feat(vms): implement terraform script to deploy AWS inf

ctrlc03 · ctrlc03 · commit b168cd0b8461 · 2023-06-30T17:08:47.000+01:00
diff --git a/packages/backend/.gitignore b/packages/backend/.gitignore
@@ -69,4 +69,14 @@ dist/
 node_modules/
 
 # Admin SDK key
-serviceAccountKey.json
+serviceAccountKey.json
+
+# AWS related files
+aws/.terraform 
+aws/lambda.zip
+aws/terraform.tfstate
+aws/terraform.tfstate.json
+aws/terraform.tfstate.backup
+aws/.terraform.lock.hcl
+aws/lambda/node_modules 
+aws/lambda/package-lock.json
diff --git a/packages/backend/aws/lambda/lambda.js b/packages/backend/aws/lambda/lambda.js
@@ -0,0 +1,50 @@
+import { EC2Client, DescribeInstancesCommand, StopInstancesCommand, CreateTagsCommand } from "@aws-sdk/client-ec2";
+
+const ec2 = new EC2Client({ region: 'us-east-1' });
+
+export const handler = async (event) => {
+    console.log('Received event:', JSON.stringify(event, null, 2));
+
+    // Extract the SNS message which will be the instanceId
+    const instanceId = event.Records[0].Sns.Message;
+
+    // Get information about the instance
+    const params = {
+        InstanceIds: [instanceId]
+    };
+
+    try {
+        const describeInstancesCommand = new DescribeInstancesCommand(params)
+        let data = await ec2.send(describeInstancesCommand)
+        const instance = data.Reservations[0].Instances[0]
+
+        // Check if the instance has the "p0tionec2instance" name tag
+        const hasCorrectNameTag = instance.Tags.some(tag => tag.Key === 'Name' && tag.Value === 'p0tionec2instance')
+        // Check if the instance has been already initialized
+        const alreadyInitialized = instance.Tags.some(tag => tag.Key === 'Initialized' && tag.Value === 'true')
+
+        if (hasCorrectNameTag && !alreadyInitialized) {
+            // If the instance has the correct name tag and it is not initialized yet, stop it
+            const stopInstancesCommand = new StopInstancesCommand(params)
+            data = await ec2.send(stopInstancesCommand)
+            console.log('StopInstances succeeded:', data)
+
+            // Mark the instance as initialized
+            const createTagsCommand = new CreateTagsCommand({
+                Resources: [instanceId],
+                Tags: [
+                    {
+                        Key: 'Initialized',
+                        Value: 'true'
+                    }
+                ]
+            })
+            await ec2.send(createTagsCommand)
+            console.log(`Instance ${instanceId} has been marked as initialized.`)
+        } else {
+            console.log(`Instance ${instanceId} does not meet the requirements, ignoring...`)
+        }
+    } catch (err) {
+        console.log('Error', err)
+    }
+}
diff --git a/packages/backend/aws/lambda/package.json b/packages/backend/aws/lambda/package.json
@@ -0,0 +1,12 @@
+{
+  "name": "p0tion-lambda",
+  "version": "1.0.0",
+  "description": "A Lambda function to stop ec2 instances",
+  "main": "lambda.js",
+  "keywords": [],
+  "author": "",
+  "license": "ISC",
+  "dependencies": {
+    "@aws-sdk/client-ec2": "^3.363.0"
+  }
+}
diff --git a/packages/backend/aws/main.tf b/packages/backend/aws/main.tf
@@ -0,0 +1,260 @@
+provider "aws" {
+    region = "us-east-1"
+}
+
+# create SNS
+resource "aws_sns_topic" "p0tion_sns_topic" {
+  name = "p0tion_sns_topic"
+}
+
+# create Lambda execution role
+data "aws_iam_policy_document" "p0tion_assume_role_policy_lambda" {
+    statement {
+      actions = ["sts:AssumeRole"]
+
+      principals {
+        type        = "Service"
+        identifiers = ["lambda.amazonaws.com"]
+      }
+    }
+}
+
+resource "aws_iam_role" "p0tion_lambda_role" {
+  name               = "p0tion_lambda_role"
+  assume_role_policy = data.aws_iam_policy_document.p0tion_assume_role_policy_lambda.json
+}
+
+# Execution role with EC2 and logs permissions
+resource "aws_iam_role_policy" "p0tion_lambda_exec_role_policy" {
+    name = "p0tion_lambda_exec_role_policy"
+    role = aws_iam_role.p0tion_lambda_role.id
+
+    policy = <<EOF
+{
+"Version": "2012-10-17",
+"Statement": [
+    {
+        "Sid": "p0tionLambdaExec",
+        "Effect": "Allow",
+        "Action": [
+            "ec2:DescribeInstances",
+            "ec2:StopInstances",
+            "ec2:CreateTags",
+            "logs:CreateLogGroup",
+            "logs:CreateLogStream",
+            "logs:PutLogEvents"
+        ],
+        "Resource": "*"
+    }
+]
+}
+    EOF
+}
+
+# Deploy the Lambda with the code to stop the EC2 instance
+resource "aws_lambda_function" "p0tion_lambda_stop_vm" {
+    filename = "./lambda.zip"
+    function_name = "p0tion_lambda_stop_vm"
+    role = aws_iam_role.p0tion_lambda_role.arn
+    handler = "lambda_function.lambda_handler"
+
+    runtime = "nodejs18.x"
+    source_code_hash = filebase64sha256("./lambda.zip")
+    timeout = 300
+
+    environment {
+        variables = {
