terraform-aws-concourse-keys-s3

Carnegie Robotics, LLC

Terraform module for deploying Concourse TLS / SSH keys to S3.


Usage

TODO

Makefile Targets

Available targets:

  help                                Help screen
  help/all                            Display help for all targets
  help/short                          This help short screen

Requirements

  Name         Version
  terraform    ~> 0.14.0
  aws          ~> 3.32
  external     ~> 2.1
  http         ~> 2.0
  local        ~> 2.0
  template     ~> 2.2
  utils        ~> 0.3

Providers

  Name    Version
  aws     ~> 3.32
  tls     n/a

Modules

  Name    Source                   Version
  this    cloudposse/label/null    0.24.1

Resources

  Name                                                   Type
  aws_iam_role.keys                                      resource
  aws_iam_role_policy.concourse_keys_cross_account       resource
  aws_s3_bucket.keys                                     resource
  aws_s3_bucket_object.authorized_worker_keys            resource
  aws_s3_bucket_object.session_signing_key               resource
  aws_s3_bucket_object.session_signing_pub_key           resource
  aws_s3_bucket_object.tsa_host_key                      resource
  aws_s3_bucket_object.tsa_host_pub_key                  resource
  aws_s3_bucket_object.worker_key                        resource
  aws_s3_bucket_object.worker_pub_key                    resource
  aws_s3_bucket_policy.keys                              resource
  tls_private_key.session_signing                        resource
  tls_private_key.tsa_host                               resource
  tls_private_key.worker                                 resource
  aws_iam_policy_document.assume_role                    data source
  aws_iam_policy_document.cross_account                  data source

Inputs

  additional_tag_map
    Description: Additional tags for appending to tags_as_list_of_maps. Not added to tags.
    Type:        map(string)
    Default:     {}
    Required:    no

  attributes
    Description: Additional attributes (e.g. 1)
    Type:        list(string)
    Default:     []
    Required:    no

  bucket_force_destroy
    Description: A boolean that indicates all objects should be deleted from the bucket so that
                 the bucket can be destroyed without error. These objects are not recoverable.
    Type:        bool
    Default:     false
    Required:    no

  context
    Description: Single object for setting entire context at once.
                 See description of individual variables for details.
                 Leave string and numeric variables as null to use default value.
                 Individual variable settings (non-null) override settings in context object,
                 except for attributes, tags, and additional_tag_map, which are merged.
    Type:        object({
                   enabled             = bool
                   namespace           = string
                   environment         = string
                   stage               = string
                   name                = string
                   delimiter           = string
                   attributes          = list(string)
                   tags                = map(string)
                   additional_tag_map  = map(string)
                   regex_replace_chars = string
                   label_order         = list(string)
                   id_length_limit     = number
                 })
    Default:     {
                   "additional_tag_map": {},
                   "attributes": [],
                   "delimiter": null,
                   "enabled": true,
                   "environment": null,
                   "id_length_limit": null,
                   "label_order": [],
                   "name": null,
                   "namespace": null,
                   "regex_replace_chars": null,
                   "stage": null,
                   "tags": {}
                 }
    Required:    no

  delimiter
    Description: Delimiter to be used between namespace, environment, stage, name and attributes.
                 Defaults to - (hyphen). Set to "" to use no delimiter at all.
    Type:        string
    Default:     null
    Required:    no

  enabled
    Description: Set to false to prevent the module from creating any resources.
    Type:        bool
    Default:     null
    Required:    no

  environment
    Description: Environment, e.g. 'uw2', 'us-west-2', OR 'prod', 'staging', 'dev', 'UAT'
    Type:        string
    Default:     null
    Required:    no

  generate_keys
    Description: If set to true this module will generate the necessary RSA keys with the
                 tls_private_key resource and upload them to S3 (server-side encrypted).
                 Be aware that this will store the generated unencrypted keys in the Terraform
                 state, so be sure to use a secure state backend (e.g. S3 encrypted), or set
                 this to false and generate the keys manually.
    Type:        string
    Default:     true
    Required:    no

  id_length_limit
    Description: Limit id to this many characters.
                 Set to 0 for unlimited length.
                 Set to null for default, which is 0.
                 Does not affect id_full.
    Type:        number
    Default:     null
    Required:    no

  keys_version
    Description: Change this if you want to re-generate Concourse keys.
    Type:        string
    Default:     "1"
    Required:    no

  label_order
    Description: The naming order of the id output and Name tag.
                 Defaults to ["namespace", "environment", "stage", "name", "attributes"].
                 You can omit any of the 5 elements, but at least one must be present.
    Type:        list(string)
    Default:     null
    Required:    no

  name
    Description: Solution name, e.g. 'app' or 'jenkins'
    Type:        string
    Default:     null
    Required:    no

  namespace
    Description: Namespace, which could be your organization name or abbreviation, e.g. 'eg' or 'cp'
    Type:        string
    Default:     null
    Required:    no

  regex_replace_chars
    Description: Regex to replace chars with empty string in namespace, environment, stage and name.
                 If not set, "/[^a-zA-Z0-9-]/" is used to remove all characters other than
                 hyphens, letters and digits.
    Type:        string
    Default:     null
    Required:    no

  stage
    Description: Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release'
    Type:        string
    Default:     null
    Required:    no

  tags
    Description: Additional tags (e.g. map('BusinessUnit','XYZ'))
    Type:        map(string)
    Default:     {}
    Required:    no

  worker_iam_role_arns
    Description: List of ARNs for the IAM roles that will be able to assume the role to access
                 Concourse keys in S3. Normally you'll include the Concourse worker IAM role here.
    Type:        list(string)
    Default:     n/a
    Required:    yes

Outputs

  Name                      Description
  bucket_arn                The ARN of the S3 bucket where the Concourse keys are stored
  bucket_id                 The id (name) of the S3 bucket where the Concourse keys are stored
  cross_account_role_arn    IAM role ARN that Concourse workers on other AWS accounts will need to
                            assume to access the Concourse keys bucket
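The following is an added example of wiring the module into a root configuration; it is not code from this module's README or from Carnegie Robotics. It ties together the two security-relevant points above: with generate_keys = true the private keys land in Terraform state, so the state backend is encrypted and locked, and only the listed worker role may assume the cross-account role that reaches the keys bucket. The module source path, the AWS account id, the region, the state bucket and lock table names, and the worker role name/ARN are all placeholders or assumptions.

```hcl
# Added example, not part of the module. Every name, ARN, region and the
# module source path below is a placeholder or an assumption.

terraform {
  required_version = "~> 0.14.0"

  # generate_keys = true writes the unencrypted private keys into state, so
  # the state itself must be encrypted at rest and locked (names are placeholders).
  backend "s3" {
    bucket         = "PLACEHOLDER-terraform-state-bucket"
    key            = "concourse/keys/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true
    dynamodb_table = "PLACEHOLDER-terraform-state-lock"
  }
}

provider "aws" {
  region = "us-east-1" # assumption
}

# Role the Concourse workers run under (assumed to exist; ARN is a placeholder).
variable "concourse_worker_role_arn" {
  type    = string
  default = "arn:aws:iam::111111111111:role/PLACEHOLDER-concourse-worker"
}

module "concourse_keys" {
  # Source path is an assumption; pin a release tag rather than a branch.
  source = "git::https://github.com/<org>/terraform-aws-concourse-keys-s3.git?ref=<tag>"

  namespace   = "crl"
  environment = "uw2"
  stage       = "prod"
  name        = "concourse-keys"

  # Only the worker role(s) listed here may assume the cross-account role
  # the module creates for reading the keys bucket.
  worker_iam_role_arns = [var.concourse_worker_role_arn]

  # Let the module generate the TSA host, worker and session-signing keys.
  generate_keys = true

  # Bump this value to rotate the generated keys.
  keys_version = "1"

  # Refuse to delete the bucket while key objects are still in it.
  bucket_force_destroy = false
}

# The worker role also needs permission on its own side to assume the
# cross-account role. If the worker role lives in another account, apply
# this resource with a provider configured for that account.
data "aws_iam_policy_document" "worker_assume_keys_role" {
  statement {
    effect    = "Allow"
    actions   = ["sts:AssumeRole"]
    resources = [module.concourse_keys.cross_account_role_arn]
  }
}

resource "aws_iam_role_policy" "worker_assume_keys_role" {
  name   = "concourse-assume-keys-role"
  role   = "PLACEHOLDER-concourse-worker" # role name (not ARN), placeholder
  policy = data.aws_iam_policy_document.worker_assume_keys_role.json
}

output "concourse_keys_bucket" {
  value = module.concourse_keys.bucket_id
}

output "concourse_keys_role" {
  value = module.concourse_keys.cross_account_role_arn
}
```

Because the private keys are present in state whenever generate_keys is true, treat read access to the state bucket as equivalent to access to the keys themselves: restrict it to the operators who run this configuration, and prefer generate_keys = false with out-of-band key generation where that is not acceptable.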

Related Projects

Check out these related projects.

Contributing

Bug Reports & Feature Requests

Please use the issue tracker to report any bugs or file feature requests.

Developing

In general, PRs are welcome. We follow the typical "fork-and-pull" Git workflow.

  1. Fork the repo on GitHub
  2. Clone the project to your own machine
  3. Commit changes to your own branch
  4. Push your work back up to your fork
  5. Submit a Pull Request so that we can review your changes

NOTE: Be sure to merge the latest changes from "upstream" before making a pull request!

Copyrights

Copyright © 2017-2021 Cloud Posse, LLC

Copyright © 2020-2021 Carnegie Robotics, LLC

Trademarks

All other trademarks referenced herein are the property of their respective owners.

About

This project is maintained and funded by Carnegie Robotics, LLC.
