add chapter 11 code

Author: Scott Winkler

chapter11/complete/main.tf

@@ -0,0 +1,30 @@
+variable "aws" {
+  type = object({ access_key = string, secret_key = string, region = string })
+}
+
+variable "vcs_repo" {
+  type = object({ identifier = string, branch = string, oauth_token = string })
+}
+
+provider "aws" {
+  access_key = var.aws.access_key
+  secret_key = var.aws.secret_key
+  region     = var.aws.region
+}
+
+module "s3backend" {
+  source = "scottwinkler/s3backend/aws"
+}
+
+module "codepipeline" {
+  source     = "./modules/codepipeline"
+  name       = "terraform-in-action"
+  vcs_repo   = var.vcs_repo
+  auto_apply = true
+  environment = {
+    AWS_ACCESS_KEY_ID     = var.aws.access_key
+    AWS_SECRET_ACCESS_KEY = var.aws.secret_key
+    CONFIRM_DESTROY       = 1
+  }
+  s3_backend_config = module.s3backend.config
+}

chapter11/complete/modules/codepipeline/iam.tf

@@ -0,0 +1,111 @@
+resource "aws_iam_role" "codebuild_role" {
+  name               = "${local.namespace}-codebuild"
+  assume_role_policy = <<-EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "codebuild.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "codebuild_policy" {
+  role   = aws_iam_role.codebuild_role.name
+  policy = <<-EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Resource": [
+        "*"
+      ],
+      "Action": [
+        "logs:CreateLogGroup",
+        "logs:CreateLogStream",
+        "logs:PutLogEvents"
+      ]
+    },
+    {
+      "Effect":"Allow",
+      "Action": [
+        "s3:GetObject",
+        "s3:GetObjectVersion",
+        "s3:GetBucketVersioning",
+        "s3:PutObject"
+      ],
+      "Resource": [
+        "${aws_s3_bucket.codepipeline_bucket.arn}",
+        "${aws_s3_bucket.codepipeline_bucket.arn}/*"
+      ]
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role" "codepipeline_role" {
+  name               = "${local.namespace}-pipeline-role"
+  assume_role_policy = <<-EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "codepipeline.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "codepipeline_policy" {
+  name = "codepipeline_policy"
+  role = aws_iam_role.codepipeline_role.id
+
+  policy = <<-EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect":"Allow",
+      "Action": [
+        "s3:GetObject",
+        "s3:GetObjectVersion",
+        "s3:GetBucketVersioning",
+        "s3:PutObject"
+      ],
+      "Resource": [
+        "${aws_s3_bucket.codepipeline_bucket.arn}",
+        "${aws_s3_bucket.codepipeline_bucket.arn}/*"
+      ]
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "sns:Publish"
+      ],
+      "Resource": "${aws_sns_topic.codepipeline.arn}"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "codebuild:BatchGetBuilds",
+        "codebuild:StartBuild"
+      ],
+      "Resource": "*"
+    }
+  ]
+}
+EOF
+}

