harcoded tag keys removed and a map added instead (opsgang#4)

ludzzz · May 16, 2018 · c7aaa62 · c7aaa62
1 parent 0832229
commit c7aaa62
Show file tree

Hide file tree

Showing 7 changed files with 94 additions and 96 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,15 +1,15 @@
 - repo: git://github.com/pre-commit/pre-commit-hooks
-  sha: v0.9.1
+  sha: v1.2.3
   hooks:
   - id: trailing-whitespace
 
 - repo: git://github.com/Lucas-C/pre-commit-hooks
-  sha: v1.0.1
+  sha: v1.1.5
   hooks:
   - id: forbid-tabs
 
 - repo: git://github.com/kintoandar/pre-commit.git
-  sha: v0.0.2
+  sha: v2.1.0
   hooks:
   - id: terraform_fmt
   - id: terraform_validate
diff --git a/README.md b/README.md
@@ -22,41 +22,39 @@ After provisioning, don't forget to run commands below:
 * **ami_id:** Amazon Linux AMI ID
 * **instance_type:** Instance type of the VPN box (t2.small is mostly enough)
 * **office_ip_cidrs:** List of office IP addresses that you can SSH and non-VPN connected users can reach temporary profile download pages
-* AWS Tags
-  * **tag_product**
-  * **tag_env**
-  * **tag_purpose**
-  * **tag_role**
+* **tags**: Map of AWS Tag key and values
 
 # Outputs
 * **vpn_instance_private_ip_address:** Private IP address of the instance
 * **vpn_public_ip_addres:** EIP of the VPN box
+* **vpn_management_ui:** URL for the management UI
 
 
 # Usage
 
 ```
-
 provider "aws" {
-	region="eu-west-1"
+  region  = "eu-west-2"
 }
 
 module "app_pritunl" {
-  source           = "github.com/opsgang/terraform_pritunl?ref=1.0.0"
-
-  aws_key_name     = "org-eu-west-1"
-  vpc_id           = "${module.vpc.vpc_id}"
-  public_subnet_id = "${module.vpc.public_subnets[1]}"
-  ami_id           = "ami-01ccc867"
-  instance_type    = "t2.small"
-  office_ip_cidrs  = [
-                      "8.8.8.8/32"
+  source = "github.com/opsgang/terraform_pritunl?ref=1.1.0"
+
+  aws_key_name         = "org-eu-west-2"
+  vpc_id               = "${module.vpc.vpc_id}"
+  public_subnet_id     = "${module.vpc.public_subnets[1]}"
+  ami_id               = "ami-403e2524"
+  instance_type        = "t2.nano"
+  resource_name_prefix = "agate-pritunl"
+
+  whitelist = [
+    "8.8.8.8/32",
   ]
 
-  tag_product      = "vpn"
-  tag_env          = "dev"
-  tag_purpose      = "networking"
-  tag_role         = "vpn"
+  tags {
+    "role" = "vpn"
+    "env"  = "prod"
+  }
 }
 ```
 

diff --git a/main.tf b/main.tf
@@ -9,34 +9,32 @@ data "template_file" "user_data" {
 
   vars {
     aws_region           = "${data.aws_region.current.name}"
-    s3_backup_bucket     = "${var.tag_product}-${var.tag_env}-backup"
-    credstash_table_name = "credstash-${var.tag_product}-${var.tag_env}"
+    s3_backup_bucket     = "${var.resource_name_prefix}-backup"
+    credstash_table_name = "${var.resource_name_prefix}-credstash"
   }
 }
 
 data "template_file" "credstash_policy" {
   template = "${file("${path.module}/templates/key_policy.json.tpl")}"
 
   vars {
-    tag_product   = "${var.tag_product}"
-    tag_env       = "${var.tag_env}"
-    key_admin_arn = "${aws_iam_role.role.arn}"
-    account_id    = "${data.aws_caller_identity.current.account_id}"
+    resource_name_prefix = "${var.resource_name_prefix}"
+    key_admin_arn        = "${aws_iam_role.role.arn}"
+    account_id           = "${data.aws_caller_identity.current.account_id}"
   }
 }
 
 data "template_file" "iam_instance_role_policy" {
   template = "${file("${path.module}/templates/iam_instance_role_policy.json.tpl")}"
 
   vars {
-    tag_product      = "${var.tag_product}"
-    tag_env          = "${var.tag_env}"
-    db_credstash_arn = "${aws_dynamodb_table.db_credstash.arn}"
+    resource_name_prefix = "${var.resource_name_prefix}"
+    db_credstash_arn     = "${aws_dynamodb_table.db_credstash.arn}"
   }
 }
 
 resource "aws_dynamodb_table" "db_credstash" {
-  name           = "credstash-${var.tag_product}-${var.tag_env}"
+  name           = "${var.resource_name_prefix}-credstash"
   read_capacity  = 1
   write_capacity = 1
   hash_key       = "name"
@@ -52,13 +50,12 @@ resource "aws_dynamodb_table" "db_credstash" {
     type = "S"
   }
 
-  tags {
-    Name    = "credstash-${var.tag_product}-${var.tag_env}"
-    product = "${var.tag_product}"
-    env     = "${var.tag_env}"
-    purpose = "${var.tag_purpose}"
-    role    = "${var.tag_role}"
-  }
+  tags = "${
+            merge(
+              map("Name", format("%s-%s", var.resource_name_prefix, "credstash")),
+              var.tags,
+            )
+          }"
 }
 
 resource "null_resource" "waiter" {
@@ -72,32 +69,30 @@ resource "null_resource" "waiter" {
 resource "aws_kms_key" "credstash" {
   depends_on = ["null_resource.waiter"]
 
-  description = "Credstash space for ${var.tag_product}-${var.tag_env}"
+  description = "Credstash space for ${var.resource_name_prefix}"
 
-  #policy                  = "${data.template_file.credstash_policy.rendered}"
   policy                  = "${data.template_file.credstash_policy.rendered}"
   deletion_window_in_days = 7
   is_enabled              = true
   enable_key_rotation     = true
 
-  tags {
-    Name    = "credstash-${var.tag_product}-${var.tag_env}"
-    product = "${var.tag_product}"
-    env     = "${var.tag_env}"
-    purpose = "${var.tag_purpose}"
-    role    = "${var.tag_role}"
-  }
+  tags = "${
+            merge(
+              map("Name", format("%s-%s", var.resource_name_prefix, "credstash")),
+              var.tags,
+            )
+          }"
 }
 
 resource "aws_kms_alias" "credstash" {
   depends_on = ["aws_kms_key.credstash"]
 
-  name          = "alias/credstash-${var.tag_product}-${var.tag_env}"
+  name          = "alias/${var.resource_name_prefix}-credstash"
   target_key_id = "${aws_kms_key.credstash.key_id}"
 }
 
 resource "aws_s3_bucket" "backup" {
-  bucket = "${var.tag_product}-${var.tag_env}-backup"
+  bucket = "${var.resource_name_prefix}-backup"
   acl    = "private"
 
   lifecycle_rule {
@@ -111,18 +106,17 @@ resource "aws_s3_bucket" "backup" {
     abort_incomplete_multipart_upload_days = 7
   }
 
-  tags {
-    Name    = "${var.tag_product}-${var.tag_env}-backup"
-    product = "${var.tag_product}"
-    env     = "${var.tag_env}"
-    purpose = "${var.tag_purpose}"
-    role    = "${var.tag_role}"
-  }
+  tags = "${
+            merge(
+              map("Name", format("%s-%s", var.resource_name_prefix, "backup")),
+              var.tags,
+            )
+          }"
 }
 
 # ec2 iam role
 resource "aws_iam_role" "role" {
-  name = "${var.tag_product}-${var.tag_env}"
+  name = "${var.resource_name_prefix}"
 
   assume_role_policy = <<EOF
 {
@@ -144,21 +138,21 @@ EOF
 resource "aws_iam_role_policy" "policy" {
   depends_on = ["aws_iam_role.role"]
 
-  name   = "${var.tag_product}-${var.tag_env}"
+  name   = "${var.resource_name_prefix}-instance-policy"
   role   = "${aws_iam_role.role.id}"
   policy = "${data.template_file.iam_instance_role_policy.rendered}"
 }
 
 resource "aws_iam_instance_profile" "ec2_profile" {
   depends_on = ["aws_iam_role.role", "aws_iam_role_policy.policy"]
 
-  name = "${var.tag_product}-${var.tag_env}"
+  name = "${var.resource_name_prefix}-instance"
   role = "${aws_iam_role.role.name}"
 }
 
 resource "aws_security_group" "pritunl" {
-  name        = "${var.tag_product}-${var.tag_env}-pritunl-vpn"
-  description = "${var.tag_product}-${var.tag_env}-pritunl-vpn"
+  name        = "${var.resource_name_prefix}-vpn"
+  description = "${var.resource_name_prefix}-vpn"
   vpc_id      = "${var.vpc_id}"
 
   # SSH access
@@ -201,17 +195,16 @@ resource "aws_security_group" "pritunl" {
     cidr_blocks = ["0.0.0.0/0"]
   }
 
-  tags {
-    Name    = "${var.tag_product}-${var.tag_env}-pritunl-vpn"
-    product = "${var.tag_product}"
-    env     = "${var.tag_env}"
-    purpose = "${var.tag_purpose}"
-    role    = "${var.tag_role}"
-  }
+  tags = "${
+            merge(
+              map("Name", format("%s-%s", var.resource_name_prefix, "vpn")),
+              var.tags,
+            )
+          }"
 }
 
 resource "aws_security_group" "allow_from_office" {
-  name        = "${var.tag_product}-${var.tag_env}-allow-from-office"
+  name        = "${var.resource_name_prefix}-whitelist"
   description = "Allows SSH connections and HTTP(s) connections from office"
   vpc_id      = "${var.vpc_id}"
 
