Infrastructure as Code Library

A collection of over 300,000 lines of reusable, battle-tested, production-ready infrastructure code for AWS, GCP, and Azure.

You don't have to reinvent the wheel

Most teams have the same basic infrastructure needs: server cluster, load balancer, database, cache, CI/CD, monitoring, secrets management, and so on. Why waste time building it all from scratch? At Gruntwork, we are a team of DevOps experts who have spent thousands of hours creating a library of reusable, battle-tested infrastructure code that has been used in production by hundreds of companies, and now you can leverage all of it with the Infrastructure as Code Library.

What's in the Library?

The Infrastructure as Code Library consists of 40+ GitHub repos, some open source, some private, each of which contains reusable, battle-tested infrastructure code for AWS, GCP, and Azure, written in Terraform, Go, Bash, and Python. Check out How to use the Gruntwork Infrastructure as Code Library to see how it all works.

Search:

Name	Description	Tags
AWS VPC	Create a best-practices Virtual Private Cloud (VPC) on AWS. Includes multiple subnet tiers, netwo...	AWS Subscriber-Only
Monitoring and Alerting	Configure monitoring, log aggregation, and alerting using CloudWatch, SNS, and S3. Includes Slack...	AWS Subscriber-Only
EC2 Container Service (ECS)	Deploy a best-practices ECS Cluster and run Docker containers on it as ECS Services. Includes zer...	AWS Subscriber-Only
EC2 Kubernetes Service (EKS)	Deploy a best-practices EKS cluster and run Docker containers on it as Kubernetes services. Suppo...	AWS Subscriber-Only
Kubernetes Helm Server	Deploy a best-practices Tiller (Helm Server) to your Kubernetes cluster. Supports namespaces, ser...	AWS GCP Azure Open Source
Auto Scaling Group	Run stateless and stateful services on top of an Auto Scaling Group. Supports zero-downtime, roll...	AWS Subscriber-Only
AWS Load Balancer	Run the highly-available and scalable load balancers in AWS: Application Load Balancer (ALB), Net...	AWS Subscriber-Only
Lambda	Deploy and manage Lambda functions with Terraform and build serverless apps. Automatically upload...	AWS Subscriber-Only
API Gateway	Build serverless applications by defining APIs in Swagger, running your app locally using SAM, an...	AWS Subscriber-Only
Security	A collection of security best practices for managing secrets, credentials, and servers. Includes ...	AWS GCP Azure Subscriber-Only
Continuous Delivery	A collection of scripts and Terraform code that implement common CI and build pipeline tasks incl...	AWS GCP Azure Subscriber-Only
Relational Database	Run MySQL, Postgres, MariaDB, or Amazon Aurora on Amazon’s Relational Database Service (RDS) or A...	AWS Subscriber-Only
Distributed Cache	Run Redis or Memcached clusters using Amazon’s ElastiCache Service. Creates the cluster, sets up ...	AWS Subscriber-Only
Stateful Server	Set up a best-practices deployment of a single, stateful server on top of AWS, such as Jenkins or...	AWS Subscriber-Only
AWS Static Assets	Deploy your static content and static websites on S3, optionally with a CloudFront distribution i...	AWS Subscriber-Only
MongoDB Cluster	Deploy a MongoDB cluster, including replica sets, sharding, an automated bootstrapping process, b...	AWS Subscriber-Only
Kafka	Deploy a cluster of Apache brokers that can automatically bootstrap themselves. Includes support ...	AWS Subscriber-Only
ZooKeeper	Deploy an Apache ZooKeeper cluster that can automatically bootstrap itself. Includes support for ...	AWS Subscriber-Only
ELK	Deploy and manage an ELK cluster. Includes support for deploying separate Elasticsearch, Logstash...	AWS Subscriber-Only
OpenVPN Server	Deploy an OpenVPN server and manage user accounts using IAM groups. Includes automatic install an...	AWS Subscriber-Only
Messaging	Create SQS queues with support for FIFO, message retention, message delays, content-based dedupli...	AWS Subscriber-Only
Google Kubernetes Engine (GKE)	Terraform modules for running a Kubernetes cluster on Google Cloud Platform (GCP) using Google Ku...	GCP Open Source
GCP VPC	Create a best-practices Virtual Private Cloud (VPC) on GCP. Includes multiple subnet tiers, firew...	GCP Open Source
Google Cloud SQL	Run relational databases such as MySQL and PostgreSQL on Google Cloud Platform (GCP) using Cloud ...	GCP Open Source
GCP Static Assets	Manage static assets (CSS, JS, images) on GCP using Google Cloud Storage and HTTP Load Balancers.	GCP Open Source
Google Cloud Load Balancer	Perform load balancing on GCP using Google Cloud Load Balancer, with support for HTTP, HTTPs, and...	GCP Open Source
kubergrunt	kubergrunt is a standalone go binary with a collection of commands that attempts to fill in the g...	AWS GCP Open Source
Kubernetes Services	Package services into a best-practices deployment for Kubernetes. Supports zero-downtime, rolling...	AWS GCP Azure Open Source
Consul	Deploy a best-practices HashiCorp Consul cluster. Includes support for automatic bootstrapping, c...	AWS GCP Azure Open Source
Nomad	Deploy a best-practices HashiCorp Nomad cluster. Includes support for automatic bootstrapping, au...	AWS GCP Azure Open Source
Vault	Deploy a best-practices HashiCorp Vault cluster for secrets management. Includes support for auto...	AWS GCP Azure Open Source
Couchbase	Deploy a best-practices Couchbase cluster. Includes support for automatic bootstrapping, running ...	AWS Open Source
Influx AWS	Deploy a best-practices TICK stack (Telegraf, InfluxDB, Chronograf, Kapacitor). Includes support ...	AWS Open Source
Terratest	Terratest is a Go library that makes it easier to write automated tests for your infrastructure c...	AWS GCP Azure Open Source
gruntkms	Make secrets management easy using this command-line tool that can encrypt and decrypt data using...	AWS Subscriber-Only
ssh-grunt	A tool that allows you to manage SSH access to EC2 Instances using either AWS IAM or your Identit...	AWS Subscriber-Only
aws-auth	A small wrapper script for the AWS CLI that makes it much easier to authenticate to AWS with Mult...	AWS Subscriber-Only
bash-commons	A collection of reusable Bash functions for handling common tasks such as logging, assertions, st...	AWS GCP Azure Open Source
cloud-nuke	A tool for cleaning up your cloud accounts by nuking (deleting) all resources within it.	AWS Open Source
gruntwork-installer	A simple, lightweight package manager for installing Gruntwork modules.	AWS GCP Azure Open Source
fetch	A tool that makes it easy to download files, folders, and release assets from a specific git comm...	AWS GCP Azure Open Source
pre-commit	A collection of pre-commit hooks for Terraform, bash, Go, and more.	AWS GCP Azure Open Source
gruntwork	A CLI tool to perform Gruntwork tasks, such as bootstrapping your GitHub and AWS accounts for the...	AWS Subscriber-Only
package-terraform-utilities	A collection of miscellaneous utilities and helper modules for use with Terraform. Includes modul...	AWS GCP Azure Open Source
Influx GCP	Deploy a best-practices TICK stack (Telegraf, InfluxDB, Chronograf, Kapacitor) in Google Cloud Pl...	GCP Open Source

