feat: Add X-Ray policy, VPC connectory security group, and ability to toggle resources independently

bryantbiggs · bryantbiggs · commit bb47aa9289e1 · 2022-09-03T17:39:05.000-04:00
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.73.0
+    rev: v1.74.2
     hooks:
       - id: terraform_fmt
       - id: terraform_validate
diff --git a/README.md b/README.md
@@ -50,10 +50,16 @@ No modules.
 | [aws_apprunner_observability_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/apprunner_observability_configuration) | resource |
 | [aws_apprunner_service.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/apprunner_service) | resource |
 | [aws_apprunner_vpc_connector.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/apprunner_vpc_connector) | resource |
+| [aws_iam_policy.access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.access_additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.instance_xray](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_security_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_security_group_rule.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_iam_policy_document.access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.access_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.instance_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
@@ -77,9 +83,11 @@ No modules.
 | <a name="input_create_autoscaling_configuration"></a> [create\_autoscaling\_configuration](#input\_create\_autoscaling\_configuration) | Determines whether an Auto Scaling Configuration will be created | `bool` | `true` | no |
 | <a name="input_create_custom_domain_association"></a> [create\_custom\_domain\_association](#input\_create\_custom\_domain\_association) | Determines whether a Custom Domain Association will be created | `bool` | `false` | no |
 | <a name="input_create_instance_iam_role"></a> [create\_instance\_iam\_role](#input\_create\_instance\_iam\_role) | Determines whether an IAM role is created or to use an existing IAM role | `bool` | `true` | no |
+| <a name="input_create_observability_configuration"></a> [create\_observability\_configuration](#input\_create\_observability\_configuration) | Determines whether an Observability Configuration will be created | `bool` | `false` | no |
+| <a name="input_create_security_group"></a> [create\_security\_group](#input\_create\_security\_group) | Determines if a security group is created for the VPC connector | `bool` | `true` | no |
+| <a name="input_create_service"></a> [create\_service](#input\_create\_service) | Determines whether the service will be created | `bool` | `true` | no |
 | <a name="input_create_vpc_connector"></a> [create\_vpc\_connector](#input\_create\_vpc\_connector) | Determines whether a VPC Connector will be created | `bool` | `false` | no |
 | <a name="input_domain_name"></a> [domain\_name](#input\_domain\_name) | The custom domain endpoint to association. Specify a base domain e.g., `example.com` or a subdomain e.g., `subdomain.example.com` | `string` | `""` | no |
-| <a name="input_enable_observability_configuration"></a> [enable\_observability\_configuration](#input\_enable\_observability\_configuration) | Determines whether an Observability Configuration will be created | `bool` | `false` | no |
 | <a name="input_enable_www_subdomain"></a> [enable\_www\_subdomain](#input\_enable\_www\_subdomain) | Whether to associate the subdomain with the App Runner service in addition to the base domain. Defaults to `true` | `bool` | `null` | no |
 | <a name="input_encryption_configuration"></a> [encryption\_configuration](#input\_encryption\_configuration) | The encryption configuration for the service | `any` | `{}` | no |
 | <a name="input_health_check_configuration"></a> [health\_check\_configuration](#input\_health\_check\_configuration) | The health check configuration for the service | `any` | `{}` | no |
@@ -91,14 +99,20 @@ No modules.
 | <a name="input_instance_iam_role_policies"></a> [instance\_iam\_role\_policies](#input\_instance\_iam\_role\_policies) | IAM policies to attach to the IAM role | `map(string)` | `{}` | no |
 | <a name="input_instance_iam_role_use_name_prefix"></a> [instance\_iam\_role\_use\_name\_prefix](#input\_instance\_iam\_role\_use\_name\_prefix) | Determines whether the IAM role name (`iam_role_name`) is used as a prefix | `bool` | `true` | no |
 | <a name="input_network_configuration"></a> [network\_configuration](#input\_network\_configuration) | The network configuration for the service | `any` | `{}` | no |
+| <a name="input_observability_configuration"></a> [observability\_configuration](#input\_observability\_configuration) | The observability configuration for the service | `any` | `{}` | no |
 | <a name="input_observability_configuration_name"></a> [observability\_configuration\_name](#input\_observability\_configuration\_name) | The name of the Observability Configuration | `string` | `""` | no |
-| <a name="input_observability_trace_configuration"></a> [observability\_trace\_configuration](#input\_observability\_trace\_configuration) | The name of the Trace Configuration | `any` | `{}` | no |
+| <a name="input_observability_trace_configuration"></a> [observability\_trace\_configuration](#input\_observability\_trace\_configuration) | The Observability Configuration trace coniguration | `any` | `{}` | no |
+| <a name="input_private_ecr_arn"></a> [private\_ecr\_arn](#input\_private\_ecr\_arn) | The ARN of the private ECR repository that contains the service image to launch | `string` | `null` | no |
+| <a name="input_security_group_description"></a> [security\_group\_description](#input\_security\_group\_description) | Description for the security group created | `string` | `null` | no |
+| <a name="input_security_group_rules"></a> [security\_group\_rules](#input\_security\_group\_rules) | List of security group rules to add to the security group created | `any` | `{}` | no |
+| <a name="input_security_group_use_name_prefix"></a> [security\_group\_use\_name\_prefix](#input\_security\_group\_use\_name\_prefix) | Determines whether the security group name (`security_group_name`) is used as a prefix | `bool` | `true` | no |
 | <a name="input_service_name"></a> [service\_name](#input\_service\_name) | The name of the service | `string` | `""` | no |
 | <a name="input_source_configuration"></a> [source\_configuration](#input\_source\_configuration) | The source configuration for the service | `any` | `{}` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
 | <a name="input_vpc_connector_name"></a> [vpc\_connector\_name](#input\_vpc\_connector\_name) | The name of the VPC Connector | `string` | `""` | no |
 | <a name="input_vpc_connector_security_groups"></a> [vpc\_connector\_security\_groups](#input\_vpc\_connector\_security\_groups) | The security groups to use for the VPC Connector | `list(string)` | `[]` | no |
 | <a name="input_vpc_connector_subnets"></a> [vpc\_connector\_subnets](#input\_vpc\_connector\_subnets) | The subnets to use for the VPC Connector | `list(string)` | `[]` | no |
+| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | ID of the VPC where the security will be provisioned | `string` | `null` | no |
 
