
Commit e3c5e74

authored
VED-357 Imported AWS resources into infra (#633)
1 parent af6c41e commit e3c5e74


17 files changed

+541
-170
lines changed


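--- a/infra/.env-default
+++ b/infra/.env-default
@@ -0,0 +1,5 @@
+ENVIRONMENT=
+AWS_REGION=
+AWS_PROFILE=
+BUCKET_NAME=
+TF_VAR_key=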
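Review bot: `TF_VAR_key=` is the one entry whose meaning cannot be read from its name, and because the real values live in the untracked `.env`, this template is the only place that documents them. A comment above it, e.g. `# TF_VAR_key: value for the Terraform input variable "key"`, would tell a new operator what belongs there; a `#` line is harmless to the Makefile's `-include .env`, since make treats it as a comment. If `.env` is not already listed in `.gitignore` it should be (that file is not shown on this page), as it will carry the real per-operator values.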

infra/.terraform.lock.hcl

Lines changed: 16 additions & 38 deletions

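--- a/infra/Makefile
+++ b/infra/Makefile
@@ -0,0 +1,49 @@
+-include .env
+
+interactionId=$(ENVIRONMENT)
+
+tf_cmd = AWS_PROFILE=$(AWS_PROFILE) terraform
+tf_state= -backend-config="bucket=$(BUCKET_NAME)"
+tf_vars= -var-file=environments/$(ENVIRONMENT)/variables.tfvars
+
+.PHONY: lock-provider workspace init plan apply clean destroy output tf-%
+
+lock-provider:
+	# Run this only when you install a new terraform provider. This will generate sha code in lock file for all platform
+	echo "This may take a while. Be patient!"
+	$(tf_cmd) providers lock -platform=darwin_arm64 -platform=darwin_amd64 -platform=linux_amd64 -platform=windows_amd64
+
+workspace:
+	$(tf_cmd) workspace new $(ENVIRONMENT) || $(tf_cmd) workspace select $(ENVIRONMENT) && echo "Switched to workspace/environment: $(ENVIRONMENT)"
+
+init:
+	$(tf_cmd) init $(tf_state) -upgrade $(tf_vars)
+
+init-reconfigure:
+	$(tf_cmd) init $(tf_state) -upgrade $(tf_vars) -reconfigure
+
+plan: workspace
+	$(tf_cmd) plan $(tf_vars)
+
+apply: workspace
+	$(tf_cmd) apply $(tf_vars) -auto-approve
+
+clean:
+	rm -rf build .terraform upload-key
+
+destroy: workspace
+	$(tf_cmd) destroy $(tf_vars) -auto-approve
+	$(tf_cmd) workspace select default
+	$(tf_cmd) workspace delete $(ENVIRONMENT)
+
+output:
+ifndef name
+	$(error name variable not set. Use 'make output name=...')
+endif
+	$(tf_cmd) output -raw $(name)
+
+import:
+	$(tf_cmd) import $(tf_vars) $(to) $(id)
+
+tf-%:
+	$(tf_cmd) $*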
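Review bot: Nothing checks that `.env` was actually loaded: `-include .env` tolerates a missing file, so with `ENVIRONMENT` or `BUCKET_NAME` unset `make init` runs `terraform init -backend-config="bucket=" … -var-file=environments//variables.tfvars`, and the `workspace` prerequisite on `plan`/`apply`/`destroy` is protected only by terraform rejecting an empty workspace name, not by any make-level check. A parse-time guard right after the include, `ifeq ($(strip $(ENVIRONMENT)),)` / `$(error ENVIRONMENT is not set; copy .env-default to .env and fill it in)` / `endif` (and the same for `BUCKET_NAME`), fails fast for every target. The `.PHONY` list omits `init-reconfigure` and `import`, and `import` should validate `to` and `id` the way `output` validates `name`. `apply` plans afresh rather than applying the plan reviewed with `make plan`; `plan -out=tfplan` paired with `apply tfplan` would make the README's review step binding, which matters once `-auto-approve` is in play. The rendered page drops indentation, so confirm the `$(error …)` line under `output` is a tab-indented recipe line — at column 0 it would be evaluated at parse time and break every invocation where `name` is unset.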

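--- a/infra/README.MD
+++ b/infra/README.MD
@@ -0,0 +1,13 @@
+# About
+Use .env-default as a reference for the required environment variables.
+You can use the commands defined in the Makefile to interact with the infrastructure resources.
+
+Currently, this process is run manually whenever we need to update the base layer of our infrastructure. These core resources remain consistent across all deployments.
+
+## Steps
+The general procedures are:
+1. Configure your environment by copying and updating `.env` based on the `.env-default` file.
+2. Run `make init` to initialize the Terraform project.
+3. Run `make plan` to review the proposed infrastructure changes.
+
+4. Once you're confident in the plan and understand its impact, execute `make apply` to apply the changes.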

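--- a/infra/auto_ops_policy.json
+++ b/infra/auto_ops_policy.json
@@ -0,0 +1,222 @@
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Sid": "VisualEditor0",
+"Effect": "Allow",
+"Action": [
+"iam:CreateServiceSpecificCredential",
+"firehose:*",
+"iam:TagMFADevice",
+"iam:ListServiceSpecificCredentials",
+"iam:PutRolePolicy",
+"iam:ListSigningCertificates",
+"iam:AddRoleToInstanceProfile",
+"ses:SendEmail",
+"iam:SimulateCustomPolicy",
+"iam:ListRolePolicies",
+"iam:DeleteOpenIDConnectProvider",
+"iam:PutGroupPolicy",
+"iam:ListPolicies",
+"sns:*",
+"iam:GetRole",
+"iam:ListSAMLProviders",
+"apigateway:*",
+"iam:TagPolicy",
+"iam:UpdateServerCertificate",
+"cloudwatch:*",
+"pipes:*",
+"ecs:*",
+"ec2:*",
+"iam:GetOpenIDConnectProvider",
+"iam:UntagRole",
+"iam:PutRolePermissionsBoundary",
+"iam:TagRole",
+"cloudtrail:*",
+"iam:ResetServiceSpecificCredential",
+"iam:DeleteRolePermissionsBoundary",
+"iam:ListInstanceProfilesForRole",
+"iam:PassRole",
+"iam:DeleteRolePolicy",
+"kms:*",
+"iam:EnableMFADevice",
+"iam:ResyncMFADevice",
+"iam:ListCloudFrontPublicKeys",
+"guardduty:*",
+"iam:ListRoles",
+"iam:DeleteUser",
+"iam:GetContextKeysForCustomPolicy",
+"iam:CreatePolicy",
+"iam:CreateServiceLinkedRole",
+"iam:AttachGroupPolicy",
+"iam:DeleteVirtualMFADevice",
+"ecr:*",
+"iam:UpdateRole",
+"iam:UntagOpenIDConnectProvider",
+"iam:ListGroups",
+"iam:UntagInstanceProfile",
+"iam:DeleteServiceSpecificCredential",
+"iam:TagOpenIDConnectProvider",
+"iam:DeleteSAMLProvider",
+"iam:UpdateAssumeRolePolicy",
+"iam:GetPolicyVersion",
+"application-autoscaling:*",
+"iam:DeleteGroup",
+"iam:GetMFADevice",
+"iam:ListServerCertificates",
+"iam:RemoveRoleFromInstanceProfile",
+"iam:UpdateGroup",
+"dynamodb:*",
+"iam:ListVirtualMFADevices",
+"servicediscovery:*",
+"cloudfront:*",
+"iam:ListSSHPublicKeys",
+"iam:GetAccountEmailAddress",
+"iam:ListOpenIDConnectProviderTags",
+"config:*",
+"ebs:*",
+"iam:DeleteCloudFrontPublicKey",
+"events:*",
+"iam:ChangePassword",
+"iam:UpdateLoginProfile",
+"iam:GetServerCertificate",
+"iam:GetAccessKeyLastUsed",
+"iam:UpdateSSHPublicKey",
+"iam:UpdateAccountPasswordPolicy",
+"iam:DeleteServiceLinkedRole",
+"iam:ListSTSRegionalEndpointsStatus",
+"iam:GetAccountSummary",
+"iam:DeletePolicy",
+"iam:CreateVirtualMFADevice",
+"iam:ListMFADevices",
+"iam:AddUserToGroup",
+"tag:*",
+"iam:CreatePolicyVersion",
+"iam:GetInstanceProfile",
+"elasticloadbalancing:*",
+"iam:UntagServerCertificate",
+"iam:ListUserPolicies",
+"iam:TagUser",
+"iam:ListPolicyVersions",
+"iam:ListOpenIDConnectProviders",
+"lambda:*",
+"iam:ListUsers",
+"iam:UpdateSigningCertificate",
+"iam:ListUserTags",
+"iam:GetAccountPasswordPolicy",
+"iam:DeactivateMFADevice",
+"iam:DeleteAccessKey",
+"rds:*",
+"iam:ListRoleTags",
+"iam:UpdateCloudFrontPublicKey",
+"iam:GenerateServiceLastAccessedDetails",
+"iam:UpdateOpenIDConnectProviderThumbprint",
+"iam:SetSecurityTokenServicePreferences",
+"iam:DeleteServerCertificate",
+"quicksight:*",
+"iam:UploadSSHPublicKey",
+"iam:DetachGroupPolicy",
+"iam:GetCredentialReport",
+"iam:UpdateServiceSpecificCredential",
+"iam:GetPolicy",
+"iam:RemoveClientIDFromOpenIDConnectProvider",
+"iam:ListEntitiesForPolicy",
+"iam:DeleteRole",
+"iam:UpdateRoleDescription",
+"iam:UploadCloudFrontPublicKey",
+"iam:GetRolePolicy",
+"iam:CreateInstanceProfile",
+"iam:GenerateCredentialReport",
+"sqs:*",
+"iam:GetServiceLastAccessedDetails",
+"athena:*",
+"iam:GetServiceLinkedRoleDeletionStatus",
+"iam:ListAttachedGroupPolicies",
+"iam:ListPolicyTags",
+"iam:DeleteAccountAlias",
+"iam:UpdateSAMLProvider",
+"iam:ListAccessKeys",
+"iam:DeleteInstanceProfile",
+"elasticfilesystem:*",
+"cognito-identity:*",
+"s3:*",
+"iam:ListGroupPolicies",
+"ses:SendRawEmail",
+"iam:GetSSHPublicKey",
+"iam:PutUserPermissionsBoundary",
+"iam:DeleteUserPermissionsBoundary",
+"ssm:*",
+"iam:ListServerCertificateTags",
+"iam:PutUserPolicy",
+"iam:TagServerCertificate",
+"iam:ListAccountAliases",
+"iam:UntagPolicy",
+"iam:GetUser",
+"iam:GetLoginProfile",
+"acm:*",
+"iam:TagInstanceProfile",
+"iam:SetDefaultPolicyVersion",
+"logs:*",
+"iam:CreateRole",
+"iam:AttachRolePolicy",
+"iam:SetSTSRegionalEndpointStatus",
+"iam:TagSAMLProvider",
+"autoscaling:*",
+"iam:CreateLoginProfile",
+"iam:DetachRolePolicy",
+"iam:SimulatePrincipalPolicy",
+"secretsmanager:*",
+"iam:ListAttachedRolePolicies",
+"iam:CreateAccountAlias",
+"iam:ListSAMLProviderTags",
+"kinesis:*",
+"iam:DetachUserPolicy",
+"iam:GetAccountAuthorizationDetails",
+"iam:CreateGroup",
+"iam:UntagSAMLProvider",
+"iam:UpdateUser",
+"iam:DeleteUserPolicy",
+"iam:AttachUserPolicy",
+"iam:UpdateAccessKey",
+"iam:DeleteSigningCertificate",
+"iam:GetUserPolicy",
+"waf:*",
+"iam:ListGroupsForUser",
+"iam:GetAccountName",
+"cognito-idp:*",
+"iam:GetGroupPolicy",
+"iam:GetServiceLastAccessedDetailsWithEntities",
+"iam:ListPoliciesGrantingServiceAccess",
+"iam:DeleteSSHPublicKey",
+"iam:ListInstanceProfileTags",
+"iam:CreateUser",
+"iam:GetGroup",
+"glue:*",
+"iam:GetOrganizationsAccessReport",
+"iam:CreateAccessKey",
+"iam:GetContextKeysForPrincipalPolicy",
+"iam:UpdateAccountName",
+"iam:RemoveUserFromGroup",
+"wafv2:*",
+"iam:GetCloudFrontPublicKey",
+"iam:ListAttachedUserPolicies",
+"iam:UpdateAccountEmailAddress",
+"iam:GetSAMLProvider",
+"iam:DeleteLoginProfile",
+"iam:UploadSigningCertificate",
+"iam:DeleteAccountPasswordPolicy",
+"iam:ListInstanceProfiles",
+"iam:CreateOpenIDConnectProvider",
+"iam:UploadServerCertificate",
+"iam:UntagUser",
+"iam:UntagMFADevice",
+"route53:*",
+"iam:DeleteGroupPolicy",
+"iam:ListMFADeviceTags",
+"elasticache:*",
+"iam:DeletePolicyVersion"
+],
+"Resource": "*"
+}
+]
+}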
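Review bot: With `"Resource": "*"` this single statement is effectively account-wide administrative access rather than an operations scope: the enumerated IAM actions include `iam:CreateUser`, `iam:CreateAccessKey`, `iam:AttachUserPolicy`, `iam:AttachRolePolicy`, `iam:UpdateAssumeRolePolicy`, `iam:CreatePolicyVersion`/`iam:SetDefaultPolicyVersion` and an unconditioned `iam:PassRole`, each of which lets the holder extend its own or another principal's rights, while `cloudtrail:*`, `config:*`, `guardduty:*` and `logs:*` let the same principal switch off the audit and detection controls that would record such a change. The `VisualEditor0` Sid and the unordered list suggest the policy was exported from the console rather than designed for this automation role. Since the commit only imports the resource as it already exists, this is a tracked follow-up rather than a blocker, but it should be scheduled: split the statement per service, constrain `Resource` to the account's ARNs, add an `iam:PassedToService` condition to `iam:PassRole`, move the IAM self-management and CloudTrail/GuardDuty/Config mutating actions to a separate break-glass policy, and run the result through IAM Access Analyzer policy validation. A permissions boundary on the principal this policy is attached to would limit the blast radius in the meantime.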
