Merge branch 'main' into cloudformation-stackset-module

rsturla · Oct 4, 2024 · 5bb4890 · 5bb4890
2 parents 9218bc8 + 686e05d
commit 5bb4890
Show file tree

Hide file tree

Showing 16 changed files with 385 additions and 2 deletions.
diff --git a/modules/aws/identity/github-actions-oidc-provider/main.tf b/modules/aws/identity/github-actions-oidc-provider/main.tf
@@ -0,0 +1,13 @@
+data "aws_partition" "current" {}
+
+data "tls_certificate" "this" {
+  url = "https://token.actions.githubusercontent.com"
+}
+
+resource "aws_iam_openid_connect_provider" "this" {
+  url             = data.tls_certificate.this.url
+  client_id_list  = ["sts.${data.aws_partition.current.dns_suffix}"]
+  thumbprint_list = data.tls_certificate.this.certificates[*].sha1_fingerprint
+
+  tags = var.tags_all
+}
diff --git a/modules/aws/identity/github-actions-oidc-provider/outputs.tf b/modules/aws/identity/github-actions-oidc-provider/outputs.tf
diff --git a/modules/aws/identity/github-actions-oidc-provider/variables.tf b/modules/aws/identity/github-actions-oidc-provider/variables.tf
@@ -0,0 +1,5 @@
+variable "tags_all" {
+  description = "A map of tags to add to all resources"
+  type        = map(string)
+  default     = {}
+}
diff --git a/modules/aws/identity/github-actions-oidc-provider/versions.tf b/modules/aws/identity/github-actions-oidc-provider/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">=1.3"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">=4.0"
+    }
+  }
+}
diff --git a/modules/aws/identity/github-actions-role/main.tf b/modules/aws/identity/github-actions-role/main.tf
@@ -37,3 +37,42 @@ resource "aws_iam_role_policy_attachment" "this" {
   role       = aws_iam_role.this.name
   policy_arn = each.key
 }
+
+resource "aws_iam_role_policy_attachment" "custom_policy" {
+  count = length(var.policy_statements) > 0 ? 1 : 0
+
+  role       = aws_iam_role.this.name
+  policy_arn = aws_iam_policy.custom_policy[0].arn
+}
+
+resource "aws_iam_policy" "custom_policy" {
+  count = length(var.policy_statements) > 0 ? 1 : 0
+
+  name        = "${var.name}-policy"
+  description = "The IAM policy for the GitHub Actions role"
+  policy      = data.aws_iam_policy_document.custom_policy[0].json
+}
+
+data "aws_iam_policy_document" "custom_policy" {
+  count = length(var.policy_statements) > 0 ? 1 : 0
+
+  dynamic "statement" {
+    for_each = var.policy_statements
+    content {
+      sid         = statement.key
+      effect      = lookup(statement.value, "effect", null)
+      actions     = lookup(statement.value, "actions", null)
+      not_actions = lookup(statement.value, "not_actions", null)
+      resources   = lookup(statement.value, "resources", null)
+
+      dynamic "condition" {
+        for_each = lookup(statement.value, "condition", {})
+        content {
+          test     = condition.value.test
+          variable = condition.value.variable
+          values   = condition.value.values
+        }
+      }
+    }
+  }
+}
diff --git a/modules/aws/identity/github-actions-role/outputs.tf b/modules/aws/identity/github-actions-role/outputs.tf
@@ -1,4 +1,9 @@
-output "role_arn" {
+output "arn" {
+  description = "The ARN of the IAM role"
   value       = aws_iam_role.this.arn
-  description = "The ARN of the GitHub Actions role"
+}
+
+output "name" {
+  description = "The name of the IAM role"
+  value       = aws_iam_role.this.name
 }
diff --git a/modules/aws/identity/github-actions-role/variables.tf b/modules/aws/identity/github-actions-role/variables.tf
@@ -24,3 +24,9 @@ variable "policy_arns" {
   type        = list(string)
   default     = []
 }
+
+variable "policy_statements" {
+  description = "The IAM policy to attach to the role"
+  type        = any
+  default     = {}
+}
diff --git a/modules/aws/identity/iam-role/main.tf b/modules/aws/identity/iam-role/main.tf
@@ -0,0 +1,78 @@
+resource "aws_iam_role" "this" {
+  name               = var.name
+  assume_role_policy = data.aws_iam_policy_document.assume_role.json
+}
+
+data "aws_iam_policy_document" "assume_role" {
+  dynamic "statement" {
+    for_each = var.assume_role_statements
+    content {
+      sid     = statement.key
+      effect  = lookup(statement.value, "effect", "Allow")
+      actions = lookup(statement.value, "actions", null)
+
+      dynamic "condition" {
+        for_each = lookup(statement.value, "condition", {})
+        content {
+          test     = condition.value.test
+          variable = condition.value.variable
