Skip to content

Instantly share code, notes, and snippets.

@devops-adeel

devops-adeel/aws.tf

Created June 19, 2023 15:05
Show Gist options
  • Save devops-adeel/a8706bc2c8d5248bda3b2be8269967df to your computer and use it in GitHub Desktop.
Save devops-adeel/a8706bc2c8d5248bda3b2be8269967df to your computer and use it in GitHub Desktop.
Download ZIP
Visualise in code the manifests & constructs of a landing-zone
Raw
aws.tf
resource "aws_organizations_account" "default" {
name = "my_new_account"
email = "[email protected]"
}
data "aws_billing_service_account" "default" {}
resource "aws_iam_user" "default" {
name = "vault-aws-auth-user"
}
resource "aws_iam_access_key" "default" {
user = aws_iam_user.default.name
}
resource "aws_iam_user_policy" "default" {
name = "vault"
user = aws_iam_user.default.name
policy = data.aws_iam_policy_document.default.json
}
data "aws_iam_policy_document" "default" {
version = "2012-10-17"
statement {
sid = "AllowVaultAuth"
effect = "Allow"
resources = ["*"]
actions = [
"ec2:DescribeInstances",
"iam:GetInstanceProfile",
"iam:GetUser",
"iam:GetRole"
]
}
statement {
sid = "ManageOwnAccessKeys"
effect = "Allow"
resources = [aws_iam_user.default.arn]
actions = [
"iam:CreateAccessKey",
"iam:DeleteAccessKey",
"iam:GetAccessKeyLastUsed",
"iam:GetUser",
"iam:ListAccessKeys",
"iam:UpdateAccessKey"
]
}
}
resource "vault_auth_backend" "default" {
type = "aws"
}
resource "vault_aws_auth_backend_client" "default" {
backend = vault_auth_backend.default.path
access_key = aws_iam_access_key.default.id
secret_key = aws_iam_access_key.default.secret
}
resource "vault_generic_endpoint" "rotate_root" {
ignore_absent_fields = true
data_json = jsonencode({})
path = format(
"%s/config/rotate-root",
vault_aws_auth_backend_client.default.backend
)
}
resource "vault_aws_auth_backend_role" "default" {
backend = vault_auth_backend.default.path
role = "pki"
auth_type = "ec2"
bound_account_ids = [aws_billing_service_account.default.id]
inferred_entity_type = "ec2_instance"
token_ttl = 60
token_max_ttl = 120
token_policies = [vault_policy.default.name]
}
Raw
boundary.tf
resource "boundary_scope" "default" {
name = var.application
description = "My first scope!"
scope_id = boundary_scope.org.id
auto_create_admin_role = true
}
resource "boundary_group" "default" {
name = var.application
scope_id = boundary_scope.default.id
}
resource "boundary_host_catalog" "default" {
name = "My catalog"
type = "Static"
scope_id = boundary_scope.default.id
}
resource "boundary_credential_store_vault" "default" {
name = var.application
address = var.vault_address
token = var.vault_token
scope_id = boundary_scope.default.id
}
resource "boundary_credential_library_vault_ssh_certificate" "default" {
name = format("ssh-%s", var.application)
credential_store_id = boundary_credential_store_vault.default.id
path = "ssh/sign/foo"
username = "foo"
}
Raw
consul.tf
resource "consul_namespace" "default" {
name = var.application
meta = {
foo = "bar"
}
}
resource "consul_acl_policy" "default" {
name = "agent"
rules = <<-RULE
node_prefix "" {
policy = "read"
}
RULE
}
resource "consul_namespace_policy_attachment" "default" {
namespace = consul_namespace.default.name
policy = consul_acl_policy.default.name
}
resource "consul_acl_role" "default" {
name = "agent"
}
resource "consul_namespace_role_attachment" "default" {
namespace = consul_namespace.default.name
role = consul_acl_role.default.name
}
Raw
github.tf
locals {
github_oidc = "https://token.actions.githubusercontent.com"
user_claim = "workflow"
sub_claim = tolist(format(
"repo:%s:ref:%s",
github_repository.default.full_name,
github_branch.default.ref
))
bound_claim = { "sub" = local.sub_claim }
}
resource "github_repository" "default" {
name = var.application
visibility = "public"
template {
owner = "github"
repository = "app-scoped-terraform-infra"
include_all_branches = true
}
}
resource "github_branch_default" "default" {
repository = github_repository.default.name
branch = "main"
}
resource "github_team" "default" {
name = var.application
}
resource "github_team_repository" "default" {
team_id = github_team.default.id
repository = github_repository.default.name
permission = "pull"
}
resource "vault_jwt_auth_backend" "default" {
description = "Vault Github OIDC Auth Method"
path = "github"
type = "jwt"
default_role = "github-action"
oidc_discovery_url = local.github_oidc
bound_issuer = local.github_oidc
tune {
default_lease_ttl = "768h"
max_lease_ttl = "768h"
token_type = "default-service"
}
}
resource "vault_jwt_auth_backend_role" "default" {
backend = vault_jwt_auth_backend.default.path
role_type = vault_jwt_auth_backend.default.type
role_name = github_repository.default.name
bound_claims = local.bound_claim
user_claim = local.user_claim
bound_claims_type = "glob"
}
Raw
google.tf
resource "google_project" "default" {
name = var.application
org_id = "1234567"
