TF: add backup S3 bucket

For LSS-2109

Signed-off-by: Riku Voipio <riku.voipio@linaro.org>
Change-Id: Iede061f0bc186ea6405a8fd400a7dd905000aeab
diff --git a/backups.tf b/backups.tf
new file mode 100644
index 0000000..cec2e99
--- /dev/null
+++ b/backups.tf
@@ -0,0 +1,32 @@
+module "trustedfirmware_backups" {
+  source = "./modules/resources/s3"
+  bucket = "trustedfirmware-backups"
+  acl = "private"
+}
+
+module "s3_backup_policy" {
+  source      = "./modules/resources/iam_policy"
+  name        = "s3_backup_policy"
+  policy_file = "templates/role_policy.tmpl"
+  actions = [
+                "s3:AbortMultipartUpload",
+                "s3:CompleteMultipartUpload",
+                "s3:ListBucket",
+                "s3:ListBucketMultipartUploads",
+                "s3:PutObject",
+                "s3:GetObject",
+                "s3:DeleteObject",
+                "s3:PutObjectAcl"
+  ]
+  resources = [
+                "arn:aws:s3:::trustedfirmware-backups-*/*"
+  ]
+}
+
+module "backup_policy_attach" {
+  source     = "./modules/resources/iam_user_policy_attachement"
+  user       = "cloud-backups"
+  policy_arn = module.s3_backup_policy.arn
+}
+
+
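Review bot: The resources list at the end of `s3_backup_policy` (`arn:aws:s3:::trustedfirmware-backups-*/*`) does not cover the bucket this file creates — the bucket is named `trustedfirmware-backups`, so the pattern only matches objects in other buckets whose names start with `trustedfirmware-backups-`, and the bucket-level actions `s3:ListBucket` / `s3:ListBucketMultipartUploads` are never granted because they need the bucket ARN itself rather than `/*`. Deriving both ARNs from the module output keeps the policy tied to the bucket it is meant for: `module.trustedfirmware_backups.arn, "${module.trustedfirmware_backups.arn}/*"`. The template behind the `iam_policy` module emits a single Statement, so both ARNs will apply to every action; acceptable here, though a split statement would be tighter. `s3:DeleteObject` on credentials used only to write backups deserves a second look as well: a leaked backup key could then wipe the backups it writes, so either drop it in favour of a lifecycle rule or make sure the bucket has versioning enabled.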
diff --git a/modules/resources/iam_policy/main.tf b/modules/resources/iam_policy/main.tf
new file mode 100644
index 0000000..d097a9c
--- /dev/null
+++ b/modules/resources/iam_policy/main.tf
@@ -0,0 +1,9 @@
+resource "aws_iam_policy" "iam_policy" {
+  name = var.name
+  policy = templatefile(var.policy_file, {
+    effect    = var.effect
+    actions   = jsonencode(var.actions)
+    resources = jsonencode(var.resources)
+    }
+  )
+}
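Review bot: `effect` is spliced into `templates/role_policy.tmpl` as a raw string inside quotes while `actions` and `resources` go through `jsonencode`, so the validity of the generated document depends on callers never passing a value containing a quote or backslash, and the template (see the later `role_policy.tmpl` hunk) can only ever express one Statement. Building the document with `jsonencode` in HCL removes the text template and the escaping concern entirely and lets Terraform validate the structure before it reaches the API. If the template file is kept for flexibility, at least pass `effect = jsonencode(var.effect)` here and write `"Effect": ${effect}` in the template so all three values are encoded the same way.
```hcl
resource "aws_iam_policy" "iam_policy" {
  name = var.name
  # Encode the whole document instead of splicing strings into a text template.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = var.effect
      Action   = var.actions
      Resource = var.resources
    }]
  })
}
```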
diff --git a/modules/resources/iam_policy/outputs.tf b/modules/resources/iam_policy/outputs.tf
new file mode 100644
index 0000000..0aa5f96
--- /dev/null
+++ b/modules/resources/iam_policy/outputs.tf
@@ -0,0 +1,6 @@
+output "name" {
+  value = "${aws_iam_policy.iam_policy.name}"
+}
+output "arn" {
+  value = "${aws_iam_policy.iam_policy.arn}"
+}
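Review bot: The `value` expressions in both outputs wrap a single reference in `"${...}"`, which Terraform 0.12 (the version the wrapper script pins) reports as a deprecated interpolation-only expression on every plan; write `value = aws_iam_policy.iam_policy.name` and `value = aws_iam_policy.iam_policy.arn` instead. The same pattern appears in all three outputs of `modules/resources/s3/outputs.tf`. A `description` on each output, as the s3 module already provides, would also help consumers of this module.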
diff --git a/modules/resources/iam_policy/vars.tf b/modules/resources/iam_policy/vars.tf
new file mode 100644
index 0000000..5eac806
--- /dev/null
+++ b/modules/resources/iam_policy/vars.tf
@@ -0,0 +1,21 @@
+variable "name" {
+  default = ""
+}
+
+variable "policy_file" {
+  default = ""
+}
+
+variable "resources" {
+  type    = list
+  default = []
+}
+
+variable "actions" {
+  type    = list
+  default = []
+}
+
+variable "effect" {
+  default = "Allow"
+}
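Review bot: `name` and `policy_file` default to `""`, which turns two inputs the resource cannot work without into optional ones — a module call that omits them is not rejected at plan time but fails at apply with an empty policy name or a `templatefile` error; dropping the defaults makes Terraform require them: `variable "name" { type = string }` and `variable "policy_file" { type = string }`. `type = list` on `resources` and `actions` is the pre-0.12 shorthand for `list(any)`; `list(string)` states what the policy template actually accepts. The same `default = ""` pattern is in `modules/resources/iam_user_policy_attachement/vars.tf` (`user`, `policy_arn`), and `tags` in `modules/resources/s3/vars.tf` would benefit from `type = map(string)`.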
diff --git a/modules/resources/iam_user_policy_attachement/main.tf b/modules/resources/iam_user_policy_attachement/main.tf
new file mode 100644
index 0000000..231ed32
--- /dev/null
+++ b/modules/resources/iam_user_policy_attachement/main.tf
@@ -0,0 +1,4 @@
+resource "aws_iam_user_policy_attachment" "attachment" {
+  user       = var.user
+  policy_arn = var.policy_arn
+}
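Review bot: The module path `modules/resources/iam_user_policy_attachement` misspells "attachment", and `backups.tf` already refers to it by that path, so fixing it later means touching every caller; renaming now is cheap. The attachment also targets the IAM user `cloud-backups` by name only — no `aws_iam_user` for it appears in this change, so apply relies on that user already existing outside Terraform (assuming it is not managed elsewhere in the repository), which is worth a comment at the call site.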
diff --git a/modules/resources/iam_user_policy_attachement/vars.tf b/modules/resources/iam_user_policy_attachement/vars.tf
new file mode 100644
index 0000000..4f91621
--- /dev/null
+++ b/modules/resources/iam_user_policy_attachement/vars.tf
@@ -0,0 +1,7 @@
+variable "user" {
+  default = ""
+}
+
+variable "policy_arn" {
+  default = ""
+}
diff --git a/modules/resources/s3/main.tf b/modules/resources/s3/main.tf
new file mode 100644
index 0000000..e7bab31
--- /dev/null
+++ b/modules/resources/s3/main.tf
@@ -0,0 +1,5 @@
+resource "aws_s3_bucket" "s3bucket" {
+  bucket = var.bucket
+  acl    = var.acl
+  tags   = var.tags
+}
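Review bot: `aws_s3_bucket` is created with only `bucket`, `acl` and `tags`, so a bucket used for backups gets no versioning, no default encryption and no public-access block; with the attached policy granting `s3:DeleteObject` and `s3:PutObjectAcl`, an overwritten or deleted backup is unrecoverable and an individual object ACL can still be made public despite `acl = "private"` on the bucket. With the AWS provider generations contemporaneous with Terraform 0.12 these are inline `versioning` and `server_side_encryption_configuration` blocks plus a separate `aws_s3_bucket_public_access_block` resource (provider 4.x moved the first two into their own resources, so adjust if the provider has been upgraded). Gating versioning and encryption behind module variables that default to on would keep the module reusable for non-backup buckets.
```hcl
resource "aws_s3_bucket" "s3bucket" {
  bucket = var.bucket
  acl    = var.acl
  tags   = var.tags

  # Keep prior versions so an overwrite or delete by the backup credentials is recoverable.
  versioning {
    enabled = true
  }

  # Encrypt at rest by default; SSE-S3 needs no key management from the caller.
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }
}

# Refuse public ACLs and policies regardless of what a caller passes for `acl`.
resource "aws_s3_bucket_public_access_block" "s3bucket" {
  bucket                  = aws_s3_bucket.s3bucket.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```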
diff --git a/modules/resources/s3/outputs.tf b/modules/resources/s3/outputs.tf
new file mode 100644
index 0000000..c833c3d
--- /dev/null
+++ b/modules/resources/s3/outputs.tf
@@ -0,0 +1,14 @@
+output "id" {
+  description = "Name of the bucket"
+  value       = "${aws_s3_bucket.s3bucket.id}"
+}
+
+output "arn" {
+  description = "ARN of the bucket"
+  value       = "${aws_s3_bucket.s3bucket.arn}"
+}
+
+output "region" {
+  description = "Region of the bucket"
+  value       = "${aws_s3_bucket.s3bucket.region}"
+}
diff --git a/modules/resources/s3/vars.tf b/modules/resources/s3/vars.tf
new file mode 100644
index 0000000..265176e
--- /dev/null
+++ b/modules/resources/s3/vars.tf
@@ -0,0 +1,7 @@
+variable "bucket" {}
+variable "acl" {
+  default = "private"
+}
+variable "tags" {
+  default = {}
+}
diff --git a/templates/assume_role.json b/templates/assume_role.json
new file mode 100644
index 0000000..5ed7179
--- /dev/null
+++ b/templates/assume_role.json
@@ -0,0 +1,13 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Action": "sts:AssumeRole",
+            "Principal": {
+               "Service": "${service}"
+            },
+            "Effect": "Allow",
+            "Sid": ""
+        }
+    ]
+}
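Review bot: Nothing in this change reads `templates/assume_role.json` — the only template consumed is `templates/role_policy.tmpl` via the `iam_policy` module — so the file lands as dead code with an unbound `${service}` placeholder. Either leave it out of this commit or add the role module that renders it. If it stays, a `.tmpl` suffix like its sibling would signal that it is a template rather than a literal policy document.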
diff --git a/templates/role_policy.tmpl b/templates/role_policy.tmpl
new file mode 100644
index 0000000..e0ddc31
--- /dev/null
+++ b/templates/role_policy.tmpl
@@ -0,0 +1,10 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": ${actions},
+      "Effect": "${effect}",
+      "Resource": ${resources}
+    }
+  ]
+}
diff --git a/terraform b/terraform
new file mode 100755
index 0000000..af18b2b
--- /dev/null
+++ b/terraform
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+set -eu
+TOP=$(dirname $0)
+
+update_terraform()
+{
+    export TFVERS=0.12.28
+    if [ ! -x $TOP/.bin/terraform_${TFVERS} ]
+    then
+        (
+        mkdir -p $TOP/.bin/
+        cd $TOP/.bin
+        wget -q https://releases.hashicorp.com/terraform/${TFVERS}/terraform_${TFVERS}_linux_amd64.zip
+        unzip -o terraform_${TFVERS}_linux_amd64.zip
+        mv terraform terraform_${TFVERS}
+        chmod a+x terraform_${TFVERS}
+        ln -sf terraform_${TFVERS} terraform
+        rm terraform_${TFVERS}_linux_amd64.zip
+        )
+    fi
+}
+
+update_terraform
+
+$TOP/.bin/terraform "$@"
+
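Review bot: `update_terraform` installs whatever `wget` returns for the release zip without checking it against a known digest, so `TFVERS=0.12.28` pins the version string but not the binary that every subsequent `terraform apply` runs with; a pinned SHA-256 for the archive (taken from HashiCorp's published `terraform_0.12.28_SHA256SUMS`) turns a corrupted or substituted download into a hard failure. Verifying the `_SHA256SUMS.sig` with HashiCorp's release key would be stronger still, but a hard-coded digest already removes the dependence on the download path. While there, `$TOP` and `$0` are unquoted throughout (`dirname $0`, the `[ -x ... ]` test, the `cd`), so a checkout path containing a space breaks the script, and the final line can be `exec "$TOP/.bin/terraform" "$@"` so the wrapper does not linger as a parent process.
```sh
TOP=$(dirname "$0")

update_terraform()
{
    export TFVERS=0.12.28
    # Digest of terraform_${TFVERS}_linux_amd64.zip from HashiCorp's published SHA256SUMS for this version.
    TFSHA256="<sha256 of terraform_0.12.28_linux_amd64.zip — placeholder, fill from the release SHA256SUMS>"
    if [ ! -x "$TOP/.bin/terraform_${TFVERS}" ]
    then
        (
        mkdir -p "$TOP/.bin/"
        cd "$TOP/.bin"
        wget -q "https://releases.hashicorp.com/terraform/${TFVERS}/terraform_${TFVERS}_linux_amd64.zip"
        # set -e aborts the subshell (and the script) if the digest does not match.
        echo "${TFSHA256}  terraform_${TFVERS}_linux_amd64.zip" | sha256sum -c -
        unzip -o "terraform_${TFVERS}_linux_amd64.zip"
        # … unchanged: mv, chmod, ln -sf, rm of the zip …
        )
    fi
}

update_terraform

exec "$TOP/.bin/terraform" "$@"
```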