// Create a secretsmanager secret to store the CA information.
// The structure below is only a template: the real private key, passphrase
// and public key are loaded into the secret outside Terraform, and
// aws_secretsmanager_secret_version.ca ignores later changes to
// secret_string so an apply never overwrites what was loaded.
locals {
  // do not fill these they are just used to initialise the secret structure
  // (filling them would put CA key material into this file and into state)
  ca = {
    private_key            = ""
    private_key_passphrase = ""
    public_key             = ""
  }
}
// The secret that holds the SSH CA key material. Within this configuration
// the only grant of secretsmanager:GetSecretValue on it is the policy
// attached to the lambda execution role (data.aws_iam_policy_document.read_ca_secret).
// NOTE(review): no kms_key_id is set, so the AWS-managed Secrets Manager key
// is used; set a customer-managed key if the CA key must sit under a key
// policy with its own access control and audit trail.
resource "aws_secretsmanager_secret" "ca" {
  name = "sign-ssh-key-ca"
}
// Initial version, written with the empty placeholders from local.ca. The
// real CA material is placed into the secret out of band; ignore_changes on
// secret_string keeps a later apply from resetting it to the empty template.
// NOTE(review): ignore_changes only suppresses the plan diff. On refresh the
// provider reads the current secret value back into state, so the Terraform
// state file is expected to contain the CA private key and must be stored
// encrypted with tightly controlled access — confirm for the provider
// version in use.
resource "aws_secretsmanager_secret_version" "ca" {
  secret_id     = aws_secretsmanager_secret.ca.id
  secret_string = jsonencode(local.ca)
  lifecycle {
    // never overwrite the key material loaded outside Terraform
    ignore_changes = [secret_string]
  }
}
// Create an execution role for the lambda.
// Trust policy letting only the Lambda service principal assume the role;
// no account or user principal is trusted here.
data "aws_iam_policy_document" "lambda_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}
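// Execution role for the signing lambda. Permissions are attached separately:
// read access to the CA secret (aws_iam_role_policy_attachment.read_ca_secret)
// and, just below, the ability to write its own CloudWatch Logs so that each
// signing invocation leaves a record.
resource "aws_iam_role" "ssh_key_signer" {
  name               = "ssh-key-signer"
  assume_role_policy = data.aws_iam_policy_document.lambda_assume.json
}

// Without a logs permission the function cannot create its log group or
// stream and Lambda drops whatever the function writes, so there would be no
// audit trail of signing requests. The AWS-managed basic execution policy
// grants exactly logs:CreateLogGroup/CreateLogStream/PutLogEvents.
// (Partition is hard-coded to "aws"; adjust for aws-cn / aws-us-gov.)
resource "aws_iam_role_policy_attachment" "lambda_logs" {
  role       = aws_iam_role.ssh_key_signer.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
}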
// Create a policy granting read access to the CA secret.
// Scoped to that single secret: the id attribute of aws_secretsmanager_secret
// is the secret's ARN. Any principal holding this policy can read the CA
// private key, so it is attached to the lambda execution role and nothing
// else in this configuration.
data "aws_iam_policy_document" "read_ca_secret" {
  statement {
    actions   = ["secretsmanager:GetSecretValue"]
    resources = [aws_secretsmanager_secret.ca.id]
  }
}
// Customer-managed policy wrapping the read_ca_secret document.
resource "aws_iam_policy" "read_ca_secret" {
  name   = "read-sign-ssh-key-ca"
  policy = data.aws_iam_policy_document.read_ca_secret.json
}
// Attach the policy to the lambda execution role. This is the only place in
// this configuration where read access to the CA secret is granted.
resource "aws_iam_role_policy_attachment" "read_ca_secret" {
  role       = aws_iam_role.ssh_key_signer.name
  policy_arn = aws_iam_policy.read_ca_secret.arn
}
// Build the lambda binary on the machine running terraform apply.
// The binary that will sign SSH keys with the CA is produced by whatever Go
// toolchain and module cache that machine has, so the build host is part of
// the trust base of the signing service.
resource "null_resource" "build" {
  // Re-run only when these two files change; edits to other Go sources or
  // to go.mod/go.sum (if any) do not trigger a rebuild on their own.
  triggers = {
    build  = sha1(file("main.go"))
    config = sha1(file("prod.json"))
  }
  provisioner "local-exec" {
    // Paths here and in file() above are relative to the working directory of
    // the apply, and the archive is written there as lambda.zip, while
    // aws_lambda_function.lambda reads ${path.module}/lambda.zip — confirm
    // both resolve to the same directory (apply from the module directory).
    command = "GOOS=linux GOARCH=amd64 go build -o lambda-sign-ssh-key && chmod +x lambda-sign-ssh-key && zip lambda lambda-sign-ssh-key prod.json"
  }
}
// The signing lambda. It runs as ssh_key_signer and so can read the CA
// secret; the invoke grant for requesters is aws_iam_policy.ssh_key_signature_request.
resource "aws_lambda_function" "lambda" {
  filename      = "${path.module}/lambda.zip"
  function_name = "sign-ssh-key"
  role          = aws_iam_role.ssh_key_signer.arn
  handler       = "lambda-sign-ssh-key"
  // NOTE(review): base64sha256 hashes its string argument, i.e. the literal
  // path, not the archive contents, so this value never changes and a
  // rebuilt binary is not redeployed until something else forces an update
  // (e.g. tainting this resource). filebase64sha256 would hash the file, but
  // Terraform evaluates it at plan time regardless of depends_on, so the
  // archive would then have to exist before the first plan.
  source_code_hash = base64sha256("${path.module}/lambda.zip")
  // NOTE(review): AWS has retired the go1.x runtime; moving to provided.al2
  // (handler "bootstrap") also changes the build command — confirm before
  // changing.
  runtime    = "go1.x"
  depends_on = [null_resource.build]
}
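// ARN of the signing lambda, for callers that need to grant or audit
// lambda:InvokeFunction on it.
output "lambda_arn" {
  description = "ARN of the sign-ssh-key lambda function"
  value       = aws_lambda_function.lambda.arn
}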
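// Create a role to be assumed by users requesting signatures.
// These are the accounts whose principals may assume that role.
variable "ssh_signature_requester_account_ids" {
  description = "AWS account IDs trusted to assume the ssh-key-signature-requester role. A bare account ID trusts every principal in that account whose own IAM policy allows sts:AssumeRole on the role ARN."
  type        = list(string)
  // NOTE(review): with the empty default the trust policy in
  // data.aws_iam_policy_document.requester_assume has no principal, which
  // AWS is not expected to accept at apply time — confirm; in practice the
  // variable must be set to a non-empty list.
  default = []
}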
// Trust policy for the requester role. The identifiers are account IDs, so
// the trust extends to every principal in those accounts that its own IAM
// policy lets call sts:AssumeRole on this role; the peer account's
// administrators decide who that is.
// NOTE(review): no condition (e.g. sts:ExternalId or aws:PrincipalArn)
// narrows this further — if only a known set of callers should be able to
// request signatures, list their role ARNs instead of whole accounts.
data "aws_iam_policy_document" "requester_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = var.ssh_signature_requester_account_ids
    }
  }
}
// Role assumed cross-account by signature requesters. It carries only the
// lambda invoke permission attached further down; it cannot read the CA
// secret.
resource "aws_iam_role" "ssh_key_signature_requester" {
  name               = "ssh-key-signature-requester"
  assume_role_policy = data.aws_iam_policy_document.requester_assume.json
}
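// ARN of the requester role; principals in the trusted accounts assume this
// role before invoking the signing lambda.
output "ssh_key_signature_requester_arn" {
  description = "ARN of the ssh-key-signature-requester role that trusted accounts assume to request SSH key signatures"
  value       = aws_iam_role.ssh_key_signature_requester.arn
}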
// Create a policy to allow the role to call the lambda, and nothing else.
// Scoped to the function ARN, so the requester role cannot invoke other
// functions, read the CA secret or change the function's configuration.
data "aws_iam_policy_document" "ssh_key_signature_request" {
  statement {
    actions = ["lambda:InvokeFunction"]
    resources = [
      aws_lambda_function.lambda.arn
    ]
  }
}
// Customer-managed policy wrapping the invoke-only document.
resource "aws_iam_policy" "ssh_key_signature_request" {
  name   = "ssh-key-signature-request"
  policy = data.aws_iam_policy_document.ssh_key_signature_request.json
}
// Attach the policy to the requester role. This is the requester role's only
// permission in this configuration.
resource "aws_iam_role_policy_attachment" "ssh_key_signature_request" {
  role       = aws_iam_role.ssh_key_signature_requester.name
  policy_arn = aws_iam_policy.ssh_key_signature_request.arn
}