Ajout de l'IAM pour Github backups

infrastructure/iac-gip-inclusion/iam/terraform/README.md

@@ -20,15 +20,20 @@ No modules.
 
 | Name | Type |
 |------|------|
+| [scaleway_iam_api_key.github_backups_api_key](https://registry.terraform.io/providers/scaleway/scaleway/2.55.0/docs/resources/iam_api_key) | resource |
 | [scaleway_iam_api_key.terraform_ci_api_key](https://registry.terraform.io/providers/scaleway/scaleway/2.55.0/docs/resources/iam_api_key) | resource |
+| [scaleway_iam_application.github_backups](https://registry.terraform.io/providers/scaleway/scaleway/2.55.0/docs/resources/iam_application) | resource |
 | [scaleway_iam_application.terraform_ci](https://registry.terraform.io/providers/scaleway/scaleway/2.55.0/docs/resources/iam_application) | resource |
 | [scaleway_iam_group.emplois_cnav](https://registry.terraform.io/providers/scaleway/scaleway/2.55.0/docs/resources/iam_group) | resource |
 | [scaleway_iam_policy.emplois_cnav](https://registry.terraform.io/providers/scaleway/scaleway/2.55.0/docs/resources/iam_policy) | resource |
+| [scaleway_iam_policy.github_backups](https://registry.terraform.io/providers/scaleway/scaleway/2.55.0/docs/resources/iam_policy) | resource |
 | [scaleway_iam_policy.terraform_ci](https://registry.terraform.io/providers/scaleway/scaleway/2.55.0/docs/resources/iam_policy) | resource |
+| [scaleway_secret_version.github_backups_api_key](https://registry.terraform.io/providers/scaleway/scaleway/2.55.0/docs/resources/secret_version) | resource |
 | [scaleway_account_project.default](https://registry.terraform.io/providers/scaleway/scaleway/2.55.0/docs/data-sources/account_project) | data source |
 | [scaleway_account_project.emplois_cnav](https://registry.terraform.io/providers/scaleway/scaleway/2.55.0/docs/data-sources/account_project) | data source |
 | [scaleway_account_project.site_institutionnel_2025](https://registry.terraform.io/providers/scaleway/scaleway/2.55.0/docs/data-sources/account_project) | data source |
 | [scaleway_account_project.terraform](https://registry.terraform.io/providers/scaleway/scaleway/2.55.0/docs/data-sources/account_project) | data source |
+| [scaleway_secret.github_backups_api_key](https://registry.terraform.io/providers/scaleway/scaleway/2.55.0/docs/data-sources/secret) | data source |
 
 ## Inputs
 

infrastructure/iac-gip-inclusion/iam/terraform/data.tf

@@ -13,3 +13,8 @@ data "scaleway_account_project" "emplois_cnav" {
 data "scaleway_account_project" "site_institutionnel_2025" {
   name = "site-institutionnel-2025"
 }
+
+data "scaleway_secret" "github_backups_api_key" {
+  name       = "github-backups-api-key"
+  project_id = data.scaleway_account_project.default.id
+}

infrastructure/iac-gip-inclusion/iam/terraform/main.tf

@@ -85,3 +85,38 @@ resource "scaleway_iam_policy" "emplois_cnav" {
     ]
   }
 }
+
+resource "scaleway_iam_application" "github_backups" {
+  name        = "github-backups"
+  description = var.managed
+}
+
+resource "scaleway_iam_api_key" "github_backups_api_key" {
+  application_id = scaleway_iam_application.github_backups.id
+  description    = var.managed
+}
+
+resource "scaleway_iam_policy" "github_backups" {
+  name           = "github-backups"
+  description    = var.managed
+  application_id = scaleway_iam_application.github_backups.id
+  rule {
+    project_ids = [data.scaleway_account_project.default.project_id]
+    permission_set_names = [
+      "ObjectStorageBucketsRead",
+      "ObjectStorageObjectsRead",
+      "ObjectStorageObjectsWrite",
+    ]
+  }
+}
+
+resource "scaleway_secret_version" "github_backups_api_key" {
+  description = var.managed
+  secret_id   = data.scaleway_secret.github_backups_api_key.id
+  data = jsonencode(
+    {
+      access_key = scaleway_iam_api_key.github_backups_api_key.access_key
+      secret_key = scaleway_iam_api_key.github_backups_api_key.secret_key
+    }
+  )
+}

