add chapter 12

Author: Scott Winkler

chapter1/archive/listing1.4/main.tf

@@ -1,4 +1,7 @@
 resource "aws_instance" "helloworld" {
-  ami           = "ami-944162ec"
+  ami           = "ami-09dd2e08d601bff67"
   instance_type = "t2.micro"
+  tags = {
+    Name = "HelloWorld"
+  }
 }

chapter1/listing1.1/main.tf

@@ -1,9 +1,12 @@
 provider "aws" {
-  version = "2.12.0"
+  version = "2.65.0"
   region  = "us-west-2"
 }
 
 resource "aws_instance" "helloworld" {
-  ami           = "ami-944162ec"
+  ami           = "ami-09dd2e08d601bff67"
   instance_type = "t2.micro"
+  tags = {
+    Name = "HelloWorld"
+  }
 }

chapter1/listing1.2/main.tf

@@ -1,20 +1,23 @@
 provider "aws" {
-  version = "2.12.0"
-  region  = "us-west-2"
+  version = "2.65.0"
+  region = "us-west-2"
 }
 
 data "aws_ami" "ubuntu" {
   most_recent = true
 
   filter {
     name   = "name"
-    values = ["ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-*"]
+    values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"]
   }
 
   owners = ["099720109477"]
 }
 
 resource "aws_instance" "helloworld" {
-  ami           = data.aws_ami.ubuntu.id
+  ami           = data.aws_ami.ubuntu.id 
   instance_type = "t2.micro"
+  tags = {
+    Name = "HelloWorld"
+  }
 }

chapter1/listing1.3/main.tf

@@ -1,11 +1,17 @@
 {
     "Resources": {
-        "helloworld": {
+        "Example": {
             "Type": "AWS::EC2::Instance",
             "Properties": {
-                "ImageId": "ami-944162ec",
-                "InstanceType": "t2.micro"
+                "ImageId": "ami-09dd2e08d601bff67",
+                "InstanceType": "t2.micro",
+                "Tags": [
+                    {
+                        "Key": "Name",
+                        "Value": "HelloWorld"
+                    }
+                ]
             }
         }
     }
-}
+}

chapter1/snippet1.1/cf.json

@@ -0,0 +1,33 @@
+{
+    "mode": "managed",
+    "type": "aws_db_instance",
+    "name": "database",
+    "provider": "provider.aws",
+    "instances": [
+      {
+        "schema_version": 1,
+        "attributes": {
+          "password": "hunter2",
+          "performance_insights_enabled": false,
+          "performance_insights_kms_key_id": "",
+          "performance_insights_retention_period": 0,
+          "port": 5432,
+          "publicly_accessible": false,
+          "replicas": [],
+          "replicate_source_db": "",
+          "resource_id": "db-O6TUYBMS2HGAY7GKSLTL5H4JEM",
+          "s3_import": [],
+          "security_group_names": null,
+          "skip_final_snapshot": false,
+          "snapshot_identifier": null,
+          "status": "available",
+          "storage_encrypted": false,
+          "storage_type": "gp2",
+          "tags": null,
+          "timeouts": null,
+          "timezone": "",
+          "username": "AzureDiamond"
+        }
+      }
+    ]
+}

chapter12/listing12.1/state.json

@@ -0,0 +1,22 @@
+import "tfconfig/v2" as tfconfig
+
+keywordInProvisioners = func(s){
+	bad_provisioners = filter tfconfig.provisioners as _, p {
+		p.type is "local-exec" and
+		p.config.command["constant_value"] matches s
+	}
+	return length(bad_provisioners) > 0
+}
+
+no_access_keys = rule {
+	not keywordInProvisioners("AWS_ACCESS_KEY_ID")
+}
+
+no_secret_keys = rule {
+	not keywordInProvisioners("AWS_SECRET_ACCESS_KEY")
+}
+
+main = rule {
+	no_access_keys and
+	no_secret_keys
+}

chapter12/listing12.10/block.sentinel

@@ -0,0 +1,16 @@
+resource "aws_lambda_function" "lambda" {
+  filename      = "code.zip"
+  function_name = "${local.namespace}-lambda"
+  role          = aws_iam_role.lambda.arn
+  handler       = "exports.main"
+
+  source_code_hash = filebase64sha256("code.zip")
+  runtime = "nodejs12.x"
+
+  environment {
+    variables = {
+      USERNAME = var.username
+      PASSWORD = var.password
+    }
+  }
+}

