chore: init repo

Author: 01walid

.vscode/extensions.json

@@ -0,0 +1,6 @@
+{
+  "recommendations": [
+    "hashicorp.terraform",
+    "nefrob.vscode-just-syntax",
+  ]
+}

LICENSE

@@ -0,0 +1,13 @@
+# Copyright 2025 Yassir Incorporated
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.

README.md

@@ -0,0 +1,3 @@
+# Yassir Terraform modules
+
+A set of standalone, agnostic terraform modules abstracting away common infra provisioning.

modules/aws/.gitkeep

@@ -0,0 +1,5 @@
+
+
+It would have been nice if we could offer the possibility to enable IAP for GCS backend services
+but it's not currently possible:
+https://issuetracker.google.com/issues/114133245?pli=1

modules/gcp/gcs-lb-domain/README.md

@@ -0,0 +1 @@
+data "google_client_config" "current" {}

modules/gcp/gcs-lb-domain/data.tf

@@ -0,0 +1,16 @@
+locals {
+  project = data.google_client_config.current.project
+
+  labels = merge({
+    namespace = var.namespace,
+    domains   = join(", ", var.domains),
+    terraform = "true"
+    tf_module = "gcp/gcs-lb-domain"
+    project   = local.project
+  }, var.labels)
+
+  services = var.enable_services ? [
+    "compute.googleapis.com",
+    "servicenetworking.googleapis.com",
+  ] : []
+}

modules/gcp/gcs-lb-domain/locals.tf

@@ -0,0 +1,57 @@
+# Setup custom domains and external load balancer for a given bucket  
+
+# Enable the services needed for this module
+resource "google_project_service" "services" {
+  for_each           = local.services
+  project            = data.google_client_config.current.project
+  service            = each.value
+  disable_on_destroy = false
+}
+
+# Reserve an external IP
+resource "google_compute_global_address" "static_ip" {
+  name   = "${var.namespace}-ip"
+  labels = local.labels
+
+  depends_on = [google_project_service.services]
+}
+
+# Create a backend service for the given bucket
+resource "google_compute_backend_bucket" "backend_bucket" {
+  name        = "${var.namespace}-backend"
+  description = "Contains files needed by ${var.bucket_name}"
+  bucket_name = var.bucket_name
+  enable_cdn  = var.enable_cdn
+}
+
+# Create HTTPS certificate
+resource "google_compute_managed_ssl_certificate" "ssl_cert" {
+  name = "${var.namespace}-cert"
+  managed {
+    domains = var.domains
+  }
+}
+
+# GCP URL MAP
+resource "google_compute_url_map" "url_map" {
+  name            = "${var.namespace}-lb"
+  default_service = google_compute_backend_bucket.backend_bucket.self_link
+}
+
+# GCP target proxy
+resource "google_compute_target_https_proxy" "target_proxy" {
+  name             = "${var.namespace}-target-proxy"
+  url_map          = google_compute_url_map.url_map.self_link
+  ssl_certificates = [google_compute_managed_ssl_certificate.ssl_cert.self_link]
+}
+
+# GCP forwarding rule
+resource "google_compute_global_forwarding_rule" "forwarding_rule" {
+  name                  = "${var.namespace}-fwd-rule"
+  load_balancing_scheme = "EXTERNAL"
+  ip_address            = google_compute_global_address.static_ip.address
+  ip_protocol           = "TCP"
+  port_range            = "443"
+  target                = google_compute_target_https_proxy.target_proxy.self_link
+  labels                = local.labels
+}

modules/gcp/gcs-lb-domain/main.tf

@@ -0,0 +1,43 @@
+# Export the objects created by this module
+
+output "ip" {
+  description = "The IP address object"
+  value       = google_compute_global_address.static_ip
+}
+
+output "ssl_certificate" {
+  description = "The SSL certificate object"
+  value       = google_compute_managed_ssl_certificate.ssl_cert
+  sensitive   = true
+}
+
+output "url_map" {
+  description = "The URL map object"
+  value       = google_compute_url_map.url_map
+}
+
+output "target_proxy" {
+  description = "The target proxy object"
+  value       = google_compute_target_https_proxy.target_proxy
+}
+
+output "forwarding_rule" {
+  description = "The forwarding rule object"
+  value       = google_compute_global_forwarding_rule.forwarding_rule
+}
+
+# Construct the https URLs
+output "urls" {
+  description = "The URLs of the GCS LB domain"
+  value = {
+    for domain in var.domains : domain => "https://${domain}"
+  }
+}
+
+# Export the labels used by this module
+output "labels" {
+  description = "The labels used by this module"
+  value = {
+    for key, value in local.labels : key => value
+  }
+}

modules/gcp/gcs-lb-domain/outputs.tf

@@ -0,0 +1,32 @@
+variable "namespace" {
+  description = "The namespace to prefix the GCP resources IDs with"
+  type        = string
+}
+
+variable "bucket_name" {
+  description = "The name of the bucket to serve"
+  type        = string
+}
+
+variable "enable_cdn" { 
+  description = "Whether to enable CDN for the bucket backend"
+  type        = bool
+  default     = false
+}
+
+variable "domains" {
+  description = "The domain name to serve the bucket on"
+  type        = list(string)
+}
+
+variable "labels" {
+  description = "Resource labels."
+  type        = map(string)
+  default     = {}
+}
+
+variable "enable_services" {
+  description = "Whether to enable the services needed for this module"
+  type        = bool
+  default     = true
+}

