
Commit 7ce3f7a

authored
Merge pull request #40 from commitdev/add-cloudfront-invalidation-support-for-ci
Allow ci user to invalidate cloudfront
2 parents 0806f59 + a8af068 commit 7ce3f7a

3 files changed

+48
-27
lines changed

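--- a/Makefile
+++ b/Makefile
@@ -4,47 +4,49 @@ apply: apply-remote-state apply-secrets apply-env apply-k8s-utils
 
 ## remove state file only if exit code 0 from terraform apply
 apply-remote-state:
-pushd terraform/bootstrap/remote-state; \
-terraform init; \
-terraform apply -var "environment=$(ENV)" && rm ./terraform.tfstate;
+pushd terraform/bootstrap/remote-state && \
+terraform init && \
+terraform apply -var "environment=$(ENV)" && \
+rm ./terraform.tfstate
 
 apply-secrets:
-pushd terraform/bootstrap/secrets; \
-terraform init; \
-terraform apply && rm terraform.tfstate;
+pushd terraform/bootstrap/secrets && \
+terraform init && \
+terraform apply && \
+rm ./terraform.tfstate
 
 apply-env:
 pushd terraform/environments/$(ENV); \
-terraform init; \
+terraform init && \
 terraform apply
 
 apply-k8s-utils: update-k8s-conf
-pushd kubernetes/terraform/environments/$(ENV); \
-terraform init; \
+pushd kubernetes/terraform/environments/$(ENV) && \
+terraform init && \
 terraform apply
 
-update-k8s-conf:
+update-k8s-conf:
 aws eks --region <% index .Params `region` %> update-kubeconfig --name <% .Name %>-$(ENV)-<% index .Params `region` %>
 
 teardown: teardown-k8s-utils teardown-env teardown-secrets teardown-remote-state
 
 teardown-remote-state:
-export AWS_PAGER=''; \
-aws s3 rb s3://<% .Name %>-$(ENV)-terraform-state --force; \
-aws dynamodb delete-table --table-name <% .Name %>-$(ENV)-terraform-state-locks;
+export AWS_PAGER='' && \
+aws s3 rb s3://<% .Name %>-$(ENV)-terraform-state --force && \
+aws dynamodb delete-table --table-name <% .Name %>-$(ENV)-terraform-state-locks
 
 teardown-secrets:
-export AWS_PAGER=''; \
-aws secretsmanager list-secrets --query "SecretList[?Tags[?Key=='project' && Value=='<% .Name %>']].[Name]" | jq '.[] [0]' | xargs aws secretsmanager delete-secret --secret-id; \
-aws iam delete-access-key --user-name <% .Name %>-ci-user --access-key-id $(shell aws iam list-access-keys --user-name <% .Name %>-ci-user --query "AccessKeyMetadata[0].AccessKeyId" | sed 's/"//g'); \
-aws iam delete-user --user-name <% .Name %>-ci-user;
+export AWS_PAGER='' && \
+aws secretsmanager list-secrets --query "SecretList[?Tags[?Key=='project' && Value=='<% .Name %>']].[Name] | [0][0]" | xargs aws secretsmanager delete-secret --secret-id && \
+aws iam delete-access-key --user-name <% .Name %>-ci-user --access-key-id $(shell aws iam list-access-keys --user-name <% .Name %>-ci-user --query "AccessKeyMetadata[0].AccessKeyId" | sed 's/"//g') && \
+aws iam delete-user --user-name <% .Name %>-ci-user
 
 teardown-env:
-pushd terraform/environments/$(ENV); \
-terraform destroy -auto-approve;
+pushd terraform/environments/$(ENV) && \
+terraform destroy
 
 teardown-k8s-utils:
-pushd kubernetes/terraform/environments/$(ENV); \
-terraform destroy;
+pushd kubernetes/terraform/environments/$(ENV) && \
+terraform destroy
 
 .PHONY: apply apply-remote-state apply-secrets apply-env apply-k8s-utils teardown-k8s-utils teardown-env teardown-secrets teardown-remote-state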
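Review bot: `apply-env` still ends its `pushd terraform/environments/$(ENV)` line with `;` (unchanged line 17) while every other target was switched to `&&`, so a wrong or missing `ENV` leaves `terraform init && terraform apply` running in the repository root instead of aborting; change it to `pushd terraform/environments/$(ENV) && \`. `pushd` is a bash builtin and Make's default shell is `/bin/sh`, so unless the lines above this hunk set `SHELL := bash` these recipes fail on hosts where `sh` is dash. In `teardown-secrets` the key id comes from a Make-level `$(shell aws iam list-access-keys …)` that is expanded before the recipe's `export AWS_PAGER=''` runs and only looks at `AccessKeyMetadata[0]`; with the new `&&` chaining, a user that has zero or two keys stops the chain before `aws iam delete-user`, so consider `--output text` and iterating over all key ids inside the recipe. The `| [0][0]` in the secretsmanager query also appears to narrow deletion to a single secret where the old `jq '.[] [0]'` handled every match — if one secret per project is intended, a comment on that line would save the next reader the same question.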

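--- a/terraform/modules/environment/iam.tf
+++ b/terraform/modules/environment/iam.tf
@@ -59,8 +59,8 @@ resource "aws_iam_user_policy_attachment" "ci_user_list_and_describe_policy" {
 policy_arn = aws_iam_policy.eks_list_and_describe_policy.arn
 }
 
-# Allow the CI user read/write access to the frontend assets bucket
-data "aws_iam_policy_document" "read_write_s3_policy" {
+# Allow the CI user read/write access to the frontend assets bucket and CF invalidations
+data "aws_iam_policy_document" "deploy_assets_policy" {
 statement {
 actions = [
 "s3:ListBucket",
@@ -77,14 +77,29 @@ data "aws_iam_policy_document" "read_write_s3_policy" {
 
 resources = formatlist("arn:aws:s3:::%s/*", var.s3_hosting_buckets)
 }
+
+statement {
+actions = [
+"cloudfront:ListDistributions",
+]
+
+resources = ["*"]
+}
+
+statement {
+actions = [
+"cloudfront:CreateInvalidation",
+]
+resources = formatlist("arn:aws:cloudfront::%s:distribution/%s", data.aws_caller_identity.current.account_id, module.s3_hosting.cloudfront_distribution_ids)
+}
 }
 
-resource "aws_iam_policy" "read_write_s3_policy" {
-name = "${var.project}_ci_s3_policy"
-policy = data.aws_iam_policy_document.read_write_s3_policy.json
+resource "aws_iam_policy" "deploy_assets_policy" {
+name = "${var.project}_ci_deploy_assets_policy"
+policy = data.aws_iam_policy_document.deploy_assets_policy.json
 }
 
 resource "aws_iam_user_policy_attachment" "ci_s3_policy" {
 user = data.aws_iam_user.ci_user.user_name
-policy_arn = aws_iam_policy.read_write_s3_policy.arn
+policy_arn = aws_iam_policy.deploy_assets_policy.arn
 }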
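Review bot: Renaming the policy resource and changing its `name` to `${var.project}_ci_deploy_assets_policy` (new lines 97–98) replaces the managed policy, and since `policy_arn` forces a new `aws_iam_user_policy_attachment`, the CI user is likely to have no S3/CloudFront policy between the old attachment's destroy and the new one's create; if that window matters for in-flight deploys, add `lifecycle { create_before_destroy = true }` to the attachment or keep the previous `name`. The attachment is still labelled `ci_s3_policy` (line 102) although it now also grants CloudFront actions — renaming it to match `deploy_assets_policy` keeps the file self-describing. `data.aws_caller_identity.current` at new line 93 is not declared in this hunk, so the plan only works if the module already contains `data "aws_caller_identity" "current" {}`. The `cloudfront:CreateInvalidation` statement is correctly limited to the module's own distribution ARNs, whereas `cloudfront:ListDistributions` has no resource-level scope and must stay on `"*"`; a comment such as `# ListDistributions does not support resource-level permissions` next to `resources = ["*"]` would stop a later least-privilege pass from breaking CI. The policy document block opens in the first hunk and closes in the second.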
Lines changed: 4 additions & 0 deletions
@@ -0,0 +1,4 @@
1+
output "cloudfront_distribution_ids" {
2+
description = "Identifiers of the created cloudfront distributions"
3+
value = values(aws_cloudfront_distribution.client_assets_distribution)[*].id
4+
}
