### VPN Setup
Source: https://github.com/binbashar/le-ref-architecture-doc/blob/master/docs/work-with-us/roadmap/ref-arch/operational-excellence.md
Setup and configuration of a VPN, including installing Pritunl and creating organizations, servers, and users.
```markdown
| Base Infrastructure | leverage base-infrastructure vpn | Networking 2: VPN (install Pritunl, create organization, servers and users) |
```
--------------------------------
### Leverage CLI Usage
Source: https://github.com/binbashar/le-ref-architecture-doc/blob/master/docs/user-guide/leverage-cli/installation.md
Displays the help information for the Leverage CLI, showing available commands and options. This is used to verify the installation and understand the CLI's capabilities.
```APIDOC
leverage --help
Usage: leverage [OPTIONS] COMMAND [ARGS]...
Leverage Reference Architecture projects command-line tool.
Options:
-v, --verbose Increase output verbosity.
--version Show the version and exit.
--help Show this message and exit.
Commands:
aws Run AWS CLI commands in a custom containerized environment.
credentials Manage AWS cli credentials.
kc Run Kubectl commands in a custom containerized environment.
kubectl Run Kubectl commands in a custom containerized environment.
project Manage a Leverage project.
run Perform specified task(s) and all of its dependencies.
shell Run a shell in a generic container.
tofu Run OpenTofu commands in a custom containerized...
tf Run OpenTofu commands in a custom containerized...
terraform Run Terraform commands in a custom containerized...
tfautomv Run TFAutomv commands in a custom containerized...
```
--------------------------------
### AWS Organization Setup Post-Steps
Source: https://github.com/binbashar/le-ref-architecture-doc/blob/master/docs/user-guide/ref-architecture-aws/features/organization/configuration.md
Details the steps required after initial AWS Organization setup, including orchestrating IAM layers, setting up permanent credentials for admin users, and inviting legacy accounts.
```markdown
1. Following the [doc](../identities/identities.md), orchestrate via the `Leverage CLI` workflow the Mgmt
   Account IAM layer (`base-identities`) with the admin IAM Users (consider that this/these users will have admin privileges over the
   [entire AWS Org assuming the `OrganizationAccountAccessRole`](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html))
   -> [le-tf-infra-aws/root/global/base-identities](https://github.com/binbashar/le-tf-infra-aws/tree/master/root/global/base-identities)
    - :ledger: The IAM role `OrganizationAccountAccessRole` does not exist in the initial Management (root)
      account; it will be created by the code in this layer.
2. Mgmt account admin user permanent credentials set up =>
   [set up the AWS credentials in your workstation](../identities/identities.md)
   for the `OrganizationAccountAccessRole` IAM role (`project_short-root-oaar`, eg: `bb-root-oaar`).
   Then validate within each initial mgmt account layer that the profile `bb-root-oaar` is correctly configured
   in the config files listed below, as well as any other necessary setup.
    - [`/config/common.config`](https://github.com/binbashar/le-tf-infra-aws/blob/master/config/common.config.example)
    - [`/root/config/account.config`](https://github.com/binbashar/le-tf-infra-aws/blob/master/root/config/account.config)
    - [`/root/config/backend.config`](https://github.com/binbashar/le-tf-infra-aws/blob/master/root/config/backend.config)
3. Set up (code and config files) and orchestrate the
   [`/security/global/base-identities`](https://github.com/binbashar/le-tf-infra-aws/tree/master/security/global/base-identities)
   layer via `Leverage CLI` on your security account
   for consolidated and centralized User Mgmt and access to the AWS Org.
4. [AWS Organizations: invite pre-existing (legacy) accounts](./legacy-accounts.md)
    - :ledger: Pending to document the debug mode for the mfa script
```
--------------------------------
### Project Configuration Example
Source: https://github.com/binbashar/le-ref-architecture-doc/blob/master/docs/try-leverage/leverage-project-setup.md
An example of the project configuration file showing the structure for organization accounts, including management account ID and email.
```yaml
...
organization:
  accounts:
    - name: management
      email: myexample-aws@example.com
      id: '000123456789'
...
```
--------------------------------
### Install Leverage CLI
Source: https://github.com/binbashar/le-ref-architecture-doc/blob/master/docs/user-guide/leverage-cli/installation.md
Installs the Leverage CLI using pip. This command downloads and installs the latest stable version of the Leverage CLI.
```bash
$ pip3 install leverage
```
--------------------------------
### Leverage CLI 'run' Command Task Listing Example
Source: https://github.com/binbashar/le-ref-architecture-doc/blob/master/docs/user-guide/leverage-cli/reference/run.md
Provides an example output of the task listing functionality, showing task names and their descriptions.
```bash
Tasks in build file `build.py`:
clean Clean build directory.
copy_file
echo
html Generate HTML.
images [Ignored] Prepare images.
start_server [Default] Start the server
stop_server
Powered by Leverage 1.13.0
```
--------------------------------
### AWS Organization Initialization Steps
Source: https://github.com/binbashar/le-ref-architecture-doc/blob/master/docs/user-guide/ref-architecture-aws/features/organization/configuration.md
A step-by-step guide for initializing an AWS Organization. It covers creating the management account, setting up an IAM admin user with programmatic and console access, generating access keys, configuring local credentials, setting up project configurations, and initializing OpenTofu remote state.
```markdown
### Reference AWS Organization init workflow
!!! example "Steps for initial AWS Organization setup"
    1. Create a brand [new AWS Account](https://aws.amazon.com/premiumsupport/knowledge-center/create-and-activate-aws-account/),
       intended to be our AWS Organization Management (root) Account
        - [x] **Name:** `project_name-management`, eg: `leverage-management`
        - [x] **MFA:** [Enable MFA for your root user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa)
        - [x] **Billing:** review the billing setup as a pre-requisite to deploy the AWS Org.
          At your [Management account billing setup](https://console.aws.amazon.com/billing/home?#/account)
          check:
            - Activate IAM User and Role Access to Billing Information
            - If needed, update Alternate Contacts
    2. Via [AWS Web Console](https://us-east-1.console.aws.amazon.com/iam/home#/users): in the previously created `project_name-management` account (eg, name: `leverage-management`,
       email: `aws@binbash.com.ar`) [create the `mgmt-org-admin` IAM user with Admin privileges](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html#id_users_create_console)
       (attach the `AdministratorAccess` IAM managed policy and enable Web Console and programmatic access), which will be used for the initial AWS Org bootstrapping.
        - :ledger: **NOTE:** After its 1st execution only nominated Org admin users will persist in the `project-management` account.
    3. Via AWS Web Console: in the `project-management` account create the `mgmt-org-admin` IAM user AWS ACCESS KEYS
        - :ledger: **NOTE:** This could all be created in one go in the previous step (Nº 2).

       Figure: AWS Web Console screenshot.
       (Source: binbash, "AWS Organization management account init IAM admin user", accessed June 16th 2021).
    4. Set your IAM credentials in the machine you're going to exec the `Leverage CLI` from (remember these are the
       `mgmt-org-admin` temporary user credentials shown in the screenshot immediately above).
    5. Set up your Leverage reference architecture configs in order to work with your new account and
       `mgmt-org-admin` IAM user
        - [common config](https://github.com/binbashar/le-tf-infra-aws/blob/master/config/common.config.example)
        - [account configs](https://github.com/binbashar/le-tf-infra-aws/tree/master/root/config)
    6. Set up and create the **opentofu remote state** for the new AWS Org Management account
        - [x] [opentofu remote state config](https://leverage.binbash.com.ar/user-guide/base-configuration/repo-le-tf-infra-aws/#remote-state)
        - [x] [opentofu remote state workflow](../../../base-workflow/repo-le-tf-infra-aws-tf-state/)
        - [x] [opentofu remote state ref code](https://github.com/binbashar/le-tf-infra-aws/tree/master/root/us-east-1/base-tf-backend)
        - :ledger: You'll 1st get a local state and then you'll need to move your tf state to s3; validate it and finally delete the local state files
    7. The AWS Organization from the Reference Architecture
       [/le-tf-infra-aws/root/global/organizations](https://github.com/binbashar/le-tf-infra-aws/tree/master/root/global/organizations)
       will be orchestrated using the `Leverage CLI` following the
       [standard workflow](../../base-workflow/repo-le-tf-infra/#steps).
        - :ledger: the Management account has to be imported into the code.
    8. Verify your Management account email address in order to invite existing (legacy) AWS accounts to
       join your organization.
```
--------------------------------
### Initialize and Serve MkDocs Locally
Source: https://github.com/binbashar/le-ref-architecture-doc/blob/master/README.md
Commands to initialize MkDocs Makefiles and start a live-reloading local development server for the documentation. Requires Docker daemon.
```bash
make init-makefiles
make docs-live
```
--------------------------------
### Project Definition File Snippet
Source: https://github.com/binbashar/le-ref-architecture-doc/blob/master/docs/try-leverage/leverage-project-setup.md
Example of the project.yaml file showing basic project configuration including project name, short name, and region settings.
```yaml
project_name: example
short_name: ex
primary_region: us-east-1
secondary_region: us-west-2
...
```
--------------------------------
### Verify Leverage CLI Installation
Source: https://github.com/binbashar/le-ref-architecture-doc/blob/master/docs/try-leverage/local-setup.md
Verifies the successful installation of the Leverage CLI by checking its version.
```bash
$ leverage --version
leverage, version 1.9.2
```
--------------------------------
### Pritunl VPN Server Deployment Guide
Source: https://github.com/binbashar/le-ref-architecture-doc/blob/master/docs/user-guide/ref-architecture-aws/features/security/vpn.md
Provides a link to a guide for deploying a Pritunl VPN Server. This is an informational snippet directing users to external resources for hands-on implementation.
