Experiment with Nix to apply Terraform

2023-09-08 11:26:32 +01:00 · 2023-09-08 11:26:32 +01:00 · 26bc849577
parent 0f3ac88640
commit 26bc849577
8 changed files with 168 additions and 183 deletions
--- a/.gitignore
+++ b/.gitignore
@ -42,3 +42,5 @@ output/
 result
 .direnv/
 .env
+plan.out
+config.tf.json
--- a/flake.lock
+++ b/flake.lock
@ -20,6 +20,38 @@
        "type": "github"
      }
    },
+    "bats-assert": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1636059754,
+        "narHash": "sha256-ewME0l27ZqfmAwJO4h5biTALc9bDLv7Bl3ftBzBuZwk=",
+        "owner": "bats-core",
+        "repo": "bats-assert",
+        "rev": "34551b1d7f8c7b677c1a66fc0ac140d6223409e5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "bats-core",
+        "repo": "bats-assert",
+        "type": "github"
+      }
+    },
+    "bats-support": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1548869839,
+        "narHash": "sha256-Gr4ntadr42F2Ks8Pte2D4wNDbijhujuoJi4OPZnTAZU=",
+        "owner": "bats-core",
+        "repo": "bats-support",
+        "rev": "d140a65044b2d6810381935ae7f0c94c7023c8c3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "bats-core",
+        "repo": "bats-support",
+        "type": "github"
+      }
+    },
    "darwin": {
      "inputs": {
        "nixpkgs": [
@ -42,6 +74,21 @@
        "type": "github"
      }
    },
+    "flake-utils": {
+      "locked": {
+        "lastModified": 1634851050,
+        "narHash": "sha256-N83GlSGPJJdcqhUxSCS/WwW5pksYf3VP1M13cDRTSVA=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "c91f3de5adaf1de973b797ef7485e441a65b8935",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
@ -185,13 +232,66 @@
        "type": "github"
      }
    },
+    "nixpkgs_4": {
+      "locked": {
+        "lastModified": 1636823747,
+        "narHash": "sha256-oWo1nElRAOZqEf90Yek2ixdHyjD+gqtS/pAgwaQ9UhQ=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "f6a2ed2082d9a51668c86ba27d0b5496f7a2ea93",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
    "root": {
      "inputs": {
        "agenix": "agenix",
        "home-manager": "home-manager_2",
        "nixinate": "nixinate",
        "nixos-generators": "nixos-generators",
-        "nixpkgs": "nixpkgs_3"
+        "nixpkgs": "nixpkgs_3",
+        "terranix": "terranix"
+      }
+    },
+    "terranix": {
+      "inputs": {
+        "bats-assert": "bats-assert",
+        "bats-support": "bats-support",
+        "flake-utils": "flake-utils",
+        "nixpkgs": "nixpkgs_4",
+        "terranix-examples": "terranix-examples"
+      },
+      "locked": {
+        "lastModified": 1684906298,
+        "narHash": "sha256-pNuJxmVMGbBHw7pa+Bx0HY0orXIXoyyAXOKuQ1zpfus=",
+        "owner": "terranix",
+        "repo": "terranix",
+        "rev": "c0dd15076856c6cb425795b8c7d5d37d3a1e922a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "terranix",
+        "repo": "terranix",
+        "type": "github"
+      }
+    },
+    "terranix-examples": {
+      "locked": {
+        "lastModified": 1636300201,
+        "narHash": "sha256-0n1je1WpiR6XfCsvi8ZK7GrpEnMl+DpwhWaO1949Vbc=",
+        "owner": "terranix",
+        "repo": "terranix-examples",
+        "rev": "a934aa1cf88f6bd6c6ddb4c77b77ec6e1660bd5e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "terranix",
+        "repo": "terranix-examples",
+        "type": "github"
      }
    }
  },
--- a/flake.nix
+++ b/flake.nix
@ -2,6 +2,7 @@
  description = "Nix flake for my infrastructure";
  inputs = {
    agenix.url = "github:ryantm/agenix";
+    terranix.url = "github:terranix/terranix";
    nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
    nixinate.url = "github:matthewcroughan/nixinate";
    home-manager.url = "github:nix-community/home-manager";
@ -12,9 +13,13 @@
    };
  };

