This is a fully reproducible, Terragrunt-based infrastructure deployment demo managed using Nix flakes. It is configured for a demo AWS account and deploys a full stack including VPC, EKS, job modules, and S3 storage using GitHub Actions and OIDC authentication.
This infrastructure includes:
-
Terragrunt + Terraform Modules:
aws-data: AWS region/account data sourcevpc-1: Custom VPC for demo workloadseks-1: Kubernetes cluster (EKS)crawler-job-1: Sample workload running in Kubernetescrawler-s3-1: S3 bucket for crawler storagegithub-oidc: IAM roles for GitHub OIDC authentication
-
Live Environment:
live/demo/eu-central-1/- Organized by AWS region and account
- Each component has its own
terragrunt.hcl
-
Nix Flake: Development environment and automation
nix develop: provides pinned versions of Terraform, Terragrunt, kubectl, and AWS CLInix run .#validate: validates HCL and Terraform formatnix run .#apply: applies all Terragrunt modules
Deployment is fully automated through GitHub Actions using OIDC:
- uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: arn:aws:iam::767140398543:role/github-oidc-terraform
aws-region: eu-central-1GitHub workflow is located in:
.github/workflows/deploy.yml
It:
- Installs Nix
- Authenticates with AWS via OIDC
- Runs
nix run .#validate - Runs
nix run .#apply
Validation is handled via the validate app:
nix run .#validateWhich checks:
terraform fmt -recursive -checkterragrunt hcl fmt --checkterragrunt hcl validate(with exit code checking)
You can enter the development shell with:
nix developThis provides:
- Terraform
- Terragrunt
- AWS CLI
- kubectl
With the following env vars set:
AWS_PROFILE=demo-profile
AWS_REGION=eu-central-1
TG_PROVIDER_CACHE=1.
├── flake.nix
├── root.hcl
├── live/
│ └── demo/
│ └── eu-central-1/
│ ├── aws-data/
│ ├── vpc-1/
│ ├── eks-1/
│ ├── crawler-job-1/
│ ├── crawler-s3-1/
│ └── github-oidc/
├── modules/
│ ├── aws-data/
│ ├── crawler-job/
│ └── github-oidc/
└── .github/
└── workflows/
└── deploy.yml