Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-05-23 08:58:41 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 114

Terraform guide updates (#6832)

Browse source 
* Updating Terraform guide

* Updating Migration section

* Updating instructions for prod.tvars

* Removed duplicate entry in production variables

* Added link to Using Fleet documentation.

* Removed errant 'git pull'
This commit is contained in:
Katheryn Satterlee 2022-08-02 07:17:49 -05:00 committed by GitHub
parent 33252011f0
commit 9c3e52f0aa
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 58 additions and 23 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

81
articles/deploying-fleet-on-aws-with-terraform.md
View file

@ -6,20 +6,20 @@ Deploying on AWS with Fleets reference architecture will get you a fully func
## Prerequisites:
- AWS CLI installed
- AWS CLI installed and configured.
- Terraform installed (version 1.04 or greater)
- AWS Account and IAM user capable of creating resources
- Clone [Fleet](https://github.com/fleetdm/fleet) or copy the [Terraform files](https://github.com/fleetdm/fleet/tree/main/infrastructure/dogfood/terraform/aws)
## Bootstrapping
To bootstrap our [remote state](https://www.terraform.io/docs/language/state/remote.html) resources, well create a S3 bucket and DynamoDB table using the values defined in `remote-state/main.tf`. Override the `prefix` terraform variable to get unique resources and the `region` variable to use you preferred AWS region.
To bootstrap our [remote state](https://www.terraform.io/docs/language/state/remote.html) resources, well create a S3 bucket and DynamoDB table using the values defined in `remote-state/main.tf`. We'll override the `prefix` terraform variable to get unique resources and the `region` variable to use the same region set in the AWS CLI (you can run `aws configure get region` to see what region is set).
From the `/remote-state` directory, run:
2. `terraform init`
3. `terraform workspace new prod`
4. `terraform apply -var prefix="<prefix>" -var region="<region>"`
1. `terraform init`
2. `terraform workspace new <your_org>-fleet-remote-state`
3. `terraform apply -var prefix="<your_org>-fleet" -var region="<region>"`
You should be able to see all the resources that Terraform will create — the **S3 bucket** and the **dynamodb** table:
@ -31,11 +31,12 @@ From the `/remote-state` directory, run:
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value:
```
After typing `yes` you should have a new S3 bucket named `<prefix>-terraform-remote-state` And the table `<prefix>-terraform-state-lock`. Keep these handy because well need them in the following steps.
After typing `yes` you should have a new S3 bucket named `<your_org>-fleet-terraform-remote-state` And the table `<your_org>-fleet-terraform-state-lock`. Keep these handy because well need them in the following steps.
You may see a warning during this process. It is safe to ignore.
Now that the remote state is configured, we can move on to setting up the infrastructure for Fleet.
@ -49,10 +50,10 @@ Next, well update the terraform setup in the `/aws` directory's [main.tf](htt
terraform {
// bootstrapped in ./remote-state
backend "s3" {
bucket = "<prefix>-terraform-remote-state"
bucket = "<your_org>-fleet-terraform-remote-state"
region = "<region>"
key = "fleet"
dynamodb_table = "<prefix>-terraform-state-lock"
key = "<your_org>-fleet"
dynamodb_table = "<your_org>-fleet-terraform-state-lock"
}
required_providers {
aws = {
@ -63,27 +64,29 @@ terraform {
}
```
Well also need a `tfvars` file to make some environment-specific variable overrides. Create a file in the `/aws` directory named `prod.tfvars`, and copy/paste the variables below (note the bucket names will have to be unique for your environment):
Well also need a `tfvars` file to make some environment-specific variable overrides. Create a file in the `/aws` directory named `prod.tfvars`, and copy/paste the variables below:
```
prefix = "<your_org>-fleet-prod"
fleet_backend_cpu = 1024
fleet_backend_mem = 4096 //software inventory requires 4GB
redis_instance = "cache.t3.micro"
fleet_min_capacity = 1
fleet_max_capacity = 5
domain_fleetdm = <domain> //YOUR FLEET DOMAIN
