use pass provider for secrets and drop terraform.tfvars

https://registry.terraform.io/providers/camptocamp/pass Signed-off-by: Jakub Sokołowski <jakub@status.im>
2020-09-26 16:28:34 +02:00 · 2020-09-26 16:28:34 +02:00 · 985c745049
parent 262735b0eb
commit 985c745049
7 changed files with 44 additions and 67 deletions
--- a/.gitignore
+++ b/.gitignore
@ -2,11 +2,6 @@
 *.tfstate
 *.tfstate.d/
 *.tfstate.backup
-*.tfvars
 *.retry

-*.zip
-
 ansible/files/*
-
-google-cloud.json
--- a/21
+++ b/21
@ -1,5 +1,3 @@
-#!/usr/bin/env bash
-
 OS = $(strip $(shell uname -s))
 ARCH = linux_amd64
 PLATFORM = linux
@ -23,11 +21,6 @@ plugins: install-provisioner
 requirements:
 	ansible-galaxy install --ignore-errors --force -r ansible/requirements.yml

-check-unzip:
-ifeq (, $(shell which unzip))
-	$(error "No unzip in PATH, consider doing apt install unzip")
-endif
-
 install-provisioner:
 	if [ ! -e $(PLUGIN_DIR)/$(ARCH)/$(PROVISIONER_NAME)_$(PROVISIONER_VERSION) ]; then \
 		mkdir -p $(PLUGIN_DIR); \
@ -38,25 +31,13 @@ install-provisioner:
 init-terraform:
 	terraform init -upgrade=true

-consul-certs:
+secrets:
 	@echo "Saving Consul certificates: ansible/files/consul*"
 	pass services/consul/ca-crt > ansible/files/consul-ca.crt
 	pass services/consul/ca-key > ansible/files/consul-ca.key
 	pass services/consul/client-crt > ansible/files/consul-client.crt
 	pass services/consul/client-key > ansible/files/consul-client.key

-tf-secrets:
-	@echo "Saving secrets to: terraform.tfvars"
-	@echo -e "\
-# secrets extracted from password-store\n\
-cloudflare_token   = \"$(shell pass cloud/Cloudflare/token)\"\n\
-cloudflare_email   = \"$(shell pass cloud/Cloudflare/email)\"\n\
-cloudflare_account = \"$(shell pass cloud/Cloudflare/account)\"\n\
-aws_access_key     = \"$(shell pass cloud/AWS/Nimbus/access-key)\"\n\
-aws_secret_key     = \"$(shell pass cloud/AWS/Nimbus/secret-key)\"\n\
-" > terraform.tfvars
-
-secrets: consul-certs tf-secrets

 cleanup:
 	rm -r $(PLUGIN_DIR)/$(ARCHIVE)
--- a/main.tf
+++ b/main.tf
@ -1,18 +1,3 @@
-/* PROVIDERS ------------------------------------*/
-
-provider "aws" {
-  version    = "~> 2.0"
-  region     = var.aws_zone
-  access_key = var.aws_access_key
-  secret_key = var.aws_secret_key
-}
-
-provider "cloudflare" {
-  email      = var.cloudflare_email
-  api_key    = var.cloudflare_token
-  account_id = var.cloudflare_account
-}
-
 /* DATA -----------------------------------------*/

 terraform {
--- a/providers.tf
+++ b/providers.tf
@ -0,0 +1,12 @@
+provider "aws" {
+  version    = "~> 2.0"
+  region     = "eu-central-1"
+  access_key = data.pass_password.aws_access_key.password
+  secret_key = data.pass_password.aws_secret_key.password
+}
+
+provider "cloudflare" {
+  email      = data.pass_password.cloudflare_email.password
+  api_key    = data.pass_password.cloudflare_token.password
+  account_id = data.pass_password.cloudflare_account.password
+}
--- a/secrets.tf
+++ b/secrets.tf
@ -0,0 +1,27 @@
+# Uses PASSWORD_STORE_DIR environment variable
+provider "pass" { refresh_store = false }
+
+/* Token for interacting with Cloudflare API. */
+data "pass_password" "cloudflare_token" {
+  path = "cloud/Cloudflare/token"
+}
+
+/* Email address of Cloudflare account. */
+data "pass_password" "cloudflare_email" {
+  path = "cloud/Cloudflare/email"
+}
+
+/* ID of the CloudFlare organization. */
+data "pass_password" "cloudflare_account" {
+  path = "cloud/Cloudflare/account"
+}
+
+/* Access key for the AWS API. */
+data "pass_password" "aws_access_key" {
+  path = "cloud/AWS/Nimbus/access-key"
+}
+
+/* Secret key for the AWS API. */
+data "pass_password" "aws_secret_key" {
+  path = "cloud/AWS/Nimbus/secret-key"
+}
--- a/variables.tf
+++ b/variables.tf
@ -1,30 +1,3 @@
-/* REQUIRED -------------------------------------*/
-
-variable "cloudflare_email" {
-  description = "Email address of Cloudflare account."
-}
-
-variable "cloudflare_token" {
-  description = "Token for interacting with Cloudflare API."
-}
-
-variable "cloudflare_account" {
-  description = "ID of the CloudFlare organization."
-}
-
-variable "aws_access_key" {
-  description = "Access key for the AWS API."
-}
-
-variable "aws_secret_key" {
-  description = "Secret key for the AWS API."
-}
-
-variable "aws_zone" {
-  description = "Name of the AWS Availability Zone."
-  default     = "eu-central-1"
-}
-
 /* GENERAL --------------------------------------*/

 variable "public_domain" {
--- a/versions.tf
+++ b/versions.tf
@ -9,5 +9,9 @@ terraform {
      source  = "hashicorp/aws"
      version = " = 2.46.0"
    }
+    pass = {
+      source  = "camptocamp/pass"
+      version = " = 1.4.0"
+    }
  }
 }