credstash bundled in the module

Author: leventyalcin

README.md

@@ -1,8 +1,5 @@
-# Warning
-This module has not been tested yet. Start to use after it is tagged.
-
 # Overview
-This module setups a VPN server for a VPC to connect to instances
+This module setups a VPN server for a VPC to connect to instances.
 
 *Before you start to use the module you have to make sure you've created resources below*
 
@@ -14,6 +11,8 @@ After provisioning, don't forget to run commands below:
   * `export BACKUP_ENCRYPTION_KEY=$(uuidgen)`
   * `credstash -r REGION -t CREDSTASH_TABLE_NAME put -k alias/CREDSTASH_TABLE_NAME BACKUP_ENCRYPTION_KEY $BACKUP_ENCRYPTION_KEY`
   * `credstash -r REGION -t CREDSTASH_TABLE_NAME put -k alias/CREDSTASH_TABLE_NAME HEALTHCHECKS_IO_KEY CHANGEME-WITH-THE-KEY-FROM-HEALTHCHECKS-IO`
+* **Pritunl setup**
+  * `sudo pritunl setup-key`
 
 # Input variables
 
@@ -37,27 +36,18 @@ After provisioning, don't forget to run commands below:
 # Usage
 
 ```
-provider "aws" {
-  region     = "eu-west-1"
-}
 
-data "aws_caller_identity" "current" { }
-
-module "credstash" {
-  source         = "github.com/opsgang/terraform_credstash?ref=1.0.0"
-
-  product        = "vpn"
-  env            = "dev"
-  aws_account_id = "${data.aws_caller_identity.current.account_id}"
+provider "aws" {
+	region="eu-west-1"
 }
 
 module "app_pritunl" {
   source           = "github.com/opsgang/terraform_pritunl?ref=1.0.0"
 
-  aws_key_name     = "vpn-ssh-key"
-  vpc_id           = "vpc-99999999"
-  public_subnet_id = "subnet-99999999"
-  ami_id           = "ami-99999999"
+  aws_key_name     = "org-eu-west-1"
+  vpc_id           = "${module.vpc.vpc_id}"
+  public_subnet_id = "${module.vpc.public_subnets[1]}"
+  ami_id           = "ami-01ccc867"
   instance_type    = "t2.small"
   office_ip_cidrs  = [
                       "8.8.8.8/32"

main.tf

@@ -2,19 +2,105 @@ data "aws_region" "current" {
   current = true
 }
 
+data "aws_caller_identity" "current" {}
+
 data "template_file" "user_data" {
   template = "${file("${path.module}/templates/user_data.sh.tpl")}"
 
   vars {
-    aws_region           = "${aws_region.current.name}"
+    aws_region           = "${data.aws_region.current.name}"
     s3_backup_bucket     = "${var.tag_product}-${var.tag_env}-backup"
     credstash_table_name = "credstash-${var.tag_product}-${var.tag_env}"
   }
 }
 
+data "template_file" "credstash_policy" {
+    template = "${file("${path.module}/templates/key_policy.json.tpl")}"
+
+    vars {
+      tag_product   = "${var.tag_product}"
+      tag_env       = "${var.tag_env}"
+      key_admin_arn = "${aws_iam_role.role.arn}"
+      account_id    = "${data.aws_caller_identity.current.account_id}"
+    }
+}
+
+data "template_file" "iam_instance_role_policy" {
+    template = "${file("${path.module}/templates/iam_instance_role_policy.json.tpl")}"
+
+    vars {
+      tag_product      = "${var.tag_product}"
+      tag_env          = "${var.tag_product}"
+      db_credstash_arn = "${aws_dynamodb_table.db_credstash.arn}"
+    }
+}
+
+resource "aws_dynamodb_table" "db_credstash" {
+  name           = "credstash-${var.tag_product}-${var.tag_env}"
+  read_capacity  = 1
+  write_capacity = 1
+  hash_key       = "name"
+  range_key      = "version"
+
+  attribute {
+    name = "name"
+    type = "S"
+  }
+
+  attribute {
+    name = "version"
+    type = "S"
+  }
+
+  tags {
+    Name    = "credstash-${var.tag_product}-${var.tag_env}"
+    product = "${var.tag_product}"
+    env     = "${var.tag_env}"
+    purpose = "${var.tag_purpose}"
+    role    = "${var.tag_role}"
+  }
+}
+
+resource "null_resource" "waiter" {
+
+  depends_on = ["aws_iam_instance_profile.ec2_profile"]
+
+  provisioner "local-exec" {
+    command = "sleep 15"
+  }
+}
+
+resource "aws_kms_key" "credstash" {
+
+  depends_on              = ["null_resource.waiter"]
+
+  description             = "Credstash space for ${var.tag_product}-${var.tag_env}"
+  #policy                  = "${data.template_file.credstash_policy.rendered}"
+  policy                  = "${data.template_file.credstash_policy.rendered}"
+  deletion_window_in_days = 7
+  is_enabled              = true
+  enable_key_rotation     = true
+
+  tags {
+    Name    = "credstash-${var.tag_product}-${var.tag_env}"
+    product = "${var.tag_product}"
+    env     = "${var.tag_env}"
+    purpose = "${var.tag_purpose}"
+    role    = "${var.tag_role}"
+  }
+}
+
+resource "aws_kms_alias" "credstash" {
+
+  depends_on    = ["aws_kms_key.credstash"]
+
+  name          = "alias/credstash-${var.tag_product}-${var.tag_env}"
+  target_key_id = "${aws_kms_key.credstash.key_id}"
+}
+
 resource "aws_s3_bucket" "backup" {
   bucket = "${var.tag_product}-${var.tag_env}-backup"
-  acl = "private"
+  acl    = "private"
 
   lifecycle_rule {
     prefix  = "backups"
@@ -62,104 +148,15 @@ resource "aws_iam_role_policy" "policy" {
 
   name   = "${var.tag_product}-${var.tag_env}"
   role   = "${aws_iam_role.role.id}"
-  policy = <<EOF
-{
