Skip to content

Latest commit

 

History

History
487 lines (427 loc) · 70.3 KB

README.md

File metadata and controls

487 lines (427 loc) · 70.3 KB

Terraform Seqera Infrastructure Deployment Module

This Terraform code deploys infrastructure resources using the following modules:

  • VPC: Creates a Virtual Private Cloud (VPC) with subnets, routing, and networking configurations.
  • EKS: Provisions an Amazon Elastic Kubernetes Service (EKS) cluster with managed node groups.
  • Security-Group: Sets up a security group for access from the EKS cluster to the database.
  • RDS: Deploys an Amazon RDS database instance.
  • Elasticache-Redis: Creates a Redis MemoryDB cluster.
  • EC2: Creates en EC2 instance

Prerequisites

Before running this Terraform code, ensure you have the following prerequisites in place: Terraform CLI is installed on your local machine.

Usage

Follow the steps below to deploy the infrastructure:

Example EKS cluster:

## Module
module "terraform-seqera-aws" {
  source  = "github.com/seqeralabs/terraform-seqera-aws"
  region  = "eu-west-2"

  ## VPC
  vpc_name = "my-seqera-tf-vpc"

  ## EKS
  create_eks_cluster  = true
  cluster_name    = "my-seqera-tf-cluster"
  cluster_version = "1.27"
  eks_managed_node_group_defaults_instance_types = ["t3.medium"]
  eks_managed_node_group_defaults_capacity_type = "ON_DEMAND"
  eks_aws_auth_roles = [
    "arn:aws:iam::1234567890123:role/MyIAMRole",
  ]

  eks_aws_auth_users = [
    "arn:aws:iam::1234567890123:user/MyIAMUSer"
  ]

  default_tags = {
    Environment = "myenvironment"
    ManagedBy   = "Terraform"
    Product     = "Seqera"
  }
}

## Outputs
output "database_url" {
  value = module.terraform-seqera-aws.database_url
}

output "redis_url" {
  value = module.terraform-seqera-aws.redis_url
}

output "seqera_irsa_role_name" {
  value = module.terraform-seqera-aws.seqera_irsa_role_name
}

Example of public EC2 instance with your local SSH public key main.tf

module "terraform-seqera-aws" {
  source  = "github.com/seqeralabs/terraform-seqera-aws"
  region  = "eu-west-2"

  ## VPC
  vpc_name = "seqera-vpc"

  ## EC2 Instance
  create_ec2_instance = true
  create_ec2_instance_local_key_pair = true
  create_ec2_public_instance = true

  default_tags = {
    Environment = "development"
    ManagedBy   = "Terraform"
    Product     = "Seqera"
    CreatedBy   = "DevOps"
  }
}

output "database_url" {
  value = module.terraform-seqera-aws.database_url
}

output "redis_url" {
  value = module.terraform-seqera-aws.redis_url
}

output "ec2_instance_public_dns_name" {
  value = module.terraform-seqera-aws.ec2_instance_public_dns_name
}

Note: To connect to the EC2 instance use the following syntax ssh ec2-user@<EC2 Instance Public DNS Name>

Example of public EC2 instance with existing AWS key pair main.tf

module "terraform-seqera-aws" {
  source  = "github.com/seqeralabs/terraform-seqera-aws"
  region  = "eu-west-2"

  ## VPC
  vpc_name = "seqera-vpc"

  ## EC2 Instance
  create_ec2_instance = true
  ec2_instance_key_name = "my-key-pair"
  create_ec2_public_instance = true

  default_tags = {
    Environment = "development"
    ManagedBy   = "Terraform"
    Product     = "Seqera"
    CreatedBy   = "DevOps"
  }
}

output "database_url" {
  value = module.terraform-seqera-aws.database_url
}

output "redis_url" {
  value = module.terraform-seqera-aws.redis_url
}

output "ec2_instance_public_dns_name" {
  value = module.terraform-seqera-aws.ec2_instance_public_dns_name
}

Example of private EC2 instance

module "terraform-seqera-aws" {
  source  = "github.com/seqeralabs/terraform-seqera-aws"
  region  = "eu-west-2"

  ## VPC
  vpc_name = "seqera-vpc"

  ## EC2 Instance
  create_ec2_instance = true
  enable_ec2_instance_session_manager_access = true

  default_tags = {
    Environment = "development"
    ManagedBy   = "Terraform"
    Product     = "Seqera"
    CreatedBy   = "DevOps"
  }
}

output "database_url" {
  value = module.terraform-seqera-aws.database_url
}

output "redis_url" {
  value = module.terraform-seqera-aws.redis_url
}

output "ec2_instance_id" {
  value = module.terraform-seqera-aws.ec2_instance_id
}

Note: To connect to the private EC2 instance, you will need to use the aws ssm plugin. the syntax is aws ssm start-session --target <EC2 Instance ID>

Example of public EC2 instance with secure SSM Session Manager access main.tf

module "terraform-seqera-aws" {
  source  = "github.com/seqeralabs/terraform-seqera-aws"
  region  = "eu-west-2"

  ## VPC
  vpc_name = "seqera-vpc"

  ## EC2 Instance
  create_ec2_instance = true
  enable_ec2_instance_session_manager_access = true
  create_ec2_public_instance = true
  ec2_instance_security_group_ingress_rules_names = ["http-80-tcp", "https-443-tcp"]

  default_tags = {
    Environment = "development"
    ManagedBy   = "Terraform"
    Product     = "Seqera"
    CreatedBy   = "DevOps"
  }
}

output "database_url" {
  value = module.terraform-seqera-aws.database_url
}

output "redis_url" {
  value = module.terraform-seqera-aws.redis_url
}

Note: To connect to the private EC2 instance, you will need to use the aws ssm plugin. the syntax is aws ssm start-session --target <EC2 Instance ID>

  1. Clone this repository to your local machine.
  2. Navigate to the project directory.
  3. Initialize the Terraform configuration by running the following command:
terraform init
  1. Review the variables in the variables.tf file and update them as per your requirements.
  2. Run the Terraform plan command to see the execution plan:
terraform plan

If the plan looks good, apply the changes by running the following command:

terraform apply
  1. Confirm the changes by typing yes when prompted. Wait for Terraform to provision the infrastructure resources.

