This repository is dedicated to managing the infrastructure for my personal website. As part of a dual repository setup, the application code resides in a separate repository, ensuring a clear separation of concerns between the infrastructure and the application.
This repository utilises Terraform for automated infrastructure provisioning and deployments through GitHub Actions, and follows a GitOps deployment workflow with ArgoCD within the cluster for continuous delivery.
Helm charts provide per-environment Kubernetes configuration and deployments.
With this project being completely open source on GitHub, its security is of utmost importance. Secret variables, sealed secrets, firewalls, image vulnerability scanning and similar controls will be employed.
Cost is a key consideration, and therefore I have chosen to use DigitalOcean as my cloud environment. A similar setup on AWS would be around 5x the cost of DO.
- Support for production and staging environments, with infrastructure state reflected from their respective branches
- Terraform deploys resources via Github Actions
- Argo CD with git-ops for personal website app
- Argo CD Image Updater
- Kustomize templating for personal website app
- Semantic versioning for app images
- Database-first app deployments
- Code exception monitoring
- Prometheus monitoring + Grafana
- Hashicorp vault for secrets
- Cert Manager and External DNS
- Kubernetes RBAC
- Bastion/VPN for secure access into cloud environment
WIP
In the DigitalOcean web interface:
- Create a new project and obtain your DigitalOcean token.
- Update the `do_token` Terraform value in the `terraform.tfvars` file with your token.
- Create a new Space with a unique name.
- Replace the `bucket` Terraform value in `backend-config.tfvars` with your unique Space name.
- Generate access credentials for the Space under API -> Space keys -> Generate new key.
- Update the `access_key` and `secret_key` values in `backend-config.tfvars` with your access keypair. Both `terraform.tfvars` and `backend-config.tfvars` now hold credentials, and this repository is public, so make sure both files are gitignored before you commit anything.
- Initialise Terraform using the `backend-config.tfvars` file:

  ```
  terraform init -backend-config=backend-config.tfvars
  ```

- Create a new Terraform workspace:

  ```
  terraform workspace new staging
  ```

- Check your Space storage to confirm that the remote state file has been added (for a non-default workspace the S3-compatible backend stores it under `env:/<workspace>/`).
Set these private environment variables (GitHub Actions secrets):

- `spaces_access_token`
- `spaces_secret_key`
- `tf_state_bucket`

Then run:

```
terraform init \
  -backend-config="access_key=$spaces_access_token" \
  -backend-config="secret_key=$spaces_secret_key" \
  -backend-config="bucket=$tf_state_bucket"
```
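The local and CI initialisation steps above can be folded into one pre-flight wrapper. The script below is an added example, not a script from this repository: it reads the three secret names used above from the environment, refuses to run if the credential files are tracked by git (the repository is public), builds the `-backend-config` flags so the credentials never touch disk in CI, and selects or creates the workspace. The function names (`require_vars`, `secret_files_untracked`, `backend_args`, `tf_init`) and the `SECRET_FILES` list are assumptions of this example.

```shell
#!/bin/sh
# Added example: a pre-flight wrapper around `terraform init` for the Spaces
# backend. Not a script from the repository. Assumes the three GitHub Actions
# secrets named above (spaces_access_token, spaces_secret_key, tf_state_bucket)
# are exported as environment variables.

# Files that hold credentials when working locally (assumed names, taken from
# the setup steps). The repository is public, so they must never be committed;
# the wrapper refuses to run if git tracks either of them.
SECRET_FILES="terraform.tfvars backend-config.tfvars"

# Succeed only if every named variable is set and non-empty; list the missing
# names on stderr otherwise. Names come from this script, so eval is safe here.
require_vars() {
  missing=""
  for name in "$@"; do
    eval "value=\${$name:-}"
    [ -n "$value" ] || missing="$missing $name"
  done
  if [ -n "$missing" ]; then
    echo "missing required variables:$missing" >&2
    return 1
  fi
  return 0
}

# Fail if any credential file is tracked by git. `git ls-files --error-unmatch`
# exits non-zero for untracked files and outside a repository, so both of those
# cases pass.
secret_files_untracked() {
  for f in $SECRET_FILES; do
    if git ls-files --error-unmatch "$f" >/dev/null 2>&1; then
      echo "refusing to continue: $f is committed to git" >&2
      return 1
    fi
  done
  return 0
}

# Print the -backend-config flags, one per line, built from the environment
# so the Spaces keys are passed to Terraform without writing a tfvars file.
backend_args() {
  require_vars spaces_access_token spaces_secret_key tf_state_bucket || return 1
  printf '%s\n' \
    "-backend-config=access_key=$spaces_access_token" \
    "-backend-config=secret_key=$spaces_secret_key" \
    "-backend-config=bucket=$tf_state_bucket"
}

# Initialise the backend and select (or create) the workspace, e.g. `tf_init staging`.
# With the S3-compatible backend, a non-default workspace's state lives under
# env:/<workspace>/<key> in the Space.
tf_init() {
  if [ -z "${1:-}" ]; then
    echo "usage: tf_init <workspace>" >&2
    return 1
  fi
  workspace=$1
  secret_files_untracked || return 1
  args=$(backend_args) || return 1
  # Split the flags on newlines only, so a key containing a space cannot be
  # broken into several arguments.
  old_ifs=$IFS
  IFS='
'
  # shellcheck disable=SC2086
  set -- $args
  IFS=$old_ifs
  terraform init -input=false "$@" || return 1
  terraform workspace select "$workspace" 2>/dev/null \
    || terraform workspace new "$workspace"
}
```

Source the file from the Terraform directory and run `tf_init staging`. In GitHub Actions, pass the three repository secrets into the step's environment with `env:` and `${{ secrets.<NAME> }}` under the same lowercase names, then call the same function; locally, export them in your shell instead of keeping them in `backend-config.tfvars`.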
GitHub Actions runs a Terraform plan whenever Terraform files or configuration files change, and posts the plan as a comment on the Pull Request. Review it there; if the plan has no errors, merging the Pull Request applies it.
Note: Terraform infrastructure changes should always be made from a single place (GitHub Actions) for safety and consistency of state. Terraform's S3 backend relies on a DynamoDB table for state locking, which Spaces does not provide, so two runs against the same state at once can corrupt it. If manual intervention is required, configuring your local environment with the same environment variables lets you manage infrastructure changes from your machine, but do not run them while a workflow is in progress.