terraform review done

Author: Jaime Salas Zancada

05-iac/00-terraform/.devcontainer/devcontainer.json

@@ -0,0 +1,27 @@
+// For format details, see https://aka.ms/devcontainer.json. For config options, see the
+// README at: https://github.com/devcontainers/templates/tree/main/src/ubuntu
+{
+	"name": "Ubuntu",
+	// Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
+	"image": "mcr.microsoft.com/devcontainers/base:jammy",
+	"features": {
+		"ghcr.io/devcontainers/features/aws-cli:1": {},
+		"ghcr.io/devcontainers/features/azure-cli:1": {},
+		"ghcr.io/devcontainers/features/terraform:1": {}
+	},
+
+	// Features to add to the dev container. More info: https://containers.dev/features.
+	// "features": {},
+
+	// Use 'forwardPorts' to make a list of ports inside the container available locally.
+	// "forwardPorts": [],
+
+	// Use 'postCreateCommand' to run commands after the container is created.
+	// "postCreateCommand": "uname -a",
+
+	// Configure tool-specific properties.
+	// "customizations": {},
+
+	// Uncomment to connect as root instead. More info: https://aka.ms/dev-containers-non-root.
+	"remoteUser": "root"
+}

05-iac/00-terraform/03-desplegando-config-base/readme.md

@@ -41,7 +41,7 @@ aws_instance.web_server.name
 
 Abrimos `./.start-app/main.tf`
 
-```tf
+```ini
 provider "aws" {
   access_key = "ACCESS_KEY"
   secret_key = "SECRET_KEY"
@@ -51,7 +51,7 @@ provider "aws" {
 
 Este bloque le indica a Terraform que usaremos `AWS` como **provider**.
 
-```tf
+```ini
 data "aws_ssm_parameter" "ami" {
   name = "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2"
 }
@@ -63,7 +63,7 @@ Este es un **service manager parameter**, al cual le damos como nombre de etique
 
 En la sección de `NETWORKING` creamos la `VPC`
 
-```tf
+```ini
 resource "aws_vpc" "vpc" {
   cidr_block           = "10.0.0.0/16"
   enable_dns_hostnames = "true"
@@ -73,7 +73,7 @@ resource "aws_vpc" "vpc" {
 
 Después creamos la `internet gateway`, y lo asociamos con la VPC que creamos previamente. Para tal fin usamos `vpc_id = aws_vpc.vpc.id`
 
-```tf
+```ini
 resource "aws_internet_gateway" "igw" {
   vpc_id = aws_vpc.vpc.id
 
@@ -84,7 +84,7 @@ resource "aws_internet_gateway" "igw" {
 
 Creamos una `subnet` asociada a la `VPC`. Gracias a esta entrada `map_public_ip_on_launch = "true"`, obtenemos una IP pública
 
-```tf
+```ini
 resource "aws_subnet" "subnet1" {
   cidr_block              = "10.0.0.0/24"
   vpc_id                  = aws_vpc.vpc.id
@@ -94,7 +94,7 @@ resource "aws_subnet" "subnet1" {
 
 Creamos una `route table`, y la asociamos a nuestra `VPC`. Para ver la documentación oficial de este recurso, seguir el siguiente enlace [Route tables official Docs](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html) 
 
-```tf
+```ini
 resource "aws_route_table" "rtb" {
   vpc_id = aws_vpc.vpc.id
 
@@ -109,7 +109,7 @@ En el bloque anidado, podemos especificar un `route` para añadir a la `route ta
 
 Por último asociamos nuestra `route table` con una única `subnet`
 
-```tf
+```ini
 resource "aws_route_table_association" "rta-subnet1" {
   subnet_id      = aws_subnet.subnet1.id
   route_table_id = aws_route_table.rtb.id
@@ -118,7 +118,7 @@ resource "aws_route_table_association" "rta-subnet1" {
 
 Creamos un `security group` que permita al puerto 80 de cualquier dirección hablar nuestra instancia `EC2`
 
-```tf
+```ini
 # Nginx security group 
 resource "aws_security_group" "nginx-sg" {
   name   = "nginx_sg"
@@ -146,7 +146,7 @@ Estamos asocaindo este `security group` con nuestra `VPC`, y estamos creando un
 
 Por último tenemos la instancia EC2.
 
