diff --git a/modules/elasticache/main.tf b/modules/elasticache/main.tf
new file mode 100644
index 0000000..7ebbace
--- /dev/null
+++ b/modules/elasticache/main.tf
@@ -0,0 +1,41 @@
+module "redis_security_group" {
+ source = "terraform-aws-modules/security-group/aws"
+ version = "~> 3.0"
+
+ name = "allow-redis-${var.name}"
+ description = "allows access to redis cluster"
+ vpc_id = var.vpc_id
+
+ egress_with_self = [
+ {
+ rule = "all-all"
+ },
+ ]
+
+ computed_ingress_with_cidr_blocks = [
+ {
+ rule = "redis-tcp",
+ cidr_blocks = var.source_subnet
+ },
+ ]
+ number_of_computed_ingress_with_cidr_blocks = 1
+}
+
+resource "aws_elasticache_subnet_group" "this" {
+ name = "${var.name}-${var.engine}-subnet-group"
+ subnet_ids = var.subnet_ids
+}
+
+resource "aws_elasticache_cluster" "this" {
+ cluster_id = var.name
+ engine = var.engine
+ node_type = var.node_type
+ num_cache_nodes = var.number_of_nodes
+ parameter_group_name = var.parameter_group
+ engine_version = var.engine_version
+ port = 6379
+ tags = var.tags
+ security_group_ids = [module.redis_security_group.this_security_group_id]
+ subnet_group_name = aws_elasticache_subnet_group.this.name
+}
+
diff --git a/modules/elasticache/outputs.tf b/modules/elasticache/outputs.tf
new file mode 100644
index 0000000..e69de29
diff --git a/modules/elasticache/variables.tf b/modules/elasticache/variables.tf
new file mode 100644
index 0000000..57ec340
--- /dev/null
+++ b/modules/elasticache/variables.tf
@@ -0,0 +1,17 @@
+variable "vpc_id" {}
+variable "subnet_ids" {
+ type = list(string)
+}
+variable "source_subnet" {}
+variable "name" {}
+variable "parameter_group" {}
+
+variable "engine" {}
+variable "engine_version" {}
+variable "node_type" {}
+variable "number_of_nodes" {}
+
+variable "tags" {
+ type = map(string)
+}
+
diff --git a/modules/kubernetes/main.tf b/modules/kubernetes/main.tf
new file mode 100644
index 0000000..423a5b8
--- /dev/null
+++ b/modules/kubernetes/main.tf
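Review bot: `port = 6379` and the single `redis-tcp` ingress rule in `redis_security_group` are fixed to Redis while `engine`, `engine_version` and the subnet-group name are parameterised, so a caller passing `engine = "memcached"` gets a cluster on the wrong port behind a security-group rule that does not match it. Either drop `engine` from the interface or derive both from it, e.g. `port = var.engine == "memcached" ? 11211 : 6379` with the security-group module's matching memcached rule. Separately, `aws_elasticache_cluster` offers no in-transit or at-rest encryption and no auth token; if this backs anything beyond a throwaway cache, `aws_elasticache_replication_group` with `at_rest_encryption_enabled`, `transit_encryption_enabled` and `auth_token` is the resource that provides them. `cidr_blocks = var.source_subnet` also relies on an untyped variable; as far as I recall the 3.x security-group module expects a comma-separated string there, so `type = string` on the variable would reject a list before apply.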
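Review bot: Every variable in modules/elasticache/variables.tf except `subnet_ids` and `tags` is declared as `variable "x" {}` with no `type` and no `description`, so a wrong value (a list for `source_subnet`, a string for `number_of_nodes`) is only caught when the provider rejects it at apply time. Add a `type` and a one-line `description` to each, e.g. `variable "number_of_nodes" { type = number }` plus `description = "Number of cache nodes in the cluster"`. The same applies to `cluster_name`, `kafka_version`, `vpc_id` and `source_subnet` in modules/msk/variables.tf and to `vault_version` in modules/vault/variables.tf, whose other variables are typed but undocumented.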
@@ -0,0 +1,23 @@
+data "aws_eks_cluster" "this" {
+ name = var.cluster_id
+}
+
+data "aws_eks_cluster_auth" "this" {
+ name = var.cluster_id
+}
+
+
+provider "kubernetes" {
+ host = data.aws_eks_cluster.this.endpoint
+ cluster_ca_certificate = base64decode(data.aws_eks_cluster.this.certificate_authority.0.data)
+ token = data.aws_eks_cluster_auth.this.token
+ load_config_file = false
+}
+
+resource "kubernetes_namespace" "namespaces" {
+ for_each = var.namespaces
+ metadata {
+ name = each.value
+ }
+}
+
diff --git a/modules/kubernetes/variables.tf b/modules/kubernetes/variables.tf
new file mode 100644
index 0000000..5edf472
--- /dev/null
+++ b/modules/kubernetes/variables.tf
@@ -0,0 +1,16 @@
+variable "cluster_id" {
+ type = string
+ description = "name/id of the EKS cluster which will be connected to"
+}
+
+variable "namespaces" {
+ type = set(string)
+ description = "namespaces to create in the cluster"
+}
+
+variable "install_dev_tools" {
+ type = bool
+ description = "Whether to install our devtools or not"
+ default = false
+}
+
diff --git a/modules/msk/main.tf b/modules/msk/main.tf
new file mode 100644
index 0000000..b92b8fc
--- /dev/null
+++ b/modules/msk/main.tf
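Review bot: The `provider "kubernetes"` block is declared inside a child module, which Terraform documents as a legacy pattern: a module that carries its own provider configuration cannot be called with `count`, `for_each` or `depends_on`, and removing the module call later leaves the `kubernetes_namespace` resources with no provider able to destroy them. The two data sources can stay, but the provider block belongs in the root module (handed in via `providers = { kubernetes = kubernetes.eks }` or similar) together with a `required_providers` version constraint, which this hunk lacks. That constraint matters here because `load_config_file` was removed in the 2.0 release of the kubernetes provider, so an unpinned provider will fail at plan time on that line. Minor: `certificate_authority.0.data` is the legacy index syntax; `certificate_authority[0].data` is the current form.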
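Review bot: `install_dev_tools` in modules/kubernetes/variables.tf is declared with a description and a default but nothing in this commit reads it, so as landed it is a dead interface that callers may set with no effect. Either add the conditional resources it is meant to gate or drop the variable until they exist; if it stays, a comment such as `# reserved: will gate the dev-tools release, not wired up yet` would stop the next reader from hunting for the consumer. I can only see the files in this diff, so a use elsewhere in the module would change this.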
@@ -0,0 +1,53 @@
+
+
+module "kafka_security_group" {
+ source = "terraform-aws-modules/security-group/aws"
+ version = "~> 3.0"
+
+ name = "allow-kafka-${var.cluster_name}"
+ description = "allows access to kafka brokers"
+ vpc_id = var.vpc_id
+
+ egress_with_self = [
+ {
+ rule = "all-all"
+ },
+ ]
+
+ # allow EKS workloads to access kafka
+ computed_ingress_with_cidr_blocks = [
+ {
+ rule = "kafka-broker-tcp",
+ cidr_blocks = var.source_subnet
+ },
+ {
+ rule = "kafka-broker-tls-tcp",
+ cidr_blocks = var.source_subnet
+ },
+ {
+ rule = "zookeeper-2181-tcp",
+ cidr_blocks = var.source_subnet
+ },
+ ]
+ number_of_computed_ingress_with_cidr_blocks = 3
+}
+
+resource "aws_msk_cluster" "this" {
+ cluster_name = var.cluster_name
+ kafka_version = var.kafka_version
+ number_of_broker_nodes = var.number_of_brokers
+ broker_node_group_info {
+ client_subnets = var.number_of_brokers < length(var.subnet_ids) ? slice(var.subnet_ids, 0, var.number_of_brokers) : var.subnet_ids
+ ebs_volume_size = var.ebs_volume_size
+ instance_type = var.instance_size
+ security_groups = [module.kafka_security_group.this_security_group_id]
+ }
+
+ encryption_info {
+ encryption_in_transit {
+ client_broker = var.TLS_SETTING
+ in_cluster = true
+ }
+ }
+
+}
\ No newline at end of file
diff --git a/modules/msk/outputs.tf b/modules/msk/outputs.tf
new file mode 100644
index 0000000..7fff933
--- /dev/null
+++ b/modules/msk/outputs.tf
@@ -0,0 +1,11 @@
+output "brokers" {
+ value = split(",", aws_msk_cluster.this.bootstrap_brokers)
+}
+
+output "brokers_tls" {
+ value = split(",", aws_msk_cluster.this.bootstrap_brokers_tls)
+}
+
+output "zookeeper" {
+ value = split(",", aws_msk_cluster.this.zookeeper_connect_string)
+}
\ No newline at end of file
diff --git a/modules/msk/variables.tf b/modules/msk/variables.tf
new file mode 100644
index 0000000..baad6ec
--- /dev/null
+++ b/modules/msk/variables.tf
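Review bot: `client_broker = var.TLS_SETTING` lets a caller run the brokers with `PLAINTEXT` or `TLS_PLAINTEXT`, and `kafka_security_group` opens the plaintext `kafka-broker-tcp` port and `zookeeper-2181-tcp` to `var.source_subnet` unconditionally, so broker traffic can cross the VPC unencrypted and every workload in the source subnet can reach ZooKeeper directly, which carries no authentication of its own on MSK. Default `TLS_SETTING` to `"TLS"` in modules/msk/variables.tf, add a `validation` block limiting it to the three documented values if the Terraform version in use is 0.13 or later, and either drop the 9092 and 2181 rules or make their presence conditional on the setting. No `client_authentication` block is set either, so even with `TLS` the cluster has encryption but no client identity; if mutual TLS or SASL is expected, that is a separate gap worth stating in the module's docs. There is also no `logging_info`, so there would be no broker log trail to review after an incident.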
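Review bot: In modules/msk/outputs.tf, `split(",", aws_msk_cluster.this.bootstrap_brokers)` yields `[""]` rather than an empty list when the attribute is empty, which I believe is the case for `brokers` when `TLS_SETTING` is `TLS` (no plaintext listener) and for `brokers_tls` when it is `PLAINTEXT`, so consumers iterating the output get a bogus empty host. `compact(split(",", aws_msk_cluster.this.bootstrap_brokers))` returns `[]` in that case; the same change applies to the other two outputs.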
@@ -0,0 +1,31 @@
+
+variable "cluster_name" {}
+
+variable "kafka_version" {}
+
+variable "number_of_brokers" {
+ type = number
+}
+
+variable "ebs_volume_size" {
+ type = number
+}
+
+variable "instance_size" {
+ type = string
+}
+
+variable "vpc_id" {}
+
+variable "subnet_ids" {
+ type = list(string)
+}
+
+variable "source_subnet" {
+}
+
+variable "TLS_SETTING" {
+ type = string
+ description = "TLS setting for client broker, can be: TLS, TLS_PLAINTEXT or PLAINTEXT "
+}
+
diff --git a/modules/vault/kubernetes.tf b/modules/vault/kubernetes.tf
new file mode 100644
index 0000000..9fdc7d3
--- /dev/null
+++ b/modules/vault/kubernetes.tf
@@ -0,0 +1,29 @@
+resource "kubernetes_secret" "vault_secret" {
+ metadata {
+ name = "vault-aws-kms-secrets"
+ namespace = var.namespace
+ }
+ data = {
+ access-key = aws_iam_access_key.vault_user_access_key.id
+ access-key-secret = aws_iam_access_key.vault_user_access_key.secret
+ region = var.region
+ kms-id = aws_kms_key.vault_key.id
+ table = aws_dynamodb_table.vault_dynamodb_table.name
+ }
+}
+
+resource "helm_release" "vault" {
+ name = "vault"
+ chart = "vault"
+ repository = "https://helm.releases.hashicorp.com"
+ version = var.vault_version
+ values = [
+ file("${path.module}/values.yaml")]
+
+ namespace = var.namespace
+ depends_on = [
+ aws_dynamodb_table.vault_dynamodb_table,
+ aws_iam_user.vault_user,
+ aws_iam_policy.kms_vault_user_policy
+ ]
+}
diff --git a/modules/vault/main.tf b/modules/vault/main.tf
new file mode 100644
index 0000000..c91ef99
--- /dev/null
+++ b/modules/vault/main.tf
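Review bot: `kubernetes_secret.vault_secret` places a long-lived IAM user access key (`aws_iam_access_key.vault_user_access_key.secret`) in a Kubernetes Secret, and the same value sits in the Terraform state, so anyone with state read access or `get secret` in `var.namespace` holds standing AWS credentials to the unseal key and the storage table with nothing rotating them. Since modules/kubernetes/main.tf shows the target is EKS, the Vault chart can instead assume a role via IRSA by annotating its server service account with `eks.amazonaws.com/role-arn`, which removes the static key, this secret and the state exposure; if static keys must stay, a rotation procedure should be documented next to the resource. Ordering-wise, `helm_release.vault` waits for the table, user and policy but not for `kubernetes_secret.vault_secret`, which the chart's `extraSecretEnvironmentVars` reads at pod start, nor for `aws_iam_user_policy_attachment.vault_user_policy`, so the first rollout can start before the secret exists or before the user can actually call KMS. Adding both resources to `depends_on` closes that gap.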
@@ -0,0 +1,41 @@
+
+resource "aws_kms_key" "vault_key" {
+ description = "Vault key ${var.name}"
+ key_usage = "ENCRYPT_DECRYPT"
+ tags = var.common_tags
+}
+
+resource "aws_kms_alias" "vault_alias" {
+ name = "alias/${var.kms_name}"
+ target_key_id = aws_kms_key.vault_key.id
+}
+
+resource "aws_iam_user" "vault_user" {
+ name = var.username
+ path = "/"
+ tags = var.common_tags
+}
+
+resource "aws_iam_access_key" "vault_user_access_key" {
+ user = aws_iam_user.vault_user.name
+}
+
+
+resource "aws_dynamodb_table" "vault_dynamodb_table" {
+ name = var.dynamodb_name
+ billing_mode = "PAY_PER_REQUEST"
+ tags = var.common_tags
+
+ hash_key = "Path"
+ range_key = "Key"
+
+ attribute {
+ name = "Path"
+ type = "S"
+ }
+
+ attribute {
+ name = "Key"
+ type = "S"
+ }
+}
diff --git a/modules/vault/policies.tf b/modules/vault/policies.tf
new file mode 100644
index 0000000..440dfcd
--- /dev/null
+++ b/modules/vault/policies.tf
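Review bot: `aws_kms_key.vault_key` is the auto-unseal key yet sets no `enable_key_rotation = true`, and `aws_dynamodb_table.vault_dynamodb_table`, which holds every Vault secret, has no `point_in_time_recovery { enabled = true }`, so a `DeleteItem`/`Scan`-driven wipe by the IAM user granted in policies.tf is unrecoverable. Both are one-line additions. Consider also stating `deletion_window_in_days` on the key explicitly and adding `lifecycle { prevent_destroy = true }` to the table, since destroying either means losing the Vault.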
@@ -0,0 +1,50 @@
+resource "aws_iam_user_policy_attachment" "vault_user_policy" {
+ policy_arn = aws_iam_policy.kms_vault_user_policy.arn
+ user = aws_iam_user.vault_user.name
+}
+
+resource "aws_iam_policy" "kms_vault_user_policy" {
+ name = "${var.username}-to-kms-policy"
+ policy = data.aws_iam_policy_document.kms_use.json
+}
+
+data "aws_iam_policy_document" "kms_use" {
+ statement {
+ effect = "Allow"
+ actions = [
+ "kms:Encrypt",
+ "kms:Decrypt",
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey*",
+ "kms:DescribeKey",
+ ]
+ resources = [
+ aws_kms_key.vault_key.arn
+ ]
+ }
+ statement {
+ effect = "Allow"
+ actions = [
+ "dynamodb:DescribeLimits",
+ "dynamodb:DescribeTimeToLive",
+ "dynamodb:ListTagsOfResource",
+ "dynamodb:DescribeReservedCapacityOfferings",
+ "dynamodb:DescribeReservedCapacity",
+ "dynamodb:ListTables",
+ "dynamodb:BatchGetItem",
+ "dynamodb:BatchWriteItem",
+ "dynamodb:CreateTable",
+ "dynamodb:DeleteItem",
+ "dynamodb:GetItem",
+ "dynamodb:GetRecords",
+ "dynamodb:PutItem",
+ "dynamodb:Query",
+ "dynamodb:UpdateItem",
+ "dynamodb:Scan",
+ "dynamodb:DescribeTable"
+ ]
+ resources = [
+ aws_dynamodb_table.vault_dynamodb_table.arn
+ ]
+ }
+}
diff --git a/modules/vault/values.yaml b/modules/vault/values.yaml
new file mode 100644
index 0000000..347de59
--- /dev/null
+++ b/modules/vault/values.yaml
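Review bot: The DynamoDB statement in `kms_use` grants `dynamodb:CreateTable` on the table ARN although main.tf already creates the table through Terraform, and `ListTables`, `DescribeLimits`, `DescribeReservedCapacity` and `DescribeReservedCapacityOfferings` are account-level actions that, as far as I recall, do not support resource-level scoping, so against a single table ARN they grant nothing today and become over-broad the moment someone widens `resources`. This looks copied from the example policy in the Vault DynamoDB storage docs; trimming it to the item- and table-level actions Vault actually issues (`GetItem`, `PutItem`, `DeleteItem`, `UpdateItem`, `Query`, `Scan`, `BatchGetItem`, `BatchWriteItem`, `DescribeTable`, `DescribeTimeToLive`, `ListTagsOfResource`), confirmed against those docs, keeps the runtime user at least privilege. The name `${var.username}-to-kms-policy` also no longer describes a policy that grants DynamoDB access; a rename or a `# KMS unseal + DynamoDB storage access for the Vault runtime user` comment would help.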
@@ -0,0 +1,37 @@
+server:
+ extraSecretEnvironmentVars:
+ - envName: AWS_DEFAULT_REGION
+ secretName: "vault-aws-kms-secrets"
+ secretKey: "region"
+ - envName: AWS_ACCESS_KEY_ID
+ secretName: "vault-aws-kms-secrets"
+ secretKey: "access-key"
+ - envName: AWS_SECRET_ACCESS_KEY
+ secretName: "vault-aws-kms-secrets"
+ secretKey: "access-key-secret"
+ - envName: VAULT_AWSKMS_SEAL_KEY_ID
+ secretName: "vault-aws-kms-secrets"
+ secretKey: "kms-id"
+ - envName: AWS_DYNAMODB_TABLE
+ secretName: "vault-aws-kms-secrets"
+ secretKey: "table"
+
+ authDelegator:
+ enabled: true
+ ha:
+ enabled: true
+ replicas: 3
+ config: |
+ ui = true
+ api_addr = "http://POD_ID:8200"
+ seal "awskms" {}
+ listener "tcp" {
+ tls_disable = 1
+ address = "[::]:8200"
+ cluster_address = "[::]:8201"
+ }
+ storage "dynamodb" {
+ ha_enabled = "true"
+ }
+injector:
+ enabled: false
diff --git a/modules/vault/variables.tf b/modules/vault/variables.tf
new file mode 100644
index 0000000..23590cd
--- /dev/null
+++ b/modules/vault/variables.tf
@@ -0,0 +1,30 @@
+variable "name" {
+ type = string
+}
+variable "username" {
+ type = string
+}
+
+variable "kms_name" {
+ type = string
+}
+
+variable "dynamodb_name" {
+ type = string
+}
+
+variable "namespace" {
+ type = string
+}
+
+variable "region" {
+ type = string
+}
+
+variable "common_tags" {
+ type = map(string)
+}
+
+variable "vault_version" {
+ description = "The version of the hashicorp vault helm chart"
+}
\ No newline at end of file
diff --git a/src/aws/ecr/main.tf b/src/aws/ecr/main.tf
deleted file mode 100644
index 4d2b68a..0000000
--- a/src/aws/ecr/main.tf
+++ /dev/null
@@ -1,81 +0,0 @@
-resource "aws_ecr_repository" "repository" {
- name = var.repository_name
- image_tag_mutability = "MUTABLE"
-
- image_scanning_configuration {
- scan_on_push = true
- }
- tags = var.common_tags
- }
-
-resource "aws_ecr_repository_policy" "policy" {
- repository = aws_ecr_repository.repository.name
- policy = <
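Review bot: `api_addr = "http://POD_ID:8200"` looks like a typo for `POD_IP`, the placeholder the Vault Helm chart substitutes with the pod's address at startup; as written, standby replicas would advertise a literal `POD_ID` host and HA request forwarding would fail, so verify against the chart's config handling. The listener sets `tls_disable = 1`, so tokens and secrets travel in clear text between clients and Vault and between the three replicas; if TLS cannot be terminated at the listener with this chart version, a comment recording the compensating control (mesh mTLS, network policy) belongs next to it. `seal "awskms" {}` and `storage "dynamodb" {}` rely entirely on the env vars injected from `vault-aws-kms-secrets`, which is fine but invisible from this file; a one-line comment such as `# seal/storage settings come from the vault-aws-kms-secrets secret created in kubernetes.tf` would make the coupling explicit.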