# IAM user for the taskcluster-auth service (created through the shared
# taskcluster-service-iam-user module). Its policy is the upper bound on what
# the service -- and, via sts:GetFederationToken, any temporary credential it
# mints -- can do in AWS: federation is limited to one fixed federated-user
# name, and S3 access is limited to the backups bucket.
module "auth_user" {
  source = "modules/taskcluster-service-iam-user"
  name   = "taskcluster-auth"
  prefix = "${var.prefix}"

  # The policy is inline JSON in a heredoc rather than jsonencode(); keep the
  # body valid JSON (HCL comments are not allowed inside it). Bucket-level
  # actions (s3:ListBucket, s3:GetBucketLocation) match the bucket ARN entry,
  # object-level actions match the "<bucket>/*" entry. Note that
  # s3:PutObjectAcl is granted as well as object read/write/delete.
  policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:GetFederationToken",
"Resource": "arn:aws:sts::${data.aws_caller_identity.current.account_id}:federated-user/TemporaryS3ReadWriteCredentials"
},
{
"Effect": "Allow",
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": [
"${aws_s3_bucket.backups.arn}",
"${aws_s3_bucket.backups.arn}/*"
]
}
]
}
EOF
}
# Key used by the auth service to sign its Azure table entities; it is passed
# through as AZURE_SIGNING_KEY in the auth_secrets module. The default
# character classes (upper, lower, digits, specials) all apply.
# random_string keeps its result unmasked in Terraform state, so the state
# backend must be protected like the key itself.
# NOTE(review): newer versions of the random provider offer random_password,
# which produces the same value but marks it sensitive; switching changes the
# resource address and regenerates the key, so it needs a planned rotation.
resource "random_string" "auth_table_signing_key" {
  length = 40
}
# Encryption key for the auth service's Azure table entities. The 32-character
# ASCII result is base64-encoded into AZURE_CRYPTO_KEY in the auth_secrets
# module, i.e. a 32-byte (256-bit) key once decoded -- presumably the length
# the consumer requires, so `length` should not be changed casually.
# Like the signing key, the value lives unmasked in Terraform state.
resource "random_string" "auth_table_crypto_key" {
  length = 32
}
# Access token for the "static/taskcluster/root" client, which is granted
# scopes ["*"] in locals.static_clients below -- i.e. unrestricted access to
# the whole deployment. override_special narrows the special characters to
# "_-", so the token is drawn from a 64-symbol alphabet (upper, lower, digits,
# "_", "-"); presumably this matches the accessToken character set the API
# accepts -- confirm. Anyone who can read Terraform state can read this token.
resource "random_string" "auth_root_access_token" {
  length           = 65
  override_special = "_-"
}
# Dedicated RabbitMQ (pulse) account for taskcluster-auth, created through the
# shared rabbitmq-user module. Its username and password outputs are wired
# into PULSE_USERNAME / PULSE_PASSWORD in the auth_secrets module.
module "auth_rabbitmq_user" {
  source = "modules/rabbitmq-user"

  project_name   = "taskcluster-auth"
  rabbitmq_vhost = "${var.rabbitmq_vhost}"
  prefix         = "${var.prefix}"
}
# Static clients for the auth service: well-known clientIds with Terraform-
# generated access tokens and fixed scopes. The whole list (tokens included)
# is serialised into STATIC_CLIENTS in the auth_secrets module. All of the
# *_access_token resources referenced here except auth_root_access_token are
# declared in other files -- not visible here.
# NOTE(review): every `description` below is the literal placeholder "...";
# that string is what gets committed and shipped.
locals {
  static_clients = [
    # secrets service: only its own Secrets table. Both spellings of the table
    # scope ("azure-table-access" and "azure-table:read-write") are granted
    # for the same table -- presumably for compatibility across service
    # versions; confirm before dropping either.
    {
      clientId    = "static/taskcluster/secrets"
      accessToken = "${random_string.secrets_access_token.result}"
      description = "..."
      scopes = [
        "auth:azure-table-access:${azurerm_storage_account.base.name}/Secrets",
        "auth:azure-table:read-write:${azurerm_storage_account.base.name}/Secrets",
      ]
    },

    # index service: its two tables, plus read access to any artifact.
    {
      clientId    = "static/taskcluster/index"
      accessToken = "${random_string.index_access_token.result}"
      description = "..."
      scopes = [
        "auth:azure-table-access:${azurerm_storage_account.base.name}/IndexedTasks",
        "auth:azure-table-access:${azurerm_storage_account.base.name}/Namespaces",
        "auth:azure-table:read-write:${azurerm_storage_account.base.name}/IndexedTasks",
        "auth:azure-table:read-write:${azurerm_storage_account.base.name}/Namespaces",
        "queue:get-artifact:*",
      ]
    },

