Merge pull request #2 from huksley/cloudposse-master

Cloudposse master

Author: huksley

.gitignore

@@ -1,9 +1,13 @@
 # Compiled files
 *.tfstate
 *.tfstate.backup
+.terraform.tfstate.lock.info
 
 # Module directory
 .terraform/
-
 .idea
 *.iml
+
+# Build Harness
+.build-harness
+build-harness/

Makefile

@@ -1,6 +1,10 @@
 SHELL := /bin/bash
 
+# List of targets the `readme` target should call before generating the readme
+export README_DEPS ?= docs/targets.md docs/terraform.md
+
 -include $(shell curl -sSL -o .build-harness "https://git.io/build-harness"; echo .build-harness)
 
+## Lint terraform code
 lint:
 	$(SELF) terraform:install terraform:get-modules terraform:get-plugins terraform:lint terraform:validate

README.md

@@ -0,0 +1,112 @@
+---
+#
+# This is the canonical configuration for the `README.md`
+# Run `make readme` to rebuild the `README.md`
+#
+
+# Name of this project
+name: terraform-aws-codebuild
+
+# Logo for this project
+#logo: docs/logo.png
+
+# License of this project
+license: "APACHE2"
+
+# Canonical GitHub repo
+github_repo: cloudposse/terraform-aws-codebuild
+
+# Badges to display
+badges:
+  - name: "Build Status"
+    image: "https://travis-ci.org/cloudposse/terraform-aws-codebuild.svg?branch=master"
+    url: "https://travis-ci.org/cloudposse/terraform-aws-codebuild"
+  - name: "Latest Release"
+    image: "https://img.shields.io/github/release/cloudposse/terraform-aws-codebuild.svg"
+    url: "https://github.com/cloudposse/terraform-aws-codebuild/releases"
+  - name: "Slack Community"
+    image: "https://slack.cloudposse.com/badge.svg"
+    url: "https://slack.cloudposse.com"
+
+related:
+  - name: "terraform-aws-ecs-codepipeline"
+    description: "Terraform Module for CI/CD with AWS Code Pipeline and Code Build for ECS"
+    url: "https://github.com/cloudposse/terraform-aws-ecs-codepipeline"
+
+# Short description of this project
+description: |-
+  Terraform module to create AWS CodeBuild project for AWS CodePipeline.
+
+# How to use this project
+usage: |-
+  Include this module in your existing terraform code:
+
+  ```hcl
+  module "build" {
+      source              = "git::https://github.com/cloudposse/terraform-aws-codebuild.git?ref=master"
+      namespace           = "general"
+      name                = "ci"
+      stage               = "staging"
+
+      # https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-available.html
+      build_image         = "aws/codebuild/docker:1.12.1"
+      build_compute_type  = "BUILD_GENERAL1_SMALL"
+
+      # These attributes are optional, used as ENV variables when building Docker images and pushing them to ECR
+      # For more info:
+      # http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html
+      # https://www.terraform.io/docs/providers/aws/r/codebuild_project.html
+
+      privileged_mode     = "true"
+      aws_region          = "us-east-1"
+      aws_account_id      = "xxxxxxxxxx"
+      image_repo_name     = "ecr-repo-name"
+      image_tag           = "latest"
+
+      # Optional extra environment variables
+      environment_variables = [{
+          name  = "JENKINS_URL"
+          value = "https://jenkins.example.com"
+        },
+        {
+          name  = "COMPANY_NAME"
+          value = "Amazon"
+        },
+        {
+          name = "TIME_ZONE"
+          value = "Pacific/Auckland"
+
+        }]
+  }
+  ```
+
+  ### To hide warnings about unset versions in providers
+
+  Add this to your .tf files
+  ```hcl
+  provider "random" {
+    version = "~> 1.0"
+  }
+
+  provider "null" {
+    version = "~> 1.0"
+  }
+  ```
+
+# Other files to include in this README from the project folder
+include:
+  - "docs/targets.md"
+  - "docs/terraform.md"
+
+# Contributors to this project
+contributors:
+  - name: "Erik Osterman"
+    github: "osterman"
+  - name: "Igor Rodionov"
+    github: "goruha"
+  - name: "Andriy Knysh"
+    github: "aknysh"
+  - name: "Jamie Nelson"
+    github: "Jamie-BitfFlight"
+  - name: "Sarkis Varozian"
+    github: "sarkis"

