Merge pull request #8 from zebrunner/#4
Described actions for terraform deploy/support/destroy
vdelendik authored Jul 30, 2024
2 parents 9e495e7 + fcd45e9 commit 3bde8fc
Showing 8 changed files with 608 additions and 4 deletions.
1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -3,3 +3,4 @@ terraform.tfstate
terraform.tfstate.backup
*.terraform
*.plan
111_*/
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -27,6 +27,7 @@ git clone https://github.com/zebrunner/e3s-terraform-deploy.git && cd ./e3s-terr
* `enable_cloudwatch` - Value type: boolean. Default value: `false`. Enables tasks logs display at aws ecs console.
* `e3s_server_instance_type` - Value type: string. Default value: `m5n.large`. Instance type for e3s-server.
* `data_layer_remote` - Value type: boolean. Default value: `true`. Determines whether to create rds and elasticache services in aws cloud or use local ones instead.
* `profile` - Value type: string. Default value: `None`. Aws profile to use in terraform provider.
* `remote_db` - Value type: object. Default value:
`{
username = "postgres"
4 changes: 2 additions & 2 deletions deploy/provider.tf
Expand Up @@ -20,8 +20,8 @@ terraform {
}

provider "aws" {
region = var.region

region = var.region
profile = var.profile
default_tags {
tags = {
Environment = var.environment
3 changes: 2 additions & 1 deletion deploy/rds.tf
Expand Up @@ -7,7 +7,8 @@ resource "aws_db_subnet_group" "rds" {

resource "aws_db_instance" "postgres" {
count = var.data_layer_remote ? 1 : 0
db_name = local.e3s_rds_db_name
identifier = local.e3s_rds_db_name
db_name = "postgres"
allocated_storage = 10
max_allocated_storage = 30
instance_class = "db.t4g.small"
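Review bot: `db_name` on `aws_db_instance` is, as far as I recall, a replacement-forcing attribute, so switching it from `local.e3s_rds_db_name` to the literal `"postgres"` will make Terraform plan a destroy-and-recreate of any already-deployed instance rather than an in-place change, taking its data with it unless a final snapshot is kept. This deserves a mention for existing environments and a comment at the line, e.g. `db_name = "postgres" # forces replacement if changed on a deployed instance`. The rest of the resource body continues below the hunk, so I cannot see whether `deletion_protection` or `skip_final_snapshot` guard this; please confirm before merging an upgrade path.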
7 changes: 6 additions & 1 deletion deploy/vars.tf
Expand Up @@ -50,6 +50,11 @@ variable "data_layer_remote" {
default = true
}

variable "profile" {
type = string
default = ""
}

variable "remote_db" {
type = object({
username = string
Expand Down Expand Up @@ -137,6 +142,6 @@ locals {
e3s_log_group_name = join("-", [local.service_name, var.environment, "log-group"])

e3s_rds_subnet_name = join("-", [local.service_name, var.environment, "rds", "subnet"])
e3s_rds_db_name = join("_", [local.service_name, var.environment, "postgres"])
e3s_rds_db_name = join("-", [local.service_name, var.environment, "postgres"])
e3s_serverless_cache_name = join("-", [local.service_name, var.environment, "redis"])
}
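Review bot: `variable "profile"` defaults to `""` while the README hunk in this same commit documents the default as `None`; the two should agree, and `default = null` is the safer choice, because null is unambiguously "not set" for the provider's `profile` argument and lets it fall back to the normal credential chain (`AWS_PROFILE`, environment variables, instance role) without relying on the provider treating an empty string as unset. The variable also has no `description`; I'd add `description = "Named AWS CLI profile for the provider; null uses the default credential chain"`. Separately, `local.e3s_rds_db_name` is now consumed as the RDS `identifier` in rds.tf rather than as a database name, so the local would read more honestly as `e3s_rds_identifier`; presumably the switch from `_` to `-` is because RDS identifiers reject underscores while PostgreSQL database names reject hyphens, which is worth a one-line comment next to the local.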
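--- a/policies/terraform-ec2-deploy-policy.json
+++ b/policies/terraform-ec2-deploy-policy.json
@@ -0,0 +1,274 @@
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Sid": "EC2OnResourcesByTags",
+"Effect": "Allow",
+"Action": [
+"ec2:DeleteKeyPair",
+"ec2:DescribeVpcAttribute",
+"ec2:DeleteVpc",
+"ec2:ModifyVpcAttribute",
+"ec2:DeleteSecurityGroup",
+"ec2:RevokeSecurityGroupIngress",
+"ec2:RevokeSecurityGroupEgress",
+"ec2:DeleteSubnet",
+"ec2:ModifySubnetAttribute",
+"ec2:ReleaseAddress",
+"ec2:AttachInternetGateway",
+"ec2:DeleteInternetGateway",
+"ec2:DetachInternetGateway",
+"ec2:DeleteRouteTable",
+"ec2:CreateRoute",
+"ec2:AssociateRouteTable",
+"ec2:DisassociateRouteTable",
+"ec2:DeleteVpcEndpoints",
+"ec2:DeleteNatGateway",
+"ec2:DeleteLaunchTemplate",
+"ec2:CreateLaunchTemplateVersion",
+"ec2:DeleteLaunchTemplateVersions"
+],
+"Resource": [
+"arn:aws:ec2:{region}:{account}:vpc/*",
+"arn:aws:ec2:{region}:{account}:key-pair/e3s-{env}-agent",
+"arn:aws:ec2:{region}:{account}:security-group/*",
+"arn:aws:ec2:{region}:{account}:subnet/*",
+"arn:aws:ec2:{region}:{account}:elastic-ip/*",
+"arn:aws:ec2:{region}:{account}:internet-gateway/*",
+"arn:aws:ec2:{region}:{account}:route-table/*",
+"arn:aws:ec2:{region}:{account}:vpc-endpoint/*",
+"arn:aws:ec2:{region}:{account}:natgateway/*",
+"arn:aws:ec2:{region}:{account}:launch-template/*"
+],
+"Condition": {
+"StringEquals": {
+"ec2:ResourceTag/Name": "e3s",
+"ec2:ResourceTag/Environment": "{env}"
+}
+}
+},
+{
+"Sid": "DisassociateAddress",
+"Effect": "Allow",
+"Action": [
+"ec2:DisassociateAddress"
+],
+"Resource": "arn:aws:ec2:{region}:{account}:*/*"
+},
+{
+"Sid": "E3SServerTermination",
+"Effect": "Allow",
+"Action": [
+"ec2:TerminateInstances"
+],
+"Resource": "arn:aws:ec2:{region}:{account}:instance/*",
+"Condition": {
+"StringEquals": {
+"ec2:ResourceTag/Name": "e3s-{env}",
+"ec2:ResourceTag/Environment": "{env}"
+}
+}
+},
+{
+"Sid": "EC2CreateWithTag",
+"Effect": "Allow",
+"Action": [
+"ec2:ImportKeyPair",
+"ec2:CreateVpc",
+"ec2:AllocateAddress",
+"ec2:CreateInternetGateway",
+"ec2:CreateLaunchTemplate"
+],
+"Resource": [
+"arn:aws:ec2:{region}:{account}:key-pair/e3s-{env}-agent",
+"arn:aws:ec2:{region}:{account}:vpc/*",
+"arn:aws:ec2:{region}:{account}:elastic-ip/*",
+"arn:aws:ec2:{region}:{account}:internet-gateway/*",
+"arn:aws:ec2:{region}:{account}:launch-template/*"
+],
+"Condition": {
+"StringEquals": {
+"aws:RequestTag/Name": "e3s",
+"aws:RequestTag/Environment": "{env}"
+}
+}
+},
+{
+"Sid": "EC2VpcWithTag",
+"Effect": "Allow",
+"Action": [
+"ec2:CreateSecurityGroup",
+"ec2:CreateSubnet",
+"ec2:CreateRouteTable"
+],
+"Resource": [
+"arn:aws:ec2:{region}:{account}:security-group/*",
+"arn:aws:ec2:{region}:{account}:subnet/*",
+"arn:aws:ec2:{region}:{account}:route-table/*"
+],
+"Condition": {
+"StringEquals": {
+"aws:RequestTag/Name": "e3s",
+"aws:RequestTag/Environment": "{env}"
+}
+}
+},
+{
+"Sid": "EC2VpcByTag",
+"Effect": "Allow",
+"Action": [
+"ec2:CreateSecurityGroup",
+"ec2:CreateSubnet",
+"ec2:CreateRouteTable"
+],
+"Resource": [
+"arn:aws:ec2:{region}:{account}:vpc/*"
+],
+"Condition": {
+"StringEquals": {
+"ec2:ResourceTag/Name": "e3s",
+"ec2:ResourceTag/Environment": "{env}"
+}
+}
+},
+{
+"Sid": "SGRuleWithTag",
+"Effect": "Allow",
+"Action": [
+"ec2:AuthorizeSecurityGroupIngress",
+"ec2:AuthorizeSecurityGroupEgress"
+],
+"Resource": [
+"arn:aws:ec2:{region}:{account}:security-group-rule/*"
+],
+"Condition": {
+"StringEquals": {
+"ec2:RequestTag/Name": "e3s",
+"ec2:RequestTag/Environment": "{env}"
+}
+}
+},
+{
+"Sid": "SGRuleByTag",
+"Effect": "Allow",
+"Action": [
+"ec2:AuthorizeSecurityGroupIngress",
+"ec2:AuthorizeSecurityGroupEgress"
+],
+"Resource": [
+"arn:aws:ec2:{region}:{account}:security-group/*"
+],
+"Condition": {
+"StringEquals": {
+"ec2:ResourceTag/Name": "e3s",
+"ec2:ResourceTag/Environment": "{env}"
+}
+}
+},
+{
+"Sid": "Nat",
+"Effect": "Allow",
+"Action": [
+"ec2:CreateNatGateway"
+],
+"Resource": [
+"arn:aws:ec2:{region}:{account}:natgateway/*"
+]
+},
+{
+"Sid": "NatByTags",
+"Effect": "Allow",
+"Action": [
+"ec2:CreateNatGateway"
+],
+"Resource": [
+"arn:aws:ec2:{region}:{account}:subnet/*",
+"arn:aws:ec2:{region}:{account}:elastic-ip/*"
+],
+"Condition": {
+"StringEquals": {
+"ec2:ResourceTag/Name": "e3s",
+"ec2:ResourceTag/Environment": "{env}"
+}
+}
+},
+{
+"Sid": "VpcEndpointWithTags",
+"Effect": "Allow",
+"Action": [
+"ec2:CreateVpcEndpoint"
+],
+"Resource": [
+"arn:aws:ec2:{region}:{account}:vpc-endpoint/*"
+],
+"Condition": {
+"StringEquals": {
+"aws:RequestTag/Name": "e3s",
+"aws:RequestTag/Environment": "{env}"
+}
+}
+},
+{
+"Sid": "VpcEndpointByTags",
+"Effect": "Allow",
+"Action": [
+"ec2:CreateVpcEndpoint"
+],
+"Resource": [
+"arn:aws:ec2:{region}:{account}:vpc/*",
+"arn:aws:ec2:{region}:{account}:subnet/*",
+"arn:aws:ec2:{region}:{account}:route-table/*",
+"arn:aws:ec2:{region}:{account}:security-group/*"
+],
+"Condition": {
+"StringEquals": {
+"ec2:ResourceTag/Name": "e3s",
+"ec2:ResourceTag/Environment": "{env}"
+}
+}
+},
+{
+"Sid": "E3SKeyPar",
+"Effect": "Allow",
+"Action": [
+"ec2:ImportKeyPair"
+],
+"Resource": [
+"arn:aws:ec2:{region}:{account}:key-pair/{e3s-key-name}"
+]
+},
+{
+"Sid": "EC2RunInstances",
+"Effect": "Allow",
+"Action": [
+"ec2:RunInstances"
+],
+"Resource": [
+"arn:aws:ec2:{region}::image/*",
+"arn:aws:ec2:{region}:{account}:instance/*",
+"arn:aws:ec2:{region}:{account}:volume/*",
+"arn:aws:ec2:{region}:{account}:network-interface/*",
+"arn:aws:ec2:{region}:{account}:key-pair/{e3s-key-name}",
+"arn:aws:ec2:{region}:{account}:key-pair/e3s-{env}-agent"
+]
+},
+{
+"Sid": "EC2RunInstancesByTags",
+"Effect": "Allow",
+"Action": [
+"ec2:RunInstances"
+],
+"Resource": [
+"arn:aws:ec2:{region}:{account}:security-group/*",
+"arn:aws:ec2:{region}:{account}:subnet/*",
+"arn:aws:ec2:{region}:{account}:launch-template/*"
+],
+"Condition": {
+"StringEquals": {
+"ec2:ResourceTag/Name": "e3s",
+"ec2:ResourceTag/Environment": "{env}"
+}
+}
+}
+]
+}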
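Review bot: The `SGRuleWithTag` statement conditions on `ec2:RequestTag/Name` and `ec2:RequestTag/Environment`, while every other tag-on-create statement in this file (`EC2CreateWithTag`, `EC2VpcWithTag`, `VpcEndpointWithTags`) uses the global `aws:RequestTag/...` key; a `StringEquals` on a key that is not present in the request evaluates to false, so as written this statement authorizes nothing on `security-group-rule/*` and should read `"aws:RequestTag/Name": "e3s"` and `"aws:RequestTag/Environment": "{env}"`. Two statements are also looser than their siblings: `DisassociateAddress` is granted on `arn:aws:ec2:{region}:{account}:*/*` with no condition, and `Nat` grants `ec2:CreateNatGateway` on `natgateway/*` without the `aws:RequestTag` check the other create statements carry, so this principal can disassociate any EIP and create untagged NAT gateways in the account; add the same `aws:RequestTag`/`ec2:ResourceTag` conditions where the action supports them. No `ec2:CreateTags` (needed alongside the `aws:RequestTag` conditions for tag-on-create to succeed) and no `ec2:Describe*` actions appear in this file; presumably they live in one of the two changed files not shown on this page, which is worth confirming. Minor: the Sid `E3SKeyPar` looks like a typo for `E3SKeyPair`.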