From 0c27914a7c4efe22f6f1d528f0e58eb229ac0baf Mon Sep 17 00:00:00 2001
From: Julien Dessaux
Date: Wed, 9 Jul 2025 00:32:50 +0200
Subject: [PATCH] feat(module): add provisioning of the AWS IAM user access key to a Forgejo runner repository's secret and variable
---
 CHANGELOG.md | 6 ++++++
 README.md | 6 +++++-
 infrastructure/tofu/.terraform.lock.hcl | 17 +++++++++++++++++
 infrastructure/tofu/main.tf | 6 +++++-
 infrastructure/tofu/providers.tf | 8 ++++++++
 main.tf | 14 ++++++++++++++
 providers.tf | 3 +++
 variables.tf | 9 +++++++++
 8 files changed, 67 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4badb7b..7cec4f1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,12 @@ All notable changes to this project will be documented in this file.
+## 1.1.0 - 2025-07-09
+
+### Added
+
+- Added provisioning of the AWS IAM user access key to a Forgejo runner repository's secret and variable.
+
 ## 1.0.1 - 2025-04-12
 ### Changed
diff --git a/README.md b/README.md
index 639d34b..3f71fa8 100644
--- a/README.md
+++ b/README.md
@@ -10,7 +10,7 @@ and continuous integration tasks on AWS.
 ``` hcl
 module "aws_iam_ci_user" {
- source = "git::ssh://git@git.adyxax.org/adyxax/tofu-module-aws-iam-ci-user?depth=1&ref=1.0.1"
+ source = "git::ssh://git@git.adyxax.org/adyxax/tofu-module-aws-iam-ci-user?depth=1&ref=1.1.0"
 core_policy_statements = jsonencode([
 {
@@ -19,6 +19,10 @@ module "aws_iam_ci_user" {
 Resource = "*"
 }
 ])
+ forgejo_repository = {
+ name = local.name
+ owner = "adyxax"
+ }
 name = local.name
 tests_policy_statements = jsonencode([
 {
diff --git a/infrastructure/tofu/.terraform.lock.hcl b/infrastructure/tofu/.terraform.lock.hcl
index 9ee3c83..ca609ef 100644
--- a/infrastructure/tofu/.terraform.lock.hcl
+++ b/infrastructure/tofu/.terraform.lock.hcl
@@ -1,6 +1,23 @@ # This file is maintained automatically by "tofu init". # Manual edits may be lost in future updates. +provider "registry.opentofu.org/adyxax/forgejo" { + version = "1.1.0" + constraints = "1.1.0" + hashes = [ + "h1:xa2K1rn2OzQofizev01UBKEgq4WHo3EM5/fiPCxFL/E=", + "zh:0a9fb11ae6b14abca1a5376b3c83182586e8735e67aa863b223737af1edb9802", + "zh:16a86c5a4b394f04ab14992b15ee812daee38c88570a6431a9dd7c0b961c3166", + "zh:2c2f2703fad8d682d74832ea650cb58efbaf7b63e67c57f4344561ab529c81de", + "zh:38326430e210fb899981a5d99b3dd17f0040356ef1879e0a3fe96c9d13d27b4b", + "zh:7757c16957287f8e1cca39d349d5c219fc31ef8ce55b60db9f83099e10cd3a93", + "zh:890df766e9b839623b1f0437355032a3c006226a6c200cd911e15ee1a9014e9f", + "zh:b91bd40d90199ff8c811e241f94931a540d571807743dcd9768625d177c38e29", + "zh:efb6d4c30e3412a727c63af9d04ed4b24dfdde251d18343d62a45ae967e4f6ab", + "zh:f5357ef185a3183f01555371602471aeadc340a16b1f1355e706fedbfd1f9dad", + ] +} + provider "registry.opentofu.org/hashicorp/aws" { version = "5.91.0" constraints = "5.91.0" diff --git a/infrastructure/tofu/main.tf b/infrastructure/tofu/main.tf index 73d7556..315bc92 100644 --- a/infrastructure/tofu/main.tf +++ b/infrastructure/tofu/main.tf @@ -8,7 +8,11 @@ module "aws_iam_ci_user" { aws.root = aws.all["root"] aws.tests = aws.all["tests"] } - source = "git::ssh://git@git.adyxax.org/adyxax/tofu-module-aws-iam-ci-user?depth=1&ref=1.0.1" + source = "git::ssh://git@git.adyxax.org/adyxax/tofu-module-aws-iam-ci-user?depth=1&ref=1.1.0" + forgejo_repository = { + name = local.name + owner = "adyxax" + } name = local.name } diff --git a/infrastructure/tofu/providers.tf b/infrastructure/tofu/providers.tf index 8b42979..a55c202 100644 --- a/infrastructure/tofu/providers.tf +++ b/infrastructure/tofu/providers.tf @@ -11,6 +11,10 @@ terraform { source = "hashicorp/aws" version = "5.91.0" } + forgejo = { + source = "adyxax/forgejo" + version = "1.1.0" + } } } 
@@ -22,3 +26,7 @@ provider "aws" {
 profile = each.key
 region = "eu-west-3"
 }
+
+provider "forgejo" {
+ base_uri = "https://git.adyxax.org/"
+}
diff --git a/main.tf b/main.tf
index cabed22..f9d2817 100644
--- a/main.tf
+++ b/main.tf
@@ -44,3 +44,17 @@ module "aws_iam_user" {
 assume_role_account_names = ["core", "tests"]
 name = var.name
 }
+
+resource "forgejo_repository_actions_secret" "aws_iam_user" {
+ data = module.aws_iam_user.access_key_secret
+ name = "AWS_ACCESS_KEY_SECRET"
+ owner = var.forgejo_repository.owner
+ repository = var.forgejo_repository.name
+}
+
+resource "forgejo_repository_actions_variable" "aws_iam_user" {
+ data = module.aws_iam_user.access_key_id
+ name = "AWS_ACCESS_KEY_ID"
+ owner = var.forgejo_repository.owner
+ repository = var.forgejo_repository.name
+}
diff --git a/providers.tf b/providers.tf
index da38d32..2f656e5 100644
--- a/providers.tf
+++ b/providers.tf
@@ -4,5 +4,8 @@ terraform {
 configuration_aliases = [aws.core, aws.root, aws.tests]
 source = "hashicorp/aws"
 }
+ forgejo = {
+ source = "adyxax/forgejo"
+ }
 }
 }
diff --git a/variables.tf b/variables.tf
index 3e4c100..54633ca 100644
--- a/variables.tf
+++ b/variables.tf
@@ -11,6 +11,15 @@ variable "name" {
 type = string
 }
+variable "forgejo_repository" {
+ description = "The Forgejo's repository information the IAM user's access key will be provisioned to."
+ nullable = false
+ type = object({
+ name = string
+ owner = string
+ })
+}
+
 variable "tests_policy_statements" {
 default = "[]"
 description = "The JSON encoded list of AWS policy statements for the role in the tests AWS account."
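Review bot: The new `provider "forgejo"` block at the end of this hunk carries only `base_uri`, so the API token it authenticates with has to come from somewhere outside this file — presumably an environment variable the provider reads — and nothing here tells the next maintainer where to look. The `aws` provider block just above it makes its credential source explicit with `profile = each.key`, so a one-line comment in the same spirit would keep the two readable side by side, e.g. `# API token is supplied out of band (see the provider's documentation), never from this file.` The exact variable name the provider expects is not visible on this page, so check it against the provider docs before writing it into the comment.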
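Review bot: The secret resource in the `main.tf` hunk publishes the secret access key under `name = "AWS_ACCESS_KEY_SECRET"`, which is not `AWS_SECRET_ACCESS_KEY`, the environment variable the AWS SDKs and CLI actually read, while its sibling variable already uses the canonical `AWS_ACCESS_KEY_ID`; naming the secret `AWS_SECRET_ACCESS_KEY` lets a workflow map both with the same name on each side and is a one-line change: `name = "AWS_SECRET_ACCESS_KEY"`. Since 1.1.0 is the first release that ships this secret, renaming it now costs nothing, whereas renaming it later breaks every workflow that references it. Separately, the secret access key now passes through this module's state as a plain resource argument (`data = module.aws_iam_user.access_key_secret`), so the state backend effectively holds a long-lived AWS credential; whether the provider marks `data` as sensitive so it is redacted from plan output cannot be told from this page, and a short comment above the secret resource saying that the state must be protected accordingly would help consumers. Exposing the key id as a non-secret repository variable is presumably deliberate, since it is an identifier rather than a credential, but it is readable by anyone who can list the repository's variables, which is worth stating in the same comment.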
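Review bot: The new `forgejo` entry in `required_providers` (the `providers.tf` hunk) has no `version` constraint, so nothing stops the module from being initialised against an older `adyxax/forgejo` release that lacks `forgejo_repository_actions_secret` and `forgejo_repository_actions_variable`, and the failure would only surface at plan time. The infrastructure directory in this same commit pins `1.1.0`; if that is the earliest release exposing these two resources, a lower bound here, `version = ">= 1.1.0"`, documents the requirement and turns the mismatch into an `init` error instead. The existing `aws` entry is unconstrained too, so leaving it as is would be consistent with the file's current style; this is a suggestion rather than a blocker.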
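Review bot: `forgejo_repository` in the `variables.tf` hunk is declared with `nullable = false` and no `default`, which makes the Forgejo side mandatory for every consumer of this module: anyone on 1.0.1 who does not want the key copied into a Forgejo repository cannot upgrade, so this is a breaking change despite the minor version bump and the changelog's "Added" wording. If the module is meant to stay usable without Forgejo, make the variable optional, `default = null` with `nullable = true` (or simply drop the `nullable` line), and guard both new resources in `main.tf` with `count = var.forgejo_repository == null ? 0 : 1`; consumers would presumably still need the provider installed, so say so in the description. The description would also read more naturally as `The Forgejo repository (owner and name) the IAM user's access key will be provisioned to.`, as "The Forgejo's repository information" is hard to parse.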