diff --git a/infrastructure/sandbox/SharedInfrastructure/alb.tf b/infrastructure/sandbox/SharedInfrastructure/alb.tf
index ff349f1e6d..8eaae56eff 100644
--- a/infrastructure/sandbox/SharedInfrastructure/alb.tf
+++ b/infrastructure/sandbox/SharedInfrastructure/alb.tf
@@ -108,7 +108,7 @@ resource "cloudflare_record" "cert" {
 
 resource "cloudflare_record" "main" {
   zone_id = data.cloudflare_zone.main.id
-  name = "sandbox"
+  name = local.env_specific[data.aws_caller_identity.current.account_id]["dns_name"]
   type = "CNAME"
   value = aws_lb.main.dns_name
   proxied = false
@@ -116,7 +116,7 @@ resource "cloudflare_record" "main" {
 
 resource "cloudflare_record" "wildcard" {
   zone_id = data.cloudflare_zone.main.id
-  name = "*.sandbox"
+  name = "*.${local.env_specific[data.aws_caller_identity.current.account_id]["dns_name"]}"
   type = "CNAME"
   value = aws_lb.main.dns_name
   proxied = false
diff --git a/infrastructure/sandbox/SharedInfrastructure/eks.tf b/infrastructure/sandbox/SharedInfrastructure/eks.tf
index c8498ec308..defd927829 100644
--- a/infrastructure/sandbox/SharedInfrastructure/eks.tf
+++ b/infrastructure/sandbox/SharedInfrastructure/eks.tf
@@ -27,7 +27,8 @@ locals {
   cluster_version = "1.21"
   account_role_mapping = {
     # Add nonprod or other deployed accounts here
-    411315989055 = "AWSReservedSSO_SandboxProdAdmins_9ccaa4f25c2eada0"
+    411315989055 = "AWSReservedSSO_SandboxDevAdmins_6cfa1b6052653825"
+    968703308407 = "AWSReservedSSO_SandboxProdAdmins_9ccaa4f25c2eada0"
   }
   # Role Generated by SSO but needs admin to EKS
   # This hack is needed because "aws_iam_role" returns an unsusable ARN for EKS on SSO roles.
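Review bot: The full lookup `local.env_specific[data.aws_caller_identity.current.account_id]["dns_name"]` is spelled out in both the `main` record here and the `wildcard` record in the hunk at -116, and the same expression is repeated in eks.tf and main.tf; one local such as `env = local.env_specific[data.aws_caller_identity.current.account_id]` would let each use read as `local.env["dns_name"]` and make the account-to-environment decision visible in exactly one place. Indexing the map with an account id that is not a key fails the plan with an index error, which is the right outcome (credentials for an unlisted account never create records under another environment's name), but the error will not say why, so a one-line comment on the map stating that intent would save the next operator a search.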
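Review bot: The role mapping disagrees with the environment maps added by the same commit: account 411315989055 is assigned `AWSReservedSSO_SandboxDevAdmins_6cfa1b6052653825` here, yet the next hunk gives that account `dns_name = "sandbox"` and main.tf gives it `prefix = "sandbox-prod"` with the `fleet-cloud-sandbox-prod` state name, while 968703308407 receives `AWSReservedSSO_SandboxProdAdmins_9ccaa4f25c2eada0` together with the `sandbox-dev` settings. Per the comment directly below, this local feeds the role that is granted admin on the EKS cluster, so one of the two mappings is inverted and, as written, the prod cluster would be administered by the dev permission set and vice versa. Either the two role names or the two account ids should be swapped, and each key should carry a comment naming its environment, e.g. `968703308407 = "AWSReservedSSO_SandboxProdAdmins_9ccaa4f25c2eada0" # sandbox (prod)`, so the pairing can be checked at a glance in every file that keys on the account id. The enclosing `locals` block starts before this hunk.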
@@ -35,6 +36,14 @@ locals {
     id = local.account_role_mapping[data.aws_caller_identity.current.account_id]
     arn = join("", ["arn:aws:iam::", data.aws_caller_identity.current.account_id, ":role/", local.account_role_mapping[data.aws_caller_identity.current.account_id]])
   }
+  env_specific = {
+    411315989055 = {
+      "dns_name" = "sandbox",
+    }
+    968703308407 = {
+      "dns_name" = "sandbox-dev",
+    }
+  }
 }
 
 output "eks_cluster" {
diff --git a/infrastructure/sandbox/main.tf b/infrastructure/sandbox/main.tf
index afdd7a107d..cc80516fc4 100644
--- a/infrastructure/sandbox/main.tf
+++ b/infrastructure/sandbox/main.tf
@@ -30,7 +30,7 @@ provider "aws" {
     tags = {
       environment = "fleet-demo-${terraform.workspace}"
       terraform = "https://github.com/fleetdm/fleet/tree/main/infrastructure/sandbox"
-      state = "s3://fleet-terraform-state20220408141538466600000002/fleet-cloud-sandbox-prod/sandbox/terraform.tfstate"
+      state = "s3://fleet-terraform-state20220408141538466600000002/${local.env_specific[data.aws_caller_identity.current.account_id]["state_name"]}/sandbox/terraform.tfstate"
     }
   }
 }
@@ -41,11 +41,16 @@ provider "aws" {
     tags = {
       environment = "fleet-demo-${terraform.workspace}"
       terraform = "https://github.com/fleetdm/fleet/tree/main/infrastructure/sandbox"
-      state = "s3://fleet-terraform-state20220408141538466600000002/fleet-cloud-sandbox-prod/sandbox/terraform.tfstate"
+      state = "s3://fleet-terraform-state20220408141538466600000002/${local.env_specific[data.aws_caller_identity.current.account_id]["state_name"]}/sandbox/terraform.tfstate"
     }
   }
 }
 
+provider "aws" {
+  alias = "tmp"
+  region = "us-east-2"
+}
+
 provider "cloudflare" {}
 
 provider "random" {}
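Review bot: `env_specific` is now defined here and again in infrastructure/sandbox/main.tf, keyed by the same two account ids but with different contents (`dns_name` here; `state_name`, `prefix`, `base_domain` and `subnet` there), so the account-to-environment decision lives in two maps that nothing keeps in sync. At minimum each map should point at the other, e.g. `# Keep account ids in step with locals.env_specific in infrastructure/sandbox/main.tf`; better, one map exposed through a variable or output so a new account is added once. A short comment on why the map is keyed by account id is also worth adding, e.g. `# Keyed by AWS account id; an unlisted account fails the plan rather than deploying under another environment's DNS name.`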
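Review bot: The `state` tag is now derived from the account id, but an S3 backend block cannot interpolate locals or data sources, so the backend key that actually stores this state (outside the hunk) is presumably still a fixed path or supplied through `-backend-config`; if it still names `fleet-cloud-sandbox-prod`, every resource in the dev account would be tagged with a state location that is not the real one. Worth confirming the backend is switched per environment the same way and recording the coupling next to the tag, e.g. `# Informational only: must match the backend key chosen for this account`. The same tag appears in the second provider block in the next hunk (-41), which needs the identical check.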
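Review bot: The new `provider "aws"` with `alias = "tmp"` has no comment explaining why a second, tag-less provider is needed; from the following hunk it appears to exist so that `data.aws_caller_identity.current` can be read without going through a provider whose `default_tags` themselves depend on the account id it returns, which would otherwise be a reference cycle. That reasoning should be written down, e.g. `# Tag-free provider used only for aws_caller_identity: the default providers' tags depend on the account id it returns.`, since "tmp" suggests something disposable rather than load-bearing. The region is also hard-coded to `us-east-2` here, alongside the existing `# TODO hard coded AZs` further down; if the other provider blocks take their region from elsewhere (outside the hunk), this is one more place that will need changing together.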
@@ -62,15 +67,31 @@ provider "docker" {
 
 provider "git" {}
 
-data "aws_caller_identity" "current" {}
+data "aws_caller_identity" "current" {
+  provider = aws.tmp
+}
 
 data "git_repository" "tf" {
   path = "${path.module}/../../"
 }
 
 locals {
-  prefix = "sandbox-prod"
-  base_domain = "sandbox.fleetdm.com"
+  env_specific = {
+    411315989055 = {
+      "state_name" = "fleet-cloud-sandbox-prod"
+      "prefix" = "sandbox-prod",
+      "base_domain" = "sandbox.fleetdm.com",
+      "subnet" = "11",
+    },
+    968703308407 = {
+      "state_name" = "fleet-cloud-sandbox-dev"
+      "prefix" = "sandbox-dev",
+      "base_domain" = "sandbox-dev.fleetdm.com",
+      "subnet" = "13",
+    },
+  }
+  prefix = local.env_specific[data.aws_caller_identity.current.account_id]["prefix"]
+  base_domain = local.env_specific[data.aws_caller_identity.current.account_id]["base_domain"]
 }
 
 data "aws_iam_policy_document" "kms" {
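Review bot: The key `"subnet"` holds the second octet of the VPC CIDR (the following hunk uses it as `10.${…}.0.0/16` and in every subnet range), so a reader may take `"11"` for a subnet count or id; a name such as `"vpc_second_octet"` would say what the value is, and a comment that the two accounts must keep distinct octets so the VPCs never overlap would record why the values differ. Within each account block the `"state_name"` entry has no trailing comma while the other three do, which HCL accepts but reads as an oversight. The map is indexed with `data.aws_caller_identity.current.account_id`, so credentials for an unlisted account fail the plan instead of building a third environment under prod's prefix and domain; that fail-closed behaviour is worth stating in a comment above the map so nobody later wraps the lookup in `try()` or `lookup()` with a default. The `provider = aws.tmp` on the identity data source likewise deserves a one-line note that it avoids depending on the tagged default providers.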
@@ -109,14 +130,30 @@ module "vpc" { version = "3.12.0" name = local.prefix - cidr = "10.11.0.0/16" + cidr = "10.${local.env_specific[data.aws_caller_identity.current.account_id]["subnet"]}.0.0/16" # TODO hard coded AZs - azs = ["us-east-2a", "us-east-2b", "us-east-2c"] - private_subnets = ["10.11.16.0/20", "10.11.32.0/20", "10.11.48.0/20"] - public_subnets = ["10.11.128.0/24", "10.11.129.0/24", "10.11.130.0/24"] - database_subnets = ["10.11.131.0/24", "10.11.132.0/24", "10.11.133.0/24"] - elasticache_subnets = ["10.11.134.0/24", "10.11.135.0/24", "10.11.136.0/24"] + azs = ["us-east-2a", "us-east-2b", "us-east-2c"] + private_subnets = [ + "10.${local.env_specific[data.aws_caller_identity.current.account_id]["subnet"]}.16.0/20", + "10.${local.env_specific[data.aws_caller_identity.current.account_id]["subnet"]}.32.0/20", + "10.${local.env_specific[data.aws_caller_identity.current.account_id]["subnet"]}.48.0/20", + ] + public_subnets = [ + "10.${local.env_specific[data.aws_caller_identity.current.account_id]["subnet"]}.128.0/24", + "10.${local.env_specific[data.aws_caller_identity.current.account_id]["subnet"]}.129.0/24", + "10.${local.env_specific[data.aws_caller_identity.current.account_id]["subnet"]}.130.0/24", + ] + database_subnets = [ + "10.${local.env_specific[data.aws_caller_identity.current.account_id]["subnet"]}.131.0/24", + "10.${local.env_specific[data.aws_caller_identity.current.account_id]["subnet"]}.132.0/24", + "10.${local.env_specific[data.aws_caller_identity.current.account_id]["subnet"]}.133.0/24", + ] + elasticache_subnets = [ + "10.${local.env_specific[data.aws_caller_identity.current.account_id]["subnet"]}.134.0/24", + "10.${local.env_specific[data.aws_caller_identity.current.account_id]["subnet"]}.135.0/24", + "10.${local.env_specific[data.aws_caller_identity.current.account_id]["subnet"]}.136.0/24", + ] create_database_subnet_group = false create_database_subnet_route_table = true