From ff7205a8cd910130bfda8cc839634f33f29fa124 Mon Sep 17 00:00:00 2001
From: smerle33
Date: Thu, 3 Oct 2024 11:05:03 +0200
Subject: [PATCH 1/6] feat(pipeline): using the infra-developer profile

---
 Jenkinsfile_k8s | 2 +-
 providers.tf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/Jenkinsfile_k8s b/Jenkinsfile_k8s
index eba60d8..26df399 100644
--- a/Jenkinsfile_k8s
+++ b/Jenkinsfile_k8s
@@ -3,7 +3,7 @@ if (env.BRANCH_IS_PRIMARY) {
 properties([pipelineTriggers([cron('@daily')])])
 }
 withEnv([
- "TF_VAR_aws_profile=default"
+ "TF_VAR_aws_profile=infra-developer"
 ]) {
 terraform(
 stagingCredentials: [
diff --git a/providers.tf b/providers.tf
index e66df9b..e601f25 100644
--- a/providers.tf
+++ b/providers.tf
@@ -1,6 +1,6 @@
 provider "aws" {
 region = "us-east-1"
- # profile = var.aws_profile
+ profile = var.aws_profile
 default_tags {
 tags = local.common_tags

From 96b3cd05062b65de74b21547618927d491c52c05 Mon Sep 17 00:00:00 2001
From: smerle33
Date: Thu, 3 Oct 2024 11:08:51 +0200
Subject: [PATCH 2/6] WIP

---
 providers.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/providers.tf b/providers.tf
index e601f25..e66df9b 100644
--- a/providers.tf
+++ b/providers.tf
@@ -1,6 +1,6 @@
 provider "aws" {
 region = "us-east-1"
- profile = var.aws_profile
+ # profile = var.aws_profile
 default_tags {
 tags = local.common_tags

From d499bf30c79ee280c2a3349ba4b104102bd4fbd6 Mon Sep 17 00:00:00 2001
From: smerle33
Date: Thu, 3 Oct 2024 14:20:59 +0200
Subject: [PATCH 3/6] wip with assume role

---
 providers.tf | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/providers.tf b/providers.tf
index e66df9b..7283b21 100644
--- a/providers.tf
+++ b/providers.tf
@@ -1,6 +1,9 @@
 provider "aws" {
 region = "us-east-1"
 # profile = var.aws_profile
+ assume_role {
+ role_arn = "arn:aws:iam::326712726440:role/infra-developer"
+ }
 default_tags {
 tags = local.common_tags

From 29757fdb944b7be10eb0f2ac255f9cfda401ce9e Mon Sep 17 00:00:00 2001
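Review bot: The profile name `infra-developer` is hard-wired into the pipeline environment, yet nothing in this hunk guarantees that a shared-config profile of that name exists on the Jenkins agent, and the same `terraform()` call still injects static `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` from Jenkins credentials while the providers.tf hunk of this patch switches `profile = var.aws_profile` on. In my experience the AWS provider errors at initialization when a named profile cannot be found rather than falling back to environment keys, and which source wins when both are present is not visible from here, so the intended credential path deserves a comment next to `withEnv`, for example `// infra-developer must exist in the agent's shared AWS config; see providers.tf for how it combines with the injected keys`. Patch 5/6 of this series reverts both of these hunks, so squashing the series would leave only the packer-user removal and the fmt change in history.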
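Review bot: The `assume_role` block added in patch 3/6 embeds the full role ARN, including the 12-digit account ID, as a literal in providers.tf instead of taking it from an input variable, and nothing records which identity is expected to perform the `sts:AssumeRole` call now that the `profile` line above it is commented out. Whatever static keys the pipeline injects would need permission to assume that role and the role's trust policy would have to name them; neither is touched by this series, so the hunk as written is likely to fail at provider initialization (the trust policy is not visible here, so this is inferred). A variable declared alongside the existing `aws_profile`, e.g. `role_arn = var.aws_assume_role_arn`, with a one-line comment stating who is allowed to assume it, would keep the account ID out of the code and make the WIP intent reviewable. Patch 5/6 removes this block again, so the commit could simply be dropped from the series.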
From: smerle33
Date: Thu, 3 Oct 2024 15:52:58 +0200
Subject: [PATCH 4/6] feat(packer-user) remove as migrated to terraform-states

---
 packer-resources.tf | 100 --------------------------------------------
 1 file changed, 100 deletions(-)
 delete mode 100644 packer-resources.tf

diff --git a/packer-resources.tf b/packer-resources.tf
deleted file mode 100644
index a99adc8..0000000
--- a/packer-resources.tf
+++ /dev/null
@@ -1,100 +0,0 @@
-resource "aws_iam_user" "terraform_packer_user" {
- name = "terraform-packer-user"
-
- tags = {
- scope = "terraform-managed"
- }
-}
-
-resource "aws_iam_access_key" "terraform_packer_api_keys" {
- user = aws_iam_user.terraform_packer_user.name
- # TODO CHECK WITH DAMIEN No pgp_key provided: the secret value is unencrypted in the state file (which is fine: we encrypt the state file here with sops)
-}
-
-resource "aws_iam_policy" "packer" {
- name = "packer.iam_policy"
- path = "/"
- description = "IAM Policy to allow packer user usage on AWS"
-
- policy = data.aws_iam_policy_document.packer.json
-}
-
-data "aws_iam_policy_document" "packer" {
- statement {
- sid = "ec2"
- effect = "Allow"
-
- actions = [
- "ec2:AllocateAddress",
- "ec2:AssignPrivateIpAddresses",
- "ec2:Associate*",
- "ec2:AttachInternetGateway",
- "ec2:AttachNetworkInterface",
- "ec2:AuthorizeSecurityGroupEgress",
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:CreateDefaultSubnet",
- "ec2:CreateDhcpOptions",
- "ec2:CreateEgressOnlyInternetGateway",
- "ec2:CreateInternetGateway",
- "ec2:CreateKeyPair",
- "ec2:CreateLaunchTemplate",
- "ec2:CreateLaunchTemplateVersion",
- "ec2:CreateNatGateway",
- "ec2:CreateNetworkInterface",
- "ec2:CreateRoute",
- "ec2:CreateRouteTable",
- "ec2:CreateSecurityGroup",
- "ec2:CreateSubnet",
- "ec2:CreateTags",
- "ec2:CreateVolume",
- "ec2:CreateVpc",
- "ec2:CreateVpcEndpoint",
- "ec2:DeleteDhcpOptions",
- "ec2:DeleteEgressOnlyInternetGateway",
- "ec2:DeleteInternetGateway",
- "ec2:DeleteKeyPair",
- "ec2:DeleteLaunchTemplate",
- "ec2:DeleteLaunchTemplateVersions",
- "ec2:DeleteNatGateway",
- "ec2:DeleteNetworkInterface",
- "ec2:DeleteRoute",
- "ec2:DeleteRouteTable",
- "ec2:DeleteSecurityGroup",
- "ec2:DeleteSubnet",
- "ec2:DeleteTags",
- "ec2:DeleteVolume",
- "ec2:DeleteVpc",
- "ec2:DeleteVpnGateway",
- "ec2:Describe*",
- "ec2:DescribeKeyPairs",
- "ec2:DescribeLaunchTemplates",
- "ec2:DescribeLaunchTemplateVersions",
- "ec2:DetachInternetGateway",
- "ec2:DetachNetworkInterface",
- "ec2:DetachVolume",
- "ec2:Disassociate*",
- "ec2:GetLaunchTemplateData",
- "ec2:ImportKeyPair",
- "ec2:ModifyLaunchTemplate",
- "ec2:ModifyNetworkInterfaceAttribute",
- "ec2:ModifySubnetAttribute",
- "ec2:ModifyVpcAttribute",
- "ec2:ModifyVpcEndpoint",
- "ec2:ReleaseAddress",
- "ec2:RevokeSecurityGroupEgress",
- "ec2:RevokeSecurityGroupIngress",
- "ec2:RunInstances",
- "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
- "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
- ]
-
- # TODO: list all resources and remove the tfsec ignore rule
- #tfsec:ignore:AWS099
- resources = ["*"]
- }
-}
-
-resource "aws_iam_user_policy_attachment" "allow_packer_user" {
- user = resource.aws_iam_user.terraform_packer_user.name
- policy_arn = aws_iam_policy.packer.arn
-}

From 25d417b2f23505b7dd4167513e6a57311be76290 Mon Sep 17 00:00:00 2001
From: smerle33
Date: Thu, 3 Oct 2024 15:54:34 +0200
Subject: [PATCH 5/6] back to default

---
 Jenkinsfile_k8s | 33 +++++++++++++++------------------
 providers.tf | 3 ---
 2 files changed, 15 insertions(+), 21 deletions(-)

diff --git a/Jenkinsfile_k8s b/Jenkinsfile_k8s
index 26df399..124c9a1 100644
--- a/Jenkinsfile_k8s
+++ b/Jenkinsfile_k8s
@@ -2,22 +2,19 @@ if (env.BRANCH_IS_PRIMARY) {
 // Only trigger a daily check on the principal branch
 properties([pipelineTriggers([cron('@daily')])])
 }
-withEnv([
- "TF_VAR_aws_profile=infra-developer"
-]) {
- terraform(
- stagingCredentials: [
- string(variable: 'AWS_ACCESS_KEY_ID', credentialsId: 'staging-terraform-aws-sponsorship-access-key'),
- string(variable: 'AWS_SECRET_ACCESS_KEY', credentialsId:'staging-terraform-aws-sponsorship-secret-key'),
- file(variable: 'BACKEND_CONFIG_FILE', credentialsId: 'staging-terraform-aws-sponsorship-backend-config'),
- ],
- productionCredentials: [
- string(variable: 'AWS_ACCESS_KEY_ID', credentialsId: 'production-terraform-aws-sponsorship-access-key'),
- string(variable: 'AWS_SECRET_ACCESS_KEY', credentialsId:'production-terraform-aws-sponsorship-secret-key'),
- file(variable: 'BACKEND_CONFIG_FILE', credentialsId: 'production-terraform-aws-sponsorship-backend-config'),
- ],
- // TODO: generate a local report to be published
- // publishReports: ['jenkins-infra-data-reports/aws-sponsorship.json'],
- )
-}
+terraform(
+ stagingCredentials: [
+ string(variable: 'AWS_ACCESS_KEY_ID', credentialsId: 'staging-terraform-aws-sponsorship-access-key'),
+ string(variable: 'AWS_SECRET_ACCESS_KEY', credentialsId:'staging-terraform-aws-sponsorship-secret-key'),
+ file(variable: 'BACKEND_CONFIG_FILE', credentialsId: 'staging-terraform-aws-sponsorship-backend-config'),
+ ],
+ productionCredentials: [
+ string(variable: 'AWS_ACCESS_KEY_ID', credentialsId: 'production-terraform-aws-sponsorship-access-key'),
+ string(variable: 'AWS_SECRET_ACCESS_KEY', credentialsId:'production-terraform-aws-sponsorship-secret-key'),
+
+ file(variable: 'BACKEND_CONFIG_FILE', credentialsId: 'production-terraform-aws-sponsorship-backend-config'),
+ ],
+ // TODO: generate a local report to be published
+ // publishReports: ['jenkins-infra-data-reports/aws-sponsorship.json'],
+)
diff --git a/providers.tf b/providers.tf
index 7283b21..e66df9b 100644
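Review bot: The rebuilt `productionCredentials` list carries a stray empty added line between the `AWS_SECRET_ACCESS_KEY` string entry and the `BACKEND_CONFIG_FILE` file entry, which the `stagingCredentials` list directly above does not have; drop that blank `+` line so the two credential lists are formatted identically. Apart from that line the hunk is a revert of the `withEnv` wrapper introduced in patch 1/6 (re-indentation cannot be checked in this collapsed view), so the net effect of the series on this file is nil and the two commits could be squashed out of the history. The `if (env.BRANCH_IS_PRIMARY)` block at the top of the file starts above the hunk header, while the `terraform(` call itself is fully visible.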
--- a/providers.tf
+++ b/providers.tf
@@ -1,9 +1,6 @@
 provider "aws" {
 region = "us-east-1"
 # profile = var.aws_profile
- assume_role {
- role_arn = "arn:aws:iam::326712726440:role/infra-developer"
- }
 default_tags {
 tags = local.common_tags

From 920ac48c46a3fe11e951ef77199f2761bfb19f77 Mon Sep 17 00:00:00 2001
From: smerle33
Date: Thu, 3 Oct 2024 15:57:01 +0200
Subject: [PATCH 6/6] terraform fmt -recursive

---
 providers.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/providers.tf b/providers.tf
index e66df9b..5162abd 100644
--- a/providers.tf
+++ b/providers.tf
@@ -1,5 +1,5 @@
 provider "aws" {
- region = "us-east-1"
+ region = "us-east-1"
 # profile = var.aws_profile
 default_tags {