KyMidd
diff --git a/‎buildspec_terraform_apply.yml
+16 b/‎buildspec_terraform_apply.yml
+16
diff --git a/‎buildspec_terraform_plan.yml
+17 b/‎buildspec_terraform_plan.yml
+17
diff --git a/‎main.tf
+71 b/‎main.tf
+71
diff --git a/‎modules/bootstrap/bootstrap.tf
+241 b/‎modules/bootstrap/bootstrap.tf
+241
diff --git a/‎modules/bootstrap/bootstrap_variables.tf
+25 b/‎modules/bootstrap/bootstrap_variables.tf
+25
@@ -0,0 +1,16 @@
+version: 0.2
+
+phases:
+  install:
+    runtime-versions:
+      python: 3.7
+    commands:
+      - tf_version=$TERRAFORM_VERSION
+      - wget https://releases.hashicorp.com/terraform/"$TERRAFORM_VERSION"/terraform_"$TERRAFORM_VERSION"_linux_amd64.zip
+      - unzip terraform_"$TERRAFORM_VERSION"_linux_amd64.zip
+      - mv terraform /usr/local/bin/
+  build:
+    commands:
+      - terraform --version
+      - terraform init -input=false
+      - terraform apply -auto-approve -input=false
@@ -0,0 +1,17 @@
+version: 0.2
+
+phases:
+  install:
+    runtime-versions:
+      python: 3.7
+    commands:
+      - tf_version=$TERRAFORM_VERSION
+      - wget https://releases.hashicorp.com/terraform/"$TERRAFORM_VERSION"/terraform_"$TERRAFORM_VERSION"_linux_amd64.zip
+      - unzip terraform_"$TERRAFORM_VERSION"_linux_amd64.zip
+      - mv terraform /usr/local/bin/
+  build:
+    commands:
+      - terraform --version
+      - terraform init -input=false
+      - terraform validate
+      - terraform plan -lock=false -input=false
@@ -0,0 +1,71 @@
+# Require TF version to be same as or greater than 0.12.16
+terraform {
+  required_version = ">=0.12.16"
+  backend "s3" {
+    bucket         = "kyler-codebuild-demo-terraform-tfstate"
+    key            = "terraform.tfstate"
+    region         = "us-east-1"
+    dynamodb_table = "codebuild-dynamodb-terraform-locking"
+    encrypt        = true
+  }
+}
+
+# Download any stable version in AWS provider of 2.36.0 or higher in 2.36 train
+provider "aws" {
+  region  = "us-east-1"
+  version = "~> 2.36.0"
+  assume_role {
+    # Remember to update this account ID to yours
+    role_arn     = "arn:aws:iam::718626770228:role/TerraformAssumedIamRole"
+    session_name = "terraform"
+  }
+}
+
+
+## Step 1: Build an IAM user with administrative rights
+# Export the access key and secret access key into global bash variables. The commands will look like this:
+# export AWS_ACCESS_KEY_ID="AKIA2OULU2K4324HLYFNU"
+# export AWS_SECRET_ACCESS_KEY="b8ma12345678901234567890toWCOjo"
+
+
+## Step 2: Build an S3 bucket and DynamoDB for Terraform state and locking
+module "bootstrap" {
+  source                              = "./modules/bootstrap"
+  s3_tfstate_bucket                   = "kyler-codebuild-demo-terraform-tfstate"
+  s3_logging_bucket_name              = "kyler-codebuild-demo-logging-bucket"
+  dynamo_db_table_name                = "codebuild-dynamodb-terraform-locking"
+  codebuild_iam_role_name             = "CodeBuildIamRole"
+  codebuild_iam_role_policy_name      = "CodeBuildIamRolePolicy"
+  terraform_codecommit_repo_arn       = module.codecommit.terraform_codecommit_repo_arn
+  tf_codepipeline_artifact_bucket_arn = module.codepipeline.tf_codepipeline_artifact_bucket_arn
+}
+
+## Step 3: Build a CodeCommit git repo
+module "codecommit" {
+  source          = "./modules/codecommit"
+  repository_name = "CodeCommitTerraform"
+}
+
+
+## Step 4: Build CodeBuild projects for Terraform Plan and Terraform Apply
+module "codebuild" {
