# An Example Terraform(Opentofu) setup "packed" as a (docker)compose application

This repo contains a [`compose.yml`](./compose.yml) file. With such a `compose.yml` which 
sometimes can be named also `docker-compose.yml` we setup an application, defined by services

```
# this is exampoel compose.yml content
services:
  a_service:
    image: name/of-container-image:tag
  another_service:
    image: name/of-container-image:tag
  [...]
```

The compose.yml in this repo has only a single service that is the container/service "terraform"

## Usage Part 1: the `docker compose` part

### Requirements
After having `docker compose` installed (it should be a versoin 2.XX, given version 1 is outdated)
which can be checked via:
```
#> docker compose version
Docker Compose version 2.29.2
```

### Build the application
A first step is to `docker compose` `build` the application

``` 
#> docker compose build
```

This will build the image for the container. The service terraform inside `compose.yml`
uses the this information to have an inline Dockerfile/recipe:

```
services:
  terraform:
    hostname: container-for-tf
    volumes:
    - ./terraformdata:/terraformdata
    build:
      dockerfile_inline: |
        FROM alpine:latest
        RUN apk update
        RUN apk add aws-cli-bash-completion aws-cli aws-cli-doc bash bash-completion 
        RUN apk add man-db man-pages
        RUN apk add opentofu
        RUN apk add vim jq less
        RUN <<EOF
        cat >> /etc/bash/bashrc <<BASHRC
        complete -C '$(which aws_completer)' aws
        tofu() {
          while ! aws sts get-caller-identity 
          do 
            echo "no valid aws credentials setup, running 'aws configure'"
            aws configure 
          done
          unset tofu 
          command tofu "$@"
        }
        alias terraform='tofu'
        alias terra='tofu'
        EOF
        ENTRYPOINT ["/bin/bash"]
        WORKDIR /terraformdata
```

### Use/Run the terraform/service to do opentofu/terraform stuff 

After the compose application terrafrom was build one can run it.
(to be fair, if having skipped the previous `docker compose build` step it would be automaticly 
build when running anyways, as clearly the contaner image is required to run the container service
hence `docker compose run -it terraform` would automatically build it with the inline `Dockerfile`
information in the `services.terraform.build.dockerfile_inline` information.

To now run the terraform service use:
```
docer compose run -it terraform
```

this will drop the user into a shell inside the container with the following utilities setup:
* `aws` (the Amazon web services aws command line tool)
* `jq` (a tool to handle JSON on the command line)
* `less` (less command)
* `vim` (to have an editor if needed inside the container)
* a feels like `bash` shell and completion for the `aws` command line (given 
* `man` manual pages 
* `tofu` (aliased also to be run as `terra` and `terraform`), the opentofu tool

## Usage Part 2: the AWS part

Once dropped into the shell in the container of `compose.yml`'s terraform service. 
the main command one can interact with is `tofu`.

The first stell should be to run just `tofu` which will check if the container 
is already setup to interact with an AWS account (which if it is a fresh container 
it will most likely not)

this will happen:
```
container-for-tf:/terraformdata# tofu

Unable to locate credentials. You can configure credentials by running "aws configure".
no valid aws credentials setup, running 'aws configure'
AWS Access Key ID [None]: AK..............
AWS Secret Access Key [None]: hereYourAWSSecretAccessKeyPasted
Default region name [None]: eu-central-1
Default output format [None]:
{
    "UserId": "AID........",
    "Account": ".........",
    "Arn": "arn:aws:iam::.......:user/user....."
}
Usage: tofu [global options] <subcommand> [args]

The available commands for execution are listed below.
The primary workflow commands are given first, followed by
less common or more advanced commands.

Main commands:
  init          Prepare your working directory for other commands
  validate      Check whether the configuration is valid
  plan          Show changes required by the current configuration
[...]
```

as is visible in the above this required to specify a amazon IAM user via
the crediatals of 
a) AWS Access Key ID (i.e. alike an ID/username)
b) AWS Secret Access Key (i.e. kind of a password, indeeed a base64 encoded key)

hence to successfuly go through the dialog on needs to setup the users
this can be done in the [amazon web gui for IAM](https://us-east-1.console.aws.amazon.com/iam/home?region=eu-west-1#/users)
IAM is the user service/permissions part of AWS.

It makes much sense to setup a new user that is dedicated to EC2 (aws instances).
The process to do so is somewhat challenging because of the sheer number of stuff
that AWS has stuffed into AWS such as 

* users 
* roles
* policies
* permissions
* identify provides......

indeed we need only users. Such a user should have those Permission Policies set
* AmazonEC2FullAccess (since we want to have the use be able to do all EC2 stuff)
* a "inline persmission" allowing the read of STS -> get-caller-identiy (required to use the `aws` cli tool)

This is an exmaple user screenshoted
![example IAM user](./images/screenshot.aws.user.png)

Once the user is created it is required to generate the credentials to be used in the dialog above.
This can be done in the here:

![generate AWS access key for user](./images/screenshot.aws.create.accesskey.png)

since they are more complicatred, disregard the suggested  alternatives:
![disregard alternatives](./images/screenshot.aws.ignore.alternatives.png)

also we need no tag to be set (AWS really makes it a point to strech out and prolong simple stuff)
![no tag necessary](./images/screenshot.aws.no-tag-needed.png)

lastly get the credintials
![no tag necessary](./images/screenshot.aws.get-credentials.png)

with those credentials the above mask should have completed successfully

 
## Usage Part 3: the Opentofu/Terraform parts




on