-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathmain.tf
124 lines (106 loc) · 3.49 KB
/
main.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
module "lambda" {
source = "terraform-aws-modules/lambda/aws"
version = "6.4.0"
function_name = "${local.name}"
runtime = "nodejs20.x"
handler = "lambda.handler"
source_path = [
"${path.module}/functions/dist/lambda.js",
"${path.module}/functions/dist/lambda.js.map"
]
publish = true
environment_variables = {
TAG_KEY_PREFIX = "${var.tagkey_prefix}"
CLAIMS_ALLOW_LIST = "${var.claims_allowlist}"
PERMITTED_GITHUB_OWNER = "${var.permitted_github_owner}"
API_URL_ARTIFACTORY = "${var.api_url_artifactory}"
API_URL_SONARQUBE = "${var.api_url_sonarqube}"
}
attach_policy_statements = true
policy_statements = {
secretsmanager = {
effect = "Allow",
actions = ["secretsmanager:GetSecretValue"],
resources = [aws_secretsmanager_secret_version.admintokens.arn]
}
}
allowed_triggers = {
APIGatewayAny = {
service = "apigateway"
source_arn = "${module.api_gateway.apigatewayv2_api_execution_arn}/*/*"
}
}
}
module "api_gateway" {
source = "terraform-aws-modules/apigateway-v2/aws"
version = "2.2.2"
name = "${local.name}"
protocol_type = "HTTP"
create_api_domain_name = var.domain_name != ""
domain_name = var.domain_name
domain_name_certificate_arn = var.domain_name_certificate_arn
default_stage_access_log_destination_arn = aws_cloudwatch_log_group.logs.arn
default_stage_access_log_format = replace(<<EOT
{
"requestId":"$context.requestId",
"ip": "$context.identity.sourceIp",
"requestTime":"$context.requestTime",
"httpMethod":"$context.httpMethod",
"routeKey":"$context.routeKey",
"status":"$context.status",
"protocol":"$context.protocol",
"responseLength":"$context.responseLength",
"error":"$context.authorizer.error",
"aud":"$context.authorizer.claims.aud",
"sub":"$context.authorizer.claims.sub",
"job_workflow_ref":"$context.authorizer.claims.job_workflow_ref"
}
EOT
, "\n", " ")
default_route_settings = {
detailed_metrics_enabled = true
throttling_burst_limit = 100
throttling_rate_limit = 100
}
cors_configuration = {
allow_headers = ["content-type", "x-amz-date", "authorization", "x-api-key", "x-amz-security-token", "x-amz-user-agent"]
allow_methods = ["*"]
allow_origins = ["*"]
}
integrations = {
"$default" = {
lambda_arn = module.lambda.lambda_function_arn
payload_format_version = "2.0"
authorizer_key = "github"
}
}
authorizers = {
"github" = {
authorizer_type = "JWT"
identity_sources = "$request.header.Authorization"
name = "github"-auth
audience = ["autoken"]
issuer = "https://token.actions.githubusercontent.com"
}
}
}
resource "aws_cloudwatch_log_group" "logs" {
name = "${local.name}"
}
resource "aws_secretsmanager_secret" "adminTokens" {
name = "${local.name}"
}
resource "aws_secretsmanager_secret_version" "admintokens" {
secret_id = aws_secretsmanager_secret.adminTokens.id
secret_string = jsonencode({
sonarqube: var.admin_token_sonarqube,
artifactory: var.admin_token_artifactory
})
}
resource "random_pet" "this" {
length = 2
}
locals {
postfix = var.postfix ? "-${var.postfix}" : "-${random_pet.this.id}"
name = "${var.prefix}autoken${local.postfix}"
}