Three terraform modules that should be applied individually
# All resources of the credstash stack are created in this region; it matches
# the region of the S3 backend below so state and resources sit together.
provider "aws" {
  region = "us-east-1"
}
# Remote state for the credstash stack. Values are literal rather than variables
# because Terraform does not allow interpolation inside a backend block.
terraform {
  backend "s3" {
    bucket  = "example-tfstate"
    key     = "remote-tfstate/credstash/terraform.tfstate"
    region  = "us-east-1"
    encrypt = true # request server-side encryption of the state object at rest
  }
}
# Provisions what credstash needs (a KMS key, a DynamoDB table and reader/writer
# IAM policies, judging by the outputs below). Both policy flags are enabled so
# that the reader_policy_arn / writer_policy_arn outputs exist for consumers.
# NOTE(review): the source has no `?ref=` pin, so `terraform init` fetches
# whatever the module repository's default branch currently holds; pin it to a
# tag or commit (e.g. `?ref=<TAG-OR-COMMIT>`) for reproducible, reviewable
# deployments.
module "credstash" {
  source               = "github.com/fpco/fpco-terraform-aws/tf-modules/credstash-setup"
  create_reader_policy = true
  create_writer_policy = true
}
# Everything below simply re-exports the module's outputs so that other stacks
# can read them through terraform_remote_state. These are identifiers (ARNs,
# names, command strings), not secret material.

# KMS key ARN; later used to store and retrieve secrets.
output "kms_key_arn" {
  value = "${module.credstash.kms_key_arn}"
}

# KMS master key id.
output "kms_key_id" {
  value = "${module.credstash.kms_key_id}"
}

# KMS key alias; later used to store and retrieve secrets.
output "kms_key_alias" {
  value = "${module.credstash.kms_key_alias}"
}

# ARN of the KMS master key alias.
output "kms_key_alias_arn" {
  value = "${module.credstash.kms_key_alias_arn}"
}

# ARN of the DynamoDB table backing credstash.
output "db_table_arn" {
  value = "${module.credstash.db_table_arn}"
}

# DynamoDB table name credstash uses to store/retrieve secrets.
output "db_table_name" {
  value = "${module.credstash.db_table_name}"
}

# Ubuntu bash snippet that installs credstash and its dependencies.
output "install_snippet" {
  value = "${module.credstash.install_snippet}"
}

# `credstash get` invocation with region and table already filled in.
output "get_cmd" {
  value = "${module.credstash.get_cmd}"
}

# `credstash put` invocation with region, table and KMS key already filled in.
output "put_cmd" {
  value = "${module.credstash.put_cmd}"
}

# IAM policy granting read access to secrets.
output "reader_policy_arn" {
  value = "${module.credstash.reader_policy_arn}"
}

# IAM policy granting write access to secrets.
output "writer_policy_arn" {
  value = "${module.credstash.writer_policy_arn}"
}
# Terraform env for the S3 bucket that stores TF's remote state.
# Region is the same one the other stacks point their S3 backend at.
provider "aws" {
  region = "us-east-1"
}
# Creates the shared state bucket. `principals = []` adds no extra AWS
# principals — presumably only the applying account can reach the bucket;
# confirm against the module's variable documentation before relying on it.
# NOTE(review): the module source is unpinned (no `?ref=`); pin it to a tag or
# commit (`?ref=<TAG-OR-COMMIT>`) so `terraform init` is reproducible.
module "remote-state" {
  source      = "github.com/fpco/fpco-terraform-aws/tf-modules/s3-remote-state"
  bucket_name = "example-tfstate"
  principals  = []
}
# Name of the bucket just created; paste it into the backend blocks of the
# other stacks.
output "bucket_name" {
  value = "${module.remote-state.bucket_id}"
}
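## Remote state for this module can be saved in the same bucket it is creating.
## In order to achieve this, deployment has to be done in two stages.
## Simplest way is to apply this module, then uncomment the code below and
## run `terraform init` again so the existing local state is migrated into
## the bucket, followed by another apply.
##
## The closing brace of the terraform block is commented out like the rest:
## an uncommented `}` with no open block makes this file fail to parse.
# terraform {
#   backend "s3" {
#     bucket  = "example-tfstate"
#     key     = "remote-tfstate/remote-state-bucket/terraform.tfstate"
#     region  = "us-east-1"
#     encrypt = true
#   }
# }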
# Pulls the outputs of the credstash stack (kms_key_arn, reader_policy_arn,
# install_snippet, get_cmd, ...) out of its remote state. The credentials
# running this plan therefore need read access to that state object.
data "terraform_remote_state" "credstash" {
  backend = "s3"

  config {
    bucket = "example-tfstate"
    key    = "remote-tfstate/credstash/terraform.tfstate"
    region = "us-east-1"
  }
}
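# Single public web server whose nginx basic-auth credentials come from
# credstash at boot time. Nothing secret is embedded in user_data itself:
# user_data is readable from the instance metadata service, so the secrets are
# fetched through the instance role instead.
resource "aws_instance" "webserver" {
  ami                         = "ami-cd0f5cb6" # Ubuntu 16.04 LTS AMI
  instance_type               = "t2.micro"
  vpc_security_group_ids      = ["${aws_security_group.webserver-sg.id}"]
  associate_public_ip_address = true
  iam_instance_profile        = "${aws_iam_instance_profile.credstash-profile.id}"

  user_data = <<USER_DATA
#!/bin/bash
${data.terraform_remote_state.credstash.install_snippet}
# Refresh the package index first; the AMI's cached lists may be stale and the
# install would otherwise fail on a missing package version.
apt-get update
apt-get install -y nginx
# The context key=value pairs must equal reader_context in module
# "credstash-grant", otherwise the reads are refused.
BASIC_AUTH_USERNAME="$(${data.terraform_remote_state.credstash.get_cmd} nginx-username env=example webserver=credsAccessPhrase)"
BASIC_AUTH_PASSWORD="$(${data.terraform_remote_state.credstash.get_cmd} nginx-password env=example webserver=credsAccessPhrase)"
# Create the htpasswd file without a world-readable window, then hand it to the
# nginx workers (www-data on Ubuntu) read-only.
umask 077
echo -n "$BASIC_AUTH_USERNAME:" > /etc/nginx/.htpasswd
# -stdin keeps the plaintext password out of the process argument list, where
# any local user could read it with ps while openssl runs.
printf '%s\n' "$BASIC_AUTH_PASSWORD" | openssl passwd -apr1 -stdin >> /etc/nginx/.htpasswd
chown root:www-data /etc/nginx/.htpasswd
chmod 640 /etc/nginx/.htpasswd
umask 022
# NOTE: only a plain-HTTP listener is configured, so the basic-auth credentials
# cross the network in cleartext; terminate TLS in front of the instance or add
# a 443 listener with a certificate before exposing it.
cat <<EOF > /etc/nginx/sites-available/default
server {
  listen 80 default_server;
  listen [::]:80 default_server;
  server_name _;
  root /var/www/html;
  index index.nginx-debian.html;
  location / {
    auth_basic "Restricted Space";
    auth_basic_user_file /etc/nginx/.htpasswd;
  }
}
EOF
service nginx reload
USER_DATA
}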
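# Inbound: only HTTP (80) from anywhere. No rule opens 443, so the previous
# description ("HTTP and HTTPS") overstated what the group permits; the text now
# matches the rules. Expect the AWS provider to replace the group when the
# description changes on an existing deployment.
resource "aws_security_group" "webserver-sg" {
  name        = "webserver-sg"
  description = "Security group that allows inbound HTTP traffic."

  ingress {
    cidr_blocks = ["0.0.0.0/0"]
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
  }

  # Unrestricted egress: the boot script needs apt, the credstash install and
  # credstash's own AWS API calls. Tighten to the endpoints actually used once
  # they are known.
  egress {
    cidr_blocks = ["0.0.0.0/0"]
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
  }
}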
# Lets the instance role read secrets stored under one context. reader_context
# has to be exactly the key=value pairs the boot script passes to get_cmd
# (presumably enforced through the KMS encryption context by the module).
# NOTE(review): unpinned module source; add `?ref=<TAG-OR-COMMIT>`.
module "credstash-grant" {
  source            = "github.com/fpco/fpco-terraform-aws/tf-modules/credstash-grant"
  kms_key_arn       = "${data.terraform_remote_state.credstash.kms_key_arn}"
  reader_policy_arn = "${data.terraform_remote_state.credstash.reader_policy_arn}"
  reader_context    = "env=example webserver=credsAccessPhrase"

  roles_count = 1
  roles_arns  = ["${aws_iam_role.credstash-role.arn}"]
  roles_names = ["${aws_iam_role.credstash-role.name}"]
}
# Instance profile that attaches the credstash role to the web server.
resource "aws_iam_instance_profile" "credstash-profile" {
  name = "credstash-profile"
  role = "${aws_iam_role.credstash-role.name}"
}
# Role assumed by the instance. The trust policy only allows the EC2 service to
# assume it; the actual secret-reading permissions are attached by module
# "credstash-grant".
resource "aws_iam_role" "credstash-role" {
  name_prefix = "credstash-role-"

  assume_role_policy = <<END_POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
END_POLICY
}
# Public address of the web server, for reaching the basic-auth protected site.
output "instance_ip" {
  value = "${aws_instance.webserver.public_ip}"
}