Home Verkennen Help
Registreren Inloggen
AFS
/
xdr-terraform-modules
2
0
Vork 0
Bestanden Issues 0 Pull-aanvragen 0 Wiki
Boom: 6683be31d8
Aftakkingen Labels
xdr-terraform-m...
/
base
/
codebuild_splunk_apps
/
cloudwatch.tf

cloudwatch.tf 2.5 KB
Geschiedenis Ruwe

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697 
  1. # creates a role and schedules a build for each server type
    2. 

  2. # 
    3. 

  3. # Being polite aws users, we randomize the schedule over the hours of the early morning
    4. 

  4. resource "random_integer" "hour" {
    5. 

  5.   min = 5  # Midnight ET
    6. 

  6.   max = 11 # 6am ET
    7. 

  7. }
    8. 

  8. 

  9. resource "random_integer" "minute" {
    10. 

  10.   min = 0
    11. 

  11.   max = 59
    12. 

  12. }
    13. 

  13. 

  14. resource "aws_cloudwatch_event_rule" "schedule_rule" {
    15. 

  15.   for_each = local.splunk_server_types
    16. 

  16. 

  17.   name                = "scheduled_build_${var.repository}_${each.value}"
    18. 

  18.   schedule_expression = "cron(${random_integer.minute.result} ${random_integer.hour.result} * * ? *)"
    19. 

  19. }
    20. 

  20. 

  21. resource "aws_iam_role" "codebuild_role" {
    22. 

  22.   name_prefix = "splunk_apps_codebuild_role"
    23. 

  23.   path        = "/aws_services/"
    24. 

  24. 

  25.   assume_role_policy = <<EOF
    26. 

  26. {
    27. 

  27.   "Version": "2012-10-17",
    28. 

  28.   "Statement": [
    29. 

  29.     {
    30. 

  30.       "Effect": "Allow",
    31. 

  31.       "Principal": {
    32. 

  32.         "Service": [
    33. 

  33.           "events.amazonaws.com",
    34. 

  34.           "codebuild.amazonaws.com"
    35. 

  35.         ]
    36. 

  36.       },
    37. 

  37.       "Action": "sts:AssumeRole"
    38. 

  38.     }
    39. 

  39.   ]
    40. 

  40. }
    41. 

  41. EOF
    42. 

  42. }
    43. 

  43. 

  44. resource "aws_iam_policy" "codebuild_policy" {
    45. 

  45.   name_prefix = "splunk_apps_policy"
    46. 

  46.   path        = "/aws_services/"
    47. 

  47. 

  48.   policy = <<POLICY
    49. 

  49. {
    50. 

  50.     "Version": "2012-10-17",
    51. 

  51.     "Statement": [
    52. 

  52.         {
    53. 

  53.             "Effect": "Allow",
    54. 

  54.             "Resource": [
    55. 

  55.                 "arn:${var.aws_partition}:logs:${var.aws_region}:${var.aws_account_id}:log-group:/aws/codebuild/*"
    56. 

  56.             ],
    57. 

  57.             "Action": [
    58. 

  58.                 "logs:CreateLogGroup",
    59. 

  59.                 "logs:CreateLogStream",
    60. 

  60.                 "logs:PutLogEvents"
    61. 

  61.             ]
    62. 

  62.         },
    63. 

  63.         {
    64. 

  64.            "Action": [
    65. 

  65.               "codebuild:StartBuild",
    66. 

  66.               "codebuild:StopBuild",
    67. 

  67.               "codebuild:BatchGet*",
    68. 

  68.               "codebuild:Get*",
    69. 

  69.               "codebuild:List*",
    70. 

  70.               "codecommit:GetBranch",
    71. 

  71.               "codecommit:GetCommit",
    72. 

  72.               "codecommit:GetRepository",
    73. 

  73.               "codecommit:ListBranches"
    74. 

  74.             ],
    75. 

  75.             "Effect": "Allow",
    76. 

  76.             "Resource": "*"
    77. 

  77.           }
    78. 

  78.     ]
    79. 

  79. }
    80. 

  80. POLICY
    81. 

  81. }
    82. 

  82. 

  83. resource "aws_iam_policy_attachment" "service_role_attachment" {
    84. 

  84.   name       = "splunk_apps_policy_attachment"
    85. 

  85.   policy_arn = aws_iam_policy.codebuild_policy.arn
    86. 

  86.   roles      = [aws_iam_role.codebuild_role.id]
    87. 

  87. }
    88. 

  88. 

  89. resource "aws_cloudwatch_event_target" "trigger_build" {
    90. 

  90.   for_each = local.splunk_server_types
    91. 

  91. 

  92.   target_id = "trigger_build_${var.repository}_${each.value}"
    93. 

  93.   rule      = aws_cloudwatch_event_rule.schedule_rule[each.value].name
    94. 

  94.   arn       = aws_codebuild_project.this[each.value].id
    95. 

  95. 

  96.   role_arn = aws_iam_role.codebuild_role.arn
    97. 

  97. }
    98.