feat: support for sops, Taskfile, GitHub Action CD, and consolidated …

…task runner logic
eearomatics · Aug 31, 2024 · 7511c74 · 7511c74
1 parent f2437ba
commit 7511c74
Show file tree

Hide file tree

Showing 14 changed files with 192 additions and 75 deletions.
diff --git a/.env b/.env
@@ -0,0 +1,15 @@
+export TF_VAR_r2_api_token=ENC[AES256_GCM,data:40h3RbMyi7cOtP6Vwa0fHjw2r0YxT8pkxmv3s7/KkQVO7b/J8ZqLfQ==,iv:9ATHKMnTJ3Ryo56g6fuCE/sI6Izvg60D3FOgtuWoYJU=,tag:0FN+1nX0R7SKnvR0e+Qnow==,type:str]
+export AWS_REGION=ENC[AES256_GCM,data:WzAyxNCO7zv0,iv:AEZej35DAnzIyQWADTECth+zRoy+dVRwdVb8UmRZ+p4=,tag:W9RELYaj/UyVE/0H9Y49Uw==,type:str]
+export AWS_ACCESS_KEY_ID=ENC[AES256_GCM,data:5860MzxfP5FmNYXUOSbQoSLAUWWf7PkuOuCi1joJCPo=,iv:0XL/KY3G1sbRgv/y14lE10OEGlJPAMmf2RkP8y5PynU=,tag:UG8L6nyw1CZXXLnWCPaDDw==,type:str]
+export AWS_SECRET_ACCESS_KEY=ENC[AES256_GCM,data:xx9ey0PYlBJAuISWH9p9VjguMv9Bk9RXdaGNBQ4eZ14MOHjocF0KUQKeWcsgvUOCjD/74gR/kWD79R58sgBBvw==,iv:K8pSQHd0kXAdtJs0Msa7O98iUs0Zeq8d/FYnY5eMzqQ=,tag:kWW6TKWu9tnmOIAmLC9Jyw==,type:str]
+export AWS_ENDPOINT_URL_S3=ENC[AES256_GCM,data:AF+Cj5tiXc7lKGloA6BnOymq+K351hpIQxbJ38hFHmRVKpqS9tg+d5irWbUBtp29ztrzTuhrTUwAh0tBA9Wlv/w=,iv:PsnVqoyORX+yBs4vQIbOoXKVDcO1DvpJLsk74B9NL2U=,tag:MSUaDYpdfz0ABUto54qw6w==,type:str]
+sops_lastmodified=2024-08-31T03:21:20Z
+sops_mac=ENC[AES256_GCM,data:UueWMruDj0SectELoia5zdXo0WEHidS/HXcxlXHOYiHBhUqcIxnAe6yUdRCuJJU4ge3NB8jaIxTJDTMJydd2cAsX5Yf0VP/NMLRfavTwsL/45gpbkJim5quQQXryiv9N0JNK3LdNcc7we3r47rl/O2My07dplrDl6aqA4op0zqs=,iv:9piKBYyb0bT8xN76xPE4VGheSOjFAjSy+WSoSVt29dY=,tag:UouX3K3yy3A/AQgea6UHXw==,type:str]
+sops_pgp__list_0__map_created_at=2024-08-31T03:04:48Z
+sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhF4Dfu30CGPZ6+wSAQdACveWxObGYeWvStd03/ry3eAQ6pemG5QOf2/BCZf/e3Aw\nndcrGHjQX/g/la2OlpJk7Ybfizi5ZNEGkI/t/uPln64aB0NEs9phntDM+qzv0YWm\n0lwBTX3j9W7d/Y7IFDb91ZF24BUc6SiehmN7SLJhZCi/3NkFXukZ/sPStAT4X7sS\nS3sJMQzqixiz2mHgsJuDI9eBYTbhfL0IN5R26lcjL9xwGdRY9oqIwih4TU0Z+A==\n=VOIy\n-----END PGP MESSAGE-----
+sops_pgp__list_0__map_fp=C856EB7F2EF6AFDD39332A41307E0B68C5D0049B
+sops_pgp__list_1__map_created_at=2024-08-31T03:04:48Z
+sops_pgp__list_1__map_enc=-----BEGIN PGP MESSAGE-----\n\nhF4DhJDU4MDke4MSAQdAfX/nXK2an6qR9uEf1mQZNbKYLvD0TJYCuUGSFoYIRHIw\nu6zCzXoqM5DNmsU8o/vOfP1pPHpi74uUJiPjertbtAJNBkWZQhw7c5PAgf69sBJE\n0lwB8/mITwNGPs++ismiy7QIyHfItwI8iYe+3bKXYE3sHnGrXKIjvYwbZ8d1tbIG\nOGsPETXIc+S3PETDNMMluw5lazvhJd0vD7CpgGE9tebs79efWnI1setA7+eTmA==\n=x491\n-----END PGP MESSAGE-----
+sops_pgp__list_1__map_fp=73B80689F3A1C97CBD0DC4A0B5586D0F5E565A60
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.8.1
diff --git a/.envrc b/.envrc
@@ -1,2 +1,2 @@
-source_env .env
-use flake
+use flake
+source_env .env.dec
diff --git a/.github/workflows/continuous-delivery.yml b/.github/workflows/continuous-delivery.yml
@@ -0,0 +1,19 @@
+name: "Continuous Delivery"
+on:
+  push:
+    branches:
+      - main
+jobs:
+  terraform:
+    strategy:
+      matrix:
+        project: [ee, tr]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: DeterminateSystems/nix-installer-action@v9
+      - uses: DeterminateSystems/magic-nix-cache-action@v2
+      - run: nix-shell --run "echo -n $SOPS_GPG_KEY_B64E | base64 -d | gpg --import"
+      - run: nix-shell --run "task ${{ matrix.project }}:init"
+      - run: nix-shell --run "task ${{ matrix.project }}:plan"
+      - run: nix-shell --run "task ${{ matrix.project }}:apply"
diff --git a/.gitignore b/.gitignore
@@ -6,7 +6,7 @@ node_modules/
 /.direnv
 
