Merge pull request #32 from tfutils/release_1.6.1

Zordrak · web-flow · commit a7eae198b2ea · 2021-06-11T17:30:49.000+01:00
Update v1.6.1
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,22 @@
+## 1.6.1 (24/05/2021)
+
+FEATURES:
+
+ * Added `-d/--detailed-exitcode` to propagate terraform exit codes to shell
+ * Added `-n/--no-color` appends -co-color to all tf calls
+ * Added `-w/--compact-warnings` appends -compact-warnings to all terraform calls
+
+BUG FIXES:
+
+ * Getopt fixes
+ * Various small fixes
+
+NOTES:
+
+ * Support for early versions of terraform has been dropped (<0.11)
+ * Default backend bucket name has changed, pass in -b to overwrite
+ * Scaffold bootstrap updated
+
 ## 1.4.3 (16/12/2019)
 
  * Remove extraneous eval from secret parsing
diff --git a/README.md b/README.md
@@ -105,14 +105,17 @@ The terraformscaffold script is invoked as bin/terraform.sh. Once a state bucket
 
 ```bash
 bin/terraform.sh \
-  -a/--action        `action` \
-  -b/--bucket-prefix `bucket_prefix` \
-  -c/--component     `component_name` \
-  -e/--environment   `environment` \
-  -g/--group         `group` (optional) \
-  -i/--build-id      `build_id` (optional) \
-  -p/--project       `project` \
-  -r/--region        `region` \
+  -a/--action            `action` \
+  -b/--bucket-prefix     `bucket_prefix` \
+  -c/--component         `component_name` \
+  -e/--environment       `environment` \
+  -g/--group             `group` (optional) \
+  -i/--build-id          `build_id` (optional) \
+  -p/--project           `project` \
+  -r/--region            `region` \
+  -d/--detailed-exitcode (optional) \
+  -n/--no-color          (optional) \
+  -w/--compact-warnings  (optional) \
   -- \
   <additional arguments to forward to the terraform binary call>
 ```
@@ -133,4 +136,7 @@ Where:
 * `group` (optional): The name of the group to which the environment belongs, permitting the use of a group tfvars file as a "meta-environment" shared by more than one environment
 * `project`: The name of the project being deployed, as per the default bucket-prefix and state file keyspace
 * `region` (optional): The AWS region name unique to all components and terraform processes. Defaults to the value of the _AWS_DEFAULT_REGION_ environment variable.
+* `detailed-exitcode` (optional): Passes detailed exit code flag to terraform.
+* `no-color` (optional): Passes no-color flag to terraform.
+* `compact-warnings` (optional): Passes compact-warnings flag to terraform.
 * `additional arguments`: Any arguments provided after "--" will be passed directly to terraform as its own arguments, e.g. allowing the provision of a 'target=value' parameter.
diff --git a/bin/terraform.sh b/bin/terraform.sh
diff --git a/bootstrap/.terraform-version b/bootstrap/.terraform-version
@@ -1 +1 @@
-latest:^0.11
+0.14.7
diff --git a/bootstrap/data_iam_policy_document_bucket.tf b/bootstrap/data_iam_policy_document_bucket.tf
@@ -0,0 +1,68 @@
+data "aws_iam_policy_document" "bucket" {
+  statement {
+    sid    = "DontAllowNonSecureConnection"
+    effect = "Deny"
+
+    actions = [
+      "s3:*",
+    ]
+
+    resources = [
+      aws_s3_bucket.bucket.arn,
+      "${aws_s3_bucket.bucket.arn}/*",
+    ]
+
+    principals {
+      type = "AWS"
+
+      identifiers = [
+        "*",
+      ]
+    }
+
+    condition {
+      test = "Bool"
+      variable = "aws:SecureTransport"
+
+      values = [
+        "false",
+      ]
+    }
+  }
+
+  statement {
+    sid    = "AllowManagedAccountsToList"
+    effect = "Allow"
+
+    actions = [
+      "s3:ListBucket",
+    ]
+
+    resources = [
+      aws_s3_bucket.bucket.arn,
+    ]
+
+    principals {
+      type        = "AWS"
