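# From https://github.com/gravitational/teleport/blob/b9813e3/examples/aws/terraform/dynamo.tf#L1-L36
#
# Cluster state table for the Teleport Auth service.
#   - key schema: hash "HashKey" (S) / range "FullPath" (S), TTL on "Expires"
#   - streams enabled with NEW_IMAGE (presumably consumed by the Teleport backend;
#     if so the IAM policy must cover the table's stream ARN, not just the table ARN)
#   - encryption at rest is requested via the module; which key is used is decided
#     inside the module, not in this file
#
# NOTE(review): the module source is pinned to a git *tag*, which can be moved;
# pinning to a commit SHA gives a reproducible, tamper-evident dependency.
module "dynamodb_state_table" {
  source    = "git::https://github.com/cloudposse/terraform-aws-dynamodb.git?ref=tags/0.7.0"
  namespace = var.namespace
  stage     = var.stage
  name      = var.name
  delimiter = var.delimiter

  # First-class 0.12 expression. The file already uses 0.12 syntax (bare var.*
  # references); the previous `["${compact(concat(..., list("cluster_state")))}"]`
  # form relied on the legacy list() function and 0.11-style list wrapping,
  # which newer Terraform releases no longer accept.
  attributes = compact(concat(var.attributes, ["cluster_state"]))
  tags       = var.tags

  enable_encryption = "true"
  enable_streams    = "true"
  stream_view_type  = "NEW_IMAGE"

  hash_key       = "HashKey"
  hash_key_type  = "S"
  range_key      = "FullPath"
  range_key_type = "S"
  ttl_attribute  = "Expires"

  # min_read and min_write set the provisioned capacity even if the autoscaler is not enabled
  autoscale_min_read_capacity  = var.autoscale_min_read_capacity
  autoscale_min_write_capacity = var.autoscale_min_write_capacity
  enable_autoscaler            = "true"
  autoscale_read_target        = var.autoscale_read_target
  autoscale_write_target       = var.autoscale_write_target
  autoscale_max_read_capacity  = var.autoscale_max_read_capacity
  autoscale_max_write_capacity = var.autoscale_max_write_capacity
}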
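# From https://github.com/gravitational/teleport/blob/b9813e3/examples/aws/terraform/dynamo.tf#L38-L91
#
# Audit events table for the Teleport Auth service.
#   - key schema: hash "SessionID" (S) / range "EventIndex" (N)
#   - GSI "timesearch" on EventNamespace/CreatedAt (projection ALL) for time-range
#     queries; Query calls against it are authorised on the index ARN, so the IAM
#     policy must include "<table_arn>/index/*"
#   - TTL on "Expires": audit records are deleted by DynamoDB once they expire, so
#     long-term retention has to come from elsewhere (e.g. the session/audit export)
#
# NOTE(review): the module source is pinned to a git tag rather than a commit SHA.
module "dynamodb_audit_table" {
  source    = "git::https://github.com/cloudposse/terraform-aws-dynamodb.git?ref=tags/0.7.0"
  namespace = var.namespace
  stage     = var.stage
  name      = var.name
  delimiter = var.delimiter

  # First-class 0.12 expression; replaces the legacy list()-based interpolation,
  # which newer Terraform releases no longer accept.
  attributes = compact(concat(var.attributes, ["events"]))
  tags       = var.tags

  enable_encryption = "true"

  hash_key       = "SessionID"
  hash_key_type  = "S"
  range_key      = "EventIndex"
  range_key_type = "N"
  ttl_attribute  = "Expires"

  # Every attribute referenced by a key or index must be declared here.
  dynamodb_attributes = [
    {
      name = "SessionID"
      type = "S"
    },
    {
      name = "EventIndex"
      type = "N"
    },
    {
      name = "EventNamespace"
      type = "S"
    },
    {
      name = "CreatedAt"
      type = "N"
    },
  ]

  global_secondary_index_map = [
    {
      name            = "timesearch"
      hash_key        = "EventNamespace"
      range_key       = "CreatedAt"
      read_capacity   = var.autoscale_min_read_capacity
      write_capacity  = var.autoscale_min_write_capacity
      projection_type = "ALL"
    },
  ]

  # min_read and min_write set the provisioned capacity even if the autoscaler is not enabled
  autoscale_min_read_capacity  = var.autoscale_min_read_capacity
  autoscale_min_write_capacity = var.autoscale_min_write_capacity
  enable_autoscaler            = "true"
  autoscale_read_target        = var.autoscale_read_target
  autoscale_write_target       = var.autoscale_write_target
  autoscale_max_read_capacity  = var.autoscale_max_read_capacity
  autoscale_max_write_capacity = var.autoscale_max_write_capacity
}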
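# Naming/tagging label shared by the IAM role, policy and instance profile below
# (they all use module.label_dynamodb.id as their name).
#
# NOTE(review): pinned to a git tag rather than a commit SHA.
module "label_dynamodb" {
  source    = "git::https://github.com/cloudposse/terraform-null-label.git?ref=tags/0.3.3"
  namespace = var.namespace
  stage     = var.stage
  name      = var.name
  delimiter = var.delimiter

  # First-class 0.12 expression; replaces the legacy list()-based interpolation.
  attributes = compact(concat(var.attributes, ["dynamodb"]))
  tags       = var.tags
}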
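# Permissions the Teleport Auth service gets on the two tables above.
data "aws_iam_policy_document" "dynamodb" {
  statement {
    effect = "Allow"

    # Deliberately broad ("full access", see aws_iam_policy.dynamodb). Scope is
    # bounded by the resource list below, not by the action list.
    # TODO(review): narrow to the actions Teleport actually issues once enumerated.
    actions = ["dynamodb:*"]

    # Stream operations (DescribeStream/GetShardIterator/GetRecords) are authorised
    # against the stream ARN ("<table>/stream/<label>") and GSI queries against the
    # index ARN ("<table>/index/<name>"). Both are distinct IAM resources from the
    # table ARN, so listing only the table ARN denies them even with dynamodb:*.
    # The state table has streams enabled and the audit table has the "timesearch"
    # GSI, hence the two extra entries.
    resources = [
      module.dynamodb_audit_table.table_arn,
      "${module.dynamodb_audit_table.table_arn}/index/*",
      module.dynamodb_state_table.table_arn,
      "${module.dynamodb_state_table.table_arn}/stream/*",
    ]
  }
}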
# Role assumed by the Auth service instances. The trust policy
# (data.aws_iam_policy_document.assume_role) is defined elsewhere in this module;
# it decides who may assume the role, so review it together with this file.
resource "aws_iam_role" "dynamodb" {
  name                 = module.label_dynamodb.id
  assume_role_policy   = data.aws_iam_policy_document.assume_role.json
  # Upper bound on credential lifetime for sessions of this role.
  max_session_duration = var.iam_role_max_session_duration
}
# Managed policy wrapping data.aws_iam_policy_document.dynamodb.
resource "aws_iam_policy" "dynamodb" {
  name        = module.label_dynamodb.id
  description = "Allow Teleport Auth service full access to DynamoDB table"
  policy      = data.aws_iam_policy_document.dynamodb.json
}
# Binds the DynamoDB policy to the Auth service role.
resource "aws_iam_role_policy_attachment" "dynamodb" {
  role       = aws_iam_role.dynamodb.name
  policy_arn = aws_iam_policy.dynamodb.arn
}
# Instance profile so EC2 instances can pick up the role. Any process on an
# instance launched with this profile can obtain the role's credentials through
# the instance metadata service, so the host itself becomes part of the trust
# boundary for the DynamoDB tables.
resource "aws_iam_instance_profile" "dynamodb" {
  name = module.label_dynamodb.id
  role = aws_iam_role.dynamodb.name
}