chapter11/complete/modules/codepipeline/main.tf

@@ -0,0 +1,139 @@
+resource "random_string" "rand" {
+  length  = 24
+  special = false
+  upper   = false
+}
+
+locals {
+  namespace = substr(join("-", [var.name, random_string.rand.result]), 0, 24)
+  projects  = ["plan", "apply"]
+}
+
+resource "aws_codebuild_project" "project" {
+  count        = length(local.projects)
+  name         = "${local.namespace}-${local.projects[count.index]}"
+  service_role = aws_iam_role.codebuild_role.id
+
+  artifacts {
+    type = "NO_ARTIFACTS"
+  }
+
+  environment {
+    compute_type = "BUILD_GENERAL1_SMALL"
+    image        = "hashicorp/terraform:${var.terraform_version}"
+    type         = "LINUX_CONTAINER"
+  }
+
+  source {
+    type      = "NO_SOURCE"
+    buildspec = file("${path.module}/templates/buildspec_${local.projects[count.index]}.yml")
+  }
+}
+
+locals {
+  backend = templatefile("${path.module}/templates/backend.json", { config : var.s3_backend_config, name : local.namespace })
+  default_environment = {
+    TF_IN_AUTOMATION  = "1"
+    TF_INPUT          = "1"
+    CONFIRM_DESTROY   = "0"
+    WORKING_DIRECTORY = var.working_directory
+    BACKEND           = local.backend,
+  }
+  environment = jsonencode([for k, v in merge(local.default_environment, var.environment) : { name : k, value : v, type : "PLAINTEXT" }])
+}
+
+resource "aws_s3_bucket" "codepipeline_bucket" {
+  bucket        = "${local.namespace}-codepipeline-bucket"
+  acl           = "private"
+  force_destroy = true
+}
+
+resource "aws_sns_topic" "codepipeline" {
+  name = "${local.namespace}-pipeline-topic"
+}
+
+resource "aws_codepipeline" "codepipeline" {
+  name     = "${local.namespace}-pipeline"
+  role_arn = aws_iam_role.codepipeline_role.arn
+
+  artifact_store {
+    location = aws_s3_bucket.codepipeline_bucket.bucket
+    type     = "S3"
+  }
+
+  stage {
+    name = "Source"
+
+    action {
+      name             = "Source"
+      category         = "Source"
+      owner            = "ThirdParty"
+      provider         = "GitHub"
+      version          = "1"
+      output_artifacts = ["source_output"]
+
+      configuration = {
+        Owner      = split("/", var.vcs_repo.identifier)[0]
+        Repo       = split("/", var.vcs_repo.identifier)[1]
+        Branch     = var.vcs_repo.branch
+        OAuthToken = var.vcs_repo.oauth_token
+      }
+    }
+  }
+
+  stage {
+    name = "Plan"
+
+    action {
+      name            = "Plan"
+      category        = "Build"
+      owner           = "AWS"
+      provider        = "CodeBuild"
+      input_artifacts = ["source_output"]
+      version         = "1"
+
+      configuration = {
+        ProjectName          = aws_codebuild_project.project[0].name
+        EnvironmentVariables = local.environment
+      }
+    }
+  }
+
+  dynamic "stage" {
+    for_each = ! var.auto_apply ? [1] : []
+    content {
+      name = "Approve"
+
+      action {
+        name     = "Approve"
+        category = "Approval"
+        owner    = "AWS"
+        provider = "Manual"
+        version  = "1"
+
+        configuration = {
+          CustomData         = "Please review output of plan and approve"
+          NotificationArn    = aws_sns_topic.codepipeline.arn
+        }
+      }
+    }
+  }
+
+  stage {
+    name = "Apply"
+
+    action {
+      name            = "Apply"
+      category        = "Build"
+      owner           = "AWS"
+      provider        = "CodeBuild"
+      input_artifacts = ["source_output"]
+      version         = "1"
+
+      configuration = {
+        ProjectName          = aws_codebuild_project.project[1].name
+        EnvironmentVariables = local.environment
+      }
+    }
+  }
+}

chapter11/complete/modules/codepipeline/templates/backend.json

@@ -0,0 +1,14 @@
+{
+  "terraform": {
+    "backend": {
+      "s3": {
+        "bucket": "${config.bucket}",
+        "key": "aws/${name}",
+        "region": "${config.region}",
+        "encrypt": true,
+        "role_arn": "${config.role_arn}",
+        "dynamodb_table": "${config.dynamodb_table}"
+      }
+    }
+  }
+}

chapter11/complete/modules/codepipeline/templates/buildspec_apply.yml

@@ -0,0 +1,13 @@
+version: 0.2
+phases:
+  build:
+    commands:
+       - cd $WORKING_DIRECTORY
+       - echo $BACKEND >> backend.tf.json
+       - terraform init
+       - |
+         if [[ "$CONFIRM_DESTROY" == "0" ]]; then
+           terraform apply -auto-approve
+         else
+           terraform destroy -auto-approve
+         fi

chapter11/complete/modules/codepipeline/templates/buildspec_plan.yml

@@ -0,0 +1,13 @@
+version: 0.2
+phases:
+  build:
+    commands:
+       - cd $WORKING_DIRECTORY
+       - echo $BACKEND >> backend.tf.json
+       - terraform init 
+       - |
+         if [[ "$CONFIRM_DESTROY" == "0" ]]; then
+           terraform plan
+         else
+           terraform plan -destroy
+         fi

chapter11/complete/modules/codepipeline/variables.tf

@@ -0,0 +1,44 @@
+variable "name" {
+  type    = string
+  default = "terraform"
+  description = "A project name to use for resource mapping"
+}
+
+variable "auto_apply" {
+  type    = bool
+  default = false
+  description = "Whether to automatically apply changes when a Terraform plan is successful. Defaults to false."
+}
+
+variable "terraform_version" {
+  type    = string
+  default = "latest"
+  description = "The version of Terraform to use for this workspace. Defaults to the latest available version."
+}
+
+variable "working_directory" {
+  type    = string
+  default = "."
+  description = "A relative path that Terraform will execute within. Defaults to the root of your repository."
+}
+
+variable "vcs_repo" {
+  type = object({ identifier = string, branch = string, oauth_token = string })
+  description = "Settings for the workspace's VCS repository."
+}
+
+variable "environment" {
+  type    = map(string)
+  default = {}
+  description = "A map of environment varaibles to use for this workspace"
+}
+
+variable "s3_backend_config" {
+  type = object({
+    bucket         = string,
+    region         = string,
+    role_arn       = string,
+    dynamodb_table = string,
+  })
+  description = "Settings for configuring the S3 remote backend"
+}