  2. Once the deployment is complete, you will see the output values that provide information about the provisioned resources.

The following outputs will be displayed after successful deployment:

Cleanup

To destroy the provisioned infrastructure and clean up resources, run the following command:

terraform destroy

Confirm the action by typing yes when prompted.

License

This Terraform code is licensed under the Apache License

Requirements

Name Version
terraform >= 1.6.0
aws 5.0.0
helm 2.11.0
http 3.4.0
kubectl 1.14.0
kubernetes 2.23.0
random 3.5.1

Providers

Name Version
aws 5.0.0
helm 2.11.0
http 3.4.0
kubectl 1.14.0
kubernetes 2.23.0
random 3.5.1

Modules

Name Source Version
access_logs_s3_bucket terraform-aws-modules/s3-bucket/aws 3.15.1
aws_cluster_autoscaler_iam_policy terraform-aws-modules/iam/aws//modules/iam-policy 5.30.0
aws_ebs_csi_driver_iam_policy terraform-aws-modules/iam/aws//modules/iam-policy 5.30.0
aws_efs_csi_driver_iam_policy terraform-aws-modules/iam/aws//modules/iam-policy 5.30.0
aws_loadbalancer_controller_iam_policy terraform-aws-modules/iam/aws//modules/iam-policy 5.30.0
db terraform-aws-modules/rds/aws 6.1.1
db_sg terraform-aws-modules/security-group/aws 5.1.0
ec2_instance terraform-aws-modules/ec2-instance/aws 5.5.0
ec2_instance_profile_iam_policy terraform-aws-modules/iam/aws//modules/iam-policy 5.30.0
ec2_k8s_api_rule terraform-aws-modules/security-group/aws 5.1.0
ec2_sg terraform-aws-modules/security-group/aws 5.1.0
ec2_ssh_rule terraform-aws-modules/security-group/aws 5.1.0
efs_sg terraform-aws-modules/security-group/aws 5.1.0
eks terraform-aws-modules/eks/aws 19.21.0
key_pair terraform-aws-modules/key-pair/aws 2.0.2
redis cloudposse/elasticache-redis/aws 0.52.0
redis_sg terraform-aws-modules/security-group/aws 5.1.0
seqera_iam_policy terraform-aws-modules/iam/aws//modules/iam-policy 5.30.0
seqera_irsa terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks 5.30.0
this cloudposse/label/null 0.25.0
vpc terraform-aws-modules/vpc/aws 5.4.0
vpc_endpoints terraform-aws-modules/vpc/aws//modules/vpc-endpoints ~> 5.0

Resources

Name Type
aws_efs_access_point.eks_efs_access_point resource
aws_efs_backup_policy.eks_efs resource
aws_efs_file_system.eks_efs resource
aws_efs_mount_target.eks_efs_mount_target resource
helm_release.aws-ebs-csi-driver resource
helm_release.aws-efs-csi-driver resource
helm_release.aws-load-balancer-controller resource
helm_release.aws_cluster_autoscaler resource
kubectl_manifest.aws_loadbalancer_controller_crd resource
kubernetes_config_map_v1.tower_app_configmap resource
kubernetes_job_v1.seqera_schema_job resource
kubernetes_namespace_v1.this resource
kubernetes_secret_v1.db_app_password resource
kubernetes_service_account_v1.this resource
kubernetes_storage_class.efs_storage_class resource
random_password.db_app_password resource
random_password.db_root_password resource
aws_ami.amazon_linux_2 data source
aws_availability_zones.available data source
aws_caller_identity.current data source
aws_eks_cluster_auth.this data source
http_http.local_public_ip data source

