feat: Add s3_outputs module to write shared values.

eshiferax · eshiferax · commit 5b60a2e8836f · 2025-06-08T17:40:34.000-04:00
diff --git a/modules/controlplane_rift/README.md b/modules/controlplane_rift/README.md
@@ -72,6 +72,9 @@ output "tecton" {
 | <a name="output_cross_account_role_arn"></a> [cross\_account\_role\_arn](#output\_cross\_account\_role\_arn) | n/a |
 | <a name="output_deployment_name"></a> [deployment\_name](#output\_deployment\_name) | n/a |
 | <a name="output_kms_key_arn"></a> [kms\_key\_arn](#output\_kms\_key\_arn) | n/a |
+| <a name="output_outputs_bucket_arn"></a> [outputs\_bucket\_arn](#output\_outputs\_bucket\_arn) | ARN of the S3 bucket storing module outputs |
+| <a name="output_outputs_bucket_name"></a> [outputs\_bucket\_name](#output\_outputs\_bucket\_name) | Name of the S3 bucket storing module outputs |
+| <a name="output_outputs_s3_uri"></a> [outputs\_s3\_uri](#output\_outputs\_s3\_uri) | S3 URI of the outputs.json file |
 | <a name="output_region"></a> [region](#output\_region) | n/a |
 <!-- END_TF_DOCS -->
 
diff --git a/modules/controlplane_rift/infrastructure.tf b/modules/controlplane_rift/infrastructure.tf
@@ -24,3 +24,24 @@ module "tecton" {
   use_rift_cross_account_policy     = true
   kms_key_id                        = var.kms_key_id
 }
+
+# S3 module to store outputs
+module "s3_outputs" {
+  source          = "../s3_outputs"
+  deployment_name = var.deployment_name
+
+  control_plane_account_id = var.tecton_control_plane_account_id
+
+  outputs_data = {
+    deployment_name           = var.deployment_name
+    region                   = var.region
+    cross_account_role_arn   = module.tecton.cross_account_role_arn
+    cross_account_external_id = var.cross_account_external_id
+    kms_key_arn              = module.tecton.kms_key_arn
+  }
+
+  # Ensure S3 outputs are created after all other resources
+  depends_on_resources = [
+    module.tecton
+  ]
+}
diff --git a/modules/controlplane_rift/outputs.tf b/modules/controlplane_rift/outputs.tf
@@ -13,4 +13,20 @@ output "cross_account_external_id" {
 
 output "kms_key_arn" {
   value = module.tecton.kms_key_arn
+}
+
+# S3 outputs bucket information
+output "outputs_bucket_name" {
+  description = "Name of the S3 bucket storing module outputs"
+  value = module.s3_outputs.bucket_name
+}
+
+output "outputs_bucket_arn" {
+  description = "ARN of the S3 bucket storing module outputs"
+  value = module.s3_outputs.bucket_arn
+}
+
+output "outputs_s3_uri" {
+  description = "S3 URI of the outputs.json file"
+  value = module.s3_outputs.outputs_s3_uri
 }
diff --git a/modules/dataplane_rift/README.md b/modules/dataplane_rift/README.md
@@ -99,6 +99,9 @@ output "tecton" {
 | <a name="output_deployment_name"></a> [deployment\_name](#output\_deployment\_name) | Name of the Tecton deployment |
 | <a name="output_kms_key_arn"></a> [kms\_key\_arn](#output\_kms\_key\_arn) | ARN of the KMS key for encrypting data at rest |
 | <a name="output_nat_gateway_public_ips"></a> [nat\_gateway\_public\_ips](#output\_nat\_gateway\_public\_ips) | List of public IPs associated with NAT gateways in Rift VPC. Empty if existing\_vpc is provided as NATs are not managed by the module in that case. |
+| <a name="output_outputs_bucket_arn"></a> [outputs\_bucket\_arn](#output\_outputs\_bucket\_arn) | ARN of the S3 bucket storing module outputs |
+| <a name="output_outputs_bucket_name"></a> [outputs\_bucket\_name](#output\_outputs\_bucket\_name) | Name of the S3 bucket storing module outputs |
+| <a name="output_outputs_s3_uri"></a> [outputs\_s3\_uri](#output\_outputs\_s3\_uri) | S3 URI of the outputs.json file |
 | <a name="output_region"></a> [region](#output\_region) | Region of the Tecton deployment |
 | <a name="output_rift_compute_security_group_id"></a> [rift\_compute\_security\_group\_id](#output\_rift\_compute\_security\_group\_id) | Security Group ID for Rift compute instances |
 | <a name="output_vm_workload_subnet_ids"></a> [vm\_workload\_subnet\_ids](#output\_vm\_workload\_subnet\_ids) | List (comma-separated string) of subnet IDs for Rift compute instances |
diff --git a/modules/dataplane_rift/infrastructure.tf b/modules/dataplane_rift/infrastructure.tf
@@ -57,4 +57,33 @@ module "rift" {
   use_network_firewall = var.use_network_firewall
