iac: add backend infrastructure terraform config

bdeshi 2024-05-17 06:52:49 +06:00
commit 21373e0372
17 changed files with 510 additions and 0 deletions

.envrc.sample Normal file
@ -0,0 +1,15 @@
export TF_WORKSPACE=production
export TF_TOKEN_app_terraform_io=***
export AWS_PROFILE=***
export AWS_ACCESS_KEY_ID=***
export GITEA_BASE_URL=***
export GITEA_TOKEN=***

.gitignore vendored Normal file
@ -0,0 +1,34 @@
# Local .terraform directories
# .tfstate files
# Crash log files
# Exclude all .tfvars files, which are likely to contain sensitive data, such as
# password, private keys, and other secrets. These should not be part of version
# control as they are data points which are potentially sensitive and subject
# to change depending on the environment.
# Ignore override files as they are usually used to override resources locally and so
# are not checked in
# Include override files you do wish to add to version control using negated pattern
# !example_override.tf
# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
# example: *tfplan*
# Ignore CLI configuration files

.terraform-version Normal file
@ -0,0 +1 @@
1.8.3

.terraform.lock.hcl Normal file
@ -0,0 +1,71 @@
# This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.
provider "registry.terraform.io/adduc/woodpecker" {
version = "0.4.0"
constraints = "~> 0.4.0"
hashes = [
provider "registry.terraform.io/go-gitea/gitea" {
version = "0.3.0"
constraints = "~> 0.3.0"
hashes = [
provider "registry.terraform.io/hashicorp/aws" {
version = "5.49.0"
constraints = "~> 5.49.0"
hashes = [

provider.aws.acm.tf Normal file
@ -0,0 +1,13 @@
resource "aws_acm_certificate" "created" {
domain_name = var.domain_name
validation_method = "DNS"
subject_alternative_names = []
validation_option {
domain_name = var.domain_name
validation_domain = var.domain_name
resource "aws_acm_certificate_validation" "created" {
certificate_arn = aws_acm_certificate.created.arn

@ -0,0 +1,49 @@
data "aws_cloudfront_cache_policy" "caching_optimized" {
name = "Managed-CachingOptimized"
locals {
cloudfront_s3_origin_id = "s3origin"
resource "aws_cloudfront_distribution" "created" {
enabled = true
is_ipv6_enabled = true
aliases = [var.domain_name]
default_root_object = var.aws_cloudfront_default_root_object
price_class = var.aws_cloudfront_price_class
http_version = "http2and3"
origin {
domain_name = aws_s3_bucket.created.bucket_regional_domain_name
origin_id = local.cloudfront_s3_origin_id
origin_access_control_id = aws_cloudfront_origin_access_control.s3_access.id
default_cache_behavior {
allowed_methods = ["GET", "HEAD", "OPTIONS"]
cached_methods = ["GET", "HEAD"]
cache_policy_id = data.aws_cloudfront_cache_policy.caching_optimized.id
target_origin_id = local.cloudfront_s3_origin_id
viewer_protocol_policy = "redirect-to-https"
compress = true
restrictions {
geo_restriction {
restriction_type = "none"
locations = []
viewer_certificate {
acm_certificate_arn = aws_acm_certificate.created.arn
minimum_protocol_version = var.aws_cloudfront_minimum_protocol_version
ssl_support_method = "sni-only"
depends_on = [aws_acm_certificate_validation.created]
resource "aws_cloudfront_origin_access_control" "s3_access" {
name = "${var.domain_name}_s3"
origin_access_control_origin_type = "s3"
signing_behavior = "always"
signing_protocol = "sigv4"

provider.aws.data.tf Normal file
@ -0,0 +1,37 @@
data "aws_caller_identity" "current" {}
data "aws_iam_policy_document" "s3_cloudfront_access" {
statement {
principals {
type = "Service"
identifiers = ["cloudfront.amazonaws.com"]
actions = [
resources = [
condition {
test = "StringEquals"
variable = "AWS:SourceArn"
values = [aws_cloudfront_distribution.created.arn]
data "aws_iam_policy_document" "pubilsher" {
statement {
actions = [
resources = [

