chore: terraform setup

Author: rcmonteiro

.github/workflows/ci.yml

@@ -45,20 +45,37 @@ jobs:
       - name: Run tests
         run: pnpm run test
 
-      - name: Login on Container Registry
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
       - name: Create tag
         id: create_tag
         run: |
           SHA=$(echo $GITHUB_SHA | head -c7)
           echo "sha=$SHA" >> $GITHUB_OUTPUT
 
-      - name: Build docker image
-        run: docker build -t rcmonteiro/devops-sample-api-ci:${{ steps.create_tag.outputs.sha }} .
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::381492262362:role/ecr_role
+          aws-region: us-east-2
+
+      - name: Login to AWS ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v2
+
+      # Exemplo de publicação no Docker Hub
+      # - name: Login on Container Registry
+      #   uses: docker/login-action@v3
+      #   with:
+      #     username: ${{ secrets.DOCKERHUB_USERNAME }}
+      #     password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      # - name: Build and Push to Docker
+      #   uses: docker/build-push-action@v5
+      #   with:
+      #     push: true
+      #     tags: rcmonteiro/devops-sample-api-ci:${{ steps.create_tag.outputs.sha }},rcmonteiro/devops-sample-api-ci:latest
 
-      - name: Push image to container registry
-        run: docker push rcmonteiro/devops-sample-api-ci:${{ steps.create_tag.outputs.sha }}
+#      - name: Build docker image
+#        run: docker build -t rcmonteiro/devops-sample-api-ci:${{ steps.create_tag.outputs.sha }} .
+#
+#      - name: Push image to container registry
+#        run: docker push rcmonteiro/devops-sample-api-ci:${{ steps.create_tag.outputs.sha }}

.gitignore

@@ -3,6 +3,8 @@
 /node_modules
 /build
 
+**/.terraform/
+
 # Logs
 logs
 *.log

iac/.terraform.lock.hcl

@@ -0,0 +1,13 @@
+resource "aws_ecr_repository" "rcmonteiro_devops_nest_api" {
+  name = "rcmonteiro_devops_nest_ci"
+
+  image_tag_mutability = "MUTABLE"
+
+  image_scanning_configuration {
+    scan_on_push = true
+  }
+
+  tags = {
+    IaC = "True"
+  }
+}

iac/ecr.tf

@@ -0,0 +1,73 @@
+# Step 1: Create an IAM identity provider for GitHub
+resource "aws_iam_openid_connect_provider" "openid_connect_provider" {
+  url = "https://token.actions.githubusercontent.com"
+  client_id_list = [
+    "sts.amazonaws.com",
+  ]
+  thumbprint_list = [
+    "959CB2B52B4AD201A593847ABCA32FF48F838C2E",
+  ]
+  tags = {
+    IaC = "True"
+  }
+}
+
+# Step 2: Create an IAM role for the ECR repository
+resource "aws_iam_role" "ecr_role" {
+  name = "ecr_role"
+
+  assume_role_policy = jsonencode({
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": "sts:AssumeRoleWithWebIdentity",
+            "Principal": {
+                "Federated": "arn:aws:iam::381492262362:oidc-provider/token.actions.githubusercontent.com"
+            },
+            "Condition": {
+                "StringEquals": {
+                    "token.actions.githubusercontent.com:aud": [
+                        "sts.amazonaws.com"
+                    ],
+                    "token.actions.githubusercontent.com:sub": [
+                        "repo:rcmonteiro/devops-create-image-nest-api:ref:refs/heads/main"
+                    ]
+                }
+            }
+        }
+    ]
+  })
+
+  # Step 3: Attach the AmazonEC2ContainerRegistryPowerUser managed policy to the IAM role
+  inline_policy {
+    name = "ecr-app-permission"
+
+    policy = jsonencode({
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "ecr:GetDownloadUrlForLayer",
+                "ecr:BatchGetImage",
+                "ecr:BatchCheckLayerAvailability",
+                "ecr:PutImage",
+                "ecr:InitiateLayerUpload",
+                "ecr:UploadLayerPart",
+                "ecr:CompleteLayerUpload",
+                "ecr:GetAuthorizationToken"
+            ],
+            "Resource": "*"
+        }
+      ]
+    })
+  }
+
+  tags = {
+    IaC = "True"
+  }
+}
+
+
+

