empayre/fleet
14
0
Fork 0
mirror of https://github.com/empayre/fleet.git synced 2024-11-06 17:05:18 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
436733763a
fleet/infrastructure/sandbox/JITProvisioner/deprovisioner.tf

392 lines
10 KiB
HCL
Raw Blame History

data "aws_iam_policy_document" "sfn-assume-role" {
statement {
actions = ["sts:AssumeRole"]
principals {
type = "Service"
identifiers = ["states.amazonaws.com"]
}
}
}
resource "aws_iam_role_policy_attachment" "sfn" {
role = aws_iam_role.sfn.id
policy_arn = aws_iam_policy.sfn.arn
}
resource "aws_iam_policy" "sfn" {
name = "${local.full_name}-sfn"
policy = data.aws_iam_policy_document.sfn.json
}
data "aws_iam_policy_document" "sfn" {
statement {
actions = ["ecs:RunTask"]
resources = [
replace(aws_ecs_task_definition.deprovisioner.arn, "/:\\d+$/", ":*"), replace(aws_ecs_task_definition.deprovisioner.arn, "/:\\d+$/", ""),
replace(aws_ecs_task_definition.ingress_destroyer.arn, "/:\\d+$/", ":*"), replace(aws_ecs_task_definition.ingress_destroyer.arn, "/:\\d+$/", ""),
]
condition {
test = "ArnLike"
variable = "ecs:cluster"
values = [var.ecs_cluster.arn]
}
}
statement {
actions = ["iam:PassRole"]
resources = ["*"]
condition {
test = "StringLike"
variable = "iam:PassedToService"
values = ["ecs-tasks.amazonaws.com"]
}
}
statement {
actions = ["events:PutTargets", "events:PutRule", "events:DescribeRule"]
resources = ["*"]
}
}
resource "aws_iam_role" "sfn" {
name = "${local.full_name}-sfn"
assume_role_policy = data.aws_iam_policy_document.sfn-assume-role.json
}
resource "aws_iam_role_policy_attachment" "deprovisioner" {
role = aws_iam_role.deprovisioner.id
policy_arn = aws_iam_policy.deprovisioner.arn
}
resource "aws_iam_policy" "deprovisioner" {
name = "${local.full_name}-deprovisioner"
policy = data.aws_iam_policy_document.deprovisioner.json
}
data "aws_iam_policy_document" "deprovisioner" {
statement {
actions = [
"dynamodb:List*",
"dynamodb:DescribeReservedCapacity*",
"dynamodb:DescribeLimits",
"dynamodb:DescribeTimeToLive"
]
resources = ["*"]
}
statement {
actions = [
"dynamodb:BatchGet*",
"dynamodb:DescribeStream",
"dynamodb:DescribeTable",
"dynamodb:Get*",
"dynamodb:Query",
"dynamodb:Scan",
"dynamodb:BatchWrite*",
"dynamodb:CreateTable",
"dynamodb:Delete*",
"dynamodb:Update*",
"dynamodb:PutItem"
]
resources = [var.dynamodb_table.arn]
}
statement {
actions = [ #tfsec:ignore:aws-iam-no-policy-wildcards
"kms:Encrypt*",
"kms:Decrypt*",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:Describe*"
]
resources = [aws_kms_key.ecr.arn, var.kms_key.arn]
}
statement {
actions = ["*"]
resources = ["*"]
}
statement {
actions = ["eks:DescribeCluster"]
resources = [var.eks_cluster.eks_cluster_arn]
}
statement {
actions = ["sts:GetCallerIdentity"]
resources = ["*"]
}
}
data "aws_iam_policy_document" "deprovisioner-assume-role" {
statement {
actions = ["sts:AssumeRole"]
principals {
type = "Service"
identifiers = ["ecs-tasks.amazonaws.com"]
}
}
}
resource "aws_iam_role" "deprovisioner" {
name = "${local.full_name}-deprovisioner"
assume_role_policy = data.aws_iam_policy_document.deprovisioner-assume-role.json
}
resource "aws_ecs_task_definition" "deprovisioner" {
family = "${local.full_name}-deprovisioner"
network_mode = "awsvpc"
requires_compatibilities = ["FARGATE"]
execution_role_arn = aws_iam_role.deprovisioner.arn
task_role_arn = aws_iam_role.deprovisioner.arn
cpu = 1024
memory = 4096
container_definitions = jsonencode(
[
{
name = "${var.prefix}-deprovisioner"
image = docker_registry_image.deprovisioner.name
mountPoints = []
volumesFrom = []
essential = true
networkMode = "awsvpc"
logConfiguration = {
logDriver = "awslogs"
options = {
awslogs-group = aws_cloudwatch_log_group.main.name
awslogs-region = data.aws_region.current.name
awslogs-stream-prefix = "${local.full_name}-deprovisioner"
}
},
environment = concat([
{
name = "TF_VAR_mysql_secret"
value = var.mysql_secret.id
},
{
name = "TF_VAR_eks_cluster"
value = var.eks_cluster.eks_cluster_id
},
])
}
])
lifecycle {
create_before_destroy = true
}
}
resource "aws_ecs_task_definition" "ingress_destroyer" {
family = "${local.full_name}-ingress-destroyer"
network_mode = "awsvpc"
requires_compatibilities = ["FARGATE"]
execution_role_arn = aws_iam_role.deprovisioner.arn
task_role_arn = aws_iam_role.deprovisioner.arn
