From 4be62a69ed3d1cdfe281d907933c63783604da9f Mon Sep 17 00:00:00 2001
From: Paul-Henri Froidmont
Date: Tue, 7 Feb 2023 23:25:29 +0100
Subject: [PATCH] Improve terraform secrets management
---
 .envrc | 3 +-
 config.tf | 37 -------------------
 secrets.enc.yml | 8 +++--
 terraform/config.tf | 49 ++++++++++++++++++++++++++
 dns.tf => terraform/dns.tf | 0
 instances.tf => terraform/instances.tf | 0
 outputs.tf => terraform/outputs.tf | 0
 7 files changed, 57 insertions(+), 40 deletions(-)
 delete mode 100644 config.tf
 create mode 100644 terraform/config.tf
 rename dns.tf => terraform/dns.tf (100%)
 rename instances.tf => terraform/instances.tf (100%)
 rename outputs.tf => terraform/outputs.tf (100%)
diff --git a/.envrc b/.envrc
index 3b2cfd9..9eed314 100644
--- a/.envrc
+++ b/.envrc
@@ -1,2 +1,3 @@
 use flake
-export SOPS_PGP_FP="3AC6F170F01133CE393BCD94BE948AFD7E7873BE"
+
+export TF_HTTP_PASSWORD=`sops -d --extract '["gitlab"]["password"]' secrets.enc.yml`
\ No newline at end of file
diff --git a/config.tf b/config.tf
deleted file mode 100644
index 0a2e05b..0000000
--- a/config.tf
+++ /dev/null
@@ -1,37 +0,0 @@
-terraform {
- backend "http" {
- }
- required_providers {
- hcloud = {
- source = "hetznercloud/hcloud"
- version = "1.24.1"
- }
-
- hetznerdns = {
- source = "timohirt/hetznerdns"
- version = ">= 1.1.1"
- }
-
- sops = {
- source = "carlpett/sops"
- version = "~> 0.5"
- }
- }
-}
-
-variable "hcloud_token" {}
-
-provider "hcloud" {
- token = var.hcloud_token
-}
-
-resource "hcloud_ssh_key" "froidmpa-desktop" {
- name = "froidmpa-desktop"
- public_key = file("ssh_keys/froidmpa-desktop.pub")
-}
-
-variable "hetznerdns_token" {}
-
-provider "hetznerdns" {
- apitoken = var.hetznerdns_token
-}
diff --git a/secrets.enc.yml b/secrets.enc.yml
index 7555c73..ca74e71 100644
--- a/secrets.enc.yml
+++ b/secrets.enc.yml
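Review bot: The backtick substitution on the added `export TF_HTTP_PASSWORD=` line in `.envrc` masks a failing `sops -d`: the error goes only to stderr and an empty password is exported, so terraform later fails with an authentication error against the GitLab backend instead of at the point of decryption. Separating assignment from export keeps the exit status of sops observable: `TF_HTTP_PASSWORD="$(sops -d --extract '["gitlab"]["password"]' secrets.enc.yml)"` followed by `export TF_HTTP_PASSWORD`. Note also that an `.envrc` export places the decrypted token in the environment of every process started in this directory, not only terraform; decrypting closer to the terraform invocation would narrow that exposure. Dropping `SOPS_PGP_FP` is fine for decryption, which reads recipients from the file's own metadata, but creating or re-keying a sops file will then rely on a `.sops.yaml` creation rule if one exists — worth a one-line comment in `.envrc`.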
@@ -1,8 +1,12 @@
+hcloud:
+ token: ENC[AES256_GCM,data:cLSwCwwtCaSn1eewHeLpCj4eS05z5+p5fpi0qZRj7/aNnKvugcME/eG3VR90hvpsS0g/EIWGmYK9Bv6thWEn1A==,iv:X9r7bQrNqaGRK7QwA6OtwyqUnoNCAf+ZbnMe/26cF2w=,tag:emGH0SWvFTE3AmYRNHKXcQ==,type:str]
+ dns_token: ENC[AES256_GCM,data:v41w2CkGH1bBDIv0MfhOKEYDn842zLoG8tpuVcuspic=,iv:+8fH5X0b+K4QOepvxFMOZIEUqeF+eCBZVfznXoefEUg=,tag:x78M9UQ0klJeVxtnPwMHGQ==,type:str]
 grafana:
 admin_password: ENC[AES256_GCM,data:seXajvIHrEU7XR/XVD6uG/dmZ5I2oiL5IxsM+sMlV9awLwnYpDI0u0gJbYqSYvMRhXS/ZhXuXaTJhgXD,iv:oavt6HtbCCLznPgpSSLKHcHPuJSP+7hPPLepu5orqm0=,tag:Gubg8LEYUMInZpXE1SDYtQ==,type:str]
 nix:
 cache_secret_key: ENC[AES256_GCM,data:Q2mRU+EuTyqjYNvbuyGLqoDSqa/7EPlzNuCJU7QUBRSozf1D4dDzAPNU47xZ2rKcjz6Eg4OhAZLlGeFw9le8SzHOSJ65UYHoMMc6Rpvv/fPhgg2s2UMArrqyO3ultj1pVe3eIIRzBQcdoFqVDg==,iv:jhMTWEO6ahcZl+Dq6mA+mWIie8T0Dq1ZYe/HHYAD5ss=,tag:2GRmd2z96+TGI7MdvOBEdA==,type:str]
 gitlab:
+ password: ENC[AES256_GCM,data:+DptcLNXBmI7c8TrlF2U3+4FAeg=,iv:POtL7Cu6KvgEs9SFokR1G9yviqvqUcy8KNlB42FU9PQ=,tag:yWgsuDou+R05EEe7j8r7WA==,type:str]
 runner_registration_config: ENC[AES256_GCM,data:BxkP4+moNV4eip9g2MoOFzZgWvYHELQ3qOJxMAGV9Ffdy5Fhl7mFNE85yv2I09hg2hwd68V3ThwiZ7eBoOi87bDRN82PeIyDqPtjbNA1ZcLJqE8=,iv:I/1wzcVSiz90cgRqMhGfN1wdB0EVQYVPyFn3RvSbTaw=,tag:8hMKQfmtPZf3nbs4LjnH3w==,type:str]
 synapse:
 db_password: ENC[AES256_GCM,data:hy2BgTsRaZDQZULTW/csmnRy5ZjDEuPqxyuINv0ov5pFzDkozJVL1wut3HgBXjYZ8bqNjS5pCPQtkznw,iv:i41zKGwvPGIEZP0ZjhRaY4UMeOXBovQmLr1e1ewZhV4=,tag:3kKKYouH+lOrNxPJE5ul/Q==,type:str]
@@ -66,8 +70,8 @@ sops:
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2022-11-30T23:53:32Z"
- mac: ENC[AES256_GCM,data:zb23kjrAAAsgSzkpx3fU2vzaZXii5euZyrkv8v4nyq20dLbuoW0N7UuvLushRq8t0PHaDaBvH/iiiBJkGq0r+pFasyKaFu7dGh2ApEBcm4Nu7SUbOslZRvzXakBbEChMvMBUEn2LcXu8P9144L83ztygmDO3VDGRP7SCSSExz7s=,iv:R/JbRCFFSQSNbmcq41MpDF/tTVls+3djiSxZ+NYWrew=,tag:ajwb+40N/vCzikvonBNH4w==,type:str]
+ lastmodified: "2023-02-07T22:18:44Z"
+ mac: ENC[AES256_GCM,data:rmoEZq8DCkEsw7OOY/a8c9z4JCWEe0cdgVOY2IArDEYEXj8e2s38d8djMHUwvv/7T/FjCafp8LDvlke3pYXNFOVDFMl2HJgIsLeRyVM/V38BaXbOFImid7RKv/s0QiqqucOV6ajqCUmG6SbwyB64Ju9ZWkB2NKyhiI4NxeV4Qd8=,iv:U4IwXdWSxs8Dv6mzM42G3dDyv8fWE6wahmvkwRwynmg=,tag:GMqn4GXbCvqfeTWM1POLZw==,type:str]
 pgp:
 - created_at: "2021-11-29T00:57:34Z"
 enc: |
diff --git a/terraform/config.tf b/terraform/config.tf
new file mode 100644
index 0000000..6817042
--- /dev/null
+++ b/terraform/config.tf
@@ -0,0 +1,49 @@
+terraform {
+ backend "http" {
+ address = "https://gitlab.com/api/v4/projects/22845244/terraform/state/prod"
+ lock_address = "https://gitlab.com/api/v4/projects/22845244/terraform/state/prod/lock"
+ lock_method = "POST"
+ unlock_address = "https://gitlab.com/api/v4/projects/22845244/terraform/state/prod/lock"
+ unlock_method = "DELETE"
+ username = "phfroidmont"
+ }
+ required_providers {
+ hcloud = {
+ source = "hetznercloud/hcloud"
+ version = "1.24.1"
+ }
+
+ hetznerdns = {
+ source = "timohirt/hetznerdns"
+ version = ">= 2.2.0"
+ }
+
+ sops = {
+ source = "carlpett/sops"
+ version = "~> 0.7"
+ }
+ }
+}
+
+data "sops_file" "secrets" {
+ source_file = "../secrets.enc.yml"
+}
+
+
+provider "hcloud" {
+ token = data.sops_file.secrets.data["hcloud.token"]
+}
+
+provider "hetznerdns" {
+ apitoken = data.sops_file.secrets.data["hcloud.dns_token"]
+}
+
+resource "hcloud_ssh_key" "froidmpa-desktop" {
+ name = "froidmpa-desktop"
+ public_key = file("../ssh_keys/froidmpa-desktop.pub")
+}
+
+resource "hcloud_ssh_key" "froidmpa-laptop" {
+ name = "froidmpa-laptop"
+ public_key = file("../ssh_keys/froidmpa-laptop.pub")
+}
diff --git a/dns.tf b/terraform/dns.tf
similarity index 100%
rename from dns.tf
rename to terraform/dns.tf
diff --git a/instances.tf b/terraform/instances.tf
similarity index 100%
rename from instances.tf
rename to terraform/instances.tf
diff --git a/outputs.tf b/terraform/outputs.tf
similarity index 100%
rename from outputs.tf
rename to terraform/outputs.tf
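Review bot: `data "sops_file" "secrets"` decrypts all of `../secrets.enc.yml`, and a data source's attributes are recorded in Terraform state, so every value in that file — including the grafana, nix cache, synapse and gitlab secrets that no provider here reads — ends up in clear text in the remote state that the new `backend "http"` block pushes to the gitlab.com project; the provider marking `data` as sensitive only hides it from CLI output, not from the state file. Pointing the data source at a separate sops file that holds only the two hcloud keys, e.g. `source_file = "../terraform-secrets.enc.yml"` (constructed name), keeps the rest out of state, and access to that project's state should in any case be treated as access to the secrets themselves. Separately, `hcloud.dns_token` names the Hetzner DNS API token after the cloud provider although it feeds `provider "hetznerdns"`; a key such as `hetznerdns.token`, with the matching rename in `secrets.enc.yml`, would read less ambiguously. The new `hcloud_ssh_key.froidmpa-laptop` resource reads `../ssh_keys/froidmpa-laptop.pub`, which this patch does not add, so `file()` will fail at plan time unless that key is already committed — presumably it is, but it is not visible here. Provider pins are also mixed (`hcloud` exact at `1.24.1`, `hetznerdns` open-ended `>= 2.2.0`), which is fine only if a `.terraform.lock.hcl` is committed for the new `terraform/` directory.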