Complete and simplify the module (#6)

## Description

Implemented Terraform module to plan, create and destroy roles and
policies required for automated S3 upload.

## Type of changes

- [x] Refactoring (non-breaking change)
- [ ] New feature (non-breaking change which adds functionality)
- [x] Breaking change (fix or feature that would change existing
functionality)
- [ ] Bug fix (non-breaking change which fixes an issue)

## Checklist

- [x] I am familiar with the [contributing
guidelines](../docs/CONTRIBUTING.md)
- [x] I have followed the code style of the project
- [x] I have added tests to cover my changes
- [x] I have updated the documentation accordingly
- [x] This PR is a result of pair or mob programming

---

## Sensitive Information Declaration

To ensure the utmost confidentiality and protect your and others
privacy, we kindly ask you to NOT including [PII (Personal Identifiable
Information) / PID (Personal Identifiable
Data)](https://digital.nhs.uk/data-and-information/keeping-data-safe-and-benefitting-the-public)
or any other sensitive data in this PR (Pull Request) and the codebase
changes. We will remove any PR that do contain any sensitive
information. We really appreciate your cooperation in this matter.

- [x] I confirm that neither PII/PID nor sensitive data are included in
this PR and the codebase changes.

---------

Co-authored-by: Nick Sparks <[email protected]>

.github/workflows/check-terraform-format.yaml

@@ -0,0 +1,13 @@
+name: Check Terraform Format
+
+on:
+  workflow_call:
+
+jobs:
+  check-terraform-format:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - run: |
+          export CHECK_ONLY=true
+          ./scripts/githooks/terraform-pre-commit.sh

.github/workflows/cicd-pipeline.yaml

@@ -14,19 +14,26 @@ jobs:
       build_datetime: ${{ steps.metadata.outputs.build_datetime }}
       build_timestamp: ${{ steps.metadata.outputs.build_timestamp }}
       build_epoch: ${{ steps.metadata.outputs.build_epoch }}
+      nodejs_version: ${{ steps.metadata.outputs.nodejs_version }}
+      terraform_version: ${{ steps.metadata.outputs.terraform_version }}
     steps:
+      - uses: actions/checkout@v3
       - id: metadata
         run: |
           datetime=$(date -u +'%Y-%m-%dT%H:%M:%S%z')
           echo "build_datetime=$datetime" >> $GITHUB_OUTPUT
           echo "build_timestamp=$(date --date=$datetime -u +'%Y%m%d%H%M%S')" >> $GITHUB_OUTPUT
           echo "build_epoch=$(date --date=$datetime -u +'%s')" >> $GITHUB_OUTPUT
+          echo "nodejs_version=$(grep nodejs .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
+          echo "terraform_version=$(grep terraform .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
   scan-secrets:
     uses: ./.github/workflows/scan-secrets.yaml
   check-file-format:
     uses: ./.github/workflows/check-file-format.yaml
   check-markdown-format:
     uses: ./.github/workflows/check-markdown-format.yaml
+  check-terraform-format:
+    uses: ./.github/workflows/check-terraform-format.yaml
   cloc-repository:
     uses: ./.github/workflows/cloc-repository.yaml
   cicd-pipeline-test:
@@ -37,6 +44,7 @@ jobs:
         scan-secrets,
         check-file-format,
         check-markdown-format,
+        check-terraform-format,
         cloc-repository,
       ]
     timeout-minutes: 10
@@ -48,9 +56,11 @@ jobs:
           export BUILD_TIMESTAMP="${{ needs.get-metadata.outputs.build_timestamp }}"
           export BUILD_EPOCH="${{ needs.get-metadata.outputs.build_epoch }}"
           make list-variables
-      # - name: Run Tests ...
-      #   run: |
-      #     ?
+      - name: Authenticate with AWS over OIDC
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{ secrets.ASSUME_ROLE_ARN }}
+          aws-region: ${{ secrets.AWS_REGION }}
   cicd-pipeline-build:
     permissions:
       id-token: write
@@ -69,14 +79,15 @@ jobs:
       - name: Setup Node
         uses: actions/setup-node@v3
         with:
-          node-version: "16"
+          node-version: "${{ needs.get-metadata.outputs.nodejs_version }}"
           cache: yarn
-          cache-dependency-path: "./examples/react-app/react-app-s3"
-      - name: Authenticate with AWS over OIDC
-        uses: aws-actions/configure-aws-credentials@v2
-        with:
-          role-to-assume: ${{ secrets.ASSUME_ROLE_ARN }}
-          role-session-name: react-app-s3-role
-          aws-region: eu-west-2
-      - name: Copy files to the s3 website content bucket
-        run: cd examples/react-app/react-app-s3 && yarn install && yarn build && aws s3 sync dist s3://${{ secrets.AWS_S3_BUCKET_NAME }}
+      # - name: Authenticate with AWS over OIDC
+      #   uses: aws-actions/configure-aws-credentials@v2
+      #   with:
+      #     role-to-assume: ${{ secrets.ASSUME_ROLE_ARN }}
+      #     role-session-name: react-app-s3-role
+      #     aws-region: ${{ secrets.AWS_REGION }}
+      - name: Copy files to the AWS S3 website content bucket
+        run: |
+          make example-build
+          #make example-upload AWS_S3_BUCKET_NAME=${{ secrets.AWS_S3_BUCKET_NAME }}

