✨ (backend): Adds tf backend user and role

aws-iam-backend.tf

@@ -0,0 +1,166 @@
+module "label_backend" {
+  count   = var.backend_user.create ? 1 : 0
+  source  = "bendoerr-terraform-modules/label/null"
+  version = "0.4.1"
+  context = var.context
+  name    = "backend"
+}
+
+resource "aws_iam_user" "backend" {
+  count         = var.backend_user.create ? 1 : 0
+  name          = module.label_backend[0].id
+  tags          = module.label_backend[0].tags
+  force_destroy = try(var.backend_user.force_destroy, null)
+}
+
+resource "aws_iam_access_key" "backend" {
+  count   = var.backend_user.create ? 1 : 0
+  user    = aws_iam_user.backend[0].name
+  pgp_key = var.backend_user.pgp_key
+}
+
+data "aws_iam_user" "backend" {
+  count     = var.backend_user.create ? 0 : 1
+  user_name = var.backend_user.name
+}
+
+module "label_backend_dynamodb_rw" {
+  count   = var.backend_role.dynamodb_policy.create ? 1 : 0
+  source  = "bendoerr-terraform-modules/label/null"
+  version = "0.4.1"
+  context = var.context
+  name    = "backend-dynamodb-rw"
+}
+
+data "aws_iam_policy_document" "backend_dynamodb_rw" {
+  count = var.backend_role.dynamodb_policy.create ? 1 : 0
+
+  statement {
+    sid     = replace("${module.label_backend_dynamodb_rw[0].id}-0", "-", "")
+    effect  = "Allow"
+    actions = [
+      "dynamodb:DeleteItem",
+      "dynamodb:GetItem",
+      "dynamodb:PutItem",
+    ]
+    resources = [var.backend_role.dynamodb_policy.table_arn]
+  }
+
+  dynamic "statement" {
+    for_each = var.backend_role.dynamodb_policy.kms_key != null ? ["this"] : []
+    content {
+      sid     =  replace("${module.label_backend_dynamodb_rw[0].id}-1", "-", "")
+      effect  = "Allow"
+      actions = [
+        "kms:Encrypt",
+        "kms:Decrypt",
+      ]
+      resources = [var.backend_role.dynamodb_policy.kms_key]
+    }
+  }
+}
+
+resource "aws_iam_policy" "backend_dynamodb_rw" {
+  count  = var.backend_role.dynamodb_policy.create ? 1 : 0
+  name   = module.label_backend_dynamodb_rw[0].id
+  tags   = module.label_backend_dynamodb_rw[0].tags
+  policy = data.aws_iam_policy_document.backend_dynamodb_rw[0].json
+}
+
+module "label_backend_s3_rw" {
+  count   = var.backend_role.s3_policy.create ? 1 : 0
+  source  = "bendoerr-terraform-modules/label/null"
+  version = "0.4.1"
+  context = var.context
+  name    = "backend-s3-rw"
+}
+
+data "aws_iam_policy_document" "backend_s3_rw" {
+  count = var.backend_role.s3_policy.create ? 1 : 0
+
+  statement {
+    sid     = replace("${module.label_backend_s3_rw[0].id}-0", "-", "")
+    effect  = "Allow"
+    actions = [
+      "s3:ListBucket",
+    ]
+    resources = [var.backend_role.s3_policy.bucket_arn]
+  }
+
+  statement {
+    sid     = replace("${module.label_backend_s3_rw[0].id}-1", "-", "")
+    effect  = "Allow"
+    actions = [
+      "s3:GetObject",
+      "s3:PutObject",
+    ]
+    resources = ["${var.backend_role.s3_policy.bucket_arn}:*"]
+  }
+
+  dynamic "statement" {
+    for_each = var.backend_role.s3_policy.kms_key != null ? ["this"] : []
+    content {
+      sid     = replace("${module.label_backend_s3_rw[0].id}-2", "-", "")
+      effect  = "Allow"
+      actions = [
+        "kms:Encrypt",
+        "kms:Decrypt",
+      ]
+      resources = [var.backend_role.s3_policy.kms_key]
+    }
+  }
+}
+
+resource "aws_iam_policy" "backend_s3_rw" {
+  count  = var.backend_role.s3_policy.create ? 1 : 0
+  name   = module.label_backend_s3_rw[0].id
+  tags   = module.label_backend_s3_rw[0].tags
+  policy = data.aws_iam_policy_document.backend_s3_rw[0].json
+}
+
+data "aws_iam_policy_document" "assume_role" {
+  count = var.backend_role.create ? 1 : 0
+
+  statement {
+    sid     = replace("${module.label_backend[0].id}-0", "-", "")
+    actions = ["sts:AssumeRole"]
+    principals {
+      type        = "AWS"
+      identifiers = [
+        var.backend_user.create ? aws_iam_user.backend[0].arn : data.aws_iam_user.backend[0].arn
+      ]
+    }
+  }
+
+  dynamic "statement" {
+    for_each = range(length(coalesce(var.backend_role.extra_principals, [])))
+    content {
+      sid     = replace("${module.label_backend[0].id}-${statement.key + 1}", "-", "")
+      actions = ["sts:AssumeRole"]
+      principals {
+        type        = var.backend_role.extra_principals[statement.key].type
+        identifiers = var.backend_role.extra_principals[statement.key].identifiers
+      }
+    }
+  }
+}
+
+resource "aws_iam_role" "backend" {
+  count              = var.backend_role.create ? 1 : 0
+  name               = module.label_backend[0].id
+  tags               = module.label_backend[0].tags
+  assume_role_policy = data.aws_iam_policy_document.assume_role[0].json
+}
+
+resource "aws_iam_role_policy_attachment" "backend_dynamodb" {
+  count      = var.backend_role.create ? 1 : 0
+  role       = aws_iam_role.backend[0].id
+  policy_arn = var.backend_role.dynamodb_policy.create ? aws_iam_policy.backend_dynamodb_rw[0].arn : var.backend_role.dynamodb_policy.policy_arn
+}
+
+resource "aws_iam_role_policy_attachment" "backend_s3" {
+  count      = var.backend_role.create ? 1 : 0
+  role       = aws_iam_role.backend[0].id
+  policy_arn = var.backend_role.s3_policy.create ? aws_iam_policy.backend_s3_rw[0].arn : var.backend_role.s3_policy.policy_arn
+}
+

