portfolio: initial release

Author: safesploit

.github/workflows/terraform_destroy.yml

@@ -0,0 +1,69 @@
+name: Terraform Destroy (Manually Triggered)
+
+on:
+  workflow_dispatch:
+    inputs:
+      confirm:
+        description: "Type 'DESTROY' to confirm you really want to destroy infrastructure"
+        required: true
+
+env:
+  TF_ROOT: project1_refactor
+  TF_VERSION: 1.13.0
+  AWS_REGION: eu-west-2
+
+concurrency:
+  group: terraform-destroy-${{ github.ref }}
+  cancel-in-progress: false
+
+jobs:
+  destroy:
+    runs-on: ubuntu-latest
+
+    permissions:
+      id-token: write   # Required for OIDC
+      contents: read    # To checkout repo
+
+    steps:
+      - name: ⛔ Validate destroy confirmation
+        if: ${{ github.event.inputs.confirm != 'DESTROY' }}
+        run: |
+          echo "❌ Destroy not confirmed. Type 'DESTROY' in the workflow input."
+          exit 1
+
+      - name: 📥 Checkout repo
+        uses: actions/checkout@v4
+
+      - name: 🔐 Configure AWS credentials (OIDC)
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_OIDC_ROLE }}
+          aws-region: ${{ env.AWS_REGION }}
+
+      - name: 🧪 Verify Remote State S3 Backend
+        run: |
+          aws s3api head-bucket \
+            --bucket my-eu-tf-state-bucket
+
+      - name: 🧪 Verify DynamoDB Lock Table
+        run: |
+          aws dynamodb describe-table \
+            --table-name terraform-locks
+
+      - name: 🛠️ Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: ${{ env.TF_VERSION }}
+
+      - name: 📄 Terraform Init
+        run: |
+          terraform -chdir=${{ env.TF_ROOT }} \
+            init \
+            -input=false \
+            -backend-config="region=${{ env.AWS_REGION }}"
+
+      - name: 💣 Terraform Destroy
+        run: |
+          terraform -chdir=${{ env.TF_ROOT }} \
+            destroy \
+            -auto-approve

.github/workflows/terraform_provision.yml

@@ -0,0 +1,106 @@
+name: Terraform Provision (EC2 S3 VPC)
+
+on:
+  pull_request:
+    branches: [ main ]
+  push:
+    branches: [ main ]
+  workflow_dispatch:
+
+env:
+  TF_ROOT: project1_refactor
+  TF_VERSION: 1.13.0
+  AWS_REGION: eu-west-2
+
+concurrency:
+  group: terraform-${{ github.ref }}
+  cancel-in-progress: false
+
+jobs:
+  terraform-provision:
+    runs-on: ubuntu-latest
+
+    permissions:
+      id-token: write   # Required for OIDC
+      contents: read    # To checkout repo
+
+    steps:
+      - name: 📥 Checkout repo
+        uses: actions/checkout@v4
+
+      - name: 🔐 Configure AWS credentials (OIDC)
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_OIDC_ROLE }}
+          aws-region: ${{ env.AWS_REGION }}
+
+      - name: 🧪 Verify Remote State S3 Backend
+        run: |
+          aws s3api head-bucket \
+            --bucket my-eu-tf-state-bucket
+
+      - name: 🧪 Verify DynamoDB Lock Table
+        run: |
+          aws dynamodb describe-table \
+            --table-name terraform-locks
+
+      - name: 🛠️ Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: ${{ env.TF_VERSION }}
+
+      # Pre-merge checks: 
+      # (uncomment to enable formatting check)
+      # - name: 🧼 Terraform Format
+      #   run: |
+      #     terraform -chdir=${{ env.TF_ROOT }} \
+      #       fmt -check -recursive
+
+      - name: 📄 Terraform Init
+        run: |
+          terraform -chdir=${{ env.TF_ROOT }} \
+            init \
+            -input=false \
+            -backend-config="region=${{ env.AWS_REGION }}"
+
+      - name: 🔎 Terraform Validate
+        run: |
+          terraform -chdir=${{ env.TF_ROOT }} \
+            validate
+
+      # Optional: Security linting with tfsec (uncomment to enable)
+      # - name: 🔐 tfsec (Terraform security scan)
+      #   uses: aquasecurity/tfsec-pr-commenter-action@v1.4.0
+      #   with:
+      #     working_directory: ${{ env.TF_ROOT }}
+      #     github_token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: 📊 Terraform Plan
+        run: |
+          terraform -chdir=${{ env.TF_ROOT }} \
+            plan \
+            -out=tfplan
+
+      # Post-merge checks
+      # Manually triggered for main branch (workflow_dispatch)
+      - name: 🚀 Terraform Apply
+        if: github.event_name == 'workflow_dispatch'
+        run: |
+          terraform -chdir=${{ env.TF_ROOT }} \
+            apply \
+            -auto-approve \
+            tfplan
+
+      # Auto apply on main branch
+      # - name: 🚀 Terraform Apply
+      #   if: github.ref == 'refs/heads/main' && github.event_name != 'pull_request'
+      #   run: |
+      #     terraform -chdir=${{ env.TF_ROOT }} \
+      #       apply -auto-approve tfplan
+
+    # Output Terraform outputs
+      - name: 📤 Terraform Output
+        if: github.event_name == 'workflow_dispatch'
+        run: |
+          terraform -chdir=${{ env.TF_ROOT }} \
+            output -json

.gitignore

@@ -0,0 +1,28 @@
+# .gitignore
+####################################
+###### COMMENT OUT FOR PROD ########
+####################################
+# terraform.tfvars
+# *.tfstate
+# *.tfstate.backup
+# .terraform/
+# .terraform.lock.hcl
+
+# Sensitive keys
+# *.pem
+# *.key
+# *.crt
+
+# Local overrides (never commit env-specific tweaks)
+# override.tf
+# override.tf.json
+# *_override.tf
+# *_override.tf.json
+
+# Ignore backend config with real values
+# backend.tf
+
+# OS Metadata
+*.DS_STORE
+Thumbs.db
+desktop.ini

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Zepher Ashe
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.