Inputs

Name Description Type Default Required
vpc_name The name of the Virtual Private Cloud (VPC) to be created. string n/a yes
access_logs_s3_bucket_acl_name The ACL for the S3 bucket for ELB access logs. string "log-delivery-write" no
access_logs_s3_bucket_name The name prefix of the S3 bucket for ELB access logs. string "seqera-access-logs-" no
access_logs_s3_bucket_object_ownership The ownership of the S3 bucket for ELB access logs. string "ObjectWriter" no
aws_cluster_autoscaler_iam_policy IAM policy for the AWS Cluster Autoscaler string "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"autoscaling:DescribeAutoScalingGroups\",\n \"autoscaling:DescribeAutoScalingInstances\",\n \"autoscaling:DescribeLaunchConfigurations\",\n \"autoscaling:DescribeScalingActivities\",\n \"autoscaling:DescribeTags\",\n \"ec2:DescribeInstanceTypes\",\n \"ec2:DescribeLaunchTemplateVersions\"\n ],\n \"Resource\": [\"*\"]\n },\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"autoscaling:SetDesiredCapacity\",\n \"autoscaling:TerminateInstanceInAutoScalingGroup\",\n \"ec2:DescribeImages\",\n \"ec2:GetInstanceTypesFromInstanceRequirements\",\n \"eks:DescribeNodegroup\"\n ],\n \"Resource\": [\"*\"]\n }\n ]\n}\n" no
aws_cluster_autoscaler_iam_policy_name The name of the IAM policy for the AWS Cluster Autoscaler. string "aws-cluster-autoscaler-iam-policy" no
aws_cluster_autoscaler_version The version of the AWS Cluster Autoscaler to deploy. string "9.29.3" no
aws_ebs_csi_driver_iam_policy IAM policy for the EBS CSI driver string "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"ec2:CreateSnapshot\",\n \"ec2:AttachVolume\",\n \"ec2:DetachVolume\",\n \"ec2:ModifyVolume\",\n \"ec2:DescribeAvailabilityZones\",\n \"ec2:DescribeInstances\",\n \"ec2:DescribeSnapshots\",\n \"ec2:DescribeTags\",\n \"ec2:DescribeVolumes\",\n \"ec2:DescribeVolumesModifications\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"ec2:CreateTags\"\n ],\n \"Resource\": [\n \"arn:aws:ec2:*:*:volume/*\",\n \"arn:aws:ec2:*:*:snapshot/*\"\n ],\n \"Condition\": {\n \"StringEquals\": {\n \"ec2:CreateAction\": [\n \"CreateVolume\",\n \"CreateSnapshot\"\n ]\n }\n }\n },\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"ec2:DeleteTags\"\n ],\n \"Resource\": [\n \"arn:aws:ec2:*:*:volume/*\",\n \"arn:aws:ec2:*:*:snapshot/*\"\n ]\n },\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"ec2:CreateVolume\"\n ],\n \"Resource\": \"*\",\n \"Condition\": {\n \"StringLike\": {\n \"aws:RequestTag/ebs.csi.aws.com/cluster\": \"true\"\n }\n }\n },\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"ec2:CreateVolume\"\n ],\n \"Resource\": \"*\",\n \"Condition\": {\n \"StringLike\": {\n \"aws:RequestTag/CSIVolumeName\": \"*\"\n }\n }\n },\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"ec2:DeleteVolume\"\n ],\n \"Resource\": \"*\",\n \"Condition\": {\n \"StringLike\": {\n \"ec2:ResourceTag/ebs.csi.aws.com/cluster\": \"true\"\n }\n }\n },\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"ec2:DeleteVolume\"\n ],\n \"Resource\": \"*\",\n \"Condition\": {\n \"StringLike\": {\n \"ec2:ResourceTag/CSIVolumeName\": \"*\"\n }\n }\n },\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"ec2:DeleteVolume\"\n ],\n \"Resource\": \"*\",\n \"Condition\": {\n \"StringLike\": {\n \"ec2:ResourceTag/kubernetes.io/created-for/pvc/name\": \"*\"\n }\n }\n },\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"ec2:DeleteSnapshot\"\n ],\n \"Resource\": \"*\",\n \"Condition\": {\n \"StringLike\": {\n \"ec2:ResourceTag/CSIVolumeSnapshotName\": \"*\"\n }\n }\n },\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"ec2:DeleteSnapshot\"\n ],\n \"Resource\": \"*\",\n \"Condition\": {\n \"StringLike\": {\n \"ec2:ResourceTag/ebs.csi.aws.com/cluster\": \"true\"\n }\n }\n }\n ]\n}\n" no
aws_ebs_csi_driver_iam_policy_name The name of the IAM policy for the EBS CSI driver. string "ebs-csi-driver-iam-policy" no
aws_ebs_csi_driver_version The version of the EBS CSI driver to deploy. string "2.13.0" no
aws_efs_csi_driver_backup_policy_status The backup policy status of the EFS file system. string "ENABLED" no
aws_efs_csi_driver_creation_token_name The creation token for the EFS file system. string "seqera-efs-csi-driver" no
aws_efs_csi_driver_iam_policy IAM policy for the AWS EFS CSI driver string "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"elasticfilesystem:DescribeAccessPoints\",\n \"elasticfilesystem:DescribeFileSystems\",\n \"elasticfilesystem:DescribeMountTargets\",\n \"ec2:DescribeAvailabilityZones\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"elasticfilesystem:CreateAccessPoint\"\n ],\n \"Resource\": \"*\",\n \"Condition\": {\n \"StringLike\": {\n \"aws:RequestTag/efs.csi.aws.com/cluster\": \"true\"\n }\n }\n },\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"elasticfilesystem:TagResource\"\n ],\n \"Resource\": \"*\",\n \"Condition\": {\n \"StringLike\": {\n \"aws:ResourceTag/efs.csi.aws.com/cluster\": \"true\"\n }\n }\n },\n {\n \"Effect\": \"Allow\",\n \"Action\": \"elasticfilesystem:DeleteAccessPoint\",\n \"Resource\": \"*\",\n \"Condition\": {\n \"StringEquals\": {\n \"aws:ResourceTag/efs.csi.aws.com/cluster\": \"true\"\n }\n }\n }\n ]\n}\n" no
aws_efs_csi_driver_iam_policy_name The name of the IAM policy for the AWS EFS CSI driver. string "aws-efs-csi-driver-iam-policy" no
