Feature/tenant GitHub app (#42)

* feat: use github app for tenant auth --------- Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
GlueOps · May 31, 2023 · 3fc9547 · 3fc9547
1 parent c8bed66
commit 3fc9547
Show file tree

Hide file tree

Showing 5 changed files with 58 additions and 60 deletions.
diff --git a/README.md b/README.md
@@ -34,7 +34,6 @@ The module also deploys a `tenant` repository with the necessary configuration f
 | <a name="provider_aws.management-tenant-dns"></a> [aws.management-tenant-dns](#provider\_aws.management-tenant-dns) | 4.67.0 |
 | <a name="provider_aws.primaryregion"></a> [aws.primaryregion](#provider\_aws.primaryregion) | 4.67.0 |
 | <a name="provider_random"></a> [random](#provider\_random) | 3.5.1 |
-| <a name="provider_tls"></a> [tls](#provider\_tls) | n/a |
 
 ## Modules
 
@@ -44,7 +43,7 @@ The module also deploys a `tenant` repository with the necessary configuration f
 | <a name="module_captain_repository"></a> [captain\_repository](#module\_captain\_repository) | ./modules/github-captain-repository/0.1.0 | n/a |
 | <a name="module_common_s3"></a> [common\_s3](#module\_common\_s3) | ./modules/multy-s3-bucket/0.1.0 | n/a |
 | <a name="module_dnssec_key"></a> [dnssec\_key](#module\_dnssec\_key) | git::https://github.com/GlueOps/terraform-module-cloud-aws-dnssec-kms-key.git | v0.1.0 |
-| <a name="module_glueops_platform_helm_values"></a> [glueops\_platform\_helm\_values](#module\_glueops\_platform\_helm\_values) | git::https://github.com/GlueOps/platform-helm-chart-platform.git | v0.13.3 |
+| <a name="module_glueops_platform_helm_values"></a> [glueops\_platform\_helm\_values](#module\_glueops\_platform\_helm\_values) | git::https://github.com/GlueOps/platform-helm-chart-platform.git | v0.13.5 |
 | <a name="module_loki_s3"></a> [loki\_s3](#module\_loki\_s3) | ./modules/multy-s3-bucket/0.1.0 | n/a |
 | <a name="module_opsgenie_teams"></a> [opsgenie\_teams](#module\_opsgenie\_teams) | ./modules/opsgenie/0.1.0 | n/a |
 | <a name="module_tenant_readmes"></a> [tenant\_readmes](#module\_tenant\_readmes) | ./modules/tenant-readme/0.1.0 | n/a |
@@ -91,16 +90,15 @@ The module also deploys a `tenant` repository with the necessary configuration f
 | [random_password.dex_pomerium_client_secret](https://registry.terraform.io/providers/hashicorp/random/3.5.1/docs/resources/password) | resource |
 | [random_password.dex_vault_client_secret](https://registry.terraform.io/providers/hashicorp/random/3.5.1/docs/resources/password) | resource |
 | [random_password.grafana_admin_secret](https://registry.terraform.io/providers/hashicorp/random/3.5.1/docs/resources/password) | resource |
-| [tls_private_key.tenant_stack_repostory_key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
 | [aws_route53_zone.management_tenant_dns](https://registry.terraform.io/providers/hashicorp/aws/4.67.0/docs/data-sources/route53_zone) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_backup_region"></a> [backup\_region](#input\_backup\_region) | The secondary S3 region to create S3 bucket in used for backups. This should be different than the primary region and will have the data from the primary region replicated to it. | `string` | n/a | yes |
-| <a name="input_cluster_environments"></a> [cluster\_environments](#input\_cluster\_environments) | The cluster environments and their respective github app ids | <pre>list(object({<br>    environment_name         = string<br>    github_app_client_id     = string<br>    github_app_client_secret = string<br>    github_api_token         = string<br>    admin_github_org_name    = string<br>    tenant_github_org_name   = string<br>    vault_github_org_team_policy_mappings = list(object({<br>      oidc_groups = list(string)<br>      policy_name = string<br>    }))<br>    argocd_rbac_policies = string<br><br>  }))</pre> | <pre>[<br>  {<br>    "admin_github_org_name": "GlueOps",<br>    "argocd_rbac_policies": "      g, GlueOps:argocd_super_admins, role:admin\n      g, glueops-rocks:developers, role:developers\n      p, role:developers, clusters, get, *, allow\n      p, role:developers, *, get, development, allow\n      p, role:developers, repositories, *, development/*, allow\n      p, role:developers, applications, *, development/*, allow\n      p, role:developers, exec, *, development/*, allow\n",<br>    "environment_name": "test",<br>    "github_api_token": "apitokengoeshere",<br>    "github_app_client_id": "apidgoeshere",<br>    "github_app_client_secret": "secretgoeshere",<br>    "tenant_github_org_name": "glueops-rocks",<br>    "vault_github_org_team_policy_mappings": [<br>      {<br>        "oidc_groups": [<br>          "GlueOps:vault_super_admins"<br>        ],<br>        "policy_name": "editor"<br>      },<br>      {<br>        "oidc_groups": [<br>          "GlueOps:vault_super_admins",<br>          "testing-okta:developers"<br>        ],<br>        "policy_name": "reader"<br>      }<br>    ]<br>  }<br>]</pre> | no |
-| <a name="input_github_owner"></a> [github\_owner](#input\_github\_owner) | The GitHub Owner | `string` | n/a | yes |
+| <a name="input_cluster_environments"></a> [cluster\_environments](#input\_cluster\_environments) | The cluster environments and their respective github app ids | <pre>list(object({<br>    environment_name                     = string<br>    github_oauth_app_client_id           = string<br>    github_oauth_app_client_secret       = string<br>    github_tenant_app_id                 = string<br>    github_tenant_app_installation_id    = string<br>    github_tenant_app_b64enc_private_key = string<br>    admin_github_org_name                = string<br>    tenant_github_org_name               = string<br>    vault_github_org_team_policy_mappings = list(object({<br>      oidc_groups = list(string)<br>      policy_name = string<br>    }))<br>    argocd_rbac_policies = string<br><br>  }))</pre> | <pre>[<br>  {<br>    "admin_github_org_name": "GlueOps",<br>    "argocd_rbac_policies": "      g, GlueOps:argocd_super_admins, role:admin\n      g, glueops-rocks:developers, role:developers\n      p, role:developers, clusters, get, *, allow\n      p, role:developers, *, get, development, allow\n      p, role:developers, repositories, *, development/*, allow\n      p, role:developers, applications, *, development/*, allow\n      p, role:developers, exec, *, development/*, allow\n",<br>    "environment_name": "test",<br>    "github_oauth_app_client_id": "oauth-app-id",<br>    "github_oauth_app_client_secret": "oauth-app-secret",<br>    "github_tenant_app_b64enc_private_key": "tenant-github-app-b64enc-private-key",<br>    "github_tenant_app_id": "tenant-github-app-id",<br>    "github_tenant_app_installation_id": "tenant-github-app-installation-id",<br>    "tenant_github_org_name": "glueops-rocks",<br>    "vault_github_org_team_policy_mappings": [<br>      {<br>        "oidc_groups": [<br>          "GlueOps:vault_super_admins"<br>        ],<br>        "policy_name": "editor"<br>      },<br>      {<br>        "oidc_groups": [<br>          "GlueOps:vault_super_admins",<br>          "testing-okta:developers"<br>        ],<br>        "policy_name": "reader"<br>      }<br>    ]<br>  }<br>]</pre> | no |
+| <a name="input_github_owner"></a> [github\_owner](#input\_github\_owner) | The GitHub Owner where the tenant repo will be deployed. | `string` | n/a | yes |
 | <a name="input_management_tenant_dns_aws_account_id"></a> [management\_tenant\_dns\_aws\_account\_id](#input\_management\_tenant\_dns\_aws\_account\_id) | The company AWS account id for the management-tenant-dns account | `string` | n/a | yes |
 | <a name="input_management_tenant_dns_zoneid"></a> [management\_tenant\_dns\_zoneid](#input\_management\_tenant\_dns\_zoneid) | The Route53 ZoneID that all the delegation is coming from. | `string` | n/a | yes |
 | <a name="input_opsgenie_emails"></a> [opsgenie\_emails](#input\_opsgenie\_emails) | List of user email addresses | `list(string)` | n/a | yes |