 ## Outputs
 
diff --git a/main.tf b/main.tf
@@ -5,7 +5,7 @@ data "aws_partition" "current" {}
 ################################################################################
 
 resource "aws_apprunner_service" "this" {
-  count = var.create ? 1 : 0
+  count = var.create && var.create_service ? 1 : 0
 
   auto_scaling_configuration_arn = try(aws_apprunner_auto_scaling_configuration_version.this[0].arn, null)
 
@@ -56,11 +56,11 @@ resource "aws_apprunner_service" "this" {
   }
 
   dynamic "observability_configuration" {
-    for_each = var.enable_observability_configuration ? [1] : []
+    for_each = length(var.observability_configuration) > 0 ? [var.observability_configuration] : []
 
     content {
-      observability_configuration_arn = aws_apprunner_observability_configuration.this[0].arn
-      observability_enabled           = var.enable_observability_configuration
+      observability_configuration_arn = var.create_observability_configuration ? aws_apprunner_observability_configuration.this[0].arn : try(observability_configuration.value.observability_configuration_arn, null)
+      observability_enabled           = try(observability_configuration.value.observability_enabled, null)
     }
   }
 
@@ -147,11 +147,13 @@ resource "aws_apprunner_service" "this" {
 ################################################################################
 
 locals {
+  create_access_iam_role = var.create && var.create_service && var.create_access_iam_role
+
   access_iam_role_name = try(coalesce(var.access_iam_role_name, "${var.service_name}-access"), "")
 }
 
 data "aws_iam_policy_document" "access_assume_role" {
-  count = var.create && var.create_access_iam_role ? 1 : 0
+  count = local.create_access_iam_role ? 1 : 0
 
   statement {
     sid     = "AccessAssumeRole"
@@ -165,7 +167,7 @@ data "aws_iam_policy_document" "access_assume_role" {
 }
 
 resource "aws_iam_role" "access" {
-  count = var.create && var.create_access_iam_role ? 1 : 0
+  count = local.create_access_iam_role ? 1 : 0
 
   name        = var.access_iam_role_use_name_prefix ? null : local.access_iam_role_name
   name_prefix = var.access_iam_role_use_name_prefix ? "${local.access_iam_role_name}-" : null
@@ -179,8 +181,57 @@ resource "aws_iam_role" "access" {
   tags = var.tags
 }
 
