Wednesday, 22 December 2021
CircleCI Orbs
Terraform: an IAM upload user for CI, with its credentials stored in AWS Secrets Manager
# IAM policy document for the CI upload user: list access on the Ansible
# bucket plus read/write/replicate/restore/delete on every object in it.
# The original single statement applied all actions to both ARNs; IAM only
# honours the bucket-level action on the bucket ARN and the object-level
# actions on the object ARN, so splitting them yields the same permissions.
# NOTE(review): "s3:GetObject*" / "s3:PutObject*" also match the ACL and
# tagging variants (e.g. s3:PutObjectAcl), and the Delete*Version actions
# allow purging versioned history -- confirm the CI job actually needs more
# than s3:GetObject / s3:PutObject / s3:DeleteObject before keeping them.
data "aws_iam_policy_document" "ci_user_s3_policy" {
  # Bucket-level: enumerate keys in the bucket.
  statement {
    effect    = "Allow"
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::ansible-bucket-${var.environment}"]
  }

  # Object-level: everything the upload job does to individual objects.
  statement {
    effect = "Allow"
    actions = [
      "s3:GetObject*",
      "s3:PutObject*",
      "s3:DeleteObject",
      "s3:DeleteObjectTagging",
      "s3:DeleteObjectVersion",
      "s3:DeleteObjectVersionTagging",
      "s3:ReplicateObject",
      "s3:RestoreObject",
    ]
    resources = ["arn:aws:s3:::ansible-bucket-${var.environment}/*"]
  }
}
# Deployment environment name. It is interpolated into the S3 bucket name
# below, so it must be usable in a DNS-compliant bucket name (lowercase
# letters, digits, hyphens).
variable "environment" {
  description = "Environment suffix appended to the Ansible S3 bucket name."
  type        = string
}
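# Ansible Vault password that is published to Secrets Manager next to the CI
# user's access key. Marked sensitive so Terraform redacts it from plan/apply
# output and from any output/log that interpolates it (needs Terraform >= 0.14).
# It is still written to the state file in clear text, so the state backend
# itself must be access-controlled.
variable "vaultpass" {
  description = "Ansible Vault password pushed to Secrets Manager for the CI job."
  type        = string
  sensitive   = true
}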
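# Private bucket that receives the Ansible artefacts uploaded by the CI user.
# NOTE(review): force_destroy = true lets `terraform destroy` delete every
# object in the bucket without further confirmation -- keep it only if the
# contents are disposable.
resource "aws_s3_bucket" "ansible_bucket" {
  bucket        = "ansible-bucket-${var.environment}"
  acl           = "private"
  force_destroy = true

  # Default encryption at rest with S3-managed keys. The original bucket set
  # no encryption configuration, so uploads were stored unencrypted unless the
  # client asked for SSE explicitly.
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }
}

# A private canned ACL does not prevent a later public object ACL or bucket
# policy (the CI user's "s3:PutObject*" wildcard includes s3:PutObjectAcl),
# so block public access at the bucket level as well.
resource "aws_s3_bucket_public_access_block" "ansible_bucket" {
  bucket = aws_s3_bucket.ansible_bucket.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}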
# Dedicated IAM user for the CircleCI upload job. Its only credential is the
# long-lived access key created below; it gets no console login profile here.
resource "aws_iam_user" "user" {
  name = "ansible-ci-upload"
}
# Long-lived access key for the CI user. Both halves end up in Terraform state
# in clear text (and in Secrets Manager below); rotation means replacing this
# resource, which also rewrites the secret version that embeds it.
resource "aws_iam_access_key" "ansible_repo" {
  user = aws_iam_user.user.name
}
# Customer-managed policy rendered from the policy document above. No name or
# name_prefix is set, so Terraform generates one; adding either later forces
# replacement of the policy.
resource "aws_iam_policy" "ci_user_s3_policy" {
  policy = data.aws_iam_policy_document.ci_user_s3_policy.json
}
# Attach the S3 policy straight to the CI user (no group is defined here).
resource "aws_iam_user_policy_attachment" "attach-policy" {
  policy_arn = aws_iam_policy.ci_user_s3_policy.arn
  user       = aws_iam_user.user.name
}
# Secrets Manager entry that will hold the CI user's access key pair and the
# Ansible Vault password (see the secret version below).
# NOTE(review): unlike the bucket, the name carries no ${var.environment}
# suffix, so applying this config for a second environment in the same
# account/region collides on this name. No kms_key_id is set, so the account's
# default aws/secretsmanager key is used; the deletion recovery window is left
# at the provider default.
resource "aws_secretsmanager_secret" "ansible_credentials" {
  name = "ansible-circleci-user-creds"
}
# Secrets Manager entry for the Ansible master SSH private key used for git
# access (populated by the "ansible_credentials_key" version below).
# NOTE(review): same per-environment name collision as the secret above --
# the name is not suffixed with ${var.environment}.
resource "aws_secretsmanager_secret" "ansible_git_credentials" {
  name = "ansible-git-creds"
}
# Publish the CI user's access key pair together with the Ansible Vault
# password as a single JSON document. jsonencode emits object keys in sorted
# order, so the attribute order below does not affect the stored value.
# NOTE(review): bundling the vault password with the AWS key means any
# principal allowed to GetSecretValue on this secret obtains both; keep them
# in separate secrets if they have different consumers.
resource "aws_secretsmanager_secret_version" "ansible_credentials" {
  secret_id = aws_secretsmanager_secret.ansible_credentials.id

  secret_string = jsonencode({
    vault_pass    = var.vaultpass
    access_secret = aws_iam_access_key.ansible_repo.secret
    access_key    = aws_iam_access_key.ansible_repo.id
  })
}
# Store the Ansible master SSH private key, read from the machine running
# terraform, as the value of the git-credentials secret.
# NOTE(review): the absolute /mnt/workspace path ties this config to one
# runner, and file() copies the entire PEM into Terraform state; a sensitive
# variable or a path built from path.root would be more portable.
resource "aws_secretsmanager_secret_version" "ansible_credentials_key" {
  secret_string = file("/mnt/workspace/AnsibleMaster.pem")
  secret_id     = aws_secretsmanager_secret.ansible_git_credentials.id
}