# PyPI upload token consumed by the GitHub publishing workflow.
# Only the secret container is declared in this file; no aws_secretsmanager_secret_version
# is defined here, so the token value is presumably written out of band (and therefore
# does not pass through this root module's plan or state).
resource "aws_secretsmanager_secret" "pypi_api_token" {
  provider = aws.aws-303467602807-uw1
  # Namespaced via an SSM parameter so the name lines up with the GitHub-secrets naming scheme.
  name = "${data.aws_ssm_parameter.gh_secrets_namespace.value}PYPI_API_TOKEN"
  # NOTE(review): the description records an account-wide token; a project-scoped
  # token would limit blast radius if PyPI permits it for this workflow — confirm.
  description = <<-EOT
    Token for "GitHub Publishing"
    Permissions: Upload packages
    Scope: Entire account (all projects)
    Created in https://pypi.org/manage/account/
  EOT
  # Replicas, if any, are overwritten during replication instead of erroring.
  force_overwrite_replica_secret = true
  # Zero disables the deletion recovery window: a destroy (or an accidental removal
  # from config) deletes the secret immediately with no restore period.
  # No kms_key_id is set, so the AWS-managed Secrets Manager key applies by provider default.
  recovery_window_in_days = 0
}
# Codacy coverage-upload token. As with pypi_api_token, only the container is declared
# here; the value is presumably populated out of band.
resource "aws_secretsmanager_secret" "codacy_api_token" {
  provider = aws.aws-303467602807-uw1
  # Same SSM-driven namespace as the PyPI token above.
  name = "${data.aws_ssm_parameter.gh_secrets_namespace.value}CODACY_PROJECT_TOKEN"
  description = "Token for Codacy Coverage"
  # Replicas, if any, are overwritten during replication instead of erroring.
  force_overwrite_replica_secret = true
  # Zero disables the deletion recovery window: removal is immediate and unrecoverable.
  # No kms_key_id is set, so the AWS-managed Secrets Manager key applies by provider default.
  recovery_window_in_days = 0
}
# Second copy of the infrahouse-github-terraform App private key, scoped to the
# actions-runner test roles in account 303467602807.
module "actions-runner-pem" {
  providers = {
    aws = aws.aws-303467602807-uw1
  }
  # Pinned to 1.0.1 here while the github-token / openvpn / anthropic modules below
  # pin 1.0.3 and 1.1.0 of the same module — presumably intentional; worth aligning.
  source  = "registry.infrahouse.com/infrahouse/secret/aws"
  version = "1.0.1"
  environment        = local.environment
  secret_description = "A copy of infrahouse-github-terraform App private key (pem) for actions-runner tests"
  secret_name_prefix = "action-runner-pem-"
  # The private key is passed as a plain module input. Unless the module's variable is
  # marked sensitive it shows in plan output, and it lands in this root module's state
  # either way — treat the state backend as holding key material.
  secret_value = module.infrahouse-github-terraform-pem.secret_value
  # Principals allowed to read the copy. The last two entries are wildcard ARNs;
  # how the module applies them (exact principal vs. a condition match) is not
  # visible here — confirm they do not admit more roles than intended.
  readers = [
    data.aws_iam_role.actions-runner-tester.arn,
    tolist(data.aws_iam_roles.sso-admin.arns)[0],
    data.aws_iam_role.ih-tf-aws-control-303467602807-admin.arn,
    "arn:aws:iam::303467602807:role/infrahouse-registration*",
    "arn:aws:iam::303467602807:role/actions-runner-*"
  ]
}
# Same private-key copy as actions-runner-pem, placed in account 493370826424.
module "actions-runner-pem-493370826424-uw1" {
  providers = {
    aws = aws.aws-493370826424-uw1
  }
  source  = "registry.infrahouse.com/infrahouse/secret/aws"
  version = "1.0.1"
  environment        = local.environment
  secret_description = "A copy of infrahouse-github-terraform App private key (pem) for actions-runner tests"
  secret_name_prefix = "action-runner-pem-"
  # Key material passed as a plain input; see the note on actions-runner-pem about
  # plan output and state.
  secret_value = module.infrahouse-github-terraform-pem.secret_value
  # No readers are given, unlike the 303467602807 copy, so access falls back to
  # whatever the module's default policy is — confirm that matches the intended
  # consumers in this account.
}
# Classic GitHub token used by the action-runner tests.
module "github-token" {
  # Short registry form, whereas the actions-runner-pem modules use the
  # registry.infrahouse.com/... form of the same module — confirm both resolve
  # to the same registry and keep one form.
  source  = "infrahouse/secret/aws"
  version = "1.0.3"
  providers = {
    aws = aws.aws-303467602807-uw1
  }
  environment = local.environment
  # NOTE(review): classic tokens are not repository-scoped; if the tests only need a
  # few repositories, a fine-grained token limits exposure — confirm with the test owner.
  secret_description = "Classic GitHub token. Needed for action-runner tests"
  secret_name_prefix = "github-token-"
  # Reader is a hard-coded ARN here; actions-runner-pem resolves the same role via
  # data.aws_iam_role.actions-runner-tester — using the data source keeps them in sync.
  readers = [
    "arn:aws:iam::303467602807:role/actions-runner-tester"
  ]
  # Only the first SSO admin role may write the value.
  writers = [
    tolist(data.aws_iam_roles.sso-admin.arns)[0],
  ]
}
# Google OAuth client ID consumed by the terraform-aws-openvpn CI tests.
module "openvpn-oauth-client-id" {
  source  = "infrahouse/secret/aws"
  version = "1.1.0"
  providers = {
    aws = aws.aws-303467602807-uw1
  }
  environment        = local.environment
  secret_description = "Get OAuth 2.0 Client IDs from https://console.cloud.google.com/auth/clients - the secret is used for CI tests in terraform-aws-openvpn"
  secret_name_prefix = "openvpn-client-id-"
  # Hard-coded reader ARN; no matching data source is referenced in this file,
  # so a role rename will not be caught at plan time.
  readers = [
    "arn:aws:iam::303467602807:role/openvpn-tester"
  ]
  # Only the first SSO admin role may write the value.
  writers = [
    tolist(data.aws_iam_roles.sso-admin.arns)[0],
  ]
}
# Anthropic API key used by the pull-request code-review automation.
module "anthropic_api_key" {
  source  = "infrahouse/secret/aws"
  version = "1.1.0"
  providers = {
    aws = aws.aws-303467602807-uw1
  }
  environment        = local.environment
  secret_description = "ANTHROPIC_API_KEY token for pull request code reviews"
  # Upper-case prefix, unlike the kebab-case prefixes used by the other modules in this file.
  secret_name_prefix = "ANTHROPIC_API_KEY-"
  # Writers only: no readers are declared, so whichever principal runs the PR
  # review must get read access elsewhere (or via the module default) — confirm.
  writers = [
    tolist(data.aws_iam_roles.sso-admin.arns)[0],
  ]
}