Fix permissions for build pipeline aws configuration

terraform/sitespeed/.gitignore

+# Do not accidentally check in a file with secret info e.g. AWS credentials
+terraform.tfvars
+terraform.tfstate
+terraform.tfstate.backup

terraform/sitespeed/sitespeed.tf

-
 # Configure the AWS Provider
 provider "aws" {
-    access_key = "${var.aws_access_key}"
-    secret_key = "${var.aws_secret_key}"
-    region = "us-east-1"
+  access_key = "${var.aws_access_key}"
+  secret_key = "${var.aws_secret_key}"
+  region = "${var.aws_region}"
 }
 
+# Create a new IAM user
+resource "aws_iam_user" "build_pipeline_user" {
+  name = "build_pipeline_user"
+}
 
-# pipeline-provision infrastructure
-resource "aws_sqs_queue" "edx-pipeline-provision-queue" {
-	name = "${var.queue_name_pipeline}"
-	delay_seconds = "${var.queue_delay_seconds}"
-	max_message_size = "${var.queue_max_message_size}"
-	message_retention_seconds = "${var.queue_message_retention_seconds}"
-	receive_wait_time_seconds = "${var.queue_receive_wait_time_seconds}"
+# Create IAM access key for the new user
+resource "aws_iam_access_key" "build_pipeline_user_key" {
+  user = "${aws_iam_user.build_pipeline_user.name}"
 }
 
-resource "aws_sns_topic" "edx-pipeline-provision" {
+# Create the SNS topics
+resource "aws_sns_topic" "provision-topic" {
   name = "edx-pipeline-provision-topic"
 }
-
-resource "aws_sns_topic_subscription" "edx-pipeline-provision_sqs_target" {
-  topic_arn = "${aws_sns_topic.edx-pipeline-provision.arn}"
-  protocol  = "sqs"
-  endpoint  = "${aws_sqs_queue.edx-pipeline-provision-queue.arn}"
+resource "aws_sns_topic" "sitespeed-topic" {
+  name = "edx-pipeline-sitespeed-topic"
 }
 
-
-
-# pipeline-sitespeed infrastructure
-resource "aws_sqs_queue" "edx-pipeline-sitespeed-queue" {
-  name = "${var.queue_name_sitespeed}"
+# Create the SQS queues, including giving permission to
+# the SNS topics to send messages to the queue
+resource "aws_sqs_queue" "provision-queue" {
+  name = "${var.provision_queue_name}"
   delay_seconds = "${var.queue_delay_seconds}"
   max_message_size = "${var.queue_max_message_size}"
   message_retention_seconds = "${var.queue_message_retention_seconds}"
   receive_wait_time_seconds = "${var.queue_receive_wait_time_seconds}"
+  policy = <<EOF
+{
+  "Version":"2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": "SQS:SendMessage",
+      "Principal": "*",
+      "Resource": "${format("arn:aws:sqs:%s:%s:%s", var.aws_region, var.aws_account_id, var.provision_queue_name)}",
+      "Condition": {
+        "ArnEquals": {
+          "aws:SourceArn": "${aws_sns_topic.provision-topic.arn}"
+        }
+      }
+    }
+  ]
 }
-
-resource "aws_sns_topic" "edx-pipeline-sitespeed" {
-  name = "edx-pipeline-sitespeed-topic"
+EOF
 }
 
-resource "aws_sns_topic_subscription" "edx-pipeline-sitespeed_sqs_target" {
-  topic_arn = "${aws_sns_topic.edx-pipeline-sitespeed.arn}"
-  protocol  = "sqs"
-  endpoint  = "${aws_sqs_queue.edx-pipeline-sitespeed-queue.arn}"
+resource "aws_sqs_queue" "sitespeed-queue" {
+  name = "${var.sitespeed_queue_name}"
+  delay_seconds = "${var.queue_delay_seconds}"
+  max_message_size = "${var.queue_max_message_size}"
+  message_retention_seconds = "${var.queue_message_retention_seconds}"
+  receive_wait_time_seconds = "${var.queue_receive_wait_time_seconds}"
+  policy = <<EOF
+{
+  "Version":"2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": "SQS:SendMessage",
+      "Principal": "*",
+      "Resource": "${format("arn:aws:sqs:%s:%s:%s", var.aws_region, var.aws_account_id, var.sitespeed_queue_name)}",
+      "Condition": {
+        "ArnEquals": {
+          "aws:SourceArn": "${aws_sns_topic.sitespeed-topic.arn}"
+        }
+      }
+    }
+  ]
 }
-
-
-# Create IAM policy, user
-resource "aws_iam_user" "build_pipeline_user" {
-    name = "build_pipeline_user"
+EOF
 }
 
