From b9f333eb61b815f029869b8513f0a3154a6b055c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jakub=20Soko=C5=82owski?=
Date: Tue, 23 Feb 2021 13:15:21 +0100
Subject: [PATCH] use password-store provider for secrets
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Jakub SokoĊ‚owski
---
 Makefile | 7 -------
 main.tf | 12 ------------
 providers.tf | 11 +++++++++++
 secrets.tf | 22 ++++++++++++++++++++++
 versions.tf | 4 ++++
 5 files changed, 37 insertions(+), 19 deletions(-)
 create mode 100644 providers.tf
 create mode 100644 secrets.tf

diff --git a/Makefile b/Makefile
index 406c591..b4cf2d4 100644
--- a/Makefile
+++ b/Makefile
@@ -41,13 +41,6 @@ secrets:
 pass services/consul/ca-key > ansible/files/consul-ca.key
 pass services/consul/client-crt > ansible/files/consul-client.crt
 pass services/consul/client-key > ansible/files/consul-client.key
- echo "Saving secrets to: terraform.tfvars"
- @echo -e "\
-# secrets extracted from password-store\n\
-cloudflare_token = \"$(shell pass cloud/Cloudflare/token)\"\n\
-cloudflare_email = \"$(shell pass cloud/Cloudflare/email)\"\n\
-cloudflare_account = \"$(shell pass cloud/Cloudflare/account)\"\n\
-" > terraform.tfvars

 cleanup:
 rm -r $(PLUGIN_DIR)/$(ARCHIVE)
diff --git a/main.tf b/main.tf
index 8cf1ad6..2b622af 100644
--- a/main.tf
+++ b/main.tf
@@ -1,15 +1,3 @@
-provider "cloudflare" {
- email = var.cloudflare_email
- api_key = var.cloudflare_token
- account_id = var.cloudflare_account
-}
-
-provider "google" {
- credentials = file("google-cloud.json")
- project = "russia-servers"
- region = "us-central1"
-}
-
 /* DATA -----------------------------------------*/
 terraform {
diff --git a/providers.tf b/providers.tf
new file mode 100644
index 0000000..377b0c3
--- /dev/null
+++ b/providers.tf
@@ -0,0 +1,11 @@
+provider "cloudflare" {
+ email = data.pass_password.cloudflare_email.password
+ api_key = data.pass_password.cloudflare_token.password
+ account_id = data.pass_password.cloudflare_account.password
+}
+
+provider "google" {
+ credentials = data.pass_password.google_cloud_cred_json.full
+ project = "russia-servers"
+ region = "us-central1"
+}
diff --git a/secrets.tf b/secrets.tf
new file mode 100644
index 0000000..b30634a
--- /dev/null
+++ b/secrets.tf
@@ -0,0 +1,22 @@
+# Uses PASSWORD_STORE_DIR environment variable
+provider "pass" { refresh_store = false }
+
+/* Token for interacting with Cloudflare API. */
+data "pass_password" "cloudflare_token" {
+ path = "cloud/Cloudflare/token"
+}
+
+/* Email address of Cloudflare account. */
+data "pass_password" "cloudflare_email" {
+ path = "cloud/Cloudflare/email"
+}
+
+/* ID of CloudFlare Account. */
+data "pass_password" "cloudflare_account" {
+ path = "cloud/Cloudflare/account"
+}
+
+/* Google Cloud API auth JSON */
+data "pass_password" "google_cloud_cred_json" {
+ path = "cloud/GoogleCloud/json"
+}
diff --git a/versions.tf b/versions.tf
index 1c77460..333c1b6 100644
--- a/versions.tf
+++ b/versions.tf
@@ -13,5 +13,9 @@ terraform {
 source = "nbering/ansible"
 version = " = 1.0.4"
 }
+ pass = {
+ source = "camptocamp/pass"
+ version = " = 1.4.0"
+ }
 }
 }
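Review bot: The new Cloudflare provider block in providers.tf still authenticates with `email` plus `api_key`, which is Cloudflare's Global API Key flow and gives whatever holds the value at `cloud/Cloudflare/token` the full privileges of the account; if the provider version in use supports it, a scoped token via `api_token = data.pass_password.cloudflare_token.password` (dropping the `email` line and storing a token with only the zones and permissions this stack needs) bounds the damage from a leaked or logged credential. This was carried over from main.tf rather than introduced here, but the new file is the natural place to change it. The `.full` attribute on the Google credentials line presumably returns the whole pass entry, so the entry must contain nothing but the service-account JSON; a comment such as `# pass entry must hold the raw service-account JSON and nothing else` would save the next person a confusing provider error.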
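Review bot: Every value these `pass_password` data sources read is persisted in plaintext in the Terraform state, so after this change the Cloudflare credentials and the Google service-account JSON live wherever this project's state backend is, and anyone with read access to that state can recover them; the provider may mark the attributes sensitive for CLI output, but that does not change what is stored. The header comment in secrets.tf should say so, e.g. `# NOTE: data-source results, including every secret below, are stored in plaintext in the Terraform state; keep the state backend access-controlled and encrypted.` The `refresh_store = false` setting also deserves a one-line why-comment, since it presumably means a stale local store is used without any attempt to update it, and a rotated token would then fail silently until someone pulls.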
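Review bot: Pinning `camptocamp/pass` to `= 1.4.0` fixes the version but does not verify what `terraform init` actually downloads; if this project is on Terraform 0.14 or later, committing the `.terraform.lock.hcl` that init generates (with `h1:` hashes for each platform the team uses) makes the provider's checksum part of what is reviewed. This is a new third-party provider from a community namespace that will handle every secret in the stack, so its integrity matters more than the other pins in this block. The hunk cuts into the `terraform { required_providers { ... } }` block, whose start is outside it.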