# Infrastructure as code

Repository: https://github.com/nextbreakpoint/infrastructure-as-code (HCL, MIT licence)

This repository contains the resources for creating a minimal infrastructure for running micro-services on [Kubernetes](https://kubernetes.io).

    THIS PROJECT IS WORK IN PROGRESS

We provide a simple and reliable process for creating a scalable and secure infrastructure on [AWS](https://aws.amazon.com).
The infrastructure is configured to use the minimum amount of resources required to run the essential services,
but it can be scaled in order to manage a higher workload, and extended with additional components if needed.


## Requirements

You need an AWS account for creating the infrastructure. Create it on [AWS](https://aws.amazon.com) if you don't have one already.

    BEWARE OF THE COST OF RUNNING THE INFRASTRUCTURE ON AWS. WE ARE NOT RESPONSIBLE FOR ANY CHARGES

Once you have created your account, save the account id; you will need it soon.


## Setup

Install AWS CLI v2 (the commands below are for macOS; see the AWS CLI installation guide in the references for other platforms):

    curl "https://awscli.amazonaws.com/AWSCLIV2.pkg" -o "AWSCLIV2.pkg"
    sudo installer -pkg AWSCLIV2.pkg -target /

Install required tools:

    brew install jq
    brew install terragrunt
    brew install kubernetes-cli
    brew tap weaveworks/tap
    brew install weaveworks/tap/eksctl
    brew install aws-iam-authenticator

Install optional tools:

    brew install kubectx
    brew install tfenv
    tfenv install 1.2.1
    tfenv use 1.2.1


## Bootstrap

You will need a user which has the right permissions to configure the required resources before we can automate the process.
You could use your AWS root account, but we don't recommend it, because that user has high privileges. We recommend instead
that you manually create a new user with only the required privileges from the AWS web console.

Sign in to your AWS account (you must have created one):

    open https://${YOUR_AWS_ACCOUNT_ID}.signin.aws.amazon.com/console

Create a user "Superuser", attach the policy arn:aws:iam::aws:policy/IAMFullAccess, and create an access key (keep the access key details secret).
We will use the user to create users and groups, and to create the essential roles and policies for managing the infrastructure.
Note that IAMFullAccess is effectively administrator access, because a principal holding it can attach any policy to itself:
protect the Superuser access key as carefully as the root credentials and deactivate it when it is not in use (see Notes).

Create an AWS profile (you will need the access key details):

    ./add-profile.sh --profile=superuser \
      --region=${YOUR_AWS_REGION} \
      --access-key-id=${SUPERUSER_ACCESS_KEY_ID} \
      --secret-access-key=${SUPERUSER_SECRET_ACCESS_KEY}

Create SSH keys (you will need them later to access the EC2 machines):

    ./make-keys.sh --path=keys --environment=prod --colour=green

Copy the keys to a safe place and share them only with people who you trust.

Create policy files:

    ./make-policies.sh --account=${YOUR_AWS_ACCOUNT_ID}

Create bootstrap role:

    aws --profile superuser iam create-role \
        --role-name Terraform-Manage-Bootstrap \
        --assume-role-policy-document file://policies/assume-role.json

Create bootstrap group:

    aws --profile superuser iam create-group --group-name Terraform-Bootstrap

Configure role policies:

    aws --profile superuser iam attach-role-policy \
        --role-name Terraform-Manage-Bootstrap \
        --policy-arn arn:aws:iam::aws:policy/IAMFullAccess

    aws --profile superuser iam attach-role-policy \
        --role-name Terraform-Manage-Bootstrap \
        --policy-arn arn:aws:iam::aws:policy/AmazonS3FullAccess

    aws --profile superuser iam attach-role-policy \
        --role-name Terraform-Manage-Bootstrap \
        --policy-arn arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess

    aws --profile superuser iam attach-role-policy \
        --role-name Terraform-Manage-Bootstrap \
        --policy-arn arn:aws:iam::aws:policy/AWSCertificateManagerFullAccess

Configure group policies:

    aws --profile superuser iam put-group-policy \
        --group-name Terraform-Bootstrap \
        --policy-name Terraform-Manage-Bootstrap \
        --policy-document file://policies/assume-role-manage-boostrap.json

Create a user "BootstrapAdmin", assign a group, create an access key, and create a profile:

    ./create-user.sh --profile=superuser --user-profile=bootstrap-admin \
      --user-name=BootstrapAdmin --group-name=Terraform-Bootstrap --region=${YOUR_AWS_REGION}

Create a user "SecurityAdmin", assign a group, create an access key, and create a profile:

    ./create-user.sh --profile=superuser --user-profile=security-admin \
      --user-name=SecurityAdmin --group-name=Terraform-Security --region=${YOUR_AWS_REGION}

Create a user "NetworksAdmin", assign a group, create an access key, and create a profile:

    ./create-user.sh --profile=superuser --user-profile=networks-admin \
      --user-name=NetworksAdmin --group-name=Terraform-Networks --region=${YOUR_AWS_REGION}

Create a user "ServersAdmin", assign a group, create an access key, and create a profile:

    ./create-user.sh --profile=superuser --user-profile=servers-admin \
      --user-name=ServersAdmin --group-name=Terraform-Servers --region=${YOUR_AWS_REGION}

Create a user "ClustersAdmin", assign a group, create an access key, and create a profile:

    ./create-user.sh --profile=superuser --user-profile=clusters-admin \
      --user-name=ClustersAdmin --group-name=Terraform-Clusters --region=${YOUR_AWS_REGION}

Create a user "Packer", assign a group, create an access key, and create a profile:

    ./create-user.sh --profile=superuser --user-profile=packer \
      --user-name=Packer --group-name=Packer-Build --region=${YOUR_AWS_REGION}

Create a user "Developer", assign a group, create an access key, and create a profile:

    ./create-user.sh --profile=superuser --user-profile=developer \
      --user-name=Developer --group-name=Developers --region=${YOUR_AWS_REGION}

Ensure you have created two certificates (one for public servers and the other for private servers):

    aws --profile bootstrap-admin acm request-certificate --domain-name '*.${YOUR_ZONE_NAME}' --validation-method DNS
    aws --profile bootstrap-admin acm request-certificate --domain-name '*.internal.${YOUR_ZONE_NAME}' --validation-method DNS

Initialize Terraform state:

    ./terraform-state.sh --profile=bootstrap-admin --account=${YOUR_AWS_ACCOUNT_ID} --region=${YOUR_AWS_REGION} --bucket=${YOUR_TERRAFORM_BUCKET_NAME}

Configure Terragrunt script (see script for additional configuration parameters):

    ./terragrunt-configure.sh --region=${YOUR_AWS_REGION} \
      --terraform-bucket-name=${YOUR_TERRAFORM_BUCKET_NAME} --openvpn-bucket-name=${YOUR_OPENVPN_BUCKET_NAME} \
      --hosted-zone-id=${YOUR_ROUTE53_ZONE_ID} --hosted-zone-name=${YOUR_ROUTE53_ZONE_NAME} \
      --keys-path=${YOUR_KEYS_PATH} --environment=prod --colour=green

Create bootstrap resources:

    ./terragrunt-run.sh --profile=bootstrap-admin --account=${YOUR_AWS_ACCOUNT_ID} --region=${YOUR_AWS_REGION} --bucket=${YOUR_TERRAFORM_BUCKET_NAME} --module=bootstrap


## Security

We can now create the remaining groups, roles, and policies for managing the infrastructure.
We will run Terraform using a role that has the minimum required permissions for performing the task.

Create resources:

    ./terragrunt-run.sh --profile=security-admin --account=${YOUR_AWS_ACCOUNT_ID} --region=${YOUR_AWS_REGION} --bucket=${YOUR_TERRAFORM_BUCKET_NAME} --module=security


## Networks

We can now create the required VPCs, subnets, and routing tables for the infrastructure.
We will run Terraform using a role that has the minimum required permissions for performing the task.

Create resources:

    ./terragrunt-run.sh --profile=networks-admin --account=${YOUR_AWS_ACCOUNT_ID} --region=${YOUR_AWS_REGION} --bucket=${YOUR_TERRAFORM_BUCKET_NAME} --module=vpcs
    ./terragrunt-run.sh --profile=networks-admin --account=${YOUR_AWS_ACCOUNT_ID} --region=${YOUR_AWS_REGION} --bucket=${YOUR_TERRAFORM_BUCKET_NAME} --module=subnets


## Servers

We can now create the required servers to access the machines in the private networks.
We will run Terraform using a role that has the minimum required permissions for performing the task.

Build AMI images (you will need one of the SSH keys):

    PACKER_BUILD_SUBNET=$(./query-subnet.sh --profile=networks-admin --key="bastion-public-subnet-a-id" --region=${YOUR_AWS_REGION} --bucket=${YOUR_TERRAFORM_BUCKET_NAME})
    ./build-image.sh --profile=packer --account=${YOUR_AWS_ACCOUNT_ID} --region=${YOUR_AWS_REGION} --subnet=${PACKER_BUILD_SUBNET} --ssh-key=prod-green-packer --image=openvpn --version=1.0
    ./build-image.sh --profile=packer --account=${YOUR_AWS_ACCOUNT_ID} --region=${YOUR_AWS_REGION} --subnet=${PACKER_BUILD_SUBNET} --ssh-key=prod-green-packer --image=server --version=1.0

Create bucket for OpenVPN secrets:

    ./openvpn-init-secrets.sh --profile=bootstrap-admin --account=${YOUR_AWS_ACCOUNT_ID} --region=${YOUR_AWS_REGION} --bucket=${YOUR_OPENVPN_BUCKET_NAME}

Create resources:

    ./terragrunt-run.sh --profile=servers-admin --account=${YOUR_AWS_ACCOUNT_ID} --region=${YOUR_AWS_REGION} --bucket=${YOUR_TERRAFORM_BUCKET_NAME} --module=keys
    ./terragrunt-run.sh --profile=servers-admin --account=${YOUR_AWS_ACCOUNT_ID} --region=${YOUR_AWS_REGION} --bucket=${YOUR_TERRAFORM_BUCKET_NAME} --module=bastion
    ./terragrunt-run.sh --profile=servers-admin --account=${YOUR_AWS_ACCOUNT_ID} --region=${YOUR_AWS_REGION} --bucket=${YOUR_TERRAFORM_BUCKET_NAME} --module=openvpn
    ./terragrunt-run.sh --profile=servers-admin --account=${YOUR_AWS_ACCOUNT_ID} --region=${YOUR_AWS_REGION} --bucket=${YOUR_TERRAFORM_BUCKET_NAME} --module=servers

Download OpenVPN secrets (it might take some time for the server to create the secrets):

    ./openvpn-get-secrets.sh --profile=bootstrap-admin --account=${YOUR_AWS_ACCOUNT_ID} --region=${YOUR_AWS_REGION} --bucket=${YOUR_OPENVPN_BUCKET_NAME}

Use the client.pvpn file to configure OpenVPN Connect and access the EC2 machines.

After connecting to the VPN run the command:

    ssh -i keys/prod-green-server.pem ubuntu@<the_private_ip_address_or_hostname_of_ec2_machine>

You can access the bastion machine without VPN:

    ssh -i keys/prod-green-bastion.pem ubuntu@prod-green-bastion.${YOUR_ZONE_NAME}


## Clusters

We can now create the Kubernetes cluster and related resources, including load balancers.
We will run Terraform using a role that has the minimum required permissions for performing the task.

Create resources:

    ./terragrunt-run.sh --profile=clusters-admin --account=${YOUR_AWS_ACCOUNT_ID} --region=${YOUR_AWS_REGION} --bucket=${YOUR_TERRAFORM_BUCKET_NAME} --module=k8s
    ./terragrunt-run.sh --profile=clusters-admin --account=${YOUR_AWS_ACCOUNT_ID} --region=${YOUR_AWS_REGION} --bucket=${YOUR_TERRAFORM_BUCKET_NAME} --module=lbs

Get Kubernetes config:

    ./k8s-get-config.sh --profile=clusters-admin --account=${YOUR_AWS_ACCOUNT_ID} --region=${YOUR_AWS_REGION} --cluster=prod-green-k8s --role=Developers

Configure namespace:

    ./k8s-configure-namespace.sh --profile=clusters-admin --account=${YOUR_AWS_ACCOUNT_ID} --region=${YOUR_AWS_REGION} --cluster=prod-green-k8s --namespace=test

Configure role:

    ./k8s-configure-role.sh --profile=clusters-admin --account=${YOUR_AWS_ACCOUNT_ID} --region=${YOUR_AWS_REGION} --cluster=prod-green-k8s --namespace=test --role=Developers

Get Kubernetes config as user "Developer":

    ./k8s-get-config.sh --profile=developer --account=${YOUR_AWS_ACCOUNT_ID} --region=${YOUR_AWS_REGION} --cluster=prod-green-k8s --role=Developers

Access Kubernetes as user "Developer":

    AWS_PROFILE=developer kubectl -n test get pod

See the Kubernetes documentation about [authorization](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) to configure the permissions for the role (Developers in this case).


## Notes

Disable the access keys you don't use to increase security (an IAM user can have at most two access keys; check the output of list-access-keys and repeat for any other key):

    USER_ACCESS_KEY_ID=$(aws --profile superuser iam list-access-keys --user-name BootstrapAdmin | jq -r ".AccessKeyMetadata[0].AccessKeyId")
    aws --profile superuser iam update-access-key --access-key-id ${USER_ACCESS_KEY_ID} --status Inactive --user-name BootstrapAdmin

Configure password policy:

    aws --profile superuser iam update-account-password-policy --minimum-password-length 8 \
      --require-numbers --require-uppercase-characters --require-lowercase-characters --require-symbols --max-password-age 30

A minimum length of 8 is a low bar: a longer minimum combined with the MFA setup below protects console users better than a 30-day rotation, which mostly encourages predictable variations of the same password.

Create an AWS console user and enable MFA (replace `password` with a strong one-time value; `--password-reset-required` forces the user to change it at first sign-in):

    aws --profile superuser iam create-user --user-name SomeUser
    aws --profile superuser iam create-login-profile --user-name SomeUser --password-reset-required --password password
    aws --profile superuser iam create-virtual-mfa-device --virtual-mfa-device-name someuser-mfa-device --outfile QRCode.png --bootstrap-method QRCodePNG
    aws --profile superuser iam enable-mfa-device --user-name SomeUser --serial-number arn:aws:iam::${YOUR_AWS_ACCOUNT_ID}:mfa/someuser-mfa-device --authentication-code1 ${FIRST_CODE} --authentication-code2 ${SECOND_CODE}

Create an administrators group:

    aws --profile superuser iam create-group --group-name Administrators
    aws --profile superuser iam attach-group-policy --group-name Administrators --policy-arn arn:aws:iam::aws:policy/IAMFullAccess
    aws --profile superuser iam attach-group-policy --group-name Administrators --policy-arn arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess
    aws --profile superuser iam attach-group-policy --group-name Administrators --policy-arn arn:aws:iam::aws:policy/AmazonVPCReadOnlyAccess
    aws --profile superuser iam attach-group-policy --group-name Administrators --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
    aws --profile superuser iam attach-group-policy --group-name Administrators --policy-arn arn:aws:iam::aws:policy/IAMAccessAnalyzerReadOnlyAccess
    aws --profile superuser iam attach-group-policy --group-name Administrators --policy-arn arn:aws:iam::aws:policy/AWSCertificateManagerReadOnly
    aws --profile superuser iam attach-group-policy --group-name Administrators --policy-arn arn:aws:iam::aws:policy/AmazonRoute53ReadOnlyAccess
    aws --profile superuser iam attach-group-policy --group-name Administrators --policy-arn arn:aws:iam::aws:policy/AmazonDynamoDBReadOnlyAccess
    aws --profile superuser iam attach-group-policy --group-name Administrators --policy-arn arn:aws:iam::aws:policy/AWSBillingReadOnlyAccess
    aws --profile superuser iam attach-group-policy --group-name Administrators --policy-arn arn:aws:iam::${YOUR_AWS_ACCOUNT_ID}:policy/EKS-Console

Add an administrator user:

    aws --profile superuser iam add-user-to-group --user-name SomeUser --group-name Administrators

Allow a user to decode authorization messages:

    aws --profile superuser iam attach-user-policy --user-name Superuser --policy-arn arn:aws:iam::${YOUR_AWS_ACCOUNT_ID}:policy/Decode-Authorization-Message

Decode authorization messages to debug permission issues:

    ./decode-message.sh --profile=bootstrap --account=${YOUR_AWS_ACCOUNT_ID} --message=${THE_ENCODED_MESSAGE}

Remove access to the Kubernetes cluster for a role:

    eksctl delete iamidentitymapping --cluster prod-green-k8s --region=${YOUR_AWS_REGION} --arn arn:aws:iam::${YOUR_AWS_ACCOUNT_ID}:role/Test-Developers

Restrict access to OpenVPN bucket to increase security:

    cat <<EOF >policies/bucket-openvpn-deny-access.json
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:*",
          "Resource": [
            "arn:aws:s3:::${YOUR_OPENVPN_BUCKET_NAME}",
            "arn:aws:s3:::${YOUR_OPENVPN_BUCKET_NAME}/*"
          ],
          "Condition": {
            "Bool": {
              "aws:SecureTransport": "false"
            }
          }
        },
        {
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:*",
          "Resource": [
            "arn:aws:s3:::${YOUR_OPENVPN_BUCKET_NAME}",
            "arn:aws:s3:::${YOUR_OPENVPN_BUCKET_NAME}/*"
          ],
          "Condition": {
            "StringNotLike": {
              "aws:userId": [
                "$(aws --profile superuser iam get-role --role-name Terraform-Manage-Bootstrap | jq -r '.Role.RoleId'):*",
                "$(aws --profile superuser iam get-role --role-name Terraform-Manage-Servers | jq -r '.Role.RoleId'):*",
                "$(aws --profile superuser iam get-user --user-name Superuser | jq -r '.User.UserId')",
                "${YOUR_AWS_ACCOUNT_ID}"
              ]
            }
          }
        }
      ]
    }
    EOF

    export $(./assume-role.sh --profile=bootstrap-admin --account=${YOUR_AWS_ACCOUNT_ID} --role=Terraform-Manage-Bootstrap)
    aws s3api put-bucket-policy --bucket ${YOUR_OPENVPN_BUCKET_NAME} --policy file://policies/bucket-openvpn-deny-access.json
    aws s3api put-public-access-block --bucket ${YOUR_OPENVPN_BUCKET_NAME} --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"

The second statement denies every principal whose `aws:userId` is not on the list, and an explicit Deny cannot be overridden by any Allow,
so a mistake in the list locks out the roles that manage the bucket. Role sessions present `aws:userId` as `<RoleId>:<session-name>`,
which is why the role IDs carry a `:*` suffix; the bare account ID is the `aws:userId` of the root user and is the escape hatch that
lets you replace a broken policy. Inspect the generated file before applying it.

Restrict access to Terraform bucket to increase security:

    cat <<EOF >policies/bucket-terraform-deny-access.json
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:*",
          "Resource": [
            "arn:aws:s3:::${YOUR_TERRAFORM_BUCKET_NAME}",
            "arn:aws:s3:::${YOUR_TERRAFORM_BUCKET_NAME}/*"
          ],
          "Condition": {
            "Bool": {
              "aws:SecureTransport": "false"
            }
          }
        },
        {
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:*",
          "Resource": [
            "arn:aws:s3:::${YOUR_TERRAFORM_BUCKET_NAME}",
            "arn:aws:s3:::${YOUR_TERRAFORM_BUCKET_NAME}/*"
          ],
          "Condition": {
            "StringNotLike": {
              "aws:userId": [
                "$(aws --profile superuser iam get-role --role-name Terraform-Manage-Bootstrap | jq -r '.Role.RoleId'):*",
                "$(aws --profile superuser iam get-role --role-name Terraform-Manage-Security | jq -r '.Role.RoleId'):*",
                "$(aws --profile superuser iam get-role --role-name Terraform-Manage-Networks | jq -r '.Role.RoleId'):*",
                "$(aws --profile superuser iam get-role --role-name Terraform-Manage-Servers | jq -r '.Role.RoleId'):*",
                "$(aws --profile superuser iam get-role --role-name Terraform-Manage-Clusters | jq -r '.Role.RoleId'):*",
                "$(aws --profile superuser iam get-user --user-name Superuser | jq -r '.User.UserId')",
                "${YOUR_AWS_ACCOUNT_ID}"
              ]
            }
          }
        }
      ]
    }
    EOF

    export $(./assume-role.sh --profile=bootstrap-admin --account=${YOUR_AWS_ACCOUNT_ID} --role=Terraform-Manage-Bootstrap)
    aws s3api put-bucket-policy --bucket ${YOUR_TERRAFORM_BUCKET_NAME} --policy file://policies/bucket-terraform-deny-access.json
    aws s3api put-public-access-block --bucket ${YOUR_TERRAFORM_BUCKET_NAME} --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"


## Reference documentation

- https://www.terraform.io/language
- https://terragrunt.gruntwork.io/docs/
- https://stedolan.github.io/jq/manual/v1.6/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs
- https://terragrunt.gruntwork.io/docs/getting-started/quick-start/
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/index.html
- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html
- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_permissions-to-switch.html#roles-usingrole-createpolicy
- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html
- https://aws.amazon.com/premiumsupport/knowledge-center/eks-iam-permissions-namespaces/
- https://aws.amazon.com/blogs/containers/de-mystifying-cluster-networking-for-amazon-eks-worker-nodes/
- https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html
- https://docs.aws.amazon.com/vpc/latest/userguide/vpc-policy-examples.html
- https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html
- https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html
- https://docs.aws.amazon.com/eks/latest/userguide/dashboard-tutorial.html
- https://docs.aws.amazon.com/eks/latest/userguide/private-clusters.html
- https://docs.aws.amazon.com/eks/latest/userguide/autoscaling.html#cluster-autoscaler
- https://docs.aws.amazon.com/eks/latest/userguide/choosing-instance-type.html
- https://docs.aws.amazon.com/eks/latest/userguide/cni-iam-role.html
- https://docs.aws.amazon.com/eks/latest/userguide/update-stack.html
- https://docs.aws.amazon.com/eks/latest/userguide/create-node-role.html
- https://docs.aws.amazon.com/eks/latest/userguide/worker.html
- https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node
- https://cloud-images.ubuntu.com/aws-eks/amazon-eks-ubuntu-nodegroup.yaml
- https://github.com/awslabs/amazon-eks-ami/blob/master/amazon-eks-nodegroup.yaml
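## Checking the bucket policies before applying them

The OpenVPN and Terraform bucket policies in the Notes above share one shape: a Deny on plaintext transport, and a Deny on every `aws:userId` that is not on an explicit list. Because an explicit Deny wins over every Allow, the list is worth checking offline before `put-bucket-policy` runs. The following Python is an added example, not code from this repository: it builds the same policy document from a list of role and user IDs and simulates how S3 evaluates the two conditions against a request context. The account ID, role IDs and user IDs are constructed placeholders (real role IDs start with `AROA`, user IDs with `AIDA`), and the evaluator models only the two condition operators the policy uses.

```python
"""Simulate the two Deny statements used for the OpenVPN and Terraform buckets,
so the aws:userId list can be checked before it is applied.
Added example, not part of the repository; all IDs below are constructed."""
import fnmatch
import json

# Constructed placeholders: real role IDs start with AROA, user IDs with AIDA,
# and the root user's aws:userId is the bare 12-digit account ID.
ACCOUNT_ID = "123456789012"
BOOTSTRAP_ROLE_ID = "AROAEXAMPLEBOOTSTRAP"
SERVERS_ROLE_ID = "AROAEXAMPLESERVERS"
CLUSTERS_ROLE_ID = "AROAEXAMPLECLUSTERS"
SUPERUSER_ID = "AIDAEXAMPLESUPERUSER"
DEVELOPER_ID = "AIDAEXAMPLEDEVELOPER"
BUCKET = "example-openvpn-bucket"


def build_bucket_policy(bucket, role_ids, user_ids, account_id):
    """Same document as the README heredocs, generalised to any roles/users.

    Role sessions present aws:userId as "<RoleId>:<session-name>", hence the
    ":*" suffix; IAM users present their bare user ID; the root user presents
    the account ID, which stays on the list as the escape hatch."""
    resources = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    permitted = [f"{rid}:*" for rid in role_ids] + list(user_ids) + [account_id]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # 1. refuse plaintext HTTP, whoever the caller is
                "Effect": "Deny", "Principal": "*", "Action": "s3:*",
                "Resource": resources,
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {   # 2. refuse every identity that is not on the list
                "Effect": "Deny", "Principal": "*", "Action": "s3:*",
                "Resource": resources,
                "Condition": {"StringNotLike": {"aws:userId": permitted}},
            },
        ],
    }


def _condition_holds(condition, ctx):
    """Evaluate a Condition block against a request context (all keys ANDed)."""
    for operator, pairs in condition.items():
        for key, values in pairs.items():
            values = values if isinstance(values, list) else [values]
            actual = ctx.get(key)
            if operator == "Bool":
                # positive operator: a missing key never matches
                if actual is None or str(actual).lower() != str(values[0]).lower():
                    return False
            elif operator == "StringNotLike":
                # negated operator: holds only if the value matches none of the
                # patterns ("*" and "?" wildcards); a missing key counts as holding
                if actual is not None and any(
                    fnmatch.fnmatchcase(actual, pat) for pat in values
                ):
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def denied_by(policy, ctx):
    """Return the index of the first Deny statement that applies, or None.

    An explicit Deny overrides any Allow, so None only means "not blocked by
    this bucket policy"; the caller still needs an Allow from somewhere."""
    for i, stmt in enumerate(policy["Statement"]):
        if stmt["Effect"] == "Deny" and _condition_holds(stmt.get("Condition", {}), ctx):
            return i
    return None


def policy_json(policy):
    """Rendered the way the AWS CLI expects it for --policy file://..."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    policy = build_bucket_policy(BUCKET, [BOOTSTRAP_ROLE_ID, SERVERS_ROLE_ID],
                                 [SUPERUSER_ID], ACCOUNT_ID)
    cases = {
        "servers role over TLS": {"aws:userId": f"{SERVERS_ROLE_ID}:terraform", "aws:SecureTransport": "true"},
        "servers role over HTTP": {"aws:userId": f"{SERVERS_ROLE_ID}:terraform", "aws:SecureTransport": "false"},
        "root user": {"aws:userId": ACCOUNT_ID, "aws:SecureTransport": "true"},
        "developer user": {"aws:userId": DEVELOPER_ID, "aws:SecureTransport": "true"},
        "clusters role (not listed)": {"aws:userId": f"{CLUSTERS_ROLE_ID}:terraform", "aws:SecureTransport": "true"},
    }
    for name, ctx in cases.items():
        print(f"{name:28s} -> denied by statement {denied_by(policy, ctx)}")
```

The last case is the lock-out scenario from the Notes: a role that does the work but was left off the list is denied even if its own IAM policy allows `s3:*`. Building the list with a bare role ID instead of `<RoleId>:*` has the same effect, because the session's `aws:userId` never equals the bare ID.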