This commit is contained in:
Kiara Grouwstra 2024-01-24 00:14:39 +01:00
parent 96a4ccf181
commit 9e62215c2a
4 changed files with 60 additions and 87 deletions

3
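--- a/.envrc
+++ b/.envrc
@@ -1 +1,2 @@
-use flake
+use flake
+export SOPS_AGE_KEY_FILE=./keys.txt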
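Review bot: `./keys.txt` is the age private key that the whole secrets workflow decrypts with, and this line points direnv at a copy kept in the repository root; the commit shows no `.gitignore` entry for it, so confirm one exists before this lands, otherwise a `git add -A` would commit the key. The relative path also only resolves while `sops` runs from the repo root; direnv sources `.envrc` from that directory, so `export SOPS_AGE_KEY_FILE="$PWD/keys.txt"` keeps working from subdirectories. This export does not feed the `just ci` recipe on this page, which reads `$SOPS_AGE_KEY` rather than the file path.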


@ -19,94 +19,28 @@ Before issuing any other commands, enter the development environment (if not usi
nix develop -c $SHELL
```
### Commands
```sh
just -l
```
### Handling [credentials](#secrets)
### Applying changes
```sh
nix run
```
### Validating logic
```sh
nix run .#check
```
### Showing the generated plan
```sh
nix run .#plan
```
### Applying changes, approving automatically
```sh
nix run .#cd
```
### Removing local state and derived credentials
```sh
nix run .#destroy
```
### Running Nomad jobs locally
```sh
nix run .#local
```
### Updating dependencies
```sh
nix flake update
```
### Simulating a CI test
[substituting](#secrets) `<SOPS_AGE_KEY>`, run:
```sh
woodpecker-cli exec --env "SOPS_AGE_KEY=<SOPS_AGE_KEY>"
```
## Secrets
- if you want to reset secrets:
- generate an [`age`](https://age-encryption.org/) key pair, using [`rage`](https://github.com/str4d/rage) installed as part of the nix shell:
```sh
rage-keygen -o keys.txt
```
- generate keypair: `just keygen`
- list it in [`sops`](https://getsops.io/) config file `.sops.yaml`
- key setup: set environment variable `SOPS_AGE_KEY_FILE` or `SOPS_AGE_KEY` so `sops` can locate the secret key to an `age` key pair that has its public key listed in `.sops.yaml`, e.g.:
- key setup: set environment variable `SOPS_AGE_KEY_FILE` or `SOPS_AGE_KEY` so `sops` can locate the secret key to an `age` key pair that has its public key listed in `.sops.yaml`, e.g. (listed in `.envrc`):
```sh
export SOPS_AGE_KEY_FILE=./keys.txt
```
- encoding secrets:
```sh
nix run .#encode
```
- decoding secrets:
```sh
nix run .#decode
```
- setting Terraform Cloud credentials, either by:
- decode (as per above) to reuse the shared session
- log in to the Terraform Cloud backend:
```sh
tofu login app.terraform.io
```
- log in to the Terraform Cloud backend: `just login`
### Configuring


@ -71,6 +71,7 @@
devShell = pkgs.mkShell {
buildInputs = with pkgs; [
treefmt
just
pkgs.sops
rage
woodpecker-cli
@ -108,20 +109,10 @@
type = "app";
program = toString (pkgs.writers.writeBash name script);
}) {
# nix run .#encode
encode = "${sops} --output-type yaml -e .auto.tfvars.json > .auto.tfvars.enc.yaml";
# nix run .#decode
decode = "${sops} --output-type json -d .auto.tfvars.enc.yaml > .auto.tfvars.json";
# nix run .#check
check = tfCommand "validate";
# nix run .#apply
validate = tfCommand "validate";
apply = tfCommand "apply";
# nix run .#plan
plan = tfCommand "plan";
# nix run .#cd
cd = tfCommand "apply -auto-approve";
# nix run .#destroy
# nix run .#local
local = locally + compile tfCfg.nomad + ''
${tf} workspace select -or-create nomad;
${tf} init && ${tf} apply -auto-approve;
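Review bot: The `check` app is dropped in favour of `validate` in the second hunk, but the README section on this page still lists `nix run .#check` under "Validating logic" and it is not visible whether that line survives the commit; anything outside this commit that calls `.#check` (a CI pipeline, for instance) would now fail with an unknown-app error. Keeping an alias, `check = tfCommand "validate";` next to `validate`, preserves the old entry point at no cost. The removed `encode`/`decode` apps pinned the sops binary through `${sops}`, whereas the justfile recipes that replace them invoke a bare `sops`, so outside `nix develop` they run whatever `sops` is first on PATH — worth stating in the README if that is intended. The attribute set and the `local` app body continue past the end of the hunk.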

47
justfile Normal file

@ -0,0 +1,47 @@
# encode secrets
encode:
sops --output-type yaml -e .auto.tfvars.json > .auto.tfvars.enc.yaml
# decode secrets
decode:
sops --output-type json -d .auto.tfvars.enc.yaml > .auto.tfvars.json
# log in to the Terraform Cloud backend
login:
tofu login app.terraform.io
# validate logic
validate:
nix run .#validate
# apply changes
default:
nix run .#apply
# show generated plan
plan:
nix run .#plan
# run CI test locally
ci:
woodpecker-cli exec --env "SOPS_AGE_KEY=$SOPS_AGE_KEY"
# apply changes, approving automatically
cd:
nix run .#cd
# run Nomad jobs locally
local:
nix run .#local
# generate an [`age`](https://age-encryption.org/) key pair
keygen:
rage-keygen -o keys.txt
# remove local state and derived credentials
destroy:
nix run .#destroy
# update dependencies
update:
nix flake update
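Review bot: The `ci` recipe forwards `$SOPS_AGE_KEY` into the Woodpecker run, but nothing in this commit sets that variable — `.envrc` exports `SOPS_AGE_KEY_FILE` — so under the documented direnv setup the recipe passes `SOPS_AGE_KEY=` empty and decryption fails inside the pipeline rather than up front. Fail fast with a guard line before the `woodpecker-cli exec` call, `test -n "$SOPS_AGE_KEY" || { echo "SOPS_AGE_KEY is not set (it is not derived from SOPS_AGE_KEY_FILE)" >&2; exit 1; }`, or derive the value from the key file. `keygen` writes the private key to `keys.txt` in the repository root; unless `.gitignore` already covers it (not visible here), add it, and consider `chmod 600 keys.txt` after generation so the key is not readable by other local users. `decode` likewise leaves the plaintext `.auto.tfvars.json` on disk, which the `destroy` step presumably cleans up — worth confirming.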