-```tf
+```ini
 resource "aws_instance" "nginx1" {
   ami                    = nonsensitive(data.aws_ssm_parameter.ami.value)
   instance_type          = "t2.micro"

05-iac/00-terraform/04-usando-inputs-outputs/02-demo.md

@@ -245,7 +245,8 @@ resource "aws_security_group" "nginx-sg" {
 }
 # ....
 ```
-mapas entradas en `variables.tf` para las instancias
+
+Creamos entradas en `variables.tf` para las instancias
 
 ```diff
 

05-iac/00-terraform/05-incorporando-recursos/11-demo.md

@@ -162,6 +162,10 @@ resource "aws_lb_target_group" "nginx" {
 
 ```
 
+```bash
+terraform validate
+```
+
 ### Paso 2. Crear el plan
 
 Ahora estamos listos, para generar el `plan`, pero antes registrar las credenciales, si no están registradas en la terminal:

05-iac/00-terraform/06-incorporando-nuevos-providers/12-demo.md

@@ -24,12 +24,12 @@ Aquí podemos encontrar un [ejemplo de uso del provider](https://registry.terraf
 
 Creamos el fichero `./lab/lc_web_app/providers.tf`
 
-```tf
+```ini
 terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 3.0"
+      version = "~> 5.0"
     }
   }
 }
@@ -82,7 +82,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 3.0"
+      version = "~> 5.0"
     }
   }
 }

05-iac/00-terraform/06-incorporando-nuevos-providers/13-demo.md

@@ -29,7 +29,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 3.0"
+      version = "~> 5.0"
     }
 +
 +   random = {

05-iac/00-terraform/06-incorporando-nuevos-providers/14-demo.md

@@ -19,10 +19,10 @@ Crear `lab/lc_web_app/s3.tf`
 ```tf
 # aws_s3_bucket
 
-# aws_s3_bucket_acl
-
 # aws_s3_bucket_policy
 
+# aws_s3_object
+
 # aws_iam_role
 
 # aws_iam_role_policy

05-iac/00-terraform/06-incorporando-nuevos-providers/15-demo.md

@@ -58,74 +58,102 @@ Ya estamos listos para generar la `Policy`, hacemos click en `Generate Policy`,
 
 ```json
 {
-  "Id": "Policy1671300749955",
+  "Id": "Policy1704786378589",
   "Version": "2012-10-17",
   "Statement": [
     {
-      "Sid": "Stmt1671300748312",
+      "Sid": "Stmt1704786159953",
       "Action": [
         "s3:PutObject"
       ],
       "Effect": "Allow",
       "Resource": "arn:aws:s3:::${BucketName}/${KeyName}",
       "Principal": {
         "AWS": [
-          "elb"
+          "AWS"
         ]
       }
-    }
-  ]
-}
-```
-
-Ahora a partir de este esqueleto vamos a generar, el json que necesitamos
-
-```diff
-{
-- "Id": "Policy1671300749955",
-+ "Id": "Policy",
-  "Version": "2012-10-17",
-  "Statement": [
+    },
     {
--     "Sid": "Stmt1671300748312",
+      "Sid": "Stmt1704786312412",
       "Action": [
         "s3:PutObject"
       ],
       "Effect": "Allow",
--     "Resource": "arn:aws:s3:::${BucketName}/${KeyName}",
-+     "Resource": "arn:aws:s3:::${local.s3_bucket_name}/alb-logs/*",
+      "Resource": "arn:aws:s3:::${BucketName}/${KeyName}",
+      "Condition": {
+        "StringEquals": {
+          "s3:x-amz-acl": "bucket-owner-full-control"
+        }
+      },
       "Principal": {
         "AWS": [
--         "elb"
-+         "${data.aws_elb_service_account.root.arn}"
+          "Service"
+        ]
+      }
+    },
+    {
+      "Sid": "Stmt1704786376560",
+      "Action": [
+        "s3:PutObject"
+      ],
+      "Effect": "Allow",
+      "Resource": "arn:aws:s3:::${BucketName}/${KeyName}",
+      "Principal": {
+        "AWS": [
+          "elb"
         ]
       }
     }
   ]
 }
 ```
 