+  source                                 = "./modules/codebuild"
+  codebuild_project_terraform_plan_name  = "TerraformPlan"
+  codebuild_project_terraform_apply_name = "TerraformApply"
+  s3_logging_bucket_id                   = module.bootstrap.s3_logging_bucket_id
+  codebuild_iam_role_arn                 = module.bootstrap.codebuild_iam_role_arn
+  s3_logging_bucket                      = module.bootstrap.s3_logging_bucket
+}
+
+
+## Step 5: Build a CodePipeline
+module "codepipeline" {
+  source                               = "./modules/codepipeline"
+  tf_codepipeline_name                 = "TerraformCodePipeline"
+  tf_codepipeline_artifact_bucket_name = "kyler-codebuild-demo-artifact-bucket-name"
+  tf_codepipeline_role_name            = "TerraformCodePipelineIamRole"
+  tf_codepipeline_role_policy_name     = "TerraformCodePipelineIamRolePolicy"
+  terraform_codecommit_repo_name       = module.codecommit.terraform_codecommit_repo_name
+  codebuild_terraform_plan_name        = module.codebuild.codebuild_terraform_plan_name
+  codebuild_terraform_apply_name       = module.codebuild.codebuild_terraform_apply_name
+}
@@ -0,0 +1,241 @@
+##
+# Module to build the Azure DevOps "seed" configuration
+##
+
+# Build an S3 bucket to store TF state
+resource "aws_s3_bucket" "state_bucket" {
+  bucket = var.s3_tfstate_bucket
+
+  # Tells AWS to encrypt the S3 bucket at rest by default
+  server_side_encryption_configuration {
+    rule {
+      apply_server_side_encryption_by_default {
+        sse_algorithm = "AES256"
+      }
+    }
+  }
+
+  # Prevents Terraform from destroying or replacing this object - a great safety mechanism
+  lifecycle {
+    prevent_destroy = true
+  }
+
+  # Tells AWS to keep a version history of the state file
+  versioning {
+    enabled = true
+  }
+
+  tags = {
+    Terraform = "true"
+  }
+}
+
+# Build a DynamoDB to use for terraform state locking
+resource "aws_dynamodb_table" "tf_lock_state" {
+  name = var.dynamo_db_table_name
+
+  # Pay per request is cheaper for low-i/o applications, like our TF lock state
+  billing_mode = "PAY_PER_REQUEST"
+
+  # Hash key is required, and must be an attribute
+  hash_key = "LockID"
+
+  # Attribute LockID is required for TF to use this table for lock state
+  attribute {
+    name = "LockID"
+    type = "S"
+  }
+
+  tags = {
+    Name      = var.dynamo_db_table_name
+    Terraform = "true"
+  }
+}
+
+
+# Build an AWS S3 bucket for logging
+resource "aws_s3_bucket" "s3_logging_bucket" {
+  bucket = var.s3_logging_bucket_name
+  acl    = "private"
+
+  server_side_encryption_configuration {
+    rule {
+      apply_server_side_encryption_by_default {
+        sse_algorithm = "AES256"
+      }
+    }
+  }
+}
+
+# Output name of S3 logging bucket back to main.tf
+output "s3_logging_bucket_id" {
+  value = aws_s3_bucket.s3_logging_bucket.id
+}
+output "s3_logging_bucket" {
+  value = aws_s3_bucket.s3_logging_bucket.bucket
+}
+
+# Create an IAM role for CodeBuild to assume
+resource "aws_iam_role" "codebuild_iam_role" {
+  name = var.codebuild_iam_role_name
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "codebuild.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+EOF
+}
+
+# Output the CodeBuild IAM role
+output "codebuild_iam_role_arn" {
+  value = aws_iam_role.codebuild_iam_role.arn
+}
+
+
+# Create an IAM role policy for CodeBuild to use implicitly
+resource "aws_iam_role_policy" "codebuild_iam_role_policy" {
+  name = var.codebuild_iam_role_policy_name
