teutat3s
02a146c507
use opentofu encrypted state feature https://opentofu.org/docs/language/state/encryption/#new-project
1.5 KiB
1.5 KiB
Changing DNS entries
Our current DNS provider is namecheap. We use OpenTofu to declaratively manage our pub.solar DNS records.
Initial setup
You will need to setup the following namecheap API credentials, look for "namecheap API key" in the pub.solar Keepass database.
NAMECHEAP_API_KEY
NAMECHEAP_API_USER
NAMECHEAP_USER_NAME
You will probably also need to add your external IP to the API allow list.
dig -4 ip @dns.toys
Now, change into the terraform directory and initialize the terraform providers. To decrypt existing state, search for "terraform state passphrase" in the pub.solar Keepass database.
cd terraform
export TF_VAR_state_passphrase=$(secret-tool lookup pub.solar terraform-state-passphrase-dns)
alias tofu="terraform-backend-git --access-logs --tf tofu git terraform"
tofu init
Make your changes, e.g. in dns.tf
.
$EDITOR dns.tf
Plan your changes using:
tofu plan -out pub-solar-infra.plan
After verification, apply your changes with:
tofu apply "pub-solar-infra.plan"
Useful links
We use terraform-backend-git remote backend with opentofu state encryption for collaboration.
- https://github.com/plumber-cd/terraform-backend-git
- https://opentofu.org/docs/language/state/encryption
Namecheap Terraform provider docs: