Set up AWS/TFCloud integration

.terraformignore

@@ -0,0 +1,5 @@
+client/
+!client/dist/
+server/target/release
+server/target/aarch64-unknown-linux-gnu
+server/target/debug

infra/main.tf

@@ -9,23 +9,37 @@ terraform {
   required_version = ">= 1.6.6"
 }
 
+variable "tfc_aws_dynamic_credentials" {
+  description = "Object containing AWS dynamic credentials configuration"
+  type = object({
+    default = object({
+      shared_config_file = string
+    })
+    aliases = map(object({
+      shared_config_file = string
+    }))
+  })
+}
+
 provider "aws" {
-  region = "eu-north-1"
-  assume_role {
-    role_arn    = "arn:aws:iam::880545379339:role/OrganizationAccountAccessRole"
-    external_id = "terraform"
-  }
+  region              = "eu-north-1"
+  shared_config_files = [var.tfc_aws_dynamic_credentials.default.shared_config_file]
+  # assume_role {
+  #   role_arn    = "arn:aws:iam::880545379339:role/OrganizationAccountAccessRole"
+  #   external_id = "terraform"
+  # }
 }
 
 # for ACM cert for CloudFront
 # https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.html#https-requirements-aws-region
 provider "aws" {
-  region = "us-east-1"
-  alias  = "us-east-1"
-  assume_role {
-    role_arn    = "arn:aws:iam::880545379339:role/OrganizationAccountAccessRole"
-    external_id = "terraform"
-  }
+  region              = "us-east-1"
+  alias               = "us-east-1"
+  shared_config_files = [var.tfc_aws_dynamic_credentials.default.shared_config_file]
+  # assume_role {
+  #   role_arn    = "arn:aws:iam::880545379339:role/OrganizationAccountAccessRole"
+  #   external_id = "terraform"
+  # }
 }
 
 data "aws_region" "current" {}
@@ -38,3 +52,7 @@ terraform {
     }
   }
 }
+
+provider "tfe" {
+  hostname = var.tfc_hostname
+}

