feat: pull TF env from 1pass (#277)

.github/workflows/terragrunt.yaml

@@ -28,6 +28,20 @@ jobs:
       - name: 'Checkout'
         uses: actions/checkout@main
 
+      - name: Install 1Password CLI
+        uses: 1password/install-cli-action@v1
+
+      - name: Install Terragrunt
+        uses: eLco/setup-terragrunt@v1
+        with:
+          terragrunt_version: ${{ env.tg_version }}
+
+      - name: 'Install OpenTofu'
+        uses: opentofu/setup-opentofu@v1
+        with:
+          tofu_version: ${{ env.tofu_version }}
+          tofu_wrapper: false
+
       - name: Check Formatting
         uses: gruntwork-io/terragrunt-action@v2
         with:
@@ -37,16 +51,10 @@ jobs:
           tg_command: 'hclfmt --terragrunt-check --terragrunt-diff'
 
       - name: Check terraform fmt
-        uses: gruntwork-io/terragrunt-action@v2
+        working-directory: ${{ env.working_dir }}
         env:
-          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
-          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
-          TF_STATE_POSTGRES_CONN_STR: ${{ secrets.TF_STATE_POSTGRES_CONN_STR }}
-        with:
-          tofu_version: ${{ env.tofu_version }}
-          tg_version: ${{ env.tg_version }}
-          tg_dir: ${{ env.working_dir }}
-          tg_command: 'run-all fmt -diff -check'
+          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_TF_PROD_ENV }}
+        run: op run --env-file=".env" -- terragrunt run-all fmt -diff -check
   plan:
     runs-on: ubuntu-latest
     if: github.ref != 'refs/heads/main'
@@ -71,18 +79,8 @@ jobs:
       - name: Plan All
         working-directory: ${{ env.working_dir }}
         env:
-          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
-          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
-          TF_STATE_POSTGRES_CONN_STR: ${{ secrets.TF_STATE_POSTGRES_CONN_STR }}
-          GITHUB_APP_INSTALLATION_ID: ${{ secrets.TF_APP_INSTALLATION_ID }}
-          GITHUB_APP_ID: ${{ secrets.TF_APP_ID }}
-          GITHUB_APP_PEM_FILE: ${{ secrets.TF_APP_PEM_FILE }}
-          GITHUB_OWNER: ${{ secrets.TF_APP_GITHUB_OWNER }}
-          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
-          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
-        run: terragrunt run-all plan -no-color 2>&1 | tee "${{github.workspace}}/plan_output.txt" && exit ${PIPESTATUS[0]};
+          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_TF_PROD_ENV }}
+        run: op run --env-file=".env" -- terragrunt run-all plan -no-color 2>&1 | tee "${{github.workspace}}/plan_output.txt" && exit ${PIPESTATUS[0]};
 
 #      - name: 'List files'
 #        run: 'ls -la ${{ github.workspace }}'
@@ -118,14 +116,5 @@ jobs:
       - name: Deploy All
         working-directory: ${{ env.working_dir }}
         env:
-          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
-          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
-          TF_STATE_POSTGRES_CONN_STR: ${{ secrets.TF_STATE_POSTGRES_CONN_STR }}
-          GITHUB_APP_INSTALLATION_ID: ${{ secrets.TF_APP_INSTALLATION_ID }}
-          GITHUB_APP_ID: ${{ secrets.TF_APP_ID }}
-          GITHUB_APP_PEM_FILE: ${{ secrets.TF_APP_PEM_FILE }}
-          GITHUB_OWNER: ${{ secrets.TF_APP_GITHUB_OWNER }}
-          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
-          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
-        run: terragrunt run-all apply --terragrunt-non-interactive
+          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_TF_PROD_ENV }}
+        run: op run --env-file=".env" -- terragrunt run-all apply --terragrunt-non-interactive

.gitignore

@@ -1,5 +1,4 @@
 ### Project gitignore
-.env
 
 ### VisualStudioCode template
 .vscode/*

tf/deployment/.env

@@ -0,0 +1,10 @@
+export TF_VAR_cloudflare_account_id="op://tf/cloudflare/account_id"
+export TF_VAR_cloudflare_api_token="op://tf/cloudflare/api_token"
+export TF_VAR_tf_state_postgres_conn_str="op://tf/tf_state/postgres_conn_str"
+export TF_VAR_github_app_installation_id="op://tf/github_app_immich_tofu/installation_id"
+export TF_VAR_github_app_id="op://tf/github_app_immich_tofu/app_id"
+export TF_VAR_github_app_pem_file="op://tf/github_app_immich_tofu/private key"
+export TF_VAR_github_owner="op://tf/github_app_immich_tofu/owner"
+export TF_VAR_op_service_account_token="op://tf/1pass_service_account/api_token"
+export DOCKER_USERNAME="op://tf/dockerhub/username"
+export DOCKER_PASSWORD="op://tf/dockerhub/password"

