feat: use resource account
johanneswuerbach committed Apr 15, 2024
1 parent 81f8cd0 commit 3be342d
Showing 140 changed files with 1,071 additions and 659 deletions.
11 changes: 9 additions & 2 deletions examples/dns/README.md
Expand Up @@ -40,13 +40,17 @@ graph LR;
| Name | Version |
|------|---------|
| terraform | >= 1.3.0 |
| aws | ~> 5.0 |
| humanitec | ~> 1.0 |
| random | ~> 3.5 |

## Providers

| Name | Version |
|------|---------|
| aws | ~> 5.0 |
| humanitec | ~> 1.0 |
| random | ~> 3.5 |

## Modules

Expand All @@ -58,17 +62,20 @@ graph LR;

| Name | Type |
|------|------|
| [aws_iam_role.humanitec_provisioner](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy_attachment.humanitec_provisioner](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [humanitec_application.example](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/application) | resource |
| [humanitec_resource_account.humanitec_provisioner](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_account) | resource |
| [humanitec_resource_definition_criteria.dns](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
| [random_password.external_id](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
| [aws_iam_policy_document.instance_assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| access\_key | AWS Access Key | `string` | n/a | yes |
| hosted\_zone\_id | The id of the hosted zone in which this record set will reside. | `string` | n/a | yes |
| region | AWS Region | `string` | n/a | yes |
| secret\_key | AWS Secret Key | `string` | n/a | yes |
| name | Name of the example application | `string` | `"hum-rp-dns-example"` | no |
| prefix | Prefix of the created resources | `string` | `"hum-rp-dns-ex-"` | no |
| resource\_packs\_aws\_rev | AWS Resource Pack git branch | `string` | `"refs/heads/main"` | no |
66 changes: 63 additions & 3 deletions examples/dns/main.tf
@@ -1,3 +1,60 @@
# AWS IAM role used by Humanitec to provision resources

locals {
admin_policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
humanitec_user_arn = "arn:aws:iam::767398028804:user/humanitec"
}

resource "random_password" "external_id" {
length = 16
special = false
}

data "aws_iam_policy_document" "instance_assume_role_policy" {
statement {
actions = ["sts:AssumeRole"]

principals {
type = "AWS"
identifiers = [local.humanitec_user_arn]
}

condition {
test = "StringEquals"
variable = "sts:ExternalId"
values = [random_password.external_id.result]
}
}
}

resource "aws_iam_role" "humanitec_provisioner" {
name = var.name

assume_role_policy = data.aws_iam_policy_document.instance_assume_role_policy.json
}

resource "aws_iam_role_policy_attachment" "humanitec_provisioner" {
role = aws_iam_role.humanitec_provisioner.name
policy_arn = local.admin_policy_arn
}

resource "humanitec_resource_account" "humanitec_provisioner" {
id = var.name
name = var.name
type = "aws-role"
credentials = jsonencode({
aws_role = aws_iam_role.humanitec_provisioner.arn
external_id = random_password.external_id.result
})

depends_on = [
# Otherwise the account looses permissions before the resources are deleted
aws_iam_role_policy_attachment.humanitec_provisioner
]
}

# Example application and resource definition criteria

resource "humanitec_application" "example" {
id = var.name
name = var.name
Expand All @@ -6,11 +63,12 @@ resource "humanitec_application" "example" {
module "route53" {
source = "../../humanitec-resource-defs/dns/basic"

access_key = var.access_key
secret_key = var.secret_key
resource_packs_aws_url = var.resource_packs_aws_url
resource_packs_aws_rev = var.resource_packs_aws_rev
region = var.region
append_logs_to_error = true
driver_account = humanitec_resource_account.humanitec_provisioner.id

region = var.region

prefix = var.prefix

Expand All @@ -20,4 +78,6 @@ module "route53" {
resource "humanitec_resource_definition_criteria" "dns" {
resource_definition_id = module.route53.id
app_id = humanitec_application.example.id

force_delete = true
}
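Review bot: The `aws_iam_role_policy_attachment.humanitec_provisioner` block attaches `AdministratorAccess` (via `local.admin_policy_arn`) to a role that an external principal can assume, even though this example only needs to manage Route53 records, and nothing in the hunk says this is a deliberate shortcut. A comment next to the local, such as `# AdministratorAccess keeps the example short; scope this down to the permissions the resource pack actually needs before reusing it`, would give anyone copying the example the cue to narrow it, or the attachment could reference a customer-managed policy instead. The trust policy is sensibly limited to a single user ARN plus an `sts:ExternalId` condition, but note that `random_password.external_id.result` lands both in the trust policy and in the `humanitec_resource_account` credentials, so the Terraform state holding it should be handled as sensitive. The same blocks are duplicated verbatim in examples/mysql/aurora/main.tf, and in both the depends_on comment reads "looses" where "loses" is meant.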
20 changes: 19 additions & 1 deletion examples/dns/providers.tf
@@ -1,13 +1,31 @@
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5.0"
}
humanitec = {
source = "humanitec/humanitec"
version = "~> 1.0"
}
random = {
source = "hashicorp/random"
version = "~> 3.5"
}
}

required_version = ">= 1.3.0"
}

provider "humanitec" {
provider "aws" {
default_tags {
tags = {
"managed_by" = "terraform"
"source" = "github.com/humanitec-architecture/resource-pack-aws"
}
}
}

provider "humanitec" {}

provider "random" {}
8 changes: 1 addition & 7 deletions examples/dns/terraform.tfvars.example
@@ -1,7 +1,4 @@

# AWS Access Key
access_key = ""

# The id of the hosted zone in which this record set will reside.
hosted_zone_id = ""

Expand All @@ -18,7 +15,4 @@ region = ""
resource_packs_aws_rev = "refs/heads/main"

# AWS Resource Pack git url
resource_packs_aws_url = "https://github.com/humanitec-architecture/resource-packs-aws.git"

# AWS Secret Key
secret_key = ""
resource_packs_aws_url = "https://github.com/humanitec-architecture/resource-packs-aws.git"
10 changes: 0 additions & 10 deletions examples/dns/variables.tf
@@ -1,13 +1,3 @@
variable "access_key" {
description = "AWS Access Key"
type = string
}

variable "secret_key" {
description = "AWS Secret Key"
type = string
}

variable "region" {
description = "AWS Region"
type = string
10 changes: 8 additions & 2 deletions examples/mysql/aurora/README.md
Expand Up @@ -41,12 +41,15 @@ graph LR;
| terraform | >= 1.3.0 |
| aws | ~> 5.0 |
| humanitec | ~> 1.0 |
| random | ~> 3.5 |

## Providers

| Name | Version |
|------|---------|
| aws | ~> 5.0 |
| humanitec | ~> 1.0 |
| random | ~> 3.5 |

## Modules

Expand All @@ -58,17 +61,20 @@ graph LR;

| Name | Type |
|------|------|
| [aws_iam_role.humanitec_provisioner](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy_attachment.humanitec_provisioner](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [humanitec_application.app](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/application) | resource |
| [humanitec_resource_account.humanitec_provisioner](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_account) | resource |
| [humanitec_resource_definition_criteria.mysql](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
| [random_password.external_id](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
| [aws_iam_policy_document.instance_assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| access\_key | AWS Access Key | `string` | n/a | yes |
| k8s\_node\_security\_group\_id | AWS Security Group ID of the kubernetes nodes to allow access to the AWS RDS cluster | `string` | n/a | yes |
| region | AWS Region to create resources | `string` | n/a | yes |
| secret\_key | AWS Secret Key | `string` | n/a | yes |
| subnet\_ids | AWS Subnet IDs to use for the AWS RDS cluster | `set(string)` | n/a | yes |
| vpc\_id | AWS VPC ID | `string` | n/a | yes |
| name | Name of the example application | `string` | `"hum-rp-mysql-example"` | no |
67 changes: 63 additions & 4 deletions examples/mysql/aurora/main.tf
@@ -1,3 +1,60 @@
# AWS IAM role used by Humanitec to provision resources

locals {
admin_policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
humanitec_user_arn = "arn:aws:iam::767398028804:user/humanitec"
}

resource "random_password" "external_id" {
length = 16
special = false
}

data "aws_iam_policy_document" "instance_assume_role_policy" {
statement {
actions = ["sts:AssumeRole"]

principals {
type = "AWS"
identifiers = [local.humanitec_user_arn]
}

condition {
test = "StringEquals"
variable = "sts:ExternalId"
values = [random_password.external_id.result]
}
}
}

resource "aws_iam_role" "humanitec_provisioner" {
name = var.name

assume_role_policy = data.aws_iam_policy_document.instance_assume_role_policy.json
}

resource "aws_iam_role_policy_attachment" "humanitec_provisioner" {
role = aws_iam_role.humanitec_provisioner.name
policy_arn = local.admin_policy_arn
}

resource "humanitec_resource_account" "humanitec_provisioner" {
id = var.name
name = var.name
type = "aws-role"
credentials = jsonencode({
aws_role = aws_iam_role.humanitec_provisioner.arn
external_id = random_password.external_id.result
})

depends_on = [
# Otherwise the account looses permissions before the resources are deleted
aws_iam_role_policy_attachment.humanitec_provisioner
]
}

# Example application and resource definition criteria

resource "humanitec_application" "app" {
id = var.name
name = var.name
Expand All @@ -6,12 +63,12 @@ resource "humanitec_application" "app" {
module "mysql" {
source = "../../../humanitec-resource-defs/mysql/aurora"

resource_packs_aws_rev = var.resource_packs_aws_rev
resource_packs_aws_url = var.resource_packs_aws_url
resource_packs_aws_rev = var.resource_packs_aws_rev
append_logs_to_error = true
driver_account = humanitec_resource_account.humanitec_provisioner.id

access_key = var.access_key
secret_key = var.secret_key
region = var.region
region = var.region

prefix = var.prefix
name = var.name
Expand All @@ -32,4 +89,6 @@ module "mysql" {
resource "humanitec_resource_definition_criteria" "mysql" {
resource_definition_id = module.mysql.id
app_id = humanitec_application.app.id

force_delete = true
}
9 changes: 7 additions & 2 deletions examples/mysql/aurora/providers.tf
Expand Up @@ -8,6 +8,10 @@ terraform {
source = "humanitec/humanitec"
version = "~> 1.0"
}
random = {
source = "hashicorp/random"
version = "~> 3.5"
}
}

required_version = ">= 1.3.0"
Expand All @@ -22,5 +26,6 @@ provider "aws" {
}
}

provider "humanitec" {
}
provider "humanitec" {}

provider "random" {}
6 changes: 0 additions & 6 deletions examples/mysql/aurora/terraform.tfvars.example
@@ -1,7 +1,4 @@

# AWS Access Key
access_key = ""

# AWS Security Group ID of the kubernetes nodes to allow access to the AWS RDS cluster
k8s_node_security_group_id = ""

Expand All @@ -20,9 +17,6 @@ resource_packs_aws_rev = "refs/heads/main"
# AWS Resource Pack git url
resource_packs_aws_url = "https://github.com/humanitec-architecture/resource-packs-aws.git"

# AWS Secret Key
secret_key = ""

# AWS Subnet IDs to use for the AWS RDS cluster
subnet_ids = ""

10 changes: 0 additions & 10 deletions examples/mysql/aurora/variables.tf
@@ -1,13 +1,3 @@
variable "access_key" {
type = string
description = "AWS Access Key"
}

variable "secret_key" {
type = string
description = "AWS Secret Key"
}

variable "region" {
type = string
description = "AWS Region to create resources"
0 comments on commit 3be342d