initial commit

Scott Winkler · Scott Winkler · commit dbf10cf88bc1 · 2021-01-01T21:03:21.000-08:00
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,7 @@
+.DS_Store
+.vscode
+*.tfstate
+*.tfstate.*
+terraform
+**/.terraform/*
+crash.log
diff --git a/README.md b/README.md
@@ -0,0 +1,2 @@
+# S3 Backend Module
+This is a description for a module
diff --git a/examples/default/README.md b/examples/default/README.md
@@ -0,0 +1,3 @@
+# Default example
+
+The example shows the default usages of the module. 
diff --git a/examples/default/main.tf b/examples/default/main.tf
@@ -0,0 +1,8 @@
+provider "aws" {
+  region = "eu-west-1"
+}
+
+module "s3backend" {
+  source    = "../../"
+  namespace = "default"
+}
diff --git a/examples/default/outputs.tf b/examples/default/outputs.tf
@@ -0,0 +1,3 @@
+output "config" {
+  value = module.s3backend
+}
diff --git a/iam.tf b/iam.tf
@@ -0,0 +1,68 @@
+data "aws_caller_identity" "current" {}
+
+locals {
+  principal = var.principal != null ? var.principal : data.aws_caller_identity.current.account_id
+}
+
+resource "aws_iam_role" "iam_role" {
+  name = "${local.namespace}-tf-assume-role"
+
+  assume_role_policy = <<-EOF
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Action": "sts:AssumeRole",
+          "Principal": {
+              "AWS": "${local.principal}"
+          },
+          "Effect": "Allow"
+        }
+      ]
+    }
+  EOF
+
+  tags = {
+    ResourceGroup = local.namespace 
+  }
+}
+
+data "aws_iam_policy_document" "policy_doc" {
+  statement {
+    actions = [
+      "s3:ListBucket",
+    ]
+
+    resources = [
+      aws_s3_bucket.s3_bucket.arn
+    ]
+  }
+
+  statement {
+    actions = ["s3:GetObject", "s3:PutObject"]
+
+    resources = [
+      "${aws_s3_bucket.s3_bucket.arn}/*",
+    ]
+  }
+
+  statement {
+    actions = [
+      "dynamodb:GetItem",
+      "dynamodb:PutItem",
+      "dynamodb:DeleteItem"
+    ]
+    resources = [aws_dynamodb_table.dynamodb_table.arn]
+  }
+}
+
+resource "aws_iam_policy" "iam_policy" {
+  name = "${local.namespace}-tf-policy"
+  path = "/"
+  policy = data.aws_iam_policy_document.policy_doc.json
+}
+
+resource "aws_iam_role_policy_attachment" "policy_attach" {
+  role = aws_iam_role.iam_role.name
+  policy_arn = aws_iam_policy.iam_policy.arn
+}
diff --git a/main.tf b/main.tf
@@ -0,0 +1,72 @@
+data "aws_region" "current" {}
+
+resource "random_string" "rand" {
+  length  = 24
+  special = false
+  upper   = false
+}
+
+locals {
+  namespace = substr(join("-", [var.namespace, random_string.rand.result]), 0, 24)
+}
+
+resource "aws_resourcegroups_group" "resourcegroups_group" {
+  name = "${local.namespace}-group"
+
+  resource_query {
+    query = <<-JSON
+{
+  "ResourceTypeFilters": [
+    "AWS::AllSupported"
+  ],
+  "TagFilters": [
+    {
+      "Key": "ResourceGroup",
+      "Values": ["${local.namespace}"]
+    }
+  ]
+}
+  JSON
+  }
+}
+
+resource "aws_kms_key" "kms_key" {
+  tags = {
+    ResourceGroup = local.namespace 
+  }
+}
+
+resource "aws_s3_bucket" "s3_bucket" {
+  bucket = "${local.namespace}-state-bucket"
+  force_destroy = var.force_destroy_state
+  
+  versioning {
+    enabled = true
+  }
+
+  server_side_encryption_configuration {
+    rule {
+      apply_server_side_encryption_by_default {
+        sse_algorithm     = "aws:kms"
+        kms_master_key_id = aws_kms_key.kms_key.arn
+      }
+    }
+  }
+  
+  tags = {
+    ResourceGroup = local.namespace 
+  }
+}
+
+resource "aws_dynamodb_table" "dynamodb_table" {
+  name         = "${local.namespace}-state-lock"
+  hash_key     = "LockID"
+  billing_mode = "PAY_PER_REQUEST"
+  attribute {
+    name = "LockID"
+    type = "S"
+  }
+  tags = {
+    ResourceGroup = local.namespace 
+  }
+}
diff --git a/outputs.tf b/outputs.tf
@@ -0,0 +1,8 @@
+output "config" {
+  value = {
+    bucket         = aws_s3_bucket.s3_bucket.bucket
+    region         = data.aws_region.current.name
+    role_arn       = aws_iam_role.iam_role.arn
+    dynamodb_table = aws_dynamodb_table.dynamodb_table.name
+  }
+}
diff --git a/variables.tf b/variables.tf
@@ -0,0 +1,17 @@
+variable "namespace" {
+  description = "The project namespace to use for unique resource naming"
+  default     = "s3backend"
+  type        = string
+}
+
+variable "principal" {
+  description = "AWS principal identifier allowed to assume IAM role"
+  default     = null
+  type        = string
+}
+
+variable "force_destroy_state" {
+  description = "Force destroy the s3 bucket containing state files?"
+  default     = true
+  type        = bool
+}
diff --git a/versions.tf b/versions.tf
@@ -0,0 +1,7 @@
+/*terraform {
+  required_version = "~> 0.12"
+  required_providers {
+    aws = "~> 2.19"
+    random = "~> 2.1"
+  }
+}*/

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+# S3 Backend Module`
	`2`	`+This is a description for a module`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+# Default example`
	`2`	`+`
	`3`	`+The example shows the default usages of the module.`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+output "config" {`
	`2`	`+ value = module.s3backend`
	`3`	`+}`