Update Airflow Module (#413)

ManagedKube · Mar 10, 2023 · b28342f · b28342f
1 parent c898562
commit b28342f
Show file tree

Hide file tree

Showing 2 changed files with 51 additions and 2 deletions.
diff --git a/terraform-modules/aws/airflow/main.tf b/terraform-modules/aws/airflow/main.tf
@@ -1,12 +1,50 @@
+resource "aws_s3_bucket" "airflow" {
+  bucket = var.source_bucket_name
+  tags   = var.tags
+}
+
+resource "aws_s3_bucket_versioning" "this" {
+  bucket = aws_s3_bucket.airflow.id
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
+
+resource "aws_s3_bucket_acl" "this" {
+  bucket = aws_s3_bucket.airflow.id
+  acl    = "private"
+}
+
+# Using the default AWS KMS master key
+resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
+  bucket = aws_s3_bucket.airflow.bucket
+
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm     = "AES256" #"aws:kms"
+    }
+  }
+}
+
+resource "aws_s3_bucket_public_access_block" "this" {
+  bucket = aws_s3_bucket.airflow.id
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
 resource "aws_mwaa_environment" "this" {
   name               = var.airflow_name
   airflow_version    = var.airflow_version
   environment_class  = var.environment_class
   max_workers        = var.max_workers
   min_workers        = var.min_workers
-  source_bucket_arn  = var.source_bucket_arn
+  source_bucket_arn  = aws_s3_bucket.airflow.arn
   dag_s3_path        = var.dag_s3_path
   execution_role_arn = module.iam_assumable_role_admin.iam_role_arn
+  webserver_access_mode = var.webserver_access_mode
 
   logging_configuration {
     dag_processing_logs {
@@ -47,7 +85,7 @@ data "aws_caller_identity" "current" {}
 
 module "iam_assumable_role_admin" {
   source                        = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
-  version                       = "4.14.0"
+  version                       = "5.11.2"
 
   create_role             = true
   role_name               = "airflow-${var.airflow_name}"

diff --git a/terraform-modules/aws/airflow/variables.tf b/terraform-modules/aws/airflow/variables.tf
@@ -101,4 +101,15 @@ variable "worker_log_level" {
   type        = string
   default     = "INFO"
   description = "The log level: INFO | WARNING | ERROR | CRITICAL"
+}
+
+variable "webserver_access_mode" {
+  description = "(Optional) Specifies whether the webserver should be accessible over the internet or via your specified VPC. Possible options: PRIVATE_ONLY (default) and PUBLIC_ONLY"
+  type        = string
+  default     = "PRIVATE_ONLY"
+
+  validation {
+    condition     = contains(["PRIVATE_ONLY", "PUBLIC_ONLY"], var.webserver_access_mode)
+    error_message = "Invalid input, options: \"PRIVATE_ONLY\", \"PUBLIC_ONLY\"."
+  }
 }