This repository was archived by the owner on Apr 29, 2020. It is now read-only.

Commit 85fc788

Merge pull request #3 from cmdlabs/uplift-to-tf12
Updated code to terraform 0.12.0
2 parents 2da96cc + 6eb7b72 commit 85fc788

8 files changed

+60
-22
lines changed


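--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,10 +4,17 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.3.0] - 2019-06-03
+### Breaking
+- Updated code to terraform 0.12.0
+
+### Fixed
+- Added IAM permissions to allow deletion of workspaces. Fixes #2
+
 ## [0.2.0] - 2019-02-09
 ### Changed
 - All resources are now prefixed allowing multiple backends to be deployed into the same account
-- Workspaces have been changed to prefixes rather than full paths.
+- Workspaces have been changed to prefixes rather than full paths
 
 ## [0.1.0] - 2019-01-27
 ### Added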

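--- a/backend_roles.tf
+++ b/backend_roles.tf
@@ -2,30 +2,36 @@
 resource "aws_iam_role" "backend-all" {
 name = "${var.resource_prefix}-terraform-backend"
 description = "Allows access to all Terraform workspaces"
-assume_role_policy = "${data.aws_iam_policy_document.backend-assume-role-all.json}"
+assume_role_policy = data.aws_iam_policy_document.backend-assume-role-all.json
 }
 
 resource "aws_iam_role_policy" "backend-all" {
 name = "${var.resource_prefix}-terraform-backend"
-policy = "${data.aws_iam_policy_document.iam-role-policy.json}"
+policy = data.aws_iam_policy_document.iam-role-policy.json
 role = "${var.resource_prefix}-terraform-backend"
 
-depends_on = ["aws_iam_role.backend-all"]
+depends_on = [aws_iam_role.backend-all]
 }
 
 #These roles are limited to their specific workspace through the use of S3 resource permissions
 resource "aws_iam_role" "backend-restricted" {
-count = "${length(var.workspace_prefixes)}"
+count = length(var.workspace_prefixes)
 name = "${var.resource_prefix}-terraform-backend-${element(var.workspace_prefixes, count.index)}"
 description = "Allows access to the ${element(var.workspace_prefixes, count.index)} workspace prefix "
-assume_role_policy = "${element(data.aws_iam_policy_document.backend-assume-role-restricted.*.json, count.index)}"
+assume_role_policy = element(
+data.aws_iam_policy_document.backend-assume-role-restricted.*.json,
+count.index,
+)
 }
 
 resource "aws_iam_role_policy" "backend-restricted" {
-count = "${length(var.workspace_prefixes)}"
+count = length(var.workspace_prefixes)
 name = "${var.resource_prefix}-terraform-backend-${element(var.workspace_prefixes, count.index)}"
-policy = "${element(data.aws_iam_policy_document.iam-role-policy-restricted.*.json, count.index)}"
+policy = element(
+data.aws_iam_policy_document.iam-role-policy-restricted.*.json,
+count.index,
+)
 role = "${var.resource_prefix}-terraform-backend-${element(var.workspace_prefixes, count.index)}"
 
-depends_on = ["aws_iam_role.backend-restricted"]
+depends_on = [aws_iam_role.backend-restricted]
 }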
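Review bot: The `role = "${var.resource_prefix}-terraform-backend"` arguments on both `aws_iam_role_policy` resources rebuild the role name by string template and then need an explicit `depends_on` to order creation; now that the file is 0.12, the direct references `role = aws_iam_role.backend-all.id` and `role = aws_iam_role.backend-restricted[count.index].id` carry the dependency implicitly, so both `depends_on` lines can go and the name template can no longer drift from the role's own `name` argument in a later edit. The new multi-line `element(..., count.index)` calls on the restricted resources could likewise become index expressions, `data.aws_iam_policy_document.backend-assume-role-restricted[count.index].json`; `element` wraps around when the index exceeds the list length, which is never the intent here since both lists are sized by the same `length(var.workspace_prefixes)`. The `#These roles are limited ...` comment describes the restricted roles only; a one-line comment above `backend-all` stating that it spans every workspace prefix (`# Unrestricted role: reads, writes and deletes state for every workspace in the bucket`) would make the trust difference between the two visible at a glance.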

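--- a/examples/main.tf
+++ b/examples/main.tf
@@ -1,7 +1,7 @@
 module "tf-backend" {
 source = "../"
 
-resource_prefix = "deantftest"
+resource_prefix = "cmdlabtftest"
 bucket_region = "ap-southeast-2"
 
 bucket_sse_algorithm = "AES256"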

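--- /dev/null
+++ b/examples/providers.tf
@@ -0,0 +1,4 @@
+provider "aws" {
+version = "~> 2.0"
+region = "ap-southeast-2"
+}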

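--- a/iam_policy.tf
+++ b/iam_policy.tf
@@ -1,13 +1,13 @@
 data "aws_iam_policy_document" "iam-role-policy-restricted" {
-count = "${length(var.workspace_prefixes)}"
+count = length(var.workspace_prefixes)
 
 statement {
 actions = ["s3:ListBucket"]
 resources = ["arn:aws:s3:::${aws_s3_bucket.backend.id}"]
 }
 
 statement {
-actions = ["s3:GetObject", "s3:PutObject"]
+actions = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
 resources = ["arn:aws:s3:::${aws_s3_bucket.backend.id}/env:/${element(var.workspace_prefixes, count.index)}*"]
 }
 
@@ -24,7 +24,7 @@ data "aws_iam_policy_document" "iam-role-policy" {
 }
 
 statement {
-actions = ["s3:GetObject", "s3:PutObject"]
+actions = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
 resources = ["arn:aws:s3:::${aws_s3_bucket.backend.id}/*"]
 }
 
@@ -40,20 +40,34 @@ data "aws_iam_policy_document" "backend-assume-role-all" {
 
 principals {
 type = "AWS"
-identifiers = ["${split(",", lookup(var.assume_policy, "all", data.aws_caller_identity.current.account_id))}"]
+identifiers = split(
+",",
+lookup(
+var.assume_policy,
+"all",
+data.aws_caller_identity.current.account_id,
+),
+)
 }
 }
 }
 
 data "aws_iam_policy_document" "backend-assume-role-restricted" {
-count = "${length(var.workspace_prefixes)}"
+count = length(var.workspace_prefixes)
 
 statement {
 actions = ["sts:AssumeRole"]
 
 principals {
 type = "AWS"
-identifiers = ["${split(",", lookup(var.assume_policy, "${element(var.workspace_prefixes, count.index)}", data.aws_caller_identity.current.account_id))}"]
+identifiers = split(
+",",
+lookup(
+var.assume_policy,
+element(var.workspace_prefixes, count.index),
+data.aws_caller_identity.current.account_id,
+),
+)
 }
 }
 }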
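Review bot: The `s3:DeleteObject` added at line 10 of `iam-role-policy-restricted` is scoped by the unanchored pattern `env:/${element(var.workspace_prefixes, count.index)}*` on line 11, so a role for prefix `dev` can now delete the state of any workspace whose name merely starts with `dev` (`dev2`, `devops`), not only its own; Get/Put already had this overlap, but deletion is destructive and the changelog presents prefix matching as intentional, so it should at least be stated next to the statement, e.g. `# NOTE: prefix match - overlapping entries in workspace_prefixes grant each other read/write/delete on the overlap`. Neither policy grants `s3:DeleteObjectVersion`, so on a versioned bucket a delete only writes a delete marker and the state object stays recoverable; that is the property the "allow deletion of workspaces" change relies on and it is worth recording in a comment, assuming `versioning` is actually enabled in main.tf (its contents are not in this diff). The `lookup(var.assume_policy, ..., data.aws_caller_identity.current.account_id)` fallback at lines 45-49 and 65-69 trusts the whole account (the bare account id resolves to the account root principal) whenever no principal is configured for a key; that is pre-existing, but the rewritten multi-line form is a good place for a comment saying the default is account-wide on purpose.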

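--- a/main.tf
+++ b/main.tf
@@ -1,6 +1,6 @@
 resource "aws_s3_bucket" "backend" {
 bucket = "${var.resource_prefix}-terraform-backend"
-region = "${var.bucket_region}"
+region = var.bucket_region
 acl = "private"
 
 versioning {
@@ -10,14 +10,14 @@ resource "aws_s3_bucket" "backend" {
 server_side_encryption_configuration {
 rule {
 apply_server_side_encryption_by_default {
-sse_algorithm = "${var.bucket_sse_algorithm}"
+sse_algorithm = var.bucket_sse_algorithm
 }
 }
 }
 }
 
 resource "aws_s3_bucket_public_access_block" "backend" {
-bucket = "${aws_s3_bucket.backend.id}"
+bucket = aws_s3_bucket.backend.id
 
 block_public_acls = true
 block_public_policy = true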
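Review bot: With `s3:DeleteObject` now granted to the backend roles elsewhere in this commit, the state bucket `resource "aws_s3_bucket" "backend"` (lines 1-17) has no guard against its own removal; a `lifecycle { prevent_destroy = true }` block inside the resource would make `terraform destroy` of the module refuse to delete the bucket that holds every workspace's state, which is the usual protection for a backend bucket. The resource body is only partly in the hunk (lines 7-9 are cut), so place it alongside the existing `versioning` block. Whether that `versioning` block sets `enabled = true` cannot be confirmed from this diff; if it does not, the new DeleteObject permission becomes unrecoverable deletion of state and that should be checked before release.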

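--- a/outputs.tf
+++ b/outputs.tf
@@ -1,11 +1,14 @@
 output "state_bucket_id" {
-value = "${aws_s3_bucket.backend.id}"
+value = aws_s3_bucket.backend.id
 }
 
 output "dynamo_lock_table" {
-value = "${aws_dynamodb_table.lock.id}"
+value = aws_dynamodb_table.lock.id
 }
 
 output "iam_roles" {
-value = "${concat(aws_iam_role.backend-all.*.arn, aws_iam_role.backend-restricted.*.arn)}"
+value = concat(
+aws_iam_role.backend-all.*.arn,
+aws_iam_role.backend-restricted.*.arn,
+)
 }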
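Review bot: `aws_iam_role.backend-all.*.arn` at line 11 applies the legacy attribute-only splat to a resource that backend_roles.tf declares without `count`; 0.12 keeps `.*` only for compatibility, and the full splat is the form documented to wrap a single value into a one-element list, so `aws_iam_role.backend-all[*].arn` and `aws_iam_role.backend-restricted[*].arn` would state the intent unambiguously. I cannot confirm from here whether the legacy form still performs that wrapping on a non-list value in 0.12, so this is worth a `terraform plan` against the example before tagging 0.3.0. A `description` on each output would also help consumers, e.g. `description = "ARN of the all-workspaces role followed by one ARN per workspace prefix, in workspace_prefixes order"` on `iam_roles`.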

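--- /dev/null
+++ b/versions.tf
@@ -0,0 +1,4 @@
+
+terraform {
+required_version = ">= 0.12"
+}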
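Review bot: `required_version = ">= 0.12"` at line 3 has no upper bound, so any future major release is accepted without warning even though this commit was only exercised on 0.12 (the `version` argument the example places inside `provider "aws"` is, as I recall, one of the constructs deprecated in the following release); `required_version = "~> 0.12"` pins the module to the series it was tested against. The AWS provider constraint currently lives only in examples/providers.tf, so a consumer that does not copy the example gets no constraint at all; it belongs here, as `required_providers { aws = "~> 2.0" }` inside this `terraform` block, which 0.12 supports. The blank line 1 is stray.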
