Initial Terraform Files

Author: jayfo

terraform/.gitignore

@@ -0,0 +1,4 @@
+# Terraform Local State
+**/.terraform
+**/terraform.tfstate
+**/terraform.tfstate.backup

terraform/backend/.terraform.lock.hcl

@@ -0,0 +1,36 @@
+/*
+ * Bucket for backend state.
+ */
+resource "aws_s3_bucket" "terraform_state_codebuild" {
+  bucket = "web-dub-aws-infrastructure-state-codebuild"
+
+  /*
+  lifecycle {
+    prevent_destroy = true
+  }
+  */
+}
+
+resource "aws_s3_bucket_versioning" "terraform_state_codebuild" {
+    bucket = aws_s3_bucket.terraform_state_codebuild.id
+
+    versioning_configuration {
+      status = "Enabled"
+    }
+}
+
+resource "aws_kms_key" "terraform_state_codebuild" {
+  description             = "Key for bucket web-dub-aws-infrastructure-state-codebuild"
+  deletion_window_in_days = 10
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "terraform_state_codebuild" {
+  bucket = aws_s3_bucket.terraform_state_codebuild.id
+
+  rule {
+    apply_server_side_encryption_by_default {
+      kms_master_key_id = aws_kms_key.terraform_state_codebuild.arn
+      sse_algorithm     = "aws:kms"
+    }
+  }
+}

terraform/backend/bucket_codebuild.tf

@@ -0,0 +1,35 @@
+/*
+ * Pin specific versions.
+ */
+terraform {
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+      version = "5.38.0"
+    }
+  }
+
+  required_version = "1.7.4"
+}
+
+/*
+ * Configure AWS profile.
+ */
+provider "aws" {
+  profile = "probe"
+}
+
+/*
+ * Table for backend locking.
+ */
+resource "aws_dynamodb_table" "terraform_state_lock" {
+  name           = "web-dub-aws-infrastructure-state-lock"
+  read_capacity  = 1
+  write_capacity = 1
+  hash_key       = "LockID"
+
+  attribute {
+    name = "LockID"
+    type = "S"
+  }
+}

terraform/backend/terraform.tf

@@ -0,0 +1,172 @@
+/*
+ * Pin specific versions.
+ */
+terraform {
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+      version = "5.38.0"
+    }
+  }
+
+  backend "s3" {
+    profile = "probe"
+    region = "us-east-1"
+
+    bucket = "web-dub-aws-infrastructure-state-codebuild"
+    key = "state/terraform.tfstate"
+    dynamodb_table = "web-dub-aws-infrastructure-state-lock"
+  }
+
+  required_version = "1.7.4"
+}
+
+/*
+ * Configure AWS profile.
+ */
+provider "aws" {
+  profile = "probe"
+}
+
+/*
+ * S3 bucket in which to place archive of source.
+ */
+resource "aws_s3_bucket" "codebuild_source_bucket" {
+}
+
+/*
+ * S3 upload of source.
+ */
+resource "aws_s3_object"  "codebuild_source_object" {
+  bucket = aws_s3_bucket.codebuild_source_bucket.id
+  key = "${var.name}.zip"
+  source = var.source_archive
+
+  # etag triggers upload when file changes
+  etag = filemd5(var.source_archive)
+}
+
+/*
+ * Policy document for assuming the defined role.
+ */
+data "aws_iam_policy_document" "policy_document_assume" {
+  statement {
+    actions = [
+      "sts:AssumeRole",
+    ]
+
+    principals {
+      type = "Service"
+      identifiers = [
+        "codebuild.amazonaws.com",
+      ]
+    }
+  }
+}
+
+/*
+ * Policy document for the CodeBuild role.
+ */
+data "aws_iam_policy_document" "policy_document_codebuild" {
+  # CodeBuild policy for permissive access to logging
+  statement {
+    actions = [
+      "logs:CreateLogGroup",
+      "logs:CreateLogStream",
+      "logs:PutLogEvents",
+    ]
+
+    resources = [
+      "*"
+    ]
+  }
+
+  # CodeBuild policy for permissive access to S3
+  statement {
+    actions = [
+      "s3:GetBucketAcl",
+      "s3:GetBucketLocation",
+      "s3:GetObject",
+      "s3:GetObjectVersion",
+      "s3:PutObject",
+    ]
+
+    resources = [
+      "*"
+    ]
+  }
+
+  # CodeBuild policy for permissive access to ECR
+  statement {
+    actions = [
+      "ecr:BatchCheckLayerAvailability",
+      "ecr:CompleteLayerUpload",
+      "ecr:GetAuthorizationToken",
+      "ecr:InitiateLayerUpload",
+      "ecr:PutImage",
+      "ecr:UploadLayerPart",
+    ]
+
+    resources = [
+      "*"
+    ]
+  }
+}
+
+/*
+ * Policy for the CodeBuild role.
+ */
+resource "aws_iam_policy" "policy_codebuild" {
+  policy = data.aws_iam_policy_document.policy_document_codebuild.json
+}
+
+/*
+ * Role that defines access policies for project.
+ */
+resource "aws_iam_role" "codebuild_project_role" {
+  name = "codebuild_role_${var.name}"
+
+  assume_role_policy = data.aws_iam_policy_document.policy_document_assume.json
+  managed_policy_arns = [
+    aws_iam_policy.policy_codebuild.arn,
+  ]
+}
+
+/*
+ * Group for logs.
+ */
+resource "aws_cloudwatch_log_group" "logs" {
+  name = "/aws/codebuild/${var.name}"
+}
+
+/*
+ * Codebuild project.
+ */
+resource "aws_codebuild_project" "codebuild_project" {
+  name = var.name
+
+  service_role = aws_iam_role.codebuild_project_role.arn
+
+  artifacts {
+    type = "NO_ARTIFACTS"
+  }
+
+  environment {
+    compute_type = "BUILD_GENERAL1_SMALL"
+    type = "LINUX_CONTAINER"
+    image = "aws/codebuild/standard:5.0"
+
+    privileged_mode = true
+  }
+
+  source {
+    type = "S3"
+    location = "${aws_s3_object.codebuild_source_object.bucket}/${aws_s3_object.codebuild_source_object.key}"
+  }
+
+  logs_config {
+    cloudwatch_logs {
+      group_name = aws_cloudwatch_log_group.logs.name
+    }
+  }
+}

terraform/codebuild/.terraform.lock.hcl

@@ -0,0 +1,13 @@
+/*
+ * Name of CodeBuild project.
+ */
+variable "name" {
+  type = string
+}
+
+/*
+ * Path to source archive to upload for CodeBuild.
+ */
+variable "source_archive" {
+  type = string
+}