diff --git a/captain-repo.tf b/captain-repo.tf
@@ -3,25 +3,23 @@ module "captain_repository" {
   source          = "./modules/github-captain-repository/0.1.0"
   repository_name = "${each.value.environment_name}.${aws_route53_zone.main.name}"
   files_to_create = {
-    "argocd.yaml"   = module.argocd_helm_values[each.value.environment_name].helm_values
-    "platform.yaml" = module.glueops_platform_helm_values[each.value.environment_name].helm_values
-    "README.md"     = module.tenant_readmes[each.value.environment_name].tenant_readme
-
-    "${each.value.tenant_github_org_name}-glueops-${var.tenant_key}-${each.value.environment_name}-stack.pub" = tls_private_key.tenant_stack_repostory_key[each.value.environment_name].public_key_openssh
-    "terraform/kubernetes/.gitkeep"                                                                           = ""
-    ".gitignore"                                                                                              = <<EOT
+    "argocd.yaml"                            = module.argocd_helm_values[each.value.environment_name].helm_values
+    "platform.yaml"                          = module.glueops_platform_helm_values[each.value.environment_name].helm_values
+    "README.md"                              = module.tenant_readmes[each.value.environment_name].tenant_readme
+    "terraform/kubernetes/.gitkeep"          = ""
+    ".gitignore"                             = <<EOT
 