 # project secrets
-.env
+.env.dec
 
 # terraform
 /infrastructure/*/config/*.hcl

diff --git a/.sops.yaml b/.sops.yaml
@@ -0,0 +1,3 @@
+creation_rules:
+  # default rule for all files
+  - pgp: 'C856EB7F2EF6AFDD39332A41307E0B68C5D0049B,73B80689F3A1C97CBD0DC4A0B5586D0F5E565A60'
diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -3,7 +3,9 @@
 	"cSpell.words": [
 		"deno",
 		"dotenv",
-		"terragrunt"
+		"terragrunt",
+		"eearomatics",
+		"torinreine"
 	],
 	"deno.enable": true,
 	"editor.formatOnSave": false

diff --git a/README.md b/README.md
@@ -10,10 +10,18 @@ This project defines the foundations of various critical technologies at Etherea
 
 ## Tech
 
-- OpenTofu
-- Nix
+_*Sorted alphabetically_
+
+- Cloudflare
 - Direnv
+- GitHub Actions
+- GPG
+- Nix
 - NodeJS
+- OpenTofu
+- S3
+- SOPS
+- Taskfile
 - TypeScript
 - Yarn
 
@@ -52,12 +60,16 @@ Everything lives under `packages/` for now. This supports a basic monorepo struc
 
 You can get started with the OpenTofu stack with the shared S3 state in Cloudflare R2.
 
+There are two **major** requirements:
+
 > ⚠️ Make sure you're inside the `infrastructure/${project}` directory for all the commands, e.g. `infrastructure/torinreine`
 
-Initialize the project:
+> ⚠️ Make sure you have the necessary environment variables sourced to your shell from the `.env` file. This is **encrypted** by `sops`.
+
+Now, initialize the project:
 
 ```sh
-tofu init -backend-config=config/backend.hcl
+tofu init -backend-config=../backends/cloudflare-r2.conf
 ```
 
