  1. # Configure state file for our main tf script.
  2. terraform {
  3. backend "s3" {
  4. bucket = "labstatebucket"
  5. key = "labstatebucket/main.tfstate"
  6. region = "us-west-1"
  7. }
  8. }
  9.  
# AWS provider. The region is repeated from the backend block above because
# backend settings cannot reference providers or variables.
# No provider version is pinned here.
provider "aws"{
region = "us-west-1"
}
  13.  
# AMI used by the spot instance request below. AMI IDs are region specific,
# so this default only resolves in the provider region (us-west-1).
variable "ami" {
default = "ami-007fd5d3faa277be8" # CoreOS
}
  17.  
  18. //
  19. // iam role
  20. //
  21.  
# IAM policy attached to the instance role: read access to SSM Parameter Store
# plus KMS decryption so SecureString parameters can be read.
# NOTE(review): every statement uses "Resource": "*". ssm:DescribeParameters
# only supports "*", but ssm:GetParameter/GetParameters should be limited to
# the parameter ARN(s) this host needs
# (arn:aws:ssm:us-west-1:<ACCOUNT_ID>:parameter/<PARAMETER_PATH>) and
# kms:Decrypt to the key that encrypts them
# (arn:aws:kms:us-west-1:<ACCOUNT_ID>:key/<KEY_ID>). As written, the role can
# read and decrypt every parameter in the account.
# (The heredoc below is JSON, so comments cannot go inside it.)
resource "aws_iam_policy" "ssmpolicy" {
name = "ssmPolicy"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SSMDescribe",
"Action": [
"ssm:DescribeParameters"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Sid": "SSMPermissions",
"Action": [
"ssm:GetParameter",
"ssm:GetParameters"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Sid": "SSMDescrypt",
"Action": [
"kms:Decrypt"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
EOF
}
  57.  
# Role the worker instance runs under. The trust policy lets only the EC2
# service principal assume it (via the instance profile defined below).
resource "aws_iam_role" "ssmrole" {
name = "ssmRole"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": [
"ec2.amazonaws.com"
]
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}
  78.  
# Binds the SSM/KMS read policy to the instance role.
resource "aws_iam_role_policy_attachment" "ssm-attachment" {
role = "${aws_iam_role.ssmrole.name}"
policy_arn = "${aws_iam_policy.ssmpolicy.arn}"
}
  83.  
# Instance profile that hands the role to the EC2 instance; referenced by
# aws_spot_instance_request.cheap_worker.iam_instance_profile.
resource "aws_iam_instance_profile" "ssm-instance-profile" {
name = "ssm-instance-profile"
role = "${aws_iam_role.ssmrole.name}"
}
  88.  
  89. //
  90. // secrets
  91. //
  92.  
  93. //
  94. // confd service container
  95. //
  96.  
# systemd unit text for confd, read verbatim from confd.service.tpl next to
# this file (no template variables are passed in).
data "template_file" "confd_service" {
template = "${file("confd.service.tpl")}"
}
  100.  
# Wraps the rendered unit as an Ignition systemd unit named confd.service.
# Whether the unit is enabled at boot is left to the provider default.
data "ignition_systemd_unit" "confd_service" {
name = "confd.service"
content = "${data.template_file.confd_service.rendered}"
}
  105.  
  106. //
  107. // ignition
  108. //
  109.  
# confd main configuration, read verbatim from myconfig.toml.
data "template_file" "config_toml" {
template = "${file("myconfig.toml")}"
}
  113.  
  114. data "ignition_file" "configtoml" {
  115. filesystem = "root"
  116. path = "/etc/confd/conf.d/myconfig.toml"
  117. mode = "0755"
  118. content {
  119. content = "${data.template_file.config_toml.rendered}"
  120. }
  121. }
  122.  
# confd output template, read verbatim from myconfig.conf.tmpl.
data "template_file" "config_file" {
template = "${file("myconfig.conf.tmpl")}"
}
  126.  