 .terraform
 .terraform.lock.hcl
 
 EOT
-    "terraform/vault/initialization/main.tf"                                                                  = <<EOT
+    "terraform/vault/initialization/main.tf" = <<EOT
 module "initialize_vault_cluster" {
   source = "git::https://github.com/GlueOps/terraform-module-kubernetes-hashicorp-vault-initialization.git?ref=v0.3.0"
 }
 
 EOT
-    "terraform/vault/configuration/main.tf"                                                                   = <<EOT
+    "terraform/vault/configuration/main.tf"  = <<EOT
 module "configure_vault_cluster" {
     source = "git::https://github.com/GlueOps/terraform-module-kubernetes-hashicorp-vault-configuration.git?ref=v0.4.3"
     oidc_client_secret = "${random_password.dex_vault_client_secret[each.key].result}"

diff --git a/generate-helm-values.tf b/generate-helm-values.tf
@@ -34,41 +34,39 @@ resource "random_password" "grafana_admin_secret" {
   special  = local.random_password_special_characters
 }
 
-resource "tls_private_key" "tenant_stack_repostory_key" {
-  for_each  = local.cluster_environments
-  algorithm = "ED25519"
-}
 
 
 module "glueops_platform_helm_values" {
-  for_each                      = local.environment_map
-  source                        = "git::https://github.com/GlueOps/platform-helm-chart-platform.git?ref=v0.13.3"
-  dex_github_client_id          = each.value.github_app_client_id
-  dex_github_client_secret      = each.value.github_app_client_secret
-  dex_argocd_client_secret      = random_password.dex_argocd_client_secret[each.value.environment_name].result
-  dex_grafana_client_secret     = random_password.dex_grafana_client_secret[each.value.environment_name].result
-  dex_vault_client_secret       = random_password.dex_vault_client_secret[each.value.environment_name].result
-  dex_pomerium_client_secret    = random_password.dex_pomerium_client_secret[each.value.environment_name].result
-  vault_aws_access_key          = aws_iam_access_key.vault_s3[each.value.environment_name].id
-  vault_aws_secret_key          = aws_iam_access_key.vault_s3[each.value.environment_name].secret
-  loki_aws_access_key           = aws_iam_access_key.loki_s3[each.value.environment_name].id
-  loki_aws_secret_key           = aws_iam_access_key.loki_s3[each.value.environment_name].secret
-  loki_exporter_aws_access_key  = aws_iam_access_key.loki_log_exporter_s3[each.value.environment_name].id
-  loki_exporter_aws_secret_key  = aws_iam_access_key.loki_log_exporter_s3[each.value.environment_name].secret
-  certmanager_aws_access_key    = aws_iam_access_key.certmanager[each.value.environment_name].id
-  certmanager_aws_secret_key    = aws_iam_access_key.certmanager[each.value.environment_name].secret
-  externaldns_aws_access_key    = aws_iam_access_key.externaldns[each.value.environment_name].id
-  externaldns_aws_secret_key    = aws_iam_access_key.externaldns[each.value.environment_name].secret
-  glueops_root_domain           = data.aws_route53_zone.management_tenant_dns.name
-  cluster_environment           = each.value.environment_name
-  aws_region                    = var.primary_region
-  tenant_key                    = var.tenant_key
-  opsgenie_api_key              = lookup(module.opsgenie_teams.opsgenie_prometheus_api_keys, split(".", each.value.environment_name)[0], null)
-  admin_github_org_name         = each.value.admin_github_org_name
-  tenant_github_org_name        = each.value.tenant_github_org_name
-  grafana_admin_password        = random_password.grafana_admin_secret[each.value.environment_name].result
-  tenant_b64enc_ssh_private_key = base64encode(tls_private_key.tenant_stack_repostory_key[each.value.environment_name].private_key_openssh)
-  github_api_token              = each.value.github_api_token
+  for_each                             = local.environment_map
+  source                               = "git::https://github.com/GlueOps/platform-helm-chart-platform.git?ref=v0.13.5"
+  this_is_development                  = var.this_is_development
+  dex_github_client_id                 = each.value.github_oauth_app_client_id
+  dex_github_client_secret             = each.value.github_oauth_app_client_secret
+  dex_argocd_client_secret             = random_password.dex_argocd_client_secret[each.value.environment_name].result
+  dex_grafana_client_secret            = random_password.dex_grafana_client_secret[each.value.environment_name].result
+  dex_vault_client_secret              = random_password.dex_vault_client_secret[each.value.environment_name].result
+  dex_pomerium_client_secret           = random_password.dex_pomerium_client_secret[each.value.environment_name].result
+  vault_aws_access_key                 = aws_iam_access_key.vault_s3[each.value.environment_name].id
+  vault_aws_secret_key                 = aws_iam_access_key.vault_s3[each.value.environment_name].secret
+  loki_aws_access_key                  = aws_iam_access_key.loki_s3[each.value.environment_name].id
+  loki_aws_secret_key                  = aws_iam_access_key.loki_s3[each.value.environment_name].secret
+  loki_exporter_aws_access_key         = aws_iam_access_key.loki_log_exporter_s3[each.value.environment_name].id
+  loki_exporter_aws_secret_key         = aws_iam_access_key.loki_log_exporter_s3[each.value.environment_name].secret
+  certmanager_aws_access_key           = aws_iam_access_key.certmanager[each.value.environment_name].id
+  certmanager_aws_secret_key           = aws_iam_access_key.certmanager[each.value.environment_name].secret
+  externaldns_aws_access_key           = aws_iam_access_key.externaldns[each.value.environment_name].id
+  externaldns_aws_secret_key           = aws_iam_access_key.externaldns[each.value.environment_name].secret
+  glueops_root_domain                  = data.aws_route53_zone.management_tenant_dns.name
+  cluster_environment                  = each.value.environment_name
+  aws_region                           = var.primary_region
+  tenant_key                           = var.tenant_key
+  opsgenie_api_key                     = lookup(module.opsgenie_teams.opsgenie_prometheus_api_keys, split(".", each.value.environment_name)[0], null)
+  admin_github_org_name                = each.value.admin_github_org_name
+  tenant_github_org_name               = each.value.tenant_github_org_name
+  grafana_admin_password               = random_password.grafana_admin_secret[each.value.environment_name].result
+  github_tenant_app_id                 = each.value.github_tenant_app_id
+  github_tenant_app_installation_id    = each.value.github_tenant_app_installation_id
+  github_tenant_app_b64enc_private_key = each.value.github_tenant_app_b64enc_private_key
 }
 
