Manage GitHub org secrets in terraform (#65)
* Fix typo

* Configure gh actions secrets
ArmaanT authored Mar 17, 2021
1 parent 08c611c commit ae62ea4
Showing 5 changed files with 46 additions and 1 deletion.
18 changes: 18 additions & 0 deletions terraform/.terraform.lock.hcl


6 changes: 5 additions & 1 deletion terraform/README.md
Expand Up @@ -16,7 +16,7 @@ We use [Terraform](https://www.terraform.io/docs/index.html) to manage our infra

Contains configuration to create a terraform S3 backend. `provider.tf` in is configured to use the remote S3 backend.

## bastion
## bastion.tf

Configures a bastion that allows Team Leads to exec into pods (normally to run manage.py commands).

Expand All @@ -36,6 +36,10 @@ Finally, a populated kubeconfig is pushed to vault for platform members to use.

Creates an IAM user for GitHub Actions that can assume the `kubectl` IAM role as well as describe the EKS cluster (so that it can generate its own kubeconfig).

## github.tf

Creates organization GitHub Actions secrets used by our CI. Currently just AWS credentials and our AWS account ID.

## iam.tf

Uses our [IAM Module](./modules/iam) to create IAM roles for all of our products that can be assumed by the correct Service Account in the `default` namespace.
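Review bot: the new `github.tf` section should say who can read these secrets. The accompanying Terraform resources set `visibility = "all"`, so every repository in the organization, not only the repositories whose CI deploys to AWS, can use them; state that scope here, or narrow the visibility in `github.tf`, so the README matches what is actually configured. It is also worth a sentence that the values are sourced from Terraform state (the IAM access key and the caller identity) rather than pasted by hand, since that is the reason for managing them in Terraform at all.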
17 changes: 17 additions & 0 deletions terraform/github.tf
@@ -0,0 +1,17 @@
resource "github_actions_organization_secret" "aws_account_id" {
secret_name = "AWS_ACCOUNT_ID"
visibility = "all"
plaintext_value = data.aws_caller_identity.current.account_id
}

resource "github_actions_organization_secret" "aws_access_key" {
secret_name = "GH_AWS_ACCESS_KEY_ID"
visibility = "all"
plaintext_value = aws_iam_access_key.gh-actions.id
}

resource "github_actions_organization_secret" "aws_secret_key" {
secret_name = "GH_AWS_SECRET_ACCESS_KEY"
visibility = "all"
plaintext_value = aws_iam_access_key.gh-actions.secret
}
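Review bot: `visibility = "all"` on `aws_access_key` and `aws_secret_key` makes long-lived AWS IAM credentials readable by every repository in the organization, including any public or lightly reviewed repository whose workflows can read organization secrets. Prefer `visibility = "selected"` with `selected_repository_ids` limited to the repositories that actually deploy, or `visibility = "private"` if every consumer is a private repository. `AWS_ACCOUNT_ID` is not sensitive, so `all` is fine for that one. Note also that `plaintext_value` for all three resources is recorded in Terraform state; the S3 bucket holding that state must be protected as carefully as the credentials themselves (the `aws_iam_access_key.gh-actions.secret` attribute already puts the secret there, so this commit does not change that requirement, but it does widen where the same value is exposed).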
2 changes: 2 additions & 0 deletions terraform/main.tf
Expand Up @@ -43,6 +43,8 @@ locals {
traefik_lb_name = "a3b77cc4561e649d4bcc2a89e1b63d7d"
}

data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "assume-kubectl" {
statement {
actions = ["sts:AssumeRole"]
4 changes: 4 additions & 0 deletions terraform/provider.tf
Expand Up @@ -28,6 +28,10 @@ provider "postgresql" {
sslmode = "require"
}

provider "github" {
organization = "pennlabs"
}

terraform {
backend "s3" {
region = "us-east-1"
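Review bot: the `github` provider block sets only `organization`; no token is configured, so `terraform apply` will rely on a `GITHUB_TOKEN` environment variable that neither this file nor the README mentions. Document where that token comes from and what it needs (creating organization secrets requires organization admin permission), since whoever runs this from the bastion or CI will otherwise hit an unexplained authentication failure. Two smaller points: in the integrations/github provider from v4 onwards `organization` is deprecated in favour of `owner`, so `owner = "pennlabs"` is the forward-compatible form if the locked version supports it; and the provider is not pinned in `required_providers` here, so the version constraint lives only in the lock file added by this commit.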

0 comments on commit ae62ea4