+          values   = condition.value.values
+        }
+      }
+
+      dynamic "principals" {
+        for_each = lookup(statement.value, "principals", {})
+        content {
+          type        = principals.value.type
+          identifiers = principals.value.identifiers
+        }
+      }
+    }
+  }
+}
+
+resource "aws_iam_role_policy_attachment" "this" {
+  for_each = toset(var.policy_arns)
+
+  role       = aws_iam_role.this.name
+  policy_arn = each.key
+}
+
+resource "aws_iam_role_policy_attachment" "custom_policy" {
+  count = length(var.policy_statements) > 0 ? 1 : 0
+
+  role       = aws_iam_role.this.name
+  policy_arn = aws_iam_policy.custom_policy[0].arn
+}
+
+resource "aws_iam_policy" "custom_policy" {
+  count = length(var.policy_statements) > 0 ? 1 : 0
+
+  name        = "${var.name}-policy"
+  description = "The IAM policy for the GitHub Actions role"
+  policy      = data.aws_iam_policy_document.custom_policy[0].json
+}
+
+data "aws_iam_policy_document" "custom_policy" {
+  count = length(var.policy_statements) > 0 ? 1 : 0
+
+  dynamic "statement" {
+    for_each = var.policy_statements
+    content {
+      sid         = statement.key
+      effect      = lookup(statement.value, "effect", null)
+      actions     = lookup(statement.value, "actions", null)
+      not_actions = lookup(statement.value, "not_actions", null)
+      resources   = lookup(statement.value, "resources", null)
+
+      dynamic "condition" {
+        for_each = lookup(statement.value, "condition", {})
+        content {
+          test     = condition.value.test
+          variable = condition.value.variable
+          values   = condition.value.values
+        }
+      }
+    }
+  }
+}
diff --git a/modules/aws/identity/iam-role/outputs.tf b/modules/aws/identity/iam-role/outputs.tf
@@ -0,0 +1,9 @@
+output "arn" {
+  description = "The ARN of the IAM role"
+  value       = aws_iam_role.this.arn
+}
+
+output "name" {
+  description = "The name of the IAM role"
+  value       = aws_iam_role.this.name
+}
diff --git a/modules/aws/identity/iam-role/variables.tf b/modules/aws/identity/iam-role/variables.tf
@@ -0,0 +1,22 @@
+variable "name" {
+  description = "The name of the IAM role"
+  type        = string
+}
+
+variable "assume_role_statements" {
+  description = "The IAM trust policy for the role"
+  type        = any
+  default     = {}
+}
+
+variable "policy_arns" {
+  description = "The ARNs of the IAM policies to attach to the role"
+  type        = list(string)
+  default     = []
+}
+
+variable "policy_statements" {
+  description = "The IAM policy to attach to the role"
+  type        = any
+  default     = {}
+}
diff --git a/modules/aws/identity/iam-role/versions.tf b/modules/aws/identity/iam-role/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">=1.3"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">=4.0"
+    }
+  }
+}
diff --git a/modules/aws/misc/cloudformation-stack/iam.tf b/modules/aws/misc/cloudformation-stack/iam.tf
@@ -0,0 +1,72 @@
+resource "aws_iam_role" "cloudformation_stack_assume_role" {
+  name               = "${var.name}-assume-role"
+  assume_role_policy = data.aws_iam_policy_document.cloudformation_stack_assume_role.json
+  tags = merge(var.tags_all, {
+    Name = "${var.name}-assume-role",
+  })
+}
+
+data "aws_iam_policy_document" "cloudformation_stack_assume_role" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["cloudformation.amazonaws.com"]
+    }
+  }
+}
+
+data "aws_iam_policy_document" "cloudformation_stack_assume_policy" {
+  count = length(var.assume_policy_statements) > 0 ? 1 : 0
+  dynamic "statement" {
+    for_each = var.assume_policy_statements
+    content {
+      sid         = statement.key
+      effect      = lookup(statement.value, "effect", null)
+      actions     = lookup(statement.value, "actions", null)
+      not_actions = lookup(statement.value, "not_actions", null)
+      resources   = lookup(statement.value, "resources", ["*"])
+
+      dynamic "principals" {
+        for_each = lookup(statement.value, "principals", {})
+        content {
+          type        = principals.key
+          identifiers = principals.value
+        }
+      }
+
+      dynamic "not_principals" {
+        for_each = lookup(statement.value, "not_principals", {})
+        content {
+          type        = not_principals.key
+          identifiers = not_principals.value
+        }
+      }
+
+      dynamic "condition" {
