add tfstate module
alismx committed Oct 15, 2024
1 parent b80e6eb commit 0798ca3
Showing 8 changed files with 104 additions and 7 deletions.
8 changes: 7 additions & 1 deletion terraform/implementation/ecs/main.tf
Expand Up @@ -26,8 +26,14 @@ module "ecs" {

# If intent is to pull from the phdi GHCR, set disable_ecr to true (default is false)
# disable_ecr = true

# If intent is to use the non-integrated viewer, set non_integrated_viewer to "true" (default is false)
# non_integrated_viewer = "true"
# If the intent is to make the ecr-viewer availabble on the public internet, set internal to false (default is true) This requires an internet gateway to be present in the VPC.

# If the intent is to make the ecr-viewer availabble on the public internet, set internal to false (default is true)
# This requires an internet gateway to be present in the VPC.
# internal = false

# If the intent is to disable authentication, set ecr_viewer_app_env to "test" (default is "prod")
# ecr_viewer_app_env = "test"
}
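Review bot: The rewritten `internal` guidance on the new side still carries the misspelling `availabble`; it should read `available`. Since the comment two lines below explains that `ecr_viewer_app_env = "test"` disables authentication, the `internal` comment should also warn against combining the two, because `internal = false` together with `ecr_viewer_app_env = "test"` would put an unauthenticated viewer on the public internet; for example `# Do not combine internal = false with ecr_viewer_app_env = "test": that exposes the viewer without authentication.`. The `module "ecs"` block this hunk sits in starts outside the hunk.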
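--- a/terraform/implementation/setup/_local.tf
+++ b/terraform/implementation/setup/_local.tf
@@ -0,0 +1,8 @@
+locals {
+vpc_name = "${var.project}-${var.owner}-${terraform.workspace}"
+tags = {
+project = var.project
+owner = var.owner
+workspace = terraform.workspace
+}
+}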
2 changes: 1 addition & 1 deletion terraform/modules/ecs/_data.tf
Expand Up @@ -36,5 +36,5 @@ data "aws_iam_policy" "amazon_ec2_container_service_for_ec2_role" {

data "aws_route_table" "this" {
for_each = local.private_subnet_kvs
subnet_id = each.key
subnet_id = each.value
}
4 changes: 2 additions & 2 deletions terraform/modules/ecs/_local.tf
Original file line number Diff line number Diff line change
Expand Up @@ -191,6 +191,6 @@ locals {
"com.amazonaws.${var.region}.logs",
"com.amazonaws.${var.region}.secretsmanager",
]
s3_service_name = "com.amazonaws.${var.region}.s3"
private_subnet_kvs = { for rt in var.private_subnet_ids : rt => rt }
s3_service_name = "com.amazonaws.${var.region}.s3"
private_subnet_kvs = { for index, rt in var.private_subnet_ids : index => rt }
}
15 changes: 12 additions & 3 deletions terraform/modules/oidc/_data.tf
Expand Up @@ -41,7 +41,6 @@ data "aws_iam_policy_document" "storage" {
"${var.state_bucket_arn}",
"${var.state_bucket_arn}/*",
"${var.dynamodb_table_arn}",
"arn:aws:s3:::prod-region-starport-layer-bucket/*"
]
}
}
Expand All @@ -52,6 +51,8 @@ data "aws_iam_policy_document" "wildcard" {
statement {
actions = [
"ec2:DescribeAddresses",
"ec2:DescribeVpcEndpoints",
"ec2:DescribePrefixLists",
"ec2:DescribeAddressesAttribute",
"ec2:DescribeFlowLogs",
"ec2:DescribeInternetGateways",
Expand Down Expand Up @@ -135,6 +136,7 @@ data "aws_iam_policy_document" "scoped_one" {
data "aws_iam_policy_document" "scoped_two" {
statement {
actions = [
"ec2:createVpcEndpoint",
"ec2:CreateFlowLogs",
"ec2:CreateNatGateway",
"ec2:CreateNetworkAclEntry",
Expand All @@ -156,6 +158,7 @@ data "aws_iam_policy_document" "scoped_two" {
"arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:natgateway/*",
"arn:aws:ecr:${var.region}:${data.aws_caller_identity.current.account_id}:repository/*",
"arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${local.project_owner_workspace}*",
"arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:vpc-endpoint/*",
]
}
}
Expand All @@ -165,6 +168,7 @@ data "aws_iam_policy_document" "request_tags_create_actions" {
statement {
actions = [
"appmesh:CreateMesh",
"ec2:createVpcEndpoint",
"appmesh:CreateVirtualNode",
"appmesh:DeleteMesh",
"appmesh:DeleteVirtualNode",
Expand All @@ -185,12 +189,14 @@ data "aws_iam_policy_document" "request_tags_create_actions" {
"iam:CreateRole",
"logs:CreateLogDelivery",
"logs:CreateLogGroup",
"logs:TagResource",
"servicediscovery:CreatePrivateDnsNamespace",
]
resources = [
"arn:aws:appmesh:${var.region}:${data.aws_caller_identity.current.account_id}:mesh/${local.project_owner_workspace}",
"arn:aws:appmesh:${var.region}:${data.aws_caller_identity.current.account_id}:mesh/${local.project_owner_workspace}/*",
"arn:aws:appmesh:${var.region}:${data.aws_caller_identity.current.account_id}:mesh/${local.project_owner_workspace}/*",
"arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:vpc/${local.vpc_id}",
"arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:vpc-endpoint/*",
"arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:vpc-flow-log/*",
"arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:subnet/*",
"arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:route-table/*",
Expand Down Expand Up @@ -256,6 +262,7 @@ data "aws_iam_policy_document" "resource_tags_update_actions" {
"iam:TagPolicy",
"iam:UntagPolicy",
"logs:PutRetentionPolicy",
"logs:UntagResource",
"servicediscovery:TagResource",
]
resources = [
Expand Down Expand Up @@ -305,6 +312,7 @@ data "aws_iam_policy_document" "resource_tags_delete_actions" {
"ecs:DeleteCluster",
"ecs:DeleteService",
"ec2:DeleteVpc",
"ec2:DeleteVpcEndpoints",
"ec2:DeleteTags",
"ec2:DisassociateRouteTable",
"ec2:DeleteRouteTable",
Expand Down Expand Up @@ -332,6 +340,7 @@ data "aws_iam_policy_document" "resource_tags_delete_actions" {
"arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:natgateway/*",
"arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:security-group/*",
"arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:vpc-flow-log/*",
"arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:vpc-endpoint/*",
"arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:internet-gateway/*",
"arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:elastic-ip/*",
"arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:network-interface/*",
Expand All @@ -357,4 +366,4 @@ data "aws_iam_policy_document" "resource_tags_delete_actions" {
]
}
}
}
}
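Review bot: The action added in the `scoped_two` hunk and again in the `request_tags_create_actions` hunk is written as `ec2:createVpcEndpoint`, while every neighbouring action (and the matching `ec2:DeleteVpcEndpoints` in the delete hunk) uses the service's PascalCase spelling. IAM matches action names case-insensitively as far as I know, so evaluation should not break, but the odd casing defeats grep/linting of the policy and reads as a typo; both occurrences should become `"ec2:CreateVpcEndpoint",`. The `aws_iam_policy_document` blocks these hunks belong to start outside the hunks, so the condition blocks that scope these create/tag actions are not visible here and were not reviewed.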
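--- a/terraform/modules/tfstate/_output.tf
+++ b/terraform/modules/tfstate/_output.tf
@@ -0,0 +1,7 @@
+output "state_bucket" {
+value = aws_s3_bucket.tfstate
+}
+
+output "dynamodb_table" {
+value = aws_dynamodb_table.tfstate_lock
+}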
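Review bot: Neither output carries a `description`, so `terraform output` and module consumers get no hint of what the exported objects are. Both outputs also hand out the entire resource object rather than the attributes a caller needs, which makes every attribute of the bucket and table part of the module's interface. At minimum add `description = "The S3 bucket that stores the Terraform state"` to `state_bucket` and `description = "The DynamoDB table used for Terraform state locking"` to `dynamodb_table`.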
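--- a/terraform/modules/tfstate/_variable.tf
+++ b/terraform/modules/tfstate/_variable.tf
@@ -0,0 +1,22 @@
+variable "owner" {
+description = "The owner of the project"
+type = string
+default = "skylight"
+}
+
+variable "project" {
+description = "The name of the project"
+type = string
+default = "dibbs-ce"
+}
+
+variable "region" {
+type = string
+description = "The AWS region where resources are created"
+default = "us-east-1"
+}
+
+variable "identifier" {
+type = string
+default = ""
+}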
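Review bot: `identifier` has no `description` and defaults to `""`, yet `main.tf` in this commit interpolates it after a hyphen into the S3 bucket name, so the default yields a name ending in `-`, which S3 rejects (bucket names must begin and end with a letter or digit). Either drop the default so callers must supply a value, or keep it and build the name conditionally in `main.tf`; in both cases a `validation` block that constrains the value to what S3 accepts turns a late apply-time error into a plan-time one. Suggested replacement for the variable:
```hcl
variable "identifier" {
  description = "Suffix that makes the state bucket and lock table names unique; lowercase letters, digits and hyphens, not starting or ending with a hyphen"
  type        = string

  validation {
    condition     = can(regex("^[a-z0-9]([a-z0-9-]*[a-z0-9])?$", var.identifier))
    error_message = "identifier must be lowercase alphanumeric with hyphens and must not start or end with a hyphen."
  }
}
```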
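--- a/terraform/modules/tfstate/main.tf
+++ b/terraform/modules/tfstate/main.tf
@@ -0,0 +1,45 @@
+resource "aws_s3_bucket" "tfstate" {
+bucket = "${var.project}-tfstate-${var.owner}-${var.identifier}"
+
+force_destroy = true
+}
+
+resource "aws_s3_bucket_public_access_block" "default" {
+bucket = aws_s3_bucket.tfstate.id
+
+block_public_acls = true
+block_public_policy = true
+ignore_public_acls = true
+restrict_public_buckets = true
+}
+
+# https://avd.aquasec.com/misconfig/aws/s3/avd-aws-0132/
+# trivy:ignore:AVD-AWS-0132
+resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
+bucket = aws_s3_bucket.tfstate.bucket
+
+rule {
+apply_server_side_encryption_by_default {
+sse_algorithm = "aws:kms"
+}
+}
+}
+
+resource "aws_s3_bucket_versioning" "default" {
+bucket = aws_s3_bucket.tfstate.id
+versioning_configuration {
+status = "Enabled"
+}
+}
+
+# Create a DynamoDB table for locking the state file
+resource "aws_dynamodb_table" "tfstate_lock" {
+name = "${var.project}-tfstate-lock-${var.owner}-${var.identifier}"
+hash_key = "LockID"
+billing_mode = "PAY_PER_REQUEST"
+
+attribute {
+name = "LockID"
+type = "S"
+}
+}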
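Review bot: `force_destroy = true` on `aws_s3_bucket.tfstate` lets a `terraform destroy`, or simply removing the module, delete every object and every version in the state bucket, which cancels out the protection the `aws_s3_bucket_versioning` resource below is there to provide. For a bucket whose only content is the state of other stacks this should be `force_destroy = false`, and the bucket deserves a `lifecycle { prevent_destroy = true }` block so an accidental destroy is refused at plan time. The encryption rule selects `aws:kms` without a `kms_master_key_id`, so the bucket falls back to the AWS-managed `aws/s3` key; the `trivy:ignore:AVD-AWS-0132` marker above it acknowledges that, but the comment should record why a customer-managed key was not used so the suppression does not outlive its reason. The same `${var.identifier}` suffix issue noted on `_variable.tf` applies to the bucket name on the first line of this file.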