@@ -220,23 +213,23 @@ resource "aws_security_group" "allow_from_office" {
     from_port   = 22
     to_port     = 22
     protocol    = "tcp"
-    cidr_blocks = ["${var.office_ip_cidrs}"]
+    cidr_blocks = ["${var.whitelist}"]
   }
 
   # HTTP access
   ingress {
     from_port   = 443
     to_port     = 443
     protocol    = "tcp"
-    cidr_blocks = ["${var.office_ip_cidrs}"]
+    cidr_blocks = ["${var.whitelist}"]
   }
 
   # ICMP
   ingress {
     from_port   = -1
     to_port     = -1
     protocol    = "icmp"
-    cidr_blocks = ["${var.office_ip_cidrs}"]
+    cidr_blocks = ["${var.whitelist}"]
   }
 
   # outbound internet access
@@ -247,13 +240,12 @@ resource "aws_security_group" "allow_from_office" {
     cidr_blocks = ["0.0.0.0/0"]
   }
 
-  tags {
-    Name    = "${var.tag_product}-${var.tag_env}-allow-from-office"
-    product = "${var.tag_product}"
-    env     = "${var.tag_env}"
-    purpose = "${var.tag_purpose}"
-    role    = "${var.tag_role}"
-  }
+  tags = "${
+            merge(
+              map("Name", format("%s-%s", var.resource_name_prefix, "whitelist")),
+              var.tags,
+            )
+          }"
 }
 
 resource "aws_instance" "pritunl" {
@@ -270,13 +262,12 @@ resource "aws_instance" "pritunl" {
   subnet_id            = "${var.public_subnet_id}"
   iam_instance_profile = "${aws_iam_instance_profile.ec2_profile.name}"
 
-  tags {
-    Name    = "${var.tag_product}-${var.tag_env}-vpn"
-    product = "${var.tag_product}"
-    env     = "${var.tag_env}"
-    purpose = "${var.tag_purpose}"
-    role    = "${var.tag_role}"
-  }
+  tags = "${
+            merge(
+              map("Name", format("%s-%s", var.resource_name_prefix, "vpn")),
+              var.tags,
+            )
+          }"
 }
 
 resource "aws_eip" "pritunl" {

diff --git a/outputs.tf b/outputs.tf
@@ -5,3 +5,7 @@ output "vpn_instance_private_ip_address" {
 output "vpn_public_ip_addres" {
   value = "${aws_eip.pritunl.public_ip}"
 }
+
+output "vpn_management_ui" {
+  value = "https://${aws_eip.pritunl.public_ip}"
+}
diff --git a/templates/iam_instance_role_policy.json.tpl b/templates/iam_instance_role_policy.json.tpl
@@ -17,7 +17,7 @@
           "s3:ListBucket",
           "s3:GetBucketLocation"
         ],
-        "Resource": [ "arn:aws:s3:::${tag_product}-${tag_env}-backup" ]
+        "Resource": [ "arn:aws:s3:::${resource_name_prefix}-backup" ]
       },
       {
         "Effect": "Allow",
@@ -28,7 +28,7 @@
           "s3:List*",
           "s3:DeleteObject"
         ],
-        "Resource": [ "arn:aws:s3:::${tag_product}-${tag_env}-backup/*" ]
+        "Resource": [ "arn:aws:s3:::${resource_name_prefix}-backup/*" ]
       },
       {
         "Effect": "Allow",

diff --git a/templates/key_policy.json.tpl b/templates/key_policy.json.tpl
@@ -1,6 +1,6 @@
 {
   "Version": "2012-10-17",
-  "Id": "credstash-${tag_product}-${tag_env}-key",
+  "Id": "${resource_name_prefix}-credstash",
   "Statement": [
     {
       "Sid": "Enable IAM User Permissions",

diff --git a/variables.tf b/variables.tf
@@ -18,12 +18,17 @@ variable "instance_type" {
   description = "Instance type for VPN Box"
 }
 
-variable "office_ip_cidrs" {
+variable "whitelist" {
   description = "[List] Office IP CIDRs for SSH and HTTPS"
   type        = "list"
 }
 
-variable "tag_product" {}
-variable "tag_env" {}
-variable "tag_purpose" {}
-variable "tag_role" {}
+variable "tags" {
+  description = "A map of tags to add to all resources"
+  default     = {}
+}
+
+variable "resource_name_prefix" {
+  description = "All the resources will be prefixed with this varible"
+  default     = "pritunl"
+}