feat: first version

2025-10-22 15:58:46 +02:00
parent 2a74b6cf6c
commit 5ed688ff16
14 changed files with 214 additions and 2 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -37,3 +37,4 @@ override.tf.json
 .terraformrc
 terraform.rc

+.envrc
--- a/.terraform.lock.hcl
+++ b/.terraform.lock.hcl
@@ -0,0 +1,25 @@
+# This file is maintained automatically by "tofu init".
+# Manual edits may be lost in future updates.
+
+provider "registry.opentofu.org/ceski23/garage2" {
+  version     = "0.1.1"
+  constraints = "0.1.1"
+  hashes = [
+    "h1:6swSZBYakNwgULxyEXAQ8Hu6Ql52XomxKcKqy/dFgyM=",
+    "zh:01d14700eef322749a57e162f1f24d3cec6d50771d03a292c0d7a1bd5cdbcce9",
+    "zh:0fa82a384b25a58b65523e0ea4768fa1212b1f5cfc0c9379d31162454fedcc9d",
+    "zh:435ea22c3523269b4bd5fb9223c4c1bb175b21a3454a32304169d800403f398c",
+    "zh:446ad92af8d5078807917dfb8c1136a07d57c0e869b980c718c9e755ae5756e4",
+    "zh:45bd7f5c40c8bcc76552761a6e05a00db1c83c2fa440814301f4e60d9fdeaa8b",
+    "zh:46484ca224b295929de7dc7a1d06954b1c22f8e08122b72eef20c786576c083a",
+    "zh:535307b09175c58ef7cedf58659caa14c577f38ab3c69939be5de397433268b4",
+    "zh:53c6be15762c923123ddd12cddefb0693e2c589aaf65bf6682aed96c116954c5",
+    "zh:5dc389e32e1aa83ecf1497772487dc0c52f8b0783c36569947a8968929403227",
+    "zh:698fcdcdb04ced92d1e389d2b5aacd4015e339dbcbb5a7dc547cdf8882f8000c",
+    "zh:b03959af664897bf458592ab57c5c271008c0720f54045dfb28b23fd97db67a8",
+    "zh:b80e817625309e5d28dc2a98172935792be17940e5b7d3e3155e64a80a07bbb4",
+    "zh:ce7855b3fec54bda00b7d5f92dfe7d4dfc180f88148dede0cbaabaa43414ef72",
+    "zh:d28a231d590a30bf7c42568df280cfa5ab29bfa921b89121fdaffacdda9445d9",
+    "zh:d5042dec828f7a81a17ca76d52c3bbb81d4ba228a60cd33dd3aa4a01992e2f30",
+  ]
+}
--- a/README.md
+++ b/README.md
@@ -1,3 +1,22 @@
-# garage
+# How to