-  outputs = { self, nixpkgs, nixos-generators, nixinate, home-manager, agenix }:
+  outputs = { self, nixpkgs, nixos-generators, nixinate, home-manager, agenix, terranix }:
    let
      pkgs = nixpkgs.legacyPackages.x86_64-linux;
+      tf = terranix.lib.terranixConfiguration {
+        system = "x86_64-linux";
+        modules = [ ./terraform/main.nix ];
+      };
    in {
      devShells.x86_64-linux.default = with pkgs; mkShell {
        shellHook =
@ -40,7 +45,30 @@
          format = "sd-aarch64-installer";
        };
      };
-      apps = nixinate.nixinate.x86_64-linux self;
+
+      apps = nixinate.nixinate.x86_64-linux self // {
+        x86_64-linux = {
+          tf-plan = {
+            type = "app";
+            program = toString (pkgs.writers.writeBash "plan" ''
+            if [[ -e terraform/config.tf.json ]]; then rm -f terraform/config.tf.json; fi
+            cp ${tf} terraform/config.tf.json \
+              && ${pkgs.terraform}/bin/terraform -chdir=terraform init \
+              && ${pkgs.terraform}/bin/terraform -chdir=terraform plan -out=plan.out
+          '');
+          };
+          tf-apply = {
+            type = "app";
+            program = toString (pkgs.writers.writeBash "apply" ''
+            if [[ -e terraform/config.tf.json ]]; then rm -f terraform/config.tf.json; fi
+            cp ${tf} terraform/config.tf.json \
+              && ${pkgs.terraform}/bin/terraform -chdir=terraform init \
+              && ${pkgs.terraform}/bin/terraform -chdir=terraform apply plan.out
+          '');
+          };
+        };
+      };
+
      homeConfigurations."gsimmer" = home-manager.lib.homeManagerConfiguration {
        inherit pkgs;
        modules = [ ./nix/london/gsimmer.nix ];
--- a/terraform/.terraform.lock.hcl
+++ b/terraform/.terraform.lock.hcl
@ -43,51 +43,6 @@ provider "registry.terraform.io/hashicorp/aws" {
  ]
 }