    # worker-manager: a client with no scopes at all (only identity).
    {
      clientId    = "static/taskcluster/worker-manager"
      accessToken = "${random_string.worker_manager_access_token.result}"
      description = "..."
      scopes      = []
    },

    # github service: may assume the role of any github.com repo and any
    # taskcluster-github scheduler-id, plus its own tables.
    {
      clientId    = "static/taskcluster/github"
      accessToken = "${random_string.github_access_token.result}"
      description = "..."
      scopes = [
        "assume:repo:github.com/*",
        "assume:scheduler-id:taskcluster-github/*",
        "auth:azure-table-access:${azurerm_storage_account.base.name}/TaskclusterGithubBuilds",
        "auth:azure-table-access:${azurerm_storage_account.base.name}/TaskclusterIntegrationOwners",
        "auth:azure-table:read-write:${azurerm_storage_account.base.name}/TaskclusterGithubBuilds",
        "auth:azure-table:read-write:${azurerm_storage_account.base.name}/TaskclusterIntegrationOwners",
        "auth:azure-table:read-write:${azurerm_storage_account.base.name}/TaskclusterChecksToTasks",
        "auth:azure-table:read-write:${azurerm_storage_account.base.name}/TaskclusterCheckRuns",
      ]
    },

    # hooks service: its tables, the role of any hook-id, and the ability to
    # send any email and create any task -- a broad client by design.
    {
      clientId    = "static/taskcluster/hooks"
      accessToken = "${random_string.hooks_access_token.result}"
      description = "..."
      scopes = [
        "auth:azure-table:read-write:${azurerm_storage_account.base.name}/Hooks",
        "auth:azure-table:read-write:${azurerm_storage_account.base.name}/Queue",
        "auth:azure-table:read-write:${azurerm_storage_account.base.name}/LastFire",
        "assume:hook-id:*",
        "notify:email:*",
        "queue:create-task:*",
      ]
    },

    # notify service: only its denylist table.
    {
      clientId    = "static/taskcluster/notify"
      accessToken = "${random_string.notify_access_token.result}"
      description = "..."
      scopes = [
        "auth:azure-table:read-write:${azurerm_storage_account.base.name}/DenylistedNotification",
      ]
    },

    # built-in workers: claim and resolve work for the built-in worker types.
    {
      clientId    = "static/taskcluster/built-in-workers"
      accessToken = "${random_string.built_in_workers_access_token.result}"
      description = "..."
      scopes = [
        "queue:claim-work:built-in/*",
        "assume:worker-id:built-in/*",
        "queue:worker-id:built-in/*",
        "queue:resolve-task",
      ]
    },

    # queue service: scopes ["*"] grants every scope, so this token is as
    # powerful as the root token below and must be handled the same way.
    {
      clientId    = "static/taskcluster/queue"
      accessToken = "${random_string.queue_access_token.result}"
      description = "..."
      scopes      = ["*"]
    },

    # root client: unrestricted; token generated in auth_root_access_token.
    {
      clientId    = "static/taskcluster/root"
      accessToken = "${random_string.auth_root_access_token.result}"
      description = "..."
      scopes      = ["*"]
    },
  ]
}
# Environment for every taskcluster-auth process, stored through the shared
# service-secrets module (presumably as a Kubernetes Secret -- its outputs
# secret_name / secrets_hash / env_var_keys are consumed by the deployment
# and scheduled-job modules below). Every key in `secrets` reaches the service
# as an environment variable, including the literal placeholder values.
module "auth_secrets" {
  source            = "modules/service-secrets"
  project_name      = "taskcluster-auth"
  disabled_services = "${var.disabled_services}"

  secrets = {
    # Long-lived keys of the IAM user defined in auth_user above.
    AWS_ACCESS_KEY_ID     = "${module.auth_user.access_key_id}"
    AWS_SECRET_ACCESS_KEY = "${module.auth_user.secret_access_key}"
    AWS_REGION            = "${var.aws_region}"

    # Primary (full-access) key of the shared storage account; rotating it in
    # Azure requires a re-apply so the secret is refreshed.
    AZURE_ACCOUNT_KEY = "${azurerm_storage_account.base.primary_access_key}"
    AZURE_ACCOUNT     = "${azurerm_storage_account.base.name}"

