https://github.com/glueops/terraform-module-cloud-multy-prerequisites
This Terraform module creates and manages multi-cloud prerequisites, including Route53 zones, IAM credentials, and S3 buckets. It also deploys tenant repositories with necessary configurations for deploying the GlueOps Platform on Kubernetes.
- Host: GitHub
- URL: https://github.com/glueops/terraform-module-cloud-multy-prerequisites
- Owner: GlueOps
- Created: 2023-01-21T01:13:22.000Z (about 3 years ago)
- Default Branch: main
- Last Pushed: 2025-03-28T00:31:43.000Z (11 months ago)
- Last Synced: 2025-03-28T11:44:07.174Z (11 months ago)
- Topics: aws, cloud-prerequisites, glueops-platform, kubernetes, kubernetes-deployment, multi-cloud, multicloud, multy, multy-cloud, route53, s3, terraform, terraform-module
- Language: HCL
- Homepage:
- Size: 431 KB
- Stars: 0
- Watchers: 4
- Forks: 0
- Open Issues: 6
Metadata Files:
- Readme: README.md
README
# terraform-module-cloud-multy-prerequisites
This Terraform module creates various resources for managing multi-cloud prerequisites, such as Route53 zones, IAM credentials, and S3 buckets.
The module also deploys a `tenant` repository with the necessary configuration files and instructions for deploying the GlueOps Platform on Kubernetes.
## Prerequisite Prerequisites
Some dependencies for this module must be created prior to its use, including:
1. Tenant Account, generally created via Terraform in the same repository where this module is deployed, at `/organization/tf/main.tf`.
2. [GitHub OAuth APP](https://github.com/GlueOps/docs-github-apps/blob/main/github_oauth_app.md)
3. [GitHub App](https://github.com/GlueOps/docs-github-apps/blob/main/github_app.md)
## Overview of what this module produces
1. **Parent Route53 Zone per Tenant**: Creates a parent Route53 zone for each tenant.
2. **Route53 Zones per Cluster**: Creates a Route53 zone for each cluster.
   - **IAM Credentials for Cert-Manager**: Generates IAM credentials that allow cert-manager to access a specific cluster's Route53 zone.
   - **IAM Credentials for External-DNS**: Generates IAM credentials that allow external-dns to access a specific cluster's Route53 zone.
3. **S3 Bucket for Backups**: Creates a single S3 bucket for storing backups.
   - **IAM Credentials for Vault Backups**: Generates IAM credentials that allow Vault to back up data to the S3 backup bucket.
4. **S3 Buckets for Loki Log Retention**: Creates one or more S3 buckets dedicated to Loki for log retention.
   - **IAM Credentials per Bucket for Loki**: Generates IAM credentials for each Loki S3 bucket.
5. **OpsGenie API Key**: Creates an OpsGenie API key.
   - **API Key per Cluster**: Generates an API key for each cluster.
6. **Tenant GitHub Repository**: Creates a tenant repository for managing a GlueOps Platform Kubernetes cluster.
## Requirements
| Name | Version |
|------|---------|
| [autoglue](#requirement\_autoglue) | 0.10.0 |
## Providers
| Name | Version |
|------|---------|
| [autoglue](#provider\_autoglue) | 0.10.0 |
| [aws.clientaccount](#provider\_aws.clientaccount) | n/a |
| [aws.management-tenant-dns](#provider\_aws.management-tenant-dns) | n/a |
| [random](#provider\_random) | n/a |
## Modules
| Name | Source | Version |
|------|--------|---------|
| [argocd\_helm\_values](#module\_argocd\_helm\_values) | git::https://github.com/GlueOps/docs-argocd.git | v0.18.1 |
| [captain\_repository](#module\_captain\_repository) | ./modules/github-captain-repository/0.1.0 | n/a |
| [captain\_repository\_files](#module\_captain\_repository\_files) | ./modules/github-captain-repository-files/0.1.0 | n/a |
| [common\_s3](#module\_common\_s3) | ./modules/multy-s3-bucket/0.1.0 | n/a |
| [common\_s3\_v2](#module\_common\_s3\_v2) | ./modules/multy-s3-bucket/0.2.0 | n/a |
| [dnssec\_key](#module\_dnssec\_key) | git::https://github.com/GlueOps/terraform-module-cloud-aws-dnssec-kms-key.git | v0.3.0 |
| [generate\_gluekube\_creds](#module\_generate\_gluekube\_creds) | ./modules/gluekube/0.1.0 | n/a |
| [glueops\_platform\_helm\_values](#module\_glueops\_platform\_helm\_values) | git::https://github.com/GlueOps/platform-helm-chart-platform.git | v0.69.2 |
| [glueops\_platform\_versions](#module\_glueops\_platform\_versions) | ./modules/platform-chart-version/0.1.0 | n/a |
| [loki\_s3](#module\_loki\_s3) | ./modules/multy-s3-bucket/0.1.0 | n/a |
| [tenant\_cluster\_versions](#module\_tenant\_cluster\_versions) | ./modules/kubernetes-versions/0.1.0 | n/a |
| [tenant\_readmes](#module\_tenant\_readmes) | ./modules/tenant-readme/0.1.0 | n/a |
## Resources
| Name | Type |
|------|------|
| autoglue_credential.route53 | resource |
| [aws_iam_access_key.autoglue](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource |
| [aws_iam_access_key.certmanager_v2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource |
| [aws_iam_access_key.externaldns_v2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource |
| [aws_iam_access_key.loki_s3_v2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource |
| [aws_iam_access_key.tls_cert_backup_s3_v2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource |
| [aws_iam_access_key.tls_cert_restore_s3_v2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource |
| [aws_iam_access_key.vault_init_s3_v2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource |
| [aws_iam_access_key.vault_s3_backup_v2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource |
| [aws_iam_policy.loki_s3_v2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.route53_autoglue](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.route53_v2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.tls_cert_backup_s3_v2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.tls_cert_restore_s3_v2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.vault_init_s3_v2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.vault_s3_backup_v2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_user.autoglue](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
| [aws_iam_user.certmanager_v2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
| [aws_iam_user.externaldns_v2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
| [aws_iam_user.loki_s3_v2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
| [aws_iam_user.tls_cert_backup_s3_v2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
| [aws_iam_user.tls_cert_restore_s3_v2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
| [aws_iam_user.vault_init_s3_v2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
| [aws_iam_user.vault_s3_backup_v2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
| [aws_iam_user_policy_attachment.autoglue](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy_attachment) | resource |
| [aws_iam_user_policy_attachment.certmanager_v2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy_attachment) | resource |
| [aws_iam_user_policy_attachment.externaldns_v2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy_attachment) | resource |
| [aws_iam_user_policy_attachment.loki_s3_v2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy_attachment) | resource |
| [aws_iam_user_policy_attachment.tls_cert_backup_s3_v2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy_attachment) | resource |
| [aws_iam_user_policy_attachment.tls_cert_restore_s3_v2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy_attachment) | resource |
| [aws_iam_user_policy_attachment.vault_init_s3_v2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy_attachment) | resource |
| [aws_iam_user_policy_attachment.vault_s3_backup_v2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy_attachment) | resource |
| [aws_route53_hosted_zone_dnssec.cluster_zones](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_hosted_zone_dnssec) | resource |
| [aws_route53_hosted_zone_dnssec.parent_tenant_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_hosted_zone_dnssec) | resource |
| [aws_route53_key_signing_key.cluster_zones](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_key_signing_key) | resource |
| [aws_route53_key_signing_key.parent_tenant_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_key_signing_key) | resource |
| [aws_route53_record.cluster_zone_dnssec_records](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
| [aws_route53_record.cluster_zone_ns_records](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
| [aws_route53_record.delegation_to_parent_tenant_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
| [aws_route53_record.enable_dnssec_for_parent_tenant_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
| [aws_route53_record.wildcard_for_apps](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
| [aws_route53_zone.clusters](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone) | resource |
| [aws_route53_zone.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone) | resource |
| [random_password.dex_argocd_client_secret](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
| [random_password.dex_grafana_client_secret](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
| [random_password.dex_oauth2_client_secret](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
| [random_password.dex_oauth2_cookie_secret](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
| [random_password.dex_vault_client_secret](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
| [random_password.grafana_admin_secret](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
| [random_uuid.autoglue_aws_iam_user](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/uuid) | resource |
| [random_uuid.certmanager_v2_aws_iam_user](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/uuid) | resource |
| [random_uuid.externaldns_v2_aws_iam_user](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/uuid) | resource |
| [random_uuid.loki_v2_aws_iam_policy](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/uuid) | resource |
| [random_uuid.loki_v2_aws_iam_user](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/uuid) | resource |
| [random_uuid.route53_autoglue_aws_iam_policy](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/uuid) | resource |
| [random_uuid.route53_v2_aws_iam_policy](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/uuid) | resource |
| [random_uuid.tls_cert_backup_s3_v2_aws_iam_policy](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/uuid) | resource |
| [random_uuid.tls_cert_backup_s3_v2_aws_iam_user](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/uuid) | resource |
| [random_uuid.tls_cert_restore_s3_v2_aws_iam_policy](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/uuid) | resource |
| [random_uuid.tls_cert_restore_s3_v2_aws_iam_user](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/uuid) | resource |
| [random_uuid.vault_init_s3_v2_aws_iam_policy](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/uuid) | resource |
| [random_uuid.vault_init_s3_v2_aws_iam_user](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/uuid) | resource |
| [random_uuid.vault_s3_backup_v2_aws_iam_policy](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/uuid) | resource |
| [random_uuid.vault_s3_backup_v2_aws_iam_user](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/uuid) | resource |
| [aws_route53_zone.management_tenant_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [autoglue\_credentials](#input\_autoglue\_credentials) | The autoglue credentials object | <pre>object({<br>  autoglue_key        = string<br>  autoglue_org_secret = string<br>  base_url            = string<br>})</pre> | n/a | yes |
| [backup\_region](#input\_backup\_region) | The secondary S3 region to create S3 bucket in used for backups. This should be different than the primary region and will have the data from the primary region replicated to it. | `string` | n/a | yes |
| [cluster\_environments](#input\_cluster\_environments) | The cluster environments and their respective github app ids | <pre>list(object({<br>  environment_name                      = string<br>  host_network_enabled                  = bool<br>  traefik_enable_internal_lb            = optional(bool, false)<br>  traefik_enable_public_lb              = optional(bool, true)<br>  ingress_nginx_enable_public_lb        = optional(bool, true)<br>  github_oauth_app_client_id            = string<br>  github_oauth_app_client_secret        = string<br>  github_tenant_app_id                  = string<br>  github_tenant_app_installation_id     = string<br>  github_tenant_app_b64enc_private_key  = string<br>  admin_github_org_name                 = string<br>  tenant_github_org_name                = string<br>  kubeadm_cluster                       = optional(bool, false)<br>  vault_github_org_team_policy_mappings = list(object({<br>    oidc_groups = list(string)<br>    policy_name = string<br>  }))<br>  argocd_rbac_policies                  = string<br>  provider_credentials                  = optional(map(any), null)<br>}))</pre> | <pre>[<br>  {<br>    "admin_github_org_name": "GlueOps",<br>    "argocd_rbac_policies": " g, GlueOps:argocd_super_admins, role:admin\n g, glueops-rocks:developers, role:developers\n p, role:developers, clusters, get, *, allow\n p, role:developers, *, get, development, allow\n p, role:developers, repositories, *, development/*, allow\n p, role:developers, applications, *, development/*, allow\n p, role:developers, exec, *, development/*, allow\n",<br>    "autoglue": null,<br>    "environment_name": "test",<br>    "github_oauth_app_client_id": "oauth-app-id",<br>    "github_oauth_app_client_secret": "oauth-app-secret",<br>    "github_tenant_app_b64enc_private_key": "tenant-github-app-b64enc-private-key",<br>    "github_tenant_app_id": "tenant-github-app-id",<br>    "github_tenant_app_installation_id": "tenant-github-app-installation-id",<br>    "host_network_enabled": true,<br>    "ingress_nginx_enable_public_lb": true,<br>    "kubeadm_cluster": false,<br>    "provider_credentials": null,<br>    "tenant_github_org_name": "glueops-rocks",<br>    "traefik_enable_internal_lb": false,<br>    "traefik_enable_public_lb": true,<br>    "vault_github_org_team_policy_mappings": [<br>      {<br>        "oidc_groups": [<br>          "GlueOps:vault_super_admins"<br>        ],<br>        "policy_name": "editor"<br>      },<br>      {<br>        "oidc_groups": [<br>          "GlueOps:vault_super_admins",<br>          "testing-okta:developers"<br>        ],<br>        "policy_name": "reader"<br>      }<br>    ]<br>  }<br>]</pre> | no |
| [github\_owner](#input\_github\_owner) | The GitHub Owner where the tenant repo will be deployed. | `string` | n/a | yes |
| [management\_tenant\_dns\_aws\_account\_id](#input\_management\_tenant\_dns\_aws\_account\_id) | The company AWS account id for the management-tenant-dns account | `string` | n/a | yes |
| [management\_tenant\_dns\_zoneid](#input\_management\_tenant\_dns\_zoneid) | The Route53 ZoneID that all the delegation is coming from. | `string` | n/a | yes |
| [opsgenie\_emails](#input\_opsgenie\_emails) | List of user email addresses | `list(string)` | `[]` | no |
| [primary\_region](#input\_primary\_region) | The primary S3 region to create S3 bucket in used for backups. This should be the same region as the one where the cluster is being deployed. | `string` | n/a | yes |
| [tenant\_account\_id](#input\_tenant\_account\_id) | The tenant AWS account id | `string` | n/a | yes |
| [tenant\_key](#input\_tenant\_key) | The tenant key | `string` | n/a | yes |
| [this\_is\_development](#input\_this\_is\_development) | The development cluster environment and data/resources can be destroyed! | `string` | `false` | no |
## Outputs
No outputs.
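As an added example (not code from the GlueOps repository), the following root-module snippet shows how a caller wires up the two aliased AWS providers this module expects and supplies its required inputs from the Inputs table, keeping every secret in `sensitive` variables rather than inline. The git ref, role ARNs, account IDs, zone ID, org names and the `var.*` variables are placeholders; the `autoglue` provider configuration is omitted because the README gives no provider source for it.

```hcl
# Added example, not the GlueOps repository's code; all literals are placeholders.
# The module expects two aliased AWS providers (see the Providers table): one for
# the tenant account, one for the account holding the parent Route53 zone.
provider "aws" {
  alias  = "clientaccount"
  region = "us-west-2"
  assume_role { role_arn = "arn:aws:iam::111111111111:role/PLACEHOLDER-tenant-admin" }
}

provider "aws" {
  alias  = "management-tenant-dns"
  region = "us-west-2"
  assume_role { role_arn = "arn:aws:iam::222222222222:role/PLACEHOLDER-dns-admin" }
}

module "cloud_prerequisites" {
  source = "git::https://github.com/GlueOps/terraform-module-cloud-multy-prerequisites.git?ref=PLACEHOLDER_TAG"
  providers = {
    aws.clientaccount         = aws.clientaccount
    aws.management-tenant-dns = aws.management-tenant-dns
  }

  # Required inputs; names and types follow the Inputs table above.
  tenant_key        = "example-tenant"
  tenant_account_id = "111111111111"
  github_owner      = "example-org"
  primary_region    = "us-west-2" # same region as the cluster
  backup_region     = "us-east-1" # must differ from primary_region (replication target)

  management_tenant_dns_aws_account_id = "222222222222"
  management_tenant_dns_zoneid         = "ZPLACEHOLDERZONEID"

  # Secrets come from input variables declared elsewhere with sensitive = true,
  # so they never appear in this file or in plan output.
  autoglue_credentials = var.autoglue_credentials

  cluster_environments = [{
    environment_name                     = "nonprod"
    host_network_enabled                 = true
    github_oauth_app_client_id           = var.github_oauth_app_client_id
    github_oauth_app_client_secret       = var.github_oauth_app_client_secret
    github_tenant_app_id                 = var.github_tenant_app_id
    github_tenant_app_installation_id    = var.github_tenant_app_installation_id
    github_tenant_app_b64enc_private_key = var.github_tenant_app_b64enc_private_key
    admin_github_org_name                = "example-admin-org"
    tenant_github_org_name               = "example-org"
    argocd_rbac_policies                 = "g, example-admin-org:argocd_super_admins, role:admin\n"
    vault_github_org_team_policy_mappings = [
      { oidc_groups = ["example-admin-org:vault_super_admins"], policy_name = "editor" },
    ]
  }]
}
```

Optional inputs such as `opsgenie_emails` and `this_is_development` keep their defaults here; the assumed-role providers mean no long-lived access keys for either AWS account need to live in the caller's configuration.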