aws_efs_csi_driver_performance_mode The performance mode of the EFS file system. string "generalPurpose" no
aws_efs_csi_driver_security_group_ingress_rule_name The name of the security group ingress rule for the AWS EFS CSI driver. string "nfs-tcp" no
aws_efs_csi_driver_security_group_name The name of the security group for the AWS EFS CSI driver. string "aws-efs-csi-driver-sg" no
aws_efs_csi_driver_storage_class_name The name of the storage class for the EFS file system. string "efs-sc" no
aws_efs_csi_driver_storage_class_parameters The parameters for the storage class for the EFS file system. map(string)
{
"basePath": "/dynamic_provisioning",
"directoryPerms": "700",
"gidRangeEnd": "2000",
"gidRangeStart": "1000",
"provisioningMode": "efs-ap"
}
no
aws_efs_csi_driver_storage_class_reclaim_policy The reclaim policy for the EFS file system. string "Retain" no
aws_efs_csi_driver_storage_class_storage_provisioner_name The storage provisioner for the EFS file system. string "efs.csi.aws.com" no
aws_efs_csi_driver_version The version of the AWS EFS CSI driver to deploy. string "2.4.9" no
aws_loadbalancer_controller_iam_policy IAM policy for the AWS LoadBalancer Controller string "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"iam:CreateServiceLinkedRole\"\n ],\n \"Resource\": \"*\",\n \"Condition\": {\n \"StringEquals\": {\n \"iam:AWSServiceName\": \"elasticloadbalancing.amazonaws.com\"\n }\n }\n },\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"ec2:DescribeAccountAttributes\",\n \"ec2:DescribeAddresses\",\n \"ec2:DescribeAvailabilityZones\",\n \"ec2:DescribeInternetGateways\",\n \"ec2:DescribeVpcs\",\n \"ec2:DescribeVpcPeeringConnections\",\n \"ec2:DescribeSubnets\",\n \"ec2:DescribeSecurityGroups\",\n \"ec2:DescribeInstances\",\n \"ec2:DescribeNetworkInterfaces\",\n \"ec2:DescribeTags\",\n \"ec2:GetCoipPoolUsage\",\n \"ec2:DescribeCoipPools\",\n \"elasticloadbalancing:DescribeLoadBalancers\",\n \"elasticloadbalancing:DescribeLoadBalancerAttributes\",\n \"elasticloadbalancing:DescribeListeners\",\n \"elasticloadbalancing:DescribeListenerCertificates\",\n \"elasticloadbalancing:DescribeSSLPolicies\",\n \"elasticloadbalancing:DescribeRules\",\n \"elasticloadbalancing:DescribeTargetGroups\",\n \"elasticloadbalancing:DescribeTargetGroupAttributes\",\n \"elasticloadbalancing:DescribeTargetHealth\",\n \"elasticloadbalancing:DescribeTags\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"cognito-idp:DescribeUserPoolClient\",\n \"acm:ListCertificates\",\n \"acm:DescribeCertificate\",\n \"iam:ListServerCertificates\",\n \"iam:GetServerCertificate\",\n \"waf-regional:GetWebACL\",\n \"waf-regional:GetWebACLForResource\",\n \"waf-regional:AssociateWebACL\",\n \"waf-regional:DisassociateWebACL\",\n \"wafv2:GetWebACL\",\n \"wafv2:GetWebACLForResource\",\n \"wafv2:AssociateWebACL\",\n \"wafv2:DisassociateWebACL\",\n \"shield:GetSubscriptionState\",\n \"shield:DescribeProtection\",\n \"shield:CreateProtection\",\n \"shield:DeleteProtection\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"ec2:AuthorizeSecurityGroupIngress\",\n \"ec2:RevokeSecurityGroupIngress\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"ec2:CreateSecurityGroup\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"ec2:CreateTags\"\n ],\n \"Resource\": \"arn:aws:ec2:*:*:security-group/*\",\n \"Condition\": {\n \"StringEquals\": {\n \"ec2:CreateAction\": \"CreateSecurityGroup\"\n },\n \"Null\": {\n \"aws:RequestTag/elbv2.k8s.aws/cluster\": \"false\"\n }\n }\n },\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"ec2:CreateTags\",\n \"ec2:DeleteTags\"\n ],\n \"Resource\": \"arn:aws:ec2:*:*:security-group/*\",\n \"Condition\": {\n \"Null\": {\n \"aws:RequestTag/elbv2.k8s.aws/cluster\": \"true\",\n \"aws:ResourceTag/elbv2.k8s.aws/cluster\": \"false\"\n }\n }\n },\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"ec2:AuthorizeSecurityGroupIngress\",\n \"ec2:RevokeSecurityGroupIngress\",\n \"ec2:DeleteSecurityGroup\"\n ],\n \"Resource\": \"*\",\n \"Condition\": {\n \"Null\": {\n \"aws:ResourceTag/elbv2.k8s.aws/cluster\": \"false\"\n }\n }\n },\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"elasticloadbalancing:CreateLoadBalancer\",\n \"elasticloadbalancing:CreateTargetGroup\"\n ],\n \"Resource\": \"*\",\n \"Condition\": {\n \"Null\": {\n \"aws:RequestTag/elbv2.k8s.aws/cluster\": \"false\"\n }\n }\n },\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"elasticloadbalancing:CreateListener\",\n \"elasticloadbalancing:DeleteListener\",\n \"elasticloadbalancing:CreateRule\",\n \"elasticloadbalancing:DeleteRule\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"elasticloadbalancing:AddTags\",\n \"elasticloadbalancing:RemoveTags\"\n ],\n \"Resource\": [\n \"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*\",\n \"arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*\",\n \"arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*\"\n ],\n \"Condition\": {\n \"Null\": {\n \"aws:RequestTag/elbv2.k8s.aws/cluster\": \"true\",\n \"aws:ResourceTag/elbv2.k8s.aws/cluster\": \"false\"\n }\n }\n },\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"elasticloadbalancing:AddTags\",\n \"elasticloadbalancing:RemoveTags\"\n ],\n \"Resource\": [\n \"arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*\",\n \"arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*\",\n \"arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*\",\n \"arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*\"\n ]\n },\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"elasticloadbalancing:ModifyLoadBalancerAttributes\",\n \"elasticloadbalancing:SetIpAddressType\",\n \"elasticloadbalancing:SetSecurityGroups\",\n \"elasticloadbalancing:SetSubnets\",\n \"elasticloadbalancing:DeleteLoadBalancer\",\n \"elasticloadbalancing:ModifyTargetGroup\",\n \"elasticloadbalancing:ModifyTargetGroupAttributes\",\n \"elasticloadbalancing:DeleteTargetGroup\"\n ],\n \"Resource\": \"*\",\n \"Condition\": {\n \"Null\": {\n \"aws:ResourceTag/elbv2.k8s.aws/cluster\": \"false\"\n }\n }\n },\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"elasticloadbalancing:AddTags\"\n ],\n \"Resource\": [\n \"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*\",\n \"arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*\",\n \"arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*\"\n ],\n \"Condition\": {\n \"StringEquals\": {\n \"elasticloadbalancing:CreateAction\": [\n \"CreateTargetGroup\",\n \"CreateLoadBalancer\"\n ]\n },\n \"Null\": {\n \"aws:RequestTag/elbv2.k8s.aws/cluster\": \"false\"\n }\n }\n },\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"elasticloadbalancing:RegisterTargets\",\n \"elasticloadbalancing:DeregisterTargets\"\n ],\n \"Resource\": \"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*\"\n },\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"elasticloadbalancing:SetWebAcl\",\n \"elasticloadbalancing:ModifyListener\",\n \"elasticloadbalancing:AddListenerCertificates\",\n \"elasticloadbalancing:RemoveListenerCertificates\",\n \"elasticloadbalancing:ModifyRule\"\n ],\n \"Resource\": \"*\"\n }\n ]\n}\n\n" no
aws_loadbalancer_controller_iam_policy_name The name of the IAM policy for the AWS LoadBalancer Controller string "aws-loadbalancer-controller-iam-policy" no
aws_loadbalancer_controller_version The version of the AWS LoadBalancer Controller to deploy string "1.6.0" no
cluster_name The name of the EKS cluster. string "seqera" no
cluster_version The version of Kubernetes to use for the EKS cluster. string "1.26" no
create_database_subnet_group Determines whether a database subnet group should be created. bool true no
create_database_subnet_route_table Determines whether a subnet route table should be created for the database subnets. bool true no
create_db_cluster Determines whether the database cluster should be created. bool true no
create_db_password_secret Determines whether a secret should be created for the database password. bool true no
create_ec2_instance Determines whether to create an EC2 instance. bool false no
create_ec2_instance_iam_instance_profile Determines whether to create an IAM instance profile for the EC2 instance. bool true no
create_ec2_instance_local_key_pair Determines whether to create a local SSH key pair for the EC2 instance. bool false no
create_ec2_public_instance Determines whether to create a public EC2 instance. bool false no
create_ec2_spot_instance Determines whether to create an EC2 spot instance. bool false no
create_eks_cluster Determines whether an EKS cluster should be created. bool false no
create_redis_cluster Determines whether to create a Redis cluster. bool true no
create_seqera_namespace Determines whether to create the Seqera namespace. bool true no
create_seqera_service_account Determines whether to create the Seqera service account. bool true no
create_tower_app_configmap Determines whether a configMap should be created for the Tower app. bool true no
database_identifier The identifier for the database. string "seqera-db" no
db_allocated_storage The allocated storage size for the database. number 10 no
db_app_password Password for the Seqera DB user. string "" no
db_app_schema_name The name of the database. string "tower" no
db_app_username The username for the database. string "seqera" no
db_backup_window The backup window for the database. string "03:00-06:00" no
db_create_monitoring_role Determines whether the monitoring role should be created. bool false no
db_deletion_protection Determines whether deletion protection is enabled for the database. bool false no
db_engine_version The version of the database engine. string "5.7" no
db_family The family of the database engine. string "mysql5.7" no
db_iam_database_authentication_enabled Determines whether IAM database authentication is enabled for the database. bool false no
db_ingress_rule_name The ingress rule for the database. string "mysql-tcp" no
db_instance_class The instance class for the database. string "db.r5.xlarge" no
db_maintenance_window The maintenance window for the database. string "Mon:00:00-Mon:03:00" no
db_major_engine_version The major version of the database engine. string "5.7" no
db_manage_master_user_password Determines whether the master user password should be managed. bool false no
db_monitoring_interval The monitoring interval for the database. string "0" no
db_monitoring_role_name The name of the IAM role used for database monitoring. string "SeqeraRDSMonitoringRole" no
db_options The list of database options.
list(object({
option_name = string
option_settings = list(object({
name = string
value = string
}))
}))
[
{
