authorMitch Riedstra <mitch@riedstra.us>2020-10-03 18:56:02 -0400
committerMitch Riedstra <mitch@riedstra.us>2020-10-03 18:56:02 -0400
commit97703aadcf2279bb068fbadab2f0b2f18b740bcf (patch)
treecf1efc3805b0234e2755f4b1d9eb82f5d1e2b0b3
Initial
-rw-r--r--main.tf72
1 files changed, 72 insertions, 0 deletions
diff --git a/main.tf b/main.tf
new file mode 100644
index 0000000..4f34722
--- /dev/null
+++ b/main.tf
@@ -0,0 +1,72 @@
+variable "domain" {
+ description = "Domain name to use the AWS route53 zone"
+}
+
+variable "tags" {
+ default = {
+ "purpose" = "letsencrypt delegation"
+ }
+}
+
+variable "use_pgp" {
+ default = false
+ description = "Whether or not to use a PGP key to encrypt the secret access key"
+}
+
+variable "pgp_key" {
+ description = "base64 encoded public gpg key to encrypt the secrets with"
+ default = ""
+}
+
+resource "aws_route53_zone" "_" {
+ name = var.domain
+
+ tags = var.tags
+}
+
+
+resource "aws_iam_user" "_" {
+ name = "letesencrypt-delegation-${var.domain}"
+
+ tags = merge({
+ "Name" = "Letsencrypt delegation user for ${var.domain}"
+ }, var.tags)
+}
+
+resource "aws_iam_access_key" "_" {
+ user = aws_iam_user._.name
+
+ pgp_key = var.use_pgp ? var.pgp_key : null
+}
+
+resource "aws_iam_user_policy" "_" {
+ name = "letsencrypt-delegation-${var.domain}"
+ user = aws_iam_user._.name
+ policy = data.aws_iam_policy_document.r53.json
+}
+
+data "aws_iam_policy_document" "r53" {
+ statement {
+ actions = [
+ "route53:GetChange",
+ "route53:ListHostedZones"
+ ]
+
+ resources = [ "*" ]
+ }
+
+ statement {
+ actions = [
+ "route53:ChangeResourceRecordSets",
+ "route53:ListResourceRecordSets"
+ ]
+
+ resources = [ "arn:aws:route53:::hostedzone/${aws_route53_zone._.id}" ]
+ }
+}
+
+output "info" {
+ value = var.use_pgp ? "\nexport AWS_ACCESS_KEY_ID=${aws_iam_access_key._.id}\nexport AWS_SECRET_ACCESS_KEY=$(echo \"${aws_iam_access_key._.encrypted_secret}\" | base64 -d | gpg -d )\n" : "\nexport AWS_ACCESS_KEY_ID=${aws_iam_access_key._.id}\nexport AWS_SECRET_ACCESS_KEY=${aws_iam_access_key._.secret}\n"
+
+}
+
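Review bot: The `info` output on line 89 interpolates the plaintext `aws_iam_access_key._.secret` when `use_pgp` is false and the block is not marked sensitive, so the long-lived key is echoed on every apply and lands in CI logs alongside the plan; add `sensitive = true` inside the `output "info"` block, and bear in mind the secret is stored in the state file in either mode, so state storage still needs to be treated as secret material. The IAM user name on line 49 reads `letesencrypt-delegation-${var.domain}` while the policy name on line 63 reads `letsencrypt-delegation-${var.domain}`; fixing the typo now is cheap, whereas renaming later forces replacement of the user and its access key. The second policy statement grants `route53:ChangeResourceRecordSets` over the entire delegated zone rather than only the challenge records, which is fine only because the zone exists solely for ACME delegation; a comment such as `# zone is dedicated to ACME challenge CNAME targets, so every record in it is writable by this user` would make that assumption explicit for the next maintainer. Separately, `pgp_key` defaults to `""`, so `use_pgp = true` with no key supplied fails at apply time; a `validation` block on `pgp_key` or a `description` on `use_pgp` stating that `pgp_key` is required would surface that earlier.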