-
-
Notifications
You must be signed in to change notification settings - Fork 4
/
main.tf
117 lines (98 loc) · 3.28 KB
/
main.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
resource "aws_iam_user" "mail" {
name = var.name
tags = var.tags
}
resource "aws_iam_user_policy_attachment" "send_mail" {
policy_arn = aws_iam_policy.send_mail.arn
user = aws_iam_user.mail.name
}
resource "aws_iam_policy" "send_mail" {
name = "${var.name}-send-mail"
policy = data.aws_iam_policy_document.send_mail.json
tags = var.tags
}
data "aws_iam_policy_document" "send_mail" {
statement {
actions = ["ses:SendRawEmail"]
resources = [local.ses_identity_arn]
}
}
module "secret" {
source = "github.com/thoughtbot/terraform-aws-secrets//secret?ref=v0.8.0"
admin_principals = var.admin_principals
description = "SMTP username and password for ${var.name}"
name = "${var.name}-credentials"
read_principals = var.read_principals
resource_tags = var.tags
trust_tags = var.trust_tags
initial_value = jsonencode({
AWS_SES_SOURCE_ARN = local.ses_identity_arn
SMTP_ADDRESS = "email-smtp.${local.region}.amazonaws.com"
SMTP_AUTH = "plain"
SMTP_DOMAIN = var.domain
SMTP_PASSWORD = ""
SMTP_PORT = 587
SMTP_REGION = local.region
SMTP_SECRET = ""
SMTP_USERNAME = ""
})
}
module "rotation" {
source = "github.com/thoughtbot/terraform-aws-secrets//secret-rotation-function?ref=v0.8.0"
handler = "lambda_function.lambda_handler"
role_arn = module.secret.rotation_role_arn
runtime = "python3.8"
secret_arn = module.secret.arn
security_group_ids = aws_security_group.function[*].id
source_file = "${path.module}/rotation/lambda_function.py"
subnet_ids = var.subnet_ids
variables = { USERNAME = aws_iam_user.mail.name }
}
resource "aws_security_group" "function" {
count = var.vpc_id == null ? 0 : 1
description = "Security group for rotation ${var.name} credentials"
name_prefix = "${var.name}-rotation"
tags = var.tags
vpc_id = var.vpc_id
lifecycle {
create_before_destroy = true
}
}
resource "aws_security_group_rule" "function_egress" {
count = var.vpc_id == null ? 0 : 1
cidr_blocks = ["0.0.0.0/0"]
description = "Allow all egress"
from_port = 0
protocol = "-1"
security_group_id = aws_security_group.function[count.index].id
to_port = 0
type = "egress"
}
resource "aws_iam_role_policy_attachment" "access_keys" {
policy_arn = aws_iam_policy.access_keys.arn
role = module.secret.rotation_role_name
}
resource "aws_iam_policy" "access_keys" {
description = "Rotate AWS IAM access keys for SMTP"
name = "${var.name}-access-keys"
policy = data.aws_iam_policy_document.access_keys.json
tags = var.tags
}
data "aws_iam_policy_document" "access_keys" {
statement {
sid = "RotateAccessKey"
actions = [
"iam:CreateAccessKey",
"iam:DeleteAccessKey",
"iam:ListAccessKeys"
]
resources = [aws_iam_user.mail.arn]
}
}
data "aws_region" "this" {}
data "aws_caller_identity" "this" {}
locals {
account_id = coalesce(var.identity_account_id, data.aws_caller_identity.this.account_id)
region = data.aws_region.this.name
ses_identity_arn = "arn:aws:ses:${local.region}:${local.account_id}:identity/${var.domain}"
}