From 1393fa55b33dbd4efaa96daa19d24e1d701e7d59 Mon Sep 17 00:00:00 2001
From: Jon Gjengset
Date: Mon, 1 Jan 2024 16:27:16 +0100
Subject: [PATCH] Set up AWS/TFCloud integration
---
 .terraformignore | 5 ++
 infra/.terraform.lock.hcl | 40 +++++++++-
 infra/main.tf | 40 +++++++---
 infra/terraform.tf | 162 ++++++++++++++++++++++++++++++++++++++
 infra/terraform.tfvars | 3 +
 5 files changed, 238 insertions(+), 12 deletions(-)
 create mode 100644 .terraformignore
 create mode 100644 infra/terraform.tf
 create mode 100644 infra/terraform.tfvars
diff --git a/.terraformignore b/.terraformignore
new file mode 100644
index 0000000..e8c09ff
--- /dev/null
+++ b/.terraformignore
@@ -0,0 +1,5 @@
+client/
+!client/dist/
+server/target/release
+server/target/aarch64-unknown-linux-gnu
+server/target/debug
diff --git a/infra/.terraform.lock.hcl b/infra/.terraform.lock.hcl
index d962954..ab04543 100644
--- a/infra/.terraform.lock.hcl
+++ b/infra/.terraform.lock.hcl
@@ -22,7 +22,7 @@ provider "registry.terraform.io/hashicorp/archive" {
 provider "registry.terraform.io/hashicorp/aws" {
 version = "5.31.0"
- constraints = "~> 5.0"
+ constraints = "~> 5.31.0"
 hashes = [
 "h1:WwgMbMOhZblxZTdjHeJf9XB2/hcSHHmpuywLxuTWYw0=",
 "zh:0cdb9c2083bf0902442384f7309367791e4640581652dda456f2d6d7abf0de8d",
@@ -42,3 +42,41 @@ provider "registry.terraform.io/hashicorp/aws" { "zh:e3127ebd2cb0374cd1808f911e6bffe2f4ac4d84317061381242353f3a7bc27d", ] } + +provider "registry.terraform.io/hashicorp/tfe" { + version = "0.51.1" + hashes = [ + "h1:ku9ToIZ6AYWp9GejxbmzfERVX06i2n0RT9S1+x0OoJo=", + "zh:08f5c2296a7eba39fb3b86cc9f294ac7a9ca06eee1dec44fbf14615523fd24d0", + "zh:46ea31b9ca5450d947c0b28b698aca6df97714e671f25a2e2c9ea3ba0e0d45a0", + "zh:6326962e8afda2da9c2724a465eee4ae12c514700ccfaead7be81c73d6d7f8cd", + "zh:649639793e0cbfe8732377052110441ae24b4a3b2e35126aab5d0b9da291ac9a", + "zh:8ca07718347273bbbc8a7c0f488da22efa38a67ec05b6db3bf97d01d9ba600c0", + "zh:a9065ad79c7a3d91ee1f7021edea02f92ace116830fa0857580dcd267643a016", + "zh:bc6014f7597b281ca9aa73fe91c9060f29311096a543c2cf794803920662edc4", + "zh:c48897ce5820983c1a94b6912317fbf4927b4eca9f550c7d5e1af40a4bc9fd5f", + "zh:ca32cc1543d65a1e418eaadccd0f00d6a626ff0b40d495e508b444d95b290ed0", + "zh:d179e1f38f789ebefb4cfce8148181999bd2e24f860b2e18cdaeca2b37fbe7f6", + "zh:d95ec293fa70e946b6cd657912b33155f8be3413e6128ed2bfa5a493f788e439", + "zh:fe9538fc1da16bbd675f33176ac3d2a20c264b5c7a14389c552a889f7a1c46e4", + ] +} + +provider "registry.terraform.io/hashicorp/tls" { + version = "4.0.5" + hashes = [ + "h1:e4LBdJoZJNOQXPWgOAG0UuPBVhCStu98PieNlqJTmeU=", + "zh:01cfb11cb74654c003f6d4e32bbef8f5969ee2856394a96d127da4949c65153e", + "zh:0472ea1574026aa1e8ca82bb6df2c40cd0478e9336b7a8a64e652119a2fa4f32", + "zh:1a8ddba2b1550c5d02003ea5d6cdda2eef6870ece86c5619f33edd699c9dc14b", + "zh:1e3bb505c000adb12cdf60af5b08f0ed68bc3955b0d4d4a126db5ca4d429eb4a", + "zh:6636401b2463c25e03e68a6b786acf91a311c78444b1dc4f97c539f9f78de22a", + "zh:76858f9d8b460e7b2a338c477671d07286b0d287fd2d2e3214030ae8f61dd56e", + "zh:a13b69fb43cb8746793b3069c4d897bb18f454290b496f19d03c3387d1c9a2dc", + "zh:a90ca81bb9bb509063b736842250ecff0f886a91baae8de65c8430168001dad9", + "zh:c4de401395936e41234f1956ebadbd2ed9f414e6908f27d578614aaa529870d4", + 
"zh:c657e121af8fde19964482997f0de2d5173217274f6997e16389e7707ed8ece8",
+ "zh:d68b07a67fbd604c38ec9733069fbf23441436fecf554de6c75c032f82e1ef19",
+ "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+ ]
+}
diff --git a/infra/main.tf b/infra/main.tf
index fbd93b8..22a6b85 100644
--- a/infra/main.tf
+++ b/infra/main.tf
@@ -9,23 +9,37 @@ terraform {
 required_version = ">= 1.6.6"
 }
+variable "tfc_aws_dynamic_credentials" {
+ description = "Object containing AWS dynamic credentials configuration"
+ type = object({
+ default = object({
+ shared_config_file = string
+ })
+ aliases = map(object({
+ shared_config_file = string
+ }))
+ })
+}
+
 provider "aws" {
- region = "eu-north-1"
- assume_role {
- role_arn = "arn:aws:iam::880545379339:role/OrganizationAccountAccessRole"
- external_id = "terraform"
- }
+ region = "eu-north-1"
+ shared_config_files = [var.tfc_aws_dynamic_credentials.default.shared_config_file]
+ # assume_role {
+ # role_arn = "arn:aws:iam::880545379339:role/OrganizationAccountAccessRole"
+ # external_id = "terraform"
+ # }
 }
 # for ACM cert for CloudFront
 # https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.html#https-requirements-aws-region
 provider "aws" {
- region = "us-east-1"
- alias = "us-east-1"
- assume_role {
- role_arn = "arn:aws:iam::880545379339:role/OrganizationAccountAccessRole"
- external_id = "terraform"
- }
+ region = "us-east-1"
+ alias = "us-east-1"
+ shared_config_files = [var.tfc_aws_dynamic_credentials.default.shared_config_file]
+ # assume_role {
+ # role_arn = "arn:aws:iam::880545379339:role/OrganizationAccountAccessRole"
+ # external_id = "terraform"
+ # }
 }
 data "aws_region" "current" {}
@@ -38,3 +52,7 @@ terraform {
 }
 }
 }
+
+provider "tfe" {
+ hostname = var.tfc_hostname
+}
diff --git a/infra/terraform.tf b/infra/terraform.tf
new file mode 100644
index 0000000..0765fc8
--- /dev/null
+++ b/infra/terraform.tf
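Review bot: Both `provider "aws"` blocks keep the old `assume_role` configuration as commented-out lines, hard-coded account ID included, even though authentication now comes from `shared_config_files = [var.tfc_aws_dynamic_credentials.default.shared_config_file]`; the four `# assume_role` lines in each block should be deleted, since git history already preserves the previous settings and dormant credential configuration invites being re-enabled by accident. The new `tfc_aws_dynamic_credentials` variable has no default and nothing in `main.tf` says where its value comes from — presumably Terraform Cloud injects it when dynamic provider credentials are enabled on the workspace, rather than `terraform.tfvars` — so add `# Injected by Terraform Cloud when dynamic AWS credentials are enabled for the workspace; not set from tfvars.` above the declaration. Its type also declares an `aliases` map that neither provider reads, which deserves a one-line comment so the next maintainer does not go looking for where it is consumed. The `provider "tfe"` block added in the second hunk configures only `hostname`, so its API token must come from outside this file; a short comment stating that would round out the change.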
@@ -0,0 +1,162 @@
+# https://github.com/hashicorp/terraform-dynamic-credentials-setup-examples/tree/main/aws
+
+variable "tfc_aws_audience" {
+ type = string
+ default = "aws.workload.identity"
+ description = "The audience value to use in run identity tokens"
+}
+
+variable "tfc_hostname" {
+ type = string
+ default = "app.terraform.io"
+ description = "The hostname of the TFC or TFE instance you'd like to use with AWS"
+}
+
+variable "tfc_organization_name" {
+ type = string
+ description = "The name of your Terraform Cloud organization"
+}
+
+variable "tfc_project_name" {
+ type = string
+ default = "Default Project"
+ description = "The project under which a workspace will be created"
+}
+
+variable "tfc_workspace_name" {
+ type = string
+ default = "my-aws-workspace"
+ description = "The name of the workspace that you'd like to create and connect to AWS"
+}
+
+# Data source used to grab the TLS certificate for Terraform Cloud.
+#
+# https://registry.terraform.io/providers/hashicorp/tls/latest/docs/data-sources/certificate
+data "tls_certificate" "tfc_certificate" {
+ url = "https://${var.tfc_hostname}"
+}
+
+# Creates an OIDC provider which is restricted to
+#
+# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_openid_connect_provider
+resource "aws_iam_openid_connect_provider" "tfc_provider" {
+ url = data.tls_certificate.tfc_certificate.url
+ client_id_list = [var.tfc_aws_audience]
+ thumbprint_list = [data.tls_certificate.tfc_certificate.certificates[0].sha1_fingerprint]
+}
+
+# Creates a role which can only be used by the specified Terraform
+# cloud workspace.
+#
+# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role
+resource "aws_iam_role" "tfc_role" {
+ name = "tfc-role"
+
+ assume_role_policy = <