From 3962e9d514e1c2c1dcbf04a5c1a77e8a8e281be7 Mon Sep 17 00:00:00 2001 
From: Robert Fairhead Date: Thu, 6 Jun 2019 14:49:33 -0500 Subject: [PATCH] Convert repo to work with Terraform 0.12 (#37) * Switch tests to terraform 0.12 * Upgrade test/all.tf to 0.12 format * Terraform 0.12upgrade for root module * Terraform 0.12upgrade for vpc * Terraform 0.12upgrade of wildcard cert * Terraform 0.12upgrade of app_base * Terraform 0.12upgrade of command console * Terraform 0.12upgrade of database * Terraform 0.12upgrade of encryptkey * Terraform 0.12upgrade of fargate_cluster * Terrform 0.12upgrade ingress * Terrform 0.12upgrade lambda_cron * Remove unused soapbox module * Terraform 0.12upgrade of plain_instance * Terraform 0.12upgrade of static_site * Terraform 0.12upgrade of utilities * Clean-up automated warnings and validation errors * Add new recursive flag for fmt --- Jenkinsfile | 4 +- app_base/data.tf | 21 +- app_base/main.tf | 83 ++--- app_base/outputs.tf | 5 +- app_base/variables.tf | 1 + app_base/versions.tf | 4 + command_console/data.tf | 26 +- command_console/main.tf | 50 +-- command_console/outputs.tf | 5 +- command_console/variables.tf | 1 + command_console/versions.tf | 4 + database/data.tf | 17 +- database/main.tf | 43 +-- database/outputs.tf | 5 +- database/variables.tf | 4 +- database/versions.tf | 4 + encryptkey/data.tf | 4 +- encryptkey/main.tf | 12 +- encryptkey/outputs.tf | 3 +- encryptkey/variables.tf | 1 + encryptkey/versions.tf | 4 + fargate_cluster/data.tf | 14 +- fargate_cluster/main.tf | 314 +++++++++---------- fargate_cluster/outputs.tf | 3 +- fargate_cluster/variables.tf | 3 +- fargate_cluster/versions.tf | 4 + ingress/data.tf | 30 +- ingress/main.tf | 347 +++++++++++---------- ingress/variables.tf | 3 +- ingress/versions.tf | 4 + lambda_cron/data.tf | 11 +- lambda_cron/main.tf | 83 ++--- lambda_cron/outputs.tf | 3 +- lambda_cron/variables.tf | 5 +- lambda_cron/versions.tf | 4 + main.tf | 25 +- outputs.tf | 3 +- plain_instance/data.tf | 26 +- plain_instance/main.tf | 62 ++-- plain_instance/outputs.tf | 5 +- 
plain_instance/variables.tf | 1 + plain_instance/versions.tf | 4 + soapbox_managed/main.tf | 3 - static_site/data.tf | 5 +- static_site/main.tf | 89 +++--- static_site/outputs.tf | 7 +- static_site/variables.tf | 1 + static_site/versions.tf | 4 + test/all.tf | 43 +-- test/versions.tf | 4 + utilities/jenkins/data.tf | 27 +- utilities/jenkins/main.tf | 325 +++++++++---------- utilities/jenkins/outputs.tf | 3 +- utilities/jenkins/variables.tf | 1 + utilities/jenkins/versions.tf | 4 + utilities/jumpbox/data.tf | 19 +- utilities/jumpbox/main.tf | 31 +- utilities/jumpbox/variables.tf | 1 + utilities/jumpbox/versions.tf | 4 + utilities/main.tf | 27 +- utilities/outputs.tf | 3 +- utilities/teleport/auth.tf | 127 ++++---- utilities/teleport/data.tf | 28 +- utilities/teleport/main.tf | 22 +- utilities/teleport/outputs.tf | 3 +- utilities/teleport/proxy.tf | 87 +++--- utilities/teleport/variables.tf | 1 + utilities/teleport/versions.tf | 4 + utilities/teleport_subcluster/auth.tf | 123 ++++---- utilities/teleport_subcluster/data.tf | 20 +- utilities/teleport_subcluster/main.tf | 14 +- utilities/teleport_subcluster/outputs.tf | 3 +- utilities/teleport_subcluster/proxy.tf | 39 +-- utilities/teleport_subcluster/variables.tf | 1 + utilities/teleport_subcluster/versions.tf | 4 + utilities/variables.tf | 1 + utilities/versions.tf | 4 + variables.tf | 1 + versions.tf | 4 + vpc/data.tf | 4 +- vpc/main.tf | 89 +++--- vpc/outputs.tf | 3 +- vpc/variables.tf | 1 + vpc/versions.tf | 4 + wildcard_cert/data.tf | 3 +- wildcard_cert/main.tf | 19 +- wildcard_cert/outputs.tf | 3 +- wildcard_cert/variables.tf | 1 + wildcard_cert/versions.tf | 4 + 89 files changed, 1323 insertions(+), 1150 deletions(-) create mode 100644 app_base/versions.tf create mode 100644 command_console/versions.tf create mode 100644 database/versions.tf create mode 100644 encryptkey/versions.tf create mode 100644 fargate_cluster/versions.tf create mode 100644 ingress/versions.tf create mode 100644 lambda_cron/versions.tf 
create mode 100644 plain_instance/versions.tf delete mode 100644 soapbox_managed/main.tf create mode 100644 static_site/versions.tf create mode 100644 test/versions.tf create mode 100644 utilities/jenkins/versions.tf create mode 100644 utilities/jumpbox/versions.tf create mode 100644 utilities/teleport/versions.tf create mode 100644 utilities/teleport_subcluster/versions.tf create mode 100644 utilities/versions.tf create mode 100644 versions.tf create mode 100644 vpc/versions.tf create mode 100644 wildcard_cert/versions.tf diff --git a/Jenkinsfile b/Jenkinsfile index 38d0110..4837840 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -12,7 +12,7 @@ pipeline { } } steps { - sh 'terraform fmt -check=true -diff=true' + sh 'terraform fmt -check=true -diff=true -recursive' } } @@ -25,7 +25,7 @@ pipeline { stage('Terraform validation') { agent { docker { - image 'hashicorp/terraform:0.11.13' + image 'hashicorp/terraform:0.12.1' args '-w $WORKSPACE --entrypoint=""' } } diff --git a/app_base/data.tf b/app_base/data.tf index 29e099d..f9eebba 100644 --- a/app_base/data.tf +++ b/app_base/data.tf @@ -3,33 +3,33 @@ ####### data "aws_vpc" "vpc" { - tags { - env = "${var.env}" + tags = { + env = var.env } } data "aws_subnet" "application_subnet" { count = 3 - vpc_id = "${data.aws_vpc.vpc.id}" + vpc_id = data.aws_vpc.vpc.id - tags { + tags = { name = "app-sub-${count.index}" - env = "${var.env}" + env = var.env } } data "aws_subnet" "public_subnet" { count = 3 - vpc_id = "${data.aws_vpc.vpc.id}" + vpc_id = data.aws_vpc.vpc.id - tags { + tags = { name = "public-sub-${count.index}" - env = "${var.env}" + env = var.env } } data "aws_route53_zone" "external" { - name = "${var.domain_name}" + name = var.domain_name private_zone = false } @@ -39,6 +39,7 @@ data "aws_route53_zone" "internal" { } data "aws_acm_certificate" "wildcard" { - domain = "${var.domain_name}" + domain = var.domain_name most_recent = true } + diff --git a/app_base/main.tf b/app_base/main.tf index 1b63ffa..64375d2 100644 
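Review bot: `-recursive` on the `terraform fmt` line only exists from Terraform 0.12, but the agent image for that stage is outside this hunk, so it is not visible whether it was bumped alongside the validation stage's `hashicorp/terraform:0.12.1`; if it still runs a 0.11 image the fmt check will fail on the unknown flag. Worth confirming in the same commit, since the fmt stage is the first gate the pipeline hits.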
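Review bot: `image 'hashicorp/terraform:0.12.1'` in the validation stage pins by tag only, so the toolchain that validates this repo can change underneath the pipeline if the tag is re-pushed. Pinning by digest, e.g. `image 'hashicorp/terraform:0.12.1@sha256:<digest-placeholder>'` with the digest taken from the registry, makes the validation run reproducible; a comment such as `// keep in sync with required_version in versions.tf` would also tie the two together for the next upgrade.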
--- a/app_base/main.tf +++ b/app_base/main.tf @@ -3,21 +3,21 @@ ####### resource "aws_route53_record" "external_cname" { - zone_id = "${data.aws_route53_zone.external.id}" - name = "${var.application_name}" + zone_id = data.aws_route53_zone.external.id + name = var.application_name type = "CNAME" ttl = 30 - records = ["${aws_alb.application_alb.dns_name}"] + records = [aws_alb.application_alb.dns_name] } resource "aws_route53_record" "internal_cname" { - zone_id = "${data.aws_route53_zone.internal.id}" - name = "${var.application_name}" + zone_id = data.aws_route53_zone.internal.id + name = var.application_name type = "CNAME" ttl = 30 - records = ["${aws_alb.application_alb.dns_name}"] + records = [aws_alb.application_alb.dns_name] } ####### @@ -28,15 +28,15 @@ resource "aws_alb" "application_alb" { # max 6 characters for name prefix name_prefix = "${format("%.5s", var.application_name)}-" internal = false - security_groups = ["${aws_security_group.application_alb_sg.id}"] - subnets = ["${data.aws_subnet.public_subnet.*.id}"] + security_groups = [aws_security_group.application_alb_sg.id] + subnets = data.aws_subnet.public_subnet.*.id ip_address_type = "ipv4" - tags { - env = "${var.env}" + tags = { + env = var.env terraform = "true" - app = "${var.application_name}" + app = var.application_name name = "alb-${var.application_name}" } } 
@@ -45,38 +45,38 @@ resource "aws_alb" "application_alb" { resource "aws_alb_target_group" "application_target_group" { # max 6 characters for name prefix name_prefix = "${format("%.5s", var.application_name)}-" - port = "${var.application_port}" + port = var.application_port protocol = "HTTP" - vpc_id = "${data.aws_vpc.vpc.id}" - target_type = "ip" # Must use IP to support fargate + vpc_id = data.aws_vpc.vpc.id + target_type = "ip" # Must use IP to support fargate health_check { interval = 60 - path = "${var.health_check_path}" - port = "${var.application_port}" + path = var.health_check_path + port = var.application_port healthy_threshold = 2 unhealthy_threshold = 2 } - depends_on = ["aws_alb.application_alb"] + depends_on = [aws_alb.application_alb] - tags { - env = "${var.env}" + tags = { + env = var.env terraform = "true" - app = "${var.application_name}" + app = var.application_name name = "alb-tg-${var.application_name}:${var.application_port}" } } resource "aws_alb_listener" "application_alb_https" { - load_balancer_arn = "${aws_alb.application_alb.arn}" - port = "${var.loadbalancer_port}" + load_balancer_arn = aws_alb.application_alb.arn + port = var.loadbalancer_port protocol = "HTTPS" ssl_policy = "ELBSecurityPolicy-2016-08" - certificate_arn = "${data.aws_acm_certificate.wildcard.arn}" + certificate_arn = data.aws_acm_certificate.wildcard.arn default_action { - target_group_arn = "${aws_alb_target_group.application_target_group.arn}" + target_group_arn = aws_alb_target_group.application_target_group.arn type = "forward" } } 
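Review bot: `port = var.application_port` in the target group and `port = var.loadbalancer_port` in the listener now pass the variables through without the old string interpolation, so their typing is entirely whatever the caller supplies; the only declaration visible in this diff, `loadbalancer_port`, still carries `default = "443"` as a string and relies on 0.12's implicit conversion. Declaring `type = number` on `application_port` and `loadbalancer_port` in `app_base/variables.tf` (and changing that default to `443`) would make the contract explicit and turn a non-numeric value into a plan-time error instead of a provider error; the same applies to `from_port`/`to_port` in the `lb_ingress` and `app_ingress` rules in the following hunks. The variable declarations themselves are outside these hunks.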
@@ -84,12 +84,12 @@ resource "aws_alb_listener" "application_alb_https" { # Security Group: world -> alb resource "aws_security_group" "application_alb_sg" { name_prefix = "${var.application_name}-alb-" - vpc_id = "${data.aws_vpc.vpc.id}" + vpc_id = data.aws_vpc.vpc.id - tags { - env = "${var.env}" + tags = { + env = var.env terraform = "true" - app = "${var.application_name}" + app = var.application_name name = "world->alb-sg-${var.application_name}" } } @@ -97,12 +97,12 @@ resource "aws_security_group" "application_alb_sg" { // Allow inbound only to our listening port resource "aws_security_group_rule" "lb_ingress" { type = "ingress" - from_port = "${var.loadbalancer_port}" - to_port = "${var.loadbalancer_port}" + from_port = var.loadbalancer_port + to_port = var.loadbalancer_port protocol = "tcp" cidr_blocks = ["0.0.0.0/0"] - security_group_id = "${aws_security_group.application_alb_sg.id}" + security_group_id = aws_security_group.application_alb_sg.id } // Allow all outbound by default @@ -113,7 +113,7 @@ resource "aws_security_group_rule" "lb_egress" { protocol = "-1" cidr_blocks = ["0.0.0.0/0"] - security_group_id = "${aws_security_group.application_alb_sg.id}" + security_group_id = aws_security_group.application_alb_sg.id } ####### 
@@ -122,23 +122,23 @@ resource "aws_security_group_rule" "lb_egress" { resource "aws_security_group" "app_sg" { name_prefix = "${var.application_name}-app-" - vpc_id = "${data.aws_vpc.vpc.id}" + vpc_id = data.aws_vpc.vpc.id - tags { - app = "${var.application_name}" - env = "${var.env}" + tags = { + app = var.application_name + env = var.env } } // Allow inbound only to our application port resource "aws_security_group_rule" "app_ingress" { type = "ingress" - from_port = "${var.application_port}" - to_port = "${var.application_port}" + from_port = var.application_port + to_port = var.application_port protocol = "tcp" - source_security_group_id = "${aws_security_group.application_alb_sg.id}" + source_security_group_id = aws_security_group.application_alb_sg.id - security_group_id = "${aws_security_group.app_sg.id}" + security_group_id = aws_security_group.app_sg.id } // Allow all outbound, e.g. third-pary API endpoints, by default @@ -149,5 +149,6 @@ resource "aws_security_group_rule" "app_egress" { protocol = "-1" cidr_blocks = ["0.0.0.0/0"] - security_group_id = "${aws_security_group.app_sg.id}" + security_group_id = aws_security_group.app_sg.id } + diff --git a/app_base/outputs.tf b/app_base/outputs.tf index 15094da..ede5779 100644 --- a/app_base/outputs.tf +++ b/app_base/outputs.tf @@ -1,7 +1,8 @@ output "app_sg_id" { - value = "${aws_security_group.app_sg.id}" + value = aws_security_group.app_sg.id } output "lb_tg_arn" { - value = "${aws_alb_target_group.application_target_group.arn}" + value = aws_alb_target_group.application_target_group.arn } + diff --git a/app_base/variables.tf b/app_base/variables.tf index d28aa26..fcc6985 100644 --- a/app_base/variables.tf +++ b/app_base/variables.tf @@ -24,3 +24,4 @@ variable "loadbalancer_port" { description = "port on which the load balancer will be listening. it will terminate TLS on this port." default = "443" } + diff --git a/app_base/versions.tf b/app_base/versions.tf new file mode 100644 index 0000000..ac97c6a 
--- /dev/null +++ b/app_base/versions.tf @@ -0,0 +1,4 @@ + +terraform { + required_version = ">= 0.12" +} diff --git a/command_console/data.tf b/command_console/data.tf index 7192fa3..693e58e 100644 --- a/command_console/data.tf +++ b/command_console/data.tf @@ -1,36 +1,37 @@ data "aws_vpc" "vpc" { - tags { - env = "${var.env}" + tags = { + env = var.env } } -data "aws_caller_identity" "current" {} +data "aws_caller_identity" "current" { +} data "aws_subnet" "application_subnet" { count = 3 - vpc_id = "${data.aws_vpc.vpc.id}" + vpc_id = data.aws_vpc.vpc.id - tags { + tags = { name = "app-sub-${count.index}" - env = "${var.env}" + env = var.env } } data "aws_security_group" "ssh_proxies" { - vpc_id = "${data.aws_vpc.vpc.id}" + vpc_id = data.aws_vpc.vpc.id - tags { - env = "${var.env}" + tags = { + env = var.env app = "teleport" Name = "teleport-proxies" } } data "aws_security_group" "jumpbox" { - vpc_id = "${data.aws_vpc.vpc.id}" + vpc_id = data.aws_vpc.vpc.id - tags { - env = "${var.env}" + tags = { + env = var.env app = "utilities" Name = "jumpbox" } @@ -49,3 +50,4 @@ data "aws_ami" "base" { values = ["adhoc_base*"] } } + diff --git a/command_console/main.tf b/command_console/main.tf index e9bb5d1..a96f2a9 100644 --- a/command_console/main.tf +++ b/command_console/main.tf 
@@ -1,29 +1,29 @@ resource "aws_instance" "console" { - ami = "${data.aws_ami.base.id}" - instance_type = "${var.instance_size}" + ami = data.aws_ami.base.id + instance_type = var.instance_size - iam_instance_profile = "${aws_iam_instance_profile.iam.name}" - user_data = "${var.user_data}" - key_name = "${var.key_pair}" + iam_instance_profile = aws_iam_instance_profile.iam.name + user_data = var.user_data + key_name = var.key_pair associate_public_ip_address = false #distribute instances across AZs - subnet_id = "${element(data.aws_subnet.application_subnet.*.id,count.index)}" - vpc_security_group_ids = ["${aws_security_group.sg.id}"] + subnet_id = element(data.aws_subnet.application_subnet.*.id, count.index) + vpc_security_group_ids = [aws_security_group.sg.id] lifecycle { - ignore_changes = ["ami"] + ignore_changes = [ami] } credit_specification { cpu_credits = "unlimited" } - tags { + tags = { Name = "command-console-${var.env}" app = "command-console" - env = "${var.env}" + env = var.env } } @@ -32,11 +32,11 @@ resource "aws_instance" "console" { ##### resource "aws_security_group" "sg" { name_prefix = "console-" - vpc_id = "${data.aws_vpc.vpc.id}" + vpc_id = data.aws_vpc.vpc.id - tags { + tags = { app = "command-console" - env = "${var.env}" + env = var.env } } @@ -48,7 +48,7 @@ resource "aws_security_group_rule" "egress" { protocol = "-1" cidr_blocks = ["0.0.0.0/0"] - security_group_id = "${aws_security_group.sg.id}" + security_group_id = aws_security_group.sg.id } # Add rule to allow SSH proxies to connect @@ -57,9 +57,9 @@ resource "aws_security_group_rule" "proxy_ssh" { from_port = 3022 to_port = 3022 protocol = "tcp" - source_security_group_id = "${data.aws_security_group.ssh_proxies.id}" + source_security_group_id = data.aws_security_group.ssh_proxies.id - security_group_id = "${aws_security_group.sg.id}" + security_group_id = aws_security_group.sg.id } resource "aws_security_group_rule" "jumpbox" { 
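Review bot: `subnet_id = element(data.aws_subnet.application_subnet.*.id, count.index)` in `aws_instance.console` references `count.index`, but the hunk starts at line 1 of the file and shows the whole resource, and there is no `count` argument on it; Terraform 0.12 rejects this with a "Reference to count in non-counted context" validation error, whereas 0.11 silently evaluated it as 0. Unless this module is never instantiated in the CI validation run, this will break `terraform validate` after the upgrade. The 0.11-equivalent fix is `subnet_id = data.aws_subnet.application_subnet[0].id`, and the `#distribute instances across AZs` comment above it should then be dropped or reworded, since a single un-counted instance is not distributed.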
@@ -67,9 +67,9 @@ resource "aws_security_group_rule" "jumpbox" { from_port = 22 to_port = 22 protocol = "tcp" - source_security_group_id = "${data.aws_security_group.jumpbox.id}" + source_security_group_id = data.aws_security_group.jumpbox.id - security_group_id = "${aws_security_group.sg.id}" + security_group_id = aws_security_group.sg.id } ##### @@ -77,7 +77,7 @@ resource "aws_security_group_rule" "jumpbox" { ##### resource "aws_iam_instance_profile" "iam" { name = "${var.env}-command-console" - role = "${aws_iam_role.iam.name}" + role = aws_iam_role.iam.name } # Auth instance profile and roles @@ -96,17 +96,19 @@ resource "aws_iam_role" "iam" { ] } EOF + } # Give it base teleport permissions resource "aws_iam_role_policy_attachment" "iam_teleport" { - role = "${aws_iam_role.iam.name}" + role = aws_iam_role.iam.name policy_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/${var.env}/teleport/${var.env}-instance-teleport-secrets" } resource "aws_kms_grant" "main" { - name = "command-console-${var.env}-main" - key_id = "${data.aws_kms_alias.main.target_key_arn}" - grantee_principal = "${aws_iam_role.iam.arn}" - operations = ["Decrypt"] + name = "command-console-${var.env}-main" + key_id = data.aws_kms_alias.main.target_key_arn + grantee_principal = aws_iam_role.iam.arn + operations = ["Decrypt"] } + diff --git a/command_console/outputs.tf b/command_console/outputs.tf index 4e31c7c..b6fc223 100644 --- a/command_console/outputs.tf +++ b/command_console/outputs.tf @@ -1,8 +1,9 @@ output "sg_id" { - value = "${aws_security_group.sg.id}" + value = aws_security_group.sg.id } output "instance_iam_role" { description = "IAM role name for attaching additional policies to the instance with aws_iam_role_policy_attachment" - value = "${aws_iam_role.iam.name}" + value = aws_iam_role.iam.name } + diff --git a/command_console/variables.tf b/command_console/variables.tf index 5b9ee96..fd90b93 100644 --- a/command_console/variables.tf 
+++ b/command_console/variables.tf @@ -16,3 +16,4 @@ variable "user_data" { description = "OPTIONAL: user data script to run on initialization" default = "" } + diff --git a/command_console/versions.tf b/command_console/versions.tf new file mode 100644 index 0000000..ac97c6a --- /dev/null +++ b/command_console/versions.tf @@ -0,0 +1,4 @@ + +terraform { + required_version = ">= 0.12" +} diff --git a/database/data.tf b/database/data.tf index a16635f..3aa9845 100644 --- a/database/data.tf +++ b/database/data.tf @@ -8,31 +8,32 @@ data "aws_route53_zone" "internal" { } data "aws_vpc" "vpc" { - tags { - env = "${var.env}" + tags = { + env = var.env } } data "aws_subnet" "data_subnet" { count = 3 - vpc_id = "${data.aws_vpc.vpc.id}" + vpc_id = data.aws_vpc.vpc.id - tags { + tags = { name = "data-sub-${count.index}" - env = "${var.env}" + env = var.env } } data "aws_subnet" "application_subnet" { count = 3 - vpc_id = "${data.aws_vpc.vpc.id}" + vpc_id = data.aws_vpc.vpc.id - tags { + tags = { name = "app-sub-${count.index}" - env = "${var.env}" + env = var.env } } data "aws_kms_key" "main" { key_id = "alias/${var.env}-main" } + diff --git a/database/main.tf b/database/main.tf index 3cd448a..c8c95e8 100644 --- a/database/main.tf +++ b/database/main.tf @@ -4,13 +4,13 @@ resource "aws_db_subnet_group" "db_subnet_group" { name = "${var.env}-${var.application_name}-rds-subnet-group" - subnet_ids = ["${data.aws_subnet.data_subnet.*.id}"] + subnet_ids = data.aws_subnet.data_subnet.*.id } resource "aws_security_group" "db_sg" { name = "${var.env}-${var.application_name}-db-sg" description = "SG for database servers" - vpc_id = "${data.aws_vpc.vpc.id}" + vpc_id = data.aws_vpc.vpc.id } resource "aws_security_group_rule" "app_ingress" { 
@@ -18,9 +18,9 @@ resource "aws_security_group_rule" "app_ingress" { from_port = 5432 to_port = 5432 protocol = "tcp" - source_security_group_id = "${var.app_sg}" + source_security_group_id = var.app_sg - security_group_id = "${aws_security_group.db_sg.id}" + security_group_id = aws_security_group.db_sg.id } # TODO(bob) confirm this can be locked to egress 5432 only @@ -31,7 +31,7 @@ resource "aws_security_group_rule" "egress" { protocol = "-1" cidr_blocks = ["0.0.0.0/0"] - security_group_id = "${aws_security_group.db_sg.id}" + security_group_id = aws_security_group.db_sg.id } #### @@ -41,11 +41,11 @@ resource "aws_security_group_rule" "egress" { resource "aws_db_instance" "primary" { identifier_prefix = "${var.env}-${var.application_name}-" - username = "${var.user}" - password = "${var.password}" + username = var.user + password = var.password - db_subnet_group_name = "${aws_db_subnet_group.db_subnet_group.id}" - vpc_security_group_ids = ["${aws_security_group.db_sg.id}"] + db_subnet_group_name = aws_db_subnet_group.db_subnet_group.id + vpc_security_group_ids = [aws_security_group.db_sg.id] publicly_accessible = false multi_az = true 
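Review bot: `password = var.password` in `aws_db_instance.primary` is fed from a variable that, per the `database/variables.tf` hunk later in this patch, is declared as an empty `variable "password" { }` with no `type` or `description`. Adding `type = string` and a description that says the value is the RDS master password and is persisted in Terraform state would document the contract for callers; the existing `## TODO(bob) Store username/password in secrets manager with rotation` further down the file already records the longer-term fix, so the note here is only about making the variable self-describing.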
@@ -58,25 +58,26 @@ resource "aws_db_instance" "primary" { skip_final_snapshot = true allocated_storage = 30 storage_encrypted = true - kms_key_id = "${data.aws_kms_key.main.arn}" + kms_key_id = data.aws_kms_key.main.arn - parameter_group_name = "${aws_db_parameter_group.postgres.id}" + parameter_group_name = aws_db_parameter_group.postgres.id enabled_cloudwatch_logs_exports = ["postgresql", "upgrade"] monitoring_interval = 30 - monitoring_role_arn = "${aws_iam_role.monitoring.arn}" + monitoring_role_arn = aws_iam_role.monitoring.arn backup_retention_period = 7 lifecycle { - ignore_changes = ["snapshot_identifier", - "engine_version", + ignore_changes = [ + snapshot_identifier, + engine_version, ] } - tags { - env = "${var.env}" - app = "${var.application_name}" + tags = { + env = var.env + app = var.application_name terraform = "true" name = "${var.env}-db" } @@ -133,12 +134,12 @@ resource "aws_db_parameter_group" "postgres" { #### resource "aws_route53_record" "rds_cname" { - zone_id = "${data.aws_route53_zone.internal.id}" + zone_id = data.aws_route53_zone.internal.id name = "${var.application_name}-db-primary" type = "CNAME" ttl = 30 - records = ["${aws_db_instance.primary.address}"] + records = [aws_db_instance.primary.address] } ################################################## @@ -159,13 +160,13 @@ resource "aws_iam_role" "monitoring" { ] } EOF + } resource "aws_iam_role_policy_attachment" "monitoring" { - role = "${aws_iam_role.monitoring.name}" + role = aws_iam_role.monitoring.name policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole" } ## TODO(bob) Add read replicas? ## TODO(bob) Store username/password in secrets manager with rotation - diff --git a/database/outputs.tf b/database/outputs.tf index f0e4272..864b7aa 100644 --- a/database/outputs.tf +++ b/database/outputs.tf 
@@ -1,8 +1,9 @@ # The connection endpoint in address:port format output "url" { - value = "${aws_route53_record.rds_cname.fqdn}" + value = aws_route53_record.rds_cname.fqdn } output "security_group_id" { - value = "${aws_security_group.db_sg.id}" + value = aws_security_group.db_sg.id } + diff --git a/database/variables.tf b/database/variables.tf index 4750dc5..2f47d42 100644 --- a/database/variables.tf +++ b/database/variables.tf @@ -15,4 +15,6 @@ variable "user" { default = "dbuser" } -variable "password" {} +variable "password" { +} + diff --git a/database/versions.tf b/database/versions.tf new file mode 100644 index 0000000..ac97c6a --- /dev/null +++ b/database/versions.tf @@ -0,0 +1,4 @@ + +terraform { + required_version = ">= 0.12" +} diff --git a/encryptkey/data.tf b/encryptkey/data.tf index 8fc4b38..d6fa1a8 100644 --- a/encryptkey/data.tf +++ b/encryptkey/data.tf @@ -1 +1,3 @@ -data "aws_caller_identity" "current" {} +data "aws_caller_identity" "current" { +} + diff --git a/encryptkey/main.tf b/encryptkey/main.tf index ff8c968..2e6c80b 100644 --- a/encryptkey/main.tf +++ b/encryptkey/main.tf @@ -78,14 +78,16 @@ resource "aws_kms_key" "main" { } POLICY - tags { - env = "${var.env}" + + tags = { + env = var.env terraform = "true" - name = "${var.env}-key-main" + name = "${var.env}-key-main" } } resource "aws_kms_alias" "main" { - name = "alias/${var.env}-main" - target_key_id = "${aws_kms_key.main.key_id}" + name = "alias/${var.env}-main" + target_key_id = aws_kms_key.main.key_id } + diff --git a/encryptkey/outputs.tf b/encryptkey/outputs.tf index ff3baeb..41df35b 100644 --- a/encryptkey/outputs.tf +++ b/encryptkey/outputs.tf @@ -1,3 +1,4 @@ output "key_arn" { - value = "${aws_kms_key.main.arn}" + value = aws_kms_key.main.arn } + diff --git a/encryptkey/variables.tf b/encryptkey/variables.tf index fe845e8..d7dbe4e 100644 --- a/encryptkey/variables.tf +++ b/encryptkey/variables.tf 
@@ -1,3 +1,4 @@ variable "env" { description = "the name of the environment, e.g. \"testing\". it must be unique in the account." } + diff --git a/encryptkey/versions.tf b/encryptkey/versions.tf new file mode 100644 index 0000000..ac97c6a --- /dev/null +++ b/encryptkey/versions.tf @@ -0,0 +1,4 @@ + +terraform { + required_version = ">= 0.12" +} diff --git a/fargate_cluster/data.tf b/fargate_cluster/data.tf index b0e9238..6866cf2 100644 --- a/fargate_cluster/data.tf +++ b/fargate_cluster/data.tf @@ -1,17 +1,19 @@ -data "aws_region" "current" {} +data "aws_region" "current" { +} data "aws_vpc" "vpc" { - tags { - env = "${var.env}" + tags = { + env = var.env } } data "aws_subnet" "application_subnet" { count = 3 - vpc_id = "${data.aws_vpc.vpc.id}" + vpc_id = data.aws_vpc.vpc.id - tags { + tags = { name = "app-sub-${count.index}" - env = "${var.env}" + env = var.env } } + diff --git a/fargate_cluster/main.tf b/fargate_cluster/main.tf index 0f91de0..f6e99df 100644 --- a/fargate_cluster/main.tf +++ b/fargate_cluster/main.tf @@ -1,12 +1,12 @@ module "fargate_base" { source = "../app_base" - env = "${var.env}" - domain_name = "${var.domain_name}" - application_name = "${var.application_name}" - application_port = "${var.application_port}" - loadbalancer_port = "${var.loadbalancer_port}" - health_check_path = "${var.health_check_path}" + env = var.env + domain_name = var.domain_name + application_name = var.application_name + application_port = var.application_port + loadbalancer_port = var.loadbalancer_port + health_check_path = var.health_check_path } # TODO(bob) May need a call to create a service linked role first: 
@@ -14,81 +14,70 @@ module "fargate_base" { # seems to be one-time only thing so maybe bootbox? resource "aws_ecs_cluster" "app" { - name = "${var.application_name}" + name = var.application_name } # Must use template here to get ports as ints data "template_file" "task" { - template = "${file("${path.module}/container_task.tmpl")}" + template = file("${path.module}/container_task.tmpl") - vars { - image = "${var.docker_image}" - awslogs-group = "${aws_cloudwatch_log_group.app.name}" - awslogs-region = "${data.aws_region.current.name}" + vars = { + image = var.docker_image + awslogs-group = aws_cloudwatch_log_group.app.name + awslogs-region = data.aws_region.current.name awslogs-stream-prefix = "${var.env}-${var.application_name}" - name = "${var.application_name}" - port = "${var.application_port}" - environment_variables = "${jsonencode(var.environment_variables)}" + name = var.application_name + port = var.application_port + environment_variables = jsonencode(var.environment_variables) } } resource "aws_ecs_task_definition" "app" { family = "${var.env}-${var.application_name}" - container_definitions = "${data.template_file.task.rendered}" - execution_role_arn = "${aws_iam_role.ecs_execution.arn}" + container_definitions = data.template_file.task.rendered + execution_role_arn = aws_iam_role.ecs_execution.arn requires_compatibilities = ["FARGATE"] network_mode = "awsvpc" - cpu = "2048" # 2 vCPU - memory = "4096" # 4 GiB + cpu = "2048" # 2 vCPU + memory = "4096" # 4 GiB } resource "aws_ecs_service" "application" { - name = "${var.application_name}" - cluster = "${aws_ecs_cluster.app.id}" - task_definition = "${aws_ecs_task_definition.app.arn}" + name = var.application_name + cluster = aws_ecs_cluster.app.id + task_definition = aws_ecs_task_definition.app.arn launch_type = "FARGATE" desired_count = 2 network_configuration { - subnets = ["${data.aws_subnet.application_subnet.*.id}"] - security_groups = ["${module.fargate_base.app_sg_id}"] + subnets = 
data.aws_subnet.application_subnet.*.id + security_groups = [module.fargate_base.app_sg_id] } load_balancer { - target_group_arn = "${module.fargate_base.lb_tg_arn}" - container_name = "${var.application_name}" - container_port = "${var.application_port}" + target_group_arn = module.fargate_base.lb_tg_arn + container_name = var.application_name + container_port = var.application_port } depends_on = [ - # https://www.terraform.io/docs/providers/aws/r/ecs_service.html - # Note: To prevent a race condition during service deletion, - # make sure to set depends_on to the related aws_iam_role_policy; - # otherwise, the policy may be destroyed too soon and - # the ECS service will then get stuck in the DRAINING state. - "aws_iam_role_policy.ecs_execution", - - # This prevents errors with the load balancer targeting group - # not being linked yet causing invalid parameter errors - "module.fargate_base", + aws_iam_role_policy.ecs_execution, + module.fargate_base, ] lifecycle { - ignore_changes = [ - # Ignore changes to the desired count (which may be due to autoscaling) - "desired_count", - ] + ignore_changes = [desired_count] } } resource "aws_cloudwatch_log_group" "app" { name = "${var.env}-${var.application_name}" - tags { + tags = { Name = "${var.env}-${var.application_name}" - environment = "${var.env}" - app = "${var.application_name}" + environment = var.env + app = var.application_name } } 
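Review bot: The rewrite of `depends_on = [aws_iam_role_policy.ecs_execution, module.fargate_base]` and `ignore_changes = [desired_count]` in `aws_ecs_service.application` drops the three explanatory comments that were on the removed lines, and nothing in the new code preserves them. Those comments carried real operational knowledge: the service must depend on the `aws_iam_role_policy` so the policy is not destroyed first and leave the service stuck in DRAINING on deletion, the dependency on the module prevents invalid-parameter errors from a target group not yet linked to the ALB, and `desired_count` is ignored because autoscaling may change it. Restoring them as `#` comments above the two lists (the upgrade tool strips comments inside list literals, but they can live above the attribute) keeps the reasoning with the code.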
@@ -109,11 +98,12 @@ resource "aws_iam_role" "ecs_execution" { ] } EOF + } resource "aws_iam_role_policy" "ecs_execution" { name = "${var.env}-${var.application_name}-ecs_execution" - role = "${aws_iam_role.ecs_execution.id}" + role = aws_iam_role.ecs_execution.id policy = < alb resource "aws_security_group" "application_alb_sg" { - name_prefix = "app-alb-" - vpc_id = "${data.aws_vpc.vpc.id}" +name_prefix = "app-alb-" +vpc_id = data.aws_vpc.vpc.id - tags { - env = "${var.env}" - terraform = "true" - app = "helloworld" - name = "world->alb-sg-helloworld" - } +tags = { +env = var.env +terraform = "true" +app = "helloworld" +name = "world->alb-sg-helloworld" +} } // Allow inbound only to our listening port resource "aws_security_group_rule" "lb_ingress" { - type = "ingress" - from_port = "80" - to_port = "80" - protocol = "tcp" - source_security_group_id = "${aws_security_group.nginx.id}" +type = "ingress" +from_port = "80" +to_port = "80" +protocol = "tcp" +source_security_group_id = aws_security_group.nginx.id - security_group_id = "${aws_security_group.application_alb_sg.id}" +security_group_id = aws_security_group.application_alb_sg.id } // Allow all outbound by default resource "aws_security_group_rule" "lb_egress" { - type = "egress" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] +type = "egress" +from_port = 0 +to_port = 0 +protocol = "-1" +cidr_blocks = ["0.0.0.0/0"] - security_group_id = "${aws_security_group.application_alb_sg.id}" +security_group_id = aws_security_group.application_alb_sg.id } ####### 
@@ -419,10 +422,10 @@ resource "aws_security_group_rule" "lb_egress" { ####### resource "aws_instance" "application" { - ami = "${data.aws_ami.base.id}" - instance_type = "t3.micro" +ami = data.aws_ami.base.id +instance_type = "t3.micro" - user_data = < proxy resource "aws_security_group" "proxy_lb" { name_prefix = "teleport-proxy-lb-" - vpc_id = "${data.aws_vpc.vpc.id}" + vpc_id = data.aws_vpc.vpc.id - tags { - env = "${var.env}" + tags = { + env = var.env terraform = "true" app = "teleport" Name = "world->teleport-proxy" @@ -87,7 +87,7 @@ resource "aws_security_group_rule" "lb_webui_ingress" { protocol = "tcp" cidr_blocks = ["0.0.0.0/0"] - security_group_id = "${aws_security_group.proxy_lb.id}" + security_group_id = aws_security_group.proxy_lb.id } resource "aws_security_group_rule" "lb_client_ingress" { @@ -97,7 +97,7 @@ resource "aws_security_group_rule" "lb_client_ingress" { protocol = "tcp" cidr_blocks = ["0.0.0.0/0"] - security_group_id = "${aws_security_group.proxy_lb.id}" + security_group_id = aws_security_group.proxy_lb.id } resource "aws_security_group_rule" "lb_ssh_ingress" { @@ -107,7 +107,7 @@ resource "aws_security_group_rule" "lb_ssh_ingress" { protocol = "tcp" cidr_blocks = ["0.0.0.0/0"] - security_group_id = "${aws_security_group.proxy_lb.id}" + security_group_id = aws_security_group.proxy_lb.id } resource "aws_security_group_rule" "lb_cluster_ingress" { @@ -117,7 +117,7 @@ resource "aws_security_group_rule" "lb_cluster_ingress" { protocol = "tcp" cidr_blocks = ["0.0.0.0/0"] - security_group_id = "${aws_security_group.proxy_lb.id}" + security_group_id = aws_security_group.proxy_lb.id } resource "aws_security_group_rule" "lb_egress" { 
@@ -127,47 +127,47 @@ resource "aws_security_group_rule" "lb_egress" { protocol = "-1" cidr_blocks = ["0.0.0.0/0"] - security_group_id = "${aws_security_group.proxy_lb.id}" + security_group_id = aws_security_group.proxy_lb.id } ####### # Proxy instances ####### data "template_file" "user_data" { - count = "${var.proxy_count}" - template = "${file("${path.module}/proxy-user-data.tmpl")}" + count = var.proxy_count + template = file("${path.module}/proxy-user-data.tmpl") - vars { + vars = { nodename = "teleport-proxy-${count.index}" - cluster_token = "${random_string.cluster_token.result}" - proxy_domain = "${aws_route53_record.public.fqdn}" + cluster_token = random_string.cluster_token.result + proxy_domain = aws_route53_record.public.fqdn } } resource "aws_instance" "proxies" { - count = "${var.proxy_count}" - ami = "${data.aws_ami.base.id}" + count = var.proxy_count + ami = data.aws_ami.base.id instance_type = "t3.micro" - key_name = "${var.key_pair}" + key_name = var.key_pair - user_data = "${element(data.template_file.user_data.*.rendered, count.index)}" + user_data = element(data.template_file.user_data.*.rendered, count.index) associate_public_ip_address = false - subnet_id = "${element(data.aws_subnet.application_subnet.*.id,count.index)}" #distribute instances across AZs - vpc_security_group_ids = ["${aws_security_group.proxies.id}"] + subnet_id = element(data.aws_subnet.application_subnet.*.id, count.index) #distribute instances across AZs + vpc_security_group_ids = [aws_security_group.proxies.id] lifecycle { - ignore_changes = ["ami"] + ignore_changes = [ami] } credit_specification { cpu_credits = "unlimited" } - tags { + tags = { Name = "teleport-proxy-${count.index}" app = "teleport" - env = "${var.env}" + env = var.env terraform = "true" } } 
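Review bot: `user_data = element(data.template_file.user_data.*.rendered, count.index)` in the proxies resource keeps the 0.11 element() idiom, which wraps modulo the list length and so silently reuses a rendering instead of erroring if the two counts ever diverge; with 0.12 the exact form is `user_data = data.template_file.user_data[count.index].rendered`. The same applies to `instance` in the proxy_ssh attachment hunk below and to `user_data` and `target_id` in the auth.tf hunks, whereas the `subnet_id` uses should keep element(), since wrapping across the subnet list is the intended AZ distribution. Separately, the rendered template carries `random_string.cluster_token.result`, so the join token is readable from the instance metadata service on the proxy hosts and is kept in state through the data source's rendered output; a comment on the `cluster_token` line, e.g. `# join token: present in user data/metadata and in state`, would make that visible to the next maintainer, and whether the state backend is access-restricted is not visible in this diff.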
@@ -175,9 +175,9 @@ resource "aws_instance" "proxies" { # Add to target group to attach to LB resource "aws_elb_attachment" "proxy_ssh" { - count = "${var.proxy_count}" - elb = "${aws_elb.proxy.id}" - instance = "${element(aws_instance.proxies.*.id,count.index)}" + count = var.proxy_count + elb = aws_elb.proxy.id + instance = element(aws_instance.proxies.*.id, count.index) } ####### @@ -186,10 +186,10 @@ resource "aws_elb_attachment" "proxy_ssh" { resource "aws_security_group" "proxies" { name_prefix = "teleport-proxies-" - vpc_id = "${data.aws_vpc.vpc.id}" + vpc_id = data.aws_vpc.vpc.id - tags { - env = "${var.env}" + tags = { + env = var.env terraform = "true" app = "teleport" Name = "teleport-proxies" @@ -201,9 +201,9 @@ resource "aws_security_group_rule" "proxy_webui" { from_port = 3080 to_port = 3080 protocol = "tcp" - source_security_group_id = "${aws_security_group.proxy_lb.id}" + source_security_group_id = aws_security_group.proxy_lb.id - security_group_id = "${aws_security_group.proxies.id}" + security_group_id = aws_security_group.proxies.id } resource "aws_security_group_rule" "proxy_ssh" { @@ -211,9 +211,9 @@ resource "aws_security_group_rule" "proxy_ssh" { from_port = 3023 to_port = 3023 protocol = "tcp" - source_security_group_id = "${aws_security_group.proxy_lb.id}" + source_security_group_id = aws_security_group.proxy_lb.id - security_group_id = "${aws_security_group.proxies.id}" + security_group_id = aws_security_group.proxies.id } resource "aws_security_group_rule" "proxy_cluster" { @@ -221,9 +221,9 @@ resource "aws_security_group_rule" "proxy_cluster" { from_port = 3024 to_port = 3024 protocol = "tcp" - source_security_group_id = "${aws_security_group.proxy_lb.id}" + source_security_group_id = aws_security_group.proxy_lb.id - security_group_id = "${aws_security_group.proxies.id}" + security_group_id = aws_security_group.proxies.id } # Must allow talking to the world to call out to AWS APIs 
@@ -234,7 +234,7 @@ resource "aws_security_group_rule" "proxy_egress" { protocol = "-1" cidr_blocks = ["0.0.0.0/0"] - security_group_id = "${aws_security_group.proxies.id}" + security_group_id = aws_security_group.proxies.id } # Support for emergency jumpbox @@ -243,7 +243,8 @@ resource "aws_security_group_rule" "jumpbox_proxy" { from_port = 22 to_port = 22 protocol = "tcp" - source_security_group_id = "${data.aws_security_group.jumpbox.id}" + source_security_group_id = data.aws_security_group.jumpbox.id - security_group_id = "${aws_security_group.proxies.id}" + security_group_id = aws_security_group.proxies.id } + diff --git a/utilities/teleport/variables.tf b/utilities/teleport/variables.tf index 143b308..921c910 100644 --- a/utilities/teleport/variables.tf +++ b/utilities/teleport/variables.tf @@ -25,3 +25,4 @@ variable "gh_team" { description = "OPTIONAL: the Github team to provide access to via Teleport" default = "infrastructure-team" } + diff --git a/utilities/teleport/versions.tf b/utilities/teleport/versions.tf new file mode 100644 index 0000000..ac97c6a --- /dev/null +++ b/utilities/teleport/versions.tf @@ -0,0 +1,4 @@ + +terraform { + required_version = ">= 0.12" +} diff --git a/utilities/teleport_subcluster/auth.tf b/utilities/teleport_subcluster/auth.tf index c9419ec..2c77162 100644 --- a/utilities/teleport_subcluster/auth.tf +++ b/utilities/teleport_subcluster/auth.tf @@ -11,13 +11,13 @@ resource "aws_lb" "auth" { name_prefix = "telep-" internal = true load_balancer_type = "network" - subnets = ["${data.aws_subnet.application_subnet.*.id}"] + subnets = data.aws_subnet.application_subnet.*.id enable_cross_zone_load_balancing = true ip_address_type = "ipv4" - tags { - env = "${var.env}" + tags = { + env = var.env terraform = "true" app = "teleport" name = "lb-teleport-auth-internal" 
@@ -30,13 +30,13 @@ resource "aws_lb_target_group" "auth" { name_prefix = "telep-" port = 3025 protocol = "TCP" - vpc_id = "${data.aws_vpc.vpc.id}" + vpc_id = data.aws_vpc.vpc.id target_type = "ip" - depends_on = ["aws_lb.auth"] + depends_on = [aws_lb.auth] - tags { - env = "${var.env}" + tags = { + env = var.env terraform = "true" app = "teleport" Name = "lb-tg-telport-auth" @@ -44,12 +44,12 @@ resource "aws_lb_target_group" "auth" { } resource "aws_lb_listener" "auth" { - load_balancer_arn = "${aws_lb.auth.arn}" + load_balancer_arn = aws_lb.auth.arn port = 3025 protocol = "TCP" default_action { - target_group_arn = "${aws_lb_target_group.auth.arn}" + target_group_arn = aws_lb_target_group.auth.arn type = "forward" } } 
@@ -59,48 +59,48 @@ resource "aws_lb_listener" "auth" { ####### data "template_file" "auth_user_data" { - count = "${var.auth_count}" - template = "${file("${path.module}/auth-user-data.tmpl")}" + count = var.auth_count + template = file("${path.module}/auth-user-data.tmpl") - vars { + vars = { nodename = "teleport-auth-${count.index}" - cluster_token = "${random_string.cluster_token.result}" - region = "${data.aws_region.current.name}" - dynamo_table_name = "${aws_dynamodb_table.teleport_state.name}" - dynamo_events_table_name = "${aws_dynamodb_table.teleport_events.name}" - s3_bucket = "${aws_s3_bucket.recordings.id}" - cluster_name = "${var.env}" - main_cluster = "${var.main_cluster}" - main_cluster_token = "${data.aws_secretsmanager_secret_version.main_cluster_token.secret_string}" + cluster_token = random_string.cluster_token.result + region = data.aws_region.current.name + dynamo_table_name = aws_dynamodb_table.teleport_state.name + dynamo_events_table_name = aws_dynamodb_table.teleport_events.name + s3_bucket = aws_s3_bucket.recordings.id + cluster_name = var.env + main_cluster = var.main_cluster + main_cluster_token = data.aws_secretsmanager_secret_version.main_cluster_token.secret_string main_cluster_url = "teleport.${var.main_cluster}.${var.domain_name}" } } resource "aws_instance" "auths" { - count = "${var.auth_count}" - ami = "${data.aws_ami.base.id}" + count = var.auth_count + ami = data.aws_ami.base.id instance_type = "t3.nano" - key_name = "${var.key_pair}" + key_name = var.key_pair - iam_instance_profile = "${aws_iam_instance_profile.auth.name}" - user_data = "${element(data.template_file.auth_user_data.*.rendered, count.index)}" + iam_instance_profile = aws_iam_instance_profile.auth.name + user_data = element(data.template_file.auth_user_data.*.rendered, count.index) associate_public_ip_address = false - subnet_id = "${element(data.aws_subnet.application_subnet.*.id,count.index)}" #distribute instances across AZs - vpc_security_group_ids = 
["${aws_security_group.auths.id}"] + subnet_id = element(data.aws_subnet.application_subnet.*.id, count.index) #distribute instances across AZs + vpc_security_group_ids = [aws_security_group.auths.id] lifecycle { - ignore_changes = ["ami"] + ignore_changes = [ami] } credit_specification { cpu_credits = "unlimited" } - tags { + tags = { Name = "teleport-auth-${count.index}" app = "teleport" - env = "${var.env}" + env = var.env terraform = "true" } } @@ -108,9 +108,9 @@ resource "aws_instance" "auths" { # Add to target group to attach to LB resource "aws_lb_target_group_attachment" "auth" { - count = "${var.auth_count}" - target_group_arn = "${aws_lb_target_group.auth.arn}" - target_id = "${element(aws_instance.auths.*.private_ip,count.index)}" + count = var.auth_count + target_group_arn = aws_lb_target_group.auth.arn + target_id = element(aws_instance.auths.*.private_ip, count.index) } ####### @@ -119,10 +119,10 @@ resource "aws_lb_target_group_attachment" "auth" { resource "aws_security_group" "auths" { name_prefix = "teleport-auth-" - vpc_id = "${data.aws_vpc.vpc.id}" + vpc_id = data.aws_vpc.vpc.id - tags { - env = "${var.env}" + tags = { + env = var.env terraform = "true" app = "teleport" Name = "teleport-auth" @@ -134,9 +134,9 @@ resource "aws_security_group_rule" "auth_webui" { from_port = 3025 to_port = 3025 protocol = "tcp" - cidr_blocks = ["${data.aws_vpc.vpc.cidr_block}"] + cidr_blocks = [data.aws_vpc.vpc.cidr_block] - security_group_id = "${aws_security_group.auths.id}" + security_group_id = aws_security_group.auths.id } # Allow it to talk to any address to be able to hit AWS APIs for Dynamo, S3 @@ -147,7 +147,7 @@ resource "aws_security_group_rule" "auth_egress" { protocol = "-1" cidr_blocks = ["0.0.0.0/0"] - security_group_id = "${aws_security_group.auths.id}" + security_group_id = aws_security_group.auths.id } # Support for emergency jumpbox 
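Review bot: `main_cluster_token = data.aws_secretsmanager_secret_version.main_cluster_token.secret_string` is rendered straight into the auth instances' user data, so the trusted-cluster join secret read from Secrets Manager ends up in instance metadata (reachable by any process on the host) and in the stored rendered template, which undoes much of the benefit of keeping it in Secrets Manager. The upgrade does not change this, but the rewritten vars block is the natural place to record it, e.g. `# secret_string lands in user data and state; consider passing only the secret ARN and fetching at boot`. If the auth instance role (its policy is outside this hunk) can read that secret, the template could carry the ARN and the bootstrap script could fetch the value, keeping the secret out of user data and state. The template_file data source starts at the top of this hunk and aws_instance.auths closes inside it.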
@@ -156,9 +156,9 @@ resource "aws_security_group_rule" "jumpbox_auth" { from_port = 22 to_port = 22 protocol = "tcp" - source_security_group_id = "${data.aws_security_group.jumpbox.id}" + source_security_group_id = data.aws_security_group.jumpbox.id - security_group_id = "${aws_security_group.auths.id}" + security_group_id = aws_security_group.auths.id } ####### @@ -182,7 +182,10 @@ resource "aws_dynamodb_table" "teleport_state" { } lifecycle { - ignore_changes = ["read_capacity", "write_capacity"] + ignore_changes = [ + read_capacity, + write_capacity, + ] } attribute { @@ -200,8 +203,8 @@ resource "aws_dynamodb_table" "teleport_state" { enabled = true } - tags { - env = "${var.env}" + tags = { + env = var.env terraform = "true" app = "teleport" Name = "teleport-auth-state" @@ -230,7 +233,10 @@ resource "aws_dynamodb_table" "teleport_events" { } lifecycle { - ignore_changes = ["read_capacity", "write_capacity"] + ignore_changes = [ + read_capacity, + write_capacity, + ] } attribute { @@ -258,8 +264,8 @@ resource "aws_dynamodb_table" "teleport_events" { enabled = true } - tags { - env = "${var.env}" + tags = { + env = var.env terraform = "true" app = "teleport" Name = "teleport-auth-audit" @@ -282,14 +288,14 @@ resource "aws_s3_bucket" "recordings" { server_side_encryption_configuration { rule { apply_server_side_encryption_by_default { - kms_master_key_id = "${data.aws_kms_key.main.arn}" #TODO(bob) switch to unique, restricted key here? + kms_master_key_id = data.aws_kms_key.main.arn #TODO(bob) switch to unique, restricted key here? sse_algorithm = "aws:kms" } } } - tags { - env = "${var.env}" + tags = { + env = var.env terraform = "true" app = "teleport" } @@ -301,7 +307,7 @@ resource "aws_s3_bucket" "recordings" { resource "aws_iam_instance_profile" "auth" { name = "${var.env}-teleport-auth" - role = "${aws_iam_role.auth.name}" + role = aws_iam_role.auth.name } // Auth instance profile and roles 
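Review bot: The `#TODO(bob) switch to unique, restricted key here?` on `kms_master_key_id = data.aws_kms_key.main.arn` survives the rewrite, so session recordings in aws_s3_bucket.recordings remain encrypted under the shared main key and the set of principals able to decrypt them is bounded by that key's policy rather than by a key dedicated to this bucket. Since the upgrade already touches this line, it is a good moment to either add a dedicated aws_kms_key whose policy grants use only to aws_iam_role.auth (plus whatever legitimately reads recordings), or to reword the TODO into a tracked item such as `# TODO: recordings use the account-wide key; a dedicated key scoped to aws_iam_role.auth would narrow who can decrypt them`. The bucket policy and the main key's policy are outside this diff, so how broad that decrypt set actually is cannot be judged here.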
@@ -320,12 +326,13 @@ resource "aws_iam_role" "auth" { ] } EOF + } // Auth server uses DynamoDB as a backend, and this is to allow read/write from the dynamo tables resource "aws_iam_role_policy" "auth_dynamo" { name = "${var.env}-teleport-auth-dynamo" - role = "${aws_iam_role.auth.id}" + role = aws_iam_role.auth.id policy = <