init terraform-mendix-private-cloud

Author: geoffreyme

.gitignore

@@ -1,44 +1,17 @@
-build/
-plan.out
-plan.out.json
-
-# Local .terraform directories
 .terraform/
-
-# .tfstate files
 *.tfstate
-*.tfstate.*
-
-# Crash log files
-crash.log
-
-# Exclude all .tfvars files, which are likely to contain sentitive data, such as
-# password, private keys, and other secrets. These should not be part of version
-# control as they are data points which are potentially sensitive and subject
-# to change depending on the environment.
-#
-*.tfvars
-
-# Ignore override files as they are usually used to override resources locally and so
-# are not checked in
+*.tfstate*
+_tfplan
+*.terraform.lock.hcl
 override.tf
 override.tf.json
 *_override.tf
 *_override.tf.json
-
-# Include override files you do wish to add to version control using negated pattern
-#
-# !example_override.tf
-
-# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
-# example: *tfplan*
-
-# Ignore CLI configuration files
+kubeconfig*
 .terraformrc
 terraform.rc
 .terraform.lock.hcl
-
-go.mod
-go.sum
-
-.DS_Store
+build/
+.DS_Store
+.idea
+temp.json

.header.md

@@ -1,57 +1,145 @@
-# Creating modules for AWS I&A Organization
-
-This repo template is used to seed Terraform Module templates for the [AWS I&A GitHub organization](https://github.com/aws-ia). Usage of this template is allowed per included license. PRs to this template will be considered but are not guaranteed to be included. Consider creating an issue to discuss a feature you want to include before taking the time to create a PR.
-### TL;DR
-
-1. [install pre-commit](https://pre-commit.com/)
-2. configure pre-commit: `pre-commit install`
-3. install required tools
-    - [tflint](https://github.com/terraform-linters/tflint)
-    - [tfsec](https://aquasecurity.github.io/tfsec/v1.0.11/)
-    - [terraform-docs](https://github.com/terraform-docs/terraform-docs)
-    - [golang](https://go.dev/doc/install) (for macos you can use `brew`)
-    - [coreutils](https://www.gnu.org/software/coreutils/)
-
-Write code according to [I&A module standards](https://aws-ia.github.io/standards-terraform/)
-
-## Module Documentation
-
-**Do not manually update README.md**. `terraform-docs` is used to generate README files. For any instructions an content, please update [.header.md](./.header.md) then simply run `terraform-docs ./` or allow the `pre-commit` to do so.
-
-## Terratest
-
-Please include tests to validate your examples/<> root modules, at a minimum. This can be accomplished with usually only slight modifications to the [boilerplate test provided in this template](./test/examples_basic_test.go)
-
-### Configure and run Terratest
-
-1. Install
-
-    [golang](https://go.dev/doc/install) (for macos you can use `brew`)
-2. Change directory into the test folder.
-
-    `cd test`
-3. Initialize your test
-
-    go mod init github.com/[github org]/[repository]
-
-    `go mod init github.com/aws-ia/terraform-aws-vpc`
-4. Run tidy
-
-    `git mod tidy`
-5. Install Terratest
-
-    `go get github.com/gruntwork-io/terratest/modules/terraform`
-6. Run test (You can have multiple test files).
-    - Run all tests
-
-        `go test`
-    - Run a specific test with a timeout
-
-        `go test -run TestExamplesBasic -timeout 45m`
-## Module Standards
-
-For best practices and information on developing with Terraform, see the [I&A Module Standards](https://aws-ia.github.io/standards-terraform/)
-
-## Continuous Integration
-
-The I&A team uses AWS CodeBuild to perform continuous integration (CI) within the organization. Our CI uses the a repo's `.pre-commit-config.yaml` file as well as some other checks. All PRs with other CI will be rejected. See our [FAQ](https://aws-ia.github.io/standards-terraform/faq/#are-modules-protected-by-ci-automation) for more details.
+# Terraform Mendix Private Cloud
+
+This repository represents an IaC project (Infractructure as Code) which facilitates the creation of repeatable and disposable environments meeting the requirements of Mendix for Private Cloud on AWS.
+
+## Architecture diagram
+![image description](doc/deployment_guide/images/terraform-mendix-private-cloud-diagram.png)
+
+## Prerequisites
+
+### Mendix Private Cloud
+* Create your application on https://privatecloud.mendixcloud.com
+* Mendix Runtime Version >= 9.21
+* Register a new EKS Cluster
+* Add a new Connected Namespace called **mendix**
+* Retrieve the cluster id and the cluster secret in the *Installation* tab
+
+### Terraform 
+Provision a S3 bucket with your desired name and a DynamoDB table with the partition key `LockID` (String type), to store the state file and have a locking mechanism respectively.
+
+* Install [Terraform](https://learn.hashicorp.com/tutorials/terraform/install-cli)
+* An IAM user with programmatic access with at least the following IAM [permissions](deployment-policy.json)
+* Install [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) 
+* Configure AWS CLI with the `ACCESS_KEY_ID` and `SECRET_ACCESS_KEY` corresponding to the IAM user which has the aforementioned IAM permissions (execute `aws configure`) 
+* Install [AWS IAM Authenticator](https://docs.aws.amazon.com/eks/latest/userguide/install-aws-iam-authenticator.html)
+* Install [kubectl](https://kubernetes.io/docs/tasks/tools/)
+* Install wget (required for Terraform eks module)
+* Edit the `providers.tf` as the following example:
+```
+terraform {
+  backend "s3" {
+    region         = "eu-central-1"
+    bucket         = "state-bucket-state"
+    key            = "terraform.tfstate"
+    dynamodb_table = "dynamodb-table-state"
+    encrypt        = true
+  }
+```
+* Edit the `terraform.tfvars` as the following example: : 
+```
+aws_region                   = ""
+domain_name                  = "project-name-example.com"
+certificate_expiration_email = "[email protected]"
+s3_bucket_name               = "project-name"
+cluster_id                   = ""
+cluster_secret               = ""
+environments_internal_names  = ["app1", "app2", "app3"]
+```
+The number of applications deployed is handled by the `environments_internal_names` variable, those internal names are used during the environment creation : 
+![image description](doc/deployment_guide/images/environments_internal_names.png)
+## Provisionning 
+
+To provision a new Mendix for Private Cloud environment, aka Mx4PC, execute the following commands:
+
+```
+terraform init
+terraform apply
+```
+Once everything has been successfully provisioned, run the following command to retrieve the access credentials for your new cluster and automatically configure kubectl:
+
+```
+aws eks --region $(terraform output -raw region) update-kubeconfig --name $(terraform output -raw cluster_name)
+```
+
+Retrieve the aws_route53_zone_name_servers generated using the AWS Console in Route53 -> Hosted Zone, or at the end of the run using this command :
+
+```
+terraform output aws_route53_zone_name_server
+```
+Depending on your provider, update your external Domain Name Registrar or Route53 registered domain with those values following this documentation [Route53 Documentation](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-configuring.html).
+
+Enable the External Secrets Store in the *Customization* tab of the Mendix for Private Cloud Portal Cluster Manager.
+![image description](doc/deployment_guide/images/secrets-store.png)
+## Security
+### Cluster endpoint
+Kubernetes API requests within your cluster's VPC (such as node to control plane communication) use the private VPC endpoint.
+Your cluster API server is accessible from the internet. You can, optionally, limit the CIDR blocks that can access the public endpoint as mentionned in the [Amazon EKS Documentation](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) by setting up the ``allowed_ips`` variable.
+
+### Encryption
+All the EBS volumes, the RDS PostgreSQL database and the S3 storage bucket are encrypted at rest. The end-to-end TLS encryption is handled at the Ingress NGINX Controller level, a certificate is generated for each app by cert-manager, configured with a Let’s Encrypt certificate issuer.
+
+## Automatic scaling
+All the Amazon EKS nodes are placed in an Auto Scaling group, but it doesn’t install
+the [Kubernetes Cluster Autoscaler](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler) by default. The Cluster Autoscaler provides automatic
+scale-up and scale-down by allowing Kubernetes to modify the Amazon EC2 Auto Scaling
+groups.
+
+## Logging monitoring
+A basic logging and monitoring stack contaning Prometheus, Grafana, Loki and Promtail is provisionned by default, reacheable using this URL : https<span>://monitoring.{domain_name}
+
+To retrieve the Grafana admin credentials : 
+```
+terraform output -json grafana_admin_password
+```
+## Troubleshooting
+* For Mac M1 users, in order to fix this error: 
+```
+│ Provider Terraform Registry 38 v2.2.0 does not have a
+│ package available for your current platform, darwin_arm64
+```
+Install [m1-terraform-provider-helper](https://github.com/kreuzwerker/m1-terraform-provider-helper):
+```
+brew install kreuzwerker/taps/m1-terraform-provider-helper
+m1-terraform-provider-helper activate
+m1-terraform-provider-helper install hashicorp/template -v v2.2.0
+```
+* Windows users:
+```
+terraform providers lock -platform=linux_amd64 -platform=darwin_amd64
+```
+* Mendix Agent/Operator not connected or misconfigured.
+
+Retrieve the logs of the installer job :
+```
+kubectl logs job.batch/mxpc-cli-installer -n mendix
+```
+
+Expected output : 
+```
+-- Done-- Applying Kubernetes Secrets... Done!
+-- Applying Service Accounts... Done!
+-- Applying Storage Plans... Done!
+-- Applying Operator Patches... Done!
+-- Successfully applied all the configuration!
+operatorconfiguration.privatecloud.mendix.com/mendix-operator-configuration patched
+operatorconfiguration.privatecloud.mendix.com/mendix-operator-configuration patched
+operatorconfiguration.privatecloud.mendix.com/mendix-operator-configuration patched
+```
+* Reinstall the installer :
+```
+terraform destroy -target=helm_release.mendix_installer
+terraform plan; terraform apply --auto-approve
+```
+## Cleanup
+
+To completely clean up your environment, destroy the Terraform modules using this reverse order.
+```
+terraform destroy -target="module.eks_blueprints_kubernetes_addons.module.ingress_nginx[0].module.helm_addon.helm_release.addon[0]" -auto-approve
+terraform destroy -target="module.eks_blueprints_kubernetes_addons.module.prometheus[0].module.helm_addon.helm_release.addon[0]" -auto-approve
+terraform destroy -target="module.eks_blueprints_kubernetes_addons" -auto-approve
+terraform destroy -auto-approve
+```
+
+## License 
+
+[![License](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)