   # Domains can be extended as needed:
   additional_allowed_egress_domains = var.additional_allowed_egress_domains
+}
+
+# S3 module to store outputs
+module "s3_outputs" {
+  source          = "../s3_outputs"
+  deployment_name = var.deployment_name
+
+  control_plane_account_id = var.tecton_control_plane_account_id
+
+  outputs_data = {
+    deployment_name                = var.deployment_name
+    region                         = var.region
+    cross_account_role_arn         = module.tecton.cross_account_role_arn
+    cross_account_external_id      = var.cross_account_external_id
+    kms_key_arn                    = module.tecton.kms_key_arn
+    compute_manager_arn            = module.rift.compute_manager_arn
+    compute_instance_profile_arn   = module.rift.compute_instance_profile_arn
+    compute_arn                    = module.rift.compute_arn
+    vm_workload_subnet_ids         = module.rift.vm_workload_subnet_ids
+    anyscale_docker_target_repo    = module.rift.anyscale_docker_target_repo
+    nat_gateway_public_ips         = module.rift.nat_gateway_public_ips
+    rift_compute_security_group_id = module.rift.rift_compute_security_group_id
+  }
+
+  # Ensure S3 outputs are created after all other resources
+  depends_on_resources = [
+    module.tecton,
+    module.rift
+  ]
 }
diff --git a/modules/dataplane_rift/outputs.tf b/modules/dataplane_rift/outputs.tf
@@ -46,3 +46,19 @@ output "rift_compute_security_group_id" {
   description = "Security Group ID for Rift compute instances"
   value = module.rift.rift_compute_security_group_id
 }
+
+# S3 outputs bucket information
+output "outputs_bucket_name" {
+  description = "Name of the S3 bucket storing module outputs"
+  value = module.s3_outputs.bucket_name
+}
+
+output "outputs_bucket_arn" {
+  description = "ARN of the S3 bucket storing module outputs"
+  value = module.s3_outputs.bucket_arn
+}
+
+output "outputs_s3_uri" {
+  description = "S3 URI of the outputs.json file"
+  value = module.s3_outputs.outputs_s3_uri
+}
diff --git a/modules/s3_outputs/README.md b/modules/s3_outputs/README.md
@@ -0,0 +1,81 @@
+# S3 Outputs Module
+
+This shared sub-module creates an S3 bucket for each Tecton module and stores all module outputs as JSON files in that bucket.
+
+## Features
+
+- Creates a dedicated S3 bucket for each module
+- Stores outputs as `outputs.json` (latest) and timestamped files for versioning
+- Enables bucket versioning and encryption
+- Blocks public access for security
+
+## Usage
+
+Add this to your module's `infrastructure.tf` or `main.tf`:
+
+```hcl
+module "s3_outputs" {
+  source          = "../s3_outputs"
+  deployment_name = var.deployment_name
+  module_name     = "your-module-name"  # e.g., "dataplane-rift", "controlplane", etc.
+
+  outputs_data = {
+    # Include all outputs you want to store
+    deployment_name = var.deployment_name
+    region         = var.region
+    # ... add all other outputs from your outputs.tf
+  }
+
+  # Ensure S3 outputs are created after all other resources
+  depends_on_resources = [
+    # List all modules that should be created first
+    module.tecton,
+    module.rift
+  ]
+}
+```
+
+Then add these to your module's `outputs.tf`:
+
+```hcl
+# S3 outputs bucket information
+output "outputs_bucket_name" {
+  description = "Name of the S3 bucket storing module outputs"
+  value = module.s3_outputs.bucket_name
+}
+
+output "outputs_bucket_arn" {
+  description = "ARN of the S3 bucket storing module outputs"
+  value = module.s3_outputs.bucket_arn
+}
+
+output "outputs_s3_uri" {
+  description = "S3 URI of the outputs.json file"
+  value = module.s3_outputs.outputs_s3_uri
+}
+```
+
+<!-- BEGIN_TF_DOCS -->
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_control_plane_account_id"></a> [control\_plane\_account\_id](#input\_control\_plane\_account\_id) | AWS account ID of the control plane | `string` | n/a | yes |
+| <a name="input_depends_on_resources"></a> [depends\_on\_resources](#input\_depends\_on\_resources) | List of resources that must be created before writing outputs | `list(any)` | `[]` | no |
+| <a name="input_deployment_name"></a> [deployment\_name](#input\_deployment\_name) | Name of the Tecton deployment | `string` | n/a | yes |
