Wednesday, 22 December 2021

Terraform: an IAM user whose credentials are stored in AWS Secrets Manager

 data "aws_iam_policy_document" "ci_user_s3_policy" {

  statement {

    actions = [

      "s3:DeleteObject",

      "s3:DeleteObjectTagging",

      "s3:DeleteObjectVersion",

      "s3:DeleteObjectVersionTagging",

      "s3:ListBucket",

      "s3:GetObject*",

      "s3:PutObject*",

      "s3:ReplicateObject",

      "s3:RestoreObject"

    ]

    resources = [

      "arn:aws:s3:::ansible-bucket-${var.environment}/*",

      "arn:aws:s3:::ansible-bucket-${var.environment}"

    ]

  }

}

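# Deployment environment name; used as the suffix of the ansible bucket name.
variable "environment" {
  type        = string
  description = "Environment suffix appended to the ansible bucket name (e.g. dev, prod)."
}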


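# Ansible Vault password that is written into the Secrets Manager secret.
# Marked sensitive (Terraform >= 0.14) so it is redacted from plan/apply
# output. It is still stored in plaintext in the state file, so the state
# backend must be protected accordingly.
variable "vaultpass" {
  type        = string
  description = "Ansible Vault password stored alongside the CI user's access key."
  sensitive   = true
}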


# Bucket the CI user uploads to; its name is derived from var.environment.
# No versioning, server-side encryption or public-access-block settings are
# declared in this block - add them if the uploaded content needs them.
resource "aws_s3_bucket" "ansible_bucket" {

  bucket        = "ansible-bucket-${var.environment}"

  acl           = "private"

  # force_destroy lets `terraform destroy` remove the bucket even while it
  # still contains objects; everything in it is deleted without a prompt.
  force_destroy = true

}


# IAM user used by CI to upload to the ansible bucket. It only receives the
# S3 policy attached below; no console access or other permissions are
# declared here.
resource "aws_iam_user" "user" {

  name = "ansible-ci-upload"

}


# Access key for the CI user. No pgp_key is set, so the secret half is
# available as .secret (read by the Secrets Manager version below) and is
# kept in plaintext in Terraform state. Replacing this resource rotates the
# key.
resource "aws_iam_access_key" "ansible_repo" {

  user = aws_iam_user.user.name

}


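# Managed policy carrying the S3 permissions for the CI upload user.
# An explicit name is set so the policy is recognisable in the IAM console
# and in audit logs; without one the provider generates a random name.
# NOTE: adding a name to an already-applied policy forces its replacement.
resource "aws_iam_policy" "ci_user_s3_policy" {
  name        = "ansible-ci-upload-s3"
  description = "S3 access to the ansible bucket for the ansible-ci-upload user"
  policy      = data.aws_iam_policy_document.ci_user_s3_policy.json
}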


# Binds the S3 policy to the CI user. (The label uses a hyphen while the
# other resources use underscores; it is part of the resource address, so
# renaming it would require a state move.)
resource "aws_iam_user_policy_attachment" "attach-policy" {

  user       = aws_iam_user.user.name

  policy_arn = aws_iam_policy.ci_user_s3_policy.arn

}


# Secret container for the CI user's access key and vault password; the
# value is set by the aws_secretsmanager_secret_version below.
# No kms_key_id or recovery_window_in_days is set here, so the provider
# defaults apply.
resource "aws_secretsmanager_secret" "ansible_credentials" {

  name = "ansible-circleci-user-creds"

}


# Secret container for the git private key; the value is set by the
# ansible_credentials_key secret version below.
# No kms_key_id or recovery_window_in_days is set here, so the provider
# defaults apply.
resource "aws_secretsmanager_secret" "ansible_git_credentials" {

  name = "ansible-git-creds"

}


# Writes the CI user's credentials as one JSON object into the
# ansible-circleci-user-creds secret. All three values (access key id,
# secret access key, vault password) also end up in Terraform state.
resource "aws_secretsmanager_secret_version" "ansible_credentials" {

  secret_id = aws_secretsmanager_secret.ansible_credentials.id

  # Keys of this object are the field names consumers must read.
  secret_string = jsonencode({

    access_key    = aws_iam_access_key.ansible_repo.id

    access_secret = aws_iam_access_key.ansible_repo.secret

    vault_pass    = var.vaultpass

  })

}


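# Path (on the machine running terraform) to the private key that is
# uploaded as the git credential secret. Parameterised so CI and local runs
# can point at different locations; the default matches the previously
# hard-coded path, so existing runs behave the same.
variable "git_key_path" {
  type        = string
  description = "Local path of the private key stored in the ansible-git-creds secret."
  default     = "/mnt/workspace/AnsibleMaster.pem"
}

# Stores the private key file's contents as the value of the
# ansible-git-creds secret. file() reads the key when the plan is built, and
# the full key material is written to Terraform state in plaintext.
resource "aws_secretsmanager_secret_version" "ansible_credentials_key" {
  secret_id     = aws_secretsmanager_secret.ansible_git_credentials.id
  secret_string = file(var.git_key_path)
}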
