boldare · grzesjam · Sep 9, 2021 · Sep 10, 2021 · Sep 10, 2021 · krzysztof-miemiec
diff --git a/modules/oracle-container-registry/README.md b/modules/oracle-container-registry/README.md
@@ -0,0 +1,48 @@
+# Oracle Cloud container repository with permissions
+Very simple module that main purpose is to generate permissions and output docker urls in easy format for later use.
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_oci"></a> [oci](#requirement\_oci) | >= 4.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_oci"></a> [oci](#provider\_oci) | >= 4.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [oci_artifacts_container_repository.terraform_container_registry](https://registry.terraform.io/providers/hashicorp/oci/latest/docs/resources/artifacts_container_repository) | resource |
+| [oci_objectstorage_namespace.namespace](https://registry.terraform.io/providers/hashicorp/oci/latest/docs/data-sources/objectstorage_namespace) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_compartment_id"></a> [compartment\_id](#input\_compartment\_id) | Compartment ID in which to create container registry. | `string` | n/a | yes |
+| <a name="input_container_repository_is_immutable"></a> [container\_repository\_is\_immutable](#input\_container\_repository\_is\_immutable) | Whether the repository is immutable. Images cannot be overwritten in an immutable repository. | `bool` | `false` | no |
+| <a name="input_container_repository_is_public"></a> [container\_repository\_is\_public](#input\_container\_repository\_is\_public) | Whether the repository is public. A public repository allows unauthenticated access. | `bool` | `false` | no |
+| <a name="input_environment"></a> [environment](#input\_environment) | The environment name. | `string` | n/a | yes |
+| <a name="input_group_name_for_permission"></a> [group\_name\_for\_permission](#input\_group\_name\_for\_permission) | Used only to generate permissions that can be used later, can be skipped, doesn't create any resource based on it. | `string` | `"NULL"` | no |
+| <a name="input_project_name"></a> [project\_name](#input\_project\_name) | The project name. | `string` | n/a | yes |
+| <a name="input_region"></a> [region](#input\_region) | Region for container registry. | `string` | n/a | yes |
+| <a name="input_suffix"></a> [suffix](#input\_suffix) | Suffix that is going to be added in the end of CR name. | `string` | `"app"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_id"></a> [id](#output\_id) | ID of the container registry |
+| <a name="output_name"></a> [name](#output\_name) | Name of the container registry |
+| <a name="output_policy"></a> [policy](#output\_policy) | policies that allow push and pull to this container registry by user |
+| <a name="output_url"></a> [url](#output\_url) | url to push/pull containers to/from |
diff --git a/modules/oracle-container-registry/example/main.tf b/modules/oracle-container-registry/example/main.tf
@@ -0,0 +1,54 @@
+locals {
+  tenancy      = "ocid1.tenancy.oc1..aaaaaaaa1111111111111111111111111111111111111111111111111111"
+  project_name = "foo"
+  environment  = "dev"
+}
+
+provider "oci" {
+  tenancy_ocid        = local.tenancy
+  config_file_profile = "boldare"
+}
+module "container_registry_api_php" {
+  source = "./.."
+
+  compartment_id = local.tenancy
+  project_name   = local.project_name
+  environment    = local.environment
+  region         = "me-jeddah-1"
+  suffix         = "api"
+
+  group_name_for_permission         = "${local.project_name}-${local.environment}-CICD"
+  container_repository_is_immutable = false
+  container_repository_is_public    = false
+}
+
+module "container_registry_spa" {
+  source = "./.."
+
+  compartment_id = local.tenancy
+  project_name   = local.project_name
+  environment    = local.environment
+  region         = "me-jeddah-1"
+  suffix         = "spa"
+
+  group_name_for_permission         = "${local.project_name}-${local.environment}-CICD"
+  container_repository_is_immutable = false
+  container_repository_is_public    = false
+}
+
+module "user" {
+  source = "../../oracle-user"
+
+  tenancy_ocid        = local.tenancy
+  compartment_id      = local.tenancy
+  environment         = local.environment
+  user_name           = "${local.project_name}-${local.environment}-CICD"
+  group_name          = "${local.project_name}-${local.environment}-CICD"
+  create_auth_tokens  = true
+
+  policy_name = "${local.project_name}-${local.environment}-access-to-cr"
+  policy_statements = flatten([
+    module.container_registry_api_php.policy,
+    module.container_registry_spa.policy
+  ])
+}
diff --git a/modules/oracle-container-registry/main.tf b/modules/oracle-container-registry/main.tf
@@ -0,0 +1,19 @@
+/**
+ * # Oracle Cloud container repository with permissions
+ * Very simple module that main purpose is to generate permissions and output docker urls in easy format for later use.
