Create dynamodb table (#17)
* Create dynamodb table

* ddb table codacy ignores

* ddb table codacy ignores
jarrod-lowe authored Aug 11, 2024
1 parent 516adbc commit e076878
Showing 9 changed files with 267 additions and 181 deletions.
1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -32,3 +32,4 @@ override.tf.json
# Ignore CLI configuration files
.terraformrc
terraform.rc
.validate
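--- a/Makefile
+++ b/Makefile
@@ -0,0 +1,11 @@
+default: all
+
+TERRAFORM_ENVIRONMENTS := aws github wildsea
+TERRAFOM_VALIDATE := $(addsuffix /.validate,$(addprefix terraform/environment/, $(TERRAFORM_ENVIRONMENTS)))
+
+all: $(TERRAFOM_VALIDATE)
+
+terraform/environment/%/.validate: terraform/environment/%/*.tf
+cd terraform/environment/$* ; terraform fmt
+cd terraform/environment/$* ; terraform validate
+touch $@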
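Review bot: The two recipe lines chain `cd` and `terraform` with `;`, so if the `cd` fails (a misspelled entry in TERRAFORM_ENVIRONMENTS, say) both tools run against the repository root, the rule still succeeds and `touch $@` marks the environment as validated; use `cd terraform/environment/$* && terraform fmt` and `cd terraform/environment/$* && terraform validate`. `default` and `all` are command names rather than files and should be declared with `.PHONY: default all`, and `TERRAFOM_VALIDATE` looks like a typo for `TERRAFORM_VALIDATE`. Nothing in the hunk runs `terraform init`, so `terraform validate` presumably relies on each environment directory already being initialised; a one-line comment above the pattern rule stating that precondition would help the next reader. Note also that `terraform fmt` rewrites the `*.tf` prerequisites in place, so this rule has a side effect beyond its own target.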
19 changes: 10 additions & 9 deletions terraform/environment/aws/main.tf
@@ -1,12 +1,13 @@
data "aws_partition" "current" {}
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

variable "app_name" {
default = "Wildsea"
default = "Wildsea"
}

variable "action_prefix" {
default = "GitHubAction"
default = "GitHubAction"
}

variable "workspace" {
Expand All @@ -32,15 +33,15 @@ variable "environment" {
}

terraform {
backend "s3" {
// region, bucket and key come from -backend-config
}
backend "s3" {
// region, bucket and key come from -backend-config
}
}

provider "aws" {
default_tags {
tags = {
Application = "Wildsea-setup-${var.environment}"
}
default_tags {
tags = {
Application = "Wildsea-setup-${var.environment}"
}
}
}
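--- a/terraform/environment/aws/policy.tf
+++ b/terraform/environment/aws/policy.tf
@@ -0,0 +1,96 @@
+data "aws_iam_policy_document" "ro" {
+statement {
+sid = "ReadState"
+actions = [
+"s3:GetObject"
+]
+resources = [
+"${aws_s3_bucket.state.arn}/${var.environment}/terraform.tfstate"
+]
+}
+
+statement {
+sid = "ListState"
+actions = [
+"s3:ListBucket"
+]
+resources = [
+aws_s3_bucket.state.arn
+]
+}
+
+statement {
+sid = "Dynamodb"
+actions = [
+"dynamodb:DescribeTable*"
+]
+resources = [
+"arn:${data.aws_partition.current.id}:dynamodb:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:table/${var.app_name}-${var.environment}"
+]
+}
+}
+
+data "aws_iam_policy_document" "rw" {
+statement {
+sid = "WriteState"
+actions = [
+"s3:PutObject"
+]
+resources = [
+"${aws_s3_bucket.state.arn}/${var.environment}/terraform.tfstate"
+]
+}
+
+statement {
+sid = "Dynamodb"
+actions = [
+"dynamodb:CreateTable",
+"dynamodb:DeleteTable",
+]
+resources = [
+"arn:${data.aws_partition.current.id}:dynamodb:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:table/${var.app_name}-${var.environment}"
+]
+}
+}
+
+data "aws_iam_policy_document" "rw_boundary" {
+statement {
+sid = "s3"
+actions = [
+"s3:GetObject",
+"s3:PutObject"
+]
+resources = [
+"${aws_s3_bucket.state.arn}/${var.environment}/terraform.tfstate",
+"arn:${data.aws_partition.current.id}:s3:::${var.app_name}-${var.environment}-*/*"
+]
+}
+
+statement {
+sid = "ListState"
+actions = [
+"s3:ListBucket"
+]
+resources = [
+"arn:${data.aws_partition.current.id}:s3:::${var.app_name}-${var.environment}-*/*"
+]
+}
+
+statement {
+sid = "Dynamodb"
+actions = [
+"dynamodb:DescribeTable",
+"dynamodb:CreateTable",
+"dynamodb:DeleteTable",
+"dynamodb:BatchGet*",
+"dynamodb:GetItem",
+"dynamodb:Query",
+"dynamodb:DeleteItem",
+"dynamodb:UpdateItem*",
+"dynamodb:PutItem*",
+]
+resources = [
+"arn:${data.aws_partition.current.id}:dynamodb:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:table/${var.app_name}-${var.environment}"
+]
+}
+}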
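Review bot: In the `rw_boundary` document the `ListState` statement grants `s3:ListBucket` on `arn:...:s3:::${var.app_name}-${var.environment}-*/*`, which is an object-key pattern; `s3:ListBucket` is a bucket-level action that only matches a bucket ARN, and the boundary this replaces (the removed lines in roles.tf) used `aws_s3_bucket.state.arn`. Because the rw role's effective permissions are the intersection of its attached policies and this boundary, the `ListState` grant that the `ro` policy gives the rw role is silently nullified, and no other bucket is matched either. Change the resource to `aws_s3_bucket.state.arn`, adding `"arn:${data.aws_partition.current.id}:s3:::${var.app_name}-${var.environment}-*"` without the trailing `/*` if the application buckets are also meant to be listable. Separately, the `ro` document's `dynamodb:DescribeTable*` is a trailing wildcard where the boundary itself lists the exact `dynamodb:DescribeTable`; using the explicit action in `ro` keeps the two documents consistent and the read-only grant precise.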
200 changes: 71 additions & 129 deletions terraform/environment/aws/roles.tf
@@ -1,168 +1,110 @@
resource "aws_iam_openid_connect_provider" "oidc" {
url = "https://token.actions.githubusercontent.com"
client_id_list = [
"sts.${data.aws_partition.current.dns_suffix}"
]
thumbprint_list = [
"d89e3bd43d5d909b47a18977aa9d5ce36cee184c"
]
url = "https://token.actions.githubusercontent.com"
client_id_list = [
"sts.${data.aws_partition.current.dns_suffix}"
]
thumbprint_list = [
"d89e3bd43d5d909b47a18977aa9d5ce36cee184c"
]
}

resource "aws_iam_role" "ro" {
name = "${var.action_prefix}-${var.app_name}-ro-${var.environment}"
assume_role_policy = data.aws_iam_policy_document.ro_assume.json
name = "${var.action_prefix}-${var.app_name}-ro-${var.environment}"
assume_role_policy = data.aws_iam_policy_document.ro_assume.json

tags = {
Name = "${var.action_prefix}-${var.app_name}-ro-${var.environment}"
}
tags = {
Name = "${var.action_prefix}-${var.app_name}-ro-${var.environment}"
}
}

data "aws_iam_policy_document" "ro_assume" {
statement {
actions = ["sts:AssumeRoleWithWebIdentity"]
principals {
type = "Federated"
identifiers = [ aws_iam_openid_connect_provider.oidc.arn ]
}
condition {
test = "StringEquals"
variable = "token.actions.githubusercontent.com:aud"
values = ["sts.${data.aws_partition.current.dns_suffix}"]
}
condition {
test = "StringEquals"
variable = "token.actions.githubusercontent.com:sub"
values = ["repo:${var.workspace}/${var.repo}:environment:${var.environment}-ro"]
}
statement {
actions = ["sts:AssumeRoleWithWebIdentity"]
principals {
type = "Federated"
identifiers = [aws_iam_openid_connect_provider.oidc.arn]
}
condition {
test = "StringEquals"
variable = "token.actions.githubusercontent.com:aud"
values = ["sts.${data.aws_partition.current.dns_suffix}"]
}
condition {
test = "StringEquals"
variable = "token.actions.githubusercontent.com:sub"
values = ["repo:${var.workspace}/${var.repo}:environment:${var.environment}-ro"]
}
}
}

resource "aws_iam_policy" "ro" {
name = aws_iam_role.ro.name
policy = data.aws_iam_policy_document.ro.json
name = aws_iam_role.ro.name
policy = data.aws_iam_policy_document.ro.json

tags = {
Name = aws_iam_role.ro.name
}
tags = {
Name = aws_iam_role.ro.name
}
}

resource "aws_iam_role_policy_attachment" "ro-ro" {
role = aws_iam_role.ro.name
policy_arn = aws_iam_policy.ro.arn
}

data "aws_iam_policy_document" "ro" {
statement {
sid = "ReadState"
actions = [
"s3:GetObject"
]
resources = [
"${aws_s3_bucket.state.arn}/${var.environment}/terraform.tfstate"
]
}

statement {
sid = "ListState"
actions = [
"s3:ListBucket"
]
resources = [
aws_s3_bucket.state.arn
]
}
role = aws_iam_role.ro.name
policy_arn = aws_iam_policy.ro.arn
}

resource "aws_iam_role" "rw" {
name = "${var.action_prefix}-${var.app_name}-rw-${var.environment}"
assume_role_policy = data.aws_iam_policy_document.rw_assume.json
permissions_boundary = aws_iam_policy.rw_boundary.arn
name = "${var.action_prefix}-${var.app_name}-rw-${var.environment}"
assume_role_policy = data.aws_iam_policy_document.rw_assume.json
permissions_boundary = aws_iam_policy.rw_boundary.arn

tags = {
Name = "${var.action_prefix}-${var.app_name}-rw-${var.environment}"
}
tags = {
Name = "${var.action_prefix}-${var.app_name}-rw-${var.environment}"
}
}

data "aws_iam_policy_document" "rw_assume" {
statement {
actions = ["sts:AssumeRoleWithWebIdentity"]
principals {
type = "Federated"
identifiers = [ aws_iam_openid_connect_provider.oidc.arn ]
}
condition {
test = "StringEquals"
variable = "token.actions.githubusercontent.com:aud"
values = ["sts.${data.aws_partition.current.dns_suffix}"]
}
condition {
test = "StringEquals"
variable = "token.actions.githubusercontent.com:sub"
values = ["repo:${var.workspace}/${var.repo}:environment:${var.environment}-rw"]
}
statement {
actions = ["sts:AssumeRoleWithWebIdentity"]
principals {
type = "Federated"
identifiers = [aws_iam_openid_connect_provider.oidc.arn]
}
condition {
test = "StringEquals"
variable = "token.actions.githubusercontent.com:aud"
values = ["sts.${data.aws_partition.current.dns_suffix}"]
}
condition {
test = "StringEquals"
variable = "token.actions.githubusercontent.com:sub"
values = ["repo:${var.workspace}/${var.repo}:environment:${var.environment}-rw"]
}
}
}

resource "aws_iam_policy" "rw" {
name = aws_iam_role.rw.name
policy = data.aws_iam_policy_document.rw.json
name = aws_iam_role.rw.name
policy = data.aws_iam_policy_document.rw.json

tags = {
Name = aws_iam_role.rw.name
}
tags = {
Name = aws_iam_role.rw.name
}
}

resource "aws_iam_role_policy_attachment" "rw-ro" {
role = aws_iam_role.rw.name
policy_arn = aws_iam_policy.ro.arn
role = aws_iam_role.rw.name
policy_arn = aws_iam_policy.ro.arn
}

resource "aws_iam_role_policy_attachment" "rw-rw" {
role = aws_iam_role.rw.name
policy_arn = aws_iam_policy.rw.arn
}

data "aws_iam_policy_document" "rw" {
statement {
sid = "WriteState"
actions = [
"s3:PutObject"
]
resources = [
"${aws_s3_bucket.state.arn}/${var.environment}/terraform.tfstate"
]
}
role = aws_iam_role.rw.name
policy_arn = aws_iam_policy.rw.arn
}

resource "aws_iam_policy" "rw_boundary" {
name = "${var.action_prefix}-${var.app_name}-rw-${var.environment}-boundary"
policy = data.aws_iam_policy_document.rw_boundary.json
name = "${var.action_prefix}-${var.app_name}-rw-${var.environment}-boundary"
policy = data.aws_iam_policy_document.rw_boundary.json

tags = {
Name = "${var.action_prefix}-${var.app_name}-rw-${var.environment}-boundary"
}
}

data "aws_iam_policy_document" "rw_boundary" {
statement {
sid = "s3"
actions = [
"s3:GetObject",
"s3:PutObject"
]
resources = [
"${aws_s3_bucket.state.arn}/${var.environment}/terraform.tfstate",
"arn:${data.aws_partition.current.id}:s3:::${var.app_name}-${var.environment}-*/*"
]
}

statement {
sid = "ListState"
actions = [
"s3:ListBucket"
]
resources = [
aws_s3_bucket.state.arn
]
}
tags = {
Name = "${var.action_prefix}-${var.app_name}-rw-${var.environment}-boundary"
}
}