From 671a18b0ab06915c57cbd9b05457ea6a7a6f2c32 Mon Sep 17 00:00:00 2001 From: Vedant Pareek Date: Mon, 28 Aug 2023 09:58:38 +0530 Subject: [PATCH 1/3] Added support for platform user, s3, ecr and ssm creation through terragrunt --- .github/workflows/lint_clean.yaml | 18 +++ .github/workflows/terraform-docs.yaml | 16 ++ .github/workflows/tflint.yaml | 40 +++++ LICENSE | 201 ++++++++++++++++++++++++++ README.md | 3 + buckets.tf | 75 ++++++++++ iam.tf | 132 +++++++++++++++++ locals.tf | 17 +++ output.tf | 31 ++++ variables.tf | 103 +++++++++++++ versions.tf | 10 ++ 11 files changed, 646 insertions(+) create mode 100644 .github/workflows/lint_clean.yaml create mode 100644 .github/workflows/terraform-docs.yaml create mode 100644 .github/workflows/tflint.yaml create mode 100644 LICENSE create mode 100644 buckets.tf create mode 100644 iam.tf create mode 100644 locals.tf create mode 100644 output.tf create mode 100644 variables.tf create mode 100644 versions.tf diff --git a/.github/workflows/lint_clean.yaml b/.github/workflows/lint_clean.yaml new file mode 100644 index 0000000..a15b694 --- /dev/null +++ b/.github/workflows/lint_clean.yaml @@ -0,0 +1,18 @@ +name: 'Lint and Clean' + +on: + pull_request: + + push: + branches: + - main + +jobs: + fmt: + name: Terraform FMT + runs-on: ubuntu-latest + container: + image: hashicorp/terraform:latest + steps: + - uses: actions/checkout@v2 + - run: terraform fmt --recursive --diff -check=true \ No newline at end of file diff --git a/.github/workflows/terraform-docs.yaml b/.github/workflows/terraform-docs.yaml new file mode 100644 index 0000000..7a48d79 --- /dev/null +++ b/.github/workflows/terraform-docs.yaml 
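Review bot: The fmt job runs in `hashicorp/terraform:latest` and checks out with `actions/checkout@v2`, both mutable references, so the toolchain behind the formatting gate can change underneath the repository (and `latest` will eventually be a Terraform major that no longer matches the module's `required_version`). Pin the container to an explicit tag, e.g. `image: hashicorp/terraform:1.5.5`, pin the action to a release commit SHA, and add a top-level `permissions: contents: read` so the job token is read-only. The flag spelling also mixes styles; `terraform fmt -recursive -diff -check` is the documented form.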
@@ -0,0 +1,16 @@ +name: Generate terraform docs +on: + - pull_request + +jobs: + docs: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + with: + ref: ${{ github.event.pull_request.head.ref }} + + - name: Render terraform docs and push changes back to PR + uses: terraform-docs/gh-actions@main + with: + git-push: "true" diff --git a/.github/workflows/tflint.yaml b/.github/workflows/tflint.yaml new file mode 100644 index 0000000..42620cf --- /dev/null +++ b/.github/workflows/tflint.yaml @@ -0,0 +1,40 @@ +name: Lint +on: + pull_request: + branches: + - main + +jobs: + tflint: + runs-on: ${{ matrix.os }} + + strategy: + matrix: + os: [ubuntu-latest, macos-latest, windows-latest] + + steps: + - uses: actions/checkout@v3 + name: Checkout source code + + - uses: actions/cache@v3 + name: Cache plugin dir + with: + path: ~/.tflint.d/plugins + key: ${{ matrix.os }}-tflint-${{ hashFiles('.tflint.hcl') }} + + - uses: terraform-linters/setup-tflint@v3 + name: Setup TFLint + with: + tflint_version: v0.47.0 + + - name: Show version + run: tflint --version + + - name: Init TFLint + run: tflint --init + env: + # https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting + GITHUB_TOKEN: ${{ github.token }} + + - name: Run TFLint + run: tflint --minimum-failure-severity=error -f compact \ No newline at end of file diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..261eeb9 --- /dev/null +++ b/LICENSE 
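Review bot: The docs job gives a third-party action tracked at a mutable branch, `terraform-docs/gh-actions@main`, push access to the PR branch through `git-push: "true"`, so a compromise of that upstream branch lands as a commit in this repository with no pinned version to audit. Pin it to the full commit SHA of a released version and declare `permissions: contents: write` on the job so the write scope is explicit rather than inherited from the repository default. Because the trigger is `pull_request`, the token is read-only for fork PRs and the push step will simply fail there; that is the safe outcome, but a comment should say so, since the obvious "fix" of switching to `pull_request_target` would run the PR's own tree with a write token. The checkout of `${{ github.event.pull_request.head.ref }}` likewise presumably only resolves for same-repository branches.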
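Review bot: `actions/checkout@v3`, `actions/cache@v3` and `terraform-linters/setup-tflint@v3` are floating major tags in a job that receives `github.token`; pin each to a commit SHA and add `permissions: contents: read` at the top of the workflow so the token cannot do more than the lint needs. Running the identical lint on three operating systems triples the cost for a Terraform module with no OS-specific code; `os: [ubuntu-latest]` is enough unless the matrix exists for a reason, in which case a comment should state it. The cache key hashes `.tflint.hcl`, but no such file is added in this series, so unless it already exists outside the diff `tflint --init` installs no AWS ruleset and the provider-specific checks never run.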
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/README.md b/README.md index c6dd006..15ed708 100644 --- a/README.md +++ b/README.md @@ -1,2 +1,5 @@ # terraform-aws-truefoundry-platform-features Truefoundry AWS platform features + + + \ No newline at end of file diff --git a/buckets.tf b/buckets.tf new file mode 100644 index 0000000..4514ccb --- /dev/null +++ b/buckets.tf 
@@ -0,0 +1,75 @@ +module "truefoundry_bucket" { + count = var.platform_feature_enabled ? var.feature_blob_storage_enabled ? 1 : 0 : 0 + source = "terraform-aws-modules/s3-bucket/aws" + version = "3.15.0" + + bucket = var.blob_storage_enable_override ? var.blob_storage_override_name : null + bucket_prefix = var.blob_storage_enable_override ? null : trimsuffix(substr(local.truefoundry_unique_name, 0, 37), "-") + + force_destroy = var.blob_storage_force_destroy + + tags = merge( + { + Name = var.blob_storage_enable_override ? var.blob_storage_override_name : trimsuffix(substr(local.truefoundry_unique_name, 0, 37), "-") + }, + local.tags + ) + + + # Bucket policies + attach_policy = true + attach_deny_insecure_transport_policy = true + attach_require_latest_tls_policy = true + + # S3 bucket-level Public Access Block configuration + block_public_acls = true + block_public_policy = true + ignore_public_acls = true + restrict_public_buckets = true + + versioning = { + status = true + mfa_delete = false + } + + server_side_encryption_configuration = { + rule = { + apply_server_side_encryption_by_default = { + kms_master_key_id = var.blob_storage_encryption_key_arn + sse_algorithm = var.blob_storage_encryption_algorithm + } + } + } + + intelligent_tiering = { + general = { + status = "Enabled" + tiering = { + ARCHIVE_ACCESS = { + days = 90 + } + } + } + } + + lifecycle_rule = [ + { + id = "abort-multipart-uploads-tfy-rule" + status = "Enabled" + prefix = "" + enabled = true + + abort_incomplete_multipart_upload_days = 7 + } + ] + + cors_rule = [ + { + allowed_methods = ["GET", "POST", "PUT"] + allowed_origins = var.blob_storage_cors_origins + allowed_headers = ["*"] + expose_headers = ["ETag"] + max_age_seconds = 3000 + } + ] +} \ No newline at end of file diff --git a/iam.tf b/iam.tf new file mode 100644 index 0000000..4b13772 --- /dev/null +++ b/iam.tf 
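Review bot: The CORS rule always allows `PUT`/`POST` with `allowed_headers = ["*"]` for `var.blob_storage_cors_origins`, whose default is `["*"]`, so by default any web origin can drive browser uploads against presigned URLs for this bucket; for a private bucket the origins should be the platform's own UI hosts, and the rule should be omitted when none are configured, e.g. `cors_rule = length(var.blob_storage_cors_origins) > 0 ? [{ ... }] : []`. Versioning with `mfa_delete = false` next to `force_destroy` means a `terraform destroy` silently removes every object version; that may be intended for disposable clusters, but a comment beside `force_destroy` should say so. The `kms_master_key_id` is passed even when the algorithm is `AES256`, where it is ignored; a comment noting it only takes effect with `aws:kms` would save the next reader a check against the module docs.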
@@ -0,0 +1,132 @@ +data "aws_iam_policy_document" "truefoundry_platform_feature_user_s3_policy_document" { + count = var.platform_feature_enabled ? var.feature_blob_storage_enabled ? 1 : 0 : 0 + statement { + effect = "Allow" + actions = [ + "s3:*", + ] + + resources = [ + "arn:aws:s3:::${module.truefoundry_bucket[0].s3_bucket_arn}", + "arn:aws:s3:::${module.truefoundry_bucket[0].s3_bucket_arn}/*" + ] + } +} + +data "aws_iam_policy_document" "truefoundry_platform_feature_user_ssm_policy_document" { + count = var.platform_feature_enabled ? var.feature_secrets_enabled ? 1 : 0 : 0 + statement { + effect = "Allow" + actions = [ + "ssm:GetParameter", + "ssm:GetParameters", + "ssm:PutParameter", + "ssm:DeleteParameter", + "ssm:DeleteParameters", + "ssm:GetParameterHistory" + ] + resources = [ + "*" + ] + } +} + +data "aws_iam_policy_document" "truefoundry_platform_feature_user_ecr_policy_document" { + count = var.platform_feature_enabled ? var.feature_docker_registry_enabled ? 1 : 0 : 0 + statement { + effect = "Allow" + actions = [ + "ecr:GetRegistryPolicy", + "ecr:DescribeImageScanFindings", + "ecr:GetLifecyclePolicyPreview", + "ecr:CreateRepository", + "ecr:GetDownloadUrlForLayer", + "ecr:DescribeRegistry", + "ecr:DescribeImageReplicationStatus", + "ecr:GetAuthorizationToken", + "ecr:ListTagsForResource", + "ecr:BatchGetRepositoryScanningConfiguration", + "ecr:GetRegistryScanningConfiguration", + "ecr:PutImage", + "ecr:BatchGetImage", + "ecr:DescribeRepositories", + "ecr:BatchCheckLayerAvailability", + "ecr:GetRepositoryPolicy", + "ecr:GetLifecyclePolicy", + "ecr:ListImages", + "ecr:InitiateLayerUpload", + "ecr:CompleteLayerUpload", + "ecr:DescribeImages", + "ecr:DeleteRepository", + "ecr:UploadLayerPart", + "sts:GetServiceBearerToken" + ] + + resources = [ + "*" + ] + } +} + +resource "aws_iam_policy" "truefoundry_platform_feature_user_s3_policy" { + count = var.platform_feature_enabled ? var.feature_blob_storage_enabled ? 
1 : 0 : 0 + name_prefix = "${local.truefoundry_unique_name}-s3-access" + description = "IAM policy for TrueFoundry user for platform features blob storage" + policy = data.aws_iam_policy_document.truefoundry_platform_feature_user_s3_policy_document[0].json + tags = local.tags +} + +resource "aws_iam_policy" "truefoundry_platform_feature_user_ssm_policy" { + count = var.platform_feature_enabled ? var.feature_secrets_enabled ? 1 : 0 : 0 + name_prefix = "${local.truefoundry_unique_name}-ssm-access" + description = "IAM policy for TrueFoundry user for platform features Secrets manager" + policy = data.aws_iam_policy_document.truefoundry_platform_feature_user_ssm_policy_document[0].json + tags = local.tags +} + +resource "aws_iam_policy" "truefoundry_platform_feature_user_ecr_policy" { + count = var.platform_feature_enabled ? var.feature_docker_registry_enabled ? 1 : 0 : 0 + name_prefix = "${local.truefoundry_unique_name}-ecr-access" + description = "IAM policy for TrueFoundry user for platform features docker registry" + policy = data.aws_iam_policy_document.truefoundry_platform_feature_user_ecr_policy_document[0].json + tags = local.tags +} + + +################################################################################ +# IAM user +################################################################################ + +resource "aws_iam_user" "truefoundry_platform_user" { + count = var.platform_feature_enabled ? 1 : 0 + + name = "${local.truefoundry_unique_name}-user" + path = "/truefoundry/" + force_destroy = var.platform_user_force_destroy + tags = local.tags +} + + +resource "aws_iam_access_key" "truefoundry_platform_user_keys" { + count = var.platform_feature_enabled ? 1 : 0 + + user = aws_iam_user.truefoundry_platform_user[0].name +} + +resource "aws_iam_user_policy_attachment" "truefoundry_platform_user_s3_policy_attachment" { + count = var.platform_feature_enabled ? var.feature_blob_storage_enabled ? 
1 : 0 : 0 + user = aws_iam_user.truefoundry_platform_user[0].name + policy_arn = aws_iam_policy.truefoundry_platform_feature_user_s3_policy[0].arn +} + +resource "aws_iam_user_policy_attachment" "truefoundry_platform_user_ssm_policy_attachment" { + count = var.platform_feature_enabled ? var.feature_secrets_enabled ? 1 : 0 : 0 + user = aws_iam_user.truefoundry_platform_user[0].name + policy_arn = aws_iam_policy.truefoundry_platform_feature_user_ssm_policy[0].arn +} + +resource "aws_iam_user_policy_attachment" "truefoundry_platform_user_ecr_policy_attachment" { + count = var.platform_feature_enabled ? var.feature_docker_registry_enabled ? 1 : 0 : 0 + user = aws_iam_user.truefoundry_platform_user[0].name + policy_arn = aws_iam_policy.truefoundry_platform_feature_user_ecr_policy[0].arn +} \ No newline at end of file diff --git a/locals.tf b/locals.tf new file mode 100644 index 0000000..49a6b1b --- /dev/null +++ b/locals.tf @@ -0,0 +1,17 @@ +locals { + tags = merge( + { + "terraform-module" = "platform-features" + "terraform" = "true" + "cluster-name" = var.cluster_name + }, + var.tags + ) + truefoundry_unique_name = var.blob_storage_enable_override ? var.blob_storage_override_name : var.cluster_name + policy_arns = [ + var.feature_blob_storage_enabled ? aws_iam_policy.truefoundry_platform_feature_user_s3_policy[0].arn : null, + var.feature_secrets_enabled ? aws_iam_policy.truefoundry_platform_feature_user_ssm_policy[0].arn : null, + var.feature_docker_registry_enabled ? aws_iam_policy.truefoundry_platform_feature_user_ecr_policy[0].arn : null, + ] + truefoundry_platform_user_policy_arns = [for arn in local.policy_arns : tostring(arn) if arn != null] +} \ No newline at end of file diff --git a/output.tf b/output.tf new file mode 100644 index 0000000..c468feb --- /dev/null +++ b/output.tf 
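Review bot: The SSM and ECR policy documents grant write and delete actions (`ssm:PutParameter`, `ssm:DeleteParameters`, `ecr:CreateRepository`, `ecr:DeleteRepository`, `ecr:PutImage`) on `resources = ["*"]`, so the platform user — authenticated with a long-lived access key — can alter every parameter and repository in the account, and the S3 document's `s3:*` includes `s3:PutBucketPolicy` and `s3:PutBucketPublicAccessBlock`, which lets the same user undo the hardening applied in buckets.tf. Scope SSM to a path such as `arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/${local.truefoundry_unique_name}/*` (both data sources declared once in the module), restrict S3 to object actions plus `s3:ListBucket` and `s3:GetBucketLocation`, and split ECR so that only the registry-level calls that genuinely require `*` keep it, as sketched below. `ecr:GetAuthorizationToken`, `ecr:DescribeRegistry` and the `ecr:GetRegistry*` reads are the ones that cannot take a repository ARN; everything else in the list accepts one.
```hcl
data "aws_iam_policy_document" "truefoundry_platform_feature_user_ecr_policy_document" {
  count = var.platform_feature_enabled ? var.feature_docker_registry_enabled ? 1 : 0 : 0

  # Registry-level calls that only accept "*" as the resource.
  statement {
    effect = "Allow"
    actions = [
      "ecr:GetAuthorizationToken",
      "ecr:DescribeRegistry",
      "ecr:GetRegistryPolicy",
      "ecr:GetRegistryScanningConfiguration",
      "sts:GetServiceBearerToken",
    ]
    resources = ["*"]
  }

  # Repository-level calls, limited to repositories under this cluster's prefix.
  statement {
    effect = "Allow"
    actions = [
      "ecr:CreateRepository",
      "ecr:DeleteRepository",
      "ecr:PutImage",
      # … unchanged: the remaining repository-scoped ecr:* actions from the original list …
    ]
    resources = [
      "arn:aws:ecr:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:repository/${local.truefoundry_unique_name}*",
    ]
  }
}
```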
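Review bot: `policy_arns` indexes `aws_iam_policy.*[0]` guarded only by the `feature_*_enabled` flags, so with `platform_feature_enabled = false` and the other defaults unchanged every policy has `count = 0` and the plan fails on an invalid index. Guard each entry on both flags: `var.platform_feature_enabled && var.feature_blob_storage_enabled ? aws_iam_policy.truefoundry_platform_feature_user_s3_policy[0].arn : null`, and likewise for the ssm and ecr entries. `truefoundry_unique_name` also takes the bucket override name when `blob_storage_enable_override` is set, so the IAM user and policies are then named after the bucket; a comment stating that coupling is intentional, or a separate prefix for the IAM objects, would avoid surprises.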
@@ -0,0 +1,31 @@ +# From https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/outputs.tf + +################################################################################ +# User creds +################################################################################ + +output "platform_user_name" { + description = "The user's name" + value = var.platform_feature_enabled ? aws_iam_user.truefoundry_platform_user[0].name : "" +} + +output "platform_user_arn" { + description = "The user IAM resource arn" + value = var.platform_feature_enabled ? aws_iam_user.truefoundry_platform_user[0].arn : "" +} + +output "platform_user_access_key" { + description = "The user access key ID" + value = var.platform_feature_enabled ? aws_iam_access_key.truefoundry_platform_user_keys[0].id : "" +} + +output "platform_user_secret_key" { + description = "The user secret key" + value = var.platform_feature_enabled ? aws_iam_access_key.truefoundry_platform_user_keys[0].secret : "" + sensitive = true +} + +output "policy_arns" { + description = "The list of ARNs of policies directly assigned to the IAM user" + value = local.truefoundry_platform_user_policy_arns +} \ No newline at end of file diff --git a/variables.tf b/variables.tf new file mode 100644 index 0000000..b2b7122 --- /dev/null +++ b/variables.tf 
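Review bot: `platform_user_secret_key` is marked `sensitive`, but `sensitive` only redacts CLI output; `aws_iam_access_key` still writes the secret in clear text into the Terraform state, so anyone who can read the state backend holds a long-lived AWS credential. Either set `pgp_key` on the access-key resource and export `encrypted_secret` instead of `secret`, or put a comment next to the output stating the requirement: `# NOTE: the secret is stored in plaintext in state; the backend must be encrypted and access-restricted`. The header comment credits the EKS module's outputs.tf, but none of these outputs exist there; dropping or rewording that line avoids sending readers to the wrong file.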
@@ -0,0 +1,103 @@ +# From https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/variables.tf + +################################################################################ +# Global +################################################################################ +variable "platform_feature_enabled" { + description = "Enable platform features like docker registry, secrets manager and blob storage" + type = bool + default = true +} + +################################################################################ +# Cluster +################################################################################ + +variable "cluster_name" { + description = "Name of the EKS cluster" + type = string +} + +################################################################################ +# IAM user +################################################################################ + +variable "platform_user_force_destroy" { + description = "Enable force destroy of the user" + type = bool + default = true +} + +################################################################################ +# Buckets +################################################################################ + +variable "feature_blob_storage_enabled" { + description = "Enable blob storage feature in the platform" + type = bool + default = true +} + +variable "blob_storage_enable_override" { + description = "Enable overriding name of s3 bucket. This will only be used if feature_blob_storage_enabled is enabled. You need to pass s3_override_name to pass the bucket name" + type = bool + default = false +} + +variable "blob_storage_override_name" { + description = "S3 bucket name. Only used if s3_enable_override is enabled" + type = string + default = "" +} + +variable "blob_storage_encryption_algorithm" { + description = "Algorithm used for encrypting the default bucket." 
+ type = string + default = "AES256" +} + +variable "blob_storage_force_destroy" { + description = "Force destroy for mlfoundry s3 bucket" + default = false + type = bool +} + +variable "blob_storage_encryption_key_arn" { + description = "ARN of the key used to encrypt the bucket. Only needed if you set aws:kms as encryption algorithm." + type = string + default = null +} + +variable "blob_storage_cors_origins" { + description = "List of CORS origins for Mlfoundry bucket" + type = list(string) + default = ["*"] +} +################################################################################ +# SSM +################################################################################ +variable "feature_secrets_enabled" { + description = "Enable secrets manager feature in the platform" + type = bool + default = true +} + + +################################################################################ +# ECR +################################################################################ +variable "feature_docker_registry_enabled" { + description = "Enable docker registry feature in the platform" + type = bool + default = true +} + +################################################################################## +## Other variables +################################################################################## + +variable "tags" { + description = "A map of tags to add to all resources" + type = map(string) + default = {} +} \ No newline at end of file diff --git a/versions.tf b/versions.tf new file mode 100644 index 0000000..9c8cce3 --- /dev/null +++ b/versions.tf @@ -0,0 +1,10 @@ +terraform { + required_version = ">= 1.4" + + required_providers { + aws = { + source = "hashicorp/aws" + version = "5.14.0" + } + } +} \ No newline at end of file From 143a8378e46f80924149d9623a1d4d02158f197f Mon Sep 17 00:00:00 2001 
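Review bot: `blob_storage_cors_origins` defaults to `["*"]`, which together with the PUT/POST CORS rule in buckets.tf permits browser uploads from any origin out of the box; default it to `[]` (skipping the rule when empty) so wildcard CORS is an explicit opt-in. The descriptions of `blob_storage_enable_override` and `blob_storage_override_name` refer to `s3_override_name` and `s3_enable_override`, which do not exist — they should read `blob_storage_override_name` and `blob_storage_enable_override`. `blob_storage_encryption_algorithm` accepts any string; a `validation` block with `condition = contains(["AES256", "aws:kms"], var.blob_storage_encryption_algorithm)` catches typos at plan time. `platform_user_force_destroy` defaulting to `true` deletes the user together with its active access keys without warning; that is acceptable for disposable clusters, but the description should say so.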
From: Vedant Pareek Date: Mon, 28 Aug 2023 14:23:50 +0530 Subject: [PATCH 2/3] Modified outputs, variables and bucket policy --- iam.tf | 4 ++-- locals.tf | 2 +- output.tf | 23 ++++++++++++++++++++++- variables.tf | 13 ++++++++++++- 4 files changed, 37 insertions(+), 5 deletions(-) diff --git a/iam.tf b/iam.tf index 4b13772..22f4802 100644 --- a/iam.tf +++ b/iam.tf @@ -7,8 +7,8 @@ data "aws_iam_policy_document" "truefoundry_platform_feature_user_s3_policy_docu ] resources = [ - "arn:aws:s3:::${module.truefoundry_bucket[0].s3_bucket_arn}", - "arn:aws:s3:::${module.truefoundry_bucket[0].s3_bucket_arn}/*" + module.truefoundry_bucket[0].s3_bucket_arn, + "${module.truefoundry_bucket[0].s3_bucket_arn}/*" ] } } diff --git a/locals.tf b/locals.tf index 49a6b1b..a5a4ee0 100644 --- a/locals.tf +++ b/locals.tf @@ -7,7 +7,7 @@ locals { }, var.tags ) - truefoundry_unique_name = var.blob_storage_enable_override ? var.blob_storage_override_name : var.cluster_name + truefoundry_unique_name = var.blob_storage_enable_override ? var.blob_storage_override_name : "${var.cluster_name}-platform" policy_arns = [ var.feature_blob_storage_enabled ? aws_iam_policy.truefoundry_platform_feature_user_s3_policy[0].arn : null, var.feature_secrets_enabled ? aws_iam_policy.truefoundry_platform_feature_user_ssm_policy[0].arn : null, diff --git a/output.tf b/output.tf index c468feb..c0f1d03 100644 --- a/output.tf +++ b/output.tf @@ -1,7 +1,7 @@ # From https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/outputs.tf ################################################################################ -# User creds +# User details ################################################################################ output "platform_user_name" { 
@@ -28,4 +28,25 @@ output "platform_user_secret_key" { output "policy_arns" { description = "The list of ARNs of policies directly assigned to the IAM user" value = local.truefoundry_platform_user_policy_arns +} + +################################################################################ +# Bucket details +################################################################################ +output "platform_user_bucket_name" { + description = "The bucket's ID/name" + value = var.feature_blob_storage_enabled ? module.truefoundry_bucket[0].s3_bucket_id : "" +} + +output "platform_user_bucket_arn" { + description = "The bucket's arn" + value = var.feature_blob_storage_enabled ? module.truefoundry_bucket[0].s3_bucket_arn : "" +} + +################################################################################ +# ECR details +################################################################################ +output "platform_user_ecr_url" { + description = "The ECR url to connect" + value = var.feature_docker_registry_enabled ? "${var.aws_account_id}.dkr.ecr.${var.aws_region}.amazonaws.com" : "" } \ No newline at end of file diff --git a/variables.tf b/variables.tf index b2b7122..8d8ba0b 100644 --- a/variables.tf +++ b/variables.tf @@ -3,6 +3,17 @@ ################################################################################ # Global ################################################################################ + +variable "aws_account_id" { + description = "AWS account id" + type = string +} + +variable "aws_region" { + description = "AWS region" + type = string +} + variable "platform_feature_enabled" { description = "Enable platform features like docker registry, secrets manager and blob storage" type = bool @@ -58,7 +69,7 @@ variable "blob_storage_encryption_algorithm" { variable "blob_storage_force_destroy" { description = "Force destroy for mlfoundry s3 bucket" - default = false + default = true type = bool } 
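Review bot: `platform_user_ecr_url` builds the registry host from the caller-supplied `var.aws_account_id` and `var.aws_region`, which nothing checks against the account and region the provider actually targets, so a typo yields a plausible-looking URL for a different account's registry. Derive it from `data.aws_caller_identity.current.account_id` and `data.aws_region.current.name` instead, which would also remove the two new required inputs. The bucket outputs index `module.truefoundry_bucket[0]` guarded only by `feature_blob_storage_enabled`; when `platform_feature_enabled` is false the module has `count = 0` and the output errors, so the condition should be `var.platform_feature_enabled && var.feature_blob_storage_enabled ? module.truefoundry_bucket[0].s3_bucket_id : ""`.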
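Review bot: Flipping the default of `blob_storage_force_destroy` to `true` makes `terraform destroy`, or any change that forces bucket replacement, delete every object and every retained version in the blob store without a prompt, which is unrecoverable data loss on a production cluster. Keep the default at `false` and let development environments opt in, or at minimum spell out the consequence in the description: `Force destroy the blob storage bucket; deletes all objects and versions on destroy. Keep false for production.`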
From dceef5019cd096ce43dabeb1893bc29cba319c40 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Mon, 28 Aug 2023 08:54:49 +0000 Subject: [PATCH 3/3] terraform-docs: automated action --- README.md | 67 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 67 insertions(+) diff --git a/README.md b/README.md index 15ed708..fe64ae4 100644 --- a/README.md +++ b/README.md 
@@ -2,4 +2,71 @@ Truefoundry AWS platform features
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.4 |
+| [aws](#requirement\_aws) | 5.14.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | 5.14.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [truefoundry\_bucket](#module\_truefoundry\_bucket) | terraform-aws-modules/s3-bucket/aws | 3.15.0 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_access_key.truefoundry_platform_user_keys](https://registry.terraform.io/providers/hashicorp/aws/5.14.0/docs/resources/iam_access_key) | resource |
+| [aws_iam_policy.truefoundry_platform_feature_user_ecr_policy](https://registry.terraform.io/providers/hashicorp/aws/5.14.0/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.truefoundry_platform_feature_user_s3_policy](https://registry.terraform.io/providers/hashicorp/aws/5.14.0/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.truefoundry_platform_feature_user_ssm_policy](https://registry.terraform.io/providers/hashicorp/aws/5.14.0/docs/resources/iam_policy) | resource |
+| [aws_iam_user.truefoundry_platform_user](https://registry.terraform.io/providers/hashicorp/aws/5.14.0/docs/resources/iam_user) | resource |
+| [aws_iam_user_policy_attachment.truefoundry_platform_user_ecr_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/5.14.0/docs/resources/iam_user_policy_attachment) | resource |
+| [aws_iam_user_policy_attachment.truefoundry_platform_user_s3_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/5.14.0/docs/resources/iam_user_policy_attachment) | resource |
+| [aws_iam_user_policy_attachment.truefoundry_platform_user_ssm_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/5.14.0/docs/resources/iam_user_policy_attachment) | resource |
+| 
[aws_iam_policy_document.truefoundry_platform_feature_user_ecr_policy_document](https://registry.terraform.io/providers/hashicorp/aws/5.14.0/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.truefoundry_platform_feature_user_s3_policy_document](https://registry.terraform.io/providers/hashicorp/aws/5.14.0/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.truefoundry_platform_feature_user_ssm_policy_document](https://registry.terraform.io/providers/hashicorp/aws/5.14.0/docs/data-sources/iam_policy_document) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [aws\_account\_id](#input\_aws\_account\_id) | AWS account id | `string` | n/a | yes |
+| [aws\_region](#input\_aws\_region) | AWS region | `string` | n/a | yes |
+| [blob\_storage\_cors\_origins](#input\_blob\_storage\_cors\_origins) | List of CORS origins for Mlfoundry bucket | `list(string)` |
[
"*"
]
| no |
+| [blob\_storage\_enable\_override](#input\_blob\_storage\_enable\_override) | Enable overriding name of s3 bucket. This will only be used if feature\_blob\_storage\_enabled is enabled. You need to pass s3\_override\_name to pass the bucket name | `bool` | `false` | no |
+| [blob\_storage\_encryption\_algorithm](#input\_blob\_storage\_encryption\_algorithm) | Algorithm used for encrypting the default bucket. | `string` | `"AES256"` | no |
+| [blob\_storage\_encryption\_key\_arn](#input\_blob\_storage\_encryption\_key\_arn) | ARN of the key used to encrypt the bucket. Only needed if you set aws:kms as encryption algorithm. | `string` | `null` | no |
+| [blob\_storage\_force\_destroy](#input\_blob\_storage\_force\_destroy) | Force destroy for mlfoundry s3 bucket | `bool` | `true` | no |
+| [blob\_storage\_override\_name](#input\_blob\_storage\_override\_name) | S3 bucket name. Only used if s3\_enable\_override is enabled | `string` | `""` | no |
+| [cluster\_name](#input\_cluster\_name) | Name of the EKS cluster | `string` | n/a | yes |
+| [feature\_blob\_storage\_enabled](#input\_feature\_blob\_storage\_enabled) | Enable blob storage feature in the platform | `bool` | `true` | no |
+| [feature\_docker\_registry\_enabled](#input\_feature\_docker\_registry\_enabled) | Enable docker registry feature in the platform | `bool` | `true` | no |
+| [feature\_secrets\_enabled](#input\_feature\_secrets\_enabled) | Enable secrets manager feature in the platform | `bool` | `true` | no |
+| [platform\_feature\_enabled](#input\_platform\_feature\_enabled) | Enable platform features like docker registry, secrets manager and blob storage | `bool` | `true` | no |
+| [platform\_user\_force\_destroy](#input\_platform\_user\_force\_destroy) | Enable force destroy of the user | `bool` | `true` | no |
+| [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| 
[platform\_user\_access\_key](#output\_platform\_user\_access\_key) | The user access key ID |
+| [platform\_user\_arn](#output\_platform\_user\_arn) | The user IAM resource arn |
+| [platform\_user\_bucket\_arn](#output\_platform\_user\_bucket\_arn) | The bucket's arn |
+| [platform\_user\_bucket\_name](#output\_platform\_user\_bucket\_name) | The bucket's ID/name |
+| [platform\_user\_ecr\_url](#output\_platform\_user\_ecr\_url) | The ECR url to connect |
+| [platform\_user\_name](#output\_platform\_user\_name) | The user's name |
+| [platform\_user\_secret\_key](#output\_platform\_user\_secret\_key) | The user secret key |
+| [policy\_arns](#output\_policy\_arns) | The list of ARNs of policies directly assigned to the IAM user |
\ No newline at end of file