From 075b6349aca4613aa620f68a51a801e32aa7364b Mon Sep 17 00:00:00 2001
From: Gerald Manipon
Date: Thu, 23 May 2024 11:46:15 -0700
Subject: [PATCH] added initial terraform code
---
 .gitignore | 4 +
 .pre-commit-config.yaml | 27 ++++++-
 README.md | 27 ++++---
 scripts/install_dev_tools.sh | 57 ++++++++++++++
 terraform-unity/.terraform.lock.hcl | 45 +++++++++++
 terraform-unity/README.md | 52 +++++++++++++
 terraform-unity/main.tf | 116 ++++++++++++++++++++++++++++
 terraform-unity/terraform.tf | 17 ++++
 terraform-unity/variables.tf | 21 +++++
 terraform-unity/versions.tf | 14 ++++
 10 files changed, 365 insertions(+), 15 deletions(-)
 create mode 100755 scripts/install_dev_tools.sh
 create mode 100644 terraform-unity/.terraform.lock.hcl
 create mode 100644 terraform-unity/README.md
 create mode 100644 terraform-unity/main.tf
 create mode 100644 terraform-unity/terraform.tf
 create mode 100644 terraform-unity/variables.tf
 create mode 100644 terraform-unity/versions.tf
diff --git a/.gitignore b/.gitignore
index 68bc17f..b346c16 100644
--- a/.gitignore
+++ b/.gitignore
@@ -158,3 +158,7 @@ cython_debug/
 # and can be added to the global gitignore or merged into this file. For a more nuclear
 # option (not recommended) you can uncomment the following to ignore the entire idea folder.
 #.idea/
+
+# terraform
+.terraform
+terraform.tfstate*
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index dfdcf3b..986fcc3 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,7 +1,7 @@
 fail_fast: true
 repos:
 - repo: https://github.com/pre-commit/pre-commit-hooks
- rev: v4.5.0
+ rev: v4.6.0
 hooks:
 # Git style
 - id: check-merge-conflict
@@ -9,7 +9,7 @@ repos:
 - id: trailing-whitespace
 - repo: https://github.com/pycqa/isort
- rev: 5.12.0
+ rev: 5.13.2
 hooks:
 - id: isort
 args: ["--profile", "black", "--filter-files"]
@@ -27,7 +27,7 @@ repos:
 - repo: https://github.com/astral-sh/ruff-pre-commit
 # Ruff version.
- rev: v0.4.2
+ rev: v0.4.5
 hooks:
 - id: ruff
 args: ["--ignore", "E501,E402"]
@@ -39,6 +39,25 @@ repos:
 args: ["--severity-level=high", "--confidence-level=high"]
 - repo: https://github.com/PyCQA/prospector
- rev: 1.10.0
+ rev: v1.10.3
 hooks:
 - id: prospector
+
+ - repo: https://github.com/antonbabenko/pre-commit-terraform
+ rev: v1.90.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
+ hooks:
+ # Terraform Tests
+ - id: terraform_fmt
+ - id: terraform_docs
+ args:
+ - --hook-config=--path-to-file=README.md # Valid UNIX path. I.e. ../TFDOC.md or docs/README.md etc.
+ - --hook-config=--add-to-existing-file=true # Boolean. true or false
+ - --hook-config=--create-file-if-not-exist=true # Boolean. true or false
+ - id: terraform_validate
+ - id: terraform_providers_lock
+ - id: terraform_tflint
+ - id: terraform_tfsec
+ args:
+ - >
+ --args=--minimum-severity=CRITICAL
+ --no-color
diff --git a/README.md b/README.md
index 00fd463..0271d53 100644
--- a/README.md
+++ b/README.md
@@ -70,10 +70,9 @@ This guide provides a quick way to get started with our project. Please see our
 cd unity-initiator
 hatch env create
 ```
-1. Install pre-commit:
+1. Install dev tools:
 ```
- pip install pre-commit
- pre-commit install
+ ./scripts/install_dev_tools.sh
 ```
 1. Test pre-commit run:
 ```
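Review bot: The `terraform_tfsec` hook added in the -39 hunk is the deprecated scanner — the hook's own output, quoted in this commit's README change, reads `Terraform validate with tfsec (deprecated, use "terraform_trivy")` — and `--args=--minimum-severity=CRITICAL` lets every HIGH finding (wildcard IAM resources, open egress and the like) through the commit gate. The smallest change is `--args=--minimum-severity=HIGH`; the better one is to replace the entry with `- id: terraform_trivy` and pass `--args=--severity=HIGH,CRITICAL`, which is the scanner the deprecation message points to. Also worth a comment on the `rev: v1.90.0` line: the installer script added in this same commit runs `pre-commit autoupdate`, which rewrites these `rev:` pins on each developer machine, so either that call goes or the pins here are not really pins.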
@@ -81,14 +80,20 @@ This guide provides a quick way to get started with our project. Please see our
 ```
 You should see the following output:
 ```
- check for merge conflicts................................................Passed
- check for broken symlinks............................(no files to check)Skipped
- trim trailing whitespace.................................................Passed
- isort....................................................................Passed
- black....................................................................Passed
- ruff.....................................................................Passed
- bandit...................................................................Passed
- prospector...............................................................Passed
+ check for merge conflicts...............................................................Passed
+ check for broken symlinks...........................................(no files to check)Skipped
+ trim trailing whitespace................................................................Passed
+ isort...................................................................................Passed
+ black...................................................................................Passed
+ ruff....................................................................................Passed
+ bandit..................................................................................Passed
+ prospector..............................................................................Passed
+ Terraform fmt...........................................................................Passed
+ Terraform docs..........................................................................Passed
+ Terraform validate......................................................................Passed
+ Lock terraform provider versions........................................................Passed
+ Terraform validate with tflint..........................................................Passed
+ Terraform validate with tfsec (deprecated, use "terraform_trivy").......................Passed
 ```
diff --git a/scripts/install_dev_tools.sh b/scripts/install_dev_tools.sh
new file mode 100755
index 0000000..3b0d8e0
--- /dev/null
+++ b/scripts/install_dev_tools.sh
@@ -0,0 +1,57 @@
+#!/bin/bash
+set -e
+
+pip install pre-commit
+pip install bandit
+
+pre-commit install
+pre-commit autoupdate
+
+# Check the operating system
+if [[ "$OSTYPE" == "darwin"* ]]; then
+ # macOS
+ echo "Detected macOS. Installing dependencies using Homebrew..."
+
+ # Install dependencies
+ brew install tflint tfsec terraform-docs
+
+ echo "Dependencies installed successfully."
+
+elif [[ "$OSTYPE" == "linux-gnu"* ]]; then
+ # Linux
+ echo "Detected Linux. Downloading and installing pre-built binaries..."
+
+ # Ensure bin directory exists
+ mkdir -p "$HOME"/bin
+
+ # Download the pre-built binaries to bin directory
+ curl -L -o "$HOME"/bin/tflint.zip https://github.com/terraform-linters/tflint/releases/download/v0.51.1/tflint_linux_amd64.zip
+ curl -L -o "$HOME"/bin/tfsec.tar.gz https://github.com/aquasecurity/tfsec/releases/download/v1.28.6/tfsec_1.28.6_linux_amd64.tar.gz
+ curl -L -o "$HOME"/bin/terraform-docs.tar.gz https://github.com/terraform-docs/terraform-docs/releases/download/v0.17.0/terraform-docs-v0.17.0-linux-amd64.tar.gz
+
+ # Unzip/Untar the binaries in the bin directory
+ unzip "$HOME"/bin/tflint.zip -d "$HOME"/bin
+ tar -xvf "$HOME"/bin/terraform-docs.tar.gz -C "$HOME"/bin
+ tar -xvf "$HOME"/bin/tfsec.tar.gz -C "$HOME"/bin
+
+ # Make the binaries executable
+ chmod +x "$HOME"/bin/tflint "$HOME"/bin/terraform-docs "$HOME"/bin/tfsec
+
+ # Verify if the binaries work
+ "$HOME"/bin/tflint --version
+ "$HOME"/bin/tfsec --version
+ "$HOME"/bin/terraform-docs --version
+
+elif [[ "$OSTYPE" == "msys" ]]; then
+ # Windows
+ echo "Detected Windows. Installing dependencies using Chocolatey..."
+
+ # Install dependencies
+ choco install tflint tfsec terraform-docs
+
+ echo "Dependencies installed successfully."
+
+else
+ # Unsupported operating system
+ echo "Unsupported operating system. Please install the dependencies manually."
+fi
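Review bot: The Linux branch fetches three executables with `curl -L` and unpacks them into `$HOME/bin` without any integrity check, so whatever the download returns — a tampered archive, a truncated one, or an HTTP error page saved as `tflint.zip` because `--fail` is not set — is installed onto the path that pre-commit will later execute; the versions are pinned, so pin the release checksums next to them and verify before extracting, and harden the prelude to `set -euo pipefail`. Separately, `pre-commit autoupdate` on line 8 rewrites the `rev:` pins in .pre-commit-config.yaml on every machine this script runs on, defeating the pinning in that file and leaving a dirty working tree after "install"; drop it from the installer and run it as a deliberate, reviewed step. The `pip install` lines are likewise unpinned, which is minor but worth a version constraint for the same reproducibility reason.
```bash
set -euo pipefail
# … unchanged: pip install, pre-commit install, OS detection …

  # Pinned release checksums — placeholders, fill from each project's release page
  TFLINT_SHA256="<sha256 of tflint_linux_amd64.zip v0.51.1>"
  TFSEC_SHA256="<sha256 of tfsec_1.28.6_linux_amd64.tar.gz>"
  TFDOCS_SHA256="<sha256 of terraform-docs-v0.17.0-linux-amd64.tar.gz>"

  # --fail makes an HTTP error abort here instead of writing the error body to disk
  curl -fsSL -o "$HOME"/bin/tflint.zip https://github.com/terraform-linters/tflint/releases/download/v0.51.1/tflint_linux_amd64.zip
  curl -fsSL -o "$HOME"/bin/tfsec.tar.gz https://github.com/aquasecurity/tfsec/releases/download/v1.28.6/tfsec_1.28.6_linux_amd64.tar.gz
  curl -fsSL -o "$HOME"/bin/terraform-docs.tar.gz https://github.com/terraform-docs/terraform-docs/releases/download/v0.17.0/terraform-docs-v0.17.0-linux-amd64.tar.gz

  # Verify every archive before anything is extracted; sha256sum -c exits non-zero on mismatch
  printf '%s  %s\n' \
    "$TFLINT_SHA256" "$HOME/bin/tflint.zip" \
    "$TFSEC_SHA256"  "$HOME/bin/tfsec.tar.gz" \
    "$TFDOCS_SHA256" "$HOME/bin/terraform-docs.tar.gz" | sha256sum -c -

# … unchanged: unzip/tar, chmod, --version checks, macOS/Windows branches …
```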
diff --git a/terraform-unity/.terraform.lock.hcl b/terraform-unity/.terraform.lock.hcl
new file mode 100644
index 0000000..d87817f
--- /dev/null
+++ b/terraform-unity/.terraform.lock.hcl
@@ -0,0 +1,45 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "5.50.0" + constraints = ">= 5.50.0" + hashes = [ + "h1:LevuTzPS4S7t+Vh6Kpz77pBNDAwChaos91/6+CVnD4w=", + "zh:19be42f5a545d6712dee4bdb704b018d23bacf5d902ac3cb061eb1750dfe6a20", + "zh:1d880bdba95ce96efde37e5bcf457a57df2c1effa9b47bc67fa29c1a264ae53b", + "zh:1e9c78e324d7492be5e7744436ed71d66fe4eca3fb6af07a28efd0d1e3bf7640", + "zh:27ac672aa61b3795931561fdbe4a306ad1132af517d7711c14569429b2cc694f", + "zh:3b978423dead02f9a98d25de118adf264a2331acdc4550ea93bed01feabc12e7", + "zh:490d7eb4b922ba1b57e0ab8dec1a08df6517485febcab1e091fd6011281c3472", + "zh:64e7c84e18dac1af5778d6f516e01a46f9c91d710867c39fbc7efa3cd972dc62", + "zh:73867ac2956dcdd377121b3aa8fe2e1085e77fae9b61d018f56a863277ea4b6e", + "zh:7ed899d0d5c49f009b445d7816e4bf702d9c48205c24cf884cd2ae0247160455", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:9b93784b3fb13d08cf95a4131c49b56bf7e1cd35daad6156b3658a89ce6fb58f", + "zh:b29d77eb75de474e46eb47e539c48916628d85599bcf14e5cc500b14a4578e75", + "zh:bbd9cec8ca705452e4a3d21d56474eacb8cc7b1b74b7f310fdea4bdcffebab32", + "zh:c352eb3169efa0e27a29b99a2630e8298710a084453c519caa39e5972ff6d1fc", + "zh:e32f4744b43be1708b309a734e0ac10b5c0f9f92e5849298cf1a90f2b906f6f3", + ] +} + +provider "registry.terraform.io/hashicorp/null" { + version = "3.2.2" + constraints = ">= 3.2.2" + hashes = [ + "h1:IMVAUHKoydFrlPrl9OzasDnw/8ntZFerCC9iXw1rXQY=", + "zh:3248aae6a2198f3ec8394218d05bd5e42be59f43a3a7c0b71c66ec0df08b69e7", + "zh:32b1aaa1c3013d33c245493f4a65465eab9436b454d250102729321a44c8ab9a", + "zh:38eff7e470acb48f66380a73a5c7cdd76cc9b9c9ba9a7249c7991488abe22fe3", + "zh:4c2f1faee67af104f5f9e711c4574ff4d298afaa8a420680b0cb55d7bbc65606", + "zh:544b33b757c0b954dbb87db83a5ad921edd61f02f1dc86c6186a5ea86465b546", + "zh:696cf785090e1e8cf1587499516b0494f47413b43cb99877ad97f5d0de3dc539", 
+ "zh:6e301f34757b5d265ae44467d95306d61bef5e41930be1365f5a8dcf80f59452", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:913a929070c819e59e94bb37a2a253c228f83921136ff4a7aa1a178c7cce5422", + "zh:aa9015926cd152425dbf86d1abdbc74bfe0e1ba3d26b3db35051d7b9ca9f72ae", + "zh:bb04798b016e1e1d49bcc76d62c53b56c88c63d6f2dfe38821afef17c416a0e1", + "zh:c23084e1b23577de22603cff752e59128d83cfecc2e6819edadd8cf7a10af11e", + ] +} diff --git a/terraform-unity/README.md b/terraform-unity/README.md new file mode 100644 index 0000000..a10701b --- /dev/null +++ b/terraform-unity/README.md 
@@ -0,0 +1,52 @@ +# terraform-unity + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | ~> 1.4.6 | +| [aws](#requirement\_aws) | >=5.50.0 | +| [null](#requirement\_null) | >=3.2.2 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | 5.50.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_iam_policy.initiator_lambda_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_role.initiator_lambda_iam_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy_attachment.lambda_base_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.lambda_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_lambda_function.initiator_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource | +| [aws_security_group.initiator_lambda_sg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [aws_ssm_parameter.initiator_lambda_function_name](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource | +| [aws_iam_policy.mcp_operator_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | +| [aws_ssm_parameter.subnet_list](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source | +| [aws_ssm_parameter.vpc_id](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source | + +## Inputs + +| Name | Description | Type | Default 
| Required | +|------|-------------|------|---------|:--------:| +| [deployment\_name](#input\_deployment\_name) | The deployment name | `string` | n/a | yes | +| [project](#input\_project) | The unity project its installed into | `string` | `"UnknownProject"` | no | +| [tags](#input\_tags) | AWS Tags | `map(string)` | n/a | yes | +| [venue](#input\_venue) | The unity venue its installed into | `string` | `"UnknownVenue"` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [lambda\_function\_arn](#output\_lambda\_function\_arn) | The ARN of the Lambda function | +| [lambda\_function\_name](#output\_lambda\_function\_name) | The name of the Lambda function | + diff --git a/terraform-unity/main.tf b/terraform-unity/main.tf new file mode 100644 index 0000000..7d33506 --- /dev/null +++ b/terraform-unity/main.tf 
@@ -0,0 +1,116 @@
+resource "aws_lambda_function" "initiator_lambda" {
+ function_name = "${var.deployment_name}-inititator"
+
+ filename = "${path.module}/lambda.zip"
+ handler = "lambda.lambda_handler"
+ runtime = "python3.11"
+ role = aws_iam_role.initiator_lambda_iam_role.arn
+
+ environment {
+ variables = {
+ ROUTER_CFG_URL = "s3://test_bucket/test_router.yaml"
+ }
+ }
+
+ vpc_config {
+ subnet_ids = local.subnet_ids
+ security_group_ids = [aws_security_group.initiator_lambda_sg.id]
+ }
+ tags = var.tags
+}
+
+resource "aws_security_group" "initiator_lambda_sg" {
+ name = "${var.deployment_name}-initiator_lambda_sg"
+ description = "Security group for the initiator lambda service"
+ vpc_id = data.aws_ssm_parameter.vpc_id.value
+
+ // Inbound rules
+ // Example: Allow HTTP and HTTPS
+ // ingress {
+ // from_port = 2049
+ // to_port = 2049
+ // protocol = "tcp"
+ // cidr_blocks = ["0.0.0.0/0"]
+ // }
+
+ // Outbound rules
+ // Example: Allow all outbound traffic
+ // egress {
+ // from_port = 0
+ // to_port = 0
+ // protocol = "-1"
+ // cidr_blocks = ["0.0.0.0/0"]
+ // }
+
+ tags = var.tags
+}
+
+
+resource "aws_iam_role" "initiator_lambda_iam_role" {
+ name = "${var.deployment_name}-initiator_lambda_iam_role"
+
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17",
+ Statement = [
+ {
+ Action = "sts:AssumeRole",
+ Effect = "Allow",
+ Principal = {
+ Service = "lambda.amazonaws.com"
+ },
+ },
+ ],
+ })
+ permissions_boundary = data.aws_iam_policy.mcp_operator_policy.arn
+}
+
+resource "aws_iam_policy" "initiator_lambda_policy" {
+ name = "${var.deployment_name}-initiator_lambda_policy"
+ description = "A policy for the Lambda function to access S3"
+
+ policy = jsonencode({
+ "Version" : "2012-10-17",
+ "Statement" : [
+ {
+ "Sid" : "ListObjectsInBucket",
+ "Effect" : "Allow",
+ "Action" : ["s3:ListBucket"],
+ "Resource" : ["arn:aws:s3:::*"]
+ },
+ {
+ "Sid" : "AllObjectActions",
+ "Effect" : "Allow",
+ "Action" : "s3:*Object",
+ "Resource" : ["arn:aws:s3:::*"]
+ }
+ ]
+ })
+
+}
+
+resource "aws_iam_role_policy_attachment" "lambda_base_policy_attachment" {
+ role = aws_iam_role.initiator_lambda_iam_role.name
+ policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+}
+
+resource "aws_iam_role_policy_attachment" "lambda_policy_attachment" {
+ role = aws_iam_role.initiator_lambda_iam_role.name
+ policy_arn = aws_iam_policy.initiator_lambda_policy.arn
+}
+
+resource "aws_ssm_parameter" "initiator_lambda_function_name" {
+ name = "/unity/${var.project}/${var.venue}/od/initiator/lambda-name"
+ type = "String"
+ value = aws_lambda_function.initiator_lambda.function_name
+}
+
+
+output "lambda_function_arn" {
+ description = "The ARN of the Lambda function"
+ value = aws_lambda_function.initiator_lambda.arn
+}
+
+output "lambda_function_name" {
+ description = "The name of the Lambda function"
+ value = aws_lambda_function.initiator_lambda.function_name
+}
diff --git a/terraform-unity/terraform.tf b/terraform-unity/terraform.tf
new file mode 100644
index 0000000..2db49d6
--- /dev/null
+++ b/terraform-unity/terraform.tf
@@ -0,0 +1,17 @@
+data "aws_ssm_parameter" "vpc_id" {
+ name = "/unity/account/network/vpc_id"
+}
+
+data "aws_ssm_parameter" "subnet_list" {
+ name = "/unity/account/network/subnet_list"
+}
+
+data "aws_iam_policy" "mcp_operator_policy" {
+ name = "mcp-tenantOperator-AMI-APIG"
+}
+
+locals {
+ subnet_map = jsondecode(data.aws_ssm_parameter.subnet_list.value)
+ subnet_ids = nonsensitive(local.subnet_map["private"])
+ // public_subnet_ids = nonsensitive(local.subnet_map["public"])
+}
diff --git a/terraform-unity/variables.tf b/terraform-unity/variables.tf
new file mode 100644
index 0000000..0099dab
--- /dev/null
+++ b/terraform-unity/variables.tf
@@ -0,0 +1,21 @@
+variable "tags" {
+ description = "AWS Tags"
+ type = map(string)
+}
+
+variable "deployment_name" {
+ description = "The deployment name"
+ type = string
+}
+
+variable "project" {
+ description = "The unity project its installed into"
+ type = string
+ default = "UnknownProject"
+}
+
+variable "venue" {
+ description = "The unity venue its installed into"
+ type = string
+ default = "UnknownVenue"
+}
\ No newline at end of file
diff --git a/terraform-unity/versions.tf b/terraform-unity/versions.tf
new file mode 100644
index 0000000..91e8698
--- /dev/null
+++ b/terraform-unity/versions.tf
@@ -0,0 +1,14 @@
+terraform {
+ required_version = "~> 1.4.6"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">=5.50.0"
+ }
+ null = {
+ source = "hashicorp/null"
+ version = ">=3.2.2"
+ }
+ }
+}
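Review bot: `deployment_name` is interpolated into the Lambda function name, the security-group name and the IAM role and policy names in main.tf, yet it has no `validation` block, so a value with spaces or characters outside IAM's name alphabet, or one long enough to push `<name>-initiator_lambda_iam_role` past IAM's 64-character limit, only fails at apply time with a provider error after other resources have been created. A plan-time check on the variable gives a clear message instead; the length bound below is constructed from the longest suffix used in main.tf and should be adjusted if those names change. The file also ends without a trailing newline (`\ No newline at end of file`), so the `terraform_fmt` hook added in this commit will rewrite it on first run.
```hcl
variable "deployment_name" {
  description = "The deployment name"
  type        = string

  validation {
    # 36 chars + the 26-char "-initiator_lambda_iam_role" suffix stays under IAM's 64-char
    # role-name limit; the character class is the set IAM accepts for names.
    condition     = can(regex("^[A-Za-z0-9_=,.@-]{1,36}$", var.deployment_name))
    error_message = "deployment_name must be 1-36 characters from [A-Za-z0-9_=,.@-]."
  }
}
```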
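Review bot: `hashicorp/null` is declared under `required_providers` (and therefore pinned in the lock file added by this commit) but nothing in main.tf or terraform.tf uses a `null_resource` or `null_data_source`, and the generated terraform-unity/README.md in this same commit lists only `aws` under Providers; drop the `null` entry so the module does not carry a provider it never loads. The `version = ">=5.50.0"` constraint has no upper bound, so `terraform init -upgrade` can move to a new aws major release with breaking resource-schema changes; `version = "~> 5.50"` keeps the 5.x line the lock file already records. `required_version = "~> 1.4.6"` is conversely tight (1.4.x only) and will have to be bumped deliberately — a short comment saying that is intentional would help the next reader.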