|
| 1 | +variable "backup_enabled" { |
| 2 | + type = "string" |
| 3 | + default = "" |
| 4 | + description = "Set to false to prevent the module from creating any resources" |
| 5 | +} |
| 6 | + |
| 7 | +variable "backup_s3_user_enabled" { |
| 8 | + type = "string" |
| 9 | + default = "" |
| 10 | + description = "Set to `true` to create an backup_s3 user with permission to access the bucket" |
| 11 | +} |
| 12 | + |
| 13 | +variable "backup_s3_allowed_bucket_actions" { |
| 14 | + type = "list" |
| 15 | + default = ["s3:PutObject", "s3:PutObjectAcl", "s3:GetObject", "s3:DeleteObject", "s3:ListBucket", "s3:ListBucketMultipartUploads", "s3:GetBucketLocation", "s3:AbortMultipartUpload"] |
| 16 | + description = "List of actions to permit for backup_s3 bucket" |
| 17 | +} |
| 18 | + |
| 19 | +variable "backup_s3_access_key_name" { |
| 20 | + type = "string" |
| 21 | + default = "codefresh_backups_aws_access_key_id" |
| 22 | + description = "backup_s3 user IAM access key name for storing in SSM. Default to aws_acces_key_id so chamber exports as AWS_ACCESS_KEY_ID, a standard AWS IAM ENV variable" |
| 23 | +} |
| 24 | + |
| 25 | +variable "backup_s3_secret_key_name" { |
| 26 | + type = "string" |
| 27 | + default = "codefresh_backups_aws_secret_access_key" |
| 28 | + description = "backup_s3 user IAM secret key name for storing in SSM. Default to aws_secret_acces_key so chamber exports as AWS_SECRET_ACCESS_KEY, a standard AWS IAM ENV variable " |
| 29 | +} |
| 30 | + |
| 31 | +locals { |
| 32 | + backup_s3_enabled = "${var.backup_enabled != "" ? var.backup_enabled : var.enabled}" |
| 33 | + backup_s3_user_enabled = "${var.backup_s3_user_enabled != "" ? var.backup_s3_user_enabled : var.enabled}" |
| 34 | +} |
| 35 | + |
| 36 | +module "backup_s3_bucket" { |
| 37 | + source = "git::https://github.com/cloudposse/terraform-aws-s3-bucket.git?ref=tags/0.2.0" |
| 38 | + enabled = "${local.backup_s3_enabled}" |
| 39 | + user_enabled = "${local.backup_s3_user_enabled}" |
| 40 | + versioning_enabled = "false" |
| 41 | + allowed_bucket_actions = "${var.backup_s3_allowed_bucket_actions}" |
| 42 | + name = "${var.name}" |
| 43 | + stage = "${var.stage}" |
| 44 | + namespace = "${var.namespace}" |
| 45 | + attributes = "${concat(var.attributes, list("backup"))}" |
| 46 | +} |
| 47 | + |
| 48 | +resource "aws_ssm_parameter" "backup_s3_user_iam_access_key_id" { |
| 49 | + count = "${local.backup_s3_enabled == "true" && local.backup_s3_user_enabled == "true" ? 1 : 0}" |
| 50 | + name = "${format(var.chamber_format, local.chamber_service, var.backup_s3_access_key_name)}" |
| 51 | + value = "${module.backup_s3_bucket.access_key_id}" |
| 52 | + description = "backup_s3 user aws_access_key_id" |
| 53 | + type = "String" |
| 54 | + overwrite = "${var.overwrite_ssm_parameter}" |
| 55 | +} |
| 56 | + |
| 57 | +resource "aws_ssm_parameter" "backup_s3_user_iam_secret_access_key" { |
| 58 | + count = "${local.backup_s3_enabled == "true" && local.backup_s3_user_enabled == "true" ? 1 : 0}" |
| 59 | + name = "${format(var.chamber_format, local.chamber_service, var.backup_s3_secret_key_name)}" |
| 60 | + value = "${module.backup_s3_bucket.secret_access_key}" |
| 61 | + description = "backup_s3 user aws_secret_acces_key" |
| 62 | + type = "SecureString" |
| 63 | + key_id = "${data.aws_kms_key.chamber_kms_key.id}" |
| 64 | + overwrite = "${var.overwrite_ssm_parameter}" |
| 65 | +} |
| 66 | + |
| 67 | +output "backup_s3_user_name" { |
| 68 | + value = "${module.backup_s3_bucket.user_name}" |
| 69 | + description = "Normalized IAM user name" |
| 70 | +} |
| 71 | + |
| 72 | +output "backup_s3_user_arn" { |
| 73 | + value = "${module.backup_s3_bucket.user_arn}" |
| 74 | + description = "The ARN assigned by AWS for the user" |
| 75 | +} |
| 76 | + |
| 77 | +output "backup_s3_user_unique_id" { |
| 78 | + value = "${module.backup_s3_bucket.user_unique_id}" |
| 79 | + description = "The user unique ID assigned by AWS" |
| 80 | +} |
| 81 | + |
| 82 | +output "backup_s3_access_key_id" { |
| 83 | + sensitive = true |
| 84 | + value = "${module.backup_s3_bucket.access_key_id}" |
| 85 | + description = "The access key ID" |
| 86 | +} |
| 87 | + |
| 88 | +output "backup_s3_secret_access_key" { |
| 89 | + sensitive = true |
| 90 | + value = "${module.backup_s3_bucket.secret_access_key}" |
| 91 | + description = "The secret access key. This will be written to the state file in plain-text" |
| 92 | +} |
| 93 | + |
| 94 | +output "backup_s3_bucket_arn" { |
| 95 | + value = "${module.backup_s3_bucket.s3_bucket_arn}" |
| 96 | + description = "The backup_s3 bucket ARN" |
| 97 | +} |
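Review bot: `versioning_enabled = "false"` is hard-coded on the `backup_s3_bucket` module (gutter line 40) while the default `backup_s3_allowed_bucket_actions` grants `s3:DeleteObject` to the backup user, so a leaked or misused backup credential, or a faulty backup job, can permanently delete backups with no earlier version to recover. Every other bucket setting in this file is exposed as a variable, so versioning should be too, with a default suited to a backup store; the proposed variable and module line follow. Separately, the `count` expressions on both `aws_ssm_parameter` resources only match the literal string `"true"`, so any other truthy spelling passed to `backup_enabled` or `backup_s3_user_enabled` silently skips writing the credentials to SSM even though the module still receives that value; that contract is worth stating in the two variables' descriptions, e.g. `description = "Set to \"true\" or \"false\"; an empty string inherits var.enabled"`.
```hcl
variable "backup_s3_versioning_enabled" {
  type        = "string"
  default     = "true"
  description = "Enable S3 versioning on the backup bucket so deleted or overwritten backups remain recoverable"
}

module "backup_s3_bucket" {
  # … unchanged: source, enabled, user_enabled …
  versioning_enabled     = "${var.backup_s3_versioning_enabled}"
  # … unchanged: allowed_bucket_actions, name, stage, namespace, attributes …
}
```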