"option_name": "MARIADB_AUDIT_PLUGIN",
"option_settings": [
{
"name": "SERVER_AUDIT_EVENTS",
"value": "CONNECT"
},
{
"name": "SERVER_AUDIT_FILE_ROTATIONS",
"value": "37"
}
]
}
]
no
db_parameters The list of database parameters.
list(object({
name = string
value = string
}))
[
{
"name": "character_set_client",
"value": "utf8mb4"
},
{
"name": "character_set_server",
"value": "utf8mb4"
}
]
no
db_password_secret_name The name of the secret for the database password. string "tower-terraform-secrets" no
db_port The port for the database. string "3306" no
db_root_password The master password for the database. string "" no
db_root_username The master username for the database. string "root" no
db_security_group_name The name of the security group for the database. string "seqera_db_security_group" no
db_setup_job_image The image for the database setup job. string "mysql:8.0.35-debian" no
db_setup_job_name The name of the database setup job. string "seqera-db-setup-job" no
db_skip_final_snapshot Determines whether a final snapshot should be created when the database is deleted. bool true no
default_tags Default tags to be applied to the provisioned resources. map(string)
{
"ManagedBy": "Terraform",
"Product": "SeqeraPlatform"
}
no
ebs_block_device The list of EBS block devices for the EC2 instance. list(any)
[
{
"device_name": "/dev/sdx",
"volume_size": 100,
"volume_type": "gp3"
}
]
no
ec2_instance_ami_id The ID of the AMI for the EC2 instance. string "" no
ec2_instance_iam_role_description The description of the IAM role for the EC2 instance. string "Seqera Forge IAM role" no
ec2_instance_iam_role_name The name of the IAM role for the EC2 instance. string "seqera-forge-role" no
ec2_instance_key_name The name of the key pair for the EC2 instance. string null no
ec2_instance_kubernetes_api_cidr_blocks The CIDR blocks for the security group ingress rule. list(string)
[
""
]
no
ec2_instance_name The name of the EC2 instance. string "seqera-platform-vm" no
ec2_instance_profile_iam_policy IAM policy for the EC2 instance profile string "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"TowerForge0\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"ssm:GetParameters\",\n \"iam:CreateInstanceProfile\",\n \"iam:DeleteInstanceProfile\",\n \"iam:GetRole\",\n \"iam:RemoveRoleFromInstanceProfile\",\n \"iam:CreateRole\",\n \"iam:DeleteRole\",\n \"iam:AttachRolePolicy\",\n \"iam:PutRolePolicy\",\n \"iam:AddRoleToInstanceProfile\",\n \"iam:PassRole\",\n \"iam:DetachRolePolicy\",\n \"iam:ListAttachedRolePolicies\",\n \"iam:DeleteRolePolicy\",\n \"iam:ListRolePolicies\",\n \"iam:TagRole\",\n \"iam:TagInstanceProfile\",\n \"batch:CreateComputeEnvironment\",\n \"batch:DescribeComputeEnvironments\",\n \"batch:CreateJobQueue\",\n \"batch:DescribeJobQueues\",\n \"batch:UpdateComputeEnvironment\",\n \"batch:DeleteComputeEnvironment\",\n \"batch:UpdateJobQueue\",\n \"batch:DeleteJobQueue\",\n \"fsx:DeleteFileSystem\",\n \"fsx:DescribeFileSystems\",\n \"fsx:CreateFileSystem\",\n \"fsx:TagResource\",\n \"ec2:DescribeSecurityGroups\",\n \"ec2:DescribeAccountAttributes\",\n \"ec2:DescribeSubnets\",\n \"ec2:DescribeLaunchTemplates\",\n \"ec2:DescribeLaunchTemplateVersions\", \n \"ec2:CreateLaunchTemplate\",\n \"ec2:DeleteLaunchTemplate\",\n \"ec2:DescribeKeyPairs\",\n \"ec2:DescribeVpcs\",\n \"ec2:DescribeInstanceTypeOfferings\",\n \"ec2:GetEbsEncryptionByDefault\",\n \"elasticfilesystem:DescribeMountTargets\",\n \"elasticfilesystem:CreateMountTarget\",\n \"elasticfilesystem:CreateFileSystem\",\n \"elasticfilesystem:DescribeFileSystems\",\n \"elasticfilesystem:DeleteMountTarget\",\n \"elasticfilesystem:DeleteFileSystem\",\n \"elasticfilesystem:UpdateFileSystem\",\n \"elasticfilesystem:PutLifecycleConfiguration\",\n \"elasticfilesystem:TagResource\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"TowerLaunch0\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"s3:Get*\",\n \"s3:List*\",\n \"batch:DescribeJobQueues\",\n \"batch:CancelJob\",\n \"batch:SubmitJob\",\n \"batch:ListJobs\",\n \"batch:TagResource\",\n \"batch:DescribeComputeEnvironments\",\n \"batch:TerminateJob\",\n \"batch:DescribeJobs\",\n \"batch:RegisterJobDefinition\",\n \"batch:DescribeJobDefinitions\",\n \"ecs:DescribeTasks\",\n \"ec2:DescribeInstances\",\n \"ec2:DescribeInstanceTypes\",\n \"ec2:DescribeInstanceAttribute\",\n \"ecs:DescribeContainerInstances\",\n \"ec2:DescribeInstanceStatus\",\n \"ec2:DescribeImages\",\n \"logs:Describe*\",\n \"logs:Get*\",\n \"logs:List*\",\n \"logs:StartQuery\",\n \"logs:StopQuery\",\n \"logs:TestMetricFilter\",\n \"logs:FilterLogEvents\",\n \"ses:SendRawEmail\"\n ],\n \"Resource\": \"*\"\n }\n ]\n}\n" no
ec2_instance_profile_iam_policy_name The name of the IAM policy for the EC2 instance profile. string "seqera-forge-policy" no
ec2_instance_root_block_device The root block device for the EC2 instance. list(any)
[
{
"volume_size": 100,
"volume_type": "gp3"
}
]
no
ec2_instance_security_group_egress_rules_names The names of the security group egress rules. list(string)
[
"all-all"
]
no
ec2_instance_security_group_ingress_rules_names Security group ingress rules names. list(string)
[
"http-80-tcp",
"https-443-tcp"
]
no
ec2_instance_security_group_name The name of the security group for the EC2 instance. string "seqera-forge-security-group" no
