Add create and tag variables

abdulkunnummal · Apr 14, 2023 · 09c6da5 · 09c6da5
1 parent 564d877
commit 09c6da5
Show file tree

Hide file tree

Showing 6 changed files with 135 additions and 132 deletions.
diff --git a/.github/workflows/pr-title.yaml b/.github/workflows/pr-title.yaml
@@ -0,0 +1,17 @@
+name: Lint PR
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - edited
+      - synchronize
+
+jobs:
+  main:
+    name: Validate PR title
+    runs-on: ubuntu-latest
+    steps:
+      - uses: amannn/action-semantic-pull-request@v4
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/README.md b/README.md
@@ -7,7 +7,6 @@ Terraform module which creates an SSM compatible EC2 instance on AWS. By default
 ```hcl
 module "ec2" {
   source    = "github.com/stuxcd/terraform-aws-ssm-ec2"
-  # version = ""
 
   ## required
   vpc_id    = "vpc-1234567890"
@@ -89,40 +88,39 @@ No modules.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.28.0 |
-| <a name="provider_random"></a> [random](#provider\_random) | 3.3.2 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.63.0 |
+| <a name="provider_random"></a> [random](#provider\_random) | 3.5.1 |
 
 ## Modules
 
-No modules.
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_role"></a> [role](#module\_role) | terraform-aws-modules/iam/aws//modules/iam-assumable-role | 5.17.0 |
 
 ## Resources
 
 | Name | Type |
 |------|------|
 | [aws_iam_instance_profile.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |
-| [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
-| [aws_iam_role_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_instance.launch_template](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) | resource |
 | [aws_instance.standalone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) | resource |
-| [aws_kms_key.ec2_volume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
 | [aws_security_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [aws_security_group_rule.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [random_pet.global_name](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
 | [aws_ami.ubuntu](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
-| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
-| [aws_iam_policy_document.ec2_volume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_kms_key.ebs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_additional_security_group_ids"></a> [additional\_security\_group\_ids](#input\_additional\_security\_group\_ids) | The identifier of a custom security group ID, replaces default | `list(string)` | `[]` | no |
-| <a name="input_instance_size"></a> [instance\_size](#input\_instance\_size) | The size of the EC2 instance to deploy | `string` | `"t3a.small"` | no |
+| <a name="input_create"></a> [create](#input\_create) | Controls if EKS resources should be created (affects nearly all resources) | `bool` | `true` | no |
+| <a name="input_instance_size"></a> [instance\_size](#input\_instance\_size) | The size of the EC2 instance to deploy | `string` | `"t3.micro"` | no |
 | <a name="input_launch_template_name"></a> [launch\_template\_name](#input\_launch\_template\_name) | The name of the launch template to use | `string` | `""` | no |
 | <a name="input_launch_template_version"></a> [launch\_template\_version](#input\_launch\_template\_version) | The launch template version | `string` | `"$Default"` | no |
 | <a name="input_subnet_id"></a> [subnet\_id](#input\_subnet\_id) | The identifier of subnet to deploy EC2 instance into | `string` | n/a | yes |
+| <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | The identifier of VPC to deploy EC2 instance into | `string` | `""` | no |
 
 ## Outputs

diff --git a/data.tf b/data.tf
@@ -1,10 +1,10 @@
 #################################
-# GENERAL
+# AWS
 #################################
 
-data "aws_caller_identity" "current" {}
-
-data "aws_region" "current" {}
+data "aws_kms_key" "ebs" {
+  key_id = "alias/aws/ebs"
+}
 
 #################################
 # AMI
@@ -24,37 +24,3 @@ data "aws_ami" "ubuntu" {
     values = ["hvm"]
   }
 }
-
-#################################
-# IAM
-#################################
-
-data "aws_iam_policy_document" "ec2_volume" {
-  statement {
-    actions = ["kms:*"]
-    principals {
-      type        = "AWS"
-      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
-    }
-    resources = ["*"]
-  }
-
-  statement {
-    actions = ["kms:*"]
-    principals {
-      type        = "AWS"
-      identifiers = ["*"]
-    }
-    resources = ["*"]
-    condition {
-      test     = "StringEquals"
-      variable = "kms:ViaService"
-      values   = ["ec2.${data.aws_region.current.name}.amazonaws.com"]
-    }
-    condition {
-      test     = "StringEquals"
-      variable = "kms:CallerAccount"
-      values   = [data.aws_caller_identity.current.account_id]
-    }
-  }
-}
diff --git a/examples/main/main.tf b/examples/main/main.tf
@@ -16,7 +16,4 @@ module "ec2" {
   ## required
   vpc_id    = ""
   subnet_id = ""
-
-  ## optional
-  instance_size = "t3a.small"
 }
diff --git a/main.tf b/main.tf
@@ -3,82 +3,20 @@
 ##########################################
 
 locals {
-  global_name = random_pet.global_name.id
+  global_name = random_pet.global_name[0].id
 
-  # optional variables
-  launch_template = var.launch_template_name != "" ? true : false
-}
-
-resource "random_pet" "global_name" {
-  length = 4
-}
-
-##########################################
