Initial commit

.github/settings.yml

@@ -1,11 +1,7 @@
 # Upstream changes from _extends are only recognized when modifications are made to this file in the default branch.
 _extends: .github
 repository:
-  name: template
-  description: Template for Terraform Components
+  name: aws-runs-on
+  description: This component is responsible for provisioning an RunsOn (https://runs-on
   homepage: https://cloudposse.com/accelerate
   topics: terraform, terraform-component
-
-
-
-

src/main.tf

@@ -1,8 +1,101 @@
 locals {
   enabled = module.this.enabled
+
+  parameters = merge({
+    "EC2InstanceCustomPolicy" = module.iam_policy.policy_arn
+  }, var.parameters)
+
+}
+
+module "iam_policy" {
+  source  = "cloudposse/iam-policy/aws"
+  version = "v2.0.1"
+
+  context = module.this.context
+  enabled = module.this.enabled
+
+  iam_policy_enabled = true
+  iam_policy = [
+    {
+      version   = "2012-10-17"
+      policy_id = "example"
+      statements = [
+        {
+          sid    = "AllowECRActions"
+          effect = "Allow"
+          actions = [
+            "ecr:UploadLayerPart",
+            "ecr:UntagResource",
+            "ecr:TagResource",
+            "ecr:StartLifecyclePolicyPreview",
+            "ecr:StartImageScan",
+            "ecr:PutLifecyclePolicy",
+            "ecr:PutImageTagMutability",
+            "ecr:PutImageScanningConfiguration",
+            "ecr:PutImage",
+            "ecr:ListImages",
+            "ecr:InitiateLayerUpload",
+            "ecr:GetRepositoryPolicy",
+            "ecr:GetLifecyclePolicyPreview",
+            "ecr:GetLifecyclePolicy",
+            "ecr:GetDownloadUrlForLayer",
+            "ecr:GetAuthorizationToken",
+            "ecr:DescribeRepositories",
+            "ecr:DescribeImages",
+            "ecr:DescribeImageScanFindings",
+            "ecr:DeleteLifecyclePolicy",
+            "ecr:CompleteLayerUpload",
+            "ecr:BatchGetImage",
+            "ecr:BatchDeleteImage",
+            "ecr:BatchCheckLayerAvailability",
+          ]
+          resources = ["*"]
+        }
+      ]
+    }
+  ]
 }
 
+module "cloudformation_stack" {
+  count = local.enabled ? 1 : 0
 
+  source  = "cloudposse/cloudformation-stack/aws"
+  version = "v0.7.1"
 
+  enabled = var.enabled
+  context = module.this.context
 
+  template_url       = var.template_url
+  parameters         = local.parameters
+  capabilities       = var.capabilities
+  on_failure         = var.on_failure
+  timeout_in_minutes = var.timeout_in_minutes
+  policy_body        = var.policy_body
 
+  depends_on = [module.iam_policy]
+}
+
+locals {
+  vpc_id         = one(module.cloudformation_stack[*].outputs["RunsOnVPCId"])
+  vpc_cidr_block = one(module.cloudformation_stack[*].outputs["RunsOnVpcCidrBlock"])
+  public_subnet_ids = compact([
+    one(module.cloudformation_stack[*].outputs["RunsOnPublicSubnet1"]),
+    one(module.cloudformation_stack[*].outputs["RunsOnPublicSubnet2"]),
+    one(module.cloudformation_stack[*].outputs["RunsOnPublicSubnet3"]),
+  ])
+  private_subnet_ids = compact([
+    one(module.cloudformation_stack[*].outputs["RunsOnPrivateSubnet1"]),
+    one(module.cloudformation_stack[*].outputs["RunsOnPrivateSubnet2"]),
+    one(module.cloudformation_stack[*].outputs["RunsOnPrivateSubnet3"]),
+  ])
+  private_route_table_ids = compact([
+    one(module.cloudformation_stack[*].outputs["RunsOnPrivateRouteTable1Id"]),
+    one(module.cloudformation_stack[*].outputs["RunsOnPrivateRouteTable2Id"]),
+    one(module.cloudformation_stack[*].outputs["RunsOnPrivateRouteTable3Id"]),
+  ])
+}
+
+data "aws_nat_gateways" "ngws" {
+  count  = local.enabled ? 1 : 0
+  vpc_id = local.vpc_id
+}