examples/simple/ctx.tf

@@ -0,0 +1,27 @@
+terraform {
+  required_version = ">= 0.13"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+}
+
+provider "aws" {
+  region = "us-east-1"
+}
+
+variable "namespace" {
+  type = string
+}
+
+module "context" {
+  source      = "bendoerr-terraform-modules/context/null"
+  version     = "0.4.1"
+  namespace   = var.namespace
+  environment = "example"
+  role        = "tfuser"
+  region      = "us-east-1"
+  project     = "simple"
+}

examples/simple/infracost-usage.yml

@@ -0,0 +1,47 @@
+# You can use this file to define resource usage estimates for Infracost to use when calculating
+# the cost of usage-based resource, such as AWS S3 or Lambda.
+# `infracost breakdown --usage-file infracost-usage.yml [other flags]`
+# See https://infracost.io/usage-file/ for docs
+version: 0.1
+resource_usage:
+  module.tfuser.module.store.aws_s3_bucket.this[0]:
+    standard:
+      storage_gb:
+        # Total storage in GB.
+        # Estimate 10 workspaces at 2MB each
+        0.02
+
+      monthly_tier_1_requests:
+        # Monthly PUT, COPY, POST, LIST requests (Tier 1).
+        # 2 LIST & 1 PUT per apply
+        # Estimate: 5 applies a day for each workspace
+        #   = 3 * 5 * 10 * 30 = 4500
+        4500
+
+      monthly_tier_2_requests:
+        # Monthly GET, SELECT, and all other requests (Tier 2).
+        # 2 GET per apply
+        # Estimate: 5 applies a day for each workspace
+        #   = 2 * 5 * 10 * 30 = 3000
+        3000
+
+      monthly_select_data_scanned_gb: 0.0 # Monthly data scanned by S3 Select in GB.
+      monthly_select_data_returned_gb: 0.0 # Monthly data returned by S3 Select in GB.
+
+  module.tfuser.aws_dynamodb_table.locks:
+    monthly_write_request_units:
+      # Monthly write request units in (used for on-demand DynamoDB).
+      # Estimate: 1 per apply 5 applies a day for each workspace
+      #   = 5 * 10 * 30
+      1500
+
+    monthly_read_request_units:
+      # Monthly write request units in (used for on-demand DynamoDB).
+      1500
+
+    storage_gb: 0.0000001 # Total storage for tables in GB.
+
+    pitr_backup_storage_gb: 0 # Total storage for Point-In-Time Recovery (PITR) backups in GB.
+    on_demand_backup_storage_gb: 0 # Total storage for on-demand backups in GB.
+    monthly_data_restored_gb: 0 # Monthly size of restored data in GB.
+    monthly_streams_read_request_units: 0 # Monthly streams read request units.

examples/simple/main.tf

@@ -0,0 +1,21 @@
+module "tfuser" {
+  source  = "../.."
+  context = module.context.shared
+
+  backend_user = {
+    create : true,
+    pgp_key : "keybase:bendoerr"
+  }
+
+  backend_role = {
+    create = true
+    dynamodb_policy = {
+      create    = true
+      table_arn = "example:table:arn"
+    }
+    s3_policy = {
+      create     = true
+      bucket_arn = "example:bucket:arn"
+    }
+  }
+}

outputs.tf

@@ -0,0 +1,35 @@
+output "backend_user_arn" {
+  value = var.backend_user.create ? aws_iam_user.backend[0].arn : ""
+}
+
+output "backend_user_name" {
+  value = var.backend_user.create ? aws_iam_user.backend[0].name : ""
+}
+
+output "backend_user_unique_id" {
+  value = var.backend_user.create ? aws_iam_user.backend[0].unique_id : ""
+}
+
+output "backend_user_access_key_id" {
+  value = var.backend_user.create ? aws_iam_access_key.backend[0].id : ""
+}
+
+output "backend_user_access_key_encrypted_secret" {
+  value = var.backend_user.create ? aws_iam_access_key.backend[0].encrypted_secret : ""
+}
+
+output "backend_role_arn" {
+  value = var.backend_role.create ? aws_iam_role.backend[0].arn : ""
+}
+
+output "backend_role_name" {
+  value = var.backend_role.create ? aws_iam_role.backend[0].name : ""
+}
+
+output "backend_dynamodb_rw_policy_arn" {
+  value = var.backend_role.dynamodb_policy.create ? aws_iam_policy.backend_s3_rw[0].arn : var.backend_role.s3_policy.policy_arn
+}
+
+output "backend_s3_rw_policy_arn" {
+  value = var.backend_role.s3_policy.create ? aws_iam_policy.backend_s3_rw[0].arn : var.backend_role.s3_policy.policy_arn
+}