fleet_min_capacity = 0
fleet_max_capacity = 0
domain_fleetdm = "<your_fleet_domain>"
software_inventory = "1"
vulnerabilities_path = "/fleet/vuln"
osquery_results_s3_bucket = "<name>-osquery-results-archive-dev"
osquery_status_s3_bucket = "<name>-osquery-status-archive-dev"
osquery_results_s3_bucket = "<your_org>-fleet-prod-osquery-results-archive"
osquery_status_s3_bucket = "<your_org>-fleet-prod-osquery-status-archive"
```
Feel free to use whatever values you would like for the `osquery_results_s3_bucket` and `osquery_status_s3_bucket`. Just keep in mind that they need to be unique across AWS. We're setting the initial capacity for `fleet` to `0` to prevent the fleet service from attempting to start until setup is complete.
Now were ready to apply the terraform. From the `/aws` directory, Run:
1. `terraform init`
2. `terraform workspace new prod`
3. `terraform apply -var-file=prod.tfvars`
2. `terraform workspace new <your_org>-fleet-prod`
3. `terraform apply --var-file=prod.tfvars`
You should see the planned output, and you will need to confirm the creation. Review this output, and type `yes` when you are ready.
@ -129,23 +132,55 @@ redis_cluster_members = toset([
target_group_arn_suffix = "targetgroup/fleetdm/0f3bec83c8b02f58"
```
We can use the output here to create an AWS ECS Task that will migrate the database and prepare it for use.
We'll need some of these values in the next step.
## Prepare the database
Now all we need to do is prepare the database for use. We'll run an AWS ECS Task that will migrate the database and prepare it for use.
```
aws ecs run-task --cluster fleet-backend --task-definition fleet-migrate:<latest_version> --launch-type FARGATE --network-configuration "awsvpcConfiguration={subnets=[<private_subnet_id>],securityGroups=[<desired_security_group>]}"
aws ecs run-task --cluster fleet-backend --task-definition fleet-migrate:<latest_migration_version> --launch-type FARGATE --network-configuration "awsvpcConfiguration={subnets=[<private_subnet_id>],securityGroups=[<desired_security_group>]}"
```
Where `<private_subnet_id>` is one of the private subnets, and `<desired_security_group>` is the security group from the output for example:
Where `<migration_version>` is `fleet-migration-task-revision`, `<private_subnet_id>` is one of the private subnets, and `<desired_security_group>` is the security group from the previous output.
For the example output from `terraform apply` in the previous step, the command would look like this:
```
aws ecs run-task --cluster fleet-backend --task-definition fleet-migrate:4 --launch-type FARGATE --network-configuration "awsvpcConfiguration={subnets=[subnet-03a54736c942cd1e4],securityGroups=[sg-00c9fa9632d7e03ca]}"
```
Running this command should kick off the migration task, and Fleet should be ready to go.
Running this command will kick off the migration task, and Fleet will be ready to go.
![AWS Console ECS Clusters](../website/assets/images/articles/deploying-fleet-on-aws-with-terraform-2-640x313@2x.png)
Navigating to `https://fleet.queryops.com` we should be greeted with the Setup page.
At this point, you can go to your Fleet domain and start [using Fleet](https://fleetdm.com/docs/using-fleet).
## Start the Fleet service
Now that Fleet has everything it needs, we're ready to start the service.
First, we'll need to edit our production variables to increase Fleet's capacity and allow the service to start. In the `prod.tvars` file, update `fleet_min_capacity` and `fleet_max_capacity`:
```
prefix = "<your_org>-fleet-prod"
fleet_backend_cpu = 1024
fleet_backend_mem = 4096 //software inventory requires 4GB
redis_instance = "cache.t3.micro"
fleet_min_capacity = 1
fleet_max_capacity = 5
domain_fleetdm = "<your_fleet_domain>"
software_inventory = "1"
vulnerabilities_path = "/fleet/vuln"
osquery_results_s3_bucket = "<your_org>-fleet-prod-osquery-results-archive"
osquery_status_s3_bucket = "<your_org>-fleet-prod-osquery-status-archive"
```
Then apply the updates:
`terraform apply --var-file=prod.tfvars`
Once the process completes, your Fleet instance is ready to use! Check out the documentation for more details on [using Fleet](https://fleetdm.com/docs/using-fleet).
## Conclusion