Refactor apps and policy documents

carlssonk · Sep 24, 2024 · 0ff3455 · 0ff3455
1 parent 9ace0e3
commit 0ff3455
Show file tree

Hide file tree

Showing 16 changed files with 240 additions and 63 deletions.
diff --git a/apps/blackjack-game-multiplayer/main.tf b/apps/blackjack-game-multiplayer/main.tf
@@ -80,15 +80,3 @@ module "cloudflare" {
     value = var.alb_dns_name
   }]
 }
-
-module "iam_policy" {
-  workflow_step = var.workflow_step
-  source        = "../../iam_policy"
-  name          = local.app_name
-  policy_documents = [
-    module.ecs_task_definition.policy_document,
-    module.alb_target_group.policy_document,
-    module.ecs_service.policy_document,
-    module.cloudwatch.policy_document
-  ]
-}
diff --git a/apps/blackjack-game-multiplayer/outputs.tf b/apps/blackjack-game-multiplayer/outputs.tf
@@ -1,3 +1,8 @@
-output "policy_document" {
-  value = module.iam_policy.policy_document
+output "policy_documents" {
+  value = [
+    module.ecs_task_definition.policy_document,
+    module.alb_target_group.policy_document,
+    module.ecs_service.policy_document,
+    module.cloudwatch.policy_document
+  ]
 }
diff --git a/apps/flag-racer/main.tf b/apps/flag-racer/main.tf
@@ -74,15 +74,3 @@ module "cloudflare" {
     value = var.alb_dns_name
   }]
 }
-
-module "iam_policy" {
-  workflow_step = var.workflow_step
-  source        = "../../iam_policy"
-  name          = local.app_name
-  policy_documents = [
-    module.ecs_task_definition.policy_document,
-    module.alb_target_group.policy_document,
-    module.ecs_service.policy_document,
-    module.cloudwatch.policy_document
-  ]
-}
diff --git a/apps/flag-racer/outputs.tf b/apps/flag-racer/outputs.tf
@@ -1,3 +1,8 @@
-output "policy_document" {
-  value = module.iam_policy.policy_document
+output "policy_documents" {
+  value = [
+    module.ecs_task_definition.policy_document,
+    module.alb_target_group.policy_document,
+    module.ecs_service.policy_document,
+    module.cloudwatch.policy_document
+  ]
 }
diff --git a/apps/s3-website/iam_deploy.tf b/apps/s3-website/iam_deploy.tf
@@ -0,0 +1,62 @@
+module "globals" {
+  source = "../../globals"
+}
+
+locals {
+  oidc_domain = "token.actions.githubusercontent.com"
+}
+
+resource "aws_iam_role" "this" {
+  count = var.workflow_step == "resources" ? 1 : 0
+  name  = "${var.app_name}-deploy-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Action = "sts:AssumeRoleWithWebIdentity"
+      Effect = "Allow"
+      Principal = {
+        Federated = "arn:aws:iam::${module.globals.var.aws_account_id}:oidc-provider/${local.oidc_domain}"
+      }
+      Condition = {
+        StringEquals = {
+          "${local.oidc_domain}:aud" : "sts.amazonaws.com"
+        }
+        StringLike = {
+          "${local.oidc_domain}:sub" : "repo:${var.github_repo_name}:*"
+        }
+      }
+    }]
+  })
+}
+
+resource "aws_iam_policy" "this" {
+  count = var.workflow_step == "resources" ? 1 : 0
+  name  = "${var.app_name}-deploy-policy"
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "s3:PutObject",
+          "s3:GetObject",
+          "s3:ListBucket",
+          "s3:DeleteObject",
+          "s3:GetBucketLocation"
+        ]
+        Resource = [
+          "arn:aws:s3:::${local.domain_name}",
+          "arn:aws:s3:::${local.domain_name}/*"
+        ]
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "this" {
+  count      = var.workflow_step == "resources" ? 1 : 0
+  policy_arn = aws_iam_policy.this[0].arn
+  role       = aws_iam_role.this[0].name