chapter12/listing12.2/main.tf

@@ -0,0 +1,15 @@
+resource "aws_lambda_function" "lambda" {
+  filename      = "code.zip"
+  function_name = "${local.namespace}-lambda"
+  role          = aws_iam_role.lambda.arn
+  handler       = "exports.main"
+
+  source_code_hash = filebase64sha256("code.zip")
+  runtime = "nodejs12.x"
+
+  environment {
+    variables = {
+      SECRET_ID = var.secret_id #A
+    }
+  }
+}

chapter12/listing12.3/main.tf

@@ -0,0 +1,33 @@
+package main
+
+import (
+	"context"
+	"fmt"
+	"os"
+
+	"github.com/aws/aws-lambda-go/lambda"
+	"github.com/aws/aws-sdk-go/aws"
+
+	"github.com/aws/aws-sdk-go/aws/session"
+	"github.com/aws/aws-sdk-go/service/secretsmanager"
+)
+
+func HandleRequest(ctx context.Context) error {
+	client := secretsmanager.New(session.New())
+	config := &secretsmanager.GetSecretValueInput{
+		SecretId: aws.String(os.Getenv("SECRET_ID")),
+	}
+	val, err := client.GetSecretValue(config) #A
+	if err != nil {
+		return err
+	}
+
+	// do something with secret value
+	fmt.Printf("Secret is: %s", *val.SecretString)
+
+	return nil
+}
+
+func main() {
+	lambda.Start(HandleRequest)
+}

chapter12/listing12.4/lambda.go

@@ -0,0 +1,30 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "",
+            "Effect": "Allow",
+            "Action": "s3:ListBucket",
+            "Resource": "arn:aws:s3:::tia-state-bucket"
+        },
+        {
+            "Sid": "",
+            "Effect": "Allow",
+            "Action": [
+                "s3:PutObject",
+                "s3:GetObject"
+            ],
+            "Resource": "arn:aws:s3:::tia-state-bucket/team1/*"
+        },
+        {
+            "Sid": "",
+            "Effect": "Allow",
+            "Action": [
+                "dynamodb:PutItem",
+                "dynamodb:GetItem",
+                "dynamodb:DeleteItem"
+            ],
+            "Resource": "arn:aws:dynamodb:us-west-2:215974853022:table/tia-state-lock"
+        }
+    ]
+}

chapter12/listing12.5/policy.json

@@ -0,0 +1,33 @@
+Trying to get account information via sts:GetCallerIdentity
+[aws-sdk-go] DEBUG: Request sts/GetCallerIdentity Details:
+---[ REQUEST POST-SIGN ]-----------------------------
+POST / HTTP/1.1
+Host: sts.amazonaws.com
+User-Agent: aws-sdk-go/1.30.16 (go1.13.7; darwin; amd64) APN/1.0 HashiCorp/1.0 Terraform/0.12.24 (+https://www.terraform.io)
+Content-Length: 43
+Authorization: AWS4-HMAC-SHA256 Credential=AKIATESI2XGPMMVVB7XL/20200504/us-east-1/sts/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-date, Signature=c4df301a200eb46d278ce1b6b9ead1cfbe64f045caf9934a14e9b7f8c207c3f8
+#A
+Content-Type: application/x-www-form-urlencoded; charset=utf-8
+X-Amz-Date: 20200504T084221Z
+Accept-Encoding: gzip
+Action=GetCallerIdentity&Version=2011-06-15
+-----------------------------------------------------
+[aws-sdk-go] DEBUG: Response sts/GetCallerIdentity Details:
+---[ RESPONSE ]--------------------------------------
+HTTP/1.1 200 OK
+Connection: close
+Content-Length: 405
+Content-Type: text/xml
+Date: Mon, 04 May 2020 07:37:21 GMT
+X-Amzn-Requestid: 74b2886b-43bc-475c-bda3-846123059142
+-----------------------------------------------------
+[aws-sdk-go] <GetCallerIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
+  <GetCallerIdentityResult>
+    <Arn>arn:aws:iam::215974853022:user/swinkler</Arn> #B
+    <UserId>AIDAJKZ3K7CTQHZ5F4F52</UserId> #B
+    <Account>215974853022</Account> #B
+  </GetCallerIdentityResult>
+  <ResponseMetadata>
+    <RequestId>74b2886b-43bc-475c-bda3-846123059142</RequestId>
+  </ResponseMetadata>
+</GetCallerIdentityResponse>

chapter12/listing12.6/log.txt

@@ -0,0 +1,19 @@
+$ curl -L -X POST 'https://sts.amazonaws.com' \
+-H 'Host: sts.amazonaws.com' \
+-H 'Authorization: AWS4-HMAC-SHA256 Credential=AKIATESI2XGPMMVVB7XL/20200504/us-east-1/sts/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-date, Signature=c4df301a200eb46d278ce1b6b9ead1cfbe64f045caf9934a14e9b7f8c207c3f8' \
+-H 'Content-Type: application/x-www-form-urlencoded; charset=utf-8' \
+-H 'X-Amz-Date: 20200504T084221Z' \
+-H 'Accept-Encoding: gzip' \
+--data-urlencode 'Action=GetCallerIdentity' \
+--data-urlencode 'Version=2011-06-15'
+
+<GetCallerIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
+  <GetCallerIdentityResult>
+    <Arn>arn:aws:iam::215974853022:user/swinkler</Arn>
+    <UserId>AIDAJKZ3K7CTQHZ5F4F52</UserId>
+    <Account>215974853022</Account>
+  </GetCallerIdentityResult>
+  <ResponseMetadata>
+    <RequestId>e6870ff6-a09e-4479-8860-c3ca08b323b5</RequestId>
+  </ResponseMetadata>
+</GetCallerIdentityResponse>

chapter12/listing12.7/log.txt

@@ -0,0 +1,14 @@
+provider "vault" {
+  address = var.vault_address
+}
+
+data "vault_aws_access_credentials" "creds" {
+  backend = "aws"
+  role    = "prod-role"
+}
+
+provider "aws" {
+  access_key = data.vault_aws_access_credentials.creds.access_key
+  secret_key = data.vault_aws_access_credentials.creds.secret_key
+  region     = "us-west-2"
+}

chapter12/listing12.8/main.tf

@@ -0,0 +1,17 @@
+data "aws_secretsmanager_secret_version" "db" {
+  secret_id = var.secret_id
+}
+
+locals {
+  creds = jsondecode(data.aws_secretsmanager_secret_version.db.secret_string)
+}
+
+resource "aws_db_instance" "database" {
+  allocated_storage = 20
+  engine            = "postgres"
+  engine_version    = "12.2"
+  instance_class    = "db.t2.micro"
+  name              = "ptfe"
+  username          = local.creds["username"]
+  password          = local.creds["password"]
+}

chapter12/listing12.9/main.tf

@@ -0,0 +1,9 @@
+resource "aws_db_instance" "database" {
+  allocated_storage    = 20
+  engine               = "postgres"
+  engine_version       = "9.5"
+  instance_class       = "db.t3.medium"
+  name                 = "ptfe"
+  username             = var.username
+  password             = var.password
+}

chapter12/snippet12.1/main.tf

@@ -0,0 +1,7 @@
+resource "local_file" "aws" {
+  filename = "credentials.txt"
+  content = <<-EOF
+  access_key = ${var.access_key}
+  secret_key = ${var.secret_key}
+  EOF
+}

chapter12/snippet12.10/main.tf

@@ -0,0 +1,8 @@
+resource "aws_s3_bucket_object" "aws" {
+  key     = "creds.txt"
+  bucket  = var.bucket_name
+  content = <<-EOF
+  access_key = ${var.access_key}
+  secret_key = ${var.secret_key}
+  EOF
+}

chapter12/snippet12.11/main.tf

@@ -0,0 +1,3 @@
+provider "aws" {
+  region     = "us-west-2"
+}

chapter12/snippet12.12/main.tf

@@ -0,0 +1,3 @@
+data "local_file" "credentials" {
+    filename = "/Users/Admin/.aws/credentials"
+}

chapter12/snippet12.13/main.tf

@@ -0,0 +1,9 @@
+resource "aws_db_instance" "database" {
+  allocated_storage    = 20
+  engine               = "postgres"
+  engine_version       = "9.5"
+  instance_class       = "db.t3.medium"
+  name                 = "ptfe"
+  username             = var.username
+  password             = var.password
+}

chapter12/snippet12.14/main.tf

@@ -0,0 +1,3 @@
+$ terraform apply \
+  -var-file="secrets.tfvars" \
+  -var-file="production.tfvars"

chapter12/snippet12.15/log.txt

@@ -0,0 +1,3 @@
+main = rule {
+	true 
+}

chapter12/snippet12.16/trivial.sentinel

@@ -0,0 +1,8 @@
+resource "null_resource" "uh_oh" {
+  provisioner "local-exec" {
+    command = <<-EOF
+        echo "access_key=$AWS_ACCESS_KEY_ID"
+        echo "secret_key=$AWS_SECRET_ACCESS_KEY"
+    EOF
+    }
+}