sa_8001/dsk-iac
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

file 이전

Browse Source
This commit is contained in:
havelight-ee
2023-04-03 11:20:43 +09:00
parent 1b523b539d
commit c4747e51b1
229 changed files with 1081 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
aws_middle/dev2-read-iam/.terraform.lock.hcl generated Normal file
View File

@@ -0,0 +1,44 @@
# This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.
provider "registry.terraform.io/hashicorp/archive" {
version = "1.3.0"
constraints = "~> 1.3"
hashes = [
"h1:T3DszgOa/75SiiONgEDRujpN5rSqIw9TvFZXHjpqMB4=",
"zh:115aa6bc7825402a8d4e2e954378a9f48e4fdbeabe081ffd04e0a2f6786159bb",
"zh:21f731ffac20a67615c64a7a8a96949c971ee28ffd5807d8c299faba73b5e273",
"zh:2e81b58e141b175cbf801ade5e87c5db4cb28933216b0547ef32c95500385904",
"zh:3acbb96fd142b4d193dc18861340281249301368029169e346d15410d0572492",
"zh:4346edee0dfe97154b6f28d9ef0fa762131db92b78bbd1b3207945201cb59818",
"zh:93916a84cc6ff6778456dd170a657326c4dd3a86b4434e424a66a87c2535b888",
"zh:ade675c3ac8b9ec91131bac5881fbd4efad46a3683f2fea2efb9493a2c1b9ffb",
"zh:b0a0cb13fc850903aa7a057ae7e06366939b8f347926dce1137cd47b9123ad93",
"zh:d6d838cceffb7f3ff27fb9b51d78fccdef15bd32408f33a726556bfe66315bd3",
"zh:ddc4ac6aea6537f8096ffeb8ff3bca355f0972793184e0f6df120aa6460b4446",
"zh:e0d1213625d40d124bd9570f0d92907416f8d61bc8c389c776e72c0a97020cce",
"zh:eb707b69f9093b97d98e2dece9822852a27849dd1627d35302e8d6b9801407ef",
]
}
provider "registry.terraform.io/hashicorp/aws" {
version = "4.57.1"
hashes = [
"h1:rqJN5HwMnJtHIvIzublREIxUibBFYIKyeQcgOov4DUQ=",
"zh:44200c213ddb138df80d2a5ad86c2ebadbb5fd1d08cd7e4fc56ec6dca927659b",
"zh:469e6fe6a9e99e60cb168d32f05e2e9a83cf161f39160d075ff96f7674c510e1",
"zh:6110ba2c15a2268652ec9ea3797dd0216de84ece428055c49eaf9caa2be1ed62",
"zh:62ed7348acca44f64fc087e879e01cfa4e084c7600cc91e8bb7683f8065a9c79",
"zh:7a80e6fa9b35be178bb566093f7984dd6ffb7ad9d40b9dd5d5907f054f0c3e60",
"zh:8793043c8575a598c1a7cbefcb65ee1776b0061eba719098e552a3adc88f3090",
"zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
"zh:a777a0082114e273b7b3eb14095a3f6f6e703c1aff61ffb1f0846bb869e6dfc7",
"zh:b060c3b2973097f2087a98ac6aad7c9c89fe80f7cf3027019049feafc3f8305b",
"zh:e7035e74563f4486848ea1feb60852175353790bc374e0e97e241a88dc0908f7",
"zh:eaaa8e9eba09ada41e13116d53d4baece04fead8fcf3eab68cca3a67ed738e18",
"zh:ec52d8f95a84fad8fe1aae169c89d0c54d5401f75caae0869ad8182c6b6db65b",
"zh:f0e33174025b1b57ecfbdd09f2a59c2559ee94d7681e5ae09079e2822ec54ecf",
"zh:f69790a21380e5aab9303a252564737333e1e95b5d25567681630e49b17e3ec7",
"zh:ff6053942c40a99904bd407f3c082c1fa8f927ecce0374566eb7e8ee8145e582",
]
}