Description	Create a best-practices Virtual Private Cloud (VPC) on AWS. Includes multiple subnet tiers, network ACLs, security groups, NAT gateways, Internet Gateways, and VPC peering.
Supported clouds	AWS
Type	Subscriber-Only
Technologies	Terraform
Links	Public Docs Full Repo (ONLY accessible to Gruntwork subscribers!)
Key modules	vpc-app: launch an app VPC Launch a VPC meant to house applications and production code. This module creates the VPC, 3 "tiers" of subnets (public, private app, private persistence) across all Availability Zones, route tables, routing rules, Internet gateways, and NAT gateways. vpc-mgmt: launch a mgmt VPC Launch a VPC meant to house internal tools (e.g. Jenkins, VPN server). This module creates the VPC, 2 "tiers" of subnets (public, private), route tables, routing rules, Internet gateways, and NAT gateways. vpc-app-network-acls: add NACLs to the app VPC Add a default set of Network ACLs to a VPC created using the vpc-app module that strictly control what inbound and outbound network traffic is allowed in each subnet of that VPC. vpc-mgmt-network-acls: add NACLs to the mgmt VPC Add a default set of Network ACLs to a VPC created using the vpc-mgmt module that strictly control what inbound and outbound network traffic is allowed in each subnet of that VPC. vpc-peering: peer VPCs in the same account Create peering connections between your VPCs to allow them to communicate with each other. vpc-peering-external: peer VPCs in different accounts Create peering connections between your VPCs and VPCs managed in other (external) AWS accounts. vpc-flow-logs: create VPC flow logs Create VPC flow logs to observe IP traffic in your VPCs.

Description	Configure monitoring, log aggregation, and alerting using CloudWatch, SNS, and S3. Includes Slack integration.
Supported clouds	AWS
Type	Subscriber-Only
Technologies	Terraform Bash Python
Links	Public Docs Full Repo (ONLY accessible to Gruntwork subscribers!)
Key modules	alarms: create CloudWatch alarms for your AWS services A collection of more than 20 modules that set up CloudWatch Alarms for a variety of AWS services, such as CPU, memory, and disk space usage for EC2 Instances, Route 53 health checks for public endpoints, 4xx/5xx/connection errors for load balancers, and a way to send alarm notifications to a Slack channel. logs: aggregate all your logs in CloudWatch logs A collection of modules to set up log aggregation, including one to send logs from all of your EC2 instances to CloudWatch Logs, one to rotate and rate-limit logging so you don't run out of disk space, and one to store all load balancer logs in S3. metrics: collect metrics from your AWS services Modules that add custom metrics to CloudWatch, including critical metrics not visible to the EC2 hypervisor, such as memory usage and disk space usage.

Description	Deploy a best-practices ECS Cluster and run Docker containers on it as ECS Services. Includes zero-downtime, rolling deployments, and auto scaling.
Supported clouds	AWS
Type	Subscriber-Only
Technologies	Terraform Bash
Links	Public Docs Full Repo (ONLY accessible to Gruntwork subscribers!)
Key modules	ecs-cluster: deploy an ECS cluster Deploy an Auto Scaling Group (ASG) that ECS can use for running Docker containers. The size of the ASG can be scaled up or down in response to load. ecs-service: deploy a service in your ECS cluster Deploy a Docker container as a long-running ECS Service. Includes support for automated, zero-downtime deployment, auto-restart of crashed containers, and automatic integration with the Elastic Load Balancer (ELB). ecs-fargate: deploy a service in ECS Fargate Deploy a Docker container as a long-running Fargate Service. A Fargate service automatically manages and scales your cluster as needed without you needing to manage the underlying EC2 instances or clusters, it also includes integration with an Application Load Balancer (ALB) or a Network Load Balancer (NLB). ecs-service-with-alb: deploy a service in your ECS cluster with an ALB Deploy a Docker container as a long-running ECS Service. Includes support for automated, zero-downtime deployment, auto-restart of crashed containers, and automatic integration with the Application Load Balancer (ALB). ecs-deploy: deploy a short-running task in your ECS cluster Deploy a Docker container as a short-running ECS Task, wait for it to exit, and exit with the same exit code as the ECS Task.

Description	Deploy a best-practices EKS cluster and run Docker containers on it as Kubernetes services. Supports zero-downtime, rolling deployment, IAM to RBAC mapping, auto scaling, IAM roles for Pods, deploying Helm securely with automated TLS certificate management, and heterogeneous worker groups.
Supported clouds	AWS
Type	Subscriber-Only
Technologies	Terraform Python
Links	Full Repo (ONLY accessible to Gruntwork subscribers!)
Key modules	eks-cluster-control-plane: deploy the EKS control plane Deploy an EKS control plane managed by AWS with support to configure your local kubectl to authenticate with EKS. eks-cluster-workers: deploy a cluster of EKS workers Deploy a cluster of EC2 instances registered as Kubernetes workers with auto-recovery of failed nodes. eks-k8s-role-mapping: manage mappings between IAM and RBAC Manage mappings between IAM roles and RBAC groups as code for provisioning accounts that can access the Kubernetes API. eks-vpc-tags: tag your VPC for EKS Provides tags for your VPC to ensure Kubernetes uses it for allocating IP addresses to Pods and Services. eks-cloudwatch-container-logs: aggregate EKS logs to CloudWatch Deploys Helm chart that installs fluentd into your cluster to aggregate Kubernetes logs for shipping to CloudWatch. eks-alb-ingress-controller: use ALBs as ingress controllers Deploys Helm chart that installs the AWS ALB Ingress Controller into your cluster to map Ingress resources to ALBs. eks-k8s-external-dns: use Route53 for ingress hostnames Deploys Helm chart that installs the external-dns application into your cluster to map Ingress hostnames to Route 53 Domain records.

Description	Deploy a best-practices Tiller (Helm Server) to your Kubernetes cluster. Supports namespaces, service accounts, least privilege RBAC roles, and automated TLS management.
Supported clouds	AWS GCP Azure
Type	Open Source
Technologies	Terraform
Links	Full Repo
Key modules	k8s-namespace: create a Kubernetes namespace Create a namespace in Kubernetes with a set of predefined RBAC roles. k8s-namespace-roles: create RBAC roles for a namespace Create a set of predefined RBAC roles for use with an existing namespace. k8s-service-account: create a Kubernetes service account Create a Kubernetes service account with options to bind the account to a set of RBAC roles.

Description	Run stateless and stateful services on top of an Auto Scaling Group. Supports zero-downtime, rolling deployment, attaching EBS volumes and ENIs, load balancing, health checks, service discovery, and auto scaling.
Supported clouds	AWS
Type	Subscriber-Only
Technologies	Terraform Python
Links	Public Docs Full Repo (ONLY accessible to Gruntwork subscribers!)
Key modules	asg-rolling-deploy: ASG that can do a rolling deployment Create an ASG that can do a zero-downtime rolling deployment. server-group: ASG with persistent EBS volumes and ENIs Run a fixed-size cluster of servers, backed by ASGs, that can automatically attach EBS Volumes and ENIs, while still supporting zero-downtime deployment.

Description	Run the highly-available and scalable load balancers in AWS: Application Load Balancer (ALB), Network Load Balancer (NLB), and the Classic Load Balancer (CLB).
Supported clouds	AWS
Type	Subscriber-Only
Technologies	Terraform
Links	Full Repo (ONLY accessible to Gruntwork subscribers!)
Key modules	alb: deploy an Application Load Balancer Deploy an Application Load Balancer (ALB) in AWS. It supports HTTP, HTTPS, HTTP/2, WebSockets, path-based routing, host-based routing, and health checks. nlb: deploy a Network Load Balancer Deploy a Network Load Balancer (NLB) in AWS. It supports TCP, WebSockets, static IPs, high throughputs, and health checks. acm-tls-certificate: create and validate a TLS certificate Create a free, auto-renewing TLS certificate using AWS Certificate Manager (ACM) and automatically validate it.

Description	Deploy and manage Lambda functions with Terraform and build serverless apps. Automatically upload source code, configure environment variables, create an IAM Role, associate with a VPC. enable versioning/aliasing. Also supports scheduled Lambdas and dead letter targets.
Supported clouds	AWS
Type	Subscriber-Only
Technologies	Terraform
Links	Full Repo (ONLY accessible to Gruntwork subscribers!)
Key modules	lambda: deploy and manage a Lambda function Deploy and manage AWS Lambda functions. Includes support for automatically uploading your code to AWS, configuring an IAM role for your Lambda function, and giving your Lambda function access to your VPCs. scheduled-lambda-job: run a Lambda function on a scheduled basis Configure your Lambda function to run on a scheduled basis, like a cron job. keep-warm: keep a Lambda function warm This is a Lambda function you can use to invoke your other Lambda functions on a scheduled basis to keep those functions "warm," avoiding the cold start issue. lambda-edge: deploy and manage a Lambda@Edge function This module makes it easy to deploy and manage an AWS Lambda@Edge function. Lambda@Edge gives you a way to run code on-demand in AWS Edge locations without having to manage servers.

Description	Build serverless applications by defining APIs in Swagger, running your app locally using SAM, and deploying the app to production using Terraform and API Gateway.
Supported clouds	AWS
Type	Subscriber-Only
Technologies	Terraform Go
Links	Full Repo (ONLY accessible to Gruntwork subscribers!)
Key modules	gruntsam: run and test API Gateway and Lambda locally CLI tool that allows you to define your APIs using Swagger, run and test your code locally using SAM, and deploy your code to production using API Gateway and Lambda. api-gateway-account-settings: configure API Gateway settings set the global (regional) settings required to allow API Gateway to write to CloudWatch logs.

