S3 migration (#4)

* working on migrating repos to s3 objects * Update code to migrate repositories to S3 objects * updating * adding ghe-runner configuration * triaging * fixing creds * Update terraform-plan.yaml --------- Co-authored-by: Dave Arnold <dave@roknsound.com>
CSVD · Aug 9, 2024 · 31f6313 · 31f6313
1 parent 7587e49
commit 31f6313
Show file tree

Hide file tree

Showing 6 changed files with 35 additions and 50 deletions.
diff --git a/.github/workflows/terraform-plan.yaml b/.github/workflows/terraform-plan.yaml
@@ -2,35 +2,29 @@
 
 name: Terraform Plan
 
+
 # Controls when the workflow will run
 on:
-  # Triggers the workflow on push or pull request events but only for the "main" branch
   pull_request:
-    branches: [ "main" ]
-  # Allows you to run this workflow manually from the Actions tab
-  workflow_dispatch:
 
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
   # This workflow contains a single job called "build"
   build:
     # The type of runner that the job will run on
-    runs-on: [ image-pipeline ]
+    runs-on: [ aws-image-pipeline ]
 
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
       - uses: actions/checkout@v3
 
-      - uses: hashicorp/setup-terraform@v3
-        with:
-          terraform_wrapper: false
-
       # Runs a set of commands using the runners shell
       - name: Run a multi-line script
+        env:
+          AWS_SECRET_ACCESS_KEY: "${{ secrets.AWS_SECRET_ACCESS_KEY }}"
+          AWS_ACCESS_KEY_ID: "${{ secrets.AWS_ACCESS_KEY_ID }}"
+          AWS_SESSION_TOKEN: "${{ secrets.AWS_SESSION_TOKEN }}"
         run: |
           terraform init -upgrade
           terraform plan
-        env:
-          AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          AWS_ACCESS_KEY_ID=${{ vars.AWS_ACCESS_KEY_ID }}
diff --git a/.gitignore b/.gitignore
@@ -35,3 +35,4 @@ override.tf.json
 # Ignore CLI configuration files
 .terraformrc
 terraform.rc
+ghe-runner
diff --git a/linux.tf b/linux.tf
@@ -1,3 +1,7 @@
+moved {
+  from = module.main
+  to = module.amazon_linux
+}
 
 module "amazon_linux" {
   source                    = "HappyPathway/image-pipeline/aws"
@@ -18,7 +22,11 @@ module "amazon_linux" {
       type  = "PLAINTEXT"
     }
   ]
-  packer_repo   = data.aws_codecommit_repository.linux
+  packer_source_type = "S3"
+  packer_bucket = {
+    name =  aws_s3_bucket.assets_bucket.bucket
+    key  =  "linux-image-pipeline.zip"
+  }
   ansible_repo  = data.aws_codecommit_repository.ansible
   goss_repo     = data.aws_codecommit_repository.goss
   goss_profile  = "base-test"
@@ -32,11 +40,11 @@ output "linux_iam_arn" {
   value = module.amazon_linux.iam_arn
 }
 
-output "linux_codebuild_user" {
-  value = module.amazon_linux.build_user.name
-}
-
 output "linux_parameters" {
   value     = keys(module.amazon_linux.parameters)
   sensitive = true
-}
+}
+
+output linux_bucket {
+  value = module.amazon_linux.s3_bucket
+}
diff --git a/main.tf b/main.tf
@@ -4,9 +4,17 @@ resource "aws_s3_bucket" "state_bucket" {
   bucket = "inf-test-${random_uuid.random.result}"
 }
 
-resource "aws_s3_bucket_server_side_encryption_configuration" "state_bucket_encryption" {
-  bucket = aws_s3_bucket.state_bucket.bucket
+resource "aws_s3_bucket" "assets_bucket" {
+  bucket = "image-pipeline-assets"
+}
 
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "state_bucket_encryption" {
+  for_each = tomap({
+    state_bucket = aws_s3_bucket.state_bucket.bucket
+    assets_bucket = aws_s3_bucket.assets_bucket.bucket
+  })
+  bucket = each.value
   rule {
     apply_server_side_encryption_by_default {
       sse_algorithm = "aws:kms"
@@ -18,7 +26,10 @@ data "aws_iam_policy_document" "s3_access" {
   statement {
     effect    = "Allow"
     actions   = ["s3:*"]
-    resources = ["*"]
+    resources = [
+      aws_s3_bucket.state_bucket.arn,
+      aws_s3_bucket.assets_bucket.arn
+    ]
   }
 }
 

diff --git a/rhel.tf b/rhel.tf
@@ -27,16 +27,3 @@ module "rhel" {
   source_ami    = "ami-03fadeeea589a106b" # x86_64 compatible AMI
   instance_type = "t3.micro"              # x86_64 compatible instance type
 }
-
-output "rhel_iam_arn" {
-  value = module.amazon_linux.iam_arn
-}
-
-output "rhel_codebuild_user" {
-  value = module.amazon_linux.build_user.name
-}
-
-output "rhel_parameters" {
-  value     = keys(module.amazon_linux.parameters)
-  sensitive = true
-}
diff --git a/windows.tf b/windows.tf
@@ -35,19 +35,3 @@ module "windows" {
   instance_type = "t2.xlarge"             # x86_64 compatible instance type
 }
 
-output "winrm_password" {
-  value = nonsensitive(random_password.winrm.result)
-}
-
-output "windows_iam_arn" {
-  value = module.amazon_linux.iam_arn
-}
-
-output "windows_codebuild_user" {
-  value = module.amazon_linux.build_user.name
-}
-
-output "windows_parameters" {
-  value     = keys(module.amazon_linux.parameters)
-  sensitive = true
-}