.gitignore

@@ -37,136 +37,3 @@ override.tf.json
 # Ignore CLI configuration files
 .terraformrc
 terraform.rc
-
-# SEE: https://github.com/github/gitignore/blob/main/Node.gitignore
-
-# Logs
-logs
-*.log
-npm-debug.log*
-yarn-debug.log*
-yarn-error.log*
-lerna-debug.log*
-.pnpm-debug.log*
-
-# Diagnostic reports (https://nodejs.org/api/report.html)
-report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json
-
-# Runtime data
-pids
-*.pid
-*.seed
-*.pid.lock
-
-# Directory for instrumented libs generated by jscoverage/JSCover
-lib-cov
-
-# Coverage directory used by tools like istanbul
-coverage
-*.lcov
-
-# nyc test coverage
-.nyc_output
-
-# Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files)
-.grunt
-
-# Bower dependency directory (https://bower.io/)
-bower_components
-
-# node-waf configuration
-.lock-wscript
-
-# Compiled binary addons (https://nodejs.org/api/addons.html)
-build/Release
-
-# Dependency directories
-node_modules/
-jspm_packages/
-
-# Snowpack dependency directory (https://snowpack.dev/)
-web_modules/
-
-# TypeScript cache
-*.tsbuildinfo
-
-# Optional npm cache directory
-.npm
-
-# Optional eslint cache
-.eslintcache
-
-# Optional stylelint cache
-.stylelintcache
-
-# Microbundle cache
-.rpt2_cache/
-.rts2_cache_cjs/
-.rts2_cache_es/
-.rts2_cache_umd/
-
-# Optional REPL history
-.node_repl_history
-
-# Output of 'npm pack'
-*.tgz
-
-# Yarn Integrity file
-.yarn-integrity
-
-# dotenv environment variable files
-.env
-.env.development.local
-.env.test.local
-.env.production.local
-.env.local
-
-# parcel-bundler cache (https://parceljs.org/)
-.cache
-.parcel-cache
-
-# Next.js build output
-.next
-out
-
-# Nuxt.js build / generate output
-.nuxt
-dist
-
-# Gatsby files
-.cache/
-# Comment in the public line in if your project uses Gatsby and not Next.js
-# https://nextjs.org/blog/next-9-1#public-directory-support
-# public
-
-# vuepress build output
-.vuepress/dist
-
-# vuepress v2.x temp and cache directory
-.temp
-.cache
-
-# Docusaurus cache and generated files
-.docusaurus
-
-# Serverless directories
-.serverless/
-
-# FuseBox cache
-.fusebox/
-
-# DynamoDB Local files
-.dynamodb/
-
-# TernJS port file
-.tern-port
-
-# Stores VSCode versions used for testing VSCode extensions
-.vscode-test
-
-# yarn v2
-.yarn/cache
-.yarn/unplugged
-.yarn/build-state.yml
-.yarn/install-state.gz
-.pnp.*

.tool-versions

@@ -0,0 +1,2 @@
+nodejs 20.3.0
+terraform 1.3.0

Makefile

@@ -1,9 +1,31 @@
-config: githooks-install # Configure development environment
+example-build: # Build example project
+	cd examples/react-app
+	yarn install
+	yarn build
+
+example-upload: # Upload example files - mandatory: AWS_S3_BUCKET_NAME=[AWS S3 bucket name]
+	cd examples/react-app
+	aws s3 sync dist s3://$(AWS_S3_BUCKET_NAME)
+
+config: # Configure development environment
+	make githooks-install
+	make \
+		node-install \
+		terraform-install \
+	||:
 
 githooks-install: # Install git hooks configured in this repository
 	echo "./scripts/githooks/pre-commit" > .git/hooks/pre-commit
 	chmod +x .git/hooks/pre-commit
 
