ractf · thebeanogamer · Jun 12, 2020 · Jun 12, 2020 · Jun 12, 2020 · Jun 12, 2020
diff --git a/main.tf b/main.tf
@@ -33,3 +33,15 @@ module "shortener_dns" {
   domain   = var.ractf_shortener_domain
   endpoint = var.shortener_endpoint
 }
+
+module "github_repos" {
+  source = "./modules/github/repos"
+}
+
+module "github_ci" {
+  source           = "./modules/github/ci"
+  shell_repo       = module.github_repos.shell_repo
+  shell_deploy_id  = module.frontend.shell_deploy_id
+  shell_deploy_key = module.frontend.shell_deploy_key
+  shell_bucket     = module.frontend.s3_bucket
+}
diff --git a/modules/aws/frontend/main.tf b/modules/aws/frontend/main.tf
@@ -87,3 +87,8 @@ resource "aws_cloudfront_distribution" "frontend_distribution" {
   }
 }
 
+module "deploy_user" {
+  source      = "./modules/deploy_user"
+  bucket_name = aws_s3_bucket.frontend_bucket.id
+  bucket_arn  = aws_s3_bucket.frontend_bucket.arn
+}
diff --git a/modules/aws/frontend/modules/deploy_user/README.md b/modules/aws/frontend/modules/deploy_user/README.md
@@ -0,0 +1,3 @@
+# Deploy User
+
+Create the deploy user for shell.
diff --git a/modules/aws/frontend/modules/deploy_user/inputs.tf b/modules/aws/frontend/modules/deploy_user/inputs.tf
@@ -0,0 +1,9 @@
+variable "bucket_name" {
+  type        = string
+  description = "The name of the shell bucket"
+}
+
+variable "bucket_arn" {
+  type        = string
+  description = "The arn of the shell bucket"
+}
diff --git a/modules/aws/frontend/modules/deploy_user/main.tf b/modules/aws/frontend/modules/deploy_user/main.tf
@@ -0,0 +1,44 @@
+resource "aws_iam_access_key" "shell_deploy_key" {
+  user = aws_iam_user.shell_deploy.name
+}
+
+resource "aws_iam_user" "shell_deploy" {
+  name = "shell_deploy"
+  path = "/system/"
+}
+
+resource "aws_iam_user_policy" "lb_ro" {
+  name = "test"
+  user = aws_iam_user.shell_deploy.name
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+        {
+            "Sid": "CI-Permissions-Read",
+            "Effect": "Allow",
+            "Principal": {
+                "AWS": "${aws_iam_user.shell_deploy.arn}"
+            },
+            "Action": "s3:ListBucket",
+            "Resource": "${var.bucket_arn}"
+        },
+        {
+            "Sid": "CI-Permissions",
+            "Effect": "Allow",
+            "Principal": {
+                "AWS": "${aws_iam_user.shell_deploy.arn}"
+            },
+            "Action": [
+                "s3:PutObject",
+                "s3:PutObjectAcl",
+                "s3:GetObject",
+                "s3:DeleteObject"
+            ],
+            "Resource": "${var.bucket_arn}/*"
+        }
+  ]
+}
+EOF
+}
diff --git a/modules/aws/frontend/modules/deploy_user/outputs.tf b/modules/aws/frontend/modules/deploy_user/outputs.tf
@@ -0,0 +1,9 @@
+output "shell_deploy_id" {
+  value       = aws_iam_access_key.shell_deploy_key.id
+  description = "The ID of the AWS deploy key for shell"
+}
+
+output "shell_deploy_key" {
+  value       = aws_iam_access_key.shell_deploy_key.secret
+  description = "The key for the AWS deploy key for shell"
+}
diff --git a/modules/aws/frontend/outputs.tf b/modules/aws/frontend/outputs.tf
@@ -1,3 +1,18 @@
 output "endpoint" {
   value = aws_cloudfront_distribution.frontend_distribution.domain_name
-}
+}
+
+output "s3_bucket" {
+  value       = aws_s3_bucket.frontend_bucket.id
+  description = "The S3 bucket containing frontend"
+}
+
+output "shell_deploy_id" {
+  value       = module.deploy_user.shell_deploy_id
+  description = "The ID of the AWS deploy key for shell"
+}
+
+output "shell_deploy_key" {
+  value       = module.deploy_user.shell_deploy_key
+  description = "The key for the AWS deploy key for shell"
+}
diff --git a/modules/github/ci/README.md b/modules/github/ci/README.md
@@ -0,0 +1,3 @@
+# CI
+
+Automatically inject secrets into GitHub Actions secrets.
