artifactory module

.markdownlint.rb

@@ -0,0 +1,2 @@
+all
+exclude_rule 'MD007'

live/ci/artifactory/terragrunt.hcl

@@ -0,0 +1,15 @@
+terraform {
+  source = "../../../modules//artifactory"
+}
+
+include "root" {
+  path = find_in_parent_folders()
+}
+
+locals {
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+}
+
+inputs = merge(
+  local.environment_vars.locals
+)

live/dev/artifactory/terragrunt.hcl

@@ -0,0 +1,15 @@
+terraform {
+  source = "../../../modules//artifactory"
+}
+
+include "root" {
+  path = find_in_parent_folders()
+}
+
+locals {
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+}
+
+inputs = merge(
+  local.environment_vars.locals
+)

live/prod/artifactory/terragrunt.hcl

@@ -0,0 +1,15 @@
+terraform {
+  source = "../../../modules//artifactory"
+}
+
+include "root" {
+  path = find_in_parent_folders()
+}
+
+locals {
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+}
+
+inputs = merge(
+  local.environment_vars.locals
+)

modules/artifactory/README.md

@@ -0,0 +1,86 @@
+# artifactory
+
+IaC Spinning Artifactory instance on AWS
+
+## local DEV environment
+
+### System Requirements
+
+* AWS [credentials settings][1], profile __default__
+* Define a secret in AWS Secrets Manager:
+  * Secret name: artifactory
+  * key __artifactory_license_1__
+  * key __username__ (value must be lowercase)
+  * key __password__ (value must be lowercase)
+* `make`
+* `podman` or `docker`
+
+### pre-commit
+
+To run pre-commit locally, follow the instructions:
+
+```shell
+pip install --user pre-commit
+pre-commit install
+```
+
+### DEV Environment init
+
+```shell
+make init
+```
+
+### DEV Environment reconfigure
+
+```shell
+make reconfigure
+```
+
+### DEV Environment Up
+
+```shell
+make up
+```
+
+### DEV Environment Down
+
+```shell
+make down
+```
+
+## STAGE environment
+
+* Setup AWS profile named __stage__
+* Define a secret in AWS Secrets Manager:
+  * Secret name: artifactory
+  * key __artifactory_license_2__
+  * key __username__ (value must be lowercase)
+  * key __password__ (value must be lowercase)
+* `make`
+* `podman` or `docker`
+
+### STAGE Environment init
+
+```shell
+make init
+```
+
+### STAGE Environment reconfigure
+
+```shell
+make reconfigure
+```
+
+### STAGE Environment Up
+
+```shell
+make ENV=stage up
+```
+
+### STAGE Environment Down
+
+```shell
+make ENV=stage down
+```
+
+[1]: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html

modules/artifactory/main.tf

@@ -0,0 +1,143 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "5.19.0"
+    }
+  }
+}
+
+provider "aws" {
+  region  = var.aws_region
+  profile = var.aws_profile
+  default_tags {
+    tags = merge(var.tags, { User = var.user })
+  }
+}
+
+data "aws_ami" "centos_stream_8" {
+  most_recent = true
+  owners      = ["125523088429"]
+
+  filter {
+    name   = "name"
+    values = ["CentOS Stream 8 *"]
+  }
+
+  filter {
+    name   = "architecture"
+    values = ["x86_64"]
+  }
+}
+
+resource "aws_security_group" "security_group" {
+  name        = var.artifactory_security_group_name
+  description = "Artifactory inbound and outbound traffic"
+
+  # SSH access from anywhere
+  ingress {
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  # HTTP access from anywhere
+  ingress {
+    from_port   = 8082
+    to_port     = 8082
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  # HTTPS access from anywhere
+  ingress {
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  # outbound internet access
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+
+data "aws_iam_policy_document" "assume_policy" {
+  statement {
+    sid = "1"
+
+    principals {
+      type        = "Service"
+      identifiers = ["ec2.amazonaws.com"]
+    }
+
+    actions = [
+      "sts:AssumeRole"
+    ]
+  }
+}
+
+data "aws_iam_policy_document" "secretmanager_iam_policy_document" {
+  statement {
+    sid = "1"
+
+    actions = [
+      "secretsmanager:GetResourcePolicy",
+      "secretsmanager:GetSecretValue",
+      "secretsmanager:DescribeSecret",
+      "secretsmanager:ListSecretVersionIds",
+      "secretsmanager:ListSecrets"
+    ]
+
+    resources = [
+      "*",
+    ]
+  }
+}
+
+resource "aws_iam_role" "iam_role" {
+  name               = var.artifactory_iam_role_name
+  assume_role_policy = data.aws_iam_policy_document.assume_policy.json
+  inline_policy {
+    name   = var.secretsmanager_policy
+    policy = data.aws_iam_policy_document.secretmanager_iam_policy_document.json
+  }
+}
+
+resource "aws_iam_instance_profile" "iam_instance_profile" {
+  name = var.artifactory_iam_instance_profile
+  role = aws_iam_role.iam_role.name
+}
+
+resource "tls_private_key" "tls_private_key" {
+  algorithm = "RSA"
+  rsa_bits  = 4096
+}
+
+resource "aws_key_pair" "key_pair" {
+  key_name   = var.ssh_key_name
+  public_key = tls_private_key.tls_private_key.public_key_openssh
+}
+
+resource "local_file" "private_key" {
+  content         = tls_private_key.tls_private_key.private_key_openssh
+  filename        = var.ssh_private_file_name
+  file_permission = 0400
+}
+
+resource "aws_instance" "artifactory_instance" {
+  ami                    = data.aws_ami.centos_stream_8.id
+  instance_type          = var.artifactory_instance_type
+  vpc_security_group_ids = [aws_security_group.security_group.id]
+  iam_instance_profile   = aws_iam_instance_profile.iam_instance_profile.name
+  key_name               = aws_key_pair.key_pair.key_name
+  tags                   = merge(var.tags, { Name = var.artifactory_server_name })
+  root_block_device {
+    volume_size = 100
+  }
+}