```markdown
!!! info "Tip"
To deploy your Pritunl VPN Server you can follow [this guide](../../../cookbooks/VPN-server/index.md)
```
--------------------------------
### Install Leverage CLI
Source: https://github.com/binbashar/le-ref-architecture-doc/blob/master/docs/try-leverage/local-setup.md
Installs the Leverage CLI using pip. Ensure Python 3.8+ and pip are installed.
```bash
pip install leverage
```
--------------------------------
### Install Extras with Leverage
Source: https://github.com/binbashar/le-ref-architecture-doc/blob/master/docs/user-guide/cookbooks/k8s.md
Installs additional components like Traefik using the leverage CLI. Requires configuration in config.tf and running leverage commands.
```shell
cp ${KUBECONFIG} ../3-extras/
cd ../3-extras/
# Configure config.tf with desired extras, e.g., traefik = true
leverage tf init
leverage tf apply
```
--------------------------------
### VPN Server Setup
Source: https://github.com/binbashar/le-ref-architecture-doc/blob/master/docs/user-guide/cookbooks/index.md
This cookbook index entry links to the VPN server setup guide, which covers configuring a virtual private network for secure remote access to resources.
```markdown
[VPN Server](./VPN-server)
```
--------------------------------
### User and Group Definitions
Source: https://github.com/binbashar/le-ref-architecture-doc/blob/master/docs/try-leverage/leverage-project-setup.md
Example of the project.yaml file demonstrating how to define users with their first name, last name, email, and assigned groups for SSO access.
```yaml
...
users:
  - first_name: Jane
    last_name: Doe
    email: jane.doe@example.com
    groups:
      - administrators
      - devops
  - first_name: Foo
    last_name: Bar
    email: foo.bar@example.com
    groups:
      - devops
...
```
--------------------------------
### IAM Setup
Source: https://github.com/binbashar/le-ref-architecture-doc/blob/master/docs/work-with-us/roadmap/ref-arch/operational-excellence.md
Initial setup for Identity and Access Management (IAM), including accounts, users, groups, policies, and roles for shared and application-specific DevOps teams.
```markdown
| Base Infrastructure | leverage base-infrastructure iam | IAM: initial accounts (security users, groups, policies, roles; shared/appdevtsg/appprd DevOps role) |
| Base Infrastructure | leverage base-infrastructure iam | Implement AWS service accounts (IRSA for EKS) to provide IAM credentials to containers running inside a kubernetes cluster based on annotations. |
```
--------------------------------
### Organization Accounts Configuration
Source: https://github.com/binbashar/le-ref-architecture-doc/blob/master/docs/try-leverage/leverage-project-setup.md
Example of the project.yaml file illustrating the configuration of organization accounts, including management, security, and shared accounts with their respective email addresses.
```yaml
...
organization:
  accounts:
    - name: management
      email: aws@example.com
    - name: security
      email: aws+security@example.com
    - name: shared
      email: aws+shared@example.com
...
```
--------------------------------
### Project File Structure Example
Source: https://github.com/binbashar/le-ref-architecture-doc/blob/master/docs/user-guide/ref-architecture-aws/dir-structure.md
Illustrates a typical directory structure for the Leverage project, showing organization by tools and environments.
```plaintext
│   ├── 📂 tools-prometheus
│   ├── 📂 tools-vault
│   ├── 📂 tools-vpn-server
│   └── 📂 tools-webhooks
└── 📂 us-east-2
    ├── 📂 base-network
    ├── 📂 container-registry
    ├── 📂 security-compliance
    ├── 📂 security-keys
    ├── 📂 tools-eskibana
    └── 📂 tools-prometheus
```
--------------------------------
### KOPS Layer Setup Procedure
Source: https://github.com/binbashar/le-ref-architecture-doc/blob/master/docs/user-guide/cookbooks/k8s.md
Steps to integrate the KOPS Kubernetes layer into a binbash Leverage project, including directory structure and script dependencies.
```APIDOC
KOPS Layer Integration:
1. Obtain KOPS Layer: Download the KOPS layer from the specified GitHub repository.
2. Project Placement: Paste the layer into your binbash Leverage project under the chosen account/region directory (e.g., `apps-devstg/us-east-1/`). The final path should be `apps-devstg/us-east-1/k8s-kops/`.
3. Directory Naming: Crucially, do not rename the subdirectories `1-prerequisites`, `2-kops`, and `3-extras` as the deployment scripts rely on these exact names.
4. Deployment Steps:
- Apply prerequisites.
- Apply the cluster configuration.
- Apply additional configurations (extras).
```
--------------------------------
### Enable Fish Tab Completion for Leverage CLI
Source: https://github.com/binbashar/le-ref-architecture-doc/blob/master/docs/try-leverage/local-setup.md
Enables shell completion for Leverage CLI commands in Fish by adding a command to ~/.config/fish/completions/leverage.fish.
