terraform-modules
Reusable Terraform modules
Terraform modules
This repository contains a set of (opinionated) Terraform modules to provision HashiCorp's suite of tools on AWS, including:
- Consul: Service discovery, distributed key-value store, and service mesh
- Nomad: Scheduling
- Vault: Secrets management
These tools are useful to deploy a basic infrastructure on the cloud for your developers to run their applications and services.
To get started, see the Core module. The other modules are optional and add features on top of the Core module once it has been provisioned.
Contributing
See CONTRIBUTING.md for more details.
Submodules
This repository has various submodules. When you clone it for the first time, make sure to do so recursively:
git clone --recursive https://github.com/GovTechSG/terraform-modules.git
To update an already cloned repository, run:
git submodule update --init --recursive
Modules
Core
This module sets up a VPC together with a Consul cluster and a Nomad cluster on which you can run your applications.
AWS Authentication
This module configures Vault to accept authentication via EC2 instance metadata. This is required for use with some of the Vault integration modules.
Nomad Vault Integration
This module serves as a post-bootstrap addon for the Core Module. It integrates Vault into Nomad so that jobs may acquire secrets from Vault.
Nomad ACL
This module serves as a post-bootstrap addon for the Core Module. It enables ACLs for Nomad, with Nomad ACL tokens retrievable from Vault.
Vault SSH
This module uses Vault's SSH secrets engine to generate signed SSH certificates for accessing your machines.
Traefik
This module serves as a post-bootstrap addon for the Core Module. This module provisions load balancers on top of a Traefik reverse proxy to expose your applications running on your Nomad cluster to the internet.
Docker Authentication
This module serves as a post-bootstrap addon for the Core Module. It allows you to configure Nomad clients to authenticate with private Docker registries.
Vault PKI
This module serves as a bootstrap addon for the Core module. It provisions the PKI secrets engine in Vault, which lets you maintain an internal CA and lets Vault users request certificates.
This module is required by some of the other Vault integration modules.
Elasticsearch
This module serves as a post-bootstrap addon for the Core Module. It adds a managed AWS Elasticsearch service (with Kibana). The module can also integrate with the Traefik set-up so that the redirect service sends users to the Kibana visualisation UI under a more friendly URL.
Curator
This module runs Curator as a Cron job in Nomad to clean up old indices in your Elasticsearch cluster.
Lambda-api-gateway
This module sets up a Lambda function with an API Gateway trigger, secured with API key authentication.
Telegraf
This module sets up the Telegraf service for collecting and reporting metrics on instances running the consul, nomad_client, nomad_server and vault services.
Td-Agent
This module enables td-agent, the stable distribution package of Fluentd, for log forwarding on instances running the consul, nomad_client, nomad_server and vault services.
Nomad Clients
This module sets up an additional cluster of Nomad clients after the initial bootstrap of the Core module.
Vault App Policy
This module is an addon that adds policies allowing application services to access key/value secrets stored in your existing Vault.
Fluentd
This module runs Fluentd on Nomad to forward logs to Elasticsearch and (optionally) S3.
Vault Auto Unseal
This module provisions additional resources to enable Vault Auto Unseal when used with the Core module.
Roles
This directory contains Ansible roles for installing the various services. For more details, check the README in each role's directory.