Merge pull request #16 from asicsdigital/casper-upgrade-12

Initial v12 upgrade
asicsdigital · Jan 31, 2020 · 509aa9b · 509aa9b
2 parents aebde4c + 028f20f
commit 509aa9b
Show file tree

Hide file tree

Showing 9 changed files with 172 additions and 124 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -3,13 +3,16 @@ version: 2
 jobs:
   build:
     docker:
-      - image: hashicorp/terraform:0.11.8
+      - image: hashicorp/terraform:0.12.17
         entrypoint: /bin/sh
     steps:
       - checkout
+      - run:
+          name: terraform init
+          command: terraform init
       - run:
           name: validate tf files (terraform validate)
-          command: find . -type f -name "*.tf" -exec dirname {} \;|sort -u | while read m; do (terraform validate -check-variables=false "$m" && echo "√ $m") || exit 1 ; done
+          command: find . -type f -name "*.tf" -exec dirname {} \;|sort -u | while read m; do (terraform validate "$m" && echo "√ $m") || exit 1 ; done
       - run:
           name: check if all tf files are formatted (terraform fmt)
           command: if [ `terraform fmt | wc -c` -ne 0 ]; then echo "Some terraform files need be formatted, run 'terraform fmt' to fix"; exit 1; fi

diff --git a/.envrc b/.envrc
@@ -0,0 +1,31 @@
+# shellcheck shell=bash
+if [[ -f .env ]]; then
+  dotenv
+fi 
+
+
+# auth against Vault if configured
+if has vault; then
+  if [[ "$VAULT_ADDR" && "$VAULT_AUTH_GITHUB_TOKEN" ]]; then
+    log_status "vault: are we already authenticated?"
+    vault token lookup -format=json > /dev/null && vault token renew -format=json > /dev/null
+
+    if [[ "$?" == "0" ]]; then
+      log_status "vault: authenticated with existing token!"
+    else
+      log_status "vault: authenticate, since our token could not be refreshed"
+      vault login -method=github -no-print
+      log_status "vault: authenticated with new token!"
+    fi
+  fi
+fi
+
+function get_vault_kv {
+  vault_path=$1
+  vault_key=${2:-value}
+  if [[ "$VAULT_ADDR" ]]; then
+    VAULT_KV=$(curl -s -H "X-Vault-Token: $(cat ~/.vault-token )" -X GET $VAULT_ADDR/v1/${vault_path} | jq -r .data.${vault_key})
+  fi
+}
+
+# vim: set et fenc=utf-8 ff=unix ft=sh sts=2 sw=2 ts=2 :
diff --git a/.terraform-version b/.terraform-version
@@ -1 +1 @@
-0.11.8
+0.12.17
diff --git a/alb.tf b/alb.tf
@@ -1,40 +1,40 @@
 # Create a new load balancer
 
 locals {
-  enable_custom_domain = "${var.dns_zone == "" ? false : true}"
+  enable_custom_domain = var.dns_zone == "" ? false : true
   custom_endpoint      = "${coalesce(var.hostname, data.aws_vpc.vpc.tags["Name"])}.${var.dns_zone}"
-  consul_url_protocol  = "${local.enable_custom_domain ? "https" : "http"}"
-  consul_url_hostname  = "${local.enable_custom_domain ? local.custom_endpoint : aws_alb.consul.dns_name}"
+  consul_url_protocol  = local.enable_custom_domain ? "https" : "http"
+  consul_url_hostname  = local.enable_custom_domain ? local.custom_endpoint : aws_alb.consul.dns_name
   consul_url           = "${local.consul_url_protocol}://${local.consul_url_hostname}"
 }
 
 resource "aws_alb" "consul" {
   name_prefix     = "consul"
-  security_groups = ["${aws_security_group.alb-web-sg.id}"]
+  security_groups = [aws_security_group.alb-web-sg.id]
   internal        = false
-  subnets         = ["${var.subnets}"]
+  subnets         = var.subnets
 
-  tags {
-    Environment = "${var.env}"
-    VPC         = "${data.aws_vpc.vpc.tags["Name"]}"
+  tags = {
+    Environment = var.env
+    VPC         = data.aws_vpc.vpc.tags["Name"]
   }
 
   access_logs {
-    bucket = "${var.alb_log_bucket}"
+    bucket = var.alb_log_bucket
     prefix = "logs/elb/${data.aws_vpc.vpc.tags["Name"]}/consul"
   }
 }
 
