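variable "domain" {
  # The value is interpolated into the zone name, the IAM user name and the
  # policy name below, so constrain it to a string up front instead of
  # letting a wrong type surface at first use.
  type        = string
  description = "Domain name to use the AWS route53 zone"
}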

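variable "tags" {
  # Applied to the hosted zone as-is and merged over the generated Name tag
  # on the IAM user; a map of strings is what both resources expect.
  type        = map(string)
  description = "Tags applied to the route53 zone and the delegation IAM user"
  default = {
    "purpose" = "letsencrypt delegation"
  }
}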

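variable "use_pgp" {
  # Selects between the encrypted_secret and the plaintext secret paths in
  # aws_iam_access_key._ and output.info; a bool type rejects "yes"/"no"-style
  # values that would otherwise be coerced.
  type        = bool
  default     = false
  description = "Whether or not to use a PGP key to encrypt the secret access key"
}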

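variable "pgp_key" {
  # Only consulted when use_pgp is true; the empty default is never passed
  # to the provider because aws_iam_access_key._ substitutes null otherwise.
  type        = string
  description = "base64 encoded public gpg key to encrypt the secrets with"
  default     = ""
}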

resource "aws_route53_zone" "_" {
  # Hosted zone for the delegated domain. Its id is what scopes the
  # record-change permissions in data.aws_iam_policy_document.r53.
  tags = var.tags
  name = var.domain
}


resource "aws_iam_user" "_" {
  # NOTE(review): "letesencrypt" is a typo for "letsencrypt" (the user policy
  # below spells it correctly). Left unchanged here because renaming the user
  # would replace aws_iam_access_key._ and so rotate the issued credentials.
  name = "letesencrypt-delegation-${var.domain}"

  # merge() is left-to-right, so a caller-supplied "Name" in var.tags
  # deliberately overrides the generated one.
  tags = merge(
    { Name = "Letsencrypt delegation user for ${var.domain}" },
    var.tags,
  )
}

resource "aws_iam_access_key" "_" {
  # With a PGP key the provider exposes only encrypted_secret; without one the
  # plaintext secret is exposed (and therefore persisted in the state file).
  # Passing null rather than "" keeps the provider from treating an empty
  # string as a key.
  pgp_key = var.use_pgp ? var.pgp_key : null
  user    = aws_iam_user._.name
}

resource "aws_iam_user_policy" "_" {
  # Inline policy attached directly to the delegation user; the document is
  # rendered from data.aws_iam_policy_document.r53 so the zone id is resolved
  # by Terraform rather than hard-coded.
  user   = aws_iam_user._.name
  name   = "letsencrypt-delegation-${var.domain}"
  policy = data.aws_iam_policy_document.r53.json
}

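data "aws_iam_policy_document" "r53" {
  # ListHostedZones supports no resource-level scoping, so "*" is unavoidable
  # for it; it is kept in its own statement so nothing else inherits "*".
  statement {
    sid       = "ListZones"
    actions   = ["route53:ListHostedZones"]
    resources = ["*"]
  }

  # GetChange only ever targets change ARNs, so it does not need "*".
  statement {
    sid       = "PollChanges"
    actions   = ["route53:GetChange"]
    resources = ["arn:aws:route53:::change/*"]
  }

  # Record read/write limited to the zone created above.
  # Further hardening option (not applied, since it would break any non-ACME
  # use of this key): move ChangeResourceRecordSets into its own statement
  # with a ForAllValues:StringEquals condition on
  # route53:ChangeResourceRecordSetsRecordTypes = ["TXT"].
  statement {
    sid = "ManageZoneRecords"
    actions = [
      "route53:ChangeResourceRecordSets",
      "route53:ListResourceRecordSets",
    ]
    resources = ["arn:aws:route53:::hostedzone/${aws_route53_zone._.id}"]
  }
}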

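output "info" {
  description = "Shell snippet exporting the delegation user's AWS credentials"

  # When use_pgp is false this value contains the plaintext secret access key,
  # so it must not be echoed in plan/apply output. This does not protect the
  # state file, which still holds aws_iam_access_key._.secret in that case;
  # read the value explicitly with `terraform output` when needed.
  sensitive = true

  value = var.use_pgp ? "\nexport AWS_ACCESS_KEY_ID=${aws_iam_access_key._.id}\nexport AWS_SECRET_ACCESS_KEY=$(echo \"${aws_iam_access_key._.encrypted_secret}\" | base64 -d | gpg -d )\n" : "\nexport AWS_ACCESS_KEY_ID=${aws_iam_access_key._.id}\nexport AWS_SECRET_ACCESS_KEY=${aws_iam_access_key._.secret}\n"
}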