This commit is contained in:
havelight-ee
2023-05-11 13:55:28 +09:00
parent 55d4828037
commit 2d70373907
1390 changed files with 0 additions and 1398 deletions


@@ -0,0 +1,36 @@
provider "aws" {
region = "ap-northeast-2"
}
resource "aws_s3_bucket" "druid-prod" {
bucket = "druid.kr.datasaker.io"
tags = {
Name = "druid.kr.datasaker.io"
}
}
resource "aws_iam_user" "druid-s3-prod" {
name = "druid-s3-prod"
}
resource "aws_iam_user_policy" "druid-s3-policy" {
name = "druid-s3-policy"
user = aws_iam_user.druid-s3-prod.name
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:*",
"s3-object-lambda:*"
],
"Resource": "*"
}
]
}
EOF
}
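Review bot: The `policy` heredoc of `aws_iam_user_policy.druid-s3-policy` grants `s3:*` and `s3-object-lambda:*` on `"Resource": "*"`, so the `druid-s3-prod` user can read, write and delete every bucket in the account rather than only `druid.kr.datasaker.io`. The heredoc is interpolated, so it can be scoped to the bucket and its objects with `"Resource": ["${aws_s3_bucket.druid-prod.arn}", "${aws_s3_bucket.druid-prod.arn}/*"]`, and the action list trimmed to what the Druid storage client actually needs (presumably Get/Put/Delete/List — confirm against the Druid config). The bucket itself has no accompanying `aws_s3_bucket_public_access_block`, `aws_s3_bucket_versioning` or `aws_s3_bucket_server_side_encryption_configuration` resource in this file, and the state snapshots in the two following sections record versioning disabled and an empty encryption configuration. Those `terraform.tfstate` files also carry the account id and IAM unique ids and belong in a remote backend rather than in version control. The hunk header marks these lines as added while the commit summary reports only deletions; if the file is in fact being removed, the point is historical.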


@@ -0,0 +1,118 @@
{
"version": 4,
"terraform_version": "1.3.1",
"serial": 8,
"lineage": "88958e46-0322-1f4d-59ba-b9b62c65d924",
"outputs": {},
"resources": [
{
"mode": "managed",
"type": "aws_iam_user",
"name": "druid-s3-prod",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"arn": "arn:aws:iam::508259851457:user/druid-s3-prod",
"force_destroy": false,
"id": "druid-s3-prod",
"name": "druid-s3-prod",
"path": "/",
"permissions_boundary": null,
"tags": {},
"tags_all": {},
"unique_id": "AIDAXMVVF3TAQSOASXJXC"
},
"sensitive_attributes": [],
"private": "bnVsbA=="
}
]
},
{
"mode": "managed",
"type": "aws_iam_user_policy",
"name": "druid-s3-policy",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"id": "druid-s3-prod:druid-s3-policy",
"name": "druid-s3-policy",
"name_prefix": null,
"policy": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"s3:*\",\n \"s3-object-lambda:*\"\n ],\n \"Resource\": \"*\"\n }\n ]\n}\n",
"user": "druid-s3-prod"
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"aws_iam_user.druid-s3-prod"
]
}
]
},
{
"mode": "managed",
"type": "aws_s3_bucket",
"name": "druid-prod",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"acceleration_status": "",
"acl": null,
"arn": "arn:aws:s3:::druid.kr.datasaker.io",
"bucket": "druid.kr.datasaker.io",
"bucket_domain_name": "druid.kr.datasaker.io.s3.amazonaws.com",
"bucket_prefix": null,
"bucket_regional_domain_name": "druid.kr.datasaker.io.s3.ap-northeast-2.amazonaws.com",
"cors_rule": [],
"force_destroy": false,
"grant": [
{
"id": "132b0c7dc035122c1c1265a1678d5ec5dcb37d81b08544f029b8cf3f659ecad3",
"permissions": [
"FULL_CONTROL"
],
"type": "CanonicalUser",
"uri": ""
}
],
"hosted_zone_id": "Z3W03O7B5YMIYP",
"id": "druid.kr.datasaker.io",
"lifecycle_rule": [],
"logging": [],
"object_lock_configuration": [],
"object_lock_enabled": false,
"policy": "",
"region": "ap-northeast-2",
"replication_configuration": [],
"request_payer": "BucketOwner",
"server_side_encryption_configuration": [],
"tags": {
"Name": "druid.kr.datasaker.io"
},
"tags_all": {
"Name": "druid.kr.datasaker.io"
},
"timeouts": null,
"versioning": [
{
"enabled": false,
"mfa_delete": false
}
],
"website": [],
"website_domain": null,
"website_endpoint": null
},
"sensitive_attributes": [],
"private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxMjAwMDAwMDAwMDAwLCJkZWxldGUiOjM2MDAwMDAwMDAwMDAsInJlYWQiOjEyMDAwMDAwMDAwMDAsInVwZGF0ZSI6MTIwMDAwMDAwMDAwMH19"
}
]
}
],
"check_results": []
}


@@ -0,0 +1,57 @@
{
"version": 4,
"terraform_version": "1.3.1",
"serial": 4,
"lineage": "88958e46-0322-1f4d-59ba-b9b62c65d924",
"outputs": {},
"resources": [
{
"mode": "managed",
"type": "aws_iam_user",
"name": "druid-s3-prod",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"arn": "arn:aws:iam::508259851457:user/druid-s3-prod",
"force_destroy": false,
"id": "druid-s3-prod",
"name": "druid-s3-prod",
"path": "/",
"permissions_boundary": null,
"tags": null,
"tags_all": {},
"unique_id": "AIDAXMVVF3TAQSOASXJXC"
},
"sensitive_attributes": [],
"private": "bnVsbA=="
}
]
},
{
"mode": "managed",
"type": "aws_iam_user_policy",
"name": "druid-s3-policy",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"id": "druid-s3-prod:druid-s3-policy",
"name": "druid-s3-policy",
"name_prefix": null,
"policy": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"s3:*\",\n \"s3-object-lambda:*\"\n ],\n \"Resource\": \"*\"\n }\n ]\n}\n",
"user": "druid-s3-prod"
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"aws_iam_user.druid-s3-prod"
]
}
]
}
],
"check_results": []
}


@@ -0,0 +1,44 @@
# This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.
provider "registry.terraform.io/hashicorp/archive" {
version = "1.3.0"
constraints = "~> 1.3"
hashes = [
"h1:T3DszgOa/75SiiONgEDRujpN5rSqIw9TvFZXHjpqMB4=",
"zh:115aa6bc7825402a8d4e2e954378a9f48e4fdbeabe081ffd04e0a2f6786159bb",
"zh:21f731ffac20a67615c64a7a8a96949c971ee28ffd5807d8c299faba73b5e273",
"zh:2e81b58e141b175cbf801ade5e87c5db4cb28933216b0547ef32c95500385904",
"zh:3acbb96fd142b4d193dc18861340281249301368029169e346d15410d0572492",
"zh:4346edee0dfe97154b6f28d9ef0fa762131db92b78bbd1b3207945201cb59818",
"zh:93916a84cc6ff6778456dd170a657326c4dd3a86b4434e424a66a87c2535b888",
"zh:ade675c3ac8b9ec91131bac5881fbd4efad46a3683f2fea2efb9493a2c1b9ffb",
"zh:b0a0cb13fc850903aa7a057ae7e06366939b8f347926dce1137cd47b9123ad93",
"zh:d6d838cceffb7f3ff27fb9b51d78fccdef15bd32408f33a726556bfe66315bd3",
"zh:ddc4ac6aea6537f8096ffeb8ff3bca355f0972793184e0f6df120aa6460b4446",
"zh:e0d1213625d40d124bd9570f0d92907416f8d61bc8c389c776e72c0a97020cce",
"zh:eb707b69f9093b97d98e2dece9822852a27849dd1627d35302e8d6b9801407ef",
]
}
provider "registry.terraform.io/hashicorp/aws" {
version = "4.57.1"
hashes = [
"h1:rqJN5HwMnJtHIvIzublREIxUibBFYIKyeQcgOov4DUQ=",
"zh:44200c213ddb138df80d2a5ad86c2ebadbb5fd1d08cd7e4fc56ec6dca927659b",
"zh:469e6fe6a9e99e60cb168d32f05e2e9a83cf161f39160d075ff96f7674c510e1",
"zh:6110ba2c15a2268652ec9ea3797dd0216de84ece428055c49eaf9caa2be1ed62",
"zh:62ed7348acca44f64fc087e879e01cfa4e084c7600cc91e8bb7683f8065a9c79",
"zh:7a80e6fa9b35be178bb566093f7984dd6ffb7ad9d40b9dd5d5907f054f0c3e60",
"zh:8793043c8575a598c1a7cbefcb65ee1776b0061eba719098e552a3adc88f3090",
"zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
"zh:a777a0082114e273b7b3eb14095a3f6f6e703c1aff61ffb1f0846bb869e6dfc7",
"zh:b060c3b2973097f2087a98ac6aad7c9c89fe80f7cf3027019049feafc3f8305b",
"zh:e7035e74563f4486848ea1feb60852175353790bc374e0e97e241a88dc0908f7",
"zh:eaaa8e9eba09ada41e13116d53d4baece04fead8fcf3eab68cca3a67ed738e18",
"zh:ec52d8f95a84fad8fe1aae169c89d0c54d5401f75caae0869ad8182c6b6db65b",
"zh:f0e33174025b1b57ecfbdd09f2a59c2559ee94d7681e5ae09079e2822ec54ecf",
"zh:f69790a21380e5aab9303a252564737333e1e95b5d25567681630e49b17e3ec7",
"zh:ff6053942c40a99904bd407f3c082c1fa8f927ecce0374566eb7e8ee8145e582",
]
}


@@ -0,0 +1,22 @@
resource "aws_iam_user" "dev2" {
name = "dev2-read"
}
resource "aws_iam_access_key" "dev2_access_key" {
user = aws_iam_user.dev2.name
}
resource "aws_iam_user_login_profile" "dev2_login_profile" {
user = aws_iam_user.dev2.name
password_reset_required = true
}
data "aws_iam_policy" "read-only" {
arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}
resource "aws_iam_policy_attachment" "attach-read-only-policy" {
name = "ReadOnlyAccessAttachment"
policy_arn = data.aws_iam_policy.read-only.arn
users = [aws_iam_user.dev2.name]
}
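Review bot: `aws_iam_access_key.dev2_access_key` and `aws_iam_user_login_profile.dev2_login_profile` are declared without a `pgp_key`, so the generated secret access key and console password are written in plaintext into the Terraform state. Set `pgp_key` on both resources (a base64-encoded public key or `keybase:<username>`) so only the encrypted values reach state, or issue these credentials out of band. Separately, `aws_iam_policy_attachment` is exclusive: it detaches `ReadOnlyAccess` from every user, group or role not listed in this one resource, which is hazardous for an AWS-managed policy shared across the account; `aws_iam_user_policy_attachment` with `user = aws_iam_user.dev2.name` and `policy_arn = data.aws_iam_policy.read-only.arn` attaches it to this user only.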


@@ -0,0 +1,10 @@
provider "aws" {
region = "ap-northeast-2"
}
terraform {
required_providers {
archive = "~> 1.3"
}
}



@@ -0,0 +1,35 @@
#---------------------------------------------------------------#
# Network ID
variable "VPC_ID" {
default = "vpc-00ba2b0e9ad59f0ed"
}
variable "Network_CIDR" {
default = "172.24.0.0/19"
}
variable "Private_Subnet_ID_1" {
default = "subnet-024f0deda82039fa4"
}
variable "Private_Subnet_ID_2" {
default = "subnet-050d942fa1c46540a"
}
variable "Private_Subnet_ID_3" {
default = "subnet-0946eb806af7377be"
}
variable "Public_Subnet_ID_1" {
default = "subnet-00c363356f133411d"
}
variable "Public_Subnet_ID_2" {
default = "subnet-07aa5e879a262014d"
}
variable "Public_Subnet_ID_3" {
default = "subnet-0073a61bc56a68a3e"
}


@@ -0,0 +1,22 @@
# This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.
provider "registry.terraform.io/hashicorp/aws" {
version = "4.36.1"
constraints = ">= 4.0.0"
hashes = [
"h1:04NI9x34nwhgghwevSGdsjssqy5zzvMsQg2Qjpmx/n0=",
"zh:19b16047b4f15e9b8538a2b925f1e860463984eed7d9bd78e870f3e884e827a7",
"zh:3c0db06a9a14b05a77f3fe1fc029a5fb153f4966964790ca8e71ecc3427d83f5",
"zh:3c7407a8229005e07bc274cbae6e3a464c441a88810bfc6eceb2414678fd08ae",
"zh:3d96fa82c037fafbd3e7f4edc1de32afb029416650f6e392c39182fc74a9e03a",
"zh:8f4f540c5f63d847c4b802ca84d148bb6275a3b0723deb09bf933a4800bc7209",
"zh:9802cb77472d6bcf24c196ce2ca6d02fac9db91558536325fec85f955b71a8a4",
"zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
"zh:a263352433878c89832c2e38f4fd56cf96ae9969c13b5c710d5ba043cbd95743",
"zh:aca7954a5f458ceb14bf0c04c961c4e1e9706bf3b854a1e90a97d0b20f0fe6d3",
"zh:d78f400332e87a97cce2e080db9d01beb01f38f5402514a6705d6b8167e7730d",
"zh:e14bdc49be1d8b7d2543d5c58078c84b76051085e8e6715a895dcfe6034b6098",
"zh:f2e400b88c8de170bb5027922226da1e9a6614c03f2a6756c15c3b930c2f460c",
]
}


@@ -0,0 +1,55 @@
terraform {
required_version = ">= 0.15.0"
required_providers {
aws = {
"configuration_aliases" = [aws.files]
"source" = "hashicorp/aws"
"version" = ">= 4.0.0"
}
}
}
provider "aws" {
alias = "files"
region = "ap-northeast-2"
}
output "vpc_prod_datasaker_id" {
value = aws_vpc.vpc-prod-datasaker.id
}
output "vpc_prod_datasaker_cidr_block" {
value = aws_vpc.vpc-prod-datasaker.cidr_block
}
resource "aws_vpc" "vpc-prod-datasaker" {
assign_generated_ipv6_cidr_block = true
cidr_block = "172.24.0.0/19"
enable_dns_hostnames = true
enable_dns_support = true
tags = {
"Name" = "vpc-prod-datasaker"
}
}
resource "aws_vpc_dhcp_options" "vpc-dhcp-prod-datasaker" {
domain_name = "ap-northeast-2.compute.internal"
domain_name_servers = ["AmazonProvidedDNS"]
tags = {
"Name" = "vpc-dhcp-prod-datasaker"
}
}
resource "aws_vpc_dhcp_options_association" "vpc-dhcp-asso-prod-datasaker" {
dhcp_options_id = aws_vpc_dhcp_options.vpc-dhcp-prod-datasaker.id
vpc_id = aws_vpc.vpc-prod-datasaker.id
}
resource "aws_internet_gateway" "igw-prod-datasaker" {
tags = {
"Name" = "igw-prod-datasaker"
}
vpc_id = aws_vpc.vpc-prod-datasaker.id
}
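Review bot: The only `provider "aws"` block in this section carries `alias = "files"`, yet none of the resources below set `provider = aws.files`, so they resolve to the default `aws` provider configuration, which must come from another file (presumably the `provider "aws" { region = "ap-northeast-2" }` block elsewhere in this commit). Either drop the alias so this block becomes the default configuration, or add `provider = aws.files` to the resources that are meant to use it. `configuration_aliases` under `required_providers` is intended for child modules that receive a provider from their caller; in a root module it appears to serve no purpose here.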


@@ -0,0 +1,153 @@
output "sbn_dmz_prod_a_id" {
value = aws_subnet.sbn-prod-dmz-a.id
}
output "sbn_dmz_prod_b_id" {
value = aws_subnet.sbn-prod-dmz-b.id
}
output "sbn_dmz_prod_c_id" {
value = aws_subnet.sbn-prod-dmz-c.id
}
resource "aws_subnet" "sbn-prod-dmz-a" {
availability_zone = "ap-northeast-2a"
cidr_block = "172.24.0.0/24"
enable_resource_name_dns_a_record_on_launch = true
private_dns_hostname_type_on_launch = "resource-name"
tags = {
"Name"= "sbn-prod-dmz-a.datasaker"
"SubnetType" = "Utility"
"kubernetes.io/cluster/datasaker" = "owned"
"kubernetes.io/cluster/prod.datasaker.io" = "shared"
"kubernetes.io/role/nlb" = "1"
"kubernetes.io/role/internal-nlb" = "1"
}
vpc_id = aws_vpc.vpc-prod-datasaker.id
}
resource "aws_subnet" "sbn-prod-dmz-b" {
availability_zone = "ap-northeast-2b"
cidr_block = "172.24.1.0/24"
enable_resource_name_dns_a_record_on_launch = true
private_dns_hostname_type_on_launch = "resource-name"
tags = {
"Name" = "sbn-prod-dmz-b.datasaker"
"SubnetType" = "Utility"
"kubernetes.io/cluster/datasaker" = "owned"
"kubernetes.io/cluster/prod.datasaker.io" = "shared"
"kubernetes.io/role/nlb" = "1"
"kubernetes.io/role/internal-nlb" = "1"
}
vpc_id = aws_vpc.vpc-prod-datasaker.id
}
resource "aws_subnet" "sbn-prod-dmz-c" {
availability_zone = "ap-northeast-2c"
cidr_block = "172.24.2.0/24"
enable_resource_name_dns_a_record_on_launch = true
private_dns_hostname_type_on_launch = "resource-name"
tags = {
"Name" = "sbn-prod-dmz-c.datasaker"
"SubnetType" = "Utility"
"kubernetes.io/cluster/datasaker" = "owned"
"kubernetes.io/cluster/prod.datasaker.io" = "shared"
"kubernetes.io/role/nlb" = "1"
"kubernetes.io/role/internal-nlb" = "1"
}
vpc_id = aws_vpc.vpc-prod-datasaker.id
}
resource "aws_route_table" "rt-prod-datasaker-pub" {
tags = {
"Name" = "rt-prod-datasaker-pub"
}
vpc_id = aws_vpc.vpc-prod-datasaker.id
}
resource "aws_route" "r-0-0-0-0--0" {
destination_cidr_block = "0.0.0.0/0"
gateway_id = aws_internet_gateway.igw-prod-datasaker.id
route_table_id = aws_route_table.rt-prod-datasaker-pub.id
}
resource "aws_route" "r-__--0" {
destination_ipv6_cidr_block = "::/0"
gateway_id = aws_internet_gateway.igw-prod-datasaker.id
route_table_id = aws_route_table.rt-prod-datasaker-pub.id
}
resource "aws_route_table_association" "rta-prod-dmz-a" {
route_table_id = aws_route_table.rt-prod-datasaker-pub.id
subnet_id = aws_subnet.sbn-prod-dmz-a.id
}
resource "aws_route_table_association" "rta-prod-dmz-b" {
route_table_id = aws_route_table.rt-prod-datasaker-pub.id
subnet_id = aws_subnet.sbn-prod-dmz-b.id
}
resource "aws_route_table_association" "rta-prod-dmz-c" {
route_table_id = aws_route_table.rt-prod-datasaker-pub.id
subnet_id = aws_subnet.sbn-prod-dmz-c.id
}
resource "aws_eip" "eip-bastion-prod-datasaker" {
vpc = true
tags = {
Name = "eip-bastion-prod-datasaker"
}
}
resource "aws_eip" "eip-natgw-prod-a-datasaker" {
vpc = true
tags = {
Name = "eip-natgw-prod-a-datasaker"
}
}
resource "aws_eip" "eip-natgw-prod-b-datasaker" {
vpc = true
tags = {
Name = "eip-natgw-prod-b-datasaker"
}
}
resource "aws_eip" "eip-natgw-prod-c-datasaker" {
vpc = true
tags = {
Name = "eip-natgw-prod-c-datasaker"
}
}
resource "aws_nat_gateway" "natgw-prod-a-datasaker" {
allocation_id = aws_eip.eip-natgw-prod-a-datasaker.id
subnet_id = aws_subnet.sbn-prod-dmz-a.id
tags = {
Name = "natgw-prod-a-datasaker"
}
depends_on = [aws_internet_gateway.igw-prod-datasaker]
}
resource "aws_nat_gateway" "natgw-prod-b-datasaker" {
allocation_id = aws_eip.eip-natgw-prod-b-datasaker.id
subnet_id = aws_subnet.sbn-prod-dmz-b.id
tags = {
Name = "natgw-prod-b-datasaker"
}
depends_on = [aws_internet_gateway.igw-prod-datasaker]
}
resource "aws_nat_gateway" "natgw-prod-c-datasaker" {
allocation_id = aws_eip.eip-natgw-prod-c-datasaker.id
subnet_id = aws_subnet.sbn-prod-dmz-c.id
tags = {
Name = "natgw-prod-c-datasaker"
}
depends_on = [aws_internet_gateway.igw-prod-datasaker]
}


@@ -0,0 +1,102 @@
resource "aws_route_table" "private-prod-a-datasaker" {
tags = {
"Name" = "private-prod-a-datasaker"
}
vpc_id = aws_vpc.vpc-prod-datasaker.id
}
resource "aws_route_table" "private-prod-b-datasaker" {
tags = {
"Name" = "private-prod-b-datasaker"
}
vpc_id = aws_vpc.vpc-prod-datasaker.id
}
resource "aws_route_table" "private-prod-c-datasaker" {
tags = {
"Name" = "private-prod-c-datasaker"
}
vpc_id = aws_vpc.vpc-prod-datasaker.id
}
resource "aws_route" "route-private-rt-prod-a-datasaker-0-0-0-0--0" {
destination_cidr_block = "0.0.0.0/0"
nat_gateway_id = aws_nat_gateway.natgw-prod-a-datasaker.id
route_table_id = aws_route_table.private-prod-a-datasaker.id
}
resource "aws_route" "route-private-rt-prod-b-datasaker-0-0-0-0--0" {
destination_cidr_block = "0.0.0.0/0"
nat_gateway_id = aws_nat_gateway.natgw-prod-b-datasaker.id
route_table_id = aws_route_table.private-prod-b-datasaker.id
}
resource "aws_route" "route-private-rt-prod-c-datasaker-0-0-0-0--0" {
destination_cidr_block = "0.0.0.0/0"
nat_gateway_id = aws_nat_gateway.natgw-prod-c-datasaker.id
route_table_id = aws_route_table.private-prod-c-datasaker.id
}
resource "aws_subnet" "sbn-prod-a" {
availability_zone = "ap-northeast-2a"
cidr_block = "172.24.8.0/23"
enable_resource_name_dns_a_record_on_launch = true
private_dns_hostname_type_on_launch = "resource-name"
tags = {
"Name" = "sbn-prod-a-datasaker"
"SubnetType" = "Private"
"kubernetes.io/cluster/datasaker" = "owned"
"kubernetes.io/cluster/prod.datasaker.io" = "shared"
"kubernetes.io/role/nlb" = "1"
"kubernetes.io/role/internal-nlb" = "1"
}
vpc_id = aws_vpc.vpc-prod-datasaker.id
}
resource "aws_subnet" "sbn-prod-b" {
availability_zone = "ap-northeast-2b"
cidr_block = "172.24.10.0/23"
enable_resource_name_dns_a_record_on_launch = true
private_dns_hostname_type_on_launch = "resource-name"
tags = {
"Name" = "sbn-prod-b-datasaker"
"SubnetType" = "Private"
"kubernetes.io/cluster/datasaker" = "owned"
"kubernetes.io/cluster/prod.datasaker.io" = "shared"
"kubernetes.io/role/nlb" = "1"
"kubernetes.io/role/internal-nlb" = "1"
}
vpc_id = aws_vpc.vpc-prod-datasaker.id
}
resource "aws_subnet" "sbn-prod-c" {
availability_zone = "ap-northeast-2c"
cidr_block = "172.24.12.0/23"
enable_resource_name_dns_a_record_on_launch = true
private_dns_hostname_type_on_launch = "resource-name"
tags = {
"Name" = "sbn-prod-c-datasaker"
"SubnetType" = "Private"
"kubernetes.io/cluster/datasaker" = "owned"
"kubernetes.io/cluster/prod.datasaker.io" = "shared"
"kubernetes.io/role/nlb" = "1"
"kubernetes.io/role/internal-nlb" = "1"
}
vpc_id = aws_vpc.vpc-prod-datasaker.id
}
resource "aws_route_table_association" "rta-prod-a" {
route_table_id = aws_route_table.private-prod-a-datasaker.id
subnet_id = aws_subnet.sbn-prod-a.id
}
resource "aws_route_table_association" "rta-prod-b" {
route_table_id = aws_route_table.private-prod-b-datasaker.id
subnet_id = aws_subnet.sbn-prod-b.id
}
resource "aws_route_table_association" "rta-prod-c" {
route_table_id = aws_route_table.private-prod-c-datasaker.id
subnet_id = aws_subnet.sbn-prod-c.id
}


@@ -0,0 +1,24 @@
resource "aws_instance" "bastion-k8s-prod-datasaker-io" {
ami = "ami-0b6591f49cf24e237"
instance_type = "t3.small"
count = 1
key_name = "kp-jay-bastion-datasaker"
vpc_security_group_ids = ["${aws_security_group.prod-dmz-sg-datasaker.id}"]
subnet_id = aws_subnet.sbn-prod-dmz-a.id
associate_public_ip_address = true
root_block_device {
delete_on_termination = true
encrypted = false
tags = {
Name = "bastion-k8s-prod-datasaker-io"
}
volume_size = 20
volume_type = "gp3"
iops = 3000
}
tags = {
Name = "bastion-k8s-prod-datasaker-io"
}
}
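Review bot: The bastion's `root_block_device` is created with `encrypted = false`, and no `metadata_options` block is set, so the instance boots with an unencrypted disk and with IMDSv1 still permitted. Set `encrypted = true` and add `metadata_options { http_tokens = "required" }` so that any instance-profile credentials attached later can only be fetched via IMDSv2. The `"${aws_security_group.prod-dmz-sg-datasaker.id}"` wrapper in `vpc_security_group_ids` is legacy interpolation syntax; `[aws_security_group.prod-dmz-sg-datasaker.id]` reads the same without the deprecation warning. `aws_eip.eip-bastion-prod-datasaker` from the earlier subnet section is never associated with this instance, which instead receives an ephemeral address through `associate_public_ip_address = true`; presumably one of the two is unintended.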


@@ -0,0 +1,74 @@
resource "aws_security_group" "prod-dmz-sg-datasaker" {
description = "Security group dmz-datasaker"
name = "prod-dmz-sg-datasaker"
tags = {
"Name" = "prod-dmz-sg-datasaker"
}
vpc_id = aws_vpc.vpc-prod-datasaker.id
}
resource "aws_security_group_rule" "pub-only-exem" {
cidr_blocks = ["115.178.73.2/32","115.178.73.91/32"]
from_port = 22
protocol = "tcp"
security_group_id = aws_security_group.prod-dmz-sg-datasaker.id
to_port = 22
type = "ingress"
}
resource "aws_security_group_rule" "pub-out-any" {
cidr_blocks = ["0.0.0.0/0"]
from_port = 0
protocol = "tcp"
security_group_id = aws_security_group.prod-dmz-sg-datasaker.id
to_port = 65535
type = "egress"
}
################################################################################
resource "aws_security_group" "prod-priv-sg-datasaker" {
description = "Security group prod-datasaker"
name = "prod-priv-sg-datasaker"
tags = {
"Name" = "prod-priv-sg-datasaker"
}
vpc_id = aws_vpc.vpc-prod-datasaker.id
}
resource "aws_security_group_rule" "priv-in-any" {
cidr_blocks = ["0.0.0.0/0"]
from_port = 22
protocol = "tcp"
security_group_id = aws_security_group.prod-priv-sg-datasaker.id
to_port = 22
type = "ingress"
}
resource "aws_security_group_rule" "priv-in-icmp" {
cidr_blocks = ["0.0.0.0/0"]
from_port = 8
protocol = "icmp"
security_group_id = aws_security_group.prod-priv-sg-datasaker.id
to_port = 8
type = "ingress"
}
resource "aws_security_group_rule" "priv-out-icmp" {
cidr_blocks = ["0.0.0.0/0"]
from_port = 8
protocol = "icmp"
security_group_id = aws_security_group.prod-priv-sg-datasaker.id
to_port = 8
type = "egress"
}
resource "aws_security_group_rule" "priv-out-any" {
cidr_blocks = ["0.0.0.0/0"]
from_port = 0
protocol = "tcp"
security_group_id = aws_security_group.prod-priv-sg-datasaker.id
to_port = 65535
type = "egress"
}
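Review bot: `aws_security_group_rule.priv-in-any` opens TCP/22 on the private security group to `0.0.0.0/0`, which contradicts the bastion/DMZ layout in this commit where only the DMZ tier should reach the private nodes. Replace `cidr_blocks` with `source_security_group_id = aws_security_group.prod-dmz-sg-datasaker.id` so SSH into the private tier is accepted only from members of the DMZ group; `priv-in-icmp` can be narrowed the same way or to the VPC CIDR. Both egress rules (`pub-out-any`, `priv-out-any`) permit only TCP, so UDP traffic such as DNS and NTP from these instances is blocked unless another rule exists outside this hunk; if all outbound traffic is intended, `protocol = "-1"` with `from_port = 0` and `to_port = 0` is the usual form.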


@@ -0,0 +1,19 @@
resource "aws_alb" "nlb-prod-kr-ingress" {
name = "nlb-prod-kr-ingress"
internal = false
load_balancer_type = "network"
subnet_mapping {
subnet_id = aws_subnet.sbn-prod-dmz-a.id
}
subnet_mapping {
subnet_id = aws_subnet.sbn-prod-dmz-b.id
}
subnet_mapping {
subnet_id = aws_subnet.sbn-prod-dmz-c.id
}
enable_deletion_protection = true
tags = {
Environment = "nlb-prod-kr-ingress"
}
}


@@ -0,0 +1,21 @@
resource "aws_alb_listener" "nlb-listener-http-prod" {
load_balancer_arn = aws_alb.nlb-prod-kr-ingress.arn
port = "443"
protocol = "TCP"
default_action {
type = "forward"
target_group_arn = aws_alb_target_group.tg-prod-kr-tcp-30001.arn
}
}
resource "aws_alb_listener" "nlb-listener-tls-prod" {
load_balancer_arn = aws_alb.nlb-prod-kr-ingress.arn
port = "80"
protocol = "TCP"
default_action {
type = "forward"
target_group_arn = aws_alb_target_group.tg-prod-kr-tcp-30000.arn
}
}
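Review bot: The listener names are inverted relative to what they forward: `nlb-listener-http-prod` listens on port 443 and forwards to `tg-prod-kr-tcp-30001`, while `nlb-listener-tls-prod` listens on port 80 and forwards to `tg-prod-kr-tcp-30000`; the attachments in the next section call 30000 `http` and 30001 `tls`, so the two resource names here appear swapped. Either rename the resources or, if the mapping itself is wrong, swap the two `target_group_arn` values. `port` is also given as the strings `"443"` and `"80"` although the argument is numeric; `port = 443` and `port = 80` avoid relying on implicit conversion.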


@@ -0,0 +1,85 @@
variable "k8s-prod-master-2a" {
default = "i-082bb4e2813521de0"
}
variable "k8s-prod-master-2b" {
default = "i-045a073c83b7f23c2"
}
variable "k8s-prod-master-2c" {
default = "i-049f35ffe56207c62"
}
##################################################################################
resource "aws_alb_target_group" "tg-prod-kr-tcp-30000" {
name = "tg-prod-kr-tcp-30000"
port = 30000
protocol = "TCP"
vpc_id = aws_vpc.vpc-prod-datasaker.id
health_check {
interval = 30
protocol = "TCP"
healthy_threshold = 3
unhealthy_threshold = 3
}
}
resource "aws_alb_target_group_attachment" "prod-master-http-2a" {
target_group_arn = "${aws_alb_target_group.tg-prod-kr-tcp-30000.arn}"
target_id = "${var.k8s-prod-master-2a}"
port = 30000
}
resource "aws_alb_target_group_attachment" "prod-master-http-2b" {
target_group_arn = "${aws_alb_target_group.tg-prod-kr-tcp-30000.arn}"
target_id = "${var.k8s-prod-master-2b}"
port = 30000
}
resource "aws_alb_target_group_attachment" "prod-master-http-2c" {
target_group_arn = "${aws_alb_target_group.tg-prod-kr-tcp-30000.arn}"
target_id = "${var.k8s-prod-master-2c}"
port = 30000
}
###############################################################################
resource "aws_alb_target_group" "tg-prod-kr-tcp-30001" {
name = "tg-prod-kr-tcp-30001"
port = 30001
protocol = "TCP"
vpc_id = aws_vpc.vpc-prod-datasaker.id
health_check {
interval = 30
protocol = "TCP"
healthy_threshold = 3
unhealthy_threshold = 3
}
}
resource "aws_alb_target_group_attachment" "prod-master-tls-2a" {
target_group_arn = "${aws_alb_target_group.tg-prod-kr-tcp-30001.arn}"
target_id = "${var.k8s-prod-master-2a}"
port = 30001
}
resource "aws_alb_target_group_attachment" "prod-master-tls-2b" {
target_group_arn = "${aws_alb_target_group.tg-prod-kr-tcp-30001.arn}"
target_id = "${var.k8s-prod-master-2b}"
port = 30001
}
resource "aws_alb_target_group_attachment" "prod-master-tls-2c" {
target_group_arn = "${aws_alb_target_group.tg-prod-kr-tcp-30001.arn}"
target_id = "${var.k8s-prod-master-2c}"
port = 30001
}
###############################################################################


@@ -0,0 +1,132 @@
variable "datasaker-ai" {
default = "Z06479772L265DHVJW30F"
}
variable "datasaker-com" {
default = "Z0218361HIZ723RV9EX4"
}
variable "datasaker-io" {
default = "Z072735718G25WNVKU834"
}
variable "datasaker-co-kr" {
default = "Z06528191YJHOMRBYTXXT"
}
variable "datasaker-net" {
default = "Z072720912UR7SY03M9F8"
}
##############################################################################
resource "aws_route53_record" "prod-dns-krakend" {
zone_id = "${var.datasaker-io}"
name = "api.kr.datasaker.io"
type = "A"
alias {
name = aws_alb.nlb-prod-kr-ingress.dns_name
zone_id = aws_alb.nlb-prod-kr-ingress.zone_id
evaluate_target_health = true
}
}
resource "aws_route53_record" "prod-dns-keycloak" {
zone_id = "${var.datasaker-io}"
name = "auth.kr.datasaker.io"
type = "A"
alias {
name = aws_alb.nlb-prod-kr-ingress.dns_name
zone_id = aws_alb.nlb-prod-kr-ingress.zone_id
evaluate_target_health = true
}
}
resource "aws_route53_record" "prod-dns-dsk-agentmanager" {
zone_id = "${var.datasaker-io}"
name = "am.kr.datasaker.io"
type = "A"
alias {
name = aws_alb.nlb-prod-kr-ingress.dns_name
zone_id = aws_alb.nlb-prod-kr-ingress.zone_id
evaluate_target_health = true
}
}
resource "aws_route53_record" "prod-dns-datagate-metric" {
zone_id = "${var.datasaker-io}"
name = "megate.kr.datasaker.io"
type = "A"
alias {
name = aws_alb.nlb-prod-kr-ingress.dns_name
zone_id = aws_alb.nlb-prod-kr-ingress.zone_id
evaluate_target_health = true
}
}
resource "aws_route53_record" "prod-dns-datagate-jaeger" {
zone_id = "${var.datasaker-io}"
name = "trgate.kr.datasaker.io"
type = "A"
alias {
name = aws_alb.nlb-prod-kr-ingress.dns_name
zone_id = aws_alb.nlb-prod-kr-ingress.zone_id
evaluate_target_health = true
}
}
resource "aws_route53_record" "prod-dns-datagate-manifest" {
zone_id = "${var.datasaker-io}"
name = "magate.kr.datasaker.io"
type = "A"
alias {
name = aws_alb.nlb-prod-kr-ingress.dns_name
zone_id = aws_alb.nlb-prod-kr-ingress.zone_id
evaluate_target_health = true
}
}
resource "aws_route53_record" "prod-dns-loggate" {
zone_id = "${var.datasaker-io}"
name = "lgate.kr.datasaker.io"
type = "A"
alias {
name = aws_alb.nlb-prod-kr-ingress.dns_name
zone_id = aws_alb.nlb-prod-kr-ingress.zone_id
evaluate_target_health = true
}
}
resource "aws_route53_record" "prod-dns-ui" {
zone_id = "${var.datasaker-io}"
name = "app.kr.datasaker.io"
type = "A"
alias {
name = aws_alb.nlb-prod-kr-ingress.dns_name
zone_id = aws_alb.nlb-prod-kr-ingress.zone_id
evaluate_target_health = true
}
}
resource "aws_route53_record" "prod-test" {
zone_id = "${var.datasaker-io}"
name = "kubedash.kr.datasaker.io"
type = "A"
alias {
name = aws_alb.nlb-prod-kr-ingress.dns_name
zone_id = aws_alb.nlb-prod-kr-ingress.zone_id
evaluate_target_health = true
}
}
resource "aws_route53_record" "prod-test2" {
zone_id = "${var.datasaker-io}"
name = "jenkins-prod.kr.datasaker.io"
type = "A"
alias {
name = aws_alb.nlb-prod-kr-ingress.dns_name
zone_id = aws_alb.nlb-prod-kr-ingress.zone_id
evaluate_target_health = true
}
}
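Review bot: `aws_route53_record.prod-test` and `prod-test2` publish `kubedash.kr.datasaker.io` and `jenkins-prod.kr.datasaker.io` as aliases of the internet-facing `nlb-prod-kr-ingress`, so the Kubernetes dashboard and the production Jenkins become publicly resolvable and reachable over the same NLB path as the application endpoints; confirm that the ingress behind the NLB enforces authentication for both, or serve them from an internal entry point instead. The resource names `prod-test` / `prod-test2` do not describe what they create; `prod-dns-kubedash` and `prod-dns-jenkins` would follow the `prod-dns-<service>` convention used by the other records in this file. The ten records differ only in `name`, which a single `for_each` over a set of hostnames would express once, though explicit records are acceptable if that is the team's preference.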

terraform/aws_network/data.sh Executable file

@@ -0,0 +1,12 @@
#!/bin/bash
sudo curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
sudo curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
sudo chmod 700 get_helm.sh
sudo ./get_helm.sh
echo "source <(kubectl completion bash)" >> /etc/profile
echo "alias k=kubectl" >> /etc/profile
echo "complete -o default -F __start_kubectl k" >> /etc/profile
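Review bot: The three `echo ... >> /etc/profile` lines perform the redirection as the invoking user, so they fail with a permission error unless the whole script already runs as root, even though every preceding command uses `sudo`; piping through `sudo tee -a /etc/profile` writes them correctly. The kubectl binary is installed without any integrity check, and `stable.txt` is fetched once per download, so two consecutive runs could even disagree on the version; capturing the version once and verifying the published `.sha256` before `install` follows the documented procedure. `get_helm.sh` is likewise pulled from the `main` branch and executed as root without pinning; the installer honours `DESIRED_VERSION` for a fixed release, which is preferable on a production bastion. Adding `set -euo pipefail` stops the script from continuing past a failed download.
```shell
#!/bin/bash
set -euo pipefail
KUBECTL_VERSION="$(curl -L -s https://dl.k8s.io/release/stable.txt)"
curl -LO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl"
curl -LO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl.sha256"
echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check
sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
# … unchanged: helm installer download, chmod and run …
echo "source <(kubectl completion bash)" | sudo tee -a /etc/profile >/dev/null
echo "alias k=kubectl" | sudo tee -a /etc/profile >/dev/null
echo "complete -o default -F __start_kubectl k" | sudo tee -a /etc/profile >/dev/null
```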




@@ -0,0 +1,8 @@
provider "aws" {
region = var.aws_region
}
resource "random_pet" "env" {
length = 2
separator = "_"
}


@@ -0,0 +1,55 @@
resource "aws_kms_key" "vault" {
description = "Vault unseal key"
deletion_window_in_days = 10
tags = {
Name = "vault-kms-unseal-${random_pet.env.id}"
}
}
resource "aws_kms_alias" "vault-a" {
name = "alias/prod-vault-auto-unseal"
target_key_id = aws_kms_key.vault.key_id
}
data "aws_iam_policy_document" "assume_role" {
statement {
effect = "Allow"
actions = ["sts:AssumeRole"]
principals {
type = "Service"
identifiers = ["ec2.amazonaws.com"]
}
}
}
data "aws_iam_policy_document" "vault-kms-unseal" {
statement {
sid = "VaultKMSUnseal"
effect = "Allow"
resources = [aws_kms_key.vault.arn]
actions = [
"kms:Encrypt",
"kms:Decrypt",
"kms:DescribeKey",
]
}
}
resource "aws_iam_role" "vault-kms-unseal" {
name = "vault-kms-role-${random_pet.env.id}"
assume_role_policy = data.aws_iam_policy_document.assume_role.json
}
resource "aws_iam_role_policy" "vault-kms-unseal" {
name = "Vault-KMS-Unseal-${random_pet.env.id}"
role = aws_iam_role.vault-kms-unseal.id
policy = data.aws_iam_policy_document.vault-kms-unseal.json
}
resource "aws_iam_instance_profile" "vault-kms-unseal" {
name = "vault-kms-unseal-${random_pet.env.id}"
role = aws_iam_role.vault-kms-unseal.name
}
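Review bot: `aws_kms_key.vault` does not set `enable_key_rotation = true`, so the backing material of the Vault unseal key is never rotated automatically; add it next to `description`. `deletion_window_in_days = 10` is close to the 7-day minimum for a key whose loss makes every Vault barrier sealed with it unrecoverable — the 30-day default leaves more time to notice an accidental destroy. The trust policy and the `VaultKMSUnseal` statement are correctly scoped to `ec2.amazonaws.com` and to `aws_kms_key.vault.arn`, so no change is needed there.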


@@ -0,0 +1,3 @@
terraform {
required_version = ">= 0.12"
}


@@ -0,0 +1,7 @@
variable "aws_region" {
default = "ap-northeast-2"
}
variable "aws_zone" {
default = "ap-northeast-2b"
}


@@ -0,0 +1,31 @@
# Vault Auto-unseal using AWS KMS
These assets are provided to perform the tasks described in the [Vault Auto-unseal with AWS KMS](https://learn.hashicorp.com/vault/operations/ops-autounseal-aws-kms) guide.
---
## Demo Steps
### Setup
1. Set this location as your working directory
1. Set your AWS credentials as environment variables: `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`
1. Set Vault Enterprise URL in a file named `terraform.tfvars` (see `terraform.tfvars.example`)
### Commands Cheat Sheet
```bash
# Pull necessary plugins
$ terraform init
$ terraform plan
# Output provides the SSH instruction
$ terraform apply
#----------------------------------
# Clean up...
$ terraform destroy -force
$ rm -rf .terraform terraform.tfstate* private.key
```


@@ -0,0 +1,272 @@
{
"version": 4,
"terraform_version": "1.3.1",
"serial": 14,
"lineage": "e3e93a0f-93ed-63a2-17ab-4fa507053640",
"outputs": {},
"resources": [
{
"mode": "data",
"type": "aws_iam_policy_document",
"name": "assume_role",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"id": "1903849331",
"json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"sts:AssumeRole\",\n \"Principal\": {\n \"Service\": \"ec2.amazonaws.com\"\n }\n }\n ]\n}",
"override_json": null,
"override_policy_documents": null,
"policy_id": null,
"source_json": null,
"source_policy_documents": null,
"statement": [
{
"actions": [
"sts:AssumeRole"
],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [
{
"identifiers": [
"ec2.amazonaws.com"
],
"type": "Service"
}
],
"resources": [],
"sid": ""
}
],
"version": "2012-10-17"
},
"sensitive_attributes": []
}
]
},
{
"mode": "data",
"type": "aws_iam_policy_document",
"name": "vault-kms-unseal",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"id": "2560863897",
"json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"VaultKMSUnseal\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"kms:Encrypt\",\n \"kms:DescribeKey\",\n \"kms:Decrypt\"\n ],\n \"Resource\": \"arn:aws:kms:ap-northeast-2:508259851457:key/c7641fb7-1689-4ec0-80ea-8b931deeb5a1\"\n }\n ]\n}",
"override_json": null,
"override_policy_documents": null,
"policy_id": null,
"source_json": null,
"source_policy_documents": null,
"statement": [
{
"actions": [
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt"
],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": [
"arn:aws:kms:ap-northeast-2:508259851457:key/c7641fb7-1689-4ec0-80ea-8b931deeb5a1"
],
"sid": "VaultKMSUnseal"
}
],
"version": "2012-10-17"
},
"sensitive_attributes": []
}
]
},
{
"mode": "managed",
"type": "aws_iam_instance_profile",
"name": "vault-kms-unseal",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"arn": "arn:aws:iam::508259851457:instance-profile/vault-kms-unseal-mighty_terrier",
"create_date": "2022-12-12T08:20:12Z",
"id": "vault-kms-unseal-mighty_terrier",
"name": "vault-kms-unseal-mighty_terrier",
"name_prefix": null,
"path": "/",
"role": "vault-kms-role-mighty_terrier",
"tags": {},
"tags_all": {},
"unique_id": "AIPAXMVVF3TAVAWIQ62TS"
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"aws_iam_role.vault-kms-unseal",
"data.aws_iam_policy_document.assume_role",
"random_pet.env"
]
}
]
},
{
"mode": "managed",
"type": "aws_iam_role",
"name": "vault-kms-unseal",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"arn": "arn:aws:iam::508259851457:role/vault-kms-role-mighty_terrier",
"assume_role_policy": "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"ec2.amazonaws.com\"},\"Sid\":\"\"}],\"Version\":\"2012-10-17\"}",
"create_date": "2022-12-12T08:20:10Z",
"description": "",
"force_detach_policies": false,
"id": "vault-kms-role-mighty_terrier",
"inline_policy": [
{
"name": "Vault-KMS-Unseal-mighty_terrier",
"policy": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"VaultKMSUnseal\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"kms:Encrypt\",\n \"kms:DescribeKey\",\n \"kms:Decrypt\"\n ],\n \"Resource\": \"arn:aws:kms:ap-northeast-2:508259851457:key/c7641fb7-1689-4ec0-80ea-8b931deeb5a1\"\n }\n ]\n}"
}
],
"managed_policy_arns": [],
"max_session_duration": 3600,
"name": "vault-kms-role-mighty_terrier",
"name_prefix": "",
"path": "/",
"permissions_boundary": null,
"tags": {},
"tags_all": {},
"unique_id": "AROAXMVVF3TA3MJDOSJFJ"
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"data.aws_iam_policy_document.assume_role",
"random_pet.env"
]
}
]
},
{
"mode": "managed",
"type": "aws_iam_role_policy",
"name": "vault-kms-unseal",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"id": "vault-kms-role-mighty_terrier:Vault-KMS-Unseal-mighty_terrier",
"name": "Vault-KMS-Unseal-mighty_terrier",
"name_prefix": null,
"policy": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"VaultKMSUnseal\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"kms:Encrypt\",\n \"kms:DescribeKey\",\n \"kms:Decrypt\"\n ],\n \"Resource\": \"arn:aws:kms:ap-northeast-2:508259851457:key/c7641fb7-1689-4ec0-80ea-8b931deeb5a1\"\n }\n ]\n}",
"role": "vault-kms-role-mighty_terrier"
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"aws_iam_role.vault-kms-unseal",
"data.aws_iam_policy_document.assume_role",
"data.aws_iam_policy_document.vault-kms-unseal",
"random_pet.env"
]
}
]
},
{
"mode": "managed",
"type": "aws_kms_alias",
"name": "vault-a",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"arn": "arn:aws:kms:ap-northeast-2:508259851457:alias/prod-vault-auto-unseal",
"id": "alias/prod-vault-auto-unseal",
"name": "alias/prod-vault-auto-unseal",
"name_prefix": "",
"target_key_arn": "arn:aws:kms:ap-northeast-2:508259851457:key/c7641fb7-1689-4ec0-80ea-8b931deeb5a1",
"target_key_id": "c7641fb7-1689-4ec0-80ea-8b931deeb5a1"
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"aws_kms_key.vault",
"random_pet.env"
]
}
]
},
{
"mode": "managed",
"type": "aws_kms_key",
"name": "vault",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"arn": "arn:aws:kms:ap-northeast-2:508259851457:key/c7641fb7-1689-4ec0-80ea-8b931deeb5a1",
"bypass_policy_lockout_safety_check": false,
"custom_key_store_id": "",
"customer_master_key_spec": "SYMMETRIC_DEFAULT",
"deletion_window_in_days": 10,
"description": "Vault unseal key",
"enable_key_rotation": false,
"id": "c7641fb7-1689-4ec0-80ea-8b931deeb5a1",
"is_enabled": true,
"key_id": "c7641fb7-1689-4ec0-80ea-8b931deeb5a1",
"key_usage": "ENCRYPT_DECRYPT",
"multi_region": false,
"policy": "{\"Id\":\"key-default-1\",\"Statement\":[{\"Action\":\"kms:*\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::508259851457:root\"},\"Resource\":\"*\",\"Sid\":\"Enable IAM User Permissions\"}],\"Version\":\"2012-10-17\"}",
"tags": {
"Name": "vault-kms-unseal-mighty_terrier"
},
"tags_all": {
"Name": "vault-kms-unseal-mighty_terrier"
}
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"random_pet.env"
]
}
]
},
{
"mode": "managed",
"type": "random_pet",
"name": "env",
"provider": "provider[\"registry.terraform.io/hashicorp/random\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"id": "mighty_terrier",
"keepers": null,
"length": 2,
"prefix": null,
"separator": "_"
},
"sensitive_attributes": []
}
]
}
],
"check_results": []
}
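Review bot: This hunk commits a live `terraform.tfstate` (serial 14), and the hunk at L1369–L1612 an older serial-7 copy of the same lineage, presumably the `.backup` file; both record the AWS account ID, the KMS key ARN and the role and instance-profile unique IDs of the production unseal path, and the README added in this same commit tells operators to delete `terraform.tfstate*` after use. No `sensitive_attributes` are set so no secret material is included, but state belongs in a remote backend with encryption at rest and access logging (an S3 backend with a DynamoDB lock table on AWS) rather than in git; add `*.tfstate` and `*.tfstate.*` to `.gitignore` and treat the recorded identifiers as public from now on. Two further points are visible only in the recorded attributes, since the `aws_kms_key.vault` block starts outside this chunk: `enable_key_rotation` is `false` and `deletion_window_in_days` is `10` for a key whose loss leaves Vault permanently unable to unseal, so consider `enable_key_rotation = true` (KMS retains prior key material, so existing unseal ciphertext stays decryptable) and the maximum `deletion_window_in_days = 30`.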

@@ -0,0 +1,243 @@
{
"version": 4,
"terraform_version": "1.3.1",
"serial": 7,
"lineage": "e3e93a0f-93ed-63a2-17ab-4fa507053640",
"outputs": {},
"resources": [
{
"mode": "data",
"type": "aws_iam_policy_document",
"name": "assume_role",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"id": "1903849331",
"json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"sts:AssumeRole\",\n \"Principal\": {\n \"Service\": \"ec2.amazonaws.com\"\n }\n }\n ]\n}",
"override_json": null,
"override_policy_documents": null,
"policy_id": null,
"source_json": null,
"source_policy_documents": null,
"statement": [
{
"actions": [
"sts:AssumeRole"
],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [
{
"identifiers": [
"ec2.amazonaws.com"
],
"type": "Service"
}
],
"resources": [],
"sid": ""
}
],
"version": "2012-10-17"
},
"sensitive_attributes": []
}
]
},
{
"mode": "data",
"type": "aws_iam_policy_document",
"name": "vault-kms-unseal",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"id": "2560863897",
"json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"VaultKMSUnseal\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"kms:Encrypt\",\n \"kms:DescribeKey\",\n \"kms:Decrypt\"\n ],\n \"Resource\": \"arn:aws:kms:ap-northeast-2:508259851457:key/c7641fb7-1689-4ec0-80ea-8b931deeb5a1\"\n }\n ]\n}",
"override_json": null,
"override_policy_documents": null,
"policy_id": null,
"source_json": null,
"source_policy_documents": null,
"statement": [
{
"actions": [
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt"
],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": [
"arn:aws:kms:ap-northeast-2:508259851457:key/c7641fb7-1689-4ec0-80ea-8b931deeb5a1"
],
"sid": "VaultKMSUnseal"
}
],
"version": "2012-10-17"
},
"sensitive_attributes": []
}
]
},
{
"mode": "managed",
"type": "aws_iam_instance_profile",
"name": "vault-kms-unseal",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"arn": "arn:aws:iam::508259851457:instance-profile/vault-kms-unseal-mighty_terrier",
"create_date": "2022-12-12T08:20:12Z",
"id": "vault-kms-unseal-mighty_terrier",
"name": "vault-kms-unseal-mighty_terrier",
"name_prefix": null,
"path": "/",
"role": "vault-kms-role-mighty_terrier",
"tags": null,
"tags_all": {},
"unique_id": "AIPAXMVVF3TAVAWIQ62TS"
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"aws_iam_role.vault-kms-unseal",
"data.aws_iam_policy_document.assume_role",
"random_pet.env"
]
}
]
},
{
"mode": "managed",
"type": "aws_iam_role",
"name": "vault-kms-unseal",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"arn": "arn:aws:iam::508259851457:role/vault-kms-role-mighty_terrier",
"assume_role_policy": "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"ec2.amazonaws.com\"},\"Sid\":\"\"}],\"Version\":\"2012-10-17\"}",
"create_date": "2022-12-12T08:20:10Z",
"description": "",
"force_detach_policies": false,
"id": "vault-kms-role-mighty_terrier",
"inline_policy": [],
"managed_policy_arns": [],
"max_session_duration": 3600,
"name": "vault-kms-role-mighty_terrier",
"name_prefix": "",
"path": "/",
"permissions_boundary": null,
"tags": null,
"tags_all": {},
"unique_id": "AROAXMVVF3TA3MJDOSJFJ"
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"data.aws_iam_policy_document.assume_role",
"random_pet.env"
]
}
]
},
{
"mode": "managed",
"type": "aws_iam_role_policy",
"name": "vault-kms-unseal",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"id": "vault-kms-role-mighty_terrier:Vault-KMS-Unseal-mighty_terrier",
"name": "Vault-KMS-Unseal-mighty_terrier",
"name_prefix": null,
"policy": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"VaultKMSUnseal\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"kms:Encrypt\",\n \"kms:DescribeKey\",\n \"kms:Decrypt\"\n ],\n \"Resource\": \"arn:aws:kms:ap-northeast-2:508259851457:key/c7641fb7-1689-4ec0-80ea-8b931deeb5a1\"\n }\n ]\n}",
"role": "vault-kms-role-mighty_terrier"
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"aws_iam_role.vault-kms-unseal",
"aws_kms_key.vault",
"data.aws_iam_policy_document.assume_role",
"data.aws_iam_policy_document.vault-kms-unseal",
"random_pet.env"
]
}
]
},
{
"mode": "managed",
"type": "aws_kms_key",
"name": "vault",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"arn": "arn:aws:kms:ap-northeast-2:508259851457:key/c7641fb7-1689-4ec0-80ea-8b931deeb5a1",
"bypass_policy_lockout_safety_check": false,
"custom_key_store_id": "",
"customer_master_key_spec": "SYMMETRIC_DEFAULT",
"deletion_window_in_days": 10,
"description": "Vault unseal key",
"enable_key_rotation": false,
"id": "c7641fb7-1689-4ec0-80ea-8b931deeb5a1",
"is_enabled": true,
"key_id": "c7641fb7-1689-4ec0-80ea-8b931deeb5a1",
"key_usage": "ENCRYPT_DECRYPT",
"multi_region": false,
"policy": "{\"Id\":\"key-default-1\",\"Statement\":[{\"Action\":\"kms:*\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::508259851457:root\"},\"Resource\":\"*\",\"Sid\":\"Enable IAM User Permissions\"}],\"Version\":\"2012-10-17\"}",
"tags": {
"Name": "vault-kms-unseal-mighty_terrier"
},
"tags_all": {
"Name": "vault-kms-unseal-mighty_terrier"
}
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"random_pet.env"
]
}
]
},
{
"mode": "managed",
"type": "random_pet",
"name": "env",
"provider": "provider[\"registry.terraform.io/hashicorp/random\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"id": "mighty_terrier",
"keepers": null,
"length": 2,
"prefix": null,
"separator": "_"
},
"sensitive_attributes": []
}
]
}
],
"check_results": []
}