
Create Blueprint


Overview

The blueprint definition is now complete. It's time to deploy the blueprint to AutoCloud using Terraform. Review the code produced, run terraform apply, and verify that the blueprint has been deployed to AutoCloud in Draft status.

Review Terraform Code

The final Terraform code defining the KMS encrypted S3 bucket should look like this:

Terraform
data "autocloud_github_repos" "repos" {}

####
# Local variables
locals {
  # Destination repos where generated code will be submitted
  dest_repos = [
    for repo in data.autocloud_github_repos.repos.data[*].url : repo
    if length(regexall("/infrastructure-live-demo", repo)) > 0
  ]
}



####
# Module Resources
#
# Connect to the Terraform modules that will be used to create this blueprint


####
# KMS Key
#
resource "autocloud_module" "kms_key" {
  name    = "cpkmskey"
  source  = "cloudposse/kms-key/aws"
  version = "0.12.1"
}

data "autocloud_blueprint_config" "kms_key_processor" {
  source = {
    kms = autocloud_module.kms_key.blueprint_config
  }

  ###
  # Hide variables from user
  omit_variables = [
    # Global
    "context",
    "tenant",
    "stage",
    "delimiter",
    "attributes",
    "labels_as_tags",
    "additional_tag_map",
    "label_order",
    "regex_replace_chars",
    "id_length_limit",
    "label_key_case",
    "label_value_case",
    "descriptor_formats",
    "enabled",
    # Use defaults in the module (don't collect)
    "alias",
    "customer_master_key_spec",
    "key_usage",
    "multi_region",
    "policy",
    # Hard Coded values
    "deletion_window_in_days",
    "description",
    "enable_key_rotation",
  ]

  ###
  # Force KMS key deletion window to 14 days
  variable {
    name = "kms.variables.deletion_window_in_days"
    type = "shortText"

    value = 14
  }

  ###
  # Set description
  variable {
    name  = "kms.variables.description"
    value = format("KMS key for encryption of KMS encrypted S3 bucket")
  }
}



####
# S3 Bucket
#
resource "autocloud_module" "s3_bucket" {
  name    = "cps3bucket"
  source  = "cloudposse/s3-bucket/aws"
  version = "3.1.0"
}

data "autocloud_blueprint_config" "s3_bucket_processor" {
  source = {
    s3 = autocloud_module.s3_bucket.blueprint_config
  }

  ###
  # Hide variables from user
  omit_variables = [
    # Global
    "context",
    "tenant",
    "stage",
    "delimiter",
    "attributes",
    "labels_as_tags",
    "additional_tag_map",
    "label_order",
    "regex_replace_chars",
    "id_length_limit",
    "label_key_case",
    "label_value_case",
    "descriptor_formats",
    "enabled",
    # Use defaults in the module (don't collect)
    "access_key_enabled",
    "acl",
    "allowed_bucket_actions",
    "block_public_acls",
    "block_public_policy",
    "bucket_key_enabled",
    "bucket_name",
    "cors_configuration",
    "force_destroy",
    "grants",
    "ignore_public_acls",
    "lifecycle_configuration_rules",
    "lifecycle_rule_ids",
    "lifecycle_rules",
    "logging",
    "object_lock_configuration",
    "policy",
    "privileged_principal_actions",
    "privileged_principal_arns",
    "replication_rules",
    "restrict_public_buckets",
    "s3_replica_bucket_arn",
    "s3_replication_enabled",
    "s3_replication_permissions_boundary_arn",
    "s3_replication_rules",
    "s3_replication_source_roles",
    "source_policy_documents",
    "ssm_base_path",
    "store_access_key_in_ssm",
    "transfer_acceleration_enabled",
    "user_enabled",
    "user_permissions_boundary_arn",
    "versioning_enabled",
    "website_configuration",
    "website_redirect_all_requests_to",
    # Hard Coded values
    "allow_encrypted_uploads_only",
    "allow_ssl_requests_only",
    "kms_master_key_arn",
    "s3_object_ownership",
    "sse_algorithm",
  ]

  ###
  # Force encrypted uploads
  variable {
    name  = "s3.variables.allow_encrypted_uploads_only"
    value = true
  }

  ###
  # Force encrypted downloads
  variable {
    name  = "s3.variables.allow_ssl_requests_only"
    value = true
  }

  ###
  # Force BucketOwner object permissions
  variable {
    name  = "s3.variables.s3_object_ownership"
    value = "BucketOwnerEnforced"
  }

  ###
  # Use KMS key encryption
  variable {
    name  = "s3.variables.sse_algorithm"
    value = "aws:kms"
  }

  ###
  # Set KMS Key ARN
  variable {
    name  = "s3.variables.kms_master_key_arn"
    value = autocloud_module.kms_key.outputs["key_arn"]
  }
}



####
# Create Blueprint Config
#
# Combine resources into the final config
data "autocloud_blueprint_config" "global" {
  source = {
    kms = data.autocloud_blueprint_config.kms_key_processor.blueprint_config,
    s3  = data.autocloud_blueprint_config.s3_bucket_processor.blueprint_config
  }

  ###
  # Hide variables from user
  omit_variables = [
    # Global
    # Use defaults in the module (don't collect)
    "context",
    "tenant",
    "stage",
    "delimiter",
    "attributes",
    "labels_as_tags",
    "additional_tag_map",
    "label_order",
    "regex_replace_chars",
    "id_length_limit",
    "label_key_case",
    "label_value_case",
    "descriptor_formats",
    # Hard Coded values
    "enabled",

    # KMS Key
    # Use defaults in the module (don't collect)
    "alias",
    "customer_master_key_spec",
    "key_usage",
    "multi_region",
    "policy",
    # Hard Coded values
    "deletion_window_in_days",
    "description",
    "enable_key_rotation",

    # S3 Bucket
    # Use defaults in the module (don't collect)
    "access_key_enabled",
    "acl",
    "allowed_bucket_actions",
    "block_public_acls",
    "block_public_policy",
    "bucket_key_enabled",
    "bucket_name",
    "cors_configuration",
    "force_destroy",
    "grants",
    "ignore_public_acls",
    "lifecycle_configuration_rules",
    "lifecycle_rule_ids",
    "lifecycle_rules",
    "logging",
    "object_lock_configuration",
    "policy",
    "privileged_principal_actions",
    "privileged_principal_arns",
    "replication_rules",
    "restrict_public_buckets",
    "s3_replica_bucket_arn",
    "s3_replication_enabled",
    "s3_replication_rules",
    "s3_replication_source_roles",
    "source_policy_documents",
    "ssm_base_path",
    "store_access_key_in_ssm",
    "transfer_acceleration_enabled",
    "user_enabled",
    "versioning_enabled",
    "website_configuration",
    "website_redirect_all_requests_to",
    # Hard Coded values
    "allow_encrypted_uploads_only",
    "allow_ssl_requests_only",
    "kms_master_key_arn",
    "s3_object_ownership",
    "sse_algorithm",
  ]

  ###
  # Hard code `enabled` to true to create all assets
  variable {
    name  = "enabled"
    value = true
  }

  ###
  # Set the namespace
  variable {
    name         = "namespace"
    display_name = "Namespace"
    helper_text  = "The organization namespace the assets will be deployed in"

    type = "shortText"

    value = "unstyl"
  }

  ###
  # Choose the environment
  variable {
    name         = "environment"
    display_name = "Environment"
    helper_text  = "The environment the assets will be deployed in"

    type = "radio"

    options {
      option {
        label   = "Nonprod"
        value   = "nonprod"
        checked = true
      }
      option {
        label = "Production"
        value = "production"
      }
    }
  }

  ###
  # Collect the name of the asset group
  variable {
    name         = "name"
    display_name = "Name"
    helper_text  = "The name of the encrypted S3 bucket"

    type = "shortText"

    validation_rule {
      rule          = "isRequired"
      error_message = "You must provide a name for the encrypted S3 bucket"
    }
  }

  ###
  # Collect tags to apply to assets
  variable {
    name         = "tags"
    display_name = "Tags"
    helper_text  = "A map of tags to apply to the deployed assets"

    type = "map"
  }
}



####
# Create Blueprint
#
# Create generator blueprint that contains all the elements
resource "autocloud_blueprint" "this" {
  name = "KMS Encrypted S3 Bucket"

  ###
  # UI Configuration
  #
  author       = "jim@unstyl.com"
  description  = "Deploys a KMS Encrypted S3 Bucket to AWS"
  instructions = <<-EOT
  To deploy this generator, these simple steps:

    * step 1: Choose the target environment
    * step 2: Provide a name to identify assets
    * step 3: Add tags to apply to assets
  EOT

  labels = ["aws"]



  ###
  # Form configuration
  config = data.autocloud_blueprint_config.global.config



  ###
  # File definitions
  #
  file {
    action      = "CREATE"
    destination = "aws/{{environment}}/{{namespace}}-{{environment}}-{{name}}.tf"
    variables = {
      namespace   = "cpkmskey.namespace"
      environment = "cpkmskey.environment"
      name        = "cpkmskey.name"
    }

    modules = [
      autocloud_module.kms_key.name,
      autocloud_module.s3_bucket.name,
    ]
  }



  ###
  # Destination repository git configuration
  #
  git_config {
    destination_branch = "main"

    git_url_options = local.dest_repos
    git_url_default = length(local.dest_repos) != 0 ? local.dest_repos[0] : "" # Choose the first in the list by default

    pull_request {
      title                   = "[AutoCloud] new KMS Encrypted S3 Bucket {{namespace}}-{{environment}}-{{name}}, created by {{authorName}}"
      commit_message_template = "[AutoCloud] new KMS Encrypted S3 Bucket {{namespace}}-{{environment}}-{{name}}, created by {{authorName}}"
      body                    = file("./files/pull_request.md.tpl")
      variables = {
        authorName  = "generic.authorName"
        namespace   = "cpkmskey.namespace"
        environment = "cpkmskey.environment"
        name        = "cpkmskey.name"
      }
    }
  }
}



If there are discrepancies, please return to the previous steps and review.
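The hard-coded values above only stay out of a consumer's hands if each pinned variable is also listed in omit_variables; otherwise the form still shows it. The following Python lint is an added example, not part of the AutoCloud docs or provider: it reads a constructed, trimmed copy of the S3 config and reports any pinned variable the form still exposes, plus any required setting that is missing or weakened. It assumes the flat HCL subset used in these configs and uses a small regex reader rather than a real HCL parser.

```python
"""Lint an AutoCloud blueprint config for settings that must stay pinned and hidden.
Added example, not AutoCloud code; the regex reader handles only this flat HCL subset."""
import re

# Constructed sample: trimmed copy of the tutorial's s3_bucket_processor config
# with one deliberate mistake: allow_ssl_requests_only is hard-coded but missing
# from omit_variables, so the blueprint form would still expose it to consumers.
SAMPLE_CONFIG = '''
data "autocloud_blueprint_config" "s3_bucket_processor" {
  omit_variables = [
    # Hard Coded values
    "allow_encrypted_uploads_only",
    "sse_algorithm",
  ]
  variable {
    name  = "s3.variables.allow_encrypted_uploads_only"
    value = true
  }
  variable {
    name  = "s3.variables.allow_ssl_requests_only"
    value = true
  }
  variable {
    name  = "s3.variables.sse_algorithm"
    value = "aws:kms"
  }
  variable {
    name         = "namespace"
    display_name = "Namespace"
    value        = "unstyl"
  }
}
'''

# Values the S3 config must pin (from the tutorial's "Hard Coded values" section).
REQUIRED_PINS = {
    "allow_encrypted_uploads_only": "true",
    "allow_ssl_requests_only": "true",
    "sse_algorithm": "aws:kms",
}

def omitted_variables(hcl):
    """Short names listed in omit_variables, with comment lines ignored."""
    m = re.search(r'omit_variables\s*=\s*\[(.*?)\]', hcl, re.S)
    body = re.sub(r'#.*', '', m.group(1)) if m else ''
    return set(re.findall(r'"([^"]+)"', body))

def variable_blocks(hcl):
    """Attribute dict for each flat variable { ... } block."""
    for body in re.findall(r'variable\s*\{(.*?)\n\s*\}', hcl, re.S):
        yield dict(re.findall(r'(\w+)\s*=\s*"?([^"\n]*?)"?\s*$', body, re.M))

def lint_blueprint(hcl):
    """Findings as strings; an empty list means the config passes."""
    findings, omitted, pinned = [], omitted_variables(hcl), {}
    for attrs in variable_blocks(hcl):
        # 's3.variables.sse_algorithm' -> 'sse_algorithm'; plain names pass through
        name = attrs.get("name", "").rsplit(".variables.", 1)[-1]
        # A value with no display_name is hard-coded, not collected from the user
        if "value" in attrs and "display_name" not in attrs:
            pinned[name] = attrs["value"]
            if name not in omitted:
                findings.append(f"{name}: hard-coded but not in omit_variables")
    for name, want in REQUIRED_PINS.items():
        got = pinned.get(name)
        if got is None:
            findings.append(f"{name}: not pinned, module default would apply")
        elif got != want:
            findings.append(f"{name}: pinned to {got!r}, expected {want!r}")
    return findings
```

Running `lint_blueprint` over the full configs on this page is the same call; the omit_variables lists in the global config must include every name the processor configs pin, which is exactly what the check enforces.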

Deploy Blueprint

To deploy the blueprint, run terraform apply, review the planned changes, and confirm with yes:



Shell
❯ terraform apply

data.autocloud_github_repos.repos: Reading...
data.autocloud_github_repos.repos: Read complete after 1s [id=1676406044]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
 <= read (data resources)

Terraform will perform the following actions:

  # data.autocloud_blueprint_config.global will be read during apply
  # (config refers to values not yet known)
 <= data "autocloud_blueprint_config" "global" {
      + blueprint_config = (known after apply)
      + config           = (known after apply)
      + id               = (known after apply)
      + omit_variables   = [
          + "access_key_enabled",
          + "acl",
          + "additional_tag_map",
          + "alias",
          + "allow_encrypted_uploads_only",
          + "allow_ssl_requests_only",
          + "allowed_bucket_actions",
          + "attributes",
          + "block_public_acls",
          + "block_public_policy",
          + "bucket_key_enabled",
          + "bucket_name",
          + "context",
          + "cors_configuration",
          + "customer_master_key_spec",
          + "deletion_window_in_days",
          + "delimiter",
          + "description",
          + "descriptor_formats",
          + "enable_key_rotation",
          + "enabled",
          + "force_destroy",
          + "grants",
          + "id_length_limit",
          + "ignore_public_acls",
          + "key_usage",
          + "kms_master_key_arn",
          + "label_key_case",
          + "label_order",
          + "label_value_case",
          + "labels_as_tags",
          + "lifecycle_configuration_rules",
          + "lifecycle_rule_ids",
          + "lifecycle_rules",
          + "logging",
          + "multi_region",
          + "object_lock_configuration",
          + "policy",
          + "privileged_principal_actions",
          + "privileged_principal_arns",
          + "regex_replace_chars",
          + "replication_rules",
          + "restrict_public_buckets",
          + "s3_object_ownership",
          + "s3_replica_bucket_arn",
          + "s3_replication_enabled",
          + "s3_replication_rules",
          + "s3_replication_source_roles",
          + "source_policy_documents",
          + "sse_algorithm",
          + "ssm_base_path",
          + "stage",
          + "store_access_key_in_ssm",
          + "tenant",
          + "transfer_acceleration_enabled",
          + "user_enabled",
          + "versioning_enabled",
          + "website_configuration",
          + "website_redirect_all_requests_to",
        ]
      + source           = {
          + "kms" = (known after apply)
          + "s3"  = (known after apply)
        }

      + variable {
          + name  = "enabled"
          + value = "true"
        }
      + variable {
          + display_name = "Namespace"
          + helper_text  = "The organization namespace the assets will be deployed in"
          + name         = "namespace"
          + type         = "shortText"
          + value        = "unstyl"
        }
      + variable {
          + display_name = "Environment"
          + helper_text  = "The environment the assets will be deployed in"
          + name         = "environment"
          + type         = "radio"

          + options {
              + option {
                  + checked = true
                  + label   = "Nonprod"
                  + value   = "nonprod"
                }
              + option {
                  + label = "Production"
                  + value = "production"
                }
            }
        }
      + variable {
          + display_name = "Name"
          + helper_text  = "The name of the encrypted S3 bucket"
          + name         = "name"
          + type         = "shortText"

          + validation_rule {
              + error_message = "You must provide a name for the encrypted S3 bucket"
              + rule          = "isRequired"
            }
        }
      + variable {
          + display_name = "Tags"
          + helper_text  = "A map of tags to apply to the deployed assets"
          + name         = "tags"
          + type         = "map"
        }
    }

  # data.autocloud_blueprint_config.kms_key_processor will be read during apply
  # (config refers to values not yet known)
 <= data "autocloud_blueprint_config" "kms_key_processor" {
      + blueprint_config = (known after apply)
      + config           = (known after apply)
      + id               = (known after apply)
      + omit_variables   = [
          + "additional_tag_map",
          + "alias",
          + "attributes",
          + "context",
          + "customer_master_key_spec",
          + "deletion_window_in_days",
          + "delimiter",
          + "description",
          + "descriptor_formats",
          + "enable_key_rotation",
          + "enabled",
          + "id_length_limit",
          + "key_usage",
          + "label_key_case",
          + "label_order",
          + "label_value_case",
          + "labels_as_tags",
          + "multi_region",
          + "policy",
          + "regex_replace_chars",
          + "stage",
          + "tenant",
        ]
      + source           = {
          + "kms" = (known after apply)
        }

      + variable {
          + name  = "kms.variables.deletion_window_in_days"
          + type  = "shortText"
          + value = "14"
        }
      + variable {
          + name  = "kms.variables.description"
          + value = "KMS key for encryption of KMS encrypted S3 bucket"
        }
    }

  # data.autocloud_blueprint_config.s3_bucket_processor will be read during apply
  # (config refers to values not yet known)
 <= data "autocloud_blueprint_config" "s3_bucket_processor" {
      + blueprint_config = (known after apply)
      + config           = (known after apply)
      + id               = (known after apply)
      + omit_variables   = [
          + "access_key_enabled",
          + "acl",
          + "additional_tag_map",
          + "allow_encrypted_uploads_only",
          + "allow_ssl_requests_only",
          + "allowed_bucket_actions",
          + "attributes",
          + "block_public_acls",
          + "block_public_policy",
          + "bucket_key_enabled",
          + "bucket_name",
          + "context",
          + "cors_configuration",
          + "delimiter",
          + "descriptor_formats",
          + "enabled",
          + "force_destroy",
          + "grants",
          + "id_length_limit",
          + "ignore_public_acls",
          + "kms_master_key_arn",
          + "label_key_case",
          + "label_order",
          + "label_value_case",
          + "labels_as_tags",
          + "lifecycle_configuration_rules",
          + "lifecycle_rule_ids",
          + "lifecycle_rules",
          + "logging",
          + "object_lock_configuration",
          + "policy",
          + "privileged_principal_actions",
          + "privileged_principal_arns",
          + "regex_replace_chars",
          + "replication_rules",
          + "restrict_public_buckets",
          + "s3_object_ownership",
          + "s3_replica_bucket_arn",
          + "s3_replication_enabled",
          + "s3_replication_rules",
          + "s3_replication_source_roles",
          + "source_policy_documents",
          + "sse_algorithm",
          + "ssm_base_path",
          + "stage",
          + "store_access_key_in_ssm",
          + "tenant",
          + "transfer_acceleration_enabled",
          + "user_enabled",
          + "versioning_enabled",
          + "website_configuration",
          + "website_redirect_all_requests_to",
        ]
      + source           = {
          + "s3" = (known after apply)
        }

      + variable {
          + name  = "s3.variables.allow_encrypted_uploads_only"
          + value = "true"
        }
      + variable {
          + name  = "s3.variables.allow_ssl_requests_only"
          + value = "true"
        }
      + variable {
          + name  = "s3.variables.s3_object_ownership"
          + value = "BucketOwnerEnforced"
        }
      + variable {
          + name  = "s3.variables.sse_algorithm"
          + value = "aws:kms"
        }
      + variable {
          + name  = "s3.variables.kms_master_key_arn"
          + value = (known after apply)
        }
    }

  # autocloud_blueprint.this will be created
  + resource "autocloud_blueprint" "this" {
      + author       = "jim@unstyl.com"
      + config       = (known after apply)
      + description  = "Deploys a KMS Encrypted S3 Bucket to AWS"
      + id           = (known after apply)
      + instructions = <<-EOT
            To deploy this generator, these simple steps:
            
              * step 1: Choose the target environment
              * step 2: Provide a name to identify assets
              * step 3: Add tags to apply to assets
        EOT
      + labels       = [
          + "aws",
        ]
      + name         = "KMS Encrypted S3 Bucket"

      + file {
          + action      = "CREATE"
          + destination = "aws/{{environment}}/{{namespace}}-{{environment}}-{{name}}.tf"
          + modules     = [
              + "cpkmskey",
              + "cps3bucket",
            ]
          + variables   = {
              + "environment" = "cpkmskey.environment"
              + "name"        = "cpkmskey.name"
              + "namespace"   = "cpkmskey.namespace"
            }
        }

      + git_config {
          + destination_branch = "main"
          + git_url_default    = "github.com/autoclouddev/infrastructure-live-demo"
          + git_url_options    = [
              + "github.com/autoclouddev/infrastructure-live-demo",
            ]

          + pull_request {
              + commit_message_template = "[AutoCloud] new KMS Encrypted S3 Bucket {{namespace}}-{{environment}}-{{name}}, created by {{authorName}}"
              + title                   = "[AutoCloud] new KMS Encrypted S3 Bucket {{namespace}}-{{environment}}-{{name}}, created by {{authorName}}"
              + variables               = {
                  + "authorName"  = "generic.authorName"
                  + "environment" = "cpkmskey.environment"
                  + "name"        = "cpkmskey.name"
                  + "namespace"   = "cpkmskey.namespace"
                }
            }
        }
    }

  # autocloud_module.kms_key will be created
  + resource "autocloud_module" "kms_key" {
      + blueprint_config   = (known after apply)
      + blueprint_config_1 = (known after apply)
      + id                 = (known after apply)
      + name               = "cpkmskey"
      + outputs            = (known after apply)
      + source             = "cloudposse/kms-key/aws"
      + tags_variable      = "tags"
      + template           = (known after apply)
      + template_config    = (known after apply)
      + variables          = (known after apply)
      + version            = "0.12.1"
    }

  # autocloud_module.s3_bucket will be created
  + resource "autocloud_module" "s3_bucket" {
      + blueprint_config   = (known after apply)
      + blueprint_config_1 = (known after apply)
      + id                 = (known after apply)
      + name               = "cps3bucket"
      + outputs            = (known after apply)
      + source             = "cloudposse/s3-bucket/aws"
      + tags_variable      = "tags"
      + template           = (known after apply)
      + template_config    = (known after apply)
      + variables          = (known after apply)
      + version            = "3.0.0"
    }

Plan: 3 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: 
autocloud_module.kms_key: Creating...
autocloud_module.s3_bucket: Creating...
autocloud_module.kms_key: Creation complete after 3s [id=cle4ovlk9822407ws7aj6pw8x]
data.autocloud_blueprint_config.kms_key_processor: Reading...
data.autocloud_blueprint_config.kms_key_processor: Read complete after 0s [id=1676406049]
autocloud_module.s3_bucket: Creation complete after 3s [id=cle4ovlsk823907wsswml5mnp]
data.autocloud_blueprint_config.s3_bucket_processor: Reading...
data.autocloud_blueprint_config.s3_bucket_processor: Read complete after 0s [id=1676406049]
data.autocloud_blueprint_config.global: Reading...
data.autocloud_blueprint_config.global: Read complete after 0s [id=1676406049]
autocloud_blueprint.this: Creating...
autocloud_blueprint.this: Creation complete after 1s [id=cle4ovme8780608y16q7v0u62]

Apply complete! Resources: 3 added, 0 changed, 0 destroyed.



Verify Draft Blueprint Created in AutoCloud

After a successful apply, the blueprint is available in AutoCloud in Draft status. To verify, log into AutoCloud, navigate to the Terraform Blueprints section and open the Drafts tab; the KMS Encrypted S3 Bucket blueprint should be listed:

[Screenshot: Draft Blueprint]


The blueprint is now ready to be tested and then published for consumption.

Updated 01 Jun 2023