Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Three terraform modules that should be applied individually
provider "aws" {
region = "us-east-1"
}
terraform {
backend "s3" {
bucket = "example-tfstate"
key = "remote-tfstate/credstash/terraform.tfstate"
region = "us-east-1"
encrypt = true
}
}
module "credstash" {
source = "github.com/fpco/fpco-terraform-aws/tf-modules/credstash-setup"
create_reader_policy = true
create_writer_policy = true
}
// KMS Key ARN. It can later be used to store and retrieve secrets.
output "kms_key_arn" {
value = "${module.credstash.kms_key_arn}"
}
// KMS Master key id.
output "kms_key_id" {
value = "${module.credstash.kms_key_id}"
}
// KMS Key alias. It can later be used to store and retrieve secrets.
output "kms_key_alias" {
value = "${module.credstash.kms_key_alias}"
}
// KMS Master key alias ARN.
output "kms_key_alias_arn" {
value = "${module.credstash.kms_key_alias_arn}"
}
// DynamoDB table ARN
output "db_table_arn" {
value = "${module.credstash.db_table_arn}"
}
// DynamoDB table name that can be used by credstash to store/retrieve secrets.
output "db_table_name" {
value = "${module.credstash.db_table_name}"
}
// Ubuntu bash script snippet for installing credstash and its dependencies
output "install_snippet" {
value = "${module.credstash.install_snippet}"
}
// Credstash get command with region and table values set.
output "get_cmd" {
value = "${module.credstash.get_cmd}"
}
// Credstash put command with region, table and kms key values set.
output "put_cmd" {
value = "${module.credstash.put_cmd}"
}
// Secret Reader policy
output "reader_policy_arn" {
value = "${module.credstash.reader_policy_arn}"
}
// Secret Writer policy
output "writer_policy_arn" {
value = "${module.credstash.writer_policy_arn}"
}
# Terraform env for the S3 bucket for storing TF's remote state
provider "aws" {
region = "us-east-1"
}
module "remote-state" {
source = "github.com/fpco/fpco-terraform-aws/tf-modules/s3-remote-state"
bucket_name = "example-tfstate"
principals = []
}
output "bucket_name" {
value = "${module.remote-state.bucket_id}"
}
## Remote state for this module can be saved in the same bucket it is creating.
## In order to achieve this deployment has to be done in two stages.
## Simplest way is to apply this module and the uncomment the code below and
## then apply it again.
# terraform {
# backend "s3" {
# bucket = "example-tfstate"
# key = "remote-tfstate/remote-state-bucket/terraform.tfstate"
# region = "us-east-1"
# encrypt = true
# }
}
data "terraform_remote_state" "credstash" {
backend = "s3"
config {
bucket = "example-tfstate"
key = "remote-tfstate/credstash/terraform.tfstate"
region = "us-east-1"
}
}
resource "aws_instance" "webserver" {
ami = "ami-cd0f5cb6" # Ubuntu 16.04 LTS AMI
instance_type = "t2.micro"
vpc_security_group_ids = ["${aws_security_group.webserver-sg.id}"]
associate_public_ip_address = true
iam_instance_profile = "${aws_iam_instance_profile.credstash-profile.id}"
user_data = <<USER_DATA
#!/bin/bash
${data.terraform_remote_state.credstash.install_snippet}
apt-get install -y nginx
BASIC_AUTH_USERNAME="$(${data.terraform_remote_state.credstash.get_cmd} nginx-username env=example webserver=credsAccessPhrase)"
BASIC_AUTH_PASSWORD="$(${data.terraform_remote_state.credstash.get_cmd} nginx-password env=example webserver=credsAccessPhrase)"
echo -n "$BASIC_AUTH_USERNAME:" > /etc/nginx/.htpasswd
openssl passwd -apr1 "$BASIC_AUTH_PASSWORD" >> /etc/nginx/.htpasswd
cat <<EOF > /etc/nginx/sites-available/default
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
root /var/www/html;
index index.nginx-debian.html;
location / {
auth_basic "Restricted Space";
auth_basic_user_file /etc/nginx/.htpasswd;
}
}
EOF
service nginx reload
USER_DATA
}
resource "aws_security_group" "webserver-sg" {
name = "webserver-sg"
description = "Security group that allows HTTP and HTTPS traffic."
ingress {
cidr_blocks = ["0.0.0.0/0"]
from_port = 80
to_port = 80
protocol = "tcp"
}
egress {
cidr_blocks = ["0.0.0.0/0"]
from_port = 0
to_port = 0
protocol = "-1"
}
}
module "credstash-grant" {
source = "github.com/fpco/fpco-terraform-aws/tf-modules/credstash-grant"
kms_key_arn = "${data.terraform_remote_state.credstash.kms_key_arn}"
reader_policy_arn = "${data.terraform_remote_state.credstash.reader_policy_arn}"
reader_context = "env=example webserver=credsAccessPhrase"
roles_count = 1
roles_arns = ["${aws_iam_role.credstash-role.arn}"]
roles_names = ["${aws_iam_role.credstash-role.name}"]
}
resource "aws_iam_instance_profile" "credstash-profile" {
name = "credstash-profile"
role = "${aws_iam_role.credstash-role.name}"
}
resource "aws_iam_role" "credstash-role" {
name_prefix = "credstash-role-"
assume_role_policy = <<END_POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
END_POLICY
}
output "instance_ip" {
value = "${aws_instance.webserver.public_ip}"
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.