|
|
## Step 2/4
|
|
|
### AWS
|
|
|
|
|
|
1. [Create a key pair](https://console.aws.amazon.com/ec2/v2/home?KeyPairs:) in the **region you intend to launch machines**, uploading your public ssh key (the one noted in the [Workstation](Workstation) section).
|
|
|
|
|
|
- Place the key pair name in `envs/your_env_folder/credentials.tf`, assigning it to `aws_key_name`.
|
|
|
`variable "aws_key_name" { default = "YOUR_KEY_NAME" }`
|
|
|
|
|
|
Next you'll create two user accounts: one that will manage the infrastructure and a bot user that will handle uploading/downloading from S3 on the machines. This is so you don't place a key with elevated access on the server itself: if a machine is compromised, the attacker gets the bot's S3 permissions and nothing more, and you can rotate one key without touching the other.
|
|
|
|
|
|
> Each user/bot created is provided an **AWS_ACCESS_KEY** and **AWS_SECRET_ACCESS_KEY** that you'll need in a moment; make note of all of them. The secret is shown only once, at creation time, and cannot be retrieved afterwards, only replaced.
|
|
|
|
|
|
|
|
|
2. [Create a User](https://console.aws.amazon.com/iamv2/home?#/users) (recommended admin/**AdministratorAccess**) that will manage the overall infrastructure.
|
|
|
- If the User is **given the AdministratorAccess** managed policy, your access key will have all of the below policies by default and does not need further configuration.
|
|
|
|
|
|
- If the User is **not given AdministratorAccess**, it **must** have the following **managed** policies:
|
|
|
>**AmazonS3FullAccess**: Upload and Download from S3.
|
|
|
>*TODO: Review if **all** s3 actions done by bot or not*
|
|
|
|
|
|
|
|
|
3. [Create a User](https://console.aws.amazon.com/iamv2/home?#/users) that will be a Bot user that will download/upload to s3.
|
|
|
|
|
|
- Bot user **must** have the following **managed** policy:
|
|
|
>**AmazonS3FullAccess**: Upload and Download from S3
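The TODO above asks whether the bot really needs every S3 action; since the bot's key is the one that ends up on the machines, the safer answer is to give it an inline policy scoped to the single bucket instead of the account-wide **AmazonS3FullAccess** managed policy. The script below is an added example, not part of this project; it assumes the bot only needs to list the bucket and get, put and delete objects in it (drop `s3:DeleteObject` if the bot never removes files), and that the admin user's credentials are in the environment when `attach_bot_policy` is run.

```shell
#!/usr/bin/env sh
# Added example (not the project's own code): emit a least-privilege inline
# policy for the bot user, scoped to ONE bucket, instead of AmazonS3FullAccess.
# Assumption: the bot only lists the bucket and gets/puts/deletes objects.

# Print the policy document for the given bucket.  Refuses empty names and
# wildcards so a typo cannot silently produce an account-wide grant.
bot_policy_json() {
  bucket="$1"
  case "$bucket" in
    ''|*'*'*) echo "bucket name required, no wildcards" >&2; return 1 ;;
  esac
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListOnlyThisBucket",
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
      "Resource": "arn:aws:s3:::${bucket}"
    },
    {
      "Sid": "ObjectReadWriteInThisBucket",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::${bucket}/*"
    }
  ]
}
EOF
}

# Guard run before attaching: no "s3:*" action, and every Resource must name
# exactly this bucket.  Returns 0 when the document is scoped.
policy_is_scoped() {
  bucket="$1"
  doc="$(bot_policy_json "$bucket")" || return 1
  case "$doc" in *'"s3:*"'*) return 1 ;; esac
  printf '%s\n' "$doc" | grep -q "\"arn:aws:s3:::${bucket}\"" || return 1
  printf '%s\n' "$doc" | grep -q "\"arn:aws:s3:::${bucket}/\*\"" || return 1
  ! printf '%s\n' "$doc" | grep '"Resource"' | grep -qv "arn:aws:s3:::${bucket}"
}

# Attach the document to the bot user as an inline policy.  Needs the admin
# user's credentials in the environment; not called automatically here.
attach_bot_policy() {
  user="$1"; bucket="$2"
  policy_is_scoped "$bucket" || return 1
  aws iam put-user-policy \
    --user-name "$user" \
    --policy-name "s3-${bucket}-rw" \
    --policy-document "$(bot_policy_json "$bucket")"
}

# Show the document that would be attached for the bucket named in step 5.
bot_policy_json "your_bucket_name"
```

Run `attach_bot_policy your_bot_user your_bucket_name` once the bucket from step 5 exists; the bot user then needs no managed policy at all. If the bot later fails with `AccessDenied`, add the specific action that failed rather than going back to the full-access policy.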
|
|
|
`variable "aws_bot_access_key" { default = "AWS_ACCESS_KEY" }`
|
|
|
`variable "aws_bot_secret_key" { default = "AWS_SECRET_ACCESS_KEY" }`
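The `default = "..."` form above is quick, but it means `credentials.tf` holds live keys and one careless `git add` publishes them. An added example (not part of this project) of a pre-commit guard that refuses such a file: it assumes access key IDs look like `AKIA`/`ASIA` plus 16 uppercase alphanumerics, that a secret is a 40-character `[A-Za-z0-9/+=]` value in a `*_secret_key` default, and that the cleaner layout is to declare the variables without defaults and supply them as `TF_VAR_aws_bot_access_key` / `TF_VAR_aws_bot_secret_key` environment variables (`sensitive = true` needs Terraform 0.14 or later). The sample files use AWS's documented dummy credentials, not real keys.

```shell
#!/usr/bin/env sh
# Added example (not the project's own code): a pre-commit guard so the admin
# and bot keys meant for credentials.tf never reach git history.  Key shapes
# are assumptions: AKIA/ASIA + 16 uppercase alphanumerics for the ID, a
# 40-character [A-Za-z0-9/+=] default for a *_secret_key variable.

# Return 0 when the file carries no literal key material, 1 otherwise.
credentials_file_is_clean() {
  f="$1"
  if grep -Eq '(^|[^0-9A-Z])(AKIA|ASIA)[0-9A-Z]{16}([^0-9A-Z]|$)' "$f"; then
    echo "refusing $f: looks like an AWS access key ID" >&2
    return 1
  fi
  if grep -Eq 'secret_key"[^}]*default *= *"[A-Za-z0-9/+=]{40}"' "$f"; then
    echo "refusing $f: looks like an AWS secret access key" >&2
    return 1
  fi
  return 0
}

# Hook body: check every staged .tf file.  Install by pointing
# .git/hooks/pre-commit at this script (location of the script is up to you).
precommit_guard() {
  rc=0
  for f in $(git diff --cached --name-only --diff-filter=ACM -- '*.tf'); do
    credentials_file_is_clean "$f" || rc=1
  done
  return $rc
}

# Constructed samples in a temp dir.  bad.tf hardcodes keys the way the
# quick-start variables do (AWS's documented dummy values, not live keys);
# good.tf declares the variables with no default, to be filled from
# TF_VAR_aws_bot_access_key / TF_VAR_aws_bot_secret_key at run time.
make_samples() {
  dir="$(mktemp -d)"
  cat >"$dir/bad.tf" <<'EOF'
variable "aws_bot_access_key" { default = "AKIAIOSFODNN7EXAMPLE" }
variable "aws_bot_secret_key" { default = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" }
EOF
  cat >"$dir/good.tf" <<'EOF'
variable "aws_bot_access_key" {
  type      = string
  sensitive = true
}
variable "aws_bot_secret_key" {
  type      = string
  sensitive = true
}
EOF
  printf '%s\n' "$dir"
}

# Demonstrate on both samples (the "if" keeps a failing check from aborting).
samples="$(make_samples)"
for f in "$samples/good.tf" "$samples/bad.tf"; do
  if credentials_file_is_clean "$f" 2>/dev/null; then
    echo "ok:      $f"
  else
    echo "blocked: $f"
  fi
done
```

Even with the guard in place, add `credentials.tf` to `.gitignore` if you keep using defaults; the hook is a second line of defence, not a reason to commit the file.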
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
5. [Create an AWS S3 bucket](https://s3.console.aws.amazon.com/s3/home) in the **region you intend to launch machines**.
|
|
|
- The bucket **does not** need public access; leave the default Block Public Access settings on.
|
|
|
- Assign the name to `aws_bucket_name`.
|
|
|
`variable "aws_bucket_name" { default = "your_bucket_name" }`
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
> The steps below assume a little familiarity with AWS and are not required if you are only testing or standing up temporary infrastructure; in that case continue to the [Remote backend](#remote-backend-optional) or [Domain](domain) section and come back later. What they do is pin a fixed set of name servers to a placeholder domain, so you only have to change any new domain's name servers once; the set persists through `terraform destroy`.
|
|
|
|
|
|
> If you want to pin name servers for several domains (AWS assigns name servers from a large pool and hands out a new set whenever a hosted zone is destroyed and recreated), you have two options: one using the aws cli and the other terraform. Both require keeping a single placeholder hosted zone with a reusable delegation set. NOTE: AWS bills every hosted zone monthly (USD 0.50 each for the first 25 zones), so the placeholder zone is a standing cost.
|
|
|
|
|
|
|
|
|
6. Next, create a placeholder hosted zone and turn its name servers into a `reusable_delegation_set`: a fixed set of name servers you point your domain at in later steps. The first option uses the aws cli (no terraform, less complicated overall):
|
|
|
- Create a "placeholder" [hosted zone](https://console.aws.amazon.com/route53/v2/hostedzones#) (domain does not need to exist).
|
|
|
- Get the Hosted Zone ID (shown under "Hosted zone details" right after creating, or adjust the table at the [hosted zone list](https://console.aws.amazon.com/route53/v2/hostedzones#) to show the full ID).
|
|
|
- With the aws cli tool ([AWS Cloudshell](https://console.aws.amazon.com/cloudshell/home) works), enter the following command replacing YOUR_ZONE_ID with the Hosted Zone ID. The caller reference must be unique per request (the account remembers every one it has seen), so don't use a fixed string you might submit twice:
|
|
|
|
|
|
`aws route53 create-reusable-delegation-set --caller-reference="placeholder-$(date -u +%Y%m%dT%H%M%SZ)" --hosted-zone-id="YOUR_ZONE_ID"`
|
|
|
|
|
|
- Finally, take the ID from the `DelegationSet.Id` field of the response. It is returned as `/delegationset/<ID>`; use only the `<ID>` part and place it in `envs/your_env_folder/vars.tf`, assigning it to `placeholder_reusable_delegationset_id`.
|
|
|
|
|
|
`variable "placeholder_reusable_delegationset_id" { default = "ID_CREATED_FROM_COMMAND" }`
|
|
|
|
|
|
Now a placeholder hosted zone with four name servers is kept in Route 53, and you can point any domain at your registrar to it (covered in the [next step](domain)) without worrying about the name servers changing again. It's rather convoluted compared to DigitalOcean's `ns1.digitalocean.com...` convention, but it gets the job done.
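The cli steps above have two small traps: a reused caller reference is rejected, and the ID has to be copied out of a JSON response by hand. The script below is an added example (not this project's code) that wraps the command with a timestamped caller reference and parses the response. It assumes `placeholder_reusable_delegationset_id` wants the bare ID (`N1PA6795SAMPLE`, not the `/delegationset/...` path), and the sample response is constructed from the shape of the AWS documentation example; the IDs and hostnames in it are not real resources.

```shell
#!/usr/bin/env sh
# Added example (not the project's own code) for step 6: create the reusable
# delegation set with a caller reference that is unique per request, and pull
# the bare ID and the four name servers out of the CLI's JSON response.
# Assumption: the terraform variable wants the bare ID, without the
# "/delegationset/" prefix the API puts in front of it.

# "unique" works exactly once per account.  A UTC timestamp plus the zone ID
# is unique for practical purposes and says what the request was for.
caller_reference_for() {
  printf 'placeholder-%s-%s\n' "$1" "$(date -u +%Y%m%dT%H%M%SZ)"
}

# Bare delegation set ID from create-reusable-delegation-set (or
# get-reusable-delegation-set) output.  Only the "Id" line is matched, so the
# "Location" URL, which also contains the ID, is ignored.
delegation_set_id_from_json() {
  printf '%s\n' "$1" \
    | sed -n 's/.*"Id": *"\/delegationset\/\([A-Z0-9]*\)".*/\1/p' \
    | head -n 1
}

# Name servers in the set, one per line.  These are the records every domain
# gets pointed at; they outlive any hosted zone you destroy later.
delegation_set_nameservers_from_json() {
  printf '%s\n' "$1" | sed -n 's/.*"\(ns-[^"]*\)".*/\1/p'
}

# The real call.  Needs the admin user's credentials in the environment and
# is not run here.  --hosted-zone-id turns the placeholder zone's existing
# name servers into the reusable set, so the zone must have been created
# without a delegation set already attached.
create_placeholder_delegation_set() {
  zone_id="$1"
  out="$(aws route53 create-reusable-delegation-set \
           --caller-reference "$(caller_reference_for "$zone_id")" \
           --hosted-zone-id "$zone_id")" || return 1
  delegation_set_id_from_json "$out"
}

# Constructed sample response (shape of the AWS docs example; not real
# resources) so the parsing can be exercised offline.
SAMPLE_RESPONSE='{
  "Location": "https://route53.amazonaws.com/2013-04-01/delegationset/N1PA6795SAMPLE",
  "DelegationSet": {
    "Id": "/delegationset/N1PA6795SAMPLE",
    "CallerReference": "placeholder-Z3M3LMPEXAMPLE-20240101T000000Z",
    "NameServers": [
      "ns-2048.awsdns-64.com",
      "ns-2049.awsdns-65.net",
      "ns-2050.awsdns-66.org",
      "ns-2051.awsdns-67.co.uk"
    ]
  }
}'

delegation_set_id_from_json "$SAMPLE_RESPONSE"          # N1PA6795SAMPLE
delegation_set_nameservers_from_json "$SAMPLE_RESPONSE"
```

Usage against a live account is `create_placeholder_delegation_set YOUR_ZONE_ID`, which prints the value to paste into `placeholder_reusable_delegationset_id`. To confirm later that the set still exists (for example after a `terraform destroy`), `aws route53 get-reusable-delegation-set --id <ID>` returns the same four name servers.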
|
|
|
|
|
|
Second option, using only terraform (no aws cli):
|
|
|
- Inside `envs/your_env_folder/vars.tf` enter a "placeholder" domain name into `placeholder_hostzone` and return here after you've created your infrastructure.
|
|
|
|
|
|
`variable "placeholder_hostzone" { default = "placeholder.com" }`
|
|
|
|
|
|
- After the entire infra is created, run `terraform show` and retrieve the ID from the resource `module.main.aws_route53_delegation_set.dset[0]`.
|
|
|
- Inside `envs/your_env_folder/vars.tf` fill in `placeholder_reusable_delegationset_id`.
|
|
|
|
|
|
`variable "placeholder_reusable_delegationset_id" { default = "ID_FOUND_FROM_TERRAFORM_SHOW" }`
|
|
|
|
|
|
- To finish, run the following two commands to remove both the zone and the delegation set from Terraform state, so they are not destroyed on `terraform destroy`. Terraform stops tracking them, but they keep existing in AWS (and keep billing) and will no longer show up in `terraform plan`.
|
|
|
|
|
|
`terraform state rm module.main.aws_route53_delegation_set.dset[0]`
|
|
|
`terraform state rm module.main.aws_route53_zone.default_host[0]`
|
|
|
|
|
|
|
|
|
7. Continue onto [Remote backend](#remote-backend-optional) or [Domain](domain).
|
|
|
|
|
|
|
|
|
> **Advanced**: If you would like to create your *own* `ns1.example.com` nameservers, we've performed some of those steps here, the rest can be found [reading AWS docs](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/white-label-name-servers.html).
|
|
|
|
|
|
<br>
|
|
|
|
|
|
#### Remote backend (optional)
|
|
|
Now that you've configured your cloud providers and their S3 object storage, you can optionally store Terraform's `terraform.tfstate` state file remotely instead of on your local workstation. This keeps the state file in the S3 bucket, allowing cross-team collaboration and access from another machine that has S3 access. Keep in mind that state holds every resource attribute in plaintext, including the bot user's keys and anything else you pass into the instances, so restrict who can read the bucket, keep Block Public Access on, and enable versioning and server-side encryption for it.
|
|
|
|
|
|
|
|
|
TODO: Explain remote backend for both AWS and Digital Ocean
|
|
|
|
|
|
<br>
|
|
|
|
|
|
---
|
|
|
|
|
|
- 1/4 ~~[Setup workstation](workstation)~~
|
|
|
|
|
|
- 2/4 **~~[Configure a cloud provider](cloud-provider)~~**
|
|
|
- 3/4 [Configure an external domain](domain)
|
|
|
- 4/4 [Adjust settings and deploy](deploy)