terraform-aws-debian-repo

Module that creates a Debian repository backed by S3 and fronted by CloudFront.

Usage example

Step 1. GPG keypair

Create a certificate (if you don't already have it) for signing the repository.

# gpg --full-gen-key

gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
  (14) Existing key from card
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at Wed Jul 23 17:18:31 2025 PDT
Is this correct? (y/N) Y

GnuPG needs to construct a user ID to identify your key.

Real name: InfraHouse Packager
Email address: packager-jammy@infrahouse.com
Comment: key for signing Ubuntu jammy repository
You selected this USER-ID:
    "InfraHouse Packager (key for signing Ubuntu jammy repository) <packager-jammy@infrahouse.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

Save a passphrase if you provided one. Or don't provide it at all. We will change it later anyway.

Export a public key, save it in a file.

# gpg --armor --export packager-jammy@infrahouse.com \
    > ./files/DEB-GPG-KEY-infrahouse-jammy

Step 2. AWS resources

Create a 'regular' aws provider.

provider "aws" {
  region = "us-west-1"
}

ACM requires a certificate to be created in us-east-1. So, we need a provider in us-east-1.

provider "aws" {
  region = "us-east-1"
  alias = "aws-us-east-1"
}

Now, let's create a Debian repo for Ubuntu jammy. It will have address https://release.infrahouse.com

module "release_infrahouse_com" {
  providers = {
    aws     = aws
    aws.ue1 = aws.aws-us-east-1
  }
  source               = "registry.infrahouse.com/infrahouse/terraform-aws-debian-repo"
  version              = "~> 2.2"
  bucket_name          = "infrahouse-release"
  repository_codename  = "jammy"
  domain_name          = "release.infrahouse.com"
  gpg_public_key       = file("./files/DEB-GPG-KEY-infrahouse-jammy")
  gpg_sign_with        = "packager-jammy@infrahouse.com"
  index_title          = "InfraHouse Releases Repository"
  index_body           = "Stay tuned!"
  zone_id              = data.aws_route53_zone.infrahouse_com.id
}

NOTE 1: The module creates a secret for the GPG key, but the secret doesn't have a value. Think about the secret as a storage for the GPG key. You'll have to upload its content as a secret string in the next step.

NOTE 2: The module however generates a new passphrase and stores it in a secret. You'll have to fetch it and change it in the private GPG key.

Step 3. Upload GPG private key

To make the step easier install infrahouse-toolkit.

# pip install infrahouse-toolkit~=2.25

Get the generated passphrase.

# ih-secrets --aws-region us-west-1 get packager-passphrase-jammy

Update the passphrase in the GPG private key.

# gpg --edit-key packager-jammy@infrahouse.com

gpg> passwd
gpg> save

Export the private GPG key to a file.

# gpg --armor --export-secret-key packager-jammy@infrahouse.com \
    > gpg-private-key

Upload the private GPG key

# ih-secrets --aws-region us-west-1 set packager-key-noble gpg-private-key

Step 4. Check the repository

# ih-s3-reprepro --bucket infrahouse-release-jammy check
Checking jammy...

# echo $?
0

If the output looks similar and an exit code is zero - all looks good!

Authentication

The module supports HTTP basic authentication. By default, it's disabled. To enable it, add http_auth_user and http_auth_password variables.

module "release_infrahouse_com" {
  providers = {
    aws     = aws
    aws.ue1 = aws.aws-us-east-1
  }
...

  http_auth_user      = var.http_user
  http_auth_password  = var.http_password
}

Requirements

Name	Version
terraform	~> 1.5
aws	>= 4.67
random	~> 3.5

Providers

Name	Version
aws	>= 4.67
aws.ue1	>= 4.67
random	~> 3.5

Modules

Name	Source	Version
key	registry.infrahouse.com/infrahouse/secret/aws	0.5.0
passphrase	registry.infrahouse.com/infrahouse/secret/aws	0.5.0

Resources

Name	Type
aws_acm_certificate.repo	resource
aws_acm_certificate_validation.repo	resource
aws_cloudfront_cache_policy.default	resource
aws_cloudfront_distribution.repo	resource
aws_cloudfront_function.http_auth	resource
aws_cloudfront_origin_access_control.repo-storage	resource
aws_route53_record.cert_validation	resource
aws_route53_record.repo	resource
aws_s3_bucket.repo	resource
aws_s3_bucket.repo-logs	resource
aws_s3_bucket_acl.repo	resource
aws_s3_bucket_acl.repo-logs	resource
aws_s3_bucket_logging.server-logs	resource
aws_s3_bucket_ownership_controls.repo	resource
aws_s3_bucket_ownership_controls.repo-logs	resource
aws_s3_bucket_policy.bucket-access	resource
aws_s3_bucket_public_access_block.repo	resource
aws_s3_object.deb-gpg-public-key	resource
aws_s3_object.distributions	resource
aws_s3_object.index-html	resource
random_password.passphrase	resource
aws_iam_policy_document.bucket-access	data source
aws_iam_policy_document.bucket-admin	data source
aws_iam_policy_document.bucket-cloudfront-access	data source

Inputs

Name	Description	Type	Default	Required
bucket_admin_roles	List of AWS IAM role ARN that has permissions to upload to the bucket	`list(string)`	`[]`	no
bucket_force_destroy	If true, the repository bucket will be destroyed even if it contains files.	`bool`	`false`	no
bucket_name	S3 bucket name for the repository.	`string`	n/a	yes
domain_name	Domain name where the repository will be available.	`string`	n/a	yes
gpg_public_key	Content of the GPG public key used for signing the repository. Note, you'll have to upload the key manually or with 'ih-s3-reprepro ... set-secret-value packager-key-focal ~/packager-key-focal'	`any`	n/a	yes
gpg_sign_with	Email of a packager user.	`any`	n/a	yes
http_auth_password	Password for HTTP basic authentication.	`string`	`null`	no
http_auth_user	Username for HTTP basic authentication. If not specified, the authentication isn't enabled.	`string`	`null`	no
index_body	Content of a body tag in index.html.	`string`	`"Stay tuned!"`	no
index_title	Content of a title tag in index.html.	`string`	`"Debian packages repository"`	no
repository_codename	Repository codename. Can be focal, jammy, etc.	`string`	n/a	yes
signing_key_readers	List of role ARNs that have permission to read GPG signing key and passphrase.	`list(string)`	`null`	no
signing_key_writers	List of role ARNs that have permission to write to GPG signing key and passphrase secrets.	`list(string)`	`null`	no
zone_id	Route53 zone id where the parent domain of var.domain_name is hosted. If var.domain_name is repo.foo.com, then the value should be zone_id of foo.com.	`string`	n/a	yes

Outputs

Name	Description
packager_key_passphrase_secret_arn	ARN of a secret that will store a GPG private key passphrase.
packager_key_passphrase_secret_id	Identifier of a secret that will store a GPG private key passphrase.
packager_key_secret_arn	ARN of a secret that will store a GPG private key.
packager_key_secret_id	Identifier of a secret that will store a GPG private key.
release_bucket	Bucket name that hosts repository files.
release_bucket_arn	Bucket ARN that hosts repository files.
repo_url	Repository URL.

infrahouse / terraform-aws-debian-repo