-    "Version": "2012-10-17",
-    "Statement": [
-      {
-          "Effect": "Allow",
-          "Action": [
-              "kms:*",
-              "dynamodb:*"
-          ],
-          "Resource": "*"
-      },
-      {
-        "Effect": "Allow",
-        "Action": [
-          "s3:ListBucket",
-          "s3:GetBucketLocation"
-        ],
-        "Resource": [ "arn:aws:s3:::${var.tag_product}-${var.tag_env}-backup" ]
-      },
-      {
-        "Effect": "Allow",
-        "Action": [
-          "s3:AbortMultipartUpload",
-          "s3:PutObject*",
-          "s3:Get*",
-          "s3:List*",
-          "s3:DeleteObject"
-        ],
-        "Resource": [ "arn:aws:s3:::${var.tag_product}-${var.tag_env}-backup/*" ]
-      },
-      {
-        "Effect": "Allow",
-        "Action": [
-            "ssm:DescribeAssociation",
-            "ssm:GetDocument",
-            "ssm:ListAssociations",
-            "ssm:UpdateAssociationStatus",
-            "ssm:UpdateInstanceInformation"
-        ],
-        "Resource": "*"
-      },
-      {
-          "Effect": "Allow",
-          "Action": [
-              "ec2messages:AcknowledgeMessage",
-              "ec2messages:DeleteMessage",
-              "ec2messages:FailMessage",
-              "ec2messages:GetEndpoint",
-              "ec2messages:GetMessages",
-              "ec2messages:SendReply"
-          ],
-          "Resource": "*"
-      },
-      {
-          "Effect": "Allow",
-          "Action": [
-              "cloudwatch:PutMetricData"
-          ],
-          "Resource": "*"
-      },
-      {
-          "Effect": "Allow",
-          "Action": [
-              "ec2:DescribeInstanceStatus"
-          ],
-          "Resource": "*"
-      },
-      {
-          "Effect": "Allow",
-          "Action": [
-              "ds:CreateComputer",
-              "ds:DescribeDirectories"
-          ],
-          "Resource": "*"
-      },
-      {
-          "Effect": "Allow",
-          "Action": [
-              "logs:CreateLogGroup",
-              "logs:CreateLogStream",
-              "logs:DescribeLogGroups",
-              "logs:DescribeLogStreams",
-              "logs:PutLogEvents"
-          ],
-          "Resource": "*"
-      }
-    ]
-}
-EOF
+  policy = "${data.template_file.iam_instance_role_policy.rendered}"
 }
 
 resource "aws_iam_instance_profile" "ec2_profile" {
 
   depends_on = ["aws_iam_role.role", "aws_iam_role_policy.policy"]
 
-  name  = "${var.tag_product}-${var.tag_env}"
-  roles = ["${aws_iam_role.role.name}"]
+  name = "${var.tag_product}-${var.tag_env}"
+  role = "${aws_iam_role.role.name}"
 }
 
 resource "aws_security_group" "pritunl" {

templates/iam_instance_role_policy.json.tpl

@@ -0,0 +1,90 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Action": [
+          "dynamodb:PutItem",
+          "dynamodb:GetItem",
+          "dynamodb:Query",
+          "dynamodb:Scan"
+        ],
+        "Effect": "Allow",
+        "Resource": "${db_credstash_arn}"
+      },
+      {
+        "Effect": "Allow",
+        "Action": [
+          "s3:ListBucket",
+          "s3:GetBucketLocation"
+        ],
+        "Resource": [ "arn:aws:s3:::${tag_product}-${tag_env}-backup" ]
+      },
+      {
+        "Effect": "Allow",
+        "Action": [
+          "s3:AbortMultipartUpload",
+          "s3:PutObject*",
+          "s3:Get*",
+          "s3:List*",
+          "s3:DeleteObject"
+        ],
+        "Resource": [ "arn:aws:s3:::${tag_product}-${tag_env}-backup/*" ]
+      },
+      {
+        "Effect": "Allow",
+        "Action": [
+            "ssm:DescribeAssociation",
+            "ssm:GetDocument",
+            "ssm:ListAssociations",
+            "ssm:UpdateAssociationStatus",
+            "ssm:UpdateInstanceInformation"
+        ],
+        "Resource": "*"
+      },
+      {
+          "Effect": "Allow",
+          "Action": [
+              "ec2messages:AcknowledgeMessage",
+              "ec2messages:DeleteMessage",
+              "ec2messages:FailMessage",
+              "ec2messages:GetEndpoint",
+              "ec2messages:GetMessages",
+              "ec2messages:SendReply"
+          ],
+          "Resource": "*"
+      },
+      {
+          "Effect": "Allow",
+          "Action": [
+              "cloudwatch:PutMetricData"
+          ],
+          "Resource": "*"
+      },
+      {
+          "Effect": "Allow",
+          "Action": [
+              "ec2:DescribeInstanceStatus"
+          ],
+          "Resource": "*"
+      },
+      {
+          "Effect": "Allow",
+          "Action": [
+              "ds:CreateComputer",
+              "ds:DescribeDirectories"
+          ],
+          "Resource": "*"
+      },
+      {
+          "Effect": "Allow",
+          "Action": [
+              "logs:CreateLogGroup",
+              "logs:CreateLogStream",
+              "logs:DescribeLogGroups",
+              "logs:DescribeLogStreams",
+              "logs:PutLogEvents"
+          ],
+          "Resource": "*"
+      }
+    ]
+}