```fish
eval (env _LEVERAGE_COMPLETE=fish_source leverage)
```
--------------------------------
### Install Python Pip
Source: https://github.com/binbashar/le-ref-architecture-doc/blob/master/docs/user-guide/leverage-cli/installation.md
Installs the Python Package Installer (pip) on various Linux distributions and macOS. Pip is required to install the Leverage CLI.
```bash
$ sudo apt install python3-pip
```
```bash
$ sudo yum install python3-pip
```
```bash
$ sudo dnf install python3-pip
```
```bash
$ brew install python3
```
--------------------------------
### Create and Navigate Project Directory
Source: https://github.com/binbashar/le-ref-architecture-doc/blob/master/docs/try-leverage/leverage-project-setup.md
This snippet demonstrates how to create a new directory for your Leverage project and then navigate into it. This is the first step in setting up a new project.
```bash
mkdir myexample
cd myexample
```
--------------------------------
### Initialize Leverage Project
Source: https://github.com/binbashar/le-ref-architecture-doc/blob/master/docs/try-leverage/leverage-project-setup.md
This command initializes a new Leverage project. It creates the `project.yaml` file, initializes a git repository, and sets up the initial project structure. The output shows the progress and confirmation of these steps.
```bash
$ leverage project init
[18:53:24.407] INFO Project template found. Updating.
[18:53:25.105] INFO Finished updating template.
[18:53:25.107] INFO Initializing git repository in project directory.
[18:53:25.139] INFO No project configuration file found. Dropping configuration template project.yaml.
[18:53:25.143] INFO Project initialization finished.
```
--------------------------------
### Monitoring and Alerting Setup
Source: https://github.com/binbashar/le-ref-architecture-doc/blob/master/docs/work-with-us/roadmap/ref-arch/reliability-performance.md
This section details the setup and configuration of Prometheus for metrics collection, including NodeExporter, BlackBox exporter, and Alertmanager. It also covers Grafana installation and configuration with Kubernetes and Prometheus integrations, as well as AWS CloudWatch integration for metrics visualization.
```APIDOC
Prometheus & Grafana Setup:
Install and configure Prometheus:
- NodeExporter for EC2 instances
- BlackBox exporter for external service monitoring
- Alertmanager for alert routing and notification
Install and configure Grafana:
- Kubernetes plugin for cluster visibility
- Prometheus data source integration
- AWS CloudWatch data source integration (using grafana-aws-cloudwatch-dashboards)
Configure Grafana dashboards for CloudWatch metrics.
```
--------------------------------
### Enable Leverage Shell Autocompletion
Source: https://github.com/binbashar/le-ref-architecture-doc/blob/master/docs/user-guide/leverage-cli/installation.md
Configures shell autocompletion for the Leverage CLI in Bash, Zsh, and Fish shells. This enhances user experience by providing command suggestions.
```bash
eval "$(_LEVERAGE_COMPLETE=bash_source leverage)"
```
```zsh
eval "$(_LEVERAGE_COMPLETE=zsh_source leverage)"
```
```fish
eval (env _LEVERAGE_COMPLETE=fish_source leverage)
```
```bash
_LEVERAGE_COMPLETE=bash_source leverage > ~/.leverage-complete.bash
. ~/.leverage-complete.bash
```
```zsh
_LEVERAGE_COMPLETE=zsh_source leverage > ~/.leverage-complete.zsh
. ~/.leverage-complete.zsh
```
```fish
_LEVERAGE_COMPLETE=fish_source leverage > ~/.config/fish/completions/leverage.fish
```
--------------------------------
### Update Leverage CLI
Source: https://github.com/binbashar/le-ref-architecture-doc/blob/master/docs/user-guide/leverage-cli/installation.md
Updates the Leverage CLI to a specific version or the latest stable version. It's recommended to keep the CLI updated for the latest features and bug fixes.
```bash
$ pip3 install -Iv leverage==1.9.1
```
```bash
$ pip3 install --upgrade leverage
```
--------------------------------
### Project File Structure Example
Source: https://github.com/binbashar/le-ref-architecture-doc/blob/master/docs/user-guide/ref-architecture-aws/dir-structure.md
Illustrates the hierarchical organization of project files and directories, including configuration files, environment-specific setups, and service modules across various AWS regions.
