FEATURES:
- Added AWS CloudTrail module
- Added Vault cluster with a dedicated etcd storage backend
DESIGN CHANGE:
In the previous implementation, a single build directory held all resources, so there was only one terraform.tfstate file to maintain.
For more complicated setups, ongoing modifications to the infrastructure, e.g. a small change such as a security group rule, could take a long time because every resource had to be refreshed and checked for consistency.
In this release, each resource has its own terraform/<resource> and corresponding build/<resource> directory (and therefore its own state file), so it can be managed individually. For example, the make <resource_only> target will only plan and apply changes for that resource, without checking the vpc dependency, if you are sure there are no vpc changes. This speeds up operations, but note that it also skips detecting drift in the resources it does not refresh.
This release is backwards incompatible because of the structure change; you will need to migrate to the new structure.
FEATURES:
- envs.sh: this file overrides the default environment variable values in the Makefile. See envs.sh.sample.
- lock, unlock: these targets can be used in a team workflow so that only the person who holds the lock alters the infrastructure. An AWS key pair is used to implement the lock. The lock is a coordination mechanism between users of the Makefile; it is not an IAM permission boundary.
- session start, session end: like lock and unlock, these targets force a git pull and git push to keep the repository in sync if you use git to maintain Terraform state and code. Note that terraform.tfstate can contain secrets in clear text (generated keys, passwords, certificates), so a repository that holds state must be treated as sensitive.
- etcd cluster: the default cluster contains 1 etcd node and 1 worker node, of instance type t2.micro. Change these in terraform/etcd/etcd.tf or terraform/worker/worker.tf for different configurations. The etcd cluster runs in an autoscaling group and can self-discover IP changes.
- graph: the make graph target generates a dependency graph in PNG format under the build/ directory. See graph-examples for examples.
- two-stage bootstrapping: all instances use the same user-data file, a bootstrap script that downloads the instance's specific cloud-config file from the corresponding S3 bucket; CoreOS then runs cloud-config using the downloaded cloud-config YAML file. This means you rarely need to tear down and rebuild a machine if the only change is in cloud-config.yaml: rebooting the instance will pick up the change.
- application bootstrapping: a git-sync timer unit, provisioned by cloud-config, downloads application-related code, such as post-boot provisioning, account creation, file system mounts, Docker unit files etc. The content of the application repo is cloned under /var/lib/apps. The timer runs every minute to pick up new changes. A default app repo is provided, and you can change it in envs.sh to use your own repository. You can also configure a private key for git-sync to use for the sync. Because whatever is in that repository is executed on every instance, write access to it is equivalent to root on the fleet; protect it accordingly.
- route53, IAM server certificate: these are optional resources. If you define APP_DOMAIN in envs.sh, the domain name is used as the default Route 53 zone, and a self-signed wildcard server certificate is generated that can be used as the default ELB certificate (clients will not trust it until you replace it with a certificate from a CA they trust).
- default VPC: if you change the AWS region, go through the terraform/vpc directory and make sure the availability zones are set correctly for the region; otherwise the build will fail.
- technical details: See Technical notes.
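The following is an added example, not the project's own user-data or cloud-config, showing the two-stage bootstrapping and the git-sync timer unit described in the two items above. Everything not stated in the release notes is an assumption: the bucket name and instance role come from the CLOUD_CONFIG_BUCKET and CLOUD_CONFIG_ROLE variables, the per-role file is assumed to live at s3://<bucket>/<role>/cloud-config.yaml, the validate step is an added sanity check, and the sample cloud-config (with placeholder repository URL and deploy key path) is constructed here so the script can be exercised offline.

```sh
#!/bin/sh
# Added example: constant user-data bootstrap script for the two-stage design.
# Not the project's own script. Assumed (not from the release notes):
#   CLOUD_CONFIG_BUCKET  bucket holding the per-role cloud-config files
#   CLOUD_CONFIG_ROLE    this instance's role (etcd, worker, ...)
#   layout               s3://<bucket>/<role>/cloud-config.yaml
set -eu

: "${CLOUD_CONFIG_BUCKET:=example-cloud-config-bucket}"   # assumed name
: "${CLOUD_CONFIG_ROLE:=worker}"                           # assumed role
: "${CLOUD_CONFIG_DEST:=/var/lib/bootstrap/cloud-config.yaml}"

# Object key for a role's cloud-config under the assumed bucket layout.
cloud_config_key() {
  printf '%s/cloud-config.yaml' "$1"
}

# Stage 1: download the role's cloud-config from S3. Retries because instance
# profile credentials can take a few seconds to become available after boot.
fetch_cloud_config() {
  bucket=$1; key=$2; dest=$3
  mkdir -p "$(dirname "$dest")"
  for attempt in 1 2 3 4 5; do
    if aws s3 cp "s3://$bucket/$key" "$dest.tmp"; then
      mv "$dest.tmp" "$dest"
      return 0
    fi
    sleep $((attempt * 2))
  done
  echo "bootstrap: could not fetch s3://$bucket/$key" >&2
  return 1
}

# Added check: refuse to hand coreos-cloudinit an empty file or one that lacks
# the #cloud-config marker (e.g. an error document or a truncated download).
validate_cloud_config() {
  file=$1
  [ -s "$file" ] || return 1
  head -n 1 "$file" | grep -q '^#cloud-config' || return 1
  return 0
}

# Stage 2: apply the downloaded file. User-data runs again on every boot, so a
# reboot re-fetches and re-applies an updated cloud-config without a rebuild.
apply_cloud_config() {
  coreos-cloudinit --from-file "$1"
}

bootstrap() {
  key=$(cloud_config_key "$CLOUD_CONFIG_ROLE")
  fetch_cloud_config "$CLOUD_CONFIG_BUCKET" "$key" "$CLOUD_CONFIG_DEST"
  validate_cloud_config "$CLOUD_CONFIG_DEST" || {
    echo "bootstrap: $CLOUD_CONFIG_DEST is not a cloud-config file" >&2
    return 1
  }
  apply_cloud_config "$CLOUD_CONFIG_DEST"
}

# Constructed sample of what the S3-hosted cloud-config could contain: the
# git-sync service plus its one-minute timer keeping /var/lib/apps in sync.
# Repository URL and deploy key path are placeholders.
sample_cloud_config() {
  cat <<'EOF'
#cloud-config
coreos:
  units:
    - name: git-sync.service
      content: |
        [Unit]
        Description=Sync application repository into /var/lib/apps
        After=network-online.target
        [Service]
        Type=oneshot
        Environment=APP_REPO=git@example.invalid:apps.git
        # Placeholder deploy key; keep host key checking on (and ship the
        # host key in known_hosts) so the repository cannot be substituted.
        Environment="GIT_SSH_COMMAND=ssh -i /var/lib/git-sync/id_rsa -o StrictHostKeyChecking=yes"
        ExecStart=/bin/sh -c 'if [ -d /var/lib/apps/.git ]; then git -C /var/lib/apps pull --ff-only; else git clone "$APP_REPO" /var/lib/apps; fi'
    - name: git-sync.timer
      command: start
      content: |
        [Unit]
        Description=Run git-sync every minute
        [Timer]
        OnBootSec=1min
        OnUnitActiveSec=1min
        [Install]
        WantedBy=timers.target
EOF
}

# Run the bootstrap only where coreos-cloudinit exists, i.e. on the instance;
# elsewhere this file only defines the functions above.
if command -v coreos-cloudinit >/dev/null 2>&1; then
  bootstrap
fi
```

Two details matter for the "reboot picks up the change" property: the user-data script itself never changes (only the object in S3 does), and the instance profile must allow s3:GetObject on that bucket, otherwise the fetch loop exhausts its retries and the instance boots with no cloud-config applied.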
Initial release.