main.tf
locals {
  # OIDC role assumption is only wired up when the OIDC settings object was
  # actually supplied AND the auth method selects it. Note that every AWS auth
  # branch in this file is gated on var.auth_method / local.enable_oidc, so an
  # "iam_role_oidc" workspace without oidc_settings silently gets no AWS
  # credentials at all — presumably variables.tf validates that combination;
  # confirm.
  enable_oidc = var.oidc_settings != null && var.auth_method == "iam_role_oidc"
}
################################################################################
# Workspace
################################################################################
# Terraform Cloud/Enterprise workspace that all AWS credentials in this file are
# attached to (every tfe_variable below targets module.tfe-workspace.workspace_id).
module "tfe-workspace" {
  source  = "schubergphilis/mcaf-workspace/tfe"
  version = "~> 2.2.0"

  name = var.name
  # An agent pool only makes sense for agent execution; pass null otherwise so a
  # leftover pool id is never sent for remote/local execution modes.
  agent_pool_id          = var.execution_mode == "agent" ? var.agent_pool_id : null
  allow_destroy_plan     = var.allow_destroy_plan
  assessments_enabled    = var.assessments_enabled
  auto_apply             = var.auto_apply
  auto_apply_run_trigger = var.auto_apply_run_trigger
  branch                 = var.branch
  # When a region is given it is injected as AWS_DEFAULT_REGION on top of the
  # caller-supplied clear-text env variables (caller value wins on key clash is
  # NOT the case: merge() lets the later map, i.e. the region, override).
  clear_text_env_variables       = var.region != null ? merge(var.clear_text_env_variables, { AWS_DEFAULT_REGION = var.region }) : var.clear_text_env_variables
  clear_text_hcl_variables       = var.clear_text_hcl_variables
  clear_text_terraform_variables = var.clear_text_terraform_variables
  description                    = var.description
  execution_mode                 = var.execution_mode
  file_triggers_enabled          = var.file_triggers_enabled
  # VCS credentials (GitHub App installation or OAuth token) are only forwarded
  # when a repository is actually connected to the workspace.
  github_app_installation_id = var.repository_identifier != null ? var.github_app_installation_id : null
  global_remote_state        = var.global_remote_state
  notification_configuration = var.notification_configuration
  oauth_token_id             = var.repository_identifier != null ? var.oauth_token_id : null
  project_id                 = var.project_id
  queue_all_runs             = var.queue_all_runs
  remote_state_consumer_ids  = var.remote_state_consumer_ids
  repository_identifier      = var.repository_identifier
  # Sensitive variable maps are passed through untouched; marking them as
  # sensitive in the workspace is the wrapped module's responsibility.
  sensitive_env_variables       = var.sensitive_env_variables
  sensitive_hcl_variables       = var.sensitive_hcl_variables
  sensitive_terraform_variables = var.sensitive_terraform_variables
  speculative_enabled           = var.speculative_enabled
  ssh_key_id                    = var.ssh_key_id
  terraform_organization        = var.terraform_organization
  terraform_version             = var.terraform_version
  trigger_patterns              = var.trigger_patterns
  trigger_prefixes              = var.trigger_prefixes
  variable_set_ids              = var.variable_set_ids
  working_directory             = var.working_directory
  workspace_tags                = var.workspace_tags
}
################################################################################
# RBAC
################################################################################
# Resolve each team named in var.team_access to its id; the map keys are the
# team names within the configured organization.
data "tfe_team" "default" {
  for_each = toset([for team_name, _ in var.team_access : team_name])

  name         = each.value
  organization = var.terraform_organization
}
# Grants each team in var.team_access its access level on the workspace.
resource "tfe_team_access" "default" {
  for_each = var.team_access

  access       = each.value.access
  team_id      = data.tfe_team.default[each.key].id
  workspace_id = module.tfe-workspace.workspace_id

  # At most one permissions block: the one-element {create = true} map is only
  # an iterator so the block is emitted when custom permissions were supplied.
  # NOTE(review): access and permissions are both always set from the variable;
  # presumably the variable's type makes access null whenever permissions is
  # given (the provider treats them as alternatives) — confirm in variables.tf.
  dynamic "permissions" {
    for_each = each.value.permissions != null ? { create = true } : {}
    content {
      # Every key is indexed unconditionally, so a permissions object missing
      # any of these fails at plan time unless defaults are filled in upstream.
      run_tasks         = each.value.permissions["run_tasks"]
      runs              = each.value.permissions["runs"]
      sentinel_mocks    = each.value.permissions["sentinel_mocks"]
      state_versions    = each.value.permissions["state_versions"]
      variables         = each.value.permissions["variables"]
      workspace_locking = each.value.permissions["workspace_locking"]
    }
  }
}
################################################################################
# Auth - IAM User
################################################################################
# Static-credential variant: an IAM user whose access key is pushed into the
# workspace as environment variables (see the two tfe_variable resources below).
module "workspace_iam_user" {
  count = var.auth_method == "iam_user" ? 1 : 0

  source  = "schubergphilis/mcaf-user/aws"
  version = "~> 0.4.0"

  name                 = var.username
  path                 = var.path
  permissions_boundary = var.permissions_boundary_arn
  policy               = var.policy
  policy_arns          = var.policy_arns
  tags                 = var.tags
}
# Access key id for the iam_user variant, exposed as a plain env variable.
# NOTE(review): unlike the secret below this one is not marked sensitive, so
# the key id remains readable through the workspace UI/API.
resource "tfe_variable" "aws_access_key_id" {
  count = var.auth_method == "iam_user" ? 1 : 0

