feat: s3 example

humanitec-architecture · Feb 1, 2024 · dfe2d3b · dfe2d3b
1 parent 6a78c43
commit dfe2d3b
Show file tree

Hide file tree

Showing 61 changed files with 849 additions and 237 deletions.
diff --git a/examples/s3/README.md b/examples/s3/README.md
@@ -0,0 +1,73 @@
+# AWS S3
+
+This example configures an S3 bucket resource definition, with two different access policies:
+
+* `basic-admin` (full access)
+* `basic-read-only` (read-only access)
+
+Those resources can be used in your score file like:
+
+```yaml
+resources:
+  ...
+  s3:
+    type: s3
+    class: basic-admin
+```
+
+The workload service account will automatically be assigned the necessary AWS IAM Role with the selected IAM Policy.
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| terraform | >= 1.3.0 |
+| humanitec | ~> 0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| humanitec | ~> 0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| iam\_policy\_s3\_admin | ../../humanitec-resource-defs/iam-policy/s3 | n/a |
+| iam\_policy\_s3\_read\_only | ../../humanitec-resource-defs/iam-policy/s3 | n/a |
+| iam\_role\_service\_account | ../../humanitec-resource-defs/iam-role/service-account | n/a |
+| k8s\_service\_account | ../../humanitec-resource-defs/k8s/service-account | n/a |
+| s3\_basic | ../../humanitec-resource-defs/s3/basic | n/a |
+| s3\_basic\_admin | ../../humanitec-resource-defs/s3/passthrough | n/a |
+| s3\_basic\_read\_only | ../../humanitec-resource-defs/s3/passthrough | n/a |
+| workload | ../../humanitec-resource-defs/workload/service-account | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [humanitec_application.example](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/application) | resource |
+| [humanitec_resource_definition_criteria.iam_policy_s3_admin](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
+| [humanitec_resource_definition_criteria.iam_policy_s3_read_only](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
+| [humanitec_resource_definition_criteria.iam_role_service_account](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
+| [humanitec_resource_definition_criteria.k8s_service_account](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
+| [humanitec_resource_definition_criteria.s3_basic](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
+| [humanitec_resource_definition_criteria.s3_basic_admin](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
+| [humanitec_resource_definition_criteria.s3_basic_read_only](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
+| [humanitec_resource_definition_criteria.workload](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| access\_key | AWS Access Key | `string` | n/a | yes |
+| oidc\_provider | IAM OIDC Provider in the format "oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE" | `string` | n/a | yes |
+| oidc\_provider\_arn | IAM OIDC Provider ARN in the format "arn:aws:iam::111122223333:oidc-provider/oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE" | `string` | n/a | yes |
+| region | AWS Region | `string` | n/a | yes |
+| secret\_key | AWS Secret Key | `string` | n/a | yes |
+| name | Name of the example application | `string` | `"s3-test"` | no |
+| resource\_packs\_aws\_rev | AWS Resource Pack git branch | `string` | `"refs/heads/main"` | no |
+| resource\_packs\_aws\_url | AWS Resource Pack git url | `string` | `"https://github.com/humanitec-architecture/resource-packs-aws.git"` | no |
+<!-- END_TF_DOCS -->
diff --git a/examples/s3/main.tf b/examples/s3/main.tf
@@ -0,0 +1,174 @@
+locals {
+  res_def_prefix = "${var.name}-"
+}
+
+resource "humanitec_application" "example" {
+  id   = var.name
+  name = var.name
+}
+
+# S3 bucket
+
+locals {
+  # Classes used to build the resource definition graph
+  s3_basic_class            = "basic"
+  s3_admin_policy_class     = "s3-basic-admin"
+  s3_read_only_policy_class = "s3-basic-read-only"
+
+  # Classes that developers can select from
+  s3_basic_admin_class     = "basic-admin"
+  s3_basic_read_only_class = "basic-read-only"
+}
+
+# Define s3 bucket basic "flavour" as base
+
+module "s3_basic" {
+  source = "../../humanitec-resource-defs/s3/basic"
+
+  resource_packs_aws_url = var.resource_packs_aws_url
+  resource_packs_aws_rev = var.resource_packs_aws_rev
+
+  access_key = var.access_key
+  secret_key = var.secret_key
+  region     = var.region
+
+  prefix = local.res_def_prefix
+}
+
+resource "humanitec_resource_definition_criteria" "s3_basic" {
+  resource_definition_id = module.s3_basic.id
+  app_id                 = humanitec_application.example.id
+  class                  = local.s3_basic_class
+}
+
+# Add different access policy to s3 basic bucket
+
+# Admin
+
+## Policy
+module "iam_policy_s3_admin" {
+  source = "../../humanitec-resource-defs/iam-policy/s3"
+
+  resource_packs_aws_url = var.resource_packs_aws_url
+  resource_packs_aws_rev = var.resource_packs_aws_rev
+
+  access_key = var.access_key
+  secret_key = var.secret_key
+  region     = var.region
+
+  policy = "admin"
+
+  prefix = local.res_def_prefix
+
+  s3_resource_class = local.s3_basic_class
+}
+
+resource "humanitec_resource_definition_criteria" "iam_policy_s3_admin" {
+  resource_definition_id = module.iam_policy_s3_admin.id
+  app_id                 = humanitec_application.example.id
+  class                  = local.s3_admin_policy_class
+}
+
