delored/terra-test
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

added terrafrom configs

Browse Source
This commit is contained in:
Vladimir Rozhkovsky
2023-11-01 00:02:56 +02:00
parent a4f429eff9
commit f19e926b1a
21 changed files with 407 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
000000000000/iam/roles/data.tf Normal file
View File

@@ -0,0 +1,37 @@
data "template_file" "policy_a" {
template = file("../../templates/role_a_policy.tpl")
}
data "template_file" "asume_role_policy" {
template = file("../../templates/asume_role_policy.tpl")
vars = {
prod_account_id = var.prod_account_id
}
}
data "template_file" "asume_role" {
template = file("../../templates/assume_role.tpl")
}
data "terraform_remote_state" "group_2" {
backend = "s3"
config = {
bucket = "mytesting-tf-states"
profile = "terra"
region = "eu-west-1"
key = "000000000000/iam/users_and_groups/normal_users/terraform.tfstate"
}
}
data "terraform_remote_state" "group_1" {
backend = "s3"
config = {
bucket = "mytesting-tf-states"
profile = "terra"
region = "eu-west-1"
key = "000000000000/iam/users_and_groups/cli_users/terraform.tfstate"
}
}

72
000000000000/iam/roles/main.tf Normal file
View File

@@ -0,0 +1,72 @@
terraform {
backend "s3" {
profile = "terra"
bucket = "mytesting-tf-states"
key = "000000000000/iam/roles/terraform.tfstate"
region = "eu-west-1"
}
}
##########################
###"A" policy and role
##########################
resource "aws_iam_policy" "role_a_policy" {
name = "role_a_policy"
path = "/service-role/"
description = "role_a_policy"
policy = data.template_file.policy_a.rendered
}
resource "aws_iam_role" "role_a" {
name = "role_a"
assume_role_policy = data.template_file.asume_role.rendered
managed_policy_arns = [aws_iam_policy.role_a_policy.arn]
}
##########################
###"B" policy and role
##########################
resource "aws_iam_policy" "role_b_policy" {
name = "role_b_policy"
path = "/service-role/"
description = ""
policy = data.template_file.asume_role_policy.rendered
}
resource "aws_iam_role" "role_b" {
name = "role_b"
assume_role_policy = data.template_file.asume_role.rendered
managed_policy_arns = [aws_iam_policy.role_b_policy.arn]
}
#######################################
### Creating Ec2 instance role for "B"
#######################################
resource "aws_iam_instance_profile" "test_profile" {
name = "s3_profile"
role = aws_iam_role.role_b.name
}
####################################################
### Attach "A" role policy to group 1 just for test
####################################################
resource "aws_iam_group_policy_attachment" "group_1" {
group = data.terraform_remote_state.group_1.outputs.user_group_1_name
policy_arn = aws_iam_policy.role_a_policy.arn
depends_on = [aws_iam_policy.role_a_policy]
}
resource "aws_iam_group_policy_attachment" "group_2_role" {
group = data.terraform_remote_state.group_2.outputs.user_group_2_name
policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
depends_on = [aws_iam_policy.role_a_policy]
}

4
000000000000/iam/roles/provider.tf Normal file
View File

@@ -0,0 +1,4 @@
provider "aws" {
region = var.region
profile = "terra"
}

9
000000000000/iam/roles/variables.tf Normal file
View File

@@ -0,0 +1,9 @@
variable "region" {
type = string
default = "eu-west-1"
}
variable "prod_account_id" {
type = string
default = "184100688147"
}

50
000000000000/iam/users_and_groups/cli_users/main.tf Normal file
View File

@@ -0,0 +1,50 @@
terraform {
backend "s3" {
profile = "terra"
bucket = "mytesting-tf-states"
key = "000000000000/iam/users_and_groups/cli_users/terraform.tfstate"
region = "eu-west-1"
}
}
locals {
cli_users = {
"ci" = {
name = "ci"
email = "ci@home.co"
},
"engine" = {
name = "engine"
email = "ci@home.co"
}
}
}
#######################################
### creating group 1 and service users
#######################################
resource "aws_iam_group" "group_1" {
name = var.group_name
}
resource "aws_iam_user" "cli_users" {
for_each = local.cli_users
name = each.key
force_destroy = false
}
resource "aws_iam_access_key" "user_access_key" {
for_each = local.cli_users
user = each.key
depends_on = [aws_iam_user.cli_users]
}
resource "aws_iam_group_membership" "group_1" {
for_each = local.cli_users
name = aws_iam_group.group_1.name
users = [each.key]
group = aws_iam_group.group_1.name
}

13
000000000000/iam/users_and_groups/cli_users/outputs.tf Normal file
View File

@@ -0,0 +1,13 @@
output "user_access_keys" {
value = {
for k, v in local.cli_users : k => {
"key" = aws_iam_access_key.user_access_key[k].id
"secret" = aws_iam_access_key.user_access_key[k].secret
}
}
sensitive = true
}
output "user_group_1_name" {
value = aws_iam_group.group_1.name
}