 Plan the project:
@@ -70,4 +82,20 @@ Apply the project:
 
 ```sh
 tofu apply
-```
+```
+
+## Tasks
+
+Common tasks are defined in the `Taskfile.yml` file. Read more on [Taskfile] to learn how to use and interact with it. This will require the `task` CLI.
+
+You can list all tasks with `task --list-all`.
+
+## Secrets
+
+Secrets are managed with [sops] and [gnupg]. You can edit existing sops files, granted you have sufficient access to, with `sops $filepath`. Older version of `sops` also had a command for this using `sops edit $filename`.
+
+<!-- Requirements -->
+
+[Taskfile]: https://taskfile.dev/usage
+[sops]: https://getsops.io/
+[gnupg]: https://gnupg.org/
diff --git a/Taskfile.yml b/Taskfile.yml
@@ -1,44 +1,98 @@
-# https://taskfile.dev
-
 version: '3'
 
-dotenv:
-  - .env
-
 tasks:
-  init:secrets:
-    dir: "scripts/"
+  init:
     cmds:
-      - onboard_secrets.sh
+      - task: ee:clean
+      - task: ee:init
+      - task: tr:clean
+      - task: tr:init
 
-  init:terragrunt:
-    dir: "infrastructure/"
+  tf:init:
+    desc: Common tf initialization task.
+    preconditions: &necessary-tf-envs
+      # - sh: 'test -d "{{.TF_PROJECT_DIR}}"'
+      #   msg: "Missing Terraform project directory var"
+      - sh: 'test -n "$TF_VAR_r2_api_token"'
+        msg: "Missing TF_VAR_r2_api_token in your environment"
+      - sh: 'test -n "$AWS_REGION"'
+        msg: "Missing AWS_REGION in your environment"
+      - sh: 'test -n "$AWS_ACCESS_KEY_ID"'
+        msg: "Missing AWS_ACCESS_KEY_ID in your environment"
+      - sh: 'test -n "$AWS_SECRET_ACCESS_KEY"'
+        msg: "Missing AWS_SECRET_ACCESS_KEY in your environment"
+      - sh: 'test -n "$AWS_ENDPOINT_URL_S3"'
+        msg: "Missing AWS_ENDPOINT_URL_S3 in your environment"
+    requires:
+      vars: [TF_PROJECT_DIR]
+    dir: '{{.TF_PROJECT_DIR}}'
     cmds:
-      - terragrunt init
-
-  validate:
-    dir: "infrastructure/"
+      - tofu init -backend-config=../backends/cloudflare-r2.conf
+  tf:plan:
+    desc: Common tf plan task.
+    dir: '{{.TF_PROJECT_DIR}}'
+    preconditions: *necessary-tf-envs
     cmds:
-      - terragrunt validate
-
-  upgrade-providers:
-    dir: "infrastructure/"
+      - tofu plan
+  tf:apply:
+    desc: Common tf apply task.
+    dir: '{{.TF_PROJECT_DIR}}'
+    preconditions: *necessary-tf-envs
     cmds:
-      - terragrunt init -upgrade
-      - terragrunt providers lock -platform=darwin_amd64 -platform=linux_amd64 -platform=darwin_arm64 -platform=linux_arm64
-
-  plan:
-    dir: "infrastructure/"
+      - tofu apply
+  tf:clean:
+    desc: Common tf project cleaning task.
+    dir: '{{.TF_PROJECT_DIR}}'
+    preconditions: *necessary-tf-envs
     cmds:
-      - task: init
-      - terragrunt plan {{.CLI_ARGS}}
+      - rm -rf ./.terraform .terraform.lock.hcl
 
-  show:
-    dir: "infrastructure/"
+  ee:init:
+    desc: Initialize the eearomatics.com Terraform module
+    cmds:
+      - task: tf:init
+        vars:
+          TF_PROJECT_DIR: infrastructure/eearomatics
+  ee:plan:
+    desc: Plan the eearomatics.com Terraform module
     cmds:
-      - terragrunt show {{.CLI_ARGS}}
+      - task: tf:plan
+        vars:
+          TF_PROJECT_DIR: infrastructure/eearomatics
+  ee:apply:
+    desc: Apply the eearomatics.com Terraform module
+    cmds:
+      - task: tf:apply
+        vars:
+          TF_PROJECT_DIR: infrastructure/eearomatics
+  ee:clean:
+    desc: Clean the eearomatics.com Terraform module
