#############################################################
# Locals
#############################################################
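locals {
  # SSM parameter name for the runner auth token: the caller-supplied path
  # when given, otherwise a path derived from the auth_token label module's id.
  #tfsec:ignore:GEN002
  authentication_token_ssm_param = var.authentication_token_ssm_param != null ? var.authentication_token_ssm_param : "/${module.auth_token_ssm_param_label.id}"

  # True when the caller supplied a customer-managed KMS key for the parameter;
  # gates the aws_kms_key lookup used as the parameter's key_id.
  #tfsec:ignore:GEN002
  authentication_token_ssm_param_kms_key_provided = var.authentication_token_ssm_param_kms_key != null
}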
#############################################################
# Labels
#############################################################
# Base naming/tagging context; derived labels in this module inherit it via `context`.
module "default_label" {
  source  = "cloudposse/label/null"
  version = "0.25.0"

  namespace  = var.namespace
  stage      = var.stage
  name       = var.name
  attributes = var.attributes
  delimiter  = var.delimiter
  tags       = var.tags
}
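# Builds the SSM parameter path for the runner auth token when the caller did
# not supply one; disabled whenever var.authentication_token_ssm_param is set.
module "auth_token_ssm_param_label" {
  source  = "cloudposse/label/null"
  version = "0.25.0"

  enabled = var.authentication_token_ssm_param == null
  context = module.default_label.context

  # "/" as delimiter makes the label id read as a hierarchical SSM path;
  # "auth_token" is appended to the base attributes to keep the name distinct.
  attributes = compact(concat(var.attributes, ["auth_token"]))
  delimiter  = "/"
}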
#############################################################
# Data sources
#############################################################
# Region of the configured provider; its name prefixes the availability zone lookup below.
data "aws_region" "default" {}
# Resolves the target availability zone and fails at plan time if it is not
# currently available in this region.
# NOTE(review): assumes var.availability_zone is only the zone suffix (e.g. "a"),
# since it is appended directly to the region name — confirm in variables.tf.
data "aws_availability_zone" "default" {
  state = "available"
  name  = "${data.aws_region.default.name}${var.availability_zone}"
}
# Current partition (e.g. aws, aws-cn, aws-us-gov); not referenced within this file.
data "aws_partition" "default" {
}
# Account/identity running the apply; not referenced within this file.
data "aws_caller_identity" "default" {
}
#############################################################
# SSM Param for storing runner's auth token
#############################################################
# The following is required mainly to be 100% sure that the runner will be
# unregistered from GitLab
# Looks up the caller-supplied customer-managed KMS key, if any, so the SSM
# parameter below can be encrypted with it. Zero instances when no key is given.
data "aws_kms_key" "authentication_token" {
  key_id = var.authentication_token_ssm_param_kms_key
  count  = local.authentication_token_ssm_param_kms_key_provided ? 1 : 0
}
# Encrypted SSM parameter that holds the runner's GitLab authentication token.
# Terraform only provisions the slot with a placeholder; the real token is
# presumably written later by the runner registration outside Terraform, which
# is why `value` is excluded from drift detection below.
resource "aws_ssm_parameter" "authentication_token" {
  type = "SecureString"
  name = local.authentication_token_ssm_param

  # Placeholder only; it is never a valid token and is intentionally not
  # restored if the stored value changes.
  value = "empty"

  # Empty string when no customer-managed key was supplied; in that case the
  # parameter falls back to the AWS-managed SSM key (assumed — confirm against
  # the provider docs if a CMK is a hard requirement).
  key_id = join("", data.aws_kms_key.authentication_token[*].arn)
  tags   = module.default_label.tags

  lifecycle {
    # Never overwrite the out-of-band token with the placeholder on re-apply.
    ignore_changes = [value]
  }
}
#############################################################
# Service-Linked Roles
#############################################################
# Service-linked role for EC2 Spot, created only on request.
# NOTE(review): service-linked roles are presumably account-wide singletons, so
# leave the flag off if one already exists in the account.
resource "aws_iam_service_linked_role" "spot" {
  aws_service_name = "spot.amazonaws.com"
  count            = var.create_spot_service_linked_role ? 1 : 0
}
# Service-linked role for EC2 Auto Scaling, created only on request.
# NOTE(review): presumably a per-account singleton as well — confirm before
# enabling in accounts that already have it.
resource "aws_iam_service_linked_role" "autoscaling" {
  aws_service_name = "autoscaling.amazonaws.com"
  count            = var.create_autoscaling_service_linked_role ? 1 : 0
}