1 parent
5ce313f
commit 2cae845
Showing
15 changed files
with
583 additions
and
0 deletions.
@@ -0,0 +1,41 @@ | ||
name: Release | ||
|
||
on: | ||
push: | ||
tags: | ||
- '*.*.*' | ||
pull_request: | ||
branches: | ||
- main | ||
workflow_dispatch: | ||
|
||
jobs: | ||
build: | ||
runs-on: ubuntu-latest | ||
|
||
steps: | ||
- uses: actions/checkout@v2 | ||
|
||
- name: Set env | ||
run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV | ||
|
||
- name: Package | ||
run: | | ||
echo packaging... | ||
tar -czf terraform-s3-mrap-${{ env.RELEASE_VERSION }}.tar.gz terraform labfiles | ||
- name: Upload Artifact | ||
uses: actions/upload-artifact@v2 | ||
with: | ||
name: terraform-s3-mrap-${{ env.RELEASE_VERSION }} | ||
path: terraform-s3-mrap-${{ env.RELEASE_VERSION }}.tar.gz | ||
|
||
- name: Make Release | ||
uses: softprops/[email protected] | ||
if: startsWith(github.ref, 'refs/tags/') | ||
with: | ||
name: terraform-s3-${{ env.RELEASE_VERSION }}.tar.gz | ||
files: | | ||
terraform-s3-${{ env.RELEASE_VERSION }}.tar.gz | ||
env: | ||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
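Review bot: The release step's `files:` entry lists `terraform-s3-${{ env.RELEASE_VERSION }}.tar.gz`, but the Package step creates `terraform-s3-mrap-${{ env.RELEASE_VERSION }}.tar.gz`, so a tag build produces a release with no asset; use the same name in both places, `terraform-s3-mrap-${{ env.RELEASE_VERSION }}.tar.gz`. The `pull_request` trigger also runs the Package step with GITHUB_REF set to refs/pull/<n>/merge, which `${GITHUB_REF#refs/*/}` turns into `<n>/merge` and makes the tar path point into a directory that does not exist — guarding the packaging steps with the same `startsWith(github.ref, 'refs/tags/')` condition avoids that. The job has no `permissions:` block, so GITHUB_TOKEN carries whatever the repository default is rather than exactly the `contents: write` the release needs; adding `permissions:` with `contents: write` at job level scopes it explicitly. The third-party release action and the two `@v2` actions are referenced by mutable tags (and the `@v2` majors are deprecated); pinning each to a full commit SHA keeps the build's supply chain reproducible.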
@@ -0,0 +1,4 @@ | ||
terraform.tfstate | ||
terraform.tfstate.backup | ||
.terraform.lock.hcl | ||
.terraform/ |
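Review bot: `.terraform.lock.hcl` should not be in this ignore list: the dependency lock file records the selected provider versions and their checksums so that every `terraform init` verifies the same provider binaries, and HashiCorp's guidance is to commit it. Removing that line and committing the lock file closes the gap where each run may resolve a different provider build inside the `~> 5.50.0` constraint without any hash check. The other three entries (the state files and the `.terraform/` directory) are right to ignore, since state can contain secrets.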
@@ -0,0 +1,105 @@ | ||
locals { | ||
run_id = "prod" | ||
} | ||
|
||
module "role-s3-replication" { | ||
source = "./modules/role" | ||
|
||
saml_enabled = false | ||
assumable_service = ["s3.amazonaws.com"] | ||
name = "s3-replication" | ||
} | ||
|
||
module "kms-source" { | ||
source = "./modules/kms" | ||
|
||
kms_key_alias = join("", ["bucket-key-replication-source-kms", local.run_id]) | ||
kms_key_description = "Example KMS key for source S3 bucket" | ||
} | ||
|
||
module "kms-dest" { | ||
providers = { | ||
aws = aws.us-west-2 | ||
} | ||
source = "./modules/kms" | ||
|
||
kms_key_alias = join("", ["bucket-key-replication-dest-kms", local.run_id]) | ||
kms_key_description = "Example KMS key for destination S3 bucket" | ||
} | ||
|
||
module "s3-source" { | ||
source = "./modules/s3" | ||
|
||
kms_key_arn = module.kms-source.kms_key_arn | ||
apply_bucket_request_metrics = true | ||
core_backups_retention = "NOBACKUP" | ||
|
||
######################################################################## | ||
# uncomment the below code only after the creation of buckets in step 1 | ||
######################################################################## | ||
replication_role_arns = [module.role-s3-replication.role_arn] | ||
|
||
replication_configuration = { | ||
role_name = module.role-s3-replication.role_name | ||
rules = [ | ||
{ | ||
id = "bar" | ||
status = "Enabled" | ||
priority = 1 | ||
|
||
destination = { | ||
bucket = "DESTINATION_BUCKET_ARN_GOES_HERE" | ||
storage_class = "STANDARD" | ||
replica_kms_key_id = "DESTINATION_KMS_KEY_ARN_GOES_HERE" | ||
} | ||
|
||
filter = { | ||
prefix = "logs" | ||
tags = { | ||
ReplicateMe = "Yes" | ||
} | ||
} | ||
} | ||
] | ||
} | ||
} | ||
|
||
module "s3-dest" { | ||
providers = { | ||
aws = aws.us-west-2 | ||
} | ||
source = "./modules/s3" | ||
|
||
kms_key_arn = module.kms-dest.kms_key_arn | ||
apply_bucket_request_metrics = true | ||
core_backups_retention = "NOBACKUP" | ||
|
||
############################################################################ | ||
#uncomment the below code only after provisioning of the bucket in step 1 | ||
############################################################################ | ||
replication_role_arns = [module.role-s3-replication.role_arn] | ||
|
||
replication_configuration = { | ||
role_name = module.role-s3-replication.role_name | ||
rules = [ | ||
{ | ||
id = "bar" | ||
status = "Enabled" | ||
priority = 1 | ||
|
||
destination = { | ||
bucket = "SOURCE_BUCKET_ARN_GOES_HERE" | ||
storage_class = "STANDARD" | ||
replica_kms_key_id = "SOURCE_KMS_KEY_ARN_GOES_HERE" | ||
} | ||
|
||
filter = { | ||
prefix = "logs" | ||
tags = { | ||
ReplicateMe = "Yes" | ||
} | ||
} | ||
} | ||
] | ||
} | ||
} |
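Review bot: The `replication_role_arns` and `replication_configuration` blocks in both `s3-source` and `s3-dest` are live code, yet the banner comments directly above them say to uncomment them only after step 1, and their `destination` blocks carry the literal placeholders `"DESTINATION_BUCKET_ARN_GOES_HERE"` / `"DESTINATION_KMS_KEY_ARN_GOES_HERE"` and the `SOURCE_` counterparts, so a first apply of this file sends invalid ARNs to the replication configuration. Either comment the blocks out to match the instructions, or gate them on an explicit boolean input and pass real values; `replica_kms_key_id` can already be wired to `module.kms-dest.kms_key_arn` and `module.kms-source.kms_key_arn` because the KMS module exports that output, while the bucket ARN presumably needs an output the s3 module is not shown to have, and reading it from module outputs in both directions would create a dependency cycle between the two s3 modules, which is why a gated two-step apply is the cleaner option. The `aws.us-west-2` provider alias referenced in both `providers` maps is not declared anywhere in this commit, so it must come from a providers file elsewhere in the repository.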
@@ -0,0 +1,19 @@ | ||
terraform { | ||
required_providers { | ||
aws = { | ||
source = "hashicorp/aws" | ||
version = "~> 5.50.0" | ||
} | ||
} | ||
} | ||
|
||
resource "aws_kms_key" "key" { | ||
description = var.kms_key_description | ||
key_usage = "ENCRYPT_DECRYPT" | ||
deletion_window_in_days = 7 | ||
} | ||
|
||
resource "aws_kms_alias" "alias" { | ||
name = "alias/${var.kms_key_alias}" | ||
target_key_id = aws_kms_key.key.key_id | ||
} |
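Review bot: `aws_kms_key.key` does not set `enable_key_rotation`, which defaults to false in the AWS provider, so neither the source nor the destination key will ever rotate; add `enable_key_rotation = true` to the resource. `deletion_window_in_days = 7` is the shortest window AWS allows, and with `run_id = "prod"` in the root module a mistaken destroy leaves only a week to recover objects encrypted under the key, so the 30-day default is the safer choice there. No `policy` is set either, so the key falls back to the account-root default key policy; that works, but if access to these keys is meant to be limited to the replication role, the key policy is where to express it.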
@@ -0,0 +1,3 @@ | ||
output "kms_key_arn" { | ||
value = aws_kms_key.key.arn | ||
} |
@@ -0,0 +1,14 @@ | ||
# variable "version" { | ||
# description = "The module version" | ||
# type = string | ||
# } | ||
|
||
variable "kms_key_alias" { | ||
description = "The alias for the KMS key" | ||
type = string | ||
} | ||
|
||
variable "kms_key_description" { | ||
description = "The description for the KMS key" | ||
type = string | ||
} |
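Review bot: The commented-out `variable "version"` block is dead code that would also fail if re-enabled, because `version` is one of the names Terraform reserves and rejects for input variables (along with `source`, `providers`, `count`, `for_each`, `lifecycle`, `depends_on` and `locals`); drop the block or rename it, e.g. `variable "module_version"`. The same commented block appears at the top of the role module's variables file in this commit. `kms_key_alias` is interpolated into `alias/${var.kms_key_alias}` without a `validation` block, so a `condition = can(regex("^[a-zA-Z0-9/_-]+$", var.kms_key_alias))` check would surface a bad alias at plan time instead of at apply.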
@@ -0,0 +1,74 @@ | ||
resource "aws_iam_role" "s3_replication" { | ||
name = "${var.name}_repl_role" | ||
|
||
assume_role_policy = <<POLICY | ||
{ | ||
"Version": "2012-10-17", | ||
"Statement": [ | ||
{ | ||
"Action": "sts:AssumeRole", | ||
"Principal": { | ||
"Service": ${jsonencode(var.assumable_service)} | ||
}, | ||
"Effect": "Allow", | ||
"Sid": "" | ||
} | ||
] | ||
} | ||
POLICY | ||
} | ||
|
||
resource "aws_iam_policy" "s3_replication" { | ||
name = "${var.name}_repl_policy" | ||
|
||
policy = <<POLICY | ||
{ | ||
"Version": "2012-10-17", | ||
"Statement": [ | ||
{ | ||
"Action": [ | ||
"s3:GetReplicationConfiguration", | ||
"s3:ListBucket" | ||
], | ||
"Effect": "Allow", | ||
"Resource": [ | ||
"*" | ||
] | ||
}, | ||
{ | ||
"Action": [ | ||
"s3:GetObjectVersionForReplication", | ||
"s3:GetObjectVersionAcl", | ||
"s3:GetObjectVersionTagging" | ||
], | ||
"Effect": "Allow", | ||
"Resource": [ | ||
"*" | ||
] | ||
}, | ||
{ | ||
"Action": [ | ||
"s3:ReplicateObject", | ||
"s3:ReplicateDelete", | ||
"s3:ReplicateTags" | ||
], | ||
"Effect": "Allow", | ||
"Resource": "*" | ||
}, | ||
{ | ||
"Action": [ | ||
"s3:*", | ||
"kms:*" | ||
], | ||
"Effect": "Allow", | ||
"Resource": "*" | ||
} | ||
] | ||
} | ||
POLICY | ||
} | ||
|
||
resource "aws_iam_role_policy_attachment" "s3_replication" { | ||
role = aws_iam_role.s3_replication.name | ||
policy_arn = aws_iam_policy.s3_replication.arn | ||
} |
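Review bot: The last statement in `aws_iam_policy.s3_replication` grants `s3:*` and `kms:*` on `Resource: "*"`, which turns a role assumable by the S3 service into an account-wide S3 and KMS administrator, far beyond what cross-region replication needs; the three statements above it already cover replication, and the whole document should be scoped to the two buckets and two keys rather than `*`. The module currently has no inputs for those ARNs, so scoping means adding `bucket_arns` and `kms_key_arns` list(string) variables next to `name` and passing them from the root module; S3 bucket ARNs are derived from the bucket name alone (`arn:aws:s3:::NAME`), so they can be built from names rather than read from s3 module outputs, which avoids a cycle with the `replication_role_arns` input. Writing the document with `jsonencode` instead of a heredoc lets the `Resource` lists be built from those variables, as in the excerpt below; the KMS statement needs only `kms:Decrypt` on the source key and `kms:Encrypt`/`kms:GenerateDataKey` on the destination key, and since one role serves both directions the three actions on both keys are sufficient. `var.saml_enabled` is declared in the module but not referenced by any resource in this file, so it is currently a no-op input.
```hcl
resource "aws_iam_policy" "s3_replication" {
  name = "${var.name}_repl_policy"

  # bucket_arns / kms_key_arns: new list(string) inputs declared alongside var.name
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action   = ["s3:GetReplicationConfiguration", "s3:ListBucket"]
        Effect   = "Allow"
        Resource = var.bucket_arns
      },
      {
        Action   = ["s3:GetObjectVersionForReplication", "s3:GetObjectVersionAcl", "s3:GetObjectVersionTagging"]
        Effect   = "Allow"
        Resource = [for b in var.bucket_arns : "${b}/*"]
      },
      {
        Action   = ["s3:ReplicateObject", "s3:ReplicateDelete", "s3:ReplicateTags"]
        Effect   = "Allow"
        Resource = [for b in var.bucket_arns : "${b}/*"]
      },
      {
        Action   = ["kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey"]
        Effect   = "Allow"
        Resource = var.kms_key_arns
      },
    ]
  })
}
# … unchanged: aws_iam_role.s3_replication and aws_iam_role_policy_attachment.s3_replication …
```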
@@ -0,0 +1,7 @@ | ||
output "role_name" { | ||
value = aws_iam_role.s3_replication.name | ||
} | ||
|
||
output "role_arn" { | ||
value = aws_iam_role.s3_replication.arn | ||
} |
@@ -0,0 +1,19 @@ | ||
# variable "version" { | ||
# description = "The module version" | ||
# type = string | ||
# } | ||
|
||
variable "saml_enabled" { | ||
description = "Whether SAML is enabled" | ||
type = bool | ||
} | ||
|
||
variable "assumable_service" { | ||
description = "The services that can assume the role" | ||
type = list(string) | ||
} | ||
|
||
variable "name" { | ||
description = "The name of the role" | ||
type = string | ||
} |