-The final `json` looks like:
+Ahora a partir de este esqueleto vamos a generar, el json que necesitamos,  el recurso del nombre del bucket lo subtituimos por el calculado en `locals`:
+
+```diff
+-"Resource": "arn:aws:s3:::${BucketName}/${KeyName}",
++"Resource": "arn:aws:s3:::${local.s3_bucket_name}/alb-logs/*",
+```
+
+El resultado final del `json` que debemos aplicar:
 
 ```json
 {
-  "Id": "Policy",
   "Version": "2012-10-17",
   "Statement": [
     {
-      "Action": [
-        "s3:PutObject"
-      ],
       "Effect": "Allow",
-      "Resource": "arn:aws:s3:::${local.s3_bucket_name}/alb-logs/*",
       "Principal": {
-        "AWS": [
-          "${data.aws_elb_service_account.root.arn}"
-        ]
+        "AWS": "${data.aws_elb_service_account.root.arn}"
+      },
+      "Action": "s3:PutObject",
+      "Resource": "arn:aws:s3:::${local.s3_bucket_name}/alb-logs/*"
+    },
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "delivery.logs.amazonaws.com"
+      },
+      "Action": "s3:PutObject",
+      "Resource": "arn:aws:s3:::${local.s3_bucket_name}/alb-logs/*",
+      "Condition": {
+        "StringEquals": {
+          "s3:x-amz-acl": "bucket-owner-full-control"
+        }
       }
+    },
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "delivery.logs.amazonaws.com"
+      },
+      "Action": "s3:GetBucketAcl",
+      "Resource": "arn:aws:s3:::${local.s3_bucket_name}"
     }
   ]
 }
+
 ```
 
 ### Paso 3. Generamos el Bucket
@@ -141,37 +169,46 @@ resource "aws_s3_bucket" "web_bucket" {
   tags = local.common_tags
 }
 
-# aws_s3_bucket_acl
-resource "aws_s3_bucket_acl" "web_bucket_acl" {
-  bucket = aws_s3_bucket.web_bucket.id
-  acl    = "private"
-}
-
-# aws_s3_bucket_policy
-resource "aws_s3_bucket_policy" "allow_elb_logging" {
+## aws_s3_bucket_policy
+resource "aws_s3_bucket_policy" "bucket_policy" {
   bucket = aws_s3_bucket.web_bucket.id
   policy = <<POLICY
 {
-  "Id": "Policy",
   "Version": "2012-10-17",
   "Statement": [
     {
-      "Action": [
-        "s3:PutObject"
-      ],
       "Effect": "Allow",
-      "Resource": "arn:aws:s3:::${local.s3_bucket_name}/alb-logs/*",
       "Principal": {
-        "AWS": [
-          "${data.aws_elb_service_account.root.arn}"
-        ]
+        "AWS": "${data.aws_elb_service_account.root.arn}"
+      },
+      "Action": "s3:PutObject",
+      "Resource": "arn:aws:s3:::${local.s3_bucket_name}/alb-logs/*"
+    },
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "delivery.logs.amazonaws.com"
+      },
+      "Action": "s3:PutObject",
+      "Resource": "arn:aws:s3:::${local.s3_bucket_name}/alb-logs/*",
+      "Condition": {
+        "StringEquals": {
+          "s3:x-amz-acl": "bucket-owner-full-control"
+        }
       }
+    },
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "delivery.logs.amazonaws.com"
+      },
+      "Action": "s3:GetBucketAcl",
+      "Resource": "arn:aws:s3:::${local.s3_bucket_name}"
     }
   ]
 }
   POLICY
 }
-
 # aws_iam_role
 
 # aws_iam_role_policy
@@ -181,7 +218,6 @@ resource "aws_s3_bucket_policy" "allow_elb_logging" {
 ```
 
 * Tomamos el nombre del bucket de local
-* Establecemos `acl` como privado
 * Establecemos `force_destroy` para que Terraform lo elimine en el `destroy`
 * En el `resource` para la `bucket policy`, queremos permitir al balenceador de carga y al `delivery service logs` acceso al bucket de S3. Esto lo hacemos utilizando `Allow`, y vamos a referenciar como principal, nuestra cuenta de servicio `Elastic Load Balancer` desde `data source`. Recordar que esto lo hemos declarado en `loadbalancer.tf`, como la entrada `data "aws_elb_service_account" "root" {}`, este es el `data source` que necesitará referenciar la `service account` usada por el `Elastic Load Balancer` en nuestra región.