Merge pull request #666 from rust-lang/rustc-ci-rust-lang-rust

provision aws tokens for rust-lang/rust

Author: marcoieni

terragrunt/accounts/legacy/rustc-ci-prod/.terraform.lock.hcl

@@ -0,0 +1,17 @@
+terraform {
+  source = "../../../modules//rustc-ci"
+}
+
+include {
+  path           = find_in_parent_folders()
+  merge_strategy = "deep"
+}
+
+inputs = {
+  repo             = "rust"
+  caches_bucket    = "rust-lang-ci-sccache2"
+  artifacts_bucket = "rust-lang-ci2"
+  artifacts_domain = "ci-artifacts.rust-lang.org"
+  caches_domain    = "ci-caches.rust-lang.org"
+  inventories_bucket = "rust-inventories"
+}

terragrunt/accounts/legacy/rustc-ci-prod/terragrunt.hcl

@@ -0,0 +1,12 @@
+terraform {
+  source = "../../../modules//rustc-ci"
+}
+
+include {
+  path           = find_in_parent_folders()
+  merge_strategy = "deep"
+}
+
+inputs = {
+  repo = "bors-kindergarten"
+}

terragrunt/accounts/legacy/rustc-ci-staging/.terraform.lock.hcl

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     github = {
       source  = "integrations/github"
-      version = "~> 6.2.3"
+      version = "~> 6.2"
     }
   }
 }
@@ -19,14 +19,34 @@ resource "aws_iam_access_key" "ci" {
   user = aws_iam_user.ci.name
 }
 
+# Create repository secrets if the variable `environment` is not specified
 resource "github_actions_secret" "aws_access_key_id" {
+  count           = var.environment == null ? 1 : 0
   repository      = var.repo
   secret_name     = "${var.env_prefix != null ? "${var.env_prefix}_" : ""}AWS_ACCESS_KEY_ID"
   plaintext_value = aws_iam_access_key.ci.id
 }
 
 resource "github_actions_secret" "aws_secret_access_key" {
+  count           = var.environment == null ? 1 : 0
   repository      = var.repo
   secret_name     = "${var.env_prefix != null ? "${var.env_prefix}_" : ""}AWS_SECRET_ACCESS_KEY"
   plaintext_value = aws_iam_access_key.ci.secret
 }
+
+# Create environment secrets if `environment` is specified
+resource "github_actions_environment_secret" "aws_access_key_id" {
+  count           = var.environment != null ? 1 : 0
+  repository      = var.repo
+  environment     = var.environment
+  secret_name     = "${var.env_prefix != null ? "${var.env_prefix}_" : ""}AWS_ACCESS_KEY_ID"
+  plaintext_value = aws_iam_access_key.ci.id
+}
+
+resource "github_actions_environment_secret" "aws_secret_access_key" {
+  count           = var.environment != null ? 1 : 0
+  repository      = var.repo
+  environment     = var.environment
+  secret_name     = "${var.env_prefix != null ? "${var.env_prefix}_" : ""}AWS_SECRET_ACCESS_KEY"
+  plaintext_value = aws_iam_access_key.ci.secret
+}

terragrunt/accounts/legacy/rustc-ci-staging/terragrunt.hcl

@@ -19,3 +19,9 @@ variable "env_prefix" {
   default     = null
   description = "Prefix the environment variables in GitHub Actions should have"
 }
+
+variable "environment" {
+  type        = string
+  default     = null
+  description = "The name of the GitHub environment where GitHub Actions environment secrets are stored. If omitted, GitHub Actions repository secrets are created instead."
+}

terragrunt/modules/gha-iam-user/main.tf

@@ -0,0 +1,91 @@
+terraform {
+  required_version = "~> 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.86"
+    }
+
+    github = {
+      source  = "integrations/github"
+      version = "~> 6.2"
+    }
+  }
+}
+
+provider "github" {
+  owner = "rust-lang"
+}
+
+data "terraform_remote_state" "shared" {
+  backend = "s3"
+  config = {
+    bucket = "rust-terraform"
+    key    = "simpleinfra/shared.tfstate"
+    region = "us-west-1"
+  }
+}
+
+variable "repo" {
+  description = "GitHub repository to authorize. E.g. `rust`. GitHub org is hardcoded to `rust-lang`."
+  type        = string
+  validation {
+    condition     = !can(regex("/", var.repo))
+    error_message = "The repo variable must not contain `/`. Only provide the repository name."
+  }
+  validation {
+    condition     = length(var.repo) > 0
+    error_message = "The repo variable must not be empty."
+  }
+}
+
+variable "artifacts_bucket" {
+  description = "ID of the S3 bucket to store build artifacts. If unspecified, it is automatically generated, based on the repo name."
+  type        = string
+  default     = null
+  validation {
+    condition     = var.artifacts_bucket == null ? true : length(var.artifacts_bucket) > 0
+    error_message = "The artifacts_bucket variable must not be empty when specified."
+  }
+}
+
+variable "inventories_bucket" {
+  description = "ID of the S3 bucket to store rust inventories. If unspecified, it is automatically generated, based on the repo name."
+  type        = string
+  default     = null
+  validation {
+    condition     = var.inventories_bucket == null ? true : length(var.inventories_bucket) > 0
+    error_message = "The inventories_bucket variable must not be empty when specified."
+  }
+}
+
+variable "caches_bucket" {
+  description = "ID of the S3 bucket to store caches. If unspecified, it is automatically generated, based on the repo name."
+  type        = string
+  default     = null
+  validation {
+    condition     = var.caches_bucket == null ? true : length(var.caches_bucket) > 0
+    error_message = "The caches_bucket variable must not be empty when specified."
+  }
+}
+
+variable "artifacts_domain" {
+  description = "Domain name for the CloudFront distribution in front of the artifacts bucket. If unspecified, it is automatically generated, based on the repo name."
+  type        = string
+  default     = null
+  validation {
+    condition     = var.artifacts_domain == null ? true : length(var.artifacts_domain) > 0
+    error_message = "The artifacts_domain variable must not be empty when specified."
+  }
+}
+
+variable "caches_domain" {
+  description = "Domain name for the CloudFront distribution in front of the caches bucket. If unspecified, it is automatically generated, based on the repo name."
+  type        = string
+  default     = null
+  validation {
+    condition     = var.caches_domain == null ? true : length(var.caches_domain) > 0
+    error_message = "The caches_domain variable must not be empty when specified."
+  }
+}