TF: add backup S3 bucket
For LSS-2109
Signed-off-by: Riku Voipio <riku.voipio@linaro.org>
Change-Id: Iede061f0bc186ea6405a8fd400a7dd905000aeab
diff --git a/backups.tf b/backups.tf
new file mode 100644
index 0000000..cec2e99
--- /dev/null
+++ b/backups.tf
@@ -0,0 +1,32 @@
+module "trustedfirmware_backups" {
+ source = "./modules/resources/s3"
+ bucket = "trustedfirmware-backups"
+ acl = "private"
+}
+
+module "s3_backup_policy" {
+ source = "./modules/resources/iam_policy"
+ name = "s3_backup_policy"
+ policy_file = "templates/role_policy.tmpl"
+ actions = [
+ "s3:AbortMultipartUpload",
+ "s3:CompleteMultipartUpload",
+ "s3:ListBucket",
+ "s3:ListBucketMultipartUploads",
+ "s3:PutObject",
+ "s3:GetObject",
+ "s3:DeleteObject",
+ "s3:PutObjectAcl"
+ ]
+ resources = [
+ "arn:aws:s3:::trustedfirmware-backups-*/*"
+ ]
+}
+
+module "backup_policy_attach" {
+ source = "./modules/resources/iam_user_policy_attachement"
+ user = "cloud-backups"
+ policy_arn = module.s3_backup_policy.arn
+}
+
+
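Review bot: The policy's `resources` entry `arn:aws:s3:::trustedfirmware-backups-*/*` does not match the bucket created in the first module — that bucket is named `trustedfirmware-backups` with no trailing `-…` segment, so unless other buckets with that prefix exist the `cloud-backups` user is granted nothing on it, and `s3:ListBucket` additionally needs the bucket ARN itself (no `/*`) to have any effect. Derive both ARNs from the module output instead of re-typing the name: `resources = [ module.trustedfirmware_backups.arn, "${module.trustedfirmware_backups.arn}/*" ]`. The attachment presumes an IAM user `cloud-backups` already exists outside this configuration; if that is intentional a one-line comment saying where it is managed would save the next reader a search. The module directory `iam_user_policy_attachement` is misspelled and will be awkward to rename once state references it.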
diff --git a/modules/resources/iam_policy/main.tf b/modules/resources/iam_policy/main.tf
new file mode 100644
index 0000000..d097a9c
--- /dev/null
+++ b/modules/resources/iam_policy/main.tf
@@ -0,0 +1,9 @@
+resource "aws_iam_policy" "iam_policy" {
+ name = var.name
+ policy = templatefile(var.policy_file, {
+ effect = var.effect
+ actions = jsonencode(var.actions)
+ resources = jsonencode(var.resources)
+ }
+ )
+}
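Review bot: Building the policy document by splicing `jsonencode` output into a text template (`templates/role_policy.tmpl`) is fragile: the template's unquoted `${actions}`/`${resources}` only yield valid JSON because this module happens to encode them first, and as far as I can tell a relative `var.policy_file` is resolved from the directory Terraform is run in rather than from this module, so the caller must be invoked from the repository root. Encoding a plain object keeps the document in one place, lets Terraform validate its structure, and makes `policy_file` unnecessary (the `name`/`effect`/`actions`/`resources` inputs are unchanged).
```hcl
resource "aws_iam_policy" "iam_policy" {
  name = var.name
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = var.effect
      Action   = var.actions
      Resource = var.resources
    }]
  })
}
```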
diff --git a/modules/resources/iam_policy/outputs.tf b/modules/resources/iam_policy/outputs.tf
new file mode 100644
index 0000000..0aa5f96
--- /dev/null
+++ b/modules/resources/iam_policy/outputs.tf
@@ -0,0 +1,6 @@
+output "name" {
+ value = "${aws_iam_policy.iam_policy.name}"
+}
+output "arn" {
+ value = "${aws_iam_policy.iam_policy.arn}"
+}
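Review bot: `value = "${aws_iam_policy.iam_policy.name}"` wraps a bare reference in a string — on the 0.12 toolchain the wrapper script pins, that is the deprecated interpolation-only form that `terraform fmt`/`validate` flag. Write the references directly: `value = aws_iam_policy.iam_policy.name` and `value = aws_iam_policy.iam_policy.arn`. The same applies to all three outputs in modules/resources/s3/outputs.tf.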
diff --git a/modules/resources/iam_policy/vars.tf b/modules/resources/iam_policy/vars.tf
new file mode 100644
index 0000000..5eac806
--- /dev/null
+++ b/modules/resources/iam_policy/vars.tf
@@ -0,0 +1,21 @@
+variable "name" {
+ default = ""
+}
+
+variable "policy_file" {
+ default = ""
+}
+
+variable "resources" {
+ type = list
+ default = []
+}
+
+variable "actions" {
+ type = list
+ default = []
+}
+
+variable "effect" {
+ default = "Allow"
+}
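Review bot: `type = list` without an element type is the legacy unconstrained form; with Terraform 0.12 it should be `type = list(string)` for both `resources` and `actions` so a wrong shape fails at plan time rather than inside `jsonencode`. Defaulting `name` and `policy_file` to `""` turns a forgotten argument into an IAM policy with an empty name or an empty template path; drop the defaults (`variable "name" { type = string }` / `variable "policy_file" { type = string }`) so they are required. The same empty-string defaults appear for `user` and `policy_arn` in modules/resources/iam_user_policy_attachement/vars.tf, and `bucket`/`tags` in modules/resources/s3/vars.tf carry no type at all (`type = string`, `type = map(string)`).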
diff --git a/modules/resources/iam_user_policy_attachement/main.tf b/modules/resources/iam_user_policy_attachement/main.tf
new file mode 100644
index 0000000..231ed32
--- /dev/null
+++ b/modules/resources/iam_user_policy_attachement/main.tf
@@ -0,0 +1,4 @@
+resource "aws_iam_user_policy_attachment" "attachment" {
+ user = var.user
+ policy_arn = var.policy_arn
+}
diff --git a/modules/resources/iam_user_policy_attachement/vars.tf b/modules/resources/iam_user_policy_attachement/vars.tf
new file mode 100644
index 0000000..4f91621
--- /dev/null
+++ b/modules/resources/iam_user_policy_attachement/vars.tf
@@ -0,0 +1,7 @@
+variable "user" {
+ default = ""
+}
+
+variable "policy_arn" {
+ default = ""
+}
diff --git a/modules/resources/s3/main.tf b/modules/resources/s3/main.tf
new file mode 100644
index 0000000..e7bab31
--- /dev/null
+++ b/modules/resources/s3/main.tf
@@ -0,0 +1,5 @@
+resource "aws_s3_bucket" "s3bucket" {
+ bucket = var.bucket
+ acl = var.acl
+ tags = var.tags
+}
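Review bot: A bucket that receives backups written by a long-lived IAM user gets no versioning, no default encryption and no public-access block here — the module exposes only `bucket`, `acl` and `tags`, so a single `DeleteObject`/`PutObject` with the backup credentials is unrecoverable, and `acl` is the only thing standing between the data and a public grant. The inline `versioning` and `server_side_encryption_configuration` blocks below are what the AWS provider versions contemporary with Terraform 0.12 accept (adjust if the provider pinned elsewhere is newer), and the public-access block applies regardless of what `acl` is set to. If versioning is not wanted for every caller, expose it as a `versioning` variable defaulting to `true` rather than dropping it.
```hcl
resource "aws_s3_bucket" "s3bucket" {
  bucket = var.bucket
  acl    = var.acl
  tags   = var.tags

  # Keep object history so an overwrite or delete made with the backup
  # credentials can be rolled back.
  versioning {
    enabled = true
  }

  # Encrypt every object at rest by default.
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }
}

# Refuse any public ACL or bucket policy regardless of the acl argument.
resource "aws_s3_bucket_public_access_block" "s3bucket" {
  bucket                  = aws_s3_bucket.s3bucket.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```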
diff --git a/modules/resources/s3/outputs.tf b/modules/resources/s3/outputs.tf
new file mode 100644
index 0000000..c833c3d
--- /dev/null
+++ b/modules/resources/s3/outputs.tf
@@ -0,0 +1,14 @@
+output "id" {
+ description = "Name of the bucket"
+ value = "${aws_s3_bucket.s3bucket.id}"
+}
+
+output "arn" {
+ description = "ARN of the bucket"
+ value = "${aws_s3_bucket.s3bucket.arn}"
+}
+
+output "region" {
+ description = "Region of the bucket"
+ value = "${aws_s3_bucket.s3bucket.region}"
+}
diff --git a/modules/resources/s3/vars.tf b/modules/resources/s3/vars.tf
new file mode 100644
index 0000000..265176e
--- /dev/null
+++ b/modules/resources/s3/vars.tf
@@ -0,0 +1,7 @@
+variable "bucket" {}
+variable "acl" {
+ default = "private"
+}
+variable "tags" {
+ default = {}
+}
diff --git a/templates/assume_role.json b/templates/assume_role.json
new file mode 100644
index 0000000..5ed7179
--- /dev/null
+++ b/templates/assume_role.json
@@ -0,0 +1,13 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Action": "sts:AssumeRole",
+ "Principal": {
+ "Service": "${service}"
+ },
+ "Effect": "Allow",
+ "Sid": ""
+ }
+ ]
+}
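Review bot: Nothing in this commit references `templates/assume_role.json` — no module declares a `service` variable or calls `templatefile` on it — so it is dead until a role module that consumes it lands; either leave it out of this change or add that module alongside it. If it stays, the empty `"Sid": ""` can simply be omitted, and naming it `assume_role.tmpl` would match `role_policy.tmpl` and make clear it is a template rather than a literal policy.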
diff --git a/templates/role_policy.tmpl b/templates/role_policy.tmpl
new file mode 100644
index 0000000..e0ddc31
--- /dev/null
+++ b/templates/role_policy.tmpl
@@ -0,0 +1,10 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Action": ${actions},
+ "Effect": "${effect}",
+ "Resource": ${resources}
+ }
+ ]
+}
diff --git a/terraform b/terraform
new file mode 100755
index 0000000..af18b2b
--- /dev/null
+++ b/terraform
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+set -eu
+TOP=$(dirname $0)
+
+update_terraform()
+{
+ export TFVERS=0.12.28
+ if [ ! -x $TOP/.bin/terraform_${TFVERS} ]
+ then
+ (
+ mkdir -p $TOP/.bin/
+ cd $TOP/.bin
+ wget -q https://releases.hashicorp.com/terraform/${TFVERS}/terraform_${TFVERS}_linux_amd64.zip
+ unzip -o terraform_${TFVERS}_linux_amd64.zip
+ mv terraform terraform_${TFVERS}
+ chmod a+x terraform_${TFVERS}
+ ln -sf terraform_${TFVERS} terraform
+ rm terraform_${TFVERS}_linux_amd64.zip
+ )
+ fi
+}
+
+update_terraform
+
+$TOP/.bin/terraform "$@"
+
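Review bot: `update_terraform` installs whatever `wget` returns for the release zip without verifying it — there is no checksum or signature check before the binary is made executable and symlinked as the `terraform` that every subsequent invocation runs, so a tampered or truncated download becomes a silently trusted toolchain. HashiCorp publishes a `terraform_${TFVERS}_SHA256SUMS` next to each release zip; fetch it and refuse to unpack unless the digest matches, as below (checking that file's `.sig` against HashiCorp's release key is the stronger follow-up, since a digest from the same origin only catches corruption and mirror swaps). `$0` and `$TOP` are also unquoted throughout, which breaks on a checkout path containing spaces. With `set -e`, a `grep` that finds no matching line feeds `sha256sum -c` empty input, which exits non-zero and aborts the install as intended.
```sh
TOP=$(dirname "$0")

update_terraform()
{
    export TFVERS=0.12.28
    if [ ! -x "$TOP/.bin/terraform_${TFVERS}" ]
    then
        (
            mkdir -p "$TOP/.bin/"
            cd "$TOP/.bin"
            base=https://releases.hashicorp.com/terraform/${TFVERS}
            zip=terraform_${TFVERS}_linux_amd64.zip
            sums=terraform_${TFVERS}_SHA256SUMS
            wget -q "$base/$zip" "$base/$sums"
            # Abort before unpacking if the zip's digest is not the published one.
            grep " $zip\$" "$sums" | sha256sum -c -
            unzip -o "$zip"
            # … unchanged: mv / chmod / ln -sf …
            rm "$zip" "$sums"
        )
    fi
}
```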