```plaintext
├── 📂 apps-devstg
│ ├── 📂 config
| │ ├── 📄 account.tfvars
| │ └── 📄 backend.tfvars
│ ├── 📂 global
│ │ └── 📂 base-identities
│ ├── 📂 us-east-1
│ │ ├── 📂 backups
│ │ ├── 📂 base-certificates
│ │ ├── 📂 base-network
│ │ ├── 📂 base-tf-backend
│ │ ├── 📂 cdn-s3-frontend
│ │ ├── 📂 databases-aurora
│ │ ├── 📂 databases-mysql
│ │ ├── 📂 databases-pgsql
│ │ ├── 📂 k8s-eks-demoapps
│ │ ├── 📂 notifications
│ │ ├── 📂 security-audit
│ │ ├── 📂 security-base
│ │ ├── 📂 security-certs
│ │ ├── 📂 security-firewall
│ │ ├── 📂 storage
│ │ └── 📂 tools-cloud-nuke
│ └── 📂 us-east-2
| ├── 📂 k8s-eks
| ├── 📂 security-compliance
| └── 📂 security-keys
├── 📂 apps-prd
│ ├── 📂 config
| │ ├── 📄 account.tfvars
| │ └── 📄 backend.tfvars
│ ├── 📂 global
│ │ └── 📂 base-identities
│ └── 📂 us-east-1
| ├── 📂 backups
| ├── 📂 base-network
| ├── 📂 base-tf-backend
| ├── 📂 cdn-s3-frontend
| ├── 📂 k8s-eks
| ├── 📂 notifications
| ├── 📂 security-audit
| ├── 📂 security-base
| ├── 📂 security-certs
| ├── 📂 security-compliance
| └── 📂 security-keys
├── 📄 build.env
├── 📄 build.py
├── 📂 config
│ └── 📄 common.tfvars
├── 📂 management
│ ├── 📂 config
| │ ├── 📄 account.tfvars
| │ └── 📄 backend.tfvars
│ ├── 📂 global
│ │ ├── 📂 base-identities
│ │ ├── 📂 cost-mgmt
│ │ ├── 📂 organizations
│ │ └── 📂 sso
│ ├── 📂 us-east-1
│ │ ├── 📂 backups
│ │ ├── 📂 base-tf-backend
│ │ ├── 📂 notifications
│ │ ├── 📂 security-audit
│ │ ├── 📂 security-base
│ │ ├── 📂 security-compliance
│ │ ├── 📂 security-keys
│ └── 📂 us-east-2
| └── 📂 security-monitoring
├── 📂 network
│ ├── 📂 config
| │ ├── 📄 account.tfvars
| │ └── 📄 backend.tfvars
│ ├── 📂 global
| │ └── 📂 base-identities
│ ├── 📂 us-east-1
│ │ ├── 📂 base-network
│ │ ├── 📂 base-tf-backend
│ │ ├── 📂 network-firewall
│ │ ├── 📂 notifications
│ │ ├── 📂 security-audit
│ │ ├── 📂 security-base
│ │ ├── 📂 security-compliance
│ │ ├── 📂 security-keys
│ │ └── 📂 transit-gateway
│ └── 📂 us-east-2
| ├── 📂 base-network
| ├── 📂 network-firewall
| ├── 📂 security-compliance
| ├── 📂 security-keys
| └── 📂 transit-gateway
├── 📂 security
│ ├── 📂 config
| │ ├── 📄 account.tfvars
| │ └── 📄 backend.tfvars
│ ├── 📂 global
| │ └── 📂 base-identities
│ ├── 📂 us-east-1
│ │ ├── 📂 base-tf-backend
│ │ ├── 📂 firewall-manager
│ │ ├── 📂 notifications
│ │ ├── 📂 security-audit
│ │ ├── 📂 security-base
│ │ ├── 📂 security-compliance
│ │ ├── 📂 security-keys
│ │ └── 📂 security-monitoring
│ └── 📂 us-east-2
| ├── 📂 security-audit
| ├── 📂 security-compliance
| └── 📂 security-monitoring
└── 📂 shared
│ ├── 📂 config
| │ ├── 📄 account.tfvars
| │ └── 📄 backend.tfvars
│ ├── 📂 global
| | ├── 📂 base-dns
| | └── 📂 base-identities
│ └── 📂 us-east-1
| │ ├── 📂 backups
| │ ├── 📂 base-network
| │ ├── 📂 base-tf-backend
| │ ├── 📂 container-registry
| │ ├── 📂 ec2-fleet
| │ ├── 📂 k8s-eks
| │ ├── 📂 k8s-eks-demoapps
| │ ├── 📂 k8s-eks-prd
| │ ├── 📂 notifications
| │ ├── 📂 security-audit
| │ ├── 📂 security-base
| │ ├── 📂 security-compliance
| │ ├── 📂 storage
| │ ├── 📂 tools-cloud-scheduler-stop-start
| │ ├── 📂 tools-eskibana
| │ ├── 📂 tools-github-selfhosted-runners
| │ ├── 📂 tools-jenkins
| │ └── 📂 tools-managedeskibana
```
--------------------------------
### AWS Organization Account Creation Example
Source: https://github.com/binbashar/le-ref-architecture-doc/blob/master/docs/user-guide/ref-architecture-aws/features/organization/configuration.md
This Terraform code snippet demonstrates how to create an AWS organization account for production services. It specifies the account name, email alias, and parent organizational unit ID.
