
Commit 0ab92b9

committed
adding new resources reviewed
1 parent 6ea00e5 commit 0ab92b9


5 files changed

+61
-166
lines changed


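--- a/05-iac/00-terraform/04-usando-inputs-outputs/03-demo.md
+++ b/05-iac/00-terraform/04-usando-inputs-outputs/03-demo.md
@@ -16,7 +16,7 @@ terraform apply "d1.tfplan"
 
 Crear `./lab/lc_web_app/locals.tf`.
 
-```tf
+```ini
 locals {
 common_tags = {
 
@@ -31,7 +31,7 @@ Queremos añadir 3 valores, `company`, `project` y `billing_code`. Vamos a sacar
 
 Actualizamos `variables.tf`
 
-```tf
+```ini
 # ....
 # COMMON
 variable "company" {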

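--- a/05-iac/00-terraform/04-usando-inputs-outputs/04-demo.md
+++ b/05-iac/00-terraform/04-usando-inputs-outputs/04-demo.md
@@ -12,15 +12,15 @@ terraform apply "d1.tfplan"
 
 Creamos `./lab/lc_web_app/outputs.tf`
 
-```tf
+```ini
 output "aws_instance_public_dns" {
 
 }
 ```
 
 Para la entrada tomamos el valor expuesto por la instacia en `main.tf`
 
-```tf
+```ini
 resource "aws_instance" "nginx1" {
 ```
 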

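--- a/05-iac/00-terraform/05-incorporando-recursos/07-demo.md
+++ b/05-iac/00-terraform/05-incorporando-recursos/07-demo.md
@@ -70,7 +70,7 @@ EOF
 
 Actualizamos `loadbalancer.tf`
 
-```tf
+```ini
 ## aws_lb
 
 ## aws_lb_target_group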

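--- a/05-iac/00-terraform/06-incorporando-nuevos-providers/15-demo.md
+++ b/05-iac/00-terraform/06-incorporando-nuevos-providers/15-demo.md
@@ -49,7 +49,7 @@ Debemos añadir el servicio en si mismo también `delivery.logs.amazonaws.com`
 
 Por último el servicio necesita acceso al ACL del Bucket
 
-1. Introducimos como `Principal` - `Service`
+1. Introducimos como `Principal` - `elb`
 2. Seleccionamos la acción de `PutObject`
 3. Introducimos como Amazon Resource Name `arn:aws:s3:::${BucketName}/${KeyName}`
 4. Click en `Add Statement`
@@ -58,50 +58,19 @@ Ya estamos listos para generar la `Policy`, hacemos click en `Generate Policy`,
 
 ```json
 {
-"Id": "Policy1639995384326",
+"Id": "Policy1671300749955",
 "Version": "2012-10-17",
 "Statement": [
 {
-"Sid": "Stmt1639993445416",
-"Action": [
-"s3:PutObject"
-],
-"Effect": "Allow",
-"Resource": "arn:aws:s3:::${BucketName}/${KeyName}",
-"Principal": {
-"AWS": [
-"AWS"
-]
-}
-},
-{
-"Sid": "Stmt1639994327284",
+"Sid": "Stmt1671300748312",
 "Action": [
 "s3:PutObject"
 ],
 "Effect": "Allow",
 "Resource": "arn:aws:s3:::${BucketName}/${KeyName}",
-"Condition": {
-"StringEquals": {
-"s3:x-amz-acl": "bucket-owner-full-control"
-}
-},
 "Principal": {
 "AWS": [
-"Service"
-]
-}
-},
-{
-"Sid": "Stmt1639994660593",
-"Action": [
-"s3:GetBucketAcl"
-],
-"Effect": "Allow",
-"Resource": "arn:aws:s3:::${BucketName}/${KeyName}",
-"Principal": {
-"AWS": [
-"Service"
+"elb"
 ]
 }
 }
@@ -113,64 +82,24 @@ Ahora a partir de este esqueleto vamos a generar, el json que necesitamos
 
 ```diff
 {
-- "Id": "Policy1639995384326",
+- "Id": "Policy1671300749955",
++ "Id": "Policy",
 "Version": "2012-10-17",
 "Statement": [
 {
-- "Sid": "Stmt1639993445416",
+- "Sid": "Stmt1671300748312",
 "Action": [
 "s3:PutObject"
 ],
 "Effect": "Allow",
 - "Resource": "arn:aws:s3:::${BucketName}/${KeyName}",
 + "Resource": "arn:aws:s3:::${local.s3_bucket_name}/alb-logs/*",
-- "Principal": {
-- "AWS": [
-- "AWS"
-- ]
-- }
-+ "Principal": {
-+ "AWS": "${data.aws_elb_service_account.root.arn}"
-+ }
-},
-{
-- "Sid": "Stmt1639994327284",
-"Action": [
-"s3:PutObject"
-],
-"Effect": "Allow",
-- "Resource": "arn:aws:s3:::${BucketName}/${KeyName}",
-+ "Resource": "arn:aws:s3:::${local.s3_bucket_name}/alb-logs/*",
-"Condition": {
-"StringEquals": {
-"s3:x-amz-acl": "bucket-owner-full-control"
-}
-},
-- "Principal": {
-- "AWS": [
-- "Service"
-- ]
-- }
-+ "Principal": {
-+ "Service": "delivery.logs.amazonaws.com"
-+ }
-},
-{
-- "Sid": "Stmt1639994660593",
-"Action": [
-"s3:GetBucketAcl"
-],
-"Effect": "Allow",
-- "Resource": "arn:aws:s3:::${BucketName}/${KeyName}",
-+ "Resource": "arn:aws:s3:::${local.s3_bucket_name}",
-- "Principal": {
-- "AWS": [
-- "Service"
-- ]
-- }
-+ "Principal": {
-+ "Service": "delivery.logs.amazonaws.com"
-+ }
+"Principal": {
+"AWS": [
+- "elb"
++ "${data.aws_elb_service_account.root.arn}"
+]
+}
 }
 ]
 }
@@ -180,6 +109,7 @@ The final `json` looks like:
 
 ```json
 {
+"Id": "Policy",
 "Version": "2012-10-17",
 "Statement": [
 {
@@ -189,32 +119,9 @@ The final `json` looks like:
 "Effect": "Allow",
 "Resource": "arn:aws:s3:::${local.s3_bucket_name}/alb-logs/*",
 "Principal": {
-"AWS": "${data.aws_elb_service_account.root.arn}"
-}
-},
-{
-"Action": [
-"s3:PutObject"
-],
-"Effect": "Allow",
-"Resource": "arn:aws:s3:::${local.s3_bucket_name}/alb-logs/*",
-"Condition": {
-"StringEquals": {
-"s3:x-amz-acl": "bucket-owner-full-control"
-}
-},
-"Principal": {
-"Service": "delivery.logs.amazonaws.com"
-}
-},
-{
-"Action": [
-"s3:GetBucketAcl"
-],
-"Effect": "Allow",
-"Resource": "arn:aws:s3:::${local.s3_bucket_name}",
-"Principal": {
-"Service": "delivery.logs.amazonaws.com"
+"AWS": [
+"${data.aws_elb_service_account.root.arn}"
+]
 }
 }
 ]
@@ -229,11 +136,23 @@ Actualizamos `s3.tf`
 # aws_s3_bucket
 resource "aws_s3_bucket" "web_bucket" {
 bucket = local.s3_bucket_name
-acl = "private"
 force_destroy = true
 
+tags = local.common_tags
+}
+
+# aws_s3_bucket_acl
+resource "aws_s3_bucket_acl" "web_bucket_acl" {
+bucket = aws_s3_bucket.web_bucket.id
+acl = "private"
+}
+
+# aws_s3_bucket_policy
+resource "aws_s3_bucket_policy" "allow_elb_logging" {
+bucket = aws_s3_bucket.web_bucket.id
 policy = <<POLICY
 {
+"Id": "Policy",
 "Version": "2012-10-17",
 "Statement": [
 {
@@ -243,43 +162,16 @@ resource "aws_s3_bucket" "web_bucket" {
 "Effect": "Allow",
 "Resource": "arn:aws:s3:::${local.s3_bucket_name}/alb-logs/*",
 "Principal": {
-"AWS": "${data.aws_elb_service_account.root.arn}"
-}
-},
-{
-"Action": [
-"s3:PutObject"
-],
-"Effect": "Allow",
-"Resource": "arn:aws:s3:::${local.s3_bucket_name}/alb-logs/*",
-"Condition": {
-"StringEquals": {
-"s3:x-amz-acl": "bucket-owner-full-control"
-}
-},
-"Principal": {
-"Service": "delivery.logs.amazonaws.com"
-}
-},
-{
-"Action": [
-"s3:GetBucketAcl"
-],
-"Effect": "Allow",
-"Resource": "arn:aws:s3:::${local.s3_bucket_name}",
-"Principal": {
-"Service": "delivery.logs.amazonaws.com"
+"AWS": [
+"${data.aws_elb_service_account.root.arn}"
+]
 }
 }
 ]
 }
 POLICY
-
-tags = local.common_tags
 }
 
-# aws_s3_bucket_object
-
 # aws_iam_role
 
 # aws_iam_role_policy
@@ -291,41 +183,38 @@ resource "aws_s3_bucket" "web_bucket" {
 * Tomamos el nombre del bucket de local
 * Establecemos `acl` como privado
 * Establecemos `force_destroy` para que Terraform lo elimine en el `destroy`
-* Policy
-* En el statement para la `bucket policy`, queremos permitir al balenceador de carga y al `delivery service logs` acceso al bucket de S3. Esto lo hacemos utilizando `Allow`, y vamos a referenciar como principal, nuestra cuenta de servicio `Elastic Load Balancer` desde `data source`. Recordar que esto lo hemos declarado en `loadbalancer.tf`, como la entrada `data "aws_elb_service_account" "root" {}`, este es el `data source` que necesitará referenciar la `service account` usada por el `Elastic Load Balancer` en nuestra región.
+* En el `resource` para la `bucket policy`, queremos permitir al balenceador de carga y al `delivery service logs` acceso al bucket de S3. Esto lo hacemos utilizando `Allow`, y vamos a referenciar como principal, nuestra cuenta de servicio `Elastic Load Balancer` desde `data source`. Recordar que esto lo hemos declarado en `loadbalancer.tf`, como la entrada `data "aws_elb_service_account" "root" {}`, este es el `data source` que necesitará referenciar la `service account` usada por el `Elastic Load Balancer` en nuestra región.
+
 
-```json
-"Principal": {
-"AWS": "${data.aws_elb_service_account.root.arn}"
-},
-```
+```json
+"Principal": {
+"AWS": "${data.aws_elb_service_account.root.arn}"
+},
+```
 
 * Para la `action`, usamos `s3:PutObject`, y para el recurso le pasamos el nombre del bucket y el path, **alb-logs**. Esto da permisos `Elastic Load Balancer` para escribir en el path.
 
-```json
-"Action": "s3:PutObject",
-"Resource": "arn:aws:s3:::${local.s3_bucket_name}/alb-logs/*"
-```
-
-* Vamos a darle los mismos permisos al servicio `delivery.logs.amazonaws.com`, y además `s3:GetBucketAcl`
-
+```json
+"Action": "s3:PutObject",
+"Resource": "arn:aws:s3:::${local.s3_bucket_name}/alb-logs/*"
+```
 
 ### Paso 4. Alimentamos los objectos del Bucket
 
 Actualizamos `s3.tf`
 
 ```ini
 # ....
-# aws_s3_bucket_object
-resource "aws_s3_bucket_object" "website" {
+# aws_s3_object
+resource "aws_s3_object" "website" {
 bucket = aws_s3_bucket.web_bucket.bucket
 key = "/website/index.html"
 source = "./website/index.html"
 
 tags = local.common_tags
 }
 
-resource "aws_s3_bucket_object" "graphic" {
+resource "aws_s3_object" "graphic" {
 bucket = aws_s3_bucket.web_bucket.bucket
 key = "/website/fruits.png"
 source = "./website/fruits.png"
@@ -426,7 +315,7 @@ resource "aws_iam_role_policy" "allow_s3_all" {
 }
 ```
 
-Por útimo creamos el [perfil de instamcia](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html)
+Por útimo creamos el [perfil de instancia](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html)
 
 ```ini
 # aws_iam_instance_profile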

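--- a/05-iac/00-terraform/06-incorporando-nuevos-providers/17-demo.md
+++ b/05-iac/00-terraform/06-incorporando-nuevos-providers/17-demo.md
@@ -25,7 +25,10 @@ resource "aws_instance" "nginx1" {
 vpc_security_group_ids = [aws_security_group.nginx-sg.id]
 iam_instance_profile = aws_iam_instance_profile.nginx_profile.name
 depends_on = [
-aws_iam_role_policy.allow_s3_all
+- aws_iam_role_policy.allow_s3_all
++ aws_iam_role_policy.allow_s3_all,
++ aws_s3_object.website,
++ aws_s3_object.graphic
 ]
 
 user_data = <<EOF
@@ -51,7 +54,10 @@ resource "aws_instance" "nginx2" {
 vpc_security_group_ids = [aws_security_group.nginx-sg.id]
 iam_instance_profile = aws_iam_instance_profile.nginx_profile.name
 depends_on = [
-aws_iam_role_policy.allow_s3_all
+- aws_iam_role_policy.allow_s3_all
++ aws_iam_role_policy.allow_s3_all,
++ aws_s3_object.website,
++ aws_s3_object.graphic
 ]
 
 user_data = <<EOF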