modules/artifactory/provision/ansible.cfg

@@ -0,0 +1,9 @@
+[defaults]
+host_key_checking=False
+private_key_file=/workspace/tf-artifactory-ssh-key.pem
+ask_pass=false
+inventory=aws_ec2.yml
+remote_user=centos
+
+[inventory]
+enable_plugins = aws_ec2

modules/artifactory/provision/aws_ec2.yml

@@ -0,0 +1,10 @@
+plugin: aws_ec2
+aws_profile: "{{ lookup('env', 'AWS_PROFILE') | default('default', true) }}"
+regions:
+  - eu-central-1
+  - eu-west-2
+filters:
+  instance-state-name: running
+  tag:Project: platform-engineering
+include_filters:
+  - tag:User: "{{ lookup('env', 'USER') }}"

modules/artifactory/provision/main.yml

@@ -0,0 +1,85 @@
+- name: Artifactory IaC
+  hosts: all
+  gather_facts: false
+  vars:
+    license_string: "{{ lookup('amazon.aws.aws_secret', 'artifactory') | from_json}}"
+    admin_user: "{{ license_string.username }}"
+    admin_password: "{{ license_string.password }}"
+    env: "{{ ENV }}"
+
+  tasks:
+    - name: Wait until the instance is ready
+      ansible.builtin.wait_for_connection:
+
+    - name: Gather facts for first time
+      ansible.builtin.setup:
+
+    - name: Artifactory repository added
+      become: true
+      ansible.builtin.yum_repository:
+        name: artifactory-pro-rpms
+        description: artifactory Pro
+        baseurl: https://releases.jfrog.io/artifactory/artifactory-pro-rpms/
+
+    - name: Artifactory Pro installed
+      become: true
+      ansible.builtin.dnf:
+        name: jfrog-artifactory-pro
+        update_cache: true
+        disable_gpg_check: true
+        state: present
+
+    - name: Create /opt/jfrog/artifactory/var/etc/access directory
+      become: true
+      ansible.builtin.file:
+        path: "{{ item }}"
+        state: directory
+        owner: artifactory
+        group: artifactory
+        mode: u=rwx,g=rx
+      with_items:
+        - /opt/jfrog/artifactory/var/etc/access
+        - /opt/jfrog/artifactory/var/etc/artifactory
+
+    - name: Re-configure built-in administrator creds
+      become: true
+      ansible.builtin.template:
+        src: "{{ playbook_dir }}/templates/bootstrap.creds.j2"
+        dest: /opt/jfrog/artifactory/var/etc/access/bootstrap.creds
+        owner: artifactory
+        group: artifactory
+        mode: u=rw
+
+    - name: Set license for non STAGE environment
+      ansible.builtin.set_fact:
+        license: "{{ license_string.artifactory_license1 }}"
+      when: env != "stage"
+
+    - name: Set license for STAGE environment
+      ansible.builtin.set_fact:
+        license: "{{ license_string.artifactory_license2 }}"
+      when: env == "stage"
+
+    - name: Use license strings
+      become: true
+      ansible.builtin.copy:
+        dest: /opt/jfrog/artifactory/var/etc/artifactory/artifactory.lic
+        content: "{{ license }}"
+        mode: "0644"
+
+    - name: Artifactory service is enabled and running
+      become: true
+      ansible.builtin.systemd:
+        state: started
+        enabled: true
+        name: artifactory
+
+    - name: Make sure artifactory is healthy
+      ansible.builtin.uri:
+        url: http://{{ inventory_hostname }}:8082/router/api/v1/system/health
+        timeout: 130
+        status_code: 200
+      register: result
+      until: result is succeeded
+      retries: 25
+      delay: 5

modules/artifactory/provision/requirements.yml

@@ -0,0 +1,5 @@
+---
+collections:
+  - name: amazon.aws
+    version: 6.4.0
+    type: galaxy

modules/artifactory/provision/templates/bootstrap.creds.j2

@@ -0,0 +1 @@
+{{ admin_user }}@*={{ admin_password }}