Many Terraform updates

This commit is contained in:
Radon Rosborough 2021-07-10 17:48:05 +00:00
parent 9c0de456e4
commit e4890bee6a
6 changed files with 249 additions and 11 deletions

33
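--- a/tf/ami.tf
+++ b/tf/ami.tf
@@ -0,0 +1,33 @@
+data "aws_ami" "server" {
+count = local.ami_available ? 1 : 0
+owners = ["self"]
+filter {
+name = "name"
+values = [data.external.env.result.AMI_NAME]
+}
+}
+data "aws_ami" "ubuntu" {
+count = local.ssh_key_available ? 1 : 0
+owners = ["099720109477"]
+filter {
+name = "name"
+values = ["ubuntu/images/hvm-ssd/ubuntu-*-21.04-amd64-server-*"]
+}
+filter {
+name = "root-device-type"
+values = ["ebs"]
+}
+filter {
+name = "virtualization-type"
+values = ["hvm"]
+}
+most_recent = true
+}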
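Review bot: The `ubuntu` AMI lookup pins the interim release `21.04`, which only receives standard support for nine months after release, so `most_recent = true` will keep resolving to an image line that stops receiving updates around the start of 2022. An LTS pattern such as `values = ["ubuntu/images/hvm-ssd/ubuntu-*-20.04-amd64-server-*"]` would keep the dev server on a supported line without changing anything else here. Since tf/ec2.tf sets `ignore_changes = [ami]` on the instance, a later edit of this filter does not recreate a running dev server, which is worth a one-line comment next to the name filter.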


@ -1,14 +1,3 @@
data "aws_ami" "server" {
count = local.ami_available ? 1 : 0
owners = ["self"]
filter {
name = "name"
values = [data.external.env.result.AMI_NAME]
}
}
resource "aws_security_group" "server" {
name = "riju-server"
description = "Security group for Riju server"

31
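--- a/tf/backup.tf
+++ b/tf/backup.tf
@@ -0,0 +1,31 @@
+resource "aws_backup_vault" "riju" {
+name = "riju"
+}
+resource "aws_backup_plan" "riju" {
+name = "riju"
+rule {
+rule_name = "riju"
+target_vault_name = aws_backup_vault.riju.name
+schedule = "cron(0 5 ? * * *)"
+lifecycle {
+delete_after = 7
+}
+recovery_point_tags {
+BillingCategory = "Riju"
+}
+}
+}
+resource "aws_backup_selection" "riju" {
+iam_role_arn = aws_iam_role.backup.arn
+name = "riju"
+plan_id = aws_backup_plan.riju.id
+resources = [
+aws_instance.dev_server[0].arn,
+]
+}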
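Review bot: `aws_backup_selection.riju` references `aws_instance.dev_server[0].arn` unconditionally, but that instance is created with `count = local.ssh_key_available ? 1 : 0` in tf/ec2.tf, so a plan run without SSH_KEY_NAME set fails on the index instead of simply skipping the backup. Gate the selection the same way with `count = local.ssh_key_available ? 1 : 0` and reference it as `aws_backup_selection.riju[0]` wherever it is used. The vault also sets no `kms_key_arn`, so recovery points use the AWS-managed key; if that is deliberate, a short comment on `aws_backup_vault.riju` saying so would save the next reader the question.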

58
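--- a/tf/ec2.tf
+++ b/tf/ec2.tf
@@ -0,0 +1,58 @@
+resource "aws_security_group" "dev_server" {
+count = local.ssh_key_available ? 1 : 0
+name = "riju-dev-server"
+description = "Security group for Riju dev server"
+ingress {
+description = "SSH"
+from_port = 22
+to_port = 22
+protocol = "tcp"
+cidr_blocks = ["0.0.0.0/0"]
+}
+ingress {
+description = "HTTP"
+from_port = 6119
+to_port = 6119
+protocol = "tcp"
+cidr_blocks = ["0.0.0.0/0"]
+}
+egress {
+from_port = 0
+to_port = 0
+protocol = "-1"
+cidr_blocks = ["0.0.0.0/0"]
+}
+}
+resource "aws_instance" "dev_server" {
+count = local.ssh_key_available ? 1 : 0
+ami = data.aws_ami.ubuntu[0].id
+instance_type = "t3.2xlarge"
+ebs_optimized = true
+security_groups = [aws_security_group.dev_server[0].name]
+root_block_device {
+volume_size = 256
+tags = merge(local.tags, {
+Name = "Riju dev server"
+})
+}
+tags = {
+Name = "Riju dev server"
+}
+lifecycle {
+ignore_changes = [
+ami,
+security_groups, # legacy
+]
+}
+}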
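Review bot: The `dev_server` security group opens SSH (22) and port 6119 to `0.0.0.0/0`, while tf/iam.tf in this same commit gives the dev-server role an unrestricted `*` on `*` policy, so the host's exposure is the account's exposure; restrict at least the SSH rule to the operator's address, e.g. `cidr_blocks = ["<OPERATOR_IP>/32"]`, and add `metadata_options { http_tokens = "required" }` to `aws_instance.dev_server` so role credentials are not readable by an unauthenticated IMDSv1 request from a process on the box. The instance also sets neither `key_name` nor `iam_instance_profile`, even though its `count` is gated on `local.ssh_key_available` and tf/iam.tf creates `aws_iam_instance_profile.dev_server` for it; unless both are attached elsewhere, the SSH rule has no key to authenticate against and the profile is unused. `encrypted = true` on `root_block_device` is a cheap addition for a volume that will hold checked-out source and credentials.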

126
tf/iam.tf

@ -7,6 +7,18 @@ resource "aws_iam_access_key" "deploy" {
}
data "aws_iam_policy_document" "deploy" {
statement {
actions = [
"ecr:GetAuthorizationToken",
"ecr-public:GetAuthorizationToken",
"sts:GetServiceBearerToken",
]
resources = [
"*",
]
}
statement {
actions = [
"s3:ListBucket",
@ -28,6 +40,21 @@ data "aws_iam_policy_document" "deploy" {
}
}
data "aws_iam_policy_document" "deploy_assume_role" {
statement {
actions = [
"sts:AssumeRole",
]
principals {
type = "AWS"
identifiers = [
"${data.aws_caller_identity.current.account_id}",
]
}
}
}
resource "aws_iam_policy" "deploy" {
name = "riju-deploy"
description = "Policy granting CI access to deploy Riju"
@ -39,6 +66,17 @@ resource "aws_iam_user_policy_attachment" "deploy" {
policy_arn = aws_iam_policy.deploy.arn
}
resource "aws_iam_role" "deploy" {
name = "riju-deploy"
description = "Role used by CI and deployment"
assume_role_policy = data.aws_iam_policy_document.deploy_assume_role.json
}
resource "aws_iam_role_policy_attachment" "deploy" {
role = aws_iam_role.deploy.name
policy_arn = aws_iam_policy.deploy.arn
}
data "aws_iam_policy_document" "server" {
statement {
actions = [
@ -108,3 +146,91 @@ resource "aws_iam_instance_profile" "server" {
name = "riju-server"
role = aws_iam_role.server.name
}
data "aws_iam_policy_document" "dev_server" {
statement {
actions = [
"*",
]
resources = [
"*",
]
}
}
resource "aws_iam_policy" "dev_server" {
name = "riju-dev-server"
description = "Policy granting AWS administrative access from dev server"
policy = data.aws_iam_policy_document.dev_server.json
}
data "aws_iam_policy_document" "dev_server_assume_role" {
statement {
actions = [
"sts:AssumeRole",
]
principals {
type = "Service"
identifiers = [
"ec2.amazonaws.com",
]
}
}
}
resource "aws_iam_role" "dev_server" {
name = "riju-dev-server"
description = "Role used by Riju dev server"
assume_role_policy = data.aws_iam_policy_document.dev_server_assume_role.json
}
resource "aws_iam_role_policy_attachment" "dev_server" {
role = aws_iam_role.dev_server.name
policy_arn = aws_iam_policy.dev_server.arn
}
resource "aws_iam_instance_profile" "dev_server" {
name = "riju-dev-server"
role = aws_iam_role.dev_server.name
}
data "aws_iam_policy_document" "backup_assume_role" {
statement {
actions = [
"sts:AssumeRole",
]
principals {
type = "Service"
identifiers = [
"backup.amazonaws.com",
]
}
}
}
resource "aws_iam_role" "backup" {
name = "riju-backup"
description = "Role used by AWS Backup for Riju"
assume_role_policy = data.aws_iam_policy_document.backup_assume_role.json
}
data "aws_iam_policy" "backup" {
name = "AWSBackupServiceRolePolicyForBackup"
}
data "aws_iam_policy" "backup_restores" {
name = "AWSBackupServiceRolePolicyForRestores"
}
resource "aws_iam_role_policy_attachment" "backup" {
role = aws_iam_role.backup.name
policy_arn = data.aws_iam_policy.backup.arn
}
resource "aws_iam_role_policy_attachment" "backup_restores" {
role = aws_iam_role.backup.name
policy_arn = data.aws_iam_policy.backup_restores.arn
}
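Review bot: The `dev_server` policy document at the top of the last hunk grants `actions = ["*"]` on `resources = ["*"]`, which makes `riju-dev-server` a full account administrator; the description says "administrative access" so this is intentional, but the role is attached to an instance that tf/ec2.tf exposes to the internet, and a more defensible form is to list the services the dev workflow actually calls (ECR, S3 and the EC2/AMI operations the build uses) rather than `*`. In the second hunk, `deploy_assume_role` names the bare account id as the principal, which resolves to the account root and lets any IAM principal in the account that holds `sts:AssumeRole` assume `riju-deploy`; if only the `deploy` user is meant to assume it, put that user's ARN in `identifiers` instead, presumably `aws_iam_user.deploy.arn` given the `aws_iam_user_policy_attachment.deploy` above. A comment on each of these two statements stating who is expected to use the grant would make the intent reviewable later.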


@ -26,6 +26,7 @@ locals {
}
ami_available = lookup(data.external.env.result, "AMI_NAME", "") != "" ? true : false
ssh_key_available = lookup(data.external.env.result, "SSH_KEY_NAME", "") != "" ? true : false
}
provider "aws" {