```terraform
#
# Project Prd: services and resources related to production are placed and
# maintained here.
#
resource "aws_organizations_account" "apps_prd" {
  name      = "apps-prd"
  email     = "aws+apps-prd@domain.ar"
  parent_id = aws_organizations_organizational_unit.apps_prd.id
}
```
--------------------------------
### Example Project File Structure
Source: https://github.com/binbashar/le-ref-architecture-doc/blob/master/docs/try-leverage/leverage-project-setup.md
This illustrates the typical directory and file structure generated after a successful project creation. It includes configuration files, account-specific definitions, and common infrastructure modules.
```plaintext
📂 myexample
├── 📄 build.env
├── 📄 project.yaml
├── 📂 config
│ └── 📄 common.tfvars
├── 📂 management
│ ├── 📂 config
│ │ ├── 📄 account.tfvars
│ │ └── 📄 backend.tfvars
| ├── 📂 global
| │ ├── 📂 organizations
| │ │ ├── 📄 accounts.tf
| │ │ ├── 📄 config.tf
| │ │ ├── 📄 delegated_administrator.tf
| │ │ ├── 📄 locals.tf
| │ │ ├── 📄 organizational_units.tf
| │ │ ├── 📄 organization.tf
| │ │ ├── 📄 policies_scp.tf
| │ │ ├── 📄 policy_scp_attachments.tf
| │ │ ├── 📄 service_linked_roles.tf
| │ │ └── 📄 variables.tf
| │ └── 📂 base-identities
| │ ├── 📄 account.tf
| │ ├── 📄 config.tf
| │ ├── 📄 groups.tf
| │ ├── 📄 keys
| │ ├── 📄 locals.tf
| │ ├── 📄 outputs.tf
| │ ├── 📄 roles.tf
| │ ├── 📄 users.tf
| │ └── 📄 variables.tf
| └── 📂 us-east-1
| ├── 📂 base-tf-backend
| │ ├── 📄 config.tf
| │ ├── 📄 locals.tf
| │ ├── 📄 main.tf
| │ └── 📄 variables.tf
| └── 📂 security-base
| ├── 📄 account.tf
| ├── 📄 config.tf
| └── 📄 variables.tf
├── 📂 security
│ ├── 📂 config
│ │ ├── 📄 account.tfvars
│ │ └── 📄 backend.tfvars
│ ├── 📂 global
| | └── 📂 base-identities
| │ ├── 📄 account.tf
| │ ├── 📄 config.tf
| │ ├── 📄 groups_policies.tf
| │ ├── 📄 groups.tf
| │ ├── 📄 keys
| │ ├── 📄 locals.tf
| │ ├── 📄 outputs.tf
| │ ├── 📄 role_policies.tf
| │ ├── 📄 roles.tf
| │ └── 📄 variables.tf
│ └── 📂 us-east-1
```
--------------------------------
### Instance Tagging Configuration
Source: https://github.com/binbashar/le-ref-architecture-doc/blob/master/docs/user-guide/cookbooks/schedule-start-stop-ec2.md
Defines the tags required for instances to be managed by the scheduler. 'ScheduleStopDaily' and 'ScheduleStartManual' are example tags used to control daily stop and manual start actions respectively.
```yaml
ScheduleStopDaily = true
ScheduleStartManual = true
```
--------------------------------
### Initialize and Apply OpenTofu Backend
Source: https://github.com/binbashar/le-ref-architecture-doc/blob/master/docs/try-leverage/management-account.md
Initializes the OpenTofu environment, skipping validation, and then applies the configuration to create the state management infrastructure. It requires confirmation for the apply step.
```bash
leverage tofu init --skip-validation
leverage tofu apply
```
--------------------------------
### OpenTofu Apply with Variable Files
Source: https://github.com/binbashar/le-ref-architecture-doc/blob/master/docs/user-guide/leverage-cli/shell.md
Applies changes to a project layer using OpenTofu, specifying variable files for configuration. This example includes common configuration files like `common.tfvars`, `account.tfvars`, and `backend.tfvars`.
```bash
tofu apply -var-file=../../../config/common.tfvars -var-file=../../config/account.tfvars -var-file=../../config/backend.tfvars
```
--------------------------------
### Create Project with Leverage CLI
Source: https://github.com/binbashar/le-ref-architecture-doc/blob/master/docs/try-leverage/leverage-project-setup.md
This snippet shows the command to initiate project creation using the leverage CLI. The output log demonstrates the steps involved in setting up the project's directory structure and common base files across different accounts and layers.
```bash
leverage project create
```
```bash
[09:40:54.934] INFO Loading configuration file.
[09:40:54.950] INFO Creating project directory structure.
[09:40:54.957] INFO Finished creating directory structure.
[09:40:54.958] INFO Setting up common base files.
[09:40:54.964] INFO Account: Setting up management.
[09:40:54.965] INFO Layer: Setting up config.
[09:40:54.968] INFO Layer: Setting up base-tf-backend.