-# ENCRYPTION
-##########################################
+  create                      = var.create
+  create_supporting_resources = local.create && !local.use_launch_template
 
-resource "aws_kms_key" "ec2_volume" {
-  count = local.launch_template ? 0 : 1
+  use_launch_template = var.launch_template_name != ""
 
-  description             = "KMS key for EC2 EBS volume"
-  deletion_window_in_days = 10
-  policy                  = data.aws_iam_policy_document.ec2_volume.json
+  tags = var.tags
 }
 
-##########################################
-# NETWORKING
-##########################################
-
-resource "aws_security_group" "this" {
-  count = local.launch_template ? 0 : 1
-
-  description = "Allow TLS inbound traffic"
-  vpc_id      = var.vpc_id
-}
-
-resource "aws_security_group_rule" "this" {
-  count = local.launch_template ? 0 : 1
-
-  type              = "egress"
-  from_port         = 0
-  to_port           = 0
-  protocol          = "-1"
-  cidr_blocks       = ["0.0.0.0/0"]
-  security_group_id = aws_security_group.this[0].id
-}
-
-##########################################
-# IAM
-##########################################
-
-resource "aws_iam_instance_profile" "this" {
-  count = local.launch_template ? 0 : 1
-
-  role = aws_iam_role.this[0].name
-}
-
-resource "aws_iam_role" "this" {
-  count = local.launch_template ? 0 : 1
-
-  name               = local.global_name
-  description        = "The role for the SSM EC2 instance"
-  assume_role_policy = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": {
-    "Effect": "Allow",
-    "Principal": {"Service": "ec2.amazonaws.com"},
-    "Action": "sts:AssumeRole"
-  }
-}
-EOF
-}
-
-resource "aws_iam_role_policy_attachment" "this" {
-  count = local.launch_template ? 0 : 1
+resource "random_pet" "global_name" {
+  count = local.create ? 1 : 0
 
-  role       = aws_iam_role.this[0].name
-  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+  length = 4
 }
 
 ##########################################
@@ -90,7 +28,7 @@ locals {
 }
 
 resource "aws_instance" "standalone" {
-  count = local.launch_template ? 0 : 1
+  count = local.create_supporting_resources ? 1 : 0
 
   ami           = data.aws_ami.ubuntu.id
   instance_type = var.instance_size
@@ -110,26 +48,97 @@ resource "aws_instance" "standalone" {
       device_name           = ebs_block_device.value.device_name
       delete_on_termination = true
       encrypted             = true
-      kms_key_id            = aws_kms_key.ec2_volume[0].id
+      kms_key_id            = data.aws_kms_key.ebs.arn
       volume_size           = ebs_block_device.value.ebs.volume_size
       volume_type           = ebs_block_device.value.ebs.volume_type
     }
   }
 
-  tags = {
-    Name = local.global_name
-  }
+  tags = merge(
+    local.tags,
+    {
+      Name = local.global_name
+    }
+  )
 }
 
 resource "aws_instance" "launch_template" {
-  count = local.launch_template ? 1 : 0
+  count = local.create && local.use_launch_template ? 1 : 0
 
   launch_template {
     name    = var.launch_template_name
     version = var.launch_template_version
   }
 
-  tags = {
-    Name = local.global_name
-  }
+  tags = merge(
+    local.tags,
+    {
+      Name = local.global_name
+    }
+  )
+}
+
+##########################################
+# NETWORKING
+##########################################
+
+resource "aws_security_group" "this" {
+  count = local.create_supporting_resources ? 1 : 0
+
+  description = "Allow TLS inbound traffic"
+  vpc_id      = var.vpc_id
+
+  tags = merge(
+    local.tags,
+    {
+      Name = local.global_name
+    }
+  )
+}
+
+resource "aws_security_group_rule" "this" {
+  count = local.create_supporting_resources ? 1 : 0
+
+  type              = "egress"
+  from_port         = 0
+  to_port           = 0
+  protocol          = "-1"
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = aws_security_group.this[0].id
+}
+
+##########################################
+# IAM
+##########################################
+
+resource "aws_iam_instance_profile" "this" {
+  count = local.create_supporting_resources ? 1 : 0
+
+  role = module.role.iam_role_arn
+
+  tags = merge(
+    local.tags,
+    {
+      Name = local.global_name
+    }
+  )
+}
+
+module "role" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
+  version = "5.17.0"
+
+
+  create_role       = local.create_supporting_resources
+  role_name         = local.global_name
+  role_requires_mfa = false
+
+  trusted_role_services = ["ec2.amazonaws.com"]
+
+  custom_role_policy_arns = [
+    "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+  ]
+  number_of_custom_role_policy_arns = 1
+
+  tags = local.tags
 }
diff --git a/variables.tf b/variables.tf
@@ -1,11 +1,27 @@
+##########################################
+# GLOBAL
+##########################################
+
+variable "create" {
+  description = "Controls if EKS resources should be created (affects nearly all resources)"
+  type        = bool
+  default     = true
+}
+
+variable "tags" {
+  description = "A map of tags to add to all resources"
+  type        = map(string)
+  default     = {}
+}
+
 ##########################################
 # COMPUTE
 ##########################################
 
 variable "instance_size" {
   type        = string
   description = "The size of the EC2 instance to deploy"
-  default     = "t3a.small"
+  default     = "t3.micro"
 }
 
 ##########################################