From 5111368af8adf7f79c537932e36ccca9cda87892 Mon Sep 17 00:00:00 2001
From: Tyler Mizuyabu
Date: Wed, 19 Jun 2024 10:16:26 -0400
Subject: [PATCH 1/2] adding a configuration to setup github variables and secrets for aws oidc
---
 .../github-foundations/aws-oidc-variables.tf | 39 +++++++++++++++++++
 modules/github-foundations/variables.tf | 13 +++++++
 2 files changed, 52 insertions(+)
 create mode 100644 modules/github-foundations/aws-oidc-variables.tf
diff --git a/modules/github-foundations/aws-oidc-variables.tf b/modules/github-foundations/aws-oidc-variables.tf
new file mode 100644
index 0000000..6591f2f
--- /dev/null
+++ b/modules/github-foundations/aws-oidc-variables.tf
@@ -0,0 +1,39 @@
+resource "github_actions_organization_variable" "s3_bucket" {
+ count = var.oidc_configuration.aws != null ? 1 : 0
+
+ variable_name = coalesce(var.oidc_configuration.aws.s3_bucket_variable_name, "AWS_S3_BUCKET")
+ value = var.oidc_configuration.aws.s3_bucket
+ visibility = "selected"
+ selected_repository_ids = [
+ github_repository.bootstrap_repo.repo_id,
+ github_repository.organizations_repo.repo_id
+ ]
+}
+
+resource "github_actions_organization_variable" "region" {
+ count = var.oidc_configuration.aws != null ? 1 : 0
+
+ variable_name = coalesce(var.oidc_configuration.aws.region_variable_name, "AWS_REGION")
+ value = var.oidc_configuration.aws.region
+ visibility = "selected"
+ selected_repository_ids = [
+ github_repository.bootstrap_repo.repo_id,
+ github_repository.organizations_repo.repo_id
+ ]
+}
+
+resource "github_actions_secret" "organizations_iam_role" {
+ count = var.oidc_configuration.aws != null ? 1 : 0
+
+ repository = github_repository.organizations_repo.name
+ secret_name = coalesce(var.oidc_configuration.aws.organizations_role_variable_name, "AWS_IAM_ROLE")
+ plaintext_value = var.oidc_configuration.aws.organizations_role
+}
+
+resource "github_actions_variable" "dynamodb_table_name" {
+ count = var.oidc_configuration.aws != null ? 1 : 0
+
+ repository = github_repository.organizations_repo.name
+ variable_name = coalesce(var.oidc_configuration.aws.dynamodb_table_variable_name, "AWS_DYNAMO_DB_TABLE")
+ value = var.oidc_configuration.aws.dynamodb_table
+}
\ No newline at end of file
diff --git a/modules/github-foundations/variables.tf b/modules/github-foundations/variables.tf
index 9ee1866..446e4c2 100644
--- a/modules/github-foundations/variables.tf
+++ b/modules/github-foundations/variables.tf
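Review bot: The `organizations_iam_role` secret is created only on `organizations_repo`, while the `s3_bucket` and `region` organization variables are shared with `bootstrap_repo` as well, and nothing in the new file says whether that asymmetry is intended; a comment on the secret resource such as `# Only the organizations repo is granted the AWS role; the bootstrap repo receives the bucket/region variables but no role ARN.` would settle it (the Azure configuration in the same variable carries separate bootstrap and organization client ids, so a reader may expect a bootstrap role here too). `plaintext_value` is also persisted in clear in Terraform state, so the state backend for this module needs the same access control as the GitHub secret; an IAM role ARN is low-sensitivity, but that is worth a one-line comment since the same resource pattern holds the other providers' identities. Finally, this module only publishes the role ARN — which workflows may actually assume it is decided by the role's trust policy on the AWS side, and a header comment in `aws-oidc-variables.tf` pointing readers there would avoid the impression that `visibility = "selected"` does that job.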
@@ -68,6 +68,19 @@ variable "oidc_configuration" {
 key_vault_id_variable_name = optional(string)
 key_vault_id = string
 }))
+ aws = optional(object({
+ s3_bucket_variable_name = optional(string)
+ s3_bucket = string
+
+ region_variable_name = optional(string)
+ region = string
+
+ organizations_role_variable_name = optional(string)
+ organizations_role = string
+
+ dynamodb_table_variable_name = optional(string)
+ dynamodb_table = string
+ }))
 custom = optional(object({
 organization_secrets = map(string)
 organization_variables = map(string)
From 443ab04e5889c82a5fc92697769aaec407d01e47 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Wed, 19 Jun 2024 14:18:45 +0000
Subject: [PATCH 2/2] terraform-docs: automated action
---
 modules/github-foundations/README.md | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/modules/github-foundations/README.md b/modules/github-foundations/README.md
index 79d9854..65c6099 100644
--- a/modules/github-foundations/README.md
+++ b/modules/github-foundations/README.md
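Review bot: The new `aws` object accepts the four `*_variable_name` overrides without validation, and they are passed straight through as GitHub variable/secret names, which GitHub only accepts as letters, digits and underscores, not starting with a digit or with the `GITHUB_` prefix; a bad override therefore fails only at apply time, possibly after sibling resources have already been created. The enclosing `variable "oidc_configuration"` block starts before this hunk, so a `validation` block can be added there with something like `condition = var.oidc_configuration.aws == null ? true : alltrue([for n in [var.oidc_configuration.aws.s3_bucket_variable_name, var.oidc_configuration.aws.region_variable_name, var.oidc_configuration.aws.organizations_role_variable_name, var.oidc_configuration.aws.dynamodb_table_variable_name] : n == null ? true : can(regex("^[A-Za-z_][A-Za-z0-9_]*$", n)) && !startswith(n, "GITHUB_")])` (the conditional form rather than `||` so a null `aws` or override is never dereferenced). On naming, `organizations_role_variable_name` configures a `secret_name` in the companion file, whereas the `gcp` object in this same variable uses the `_secret_name` suffix for secret overrides (`workload_identity_provider_name_secret_name`), so `organizations_role_secret_name` would keep the convention before this interface is published. A short comment on the `aws` object stating which values become organization variables and which become repository secrets would also help, since the `_variable_name` suffix currently hides that distinction.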
@@ -29,7 +29,9 @@
 | [github_actions_organization_variable.container_name](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_variable) | resource |
 | [github_actions_organization_variable.custom_oidc_organization_variable](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_variable) | resource |
 | [github_actions_organization_variable.key_vault_id](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_variable) | resource |
+| [github_actions_organization_variable.region](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_variable) | resource |
 | [github_actions_organization_variable.resource_group_name](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_variable) | resource |
+| [github_actions_organization_variable.s3_bucket](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_variable) | resource |
 | [github_actions_organization_variable.storage_account_name](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_variable) | resource |
 | [github_actions_organization_variable.subscription_id](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_variable) | resource |
 | [github_actions_organization_variable.tf_state_bucket_location](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_variable) | resource |
@@ -38,7 +40,9 @@
 | [github_actions_secret.bootstrap_managed_identity_client_id](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_secret) | resource |
 | [github_actions_secret.organization_managed_identity_client_id](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_secret) | resource |
 | [github_actions_secret.organization_workload_identity_sa](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_secret) | resource |
+| [github_actions_secret.organizations_iam_role](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_secret) | resource |
 | [github_actions_secret.repository_secret](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_secret) | resource |
+| [github_actions_variable.dynamodb_table_name](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_variable) | resource |
 | [github_actions_variable.gcp_secret_manager_project_id](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_variable) | resource |
 | [github_actions_variable.repository_variable](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_variable) | resource |
 | [github_issue_labels.drift_labels](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/issue_labels) | resource |
@@ -57,7 +61,7 @@
 | [account\_type](#input\_account\_type) | The type of GitHub account being used. Should be one of either `Personal`, `Organization`, or `Enterprise`. | `string` | n/a | yes |
 | [bootstrap\_repository\_name](#input\_bootstrap\_repository\_name) | The name of the bootstrap repository. | `string` | `"bootstrap"` | no |
 | [foundation\_devs\_team\_name](#input\_foundation\_devs\_team\_name) | The name of the foundation developers team. | `string` | `"foundation-devs"` | no |
-| [oidc\_configuration](#input\_oidc\_configuration) | n/a |
object({
gcp = optional(object({
workload_identity_provider_name_secret_name = optional(string)
workload_identity_provider_name = string

organization_workload_identity_sa_secret_name = optional(string)
organization_workload_identity_sa = string

gcp_secret_manager_project_id_variable_name = optional(string)
gcp_secret_manager_project_id = string

gcp_tf_state_bucket_project_id_variable_name = optional(string)
gcp_tf_state_bucket_project_id = string

bucket_name_variable_name = optional(string)
bucket_name = string

bucket_location_variable_name = optional(string)
bucket_location = string
}))
azure = optional(object({
bootstrap_client_id_variable_name = optional(string)
bootstrap_client_id = string

organization_client_id_variable_name = optional(string)
organization_client_id = string

tenant_id_variable_name = optional(string)
tenant_id = string

subscription_id_variable_name = optional(string)
subscription_id = string

resource_group_name_variable_name = optional(string)
resource_group_name = string

storage_account_name_variable_name = optional(string)
storage_account_name = string

container_name_variable_name = optional(string)
container_name = string

key_vault_id_variable_name = optional(string)
key_vault_id = string
}))
custom = optional(object({
organization_secrets = map(string)
organization_variables = map(string)
repository_secrets = map(map(string))
repository_variables = map(map(string))
}))
})
| n/a | yes |
+| [oidc\_configuration](#input\_oidc\_configuration) | n/a |
object({
gcp = optional(object({
workload_identity_provider_name_secret_name = optional(string)
workload_identity_provider_name = string

organization_workload_identity_sa_secret_name = optional(string)
organization_workload_identity_sa = string

gcp_secret_manager_project_id_variable_name = optional(string)
gcp_secret_manager_project_id = string

gcp_tf_state_bucket_project_id_variable_name = optional(string)
gcp_tf_state_bucket_project_id = string

bucket_name_variable_name = optional(string)
bucket_name = string

bucket_location_variable_name = optional(string)
bucket_location = string
}))
azure = optional(object({
bootstrap_client_id_variable_name = optional(string)
bootstrap_client_id = string

organization_client_id_variable_name = optional(string)
organization_client_id = string

tenant_id_variable_name = optional(string)
tenant_id = string

subscription_id_variable_name = optional(string)
subscription_id = string

resource_group_name_variable_name = optional(string)
resource_group_name = string

storage_account_name_variable_name = optional(string)
storage_account_name = string

container_name_variable_name = optional(string)
container_name = string

key_vault_id_variable_name = optional(string)
key_vault_id = string
}))
aws = optional(object({
s3_bucket_variable_name = optional(string)
s3_bucket = string

region_variable_name = optional(string)
region = string

organizations_role_variable_name = optional(string)
organizations_role = string

dynamodb_table_variable_name = optional(string)
dynamodb_table = string
}))
custom = optional(object({
organization_secrets = map(string)
organization_variables = map(string)
repository_secrets = map(map(string))
repository_variables = map(map(string))
}))
})
| n/a | yes |
 | [organizations\_repository\_name](#input\_organizations\_repository\_name) | The name of the organizations repository. | `string` | `"organizations"` | no |
 | [readme\_path](#input\_readme\_path) | Local Path to the README file in your current codebase. Pushed to the github foundation repository. | `string` | `""` | no |