This repository implements a Proof of Concept for Terraform infrastructure automation for the AWS cloud. It manages components in the AWS infrastructure.
See here
See here
Probably its a good idea if the application deployment is handled separately from Cluster management. The possibility that something goes wrong (e.g. accidental deletion of Kubernetes cluster) is lower and separation of concern.
Several GitOps solutions possible
- fluxcd
- atlantis
- terraform cloud
todo: example layout for supporting multiple environments with Terraform
todo: example layout for supporting multiple cloud providers with Terraform
There are a few differences in regard to the existing state of the cplace-poc which should be mentioned. These are made consciously and with respect to stable/secure production operation.
- using prometheus-operator
instead of prometheus, grafana individually.
- also see helm
- bundles Grafana and dashboards
- uses CustomResourceDefinitions (CRD)
- uses ServiceMonitor CRD instead of Annotations for configuration
- using environment specific subdomain
xxx.poc.cplace.xyz - using wildcard domain and wildcard certificate
- therefore currently no
cert-managerneeded
- therefore currently no
- using AWS NLB Loadbalancer with HTTPS termination
- access to the k8s cluster (e.g. via kubectl) is only possible from the EC2 deployer instance
- User management to allow kubernetes cluster access (with fine grained permissions, not everybody is supposed to be admin)
- Private ingress controller (VPC internal)
- Investigate Traefik 2.2 as replacement candidate for nginx-ingress
- Egress controller (all outgoing traffic should be going through it)
- ideally traffic to internet is by default not possible, only whitelisted destinations
- Determine and Configure Resource Limits (CPU/Memory, to ensure proper scalability)
- Forward Alerts to Slack
- via Grafana
- via kube-slack
- importing raw kubernetes yaml manifests is not possible with Terraforms Kubernetes provider, however this is anyhow not needed because mostly we would want to use Helm for that purpose