.pre-commit-config.yaml

@@ -2,10 +2,9 @@
 fail_fast: false
 minimum_pre_commit_version: "2.6.0"
 repos:
-  -
-    repo: https://github.com/aws-ia/pre-commit-configs
-    # To update run:
-    # pre-commit autoupdate --freeze
-    rev: 80ed3f0a164f282afaac0b6aec70e20f7e541932  # frozen: v1.5.0
-    hooks:
-      - id: aws-ia-meta-hook
+    - repo: https://github.com/aws-ia/pre-commit-configs
+      # To update run:
+      # pre-commit autoupdate --freeze
+      rev: 51b268040aacc4a4b1f0a3540722409cf93ac18d  # frozen: v1.6.1
+      hooks:
+        - id: aws-ia-meta-hook

.terraform-docs.yaml

@@ -18,4 +18,4 @@ sort:
 
 output:
   file: README.md
-  mode: replace
+  mode: replace

.tflint.hcl

@@ -3,7 +3,7 @@
 
 plugin "aws" {
   enabled = true
-  version = "0.14.0"
+  version = "0.21.1"
   source  = "github.com/terraform-linters/tflint-ruleset-aws"
 }
 

README.md

@@ -0,0 +1,12 @@
+apiVersion: v2
+name: mendix-installer
+type: application
+description: A Helm chart to configure Mendix Private Cloud components using mxpc-cli
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+version: 1.0.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application.
+appVersion: 1.0.0