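Parameters:
  LockTableName:
    Description: Name of the DynamoDB table to store state locks.
    Type: String
    Default: TerraformStateLock
  GitlabRunnerAccountNumber:
    Description: >-
      The account number of the Gitlab Runner's account (the DevOps account).
      This is used to allow the Gitlab Runner to assume the TerraformRole.
    Type: String
    # The value is spliced into the trust-policy principal ARN of both roles;
    # reject anything that is not a 12-digit account id so a typo fails at
    # stack creation instead of producing a trust policy that points at the
    # wrong account.
    AllowedPattern: '^[0-9]{12}$'
    ConstraintDescription: Must be a 12-digit AWS account id.
  ExternalId:
    Description: 'Values of the ExternalId parameter used during sts:AssumeRole'
    Type: String
    # Confused-deputy check shared with the runner. NoEcho keeps it out of the
    # console and DescribeStacks output; STS rejects external ids shorter than
    # two characters, so an empty value would only leave the roles unassumable.
    NoEcho: true
    MinLength: 2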
# Quoted so a YAML 1.1 loader (PyYAML's default) keeps this a string instead of
# a date; CloudFormation reads it the same either way.
AWSTemplateFormatVersion: '2010-09-09'
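Resources:
  # Holds the Terraform state. State files routinely contain secrets returned
  # by providers, so the bucket is versioned, encrypted at rest and blocked
  # from any public ACL or bucket policy. DeletionPolicy: Retain keeps the
  # state if the stack is deleted by mistake; an orphaned bucket is cheap,
  # lost state is not.
  TerraformStateBucket:
    Type: 'AWS::S3::Bucket'
    DeletionPolicy: Retain
    Properties:
      AccessControl: Private
      VersioningConfiguration:
        Status: Enabled
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      Tags:
        - Key: Purpose
          Value: TerraformState
    Metadata:
      'AWS::CloudFormation::Designer':
        id: 92b2ead2-cb68-4345-a7b0-057955763d51

  # Lock table for the S3 backend. Terraform's backend expects the hash key to
  # be exactly "LockID" (string).
  TerraformLockTable:
    Type: 'AWS::DynamoDB::Table'
    Properties:
      AttributeDefinitions:
        - AttributeName: LockID
          AttributeType: S
      KeySchema:
        - AttributeName: LockID
          KeyType: HASH
      ProvisionedThroughput:
        ReadCapacityUnits: 5
        WriteCapacityUnits: 5
      TableName: !Ref LockTableName
    Metadata:
      'AWS::CloudFormation::Designer':
        id: 360f9fc9-e778-401f-a4cf-caefe46666bc

  # Role the Gitlab runner assumes (cross-account, guarded by ExternalId) to
  # run the Terraform plan/apply itself.
  TerraformRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: TerraformRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${GitlabRunnerAccountNumber}:role/GitlabRunnerRole'
            Action:
              - 'sts:AssumeRole'
            Condition:
              StringEquals:
                'sts:ExternalId': !Ref ExternalId
      Path: /
      Policies:
        - PolicyName: TerraformPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Every EC2 action on every resource in the account. This is the
              # blast radius of a compromised runner; scope Action/Resource
              # down to what the Terraform configuration actually manages.
              - Effect: Allow
                Action:
                  - 'ec2:*'
                Resource: '*'
    Metadata:
      'AWS::CloudFormation::Designer':
        id: a3f3650b-b757-4ce4-94a0-275e35bc36cf

  # Role the runner assumes for the state backend only: object read/write in
  # the state bucket, bucket listing, and lock-item access on the lock table.
  S3BackendRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: S3BackendRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${GitlabRunnerAccountNumber}:role/GitlabRunnerRole'
            Action:
              - 'sts:AssumeRole'
            Condition:
              StringEquals:
                'sts:ExternalId': !Ref ExternalId
      Path: /
      Policies:
        - PolicyName: S3BackendPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Objects under the bucket, not the bucket itself.
              - Effect: Allow
                Action:
                  - 's3:PutObject'
                  - 's3:GetObject'
                Resource: !Sub '${TerraformStateBucket.Arn}/*'
              # ListBucket is evaluated against the bucket ARN.
              - Effect: Allow
                Action:
                  - 's3:ListBucket'
                Resource: !GetAtt TerraformStateBucket.Arn
              # Lock table: DescribeTable is listed in Terraform's S3 backend
              # permission requirements alongside the item operations; it is
              # read-only metadata.
              - Effect: Allow
                Action:
                  - 'dynamodb:DescribeTable'
                  - 'dynamodb:GetItem'
                  - 'dynamodb:PutItem'
                  - 'dynamodb:DeleteItem'
                Resource: !GetAtt TerraformLockTable.Arn
    Metadata:
      'AWS::CloudFormation::Designer':
        id: e56c4ae0-bc61-4308-9314-e48bc1d2abf4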
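Outputs:
  StackName:
    Value: !Ref 'AWS::StackName'
  AwsRegion:
    Value: !Ref 'AWS::Region'
  AwsAccountId:
    Value: !Ref 'AWS::AccountId'
  # Backend configuration values for the Terraform `s3` backend: bucket,
  # region (above) and the lock table name. Ref on a DynamoDB table returns
  # its name.
  TerraformS3BucketName:
    Value: !Ref TerraformStateBucket
  TerraformLockTableName:
    Value: !Ref TerraformLockTable
  # Role ARNs the runner needs for its assume_role settings (backend and
  # provider respectively).
  S3BackendRoleArn:
    Value: !GetAtt S3BackendRole.Arn
  TerraformRoleArn:
    Value: !GetAtt TerraformRole.Arn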
# CloudFormation Designer canvas layout only: icon size/position per resource,
# keyed by the Designer id in each resource's Metadata. This has no effect on
# the provisioned resources. 'y' is quoted because bare y is a YAML 1.1
# boolean.
Metadata:
  'AWS::CloudFormation::Designer':
    360f9fc9-e778-401f-a4cf-caefe46666bc:
      size:
        width: 60
        height: 60
      position:
        x: 60
        'y': 90
      z: 1
      embeds: []
    92b2ead2-cb68-4345-a7b0-057955763d51:
      size:
        width: 60
        height: 60
      position:
        x: 180
        'y': 90
      z: 1
      embeds: []
    a3f3650b-b757-4ce4-94a0-275e35bc36cf:
      size:
        width: 60
        height: 60
      position:
        x: 60
        'y': 190
      z: 0
      embeds: []
    e56c4ae0-bc61-4308-9314-e48bc1d2abf4:
      size:
        width: 60
        height: 60
      position:
        x: 180
        'y': 190
      z: 0
      embeds: []