added initial terraform code

unity-sds · May 23, 2024 · 075b634 · 075b634
1 parent ebd22f8
commit 075b634
Show file tree

Hide file tree

Showing 10 changed files with 365 additions and 15 deletions.
diff --git a/.gitignore b/.gitignore
@@ -158,3 +158,7 @@ cython_debug/
 #  and can be added to the global gitignore or merged into this file.  For a more nuclear
 #  option (not recommended) you can uncomment the following to ignore the entire idea folder.
 #.idea/
+
+# terraform
+.terraform
+terraform.tfstate*
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,15 +1,15 @@
 fail_fast: true
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.5.0
+    rev: v4.6.0
     hooks:
       # Git style
       - id: check-merge-conflict
       - id: check-symlinks
       - id: trailing-whitespace
 
   - repo: https://github.com/pycqa/isort
-    rev: 5.12.0
+    rev: 5.13.2
     hooks:
       - id: isort
         args: ["--profile", "black", "--filter-files"]
@@ -27,7 +27,7 @@ repos:
 
   - repo: https://github.com/astral-sh/ruff-pre-commit
     # Ruff version.
-    rev: v0.4.2
+    rev: v0.4.5
     hooks:
       - id: ruff
         args: ["--ignore", "E501,E402"]
@@ -39,6 +39,25 @@ repos:
         args: ["--severity-level=high", "--confidence-level=high"]
 
   - repo: https://github.com/PyCQA/prospector
-    rev: 1.10.0
+    rev: v1.10.3
     hooks:
       - id: prospector
+
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.90.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
+    hooks:
+      # Terraform Tests
+      - id: terraform_fmt
+      - id: terraform_docs
+        args:
+          - --hook-config=--path-to-file=README.md # Valid UNIX path. I.e. ../TFDOC.md or docs/README.md etc.
+          - --hook-config=--add-to-existing-file=true # Boolean. true or false
+          - --hook-config=--create-file-if-not-exist=true # Boolean. true or false
+      - id: terraform_validate
+      - id: terraform_providers_lock
+      - id: terraform_tflint
+      - id: terraform_tfsec
+        args:
+          - >
+            --args=--minimum-severity=CRITICAL
+            --no-color
diff --git a/README.md b/README.md
@@ -70,25 +70,30 @@ This guide provides a quick way to get started with our project. Please see our
    cd unity-initiator
    hatch env create
    ```
-1. Install pre-commit:
+1. Install dev tools:
    ```
-   pip install pre-commit
-   pre-commit install
+   ./scripts/install_dev_tools.sh
    ```
 1. Test pre-commit run:
    ```
    pre-commit run --all-files
    ```
    You should see the following output:
    ```
-   check for merge conflicts................................................Passed
-   check for broken symlinks............................(no files to check)Skipped
-   trim trailing whitespace.................................................Passed
-   isort....................................................................Passed
-   black....................................................................Passed
-   ruff.....................................................................Passed
-   bandit...................................................................Passed
-   prospector...............................................................Passed
+   check for merge conflicts...............................................................Passed
+   check for broken symlinks...........................................(no files to check)Skipped
+   trim trailing whitespace................................................................Passed
+   isort...................................................................................Passed
+   black...................................................................................Passed
+   ruff....................................................................................Passed
+   bandit..................................................................................Passed
+   prospector..............................................................................Passed
+   Terraform fmt...........................................................................Passed
+   Terraform docs..........................................................................Passed
+   Terraform validate......................................................................Passed
+   Lock terraform provider versions........................................................Passed
+   Terraform validate with tflint..........................................................Passed
+   Terraform validate with tfsec (deprecated, use "terraform_trivy").......................Passed
    ```
 
