Module that creates a Debian repository backed by S3 and fronted by CloudFront.
Create a certificate (if you don't already have it) for signing the repository.
# gpg --full-gen-key
gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(14) Existing key from card
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at Wed Jul 23 17:18:31 2025 PDT
Is this correct? (y/N) Y
GnuPG needs to construct a user ID to identify your key.
Real name: InfraHouse Packager
Email address: [email protected]
Comment: key for signing Ubuntu jammy repository
You selected this USER-ID:
"InfraHouse Packager (key for signing Ubuntu jammy repository) <[email protected]>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
Save a passphrase if you provided one. Or don't provide it at all. We will change it later anyway.
Export a public key, save it in a file.
# gpg --armor --export [email protected] \
> ./files/DEB-GPG-KEY-infrahouse-jammy
Create a 'regular' aws provider.
provider "aws" {
region = "us-west-1"
}
ACM requires a certificate to be created in us-east-1
.
So, we need a provider in us-east-1
.
provider "aws" {
region = "us-east-1"
alias = "aws-us-east-1"
}
Now, let's create a Debian repo for Ubuntu jammy. It will have address https://release.infrahouse.com
module "release_infrahouse_com" {
providers = {
aws = aws
aws.ue1 = aws.aws-us-east-1
}
source = "registry.infrahouse.com/infrahouse/terraform-aws-debian-repo"
version = "~> 2.2"
bucket_name = "infrahouse-release"
repository_codename = "jammy"
domain_name = "release.infrahouse.com"
gpg_public_key = file("./files/DEB-GPG-KEY-infrahouse-jammy")
gpg_sign_with = "[email protected]"
index_title = "InfraHouse Releases Repository"
index_body = "Stay tuned!"
zone_id = data.aws_route53_zone.infrahouse_com.id
}
NOTE 1: The module creates a secret for the GPG key, but the secret doesn't have a value. Think about the secret as a storage for the GPG key. You'll have to upload its content as a secret string in the next step.
NOTE 2: The module however generates a new passphrase and stores it in a secret. You'll have to fetch it and change it in the private GPG key.
To make the step easier install infrahouse-toolkit.
# pip install infrahouse-toolkit~=2.25
Get the generated passphrase.
# ih-secrets --aws-region us-west-1 get packager-passphrase-jammy
Update the passphrase in the GPG private key.
# gpg --edit-key [email protected]
gpg> passwd
gpg> save
Export the private GPG key to a file.
# gpg --armor --export-secret-key [email protected] \
> gpg-private-key
Upload the private GPG key
# ih-secrets --aws-region us-west-1 set packager-key-noble gpg-private-key
# ih-s3-reprepro --bucket infrahouse-release-jammy check
Checking jammy...
# echo $?
0
If the output looks similar and an exit code is zero - all looks good!
The module supports HTTP basic authentication. By default, it's disabled. To enable it,
add http_auth_user
and http_auth_password
variables.
module "release_infrahouse_com" {
providers = {
aws = aws
aws.ue1 = aws.aws-us-east-1
}
...
http_auth_user = var.http_user
http_auth_password = var.http_password
}
Name | Version |
---|---|
terraform | ~> 1.5 |
aws | >= 4.67 |
random | ~> 3.5 |
Name | Version |
---|---|
aws | >= 4.67 |
aws.ue1 | >= 4.67 |
random | ~> 3.5 |
Name | Source | Version |
---|---|---|
key | registry.infrahouse.com/infrahouse/secret/aws | 0.5.0 |
passphrase | registry.infrahouse.com/infrahouse/secret/aws | 0.5.0 |
Name | Description | Type | Default | Required |
---|---|---|---|---|
bucket_admin_roles | List of AWS IAM role ARN that has permissions to upload to the bucket | list(string) |
[] |
no |
bucket_force_destroy | If true, the repository bucket will be destroyed even if it contains files. | bool |
false |
no |
bucket_name | S3 bucket name for the repository. | string |
n/a | yes |
domain_name | Domain name where the repository will be available. | string |
n/a | yes |
gpg_public_key | Content of the GPG public key used for signing the repository. Note, you'll have to upload the key manually or with 'ih-s3-reprepro ... set-secret-value packager-key-focal ~/packager-key-focal' | any |
n/a | yes |
gpg_sign_with | Email of a packager user. | any |
n/a | yes |
http_auth_password | Password for HTTP basic authentication. | string |
null |
no |
http_auth_user | Username for HTTP basic authentication. If not specified, the authentication isn't enabled. | string |
null |
no |
index_body | Content of a body tag in index.html. | string |
"Stay tuned!" |
no |
index_title | Content of a title tag in index.html. | string |
"Debian packages repository" |
no |
repository_codename | Repository codename. Can be focal, jammy, etc. | string |
n/a | yes |
signing_key_readers | List of role ARNs that have permission to read GPG signing key and passphrase. | list(string) |
null |
no |
signing_key_writers | List of role ARNs that have permission to write to GPG signing key and passphrase secrets. | list(string) |
null |
no |
zone_id | Route53 zone id where the parent domain of var.domain_name is hosted. If var.domain_name is repo.foo.com, then the value should be zone_id of foo.com. | string |
n/a | yes |
Name | Description |
---|---|
packager_key_passphrase_secret_arn | ARN of a secret that will store a GPG private key passphrase. |
packager_key_passphrase_secret_id | Identifier of a secret that will store a GPG private key passphrase. |
packager_key_secret_arn | ARN of a secret that will store a GPG private key. |
packager_key_secret_id | Identifier of a secret that will store a GPG private key. |
release_bucket | Bucket name that hosts repository files. |
release_bucket_arn | Bucket ARN that hosts repository files. |
repo_url | Repository URL. |