
@lehins
Created August 16, 2017 19:16
Three Terraform modules that should be applied individually
# Credstash setup module: all resources are created in us-east-1.
provider "aws" {
  region = "us-east-1"
}
# State for this module lives in the bucket created by the remote-state module
# below, encrypted at rest with the bucket's server-side encryption.
# NOTE(review): no dynamodb_table is configured, so concurrent applies against
# this state are not locked.
terraform {
  backend "s3" {
    bucket  = "example-tfstate"
    key     = "remote-tfstate/credstash/terraform.tfstate"
    region  = "us-east-1"
    encrypt = true
  }
}
# Creates the KMS master key and DynamoDB table credstash uses, plus two IAM
# policies (read-only and read/write) whose ARNs are exported below and later
# attached to instance roles by the credstash-grant module.
module "credstash" {
  source               = "github.com/fpco/fpco-terraform-aws/tf-modules/credstash-setup"
  create_reader_policy = true
  create_writer_policy = true
}
# ARN of the KMS master key; consumed by credstash-grant when granting readers.
output "kms_key_arn" {
  value = "${module.credstash.kms_key_arn}"
}
# Id of the KMS master key.
output "kms_key_id" {
  value = "${module.credstash.kms_key_id}"
}
# Alias of the KMS key; usable in place of the key id when storing or
# retrieving secrets.
output "kms_key_alias" {
  value = "${module.credstash.kms_key_alias}"
}
# ARN of the KMS master key alias.
output "kms_key_alias_arn" {
  value = "${module.credstash.kms_key_alias_arn}"
}
# ARN of the DynamoDB table holding the encrypted secrets.
output "db_table_arn" {
  value = "${module.credstash.db_table_arn}"
}
# Name of the DynamoDB table; passed to credstash when storing/retrieving secrets.
output "db_table_name" {
  value = "${module.credstash.db_table_name}"
}
# Bash snippet (Ubuntu) that installs credstash and its dependencies; meant to
# be spliced into an instance's user_data.
output "install_snippet" {
  value = "${module.credstash.install_snippet}"
}
# `credstash get` invocation with the region and table already filled in.
output "get_cmd" {
  value = "${module.credstash.get_cmd}"
}
# `credstash put` invocation with the region, table and KMS key already filled in.
output "put_cmd" {
  value = "${module.credstash.put_cmd}"
}
# ARN of the read-only secrets policy (created because create_reader_policy is true).
output "reader_policy_arn" {
  value = "${module.credstash.reader_policy_arn}"
}
# ARN of the secrets writer policy (created because create_writer_policy is true).
output "writer_policy_arn" {
  value = "${module.credstash.writer_policy_arn}"
}
# Remote-state module: creates the S3 bucket that stores Terraform's remote
# state for the other two modules. Applied first, on its own.
provider "aws" {
  region = "us-east-1"
}
# The bucket name must match the `bucket` used in the s3 backend blocks of the
# credstash module (and of the commented-out backend below).
module "remote-state" {
  source      = "github.com/fpco/fpco-terraform-aws/tf-modules/s3-remote-state"
  bucket_name = "example-tfstate"

  # No additional principals are granted access to the state bucket.
  # NOTE(review): what access the applying account keeps is decided by the
  # module — confirm against its policy before relying on this.
  principals = []
}
# Id of the state bucket that was created.
output "bucket_name" {
  value = "${module.remote-state.bucket_id}"
}
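## Remote state for this module can be saved in the same bucket it is creating.
## In order to achieve this, deployment has to be done in two stages:
## apply this module once, then uncomment the block below and apply it again.
## The whole block, including its closing brace, must stay commented out until
## the bucket exists; a stray `}` here is a syntax error for the first apply.
# terraform {
#   backend "s3" {
#     bucket  = "example-tfstate"
#     key     = "remote-tfstate/remote-state-bucket/terraform.tfstate"
#     region  = "us-east-1"
#     encrypt = true
#   }
# }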
# Webserver module: reads the outputs the credstash module published to its
# remote state (kms_key_arn, reader_policy_arn, install_snippet, get_cmd) so
# they can be wired into the instance below.
data "terraform_remote_state" "credstash" {
  backend = "s3"

  config {
    region = "us-east-1"
    bucket = "example-tfstate"
    key    = "remote-tfstate/credstash/terraform.tfstate"
  }
}
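# Web server that pulls its HTTP basic-auth credentials from credstash at boot.
# Only the pre-filled credstash "get" command is rendered into user_data; the
# secret values are fetched on the instance through its IAM role, so they never
# appear in Terraform state or in the EC2 user-data.
resource "aws_instance" "webserver" {
  ami                         = "ami-cd0f5cb6" # Ubuntu 16.04 LTS AMI
  instance_type               = "t2.micro"
  vpc_security_group_ids      = ["${aws_security_group.webserver-sg.id}"]
  associate_public_ip_address = true

  # Profile wrapping the role that credstash-grant makes a secret reader.
  iam_instance_profile = "${aws_iam_instance_profile.credstash-profile.id}"

  # Shell variables are written as $VAR (no braces) so they are not taken for
  # Terraform interpolations inside this heredoc.
  user_data = <<USER_DATA
#!/bin/bash
${data.terraform_remote_state.credstash.install_snippet}
# Fetch both secrets before installing nginx: if a lookup fails, stop here so
# no web server is left running with an empty username or password.
BASIC_AUTH_USERNAME="$(${data.terraform_remote_state.credstash.get_cmd} nginx-username env=example webserver=credsAccessPhrase)"
BASIC_AUTH_PASSWORD="$(${data.terraform_remote_state.credstash.get_cmd} nginx-password env=example webserver=credsAccessPhrase)"
if [ -z "$BASIC_AUTH_USERNAME" ] || [ -z "$BASIC_AUTH_PASSWORD" ]; then
  echo "credstash lookup returned an empty value; not configuring nginx" >&2
  exit 1
fi
apt-get install -y nginx
# Create the htpasswd file readable only by root and the nginx worker group
# (default umask would leave the hash world-readable), and pass the password
# on stdin rather than as an argument so it is not visible in the process list.
install -m 0640 -o root -g www-data /dev/null /etc/nginx/.htpasswd
printf '%s:' "$BASIC_AUTH_USERNAME" > /etc/nginx/.htpasswd
printf '%s' "$BASIC_AUTH_PASSWORD" | openssl passwd -apr1 -stdin >> /etc/nginx/.htpasswd
cat <<EOF > /etc/nginx/sites-available/default
server {
  listen 80 default_server;
  listen [::]:80 default_server;
  server_name _;
  root /var/www/html;
  index index.nginx-debian.html;
  location / {
    auth_basic "Restricted Space";
    auth_basic_user_file /etc/nginx/.htpasswd;
  }
}
EOF
service nginx reload
USER_DATA
}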
# Inbound: HTTP on port 80 from anywhere. There is no 443 rule, so the basic-auth
# credentials nginx prompts for are sent in cleartext.
# NOTE(review): the description mentions HTTPS, but no HTTPS ingress exists.
resource "aws_security_group" "webserver-sg" {
  name        = "webserver-sg"
  description = "Security group that allows HTTP and HTTPS traffic."

  ingress {
    protocol    = "tcp"
    from_port   = 80
    to_port     = 80
    cidr_blocks = ["0.0.0.0/0"]
  }

  # Outbound: unrestricted. The boot script needs outbound access for apt-get
  # and for the credstash lookups against AWS.
  egress {
    protocol    = "-1"
    from_port   = 0
    to_port     = 0
    cidr_blocks = ["0.0.0.0/0"]
  }
}
# Makes the instance role a credstash reader: attaches the reader policy from
# the credstash module and grants it use of the KMS key. reader_context must
# match the key=value pairs the instance passes to `credstash get` above.
module "credstash-grant" {
  source = "github.com/fpco/fpco-terraform-aws/tf-modules/credstash-grant"

  kms_key_arn       = "${data.terraform_remote_state.credstash.kms_key_arn}"
  reader_policy_arn = "${data.terraform_remote_state.credstash.reader_policy_arn}"
  reader_context    = "env=example webserver=credsAccessPhrase"

  roles_count = 1
  roles_names = ["${aws_iam_role.credstash-role.name}"]
  roles_arns  = ["${aws_iam_role.credstash-role.arn}"]
}
# Instance profile attaching the credstash reader role to the web server.
resource "aws_iam_instance_profile" "credstash-profile" {
  role = "${aws_iam_role.credstash-role.name}"
  name = "credstash-profile"
}
# Role assumable only by EC2 instances; it carries no permissions of its own,
# the credstash-grant module attaches the reader policy to it.
resource "aws_iam_role" "credstash-role" {
  name_prefix = "credstash-role-"

  assume_role_policy = <<END_POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      }
    }
  ]
}
END_POLICY
}
# Public IP of the web server (reachable on port 80 per the security group).
output "instance_ip" {
  value = "${aws_instance.webserver.public_ip}"
}