#!/usr/bin/env python
"""Module with Terraform state resources."""
from __future__ import print_function
import awacs.dynamodb
import awacs.s3
from awacs.aws import Allow, PolicyDocument, Statement
from troposphere import Equals, If, Join, NoValue, Or, Output, dynamodb, iam, s3
from runway.cfngin.blueprints.base import Blueprint
from runway.cfngin.blueprints.variables.types import CFNString
[docs]class TfState(Blueprint):
"""Stacker blueprint for creating Terraform state resources."""
VARIABLES = {
"BucketName": {
"type": CFNString,
"description": "(optional) Name for the S3 bucket",
"default": "",
},
"TableName": {
"type": CFNString,
"description": "(optional) Name for the DynamoDB table",
"default": "",
},
}
[docs] def create_template(self):
"""Create template (main function called by Stacker)."""
template = self.template
variables = self.get_variables()
self.template.set_version("2010-09-09")
self.template.set_description("Terraform State Resources")
# Conditions
for i in ["BucketName", "TableName"]:
template.add_condition(
"%sOmitted" % i,
Or(Equals(variables[i].ref, ""), Equals(variables[i].ref, "undefined")),
)
# Resources
terraformlocktable = template.add_resource(
dynamodb.Table(
"TerraformStateTable",
AttributeDefinitions=[
dynamodb.AttributeDefinition(
AttributeName="LockID", AttributeType="S"
)
],
KeySchema=[dynamodb.KeySchema(AttributeName="LockID", KeyType="HASH")],
ProvisionedThroughput=dynamodb.ProvisionedThroughput(
ReadCapacityUnits=2, WriteCapacityUnits=2
),
TableName=If("TableNameOmitted", NoValue, variables["TableName"].ref),
)
)
template.add_output(
Output(
"%sName" % terraformlocktable.title,
Description="Name of DynamoDB table for Terraform state",
Value=terraformlocktable.ref(),
)
)
terraformstatebucket = template.add_resource(
s3.Bucket(
"TerraformStateBucket",
DeletionPolicy="Retain",
AccessControl=s3.Private,
BucketName=If(
"BucketNameOmitted", NoValue, variables["BucketName"].ref
),
LifecycleConfiguration=s3.LifecycleConfiguration(
Rules=[
s3.LifecycleRule(
NoncurrentVersionExpirationInDays=90, Status="Enabled"
)
]
),
VersioningConfiguration=s3.VersioningConfiguration(Status="Enabled"),
)
)
template.add_output(
Output(
"%sName" % terraformstatebucket.title,
Description="Name of bucket storing Terraform state",
Value=terraformstatebucket.ref(),
)
)
template.add_output(
Output(
"%sArn" % terraformstatebucket.title,
Description="Arn of bucket storing Terraform state",
Value=terraformstatebucket.get_att("Arn"),
)
)
managementpolicy = template.add_resource(
iam.ManagedPolicy(
"ManagementPolicy",
Description="Managed policy for Terraform state management.",
Path="/",
PolicyDocument=PolicyDocument(
Version="2012-10-17",
Statement=[
# https://www.terraform.io/docs/backends/types/s3.html#s3-bucket-permissions
Statement(
Action=[awacs.s3.ListBucket],
Effect=Allow,
Resource=[terraformstatebucket.get_att("Arn")],
),
Statement(
Action=[awacs.s3.GetObject, awacs.s3.PutObject],
Effect=Allow,
Resource=[
Join("", [terraformstatebucket.get_att("Arn"), "/*"])
],
),
Statement(
Action=[
awacs.dynamodb.GetItem,
awacs.dynamodb.PutItem,
awacs.dynamodb.DeleteItem,
],
Effect=Allow,
Resource=[terraformlocktable.get_att("Arn")],
),
],
),
)
)
template.add_output(
Output(
"PolicyArn",
Description="Managed policy Arn",
Value=managementpolicy.ref(),
)
)
# Helper section to enable easy blueprint -> template generation
# (just run `python <thisfile>` to output the json)
if __name__ == "__main__":
from runway.cfngin.context import Context
print(TfState("test", Context({"namespace": "test"}), None).to_json())