sercanto/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

terraform: use sops provider, drop wrapper

Browse source
This commit is contained in:
zowoq 2023-01-25 08:40:00 +10:00
parent dfff37bddf
commit b3f8f7b669
4 changed files with 25 additions and 15 deletions

14
.github/workflows/terraform.yml vendored
View file

@ -11,8 +11,12 @@ jobs:
terraform-deploy: terraform-deploy:
if: github.repository == 'nix-community/infra' if: github.repository == 'nix-community/infra'
runs-on: ubuntu-latest runs-on: ubuntu-latest
defaults:
run:
working-directory: terraform
env: env:
SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }} SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
TF_TOKEN_app_terraform_io: ${{ secrets.TF_TOKEN_APP_TERRAFORM_IO }}
TF_IN_AUTOMATION: true TF_IN_AUTOMATION: true
steps: steps:
- uses: actions/checkout@v3 - uses: actions/checkout@v3
@ -31,16 +35,16 @@ jobs:
accept-flake-config = true accept-flake-config = true
- name: init - name: init
if: steps.changes.outputs.terraform == 'true' if: steps.changes.outputs.terraform == 'true'
run: nix develop -c ./terraform/terraform init -input=false run: nix develop -c terraform init -input=false
- name: validate - name: validate
if: steps.changes.outputs.terraform == 'true' if: steps.changes.outputs.terraform == 'true'
run: nix develop -c ./terraform/terraform validate run: nix develop -c terraform validate
- name: fmt - name: fmt
if: steps.changes.outputs.terraform == 'true' if: steps.changes.outputs.terraform == 'true'
run: nix develop -c ./terraform/terraform fmt -check run: nix develop -c terraform fmt -check
- name: plan - name: plan
if: steps.changes.outputs.terraform == 'true' && github.ref == 'refs/heads/trying' if: steps.changes.outputs.terraform == 'true' && github.ref == 'refs/heads/trying'
run: nix develop -c ./terraform/terraform plan -input=false run: nix develop -c terraform plan -input=false
- name: apply - name: apply
if: steps.changes.outputs.terraform == 'true' && github.ref == 'refs/heads/staging' if: steps.changes.outputs.terraform == 'true' && github.ref == 'refs/heads/staging'
run: nix develop -c ./terraform/terraform apply -auto-approve -input=false run: nix develop -c terraform apply -auto-approve -input=false

1
shell.nix
View file

@ -11,6 +11,7 @@ mkShellNoCC {
p.external p.external
p.hydra p.hydra
p.null p.null
p.sops
p.tfe p.tfe
] ]
)) ))

9
terraform/terraform
View file

@ -1,9 +0,0 @@
#!/usr/bin/env bash
set -euo pipefail
pushd "$(dirname "$0")" >/dev/null
# terraform cloud without the remote execution part
TF_FORCE_LOCAL_BACKEND="1" sops exec-env secrets.yaml "terraform ${*@Q}"
popd >/dev/null

16
terraform/terraform_providers.tf
View file

@ -6,15 +6,29 @@ terraform {
hydra = { hydra = {
source = "DeterminateSystems/hydra" source = "DeterminateSystems/hydra"
} }
sops = {
source = "carlpett/sops"
}
tfe = { tfe = {
source = "hashicorp/tfe" source = "hashicorp/tfe"
} }
} }
} }
provider "cloudflare" {} data "sops_file" "nix-community" {
source_file = "secrets.yaml"
}
provider "cloudflare" {
api_token = data.sops_file.nix-community.data["CLOUDFLARE_API_TOKEN"]
}
provider "hydra" { provider "hydra" {
host = "https://hydra.nix-community.org" host = "https://hydra.nix-community.org"
password = data.sops_file.nix-community.data["HYDRA_PASSWORD"]
username = "admin" username = "admin"
} }
provider "tfe" {
token = data.sops_file.nix-community.data["TFE_TOKEN"]
}