- terraform 0.14.11
- python, pip, awscli, pre-commit
- AWS Session Manager plugin (https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html), with SSH connections through Session Manager enabled as described at https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-getting-started-enable-ssh-connections.html#ssh-connections-enable
- Create a new AWS account and set up the root user with MFA.
- Create another IAM user with the `AdministratorAccess` managed policy attached and set up MFA for it as well. Use this user, not root, for the Terraform runs below.
- git clone this repository
- Install the pre-commit hooks:

  ```sh
  pre-commit install
  ```
This deploys an S3 bucket and a DynamoDB table for Terraform state storage and locking. The first apply runs with a local backend, because the bucket that will hold the state does not exist yet.

- change directory to `terraform/tf-state` and apply with the local backend:

  ```sh
  cd terraform/tf-state
  terraform init
  terraform apply
  ```

- push the Terraform state to S3: un-comment the `s3` backend block, then re-run `init`. Terraform detects the backend change and offers to copy the local state into the bucket (answer `yes`). Keep a local copy of the state afterwards; the destroy step below needs it.

  ```sh
  terraform init
  terraform apply
  terraform state pull > terraform.tfstate
  ```

- destroy: comment the `s3` backend block out again so Terraform reads the local `terraform.tfstate` (the remote copy lives in the bucket you are about to delete), re-init, and destroy every resource except the S3 bucket. Then empty the bucket and delete it manually: Terraform will not delete a bucket that still holds objects (the state file, and old versions if versioning is enabled).

  ```sh
  terraform init
  terraform destroy -target <terraform-resource-name>
  ```
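Because the state file records every attribute Terraform manages, including secrets such as the Elasticsearch master user password set by the environment stack, the state bucket needs to be private, encrypted and versioned. The following is an added example, not the repository's own `tf-state` code: it shows a bucket and lock table with those controls, and the commented `s3` backend block that the un-comment/comment steps above refer to. The bucket name, table name and region are assumptions.

```hcl
# Added example, not the repository's own tf-state code.
# Bucket name, table name and region are assumptions; substitute your own.

terraform {
  required_version = "~> 0.14.11"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.0"
    }
  }

  # Keep this block commented for the first apply (local backend).
  # Un-comment it and run `terraform init` to migrate the state to S3.
  # Comment it out again before running `terraform destroy`.
  #
  # backend "s3" {
  #   bucket         = "example-tf-state-bucket"    # assumption
  #   key            = "tf-state/terraform.tfstate"
  #   region         = "us-east-1"                  # assumption
  #   dynamodb_table = "example-tf-state-lock"      # assumption
  #   encrypt        = true                         # SSE for the state object
  # }
}

provider "aws" {
  region = "us-east-1" # assumption
}

resource "aws_s3_bucket" "tf_state" {
  bucket = "example-tf-state-bucket" # assumption
  acl    = "private"

  # Old state versions survive an accidental overwrite or a bad apply.
  versioning {
    enabled = true
  }

  # Encrypt every object at rest, even if a caller forgets `encrypt = true`.
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }

  # force_destroy is deliberately left unset: emptying and deleting the
  # bucket stays a manual step, as in the destroy procedure above.
}

# Block every form of public access to the bucket.
resource "aws_s3_bucket_public_access_block" "tf_state" {
  bucket                  = aws_s3_bucket.tf_state.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Lock table: the s3 backend stores one item per state file, keyed by LockID.
resource "aws_dynamodb_table" "tf_lock" {
  name         = "example-tf-state-lock" # assumption
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"

  attribute {
    name = "LockID"
    type = "S"
  }
}
```

The `versioning` and `server_side_encryption_configuration` arguments inside `aws_s3_bucket` are the provider 3.x form; provider 4.x moves them to separate resources, which is why the example pins `~> 3.0`.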
This deploys ECS/Fargate (an nginx container), an AWS Elasticsearch Service domain and an EC2 instance used as a bastion. The bastion has no inbound access; it is reachable only through AWS Systems Manager Session Manager (see https://aws.amazon.com/premiumsupport/knowledge-center/systems-manager-ssh-vpc-resources/).

- change directory to `terraform/environment` and apply:

  ```sh
  cd terraform/environment
  terraform init
  terraform apply
  ```

After Elasticsearch is up and running, follow the directions under "I'm unable to stream my CloudWatch log group to an Amazon ES domain when fine-grained access control is enabled" at https://aws.amazon.com/tr/premiumsupport/knowledge-center/es-troubleshoot-cloudwatch-logs/. With fine-grained access control on, the Lambda function's execution role has to be mapped to a backend role in the domain's security plugin before it is allowed to write log data.
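The bastion pattern above (reachable only through Session Manager) works because the instance needs no inbound security-group rule at all: the SSM agent opens outbound HTTPS connections to the `ssm`, `ssmmessages` and `ec2messages` services, and the session is tunnelled over those. The following is an added example, not the repository's `terraform/environment` code, showing that arrangement together with the interface endpoints that let the agent work from a private subnet with no NAT gateway. The `vpc_id`, `private_subnet_id`, `vpc_cidr` and `ami_id` variables and the `t3.micro` instance type are assumptions.

```hcl
# Added example, not the repository's own environment code.
# The variables below are assumptions; wire them to your own VPC module.
variable "vpc_id" {}            # assumption
variable "private_subnet_id" {} # assumption
variable "vpc_cidr" {}          # assumption, e.g. "10.0.0.0/16"
variable "ami_id" {}            # assumption: Amazon Linux 2 ships the SSM agent

data "aws_region" "current" {}

# Instance role with only the managed policy Session Manager needs.
data "aws_iam_policy_document" "ec2_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "bastion" {
  name               = "bastion-ssm"
  assume_role_policy = data.aws_iam_policy_document.ec2_assume.json
}

resource "aws_iam_role_policy_attachment" "ssm_core" {
  role       = aws_iam_role.bastion.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}

resource "aws_iam_instance_profile" "bastion" {
  name = "bastion-ssm"
  role = aws_iam_role.bastion.name
}

# No ingress block at all: port 22 is never exposed. Egress is HTTPS to the
# VPC only, which is enough because the SSM endpoints below live in the VPC.
resource "aws_security_group" "bastion" {
  name   = "bastion-ssm"
  vpc_id = var.vpc_id

  egress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [var.vpc_cidr]
  }
}

# Endpoint security group: accept HTTPS from inside the VPC.
resource "aws_security_group" "ssm_endpoints" {
  name   = "ssm-endpoints"
  vpc_id = var.vpc_id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [var.vpc_cidr]
  }
}

# The three services the agent talks to. Without these (or a NAT gateway)
# the instance never registers and Session Manager cannot reach it.
# private_dns_enabled needs DNS support and DNS hostnames enabled on the VPC.
resource "aws_vpc_endpoint" "ssm" {
  for_each            = toset(["ssm", "ssmmessages", "ec2messages"])
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${data.aws_region.current.name}.${each.key}"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = [var.private_subnet_id]
  security_group_ids  = [aws_security_group.ssm_endpoints.id]
  private_dns_enabled = true
}

resource "aws_instance" "bastion" {
  ami                         = var.ami_id
  instance_type               = "t3.micro" # assumption
  subnet_id                   = var.private_subnet_id
  vpc_security_group_ids      = [aws_security_group.bastion.id]
  iam_instance_profile        = aws_iam_instance_profile.bastion.name
  associate_public_ip_address = false

  # Require IMDSv2 so a process on the box cannot read the instance role
  # credentials from the metadata service with a plain unauthenticated GET.
  metadata_options {
    http_tokens = "required"
  }

  tags = { Name = "bastion" }
}
```

With the plugin from the prerequisites installed, `aws ssm start-session --target <instance-id>` opens a shell with no key pair on the instance. If you use the SSH-over-Session-Manager tunnel from the linked AWS doc instead, `sshd` still authenticates the client, so the instance then needs a `key_name` or another way to provision an authorised key. The same `aws_vpc_endpoint` pattern applies to the ECR improvement listed below (`ecr.api` and `ecr.dkr` interface endpoints plus an S3 gateway endpoint, since image layers are served from S3).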
If you want to limit egress to the internet, switch to VPC endpoints. They can cost slightly more than a NAT gateway and need considerably more configuration, but they give the most control over what the private subnets can reach and are a very secure approach.

Possible improvements:

- Switch to an AWS ECR repository for the container image, so an outage of a public registry cannot block deployments.
- Use VPC endpoints for ECR access (`ecr.api`, `ecr.dkr` and an S3 gateway endpoint for the image layers), so no NAT gateway is required.
- Switch the containers to TLS instead of plain text. Once that is done, update the load balancer listener to HTTPS.
- Move to an internal load balancer in the private subnet and only allow access from the private subnet. This also requires something like AWS Client VPN for operators to reach it.
- Switch Elasticsearch/Kibana to Cognito/SAML authentication instead of a master user: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/saml.html. Once that is done the master user/password can be removed.
- Find another option to automate the Lambda that delivers logs from CloudWatch Logs to Elasticsearch.
- See whether other Elasticsearch configuration, such as dashboards, can be automated.
- Remove the bastion instance, set up AWS Client VPN, and expose Elasticsearch and Kibana over the Client VPN only.
- `tf-state` should use more limited IAM policies for S3/DynamoDB, scoped to the state bucket and lock table rather than relying on the administrator user.
- Name/tag all resources to make them easier to track and understand.
- Break up `terraform/environment/*` into a couple of separate modules to speed up iteration, since Elasticsearch can take a while to deploy.
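For the `tf-state` IAM item above, the S3 backend only needs to list the bucket, read and write the one state object, and read, write and delete items in the lock table. The following is an added example, not the repository's own code: an `aws_iam_policy_document` scoped to exactly that, which can be attached to whatever user or role runs Terraform instead of granting it bucket-wide or table-wide access. The bucket name, state key and table name are assumptions and must match the backend block. It covers the state backend only; creating the ECS, Elasticsearch and EC2 resources still needs their own permissions.

```hcl
# Added example, not the repository's own code.
# Names below are assumptions and must match the backend "s3" block.
locals {
  state_bucket = "example-tf-state-bucket"    # assumption
  state_key    = "tf-state/terraform.tfstate" # assumption, the backend `key`
  lock_table   = "example-tf-state-lock"      # assumption
}

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

data "aws_iam_policy_document" "tf_state_rw" {
  # ListBucket is needed so Terraform can tell whether a state file exists yet.
  statement {
    sid       = "ListStateBucket"
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::${local.state_bucket}"]
  }

  # Read and write only the state object itself, not arbitrary keys.
  statement {
    sid       = "ReadWriteStateObject"
    actions   = ["s3:GetObject", "s3:PutObject"]
    resources = ["arn:aws:s3:::${local.state_bucket}/${local.state_key}"]
  }

  # The lock table needs item-level read/write/delete plus DescribeTable.
  statement {
    sid = "StateLock"
    actions = [
      "dynamodb:DescribeTable",
      "dynamodb:GetItem",
      "dynamodb:PutItem",
      "dynamodb:DeleteItem",
    ]
    resources = [
      "arn:aws:dynamodb:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/${local.lock_table}",
    ]
  }
}

resource "aws_iam_policy" "tf_state_rw" {
  name   = "terraform-state-rw"
  policy = data.aws_iam_policy_document.tf_state_rw.json
}
```

If the environment stack and the tf-state stack store state under different keys, give each its own `ReadWriteStateObject` resource entry rather than widening the key to a wildcard; the lock table statement can be shared, since the backend keys lock items by bucket and key.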