diff --git a/.github/workflows/digger-plan.yml b/.github/workflows/digger-plan.yml
new file mode 100644
index 0000000..b4bd910
--- /dev/null
+++ b/.github/workflows/digger-plan.yml
@@ -0,0 +1,40 @@
+name: Digger Plan
+
+on:
+ pull_request:
+ branches: [ "main" ]
+ types: [ opened, synchronize ]
+ issue_comment:
+ types: [created]
+ workflow_dispatch:
+
+
+jobs:
+ plan:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write # required to merge PRs
+ id-token: write # required for workload-identity-federation
+ pull-requests: write # required to post PR comments
+ statuses: write # required to validate combined PR status
+
+ steps:
+ - uses: actions/checkout@v4
+ # Unlike GCP; the role assumption is handled inline
+ - name: digger run
+ uses: diggerhq/digger@v0.2.0
+ with:
+ setup-aws: true
+
+ #Uncomment below line if using OIDC
+ #aws-role-to-assume: arn:aws:sts::{secrets.AccountID}:assumed-role/{secrets.RoleName}/{FunctionName}
+
+ #Comment the following two lines out if using OIDC.
+ aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ ##End comment block
+ aws-region: us-east-1
+ env:
+ GITHUB_CONTEXT: ${{ toJson(github) }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
\ No newline at end of file
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..9a5675f
--- /dev/null
+++ b/.gitignore
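Review bot: The `uses: diggerhq/digger@v0.2.0` and `uses: actions/checkout@v4` steps are pinned to mutable tags, so whoever can move those tags runs arbitrary code with this job's AWS credentials and its `contents: write` token; pin each to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: diggerhq/digger@<full-commit-sha> # v0.2.0`. The commented-out OIDC example is also not usable as written: `arn:aws:sts::…:assumed-role/…` is an assumed-role session ARN rather than an IAM role ARN, and `{secrets.AccountID}` is not expression syntax, so it should read `aws-role-to-assume: arn:aws:iam::${{ secrets.AccountID }}:role/${{ secrets.RoleName }}`. Since `id-token: write` is already granted, the OIDC path should be the active default and the static `aws-access-key-id`/`aws-secret-access-key` pair the commented-out fallback, because those are long-lived credentials exposed to every `issue_comment`-triggered run. A comment above the `permissions:` block noting that `contents: write` plus `issue_comment` means any collaborator comment can drive a run with these credentials would help the next maintainer scope the role/keys appropriately.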
@@ -0,0 +1,28 @@
+gcp_key.json
+
+# Local .terraform directories
+**/.terraform/*
+.terraform
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+.terraform.lock.hcl
\ No newline at end of file
diff --git a/README.md b/README.md
index 0286787..fbf50af 100644
--- a/README.md
+++ b/README.md
@@ -1 +1,17 @@
 # quickstart-actions-aws
+
+This is the repository for a sample quickstart action with digger.
+
+# backend
+this folder will provision (most) of the backend required.
+Main.tf provisions the following resources.
+
+1. The Backend state bucket for terraform to store state in
+2. The required DynamoDB table for Digger to store locks.
+
+# prod
+This is a sample terraform prod code that will (if given the chance) spin up a vpc + an EC2 instance, and required security groups.
+The instance is locked down to not be accessible from outside the network.
+
+# .github/workflows
+Contains digger-plan.yml with two different potential ways of authenticating against an AWS account. Please review the main digger documentation on details as to which scheme to use.
\ No newline at end of file
diff --git a/backend/main.tf b/backend/main.tf
new file mode 100644
index 0000000..f0fc96f
--- /dev/null
+++ b/backend/main.tf
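Review bot: Ignoring `.terraform.lock.hcl` on the last line of the .gitignore hunk drops the provider dependency lock file, which is the only record of the exact provider versions and the hashes `terraform init` verified; without it every Digger run may resolve a different provider build, which defeats supply-chain pinning and makes plans non-reproducible. HashiCorp's guidance is to commit the lock file, so that line should be removed, and the lock regenerated with the CI runner's platform included (`terraform providers lock -platform=linux_amd64`) so the `ubuntu-latest` job's hashes are present. The `*.tfvars` comment block is good; a similar one-line comment above `gcp_key.json` saying it is a credential file that must never be committed would make the intent explicit.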
@@ -0,0 +1,41 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "5.23.1"
+ }
+ }
+}
+
+provider "aws" {
+ region = "us-east-1" # Replace with your desired AWS region
+}
+
+resource "random_string" "bucket_prefix" {
+ length = 8
+ special = false
+}
+
+resource "aws_s3_bucket" "default" {
+ bucket = "${random_string.bucket_prefix.result}-bucket-tfstate"
+}
+
+resource "aws_s3_bucket_versioning" "versioning_example" {
+ bucket = aws_s3_bucket.default.id
+ versioning_configuration {
+ status = "Enabled"
+ }
+}
+
+resource "aws_s3_bucket_acl" "example" {
+ bucket = aws_s3_bucket.default.id
+ acl = "private"
+}
+
+
+resource "aws_dynamodb_table" "DiggerDynamoDBLockTable" {
+ name = "DiggerDynamoDBLockTable"
+ billing_mode = "PAY_PER_REQUEST"
+ stream_enabled = true
+ stream_view_type = "NEW_AND_OLD_IMAGES"
+}
diff --git a/digger.yml b/digger.yml
new file mode 100644
index 0000000..2099587
--- /dev/null
+++ b/digger.yml
@@ -0,0 +1,3 @@
+projects:
+- name: production
+ dir: prod
\ No newline at end of file
diff --git a/prod/main.tf b/prod/main.tf
new file mode 100644
index 0000000..1b332c9
--- /dev/null
+++ b/prod/main.tf
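Review bot: The state bucket `aws_s3_bucket.default` is created with no `aws_s3_bucket_public_access_block` and no server-side encryption configuration, even though Terraform state routinely contains secrets; with provider `5.23.1` the `aws_s3_bucket_acl "example"` resource will also fail on a newly created bucket, because new buckets default to ownership controls that reject ACLs unless an `aws_s3_bucket_ownership_controls` resource permits them. Dropping the ACL resource and adding a public-access block plus default SSE gives a private, encrypted bucket without that failure. Separately, `aws_dynamodb_table "DiggerDynamoDBLockTable"` declares no `hash_key` and no `attribute` block, both of which the provider requires, so this file does not validate as written (Digger's documented lock table uses string keys `PK`/`SK` — confirm against the Digger docs before adopting those names). `random_string` also pulls in the `hashicorp/random` provider implicitly; add it to `required_providers` with a version so it is pinned like `aws`.

```hcl
resource "aws_s3_bucket" "default" {
  bucket = "${random_string.bucket_prefix.result}-bucket-tfstate"
}

# State can contain secrets: block every public access path and encrypt at rest.
resource "aws_s3_bucket_public_access_block" "default" {
  bucket                  = aws_s3_bucket.default.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
  bucket = aws_s3_bucket.default.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

# … unchanged: aws_s3_bucket_versioning "versioning_example" …
# aws_s3_bucket_acl "example" removed: new buckets reject ACLs by default and the block above keeps the bucket private.

resource "aws_dynamodb_table" "DiggerDynamoDBLockTable" {
  name         = "DiggerDynamoDBLockTable"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "PK" # key names per Digger docs — confirm
  range_key    = "SK"
  attribute {
    name = "PK"
    type = "S"
  }
  attribute {
    name = "SK"
    type = "S"
  }
  # … unchanged: stream_enabled / stream_view_type …
}
```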
@@ -0,0 +1,56 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "3.0.0" # Use an appropriate version
+ }
+ }
+ backend "s3" {
+ bucket = "8046b8f4c208f5bb-bucket-tfstate"
+ key = "terraform/state"
+ region = "us-east-1"
+ }
+
+}
+
+provider "aws" {
+ region = "us-east-1" # Replace with your desired AWS region
+}
+
+resource "aws_vpc" "vpc_network" {
+ cidr_block = "10.0.0.0/16"
+ tags = {
+ Name = "terraform-network"
+ }
+}
+
+resource "aws_subnet" "vpc_subnet" {
+ vpc_id = aws_vpc.vpc_network.id
+ cidr_block = "10.0.1.0/24"
+ availability_zone = "us-east-2a"
+ map_public_ip_on_launch = true
+
+ tags = {
+ Name = "terraform-subnet"
+ }
+}
+
+resource "aws_security_group" "security_group" {
+ name_prefix = "terraform-"
+ ingress {
+ from_port = 80
+ to_port = 80
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+}
+
+resource "aws_instance" "vm_instance" {
+ ami = "ami-0b17ac7207aae009f" #Debian 11 (bullsey AMI provided by the Debian Project https://wiki.debian.org/Cloud/AmazonEC2Image/Bullseye)
+ instance_type = "t2.micro"
+ subnet_id = aws_subnet.vpc_subnet.id
+ security_groups = [aws_security_group.security_group.name]
+ tags = {
+ Name = "terraform-instance"
+ }
+}
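Review bot: `aws_security_group "security_group"` has no `vpc_id`, so the provider creates it in the account's default VPC, and attaching it by name through `security_groups` to an instance placed in `aws_subnet.vpc_subnet` (a different VPC) fails at apply time; the group needs `vpc_id = aws_vpc.vpc_network.id` and the instance should reference it with `vpc_security_group_ids = [aws_security_group.security_group.id]`. `availability_zone = "us-east-2a"` on the subnet is also outside the `us-east-1` provider region. On the security side, the `0.0.0.0/0` ingress on port 80 and `map_public_ip_on_launch = true` contradict the README's statement that the instance is not reachable from outside the network, the `backend "s3"` block lacks `encrypt = true`, and the instance does not require IMDSv2 (`metadata_options { http_tokens = "required" }`), the standard mitigation against credential theft via SSRF. The provider pin `3.0.0` differs from `5.23.1` in backend/main.tf, and the hard-coded bucket `8046b8f4c208f5bb-bucket-tfstate` does not match the 8-character `random_string` prefix that file generates, so it presumably points at a bucket created another way — a comment saying where it comes from would help.

```hcl
  backend "s3" {
    bucket  = "8046b8f4c208f5bb-bucket-tfstate"
    key     = "terraform/state"
    region  = "us-east-1"
    encrypt = true
  }
# … unchanged: provider "aws", aws_vpc "vpc_network" …

resource "aws_subnet" "vpc_subnet" {
  vpc_id                  = aws_vpc.vpc_network.id
  cidr_block              = "10.0.1.0/24"
  availability_zone       = "us-east-1a" # must lie in the provider region
  map_public_ip_on_launch = false        # README: not reachable from outside
  # … unchanged: tags …
}

resource "aws_security_group" "security_group" {
  name_prefix = "terraform-"
  vpc_id      = aws_vpc.vpc_network.id
  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.vpc_network.cidr_block] # in-VPC only
  }
}

resource "aws_instance" "vm_instance" {
  # … unchanged: ami, instance_type, subnet_id …
  vpc_security_group_ids = [aws_security_group.security_group.id]
  metadata_options {
    http_tokens = "required" # IMDSv2 only
  }
  # … unchanged: tags …
}
```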