-
Notifications
You must be signed in to change notification settings - Fork 8
/
Copy pathzero-module.yml
296 lines (292 loc) · 14.6 KB
/
zero-module.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
name: zero-aws-eks-stack
description: 'Zero module to configure AWS infrastructure for hosting SaaS applications either using Kubernetes with EKS or serverless with SAM/Lambda'
author: 'Commit'
zeroVersion: '>= 0.2.1'
commands:
check: sh scripts/check.sh
template:
strictMode: true
delimiters:
- '<%'
- '%>'
inputDir: 'templates'
outputDir: 'infrastructure'
requiredCredentials:
- aws
- github
parameters:
- field: backendApplicationHosting
label: How do you want to host the backend of your application?
info: "Kubernetes is more complex and expensive, but significantly more feature-rich. The serverless approach can be cheaper but is limited in tooling.\nWe recommend Kubernetes for all but the most simple applications. See why: https://whyk8s.getzero.dev"
default: "kubernetes"
options:
"kubernetes": "Kubernetes using AWS EKS"
"serverless": "(BETA) Serverless using AWS SAM/Lambda"
- field: useExistingAwsProfile
label: "Use credentials from an existing AWS profile?"
info: "You can choose either a currently existing profile if you've already configured your AWS CLI, or manually enter a pair of AWS access keys."
options:
"yes": "Yes"
"no": "No"
omitFromProjectFile: yes
- field: profilePicker
omitFromProjectFile: yes
type: AWSProfilePicker
conditions:
- action: KeyMatchCondition
whenValue: "yes"
matchField: useExistingAwsProfile
- field: accessKeyId
label: AWS AccessKeyId
info: "AWS access is controlled by a pair of keys tied to a user account.\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html "
envVarName: "AWS_ACCESS_KEY_ID"
conditions:
- action: KeyMatchCondition
whenValue: "no"
matchField: useExistingAwsProfile
- field: secretAccessKey
envVarName: "AWS_SECRET_ACCESS_KEY"
label: AWS SecretAccessKey
info: "AWS access is controlled by a pair of keys tied to a user account.\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html "
conditions:
- action: KeyMatchCondition
whenValue: "no"
matchField: useExistingAwsProfile
- field: githubAccessToken
label: "Github API Key to setup your repository and optionally CI/CD"
info: "This API key will let us set up new repositories to check in your code.\nhttps://docs.github.com/en/github/authenticating-to-github/keeping-your-account-and-data-secure/creating-a-personal-access-token"
envVarName: GITHUB_ACCESS_TOKEN
- field: region
label: Select AWS Region
info: "This is the region your resources will be created in.\nMost regions have all the same features and functionality, but depending on your product you may need to choose a different region for data sovereignty reasons."
options:
"us-east-1": "us-east-1 - US East (N. Virginia)"
"us-east-2": "us-east-2 - US East (Ohio)"
"us-west-2": "us-west-2 - US West (Oregon)"
"ca-central-1": "ca-central-1 - Canada (Central)"
"eu-west-1": "eu-west-1 - Europe (Ireland)"
"ap-southeast-1": "ap-southeast-1 - Asia Pacific (Singapore)"
- field: productionHostRoot
label: Production Root Host Name (e.g. mydomain.com)
info: "This must be the root of the chosen domain, not a subdomain. You will also be prompted for the subdomains to use for your application."
fieldValidation:
type: regex
value: '^([a-z0-9]+(-[a-z0-9]+)*\.{1})+[a-z]{2,}$'
errorMessage: Invalid root domain name
- field: productionFrontendSubdomain
label: Production Frontend Host Name (e.g. app.)
info: "The subdomain that will point to the static assets of your frontend hosted in Cloudfront."
default: app.
fieldValidation:
type: regex
value: '^([a-z0-9]+(-[a-z0-9]+)*\.)$'
errorMessage: Invalid subdomain (cannot contain special chars & must end with a '.')
- field: productionBackendSubdomain
label: Production Backend Host Name (e.g. api.)
info: "The subdomain that will point to the API of your backend running in Kubernetes."
default: api.
fieldValidation:
type: regex
value: '^([a-z0-9]+(-[a-z0-9]+)*\.)$'
errorMessage: Invalid subdomain (cannot contain special chars & must end with a '.')
