Environments templates (#17)

* add templates for: dev, staging, production * fix: name in rds prefix * add datasource for route53 zone * chore: Update terraform docs * Update templates/production/rds.tf * Update templates/production/rds.tf * Update templates/production/variables.tf * chore: Update terraform docs * Update templates/staging/ci.tf * Update templates/staging/route53.tf * Update templates/staging/variables.tf * chore: Update terraform docs * add changes from review * chore: Update terraform docs * add new files for dev environment * chore: Update terraform docs * add new files for dev environment * chore: Update terraform docs * apply feedback * chore: Update terraform docs * fix source for modules * chore: Update terraform docs * apply review * chore: Update terraform docs --------- Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Selleo · Jan 10, 2025 · 73e299f · 73e299f
1 parent 0dda7ec
commit 73e299f
Show file tree

Hide file tree

Showing 32 changed files with 986 additions and 2 deletions.
diff --git a/examples/iam/user-with-access-key/.terraform.lock.hcl b/examples/iam/user-with-access-key/.terraform.lock.hcl
diff --git a/examples/iam/user-with-access-key/README.md b/examples/iam/user-with-access-key/README.md
@@ -10,8 +10,8 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.0 |
-| <a name="provider_random"></a> [random](#provider\_random) | n/a |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.64.0 |
+| <a name="provider_random"></a> [random](#provider\_random) | 3.6.2 |
 