cpu = 512
memory = 1024
container_definitions = jsonencode(
[
{
name = "${var.prefix}-ingress-destroyer"
image = docker_registry_image.ingress_destroyer.name
mountPoints = []
volumesFrom = []
essential = true
networkMode = "awsvpc"
logConfiguration = {
logDriver = "awslogs"
options = {
awslogs-group = aws_cloudwatch_log_group.main.name
awslogs-region = data.aws_region.current.name
awslogs-stream-prefix = "${local.full_name}-ingress-destroyer"
}
},
environment = [
{
name = "CLUSTER_NAME"
value = var.eks_cluster.eks_cluster_id
},
]
}
])
lifecycle {
create_before_destroy = true
}
}
resource "aws_security_group" "deprovisioner" {
name = "${local.full_name}-deprovisioner"
description = "security group for ${local.full_name}-deprovisioner"
vpc_id = var.vpc.vpc_id
egress {
description = "egress to all"
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
ipv6_cidr_blocks = ["::/0"]
}
}
resource "aws_sfn_state_machine" "main" {
name = var.prefix
role_arn = aws_iam_role.sfn.arn
definition = <<EOF
{
"Comment": "Controls the lifecycle of a Fleet demo environment",
"StartAt": "Wait",
"States": {
"Wait": {
"Type": "Wait",
"SecondsPath": "$.waitTime",
"Next": "IngressDestroyer"
},
"IngressDestroyer": {
"Type": "Task",
"Resource": "arn:aws:states:::ecs:runTask.sync",
"Parameters": {
"LaunchType": "FARGATE",
"NetworkConfiguration": {
"AwsvpcConfiguration": {
"Subnets": ${jsonencode(var.vpc.private_subnets)},
"SecurityGroups": ["${aws_security_group.deprovisioner.id}"],
"AssignPublicIp": "DISABLED"
}
},
"Cluster": "${var.ecs_cluster.arn}",
"TaskDefinition": "${replace(aws_ecs_task_definition.ingress_destroyer.arn, "/:\\d+$/", "")}",
"Overrides": {
"ContainerOverrides": [
{
"Name": "${var.prefix}-ingress-destroyer",
"Environment": [
{
"Name": "INSTANCE_ID",
"Value.$": "$.instanceID"
},
{
"Name": "DYNAMODB_LIFECYCLE_TABLE",
"Value": "${var.dynamodb_table.id}"
}
]
}
]
}
},
"Next": "Idle",
"ResultPath": null
},
"Idle": {
"Type": "Wait",
"Seconds": 2592000,
"Next": "Deprovisioner"
},
"Deprovisioner": {
"Type": "Task",
"Resource": "arn:aws:states:::ecs:runTask.sync",
"Parameters": {
"LaunchType": "FARGATE",
"NetworkConfiguration": {
"AwsvpcConfiguration": {
"Subnets": ${jsonencode(var.vpc.private_subnets)},
"SecurityGroups": ["${aws_security_group.deprovisioner.id}"],
"AssignPublicIp": "DISABLED"
}
},
"Cluster": "${var.ecs_cluster.arn}",
"TaskDefinition": "${replace(aws_ecs_task_definition.deprovisioner.arn, "/:\\d+$/", "")}",
"Overrides": {
"ContainerOverrides": [
{
"Name": "${var.prefix}-deprovisioner",
"Environment": [
{
"Name": "INSTANCE_ID",
"Value.$": "$.instanceID"
}
]
}
]
}
},
"End": true
}
}
}
EOF
}
output "deprovisioner" {
value = aws_sfn_state_machine.main
}
resource "random_uuid" "deprovisioner" {
keepers = {
lambda = data.archive_file.deprovisioner.output_sha
}
}
resource "random_uuid" "ingress-destroyer" {
keepers = {
lambda = data.archive_file.ingress_destroyer.output_sha
}
}
resource "local_file" "backend-config" {
content = templatefile("${path.module}/deprovisioner/backend-template.conf",
{
remote_state = var.remote_state
})
filename = "${path.module}/deprovisioner/deploy_terraform/backend.conf"
}
data "archive_file" "deprovisioner" {
type = "zip"
output_path = "${path.module}/.deprovisioner.zip"
source_dir = "${path.module}/deprovisioner"
}
// used to obtain a unique checksum
data "archive_file" "ingress_destroyer" {
type = "zip"
output_path = "${path.module}/.ingress_destroyer.zip"
source_dir = "${path.module}/ingress_destroyer"
}
resource "docker_registry_image" "deprovisioner" {
name = "${aws_ecr_repository.main.repository_url}:${data.git_repository.main.branch}-${random_uuid.deprovisioner.result}"
keep_remotely = true
build {
context = "${path.module}/deprovisioner/"
pull_parent = true
platform = "linux/amd64"
}
depends_on = [
local_file.backend-config
]
}
resource "docker_registry_image" "ingress_destroyer" {
name = "${aws_ecr_repository.main.repository_url}:${data.git_repository.main.branch}-${random_uuid.ingress-destroyer.result}"
keep_remotely = true
build {
context = "${path.module}/ingress_destroyer/"
pull_parent = true
platform = "linux/amd64"
}
depends_on = [
local_file.backend-config
]
}
output "deprovisioner_role" {
value = aws_iam_role.deprovisioner
}
Reference in New Issue View Git Blame Copy Permalink