+| <a name="input_outputs_data"></a> [outputs\_data](#input\_outputs\_data) | Map of outputs data to store in S3 | `map(any)` | n/a | yes |
+| <a name="input_tags"></a> [tags](#input\_tags) | Additional tags to apply to resources | `map(string)` | `{}` | no |  
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_bucket_arn"></a> [bucket\_arn](#output\_bucket\_arn) | ARN of the S3 bucket storing outputs |
+| <a name="output_bucket_name"></a> [bucket\_name](#output\_bucket\_name) | Name of the S3 bucket storing outputs |
+| <a name="output_outputs_s3_uri"></a> [outputs\_s3\_uri](#output\_outputs\_s3\_uri) | S3 URI of the outputs.json file |
+<!-- END_TF_DOCS -->
diff --git a/modules/s3_outputs/main.tf b/modules/s3_outputs/main.tf
@@ -0,0 +1,93 @@
+# S3 bucket for storing module outputs
+resource "aws_s3_bucket" "outputs" {
+  bucket = "${var.deployment_name}-tecton-outputs"
+
+  tags = merge(var.tags, {
+    Name = "${var.deployment_name}-tecton-outputs"
+    Purpose = "TectonModuleOutputs"
+  })
+}
+
+# Bucket policy to allow control plane to read outputs
+resource "aws_s3_bucket_policy" "outputs" {
+  bucket = aws_s3_bucket.outputs.id
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Principal = {
+          AWS = "arn:aws:iam::${var.control_plane_account_id}:root"
+        }
+        Action = [
+          "s3:ListBucket"
+        ]
+        Resource = "arn:aws:s3:::${aws_s3_bucket.outputs.id}"
+      },
+      {
+        Effect = "Allow"
+        Principal = {
+          AWS = "arn:aws:iam::${var.control_plane_account_id}:root"
+        }
+        Action = [
+          "s3:GetObject",
+          "s3:GetObjectVersion"
+        ]
+        Resource = "arn:aws:s3:::${aws_s3_bucket.outputs.id}/*"
+      }
+    ]
+  })
+  depends_on = [aws_s3_bucket.outputs]
+}
+
+resource "aws_s3_bucket_versioning" "outputs" {
+  bucket = aws_s3_bucket.outputs.id
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "outputs" {
+  bucket = aws_s3_bucket.outputs.id
+
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm = "AES256"
+    }
+  }
+}
+
+resource "aws_s3_bucket_public_access_block" "outputs" {
+  bucket = aws_s3_bucket.outputs.id
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+# Store the outputs as JSON in S3
+resource "aws_s3_object" "outputs_json" {
+  bucket       = aws_s3_bucket.outputs.id
+  key          = "outputs.json"
+  content      = jsonencode(var.outputs_data)
+  content_type = "application/json"
+
+  # Ensure outputs are written after resources are created
+  depends_on = [var.depends_on_resources]
+
+  tags = var.tags
+}
+
+# Store outputs with timestamp for versioning
+resource "aws_s3_object" "outputs_timestamped" {
+  bucket       = aws_s3_bucket.outputs.id
+  key          = "outputs-${formatdate("YYYY-MM-DD-hhmm", timestamp())}.json"
+  content      = jsonencode(var.outputs_data)
+  content_type = "application/json"
+
+  # Ensure outputs are written after resources are created
+  depends_on = [var.depends_on_resources]
+
+  tags = var.tags
+} 
diff --git a/modules/s3_outputs/outputs.tf b/modules/s3_outputs/outputs.tf
@@ -0,0 +1,14 @@
+output "bucket_name" {
+  description = "Name of the S3 bucket storing outputs"
+  value       = aws_s3_bucket.outputs.bucket
+}
+
+output "bucket_arn" {
+  description = "ARN of the S3 bucket storing outputs"
+  value       = aws_s3_bucket.outputs.arn
+}
+
+output "outputs_s3_uri" {
+  description = "S3 URI of the outputs.json file"
+  value       = "s3://${aws_s3_bucket.outputs.bucket}/outputs.json"
+}
diff --git a/modules/s3_outputs/variables.tf b/modules/s3_outputs/variables.tf
@@ -0,0 +1,26 @@
+variable "deployment_name" {
+  description = "Name of the Tecton deployment"
+  type        = string
+}
+
+variable "outputs_data" {
+  description = "Map of outputs data to store in S3"
+  type        = map(any)
+}
+
+variable "tags" {
+  description = "Additional tags to apply to resources"
+  type        = map(string)
+  default     = {}
+}
+
+variable "depends_on_resources" {
+  description = "List of resources that must be created before writing outputs"
+  type        = list(any)
+  default     = []
+}
+
+variable "control_plane_account_id" {
+  description = "AWS account ID of the control plane"
+  type        = string
+}
