feat(iam): deploy admin role into prod+dev account (#1)

* feat(iam): deploy admin role into prod account Signed-off-by: kolvin <15124052+Kolvin@users.noreply.github.com> * feat(ci): create terragrunt workflow Signed-off-by: kolvin <15124052+Kolvin@users.noreply.github.com> * feat(ci): workflow syntax Signed-off-by: kolvin <15124052+Kolvin@users.noreply.github.com> * feat(ci): remove pull request syntax, run terragrunt on branch push Signed-off-by: kolvin <15124052+Kolvin@users.noreply.github.com> * feat(ci): remove pull request syntax, run terragrunt on push path Signed-off-by: kolvin <15124052+Kolvin@users.noreply.github.com> * feat(ci): trigger workflow with change Signed-off-by: kolvin <15124052+Kolvin@users.noreply.github.com> * fix(ci): bump terragrunt workflow v Signed-off-by: kolvin <15124052+Kolvin@users.noreply.github.com> * fix(ci): bump terragrunt workflow v Signed-off-by: kolvin <15124052+Kolvin@users.noreply.github.com> * fix(ci): bump terragrunt workflow version Signed-off-by: kolvin <15124052+Kolvin@users.noreply.github.com> * fix(terragrunt): move state bucket and lock table Signed-off-by: kolvin <15124052+Kolvin@users.noreply.github.com> * fix(terragrunt): move state lock table Signed-off-by: kolvin <15124052+Kolvin@users.noreply.github.com> * fix(ci): run CI jobs on common change Signed-off-by: kolvin <15124052+Kolvin@users.noreply.github.com> * chore(ci): bump workflow version Signed-off-by: kolvin <15124052+Kolvin@users.noreply.github.com> * chore(ci): bump workflow version Signed-off-by: kolvin <15124052+Kolvin@users.noreply.github.com> * chore(ci): run workflow on PR targets to main Signed-off-by: kolvin <15124052+Kolvin@users.noreply.github.com> * chore(iam): create admin role for dev account Signed-off-by: kolvin <15124052+Kolvin@users.noreply.github.com> * chore(terraform): bump module version, add plan file to gitignore Signed-off-by: kolvin <15124052+Kolvin@users.noreply.github.com> * chore(terraform): ci Signed-off-by: kolvin <15124052+Kolvin@users.noreply.github.com> * chore(ci): bump workflow version Signed-off-by: kolvin <15124052+Kolvin@users.noreply.github.com> * chore(ci): bump workflow version Signed-off-by: kolvin <15124052+Kolvin@users.noreply.github.com> * chore(ci): bump workflow version Signed-off-by: kolvin <15124052+Kolvin@users.noreply.github.com> * chore(ci): test plan change with new workflow Signed-off-by: kolvin <15124052+Kolvin@users.noreply.github.com> * chore(ci): run terragrunt on main branch Signed-off-by: kolvin <15124052+Kolvin@users.noreply.github.com> --------- Signed-off-by: kolvin <15124052+Kolvin@users.noreply.github.com>
kolvin · Jun 11, 2023 · 47c3bd5 · 47c3bd5
1 parent f9b7389
commit 47c3bd5
Show file tree

Hide file tree

Showing 10 changed files with 283 additions and 0 deletions.
diff --git a/.github/workflows/terragrunt-dev.yml b/.github/workflows/terragrunt-dev.yml
@@ -0,0 +1,24 @@
+name: dev-ci-roles
+
+on:
+  pull_request:
+    branches: main
+    paths: 
+      - 'environments/dev/global/**'
+      - '.github/workflows/**-dev.yml'
+      - 'common.hcl'
+  push:
+    branches: main
+
+jobs:
+  terragrunt:
+    permissions:
+      contents: read
+      id-token: write
+      pull-requests: write
+    uses: kloud-cnf/workflows/.github/workflows/terragrunt.yaml@v0.3.7
+    with:
+      working-directory: "environments/dev/global/"
+      target-account-id: "943824751361"
+      target-region: "eu-west-1"
+      ci-role-name: "github-ci-role-provisioner"
diff --git a/.github/workflows/terragrunt-prod.yml b/.github/workflows/terragrunt-prod.yml
@@ -0,0 +1,24 @@
+name: prod-ci-roles
+
+on:
+  pull_request:
+    branches: main
+    paths: 
+      - 'environments/prod/global/**'
+      - '.github/workflows/**-prod.yml'
+      - 'common.hcl'
+  push:
+    branches: main
+
+jobs:
+  terragrunt:
+    permissions:
+      contents: read
+      id-token: write
+      pull-requests: write
+    uses: kloud-cnf/workflows/.github/workflows/terragrunt.yaml@v0.3.7
+    with:
+      working-directory: "environments/prod/global/"
+      target-account-id: "310394544294"
+      target-region: "eu-west-1"
+      ci-role-name: "github-ci-role-provisioner"
diff --git a/.gitignore b/.gitignore
@@ -150,6 +150,7 @@ fabric.properties
 ### Terraform ###
 # Local .terraform directories
 **/.terraform/*
+**/tgplan.out
 
 # .tfstate files
 *.tfstate

diff --git a/common.hcl b/common.hcl
@@ -0,0 +1,84 @@
+locals {
+  # Read project config file
+  config = jsondecode(file("${get_parent_terragrunt_dir()}/config.json"))
+
+  # Extract values from folder namespacing
+  // "environments/<account>/<region>/<instance>"
+  path           = path_relative_to_include()
+  path_split     = split("/", local.path)
+  component      = "github-aws-ci-roles"
+  account        = local.path_split[1]
+  aws_region     = local.path_split[2]
+  aws_account_id = local.config.aws.accounts[local.account]
+
+  backend_filename = local.config.terragrunt.backend_filename
+
+  tags = merge(
+    {
+      Location = "${local.config.base.git_url}/${path_relative_to_include()}"
+    }
+  )
+}
+
+# DRY terragrunt actions
+# https://terragrunt.gruntwork.io/docs/features/keep-your-cli-flags-dry/
+terraform {
+  extra_arguments "plan" {
+    commands  = ["plan"]
+    arguments = ["-out=${get_terragrunt_dir()}/tgplan.out"]
+  }
+
+  extra_arguments "apply" {
+    commands  = ["apply"]
+    arguments = ["${get_terragrunt_dir()}/tgplan.out"]
+  }
+  source = "git::https://github.com/kloud-cnf/terraform-aws-ci-iam-roles//?ref=v0.2.0"
+}
+
+# Generate an AWS provider block
+# https://terragrunt.gruntwork.io/docs/getting-started/quick-start/#example
+generate "aws_provider" {
+  path      = "_provider.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = file("${get_parent_terragrunt_dir()}/templates/aws_provider.tf.tmpl")
+}
+
+generate "terragrunt_local_vars" {
+  path      = "_locals.tf"
+  if_exists = "overwrite"
+  contents  = <<-EOF
+    locals {
+      terragrunt_dir        = "${get_terragrunt_dir()}"
+      parent_terragrunt_dir = "${get_parent_terragrunt_dir()}"
+      template_dir          = "${get_parent_terragrunt_dir()}/templates"
+      backend_filename      = "${local.backend_filename}"
+      aws_region            = "${local.aws_region}"
+    }
+  EOF
+}
+
+# Configure root level variables that all resources can inherit.
+inputs = merge(
+  {
+    aws_region     = local.aws_region == "global" ? "${local.config.aws.home_region}" : local.aws_region
+    aws_account_id = local.aws_account_id
+  }
+)
+
+# Configure Terragrunt to automatically store tfstate files in an S3 bucket
+remote_state {
+  backend = "s3"
+
+  config = {
+    encrypt        = true
+    bucket         = "terraform-state-${local.aws_account_id}"
+    key            = "${join("/", compact([local.component, local.aws_region]))}/terraform.tfstate"
+    region         = "eu-west-1" # one state bucket per account, multi region support via file path
+    dynamodb_table = "terraform-state-lock-${local.aws_account_id}"
+  }
+
+  generate = {
+    path      = local.backend_filename
+    if_exists = "overwrite_terragrunt"
+  }
+}
diff --git a/config.json b/config.json
@@ -0,0 +1,17 @@
+{
+	"aws": {
+		"home_region": "eu-west-1",
+		"accounts": {
+			"kloud": "016272825626",
+			"dev": "943824751361",
+			"prod": "310394544294",
+			"playground": "128335613984"
+		}
+	},
+	"base": {
+		"git_url": "https://github.com/kolvin/github-aws-ci-roles"
+	},
+	"terragrunt": {
+		"backend_filename": "_backend.tf"
+	}
+}
diff --git a/environments/dev/global/.terraform.lock.hcl b/environments/dev/global/.terraform.lock.hcl
diff --git a/environments/dev/global/terragrunt.hcl b/environments/dev/global/terragrunt.hcl
@@ -0,0 +1,49 @@
+include "common" {
+  path = find_in_parent_folders("common.hcl")
+}
+
+inputs = {
+  platform = "github"
+  roles = [
+    {
+      name_suffix = "admin"
+      trusted_projects_refs = [
+        {
+          paths    = ["kolvin/kloud"]
+          branches = ["*"]
+          tags     = ["*"]
+        }
+      ]
+      managed_policies = ["AdministratorAccess", "AmazonS3FullAccess"]
+    }
+    // {
+    //   name_suffix = "s3-readwrite"
+    //   trusted_projects_refs = [
+    //     { 
+    //       paths = ["kolvin/cdn-assets"]
+    //       branches = ["*"]
+    //       tags = ["*"]
+    //     }
+    //   ]
+    //   managed_policies = ["AmazonS3FullAccess", "AdministratorAccess"]
+    // },
+    // {
+    //   name_suffix = "s3-readonly"
+    //   trusted_projects_refs = [
+    //     { 
+    //       paths = ["kolvin/cdn-assets"]
+    //       branches = ["*"]
+    //       tags = ["*"]
+    //     }
+    //   ]
+    //   templated_policy_statements = [
+    //     {
+    //       template = "s3-readonly"
+    //       values = {
+    //         paths: ["some-bucket-prefix/*"]
+    //       }
+    //     }
+    //   ]
+    // }
+  ]
+}
diff --git a/environments/prod/global/.terraform.lock.hcl b/environments/prod/global/.terraform.lock.hcl
diff --git a/environments/prod/global/terragrunt.hcl b/environments/prod/global/terragrunt.hcl
@@ -0,0 +1,20 @@
+include "common" {
+  path = find_in_parent_folders("common.hcl")
+}
+
+inputs = {
+  platform = "github"
+  roles = [
+    {
+      name_suffix = "admin"
+      trusted_projects_refs = [
+        {
+          paths    = ["kolvin/kloud"]
+          branches = ["*"]
+          tags     = ["*"]
+        }
+      ]
+      managed_policies = ["AdministratorAccess", "AmazonSQSFullAccess"]
+    }
+  ]
+}
diff --git a/templates/aws_provider.tf.tmpl b/templates/aws_provider.tf.tmpl
@@ -0,0 +1,14 @@
+variable "aws_account_id" {
+  type        = string
+  description = "wit account we oan"
+}
+
+variable "aws_region" {
+  type        = string
+  description = "wit region we oan"
+}
+
+provider "aws" {
+  region              = var.aws_region
+  allowed_account_ids = ["${var.aws_account_id}"]
+}