2026-02-18 01:05:05 +01:00
commit 490fad15c6
19 changed files with 558 additions and 0 deletions

README.md Normal file

@@ -0,0 +1,49 @@
##
This repository contains:
- A terraform module that is meant to create s3 buckets, configure them, and apply the policies that are tied to them.
- A terraform module that can create self-hosted github actions runners on ec2 instances and a yml configuration file for the runners.
- A python script to run a simple flask API that can run terraform with certain parameters.
- A '.env' file containing the variables for region, tfstate bucket, and a pre-shared secret for the requests.
- The docker compose file used to deploy Jenkins, Vault and Selenium for a local testing environment.
### How to run the s3 bucket api
The python script provides a simplified way to request buckets for developers without getting into terraform files or the AWS console. To set it up, the required python dependencies need to be installed:
```bash
pip install dotenv marshmallow flask python_terraform
```
Then, the script can just be executed and the API will run on a machine, listening to port 8080.
Here is an example of how to perform a request with curl to create a bucket:
```bash
curl -X POST -H "Content-Type: application/json" \
-d '{"bucket_name":"mybucket-python-testing-1234999",\
"environment":"prod",\
"encryption":"Enabled",\
"versioning":"Enabled",\
"api_key":"08de5837ac8129886fec0d53d1a8626c"}'\
localhost:8080/create_bucket
```
### Terraform for the API
The terraform files follow a simple structure and handle variables that are passed through from the python script. The variables to fill the required parameters are taken from the .env file and the requests made to the API.
It is required to run terraform init the first time before the API works on deploying a bucket.
### Jenkinsfile
The jenkinsfile from requirement 1 has been placed in this repo to be used as an example of a python deployment with the required tests.
My jenkins deployment failed to install plugins after the first run. Because of time constraints, I was not able to test the full flow before publishing.
### AWS runner
The setup for creating the runners is quite easy, as the only required thing is to add a GITHUB_KEY in the runner.tf file and apply. I tried to make the permissions on the runners as slim as possible.
### Lessons learned, security considerations, and possible improvements
- Authentication could be handled not by a pre-shared secret. A better way would be to tie the authentication to IAM, which would in turn also allow nice permission management.
- This is a flask dev server, which is not stable and shouldn't be used anywhere. Transforming this into a proper service with WSGI is recommended.
- HTTP is not a secure protocol. This could be easily mitigated by running behind a reverse proxy with HTTPS (Which is easier to manage than with flask or WSGI).
- Many more variables can be added, like AWS account, user, region, ACL management, etc.
- python_terraform is not great at reporting any errors, and does not handle errors in a "python way". Maybe not the best tool for the job. Subprocess and direct terraform commands could make this better.
- Variables cannot go into the backend file. I needed to dynamically write this file on execution to manage the state file with s3.
- Plugins should have been installed on the initial setup of Jenkins, as something (unknown) changed on my local system not allowing for plugins to be installed afterward.
- The github runner code is not tested at the moment.
- The full jenkinsfile is not tested at the moment.
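Review bot: the curl example under "How to run the s3 bucket api" sends invalid JSON as written, because the trailing backslashes sit inside the single-quoted `-d '...'` argument, where the shell keeps both the backslash and the newline literally; the body the API receives then contains `,\` followed by a line break, which a JSON parser rejects. Either put the whole object on one line, or close the quote before each continuation, e.g. `-d '{"bucket_name":"mybucket-python-testing-1234999",' \` on each line, or pass the body from a file with `-d @request.json`. In the same example, the `api_key` value `08de5837ac8129886fec0d53d1a8626c` reads like the actual pre-shared secret from the `.env` file that the README says the repository ships; replace it with a placeholder such as `<API_KEY>` and state that `.env` is excluded from version control, otherwise the secret is published together with the code. Two smaller points in the hunk: `pip install dotenv` installs a different PyPI package from `python-dotenv`, which is the one that provides `from dotenv import load_dotenv`, so the install line should name `python-dotenv`; and the `##` on the first line is an empty heading and should carry the repository title or be removed.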