Adding AWS resources to your environment
Through the cloud-platform-environments repository, you can provision AWS resources for your environments. This is done using Terraform and more specifically, terraform modules the Cloud Platform team provides.
The documentation for the modules lives in each module’s repository.
Available modules
The list of terraform modules provided by the Cloud Platform team is available here: Terraform Modules
Usage
There are two ways to create Terraform resources for your namespace:
- Manually create a Terraform manifest.
- Using the cloud-platform CLI tool.
Manually create a Terraform manifest
In the cloud-platform-environments, cd into your namespace and create a new directory called resources (if it doesn’t already exist). Inside this directory create a file with a sensible filename i.e. rds.tf and create a call to the module you require.
For example, if you wish to create an RDS mssql instance or an RDS mysql instance or an RDS postgresql instance, go to the example in the module’s repository and populate your rds-.tf file using the example as a guide.
Use the cloud-platform cli
At time of writing, the following resources can be created by the CLI tool:
- rds
- s3
- ecr
- serviceaccount
Download the cloud-platform command line tool.
In the cloud-platform-environments, cd into your namespace and run the following command. This will create an RDS manifest in the resources directory:
cloud-platform environment rds create
Each example will have some global terraform configuration defined, however, this should only be declared once, regardless of the number of modules used:
terraform {
backend "s3" {}
}
provider "aws" {
region = "eu-west-1"
}
Additionally, some examples might define variables. Again, these should only be declared once per namespace:
variable "cluster_name" {}
variable "cluster_state_bucket" {}
The main README file of each module repository will list all the available configuration options that can be passed to the module.
Outputs
Each module will have its own outputs. These expose useful information, such as endpoints, credentials etc. The module examples all use a common approach: they employ the kubernetes_secret terraform resource to push the outputs straight into your namespace in the form of a Secret which you could then extract information from or directly reference in Pods.
This is currently the only supported way of accessing terraform outputs.
See this article for instructions on how to use these secrets in your applications.
Versioning
Only the latest version of a Cloud Platform terraform module may be used.
The Cloud Platform team will upgrade all existing instances of a module, whenever a new version is released, as per this architecture decision record
Please check the version badge for the module you are using (visit the web page of the module’s github repository - the version badge will be just below the README heading), and make sure you are using the latest version of the module in your configuration, by specifying the ref attribute in the query string of the source URL:
module "my_module" {
source = "https://github.com/ministryofjustice/cloud-platform-terraform-ecr-credentials?ref=1.0"
}
Refer to the terraform documentation on modules for more information on usage.
Monitoring AWS Resources
All resources are monitored by AWS CloudWatch by default. We use CloudWatch Exporter to export a number of the metrics for the Terraform Modules we provide into Prometheus.
To view the current set of metrics available:
- Log into Prometheus
- Click on ‘insert metric at cursor’
- type ‘aws_’
You can view all metrics AWS make available here