vault	resource
aws_lb_target_group.alb	resource
aws_lb_target_group.bastion-service	resource
aws_lb_target_group.consul	resource
aws_lb_target_group.ingress	resource
aws_lb_target_group.nomad	resource
aws_lb_target_group.vault	resource
aws_lb_target_group_attachment.consul	resource
aws_lb_target_group_attachment.nomad	resource
aws_lb_target_group_attachment.this	resource
aws_lb_target_group_attachment.vault	resource
aws_route53_record.all_cname	resource
aws_route53_record.bastion	resource
aws_route53_record.consul_cname	resource
aws_route53_record.hashicorp_zone_ns	resource
aws_route53_record.nomad_cname	resource
aws_route53_record.vault_cname	resource
aws_route53_zone.hashicorp_zone	resource
aws_security_group.alb	resource
aws_security_group.allow_cluster_basics	resource
aws_security_group.internal_consul	resource
aws_security_group.internal_nomad	resource
aws_security_group.internal_vault	resource
aws_security_group.internal_workers	resource
aws_volume_attachment.consul_cluster_ec2	resource
aws_volume_attachment.nomad_cluster_ec2	resource
aws_volume_attachment.vault_cluster_ec2	resource
local_file.backend_tf_appsupport	resource
local_file.backend_tf_platform	resource
local_file.ssh_key	resource
local_file.tfvars_appsupport	resource
local_file.tfvars_platform	resource
null_resource.ca_certs	resource
null_resource.ca_certs_bundle	resource
random_pet.env	resource
tls_private_key.cert_private_key	resource
tls_private_key.ssh_key	resource
aws_ami.caravan	data source
aws_ami.debian	data source
aws_iam_policy_document.assume_role	data source
aws_iam_policy_document.vault_client	data source
aws_iam_policy_document.vault_kms_unseal	data source
aws_route53_zone.main	data source
dns_a_record_set.alb	data source

Inputs¶

Name	Description	Type	Default	Required
awsprofile	AWS user profile	`string`	n/a	yes
personal_ip_list	IP address list for SSH connection to the VMs	`list(string)`	n/a	yes
prefix	The prefix of the objects’ names	`string`	n/a	yes
region	AWS region to use	`string`	n/a	yes
shared_credentials_file	AWS credential file path	`string`	n/a	yes
ssh_username	centos or ubuntu ssh user for bootstrap	`string`	n/a	yes
ami_filter_name	Regexp to find AMI to use built with caravan-baking	`string`	`"caravan-os-ubuntu-2204*"`	no
ca_certs	Fake certificates from staging Let’s Encrypt	map(object({ filename = string pemurl = string }))	{ “stg-int-r3”: { “filename”: “letsencrypt-stg-int-r3.pem”, “pemurl”: “https://letsencrypt.org/certs/staging/letsencrypt-stg-int-r3.pem” }, “stg-root-x1”: { “filename”: “letsencrypt-stg-root-x1.pem”, “pemurl”: “https://letsencrypt.org/certs/staging/letsencrypt-stg-root-x1.pem” } }	no
consul_license_file	Path to Consul Enterprise license	`string`	`null`	no
control_plane_instance_count	Control plane instances number	`number`	`3`	no
control_plane_machine_type	Control plane instance machine type	`string`	`"t3.micro"`	no
csi_volumes	Example: { “jenkins” : { “availability_zone” : “eu-west-1a” “size” : “30” “type” : “gp3” “tags” : { “application”: “jenkins_master” } } }	`map(map(string))`	`{}`	no
dc_name	Hashicorp cluster name	`string`	`"aws-dc"`	no
enable_monitoring	Enable monitoring	`bool`	`true`	no
enable_nomad	Enables and setup Nomad cluster	`bool`	`true`	no
external_domain	Domain used for endpoints and certs	`string`	`""`	no
monitoring_machine_type	Monitoring instance machine type	`string`	`"t3.xlarge"`	no
nomad_license_file	Path to Nomad Enterprise license	`string`	`null`	no
ports	n/a	`map(number)`	{ “http”: 80, “https”: 443 }	no
tfstate_bucket_name	S3 Bucket where Terraform state is stored	`string`	`""`	no
tfstate_region	AWS Region where Terraform state resources are	`string`	`""`	no
tfstate_table_name	DynamoDB Table where Terraform state lock is acquired	`string`	`""`	no
use_le_staging	Use staging Let’s Encrypt endpoint	`bool`	`true`	no
vault_license_file	Path to Vault Enterprise license	`string`	`null`	no
volume_data_size	Volume size of control plan data disk	`number`	`20`	no
volume_root_size	Volume size of control plan root disk	`number`	`20`	no
volume_size	Volume size of workers disk	`number`	`100`	no
volume_type	Volume type of disks	`string`	`"gp3"`	no
vpc_cidr	VPC cidr	`string`	`"10.0.0.0/16"`	no
vpc_private_subnets	VCP private subnets	`list(string)`	[ “10.0.1.0/24”, “10.0.2.0/24”, “10.0.3.0/24” ]	no
vpc_public_subnets	VCP public subnets	`list(string)`	[ “10.0.101.0/24”, “10.0.102.0/24”, “10.0.103.0/24” ]	no
worker_plane_machine_type	Working plane instance machine type	`string`	`"t3.large"`	no
workers_group_size	Worker plane instances number	`number`	`3`	no

Outputs¶

Name	Description
PROJECT_APPSUPP_TFVAR	Caravan Application Support tfvars
PROJECT_PLATFORM_TFVAR	Caravan Platform tfvars
PROJECT_WORKLOAD_TFVAR	Caravan Workload tfvars
ca_certs	Let’s Encrypt staging CA certificates
cluster_public_ips	Control plane public IP addresses
control_plane_iam_role_arns	Control plane iam role list
control_plane_role_name	Control plane role name
csi_volumes	n/a
hashicorp_endpoints	Hashicorp clusters endpoints
load_balancer_ip_address	Load Balancer IP address
region	AWS region
vpc_id	VPC ID
worker_node_service_account	Worker plane ARN
worker_plane_iam_role_arns	Worker plane iam role list
worker_plane_role_name	Worker plane role name

Cleaning up¶

After terraform destroy -var-file=aws.tfvars, for removing bucket and dynamodb table, run the project-cleanup.sh script:

./project-cleanup.sh <NAME> <REGION> <PROFILE>