tf/deployment/README.md

@@ -8,6 +8,6 @@ To deploy the OpenTofu modules, follow these steps:
 1. Find the versions for OpenTofu and Terragrunt we're currently using in the github action workflow [here](../.github/workflows/terragrunt.yml)
 1. Install OpenTofu with `tenv tofu install ${version}` then run `tenv tofu use ${version}`
 1. Install Terragrunt with `tenv terragrunt install ${version}` then run `tenv terragrunt use ${version}`
-1. Set `CLOUDFLARE_API_TOKEN`, `CLOUDFLARE_ACCOUNT_ID` and `TF_STATE_POSTGRES_CONN_STR` in your environment
-1. Switch to the `tf/deployment/modules` folder
-1. Run `terragrunt run-all plan` to see what changes will be applied for your changes
+1. Install 1password cli `op`
+1. Setup 1password cli with `op account add` and then `eval $(op signin)`
+1. Run `op run --env-file=".env" -- terragrunt run-all plan` to see any terraform changes

tf/deployment/modules/1password/account/providers.tf

@@ -0,0 +1,3 @@
+provider "onepassword" {
+  service_account_token = var.op_service_account_token
+}

tf/deployment/modules/1password/account/variables.tf

@@ -0,0 +1 @@
+variable "op_service_account_token" {}

tf/deployment/modules/cloudflare/account/1password.tf

@@ -76,7 +76,7 @@ resource "onepassword_item" "mich_cloudflare_r2_outline_volsync_backup" {
 
     field {
       label = "RESTIC_REPOSITORY"
-      type  = "string"
+      type  = "STRING"
       value = "s3:https://${cloudflare_r2_bucket.outline_volsync_backups.account_id}.r2.cloudflarestorage.com/${cloudflare_r2_bucket.outline_volsync_backups.name}"
     }
 

tf/deployment/modules/cloudflare/account/providers.tf

@@ -1,3 +1,7 @@
 provider "cloudflare" {
   api_token = data.terraform_remote_state.api_keys_state.outputs.terraform_key_cloudflare_account
 }
+
+provider "onepassword" {
+  service_account_token = var.op_service_account_token
+}

tf/deployment/modules/cloudflare/account/terragrunt.hcl

@@ -6,10 +6,6 @@ terraform {
   }
 }
 
-include "cloudflare" {
-  path = find_in_parent_folders("cloudflare.hcl")
-}
-
 include "root" {
   path = find_in_parent_folders("root.hcl")
 }

tf/deployment/modules/cloudflare/account/variables.tf

@@ -1,2 +1,3 @@
 variable "cloudflare_account_id" {}
 variable "tf_state_postgres_conn_str" {}
+variable "op_service_account_token" {}

tf/deployment/modules/cloudflare/api-keys/providers.tf

@@ -1,3 +1,7 @@
-provider "cloudflare" {}
+provider "cloudflare" {
+  api_token = var.cloudflare_api_token
+}
 
-provider "onepassword" {}
+provider "onepassword" {
+  service_account_token = var.op_service_account_token
+}

tf/deployment/modules/cloudflare/api-keys/terragrunt.hcl

@@ -6,10 +6,6 @@ terraform {
   }
 }
 
-include "cloudflare" {
-  path = find_in_parent_folders("cloudflare.hcl")
-}
-
 include "root" {
   path = find_in_parent_folders("root.hcl")
 }

tf/deployment/modules/cloudflare/api-keys/variables.tf

@@ -0,0 +1,2 @@
+variable "op_service_account_token" {}
+variable "cloudflare_api_token" {}

tf/deployment/modules/github/org/providers.tf

@@ -1,5 +1,12 @@
 provider "github" {
-  app_auth {}
+  app_auth {
+    id              = var.github_app_id
+    installation_id = var.github_app_installation_id
+    pem_file        = var.github_app_pem_file
+  }
+  owner = var.github_owner
 }
 
-provider "onepassword" {}
+provider "onepassword" {
+  service_account_token = var.op_service_account_token
+}

tf/deployment/modules/github/org/remote-state.tf

@@ -16,10 +16,6 @@ data "terraform_remote_state" "docker_org_state" {
   }
 }
 
-data "onepassword_vault" "opentofu_vault" {
-  name = "OpenTofu"
-}
-
 data "onepassword_vault" "kubernetes" {
   name = "Kubernetes"
 }

tf/deployment/modules/github/org/variables.tf

@@ -1 +1,8 @@
 variable "tf_state_postgres_conn_str" {}
+
+variable "github_app_id" {}
+variable "github_app_installation_id" {}
+variable "github_app_pem_file" {}
+variable "github_owner" {}
+
+variable "op_service_account_token" {}

tf/deployment/root.hcl

@@ -1,5 +1,5 @@
 locals {
-  tf_state_postgres_conn_str = get_env("TF_STATE_POSTGRES_CONN_STR")
+  tf_state_postgres_conn_str = get_env("TF_VAR_tf_state_postgres_conn_str")
 }
 
 remote_state {
@@ -9,7 +9,3 @@ remote_state {
     conn_str = local.tf_state_postgres_conn_str
   }
 }
-
-inputs = {
-  tf_state_postgres_conn_str = local.tf_state_postgres_conn_str
-}