-Garage Tofu
+The environment variables you need to have:
+```bash
+AWS_ACCESS_KEY_ID=<REDACTED>
+AWS_SECRET_ACCESS_KEY=<REDACTED>
+AWS_EC2_METADATA_DISABLED=1
+GARAGE_TOKEN=<REDACTED>
+TF_VAR_env=prd
+```
+
+To execute the first time:
+```bash
+tofu workspace new ${TF_VAR_env}
+tofu apply -var-file=vars/${TF_VAR_env}/terraform.tfvars
+```
+
+Afterwards:
+```bash
+tofu workspace select ${TF_VAR_env}
+tofu apply -var-file=vars/${TF_VAR_env}/terraform.tfvars
+```
--- a/main.tf
+++ b/main.tf
@@ -0,0 +1,20 @@
+module "key" {
+  source = "./modules/keys"
+
+  for_each = toset(var.keys)
+
+  name = each.key
+}
+
+module "bucket" {
+  source = "./modules/buckets"
+
+  for_each = var.buckets
+
+  name                   = each.key
+  website_access_enabled = each.value.website_access_enabled
+  global_aliases         = each.value.aliases
+  allowed_keys           = each.value.allowed_keys
+
+  global_keys = module.key
+}
--- a/modules/buckets/locals.tf
+++ b/modules/buckets/locals.tf
@@ -0,0 +1,3 @@
+locals {
+  aliases = concat([var.name], var.global_aliases)
+}
--- a/modules/buckets/main.tf
+++ b/modules/buckets/main.tf
@@ -0,0 +1,22 @@
+resource "garage_bucket" "bucket" {
+  website_access_enabled        = var.website_access_enabled
+  website_config_index_document = var.website_access_enabled == true ? "index.html" : null
+}
+
+resource "garage_bucket_global_alias" "bucket_alias" {
+  bucket_id = garage_bucket.bucket.id
+
+  for_each = toset(local.aliases)
+
+  alias = each.key
+}
+
+resource "garage_bucket_key" "authorized_keys" {
+  bucket_id = garage_bucket.bucket.id
+
+  for_each      = var.allowed_keys
+  access_key_id = var.global_keys[each.key].access_key_id
+  read          = each.value.read
+  write         = each.value.write
+  owner         = each.value.owner
+}
--- a/modules/buckets/providers.tf
+++ b/modules/buckets/providers.tf
@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    garage = {
+      source  = "ceski23/garage2"
+      version = "0.1.1"
+    }
+  }
+}
--- a/modules/buckets/variables.tf
+++ b/modules/buckets/variables.tf
@@ -0,0 +1,32 @@
+variable "name" {
+  description = "Global alias of the bucket"
+  type        = string
+}
+
+variable "website_access_enabled" {
+  description = "Is direct HTTP access enabled?"
+  type        = bool
+  default     = false
+}
+
+variable "global_aliases" {
+  description = "Optional list of aliases for the bucket"
+  type        = list(string)
+  default     = []
+}
+
+variable "global_keys" {
+  description = "List of all keys of the Garage instance"
+  type = map(object({
+    access_key_id = string
+  }))
+}
+
+variable "allowed_keys" {
+  description = "Keys authorized for that specific bucket, with their authorization"
+  type = map(object({
+    read  = optional(bool, false)
+    write = optional(bool, false)
+    owner = optional(bool, false)
+  }))
+}
--- a/modules/keys/main.tf
+++ b/modules/keys/main.tf
@@ -0,0 +1,6 @@
+resource "garage_key" "key" {
+  name = var.name
+  permissions = {
+    create_bucket = false
+  }
+}
--- a/modules/keys/outputs.tf
+++ b/modules/keys/outputs.tf
@@ -0,0 +1,3 @@
+output "access_key_id" {
+  value = garage_key.key.access_key_id
+}
--- a/modules/keys/providers.tf
+++ b/modules/keys/providers.tf
@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    garage = {
+      source  = "ceski23/garage2"
+      version = "0.1.1"
+    }
+  }
+}
--- a/modules/keys/variables.tf
+++ b/modules/keys/variables.tf
@@ -0,0 +1,4 @@
+variable "name" {
+  description = "Name of the key to add"
+  type        = string
+}
--- a/providers.tf
+++ b/providers.tf
@@ -0,0 +1,27 @@
+terraform {
+  required_providers {
+    garage = {
+      source  = "ceski23/garage2"
+      version = "0.1.1"
+    }
+  }
+
+  backend "s3" {
+    bucket = "opentofu"
+    region = "garage"
+    key    = "garage/terraform.tfstate"
+    endpoints = {
+      s3 = "https://garage.mateu.be"
+    }
+    use_path_style              = true
+    skip_credentials_validation = true
+    skip_region_validation      = true
+    skip_requesting_account_id  = true
+    skip_metadata_api_check     = true
+  }
+}
+
+provider "garage" {
+  host   = var.url
+  scheme = var.scheme
+}
--- a/variables.tf
+++ b/variables.tf
@@ -0,0 +1,34 @@
+variable "url" {
+  description = "The URL for Garage Admin API"
+  type        = string
+}
+
+variable "scheme" {
+  description = "HTTP or HTTPS scheme (default to HTTPS)"
+  type        = string
+  default     = "https"
+}
+
+variable "keys" {
+  description = "Complete declarative description of a S3 Garage Key"
+  type        = list(string)
+}
+
+variable "buckets" {
+  description = "Complete declarative description of a S3 Garage Bucket"
+  type = map(object({
+    website_access_enabled = optional(bool, false)
+    aliases                = optional(list(string), [])
+    allowed_keys = map(object({
+      read  = optional(bool, false)
+      write = optional(bool, false)
+      owner = optional(bool, false)
+    }))
+  }))
+}
+
+variable "env" {
+  description = "The target env for Garage configuration"
+  type        = string
+  default     = "prd"
+}