From ad711a7ab2fc04a76f3a7e0410bd57c91d7f3535 Mon Sep 17 00:00:00 2001
From: Kevin
Date: Tue, 23 Nov 2021 17:02:58 -0500
Subject: [PATCH 1/6] Optional SSM policy and SG
---
 main.tf | 23 ++++++++++++++++-------
 outputs.tf | 2 +-
 variables.tf | 16 ++++++++++++++--
 3 files changed, 31 insertions(+), 10 deletions(-)
diff --git a/main.tf b/main.tf
index f2b0d1f..89b9b1f 100644
--- a/main.tf
+++ b/main.tf
@@ -1,7 +1,9 @@
 locals {
- allow_ssm = var.create && var.use_ssm
- create_key = var.create && var.create_keypair
- keypair = local.create_key ? aws_key_pair.instance_root[0].key_name : var.external_keypair
+ create_ssm = var.create && var.create_ssm
+ create_key = var.create && var.create_keypair
+ create_sg = var.create && var.create_sg
+ instance_sg = try(aws_security_group.instance[0].id, "")
+ keypair = local.create_key ? aws_key_pair.instance_root[0].key_name : var.external_keypair
 }
 ##########################################
@@ -9,7 +11,7 @@ locals {
 ##########################################
 resource "aws_security_group" "instance" {
- count = var.create ? 1 : 0
+ count = local.create_sg ? 1 : 0
 name_prefix = "${var.env}-${var.name}-"
 description = "Security group attached to the ${var.env}-${var.name} instance."
 vpc_id = var.vpc
@@ -113,17 +115,23 @@ data "aws_iam_policy_document" "ssm_access" {
 }
 resource "aws_iam_policy" "ssm_access" {
- count = local.allow_ssm ? 1 : 0
+ count = local.create_ssm ? 1 : 0
 name_prefix = "${var.name}-ssm-access-"
 policy = data.aws_iam_policy_document.ssm_access.json
 }
 resource "aws_iam_role_policy_attachment" "ssm_access" {
- count = local.allow_ssm ? 1 : 0
+ count = local.create_ssm ? 1 : 0
 role = aws_iam_role.instance[0].name
 policy_arn = aws_iam_policy.ssm_access[0].arn
 }
+resource "aws_iam_role_policy_attachment" "ssm_access_arn" {
+ count = var.ssm_access_arn != "" ? 1 : 0
+ role = aws_iam_role.instance[0].name
+ policy_arn = var.ssm_access_arn
+}
+
 data "aws_iam_policy_document" "instance_tags" {
 statement {
 actions = [
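Review bot: The new `aws_iam_role_policy_attachment.ssm_access_arn` is gated only on `var.ssm_access_arn != ""` while it still indexes `aws_iam_role.instance[0]`, so a caller that supplies an ARN together with `create = false` gets a plan-time index error rather than an empty plan; the neighbouring `ssm_access` attachment avoids this because `local.create_ssm` folds in `var.create`. Gate it the same way: `count = var.create && var.ssm_access_arn != "" ? 1 : 0`. The role's own `count` is outside the hunk, so its dependence on `var.create` is inferred from the existing attachment. Because this resource attaches whatever managed policy the caller names, a one-line comment above it — `# Attaches a caller-supplied managed policy verbatim; the module does not inspect its statements.` — makes the trust boundary explicit for readers.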
@@ -195,10 +203,11 @@ resource "aws_instance" "instance" {
 private_ip = var.instance_ip != null ? var.instance_ip : null
 subnet_id = var.subnet_id
 user_data = var.userdata_script
- vpc_security_group_ids = concat([aws_security_group.instance[0].id], var.security_groups)
+ vpc_security_group_ids = compact(concat([local.instance_sg], var.security_groups))
 root_block_device {
 delete_on_termination = true
+ encrypted = true
 volume_size = var.volume_size
 volume_type = var.volume_type
 }
diff --git a/outputs.tf b/outputs.tf
index 872d6ee..8085d63 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -5,7 +5,7 @@ output "instance_id" {
 output "instance_sg_id" {
 description = "ID of the instance created"
- value = aws_security_group.instance[0].id
+ value = join("", aws_security_group.instance[*].id)
 }
 output "private_ip" {
diff --git a/variables.tf b/variables.tf
index be44120..e1ea42c 100644
--- a/variables.tf
+++ b/variables.tf
@@ -61,12 +61,24 @@ variable "create_keypair" {
 type = bool
 }
-variable "use_ssm" {
+variable "create_sg" {
 default = true
- description = "Whether or not to associate an IAM managed policy to allow SSM access to the instance."
+ description = "Whether or not to create and associate a security group for the instance. "
 type = bool
 }
+variable "create_ssm" {
+ default = true
+ description = "Whether or not to create and associate an IAM managed policy to allow SSM access to the instance."
+ type = bool
+}
+
+variable "ssm_access_arn" {
+ default = ""
+ description = "Whether or not to associate a pre-created IAM managed policy to allow SSM access to the instance."
+ type = string
+}
+
 variable "userdata_script" {
 description = "Userdata script to execute when provisioning the instance."
 type = string
From 1712adde003e046b62700d73a466c6a76ff5070d Mon Sep 17 00:00:00 2001
From: Kevin
Date: Tue, 23 Nov 2021 21:04:54 -0500
Subject: [PATCH 2/6] Added route53
---
 main.tf | 12 ++++++++++++
 variables.tf | 10 ++++++++++
 2 files changed, 22 insertions(+)
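Review bot: `encrypted = true` in `root_block_device` is a force-new attribute on `aws_instance`, so every instance this module already manages whose root volume is unencrypted will be destroyed and recreated on the next apply, and nothing in the commit message or the hunk says so; at minimum a comment such as `# encrypted is force-new: unencrypted instances are replaced on the first apply after upgrading` belongs next to it, and since no `kms_key_id` is given the volume uses the account's default EBS key, which is worth stating too. The rewritten `vpc_security_group_ids = compact(concat([local.instance_sg], var.security_groups))` also means that with `create_sg = false` and an empty `var.security_groups` the list is empty and AWS falls back to the VPC's default security group, which is rarely the intent; a `lifecycle { precondition }` rejecting that combination (Terraform 1.2+, and the module's version floor is not visible here) or a note in the `create_sg` description would close the gap. The `aws_instance` block starts before this hunk.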
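Review bot: The `instance_sg_id` output's description still says `"ID of the instance created"`, which names the wrong resource, and after this change the value is the empty string whenever `create_sg` is false, which callers cannot learn from the description; `description = "ID of the security group created for the instance; empty when create_sg is false."` states both. The same stale description is carried unchanged through the outputs.tf hunks of patches 5/6 and 6/6, where the empty case becomes `null` instead.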
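Review bot: The description of the new `ssm_access_arn` variable is copied from a boolean — `"Whether or not to associate a pre-created IAM managed policy …"` — but the value is a policy ARN string; `description = "ARN of a pre-created IAM managed policy to attach to the instance role for SSM access. Empty string attaches nothing."` describes what callers actually pass. Since the ARN is attached to the role verbatim in main.tf, a `validation` block accepting only `""` or a value matching `^arn:aws[a-z-]*:iam::(\d{12}|aws):policy/` would catch typos at plan time rather than at the attachment call; the module's Terraform version floor is not visible here. Replacing `use_ssm` with `create_ssm` is a breaking rename for every caller that sets the old name, which the commit message does not flag, and the new `create_sg` description ends with a stray space before the closing quote.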
diff --git a/main.tf b/main.tf
index 89b9b1f..b774c74 100644
--- a/main.tf
+++ b/main.tf
@@ -219,3 +219,15 @@ resource "aws_instance" "instance" {
 },
 )
 }
+
+##########################################
+# Route53 record
+##########################################
+resource "aws_route53_record" "route53_record" {
+ count = var.route53_record != "" ? 1 : 0
+ zone_id = var.route53_zone_id
+ name = var.route53_record
+ type = "A"
+ ttl = "300"
+ records = [aws_instance.instance[0].private_ip]
+}
\ No newline at end of file
diff --git a/variables.tf b/variables.tf
index e1ea42c..b3523cf 100644
--- a/variables.tf
+++ b/variables.tf
@@ -73,6 +73,16 @@ variable "create_ssm" {
 type = bool
 }
+variable "route53_record" {
+ description = "Route53 record to point to EC2 instance."
+ type = string
+}
+
+variable "route53_zone_id" {
+ description = "Route53 zone ID for the route53_record."
+ type = string
+}
+
 variable "ssm_access_arn" {
 default = ""
 description = "Whether or not to associate a pre-created IAM managed policy to allow SSM access to the instance."
From 6f0509b0d3f7843f0120524b676bfa27bcbb2f7e Mon Sep 17 00:00:00 2001
From: Linter Bot
Date: Wed, 24 Nov 2021 02:05:48 +0000
Subject: [PATCH 3/6] Apply automatic changes
---
 main.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/main.tf b/main.tf
index b774c74..2b1b321 100644
--- a/main.tf
+++ b/main.tf
@@ -224,10 +224,10 @@ resource "aws_instance" "instance" {
 # Route53 record
 ##########################################
 resource "aws_route53_record" "route53_record" {
- count = var.route53_record != "" ? 1 : 0
+ count = var.route53_record != "" ? 1 : 0
 zone_id = var.route53_zone_id
 name = var.route53_record
 type = "A"
 ttl = "300"
 records = [aws_instance.instance[0].private_ip]
-}
\ No newline at end of file
+}
From 8fea50784abfd0f35e632fe6ecfcbb24827f476f Mon Sep 17 00:00:00 2001
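Review bot: `aws_route53_record.route53_record` indexes `aws_instance.instance[0]` but its `count` checks only `var.route53_record != ""`, not `var.create`, so a caller that sets a record name with `create = false` gets an index error instead of no record; `count = var.create && var.route53_record != "" ? 1 : 0` matches how the module's other optional resources are gated. `records = [aws_instance.instance[0].private_ip]` publishes the instance's private address, which is only meaningful in a private hosted zone associated with the VPC, and nothing in the resource or the `route53_zone_id` variable says so — a comment such as `# Resolves to the private IP: route53_zone_id must be a private hosted zone associated with var.vpc` would stop callers pointing it at a public zone. `ttl = "300"` is a string where a number is expected; it is coerced, but `ttl = 300` is the conventional form.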
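Review bot: `route53_record` and `route53_zone_id` are declared with no `default`, which makes them required inputs even though main.tf treats the record as optional via `var.route53_record != ""`; every existing caller of the module now fails with a missing-variable error until it adds both. Add `default = ""` to each, matching `ssm_access_arn` directly below, and say so in the description: `description = "Route53 record name to point at the instance's private IP; empty string skips the record."`.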
From: Kevin
Date: Tue, 23 Nov 2021 21:12:14 -0500
Subject: [PATCH 4/6] tf fmt
---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/main.tf b/main.tf
index b774c74..97ad131 100644
--- a/main.tf
+++ b/main.tf
@@ -224,7 +224,7 @@ resource "aws_instance" "instance" {
 # Route53 record
 ##########################################
 resource "aws_route53_record" "route53_record" {
- count = var.route53_record != "" ? 1 : 0
+ count = var.route53_record != "" ? 1 : 0
 zone_id = var.route53_zone_id
 name = var.route53_record
 type = "A"
From 07c9e5dec9faa0363d6a22d9d6ccde48ae5d0c43 Mon Sep 17 00:00:00 2001
From: Kevin
Date: Tue, 23 Nov 2021 21:19:24 -0500
Subject: [PATCH 5/6] Change SG output to null
---
 outputs.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/outputs.tf b/outputs.tf
index 8085d63..fe11cfd 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -5,7 +5,7 @@ output "instance_id" {
 output "instance_sg_id" {
 description = "ID of the instance created"
- value = join("", aws_security_group.instance[*].id)
+ value = length(aws_security_group.instance[*].id) > 0 ? aws_security_group.instance[9].id : null
 }
 output "private_ip" {
From 965ce72c2e9cc07e288422d842819fe87a9850bb Mon Sep 17 00:00:00 2001
From: Kevin
Date: Wed, 24 Nov 2021 11:55:14 -0500
Subject: [PATCH 6/6] Wrong output index
---
 outputs.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/outputs.tf b/outputs.tf
index fe11cfd..4ede59c 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -5,7 +5,7 @@ output "instance_id" {
 output "instance_sg_id" {
 description = "ID of the instance created"
- value = length(aws_security_group.instance[*].id) > 0 ? aws_security_group.instance[9].id : null
+ value = length(aws_security_group.instance[*].id) > 0 ? aws_security_group.instance[0].id : null
 }
 output "private_ip" {
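Review bot: The `instance_sg_id` expression evaluates the `aws_security_group.instance[*].id` splat twice and hand-indexes the result, which is exactly how the `[9]` slip in the previous patch happened; `value = one(aws_security_group.instance[*].id)` yields the single ID or `null` for an empty list in one call. `one()` needs Terraform 0.15 or newer and the module's `required_version` is not visible here, so keep the conditional if the floor is older.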