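terraform {
  # The `moved` block at the bottom of this file is only understood by Terraform 1.1+;
  # stating that here makes older CLIs fail with a clear version error rather than a
  # parse error on the `moved` block.
  required_version = ">= 1.1"

  required_providers {
    aws = {
      source = "hashicorp/aws"
      # lower bound only: the root module should pin an upper bound (e.g. `~>`) or rely on
      # its dependency lock file so provider upgrades are deliberate rather than implicit
      version = ">= 3.0"
    }
    # `local_file` below otherwise relies on Terraform implicitly resolving this provider;
    # declaring it keeps the dependency explicit and recorded in the lock file.
    local = {
      source = "hashicorp/local"
    }
  }
}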
# Identity of the credentials running this configuration; its account id is used below as
# the placeholder trust principal for the tenant role when no tenant id is configured.
data "aws_caller_identity" "current" {}
# IAM role the Worklytics tenant assumes to deliver exports into the bucket below.
# Who may assume it depends on whether `worklytics_tenant_id` is set.
resource "aws_iam_role" "for_worklytics_tenant" {
  name = "${var.resource_name_prefix}Tenant"

  # if `worklytics_tenant_id` is null, then use a placeholder `assume_role_policy` that allows,
  # to support pre-production use case (where infra is created for review, but inaccessible)
  #
  # NOTE(review): the placeholder trusts the whole deploying account (`Principal.AWS` is the
  # bare account id), so any principal in that account whose IAM policy permits
  # `sts:AssumeRole` on this role can assume it. Fine for review-only infrastructure, but
  # set `worklytics_tenant_id` before the bucket starts receiving real data.
  assume_role_policy = var.worklytics_tenant_id == null ? jsonencode({
    Version = "2012-10-17"
    Statement = {
      Sid    = "AllowOwnAccountToAssumeRole"
      Action = "sts:AssumeRole",
      Effect = "Allow",
      Principal = {
        "AWS" = data.aws_caller_identity.current.account_id
      }
    }
  }) : jsonencode({
    # Production trust: web-identity federation with Google. Only a Google-issued token
    # whose `aud` claim equals the configured tenant id satisfies the condition, so no
    # AWS credentials are involved and other Google-authenticated callers are rejected.
    Version = "2012-10-17"
    Statement = {
      Sid    = "AllowWorklyticsTenantToAssumeRole"
      Action = "sts:AssumeRoleWithWebIdentity"
      Effect = "Allow"
      Principal = {
        Federated = "accounts.google.com"
      }
      Condition = {
        StringEquals = {
          "accounts.google.com:aud" = var.worklytics_tenant_id
        }
      }
    }
  })
}
# Destination bucket for Worklytics exports. `bucket_prefix` (rather than `bucket`) lets the
# provider append a unique suffix; the prefix is lower-cased and underscores replaced because
# S3 bucket names must be lowercase and may not contain "_".
#
# NOTE(review): nothing in this module configures versioning, server-side encryption or
# access logging for this bucket, so account/provider defaults apply. Confirm those defaults
# satisfy your data-handling requirements, or configure them outside the module (the KMS
# question on the bucket-access policy below is related).
resource "aws_s3_bucket" "worklytics_export" {
  bucket_prefix = replace(lower(var.resource_name_prefix), "_", "-")

  lifecycle {
    ignore_changes = [
      # don't conflict with tags customers might wish to add themselves
      tags,
    ]
  }
}
# Public-access block for the export bucket: rejects public ACLs and public bucket policies
# regardless of what is later applied to the bucket.
# It is only created when `enable_aws_s3_bucket_public_access_block` is true; set that
# variable to false to disable it if these defaults are too strict for your setup.
# if you do, we recommend setting something similar outside this module
resource "aws_s3_bucket_public_access_block" "worklytics_export" {
  count  = var.enable_aws_s3_bucket_public_access_block ? 1 : 0
  bucket = aws_s3_bucket.worklytics_export.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
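# TODO if key, need perm to "kms:GenerateDataKey" and "kms:Decrypt" ??
# q - do we leave that to customer, or support it natively since pretty common case??
#
# Identity policy giving the tenant role the minimum S3 access needed to write exports and
# (for rsync-style syncs) to list and read back what it wrote. No delete permission is
# granted. Bucket-level and object-level actions are kept in separate statements so each
# action is scoped to the resource type it actually applies to.
resource "aws_iam_policy" "allow_worklytics_tenant_bucket_access" {
  name = "${var.resource_name_prefix}TenantBucketAccess"

  policy = jsonencode({
    Version = "2012-10-17",
    Id      = "WorklyticsTenantAccessExportBucket",
    Statement = [
      {
        Sid    = "AllowWorklyticsTenantBucketAccess"
        Effect = "Allow"
        # to support rsync, has to be able to list the bucket
        Action = [
          "s3:ListBucket",
        ]
        # the bucket's own ARN is used instead of a hard-coded `arn:aws:s3:::` string so the
        # module also works in partitions other than the standard one (e.g. GovCloud, China)
        Resource = [
          aws_s3_bucket.worklytics_export.arn,
        ]
      },
      {
        Sid    = "AllowWorklyticsTenantObjectAccess"
        Effect = "Allow"
        Action = [
          "s3:PutObject",
          # to support rsync, has to be able to get objects
          "s3:GetObject",
        ]
        Resource = [
          "${aws_s3_bucket.worklytics_export.arn}/*",
        ]
      },
    ]
  })
}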
# Attaches the bucket-access policy to the tenant role.
#
# NOTE(review): `aws_iam_policy_attachment` is exclusive — on every apply it makes the
# listed roles/users/groups the only identities the policy is attached to, detaching it
# from anything attached elsewhere. That is harmless while this module is the policy's sole
# consumer, but if the policy is also attached to other identities outside the module,
# consider `aws_iam_role_policy_attachment` (one non-exclusive attachment per role).
# Switching changes the resource address, so plan that migration deliberately.
resource "aws_iam_policy_attachment" "allow_worklytics_tenant_bucket_access" {
  name       = "allow_worklytics_tenant_bucket_access"
  policy_arn = aws_iam_policy.allow_worklytics_tenant_bucket_access.arn
  roles = [
    aws_iam_role.for_worklytics_tenant.name
  ]
}
# Markdown instructions handed to the customer after apply (written to a local file below
# when `todos_as_local_files` is set). The heredoc is `<<EOT`, not `<<-EOT`, so its lines
# must stay unindented — any leading whitespace would end up in the generated Markdown.
locals {
  todo_content = <<EOT
# Configure Data Export in Worklytics
1. Ensure you're authenticated with Worklytics. Either sign-in at [https://${var.worklytics_host}](https://${var.worklytics_host})
with your organization's SSO provider *or* request OTP link from your Worklytics support.
2. Visit `https://${var.worklytics_host}/analytics/data-export/connect?type=AMAZON_S3&bucket=${aws_s3_bucket
.worklytics_export.bucket}&roleArn=${aws_iam_role.for_worklytics_tenant.arn}`
3. Review any additional settings (such as the Dataset type you'd like to export) and adjust
values as you see fit, then click "Create Data Export".
Alternatively, you may follow the manual instructions below:
1. Visit [https://${var.worklytics_host}/analytics/data-export](https://${var.worklytics_host}/analytics/data-export)
(or login into Worklytics, and navigate to Manage --> Export Data).
2. Click on the 'Create New Data Export' button in the upper right.
3. Fill in the form with the following values:
- **Data Export Name** - choose a name that will help you identify this export in the future.
- **Data Export Type** - choose the type of data you'd like to export. Check our
[Data Export Documentation](https://${var.worklytics_host}/docs/data-export) for a complete
description of all the available datasets.
- **Data Destination** - choose 'Amazon S3', use `${aws_s3_bucket.worklytics_export.bucket}`
for the **Bucket** field, and `${aws_iam_role.for_worklytics_tenant.arn}` for the **Role ARN**
field.
EOT
}
# Optionally writes the instructions above to a Markdown file in the working directory.
# Because of `count`, the resource address is `local_file.todo[0]` (see the `moved` block
# below for the pre-0.4.0 address).
resource "local_file" "todo" {
  count    = var.todos_as_local_files ? 1 : 0
  filename = "TODO - configure export in worklytics.md"
  content  = local.todo_content
}
# moved in 0.4.0
# `local_file.todo` gained a `count` in 0.4.0; this maps state recorded under the old
# address to the new one so upgrading does not destroy and recreate the file.
moved {
  from = local_file.todo
  to   = local_file.todo[0]
}