chore: iterate

humanitec-architecture · Jan 10, 2024 · bcc14af · bcc14af
1 parent 6406fae
commit bcc14af
Show file tree

Hide file tree

Showing 20 changed files with 365 additions and 25 deletions.
diff --git a/examples/s3/README.md b/examples/s3/README.md
@@ -16,10 +16,13 @@
 
 | Name | Source | Version |
 |------|--------|---------|
-| iam\_policy\_s3\_admin | ../../humanitec-resource-defs/iam-policy/s3-admin | n/a |
+| iam\_policy\_s3\_admin | ../../humanitec-resource-defs/iam-policy/s3 | n/a |
+| iam\_policy\_s3\_read\_only | ../../humanitec-resource-defs/iam-policy/s3 | n/a |
 | iam\_role\_service\_account | ../../humanitec-resource-defs/iam-role/service-account | n/a |
 | k8s\_service\_account | ../../humanitec-resource-defs/k8s/service-account | n/a |
 | s3\_basic | ../../humanitec-resource-defs/s3/basic | n/a |
+| s3\_basic\_admin | ../../humanitec-resource-defs/s3/passthrough | n/a |
+| s3\_basic\_read\_only | ../../humanitec-resource-defs/s3/passthrough | n/a |
 | workload | ../../humanitec-resource-defs/workload/service-account | n/a |
 
 ## Resources
@@ -28,9 +31,12 @@
 |------|------|
 | [humanitec_application.example](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/application) | resource |
 | [humanitec_resource_definition_criteria.iam_policy_s3_admin](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
+| [humanitec_resource_definition_criteria.iam_policy_s3_read_only](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [humanitec_resource_definition_criteria.iam_role_service_account](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [humanitec_resource_definition_criteria.k8s_service_account](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [humanitec_resource_definition_criteria.s3_basic](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
+| [humanitec_resource_definition_criteria.s3_basic_admin](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
+| [humanitec_resource_definition_criteria.s3_basic_read_only](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [humanitec_resource_definition_criteria.workload](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 
 ## Inputs

diff --git a/examples/s3/main.tf b/examples/s3/main.tf
@@ -7,24 +7,21 @@ resource "humanitec_application" "example" {
   name = var.name
 }
 
-module "k8s_service_account" {
-  source = "../../humanitec-resource-defs/k8s/service-account"
-
-  prefix = local.res_def_prefix
-}
-
-resource "humanitec_resource_definition_criteria" "k8s_service_account" {
-  resource_definition_id = module.k8s_service_account.id
-  app_id                 = humanitec_application.example.id
-}
-
 # S3 bucket
 
 locals {
-  s3_class              = "basic"
-  s3_admin_policy_class = "s3-admin"
+  # Classes used to build the resource definition graph
+  s3_basic_class            = "basic"
+  s3_admin_policy_class     = "s3-basic-admin"
+  s3_read_only_policy_class = "s3-basic-read-only"
+
+  # Classes that developers can select from
+  s3_basic_admin_class     = "basic-admin"
+  s3_basic_read_only_class = "basic-read-only"
 }
 
+# Define s3 bucket basic "flavour" as base
+
 module "s3_basic" {
   source = "../../humanitec-resource-defs/s3/basic"
 
@@ -41,11 +38,16 @@ module "s3_basic" {
 resource "humanitec_resource_definition_criteria" "s3_basic" {
   resource_definition_id = module.s3_basic.id
   app_id                 = humanitec_application.example.id
-  class                  = local.s3_class
+  class                  = local.s3_basic_class
 }
 
+# Add different access policy to s3 basic bucket
+
+# Admin
+
+## Policy
 module "iam_policy_s3_admin" {
-  source = "../../humanitec-resource-defs/iam-policy/s3-admin"
+  source = "../../humanitec-resource-defs/iam-policy/s3"
 
   resource_packs_aws_url = var.resource_packs_aws_url
   resource_packs_aws_rev = var.resource_packs_aws_rev
@@ -54,7 +56,11 @@ module "iam_policy_s3_admin" {
   secret_key = var.secret_key
   region     = var.region
 
+  policy = "admin"
+
   prefix = local.res_def_prefix
+
+  s3_resource_class = local.s3_basic_class
 }
 
 resource "humanitec_resource_definition_criteria" "iam_policy_s3_admin" {
@@ -63,6 +69,79 @@ resource "humanitec_resource_definition_criteria" "iam_policy_s3_admin" {
   class                  = local.s3_admin_policy_class
 }
 