README.yaml

@@ -0,0 +1,10 @@
+## Makefile Targets
+```
+Available targets:
+
+  help                                Help screen
+  help/all                            Display help for all targets
+  help/short                          This help short screen
+  lint                                Lint terraform code
+
+```

docs/targets.md

@@ -0,0 +1,42 @@
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| attributes | Additional attributes (e.g. `policy` or `role`) | list | `<list>` | no |
+| aws_account_id | (Optional) AWS Account ID. Used as CodeBuild ENV variable when building Docker images. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html | string | `` | no |
+| aws_region | (Optional) AWS Region, e.g. us-east-1. Used as CodeBuild ENV variable when building Docker images. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html | string | `` | no |
+| build_compute_type | Instance type of the build instance | string | `BUILD_GENERAL1_SMALL` | no |
+| build_image | Docker image for build environment, e.g. 'aws/codebuild/docker:1.12.1' or 'aws/codebuild/eb-nodejs-6.10.0-amazonlinux-64:4.0.0'. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref.html | string | `aws/codebuild/docker:1.12.1` | no |
+| buildspec | Optional buildspec declaration to use for building the project | string | `` | no |
+| cache_bucket_suffix_enabled | The cache bucket generates a random 13 character string to generate a unique bucket name. If set to false it uses terraform-null-label's id value | string | `true` | no |
+| cache_enabled | If cache_enabled is true, create an S3 bucket for storing codebuild cache inside | string | `true` | no |
+| cache_expiration_days | How many days should the build cache be kept | string | `7` | no |
+| codebuild_var1 |  | string | `var1` | no |
+| codebuild_var1_val |  | string | `value1` | no |
+| codebuild_var2 |  | string | `var2` | no |
+| codebuild_var2_val |  | string | `value2` | no |
+| codebuild_var3 |  | string | `var3` | no |
+| codebuild_var3_val |  | string | `value3` | no |
+| delimiter | Delimiter to be used between `name`, `namespace`, `stage`, etc. | string | `-` | no |
+| enabled | A boolean to enable/disable resource creation | string | `true` | no |
+| github_token | (Optional) GitHub auth token environment variable (`GITHUB_TOKEN`) | string | `` | no |
+| image_repo_name | (Optional) ECR repository name to store the Docker image built by this module. Used as CodeBuild ENV variable when building Docker images. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html | string | `UNSET` | no |
+| image_tag | (Optional) Docker image tag in the ECR repository, e.g. 'latest'. Used as CodeBuild ENV variable when building Docker images. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html | string | `latest` | no |
+| name | Solution name, e.g. 'app' or 'jenkins' | string | `codebuild` | no |
+| namespace | Namespace, which could be your organization name, e.g. 'cp' or 'cloudposse' | string | `global` | no |
+| privileged_mode | (Optional) If set to true, enables running the Docker daemon inside a Docker container on the CodeBuild instance. Used when building Docker images | string | `false` | no |
+| source_location | The location of the source code from git or s3. | string | `` | no |
+| source_type | The type of repository that contains the source code to be built. Valid values for this parameter are: CODECOMMIT, CODEPIPELINE, GITHUB, GITHUB_ENTERPRISE, BITBUCKET or S3. | string | `CODEPIPELINE` | no |
+| stage | Stage, e.g. 'prod', 'staging', 'dev', or 'test' | string | `default` | no |
+| tags | Additional tags (e.g. `map('BusinessUnit', 'XYZ')` | map | `<map>` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| cache_bucket_name | Cache S3 bucket name |
+| project_id | Project ID |
+| project_name | Project name |
+| role_arn | IAM Role ARN |
+

docs/terraform.md

@@ -15,7 +15,59 @@ module "label" {
   tags       = "${var.tags}"
 }
 
+resource "aws_s3_bucket" "cache_bucket" {
+  count         = "${var.enabled == "true" && var.cache_enabled == "true" ? 1 : 0}"
+  bucket        = "${local.cache_bucket_name_normalised}"
+  acl           = "private"
+  force_destroy = true
+  tags          = "${module.label.tags}"
+
+  lifecycle_rule {
+    id      = "codebuildcache"
+    enabled = true
+
+    prefix = "/"
+    tags   = "${module.label.tags}"
+
+    expiration {
+      days = "${var.cache_expiration_days}"
+    }
+  }
+}
+
+resource "random_string" "bucket_prefix" {
+  length  = 12
+  number  = false
+  upper   = false
+  special = false
+  lower   = true
+}
+
+locals {
+  cache_bucket_name = "${module.label.id}${var.cache_bucket_suffix_enabled == "true" ? "-${random_string.bucket_prefix.result}" : "" }"
+
+  ## Clean up the bucket name to use only hyphens, and trim its length to 63 characters.
+  ## As per https://docs.aws.amazon.com/AmazonS3/latest/dev/BucketRestrictions.html
+  cache_bucket_name_normalised = "${substr(join("-", split("_", lower(local.cache_bucket_name))), 0, min(length(local.cache_bucket_name),63))}"
+
+  ## This is the magic where a map of a list of maps is generated
+  ## and used to conditionally add the cache bucket option to the
+  ## aws_codebuild_project
+  cache_def = {
+    "true" = [{
+      type     = "S3"
+      location = "${var.enabled == "true" && var.cache_enabled == "true" ? join("", aws_s3_bucket.cache_bucket.*.bucket) : "none" }"
+    }]
+
+    "false" = []
+  }
+
+  # Final Map Selected from above
+  cache = "${local.cache_def[var.cache_enabled]}"
+}
+
 resource "aws_iam_role" "default" {
+  count              = "${var.enabled == "true" ? 1 : 0}"
   name               = "${module.label.id}"
   assume_role_policy = "${data.aws_iam_policy_document.role.json}"
 }
@@ -38,25 +90,34 @@ data "aws_iam_policy_document" "role" {
 }
 
