terraform: use sops provider, drop wrapper
This commit is contained in:
parent
dfff37bddf
commit
b3f8f7b669
4 changed files with 25 additions and 15 deletions
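--- a/.github/workflows/terraform.yml
+++ b/.github/workflows/terraform.yml
@@ -11,8 +11,12 @@ jobs:
 terraform-deploy:
 if: github.repository == 'nix-community/infra'
 runs-on: ubuntu-latest
+defaults:
+run:
+working-directory: terraform
 env:
 SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
+TF_TOKEN_app_terraform_io: ${{ secrets.TF_TOKEN_APP_TERRAFORM_IO }}
 TF_IN_AUTOMATION: true
 steps:
 - uses: actions/checkout@v3
@@ -31,16 +35,16 @@ jobs:
 accept-flake-config = true
 - name: init
 if: steps.changes.outputs.terraform == 'true'
-run: nix develop -c ./terraform/terraform init -input=false
+run: nix develop -c terraform init -input=false
 - name: validate
 if: steps.changes.outputs.terraform == 'true'
-run: nix develop -c ./terraform/terraform validate
+run: nix develop -c terraform validate
 - name: fmt
 if: steps.changes.outputs.terraform == 'true'
-run: nix develop -c ./terraform/terraform fmt -check
+run: nix develop -c terraform fmt -check
 - name: plan
 if: steps.changes.outputs.terraform == 'true' && github.ref == 'refs/heads/trying'
-run: nix develop -c ./terraform/terraform plan -input=false
+run: nix develop -c terraform plan -input=false
 - name: apply
 if: steps.changes.outputs.terraform == 'true' && github.ref == 'refs/heads/staging'
-run: nix develop -c ./terraform/terraform apply -auto-approve -input=false
+run: nix develop -c terraform apply -auto-approve -input=false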
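Review bot: The env block in the first hunk no longer sets TF_FORCE_LOCAL_BACKEND, which the deleted terraform/terraform wrapper exported as "1" so that Terraform Cloud was used "without the remote execution part". With TF_TOKEN_app_terraform_io now supplied directly, plan and apply may be executed on Terraform Cloud workers if the workspace's execution mode is remote, and SOPS_AGE_KEY from this job's environment would then never reach the sops provider; the workspace setting is not visible in the diff, so this needs confirming. If local execution is still intended, add `TF_FORCE_LOCAL_BACKEND: "1"` next to `TF_IN_AUTOMATION: true` (quoted so the value stays a string) with a comment such as `# keep execution on this runner; the sops provider needs SOPS_AGE_KEY from this env`. The same consideration applies to every step in the second hunk, since they all invoke terraform directly now.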
@ -11,6 +11,7 @@ mkShellNoCC {
|
||||||
p.external
|
p.external
|
||||||
p.hydra
|
p.hydra
|
||||||
p.null
|
p.null
|
||||||
|
p.sops
|
||||||
p.tfe
|
p.tfe
|
||||||
]
|
]
|
||||||
))
|
))
|
||||||
|
|
|
@ -1,9 +0,0 @@
|
||||||
#!/usr/bin/env bash
|
|
||||||
set -euo pipefail
|
|
||||||
|
|
||||||
pushd "$(dirname "$0")" >/dev/null
|
|
||||||
|
|
||||||
# terraform cloud without the remote execution part
|
|
||||||
TF_FORCE_LOCAL_BACKEND="1" sops exec-env secrets.yaml "terraform ${*@Q}"
|
|
||||||
|
|
||||||
popd >/dev/null
|
|
|
@ -6,15 +6,29 @@ terraform {
|
||||||
hydra = {
|
hydra = {
|
||||||
source = "DeterminateSystems/hydra"
|
source = "DeterminateSystems/hydra"
|
||||||
}
|
}
|
||||||
|
sops = {
|
||||||
|
source = "carlpett/sops"
|
||||||
|
}
|
||||||
tfe = {
|
tfe = {
|
||||||
source = "hashicorp/tfe"
|
source = "hashicorp/tfe"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
provider "cloudflare" {}
|
data "sops_file" "nix-community" {
|
||||||
|
source_file = "secrets.yaml"
|
||||||
|
}
|
||||||
|
|
||||||
|
provider "cloudflare" {
|
||||||
|
api_token = data.sops_file.nix-community.data["CLOUDFLARE_API_TOKEN"]
|
||||||
|
}
|
||||||
|
|
||||||
provider "hydra" {
|
provider "hydra" {
|
||||||
host = "https://hydra.nix-community.org"
|
host = "https://hydra.nix-community.org"
|
||||||
|
password = data.sops_file.nix-community.data["HYDRA_PASSWORD"]
|
||||||
username = "admin"
|
username = "admin"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
provider "tfe" {
|
||||||
|
token = data.sops_file.nix-community.data["TFE_TOKEN"]
|
||||||
|
}
|
||||||
|
|
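Review bot: The new `data "sops_file" "nix-community"` block decrypts all of secrets.yaml into data.sops_file.nix-community.data, and Terraform persists data-source results in state, so CLOUDFLARE_API_TOKEN, HYDRA_PASSWORD and TFE_TOKEN now end up in the state file in clear; the provider should mark the attribute sensitive, which hides it from plan output but not from state. The wrapper this commit removes passed the same values through `sops exec-env`, and provider configuration never reaches state. Given the Terraform Cloud token added to the workflow in this commit, the state is presumably remote, so anyone with state read access on that workspace can recover the credentials — worth a comment above the data block, e.g. `# NOTE: decrypted values are stored in Terraform state; keep state read access as tight as the secrets themselves`. The enclosing `terraform { required_providers }` block starts before the hunk.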