diff --git a/.github/workflows/terragrunt.yaml b/.github/workflows/terragrunt.yaml
index 9d57e665..4ed0b263 100644
--- a/.github/workflows/terragrunt.yaml
+++ b/.github/workflows/terragrunt.yaml
@@ -28,6 +28,20 @@ jobs:
 - name: 'Checkout'
 uses: actions/checkout@main
+ - name: Install 1Password CLI
+ uses: 1password/install-cli-action@v1
+
+ - name: Install Terragrunt
+ uses: eLco/setup-terragrunt@v1
+ with:
+ terragrunt_version: ${{ env.tg_version }}
+
+ - name: 'Install OpenTofu'
+ uses: opentofu/setup-opentofu@v1
+ with:
+ tofu_version: ${{ env.tofu_version }}
+ tofu_wrapper: false
+
 - name: Check Formatting
 uses: gruntwork-io/terragrunt-action@v2
 with:
@@ -37,16 +51,10 @@ jobs:
 tg_command: 'hclfmt --terragrunt-check --terragrunt-diff'
 - name: Check terraform fmt
- uses: gruntwork-io/terragrunt-action@v2
+ working-directory: ${{ env.working_dir }}
 env:
- CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
- CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
- TF_STATE_POSTGRES_CONN_STR: ${{ secrets.TF_STATE_POSTGRES_CONN_STR }}
- with:
- tofu_version: ${{ env.tofu_version }}
- tg_version: ${{ env.tg_version }}
- tg_dir: ${{ env.working_dir }}
- tg_command: 'run-all fmt -diff -check'
+ OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_TF_PROD_ENV }}
+ run: op run --env-file=".env" -- terragrunt run-all fmt -diff -check
 plan:
 runs-on: ubuntu-latest
 if: github.ref != 'refs/heads/main'
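Review bot: The three actions added after the checkout step are referenced by mutable tags (`1password/install-cli-action@v1`, `eLco/setup-terragrunt@v1`, `opentofu/setup-opentofu@v1`), so whoever can move those tags controls code that runs with this job's secrets in scope. Pin each `uses:` to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: eLco/setup-terragrunt@<commit-sha> # v1` (placeholder — take the SHA from the action's release), and let Dependabot or Renovate advance the pins. The pre-existing `actions/checkout@main` in the context lines has the same exposure and is worth fixing in the same pass. The enclosing job begins outside the hunk.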
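Review bot: The `Check terraform fmt` step now pulls the whole `.env` secret set — Cloudflare token, GitHub App private key, Docker Hub password — into its environment through `op run`, where the removed lines show it previously received three values and a format check needs none of them. Because the first hunk installs OpenTofu on PATH with `tofu_wrapper: false`, this step can skip Terragrunt (and so `root.hcl`'s `get_env`) altogether: delete the `OP_SERVICE_ACCOUNT_TOKEN` line and use `run: tofu fmt -check -diff -recursive`, keeping `working-directory` as is. If `terragrunt run-all fmt` is kept on purpose, the step still should not be handed the service-account token; the only value Terragrunt appears to need to parse the stack is `TF_VAR_tf_state_postgres_conn_str`, which can be supplied on its own. The enclosing job begins outside the hunk.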
@@ -71,18 +79,8 @@ jobs:
 - name: Plan All
 working-directory: ${{ env.working_dir }}
 env:
- CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
- CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
- TF_STATE_POSTGRES_CONN_STR: ${{ secrets.TF_STATE_POSTGRES_CONN_STR }}
- GITHUB_APP_INSTALLATION_ID: ${{ secrets.TF_APP_INSTALLATION_ID }}
- GITHUB_APP_ID: ${{ secrets.TF_APP_ID }}
- GITHUB_APP_PEM_FILE: ${{ secrets.TF_APP_PEM_FILE }}
- GITHUB_OWNER: ${{ secrets.TF_APP_GITHUB_OWNER }}
- OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
- DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
- run: terragrunt run-all plan -no-color 2>&1 | tee "${{github.workspace}}/plan_output.txt" && exit ${PIPESTATUS[0]};
+ OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_TF_PROD_ENV }}
+ run: op run --env-file=".env" -- terragrunt run-all plan -no-color 2>&1 | tee "${{github.workspace}}/plan_output.txt" && exit ${PIPESTATUS[0]};
 # - name: 'List files'
 # run: 'ls -la ${{ github.workspace }}'
@@ -118,14 +116,5 @@ jobs:
 - name: Deploy All
 working-directory: ${{ env.working_dir }}
 env:
- CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
- CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
- TF_STATE_POSTGRES_CONN_STR: ${{ secrets.TF_STATE_POSTGRES_CONN_STR }}
- GITHUB_APP_INSTALLATION_ID: ${{ secrets.TF_APP_INSTALLATION_ID }}
- GITHUB_APP_ID: ${{ secrets.TF_APP_ID }}
- GITHUB_APP_PEM_FILE: ${{ secrets.TF_APP_PEM_FILE }}
- GITHUB_OWNER: ${{ secrets.TF_APP_GITHUB_OWNER }}
- OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
- DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
- DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
- run: terragrunt run-all apply --terragrunt-non-interactive
+ OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_TF_PROD_ENV }}
+ run: op run --env-file=".env" -- terragrunt run-all apply --terragrunt-non-interactive
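Review bot: `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` is removed from the Plan All environment and has no counterpart in `tf/deployment/.env`, so anything that relied on it during plan (a module source fetch, a provider falling back to `GITHUB_TOKEN`) will now fail or run unauthenticated — confirm it was unused before merging. Separately, the replacement secret is named `OP_TF_PROD_ENV`, which suggests a production-scoped 1Password service account, while this job runs for every non-`main` ref per the `if: github.ref != 'refs/heads/main'` line in the previous hunk; if the service account can be scoped, plan should use a token limited to reading the `tf` vault and only the Deploy All step in the next hunk should hold the broader one. The `plan` job begins outside the hunk.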
diff --git a/.gitignore b/.gitignore
index 0aaec4b6..43606283 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,4 @@
 ### Project gitignore
-.env
 ### VisualStudioCode template
 .vscode/*
diff --git a/tf/deployment/.env b/tf/deployment/.env
new file mode 100644
index 00000000..e4a86505
--- /dev/null
+++ b/tf/deployment/.env
@@ -0,0 +1,10 @@
+export TF_VAR_cloudflare_account_id="op://tf/cloudflare/account_id"
+export TF_VAR_cloudflare_api_token="op://tf/cloudflare/api_token"
+export TF_VAR_tf_state_postgres_conn_str="op://tf/tf_state/postgres_conn_str"
+export TF_VAR_github_app_installation_id="op://tf/github_app_immich_tofu/installation_id"
+export TF_VAR_github_app_id="op://tf/github_app_immich_tofu/app_id"
+export TF_VAR_github_app_pem_file="op://tf/github_app_immich_tofu/private key"
+export TF_VAR_github_owner="op://tf/github_app_immich_tofu/owner"
+export TF_VAR_op_service_account_token="op://tf/1pass_service_account/api_token"
+export DOCKER_USERNAME="op://tf/dockerhub/username"
+export DOCKER_PASSWORD="op://tf/dockerhub/password"
diff --git a/tf/deployment/README.md b/tf/deployment/README.md
index 4488accb..a4626fe3 100644
--- a/tf/deployment/README.md
+++ b/tf/deployment/README.md
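Review bot: This file becomes committable only because the previous hunk drops the global `.env` pattern from `.gitignore`, which also stops ignoring every other `.env` in the repository — exactly the file name where real credentials tend to be dropped locally. Keep the global ignore and re-include just this path, i.e. in `.gitignore` write `.env` followed by `!tf/deployment/.env`. The contents here are `op://` references rather than secrets, so committing this particular file is fine; a short leading comment stating that only references belong in it would make that contract explicit to the next editor.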
@@ -8,6 +8,6 @@ To deploy the OpenTofu modules, follow these steps:
 1. Find the versions for OpenTofu and Terragrunt we're currently using in the github action workflow [here](../.github/workflows/terragrunt.yml)
 1. Install OpenTofu with `tenv tofu install ${version}` then run `tenv tofu use ${version}`
 1. Install Terragrunt with `tenv terragrunt install ${version}` then run `tenv terragrunt use ${version}`
-1. Set `CLOUDFLARE_API_TOKEN`, `CLOUDFLARE_ACCOUNT_ID` and `TF_STATE_POSTGRES_CONN_STR` in your environment
-1. Switch to the `tf/deployment/modules` folder
-1. Run `terragrunt run-all plan` to see what changes will be applied for your changes
+1. Install 1password cli `op`
+1. Setup 1password cli with `op account add` and then `eval $(op signin)`
+1. Run `op run --env-file=".env" -- terragrunt run-all plan` to see any terraform changes
diff --git a/tf/deployment/example.env b/tf/deployment/example.env
deleted file mode 100644
index 1a3aff70..00000000
--- a/tf/deployment/example.env
+++ /dev/null
@@ -1,10 +0,0 @@
-export CLOUDFLARE_ACCOUNT_ID=
-export CLOUDFLARE_API_TOKEN=
-export TF_STATE_POSTGRES_CONN_STR=
-export GITHUB_APP_INSTALLATION_ID=
-export GITHUB_APP_ID=
-export GITHUB_APP_PEM_FILE=
-export GITHUB_OWNER=
-export OP_SERVICE_ACCOUNT_TOKEN=
-export DOCKER_USERNAME=
-export DOCKER_PASSWORD=
diff --git a/tf/deployment/modules/1password/account/providers.tf b/tf/deployment/modules/1password/account/providers.tf
new file mode 100644
index 00000000..06633bea
--- /dev/null
+++ b/tf/deployment/modules/1password/account/providers.tf
@@ -0,0 +1,3 @@
+provider "onepassword" {
+ service_account_token = var.op_service_account_token
+}
diff --git a/tf/deployment/modules/1password/account/variables.tf b/tf/deployment/modules/1password/account/variables.tf
new file mode 100644
index 00000000..f89a2765
--- /dev/null
+++ b/tf/deployment/modules/1password/account/variables.tf
@@ -0,0 +1 @@
+variable "op_service_account_token" {}
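Review bot: `variable "op_service_account_token" {}` carries a credential but is declared without `sensitive = true`, so OpenTofu will not redact it if it ever reaches plan output, an error message or a module output — and this workflow writes plan output to `plan_output.txt`. Add `sensitive = true` (and `type = string`) to every secret-bearing variable this commit introduces: this file, `op_service_account_token` in `cloudflare/account/variables.tf`, both variables in `cloudflare/api-keys/variables.tf`, and `github_app_pem_file` plus `op_service_account_token` in `github/org/variables.tf`. Since the values arrive as `TF_VAR_*` from `op run`, the variable declaration is the only place this marking can live.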
diff --git a/tf/deployment/modules/cloudflare/account/1password.tf b/tf/deployment/modules/cloudflare/account/1password.tf
index 54471d80..4e128e46 100644
--- a/tf/deployment/modules/cloudflare/account/1password.tf
+++ b/tf/deployment/modules/cloudflare/account/1password.tf
@@ -76,7 +76,7 @@ resource "onepassword_item" "mich_cloudflare_r2_outline_volsync_backup" {
 field {
 label = "RESTIC_REPOSITORY"
- type = "string"
+ type = "STRING"
 value = "s3:https://${cloudflare_r2_bucket.outline_volsync_backups.account_id}.r2.cloudflarestorage.com/${cloudflare_r2_bucket.outline_volsync_backups.name}"
 }
diff --git a/tf/deployment/modules/cloudflare/account/providers.tf b/tf/deployment/modules/cloudflare/account/providers.tf
index 1bd1877f..12a66613 100644
--- a/tf/deployment/modules/cloudflare/account/providers.tf
+++ b/tf/deployment/modules/cloudflare/account/providers.tf
@@ -1,3 +1,7 @@
 provider "cloudflare" {
 api_token = data.terraform_remote_state.api_keys_state.outputs.terraform_key_cloudflare_account
 }
+
+provider "onepassword" {
+ service_account_token = var.op_service_account_token
+}
diff --git a/tf/deployment/modules/cloudflare/account/terragrunt.hcl b/tf/deployment/modules/cloudflare/account/terragrunt.hcl
index 435c8515..438d839c 100644
--- a/tf/deployment/modules/cloudflare/account/terragrunt.hcl
+++ b/tf/deployment/modules/cloudflare/account/terragrunt.hcl
@@ -6,10 +6,6 @@ terraform {
 }
 }
-include "cloudflare" {
- path = find_in_parent_folders("cloudflare.hcl")
-}
-
 include "root" {
 path = find_in_parent_folders("root.hcl")
 }
diff --git a/tf/deployment/modules/cloudflare/account/variables.tf b/tf/deployment/modules/cloudflare/account/variables.tf
index 73ee751f..c11f93f4 100644
--- a/tf/deployment/modules/cloudflare/account/variables.tf
+++ b/tf/deployment/modules/cloudflare/account/variables.tf
@@ -1,2 +1,3 @@
 variable "cloudflare_account_id" {}
 variable "tf_state_postgres_conn_str" {}
+variable "op_service_account_token" {}
diff --git a/tf/deployment/modules/cloudflare/api-keys/providers.tf b/tf/deployment/modules/cloudflare/api-keys/providers.tf
index a04d765a..65ff119b 100644
--- a/tf/deployment/modules/cloudflare/api-keys/providers.tf
+++ b/tf/deployment/modules/cloudflare/api-keys/providers.tf
@@ -1,3 +1,7 @@
-provider "cloudflare" {}
+provider "cloudflare" {
+ api_token = var.cloudflare_api_token
+}
-provider "onepassword" {}
+provider "onepassword" {
+ service_account_token = var.op_service_account_token
+}
diff --git a/tf/deployment/modules/cloudflare/api-keys/terragrunt.hcl b/tf/deployment/modules/cloudflare/api-keys/terragrunt.hcl
index 701e5b0c..0b1fa8bd 100644
--- a/tf/deployment/modules/cloudflare/api-keys/terragrunt.hcl
+++ b/tf/deployment/modules/cloudflare/api-keys/terragrunt.hcl
@@ -6,10 +6,6 @@ terraform {
 }
 }
-include "cloudflare" {
- path = find_in_parent_folders("cloudflare.hcl")
-}
-
 include "root" {
 path = find_in_parent_folders("root.hcl")
 }
diff --git a/tf/deployment/modules/cloudflare/api-keys/variables.tf b/tf/deployment/modules/cloudflare/api-keys/variables.tf
new file mode 100644
index 00000000..8a999d0a
--- /dev/null
+++ b/tf/deployment/modules/cloudflare/api-keys/variables.tf
@@ -0,0 +1,2 @@
+variable "op_service_account_token" {}
+variable "cloudflare_api_token" {}
diff --git a/tf/deployment/modules/cloudflare/cloudflare.hcl b/tf/deployment/modules/cloudflare/cloudflare.hcl
deleted file mode 100644
index 42b540a5..00000000
--- a/tf/deployment/modules/cloudflare/cloudflare.hcl
+++ /dev/null
@@ -1,9 +0,0 @@
-locals {
- cloudflare_account_id = get_env("CLOUDFLARE_ACCOUNT_ID")
- cloudflare_api_token = get_env("CLOUDFLARE_API_TOKEN")
-}
-
-inputs = {
- cloudflare_account_id = local.cloudflare_account_id
- cloudflare_api_token = local.cloudflare_api_token
-}
diff --git a/tf/deployment/modules/github/org/providers.tf b/tf/deployment/modules/github/org/providers.tf
index 9d441bc5..f577f67e 100644
--- a/tf/deployment/modules/github/org/providers.tf
+++ b/tf/deployment/modules/github/org/providers.tf
@@ -1,5 +1,12 @@
 provider "github" {
- app_auth {}
+ app_auth {
+ id = var.github_app_id
+ installation_id = var.github_app_installation_id
+ pem_file = var.github_app_pem_file
+ }
+ owner = var.github_owner
 }
-provider "onepassword" {}
+provider "onepassword" {
+ service_account_token = var.op_service_account_token
+}
diff --git a/tf/deployment/modules/github/org/remote-state.tf b/tf/deployment/modules/github/org/remote-state.tf
index efddd95f..a8ca2614 100644
--- a/tf/deployment/modules/github/org/remote-state.tf
+++ b/tf/deployment/modules/github/org/remote-state.tf
@@ -16,10 +16,6 @@ data "terraform_remote_state" "docker_org_state" {
 }
 }
-data "onepassword_vault" "opentofu_vault" {
- name = "OpenTofu"
-}
-
 data "onepassword_vault" "kubernetes" {
 name = "Kubernetes"
 }
diff --git a/tf/deployment/modules/github/org/variables.tf b/tf/deployment/modules/github/org/variables.tf
index 81b2d15f..6f6d9fd1 100644
--- a/tf/deployment/modules/github/org/variables.tf
+++ b/tf/deployment/modules/github/org/variables.tf
@@ -1 +1,8 @@
 variable "tf_state_postgres_conn_str" {}
+
+variable "github_app_id" {}
+variable "github_app_installation_id" {}
+variable "github_app_pem_file" {}
+variable "github_owner" {}
+
+variable "op_service_account_token" {}
diff --git a/tf/deployment/root.hcl b/tf/deployment/root.hcl
index 48b98e94..0ef604a9 100644
--- a/tf/deployment/root.hcl
+++ b/tf/deployment/root.hcl
@@ -1,5 +1,5 @@
 locals {
- tf_state_postgres_conn_str = get_env("TF_STATE_POSTGRES_CONN_STR")
+ tf_state_postgres_conn_str = get_env("TF_VAR_tf_state_postgres_conn_str")
 }
 remote_state {
@@ -9,7 +9,3 @@ remote_state {
 conn_str = local.tf_state_postgres_conn_str
 }
 }
-
-inputs = {
- tf_state_postgres_conn_str = local.tf_state_postgres_conn_str
-}
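Review bot: The `get_env("TF_VAR_tf_state_postgres_conn_str")` lookup in the first `root.hcl` hunk deliberately reads a variable named so that OpenTofu also picks it up as `var.tf_state_postgres_conn_str`, which is what lets the `inputs` block in the second hunk go away — but nothing in the file says so, and the next reader will wonder why Terragrunt's backend config reads a `TF_VAR_` name. A comment above the local such as `# Same env var feeds the pg backend here and var.tf_state_postgres_conn_str in each module; supplied by op run --env-file=.env (see tf/deployment/.env)` would record that coupling. Leaving `get_env` without a default is the right choice here: a missing connection string should fail at parse time rather than silently hand the backend an empty `conn_str`.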