author | 2025-01-22 11:51:02 +0100 | |
---|---|---|
committer | 2025-01-23 09:12:41 +0000 | |
commit | 6ffe4cc3cc31fdb6cbb46436a38ddc8409d040ef (patch) | |
tree | f0f318e2e028cd7ac449d71c0cafde7f6c7c54fd | |
parent | f1f090a9ddfe8ee8de209ff435d720d711c30ccd (diff) |
feat(terraform): Refactor roles
Signed-off-by: Peter Mikus <peter.mikus@icloud.com>
Change-Id: Ie5e5bb0d8d3c927c26286439fb128529b8b30a81
-rw-r--r-- | fdio.infra.terraform/terraform-nomad-pyspark-etl/main.tf | 5 | ||||
-rw-r--r-- | fdio.infra.terraform/terraform-vault-aws-secret-backend/fdio/main.tf | 23 | ||||
-rw-r--r-- | fdio.infra.terraform/terraform-vault-aws-secret-backend/main.tf | 28 | ||||
-rw-r--r-- | fdio.infra.terraform/terraform-vault-aws-secret-backend/variables.tf | 5 | ||||
-rw-r--r-- | fdio.infra.terraform/terraform-vault-fdio-creds/main.tf | 86 | ||||
-rw-r--r-- | fdio.infra.terraform/terraform-vault-fdio-creds/providers.tf (renamed from fdio.infra.terraform/terraform-vault-aws-secret-backend/fdio/providers.tf) | 0 | ||||
-rw-r--r-- | fdio.infra.terraform/terraform-vault-fdio-creds/variables.tf (renamed from fdio.infra.terraform/terraform-vault-aws-secret-backend/fdio/variables.tf) | 0 | ||||
-rw-r--r-- | fdio.infra.terraform/terraform-vault-fdio-creds/versions.tf (renamed from fdio.infra.terraform/terraform-vault-aws-secret-backend/fdio/versions.tf) | 0 |
8 files changed, 97 insertions, 50 deletions
diff --git a/fdio.infra.terraform/terraform-nomad-pyspark-etl/main.tf b/fdio.infra.terraform/terraform-nomad-pyspark-etl/main.tf
index cfe326bfcc..b9027a8ceb 100644
--- a/fdio.infra.terraform/terraform-nomad-pyspark-etl/main.tf
+++ b/fdio.infra.terraform/terraform-nomad-pyspark-etl/main.tf
@@ -3,11 +3,6 @@ data "vault_kv_secret_v2" "fdio_logs" {
 name = "etl/fdio_logs"
 }
 
-data "vault_kv_secret_v2" "fdio_docs" {
- mount = "kv"
- name = "etl/fdio_docs"
-}
-
 data "vault_kv_secret_v2" "csit_docs" {
 mount = "kv"
 name = "etl/csit_docs"
diff --git a/fdio.infra.terraform/terraform-vault-aws-secret-backend/fdio/main.tf b/fdio.infra.terraform/terraform-vault-aws-secret-backend/fdio/main.tf
deleted file mode 100644
index 08c3ca8b73..0000000000
--- a/fdio.infra.terraform/terraform-vault-aws-secret-backend/fdio/main.tf
+++ /dev/null
@@ -1,23 +0,0 @@
-module "fdio-logs" {
- # fdio logs iam
- source = "../"
- name = "dynamic-aws-creds-vault-fdio-logs"
- aws_access_key = var.aws_access_key
- aws_secret_key = var.aws_secret_key
-}
-
-module "fdio-docs" {
- # fdio docs iam
- source = "../"
- name = "dynamic-aws-creds-vault-fdio-docs"
- aws_access_key = var.aws_access_key
- aws_secret_key = var.aws_secret_key
-}
-
-module "fdio-csit-jenkins" {
- # fdio csit jenkins iam
- source = "../"
- name = "dynamic-aws-creds-vault-fdio-csit-jenkins"
- aws_access_key = var.aws_access_key
- aws_secret_key = var.aws_secret_key
-}
diff --git a/fdio.infra.terraform/terraform-vault-aws-secret-backend/main.tf b/fdio.infra.terraform/terraform-vault-aws-secret-backend/main.tf
index 814121986f..6a2d42e681 100644
--- a/fdio.infra.terraform/terraform-vault-aws-secret-backend/main.tf
+++ b/fdio.infra.terraform/terraform-vault-aws-secret-backend/main.tf
@@ -1,4 +1,4 @@
-resource "vault_aws_secret_backend" "aws" {
+resource "vault_aws_secret_backend" "aws_secret_backend" {
 access_key = var.aws_access_key
 secret_key = var.aws_secret_key
 path = "${var.name}-path"
@@ -7,34 +7,18 @@ resource "vault_aws_secret_backend" "aws" {
 max_lease_ttl_seconds = "0"
 }
 
-resource "vault_aws_secret_backend_role" "admin" {
- backend = vault_aws_secret_backend.aws.path
+resource "vault_aws_secret_backend_role" "aws_secret_backend_role" {
+ backend = vault_aws_secret_backend.aws_secret_backend.path
 name = "${var.name}-role"
 credential_type = "iam_user"
- policy_document = <<EOF
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "iam:*",
- "ec2:*",
- "s3:*",
- "elasticbeanstalk:*"
- ],
- "Resource": "*"
- }
- ]
-}
-EOF
+ policy_document = var.policy_document
 }
 
 output "backend" {
- value = vault_aws_secret_backend.aws.path
+ value = vault_aws_secret_backend.aws_secret_backend.path
 }
 
 output "role" {
- value = vault_aws_secret_backend_role.admin.name
+ value = vault_aws_secret_backend_role.aws_secret_backend_role.name
 }
 
diff --git a/fdio.infra.terraform/terraform-vault-aws-secret-backend/variables.tf b/fdio.infra.terraform/terraform-vault-aws-secret-backend/variables.tf
index 2545345185..d7a2f4a987 100644
--- a/fdio.infra.terraform/terraform-vault-aws-secret-backend/variables.tf
+++ b/fdio.infra.terraform/terraform-vault-aws-secret-backend/variables.tf
@@ -15,3 +15,8 @@ variable "name" {
 description = "Vault path"
 type = string
 }
+
+variable "policy_document" {
+ description = "AWS policy document"
+ type = string
+}
diff --git a/fdio.infra.terraform/terraform-vault-fdio-creds/main.tf b/fdio.infra.terraform/terraform-vault-fdio-creds/main.tf
new file mode 100644
index 0000000000..4469bb131c
--- /dev/null
+++ b/fdio.infra.terraform/terraform-vault-fdio-creds/main.tf
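Review bot: Renaming `vault_aws_secret_backend.aws` to `aws_secret_backend` and `vault_aws_secret_backend_role.admin` to `aws_secret_backend_role` changes the resource addresses, so an apply against the existing state will destroy and recreate the AWS secrets mount and its role rather than update them in place; disabling the mount revokes every lease and dynamic IAM user issued from it, which would break consumers of the logs and Jenkins credentials until they re-fetch. If the pinned Terraform version supports it, `moved` blocks in this file keep the state attached to the new names with no churn (the same applies to each module instance that calls this module from the new fdio-creds root). This is a state-continuity concern I cannot fully confirm from the diff, since the state backend configuration lives in the renamed providers.tf, which is not shown.
```hcl
moved {
  from = vault_aws_secret_backend.aws
  to   = vault_aws_secret_backend.aws_secret_backend
}

moved {
  from = vault_aws_secret_backend_role.admin
  to   = vault_aws_secret_backend_role.aws_secret_backend_role
}
```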
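Review bot: The new `policy_document` variable is typed as a bare `string` with the description "AWS policy document", but it is passed straight into `vault_aws_secret_backend_role.policy_document`, so a malformed value is only rejected by Vault at apply time. A `validation` block that checks `can(jsondecode(var.policy_document))` fails fast at plan time, and a description stating that this is the JSON IAM policy attached to every IAM user Vault generates for the role makes the blast radius of the value explicit to callers.
```hcl
variable "policy_document" {
  description = "JSON IAM policy attached to each IAM user Vault generates for this role"
  type        = string

  validation {
    condition     = can(jsondecode(var.policy_document))
    error_message = "policy_document must be a JSON-encoded IAM policy."
  }
}
```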
@@ -0,0 +1,86 @@
+module "fdio-logs" {
+ # fdio logs iam
+ source = "../terraform-vault-aws-secret-backend"
+ name = "dynamic-aws-creds-vault-fdio-logs"
+ aws_access_key = var.aws_access_key
+ aws_secret_key = var.aws_secret_key
+ policy_document = jsonencode({
+ Statement = [
+ {
+ Action = [
+ "iam:*",
+ "ec2:*",
+ "s3:*",
+ "elasticbeanstalk:*",
+ "ssm:*",
+ "cloudformation:*",
+ "logs:*",
+ "elasticloadbalancing:*",
+ "autoscaling:*",
+ "cloudwatch:*"
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ Version = "2012-10-17"
+ })
+}
+
+module "csit-cdash" {
+ # csit cdash iam
+ source = "../terraform-vault-aws-secret-backend"
+ name = "dynamic-aws-creds-vault-cdash"
+ aws_access_key = var.aws_access_key
+ aws_secret_key = var.aws_secret_key
+ policy_document = jsonencode({
+ Statement = [
+ {
+ Action = [
+ "iam:*",
+ "ec2:*",
+ "s3:*",
+ "elasticbeanstalk:*",
+ "ssm:*",
+ "cloudformation:*",
+ "logs:*",
+ "elasticloadbalancing:*",
+ "autoscaling:*",
+ "cloudwatch:*"
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ Version = "2012-10-17"
+ })
+}
+
+module "fdio-csit-jenkins" {
+ # fdio csit jenkins iam
+ source = "../terraform-vault-aws-secret-backend"
+ name = "dynamic-aws-creds-vault-fdio-csit-jenkins"
+ aws_access_key = var.aws_access_key
+ aws_secret_key = var.aws_secret_key
+ policy_document = jsonencode({
+ Statement = [
+ {
+ Action = [
+ "iam:*",
+ "ec2:*",
+ "s3:*",
+ "elasticbeanstalk:*",
+ "ssm:*",
+ "cloudformation:*",
+ "logs:*",
+ "elasticloadbalancing:*",
+ "autoscaling:*",
+ "cloudwatch:*"
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ Version = "2012-10-17"
+ })
+}
diff --git a/fdio.infra.terraform/terraform-vault-aws-secret-backend/fdio/providers.tf b/fdio.infra.terraform/terraform-vault-fdio-creds/providers.tf
index 102fd31b87..102fd31b87 100644
--- a/fdio.infra.terraform/terraform-vault-aws-secret-backend/fdio/providers.tf
+++ b/fdio.infra.terraform/terraform-vault-fdio-creds/providers.tf
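Review bot: All three modules (`fdio-logs`, `csit-cdash`, `fdio-csit-jenkins`) hand Vault the same policy, `Action` of ten service-wide wildcards including `"iam:*"` on `Resource = "*"`, so the per-role `policy_document` input this commit introduces is never used to differentiate roles, and the policy is wider than the four-service heredoc it replaces. Because the backend module issues `credential_type = "iam_user"`, `iam:*` lets any generated user create or modify IAM principals, which makes a leaked logs or cdash credential equivalent to account admin. Each module should carry only what its consumer needs; for the logs role that is presumably something like `Action = ["s3:PutObject", "s3:GetObject", "s3:ListBucket"]` on `Resource = ["arn:aws:s3:::<logs-bucket>", "arn:aws:s3:::<logs-bucket>/*"]` (bucket name to be confirmed against the ETL job), and the Jenkins role can be scoped to the services its pipelines actually call. If some roles must stay identical for now, define the statement once in a `locals` block and reference it from each module so the three copies cannot drift apart silently.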
diff --git a/fdio.infra.terraform/terraform-vault-aws-secret-backend/fdio/variables.tf b/fdio.infra.terraform/terraform-vault-fdio-creds/variables.tf
index b1f64eccf2..b1f64eccf2 100644
--- a/fdio.infra.terraform/terraform-vault-aws-secret-backend/fdio/variables.tf
+++ b/fdio.infra.terraform/terraform-vault-fdio-creds/variables.tf
diff --git a/fdio.infra.terraform/terraform-vault-aws-secret-backend/fdio/versions.tf b/fdio.infra.terraform/terraform-vault-fdio-creds/versions.tf
index c573731d65..c573731d65 100644
--- a/fdio.infra.terraform/terraform-vault-aws-secret-backend/fdio/versions.tf
+++ b/fdio.infra.terraform/terraform-vault-fdio-creds/versions.tf |