Skip to main content

Adding AWS resources to your environment

Through the cloud-platform-environments repository, you can provision AWS resources for your environments. This is done using Terraform and more specifically, terraform modules the Cloud Platform team provides.

The documentation for the modules lives in each module’s repository.

Available modules

The list of terraform modules provided by the Cloud Platform team is available here: Terraform Modules

Usage

There are two ways to create Terraform resources for your namespace:

  • Manually create a Terraform manifest.
  • Using the cloud-platform CLI tool.

Manually create a Terraform manifest

In the cloud-platform-environments, cd into your namespace and create a new directory called resources (if it doesn’t already exist). Inside this directory create a file with a sensible filename i.e. rds.tf and create a call to the module you require.

For example, if you wish to create an RDS instance, go to the example in the module’s repository and populate your rds.tf file using the example as a guide.

Use the cloud-platform cli

At time of writing, the following resources can be created by the CLI tool:

  • rds
  • s3
  • ecr
  • serviceaccount

Download the cloud-platform command line tool.

In the cloud-platform-environments, cd into your namespace and run the following command. This will create an RDS manifest in the resources directory:

cloud-platform environment rds create

Each example will have some global terraform configuration defined, however, this should only be declared once, regardless of the number of modules used:

terraform {
  backend "s3" {}
}

provider "aws" {
  region = "eu-west-1"
}

Additionally, some examples might define variables. Again, these should only be declared once per namespace:

variable "cluster_name" {}

variable "cluster_state_bucket" {}

The main README file of each module repository will list all the available configuration options that can be passed to the module.

Outputs

Each module will have its own outputs. These expose useful information, such as endpoints, credentials etc. The module examples all use a common approach: they employ the kubernetes_secret terraform resource to push the outputs straight into your namespace in the form of a Secret which you could then extract information from or directly reference in Pods.

This is currently the only supported way of accessing terraform outputs.

See this article for instructions on how to use these secrets in your applications.

Versioning

Only the latest version of a Cloud Platform terraform module may be used.

The Cloud Platform team will upgrade all existing instances of a module, whenever a new version is released, as per this architecture decision record

Please check the version badge for the module you are using (visit the web page of the module’s github repository - the version badge will be just below the README heading), and make sure you are using the latest version of the module in your configuration, by specifying the ref attribute in the query string of the source URL:

module "my_module" {
  source = "https://github.com/ministryofjustice/cloud-platform-terraform-ecr-credentials?ref=1.0"
}

Refer to the terraform documentation on modules for more information on usage.

Monitoring AWS Resources

All resources are monitored by AWS CloudWatch by default. We use CloudWatch Exporter to export a number of the metrics for the Terraform Modules we provide into Prometheus.

To view the current set of metrics available:

  • Log into Prometheus
  • Click on ‘insert metric at cursor’
  • type ‘aws_’

You can view all metrics AWS make available here

This page was last reviewed on 31 March 2021. It needs to be reviewed again on 30 June 2021 .
This page was set to be reviewed before 30 June 2021. This might mean the content is out of date.