From 343cf362231ce0a95cf5a2b7e71631f40bbcaff9 Mon Sep 17 00:00:00 2001 From: jnobrega Date: Wed, 1 May 2024 09:15:23 +0100 Subject: [PATCH] chore: migrate tf state to S3 --- .sops.yaml | 3 ++ terraform/akeyless/.terraform.lock.hcl | 24 ++++++++++++ terraform/akeyless/apikey.tf | 3 ++ terraform/akeyless/associations.tf | 6 +++ terraform/akeyless/main.tf | 21 +++++++++++ terraform/akeyless/outputs.tf | 9 +++++ terraform/akeyless/providers.tf | 8 ++++ terraform/akeyless/roles.tf | 12 ++++++ terraform/akeyless/variables.tf | 3 ++ terraform/cloudflare/.terraform.lock.hcl | 34 ++++++++--------- terraform/cloudflare/buckets.tf | 8 ---- terraform/cloudflare/firewall-rules.tf | 12 ------ terraform/cloudflare/main.tf | 18 +++++---- terraform/cloudflare/records.tf | 11 ------ terraform/cloudflare/rules.tf | 25 +++++++++++++ terraform/cloudflare/variables.tf | 12 +----- terraform/cloudflare/zone.tf | 47 ++++++++++++++++++++++++ 17 files changed, 189 insertions(+), 67 deletions(-) create mode 100644 terraform/akeyless/.terraform.lock.hcl create mode 100644 terraform/akeyless/apikey.tf create mode 100644 terraform/akeyless/associations.tf create mode 100644 terraform/akeyless/main.tf create mode 100644 terraform/akeyless/outputs.tf create mode 100644 terraform/akeyless/providers.tf create mode 100644 terraform/akeyless/roles.tf create mode 100644 terraform/akeyless/variables.tf delete mode 100644 terraform/cloudflare/buckets.tf delete mode 100644 terraform/cloudflare/firewall-rules.tf create mode 100644 terraform/cloudflare/rules.tf create mode 100644 terraform/cloudflare/zone.tf diff --git a/.sops.yaml b/.sops.yaml index af3514f0..99746308 100644 --- a/.sops.yaml +++ b/.sops.yaml 
@@ -5,5 +5,8 @@ creation_rules: age1ygtvf2uaevyhpsdwya27qhmjkjxd9vvyn0ajephhjwthmeeryseqx4munk - path_regex: infrastructure/.*\.ya?ml encrypted_regex: "^(id|secret|bootstraptoken|secretboxencryptionsecret|token|ca|crt|key)$" + age: >- + age1ygtvf2uaevyhpsdwya27qhmjkjxd9vvyn0ajephhjwthmeeryseqx4munk + - path_regex: terraform/.*\.env age: >- age1ygtvf2uaevyhpsdwya27qhmjkjxd9vvyn0ajephhjwthmeeryseqx4munk \ No newline at end of file diff --git a/terraform/akeyless/.terraform.lock.hcl b/terraform/akeyless/.terraform.lock.hcl new file mode 100644 index 00000000..bb67b9dd --- /dev/null +++ b/terraform/akeyless/.terraform.lock.hcl @@ -0,0 +1,24 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/akeyless-community/akeyless" { + version = "1.4.4" + constraints = ">= 1.0.0" + hashes = [ + "h1:7mOveG3wGlVzp6Nxx8OdWaRGwA0jqTP2eFxpQUy5MAo=", + "zh:083fed7372738aa0c53b354bcfa14f9b8ccaeea70e80ef71d8a601fcb4b613fa", + "zh:0ce7eabf882caef65380698efe338fdd1491433e9b04378857d3824a7649a74b", + "zh:14c5b0e43c16549e7ed32ac28294f93c27d257d4f9e509818dd5e6a9c64cfe6d", + "zh:17b407299b49aa98407b92221208f5535fb0d217afc0f2d58279f47848eb4edc", + "zh:23c0deabd37d98590f09206754bb94fe616cd6ff24eb8547248b492cd8917687", + "zh:3df94670439ba0097764fb0c9b3b6d207a1b7d0878470160ecd00a6c0415873c", + "zh:52bc6e7eca00c9d81fa7a19850b89689f6f2c9490a51f311257576b3f4d0ede9", + "zh:7a2a691cda3788ccc279d9066772b17469f3b91ce84533f6929b2748f6478776", + "zh:a0f5480e472cff383953586949be931a9ae430b4589d8fa94e004055ea355070", + "zh:a8896642c55ca8408c35c17e625f2f844d9e088f68af973566921fc0a2e13cfe", + "zh:b33b13942a7934da5b27e64ab1b75ed2a194152e13a1be3ef81abdf0bd50613c", + "zh:cc2482f9ba525899466d5f5b0af91dd0603021832686423bcf02596e8518009e", + "zh:e19d06cc8532d51b7c3e1ccd312647fae47dcac76800ac053bec194ce0a2ffdd", + "zh:e911839b0911771806d47e658a066905ba080967e2f8e8d2c0f7192c76de0813", + ] +} 
diff --git a/terraform/akeyless/apikey.tf b/terraform/akeyless/apikey.tf
new file mode 100644
index 00000000..b26f65ec
--- /dev/null
+++ b/terraform/akeyless/apikey.tf
@@ -0,0 +1,3 @@
+resource "akeyless_auth_method_api_key" "flux_key" {
+ name = "Flux-Key"
+}
\ No newline at end of file
diff --git a/terraform/akeyless/associations.tf b/terraform/akeyless/associations.tf
new file mode 100644
index 00000000..44a5e014
--- /dev/null
+++ b/terraform/akeyless/associations.tf
@@ -0,0 +1,6 @@
+resource "akeyless_associate_role_auth_method" "flux-ro" {
+ am_name = akeyless_auth_method_api_key.flux_key.name
+ role_name = akeyless_role.read_only.name
+
+ depends_on = [akeyless_auth_method_api_key.flux_key, akeyless_role.read_only]
+}
\ No newline at end of file
diff --git a/terraform/akeyless/main.tf b/terraform/akeyless/main.tf
new file mode 100644
index 00000000..f10ec266
--- /dev/null
+++ b/terraform/akeyless/main.tf
@@ -0,0 +1,21 @@
+terraform {
+
+ required_providers {
+ akeyless = {
+ version = ">= 1.0.0"
+ source = "akeyless-community/akeyless"
+ }
+ }
+
+ backend "s3" {
+ bucket = "akeyless"
+ key = "cloudflare.tfstate"
+ region = "weur"
+ endpoint = "https://015ce648cc705f6d069fe6068434a576.r2.cloudflarestorage.com"
+ skip_credentials_validation = true
+ skip_region_validation = true
+ skip_metadata_api_check = true
+ }
+}
+
+
diff --git a/terraform/akeyless/outputs.tf b/terraform/akeyless/outputs.tf
new file mode 100644
index 00000000..35e1862d
--- /dev/null
+++ b/terraform/akeyless/outputs.tf
@@ -0,0 +1,9 @@
+output "flux_access_id" {
+ value = akeyless_auth_method_api_key.flux_key.access_id
+ sensitive = true
+}
+
+output "flux_access_key" {
+ value = akeyless_auth_method_api_key.flux_key.access_key
+ sensitive = true
+}
\ No newline at end of file
diff --git a/terraform/akeyless/providers.tf b/terraform/akeyless/providers.tf
new file mode 100644
index 00000000..b54ee247
--- /dev/null
+++ b/terraform/akeyless/providers.tf
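Review bot: The backend in akeyless/main.tf stores the Akeyless stack's state under `key = "cloudflare.tfstate"` although the bucket is `akeyless`; this reads as a copy-paste from cloudflare/main.tf and should become `key = "akeyless.tfstate"` so the two states cannot be confused. Neither this backend block nor the one in cloudflare/main.tf configures state locking (no `dynamodb_table`, and R2 has no equivalent), so two concurrent runs can corrupt the state; the block deserves a comment such as `# no state locking on R2: never run apply concurrently`. Note also that `sensitive = true` on the outputs in outputs.tf only redacts CLI output: the Flux access_key is written in cleartext into the state object in R2, so the bucket's access policy and the R2 API token the backend uses must be treated as holding that secret. The bare `endpoint` argument is deprecated in newer versions of the S3 backend in favour of `endpoints { s3 = ... }`; if the Terraform version in use is recent a deprecation warning is to be expected.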
@@ -0,0 +1,8 @@
+provider "akeyless" {
+ api_gateway_address = "https://api.akeyless.io"
+
+ api_key_login {
+ access_id = var.akeyless_access_id
+ access_key = var.akeyless_api_key
+ }
+}
\ No newline at end of file
diff --git a/terraform/akeyless/roles.tf b/terraform/akeyless/roles.tf
new file mode 100644
index 00000000..2d0873ba
--- /dev/null
+++ b/terraform/akeyless/roles.tf
@@ -0,0 +1,12 @@
+resource "akeyless_role" "read_only" {
+
+ name = "ReadOnly"
+
+ rules {
+ capability = ["read", "list"]
+ path = "/*"
+ rule_type = "item-rule"
+ }
+
+}
+
diff --git a/terraform/akeyless/variables.tf b/terraform/akeyless/variables.tf
new file mode 100644
index 00000000..a4033977
--- /dev/null
+++ b/terraform/akeyless/variables.tf
@@ -0,0 +1,3 @@
+variable "akeyless_api_key" {
+ type = string
+}
diff --git a/terraform/cloudflare/.terraform.lock.hcl b/terraform/cloudflare/.terraform.lock.hcl
index f59b1460..06ce131d 100644
--- a/terraform/cloudflare/.terraform.lock.hcl
+++ b/terraform/cloudflare/.terraform.lock.hcl
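Review bot: providers.tf references `var.akeyless_access_id`, but the only variable declared in the new variables.tf is `akeyless_api_key`, so `terraform validate` will fail with a reference to an undeclared input variable. Both credential variables should also be marked `sensitive = true` so their values are redacted from plan and apply output. Proposed variables.tf:
```hcl
variable "akeyless_access_id" {
  type      = string
  sensitive = true
}

variable "akeyless_api_key" {
  type      = string
  sensitive = true
}
```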
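Review bot: The `read_only` role in roles.tf grants `read` and `list` on `path = "/*"`, i.e. every item in the account, and associations.tf binds it to the Flux API key. If Flux only needs the secrets under one folder, scoping the rule to that prefix (for example `path = "/<flux-folder>/*"`, placeholder for the real folder) limits what a leaked Flux key exposes; a comment on the rule stating why account-wide read is needed would otherwise be welcome. The `depends_on` in associations.tf is redundant, since both resources are already referenced through `am_name` and `role_name`.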
@@ -2,24 +2,24 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/cloudflare/cloudflare" { - version = "4.11.0" - constraints = "~> 4.0" + version = "4.30.0" + constraints = "4.30.0" hashes = [ - "h1:PlO6FpJceI6h72OCstvpXZL6+ARDpPEawD+mjEAs3FA=", - "zh:09d620903d0f191ab7dee88ce75833307a03c7a9f88dfb2c2a58025283b80ff4", - "zh:0fb59cccc066c867750d633d6dfea8b99e75f5545ae4e7c090be465c6858eb73", - "zh:16b35bf2b88a629c05aefc6ebdbcc039447ee23a5b32594d844ca83f92ac8507", - "zh:5cc3f5df54891bb9efab51cca3266c59a82fd7dcc5667aa3451562325002235a", - "zh:6f384c9ba3e844b41c3de8455a3b91e3e3b32c1fa34b8b1ece4eae36d347c67e", - "zh:8000b3567ba7a43837bb8ccf7fdbcd03cc30103ec6abed84a40ee1c5b99f933f", - "zh:8687603e979a5fe82f2a65bc0cfb2a20acce4d871b01f04ffeabb9aa17c079ca", - "zh:88ed3e07913ad564ae3ae3280c868054d85e37b16db250b9cbdfca0c58f75dce", + "h1:05UXM990Xso5MGGhB75CbiZnCs4pGNF+ov6vMXoKuDw=", + "zh:218d1948b59e3d2e3af082724a0d057bcca5a5643c5e7c3b85eefc02430edd6b", + "zh:24eb677bc1b205565efb5c0d1c464f63d1e240aac61f5b2ef15165fe842cb7e2", + "zh:27896ed2a4f05f6a46ef25e674e445e89bd4bfba8cddbe95940109c6dc3179cc", + "zh:38b3b8297a9650b0ed09d57e0d802f5d851062bdadf72825652232c9a67346ac", + "zh:58d49ec9f414d0ff71e94cc991e1e3e33a13502ce0fea1393edd1297d0877bab", + "zh:5ed92c556e72cc4ea7fdf6db9e0dd7b093d179e26f2d2989b21a004a6402f2ae", + "zh:71f5c64702a7b2102f6d5edfd767953cd5b1248093c05983b909de06cf0c40cc", + "zh:788a023967db63b8eda9c0415851a743daf4073bab66b0bd1204bccbb54c9f8f", + "zh:7b9cd30355b4f63941284998167c3f3e5d208685e5176928275436de012f62d2", "zh:890df766e9b839623b1f0437355032a3c006226a6c200cd911e15ee1a9014e9f", - "zh:a1faa7112d35aee74eb2b90543570ea56209112c0e2c1c06ad503a9c2464676d", - "zh:a433640c433f1815ca3cf92927a3764669095b8c668a73363ca9017a0b1d0349", - "zh:a63b6cf55baaa37cd4bf98bce94b7624bb54efe5abf8b86f24384df7996229f0", - "zh:a6696b0bdadb17d6f2ef7702b922c4006b21b4125530b0a8ac3bcfce1aafe2d8", - 
"zh:b2b3e16aa9c9d10409132fa7f181598bb67a1e5684c54535745ce0e3dcbd5d23", - "zh:d8c65b2e8a18141bb3ee53c7bf37422ff3679a67733702a631696586666ca885", + "zh:923ec04258fde407f0fce80488268f4277ffac68fb7240eee4f4373a344c5469", + "zh:97473bdb848a7f77832fde6d0e68877bdcc17bf47ae3639fb09e1aeff4a92a01", + "zh:9b8754d8f7c15878ecb8897a6ffc4e9ec95f4e5f0560f4129af82a8200e602ea", + "zh:b890723ed524d34e7fbee6c119714be23e1783b82441ce4c18871c9d54f10cbd", + "zh:c75e0e5f406653c9b4928d97a38410ad7bb20d48e260c17ae3125a77b0457bf5", ] } diff --git a/terraform/cloudflare/buckets.tf b/terraform/cloudflare/buckets.tf deleted file mode 100644 index 65514564..00000000 --- a/terraform/cloudflare/buckets.tf +++ /dev/null @@ -1,8 +0,0 @@ -resource "cloudflare_r2_bucket" "bucket" { - - count = length(var.cloudflare_buckets) - - account_id = var.cloudflare_account_id - name = var.cloudflare_buckets[count.index] - -} \ No newline at end of file diff --git a/terraform/cloudflare/firewall-rules.tf b/terraform/cloudflare/firewall-rules.tf deleted file mode 100644 index 6aeddd9d..00000000 --- a/terraform/cloudflare/firewall-rules.tf +++ /dev/null @@ -1,12 +0,0 @@ -resource "cloudflare_filter" "terraformcloud" { - zone_id = lookup(data.cloudflare_zones.domain_com.zones[0], "id") - description = "Allow Requests from Terraform Cloud" - expression = "(http.user_agent contains \"terraform\")" -} - -resource "cloudflare_firewall_rule" "terraform" { - zone_id = lookup(data.cloudflare_zones.domain_com.zones[0], "id") - description = "Allow Requests from Terraform Cloud" - filter_id = cloudflare_filter.terraformcloud.id - action = "allow" -} \ No newline at end of file diff --git a/terraform/cloudflare/main.tf b/terraform/cloudflare/main.tf index 14070ebe..abcc272c 100644 --- a/terraform/cloudflare/main.tf +++ b/terraform/cloudflare/main.tf 
@@ -1,17 +1,19 @@ terraform { - cloud { - organization = "jnobrega" - - workspaces { - name = "cloudflare" - } + backend "s3" { + bucket = "cloudflare" + key = "cloudflare.tfstate" + region = "weur" + endpoint = "https://015ce648cc705f6d069fe6068434a576.r2.cloudflarestorage.com/cloudflare" + skip_credentials_validation = true + skip_region_validation = true + skip_metadata_api_check = true } - + required_providers { cloudflare = { source = "cloudflare/cloudflare" - version = "~> 4.0" + version = "4.30.0" } } diff --git a/terraform/cloudflare/records.tf b/terraform/cloudflare/records.tf index 65a0fa33..f0abeceb 100644 --- a/terraform/cloudflare/records.tf +++ b/terraform/cloudflare/records.tf @@ -3,18 +3,7 @@ data "cloudflare_record" "a_record" { hostname = var.cloudflare_domain_com } -resource "cloudflare_record" "cname_record" { - count = length(var.cloudflare_records) - - zone_id = lookup(data.cloudflare_zones.domain_com.zones[0], "id") - name = var.cloudflare_records[count.index] - value = var.cloudflare_domain_com - type = "CNAME" - ttl = 1 - proxied = true - -} diff --git a/terraform/cloudflare/rules.tf b/terraform/cloudflare/rules.tf new file mode 100644 index 00000000..a8da788c --- /dev/null +++ b/terraform/cloudflare/rules.tf 
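Review bot: The new backend's `endpoint` carries a `/cloudflare` path suffix while `bucket = "cloudflare"` is also set, whereas akeyless/main.tf uses the bare account endpoint; with path-style addressing the bucket name is appended to the endpoint, so this looks like it would address `cloudflare/cloudflare/cloudflare.tfstate` or be rejected, and the two files should agree on the bare endpoint `https://015ce648cc705f6d069fe6068434a576.r2.cloudflarestorage.com`. As in akeyless/main.tf there is no state locking, so applies must be serialized. Because this commit also deletes the `cloudflare_r2_bucket` resources in buckets.tf, if the `cloudflare` or `akeyless` bucket was in `var.cloudflare_buckets` the first apply after the migration would plan to destroy the bucket that now holds the state; those resources should be dropped with `terraform state rm` before applying (the variable's value is not visible in this diff, so this is a possibility to confirm).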
@@ -0,0 +1,25 @@ +resource "cloudflare_filter" "notportugal" { + zone_id = lookup(data.cloudflare_zones.domain_com.zones[0], "id") + description = "Block Requests that dont come from Portugal" + expression = "(ip.geoip.country ne \"PT\")" +} + +resource "cloudflare_firewall_rule" "notportugal" { + zone_id = lookup(data.cloudflare_zones.domain_com.zones[0], "id") + description = "Block Requests that don't come from Portugal" + filter_id = cloudflare_filter.notportugal.id + action = "block" +} + +resource "cloudflare_filter" "blockbots" { + zone_id = lookup(data.cloudflare_zones.domain_com.zones[0], "id") + description = "Block Known Bots" + expression = "(cf.client.bot)" +} + +resource "cloudflare_firewall_rule" "blockbots" { + zone_id = lookup(data.cloudflare_zones.domain_com.zones[0], "id") + description = "Block Known Bots" + filter_id = cloudflare_filter.blockbots.id + action = "block" +} \ No newline at end of file diff --git a/terraform/cloudflare/variables.tf b/terraform/cloudflare/variables.tf index 2074b011..7b090e26 100644 --- a/terraform/cloudflare/variables.tf +++ b/terraform/cloudflare/variables.tf @@ -4,7 +4,7 @@ variable "cloudflare_email" { } variable "cloudflare_account_id" { - type = string + type = string description = "Cloudflare Account ID" } @@ -22,13 +22,3 @@ variable "cloudflare_domain_com" { type = string description = "My .com domain" } - -variable "cloudflare_records" { - type = list(string) - description = "CNAME Records" -} - -variable "cloudflare_buckets" { - type = list(string) - description = "R2 Buckets" -} \ No newline at end of file diff --git a/terraform/cloudflare/zone.tf b/terraform/cloudflare/zone.tf new file mode 100644 index 00000000..4c653a78 --- /dev/null +++ b/terraform/cloudflare/zone.tf 
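Review bot: The two descriptions for the same rule differ (`dont` in the `notportugal` filter, `don't` in the firewall rule); they should be one string. `cloudflare_filter` and `cloudflare_firewall_rule` are deprecated in the 4.x provider in favour of `cloudflare_ruleset` (WAF custom rules), so pinning `4.30.0` keeps them working for now but a migration is pending and a comment such as `# TODO: migrate to cloudflare_ruleset (firewall rules are deprecated)` would record that. Blocking everything matching `ip.geoip.country ne "PT"` also blocks any uptime checks or integrations that reach the zone from outside Portugal; if such exist they need an allow rule ordered before it, and no `priority` is set here to control ordering. The `lookup(data.cloudflare_zones.domain_com.zones[0], "id")` expression is repeated four times and could be a single `local.zone_id`.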
@@ -0,0 +1,47 @@
+resource "cloudflare_zone_settings_override" "cloudflare_settings_com" {
+ zone_id = lookup(data.cloudflare_zones.domain_com.zones[0], "id")
+ settings {
+ # /ssl-tls
+ ssl = "strict"
+ # /ssl-tls/edge-certificates
+ always_use_https = "on"
+ min_tls_version = "1.2"
+ opportunistic_encryption = "on"
+ tls_1_3 = "zrt"
+ automatic_https_rewrites = "on"
+ universal_ssl = "on"
+ # /firewall/settings
+ browser_check = "on"
+ challenge_ttl = 1800
+ privacy_pass = "on"
+ security_level = "medium"
+ # /speed/optimization
+ brotli = "on"
+ minify {
+ css = "on"
+ js = "on"
+ html = "on"
+ }
+ rocket_loader = "off"
+ # /caching/configuration
+ always_online = "off"
+ development_mode = "off"
+ # /network
+ http3 = "on"
+ zero_rtt = "on"
+ ipv6 = "on"
+ websockets = "on"
+ opportunistic_onion = "on"
+ pseudo_ipv4 = "off"
+ ip_geolocation = "on"
+ # /content-protection
+ email_obfuscation = "on"
+ server_side_exclude = "on"
+ hotlink_protection = "off"
+ # /workers
+ security_header {
+ enabled = false
+ }
+
+ }
+}
\ No newline at end of file
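Review bot: `security_header { enabled = false }` leaves HSTS off while `ssl = "strict"` and `always_use_https = "on"` are set, so a first request over plain HTTP still reaches the edge before being redirected; if the zone is HTTPS-only this is the place to enable it, starting with a short `max_age` since HSTS is hard to roll back. The `# /workers` comment above that block is misleading, as HSTS is configured under SSL/TLS › Edge Certificates, so `# /ssl-tls/edge-certificates (HSTS)` fits better. `tls_1_3 = "zrt"` and `zero_rtt = "on"` both turn on TLS 1.3 0-RTT, whose early data can be replayed by an on-path attacker; add a comment that the origin must treat early-data requests as replayable, or set `zero_rtt = "off"` if it serves non-idempotent endpoints.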