Merge pull request geckoboard#1 from geckoboard/add-terraform-modules

Add terraform modules
peidong-hu · Jan 9, 2019 · e4e8a28 · e4e8a28
2 parents c1a18e1 + b988282
commit e4e8a28
Show file tree

Hide file tree

Showing 6 changed files with 72 additions and 0 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -0,0 +1,9 @@
+version: 2
+jobs:
+  build:
+    docker:
+      - image: hashicorp/terraform
+    steps:
+      - checkout
+      - run: apk update && apk add colordiff --no-cache --force-refresh --repository http://dl-cdn.alpinelinux.org/alpine/edge/community/
+      - run: cd terraform && terraform fmt -diff=true -check=true | colordiff
diff --git a/terraform/aws-app-role/main.tf b/terraform/aws-app-role/main.tf
@@ -0,0 +1,20 @@
+resource "aws_iam_role" "slash-infra-access" {
+  name               = "${var.role_name}"
+  assume_role_policy = "${data.aws_iam_policy_document.allow-slash-infra-account-to-assume.json}"
+
+  tags = {
+    CreatedBy = "terraform"
+  }
+}
+
+data "aws_iam_policy_document" "allow-slash-infra-account-to-assume" {
+  statement {
+    id      = "1"
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "AWS"
+      identifiers = ["${var.trusted_aws_account_id}"]
+    }
+  }
+}
diff --git a/terraform/aws-app-role/outputs.tf b/terraform/aws-app-role/outputs.tf
@@ -0,0 +1,4 @@
+output "iam_role_arn" {
+  description = "The ARN of the IAM role that will be assumed by slash-infra's IAM user. Useful for attaching additional policies to the role that are specific to your org"
+  value       = "${aws_iam_role.slash-infra-access.arn}"
+}
diff --git a/terraform/aws-app-role/variables.tf b/terraform/aws-app-role/variables.tf
@@ -0,0 +1,8 @@
+variable "role_name" {
+  description = "The name of the role to create. This should match the name of the role your IAM user has permission to assume"
+  default     = "SlashInfraAccess"
+}
+
+variable "trusted_aws_account_id" {
+  description = "The ID of the account in which the AWS IAM user for slash-infra lives"
+}
diff --git a/terraform/aws-app-user/main.tf b/terraform/aws-app-user/main.tf
@@ -0,0 +1,22 @@
+resource "aws_iam_user" "app-user" {
+  name = "${var.username}"
+}
+
+resource "aws_iam_user_policy" "allow-assuming-slash-infra-roles" {
+  name = "allow-assuming-slash-infra-roles"
+  user = "${aws_iam_user.app-user.name}"
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+      {
+          "Sid": "AllowAssumingSlashInfraRoles",
+          "Effect": "Allow",
+          "Action": "sts:AssumeRole",
+          "Resource": "arn:aws:iam::*:role/${var.role_name}"
+      }
+  ]
+}
+EOF
+}
diff --git a/terraform/aws-app-user/variables.tf b/terraform/aws-app-user/variables.tf
@@ -0,0 +1,9 @@
+variable "username" {
+  description = "This will be the username given to the AWS IAM user"
+  default     = "slash-infra-app"
+}
+
+variable "role_name" {
+  description = "The name of the role your AWS accounts will use. By default this is the only role the user will be allowed to assume"
+  default     = "SlashInfraApp"
+}