From 334770143ca55098f7af79869449e36589f99d83 Mon Sep 17 00:00:00 2001
From: bdeshi
Date: Tue, 28 May 2024 15:02:15 +0600
Subject: [PATCH] init (resources creation ok)
---
.envrc.sample | 1 +
.gitignore | 36 +++++++++++++++++++++++++
.terraform-docs.yml | 6 +++++
.terraform-version | 1 +
.terraform.lock.hcl | 25 ++++++++++++++++++
README.md | 32 ++++++++++++++++++++++
oci.iam.tf | 42 +++++++++++++++++++++++++++++
oci.objectstorage.tf | 47 +++++++++++++++++++++++++++++++++
terraform.backend.tfvars.sample | 5 ++++
terraform.data.tf | 4 +++
terraform.locals.tf | 12 +++++++++
terraform.outputs.tf | 21 +++++++++++++++
terraform.tf | 15 +++++++++++
terraform.tfvars.sample | 9 +++++++
terraform.variables.tf | 25 ++++++++++++++++++
15 files changed, 281 insertions(+)
create mode 100644 .envrc.sample
create mode 100644 .gitignore
create mode 100644 .terraform-docs.yml
create mode 100644 .terraform-version
create mode 100644 .terraform.lock.hcl
create mode 100644 README.md
create mode 100644 oci.iam.tf
create mode 100644 oci.objectstorage.tf
create mode 100644 terraform.backend.tfvars.sample
create mode 100644 terraform.data.tf
create mode 100644 terraform.locals.tf
create mode 100644 terraform.outputs.tf
create mode 100644 terraform.tf
create mode 100644 terraform.tfvars.sample
create mode 100644 terraform.variables.tf
diff --git a/.envrc.sample b/.envrc.sample
new file mode 100644
index 0000000..ff8c4af
--- /dev/null
+++ b/.envrc.sample
@@ -0,0 +1 @@
+export TF_VAR_config_file_profile="${OCI_CLI_PROFILE}"
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..98a2754
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,36 @@
+# from: https://github.com/github/gitignore/blob/main/Terraform.gitignore
+
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
diff --git a/.terraform-docs.yml b/.terraform-docs.yml
new file mode 100644
index 0000000..01647c5
--- /dev/null
+++ b/.terraform-docs.yml
@@ -0,0 +1,6 @@
+formatter: markdown table
+output:
+ file: README.md
+ mode: inject
+sort:
+ by: required
diff --git a/.terraform-version b/.terraform-version
new file mode 100644
index 0000000..4131bf4
--- /dev/null
+++ b/.terraform-version
@@ -0,0 +1 @@
+latest-allowed
diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
new file mode 100644
index 0000000..c3943ad
--- /dev/null
+++ b/.terraform.lock.hcl
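Review bot: `.envrc` itself is not ignored, only the `.envrc.sample` template is committed, so a developer's real `.envrc` (which by this layout carries the profile name and whatever else they export) can be checked in by accident; add `.envrc` next to the CLI configuration entries at the end of the file. The `*.tfvars` rule already keeps `terraform.tfvars` and `terraform.backend.tfvars` out, which matches the two command lines the README gives.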
@@ -0,0 +1,25 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/oracle/oci" {
+ version = "5.42.0"
+ constraints = "~> 5.42.0"
+ hashes = [
+ "h1:FSU0QtxN1cRv9DSxPqwg8E7tdYy/fXrA0fqOqVaqhEM=",
+ "zh:3002adc1c0c23b56c79eac20aa8bcbeecac3ad61e959d4bf3fdbf02c43e0b6fe",
+ "zh:3de47921a93a72dc7a4661f82863f7d7d6e50aec42ec8b289201ebbc19569e2f",
+ "zh:4897dab7303c79597c5b79ed2e3158634f74582a5db22225bd3923c0019b3682",
+ "zh:5b816202c988397d6ca6ddc4919bb10227f93168eeb5d5dacffe552fdbcd643e",
+ "zh:8424d47852d1d80611d2d321c9e5aa88b77ace37cc0d3e9e3346ef0b7812d516",
+ "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
+ "zh:a637b4e0172c588d0b8f41995b0b36526e535ad461dd3bfd5d6f739e2d9fb37c",
+ "zh:b6cb3e0a2e93de7475cb06b3ceed4ad47bbef5dd3d626a13c4f2095cb9c7459b",
+ "zh:c54c437e136eb63cf087ec66f476e9e10fdcb5ddd695c6daf45ca634985d6b55",
+ "zh:c7563b56f31e08a2d8fefb19834f08d116581a4b47bbb43486da9082e719d6d5",
+ "zh:c8f98a1463fea84486d7ff1a7149a60684de8ebb06f408adaf74dc6940914a39",
+ "zh:cfdb86269b01c19f0f3da9d2b087d3a56343f1eba9021cf0c49d697041357359",
+ "zh:d68a4bfbd7a1d11eded456724b7876428e42aa5e86ff64b53da8bba1b8a6b2c4",
+ "zh:d755b0f6836472327116ac9c111bddcf8719a98f4a68c2377ecaa3f42dfaa094",
+ "zh:f6567eadd4469e66f6d990fcccc8dd8232d8555a2f8698bc823c57384668a074",
+ ]
+}
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..18fbf2c
--- /dev/null
+++ b/README.md
@@ -0,0 +1,32 @@
+# oci woodpecker cache
+
+sets up a cache bucket on oci for use with [woodpecker ci](https://woodpecker-ci.org/).
+
+depends on [terraform-oci-free](https://git.bdeshi.space/bdeshi/terraform-oci-free).
+
+## Usage
+
+```bash
+terraform init -backend-config=terraform.backend.tfvars
+terraform apply -var-file=terraform.tfvars
+```
+
+Collect the output values and create woodpecker ci user-level variables, eg:
+
+```yaml
+CACHE_S3_ENDPOINT:
+CACHE_S3_BUCKET:
+CACHE_S3_ACCESS_KEY_ID:
+CACHE_S3_SECRET_ACCESS_KEY:
+CACHE_USE_PATH_STYLE: true
+```
+
+these variables can then be used with the [drone-cache](https://github.com/meltwater/drone-cache/)
+plugin in a woodpecker ci pipeline.
+
+
+ # Terraform Docs
+
+
+
diff --git a/oci.iam.tf b/oci.iam.tf
new file mode 100644
index 0000000..3e2564b
--- /dev/null
+++ b/oci.iam.tf
@@ -0,0 +1,42 @@
+resource "oci_identity_user" "woodpecker_cache" {
+ compartment_id = local.tenancy_id
+ name = local.woodpecker_cache_iam_name
+ description = local.woodpecker_cache_iam_name
+ freeform_tags = local.default_tags
+}
+
+resource "oci_identity_user_capabilities_management" "woodpecker_cache" {
+ user_id = oci_identity_user.woodpecker_cache.id
+ can_use_customer_secret_keys = "true"
+ can_use_api_keys = "false"
+ can_use_auth_tokens = "false"
+ can_use_console_password = "false"
+ can_use_smtp_credentials = "false"
+}
+
+resource "oci_identity_customer_secret_key" "woodpecker_cache" {
+ display_name = local.woodpecker_cache_iam_name
+ user_id = oci_identity_user.woodpecker_cache.id
+}
+
+resource "oci_identity_group" "woodpecker_cache" {
+ compartment_id = local.tenancy_id
+ name = local.woodpecker_cache_iam_name
+ description = local.woodpecker_cache_iam_name
+ freeform_tags = local.default_tags
+}
+
+resource "oci_identity_user_group_membership" "woodpecker_cache" {
+ group_id = oci_identity_group.woodpecker_cache.id
+ user_id = oci_identity_user.woodpecker_cache.id
+}
+
+resource "oci_identity_policy" "woodpecker_cache" {
+ compartment_id = local.compartment_id
+ description = local.woodpecker_cache_iam_name
+ name = local.woodpecker_cache_iam_name
+ statements = [
+ "ALLOW group ${oci_identity_group.woodpecker_cache.name} TO manage objects IN COMPARTMENT '${local.compartment_name}' where all {target.bucket.name = '${oci_objectstorage_bucket.woodpecker_cache.name}'}"
+ ]
+ freeform_tags = local.default_tags
+}
diff --git a/oci.objectstorage.tf b/oci.objectstorage.tf
new file mode 100644
index 0000000..7d4d378
--- /dev/null
+++ b/oci.objectstorage.tf
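Review bot: The capability flags on `oci_identity_user_capabilities_management` are written as quoted strings (`can_use_customer_secret_keys = "true"`, `can_use_api_keys = "false"`, and so on) although they are boolean attributes; Terraform coerces them, but plain `true`/`false` read as what they are and match the unquoted booleans used in the other files of this change. Restricting the user to customer secret keys only is a good least-privilege shape, and so is the `manage objects` statement filtered to one bucket; if the S3-compatible client also issues bucket-level calls (HeadBucket/ListObjects), it may additionally need a `read buckets` statement scoped the same way, which is worth verifying against what the drone-cache plugin actually calls. The `oci_identity_customer_secret_key` keeps its secret in the Terraform state, so anyone who can read the remote workspace state can obtain the S3 credential; a comment on that resource, `# the generated secret is persisted in state - restrict state read access accordingly`, would make that trade-off visible to the next maintainer.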
@@ -0,0 +1,47 @@
+data "oci_objectstorage_namespace" "ns" {
+ compartment_id = local.compartment_id
+}
+
+resource "oci_objectstorage_bucket" "woodpecker_cache" {
+ compartment_id = local.compartment_id
+ name = "woodpecker-cache"
+ namespace = data.oci_objectstorage_namespace.ns.namespace
+ freeform_tags = local.default_tags
+}
+
+resource "oci_objectstorage_object_lifecycle_policy" "woodpecker_cache" {
+ bucket = oci_objectstorage_bucket.woodpecker_cache.name
+ namespace = data.oci_objectstorage_namespace.ns.namespace
+ rules {
+ is_enabled = true
+ action = "INFREQUENT_ACCESS"
+ name = "migrate-infrequent-access"
+ target = "objects"
+ time_amount = 30
+ time_unit = "DAYS"
+ }
+ rules {
+ is_enabled = true
+ action = "ARCHIVE"
+ name = "migrate-archive"
+ target = "objects"
+ time_amount = 90
+ time_unit = "DAYS"
+ }
+ rules {
+ is_enabled = true
+ action = "DELETE"
+ name = "delete-old-caches"
+ target = "objects"
+ time_amount = 120
+ time_unit = "DAYS"
+ }
+ rules {
+ is_enabled = true
+ action = "ABORT"
+ name = "cancel-multipart-uploads"
+ target = "multipart-uploads"
+ time_amount = "3"
+ time_unit = "DAYS"
+ }
+}
diff --git a/terraform.backend.tfvars.sample b/terraform.backend.tfvars.sample
new file mode 100644
index 0000000..96bc928
--- /dev/null
+++ b/terraform.backend.tfvars.sample
@@ -0,0 +1,5 @@
+#vim:ft=hcl
+organization = "***"
+workspaces {
+ name = "***"
+}
diff --git a/terraform.data.tf b/terraform.data.tf
new file mode 100644
index 0000000..338dce3
--- /dev/null
+++ b/terraform.data.tf
@@ -0,0 +1,4 @@
+data "terraform_remote_state" "base" {
+ backend = var.remote_state_type
+ config = var.remote_state_config
+}
diff --git a/terraform.locals.tf b/terraform.locals.tf
new file mode 100644
index 0000000..37c2db7
--- /dev/null
+++ b/terraform.locals.tf
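Review bot: OCI Object Lifecycle Management only acts when the Object Storage service itself has been authorised to manage objects in the compartment (a policy of the form `Allow service objectstorage-<region> to manage object-family in compartment <name>`); nothing in this change grants that, so unless the base stack already does, the four `rules` blocks on `oci_objectstorage_object_lifecycle_policy` will be accepted but never executed. The `ARCHIVE` rule at 90 days is also questionable for a CI cache: archived objects must be restored before they can be downloaded, so a cache hit on an object older than 90 days fails at fetch time rather than merely being slower; consider dropping that rule and letting the 120-day `DELETE` handle stale entries. Minor: `time_amount = "3"` on the multipart rule is a quoted string while the other three rules use integers, so `time_amount = 3` for consistency.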
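Review bot: `terraform_remote_state` needs read access to the entire state snapshot of the base workspace, not just its outputs, so every sensitive value stored there is readable by whoever runs this configuration and the credential used must carry full state read on that workspace; a one-line comment naming what is consumed, e.g. `# only tenancy_id, compartment_id and compartment_name are read (see terraform.locals.tf)`, makes the coupling explicit. If the backend is Terraform Cloud/Enterprise, the `tfe_outputs` data source is the narrower alternative since it requires only read-outputs access, though it would add a provider to the change.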
@@ -0,0 +1,12 @@
+locals {
+
+ tenancy_id = data.terraform_remote_state.base.outputs.tenancy_id
+ compartment_id = data.terraform_remote_state.base.outputs.compartment_id
+ compartment_name = data.terraform_remote_state.base.outputs.compartment_name
+ default_tags = {
+ ManagedBy = "iac/terraform"
+ "iac/source" = var.iac_source
+ "iac/component" = var.iac_component
+ }
+ woodpecker_cache_iam_name = "woodpecker-cache-operator"
+}
diff --git a/terraform.outputs.tf b/terraform.outputs.tf
new file mode 100644
index 0000000..891c806
--- /dev/null
+++ b/terraform.outputs.tf
@@ -0,0 +1,21 @@
+output "s3_bucket_name" {
+ value = oci_objectstorage_bucket.woodpecker_cache.name
+}
+
+output "s3_endpoint" {
+ value = "https://${oci_objectstorage_bucket.woodpecker_cache.namespace}.compat.objectstorage.${var.oci_region}.oraclecloud.com"
+}
+
+output "s3_accss_key_id" {
+ value = oci_identity_customer_secret_key.woodpecker_cache.id
+}
+
+output "s3_secret_access_key" {
+ value = oci_identity_customer_secret_key.woodpecker_cache.key
+ sensitive = true
+}
+
+output "s3_use_path_style" {
+ description = "Use path style access for S3. This is necessary for OCI object storage."
+ value = true
+}
diff --git a/terraform.tf b/terraform.tf
new file mode 100644
index 0000000..d54090c
--- /dev/null
+++ b/terraform.tf
@@ -0,0 +1,15 @@
+terraform {
+ required_version = "~> 1.8.0"
+ required_providers {
+ oci = {
+ source = "oracle/oci"
+ version = "~> 5.42.0"
+ }
+ }
+
+ backend "remote" {}
+}
+
+provider "oci" {
+ region = var.oci_region
+}
diff --git a/terraform.tfvars.sample b/terraform.tfvars.sample
new file mode 100644
index 0000000..429b2f7
--- /dev/null
+++ b/terraform.tfvars.sample
@@ -0,0 +1,9 @@
+#vim:ft=hcl
+oci_region = "uk-london-1"
+remote_state_type = "remote"
+remote_state_config = {
+ organization = "***"
+ workspaces = {
+ name = "***"
+ }
+}
diff --git a/terraform.variables.tf b/terraform.variables.tf
new file mode 100644
index 0000000..d2ddc75
--- /dev/null
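Review bot: `locals {` is followed by a stray empty line that none of the other blocks in this change have; drop it so the file reads like the rest. The three `data.terraform_remote_state.base.outputs.*` lookups are the only place the base stack's contract is spelled out, so a short comment above them, `# resolved from the base stack's outputs (terraform.data.tf)`, would help a reader arriving from oci.iam.tf understand where `tenancy_id` and `compartment_name` come from.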
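Review bot: The output name `s3_accss_key_id` is misspelled (`accss`); since the README tells users to map the outputs onto `CACHE_S3_ACCESS_KEY_ID`, rename it in this init commit before anything depends on it: `output "s3_access_key_id" {`. Only `s3_use_path_style` carries a `description`, yet `.terraform-docs.yml` injects the outputs table into README.md, so the other four would render without text; one-line descriptions for `s3_bucket_name`, `s3_endpoint`, the access key id and `s3_secret_access_key` would complete the generated docs. `sensitive = true` on the secret key is correct, but it only masks CLI display; the value is still present in plain text in the state file, which is worth saying in that output's description.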
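Review bot: The `provider "oci"` block sets only `region`, so authentication is configured entirely out of band (`.envrc.sample` exports `TF_VAR_config_file_profile`, which the OCI provider also reads from the environment) and nothing in this file tells a reader that; a comment on the block, `# credentials come from the OCI config file profile named by TF_VAR_config_file_profile (see .envrc.sample)`, closes that gap. `backend "remote" {}` is empty on purpose because the README passes `-backend-config=terraform.backend.tfvars`; a matching one-line comment there would save the same question.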
+++ b/terraform.variables.tf
@@ -0,0 +1,25 @@
+variable "oci_region" {
+ type = string
+}
+
+variable "iac_source" {
+ type = string
+ default = "git@git.bdeshi.space:bdeshi/terraform-oci-woodpecker-cache.git"
+ description = "Source of the iac config. used in various tags and metadata."
+}
+
+variable "iac_component" {
+ type = string
+ default = "oci-woodpecker-cache"
+ description = "Component name of the iac config. used in various tags and metadata."
+}
+
+variable "remote_state_type" {
+ type = string
+ description = "The type of the remote state backend to fetch the compartment_id from"
+}
+
+variable "remote_state_config" {
+ type = any
+ description = "The configuration of the remote state backend to fetch the compartment_id from"
+}
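Review bot: `oci_region` has no `description`, and the descriptions on `remote_state_type` and `remote_state_config` say the backend is used "to fetch the compartment_id from" while terraform.locals.tf also takes `tenancy_id` and `compartment_name` from it; give `oci_region` `description = "OCI region the bucket and its S3-compatible endpoint live in."` and widen the other two to "to fetch tenancy_id, compartment_id and compartment_name from". `type = any` on `remote_state_config` is presumably intentional because its shape depends on `remote_state_type`; a comment saying so, `# shape depends on remote_state_type; see terraform.tfvars.sample`, would stop a later reviewer from tightening it to an object type that only fits the remote backend.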