+## Exposed passthrough resource definition
+module "s3_basic_admin" {
+  source = "../../humanitec-resource-defs/s3/passthrough"
+
+  prefix = local.res_def_prefix
+
+  s3_resource_class     = local.s3_basic_class
+  policy_resource_class = local.s3_admin_policy_class
+}
+
+resource "humanitec_resource_definition_criteria" "s3_basic_admin" {
+  resource_definition_id = module.s3_basic_admin.id
+  app_id                 = humanitec_application.example.id
+  class                  = local.s3_basic_admin_class
+}
+
+
+# Read-only
+
+## Policy
+module "iam_policy_s3_read_only" {
+  source = "../../humanitec-resource-defs/iam-policy/s3"
+
+  resource_packs_aws_url = var.resource_packs_aws_url
+  resource_packs_aws_rev = var.resource_packs_aws_rev
+
+  access_key = var.access_key
+  secret_key = var.secret_key
+  region     = var.region
+
+  policy = "read-only"
+
+  prefix = local.res_def_prefix
+
+  s3_resource_class = local.s3_basic_class
+}
+
+resource "humanitec_resource_definition_criteria" "iam_policy_s3_read_only" {
+  resource_definition_id = module.iam_policy_s3_read_only.id
+  app_id                 = humanitec_application.example.id
+  class                  = local.s3_read_only_policy_class
+}
+
+## Exposed passthrough resource definition
+module "s3_basic_read_only" {
+  source = "../../humanitec-resource-defs/s3/passthrough"
+
+  prefix = local.res_def_prefix
+
+  s3_resource_class     = local.s3_basic_class
+  policy_resource_class = local.s3_read_only_policy_class
+}
+
+resource "humanitec_resource_definition_criteria" "s3_basic_read_only" {
+  resource_definition_id = module.s3_basic_read_only.id
+  app_id                 = humanitec_application.example.id
+  class                  = local.s3_basic_read_only_class
+}
+
+
+# Required resources for workload identity
+
+module "k8s_service_account" {
+  source = "../../humanitec-resource-defs/k8s/service-account"
+
+  prefix = local.res_def_prefix
+}
+
+resource "humanitec_resource_definition_criteria" "k8s_service_account" {
+  resource_definition_id = module.k8s_service_account.id
+  app_id                 = humanitec_application.example.id
+}
+
 module "iam_role_service_account" {
   source = "../../humanitec-resource-defs/iam-role/service-account"
 

diff --git a/humanitec-resource-defs/iam-policy/s3/README.md b/humanitec-resource-defs/iam-policy/s3/README.md
@@ -0,0 +1,39 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| terraform | >= 1.3.0 |
+| humanitec | ~> 0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| humanitec | ~> 0 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [humanitec_resource_definition.main](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| access\_key | n/a | `string` | n/a | yes |
+| policy | Name of the exposed policy | `string` | n/a | yes |
+| prefix | n/a | `string` | n/a | yes |
+| region | n/a | `string` | n/a | yes |
+| resource\_packs\_aws\_rev | AWS Resource Pack git branch | `string` | n/a | yes |
+| s3\_resource\_class | n/a | `string` | n/a | yes |
+| secret\_key | n/a | `string` | n/a | yes |
+| resource\_packs\_aws\_url | AWS Resource Pack git url | `string` | `"https://github.com/humanitec-architecture/resource-packs-aws.git"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| id | n/a |
+<!-- END_TF_DOCS -->
diff --git a/...resource-defs/iam-policy/s3-admin/main.tf → ...nitec-resource-defs/iam-policy/s3/main.tf b/...resource-defs/iam-policy/s3-admin/main.tf → ...nitec-resource-defs/iam-policy/s3/main.tf
@@ -1,7 +1,7 @@
 resource "humanitec_resource_definition" "main" {
   driver_type = "humanitec/terraform"
-  id          = "${var.prefix}iam-policy-s3-admin"
-  name        = "${var.prefix}iam-policy-s3-admin"
+  id          = "${var.prefix}iam-policy-s3-${var.policy}"
+  name        = "${var.prefix}iam-policy-s3-${var.policy}"
   type        = "aws-policy"
 
   driver_inputs = {
@@ -14,7 +14,7 @@ resource "humanitec_resource_definition" "main" {
 
     values_string = jsonencode({
       source = {
-        path = "modules/iam-policy/s3-admin"
+        path = "modules/iam-policy/s3-${var.policy}"
         rev  = var.resource_packs_aws_rev
         url  = var.resource_packs_aws_url
       }
@@ -23,10 +23,15 @@ resource "humanitec_resource_definition" "main" {
         region = var.region,
         prefix = "${var.prefix}$${context.res.id}"
 
-        res_id = "$${context.res.id}"
-        app_id = "$${context.app.id}"
-        env_id = "$${context.env.id}"
+        res_id        = "$${context.res.id}"
+        app_id        = "$${context.app.id}"
+        env_id        = "$${context.env.id}"
+        s3_bucket_arn = "$${resources['s3.${var.s3_resource_class}'].outputs.arn}"
       }
     })
   }
 }
+
+variable "s3_resource_class" {
+  type = string
+}
diff --git a/...ource-defs/iam-policy/s3-admin/outputs.tf → ...ec-resource-defs/iam-policy/s3/outputs.tf b/...ource-defs/iam-policy/s3-admin/outputs.tf → ...ec-resource-defs/iam-policy/s3/outputs.tf
diff --git a/...rce-defs/iam-policy/s3-admin/providers.tf → ...-resource-defs/iam-policy/s3/providers.tf b/...rce-defs/iam-policy/s3-admin/providers.tf → ...-resource-defs/iam-policy/s3/providers.tf
diff --git a/...-policy/s3-admin/terraform.tfvars.example → ...fs/iam-policy/s3/terraform.tfvars.example b/...-policy/s3-admin/terraform.tfvars.example → ...fs/iam-policy/s3/terraform.tfvars.example
@@ -1,11 +1,16 @@
 access_key = ""
-prefix     = ""
-region     = ""
+
+# Name of the exposed policy
+policy = ""
+
+prefix = ""
+region = ""
 