  workspace_id = module.tfe-workspace.workspace_id
  category     = "env"
  key          = "AWS_ACCESS_KEY_ID"
  value        = module.workspace_iam_user[0].access_key_id
}
# Secret half of the static credential; sensitive so it is write-only in TFE
# (it still lives in this configuration's state, as all tfe_variable values do).
resource "tfe_variable" "aws_secret_access_key" {
  count = var.auth_method == "iam_user" ? 1 : 0

  workspace_id = module.tfe-workspace.workspace_id
  category     = "env"
  sensitive    = true
  key          = "AWS_SECRET_ACCESS_KEY"
  value        = module.workspace_iam_user[0].secret_access_key
}
################################################################################
# Auth - IAM Role - External ID & Agent
################################################################################
# Random external id embedded in the role's trust policy and handed to the
# workspace, so only callers that know it can assume the role.
resource "random_uuid" "external_id" {
  count = var.auth_method != "iam_role" ? 0 : 1
}
# Assumed-role variant: a role whose trust policy is rendered from a template
# with the external id above and the agent role ARNs allowed to assume it.
module "workspace_iam_role" {
  count = var.auth_method == "iam_role" ? 1 : 0

  source  = "schubergphilis/mcaf-role/aws"
  version = "~> 0.4.0"

  name                 = var.role_name
  path                 = var.path
  permissions_boundary = var.permissions_boundary_arn
  policy_arns          = var.policy_arns
  role_policy          = var.policy
  tags                 = var.tags
  # The template itself is not visible here; presumably it conditions
  # sts:AssumeRole on sts:ExternalId and lists role_arns_json as principals —
  # confirm in templates/assume_role_policy.tftpl. An empty var.agent_role_arns
  # would render an empty principal list.
  assume_policy = templatefile("${path.module}/templates/assume_role_policy.tftpl", {
    external_id    = random_uuid.external_id[0].result,
    role_arns_json = jsonencode(var.agent_role_arns)
  })
}
# ARN of the role the workspace's Terraform code is expected to assume
# (a Terraform input variable, not an env var).
resource "tfe_variable" "aws_assume_role" {
  count = var.auth_method == "iam_role" ? 1 : 0

  workspace_id = module.tfe-workspace.workspace_id
  category     = "terraform"
  key          = "aws_assume_role"
  value        = module.workspace_iam_role[0].arn
}
# The external id that accompanies the assume-role call; kept sensitive because
# it is the only thing distinguishing an authorised caller from any other
# principal in the trust policy's allow-list.
resource "tfe_variable" "aws_assume_role_external_id" {
  count = var.auth_method == "iam_role" ? 1 : 0

  workspace_id = module.tfe-workspace.workspace_id
  category     = "terraform"
  sensitive    = true
  key          = "aws_assume_role_external_id"
  value        = random_uuid.external_id[0].result
}
################################################################################
# Auth - IAM Role - OIDC
################################################################################
# Workload-identity (OIDC) variant: no long-lived secret is stored; the
# workspace exchanges its run token for role credentials at run time.
module "workspace_iam_role_oidc" {
  count = local.enable_oidc ? 1 : 0

  source  = "schubergphilis/mcaf-role/aws"
  version = "~> 0.4.0"

  name                 = var.role_name
  path                 = var.path
  permissions_boundary = var.permissions_boundary_arn
  policy_arns          = var.policy_arns
  role_policy          = var.policy
  tags                 = var.tags
  # Trust policy inputs: the organization and workspace names are passed so the
  # template can restrict the token subject to this specific workspace rather
  # than the whole organization — the template is not visible here, confirm
  # that templates/assume_role_policy_oidc.tftpl actually uses them that way.
  assume_policy = templatefile("${path.module}/templates/assume_role_policy_oidc.tftpl", {
    audience       = var.oidc_settings.audience,
    org_name       = var.terraform_organization,
    provider_arn   = var.oidc_settings.provider_arn,
    site_address   = var.oidc_settings.site_address,
    workspace_name = var.name
  })
}
# Switches on dynamic provider credentials for AWS in this workspace.
resource "tfe_variable" "tfc_aws_provider_auth" {
  count = local.enable_oidc ? 1 : 0

  workspace_id = module.tfe-workspace.workspace_id
  category     = "env"
  key          = "TFC_AWS_PROVIDER_AUTH"
  value        = "true"
}
# Role that runs in this workspace assume via the OIDC token exchange.
resource "tfe_variable" "tfc_aws_run_role_arn" {
  count = local.enable_oidc ? 1 : 0

  workspace_id = module.tfe-workspace.workspace_id
  category     = "env"
  key          = "TFC_AWS_RUN_ROLE_ARN"
  value        = module.workspace_iam_role_oidc[0].arn
}
# Audience claim placed in the workload identity token; it is the same value
# handed to the OIDC role's trust policy template above, so the two must match.
resource "tfe_variable" "tfc_aws_workload_identity_audience" {
  count = local.enable_oidc ? 1 : 0

  workspace_id = module.tfe-workspace.workspace_id
  category     = "env"
  key          = "TFC_AWS_WORKLOAD_IDENTITY_AUDIENCE"
  value        = var.oidc_settings.audience
}