 ## Modules
 

diff --git a/templates/dev/README.md b/templates/dev/README.md
@@ -0,0 +1,37 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.0 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | ~> 3.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_iam"></a> [iam](#module\_iam) | ../../modules/iam/user-with-access-key | n/a |
+| <a name="module_iam_user"></a> [iam\_user](#module\_iam\_user) | ../../modules/iam/user-with-access-key | n/a |
+| <a name="module_secrets"></a> [secrets](#module\_secrets) | Selleo/ssm/aws//modules/parameters | 0.4.0 |
+| <a name="module_storage_s3_read_write"></a> [storage\_s3\_read\_write](#module\_storage\_s3\_read\_write) | ../../modules/iam/s3-read-write | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_group.emails](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group) | resource |
+| [aws_s3_bucket.storage](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_region"></a> [region](#input\_region) | Default AWS region | `string` | `"eu-central-1"` | no |
+<!-- END_TF_DOCS -->
diff --git a/templates/dev/iam.tf b/templates/dev/iam.tf
@@ -0,0 +1,15 @@
+resource "aws_iam_group" "emails" {
+  name = "name" # TODO adjust name to your project
+}
+
+# users
+
+module "iam_user" {
+  source  = "../../modules/iam/user-with-access-key"
+
+  name = "name" # TODO adjust name to your project
+
+  groups = [
+    aws_iam_group.emails.name,
+  ]
+}
diff --git a/templates/dev/s3.tf b/templates/dev/s3.tf
@@ -0,0 +1,35 @@
+resource "aws_s3_bucket" "storage" {
+  bucket = "name" # TODO adjust name to your project
+}
+
+module "storage_s3_read_write" {
+  source = "../../modules/iam/s3-read-write"
+
+  name_prefix = "name" # TODO adjust name to your project
+  bucket_arn  = aws_s3_bucket.storage.arn
+  users       = [module.iam.name]
+}
+
+module "iam" {
+  source  = "../../modules/iam/user-with-access-key"
+
+  name = "name" # TODO adjust name to your project
+}
+
+module "secrets" {
+  source  = "Selleo/ssm/aws//modules/parameters"
+  version = "0.4.0"
+
+  context = {
+    namespace = "name" # TODO adjust name to your project
+    stage     = "dev"
+    name      = "name" # TODO adjust name to your project
+  }
+
+  secrets = {
+    AWS_REGION            = var.region
+    AWS_S3_BUCKET         = aws_s3_bucket.storage.id
+    AWS_ACCESS_KEY_ID     = module.iam.key_id
+    AWS_SECRET_ACCESS_KEY = module.iam.key_secret
+  }
+}
diff --git a/templates/dev/variables.tf b/templates/dev/variables.tf
@@ -0,0 +1,5 @@
+variable "region" {
+  type        = string
+  description = "Default AWS region"
+  default     = "eu-central-1"
+}
diff --git a/templates/dev/versions.tf b/templates/dev/versions.tf
@@ -0,0 +1,33 @@
+terraform {
+  required_version = "~> 1.0"
+
+  # cloud {
+  #   organization = "organization" # TODO adjust name to your project
+
+  #   workspaces {
+  #     name = "workspace" # TODO adjust name to your project
+  #   }
+  # }
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+
+    random = {
+      source  = "hashicorp/random"
+      version = "~> 3.0"
+    }
+  }
+}
+
+provider "aws" {
+  region = var.region
+
+  default_tags {
+    tags = {
+      terraform = 1
+    }
+  }
+}
diff --git a/templates/production/.terraform.lock.hcl b/templates/production/.terraform.lock.hcl
diff --git a/templates/production/README.md b/templates/production/README.md
@@ -0,0 +1,59 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.0 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | ~> 3.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.68.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_ci_iam"></a> [ci\_iam](#module\_ci\_iam) | ../../modules/iam/user-with-access-key | n/a |
+| <a name="module_cloudfront_app"></a> [cloudfront\_app](#module\_cloudfront\_app) | ../../modules/cloudfront-app | n/a |
+| <a name="module_cloudfront_bucket_policy"></a> [cloudfront\_bucket\_policy](#module\_cloudfront\_bucket\_policy) | ../../modules/cloudfront-s3-origin-bucket-policy | n/a |
+| <a name="module_cloudfront_deployment_policy"></a> [cloudfront\_deployment\_policy](#module\_cloudfront\_deployment\_policy) | ../../modules/cloudfront-deployment-policy | n/a |
+| <a name="module_cluster"></a> [cluster](#module\_cluster) | ../../modules/ecs-cluster | n/a |
+| <a name="module_database_subnet"></a> [database\_subnet](#module\_database\_subnet) | ../../modules/vpc-private-subnet | n/a |
+| <a name="module_db"></a> [db](#module\_db) | ../../modules/postgres | n/a |
+| <a name="module_ecr"></a> [ecr](#module\_ecr) | ../../modules/ecr-repository | n/a |
+| <a name="module_lb"></a> [lb](#module\_lb) | ../../modules/lb/alb | n/a |
+| <a name="module_private_subnet"></a> [private\_subnet](#module\_private\_subnet) | ../../modules/vpc-private-subnet | n/a |
+| <a name="module_public_subnet"></a> [public\_subnet](#module\_public\_subnet) | ../../modules/vpc-public-subnet | n/a |
+| <a name="module_secrets_ci"></a> [secrets\_ci](#module\_secrets\_ci) | ../../modules/ssm/parameters | n/a |
+| <a name="module_service"></a> [service](#module\_service) | ../../modules/ecs-service | n/a |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | ../../modules/vpc | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_policy.ci_user](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_user_policy_attachment.ci_user](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy_attachment) | resource |
+| [aws_s3_bucket.apps_storage](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket_public_access_block.apps_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.ci_user](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_route53_zone.domain](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_region"></a> [region](#input\_region) | Default AWS region | `string` | `"todo"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_url"></a> [url](#output\_url) | n/a |
+<!-- END_TF_DOCS -->
diff --git a/templates/production/ci.tf b/templates/production/ci.tf
@@ -0,0 +1,60 @@
+module "ci_iam" {
+  source  = "../../modules/iam/user-with-access-key"
+
+  name = "name-production-ci" # TODO adjust name to your project
+
+  groups = [
+    module.cluster.deployment_group,
+    module.service.deployment_group,
+    module.ecr.deployment_group
+  ]
+
+  depends_on = [
+    module.ecr
+  ]
+}
+
+resource "aws_iam_user_policy_attachment" "ci_user" {
+  user       = module.ci_iam.name
+  policy_arn = aws_iam_policy.ci_user.arn
+}
+
+resource "aws_iam_policy" "ci_user" {
+  name   = "production-apps-ci-ssm" 
+  policy = data.aws_iam_policy_document.ci_user.json
+}
+
+data "aws_iam_policy_document" "ci_user" {
+  statement {
+    actions = [
+      "ssm:GetParameter",
+      "ssm:GetParametersByPath"
+    ]
+    resources = ["arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/name/production/api/*"] # TODO adjust name to your project
+  }
+  statement {
+    effect = "Allow"
+    actions = [
+      "ssm:DescribeParameters"
+    ]
+    resources = ["*"]
+  }
+}
+
+module "secrets_ci" {
+  source  = "../../modules/ssm/parameters"
+
+  context = {
+    namespace = "name" # TODO adjust namespace to your project
+    stage     = "production"
+    name      = "ci-secrets"
+  }
+
+  secrets = {
+    AWS_ACCESS_KEY_ID     = module.ci_iam.key_id
+    AWS_SECRET_ACCESS_KEY = module.ci_iam.key_secret
+    ECR_URL               = module.ecr.url
+    ECS_CLUSTER           = module.cluster.name
+    ECS_SERVICE           = module.service.name
+  }
+}