Initial commit

.gitignore

@@ -0,0 +1,29 @@
+# Local .terraform directories
+**/.terraform/*
+
+# Terraform lockfile
+.terraform.lock.hcl
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+
+# Exclude all .tfvars files, which are likely to contain sentitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+*.tfvars
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2022 Depot Ventures LLC <[email protected]>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

main.tf

@@ -0,0 +1,104 @@
+resource "aws_iam_instance_profile" "builder" {
+  count = var.create-builder-instance-profile ? 1 : 0
+  name  = "${var.name}-builder"
+  role  = aws_iam_role.builder[0].name
+}
+
+resource "aws_iam_role" "builder" {
+  count = var.create-builder-instance-profile ? 1 : 0
+  name  = "builder"
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [{
+      Action    = "sts:AssumeRole",
+      Principal = { Service = "ec2.amazonaws.com" },
+      Effect    = "Allow",
+    }]
+  })
+}
+
+resource "aws_security_group" "builder" {
+  name        = "${var.name}-builder"
+  description = "Builder security group for Depot connection ${var.name}"
+  vpc_id      = aws_vpc.vpc.id
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name = "${var.name}-builder"
+  }
+}
+
+resource "aws_iam_role" "depot" {
+  count = var.create ? 1 : 0
+  name  = "depot-${var.name}"
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [{
+      Action    = "sts:AssumeRole",
+      Principal = { AWS = "arn:aws:iam::375021575472:root" },
+      Effect    = "Allow",
+      Condition = { StringEquals = { "sts:ExternalId" = var.external-id } },
+    }]
+  })
+}
+
+resource "aws_iam_policy" "depot" {
+  count       = var.create ? 1 : 0
+  name        = "depot-${var.name}"
+  description = "IAM policy that allows Depot to manage builder instances and cache EBS volumes"
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action   = ["ec2:Describe*"]
+        Effect   = "Allow"
+        Resource = "*"
+      },
+
+      {
+        Action    = ["ec2:CreateVolume", "ec2:RunInstances"]
+        Effect    = "Allow"
+        Resource  = "*",
+        Condition = { StringEquals = { "aws:RequestTag/depot.dev" = "managed" } }
+      },
+
+      {
+        Action    = ["ec2:DeleteVolume", "ec2:TerminateInstances"]
+        Effect    = "Allow"
+        Resource  = "*"
+        Condition = { StringEquals = { "aws:ResourceTag/depot.dev" = "managed" } }
+      },
+
+      {
+        Action    = ["ec2:AttachVolume", "ec2:DetachVolume"],
+        Effect    = "Allow",
+        Resource  = ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*"],
+        Condition = { StringEquals = { "aws:ResourceTag/depot.dev" = "managed" } }
+      },
+
+      {
+        Action   = ["ec2:CreateTags"],
+        Effect   = "Allow",
+        Resource = "arn:aws:ec2:*:*:*/*",
+        Condition = {
+          StringEquals = {
+            "aws:RequestTag/depot.dev" = "managed",
+            "ec2:CreateAction"         = ["CreateVolume", "RunInstances"],
+          }
+        }
+      },
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "test-attach" {
+  count      = var.create ? 1 : 0
+  role       = aws_iam_role.depot[0].name
+  policy_arn = aws_iam_policy.depot[0].arn
+}

outputs.tf

@@ -0,0 +1,4 @@
+output "vpc-id" {
+  value       = local.vpc-id
+  description = "Builder VPC ID"
+}

tags.tf

@@ -0,0 +1,5 @@
+locals {
+  common-tags = {
+    "depot.dev" = "managed"
+  }
+}

variables.tf

@@ -0,0 +1,45 @@
+variable "create" {
+  type        = bool
+  description = "Controls if Depot connection resources should be created"
+  default     = true
+}
+
+variable "tags" {
+  type        = map(string)
+  description = "A map of tags to apply to all resources"
+  default     = {}
+}
+
+variable "name" {
+  type        = string
+  description = "Name of the Depot connection"
+}
+
+variable "external-id" {
+  type        = string
+  description = "External ID for the Depot connection (provided in the Depot console)"
+}
+
+variable "create-builder-instance-profile" {
+  type        = bool
+  description = "Create a new IAM instance profile for the builder role"
+  default     = "true"
+}
+
+variable "create-vpc" {
+  type        = bool
+  description = "Create a new VPC"
+  default     = "true"
+}
+
+variable "vpc-id" {
+  type        = string
+  description = "Custom VPC ID, if var.create-vpc = false"
+  default     = ""
+}
+
+variable "vpc-cidr-prefix" {
+  type        = string
+  description = "VPC CIDR prefix"
+  default     = "10.0"
+}

versions.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 0.13.1"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 3.72"
+    }
+  }
+}

vpc.tf

@@ -0,0 +1,64 @@
+# VPC Subnet Layout:
+#
+# SUBNET ADDRESS    RANGE OF ADDRESSES            ALLOCATED FOR
+#
+# x.x.0.0/18        x.x.0.0 - x.x.63.255          Public
+# x.x.64.0/18       x.x.64.0 - x.x.127.255        Public
+# x.x.128.0/18      x.x.128.0 - x.x.191.255       Public
+# x.x.192.0/18      x.x.192.0 - x.x.255.255       Unused
+#
+# See https://www.davidc.net/sites/default/subnets/subnets.html?network=10.101.0.0&mask=16&division=13.3d40
+
+data "aws_region" "current" {}
+
+locals {
+  cidrs = {
+    "${data.aws_region.current.name}a" = "${var.vpc-cidr-prefix}.0.0/18",
+    "${data.aws_region.current.name}b" = "${var.vpc-cidr-prefix}.64.0/18",
+    "${data.aws_region.current.name}c" = "${var.vpc-cidr-prefix}.128.0/18",
+  }
+  vpc-id = coalesce(try(aws_vpc.vpc[0].id, ""), var.vpc-id)
+}
+
+resource "aws_vpc" "vpc" {
+  count      = var.create-vpc ? 1 : 0
+  cidr_block = "${var.vpc-cidr-prefix}.0.0/16"
+  tags       = { Name = var.name }
+}
+
+resource "aws_internet_gateway" "internet-gateway" {
+  count  = var.create-vpc ? 1 : 0
+  vpc_id = aws_vpc.vpc[0].id
+  tags   = { Name = var.name }
+}
+
+resource "aws_route_table" "public" {
+  count  = var.create-vpc ? 1 : 0
+  vpc_id = aws_vpc.vpc[0].id
+  tags   = { Name = "${var.name}-public" }
+}
+
+resource "aws_route" "public-internet-gateway" {
+  count                  = var.create-vpc ? 1 : 0
+  route_table_id         = aws_route_table.public[0].id
+  destination_cidr_block = "0.0.0.0/0"
+  gateway_id             = aws_internet_gateway.internet-gateway[0].id
+}
+
+resource "aws_subnet" "public" {
+  for_each          = var.create-vpc ? local.cidrs : {}
+  vpc_id            = aws_vpc.vpc[0].id
+  availability_zone = each.key
+  cidr_block        = each.value
+  tags              = { "Name" = "${var.name}-public-${each.key}" }
+}
+
+resource "aws_route_table_association" "public" {
+  for_each       = var.create-vpc ? local.cidrs : {}
+  subnet_id      = aws_subnet.public[each.key].id
+  route_table_id = aws_route_table.public[0].id
+}
+
+locals {
+  public-subnet-ids = var.create-vpc ? [for s in aws_subnet.public : s.id] : []
+}