Terraform infrastructure as code
To init and apply the Terraform configs, run the Makefile and specify the environment. The default environment is staging:
make ENV=<environment>
All the modules that are applied can be found in terraform/modules/environment/main.tf:
- VPC - Virtual Private Cloud
- EKS - Elastic Kubernetes Service
- EC2 - Elastic Compute Cloud, orchestrated by EKS
- S3 - Simple Storage Service
- CloudFront - CloudFront Pricing
- ECR - Elastic Container Registry
The most expensive component will be the EKS cluster together with the instances it spins up. The rest of the modules have very low cost.
Costs will vary depending on the region selected, but based on us-west-2 the following items will contribute most of the cost of the infrastructure:
- EKS Cluster: $0.1 USD / hr
- NAT Gateway: $0.045 USD / hr
- RDS (db.t3.small): $0.034 USD / hr
- EC2 (t2.small): $0.023 USD / hr
- Expected total: $0.202 USD / hr, or ~$150 USD / month
EC2 instance sizing can be configured in terraform/environments/staging/main.tf.
Update your kubeconfig so that kubectl points at the EKS cluster (optionally assuming an IAM role):
aws eks update-kubeconfig --name <cluster-name> --region us-west-2
aws eks update-kubeconfig --name <cluster-name> --region us-west-2 --role-arn <role-arn>
Running Bash
kubectl run -it --image ubuntu bash
Getting secrets
kubectl get secret --namespace default <secret-key> -o jsonpath="{.data.password}" | base64 --decode; echo
Port forward
kubectl port-forward --namespace default $(kubectl get pods --namespace default -l app.kubernetes.io/instance=keycloak -o jsonpath="{.items[0].metadata.name}") 8080
aws ecr describe-repositories --region us-west-2
aws ecr create-repository --repository-name <ecr-repo-name> --region <aws-region>
aws ecr delete-repository --repository-name <ecr-repo-name> --region <aws-region>
Describing the ECR repositories will also give you a list of the fully resolved repository URI.
If you need your AWS account ID, you can use:
aws sts get-caller-identity --query Account --output text
AWS Docs: Registry Authentication
aws ecr get-login --region <region> --no-include-email
This outputs a docker login command that carries the password, e.g. docker login -u AWS -p <password> https://<aws_account_id>.dkr.ecr.<region>.amazonaws.com. Note that aws ecr get-login was removed in AWS CLI v2; there the equivalent is
aws ecr get-login-password --region <region> | docker login --username AWS --password-stdin <aws_account_id>.dkr.ecr.<region>.amazonaws.com
which also keeps the password out of the shell history and process list.
AWS Docs: Docker Push ECR Image
Make sure you have a Docker image tagged with the name of the corresponding ECR repo.
docker build --tag <aws_account_id>.dkr.ecr.<region>.amazonaws.com/<ecr-repo-name> .
or, for an existing image,
docker tag <dockerImage> <aws_account_id>.dkr.ecr.<region>.amazonaws.com/<ecr-repo-name>
then push it:
docker push <aws_account_id>.dkr.ecr.<region>.amazonaws.com/<ecr-repo-name>
By default, Terraform generates a random password for the RDS instance and stores it in AWS Secrets Manager.
Using AWS Secrets Manager
aws secretsmanager list-secrets
aws secretsmanager get-secret-value --secret-id <SECRETNAME> --region <REGION>
From inside the Kubernetes cluster, run a bash container to reach the RDS instance in the VPC:
kubectl run -it --image ubuntu bash
kubectl exec -it <bash-pod-id> -- /bin/bash
In the container shell:
apt-get update -y
apt-get install -y pgcli
pgcli -h <rds-url> -U master_user -d postgres
CREATE DATABASE <database>;
CREATE USER <db-user> WITH PASSWORD '<db-password>';
GRANT ALL PRIVILEGES ON DATABASE <database> TO <db-user>;
Alternatively, run a socat gateway pod that relays to the RDS instance and port-forward it to your machine:
kubectl run --restart=Never --image=alpine/socat db-gateway -- -d -d tcp-listen:5432,fork,reuseaddr tcp-connect:<RDS_ADDRESS>:5432
kubectl port-forward db-gateway 5432:5432
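The Secrets Manager lookup and the pgcli steps above as one script, added here as an example rather than code from this repo. It assumes the secret stores JSON with username, password, host and port keys, validates the database and user names before they are spliced into SQL, and hands the master password to psql through the environment instead of the command line.

```sh
#!/bin/sh
# Added example, not part of this repo: scripts the manual pgcli steps above.
# The RDS master credentials come from the Secrets Manager secret Terraform
# created; the secret name and its JSON keys (username, password, host, port)
# are assumptions, check them against your Terraform output. Needs aws, jq
# and psql (run it from the bash pod, or through the socat gateway above).
set -eu

# Accept only plain lowercase identifiers (what Postgres folds unquoted names
# to) so a value taken from the environment cannot add SQL of its own.
valid_ident() {
  case "$1" in
    ''|*[!a-z0-9_]*|[0-9]*) return 1 ;;
    *) [ "${#1}" -le 63 ] ;;
  esac
}

# Quote a value as a SQL string literal (single quotes are doubled).
sql_literal() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/''/g")"
}

# Emit the CREATE DATABASE / CREATE USER / GRANT statements from the section
# above, with the names validated and the password passed as a literal.
render_sql() {
  db="$1"; user="$2"; pass="$3"
  valid_ident "$db"   || { echo "bad database name: $db" >&2; return 1; }
  valid_ident "$user" || { echo "bad user name: $user" >&2; return 1; }
  printf 'CREATE DATABASE %s;\n' "$db"
  printf 'CREATE USER %s WITH PASSWORD %s;\n' "$user" "$(sql_literal "$pass")"
  printf 'GRANT ALL PRIVILEGES ON DATABASE %s TO %s;\n' "$db" "$user"
}

# bootstrap_db <secret-name> <database> <db-user> <db-password>
# The master password reaches psql via PGPASSWORD, not the command line, so it
# does not show up in shell history or in `ps` output on the pod.
bootstrap_db() {
  json=$(aws secretsmanager get-secret-value --secret-id "$1" \
           --query SecretString --output text)
  sql=$(render_sql "$2" "$3" "$4")
  printf '%s\n' "$sql" | PGPASSWORD=$(printf '%s' "$json" | jq -r .password) \
    psql -v ON_ERROR_STOP=1 \
         -h "$(printf '%s' "$json" | jq -r .host)" \
         -p "$(printf '%s' "$json" | jq -r '.port // 5432')" \
         -U "$(printf '%s' "$json" | jq -r .username)" \
         -d postgres
}
```

The statements are fed to psql on stdin rather than with -c, because CREATE DATABASE cannot run inside the single transaction that a multi-statement -c string implies.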