Add examples

sudoblark · Sep 18, 2024 · f48476a · f48476a
1 parent 1d6a705
commit f48476a
Show file tree

Hide file tree

Showing 9 changed files with 87 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -75,7 +75,7 @@ the module itself, and the [examples](#examples) section which has examples of h
 |------|-------------|------|---------|:--------:|
 | <a name="input_application_name"></a> [application\_name](#input\_application\_name) | Name of the application utilising resource. | `string` | n/a | yes |
 | <a name="input_environment"></a> [environment](#input\_environment) | Which environment this is being instantiated in. | `string` | n/a | yes |
-| <a name="input_raw_state_machines"></a> [raw\_state\_machines](#input\_raw\_state\_machines) | Data structure<br>---------------<br>A list of dictionaries, where each dictionary has the following attributes:<br><br>REQUIRED<br>---------<br>- template\_file         : Which file under application/state\_machine\_definition this machine corresponds to<br>- template\_input        : A dictionary of key/value pairs, outlining in detail the inputs needed for a template to be instantiated<br>- suffix                : Friendly name for the state function<br>- iam\_policy\_statements : A list of dictionaries where each dictionary is an IAM statement defining glue job permissions<br>-- Each dictionary in this list must define the following attributes:<br>--- sid: Friendly name for the policy, no spaces or special characters allowed<br>--- actions: A list of IAM actions the state machine is allowed to perform<br>--- resources: Which resource(s) the state machine may perform the above actions against<br>--- conditions    : An OPTIONAL list of dictionaries, which each defines:<br>---- test         : Test condition for limiting the action<br>---- variable     : Value to test<br>---- values       : A list of strings, denoting what to test for<br><br><br>OPTIONAL<br>---------<br>- cloudwatch\_retention  : How many days logs should be retained for in Cloudwatch, defaults to 90 | <pre>list(<br>    object({<br>      template_file  = string,<br>      template_input = map(string),<br>      suffix         = string,<br>      iam_policy_statements = list(<br>        object({<br>          sid       = string,<br>          actions   = list(string),<br>          resources = list(string),<br>          conditions = optional(list(<br>            object({<br>              test : string,<br>              variable : string,<br>              values = list(string)<br>            })<br>          ), [])<br>        })<br>      ),<br>      cloudwatch_retention = optional(number, 90)<br>    })<br>  )</pre> | n/a | yes |
+| <a name="input_raw_state_machines"></a> [raw\_state\_machines](#input\_raw\_state\_machines) | Data structure<br>---------------<br>A list of dictionaries, where each dictionary has the following attributes:<br><br>REQUIRED<br>---------<br>- template\_file         : File path which this machine corresponds to<br>- template\_input        : A dictionary of key/value pairs, outlining in detail the inputs needed for a template to be instantiated<br>- suffix                : Friendly name for the state function<br>- iam\_policy\_statements : A list of dictionaries where each dictionary is an IAM statement defining glue job permissions<br>-- Each dictionary in this list must define the following attributes:<br>--- sid: Friendly name for the policy, no spaces or special characters allowed<br>--- actions: A list of IAM actions the state machine is allowed to perform<br>--- resources: Which resource(s) the state machine may perform the above actions against<br>--- conditions    : An OPTIONAL list of dictionaries, which each defines:<br>---- test         : Test condition for limiting the action<br>---- variable     : Value to test<br>---- values       : A list of strings, denoting what to test for<br><br><br>OPTIONAL<br>---------<br>- cloudwatch\_retention  : How many days logs should be retained for in Cloudwatch, defaults to 90 | <pre>list(<br>    object({<br>      template_file  = string,<br>      template_input = map(string),<br>      suffix         = string,<br>      iam_policy_statements = list(<br>        object({<br>          sid       = string,<br>          actions   = list(string),<br>          resources = list(string),<br>          conditions = optional(list(<br>            object({<br>              test : string,<br>              variable : string,<br>              values = list(string)<br>            })<br>          ), [])<br>        })<br>      ),<br>      cloudwatch_retention = optional(number, 90)<br>    })<br>  )</pre> | n/a | yes |
 | <a name="input_vpc_config"></a> [vpc\_config](#input\_vpc\_config) | AWS VPC ID | `string` | n/a | yes |
 
