From ca81b6ccfdcee62846217f824c1e4a1610b8a950 Mon Sep 17 00:00:00 2001
From: Peter Mikus
Date: Thu, 31 Mar 2022 15:59:10 +0200
Subject: refactor(terraform): Directory structure

Signed-off-by: Peter Mikus
Change-Id: I2f3cdf0241aaf7c4a8ba4e00b701df10c9165cf8
---
 .../fdio/main.tf | 17 ++++++++++
 .../fdio/providers.tf | 5 +++
 .../fdio/variables.tf | 17 ++++++++++
 .../fdio/versions.tf | 13 ++++++++
 .../terraform-vault-aws-secret-backend/main.tf | 37 ++++++++++++++++++++++
 .../variables.tf | 17 ++++++++++
 .../terraform-vault-aws-secret-backend/versions.tf | 8 +++++
 7 files changed, 114 insertions(+)
 create mode 100644 fdio.infra.terraform/terraform-vault-aws-secret-backend/fdio/main.tf
 create mode 100644 fdio.infra.terraform/terraform-vault-aws-secret-backend/fdio/providers.tf
 create mode 100644 fdio.infra.terraform/terraform-vault-aws-secret-backend/fdio/variables.tf
 create mode 100644 fdio.infra.terraform/terraform-vault-aws-secret-backend/fdio/versions.tf
 create mode 100644 fdio.infra.terraform/terraform-vault-aws-secret-backend/main.tf
 create mode 100644 fdio.infra.terraform/terraform-vault-aws-secret-backend/variables.tf
 create mode 100644 fdio.infra.terraform/terraform-vault-aws-secret-backend/versions.tf
(limited to 'fdio.infra.terraform/terraform-vault-aws-secret-backend')
diff --git a/fdio.infra.terraform/terraform-vault-aws-secret-backend/fdio/main.tf b/fdio.infra.terraform/terraform-vault-aws-secret-backend/fdio/main.tf
new file mode 100644
index 0000000000..4473dafda8
--- /dev/null
+++ b/fdio.infra.terraform/terraform-vault-aws-secret-backend/fdio/main.tf
@@ -0,0 +1,17 @@
+module "fdio-logs" {
+ # fdio logs iam
+ source = "../"
+ name = "dynamic-aws-creds-vault-fdio-logs"
+}
+
+module "fdio-docs" {
+ # fdio docs iam
+ source = "../"
+ name = "dynamic-aws-creds-vault-fdio-docs"
+}
+
+module "fdio-csit-jenkins" {
+ # fdio csit jenkins iam
+ source = "../"
+ name = "dynamic-aws-creds-vault-fdio-csit-jenkins"
+}
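Review bot: The three module calls pass only `name`, but the module they point to (`source = "../"`, whose main.tf appears later in this patch) reads `var.aws_access_key` and `var.aws_secret_key`; unless those two variables carry defaults in the module's own variables.tf (not in view), `terraform validate` will reject every call here for missing required arguments, and if they do carry defaults, one static AWS key would silently back all three mounts. Consider declaring the two inputs in this root and passing them explicitly, e.g. `aws_access_key = var.aws_access_key` and `aws_secret_key = var.aws_secret_key`, so the source credential behind each mount is visible where the module is called. The one-word comments such as `# fdio logs iam` could also state what the call creates, e.g. `# Vault AWS secrets engine mount + IAM-user role for fdio logs`.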
diff --git a/fdio.infra.terraform/terraform-vault-aws-secret-backend/fdio/providers.tf b/fdio.infra.terraform/terraform-vault-aws-secret-backend/fdio/providers.tf
new file mode 100644
index 0000000000..102fd31b87
--- /dev/null
+++ b/fdio.infra.terraform/terraform-vault-aws-secret-backend/fdio/providers.tf
@@ -0,0 +1,5 @@
+provider "vault" {
+ address = var.vault_provider_address
+ skip_tls_verify = var.vault_provider_skip_tls_verify
+ token = var.vault_provider_token
+}
\ No newline at end of file
diff --git a/fdio.infra.terraform/terraform-vault-aws-secret-backend/fdio/variables.tf b/fdio.infra.terraform/terraform-vault-aws-secret-backend/fdio/variables.tf
new file mode 100644
index 0000000000..e36ed08473
--- /dev/null
+++ b/fdio.infra.terraform/terraform-vault-aws-secret-backend/fdio/variables.tf
@@ -0,0 +1,17 @@
+variable "vault_provider_address" {
+ description = "Vault cluster address."
+ type = string
+ default = "http://10.30.51.28:8200"
+}
+
+variable "vault_provider_skip_tls_verify" {
+ description = "Verification of the Vault server's TLS certificate"
+ type = bool
+ default = false
+}
+
+variable "vault_provider_token" {
+ description = "Vault root token"
+ type = string
+ sensitive = true
+}
diff --git a/fdio.infra.terraform/terraform-vault-aws-secret-backend/fdio/versions.tf b/fdio.infra.terraform/terraform-vault-aws-secret-backend/fdio/versions.tf
new file mode 100644
index 0000000000..ec03c7c9ee
--- /dev/null
+++ b/fdio.infra.terraform/terraform-vault-aws-secret-backend/fdio/versions.tf
@@ -0,0 +1,13 @@
+terraform {
+ backend "consul" {
+ address = "consul.service.consul:8500"
+ scheme = "http"
+ path = "fdio/terraform/1n/nomad"
+ }
+ required_providers {
+ vault = {
+ version = ">= 3.2.1"
+ }
+ }
+ required_version = ">= 1.1.4"
+}
diff --git a/fdio.infra.terraform/terraform-vault-aws-secret-backend/main.tf b/fdio.infra.terraform/terraform-vault-aws-secret-backend/main.tf
new file mode 100644
index 0000000000..a65c390792
--- /dev/null
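Review bot: The provider sends `var.vault_provider_token` to whatever `var.vault_provider_address` resolves to, and the default for that address in the variables.tf hunk of this same patch is a plain `http://` URL, so with the defaults the token (documented there as the root token) crosses the network in cleartext and `skip_tls_verify` has nothing to verify. Prefer an `https://` address and a token issued under a policy limited to mounting and configuring the `aws` secrets engines this module creates, rather than root. A short comment above `token`, e.g. `# Token needs only the aws secrets-engine mount/role permissions; do not use root.`, would record that expectation. The Vault provider also reads `VAULT_TOKEN` from the environment when `token` is unset, which keeps the value out of any `.tfvars` file.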
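Review bot: The description of `vault_provider_skip_tls_verify` states the opposite of what the variable does: the provider argument it feeds disables certificate verification when true, so `"Verification of the Vault server's TLS certificate"` reads as if true turns verification on. Change it to `description = "Skip verification of the Vault server's TLS certificate (true disables verification; keep false)."`. The `vault_provider_address` default `http://10.30.51.28:8200` is a cleartext endpoint that will carry the token from the providers.tf hunk, so if that host is right for this environment an `https://` default is the safer one; and `"Vault root token"` documents a privilege level the module does not need, where `"Vault token permitted to manage AWS secrets engine mounts"` describes the intended least privilege.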
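Review bot: The Consul backend key `path = "fdio/terraform/1n/nomad"` names a nomad module rather than this vault-aws-secret-backend root and looks copied; if another root module already uses that key, the two will overwrite each other's state on every apply. A module-specific key such as `path = "fdio/terraform/vault-aws-secret-backend"` avoids the collision. The backend is also reached over `scheme = "http"` with no `access_token`, while the state written through it holds every attribute of the `vault_aws_secret_backend` resource in the module's main.tf, including the `access_key`/`secret_key` it is given; `scheme = "https"` together with a Consul ACL token (`access_token`, or `CONSUL_HTTP_TOKEN` in the environment) keeps that state off the wire in cleartext and out of reach of unauthenticated Consul clients.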
+++ b/fdio.infra.terraform/terraform-vault-aws-secret-backend/main.tf
@@ -0,0 +1,37 @@
+resource "vault_aws_secret_backend" "aws" {
+ access_key = var.aws_access_key
+ secret_key = var.aws_secret_key
+ path = "${var.name}-path"
+
+ default_lease_ttl_seconds = "0"
+ max_lease_ttl_seconds = "0"
+}
+
+resource "vault_aws_secret_backend_role" "admin" {
+ backend = vault_aws_secret_backend.aws.path
+ name = "${var.name}-role"
+ credential_type = "iam_user"
+
+ policy_document = <