 <!-- ☝️ Replace with a numbered list of how to set up your software prior to running ☝️ -->

diff --git a/scripts/install_dev_tools.sh b/scripts/install_dev_tools.sh
@@ -0,0 +1,57 @@
+#!/bin/bash
+set -e
+
+pip install pre-commit
+pip install bandit
+
+pre-commit install
+pre-commit autoupdate
+
+# Check the operating system
+if [[ "$OSTYPE" == "darwin"* ]]; then
+    # macOS
+    echo "Detected macOS. Installing dependencies using Homebrew..."
+
+    # Install dependencies
+    brew install tflint tfsec terraform-docs
+
+    echo "Dependencies installed successfully."
+
+elif [[ "$OSTYPE" == "linux-gnu"* ]]; then
+    # Linux
+    echo "Detected Linux. Downloading and installing pre-built binaries..."
+
+    # Ensure bin directory exists
+    mkdir -p "$HOME"/bin
+
+    # Download the pre-built binaries to bin directory
+    curl -L -o "$HOME"/bin/tflint.zip https://github.com/terraform-linters/tflint/releases/download/v0.51.1/tflint_linux_amd64.zip
+    curl -L -o "$HOME"/bin/tfsec.tar.gz https://github.com/aquasecurity/tfsec/releases/download/v1.28.6/tfsec_1.28.6_linux_amd64.tar.gz
+    curl -L -o "$HOME"/bin/terraform-docs.tar.gz https://github.com/terraform-docs/terraform-docs/releases/download/v0.17.0/terraform-docs-v0.17.0-linux-amd64.tar.gz
+
+    # Unzip/Untar the binaries in the bin directory
+    unzip "$HOME"/bin/tflint.zip -d "$HOME"/bin
+    tar -xvf "$HOME"/bin/terraform-docs.tar.gz -C "$HOME"/bin
+    tar -xvf "$HOME"/bin/tfsec.tar.gz -C "$HOME"/bin
+
+    # Make the binaries executable
+    chmod +x "$HOME"/bin/tflint "$HOME"/bin/terraform-docs "$HOME"/bin/tfsec
+
+    # Verify if the binaries work
+    "$HOME"/bin/tflint --version
+    "$HOME"/bin/tfsec --version
+    "$HOME"/bin/terraform-docs --version
+
+elif [[ "$OSTYPE" == "msys" ]]; then
+    # Windows
+    echo "Detected Windows. Installing dependencies using Chocolatey..."
+
+    # Install dependencies
+    choco install tflint tfsec terraform-docs
+
+    echo "Dependencies installed successfully."
+
+else
+    # Unsupported operating system
+    echo "Unsupported operating system. Please install the dependencies manually."
+fi
diff --git a/terraform-unity/.terraform.lock.hcl b/terraform-unity/.terraform.lock.hcl
diff --git a/terraform-unity/README.md b/terraform-unity/README.md
@@ -0,0 +1,52 @@
+# terraform-unity
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.4.6 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >=5.50.0 |
+| <a name="requirement_null"></a> [null](#requirement\_null) | >=3.2.2 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.50.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_policy.initiator_lambda_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role.initiator_lambda_iam_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.lambda_base_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.lambda_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_lambda_function.initiator_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |
+| [aws_security_group.initiator_lambda_sg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_ssm_parameter.initiator_lambda_function_name](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
+| [aws_iam_policy.mcp_operator_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
+| [aws_ssm_parameter.subnet_list](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
+| [aws_ssm_parameter.vpc_id](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_deployment_name"></a> [deployment\_name](#input\_deployment\_name) | The deployment name | `string` | n/a | yes |
+| <a name="input_project"></a> [project](#input\_project) | The unity project its installed into | `string` | `"UnknownProject"` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags | `map(string)` | n/a | yes |
+| <a name="input_venue"></a> [venue](#input\_venue) | The unity venue its installed into | `string` | `"UnknownVenue"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_lambda_function_arn"></a> [lambda\_function\_arn](#output\_lambda\_function\_arn) | The ARN of the Lambda function |
