locals {
  # Tailscale ACL tags applied to the router node. The primary tag falls back
  # to the module id; every tag carries the "tag:" prefix the Tailscale API
  # expects.
  primary_tag              = coalesce(var.primary_tag, module.this.id)
  prefixed_primary_tag     = "tag:${local.primary_tag}"
  prefixed_additional_tags = [for tag in var.additional_tags : "tag:${tag}"]
  tailscale_tags           = concat([local.prefixed_primary_tag], local.prefixed_additional_tags)

  # Optional tailscaled state in SSM Parameter Store. When enabled, tailscaled
  # is pointed at the parameter ARN through --state; when disabled both values
  # collapse to null / "" and drop out of the flag list below.
  ssm_state_param_name = var.ssm_state_enabled ? "/tailscale/${module.this.id}/state" : null
  ssm_state_flag       = var.ssm_state_enabled ? "--state=${module.ssm_state[0].arn_map[local.ssm_state_param_name]}" : ""

  # Extra flags for the daemon and for `tailscale up`. compact() removes the
  # empty state flag so no stray whitespace is rendered into the template.
  tailscaled_extra_flags           = join(" ", compact(concat(var.tailscaled_extra_flags, [local.ssm_state_flag])))
  tailscaled_extra_flags_enabled   = local.tailscaled_extra_flags != ""
  tailscale_up_extra_flags_enabled = length(var.tailscale_up_extra_flags) > 0

  # Rendered bootstrap script. NOTE: the tailnet auth key is embedded in the
  # instance user data; EC2 user data is readable from the instance metadata
  # service and via the EC2 API (DescribeInstanceAttribute), so it is exposed
  # beyond Terraform state. Bound that exposure with the key's expiry /
  # reusable / preauthorized settings on the tailscale_tailnet_key resource.
  userdata = templatefile("${path.module}/userdata.sh.tmpl", {
    authkey                          = tailscale_tailnet_key.default.key
    exit_node_enabled                = var.exit_node_enabled
    hostname                         = module.this.id
    routes                           = join(",", var.advertise_routes)
    ssh_enabled                      = var.ssh_enabled
    tags                             = join(",", local.tailscale_tags)
    tailscaled_extra_flags_enabled   = local.tailscaled_extra_flags_enabled
    tailscaled_extra_flags           = local.tailscaled_extra_flags
    tailscale_up_extra_flags_enabled = local.tailscale_up_extra_flags_enabled
    tailscale_up_extra_flags         = join(" ", var.tailscale_up_extra_flags)
  })
}
# Note: `trunk` ignores the fact that this rule is already listed in the `.trivyignore` file.
# Bucket does not have versioning enabled
# trivy:ignore:AVD-AWS-0090
module "tailscale_subnet_router" {
  source  = "masterpointio/ssm-agent/aws"
  version = "1.2.0"

  # Bootstrap script. A non-empty var.user_data replaces the rendered Tailscale
  # bootstrap entirely (the two are not merged), so a custom script must start
  # tailscaled itself. Either way the content ends up in EC2 user data, which is
  # readable from the instance metadata service and the EC2 API; do not treat
  # it as a secret store.
  user_data = base64encode(length(var.user_data) > 0 ? var.user_data : local.userdata)

  # Network placement and access.
  vpc_id                        = var.vpc_id
  subnet_ids                    = var.subnet_ids
  key_pair_name                 = var.key_pair_name
  associate_public_ip_address   = var.associate_public_ip_address
  additional_security_group_ids = var.additional_security_group_ids

  # Instance / autoscaling group sizing.
  ami                = var.ami
  instance_type      = var.instance_type
  min_size           = var.min_size
  max_size           = var.max_size
  desired_capacity   = var.desired_capacity
  monitoring_enabled = var.monitoring_enabled

  # SSM Session Manager: run-shell document and session logging. Keeping
  # session logging enabled gives an audit trail of interactive access to the
  # router; the KMS alias encrypts those logs.
  create_run_shell_document         = var.create_run_shell_document
  session_logging_enabled           = var.session_logging_enabled
  session_logging_kms_key_alias     = var.session_logging_kms_key_alias
  session_logging_ssm_document_name = var.session_logging_ssm_document_name

  context = module.this.context
  tags    = module.this.tags
}
# Pre-authentication key the router uses to join the tailnet. The key is
# consumed from instance user data (see local.userdata), so its lifetime and
# reuse settings are the main control on how far a leaked key can be abused:
# a short expiry, preauthorized = true only when needed, and reusable = false
# unless the ASG must re-register replacement instances.
resource "tailscale_tailnet_key" "default" {
  expiry        = var.expiry
  reusable      = var.reusable
  ephemeral     = var.ephemeral
  preauthorized = var.preauthorized

  # Devices authenticating with this key are tagged automatically; the
  # tailnet ACL's tagOwners must permit these tags.
  tags = local.tailscale_tags
}
# SecureString parameter that holds tailscaled's state when ssm_state_enabled
# is set. tailscaled writes the real state at runtime, which is why the
# seeded "{}" is written once and then left alone via ignore_value_changes.
# No key_id is passed, so the parameter presumably uses the account's default
# aws/ssm KMS key — confirm; a customer-managed key would allow a tighter key
# policy around who can decrypt node state.
module "ssm_state" {
  count   = var.ssm_state_enabled ? 1 : 0
  source  = "cloudposse/ssm-parameter-store/aws"
  version = "0.13.0"

  # Do not revert the value tailscaled stores on the next apply.
  ignore_value_changes = true

  parameter_write = [
    {
      name        = local.ssm_state_param_name
      type        = "SecureString"
      overwrite   = "true"
      value       = "{}"
      description = "Tailscaled state of ${module.this.id} subnet router."
    }
  ]

  context = module.this.context
  tags    = module.this.tags
}
# Write access for the router's instance role, scoped to the single state
# parameter rather than a path wildcard. Only ssm:PutParameter is granted here;
# read access to the parameter is presumably supplied by the ssm-agent module's
# base role — confirm, otherwise tailscaled cannot load persisted state.
module "ssm_policy" {
  count   = var.ssm_state_enabled ? 1 : 0
  source  = "cloudposse/iam-policy/aws"
  version = "2.0.1"

  name               = "ssm"
  description        = "Additional SSM access for SSM Agent"
  iam_policy_enabled = true

  iam_policy = [{
    statements = [
      {
        sid       = "SSMAgentPutParameter"
        effect    = "Allow"
        actions   = ["ssm:PutParameter"]
        # Exactly one resource: the state parameter created above.
        resources = [module.ssm_state[0].arn_map[local.ssm_state_param_name]]
      },
    ]
  }]

  context = module.this.context
  tags    = module.this.tags
}
# Attach the PutParameter policy to the instance role created by the
# ssm-agent module. Created only alongside the SSM state parameter, so the
# role gains no extra permissions when state persistence is disabled.
resource "aws_iam_role_policy_attachment" "default" {
  count = var.ssm_state_enabled ? 1 : 0

  policy_arn = module.ssm_policy[0].policy_arn
  role       = module.tailscale_subnet_router.role_id
}