Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

update README #22

Closed
wants to merge 1 commit into from
Closed
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 9 additions & 7 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,8 @@ deploy an Elastic Kubernetes Cluster in Amazon Web Services (AWS).

Terraform backend state is stored in an S3 bucket with state locking enabled via a DynamoDB table. This setup ensures that multiple people can work with the pipeline and deploy simultaneously without causing conflicts by locking the state during operations like plan and apply.

Outputs from this infrastructure pipeline are persisted into the Terraform backend state so they can be read by he application pipeline ([xyz_app_poc](https://github.com/setheliot/xyz_app_poc)) that uses this infrastructure.

The deployment is currently configured to deploy to a staging environment first (from the `stage` branch) and then to a production environment (from the `main` branch). Other environments can be added.

| Environment type | Short name | Branch | Notes |
Expand Down Expand Up @@ -40,7 +42,7 @@ This code provisions several AWS resources, including:

The pipeline automation here currently only supports `stage` and `prod` environments.

The AWS Regions for the each of these should be different. You configure the Regions to use in [`stage.tf`](terraform/environment/stage.tfvars) and [`main.tf`](terraform/environment/main.tfvars) respectively.
The AWS Regions for the each of these should be different. You configure the Regions to use in [`stage.tfvars`](terraform/environment/stage.tfvars) and [`main.tfvars`](terraform/environment/main.tfvars) respectively.

Developers create their own `dev` branches to work in (using their own accounts as environments) and then create pull requests from these into `stage`

Expand All @@ -53,11 +55,11 @@ Three GitHub actions workflows are defined:
The following GitHub rules are enforced on branches `stage` (staging) and `main` (production)
- **Require approvals**: Requires at least one code review with resolution before merging.
- **Require a pull request before merging**: Require all commits be made to a non-target branch and submitted via a pull request before they can be merged.
- **Require stats checks to pass**:
- **Require status checks to pass**:
- Checks **Enforce Flow** to ensure pull requests are only accepted from the designated previous environment in the pipeline, after all tests have passed on it.
- Checks **Environment Tests** to ensure all environment tests pass on the current environment.

The following [GitHub environments for deployment](https://docs.github.com/en/actions/managing-workflow-runs-and-deployments/managing-deployments/managing-environments-for-deployment) are defined: `stage`, `prod`
The following [GitHub environments for deployment](https://docs.github.com/en/actions/managing-workflow-runs-and-deployments/managing-deployments/managing-environments-for-deployment) are defined: [`stage`](https://github.com/setheliot/xyz_infra_poc/deployments/stage), [`prod`](https://github.com/setheliot/xyz_infra_poc/deployments/prod)

## How to use
1. Clone the repository.
Expand All @@ -66,11 +68,11 @@ The following [GitHub environments for deployment](https://docs.github.com/en/ac
- For the DynamoDB table use `LockID` (type String) as the partition key.
- Update the `bucket` name, `dynamodb_table` name, and AWS `region` values in [`providers.tf`](terraform/providers.tf) under the **Remote backend** setting.
1. [optional] Update [`stage.tfvars`](terraform/environment/stage.tfvars) and [`main.tfvars`](terraform/environment/main.tfvars) to set the `aws_region` you want to use for each. These must be different than each other.
1. The staging environment infrastructure will automatically build when you merge a pull request into branch `stage`
1. The production environment infrastructure will automatically build when you merge a pull request from the staging environment into branch `main`
1. The staging environment infrastructure will automatically build when you merge a pull request into branch `stage`.
1. The production environment infrastructure will automatically build when you merge a pull request from branch `stage` into branch `main`.

## Future plans
- Add other environment types to the pipeline, such as `test`
- Add other environment stages to the pipeline, such as `test`

- Environments deploy to separate AWS accounts instead of separate Regions in the same account
- This provides better fault isolation between environments
Expand All @@ -81,7 +83,7 @@ The following [GitHub environments for deployment](https://docs.github.com/en/ac
- AWS recommends using short lived credentials such as an IAM Role instead of IAM User (long lived credentials)
- `aws-actions/configure-aws-credentials` can use IAM Roles if you setup a GitHub OIDC provider in the AWS account.

- Provide a sample IAM Policy for AWS credentials that follows least privilege, The AWS credentials used here require the following permissions:
- Provide a sample IAM Policy for AWS credentials that follows the principle of least-privilege. The AWS credentials used here require the following permissions:
- EC2 actions: Required for creating and managing VPCs, subnets, NAT gateways, and security groups.
- EKS actions: Needed for creating and managing the EKS cluster and node groups.
- IAM actions: Needed for creating and managing IAM roles and attaching policies (like the EKS cluster role).
Expand Down
Loading