 ## Outputs
@@ -91,7 +91,7 @@ A list of dictionaries, where each dictionary has the following attributes:
 
 REQUIRED
 ---------
-- template_file         : Which file under application/state_machine_definition this machine corresponds to
+- template_file         : File path which this machine corresponds to
 - template_input        : A dictionary of key/value pairs, outlining in detail the inputs needed for a template to be instantiated
 - suffix                : Friendly name for the state function
 - iam_policy_statements : A list of dictionaries where each dictionary is an IAM statement defining glue job permissions

diff --git a/aws_iam_policy_document.tf b/aws_iam_policy_document.tf
@@ -31,6 +31,7 @@ locals {
               "arn:aws:logs:${data.aws_region.current_region.name}:${data.aws_caller_identity.current_account.account_id}:log-group:/aws/stepfunction/${format("%s-%s-%s-stepfunction", var.environment, var.application_name, state_machine.suffix)}",
               "arn:aws:logs:${data.aws_region.current_region.name}:${data.aws_caller_identity.current_account.account_id}:log-group:/aws/stepfunction/${format("%s-%s-%s-stepfunction", var.environment, var.application_name, state_machine.suffix)}:*"
             ]
+            conditions = []
           },
           {
             sid = "AllowCloudwatchLogDelivery",
@@ -44,7 +45,8 @@ locals {
               "logs:ListLogDeliveries",
               "logs:DescribeLogGroups"
             ],
-            resources = ["*"]
+            resources  = ["*"]
+            conditions = []
           }
         ]
       )

diff --git a/examples/step-function/.terraform-version b/examples/step-function/.terraform-version
@@ -0,0 +1 @@
+1.5.1
diff --git a/examples/step-function/data.tf b/examples/step-function/data.tf
@@ -0,0 +1,8 @@
+# Get current region
+data "aws_region" "current_region" {}
+
+# Retrieve the current AWS Account info
+data "aws_caller_identity" "current_account" {}
+
+# Retrieve the default VPC
+data "aws_vpc" "current" {}
diff --git a/examples/step-function/files/step-function.json b/examples/step-function/files/step-function.json
@@ -0,0 +1,11 @@
+{
+  "Comment": "A Hello World example of the Amazon States Language using an AWS Lambda Function",
+  "StartAt": "HelloWorld",
+  "States": {
+    "HelloWorld": {
+      "Type": "Task",
+      "Resource": "${lambda-arn}",
+      "End": true
+    }
+  }
+}
diff --git a/examples/step-function/locals.tf b/examples/step-function/locals.tf
@@ -0,0 +1,23 @@
+locals {
+  raw_state_machines = [
+    {
+      suffix : "hello-world",
+      template_file : "${path.module}/files/step-function.json",
+      template_input : {
+        "lambda-arn" : "arn:aws:lambda:${data.aws_region.current_region.name}:${data.aws_caller_identity.current_account.account_id}:function:hello-world-function"
+      },
+      iam_policy_statements : [
+        {
+          sid : "AllowLambdaExecution",
+          actions : [
+            "lambda:InvokeFunction",
+            "lambda:InvokeAsync",
+          ],
+          resources : [
+            "arn:aws:lambda:${data.aws_region.current_region.name}:${data.aws_caller_identity.current_account.account_id}:function:hello-world-function"
+          ]
+        }
+      ]
+    }
+  ]
+}
diff --git a/examples/step-function/main.tf b/examples/step-function/main.tf
@@ -0,0 +1,23 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.61.0"
+    }
+  }
+  required_version = "~> 1.5.0"
+}
+
+provider "aws" {
+  region = "eu-west-2"
+}
+
+module "step_function" {
+  source = "github.com/sudoblark/sudoblark.terraform.module.aws.state_machine?ref=1.0.0"
+
+  application_name   = var.application_name
+  environment        = var.environment
+  raw_state_machines = local.raw_state_machines
+  vpc_config         = data.aws_vpc.current.id
+
+}
diff --git a/examples/step-function/variables.tf b/examples/step-function/variables.tf
@@ -0,0 +1,15 @@
+variable "environment" {
+  description = "Which environment this is being instantiated in."
+  type        = string
+  validation {
+    condition     = contains(["dev", "test", "prod"], var.environment)
+    error_message = "Must be either dev, test or prod"
+  }
+  default = "prod"
+}
+
+variable "application_name" {
+  description = "Name of the application utilising the resource resource."
+  type        = string
+  default     = "demo-app"
+}
diff --git a/variables.tf b/variables.tf
@@ -27,7 +27,7 @@ A list of dictionaries, where each dictionary has the following attributes:
 
 REQUIRED
 ---------
-- template_file         : Which file under application/state_machine_definition this machine corresponds to
+- template_file         : File path which this machine corresponds to
 - template_input        : A dictionary of key/value pairs, outlining in detail the inputs needed for a template to be instantiated
 - suffix                : Friendly name for the state function
 - iam_policy_statements : A list of dictionaries where each dictionary is an IAM statement defining glue job permissions