Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/muhlba91/github-infrastructure
Automated creation of GitHub Repositories with optional Cloud Access.
automation aws doppler github google-cloud infrastructure pulumi vault
Last synced: about 1 month ago
- Host: GitHub
- URL: https://github.com/muhlba91/github-infrastructure
- Owner: muhlba91
- License: gpl-3.0
- Created: 2023-10-20T17:37:53.000Z (about 1 year ago)
- Default Branch: main
- Last Pushed: 2024-11-19T16:00:37.000Z (about 2 months ago)
- Last Synced: 2024-11-19T17:11:59.502Z (about 2 months ago)
- Topics: automation, aws, doppler, github, google-cloud, infrastructure, pulumi, vault
- Language: TypeScript
- Homepage:
- Size: 1.09 MB
- Stars: 0
- Watchers: 3
- Forks: 1
- Open Issues: 3
Metadata Files:
- Readme: README.md
- License: LICENSE.md
- Codeowners: .github/CODEOWNERS
README
# GitHub Infrastructure
[![Build status](https://img.shields.io/github/actions/workflow/status/muhlba91/github-infrastructure/pipeline.yml?style=for-the-badge)](https://github.com/muhlba91/github-infrastructure/actions/workflows/pipeline.yml)
[![License](https://img.shields.io/github/license/muhlba91/github-infrastructure?style=for-the-badge)](LICENSE.md)
[![](https://api.scorecard.dev/projects/github.com/muhlba91/github-infrastructure/badge?style=for-the-badge)](https://scorecard.dev/viewer/?uri=github.com/muhlba91/github-infrastructure)
This repository contains the automation for [GitHub Repositories](https://github.com) with optional Cloud Access using [Pulumi](http://pulumi.com).
---
## Requirements
- [NodeJS](https://nodejs.org/en), and [yarn](https://yarnpkg.com)
- [Pulumi](https://www.pulumi.com/docs/install/)
## Creating the Infrastructure
To create the repositories, a [Pulumi Stack](https://www.pulumi.com/docs/concepts/stack/) with the correct configuration needs to exist.
The stack can be deployed via:
```bash
yarn install
yarn build; pulumi up
```
## Destroying the Infrastructure
The entire infrastructure can be destroyed via:
```bash
yarn install
yarn build; pulumi destroy
```
**Attention**: you must set `ALLOW_REPOSITORY_DELETION="true"` as an environment variable to be able to delete repositories!
## Environment Variables
To run successfully and to configure the Pulumi plugins, you need to set the following environment variables. Alternatively, refer to the configuration documentation of the Pulumi providers in use.
- `AWS_REGION`: the AWS region to use
- `AWS_ACCESS_KEY_ID`: the AWS access key ID
- `AWS_SECRET_ACCESS_KEY`: the AWS secret access key
- `CLOUDSDK_COMPUTE_REGION`: the Google Cloud (GCP) region
- `GOOGLE_APPLICATION_CREDENTIALS`: reference to a file containing the Google Cloud (GCP) service account credentials
- `GITHUB_TOKEN`: the GitHub token with permissions to manage repositories
---
## Configuration
The following section describes the configuration which must be set in the Pulumi Stack.
***Attention:*** do use [Secrets Encryption](https://www.pulumi.com/docs/concepts/secrets/#:~:text=Pulumi%20never%20sends%20authentication%20secrets,“secrets”%20for%20extra%20protection.) provided by Pulumi for secret values!
### AWS
AWS configuration is based on each allowed account.
```yaml
aws:
  defaultRegion: the default region for every account
  account: a map of AWS accounts to IAM role configuration
    :
      roleArn: the IAM role ARN to assume with correct permissions
      externalId: the ExternalID property to assume the role
```
### Google Cloud
Google Cloud configuration is based on each allowed project.
```yaml
google:
  allowHmacKeys: allows creating HMAC Google Cloud Storage keys
  defaultRegion: the default region for every project
  projects: a list containing all allowed project identifiers
```
### Repositories
Repositories configuration sets default values and GitHub account information.
```yaml
repositories:
  owner: the owner/organization of all repositories
  subscription: the subscription type of the user/organization (e.g. "none")
```
### Vault
Vault connection configuration. The token will be retrieved from the corresponding stack's output.
Attention: Vault will only be used if a connection configuration can be created.
```yaml
vault:
  address: the URL to the Vault instance
```
#### Repository YAML
Repositories are defined in YAML format. For each repository to create, a YAML file must be created in [assets/repositories/](assets/repositories/).
The format is described in the [template](assets/templates/repository.yml).
---
## Continuous Integration and Automations
- [GitHub Actions](https://docs.github.com/en/actions) lint and verify the code.
- [Renovate Bot](https://github.com/renovatebot/renovate) updates NodeJS packages and GitHub Actions.