+ */
+
+locals {
+  cr_name = "${var.project_name}-${var.environment}-${var.suffix}"
+}
+data "oci_objectstorage_namespace" "namespace" {
+  compartment_id = var.compartment_id
+}
+
+resource "oci_artifacts_container_repository" "terraform_container_registry" {
+  compartment_id = var.compartment_id
+  display_name   = local.cr_name
+
+  is_immutable = var.container_repository_is_immutable
+  is_public    = var.container_repository_is_public
+}
diff --git a/modules/oracle-container-registry/outputs.tf b/modules/oracle-container-registry/outputs.tf
@@ -0,0 +1,20 @@
+output "id" {
+  description = "ID of the container registry"
+  value       = oci_artifacts_container_repository.terraform_container_registry.id
+}
+output "name" {
+  description = "Name of the container registry"
+  value       = oci_artifacts_container_repository.terraform_container_registry.display_name
+}
+output "url" {
+  description = "url to push/pull containers to/from"
+  value       = "${var.region}.ocir.io/${data.oci_objectstorage_namespace.namespace.namespace}/${oci_artifacts_container_repository.terraform_container_registry.display_name}"
+}
+output "policy" {
+  description = "policies that allow push and pull to this container registry by user"
+  value = [
+    "Allow group ${var.group_name_for_permission} to read repos in compartment id ${var.compartment_id} where any { target.repo.name=/${oci_artifacts_container_repository.terraform_container_registry.display_name}*/}",
+    "Allow group ${var.group_name_for_permission} to use repos in compartment id ${var.compartment_id} where any { target.repo.name=/${oci_artifacts_container_repository.terraform_container_registry.display_name}*/}",
+    "Allow group ${var.group_name_for_permission} to manage repos in compartment id ${var.compartment_id} where any { target.repo.name=/${oci_artifacts_container_repository.terraform_container_registry.display_name}*/}",
+  ]
+}
diff --git a/modules/oracle-container-registry/variables.tf b/modules/oracle-container-registry/variables.tf
@@ -0,0 +1,36 @@
+variable "compartment_id" {
+  description = "Compartment ID in which to create container registry."
+  type        = string
+}
+variable "project_name" {
+  description = "The project name."
+  type        = string
+}
+variable "environment" {
+  description = "The environment name."
+  type        = string
+}
+variable "region" {
+  description = "Region for container registry."
+  type        = string
+}
+variable "suffix" {
+  description = "Suffix that is going to be added in the end of CR name."
+  type        = string
+  default     = "app"
+}
+variable "group_name_for_permission" {
+  type        = string
+  default     = "NULL"
+  description = "Used only to generate permissions that can be used later, can be skipped, doesn't create any resource based on it."
+}
+variable "container_repository_is_immutable" {
+  description = "Whether the repository is immutable. Images cannot be overwritten in an immutable repository."
+  type        = bool
+  default     = false
+}
+variable "container_repository_is_public" {
+  description = "Whether the repository is public. A public repository allows unauthenticated access."
+  type        = bool
+  default     = false
+}
diff --git a/modules/oracle-container-registry/versions.tf b/modules/oracle-container-registry/versions.tf
@@ -0,0 +1,9 @@
+terraform {
+  required_version = ">= 1.0"
+  required_providers {
+    oci = {
+      source  = "hashicorp/oci"
+      version = ">= 4.0"
+    }
+  }
+}
diff --git a/modules/oracle-s3-compatible/README.md b/modules/oracle-s3-compatible/README.md
@@ -0,0 +1,58 @@
+# Oracle Cloud object storage s3 compatible
+Module creating object storage bucket with user, groups and all permissions required to use it as drop in replacement for s3.
