From 02a146c507681c88b651532baeb8ffe44ce7052c Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Tue, 10 Sep 2024 10:25:29 +0200
Subject: [PATCH] dns: switch to opentofu + terraform-backend-git, use opentofu encrypted state feature

https://opentofu.org/docs/language/state/encryption/#new-project
---
 docs/dns.md | 27 +++++++++------------
 flake.lock | 17 -------------
 flake.nix | 5 ++--
 terraform/.terraform.lock.hcl | 37 +++++++++++++++--------------
 terraform/providers.tf | 4 ++--
 terraform/remote-backend.tf | 9 -------
 terraform/state-encryption.tf | 30 +++++++++++++++++++++++
 terraform/terraform-backend-git.hcl | 3 +++
 8 files changed, 67 insertions(+), 65 deletions(-)
 delete mode 100644 terraform/remote-backend.tf
 create mode 100644 terraform/state-encryption.tf
 create mode 100644 terraform/terraform-backend-git.hcl
diff --git a/docs/dns.md b/docs/dns.md
index c5725ff6..36f0d7da 100644
--- a/docs/dns.md
+++ b/docs/dns.md
@@ -1,18 +1,10 @@
 # Changing DNS entries
 Our current DNS provider is [namecheap](https://www.namecheap.com/).
-We use [Terraform](https://www.terraform.io) to declaratively manage our pub.solar DNS records.
+We use [OpenTofu](https://opentofu.org) to declaratively manage our pub.solar DNS records.
 ### Initial setup
-Skip this step if you already have a `triton` profile setup.
-
-```
-triton profile create
-```
-
-Please follow https://docs.greenbaum.cloud/en/devops/triton-cli.html for the details.
-
 You will need to setup the following [namecheap API credentials](https://www.namecheap.com/support/api/intro), look for "namecheap API key" in the pub.solar Keepass database.
@@ -28,13 +20,15 @@ You will probably also need to add your external IP to the [API allow list](http
 dig -4 ip @dns.toys
 ```
-Now, change into the terraform directory and initialize the terraform providers.
+Now, change into the terraform directory and initialize the terraform providers. To decrypt existing state,
+search for "terraform state passphrase" in the pub.solar Keepass database.
 ```
 cd terraform
-export TRITON_KEY_ID=$(cat ~/.config/triton/profiles.d/lev-1-pub_solar.json | jq --raw-output .keyId)
+export TF_VAR_state_passphrase=$(secret-tool lookup pub.solar terraform-state-passphrase-dns)
-terraform init
+alias tofu="terraform-backend-git --access-logs --tf tofu git terraform"
+tofu init
 ```
 Make your changes, e.g. in `dns.tf`.
@@ -46,20 +40,21 @@ $EDITOR dns.tf
 ```
 Plan your changes using:
 ```
-terraform plan -out pub-solar-infra.plan
+tofu plan -out pub-solar-infra.plan
 ```
 After verification, apply your changes with:
 ```
-terraform apply "pub-solar-infra.plan"
+tofu apply "pub-solar-infra.plan"
 ```
 ### Useful links
-We use the Manta remote backend to save the terraform state for collaboration.
+We use terraform-backend-git remote backend with opentofu state encryption for collaboration.
-- https://www.terraform.io/language/v1.2.x/settings/backends/manta
+- https://github.com/plumber-cd/terraform-backend-git
+- https://opentofu.org/docs/language/state/encryption
 Namecheap Terraform provider docs:
diff --git a/flake.lock b/flake.lock
index 8becded8..7d27f124 100644
--- a/flake.lock
+++ b/flake.lock
@@ -349,22 +349,6 @@
 "type": "github"
 }
 },
- "nixpkgs-2205": {
- "locked": {
- "lastModified": 1685573264,
- "narHash": "sha256-Zffu01pONhs/pqH07cjlF10NnMDLok8ix5Uk4rhOnZQ=",
- "owner": "nixos",
- "repo": "nixpkgs",
- "rev": "380be19fbd2d9079f677978361792cb25e8a3635",
- "type": "github"
- },
- "original": {
- "owner": "nixos",
- "ref": "nixos-22.05",
- "repo": "nixpkgs",
- "type": "github"
- }
- },
 "nixpkgs-lib": {
 "locked": {
 "lastModified": 1722555339,
@@ -391,7 +375,6 @@
 "nix-darwin": "nix-darwin",
 "nixos-flake": "nixos-flake",
 "nixpkgs": "nixpkgs",
- "nixpkgs-2205": "nixpkgs-2205",
 "simple-nixos-mailserver": "simple-nixos-mailserver",
 "unstable": "unstable"
 }
diff --git a/flake.nix b/flake.nix
index 0dd26702..49fa80c2 100644
--- a/flake.nix
+++ b/flake.nix
@@ -4,8 +4,6 @@
 nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
 unstable.url = "github:nixos/nixpkgs/nixos-unstable";
- nixpkgs-2205.url = "github:nixos/nixpkgs/nixos-22.05";
-
 nix-darwin.url = "github:lnl7/nix-darwin/master";
 nix-darwin.inputs.nixpkgs.follows = "nixpkgs";
@@ -113,7 +111,8 @@
 shfmt
 treefmt
 nixos-generators
- inputs.nixpkgs-2205.legacyPackages.${system}.terraform
+ inputs.unstable.legacyPackages.${system}.opentofu
+ terraform-backend-git
 terraform-ls
 jq
 ];
diff --git a/terraform/.terraform.lock.hcl b/terraform/.terraform.lock.hcl
index e007f5b1..23a248b2 100644
--- a/terraform/.terraform.lock.hcl
+++ b/terraform/.terraform.lock.hcl
@@ -1,23 +1,24 @@
-# This file is maintained automatically by "terraform init".
+# This file is maintained automatically by "tofu init".
 # Manual edits may be lost in future updates.
-provider "registry.terraform.io/namecheap/namecheap" {
- version = "2.1.0"
- constraints = "2.1.0"
+provider "registry.opentofu.org/namecheap/namecheap" {
+ version = "2.1.2"
+ constraints = "2.1.2"
 hashes = [
- "h1:p8LqzJtI4Mkxhcam2s73eFJzctlAZXZJ0Wwgd51Kyto=",
- "zh:3731f5f14a0958cd27a589ef7daa9be786b6490f2309c429eb2e9862aa4ac5f7",
- "zh:3cbceb12ec3521d9dfbd890eee731a40f4e1f42de30d28fc1d1e524091148caa",
- "zh:44095af1b1d1ee6d4b930e21e3c5bf0f81d9df65fe04f6f1e55d46713c240b21",
- "zh:693e169228fe0c5fb1989425b1ad42c1206f8187c9932b4daee5a5c5e851a28e",
- "zh:6b04c3c2666db3050f49bc85151496fe33cf852db9ad8fc6f455d1daf0a2bba6",
- "zh:85fd126a573cc468f8d5d1b90f4a94f5977ea40623b1c5cd7c799bb95ef233bd",
- "zh:99014437ef4e96161b0029efa12f05fa1ab63ff9bc0a255b0a249e17b4f8587a",
- "zh:a4d8288ef01d4002a5aa07d1e64e4504757f07d6ada24fbf7d3670ceb24d2871",
- "zh:d27f7798cbe1957294bb08459b1fbabe68721cc9cc50afee80bda87ce674dab8",
- "zh:d85483f90380829d05b8a2725ce50bf2ee766d6c1cbef223b388d19c5a92dce2",
- "zh:ddfecfbefd32e40386b482a2610e4173a52591afea3861f041041439d51d34da",
- "zh:f9a10edfe11dbc4947cbb2f0db8935050693d5fff3b6559096288c689c2dd847",
- "zh:fae14a74781a94bcaac07b6d533dd9eb1e40c1d152eb6ee49b2a44cdf5740cfe",
+ "h1:CxrZrPIQwzPgWoU/YkCrU03GsB6EVgjPPRuUUnu7zs0=",
+ "zh:0aed3d71075afa43797e72fdeddd444b6e61c4b891efb06b3d1e32ae50f8c443",
+ "zh:11d6119e3b9e0c92342ed5b3d230f0a9461242f07fa6c6e03f09619a4b82bb9c",
+ "zh:12ce14c749e1e6089ac779fd9dd11d35a5934490e480acaf325ab24a869821b3",
+ "zh:331fe9b343870f75bc046e9e94cb4ecf13b0197ffc1ac1350e14ced371295360",
+ "zh:38d8f7ee36f1b3ca6bb2c4a4acadcefc39f556b0d45212fd593ca78d7600a90e",
+ "zh:3f5decea8777964b4ff40a42fc9154d4d7d8c43985c544f865aa627ade85f78f",
+ "zh:78bfc4a448c868b07c66e7aee4190ddc9c62c677408e3e075a665ee59d0745fa",
+ "zh:80c8be9b56825d61393f1b2366b6a5c1072b39fac4f0a62c4b7e28e5dab932c1",
+ "zh:87c8070cf579a850a8099e5652c930bd9d0923e4d3af8509e3123defc4d2d4c7",
+ "zh:8cb6954feb50fc39bbb0a08e030e731f54357261741c7620e05a7bc24070f37e",
+ "zh:993a3e876209b1de0bb8266b451b75783ac65613302d18002f09e13ec5b64f42",
+ "zh:a501d7681e9fd3842d3516e8b168a08a7ab8ee1722f43425b09c3bd950dbdad5",
+ "zh:bf59b03f9bbf455bc63e1dfb19cc67247252680681a31f4283f0802bba11d7e8",
+ "zh:e97bd12923b0148e3e7ea769443f7f71beaeb7e78ad9ced0ebe21d3ad6c47b64",
 ]
 }
diff --git a/terraform/providers.tf b/terraform/providers.tf
index 0301fd5c..92debc2c 100644
--- a/terraform/providers.tf
+++ b/terraform/providers.tf
@@ -1,9 +1,9 @@
 terraform {
- required_version = "~> 1.2.3"
+ required_version = "~> 1.8.0"
 required_providers {
 namecheap = {
 source = "namecheap/namecheap"
- version = "2.1.0"
+ version = "2.1.2"
 }
 }
 }
diff --git a/terraform/remote-backend.tf b/terraform/remote-backend.tf
deleted file mode 100644
index e18597e2..00000000
--- a/terraform/remote-backend.tf
+++ /dev/null
@@ -1,9 +0,0 @@
-# https://www.terraform.io/language/v1.2.x/settings/backends/manta
-terraform {
- backend "manta" {
- path = "pub-solar/nachtigall"
- object_name = "terraform.tfstate"
- account = "pub_solar"
- url = "https://eu-central.manta.greenbaum.zone"
- }
-}
diff --git a/terraform/state-encryption.tf b/terraform/state-encryption.tf
new file mode 100644
index 00000000..4c267b33
--- /dev/null
+++ b/terraform/state-encryption.tf
@@ -0,0 +1,30 @@
+# https://opentofu.org/docs/language/state/encryption/#new-project
+# Set env var TF_VAR_state_passphrase
+variable "state_passphrase" {
+ type = string
+}
+
+terraform {
+ encryption {
+ ## Step 1: Add the desired key provider:
+ key_provider "pbkdf2" "pub_solar_key" {
+ passphrase = var.state_passphrase
+ }
+ ## Step 2: Set up your encryption method:
+ method "aes_gcm" "pub_solar_method" {
+ keys = key_provider.pbkdf2.pub_solar_key
+ }
+
+ state {
+ ## Step 3: Link the desired encryption method:
+ method = method.aes_gcm.pub_solar_method
+
+ ## Step 4: Run "tofu apply".
+
+ ## Step 5: Consider adding the "enforced" option:
+ # enforced = true
+ }
+
+ ## Step 6: Repeat steps 3-5 for plan{} if needed.
+ }
+}
diff --git a/terraform/terraform-backend-git.hcl b/terraform/terraform-backend-git.hcl
new file mode 100644
index 00000000..117d185b
--- /dev/null
+++ b/terraform/terraform-backend-git.hcl
@@ -0,0 +1,3 @@
+git.repository = "gitea@git.pub.solar:pub-solar/terraform-state.git"
+git.ref = "main"
+git.state = "dns-pub.solar.json"
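Review bot: The `variable "state_passphrase"` block in terraform/state-encryption.tf is not marked `sensitive = true`, so the passphrase that the pbkdf2 key provider derives the state key from is treated like any other plain input and can end up in plan/apply output or logs if it is ever referenced outside the key provider. In the same file `enforced = true` stays commented out, which leaves OpenTofu willing to read and write unencrypted state to the new git backend without complaint, and there is no `plan {}` block even though docs/dns.md in this commit writes plan files to disk with `tofu plan -out`, so those files would hold state-derived data in cleartext while the state itself is encrypted. I would add `sensitive = true` to the variable, turn on `enforced = true` once the first encrypted apply against the git backend has succeeded, and give `plan {}` the same method; presumably the existing state is already encrypted given the docs' "decrypt existing state" wording, but that is worth confirming before enforcing. The key provider and method wiring otherwise matches the linked OpenTofu new-project example.
```hcl
variable "state_passphrase" {
  type      = string
  sensitive = true
}

# … unchanged: key_provider "pbkdf2" and method "aes_gcm" blocks …

    state {
      method   = method.aes_gcm.pub_solar_method
      enforced = true
    }

    plan {
      method   = method.aes_gcm.pub_solar_method
      enforced = true
    }
```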