 # AWS Resource Pack git branch
 resource_packs_aws_rev = ""
 
 # AWS Resource Pack git url
 resource_packs_aws_url = "https://github.com/humanitec-architecture/resource-packs-aws.git"
 
-secret_key = ""
+s3_resource_class = ""
+secret_key        = ""
diff --git a/...rce-defs/iam-policy/s3-admin/variables.tf → ...-resource-defs/iam-policy/s3/variables.tf b/...rce-defs/iam-policy/s3-admin/variables.tf → ...-resource-defs/iam-policy/s3/variables.tf
@@ -24,3 +24,8 @@ variable "secret_key" {
 variable "region" {
   type = string
 }
+
+variable "policy" {
+  description = "Name of the exposed policy"
+  type        = string
+}
diff --git a/...source-defs/iam-policy/s3-admin/README.md → ...ec-resource-defs/s3/passthrough/README.md b/...source-defs/iam-policy/s3-admin/README.md → ...ec-resource-defs/s3/passthrough/README.md
@@ -23,9 +23,11 @@
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | access\_key | n/a | `string` | n/a | yes |
+| policy\_resource\_class | n/a | `string` | n/a | yes |
 | prefix | n/a | `string` | n/a | yes |
 | region | n/a | `string` | n/a | yes |
 | resource\_packs\_aws\_rev | AWS Resource Pack git branch | `string` | n/a | yes |
+| s3\_resource\_class | n/a | `string` | n/a | yes |
 | secret\_key | n/a | `string` | n/a | yes |
 | resource\_packs\_aws\_url | AWS Resource Pack git url | `string` | `"https://github.com/humanitec-architecture/resource-packs-aws.git"` | no |
 

diff --git a/humanitec-resource-defs/s3/passthrough/main.tf b/humanitec-resource-defs/s3/passthrough/main.tf
@@ -0,0 +1,25 @@
+resource "humanitec_resource_definition" "main" {
+  driver_type = "humanitec/template"
+  id          = "${var.prefix}s3-${var.s3_resource_class}-${var.policy_resource_class}"
+  name        = "${var.prefix}s3-${var.s3_resource_class}-${var.policy_resource_class}"
+  type        = "s3"
+
+  driver_inputs = {
+    values_string = jsonencode({
+      templates = {
+        outputs = <<EOL
+bucket: "$${resources['s3.${var.s3_resource_class}'].outputs.bucket}"
+region: "$${resources['s3.${var.s3_resource_class}'].outputs.region}"
+arn: "$${resources['s3.${var.s3_resource_class}'].outputs.arn}"
+EOL
+      }
+    })
+  }
+
+  provision = {
+    "aws-policy.${var.policy_resource_class}" = {
+      match_dependents = true
+      is_dependent     = false
+    }
+  }
+}
diff --git a/humanitec-resource-defs/s3/passthrough/outputs.tf b/humanitec-resource-defs/s3/passthrough/outputs.tf
@@ -0,0 +1,3 @@
+output "id" {
+  value = humanitec_resource_definition.main.id
+}
diff --git a/humanitec-resource-defs/s3/passthrough/providers.tf b/humanitec-resource-defs/s3/passthrough/providers.tf
@@ -0,0 +1,10 @@
+terraform {
+  required_providers {
+    humanitec = {
+      source  = "humanitec/humanitec"
+      version = "~> 0"
+    }
+  }
+
+  required_version = ">= 1.3.0"
+}
diff --git a/humanitec-resource-defs/s3/passthrough/terraform.tfvars.example b/humanitec-resource-defs/s3/passthrough/terraform.tfvars.example
@@ -0,0 +1,13 @@
+access_key            = ""
+policy_resource_class = ""
+prefix                = ""
+region                = ""
+
+# AWS Resource Pack git branch
+resource_packs_aws_rev = ""
+
+# AWS Resource Pack git url
+resource_packs_aws_url = "https://github.com/humanitec-architecture/resource-packs-aws.git"
+
+s3_resource_class = ""
+secret_key        = ""
diff --git a/humanitec-resource-defs/s3/passthrough/variables.tf b/humanitec-resource-defs/s3/passthrough/variables.tf
@@ -0,0 +1,11 @@
+variable "prefix" {
+  type = string
+}
+
+variable "s3_resource_class" {
+  type = string
+}
+
+variable "policy_resource_class" {
+  type = string
+}