Terraform Modules

Reusable Terraform modules


Terraform modules

This repository contains a set of (opinionated) Terraform modules to provision HashiCorp's suite of tools on AWS, including:

  • Consul: Service discovery, distributed key-value store, and service mesh
  • Nomad: Scheduling
  • Vault: Secrets management

These tools are useful to deploy a basic infrastructure on the cloud for your developers to run their applications and services.

To get started, see the Core module. Some of the modules are optional and add additional features after you have provisioned the Core module.

Contributing

See CONTRIBUTING.md for more details.

Submodules

This repository has various submodules. When you are cloning it for the first time, make sure to do so with

git clone --recursive https://github.com/GovTechSG/terraform-modules.git

To update an already cloned repository, you can do

git submodule update --init --recursive

Modules

Core

This module sets up a VPC and a Consul and Nomad cluster on which you can run applications.

AWS Authentication

This module configures Vault to accept authentication via EC2 instance metadata. This is required for use with some of the Vault integration modules.

Nomad Vault Integration

This module serves as a post-bootstrap addon for the Core Module. It integrates Vault into Nomad so that jobs may acquire secrets from Vault.

Nomad ACL

This module serves as a post-bootstrap addon for the Core Module. This enables ACL for Nomad, where Nomad ACL tokens can be retrieved from Vault.

Vault SSH

We can use Vault's SSH secrets engine to generate signed certificates to access your machines via SSH.

Traefik

This module serves as a post-bootstrap addon for the Core Module. This module provisions load balancers on top of a Traefik reverse proxy to expose your applications running on your Nomad cluster to the internet.

Docker Authentication

This module serves as a post-bootstrap addon for the Core Module. It allows you to configure Nomad clients to authenticate with private Docker registries.

Vault PKI

This module serves as a bootstrap addon for the Core module. It provisions the PKI secrets engine in Vault. This PKI secrets engine allows you to maintain an internal CA and allows Vault users to request certificates.

This module is required for some of the other Vault integration modules.

Elasticsearch

This module serves as a post-bootstrap addon for the Core Module. It adds the managed AWS Elasticsearch service (with Kibana). The module also integrates with the Traefik set-up, so that a redirect service can send users to the Kibana visualisation UI under a friendlier URL.

Curator

This module runs Curator as a Cron job in Nomad to clean up old indices in your Elasticsearch cluster.

Lambda-api-gateway

This module sets up a Lambda function with an API Gateway trigger, secured with API key authentication.

Telegraf

This module sets up the Telegraf service for collecting and reporting metrics. It is for instances containing the services consul, nomad_client, nomad_server and vault.

Td-Agent

This module enables td-agent, the stable distribution package of Fluentd, for log forwarding. It is for instances containing the services consul, nomad_client, nomad_server and vault.

Nomad Clients

This module sets up an additional cluster of Nomad clients after the initial bootstrap of the core module.

Vault App Policy

This module is an addon for adding application service policies to access key / value secrets stored in your already set-up Vault.

Fluentd

This module runs Fluentd on Nomad to forward logs to Elasticsearch and (optionally) S3.

Vault Auto Unseal

Provisions additional resources to enable Vault Auto Unseal when used with the Core module.

Roles

Contains Ansible roles for installation of various services. For more details, check out the README in the respective role directories.

Open Source Agenda is not affiliated with "Terraform Modules" Project. README Source: dsaidgovsg/terraform-modules
Stars
78
Open Issues
25
Last Commit
2 months ago