+}
diff --git a/apps/s3-website/main.tf b/apps/s3-website/main.tf
@@ -0,0 +1,43 @@
+
+
+locals {
+  domain_name = "${var.subdomain}.${var.root_domain}"
+}
+
+module "subdomain_bucket" {
+  source      = "../../modules/s3/default"
+  bucket_name = local.domain_name
+  website_config = {
+    is_website = true
+  }
+  bucket_access_and_policy = "cloudflare"
+}
+
+module "root_bucket" {
+  count       = var.subdomain == "www" ? 1 : 0
+  source      = "../../modules/s3/default"
+  bucket_name = var.root_domain
+  website_config = {
+    redirect_to = local.domain_name
+  }
+  depends_on = [module.subdomain_bucket]
+}
+
+module "cloudflare" {
+  source      = "../../modules/cloudflare-record/default"
+  root_domain = var.root_domain
+  dns_records = concat(
+    [
+      {
+        name  = subdomain
+        value = module.subdomain_bucket.website_endpoint
+      }
+    ],
+    var.subdomain == "www" ? [
+      {
+        name  = "@"
+        value = module.root_bucket.website_endpoint
+      }
+    ] : []
+  )
+}
diff --git a/apps/s3-website/outputs.tf b/apps/s3-website/outputs.tf
@@ -0,0 +1,10 @@
+output "policy_document" {
+  value = module.iam_policy.policy_document
+}
+
+output "policy_documents" {
+  value = [
+    module.subdomain_bucket.policy_document,
+    try(module.root_bucket.policy_document, null)
+  ]
+}
diff --git a/apps/s3-website/variables.tf b/apps/s3-website/variables.tf
@@ -0,0 +1,24 @@
+variable "workflow_step" {
+  description = "iam|resources"
+  type        = string
+}
+
+variable "app_name" {
+  description = "Name"
+  type        = string
+}
+
+variable "root_domain" {
+  description = "Root domain name"
+  type        = string
+}
+
+variable "subdomain" {
+  description = "Subdomains. Use 'www' if website is root"
+  type        = string
+}
+
+variable "github_repo_name" {
+  description = "Repository name for deployment policy. '[github name]/[repo name]'"
+  type        = string
+}
diff --git a/environments/staging-and-prod/locals.tf b/environments/staging-and-prod/locals.tf
@@ -0,0 +1,41 @@
+locals {
+  root_domain = "carlssonk.com"
+  env_prefix  = var.environment == "prod" ? "" : "${var.environment}."
+
+  apps = {
+    portfolio = {
+      app_name         = "Portfolio"
+      root_domain      = local.root_domain
+      subdomain        = "www"
+      github_repo_name = "carlssonk/website"
+    }
+    fps = {
+      app_name         = "FirstPersonShooter"
+      root_domain      = local.root_domain
+      subdomain        = "fps"
+      github_repo_name = "carlssonk/fps"
+    }
+    terraform = {
+      app_name         = "TerraformDiagram"
+      root_domain      = local.root_domain
+      subdomain        = "terraform"
+      github_repo_name = "carlssonk/terraform-diagram"
+    }
+  }
+
+  # cloudflare_configuration = {
+  #   for app, config in local.apps : app => {
+  #     root_domain = local.base_domain
+  #     ruleset_rules = [
+  #       for subdomain in config.subdomains : {
+  #         action = "set_config"
+  #         action_parameters = {
+  #           ssl = "flexible"
+  #         }
+  #         expression  = "(http.host eq \"${local.env_prefix}${subdomain}${subdomain == "" ? "" : "."}${local.base_domain}\")"
+  #         description = "Cloudflare rules for ${app}"
+  #       }
+  #     ]
+  #   }
+  # }
+}
diff --git a/environments/staging-and-prod/main.tf b/environments/staging-and-prod/main.tf
@@ -94,7 +94,7 @@ module "cloudflare" {
   apps   = local.cloudflare_configuration
 }
 
