diff --git a/examples/s3/README.md b/examples/s3/README.md
new file mode 100644
index 0000000..6881e3b
--- /dev/null
+++ b/examples/s3/README.md
@@ -0,0 +1,72 @@
+# AWS S3
+
+This example configures an S3 bucket resource definition, with two different access policies:
+
+* `basic-admin` (full access)
+* `basic-read-only` (read-only access)
+
+Those resources can be used in your score file like:
+
+```yaml
+resources:
+ ...
+ s3:
+ type: s3
+ class: basic-admin
+```
+
+The workload service account will automatically be assigned the necessary AWS IAM Role with the selected IAM Policy.
+
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| terraform | >= 1.3.0 |
+| humanitec | ~> 0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| humanitec | ~> 0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| iam\_policy\_s3\_admin | ../../humanitec-resource-defs/iam-policy/s3 | n/a |
+| iam\_policy\_s3\_read\_only | ../../humanitec-resource-defs/iam-policy/s3 | n/a |
+| iam\_role\_service\_account | ../../humanitec-resource-defs/iam-role/service-account | n/a |
+| k8s\_service\_account | ../../humanitec-resource-defs/k8s/service-account | n/a |
+| s3\_basic | ../../humanitec-resource-defs/s3/basic | n/a |
+| s3\_basic\_admin | ../../humanitec-resource-defs/s3/passthrough | n/a |
+| s3\_basic\_read\_only | ../../humanitec-resource-defs/s3/passthrough | n/a |
+| workload | ../../humanitec-resource-defs/workload/service-account | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [humanitec_application.example](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/application) | resource |
+| [humanitec_resource_definition_criteria.iam_policy_s3_admin](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
+| [humanitec_resource_definition_criteria.iam_policy_s3_read_only](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
+| 
[humanitec_resource_definition_criteria.iam_role_service_account](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
+| [humanitec_resource_definition_criteria.k8s_service_account](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
+| [humanitec_resource_definition_criteria.s3_basic](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
+| [humanitec_resource_definition_criteria.s3_basic_admin](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
+| [humanitec_resource_definition_criteria.s3_basic_read_only](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
+| [humanitec_resource_definition_criteria.workload](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| access\_key | AWS Access Key | `string` | n/a | yes |
+| cluster\_name | Name of the EKS cluster | `string` | n/a | yes |
+| region | AWS Region | `string` | n/a | yes |
+| secret\_key | AWS Secret Key | `string` | n/a | yes |
+| name | Name of the example application | `string` | `"s3-test"` | no |
+| resource\_packs\_aws\_rev | AWS Resource Pack git branch | `string` | `"refs/heads/main"` | no |
+| resource\_packs\_aws\_url | AWS Resource Pack git url | `string` | `"https://github.com/humanitec-architecture/resource-packs-aws.git"` | no |
+
diff --git a/examples/s3/main.tf b/examples/s3/main.tf
new file mode 100644
index 0000000..591d040
--- /dev/null
+++ b/examples/s3/main.tf
@@ -0,0 +1,173 @@
+locals {
+ res_def_prefix = "${var.name}-"
+}
+
+resource "humanitec_application" "example" {
+ id = var.name
+ name = var.name
+}
+
+# S3 bucket
+
+locals {
+ # Classes used to build the resource definition graph
+ s3_basic_class = "basic"
+ s3_admin_policy_class = "s3-basic-admin"
+ s3_read_only_policy_class = "s3-basic-read-only"
+
+ # Classes that developers can select from
+ s3_basic_admin_class = "basic-admin"
+ s3_basic_read_only_class = "basic-read-only"
+}
+
+# Define s3 bucket basic "flavour" as base
+
+module "s3_basic" {
+ source = "../../humanitec-resource-defs/s3/basic"
+
+ resource_packs_aws_url = var.resource_packs_aws_url
+ resource_packs_aws_rev = var.resource_packs_aws_rev
+
+ access_key = var.access_key
+ secret_key = var.secret_key
+ region = var.region
+
+ prefix = local.res_def_prefix
+}
+
+resource "humanitec_resource_definition_criteria" "s3_basic" {
+ resource_definition_id = module.s3_basic.id
+ app_id = humanitec_application.example.id
+ class = local.s3_basic_class
+}
+
+# Add different access policy to s3 basic bucket
+
+# Admin
+
+## Policy
+module "iam_policy_s3_admin" {
+ source = "../../humanitec-resource-defs/iam-policy/s3"
+
+ resource_packs_aws_url = var.resource_packs_aws_url
+ resource_packs_aws_rev = var.resource_packs_aws_rev
+
+ access_key = var.access_key
+ secret_key = var.secret_key
+ region = var.region
+
+ policy = "admin"
+
+ prefix = local.res_def_prefix
+
+ s3_resource_class = local.s3_basic_class
+}
+
+resource "humanitec_resource_definition_criteria" "iam_policy_s3_admin" {
+ resource_definition_id = module.iam_policy_s3_admin.id
+ app_id = humanitec_application.example.id
+ class = local.s3_admin_policy_class
+}
+
+## Exposed passthrough resource definition
+module "s3_basic_admin" {
+ source = "../../humanitec-resource-defs/s3/passthrough"
+
+ prefix = local.res_def_prefix
+
+ s3_resource_class = local.s3_basic_class
+ policy_resource_class = local.s3_admin_policy_class
+}
+
+resource 
"humanitec_resource_definition_criteria" "s3_basic_admin" {
+ resource_definition_id = module.s3_basic_admin.id
+ app_id = humanitec_application.example.id
+ class = local.s3_basic_admin_class
+}
+
+
+# Read-only
+
+## Policy
+module "iam_policy_s3_read_only" {
+ source = "../../humanitec-resource-defs/iam-policy/s3"
+
+ resource_packs_aws_url = var.resource_packs_aws_url
+ resource_packs_aws_rev = var.resource_packs_aws_rev
+
+ access_key = var.access_key
+ secret_key = var.secret_key
+ region = var.region
+
+ policy = "read-only"
+
+ prefix = local.res_def_prefix
+
+ s3_resource_class = local.s3_basic_class
+}
+
+resource "humanitec_resource_definition_criteria" "iam_policy_s3_read_only" {
+ resource_definition_id = module.iam_policy_s3_read_only.id
+ app_id = humanitec_application.example.id
+ class = local.s3_read_only_policy_class
+}
+
+## Exposed passthrough resource definition
+module "s3_basic_read_only" {
+ source = "../../humanitec-resource-defs/s3/passthrough"
+
+ prefix = local.res_def_prefix
+
+ s3_resource_class = local.s3_basic_class
+ policy_resource_class = local.s3_read_only_policy_class
+}
+
+resource "humanitec_resource_definition_criteria" "s3_basic_read_only" {
+ resource_definition_id = module.s3_basic_read_only.id
+ app_id = humanitec_application.example.id
+ class = local.s3_basic_read_only_class
+}
+
+
+# Required resources for workload identity
+
+module "k8s_service_account" {
+ source = "../../humanitec-resource-defs/k8s/service-account"
+
+ prefix = local.res_def_prefix
+}
+
+resource "humanitec_resource_definition_criteria" "k8s_service_account" {
+ resource_definition_id = module.k8s_service_account.id
+ app_id = humanitec_application.example.id
+}
+
+module "iam_role_service_account" {
+ source = "../../humanitec-resource-defs/iam-role/service-account"
+
+ resource_packs_aws_url = var.resource_packs_aws_url
+ resource_packs_aws_rev = var.resource_packs_aws_rev
+
+ access_key = var.access_key
+ secret_key = var.secret_key
+ region = 
var.region
+
+ cluster_name = var.cluster_name
+ prefix = local.res_def_prefix
+}
+
+resource "humanitec_resource_definition_criteria" "iam_role_service_account" {
+ resource_definition_id = module.iam_role_service_account.id
+ app_id = humanitec_application.example.id
+}
+
+module "workload" {
+ source = "../../humanitec-resource-defs/workload/service-account"
+
+ prefix = local.res_def_prefix
+}
+
+resource "humanitec_resource_definition_criteria" "workload" {
+ resource_definition_id = module.workload.id
+ app_id = humanitec_application.example.id
+}
diff --git a/examples/s3/providers.tf b/examples/s3/providers.tf
new file mode 100644
index 0000000..2f2107a
--- /dev/null
+++ b/examples/s3/providers.tf
@@ -0,0 +1,13 @@
+terraform {
+ required_providers {
+ humanitec = {
+ source = "humanitec/humanitec"
+ version = "~> 0"
+ }
+ }
+
+ required_version = ">= 1.3.0"
+}
+
+
+provider "humanitec" {}
diff --git a/examples/s3/terraform.tfvars.example b/examples/s3/terraform.tfvars.example
new file mode 100644
index 0000000..cf1b8f7
--- /dev/null
+++ b/examples/s3/terraform.tfvars.example
@@ -0,0 +1,21 @@
+
+# AWS Access Key
+access_key = ""
+
+# Name of the EKS cluster
+cluster_name = ""
+
+# Name of the example application
+name = "s3-test"
+
+# AWS Region
+region = ""
+
+# AWS Resource Pack git branch
+resource_packs_aws_rev = "refs/heads/main"
+
+# AWS Resource Pack git url
+resource_packs_aws_url = "https://github.com/humanitec-architecture/resource-packs-aws.git"
+
+# AWS Secret Key
+secret_key = ""
\ No newline at end of file
diff --git a/examples/s3/variables.tf b/examples/s3/variables.tf
new file mode 100644
index 0000000..0330b2d
--- /dev/null
+++ b/examples/s3/variables.tf
@@ -0,0 +1,37 @@
+variable "access_key" {
+ description = "AWS Access Key"
+ type = string
+}
+
+variable "secret_key" {
+ description = "AWS Secret Key"
+ type = string
+}
+
+variable "region" {
+ description = "AWS Region"
+ type = string
+}
+
+variable "cluster_name" {
+ description = "Name of the EKS cluster"
+ type = string
+}
+
+variable "resource_packs_aws_url" {
+ description = "AWS Resource Pack git url"
+ type = string
+ default = "https://github.com/humanitec-architecture/resource-packs-aws.git"
+}
+
+variable "resource_packs_aws_rev" {
+ description = "AWS Resource Pack git branch"
+ type = string
+ default = "refs/heads/main"
+}
+
+variable "name" {
+ description = "Name of the example application"
+ type = string
+ default = "s3-test"
+}
diff --git a/examples/sqs/README.md b/examples/sqs/README.md
index 6c866a5..58baf1a 100644
--- a/examples/sqs/README.md
+++ b/examples/sqs/README.md
@@ -1,3 +1,22 @@
+# AWS SQS
+
+This example configures an SQS queue resource definition, with two different access policies:
+
+* `basic-publisher` (allowed to send messages)
+* `basic-consumer` (allowed to receive messages)
+
+Those resources can be used in your score file like:
+
+```yaml
+resources:
+ ...
+ sqs:
+ type: sqs
+ class: basic-publisher
+```
+
+The workload service account will automatically be assigned the necessary AWS IAM Role with the selected IAM Policy.
+
 ## Requirements
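Review bot: `variable "secret_key"` (and `variable "access_key"`) is declared without `sensitive = true`, so its value can be echoed in plan output, diagnostics and CI logs; the example's providers.tf requires Terraform >= 1.3.0, where the attribute is available, and the value is only forwarded to module inputs here, so adding `sensitive = true` to both blocks should not change the plan. The same unmarked declarations appear in examples/sqs/variables.tf and humanitec-resource-defs/iam-policy/s3/variables.tf in this diff and should get the same treatment. Separately, `resource_packs_aws_rev` defaults to `"refs/heads/main"`, a mutable branch, which means the Terraform fetched from `resource_packs_aws_url` can change underneath an already-reviewed definition; the description could note that a tag or commit SHA is the safer value outside a throwaway test.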
@@ -16,12 +35,13 @@
 | Name | Source | Version |
 |------|--------|---------|
-| iam\_policy\_s3\_admin | ../../humanitec-resource-defs/iam-policy/s3-admin | n/a |
-| iam\_policy\_sqs\_admin | ../../humanitec-resource-defs/iam-policy/sqs-admin | n/a |
+| iam\_policy\_sqs\_consumer | ../../humanitec-resource-defs/iam-policy/sqs | n/a |
+| iam\_policy\_sqs\_publisher | ../../humanitec-resource-defs/iam-policy/sqs | n/a |
 | iam\_role\_service\_account | ../../humanitec-resource-defs/iam-role/service-account | n/a |
 | k8s\_service\_account | ../../humanitec-resource-defs/k8s/service-account | n/a |
-| s3\_basic | ../../humanitec-resource-defs/s3/basic | n/a |
 | sqs\_basic | ../../humanitec-resource-defs/sqs/basic | n/a |
+| sqs\_basic\_consumer | ../../humanitec-resource-defs/sqs/passthrough | n/a |
+| sqs\_basic\_publisher | ../../humanitec-resource-defs/sqs/passthrough | n/a |
 | workload | ../../humanitec-resource-defs/workload/service-account | n/a |
 ## Resources
@@ -29,23 +49,24 @@
 | Name | Type |
 |------|------|
 | [humanitec_application.example](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/application) | resource |
-| [humanitec_resource_definition_criteria.iam_policy_s3_admin](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
-| [humanitec_resource_definition_criteria.iam_policy_sqs_admin](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
+| [humanitec_resource_definition_criteria.iam_policy_sqs_consumer](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
+| [humanitec_resource_definition_criteria.iam_policy_sqs_publisher](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [humanitec_resource_definition_criteria.iam_role_service_account](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [humanitec_resource_definition_criteria.k8s_service_account](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
-| [humanitec_resource_definition_criteria.s3_basic](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [humanitec_resource_definition_criteria.sqs_basic](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
+| [humanitec_resource_definition_criteria.sqs_basic_consumer](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
+| 
[humanitec_resource_definition_criteria.sqs_basic_publisher](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [humanitec_resource_definition_criteria.workload](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 ## Inputs
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| access\_key | n/a | `string` | n/a | yes |
-| oidc\_provider | n/a | `string` | n/a | yes |
-| oidc\_provider\_arn | n/a | `string` | n/a | yes |
-| secret\_key | n/a | `string` | n/a | yes |
-| name | n/a | `string` | `"item-list"` | no |
-| region | n/a | `string` | `"eu-central-1"` | no |
-| resource\_packs\_aws\_rev | n/a | `string` | `"refs/heads/main"` | no |
-
\ No newline at end of file
+| access\_key | AWS Access Key | `string` | n/a | yes |
+| cluster\_name | Name of the EKS cluster | `string` | n/a | yes |
+| region | AWS Region | `string` | n/a | yes |
+| secret\_key | AWS Secret Key | `string` | n/a | yes |
+| name | Name of the example application | `string` | `"sqs-test"` | no |
+| resource\_packs\_aws\_rev | AWS Resource Pack git branch | `string` | `"refs/heads/main"` | no |
+| resource\_packs\_aws\_url | AWS Resource Pack git url | `string` | `"https://github.com/humanitec-architecture/resource-packs-aws.git"` | no |
+
diff --git a/examples/sqs/main.tf b/examples/sqs/main.tf
index 15f07c5..4e2c912 100644
--- a/examples/sqs/main.tf
+++ b/examples/sqs/main.tf
@@ -1,151 +1,157 @@
-variable "access_key" {
- type = string
-}
-variable "secret_key" {
- type = string
+locals {
+ res_def_prefix = "${var.name}-"
 }
-variable "region" {
- type = string
- default = "eu-central-1"
+resource "humanitec_application" "example" {
+ id = var.name
+ name = var.name
 }
-variable "resource_packs_aws_rev" {
- type = string
- default = "refs/heads/main"
-}
+# SQS queue
-variable "oidc_provider" {
- type = string
-}
+locals {
+ # Classes used to build the resource definition graph
+ sqs_basic_class = "basic"
+ sqs_publisher_policy_class = "sqs-basic-publisher"
+ sqs_consumer_policy_class = "sqs-basic-consumer"
-variable "oidc_provider_arn" {
- type = string
+ # Classes that developers can select from
+ sqs_basic_publisher_class = "basic-publisher"
+ sqs_basic_consumer_class = "basic-consumer"
 }
-variable "name" {
- type = string
- default = "item-list"
-}
+# Define sqs queue basic "flavour" as base
-locals {
- res_def_prefix = "${var.name}-"
-}
+module "sqs_basic" {
+ source = "../../humanitec-resource-defs/sqs/basic"
-resource "humanitec_application" "example" {
- id = var.name
- name = var.name
-}
+ resource_packs_aws_url = var.resource_packs_aws_url
+ resource_packs_aws_rev = var.resource_packs_aws_rev
-module "k8s_service_account" {
- source = "../../humanitec-resource-defs/k8s/service-account"
+ access_key = var.access_key
+ secret_key = var.secret_key
+ region = var.region
 prefix = local.res_def_prefix
 }
-resource "humanitec_resource_definition_criteria" "k8s_service_account" {
- resource_definition_id = module.k8s_service_account.id
+resource "humanitec_resource_definition_criteria" "sqs_basic" {
+ resource_definition_id = module.sqs_basic.id
 app_id = humanitec_application.example.id
+ class = local.sqs_basic_class
 }
-# S3 bucket
+# Add different access policy to sqs basic queue
-locals {
- s3_class = "default"
- s3_admin_policy_class = "s3-admin"
-}
+# Publisher
+
+## Policy
-module "s3_basic" {
- source = 
"../../humanitec-resource-defs/s3/basic"
+module "iam_policy_sqs_publisher" {
+ source = "../../humanitec-resource-defs/iam-policy/sqs"
- access_key = var.access_key
- secret_key = var.secret_key
+ resource_packs_aws_url = var.resource_packs_aws_url
 resource_packs_aws_rev = var.resource_packs_aws_rev
- region = var.region
- policy_classes = [local.s3_admin_policy_class]
- prefix = local.res_def_prefix
+ access_key = var.access_key
+ secret_key = var.secret_key
+ region = var.region
+
+ prefix = local.res_def_prefix
+ policy = "publisher"
+ sqs_resource_class = local.sqs_basic_publisher_class
 }
-resource "humanitec_resource_definition_criteria" "s3_basic" {
- resource_definition_id = module.s3_basic.id
+resource "humanitec_resource_definition_criteria" "iam_policy_sqs_publisher" {
+ resource_definition_id = module.iam_policy_sqs_publisher.id
 app_id = humanitec_application.example.id
- class = local.s3_class
+ class = local.sqs_publisher_policy_class
 }
-module "iam_policy_s3_admin" {
- source = "../../humanitec-resource-defs/iam-policy/s3-admin"
+## Exposed passthrough resource definition
+module "sqs_basic_publisher" {
+ source = "../../humanitec-resource-defs/sqs/passthrough"
- access_key = var.access_key
- secret_key = var.secret_key
- resource_packs_aws_rev = var.resource_packs_aws_rev
- region = var.region
+ prefix = local.res_def_prefix
- prefix = local.res_def_prefix
- s3_resource_definition_class = local.s3_class
+ sqs_resource_class = local.sqs_basic_class
+ policy_resource_class = local.sqs_publisher_policy_class
 }
-resource "humanitec_resource_definition_criteria" "iam_policy_s3_admin" {
- resource_definition_id = module.iam_policy_s3_admin.id
+resource "humanitec_resource_definition_criteria" "sqs_basic_publisher" {
+ resource_definition_id = module.sqs_basic_publisher.id
 app_id = humanitec_application.example.id
- class = local.s3_admin_policy_class
+ class = local.sqs_basic_publisher_class
 }
-# SQS queue
+# Consumer
-locals {
- sqs_class = "default"
- 
sqs_admin_policy_class = "sqs-admin"
+## Policy
+module "iam_policy_sqs_consumer" {
+ source = "../../humanitec-resource-defs/iam-policy/sqs"
+
+ resource_packs_aws_url = var.resource_packs_aws_url
+ resource_packs_aws_rev = var.resource_packs_aws_rev
+
+ access_key = var.access_key
+ secret_key = var.secret_key
+ region = var.region
+
+ policy = "consumer"
+
+ prefix = local.res_def_prefix
+
+ sqs_resource_class = local.sqs_basic_consumer_class
 }
-module "sqs_basic" {
- source = "../../humanitec-resource-defs/sqs/basic"
+resource "humanitec_resource_definition_criteria" "iam_policy_sqs_consumer" {
+ resource_definition_id = module.iam_policy_sqs_consumer.id
+ app_id = humanitec_application.example.id
+ class = local.sqs_consumer_policy_class
+}
- access_key = var.access_key
- secret_key = var.secret_key
- resource_packs_aws_rev = var.resource_packs_aws_rev
- region = var.region
- policy_classes = [local.sqs_admin_policy_class]
+## Exposed passthrough resource definition
+module "sqs_basic_consumer" {
+ source = "../../humanitec-resource-defs/sqs/passthrough"
 prefix = local.res_def_prefix
+
+ sqs_resource_class = local.sqs_basic_class
+ policy_resource_class = local.sqs_consumer_policy_class
 }
-resource "humanitec_resource_definition_criteria" "sqs_basic" {
- resource_definition_id = module.sqs_basic.id
+resource "humanitec_resource_definition_criteria" "sqs_basic_consumer" {
+ resource_definition_id = module.sqs_basic_consumer.id
 app_id = humanitec_application.example.id
- class = local.sqs_class
+ class = local.sqs_basic_consumer_class
 }
-module "iam_policy_sqs_admin" {
- source = "../../humanitec-resource-defs/iam-policy/sqs-admin"
- access_key = var.access_key
- secret_key = var.secret_key
- resource_packs_aws_rev = var.resource_packs_aws_rev
- region = var.region
+# Required resources for workload identity
- prefix = local.res_def_prefix
- sqs_resource_definition_class = local.sqs_class
+module "k8s_service_account" {
+ source = 
"../../humanitec-resource-defs/k8s/service-account"
+
+ prefix = local.res_def_prefix
 }
-resource "humanitec_resource_definition_criteria" "iam_policy_sqs_admin" {
- resource_definition_id = module.iam_policy_sqs_admin.id
+resource "humanitec_resource_definition_criteria" "k8s_service_account" {
+ resource_definition_id = module.k8s_service_account.id
 app_id = humanitec_application.example.id
- class = local.sqs_admin_policy_class
 }
 module "iam_role_service_account" {
 source = "../../humanitec-resource-defs/iam-role/service-account"
- access_key = var.access_key
- secret_key = var.secret_key
+ resource_packs_aws_url = var.resource_packs_aws_url
 resource_packs_aws_rev = var.resource_packs_aws_rev
- region = var.region
- oidc_provider = var.oidc_provider
- oidc_provider_arn = var.oidc_provider_arn
- prefix = local.res_def_prefix
- policy_classes = []
+ access_key = var.access_key
+ secret_key = var.secret_key
+ region = var.region
+
+ cluster_name = var.cluster_name
+ prefix = local.res_def_prefix
 }
 resource "humanitec_resource_definition_criteria" "iam_role_service_account" {
diff --git a/examples/sqs/terraform.tfvars.example b/examples/sqs/terraform.tfvars.example
index 05ea2d4..c9fb80c 100644
--- a/examples/sqs/terraform.tfvars.example
+++ b/examples/sqs/terraform.tfvars.example
@@ -1,7 +1,21 @@
-access_key = ""
-name = "item-list"
-oidc_provider = ""
-oidc_provider_arn = ""
-region = "eu-central-1"
+
+# AWS Access Key
+access_key = ""
+
+# Name of the EKS cluster
+cluster_name = ""
+
+# Name of the example application
+name = "sqs-test"
+
+# AWS Region
+region = ""
+
+# AWS Resource Pack git branch
 resource_packs_aws_rev = "refs/heads/main"
-secret_key = ""
\ No newline at end of file
+
+# AWS Resource Pack git url
+resource_packs_aws_url = "https://github.com/humanitec-architecture/resource-packs-aws.git"
+
+# AWS Secret Key
+secret_key = ""
\ No newline at end of file
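Review bot: In `module "iam_policy_sqs_publisher"` the line `sqs_resource_class = local.sqs_basic_publisher_class` points the policy at the developer-facing passthrough class (`basic-publisher`) instead of the base queue class, and `module "iam_policy_sqs_consumer"` does the same with `local.sqs_basic_consumer_class`; the S3 example in this diff passes `s3_resource_class = local.s3_basic_class`, and the two passthrough modules here already reference the base class via `sqs_resource_class = local.sqs_basic_class`. If the sqs iam-policy module resolves the queue ARN the way the s3 one does (`$${resources['s3.${var.s3_resource_class}'].outputs.arn}` in humanitec-resource-defs/iam-policy/s3/main.tf), the policy would look up the passthrough resource that itself depends on the policy, which looks circular and in any case grants access to a different resource than the base `basic` queue. Both lines should read `sqs_resource_class = local.sqs_basic_class`. The file continues past the hunk: `resource "humanitec_resource_definition_criteria" "iam_role_service_account"` is opened on its last line.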
diff --git a/examples/sqs/variables.tf b/examples/sqs/variables.tf
new file mode 100644
index 0000000..ae334ed
--- /dev/null
+++ b/examples/sqs/variables.tf
@@ -0,0 +1,37 @@
+variable "access_key" {
+ description = "AWS Access Key"
+ type = string
+}
+
+variable "secret_key" {
+ description = "AWS Secret Key"
+ type = string
+}
+
+variable "region" {
+ description = "AWS Region"
+ type = string
+}
+
+variable "cluster_name" {
+ description = "Name of the EKS cluster"
+ type = string
+}
+
+variable "resource_packs_aws_url" {
+ description = "AWS Resource Pack git url"
+ type = string
+ default = "https://github.com/humanitec-architecture/resource-packs-aws.git"
+}
+
+variable "resource_packs_aws_rev" {
+ description = "AWS Resource Pack git branch"
+ type = string
+ default = "refs/heads/main"
+}
+
+variable "name" {
+ description = "Name of the example application"
+ type = string
+ default = "sqs-test"
+}
diff --git a/humanitec-resource-defs/iam-policy/ecr-create-repository/README.md b/humanitec-resource-defs/iam-policy/ecr-create-repository/README.md
index 8c014e6..25112e6 100644
--- a/humanitec-resource-defs/iam-policy/ecr-create-repository/README.md
+++ b/humanitec-resource-defs/iam-policy/ecr-create-repository/README.md
@@ -25,8 +25,9 @@
 | access\_key | n/a | `string` | n/a | yes |
 | prefix | n/a | `string` | n/a | yes |
 | region | n/a | `string` | n/a | yes |
-| resource\_packs\_aws\_rev | n/a | `string` | n/a | yes |
+| resource\_packs\_aws\_rev | AWS Resource Pack git branch | `string` | n/a | yes |
 | secret\_key | n/a | `string` | n/a | yes |
+| resource\_packs\_aws\_url | AWS Resource Pack git url | `string` | `"https://github.com/humanitec-architecture/resource-packs-aws.git"` | no |
 ## Outputs
diff --git a/humanitec-resource-defs/iam-policy/ecr-create-repository/main.tf b/humanitec-resource-defs/iam-policy/ecr-create-repository/main.tf
index 9bfc4f3..5ab4cdb 100644
--- a/humanitec-resource-defs/iam-policy/ecr-create-repository/main.tf
+++ b/humanitec-resource-defs/iam-policy/ecr-create-repository/main.tf
@@ -16,7 +16,7 @@ resource "humanitec_resource_definition" "main" {
 source = {
 path = "modules/iam-policy/ecr-create-repository"
 rev = var.resource_packs_aws_rev
- url = "https://github.com/humanitec-architecture/resource-packs-aws.git"
+ url = var.resource_packs_aws_url
 }
 variables = {
diff --git a/humanitec-resource-defs/iam-policy/ecr-create-repository/terraform.tfvars.example b/humanitec-resource-defs/iam-policy/ecr-create-repository/terraform.tfvars.example
index 5206eeb..b52a6af 100644
--- a/humanitec-resource-defs/iam-policy/ecr-create-repository/terraform.tfvars.example
+++ b/humanitec-resource-defs/iam-policy/ecr-create-repository/terraform.tfvars.example
@@ -1,5 +1,11 @@
-access_key = ""
-prefix = ""
-region = ""
+access_key = ""
+prefix = ""
+region = ""
+
+# AWS Resource Pack git branch
 resource_packs_aws_rev = ""
-secret_key = ""
\ No newline at end of file
+
+# AWS Resource Pack git url
+resource_packs_aws_url = "https://github.com/humanitec-architecture/resource-packs-aws.git"
+
+secret_key = ""
\ No newline at end of file
diff --git a/humanitec-resource-defs/iam-policy/ecr-create-repository/variables.tf b/humanitec-resource-defs/iam-policy/ecr-create-repository/variables.tf
index 2399540..f5b3698 100644
--- a/humanitec-resource-defs/iam-policy/ecr-create-repository/variables.tf
+++ b/humanitec-resource-defs/iam-policy/ecr-create-repository/variables.tf
@@ -2,8 +2,15 @@ variable "prefix" {
 type = string
 }
+variable "resource_packs_aws_url" {
+ description = "AWS Resource Pack git url"
+ type = string
+ default = "https://github.com/humanitec-architecture/resource-packs-aws.git"
+}
+
 variable "resource_packs_aws_rev" {
- type = string
+ description = "AWS Resource Pack git branch"
+ type = string
 }
 variable "access_key" {
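Review bot: With `url = var.resource_packs_aws_url` in main.tf the Terraform that this resource definition executes now comes entirely from caller-supplied inputs, and `variable "resource_packs_aws_rev"` in variables.tf carries no default, constraint or guidance, so nothing in the module records that the pair should be pinned; a branch ref such as the `refs/heads/main` the examples use lets the fetched code change after the definition was reviewed. I would say so in the description, e.g. `description = "AWS Resource Pack git ref; prefer a tag or commit SHA over a branch so the fetched modules cannot change after review"`, and carry the same wording into the README row. The variables.tf hunk opens inside `variable "prefix"`, whose first line is outside it.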
diff --git a/humanitec-resource-defs/iam-policy/s3-admin/main.tf b/humanitec-resource-defs/iam-policy/s3-admin/main.tf
deleted file mode 100644
index 7fae256..0000000
--- a/humanitec-resource-defs/iam-policy/s3-admin/main.tf
+++ /dev/null
@@ -1,33 +0,0 @@
-resource "humanitec_resource_definition" "main" {
- driver_type = "humanitec/terraform"
- id = "${var.prefix}iam-policy-s3-admin"
- name = "${var.prefix}iam-policy-s3-admin"
- type = "aws-policy"
-
- driver_inputs = {
- secrets_string = jsonencode({
- variables = {
- access_key = var.access_key
- secret_key = var.secret_key
- }
- })
-
- values_string = jsonencode({
- source = {
- path = "modules/iam-policy/s3-admin"
- rev = var.resource_packs_aws_rev
- url = "https://github.com/humanitec-architecture/resource-packs-aws.git"
- }
-
- variables = {
- region = var.region,
- prefix = "${var.prefix}$${context.res.id}"
- s3_bucket_arn = "$${resources['s3.${var.s3_resource_definition_class}'].outputs.arn}"
-
- res_id = "$${context.res.id}"
- app_id = "$${context.app.id}"
- env_id = "$${context.env.id}"
- }
- })
- }
-}
diff --git a/humanitec-resource-defs/iam-policy/s3-admin/terraform.tfvars.example b/humanitec-resource-defs/iam-policy/s3-admin/terraform.tfvars.example
deleted file mode 100644
index 60ed9a8..0000000
--- a/humanitec-resource-defs/iam-policy/s3-admin/terraform.tfvars.example
+++ /dev/null
@@ -1,6 +0,0 @@
-access_key = ""
-prefix = ""
-region = ""
-resource_packs_aws_rev = ""
-s3_resource_definition_class = ""
-secret_key = ""
\ No newline at end of file
diff --git a/humanitec-resource-defs/iam-policy/s3/README.md b/humanitec-resource-defs/iam-policy/s3/README.md
new file mode 100644
index 0000000..8ea228d
--- /dev/null
+++ b/humanitec-resource-defs/iam-policy/s3/README.md
@@ -0,0 +1,39 @@
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| terraform | >= 1.3.0 |
+| humanitec | ~> 0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| humanitec | ~> 0 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [humanitec_resource_definition.main](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| access\_key | n/a | `string` | n/a | yes |
+| policy | Name of the exposed policy | `string` | n/a | yes |
+| prefix | n/a | `string` | n/a | yes |
+| region | n/a | `string` | n/a | yes |
+| resource\_packs\_aws\_rev | AWS Resource Pack git branch | `string` | n/a | yes |
+| s3\_resource\_class | The class of the S3 resource | `string` | n/a | yes |
+| secret\_key | n/a | `string` | n/a | yes |
+| resource\_packs\_aws\_url | AWS Resource Pack git url | `string` | `"https://github.com/humanitec-architecture/resource-packs-aws.git"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| id | n/a |
+
\ No newline at end of file
diff --git a/humanitec-resource-defs/iam-policy/s3/main.tf b/humanitec-resource-defs/iam-policy/s3/main.tf
new file mode 100644
index 0000000..df3a714
--- /dev/null
+++ b/humanitec-resource-defs/iam-policy/s3/main.tf
@@ -0,0 +1,33 @@
+resource "humanitec_resource_definition" "main" {
+ driver_type = "humanitec/terraform"
+ id = "${var.prefix}iam-policy-s3-${var.policy}"
+ name = "${var.prefix}iam-policy-s3-${var.policy}"
+ type = "aws-policy"
+
+ driver_inputs = {
+ secrets_string = jsonencode({
+ variables = {
+ access_key = var.access_key
+ secret_key = var.secret_key
+ }
+ })
+
+ values_string = jsonencode({
+ source = {
+ path = "modules/iam-policy/s3-${var.policy}"
+ rev = var.resource_packs_aws_rev
+ url = var.resource_packs_aws_url
+ }
+
+ variables = {
+ region = var.region,
+ prefix = "${var.prefix}$${context.res.id}"
+
+ res_id = "$${context.res.id}"
+ app_id = "$${context.app.id}"
+ env_id = "$${context.env.id}"
+ s3_bucket_arn = "$${resources['s3.${var.s3_resource_class}'].outputs.arn}"
+ }
+ })
+ }
+}
diff --git a/humanitec-resource-defs/iam-policy/s3-admin/outputs.tf b/humanitec-resource-defs/iam-policy/s3/outputs.tf
similarity index 100%
rename from humanitec-resource-defs/iam-policy/s3-admin/outputs.tf
rename to humanitec-resource-defs/iam-policy/s3/outputs.tf
diff --git a/humanitec-resource-defs/iam-policy/s3-admin/providers.tf b/humanitec-resource-defs/iam-policy/s3/providers.tf
similarity index 100%
rename from humanitec-resource-defs/iam-policy/s3-admin/providers.tf
rename to humanitec-resource-defs/iam-policy/s3/providers.tf
diff --git a/humanitec-resource-defs/iam-policy/s3/terraform.tfvars.example b/humanitec-resource-defs/iam-policy/s3/terraform.tfvars.example
new file mode 100644
index 0000000..4e491e8
--- /dev/null
+++ b/humanitec-resource-defs/iam-policy/s3/terraform.tfvars.example
@@ -0,0 +1,18 @@
+access_key = ""
+
+# Name of the exposed policy
+policy = ""
+
+prefix = ""
+region = ""
+
+# AWS Resource Pack git branch
+resource_packs_aws_rev = ""
+
+# AWS Resource Pack git url
+resource_packs_aws_url = "https://github.com/humanitec-architecture/resource-packs-aws.git"
+
+# The class of the S3 resource
+s3_resource_class = ""
+
+secret_key = ""
\ No newline at end of file
diff --git a/humanitec-resource-defs/iam-policy/s3/variables.tf b/humanitec-resource-defs/iam-policy/s3/variables.tf
new file mode 100644
index 0000000..adec55d
--- /dev/null
+++ b/humanitec-resource-defs/iam-policy/s3/variables.tf
@@ -0,0 +1,36 @@
+variable "prefix" {
+ type = string
+}
+
+variable "resource_packs_aws_url" {
+ description = "AWS Resource Pack git url"
+ type = string
+ default = "https://github.com/humanitec-architecture/resource-packs-aws.git"
+}
+
+variable "resource_packs_aws_rev" {
+ description = "AWS Resource Pack git branch"
+ type = string
+}
+
+variable "access_key" {
+ type = string
+}
+
+variable "secret_key" {
+ type = string
+}
+
+variable "region" {
+ type = string
+}
+
+variable "policy" {
+ description = "Name of the exposed policy"
+ type = string
+}
+
+variable "s3_resource_class" {
+ description = "The class of the S3 resource"
+ type = string
+}
diff --git a/humanitec-resource-defs/iam-policy/sqs-admin/main.tf b/humanitec-resource-defs/iam-policy/sqs-admin/main.tf
deleted file mode 100644
index cd5a519..0000000
--- a/humanitec-resource-defs/iam-policy/sqs-admin/main.tf
+++ /dev/null
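Review bot: `variable "policy"` in variables.tf is a free-form `string`, yet main.tf in this diff splices it into the definition id (`"${var.prefix}iam-policy-s3-${var.policy}"`) and into the resource pack module path (`"modules/iam-policy/s3-${var.policy}"`), so the value both names the IAM policy that gets granted and selects which module is fetched, and a typo or unexpected value only surfaces when the definition is provisioned. The examples use `"admin"` and `"read-only"`, so a `validation` block restricting the input to those names fails at plan time and keeps the set of selectable policies explicit in one place; extend the list when a new `s3-*` policy module is added to the resource pack. The same applies to the `sqs` variant of this module if it is built the same way.
```hcl
variable "policy" {
  description = "Name of the exposed policy"
  type        = string

  validation {
    condition     = contains(["admin", "read-only"], var.policy)
    error_message = "policy must be one of: admin, read-only."
  }
}
```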
@@ -1,33 +0,0 @@ -resource "humanitec_resource_definition" "main" { - driver_type = "humanitec/terraform" - id = "${var.prefix}iam-policy-sqs-admin" - name = "${var.prefix}iam-policy-sqs-admin" - type = "aws-policy" - - driver_inputs = { - secrets_string = jsonencode({ - variables = { - access_key = var.access_key - secret_key = var.secret_key - } - }) - - values_string = jsonencode({ - source = { - path = "modules/iam-policy/sqs-admin" - rev = var.resource_packs_aws_rev - url = "https://github.com/humanitec-architecture/resource-packs-aws.git" - } - - variables = { - region = var.region, - prefix = "${var.prefix}$${context.res.id}" - sqs_queue_arn = "$${resources['sqs.${var.sqs_resource_definition_class}'].outputs.arn}" - - res_id = "$${context.res.id}" - app_id = "$${context.app.id}" - env_id = "$${context.env.id}" - } - }) - } -} diff --git a/humanitec-resource-defs/iam-policy/sqs-admin/terraform.tfvars.example b/humanitec-resource-defs/iam-policy/sqs-admin/terraform.tfvars.example deleted file mode 100644 index fe1b427..0000000 --- a/humanitec-resource-defs/iam-policy/sqs-admin/terraform.tfvars.example +++ /dev/null @@ -1,6 +0,0 @@ -access_key = "" -prefix = "" -region = "" -resource_packs_aws_rev = "" -secret_key = "" -sqs_resource_definition_class = "" \ No newline at end of file diff --git a/humanitec-resource-defs/iam-policy/sqs/README.md b/humanitec-resource-defs/iam-policy/sqs/README.md new file mode 100644 index 0000000..f69abda --- /dev/null +++ b/humanitec-resource-defs/iam-policy/sqs/README.md 
@@ -0,0 +1,39 @@ + +## Requirements + +| Name | Version | +|------|---------| +| terraform | >= 1.3.0 | +| humanitec | ~> 0 | + +## Providers + +| Name | Version | +|------|---------| +| humanitec | ~> 0 | + +## Resources + +| Name | Type | +|------|------| +| [humanitec_resource_definition.main](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| access\_key | n/a | `string` | n/a | yes | +| policy | Name of the exposed policy | `string` | n/a | yes | +| prefix | n/a | `string` | n/a | yes | +| region | n/a | `string` | n/a | yes | +| resource\_packs\_aws\_rev | AWS Resource Pack git branch | `string` | n/a | yes | +| secret\_key | n/a | `string` | n/a | yes | +| sqs\_resource\_class | The class of the SQS resource | `string` | n/a | yes | +| resource\_packs\_aws\_url | AWS Resource Pack git url | `string` | `"https://github.com/humanitec-architecture/resource-packs-aws.git"` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| id | n/a | + \ No newline at end of file diff --git a/humanitec-resource-defs/iam-policy/sqs/main.tf b/humanitec-resource-defs/iam-policy/sqs/main.tf new file mode 100644 index 0000000..f34f209 --- /dev/null +++ b/humanitec-resource-defs/iam-policy/sqs/main.tf 
@@ -0,0 +1,33 @@
+resource "humanitec_resource_definition" "main" {
+ driver_type = "humanitec/terraform"
+ id = "${var.prefix}iam-policy-sqs-${var.policy}"
+ name = "${var.prefix}iam-policy-sqs-${var.policy}"
+ type = "aws-policy"
+
+ driver_inputs = {
+ secrets_string = jsonencode({
+ variables = {
+ access_key = var.access_key
+ secret_key = var.secret_key
+ }
+ })
+
+ values_string = jsonencode({
+ source = {
+ path = "modules/iam-policy/sqs-${var.policy}"
+ rev = var.resource_packs_aws_rev
+ url = var.resource_packs_aws_url
+ }
+
+ variables = {
+ region = var.region,
+ prefix = "${var.prefix}$${context.res.id}"
+
+ res_id = "$${context.res.id}"
+ app_id = "$${context.app.id}"
+ env_id = "$${context.env.id}"
+ sqs_queue_arn = "$${resources['sqs.${var.sqs_resource_class}'].outputs.arn}"
+ }
+ })
+ }
+}
diff --git a/humanitec-resource-defs/iam-policy/sqs-admin/outputs.tf b/humanitec-resource-defs/iam-policy/sqs/outputs.tf
similarity index 100%
rename from humanitec-resource-defs/iam-policy/sqs-admin/outputs.tf
rename to humanitec-resource-defs/iam-policy/sqs/outputs.tf
diff --git a/humanitec-resource-defs/iam-policy/sqs-admin/providers.tf b/humanitec-resource-defs/iam-policy/sqs/providers.tf
similarity index 100%
rename from humanitec-resource-defs/iam-policy/sqs-admin/providers.tf
rename to humanitec-resource-defs/iam-policy/sqs/providers.tf
diff --git a/humanitec-resource-defs/iam-policy/sqs/terraform.tfvars.example b/humanitec-resource-defs/iam-policy/sqs/terraform.tfvars.example
new file mode 100644
index 0000000..4155494
--- /dev/null
+++ b/humanitec-resource-defs/iam-policy/sqs/terraform.tfvars.example
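Review bot: The module source is assembled entirely from caller input — `url = var.resource_packs_aws_url` and `rev = var.resource_packs_aws_rev` — and the companion `variables.tf` describes `rev` as a git branch, so the Terraform that creates the IAM policy is re-fetched from a moving ref on every driver run, with no integrity check, using the static credentials in `secrets_string`. This is the supply-chain choke point for every policy in the pack; at minimum the example and description should point at a tag or commit SHA, and a `validation` on `resource_packs_aws_rev` rejecting values that start with `refs/heads/` would enforce it. `path = "modules/iam-policy/sqs-${var.policy}"` carries the same unconstrained interpolation as the s3 definition above.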
@@ -0,0 +1,18 @@ +access_key = "" + +# Name of the exposed policy +policy = "" + +prefix = "" +region = "" + +# AWS Resource Pack git branch +resource_packs_aws_rev = "" + +# AWS Resource Pack git url +resource_packs_aws_url = "https://github.com/humanitec-architecture/resource-packs-aws.git" + +secret_key = "" + +# The class of the SQS resource +sqs_resource_class = "" \ No newline at end of file diff --git a/humanitec-resource-defs/iam-policy/sqs/variables.tf b/humanitec-resource-defs/iam-policy/sqs/variables.tf new file mode 100644 index 0000000..90a6118 --- /dev/null +++ b/humanitec-resource-defs/iam-policy/sqs/variables.tf @@ -0,0 +1,36 @@ +variable "prefix" { + type = string +} + +variable "resource_packs_aws_url" { + description = "AWS Resource Pack git url" + type = string + default = "https://github.com/humanitec-architecture/resource-packs-aws.git" +} + +variable "resource_packs_aws_rev" { + description = "AWS Resource Pack git branch" + type = string +} + +variable "access_key" { + type = string +} + +variable "secret_key" { + type = string +} + +variable "region" { + type = string +} + +variable "policy" { + description = "Name of the exposed policy" + type = string +} + +variable "sqs_resource_class" { + description = "The class of the SQS resource" + type = string +} diff --git a/humanitec-resource-defs/iam-role/service-account/README.md b/humanitec-resource-defs/iam-role/service-account/README.md index fb710ef..f1147b6 100644 --- a/humanitec-resource-defs/iam-role/service-account/README.md +++ b/humanitec-resource-defs/iam-role/service-account/README.md 
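Review bot: `policy` in the new sqs `variables.tf` is free-form text that `main.tf` splices into the module path, but the only `sqs-*` policy modules visible in this commit are `sqs-admin` (modified below) and `sqs-consumer` (added below), so a `validation` block makes the contract explicit and turns a typo into an apply-time error on the definition instead of a driver failure deep inside a deployment: `condition = contains(["admin", "consumer"], var.policy)` with an `error_message` listing the accepted values. `access_key` and `secret_key` should also carry `sensitive = true`, as for the s3 definition.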
@@ -23,13 +23,12 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | access\_key | n/a | `string` | n/a | yes | -| oidc\_provider | n/a | `string` | n/a | yes | -| oidc\_provider\_arn | n/a | `string` | n/a | yes | -| policy\_classes | n/a | `list(string)` | n/a | yes | +| cluster\_name | n/a | `string` | n/a | yes | | prefix | n/a | `string` | n/a | yes | | region | n/a | `string` | n/a | yes | -| resource\_packs\_aws\_rev | n/a | `string` | n/a | yes | +| resource\_packs\_aws\_rev | AWS Resource Pack git branch | `string` | n/a | yes | | secret\_key | n/a | `string` | n/a | yes | +| resource\_packs\_aws\_url | AWS Resource Pack git url | `string` | `"https://github.com/humanitec-architecture/resource-packs-aws.git"` | no | ## Outputs diff --git a/humanitec-resource-defs/iam-role/service-account/main.tf b/humanitec-resource-defs/iam-role/service-account/main.tf index 92ecc81..97a5c8a 100644 --- a/humanitec-resource-defs/iam-role/service-account/main.tf +++ b/humanitec-resource-defs/iam-role/service-account/main.tf @@ -4,13 +4,6 @@ resource "humanitec_resource_definition" "main" { name = "${var.prefix}aws-workload-role" type = "aws-role" - provision = { - for s in var.policy_classes : "aws-policy.${s}" => { - match_dependents = true - is_dependent = false - } - } - driver_inputs = { secrets_string = jsonencode({ variables = { 
@@ -23,16 +16,15 @@ resource "humanitec_resource_definition" "main" { source = { path = "modules/iam-role/service-account" rev = var.resource_packs_aws_rev - url = "https://github.com/humanitec-architecture/resource-packs-aws.git" + url = var.resource_packs_aws_url } variables = { - region = var.region, - prefix = "${var.prefix}$${context.res.id}" - policy_arns = "$${resources.workload>aws-policy.outputs.arn}" - oidc_provider = var.oidc_provider - oidc_provider_arn = var.oidc_provider_arn - namespace = "$${resources.k8s-namespace#k8s-namespace.outputs.namespace}" + region = var.region, + prefix = "${var.prefix}$${context.res.id}" + policy_arns = "$${resources.workload>aws-policy.outputs.arn}" + cluster_name = var.cluster_name + namespace = "$${resources.k8s-namespace#k8s-namespace.outputs.namespace}" res_id = "$${context.res.id}" app_id = "$${context.app.id}" diff --git a/humanitec-resource-defs/iam-role/service-account/terraform.tfvars.example b/humanitec-resource-defs/iam-role/service-account/terraform.tfvars.example index d3b19d6..5b3c21c 100644 --- a/humanitec-resource-defs/iam-role/service-account/terraform.tfvars.example +++ b/humanitec-resource-defs/iam-role/service-account/terraform.tfvars.example @@ -1,8 +1,12 @@ -access_key = "" -oidc_provider = "" -oidc_provider_arn = "" -policy_classes = "" -prefix = "" -region = "" +access_key = "" +cluster_name = "" +prefix = "" +region = "" + +# AWS Resource Pack git branch resource_packs_aws_rev = "" -secret_key = "" \ No newline at end of file + +# AWS Resource Pack git url +resource_packs_aws_url = "https://github.com/humanitec-architecture/resource-packs-aws.git" + +secret_key = "" \ No newline at end of file diff --git a/humanitec-resource-defs/iam-role/service-account/variables.tf b/humanitec-resource-defs/iam-role/service-account/variables.tf index ec26ba0..ed24232 100644 --- a/humanitec-resource-defs/iam-role/service-account/variables.tf +++ b/humanitec-resource-defs/iam-role/service-account/variables.tf 
@@ -2,10 +2,16 @@ variable "prefix" { type = string } -variable "resource_packs_aws_rev" { - type = string +variable "resource_packs_aws_url" { + description = "AWS Resource Pack git url" + type = string + default = "https://github.com/humanitec-architecture/resource-packs-aws.git" } +variable "resource_packs_aws_rev" { + description = "AWS Resource Pack git branch" + type = string +} variable "access_key" { type = string @@ -19,14 +25,6 @@ variable "region" { type = string } -variable "oidc_provider" { +variable "cluster_name" { type = string } - -variable "oidc_provider_arn" { - type = string -} - -variable "policy_classes" { - type = list(string) -} diff --git a/humanitec-resource-defs/k8s/service-account/main.tf b/humanitec-resource-defs/k8s/service-account/main.tf index 98b0aa9..09ebae5 100644 --- a/humanitec-resource-defs/k8s/service-account/main.tf +++ b/humanitec-resource-defs/k8s/service-account/main.tf @@ -5,15 +5,8 @@ resource "humanitec_resource_definition" "main" { driver_type = "humanitec/template" driver_inputs = { - secrets_string = jsonencode({ - templates = { - # outputs = "" - } - }) - values_string = jsonencode({ templates = { - # cookie = "" init = "" manifests = <{
"1": {
"db_parameter_group_name": "default.aurora-postgresql14",
"instance_class": "db.r5.2xlarge",
"publicly_accessible": true
},
"2": {
"identifier": "static-member-1",
"instance_class": "db.r5.2xlarge"
}
} | no | -| resource\_packs\_aws\_rev | n/a | `string` | `"ref/heads/main"` | no | -| resource\_packs\_aws\_url | n/a | `string` | `"https://github.com/humanitec-architecture/resource-packs-aws.git"` | no | +| resource\_packs\_aws\_url | AWS Resource Pack git url | `string` | `"https://github.com/humanitec-architecture/resource-packs-aws.git"` | no | | security\_group\_rules | n/a | `any` | `{}` | no | | skip\_final\_snapshot | n/a | `bool` | `true` | no | | storage\_encrypted | n/a | `bool` | `true` | no | diff --git a/humanitec-resource-defs/rds/aurora/terraform.tfvars.example b/humanitec-resource-defs/rds/aurora/terraform.tfvars.example index ef00e98..2a23fe1 100644 --- a/humanitec-resource-defs/rds/aurora/terraform.tfvars.example +++ b/humanitec-resource-defs/rds/aurora/terraform.tfvars.example @@ -25,18 +25,23 @@ instances = { "instance_class": "db.r5.2xlarge" } } -master_password = "" -master_username = "" -name = "" -prefix = "" -region = "" -resource_packs_aws_rev = "ref/heads/main" +master_password = "" +master_username = "" +name = "" +prefix = "" +region = "" + +# AWS Resource Pack git branch +resource_packs_aws_rev = "" + +# AWS Resource Pack git url resource_packs_aws_url = "https://github.com/humanitec-architecture/resource-packs-aws.git" -secret_key = "" -security_group_rules = {} -skip_final_snapshot = true -storage_encrypted = true -storage_type = "aurora" -subnets = "" -type = "postgres" -vpc = "" \ No newline at end of file + +secret_key = "" +security_group_rules = {} +skip_final_snapshot = true +storage_encrypted = true +storage_type = "aurora" +subnets = "" +type = "postgres" +vpc = "" \ No newline at end of file diff --git a/humanitec-resource-defs/rds/aurora/variables.tf b/humanitec-resource-defs/rds/aurora/variables.tf index c6a1800..22d5faa 100644 --- a/humanitec-resource-defs/rds/aurora/variables.tf +++ b/humanitec-resource-defs/rds/aurora/variables.tf 
@@ -2,14 +2,15 @@ variable "prefix" { type = string } -variable "resource_packs_aws_rev" { - type = string - default = "ref/heads/main" +variable "resource_packs_aws_url" { + description = "AWS Resource Pack git url" + type = string + default = "https://github.com/humanitec-architecture/resource-packs-aws.git" } -variable "resource_packs_aws_url" { - type = string - default = "https://github.com/humanitec-architecture/resource-packs-aws.git" +variable "resource_packs_aws_rev" { + description = "AWS Resource Pack git branch" + type = string } variable "access_key" { diff --git a/humanitec-resource-defs/rds/basic/README.md b/humanitec-resource-defs/rds/basic/README.md index 70e8f1b..1679912 100644 --- a/humanitec-resource-defs/rds/basic/README.md +++ b/humanitec-resource-defs/rds/basic/README.md @@ -29,6 +29,7 @@ | password | n/a | `string` | n/a | yes | | prefix | n/a | `string` | n/a | yes | | region | n/a | `string` | n/a | yes | +| resource\_packs\_aws\_rev | AWS Resource Pack git branch | `string` | n/a | yes | | secret\_key | n/a | `string` | n/a | yes | | subnet\_ids | n/a | `set(string)` | n/a | yes | | username | n/a | `string` | n/a | yes | @@ -57,8 +58,7 @@ | performance\_insights\_enabled | n/a | `bool` | `true` | no | | performance\_insights\_retention\_period | n/a | `number` | `7` | no | | port | n/a | `number` | `5432` | no | -| resource\_packs\_aws\_rev | n/a | `string` | `"ref/heads/main"` | no | -| resource\_packs\_aws\_url | n/a | `string` | `"https://github.com/humanitec-architecture/resource-packs-aws.git"` | no | +| resource\_packs\_aws\_url | AWS Resource Pack git url | `string` | `"https://github.com/humanitec-architecture/resource-packs-aws.git"` | no | | skip\_final\_snapshot | n/a | `bool` | `true` | no | | type | n/a | `string` | `"postgres"` | no | diff --git a/humanitec-resource-defs/rds/basic/terraform.tfvars.example b/humanitec-resource-defs/rds/basic/terraform.tfvars.example index fbc8f40..b5db5c4 100644 
--- a/humanitec-resource-defs/rds/basic/terraform.tfvars.example +++ b/humanitec-resource-defs/rds/basic/terraform.tfvars.example @@ -29,11 +29,16 @@ performance_insights_retention_period = 7 port = 5432 prefix = "" region = "" -resource_packs_aws_rev = "ref/heads/main" -resource_packs_aws_url = "https://github.com/humanitec-architecture/resource-packs-aws.git" -secret_key = "" -skip_final_snapshot = true -subnet_ids = "" -type = "postgres" -username = "" -vpc_security_group_ids = "" \ No newline at end of file + +# AWS Resource Pack git branch +resource_packs_aws_rev = "" + +# AWS Resource Pack git url +resource_packs_aws_url = "https://github.com/humanitec-architecture/resource-packs-aws.git" + +secret_key = "" +skip_final_snapshot = true +subnet_ids = "" +type = "postgres" +username = "" +vpc_security_group_ids = "" \ No newline at end of file diff --git a/humanitec-resource-defs/rds/basic/variables.tf b/humanitec-resource-defs/rds/basic/variables.tf index a2a5ba2..1b728d9 100644 --- a/humanitec-resource-defs/rds/basic/variables.tf +++ b/humanitec-resource-defs/rds/basic/variables.tf @@ -2,14 +2,15 @@ variable "prefix" { type = string } -variable "resource_packs_aws_rev" { - type = string - default = "ref/heads/main" +variable "resource_packs_aws_url" { + description = "AWS Resource Pack git url" + type = string + default = "https://github.com/humanitec-architecture/resource-packs-aws.git" } -variable "resource_packs_aws_url" { - type = string - default = "https://github.com/humanitec-architecture/resource-packs-aws.git" +variable "resource_packs_aws_rev" { + description = "AWS Resource Pack git branch" + type = string } variable "region" { @@ -182,4 +183,4 @@ variable "monitoring_role_description" { variable "parameters" { type = set(any) default = [] -} \ No newline at end of file +} diff --git a/humanitec-resource-defs/redis/basic/README.md b/humanitec-resource-defs/redis/basic/README.md index 4c831cb..aa6dbe2 100644 
--- a/humanitec-resource-defs/redis/basic/README.md +++ b/humanitec-resource-defs/redis/basic/README.md @@ -25,13 +25,13 @@ | access\_key | AWS Access Key | `string` | n/a | yes | | prefix | Prefix for all resources | `string` | n/a | yes | | region | AWS Region | `string` | n/a | yes | +| resource\_packs\_aws\_rev | AWS Resource Pack git branch | `string` | n/a | yes | | secret\_key | AWS Secret Key | `string` | n/a | yes | | security\_group\_ids | List of AWS security group IDs to use for the AWS ElastiCache cluster | `set(string)` | n/a | yes | | subnet\_group\_name | Name of the AWS ElastiCache subnet group to use | `string` | n/a | yes | | node\_type | AWS ElastiCache node type | `string` | `"cache.t4g.micro"` | no | | num\_cache\_clusters | Number of AWS ElastiCache clusters | `number` | `1` | no | | parameter\_group\_name | AWS ElastiCache parameter group name | `string` | `"default.redis7.cluster.on"` | no | -| resource\_packs\_aws\_rev | AWS Resource Pack git branch | `string` | `"refs/heads/main"` | no | | resource\_packs\_aws\_url | AWS Resource Pack git url | `string` | `"https://github.com/humanitec-architecture/resource-packs-aws.git"` | no | ## Outputs diff --git a/humanitec-resource-defs/redis/basic/terraform.tfvars.example b/humanitec-resource-defs/redis/basic/terraform.tfvars.example index 6c210f8..e849f4d 100644 --- a/humanitec-resource-defs/redis/basic/terraform.tfvars.example +++ b/humanitec-resource-defs/redis/basic/terraform.tfvars.example @@ -18,7 +18,7 @@ prefix = "" region = "" # AWS Resource Pack git branch -resource_packs_aws_rev = "refs/heads/main" +resource_packs_aws_rev = "" # AWS Resource Pack git url resource_packs_aws_url = "https://github.com/humanitec-architecture/resource-packs-aws.git" diff --git a/humanitec-resource-defs/redis/basic/variables.tf b/humanitec-resource-defs/redis/basic/variables.tf index 8b59aae..55f20d8 100644 --- a/humanitec-resource-defs/redis/basic/variables.tf 
+++ b/humanitec-resource-defs/redis/basic/variables.tf @@ -12,7 +12,6 @@ variable "resource_packs_aws_url" { variable "resource_packs_aws_rev" { description = "AWS Resource Pack git branch" type = string - default = "refs/heads/main" } variable "access_key" { diff --git a/humanitec-resource-defs/s3/basic/README.md b/humanitec-resource-defs/s3/basic/README.md index f182ef4..25112e6 100644 --- a/humanitec-resource-defs/s3/basic/README.md +++ b/humanitec-resource-defs/s3/basic/README.md @@ -23,11 +23,11 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | access\_key | n/a | `string` | n/a | yes | -| policy\_classes | n/a | `list(string)` | n/a | yes | | prefix | n/a | `string` | n/a | yes | | region | n/a | `string` | n/a | yes | -| resource\_packs\_aws\_rev | n/a | `string` | n/a | yes | +| resource\_packs\_aws\_rev | AWS Resource Pack git branch | `string` | n/a | yes | | secret\_key | n/a | `string` | n/a | yes | +| resource\_packs\_aws\_url | AWS Resource Pack git url | `string` | `"https://github.com/humanitec-architecture/resource-packs-aws.git"` | no | ## Outputs diff --git a/humanitec-resource-defs/s3/basic/main.tf b/humanitec-resource-defs/s3/basic/main.tf index dcb697f..8dab176 100644 --- a/humanitec-resource-defs/s3/basic/main.tf +++ b/humanitec-resource-defs/s3/basic/main.tf @@ -4,13 +4,6 @@ resource "humanitec_resource_definition" "main" { name = "${var.prefix}s3-basic" type = "s3" - provision = { - for s in var.policy_classes : "aws-policy.${s}" => { - match_dependents = true - is_dependent = false - } - } - driver_inputs = { secrets_string = jsonencode({ variables = { @@ -23,7 +16,7 @@ resource "humanitec_resource_definition" "main" { source = { path = "modules/s3/basic" rev = var.resource_packs_aws_rev - url = "https://github.com/humanitec-architecture/resource-packs-aws.git" + url = var.resource_packs_aws_url } variables = { 
diff --git a/humanitec-resource-defs/s3/basic/terraform.tfvars.example b/humanitec-resource-defs/s3/basic/terraform.tfvars.example index 29b3cfe..b52a6af 100644 --- a/humanitec-resource-defs/s3/basic/terraform.tfvars.example +++ b/humanitec-resource-defs/s3/basic/terraform.tfvars.example @@ -1,6 +1,11 @@ -access_key = "" -policy_classes = "" -prefix = "" -region = "" +access_key = "" +prefix = "" +region = "" + +# AWS Resource Pack git branch resource_packs_aws_rev = "" -secret_key = "" \ No newline at end of file + +# AWS Resource Pack git url +resource_packs_aws_url = "https://github.com/humanitec-architecture/resource-packs-aws.git" + +secret_key = "" \ No newline at end of file diff --git a/humanitec-resource-defs/s3/basic/variables.tf b/humanitec-resource-defs/s3/basic/variables.tf index 117ecc4..f5b3698 100644 --- a/humanitec-resource-defs/s3/basic/variables.tf +++ b/humanitec-resource-defs/s3/basic/variables.tf @@ -2,8 +2,15 @@ variable "prefix" { type = string } +variable "resource_packs_aws_url" { + description = "AWS Resource Pack git url" + type = string + default = "https://github.com/humanitec-architecture/resource-packs-aws.git" +} + variable "resource_packs_aws_rev" { - type = string + description = "AWS Resource Pack git branch" + type = string } variable "access_key" { @@ -17,7 +24,3 @@ variable "secret_key" { variable "region" { type = string } - -variable "policy_classes" { - type = list(string) -} diff --git a/humanitec-resource-defs/iam-policy/s3-admin/README.md b/humanitec-resource-defs/s3/passthrough/README.md similarity index 71% rename from humanitec-resource-defs/iam-policy/s3-admin/README.md rename to humanitec-resource-defs/s3/passthrough/README.md index 838fbe2..21a4f67 100644 --- a/humanitec-resource-defs/iam-policy/s3-admin/README.md +++ b/humanitec-resource-defs/s3/passthrough/README.md 
@@ -22,12 +22,9 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| access\_key | n/a | `string` | n/a | yes | +| policy\_resource\_class | n/a | `string` | n/a | yes | | prefix | n/a | `string` | n/a | yes | -| region | n/a | `string` | n/a | yes | -| resource\_packs\_aws\_rev | n/a | `string` | n/a | yes | -| s3\_resource\_definition\_class | n/a | `string` | n/a | yes | -| secret\_key | n/a | `string` | n/a | yes | +| s3\_resource\_class | n/a | `string` | n/a | yes | ## Outputs diff --git a/humanitec-resource-defs/s3/passthrough/main.tf b/humanitec-resource-defs/s3/passthrough/main.tf new file mode 100644 index 0000000..26624a1 --- /dev/null +++ b/humanitec-resource-defs/s3/passthrough/main.tf @@ -0,0 +1,25 @@ +resource "humanitec_resource_definition" "main" { + driver_type = "humanitec/template" + id = "${var.prefix}s3-${var.s3_resource_class}-${var.policy_resource_class}" + name = "${var.prefix}s3-${var.s3_resource_class}-${var.policy_resource_class}" + type = "s3" + + driver_inputs = { + values_string = jsonencode({ + templates = { + outputs = < { - match_dependents = true - is_dependent = false - } - } - driver_inputs = { secrets_string = jsonencode({ variables = { @@ -23,7 +16,7 @@ resource "humanitec_resource_definition" "main" { source = { path = "modules/sqs/basic" rev = var.resource_packs_aws_rev - url = "https://github.com/humanitec-architecture/resource-packs-aws.git" + url = var.resource_packs_aws_url } variables = { diff --git a/humanitec-resource-defs/sqs/basic/terraform.tfvars.example b/humanitec-resource-defs/sqs/basic/terraform.tfvars.example index 29b3cfe..b52a6af 100644 --- a/humanitec-resource-defs/sqs/basic/terraform.tfvars.example +++ b/humanitec-resource-defs/sqs/basic/terraform.tfvars.example 
@@ -1,6 +1,11 @@ -access_key = "" -policy_classes = "" -prefix = "" -region = "" +access_key = "" +prefix = "" +region = "" + +# AWS Resource Pack git branch resource_packs_aws_rev = "" -secret_key = "" \ No newline at end of file + +# AWS Resource Pack git url +resource_packs_aws_url = "https://github.com/humanitec-architecture/resource-packs-aws.git" + +secret_key = "" \ No newline at end of file diff --git a/humanitec-resource-defs/sqs/basic/variables.tf b/humanitec-resource-defs/sqs/basic/variables.tf index 117ecc4..f5b3698 100644 --- a/humanitec-resource-defs/sqs/basic/variables.tf +++ b/humanitec-resource-defs/sqs/basic/variables.tf @@ -2,8 +2,15 @@ variable "prefix" { type = string } +variable "resource_packs_aws_url" { + description = "AWS Resource Pack git url" + type = string + default = "https://github.com/humanitec-architecture/resource-packs-aws.git" +} + variable "resource_packs_aws_rev" { - type = string + description = "AWS Resource Pack git branch" + type = string } variable "access_key" { @@ -17,7 +24,3 @@ variable "secret_key" { variable "region" { type = string } - -variable "policy_classes" { - type = list(string) -} diff --git a/humanitec-resource-defs/iam-policy/sqs-admin/README.md b/humanitec-resource-defs/sqs/passthrough/README.md similarity index 71% rename from humanitec-resource-defs/iam-policy/sqs-admin/README.md rename to humanitec-resource-defs/sqs/passthrough/README.md index 084c9a4..8b50ee8 100644 --- a/humanitec-resource-defs/iam-policy/sqs-admin/README.md +++ b/humanitec-resource-defs/sqs/passthrough/README.md 
@@ -22,12 +22,9 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| access\_key | n/a | `string` | n/a | yes | +| policy\_resource\_class | n/a | `string` | n/a | yes | | prefix | n/a | `string` | n/a | yes | -| region | n/a | `string` | n/a | yes | -| resource\_packs\_aws\_rev | n/a | `string` | n/a | yes | -| secret\_key | n/a | `string` | n/a | yes | -| sqs\_resource\_definition\_class | n/a | `string` | n/a | yes | +| sqs\_resource\_class | n/a | `string` | n/a | yes | ## Outputs diff --git a/humanitec-resource-defs/sqs/passthrough/main.tf b/humanitec-resource-defs/sqs/passthrough/main.tf new file mode 100644 index 0000000..c38a09d --- /dev/null +++ b/humanitec-resource-defs/sqs/passthrough/main.tf 
@@ -0,0 +1,25 @@ +resource "humanitec_resource_definition" "main" { + driver_type = "humanitec/template" + id = "${var.prefix}sqs-${var.sqs_resource_class}-${var.policy_resource_class}" + name = "${var.prefix}sqs-${var.sqs_resource_class}-${var.policy_resource_class}" + type = "sqs" + + driver_inputs = { + values_string = jsonencode({ + templates = { + outputs = < +## Requirements + +| Name | Version | +|------|---------| +| terraform | >= 1.3.0 | +| aws | ~> 5.0 | + +## Providers + +| Name | Version | +|------|---------| +| aws | ~> 5.0 | + +## Resources + +| Name | Type | +|------|------| +| [aws_iam_policy.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy_document.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| access\_key | n/a | `string` | n/a | yes | +| app\_id | n/a | `string` | n/a | yes | +| env\_id | n/a | `string` | n/a | yes | +| prefix | n/a | `string` | n/a | yes | +| region | n/a | `string` | n/a | yes | +| res\_id | n/a | `string` | n/a | yes | +| s3\_bucket\_arn | n/a | `string` | n/a | yes | +| secret\_key | n/a | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| arn | n/a | + \ No newline at end of file diff --git a/modules/iam-policy/s3-read-only/main.tf b/modules/iam-policy/s3-read-only/main.tf new file mode 100644 index 0000000..feb7e9d --- /dev/null +++ b/modules/iam-policy/s3-read-only/main.tf 
@@ -0,0 +1,28 @@
+data "aws_iam_policy_document" "main" {
+ statement {
+ actions = [
+ "s3:ListBucket",
+ ]
+
+ resources = [
+ var.s3_bucket_arn,
+ ]
+ }
+
+ statement {
+ actions = [
+ "s3:Get*",
+ ]
+
+ resources = [
+ "${var.s3_bucket_arn}/*"
+ ]
+ }
+}
+
+
+resource "aws_iam_policy" "main" {
+ name = "${var.prefix}s3-read-only"
+ description = "Allows read-only access to S3 buckets"
+ policy = data.aws_iam_policy_document.main.json
+}
diff --git a/modules/iam-policy/s3-read-only/outputs.tf b/modules/iam-policy/s3-read-only/outputs.tf
new file mode 100644
index 0000000..bbea1ea
--- /dev/null
+++ b/modules/iam-policy/s3-read-only/outputs.tf
@@ -0,0 +1,3 @@
+output "arn" {
+ value = aws_iam_policy.main.arn
+}
diff --git a/modules/iam-policy/s3-read-only/providers.tf b/modules/iam-policy/s3-read-only/providers.tf
new file mode 100644
index 0000000..54e12d3
--- /dev/null
+++ b/modules/iam-policy/s3-read-only/providers.tf
@@ -0,0 +1,27 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.0"
+ }
+ }
+
+ required_version = ">= 1.3.0"
+}
+
+provider "aws" {
+ # Injected via the humanitec-terraform-driver
+ access_key = var.access_key
+ secret_key = var.secret_key
+ region = var.region
+
+ # TODO
+ default_tags {
+ tags = {
+ "managed-by" = "humanitec"
+ "hum-app-id" = var.app_id
+ "hum-env-id" = var.env_id
+ "hum-res-id" = var.res_id
+ }
+ }
+}
diff --git a/modules/iam-policy/s3-read-only/terraform.tfvars.example b/modules/iam-policy/s3-read-only/terraform.tfvars.example
new file mode 100644
index 0000000..78c933b
--- /dev/null
+++ b/modules/iam-policy/s3-read-only/terraform.tfvars.example
@@ -0,0 +1,8 @@
+access_key = ""
+app_id = ""
+env_id = ""
+prefix = ""
+region = ""
+res_id = ""
+s3_bucket_arn = ""
+secret_key = ""
\ No newline at end of file
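Review bot: `s3:Get*` on `${var.s3_bucket_arn}/*` grants more than reading objects — it also covers `s3:GetObjectAcl`, `s3:GetObjectTagging`, `s3:GetObjectRetention`, `s3:GetObjectLegalHold` and any object-level Get action AWS adds later, so the scope of a "read-only" class can widen without a change to this file. Enumerate the actions instead: `actions = ["s3:GetObject", "s3:GetObjectVersion"]` (add `s3:GetObjectAttributes` if consumers need it). The `description` says "S3 buckets" but the document is scoped to the single bucket in `s3_bucket_arn`; `description = "Allows read-only access to a single S3 bucket"` describes what the policy actually grants.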
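Review bot: The `# TODO` above `default_tags` in the new `providers.tf` says nothing about what is still missing, so the next reader cannot tell whether the tag set is incomplete, wrong, or meant to become configurable. Replace it with the actual intent — for example `# Tag everything with the Humanitec app/env/res ids so stray IAM policies can be traced back` — or drop it if nothing is outstanding. The `# Injected via the humanitec-terraform-driver` comment would help more if it named where the values originate (the `secrets_string` and `values_string` of the resource definition).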
diff --git a/humanitec-resource-defs/iam-policy/sqs-admin/variables.tf b/modules/iam-policy/s3-read-only/variables.tf similarity index 61% rename from humanitec-resource-defs/iam-policy/sqs-admin/variables.tf rename to modules/iam-policy/s3-read-only/variables.tf index b55a237..e79fc84 100644 --- a/humanitec-resource-defs/iam-policy/sqs-admin/variables.tf +++ b/modules/iam-policy/s3-read-only/variables.tf @@ -2,7 +2,7 @@ variable "prefix" { type = string } -variable "resource_packs_aws_rev" { +variable "region" { type = string } @@ -14,10 +14,18 @@ variable "secret_key" { type = string } -variable "region" { +variable "s3_bucket_arn" { + type = string +} + +variable "app_id" { + type = string +} + +variable "env_id" { type = string } -variable "sqs_resource_definition_class" { +variable "res_id" { type = string } diff --git a/modules/iam-policy/sqs-admin/main.tf b/modules/iam-policy/sqs-admin/main.tf index c0f38d1..e486fa7 100644 --- a/modules/iam-policy/sqs-admin/main.tf +++ b/modules/iam-policy/sqs-admin/main.tf @@ -1,15 +1,4 @@ data "aws_iam_policy_document" "main" { - statement { - actions = [ - "s3:ListAllMyBuckets", - "s3:GetBucketLocation", - ] - - resources = [ - "arn:aws:s3:::*", - ] - } - statement { actions = [ "sqs:*", diff --git a/modules/iam-policy/sqs-consumer/README.md b/modules/iam-policy/sqs-consumer/README.md new file mode 100644 index 0000000..42a4f12 --- /dev/null +++ b/modules/iam-policy/sqs-consumer/README.md 
@@ -0,0 +1,40 @@
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| terraform | >= 1.3.0 |
+| aws | ~> 5.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws | ~> 5.0 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_policy.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy_document.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| access\_key | n/a | `string` | n/a | yes |
+| app\_id | n/a | `string` | n/a | yes |
+| env\_id | n/a | `string` | n/a | yes |
+| prefix | n/a | `string` | n/a | yes |
+| region | n/a | `string` | n/a | yes |
+| res\_id | n/a | `string` | n/a | yes |
+| secret\_key | n/a | `string` | n/a | yes |
+| sqs\_queue\_arn | n/a | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| arn | n/a |
+
\ No newline at end of file
diff --git a/modules/iam-policy/sqs-consumer/main.tf b/modules/iam-policy/sqs-consumer/main.tf
new file mode 100644
index 0000000..04b66f4
--- /dev/null
+++ b/modules/iam-policy/sqs-consumer/main.tf
@@ -0,0 +1,18 @@
+data "aws_iam_policy_document" "main" {
+ statement {
+ actions = [
+ "sqs:ReceiveMessage",
+ ]
+
+ resources = [
+ var.sqs_queue_arn,
+ ]
+ }
+}
+
+
+resource "aws_iam_policy" "main" {
+ name = "${var.prefix}sqs-consumer"
+ description = "Allows consuming from SQS queue"
+ policy = data.aws_iam_policy_document.main.json
+}
diff --git a/modules/iam-policy/sqs-consumer/outputs.tf b/modules/iam-policy/sqs-consumer/outputs.tf
new file mode 100644
index 0000000..bbea1ea
--- /dev/null
+++ b/modules/iam-policy/sqs-consumer/outputs.tf
@@ -0,0 +1,3 @@
+output "arn" {
+ value = aws_iam_policy.main.arn
+}
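Review bot: The consumer policy in sqs-consumer/main.tf allows only `sqs:ReceiveMessage`, but a consumer must also call `sqs:DeleteMessage` to acknowledge a message it has processed; without it every message reappears after the visibility timeout and is processed again. Clients that resolve the queue by name or extend the visibility of long-running work also need `sqs:GetQueueUrl`, `sqs:GetQueueAttributes` and `sqs:ChangeMessageVisibility`, so the list should read `actions = ["sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes", "sqs:GetQueueUrl", "sqs:ChangeMessageVisibility"]`, still scoped to `var.sqs_queue_arn`. If the queue is encrypted with a customer managed KMS key the role will additionally need `kms:Decrypt` on that key, which this module cannot express with its current inputs and is worth a comment on the statement.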
diff --git a/modules/iam-policy/sqs-consumer/providers.tf b/modules/iam-policy/sqs-consumer/providers.tf
new file mode 100644
index 0000000..54e12d3
--- /dev/null
+++ b/modules/iam-policy/sqs-consumer/providers.tf
@@ -0,0 +1,27 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.0"
+ }
+ }
+
+ required_version = ">= 1.3.0"
+}
+
+provider "aws" {
+ # Injected via the humanitec-terraform-driver
+ access_key = var.access_key
+ secret_key = var.secret_key
+ region = var.region
+
+ # TODO
+ default_tags {
+ tags = {
+ "managed-by" = "humanitec"
+ "hum-app-id" = var.app_id
+ "hum-env-id" = var.env_id
+ "hum-res-id" = var.res_id
+ }
+ }
+}
diff --git a/modules/iam-policy/sqs-consumer/terraform.tfvars.example b/modules/iam-policy/sqs-consumer/terraform.tfvars.example
new file mode 100644
index 0000000..f43f826
--- /dev/null
+++ b/modules/iam-policy/sqs-consumer/terraform.tfvars.example
@@ -0,0 +1,8 @@
+access_key = ""
+app_id = ""
+env_id = ""
+prefix = ""
+region = ""
+res_id = ""
+secret_key = ""
+sqs_queue_arn = ""
\ No newline at end of file
diff --git a/humanitec-resource-defs/iam-policy/s3-admin/variables.tf b/modules/iam-policy/sqs-consumer/variables.tf
similarity index 61%
rename from humanitec-resource-defs/iam-policy/s3-admin/variables.tf
rename to modules/iam-policy/sqs-consumer/variables.tf
index 1c68d38..6ceb999 100644
--- a/humanitec-resource-defs/iam-policy/s3-admin/variables.tf
+++ b/modules/iam-policy/sqs-consumer/variables.tf
@@ -2,7 +2,7 @@ variable "prefix" {
 type = string
 }
 
-variable "resource_packs_aws_rev" {
+variable "region" {
 type = string
 }
 
@@ -14,10 +14,18 @@ variable "secret_key" {
 type = string
 }
 
-variable "region" {
+variable "sqs_queue_arn" {
+ type = string
+}
+
+variable "app_id" {
+ type = string
+}
+
+variable "env_id" {
 type = string
 }
 
-variable "s3_resource_definition_class" {
+variable "res_id" {
 type = string
 }
diff --git a/modules/iam-policy/sqs-publisher/README.md b/modules/iam-policy/sqs-publisher/README.md
new file mode 100644
index 0000000..42a4f12
--- /dev/null
+++ b/modules/iam-policy/sqs-publisher/README.md
@@ -0,0 +1,40 @@
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| terraform | >= 1.3.0 |
+| aws | ~> 5.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws | ~> 5.0 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_policy.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy_document.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| access\_key | n/a | `string` | n/a | yes |
+| app\_id | n/a | `string` | n/a | yes |
+| env\_id | n/a | `string` | n/a | yes |
+| prefix | n/a | `string` | n/a | yes |
+| region | n/a | `string` | n/a | yes |
+| res\_id | n/a | `string` | n/a | yes |
+| secret\_key | n/a | `string` | n/a | yes |
+| sqs\_queue\_arn | n/a | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| arn | n/a |
+
\ No newline at end of file
diff --git a/modules/iam-policy/sqs-publisher/main.tf b/modules/iam-policy/sqs-publisher/main.tf
new file mode 100644
index 0000000..aa53061
--- /dev/null
+++ b/modules/iam-policy/sqs-publisher/main.tf
@@ -0,0 +1,18 @@
+data "aws_iam_policy_document" "main" {
+ statement {
+ actions = [
+ "sqs:SendMessage",
+ ]
+
+ resources = [
+ var.sqs_queue_arn,
+ ]
+ }
+}
+
+
+resource "aws_iam_policy" "main" {
+ name = "${var.prefix}sqs-publisher"
+ description = "Allows publishing to SQS queue"
+ policy = data.aws_iam_policy_document.main.json
+}
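Review bot: `sqs:SendMessage` in sqs-publisher/main.tf is sufficient for a client that already holds the queue URL, but SDK helpers that look the queue up by name call `sqs:GetQueueUrl` first and will be denied; if resolving by name is a supported path, `actions = ["sqs:SendMessage", "sqs:GetQueueUrl"]` covers it. As with the consumer module, a queue encrypted with a customer managed KMS key would also require `kms:GenerateDataKey` on that key, which the module's inputs cannot express and is worth stating in a comment on the statement.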
diff --git a/modules/iam-policy/sqs-publisher/outputs.tf b/modules/iam-policy/sqs-publisher/outputs.tf
new file mode 100644
index 0000000..bbea1ea
--- /dev/null
+++ b/modules/iam-policy/sqs-publisher/outputs.tf
@@ -0,0 +1,3 @@
+output "arn" {
+ value = aws_iam_policy.main.arn
+}
diff --git a/modules/iam-policy/sqs-publisher/providers.tf b/modules/iam-policy/sqs-publisher/providers.tf
new file mode 100644
index 0000000..54e12d3
--- /dev/null
+++ b/modules/iam-policy/sqs-publisher/providers.tf
@@ -0,0 +1,27 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.0"
+ }
+ }
+
+ required_version = ">= 1.3.0"
+}
+
+provider "aws" {
+ # Injected via the humanitec-terraform-driver
+ access_key = var.access_key
+ secret_key = var.secret_key
+ region = var.region
+
+ # TODO
+ default_tags {
+ tags = {
+ "managed-by" = "humanitec"
+ "hum-app-id" = var.app_id
+ "hum-env-id" = var.env_id
+ "hum-res-id" = var.res_id
+ }
+ }
+}
diff --git a/modules/iam-policy/sqs-publisher/terraform.tfvars.example b/modules/iam-policy/sqs-publisher/terraform.tfvars.example
new file mode 100644
index 0000000..f43f826
--- /dev/null
+++ b/modules/iam-policy/sqs-publisher/terraform.tfvars.example
@@ -0,0 +1,8 @@
+access_key = ""
+app_id = ""
+env_id = ""
+prefix = ""
+region = ""
+res_id = ""
+secret_key = ""
+sqs_queue_arn = ""
\ No newline at end of file
diff --git a/modules/iam-policy/sqs-publisher/variables.tf b/modules/iam-policy/sqs-publisher/variables.tf
new file mode 100644
index 0000000..6ceb999
--- /dev/null
+++ b/modules/iam-policy/sqs-publisher/variables.tf
@@ -0,0 +1,31 @@
+variable "prefix" {
+ type = string
+}
+
+variable "region" {
+ type = string
+}
+
+variable "access_key" {
+ type = string
+}
+
+variable "secret_key" {
+ type = string
+}
+
+variable "sqs_queue_arn" {
+ type = string
+}
+
+variable "app_id" {
+ type = string
+}
+
+variable "env_id" {
+ type = string
+}
+
+variable "res_id" {
+ type = string
+}
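Review bot: `access_key` and `secret_key` in the new sqs-publisher/variables.tf are declared as plain `string` variables, so their values can surface in plan and apply output and in provider error messages; adding `sensitive = true` inside each of those two `variable` blocks makes Terraform redact them wherever they are printed. The renamed s3-read-only and sqs-consumer variables.tf hunks keep the same unmarked `variable "secret_key"` (and presumably `access_key`, which sits outside their hunks), so the attribute belongs in all three files.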
diff --git a/modules/iam-role/service-account/README.md b/modules/iam-role/service-account/README.md
index be308ff..ac83b72 100644
--- a/modules/iam-role/service-account/README.md
+++ b/modules/iam-role/service-account/README.md
@@ -16,8 +16,10 @@
 
 | Name | Type |
 |------|------|
+| [aws_eks_pod_identity_association.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_pod_identity_association) | resource |
 | [aws_iam_role.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_policy_document.assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 
 ## Inputs
 
@@ -25,10 +27,9 @@
 |------|-------------|------|---------|:--------:|
 | access\_key | n/a | `string` | n/a | yes |
 | app\_id | n/a | `string` | n/a | yes |
+| cluster\_name | n/a | `string` | n/a | yes |
 | env\_id | n/a | `string` | n/a | yes |
 | namespace | n/a | `string` | n/a | yes |
-| oidc\_provider | n/a | `string` | n/a | yes |
-| oidc\_provider\_arn | n/a | `string` | n/a | yes |
 | policy\_arns | n/a | `set(string)` | n/a | yes |
 | prefix | n/a | `string` | n/a | yes |
 | region | n/a | `string` | n/a | yes |
diff --git a/modules/iam-role/service-account/main.tf b/modules/iam-role/service-account/main.tf
index 1c734a8..45c34e6 100644
--- a/modules/iam-role/service-account/main.tf
+++ b/modules/iam-role/service-account/main.tf
@@ -2,32 +2,37 @@ locals {
 k8s_service_account_name = "${var.app_id}-${var.env_id}-${trimprefix(var.res_id, "modules.")}"
 }
 
-resource "aws_iam_role" "main" {
- name_prefix = var.prefix
- // below uses StringLike to allow wildcards for multiple service accounts within the same namespace for workloads
- assume_role_policy = jsonencode({
- "Version" : "2012-10-17",
- "Statement" : [
- {
- "Effect" : "Allow",
- "Principal" : {
- "Federated" : var.oidc_provider_arn,
- },
- "Action" : "sts:AssumeRoleWithWebIdentity",
- "Condition" : {
- "StringLike" : {
- "${var.oidc_provider}:sub" : "system:serviceaccount:${var.namespace}:${local.k8s_service_account_name}",
- "${var.oidc_provider}:aud" : "sts.amazonaws.com"
- }
- }
- }
- ]
+data "aws_iam_policy_document" "assume_role_policy" {
+ version = "2012-10-17"
+
+ statement {
+ actions = ["sts:AssumeRole", "sts:TagSession"]
+
+ principals {
+ type = "Service"
+ identifiers = ["pods.eks.amazonaws.com"]
 }
- )
+ }
+}
+
+resource "aws_iam_role" "main" {
+ count = length(var.policy_arns) > 0 ? 1 : 0
+
+ name_prefix = var.prefix
+ assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
 }
 
 resource "aws_iam_role_policy_attachment" "policies" {
 for_each = var.policy_arns
- role = aws_iam_role.main.name
+ role = aws_iam_role.main[0].name
 policy_arn = each.value
 }
+
+resource "aws_eks_pod_identity_association" "this" {
+ count = length(var.policy_arns) > 0 ? 1 : 0
+
+ cluster_name = var.cluster_name
+ namespace = var.namespace
+ service_account = local.k8s_service_account_name
+ role_arn = aws_iam_role.main[0].arn
+}
diff --git a/modules/iam-role/service-account/outputs.tf b/modules/iam-role/service-account/outputs.tf
index 7e0810c..9515f56 100644
--- a/modules/iam-role/service-account/outputs.tf
+++ b/modules/iam-role/service-account/outputs.tf
@@ -1,5 +1,5 @@
 output "role_arn" {
- value = aws_iam_role.main.arn
+ value = length(var.policy_arns) > 0 ? aws_iam_role.main[0].arn : ""
 }
 
 output "k8s_service_account_name" {
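Review bot: The new trust policy's `actions = ["sts:AssumeRole", "sts:TagSession"]` carries no explanation, and the removed `// below uses StringLike ...` line was the only comment the old role had, so the statement should say why the second action is there: `# sts:TagSession is needed because EKS Pod Identity attaches session tags (cluster, namespace, service account) when it assumes the role`. The condition `length(var.policy_arns) > 0 ? 1 : 0` is written out on both `aws_iam_role.main` and `aws_eks_pod_identity_association.this` (and again in outputs.tf); a `create_role = length(var.policy_arns) > 0` entry in the `locals` block, used as `count = local.create_role ? 1 : 0`, keeps the three in step, and that `locals` block begins before the hunk. Worth a sentence in the module docs as well: the trust statement has no condition, so any Pod Identity association in the account could map this role, and the scoping to one workload is carried entirely by the association on `var.cluster_name`, `var.namespace` and `local.k8s_service_account_name`.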
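Review bot: `value = length(var.policy_arns) > 0 ? aws_iam_role.main[0].arn : ""` in outputs.tf restates the `count` condition from main.tf, so the output silently drifts if that condition changes; `value = try(aws_iam_role.main[0].arn, "")` derives it from the resource itself and keeps the empty-string contract (`one(aws_iam_role.main[*].arn)` would be cleaner still if consumers can accept null). The `k8s_service_account_name` output that closes the hunk continues outside it.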
diff --git a/modules/iam-role/service-account/terraform.tfvars.example b/modules/iam-role/service-account/terraform.tfvars.example
index cb56415..a772a79 100644
--- a/modules/iam-role/service-account/terraform.tfvars.example
+++ b/modules/iam-role/service-account/terraform.tfvars.example
@@ -1,11 +1,10 @@
-access_key = ""
-app_id = ""
-env_id = ""
-namespace = ""
-oidc_provider = ""
-oidc_provider_arn = ""
-policy_arns = ""
-prefix = ""
-region = ""
-res_id = ""
-secret_key = ""
\ No newline at end of file
+access_key = ""
+app_id = ""
+cluster_name = ""
+env_id = ""
+namespace = ""
+policy_arns = ""
+prefix = ""
+region = ""
+res_id = ""
+secret_key = ""
\ No newline at end of file
diff --git a/modules/iam-role/service-account/variables.tf b/modules/iam-role/service-account/variables.tf
index b58fe93..e35d600 100644
--- a/modules/iam-role/service-account/variables.tf
+++ b/modules/iam-role/service-account/variables.tf
@@ -18,11 +18,7 @@ variable "policy_arns" {
 type = set(string)
 }
 
-variable "oidc_provider" {
- type = string
-}
-
-variable "oidc_provider_arn" {
+variable "cluster_name" {
 type = string
 }