diff --git a/.forgejo/workflows/main.yaml b/.forgejo/workflows/main.yaml
new file mode 100644
index 0000000..2e4bd1f
--- /dev/null
+++ b/.forgejo/workflows/main.yaml
@@ -0,0 +1,16 @@
+---
+name: 'main'
+
+on:
+ push:
+ workflow_dispatch:
+
+jobs:
+ test:
+ runs-on: 'self-hosted'
+ steps:
+ - uses: 'actions/checkout@v4'
+ - uses: "https://git.adyxax.org/adyxax/action-tofu-aws-test@1.0.0"
+ with:
+ aws-access-key-id: "${{ vars.AWS_ACCESS_KEY_ID }}"
+ aws-access-key-secret: "${{ secrets.AWS_ACCESS_KEY_SECRET }}"
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d511684..b005c50 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,8 +2,18 @@ All notable changes to this project will be documented in this file. +## 1.1.0 - 2025-04-12 + +### Added + +- Added output variable `arn`. + +### Deprecated + +- Deprecated output variable `iam_role_arn`. Use `arn` instead. + ## 1.0.0 - 2025-04-11 ### Added -- initial import +- Initial import.
diff --git a/README.md b/README.md
index af5a1f6..bfc8605 100644
--- a/README.md
+++ b/README.md
@@ -11,9 +11,9 @@ continuous integration tasks on AWS. ``` hcl module "aws_iam_role" { - source = "git::ssh://git@git.adyxax.org/adyxax/tofu-module-aws-iam-role?depth=1&ref=1.0.0" + source = "git::ssh://git@git.adyxax.org/adyxax/tofu-module-aws-iam-role?depth=1&ref=1.1.0" - name = local.name + name = local.name policy_statements = jsonencode([ { Action = "acm:*"
@@ -24,6 +24,11 @@ module "aws_iam_role" { } ``` +## Assume role policy + +This role is designed to be used with AWS Identity Center and provisions a trust +relationship to the root organization account. + ## Policies The IAM role is granted the following permissions on the AWS account:
diff --git a/infrastructure/tofu/.gitignore b/infrastructure/tofu/.gitignore
new file mode 100644
index 0000000..a8c8222
--- /dev/null
+++ b/infrastructure/tofu/.gitignore
@@ -0,0 +1 @@
+!.terraform.lock.hcl
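Review bot: Both steps are referenced by floating tags (`actions/checkout@v4` and `action-tofu-aws-test@1.0.0`), so the job that receives the AWS credentials will silently run whatever those tags point to in the future; pinning each to a full commit SHA with the tag kept in a trailing comment, e.g. `- uses: 'actions/checkout@<full-commit-sha>'  # v4`, makes an action update an explicit, reviewable change. The `push` trigger has no branch filter, so every push on any branch runs the AWS test with the account's key pair; if that is intended, a one-line comment above `on:` saying so would spare the next reader the question. Minor style point: `uses:` values mix single and double quotes, and settling on one form keeps yamllint's `quoted-strings` rule quiet.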
diff --git a/infrastructure/tofu/.terraform.lock.hcl b/infrastructure/tofu/.terraform.lock.hcl new file mode 100644 index 0000000..3c0cd99 --- /dev/null +++ b/infrastructure/tofu/.terraform.lock.hcl @@ -0,0 +1,36 @@ +# This file is maintained automatically by "tofu init". +# Manual edits may be lost in future updates. + +provider "registry.opentofu.org/adyxax/forgejo" { + version = "1.1.0" + constraints = "1.1.0" + hashes = [ + "h1:xa2K1rn2OzQofizev01UBKEgq4WHo3EM5/fiPCxFL/E=", + "zh:0a9fb11ae6b14abca1a5376b3c83182586e8735e67aa863b223737af1edb9802", + "zh:16a86c5a4b394f04ab14992b15ee812daee38c88570a6431a9dd7c0b961c3166", + "zh:2c2f2703fad8d682d74832ea650cb58efbaf7b63e67c57f4344561ab529c81de", + "zh:38326430e210fb899981a5d99b3dd17f0040356ef1879e0a3fe96c9d13d27b4b", + "zh:7757c16957287f8e1cca39d349d5c219fc31ef8ce55b60db9f83099e10cd3a93", + "zh:890df766e9b839623b1f0437355032a3c006226a6c200cd911e15ee1a9014e9f", + "zh:b91bd40d90199ff8c811e241f94931a540d571807743dcd9768625d177c38e29", + "zh:efb6d4c30e3412a727c63af9d04ed4b24dfdde251d18343d62a45ae967e4f6ab", + "zh:f5357ef185a3183f01555371602471aeadc340a16b1f1355e706fedbfd1f9dad", + ] +} + +provider "registry.opentofu.org/hashicorp/aws" { + version = "6.2.0" + constraints = "6.2.0" + hashes = [ + "h1:UcBl0SyNxOTHOa3Ske3ClmzA7V1S7e/I4+29DLGe85A=", + "zh:26072ed06da98bfeff0a9ef54edd215c7af005658a670e098dc6445c10bf2b55", + "zh:39aba613926547b289128a8c37baa0b8762dce974ed0e5859c1fd24afaa753b0", + "zh:3a97a68258a7cb707ae571a43cfb44142c00a4543689fea4dcbe2e9db2336310", + "zh:3af54af122ffc4477ee23dc855b27fdeb3682fff09ac8394b37eac3164faaa65", + "zh:4ab39e61f699b9189386b037ba8a6725634e99115a6d24946baae2f461ce519e", + "zh:98455edb4f11267c144f15eb36a25adec3121ac8af34754ebfac9e6e00fd5ec7", + "zh:b51e505cd73ddf015ce765f4df5ddc5f7e5a42eb596f57bcf0f1eae5338d4efa", + "zh:c132a00c0495ae62a14affd1f41bcd7d11f91cf559c6229aa168f326938aedbe", + "zh:e14ddc80f4ca1d394889e27d9188f4368ac7d3437e6a10490d1314da66039bf4", + ] +} 
diff --git a/infrastructure/tofu/main.tf b/infrastructure/tofu/main.tf
new file mode 100644
index 0000000..973f6bd
--- /dev/null
+++ b/infrastructure/tofu/main.tf
@@ -0,0 +1,23 @@
+locals {
+ name = "tofu-module-aws-iam-role"
+}
+
+module "aws_iam_ci_user" {
+ providers = {
+ aws.core = aws.all["core"]
+ aws.root = aws.all["root"]
+ aws.tests = aws.all["tests"]
+ }
+ source = "git::ssh://git@git.adyxax.org/adyxax/tofu-module-aws-iam-ci-user?depth=1&ref=1.1.0"
+
+ forgejo_repository = {
+ name = local.name
+ owner = "adyxax"
+ }
+ name = local.name
+ tests_policy_statements = jsonencode([{
+ Action = "iam:*"
+ Effect = "Allow"
+ Resource = "arn:aws:iam::*:role/tftest-role",
+ }])
+}
diff --git a/infrastructure/tofu/providers.tf b/infrastructure/tofu/providers.tf
new file mode 100644
index 0000000..a312874
--- /dev/null
+++ b/infrastructure/tofu/providers.tf
@@ -0,0 +1,32 @@
+terraform {
+ backend "s3" {
+ bucket = "adyxax-tofu-states"
+ dynamodb_table = "tofu-states"
+ key = "repositories/${local.name}"
+ profile = "core"
+ region = "eu-west-3"
+ }
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "6.2.0"
+ }
+ forgejo = {
+ source = "adyxax/forgejo"
+ version = "1.1.0"
+ }
+ }
+}
+
+provider "aws" {
+ for_each = toset(["core", "root", "tests"])
+
+ alias = "all"
+ default_tags { tags = { "managed-by" = "tofu" } }
+ profile = each.key
+ region = "eu-west-3"
+}
+
+provider "forgejo" {
+ base_uri = "https://git.adyxax.org/"
+}
diff --git a/main.tftest.hcl b/main.tftest.hcl
new file mode 100644
index 0000000..68f4c3b
--- /dev/null
+++ b/main.tftest.hcl
@@ -0,0 +1,15 @@
+provider "aws" {
+ profile = "tests"
+ region = "eu-west-3"
+}
+
+run "main" {
+ assert {
+ condition = output.arn != null
+ error_message = "invalid IAM role ARN"
+ }
+}
+
+variables {
+ name = "tftest-role"
+}
diff --git a/outputs.tf b/outputs.tf
index f3ef649..ebfd120 100644
--- a/outputs.tf
+++ b/outputs.tf
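Review bot: The test policy grants `iam:*` on `arn:aws:iam::*:role/tftest-role`, which is broader than the CI test user needs: the action wildcard includes the calls that rewrite the role's trust and permission policies, and the `*` account field is looser than the single tests account the role lives in. Narrowing `Action` to the role and inline-policy operations the module actually performs (create/get/update/delete/tag, as far as I can infer from the module's purpose — worth confirming against a plan) and writing the tests account id into the ARN keeps the blast radius of a leaked CI key to one role. The `tftest-role` name is also hard-coded here and again in the `variables` block of `main.tftest.hcl`; a comment such as `# Must match variables.name in main.tftest.hcl` on the `Resource` line records that coupling.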
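Review bot: `provider "aws"` uses `for_each` and the backend `key` references `local.name`, both of which need a recent OpenTofu (provider iteration landed in 1.9, as far as I recall) and are rejected by older releases and by Terraform, yet the `terraform` block carries no `required_version`; adding `required_version = ">= 1.9.0"` beside `required_providers` turns that implicit floor into an upfront error. A one-line comment on the backend block noting that state is kept under the `core` profile while resources are provisioned through the `core`/`root`/`tests` aliases would also help a reader who only opens this file.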
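Review bot: The assertion `output.arn != null` passes for any non-null value, including a bare role name, so it does not check that the output is actually an ARN; `condition = can(regex("^arn:aws:iam::[0-9]{12}:role/", output.arn))` with the existing `error_message` pins the shape the output promises. The run block sets no `command`, so as I read it the test applies and then destroys a real role in the `tests` account on every CI push; a comment on `run "main"` stating that this is a live apply against the tests account documents that cost for whoever adds further runs.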
@@ -1,3 +1,10 @@
+output "arn" {
+ description = "AWS IAM role ARN."
+ sensitive = false
+ value = aws_iam_role.main.id
+}
+
+# Deprecated since 1.1.0
 output "iam_role_arn" {
 description = "AWS IAM role ARN."
 sensitive = false
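Review bot: The new `arn` output is built from `aws_iam_role.main.id`, but on the `aws_iam_role` resource `id` is the role name, so an output named and described as the ARN would return the name; `value = aws_iam_role.main.arn` is the attribute that carries the ARN. The `# Deprecated since 1.1.0` marker would reach module consumers better as part of the output's `description`, e.g. `description = "AWS IAM role ARN. Deprecated since 1.1.0, use arn instead."`, since descriptions surface in `tofu output` and generated module docs while comments do not. The deprecated output's `value` line lies outside the hunk, so whether it uses the same `.id` expression cannot be seen here.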