init (resources creation ok)

2024-05-28 15:02:15 +06:00 · 2024-05-28 15:02:15 +06:00 · 334770143c
commit 334770143c
15 changed files with 281 additions and 0 deletions
--- a/.envrc.sample
+++ b/.envrc.sample
@ -0,0 +1 @@
 export TF_VAR_config_file_profile="${OCI_CLI_PROFILE}"
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,36 @@
 # from: https://github.com/github/gitignore/blob/main/Terraform.gitignore
 # Local .terraform directories
 **/.terraform/*
 # .tfstate files
 *.tfstate
 *.tfstate.*
 # Crash log files
 crash.log
 crash.*.log
 # Exclude all .tfvars files, which are likely to contain sensitive data, such as
 # password, private keys, and other secrets. These should not be part of version 
 # control as they are data points which are potentially sensitive and subject 
 # to change depending on the environment.
 *.tfvars
 *.tfvars.json
 # Ignore override files as they are usually used to override resources locally and so
 # are not checked in
 override.tf
 override.tf.json
 *_override.tf
 *_override.tf.json
 # Include override files you do wish to add to version control using negated pattern
 # !example_override.tf
 # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
 # example: *tfplan*
 # Ignore CLI configuration files
 .terraformrc
 terraform.rc
--- a/.terraform-docs.yml
+++ b/.terraform-docs.yml
@ -0,0 +1,6 @@
 formatter: markdown table
 output:
  file: README.md
  mode: inject
 sort:
  by: required
--- a/.terraform-version
+++ b/.terraform-version
@ -0,0 +1 @@
 latest-allowed
--- a/.terraform.lock.hcl
+++ b/.terraform.lock.hcl
@ -0,0 +1,25 @@
 # This file is maintained automatically by "terraform init".
 # Manual edits may be lost in future updates.
 provider "registry.terraform.io/oracle/oci" {
  version     = "5.42.0"
  constraints = "~> 5.42.0"
  hashes = [
    "h1:FSU0QtxN1cRv9DSxPqwg8E7tdYy/fXrA0fqOqVaqhEM=",
    "zh:3002adc1c0c23b56c79eac20aa8bcbeecac3ad61e959d4bf3fdbf02c43e0b6fe",
    "zh:3de47921a93a72dc7a4661f82863f7d7d6e50aec42ec8b289201ebbc19569e2f",
    "zh:4897dab7303c79597c5b79ed2e3158634f74582a5db22225bd3923c0019b3682",
    "zh:5b816202c988397d6ca6ddc4919bb10227f93168eeb5d5dacffe552fdbcd643e",
    "zh:8424d47852d1d80611d2d321c9e5aa88b77ace37cc0d3e9e3346ef0b7812d516",
    "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
    "zh:a637b4e0172c588d0b8f41995b0b36526e535ad461dd3bfd5d6f739e2d9fb37c",
    "zh:b6cb3e0a2e93de7475cb06b3ceed4ad47bbef5dd3d626a13c4f2095cb9c7459b",
    "zh:c54c437e136eb63cf087ec66f476e9e10fdcb5ddd695c6daf45ca634985d6b55",
    "zh:c7563b56f31e08a2d8fefb19834f08d116581a4b47bbb43486da9082e719d6d5",
    "zh:c8f98a1463fea84486d7ff1a7149a60684de8ebb06f408adaf74dc6940914a39",
    "zh:cfdb86269b01c19f0f3da9d2b087d3a56343f1eba9021cf0c49d697041357359",
    "zh:d68a4bfbd7a1d11eded456724b7876428e42aa5e86ff64b53da8bba1b8a6b2c4",
    "zh:d755b0f6836472327116ac9c111bddcf8719a98f4a68c2377ecaa3f42dfaa094",
    "zh:f6567eadd4469e66f6d990fcccc8dd8232d8555a2f8698bc823c57384668a074",
  ]
 }
--- a/README.md
+++ b/README.md
@ -0,0 +1,32 @@
 # oci woodpecker cache
 sets up a cache bucket on oci for use with [woodpecker ci](https://woodpecker-ci.org/).
 depends on [terraform-oci-free](https://git.bdeshi.space/bdeshi/terraform-oci-free).
