diff --git a/.github/workflows/check_ansible.yml b/.github/workflows/check_ansible.yml
new file mode 100644
index 00000000..0d5e295d
--- /dev/null
+++ b/.github/workflows/check_ansible.yml
@@ -0,0 +1,95 @@ +# For docs on this see: +# * https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions +# * https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request +# * https://docs.github.com/en/webhooks/webhook-events-and-payloads?actionType=synchronize#pull_request +on: + pull_request: + types: + - opened + - synchronize # when commits are pushed to the PR + - reopened + - edited # title or body of a pull request was edited, or the base branch of a pull request was changed + +jobs: + ansible: + strategy: + matrix: + environment: ["dev"] + runs-on: ubuntu-latest + defaults: + run: + working-directory: ansible/ + permissions: + pull-requests: write + steps: + - uses: actions/checkout@v4 + + - name: Install Ansible + run: | + sudo apt update + sudo apt install software-properties-common + sudo add-apt-repository --yes --update ppa:ansible/ansible-9 + sudo apt install -y ansible + + - name: Write devops ssh key to .ssh + run: | + mkdir -p ~/.ssh/ + chmod 700 ~/.ssh/ + echo "${{ secrets.AWS_SSH_KEY }}" > ~/.ssh/ooni-devops-prod.pem + chmod 600 ~/.ssh/ooni-devops-prod.pem + + - name: Run Ansible Playbook + id: playbook + env: + ANSIBLE_SSH_ARGS: "-o UserKnownHostsFile=known_hosts" + INVENTORY_FILE_PATH: "../tf/modules/ansible_inventory/inventories/inventory-${{ matrix.environment }}.ini" + run: | + echo "ansible_playbook<> "$GITHUB_OUTPUT" + echo "\$ ansible-playbook playbook.yml --check --diff -i $INVENTORY_FILE_PATH" >> "$GITHUB_OUTPUT" + ansible-playbook playbook.yml --check --diff -i $INVENTORY_FILE_PATH \ + --key-file ~/.ssh/ooni-devops-prod.pem 2>&1 | tee -a "$GITHUB_OUTPUT" + echo "EOF" >> "$GITHUB_OUTPUT" + continue-on-error: true + + # This can be uncommmented to make it possible to ssh into the container to debug the run + #- name: Setup tmate session + # uses: mxschmitt/action-tmate@v3 + + - uses: actions/github-script@v6 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + 
const commentTitle = "Ansible Run Output"; + const ansiblePlaybookOutput = `${{ steps.playbook.outputs.ansible_playbook}}`; + const parts = ansiblePlaybookOutput.split(/PLAY RECAP \*+/); + const ansiblePlaybookRecap = parts.length > 1 ? parts[1].trim() : ''; + + const commentBody = ` + #### Ansible Playbook Recap 🔍 + + \`\`\`\n + ${ansiblePlaybookRecap} + \`\`\` + + #### Ansible playbook output 📖\`${{ steps.playbook.outcome }}\` + +
Show Execution + + \`\`\`\n + ${ansiblePlaybookOutput} + \`\`\` + +
+ + | | | + |-------------------|------------------------------------| + | Pusher | @${{ github.actor }} | + | Action | ${{ github.event_name }} | + | Working Directory | ${{ env.tf_actions_working_dir }} | + | Workflow | ${{ github.workflow }} | + | Last updated | ${(new Date()).toUTCString()} | + `; + + // Call the script to write the comment + const script = require('./scripts/ghactions/comment-on-pr.js'); + await script({github, context, core, commentTitle, commentBody}); diff --git a/.github/workflows/check_deploy.yml b/.github/workflows/check_terraform.yml similarity index 56% rename from .github/workflows/check_deploy.yml rename to .github/workflows/check_terraform.yml index 98d894be..8b2a4d2b 100644 --- a/.github/workflows/check_deploy.yml +++ b/.github/workflows/check_terraform.yml 
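Review bot: The playbook output is spliced straight into the github-script source via `${{ steps.playbook.outputs.ansible_playbook}}` inside a JS template literal, so any backtick or `${` in Ansible's output (task names and `--diff` content come from the PR's own `ansible/` tree, host-side strings from the managed machines) terminates the literal and runs as JavaScript with the job's `pull-requests: write` token. Pass it through the environment instead: add `env: { ANSIBLE_PLAYBOOK_OUTPUT: "${{ steps.playbook.outputs.ansible_playbook }}" }` to the github-script step and read `const ansiblePlaybookOutput = process.env.ANSIBLE_PLAYBOOK_OUTPUT;`. Separately, `--check --diff` output is posted verbatim to the PR, so if any role template renders credentials (the clickhouse `ooni_users.xml` template is moved in this same commit) its contents end up in a public comment; consider `diff: false`/`no_log: true` on such tasks. The table row `| Working Directory | ${{ env.tf_actions_working_dir }} |` references an env var this workflow never defines and will render empty.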
@@ -10,108 +10,39 @@ on: - reopened - edited # title or body of a pull request was edited, or the base branch of a pull request was changed -env: - tf_actions_working_dir: "./tf/environments/dev" - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - jobs: - ansible: - needs: terraform - runs-on: ubuntu-latest - defaults: - run: - working-directory: ${{ env.tf_actions_working_dir }}/ansible - permissions: - pull-requests: write - steps: - - uses: actions/checkout@v4 - - - name: Install Ansible - run: | - sudo apt update - sudo apt install software-properties-common - sudo add-apt-repository --yes --update ppa:ansible/ansible-9 - sudo apt install -y ansible - - - name: Write devops ssh key to .ssh - run: | - mkdir -p ~/.ssh/ - chmod 700 ~/.ssh/ - echo "${{ secrets.AWS_SSH_KEY }}" > ~/.ssh/ooni-devops-prod.pem - chmod 600 ~/.ssh/ooni-devops-prod.pem - - - name: Run Ansible Playbook - id: playbook - env: - ANSIBLE_SSH_ARGS: "-o UserKnownHostsFile=known_hosts" - run: | - echo "ansible_playbook<> "$GITHUB_OUTPUT" - echo "\$ ansible-playbook playbook.yml --check --diff -i inventory.ini" >> "$GITHUB_OUTPUT" - ansible-playbook playbook.yml --check --diff -i inventory.ini --key-file ~/.ssh/ooni-devops-prod.pem 2>&1 | tee -a "$GITHUB_OUTPUT" - echo "EOF" >> "$GITHUB_OUTPUT" - continue-on-error: true - - # This can be uncommmented to make it possible to ssh into the container to debug the run - #- name: Setup tmate session - # uses: mxschmitt/action-tmate@v3 - - - uses: actions/github-script@v6 - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - script: | - const commentTitle = "Ansible Run Output"; - const ansiblePlaybookOutput = `${{ steps.playbook.outputs.ansible_playbook}}`; - const parts = ansiblePlaybookOutput.split(/PLAY RECAP \*+/); - const ansiblePlaybookRecap = parts.length > 1 ? 
parts[1].trim() : ''; - - const commentBody = ` - #### Ansible Playbook Recap 🔍 - - \`\`\`\n - ${ansiblePlaybookRecap} - \`\`\` - - #### Ansible playbook output 📖\`${{ steps.playbook.outcome }}\` - -
Show Execution - - \`\`\`\n - ${ansiblePlaybookOutput} - \`\`\` - -
- - | | | - |-------------------|------------------------------------| - | Pusher | @${{ github.actor }} | - | Action | ${{ github.event_name }} | - | Working Directory | ${{ env.tf_actions_working_dir }} | - | Workflow | ${{ github.workflow }} | - | Last updated | ${(new Date()).toUTCString()} | - `; - - // Call the script to write the comment - const script = require('./scripts/ghactions/comment-on-pr.js'); - await script({github, context, core, commentTitle, commentBody}); - terraform: + strategy: + matrix: + environment: ["dev"] + runs-on: ubuntu-latest if: ${{ !startsWith(github.event.head_commit.message, 'skip-terraform:') }} defaults: run: - working-directory: ${{ env.tf_actions_working_dir }} + working-directory: tf/environments/${{ matrix.environment }} permissions: contents: write pull-requests: write - env: - TF_VAR_aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }} - TF_VAR_aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - TF_VAR_ooni_pg_password: ${{ secrets.OONI_PG_PASSWORD }} steps: - uses: actions/checkout@v4 + - name: Configure AWS credentials + run: | + mkdir ~/.aws/ + cat < ~/.aws/credentials + [default] + aws_access_key_id = ${{ secrets.OONIDEVOPS_AWS_ACCESS_KEY_ID }} + aws_secret_access_key = ${{ secrets.OONIDEVOPS_AWS_SECRET_ACCESS_KEY }} + + [oonidevops_user] + aws_access_key_id = ${{ secrets.OONIDEVOPS_AWS_ACCESS_KEY_ID }} + aws_secret_access_key = ${{ secrets.OONIDEVOPS_AWS_SECRET_ACCESS_KEY }} + EOF + chmod 700 ~/.aws/ + chmod 600 ~/.aws/credentials + - name: Install Terraform run: | wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg 
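Review bot: The new "Configure AWS credentials" step writes long-lived IAM user keys (`OONIDEVOPS_AWS_ACCESS_KEY_ID`/`..._SECRET_ACCESS_KEY`) into `~/.aws/credentials` under both `[default]` and `[oonidevops_user]`, and with the `assume_role` block dropped elsewhere in this commit the check now runs directly as that user on every `pull_request` event, so the keys are the prize for anyone who can get a modified workflow to run. Prefer GitHub's OIDC federation — `aws-actions/configure-aws-credentials` with `role-to-assume` plus `permissions: id-token: write` — so no long-lived secret lives in the repository at all. As rendered here the heredoc reads `cat < ~/.aws/credentials`, which would read rather than write the file; presumably the committed line is `cat <<EOF > ~/.aws/credentials`, but it is worth confirming since the step would otherwise fail silently before `chmod`.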
@@ -194,7 +125,7 @@ jobs: |-------------------|------------------------------------| | Pusher | @${{ github.actor }} | | Action | ${{ github.event_name }} | - | Working Directory | ${{ env.tf_actions_working_dir }} | + | Environment | ${{ matrix.environment }} | | Workflow | ${{ github.workflow }} | | Last updated | ${ (new Date()).toUTCString() } | `; diff --git a/tf/modules/ansible_inventory/ansible/known_hosts b/ansible/known_hosts similarity index 100% rename from tf/modules/ansible_inventory/ansible/known_hosts rename to ansible/known_hosts diff --git a/tf/modules/ansible_inventory/ansible/playbook.yml b/ansible/playbook.yml similarity index 100% rename from tf/modules/ansible_inventory/ansible/playbook.yml rename to ansible/playbook.yml diff --git a/tf/modules/ansible_inventory/ansible/roles/clickhouse/tasks/main.yml b/ansible/roles/clickhouse/tasks/main.yml similarity index 100% rename from tf/modules/ansible_inventory/ansible/roles/clickhouse/tasks/main.yml rename to ansible/roles/clickhouse/tasks/main.yml diff --git a/tf/modules/ansible_inventory/ansible/roles/clickhouse/templates/ooni_users.xml b/ansible/roles/clickhouse/templates/ooni_users.xml similarity index 100% rename from tf/modules/ansible_inventory/ansible/roles/clickhouse/templates/ooni_users.xml rename to ansible/roles/clickhouse/templates/ooni_users.xml diff --git a/tf/environments/dev/.terraform.lock.hcl b/tf/environments/dev/.terraform.lock.hcl index a1c04fd7..036d2518 100644 --- a/tf/environments/dev/.terraform.lock.hcl +++ b/tf/environments/dev/.terraform.lock.hcl @@ -6,6 +6,7 @@ provider "registry.terraform.io/hashicorp/aws" { constraints = ">= 4.9.0, >= 4.66.1" hashes = [ "h1:KEqMoJwLw6Z9bTO4K8nPVvQQa6YiM+bvz89Sw7tNFJw=", + "h1:vnFdR2OxkoCLwmyi1DmuAoM+fdqW3g66Hx7mYsR6b1E=", "zh:11f177a2385703740bd26d0652d3dba08575101d7639f386ce5637bdb0e29a13", "zh:203fc43e69634f1bd487a9dc24b01944dfd568beac78e491f26677d103d343ed", "zh:3697ebad4929da30ea98276a85d4ce5ebfc48508f4dd149e17e1dcdc7f306c6e", 
@@ -28,6 +29,7 @@ provider "registry.terraform.io/hashicorp/local" { version = "2.4.1" constraints = ">= 2.0.0" hashes = [ + "h1:FzraUapGrJoH3ZOWiUT2m6QpZAD+HmU+JmqZgM4/o2Y=", "h1:gpp25uNkYJYzJVnkyRr7RIBVfwLs9GSq2HNnFpTRBg0=", "zh:244b445bf34ddbd167731cc6c6b95bbed231dc4493f8cc34bd6850cfe1f78528", "zh:3c330bdb626123228a0d1b1daa6c741b4d5d484ab1c7ae5d2f48d4c9885cc5e9", @@ -48,6 +50,7 @@ provider "registry.terraform.io/hashicorp/null" { version = "3.2.2" hashes = [ "h1:IMVAUHKoydFrlPrl9OzasDnw/8ntZFerCC9iXw1rXQY=", + "h1:zT1ZbegaAYHwQa+QwIFugArWikRJI9dqohj8xb0GY88=", "zh:3248aae6a2198f3ec8394218d05bd5e42be59f43a3a7c0b71c66ec0df08b69e7", "zh:32b1aaa1c3013d33c245493f4a65465eab9436b454d250102729321a44c8ab9a", "zh:38eff7e470acb48f66380a73a5c7cdd76cc9b9c9ba9a7249c7991488abe22fe3", @@ -67,6 +70,7 @@ provider "registry.terraform.io/hashicorp/random" { version = "3.6.0" hashes = [ "h1:I8MBeauYA8J8yheLJ8oSMWqB0kovn16dF/wKZ1QTdkk=", + "h1:R5Ucn26riKIEijcsiOMBR3uOAjuOMfI1x7XvH4P6B1w=", "zh:03360ed3ecd31e8c5dac9c95fe0858be50f3e9a0d0c654b5e504109c2159287d", "zh:1c67ac51254ba2a2bb53a25e8ae7e4d076103483f55f39b426ec55e47d1fe211", "zh:24a17bba7f6d679538ff51b3a2f378cedadede97af8a1db7dad4fd8d6d50f829", @@ -86,6 +90,7 @@ provider "registry.terraform.io/hashicorp/time" { version = "0.10.0" constraints = ">= 0.7.1" hashes = [ + "h1:EeF/Lb4db1Kl1HEHzT1StTC7RRqHn/eB7aDR3C3yjVg=", "h1:NAl8eupFAZXCAbE5uiHZTz+Yqler55B3fMG+jNPrjjM=", "zh:0ab31efe760cc86c9eef9e8eb070ae9e15c52c617243bbd9041632d44ea70781", "zh:0ee4e906e28f23c598632eeac297ab098d6d6a90629d15516814ab90ad42aec8", @@ -105,6 +110,7 @@ provider "registry.terraform.io/hashicorp/time" { provider "registry.terraform.io/hashicorp/tls" { version = "4.0.5" hashes = [ + "h1:e4LBdJoZJNOQXPWgOAG0UuPBVhCStu98PieNlqJTmeU=", "h1:zeG5RmggBZW/8JWIVrdaeSJa0OG62uFX5HY1eE8SjzY=", "zh:01cfb11cb74654c003f6d4e32bbef8f5969ee2856394a96d127da4949c65153e", "zh:0472ea1574026aa1e8ca82bb6df2c40cd0478e9336b7a8a64e652119a2fa4f32", 
diff --git a/tf/environments/dev/backend.tf b/tf/environments/dev/backend.tf
index 55dd5c14..1bd2f01a 100644
--- a/tf/environments/dev/backend.tf
+++ b/tf/environments/dev/backend.tf
@@ -9,9 +9,5 @@ terraform {
 encrypt = "true"
 dynamodb_table = "oonidevops-dev-terraform-state-lock"
-
- assume_role = {
- role_arn = "arn:aws:iam::905418398257:role/oonidevops"
- }
 }
 }
diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf
index 8a795277..8aa72f1e 100644
--- a/tf/environments/dev/main.tf
+++ b/tf/environments/dev/main.tf
@@ -1,18 +1,18 @@
 # Local variable definitions
 locals {
 environment = "dev"
- name = "oonidevops-${local.environment}"
+ name = "oonidevops-${local.environment}"
 dns_zone_ooni_nu = "Z091407123AEJO90Z3H6D" # dev.ooni.nu hosted zone
 dns_zone_ooni_io = "Z055356431RGCLK3JXZDL" # dev.ooni.io hosted zone
 ooni_main_org_id = "082866812839" # account ID for the admin@openobservatory.org account
- ooni_dev_org_id = "905418398257" # account ID for the admin+dev@ooni.org account
+ ooni_dev_org_id = "905418398257" # account ID for the admin+dev@ooni.org account
 tags = {
- Name = local.name
+ Name = local.name
 Environment = local.environment
- Repository = "https://github.com/ooni/devops"
+ Repository = "https://github.com/ooni/devops"
 }
 }
@@ -21,9 +21,11 @@ locals {
 provider "aws" {
 profile = "oonidevops_user"
 region = var.aws_region
- assume_role {
- role_arn = "arn:aws:iam::905418398257:role/oonidevops"
- }
+ # You will have to setup your own credentials in ~/.aws/credentials like this:
+ # [oonidevops_user]
+ # aws_access_key_id = YYYY
+ # aws_secret_access_key = ZZZ
+ # role_arn = arn:aws:iam::905418398257:role/oonidevops
 }
 data "aws_availability_zones" "available" {}
@@ -60,6 +62,7 @@ module "adm_iam_roles" {
 authorized_accounts = [
 "arn:aws:iam::${local.ooni_dev_org_id}:user/mehul",
+ "arn:aws:iam::${local.ooni_dev_org_id}:user/art",
 "arn:aws:iam::${local.ooni_main_org_id}:user/art"
 ]
 }
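Review bot: With `assume_role` removed from both the S3 backend and the `aws` provider, state access and every plan now run with the raw credentials of the `[oonidevops_user]` profile, and the comment added in the provider block tells operators to put `role_arn` into that same profile next to static keys — but a shared-config profile with `role_arn` also needs `source_profile` (or `credential_source`); depending on the SDK, the snippet as written either errors out or silently uses the static keys and never assumes the role, so verify which before relying on it. Keeping `assume_role { role_arn = "arn:aws:iam::905418398257:role/oonidevops" }` in the provider (it works fine with a static-key profile) preserves the role as the single privilege boundary; otherwise the comment should at least read `role_arn = ...` / `source_profile = default`. Note also that dropping `assume_role` from the backend means the CI principal now needs its own S3 and DynamoDB permissions on the state bucket and `oonidevops-dev-terraform-state-lock` table, including the write actions that state locking uses.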
@@ -92,6 +95,8 @@ module "ansible_inventory" { ## "all" has special meaning and is reserved "mygroup" = [] } + + environment = local.environment } module "network" { @@ -296,3 +301,9 @@ module "ooniapi_frontend" { ) } +module "oonidevops_github_user" { + source = "../../modules/oonidevops_github_user" + + tags = local.tags +} + diff --git a/tf/modules/ansible_inventory/ansible/inventory.ini b/tf/modules/ansible_inventory/inventories/inventory-dev.ini similarity index 100% rename from tf/modules/ansible_inventory/ansible/inventory.ini rename to tf/modules/ansible_inventory/inventories/inventory-dev.ini diff --git a/tf/modules/ansible_inventory/main.tf b/tf/modules/ansible_inventory/main.tf index f9bac1a2..51a937a6 100644 --- a/tf/modules/ansible_inventory/main.tf +++ b/tf/modules/ansible_inventory/main.tf @@ -7,7 +7,7 @@ resource "local_file" "ansible_inventory" { content = templatefile("${path.module}/templates/ansible-inventory.tpl", { server_groups = var.server_groups } ) - filename = "${path.module}/ansible/inventory.ini" + filename = "${path.module}/inventories/inventory-${var.environment}.ini" } resource "null_resource" "ansible_update_known_hosts" { diff --git a/tf/modules/ansible_inventory/variables.tf b/tf/modules/ansible_inventory/variables.tf index ce517012..be73a408 100644 --- a/tf/modules/ansible_inventory/variables.tf +++ b/tf/modules/ansible_inventory/variables.tf @@ -1,3 +1,7 @@ variable "server_groups" { type = map(list(string)) } + +variable "environment" { + type = string +} diff --git a/tf/modules/ecs_cluster/variables.tf b/tf/modules/ecs_cluster/variables.tf index 9703d9fc..128ec72a 100644 --- a/tf/modules/ecs_cluster/variables.tf +++ b/tf/modules/ecs_cluster/variables.tf @@ -49,7 +49,7 @@ variable "admin_cidr_ingress" { } variable "instance_type" { - default = "t2.micro" + default = "t2.small" } variable "instance_volume_size" { 
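Review bot: `var.environment` is interpolated into a filesystem path (`"${path.module}/inventories/inventory-${var.environment}.ini"`) with no validation, and the workflow matrix uses the same value to pick which committed inventory the check runs against, so an unexpected value yields an odd path or a mismatched inventory with no clear error. Add a validation block to the new variable: `validation { condition = can(regex("^[a-z0-9-]+$", var.environment)); error_message = "environment must be a short lowercase slug" }`. A `description` on the variable stating that it names the inventory file would also help, since the module is now the only thing that couples the Terraform environment name to the Ansible side.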
diff --git a/tf/modules/ooniapi_service/variables.tf b/tf/modules/ooniapi_service/variables.tf
index c61ef3bc..b2b541b9 100644
--- a/tf/modules/ooniapi_service/variables.tf
+++ b/tf/modules/ooniapi_service/variables.tf
@@ -31,7 +31,7 @@ variable "tags" {
 variable "service_desired_count" {
 description = "Desired numbers of instances in the ecs service"
- default = 1
+ default = 2
 }
 variable "task_cpu" {
diff --git a/tf/modules/oonidevops_github_user/main.tf b/tf/modules/oonidevops_github_user/main.tf
new file mode 100644
index 00000000..3c698767
--- /dev/null
+++ b/tf/modules/oonidevops_github_user/main.tf
@@ -0,0 +1,35 @@
+resource "aws_iam_user" "oonidevops_github" {
+ name = "oonidevops-github"
+ path = "/"
+
+ tags = var.tags
+}
+
+resource "aws_iam_policy" "oonidevops_github" {
+ name = "oonidevops-github-policy"
+ description = "A test policy"
+ policy = file("${path.module}/templates/oonidevops_github_policy.json")
+}
+
+resource "aws_iam_user_policy_attachment" "oonidevops_github" {
+ user = aws_iam_user.oonidevops_github.name
+ policy_arn = aws_iam_policy.oonidevops_github.arn
+}
+
+resource "aws_iam_access_key" "oonidevops_github" {
+ user = aws_iam_user.oonidevops_github.name
+}
+
+resource "aws_secretsmanager_secret" "oonidevops_github" {
+ name = "oonidevops/github_user/access_key_json"
+
+ tags = var.tags
+}
+
+resource "aws_secretsmanager_secret_version" "oonidevops_github" {
+ secret_id = aws_secretsmanager_secret.oonidevops_github.id
+ secret_string = jsonencode({
+ "AccessKeyId" = aws_iam_access_key.oonidevops_github.id,
+ "SecretAccessKey" = aws_iam_access_key.oonidevops_github.secret
+ })
+}
diff --git a/tf/modules/oonidevops_github_user/outputs.tf b/tf/modules/oonidevops_github_user/outputs.tf
new file mode 100644
index 00000000..143dc5fb
--- /dev/null
+++ b/tf/modules/oonidevops_github_user/outputs.tf
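Review bot: `aws_iam_access_key.oonidevops_github` has no `pgp_key`, so the secret access key is written in plaintext into the Terraform state (in addition to Secrets Manager and, presumably, GitHub repository secrets), it is long-lived with no rotation, and its only consumer is a GitHub Actions workflow — exactly the case GitHub's OIDC provider exists for. Replace the user + access key + secret with an `aws_iam_openid_connect_provider` for `token.actions.githubusercontent.com` and an `aws_iam_role` trusted via `sts:AssumeRoleWithWebIdentity` whose `sub` condition is pinned to this repository, and attach the existing policy to the role; the `oonidevops_github_user_secrets_id` output in the next file goes away with it. If the IAM user must stay, set `pgp_key` on the access key so state holds only ciphertext, and replace `description = "A test policy"` with what the policy is actually for.
```hcl
# GitHub OIDC federation: short-lived STS credentials, nothing to store in
# GitHub secrets, Secrets Manager or Terraform state.
resource "aws_iam_openid_connect_provider" "github" {
  url            = "https://token.actions.githubusercontent.com"
  client_id_list = ["sts.amazonaws.com"]
  # Take the current value from GitHub's OIDC documentation before applying.
  thumbprint_list = ["6938fd4d98bab03faadb97b34396831e3780aea1"]
}

resource "aws_iam_role" "oonidevops_github" {
  name = "oonidevops-github"
  tags = var.tags

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Federated = aws_iam_openid_connect_provider.github.arn }
      Action    = "sts:AssumeRoleWithWebIdentity"
      Condition = {
        StringEquals = { "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com" }
        # Only workflows of this repository; tighten to a ref/environment if needed.
        StringLike = { "token.actions.githubusercontent.com:sub" = "repo:ooni/devops:*" }
      }
    }]
  })
}

# … unchanged: aws_iam_policy "oonidevops_github" …

resource "aws_iam_role_policy_attachment" "oonidevops_github" {
  role       = aws_iam_role.oonidevops_github.name
  policy_arn = aws_iam_policy.oonidevops_github.arn
}
# aws_iam_user, aws_iam_user_policy_attachment, aws_iam_access_key and both
# aws_secretsmanager_* resources are no longer needed.
```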
@@ -0,0 +1,7 @@
+output "oonidevops_github_user_arn" {
+ value = aws_iam_user.oonidevops_github.arn
+}
+
+output "oonidevops_github_user_secrets_id" {
+ value = aws_secretsmanager_secret.oonidevops_github.id
+}
diff --git a/tf/modules/oonidevops_github_user/templates/oonidevops_github_policy.json b/tf/modules/oonidevops_github_user/templates/oonidevops_github_policy.json
new file mode 100644
index 00000000..85ed8450
--- /dev/null
+++ b/tf/modules/oonidevops_github_user/templates/oonidevops_github_policy.json
@@ -0,0 +1,168 @@ +{ + "Statement": [ + { + "Action": [ + "acm:Describe*", + "acm:Get*", + "acm:List*", + "application-autoscaling:Describe*", + "application-autoscaling:ListTagsForResource", + "appmesh:Describe*", + "appmesh:List*", + "autoscaling:Describe*", + "autoscaling:GetPredictiveScalingForecast", + "cloudformation:Describe*", + "cloudformation:Detect*", + "cloudformation:Estimate*", + "cloudformation:Get*", + "cloudformation:List*", + "cloudformation:ValidateTemplate", + "cloudtrail:Describe*", + "cloudtrail:Get*", + "cloudtrail:List*", + "cloudtrail:LookupEvents", + "cloudwatch:Describe*", + "cloudwatch:GenerateQuery", + "cloudwatch:Get*", + "cloudwatch:List*", + "codebuild:BatchGet*", + "codebuild:DescribeCodeCoverages", + "codebuild:DescribeTestCases", + "codebuild:List*", + "codedeploy:BatchGet*", + "codedeploy:Get*", + "codedeploy:List*", + "codepipeline:Get*", + "codepipeline:List*", + "codestar-connections:GetConnection", + "codestar-connections:GetHost", + "codestar-connections:GetRepositoryLink", + "codestar-connections:GetRepositorySyncStatus", + "codestar-connections:GetResourceSyncStatus", + "codestar-connections:GetSyncConfiguration", + "codestar-connections:ListConnections", + "codestar-connections:ListHosts", + "codestar-connections:ListRepositoryLinks", + "codestar-connections:ListRepositorySyncDefinitions", + "codestar-connections:ListSyncConfigurations", + "codestar-connections:ListTagsForResource", + "codestar-notifications:describeNotificationRule", + "codestar-notifications:listEventTypes", + "codestar-notifications:listNotificationRules", + "codestar-notifications:listTagsForResource", + "codestar-notifications:ListTargets", + "dynamodb:BatchGet*", + "dynamodb:Describe*", + "dynamodb:Get*", + "dynamodb:List*", + "dynamodb:PartiQLSelect", + "dynamodb:Query", + "dynamodb:Scan", + "ec2:Describe*", + "ec2:Get*", + "ec2:ListImagesInRecycleBin", + "ec2:ListSnapshotsInRecycleBin", + "ec2:SearchLocalGatewayRoutes", + 
"ec2:SearchTransitGatewayRoutes", + "ec2messages:Get*", + "ecr-public:BatchCheckLayerAvailability", + "ecr-public:DescribeImages", + "ecr-public:DescribeImageTags", + "ecr-public:DescribeRegistries", + "ecr-public:DescribeRepositories", + "ecr-public:GetAuthorizationToken", + "ecr-public:GetRegistryCatalogData", + "ecr-public:GetRepositoryCatalogData", + "ecr-public:GetRepositoryPolicy", + "ecr-public:ListTagsForResource", + "ecr:BatchCheck*", + "ecr:BatchGet*", + "ecr:Describe*", + "ecr:Get*", + "ecr:List*", + "ecs:Describe*", + "ecs:List*", + "elasticloadbalancing:Describe*", + "logs:Describe*", + "logs:FilterLogEvents", + "logs:Get*", + "logs:ListAnomalies", + "logs:ListLogAnomalyDetectors", + "logs:ListLogDeliveries", + "logs:ListTagsForResource", + "logs:ListTagsLogGroup", + "logs:StartLiveTail", + "logs:StartQuery", + "logs:StopLiveTail", + "logs:StopQuery", + "logs:TestMetricFilter", + "iam:Generate*", + "iam:Get*", + "iam:List*", + "iam:Simulate*", + "rds:Describe*", + "rds:Download*", + "rds:List*", + "route53-recovery-cluster:Get*", + "route53-recovery-cluster:ListRoutingControls", + "route53-recovery-control-config:Describe*", + "route53-recovery-control-config:GetResourcePolicy", + "route53-recovery-control-config:List*", + "route53-recovery-readiness:Get*", + "route53-recovery-readiness:List*", + "route53:Get*", + "route53:List*", + "route53:Test*", + "route53domains:Check*", + "route53domains:Get*", + "route53domains:List*", + "route53domains:View*", + "route53resolver:Get*", + "route53resolver:List*", + "s3:DescribeJob", + "s3:Get*", + "s3:List*", + "secretsmanager:Describe*", + "secretsmanager:GetResourcePolicy", + "secretsmanager:List*", + "secretsmanager:GetSecretValue", + "secretsmanager:DescribeSecret", + "servicediscovery:DiscoverInstances", + "servicediscovery:DiscoverInstancesRevision", + "servicediscovery:Get*", + "servicediscovery:List*", + "ssm:Describe*", + "ssm:Get*", + "ssm:List*", + "ssm:GetParameter", + 
"secretsmanager:GetSecretValue", + "states:Describe*", + "states:GetExecutionHistory", + "states:List*", + "vpc-lattice:GetAccessLogSubscription", + "vpc-lattice:GetAuthPolicy", + "vpc-lattice:GetListener", + "vpc-lattice:GetResourcePolicy", + "vpc-lattice:GetRule", + "vpc-lattice:GetService", + "vpc-lattice:GetServiceNetwork", + "vpc-lattice:GetServiceNetworkServiceAssociation", + "vpc-lattice:GetServiceNetworkVpcAssociation", + "vpc-lattice:GetTargetGroup", + "vpc-lattice:ListAccessLogSubscriptions", + "vpc-lattice:ListListeners", + "vpc-lattice:ListRules", + "vpc-lattice:ListServiceNetworks", + "vpc-lattice:ListServiceNetworkServiceAssociations", + "vpc-lattice:ListServiceNetworkVpcAssociations", + "vpc-lattice:ListServices", + "vpc-lattice:ListTagsForResource", + "vpc-lattice:ListTargetGroups", + "vpc-lattice:ListTargets" + ], + "Effect": "Allow", + "Resource": "*" + } + ], + "Version": "2012-10-17" +} \ No newline at end of file diff --git a/tf/modules/oonidevops_github_user/variables.tf b/tf/modules/oonidevops_github_user/variables.tf new file mode 100644 index 00000000..433e987a --- /dev/null +++ b/tf/modules/oonidevops_github_user/variables.tf @@ -0,0 +1,5 @@ +variable "tags" { + description = "tags to apply to the resources" + default = {} + type = map(string) +}