This repository contains the Pulumi automation for GitHub repositories with optional cloud access (AWS and Google Cloud).
To create the repositories, a Pulumi stack with the correct configuration needs to exist.
The stack can be deployed via:
yarn install
yarn build; pulumi up
The entire infrastructure can be destroyed via:
yarn install
yarn build; pulumi destroy
Attention: you must set ALLOW_REPOSITORY_DELETION="true" as an environment variable to be able to delete repositories! This guard exists so that a stray pulumi destroy cannot remove repositories unintentionally.
To run successfully and to configure the Pulumi providers, you need to set the following environment variables. Alternatively, refer to the configuration documentation of the Pulumi providers in use.
AWS_REGION: the AWS region to use
AWS_ACCESS_KEY_ID: the AWS access key ID
AWS_SECRET_ACCESS_KEY: the AWS secret access key
CLOUDSDK_COMPUTE_REGION: the Google Cloud (GCP) region
GOOGLE_APPLICATION_CREDENTIALS: path to a file containing the Google Cloud (GCP) service account credentials
GITHUB_TOKEN: the GitHub token with permissions to manage repositories
These credentials are only needed on the machine running pulumi up; they are not stored in the stack configuration.
The following section describes the configuration which must be set in the Pulumi stack.
Attention: use the secrets encryption provided by Pulumi (pulumi config set --secret) for secret values, so that they are stored encrypted in the stack configuration file rather than in plaintext!
AWS configuration is based on each allowed account.
aws:
  defaultRegion: the default region for every account
  account: a map of AWS account IDs to IAM role configuration
    <ACCOUNT_ID>:
      roleArn: the ARN of the IAM role to assume, with the permissions required in that account
      externalId: the ExternalId to pass when assuming the role
Google Cloud configuration is based on each allowed project.
google:
  allowHmacKeys: whether creating HMAC keys for Google Cloud Storage is allowed
  defaultRegion: the default region for every project
  projects: a list containing all allowed project identifiers
Repositories configuration sets default values and GitHub account information.
repositories:
  owner: the owner/organization of all repositories
  subscription: the subscription type of the user/organization (e.g. "none")
Vault connection configuration. The Vault token is not set here; it is retrieved from the corresponding stack's output.
Attention: Vault will only be used if a connection configuration can be created from these values.
vault:
  address: the URL of the Vault instance
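The sections above assembled into one stack configuration file, as an added example that is not part of this repository. The stack name (prod), the Pulumi project name (github-repositories, which prefixes every key), the account ID, role name, region, project identifiers, owner and Vault address are all assumed placeholders.

```yaml
# Pulumi.prod.yaml (assumed stack name). Every key is namespaced with the
# project name from Pulumi.yaml; "github-repositories" is an assumption.
config:
  github-repositories:aws:
    defaultRegion: eu-central-1
    account:
      "123456789012":                     # example account ID, quoted so YAML keeps it a string
        roleArn: arn:aws:iam::123456789012:role/github-repositories-deployer
        externalId:
          secure: v1:<ciphertext>         # placeholder; written by pulumi config set --secret
  github-repositories:google:
    allowHmacKeys: false                  # keep false unless HMAC keys are really needed
    defaultRegion: europe-west1
    projects:
      - example-project-one
      - example-project-two
  github-repositories:repositories:
    owner: example-org
    subscription: none
  github-repositories:vault:
    address: https://vault.example.internal:8200
```

Do not type the secure ciphertext by hand: set the value with pulumi config set --path --secret 'aws.account["123456789012"].externalId' <value>, which encrypts it with the stack's secrets provider and writes the secure entry for you. The bracket form is needed because the account ID segment would otherwise be read as an array index. Writing externalId: <value> directly would store the value in plaintext in the committed stack file.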
Repositories are defined in YAML format. For each repository to create, a YAML file must be placed in assets/repositories/.
The format is described in the template.
- GitHub Actions lint and verify the code.
- Renovate Bot updates NodeJS packages and GitHub Actions.