}
resource "google_service_account" "default" {
account_id = "service-account-id"
display_name = "Service Account"
project = google_project.default.id
}
resource "google_project_iam_member" "sa_admin" {
project = google_project.default.id
role = "roles/iam.serviceAccountKeyAdmin"
member = format("serviceAccount:%s", google_service_account.default.email)
}
resource "google_project_iam_member" "compute_viewer" {
project = google_project.default.id
role = "roles/compute.viewer"
member = format("serviceAccount:%s", google_service_account.default.email)
}
resource "google_service_account_key" "default" {
service_account_id = google_service_account.default.name
}
resource "vault_gcp_auth_backend" "default" {
namespace = vault_namespace.default.path
credentials = based64decode(google_service_account_key.default.private_key)
}
resource "vault_gcp_auth_backend_role" "default" {
backend = vault_gcp_auth_backend.default.path
role = var.application
type = "iam"
bound_projects = [google_project.default.id]
token_ttl = 300
token_max_ttl = 600
token_policies = ["pki", "default"]
add_group_aliases = true
}
Raw
kubernetes.tf
locals {
namespace = format(
"{{identity.entity.aliases.%s.metadata.service_account_namespace}}",
vault_auth_backend.default.accessor
)
}
resource "kubernetes_namespace_v1" "default" {
metadata {
name = format("%s-namespace", var.application)
annotations = {
name = var.application
}
labels = {
env = var.env
}
}
}
data "kubernetes_service_account_v1" "default" {
metadata {
name = "vault-auth"
namespace = "kube-system"
}
}
data "kubernetes_secret" "default" {
metadata {
name = data.kubernetes_service_account_v1.default.default_secret_name
namespace = "kube-system"
}
}
resource "vault_auth_backend" "default" {
namespace = vault_namespace.default.path
type = "kubernetes"
}
resource "vault_kubernetes_auth_backend_config" "default" {
namespace = vault_namespace.default.path
backend = vault_auth_backend.default.path
kubernetes_host = var.kubernetes_host
kubernetes_ca_cert = data.kubernetes_secret.default.data["ca.crt"]
token_reviewer_jwt = data.kubernetes_secret.default.data.token
}
resource "vault_kubernetes_auth_backend_role" "default" {
namespace = vault_namespace.default.path
backend = vault_auth_backend.default.path
role_name = var.application
bound_service_account_names = ["*"]
bound_service_account_namespaces = [var.application]
token_ttl = 43200
token_policies = [vault_policy.default.name]
audience = "vault"
}
data "vault_policy_document" "default" {
rule {
path = format("secret/data/%s", local.acl_template)
capabilities = ["read", "list"]
description = "Allow access only to namespace area"
}
}
resource "vault_policy" "kubernetes" {
namespace = vault_namespace.default.path
name = var.application
policy = data.vault_policy_document.default.hcl
}
Raw
tfe.tf
data "tfe_organization" "default" {
name = "organization-name"
}
resource "tfe_project" "default" {
organization = data.tfe_organization.default.name
name = var.application
}
resource "tfe_variable_set" "default" {
name = "Test Varset"
organization = data.tfe_organization.default.name
}
resource "tfe_project_variable_set" "default" {
variable_set_id = tfe_variable_set.default.id
project_id = tfe_project.default.id
}
resource "tfe_team" "default" {
name = var.application
organization = data.tfe_organization.default.name
organization_access {
manage_modules = true
}
}
resource "tfe_team_project_access" "default" {
access = "read"
team_id = tfe_team.default.id
project_id = tfe_project.default.id
}
Raw
vault.tf
locals {
ssh_path = format(
"ssh/sign/%s",
vault_ssh_secret_backend_role.default.name
)
ssh_user = format(
"{{identity.entity.aliases.%s.metadata.first_name}}",
vault_jwt_auth_backend.default.accessor
)
}
resource "vault_namespace" "default" {
path = var.application
}
resource "vault_mount" "default" {
namespace = vault_namespace.default.path
type = "ssh"
description = "SSH secrets engine"
default_lease_ttl_seconds = 3600
max_lease_ttl_seconds = 86400
}
resource "vault_ssh_secret_backend_ca" "default" {
namespace = vault_namespace.default.path
backend = vault_mount.default.path
generate_signing_key = true
}
resource "vault_ssh_secret_backend_role" "default" {
namespace = vault_namespace.default.path
name = var.role
backend = vault_mount.default.path
key_type = "ca"
algorithm_signer = "rsa-sha2-512"
allow_user_certificates = true
allowed_users_template = true
allowed_users = [local.ssh_user]
allowed_extensions = ["permit-pty"]
default_user = local.ssh_user
max_ttl = "604800"
ttl = "30m0s"
default_extensions = {
permit-pty = ""
}
}
data "vault_policy_document" "default" {
rule {
capabilities = ["create", "update"]
path = local.ssh_path
}
}
resource "vault_policy" "ssh" {
namespace = vault_namespace.default.path
name = "ssh"
policy = data.vault_policy_document.default.hcl
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment