Provides the AWS resources typically required by projects. The resources are defined in a cloud-provider-agnostic, developer-friendly YAML format. An example:
```yaml
stack:
  uptimeEnabled: true
  backupEnabled: true
  auth:
    serviceAccounts:
      - name: my-project-prod-server
      - name: my-project-prod-worker
    roles:
      my-role: {}
      notification-publisher:
        assumeRolePolicy:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - sts:AssumeRole
              Principal:
                AWS:
                  - arn:aws:iam::111111111111:role/LambdaRoleOfAnotherAccount
        permissionPolicy:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - sns:Publish
              Resource: 'arn:aws:sns:::my-project-prod-notifications'
  ingress:
    enabled: true
    class: cloudfront
    createMainDomain: false
    domains:
      - name: myproject.mydomain.com
        mainDomain: mydomain.com
        altDomains:
          - name: www.myproject.mydomain.com
  services:
    admin:
      type: static
      path: /admin
      uptimePath: /admin
    client:
      type: static
      path: /
      uptimePath: /
    server:
      type: function
      path: /api
      uptimePath: /api/uptimez
      timeout: 3
      runtime: nodejs20.x
      memoryRequest: 128
      tags:
        customtag: customvalue
      secrets:
        DATABASE_PASSWORD: my-project-prod-app
        REDIS_PASSWORD: ${taito_project}-${taito_env}-redis.secretKey
      env:
        TOPIC_NOTIFICATIONS: my-project-prod-notifications
        DATABASE_HOST: my-postgres.c45t0ln04uqh.us-east-1.rds.amazonaws.com
        DATABASE_PORT: 5432
        DATABASE_SSL_ENABLED: true
        DATABASE_NAME: my-project-prod
        DATABASE_USER: my-project-prod-app
        DATABASE_POOL_MIN: 5
        DATABASE_POOL_MAX: 10
        REDIS_HOST: my-project-prod-001.my-project-prod.nde1c2.use1.cache.amazonaws.com
        REDIS_PORT: 6379
        S3_BUCKET: my-project-prod
        S3_REGION: us-east-1
      # Example: Allow bucket/topic access with permissionPolicy instead of service account
      permissionPolicy:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - s3:GetObject
              - s3:PutObject
              - s3:PutObjectAcl
            Resource: 'arn:aws:s3:::my-project-prod/*'
          - Effect: Allow
            Action:
              - sns:Publish
            Resource: 'arn:aws:sns:::my-project-prod-notifications'
    worker:
      type: function
      concurrency: 5
      timeout: 100
      runtime: nodejs20.x
      memoryRequest: 512
      deadLetterQueue: my-project-prod-dlq
      # deadLetterTopic:
      secrets:
        DATABASE_PASSWORD: my-project-prod-app
      env:
        DATABASE_HOST: my-postgres.c45t0ln04uqh.us-east-1.rds.amazonaws.com
        DATABASE_PORT: 5432
        DATABASE_SSL_ENABLED: true
        DATABASE_NAME: my-project-prod
        DATABASE_USER: my-project-prod-app
        DATABASE_POOL_MIN: 5
        DATABASE_POOL_MAX: 10
      sources:
        - type: queue
          name: my-project-prod-jobs.fifo
          batchSize: 5
      cronJobs:
        - name: refresh
          schedule: cron(0 * * * ? *)
          command: refresh
    dlq:
      type: queue
      name: my-project-prod-dlq
    jobs:
      type: queue
      name: my-project-prod-jobs.fifo
      queueType: fifo
      visibilityTimeout: 600
      # Example: Allow role of another account to send directly without assume role
      accessPolicy:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - sqs:SendMessage
              - sqs:GetQueueAttributes
            Principal:
              AWS:
                - arn:aws:iam::111111111111:role/roleOfAnotherAccount
    notifications:
      type: topic
      name: my-project-prod-notifications
      subscribers:
        - id: my-project-prod-worker
    worker:
      type: container # TODO: implement
      image: my-registry/my-worker:1234
      replicas: 2
      memoryRequest: 128
      secrets:
        # Example: Allow bucket/topic access with service account instead of permissionPolicy
        SERVICE_ACCOUNT_KEY: my-project-prod-worker-serviceaccount.key
      env:
        TOPIC_NOTIFICATIONS: my-project-prod-notifications
        S3_BUCKET: my-project-prod
        S3_REGION: us-east-1
    redis:
      type: redis
      name: my-project-prod
      replicas: 2
      machineType: cache.t2.small
      zones:
        - us-east-1a
        - us-east-1b
      secret: my-project-prod-redis.secretKey
    bucket:
      type: bucket
      name: my-bucket-prod
      location: us-east-1
      storageClass: STANDARD_IA
      corsRules:
        - allowedOrigins:
            - https://myproject.mydomain.com
            - https://www.myproject.mydomain.com
      queues: # TODO: implement
        - name: my-bucket-prod
          events:
            - s3:ObjectCreated:Put
            - s3:ObjectRemoved:Delete
      # Object lifecycle
      versioning: true
      versioningRetainDays: 60
      lockRetainDays: # TODO: implement
      transitionRetainDays:
      transitionStorageClass:
      autoDeletionRetainDays:
      # Replication (TODO: implement)
      replicationBucket:
      # Backup (TODO: implement)
      backupRetainDays: 60
      backupLocation: us-west-1
      backupLock: true
      # User rights
      admins:
        - id: john.doe
      objectAdmins:
        - id: jane.doe
        - id: my-project-prod-worker
      objectViewers:
        - id: jack.doe
```
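The format above embeds raw IAM and SQS policy documents (`auth.roles.*.assumeRolePolicy`, `auth.roles.*.permissionPolicy`, `services.*.permissionPolicy`, `services.*.accessPolicy`) and separates `secrets` from `env`. As an added example that is not part of this module, the following Python lint walks a parsed stack (the dict shape `yaml.safe_load` returns) and flags wildcard principals in trust and queue access policies, wildcard actions or resources in permission policies, and secret-looking keys placed under `env`. The sample stack, role names and findings format are constructed for the example.

```python
import re

# Constructed sample in the shape yaml.safe_load returns for a stack YAML.
# Names and ARNs are placeholders; two of the policies are deliberately weak.
SAMPLE_STACK = {
    "auth": {"roles": {"notification-publisher": {
        "assumeRolePolicy": {"Statement": [{"Effect": "Allow",
            "Action": ["sts:AssumeRole"], "Principal": {"AWS": "*"}}]},
        "permissionPolicy": {"Statement": [{"Effect": "Allow",
            "Action": ["sns:*"], "Resource": "*"}]}}}},
    "services": {
        "server": {"type": "function",
            "env": {"DATABASE_HOST": "db.example.internal",
                    "DATABASE_PASSWORD": "hunter2"},
            "permissionPolicy": {"Statement": [{"Effect": "Allow",
                "Action": ["s3:GetObject"],
                "Resource": "arn:aws:s3:::my-project-prod/*"}]}},
        "jobs": {"type": "queue",
            "accessPolicy": {"Statement": [{"Effect": "Allow",
                "Action": ["sqs:SendMessage"],
                "Principal": {"AWS": ["arn:aws:iam::111111111111:role/roleOfAnotherAccount"]}}]}}}}

SECRET_KEY = re.compile(r"(PASSWORD|SECRET|TOKEN|PRIVATE_KEY|API_KEY)$")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _has_wildcard(values):
    # "*" or "service:*" grants far more than a service needs
    return any(str(v) == "*" or str(v).endswith(":*") for v in _as_list(values))

def _wildcard_principal(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and any("*" in _as_list(v) for v in principal.values())

def lint_policy(where, policy, trust):
    """trust=True for assumeRolePolicy/accessPolicy (who may call), else what is granted."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        if _has_wildcard(st.get("Action", [])):
            findings.append(f"{where}: wildcard Action {st['Action']}")
        if trust and _wildcard_principal(st.get("Principal")):
            findings.append(f"{where}: wildcard Principal (anyone may call)")
        if not trust and _has_wildcard(st.get("Resource", [])):
            findings.append(f"{where}: wildcard Resource")
    return findings

def lint_stack(stack):
    findings = []
    for name, role in stack.get("auth", {}).get("roles", {}).items():
        for key, trust in (("assumeRolePolicy", True), ("permissionPolicy", False)):
            if key in role:
                findings += lint_policy(f"auth.roles.{name}.{key}", role[key], trust)
    for name, svc in stack.get("services", {}).items():
        for key, trust in (("permissionPolicy", False), ("accessPolicy", True)):
            if key in svc:
                findings += lint_policy(f"services.{name}.{key}", svc[key], trust)
        for env_key in svc.get("env", {}):
            if SECRET_KEY.search(env_key):  # belongs under secrets, not env
                findings.append(f"services.{name}.env.{env_key}: looks like a secret, move it to secrets")
    return findings
```

Run `lint_stack` on the output of `yaml.safe_load` of the project's stack file to get the same findings list for real configuration.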
With the create_* variables you can choose which resources are created or updated in which phase. For example, you can choose to update some of the resources manually when the environment is created or updated:

```hcl
create_cicd_service_account = true
create_cicd_role = false
create_domain = true
create_domain_certificate = true
create_storage_buckets = true
create_databases = true
create_in_memory_databases = true
create_queues = true
create_topics = true
create_service_accounts = true
create_roles = true
create_uptime_checks = true
create_container_image_repositories = true
```
and choose to update the gateway, containers, and functions on every deployment in your CI/CD pipeline:

```hcl
create_ingress = true
create_containers = true
create_functions = true
create_function_permissions = true
```
A similar YAML format is also used by the following modules:
- AWS project resources
- Azure project resources
- Google Cloud project resources
- Digital Ocean project resources
- Full-stack template (Helm chart for Kubernetes)
NOTE: This module creates resources for only one project environment. That is, resources shared among multiple projects or project environments (e.g. users, roles, VPC networks, Kubernetes clusters, database clusters) must already exist. You can use the following modules to create the shared infrastructure:
- Admin
- DNS
- Network
- Compute
- Kubernetes
- Databases
- Storage
- Monitoring
- Integrations
- PostgreSQL privileges
- MySQL privileges
TIP: This module is used by the project templates of Taito CLI. See the full-stack-template as an example of how to use this module.
Contributions are welcome! This module should include implementations for the most commonly used AWS services. For more specific cases, the YAML can be extended with additional Terraform modules.