provider.aws.iam.tf Normal file
@ -0,0 +1,19 @@
resource "aws_iam_user" "publisher" {
name = "${var.domain_name}_publisher"
path = "/${var.aws_tag_iac_identifier}/${local.workspace_env}/"
force_destroy = true
resource "aws_iam_access_key" "publisher" {
user = aws_iam_user.publisher.name
resource "aws_iam_policy" "publisher" {
name_prefix = "${var.domain_name}_publisher"
policy = data.aws_iam_policy_document.pubilsher.json
resource "aws_iam_user_policy_attachment" "publisher" {
policy_arn = aws_iam_policy.publisher.arn
user = aws_iam_user.publisher.name

provider.aws.s3.tf Normal file
@ -0,0 +1,27 @@
resource "aws_s3_bucket" "created" {
bucket_prefix = var.aws_s3_use_domain_prefix ? var.domain_name : var.aws_s3_bucket_prefix
force_destroy = var.aws_s3_force_destroy
resource "aws_s3_bucket_public_access_block" "created" {
bucket = aws_s3_bucket.created.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
resource "aws_s3_bucket_server_side_encryption_configuration" "created" {
bucket = aws_s3_bucket.created.id
rule {
apply_server_side_encryption_by_default {
kms_master_key_id = "aws/s3"
sse_algorithm = "aws:kms"
resource "aws_s3_bucket_policy" "created" {
bucket = aws_s3_bucket.created.id
policy = data.aws_iam_policy_document.s3_cloudfront_access.json

provider.gitea.tf Normal file
@ -0,0 +1,6 @@
data "gitea_user" "current" {}
data "gitea_repo" "source" {
name = var.gitea_repo
username = coalesce(var.gitea_user, data.gitea_user.current.username)

provider.woodpecker.tf Normal file
@ -0,0 +1,28 @@
locals {
secrets_map = {
aws_region = { value = var.aws_region }
aws_access_key_id = { value = aws_iam_access_key.publisher.id }
aws_secret_access_key = { value = aws_iam_access_key.publisher.secret }
cloudfront_distribution = { value = aws_cloudfront_distribution.created.id }
s3_bucket = { value = aws_s3_bucket.created.id }
data "woodpecker_self" "current" {}
resource "woodpecker_repository" "created" {
name = data.gitea_repo.source.name
# woodpecker username can come from associated gitea username
owner = coalesce(var.woodpecker_user, var.gitea_user, data.woodpecker_self.current.login)
visibility = data.gitea_repo.source.private ? "Public" : "Private"
resource "woodpecker_repository_secret" "secrets" {
count = length(keys(local.secrets_map))
repo_owner = woodpecker_repository.created.owner
repo_name = woodpecker_repository.created.name
name = upper(keys(local.secrets_map)[count.index])
value = values(local.secrets_map)[count.index].value
events = try(values(local.secrets_map)[count.index].events, var.woodpecker_secrets_events, [])

@ -0,0 +1,2 @@
organization = "bdeshi-space"
workspaces { prefix = "resume-manpage-" }

terraform.outputs.tf Normal file
@ -0,0 +1,40 @@
output "aws_account_id" {
value = data.aws_caller_identity.current.account_id
description = "ID of the AWS account."
output "s3_bucket" {
value = aws_s3_bucket.created.id
description = "name of the created S3 bucket."
output "cloudfront_distribution" {
value = aws_cloudfront_distribution.created.id
description = "ID of the created CloudFront distribution."
output "acm_certificate_arn" {
value = aws_acm_certificate.created.arn
description = "ARN of the created ACM certificate."
output "acm_validation_options" {
value = aws_acm_certificate.created.domain_validation_options
description = "ACM domain validation records."
output "iam_access_key_id" {
value = aws_iam_access_key.publisher.id
description = "access key ID of the publisher IAM user."
output "iam_secret_access_key" {
value = aws_iam_access_key.publisher.secret
sensitive = true
description = "secret access key of the publisher IAM user."
output "domain_name" {
value = var.domain_name
description = "target publishing domain name."

