feat: bootstrap infrastructure (#1)

Co-authored-by: Timothée Aufort <taufort@ippon.fr>

.github/workflows/deploy.yml

@@ -0,0 +1,56 @@
+name: Deploy
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+env:
+  AWS_REGION: eu-west-3
+
+# Permission can be added at job level or workflow level
+permissions:
+  id-token: write   # This is required for requesting the JWT
+  contents: read    # This is required for actions/checkout
+
+jobs:
+  terraform-10-boostrap:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: infrastructure/10_bootstrap
+    steps:
+      - uses: actions/checkout@v4
+      - uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::448878779811:role/twitch-live-1710204-my-web-site
+          role-session-name: github-ipppontech-my-web-site-to-aws-via-oidc
+          aws-region: ${{ env.AWS_REGION }}
+      - uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: "1.9.7"
+          terraform_wrapper: false
+      - run: terraform fmt -check -recursive
+      - run: terraform init -backend=false
+      - run: terraform validate
+      - run: terraform init
+      - run: terraform plan -out=tfplan.out
+      - run: terraform apply -input=false tfplan.out
+
+  build:
+    needs:
+      - terraform-10-boostrap
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Use Node.js LTS
+        uses: actions/setup-node@v4
+        with:
+          cache: 'npm'
+          node-version: 'lts/*'
+          registry-url: 'https://registry.npmjs.org'
+      - name: build
+        run: |
+          npm ci
+          npm run build

infrastructure/10_bootstrap/backend.tf

@@ -0,0 +1,10 @@
+# Note: at the moment, it's not possible to use variables in Terraform backend
+terraform {
+  backend "s3" {
+    bucket         = "twitch-live-17102024-tf-states"
+    key            = "10_bootstrap/terraform.tfstate"
+    region         = "eu-west-3"
+    dynamodb_table = "twitch-live-17102024-tf-states-lock"
+    encrypt        = true
+  }
+}

infrastructure/10_bootstrap/data.tf

@@ -0,0 +1 @@
+data "aws_caller_identity" "current" {}

infrastructure/10_bootstrap/github_oidc.tf

@@ -0,0 +1,108 @@
+locals {
+  role_name = "twitch-live-1710204-my-web-site"
+}
+
+import {
+  to = aws_iam_openid_connect_provider.github
+  id = "arn:aws:iam::448878779811:oidc-provider/token.actions.githubusercontent.com"
+}
+
+resource "aws_iam_openid_connect_provider" "github" {
+  url = "https://token.actions.githubusercontent.com"
+
+  client_id_list = [
+    "sts.amazonaws.com",
+  ]
+
+  thumbprint_list = ["d89e3bd43d5d909b47a18977aa9d5ce36cee184c"]
+}
+
+import {
+  to = aws_iam_role.twitch_live
+  id = local.role_name
+}
+
+resource "aws_iam_role" "twitch_live" {
+  name               = local.role_name
+  description        = "Role dedicated to deploy infrastructure during the Twitch Live on October 17th 2024 with Arnaud and Timothee"
+  assume_role_policy = data.aws_iam_policy_document.twitch_live_assume_role.json
+}
+
+data "aws_iam_policy_document" "twitch_live_assume_role" {
+  statement {
+    effect = "Allow"
+    principals {
+      type = "Federated"
+      identifiers = [
+        aws_iam_openid_connect_provider.github.arn
+      ]
+    }
+    actions = [
+      "sts:AssumeRoleWithWebIdentity"
+    ]
+    condition {
+      test     = "StringEquals"
+      variable = "token.actions.githubusercontent.com:aud"
+      values = [
+        "sts.amazonaws.com"
+      ]
+    }
+    condition {
+      test     = "StringLike"
+      variable = "token.actions.githubusercontent.com:sub"
+      values = [
+        "repo:ippontech/my-web-site:*"
+      ]
+    }
+  }
+}
+
+resource "aws_iam_role_policy_attachment" "cloudfront" {
+  role       = aws_iam_role.twitch_live.name
+  policy_arn = "arn:aws:iam::aws:policy/CloudFrontFullAccess"
+}
+
+resource "aws_iam_role_policy" "twitch_live_runner" {
+  name   = "${local.role_name}-runner"
+  role   = aws_iam_role.twitch_live.id
+  policy = data.aws_iam_policy_document.twitch_live_runner.json
+}
+
+data "aws_iam_policy_document" "twitch_live_runner" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "s3:*"
+    ]
+    resources = [
+      "arn:aws:s3:::twitch-live-17102024-*"
+    ]
+  }
+  statement {
+    effect = "Allow"
+    actions = [
+      "dynamodb:*"
+    ]
+    resources = [
+      "arn:aws:dynamodb:${var.region}:${data.aws_caller_identity.current.account_id}:table/twitch-live-17102024-tf-states-lock"
+    ]
+  }
+  statement {
+    effect = "Allow"
+    actions = [
+      "iam:*OpenID*"
+    ]
+    resources = [
+      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/token.actions.githubusercontent.com"
+    ]
+  }
+  statement {
+    effect = "Allow"
+    actions = [
+      "iam:*"
+    ]
+    resources = [
+      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/twitch-live-1710204-my-web-site"
+    ]
+  }
+}

infrastructure/10_bootstrap/providers.tf

@@ -0,0 +1,10 @@
+provider "aws" {
+  region = var.region
+
+  default_tags {
+    tags = {
+      project    = basename(abspath("${path.module}/../.."))
+      subproject = basename(abspath(path.module))
+    }
+  }
+}

infrastructure/10_bootstrap/variables.tf

@@ -0,0 +1,5 @@
+variable "region" {
+  description = "Default AWS region"
+  default     = "eu-west-3"
+  type        = string
+}

infrastructure/10_bootstrap/versions.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_version = "~> 1.0"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+}