ooni · hellais · Mar 14, 2024 · Mar 13, 2024 · Mar 13, 2024 · Mar 13, 2024
diff --git a/tf/environments/dev/.terraform.lock.hcl b/tf/environments/dev/.terraform.lock.hcl
diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf
@@ -19,7 +19,6 @@ locals {
 ## AWS Setup
 
 provider "aws" {
- profile = "oonidevops_user"
  region = var.aws_region
  assume_role {
  role_arn = "arn:aws:iam::905418398257:role/oonidevops"
@@ -296,3 +295,9 @@ module "ooniapi_frontend" {
  )
 }
 
+module "oonidevops_github_user" {
+ source = "../../modules/oonidevops_github_user"
+
+ tags = local.tags
+}
+
diff --git a/tf/modules/oonidevops_github_user/main.tf b/tf/modules/oonidevops_github_user/main.tf
@@ -0,0 +1,189 @@
+resource "aws_iam_user" "oonidevops_github_user" {
+ name = "oonidevops-github"
+ path = "/"
+
+ tags = var.tags
+}
+
+data "aws_iam_policy_document" "oonidevops_github" {
+ statement {
+ effect = "Allow"
+ actions = [
+ "acm:Describe*",
+ "acm:Get*",
+ "acm:List*",
+ "application-autoscaling:Describe*",
+ "application-autoscaling:ListTagsForResource",
+ "appmesh:Describe*",
+ "appmesh:List*",
+ "autoscaling:Describe*",
+ "autoscaling:GetPredictiveScalingForecast",
+ "cloudformation:Describe*",
+ "cloudformation:Detect*",
+ "cloudformation:Estimate*",
+ "cloudformation:Get*",
+ "cloudformation:List*",
+ "cloudformation:ValidateTemplate",
+ "cloudtrail:Describe*",
+ "cloudtrail:Get*",
+ "cloudtrail:List*",
+ "cloudtrail:LookupEvents",
+ "cloudwatch:Describe*",
+ "cloudwatch:GenerateQuery",
+ "cloudwatch:Get*",
+ "cloudwatch:List*",
+ "codebuild:BatchGet*",
+ "codebuild:DescribeCodeCoverages",
+ "codebuild:DescribeTestCases",
+ "codebuild:List*",
+ "codedeploy:BatchGet*",
+ "codedeploy:Get*",
+ "codedeploy:List*",
+ "codepipeline:Get*",
+ "codepipeline:List*",
+ "codestar-connections:GetConnection",
+ "codestar-connections:GetHost",
+ "codestar-connections:GetRepositoryLink",
+ "codestar-connections:GetRepositorySyncStatus",
+ "codestar-connections:GetResourceSyncStatus",
+ "codestar-connections:GetSyncConfiguration",
+ "codestar-connections:ListConnections",
+ "codestar-connections:ListHosts",
+ "codestar-connections:ListRepositoryLinks",
+ "codestar-connections:ListRepositorySyncDefinitions",
+ "codestar-connections:ListSyncConfigurations",
+ "codestar-connections:ListTagsForResource",
+ "codestar-notifications:describeNotificationRule",
+ "codestar-notifications:listEventTypes",
+ "codestar-notifications:listNotificationRules",
+ "codestar-notifications:listTagsForResource",
+ "codestar-notifications:ListTargets",
+ "dynamodb:BatchGet*",
+ "dynamodb:Describe*",
+ "dynamodb:Get*",
+ "dynamodb:List*",
+ "dynamodb:PartiQLSelect",
+ "dynamodb:Query",
+ "dynamodb:Scan",
+ "ec2:Describe*",
+ "ec2:Get*",
+ "ec2:ListImagesInRecycleBin",
+ "ec2:ListSnapshotsInRecycleBin",
+ "ec2:SearchLocalGatewayRoutes",
+ "ec2:SearchTransitGatewayRoutes",
+ "ec2messages:Get*",
+ "ecr-public:BatchCheckLayerAvailability",
+ "ecr-public:DescribeImages",
+ "ecr-public:DescribeImageTags",
+ "ecr-public:DescribeRegistries",
+ "ecr-public:DescribeRepositories",
+ "ecr-public:GetAuthorizationToken",
+ "ecr-public:GetRegistryCatalogData",
+ "ecr-public:GetRepositoryCatalogData",
+ "ecr-public:GetRepositoryPolicy",
+ "ecr-public:ListTagsForResource",
+ "ecr:BatchCheck*",
+ "ecr:BatchGet*",
+ "ecr:Describe*",
+ "ecr:Get*",
+ "ecr:List*",
+ "ecs:Describe*",
+ "ecs:List*",
+ "elasticloadbalancing:Describe*",
+ "logs:Describe*",
