Building the Connectivity

In an earlier post, I talked about setting up an AWS landing zone using Control Tower.

I followed these steps in the Control Tower section of the management account:

  • Create an OU named "Infrastructure."

OU List


  • Create an AWS account named "Network" from the account factory.

  • Disable automatic creation of VPCs in all regions by the Account Factory in AWS Control Tower.

Control Tower Account Factory


Now that our network account is ready, we must deploy a VPC resource using Terraform via the GitHub Actions workflow.

In another post, I discussed the steps to integrate GitHub with AWS using OIDC. In the same way, HCP Terraform must be integrated with AWS for infrastructure provisioning: add HCP Terraform as an OIDC identity provider in AWS and create an IAM role that trusts it. The ARN of this role must then be added as a variable in your HCP Terraform workspace or organization.
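The provider registration and trust relationship described above, written out in Terraform. This is an added example, not code from the post; the organization name "example-org", project "Default Project", workspace "network-vpc" and role name are placeholders, and the `tls_certificate` data source assumes the hashicorp/tls provider is configured. The important security detail is the `sub` condition: without it, a run from any HCP Terraform organization could assume the role.

```hcl
# Added example (not the post's own code): register HCP Terraform as an OIDC
# provider in the Network account and create the role HCP Terraform assumes.
# Assumed names: organization "example-org", project "Default Project" and
# workspace "network-vpc" are placeholders; replace them with your own.

data "tls_certificate" "hcp_terraform" {
  url = "https://app.terraform.io"
}

resource "aws_iam_openid_connect_provider" "hcp_terraform" {
  url             = "https://app.terraform.io"
  client_id_list  = ["aws.workload.identity"]
  thumbprint_list = [data.tls_certificate.hcp_terraform.certificates[0].sha1_fingerprint]
}

# Trust policy: only runs from one organization/project/workspace may assume
# the role. Without the "sub" condition, any HCP Terraform workspace in any
# organization could obtain credentials for this account.
data "aws_iam_policy_document" "hcp_terraform_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.hcp_terraform.arn]
    }

    condition {
      test     = "StringEquals"
      variable = "app.terraform.io:aud"
      values   = ["aws.workload.identity"]
    }

    condition {
      test     = "StringLike"
      variable = "app.terraform.io:sub"
      values   = ["organization:example-org:project:Default Project:workspace:network-vpc:run_phase:*"]
    }
  }
}

resource "aws_iam_role" "hcp_terraform" {
  name               = "hcp-terraform-network" # assumed name
  assume_role_policy = data.aws_iam_policy_document.hcp_terraform_trust.json
}

# Least privilege: scope the role to the services this workspace manages
# (VPC networking and RAM) instead of attaching AdministratorAccess.
# The action patterns are illustrative; tighten them to what your plan uses.
resource "aws_iam_role_policy" "hcp_terraform_network" {
  name = "network-provisioning"
  role = aws_iam_role.hcp_terraform.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect = "Allow"
      Action = [
        "ec2:*Vpc*", "ec2:*Subnet*", "ec2:*RouteTable*", "ec2:*Route",
        "ec2:*InternetGateway*", "ec2:Describe*", "ec2:CreateTags", "ec2:DeleteTags",
        "ram:*",
      ]
      Resource = "*"
    }]
  })
}

# Environment variables HCP Terraform reads to use this role (set them on the
# workspace, or on a variable set at the organization level):
#   TFC_AWS_PROVIDER_AUTH = true
#   TFC_AWS_RUN_ROLE_ARN  = <ARN of aws_iam_role.hcp_terraform>
```

The `TFC_AWS_RUN_ROLE_ARN` value is the role ARN the post says must be added to the workspace; if the workspace is later renamed or moved to another project, the `sub` condition stops matching and runs fail closed, which is the intended behaviour.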


HCP variables


Our new VPC contains the following resources:

  • Two public subnets
  • Two private subnets
  • One internet gateway
  • Four routing tables
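One way to define that layout, added here as an example rather than taken from the post's repository. The resource names `aws_subnet.public` and `aws_subnet.private` and the variables `public_subnet_cidr` and `private_subnet_cidr` are chosen to match the references in the ram.tf shown later; the CIDR ranges and tags are assumptions.

```hcl
# Added example (not the post's own code): the VPC listed above, written so
# that aws_subnet.public / aws_subnet.private match the references in ram.tf.
# Variable names and CIDRs are assumptions.

variable "vpc_cidr" {
  type    = string
  default = "10.0.0.0/16"
}

variable "public_subnet_cidr" {
  type    = list(string)
  default = ["10.0.0.0/24", "10.0.1.0/24"]
}

variable "private_subnet_cidr" {
  type    = list(string)
  default = ["10.0.10.0/24", "10.0.11.0/24"]
}

data "aws_availability_zones" "available" {
  state = "available"
}

resource "aws_vpc" "this" {
  cidr_block           = var.vpc_cidr
  enable_dns_support   = true
  enable_dns_hostnames = true
  tags                 = { Name = "network-vpc" }
}

resource "aws_internet_gateway" "this" {
  vpc_id = aws_vpc.this.id
}

# Two public subnets, one per AZ. map_public_ip_on_launch stays false so that
# instances launched into the shared subnets by other accounts do not receive
# a public IP unless explicitly requested.
resource "aws_subnet" "public" {
  count                   = length(var.public_subnet_cidr)
  vpc_id                  = aws_vpc.this.id
  cidr_block              = var.public_subnet_cidr[count.index]
  availability_zone       = data.aws_availability_zones.available.names[count.index]
  map_public_ip_on_launch = false
  tags                    = { Name = "public-${count.index}", Tier = "public" }
}

# Two private subnets in the same AZs.
resource "aws_subnet" "private" {
  count             = length(var.private_subnet_cidr)
  vpc_id            = aws_vpc.this.id
  cidr_block        = var.private_subnet_cidr[count.index]
  availability_zone = data.aws_availability_zones.available.names[count.index]
  tags              = { Name = "private-${count.index}", Tier = "private" }
}

# Four route tables, one per subnet. Only the public tables get a default
# route to the internet gateway; the private tables carry no default route,
# so nothing in a private subnet is reachable from (or can reach) the internet.
resource "aws_route_table" "public" {
  count  = length(var.public_subnet_cidr)
  vpc_id = aws_vpc.this.id
}

resource "aws_route" "public_default" {
  count                  = length(var.public_subnet_cidr)
  route_table_id         = aws_route_table.public[count.index].id
  destination_cidr_block = "0.0.0.0/0"
  gateway_id             = aws_internet_gateway.this.id
}

resource "aws_route_table_association" "public" {
  count          = length(var.public_subnet_cidr)
  subnet_id      = aws_subnet.public[count.index].id
  route_table_id = aws_route_table.public[count.index].id
}

resource "aws_route_table" "private" {
  count  = length(var.private_subnet_cidr)
  vpc_id = aws_vpc.this.id
}

resource "aws_route_table_association" "private" {
  count          = length(var.private_subnet_cidr)
  subnet_id      = aws_subnet.private[count.index].id
  route_table_id = aws_route_table.private[count.index].id
}
```

Because route tables are owned by the Network account, participant accounts that receive the subnets through RAM cannot change the routing; that is the point of centralising the VPC here.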

VPC overview


A successful workflow summary will look like this:

Workflow summary


Connect to the "Network" account and verify the VPC creation.

VPC

The last step is to create a resource share using AWS Resource Access Manager (RAM) to share all four VPC subnets with the "Sandbox" OU.


RAM Resource Share


Our Terraform code contains a file named ram.tf as follows:

# Creates a Resource Access Manager (RAM) Resource Share
resource "aws_ram_resource_share" "subnet_share" {
  name = var.ram_name
  tags = local.tags
}

# Associates Private Subnets to RAM
resource "aws_ram_resource_association" "private_subnets" {
  count              = length(var.private_subnet_cidr)
  resource_arn       = aws_subnet.private[count.index].arn
  resource_share_arn = aws_ram_resource_share.subnet_share.arn
}

# Associates Public Subnets to RAM
resource "aws_ram_resource_association" "public_subnets" {
  count              = length(var.public_subnet_cidr)
  resource_arn       = aws_subnet.public[count.index].arn
  resource_share_arn = aws_ram_resource_share.subnet_share.arn
}

# Share resources to Sandbox OU
resource "aws_ram_principal_association" "ram_principal_association" {
  principal          = var.ou_arn
  resource_share_arn = aws_ram_resource_share.subnet_share.arn
}

One quick tip is to add the ARN of the OU as a variable in the Terraform workspace.


OU_ARN
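The variable declarations that ram.tf relies on, as an added example (not the post's own variables.tf), with a validation on the OU ARN and the organization-level switch that RAM needs before an OU can be used as a principal. The default share name is an assumption.

```hcl
# Added example (not the post's own code): variables behind ram.tf, with a
# format check on the OU ARN, plus the organization-level setting RAM requires
# before an OU can be used as a principal. The default name is an assumption.

variable "ram_name" {
  type    = string
  default = "network-vpc-subnets"
}

# The OU ARN comes from the HCP Terraform workspace variable, as the post
# suggests. Validating its shape here means a typo, or an account ID pasted
# in by mistake, fails at plan time instead of creating a share that exposes
# the subnets to an unintended principal.
variable "ou_arn" {
  type        = string
  description = "ARN of the OU (Sandbox) that the subnets are shared with"

  validation {
    condition     = can(regex("^arn:aws:organizations::[0-9]{12}:ou/o-[a-z0-9]{10,32}/ou-[a-z0-9]{4,32}-[a-z0-9]{8,32}$", var.ou_arn))
    error_message = "ou_arn must be an OU ARN: arn:aws:organizations::<management-account-id>:ou/o-<org-id>/ou-<ou-id>."
  }
}

# Sharing with an OU (rather than with individual account IDs) only works once
# "sharing with AWS Organizations" is enabled for RAM. That is an
# organization-wide setting that must be applied from the management account,
# so this resource belongs in the management account's configuration (or is
# enabled once in the RAM console), not in the Network account's ram.tf.
resource "aws_ram_sharing_with_organization" "this" {}
```

A related check worth keeping in mind: `aws_ram_resource_share` defaults `allow_external_principals` to false, which means the share can never be extended to an account outside the organization; leave that default in place for the subnet share.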

The resource share has been created and will look like the one below. Notice "Shared by me", i.e., the Network account.

RAM - Network Account

Connect to the "development" account, and you will see "shared with me" under RAM.

RAM - Development Account

In this way, all future accounts within the Sandbox OU will inherit the shared VPC subnets from the Network account.

More articles by Anoop Jayadharan