 resource "aws_iam_policy" "default" {
+  count  = "${var.enabled == "true" ? 1 : 0}"
   name   = "${module.label.id}"
   path   = "/service-role/"
   policy = "${data.aws_iam_policy_document.permissions.json}"
 }
 
+resource "aws_iam_policy" "default_cache_bucket" {
+  count  = "${var.enabled == "true" && var.cache_enabled == "true" ? 1 : 0}"
+  name   = "${module.label.id}-cache-bucket"
+  path   = "/service-role/"
+  policy = "${data.aws_iam_policy_document.permissions_cache_bucket.json}"
+}
+
 data "aws_iam_policy_document" "permissions" {
   statement {
     sid = ""
 
     actions = [
-      "logs:CreateLogGroup",
-      "logs:CreateLogStream",
-      "logs:PutLogEvents",
       "ecr:BatchCheckLayerAvailability",
       "ecr:CompleteLayerUpload",
       "ecr:GetAuthorizationToken",
       "ecr:InitiateLayerUpload",
       "ecr:PutImage",
       "ecr:UploadLayerPart",
+      "logs:CreateLogGroup",
+      "logs:CreateLogStream",
+      "logs:PutLogEvents",
+      "ssm:GetParameters",
     ]
 
     effect = "Allow"
@@ -67,17 +128,39 @@ data "aws_iam_policy_document" "permissions" {
   }
 }
 
+data "aws_iam_policy_document" "permissions_cache_bucket" {
+  count = "${var.enabled == "true" ? 1 : 0}"
+
+  statement {
+    sid = ""
+
+    actions = [
+      "s3:*",
+    ]
+
+    effect = "Allow"
+
+    resources = [
+      "${aws_s3_bucket.cache_bucket.arn}",
+      "${aws_s3_bucket.cache_bucket.arn}/*",
+    ]
+  }
+}
+
 resource "aws_iam_role_policy_attachment" "default" {
+  count      = "${var.enabled == "true" ? 1 : 0}"
   policy_arn = "${aws_iam_policy.default.arn}"
   role       = "${aws_iam_role.default.id}"
 }
 
-#data "aws_ecr_repository" "service" {
-#   count     = "${signum(length(var.image_repo_name)) != 0 ? 1 : 0}"
-#   name      = "${var.image_repo_name}"
-#}
+resource "aws_iam_role_policy_attachment" "default_cache_bucket" {
+  count      = "${var.enabled == "true" && var.cache_enabled == "true" ? 1 : 0}"
+  policy_arn = "${element(aws_iam_policy.default_cache_bucket.*.arn, count.index)}"
+  role       = "${aws_iam_role.default.id}"
+}
 
 resource "aws_codebuild_project" "default" {
+  count        = "${var.enabled == "true" ? 1 : 0}"
   name         = "${module.label.id}"
   service_role = "${aws_iam_role.default.arn}"
 
@@ -139,7 +222,8 @@ resource "aws_codebuild_project" "default" {
 
   source {
     buildspec = "${var.buildspec}"
-    type      = "CODEPIPELINE"
+    type      = "${var.source_type}"
+    location  = "${var.source_location}"
   }
 
   tags = "${module.label.tags}"

main.tf

@@ -1,11 +1,19 @@
 output "project_name" {
-  value = "${aws_codebuild_project.default.name}"
+  description = "Project name"
+  value       = "${join("", aws_codebuild_project.default.*.name)}"
 }
 
 output "project_id" {
-  value = "${aws_codebuild_project.default.id}"
+  description = "Project ID"
+  value       = "${join("", aws_codebuild_project.default.*.id)}"
 }
 
 output "role_arn" {
-  value = "${aws_iam_role.default.id}"
+  description = "IAM Role ARN"
+  value       = "${join("", aws_iam_role.default.*.id)}"
+}
+
+output "cache_bucket_name" {
+  description = "Cache S3 bucket name"
+  value       = "${var.enabled == "true" && var.cache_enabled == "true" ? join("", aws_s3_bucket.cache_bucket.*.bucket) : "UNSET" }"
 }