feat: parameterized codebuild role
farhanangullia committed Jul 20, 2022
1 parent 95a2541 commit 22d85bb
Showing 6 changed files with 158 additions and 130 deletions.
10 changes: 5 additions & 5 deletions examples/mwaa/environment/main.tf
Expand Up @@ -10,9 +10,9 @@ resource "aws_vpc" "mwaa_vpc" {
enable_dns_hostnames = true
}

# resource "aws_default_security_group" "default" {
# vpc_id = aws_vpc.mwaa_vpc.id
# }
resource "aws_default_security_group" "default" {
vpc_id = aws_vpc.mwaa_vpc.id
}

resource "aws_subnet" "mwaa_private_subnets" {
count = length(var.pri_sub_cidrs)
Expand Down Expand Up @@ -102,8 +102,8 @@ resource "aws_route_table_association" "pubrt_associations" {
}

resource "aws_security_group" "this" {
vpc_id = aws_vpc.mwaa_vpc.id
name = "mwaa-no-ingress-sg"
vpc_id = aws_vpc.mwaa_vpc.id
name = "mwaa-no-ingress-sg"
tags = merge({
Name = "mwaa-no-ingress-sg"
}, var.tags)
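Review bot: Whichever side of the commit ends up with `aws_default_security_group.default` uncommented, the resource carries no `ingress`/`egress` blocks, and that absence is the point: adopting the VPC's default security group with no rules strips every rule from it, so anything attached to it by accident can pass no traffic. That intent is not visible in a three-line resource, and a later reader may treat it as a no-op and delete it. Add `# Adopt the VPC default SG with no rules so it permits no traffic (Security Hub EC2.2).` above the resource. The rules of `mwaa-no-ingress-sg` sit below this hunk, so I cannot tell from here whether it carries the self-referencing rule an MWAA environment is usually given.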
4 changes: 3 additions & 1 deletion examples/mwaa/switch/config.auto.tfvars
Expand Up @@ -3,4 +3,6 @@ kill_resources_schedule = "cron(0 1/3 * * ? *)"
revive_resources_schedule = "cron(0 1/2 * * ? *)"
init_command = "terraform -chdir=examples/mwaa/environment init -backend-config=\\\"bucket=REPLACE_ME\\\" -backend-config=\\\"key=REPLACE_ME\\\" -backend-config=\\\"region=REPLACE_ME\\\" -input=false" # Replace all fields of REPLACE_ME with your s3 backend configuration values that is used to deploy the MWAA environment.
kill_command = "terraform -chdir=examples/mwaa/environment apply -input=false -target=aws_mwaa_environment.this -var enabled=false -auto-approve"
revive_command = "terraform -chdir=examples/mwaa/environment apply -input=false -target=aws_mwaa_environment.this -var enabled=true -auto-approve"
revive_command = "terraform -chdir=examples/mwaa/environment apply -input=false -target=aws_mwaa_environment.this -var enabled=true -auto-approve"
tf_backend_bucket = "REPLACE_ME"
tf_backend_key = "REPLACE_ME"
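Review bot: The backend bucket and key now have to be entered twice — inside `init_command` (`-backend-config=\"bucket=REPLACE_ME\"`) and again as `tf_backend_bucket`/`tf_backend_key` — and nothing checks that the two agree. If the module's S3 backend policy is scoped to the variables (that resource lies outside this view) while `init_command` names a different bucket or key, the CodeBuild job is denied on the state object at runtime rather than at plan time. At minimum add `# The bucket/key inside init_command must match tf_backend_bucket/tf_backend_key below.` above the block; building `init_command` from those variables in main.tf would remove the duplication entirely.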
139 changes: 127 additions & 12 deletions examples/mwaa/switch/main.tf
@@ -1,18 +1,133 @@
# Copyright © 2022 Amazon Web Services, Inc. or its affiliates. All Rights Reserved. This AWS Content is provided subject to the terms of the AWS Customer Agreement available at http://aws.amazon.com/agreement or other written agreement between Customer and either Amazon Web Services, Inc. or Amazon Web Services EMEA SARL or both."

#### (0) switch module ####
#### (1) switch module ####
module "mwaa_switch" {
source = "../../../"

git_personal_access_token = jsondecode(data.aws_secretsmanager_secret_version.github_token_secret_version.secret_string)["TOKEN"]
source_type = "GITHUB"
source_location = "https://github.com/aws-samples/aws-terraform-scheduled-switch.git"
kill_resources_schedule = "cron(0 1/3 * * ? *)"
revive_resources_schedule = "cron(0 1/2 * * ? *)"
init_command = "terraform -chdir=examples/mwaa/environment init -backend-config=\\\"bucket=${var.tf_backend_bucket}\\\" -backend-config=\\\"key=${var.tf_backend_key}\\\" -backend-config=\\\"region=${var.tf_backend_region}\\\" -input=false"
kill_command = "terraform -chdir=examples/mwaa/environment apply -input=false -target=aws_mwaa_environment.this -var enabled=false -auto-approve"
revive_command = "terraform -chdir=examples/mwaa/environment apply -input=false -target=aws_mwaa_environment.this -var enabled=true -auto-approve"
terraform_version = var.terraform_version
tf_backend_bucket = var.tf_backend_bucket
tf_backend_key = var.tf_backend_key
git_personal_access_token = jsondecode(data.aws_secretsmanager_secret_version.github_token_secret_version.secret_string)["TOKEN"]
source_type = "GITHUB"
switch_additional_policy_arn = aws_iam_policy.mwaa_switch_policy.arn
source_location = var.source_location
kill_resources_schedule = var.kill_resources_schedule
revive_resources_schedule = var.revive_resources_schedule
init_command = var.init_command
kill_command = var.kill_command
revive_command = var.revive_command
terraform_version = var.terraform_version
tf_backend_bucket = var.tf_backend_bucket
tf_backend_key = var.tf_backend_key
}

#### (0) Switch Policy for MWAA ####
resource "aws_iam_policy" "mwaa_switch_policy" {
name = "MWAASwitchPolicy"
description = "A policy for MWAA operations."

policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Resource": [
"*"
],
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
]
},
{
"Effect": "Allow",
"Action": [
"iam:ListRolePolicies",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:ListAttachedRolePolicies"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "airflow:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"iam:CreateServiceLinkedRole"
],
"Resource": "arn:aws:iam::*:role/aws-service-role/airflow.amazonaws.com/AWSServiceRoleForAmazonMWAA"
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"ec2:DescribeRouteTables",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeVpcClassicLink",
"ec2:DescribeVpcClassicLinkDnsSupport",
"ec2:DescribeVpcAttribute"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"kms:DescribeKey",
"kms:ListGrants",
"kms:CreateGrant",
"kms:RevokeGrant",
"kms:Decrypt",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:ReEncrypt*"
],
"Resource": "arn:aws:kms:*:${data.aws_caller_identity.current.account_id}:key/aws/airflow"
},
{
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": "*",
"Condition": {
"StringLike": {
"iam:PassedToService": "airflow.amazonaws.com"
}
}
},
{
"Effect": "Allow",
"Action": [
"s3:GetEncryptionConfiguration"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": "ec2:CreateVpcEndpoint",
"Resource": [
"arn:aws:ec2:*:*:vpc-endpoint/*",
"arn:aws:ec2:*:*:vpc/*",
"arn:aws:ec2:*:*:subnet/*",
"arn:aws:ec2:*:*:security-group/*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterface"
],
"Resource": [
"arn:aws:ec2:*:*:subnet/*",
"arn:aws:ec2:*:*:network-interface/*"
]
}
]
}
EOF
}
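Review bot: The `airflow:*` statement and the `iam:PassRole` statement both use `"Resource": "*"`, so the CodeBuild role can act on every MWAA environment in the account (including minting web-login and CLI tokens) and pass any role whose trust policy names airflow.amazonaws.com, although the kill and revive commands only toggle `aws_mwaa_environment.this`. Scope the first to the environment, e.g. `"Resource": "arn:aws:airflow:${var.region}:${data.aws_caller_identity.current.account_id}:environment/<environment-name>"`, and the second to the MWAA execution role's ARN instead of `*`. `name = "MWAASwitchPolicy"` is a fixed account-wide name, so a second deployment of this example in the same account fails on a collision; `name_prefix` avoids that. The `#### (0) ...` label on the policy and `#### (1) ...` on the module that consumes it read as reversed.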
10 changes: 10 additions & 0 deletions examples/mwaa/switch/variables.tf
Expand Up @@ -5,6 +5,16 @@ variable "region" {

#### switch ####

variable "tf_backend_bucket" {
type = string
description = "S3 Backend bucket name"
}

variable "tf_backend_key" {
type = string
description = "S3 object key to terraform state file"
}

variable "source_location" {
type = string
description = "Information about the location of the source code of the Terraform configuration that is being managed."
117 changes: 5 additions & 112 deletions main.tf
Expand Up @@ -57,118 +57,6 @@ resource "aws_iam_role" "switch_codebuild_role" {
EOF
}

resource "aws_iam_role_policy" "switch_codebuild_policy" {
role = aws_iam_role.switch_codebuild_role.name

policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Resource": [
"*"
],
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
]
},
{
"Effect": "Allow",
"Action": [
"iam:ListRolePolicies",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:ListAttachedRolePolicies"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "airflow:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"iam:CreateServiceLinkedRole"
],
"Resource": "arn:aws:iam::*:role/aws-service-role/airflow.amazonaws.com/AWSServiceRoleForAmazonMWAA"
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"ec2:DescribeRouteTables",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeVpcClassicLink",
"ec2:DescribeVpcClassicLinkDnsSupport",
"ec2:DescribeVpcAttribute"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"kms:DescribeKey",
"kms:ListGrants",
"kms:CreateGrant",
"kms:RevokeGrant",
"kms:Decrypt",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:ReEncrypt*"
],
"Resource": "arn:aws:kms:*:${data.aws_caller_identity.current.account_id}:key/aws/airflow"
},
{
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": "*",
"Condition": {
"StringLike": {
"iam:PassedToService": "airflow.amazonaws.com"
}
}
},
{
"Effect": "Allow",
"Action": [
"s3:GetEncryptionConfiguration"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": "ec2:CreateVpcEndpoint",
"Resource": [
"arn:aws:ec2:*:*:vpc-endpoint/*",
"arn:aws:ec2:*:*:vpc/*",
"arn:aws:ec2:*:*:subnet/*",
"arn:aws:ec2:*:*:security-group/*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterface"
],
"Resource": [
"arn:aws:ec2:*:*:subnet/*",
"arn:aws:ec2:*:*:network-interface/*"
]
}
]
}
POLICY
}

resource "aws_iam_role_policy" "switch_codebuild_s3_backend_policy" {
role = aws_iam_role.switch_codebuild_role.name

Expand All @@ -195,4 +83,9 @@ POLICY
resource "aws_iam_role_policy_attachment" "s3_policy" {
role = aws_iam_role.switch_codebuild_role.name
policy_arn = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
}

resource "aws_iam_role_policy_attachment" "switch_additional_policy" {
role = aws_iam_role.switch_codebuild_role.name
policy_arn = var.switch_additional_policy_arn
}
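Review bot: `aws_iam_role_policy_attachment.switch_additional_policy` has no `count`, while `var.switch_additional_policy_arn` defaults to `null`, so a caller that omits the new variable gets a plan error on the required `policy_arn` instead of the opt-in behaviour the default implies. Guard the resource with `count = var.switch_additional_policy_arn == null ? 0 : 1` and leave `policy_arn = var.switch_additional_policy_arn` as is. Since the module attaches whatever ARN it is handed, the CodeBuild role is only as narrow as the caller's policy; a comment such as `# Caller-supplied policy; the module does not validate or narrow its scope.` on the resource makes that explicit.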
8 changes: 8 additions & 0 deletions variables.tf
Expand Up @@ -25,6 +25,14 @@ variable "source_location" {
description = "Information about the location of the source code of the Terraform configuration that is being managed."
}

# CodeBuild variables

variable "switch_additional_policy_arn" {
type = string
description = "ARN of additional IAM policy for CodeBuild."
default = null
}
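Review bot: The description `ARN of additional IAM policy for CodeBuild.` says neither what the `null` default does nor that the policy is attached unmodified to the switch CodeBuild role. Suggest `description = "Optional ARN of an extra IAM policy to attach to the switch CodeBuild role; null attaches nothing. The module does not restrict its scope."` (the attachment in main.tf has to honour the null case for that sentence to be true). A `validation` block requiring the value to be null or to start with `arn:aws:iam::` would turn a mistyped ARN into a plan-time error instead of a failed attachment.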

# switch EventBridge variables
variable "kill_resources_schedule" {
type = string