.gitignore +3 −0 @@ -49,8 +49,11 @@ dist/ *.env .bundle/ !Pipfile.lock !pdm.lock !Gemfile.lock .terraform .terraform.* !.terraform.lock.hcl tfplan *.tfstate* *.venv
.gitlab-ci.yml +25 −0 @@ -2,3 +2,28 @@ include: - project: shore/ci-stuff file: templates/pre-commit.yml - project: shore/ci-stuff file: templates/terraform.yml default: before_script: - apt-get update - apt-get install -y terraform AWS Terraform plan: extends: .tf_plan stage: test #rules: &aws_tf_rules # - changes: # - ${TF_ROOT}/ variables: &aws_tf_vars TF_ROOT: Terraform/AWS AWS Terraform apply: extends: .tf_apply stage: deploy #rules: *aws_tf_rules needs: - job: AWS Terraform plan artifacts: true variables: *aws_tf_vars
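Review bot: `AWS Terraform apply` has its `rules:` commented out, so unless the `.tf_apply` template (in shore/ci-stuff, not visible on this page) already restricts it, the job would run in the deploy stage of every pipeline, including pipelines for non-default branches. Consider restoring a rule on the apply job, for example `rules:` followed by `- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH`, so that only the default branch can change AWS resources. The `default: before_script` also installs whichever `terraform` version apt resolves at run time and applies to every job in the pipeline; pinning the version, or using an image that ships a fixed one, keeps plan and apply reproducible.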
Ansible/roles/router/files/nsd/shore.co.il +6 −1 @@ -2,7 +2,7 @@ $TTL 1h $ORIGIN shore.co.il. @ IN SOA ns1 hostmaster ( 2021051901 2022041003 1h 5m 4w @@ -85,3 +85,8 @@ host01._domainkey IN TXT ("v=DKIM1\; k=rsa\;" _adsp._domainkey IN TXT "dkim=all;" _dmarc IN TXT "v=DMARC1;p=quarantine;pct=100;sp=reject;fo=1;rua=mailto:postmaster@shore.co.il;ruf=mailto:postmaster@shore.co.il;adkim=s;aspf=s" aws IN NS ns-117.awsdns-14.com. aws IN NS ns-1352.awsdns-41.org. aws IN NS ns-1664.awsdns-16.co.uk. aws IN NS ns-750.awsdns-29.net.
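Review bot: The four `aws IN NS` records in the second hunk hard-code a Route 53 name-server set, while the hosted zone they point at is not among the Terraform resources visible in this commit, so nothing ties the delegation's lifetime to the zone's. If that hosted zone is ever deleted while these records remain, the delegation for aws.shore.co.il is left dangling and no longer under the owner's control. A comment above the records would make the dependency explicit, e.g. `; Delegated to the Route 53 hosted zone for aws.shore.co.il - remove these NS records before deleting that zone.`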
Terraform/AWS/.terraform.lock.hcl 0 → 100644 +22 −0 # This file is maintained automatically by "terraform init". # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/aws" { version = "4.9.0" constraints = "~> 4.0" hashes = [ "h1:GtmIOZMkKmr9tMLWouHWiGXmKEL/diOTNar5XfOVLjs=", "zh:084b83aef3335ad4f5e4b8323c6fe43c1ff55e17a7647c6a5cad6af519f72b42", "zh:132e47ce69f14de4523b84b213cedf7173398acda14245b1ffe7747aac50f050", "zh:2068baef7dfce3613f3b4f27314175e971f8db68d9cde9ec30b5659f80c68c6c", "zh:63c6f489683d5f1ac55e82a0df387143ed22701d5f22c109a4d5c9924dd4e437", "zh:8115fd21965954fa4568c09331e05bb29da967fab8d077419aed09954378e216", "zh:8efdc95fde108f777ed9c79ae25dc17aea9771903250f5c5c8a4c726b90a345f", "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", "zh:9d42a7bc34d84b70c1d1bcc215cabd63abbcbd0352b70bd84da6c3916634932f", "zh:aacbcceb241aa475888c0869e87593182edeced3170c76a0c960dd9c905df449", "zh:c7fe7904511052e4102870256819a1917177572cf684f0611ebf767f9c1fbaa8", "zh:c8e07c3424663d1d0e7e32f4ade8099c19f6326d37c6da98104d90c986ff66fc", "zh:e47cafbd38b56ef14fd8d727b4ffea847c166b1c684f585ee5fb78983b537248", ] }
Terraform/AWS/main.tf 0 → 100644 +152 −0 terraform { backend "http" {} required_providers { aws = { source = "hashicorp/aws" version = "~> 4.0" } } } locals { env = terraform.workspace == "default" ? "prod" : terraform.workspace module = basename(abspath(path.root)) name = "${local.project}-${local.module}-${local.env}" project = "homelab" common_tags = { Environment = local.env Module = local.module Name = local.name Project = local.project } } output "env" { description = "Environment (prod/dev etc.)." value = local.env } output "module" { description = "The name of the Terraform module, used to tagging resources." value = local.module } output "project" { description = "The name of the Git project, used to tagging resources." value = local.project } variable "region" { default = "us-east-1" description = "AWS region." type = string } output "region" { description = "AWS region." value = var.region } provider "aws" { region = var.region default_tags { tags = local.common_tags } } data "aws_caller_identity" "current" {} locals { account_id = data.aws_caller_identity.current.account_id } output "account_id" { description = "The AWS account ID." value = local.account_id } data "aws_iam_policy_document" "ec2_assume_policy" { statement { effect = "Allow" actions = ["sts:AssumeRole"] principals { type = "Service" identifiers = ["ec2.amazonaws.com"] } } } locals { ec2_assume_policy = data.aws_iam_policy_document.ec2_assume_policy.json } output "ec2_assume_policy" { value = local.ec2_assume_policy description = "IAM policy document for EC2 instance assuming a role." 
} data "aws_iam_policy_document" "task_assume_policy" { statement { effect = "Allow" actions = ["sts:AssumeRole"] principals { type = "Service" identifiers = ["ecs-tasks.amazonaws.com"] } } } locals { task_assume_policy = data.aws_iam_policy_document.task_assume_policy.json } output "task_assume_policy" { description = "IAM policy document for ECS tasks assuming a role." value = local.task_assume_policy } locals { resource_group_query = { ResourceTypeFilters = [ "AWS::AllSupported", ] TagFilters = [ { Key = "Environment" Values = [local.env, ] }, { Key = "Module" Values = [local.module, ] }, { Key = "Project" Values = [local.project, ] }, ] } } resource "aws_resourcegroups_group" "group" { name = local.name resource_query { query = jsonencode(local.resource_group_query) } } locals { resource_group_arn = aws_resourcegroups_group.group.arn resource_group_name = aws_resourcegroups_group.group.name } output "resource_group_arn" { description = "ARN of the resource group." value = local.resource_group_arn } output "resource_group_name" { description = "Name of the resource group." value = local.resource_group_name }
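Review bot: The `task_assume_policy` trust document allows the `ecs-tasks.amazonaws.com` service principal to assume any role that uses it, with no condition tying the request to this account. AWS's guidance for ECS task roles is to scope that trust with `aws:SourceAccount` (or `aws:SourceArn`) to guard against the confused-deputy problem. `local.account_id` is already defined in this file, so a `condition` block inside the statement can reference it, as sketched below. Separately, the `terraform` block sets no `required_version`, which matters here because the CI job installs an unpinned Terraform.

```hcl
data "aws_iam_policy_document" "task_assume_policy" {
  statement {
    # … unchanged: effect, actions, principals …
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [local.account_id]
    }
```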