Description	A collection of security best practices for managing secrets, credentials, and servers. Includes streamlined support for CloudTrail, KMS, SSH key management via IAM, IAM Groups, fail2ban, NTP, and OS hardening.
Supported clouds	AWS GCP Azure
Type	Subscriber-Only
Technologies	Terraform Bash Go
Links	Public Docs Full Repo (ONLY accessible to Gruntwork subscribers!)
Key modules	account-baseline-app: account baseline for app accounts A security baseline for AWS Landing Zone for configuring the app accounts. account-baseline-root: account baseline for root accounts A security baseline for AWS Landing Zone for configuring the root account. account-baseline-security: account baseline for security accounts A security baseline for AWS Landing Zone for configuring the security accounts. auto-update: automatically patch servers Configure your servers to automatically install critical security patches. aws-auth: authenticate to AWS from the CLI A script that makes it much easier to use the AWS CLI with MFA and/or multiple AWS accounts. aws-config: enable the AWS Config service Enable AWS Config to monitor, audit, and assess an AWS account for compliance. aws-config-multi-region: enable the AWS Config service in all regions Enable AWS Config in all enabled regions for the AWS account. aws-organizations: manage AWS organizations Manage your AWS Organization and accounts that are part of it. aws-organizations-config-rules: AWS organizations config rules Configure a best-practices set of AWS Config Managed Rules for your organization. cloudtrail: configure audit logging in AWS Configure CloudTrail in an AWS account to audit all API calls. guardduty: enable the GuardDuty service Detect threats and monitor your AWS accounts for malicious activity and unauthorized behavior. guardduty-multi-region: enable the GuardDuty service in all regions Enable GuardDuty in all enabled regions for the AWS account. kms-master-key: create a KMS master key Create a master key in Amazon's Key Management Service and configure permissions for that key. ssh-grunt: manage SSH access via IAM or Houston Manage SSH access to your servers using an identity provider, such as AWS IAM groups or Gruntwork Houston. Every developer in a managed group you specify will be able to SSH to your servers using their own username and SSH key. ssh-grunt-selinux-policy: SELinux policy for ssh-grunt Install a SELinux Local Policy Module that is necessary to make ssh-grunt work on systems with SELinux, such as CentOS. iam-groups: create and manage IAM groups Create a best-practices set of IAM groups for managing access to your AWS account. iam-policies: create and manage IAM policies Create a set of IAM policy documents that can be used in IAM users, groups and roles. custom-iam-entity: create IAM groups and roles with managed policies Create an IAM group or role and attach a custom set of managed policies iam-user-password-policy: create an AWS account password policy Set the AWS Account Password Policy that will govern password requirements for IAM Users. iam-users: create and manage IAM users Create a set of IAM users for managing access to your AWS account. cross-account-iam-roles: create IAM roles for cross-account access Create IAM roles that allow IAM users to easily switch between AWS accounts. saml-iam-roles: allow federated access to AWS using SAML Allow access to AWS using federated identity providers via SAML. fail2ban: install fail2ban Install fail2ban on your servers to automatically ban malicious users. os-hardening: CIS hardening for Linux Build a hardened Linux-AMI that implements certain CIS benchmarks. ntp: install and configure NTP Install and configures NTP on a Linux server. ip-lockdown: block access to IPs Install ip-lockdown on your servers to automatically lock down access to specific IPs, such as locking down the EC2 metadata endpoint so only the root user can access it.

Description	A collection of scripts and Terraform code that implement common CI and build pipeline tasks including running Jenkins, configuring CircleCi, building a Docker image, building a Packer image, updating Terraform code, pushing to git, sharing or making AMIs public, and configuring the build environment.
Supported clouds	AWS GCP Azure
Type	Subscriber-Only
Technologies	Terraform Bash
Links	Public Docs Full Repo (ONLY accessible to Gruntwork subscribers!)
Key modules	aws-helpers: automate common AWS tasks Automate common AWS tasks, such as publishing AMIs to multiple regions. build-helpers: automate Docker and Packer builds Automate the process of building versioned, immutable, deployable artifacts, including Docker images and AMIs built with Packer. circleci-helpers: configure a CircleCi environment Configure the CircleCI environment, including installing Go and configuring GOPATH. iam-policies: IAM policies for CI servers Configure common IAM policies for CI servers, including policies for automatically pushing Docker containers to ECR, deploying Docker images to ECS, and using S3 for Terraform remote state. terraform-helpers: automate using Terraform in CI Automate common CI tasks that involve Terraform, such as automatically updating variables in a .tfvars file. ec2-backup: backup an EC2 instance on a schedule Run a Lambda function to make scheduled backups of EC2 Instances. install-jenkins: install Jenkins Install Jenkins on a Linux server. jenkins-server: deploy Jenkins Deploy a Jenkins server with an ASG, EBS Volume, ALB, and Route 53 settings.

Description	Run MySQL, Postgres, MariaDB, or Amazon Aurora on Amazon’s Relational Database Service (RDS) or Amazon Redshift. Creates the database, sets up replicas, configures multi-zone automatic failover and automatic backup.
Supported clouds	AWS
Type	Subscriber-Only
Technologies	Terraform Python
Links	Public Docs Full Repo (ONLY accessible to Gruntwork subscribers!)
Key modules	rds: deploy RDS for MySQL, PostgreSQL, Oracle, etc Deploy a relational database on top of RDS. Includes support for MySQL, PostgreSQL, Oracle, and SQL Server, as well as automatic failover, read replicas, backups, patching, and encryption. aurora: deploy RDS for Aurora Deploy Amazon Aurora on top of RDS. This is a MySQL-compatible database that supports automatic failover, read replicas, backups, patching, and encryption. redshift: deploy a Redshift cluster Deploy Amazon Redshift. This is a managed data warehouse that supports automatic failover, backups, patching, and encryption. lambda-create-snapshot: snapshot an RDS database on a schedule Create an AWS Lambda function that runs on a scheduled basis and takes snapshots of an RDS database for backup purposes. Includes an AWS alarm that goes off if backup fails. lambda-share-snapshot: share RDS snapshots with another account An AWS Lambda function that can automatically share an RDS snapshot with another AWS account. Useful for storing your RDS backups in a separate backup account. lambda-copy-shared-snapshot: copy RDS snapshots An AWS Lambda function that can make a local copy of an RDS snapshot shared from another AWS account. Useful for storing your RDS backups in a separate backup account. lambda-cleanup-snapshots: delete RDS snapshots An AWS Lambda function that runs on a scheduled basis to clean up old RDS database snapshots. Useful to ensure you aren't spending lots of money storing old snapshots you no longer need.

