How to Setup New Environment in TFC

What?

Let’s say we already have an AWS root account set up and want to add an environment, for example, production.

Problem 1. After creating the root account, the other AWS accounts are also created manually.

AWS accounts hierarchy looks like this:

Initialization

There is a repository where infrastructure is managed, for example infrastructure. And we have separate folders for each layer:

 infrstructure
|
|--- 0-accounts
|--- 1-environments
|--- 2-products

These are the commands to initialize at first:

cd infrastructure
meta auth
meta exec project-name account-name , in our case the account is for prod, so it will be meta exec project-name prod
meta init
terraform init
terraform apply

During the 1st terraform apply after meta init , new AWS access and secret keys are generated, which are temporary. Because of this, you will see these changes, which is fine, and these variables should be updated.

Account User Setup

Until this moment, nothing has been created manually except AWS prod account. To get access this account, we need to create an IAM user from root account, which will allow access to the prod account.

Before creating the user, SSO should be enabled from root for prod account, and at this step all users who should have access to prod can be invited to SSO.

Problem 2: SSO configuration is done manually.

After manually enabling SSO, we need to add yaml config file through which the IAM user will be created:

infrstructure
|
|--- 0-accounts
      |
      |--- root
            |
            |--- iam-prod.yaml
|--- 1-environments
|--- 2-products

iam-prod.yaml

source: terraform-aws-modules/iam/aws//modules/iam-user
version: 5.30.0
variables:
  name: terraform
  create_iam_user_login_profile: false
  create_iam_access_key: true
  policy_arns:
    - arn:aws:iam::aws:policy/AdministratorAccess
output:
  sensitive: true
providers:
  - name: aws
    version: ~> 4.0
    variables:
      default_tags:
        tags:
          Account: project-name-root
          ManageLevel: account
    blocks:
      assume_role:
        role_arn: "arn:aws:iam::33333333333333:role/OrganizationAccountAccessRole"
        session_name: "AssumeRoleSession"
        external_id: "33333333333333"

Each time we add a new yaml config file these commands are needed to execute:

terraform apply
git add .
git commit
git push

After just check that TFC correctly executes applying.

Environment Setup

Problem 3. We don’t have dependencies between workspaces, so we can’t integrate this configuration with the IAM user’s creation part.

We need to create a new subfolder in infrastructure/1-environments folder, for example prod-1:

infrstructure
|
|--- 0-accounts
|--- 1-environments
      |
      |--- prod-1
|--- 2-products

Environment-specific resources are created in this layer. To do so, we need to add yaml config files to this subfolder. For example, resources like EKS, VPC and IAM users are specific to the environment, so we have:

infrstructure
|
|--- 0-accounts
|--- 1-environments
      |
      |--- prod-1
            |--- eks.yaml
            |--- iam.yaml
            |--- vpc.yaml
|--- 2-products

These new resources are applied by using the IAM user’s credentials in AWS provider that we created during the previous step. Therefore, we need to include the user’s credentials in the provider.

For example, vpc.yaml config should look like this:

vpc.yaml

source: dasmeta/vpc/aws
version: 1.0.1
variables:
  name: "prod-vpc"
  availability_zones:
    - "us-east-1a"
    - "us-east-1b"
  private_subnets:
    - "10.17.1.0/24"
    - "10.17.2.0/24"
  public_subnets:
    - "10.17.3.0/24"
    - "10.17.4.0/24"
  cidr: "10.17.0.0/16"
  public_subnet_tags:
    "kubernetes.io/cluster/eks-prod": "shared"
    "kubernetes.io/role/elb": "1"
  private_subnet_tags:
    "kubernetes.io/cluster/eks-prod": "shared"
    "kubernetes.io/role/internal-elb": "1"
providers:
  - name: aws
    version: ~> 4.0
    module_nested_provider: true
    variables:
      region: us-east-1
      access_key: ${0-accounts/root/iam-prod.iam_access_key_id} ------ 1
      secret_key: ${0-accounts/root/iam-prod.iam_access_key_secret} ------ 2
      default_tags:
        tags:
          Account: project-name
          ManageLevel: environment
linked_workspaces: ------ 3
  - 0-accounts/root/iam-prod ------ 4

1, 2 lines specify which credentials must be used in the provider.

3, 4 lines establish the link between this new configuration and the previously created IAM user’s configuration. In TFC these are 2 separate workspaces.

The execution is the same like before:

terraform apply
git add .
git commit
git push