From e2691f89e7a6e5f79e5c4d5d7d9f66c1669bf7f5 Mon Sep 17 00:00:00 2001
From: Julien Dessaux
Date: Thu, 10 Apr 2025 23:46:01 +0200
Subject: [PATCH] feat(module): initial import
---
 .forgejo/workflows/main.yaml | 16 ++
 .gitignore | 2 +
 CHANGELOG.md | 9 +
 LICENSE | 287 ++++++++++++++++++++++++
 README.md | 31 +++
 infrastructure/tofu/.gitignore | 1 +
 infrastructure/tofu/.terraform.lock.hcl | 21 ++
 infrastructure/tofu/main.tf | 50 +++++
 infrastructure/tofu/providers.tf | 24 ++
 main.tf | 46 ++++
 main.tftest.hcl | 28 +++
 outputs.tf | 11 +
 providers.tf | 8 +
 variables.tf | 19 ++
 14 files changed, 553 insertions(+)
 create mode 100644 .forgejo/workflows/main.yaml
 create mode 100644 .gitignore
 create mode 100644 CHANGELOG.md
 create mode 100644 LICENSE
 create mode 100644 README.md
 create mode 100644 infrastructure/tofu/.gitignore
 create mode 100644 infrastructure/tofu/.terraform.lock.hcl
 create mode 100644 infrastructure/tofu/main.tf
 create mode 100644 infrastructure/tofu/providers.tf
 create mode 100644 main.tf
 create mode 100644 main.tftest.hcl
 create mode 100644 outputs.tf
 create mode 100644 providers.tf
 create mode 100644 variables.tf
diff --git a/.forgejo/workflows/main.yaml b/.forgejo/workflows/main.yaml
new file mode 100644
index 0000000..2e4bd1f
--- /dev/null
+++ b/.forgejo/workflows/main.yaml
@@ -0,0 +1,16 @@
+---
+name: 'main'
+
+on:
+ push:
+ workflow_dispatch:
+
+jobs:
+ test:
+ runs-on: 'self-hosted'
+ steps:
+ - uses: 'actions/checkout@v4'
+ - uses: "https://git.adyxax.org/adyxax/action-tofu-aws-test@1.0.0"
+ with:
+ aws-access-key-id: "${{ vars.AWS_ACCESS_KEY_ID }}"
+ aws-access-key-secret: "${{ secrets.AWS_ACCESS_KEY_SECRET }}"
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..a49b9cf
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+.terraform.lock.hcl
+.terraform/
diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 0000000..d511684
--- /dev/null
+++ b/CHANGELOG.md
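Review bot: The step `- uses: "https://git.adyxax.org/adyxax/action-tofu-aws-test@1.0.0"` receives the long-lived AWS credentials passed through `with:` (`vars.AWS_ACCESS_KEY_ID`, `secrets.AWS_ACCESS_KEY_SECRET`) but is pinned by a tag, and tags are mutable, so anyone who can move `1.0.0` on that repository can run their code with those keys; pin the action to a commit hash and keep the version as a comment, e.g. `- uses: "https://git.adyxax.org/adyxax/action-tofu-aws-test@<commit-sha>" # 1.0.0`. The same reasoning applies to `actions/checkout@v4`. Separately, `on: push:` has no `branches:` filter, so a push to any branch runs the tests against the real AWS accounts with those credentials; if that is intended, a one-line comment above `on:` saying so would save the next reader from second-guessing it.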
@@ -0,0 +1,9 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+## 1.0.0 - 2025-04-11
+
+### Added
+
+- initial import
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..4153cd3
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,287 @@ + EUROPEAN UNION PUBLIC LICENCE v. 1.2 + EUPL © the European Union 2007, 2016 + +This European Union Public Licence (the ‘EUPL’) applies to the Work (as defined +below) which is provided under the terms of this Licence. Any use of the Work, +other than as authorised under this Licence is prohibited (to the extent such +use is covered by a right of the copyright holder of the Work). + +The Work is provided under the terms of this Licence when the Licensor (as +defined below) has placed the following notice immediately following the +copyright notice for the Work: + + Licensed under the EUPL + +or has expressed by any other means his willingness to license under the EUPL. + +1. Definitions + +In this Licence, the following terms have the following meaning: + +- ‘The Licence’: this Licence. + +- ‘The Original Work’: the work or software distributed or communicated by the + Licensor under this Licence, available as Source Code and also as Executable + Code as the case may be. + +- ‘Derivative Works’: the works or software that could be created by the + Licensee, based upon the Original Work or modifications thereof. This Licence + does not define the extent of modification or dependence on the Original Work + required in order to classify a work as a Derivative Work; this extent is + determined by copyright law applicable in the country mentioned in Article 15. + +- ‘The Work’: the Original Work or its Derivative Works. + +- ‘The Source Code’: the human-readable form of the Work which is the most + convenient for people to study and modify. + +- ‘The Executable Code’: any code which has generally been compiled and which is + meant to be interpreted by a computer as a program. + +- ‘The Licensor’: the natural or legal person that distributes or communicates + the Work under the Licence. + +- ‘Contributor(s)’: any natural or legal person who modifies the Work under the + Licence, or otherwise contributes to the creation of a Derivative Work. 
+ +- ‘The Licensee’ or ‘You’: any natural or legal person who makes any usage of + the Work under the terms of the Licence. + +- ‘Distribution’ or ‘Communication’: any act of selling, giving, lending, + renting, distributing, communicating, transmitting, or otherwise making + available, online or offline, copies of the Work or providing access to its + essential functionalities at the disposal of any other natural or legal + person. + +2. Scope of the rights granted by the Licence + +The Licensor hereby grants You a worldwide, royalty-free, non-exclusive, +sublicensable licence to do the following, for the duration of copyright vested +in the Original Work: + +- use the Work in any circumstance and for all usage, +- reproduce the Work, +- modify the Work, and make Derivative Works based upon the Work, +- communicate to the public, including the right to make available or display + the Work or copies thereof to the public and perform publicly, as the case may + be, the Work, +- distribute the Work or copies thereof, +- lend and rent the Work or copies thereof, +- sublicense rights in the Work or copies thereof. + +Those rights can be exercised on any media, supports and formats, whether now +known or later invented, as far as the applicable law permits so. + +In the countries where moral rights apply, the Licensor waives his right to +exercise his moral right to the extent allowed by law in order to make effective +the licence of the economic rights here above listed. + +The Licensor grants to the Licensee royalty-free, non-exclusive usage rights to +any patents held by the Licensor, to the extent necessary to make use of the +rights granted on the Work under this Licence. + +3. Communication of the Source Code + +The Licensor may provide the Work either in its Source Code form, or as +Executable Code. 
If the Work is provided as Executable Code, the Licensor +provides in addition a machine-readable copy of the Source Code of the Work +along with each copy of the Work that the Licensor distributes or indicates, in +a notice following the copyright notice attached to the Work, a repository where +the Source Code is easily and freely accessible for as long as the Licensor +continues to distribute or communicate the Work. + +4. Limitations on copyright + +Nothing in this Licence is intended to deprive the Licensee of the benefits from +any exception or limitation to the exclusive rights of the rights owners in the +Work, of the exhaustion of those rights or of other applicable limitations +thereto. + +5. Obligations of the Licensee + +The grant of the rights mentioned above is subject to some restrictions and +obligations imposed on the Licensee. Those obligations are the following: + +Attribution right: The Licensee shall keep intact all copyright, patent or +trademarks notices and all notices that refer to the Licence and to the +disclaimer of warranties. The Licensee must include a copy of such notices and a +copy of the Licence with every copy of the Work he/she distributes or +communicates. The Licensee must cause any Derivative Work to carry prominent +notices stating that the Work has been modified and the date of modification. + +Copyleft clause: If the Licensee distributes or communicates copies of the +Original Works or Derivative Works, this Distribution or Communication will be +done under the terms of this Licence or of a later version of this Licence +unless the Original Work is expressly distributed only under this version of the +Licence — for example by communicating ‘EUPL v. 1.2 only’. The Licensee +(becoming Licensor) cannot offer or impose any additional terms or conditions on +the Work or Derivative Work that alter or restrict the terms of the Licence. 
+ +Compatibility clause: If the Licensee Distributes or Communicates Derivative +Works or copies thereof based upon both the Work and another work licensed under +a Compatible Licence, this Distribution or Communication can be done under the +terms of this Compatible Licence. For the sake of this clause, ‘Compatible +Licence’ refers to the licences listed in the appendix attached to this Licence. +Should the Licensee's obligations under the Compatible Licence conflict with +his/her obligations under this Licence, the obligations of the Compatible +Licence shall prevail. + +Provision of Source Code: When distributing or communicating copies of the Work, +the Licensee will provide a machine-readable copy of the Source Code or indicate +a repository where this Source will be easily and freely available for as long +as the Licensee continues to distribute or communicate the Work. + +Legal Protection: This Licence does not grant permission to use the trade names, +trademarks, service marks, or names of the Licensor, except as required for +reasonable and customary use in describing the origin of the Work and +reproducing the content of the copyright notice. + +6. Chain of Authorship + +The original Licensor warrants that the copyright in the Original Work granted +hereunder is owned by him/her or licensed to him/her and that he/she has the +power and authority to grant the Licence. + +Each Contributor warrants that the copyright in the modifications he/she brings +to the Work are owned by him/her or licensed to him/her and that he/she has the +power and authority to grant the Licence. + +Each time You accept the Licence, the original Licensor and subsequent +Contributors grant You a licence to their contributions to the Work, under the +terms of this Licence. + +7. Disclaimer of Warranty + +The Work is a work in progress, which is continuously improved by numerous +Contributors. 
It is not a finished work and may therefore contain defects or +‘bugs’ inherent to this type of development. + +For the above reason, the Work is provided under the Licence on an ‘as is’ basis +and without warranties of any kind concerning the Work, including without +limitation merchantability, fitness for a particular purpose, absence of defects +or errors, accuracy, non-infringement of intellectual property rights other than +copyright as stated in Article 6 of this Licence. + +This disclaimer of warranty is an essential part of the Licence and a condition +for the grant of any rights to the Work. + +8. Disclaimer of Liability + +Except in the cases of wilful misconduct or damages directly caused to natural +persons, the Licensor will in no event be liable for any direct or indirect, +material or moral, damages of any kind, arising out of the Licence or of the use +of the Work, including without limitation, damages for loss of goodwill, work +stoppage, computer failure or malfunction, loss of data or any commercial +damage, even if the Licensor has been advised of the possibility of such damage. +However, the Licensor will be liable under statutory product liability laws as +far such laws apply to the Work. + +9. Additional agreements + +While distributing the Work, You may choose to conclude an additional agreement, +defining obligations or services consistent with this Licence. However, if +accepting obligations, You may act only on your own behalf and on your sole +responsibility, not on behalf of the original Licensor or any other Contributor, +and only if You agree to indemnify, defend, and hold each Contributor harmless +for any liability incurred by, or claims asserted against such Contributor by +the fact You have accepted any warranty or additional liability. + +10. 
Acceptance of the Licence + +The provisions of this Licence can be accepted by clicking on an icon ‘I agree’ +placed under the bottom of a window displaying the text of this Licence or by +affirming consent in any other similar way, in accordance with the rules of +applicable law. Clicking on that icon indicates your clear and irrevocable +acceptance of this Licence and all of its terms and conditions. + +Similarly, you irrevocably accept this Licence and all of its terms and +conditions by exercising any rights granted to You by Article 2 of this Licence, +such as the use of the Work, the creation by You of a Derivative Work or the +Distribution or Communication by You of the Work or copies thereof. + +11. Information to the public + +In case of any Distribution or Communication of the Work by means of electronic +communication by You (for example, by offering to download the Work from a +remote location) the distribution channel or media (for example, a website) must +at least provide to the public the information requested by the applicable law +regarding the Licensor, the Licence and the way it may be accessible, concluded, +stored and reproduced by the Licensee. + +12. Termination of the Licence + +The Licence and the rights granted hereunder will terminate automatically upon +any breach by the Licensee of the terms of the Licence. + +Such a termination will not terminate the licences of any person who has +received the Work from the Licensee under the Licence, provided such persons +remain in full compliance with the Licence. + +13. Miscellaneous + +Without prejudice of Article 9 above, the Licence represents the complete +agreement between the Parties as to the Work. + +If any provision of the Licence is invalid or unenforceable under applicable +law, this will not affect the validity or enforceability of the Licence as a +whole. Such provision will be construed or reformed so as necessary to make it +valid and enforceable. 
+ +The European Commission may publish other linguistic versions or new versions of +this Licence or updated versions of the Appendix, so far this is required and +reasonable, without reducing the scope of the rights granted by the Licence. New +versions of the Licence will be published with a unique version number. + +All linguistic versions of this Licence, approved by the European Commission, +have identical value. Parties can take advantage of the linguistic version of +their choice. + +14. Jurisdiction + +Without prejudice to specific agreement between parties, + +- any litigation resulting from the interpretation of this License, arising + between the European Union institutions, bodies, offices or agencies, as a + Licensor, and any Licensee, will be subject to the jurisdiction of the Court + of Justice of the European Union, as laid down in article 272 of the Treaty on + the Functioning of the European Union, + +- any litigation arising between other parties and resulting from the + interpretation of this License, will be subject to the exclusive jurisdiction + of the competent court where the Licensor resides or conducts its primary + business. + +15. Applicable Law + +Without prejudice to specific agreement between parties, + +- this Licence shall be governed by the law of the European Union Member State + where the Licensor has his seat, resides or has his registered office, + +- this licence shall be governed by Belgian law if the Licensor has no seat, + residence or registered office inside a European Union Member State. + +Appendix + +‘Compatible Licences’ according to Article 5 EUPL are: + +- GNU General Public License (GPL) v. 2, v. 3 +- GNU Affero General Public License (AGPL) v. 3 +- Open Software License (OSL) v. 2.1, v. 3.0 +- Eclipse Public License (EPL) v. 1.0 +- CeCILL v. 2.0, v. 2.1 +- Mozilla Public Licence (MPL) v. 2 +- GNU Lesser General Public Licence (LGPL) v. 2.1, v. 3 +- Creative Commons Attribution-ShareAlike v. 
3.0 Unported (CC BY-SA 3.0) for
+ works other than software
+- European Union Public Licence (EUPL) v. 1.1, v. 1.2
+- Québec Free and Open-Source Licence — Reciprocity (LiLiQ-R) or Strong
+ Reciprocity (LiLiQ-R+).
+
+The European Commission may update this Appendix to later versions of the above
+licences without producing a new version of the EUPL, as long as they provide
+the rights granted in Article 2 of this Licence and protect the covered Source
+Code from exclusive appropriation.
+
+All other changes or additions to this Appendix require the production of a new
+EUPL version.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..bff3aa4
--- /dev/null
+++ b/README.md
@@ -0,0 +1,31 @@
+# AWS IAM CI user
+
+This module creates and manages an IAM user in a root AWS account and its
+corresponding roles in sub-accounts.
+
+It provides a default set of policies allowing my Forgejo workflows to run tests
+and continuous integration tasks on AWS.
+
+## Usage example
+
+``` hcl
+module "aws_iam_ci_user" {
+ source = "git::ssh://git@git.adyxax.org/adyxax/tofu-module-aws-iam-ci-user?depth=1&ref=1.0.0"
+
+ core_policy_statements = jsonencode([
+ {
+ Action = "route53:*"
+ Effect = "Allow"
+ Resource = "*"
+ }
+ ])
+ name = local.name
+ tests_policy_statements = jsonencode([
+ {
+ Action = "acm:*"
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ])
+}
+```
diff --git a/infrastructure/tofu/.gitignore b/infrastructure/tofu/.gitignore
new file mode 100644
index 0000000..a8c8222
--- /dev/null
+++ b/infrastructure/tofu/.gitignore
@@ -0,0 +1 @@
+!.terraform.lock.hcl
diff --git a/infrastructure/tofu/.terraform.lock.hcl b/infrastructure/tofu/.terraform.lock.hcl
new file mode 100644
index 0000000..9ee3c83
--- /dev/null
+++ b/infrastructure/tofu/.terraform.lock.hcl
@@ -0,0 +1,21 @@
+# This file is maintained automatically by "tofu init".
+# Manual edits may be lost in future updates.
+
+provider "registry.opentofu.org/hashicorp/aws" {
+ version = "5.91.0"
+ constraints = "5.91.0"
+ hashes = [
+ "h1:g+uDHz6bZ36QaxoKWmJEYGh7OP5RAE5MPbxLohzcU18=",
+ "h1:qw1Sp5py+7rRwzHgHNJvgYTeTkBnPHY7WercO1BsOh0=",
+ "zh:057e6cb85e3efe2c30ef5ca47cc47abc8217e2e0dddce2e92a8d2d6f18b6cee6",
+ "zh:0f15d3f599e07307ac9771c602dcaaf0c46dd259649da985cb3cb80a7a647cea",
+ "zh:187086070cc878ab0a27163939516983e3efae65ebff78dc3466619cdf978dee",
+ "zh:67a58fc85c630bcc6c772f573813caabe6c9af291c71c7207590fc4792e4d94e",
+ "zh:68abb9382928ce29c0f3dd9a75b41ad2a453f3a46330f484d1ea858589146c1b",
+ "zh:772134ba713e879e5b70d614d08a6650f156e7a3fa724d538bfa85632b1ed639",
+ "zh:bf67439e47cf6720dcec7a1e2988d6c10c56d7eea69bb1ecff1b22d6bb63a36d",
+ "zh:bfd0b91dc4ae338eb79ec41bede5eed7a0740380bffbdfbda362f7ed08e0e2ad",
+ "zh:ca3c3313cd4971850da45ce4337b027a804389db740c310ba637bc0a86775eef",
+ "zh:d75a8ec54a4783c25cb806b887f0d3c67cded08db8c496fd9cf831791e4c8482",
+ ]
+}
diff --git a/infrastructure/tofu/main.tf b/infrastructure/tofu/main.tf
new file mode 100644
index 0000000..ba9cd0a
--- /dev/null
+++ b/infrastructure/tofu/main.tf
@@ -0,0 +1,50 @@
+locals {
+ name = "tofu-module-aws-iam-ci-user"
+}
+
+module "aws_iam_ci_user" {
+ providers = {
+ aws.core = aws.all["core"]
+ aws.root = aws.all["root"]
+ aws.tests = aws.all["tests"]
+ }
+ source = "git::ssh://git@git.adyxax.org/adyxax/tofu-module-aws-iam-ci-user?depth=1&ref=1.0.0"
+
+ core_policy_statements = jsonencode([
+ {
+ Action = "iam:*"
+ Effect = "Allow"
+ Resource = "arn:aws:iam::*:role/tftest"
+ },
+ ])
+ name = local.name
+ tests_policy_statements = jsonencode([{
+ Action = "iam:*"
+ Effect = "Allow"
+ Resource = "arn:aws:iam::*:role/tftest",
+ }])
+}
+
+resource "aws_iam_policy" "tftest" {
+ provider = aws.all["root"]
+
+ name = "${local.name}-tftest"
+ policy = jsonencode({
+ Statement = [{
+ Action = "iam:*"
+ Effect = "Allow"
+ Resource = [
+ "arn:aws:iam::*:user/tftest",
+ "arn:aws:iam::*:policy/${local.name}-tftest",
+ ]
+ }]
+ Version = "2012-10-17"
+ })
+}
+
+resource "aws_iam_user_policy_attachment" "tftest" {
+ provider = aws.all["root"]
+
+ policy_arn = aws_iam_policy.tftest.arn
+ user = local.name
+}
diff --git a/infrastructure/tofu/providers.tf b/infrastructure/tofu/providers.tf
new file mode 100644
index 0000000..8b42979
--- /dev/null
+++ b/infrastructure/tofu/providers.tf
@@ -0,0 +1,24 @@
+terraform {
+ backend "s3" {
+ bucket = "adyxax-tofu-states"
+ dynamodb_table = "tofu-states"
+ key = "repositories/${local.name}"
+ profile = "core"
+ region = "eu-west-3"
+ }
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "5.91.0"
+ }
+ }
+}
+
+provider "aws" {
+ for_each = toset(["core", "root", "tests"])
+
+ alias = "all"
+ default_tags { tags = { "managed-by" = "tofu" } }
+ profile = each.key
+ region = "eu-west-3"
+}
diff --git a/main.tf b/main.tf
new file mode 100644
index 0000000..e5adc9e
--- /dev/null
+++ b/main.tf
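Review bot: The `aws_iam_policy.tftest` statement grants `Action = "iam:*"` on `arn:aws:iam::*:user/tftest`, and `iam:*` on a user includes the policy-attachment actions, so the CI user this policy is attached to (`user = local.name`) can give the `tftest` user permissions well beyond what `main.tftest.hcl` needs; the `iam:*` grants on `arn:aws:iam::*:role/tftest` in `core_policy_statements` and `tests_policy_statements` have the same shape for the role. Replace the wildcard with the explicit actions the test run exercises (create/delete of the user, its access key and the role, attach/detach of the module's own policies), and consider pinning the account id in place of `*` since each statement is applied through a single-account provider anyway. A short comment above the resource stating that these policies exist only to let the module's own test suite create and destroy `tftest` would also help, e.g. `# Grants the CI user just enough IAM rights to run main.tftest.hcl against the tftest user/role.`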
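Review bot: The `backend "s3"` block in infrastructure/tofu/providers.tf does not set `encrypt = true`, so the state object for this root module is uploaded without requesting server-side encryption unless the bucket enforces a default; that state will contain the child module's resources, including the IAM access key produced for `local.name`. Add `encrypt = true` alongside `bucket = "adyxax-tofu-states"`. If the bucket already has default encryption and a bucket policy denying unencrypted puts, a one-line comment saying so would make the omission deliberate rather than accidental.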
@@ -0,0 +1,46 @@
+module "aws_iam_role_core" {
+ providers = { aws = aws.core }
+ source = "git::ssh://git@git.adyxax.org/adyxax/tofu-module-aws-iam-role?depth=1&ref=1.0.0"
+
+ name = var.name
+ policy_statements = jsonencode(concat(
+ [
+ { # Read and Write access on the repository's own tofu state
+ Action = [
+ "s3:GetObject",
+ "s3:PutObject",
+ ]
+ Effect = "Allow"
+ Resource = "arn:aws:s3:::adyxax-tofu-states/repositories/${var.name}"
+ },
+ { # Read Write Delete access on the dynamoDB locks
+ Action = [
+ "dynamodb:DeleteItem",
+ "dynamodb:GetItem",
+ "dynamodb:PutItem",
+ ]
+ Effect = "Allow"
+ Resource = format(
+ "arn:aws:dynamodb:eu-west-3:*:table/tofu-states",
+ )
+ },
+ ],
+ jsondecode(var.core_policy_statements),
+ ))
+}
+
+module "aws_iam_role_test" {
+ providers = { aws = aws.tests }
+ source = "git::ssh://git@git.adyxax.org/adyxax/tofu-module-aws-iam-role?depth=1&ref=1.0.0"
+
+ name = var.name
+ policy_statements = var.tests_policy_statements
+}
+
+module "aws_iam_user" {
+ providers = { aws = aws.root }
+ source = "git::ssh://git@git.adyxax.org/adyxax/tofu-module-aws-iam-user?depth=1&ref=1.0.0"
+
+ assume_role_account_names = ["core", "tests"]
+ name = var.name
+}
diff --git a/main.tftest.hcl b/main.tftest.hcl
new file mode 100644
index 0000000..e7ab4d2
--- /dev/null
+++ b/main.tftest.hcl
@@ -0,0 +1,28 @@
+provider "aws" {
+ alias = "core"
+ profile = "core"
+ region = "eu-west-3"
+}
+
+provider "aws" {
+ alias = "root"
+ profile = "root"
+ region = "eu-west-3"
+}
+
+provider "aws" {
+ alias = "tests"
+ profile = "tests"
+ region = "eu-west-3"
+}
+
+run "main" {
+ assert {
+ condition = output.access_key_id != null
+ error_message = "invalid iam user access key id"
+ }
+}
+
+variables {
+ name = "tftest"
+}
diff --git a/outputs.tf b/outputs.tf
new file mode 100644
index 0000000..c82c2be
--- /dev/null
+++ b/outputs.tf
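Review bot: In `module "aws_iam_role_core"` the lock-table statement wraps a single literal in `format(` with no format verbs, which is a no-op; write `Resource = "arn:aws:dynamodb:eu-west-3:*:table/tofu-states"` to match the s3 statement above it. The bucket `adyxax-tofu-states`, the table `tofu-states` and the region `eu-west-3` are hard-coded here and repeated in infrastructure/tofu/providers.tf, so exposing them as variables with these defaults would keep the module usable if the backend ever moves. The s3 statement is commendably narrow (Get/Put on the repository's own state key only); whether the backend also needs `s3:ListBucket` on the bucket depends on the tofu version in use and is not exercised by `main.tftest.hcl`, so confirm with a real plan through the role before relying on it.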
@@ -0,0 +1,11 @@
+output "access_key_id" {
+ description = "AWS IAM access key id."
+ sensitive = false
+ value = module.aws_iam_user.access_key_id
+}
+
+output "access_key_secret" {
+ description = "AWS IAM access key secret."
+ sensitive = true
+ value = module.aws_iam_user.access_key_secret
+}
diff --git a/providers.tf b/providers.tf
new file mode 100644
index 0000000..da38d32
--- /dev/null
+++ b/providers.tf
@@ -0,0 +1,8 @@
+terraform {
+ required_providers {
+ aws = {
+ configuration_aliases = [aws.core, aws.root, aws.tests]
+ source = "hashicorp/aws"
+ }
+ }
+}
diff --git a/variables.tf b/variables.tf
new file mode 100644
index 0000000..3e4c100
--- /dev/null
+++ b/variables.tf
@@ -0,0 +1,19 @@
+variable "core_policy_statements" {
+ default = "[]"
+ description = "The JSON encoded list of AWS policy statements for the role in the core AWS account."
+ nullable = false
+ type = string
+}
+
+variable "name" {
+ description = "The IAM user's name."
+ nullable = false
+ type = string
+}
+
+variable "tests_policy_statements" {
+ default = "[]"
+ description = "The JSON encoded list of AWS policy statements for the role in the tests AWS account."
+ nullable = false
+ type = string
+}
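Review bot: `core_policy_statements` and `tests_policy_statements` are accepted as opaque `string`s with no `validation` block, so a malformed value is only caught when `jsondecode(var.core_policy_statements)` runs in main.tf (with a generic decode error), and `tests_policy_statements` is forwarded to the child module without being decoded here at all. A `validation` block on each variable checking `can(jsondecode(...))` fails fast at plan time with a message naming the variable. The same block, with the variable name changed, applies to `tests_policy_statements`.
```hcl
variable "core_policy_statements" {
  default     = "[]"
  description = "The JSON encoded list of AWS policy statements for the role in the core AWS account."
  nullable    = false
  type        = string

  validation {
    condition     = can(jsondecode(var.core_policy_statements))
    error_message = "core_policy_statements must be a valid JSON encoded list of policy statements."
  }
}

# … unchanged: variable "name" …

# … tests_policy_statements: same validation block, referencing var.tests_policy_statements …
```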