terraform-aws-debian-repo

Module that creates a Debian repository backed by S3 and fronted by CloudFront.

Usage example

Step 1. GPG keypair

Create a GPG key pair (if you don't already have one) for signing the repository. The interactive session below produces a 4096-bit RSA key that expires after two years; the expiry is deliberate, because an expired key forces a planned rotation instead of an indefinitely valid signing key sitting in Secrets Manager.

# gpg --full-gen-key

gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
  (14) Existing key from card
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at Wed Jul 23 17:18:31 2025 PDT
Is this correct? (y/N) Y

GnuPG needs to construct a user ID to identify your key.

Real name: InfraHouse Packager
Email address: [email protected]
Comment: key for signing Ubuntu jammy repository
You selected this USER-ID:
    "InfraHouse Packager (key for signing Ubuntu jammy repository) <[email protected]>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

If you set a passphrase, save it; you can also leave the key unprotected for now. Either way, the passphrase is replaced in Step 3 with the one the module generates.

Export the public key and save it in a file. The module publishes this file in the repository so that clients can verify the signed indexes.

# gpg --armor --export [email protected] \
    > ./files/DEB-GPG-KEY-infrahouse-jammy

Step 2. AWS resources

Create a regular aws provider for the region where the repository bucket will live.

provider "aws" {
  region = "us-west-1"
}

CloudFront only accepts ACM certificates issued in us-east-1, so the module needs a second provider aliased for that region.

provider "aws" {
  region = "us-east-1"
  alias = "aws-us-east-1"
}

Now, let's create a Debian repo for Ubuntu jammy. It will be served at https://release.infrahouse.com. The module creates the DNS record in the Route53 zone of the parent domain, so look that zone up first (this data source was missing from the original snippet):

data "aws_route53_zone" "infrahouse_com" {
  name = "infrahouse.com."
}

module "release_infrahouse_com" {
  providers = {
    aws     = aws
    aws.ue1 = aws.aws-us-east-1
  }
  source               = "registry.infrahouse.com/infrahouse/terraform-aws-debian-repo"
  version              = "~> 2.2"
  bucket_name          = "infrahouse-release"
  repository_codename  = "jammy"
  domain_name          = "release.infrahouse.com"
  gpg_public_key       = file("./files/DEB-GPG-KEY-infrahouse-jammy")
  gpg_sign_with        = "[email protected]"
  index_title          = "InfraHouse Releases Repository"
  index_body           = "Stay tuned!"
  zone_id              = data.aws_route53_zone.infrahouse_com.id
}

NOTE 1: The module creates a Secrets Manager secret for the GPG private key, but leaves it empty. Think of the secret as storage for the key: you upload the key's content as the secret string in Step 3.

NOTE 2: The module does generate a new passphrase and stores it in a second secret. In Step 3 you fetch it and set it on the private key, so the key stored in AWS is never usable without the passphrase secret. Both secrets are readable only by the roles listed in signing_key_readers and writable only by those in signing_key_writers.

Step 3. Upload GPG private key

To make this step easier, install infrahouse-toolkit, which provides ih-secrets and ih-s3-reprepro.

# pip install infrahouse-toolkit~=2.25

Fetch the passphrase the module generated.

# ih-secrets --aws-region us-west-1 get packager-passphrase-jammy

Set it as the passphrase of the private key. gpg asks for the current passphrase (if the key has one) and then for the new one.

# gpg --edit-key [email protected]

gpg> passwd
gpg> save

Export the private key, now protected by the new passphrase, to a file.

# gpg --armor --export-secret-key [email protected] \
    > gpg-private-key

Upload the private key to the secret the module created for it. The secret name follows the repository codename, here jammy (the original text named the noble secret by mistake). Delete the local gpg-private-key file once the upload succeeds.

# ih-secrets --aws-region us-west-1 set packager-key-jammy gpg-private-key

Step 4. Check the repository

Run the reprepro consistency check against the repository bucket (the bucket name is the module's release_bucket output).

# ih-s3-reprepro --bucket infrahouse-release-jammy check
Checking jammy...

# echo $?
0

If the output looks similar and the exit code is zero, the repository is consistent. Note that this check covers the index files in the bucket; whether clients accept the signature depends on the public key they were configured with in Step 1.
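The four steps above are interactive. The script below is an added example, not code from the terraform-aws-debian-repo project: it generates the signing key non-interactively (the batch-mode equivalent of Step 1), exports the public key in the form the module reads with file(), clear-signs a constructed Release file the way reprepro publishes InRelease, and then verifies it from a client's point of view, which is the part Step 4's reprepro check does not cover. The key name, e-mail address, file names and the Release contents are illustrative assumptions; gpg and gpgconf must be installed.

```shell
#!/bin/sh
# Added example; not code from the terraform-aws-debian-repo project.
# Generates the repository signing key non-interactively, exports the public key
# the way the module expects it, clear-signs a constructed Release file the way
# reprepro publishes InRelease, and verifies it as an apt client would. The key
# name, e-mail address and file names are illustrative assumptions.
set -eu

# Create a sign-only RSA key inside an isolated GNUPGHOME so the operator's or
# CI runner's own keyring is never touched. Prints the key fingerprint.
gen_signing_key() {
    local home="$1" name="$2" email="$3" bits="${4:-4096}"
    mkdir -p "$home"
    chmod 700 "$home"
    # %no-protection: no passphrase yet. The module generates one in Secrets
    # Manager and it is applied to the key in Step 3 of the README.
    gpg --homedir "$home" --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: $bits
Key-Usage: sign
Name-Real: $name
Name-Email: $email
Expire-Date: 2y
%commit
EOF
    gpg --homedir "$home" --batch --with-colons --with-fingerprint \
        --list-keys "$email" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Export the armored public key into the file that the module reads through
# file("./files/DEB-GPG-KEY-...") and publishes alongside the repository.
export_public_key() {
    local home="$1" email="$2" out="$3"
    gpg --homedir "$home" --batch --armor --export "$email" > "$out"
    # Fail loudly if the export is empty or not an armored public key block.
    head -n 1 "$out" | grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----$'
}

# Clear-sign a Release file into InRelease, which is what reprepro does at
# publication time with the key named by gpg_sign_with.
sign_release() {
    local home="$1" fpr="$2" release="$3" inrelease="$4"
    gpg --homedir "$home" --batch --yes --quiet --local-user "$fpr" \
        --digest-algo SHA512 --clearsign --output "$inrelease" "$release"
}

# Verify InRelease from the client's point of view: a fresh keyring holding only
# the published public key. Returns 0 on a good signature, 1 on a bad or missing one.
verify_release() {
    local pubkey="$1" inrelease="$2" client rc
    client=$(mktemp -d)
    chmod 700 "$client"
    rc=0
    gpg --homedir "$client" --batch --import "$pubkey" >/dev/null 2>&1 || rc=1
    gpg --homedir "$client" --batch --verify "$inrelease" >/dev/null 2>&1 || rc=1
    gpgconf --homedir "$client" --kill all >/dev/null 2>&1 || true
    rm -rf "$client"
    return "$rc"
}

# End-to-end run in a throwaway directory with a constructed Release file.
# Returns 0 only if the genuine file verifies and a tampered copy is rejected.
demo() {
    local work home email fpr pub ok tampered
    work=$(mktemp -d)
    home="$work/gnupg"
    email="packager@example.com"
    pub="$work/DEB-GPG-KEY-example-jammy"
    fpr=$(gen_signing_key "$home" "Example Packager" "$email" "${1:-4096}")
    export_public_key "$home" "$email" "$pub"
    # Constructed Release file; a real one also lists the size and SHA256 of
    # every Packages index, which is how apt extends trust from this one
    # signature to the package files.
    printf 'Origin: Example\nSuite: jammy\nCodename: jammy\nArchitectures: amd64\nComponents: main\nDate: Mon, 01 Jan 2024 00:00:00 UTC\n' \
        > "$work/Release"
    sign_release "$home" "$fpr" "$work/Release" "$work/InRelease"
    # Tamper with the signed text without touching the signature block.
    sed 's/^Codename: jammy$/Codename: noble/' "$work/InRelease" > "$work/InRelease.tampered"
    ok=0; tampered=0
    verify_release "$pub" "$work/InRelease" && ok=1
    verify_release "$pub" "$work/InRelease.tampered" || tampered=1
    gpgconf --homedir "$home" --kill all >/dev/null 2>&1 || true
    rm -rf "$work"
    echo "fingerprint=$fpr genuine_ok=$ok tampered_rejected=$tampered"
    [ "$ok" = 1 ] && [ "$tampered" = 1 ]
}

if [ "${1:-}" = "demo" ]; then
    demo "${2:-}"
fi
```

Run it as `sh script.sh demo` (or `demo 3072` for a faster key). For a real repository, point gen_signing_key at a dedicated GNUPGHOME kept only on the packaging host, and use verify_release against the InRelease file fetched from https://release.infrahouse.com/dists/jammy/ with the public key the module published; a failure there means clients will refuse the repository even though reprepro check passed.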

Authentication

The module supports HTTP basic authentication, implemented as a CloudFront function in front of the bucket (aws_cloudfront_function.http_auth). It is disabled by default; to enable it, set both http_auth_user and http_auth_password. The credentials are sent with every request and are protected only by TLS at CloudFront, so treat them as a way to keep the repository off search engines and casual crawlers, not as a substitute for the GPG signature, and pass them in through variables rather than literals.

module "release_infrahouse_com" {
  providers = {
    aws     = aws
    aws.ue1 = aws.aws-us-east-1
  }
...

  http_auth_user      = var.http_user
  http_auth_password  = var.http_password
}
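On the client side the repository key should be pinned to this one repository and the basic-auth credentials kept out of the source URI. The script below is an added example, not code from the terraform-aws-debian-repo project: it writes a deb822 .sources file with Signed-By, stores the credentials in apt's auth.conf.d with owner-only permissions, and checks both before apt update. The host name, suite, component name and key file name are assumptions; the functions take a staging root so they can be exercised without root privileges.

```shell
#!/bin/sh
# Added example; not code from the terraform-aws-debian-repo project.
# Configures an Ubuntu client for a repository created by this module. The host
# name, suite, component and key file name are illustrative assumptions; the
# functions write under a staging root so they can be exercised without root.
set -eu

# Install the repository key where apt expects third-party keyrings and write a
# deb822 source pinned to it with Signed-By, so this key can only ever
# authenticate this repository (no apt-key, no globally trusted key).
configure_repo_source() {
    local root="$1" host="$2" suite="$3" keyfile="$4"
    mkdir -p "$root/etc/apt/keyrings" "$root/etc/apt/sources.list.d"
    install -m 0644 "$keyfile" "$root/etc/apt/keyrings/$host.asc"
    cat > "$root/etc/apt/sources.list.d/$host.sources" <<EOF
Types: deb
URIs: https://$host
Suites: $suite
Components: main
Signed-By: /etc/apt/keyrings/$host.asc
EOF
}

# Keep basic-auth credentials out of the .sources file (world-readable) and out of
# the URI (ends up in logs); apt reads them from auth.conf.d, which must be 0600.
configure_repo_auth() {
    local root="$1" host="$2" user="$3" password="$4"
    mkdir -p "$root/etc/apt/auth.conf.d"
    ( umask 077
      printf 'machine %s\nlogin %s\npassword %s\n' "$host" "$user" "$password" \
          > "$root/etc/apt/auth.conf.d/$host.conf" )
}

# Checks to run before `apt update`: the source is pinned to a keyring, the URI
# carries no embedded credentials, and the credentials file is owner-only.
check_client_config() {
    local root="$1" host="$2" src conf
    src="$root/etc/apt/sources.list.d/$host.sources"
    conf="$root/etc/apt/auth.conf.d/$host.conf"
    grep -q '^Signed-By: /etc/apt/keyrings/' "$src" || return 1
    grep -q '^URIs: https://[^@]*$' "$src" || return 1
    [ -n "$(find "$conf" -perm 0600 -print)" ] || return 1
    return 0
}

# Stage everything under a temporary root with a constructed key file and run the
# checks. Returns 0 when the configuration passes.
demo() {
    local root rc
    root=$(mktemp -d)
    # Constructed placeholder standing in for the exported DEB-GPG-KEY file.
    printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' \
        '(constructed placeholder)' '-----END PGP PUBLIC KEY BLOCK-----' \
        > "$root/key.asc"
    configure_repo_source "$root" release.example.com jammy "$root/key.asc"
    configure_repo_auth "$root" release.example.com deploy 'correct horse battery staple'
    rc=0
    check_client_config "$root" release.example.com || rc=1
    rm -rf "$root"
    return "$rc"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

On a real host call the two configure functions with root set to / (as root) and the key file downloaded from the repository over HTTPS, then run check_client_config before apt update. The Signed-By line is what stops a compromised or mis-scoped repository key from authenticating any other source on the machine.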

Requirements

| Name | Version |
|---|---|
| terraform | ~> 1.5 |
| aws | >= 4.67 |
| random | ~> 3.5 |

Providers

| Name | Version |
|---|---|
| aws | >= 4.67 |
| aws.ue1 | >= 4.67 |
| random | ~> 3.5 |

Modules

| Name | Source | Version |
|---|---|---|
| key | registry.infrahouse.com/infrahouse/secret/aws | 0.5.0 |
| passphrase | registry.infrahouse.com/infrahouse/secret/aws | 0.5.0 |

Resources

| Name | Type |
|---|---|
| aws_acm_certificate.repo | resource |
| aws_acm_certificate_validation.repo | resource |
| aws_cloudfront_cache_policy.default | resource |
| aws_cloudfront_distribution.repo | resource |
| aws_cloudfront_function.http_auth | resource |
| aws_cloudfront_origin_access_control.repo-storage | resource |
| aws_route53_record.cert_validation | resource |
| aws_route53_record.repo | resource |
| aws_s3_bucket.repo | resource |
| aws_s3_bucket.repo-logs | resource |
| aws_s3_bucket_acl.repo | resource |
| aws_s3_bucket_acl.repo-logs | resource |
| aws_s3_bucket_logging.server-logs | resource |
| aws_s3_bucket_ownership_controls.repo | resource |
| aws_s3_bucket_ownership_controls.repo-logs | resource |
| aws_s3_bucket_policy.bucket-access | resource |
| aws_s3_bucket_public_access_block.repo | resource |
| aws_s3_object.deb-gpg-public-key | resource |
| aws_s3_object.distributions | resource |
| aws_s3_object.index-html | resource |
| random_password.passphrase | resource |
| aws_iam_policy_document.bucket-access | data source |
| aws_iam_policy_document.bucket-admin | data source |
| aws_iam_policy_document.bucket-cloudfront-access | data source |

Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| bucket_admin_roles | List of AWS IAM role ARNs that have permission to upload to the bucket. | list(string) | [] | no |
| bucket_force_destroy | If true, the repository bucket will be destroyed even if it contains files. | bool | false | no |
| bucket_name | S3 bucket name for the repository. | string | n/a | yes |
| domain_name | Domain name where the repository will be available. | string | n/a | yes |
| gpg_public_key | Content of the GPG public key that matches the repository signing key. Note: the private key is not passed here; upload it separately, either manually or with 'ih-s3-reprepro ... set-secret-value packager-key-focal ~/packager-key-focal'. | any | n/a | yes |
| gpg_sign_with | Email of the packager user, i.e. the user ID of the signing key. | any | n/a | yes |
| http_auth_password | Password for HTTP basic authentication. | string | null | no |
| http_auth_user | Username for HTTP basic authentication. If not specified, authentication isn't enabled. | string | null | no |
| index_body | Content of the body tag in index.html. | string | "Stay tuned!" | no |
| index_title | Content of the title tag in index.html. | string | "Debian packages repository" | no |
| repository_codename | Repository codename. Can be focal, jammy, etc. | string | n/a | yes |
| signing_key_readers | List of role ARNs that have permission to read the GPG signing key and passphrase secrets. | list(string) | null | no |
| signing_key_writers | List of role ARNs that have permission to write the GPG signing key and passphrase secrets. | list(string) | null | no |
| zone_id | Route53 zone id where the parent domain of var.domain_name is hosted. If var.domain_name is repo.foo.com, then the value should be the zone_id of foo.com. | string | n/a | yes |

Outputs

| Name | Description |
|---|---|
| packager_key_passphrase_secret_arn | ARN of the secret that stores the GPG private key passphrase. |
| packager_key_passphrase_secret_id | Identifier of the secret that stores the GPG private key passphrase. |
| packager_key_secret_arn | ARN of the secret that stores the GPG private key. |
| packager_key_secret_id | Identifier of the secret that stores the GPG private key. |
| release_bucket | Name of the bucket that hosts the repository files. |
| release_bucket_arn | ARN of the bucket that hosts the repository files. |
| repo_url | Repository URL. |