iac/iam.tf

@@ -0,0 +1,13 @@
+terraform {
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+      version = "5.53.0"
+    }
+  }
+}
+
+provider "aws" {
+  profile = "rcmonteiro-iac"
+  region = "us-east-2"
+}

iac/main.tf

@@ -0,0 +1,120 @@
+{
+  "version": 4,
+  "terraform_version": "1.8.5",
+  "serial": 13,
+  "lineage": "822cea9a-3abf-0b83-a30a-b80aa636cd29",
+  "outputs": {},
+  "resources": [
+    {
+      "mode": "managed",
+      "type": "aws_ecr_repository",
+      "name": "rcmonteiro_devops_nest_api",
+      "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "arn": "arn:aws:ecr:us-east-2:381492262362:repository/rcmonteiro_devops_nest_ci",
+            "encryption_configuration": [
+              {
+                "encryption_type": "AES256",
+                "kms_key": ""
+              }
+            ],
+            "force_delete": null,
+            "id": "rcmonteiro_devops_nest_ci",
+            "image_scanning_configuration": [
+              {
+                "scan_on_push": true
+              }
+            ],
+            "image_tag_mutability": "MUTABLE",
+            "name": "rcmonteiro_devops_nest_ci",
+            "registry_id": "381492262362",
+            "repository_url": "381492262362.dkr.ecr.us-east-2.amazonaws.com/rcmonteiro_devops_nest_ci",
+            "tags": {
+              "IaC": "True"
+            },
+            "tags_all": {
+              "IaC": "True"
+            },
+            "timeouts": null
+          },
+          "sensitive_attributes": [],
+          "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiZGVsZXRlIjoxMjAwMDAwMDAwMDAwfX0="
+        }
+      ]
+    },
+    {
+      "mode": "managed",
+      "type": "aws_iam_openid_connect_provider",
+      "name": "openid_connect_provider",
+      "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "arn": "arn:aws:iam::381492262362:oidc-provider/token.actions.githubusercontent.com",
+            "client_id_list": [
+              "sts.amazonaws.com"
+            ],
+            "id": "arn:aws:iam::381492262362:oidc-provider/token.actions.githubusercontent.com",
+            "tags": {
+              "IaC": "True"
+            },
+            "tags_all": {
+              "IaC": "True"
+            },
+            "thumbprint_list": [
+              "959cb2b52b4ad201a593847abca32ff48f838c2e"
+            ],
+            "url": "token.actions.githubusercontent.com"
+          },
+          "sensitive_attributes": [],
+          "private": "bnVsbA=="
+        }
+      ]
+    },
+    {
+      "mode": "managed",
+      "type": "aws_iam_role",
+      "name": "ecr_role",
+      "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "arn": "arn:aws:iam::381492262362:role/ecr_role",
+            "assume_role_policy": "{\"Statement\":[{\"Action\":\"sts:AssumeRoleWithWebIdentity\",\"Condition\":{\"StringEquals\":{\"token.actions.githubusercontent.com:aud\":[\"sts.amazonaws.com\"],\"token.actions.githubusercontent.com:sub\":[\"repo:rcmonteiro/devops-create-image-nest-api:ref:refs/heads/main\"]}},\"Effect\":\"Allow\",\"Principal\":{\"Federated\":\"arn:aws:iam::381492262362:oidc-provider/token.actions.githubusercontent.com\"}}],\"Version\":\"2012-10-17\"}",
+            "create_date": "2024-06-13T14:46:28Z",
+            "description": "",
+            "force_detach_policies": false,
+            "id": "ecr_role",
+            "inline_policy": [
+              {
+                "name": "ecr-app-permission",
+                "policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":[\"ecr:GetDownloadUrlForLayer\",\"ecr:BatchGetImage\",\"ecr:BatchCheckLayerAvailability\",\"ecr:PutImage\",\"ecr:InitiateLayerUpload\",\"ecr:UploadLayerPart\",\"ecr:CompleteLayerUpload\",\"ecr:GetAuthorizationToken\"],\"Effect\":\"Allow\",\"Resource\":\"*\"}]}"
+              }
+            ],
+            "managed_policy_arns": [],
+            "max_session_duration": 3600,
+            "name": "ecr_role",
+            "name_prefix": "",
+            "path": "/",
+            "permissions_boundary": "",
+            "tags": {
+              "IaC": "True"
+            },
+            "tags_all": {
+              "IaC": "True"
+            },
+            "unique_id": "AROAVRUVV6XNFQSFABCAM"
+          },
+          "sensitive_attributes": [],
+          "private": "bnVsbA=="
+        }
+      ]
+    }
+  ],
+  "check_results": null
+}