22
aws_middle/dev2-read-iam/iam.tf Normal file
View File

@@ -0,0 +1,22 @@
resource "aws_iam_user" "dev2" {
name = "dev2-read"
}
resource "aws_iam_access_key" "dev2_access_key" {
user = aws_iam_user.dev2.name
}
resource "aws_iam_user_login_profile" "dev2_login_profile" {
user = aws_iam_user.dev2.name
password_reset_required = true
}
data "aws_iam_policy" "read-only" {
arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}
resource "aws_iam_policy_attachment" "attach-read-only-policy" {
name = "ReadOnlyAccessAttachment"
policy_arn = data.aws_iam_policy.read-only.arn
users = [aws_iam_user.dev2.name]
}

10
aws_middle/dev2-read-iam/main.tf Normal file
View File

@@ -0,0 +1,10 @@
provider "aws" {
region = "ap-northeast-2"
}
terraform {
required_providers {
archive = "~> 1.3"
}
}

140
aws_middle/dev2-read-iam/terraform.tfstate Normal file
View File

File diff suppressed because one or more lines are too long

35
aws_middle/dev2-read-iam/variables.tf Normal file
View File

@@ -0,0 +1,35 @@
#---------------------------------------------------------------#
# Network ID
variable "VPC_ID" {
default = "vpc-00ba2b0e9ad59f0ed"
}
variable "Network_CIDR" {
default = "172.24.0.0/19"
}
variable "Private_Subnet_ID_1" {
default = "subnet-024f0deda82039fa4"
}
variable "Private_Subnet_ID_2" {
default = "subnet-050d942fa1c46540a"
}
variable "Private_Subnet_ID_3" {
default = "subnet-0946eb806af7377be"
}
variable "Public_Subnet_ID_1" {
default = "subnet-00c363356f133411d"
}
variable "Public_Subnet_ID_2" {
default = "subnet-07aa5e879a262014d"
}
variable "Public_Subnet_ID_3" {
default = "subnet-0073a61bc56a68a3e"
}

36
aws_middle/druid/main.tf Normal file
View File

@@ -0,0 +1,36 @@
provider "aws" {
region = "ap-northeast-2"
}
resource "aws_s3_bucket" "druid-prod" {
bucket = "druid.kr.datasaker.io"
tags = {
Name = "druid.kr.datasaker.io"
}
}
resource "aws_iam_user" "druid-s3-prod" {
name = "druid-s3-prod"
}
resource "aws_iam_user_policy" "druid-s3-policy" {
name = "druid-s3-policy"
user = aws_iam_user.druid-s3-prod.name
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:*",
"s3-object-lambda:*"
],
"Resource": "*"
}
]
}
EOF
}