terraform.tf Normal file
@ -0,0 +1,51 @@
terraform {
required_version = "~> 1.8.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = "~>5.49.0"
woodpecker = {
source = "adduc/woodpecker"
version = "~> 0.4.0"
gitea = {
source = "go-gitea/gitea"
version = "~>0.3.0"
backend "remote" {}
# cloud {
# organization = collected from TF_CLOUD_ORGANIZATION env
# workspaces {
# project = collected from TF_CLOUD_PROJECT env
# }
# }
provider "aws" {
# profile = collected from AWS_PROFILE env
region = var.aws_region
default_tags {
tags = {
"ManagedBy" = var.aws_tag_iac_identifier
"iac/project" = var.aws_tag_iac_project_name
"iac/source" = "${data.gitea_repo.source.ssh_url}/${var.aws_tag_iac_project_subpath}"
"iac/environment" = local.workspace_env
provider "woodpecker" {
# server = collected from WOODPECKER_SERVER env
# token = collected from WOODPECKER_TOKEN env
provider "gitea" {
# base_url = collected from GITEA_BASE_URL env
# token = collected from GITEA_TOKEN env

terraform.tfvars.sample Normal file
@ -0,0 +1,5 @@
domain_name = "sammay.sarkar.website"
aws_tag_iac_project_name = "resume-manpage"
aws_tag_iac_project_subpath = "/iac"
gitea_repo = "resume-manpage"
woodpecker_secrets_events = ["push", "deployment", "manual"]

terraform.variables.tf Normal file
@ -0,0 +1,103 @@
#### commons ####
variable "domain_name" {
type = string
description = "domain name where the built site is published."
#### aws ####
variable "aws_tag_iac_identifier" {
type = string
default = "iac/terraform"
description = "IaC tool name added as a tag to AWS resources, also used in iam user path."
variable "aws_tag_iac_project_name" {
type = string
description = "IaC project name added as a tag to AWS resources."
variable "aws_tag_iac_project_subpath" {
type = string
description = "IaC project source path added as a tag to AWS resources."
variable "aws_region" {
type = string
default = "us-east-1"
description = "AWS region passed to AWS provider."
variable "aws_s3_bucket_prefix" {
type = string
default = null
description = "AWS S3 bucket name prefix."
variable "aws_s3_use_domain_prefix" {
type = bool
default = true
description = "use var.domain_name as AWS S3 bucket name prefix."
variable "aws_s3_force_destroy" {
type = bool
default = true
description = "delete all bucket objects to allow clean bucket destroy operation."
variable "aws_cloudfront_default_root_object" {
type = string
default = "index.html"
description = "default root object name for the CloudFront distribution."
variable "aws_cloudfront_price_class" {
type = string
default = "PriceClass_200"
description = "price class for the CloudFront distribution: PriceClass_All|PriceClass_200|PriceClass_100."
variable "aws_cloudfront_minimum_protocol_version" {
type = string
default = "TLSv1.2_2021"
description = "name of the minimum SSL protocol version used by CloudFront for HTTPS requests."
#### gitea ####
variable "gitea_repo" {
type = string
description = "name of source Gitea repository."
variable "gitea_user" {
type = string
default = null
description = "username of Gitea repo owner."
# woodpecker #
variable "woodpecker_user" {
type = string
default = null
description = "username of Woodpecker server."
variable "woodpecker_secrets_events" {
type = list(string)
default = ["push"]
description = "default list of allowed events for Woodpecker secrets created."

terraforn.locals.tf Normal file
@ -0,0 +1,9 @@
locals {
# terraform remote backend prefix key means local and remote
# wokspace names can differ.
# assuming workspace are named as `prefix+env`, this section
# extracts the env from both local or remote workspace names.
_workspace_name_segments = split("-", terraform.workspace)
_workspace_name_segments_count = length(local._workspace_name_segments)
workspace_env = local._workspace_name_segments[local._workspace_name_segments_count - 1]