Description	Run Redis or Memcached clusters using Amazon’s ElastiCache Service. Creates the cluster, sets up replicas, configures multi-zone automatic failover and automatic backup.
Supported clouds	AWS
Type	Subscriber-Only
Technologies	Terraform
Links	Public Docs Full Repo (ONLY accessible to Gruntwork subscribers!)
Key modules	redis: deploy Redis on ElastiCache Deploy a Redis cluster on top of ElastiCache. Includes support for automatic failover, backup, patches, and cluster scaling. memcached: deploy mecached on ElastiCache Deploy a Memcached cluster on top of ElastiCache.

Description	Set up a best-practices deployment of a single, stateful server on top of AWS, such as Jenkins or WordPress. Supports EBS volume re-attachment, and a scheduled Lambda job to backup the Instance on a cron schedule. Includes alarm if backup jobs fail.
Supported clouds	AWS
Type	Subscriber-Only
Technologies	Terraform Bash
Links	Public Docs Full Repo (ONLY accessible to Gruntwork subscribers!)
Key modules	single-server: deploy an EC2 instance Run a server in AWS and configure its IAM role, security group, optional Elastic IP Address (EIP), and optional DNS A record in Route 53. attach-eni: attach an ENI to a server Attach an Elastic Network Interface (ENI) to a server during boot. This is useful when you need to maintain a pool of IP addresses that remain static even as the underlying servers are replaced. persistent-ebs-volume: attach and mount an EBS volume to a server Attach and mount an EBS Volume in a server during boot. This is useful when you want to maintain data on a hard disk even as the underlying server is replaced. route53-helpers: attach a DNS record in Route 53 to a server Attach a DNS A record in Route 53 to a server during boot. This is useful when you want a pool of domain names that remain static even as the underlying servers are replaced.

Description	Deploy your static content and static websites on S3, optionally with a CloudFront distribution in front of it as a CDN. Includes bucket versioning, access logging, cache settings, Route 53 DNS entries, and TLS certs.
Supported clouds	AWS
Type	Subscriber-Only
Technologies	Terraform
Links	Full Repo (ONLY accessible to Gruntwork subscribers!)
Key modules	s3-static-website: deploy a static website on S3 Create an S3 bucket to host a static website. Includes support for custom routing rules and custom domain names. s3-cloudfront: deploy CloudFront as a CDN Deploy a CloudFront distribution as a CDN in front of an S3 bucket. Includes support for custom caching rules, custom domain names, and SSL.

Description	Deploy a MongoDB cluster, including replica sets, sharding, an automated bootstrapping process, backup, recovery, and OS optimizations.
Supported clouds	AWS
Type	Subscriber-Only
Technologies	Terraform Bash
Links	Full Repo (ONLY accessible to Gruntwork subscribers!)
Key modules	install-mongodb: install MongoDB Install MongoDB and all of its dependencies on a Linux server. run-mongodb: configure and run MongoDB Boot up a mongod, mongos, or mongo config server. Meant to be used in the User Data of the servers in your MongoDB cluster. mongodb-cluster: run a MongoDB cluster Run a MongoDB cluster using an Auto Scaling Group (ASG) and configure its IAM role, security group, EBS Volume, ENI, and private domain name. backup-mongodb: back up MongoDB Back up the data in your MongoDB cluster to S3. init-mongodb: configure a MongoDB replica set Configure a MongoDB replica set.

Description	Deploy a cluster of Apache brokers that can automatically bootstrap themselves. Includes support for automatically discovering a ZooKeeper cluster, EBS Volumes for better log performance, automated zero-downtime rolling deployment, end-to-end encryption, OS optimizations, and security groups and IAM policy configuration.
Supported clouds	AWS
Type	Subscriber-Only
Technologies	Terraform Bash
Links	Full Repo (ONLY accessible to Gruntwork subscribers!)
Key modules	install-kafka: install Kafka Install Kafka and its dependencies on a Linux server. kafka-cluster: deploy a cluster of Kafka brokers Deploy a Kafka cluster using the server-group module from the AMI Cluster Infrastructure Package. Includes support for EBS Volumes for the Kafka log. confluent-tools-cluster: deploy a cluster for Confluent tools Run a cluster of Confluent tools (REST Proxy, Schema Registry, Kafka Connect). install-confluent-tools: install Confluent tools Install Confluent tools (REST Proxy and Schema Registry) on Linux. run-kafka-connect: configure and run Kafka Connect Configure and run Kafka Connect. run-kafka-rest: configure and run Kafka REST proxy Configure and run Kafka REST Proxy. run-schema-registry: configure and run Schema Registry Configure and run Schema Registry.

