add prod env

mozilla-iam · Jun 11, 2019 · a5a6971 · a5a6971
1 parent 27c9d13
commit a5a6971
Show file tree

Hide file tree

Showing 5 changed files with 86 additions and 0 deletions.
diff --git a/k8s/values/prod.yaml b/k8s/values/prod.yaml
@@ -1,2 +1,3 @@
 env: prod
 namespace: dinopark-prod
+assume_role: arn:aws:iam::320464205386:role/dino-park-whoami-role-prod-us-west-2
diff --git a/terraform/prod/data.tf b/terraform/prod/data.tf
@@ -0,0 +1 @@
+data "aws_caller_identity" "current" {}
diff --git a/terraform/prod/provider.tf b/terraform/prod/provider.tf
@@ -0,0 +1,17 @@
+#---
+# Provider Configuration
+#---
+
+provider "aws" {
+  region  = "us-west-2"
+}
+
+terraform {
+  required_version = "~> 0.11"
+
+  backend "s3" {
+    bucket = "eks-terraform-shared-state"
+    key    = "prod/us-west-2/apps/dino-park-whoami-prod/terraform.tfstate"
+    region = "us-west-2"
+  }
+}
diff --git a/terraform/prod/ssm.tf b/terraform/prod/ssm.tf
@@ -0,0 +1,59 @@
+resource "aws_iam_role" "dino_park_whoami_role" {
+  name = "dino-park-whoami-role-${var.environment}-${var.region}"
+
+  assume_role_policy = <<EOF
+{
+   "Version": "2012-10-17",
+   "Statement": [
+     {
+      "Effect": "Allow",
+      "Principal": {
+       "Service": "ec2.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+     },
+     {
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/kubernetes-prod-us-west-220181206181410238800000005"
+       },
+       "Action": "sts:AssumeRole"
+      }
+   ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "dino_park_whoami_ssm_access" {
+  name        = "dino-park-whoami-ssm-access-${var.environment}-${var.region}"
+  role        = "${aws_iam_role.dino_park_whoami_role.id}"
+
+  policy      = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Action": [
+                "ssm:GetParameterHistory",
+                "ssm:GetParametersByPath",
+                "ssm:GetParameters",
+                "ssm:GetParameter"
+            ],
+            "Resource": [
+                "arn:aws:ssm:us-west-2:${data.aws_caller_identity.current.account_id}:parameter/iam/cis/production/*"
+            ],
+            "Effect": "Allow"
+        },
+        {
+            "Action": [
+                "kms:Decrypt"
+            ],
+            "Resource": [
+                "arn:aws:kms:us-west-2:320464205386:key/ef00015d-739b-456d-a92f-482712af4f32"
+            ],
+            "Effect": "Allow"
+        }
+    ]
+}
+EOF
+}
diff --git a/terraform/prod/variables.tf b/terraform/prod/variables.tf
@@ -0,0 +1,8 @@
+variable "environment" {
+  default = "prod"
+}
+
+variable "region" {
+  default = "us-west-2"
+}
+