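terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.48"
    }
    # random_string.module_suffix below uses the random provider. Declaring it
    # here pins the provider source for module users instead of relying on
    # Terraform's implicit "hashicorp/<name>" inference.
    # NOTE(review): add a version constraint matching the lockfile you test
    # against; none is asserted here.
    random = {
      source = "hashicorp/random"
    }
  }
}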
# Identity of the credentials running Terraform; its ARN is parsed into local.username.
data "aws_caller_identity" "current" {}
# Region of the configured AWS provider. Not referenced in this file; presumably used elsewhere in the module.
data "aws_region" "current" {}
locals {
  # Owner name derived from the caller ARN: everything after the last ':' or '/'
  # (the session name for an assumed role, the user name for an IAM user), lower-cased.
  # var.override_name takes precedence when it is neither null nor "".
  # NOTE(review): this value lands in IAM role and security group names below, so it
  # must respect their character and length limits - confirm for federated session names.
  username = coalesce(
    var.override_name,
    lower(regex(".+[:/](?P<username>.*)", data.aws_caller_identity.current.arn).username)
  )

  # Filter sets for data.aws_ami.this; the platform-specific map is selected by var.windows.
  ami_filters = {
    common = {
      "root-device-type"    = "ebs"
      "virtualization-type" = "hvm"
    }
    windows = {
      platform = "windows"
      name     = "Windows_Server-2019-English-Full-Base*"
    }
    linux = {
      name         = "al2023-ami-2023*"
      architecture = "x86_64"
    }
  }

  # Rendered boot script; an unset additional_user_data is passed as an empty string.
  user_data = templatefile("${path.module}/user_data.sh", {
    additional_user_data = var.additional_user_data != null ? var.additional_user_data : ""
  })

  # Tags applied to every resource. Caller-supplied additional_tags override these defaults.
  common_tags = merge(
    {
      "tf-workspace" = terraform.workspace
      creator        = local.username
      comment        = var.comment != "" ? var.comment : null
    },
    var.additional_tags
  )

  # Managed policies every instance role receives: SSM Session Manager access and
  # read-only ECR pulls. Anything beyond this comes from var.additional_role_policies.
  required_policies = [
    "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
    "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
  ]
}
# Short alphanumeric suffix appended to resource names so several instances can coexist
# for one user. It is a naming aid, not a secret.
resource "random_string" "module_suffix" {
  special = false
  length  = 4
}
# Latest Amazon-published AMI matching the platform chosen by var.windows.
# Only consulted when var.ami is empty (see aws_instance.instance).
data "aws_ami" "this" {
  # Pinning the owner means the wildcard name filters cannot match a look-alike
  # image published from another account.
  owners      = ["amazon"]
  most_recent = true

  # One filter block per map entry: the platform-independent filters plus either the
  # Windows or the Linux set. NOTE(review): this relies on the aws_ami filter argument
  # being order-insensitive - confirm against the provider version in use.
  dynamic "filter" {
    for_each = merge(
      local.ami_filters.common,
      var.windows ? local.ami_filters.windows : local.ami_filters.linux
    )
    content {
      name   = filter.key
      values = [filter.value]
    }
  }
}
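# Attach the required managed policies plus any caller-supplied ones to the instance role.
# Keyed by policy ARN rather than by list index: with index keys, adding or removing an entry
# in var.additional_role_policies shifts every later key - including the required policies at
# the end of the concat - so a plan would detach and re-attach them, briefly dropping SSM access.
# ARN keys also collapse a duplicate between the two lists instead of creating two attachments
# for the same policy.
# NOTE(review): state previously keyed "0", "1", ... will be re-created on the first apply after
# this change; `moved` blocks can map the old keys to the new ones if that churn is unacceptable.
# Callers control which policies land on the role here; review additions against least privilege.
resource "aws_iam_role_policy_attachment" "policies" {
  for_each = toset(concat(var.additional_role_policies, local.required_policies))

  role       = aws_iam_role.role.name
  policy_arn = each.value
}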
# IAM role assumed by the EC2 instance (through aws_iam_instance_profile.profile).
# Trust: data.aws_iam_policy_document.assume_policy (ec2.amazonaws.com only).
# Permissions: aws_iam_role_policy_attachment.policies.
# NOTE(review): no permissions_boundary is set; if callers may pass arbitrary
# additional_role_policies, a boundary would cap what the instance can do.
resource "aws_iam_role" "role" {
  # Same name pattern as the security group and the instance Name tag. IAM role names
  # are limited to 64 characters - confirm local.username cannot push this over.
  name               = "${local.username}-tmp-instance-${random_string.module_suffix.result}"
  assume_role_policy = data.aws_iam_policy_document.assume_policy.json
  tags               = local.common_tags

  lifecycle {
    # A "created" tag is presumably written outside Terraform; don't fight it on every plan.
    ignore_changes = [tags["created"]]
  }
}
# Instance profile wrapping the role; EC2 can only receive a role through a profile.
resource "aws_iam_instance_profile" "profile" {
  # No name/name_prefix given, so the provider assigns a unique one.
  role = aws_iam_role.role.name
}
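# Create the EC2 compute server. Access is intended via SSM Session Manager
# (AmazonSSMManagedInstanceCore in local.required_policies); the security group opens no ingress,
# so a public IP (var.associate_public_ip_address) is not needed for management access.
resource "aws_instance" "instance" {
  ami           = var.ami != "" ? var.ami : data.aws_ami.this.image_id
  instance_type = var.instance_type
  key_name      = var.key_name != "" ? var.key_name : null
  # NOTE(review): user_data_replace_on_change is left at its default, so edits to
  # user_data.sh only take effect on newly created instances.
  user_data = local.user_data

  iam_instance_profile        = aws_iam_instance_profile.profile.id
  subnet_id                   = var.subnet_id
  associate_public_ip_address = var.associate_public_ip_address
  vpc_security_group_ids = concat(
    var.additional_security_groups,
    [aws_security_group.security_group.id]
  )

  # Require IMDSv2: the session-token hop stops an SSRF or a compromised local process
  # from reading the instance role's credentials with a single unauthenticated GET.
  # NOTE(review): user_data.sh is not shown here; if it queries the metadata service
  # without first fetching a token it must be updated together with this change.
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }

  root_block_device {
    volume_size = var.volume_size
    # Encrypt the root volume with the account's default EBS key (no kms_key_id given).
    # NOTE(review): changing this on an already-deployed instance may force replacement.
    encrypted = true
  }

  # Explicitly empty so this resource manages no volume tags.
  volume_tags = {}

  tags = merge(
    local.common_tags,
    {
      "Name" = var.instance_name_override != null ? "${var.instance_name_override}-${random_string.module_suffix.result}" : "${local.username}-tmp-instance-${random_string.module_suffix.result}"
    }
  )

  lifecycle {
    # A "created" tag is presumably set outside Terraform; leave it alone on later plans.
    ignore_changes        = [tags["created"]]
    create_before_destroy = true
  }
}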
# Drive the instance to the running/stopped state requested by var.state without
# recreating it, so a temporary instance can be parked instead of destroyed.
resource "aws_ec2_instance_state" "instance" {
  state       = var.state
  instance_id = aws_instance.instance.id
}
# Security group for the instance: no ingress rules (management is via SSM Session Manager),
# unrestricted IPv4 egress so the package manager can reach its repositories.
# Only cidr_blocks is set on the egress rule, so IPv6 egress is not permitted by it.
resource "aws_security_group" "security_group" {
  vpc_id      = var.vpc_id
  name        = "${local.username}-tmp-instance-${random_string.module_suffix.result}"
  description = "sg for the workspace instance"
  tags        = local.common_tags

  # All protocols, all ports, to any IPv4 destination.
  egress {
    protocol    = "-1"
    from_port   = 0
    to_port     = 0
    cidr_blocks = ["0.0.0.0/0"]
  }

  lifecycle {
    ignore_changes = [tags["created"]]
  }
}
# Trust policy for aws_iam_role.role: only the EC2 service may assume it, so the role's
# credentials are obtainable only from an instance launched with the matching profile.
data "aws_iam_policy_document" "assume_policy" {
  statement {
    effect  = "Allow" # the default, stated explicitly for readers of the trust policy
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}