118
aws_middle/druid/terraform.tfstate Normal file
View File

@@ -0,0 +1,118 @@
{
"version": 4,
"terraform_version": "1.3.1",
"serial": 8,
"lineage": "88958e46-0322-1f4d-59ba-b9b62c65d924",
"outputs": {},
"resources": [
{
"mode": "managed",
"type": "aws_iam_user",
"name": "druid-s3-prod",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"arn": "arn:aws:iam::508259851457:user/druid-s3-prod",
"force_destroy": false,
"id": "druid-s3-prod",
"name": "druid-s3-prod",
"path": "/",
"permissions_boundary": null,
"tags": {},
"tags_all": {},
"unique_id": "AIDAXMVVF3TAQSOASXJXC"
},
"sensitive_attributes": [],
"private": "bnVsbA=="
}
]
},
{
"mode": "managed",
"type": "aws_iam_user_policy",
"name": "druid-s3-policy",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"id": "druid-s3-prod:druid-s3-policy",
"name": "druid-s3-policy",
"name_prefix": null,
"policy": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"s3:*\",\n \"s3-object-lambda:*\"\n ],\n \"Resource\": \"*\"\n }\n ]\n}\n",
"user": "druid-s3-prod"
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"aws_iam_user.druid-s3-prod"
]
}
]
},
{
"mode": "managed",
"type": "aws_s3_bucket",
"name": "druid-prod",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"acceleration_status": "",
"acl": null,
"arn": "arn:aws:s3:::druid.kr.datasaker.io",
"bucket": "druid.kr.datasaker.io",
"bucket_domain_name": "druid.kr.datasaker.io.s3.amazonaws.com",
"bucket_prefix": null,
"bucket_regional_domain_name": "druid.kr.datasaker.io.s3.ap-northeast-2.amazonaws.com",
"cors_rule": [],
"force_destroy": false,
"grant": [
{
"id": "132b0c7dc035122c1c1265a1678d5ec5dcb37d81b08544f029b8cf3f659ecad3",
"permissions": [
"FULL_CONTROL"
],
"type": "CanonicalUser",
"uri": ""
}
],
"hosted_zone_id": "Z3W03O7B5YMIYP",
"id": "druid.kr.datasaker.io",
"lifecycle_rule": [],
"logging": [],
"object_lock_configuration": [],
"object_lock_enabled": false,
"policy": "",
"region": "ap-northeast-2",
"replication_configuration": [],
"request_payer": "BucketOwner",
"server_side_encryption_configuration": [],
"tags": {
"Name": "druid.kr.datasaker.io"
},
"tags_all": {
"Name": "druid.kr.datasaker.io"
},
"timeouts": null,
"versioning": [
{
"enabled": false,
"mfa_delete": false
}
],
"website": [],
"website_domain": null,
"website_endpoint": null
},
"sensitive_attributes": [],
"private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxMjAwMDAwMDAwMDAwLCJkZWxldGUiOjM2MDAwMDAwMDAwMDAsInJlYWQiOjEyMDAwMDAwMDAwMDAsInVwZGF0ZSI6MTIwMDAwMDAwMDAwMH19"
}
]
}
],
"check_results": []
}

57
aws_middle/druid/terraform.tfstate.backup Normal file
View File

@@ -0,0 +1,57 @@
{
"version": 4,
"terraform_version": "1.3.1",
"serial": 4,
"lineage": "88958e46-0322-1f4d-59ba-b9b62c65d924",
"outputs": {},
"resources": [
{
"mode": "managed",
"type": "aws_iam_user",
"name": "druid-s3-prod",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"arn": "arn:aws:iam::508259851457:user/druid-s3-prod",
"force_destroy": false,
"id": "druid-s3-prod",
"name": "druid-s3-prod",
"path": "/",
"permissions_boundary": null,
"tags": null,
"tags_all": {},
"unique_id": "AIDAXMVVF3TAQSOASXJXC"
},
"sensitive_attributes": [],
"private": "bnVsbA=="
}
]
},
{
"mode": "managed",
"type": "aws_iam_user_policy",
"name": "druid-s3-policy",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"id": "druid-s3-prod:druid-s3-policy",
"name": "druid-s3-policy",
"name_prefix": null,
"policy": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"s3:*\",\n \"s3-object-lambda:*\"\n ],\n \"Resource\": \"*\"\n }\n ]\n}\n",
"user": "druid-s3-prod"
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"aws_iam_user.druid-s3-prod"
]
}
]
}
],
"check_results": []
}

8
aws_middle/vault/00-main.tf Normal file
View File

@@ -0,0 +1,8 @@
provider "aws" {
region = var.aws_region
}
resource "random_pet" "env" {
length = 2
separator = "_"
}

