feat: add GitHub Actions secrets management

kuzzleio · Jul 26, 2024 · 5fb698a · 5fb698a
1 parent 4fc9d24
commit 5fb698a
Show file tree

Hide file tree

Showing 8 changed files with 101 additions and 1 deletion.
diff --git a/.gitignore b/.gitignore
@@ -248,3 +248,4 @@ $RECYCLE.BIN/
 
 # End of https://www.toptal.com/developers/gitignore/api/windows,macos,linux,intellij+all,visualstudiocode,vim,terraform,terragrunt
 
+gh_secrets.json
diff --git a/README.md b/README.md
@@ -20,7 +20,64 @@ This hosts the monitor and status page for Kuzzle, powered by [Upptime](https://
 
 <!--end: status pages-->
 
-## 📄 License
+## Infrastructure
+
+The [`hosting/`](./hosting/) directory holds the Terraform files for deploying the status page infrastructure.
+
+### Installation
+
+To work on the infrastructure, you will need to install several tools:
+- [just](https://github.com/casey/just) to have access to the pre-defined commands.
+- [Kourou](https://github.com/kuzzleio/kourou) to decrypt and encrypt the secret files.
+- Terraform, either [directly](https://developer.hashicorp.com/terraform/install?product_intent=terraform) or using [tfenv](https://github.com/tfutils/tfenv).
+- The [Scaleway CLI](https://github.com/scaleway/scaleway-cli), then log in to your Scaleway account by [creating an API key for yourself](https://www.scaleway.com/en/docs/identity-and-access-management/iam/how-to/create-api-keys/).  
+**Note**: you'll need to select the "default" project as the project used for Object Storage operations.
+- The [GitHub CLI](https://cli.github.com/), then log in to your GitHub account.
+- The [AWS CLI](https://aws.amazon.com/cli/), then log in to your AWS account using `aws configure` (the profile that will be used is `default`).
+
+### Preparation
+
+If this is your first time working with the infrastructure, you will need to first initialize the directory:
+
+```sh
+just init
+kourou vault:decrypt gh_secrets.enc.json --vault-key '<VAULT_PASSWORD>'
+```
+
+> [!NOTE]
+> The Vault password can be found in the company password manager.
+
+### Applying changes
+
+To preview your changes to the infrastructure:
+
+```sh
+just preview
+```
+
+To apply them:
+
+```sh
+just apply
+```
+
+If you changed a GitHub Actions secret, you'll need to re-encrypt the file before committing it:
+
+```sh
+kourou vault:encrypt gh_secrets.json --vault-key '<VAULT_PASSWORD>'
+```
+
+### Miscellaneous
+
+#### Exporting the keys
+
+If you need to directly use the Terraform CLI, you can export the access and secret keys used to authenticate against the S3 backend:
+
+```sh
+eval `just export-keys`
+```
+
+## License
 
 - Code: [MIT](./LICENSE) © [Anand Chowdhary](https://anandchowdhary.com), supported by [Pabio](https://pabio.com)
 - Data in the `./history` directory: [Open Database License](https://opendatacommons.org/licenses/odbl/1-0/)
diff --git a/hosting/gh_secrets.enc.json b/hosting/gh_secrets.enc.json
@@ -0,0 +1,3 @@
+{
+  "SITE_URL_PAAS_PACKAGES": "6c53d0f9ba58d417846931e7341a1d72c5c0e38a589f6908246f0115162f4dff.81b5b15857cee8b0ffc0a642f10e5442"
+}
diff --git a/hosting/main.tf b/hosting/main.tf
@@ -1,5 +1,7 @@
 locals {
   tfstate_bucket_name = "status-page.tfstate"
+
+  github_secrets = jsondecode(file("${path.module}/gh_secrets.json"))
 }
 
 # Project
@@ -20,3 +22,10 @@ module "gh-pages" {
   hosted_zone_name = var.route53_hosted_zone_name
   domain_name      = var.domain_name
 }
+
+module "gh-secrets" {
+  source = "./modules/gh-secrets"
+
+  github_repository = var.github_repository
+  secrets           = local.github_secrets
+}
diff --git a/hosting/modules/gh-secrets/main.tf b/hosting/modules/gh-secrets/main.tf
@@ -0,0 +1,8 @@
+# GitHub
+resource "github_actions_secret" "secrets" {
+  for_each = var.secrets
+
+  repository       = var.github_repository
+  secret_name      = each.key
+  plaintext_value  = each.value
+}
diff --git a/hosting/modules/gh-secrets/terraform.tf b/hosting/modules/gh-secrets/terraform.tf
@@ -0,0 +1,7 @@
+terraform {
+  required_providers {
+    github = {
+      source = "integrations/github"
+    }
+  }
+}
diff --git a/hosting/modules/gh-secrets/variables.tf b/hosting/modules/gh-secrets/variables.tf
@@ -0,0 +1,9 @@
+variable "github_repository" {
+  description = "The of the GitHub repository where the status page code is hosted"
+  type        = string
+}
+
+variable "secrets" {
+  description = "The GitHub Actions secrets to add to the repository"
+  type        = map(string)
+}
diff --git a/hosting/variables.tf b/hosting/variables.tf
@@ -10,6 +10,12 @@ variable "github_organization" {
   default     = "kuzzleio"
 }
 
+variable "github_repository" {
+  description = "The of the GitHub repository where the status page code is hosted"
+  type        = string
+  default     = "status-page"
+}
+
 variable "route53_hosted_zone_name" {
   description = "The name of the Route 53 hosted zone"
   type        = string
Original file line number	Diff line number	Diff line change
Expand Up		@@ -248,3 +248,4 @@ $RECYCLE.BIN/

		# End of https://www.toptal.com/developers/gitignore/api/windows,macos,linux,intellij+all,visualstudiocode,vim,terraform,terragrunt

		gh_secrets.json