A production-ready AWS App Runner repository template with Terraform.
Feel free to open a pull request or an issue if you have suggestions or improvements.
- WAF Rate Limiting
- WAF IP Allow List
- IAM Service Account
- Automatic HTTPS with ACM + DNS Validation
- Custom Domain for AWS App Runner
- AWS App Runner Service
- Security Groups
- Makefile for faster development
- S3 Backend with encryption
- S3 Bucket configured
- ECR repository configured
- Application image built and pushed to ECR
- Route53 Domain Zone registered
- Private subnets tagged so that the data.aws_subnets.private data source can select them
- TFLint
- TFSec
- make deploy - Same as terraform apply
- make destroy - Same as terraform destroy
- make docs - Generates the README documentation with terraform-docs
- make format - Formats Terraform files
- make init - Initialises Terraform modules, providers and the backend connection
- make plan - Same as terraform plan
- make validate - Validates Terraform code quality and style
- make tfsec - Scans the Terraform code for possible vulnerabilities and misconfigurations
- make tflint - Validates Terraform code style
Before diving in, a word on why the variables are split into two files.
General variables that change frequently or are used in multiple files live in env/variables.tfvars.example.
Terraform also needs a connection to AWS and to the S3 backend that stores the Terraform state. These variables live in .env.example. Because .env ends up holding AWS credentials, keep it out of version control. The S3_BUCKET_TF_STATE environment variables are used only by GitHub Actions.
To set up the prerequisites, you can use the prerequisites.yaml CloudFormation template.
Go to CloudFormation -> Stacks -> Create Stack -> Upload a template file -> prerequisites.yaml.
Fill in BucketName and RepositoryName and create the stack.
As mentioned above, you need to push an application image to the ECR repository before deploying. For testing purposes any small image that listens on app_port (8080 by default) will do. For production, pin app_image_tag to an immutable tag or image digest instead of the default latest, so a deploy always resolves to the image you reviewed.
1. Clone this repository

```bash
git clone git@github.com:KostLinux/aws-app-runner-tf-template.git && cd aws-app-runner-tf-template
```
2. Configure the connection to AWS via .env
These variables configure the AWS connection used to store the Terraform state. Note that the S3_BUCKET_TF_STATE environment variables are pipeline-only variables. .env contains credentials, so keep it out of version control.

```bash
cp .env.example .env
```
3. Configure Terraform variables via terraform.tfvars

```bash
cp env/variables.tfvars.example env/variables.tfvars
vim env/variables.tfvars
```
4. Make the necessary changes in the other .tf files via your IDE
Because this is a template repository, the .tf files contain example values that must be replaced with real ones, for instance in waf.tf, where the "" placeholder must be changed.

```bash
# VsCode
code .
# Atom
atom .
```
NOTE! Don't forget to
5. Validate code

```bash
make validate
```

6. Initialize Terraform

```bash
make init
```

7. Make a Terraform plan file

```bash
make plan
```

8. Apply changes

```bash
make deploy
```
9. Push the changes to git
This repository uses a feature-branch workflow: when a PR is merged, GitHub Actions deploys the changes to AWS.
1. Configure secrets
Configure the secrets in Settings -> Secrets and Variables -> Actions -> Environment Secrets. These are long-lived access keys, so create them for a dedicated IAM user that has only the permissions the deployment needs and rotate them regularly; assuming a role through GitHub's OIDC provider avoids storing long-lived keys at all.
- TEST_AWS_ACCESS_KEY_ID - AWS Access Key ID for the testing environment
- TEST_AWS_SECRET_ACCESS_KEY - AWS Secret Access Key for the testing environment
- TEST_AWS_REGION - AWS Region for the testing environment
- TEST_BUCKET_TF_STATE - S3 bucket for the testing environment state
- TEST_KEY_TF_STATE - S3 key for the testing environment state
- MAIN_AWS_ACCESS_KEY_ID - AWS Access Key ID for the production environment
- MAIN_AWS_SECRET_ACCESS_KEY - AWS Secret Access Key for the production environment
- MAIN_AWS_REGION - AWS Region for the production environment
- MAIN_BUCKET_TF_STATE - S3 bucket for the production environment state
- MAIN_KEY_TF_STATE - S3 key for the production environment state
2. Create an example branch & push the changes

```bash
git checkout -b "test/try-pipeline"
# after staging your changes
git commit -m "Trigger a pipeline"
git push --set-upstream origin test/try-pipeline
```

3. Create a PR, merge it into test and check the run under GitHub Actions.
This project is licensed under the MIT License.
KostLinux - Getting Error after error :S
- IAM Service Account error
If the apply fails with the IAM service account error below, simply run terraform apply (make deploy) again.

```text
│ Error: creating App Runner Service (example_laravel_app): operation error AppRunner: CreateService, https response error StatusCode: 400, RequestID: 36cb0cc6-0c00-454c-9fbf-5035f94614cd, InvalidRequestException: Error in assuming access role arn:aws:iam::058264387177:role/example_application_service_account
│ with module.example_app_runner.aws_apprunner_service.this[0],
│ on .terraform/modules/example_app_runner/main.tf line 34, in resource "aws_apprunner_service" "this":
│ 34: resource "aws_apprunner_service" "this" {
```
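The re-run usually works because the failure is a propagation race rather than a misconfiguration: App Runner tries to assume the access role a moment after IAM created it, and IAM is eventually consistent. As an added example (not the template's own code: it uses the plain aws_apprunner_service resource instead of the terraform-aws-modules/app-runner and iam-assumable-role modules, and the role and resource names are assumed), the following Terraform restricts the role's trust policy to the App Runner build principal, attaches only the AWS-managed ECR read policy, and waits for the role to propagate before creating the service. It reuses the app_repository, app_image_tag and app_port inputs from the reference table below.

```hcl
# Added example, not the template's own code. Role, resource and variable
# names are assumed; the template itself uses the terraform-aws-modules
# app-runner and iam-assumable-role modules instead of these raw resources.

terraform {
  required_providers {
    aws  = { source = "hashicorp/aws", version = ">= 5.0" }
    time = { source = "hashicorp/time", version = ">= 0.9" }
  }
}

variable "app_repository" { type = string } # ECR repository name
variable "app_image_tag"  { type = string } # pin to an immutable tag or digest in production
variable "app_port"       { type = number }

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# Trust policy: only the App Runner build principal (the one that pulls the
# image from ECR) may assume this role. Running tasks use a separate
# instance role that trusts tasks.apprunner.amazonaws.com.
data "aws_iam_policy_document" "apprunner_access_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["build.apprunner.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "apprunner_access" {
  name               = "example_application_service_account"
  assume_role_policy = data.aws_iam_policy_document.apprunner_access_trust.json
}

# Least privilege: the AWS-managed policy grants only the ECR read actions
# App Runner needs to pull the image.
resource "aws_iam_role_policy_attachment" "apprunner_ecr_access" {
  role       = aws_iam_role.apprunner_access.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSAppRunnerServicePolicyForECRAccess"
}

# IAM is eventually consistent: sts:AssumeRole on a freshly created role can
# be rejected for a few seconds. Waiting here avoids the
# "Error in assuming access role" failure and the second apply.
resource "time_sleep" "wait_for_role" {
  depends_on      = [aws_iam_role_policy_attachment.apprunner_ecr_access]
  create_duration = "15s"
}

resource "aws_apprunner_service" "this" {
  service_name = "example_laravel_app"

  source_configuration {
    auto_deployments_enabled = false

    authentication_configuration {
      access_role_arn = aws_iam_role.apprunner_access.arn
    }

    image_repository {
      image_repository_type = "ECR"
      # Full ECR image URI built from the current account, region and the template's inputs.
      image_identifier = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${data.aws_region.current.name}.amazonaws.com/${var.app_repository}:${var.app_image_tag}"
      image_configuration {
        port = tostring(var.app_port)
      }
    }
  }

  depends_on = [time_sleep.wait_for_role]
}
```

The 15-second wait is a pragmatic value, not a guarantee; if propagation takes longer, a second apply is still needed. The trust policy is the security-relevant part: the access role only has to be assumable by the principal that pulls the image, so do not widen it to a wildcard or to the tasks principal.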
The Terraform reference below lists the requirements, providers, modules, resources, inputs and outputs used in this repository.

Requirements:

| Name | Version |
|------|---------|
| terraform | >= 1.5.1 |
| aws | >= 5.0 |

Providers:

| Name | Version |
|------|---------|
| aws | >= 5.0 |

Modules:

| Name | Source | Version |
|------|--------|---------|
| acm | terraform-aws-modules/acm/aws | ~> 4.0 |
| application_service_account | terraform-aws-modules/iam/aws//modules/iam-assumable-role | ~> 5.32.0 |
| example_app_runner | terraform-aws-modules/app-runner/aws | ~> 1.2.0 |
| iam_policy | terraform-aws-modules/iam/aws//modules/iam-policy | ~> 5.32.0 |
Resources:

| Name | Type |
|------|------|
| aws_route53_record.example_app_runner | resource |
| aws_route53_record.validation_records_app_runner | resource |
| aws_security_group.app_runner | resource |
| aws_security_group_rule.allow_egress | resource |
| aws_security_group_rule.allow_https | resource |
| aws_wafv2_ip_set.ip_list | resource |
| aws_wafv2_web_acl.app_runner_acl | resource |
| aws_wafv2_web_acl_association.example | resource |
| aws_caller_identity.current | data source |
| aws_region.current | data source |
| aws_route53_zone.existing_route53_zone | data source |
| aws_subnets.private | data source |
| aws_vpc.default | data source |
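The WAF resources listed above (aws_wafv2_ip_set.ip_list, aws_wafv2_web_acl.app_runner_acl and aws_wafv2_web_acl_association.example) are what implement the IP allow list and rate limiting from the feature list, and waf.tf is where step 4 asks you to replace the placeholder value. As an added example that is not the template's own waf.tf, the following Terraform shows one way to wire them up with a deny-by-default ACL; the CIDR range, the names and the aws_apprunner_service.this reference are assumptions.

```hcl
# Added example, not the template's own waf.tf. Names, the CIDR range and the
# App Runner service reference are assumed.

variable "allowed_cidrs" {
  description = "CIDR ranges permitted to reach the service (placeholder, replace with real ranges)"
  type        = list(string)
  default     = ["203.0.113.0/24"] # RFC 5737 documentation range, placeholder only
}

resource "aws_wafv2_ip_set" "ip_list" {
  name               = "example-api-allow-list"
  scope              = "REGIONAL" # App Runner is a regional resource
  ip_address_version = "IPV4"
  addresses          = var.allowed_cidrs
}

resource "aws_wafv2_web_acl" "app_runner_acl" {
  name  = "example-api-acl"
  scope = "REGIONAL"

  # Deny by default: only traffic matched by an ALLOW rule gets through.
  default_action {
    block {}
  }

  # Evaluated first (lowest priority number). ALLOW is a terminating action,
  # so if the allow-list rule ran first a listed client could never be
  # rate limited.
  rule {
    name     = "rate-limit"
    priority = 1
    action {
      block {}
    }
    statement {
      rate_based_statement {
        limit              = 1000 # requests per source IP within the evaluation window
        aggregate_key_type = "IP"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "rate-limit"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "allow-listed-ips"
    priority = 2
    action {
      allow {}
    }
    statement {
      ip_set_reference_statement {
        arn = aws_wafv2_ip_set.ip_list.arn
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "allow-listed-ips"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "example-api-acl"
    sampled_requests_enabled   = true
  }
}

# The ACL is bound to the App Runner service ARN, so it also covers the
# default *.awsapprunner.com URL, not only the custom domain.
resource "aws_wafv2_web_acl_association" "example" {
  resource_arn = aws_apprunner_service.this.arn # assumed: the App Runner service defined elsewhere
  web_acl_arn  = aws_wafv2_web_acl.app_runner_acl.arn
}
```

Rule order is the point to check when you adapt this: WAF evaluates rules in ascending priority and stops at the first terminating action, so the rate limit has to sit before the allow. The rate-based rule counts requests per source IP over WAF's evaluation window (five minutes by default), so size the limit for a single client behind NAT rather than for total traffic, and leave CloudWatch metrics and sampled requests enabled so blocked requests can be reviewed.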
Inputs:

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| app_environment_variables | Environment variables for the application | list(object({ ... })) | [] | no |
| app_image_tag | ECR image tag | string | "latest" | no |
| app_port | Port the application is listening on | number | 8080 | no |
| app_repository | ECR repository name | string | "example-api" | no |
| app_sub_domain | Subdomain for the application | string | "example-api" | no |
| route53_domain | Domain name registered in Route53 | string | "" | no |
Outputs:

| Name | Description |
|------|-------------|
| apprunner_service_id | App Runner Service ID for the application |
| certificate_validation_records | Certificate validation records for the application |
| route53_zone_arn | Route53 Zone ARN for the application |
| route53_zone_id | Route53 Zone ID for the application |
| route53_zone_name | Route53 Zone Name for the application |
| service_account_arn | Service Account ARN for the application |
| service_account_name | Service Account Name for the application |
| subnets | Subnets for the application |
| vpc_id | VPC ID for the application |

This README was generated with terraform-docs.