 ## Usage
 ```bash
 terraform init -backend-config=terraform.backend.tfvars
 terraform apply -var-file=terraform.tfvars
 ```
 Collect the output values and create woodpecker ci user-level variables, eg:
 ```yaml
 CACHE_S3_ENDPOINT: <s3_endpoint>
 CACHE_S3_BUCKET: <s3_bucket_name>
 CACHE_S3_ACCESS_KEY_ID: <s3_access_key_id>
 CACHE_S3_SECRET_ACCESS_KEY: <s3_secret_access_key>
 CACHE_USE_PATH_STYLE: true
 ```
 these variables can then be used with the [drone-cache](https://github.com/meltwater/drone-cache/)
 plugin in a woodpecker ci pipeline.
 <!-- markdownlint-disable -->
 # Terraform Docs
 <!-- BEGIN_TF_DOCS -->
 <!-- END_TF_DOCS -->
--- a/oci.iam.tf
+++ b/oci.iam.tf
@ -0,0 +1,42 @@
 resource "oci_identity_user" "woodpecker_cache" {
  compartment_id = local.tenancy_id
  name           = local.woodpecker_cache_iam_name
  description    = local.woodpecker_cache_iam_name
  freeform_tags  = local.default_tags
 }
 resource "oci_identity_user_capabilities_management" "woodpecker_cache" {
  user_id                      = oci_identity_user.woodpecker_cache.id
  can_use_customer_secret_keys = "true"
  can_use_api_keys             = "false"
  can_use_auth_tokens          = "false"
  can_use_console_password     = "false"
  can_use_smtp_credentials     = "false"
 }
 resource "oci_identity_customer_secret_key" "woodpecker_cache" {
  display_name = local.woodpecker_cache_iam_name
  user_id      = oci_identity_user.woodpecker_cache.id
 }
 resource "oci_identity_group" "woodpecker_cache" {
  compartment_id = local.tenancy_id
  name           = local.woodpecker_cache_iam_name
  description    = local.woodpecker_cache_iam_name
  freeform_tags  = local.default_tags
 }
 resource "oci_identity_user_group_membership" "woodpecker_cache" {
  group_id = oci_identity_group.woodpecker_cache.id
  user_id  = oci_identity_user.woodpecker_cache.id
 }
 resource "oci_identity_policy" "woodpecker_cache" {
  compartment_id = local.compartment_id
  description    = local.woodpecker_cache_iam_name
  name           = local.woodpecker_cache_iam_name
  statements = [
    "ALLOW group ${oci_identity_group.woodpecker_cache.name} TO manage objects IN COMPARTMENT '${local.compartment_name}' where all {target.bucket.name = '${oci_objectstorage_bucket.woodpecker_cache.name}'}"
  ]
  freeform_tags = local.default_tags
 }
--- a/oci.objectstorage.tf
+++ b/oci.objectstorage.tf
@ -0,0 +1,47 @@
 data "oci_objectstorage_namespace" "ns" {
  compartment_id = local.compartment_id
 }
 resource "oci_objectstorage_bucket" "woodpecker_cache" {
  compartment_id = local.compartment_id
  name           = "woodpecker-cache"
  namespace      = data.oci_objectstorage_namespace.ns.namespace
  freeform_tags  = local.default_tags
 }
 resource "oci_objectstorage_object_lifecycle_policy" "woodpecker_cache" {
  bucket    = oci_objectstorage_bucket.woodpecker_cache.name
  namespace = data.oci_objectstorage_namespace.ns.namespace
  rules {
    is_enabled  = true
    action      = "INFREQUENT_ACCESS"
    name        = "migrate-infrequent-access"
    target      = "objects"
    time_amount = 30
    time_unit   = "DAYS"
  }
  rules {
    is_enabled  = true
    action      = "ARCHIVE"
    name        = "migrate-archive"
    target      = "objects"
    time_amount = 90
    time_unit   = "DAYS"
  }
  rules {