-module "iam_policy" {
+module "common_policy" {
   workflow_step = var.workflow_step
   source        = "../../iam_policy"
   name          = "common"
@@ -105,41 +105,25 @@ module "iam_policy" {
   ])
 }
 
-output "common_policy_document" {
-  value = module.iam_policy.policy_document
-}
-
 ########################################################################
 ######################## APPLICATIONS/SERVICES #########################
 ########################################################################
 
-module "portfolio" {
-  workflow_step = var.workflow_step
-  source        = "../../apps/portfolio"
-  root_domain   = "carlssonk.com"
-  app_name      = "portfolio"
-}
-
-output "portfolio_policy_document" {
-  value = module.portfolio.policy_document
-}
-
-module "terraform_diagram" {
-  workflow_step = var.workflow_step
-  source        = "../../apps/terraform-diagram"
+module "s3_websites" {
+  for_each         = local.apps
+  workflow_step    = var.workflow_step
+  source           = "../../apps/s3-website"
+  root_domain      = each.value.root_domain
+  app_name         = each.value.app_name
+  subdomain        = each.value.subdomain
+  github_repo_name = each.value.github_repo_name
 }
 
-output "terraform_diagram_policy_document" {
-  value = module.terraform_diagram.policy_document
-}
-
-module "fps" {
-  workflow_step = var.workflow_step
-  source        = "../../apps/fps"
-}
-
-output "fps_policy_document" {
-  value = module.fps.policy_document
+module "s3_websites_policy" {
+  workflow_step    = var.workflow_step
+  source           = "../../iam_policy"
+  name             = "s3_websites"
+  policy_documents = flatten(values(module.s3_websites)[*].policy_documents)
 }
 
 ########################################################################
@@ -155,8 +139,12 @@ module "blackjack" {
   alb_listener_arn           = module.services.main_alb_listener_arn
   alb_listener_rule_priority = 100
 }
-output "blackjack_policy_document" {
-  value = module.blackjack.policy_document
+
+module "blackjack_policy" {
+  workflow_step    = var.workflow_step
+  source           = "../../iam_policy"
+  name             = "blackjack"
+  policy_documents = module.blackjack.policy_documents
 }
 
 ########################################################################
@@ -172,6 +160,10 @@ module "flagracer" {
   alb_listener_arn           = module.services.main_alb_listener_arn
   alb_listener_rule_priority = 99
 }
-output "flagracer_policy_document" {
-  value = module.flagracer.policy_document
+
+module "flagracer_policy" {
+  workflow_step    = var.workflow_step
+  source           = "../../iam_policy"
+  name             = "flagracer"
+  policy_documents = module.flagracer.policy_documents
 }
diff --git a/environments/staging-and-prod/outputs.tf b/environments/staging-and-prod/outputs.tf
@@ -0,0 +1,8 @@
+output "policy_documents" {
+  value = {
+    (module.common_policy.name)      = module.common_policy.policy_document
+    (module.s3_websites_policy.name) = module.s3_websites_policy.policy_document
+    (module.blackjack_policy.name)   = module.blackjack_policy.policy_document
+    (module.flagracer_policy.name)   = module.flagracer_policy.policy_document
+  }
+}
diff --git a/environments/staging-and-prod/prod.tfvars b/environments/staging-and-prod/prod.tfvars
@@ -1,3 +1,4 @@
+environment    = "prod"
 aws_region     = "eu-north-1"
 aws_account_id = "752502408032"
 organization   = "carlssonk"
diff --git a/environments/staging-and-prod/staging.tfvars b/environments/staging-and-prod/staging.tfvars
@@ -1,3 +1,4 @@
+environment    = "staging"
 aws_region     = "eu-north-1"
 aws_account_id = ""
 organization   = "carlssonk"

diff --git a/environments/staging-and-prod/variables.tf b/environments/staging-and-prod/variables.tf
@@ -22,3 +22,8 @@ variable "organization" {
   description = "Github account or organization name"
   type        = string
 }
+
+variable "environment" {
+  description = "Environment name"
+  type        = string
+}
diff --git a/iam_policy/main.tf b/iam_policy/main.tf
@@ -25,7 +25,7 @@ data "terraform_remote_state" "previous" {
 }
 
 locals {
-  previous_policy_document = tobool(module.globals.var.cleanup_policies) ? [] : try([data.terraform_remote_state.previous[0].outputs["${var.name}_policy_document"]], [])
+  previous_policy_document = tobool(module.globals.var.cleanup_policies) ? [] : try([data.terraform_remote_state.previous[0].outputs.policy_documents[var.name]], [])
   policies                 = distinct(concat(local.previous_policy_document, var.policy_documents))
 
   // Below logic groups all resources together that have the same permissions

diff --git a/iam_policy/outputs.tf b/iam_policy/outputs.tf
@@ -1,3 +1,7 @@
 output "policy_document" {
   value = jsonencode(local.policy_document_result)
 }
+
+output "name" {
+  value = var.name
+}