+
+**WARNING! This module by default allows doing HEAD request, it leads to "leaking" out names of OTHER buckets in compartment!**
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_oci"></a> [oci](#requirement\_oci) | >= 4.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_oci"></a> [oci](#provider\_oci) | >= 4.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [oci_identity_customer_secret_key.bucket_access](https://registry.terraform.io/providers/hashicorp/oci/latest/docs/resources/identity_customer_secret_key) | resource |
+| [oci_identity_group.group](https://registry.terraform.io/providers/hashicorp/oci/latest/docs/resources/identity_group) | resource |
+| [oci_identity_policy.allow_head](https://registry.terraform.io/providers/hashicorp/oci/latest/docs/resources/identity_policy) | resource |
+| [oci_identity_policy.allow_read](https://registry.terraform.io/providers/hashicorp/oci/latest/docs/resources/identity_policy) | resource |
+| [oci_identity_user.bucket](https://registry.terraform.io/providers/hashicorp/oci/latest/docs/resources/identity_user) | resource |
+| [oci_identity_user_group_membership.group_member](https://registry.terraform.io/providers/hashicorp/oci/latest/docs/resources/identity_user_group_membership) | resource |
+| [oci_objectstorage_bucket.bucket](https://registry.terraform.io/providers/hashicorp/oci/latest/docs/resources/objectstorage_bucket) | resource |
+| [oci_objectstorage_namespace.namespace](https://registry.terraform.io/providers/hashicorp/oci/latest/docs/data-sources/objectstorage_namespace) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_allow_head"></a> [allow\_head](#input\_allow\_head) | READ WARNING!! If bucket user can run HEAD request. Required by PHP to check if bucket exist. | `bool` | `true` | no |
+| <a name="input_auto_tiering"></a> [auto\_tiering](#input\_auto\_tiering) | Enabling object storage's auto tiering feature. | `bool` | `false` | no |
+| <a name="input_compartment_id"></a> [compartment\_id](#input\_compartment\_id) | Compartment ID in which to create object storage. | `string` | n/a | yes |
+| <a name="input_environment"></a> [environment](#input\_environment) | The environment name. | `string` | n/a | yes |
+| <a name="input_project_name"></a> [project\_name](#input\_project\_name) | The project name. | `string` | n/a | yes |
+| <a name="input_public_access"></a> [public\_access](#input\_public\_access) | Accessibility of bucket, if it should be public or private | `bool` | `false` | no |
+| <a name="input_region"></a> [region](#input\_region) | Region for object storage. | `string` | n/a | yes |
+| <a name="input_tenancy_ocid"></a> [tenancy\_ocid](#input\_tenancy\_ocid) | Tenancy ocid needed to create groups. | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_name"></a> [name](#output\_name) | Name of the bucket |
+| <a name="output_namespace"></a> [namespace](#output\_namespace) | Namespace id of your account |
+| <a name="output_s3_access_key"></a> [s3\_access\_key](#output\_s3\_access\_key) | S3 compatible access key for backend |
+| <a name="output_s3_access_secret"></a> [s3\_access\_secret](#output\_s3\_access\_secret) | S3 compatible secret key for backend |
+| <a name="output_s3_endpoint"></a> [s3\_endpoint](#output\_s3\_endpoint) | Endpoint used for accessing S3 by backend and token authenticated files |
+| <a name="output_s3_url"></a> [s3\_url](#output\_s3\_url) | Url used for accessing publicly accessible files |
diff --git a/modules/oracle-s3-compatible/example/main.tf b/modules/oracle-s3-compatible/example/main.tf
@@ -0,0 +1,27 @@
+locals {
+  tenancy = "ocid1.tenancy.oc1..aaaaaaaa1111111111111111111111111111111111111111111111111111"
+}
+provider "oci" {
+  tenancy_ocid        = local.tenancy
+  config_file_profile = "boldare"
+}
+
+module "private-s3" {
+  source         = "./.."
+  compartment_id = local.tenancy
+  environment    = "dev"
+  project_name   = "my-project"
+  tenancy_ocid   = local.tenancy
+  region         = "me-jeddah-1"
+  public_access  = false
+}
+
+module "public-s3" {
+  source         = "./.."
+  compartment_id = local.tenancy
+  environment    = "dev"
+  project_name   = "my-project-public"
+  tenancy_ocid   = local.tenancy
+  region         = "me-jeddah-1"
+  public_access  = true
+}
diff --git a/modules/oracle-s3-compatible/main.tf b/modules/oracle-s3-compatible/main.tf
@@ -0,0 +1,61 @@
+/**
+ * # Oracle Cloud object storage s3 compatible
+ * Module creating object storage bucket with user, groups and all permissions required to use it as drop in replacement for s3.
+ *
+ * **WARNING! This module by default allows doing HEAD request, it leads to "leaking" out names of OTHER buckets in compartment!**
+ */
+
+data "oci_objectstorage_namespace" "namespace" {
+  compartment_id = var.compartment_id
+}
+
+resource "oci_objectstorage_bucket" "bucket" {
+  #Required
+  compartment_id = var.compartment_id
+  name           = "${var.project_name}-${var.environment}"
+  namespace      = data.oci_objectstorage_namespace.namespace.namespace
+
+  access_type  = var.public_access ? "ObjectRead" : "NoPublicAccess"
+  auto_tiering = var.auto_tiering ? "InfrequentAccess" : "Disabled"
+  # https://blogs.oracle.com/cloud-infrastructure/post/introducing-object-storage-auto-tiering
+
+}
+
+resource "oci_identity_group" "group" {
+  #Required
+  compartment_id = var.tenancy_ocid
+  description    = "group with access to ${var.project_name}-${var.environment} s3"
+  name           = "${var.project_name}-${var.environment}-group"
+}
+
+resource "oci_identity_user" "bucket" {
+  #Required
+  compartment_id = var.tenancy_ocid
+  description    = "User used for access to ${var.project_name}-${var.environment} S3"
+  name           = "${var.project_name}-${var.environment}-bucket"
+}
+
+resource "oci_identity_user_group_membership" "group_member" {
+  group_id = oci_identity_group.group.id
+  user_id  = oci_identity_user.bucket.id
+}
+
+resource "oci_identity_customer_secret_key" "bucket_access" {
+  display_name = "s3-access-keys"
+  user_id      = oci_identity_user.bucket.id
+}
+
+resource "oci_identity_policy" "allow_head" {
+  count          = var.allow_head ? 1 : 0
+  compartment_id = var.compartment_id
+  description    = "allow user to check for buckets s3 (HEAD)"
+  name           = "${var.project_name}-${var.environment}-bucket-head-policy"
+  statements     = ["Allow group ${oci_identity_group.group.name} to inspect buckets in compartment id ${var.compartment_id}"]
+}
+
+resource "oci_identity_policy" "allow_read" {
+  compartment_id = var.compartment_id
+  description    = "allow user to connect to ${var.project_name}-${var.environment} s3"
+  name           = "${var.project_name}-${var.environment}-bucket-rw-policy"
+  statements     = ["Allow group ${oci_identity_group.group.name} to manage objects in compartment id ${var.compartment_id} where all {target.bucket.name='${oci_objectstorage_bucket.bucket.name}', any {request.permission='OBJECT_INSPECT', request.permission='OBJECT_CREATE', request.permission='OBJECT_DELETE', request.permission='OBJECT_READ' }}"]
+}
diff --git a/modules/oracle-s3-compatible/outputs.tf b/modules/oracle-s3-compatible/outputs.tf
@@ -0,0 +1,24 @@
+output "s3_access_key" {
+  description = "S3 compatible access key for backend"
+  value       = oci_identity_customer_secret_key.bucket_access.id
+}
+output "s3_access_secret" {
+  description = "S3 compatible secret key for backend"
+  value       = oci_identity_customer_secret_key.bucket_access.key
+}
+output "namespace" {
+  description = "Namespace id of your account"
+  value       = data.oci_objectstorage_namespace.namespace.namespace
+}
+output "name" {
+  description = "Name of the bucket"
+  value       = oci_objectstorage_bucket.bucket.name
+}
+output "s3_endpoint" {
+  description = "Endpoint used for accessing S3 by backend and token authenticated files"
+  value       = "https://${data.oci_objectstorage_namespace.namespace.namespace}.compat.objectstorage.${var.region}.oraclecloud.com"
+}
+output "s3_url" {
+  description = "Url used for accessing publicly accessible files"
+  value       = "https://objectstorage.${var.region}.oraclecloud.com/n/${data.oci_objectstorage_namespace.namespace.namespace}/b/${oci_objectstorage_bucket.bucket.name}/o/"
+}