iac/terraform.tfstate

@@ -0,0 +1,80 @@
+{
+  "version": 4,
+  "terraform_version": "1.8.5",
+  "serial": 10,
+  "lineage": "822cea9a-3abf-0b83-a30a-b80aa636cd29",
+  "outputs": {},
+  "resources": [
+    {
+      "mode": "managed",
+      "type": "aws_iam_openid_connect_provider",
+      "name": "openid_connect_provider",
+      "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "arn": "arn:aws:iam::381492262362:oidc-provider/token.actions.githubusercontent.com",
+            "client_id_list": [
+              "sts.amazonaws.com"
+            ],
+            "id": "arn:aws:iam::381492262362:oidc-provider/token.actions.githubusercontent.com",
+            "tags": {
+              "IaC": "True"
+            },
+            "tags_all": {
+              "IaC": "True"
+            },
+            "thumbprint_list": [
+              "959cb2b52b4ad201a593847abca32ff48f838c2e"
+            ],
+            "url": "token.actions.githubusercontent.com"
+          },
+          "sensitive_attributes": [],
+          "private": "bnVsbA=="
+        }
+      ]
+    },
+    {
+      "mode": "managed",
+      "type": "aws_iam_role",
+      "name": "ecr_role",
+      "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "arn": "arn:aws:iam::381492262362:role/ecr_role",
+            "assume_role_policy": "{\"Statement\":[{\"Action\":\"sts:AssumeRoleWithWebIdentity\",\"Condition\":{\"StringEquals\":{\"token.actions.githubusercontent.com:aud\":[\"sts.amazonaws.com\"],\"token.actions.githubusercontent.com:sub\":[\"repo:rcmonteiro/devops-create-image-nest-api:ref:refs/heads/main\"]}},\"Effect\":\"Allow\",\"Principal\":{\"Federated\":\"arn:aws:iam::381492262362:oidc-provider/token.actions.githubusercontent.com\"}}],\"Version\":\"2012-10-17\"}",
+            "create_date": "2024-06-13T14:46:28Z",
+            "description": "",
+            "force_detach_policies": false,
+            "id": "ecr_role",
+            "inline_policy": [
+              {
+                "name": "ecr-app-permission",
+                "policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":[\"ecr:GetDownloadUrlForLayer\",\"ecr:BatchGetImage\",\"ecr:BatchCheckLayerAvailability\",\"ecr:PutImage\",\"ecr:InitiateLayerUpload\",\"ecr:UploadLayerPart\",\"ecr:CompleteLayerUpload\",\"ecr:GetAuthorizationToken\"],\"Effect\":\"Allow\",\"Resource\":\"*\"}]}"
+              }
+            ],
+            "managed_policy_arns": [],
+            "max_session_duration": 3600,
+            "name": "ecr_role",
+            "name_prefix": "",
+            "path": "/",
+            "permissions_boundary": "",
+            "tags": {
+              "IaC": "True"
+            },
+            "tags_all": {
+              "IaC": "True"
+            },
+            "unique_id": "AROAVRUVV6XNFQSFABCAM"
+          },
+          "sensitive_attributes": [],
+          "private": "bnVsbA=="
+        }
+      ]
+    }
+  ],
+  "check_results": null
+}