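====== Terraform Variables ======

setup.tf

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "3.74.1"
    }
  }

  backend "s3" {
    region         = "eu-west-2"
    bucket         = "statefiles"
    key            = "tsg/plan-apply.tfstate"
    dynamodb_table = "tsg-plan-apply-lockfiles"
    # The state file records every aws_ssm_parameter value written below in
    # plaintext, so encrypt it at rest (SSE on the state object); the bucket
    # policy should also restrict who can read tsg/*.tfstate.
    encrypt = true
  }
}

variables.tf

variable "regionName" {
  description = "Key for looking up region code (must be a key of var.aws_region)"
  type        = string
  default     = "London"
}

variable "aws_region" {
  # `map(string)` instead of the legacy untyped `map`: every value must be a
  # region-code string, and the element type is checked at plan time.
  type = map(string) # Note! TF variable type lower case
  default = {
    "Dublin"   = "eu-west-1"
    "London"   = "eu-west-2"
    "Broadway" = "eu-west-6" # NOTE(review): not an AWS region name - confirm this placeholder is deliberate.
  }
}

resource "aws_ssm_parameter" "regioncode" {
  name = "region_code"
  type = "String" # NOTE! Quotes + Capital - AWS resource Type
  # A regionName that is not a key of var.aws_region fails at plan time with
  # an "invalid index" error, which is the intended guard.
  value = var.aws_region[var.regionName]
}

variable "iterator" {
  type        = number # NOTE! just word for Terraform var type
  default     = 1
  description = "Zero-based index into var.cidr_blocks"
}

variable "cidr_blocks" {
  description = "CIDR blocks"
  type        = list(string)
  default = [
    "192.168.100.0/24",
    "192.168.101.0/24",
    "192.168.102.0/24",
  ]
}

resource "aws_ssm_parameter" "cidr_block" {
  name = "CIDR_block"
  type = "String"
  # 0 is 1st position; an out-of-range iterator fails at plan time.
  value = var.cidr_blocks[var.iterator]
}

data-variables.tf

data "aws_iam_policy" "common_pb" {
  name = "pb-Common"
}

# Publishes the shared permissions-boundary ARN so other stacks can attach it
# to the roles they create.
resource "aws_ssm_parameter" "permissionsboundary" {
  name  = "PermissionsBoundaryARN"
  type  = "String"
  value = data.aws_iam_policy.common_pb.arn
}

parameters.tf

resource "aws_ssm_parameter" "just_a_parameter" {
  name        = "just_a_parameter"
  type        = "String"
  description = "Just a test"
  tags = {
    email = "andrew.2.stringer@bt.com"
  }
  value = "random_value"
}

# Allow-list of source buckets consumed by copy_file.py. The parameter must
# hold a JSON *object* (bucket_ref -> bucket name). The previous
# `jsonencode(file(...))` encoded the file's text as a JSON string literal, so
# json.loads() on the Python side returned a str, not a dict, and the
# bucket_ref lookup failed. jsondecode() first validates the file is JSON,
# jsonencode() then stores it as a compact object. path.module keeps the file
# lookup independent of the working directory terraform is run from.
resource "aws_ssm_parameter" "SaiSecureRepoSourceBucket" {
  name  = "SaiSecureRepoSourceBucket"
  type  = "String"
  value = jsonencode(jsondecode(file("${path.module}/buckets.json")))
}

buckets.json

{
  "secure_repo_centos": "sai-secure-repo-development",
  "secure_repo_rocky": "rocky_secure_repo_bucket",
  "secure_repo_ubuntu": "ubuntu-secure-repo-bucket"
}

copy_file.py

import json
import logging
import sys

import boto3

# sys and logger were used below without being imported/defined.
logger = logging.getLogger(__name__)

# Paths to parameters in Parameter store.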
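Parameter_source_bucket = 'SaiSecureRepoSourceBucket'

# Canned event for local testing. The original assigned this unconditionally
# inside handler(), which silently discarded the real invocation event; it is
# now only a fallback used when no event is supplied at all.
_TEST_EVENT = {
    "user_name": "secure_repo_ubuntu",
    "filename": "1008926332-catbert.gif",
    "bucket_ref": "secure_repo_ubuntu"
}


def read_parameter(parameter):
    """Fetch a single SSM Parameter Store entry by name.

    Args:
        parameter: Name of the parameter to read. An empty/None name exits via
            ``sys.exit`` (behaviour kept from the original).

    Returns:
        The raw ``get_parameter`` response dict; the string value is at
        ``['Parameter']['Value']``.

    Raises:
        SystemExit: ``parameter`` is empty, or the response is empty.
        botocore ClientError: propagated from boto3 (e.g. ParameterNotFound).
            get_parameter raises rather than returning an empty response, so
            the ``if not parameter_response`` guard is defence in depth only.
    """
    # Validate the argument before creating a client.
    if not parameter:
        sys.exit("read_parameter variable 'parameter' is not set, so exiting.")
    parameter_client = boto3.client('ssm')
    # WithDecryption is not requested: this helper is only used for String
    # parameters. Add WithDecryption=True deliberately if a SecureString is
    # ever read through it.
    parameter_response = parameter_client.get_parameter(Name=parameter)
    if not parameter_response:
        sys.exit("Parameter Store value is not set, so exiting.")
    # Log the name only; parameter values are configuration and should not be
    # copied into CloudWatch logs by a generic helper.
    logger.debug('Read parameter %s from Parameter Store', parameter)
    return parameter_response


def handler(event, context):
    """Lambda entry point: resolve the source bucket for a copy request.

    ``event`` is expected to carry (test event shape from the original):
        {
          "filename": "1008926332-catbert.gif",
          "user_name": "secure_repo_centos/rocky/ubuntu (etc...)",
          "bucket_ref": "secure_repo_centos"
        }

    ``bucket_ref`` is used only as a key into the JSON object held in the
    ``SaiSecureRepoSourceBucket`` parameter. Callers can therefore choose among
    the configured buckets but cannot name an arbitrary bucket, and do not
    need Parameter Store access themselves. Note the event itself is not
    authenticated here: permission to invoke the function is the trust
    boundary - TODO confirm that invoke permission is scoped accordingly.

    Args:
        event: Invocation event (see above). ``None``/empty falls back to the
            canned test event.
        context: Lambda context; unused.

    Returns:
        None. Prints the resolved bucket (kept from the original).

    Raises:
        KeyError: a required event field is missing, or ``bucket_ref`` is not
            one of the configured keys.
        ValueError: the parameter value does not decode to a JSON object (for
            example when it was double-encoded on the Terraform side).
    """
    if not event:
        event = _TEST_EVENT

    # username and file_to_copy are not consumed in this listing; presumably
    # the copy step follows. Before file_to_copy is used as an S3 key it
    # should be validated (no '..', no leading '/') - TODO confirm downstream.
    username = event['user_name']
    file_to_copy = event['filename']
    bucket_ref = event['bucket_ref']

    source_bucket_raw = read_parameter(Parameter_source_bucket)
    # Parameter Store returns a string; it must decode to a JSON object
    # (bucket_ref -> bucket name), otherwise the allow-list lookup below is
    # meaningless.
    source_bucket_dict = json.loads(source_bucket_raw['Parameter']['Value'])
    if not isinstance(source_bucket_dict, dict):
        raise ValueError(
            "Parameter %s must hold a JSON object mapping bucket_ref to bucket name"
            % Parameter_source_bucket)
    if bucket_ref not in source_bucket_dict:
        # Keep the caller-supplied value out of the error text so it is not
        # echoed into logs.
        raise KeyError("bucket_ref is not one of the configured source buckets")
    source_bucket = source_bucket_dict[bucket_ref]
    print("Source Bucket is:-", source_bucket)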