55
aws_middle/vault/01-instance-profile.tf Normal file
View File

@@ -0,0 +1,55 @@
resource "aws_kms_key" "vault" {
description = "Vault unseal key"
deletion_window_in_days = 10
tags = {
Name = "vault-kms-unseal-${random_pet.env.id}"
}
}
resource "aws_kms_alias" "vault-a" {
name = "alias/prod-vault-auto-unseal"
target_key_id = aws_kms_key.vault.key_id
}
data "aws_iam_policy_document" "assume_role" {
statement {
effect = "Allow"
actions = ["sts:AssumeRole"]
principals {
type = "Service"
identifiers = ["ec2.amazonaws.com"]
}
}
}
data "aws_iam_policy_document" "vault-kms-unseal" {
statement {
sid = "VaultKMSUnseal"
effect = "Allow"
resources = [aws_kms_key.vault.arn]
actions = [
"kms:Encrypt",
"kms:Decrypt",
"kms:DescribeKey",
]
}
}
resource "aws_iam_role" "vault-kms-unseal" {
name = "vault-kms-role-${random_pet.env.id}"
assume_role_policy = data.aws_iam_policy_document.assume_role.json
}
resource "aws_iam_role_policy" "vault-kms-unseal" {
name = "Vault-KMS-Unseal-${random_pet.env.id}"
role = aws_iam_role.vault-kms-unseal.id
policy = data.aws_iam_policy_document.vault-kms-unseal.json
}
resource "aws_iam_instance_profile" "vault-kms-unseal" {
name = "vault-kms-unseal-${random_pet.env.id}"
role = aws_iam_role.vault-kms-unseal.name
}

3
aws_middle/vault/02-versions.tf Normal file
View File

@@ -0,0 +1,3 @@
terraform {
required_version = ">= 0.12"
}

7
aws_middle/vault/10-variables.tf Normal file
View File

@@ -0,0 +1,7 @@
variable "aws_region" {
default = "ap-northeast-2"
}
variable "aws_zone" {
default = "ap-northeast-2b"
}

31
aws_middle/vault/README.md Normal file
View File

@@ -0,0 +1,31 @@
# Vault Auto-unseal using AWS KMS
These assets are provided to perform the tasks described in the [Vault Auto-unseal with AWS KMS](https://learn.hashicorp.com/vault/operations/ops-autounseal-aws-kms) guide.
---
## Demo Steps
### Setup
1. Set this location as your working directory
1. Set your AWS credentials as environment variables: `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`
1. Set Vault Enterprise URL in a file named `terraform.tfvars` (see `terraform.tfvars.example`)
### Commands Cheat Sheet
```bash
# Pull necessary plugins
$ terraform init
$ terraform plan
# Output provides the SSH instruction
$ terraform apply
#----------------------------------
# Clean up...
$ terraform destroy -force
$ rm -rf .terraform terraform.tfstate* private.key
```

