Merge pull request #2 from optiop/feature/ops-repository

Feature/ops repository

Author: mehr74

.gitignore

@@ -32,3 +32,4 @@ override.tf.json
 # Ignore CLI configuration files
 .terraformrc
 terraform.rc
+.terraform.lock.hcl

ops/repository/README.md

@@ -0,0 +1,15 @@
+# Repository Infrastructure
+
+This part contains the registry of the repositories used for the project,
+as well as the access roles and permission for Github actions.
+
+
+## Usage
+Update the `terraform.tfvars` file with the required values,
+set proper backend configuration in `provider.tf` file
+and run the following commands to create the infrastructure.
+
+```bash
+terraform init
+terraform apply -var-file=terraform.tfvars
+```

ops/repository/ecr.tf

@@ -0,0 +1,15 @@
+resource "aws_ecr_repository" "postgres" {
+  name                 = "${var.name}-postgres-repo"
+  image_tag_mutability = "MUTABLE"
+  image_scanning_configuration {
+    scan_on_push = true
+  }
+}
+
+resource "aws_ecr_repository" "grafana" {
+  name                 = "${var.name}-grafana-repo"
+  image_tag_mutability = "MUTABLE"
+  image_scanning_configuration {
+    scan_on_push = true
+  }
+}

ops/repository/iam.tf

@@ -0,0 +1,59 @@
+resource "aws_iam_policy" "ecr_access_policy" {
+  name        = "${var.name}-policy"
+  description = "Policy to allow pushing images to ECR"
+
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect = "Allow",
+        Action = [
+          "ecr:*"
+        ],
+        Resource = [
+          aws_ecr_repository.postgres.arn,
+          aws_ecr_repository.grafana.arn
+        ]
+      },
+      {
+        Effect = "Allow",
+        Action = [
+          "ecr:GetAuthorizationToken"
+        ],
+        Resource = [
+          "*"
+        ]
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role" "github_action_role" {
+  name = "${var.name}-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRoleWithWebIdentity",
+        Effect = "Allow",
+        Principal = {
+          Federated = var.github_oidc_provider_arn
+        },
+        Condition = {
+          StringEquals = {
+            "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com",
+            "token.actions.githubusercontent.com:sub" = [
+              "repo:${var.github_owner}/${var.github_repo}:ref:refs/heads/main",
+            ]
+          }
+        }
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "github_action_policy_attachment" {
+  role       = aws_iam_role.github_action_role.name
+  policy_arn = aws_iam_policy.ecr_access_policy.arn
+}

ops/repository/output.tf

@@ -0,0 +1,11 @@
+output "aws_iam_role" {
+  value = aws_iam_role.github_action_role.arn
+}
+
+output "aws_ecr_db_repo" {
+  value = aws_ecr_repository.postgres.repository_url
+}
+
+output "aws_ecr_backend_repo" {
+  value = aws_ecr_repository.grafana.repository_url
+}

ops/repository/provider.tf

@@ -0,0 +1,14 @@
+terraform {
+  required_version = ">=0.13"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0.0"
+    }
+  }
+}
+
+provider "aws" {
+  region = var.region
+}

ops/repository/terraform.tfvars

@@ -0,0 +1,8 @@
+name                     = "postgres-grafana-on-ecs"
+github_owner             = "optiop"
+github_repo              = "postgres-grafana-on-ecs"
+github_oidc_provider_arn = 
+region                   = 
+tags = {
+  "project"   = "Visualize Postgres data on Grafana running on ECS"
+}

ops/repository/variables.tf

@@ -0,0 +1,23 @@
+variable "region" {
+  type = string
+}
+
+variable "name" {
+  type = string
+}
+
+variable "tags" {
+  type = map(string)
+}
+
+variable "github_owner" {
+  type = string
+}
+
+variable "github_repo" {
+  type = string
+}
+
+variable "github_oidc_provider_arn" {
+  type = string
+}