diff --git a/.gitignore b/.gitignore
index 146575e..c06d39b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -37,3 +37,4 @@ override.tf.json
 .terraformrc
 terraform.rc
+.envrc
diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
new file mode 100644
index 0000000..86a3326
--- /dev/null
+++ b/.terraform.lock.hcl
@@ -0,0 +1,25 @@
+# This file is maintained automatically by "tofu init".
+# Manual edits may be lost in future updates.
+
+provider "registry.opentofu.org/ceski23/garage2" {
+ version = "0.1.1"
+ constraints = "0.1.1"
+ hashes = [
+ "h1:6swSZBYakNwgULxyEXAQ8Hu6Ql52XomxKcKqy/dFgyM=",
+ "zh:01d14700eef322749a57e162f1f24d3cec6d50771d03a292c0d7a1bd5cdbcce9",
+ "zh:0fa82a384b25a58b65523e0ea4768fa1212b1f5cfc0c9379d31162454fedcc9d",
+ "zh:435ea22c3523269b4bd5fb9223c4c1bb175b21a3454a32304169d800403f398c",
+ "zh:446ad92af8d5078807917dfb8c1136a07d57c0e869b980c718c9e755ae5756e4",
+ "zh:45bd7f5c40c8bcc76552761a6e05a00db1c83c2fa440814301f4e60d9fdeaa8b",
+ "zh:46484ca224b295929de7dc7a1d06954b1c22f8e08122b72eef20c786576c083a",
+ "zh:535307b09175c58ef7cedf58659caa14c577f38ab3c69939be5de397433268b4",
+ "zh:53c6be15762c923123ddd12cddefb0693e2c589aaf65bf6682aed96c116954c5",
+ "zh:5dc389e32e1aa83ecf1497772487dc0c52f8b0783c36569947a8968929403227",
+ "zh:698fcdcdb04ced92d1e389d2b5aacd4015e339dbcbb5a7dc547cdf8882f8000c",
+ "zh:b03959af664897bf458592ab57c5c271008c0720f54045dfb28b23fd97db67a8",
+ "zh:b80e817625309e5d28dc2a98172935792be17940e5b7d3e3155e64a80a07bbb4",
+ "zh:ce7855b3fec54bda00b7d5f92dfe7d4dfc180f88148dede0cbaabaa43414ef72",
+ "zh:d28a231d590a30bf7c42568df280cfa5ab29bfa921b89121fdaffacdda9445d9",
+ "zh:d5042dec828f7a81a17ca76d52c3bbb81d4ba228a60cd33dd3aa4a01992e2f30",
+ ]
+}
diff --git a/README.md b/README.md
index 26ba0fe..1ccab83 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,22 @@
-# garage
+# How to
-Garage Tofu
\ No newline at end of file
+The environment variables you need to have:
+```bash
+AWS_ACCESS_KEY_ID=
+AWS_SECRET_ACCESS_KEY=
+AWS_EC2_METADATA_DISABLED=1
+GARAGE_TOKEN=
+TF_VAR_env=prd
+```
+
+To execute the first time:
+```bash
+tofu workspace new ${TF_VAR_env}
+tofu apply -var-file=vars/${TF_VAR_env}/terraform.tfvars
+```
+
+Afterwards:
+```bash
+tofu workspace select ${TF_VAR_env}
+tofu apply -var-file=vars/${TF_VAR_env}/terraform.tfvars
+```
diff --git a/main.tf b/main.tf
new file mode 100644
index 0000000..d712a72
--- /dev/null
+++ b/main.tf
@@ -0,0 +1,20 @@
+module "key" {
+ source = "./modules/keys"
+
+ for_each = toset(var.keys)
+
+ name = each.key
+}
+
+module "bucket" {
+ source = "./modules/buckets"
+
+ for_each = var.buckets
+
+ name = each.key
+ website_access_enabled = each.value.website_access_enabled
+ global_aliases = each.value.aliases
+ allowed_keys = each.value.allowed_keys
+
+ global_keys = module.key
+}
diff --git a/modules/buckets/locals.tf b/modules/buckets/locals.tf
new file mode 100644
index 0000000..1b714a9
--- /dev/null
+++ b/modules/buckets/locals.tf
@@ -0,0 +1,3 @@
+locals {
+ aliases = concat([var.name], var.global_aliases)
+}
diff --git a/modules/buckets/main.tf b/modules/buckets/main.tf
new file mode 100644
index 0000000..5fb3eaa
--- /dev/null
+++ b/modules/buckets/main.tf
@@ -0,0 +1,22 @@
+resource "garage_bucket" "bucket" {
+ website_access_enabled = var.website_access_enabled
+ website_config_index_document = var.website_access_enabled == true ? "index.html" : null
+}
+
+resource "garage_bucket_global_alias" "bucket_alias" {
+ bucket_id = garage_bucket.bucket.id
+
+ for_each = toset(local.aliases)
+
+ alias = each.key
+}
+
+resource "garage_bucket_key" "authorized_keys" {
+ bucket_id = garage_bucket.bucket.id
+
+ for_each = var.allowed_keys
+ access_key_id = var.global_keys[each.key].access_key_id
+ read = each.value.read
+ write = each.value.write
+ owner = each.value.owner
+}
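Review bot: `var.global_keys[each.key]` in `garage_bucket_key.authorized_keys` (modules/buckets/main.tf) has no guard, so an `allowed_keys` entry whose name is not in `var.keys` fails with a generic "given key does not identify an element" error at plan time instead of pointing at the misconfigured bucket and key. A per-instance `lifecycle` precondition makes the authorization map self-checking and names the problem; the lines it guards are otherwise unchanged. In the same hunk, `var.website_access_enabled == true ? "index.html" : null` can be written `var.website_access_enabled ? "index.html" : null` since the variable is already typed `bool`.
```hcl
resource "garage_bucket_key" "authorized_keys" {
  # … unchanged: bucket_id, for_each, access_key_id, read, write, owner …

  lifecycle {
    precondition {
      condition     = contains(keys(var.global_keys), each.key)
      error_message = "allowed_keys references a key name that is not declared in global_keys (var.keys at the root)."
    }
  }
}
```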
diff --git a/modules/buckets/providers.tf b/modules/buckets/providers.tf
new file mode 100644
index 0000000..5564155
--- /dev/null
+++ b/modules/buckets/providers.tf
@@ -0,0 +1,8 @@
+terraform {
+ required_providers {
+ garage = {
+ source = "ceski23/garage2"
+ version = "0.1.1"
+ }
+ }
+}
diff --git a/modules/buckets/variables.tf b/modules/buckets/variables.tf
new file mode 100644
index 0000000..0b71600
--- /dev/null
+++ b/modules/buckets/variables.tf
@@ -0,0 +1,32 @@
+variable "name" {
+ description = "Global alias of the bucket"
+ type = string
+}
+
+variable "website_access_enabled" {
+ description = "Is direct HTTP access enabled?"
+ type = bool
+ default = false
+}
+
+variable "global_aliases" {
+ description = "Optional list of aliases for the bucket"
+ type = list(string)
+ default = []
+}
+
+variable "global_keys" {
+ description = "List of all keys of the Garage instance"
+ type = map(object({
+ access_key_id = string
+ }))
+}
+
+variable "allowed_keys" {
+ description = "Keys authorized for that specific bucket, with their authorization"
+ type = map(object({
+ read = optional(bool, false)
+ write = optional(bool, false)
+ owner = optional(bool, false)
+ }))
+}
diff --git a/modules/keys/main.tf b/modules/keys/main.tf
new file mode 100644
index 0000000..4c297d6
--- /dev/null
+++ b/modules/keys/main.tf
@@ -0,0 +1,6 @@
+resource "garage_key" "key" {
+ name = var.name
+ permissions = {
+ create_bucket = false
+ }
+}
diff --git a/modules/keys/outputs.tf b/modules/keys/outputs.tf
new file mode 100644
index 0000000..419db2f
--- /dev/null
+++ b/modules/keys/outputs.tf
@@ -0,0 +1,3 @@
+output "access_key_id" {
+ value = garage_key.key.access_key_id
+}
diff --git a/modules/keys/providers.tf b/modules/keys/providers.tf
new file mode 100644
index 0000000..5564155
--- /dev/null
+++ b/modules/keys/providers.tf
@@ -0,0 +1,8 @@
+terraform {
+ required_providers {
+ garage = {
+ source = "ceski23/garage2"
+ version = "0.1.1"
+ }
+ }
+}
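Review bot: The `global_keys` description in modules/buckets/variables.tf reads "List of all keys of the Garage instance", but the type is `map(object({ access_key_id = string }))` and the module indexes it by key name, so the wording misleads anyone building the value by hand rather than passing `module.key`. Suggest `description = "Map of all Garage keys, indexed by key name; each value must expose the key's access_key_id"`. The `allowed_keys` description in the same hunk should also say that its map keys must match names present in `global_keys`, since that lookup is the only link between the two maps and a mismatch is what makes the bucket module fail.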
diff --git a/modules/keys/variables.tf b/modules/keys/variables.tf
new file mode 100644
index 0000000..80e79ce
--- /dev/null
+++ b/modules/keys/variables.tf
@@ -0,0 +1,4 @@
+variable "name" {
+ description = "Name of the key to add"
+ type = string
+}
diff --git a/providers.tf b/providers.tf
new file mode 100644
index 0000000..1fde9f4
--- /dev/null
+++ b/providers.tf
@@ -0,0 +1,27 @@
+terraform {
+ required_providers {
+ garage = {
+ source = "ceski23/garage2"
+ version = "0.1.1"
+ }
+ }
+
+ backend "s3" {
+ bucket = "opentofu"
+ region = "garage"
+ key = "garage/terraform.tfstate"
+ endpoints = {
+ s3 = "https://garage.mateu.be"
+ }
+ use_path_style = true
+ skip_credentials_validation = true
+ skip_region_validation = true
+ skip_requesting_account_id = true
+ skip_metadata_api_check = true
+ }
+}
+
+provider "garage" {
+ host = var.url
+ scheme = var.scheme
+}
diff --git a/variables.tf b/variables.tf
new file mode 100644
index 0000000..5de16cb
--- /dev/null
+++ b/variables.tf
@@ -0,0 +1,34 @@
+variable "url" {
+ description = "The URL for Garage Admin API"
+ type = string
+}
+
+variable "scheme" {
+ description = "HTTP or HTTPS scheme (default to HTTPS)"
+ type = string
+ default = "https"
+}
+
+variable "keys" {
+ description = "Complete declarative description of a S3 Garage Key"
+ type = list(string)
+}
+
+variable "buckets" {
+ description = "Complete declarative description of a S3 Garage Bucket"
+ type = map(object({
+ website_access_enabled = optional(bool, false)
+ aliases = optional(list(string), [])
+ allowed_keys = map(object({
+ read = optional(bool, false)
+ write = optional(bool, false)
+ owner = optional(bool, false)
+ }))
+ }))
+}
+
+variable "env" {
+ description = "The target env for Garage configuration"
+ type = string
+ default = "prd"
+}
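Review bot: The `backend "s3"` block in providers.tf writes state to the `opentofu` bucket with no state encryption, and that state will contain whatever the `garage_key` resources return — presumably each generated key's secret, since Garage issues it at creation time — so read access to the state bucket is equivalent to holding every S3 credential this configuration manages. If the OpenTofu version in use is 1.7 or later, an `encryption` block in the same `terraform` block protects both state and plan files client-side; `var.state_passphrase` below is a constructed name for a new `sensitive = true` variable that would be declared alongside it (the README's environment list would then gain `TF_VAR_state_passphrase`). Independently of encryption, the credentials used for the backend should be a dedicated key limited to this one bucket, and the four `skip_*` flags deserve a comment such as `# Garage has no IAM/STS or EC2 metadata service; skip the AWS-only checks` so a later reader does not mistake them for a shortcut.
```hcl
terraform {
  # … unchanged: required_providers, backend "s3" …

  encryption {
    key_provider "pbkdf2" "state" {
      passphrase = var.state_passphrase
    }
    method "aes_gcm" "state" {
      keys = key_provider.pbkdf2.state
    }
    state {
      method = method.aes_gcm.state
    }
    plan {
      method = method.aes_gcm.state
    }
  }
}
```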
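Review bot: `variable "scheme"` in variables.tf accepts any string although its description promises "HTTP or HTTPS" and the value is passed straight to `provider "garage"`, so a typo surfaces only when the first Admin API call fails; a `validation` block rejects it at plan time. The descriptions of `keys` and `buckets` in the same hunk both read "Complete declarative description of a S3 Garage …", but `keys` is only a `list(string)` of names — suggest `description = "Names of the Garage access keys to create; each is created without bucket-creation rights and can then be granted per-bucket access via var.buckets"`. `var.env` is declared here but does not appear to be referenced by any file in this diff (the README uses `TF_VAR_env` only to pick the workspace and tfvars path), so either use it or note in its description that it exists for the workspace convention.
```hcl
variable "scheme" {
  # … unchanged: description, type, default …

  validation {
    condition     = contains(["http", "https"], var.scheme)
    error_message = "scheme must be either \"http\" or \"https\"."
  }
}
```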