Diffstat (limited to 'terraform/concourse')
-rw-r--r--terraform/concourse/.terraform.lock.hcl49
-rw-r--r--terraform/concourse/concourse.tf14
-rw-r--r--terraform/concourse/dns.tf2
-rw-r--r--terraform/concourse/main.tf27
-rw-r--r--terraform/concourse/pdb.tf14
-rw-r--r--terraform/concourse/sops.tf0
6 files changed, 79 insertions, 27 deletions
diff --git a/terraform/concourse/.terraform.lock.hcl b/terraform/concourse/.terraform.lock.hcl
index 2095e00..d008733 100644
--- a/terraform/concourse/.terraform.lock.hcl
+++ b/terraform/concourse/.terraform.lock.hcl
@@ -23,6 +23,25 @@ provider "registry.terraform.io/cyrilgdn/postgresql" {
]
}
+provider "registry.terraform.io/hashicorp/random" {
+ version = "3.4.3"
+ hashes = [
+ "h1:xZGZf18JjMS06pFa4NErzANI98qi59SEcBsOcS2P2yQ=",
+ "zh:41c53ba47085d8261590990f8633c8906696fa0a3c4b384ff6a7ecbf84339752",
+ "zh:59d98081c4475f2ad77d881c4412c5129c56214892f490adf11c7e7a5a47de9b",
+ "zh:686ad1ee40b812b9e016317e7f34c0d63ef837e084dea4a1f578f64a6314ad53",
+ "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+ "zh:84103eae7251384c0d995f5a257c72b0096605048f757b749b7b62107a5dccb3",
+ "zh:8ee974b110adb78c7cd18aae82b2729e5124d8f115d484215fd5199451053de5",
+ "zh:9dd4561e3c847e45de603f17fa0c01ae14cae8c4b7b4e6423c9ef3904b308dda",
+ "zh:bb07bb3c2c0296beba0beec629ebc6474c70732387477a65966483b5efabdbc6",
+ "zh:e891339e96c9e5a888727b45b2e1bb3fcbdfe0fd7c5b4396e4695459b38c8cb1",
+ "zh:ea4739860c24dfeaac6c100b2a2e357106a89d18751f7693f3c31ecf6a996f8d",
+ "zh:f0c76ac303fd0ab59146c39bc121c5d7d86f878e9a69294e29444d4c653786f8",
+ "zh:f143a9a5af42b38fed328a161279906759ff39ac428ebcfe55606e05e1518b93",
+ ]
+}
+
provider "registry.terraform.io/kreuzwerker/docker" {
version = "2.23.1"
constraints = "2.23.1"
@@ -67,21 +86,21 @@ provider "registry.terraform.io/linode/linode" {
]
}
-provider "registry.terraform.io/meilleursagents/ansiblevault" {
- version = "2.2.0"
- constraints = "2.2.0"
+provider "registry.terraform.io/lokkersp/sops" {
+ version = "0.6.10"
+ constraints = "0.6.10"
hashes = [
- "h1:BdAWPYZ+cwkGuc9Hy0zZfyvbRL9f3naXpcUaOnoZee8=",
- "zh:06faf88f2a6f2e9aabadb0d50565f4804636039042d37984463f0ca647f52189",
- "zh:15053cceec8b24d9b62598e9e6860607603c2ecc7871705720a0753ef297d79f",
- "zh:525f261f35d58151b4c51301cc1ae98a592c9b3400449361a91f2d84c467e2ac",
- "zh:8bfe3b2c2b975792987d0642e8525efbf436ae08b1cebb1fa266b8954cb1915e",
- "zh:93a943b494b0f70ef644334bf7646bf203ca087873385ab8ff89d406b9448771",
- "zh:c651248189d297321a48feb775907de0ba2b9a100cb35f7364357b0af0e55931",
- "zh:ccbee95f3c264c663fcddac8c8c921ec9f4fde95f15196838a73a9bf215a4020",
- "zh:d3226f7b3a3013fceeef3392f54708b976daa0f43767bc24ff8c420c8a48a1a9",
- "zh:f236d34596a51f64163eb5d13c3bcea4e10023f7e65f777b7267c463c427aad2",
- "zh:f79f848b9c4b67879c2c25f2ef5b654eaafcfd7568f442eea2566bb580519c4f",
- "zh:fbe2363c1c6a32df6443e650b53b5004a4d6f9431d23935ed98c500bed1552bd",
+ "h1:atU8NIBxpNTWY+qBubvEOfjOn4K1aCDoq1iUFocgIHQ=",
+ "zh:0f053a26392a581b1f1ce6316cb7ed8ec4cc75e7f5f1cf7cfd45050b6b3c87ea",
+ "zh:207bb96c4471fce9aeb1b3c217d772692c3d865d294cf4d2501dad41de36a15e",
+ "zh:28506e8f1f3b9eaa95d99043440328044ee6340143535e5751538328a529d001",
+ "zh:3cae3bcea9e35fdc5b3f2af1b4580cd625c996448ad0c676c772260e46b25289",
+ "zh:3e44daaf82986c2b0028aeb17b867f3c68ed5dd8ac8625ba0406cf2a5fd3d92e",
+ "zh:457fb8ca2e677af24f9a4bdd8b613b1d7b604ad7133541657e5757c19268da71",
+ "zh:473d727c228f021a3df8cc8dcc6231ad7f90ed63f9e47c36b597d591e76228da",
+ "zh:48c4c1df39fd76ec8bd5fe9ac70cdc0927ac8be95582dbe46458b3442ce0fcd9",
+ "zh:728b19cb5c07e5e9d8b78fd94cc57d4c13582ecd24b7eb7c4cc2bf73b12fe4d1",
+ "zh:c51ed9af591779bb0910b82addeebb10f53428b994f8db653dd1dedcec60916c",
+ "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
]
}
diff --git a/terraform/concourse/concourse.tf b/terraform/concourse/concourse.tf
index 9bbb3b4..c386e91 100644
--- a/terraform/concourse/concourse.tf
+++ b/terraform/concourse/concourse.tf
@@ -1,3 +1,7 @@
+data "docker_network" "traefik" {
+ name = "traefik"
+}
+
resource "docker_image" "concourse" {
name = "concourse/concourse:7.8.3"
}
@@ -14,6 +18,10 @@ resource "docker_container" "concourse" {
name = data.docker_network.traefik.name
}
+ networks_advanced {
+ name = "bridge"
+ }
+
ports {
internal = 8080
external = 8080
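Review bot: The added `networks_advanced { name = "bridge" }` block attaches the Concourse container to Docker's default bridge network with nothing recording why. The default bridge is shared by every container started without an explicit network, so the CI service becomes reachable from, and can reach, containers beyond the `traefik` network. If the attachment is needed, say so in place with a comment such as `# default bridge required for <reason>` (placeholder, since the reason is not visible here); otherwise a dedicated user-defined network would keep the scope narrower. The `docker_container` resource starts and ends outside this hunk.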
@@ -44,10 +52,10 @@ resource "docker_container" "concourse" {
env = [
"CONCOURSE_POSTGRES_HOST=knot.vpn.trygvis.io",
- "CONCOURSE_POSTGRES_USER=concourse",
- "CONCOURSE_POSTGRES_PASSWORD=concourse",
- "CONCOURSE_POSTGRES_DATABASE=concourse",
"CONCOURSE_POSTGRES_PORT=5432",
+ "CONCOURSE_POSTGRES_USER=${postgresql_role.concourse.name}",
+ "CONCOURSE_POSTGRES_PASSWORD=${postgresql_role.concourse.password}",
+ "CONCOURSE_POSTGRES_DATABASE=${postgresql_database.concourse.name}",
"CONCOURSE_POSTGRES_SSLMODE=require",
"CONCOURSE_EXTERNAL_URL=https://${local.domain_name}",
"CONCOURSE_WORKER_BAGGAGECLAIM_DRIVER=overlay",
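Review bot: The generated role password now travels through the `env` list via `"CONCOURSE_POSTGRES_PASSWORD=${postgresql_role.concourse.password}"`, so it is stored in clear text in Terraform state and is readable with `docker inspect` by anyone who has access to the Docker host. That is better than the old literal `concourse`, but the exposure deserves a comment next to the line, for example `# secret: lands in state and in docker inspect output; state backend must be access-restricted`. The backend configuration is not visible in this hunk, so whether state is already protected should be confirmed. The `env` list begins in this hunk and continues outside it.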
diff --git a/terraform/concourse/dns.tf b/terraform/concourse/dns.tf
index 68e1764..a465bf8 100644
--- a/terraform/concourse/dns.tf
+++ b/terraform/concourse/dns.tf
@@ -6,5 +6,5 @@ resource "linode_domain_record" "concourse-vpn" {
domain_id = data.linode_domain.root.id
name = "concourse.vpn"
record_type = "CNAME"
- target = local.domain_name
+ target = "conflatorio.vpn.trygvis.io"
}
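Review bot: The new `target = "conflatorio.vpn.trygvis.io"` repeats the host name that `provider "docker"` in main.tf already hard-codes as `ssh://conflatorio.vpn.trygvis.io`. If the container moves to another machine, the two have to be edited separately, and the DNS record can be left pointing at the old host. A shared local keeps them in step: add `docker_host = "conflatorio.vpn.trygvis.io"` to the `locals` block and use `target = local.docker_host` here.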
diff --git a/terraform/concourse/main.tf b/terraform/concourse/main.tf
index 49bad5e..49702b9 100644
--- a/terraform/concourse/main.tf
+++ b/terraform/concourse/main.tf
@@ -12,10 +12,6 @@ terraform {
}
required_providers {
- ansiblevault = {
- source = "MeilleursAgents/ansiblevault"
- version = "2.2.0"
- }
docker = {
source = "kreuzwerker/docker"
version = "2.23.1"
@@ -28,6 +24,10 @@ terraform {
source = "cyrilgdn/postgresql"
version = "1.18.0"
}
+ sops = {
+ source = "lokkersp/sops"
+ version = "0.6.10"
+ }
}
}
@@ -35,14 +35,25 @@ provider "docker" {
host = "ssh://conflatorio.vpn.trygvis.io"
}
-provider "ansiblevault" {
- root_folder = ".."
+provider "postgresql" {
+ host = "knot.vpn.trygvis.io"
+ database = "postgres"
+ username = "terraform"
+ password = data.sops_file_entry.knot_pdb_terraform_password.data
+ sslmode = "require"
}
-data "docker_network" "traefik" {
- name = "traefik"
+provider "sops" {
+ age = {
+ key = "age13wv3rp0varlg4nvt3tca48fq8u9q3mc6yfdekjeapcmc7kaq4dysrzcmv3"
+ }
}
locals {
domain_name = "concourse.vpn.trygvis.io"
}
+
+data "sops_file_entry" "knot_pdb_terraform_password" {
+ source_file = "../../sops.yml"
+ data_key = "knot_pdb_terraform_password"
+}
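Review bot: In the new `provider "postgresql"` block, `sslmode = "require"` encrypts the connection but does not verify the server certificate, so the `terraform` role's password is sent to whichever host answers for `knot.vpn.trygvis.io`. Where a CA certificate for that server is available, `sslmode = "verify-full"` together with `sslrootcert` authenticates the host as well. The same applies to the existing `CONCOURSE_POSTGRES_SSLMODE=require` entry in concourse.tf. Separately, the `key` value in `provider "sops"` has the `age1…` recipient form, which is a public key; a comment such as `# age recipient (public key), not a secret` would stop the next reader from treating it as a committed credential.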
diff --git a/terraform/concourse/pdb.tf b/terraform/concourse/pdb.tf
new file mode 100644
index 0000000..3eb9dfe
--- /dev/null
+++ b/terraform/concourse/pdb.tf
@@ -0,0 +1,14 @@
+resource "random_uuid" "concourse_password" {
+}
+
+resource "postgresql_role" "concourse" {
+ name = "concourse"
+ login = true
+ password = random_uuid.concourse_password.result
+}
+
+resource "postgresql_database" "concourse" {
+ name = "concourse"
+ owner = "concourse"
+}
+
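Review bot: `random_uuid.concourse_password.result` is not a sensitive attribute, and a `random_uuid` also uses that value as its resource id, so the database password is printed in plan and apply output (CI logs included) even though `postgresql_role.password` itself is redacted. `random_password` from the same `hashicorp/random` provider marks `result` as sensitive and is the better source for a credential. Separately, `owner = "concourse"` is a string literal, so Terraform sees no dependency on the role and may try to create the database before the role exists; referencing `postgresql_role.concourse.name` fixes the ordering.

```hcl
resource "random_password" "concourse_password" {
  length = 32
}

resource "postgresql_role" "concourse" {
  # … unchanged: name, login …
  password = random_password.concourse_password.result
}

resource "postgresql_database" "concourse" {
  # … unchanged: name …
  owner = postgresql_role.concourse.name
}
```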
diff --git a/terraform/concourse/sops.tf b/terraform/concourse/sops.tf
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/terraform/concourse/sops.tf