From 5747228f8c7c793dcf62a94aeb11fdb96ee7a37e Mon Sep 17 00:00:00 2001
From: pmikus <pmikus@cisco.com>
Date: Fri, 29 Oct 2021 06:19:46 +0000
Subject: feat(Terraform): AWS backend role migration

Signed-off-by: pmikus <pmikus@cisco.com>
Change-Id: I8c93eaaa766c48b705a19e38123b69c994669dc0
---
 fdio.infra.terraform/1n_nmd/aws/main.tf            | 37 -----------------
 fdio.infra.terraform/1n_nmd/aws/providers.tf       | 14 -------
 fdio.infra.terraform/1n_nmd/aws/variables.tf       | 11 -----
 .../1n_nmd/tools/artifacts_download.py             | 47 ----------------------
 .../1n_nmd/vault-aws-secret-backend/main.tf        | 37 +++++++++++++++++
 .../1n_nmd/vault-aws-secret-backend/providers.tf   |  5 +++
 .../1n_nmd/vault-aws-secret-backend/variables.tf   | 23 +++++++++++
 .../1n_nmd/vault-aws-secret-backend/versions.tf    | 13 ++++++
 8 files changed, 78 insertions(+), 109 deletions(-)
 delete mode 100644 fdio.infra.terraform/1n_nmd/aws/main.tf
 delete mode 100644 fdio.infra.terraform/1n_nmd/aws/providers.tf
 delete mode 100644 fdio.infra.terraform/1n_nmd/aws/variables.tf
 delete mode 100755 fdio.infra.terraform/1n_nmd/tools/artifacts_download.py
 create mode 100644 fdio.infra.terraform/1n_nmd/vault-aws-secret-backend/main.tf
 create mode 100644 fdio.infra.terraform/1n_nmd/vault-aws-secret-backend/providers.tf
 create mode 100644 fdio.infra.terraform/1n_nmd/vault-aws-secret-backend/variables.tf
 create mode 100644 fdio.infra.terraform/1n_nmd/vault-aws-secret-backend/versions.tf

(limited to 'fdio.infra.terraform/1n_nmd')

