Merge #415

415: terraform: use sops provider, drop wrapper r=zowoq a=zowoq Co-authored-by: zowoq <59103226+zowoq@users.noreply.github.com>
2023-01-26 22:19:23 +00:00 · 2023-01-26 22:19:23 +00:00 · 7e6e64622c
commit 7e6e64622c
parent 9d68769b43 29b0bd59b7
4 changed files with 26 additions and 15 deletions
--- a/.github/workflows/terraform.yml
+++ b/.github/workflows/terraform.yml
@ -11,9 +11,14 @@ jobs:
  terraform-deploy:
    if: github.repository == 'nix-community/infra'
    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: terraform
    env:
      SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
+      TF_TOKEN_app_terraform_io: ${{ secrets.TF_TOKEN_APP_TERRAFORM_IO }}
      TF_IN_AUTOMATION: true
+      TF_INPUT: 0
    steps:
      - uses: actions/checkout@v3
      - uses: dorny/paths-filter@v2
@ -31,16 +36,16 @@ jobs:
            accept-flake-config = true
      - name: init
        if: steps.changes.outputs.terraform == 'true'
-        run: nix develop -c ./terraform/terraform init -input=false
+        run: nix develop -c terraform init
      - name: validate
        if: steps.changes.outputs.terraform == 'true'
-        run: nix develop -c ./terraform/terraform validate
+        run: nix develop -c terraform validate
      - name: fmt
        if: steps.changes.outputs.terraform == 'true'
-        run: nix develop -c ./terraform/terraform fmt -check
+        run: nix develop -c terraform fmt -check
      - name: plan
        if: steps.changes.outputs.terraform == 'true' && github.ref == 'refs/heads/trying'
-        run: nix develop -c ./terraform/terraform plan -input=false
+        run: nix develop -c terraform plan
      - name: apply
        if: steps.changes.outputs.terraform == 'true' && github.ref == 'refs/heads/staging'
-        run: nix develop -c ./terraform/terraform apply -auto-approve -input=false
+        run: nix develop -c terraform apply -auto-approve
--- a/shell.nix
+++ b/shell.nix
@ -11,6 +11,7 @@ mkShellNoCC {
        p.external
        p.hydra
        p.null
+        p.sops
        p.tfe
      ]
    ))
--- a/terraform/terraform
+++ b/terraform/terraform
@ -1,9 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-pushd "$(dirname "$0")" >/dev/null
-
-# terraform cloud without the remote execution part
-TF_FORCE_LOCAL_BACKEND="1" sops exec-env secrets.yaml "terraform ${*@Q}"
-
-popd >/dev/null
--- a/terraform/terraform_providers.tf
+++ b/terraform/terraform_providers.tf
@ -6,15 +6,29 @@ terraform {
    hydra = {
      source = "DeterminateSystems/hydra"
    }
+    sops = {
+      source = "carlpett/sops"
+    }
    tfe = {
      source = "hashicorp/tfe"
    }
  }
 }

-provider "cloudflare" {}
+data "sops_file" "nix-community" {
+  source_file = "secrets.yaml"
+}
+
+provider "cloudflare" {
+  api_token = data.sops_file.nix-community.data["CLOUDFLARE_API_TOKEN"]
+}

 provider "hydra" {
  host     = "https://hydra.nix-community.org"
+  password = data.sops_file.nix-community.data["HYDRA_PASSWORD"]
  username = "admin"
 }
+
+provider "tfe" {
+  token = data.sops_file.nix-community.data["TFE_TOKEN"]
+}