aws-samples / aws-network-hub-for-terraform

This repository demonstrates a scalable, segregated, secured AWS network hub for multi-account organizations using Terraform.
MIT No Attribution

Suggestion for var.environment for the central networking account? #4

Closed Vermyndax closed 2 years ago

Vermyndax commented 2 years ago

I'm confused about what should be set for the central networking account's var.environment. The documentation seems to point toward this setting for spoke resources, not for the central account itself.

Also, if those environments need to be customized, what is the proper place to customize them?

aandsco commented 2 years ago

The var.environment points to what env to deploy your network hub into; the different envs are to carry out SDLC on your network hub.

The sample code uses a map in the auto tfvars file; the corresponding map within the map for each env will be selected when you assign the var.environment var.

The example code has dev, test, preprod and prod and is purely for SDLC in lower environments.

aandsco commented 2 years ago

It is documented in the readme

Global variables

| Variable | Description | Accepted values |
| --- | --- | --- |
| environment | Environment to deploy into. | dev, test, preprod, prod |

aandsco commented 2 years ago

```hcl
env_config = {
  dev = {
    ipam_cidr        = "10.0.0.0/10"
    tgw_route_tables = ["prod", "dev", "shared"]
    root_domain      = "network-dev.internal"
  }
  test = {
    ipam_cidr        = "10.64.0.0/10"
    tgw_route_tables = ["prod", "dev", "shared"]
    root_domain      = "network-test.internal"
  }
  preprod = {
    ipam_cidr        = "10.128.0.0/10"
    tgw_route_tables = ["prod", "dev", "shared"]
    root_domain      = "network-preprod.internal"
  }
  prod = {
    ipam_cidr        = "10.192.0.0/10"
    tgw_route_tables = ["prod", "dev", "shared"]
    root_domain      = "network-prod.internal"
  }
}
```

aandsco commented 2 years ago

If you want another env or to change the names then you can edit the config.auto.tfvars file.
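A pre-apply sanity check for the env_config map, added here as an example and not part of the sample repository: it confirms that the value passed as var.environment is actually a key of the map, that the per-environment ipam_cidr blocks fit inside one supernet and do not overlap each other, and that no tgw_route_tables entry is duplicated (duplicate names would collide when the hub creates one route table per entry). The supernet value and the in-code copy of the map are constructed for the example.

```python
import ipaddress

# Constructed copy of the env_config map from the sample's config.auto.tfvars;
# the "environment" argument below plays the role of var.environment.
ENV_CONFIG = {
    "dev":     {"ipam_cidr": "10.0.0.0/10",   "tgw_route_tables": ["prod", "dev", "shared"], "root_domain": "network-dev.internal"},
    "test":    {"ipam_cidr": "10.64.0.0/10",  "tgw_route_tables": ["prod", "dev", "shared"], "root_domain": "network-test.internal"},
    "preprod": {"ipam_cidr": "10.128.0.0/10", "tgw_route_tables": ["prod", "dev", "shared"], "root_domain": "network-preprod.internal"},
    "prod":    {"ipam_cidr": "10.192.0.0/10", "tgw_route_tables": ["prod", "dev", "shared"], "root_domain": "network-prod.internal"},
}


def validate_env_config(env_config, environment, supernet="10.0.0.0/8"):
    """Return a list of problems; an empty list means the map is consistent.

    supernet is an assumption for this example: the private range every
    environment's IPAM pool is expected to be carved from.
    """
    problems = []
    if environment not in env_config:
        problems.append(f"var.environment={environment!r} is not a key of env_config {sorted(env_config)}")
    parent = ipaddress.ip_network(supernet)
    seen = []  # (env name, network) pairs already checked, for overlap detection
    for name, cfg in env_config.items():
        try:
            net = ipaddress.ip_network(cfg["ipam_cidr"])
        except (KeyError, ValueError) as exc:
            problems.append(f"{name}: invalid or missing ipam_cidr ({exc})")
            continue
        if not net.subnet_of(parent):
            problems.append(f"{name}: {net} lies outside {parent}")
        for other_name, other in seen:
            if net.overlaps(other):
                problems.append(f"{name}: {net} overlaps {other_name} ({other})")
        seen.append((name, net))
        tables = cfg.get("tgw_route_tables", [])
        if not tables or len(set(tables)) != len(tables):
            problems.append(f"{name}: tgw_route_tables is empty or has duplicate names")
    return problems


if __name__ == "__main__":
    # "qa" is not a key of the sample map, so it is reported; "prod" passes.
    for env in ("prod", "qa"):
        print(env, validate_env_config(ENV_CONFIG, env) or "OK")
```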

Vermyndax commented 2 years ago

@aandsco thanks for the response. If I'm installing this main template in the transit hub account, then the maps need to show what environments I plan to deploy as spokes for the others, then? I tried setting var.environment to "prod" for the transit hub stack and it failed with a lot of similar-named objects and resource limits on IPAM (1 out of 1 already used). This is a bare AWS account with RAM enabled and IPAM delegated properly.

Vermyndax commented 2 years ago

Well, what I'm hoping to do is deploy this stack in the transit hub account, and then accommodate "dev", "QA", "UAT", and "prod" - so I'm not clear what var.environment to use for the transit hub account, since theoretically it's "environment-less".

aandsco commented 2 years ago

The IPAM limit per account is one and I wouldn’t suggest having the 4 envs in a single account.

Dev network hub to a dev account is what I'd planned. The lower env network hubs are for SDLC of the network hub only. Although you could adapt.

The spoke accounts will connect to the prod TGW and serve shared services, prod and non prod route tables for env segregation.

As a sample it is there to be adapted as you will, take any bits you like.

For the unique naming in the same account you would have to go through the solution and prefix each resource to be able to deploy 4 in a single account. However, I would advise against this, as we should look at an account as a boundary for misconfiguration or security, and having all 4 in a single account increases this.



Vermyndax commented 2 years ago

So in that design, you'd have theoretically 4 different transit hub accounts?

aandsco commented 2 years ago

Yes, if that's what your SDLC strategy is. I'd say a minimum of 2 environments, somewhere to develop and somewhere to deploy that delivers live service. Ideally 3.

But for this concept the prod network hub serves all spoke envs.

As if you're developing new things in the network hub you don't want to impact all other users' dev envs.

Vermyndax commented 2 years ago

Ok, so I'm trying to deploy this template with var.environment set to "prod." I modified the names of the environments in the map and tried to deploy it. I ran into this error:

```text
│ Error: failed creating IAM Role (prod_network_automation_role): EntityAlreadyExists: Role with name prod_network_automation_role already exists.
│   status code: 409, request id: f7f1de07-43e0-4e56-9c8b-18050a9cd6b9
│
│   with aws_iam_role.central_network,
│   on main.tf line 73, in resource "aws_iam_role" "central_network":
│   73: resource "aws_iam_role" "central_network" {
│
╵
╷
│ Error: error creating IAM policy prod_central_network_automation_policy: EntityAlreadyExists: A policy called prod_central_network_automation_policy already exists. Duplicate names are not allowed.
│   status code: 409, request id: 7eb296b3-13bc-4758-938b-bfeddc1cd2a8
│
│   with aws_iam_policy.central_network,
│   on main.tf line 104, in resource "aws_iam_policy" "central_network":
│  104: resource "aws_iam_policy" "central_network" {
│
╵
╷
│ Error: failed creating IAM Role (prod_endpoint_vpc_flow_logs): EntityAlreadyExists: Role with name prod_endpoint_vpc_flow_logs already exists.
│   status code: 409, request id: 9f448e6b-f5a4-46df-a1ac-ba71bcc35a99
│
│   with aws_iam_role.flow_logs,
│   on main.tf line 166, in resource "aws_iam_role" "flow_logs":
│  166: resource "aws_iam_role" "flow_logs" {
│
╵
╷
│ Error: Error creating ipam: ResourceLimitExceeded: You've reached the limit for ipams. You have created 1 ipams and you are limited to 1.
│   status code: 400, request id: 33c140c5-b121-47f6-852a-0d64ffc8a4c1
│
│   with module.ipam.aws_vpc_ipam.org_ipam,
│   on modules/ipam/ipam.tf line 4, in resource "aws_vpc_ipam" "org_ipam":
│    4: resource "aws_vpc_ipam" "org_ipam" {
```

This is what I used for the variables:

```hcl
environment = "prod"

/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
   SPDX-License-Identifier: MIT-0 */

aws_region    = "us-east-1"
vpc_endpoints = ["ec2", "rds", "sqs", "sns", "ssm", "logs", "ssmmessages", "ec2messages", "autoscaling", "ecs", "athena"]

tags = {
  Product    = "xxxx_Automation"
  Owner      = "XXXX"
  Project_ID = "12345"
}

env_config = {
  dev = {
    ipam_cidr        = "10.0.0.0/10"
    tgw_route_tables = ["prod", "dev", "shared"]
    root_domain      = "xxxx-dev.internal"
  }
  qa = {
    ipam_cidr        = "10.64.0.0/10"
    tgw_route_tables = ["prod", "dev", "shared"]
    root_domain      = "xxxx-qa.internal"
  }
  uat = {
    ipam_cidr        = "10.128.0.0/10"
    tgw_route_tables = ["prod", "dev", "shared"]
    root_domain      = "xxxx-uat.internal"
  }
  prod = {
    ipam_cidr        = "10.192.0.0/10"
    tgw_route_tables = ["prod", "dev", "shared"]
    root_domain      = "xxxx-prod.internal"
  }
}
```

Thanks for your patience in helping me to grok this one.

aandsco commented 2 years ago

I would do a destroy and ensure the role doesn’t exist.

Just to be sure.


Vermyndax commented 2 years ago

Yeah, I did... this was the first execution in a brand new AWS account...

aandsco commented 2 years ago

It seems you’ve hit the service limit for IPAM so that indicates it has something deployed?


Vermyndax commented 2 years ago

The IPAM that was in there is the one that was created from this stack... have never used IPAM before hahaha

aandsco commented 2 years ago

It looks like it's creating over the top of a deployment then; is your state file there?

It seems an environmental issue and not with the solution.


aandsco commented 2 years ago

Closing issue. Code tested in fresh account. Issue points to environment issue.