use password-store provider for secrets

Signed-off-by: Jakub Sokołowski <jakub@status.im>
2021-02-23 13:15:21 +01:00 · 2021-02-23 13:15:21 +01:00 · b9f333eb61
parent eebeadd4fa
commit b9f333eb61
5 changed files with 37 additions and 19 deletions
--- a/7
+++ b/7
@ -41,13 +41,6 @@ secrets:
 	pass services/consul/ca-key > ansible/files/consul-ca.key
 	pass services/consul/client-crt > ansible/files/consul-client.crt
 	pass services/consul/client-key > ansible/files/consul-client.key
-	echo "Saving secrets to: terraform.tfvars"
-	@echo -e "\
-# secrets extracted from password-store\n\
-cloudflare_token   = \"$(shell pass cloud/Cloudflare/token)\"\n\
-cloudflare_email   = \"$(shell pass cloud/Cloudflare/email)\"\n\
-cloudflare_account = \"$(shell pass cloud/Cloudflare/account)\"\n\
-" > terraform.tfvars

 cleanup:
 	rm -r $(PLUGIN_DIR)/$(ARCHIVE)
--- a/main.tf
+++ b/main.tf
@ -1,15 +1,3 @@
-provider "cloudflare" {
-  email      = var.cloudflare_email
-  api_key    = var.cloudflare_token
-  account_id = var.cloudflare_account
-}
-
-provider "google" {
-  credentials = file("google-cloud.json")
-  project     = "russia-servers"
-  region      = "us-central1"
-}
-
 /* DATA -----------------------------------------*/

 terraform {
--- a/providers.tf
+++ b/providers.tf
@ -0,0 +1,11 @@
+provider "cloudflare" {
+  email      = data.pass_password.cloudflare_email.password
+  api_key    = data.pass_password.cloudflare_token.password
+  account_id = data.pass_password.cloudflare_account.password
+}
+
+provider "google" {
+  credentials = data.pass_password.google_cloud_cred_json.full
+  project     = "russia-servers"
+  region      = "us-central1"
+}
--- a/secrets.tf
+++ b/secrets.tf
@ -0,0 +1,22 @@
+# Uses PASSWORD_STORE_DIR environment variable
+provider "pass" { refresh_store = false }
+
+/* Token for interacting with Cloudflare API. */
+data "pass_password" "cloudflare_token" {
+  path = "cloud/Cloudflare/token"
+}
+
+/* Email address of Cloudflare account. */
+data "pass_password" "cloudflare_email" {
+  path = "cloud/Cloudflare/email"
+}
+
+/* ID of CloudFlare Account. */
+data "pass_password" "cloudflare_account" {
+  path = "cloud/Cloudflare/account"
+}
+
+/* Google Cloud API auth JSON */
+data "pass_password" "google_cloud_cred_json" {
+  path = "cloud/GoogleCloud/json"
+}
--- a/versions.tf
+++ b/versions.tf
@ -13,5 +13,9 @@ terraform {
      source  = "nbering/ansible"
      version = " = 1.0.4"
    }
+    pass = {
+      source  = "camptocamp/pass"
+      version = " = 1.4.0"
+    }
  }
 }