Example: sqs resource based on AWS SQS

Configuration

This example configures an sqs Resource Definition backed by AWS SQS and exposes it under two different access policies:

  • basic-publisher (allowed to send messages)
  • basic-consumer (allowed to receive messages)

These Resource Definitions are requested from your Score file as follows:

resources:
  ...
  queue:
    type: sqs
    class: basic-publisher
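A pair of complete Score files, added here as an illustration (not taken from the resource pack), showing one workload that sends to the queue and another that receives from it. Only `type: sqs` and the two class names come from this page; the workload names, images and the `url` output referenced through `${resources.queue.url}` are assumptions, so check the output names the sqs resource definition actually exposes before relying on them.

```yaml
# score-publisher.yaml (constructed example)
apiVersion: score.dev/v1b1
metadata:
  name: order-publisher          # assumed workload name
containers:
  app:
    image: example.com/order-publisher:1.0   # assumed image
    variables:
      QUEUE_URL: ${resources.queue.url}      # assumed output name of the sqs resource
resources:
  queue:
    type: sqs
    class: basic-publisher        # may only send messages
---
# score-consumer.yaml (constructed example)
apiVersion: score.dev/v1b1
metadata:
  name: order-consumer            # assumed workload name
containers:
  app:
    image: example.com/order-consumer:1.0    # assumed image
    variables:
      QUEUE_URL: ${resources.queue.url}      # assumed output name of the sqs resource
resources:
  queue:
    type: sqs
    class: basic-consumer         # may only receive messages
```

Both workloads name the resource `queue` and end up on the same shared SQS queue; what differs is the IAM policy attached to each workload's role, which is why a consumer that later needs to send must switch class rather than be granted extra actions ad hoc.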

Infrastructure setup

The workload's Kubernetes service account is automatically bound to an AWS IAM Role that carries the selected IAM Policy (publisher or consumer), so the pod only receives the permissions of the class it requested.

graph TD;
  sqs["Amazon SQS queue"]
  policy["Amazon IAM Policy"]
  role["Amazon IAM Role"]
  subgraph EKS Cluster
    pod[workload pod]
    service[Service Account]
  end
  policy --> sqs
  policy --> role --> service --> pod
  sqs --> pod

Orchestrator setup

The Resource Graph uses delegator resources to expose the same shared queue under different access policies.

graph LR;
  workload_1 --> delegator_1["delegator_1, resource_type: sqs, class: basic-publisher"] --> shared.sqs_1["shared.sqs_1, resource_type: sqs"]
  workload_2 --> delegator_2["delegator_2, resource_type: sqs, class: basic-consumer"] --> shared.sqs_1
  workload_2 --> shared.delegator_1["shared.delegator_1, resource_type: sqs, class: basic-consumer"]
  workload_3 --> shared.delegator_1 --> shared.sqs_2["shared.sqs_2, resource_type: sqs"]

Terraform docs

Requirements

Name Version
terraform >= 1.3.0
aws ~> 5.0
humanitec ~> 1.0
random ~> 3.5

Providers

Name Version
aws ~> 5.0
humanitec ~> 1.0
random ~> 3.5

Modules

Name Source Version
iam_policy_sqs_consumer ../../humanitec-resource-defs/iam-policy/sqs n/a
iam_policy_sqs_publisher ../../humanitec-resource-defs/iam-policy/sqs n/a
iam_role_service_account ../../humanitec-resource-defs/iam-role/service-account n/a
k8s_service_account ../../humanitec-resource-defs/k8s/service-account n/a
sqs_basic ../../humanitec-resource-defs/sqs/basic n/a
sqs_basic_consumer ../../humanitec-resource-defs/sqs/delegator n/a
sqs_basic_publisher ../../humanitec-resource-defs/sqs/delegator n/a
workload ../../humanitec-resource-defs/workload/service-account n/a

Resources

Name Type
aws_iam_role.humanitec_provisioner resource
aws_iam_role_policy_attachment.humanitec_provisioner resource
humanitec_application.example resource
humanitec_resource_account.humanitec_provisioner resource
humanitec_resource_definition_criteria.iam_policy_sqs_consumer resource
humanitec_resource_definition_criteria.iam_policy_sqs_publisher resource
humanitec_resource_definition_criteria.iam_role_service_account resource
humanitec_resource_definition_criteria.k8s_service_account resource
humanitec_resource_definition_criteria.sqs_basic resource
humanitec_resource_definition_criteria.sqs_basic_consumer resource
humanitec_resource_definition_criteria.sqs_basic_publisher resource
humanitec_resource_definition_criteria.workload resource
random_password.external_id resource
aws_iam_policy_document.instance_assume_role_policy data source

Inputs

Name                    Description                      Type    Default                                                            Required
cluster_name            Name of the EKS cluster          string  n/a                                                                yes
region                  AWS Region                       string  n/a                                                                yes
name                    Name of the example application  string  "hum-rp-sqs-example"                                               no
prefix                  Prefix of the created resources  string  "hum-rp-sqs-ex-"                                                   no
resource_packs_aws_rev  AWS Resource Pack git branch     string  "refs/heads/main"                                                  no
resource_packs_aws_url  AWS Resource Pack git url        string  "https://github.com/humanitec-architecture/resource-packs-aws.git" no

main.tf (view on GitHub):

# AWS IAM role used by Humanitec to provision resources

locals {
  # AdministratorAccess keeps the example simple; a production provisioner role
  # should be scoped to the services the selected packs actually provision.
  admin_policy_arn   = "arn:aws:iam::aws:policy/AdministratorAccess"
  # Humanitec's IAM user that is allowed to assume the provisioner role below
  humanitec_user_arn = "arn:aws:iam::767398028804:user/humanitec"
}

resource "random_password" "external_id" {
  length  = 16
  special = false
}

data "aws_iam_policy_document" "instance_assume_role_policy" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = [local.humanitec_user_arn]
    }

    # The random external ID must be presented on AssumeRole, so only the
    # Humanitec account configured with it can use this trust (confused-deputy protection)
    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [random_password.external_id.result]
    }
  }
}

resource "aws_iam_role" "humanitec_provisioner" {
  name = var.name

  assume_role_policy = data.aws_iam_policy_document.instance_assume_role_policy.json
}

resource "aws_iam_role_policy_attachment" "humanitec_provisioner" {
  role       = aws_iam_role.humanitec_provisioner.name
  policy_arn = local.admin_policy_arn
}

resource "humanitec_resource_account" "humanitec_provisioner" {
  id   = var.name
  name = var.name
  type = "aws-role"
  credentials = jsonencode({
    aws_role    = aws_iam_role.humanitec_provisioner.arn
    external_id = random_password.external_id.result
  })

  depends_on = [
    # Otherwise the account loses permissions before the resources are deleted
    aws_iam_role_policy_attachment.humanitec_provisioner
  ]
}

# Example application and resource definition criteria

resource "humanitec_application" "example" {
  id   = var.name
  name = var.name
}

# SQS queue

locals {
  # Classes used to build the resource definition graph
  sqs_basic_class            = "basic"
  sqs_publisher_policy_class = "sqs-basic-publisher"
  sqs_consumer_policy_class  = "sqs-basic-consumer"

  # Classes that developers can select from
  sqs_basic_publisher_class = "basic-publisher"
  sqs_basic_consumer_class  = "basic-consumer"
}

# Define sqs queue basic "flavour" as base

module "sqs_basic" {
  source = "github.com/humanitec-architecture/resource-packs-aws?ref=v2024-06-14//humanitec-resource-defs/sqs/basic"

  resource_packs_aws_url = var.resource_packs_aws_url
  resource_packs_aws_rev = var.resource_packs_aws_rev
  append_logs_to_error   = true
  driver_account         = humanitec_resource_account.humanitec_provisioner.id

  region = var.region

  prefix = var.prefix
}

resource "humanitec_resource_definition_criteria" "sqs_basic" {
  resource_definition_id = module.sqs_basic.id
  app_id                 = humanitec_application.example.id
  class                  = local.sqs_basic_class

  force_delete = true
}

# Add different access policy to sqs basic queue

# Publisher

## Policy

module "iam_policy_sqs_publisher" {
  source = "github.com/humanitec-architecture/resource-packs-aws?ref=v2024-06-14//humanitec-resource-defs/iam-policy/sqs"

  resource_packs_aws_url = var.resource_packs_aws_url
  resource_packs_aws_rev = var.resource_packs_aws_rev
  append_logs_to_error   = true
  driver_account         = humanitec_resource_account.humanitec_provisioner.id

  region = var.region

  prefix             = var.prefix
  policy             = "publisher"
  sqs_resource_class = local.sqs_basic_publisher_class
}

resource "humanitec_resource_definition_criteria" "iam_policy_sqs_publisher" {
  resource_definition_id = module.iam_policy_sqs_publisher.id
  app_id                 = humanitec_application.example.id
  class                  = local.sqs_publisher_policy_class

  force_delete = true
}

## Exposed delegator resource definition
module "sqs_basic_publisher" {
  source = "github.com/humanitec-architecture/resource-packs-aws?ref=v2024-06-14//humanitec-resource-defs/sqs/delegator"

  prefix = var.prefix

  sqs_resource_class    = local.sqs_basic_class
  policy_resource_class = local.sqs_publisher_policy_class
}

resource "humanitec_resource_definition_criteria" "sqs_basic_publisher" {
  resource_definition_id = module.sqs_basic_publisher.id
  app_id                 = humanitec_application.example.id
  class                  = local.sqs_basic_publisher_class

  force_delete = true
}

# Consumer

## Policy
module "iam_policy_sqs_consumer" {
  source = "github.com/humanitec-architecture/resource-packs-aws?ref=v2024-06-14//humanitec-resource-defs/iam-policy/sqs"

  resource_packs_aws_url = var.resource_packs_aws_url
  resource_packs_aws_rev = var.resource_packs_aws_rev
  append_logs_to_error   = true
  driver_account         = humanitec_resource_account.humanitec_provisioner.id

  region = var.region

  policy = "consumer"

  prefix = var.prefix

  sqs_resource_class = local.sqs_basic_consumer_class
}

resource "humanitec_resource_definition_criteria" "iam_policy_sqs_consumer" {
  resource_definition_id = module.iam_policy_sqs_consumer.id
  app_id                 = humanitec_application.example.id
  class                  = local.sqs_consumer_policy_class

  force_delete = true
}

## Exposed delegator resource definition
module "sqs_basic_consumer" {
  source = "github.com/humanitec-architecture/resource-packs-aws?ref=v2024-06-14//humanitec-resource-defs/sqs/delegator"

  prefix = var.prefix

  sqs_resource_class    = local.sqs_basic_class
  policy_resource_class = local.sqs_consumer_policy_class
}

resource "humanitec_resource_definition_criteria" "sqs_basic_consumer" {
  resource_definition_id = module.sqs_basic_consumer.id
  app_id                 = humanitec_application.example.id
  class                  = local.sqs_basic_consumer_class

  force_delete = true
}

# Required resources for workload identity

module "k8s_service_account" {
  source = "github.com/humanitec-architecture/resource-packs-aws?ref=v2024-06-14//humanitec-resource-defs/k8s/service-account"

  prefix = var.prefix
}

resource "humanitec_resource_definition_criteria" "k8s_service_account" {
  resource_definition_id = module.k8s_service_account.id
  app_id                 = humanitec_application.example.id

  force_delete = true
}

module "iam_role_service_account" {
  source = "github.com/humanitec-architecture/resource-packs-aws?ref=v2024-06-14//humanitec-resource-defs/iam-role/service-account"

  resource_packs_aws_url = var.resource_packs_aws_url
  resource_packs_aws_rev = var.resource_packs_aws_rev
  append_logs_to_error   = true
  driver_account         = humanitec_resource_account.humanitec_provisioner.id

  region = var.region

  cluster_name = var.cluster_name
  prefix       = var.prefix
}

resource "humanitec_resource_definition_criteria" "iam_role_service_account" {
  resource_definition_id = module.iam_role_service_account.id
  app_id                 = humanitec_application.example.id

  force_delete = true
}

module "workload" {
  source = "github.com/humanitec-architecture/resource-packs-aws?ref=v2024-06-14//humanitec-resource-defs/workload/service-account"

  prefix = var.prefix
}

resource "humanitec_resource_definition_criteria" "workload" {
  resource_definition_id = module.workload.id
  app_id                 = humanitec_application.example.id

  force_delete = true
}

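The trust policy and the two access policies above are the places where this example's security posture is decided, so here is an added checker (not part of the resource pack) that a reviewer can run over rendered IAM policy JSON. It verifies that a role trusted to a principal from another account carries an `sts:ExternalId` condition, as `data.aws_iam_policy_document.instance_assume_role_policy` does, that a publisher policy grants no consumer actions and vice versa, and that no statement uses wildcard actions or `Resource: "*"`, and it flags an `AdministratorAccess` attachment. The Humanitec user ARN comes from main.tf; the owning account id, queue ARN and the publisher/consumer action sets are constructed assumptions, since the page does not list what the `iam-policy/sqs` module actually grants.

```python
"""Least-privilege checks for the IAM pieces this example wires together.

Added example, not code from the resource pack. Policy documents are constructed:
the trust policy mirrors the shape main.tf renders, and the publisher/consumer
permission policies are an assumed reading of "allowed to send"/"allowed to receive".
"""
import json

HUMANITEC_USER_ARN = "arn:aws:iam::767398028804:user/humanitec"  # from main.tf locals
OWN_ACCOUNT_ID = "123456789012"  # constructed: account that owns the provisioner role
QUEUE_ARN = "arn:aws:sqs:eu-west-1:123456789012:hum-rp-sqs-ex-queue"  # constructed

TRUST_POLICY_OK = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Principal": {"AWS": HUMANITEC_USER_ARN},
        "Condition": {"StringEquals": {"sts:ExternalId": "EXTERNAL-ID-PLACEHOLDER"}},
    }],
}
# Same trust with the condition dropped: the confused-deputy gap the external ID closes.
TRUST_POLICY_NO_EXTERNAL_ID = json.loads(json.dumps(TRUST_POLICY_OK))
del TRUST_POLICY_NO_EXTERNAL_ID["Statement"][0]["Condition"]

# Assumed action sets behind the two access policies (the pack's module may differ).
PUBLISHER_ACTIONS = {"sqs:SendMessage", "sqs:GetQueueUrl", "sqs:GetQueueAttributes"}
CONSUMER_ACTIONS = {"sqs:ReceiveMessage", "sqs:DeleteMessage",
                    "sqs:GetQueueUrl", "sqs:GetQueueAttributes"}
PRIVILEGED_MANAGED_POLICIES = {"arn:aws:iam::aws:policy/AdministratorAccess"}


def make_policy(actions, resource=QUEUE_ARN):
    """Build a single-statement Allow policy document."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": sorted(actions), "Resource": resource}]}


PUBLISHER_POLICY = make_policy(PUBLISHER_ACTIONS)
CONSUMER_POLICY = make_policy(CONSUMER_ACTIONS)
OVERBROAD_POLICY = make_policy({"sqs:*"}, resource="*")


def _as_list(value):
    """IAM accepts a scalar or a list for Action/Resource/Principal; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _account_of(arn):
    """Account id is the fifth colon-separated ARN field (arn:partition:service:region:account:...)."""
    parts = arn.split(":")
    return parts[4] if len(parts) > 4 else ""


def trust_policy_findings(doc, own_account=OWN_ACCOUNT_ID):
    """Flag AssumeRole grants to wildcard principals, or to cross-account principals without ExternalId."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principals = _as_list(stmt.get("Principal", {}).get("AWS"))
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        for principal in principals:
            if principal == "*":
                findings.append("AssumeRole granted to wildcard principal")
            elif _account_of(principal) != own_account and "sts:ExternalId" not in conditions:
                findings.append(f"cross-account principal {principal} trusted without sts:ExternalId")
    return findings


def permission_policy_findings(doc, allowed_actions):
    """Flag wildcard actions/resources and any action outside the expected set for that class."""
    allowed = {a.lower() for a in allowed_actions}
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if "*" in action or "?" in action:
                findings.append(f"wildcard action {action}")
            elif action.lower() not in allowed:
                findings.append(f"action {action} outside the allowed set")
        if "*" in _as_list(stmt.get("Resource")):
            findings.append("statement applies to Resource '*'")
    return findings


def attached_policy_findings(policy_arns):
    """Flag attachments of broad AWS-managed policies such as AdministratorAccess."""
    return [f"privileged managed policy attached: {arn}"
            for arn in policy_arns if arn in PRIVILEGED_MANAGED_POLICIES]


if __name__ == "__main__":
    print("trust ok:", trust_policy_findings(TRUST_POLICY_OK))
    print("trust without external id:", trust_policy_findings(TRUST_POLICY_NO_EXTERNAL_ID))
    print("consumer policy checked against publisher set:",
          permission_policy_findings(CONSUMER_POLICY, PUBLISHER_ACTIONS))
    print("overbroad:", permission_policy_findings(OVERBROAD_POLICY, PUBLISHER_ACTIONS))
    print("admin attached:", attached_policy_findings(sorted(PRIVILEGED_MANAGED_POLICIES)))
```

Running the checker against a consumer policy with the publisher's allowed set is the useful negative case: it reports `sqs:ReceiveMessage` and `sqs:DeleteMessage` as outside the set, which is exactly the separation the `basic-publisher` / `basic-consumer` classes are meant to enforce. The trust-policy check is the one to keep in CI for the provisioner role, since dropping the `sts:ExternalId` condition would let any principal that Humanitec's user can be induced to act for assume the role.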
providers.tf (view on GitHub):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
    humanitec = {
      source  = "humanitec/humanitec"
      version = "~> 1.0"
    }
    random = {
      source  = "hashicorp/random"
      version = "~> 3.5"
    }
  }

  required_version = ">= 1.3.0"
}

provider "aws" {
  default_tags {
    tags = {
      "managed_by" = "terraform"
      "source"     = "github.com/humanitec-architecture/resource-pack-aws"
    }
  }
}

provider "humanitec" {}

provider "random" {}


terraform.tfvars.example (view on GitHub):

# Name of the EKS cluster
cluster_name = ""

# Name of the example application
name = "hum-rp-sqs-example"

# Prefix of the created resources
prefix = "hum-rp-sqs-ex-"

# AWS Region
region = ""

# AWS Resource Pack git branch
resource_packs_aws_rev = "refs/tags/v2024-06-14"

# AWS Resource Pack git url
resource_packs_aws_url = "https://github.com/humanitec-architecture/resource-packs-aws.git"

variables.tf (view on GitHub):

variable "region" {
  description = "AWS Region"
  type        = string
}

variable "cluster_name" {
  description = "Name of the EKS cluster"
  type        = string
}

variable "resource_packs_aws_url" {
  description = "AWS Resource Pack git url"
  type        = string
  default     = "https://github.com/humanitec-architecture/resource-packs-aws.git"
}

variable "resource_packs_aws_rev" {
  description = "AWS Resource Pack git branch"
  type        = string
  default     = "refs/tags/v2024-06-14"
}

variable "name" {
  description = "Name of the example application"
  type        = string
  default     = "hum-rp-sqs-example"
}

variable "prefix" {
  description = "Prefix of the created resources"
  type        = string
  default     = "hum-rp-sqs-ex-"
}