Module restructuring

- Renamed the s3 module to backup - Bumped GraphDB version to 10.4.0-RC5 - Removed IAM backup user - Moved IAM policies to their respectful modules - Added configurations for LB thresholds and SG - Formatting
Ontotext-AD · Oct 10, 2023 · f70b77c · f70b77c
1 parent baa39e9
commit f70b77c
Show file tree

Hide file tree

Showing 25 changed files with 287 additions and 304 deletions.
diff --git a/main.tf b/main.tf
@@ -12,21 +12,28 @@ provider "aws" {
   }
 }
 
+module "iam" {
+  source = "./modules/iam"
+
+  resource_name_prefix        = var.resource_name_prefix
+  permissions_boundary        = var.permissions_boundary
+  user_supplied_iam_role_name = var.user_supplied_iam_role_name
+}
+
 module "dns" {
   source = "./modules/dns"
 
-  vpc_id        = var.vpc_id
-  zone_dns_name = var.zone_dns_name
+  vpc_id               = var.vpc_id
+  resource_name_prefix = var.resource_name_prefix
+  zone_dns_name        = var.zone_dns_name
+  iam_role_id          = module.iam.iam_role_id
 }
 
-module "iam" {
-  source = "./modules/iam"
+module "backup" {
+  source = "./modules/backup"
 
-  permissions_boundary        = var.permissions_boundary
-  resource_name_prefix        = var.resource_name_prefix
-  user_supplied_iam_role_name = var.user_supplied_iam_role_name
-  s3_bucket_name              = module.s3.backup_bucket_name
-  route53_zone_id             = module.dns.zone_id
+  resource_name_prefix = var.resource_name_prefix
+  iam_role_id          = module.iam.iam_role_id
 }
 
 module "config" {
@@ -48,9 +55,8 @@ module "load_balancer" {
   lb_health_check_path          = var.lb_health_check_path
   lb_health_check_interval      = var.lb_health_check_interval
   lb_enable_deletion_protection = var.prevent_resource_deletion
-  tls_enabled                   = var.tls_enabled
-  tls_certificate_arn           = var.tls_certificate_arn
-  tls_policy                    = var.tls_policy
+  lb_tls_certificate_arn        = var.lb_tls_certificate_arn
+  lb_tls_policy                 = var.lb_tls_policy
 }
 
 module "user_data" {
@@ -60,10 +66,10 @@ module "user_data" {
   resource_name_prefix        = var.resource_name_prefix
   user_supplied_userdata_path = var.user_supplied_userdata_path
   device_name                 = var.device_name
-  backup_schedule             = var.backup_schedule
-  backup_retention_count      = var.backup_retention_count
-  backup_iam_key_id           = module.iam.backups_bucket_key_id
-  backup_iam_key_secret       = module.iam.backups_bucket_key_secret
+
+  backup_schedule        = var.backup_schedule
+  backup_retention_count = var.backup_retention_count
+  backup_bucket_name     = module.backup.bucket_name
 
   ebs_volume_type       = var.ebs_volume_type
   ebs_volume_size       = var.ebs_volume_size
@@ -77,20 +83,13 @@ module "user_data" {
   instance_type = var.instance_type
 
   depends_on = [
-    module.config,
+    module.config
   ]
 }
 
-module "s3" {
-  source = "./modules/s3"
-
-  resource_name_prefix = var.resource_name_prefix
-  access_log_bucket    = var.s3_access_log_bucket
-}
-
 locals {
   graphdb_target_group_arns = concat(
-    [module.load_balancer.lb_target_group_arn],
+    [module.load_balancer.lb_target_group_arn]
   )
 }
 
@@ -99,8 +98,8 @@ module "vm" {
 
   allowed_inbound_cidrs     = var.allowed_inbound_cidrs_lb
   allowed_inbound_cidrs_ssh = var.allowed_inbound_cidrs_ssh
-  aws_iam_instance_profile  = module.iam.aws_iam_instance_profile
-  common_tags               = var.common_tags
+  iam_instance_profile      = module.iam.iam_instance_profile
+  iam_role_id               = module.iam.iam_role_id
   instance_type             = var.instance_type
   key_name                  = var.key_name
   lb_subnets                = var.lb_internal ? var.private_subnet_ids : var.public_subnet_ids

diff --git a/modules/backup/README.md b/modules/backup/README.md
@@ -0,0 +1 @@
+# GraphDB Backups Module
diff --git a/modules/s3/main.tf → modules/backup/main.tf b/modules/s3/main.tf → modules/backup/main.tf
@@ -1,5 +1,11 @@
+data "aws_caller_identity" "current" {}
+
+locals {
+  account_id = data.aws_caller_identity.current.account_id
+}
+
 resource "aws_s3_bucket" "backup" {
-  bucket = "${var.resource_name_prefix}-graphdb-backup"
+  bucket = "${var.resource_name_prefix}-graphdb-backup-${local.account_id}"
 }
 
 # Explicitly disable public access
@@ -33,13 +39,6 @@ resource "aws_s3_bucket_versioning" "backup" {
   }
 }
 
-resource "aws_s3_bucket_logging" "backup" {
-  count         = var.access_log_bucket != null ? 1 : 0
-  bucket        = aws_s3_bucket.backup.id
-  target_bucket = var.access_log_bucket
-  target_prefix = "${var.resource_name_prefix}-graphdb-backup-access-logs/"
-}
-
 resource "aws_s3_bucket_policy" "disallow-non-tls-access-to-bucket" {
   bucket = aws_s3_bucket.backup.id
   policy = data.aws_iam_policy_document.disallow-non-tls-access-to-bucket.json
@@ -67,3 +66,30 @@ data "aws_iam_policy_document" "disallow-non-tls-access-to-bucket" {
     }
   }
 }
+
+resource "aws_iam_role_policy" "s3_crud" {
+  name   = "${var.resource_name_prefix}-graphdb-s3-crud"
+  role   = var.iam_role_id
+  policy = data.aws_iam_policy_document.backup_s3_crud.json
+}
+
+data "aws_iam_policy_document" "backup_s3_crud" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "s3:ListBucket",
+      "s3:DeleteObject",
+      "s3:GetObject",
+      "s3:ListObjects",
+      "s3:PutObject",
+      "s3:GetAccelerateConfiguration",
+      "s3:ListMultipartUploadParts",
+      "s3:AbortMultipartUpload"
+    ]
+    resources = [
+      # the exact ARN is needed for the list bucket action, star for put,get,delete
+      "arn:aws:s3:::${aws_s3_bucket.backup.bucket}",
+      "arn:aws:s3:::${aws_s3_bucket.backup.bucket}/*"
+    ]
+  }
+}
diff --git a/modules/backup/outputs.tf b/modules/backup/outputs.tf
@@ -0,0 +1,14 @@
+output "bucket_name" {
+  description = "Name of the S3 bucket for storing GraphDB backups"
+  value       = aws_s3_bucket.backup.bucket
+}
+
+output "bucket_id" {
+  description = "ID of the S3 bucket for storing GraphDB backups"
+  value       = aws_s3_bucket.backup.id
+}
+
+output "bucket_arn" {
+  description = "ARN of the S3 bucket for storing GraphDB backups"
+  value       = aws_s3_bucket.backup.arn
+}
diff --git a/modules/s3/variables.tf → modules/backup/variables.tf b/modules/s3/variables.tf → modules/backup/variables.tf
@@ -1,20 +1,15 @@
-# REQUIRED parameters
-
 variable "resource_name_prefix" {
   description = "Resource name prefix used for tagging and naming AWS resources"
   type        = string
 }
 
-# OPTIONAL parameters
-
-variable "kms_key_arn" {
-  description = "KMS key to use for bucket encryption."
+variable "iam_role_id" {
+  description = "IAM role ID to attach permission policies to"
   type        = string
-  default     = null
 }
 
-variable "access_log_bucket" {
-  description = "S3 bucket ID for storing access logs of the GraphDB backup bucket"
+variable "kms_key_arn" {
+  description = "KMS key to use for bucket encryption. If left empty, it will use the account's default for S3."
   type        = string
   default     = null
 }
diff --git a/modules/s3/versions.tf → modules/backup/versions.tf b/modules/s3/versions.tf → modules/backup/versions.tf
diff --git a/modules/s3/README.md → modules/dns/README.md b/modules/s3/README.md → modules/dns/README.md
diff --git a/modules/dns/main.tf b/modules/dns/main.tf
@@ -1,9 +1,28 @@
 resource "aws_route53_zone" "zone" {
   name = var.zone_dns_name
 
+  # Allows for Terraform to destroy it.
   force_destroy = true
 
   vpc {
     vpc_id = var.vpc_id
   }
 }
+
+resource "aws_iam_role_policy" "route53_instance_registration" {
+  name   = "${var.resource_name_prefix}-graphdb-route53-instance-registration"
+  role   = var.iam_role_id
+  policy = data.aws_iam_policy_document.route53_instance_registration.json
+}
+
+data "aws_iam_policy_document" "route53_instance_registration" {
+  statement {
+    effect = "Allow"
+
+    actions = [
+      "route53:ChangeResourceRecordSets"
+    ]
+
+    resources = ["arn:aws:route53:::hostedzone/${aws_route53_zone.zone.zone_id}"]
+  }
+}
diff --git a/modules/dns/outputs.tf b/modules/dns/outputs.tf
@@ -1,3 +1,4 @@
 output "zone_id" {
-  value = aws_route53_zone.zone.zone_id
+  description = "ID of the private hosted zone for GraphDB DNS resolving"
+  value       = aws_route53_zone.zone.zone_id
 }
diff --git a/modules/dns/variables.tf b/modules/dns/variables.tf
@@ -3,7 +3,17 @@ variable "vpc_id" {
   type        = string
 }
 
+variable "resource_name_prefix" {
+  description = "Resource name prefix used for tagging and naming AWS resources"
+  type        = string
+}
+
 variable "zone_dns_name" {
   description = "DNS name for the private hosted zone in Route 53"
   type        = string
 }
+
+variable "iam_role_id" {
+  description = "IAM role ID to attach permission policies to"
+  type        = string
+}
diff --git a/modules/iam/main.tf b/modules/iam/main.tf
@@ -1,9 +1,9 @@
 resource "aws_iam_instance_profile" "graphdb" {
   name_prefix = "${var.resource_name_prefix}-graphdb"
-  role        = var.user_supplied_iam_role_name != null ? var.user_supplied_iam_role_name : aws_iam_role.instance_role[0].name
+  role        = var.user_supplied_iam_role_name != null ? var.user_supplied_iam_role_name : aws_iam_role.graphdb[0].name
 }
 
-resource "aws_iam_role" "instance_role" {
+resource "aws_iam_role" "graphdb" {
   count                = var.user_supplied_iam_role_name != null ? 0 : 1
   name_prefix          = "${var.resource_name_prefix}-graphdb-"
   permissions_boundary = var.permissions_boundary
@@ -14,7 +14,7 @@ data "aws_iam_policy_document" "instance_role" {
   statement {
     effect = "Allow"
     actions = [
-      "sts:AssumeRole",
+      "sts:AssumeRole"
     ]
 
     principals {
@@ -23,124 +23,3 @@ data "aws_iam_policy_document" "instance_role" {
     }
   }
 }
-
-resource "aws_iam_role_policy" "s3_crud" {
-  count  = var.user_supplied_iam_role_name != null ? 0 : 1
-  name   = "${var.resource_name_prefix}-graphdb-s3-crud"
-  role   = aws_iam_role.instance_role[0].id
-  policy = data.aws_iam_policy_document.s3_crud.json
-}
-
-resource "aws_iam_role_policy" "instance_volume" {
-  count  = var.user_supplied_iam_role_name != null ? 0 : 1
-  name   = "${var.resource_name_prefix}-graphdb-instance-volume"
-  role   = aws_iam_role.instance_role[0].id
-  policy = data.aws_iam_policy_document.instance_volume.json
-}
-
-resource "aws_iam_role_policy" "instance_volume_tagging" {
-  count  = var.user_supplied_iam_role_name != null ? 0 : 1
-  name   = "${var.resource_name_prefix}-graphdb-instance-volume-tagging"
-  role   = aws_iam_role.instance_role[0].id
-  policy = data.aws_iam_policy_document.instance_volume_tagging.json
-}
-
-resource "aws_iam_role_policy" "route53_instance_registration" {
-  count  = var.user_supplied_iam_role_name != null ? 0 : 1
-  name   = "${var.resource_name_prefix}-graphdb-route53-instance-registration"
-  role   = aws_iam_role.instance_role[0].id
-  policy = data.aws_iam_policy_document.route53_instance_registration.json
-}
-
-data "aws_iam_policy_document" "s3_crud" {
-  statement {
-    effect = "Allow"
-    actions = [
-      "s3:ListBucket",
-      "s3:DeleteObject",
-      "s3:GetObject",
-      "s3:ListObjects",
-      "s3:PutObject",
-      "s3:GetAccelerateConfiguration",
-      "s3:ListMultipartUploadParts",
-      "s3:AbortMultipartUpload"
-    ]
-    resources = [
-      # the exact ARN is needed for the list bucket action, star for put,get,delete
-      "arn:aws:s3:::${var.s3_bucket_name}",
-      "arn:aws:s3:::${var.s3_bucket_name}/*"
-    ]
-  }
-}
-
-data "aws_iam_policy_document" "instance_volume" {
-  statement {
-    effect = "Allow"
-
-    actions = [
-      "ec2:CreateVolume",
-      "ec2:AttachVolume",
-      "ec2:DescribeVolumes",
-    ]
-
-    resources = ["*"]
-  }
-}
-
-data "aws_iam_policy_document" "instance_volume_tagging" {
-  statement {
-    effect = "Allow"
-
-    actions = [
-      "ec2:CreateTags"
-    ]
-
-    resources = [
-      "arn:aws:ec2:*:*:volume/*",
-      "arn:aws:ec2:*:*:snapshot/*",
-    ]
-
-    condition {
-      test     = "StringEquals"
-      variable = "ec2:CreateAction"
-      values = [
-        "CreateVolume",
-        "CreateSnapshot",
-      ]
-    }
-  }
-}
-
-data "aws_iam_policy_document" "route53_instance_registration" {
-  statement {
-    effect = "Allow"
-
-    actions = [
-      "route53:ChangeResourceRecordSets"
-    ]
-
-    resources = ["arn:aws:route53:::hostedzone/${var.route53_zone_id}"]
-  }
-}
-
-resource "aws_iam_role_policy_attachment" "systems-manager-policy" {
-  role       = aws_iam_role.instance_role[0].id
-  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
-}
-
-# IAM user needed for the backup upload to S3
-
-resource "aws_iam_user" "this" {
-  name = "${var.resource_name_prefix}-backup"
-  path = "/system/"
-}
-
-resource "aws_iam_access_key" "this" {
-  user = aws_iam_user.this.name
-}
-
-resource "aws_iam_user_policy" "this" {
-  name   = "${var.resource_name_prefix}-s3backups"
-  user   = aws_iam_user.this.name
-  policy = data.aws_iam_policy_document.s3_crud.json
-}