+  role = aws_iam_role.codebuild_iam_role.name
+
+  policy = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Resource": [
+        "*"
+      ],
+      "Action": [
+        "logs:CreateLogGroup",
+        "logs:CreateLogStream",
+        "logs:PutLogEvents"
+      ]
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "s3:*"
+      ],
+      "Resource": [
+        "${aws_s3_bucket.s3_logging_bucket.arn}",
+        "${aws_s3_bucket.s3_logging_bucket.arn}/*",
+        "${aws_s3_bucket.state_bucket.arn}",
+        "${aws_s3_bucket.state_bucket.arn}/*",
+        "arn:aws:s3:::codepipeline-us-east-1*",
+        "arn:aws:s3:::codepipeline-us-east-1*/*",
+        "${var.tf_codepipeline_artifact_bucket_arn}",
+        "${var.tf_codepipeline_artifact_bucket_arn}/*"
+      ]
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "dynamodb:*"
+      ],
+      "Resource": "${aws_dynamodb_table.tf_lock_state.arn}"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "codecommit:BatchGet*",
+        "codecommit:BatchDescribe*",
+        "codecommit:Describe*",
+        "codecommit:EvaluatePullRequestApprovalRules",
+        "codecommit:Get*",
+        "codecommit:List*",
+        "codecommit:GitPull"
+      ],
+      "Resource": "${var.terraform_codecommit_repo_arn}"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "iam:Get*",
+        "iam:List*"
+      ],
+      "Resource": "${aws_iam_role.codebuild_iam_role.arn}"
+    },
+    {
+      "Effect": "Allow",
+      "Action": "sts:AssumeRole",
+      "Resource": "${aws_iam_role.codebuild_iam_role.arn}"
+    }
+  ]
+}
+POLICY
+}
+
+
+# Create IAM role for Terraform builder to assume
+resource "aws_iam_role" "tf_iam_assumed_role" {
+  name = "TerraformAssumedIamRole"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "${aws_iam_role.codebuild_iam_role.arn}"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+EOF
+
+  lifecycle {
+    prevent_destroy = true
+  }
+
+  tags = {
+    Terraform = "true"
+  }
+}
+
+
+# Create broad IAM policy Terraform to use to build, modify resources
+resource "aws_iam_policy" "tf_iam_assumed_policy" {
+  name = "TerraformAssumedIamPolicy"
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "AllowAllPermissions",
+      "Effect": "Allow",
+      "Action": [
+        "*"
+      ],
+      "Resource": "*"
+    }
+  ]
+}
+EOF
+
+  lifecycle {
+    prevent_destroy = true
+  }
+}
+
+# Attach IAM assume role to policy
+resource "aws_iam_role_policy_attachment" "tf_iam_attach_assumed_role_to_permissions_policy" {
+  role       = aws_iam_role.tf_iam_assumed_role.name
+  policy_arn = aws_iam_policy.tf_iam_assumed_policy.arn
+
+  lifecycle {
+    prevent_destroy = true
+  }
+}
@@ -0,0 +1,25 @@
+##
+# Define variables for Azure DevOps Seed Module
+##
+
+variable "s3_tfstate_bucket" {
+  description = "Name of the S3 bucket used for Terraform state storage"
+}
+variable "s3_logging_bucket_name" {
+  description = "Name of S3 bucket to use for access logging"
+}
+variable "dynamo_db_table_name" {
+  description = "Name of DynamoDB table used for Terraform locking"
+}
+variable "codebuild_iam_role_name" {
+  description = "Name for IAM Role utilized by CodeBuild"
+}
+variable "codebuild_iam_role_policy_name" {
+  description = "Name for IAM policy used by CodeBuild"
+}
+variable "terraform_codecommit_repo_arn" {
+  description = "Terraform CodeCommit git repo ARN"
+}
+variable "tf_codepipeline_artifact_bucket_arn" {
+  description = "Codepipeline artifact bucket ARN"
+}