From 97703aadcf2279bb068fbadab2f0b2f18b740bcf Mon Sep 17 00:00:00 2001
From: Mitch Riedstra
Date: Sat, 3 Oct 2020 18:56:02 -0400
Subject: Initial
---
 main.tf | 72 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 72 insertions(+)
 create mode 100644 main.tf
(limited to 'main.tf')
diff --git a/main.tf b/main.tf
new file mode 100644
index 0000000..4f34722
--- /dev/null
+++ b/main.tf
@@ -0,0 +1,72 @@
+variable "domain" {
+ description = "Domain name to use the AWS route53 zone"
+}
+
+variable "tags" {
+ default = {
+ "purpose" = "letsencrypt delegation"
+ }
+}
+
+variable "use_pgp" {
+ default = false
+ description = "Whether or not to use a PGP key to encrypt the secret access key"
+}
+
+variable "pgp_key" {
+ description = "base64 encoded public gpg key to encrypt the secrets with"
+ default = ""
+}
+
+resource "aws_route53_zone" "_" {
+ name = var.domain
+
+ tags = var.tags
+}
+
+
+resource "aws_iam_user" "_" {
+ name = "letesencrypt-delegation-${var.domain}"
+
+ tags = merge({
+ "Name" = "Letsencrypt delegation user for ${var.domain}"
+ }, var.tags)
+}
+
+resource "aws_iam_access_key" "_" {
+ user = aws_iam_user._.name
+
+ pgp_key = var.use_pgp ? var.pgp_key : null
+}
+
+resource "aws_iam_user_policy" "_" {
+ name = "letsencrypt-delegation-${var.domain}"
+ user = aws_iam_user._.name
+ policy = data.aws_iam_policy_document.r53.json
+}
+
+data "aws_iam_policy_document" "r53" {
+ statement {
+ actions = [
+ "route53:GetChange",
+ "route53:ListHostedZones"
+ ]
+
+ resources = [ "*" ]
+ }
+
+ statement {
+ actions = [
+ "route53:ChangeResourceRecordSets",
+ "route53:ListResourceRecordSets"
+ ]
+
+ resources = [ "arn:aws:route53:::hostedzone/${aws_route53_zone._.id}" ]
+ }
+}
+
+output "info" {
+ value = var.use_pgp ? "\nexport AWS_ACCESS_KEY_ID=${aws_iam_access_key._.id}\nexport AWS_SECRET_ACCESS_KEY=$(echo \"${aws_iam_access_key._.encrypted_secret}\" | base64 -d | gpg -d )\n" : "\nexport AWS_ACCESS_KEY_ID=${aws_iam_access_key._.id}\nexport AWS_SECRET_ACCESS_KEY=${aws_iam_access_key._.secret}\n"
+
+}
+
-- 
cgit v1.2.3
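Review bot: The `info` output at the end of the hunk interpolates the plaintext `aws_iam_access_key._.secret` when `use_pgp` is false, so the secret access key is echoed on every `terraform apply` and `terraform output` and into any CI log that captures them; adding `sensitive = true` inside the `output "info"` block stops Terraform from displaying it (the value still sits in the state file either way, as does the access key resource itself, so the state backend needs to be treated as secret storage). The `aws_iam_user` name reads `letesencrypt-delegation-${var.domain}` while the policy a few lines below uses `letsencrypt-delegation-${var.domain}`; the typo is best fixed before the user is created, since the access key references `aws_iam_user._.name` and a later rename will likely force it to be recreated. The second policy statement grants `route53:ChangeResourceRecordSets` over every record in the zone rather than only the `_acme-challenge` TXT records a DNS-01 client writes; if the provider and account support them, the `route53:ChangeResourceRecordSetsRecordTypes` and `route53:ChangeResourceRecordSetsNormalizedRecordNames` condition keys can narrow that to TXT records under `_acme-challenge.*`.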