enh: move gitlab-runner and elk-stack s3 buckets from layer1-aws into layer2-k8s (#166)

Author: mglotov

terraform/layer1-aws/examples/aws-s3-bucket-elastic-stack.tf

@@ -4,16 +4,15 @@ locals {
     repository    = lookup(local.helm_charts[index(local.helm_charts.*.id, "elk")], "repository", null)
     chart_version = lookup(local.helm_charts[index(local.helm_charts.*.id, "elk")], "version", null)
   }
-  kibana_domain_name        = "kibana-${local.domain_suffix}"
-  apm_domain_name           = "apm-${local.domain_suffix}"
-  elastic_stack_bucket_name = data.terraform_remote_state.layer1-aws.outputs.elastic_stack_bucket_name
+  kibana_domain_name = "kibana-${local.domain_suffix}"
+  apm_domain_name    = "apm-${local.domain_suffix}"
 }
 
 data "template_file" "elk" {
   template = file("${path.module}/templates/elk-values.yaml")
 
   vars = {
-    bucket_name             = local.elastic_stack_bucket_name
+    bucket_name             = aws_s3_bucket.elastic_stack.id
     storage_class_name      = kubernetes_storage_class.elk.id
     snapshot_retention_days = var.elk_snapshot_retention_days
     index_retention_days    = var.elk_index_retention_days
@@ -136,6 +135,36 @@ resource "random_string" "kibana_password" {
   upper   = true
 }
 
+resource "aws_s3_bucket" "elastic_stack" {
+  bucket = "${local.name}-elastic-stack"
+  acl    = "private"
+
+  server_side_encryption_configuration {
+    rule {
+      apply_server_side_encryption_by_default {
+        sse_algorithm = "aws:kms"
+      }
+    }
+  }
+
+  tags = {
+    Name        = "${local.name}-elastic-stack"
+    Environment = local.env
+  }
+}
+
+resource "aws_s3_bucket_public_access_block" "elastic_stack_public_access_block" {
+  bucket = aws_s3_bucket.elastic_stack.id
+  # Block new public ACLs and uploading public objects
+  block_public_acls = true
+  # Retroactively remove public access granted through public ACLs
+  ignore_public_acls = true
+  # Block new public bucket policies
+  block_public_policy = true
+  # Retroactivley block public and cross-account access if bucket has public policies
+  restrict_public_buckets = true
+}
+
 module "aws_iam_elastic_stack" {
   source = "../modules/aws-iam-user-with-policy"
 
@@ -152,7 +181,7 @@ module "aws_iam_elastic_stack" {
           "s3:ListBucketVersions"
         ],
         "Resource" : [
-          "arn:aws:s3:::${local.elastic_stack_bucket_name}"
+          "arn:aws:s3:::${aws_s3_bucket.elastic_stack.id}"
         ]
       },
       {
@@ -165,7 +194,7 @@ module "aws_iam_elastic_stack" {
           "s3:ListMultipartUploadParts"
         ],
         "Resource" : [
-          "arn:aws:s3:::${local.elastic_stack_bucket_name}/*"
+          "arn:aws:s3:::${aws_s3_bucket.elastic_stack.id}/*"
         ]
       }
     ]
@@ -187,3 +216,8 @@ output "elasticsearch_elastic_password" {
   sensitive   = true
   description = "Password of the superuser 'elastic'"
 }
+
+output "elastic_stack_bucket_name" {
+  value       = aws_s3_bucket.elastic_stack.id
+  description = "Name of the bucket for ELKS snapshots"
+}

terraform/layer1-aws/examples/aws-s3-bucket-gitlab-runner-cache.tf

@@ -4,17 +4,14 @@ locals {
     repository    = lookup(local.helm_charts[index(local.helm_charts.*.id, "gitlab-runner")], "repository", null)
     chart_version = lookup(local.helm_charts[index(local.helm_charts.*.id, "gitlab-runner")], "version", null)
   }
-  gitlab_runner_cache_bucket_name = data.terraform_remote_state.layer1-aws.outputs.gitlab_runner_cache_bucket_name
-
-  gitlab_runner_template = templatefile("${path.module}/templates/gitlab-runner-values.tmpl",
+  gitlab_runner_template = templatefile("${path.module}/templates/gitlab-runner-values.yaml",
     {
       registration_token = local.gitlab_registration_token
       namespace          = module.ci_namespace.name
       role_arn           = module.aws_iam_gitlab_runner.role_arn
-      bucket_name        = local.gitlab_runner_cache_bucket_name
+      bucket_name        = aws_s3_bucket.gitlab_runner_cache.id
       region             = local.region
   })
-
 }
 
 module "gitlab_runner_namespace" {
@@ -36,6 +33,49 @@ resource "helm_release" "gitlab_runner" {
   ]
 }
 
+resource "aws_s3_bucket" "gitlab_runner_cache" {
+  bucket = "${local.name}-gitlab-runner-cache"
+  acl    = "private"
+
+  server_side_encryption_configuration {
+    rule {
+      apply_server_side_encryption_by_default {
+        sse_algorithm = "aws:kms"
+      }
+    }
+  }
+
+  lifecycle_rule {
+    id      = "gitlab-runner-cache-lifecycle-rule"
+    enabled = true
+
+    tags = {
+      "rule" = "gitlab-runner-cache-lifecycle-rule"
+    }
+
+    expiration {
+      days = 120
+    }
+  }
+
+  tags = {
+    Name        = "${local.name}-gitlab-runner-cache"
+    Environment = local.env
+  }
+}
+
+resource "aws_s3_bucket_public_access_block" "gitlab_runner_cache_public_access_block" {
+  bucket = aws_s3_bucket.gitlab_runner_cache.id
+  # Block new public ACLs and uploading public objects
+  block_public_acls = true
+  # Retroactively remove public access granted through public ACLs
+  ignore_public_acls = true
+  # Block new public bucket policies
+  block_public_policy = true
+  # Retroactivley block public and cross-account access if bucket has public policies
+  restrict_public_buckets = true
+}
+
 module "aws_iam_gitlab_runner" {
   source = "../modules/aws-iam-eks-trusted"
 
@@ -58,10 +98,15 @@ module "aws_iam_gitlab_runner" {
           "s3:*"
         ],
         "Resource" : [
-          "arn:aws:s3:::${local.gitlab_runner_cache_bucket_name}",
-          "arn:aws:s3:::${local.gitlab_runner_cache_bucket_name}/*"
+          "arn:aws:s3:::${aws_s3_bucket.gitlab_runner_cache.id}",
+          "arn:aws:s3:::${aws_s3_bucket.gitlab_runner_cache.id}/*"
         ]
       }
     ]
   })
 }
+
+output "gitlab_runner_cache_bucket_name" {
+  value       = aws_s3_bucket.gitlab_runner_cache.id
+  description = "Name of the s3 bucket for gitlab-runner cache"
+}