Merge pull request #25 from lmilbaum/artifactory

artifactory module

.markdownlint.rb

@@ -0,0 +1,2 @@
+all
+exclude_rule 'MD007'

.pre-commit-config.yaml

@@ -29,6 +29,7 @@ repos:
     rev: v0.13.0
     hooks:
       - id: markdownlint
+        args: [-s, .markdownlint.rb]
   - repo: https://github.com/maxbrunet/pre-commit-renovate
     rev: 37.2.0
     hooks:
@@ -47,3 +48,7 @@ repos:
     rev: 0.2.2
     hooks:
       - id: checkmake
+  - repo: https://github.com/ansible-community/ansible-lint.git
+    rev: v6.20.2
+    hooks:
+      - id: ansible-lint

live/ci/artifactory/terragrunt.hcl

@@ -0,0 +1,15 @@
+terraform {
+  source = "../../../modules//artifactory"
+}
+
+include "root" {
+  path = find_in_parent_folders()
+}
+
+locals {
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+}
+
+inputs = merge(
+  local.environment_vars.locals
+)

live/dev/artifactory/terragrunt.hcl

@@ -0,0 +1,15 @@
+terraform {
+  source = "../../../modules//artifactory"
+}
+
+include "root" {
+  path = find_in_parent_folders()
+}
+
+locals {
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+}
+
+inputs = merge(
+  local.environment_vars.locals
+)

live/prod/artifactory/terragrunt.hcl

@@ -0,0 +1,15 @@
+terraform {
+  source = "../../../modules//artifactory"
+}
+
+include "root" {
+  path = find_in_parent_folders()
+}
+
+locals {
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+}
+
+inputs = merge(
+  local.environment_vars.locals
+)

modules/artifactory/README.md

@@ -0,0 +1,86 @@
+# artifactory
+
+IaC Spinning Artifactory instance on AWS
+
+## local DEV environment
+
+### System Requirements
+
+* AWS [credentials settings][1], profile __default__
+* Define a secret in AWS Secrets Manager:
+  * Secret name: artifactory
+  * key __artifactory_license_1__
+  * key __username__ (value must be lowercase)
+  * key __password__ (value must be lowercase)
+* `make`
+* `podman` or `docker`
+
+### pre-commit
+
+To run pre-commit locally, follow the instructions:
+
+```shell
+pip install --user pre-commit
+pre-commit install
+```
+
+### DEV Environment init
+
+```shell
+make init
+```
+
+### DEV Environment reconfigure
+
+```shell
+make reconfigure
+```
+
+### DEV Environment Up
+
+```shell
+make up
+```
+
+### DEV Environment Down
+
+```shell
+make down
+```
+
+## STAGE environment
+
+* Setup AWS profile named __stage__
+* Define a secret in AWS Secrets Manager:
+  * Secret name: artifactory
+  * key __artifactory_license_2__
+  * key __username__ (value must be lowercase)
+  * key __password__ (value must be lowercase)
+* `make`
+* `podman` or `docker`
+
+### STAGE Environment init
+
+```shell
+make init
+```
+
+### STAGE Environment reconfigure
+
+```shell
+make reconfigure
+```
+
+### STAGE Environment Up
+
+```shell
+make ENV=stage up
+```
+
+### STAGE Environment Down
+
+```shell
+make ENV=stage down
+```
+
+[1]: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html

modules/artifactory/main.tf

@@ -0,0 +1,143 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "5.19.0"
+    }
+  }
+}
+
+provider "aws" {
+  region  = var.aws_region
+  profile = var.aws_profile
+  default_tags {
+    tags = merge(var.tags, { User = var.user })
+  }
+}
+
+data "aws_ami" "centos_stream_8" {
+  most_recent = true
+  owners      = ["125523088429"]
+
+  filter {
+    name   = "name"
+    values = ["CentOS Stream 8 *"]
+  }
+
+  filter {
+    name   = "architecture"
+    values = ["x86_64"]
+  }
+}
+
+resource "aws_security_group" "security_group" {
+  name        = var.artifactory_security_group_name
+  description = "Artifactory inbound and outbound traffic"
+
+  # SSH access from anywhere
+  ingress {
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  # HTTP access from anywhere
+  ingress {
+    from_port   = 8082
+    to_port     = 8082
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  # HTTPS access from anywhere
+  ingress {
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  # outbound internet access
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+
+data "aws_iam_policy_document" "assume_policy" {
+  statement {
+    sid = "1"
+
+    principals {
+      type        = "Service"
+      identifiers = ["ec2.amazonaws.com"]
+    }
+
+    actions = [
+      "sts:AssumeRole"
+    ]
+  }
+}
+
+data "aws_iam_policy_document" "secretmanager_iam_policy_document" {
+  statement {
+    sid = "1"
+
+    actions = [
+      "secretsmanager:GetResourcePolicy",
+      "secretsmanager:GetSecretValue",
+      "secretsmanager:DescribeSecret",
+      "secretsmanager:ListSecretVersionIds",
+      "secretsmanager:ListSecrets"
+    ]
+
+    resources = [
+      "*",
+    ]
+  }
+}
+
+resource "aws_iam_role" "iam_role" {
+  name               = var.artifactory_iam_role_name
+  assume_role_policy = data.aws_iam_policy_document.assume_policy.json
+  inline_policy {
+    name   = var.secretsmanager_policy
+    policy = data.aws_iam_policy_document.secretmanager_iam_policy_document.json
+  }
+}
+
+resource "aws_iam_instance_profile" "iam_instance_profile" {
+  name = var.artifactory_iam_instance_profile
+  role = aws_iam_role.iam_role.name
+}
+
+resource "tls_private_key" "tls_private_key" {
+  algorithm = "RSA"
+  rsa_bits  = 4096
+}
+
+resource "aws_key_pair" "key_pair" {
+  key_name   = var.ssh_key_name
+  public_key = tls_private_key.tls_private_key.public_key_openssh
+}
+
+resource "local_file" "private_key" {
+  content         = tls_private_key.tls_private_key.private_key_openssh
+  filename        = var.ssh_private_file_name
+  file_permission = 0400
+}
+
+resource "aws_instance" "artifactory_instance" {
+  ami                    = data.aws_ami.centos_stream_8.id
+  instance_type          = var.artifactory_instance_type
+  vpc_security_group_ids = [aws_security_group.security_group.id]
+  iam_instance_profile   = aws_iam_instance_profile.iam_instance_profile.name
+  key_name               = aws_key_pair.key_pair.key_name
+  tags                   = merge(var.tags, { Name = var.artifactory_server_name })
+  root_block_device {
+    volume_size = 100
+  }
+}

modules/artifactory/provision/ansible.cfg

@@ -0,0 +1,9 @@
+[defaults]
+host_key_checking=False
+private_key_file=/workspace/tf-artifactory-ssh-key.pem
+ask_pass=false
+inventory=aws_ec2.yml
+remote_user=centos
+
+[inventory]
+enable_plugins = aws_ec2

modules/artifactory/provision/aws_ec2.yml

@@ -0,0 +1,10 @@
+plugin: aws_ec2
+aws_profile: "{{ lookup('env', 'AWS_PROFILE') | default('default', true) }}"
+regions:
+  - eu-central-1
+  - eu-west-2
+filters:
+  instance-state-name: running
+  tag:Project: platform-engineering
+include_filters:
+  - tag:User: "{{ lookup('env', 'USER') }}"