Description	Deploy an Apache ZooKeeper cluster that can automatically bootstrap itself. Includes support for Exhibitor as a process supervisor and management UI for ZooKeeper, static IP addresses (ENIs), EBS Volumes for better transaction log performance, automated zero-downtime rolling deployment, automatic recovery of failed servers, and security groups and IAM policy configuration.
Supported clouds	AWS
Type	Subscriber-Only
Technologies	Terraform Bash
Links	Full Repo (ONLY accessible to Gruntwork subscribers!)
Key modules	install-zookeeper: install ZooKeeper Install ZooKeeper and its dependencies on a Linux server. install-exhibitor: install Exhibitor Install Exhibitor and its dependencies on a Linux server. install-openjdk: install OpenJDK Install OpenJDK on a Linux server run-exhibitor: configure and run Exhibitor and ZooKeeper Configure and run Exhibitor and ZooKeeper on a Linux server run-health-checker: run a ZooKeeper health check Run a custom health check for ZooKeeper. Used in conjunction with a load balancer to do zero-downtime rolling updates of the ZooKeeper cluster. zookeeper-cluster: deploy a ZooKeeper cluster Deploy a ZooKeeper cluster using the server-group module from the AMI Cluster Infrastructure Package. Includes support for EBS Volumes for the transaction log as well as a set of ENIs to provide static IP addresses to ZooKeeper clients.

Description	Deploy and manage an ELK cluster. Includes support for deploying separate Elasticsearch, Logstash and Kibana clusters, each with automated zero-downtime rolling deployment, automatic recovery of failed servers, and security groups and IAM policy configuration. Also contains scripts for setting up Filebeat and CollectD on an application server to ship off logs and machine metrics to Elasticsearch.
Supported clouds	AWS
Type	Subscriber-Only
Technologies	Terraform Bash
Links	Full Repo (ONLY accessible to Gruntwork subscribers!)
Key modules	elasticsearch-cluster: deploy an Elasticsearch cluster Deploy a cluster of Elasticsearch nodes with zero-downtime deployment and auto-recovery of failed nodes. kibana-cluster: deploy a Kibana cluster Deploy a cluster of Kibana nodes with zero-downtime deployment and auto-recovery of failed nodes. logstash-cluster: deploy a Logstash cluster Deploy a cluster of Logstash nodes with zero-downtime deployment and auto-recovery of failed nodes. elastalert: configure and run ElastAlert on a server Runs ElastAlert in an instance, which makes API calls to the Elasticsearch cluster and sends alerts based on pre-defined data pattern rules. run-filebeat: configure and run Filebeat on a server Runs Filebeat on an application server to ship application logs off to Logstash cluster. run-collectd: configure and run CollectD on a server Runs CollectD on an application server and ships off machine metrics to th Logstash cluster.

Description	Deploy an OpenVPN server and manage user accounts using IAM groups. Includes automatic install and configuration of a high-availability OpenVPN server, public key infrastructure (PKI), data backup, IAM policies, security groups, and cross-platform apps to automatically request and revoke credentials.
Supported clouds	AWS
Type	Subscriber-Only
Technologies	Terraform Bash Go
Links	Full Repo (ONLY accessible to Gruntwork subscribers!)
Key modules	install-openvpn: install OpenVPN on a Linux server Install OpenVPN and its dependencies on a Linux server. init-openvpn: initialize OpenVPN, PKI, and CA Initialize an OpenVPN server, including its Public Key Infrastructure (PKI), Certificate Authority (CA) and configuration. openvpn-admin: CLI tool to manage OpenVPN certs A command-line utility that allows users to request new certificates, administrators to revoke certificates and the OpenVPN server to process those requests. All access and permissions are controlled via IAM. openvpn-server: deploy an OpenVPN server Deploy an OpenVPN server and configure its IAM role, security group, Elastic IP Address (EIP), S3 bucket for storage, and SQS queues.

Description	Create SQS queues with support for FIFO, message retention, message delays, content-based deduplication, dead-letter queues, and IP-based access controls. Create SNS topics with configurable IAM and delivery policies. Create Kinesis streams with configurable or auto-calculated shard and retention settings.
Supported clouds	AWS
Type	Subscriber-Only
Technologies	Terraform
Links	Full Repo (ONLY accessible to Gruntwork subscribers!)
Key modules	sqs: create an SQS queue Create an SQS queue. Includes support for FIFO, dead letter queues, and IP-limiting. sns: create an SNS topic Create an SNS topic as well as the publisher and subscriber policies for that topic. kinesis: create a Kinesis stream Create a Kinesis stream and configure its sharding settings.

Description	Terraform modules for running a Kubernetes cluster on Google Cloud Platform (GCP) using Google Kubernetes Engine (GKE).
Supported clouds	GCP
Type	Open Source
Technologies	Terraform
Links	Full Repo
Key modules	gke-cluster: deploy a GKE cluster Deploy a GKE cluster to run a managed Kubernetes Control Plane. Supports autoscaling, StackDriver monitoring, private and public access. gke-service-account: configure a GCP service account Configure a GCP Service Account that can be used with a GKE cluster. This can be used to allow applications Pods running on your GKE workers to access other GCP services.

Description	Create a best-practices Virtual Private Cloud (VPC) on GCP. Includes multiple subnet tiers, firewall rules, NAT gateways, and VPC peering.
Supported clouds	GCP
Type	Open Source
Technologies	Terraform
Links	Full Repo
Key modules	vpc-network: deploy a VPC Launch a secure VPC network on GCP. Supports "access tiers", a pair of subnetwork and network tags. By defining an appropriate subnetwork and tag for an instance, you'll ensure that traffic to and from the instance is properly restricted. network-peering: peer VPCs Configure peering connections between your networks, allowing you to limit access between environments and reduce the risk of production workloads being compromised. network-firewall: configure firewall rules for a VPC Configures the firewall rules expected by the vpc-network module.