+| <a name="output_lambda_function_name"></a> [lambda\_function\_name](#output\_lambda\_function\_name) | The name of the Lambda function |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/terraform-unity/main.tf b/terraform-unity/main.tf
@@ -0,0 +1,116 @@
+resource "aws_lambda_function" "initiator_lambda" {
+  function_name = "${var.deployment_name}-inititator"
+
+  filename = "${path.module}/lambda.zip"
+  handler  = "lambda.lambda_handler"
+  runtime  = "python3.11"
+  role     = aws_iam_role.initiator_lambda_iam_role.arn
+
+  environment {
+    variables = {
+      ROUTER_CFG_URL = "s3://test_bucket/test_router.yaml"
+    }
+  }
+
+  vpc_config {
+    subnet_ids         = local.subnet_ids
+    security_group_ids = [aws_security_group.initiator_lambda_sg.id]
+  }
+  tags = var.tags
+}
+
+resource "aws_security_group" "initiator_lambda_sg" {
+  name        = "${var.deployment_name}-initiator_lambda_sg"
+  description = "Security group for the initiator lambda service"
+  vpc_id      = data.aws_ssm_parameter.vpc_id.value
+
+  // Inbound rules
+  // Example: Allow HTTP and HTTPS
+  // ingress {
+  //   from_port   = 2049
+  //   to_port     = 2049
+  //   protocol    = "tcp"
+  //   cidr_blocks = ["0.0.0.0/0"]
+  // }
+
+  // Outbound rules
+  // Example: Allow all outbound traffic
+  // egress {
+  //   from_port   = 0
+  //   to_port     = 0
+  //   protocol    = "-1"
+  //   cidr_blocks = ["0.0.0.0/0"]
+  // }
+
+  tags = var.tags
+}
+
+
+resource "aws_iam_role" "initiator_lambda_iam_role" {
+  name = "${var.deployment_name}-initiator_lambda_iam_role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Action = "sts:AssumeRole",
+        Effect = "Allow",
+        Principal = {
+          Service = "lambda.amazonaws.com"
+        },
+      },
+    ],
+  })
+  permissions_boundary = data.aws_iam_policy.mcp_operator_policy.arn
+}
+
+resource "aws_iam_policy" "initiator_lambda_policy" {
+  name        = "${var.deployment_name}-initiator_lambda_policy"
+  description = "A policy for the Lambda function to access S3"
+
+  policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Sid" : "ListObjectsInBucket",
+        "Effect" : "Allow",
+        "Action" : ["s3:ListBucket"],
+        "Resource" : ["arn:aws:s3:::*"]
+      },
+      {
+        "Sid" : "AllObjectActions",
+        "Effect" : "Allow",
+        "Action" : "s3:*Object",
+        "Resource" : ["arn:aws:s3:::*"]
+      }
+    ]
+  })
+
+}
+
+resource "aws_iam_role_policy_attachment" "lambda_base_policy_attachment" {
+  role       = aws_iam_role.initiator_lambda_iam_role.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+}
+
+resource "aws_iam_role_policy_attachment" "lambda_policy_attachment" {
+  role       = aws_iam_role.initiator_lambda_iam_role.name
+  policy_arn = aws_iam_policy.initiator_lambda_policy.arn
+}
+
+resource "aws_ssm_parameter" "initiator_lambda_function_name" {
+  name  = "/unity/${var.project}/${var.venue}/od/initiator/lambda-name"
+  type  = "String"
+  value = aws_lambda_function.initiator_lambda.function_name
+}
+
+
+output "lambda_function_arn" {
+  description = "The ARN of the Lambda function"
+  value       = aws_lambda_function.initiator_lambda.arn
+}
+
+output "lambda_function_name" {
+  description = "The name of the Lambda function"
+  value       = aws_lambda_function.initiator_lambda.function_name
+}
diff --git a/terraform-unity/terraform.tf b/terraform-unity/terraform.tf
@@ -0,0 +1,17 @@
+data "aws_ssm_parameter" "vpc_id" {
+  name = "/unity/account/network/vpc_id"
+}
+
+data "aws_ssm_parameter" "subnet_list" {
+  name = "/unity/account/network/subnet_list"
+}
+
+data "aws_iam_policy" "mcp_operator_policy" {
+  name = "mcp-tenantOperator-AMI-APIG"
+}
+
+locals {
+  subnet_map = jsondecode(data.aws_ssm_parameter.subnet_list.value)
+  subnet_ids = nonsensitive(local.subnet_map["private"])
+  // public_subnet_ids = nonsensitive(local.subnet_map["public"])
+}