Module that creates a Debian repository backed by S3 and fronted by CloudFront.
Create a certificate (if you don't already have it) for signing the repository.
# gpg --full-gen-key
gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(14) Existing key from card
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at Wed Jul 23 17:18:31 2025 PDT
Is this correct? (y/N) Y
GnuPG needs to construct a user ID to identify your key.
Real name: InfraHouse Packager
Email address: packager-jammy@infrahouse.com
Comment: key for signing Ubuntu jammy repository
You selected this USER-ID:
"InfraHouse Packager (key for signing Ubuntu jammy repository) <packager-jammy@infrahouse.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? OSave a passphrase if you provided one. Or don't provide it at all. We will chnage it later anyway.
Export a public key, save it in a file.
# gpg --armor --export packager-jammy@infrahouse.com \
> ./files/DEB-GPG-KEY-infrahouse-jammyCreate a 'regular' aws provider.
provider "aws" {
region = "us-west-1"
}ACM requires a certificate to be created in us-east-1.
So, we need a provider in us-east-1.
provider "aws" {
region = "us-east-1"
alias = "aws-us-east-1"
}Now, let's create a Debian repo for Ubuntu jammy. It will have address https://release.infrahouse.com
module "release_infrahouse_com" {
providers = {
aws = aws
aws.ue1 = aws.aws-us-east-1
}
source = "infrahouse/terraform-aws-debian-repo"
bucket_name = "infrahouse-release"
repository_codename = "jammy"
domain_name = "release.infrahouse.com"
gpg_public_key = file("./files/DEB-GPG-KEY-infrahouse-jammy")
gpg_sign_with = "packager-jammy@infrahouse.com"
index_title = "InfraHouse Releases Repository"
index_body = "Stay tuned!"
zone_id = data.aws_route53_zone.infrahouse_com.id
}NOTE 1: The module creates a secret for the GPG key, but the secret doesn't have a value. Think about the secret as a storage for the GPG key. You'll have to upload its content as a secret string in the next step.
NOTE 2: The module however generates a new passphrase and stores it in a secret. You'll have to fetch it and change it in the private GPG key.
To make the step easier install infrahouse-toolkit.
# pip install infrahouse-toolkit~=1.7Get the generated passphrase.
# ih-s3-reprepro --aws-region us-west-1 \
--bucket infrahouse-release \
get-secret-value packager-passphrase-jammyUpdate the passphrase in the GPG private key.
# gpg --edit-key packager-jammy@infrahouse.com
gpg> passwd
gpg> saveExport the private GPG key to a file.
# gpg --armor --export-secret-key packager-jammy@infrahouse.com \
> gpg-private-keyUpload the private GPG key
# ih-s3-reprepro --aws-region us-west-1 \
--bucket infrahouse-release \
secret-value packager-key-jammy gpg-private-key# ih-s3-reprepro --bucket infrahouse-release-jammy check
Checking jammy...
# echo $?
0If the output looks similar and an exit code is zero - all looks good!
The module supports HTTP basic authentication. By default, it's disabled. To enable it,
add http_auth_user and http_auth_password variables.
module "release_infrahouse_com" {
providers = {
aws = aws
aws.ue1 = aws.aws-us-east-1
}
...
http_auth_user = var.http_user
http_auth_password = var.http_password
}| Name | Version |
|---|---|
| terraform | ~> 1.5 |
| aws | >= 4.67 |
| random | ~> 3.5 |
| Name | Version |
|---|---|
| aws | >= 4.67 |
| aws.ue1 | >= 4.67 |
| random | ~> 3.5 |
No modules.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| bucket_admin_roles | List of AWS IAM role ARN that has permissions to upload to the bucket | list(string) |
[] |
no |
| bucket_force_destroy | If true, the repository bucket will be destroyed even if it contains files. | bool |
false |
no |
| bucket_name | S3 bucket name for the repository. | string |
n/a | yes |
| domain_name | Domain name where the repository will be available. | string |
n/a | yes |
| gpg_public_key | Content of the GPG public key used for signing the repository. Note, you'll have to upload the key manually or with 'ih-s3-reprepro ... set-secret-value packager-key-focal ~/packager-key-focal' | any |
n/a | yes |
| gpg_sign_with | Email of a packager user. | any |
n/a | yes |
| http_auth_password | Password for HTTP basic authentication. | string |
null |
no |
| http_auth_user | Username for HTTP basic authentication. If not specified, the authentication isn't enabled. | string |
null |
no |
| index_body | Content of a body tag in index.html. | string |
"Stay tuned!" |
no |
| index_title | Content of a title tag in index.html. | string |
"Debian packages repository" |
no |
| repository_codename | Repository codename. Can be focal, jammy, etc. | string |
n/a | yes |
| zone_id | Route53 zone id where the parent domain of var.domain_name is hosted. If var.domain_name is repo.foo.com, then the value should be zone_id of foo.com. | string |
n/a | yes |
| Name | Description |
|---|---|
| packager_key_passphrase_secret_arn | ARN of a secret that will store a GPG private key passphrase. |
| packager_key_passphrase_secret_id | Identifier of a secret that will store a GPG private key passphrase. |
| packager_key_secret_arn | ARN of a secret that will store a GPG private key. |
| packager_key_secret_id | Identifier of a secret that will store a GPG private key. |
| release_bucket | Bucket name that hosts repository files. |
| release_bucket_arn | Bucket ARN that hosts repository files. |
| repo_url | Repository URL. |