From 538adbb01f92418ab413f6b5210b238d3af91d7f Mon Sep 17 00:00:00 2001 From: Katheryn Satterlee Date: Thu, 21 Jul 2022 16:44:14 -0500 Subject: [PATCH] Updating Terraform guide (#6809) * Updating Terraform guide * Removed trailing `/` --- .../deploying-fleet-on-aws-with-terraform.md | 59 +++++++++++-------- 1 file changed, 33 insertions(+), 26 deletions(-) diff --git a/articles/deploying-fleet-on-aws-with-terraform.md b/articles/deploying-fleet-on-aws-with-terraform.md index f9514ee989..e7d1673737 100644 --- a/articles/deploying-fleet-on-aws-with-terraform.md +++ b/articles/deploying-fleet-on-aws-with-terraform.md @@ -13,41 +13,46 @@ Deploying on AWS with Fleet’s reference architecture will get you a fully func ## Bootstrapping -To bootstrap our [remote state](https://www.terraform.io/docs/language/state/remote.html) resources, we’ll create a S3 bucket and DynamoDB table. You can use the resources in [`remote-state`](https://www.terraform.io/docs/language/state/remote.html) as an example. Override the `prefix` terraform variable to get unique resources. +To bootstrap our [remote state](https://www.terraform.io/docs/language/state/remote.html) resources, we’ll create a S3 bucket and DynamoDB table using the values defined in `remote-state/main.tf`. Override the `prefix` terraform variable to get unique resources and the `region` variable to use you preferred AWS region. -1. `terraform init` -2. `terraform workspace new prod` -3. `terraform apply -var prefix=queryops` +From the `/remote-state` directory, run: -You should be able to see all the resources that Terraform will create — the **S3 bucket** and the **dynamodb** table: +2. `terraform init` +3. `terraform workspace new prod` +4. `terraform apply -var prefix="" -var region=""` -``` -Plan: 3 to add, 0 to change, 0 to destroy. + You should be able to see all the resources that Terraform will create — the **S3 bucket** and the **dynamodb** table: -Do you want to perform these actions in workspace "dev"? + ``` + Plan: 3 to add, 0 to change, 0 to destroy. -Terraform will perform the actions described above. + Do you want to perform these actions in workspace "dev"? -Only 'yes' will be accepted to approve. + Terraform will perform the actions described above. -Enter a value: -``` + Only 'yes' will be accepted to approve. -After typing `yes` you should have a new S3 bucket named `-terraform-remote-state` And the table `-terraform-state-lock`. Keep these handy because we’ll need them in the following steps. + Enter a value: + ``` + + After typing `yes` you should have a new S3 bucket named `-terraform-remote-state` And the table `-terraform-state-lock`. Keep these handy because we’ll need them in the following steps. + +Now that the remote state is configured, we can move on to setting up the infrastructure for Fleet. ## Infastructure -https://github.com/fleetdm/fleet/tools/terraform +https://github.com/fleetdm/fleet/tree/main/infrastructure/dogfood/terraform/aws -Using the buckets and table we just created, we’ll update the [remote state](https://github.com/fleetdm/fleet/tree/main/infrastructure/dogfood/terraform/aws/main.tf) to expect the same values: + +Next, we’ll update the terraform setup in the `/aws` directory's [main.tf](https://github.com/fleetdm/fleet/tree/main/infrastructure/dogfood/terraform/aws/main.tf) to use the S3 Bucket and DynamoDB created above: ``` terraform { // bootstrapped in ./remote-state backend "s3" { - bucket = "queryops-terraform-remote-state" - region = "us-east-2" - key = "fleet/" - dynamodb_table = "queryops-terraform-state-lock" + bucket = "-terraform-remote-state" + region = "" + key = "fleet" + dynamodb_table = "-terraform-state-lock" } required_providers { aws = { @@ -58,7 +63,7 @@ terraform { } ``` -We’ll also need a `tfvars` file to make some environment-specific variable overrides. Create a file in the same directory named `prod.tfvars` and paste the contents (note the bucket names will have to be unique for your environment): +We’ll also need a `tfvars` file to make some environment-specific variable overrides. Create a file in the `/aws` directory named `prod.tfvars`, and copy/paste the variables below (note the bucket names will have to be unique for your environment): ``` fleet_backend_cpu = 1024 @@ -66,21 +71,23 @@ fleet_backend_mem = 4096 //software inventory requires 4GB redis_instance = "cache.t3.micro" fleet_min_capacity = 1 fleet_max_capacity = 5 -domain_fleetdm = fleet.queryops.com // YOUR DOMAIN HERE +domain_fleetdm = //YOUR FLEET DOMAIN software_inventory = "1" vulnerabilities_path = "/fleet/vuln" -osquery_results_s3_bucket = "queryops-osquery-results-archive-dev" -osquery_status_s3_bucket = "queryops-osquery-status-archive-dev" -file_carve_bucket = "queryops-file-carve" +osquery_results_s3_bucket = "-osquery-results-archive-dev" +osquery_status_s3_bucket = "-osquery-status-archive-dev" ``` -Now we’re ready to apply the terraform: + +Now we’re ready to apply the terraform. From the `/aws` directory, Run: 1. `terraform init` 2. `terraform workspace new prod` 3. `terraform apply -var-file=prod.tfvars` -You should see the planned output, and you will need to confirm the creation. Review this output, and type `yes` when you are ready. This process should take 5–10 minutes. +You should see the planned output, and you will need to confirm the creation. Review this output, and type `yes` when you are ready. + +During this process, terraform will create a `hosted zone` with an `NS` record for your domain and request a certificate from [AWS Certificate Manager (ACM)](https://aws.amazon.com/certificate-manager/). While the process is running, you'll need to add the `NS` records to your domain as well. Let’s say we own `queryops.com` and have an ACM certificate issued to it. We want to host Fleet at `fleet.queryops.com` so in this case, we’ll need to hand nameserver authority over to `fleet.queryops.com` before ACM will verify via DNS and issue the certificate. To make this work, we need to create an `NS` record on `queryops.com`, and put the same `NS` records that get created after terraform creates the `fleet.queryops.com` hosted zone.