github-infrastructure

command module
v0.0.0-...-2a3464f Latest
Warning

This package is not in the latest version of its module.
Published: Feb 27, 2026 License: GPL-3.0 Imports: 15 Imported by: 0

README

GitHub Infrastructure

This repository contains the automation for GitHub Repositories with optional Cloud Access using Pulumi.


Requirements

Creating the Infrastructure

To create the services, a Pulumi Stack with the correct configuration needs to exist.

The stack can be deployed via:

pulumi up

Destroying the Infrastructure

The entire infrastructure can be destroyed via:

pulumi destroy

Attention: you must set ALLOW_REPOSITORY_DELETION="true" as an environment variable to be able to delete repositories!

Environment Variables

To run successfully and configure the Pulumi plugins, set the following environment variables. Alternatively, refer to the configuration documentation of the Pulumi providers in use.

  • ALLOW_REPOSITORY_DELETION: set to true to allow repository deletion
  • IGNORE_UNMANAGED_REPOSITORIES: set to true to skip repositories not defined in assets/repositories/
  • AWS_REGION: the AWS region to use
  • AWS_ACCESS_KEY_ID: the AWS access key ID
  • AWS_SECRET_ACCESS_KEY: the AWS secret access key
  • CLOUDSDK_COMPUTE_REGION: the Google Cloud (GCP) region
  • GOOGLE_APPLICATION_CREDENTIALS: reference to a file containing the Google Cloud (GCP) service account credentials
  • SCW_ACCESS_KEY: the Scaleway access key
  • SCW_SECRET_KEY: the Scaleway secret key
  • SCW_ORGANIZATION_ID: the Scaleway organization ID
  • SCW_PROJECT_ID: the Scaleway project ID
  • SCW_DEFAULT_REGION: the Scaleway default region
  • SCW_DEFAULT_ZONE: the Scaleway default zone
  • GITHUB_TOKEN: the GitHub token with permissions to manage repositories
  • GITLAB_TOKEN: the GitLab token with permissions to manage access
  • PULUMI_ACCESS_TOKEN: the Pulumi access token
  • OAUTH_CLIENT_ID: Tailscale OAuth client ID
  • OAUTH_CLIENT_SECRET: Tailscale OAuth client secret
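
A pre-flight guard for the two commands above, as an added example that is not part of the project: it checks the README's variables by name without printing their values, and ties ALLOW_REPOSITORY_DELETION to the action being run. The REQUIRED_VARS default and the rule that `up` runs with deletion disabled are assumptions of this example.

```shell
#!/bin/sh
# preflight ACTION: validate the environment before `pulumi up` / `pulumi destroy`.
# Prints variable names only, never values. Returns 0 when it is safe to proceed.
# Usage: preflight up && pulumi up

# Assumption: variables every run needs; adjust to the clouds actually in use.
REQUIRED_VARS="${REQUIRED_VARS:-GITHUB_TOKEN PULUMI_ACCESS_TOKEN}"
# Credential pairs from the README; setting only one half is a misconfiguration.
PAIRS="AWS_ACCESS_KEY_ID:AWS_SECRET_ACCESS_KEY SCW_ACCESS_KEY:SCW_SECRET_KEY OAUTH_CLIENT_ID:OAUTH_CLIENT_SECRET"

# True when the named variable is set and non-empty (names come from fixed lists).
is_set() { eval "[ -n \"\${$1:-}\" ]"; }

preflight() {
  action="$1"; rc=0
  for v in $REQUIRED_VARS; do
    is_set "$v" || { echo "missing: $v" >&2; rc=1; }
  done
  for p in $PAIRS; do
    a="${p%%:*}"; b="${p##*:}"
    if is_set "$a" && ! is_set "$b"; then echo "incomplete pair: $b unset" >&2; rc=1; fi
    if is_set "$b" && ! is_set "$a"; then echo "incomplete pair: $a unset" >&2; rc=1; fi
  done
  if is_set GOOGLE_APPLICATION_CREDENTIALS && [ ! -r "$GOOGLE_APPLICATION_CREDENTIALS" ]; then
    echo "GOOGLE_APPLICATION_CREDENTIALS does not point to a readable file" >&2; rc=1
  fi
  case "$action" in
    destroy)
      # README: repositories can only be deleted with ALLOW_REPOSITORY_DELETION="true".
      [ "${ALLOW_REPOSITORY_DELETION:-}" = "true" ] ||
        { echo "destroy needs ALLOW_REPOSITORY_DELETION=true" >&2; rc=1; } ;;
    up)
      # Policy of this example: routine deployments run with deletion disabled.
      [ "${ALLOW_REPOSITORY_DELETION:-}" != "true" ] ||
        { echo "unset ALLOW_REPOSITORY_DELETION before 'up'" >&2; rc=1; } ;;
    *) echo "usage: preflight up|destroy" >&2; rc=2 ;;
  esac
  return "$rc"
}
```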

Configuration

The following section describes the configuration which must be set in the Pulumi Stack.

Attention: do use Secrets Encryption provided by Pulumi for secret values!

AWS

AWS configuration is based on each allowed account.

aws:
  defaultRegion: the default region for every account
  account: a map of AWS accounts to IAM role configuration
    <ACCOUNT_ID>:
      roleArn: the IAM role ARN to assume with correct permissions
      externalId: the ExternalID property to assume the role

Google Cloud

Google Cloud configuration is based on each allowed project.

google:
  allowHmacKeys: allows creating HMAC Google Cloud Storage keys
  defaultRegion: the default region for every project
  projects: a list containing all allowed project identifiers

Repositories

Repositories configuration sets default values and GitHub account information.

repositories:
  owner: the owner/organization of all repositories
  subscription: the subscription type of the user/organization (e.g. "none")

Scaleway

Scaleway configuration is based on each allowed project.

scaleway:
  defaultRegion: the default region for every project
  defaultZone: the default zone for every project
  organizationID: the Scaleway organization ID
  projects: a map containing all allowed project identifiers

Vault

Vault connection configuration. The token will be retrieved from the corresponding stack's output.

Attention: Vault will only be used if a connection configuration can be created.

vault:
  address: the URL to the Vault instance
  enabled: whether Vault integration is enabled

Repository YAML

Repositories are defined in YAML format. For each repository to be created, a YAML file must exist in assets/repositories/.

The format is described in the template.


Continuous Integration and Automations

Documentation

There is no documentation for this package.