[09:40:54.969] INFO Layer: Setting up base-identities.
[09:40:54.984] INFO Layer: Setting up organizations.
[09:40:54.989] INFO Layer: Setting up security-base.
[09:40:54.990] INFO Account: Setting up security.
[09:40:54.991] INFO Layer: Setting up config.
[09:40:54.994] INFO Layer: Setting up base-tf-backend.
[09:40:54.995] INFO Layer: Setting up base-identities.
[09:40:55.001] INFO Layer: Setting up security-base.
[09:40:55.002] INFO Account: Setting up shared.
[09:40:55.003] INFO Layer: Setting up config.
[09:40:55.006] INFO Layer: Setting up base-tf-backend.
[09:40:55.007] INFO Layer: Setting up base-identities.
[09:40:55.008] INFO Layer: Setting up security-base.
[09:40:55.009] INFO Layer: Setting up base-network.
[09:40:55.013] INFO Project configuration finished.
INFO Reformatting terraform configuration to the standard style.
[09:40:55.743] INFO Finished setting up project.
```
--------------------------------
### AWS Client VPN Implementation Guide
Source: https://github.com/binbashar/le-ref-architecture-doc/blob/master/docs/user-guide/cookbooks/VPN-server/index.md
Provides detailed instructions for implementing AWS Client VPN, including endpoint configuration, authentication setup, and network associations. It covers creating secure VPN connections, configuring authorization rules, and managing client access.
```markdown
For detailed instructions on implementing AWS Client VPN, including endpoint configuration, authentication setup, and network associations, please refer to our [AWS Client VPN implementation guide](https://github.com/binbashar/le-tf-infra-aws/blob/master/network/us-east-1/client-vpn/README.md). The guide provides step-by-step procedures for creating a secure VPN connection, configuring authorization rules, and managing client access using AWS best practices.
```
--------------------------------
### Initial Server Connection and Password Setup
Source: https://github.com/binbashar/le-ref-architecture-doc/blob/master/docs/user-guide/cookbooks/VPN-server/VPN-server-gui-setup.md
Connect to the server via SSH and reset the default password using the `pritunl default-password` command. This is the first step to accessing the Pritunl web interface.
```shell
sudo pritunl default-password
```
--------------------------------
### BackEnd Build CI/CD Pipeline
Source: https://github.com/binbashar/le-ref-architecture-doc/blob/master/docs/work-with-us/roadmap/ref-arch/demo-apps.md
Sets up ECR, IAM permissions, and CI/CD pipelines (Jenkins/DroneCI) with GitHub triggers for building the back-end demo application.
```markdown
| CI/CD Pipeline automation & imple | leverage ci-cd-pipeline docker build | BackEnd Build (Demo App): set up ECR, create IAM permissions, create pipelines (Jenkins / DroneCI), set up GitHub triggers |
```
--------------------------------
### Install GnuPG Inside Ubuntu Container
Source: https://github.com/binbashar/le-ref-architecture-doc/blob/master/docs/user-guide/ref-architecture-aws/features/identities/gpg.md
Installs the necessary GnuPG packages within the Ubuntu container. This includes updating the package list and then installing the `gnupg` package, which provides the command-line tools for managing GPG keys.
```bash
apt update
apt install gnupg
```
--------------------------------
### Push Button Environments CI/CD Pipeline
Source: https://github.com/binbashar/le-ref-architecture-doc/blob/master/docs/work-with-us/roadmap/ref-arch/demo-apps.md
Implements ephemeral environments for the demo application using CI/CD pipelines and Kubernetes.
```markdown
| CI/CD Pipeline automation & imple | leverage ci-cd-pipeline kubernetes pbe | Push Button Environments (Demo App): implement ephemeral environments. |
```
--------------------------------
### Pritunl VPN Server Deployment Steps
Source: https://github.com/binbashar/le-ref-architecture-doc/blob/master/docs/user-guide/cookbooks/VPN-server/index.md
This section outlines the steps required to deploy a Pritunl VPN Server. It involves creating an EC2 instance using OpenTofu, deploying the Pritunl server with Ansible, and configuring it via its web GUI.
```markdown
1. [Create the EC2 instance with OpenTofu](./VPN-server-opentofu.md)
2. [Deploy Pritunl VPN Server with Ansible](./VPN-server-ansible.md)
3. [Configure Pritunl from its web GUI interface](./VPN-server-gui-setup.md)
```
--------------------------------
### FrontEnd Build CI/CD Pipeline
Source: https://github.com/binbashar/le-ref-architecture-doc/blob/master/docs/work-with-us/roadmap/ref-arch/demo-apps.md
Sets up ECR, IAM permissions, and CI/CD pipelines (Jenkins/DroneCI) with GitHub triggers for building the front-end demo application.