Description	Run relational databases such as MySQL and PostgreSQL on Google Cloud Platform (GCP) using Cloud SQL.
Supported clouds	GCP
Type	Open Source
Technologies	Terraform
Links	Full Repo
Key modules	cloud-sql: deploy MySQL or PostgreSQL Deploy a Cloud SQL MySQL or PostgreSQL database. Supports automated backups, private and public access, autoresizing of disks, TLS, HA, and read replicas.

Description	Manage static assets (CSS, JS, images) on GCP using Google Cloud Storage and HTTP Load Balancers.
Supported clouds	GCP
Type	Open Source
Technologies	Terraform
Links	Full Repo
Key modules	cloud-storage-static-website: deploy a website in a GCS bucket Deploy a GCS bucket to host static content as a website. Supports assigning a custom domain to host the content under. http-load-balancer-website: deploy a load balancer for a GCS bucket Deploy a GCS bucket to host static content and serve using Google Cloud Load Balancing. Supports configuring SSL/TLS with a custom domain name.

Description	Perform load balancing on GCP using Google Cloud Load Balancer, with support for HTTP, HTTPs, and global forwarding rules.
Supported clouds	GCP
Type	Open Source
Technologies	Terraform
Links	Full Repo
Key modules	http-load-balancer: deploy an HTTP(s) Cloud Load Balancer Deploy an HTTP(S) Cloud Load Balancer using global forwarding rules. Supports balancing HTTP and HTTPS traffic across multiple backend instances, across multiple regions.

Description	kubergrunt is a standalone go binary with a collection of commands that attempts to fill in the gaps between Terraform, Helm, and Kubectl for managing a Kubernetes Cluster. It includes support for authenticating to EKS clusters, managing Helm, and generating and securely storing TLS certificates.
Supported clouds	AWS GCP
Type	Open Source
Technologies	Go
Links	Full Repo

Description	Package services into a best-practices deployment for Kubernetes. Supports zero-downtime, rolling deployment, RBAC roles and groups, auto scaling, secrets management, and centralized logging. Includes support for web services, daemon sets, and tasks / jobs.
Supported clouds	AWS GCP Azure
Type	Open Source
Technologies	Go
Links	Full Repo
Key modules	k8s-service: deploy a Kubernetes service using Helm Package your application service as a docker container and deploy to Kubernetes as a Deployment. Supports replication, rolling deployment, logging, configuration values, and secrets management.

Description	Deploy a best-practices HashiCorp Consul cluster. Includes support for automatic bootstrapping, configuring dnsmasq to use Consul as a DNS server, access to the Consul UI, and automatic recovery of failed servers.
Supported clouds	AWS GCP Azure
Type	Open Source
Technologies	Terraform Bash
Links	AWS Version GCP Version Azure Version
Key modules	install-consul: install Consul on a Linux server Install Consul and its dependencies on a Linux server. install-dnsmasq: install dnsmasq on a Linux server Install dnsmasq on a Linux server and configure it to work with Consul as a DNS server. This allows you to use domain names such as my-app.service.consul. run-consul: configure and run Consul Run Consul and automatically bootstrap the cluster. consul-cluster: deploy a Consul cluster Deploy a Consul cluster on GCP using a Managed Instance Group.

Description	Deploy a best-practices HashiCorp Nomad cluster. Includes support for automatic bootstrapping, automatic discovery of Consul servers (for cluster coordination), automatic recovery of failed servers.
Supported clouds	AWS GCP Azure
Type	Open Source
Technologies	Terraform Bash
Links	AWS Version GCP Version Azure Version
Key modules	install-nomad: install Nomad on a Linux server Install Nomad and its dependencies on a Linux server. run-nomad: configure and run Nomad Run Nomad and automatically connect to a Consul cluster. nomad-cluster: deploy a Nomad cluster Deploy a Nomad cluster on GCP using a Managed Instance Group.

Description	Deploy a best-practices HashiCorp Vault cluster for secrets management. Includes support for automatic bootstrapping, automatic discovery of Consul clusters (for HA cluster coordination), using S3 as a storage backend, creating self-signed TLS certificates, updating the OS certificate store, configuring an ELB in front of Vault to allow public access, and automatic recovery of failed servers.
Supported clouds	AWS GCP Azure
Type	Open Source
Technologies	Terraform Bash
Links	AWS Version GCP Version Azure Version
Key modules	install-vault: install Vault on a Linux server Install Vault and its dependencies on a Linux server. run-vault: configure and run Vault Run Vault and automatically connect to a Consul cluster. private-tls-cert: generate a self-signed TLS cert Generate self-signed TLS certificates for use with Vault. vault-cluster: deploy a Vault cluster Deploy a Vault cluster on GCP using a Managed Instance Group.

Description	Deploy a best-practices Couchbase cluster. Includes support for automatic bootstrapping, running Sync Gateway, Web Console UI, cross-region replication, and automatic recovery of failed servers.
Supported clouds	AWS
Type	Open Source
Technologies	Terraform Bash
Links	AWS Version
Key modules	install-couchbase-server: install Couchbase on a Linux server Install Couchbase and its dependencies on a Linux server. install-sync-gateway: install Sync Gateway on a Linux server Install Sync Gateway and its dependencies on a Linux server. run-couchbase-server: configure and run Couchbase Configure and run Couchbase. run-sync-gateway: configure and run Sync Gateway Configure and start Sync Gateway. couchbase-cluster: deploy a Couchbase cluster Deploy a Couchbase cluster on AWS using an Auto Scaling Group.