 # DNS Alias for the LB
 resource "aws_route53_record" "consul" {
-  count   = "${local.enable_custom_domain ? 1 : 0}"
-  zone_id = "${data.aws_route53_zone.zone.zone_id}"
-  name    = "${local.custom_endpoint}"
+  count   = local.enable_custom_domain ? 1 : 0
+  zone_id = data.aws_route53_zone.zone[0].zone_id
+  name    = local.custom_endpoint
   type    = "A"
 
   alias {
-    name                   = "${aws_alb.consul.dns_name}"
-    zone_id                = "${aws_alb.consul.zone_id}"
+    name                   = aws_alb.consul.dns_name
+    zone_id                = aws_alb.consul.zone_id
     evaluate_target_health = false
   }
 }
@@ -43,8 +43,8 @@ resource "aws_route53_record" "consul" {
 resource "aws_alb_target_group" "consul_ui" {
   port                 = 4180
   protocol             = "HTTP"
-  vpc_id               = "${data.aws_vpc.vpc.id}"
-  deregistration_delay = "${var.lb_deregistration_delay}"
+  vpc_id               = data.aws_vpc.vpc.id
+  deregistration_delay = var.lb_deregistration_delay
 
   health_check {
     path    = "/ping"
@@ -56,41 +56,42 @@ resource "aws_alb_target_group" "consul_ui" {
     enabled = true
   }
 
-  tags {
-    Environment = "${var.env}"
-    VPC         = "${data.aws_vpc.vpc.tags["Name"]}"
+  tags = {
+    Environment = var.env
+    VPC         = data.aws_vpc.vpc.tags["Name"]
   }
 }
 
 # Create a new alb listener
 resource "aws_alb_listener" "consul_https" {
-  count             = "${local.enable_custom_domain ? 1 : 0}"
-  load_balancer_arn = "${aws_alb.consul.arn}"
+  count             = local.enable_custom_domain ? 1 : 0
+  load_balancer_arn = aws_alb.consul.arn
   port              = "443"
   protocol          = "HTTPS"
   ssl_policy        = "ELBSecurityPolicy-2016-08"
-  certificate_arn   = "${data.aws_acm_certificate.cert.arn}"
+  certificate_arn   = data.aws_acm_certificate.cert[0].arn
 
   default_action {
-    target_group_arn = "${aws_alb_target_group.consul_ui.arn}"
+    target_group_arn = aws_alb_target_group.consul_ui.arn
     type             = "forward"
   }
 }
 
 resource "aws_alb_listener" "consul_http" {
-  count             = "${local.enable_custom_domain ? 0 : 1}"
-  load_balancer_arn = "${aws_alb.consul.arn}"
+  count             = local.enable_custom_domain ? 0 : 1
+  load_balancer_arn = aws_alb.consul.arn
   port              = "80"
   protocol          = "HTTP"
 
   default_action {
-    target_group_arn = "${aws_alb_target_group.consul_ui.arn}"
+    target_group_arn = aws_alb_target_group.consul_ui.arn
     type             = "forward"
   }
 }
 
 resource "aws_alb_listener_certificate" "consul_https" {
-  count           = "${local.enable_custom_domain ? 1 : 0}"
-  listener_arn    = "${aws_alb_listener.consul_https.arn}"
-  certificate_arn = "${data.aws_acm_certificate.cert.arn}"
+  count           = local.enable_custom_domain ? 1 : 0
+  listener_arn    = aws_alb_listener.consul_https[0].arn
+  certificate_arn = data.aws_acm_certificate.cert[0].arn
 }
+
diff --git a/iam.tf b/iam.tf
@@ -26,7 +26,6 @@ data "aws_iam_policy_document" "consul_task_policy" {
       "arn:aws:s3:::${var.s3_backup_bucket}/*",
     ]
   }
-
   ##
 }
 
@@ -42,19 +41,19 @@ data "aws_iam_policy_document" "assume_role_consul_task" {
 }
 
 resource "aws_iam_role" "consul_task" {
-  path               = "${var.iam_path}"
-  assume_role_policy = "${data.aws_iam_policy_document.assume_role_consul_task.json}"
+  path               = var.iam_path
+  assume_role_policy = data.aws_iam_policy_document.assume_role_consul_task.json
 }
 
 resource "aws_iam_role_policy" "consul_ecs_task" {
-  role   = "${aws_iam_role.consul_task.id}"
-  policy = "${data.aws_iam_policy_document.consul_task_policy.json}"
+  role   = aws_iam_role.consul_task.id
+  policy = data.aws_iam_policy_document.consul_task_policy.json
 }
 
 # ecsServiceRole for consul
 
 resource "aws_iam_role" "ecsServiceRole" {
-  path = "${var.iam_path}"
+  path = var.iam_path
 
   assume_role_policy = <<EOF
 {
@@ -72,9 +71,11 @@ resource "aws_iam_role" "ecsServiceRole" {
   ]
 }
 EOF
+
 }
 
 resource "aws_iam_role_policy_attachment" "attach-ecsServiceRole" {
-  role       = "${aws_iam_role.ecsServiceRole.name}"
+  role       = aws_iam_role.ecsServiceRole.name
   policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole"
 }
+