A sample infra resources code in Terraform that goes into a target workload account. This code is pushed into the AWS CodeCommit repo for our sample.

• Sample Workload Infra
• Prerequisites
• To push the infra repo code into AWS CodeCommit in the central tooling account
• To deploy resources into the target workload accounts
• To destroy the resources in the target workload accounts
• Security
• License

• Regional resources: An external facing ALB all the way down to the VPC.
• Global resources: An IAM role.

Once all resources are deployed (see section on how to deploy resources) then go to EC2 -> Load Balancer (demo*) -> DNS Name -> Copy it and open it in the browser (make sure to use http:// and not https://).

• Set up the central tooling account as per its README in the sister repo aws-multi-region-cicd-with-terraform that will create the AWS CodeCommit repo.

• See instructions in the sister repo aws-multi-region-cicd-with-terraform

• See instructions on how to kick off an infra pipeline (in the central tooling account) at the sister repo aws-multi-region-cicd-with-terraform

• If not done already, use aws configure with your IAM user credentials for the central tooling account and then assume InfraBuildRole:

# You can use below one liner
# For details, see [this](https://aws.amazon.com/premiumsupport/knowledge-center/iam-assume-role-cli/
OUT=$(aws sts assume-role --role-arn arn:aws:iam::111122223333:role/InfraBuildRole --role-session-name INFRA_BUILD);export AWS_ACCESS_KEY_ID=$(echo $OUT | jq -r '.Credentials''.AccessKeyId');export AWS_SECRET_ACCESS_KEY=$(echo $OUT | jq -r '.Credentials''.SecretAccessKey');export AWS_SESSION_TOKEN=$(echo $OUT | jq -r '.Credentials''.SessionToken');

# Verify you assumed the role
aws sts get-caller-identity
{
    "UserId": "AAA:INFRA_BUILD",
    "Account": "111122223333",
    "Arn": "arn:aws:sts::111122223333:assumed-role/InfraBuildRole/INFRA_BUILD"
}

• Use the regional resources destroy shell script in this repo to generate the tf plan for the account and region. Inspect the tf plan and then run terraform apply "tfplan"

./scripts/run-tf-regional-destroy.sh -t <tag> -b <tf_backend_config_prefix> -r <tf_state_region> -g <global_resource_deployment_region>
# Ex: ./scripts/run-tf-regional-destroy.sh -t dev_us-east-1/research/1.0 -g eu-central-1 -r eu-central-1 -b org-awesome-tf-state

• Then, use the global resources destroy shell script in this repo to generate the tf plan for the account. Inspect the tf plan and then run terraform apply "tfplan"

./scripts/run-tf-global-destroy.sh -t <tag> -b <tf_backend_config_prefix> -r <tf_state_region> -g <global_resource_deployment_region>
# Ex: ./scripts/run-tf-global-destroy.sh -t dev_global/research/1.0 -g eu-central-1 -r eu-central-1 -b org-awesome-tf-state

See CONTRIBUTING for more information.

This library is licensed under the MIT-0 License. See the LICENSE file.