terraform-config/README.md

terraform

Contains Terraform code used to manage our infrastructure, Nix'ified for Terranix.

Prerequisites

• Nix with Flakes enabled
• Credentials (see configuring), if not using the shared secrets:
  • tf_cloud_token: Terraform Cloud token to use shared state
  • hcloud_api_token: Hetzner Cloud API token

Usage

• Before issuing any other commands, enter the development environment (if not using direnv):

  nix develop -c $SHELL
  

• Applying changes:

  nix run
  

• Validating logic:

  nix run .#check
  

• Showing the generated plan:

  nix run .#plan
  

• Applying changes, approving automatically:

  nix run .#cd
  

• Removing local state and derived credentials:

  nix run .#destroy
  

• Updating dependencies:

  nix flake update
  

• Simulating a CI test (substituting <SOPS_AGE_KEY>):

  woodpecker-cli exec --env "SOPS_AGE_KEY=<SOPS_AGE_KEY>"
  

Secrets

• if you want to reset secrets:

  • generate an age key pair, using rage installed as part of the nix shell:

    rage-keygen -o keys.txt
    

  • list it in sops config file .sops.yaml

• key setup: set environment variable SOPS_AGE_KEY_FILE or SOPS_AGE_KEY so sops can locate the secret key to an age key pair that has its public key listed in .sops.yaml

• encoding secrets:

  sops -e secrets.yaml > secrets.enc.yaml
  

• decoding secrets:

  sops -d secrets.enc.yaml > secrets.yaml
  

• setting Terraform Cloud credentials, either by:

  • reusing the shared session:

    source login.sh
    

  • log in to the Terraform Cloud backend:

    tofu login app.terraform.io
    

Configuring

Create a file terraform.tfvars containing override for any Terraform variables, e.g.:

hcloud_location = "nbg1"

Managed state

• go to https://gitlab.com/bij1/intranet/terraform/-/terraform
• open the triple dot menu for bij1 and select Copy Terraform init command
• substitute in a personal access token in the shown command
• run the command locally to access the shared state

HCL to Nix