diff --git a/Makefile b/Makefile
index 506c24f..6b945d0 100644
--- a/Makefile
+++ b/Makefile
@@ -4,47 +4,49 @@ apply: apply-remote-state apply-secrets apply-env apply-k8s-utils ## remove state file only if exit code 0 from terraform apply apply-remote-state: - pushd terraform/bootstrap/remote-state; \ - terraform init; \ - terraform apply -var "environment=$(ENV)" && rm ./terraform.tfstate; + pushd terraform/bootstrap/remote-state && \ + terraform init && \ + terraform apply -var "environment=$(ENV)" && \ + rm ./terraform.tfstate apply-secrets: - pushd terraform/bootstrap/secrets; \ - terraform init; \ - terraform apply && rm terraform.tfstate; + pushd terraform/bootstrap/secrets && \ + terraform init && \ + terraform apply && \ + rm ./terraform.tfstate apply-env: pushd terraform/environments/$(ENV); \ - terraform init; \ + terraform init && \ terraform apply apply-k8s-utils: update-k8s-conf - pushd kubernetes/terraform/environments/$(ENV); \ - terraform init; \ + pushd kubernetes/terraform/environments/$(ENV) && \ + terraform init && \ terraform apply -update-k8s-conf: +update-k8s-conf: aws eks --region <% index .Params `region` %> update-kubeconfig --name <% .Name %>-$(ENV)-<% index .Params `region` %> teardown: teardown-k8s-utils teardown-env teardown-secrets teardown-remote-state teardown-remote-state: - export AWS_PAGER=''; \ - aws s3 rb s3://<% .Name %>-$(ENV)-terraform-state --force; \ - aws dynamodb delete-table --table-name <% .Name %>-$(ENV)-terraform-state-locks; + export AWS_PAGER='' && \ + aws s3 rb s3://<% .Name %>-$(ENV)-terraform-state --force && \ + aws dynamodb delete-table --table-name <% .Name %>-$(ENV)-terraform-state-locks teardown-secrets: - export AWS_PAGER=''; \ - aws secretsmanager list-secrets --query "SecretList[?Tags[?Key=='project' && Value=='<% .Name %>']].[Name]" | jq '.[] [0]' | xargs aws secretsmanager delete-secret --secret-id; \ - aws iam delete-access-key --user-name <% .Name %>-ci-user --access-key-id $(shell aws iam list-access-keys --user-name <% .Name %>-ci-user --query "AccessKeyMetadata[0].AccessKeyId" | sed 
's/"//g'); \ - aws iam delete-user --user-name <% .Name %>-ci-user; + export AWS_PAGER='' && \ + aws secretsmanager list-secrets --query "SecretList[?Tags[?Key=='project' && Value=='<% .Name %>']].[Name] | [0][0]" | xargs aws secretsmanager delete-secret --secret-id && \ + aws iam delete-access-key --user-name <% .Name %>-ci-user --access-key-id $(shell aws iam list-access-keys --user-name <% .Name %>-ci-user --query "AccessKeyMetadata[0].AccessKeyId" | sed 's/"//g') && \ + aws iam delete-user --user-name <% .Name %>-ci-user teardown-env: - pushd terraform/environments/$(ENV); \ - terraform destroy -auto-approve; + pushd terraform/environments/$(ENV) && \ + terraform destroy teardown-k8s-utils: - pushd kubernetes/terraform/environments/$(ENV); \ - terraform destroy; + pushd kubernetes/terraform/environments/$(ENV) && \ + terraform destroy .PHONY: apply apply-remote-state apply-secrets apply-env apply-k8s-utils teardown-k8s-utils teardown-env teardown-secrets teardown-remote-state diff --git a/terraform/modules/environment/iam.tf b/terraform/modules/environment/iam.tf index ac292f5..6446233 100644 --- a/terraform/modules/environment/iam.tf +++ b/terraform/modules/environment/iam.tf @@ -59,8 +59,8 @@ resource "aws_iam_user_policy_attachment" "ci_user_list_and_describe_policy" { policy_arn = aws_iam_policy.eks_list_and_describe_policy.arn } -# Allow the CI user read/write access to the frontend assets bucket -data "aws_iam_policy_document" "read_write_s3_policy" { +# Allow the CI user read/write access to the frontend assets bucket and CF invalidations +data "aws_iam_policy_document" "deploy_assets_policy" { statement { actions = [ "s3:ListBucket", 
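Review bot: In teardown-secrets the new JMESPath `| [0][0]` returns only the first matching secret, so any further project secrets outlive the teardown (the old `jq '.[] [0]'` at least emitted every name, though without `-n1` xargs would have handed them to a single delete-secret call); `AccessKeyMetadata[0]` likewise removes one key, and `aws iam delete-user` is refused while another key exists, so the CI user and a live credential can be left behind. When nothing matches, `[0][0]` prints `null`, xargs passes it as the secret id, and the new `&&` chain stops before the IAM cleanup runs at all. Returning the whole list as text and letting xargs iterate fixes both: `aws secretsmanager list-secrets --query "SecretList[?Tags[?Key=='project' && Value=='<% .Name %>']].Name" --output text | xargs -r -n1 aws secretsmanager delete-secret --secret-id && \`, with the same `--output text | xargs -r -n1` shape over `AccessKeyMetadata[].AccessKeyId` replacing the `$(shell aws iam list-access-keys ...)` expansion, which make evaluates before the recipe shell starts and even under `make -n` (`-r` is GNU xargs; omit it where a BSD xargs is in use). Separately, `rm ./terraform.tfstate` in apply-secrets leaves behind the `terraform.tfstate.backup` that Terraform writes next to a local state file, and if that state tracks secret values they remain on disk in plaintext, so the backup is worth removing in the same step.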
@@ -77,14 +77,29 @@ data "aws_iam_policy_document" "read_write_s3_policy" { resources = formatlist("arn:aws:s3:::%s/*", var.s3_hosting_buckets) } + + statement { + actions = [ + "cloudfront:ListDistributions", + ] + + resources = ["*"] + } + + statement { + actions = [ + "cloudfront:CreateInvalidation", + ] + resources = formatlist("arn:aws:cloudfront::%s:distribution/%s", data.aws_caller_identity.current.account_id, module.s3_hosting.cloudfront_distribution_ids) + } } -resource "aws_iam_policy" "read_write_s3_policy" { - name = "${var.project}_ci_s3_policy" - policy = data.aws_iam_policy_document.read_write_s3_policy.json +resource "aws_iam_policy" "deploy_assets_policy" { + name = "${var.project}_ci_deploy_assets_policy" + policy = data.aws_iam_policy_document.deploy_assets_policy.json } resource "aws_iam_user_policy_attachment" "ci_s3_policy" { user = data.aws_iam_user.ci_user.user_name - policy_arn = aws_iam_policy.read_write_s3_policy.arn + policy_arn = aws_iam_policy.deploy_assets_policy.arn } diff --git a/terraform/modules/s3_hosting/outputs.tf b/terraform/modules/s3_hosting/outputs.tf new file mode 100644 index 0000000..2f61542 --- /dev/null +++ b/terraform/modules/s3_hosting/outputs.tf @@ -0,0 +1,4 @@ +output "cloudfront_distribution_ids" { + description = "Identifiers of the created cloudfront distributions" + value = values(aws_cloudfront_distribution.client_assets_distribution)[*].id +}
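Review bot: The added `cloudfront:ListDistributions` statement grants on `["*"]` with no comment saying why; that action has no resource type in the service authorization reference, so the wildcard is the only option, but an auditor reading the CI user's permissions cannot tell that from the hunk, and `# ListDistributions supports no resource-level scoping, so "*" is required` above it would record the intent. The `cloudfront:CreateInvalidation` ARN hard-codes the `aws` partition, as the existing s3 statement does; a `data "aws_partition"` lookup in place of the literal would keep the policy valid outside the standard partition if the module is ever reused there. Because the policy resource is renamed and its `name` changes, Terraform will replace both the policy and the `ci_s3_policy` attachment on the next apply, so expect a brief window in which the CI user carries neither policy. The enclosing `aws_iam_policy_document` data source starts before the hunk.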
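Review bot: The new output exposes distribution ids that iam.tf then reassembles into ARNs from the account id and a literal partition; `aws_cloudfront_distribution` already exposes `arn`, so a sibling output `cloudfront_distribution_arns` with `value = values(aws_cloudfront_distribution.client_assets_distribution)[*].arn` would let the policy reference the ARNs directly and drop the formatlist. `values()` presumes the resource is declared with `for_each`; that declaration is not in the diff, so confirm it is not a `count` list, where `values()` fails at plan time.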