```markdown
| CI/CD Pipeline automation & imple | leverage ci-cd-pipeline docker build | FrontEnd Build (Demo App): set up ECR, create IAM permissions, create pipelines (Jenkins / DroneCI), set up GitHub triggers |
```
--------------------------------
### Leverage CLI Reference Documentation
Source: https://github.com/binbashar/le-ref-architecture-doc/blob/master/docs/try-leverage/management-account.md
Provides links to detailed documentation for specific Leverage CLI commands, including tofu init, tofu apply, tofu import, and credentials configure.
```APIDOC
leverage tofu init: Initializes the OpenTofu environment.
- --skip-validation: Skips validation checks during initialization.
leverage tofu apply: Applies the OpenTofu configuration to create or update infrastructure.
- Requires confirmation before applying changes.
leverage tofu import: Imports existing infrastructure into the OpenTofu state.
- Usage: leverage tofu import .
- Example: leverage tofu import aws_organizations_account.management 000123456789
- Note for Zsh users: Prepend 'noglob' or escape brackets as '[ ]'.
leverage credentials configure: Configures AWS CLI credentials and profiles.
- --type BOOTSTRAP: Sets the credential type to bootstrap.
- --skip-access-keys-setup: Skips the setup of IAM access keys.
- Output: Configures profiles in ~/.aws/me/config and updates Terraform configuration.
```
--------------------------------
### Initialize and Apply OpenTofu Backend for Shared Account
Source: https://github.com/binbashar/le-ref-architecture-doc/blob/master/docs/try-leverage/security-and-shared-accounts.md
Initializes the OpenTofu environment and applies the backend configuration for the shared account, skipping validation initially.
```bash
leverage tofu init --skip-validation
leverage tofu apply
```
--------------------------------
### AWS Credentials Configuration Example
Source: https://github.com/binbashar/le-ref-architecture-doc/blob/master/docs/user-guide/ref-architecture-aws/features/identities/identities.md
An example of how to configure AWS credentials and configuration files for accessing AWS resources, typically located at `~/.aws/project/credentials` and `~/.aws/project/config`.
```bash
# Example ~/.aws/project/credentials file
[default]
aws_access_key_id = YOUR_ACCESS_KEY
aws_secret_access_key = YOUR_SECRET_KEY
# Example ~/.aws/project/config file
[default]
region = us-east-1
output = json
```
--------------------------------
### Initialize and Apply OpenTofu Backend for Security Account
Source: https://github.com/binbashar/le-ref-architecture-doc/blob/master/docs/try-leverage/security-and-shared-accounts.md
Initializes the OpenTofu environment and applies the backend configuration for the security account, skipping validation initially.
```bash
leverage tofu init --skip-validation
leverage tofu apply
```
--------------------------------
### AWS Management Account Creation
Source: https://github.com/binbashar/le-ref-architecture-doc/blob/master/docs/try-leverage/aws-account-setup.md
Instructions for creating the initial AWS account, which will serve as the management account for an AWS Organization. This account is critical for project setup and requires specific naming conventions.
```markdown
## Create the first AWS account
First and foremost you'll need to create an AWS account for your project.
!!! attention
    Note this will be your management account and has to be called `-management`.
    E.g. if your project is called `binbash` then your account should be `binbash-management`.
Follow the [instructions here](/user-guide/ref-architecture-aws/features/organization/configuration/).
This will be the management account for your [AWS Organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html) and the email address you use for signing up will be the [root user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html) of this account -- you can see this user represented in the [architecture diagram](../#leverage-landing-zone).
Since the root user is the main access point to your account it is strongly recommended that you keep its credentials (email, password) safe by following [AWS best practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html).
!!! tip
    To protect your management account, [enabling Multi Factor Authentication](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa) is **highly** encouraged. Also, reviewing the [account's billing setup](https://console.aws.amazon.com/billing/home?#/account) is always a good idea before proceeding.

!!! info "For more details on setting up your AWS account: [:books: Organization account setup guide](/user-guide/ref-architecture-aws/features/organization/configuration/)"
```
--------------------------------
### FrontEnd Deploy CI/CD Pipeline
Source: https://github.com/binbashar/le-ref-architecture-doc/blob/master/docs/work-with-us/roadmap/ref-arch/demo-apps.md
Creates CI/CD pipelines (Jenkins/Spinnaker) with ECR/GitHub triggers for deploying the front-end demo application.
```markdown
| CI/CD Pipeline automation & imple | leverage ci-cd-pipeline deploy | FrontEnd Deploy (Demo App): create pipelines (Jenkins / Spinnaker), set up ECR/Github triggers |
```
--------------------------------
### Project Configuration Example
Source: https://github.com/binbashar/le-ref-architecture-doc/blob/master/docs/try-leverage/management-account.md
An example snippet from a project configuration file (likely `project.yaml`) showing the structure for defining AWS accounts within an organization, including their names, emails, and IDs.
```yaml
organization:
  accounts:
    - name: management
      email: myexample-aws@example.com
      id: '000123456789'
```