+            SNS_TOPIC_ARN = aws_sns_topic.p0tion_sns_topic.arn
+        }
+    }
+}
+
+# Allow the lambda to be triggered by SNS
+resource "aws_lambda_permission" "sns" {
+    statement_id = "AllowExecutionFromSNS"
+    action = "lambda:InvokeFunction"
+    function_name = aws_lambda_function.p0tion_lambda_stop_vm.function_name
+    principal = "sns.amazonaws.com"
+    source_arn = aws_sns_topic.p0tion_sns_topic.arn
+}
+
+resource "aws_sns_topic_subscription" "lambda" {
+    topic_arn = aws_sns_topic.p0tion_sns_topic.arn
+    protocol = "lambda"
+    endpoint = aws_lambda_function.p0tion_lambda_stop_vm.arn
+}
+
+# Create instance role for EC2
+data "aws_iam_policy_document" "p0tion_assume_role_policy_ec2" {
+    statement {
+        actions = ["sts:AssumeRole"]
+    
+        principals {
+            type        = "Service"
+            identifiers = ["ec2.amazonaws.com"]
+        }
+    }
+}
+
+# Associate the role with the instance profile
+resource "aws_iam_role" "p0tion_ec2_role" {
+    name = "p0tion_ec2_role"
+    assume_role_policy = data.aws_iam_policy_document.p0tion_assume_role_policy_ec2.json
+}
+
+# EC2 SNS policy
+resource "aws_iam_role_policy" "p0tion_ec2_sns" {
+    name = "p0tion_ec2_sns"
+    role = aws_iam_role.p0tion_ec2_role.id 
+
+    policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+        "Sid": "p0tionEC2SNS",
+        "Effect": "Allow",
+        "Action": "sns:Publish",
+        "Resource": "${aws_sns_topic.p0tion_sns_topic.arn}"
+        }
+    ]
+}
+    EOF
+}
+
+# EC2 S3 and SSM policy
+resource "aws_iam_role_policy" "p0tion_ec2_s3_ssm" {
+    name = "p0tion_ec2_s3_ssm"
+    role = aws_iam_role.p0tion_ec2_role.id 
+
+    policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+        "Sid": "p0tionEc2S3SSM",
+        "Effect": "Allow",
+        "Action": [
+            "s3:ListBucket",
+            "s3:PutObject",
+            "s3:GetObject",
+            "s3:PutObjectAcl",
+            "ssm:UpdateInstanceInformation",
+            "ssmmessages:CreateControlChannel",
+            "ssmmessages:CreateDataChannel",
+            "ssmmessages:OpenControlChannel",
+            "ssmmessages:OpenDataChannel"
+        ],
+        "Resource": "${aws_sns_topic.p0tion_sns_topic.arn}"
+        }
+    ]
+}
+    EOF
+}
+
+# IAM user for all operations 
+resource "aws_iam_user" "p0tion_iam_user" {
+    name = "p0tion_iam_user"
+}
+
+resource "aws_iam_access_key" "p0tion_access_key" {
+  user = aws_iam_user.p0tion_iam_user.name
+}
+
+resource "aws_iam_user_policy" "p0tion_s3_ssm" {
+  name = "p0tion_s3_ssm"
+  user = aws_iam_user.p0tion_iam_user.name
+
+  policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "S3andEC2andSSM",
+            "Effect": "Allow",
+            "Action": [
+                "s3:CreateBucket",
+                "s3:ListBucket",
+                "s3:ListMultipartUploadParts",
+                "s3:GetObject",
+                "s3:AbortMultipartUpload",
+                "s3:GetObjectVersion",
+                "s3:HeadBucket",
+                "ec2:RunInstances",
+                "ec2:DescribeInstanceStatus",
+                "ec2:CreateTags",
+                "iam:PassRole"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+EOF
+}
+
+resource "aws_iam_user_policy" "p0tion_ec2_privileged" {
+  name = "p0tion_ec2_privileged"
+  user = aws_iam_user.p0tion_iam_user.name
+
+  policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "EC2Privileged",
+            "Effect": "Allow",
+            "Action": [
+                "ec2:StopInstances",
+                "ec2:TerminateInstances",
+                "ec2:StartInstances",
+                "ssm:SendCommand",
+                "ssm:GetCommandInvocation"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+EOF
+}
+
+resource "aws_iam_user_policy" "p0tion_s3_privileged" {
+  name = "p0tion_s3_privileged"
+  user = aws_iam_user.p0tion_iam_user.name
+
+  policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "S3Privileged",
+            "Effect": "Allow",
+            "Action": [
+                "s3:DeleteObject",
+                "s3:DeleteBucket",
+                "s3:PutBucketPublicAccessBlock",
+                "s3:PutBucketCORS",
+                "s3:PutBucketObjectLockConfiguration",
+                "s3:PutBucketAcl",
+                "s3:PutBucketVersioning",
+                "s3:PutObject",
+                "s3:PutObjectAcl",
+                "s3:PutBucketOwnershipControls"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+EOF
+}
+
+# The user access keys
+output "access_key" {
+  value = aws_iam_access_key.p0tion_access_key.id
+  description = "The access key ID"
+}
+
+output "secret_key" {
+  value = aws_iam_access_key.p0tion_access_key.secret
+  description = "The secret access key. This key will be encrypted and stored in the state file, use terraform output secret_key"
+  sensitive = true
+}