infrastructure/iac-gip-inclusion/secret-manager/terraform/README.md

@@ -0,0 +1,41 @@
+# Secrets gérés par Terraform pour le GIP Plateforme de l'inclusion
+
+Les secrets relatifs à un projet spécifique n'ont pas leur place ici !
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.10 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_scaleway"></a> [scaleway](#provider\_scaleway) | 2.60.5 |
+| <a name="provider_scaleway.tmp"></a> [scaleway.tmp](#provider\_scaleway.tmp) | 2.60.5 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [scaleway_secret.github_backups_api_key](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/secret) | resource |
+| [scaleway_account_project.default](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/data-sources/account_project) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_managed"></a> [managed](#input\_managed) | Indicates the resource is managed by Terraform | `string` | `"Managed by Terraform"` | no |
+| <a name="input_scw_region"></a> [scw\_region](#input\_scw\_region) | Scaleway region for resources | `string` | n/a | yes |
+| <a name="input_scw_zone"></a> [scw\_zone](#input\_scw\_zone) | Scaleway zone for resources | `string` | n/a | yes |
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->

infrastructure/iac-gip-inclusion/secret-manager/terraform/backend.tf

@@ -0,0 +1,14 @@
+terraform {
+  backend "s3" {
+    bucket                      = "gip-inclusion-state"
+    key                         = "iac-gip-inclusion/secret-manager/terraform/terraform.tfstate"
+    region                      = "fr-par"
+    skip_credentials_validation = true
+    skip_metadata_api_check     = true
+    skip_region_validation      = true
+    skip_requesting_account_id  = true
+    endpoints = {
+      s3 = "https://s3.fr-par.scw.cloud"
+    }
+  }
+}

infrastructure/iac-gip-inclusion/secret-manager/terraform/data.tf

@@ -0,0 +1,4 @@
+data "scaleway_account_project" "default" {
+  name     = "default"
+  provider = scaleway.tmp
+}

infrastructure/iac-gip-inclusion/secret-manager/terraform/main.tf

@@ -0,0 +1,15 @@
+terraform {
+  required_providers {
+    scaleway = {
+      source = "scaleway/scaleway"
+    }
+  }
+  required_version = ">= 1.10"
+}
+
+resource "scaleway_secret" "github_backups_api_key" {
+  name        = "github-backups-api-key"
+  protected   = true
+  description = var.managed
+  type        = "key_value"
+}

infrastructure/iac-gip-inclusion/secret-manager/terraform/providers.tf

@@ -0,0 +1,9 @@
+provider "scaleway" {
+  alias = "tmp"
+}
+
+provider "scaleway" {
+  region     = var.scw_region
+  zone       = var.scw_zone
+  project_id = data.scaleway_account_project.default.id
+}

infrastructure/iac-gip-inclusion/secret-manager/terraform/terraform.tfvars

@@ -0,0 +1,2 @@
+scw_region = "fr-par"
+scw_zone   = "fr-par-1"

infrastructure/iac-gip-inclusion/secret-manager/terraform/variables.tf

@@ -0,0 +1,15 @@
+variable "scw_region" {
+  type        = string
+  description = "Scaleway region for resources"
+}
+
+variable "scw_zone" {
+  type        = string
+  description = "Scaleway zone for resources"
+}
+
+variable "managed" {
+  type        = string
+  description = "Indicates the resource is managed by Terraform"
+  default     = "Managed by Terraform"
+}