+data "aws_iam_policy_document" "access" {
+  count = local.create_access_iam_role && var.private_ecr_arn != null ? 1 : 0
+
+  dynamic "statement" {
+    for_each = var.private_ecr_arn != null ? [1] : []
+
+    content {
+      sid = "ReadPrivateEcr"
+      actions = [
+        "ecr:BatchGetImage",
+        "ecr:DescribeImages",
+        "ecr:GetDownloadUrlForLayer",
+      ]
+      resources = [var.private_ecr_arn]
+    }
+  }
+
+  dynamic "statement" {
+    for_each = var.private_ecr_arn != null ? [1] : []
+
+    content {
+      sid = "AuthPrivateEcr"
+      actions = [
+        "ecr:DescribeImages",
+        "ecr:GetAuthorizationToken",
+      ]
+      resources = ["*"]
+    }
+  }
+}
+
+resource "aws_iam_policy" "access" {
+  count = local.create_access_iam_role && var.private_ecr_arn != null ? 1 : 0
+
+  name        = var.access_iam_role_use_name_prefix ? null : local.access_iam_role_name
+  name_prefix = var.access_iam_role_use_name_prefix ? "${local.access_iam_role_name}-" : null
+  path        = var.access_iam_role_path
+  description = var.access_iam_role_description
+
+  policy = data.aws_iam_policy_document.access[0].json
+}
+
 resource "aws_iam_role_policy_attachment" "access" {
-  for_each = { for k, v in var.access_iam_role_policies : k => v if var.create && var.create_access_iam_role }
+  count = local.create_access_iam_role && var.private_ecr_arn != null ? 1 : 0
+
+  policy_arn = aws_iam_policy.access[0].arn
+  role       = aws_iam_role.access[0].name
+}
+
+resource "aws_iam_role_policy_attachment" "access_additional" {
+  for_each = { for k, v in var.access_iam_role_policies : k => v if local.create_access_iam_role }
 
   policy_arn = each.value
   role       = aws_iam_role.access[0].name
@@ -191,6 +242,8 @@ resource "aws_iam_role_policy_attachment" "access" {
 ################################################################################
 
 locals {
+  create_instance_iam_role = var.create && var.create_service && var.create_instance_iam_role
+
   instance_iam_role_name = try(coalesce(var.instance_iam_role_name, "${var.service_name}-instance"), "")
 }
 
@@ -209,7 +262,7 @@ data "aws_iam_policy_document" "instance_assume_role" {
 }
 
 resource "aws_iam_role" "instance" {
-  count = var.create && var.create_instance_iam_role ? 1 : 0
+  count = local.create_instance_iam_role ? 1 : 0
 
   name        = var.instance_iam_role_use_name_prefix ? null : local.instance_iam_role_name
   name_prefix = var.instance_iam_role_use_name_prefix ? "${local.instance_iam_role_name}-" : null
@@ -223,8 +276,15 @@ resource "aws_iam_role" "instance" {
   tags = var.tags
 }
 
+resource "aws_iam_role_policy_attachment" "instance_xray" {
+  count = local.create_instance_iam_role && try(var.observability_trace_configuration.vendor, null) == "AWSXRAY" ? 1 : 0
+
+  policy_arn = "arn:${data.aws_partition.current.id}:iam::aws:policy/AWSXRayDaemonWriteAccess"
+  role       = aws_iam_role.instance[0].name
+}
+
 resource "aws_iam_role_policy_attachment" "instance" {
-  for_each = { for k, v in var.instance_iam_role_policies : k => v if var.create && var.create_instance_iam_role }
+  for_each = { for k, v in var.instance_iam_role_policies : k => v if local.create_instance_iam_role }
 
   policy_arn = each.value
   role       = aws_iam_role.instance[0].name
@@ -234,16 +294,63 @@ resource "aws_iam_role_policy_attachment" "instance" {
 # VPC Connector
 ################################################################################
 
