From e15d2681dc585ef6a990410f505d5c24ba0a9352 Mon Sep 17 00:00:00 2001 From: Veetaha Date: Tue, 25 Mar 2025 14:14:33 +0000 Subject: [PATCH 1/4] Introduce `elastio-asset-account-cloudformation-stack` terraform module --- .../cloudformation-stack/.module.toml | 5 + .../terraform/cloudformation-stack/README.md | 72 ++++++++++ .../examples/basic/.terraform.lock.hcl | 25 ++++ .../examples/basic/main.tf | 6 + .../examples/basic/variables.tf | 13 ++ .../examples/basic/versions.tf | 3 + .../terraform/cloudformation-stack/main.tf | 35 +++++ .../terraform/cloudformation-stack/outputs.tf | 7 + .../cloudformation-stack/variables.tf | 132 ++++++++++++++++++ .../cloudformation-stack/versions.tf | 10 ++ .../terraform/stack-set/.module.toml | 2 +- .../terraform/stack-set/variables.tf | 2 +- iam-policies/terraform/README.md | 2 +- 13 files changed, 311 insertions(+), 3 deletions(-) create mode 100644 asset-account/terraform/cloudformation-stack/.module.toml create mode 100644 asset-account/terraform/cloudformation-stack/README.md create mode 100644 asset-account/terraform/cloudformation-stack/examples/basic/.terraform.lock.hcl create mode 100644 asset-account/terraform/cloudformation-stack/examples/basic/main.tf create mode 100644 asset-account/terraform/cloudformation-stack/examples/basic/variables.tf create mode 100644 asset-account/terraform/cloudformation-stack/examples/basic/versions.tf create mode 100644 asset-account/terraform/cloudformation-stack/main.tf create mode 100644 asset-account/terraform/cloudformation-stack/outputs.tf create mode 100644 asset-account/terraform/cloudformation-stack/variables.tf create mode 100644 asset-account/terraform/cloudformation-stack/versions.tf diff --git a/asset-account/terraform/cloudformation-stack/.module.toml b/asset-account/terraform/cloudformation-stack/.module.toml new file mode 100644 index 0000000..92387ce --- /dev/null +++ b/asset-account/terraform/cloudformation-stack/.module.toml 
@@ -0,0 +1,5 @@
+[module]
+name = "aws-elastio-asset-account-cloudformation-stack"
+description = "Terraform module for creating the Elastio Asset Account CloudFormation stack"
+type = "terraform"
+version = "0.33.0"
diff --git a/asset-account/terraform/cloudformation-stack/README.md b/asset-account/terraform/cloudformation-stack/README.md
new file mode 100644
index 0000000..45feab1
--- /dev/null
+++ b/asset-account/terraform/cloudformation-stack/README.md
@@ -0,0 +1,72 @@
+# Elastio Asset Account CloudFormation Stack
+
+See [this README](../..) for more details on what this stack does.
+
+This is a Terraform module, that is a thin wrapper on top of an [`aws_cloudformation_stack`](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack) resource used to deploy the Elastio Asset Account stack.
+
+See the basic [usage example](./examples/basic/main.tf).
+
+## Installation
+
+[Configure](../../../README.md#configuring-the-terraform-modules-registry) the Elastio terraform module registry, and add this to your project:
+
+```tf
+module "elastio_asset_account" {
+ source = "terraform.cloudsmith.io/public/elastio-asset-account-cloudformation-stack/aws"
+ version = "0.33.0"
+
+ // Provide input parameters
+}
+```
+
+
+
+## Requirements
+
+| Name | Version |
+| ------------------------------------------------------------------------ | ------- |
+| [terraform](#requirement_terraform) | ~> 1.0 |
+| [aws](#requirement_aws) | ~> 5.0 |
+
+## Providers
+
+| Name | Version |
+| ------------------------------------------------ | ------- |
+| [aws](#provider_aws) | ~> 5.0 |
+
+## Modules
+
+No modules. 
+
+## Resources
+
+| Name | Type |
+| --------------------------------------------------------------------------------------------------------------------------------- | -------- |
+| [aws_cloudformation_stack.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+| ------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------- | ----------------------- | :------: |
+| [disable_rollback](#input_disable_rollback) | [See docs here](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack#disable_rollback-1) | `bool` | `null` | no |
+| [encrypt_with_cmk](#input_encrypt_with_cmk) | Provision an additional customer-managed KMS key to encrypt Lambda environment variables.
This increases the cost of the stack. | `bool` | `false` | no |
+| [iam_resource_names_prefix](#input_iam_resource_names_prefix) | Add a custom prefix to names of all IAM resources deployed by this stack. | `string` | `""` | no |
+| [iam_resource_names_suffix](#input_iam_resource_names_suffix) | Add a custom prefix to names of all IAM resources deployed by this stack. | `string` | `""` | no |
+| [iam_role_arn](#input_iam_role_arn) | [See docs here](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack#iam_role_arn-1) | `string` | `null` | no |
+| [lambda_tracing](#input_lambda_tracing) | Enable AWS X-Ray tracing for Lambda functions.
This increases the cost of the stack. | `bool` | `false` | no |
+| [notification_arns](#input_notification_arns) | [See docs here](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack#notification_arns-1) | `list(string)` | `null` | no |
+| [on_failure](#input_on_failure) | [See docs here](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack#on_failure-1) | `string` | `null` | no |
+| [policy_body](#input_policy_body) | [See docs here](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack#policy_body-1) | `string` | `null` | no |
+| [policy_url](#input_policy_url) | [See docs here](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack#policy_url-1) | `string` | `null` | no |
+| [stack_name](#input_stack_name) | The name of the CloudFormation StackSet. | `string` | `"ElastioAssetAccount"` | no |
+| [tags](#input_tags) | Additional tags to apply to all resources created by this stack. | `map(string)` | `{}` | no |
+| [template_url](#input_template_url) | The URL of the Elastio Asset Account CloudFormation template obtained from
the Elastio Portal.

This parameter is sensitive, because anyone who knows this URL can deploy
Elastio Account stack and linking it to your Elastio tenant. | `string` | n/a | yes |
+| [timeout_in_minutes](#input_timeout_in_minutes) | [See docs here](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack#timeout_in_minutes-1) | `number` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+| -------------------------------------------------- | ----------------------------------------------------- |
+| [stack](#output_stack) | The outputs of the aws_cloudformation_stack resource. |
+
+
diff --git a/asset-account/terraform/cloudformation-stack/examples/basic/.terraform.lock.hcl b/asset-account/terraform/cloudformation-stack/examples/basic/.terraform.lock.hcl
new file mode 100644
index 0000000..7573cdb
--- /dev/null
+++ b/asset-account/terraform/cloudformation-stack/examples/basic/.terraform.lock.hcl
@@ -0,0 +1,25 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/aws" {
+ version = "5.92.0"
+ constraints = "~> 5.0"
+ hashes = [
+ "h1:ZnpTxMfg5PThZc5WZCsZELinsR0gPhdTpNmXjVcf7aE=",
+ "zh:1d3a0b40831360e8e988aee74a9ff3d69d95cb541c2eae5cb843c64303a091ba",
+ "zh:3d29cbced6c708be2041a708d25c7c0fc22d09e4d0b174360ed113bfae786137",
+ "zh:4341a203cf5820a0ca18bb514ae10a6c113bc6a728fb432acbf817d232e8eff4",
+ "zh:4a49e2d91e4d92b6b93ccbcbdcfa2d67935ce62e33b939656766bb81b3fd9a2c",
+ "zh:54c7189358b37fd895dedbabf84e509c1980a8c404a1ee5b29b06e40497b8655",
+ "zh:5d8bb1ff089c37cb65c83b4647f1981fded993e87d8132915d92d79f29e2fcd8",
+ "zh:618f2eb87cd65b245aefba03991ad714a51ff3b841016ef68e2da2b85d0b2325",
+ "zh:7bce07bc542d0588ca42bac5098dd4f8af715417cd30166b4fb97cedd44ab109",
+ "zh:81419eab2d8810beb114b1ff5cbb592d21edc21b809dc12bb066e4b88fdd184a",
+ "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
+ "zh:9dea39d4748eeeebe2e76ca59bca4ccd161c2687050878c47289a98407a23372",
+ "zh:d692fc33b67ac89e916c8f9233d39eacab8c438fe10172990ee9d94fba5ca372",
+ "zh:d9075c7da48947c029ba47d5985e1e8e3bf92367bfee8ca1ff0e747765e779a1",
+ "zh:e81c62db317f3b640b2e04eba0ada8aa606bcbae0152c09f6242e86b86ef5889",
+ "zh:f68562e073722c378d2f3529eb80ad463f12c44aa5523d558ae3b69f4de5ca1f",
+ ]
+}
diff --git a/asset-account/terraform/cloudformation-stack/examples/basic/main.tf b/asset-account/terraform/cloudformation-stack/examples/basic/main.tf
new file mode 100644
index 0000000..ed8dd97
--- /dev/null
+++ b/asset-account/terraform/cloudformation-stack/examples/basic/main.tf
@@ -0,0 +1,6 @@
+
+module "elastio_asset_account" {
+ source = "../../"
+
+ template_url = var.template_url
+}
diff --git a/asset-account/terraform/cloudformation-stack/examples/basic/variables.tf b/asset-account/terraform/cloudformation-stack/examples/basic/variables.tf
new file mode 100644
index 0000000..9761c40
--- /dev/null
+++ b/asset-account/terraform/cloudformation-stack/examples/basic/variables.tf
@@ -0,0 +1,13 @@
+variable "template_url" {
+ description = <<-DESCR
+ The URL of the Elastio Asset Account CloudFormation template obtained from
+ the Elastio Portal.
+
+ This parameter is sensitive, because anyone who knows this URL can deploy
+ Elastio Account stack and linking it to your Elastio tenant.
+ DESCR
+
+ sensitive = true
+ type = string
+ nullable = false
+}
diff --git a/asset-account/terraform/cloudformation-stack/examples/basic/versions.tf b/asset-account/terraform/cloudformation-stack/examples/basic/versions.tf
new file mode 100644
index 0000000..ab789a3
--- /dev/null
+++ b/asset-account/terraform/cloudformation-stack/examples/basic/versions.tf
@@ -0,0 +1,3 @@
+terraform {
+ required_version = "~> 1.0"
+}
diff --git a/asset-account/terraform/cloudformation-stack/main.tf b/asset-account/terraform/cloudformation-stack/main.tf
new file mode 100644
index 0000000..0774af9
--- /dev/null
+++ b/asset-account/terraform/cloudformation-stack/main.tf
@@ -0,0 +1,35 @@
+resource "aws_cloudformation_stack" "this" {
+ tags = merge(var.tags, { "elastio:resource" = true })
+
+ name = var.stack_name
+ template_url = var.template_url
+ capabilities = ["CAPABILITY_IAM", "CAPABILITY_NAMED_IAM"]
+
+ disable_rollback = var.disable_rollback
+ notification_arns = var.notification_arns
+ on_failure = var.on_failure
+ policy_body = var.policy_body
+ policy_url = var.policy_url
+ iam_role_arn = var.iam_role_arn
+ timeout_in_minutes = var.timeout_in_minutes
+
+ parameters = {
+ for key, value in {
+ iamResourceNamesPrefix = var.iam_resource_names_prefix
+ iamResourceNamesSuffix = var.iam_resource_names_suffix
+ encryptWithCmk = var.encrypt_with_cmk
+ lambdaTracing = var.lambda_tracing
+ } :
+ key => tostring(value)
+ }
+
+ # Ignore some internal parameter values
+ lifecycle {
+ ignore_changes = [
+ parameters["cloudConnectorAccountId"],
+ parameters["cloudConnectorRoleExternalId"],
+ parameters["deploymentNotificationToken"],
+ parameters["deploymentNotificationTopicArn"],
+ ]
+ }
+}
diff --git a/asset-account/terraform/cloudformation-stack/outputs.tf b/asset-account/terraform/cloudformation-stack/outputs.tf
new file mode 100644
index 0000000..44169ed
--- /dev/null
+++ b/asset-account/terraform/cloudformation-stack/outputs.tf
@@ -0,0 +1,7 @@
+output "stack" {
+ description = <<-DESCR
+ The outputs of the aws_cloudformation_stack resource.
+ DESCR
+
+ value = aws_cloudformation_stack.this
+}
diff --git a/asset-account/terraform/cloudformation-stack/variables.tf b/asset-account/terraform/cloudformation-stack/variables.tf
new file mode 100644
index 0000000..f26be64
--- /dev/null
+++ b/asset-account/terraform/cloudformation-stack/variables.tf
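Review bot: `output "stack"` in outputs.tf exports the whole `aws_cloudformation_stack.this` object, whose `template_url` attribute is populated from the `template_url` variable that variables.tf declares with `sensitive = true`. Terraform propagates that sensitivity into the resource attributes, so a root module consuming this module will likely fail its plan with an "Output refers to sensitive values" error unless the output is also marked `sensitive = true`, and marking it sensitive then hides the stack outputs callers actually want. A narrower output avoids both problems and keeps the URL, which the variable description says lets anyone link a stack to your tenant, out of the caller's outputs: e.g. `value = aws_cloudformation_stack.this.outputs` with the description updated to match, adding `id`/`name` as separate outputs if needed. The examples/basic root module declares no outputs, so the `terraform validate` run in CI would presumably not surface this.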
@@ -0,0 +1,132 @@
+#########################
+## Required parameters ##
+#########################
+
+variable "template_url" {
+ description = <<-DESCR
+ The URL of the Elastio Asset Account CloudFormation template obtained from
+ the Elastio Portal.
+
+ This parameter is sensitive, because anyone who knows this URL can deploy
+ Elastio Account stack and linking it to your Elastio tenant.
+ DESCR
+
+ sensitive = true
+ type = string
+ nullable = false
+}
+
+#########################
+## Optional parameters ##
+#########################
+
+variable "tags" {
+ description = <<-DESCR
+ Additional tags to apply to all resources created by this stack.
+ DESCR
+
+ type = map(string)
+ default = {}
+}
+
+variable "stack_name" {
+ description = "The name of the CloudFormation StackSet."
+ type = string
+ nullable = false
+ default = "ElastioAssetAccount"
+}
+
+variable "disable_rollback" {
+ description = "[See docs here](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack#disable_rollback-1)"
+
+ type = bool
+ default = null
+}
+
+variable "notification_arns" {
+ description = "[See docs here](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack#notification_arns-1)"
+
+ type = list(string)
+ default = null
+}
+
+variable "on_failure" {
+ description = "[See docs here](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack#on_failure-1)"
+
+ type = string
+ default = null
+}
+
+variable "policy_body" {
+ description = "[See docs here](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack#policy_body-1)"
+
+ type = string
+ default = null
+}
+
+variable "policy_url" {
+ description = "[See docs here](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack#policy_url-1)"
+
+ type = string
+ default = null
+}
+
+variable "iam_role_arn" {
+ description = "[See 
docs here](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack#iam_role_arn-1)"
+
+ type = string
+ default = null
+}
+
+variable "timeout_in_minutes" {
+ description = "[See docs here](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack#timeout_in_minutes-1)"
+
+ type = number
+ default = null
+}
+
+#####################################################
+## Optional parameters of the CloudFormation stack ##
+#####################################################
+
+variable "iam_resource_names_prefix" {
+ description = <<-DESCR
+ Add a custom prefix to names of all IAM resources deployed by this stack.
+ DESCR
+
+ type = string
+ nullable = false
+ default = ""
+}
+
+variable "iam_resource_names_suffix" {
+ description = <<-DESCR
+ Add a custom prefix to names of all IAM resources deployed by this stack.
+ DESCR
+
+ type = string
+ nullable = false
+ default = ""
+}
+
+variable "encrypt_with_cmk" {
+ description = <<-DESCR
+ Provision an additional customer-managed KMS key to encrypt Lambda environment variables.
+ This increases the cost of the stack.
+ DESCR
+
+ type = bool
+ nullable = false
+ default = false
+}
+
+variable "lambda_tracing" {
+ description = <<-DESCR
+ Enable AWS X-Ray tracing for Lambda functions.
+ This increases the cost of the stack.
+ DESCR
+
+ type = bool
+ nullable = false
+ default = false
+}
diff --git a/asset-account/terraform/cloudformation-stack/versions.tf b/asset-account/terraform/cloudformation-stack/versions.tf
new file mode 100644
index 0000000..d50a6bd
--- /dev/null
+++ b/asset-account/terraform/cloudformation-stack/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = "~> 1.0"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.0"
+ }
+ }
+}
diff --git a/asset-account/terraform/stack-set/.module.toml b/asset-account/terraform/stack-set/.module.toml
index 11242ed..e285659 100644
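Review bot: The description of `iam_resource_names_suffix` in variables.tf is a copy of the prefix text and says "Add a custom prefix", which is wrong for the suffix input; it should read `Add a custom suffix to names of all IAM resources deployed by this stack.` and the generated README table inherits the same mistake. The `stack_name` description says "The name of the CloudFormation StackSet." although this module manages a single `aws_cloudformation_stack`, so `description = "The name of the CloudFormation stack."` is more accurate. In the `template_url` description, "can deploy Elastio Account stack and linking it to your Elastio tenant" should be "can deploy the Elastio Asset Account stack and link it to your Elastio tenant"; the identical text is duplicated in examples/basic/variables.tf. `tags` is the only input without `nullable = false`, so an explicit `tags = null` from a caller would presumably reach `merge(var.tags, ...)` in main.tf; adding `nullable = false` there makes it consistent with the other inputs.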
--- a/asset-account/terraform/stack-set/.module.toml +++ b/asset-account/terraform/stack-set/.module.toml @@ -1,5 +1,5 @@ [module] name = "aws-elastio-asset-account-stack-set" -description = "Terraform module for creating the Elastio Asset Account stack" +description = "Terraform module for creating the Elastio Asset Account CloudFormation StackSet" type = "terraform" version = "0.33.0" diff --git a/asset-account/terraform/stack-set/variables.tf b/asset-account/terraform/stack-set/variables.tf index 24bb656..956d51c 100644 --- a/asset-account/terraform/stack-set/variables.tf +++ b/asset-account/terraform/stack-set/variables.tf @@ -166,7 +166,7 @@ variable "retain_stacks" { } ###################################################### -## Optional parameters of the Cloudformation stacks ## +## Optional parameters of the CloudFormation stacks ## ###################################################### variable "iam_resource_names_prefix" { diff --git a/iam-policies/terraform/README.md b/iam-policies/terraform/README.md index 75e4781..0942133 100644 --- a/iam-policies/terraform/README.md +++ b/iam-policies/terraform/README.md @@ -21,7 +21,7 @@ Specify the set of names of policies from the list of [available policies](#avai The policies are generated using TypeScript. Their final JSON output is stored as `policies/{PolicyName}.json` documents in this module's directory. You can see the original policy source code with comments about the reasoning for some IAM permissions if you click on the policy names in the table below. -See also the basic [usage example](./examples/basic/). +See the basic [usage example](./examples/basic/main.tf). ## Available Policies From ef455571aa09c1edac0566519e5590aaa55fa0a2 Mon Sep 17 00:00:00 2001 From: Veetaha Date: Tue, 25 Mar 2025 15:11:36 +0000 Subject: [PATCH 2/4] Remove empty line --- .../terraform/cloudformation-stack/examples/basic/main.tf | 1 - 1 file changed, 1 deletion(-) 
diff --git a/asset-account/terraform/cloudformation-stack/examples/basic/main.tf b/asset-account/terraform/cloudformation-stack/examples/basic/main.tf index ed8dd97..22e19c4 100644 --- a/asset-account/terraform/cloudformation-stack/examples/basic/main.tf +++ b/asset-account/terraform/cloudformation-stack/examples/basic/main.tf @@ -1,4 +1,3 @@ - module "elastio_asset_account" { source = "../../" From bb5b802ae51ec8ed5cbfa94faca7d5a9f0697a00 Mon Sep 17 00:00:00 2001 From: Veetaha Date: Tue, 25 Mar 2025 15:13:06 +0000 Subject: [PATCH 3/4] Fix use examples instead of modules in tf validate --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0a3417d..99ac453 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -41,7 +41,7 @@ jobs: strategy: matrix: - terraform_example: ${{fromJson(needs.meta.outputs.tf-modules)}} + terraform_example: ${{fromJson(needs.meta.outputs.tf-examples)}} steps: - uses: actions/checkout@v4 From d4a70acc6726f57ce9dc779b2de956e672a04636 Mon Sep 17 00:00:00 2001 From: Veetaha Date: Tue, 25 Mar 2025 15:15:03 +0000 Subject: [PATCH 4/4] Remove ignores --- asset-account/terraform/cloudformation-stack/main.tf | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/asset-account/terraform/cloudformation-stack/main.tf b/asset-account/terraform/cloudformation-stack/main.tf index 0774af9..c7575e2 100644 --- a/asset-account/terraform/cloudformation-stack/main.tf +++ b/asset-account/terraform/cloudformation-stack/main.tf @@ -22,14 +22,4 @@ resource "aws_cloudformation_stack" "this" { } : key => tostring(value) } - - # Ignore some internal parameter values - lifecycle { - ignore_changes = [ - parameters["cloudConnectorAccountId"], - parameters["cloudConnectorRoleExternalId"], - parameters["deploymentNotificationToken"], - parameters["deploymentNotificationTopicArn"], - ] - } }