+      identifiers = local.ro_principals
+    }
+  }
+
+  statement {
+    sid    = "AllowManagedAccountsToGet"
+    effect = "Allow"
+
+    actions = [
+      "s3:GetObject",
+    ]
+
+    resources = [
+      "${aws_s3_bucket.bucket.arn}/*",
+    ]
+
+    principals {
+      type        = "AWS"
+      identifiers = local.ro_principals
+    }
+  }
+}
diff --git a/bootstrap/data_iam_policy_document_kms_key_s3.tf b/bootstrap/data_iam_policy_document_kms_key_s3.tf
@@ -0,0 +1,46 @@
+data "aws_iam_policy_document" "kms_key_s3" {
+  statement {
+    sid    = "AllowLocalIAMAdministration"
+    effect = "Allow"
+
+    actions = [
+      "*",
+    ]
+
+    resources = [
+      "*",
+    ]
+
+    principals {
+      type        = "AWS"
+      identifiers = [
+        "arn:aws:iam::${var.aws_account_id}:root",
+      ]
+    }
+  }
+
+  statement {
+    sid    = "AllowManagedAccountsToUse"
+    effect = "Allow"
+
+    actions = [
+      "kms:Decrypt",
+      "kms:DescribeKey",
+      "kms:Encrypt",
+      "kms:GenerateDataKey",
+      "kms:GenerateDataKeyPair",
+      "kms:GenerateDataKeyPairWithoutPlaintext",
+      "kms:GenerateDataKeyWithoutPlaintext",
+      "kms:ReEncrypt",
+    ]
+
+    resources = [
+      "*",
+    ]
+
+    principals {
+      type        = "AWS"
+      identifiers = local.ro_principals
+    }
+  }
+}
diff --git a/bootstrap/kms_key_s3.tf b/bootstrap/kms_key_s3.tf
@@ -0,0 +1,17 @@
+resource "aws_kms_key" "s3" {
+  description             = "tfscaffold Bootstrap S3 Bucket"
+  deletion_window_in_days = 10
+  enable_key_rotation     = true
+
+  policy = data.aws_iam_policy_document.kms_key_s3.json
+
+  # This does not use default tag map merging because bootstrapping is special
+  # You should use default tag map merging elsewhere
+  tags = {
+    Name        = "tfscaffold Bootstrap S3 Bucket"
+    Environment = var.environment
+    Project     = var.project
+    Component   = var.component
+    Account     = var.aws_account_id
+  }
+}
diff --git a/bootstrap/locals.tf b/bootstrap/locals.tf
@@ -0,0 +1,6 @@
+locals {
+  ro_principals = compact(distinct(flatten([
+    var.tfscaffold_ro_principals,
+    "arn:aws:iam::${var.aws_account_id}:root",
+  ])))
+}
diff --git a/bootstrap/outputs.tf b/bootstrap/outputs.tf
@@ -1,3 +1,23 @@
+output "bucket_arn" {
+  value = aws_s3_bucket.bucket.arn
+}
+
 output "bucket_name" {
-  value = "${aws_s3_bucket.bucket.id}"
+  value = aws_s3_bucket.bucket.id
+}
+
+output "bucket_policy" {
+  value = data.aws_iam_policy_document.bucket.json
+}
+
+output "kms_key_arn" {
+  value = aws_kms_key.s3.arn
+}
+
+output "kms_key_id" {
+  value = aws_kms_key.s3.id
+}
+
+output "kms_key_policy" {
+  value = data.aws_iam_policy_document.kms_key_s3.json
 }
diff --git a/bootstrap/provider_aws.tf b/bootstrap/provider_aws.tf
@@ -1,12 +1,12 @@
 # The default AWS provider in the default region
 provider "aws" {
-  region = "${var.region}"
+  region  = var.region
 
   # For no reason other than redundant safety
   # we only allow the use of the AWS Account
   # specified in the environment variables.
   # This helps to prevent accidents.
   allowed_account_ids = [
-    "${var.aws_account_id}",
+    var.aws_account_id,
   ]
 }
diff --git a/bootstrap/s3_bucket.tf b/bootstrap/s3_bucket.tf
@@ -1,15 +1,11 @@
 resource "aws_s3_bucket" "bucket" {
-  bucket = "${var.bucket_name}"
+  bucket = var.bucket_name
   acl    = "private"
 
   force_destroy = "false"
 
-  versioning {
-    enabled = "true"
-  }
-
   lifecycle_rule {
-    prefix  = "/"
+    prefix  = ""
     enabled = "true"
 
     noncurrent_version_transition {
@@ -27,13 +23,26 @@ resource "aws_s3_bucket" "bucket" {
     }
   }
 