+    cmds:
+      - task: tf:clean
+        vars:
+          TF_PROJECT_DIR: infrastructure/eearomatics
 
-  apply:
-    dir: "infrastructure/"
+  tr:init:
+    desc: Initialize the torinreine.com Terraform module
+    cmds:
+      - task: tf:init
+        vars:
+          TF_PROJECT_DIR: infrastructure/torinreine
+  tr:plan:
+    desc: Plan the torinreine.com Terraform module
+    cmds:
+      - task: tf:plan
+        vars:
+          TF_PROJECT_DIR: infrastructure/torinreine
+  tr:apply:
+    desc: Apply the torinreine.com Terraform module
+    cmds:
+      - task: tf:apply
+        vars:
+          TF_PROJECT_DIR: infrastructure/torinreine
+  tr:clean:
+    desc: Clean the torinreine.com Terraform module
     cmds:
-      - terragrunt apply {{.CLI_ARGS}}
+      - task: tf:clean
+        vars:
+          TF_PROJECT_DIR: infrastructure/torinreine
diff --git a/flake.nix b/flake.nix
@@ -18,6 +18,10 @@
                 git
                 go-task
 
+                # Secrets management
+                gnupg
+                sops
+
                 # NodeJS development
                 nodejs_18
                 yarn
@@ -28,9 +32,6 @@
                 terragrunt
                 cf-terraforming
 
-                # secrets management
-                age
-
                 (pkgs.writeShellScriptBin
                   "cftofu"
                   "cf-terraforming --terraform-binary-path ${pkgs.opentofu}/bin/tofu -t $TF_VAR_r2_api_token $@"
@@ -48,6 +49,11 @@
                   "cftofu-import"
                   "cftofu import $@ | sed 's/terraform/tofu/' | $SHELL"
                 )
+
+                (pkgs.writeShellScriptBin
+                  "decrypt-env-to-shell"
+                  "${pkgs.sops}/bin/sops -d .env > .env.dec"
+                )
             ];
 
 
@@ -67,6 +73,9 @@
                 echo
                 echo Prisma has been configured from Nixpkgs
                 echo
+                echo Decrypting environment to shell
+                echo
+                decrypt-env-to-shell
             '';
           };
         };

diff --git a/infrastructure/backends/cloudflare-r2.conf b/infrastructure/backends/cloudflare-r2.conf
@@ -0,0 +1,15 @@
+region = "auto"
+skip_credentials_validation = true
+skip_region_validation      = true
+skip_requesting_account_id  = true
+skip_metadata_api_check     = true
+skip_s3_checksum            = true
+
+## Remaining configuration requirements
+# bucket = "name-of-bucket"
+# key = "key/to/object"
+# endpoints = {
+#     s3 = "https://<account-id>.r2.cloudflarestorage.com"
+# }
+# access_key                  = "<access_key>"
+# secret_key                  = "<secret_key>"
diff --git a/infrastructure/eearomatics/config/backend.hcl.example b/infrastructure/eearomatics/config/backend.hcl.example
diff --git a/infrastructure/eearomatics/versions.tf b/infrastructure/eearomatics/versions.tf
@@ -7,6 +7,7 @@ terraform {
   }
 
   backend "s3" {
-    # sourced from config/backend.hcl
+    bucket = "tofu-state"
+    key = "eearomatics.com/iac/prod"
   }
 }
diff --git a/infrastructure/torinreine/config/backend.hcl.example b/infrastructure/torinreine/config/backend.hcl.example
diff --git a/infrastructure/torinreine/versions.tf b/infrastructure/torinreine/versions.tf
@@ -7,6 +7,7 @@ terraform {
   }
 
   backend "s3" {
-    # sourced from config/backend.hcl
+    bucket = "tofu-state"
+    key = "torinreine.com/iac/prod"
   }
 }