ec2_instance_sg_egress_cidr_blocks The CIDR blocks for the security group egress rule. list(string)
[
"0.0.0.0/0"
]
no
ec2_instance_sg_ingress_cidr_blocks The CIDR blocks for the security group ingress rule. list(string)
[
"0.0.0.0/0"
]
no
ec2_instance_ssh_cidr_blocks The CIDR blocks for the security group ingress rule. list(string)
[
""
]
no
ec2_instance_ssh_public_key_path The path to the public key for the EC2 instance. string "~/.ssh/id_rsa.pub" no
ec2_instance_type The type of the EC2 instance. string "m5a.2xlarge" no
ec2_instance_user_data_replace_on_change Determines whether the EC2 instance user data should be replaced on change. bool true no
eks_aws_auth_roles List of roles ARNs to add to the aws-auth config map list(string) [] no
eks_aws_auth_users List of users ARNs to add to the aws-auth config map list(string) [] no
eks_cluster_addons Addons to be enabled for the EKS cluster.
map(object({
most_recent = bool
}))
{
"coredns": {
"most_recent": true
},
"kube-proxy": {
"most_recent": true
},
"vpc-cni": {
"most_recent": true
}
}
no
eks_cluster_endpoint_public_access Determines whether the EKS cluster endpoint is publicly accessible. bool true no
eks_enable_irsa Determines whether to create an OpenID Connect Provider for EKS to enable IRSA bool true no
eks_manage_aws_auth_configmap Determines whether to manage the aws-auth ConfigMap. bool true no
eks_managed_node_group_defaults_capacity_type The capacity type for the default managed node group. string "ON_DEMAND" no
eks_managed_node_group_defaults_instance_types A list of EC2 instance types for the default managed node group. list(string)
[
"m5a.2xlarge"
]
no
enable_access_logs_s3_bucket Determines whether to create an S3 bucket for ELB access logs. bool true no
enable_aws_cluster_autoscaler Determines whether the AWS Cluster Autoscaler should be deployed. bool false no
enable_aws_ebs_csi_driver Determines whether the EBS CSI driver should be deployed. bool false no
enable_aws_efs_csi_driver Determines whether the AWS EFS CSI driver should be deployed. bool false no
enable_aws_loadbalancer_controller Determines whether the AWS LoadBalancer Controller should be deployed. bool true no
enable_dns_hostnames Determines whether instances in the VPC receive DNS hostnames. bool true no
enable_dns_support Determines whether DNS resolution is supported for the VPC. bool true no
enable_ec2_instance_kubernetes_api_access Defines whether Kubernetes API access should be enabled for the EC2 instance. bool true no
enable_ec2_instance_monitoring Determines whether detailed monitoring is enabled for the EC2 instance. bool true no
enable_ec2_instance_session_manager_access Determines whether SSM Session Manager access is enabled for the EC2 instance. bool false no
enable_ec2_instance_ssh_access Defines whether SSH access is enabled for the EC2 instance. bool true no
enable_elb_log_delivery_policy Determines whether to create a policy for ELB log delivery. bool true no
enable_lb_log_delivery_policy Determines whether to create a policy for LB log delivery. bool true no
enable_nat_gateway Determines whether NAT gateways should be provisioned. bool true no
enable_vpn_gateway Determines whether a VPN gateway should be provisioned. bool false no
environment The environment in which the infrastructure is being deployed. string "" no
get_ec2_instance_password_data Determines whether to get the password data for the EC2 instance. bool false no
ignore_ec2_instance_ami_changes Determines whether to ignore AMI changes for the EC2 instance. bool true no
local_ssh_key_pair_name The name of the local SSH key pair. string "seqera-platform-keypair" no
num_azs The number of Availability Zones to use for the VPC. number 2 no
one_nat_gateway_per_az Determines whether each Availability Zone should have a dedicated NAT gateway. bool true no
private_subnets A list of subnet IDs for private subnets within the VPC. list(string) [] no
public_subnets A list of subnet IDs for public subnets within the VPC. list(string) [] no
redis_apply_immediately Determines whether changes should be applied immediately for Redis. bool true no
redis_at_rest_encryption_enabled Determines whether encryption at rest is enabled for Redis. bool false no
redis_auto_minor_version_upgrade Determines whether automatic minor version upgrades are enabled for Redis. bool false no
redis_automatic_failover_enabled Determines whether automatic failover is enabled for Redis. bool false no
redis_cluster_description The description of the Redis cluster. string "Seqera Redis cluster" no
redis_cluster_name The name of the Redis cluster. string "seqera-redis" no
redis_cluster_size The size of the Redis cluster. number 1 no
redis_create_subnet_group Determines whether to create a Redis subnet group. bool true no
redis_engine_version The version of the Redis engine. string "6.2" no
redis_family The family of the Redis engine. string "redis6.x" no
redis_ingress_rule The ingress rule for the Redis cluster. string "redis-tcp" no
redis_instance_type The Redis node type. string "cache.t2.small" no
redis_maintenance_window The maintenance window for the Redis cluster. string "sun:23:00-mon:01:30" no
redis_parameter_group_description The description of the Redis parameter group. string "Redis Redis parameter group" no
redis_parameters The list of Redis parameters.