  127. data "ignition_file" "configfile" {
  128. filesystem = "root"
  129. path = "/etc/confd/templates/myconfig.conf.tmpl"
  130. mode = "0755"
  131. content {
  132. content = "${data.template_file.config_file.rendered}"
  133. }
  134. }
  135.  
# confd template for the login configuration; `loc` is the only variable
# substituted into login.conf.tmpl (presumably the rendered output path on
# the host -- confirm against the template).
data "template_file" "login" {
template = "${file("login.conf.tmpl")}"
vars {
loc = "/dev/dockerlogin"
}
}
  142.  
  143. data "ignition_file" "login" {
  144. filesystem = "root"
  145. path = "/etc/confd/templates/login.conf.tmpl"
  146. mode = "0755"
  147. content {
  148. content = "${data.template_file.login.rendered}"
  149. }
  150. }
  151.  
# Assembles the Ignition config handed to the instance as user_data: one
# systemd unit (confd) and the three confd files declared above.
data "ignition_config" "ignition" {

systemd = [
"${data.ignition_systemd_unit.confd_service.id}",
]

files = [
"${data.ignition_file.configtoml.id}",
"${data.ignition_file.configfile.id}",
"${data.ignition_file.login.id}",
]
}
  164.  
  165. //
  166. // network security
  167. //
  168.  
  169. resource "aws_security_group" "allow_ssh" {
  170. name = "allow_ssh"
  171. description = "Allow SSH inbound traffic"
  172. vpc_id = "vpc-0dd1ac922930e40b2"
  173. ingress {
  174. # TLS (change to whatever ports you need)
  175. from_port = 22
  176. to_port = 22
  177. protocol = "TCP"
  178. # Please restrict your ingress to only necessary IPs and ports.
  179. # Opening to 0.0.0.0/0 can lead to security vulnerabilities.
  180. cidr_blocks = ["0.0.0.0/0"]
  181. }
  182.  
  183. ingress {
  184. # TLS (change to whatever ports you need)
  185. from_port = 8080
  186. to_port = 8080
  187. protocol = "TCP"
  188. # Opens port 80 for the honey pot.
  189. cidr_blocks = ["192.168.1.1/32"]
  190. }
  191.  
  192. egress {
  193. from_port = 0
  194. to_port = 0
  195. protocol = "-1"
  196. cidr_blocks = ["0.0.0.0/0"]
  197. }
  198.  
  199. }
  200.  
  201. //
  202. // compute
  203. //
  204.  
# Spot request for a single t2.micro CoreOS worker.
# The original comment said this deploys to the default VPC (172.31.0.0/16);
# subnet_id is in fact pinned explicitly below, and that subnet has to belong
# to the VPC used by aws_security_group.allow_ssh for the request to succeed.
resource "aws_spot_instance_request" "cheap_worker" {
ami = "${var.ami}"
spot_price = "0.01"
instance_type = "t2.micro"
subnet_id = "subnet-0603b49c9f38a102a"
key_name = "tewest" # pre-existing EC2 key pair, not managed by this file
associate_public_ip_address = true # presumably so the SSH/8080 ingress rules are reachable from outside the VPC
iam_instance_profile = "${aws_iam_instance_profile.ssm-instance-profile.id}"
vpc_security_group_ids = ["${aws_security_group.allow_ssh.id}"]
# Ignition JSON carrying the full text of the three confd files above.
# User data is readable from the instance metadata service and by any
# principal with ec2:DescribeInstanceAttribute, so those templates must not
# embed secrets; the instance role exists so they can be fetched from SSM at
# runtime instead.
user_data = "${data.ignition_config.ignition.rendered}"
tags = {
Name = "CheapWorker"
}
}
  220.  
# Exposes the Ignition id of the myconfig.toml file entry (not a filesystem
# path, despite the output name).
output "file_loc" {
value = "${data.ignition_file.configtoml.id}"
}