    # Same key again as a JSON {account name -> key} map. `map()` is
    # Terraform 0.11 syntax; newer Terraform deprecates it in favour of a
    # `{ name = key }` literal -- not changed here.
    AZURE_ACCOUNTS = "${jsonencode(map(
      "${azurerm_storage_account.base.name}", "${azurerm_storage_account.base.primary_access_key}",
    ))}"

    # Serialised local.static_clients, access tokens included.
    STATIC_CLIENTS = "${jsonencode(local.static_clients)}"

    # Pulse (RabbitMQ) credentials from auth_rabbitmq_user above.
    PULSE_HOSTNAME = "${var.rabbitmq_hostname}"
    PULSE_VHOST    = "${var.rabbitmq_vhost}"
    PULSE_USERNAME = "${module.auth_rabbitmq_user.username}"
    PULSE_PASSWORD = "${module.auth_rabbitmq_user.password}"

    # Table keys generated above; the crypto key is base64-encoded so the
    # consumer receives 32 raw bytes, the signing key is passed as-is.
    AZURE_CRYPTO_KEY  = "${base64encode(random_string.auth_table_crypto_key.result)}"
    AZURE_SIGNING_KEY = "${random_string.auth_table_signing_key.result}"

    # FORCE_SSL is off and TRUST_PROXY is on: the service does not insist on
    # HTTPS itself and honours X-Forwarded-* headers. That is only safe when
    # TLS is terminated by a proxy in front of it and the service is not
    # reachable except through that proxy -- presumably the case here; confirm.
    FORCE_SSL         = "false"
    TRUST_PROXY       = "true"
    LOCK_ROLES        = "false"
    MONITORING_ENABLE = "true"
    NODE_ENV          = "production"

    # NOTE(review): "[email protected]" looks like an email-obfuscation artifact
    # of the page this was copied from rather than a real address; verify the
    # committed value.
    OWNER_EMAIL      = "[email protected]"
    PROFILE          = "production"
    PUBLISH_METADATA = "false"

    # Literal "TODO" placeholders: these are shipped to the service verbatim,
    # so Sentry, statsum and webhooktunnel are effectively unconfigured until
    # real values are supplied.
    SENTRY_API_KEY          = "TODO SENTRY 4"
    SENTRY_DSN              = "TODO"
    SENTRY_AUTH_TOKEN       = "TODO"
    STATSUM_API_SECRET      = "TODO"
    STATSUM_BASE_URL        = "TODO"
    WEBHOOKTUNNEL_PROXY_URL = "TODO"
    WEBHOOKTUNNEL_SECRET    = "TODO"
  }
}
# The "web" process of the auth service, rolled out through the shared
# deployment module. Environment comes from the auth_secrets module: the
# secret's name, its env-var key list, and secrets_hash -- presumably so that
# a changed secret produces a new rollout; confirm in the module.
module "auth_web_service" {
  source = "modules/deployment"

  # identity
  project_name = "taskcluster-auth"
  service_name = "auth"
  proc_name    = "web"

  # rollout inputs
  disabled_services = "${var.disabled_services}"
  docker_image      = "${local.taskcluster_image_monoimage}"
  root_url          = "${var.root_url}"
  readiness_path    = "/api/auth/v1/ping"

  # environment
  secret_name  = "${module.auth_secrets.secret_name}"
  secret_keys  = "${module.auth_secrets.env_var_keys}"
  secrets_hash = "${module.auth_secrets.secrets_hash}"
}
# Daily purgeExpiredClients job for the auth service (cron "0 0 * * *"),
# run with the same secret/environment as the web process.
# NOTE(review): deadline_seconds (86400) equals the schedule interval, so a
# run that hangs for the full deadline would coincide with the next one --
# whether the scheduled-job module forbids overlap is not visible here.
module "auth_purge_expired_clients" {
  source = "modules/scheduled-job"

  # identity
  project_name = "taskcluster-auth"
  service_name = "auth"
  job_name     = "purgeExpiredClients"

  # timing
  schedule         = "0 0 * * *"
  deadline_seconds = 86400

  # rollout inputs
  docker_image = "${local.taskcluster_image_monoimage}"
  root_url     = "${var.root_url}"

  # environment
  secret_name  = "${module.auth_secrets.secret_name}"
  secret_keys  = "${module.auth_secrets.env_var_keys}"
  secrets_hash = "${module.auth_secrets.secrets_hash}"
}