 resource "aws_s3_object" "platform_helm_values" {

diff --git a/modules/tenant-readme/0.1.0/readme.tf b/modules/tenant-readme/0.1.0/readme.tf
@@ -37,7 +37,7 @@ locals {
   codespace_version         = "v0.23.0"
   argocd_crd_version        = "v2.7.2"
   argocd_helm_chart_version = "5.33.3"
-  glueops_platform_version  = "0.13.4"
+  glueops_platform_version  = "0.13.5"
   tools_version             = "v0.1.3"
 }
 

diff --git a/variables.tf b/variables.tf
@@ -26,7 +26,7 @@ variable "tenant_account_id" {
 }
 
 variable "github_owner" {
-  description = "The GitHub Owner"
+  description = "The GitHub Owner where the tenant repo will be deployed."
   type        = string
   nullable    = false
 }
@@ -40,12 +40,14 @@ variable "management_tenant_dns_aws_account_id" {
 variable "cluster_environments" {
   description = "The cluster environments and their respective github app ids"
   type = list(object({
-    environment_name         = string
-    github_app_client_id     = string
-    github_app_client_secret = string
-    github_api_token         = string
-    admin_github_org_name    = string
-    tenant_github_org_name   = string
+    environment_name                     = string
+    github_oauth_app_client_id           = string
+    github_oauth_app_client_secret       = string
+    github_tenant_app_id                 = string
+    github_tenant_app_installation_id    = string
+    github_tenant_app_b64enc_private_key = string
+    admin_github_org_name                = string
+    tenant_github_org_name               = string
     vault_github_org_team_policy_mappings = list(object({
       oidc_groups = list(string)
       policy_name = string
@@ -55,12 +57,14 @@ variable "cluster_environments" {
   }))
   default = [
     {
-      environment_name         = "test"
-      github_app_client_id     = "apidgoeshere"
-      github_app_client_secret = "secretgoeshere"
-      github_api_token         = "apitokengoeshere"
-      admin_github_org_name    = "GlueOps"
-      tenant_github_org_name   = "glueops-rocks"
+      environment_name                     = "test"
+      github_oauth_app_client_id           = "oauth-app-id"
+      github_oauth_app_client_secret       = "oauth-app-secret"
+      github_tenant_app_id                 = "tenant-github-app-id"
+      github_tenant_app_installation_id    = "tenant-github-app-installation-id"
+      github_tenant_app_b64enc_private_key = "tenant-github-app-b64enc-private-key"
+      admin_github_org_name                = "GlueOps"
+      tenant_github_org_name               = "glueops-rocks"
       vault_github_org_team_policy_mappings = [
         {
           oidc_groups = ["GlueOps:vault_super_admins"]