TES-238: Module restructuring #15

Merged
merged 1 commit into from
Oct 12, 2023
53 changes: 26 additions & 27 deletions main.tf
Expand Up @@ -12,21 +12,28 @@ provider "aws" {
}
}

module "iam" {
source = "./modules/iam"

resource_name_prefix = var.resource_name_prefix
permissions_boundary = var.permissions_boundary
user_supplied_iam_role_name = var.user_supplied_iam_role_name
}

module "dns" {
source = "./modules/dns"

vpc_id = var.vpc_id
zone_dns_name = var.zone_dns_name
vpc_id = var.vpc_id
resource_name_prefix = var.resource_name_prefix
zone_dns_name = var.zone_dns_name
iam_role_id = module.iam.iam_role_id
}

module "iam" {
source = "./modules/iam"
module "backup" {
source = "./modules/backup"

permissions_boundary = var.permissions_boundary
resource_name_prefix = var.resource_name_prefix
user_supplied_iam_role_name = var.user_supplied_iam_role_name
s3_bucket_name = module.s3.backup_bucket_name
route53_zone_id = module.dns.zone_id
resource_name_prefix = var.resource_name_prefix
iam_role_id = module.iam.iam_role_id
}

module "config" {
Expand All @@ -48,9 +55,8 @@ module "load_balancer" {
lb_health_check_path = var.lb_health_check_path
lb_health_check_interval = var.lb_health_check_interval
lb_enable_deletion_protection = var.prevent_resource_deletion
tls_enabled = var.tls_enabled
tls_certificate_arn = var.tls_certificate_arn
tls_policy = var.tls_policy
lb_tls_certificate_arn = var.lb_tls_certificate_arn
lb_tls_policy = var.lb_tls_policy
}

module "user_data" {
Expand All @@ -60,10 +66,10 @@ module "user_data" {
resource_name_prefix = var.resource_name_prefix
user_supplied_userdata_path = var.user_supplied_userdata_path
device_name = var.device_name
backup_schedule = var.backup_schedule
backup_retention_count = var.backup_retention_count
backup_iam_key_id = module.iam.backups_bucket_key_id
backup_iam_key_secret = module.iam.backups_bucket_key_secret

backup_schedule = var.backup_schedule
backup_retention_count = var.backup_retention_count
backup_bucket_name = module.backup.bucket_name

ebs_volume_type = var.ebs_volume_type
ebs_volume_size = var.ebs_volume_size
Expand All @@ -77,20 +83,13 @@ module "user_data" {
instance_type = var.instance_type

depends_on = [
module.config,
module.config
]
}

module "s3" {
source = "./modules/s3"

resource_name_prefix = var.resource_name_prefix
access_log_bucket = var.s3_access_log_bucket
}

locals {
graphdb_target_group_arns = concat(
[module.load_balancer.lb_target_group_arn],
[module.load_balancer.lb_target_group_arn]
)
}

Expand All @@ -99,8 +98,8 @@ module "vm" {

allowed_inbound_cidrs = var.allowed_inbound_cidrs_lb
allowed_inbound_cidrs_ssh = var.allowed_inbound_cidrs_ssh
aws_iam_instance_profile = module.iam.aws_iam_instance_profile
common_tags = var.common_tags
iam_instance_profile = module.iam.iam_instance_profile
iam_role_id = module.iam.iam_role_id
instance_type = var.instance_type
key_name = var.key_name
lb_subnets = var.lb_internal ? var.private_subnet_ids : var.public_subnet_ids
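Review bot: The load_balancer call drops `tls_enabled` (the three old lines become the two new `lb_tls_*` lines, matching the hunk's 9→8 line count), so whether TLS is on now depends on what the load_balancer module does when `lb_tls_certificate_arn` is present or absent, which this diff does not show. If the module still declares `tls_enabled`, the call now silently relies on its default; if the variable was removed, a root `var.tls_enabled` that still exists has no effect — the PR description should say which, or the input should be carried over as `lb_tls_enabled = var.tls_enabled`. Separately, the vm module now receives `iam_role_id` while the iam module loses its EC2 volume and SSM policies; presumably those moved into modules/vm, which is outside this view and should be named in the description. Every module block touched by these hunks continues outside the hunk.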
1 change: 1 addition & 0 deletions modules/backup/README.md
@@ -0,0 +1 @@
# GraphDB Backups Module
42 changes: 34 additions & 8 deletions modules/s3/main.tf → modules/backup/main.tf
@@ -1,5 +1,11 @@
data "aws_caller_identity" "current" {}

locals {
account_id = data.aws_caller_identity.current.account_id
}

resource "aws_s3_bucket" "backup" {
bucket = "${var.resource_name_prefix}-graphdb-backup"
bucket = "${var.resource_name_prefix}-graphdb-backup-${local.account_id}"
}

# Explicitly disable public access
Expand Down Expand Up @@ -33,13 +39,6 @@ resource "aws_s3_bucket_versioning" "backup" {
}
}

resource "aws_s3_bucket_logging" "backup" {
count = var.access_log_bucket != null ? 1 : 0
bucket = aws_s3_bucket.backup.id
target_bucket = var.access_log_bucket
target_prefix = "${var.resource_name_prefix}-graphdb-backup-access-logs/"
}

resource "aws_s3_bucket_policy" "disallow-non-tls-access-to-bucket" {
bucket = aws_s3_bucket.backup.id
policy = data.aws_iam_policy_document.disallow-non-tls-access-to-bucket.json
Expand Down Expand Up @@ -67,3 +66,30 @@ data "aws_iam_policy_document" "disallow-non-tls-access-to-bucket" {
}
}
}

resource "aws_iam_role_policy" "s3_crud" {
name = "${var.resource_name_prefix}-graphdb-s3-crud"
role = var.iam_role_id
policy = data.aws_iam_policy_document.backup_s3_crud.json
}

data "aws_iam_policy_document" "backup_s3_crud" {
statement {
effect = "Allow"
actions = [
"s3:ListBucket",
"s3:DeleteObject",
"s3:GetObject",
"s3:ListObjects",
"s3:PutObject",
"s3:GetAccelerateConfiguration",
"s3:ListMultipartUploadParts",
"s3:AbortMultipartUpload"
]
resources = [
# the exact ARN is needed for the list bucket action, star for put,get,delete
"arn:aws:s3:::${aws_s3_bucket.backup.bucket}",
"arn:aws:s3:::${aws_s3_bucket.backup.bucket}/*"
]
}
}
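Review bot: Appending `-${local.account_id}` to `bucket` changes an argument that forces a new resource, so `aws_s3_bucket.backup` is replaced on the next apply, and the rename from `module.s3` to `module.backup` changes its state address at the same time; nothing in the diff migrates existing backups, and the destroy of the old bucket fails if it is non-empty since no `force_destroy` is visible. A `moved { from = module.s3 to = module.backup }` block in the root main.tf removes the spurious destroy from the address change, but the bucket rename still needs an explicit migration step called out in the PR description. The `aws_s3_bucket_logging` resource and its `access_log_bucket` input are dropped without a replacement in this diff, so the backup bucket loses its access-log trail — if logging moved elsewhere, say so, otherwise it should come back. Minor: the copied `backup_s3_crud` document keeps `s3:ListObjects`, which as far as I know is not an IAM action (bucket listing is already covered by `s3:ListBucket`); the `disallow-non-tls-access-to-bucket` data source continues outside the hunk.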
14 changes: 14 additions & 0 deletions modules/backup/outputs.tf
@@ -0,0 +1,14 @@
output "bucket_name" {
description = "Name of the S3 bucket for storing GraphDB backups"
value = aws_s3_bucket.backup.bucket
}

output "bucket_id" {
description = "ID of the S3 bucket for storing GraphDB backups"
value = aws_s3_bucket.backup.id
}

output "bucket_arn" {
description = "ARN of the S3 bucket for storing GraphDB backups"
value = aws_s3_bucket.backup.arn
}
13 changes: 4 additions & 9 deletions modules/s3/variables.tf → modules/backup/variables.tf
@@ -1,20 +1,15 @@
# REQUIRED parameters

variable "resource_name_prefix" {
description = "Resource name prefix used for tagging and naming AWS resources"
type = string
}

# OPTIONAL parameters

variable "kms_key_arn" {
description = "KMS key to use for bucket encryption."
variable "iam_role_id" {
description = "IAM role ID to attach permission policies to"
type = string
default = null
}

variable "access_log_bucket" {
description = "S3 bucket ID for storing access logs of the GraphDB backup bucket"
variable "kms_key_arn" {
description = "KMS key to use for bucket encryption. If left empty, it will use the account's default for S3."
type = string
default = null
}
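Review bot: `iam_role_id` sits under `# OPTIONAL parameters` and inherits `default = null` from the slot it replaces, but modules/backup/main.tf uses it unconditionally as `role = var.iam_role_id` in `aws_iam_role_policy.s3_crud`, where `role` is required, so the null default is a guaranteed plan failure rather than a real option. Either make it required like the same variable in modules/dns/variables.tf (drop the `default = null` line and move the block above `# OPTIONAL parameters`), or keep it optional and guard the policy with `count = var.iam_role_id != null ? 1 : 0`. The `kms_key_arn` block that follows is a description-only change.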
File renamed without changes.
File renamed without changes.
19 changes: 19 additions & 0 deletions modules/dns/main.tf
@@ -1,9 +1,28 @@
resource "aws_route53_zone" "zone" {
name = var.zone_dns_name

# Allows for Terraform to destroy it.
force_destroy = true

vpc {
vpc_id = var.vpc_id
}
}

resource "aws_iam_role_policy" "route53_instance_registration" {
name = "${var.resource_name_prefix}-graphdb-route53-instance-registration"
role = var.iam_role_id
policy = data.aws_iam_policy_document.route53_instance_registration.json
}

data "aws_iam_policy_document" "route53_instance_registration" {
statement {
effect = "Allow"

actions = [
"route53:ChangeResourceRecordSets"
]

resources = ["arn:aws:route53:::hostedzone/${aws_route53_zone.zone.zone_id}"]
}
}
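Review bot: `aws_iam_role_policy.route53_instance_registration` attaches to `var.iam_role_id` unconditionally, whereas the version it replaces in modules/iam/main.tf was skipped with `count = var.user_supplied_iam_role_name != null ? 0 : 1`. If `module.iam.iam_role_id` resolves to the user-supplied role when one is given (the iam module's outputs are not in this diff), the dns and backup modules now write inline policies onto a role the caller owns, which was previously avoided; if it resolves to null, the plan fails. Whichever is intended, the `iam_role_id` description should state that inline policies are attached to that role, and the old guard should be restored if behaviour for user-supplied roles is meant to stay unchanged. The resource scope `hostedzone/${aws_route53_zone.zone.zone_id}` itself is appropriately narrow.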
3 changes: 2 additions & 1 deletion modules/dns/outputs.tf
@@ -1,3 +1,4 @@
output "zone_id" {
value = aws_route53_zone.zone.zone_id
description = "ID of the private hosted zone for GraphDB DNS resolving"
value = aws_route53_zone.zone.zone_id
}
10 changes: 10 additions & 0 deletions modules/dns/variables.tf
Expand Up @@ -3,7 +3,17 @@ variable "vpc_id" {
type = string
}

variable "resource_name_prefix" {
description = "Resource name prefix used for tagging and naming AWS resources"
type = string
}

variable "zone_dns_name" {
description = "DNS name for the private hosted zone in Route 53"
type = string
}

variable "iam_role_id" {
description = "IAM role ID to attach permission policies to"
type = string
}
127 changes: 3 additions & 124 deletions modules/iam/main.tf
@@ -1,9 +1,9 @@
resource "aws_iam_instance_profile" "graphdb" {
name_prefix = "${var.resource_name_prefix}-graphdb"
role = var.user_supplied_iam_role_name != null ? var.user_supplied_iam_role_name : aws_iam_role.instance_role[0].name
role = var.user_supplied_iam_role_name != null ? var.user_supplied_iam_role_name : aws_iam_role.graphdb[0].name
}

resource "aws_iam_role" "instance_role" {
resource "aws_iam_role" "graphdb" {
count = var.user_supplied_iam_role_name != null ? 0 : 1
name_prefix = "${var.resource_name_prefix}-graphdb-"
permissions_boundary = var.permissions_boundary
Expand All @@ -14,7 +14,7 @@ data "aws_iam_policy_document" "instance_role" {
statement {
effect = "Allow"
actions = [
"sts:AssumeRole",
"sts:AssumeRole"
]

principals {
Expand All @@ -23,124 +23,3 @@ data "aws_iam_policy_document" "instance_role" {
}
}
}

resource "aws_iam_role_policy" "s3_crud" {
count = var.user_supplied_iam_role_name != null ? 0 : 1
name = "${var.resource_name_prefix}-graphdb-s3-crud"
role = aws_iam_role.instance_role[0].id
policy = data.aws_iam_policy_document.s3_crud.json
}

resource "aws_iam_role_policy" "instance_volume" {
count = var.user_supplied_iam_role_name != null ? 0 : 1
name = "${var.resource_name_prefix}-graphdb-instance-volume"
role = aws_iam_role.instance_role[0].id
policy = data.aws_iam_policy_document.instance_volume.json
}

resource "aws_iam_role_policy" "instance_volume_tagging" {
count = var.user_supplied_iam_role_name != null ? 0 : 1
name = "${var.resource_name_prefix}-graphdb-instance-volume-tagging"
role = aws_iam_role.instance_role[0].id
policy = data.aws_iam_policy_document.instance_volume_tagging.json
}

resource "aws_iam_role_policy" "route53_instance_registration" {
count = var.user_supplied_iam_role_name != null ? 0 : 1
name = "${var.resource_name_prefix}-graphdb-route53-instance-registration"
role = aws_iam_role.instance_role[0].id
policy = data.aws_iam_policy_document.route53_instance_registration.json
}

data "aws_iam_policy_document" "s3_crud" {
statement {
effect = "Allow"
actions = [
"s3:ListBucket",
"s3:DeleteObject",
"s3:GetObject",
"s3:ListObjects",
"s3:PutObject",
"s3:GetAccelerateConfiguration",
"s3:ListMultipartUploadParts",
"s3:AbortMultipartUpload"
]
resources = [
# the exact ARN is needed for the list bucket action, star for put,get,delete
"arn:aws:s3:::${var.s3_bucket_name}",
"arn:aws:s3:::${var.s3_bucket_name}/*"
]
}
}

data "aws_iam_policy_document" "instance_volume" {
statement {
effect = "Allow"

actions = [
"ec2:CreateVolume",
"ec2:AttachVolume",
"ec2:DescribeVolumes",
]

resources = ["*"]
}
}

data "aws_iam_policy_document" "instance_volume_tagging" {
statement {
effect = "Allow"

actions = [
"ec2:CreateTags"
]

resources = [
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:snapshot/*",
]

condition {
test = "StringEquals"
variable = "ec2:CreateAction"
values = [
"CreateVolume",
"CreateSnapshot",
]
}
}
}

data "aws_iam_policy_document" "route53_instance_registration" {
statement {
effect = "Allow"

actions = [
"route53:ChangeResourceRecordSets"
]

resources = ["arn:aws:route53:::hostedzone/${var.route53_zone_id}"]
}
}

resource "aws_iam_role_policy_attachment" "systems-manager-policy" {
role = aws_iam_role.instance_role[0].id
policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}

# IAM user needed for the backup upload to S3

resource "aws_iam_user" "this" {
name = "${var.resource_name_prefix}-backup"
path = "/system/"
}

resource "aws_iam_access_key" "this" {
user = aws_iam_user.this.name
}

resource "aws_iam_user_policy" "this" {
name = "${var.resource_name_prefix}-s3backups"
user = aws_iam_user.this.name
policy = data.aws_iam_policy_document.s3_crud.json
}
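Review bot: Renaming `aws_iam_role.instance_role` to `aws_iam_role.graphdb` changes the resource address, so without a `moved { from = aws_iam_role.instance_role to = aws_iam_role.graphdb }` block Terraform plans a destroy and recreate of the instance role, and the instance profile that references it churns along with any running instances' credentials. The rename is also only half done: the policy document is still `data "aws_iam_policy_document" "instance_role"` per the second hunk's header, which a reader will now have to cross-reference. The `aws_iam_role_policy_attachment.systems-manager-policy` deletion is not matched by an addition anywhere in this diff; if it did not move into modules/vm, instances lose the SSM managed-instance permissions, which is an operational change the description should name. The removal of the backup IAM user and access key is an improvement the commit already makes and needs no further change.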