-resource "aws_iam_access_key" "build_pipeline_user_key" {
-    user = "${aws_iam_user.build_pipeline_user.name}"
+# Subscribe the SQS queues to the SNS topics
+resource "aws_sns_topic_subscription" "provision-subscription" {
+  topic_arn = "${aws_sns_topic.provision-topic.arn}"
+  protocol  = "sqs"
+  endpoint  = "${aws_sqs_queue.provision-queue.arn}"
+}
+resource "aws_sns_topic_subscription" "sitespeed-subscription" {
+  topic_arn = "${aws_sns_topic.sitespeed-topic.arn}"
+  protocol  = "sqs"
+  endpoint  = "${aws_sqs_queue.sitespeed-queue.arn}"
 }
 
-resource "aws_iam_user_policy" "sns_publish_policy" {
-    name = "${var.environment}-${var.deployment}-${var.service}-sender"
-    user = "${aws_iam_user.build_pipeline_user.name}"
-    policy = <<EOF
+# Allow the IAM user to publish to the SNS topics
+# and to read and delete from the SQS queues.
+# Jenkins and the build-trigger heroku app will be
+# configured to use its key.
+resource "aws_iam_user_policy" "user-pipeline-policy" {
+  name = "${var.environment}-${var.deployment}-${var.service}-sender"
+  user = "${aws_iam_user.build_pipeline_user.name}"
+  policy = <<EOF
 {
   "Version": "2012-10-17",
   "Statement": [
     {
+      "Effect": "Allow",
       "Action": [
         "sns:Publish"
       ],
+      "Resource": "${aws_sns_topic.provision-topic.arn}"
+    },
+    {
       "Effect": "Allow",
-      "Resource": "${aws_sns_topic.edx-pipeline-provision.arn}"
+      "Action": [
+        "sqs:ReceiveMessage",
+        "sqs:DeleteMessage"
+      ],
+      "Resource": "${aws_sqs_queue.provision-queue.arn}"
     },
     {
+      "Effect": "Allow",
       "Action": [
         "sns:Publish"
       ],
+      "Resource": "${aws_sns_topic.sitespeed-topic.arn}"
+    },
+    {
       "Effect": "Allow",
-      "Resource": "${aws_sns_topic.edx-pipeline-sitespeed.arn}"
+      "Action": [
+        "sqs:ReceiveMessage",
+        "sqs:DeleteMessage"
+      ],
+      "Resource": "${aws_sqs_queue.sitespeed-queue.arn}"
     }
   ]
 }
 EOF
 }
 
+# Output the AWS key and secret for the new user to the console.
+# Note that it will also be available in the terraform.tfstate file.
+output "key" {
+    value = "${aws_iam_access_key.build_pipeline_user_key.id}"
+}
+output "secret" {
+    value = "${aws_iam_access_key.build_pipeline_user_key.secret}"
+}

terraform/sitespeed/terraform.tfvars.example

 #### Copy this file and remove the '.example' extension in order to
 #### use it in a terraform execution
 
-
-
 environment = "env_foo"
 deployment = "my_deployment"
 service = "my_ci_service"
@@ -10,12 +8,4 @@ service = "my_ci_service"
 # AWS variables
 aws_access_key = "FOOBARAIAIAIA"
 aws_secret_key = "FOOBAT01010101"
-
-# SQS variables
-queue_name_pipeline = "my-pipeline-queue"
-queue_name_pipeline = "my-sitespeed-queue"
-queue_delay_seconds = 90
-queue_max_message_size = 2048
-queue_message_retention_seconds = 86400
-queue_receive_wait_time_seconds = 10
-
+aws_account_id = "123456789012"

terraform/sitespeed/variables.tf

@@ -2,18 +2,29 @@ variable "environment" {}
 variable "deployment" {}
 variable "service" {}
 
-variable "queue_name_pipeline" {
-     default = "default-queue"
+variable "aws_access_key" {}
+variable "aws_secret_key" {}
+variable "aws_account_id" {}
+variable "aws_region" {
+	default = "us-east-1"
 }
 
-variable "queue_name_sitespeed" {
-	 default = "default-queue"
+variable "provision_queue_name" {
+	default = "edx-pipeline-provision-queue"
+}
+variable "sitespeed_queue_name" {
+	default = "edx-pipeline-sitespeed-queue"
 }
 
-variable "queue_delay_seconds" {}
-variable "queue_max_message_size" {}
-variable "queue_message_retention_seconds" {}
-variable "queue_receive_wait_time_seconds" {}
-
-variable "aws_access_key" {}
-variable "aws_secret_key" {}
+variable "queue_delay_seconds" {
+	default = 0
+}
+variable "queue_max_message_size" {
+	default = 262144
+}
+variable "queue_message_retention_seconds" {
+	default = 345600
+}
+variable "queue_receive_wait_time_seconds" {
+	default = 5
+}