From 040f73ad05e98c075f570a1be57f8b86f3ada8fe Mon Sep 17 00:00:00 2001
From: Jonas Chevalier <zimbatm@zimbatm.com>
Date: Tue, 24 Jan 2023 22:32:15 +0100
Subject: [PATCH] terraform: invite admins to cloudflare (#408)

---
 terraform/cloudflare.tf      | 20 ++++++++++++++++++++
 terraform/locals.tf          | 10 ++++++++++
 terraform/secrets.yaml       |  6 +++---
 terraform/terraform_cloud.tf |  9 +--------
 4 files changed, 34 insertions(+), 11 deletions(-)
 create mode 100644 terraform/cloudflare.tf
 create mode 100644 terraform/locals.tf

diff --git a/terraform/cloudflare.tf b/terraform/cloudflare.tf
new file mode 100644
index 0000000..f503f0a
--- /dev/null
+++ b/terraform/cloudflare.tf
@@ -0,0 +1,20 @@
+locals {
+  cf_account_id = "e4a2db52c495db230973c839a0699ae1"
+  cf_roles_by_name = {
+    for role in data.cloudflare_account_roles.account_roles.roles :
+    role.name => role
+  }
+  cf_admins = local.admins
+}
+
+data "cloudflare_account_roles" "account_roles" {
+  account_id = local.cf_account_id
+}
+
+resource "cloudflare_account_member" "member" {
+  for_each      = local.cf_admins
+  email_address = each.value
+  role_ids = [
+    local.cf_roles_by_name["Administrator"].id
+  ]
+}
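Review bot: The `role_ids` entry `local.cf_roles_by_name["Administrator"].id` gives every entry of local.admins the account-wide Administrator role, and nothing in the file records that this is deliberate rather than the narrowest role that fits each person; a short comment above `role_ids` would make the choice reviewable, e.g. `# Intentionally the full Administrator role: these are the org admins. Use a narrower role for anyone who only needs one product.` Since cf_admins aliases local.admins, which terraform_cloud.tf also consumes, adding a name there now invites that person to both Cloudflare and Terraform Cloud in one change; that coupling is worth stating next to `cf_admins = local.admins`. If the role named "Administrator" is ever absent from the data source the map lookup fails at plan time, which is the safe outcome but not obvious from the code.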
diff --git a/terraform/locals.tf b/terraform/locals.tf
new file mode 100644
index 0000000..4269548
--- /dev/null
+++ b/terraform/locals.tf
@@ -0,0 +1,10 @@
+locals {
+  # The set of admins
+  admins = {
+    adisbladis = "adisbladis@gmail.com"
+    mic92      = "joerg@thalheim.io"
+    ryantm     = "ryan@ryantm.com"
+    zimbatm    = "zimbatm@zimbatm.com"
+    zowoq      = "zowoq.gh@gmail.com"
+  }
+}
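Review bot: The comment `# The set of admins` does not say what the map drives or what its keys mean, and both matter: the keys become `for_each` instance keys in cloudflare.tf (and presumably wherever tfe_owners is iterated), so renaming a key destroys and recreates that person's membership, and any addition is applied to every consumer at once. I would expand it to something like `# Org admins, keyed by handle. Consumed by cloudflare.tf and terraform_cloud.tf; keys are used as for_each keys, so renaming one recreates the membership.` This file is also where a reader needs to learn that the Terraform Cloud free plan caps the list at 5 members, a limit currently noted only in terraform_cloud.tf.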
diff --git a/terraform/secrets.yaml b/terraform/secrets.yaml
index 6c5676e..d9d8b32 100644
--- a/terraform/secrets.yaml
+++ b/terraform/secrets.yaml
@@ -1,4 +1,4 @@
-CLOUDFLARE_API_TOKEN: ENC[AES256_GCM,data:YDe1kQGBXn1DxIAInQkZociCuZhfVMQq7KaUeI4bkZDQhXlc38E67A==,iv:z/7VchAdz6zFMOmf67801V+yAU7vk4MyITVpvzIH4U8=,tag:krlU7ogI3E7UYxKdBuLO9w==,type:str]
+CLOUDFLARE_API_TOKEN: ENC[AES256_GCM,data:RCXy2ccuRjpLqrbqy6Xx3ZA6XO4ZgKKyK3vrl3WgeclRelrxZxOmhA==,iv:uyiU9UC2l8nm6tCcyuDa8Psk+bf4hyi5yruc+Q0jd9s=,tag:bpHTP7nJi58fu3TxJ+jcIA==,type:str]
 HYDRA_PASSWORD: ENC[AES256_GCM,data:7o8RuTWxYY7HNbMDgl9ur0j+ehI1bf0JSA==,iv:oZ6iHGGL4xbCC54kQ+mjpYYrm3Kn2PAlhDOyX8K6VCY=,tag:hXSlJSgjQymbsriHBiMy4w==,type:str]
 TF_TOKEN_app_terraform_io: ENC[AES256_GCM,data:htOyHZEIKxwPHzgpao+m3YIhLBM6ihZdq54YVlIw9bNHup7qrwgjJbT4nX6SIrFQvGQmqbVvhoFN6+UYyfcPlOWfdiIMUgZfa2F4zMceIsArNAcXMtv7Efzy,iv:RmDIHFfPJ5hHNDwvjdb7vxTnpE6JIlbLmbFzfGo+YAc=,tag:gzFY4HOGmuT5BrrFhzBtxw==,type:str]
 TFE_TOKEN: ENC[AES256_GCM,data:OiC6uMy/ilF3v/4cI0boZh7jYkVFwyeIASukif3d6PlWkIUkPonCbXmTXOcp+tpuCg7KzJC7r/bwsSM1BlFmCjXwOs7oeRK5sfNg+a071CEZnHpkMTgdwEqU,iv:mHIn4vwLS4oTYrhDVlmGbG0yzYrhcFbizIevGDIoaAs=,tag:UhKQ8w8Hk2POnZnr7BCBTg==,type:str]
@@ -53,8 +53,8 @@ sops:
             MnhHSHdqd2xxbk5OWEx1Q3hGTGcySWsKnGKLLHKPewnG83Ejc+NJkfKsl8Z6vmSA
             Ao8Dc09GJzou5X0fP2h1/CpsB6XASD1Qox2oxEYPZvWNtiFGAaq9tg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-01-22T11:13:37Z"
-    mac: ENC[AES256_GCM,data:j6QLlmykZJfGkUXCQ4/i2uZDIMTFObqD/agsEDwy5hrqNPsNFD77X3tivUsjjw9RgBgortSBuVjNY8r8lOcupx1GJOBckc8fyvY+oodfdBUgWfjv9oUU332g8swo+oW+vABplmFk4OcMbfAgTyi/wqhjW+LA1PNPUKHNAcTTrqE=,iv:na6eLhoxFiyqblKBKAV5aNxPEHTt3hSKl89PfK/QFQg=,tag:mJjMB97cWYv/+YUNGMpLpw==,type:str]
+    lastmodified: "2023-01-24T00:16:00Z"
+    mac: ENC[AES256_GCM,data:vHtOQcP2mwr2bI8ss3M7NzyNmPj3guDzF4Xaj0Z8/GcVPC1VR4s4aqnIsvVPN6XXv7ORcZXGJ/laKX8dn44HcTkmN1wrvsbggaedOsq8SGqspsvciFmudnGlPUMlqXtQ5Hwsk4qYM/aGYZkC0S36ctCPMcA4WkczAws238DFA5w=,iv:QUgOBLMctB3nuJW8SLb6tq0aAWyuLqJtXfBanTOeqo4=,tag:Pa7NfLRhaMcsfha9Vvvs2Q==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.7.3
diff --git a/terraform/terraform_cloud.tf b/terraform/terraform_cloud.tf
index a553315..665fd32 100644
--- a/terraform/terraform_cloud.tf
+++ b/terraform/terraform_cloud.tf
@@ -3,15 +3,8 @@
 # Terraform Cloud is used only for one thing: to store the terraform state.
 #
 locals {
-  # FIXME: add all the admins of the org
   # NOTE: there is a limit of 5 members in the free plan
-  tfe_owners = {
-    adisbladis = "adisbladis@gmail.com"
-    mic92      = "joerg@thalheim.io"
-    ryantm     = "ryan@ryantm.com"
-    zimbatm    = "zimbatm@zimbatm.com"
-    zowoq      = "zowoq.gh@gmail.com"
-  }
+  tfe_owners = local.admins
 
   tfe_org = "nix-community" #tfe_organization.nix-community.name
 }
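Review bot: The limit recorded at `# NOTE: there is a limit of 5 members in the free plan` now constrains local.admins, which lives in locals.tf and is shared with Cloudflare, yet the limit is visible only here; the map already holds exactly 5 entries, so the next addition made for Cloudflare's sake will break this stack. Consider enforcing it rather than relying on the comment, e.g. on whichever resource consumes tfe_owners, a `lifecycle { precondition { condition = length(local.tfe_owners) <= 5, error_message = "TFE free plan allows at most 5 members" } }` (requires Terraform 1.2 or later), or at minimum repeat the limit in the comment in locals.tf. The resource that iterates tfe_owners is outside this hunk.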