
wip

tags/0.1.0^2
Quentin Vallin 1 year ago
parent
commit
43a44ec079
Signed by: quentin.vallin <quentin.vallin@fxinnovation.com> GPG Key ID: 96D1C2CDC50558C3
11 changed files with 306 additions and 0 deletions
  1. +3
    -0
      .gitignore
  2. +10
    -0
      .pre-commit-config.yaml
  3. +2
    -0
      Jenkinsfile
  4. +1
    -0
      data.tf
  5. +50
    -0
      examples/standard/README.md
  6. +28
    -0
      examples/standard/main.tf
  7. +113
    -0
      examples/standard/outputs.tf
  8. +9
    -0
      examples/standard/variables.tf
  9. +88
    -0
      main.tf
  10. +1
    -0
      outputs.tf
  11. +1
    -0
      variabales.tf

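--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,3 @@
+.terraform
+*.tfstate*
+*.tfvars*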

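--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,10 @@
+repos:
+- repo: git://github.com/antonbabenko/pre-commit-terraform
+rev: v1.8.1
+hooks:
+- id: terraform_fmt
+- id: terraform_docs
+- repo: git://github.com/pre-commit/pre-commit-hooks
+rev: v2.1.0
+hooks:
+- id: check-merge-conflict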
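Review bot: Both hook repositories are fetched over `git://`, an unauthenticated and unencrypted transport that GitHub no longer serves, and `rev` points at tags, which can be moved after the fact; anyone running `pre-commit install` then pulls and executes whatever those references resolve to. Switch to `https://github.com/antonbabenko/pre-commit-terraform` and `https://github.com/pre-commit/pre-commit-hooks`, and pin `rev` to a full commit SHA rather than a tag so the hook code is immutable. A `terraform_validate` hook next to `terraform_fmt` would also have caught the example/module mismatch elsewhere in this commit before it was pushed.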

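--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -0,0 +1,2 @@
+fxTerraform(
+)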

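--- a/data.tf
+++ b/data.tf
@@ -0,0 +1 @@
+data "aws_caller_identity" "current" {}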

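--- a/examples/standard/README.md
+++ b/examples/standard/README.md
@@ -0,0 +1,50 @@
+# Common IAM Standard exemple
+
+Create all the policies and roles
+
+## Usage
+
+To run this example, you need to execute:
+
+```
+$ terraform init
+$ terraform plan
+$ terraform apply
+```
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| access\_key | Credentials: AWS access key. | string | n/a | yes |
+| secret\_key | Credentials: AWS secret key. Pass this as a variable, never write password in the code. | string | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| iam\_instance\_profile\_arn | ARN of the Expertus instance profile. |
+| iam\_instance\_profile\_id | ID of the Expertus instance profile. |
+| iam\_instance\_profile\_path | Path of the Expertus instance profile. |
+| iam\_policy\_ec2\_for\_docker\_arn | ARN of the IAM policy EC2 for docker. |
+| iam\_policy\_ec2\_for\_docker\_id | ID of the IAM policy EC2 for docker. |
+| iam\_policy\_ec2\_for\_docker\_name | Name of the IAM policy EC2 for docker. |
+| iam\_policy\_ec2\_for\_ssm\_arn | ARN of the IAM policy EC2 for SSM. |
+| iam\_policy\_ec2\_for\_ssm\_id | ID of the IAM policy EC2 for SSM. |
+| iam\_policy\_ec2\_for\_ssm\_name | Name of the IAM policy EC2 for SSM. |
+| iam\_policy\_reboot\_ec2\_arn | The ARN of the policy RebootEc2. |
+| iam\_policy\_reboot\_ec2\_id | The ID of the policy RebootEc2. |
+| iam\_policy\_reboot\_ec2\_name | The name of the policy RebootEc2. |
+| iam\_role\_instance\_profile\_arn | ARN of the IAM role of the Expertus instance profile. |
+| iam\_role\_instance\_profile\_id | ID of the IAM role of the Expertus instance profile. |
+| iam\_role\_instance\_profile\_name | Name of the IAM role of the Expertus instance profile. |
+| iam\_role\_instance\_profile\_policy\_arns | All the policies attached to the instance profle. |
+| iam\_role\_read\_only\_arn | The ARN of the role ReadOnlyRoleForEveryOne. |
+| iam\_role\_read\_only\_id | The ID of the role ReadOnlyRoleForEveryOne. |
+| iam\_role\_read\_only\_name | The name of the role ReadOnlyRoleForEveryOne. |
+| iam\_role\_reboot\_ec2\_arn | The ARN of the role ManageEC2LifeCyleRoleForAdministrator. |
+| iam\_role\_reboot\_ec2\_id | The ID of the role ManageEC2LifeCyleRoleForAdministrator. |
+| iam\_role\_reboot\_ec2\_name | The name of the role ManageEC2LifeCyleRoleForAdministrator. |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->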

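--- a/examples/standard/main.tf
+++ b/examples/standard/main.tf
@@ -0,0 +1,28 @@
+provider "aws" {
+version = "~> 2.2.0"
+region = "eu-west-1"
+access_key = "${var.access_key}"
+secret_key = "${var.secret_key}"
+}
+
+resource "random_string" "this" {
+length = 8
+upper = false
+special = false
+}
+
+module "standard" {
+source = "../../"
+
+reboot_ec2_policy_name = "tftestRebootEC2Policy${random_string.this.result}"
+reboot_ec2_role_name = "tftestRebootEC2Role${random_string.this.result}"
+read_only_role_name = "tftestReadOnlyRole${random_string.this.result}"
+ec2_for_ssm_policy_name = "tftestEC2ForSSMPolicy${random_string.this.result}"
+ec2_for_docker_policy_name = "tftestEC2ForDockerPolicy${random_string.this.result}"
+instance_profile_role_name = "tftestInstanceProfileRole${random_string.this.result}"
+instance_profile_name = "tftestInstanceProfileName${random_string.this.result}"
+
+tags {
+Name = "tftest"
+}
+}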
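Review bot: The arguments passed to `module "standard"` (`reboot_ec2_policy_name`, `read_only_role_name`, `instance_profile_name`, …) are not variables of the root module: its `main.tf` reads `var.enabled`, `var.prefix`, `var.names`, `var.values`, `var.kms_key_create` and friends, and its variables file (`variabales.tf`, note the typo) is added empty in this commit, so `terraform plan` on this example cannot succeed. It looks like the example was copied from an IAM-roles module; it should instead pass the SSM parameter inputs the module actually consumes (`names`, `values`, `types`, `descriptions`, `tiers`, `kms_key_create`, …). The `random` provider behind `random_string.this` has no version constraint while `aws` is pinned to `~> 2.2.0`; add `provider "random" { version = "~> 2.1" }` (or whatever the team standardises on) so runs are reproducible.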

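--- a/examples/standard/outputs.tf
+++ b/examples/standard/outputs.tf
@@ -0,0 +1,113 @@
+output "iam_role_reboot_ec2_id" {
+description = "The ID of the role ManageEC2LifeCyleRoleForAdministrator."
+value = "${module.standard.iam_role_reboot_ec2_id}"
+}
+
+output "iam_role_reboot_ec2_arn" {
+description = "The ARN of the role ManageEC2LifeCyleRoleForAdministrator."
+value = "${module.standard.iam_role_reboot_ec2_arn}"
+}
+
+output "iam_role_reboot_ec2_name" {
+description = "The name of the role ManageEC2LifeCyleRoleForAdministrator."
+value = "${module.standard.iam_role_reboot_ec2_name}"
+}
+
+output "iam_role_read_only_id" {
+description = "The ID of the role ReadOnlyRoleForEveryOne."
+value = "${module.standard.iam_role_read_only_id}"
+}
+
+output "iam_role_read_only_arn" {
+description = "The ARN of the role ReadOnlyRoleForEveryOne."
+value = "${module.standard.iam_role_read_only_arn}"
+}
+
+output "iam_role_read_only_name" {
+description = "The name of the role ReadOnlyRoleForEveryOne."
+value = "${module.standard.iam_role_read_only_name}"
+}
+
+output "iam_policy_reboot_ec2_id" {
+description = "The ID of the policy RebootEc2."
+value = "${module.standard.iam_policy_reboot_ec2_id}"
+}
+
+output "iam_policy_reboot_ec2_arn" {
+description = "The ARN of the policy RebootEc2."
+value = "${module.standard.iam_policy_reboot_ec2_arn}"
+}
+
+output "iam_policy_reboot_ec2_name" {
+description = "The name of the policy RebootEc2."
+value = "${module.standard.iam_policy_reboot_ec2_name}"
+}
+
+#####
+# EC2
+#####
+
+output "iam_role_instance_profile_policy_arns" {
+description = "All the policies attached to the instance profle."
+value = "${module.standard.iam_role_instance_profile_policy_arns}"
+}
+
+output "iam_role_instance_profile_id" {
+description = "ID of the IAM role of the Expertus instance profile."
+value = "${module.standard.iam_role_instance_profile_id}"
+}
+
+output "iam_role_instance_profile_arn" {
+description = "ARN of the IAM role of the Expertus instance profile."
+value = "${module.standard.iam_role_instance_profile_arn}"
+}
+
+output "iam_role_instance_profile_name" {
+description = "Name of the IAM role of the Expertus instance profile."
+value = "${module.standard.iam_role_instance_profile_name}"
+}
+
+output "iam_instance_profile_id" {
+description = "ID of the Expertus instance profile."
+value = "${module.standard.iam_instance_profile_id}"
+}
+
+output "iam_instance_profile_arn" {
+description = "ARN of the Expertus instance profile."
+value = "${module.standard.iam_instance_profile_arn}"
+}
+
+output "iam_instance_profile_path" {
+description = "Path of the Expertus instance profile."
+value = "${module.standard.iam_instance_profile_path}"
+}
+
+output "iam_policy_ec2_for_ssm_id" {
+description = "ID of the IAM policy EC2 for SSM."
+value = "${module.standard.iam_policy_ec2_for_ssm_id}"
+}
+
+output "iam_policy_ec2_for_ssm_arn" {
+description = "ARN of the IAM policy EC2 for SSM."
+value = "${module.standard.iam_policy_ec2_for_ssm_arn}"
+}
+
+output "iam_policy_ec2_for_ssm_name" {
+description = "Name of the IAM policy EC2 for SSM."
+value = "${module.standard.iam_policy_ec2_for_ssm_name}"
+}
+
+output "iam_policy_ec2_for_docker_id" {
+description = "ID of the IAM policy EC2 for docker."
+value = "${module.standard.iam_policy_ec2_for_docker_id}"
+}
+
+output "iam_policy_ec2_for_docker_arn" {
+description = "ARN of the IAM policy EC2 for docker."
+value = "${module.standard.iam_policy_ec2_for_docker_arn}"
+}
+
+output "iam_policy_ec2_for_docker_name" {
+description = "Name of the IAM policy EC2 for docker."
+value = "${module.standard.iam_policy_ec2_for_docker_name}"
+}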
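Review bot: Every output in this file dereferences a `module.standard.iam_*` value that the root module does not export — its `outputs.tf` is added as an empty file in this same commit — so `terraform plan` will stop on the first unknown module output. The descriptions also talk about IAM roles and instance profiles, while the module creates SSM parameters, an optional KMS key and one read policy (`aws_iam_policy.read`), so none of these outputs can ever be satisfied. Once the module's outputs exist, regenerate this file from them (for example the read policy ARN, the KMS key ARN/alias and the parameter names) rather than keeping the copied IAM list.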

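--- a/examples/standard/variables.tf
+++ b/examples/standard/variables.tf
@@ -0,0 +1,9 @@
+variable "access_key" {
+description = "Credentials: AWS access key."
+type = "string"
+}
+
+variable "secret_key" {
+description = "Credentials: AWS secret key. Pass this as a variable, never write password in the code."
+type = "string"
+}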
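Review bot: `secret_key` is a plain string variable fed straight into the provider block, so its value ends up in any saved plan file and in shell history when passed with `-var`; the description's "never write password in the code" only covers the tfvars side, and the Terraform generation this syntax targets (`type = "string"`) has no `sensitive` flag to mask it. The safer change is to drop both variables and let the AWS provider resolve credentials from `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY`, a shared profile or an assumed role, leaving the example nothing secret to handle. If they have to stay, make the expected channel explicit: `description = "AWS secret key. Prefer the provider credential chain; if set, supply it via TF_VAR_secret_key and never commit a tfvars file."`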

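--- a/main.tf
+++ b/main.tf
@@ -0,0 +1,88 @@
+####
+# SSM Parameters
+####
+
+resource "aws_ssm_parameter" "this" {
+count = "${var.enabled ? var.ssm_parameter_count : 0}"
+
+name = "/${var.prefix}${element(var.names, count.index)}"
+description = "${element(var.descriptions, count.index)}"
+type = "${element(var.types, count.index)}"
+value = "${element(var.values, count.index)}"
+tier = "${element(var.tiers, count.index)}"
+
+key_id = "${var.kms_key_create ? aws_kms_key.this.arn : var.kms_key_arn}"
+overwrite = "${var.overwrite}"
+allowed_pattern = "${element(var.allowed_patterns, count.index)}"
+
+tags = "${merge(
+map("Terraform", "true"),
+var.tags
+)}"
+}
+
+resource "aws_kms_key" "this" {
+count = "${var.enabled && var.kms_key_create ? 1 : 0}"
+
+description = "KMS Key for ${var.prefix} SSM secure strings parameters encryption."
+
+tags = "${merge(
+map("Terraform", "true"),
+map("Name", var.kms_key_name),
+var.tags,
+var.kms_tags
+)}"
+}
+
+resource "aws_kms_alias" "this" {
+count = "${var.enabled && var.kms_key_create ? 1 : 0}"
+
+name = "${var.kms_key_alias_name}"
+target_key_id = "${aws_kms_key.this.key_id}"
+}
+
+####
+# IAM Instance Profile
+####
+
+data "aws_iam_policy_document" "read" {
+statement {
+sid = "Allow${var.prefix}SSMParameterAccess"
+
+effect = "Allow"
+
+actions = [
+"ssm:DescribeAssociation",
+"ssm:GetDocument",
+"ssm:DescribeDocument",
+"ssm:GetParameter",
+"ssm:GetParameters",
+]
+
+resources = [
+"arn:aws:ssm:*:${data.aws_caller_identity.current.account_id}:parameter/${var.ssm_parameter_prefix}/var.names.*",
+]
+}
+
+statement {
+sid = "Allow${var.prefix}SSMParameterKMSAccess"
+
+effect = "Allow"
+
+actions = [
+"kms:Decrypt",
+"kms:ListKeyPolicies",
+"kms:GetKeyPolicy",
+"kms:DescribeKey",
+]
+
+resources = "${var.kms_key_create ? aws_kms_key.this.arn : var.kms_key_arn}"
+}
+}
+
+resource "aws_iam_policy" "read" {
+count = "${var.enabled && var.policy_create ? 1 : 0}"
+name = "${var.policy_name}"
+path = "${var.policy_path}"
+policy = "${data.aws_iam_policy_document.read.json}"
+}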
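Review bot: The parameter ARN in the first statement, `parameter/${var.ssm_parameter_prefix}/var.names.*`, contains the literal text `var.names.*` rather than an interpolation and keys off `var.ssm_parameter_prefix`, while the parameters themselves are created as `/${var.prefix}${name}`, so the read policy grants access to a path that is never created and nothing to the parameters it is meant to cover. Both `key_id` and the KMS statement's `resources` use a `? :` on `aws_kms_key.this.arn`; with the 0.11-era syntax this file uses both branches are evaluated and a resource with `count` must be addressed through `aws_kms_key.this.*.arn`, so `kms_key_create = false` fails at plan time, and `resources` expects a list rather than a bare string. The `element(concat(...))` form below handles both cases and can replace the `key_id` expression as well. While here, `ssm:DescribeAssociation`, `ssm:GetDocument` and `ssm:DescribeDocument` do not act on parameter ARNs, and `kms:ListKeyPolicies`/`kms:GetKeyPolicy` are not needed to decrypt a SecureString, so dropping them tightens the policy to what the instance role actually does.
```hcl
data "aws_iam_policy_document" "read" {
  statement {
    sid    = "Allow${var.prefix}SSMParameterAccess"
    effect = "Allow"

    # Only parameter actions apply to parameter ARNs; the document/association
    # actions previously listed here were no-ops against these resources.
    actions = [
      "ssm:GetParameter",
      "ssm:GetParameters",
    ]

    # One ARN per parameter, built from the same prefix/name pair that
    # aws_ssm_parameter.this uses for the parameter name.
    resources = ["${formatlist("arn:aws:ssm:*:%s:parameter/%s%s", data.aws_caller_identity.current.account_id, var.prefix, var.names)}"]
  }

  statement {
    sid    = "Allow${var.prefix}SSMParameterKMSAccess"
    effect = "Allow"

    actions = [
      "kms:Decrypt",
      "kms:DescribeKey",
    ]

    # Created key first, caller-supplied ARN as fallback; avoids referencing a
    # count=0 resource when kms_key_create is false.
    resources = ["${element(concat(aws_kms_key.this.*.arn, list(var.kms_key_arn)), 0)}"]
  }
}
# … unchanged: aws_ssm_parameter.this, aws_kms_key.this, aws_kms_alias.this, aws_iam_policy.read …
```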

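--- a/outputs.tf
+++ b/outputs.tf
@@ -0,0 +1 @@
+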

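--- a/variabales.tf
+++ b/variabales.tf
@@ -0,0 +1 @@
+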