-resource "aws_apprunner_vpc_connector" "this" {
-  count = var.create && var.create_vpc_connector ? 1 : 0
+locals {
+  create_vpc_connector = var.create && var.create_vpc_connector
 
   vpc_connector_name = try(coalesce(var.vpc_connector_name, var.service_name), "")
+}
+
+resource "aws_apprunner_vpc_connector" "this" {
+  count = local.create_vpc_connector ? 1 : 0
+
+  vpc_connector_name = local.vpc_connector_name
   subnets            = var.vpc_connector_subnets
-  security_groups    = var.vpc_connector_security_groups
+  security_groups    = compact(concat(var.vpc_connector_security_groups, try(aws_security_group.this[0].id, [])))
 
   tags = var.tags
 }
 
+################################################################################
+# VPC Connector - Security Group
+################################################################################
+
+resource "aws_security_group" "this" {
+  count = var.create_security_group && local.create_vpc_connector ? 1 : 0
+
+  name        = var.security_group_use_name_prefix ? null : local.vpc_connector_name
+  name_prefix = var.security_group_use_name_prefix ? "${local.vpc_connector_name}-" : null
+  description = var.security_group_description
+  vpc_id      = var.vpc_id
+
+  tags = merge(
+    var.tags,
+    { "Name" = local.vpc_connector_name },
+  )
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_security_group_rule" "this" {
+  for_each = { for k, v in var.security_group_rules : k => v if var.create_security_group && local.create_vpc_connector }
+
+  # Required
+  security_group_id = aws_security_group.this[0].id
+  protocol          = each.value.protocol
+  from_port         = each.value.from_port
+  to_port           = each.value.to_port
+  type              = "egress"
+
+  # Optional
+  description              = try(each.value.description, null)
+  cidr_blocks              = try(each.value.cidr_blocks, null)
+  ipv6_cidr_blocks         = try(each.value.ipv6_cidr_blocks, null)
+  prefix_list_ids          = try(each.value.prefix_list_ids, [])
+  self                     = try(each.value.self, null)
+  source_security_group_id = try(each.value.source_security_group_id, null)
+}
+
 ################################################################################
 # Autoscaling
 ################################################################################
@@ -264,8 +371,12 @@ resource "aws_apprunner_auto_scaling_configuration_version" "this" {
 # Custom Domain Association
 ################################################################################
 
+locals {
+  create_custom_domain_association = var.create && var.create_custom_domain_association
+}
+
 resource "aws_apprunner_custom_domain_association" "this" {
-  count = var.create && var.create_custom_domain_association ? 1 : 0
+  count = local.create_custom_domain_association ? 1 : 0
 
   domain_name          = var.domain_name
   enable_www_subdomain = var.enable_www_subdomain
@@ -278,7 +389,7 @@ resource "aws_apprunner_custom_domain_association" "this" {
 #       name   = dvo.name
 #       record = dvo.value
 #       type   = dvo.type
-#     } if var.create && var.create_custom_domain_association
+#     } if local.create_custom_domain_association
 #   }
 
 #   allow_overwrite = true
@@ -290,7 +401,7 @@ resource "aws_apprunner_custom_domain_association" "this" {
 # }
 
 # resource "aws_route53_record" "cname" {
-#   count = var.create && var.create_custom_domain_association ? 1 : 0
+#   count = local.create_custom_domain_association ? 1 : 0
 
 #   allow_overwrite = true
 #   name            = var.domain_name
@@ -305,7 +416,7 @@ resource "aws_apprunner_custom_domain_association" "this" {
 ################################################################################
 
 resource "aws_apprunner_observability_configuration" "this" {
-  count = var.create && var.enable_observability_configuration ? 1 : 0
+  count = var.create && var.create_observability_configuration ? 1 : 0
 
   observability_configuration_name = try(coalesce(var.observability_configuration_name, var.service_name), "")
 
diff --git a/variables.tf b/variables.tf
