NEW: Initial commit

Terraform modules for AWS Zonal Shift demo
2025-05-17 22:10:34 +08:00
commit bc71da905f
19 changed files with 592 additions and 0 deletions
@@ -0,0 +1,12 @@
+BSD Zero Clause License
+
+Permission to use, copy, modify, and/or distribute this software for any
+purpose with or without fee is hereby granted.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
+REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
+INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
+OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+PERFORMANCE OF THIS SOFTWARE.
@@ -0,0 +1,56 @@
+<!-- This readme file is generated with terraform-docs -->
+Inline policy for IAM role is not supported by this module. Use managed policies instead.
+
+When trusted-entity is provided as an AWS service name (e.g ec2.amazonaws.com), the assume role 
+policy will be generated. Otherwise, the trusted-entity variable is assumed to be a json-encoded 
+policy. Assume role policy will be set with the json-encoded string. See examples.
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| terraform | >= 1.3.0 |
+| aws | >= 5.4.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws | >= 5.4.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_instance_profile.ip](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |
+| [aws_iam_policy.p](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role.r](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.pa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| create-instance-profile | Determines whether instance profile will be created | `bool` | `false` | no |
+| description | Description of IAM role | `string` | n/a | yes |
+| path | Path of IAM role. Defaults to /Customer/ | `string` | `"/Customer/"` | no |
+| policies | Map of policies to be created and attached | <pre>map(<br>    object(<br>      {<br>        description = string<br>        policy      = string<br>      }<br>    )<br>  )</pre> | `{}` | no |
+| role-name | Name of IAM role | `string` | n/a | yes |
+| trusted-entity | AWS service allowed to assume this role or a full assume role policy | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| instance-profile-arn | ARN of IAM instance profile |
+| name | Name of IAM role |
+| profile-name | Name of IAM instance profile |
+| role-arn | IAM role ARN |
+ 
+---
+## Authorship
+This module was developed by KF.
@@ -0,0 +1,47 @@
+# Assume role policy can be provided as-is, or built using the trusted-entity variable
+locals {
+  assume-role-policy = endswith(var.trusted-entity, ".com") ? jsonencode(
+    {
+      "Version" : "2012-10-17",
+      "Statement" : [
+        {
+          "Effect" : "Allow",
+          "Principal" : {
+            "Service" : [
+              var.trusted-entity
+            ]
+          },
+          "Action" : "sts:AssumeRole"
+        }
+      ]
+    }
+  ) : var.trusted-entity
+}
+
+resource "aws_iam_instance_profile" "ip" {
+  count = var.create-instance-profile ? 1 : 0
+  name  = "${var.role-name}-profile"
+  role  = aws_iam_role.r.name
+  path  = var.path
+}
+
+resource "aws_iam_role" "r" {
+  name                  = var.role-name
+  description           = var.description
+  assume_role_policy    = local.assume-role-policy
+  force_detach_policies = true
+  path                  = var.path
+}
+
+resource "aws_iam_policy" "p" {
+  for_each    = var.policies
+  description = each.value.description
+  name        = each.key
+  policy      = each.value.policy
+}
+
+resource "aws_iam_role_policy_attachment" "pa" {
+  for_each   = aws_iam_policy.p
+  role       = aws_iam_role.r.name
+  policy_arn = each.value.arn
+}
@@ -0,0 +1,19 @@
+output "profile-name" {
+  description = "Name of IAM instance profile"
+  value       = aws_iam_instance_profile.ip[*].name
+}
+
+output "role-arn" {
+  description = "IAM role ARN"
+  value       = aws_iam_role.r.arn
+}
+
+output "name" {
+  description = "Name of IAM role"
+  value       = aws_iam_role.r.name
+}
+
+output "instance-profile-arn" {
+  description = "ARN of IAM instance profile"
+  value       = aws_iam_instance_profile.ip.*.arn
+}
@@ -0,0 +1,9 @@
+terraform {
+  required_version = ">= 1.3.0"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.4.0"
+    }
+  }
+}
@@ -0,0 +1,39 @@
+variable "create-instance-profile" {
+  description = "Determines whether instance profile will be created"
+  type        = bool
+  default     = false
+}
+
+variable "description" {
+  description = "Description of IAM role"
+  type        = string
+}
+
+variable "policies" {
+  description = "Map of policies to be created and attached"
+  type = map(
+    object(
+      {
+        description = string
+        policy      = string
+      }
+    )
+  )
+  default = {}
+}
+
+variable "role-name" {
+  description = "Name of IAM role"
+  type        = string
+}
+
+variable "path" {
+  description = "Path of IAM role. Defaults to /Customer/"
+  type        = string
+  default     = "/Customer/"
+}
+
+variable "trusted-entity" {
+  description = "AWS service allowed to assume this role or a full assume role policy"
+  type        = string
+}