+  server_side_encryption_configuration {
+    rule {
+      apply_server_side_encryption_by_default {
+        kms_master_key_id = aws_kms_key.s3.arn
+        sse_algorithm     = "aws:kms"
+      }
+    }
+  }
+
+  versioning {
+    enabled = "true"
+  }
+
   # This does not use default tag map merging because bootstrapping is special
   # You should use default tag map merging elsewhere
-  tags {
-    "Name"        = "Terraform Scaffold State File Bucket for account ${var.aws_account_id} in region ${var.region}"
-    "Environment" = "${var.environment}"
-    "Project"     = "${var.project}"
-    "Component"   = "${var.component}"
-    "Account"     = "${var.aws_account_id}"
+  tags = {
+    Name        = "Terraform Scaffold State File Bucket for account ${var.aws_account_id} in region ${var.region}"
+    Environment = var.environment
+    Project     = var.project
+    Component   = var.component
+    Account     = var.aws_account_id
   }
 }
diff --git a/bootstrap/s3_bucket_policy.tf b/bootstrap/s3_bucket_policy.tf
@@ -0,0 +1,8 @@
+resource "aws_s3_bucket_policy" "bucket" {
+  bucket = aws_s3_bucket.bucket.id
+  policy = data.aws_iam_policy_document.bucket.json
+
+  depends_on = [
+    aws_s3_bucket_public_access_block.bucket,
+  ]
+}
diff --git a/bootstrap/s3_bucket_public_access_block.tf b/bootstrap/s3_bucket_public_access_block.tf
@@ -0,0 +1,8 @@
+resource "aws_s3_bucket_public_access_block" "bucket" {
+  bucket = aws_s3_bucket.bucket.id
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
diff --git a/bootstrap/variables.tf b/bootstrap/variables.tf
@@ -1,31 +1,37 @@
 variable "project" {
-  type        = "string"
-  description = "The name of the Project we are bootstrapping terraformscaffold for"
+  type        = string
+  description = "The name of the Project we are bootstrapping tfscaffold for"
 }
 
 variable "aws_account_id" {
-  type        = "string"
-  description = "The AWS Account ID into which we are bootstrapping terraformscaffold"
+  type        = string
+  description = "The AWS Account ID into which we are bootstrapping tfscaffold"
 }
 
 variable "region" {
-  type        = "string"
-  description = "The AWS Region into which we are bootstrapping terraformscaffold"
+  type        = string
+  description = "The AWS Region into which we are bootstrapping tfscaffold"
 }
 
 variable "environment" {
-  type        = "string"
+  type        = string
   description = "The name of the environment for the bootstrapping process; which is always bootstrap"
   default     = "bootstrap"
 }
 
 variable "component" {
-  type        = "string"
+  type        = string
   description = "The name of the component for the bootstrapping process; which is always bootstrap"
   default     = "bootstrap"
 }
 
 variable "bucket_name" {
-  type        = "string"
-  description = "The name to use for the terraformscaffold bucket"
+  type        = string
+  description = "The name to use for the tfscaffold bucket. This should be provided from tfscaffold shell, not environment or group tfvars"
+}
+
+variable "tfscaffold_ro_principals" {
+  type        = list(string)
+  description = "A list of Principals permitted to ListBucket and GetObject for Remote State purposes. Normally the root principal of the account"
+  default     = []
 }
diff --git a/bootstrap/versions.tf b/bootstrap/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 3.31.0"
+    }
+  }
+
+  required_version = ">= 0.14.7"
+}

Original file line number	Diff line number	Diff line change
`@@ -1,12 +1,12 @@`
`1`	`1`	`# The default AWS provider in the default region`
`2`	`2`	`provider "aws" {`
`3`		`- region = "${var.region}"`
	`3`	`+ region = var.region`
`4`	`4`
`5`	`5`	`# For no reason other than redundant safety`
`6`	`6`	`# we only allow the use of the AWS Account`
`7`	`7`	`# specified in the environment variables.`
`8`	`8`	`# This helps to prevent accidents.`
`9`	`9`	`allowed_account_ids = [`
`10`		`- "${var.aws_account_id}",`
	`10`	`+ var.aws_account_id,`
`11`	`11`	`]`
`12`	`12`	`}`