272
aws_middle/vault/terraform.tfstate Normal file
View File

@@ -0,0 +1,272 @@
{
"version": 4,
"terraform_version": "1.3.1",
"serial": 14,
"lineage": "e3e93a0f-93ed-63a2-17ab-4fa507053640",
"outputs": {},
"resources": [
{
"mode": "data",
"type": "aws_iam_policy_document",
"name": "assume_role",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"id": "1903849331",
"json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"sts:AssumeRole\",\n \"Principal\": {\n \"Service\": \"ec2.amazonaws.com\"\n }\n }\n ]\n}",
"override_json": null,
"override_policy_documents": null,
"policy_id": null,
"source_json": null,
"source_policy_documents": null,
"statement": [
{
"actions": [
"sts:AssumeRole"
],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [
{
"identifiers": [
"ec2.amazonaws.com"
],
"type": "Service"
}
],
"resources": [],
"sid": ""
}
],
"version": "2012-10-17"
},
"sensitive_attributes": []
}
]
},
{
"mode": "data",
"type": "aws_iam_policy_document",
"name": "vault-kms-unseal",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"id": "2560863897",
"json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"VaultKMSUnseal\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"kms:Encrypt\",\n \"kms:DescribeKey\",\n \"kms:Decrypt\"\n ],\n \"Resource\": \"arn:aws:kms:ap-northeast-2:508259851457:key/c7641fb7-1689-4ec0-80ea-8b931deeb5a1\"\n }\n ]\n}",
"override_json": null,
"override_policy_documents": null,
"policy_id": null,
"source_json": null,
"source_policy_documents": null,
"statement": [
{
"actions": [
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt"
],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": [
"arn:aws:kms:ap-northeast-2:508259851457:key/c7641fb7-1689-4ec0-80ea-8b931deeb5a1"
],
"sid": "VaultKMSUnseal"
}
],
"version": "2012-10-17"
},
"sensitive_attributes": []
}
]
},
{
"mode": "managed",
"type": "aws_iam_instance_profile",
"name": "vault-kms-unseal",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"arn": "arn:aws:iam::508259851457:instance-profile/vault-kms-unseal-mighty_terrier",
"create_date": "2022-12-12T08:20:12Z",
"id": "vault-kms-unseal-mighty_terrier",
"name": "vault-kms-unseal-mighty_terrier",
"name_prefix": null,
"path": "/",
"role": "vault-kms-role-mighty_terrier",
"tags": {},
"tags_all": {},
"unique_id": "AIPAXMVVF3TAVAWIQ62TS"
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"aws_iam_role.vault-kms-unseal",
"data.aws_iam_policy_document.assume_role",
"random_pet.env"
]
}
]
},
{
"mode": "managed",
"type": "aws_iam_role",
"name": "vault-kms-unseal",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"arn": "arn:aws:iam::508259851457:role/vault-kms-role-mighty_terrier",
"assume_role_policy": "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"ec2.amazonaws.com\"},\"Sid\":\"\"}],\"Version\":\"2012-10-17\"}",
"create_date": "2022-12-12T08:20:10Z",
"description": "",
"force_detach_policies": false,
"id": "vault-kms-role-mighty_terrier",
"inline_policy": [
{
"name": "Vault-KMS-Unseal-mighty_terrier",
"policy": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"VaultKMSUnseal\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"kms:Encrypt\",\n \"kms:DescribeKey\",\n \"kms:Decrypt\"\n ],\n \"Resource\": \"arn:aws:kms:ap-northeast-2:508259851457:key/c7641fb7-1689-4ec0-80ea-8b931deeb5a1\"\n }\n ]\n}"
