Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- variable "unique_example_string" {
- type = string
- default = "mytest123"
- description = "Unique string to avoid resource naming conflicts in order to allow the example to function"
- }
- resource "aws_vpc" "vpc" {
- cidr_block = "192.168.0.0/22"
- }
- data "aws_availability_zones" "azs" {
- state = "available"
- }
- resource "aws_subnet" "subnet_az1" {
- availability_zone = data.aws_availability_zones.azs.names[0]
- cidr_block = "192.168.0.0/24"
- vpc_id = aws_vpc.vpc.id
- }
- resource "aws_security_group" "sg" {
- name_prefix = var.unique_example_string
- vpc_id = aws_vpc.vpc.id
- }
- data "aws_ami" "ami" {
- most_recent = true
- owners = ["amazon"]
- filter {
- name = "name"
- values = ["amzn2-ami-ecs-hvm-2.0.*"]
- }
- filter {
- name = "root-device-type"
- values = ["ebs"]
- }
- filter {
- name = "virtualization-type"
- values = ["hvm"]
- }
- filter {
- name = "architecture"
- values = ["x86_64"]
- }
- }
- data "aws_region" "current" {}
- data "aws_caller_identity" "current" {}
- # Policy copied and adapted from alias/aws/ebs KMS key.
- data "aws_iam_policy_document" "kms_policy" {
- statement {
- sid = "Allow access through EBS for all principals in the account that are authorized to use EBS"
- effect = "Allow"
- principals {
- type = "AWS"
- identifiers = ["*"]
- }
- actions = [
- # Tried both with and without kms:* action (no change in result).
- "kms:Encrypt",
- "kms:Decrypt",
- "kms:ReEncrypt*",
- "kms:GenerateDataKey*",
- "kms:CreateGrant",
- "kms:DescribeKey"
- ]
- # Tried both with and without conditions (no change in result).
- condition {
- test = "StringEquals"
- variable = "kms:CallerAccount"
- values = [data.aws_caller_identity.current.account_id]
- }
- condition {
- test = "StringEquals"
- variable = "kms:ViaService"
- values = ["ec2.${data.aws_region.current.name}.amazonaws.com"]
- }
- }
- statement {
- sid = "Enable IAM User Permissions"
- effect = "Allow"
- principals {
- type = "AWS"
- identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
- }
- actions = ["kms:*"]
- resources = ["*"]
- }
- }
- resource "aws_kms_key" "kms" {
- description = var.unique_example_string
- # Tried both with and without an explicit policy (no change in result).
- policy = data.aws_iam_policy_document.kms_policy.json
- }
- resource "aws_launch_template" "example" {
- name_prefix = var.unique_example_string
- ebs_optimized = true
- image_id = data.aws_ami.ami.image_id
- instance_type = "t3.nano"
- vpc_security_group_ids = [aws_security_group.sg.id]
- block_device_mappings {
- device_name = data.aws_ami.ami.root_device_name
- ebs {
- delete_on_termination = true
- encrypted = true
- volume_type = "gp2"
- volume_size = 30
- # Tried both with and without kms_key_id (only works WITHOUT kms_key_id or when pointing to alias/aws/ebs).
- #kms_key_id = aws_kms_key.kms.arn
- }
- }
- }
- resource "aws_autoscaling_group" "example" {
- name_prefix = var.unique_example_string
- vpc_zone_identifier = [aws_subnet.subnet_az1.id]
- min_size = 1
- max_size = 1
- launch_template {
- id = aws_launch_template.example.id
- version = "$Latest"
- }
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement