add: terraform

.gitignore

@@ -0,0 +1,33 @@
+# Local .terraform directories
+**/.terraform/*
+*.terraform.lock*
+*.vscode
+**/.build/*
+# .tfstate files
+*.tfstate
+*.tfstate.*
+.local-state*
+
+# Crash log files
+crash.log
+.DS_Store
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+# *.tfvars
+# *.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Ignore draw.io temporary files
+.$*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc

.pre-commit-config.yaml

@@ -0,0 +1,47 @@
+repos:
+  - repo: https://github.com/aws-samples/automated-security-helper
+    rev: "1.0.9-e-16May2023" # update with the latest tagged version in the repository
+    hooks:
+      - id: ash
+        name: scan files using ash
+        stages: [manual]
+        # uncomment the line below if using "finch" on MacOS
+        args:
+          - --oci-runner finch
+
+  # FORMATTING & MISC
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.4.0
+    hooks:
+      - id: check-case-conflict
+      - id: check-merge-conflict
+      - id: end-of-file-fixer
+      - id: trailing-whitespace
+      - id: mixed-line-ending
+        args: ["--fix=lf"]
+      - id: fix-byte-order-marker
+      - id: detect-private-key
+      - id: detect-aws-credentials
+        args:
+          - --allow-missing-credentials
+
+  # Terraform
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.77.0
+    hooks:
+      - id: terraform_fmt
+      - id: terraform_validate
+      - id: terraform_tflint
+        args:
+          - --args=--module
+          - --args=--enable-rule=terraform_documented_variables
+      - id: terraform_docs
+        args:
+          - --hook-config=--path-to-file=README.md
+          - --hook-config=--add-to-existing-file=true
+          - --hook-config=--create-file-if-not-exist=true
+          - --args=--config=.terraform-docs.yml
+      - id: terraform_checkov
+        args:
+          - --args=--soft-fail
+          - --args=--compact

.terraform-docs.yml

@@ -0,0 +1,50 @@
+version: ">= 0.14.1"
+
+formatter: markdown table
+
+header-from: main.tf
+footer-from: ""
+
+sections:
+  hide:
+    - providers
+    - resources
+    - data-sources
+
+recursive:
+  enabled: false
+  path: modules
+
+content: ""
+
+output:
+  file: "README.md"
+  mode: inject
+  template: |-
+    <!-- BEGIN_TF_DOCS -->
+
+    {{ .Content }}
+
+    <!-- END_TF_DOCS -->
+
+output-values:
+  enabled: false
+  from: ""
+
+sort:
+  enabled: true
+  by: required
+
+settings:
+  anchor: true
+  color: true
+  default: true
+  description: false
+  escape: true
+  hide-empty: true
+  html: true
+  indent: 3
+  lockfile: true
+  required: true
+  sensitive: true
+  type: true

README.md

@@ -0,0 +1,36 @@
+# Github Runner on AWS Codebuild
+
+This sample demonstrates how to deploy and run Github runners with AWS Codebuild. More informations  [here](https://aws.amazon.com/fr/blogs/devops/aws-codebuild-managed-self-hosted-github-action-runners/). A workflow trigger is visible in the `Actions` of this repository.
+
+## Prerequisites
+
+1. Create a connexion between AWS and your github account/organization, to do this you need to go in the console `Developer Tools > Connections > Create connection`
+2. Set the connexion as [the default connexion](https://eu-west-1.console.aws.amazon.com/codesuite/codebuild/sourceCredentials/default?provider=github&region=eu-west-1) `https://**your-region**.console.aws.amazon.com/codesuite/codebuild/sourceCredentials/default?provider=github&region=eu-west-1`
+## Architecture diagram
+
+![infra-diagrams](./docs/architecture/terraform-aws-codebuild-hosted-github-action-runner.png)
+
+Choosing a VPC is *optional*.
+<!-- BEGIN_TF_DOCS -->
+
+### Requirements
+
+| Name                                                                      | Version  |
+| ------------------------------------------------------------------------- | -------- |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.6.2 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws)                   | >=5.59.0 |
+
+### Inputs
+
+| Name                                                                  | Description                            | Type          | Default                                                           | Required |
+| --------------------------------------------------------------------- | -------------------------------------- | ------------- | ----------------------------------------------------------------- | :------: |
+| <a name="input_app_env"></a> [app\_env](#input\_app\_env)             | Environment name of the application.   | `string`      | `"test"`                                                          |    no    |
+| <a name="input_app_name"></a> [app\_name](#input\_app\_name)          | Name of the application.               | `string`      | `"terraform-aws-codebuild-hosted-github-action-runner"`           |    no    |
+| <a name="input_app_owner"></a> [app\_owner](#input\_app\_owner)       | Owner of the application.              | `string`      | `"me"`                                                            |    no    |
+| <a name="input_custom_tags"></a> [custom\_tags](#input\_custom\_tags) | A map of tags to add to all resources. | `map(string)` | `{}`                                                              |    no    |
+| <a name="input_repo_name"></a> [repo\_name](#input\_repo\_name)       | Name of the repository.                | `string`      | `"JulienQNN/terraform-aws-codebuild-hosted-github-action-runner"` |    no    |
+
+<!-- END_TF_DOCS -->
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+README.md updated successfully
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

backend.tf

@@ -0,0 +1,4 @@
+terraform {
+  backend "local" {
+  }
+}

codebuild.tf

@@ -0,0 +1,162 @@
+resource "aws_codebuild_project" "myapp" {
+  name           = local.codebuild_project
+  description    = local.codebuild_project
+  build_timeout  = 5
+  queued_timeout = 10
+  service_role   = aws_iam_role.myapp.arn
+
+  artifacts {
+    type = "NO_ARTIFACTS"
+  }
+
+  environment {
+    compute_type                = "BUILD_GENERAL1_SMALL"
+    image                       = "aws/codebuild/amazonlinux2-x86_64-standard:5.0"
+    type                        = "LINUX_CONTAINER"
+    image_pull_credentials_type = "CODEBUILD"
+  }
+
+  source {
+    type            = "GITHUB"
+    location        = local.source_location
+    git_clone_depth = 1
+
+    git_submodules_config {
+      fetch_submodules = true
+    }
+    report_build_status = true
+  }
+
+
+  vpc_config {
+    vpc_id = local.vpc_id
+
+    subnets = [
+      local.private_subnet_1_id,
+    ]
+
+    security_group_ids = [
+      aws_security_group.codebuild_allow_tls.id,
+    ]
+  }
+  tags = local.tags
+}
+
+
+resource "aws_codebuild_webhook" "myapp" {
+  project_name = aws_codebuild_project.myapp.name
+  build_type   = "BUILD"
+  filter_group {
+    filter {
+      type    = "EVENT"
+      pattern = "WORKFLOW_JOB_QUEUED"
+    }
+  }
+}
+
+#IAM
+data "aws_iam_policy_document" "assume_role" {
+  statement {
+    effect = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["codebuild.amazonaws.com"]
+    }
+
+    actions = ["sts:AssumeRole"]
+  }
+}
+
+resource "aws_iam_role" "myapp" {
+  name               = "codebuild_myapp_${local.app_env}"
+  assume_role_policy = data.aws_iam_policy_document.assume_role.json
+}
+
+data "aws_iam_policy_document" "myapp" {
+  statement {
+    effect = "Allow"
+
+    actions = [
+      "ec2:CreateNetworkInterface",
+      "ec2:DescribeDhcpOptions",
+      "ec2:DescribeNetworkInterfaces",
+      "ec2:DeleteNetworkInterface",
+      "ec2:DescribeSubnets",
+      "ec2:DescribeSecurityGroups",
+      "ec2:DescribeVpcs",
+    ]
+    resources = ["*"]
+  }
+
+  statement {
+    effect = "Allow"
+    actions = [
+      "ec2:CreateNetworkInterfacePermission"
+    ]
+    resources = ["arn:aws:ec2:eu-west-1:${local.account_id}:network-interface/*"]
+    condition {
+      test     = "StringEquals"
+      variable = "ec2:Subnet"
+      values   = ["arn:aws:ec2:eu-west-1:${local.account_id}:subnet/${local.private_subnet_1_id}"]
+    }
+    condition {
+      test     = "StringEquals"
+      variable = "ec2:AuthorizedService"
+      values   = ["codebuild.amazonaws.com"]
+    }
+  }
+
+  statement {
+    effect = "Allow"
+
+    actions = [
+      "logs:CreateLogGroup",
+      "logs:CreateLogStream",
+      "logs:PutLogEvents",
+    ]
+
+    resources = ["*"]
+  }
+
+  statement {
+    effect = "Allow"
+    actions = [
+      "codestar-connections:GetConnectionToken",
+      "codestar-connections:GetConnection",
+      "codeconnections:GetConnectionToken",
+      "codeconnections:GetConnection",
+      "codeconnections:UseConnection"
+    ]
+    resources = ["*"]
+  }
+
+}
+
+resource "aws_iam_role_policy" "myapp" {
+  name   = "code_build_policy"
+  role   = aws_iam_role.myapp.name
+  policy = data.aws_iam_policy_document.myapp.json
+}
+
+
+#SG
+resource "aws_security_group" "codebuild_allow_tls" {
+  name        = "codebuild_allow_tls"
+  description = "Allow TLS inbound traffic and all outbound traffic"
+  vpc_id      = local.vpc_id
+}
+
+resource "aws_vpc_security_group_ingress_rule" "allow_tls_ipv4" {
+  security_group_id = aws_security_group.codebuild_allow_tls.id
+  cidr_ipv4         = local.vpc_cidr
+  from_port         = 443
+  ip_protocol       = "tcp"
+  to_port           = 443
+}
+
+resource "aws_vpc_security_group_egress_rule" "allow_all_traffic_ipv4" {
+  security_group_id = aws_security_group.codebuild_allow_tls.id
+  cidr_ipv4         = "0.0.0.0/0"
+  ip_protocol       = "-1" # semantically equivalent to all ports
+}

main.tf

@@ -0,0 +1,34 @@
+locals {
+  account_id         = data.aws_caller_identity.current.account_id
+
+  app_env   = var.app_env
+  app_name  = var.app_name
+  app_owner = var.app_owner
+
+  codebuild_project = "${local.app_env}-${local.app_name}"
+
+  # Github
+  source_location = "https://github.com/${var.repo_name}.git"
+
+  # Network
+  vpc_name            = "${local.app_env}-shared-vpc"
+  vpc_id              = data.aws_ssm_parameter.vpc_id.value
+  vpc_cidr            = data.aws_ssm_parameter.shared_vpc_cidr.value
+  private_subnet_1_id = data.aws_ssm_parameter.private_subnet_1_id.value
+
+}
+
+data "aws_caller_identity" "current" {}
+
+# Network
+data "aws_ssm_parameter" "vpc_id" {
+  name = "/org/landing-zone/network/${local.vpc_name}/id"
+}
+
+data "aws_ssm_parameter" "shared_vpc_cidr" {
+  name = "/org/landing-zone/network/${local.vpc_name}/cidr"
+}
+
+data "aws_ssm_parameter" "private_subnet_1_id" {
+  name = "/org/landing-zone/network/${local.vpc_name}/private-subnet-1/id"
+}

provider.tf

@@ -0,0 +1,3 @@
+provider "aws" {
+  region = "eu-west-1"
+}

tags.tf

@@ -0,0 +1,14 @@
+locals {
+
+  mandatory_tags = {
+    "app:name" : local.app_name,
+    "app:env" : local.app_env,
+    "app:owner" : local.app_owner
+  }
+
+  tags = merge(
+    local.mandatory_tags,
+    var.custom_tags
+  )
+
+}