- field: stagingHostRoot
label: Staging Root Host Name (e.g. mydomain-staging.com)
info: "This must be the root of the chosen domain, not a subdomain. You will also be prompted for the subdomains to use for your application.\nIt's recommended that you use different hostnames for staging and production instead of trying to have staging as a subdomain of your production domain."
fieldValidation:
type: regex
value: '^([a-z0-9]+(-[a-z0-9]+)*\.{1})+[a-z]{2,}$'
errorMessage: Invalid root domain name
- field: stagingFrontendSubdomain
label: Staging Frontend Host Name (e.g. app.)
info: "The subdomain that will point to the static assets of your frontend hosted in Cloudfront."
default: app.
fieldValidation:
type: regex
value: '^([a-z0-9]+(-[a-z0-9]+)*\.)$'
errorMessage: Invalid subdomain (cannot contain special chars & must end with a '.')
- field: stagingBackendSubdomain
label: Staging Backend Host Name (e.g. api.)
info: "The subdomain that will point to the API of your backend running in Kubernetes."
default: api.
fieldValidation:
type: regex
value: '^([a-z0-9]+(-[a-z0-9]+)*\.)$'
errorMessage: Invalid subdomain (cannot contain special chars & must end with a '.')
- field: CIVendor
label: Which CI vendor would you like to use?
info: "Build pipelines will be set up which will deploy your code to your infrastructure whenever PRs are merged to the main branch."
default: "circleci"
options:
"circleci": "CircleCI"
"github-actions": "Github Actions"
- field: circleciApiKey
label: "CircleCI API Key"
info: "This will let us configure your CircleCI account to automatically enable CI for these newly created projects.\nhttps://circleci.com/docs/2.0/managing-api-tokens/"
envVarName: CIRCLECI_API_KEY
conditions:
- action: KeyMatchCondition
matchField: CIVendor
whenValue: "circleci"
- field: database
label: Database engine to use
info: "This will set up a database for you using RDS.\nIt will be accessible only by your application, credentials will be created automatically."
options:
"postgres": "PostgreSQL"
"mysql": "MySQL"
- field: cacheStore
label: "Cache store to use"
info: "If necessary for your application, this will set up a cache using AWS ElastiCache."
options:
"none": "none"
"redis": "Redis"
"memcached": "Memcached"
- field: loggingType
label: Which application logging to configure.
info: "Cloudwatch is usually cheaper and simpler but with a limited feature set.\nElasticsearch + Kibana will set up more infrastructure but enable a much richer logging search and visualization experience. Only available with EKS."
options:
"cloudwatch": "AWS CloudWatch"
"kibana": "Kibana"
conditions:
- action: KeyMatchCondition
matchField: backendApplicationHosting
whenValue: "kubernetes"
elseValue: "cloudwatch"
- field: metricsType
label: Additional application metrics method to configure.
info: "Metrics are available through CloudWatch, but choosing prometheus will install Prometheus and Grafana, for a richer metrics experience.\nNo additional infrastructure is required, but a number of prometheus pods will need to exist in the cluster, utilizing some resources. Only Available with EKS."
options:
"none": "none"
"prometheus": "Prometheus"
conditions:
- action: KeyMatchCondition
matchField: backendApplicationHosting
whenValue: "kubernetes"
elseValue: "none"
- field: notificationServiceEnabled
label: "Install the Zero Notification Service in your cluster?"
info: "Provides easy notification capability through email, slack, SMS, etc.\nhttps://github.com/commitdev/zero-notification-service"
default: yes
options:
"yes": "Yes"
"no": "No"
conditions:
- action: KeyMatchCondition
matchField: backendApplicationHosting
whenValue: "kubernetes"
elseValue: "no"
- field: sendgridApiKey
label: "API key to setup email integration (optional: leave blank to opt-out of Sendgrid setup)"
info: "Signup at https://signup.sendgrid.com or create an API key at https://app.sendgrid.com/settings/api_keys\nSendgrid is an email delivery service enabling transactional email sending and more."
- field: notificationServiceSlackApiKey
label: "API key of your Slack bot if you want to use Slack with the Zero Notification Service."
info: "Leave blank if you don't intend to use the Slack functionality.\nSee https://slack.com/intl/en-ca/help/articles/215770388-Create-and-regenerate-API-tokens"
conditions:
- action: KeyMatchCondition
whenValue: "yes"
matchField: notificationServiceEnabled
- field: notificationServiceTwilioAccountId
label: "Twilio Account ID if you want to send SMS with the Zero Notification Service."
info: "Leave blank if you don't intend to use the Twilio SMS functionality.\nSee https://www.twilio.com/"
conditions:
- action: KeyMatchCondition
whenValue: "yes"
matchField: notificationServiceEnabled
- field: notificationServiceTwilioAuthToken
label: "Twilio Auth Token if you want to send SMS with the Zero Notification Service."
info: "Leave blank if you don't intend to use the Twilio SMS functionality.\nSee https://www.twilio.com/"
conditions:
- action: KeyMatchCondition
whenValue: "yes"
matchField: notificationServiceEnabled
- field: notificationServiceTwilioPhoneNumber
label: "Twilio Phone Number if you want to send SMS with the Zero Notification Service."
info: "This is the Send From number of the SMS messages sent, Leave blank if you don't intend to use the Twilio SMS functionality."
conditions:
- action: KeyMatchCondition
whenValue: "yes"
matchField: notificationServiceEnabled
- field: accountId
label: AWS Account ID
execute: aws sts get-caller-identity --query "Account" | tr -d '"'
- field: randomSeed
label: Random seed that will be shared between projects to come up with deterministic resource names
execute: uuidgen | head -c 8
- field: fileUploads
label: Enable file uploads using S3 and Cloudfront signed URLs?
info: "This will allow secure file uploads and downloads through your application.\nIt will require manual creation of a Cloudfront keypair in AWS. See https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-trusted-signers.html"
default: yes
options:
"yes": "Yes"
"no": "No"
- field: userAuth
label: Enable user management and auth access proxy?
info: "This will enable infrastructure and application code that uses Kratos for user management and the Oathkeeper access proxy.\nhttps://ory.sh"
default: yes
options:
"yes": "Yes"
"no": "No"
conditions:
- action: KeyMatchCondition
matchField: backendApplicationHosting
whenValue: "kubernetes"
elseValue: "yes"
- field: enableAuth0
label: Using Auth0 as the managed identity solution
info: "Auth0 is free to start but cost scales linearly with user number, currently Auth0 is the default authentication mechanism for our Serverless solution"
value: yes
conditions:
- action: KeyMatchCondition
matchField: backendApplicationHosting
whenValue: "serverless"
- field: productionAuth0TenantDoamin
label: "Production Auth0 Tenant Domain"
info: "Production Auth0 Tenant Domain, the credentials must have machine-to-machine access and permissions to create and manage clients. See guide at https://getzero.dev/docs/modules/aws-eks-stack/guides/serverless-auth0-setup"
conditions:
- action: KeyMatchCondition
matchField: backendApplicationHosting
whenValue: serverless
- field: productionAuth0TenantClientId
label: "Production Auth0 Tenant Client ID"
info: "Production Auth0 Tenant Client ID, the credentials must have machine-to-machine access and permissions to create and manage clients. See guide at https://getzero.dev/docs/modules/aws-eks-stack/guides/serverless-auth0-setup"
conditions:
- action: KeyMatchCondition
matchField: backendApplicationHosting
whenValue: serverless
- field: productionAuth0TenantClientSecret
label: "Production Auth0 Tenant Client Secret"
info: "Production Auth0 Tenant Client Secret, the credentials must have machine-to-machine access and permissions to create and manage clients. See guide at https://getzero.dev/docs/modules/aws-eks-stack/guides/serverless-auth0-setup"
conditions:
- action: KeyMatchCondition
matchField: backendApplicationHosting
whenValue: serverless
- field: stagingAuth0TenantDoamin
label: "Staging Auth0 Tenant Domain"
info: "Staging Auth0 Tenant Domain, the credentials must have machine-to-machine access and permissions to create and manage clients. See guide at https://getzero.dev/docs/modules/aws-eks-stack/guides/serverless-auth0-setup"
conditions:
- action: KeyMatchCondition
matchField: backendApplicationHosting
whenValue: serverless
- field: stagingAuth0TenantClientId
label: "staging Auth0 Tenant Client ID"
info: "staging Auth0 Tenant Client ID, the credentials must have machine-to-machine access and permissions to create and manage clients. See guide at https://getzero.dev/docs/modules/aws-eks-stack/guides/serverless-auth0-setup"
conditions:
- action: KeyMatchCondition
matchField: backendApplicationHosting
whenValue: serverless
- field: stagingAuth0TenantClientSecret
label: "staging Auth0 Tenant Client Secret"
info: "staging Auth0 Tenant Client Secret, the credentials must have machine-to-machine access and permissions to create and manage clients. See guide at https://getzero.dev/docs/modules/aws-eks-stack/guides/serverless-auth0-setup"
conditions:
- action: KeyMatchCondition
matchField: backendApplicationHosting
whenValue: serverless
- field: sharedResourcePrefix
label: "Mostly for development - Allow shared resources to have a unique prefix. This is only necessary if many zero projects will be run in the same AWS account."
value: "none"
- field: cloudtrailEnable
label: Enable cloudtrail?
info: "CloudTrail monitors and records account activity across your AWS infrastructure, giving you control over storage, analysis, and remediation actions. It can add $5-10 per month and may not provide much value to a smaller company"
default: no
options:
"yes": "Yes"
"no": "No"