+## Exposed passthrough resource definition
+module "s3_basic_admin" {
+  source = "../../humanitec-resource-defs/s3/passthrough"
+
+  prefix = local.res_def_prefix
+
+  s3_resource_class     = local.s3_basic_class
+  policy_resource_class = local.s3_admin_policy_class
+}
+
+resource "humanitec_resource_definition_criteria" "s3_basic_admin" {
+  resource_definition_id = module.s3_basic_admin.id
+  app_id                 = humanitec_application.example.id
+  class                  = local.s3_basic_admin_class
+}
+
+
+# Read-only
+
+## Policy
+module "iam_policy_s3_read_only" {
+  source = "../../humanitec-resource-defs/iam-policy/s3"
+
+  resource_packs_aws_url = var.resource_packs_aws_url
+  resource_packs_aws_rev = var.resource_packs_aws_rev
+
+  access_key = var.access_key
+  secret_key = var.secret_key
+  region     = var.region
+
+  policy = "read-only"
+
+  prefix = local.res_def_prefix
+
+  s3_resource_class = local.s3_basic_class
+}
+
+resource "humanitec_resource_definition_criteria" "iam_policy_s3_read_only" {
+  resource_definition_id = module.iam_policy_s3_read_only.id
+  app_id                 = humanitec_application.example.id
+  class                  = local.s3_read_only_policy_class
+}
+
+## Exposed passthrough resource definition
+module "s3_basic_read_only" {
+  source = "../../humanitec-resource-defs/s3/passthrough"
+
+  prefix = local.res_def_prefix
+
+  s3_resource_class     = local.s3_basic_class
+  policy_resource_class = local.s3_read_only_policy_class
+}
+
+resource "humanitec_resource_definition_criteria" "s3_basic_read_only" {
+  resource_definition_id = module.s3_basic_read_only.id
+  app_id                 = humanitec_application.example.id
+  class                  = local.s3_basic_read_only_class
+}
+
+
+# Required resources for workload identity
+
+module "k8s_service_account" {
+  source = "../../humanitec-resource-defs/k8s/service-account"
+
+  prefix = local.res_def_prefix
+}
+
+resource "humanitec_resource_definition_criteria" "k8s_service_account" {
+  resource_definition_id = module.k8s_service_account.id
+  app_id                 = humanitec_application.example.id
+}
+
+module "iam_role_service_account" {
+  source = "../../humanitec-resource-defs/iam-role/service-account"
+
+  resource_packs_aws_url = var.resource_packs_aws_url
+  resource_packs_aws_rev = var.resource_packs_aws_rev
+
+  access_key = var.access_key
+  secret_key = var.secret_key
+  region     = var.region
+
+  oidc_provider     = var.oidc_provider
+  oidc_provider_arn = var.oidc_provider_arn
+  prefix            = local.res_def_prefix
+}
+
+resource "humanitec_resource_definition_criteria" "iam_role_service_account" {
+  resource_definition_id = module.iam_role_service_account.id
+  app_id                 = humanitec_application.example.id
+}
+
+module "workload" {
+  source = "../../humanitec-resource-defs/workload/service-account"
+
+  prefix = local.res_def_prefix
+}
+
+resource "humanitec_resource_definition_criteria" "workload" {
+  resource_definition_id = module.workload.id
+  app_id                 = humanitec_application.example.id
+}
diff --git a/examples/s3/providers.tf b/examples/s3/providers.tf
@@ -0,0 +1,13 @@
+terraform {
+  required_providers {
+    humanitec = {
+      source  = "humanitec/humanitec"
+      version = "~> 0"
+    }
+  }
+
+  required_version = ">= 1.3.0"
+}
+
+
+provider "humanitec" {}
diff --git a/examples/s3/terraform.tfvars.example b/examples/s3/terraform.tfvars.example
@@ -0,0 +1,24 @@
+
+# AWS Access Key
+access_key = ""
+
+# Name of the example application
+name = "s3-test"
+
+# IAM OIDC Provider in the format "oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
+oidc_provider = ""
+
+# IAM OIDC Provider ARN in the format "arn:aws:iam::111122223333:oidc-provider/oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
+oidc_provider_arn = ""
+
+# AWS Region
+region = ""
+
+# AWS Resource Pack git branch
+resource_packs_aws_rev = "refs/heads/main"
+
+# AWS Resource Pack git url
+resource_packs_aws_url = "https://github.com/humanitec-architecture/resource-packs-aws.git"
+
+# AWS Secret Key
+secret_key = ""
diff --git a/examples/s3/variables.tf b/examples/s3/variables.tf
@@ -0,0 +1,42 @@
+variable "access_key" {
+  description = "AWS Access Key"
+  type        = string
+}
+
+variable "secret_key" {
+  description = "AWS Secret Key"
+  type        = string
+}
+
+variable "region" {
+  description = "AWS Region"
+  type        = string
+}
+
+variable "oidc_provider" {
+  description = "IAM OIDC Provider in the format \"oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE\""
+  type        = string
+}
+
+variable "oidc_provider_arn" {
+  description = "IAM OIDC Provider ARN in the format \"arn:aws:iam::111122223333:oidc-provider/oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE\""
+  type        = string
+}
+
+variable "resource_packs_aws_url" {
+  description = "AWS Resource Pack git url"
+  type        = string
+  default     = "https://github.com/humanitec-architecture/resource-packs-aws.git"
+}
+
+variable "resource_packs_aws_rev" {
+  description = "AWS Resource Pack git branch"
+  type        = string
+  default     = "refs/heads/main"
+}
+
+variable "name" {
+  description = "Name of the example application"
+  type        = string
+  default     = "s3-test"
+}
diff --git a/examples/sqs/README.md b/examples/sqs/README.md
@@ -16,11 +16,9 @@
 
