author | Trygve Laugstøl <trygvis@inamo.no> | 2021-01-10 22:23:13 +0100 |
---|---|---|
committer | Trygve Laugstøl <trygvis@inamo.no> | 2021-01-10 22:23:13 +0100 |
commit | dcf9d7e3efbbe791db1a21de1dd21abf2ff22f81 (patch) | |
tree | 4c16e01fed19fa5e5de8902785b450fdcd063ddb | |
parent | 16795884f3e915ed6d8b086fd5b6b93fc4858a27 (diff) | |
terraform in minio
-rw-r--r-- | .gitignore | 2 | ||||
-rw-r--r-- | .settings.sh | 14 | ||||
-rw-r--r-- | ansible/.gitignore | 1 | ||||
-rw-r--r-- | bin/.gitignore (renamed from tools/.gitignore) | 0 | ||||
-rwxr-xr-x | bin/dhall (renamed from tools/dhall) | 0 | ||||
l--------- | bin/dhall-to-json (renamed from tools/dhall-to-json) | 0 | ||||
l--------- | bin/dhall-to-yaml-ng (renamed from tools/dhall-to-yaml-ng) | 0 | ||||
l--------- | bin/json-to-dhall (renamed from tools/json-to-dhall) | 0 | ||||
-rwxr-xr-x | bin/terraform | 25 | ||||
l--------- | bin/yaml-to-dhall (renamed from tools/yaml-to-dhall) | 0 | ||||
-rw-r--r-- | terraform-minio/README.md | 5 | ||||
-rw-r--r-- | terraform-minio/main.tf | 29 | ||||
-rw-r--r-- | terraform-minio/root.tf | 46 | ||||
l--------- | terraform/dns/terraform.d | 1 | ||||
-rw-r--r-- | terraform/main.tf | 12 | ||||
-rw-r--r-- | terraform/minio/README.md | 3 |
16 files changed, 133 insertions, 5 deletions
@@ -1 +1,3 @@
 secrets/
+.terraform
+.settings-vault
diff --git a/.settings.sh b/.settings.sh
index 61442c9..b8ecb8a 100644
--- a/.settings.sh
+++ b/.settings.sh
@@ -3,5 +3,15 @@
 basedir=$(dirname "$_")
 basedir=$(cd "$basedir" && pwd)
-echo "Adding tools/ to path"
-PATH="$basedir/tools:$PATH"
+echo "Adding bin/ to path"
+PATH="$basedir/bin:$PATH"
+
+if [[ ! -r .settings-vault ]]
+then
+ echo "Missing .settings-vault"
+else
+ echo "Loading secrets"
+ source <(cd $basedir/ansible; ansible-vault view ../.settings-vault)
+fi
+
+alias terraform="ANSIBLE_VAULT_PASS=\$($(pwd)/ansible/.vault-password) $basedir/bin/terraform"
diff --git a/ansible/.gitignore b/ansible/.gitignore
index 81e8ccb..52f3df5 100644
--- a/ansible/.gitignore
+++ b/ansible/.gitignore
@@ -6,3 +6,4 @@
 .vault-password.asc
 *.pyc
 env
+*.local.*
diff --git a/tools/.gitignore b/bin/.gitignore
index ba077a4..ba077a4 100644
--- a/tools/.gitignore
+++ b/bin/.gitignore
diff --git a/tools/dhall-to-json b/bin/dhall-to-json
index ffe753a..ffe753a 120000
--- a/tools/dhall-to-json
+++ b/bin/dhall-to-json
diff --git a/tools/dhall-to-yaml-ng b/bin/dhall-to-yaml-ng
index ffe753a..ffe753a 120000
--- a/tools/dhall-to-yaml-ng
+++ b/bin/dhall-to-yaml-ng
diff --git a/tools/json-to-dhall b/bin/json-to-dhall
index ffe753a..ffe753a 120000
--- a/tools/json-to-dhall
+++ b/bin/json-to-dhall
diff --git a/bin/terraform b/bin/terraform
new file mode 100755
index 0000000..06c2a76
--- /dev/null
+++ b/bin/terraform
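Review bot: The new `if [[ ! -r .settings-vault ]]` test and the `$(pwd)` baked into the `alias terraform=` line are both resolved against whatever directory the user happens to be in, while `$basedir` two lines above was computed precisely so the file works when sourced from elsewhere; from any other directory the vault is reported missing and the alias points at a `.vault-password` that does not exist. Anchor both on `$basedir` and quote it, e.g. `if [[ ! -r "$basedir/.settings-vault" ]]`, `source <(cd "$basedir/ansible" && ansible-vault view ../.settings-vault)` and `alias terraform="ANSIBLE_VAULT_PASS=\$($basedir/ansible/.vault-password) $basedir/bin/terraform"`; the `&&` also stops `ansible-vault` from running in the wrong directory when the `cd` fails, since `set -e` is not in effect in a sourced file. Everything the decrypted vault exports lands in the interactive shell's environment and is inherited by every process started from it, which is presumably intended but deserves a one-line comment above the `source`. The hunk's trailing context line is cut off in this view.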
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+set -euo pipefail
+#set -x
+
+basedir="$(dirname $0)"
+
+terraform_version=0.13.5
+terraform_url=https://releases.hashicorp.com/terraform/$terraform_version/terraform_${terraform_version}_linux_amd64.zip
+
+dl_d=$basedir/.terraform/dl
+zip_file=$dl_d/terraform-${terraform_version}.zip
+unzip_d=$basedir/.terraform/unzip/$terraform_version
+cmd=$unzip_d/terraform
+
+if [[ ! -x $cmd ]]
+then
+ mkdir -p $dl_d
+ curl -L -o "$zip_file" $terraform_url
+ rm -rf $unzip_d
+ mkdir -p $unzip_d
+ unzip $zip_file -d $unzip_d
+fi
+
+exec "$cmd" "${@}"
diff --git a/tools/yaml-to-dhall b/bin/yaml-to-dhall
index ffe753a..ffe753a 120000
--- a/tools/yaml-to-dhall
+++ b/bin/yaml-to-dhall
diff --git a/terraform-minio/README.md b/terraform-minio/README.md
new file mode 100644
index 0000000..0e54eba
--- /dev/null
+++ b/terraform-minio/README.md
@@ -0,0 +1,5 @@
+Special Terraform setup for creating user's in Minio for keeping other
+Terraform setups in Minio.
+
+ export TF_VAR_minio_access_key=
+ export TF_VAR_minio_secret_key=
diff --git a/terraform-minio/main.tf b/terraform-minio/main.tf
new file mode 100644
index 0000000..a08c04a
--- /dev/null
+++ b/terraform-minio/main.tf
@@ -0,0 +1,29 @@
+terraform {
+ required_version = ">= 0.13"
+
+ backend "local" {
+ path = "state"
+ }
+
+ required_providers {
+ minio = {
+ source = "tidalf/minio"
+ version = "1.1.1"
+ }
+ }
+}
+
+variable "minio_access_key" {
+ type = string
+}
+
+variable "minio_secret_key" {
+ type = string
+}
+
+provider "minio" {
+ minio_server = "minio.trygvis.io:443"
+ minio_ssl = "true"
+ minio_access_key = var.minio_access_key
+ minio_secret_key = var.minio_secret_key
+}
diff --git a/terraform-minio/root.tf b/terraform-minio/root.tf
new file mode 100644
index 0000000..9751f27
--- /dev/null
+++ b/terraform-minio/root.tf
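Review bot: The archive fetched on the `curl -L -o "$zip_file" $terraform_url` line is never verified, so whatever that URL returns is unpacked and later `exec`ed as terraform — and because curl runs without `-f`, an HTTP error page is saved as the zip just the same. HashiCorp publishes a `terraform_<version>_SHA256SUMS` file next to each release zip, so pin the expected digest beside `terraform_version` and check it before `unzip`, and add `-f` so a non-2xx response fails the script instead of being unpacked. Nearly every expansion in the hunk (`$0`, `$dl_d`, `$unzip_d`, `$zip_file`, `$terraform_url`) is unquoted, which breaks as soon as the checkout path contains a space; `set -u` is already on, quoting is the missing half. The script also lacks a header comment; it should say that the release is cached under `.terraform/` next to the script, that `$cmd` is reused on later runs, and that the digest must be re-pinned whenever `terraform_version` changes.
```shell
terraform_version=0.13.5
terraform_url=https://releases.hashicorp.com/terraform/$terraform_version/terraform_${terraform_version}_linux_amd64.zip
# Digest of the zip from terraform_${terraform_version}_SHA256SUMS; update together with the version.
terraform_sha256=<SHA256_FROM_RELEASE_SUMS_PLACEHOLDER>
# … unchanged: dl_d / zip_file / unzip_d / cmd …
if [[ ! -x "$cmd" ]]; then
  mkdir -p "$dl_d"
  curl -fsSL -o "$zip_file" "$terraform_url"
  # Refuse to unpack anything that does not match the pinned digest.
  printf '%s  %s\n' "$terraform_sha256" "$zip_file" | sha256sum -c --quiet -
  rm -rf "$unzip_d"
  mkdir -p "$unzip_d"
  unzip -q "$zip_file" -d "$unzip_d"
fi
```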
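Review bot: The `backend "local" { path = "state" }` block in terraform-minio/main.tf writes the state file into the working tree, and that state will carry the Minio user's generated secret (it is what root.tf's output reads from), yet the `.gitignore` hunk in this commit adds only `.terraform` and `.settings-vault`, so `terraform-minio/state` is one `git add .` away from being committed. Add `terraform-minio/state*` to `.gitignore` (or a `.gitignore` inside `terraform-minio/`), and put a comment above the backend block such as `# Local state on purpose: this setup creates the bucket/user the other setups store their state in. The file holds the generated user secret; it is git-ignored and must stay out of the repository.` The README's two `export TF_VAR_...` lines are the only documentation of the inputs; a sentence saying these are the Minio admin credentials used only for this bootstrap would help the next reader.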
@@ -0,0 +1,46 @@
+resource "minio_s3_bucket" "terraform" {
+ bucket = "terraform"
+ acl = "public-read-write"
+}
+
+resource "minio_iam_policy" "terraform-access" {
+ name = "terraform-access"
+ policy= <<EOF
+{
+ "Version":"2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "s3:ListBucket"
+ ],
+ "Resource": "arn:aws:s3:::terraform-trygvis"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "s3:ListBucket",
+ "s3:GetObject",
+ "s3:PutObject"
+ ],
+ "Resource": "arn:aws:s3:::terraform/*"
+ }
+ ]
+}
+EOF
+}
+
+# Users
+
+resource "minio_iam_user" "terraform-trygvis" {
+ name = "terraform-trygvis"
+}
+
+resource "minio_iam_user_policy_attachment" "terraform-trygvis" {
+ user_name = minio_iam_user.terraform-trygvis.id
+ policy_name = minio_iam_policy.terraform-access.id
+}
+
+output "terraform-trygvis_secret" {
+ value = minio_iam_user.terraform-trygvis.secret
+}
diff --git a/terraform/dns/terraform.d b/terraform/dns/terraform.d
deleted file mode 120000
index 11a3f4b..0000000
--- a/terraform/dns/terraform.d
+++ /dev/null
@@ -1 +0,0 @@
-../terraform.d
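Review bot: `acl = "public-read-write"` on the `terraform` bucket is the bucket that terraform/main.tf in this same commit uses as its S3 state backend, and as far as I can tell this provider turns that ACL into an anonymous-access bucket policy; Terraform state contains every attribute the providers return (the user secret this file outputs, for one), so anyone who can reach minio.trygvis.io could read or overwrite the state. Change it to `acl = "private"` and let the `terraform-access` policy attached below be the only grant. The policy itself looks wrong too: the first statement's `"Resource": "arn:aws:s3:::terraform-trygvis"` names a bucket this file never creates (the bucket is `terraform`), and `s3:ListBucket` in the second statement is attached to the object ARN `terraform/*`, where it has no effect, so the user probably cannot list the bucket at all; `"Resource": "arn:aws:s3:::terraform"` in the first statement fixes both. Finally, `output "terraform-trygvis_secret"` should carry `sensitive = true` so the secret is not printed on every apply.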
\ No newline at end of file
diff --git a/terraform/main.tf b/terraform/main.tf
index 853a87d..71db6a8 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -1,8 +1,16 @@
 terraform {
 required_version = ">= 0.13"
- backend "local" {
- path = "../state/dns"
+ backend "s3" {
+ key = "trygvis-infra"
+ region = "us-east-1"
+ bucket = "terraform"
+ endpoint = "https://minio.trygvis.io"
+
+ skip_credentials_validation = true
+ skip_metadata_api_check = true
+ skip_region_validation = true
+ force_path_style = true
 }
 required_providers {
diff --git a/terraform/minio/README.md b/terraform/minio/README.md
new file mode 100644
index 0000000..18a7202
--- /dev/null
+++ b/terraform/minio/README.md
@@ -0,0 +1,3 @@
+# Using `mc` directly instead of Terraform
+
+ export MC_HOST_<alias>=https://<Access Key>:<Secret Key>@<YOUR-S3-ENDPOINT>
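Review bot: The new `backend "s3"` block names no credentials and the three `skip_*` flags only switch off AWS-specific checks, so the access key and secret presumably reach the backend through the `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` environment variables that the vault sourced by `.settings.sh` exports; nothing in this file or either new README says so, and a failed `terraform init` with these flags set gives little hint. Add a comment above the block along the lines of `# Credentials come from AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY (exported by .settings-vault via .settings.sh); the skip_* flags are needed because the endpoint is Minio, not AWS.` The switch from `path = "../state/dns"` also means the existing local state is not picked up automatically; `terraform init` will offer to copy it into the bucket, and that should be confirmed before the old state file (and the removed `terraform/dns/terraform.d` link) are considered gone. The `terraform { ... }` block continues past the hunk's last context line.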