4
000000000000/iam/users_and_groups/cli_users/provider.tf Normal file
View File

@@ -0,0 +1,4 @@
provider "aws" {
region = var.region
profile = "terra"
}

9
000000000000/iam/users_and_groups/cli_users/variables.tf Normal file
View File

@@ -0,0 +1,9 @@
variable "region" {
type = string
default = "eu-west-1"
}
variable "group_name" {
type = string
default = "group_1"
}

60
000000000000/iam/users_and_groups/normal_users/main.tf Normal file
View File

@@ -0,0 +1,60 @@
terraform {
backend "s3" {
profile = "terra"
bucket = "mytesting-tf-states"
key = "000000000000/iam/users_and_groups/normal_users/terraform.tfstate"
region = "eu-west-1"
}
}
locals {
normal_users = {
"Denys_Platon" = {
name = "denys_platon"
email = "denys_platon@work.co"
},
"ivan_petrenko" = {
name = "ivan_petrenko"
email = "ivan_petrenko@work.co"
}
}
}
#######################################
### creating group 2 and normal users
#######################################
resource "aws_iam_group" "group_2" {
name = "group_2"
}
resource "aws_iam_user" "normal_users" {
for_each = local.normal_users
name = each.key
force_destroy = false
}
resource "aws_iam_access_key" "user_access_key" {
for_each = local.normal_users
user = each.key
depends_on = [aws_iam_user.normal_users]
}
resource "aws_iam_user_login_profile" "normal_user" {
for_each = local.normal_users
user = each.key
# password_reset_required = true
depends_on = [aws_iam_user.normal_users]
}
resource "aws_iam_group_membership" "group_2" {
for_each = local.normal_users
name = aws_iam_group.group_2.name
users = [each.key]
group = aws_iam_group.group_2.name
depends_on = [aws_iam_user_login_profile.normal_user]
}

11
000000000000/iam/users_and_groups/normal_users/outputs.tf Normal file
View File

@@ -0,0 +1,11 @@
output "password" {
value = {
for k, v in local.normal_users : k => {
"password" = aws_iam_user_login_profile.normal_user[k].password
}
}
}
output "user_group_2_name" {
value = aws_iam_group.group_2.name
}

4
000000000000/iam/users_and_groups/normal_users/provider.tf Normal file
View File

@@ -0,0 +1,4 @@
provider "aws" {
region = var.region
profile = "terra"
}

7
000000000000/iam/users_and_groups/normal_users/variables.tf Normal file
View File

@@ -0,0 +1,7 @@
variable "region" {
default = "eu-west-1"
}
variable "group_name" {
default = "group_2"
}

13
000000000000/templates/assume_role.tpl Normal file
View File

@@ -0,0 +1,13 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}

12
000000000000/templates/asume_role_policy.tpl Normal file
View File

@@ -0,0 +1,12 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sts:AssumeRole"
],
"Resource": "arn:aws:iam::${prod_account_id}:role/role_c"
}
]
}

17
000000000000/templates/role_a_policy.tpl Normal file
View File

@@ -0,0 +1,17 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "*",
"Resource": "*",
"Effect": "Allow",
"Sid": ""
},
{
"Action": "iam:*",
"Resource": "*",
"Effect": "Deny",
"Sid": ""
}
]
}

10
111111111111/iam/roles/data.tf Normal file
View File

@@ -0,0 +1,10 @@
data "template_file" "s3_policy" {
template = file("../../templates/s3_bucker_access.tpl")
}
data "template_file" "asume_role" {
template = file("../../templates/assume_role.tpl")
vars = {
dev_account_id = var.dev_account_id
}
}

24
111111111111/iam/roles/main.tf Normal file
View File

@@ -0,0 +1,24 @@
terraform {
backend "s3" {
profile = "terra"
bucket = "mytesting-tf-states"
key = "111111111111/iam/roles/terraform.tfstate"
region = "eu-west-1"
}
}
resource "aws_iam_policy" "s3_bucker_access_policy" {
name = "s3_bucker_access_policy"
path = "/"
description = "s3_bucker_access_policy"
policy = data.template_file.s3_policy.rendered
}
resource "aws_iam_role" "role_c" {
name = "role_c"
assume_role_policy = data.template_file.asume_role.rendered
managed_policy_arns = [aws_iam_policy.s3_bucker_access_policy.arn]
}

4
111111111111/iam/roles/provider.tf Normal file
View File

@@ -0,0 +1,4 @@
provider "aws" {
region = var.region
profile = "monit"
}

7
111111111111/iam/roles/variables.tf Normal file
View File

@@ -0,0 +1,7 @@
variable "region" {
default = "eu-west-1"
}
variable "dev_account_id" {
default = "449091252457"
}

13
111111111111/templates/assume_role.tpl Normal file
View File

@@ -0,0 +1,13 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::${dev_account_id}:root"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}

27
111111111111/templates/s3_bucker_access.tpl Normal file
View File

@@ -0,0 +1,27 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::monit-aws-test-bucket"
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::monit-aws-test-bucket/*"
}
]
}