+        for_each = lookup(statement.value, "condition", {})
+        content {
+          test     = condition.value.test
+          variable = condition.value.variable
+          values   = condition.value.values
+        }
+      }
+    }
+  }
+}
+
+resource "aws_iam_policy" "additional_permissions_policy" {
+  count  = length(var.assume_policy_statements) > 0 ? 1 : 0
+  name   = "${var.name}-additional-permissions-policy"
+  policy = data.aws_iam_policy_document.cloudformation_stack_assume_policy[0].json
+}
+
+resource "aws_iam_policy_attachment" "additional_permissions_attachment" {
+  count = length(var.assume_policy_statements) > 0 ? 1 : 0
+  name  = "${var.name}-assume-policy-attachment"
+  roles = [
+    aws_iam_role.cloudformation_stack_assume_role.name,
+  ]
+  policy_arn = aws_iam_policy.additional_permissions_policy[0].arn
+}
diff --git a/modules/aws/misc/cloudformation-stack/main.tf b/modules/aws/misc/cloudformation-stack/main.tf
@@ -0,0 +1,19 @@
+resource "aws_cloudformation_stack" "this" {
+  name               = var.name
+  template_body      = var.template_body
+  template_url       = var.template_url
+  capabilities       = var.capabilities
+  disable_rollback   = var.disable_rollback
+  notification_arns  = var.notification_arns
+  on_failure         = var.on_failure
+  parameters         = var.parameters
+  policy_body        = var.cloudformation_stack_policy_body
+  policy_url         = var.cloudformation_stack_policy_url
+  iam_role_arn       = aws_iam_role.cloudformation_stack_assume_role.arn
+  timeout_in_minutes = var.timeout_in_minutes
+  tags = merge(var.tags_all, {
+    Name = var.name,
+  })
+
+  depends_on = [aws_iam_policy_attachment.additional_permissions_attachment]
+}
diff --git a/modules/aws/misc/cloudformation-stack/outputs.tf b/modules/aws/misc/cloudformation-stack/outputs.tf
@@ -0,0 +1,9 @@
+output "cloudformation_stack_id" {
+  value       = aws_cloudformation_stack.this.id
+  description = "The ID of the created cloudformation stack"
+}
+
+output "cloudformation_stack_outputs" {
+  value       = aws_cloudformation_stack.this.outputs
+  description = "The outputs of the created cloudformation stack"
+}
diff --git a/modules/aws/misc/cloudformation-stack/variables.tf b/modules/aws/misc/cloudformation-stack/variables.tf
@@ -0,0 +1,76 @@
+variable "name" {
+  type        = string
+  description = "Name of the Cloudformation Stack"
+}
+
+variable "tags_all" {
+  type        = map(string)
+  description = "A map of tags to add to all resources"
+  default     = {}
+}
+
+variable "template_body" {
+  type        = string
+  description = "Structure containing the template body"
+  default     = null
+}
+
+variable "template_url" {
+  type        = string
+  description = "Location of file containing the template body"
+  default     = null
+}
+
+variable "capabilities" {
+  type        = list(string)
+  description = "A list of capabilities. Valid values: CAPABILITY_IAM, CAPABILITY_NAMED_IAM, or CAPABILITY_AUTO_EXPAND"
+  default     = null
+}
+
+variable "disable_rollback" {
+  type        = bool
+  description = "Determines whether to rollback the stack if stack creation failed. Conflicts with on_failure"
+  default     = null
+}
+
+variable "notification_arns" {
+  type        = list(string)
+  description = "A list of SNS topic ARNs to publish stack related events"
+  default     = []
+}
+
+variable "on_failure" {
+  type        = string
+  description = "Action to be taken if stack creation fails. This must be one of: DO_NOTHING, ROLLBACK, or DELETE. Conflicts with disable_rollback"
+  default     = null
+}
+
+variable "parameters" {
+  type        = map(string)
+  description = "A map of parameters to pass to the stack"
+  default     = {}
+}
+
+variable "cloudformation_stack_policy_body" {
+  type        = any
+  description = "Structure containing the stack policy body. Conflicts with policy_url"
+  default     = null
+}
+
+variable "cloudformation_stack_policy_url" {
+  type        = string
+  description = "Location of a file containing the stack policy body. Conflicts w/ policy_body"
+  default     = null
+}
+
+variable "timeout_in_minutes" {
+  type        = number
+  description = "The amount of time that can pass before the stack status becomes CREATE_FAILED"
+  default     = null
+}
+
+variable "assume_policy_statements" {
+  type        = any
+  description = "The IAM policy to apply to this cloudformation stack."
+  default     = {}
+}