Description	Deploy a best-practices TICK stack (Telegraf, InfluxDB, Chronograf, Kapacitor). Includes support for automatic bootstrapping, automatic node discovery, and automatic recovery of failed servers.
Supported clouds	AWS
Type	Open Source
Technologies	Terraform Bash
Links	AWS Version
Key modules	chronograf-server: deploy a Chronograf server deploy a Chronograf server influxdb-cluster: deploy an InfluxDB cluster deploy an InfluxDB cluster install-chronograf: install Chronograf on a Linux server install Chronograf on a Linux server install-influxdb: install InfluxDB on a Linux server install InfluxDB on a Linux server install-kapacitor: install Kapacitor on a Linux server install Kapacitor on a Linux server install-telegraf: install Telegraf on a Linux server install Telegraf on a Linux server kapacitor-server: deploy a Kapacitor server deploy a Kapacitor server run-chronograf: configure and run Chronograf configure and run Chronograf run-influxdb: configure and run InfluxDB configure and run InfluxDB run-kapacitor: configure and run Kapacitor configure and run Kapacitor run-telegraf: configure and run Telegraf configure and run Telegraf

Description	Terratest is a Go library that makes it easier to write automated tests for your infrastructure code. It provides a variety of helper functions and patterns for common infrastructure testing tasks, including testing Terraform code, Packer templates, Docker images, working with AWS, executing commands over SSH, and much more.
Supported clouds	AWS GCP Azure
Type	Open Source
Technologies	Terraform Go
Links	Full Repo

Description	Make secrets management easy using this command-line tool that can encrypt and decrypt data using Amazon Key Management Service (KMS).
Supported clouds	AWS
Type	Subscriber-Only
Technologies	Go
Links	Full Repo (ONLY accessible to Gruntwork subscribers!)

Description	A tool that allows you to manage SSH access to EC2 Instances using either AWS IAM or your Identity Provider (e.g., ADFS, Google, Okta, etc). Developers can use their personal SSH keys to log in.
Supported clouds	AWS
Type	Subscriber-Only
Technologies	Terraform Go
Links	Public Docs Full Repo (ONLY accessible to Gruntwork subscribers!)

Description	A small wrapper script for the AWS CLI that makes it much easier to authenticate to AWS with Multi-factor authentication (MFA), or when you want to assume an IAM Role in another AWS account.
Supported clouds	AWS
Type	Subscriber-Only
Technologies	Bash
Links	Public Docs Full Repo (ONLY accessible to Gruntwork subscribers!)

Description	A collection of reusable Bash functions for handling common tasks such as logging, assertions, string manipulation, and more.
Supported clouds	AWS GCP Azure
Type	Open Source
Technologies	Bash
Links	Full Repo

Description	A tool for cleaning up your cloud accounts by nuking (deleting) all resources within it.
Supported clouds	AWS
Type	Open Source
Technologies	Go
Links	Full Repo

Description	A simple, lightweight package manager for installing Gruntwork modules.
Supported clouds	AWS GCP Azure
Type	Open Source
Technologies	Bash
Links	Full Repo

Description	A tool that makes it easy to download files, folders, and release assets from a specific git commit, branch, or tag of public and private GitHub repos.
Supported clouds	AWS GCP Azure
Type	Open Source
Technologies	Go
Links	Full Repo

Description	A collection of pre-commit hooks for Terraform, bash, Go, and more.
Supported clouds	AWS GCP Azure
Type	Open Source
Technologies	Bash
Links	Full Repo

Description	A CLI tool to perform Gruntwork tasks, such as bootstrapping your GitHub and AWS accounts for the Reference Architecture.
Supported clouds	AWS
Type	Subscriber-Only
Technologies	Go
Links	Full Repo

Description	A collection of miscellaneous utilities and helper modules for use with Terraform. Includes modules for determining the current operating system and running Python/PEX executables from Terraform.
Supported clouds	AWS GCP Azure
Type	Open Source
Technologies	Terraform Python
Links	Full Repo
Key modules	join-path: join paths with the proper separator Join a list of given path parts (that is, file and folder names) into a single path with the appropriate path separator (backslash or forward slash) for the current operating system. operating-system: determine the operating system Figure out what operating system is being used to run Terraform from inside your Terraform code. require-executable: ensure an executable is installed Verify an executable exists on the host system, and emit a friendly error message if it does not. run-pex-as-data-source: run a Python (pex) script as a data source Run a python script with dependencies packaged together as an external data source in a portable way. run-pex-as-resource: run a Python (pex) script as a data source Run a python script with dependencies packaged together as a local-exec provisioner on a null resource in a portable way.

Description	Deploy a best-practices TICK stack (Telegraf, InfluxDB, Chronograf, Kapacitor) in Google Cloud Platform. Includes support for automatic bootstrapping, automatic node discovery, and automatic recovery of failed servers.
Supported clouds	GCP
Type	Open Source
Technologies	Terraform Bash
Links	GCP Version
Key modules	external-firewall: control external traffic into servers control external traffic into servers influxdb-commons: common bash scripts for bootstrapping the servers common bash scripts for bootstrapping the servers install-chronograf: install Chronograf on a Linux server install Chronograf on a Linux server install-influxdb: install InfluxDB on a Linux server install InfluxDB on a Linux server install-kapacitor: install Kapacitor on a Linux server install Kapacitor on a Linux server install-telegraf: install Telegraf on a Linux server install Telegraf on a Linux server run-chronograf: configure and run Chronograf configure and run Chronograf run-influxdb: configure and run InfluxDB configure and run InfluxDB run-kapacitor: configure and run Kapacitor configure and run Kapacitor run-telegraf: configure and run Telegraf configure and run Telegraf service-account-firewall-rules: define firewall rules used to control internal traffic across instances define firewall rules used to control internal traffic across instances tick-instance-group: create Managed Instance Groups for InfluxDB, Kapacitor and Chronograf create Managed Instance Groups for InfluxDB, Kapacitor and Chronograf tick-service-account: create a GCP service account for use with your TICK cluster create a GCP service account for use with your TICK cluster