}
],
"managed_policy_arns": [],
"max_session_duration": 3600,
"name": "vault-kms-role-mighty_terrier",
"name_prefix": "",
"path": "/",
"permissions_boundary": null,
"tags": {},
"tags_all": {},
"unique_id": "AROAXMVVF3TA3MJDOSJFJ"
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"data.aws_iam_policy_document.assume_role",
"random_pet.env"
]
}
]
},
{
"mode": "managed",
"type": "aws_iam_role_policy",
"name": "vault-kms-unseal",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"id": "vault-kms-role-mighty_terrier:Vault-KMS-Unseal-mighty_terrier",
"name": "Vault-KMS-Unseal-mighty_terrier",
"name_prefix": null,
"policy": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"VaultKMSUnseal\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"kms:Encrypt\",\n \"kms:DescribeKey\",\n \"kms:Decrypt\"\n ],\n \"Resource\": \"arn:aws:kms:ap-northeast-2:508259851457:key/c7641fb7-1689-4ec0-80ea-8b931deeb5a1\"\n }\n ]\n}",
"role": "vault-kms-role-mighty_terrier"
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"aws_iam_role.vault-kms-unseal",
"data.aws_iam_policy_document.assume_role",
"data.aws_iam_policy_document.vault-kms-unseal",
"random_pet.env"
]
}
]
},
{
"mode": "managed",
"type": "aws_kms_alias",
"name": "vault-a",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"arn": "arn:aws:kms:ap-northeast-2:508259851457:alias/prod-vault-auto-unseal",
"id": "alias/prod-vault-auto-unseal",
"name": "alias/prod-vault-auto-unseal",
"name_prefix": "",
"target_key_arn": "arn:aws:kms:ap-northeast-2:508259851457:key/c7641fb7-1689-4ec0-80ea-8b931deeb5a1",
"target_key_id": "c7641fb7-1689-4ec0-80ea-8b931deeb5a1"
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"aws_kms_key.vault",
"random_pet.env"
]
}
]
},
{
"mode": "managed",
"type": "aws_kms_key",
"name": "vault",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"arn": "arn:aws:kms:ap-northeast-2:508259851457:key/c7641fb7-1689-4ec0-80ea-8b931deeb5a1",
"bypass_policy_lockout_safety_check": false,
"custom_key_store_id": "",
"customer_master_key_spec": "SYMMETRIC_DEFAULT",
"deletion_window_in_days": 10,
"description": "Vault unseal key",
"enable_key_rotation": false,
"id": "c7641fb7-1689-4ec0-80ea-8b931deeb5a1",
"is_enabled": true,
"key_id": "c7641fb7-1689-4ec0-80ea-8b931deeb5a1",
"key_usage": "ENCRYPT_DECRYPT",
"multi_region": false,
"policy": "{\"Id\":\"key-default-1\",\"Statement\":[{\"Action\":\"kms:*\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::508259851457:root\"},\"Resource\":\"*\",\"Sid\":\"Enable IAM User Permissions\"}],\"Version\":\"2012-10-17\"}",
"tags": {
"Name": "vault-kms-unseal-mighty_terrier"
},
"tags_all": {
"Name": "vault-kms-unseal-mighty_terrier"
}
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"random_pet.env"
]
}
]
},
{
"mode": "managed",
"type": "random_pet",
"name": "env",
"provider": "provider[\"registry.terraform.io/hashicorp/random\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"id": "mighty_terrier",
"keepers": null,
"length": 2,
"prefix": null,
"separator": "_"
},
"sensitive_attributes": []
}
]
}
],
"check_results": []
}