    is_enabled  = true
    action      = "DELETE"
    name        = "delete-old-caches"
    target      = "objects"
    time_amount = 120
    time_unit   = "DAYS"
  }
  rules {
    is_enabled  = true
    action      = "ABORT"
    name        = "cancel-multipart-uploads"
    target      = "multipart-uploads"
    time_amount = "3"
    time_unit   = "DAYS"
  }
 }
--- a/terraform.backend.tfvars.sample
+++ b/terraform.backend.tfvars.sample
@ -0,0 +1,5 @@
 #vim:ft=hcl
 organization = "***"
 workspaces {
  name = "***"
 }
--- a/terraform.data.tf
+++ b/terraform.data.tf
@ -0,0 +1,4 @@
 data "terraform_remote_state" "base" {
  backend = var.remote_state_type
  config  = var.remote_state_config
 }
--- a/terraform.locals.tf
+++ b/terraform.locals.tf
@ -0,0 +1,12 @@
 locals {
  tenancy_id       = data.terraform_remote_state.base.outputs.tenancy_id
  compartment_id   = data.terraform_remote_state.base.outputs.compartment_id
  compartment_name = data.terraform_remote_state.base.outputs.compartment_name
  default_tags = {
    ManagedBy       = "iac/terraform"
    "iac/source"    = var.iac_source
    "iac/component" = var.iac_component
  }
  woodpecker_cache_iam_name = "woodpecker-cache-operator"
 }
--- a/terraform.outputs.tf
+++ b/terraform.outputs.tf
@ -0,0 +1,21 @@
 output "s3_bucket_name" {
  value = oci_objectstorage_bucket.woodpecker_cache.name
 }
 output "s3_endpoint" {
  value = "https://${oci_objectstorage_bucket.woodpecker_cache.namespace}.compat.objectstorage.${var.oci_region}.oraclecloud.com"
 }
 output "s3_accss_key_id" {
  value = oci_identity_customer_secret_key.woodpecker_cache.id
 }
 output "s3_secret_access_key" {
  value     = oci_identity_customer_secret_key.woodpecker_cache.key
  sensitive = true
 }
 output "s3_use_path_style" {
  description = "Use path style access for S3. This is necessary for OCI object storage."
  value       = true
 }
--- a/terraform.tf
+++ b/terraform.tf
@ -0,0 +1,15 @@
 terraform {
  required_version = "~> 1.8.0"
  required_providers {
    oci = {
      source  = "oracle/oci"
      version = "~> 5.42.0"
    }
  }
  backend "remote" {}
 }
 provider "oci" {
  region = var.oci_region
 }
--- a/terraform.tfvars.sample
+++ b/terraform.tfvars.sample
@ -0,0 +1,9 @@
 #vim:ft=hcl
 oci_region       = "uk-london-1"
 remote_state_type = "remote"
 remote_state_config = {
    organization = "***"
    workspaces = {
        name = "***"
    }
 }
--- a/terraform.variables.tf
+++ b/terraform.variables.tf
@ -0,0 +1,25 @@
 variable "oci_region" {
  type = string
 }
 variable "iac_source" {
  type        = string
  default     = "git@git.bdeshi.space:bdeshi/terraform-oci-woodpecker-cache.git"
  description = "Source of the iac config. used in various tags and metadata."
 }
 variable "iac_component" {
  type        = string
  default     = "oci-woodpecker-cache"
  description = "Component name of the iac config. used in various tags and metadata."
 }
 variable "remote_state_type" {
  type        = string
  description = "The type of the remote state backend to fetch the compartment_id from"
 }
 variable "remote_state_config" {
  type        = any
  description = "The configuration of the remote state backend to fetch the compartment_id from"
 }
		`@ -0,0 +1 @@`
							`export TF_VAR_config_file_profile="${OCI_CLI_PROFILE}"`