# terraform

Contains Terraform code used to manage our infrastructure, Nix'ified for Terranix.

## Prerequisites

- Nix with Flakes enabled
- Credentials (see [Configuring](#configuring)), if not using the shared secrets:
  - `tf_cloud_token`: Terraform Cloud token to use shared state
  - `hcloud_api_token`: Hetzner Cloud API token

## Usage

- Before issuing any other commands, enter the development environment (if not using `direnv`): `nix develop -c $SHELL`
- Applying changes: `nix run`
- Validating logic: `nix run .#check`
- Showing the generated plan: `nix run .#plan`
- Applying changes, approving automatically: `nix run .#cd`
- Removing local state and derived credentials: `nix run .#destroy`
- Updating dependencies: `nix flake update`
- Simulating a CI test (substituting `<SOPS_AGE_KEY>`): `woodpecker-cli exec --env "SOPS_AGE_KEY=<SOPS_AGE_KEY>"`
## Secrets

- If you want to reset secrets:
  - key setup: set the environment variable `SOPS_AGE_KEY_FILE` or `SOPS_AGE_KEY` so that `sops` can locate the secret key of an age key pair whose public key is listed in `.sops.yaml`
  - encrypting secrets: `sops -e secrets.yaml > secrets.enc.yaml`
  - decrypting secrets: `sops -d secrets.enc.yaml > secrets.yaml`
- Setting Terraform Cloud credentials, either by:
  - reusing the shared session: `source login.sh`
  - logging in to the Terraform Cloud backend: `tofu login app.terraform.io`
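The key setup and encrypt/decrypt steps above are easy to get wrong silently (no key exported, or a plaintext `secrets.yaml` renamed to `secrets.enc.yaml` and committed). The following pre-flight checks are an added example, not part of this repository; the file names and the sample files in the checks are assumptions, and the checks are structural only (they do not validate the sops MAC).

```shell
#!/usr/bin/env sh
# Pre-flight checks for the sops/age secrets workflow (added example, not repo code).

# Returns 0 if sops can find an age secret key the way the README describes:
# either inline in SOPS_AGE_KEY or via a readable file in SOPS_AGE_KEY_FILE.
sops_key_available() {
  if [ -n "${SOPS_AGE_KEY:-}" ]; then return 0; fi
  if [ -n "${SOPS_AGE_KEY_FILE:-}" ] && [ -r "$SOPS_AGE_KEY_FILE" ]; then return 0; fi
  echo "no age key: set SOPS_AGE_KEY or SOPS_AGE_KEY_FILE" >&2
  return 1
}

# Returns 0 if the file looks like sops output encrypted to at least one age
# recipient: a top-level `sops:` block, ENC[AES256_GCM,...] values and an
# `- recipient: age1...` entry. A plaintext secrets.yaml fails every check,
# which catches the mistake of committing it under the .enc.yaml name.
is_sops_encrypted() {
  f=$1
  [ -r "$f" ] || return 1
  grep -q '^sops:' "$f" || return 1
  grep -q 'ENC\[AES256_GCM' "$f" || return 1
  grep -Eq '^[[:space:]]*-[[:space:]]*recipient: age1' "$f" || return 1
  return 0
}

# Returns 0 if the public key of the age key file (the "# public key: age1..."
# comment that age-keygen writes) appears in the given .sops.yaml, i.e. the key
# is one of the recipients and can decrypt or re-encrypt the repository's secrets.
key_in_sops_yaml() {
  keyfile=$1
  rules=$2
  pub=$(sed -n 's/^# public key: //p' "$keyfile" | head -n 1)
  [ -n "$pub" ] || { echo "no '# public key:' comment in $keyfile" >&2; return 1; }
  grep -qF -- "$pub" "$rules"
}
```

Run `sops_key_available && is_sops_encrypted secrets.enc.yaml` before `nix run` or the CI simulation to fail early instead of inside Terraform.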
## Configuring

Create a file `terraform.tfvars` containing overrides for any Terraform variables, e.g.:

```
hcloud_location = "nbg1"
```

## Managed state

- go to https://gitlab.com/bij1/intranet/terraform/-/terraform
- open the triple-dot menu for `bij1` and select "Copy Terraform init command"
- substitute a personal access token into the shown command
- run the command locally to access the shared state