From c2fa4c83645eecec20c38a29dc4c91cf93f5ee05 Mon Sep 17 00:00:00 2001 From: Zack Pollard Date: Wed, 5 Jun 2024 11:54:48 +0100 Subject: [PATCH 1/9] chore: remove unused immich.app dns records --- .../cloudflare/account/dns-immich-app.tf | 27 ------------------- 1 file changed, 27 deletions(-) diff --git a/deployment/modules/cloudflare/account/dns-immich-app.tf b/deployment/modules/cloudflare/account/dns-immich-app.tf index 6af5ef6b..ee0e7e1d 100644 --- a/deployment/modules/cloudflare/account/dns-immich-app.tf +++ b/deployment/modules/cloudflare/account/dns-immich-app.tf @@ -7,33 +7,6 @@ resource "cloudflare_record" "immich_app_a_demo" { zone_id = cloudflare_zone.immich_app.id } -resource "cloudflare_record" "immich_app_a_star_dot_preview" { - name = "*.preview" - proxied = false - ttl = 1 - type = "A" - value = "141.144.207.87" - zone_id = cloudflare_zone.immich_app.id -} - -resource "cloudflare_record" "immich_app_a_preview" { - name = "preview" - proxied = false - ttl = 1 - type = "A" - value = "141.144.207.87" - zone_id = cloudflare_zone.immich_app.id -} - -resource "cloudflare_record" "immich_app_a_testing" { - name = "testing" - proxied = true - ttl = 1 - type = "A" - value = "143.198.72.84" - zone_id = cloudflare_zone.immich_app.id -} - resource "cloudflare_record" "immich_app_aaaa_docs" { name = "docs" proxied = true From c224e8184e06f40ed5080f79312341d7c25d0abe Mon Sep 17 00:00:00 2001 From: Zack Pollard Date: Wed, 5 Jun 2024 11:55:16 +0100 Subject: [PATCH 2/9] refactor: add mich ip as a local --- deployment/modules/cloudflare/account/dns-immich-cloud.tf | 2 +- deployment/modules/cloudflare/account/locals.tf | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) create mode 100644 deployment/modules/cloudflare/account/locals.tf diff --git a/deployment/modules/cloudflare/account/dns-immich-cloud.tf b/deployment/modules/cloudflare/account/dns-immich-cloud.tf index 2161e56b..382f4ce1 100644 --- a/deployment/modules/cloudflare/account/dns-immich-cloud.tf 
+++ b/deployment/modules/cloudflare/account/dns-immich-cloud.tf @@ -21,6 +21,6 @@ resource "cloudflare_record" "immich_cloud_a_mich" { proxied = false ttl = 1 type = "A" - value = "162.55.86.82" + value = local.mich_ip zone_id = cloudflare_zone.immich_cloud.id } diff --git a/deployment/modules/cloudflare/account/locals.tf b/deployment/modules/cloudflare/account/locals.tf new file mode 100644 index 00000000..471ce06c --- /dev/null +++ b/deployment/modules/cloudflare/account/locals.tf @@ -0,0 +1,3 @@ +locals { + mich_ip = "162.55.86.82" +} \ No newline at end of file From c31de6f9a77e9da17066180656ee6c24d5d585a9 Mon Sep 17 00:00:00 2001 From: Zack Pollard Date: Wed, 5 Jun 2024 11:55:55 +0100 Subject: [PATCH 3/9] refactor: give all the cloudflare api keys proper names --- deployment/modules/cloudflare/api-keys/api-keys.tf | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/deployment/modules/cloudflare/api-keys/api-keys.tf b/deployment/modules/cloudflare/api-keys/api-keys.tf index 23b366df..2b876cf1 100644 --- a/deployment/modules/cloudflare/api-keys/api-keys.tf +++ b/deployment/modules/cloudflare/api-keys/api-keys.tf @@ -1,7 +1,7 @@ data "cloudflare_api_token_permission_groups" "all" {} resource "cloudflare_api_token" "terraform_cloudflare_account" { - name = "terraform" + name = "terraform_cloudflare_account" policy { permission_groups = [ data.cloudflare_api_token_permission_groups.all.account["Pages Write"], @@ -22,7 +22,7 @@ output "terraform_key_cloudflare_account" { } resource "cloudflare_api_token" "terraform_cloudflare_docs" { - name = "terraform" + name = "terraform_cloudflare_docs" policy { permission_groups = [ data.cloudflare_api_token_permission_groups.all.account["Pages Write"], 
@@ -39,9 +39,8 @@ output "terraform_key_cloudflare_docs" { sensitive = true } - resource "cloudflare_api_token" "terraform_cloudflare_pages_upload" { - name = "terraform" + name = "terraform_cloudflare_pages_upload" policy { permission_groups = [ data.cloudflare_api_token_permission_groups.all.account["Pages Write"], From e79a16dd310d6aa9e51be9a79aa3448073e9d709 Mon Sep 17 00:00:00 2001 From: Zack Pollard Date: Wed, 5 Jun 2024 11:56:25 +0100 Subject: [PATCH 4/9] chore: add example.env for running locally --- .gitignore | 3 +++ deployment/example.env | 7 +++++++ 2 files changed, 10 insertions(+) create mode 100644 deployment/example.env diff --git a/.gitignore b/.gitignore index 842b9edd..c28f40c4 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,6 @@ +### Project gitignore +.env + ### VisualStudioCode template .vscode/* !.vscode/settings.json diff --git a/deployment/example.env b/deployment/example.env new file mode 100644 index 00000000..c006c363 --- /dev/null +++ b/deployment/example.env @@ -0,0 +1,7 @@ +export CLOUDFLARE_ACCOUNT_ID= +export CLOUDFLARE_API_TOKEN= +export TF_STATE_POSTGRES_CONN_STR= +export GITHUB_APP_INSTALLATION_ID= +export GITHUB_APP_ID= +export GITHUB_APP_PEM_FILE= +export GITHUB_OWNER= \ No newline at end of file From c4fa4a9fada25515b44bbca54412ccb955208bf5 Mon Sep 17 00:00:00 2001 From: Zack Pollard Date: Wed, 5 Jun 2024 11:57:38 +0100 Subject: [PATCH 5/9] feat: add r2 bucket and mich r2 cloudflare token --- deployment/modules/cloudflare/account/r2.tf | 5 ++++ .../modules/cloudflare/api-keys/api-keys.tf | 28 +++++++++++++++++++ .../modules/cloudflare/api-keys/locals.tf | 3 ++ 3 files changed, 36 insertions(+) create mode 100644 deployment/modules/cloudflare/account/r2.tf create mode 100644 deployment/modules/cloudflare/api-keys/locals.tf diff --git a/deployment/modules/cloudflare/account/r2.tf b/deployment/modules/cloudflare/account/r2.tf new file mode 100644 index 00000000..e24f62ea --- /dev/null 
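Review bot: `export GITHUB_APP_PEM_FILE=` reads as if it expects a path, but the manual-setup table added at the end of this series describes the corresponding secret as "the contents of the PEM file", and as far as I know that is also what the github provider's app authentication takes from this variable. A comment directly above it, `# contents of the GitHub App private key (PEM), not a path to it`, would stop a local run from being pointed at a file. The same wording would fit the `TF_APP_PEM_FILE` secret that patch 8 maps onto this variable.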
+++ b/deployment/modules/cloudflare/account/r2.tf
@@ -0,0 +1,5 @@
+resource "cloudflare_r2_bucket" "tf_state_database_backups" {
+ account_id = var.cloudflare_account_id
+ name = "tf-state-database-backups"
+ location = "weur"
+}
\ No newline at end of file
diff --git a/deployment/modules/cloudflare/api-keys/api-keys.tf b/deployment/modules/cloudflare/api-keys/api-keys.tf
index 2b876cf1..d7a0dd13 100644
--- a/deployment/modules/cloudflare/api-keys/api-keys.tf
+++ b/deployment/modules/cloudflare/api-keys/api-keys.tf
@@ -9,6 +9,7 @@ resource "cloudflare_api_token" "terraform_cloudflare_account" {
 data.cloudflare_api_token_permission_groups.all.zone["Zone Write"],
 data.cloudflare_api_token_permission_groups.all.zone["Zone Settings Write"],
 data.cloudflare_api_token_permission_groups.all.zone["Dynamic URL Redirects Write"],
+ data.cloudflare_api_token_permission_groups.all.account["Workers R2 Storage Write"]
 ]
 resources = {
 "com.cloudflare.api.account.*" = "*"
@@ -55,3 +56,30 @@ output "terraform_key_cloudflare_pages_upload" {
 value = cloudflare_api_token.terraform_cloudflare_account.value
 sensitive = true
 }
+
+resource "cloudflare_api_token" "mich_cloudflare_r2_token" {
+ name = "mich_r2_token"
+ policy {
+ permission_groups = [
+ data.cloudflare_api_token_permission_groups.all.r2["Workers R2 Storage Bucket Item Write"]
+ ]
+ resources = {
+ "com.cloudflare.edge.r2.bucket.*" = "*"
+ }
+ }
+ condition {
+ request_ip {
+ in = local.mich_cidrs
+ }
+ }
+}
+
+output "mich_cloudflare_r2_token_id" {
+ value = cloudflare_api_token.mich_cloudflare_r2_token.id
+ sensitive = true
+}
+
+output "mich_cloudflare_r2_token_value" {
+ value = cloudflare_api_token.mich_cloudflare_r2_token.value
+ sensitive = true
+}
\ No newline at end of file
diff --git a/deployment/modules/cloudflare/api-keys/locals.tf b/deployment/modules/cloudflare/api-keys/locals.tf
new file mode 100644
index 00000000..7692e6be
--- /dev/null
+++ b/deployment/modules/cloudflare/api-keys/locals.tf
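Review bot: Nothing on `tf_state_database_backups` says that its contents are sensitive or protects it from an accidental destroy. Terraform state keeps every attribute and output in plaintext (`sensitive = true` only controls display), so backups of the state database include the Cloudflare token values the api-keys module outputs; a header comment stating that, plus `lifecycle { prevent_destroy = true }` inside the resource, records the intent and stops a `run-all destroy` or a resource rename from deleting the backups along with it.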
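Review bot: Adding `Workers R2 Storage Write` widens `terraform_cloudflare_account`, and the context lines of the next hunk show that `output "terraform_key_cloudflare_pages_upload"` returns `cloudflare_api_token.terraform_cloudflare_account.value`, not the pages-upload token, so the account-wide token (Zone Write, Zone Settings Write and now R2 write) is what leaves this module under the pages-upload name; the secrets.tf hunk in patch 6 then publishes that output as an organisation secret. The mapping looks like a copy-paste slip that pre-dates this commit, but the extra permission raises its cost, so it is worth correcting here: `value = cloudflare_api_token.terraform_cloudflare_pages_upload.value`. Since the account token's value has been exported under the wrong output name, rotating it once the output is fixed would be sensible.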
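Review bot: `mich_cloudflare_r2_token` gets `Workers R2 Storage Bucket Item Write` on `"com.cloudflare.edge.r2.bucket.*" = "*"`, i.e. every R2 bucket the issuing account can reach, while the only bucket this series creates for it is `tf-state-database-backups`. The `request_ip` condition restricts where the token can be used from, not what it can write to, so `resources` should name that bucket; I believe the per-bucket key takes the form `com.cloudflare.edge.r2.bucket.<account_id>_default_<bucket_name>` (worth confirming against the provider docs), and as the bucket is created in the account module its name would have to be passed in. Setting `expires_on` on the token would also give this long-lived backup credential a rotation deadline rather than leaving it valid indefinitely.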
@@ -0,0 +1,3 @@ +locals { + mich_cidrs = ["162.55.86.82/32"] +} From afc7217e7361f8decdf1884f1fddc864e5c6c087 Mon Sep 17 00:00:00 2001 From: Zack Pollard Date: Wed, 5 Jun 2024 12:47:06 +0100 Subject: [PATCH 6/9] feat: add github org iac for secrets initially --- .../modules/cloudflare/account/terragrunt.hcl | 8 +++++-- .../cloudflare/api-keys/terragrunt.hcl | 8 +++++-- deployment/modules/cloudflare/cloudflare.hcl | 9 +++++++ .../modules/github/org/.terraform.lock.hcl | 24 +++++++++++++++++++ deployment/modules/github/org/config.tf | 13 ++++++++++ deployment/modules/github/org/providers.tf | 3 +++ deployment/modules/github/org/remote-state.tf | 8 +++++++ deployment/modules/github/org/secrets.tf | 5 ++++ deployment/modules/github/org/terragrunt.hcl | 15 ++++++++++++ deployment/modules/github/org/variables.tf | 1 + deployment/{state.hcl => root.hcl} | 5 ---- 11 files changed, 90 insertions(+), 9 deletions(-) create mode 100644 deployment/modules/cloudflare/cloudflare.hcl create mode 100644 deployment/modules/github/org/.terraform.lock.hcl create mode 100644 deployment/modules/github/org/config.tf create mode 100644 deployment/modules/github/org/providers.tf create mode 100644 deployment/modules/github/org/remote-state.tf create mode 100644 deployment/modules/github/org/secrets.tf create mode 100644 deployment/modules/github/org/terragrunt.hcl create mode 100644 deployment/modules/github/org/variables.tf rename deployment/{state.hcl => root.hcl} (52%) diff --git a/deployment/modules/cloudflare/account/terragrunt.hcl b/deployment/modules/cloudflare/account/terragrunt.hcl index 8c9e7854..435c8515 100644 --- a/deployment/modules/cloudflare/account/terragrunt.hcl +++ b/deployment/modules/cloudflare/account/terragrunt.hcl @@ -6,8 +6,12 @@ terraform { } } -include { - path = find_in_parent_folders("state.hcl") +include "cloudflare" { + path = find_in_parent_folders("cloudflare.hcl") +} + +include "root" { + path = find_in_parent_folders("root.hcl") } dependencies { 
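Review bot: `mich_cidrs` hard-codes the same address that patch 2 added to `deployment/modules/cloudflare/account/locals.tf` as `mich_ip`, so the DNS A record and the token's source-IP allow-list must now be kept in step by hand; if the host moves and only one file is updated, either the record points at the old box or the token is refused from the new one. One definition would remove the drift, for example a single `mich_ip` supplied to both modules through a parent Terragrunt `inputs` block (as `cloudflare.hcl` does for the account id) with `mich_cidrs = ["${var.mich_ip}/32"]` derived from it. A comment on the local naming which host the address belongs to would also help the next reader.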
diff --git a/deployment/modules/cloudflare/api-keys/terragrunt.hcl b/deployment/modules/cloudflare/api-keys/terragrunt.hcl index 5fb7106e..701e5b0c 100644 --- a/deployment/modules/cloudflare/api-keys/terragrunt.hcl +++ b/deployment/modules/cloudflare/api-keys/terragrunt.hcl @@ -6,6 +6,10 @@ terraform { } } -include { - path = find_in_parent_folders("state.hcl") +include "cloudflare" { + path = find_in_parent_folders("cloudflare.hcl") +} + +include "root" { + path = find_in_parent_folders("root.hcl") } diff --git a/deployment/modules/cloudflare/cloudflare.hcl b/deployment/modules/cloudflare/cloudflare.hcl new file mode 100644 index 00000000..53f44c12 --- /dev/null +++ b/deployment/modules/cloudflare/cloudflare.hcl @@ -0,0 +1,9 @@ +locals { + cloudflare_account_id = get_env("CLOUDFLARE_ACCOUNT_ID") + cloudflare_api_token = get_env("CLOUDFLARE_API_TOKEN") +} + +inputs = { + cloudflare_account_id = local.cloudflare_account_id + cloudflare_api_token = local.cloudflare_api_token +} \ No newline at end of file diff --git a/deployment/modules/github/org/.terraform.lock.hcl b/deployment/modules/github/org/.terraform.lock.hcl new file mode 100644 index 00000000..b8643fae --- /dev/null +++ b/deployment/modules/github/org/.terraform.lock.hcl 
@@ -0,0 +1,24 @@ +# This file is maintained automatically by "tofu init". +# Manual edits may be lost in future updates. + +provider "registry.opentofu.org/integrations/github" { + version = "6.2.1" + constraints = "~> 6.0" + hashes = [ + "h1:ip7024qn1ewDqlNucxh07DHvuhSLZSqtTGewxNLeYYU=", + "zh:172aa5141c525174f38504a0d2e69d0d16c0a0b941191b7170fe6ae4d7282e30", + "zh:1a098b731fa658c808b591d030cc17cc7dfca1bf001c3c32e596f8c1bf980e9f", + "zh:245d6a1c7e632d8ae4bdd2da2516610c50051e81505cf420a140aa5fa076ea90", + "zh:43c61c230fb4ed26ff1b04b857778e65be3d8f80292759abbe2a9eb3c95f6d97", + "zh:59bb7dd509004921e4322a196be476a2f70471b462802f09d03d6ce96f959860", + "zh:5cb2ab8035d015c0732107c109210243650b6eb115e872091b0f7b98c2763777", + "zh:69d2a6acfcd686f7e859673d1c8a07fc1fc1598a881493f19d0401eb74c0f325", + "zh:77f36d3f46911ace5c50dee892076fddfd64a289999a5099f8d524c0143456d1", + "zh:87df41097dfcde72a1fbe89caca882af257a4763c2e1af669c74dcb8530f9932", + "zh:899dbe621f32d58cb7c6674073a6db8328a9db66eecfb0cc3fc13299fd4e62e7", + "zh:ad2eb7987f02f7dd002076f65a685730705d04435313b5cf44d3a6923629fb29", + "zh:b2145ae7134dba893c7f74ad7dfdc65fdddf6c7b1d0ce7e2f3baa96212322fd8", + "zh:bd6bae3ac5c3f96ad9219d3404aa006ef1480e9041d4c95df1808737e37d911b", + "zh:e89758b20ae59f1b9a6d32c107b17846ddca9634b868cf8f5c927cbb894b1b1f", + ] +} diff --git a/deployment/modules/github/org/config.tf b/deployment/modules/github/org/config.tf new file mode 100644 index 00000000..a17104f0 --- /dev/null +++ b/deployment/modules/github/org/config.tf @@ -0,0 +1,13 @@ +terraform { + backend "pg" { + schema_name = "prod_github_org" + } + required_version = "~> 1.7" + + required_providers { + github = { + source = "integrations/github" + version = "~> 6.0" + } + } +} \ No newline at end of file diff --git a/deployment/modules/github/org/providers.tf b/deployment/modules/github/org/providers.tf new file mode 100644 index 00000000..af1f9a30 --- /dev/null +++ b/deployment/modules/github/org/providers.tf 
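Review bot: The github provider is constrained with `version = "~> 6.0"`, whereas `deployment/modules/cloudflare/api-keys/config.tf` pins the cloudflare provider to an exact `4.34.0` (visible as context in patch 7), so the two modules follow different pinning policies. The committed `.terraform.lock.hcl` fixes 6.2.1 with hashes, so this is a consistency point rather than a supply-chain gap, but one convention across modules — exact pins everywhere, or `~>` everywhere with the lockfile doing the pinning — is easier to audit and to bump.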
@@ -0,0 +1,3 @@
+provider "github" {
+ app_auth {}
+}
\ No newline at end of file
diff --git a/deployment/modules/github/org/remote-state.tf b/deployment/modules/github/org/remote-state.tf
new file mode 100644
index 00000000..99df6e63
--- /dev/null
+++ b/deployment/modules/github/org/remote-state.tf
@@ -0,0 +1,8 @@
+data "terraform_remote_state" "api_keys_state" {
+ backend = "pg"
+
+ config = {
+ conn_str = var.tf_state_postgres_conn_str
+ schema_name = "prod_cloudflare_api_keys"
+ }
+}
diff --git a/deployment/modules/github/org/secrets.tf b/deployment/modules/github/org/secrets.tf
new file mode 100644
index 00000000..893ab0d7
--- /dev/null
+++ b/deployment/modules/github/org/secrets.tf
@@ -0,0 +1,5 @@
+resource "github_actions_organization_secret" "cloudflare_api_token_pages_upload" {
+ secret_name = "CLOUDFLARE_API_TOKEN_PAGES_UPLOAD"
+ plaintext_value = data.terraform_remote_state.api_keys_state.outputs.terraform_key_cloudflare_pages_upload
+ visibility = "all"
+}
diff --git a/deployment/modules/github/org/terragrunt.hcl b/deployment/modules/github/org/terragrunt.hcl
new file mode 100644
index 00000000..53d976a8
--- /dev/null
+++ b/deployment/modules/github/org/terragrunt.hcl
@@ -0,0 +1,15 @@
+terraform {
+ source = "."
+
+ extra_arguments custom_vars {
+ commands = get_terraform_commands_that_need_vars()
+ }
+}
+
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+}
+
+dependencies {
+ paths = ["../../cloudflare/api-keys"]
+}
\ No newline at end of file
diff --git a/deployment/modules/github/org/variables.tf b/deployment/modules/github/org/variables.tf
new file mode 100644
index 00000000..81b2d15f
--- /dev/null
+++ b/deployment/modules/github/org/variables.tf
@@ -0,0 +1 @@
+variable "tf_state_postgres_conn_str" {}
diff --git a/deployment/state.hcl b/deployment/root.hcl
similarity index 52%
rename from deployment/state.hcl
rename to deployment/root.hcl
index 5c3fc7cf..48b98e94 100644
--- a/deployment/state.hcl
+++ b/deployment/root.hcl
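Review bot: `provider "github" { app_auth {} }` gives no hint of where its credentials come from; with an empty `app_auth` block the provider falls back to environment variables, which is why the workflow and `example.env` set `GITHUB_APP_ID`, `GITHUB_APP_INSTALLATION_ID`, `GITHUB_APP_PEM_FILE` and `GITHUB_OWNER`. A comment above the block, `# App credentials and owner come from GITHUB_APP_ID, GITHUB_APP_INSTALLATION_ID, GITHUB_APP_PEM_FILE and GITHUB_OWNER (see deployment/example.env)`, would save the next reader a trip through the provider docs.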
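Review bot: `visibility = "all"` exposes `CLOUDFLARE_API_TOKEN_PAGES_UPLOAD` to Actions workflows in every repository of the organisation, public ones included, so the token's reach is set by the weakest repository rather than by the ones that publish Pages. Only those repositories need it; `visibility = "selected"` together with `selected_repository_ids` listing them keeps it to that set. Note also that the value comes from the `terraform_key_cloudflare_pages_upload` output, which in the api-keys.tf context shown in patch 5 resolves to the account-wide token, so that output is worth checking before this secret is first applied.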
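Review bot: `variable "tf_state_postgres_conn_str" {}` holds database credentials but is declared with neither a type nor `sensitive = true`, so the value can be printed in plan output or error messages wherever the `terraform_remote_state` config that consumes it is rendered. Giving the block `type = string` and `sensitive = true` costs two lines and makes Terraform redact it. A one-line comment that this appears to be the same connection string the root `remote_state` uses would explain why the module takes it as an input at all.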
@@ -1,7 +1,4 @@ locals { - cloudflare_account_id = get_env("CLOUDFLARE_ACCOUNT_ID") - cloudflare_api_token = get_env("CLOUDFLARE_API_TOKEN") - tf_state_postgres_conn_str = get_env("TF_STATE_POSTGRES_CONN_STR") } @@ -14,7 +11,5 @@ remote_state { } inputs = { - cloudflare_account_id = local.cloudflare_account_id - cloudflare_api_token = local.cloudflare_api_token tf_state_postgres_conn_str = local.tf_state_postgres_conn_str } From 5f328e50d22d8a6b97d07809234d93b8f179b2a6 Mon Sep 17 00:00:00 2001 From: Zack Pollard Date: Wed, 5 Jun 2024 14:27:46 +0100 Subject: [PATCH 7/9] chore: add and tell IDE's to add newlines to end of files --- .editorconfig | 16 ++++++++++++++++ .github/workflows/terragrunt.yaml | 2 -- deployment/README.md | 2 +- deployment/example.env | 2 +- deployment/modules/cloudflare/account/locals.tf | 2 +- .../modules/cloudflare/account/pages-project.tf | 2 +- deployment/modules/cloudflare/account/r2.tf | 2 +- .../modules/cloudflare/api-keys/api-keys.tf | 2 +- deployment/modules/cloudflare/api-keys/config.tf | 2 +- deployment/modules/cloudflare/cloudflare.hcl | 6 +++--- deployment/modules/github/org/config.tf | 2 +- deployment/modules/github/org/providers.tf | 2 +- deployment/modules/github/org/terragrunt.hcl | 2 +- 13 files changed, 29 insertions(+), 15 deletions(-) create mode 100644 .editorconfig diff --git a/.editorconfig b/.editorconfig new file mode 100644 index 00000000..3abce03c --- /dev/null +++ b/.editorconfig @@ -0,0 +1,16 @@ +# Editor configuration, see https://editorconfig.org +root = true + +[*] +charset = utf-8 +indent_style = space +indent_size = 2 +insert_final_newline = true +trim_trailing_whitespace = true + +[*.{md,mdx}] +max_line_length = off +trim_trailing_whitespace = false + +[*.{yml,yaml}] +quote_type = single diff --git a/.github/workflows/terragrunt.yaml b/.github/workflows/terragrunt.yaml index 6c7ff855..76a99d2f 100644 --- a/.github/workflows/terragrunt.yaml +++ b/.github/workflows/terragrunt.yaml 
@@ -76,5 +76,3 @@ jobs: tg_version: ${{ env.tg_version }} tg_dir: ${{ env.working_dir }} tg_command: 'run-all apply' - - diff --git a/deployment/README.md b/deployment/README.md index 6ffbb6a8..ba20ea3c 100644 --- a/deployment/README.md +++ b/deployment/README.md @@ -10,4 +10,4 @@ To deploy the OpenTofu modules, follow these steps: 1. Install Terragrunt with `tenv terragrunt install ${version}` then run `tenv terragrunt use ${version}` 1. Set `CLOUDFLARE_API_TOKEN`, `CLOUDFLARE_ACCOUNT_ID` and `TF_STATE_POSTGRES_CONN_STR` in your environment 1. Switch to the `deployment/modules` folder -1. Run `terragrunt run-all plan` to see what changes will be applied for your changes \ No newline at end of file +1. Run `terragrunt run-all plan` to see what changes will be applied for your changes diff --git a/deployment/example.env b/deployment/example.env index c006c363..4508d785 100644 --- a/deployment/example.env +++ b/deployment/example.env @@ -4,4 +4,4 @@ export TF_STATE_POSTGRES_CONN_STR= export GITHUB_APP_INSTALLATION_ID= export GITHUB_APP_ID= export GITHUB_APP_PEM_FILE= -export GITHUB_OWNER= \ No newline at end of file +export GITHUB_OWNER= diff --git a/deployment/modules/cloudflare/account/locals.tf b/deployment/modules/cloudflare/account/locals.tf index 471ce06c..f81138ec 100644 --- a/deployment/modules/cloudflare/account/locals.tf +++ b/deployment/modules/cloudflare/account/locals.tf @@ -1,3 +1,3 @@ locals { mich_ip = "162.55.86.82" -} \ No newline at end of file +} diff --git a/deployment/modules/cloudflare/account/pages-project.tf b/deployment/modules/cloudflare/account/pages-project.tf index 3bc85f1a..093e0cec 100644 --- a/deployment/modules/cloudflare/account/pages-project.tf +++ b/deployment/modules/cloudflare/account/pages-project.tf @@ -39,4 +39,4 @@ output "immich_app_preview_pages_project_name" { output "immich_app_preview_pages_project_subdomain" { value = cloudflare_pages_project.immich_app_preview.subdomain -} \ No newline at end of file +} 
diff --git a/deployment/modules/cloudflare/account/r2.tf b/deployment/modules/cloudflare/account/r2.tf index e24f62ea..7ee633aa 100644 --- a/deployment/modules/cloudflare/account/r2.tf +++ b/deployment/modules/cloudflare/account/r2.tf @@ -2,4 +2,4 @@ resource "cloudflare_r2_bucket" "tf_state_database_backups" { account_id = var.cloudflare_account_id name = "tf-state-database-backups" location = "weur" -} \ No newline at end of file +} diff --git a/deployment/modules/cloudflare/api-keys/api-keys.tf b/deployment/modules/cloudflare/api-keys/api-keys.tf index d7a0dd13..8e734c51 100644 --- a/deployment/modules/cloudflare/api-keys/api-keys.tf +++ b/deployment/modules/cloudflare/api-keys/api-keys.tf @@ -82,4 +82,4 @@ output "mich_cloudflare_r2_token_id" { output "mich_cloudflare_r2_token_value" { value = cloudflare_api_token.mich_cloudflare_r2_token.value sensitive = true -} \ No newline at end of file +} diff --git a/deployment/modules/cloudflare/api-keys/config.tf b/deployment/modules/cloudflare/api-keys/config.tf index e695147b..95bd0500 100644 --- a/deployment/modules/cloudflare/api-keys/config.tf +++ b/deployment/modules/cloudflare/api-keys/config.tf @@ -10,4 +10,4 @@ terraform { version = "4.34.0" } } -} \ No newline at end of file +} diff --git a/deployment/modules/cloudflare/cloudflare.hcl b/deployment/modules/cloudflare/cloudflare.hcl index 53f44c12..42b540a5 100644 --- a/deployment/modules/cloudflare/cloudflare.hcl +++ b/deployment/modules/cloudflare/cloudflare.hcl @@ -4,6 +4,6 @@ locals { } inputs = { - cloudflare_account_id = local.cloudflare_account_id - cloudflare_api_token = local.cloudflare_api_token -} \ No newline at end of file + cloudflare_account_id = local.cloudflare_account_id + cloudflare_api_token = local.cloudflare_api_token +} diff --git a/deployment/modules/github/org/config.tf b/deployment/modules/github/org/config.tf index a17104f0..eba7e624 100644 --- a/deployment/modules/github/org/config.tf +++ b/deployment/modules/github/org/config.tf 
@@ -10,4 +10,4 @@ terraform { version = "~> 6.0" } } -} \ No newline at end of file +} diff --git a/deployment/modules/github/org/providers.tf b/deployment/modules/github/org/providers.tf index af1f9a30..1dabfab9 100644 --- a/deployment/modules/github/org/providers.tf +++ b/deployment/modules/github/org/providers.tf @@ -1,3 +1,3 @@ provider "github" { app_auth {} -} \ No newline at end of file +} diff --git a/deployment/modules/github/org/terragrunt.hcl b/deployment/modules/github/org/terragrunt.hcl index 53d976a8..d81ebdcb 100644 --- a/deployment/modules/github/org/terragrunt.hcl +++ b/deployment/modules/github/org/terragrunt.hcl @@ -12,4 +12,4 @@ include "root" { dependencies { paths = ["../../cloudflare/api-keys"] -} \ No newline at end of file +} From 90b187b8fa2f839263f71af5906ef68e9662df9f Mon Sep 17 00:00:00 2001 From: Zack Pollard Date: Wed, 5 Jun 2024 15:01:32 +0100 Subject: [PATCH 8/9] feat: deploy github org iac through github actions --- .github/workflows/terragrunt.yaml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/.github/workflows/terragrunt.yaml b/.github/workflows/terragrunt.yaml index 76a99d2f..35c1dad9 100644 --- a/.github/workflows/terragrunt.yaml +++ b/.github/workflows/terragrunt.yaml @@ -8,7 +8,7 @@ on: env: tofu_version: '1.7.1' tg_version: '0.58.12' - working_dir: 'deployment/modules/cloudflare' + working_dir: 'deployment' jobs: check: @@ -50,6 +50,10 @@ jobs: CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }} CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }} TF_STATE_POSTGRES_CONN_STR: ${{ secrets.TF_STATE_POSTGRES_CONN_STR }} + GITHUB_APP_INSTALLATION_ID: ${{ secrets.TF_APP_INSTALLATION_ID }} + GITHUB_APP_ID: ${{ secrets.TF_APP_ID }} + GITHUB_APP_PEM_FILE: ${{ secrets.TF_APP_PEM_FILE }} + GITHUB_OWNER: ${{ secrets.TF_APP_GITHUB_OWNER }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: tofu_version: ${{ env.tofu_version }} 
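Review bot: The check job now exports the four app variables alongside the existing `GITHUB_TOKEN`, while the apply job in the next hunk exports only the app variables, so the two jobs may authenticate the github provider differently; as far as I recall the provider also accepts a token from `GITHUB_TOKEN`, and which credential wins when both are set is not something this workflow pins down. If `GITHUB_TOKEN` is still needed by another step, scoping it to that step's `env` or adding a comment saying why it stays would keep plan and apply on the same identity. Both hunks' enclosing jobs start outside the hunk.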
@@ -71,6 +75,10 @@ jobs:
 CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
 CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
 TF_STATE_POSTGRES_CONN_STR: ${{ secrets.TF_STATE_POSTGRES_CONN_STR }}
+ GITHUB_APP_INSTALLATION_ID: ${{ secrets.TF_APP_INSTALLATION_ID }}
+ GITHUB_APP_ID: ${{ secrets.TF_APP_ID }}
+ GITHUB_APP_PEM_FILE: ${{ secrets.TF_APP_PEM_FILE }}
+ GITHUB_OWNER: ${{ secrets.TF_APP_GITHUB_OWNER }}
 with:
 tofu_version: ${{ env.tofu_version }}
 tg_version: ${{ env.tg_version }}
From 657ba753ec3b6eeb7dee2ecde6f9c42fa8fa1a81 Mon Sep 17 00:00:00 2001
From: Zack Pollard
Date: Wed, 5 Jun 2024 15:01:47 +0100
Subject: [PATCH 9/9] docs: add manual setup steps required for IAC in github actions
---
 deployment/manual-setup.md | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 deployment/manual-setup.md
diff --git a/deployment/manual-setup.md b/deployment/manual-setup.md
new file mode 100644
index 00000000..37148988
--- /dev/null
+++ b/deployment/manual-setup.md
@@ -0,0 +1,15 @@
+# Manual Setup Steps
+
+This lists all the steps required to manually setup the IAC deployments in Github Actions.
+
+### Github Secrets
+
+| Secret | Secret Type | Description |
+|-----------------------------|-----------------|-----------------------------------------------------------------------------|
+| TF_APP_INSTALLATION_ID | Organisation | The installation ID of the Immich Github App |
+| TF_APP_ID | Organisation | The ID of the Immich Github App |
+| TF_APP_PEM_FILE | Repo (devtools) | The contents of the PEM file for the Github App |
+| TF_APP_GITHUB_OWNER | Organisation | The Github owner of the repository (immich-app) |
+| CLOUDFLARE_API_TOKEN | Repo (devtools) | The Cloudflare API token scoped to create new API keys |
+| CLOUDFLARE_ACCOUNT_ID | Organisation | The Cloudflare account ID |
+| TF_STATE_POSTGRES_CONN_STR | Organisation | The connection string for the Postgres database for Terraform state storage |