diff --git a/modules/github/ci/inputs.tf b/modules/github/ci/inputs.tf
@@ -0,0 +1,19 @@
+variable "shell_repo" {
+  type        = string
+  description = "The full name of the shell repo"
+}
+
+variable "shell_deploy_id" {
+  type        = string
+  description = "The ID of the AWS deploy key for shell"
+}
+
+variable "shell_deploy_key" {
+  type        = string
+  description = "The key for the AWS deploy key for shell"
+}
+
+variable "shell_bucket" {
+  type        = string
+  description = "The S3 bucket for shell"
+}
diff --git a/modules/github/ci/main.tf b/modules/github/ci/main.tf
@@ -0,0 +1,17 @@
+resource "github_actions_secret" "access_key_id" {
+  repository      = var.shell_repo
+  secret_name     = "AWS_ACCESS_KEY_ID"
+  plaintext_value = var.shell_deploy_id
+}
+
+resource "github_actions_secret" "access_key" {
+  repository      = var.shell_repo
+  secret_name     = "AWS_SECRET_ACCESS_KEY"
+  plaintext_value = var.shell_deploy_key
+}
+
+resource "github_actions_secret" "shell_bucket" {
+  repository      = var.shell_repo
+  secret_name     = "AWS_S3_BUCKET"
+  plaintext_value = var.shell_bucket
+}
diff --git a/modules/github/ci/output.tf b/modules/github/ci/output.tf
diff --git a/modules/github/repos/README.md b/modules/github/repos/README.md
@@ -0,0 +1,3 @@
+# Repos
+
+Manage GitHub repositories
diff --git a/modules/github/repos/inputs.tf b/modules/github/repos/inputs.tf
diff --git a/modules/github/repos/main.tf b/modules/github/repos/main.tf
@@ -0,0 +1,53 @@
+resource "github_repository" "shell" {
+  name        = "shell"
+  description = "A shiny new SPA frontend for the RACTF core."
+  private     = false
+}
+
+resource "github_repository" "core" {
+  name        = "core"
+  description = "The public RACTF backend."
+  private     = false
+}
+
+resource "github_repository" "infrastructure" {
+  name        = "infrastructure"
+  description = "The infrastructure-as-code which runs the cloud components of RACTF."
+  private     = false
+}
+
+resource "github_repository" "ui-kit" {
+  name        = "ui-kit"
+  description = "The RACTF UI framework."
+  private     = false
+}
+
+resource "github_repository" "challenges" {
+  name        = "challenges"
+  description = "RACTF challenges."
+  private     = true
+}
+
+resource "github_repository" "homepage" {
+  name        = "homepage"
+  description = "The RACTF UI homepage."
+  private     = true
+}
+
+resource "github_repository" "writeups" {
+  name        = "writeups"
+  description = "Community-contributed writeups for RACTF!"
+  private     = false
+}
+
+resource "github_repository" "andromeda" {
+  name        = "andromeda"
+  description = "Manages challenge docker containers for RACTF."
+  private     = false
+}
+
+resource "github_repository" "backend" {
+  name        = "backend"
+  description = "The proprietary RACTF backend."
+  private     = true
+}
diff --git a/modules/github/repos/output.tf b/modules/github/repos/output.tf
@@ -0,0 +1,3 @@
+output "shell_repo" {
+  value = github_repository.shell.full_name
+}
diff --git a/providers.tf b/providers.tf
@@ -14,3 +14,8 @@ provider "cloudflare" {
   email   = var.cloudflare_email
   api_key = var.cloudflare_api_key
 }
+
+provider "github" {
+  token        = var.github_login_token
+  organization = var.github_organization
+}
diff --git a/variables.tf b/variables.tf
@@ -40,3 +40,13 @@ variable "github_token" {
   type        = string
   description = "GitHub verification token"
 }
+
+variable "github_login_token" {
+  type        = string
+  description = "Token to login to GitHub"
+}
+
+variable "github_organization" {
+  type        = string
+  description = "GitHub organisation name"
+}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		# Deploy User

		Create the deploy user for shell.
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		# CI

		Automatically inject secrets into GitHub Actions secrets.