Kiara Grouwstra
1bda4d5e9c
|
||
|---|---|---|
| lib | ||
| ssh-keys | ||
| .envrc | ||
| .gitignore | ||
| .sops.yaml | ||
| .terraform.lock.hcl | ||
| .woodpecker.yml | ||
| README.md | ||
| config.nix | ||
| flake.lock | ||
| flake.nix | ||
| secrets.enc.yaml | ||
| treefmt.toml | ||
README.md
terraform
Contains Terraform code used to manage our infrastructure, Nix'ified for Terranix.
Prerequisites
- Nix with Flakes enabled
- Credentials (see configuring), if not using the shared secrets:
tf_cloud_token: Terraform Cloud token to use shared statehcloud_api_token: Hetzner Cloud API token
Usage
-
Before issuing any other commands, enter the development environment (if not using
direnv):nix develop -c $SHELL -
Applying changes:
nix run -
Validating logic:
nix run .#check -
Showing the generated plan:
nix run .#plan -
Applying changes, approving automatically:
nix run .#cd -
Removing local state and derived credentials:
nix run .#destroy -
Updating dependencies:
nix flake update -
Simulating a CI test (substituting
<SOPS_AGE_KEY>):woodpecker-cli exec --env "SOPS_AGE_KEY=<SOPS_AGE_KEY>"
Secrets
-
if you want to reset secrets:
-
key setup: set environment variable
SOPS_AGE_KEY_FILEorSOPS_AGE_KEYsosopscan locate the secret key to anagekey pair that has its public key listed in.sops.yaml -
encoding secrets:
sops -e secrets.yaml > secrets.enc.yaml -
decoding secrets:
sops -d secrets.enc.yaml > secrets.yaml -
setting Terraform Cloud credentials, either by:
-
reusing the shared session:
source login.sh -
log in to the Terraform Cloud backend:
tofu login app.terraform.io
-
Configuring
Create a file terraform.tfvars containing override for any Terraform variables, e.g.:
hcloud_location = "nbg1"
Managed state
- go to https://gitlab.com/bij1/intranet/terraform/-/terraform
- open the triple dot menu for
bij1and selectCopy Terraform init command - substitute in a personal access token in the shown command
- run the command locally to access the shared state