+ "logs:FilterLogEvents",
+ "logs:Get*",
+ "logs:ListAnomalies",
+ "logs:ListLogAnomalyDetectors",
+ "logs:ListLogDeliveries",
+ "logs:ListTagsForResource",
+ "logs:ListTagsLogGroup",
+ "logs:StartLiveTail",
+ "logs:StartQuery",
+ "logs:StopLiveTail",
+ "logs:StopQuery",
+ "logs:TestMetricFilter",
+ "iam:Generate*",
+ "iam:Get*",
+ "iam:List*",
+ "iam:Simulate*",
+ "rds:Describe*",
+ "rds:Download*",
+ "rds:List*",
+ "route53-recovery-cluster:Get*",
+ "route53-recovery-cluster:ListRoutingControls",
+ "route53-recovery-control-config:Describe*",
+ "route53-recovery-control-config:GetResourcePolicy",
+ "route53-recovery-control-config:List*",
+ "route53-recovery-readiness:Get*",
+ "route53-recovery-readiness:List*",
+ "route53:Get*",
+ "route53:List*",
+ "route53:Test*",
+ "route53domains:Check*",
+ "route53domains:Get*",
+ "route53domains:List*",
+ "route53domains:View*",
+ "route53resolver:Get*",
+ "route53resolver:List*",
+ "s3:DescribeJob",
+ "s3:Get*",
+ "s3:List*",
+ "secretsmanager:Describe*",
+ "secretsmanager:GetResourcePolicy",
+ "secretsmanager:List*",
+ "servicediscovery:DiscoverInstances",
+ "servicediscovery:DiscoverInstancesRevision",
+ "servicediscovery:Get*",
+ "servicediscovery:List*",
+ "ssm:Describe*",
+ "ssm:Get*",
+ "ssm:List*",
+ "states:Describe*",
+ "states:GetExecutionHistory",
+ "states:List*",
+ "vpc-lattice:GetAccessLogSubscription",
+ "vpc-lattice:GetAuthPolicy",
+ "vpc-lattice:GetListener",
+ "vpc-lattice:GetResourcePolicy",
+ "vpc-lattice:GetRule",
+ "vpc-lattice:GetService",
+ "vpc-lattice:GetServiceNetwork",
+ "vpc-lattice:GetServiceNetworkServiceAssociation",
+ "vpc-lattice:GetServiceNetworkVpcAssociation",
+ "vpc-lattice:GetTargetGroup",
+ "vpc-lattice:ListAccessLogSubscriptions",
+ "vpc-lattice:ListListeners",
+ "vpc-lattice:ListRules",
+ "vpc-lattice:ListServiceNetworks",
+ "vpc-lattice:ListServiceNetworkServiceAssociations",
+ "vpc-lattice:ListServiceNetworkVpcAssociations",
+ "vpc-lattice:ListServices",
+ "vpc-lattice:ListTagsForResource",
+ "vpc-lattice:ListTargetGroups",
+ "vpc-lattice:ListTargets"
+ ]
+ resources = ["*"]
+ }
+}
+
+resource "aws_iam_user_policy" "oonidevops_github" {
+ name = "OONIDevopsGithubPolicy"
+ user = aws_iam_user.oonidevops_github_user.name
+ policy = data.aws_iam_policy_document.oonidevops_github.json
+}
+
+resource "aws_iam_access_key" "oonidevops_github_user" {
+ user = aws_iam_user.oonidevops_github_user.name
+} 
+
+resource "aws_secretsmanager_secret" "oonidevops_github_user_secrets" {
+ name = "oonidevops/github_user/access_key_json"
+
+ tags = var.tags
+}
+
+resource "aws_secretsmanager_secret_version" "oonidevops_github_user_secrets" {
+ secret_id = aws_secretsmanager_secret.oonidevops_github_user_secrets.id
+ secret_string = jsonencode({"AccessKey": aws_iam_access_key.oonidevops_github_user.id, "SecretAccessKey" = aws_iam_access_key.oonidevops_github_user.secret})
+}
diff --git a/tf/modules/oonidevops_github_user/outputs.tf b/tf/modules/oonidevops_github_user/outputs.tf
@@ -0,0 +1,7 @@
+output "oonidevops_github_user_arn" {
+ value = aws_iam_user.oonidevops_github_user.arn
+}
+
+output "oonidevops_github_user_secrets_id" {
+ value = aws_secretsmanager_secret.oonidevops_github_user_secrets.id
+}
diff --git a/tf/modules/oonidevops_github_user/variables.tf b/tf/modules/oonidevops_github_user/variables.tf
@@ -0,0 +1,5 @@
+variable "tags" {
+ description = "tags to apply to the resources"
+ default = {}
+ type = map(string)
+}