list(object({
name = string
value = string
}))
[
{
"name": "notify-keyspace-events",
"value": "lK"
}
]
no
redis_port The port for Redis. string "6379" no
redis_security_group_name The name of the security group for Redis. string "seqera_redis_security_group" no
redis_snapshot_retention_limit The number of days to retain Redis snapshots. number 7 no
redis_snapshot_window The window during which Redis snapshots are taken. string "05:00-09:00" no
redis_subnet_group_description The description of the Redis subnet group. string "Seqera Redis subnet group" no
redis_subnet_group_name The name of the Redis subnet group. string "seqera-redis-subnetgroup" no
redis_transit_encryption_enabled Determines whether encryption in transit is enabled for Redis. bool false no
region The AWS region in which the resources will be provisioned. string "" no
seqera_irsa_iam_policy_name The name of the IAM policy for IRSA. string "seqera-irsa-iam-policy" no
seqera_irsa_role_name The name of the IAM role for IRSA. string "seqera-irsa-role" no
seqera_managed_node_group_defaults_capacity_type The capacity type for the Seqera managed node group. string "ON_DEMAND" no
seqera_managed_node_group_defaults_instance_types A list of EC2 instance types for the Seqera managed node group. list(string)
[
"m5a.2xlarge"
]
no
seqera_managed_node_group_desired_size The desired size of the EKS managed node group. number 2 no
seqera_managed_node_group_labels Labels to be applied to the Seqera EKS managed node group. map(string) {} no
seqera_managed_node_group_max_size The maximum size of the EKS managed node group. number 4 no
seqera_managed_node_group_min_size The minimum size of the EKS managed node group. number 2 no
seqera_namespace_name The name of the namespace used to deploy Seqera platform manifests. string "seqera-platform" no
seqera_platform_service_account_iam_policy IAM policy for the Seqera service account string "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"TowerForge0\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"ssm:GetParameters\",\n \"ses:SendRawEmail\",\n \"iam:CreateInstanceProfile\",\n \"iam:DeleteInstanceProfile\",\n \"iam:GetRole\",\n \"iam:RemoveRoleFromInstanceProfile\",\n \"iam:CreateRole\",\n \"iam:DeleteRole\",\n \"iam:AttachRolePolicy\",\n \"iam:PutRolePolicy\",\n \"iam:AddRoleToInstanceProfile\",\n \"iam:PassRole\",\n \"iam:DetachRolePolicy\",\n \"iam:ListAttachedRolePolicies\",\n \"iam:DeleteRolePolicy\",\n \"iam:ListRolePolicies\",\n \"iam:TagRole\",\n \"iam:TagInstanceProfile\",\n \"batch:CreateComputeEnvironment\",\n \"batch:DescribeComputeEnvironments\",\n \"batch:CreateJobQueue\",\n \"batch:DescribeJobQueues\",\n \"batch:UpdateComputeEnvironment\",\n \"batch:DeleteComputeEnvironment\",\n \"batch:UpdateJobQueue\",\n \"batch:DeleteJobQueue\",\n \"batch:TagResource\",\n \"fsx:DeleteFileSystem\",\n \"fsx:DescribeFileSystems\",\n \"fsx:CreateFileSystem\",\n \"fsx:TagResource\",\n \"ec2:DescribeSecurityGroups\",\n \"ec2:DescribeAccountAttributes\",\n \"ec2:DescribeSubnets\",\n \"ec2:DescribeLaunchTemplates\",\n \"ec2:DescribeLaunchTemplateVersions\", \n \"ec2:CreateLaunchTemplate\",\n \"ec2:DeleteLaunchTemplate\",\n \"ec2:DescribeKeyPairs\",\n \"ec2:DescribeVpcs\",\n \"ec2:DescribeInstanceTypeOfferings\",\n \"ec2:GetEbsEncryptionByDefault\",\n \"elasticfilesystem:DescribeMountTargets\",\n \"elasticfilesystem:CreateMountTarget\",\n \"elasticfilesystem:CreateFileSystem\",\n \"elasticfilesystem:DescribeFileSystems\",\n \"elasticfilesystem:DeleteMountTarget\",\n \"elasticfilesystem:DeleteFileSystem\",\n \"elasticfilesystem:UpdateFileSystem\",\n \"elasticfilesystem:PutLifecycleConfiguration\",\n \"elasticfilesystem:TagResource\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"TowerLaunch0\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"s3:Get*\",\n \"s3:List*\",\n \"batch:DescribeJobQueues\",\n \"batch:CancelJob\",\n \"batch:SubmitJob\",\n \"batch:ListJobs\",\n \"batch:DescribeComputeEnvironments\",\n \"batch:TerminateJob\",\n \"batch:DescribeJobs\",\n \"batch:RegisterJobDefinition\",\n \"batch:DescribeJobDefinitions\",\n \"ecs:DescribeTasks\",\n \"ec2:DescribeInstances\",\n \"ec2:DescribeInstanceTypes\",\n \"ec2:DescribeInstanceAttribute\",\n \"ecs:DescribeContainerInstances\",\n \"ec2:DescribeInstanceStatus\",\n \"ec2:DescribeImages\",\n \"logs:Describe*\",\n \"logs:Get*\",\n \"logs:List*\",\n \"logs:StartQuery\",\n \"logs:StopQuery\",\n \"logs:TestMetricFilter\",\n \"logs:FilterLogEvents\"\n ],\n \"Resource\": \"*\"\n }\n ]\n}\n" no
seqera_service_account_name Name for the Seqera platform service account string "seqera-sa" no
tower_app_configmap_name The name of the configMap for the Tower app. string "tower-terraform-cfg" no
vpc_cidr The CIDR block for the VPC. string "10.0.0.0/16" no
vpc_endpoint_services The list of VPC endpoint services. list(string)
[
"ssm",
"ssmmessages",
"ec2messages"
]
no

Outputs

Name Description
access_logs_s3_bucket_name S3 bucket name for access logs.
database_url Endpoint address for the primary RDS database instance.
ec2_instance_id EC2 instance ID.
ec2_instance_public_dns_name EC2 instance public DNS name.
redis_url Endpoint address for the Redis cluster. If not available, returns null.
seqera_irsa_role_name IAM role name associated with Seqera IRSA (IAM Roles for Service Accounts).