243
aws_middle/vault/terraform.tfstate.backup Normal file
View File

@@ -0,0 +1,243 @@
{
"version": 4,
"terraform_version": "1.3.1",
"serial": 7,
"lineage": "e3e93a0f-93ed-63a2-17ab-4fa507053640",
"outputs": {},
"resources": [
{
"mode": "data",
"type": "aws_iam_policy_document",
"name": "assume_role",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"id": "1903849331",
"json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"sts:AssumeRole\",\n \"Principal\": {\n \"Service\": \"ec2.amazonaws.com\"\n }\n }\n ]\n}",
"override_json": null,
"override_policy_documents": null,
"policy_id": null,
"source_json": null,
"source_policy_documents": null,
"statement": [
{
"actions": [
"sts:AssumeRole"
],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [
{
"identifiers": [
"ec2.amazonaws.com"
],
"type": "Service"
}
],
"resources": [],
"sid": ""
}
],
"version": "2012-10-17"
},
"sensitive_attributes": []
}
]
},
{
"mode": "data",
"type": "aws_iam_policy_document",
"name": "vault-kms-unseal",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"id": "2560863897",
"json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"VaultKMSUnseal\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"kms:Encrypt\",\n \"kms:DescribeKey\",\n \"kms:Decrypt\"\n ],\n \"Resource\": \"arn:aws:kms:ap-northeast-2:508259851457:key/c7641fb7-1689-4ec0-80ea-8b931deeb5a1\"\n }\n ]\n}",
"override_json": null,
"override_policy_documents": null,
"policy_id": null,
"source_json": null,
"source_policy_documents": null,
"statement": [
{
"actions": [
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt"
],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": [
"arn:aws:kms:ap-northeast-2:508259851457:key/c7641fb7-1689-4ec0-80ea-8b931deeb5a1"
],
"sid": "VaultKMSUnseal"
}
],
"version": "2012-10-17"
},
"sensitive_attributes": []
}
]
},
{
"mode": "managed",
"type": "aws_iam_instance_profile",
"name": "vault-kms-unseal",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"arn": "arn:aws:iam::508259851457:instance-profile/vault-kms-unseal-mighty_terrier",
"create_date": "2022-12-12T08:20:12Z",
"id": "vault-kms-unseal-mighty_terrier",
"name": "vault-kms-unseal-mighty_terrier",
"name_prefix": null,
"path": "/",
"role": "vault-kms-role-mighty_terrier",
"tags": null,
"tags_all": {},
"unique_id": "AIPAXMVVF3TAVAWIQ62TS"
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"aws_iam_role.vault-kms-unseal",
"data.aws_iam_policy_document.assume_role",
"random_pet.env"
]
}
]
},
{
"mode": "managed",
"type": "aws_iam_role",
"name": "vault-kms-unseal",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"arn": "arn:aws:iam::508259851457:role/vault-kms-role-mighty_terrier",
"assume_role_policy": "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"ec2.amazonaws.com\"},\"Sid\":\"\"}],\"Version\":\"2012-10-17\"}",
"create_date": "2022-12-12T08:20:10Z",
"description": "",
"force_detach_policies": false,
"id": "vault-kms-role-mighty_terrier",
"inline_policy": [],
"managed_policy_arns": [],
"max_session_duration": 3600,
"name": "vault-kms-role-mighty_terrier",
"name_prefix": "",
"path": "/",
"permissions_boundary": null,
"tags": null,
"tags_all": {},
"unique_id": "AROAXMVVF3TA3MJDOSJFJ"
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"data.aws_iam_policy_document.assume_role",
"random_pet.env"
]
}
]
},
{
"mode": "managed",
"type": "aws_iam_role_policy",
"name": "vault-kms-unseal",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"id": "vault-kms-role-mighty_terrier:Vault-KMS-Unseal-mighty_terrier",
"name": "Vault-KMS-Unseal-mighty_terrier",
"name_prefix": null,
"policy": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"VaultKMSUnseal\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"kms:Encrypt\",\n \"kms:DescribeKey\",\n \"kms:Decrypt\"\n ],\n \"Resource\": \"arn:aws:kms:ap-northeast-2:508259851457:key/c7641fb7-1689-4ec0-80ea-8b931deeb5a1\"\n }\n ]\n}",
"role": "vault-kms-role-mighty_terrier"
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"aws_iam_role.vault-kms-unseal",
"aws_kms_key.vault",
"data.aws_iam_policy_document.assume_role",
"data.aws_iam_policy_document.vault-kms-unseal",
"random_pet.env"
]
}
]
},
{
"mode": "managed",
"type": "aws_kms_key",
"name": "vault",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"arn": "arn:aws:kms:ap-northeast-2:508259851457:key/c7641fb7-1689-4ec0-80ea-8b931deeb5a1",
"bypass_policy_lockout_safety_check": false,
"custom_key_store_id": "",
"customer_master_key_spec": "SYMMETRIC_DEFAULT",
"deletion_window_in_days": 10,
"description": "Vault unseal key",
"enable_key_rotation": false,
"id": "c7641fb7-1689-4ec0-80ea-8b931deeb5a1",
"is_enabled": true,
"key_id": "c7641fb7-1689-4ec0-80ea-8b931deeb5a1",
"key_usage": "ENCRYPT_DECRYPT",
"multi_region": false,
"policy": "{\"Id\":\"key-default-1\",\"Statement\":[{\"Action\":\"kms:*\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::508259851457:root\"},\"Resource\":\"*\",\"Sid\":\"Enable IAM User Permissions\"}],\"Version\":\"2012-10-17\"}",
"tags": {
"Name": "vault-kms-unseal-mighty_terrier"
},
"tags_all": {
"Name": "vault-kms-unseal-mighty_terrier"
}
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"random_pet.env"
]
}
]
},
{
"mode": "managed",
"type": "random_pet",
"name": "env",
"provider": "provider[\"registry.terraform.io/hashicorp/random\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"id": "mighty_terrier",
"keepers": null,
"length": 2,
"prefix": null,
"separator": "_"
},
"sensitive_attributes": []
}
]
}
],
"check_results": []
}