src/outputs.tf

@@ -1,4 +1,52 @@
-output "mock" {
-  description = "Mock output example for the Cloud Posse Terraform component template"
-  value       = local.enabled ? "hello ${basename(abspath(path.module))}" : ""
+output "name" {
+  value       = one(module.cloudformation_stack[*].name)
+  description = "Name of the CloudFormation Stack"
+}
+
+output "id" {
+  value       = one(module.cloudformation_stack[*].id)
+  description = "ID of the CloudFormation Stack"
+}
+
+output "outputs" {
+  value       = one(module.cloudformation_stack[*].outputs)
+  description = "Outputs of the CloudFormation Stack"
+}
+
+output "vpc_id" {
+  value       = local.vpc_id
+  description = "ID of the VPC created by RunsOn CloudFormation Stack"
+}
+
+output "vpc_cidr" {
+  value       = local.vpc_cidr_block
+  description = "CIDR of the VPC created by RunsOn CloudFormation Stack"
+}
+
+output "nat_gateway_ids" {
+  value       = one(data.aws_nat_gateways.ngws[*].ids)
+  description = "NAT Gateway IDs"
+}
+
+// Required by TGW Component but not created by RunsOn CloudFormation Stack
+output "nat_instance_ids" {
+  value       = []
+  description = "NAT Instance IDs"
+}
+
+output "private_subnet_ids" {
+  value = local.private_subnet_ids
+  #   value       = one(data.aws_subnets.private_subnets[*].ids)
+  description = "Private subnet IDs"
+}
+
+output "public_subnet_ids" {
+  value = local.public_subnet_ids
+  #   value       = one(data.aws_subnets.public_subnets[*].ids)
+  description = "Public subnet IDs"
+}
+
+output "private_route_table_ids" {
+  value       = local.private_route_table_ids
+  description = "Private subnet route table IDs"
 }

src/providers.tf

@@ -0,0 +1,19 @@
+provider "aws" {
+  region = var.region
+
+  # Profile is deprecated in favor of terraform_role_arn. When profiles are not in use, terraform_profile_name is null.
+  profile = module.iam_roles.terraform_profile_name
+
+  dynamic "assume_role" {
+    # module.iam_roles.terraform_role_arn may be null, in which case do not assume a role.
+    for_each = compact([module.iam_roles.terraform_role_arn])
+    content {
+      role_arn = assume_role.value
+    }
+  }
+}
+
+module "iam_roles" {
+  source  = "../account-map/modules/iam-roles"
+  context = module.this.context
+}

src/remote-state.tf

@@ -0,0 +1,13 @@
+module "vpc" {
+  count = local.enabled && var.vpc_peering_component != null ? 1 : 0
+
+  source  = "cloudposse/stack-config/yaml//modules/remote-state"
+  version = "1.5.0"
+
+  component   = var.vpc_peering_component.component
+  tenant      = var.vpc_peering_component.tenant
+  environment = var.vpc_peering_component.environment
+  stage       = var.vpc_peering_component.stage
+
+  context = module.this.context
+}

src/variables.tf

@@ -0,0 +1,50 @@
+variable "region" {
+  type        = string
+  description = "AWS Region"
+}
+
+variable "template_url" {
+  type        = string
+  description = "Amazon S3 bucket URL location of a file containing the CloudFormation template body. Maximum file size: 460,800 bytes"
+}
+
+variable "parameters" {
+  type        = map(string)
+  description = "Key-value map of input parameters for the Stack Set template. (_e.g._ map(\"BusinessUnit\",\"ABC\")"
+  default     = {}
+}
+
+variable "capabilities" {
+  type        = list(string)
+  description = "A list of capabilities. Valid values: CAPABILITY_IAM, CAPABILITY_NAMED_IAM, CAPABILITY_AUTO_EXPAND"
+  default     = []
+}
+
+variable "on_failure" {
+  type        = string
+  default     = "ROLLBACK"
+  description = "Action to be taken if stack creation fails. This must be one of: `DO_NOTHING`, `ROLLBACK`, or `DELETE`"
+}
+
+variable "timeout_in_minutes" {
+  type        = number
+  default     = 30
+  description = "The amount of time that can pass before the stack status becomes `CREATE_FAILED`"
+}
+
+variable "policy_body" {
+  type        = string
+  default     = ""
+  description = "Structure containing the stack policy body"
+}
+
+variable "vpc_peering_component" {
+  default = null
+  type = object({
+    component   = string
+    environment = optional(string)
+    tenant      = optional(string)
+    stage       = optional(string)
+  })
+  description = "The component name of the VPC Peering Connection"
+}

src/versions.tf

@@ -1,5 +1,10 @@
 terraform {
   required_version = ">= 1.0.0"
 
-  required_providers {}
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 4.9.0"
+    }
+  }
 }