infra/terraform.tf

@@ -0,0 +1,162 @@
+# https://github.com/hashicorp/terraform-dynamic-credentials-setup-examples/tree/main/aws
+
+variable "tfc_aws_audience" {
+  type        = string
+  default     = "aws.workload.identity"
+  description = "The audience value to use in run identity tokens"
+}
+
+variable "tfc_hostname" {
+  type        = string
+  default     = "app.terraform.io"
+  description = "The hostname of the TFC or TFE instance you'd like to use with AWS"
+}
+
+variable "tfc_organization_name" {
+  type        = string
+  description = "The name of your Terraform Cloud organization"
+}
+
+variable "tfc_project_name" {
+  type        = string
+  default     = "Default Project"
+  description = "The project under which a workspace will be created"
+}
+
+variable "tfc_workspace_name" {
+  type        = string
+  default     = "my-aws-workspace"
+  description = "The name of the workspace that you'd like to create and connect to AWS"
+}
+
+# Data source used to grab the TLS certificate for Terraform Cloud.
+#
+# https://registry.terraform.io/providers/hashicorp/tls/latest/docs/data-sources/certificate
+data "tls_certificate" "tfc_certificate" {
+  url = "https://${var.tfc_hostname}"
+}
+
+# Creates an OIDC provider which is restricted to
+#
+# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_openid_connect_provider
+resource "aws_iam_openid_connect_provider" "tfc_provider" {
+  url             = data.tls_certificate.tfc_certificate.url
+  client_id_list  = [var.tfc_aws_audience]
+  thumbprint_list = [data.tls_certificate.tfc_certificate.certificates[0].sha1_fingerprint]
+}
+
+# Creates a role which can only be used by the specified Terraform
+# cloud workspace.
+#
+# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role
+resource "aws_iam_role" "tfc_role" {
+  name = "tfc-role"
+
+  assume_role_policy = <<EOF
+{
+ "Version": "2012-10-17",
+ "Statement": [
+   {
+     "Effect": "Allow",
+     "Principal": {
+       "Federated": "${aws_iam_openid_connect_provider.tfc_provider.arn}"
+     },
+     "Action": "sts:AssumeRoleWithWebIdentity",
+     "Condition": {
+       "StringEquals": {
+         "${var.tfc_hostname}:aud": "${one(aws_iam_openid_connect_provider.tfc_provider.client_id_list)}"
+       },
+       "StringLike": {
+         "${var.tfc_hostname}:sub": "organization:${var.tfc_organization_name}:project:${var.tfc_project_name}:workspace:${var.tfc_workspace_name}:run_phase:*"
+       }
+     }
+   }
+ ]
+}
+EOF
+}
+
+# Creates a policy that will be used to define the permissions that
+# the previously created role has within AWS.
+#
+# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy
+resource "aws_iam_policy" "tfc_policy" {
+  name        = "tfc-policy"
+  description = "TFC run policy"
+
+  policy = <<EOF
+{
+ "Version": "2012-10-17",
+ "Statement": [
+   {
+     "Effect": "Allow",
+     "Action": "*",
+     "Resource": "*"
+   }
+ ]
+}
+EOF
+}
+
+# Creates an attachment to associate the above policy with the
+# previously created role.
+#
+# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment
+resource "aws_iam_role_policy_attachment" "tfc_policy_attachment" {
+  role       = aws_iam_role.tfc_role.name
+  policy_arn = aws_iam_policy.tfc_policy.arn
+}
+
+# Data source used to grab the project under which a workspace will be created.
+#
+# https://registry.terraform.io/providers/hashicorp/tfe/latest/docs/data-sources/project
+# TODO: https://github.com/hashicorp/terraform-provider-tfe/issues/882#issuecomment-1664306823
+# data "tfe_project" "www" {
+#   name         = var.tfc_project_name
+#   organization = var.tfc_organization_name
+# }
+
+# Runs in this workspace will be automatically authenticated
+# to AWS with the permissions set in the AWS policy.
+#
+# https://registry.terraform.io/providers/hashicorp/tfe/latest/docs/resources/workspace
+resource "tfe_workspace" "www" {
+  name         = var.tfc_workspace_name
+  organization = var.tfc_organization_name
+  # https://github.com/hashicorp/terraform-provider-tfe/issues/882#issuecomment-1664306823
+  # project_id   = data.tfe_project.www.id
+  project_id = "prj-WUc8qgSPdJY2D64L"
+
+  file_triggers_enabled = false
+  queue_all_runs        = false
+  working_directory     = "infra"
+  vcs_repo {
+    github_app_installation_id = "ghain-nWxKvtfhePtbP3sZ"
+    identifier                 = "jonhoo/wewerewondering"
+    ingress_submodules         = false
+  }
+}
+
+# The following variables must be set to allow runs
+# to authenticate to AWS.
+#
+# https://registry.terraform.io/providers/hashicorp/tfe/latest/docs/resources/variable
+resource "tfe_variable" "enable_aws_provider_auth" {
+  workspace_id = tfe_workspace.www.id
+
+  key      = "TFC_AWS_PROVIDER_AUTH"
+  value    = "true"
+  category = "env"
+
+  description = "Enable the Workload Identity integration for AWS."
+}
+
+resource "tfe_variable" "tfc_aws_role_arn" {
+  workspace_id = tfe_workspace.www.id
+
+  key      = "TFC_AWS_RUN_ROLE_ARN"
+  value    = aws_iam_role.tfc_role.arn
+  category = "env"
+
+  description = "The AWS role arn runs will use to authenticate."
+}

infra/terraform.tfvars

@@ -0,0 +1,3 @@
+tfc_organization_name = "wewerewondering"
+tfc_workspace_name    = "wewerewondering"
+tfc_project_name      = "default"