Move gitlab runner configuration to a separate terraform module

terraform/modules/spack/main.tf

@@ -36,3 +36,9 @@ data "aws_region" "current" {}
 
 # Data source that allows us to dynamically determine id of the current "canonical user"
 data "aws_canonical_user_id" "current" {}
+
+data "aws_caller_identity" "current" {}
+
+data "gitlab_project" "spack" {
+  path_with_namespace = "spack/spack"
+}

terraform/modules/spack/gitlab_runner_iam.tf → terraform/modules/spack/modules/gitlab_runner_configuration/main.tf

@@ -1,3 +1,16 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4.0"
+    }
+    gitlab = {
+      source  = "gitlabhq/gitlab"
+      version = "16.3.0"
+    }
+  }
+}
+
 locals {
   gitlab_domain = "gitlab${var.deployment_name == "prod" ? "" : ".staging"}.spack.io"
 
@@ -26,6 +39,7 @@ data "gitlab_project" "spack" {
   path_with_namespace = "spack/spack"
 }
 
+
 data "tls_certificate" "gitlab" {
   url = "https://${local.gitlab_domain}"
 }
@@ -78,7 +92,7 @@ data "aws_iam_policy_document" "gitlab_runner" {
     actions = ["s3:PutObject", "s3:DeleteObject"]
 
     resources = [
-      each.key == "protected_binary_mirror" ? "${module.protected_binary_mirror.bucket_arn}/*" : "${module.pr_binary_mirror.bucket_arn}/*",
+      each.key == "protected_binary_mirror" ? "${var.protected_binary_bucket_arn}/*" : "${var.pr_binary_bucket_arn}/*",
     ]
   }
 }
@@ -110,7 +124,7 @@ resource "gitlab_project_variable" "binary_mirror_role_arn" {
 resource "gitlab_project_variable" "pr_binary_mirror_bucket_arn" {
   project = data.gitlab_project.spack.id
   key     = "PR_BINARY_MIRROR_BUCKET_ARN"
-  value   = module.pr_binary_mirror.bucket_arn
+  value   = var.pr_binary_bucket_arn
 }
 
 # attachments for the pre-existing hardcoded policies in production

terraform/modules/spack/modules/gitlab_runner_configuration/variables.tf

@@ -0,0 +1,14 @@
+variable "deployment_name" {
+  description = "The name of the deployment. This will be used as a prefix for all resources."
+  type        = string
+}
+
+variable "protected_binary_bucket_arn" {
+  description = "The ARN of the S3 bucket that contains protected binaries."
+  type        = string
+}
+
+variable "pr_binary_bucket_arn" {
+  description = "The ARN of the S3 bucket that contains PR binaries."
+  type        = string
+}

terraform/modules/spack/outputs.tf

@@ -21,3 +21,11 @@ output "oidc_provider" {
 output "oidc_provider_arn" {
   value = module.eks.oidc_provider_arn
 }
+
+output "protected_binary_bucket_arn" {
+  value = module.protected_binary_mirror.bucket_arn
+}
+
+output "pr_binary_bucket_arn" {
+  value = module.pr_binary_mirror.bucket_arn
+}

terraform/production/main.tf

@@ -159,3 +159,12 @@ module "production_cluster" {
 
   ses_email_domain = "spack.io"
 }
+
+module "gitlab_runner_configuration" {
+  source = "../modules/spack/modules/gitlab_runner_configuration"
+
+  deployment_name = "prod"
+
+  protected_binary_bucket_arn = module.production_cluster.protected_binary_bucket_arn
+  pr_binary_bucket_arn        = module.production_cluster.pr_binary_bucket_arn
+}

terraform/staging/main.tf

@@ -158,3 +158,12 @@ module "staging_cluster" {
 
   ses_email_domain = "staging.spack.io"
 }
+
+module "gitlab_runner_configuration" {
+  source = "../modules/spack/modules/gitlab_runner_configuration"
+
+  deployment_name = "staging"
+
+  protected_binary_bucket_arn = module.staging_cluster.protected_binary_bucket_arn
+  pr_binary_bucket_arn        = module.staging_cluster.pr_binary_bucket_arn
+}