From 6ffe4cc3cc31fdb6cbb46436a38ddc8409d040ef Mon Sep 17 00:00:00 2001
From: Peter Mikus
Date: Wed, 22 Jan 2025 11:51:02 +0100
Subject: feat(terraform): Refactor roles
Signed-off-by: Peter Mikus
Change-Id: Ie5e5bb0d8d3c927c26286439fb128529b8b30a81
---
 .../terraform-nomad-pyspark-etl/main.tf | 5 --
 .../fdio/main.tf | 23 ------
 .../fdio/providers.tf | 5 --
 .../fdio/variables.tf | 29 --------
 .../fdio/versions.tf | 13 ----
 .../terraform-vault-aws-secret-backend/main.tf | 28 ++-----
 .../variables.tf | 5 ++
 .../terraform-vault-fdio-creds/main.tf | 86 ++++++++++++++++++++++
 .../terraform-vault-fdio-creds/providers.tf | 5 ++
 .../terraform-vault-fdio-creds/variables.tf | 29 ++++++++
 .../terraform-vault-fdio-creds/versions.tf | 13 ++++
 11 files changed, 144 insertions(+), 97 deletions(-)
 delete mode 100644 fdio.infra.terraform/terraform-vault-aws-secret-backend/fdio/main.tf
 delete mode 100644 fdio.infra.terraform/terraform-vault-aws-secret-backend/fdio/providers.tf
 delete mode 100644 fdio.infra.terraform/terraform-vault-aws-secret-backend/fdio/variables.tf
 delete mode 100644 fdio.infra.terraform/terraform-vault-aws-secret-backend/fdio/versions.tf
 create mode 100644 fdio.infra.terraform/terraform-vault-fdio-creds/main.tf
 create mode 100644 fdio.infra.terraform/terraform-vault-fdio-creds/providers.tf
 create mode 100644 fdio.infra.terraform/terraform-vault-fdio-creds/variables.tf
 create mode 100644 fdio.infra.terraform/terraform-vault-fdio-creds/versions.tf
(limited to 'fdio.infra.terraform')
diff --git a/fdio.infra.terraform/terraform-nomad-pyspark-etl/main.tf b/fdio.infra.terraform/terraform-nomad-pyspark-etl/main.tf
index cfe326bfcc..b9027a8ceb 100644
--- a/fdio.infra.terraform/terraform-nomad-pyspark-etl/main.tf
+++ b/fdio.infra.terraform/terraform-nomad-pyspark-etl/main.tf
@@ -3,11 +3,6 @@ data "vault_kv_secret_v2" "fdio_logs" {
 name = "etl/fdio_logs"
 }
-data "vault_kv_secret_v2" "fdio_docs" {
- mount = "kv"
- name = "etl/fdio_docs"
-}
-
 data "vault_kv_secret_v2" "csit_docs" {
 mount = "kv"
 name = "etl/csit_docs"
diff --git a/fdio.infra.terraform/terraform-vault-aws-secret-backend/fdio/main.tf b/fdio.infra.terraform/terraform-vault-aws-secret-backend/fdio/main.tf
deleted file mode 100644
index 08c3ca8b73..0000000000
--- a/fdio.infra.terraform/terraform-vault-aws-secret-backend/fdio/main.tf
+++ /dev/null
@@ -1,23 +0,0 @@
-module "fdio-logs" {
- # fdio logs iam
- source = "../"
- name = "dynamic-aws-creds-vault-fdio-logs"
- aws_access_key = var.aws_access_key
- aws_secret_key = var.aws_secret_key
-}
-
-module "fdio-docs" {
- # fdio docs iam
- source = "../"
- name = "dynamic-aws-creds-vault-fdio-docs"
- aws_access_key = var.aws_access_key
- aws_secret_key = var.aws_secret_key
-}
-
-module "fdio-csit-jenkins" {
- # fdio csit jenkins iam
- source = "../"
- name = "dynamic-aws-creds-vault-fdio-csit-jenkins"
- aws_access_key = var.aws_access_key
- aws_secret_key = var.aws_secret_key
-}
diff --git a/fdio.infra.terraform/terraform-vault-aws-secret-backend/fdio/providers.tf b/fdio.infra.terraform/terraform-vault-aws-secret-backend/fdio/providers.tf
deleted file mode 100644
index 102fd31b87..0000000000
--- a/fdio.infra.terraform/terraform-vault-aws-secret-backend/fdio/providers.tf
+++ /dev/null
@@ -1,5 +0,0 @@
-provider "vault" {
- address = var.vault_provider_address
- skip_tls_verify = var.vault_provider_skip_tls_verify
- token = var.vault_provider_token
-}
\ No newline at end of file
diff --git a/fdio.infra.terraform/terraform-vault-aws-secret-backend/fdio/variables.tf b/fdio.infra.terraform/terraform-vault-aws-secret-backend/fdio/variables.tf
deleted file mode 100644
index b1f64eccf2..0000000000
--- a/fdio.infra.terraform/terraform-vault-aws-secret-backend/fdio/variables.tf
+++ /dev/null
@@ -1,29 +0,0 @@
-variable "vault_provider_address" {
- description = "Vault cluster address."
- type = string
- default = "http://10.30.51.26:8200"
-}
-
-variable "vault_provider_skip_tls_verify" {
- description = "Verification of the Vault server's TLS certificate."
- type = bool
- default = false
-}
-
-variable "vault_provider_token" {
- description = "Vault root token."
- type = string
- sensitive = true
-}
-
-variable "aws_access_key" {
- description = "AWS access key"
- type = string
- sensitive = true
-}
-
-variable "aws_secret_key" {
- description = "AWS secret key"
- type = string
- sensitive = true
-}
\ No newline at end of file
diff --git a/fdio.infra.terraform/terraform-vault-aws-secret-backend/fdio/versions.tf b/fdio.infra.terraform/terraform-vault-aws-secret-backend/fdio/versions.tf
deleted file mode 100644
index c573731d65..0000000000
--- a/fdio.infra.terraform/terraform-vault-aws-secret-backend/fdio/versions.tf
+++ /dev/null
@@ -1,13 +0,0 @@
-terraform {
- backend "consul" {
- address = "10.30.51.26:8500"
- scheme = "http"
- path = "terraform/aws-secret-backend"
- }
- required_providers {
- vault = {
- version = "4.3.0"
- }
- }
- required_version = ">= 1.5.4"
-}
diff --git a/fdio.infra.terraform/terraform-vault-aws-secret-backend/main.tf b/fdio.infra.terraform/terraform-vault-aws-secret-backend/main.tf
index 814121986f..6a2d42e681 100644
--- a/fdio.infra.terraform/terraform-vault-aws-secret-backend/main.tf
+++ b/fdio.infra.terraform/terraform-vault-aws-secret-backend/main.tf
@@ -1,4 +1,4 @@
-resource "vault_aws_secret_backend" "aws" {
+resource "vault_aws_secret_backend" "aws_secret_backend" {
 access_key = var.aws_access_key
 secret_key = var.aws_secret_key
 path = "${var.name}-path"
@@ -7,34 +7,18 @@ resource "vault_aws_secret_backend" "aws" {
 max_lease_ttl_seconds = "0"
 }
-resource "vault_aws_secret_backend_role" "admin" {
- backend = vault_aws_secret_backend.aws.path
+resource "vault_aws_secret_backend_role" "aws_secret_backend_role" {
+ backend = vault_aws_secret_backend.aws_secret_backend.path
 name = "${var.name}-role"
 credential_type = "iam_user"
- policy_document = <