chore: migrate tf state to S3

Jdavid77 · May 1, 2024 · 343cf36 · 343cf36
1 parent 0489455
commit 343cf36
Show file tree

Hide file tree

Showing 17 changed files with 189 additions and 67 deletions.
diff --git a/.sops.yaml b/.sops.yaml
@@ -5,5 +5,8 @@ creation_rules:
       age1ygtvf2uaevyhpsdwya27qhmjkjxd9vvyn0ajephhjwthmeeryseqx4munk
   - path_regex: infrastructure/.*\.ya?ml
     encrypted_regex: "^(id|secret|bootstraptoken|secretboxencryptionsecret|token|ca|crt|key)$"
+    age: >-
+      age1ygtvf2uaevyhpsdwya27qhmjkjxd9vvyn0ajephhjwthmeeryseqx4munk
+  - path_regex: terraform/.*\.env
     age: >-
       age1ygtvf2uaevyhpsdwya27qhmjkjxd9vvyn0ajephhjwthmeeryseqx4munk
diff --git a/terraform/akeyless/.terraform.lock.hcl b/terraform/akeyless/.terraform.lock.hcl
diff --git a/terraform/akeyless/apikey.tf b/terraform/akeyless/apikey.tf
@@ -0,0 +1,3 @@
+resource "akeyless_auth_method_api_key" "flux_key" {
+  name = "Flux-Key"
+}
diff --git a/terraform/akeyless/associations.tf b/terraform/akeyless/associations.tf
@@ -0,0 +1,6 @@
+resource "akeyless_associate_role_auth_method" "flux-ro" {
+  am_name   = akeyless_auth_method_api_key.flux_key.name
+  role_name = akeyless_role.read_only.name
+
+  depends_on = [akeyless_auth_method_api_key.flux_key, akeyless_role.read_only]
+}
diff --git a/terraform/akeyless/main.tf b/terraform/akeyless/main.tf
@@ -0,0 +1,21 @@
+terraform {
+
+  required_providers {
+    akeyless = {
+      version = ">= 1.0.0"
+      source  = "akeyless-community/akeyless"
+    }
+  }
+
+  backend "s3" {
+    bucket                      = "akeyless"
+    key                         = "cloudflare.tfstate"
+    region                      = "weur"
+    endpoint                    = "https://015ce648cc705f6d069fe6068434a576.r2.cloudflarestorage.com"
+    skip_credentials_validation = true
+    skip_region_validation      = true
+    skip_metadata_api_check     = true
+  }
+}
+
+
diff --git a/terraform/akeyless/outputs.tf b/terraform/akeyless/outputs.tf
@@ -0,0 +1,9 @@
+output "flux_access_id" {
+  value     = akeyless_auth_method_api_key.flux_key.access_id
+  sensitive = true
+}
+
+output "flux_access_key" {
+  value     = akeyless_auth_method_api_key.flux_key.access_key
+  sensitive = true
+}
diff --git a/terraform/akeyless/providers.tf b/terraform/akeyless/providers.tf
@@ -0,0 +1,8 @@
+provider "akeyless" {
+  api_gateway_address = "https://api.akeyless.io"
+
+  api_key_login {
+    access_id  = var.akeyless_access_id
+    access_key = var.akeyless_api_key
+  }
+}
diff --git a/terraform/akeyless/roles.tf b/terraform/akeyless/roles.tf
@@ -0,0 +1,12 @@
+resource "akeyless_role" "read_only" {
+
+  name = "ReadOnly"
+
+  rules {
+    capability = ["read", "list"]
+    path       = "/*"
+    rule_type  = "item-rule"
+  }
+
+}
+
diff --git a/terraform/akeyless/variables.tf b/terraform/akeyless/variables.tf
@@ -0,0 +1,3 @@
+variable "akeyless_api_key" {
+  type = string
+}
diff --git a/terraform/cloudflare/.terraform.lock.hcl b/terraform/cloudflare/.terraform.lock.hcl
diff --git a/terraform/cloudflare/buckets.tf b/terraform/cloudflare/buckets.tf
diff --git a/terraform/cloudflare/firewall-rules.tf b/terraform/cloudflare/firewall-rules.tf
diff --git a/terraform/cloudflare/main.tf b/terraform/cloudflare/main.tf
@@ -1,17 +1,19 @@
 terraform {
 
-  cloud {
-    organization = "jnobrega"
-
-    workspaces {
-      name = "cloudflare"
-    }
+  backend "s3" {
+    bucket                      = "cloudflare"
+    key                         = "cloudflare.tfstate"
+    region                      = "weur"
+    endpoint                    = "https://015ce648cc705f6d069fe6068434a576.r2.cloudflarestorage.com/cloudflare"
+    skip_credentials_validation = true
+    skip_region_validation      = true
+    skip_metadata_api_check     = true
   }
-  
+
   required_providers {
     cloudflare = {
       source  = "cloudflare/cloudflare"
-      version = "~> 4.0"
+      version = "4.30.0"
     }
   }
 

diff --git a/terraform/cloudflare/records.tf b/terraform/cloudflare/records.tf
@@ -3,18 +3,7 @@ data "cloudflare_record" "a_record" {
   hostname = var.cloudflare_domain_com
 }
 
-resource "cloudflare_record" "cname_record" {
 
-  count = length(var.cloudflare_records)
-
-  zone_id = lookup(data.cloudflare_zones.domain_com.zones[0], "id")
-  name    = var.cloudflare_records[count.index]
-  value   = var.cloudflare_domain_com
-  type    = "CNAME"
-  ttl     = 1
-  proxied = true
-
-}
 
 
 

diff --git a/terraform/cloudflare/rules.tf b/terraform/cloudflare/rules.tf
@@ -0,0 +1,25 @@
+resource "cloudflare_filter" "notportugal" {
+  zone_id     = lookup(data.cloudflare_zones.domain_com.zones[0], "id")
+  description = "Block Requests that dont come from Portugal"
+  expression  = "(ip.geoip.country ne \"PT\")" 
+}
+
+resource "cloudflare_firewall_rule" "notportugal" {
+  zone_id     = lookup(data.cloudflare_zones.domain_com.zones[0], "id")
+  description = "Block Requests that don't come from Portugal"
+  filter_id   = cloudflare_filter.notportugal.id
+  action      = "block"
+}
+
+resource "cloudflare_filter" "blockbots" {
+  zone_id     = lookup(data.cloudflare_zones.domain_com.zones[0], "id")
+  description = "Block Known Bots"
+  expression  = "(cf.client.bot)" 
+}
+
+resource "cloudflare_firewall_rule" "blockbots" {
+  zone_id     = lookup(data.cloudflare_zones.domain_com.zones[0], "id")
+  description = "Block Known Bots"
+  filter_id   = cloudflare_filter.blockbots.id
+  action      = "block"
+}
diff --git a/terraform/cloudflare/variables.tf b/terraform/cloudflare/variables.tf
@@ -4,7 +4,7 @@ variable "cloudflare_email" {
 }
 
 variable "cloudflare_account_id" {
-  type = string
+  type        = string
   description = "Cloudflare Account ID"
 }
 
@@ -22,13 +22,3 @@ variable "cloudflare_domain_com" {
   type        = string
   description = "My .com domain"
 }
-
-variable "cloudflare_records" {
-  type = list(string)
-  description = "CNAME Records"
-} 
-
-variable "cloudflare_buckets" {
-  type = list(string)
-  description = "R2 Buckets"
-} 
diff --git a/terraform/cloudflare/zone.tf b/terraform/cloudflare/zone.tf
@@ -0,0 +1,47 @@
+resource "cloudflare_zone_settings_override" "cloudflare_settings_com" {
+  zone_id = lookup(data.cloudflare_zones.domain_com.zones[0], "id")
+  settings {
+    # /ssl-tls
+    ssl = "strict"
+    # /ssl-tls/edge-certificates
+    always_use_https         = "on"
+    min_tls_version          = "1.2"
+    opportunistic_encryption = "on"
+    tls_1_3                  = "zrt"
+    automatic_https_rewrites = "on"
+    universal_ssl            = "on"
+    # /firewall/settings
+    browser_check  = "on"
+    challenge_ttl  = 1800
+    privacy_pass   = "on"
+    security_level = "medium"
+    # /speed/optimization
+    brotli = "on"
+    minify {
+      css  = "on"
+      js   = "on"
+      html = "on"
+    }
+    rocket_loader = "off"
+    # /caching/configuration
+    always_online    = "off"
+    development_mode = "off"
+    # /network
+    http3               = "on"
+    zero_rtt            = "on"
+    ipv6                = "on"
+    websockets          = "on"
+    opportunistic_onion = "on"
+    pseudo_ipv4         = "off"
+    ip_geolocation      = "on"
+    # /content-protection
+    email_obfuscation   = "on"
+    server_side_exclude = "on"
+    hotlink_protection  = "off"
+    # /workers
+    security_header {
+      enabled = false
+    }
+
+  }
+}