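module "aws_iam_role_core" {
  providers = { aws = aws.core }
  # Pinned to a release tag. Tags can be moved, so pin `ref` to a commit hash
  # instead if the module source must be immutable.
  source = "git::ssh://git@git.adyxax.org/adyxax/tofu-module-aws-iam-role?depth=1&ref=1.1.0"

  name = var.name
  # The two inline statements are merged with the caller supplied statements
  # (decoded from JSON; concat() requires it to be a list) and re-encoded for
  # the module.
  policy_statements = jsonencode(concat(
    [
      { # Read and Write access on the repository's own tofu state
        Action = [
          "s3:GetObject",
          "s3:PutObject",
        ]
        Effect   = "Allow"
        Resource = "arn:aws:s3:::adyxax-tofu-states/repositories/${var.name}"
      },
      { # Read Write Delete access on the dynamoDB locks
        Action = [
          "dynamodb:DeleteItem",
          "dynamodb:GetItem",
          "dynamodb:PutItem",
        ]
        Effect = "Allow"
        # format() was called with no arguments and no verbs, which is a no-op,
        # so a plain literal is used. The account id is a wildcard; only the
        # region and table name scope this statement.
        Resource = "arn:aws:dynamodb:eu-west-3:*:table/tofu-states"
      },
    ],
    jsondecode(var.core_policy_statements),
  ))
}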
module "aws_iam_role_test" {
  source = "git::ssh://git@git.adyxax.org/adyxax/tofu-module-aws-iam-role?depth=1&ref=1.1.0"
  providers = {
    aws = aws.tests
  }

  # No inline statements for the tests role: the caller's value is handed to
  # the module as is (presumably a JSON encoded list, like the core role's —
  # confirm against the module's input).
  policy_statements = var.tests_policy_statements
  name              = var.name
}
module "aws_iam_user" {
  source = "git::ssh://git@git.adyxax.org/adyxax/tofu-module-aws-iam-user?depth=1&ref=1.1.0"
  providers = {
    aws = aws.root
  }

  name = var.name
  # Accounts whose role this user is allowed to assume; presumably the ones
  # behind the aws.core and aws.tests providers used by the role modules.
  assume_role_account_names = ["core", "tests"]
}
resource "forgejo_repository_actions_secret" "aws_iam_user" {
  owner      = var.forgejo_repository.owner
  repository = var.forgejo_repository.name
  name       = "AWS_ACCESS_KEY_SECRET"
  # The secret access key is read from the user module's output, so it is also
  # recorded in the tofu state; the state backend must be treated as holding
  # this credential.
  data = module.aws_iam_user.access_key_secret
}
resource "forgejo_repository_actions_variable" "aws_iam_user" {
  owner      = var.forgejo_repository.owner
  repository = var.forgejo_repository.name
  name       = "AWS_ACCESS_KEY_ID"
  # The key id is not secret, so it is published as a plain actions variable
  # rather than a secret.
  data = module.aws_iam_user.access_key_id
}