diff --git a/fdio.infra.terraform/1n_nmd/aws/main.tf b/fdio.infra.terraform/1n_nmd/aws/main.tf
deleted file mode 100644
index be7eb7c577..0000000000
--- a/fdio.infra.terraform/1n_nmd/aws/main.tf
+++ /dev/null
@@ -1,37 +0,0 @@
-resource "vault_aws_secret_backend" "aws" {
-  access_key = var.aws_access_key
-  secret_key = var.aws_secret_key
-  path       = "${var.name}-path"
-
-  default_lease_ttl_seconds = "43200"
-  max_lease_ttl_seconds     = "43200"
-}
-
-resource "vault_aws_secret_backend_role" "admin" {
-  backend         = vault_aws_secret_backend.aws.path
-  name            = "${var.name}-role"
-  credential_type = "iam_user"
-
-  policy_document = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Action": [
-        "iam:*", "ec2:*"
-      ],
-      "Resource": "*"
-    }
-  ]
-}
-EOF
-}
-
-output "backend" {
-  value = vault_aws_secret_backend.aws.path
-}
-
-output "role" {
-  value = vault_aws_secret_backend_role.admin.name
-}
diff --git a/fdio.infra.terraform/1n_nmd/aws/providers.tf b/fdio.infra.terraform/1n_nmd/aws/providers.tf
deleted file mode 100644
index 9bcd95ec57..0000000000
--- a/fdio.infra.terraform/1n_nmd/aws/providers.tf
+++ /dev/null
@@ -1,14 +0,0 @@
-terraform {
-  required_providers {
-    vault = {
-      version = ">=2.22.1"
-    }
-  }
-  required_version = ">= 1.0.3"
-}
-
-provider "vault" {
-  address         = "http://10.30.51.28:8200"
-  skip_tls_verify = true
-  token           = "s.4z5PsufFwV3sHbCzK9Y2Cojd"
-}
\ No newline at end of file
diff --git a/fdio.infra.terraform/1n_nmd/aws/variables.tf b/fdio.infra.terraform/1n_nmd/aws/variables.tf
deleted file mode 100644
index ee9fb73a73..0000000000
--- a/fdio.infra.terraform/1n_nmd/aws/variables.tf
+++ /dev/null
@@ -1,11 +0,0 @@
-variable "aws_access_key" {
-  sensitive = true
-}
-
-variable "aws_secret_key" {
-  sensitive = true
-}
-
-variable "name" {
-  default = "dynamic-aws-creds-vault-admin"
-}
\ No newline at end of file
diff --git a/fdio.infra.terraform/1n_nmd/tools/artifacts_download.py b/fdio.infra.terraform/1n_nmd/tools/artifacts_download.py
deleted file mode 100755
index 2af895e8b9..0000000000
--- a/fdio.infra.terraform/1n_nmd/tools/artifacts_download.py
+++ /dev/null
@@ -1,47 +0,0 @@
-#!/usr/bin/python3
-
-# Copyright (c) 2021 Cisco and/or its affiliates.
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at:
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-"""Storage utilities library."""
-
-from boto3 import resource
-from botocore.client import Config
-
-
-ENDPOINT_URL = u"http://storage.service.consul:9000"
-AWS_ACCESS_KEY_ID = u"storage"
-AWS_SECRET_ACCESS_KEY = u"Storage1234"
-REGION_NAME = u"yul1"
-LOGS_BUCKET = f"logs.fd.io"
-
-
-if __name__ == u"__main__":
-    """Main function for storage manipulation."""
-
-    # Create main storage resource.
-    storage = resource(
-        u"s3",
-        endpoint_url=ENDPOINT_URL,
-        aws_access_key_id=AWS_ACCESS_KEY_ID,
-        aws_secret_access_key=AWS_SECRET_ACCESS_KEY,
-        config=Config(
-            signature_version=u"s3v4"
-        ),
-        region_name=REGION_NAME
-    )
-
-    storage.Bucket(LOGS_BUCKET).download_file(
-        "/vex-yul-rot-jenkins-1/csit-vpp-perf-report-iterative-2101-3n-skx/47/archives/output_info.xml.gz",
-        "output.xml.gz"
-    )
\ No newline at end of file
diff --git a/fdio.infra.terraform/1n_nmd/vault-aws-secret-backend/main.tf b/fdio.infra.terraform/1n_nmd/vault-aws-secret-backend/main.tf
new file mode 100644
index 0000000000..a65c390792
--- /dev/null
+++ b/fdio.infra.terraform/1n_nmd/vault-aws-secret-backend/main.tf
@@ -0,0 +1,37 @@
+resource "vault_aws_secret_backend" "aws" {
+  access_key = var.aws_access_key
+  secret_key = var.aws_secret_key
+  path       = "${var.name}-path"
+
+  default_lease_ttl_seconds = "0"
+  max_lease_ttl_seconds     = "0"
+}
+
+resource "vault_aws_secret_backend_role" "admin" {
+  backend         = vault_aws_secret_backend.aws.path
+  name            = "${var.name}-role"
+  credential_type = "iam_user"
+
+  policy_document = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "iam:*", "ec2:*"
+      ],
+      "Resource": "*"
+    }
+  ]
+}
+EOF
+}
+
+output "backend" {
+  value = vault_aws_secret_backend.aws.path
+}
+
+output "role" {
+  value = vault_aws_secret_backend_role.admin.name
+}
diff --git a/fdio.infra.terraform/1n_nmd/vault-aws-secret-backend/providers.tf b/fdio.infra.terraform/1n_nmd/vault-aws-secret-backend/providers.tf
new file mode 100644
index 0000000000..c084d486a6
--- /dev/null
+++ b/fdio.infra.terraform/1n_nmd/vault-aws-secret-backend/providers.tf
@@ -0,0 +1,5 @@
+provider "vault" {
+  address         = "http://10.30.51.28:8200"
+  skip_tls_verify = true
+  token           = var.token
+}
diff --git a/fdio.infra.terraform/1n_nmd/vault-aws-secret-backend/variables.tf b/fdio.infra.terraform/1n_nmd/vault-aws-secret-backend/variables.tf
new file mode 100644
index 0000000000..df752980fd
--- /dev/null
+++ b/fdio.infra.terraform/1n_nmd/vault-aws-secret-backend/variables.tf
@@ -0,0 +1,23 @@
+variable "aws_access_key" {
+  description = "AWS access key"
+  type        = string
+  sensitive   = true
+}
+
+variable "aws_secret_key" {
+  description = "AWS secret key"
+  type        = string
+  sensitive   = true
+}
+
+variable "name" {
+  default     = "dynamic-aws-creds-vault-fdio"
+  description = "Vault path"
+  type        = string
+}
+
+variable "token" {
+  description = "Vault root token"
+  type        = string
+  sensitive   = true
+}
diff --git a/fdio.infra.terraform/1n_nmd/vault-aws-secret-backend/versions.tf b/fdio.infra.terraform/1n_nmd/vault-aws-secret-backend/versions.tf
new file mode 100644
index 0000000000..ef6f844721
--- /dev/null
+++ b/fdio.infra.terraform/1n_nmd/vault-aws-secret-backend/versions.tf
@@ -0,0 +1,13 @@
+terraform {
+  backend "consul" {
+    address = "consul.service.consul:8500"
+    scheme  = "http"
+    path    = "fdio/terraform/1n/nomad"
+  }
+  required_providers {
+    vault = {
+      version = ">=2.22.1"
+    }
+  }
+  required_version = ">= 1.0.3"
+}
-- 
cgit 1.2.3-korg