modules/gcp/gcs-lb-domain/variables.tf

@@ -0,0 +1,13 @@
+terraform {
+  required_version = ">= 1.10.2, < 2.0.0"
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = ">= 6.15.0"
+    }
+    google-beta = {
+      source  = "hashicorp/google-beta"
+      version = ">= 6.15.0"
+    }
+  }
+}

modules/gcp/gcs-lb-domain/versions.tf

@@ -0,0 +1,45 @@
+# workload_identity
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_google"></a> [google](#provider\_google) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [google_iam_workload_identity_pool.wip_pool](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool) | resource |
+| [google_iam_workload_identity_pool_provider.wip_provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_provider) | resource |
+| [google_project_iam_member.sa_roles](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
+| [google_service_account_iam_member.yassir-dns-sa-iam-member](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_iam_member) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_access_type"></a> [access\_type](#input\_access\_type) | The type of access to be granted | `string` | n/a | yes |
+| <a name="input_github_organization"></a> [github\_organization](#input\_github\_organization) | Github Organization name to restrict service accounts deploying from Yassir owned repos, not public ones | `string` | `"YAtechnologies"` | no |
+| <a name="input_members"></a> [members](#input\_members) | A list of principals | `list(string)` | n/a | yes |
+| <a name="input_project_id"></a> [project\_id](#input\_project\_id) | The project ID (not number). Could be the same as project.name | `string` | n/a | yes |
+| <a name="input_repositories"></a> [repositories](#input\_repositories) | A list of repositories in the form of 'owner/repo' | `list(string)` | `[]` | no |
+| <a name="input_roles"></a> [roles](#input\_roles) | Project roles | `list(string)` | `[]` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_project_id"></a> [project\_id](#output\_project\_id) | The GCP project name |
+| <a name="output_service_account"></a> [service\_account](#output\_service\_account) | The service account to use for CI/CD |
+| <a name="output_wip_provider"></a> [wip\_provider](#output\_wip\_provider) | The Worload Identity Provider to use for Github Actions |
+<!-- END_TF_DOCS -->

modules/gcp/wif-github/TFDOC.md

@@ -0,0 +1 @@
+data "google_client_config" "current" {}

modules/gcp/wif-github/data.tf

@@ -0,0 +1,4 @@
+locals {
+  project = data.google_client_config.current.project
+  service_account_id = "projects/${project}/serviceAccounts/${var.service_account_email}"
+}

modules/gcp/wif-github/locals.tf

@@ -0,0 +1,36 @@
+# Setup Workload Identity Federation for the given project
+
+resource "google_iam_workload_identity_pool" "wip" {
+  workload_identity_pool_id = "${var.namespace}-wip"
+  display_name              = "Workload identity pool for ${var.namespace}"
+  description               = "Workload identity pool to be used in Github Actions"
+  disabled                  = false
+}
+
+resource "google_iam_workload_identity_pool_provider" "wip_provider" {
+  workload_identity_pool_id          = google_iam_workload_identity_pool.wip.workload_identity_pool_id
+  workload_identity_pool_provider_id = "${var.namespace}-wip-provider"
+  display_name                       = "Github WIP provider for ${var.namespace}"
+  description                        = "The Workload Identity Pool Provider to be used for CI/CD with Github actions"
+
+  attribute_mapping = {
+    "google.subject"       = "assertion.sub"
+    "attribute.actor"      = "assertion.actor"
+    "attribute.aud"        = "assertion.aud"
+    "attribute.repository" = "assertion.repository"
+  }
+
+  oidc {
+    issuer_uri = "https://token.actions.githubusercontent.com"
+  }
+
+  attribute_condition = "assertion.repository_owner=='${var.github_organization}'"
+}
+
+resource "google_service_account_iam_member" "repositories_iam" {
+  for_each           = toset(var.repositories)
+  service_account_id = local.service_account_id
+  role               = "roles/iam.workloadIdentityUser"
+  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.wip.name}/attribute.repository/${each.value}"
+  depends_on         = [google_iam_workload_identity_pool_provider.wip_provider]
+}

modules/gcp/wif-github/main.tf

@@ -0,0 +1,18 @@
+output "service_account" {
+  value       = var.service_account_email
+  description = "The service account to use for CI/CD"
+}
+
+output "wip_provider" {
+  value       = google_iam_workload_identity_pool_provider.wip_provider.workload_identity_pool_provider_id
+  description = "The Workload Identity Provider to use for Github Actions"
+}
+
+output "connection_info" {
+  value = {
+    project      = local.project
+    service_account = var.service_account_email
+    wip_provider = google_iam_workload_identity_pool_provider.wip_provider.workload_identity_pool_provider_id
+    repositories = var.repositories
+  }
+}

modules/gcp/wif-github/outputs.tf

@@ -0,0 +1,30 @@
+variable "namespace" {
+  type        = string
+  description = "The namespace to use as a prefix for the resources created by this module"
+}
+
+variable "repositories" {
+  type        = list(string)
+  description = "A list of repositories in the form of 'owner/repo'"
+
+  validation {
+    condition     = length(var.repositories) > 0
+    error_message = "The repositories variable must contain at least one repository"
+  }
+
+  validation {
+    condition     = alltrue(flatten([for repo in var.repositories : can(regex("^[a-zA-Z0-9_-]+/[a-zA-Z0-9_-]+$", repo))]))
+    error_message = "Each repository must be in the format 'owner/repo'"
+  }
+}
+
+variable "github_organization" {
+  default     = "YAtechnologies"
+  type        = string
+  description = "A Github Organization name to use as a constraint for the workload identity federation"
+}
+
+variable "service_account_email" {
+  type        = string
+  description = "The service account email to use for the workload identity federation"
+}