+terraform-install: # Install Terraform
+	asdf plugin add terraform ||:
+	asdf install terraform
+
+node-install: # Install Node.js
+	asdf plugin add nodejs ||:
+	asdf install nodejs
+
 # ==============================================================================
 
 help: # List Makefile targets

README.md

@@ -1,4 +1,4 @@
-# Repository Template
+# Terraform GitHub AWS S3 Upload
 
 This module provides the iam role and policy for a GitHub action to use to upload files to an S3 bucket. This module includes the following:
 
@@ -7,7 +7,7 @@ This module provides the iam role and policy for a GitHub action to use to uploa
 
 ## Table of Contents
 
-- [Repository Template](#repository-template)
+- [Terraform GitHub AWS S3 Upload](#terraform-github-aws-s3-upload)
   - [Table of Contents](#table-of-contents)
   - [Installation](#installation)
     - [Prerequisites](#prerequisites)
@@ -24,18 +24,17 @@ This module provides the iam role and policy for a GitHub action to use to uploa
 This module can be called by including the following:
 
 ```hcl
-module "github_action_s3_upload" {
+module "github_aws_s3_upload" {
   source               = "github.com/nhs-england-tools/terraform-github-action-s3-upload?ref=v0.0.1"
-  project_name         = "my_github_action_s3_upload1"
-  s3_bucket_name       = "my_s3_bucket_to_upload_to"
-  s3_bucket_actions    = ["s3:PutObject"]
-  s3_bucket_resources  = [
-    "arn:aws:s3:::my_s3_bucket_to_upload_to/some_file.js",
-    "arn:aws:s3:::my_s3_bucket_to_upload_to/some_other_file.js"
+  project_name         = "my-github-aws-s3-upload"
+  github_organisation  = "my-github-organisation"
+  github_repository    = "my-github-repository"
+  github_branch        = "my-main-branch"
+  bucket_name          = "my-bucket-to-upload-to"
+  bucket_resources     = [
+    "arn:aws:s3:::my_bucket_to_upload_to/some_file.js",
+    "arn:aws:s3:::my_bucket_to_upload_to/some_other_file.js"
     ]
-  github_organisation  = "my_github_organisation"
-  github_repo          = "my_github_repo"
-  github_branch        = "my_main_branch"
 }
 ```
 

examples/.gitignore

@@ -0,0 +1 @@
+terraform.tfplan

examples/Makefile

@@ -0,0 +1,17 @@
+terraform-init: # Initialize Terraform
+	terraform init
+
+terraform-plan: # Plan Terraform
+	terraform plan -out=terraform.tfplan
+
+terraform-apply: # Apply Terraform
+	terraform apply -auto-approve "terraform.tfplan"
+
+terraform-destroy: # Destroy artefacts created by Terraform
+	terraform destroy -auto-approve
+
+.SILENT: \
+	terraform-apply \
+	terraform-destroy \
+	terraform-init \
+	terraform-plan

examples/locals.tf

@@ -0,0 +1,6 @@
+locals {
+  bucket_name = "your-bucket-name"
+  tags = {
+    environment = "dev"
+  }
+}

examples/main.tf

@@ -0,0 +1,17 @@
+module "github_aws_s3_upload" {
+  source = "../"
+  # The project name must be 40 characters long or less
+  project_name        = "gh-nhset-tf-github-aws-s3-upload-example"
+  github_organisation = "nhs-england-tools"
+  github_repository   = "terraform-github-aws-s3-upload"
+  github_branch       = "*"
+  bucket_name         = local.bucket_name
+  bucket_resources = [
+    "arn:aws:s3:::${local.bucket_name}/index.html",
+    "arn:aws:s3:::${local.bucket_name}/assets/*.js",
+    "arn:aws:s3:::${local.bucket_name}/assets/*.css",
+    "arn:aws:s3:::${local.bucket_name}/assets/*.svg",
+    "arn:aws:s3:::${local.bucket_name}/*.svg",
+  ]
+  tags = local.tags
+}

examples/providers.tf

@@ -0,0 +1,3 @@
+provider "aws" {
+  region = "eu-west-2"
+}