 | Name | Source | Version |
 |------|--------|---------|
-| iam\_policy\_s3\_admin | ../../humanitec-resource-defs/iam-policy/s3-admin | n/a |
 | iam\_policy\_sqs\_admin | ../../humanitec-resource-defs/iam-policy/sqs-admin | n/a |
 | iam\_role\_service\_account | ../../humanitec-resource-defs/iam-role/service-account | n/a |
 | k8s\_service\_account | ../../humanitec-resource-defs/k8s/service-account | n/a |
-| s3\_basic | ../../humanitec-resource-defs/s3/basic | n/a |
 | sqs\_basic | ../../humanitec-resource-defs/sqs/basic | n/a |
 | workload | ../../humanitec-resource-defs/workload/service-account | n/a |
 
@@ -29,11 +27,9 @@
 | Name | Type |
 |------|------|
 | [humanitec_application.example](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/application) | resource |
-| [humanitec_resource_definition_criteria.iam_policy_s3_admin](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [humanitec_resource_definition_criteria.iam_policy_sqs_admin](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [humanitec_resource_definition_criteria.iam_role_service_account](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [humanitec_resource_definition_criteria.k8s_service_account](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
-| [humanitec_resource_definition_criteria.s3_basic](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [humanitec_resource_definition_criteria.sqs_basic](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [humanitec_resource_definition_criteria.workload](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 
@@ -47,5 +43,6 @@
 | secret\_key | n/a | `string` | n/a | yes |
 | name | n/a | `string` | `"item-list"` | no |
 | region | n/a | `string` | `"eu-central-1"` | no |
-| resource\_packs\_aws\_rev | n/a | `string` | `"refs/heads/main"` | no |
+| resource\_packs\_aws\_rev | AWS Resource Pack git branch | `string` | `"refs/heads/main"` | no |
+| resource\_packs\_aws\_url | AWS Resource Pack git url | `string` | `"https://github.com/humanitec-architecture/resource-packs-aws.git"` | no |
 <!-- END_TF_DOCS -->