Scaffolding for AWS infra.

3c136de1 · nimrod · 17d03554 · 3c136de1 · 3c136de1 · 3c136de1
Commit 3c136de1 authored 3 years ago by nimrod
--- a/.gitignore
+++ b/.gitignore
@@ -49,8 +49,11 @@ dist/
 *.env
 .bundle/
 !Pipfile.lock
+!pdm.lock
+!Gemfile.lock
 .terraform
 .terraform.*
+!.terraform.lock.hcl
 tfplan
 *.tfstate*
 *.venv

--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -2,3 +2,28 @@
 include:
  - project: shore/ci-stuff
    file: templates/pre-commit.yml
+  - project: shore/ci-stuff
+    file: templates/terraform.yml
+
+default:
+  before_script:
+    - apt-get update
+    - apt-get install -y terraform
+
+AWS Terraform plan:
+  extends: .tf_plan
+  stage: test
+  #rules: &aws_tf_rules
+  #  - changes:
+  #      - ${TF_ROOT}/
+  variables: &aws_tf_vars
+    TF_ROOT: Terraform/AWS
+
+AWS Terraform apply:
+  extends: .tf_apply
+  stage: deploy
+  #rules: *aws_tf_rules
+  needs:
+    - job: AWS Terraform plan
+      artifacts: true
+  variables: *aws_tf_vars
--- a/Terraform/AWS/.terraform.lock.hcl
+++ b/Terraform/AWS/.terraform.lock.hcl
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/aws" {
+  version     = "4.9.0"
+  constraints = "~> 4.0"
+  hashes = [
+    "h1:GtmIOZMkKmr9tMLWouHWiGXmKEL/diOTNar5XfOVLjs=",
+    "zh:084b83aef3335ad4f5e4b8323c6fe43c1ff55e17a7647c6a5cad6af519f72b42",
+    "zh:132e47ce69f14de4523b84b213cedf7173398acda14245b1ffe7747aac50f050",
+    "zh:2068baef7dfce3613f3b4f27314175e971f8db68d9cde9ec30b5659f80c68c6c",
+    "zh:63c6f489683d5f1ac55e82a0df387143ed22701d5f22c109a4d5c9924dd4e437",
+    "zh:8115fd21965954fa4568c09331e05bb29da967fab8d077419aed09954378e216",
+    "zh:8efdc95fde108f777ed9c79ae25dc17aea9771903250f5c5c8a4c726b90a345f",
+    "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
+    "zh:9d42a7bc34d84b70c1d1bcc215cabd63abbcbd0352b70bd84da6c3916634932f",
+    "zh:aacbcceb241aa475888c0869e87593182edeced3170c76a0c960dd9c905df449",
+    "zh:c7fe7904511052e4102870256819a1917177572cf684f0611ebf767f9c1fbaa8",
+    "zh:c8e07c3424663d1d0e7e32f4ade8099c19f6326d37c6da98104d90c986ff66fc",
+    "zh:e47cafbd38b56ef14fd8d727b4ffea847c166b1c684f585ee5fb78983b537248",
+  ]
+}
--- a/Terraform/AWS/main.tf
+++ b/Terraform/AWS/main.tf
+terraform {
+  backend "http" {}
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4.0"
+    }
+  }
+}
+
+locals {
+  env     = terraform.workspace == "default" ? "prod" : terraform.workspace
+  module  = basename(abspath(path.root))
+  name    = "${local.project}-${local.module}-${local.env}"
+  project = "homelab"
+  common_tags = {
+    Environment = local.env
+    Module      = local.module
+    Name        = local.name
+    Project     = local.project
+  }
+}
+
+output "env" {
+  description = "Environment (prod/dev etc.)."
+  value       = local.env
+}
+
+output "module" {
+  description = "The name of the Terraform module, used to tagging resources."
+  value       = local.module
+}
+
+output "project" {
+  description = "The name of the Git project, used to tagging resources."
+  value       = local.project
+}
+
+variable "region" {
+  default     = "us-east-1"
+  description = "AWS region."
+  type        = string
+}
+
+output "region" {
+  description = "AWS region."
+  value       = var.region
+}
+
+provider "aws" {
+  region = var.region
+  default_tags {
+    tags = local.common_tags
+  }
+}
+
+data "aws_caller_identity" "current" {}
+
+locals {
+  account_id = data.aws_caller_identity.current.account_id
+}
+
+output "account_id" {
+  description = "The AWS account ID."
+  value       = local.account_id
+}
+
+data "aws_iam_policy_document" "ec2_assume_policy" {
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["ec2.amazonaws.com"]
+    }
+  }
+}
+
+locals {
+  ec2_assume_policy = data.aws_iam_policy_document.ec2_assume_policy.json
+}
+
+output "ec2_assume_policy" {
+  value       = local.ec2_assume_policy
+  description = "IAM policy document for EC2 instance assuming a role."
+}
+
+data "aws_iam_policy_document" "task_assume_policy" {
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["ecs-tasks.amazonaws.com"]
+    }
+  }
+}
+
+locals {
+  task_assume_policy = data.aws_iam_policy_document.task_assume_policy.json
+}
+
+output "task_assume_policy" {
+  description = "IAM policy document for ECS tasks assuming a role."
+  value       = local.task_assume_policy
+}
+
+locals {
+  resource_group_query = {
+    ResourceTypeFilters = [
+      "AWS::AllSupported",
+    ]
+    TagFilters = [
+      {
+        Key    = "Environment"
+        Values = [local.env, ]
+      },
+      {
+        Key    = "Module"
+        Values = [local.module, ]
+      },
+      {
+        Key    = "Project"
+        Values = [local.project, ]
+      },
+    ]
+  }
+}
+
+resource "aws_resourcegroups_group" "group" {
+  name = local.name
+  resource_query {
+    query = jsonencode(local.resource_group_query)
+  }
+}
+
+locals {
+  resource_group_arn  = aws_resourcegroups_group.group.arn
+  resource_group_name = aws_resourcegroups_group.group.name
+}
+
+output "resource_group_arn" {
+  description = "ARN of the resource group."
+  value       = local.resource_group_arn
+}
+
+output "resource_group_name" {
+  description = "Name of the resource group."
+  value       = local.resource_group_name
+}