-provider "registry.terraform.io/hetznercloud/hcloud" {
-  version     = "1.36.1"
-  constraints = "1.36.1"
-  hashes = [
-    "h1:xZSvxx6aUo0oZp2uqNxi/+wqnCNEBBuu8y7GeXIO9qA=",
-    "zh:16558b25c7f92f187278e94e951b0ab687882b06acff5b1387f3293f27939f8c",
-    "zh:28fc79ac2189ff0f5e6c9535ada8f57552b6e21c978b59dc78e086c27b9e4b23",
-    "zh:373907f9f7f2cefa94e2d5638bf5bef3d3b17e7655dc84dd6089346c6f4f9096",
-    "zh:394716cd877de682a0772d660f1bdb3838c5d751eca2211105d5ede248c48c39",
-    "zh:3c438c6590fcc8ac65a10039b2f5ba9ee379a734cb93a59c6cf74f385d891e87",
-    "zh:3f777a460a62fd23b283c269f1533b3887bf0c5564581e1e96cf294e077f5a8a",
-    "zh:4f62967553d7ce81ec14db7685306b625970ba6640b5764dc0137675ab97af0b",
-    "zh:56da08f8d75f596d6f9da4f0fd16bd60d1733cabcc260e885e1d7a711d6d3d8b",
-    "zh:62776c885bfa8e715dba6662f1744b5251f4cdd523dd4d1e4ccb2e25489593e9",
-    "zh:64cbb68139aa65f95ab3e654d872f9d34ef991fbf667fc30e0f29b96b5e8b4ed",
-    "zh:75a4b7a73ff0a537214d12d820438b7ae7a33d660e5d793f4ae0ebe3152bff00",
-    "zh:7b59d72538772ada7d51eaa50c905285200b1889ab29948b533412ccdf4d18de",
-    "zh:b84eeaa82bf765c6dd945ae83f1a9271fa5fad53b861b18b09cb8deda67dae13",
-    "zh:e81c3ea971e32a6ca3fdb0cd9e644614308ab2cf2a19482dd8a109d67fe3fb6f",
-  ]
-}
-
-provider "registry.terraform.io/sharkyrawr/cloudns" {
-  version     = "0.0.7"
-  constraints = "0.0.7"
-  hashes = [
-    "h1:9j02xibBw0ol2nDg7dd/w5A3IwT9Ih2fQWC3LWmPrBw=",
-    "zh:00981e00a0efacc99e118cf72708b3889622afc8e997a18e29649a646bb25e83",
-    "zh:357235742de49011118f173e121e1406ef26a2bdda6864cd2f13c4cc9af73d3e",
-    "zh:3fa3db9190f8d44452f8d6528f7aebda15e66f5c33a8423bae32c352b157df38",
-    "zh:4bae8164457b0f94bcdcfed18d7296fabc01a46ac03f6ec21e38dbf442aabddb",
-    "zh:a27c5153b1fde30e7037ed19b354af8e1d9a4952ec420e5f6e09bdc148263e9e",
-    "zh:aa7d6555c0a345dbb094bb903d2ae5261ced464d8b58c2e24c561970130be824",
-    "zh:bc188c2ff5351453ae23e65b3baa00567cd0be8ca26c2be08fb0168a9b88d5d2",
-    "zh:c8e72151976d2bcdc107a926c3d9c9cee6e5ac0ce7e446544a60cca1d35217c3",
-    "zh:d648371729035dc52b0437462e9f91b24f3fea6427e043c0016e02a91c60b7eb",
-    "zh:d8dc24aa0c586a12ea19e46cf14e3e6fc1ec6e3281aafaba35da9d4e26f23cd0",
-    "zh:e43b20807b37db5c2bd2806350321b0bd6831c0675abe0d74d42c1cc894f711d",
-    "zh:fa101cec498688add26a3f5cee96bc409d09e1d611b4e934d4233a56d812f81b",
-    "zh:fbd1fee2c9df3aa19cf8851ce134dea6e45ea01cb85695c1726670c285797e25",
-    "zh:fd5bc423d1d68aa6905ba01e0e5e3f552e4f656f636117cd26e1f2394a6d1bf4",
-    "zh:fe80010ea109e573561da1c93d91af7d8525387e0d2ff1185672f7464fb26956",
-  ]
-}
-
 provider "registry.terraform.io/vercel/vercel" {
  version     = "0.14.0"
  constraints = "0.14.0"
--- a/terraform/gmem.ca.tf
+++ b/terraform/gmem.ca.tf
@ -194,34 +194,16 @@ output "website_endpoint" {
  value = aws_s3_bucket_website_configuration.gmem-ca-static_site.website_domain
 }

-resource "aws_acm_certificate" "gmem-ca-cert" {
-  domain_name       = aws_route53_zone.gmemca.name
-  validation_method = "DNS"
-  provider          = aws.virginia
-}
-
 resource "aws_route53_record" "gmem-ca-cert_validation" {
-  for_each = {
-    for dvo in aws_acm_certificate.gmem-ca-cert.domain_validation_options : dvo.domain_name => {
-      name   = dvo.resource_record_name
-      record = dvo.resource_record_value
-      type   = dvo.resource_record_type
-    }
-  }
-
-  name    = each.value.name
-  records = [each.value.record]
+  name    = "_3adc54fd4a6993b9586a54e190b9fb71.gmem.ca"
+  records = [
+	"_094fa9d82c24dca77f6e9059f535d155.fpgkgnzppq.acm-validations.aws."
+  ]
  ttl     = 60
-  type    = each.value.type
+  type    = "CNAME"
  zone_id = aws_route53_zone.gmemca.zone_id
 }

-resource "aws_acm_certificate_validation" "gmem-ca-cert" {
-  certificate_arn         = aws_acm_certificate.gmem-ca-cert.arn
-  validation_record_fqdns = [for record in aws_route53_record.gmem-ca-cert_validation : record.fqdn]
-  provider                = aws.virginia
-}
-
 resource "aws_cloudfront_distribution" "gmem-ca-s3_distribution" {
  origin {
    domain_name = aws_s3_bucket.gmem-ca-static_site.bucket_regional_domain_name
@ -257,7 +239,7 @@ resource "aws_cloudfront_distribution" "gmem-ca-s3_distribution" {
  comment             = "S3 Static Site Distribution for gmem.ca"
  default_root_object = "index.html"

-  aliases = [aws_acm_certificate.gmem-ca-cert.domain_name]
+  aliases = [ "gmem.ca", "arch.dog" ]

  default_cache_behavior {
    allowed_methods            = ["GET", "HEAD", "OPTIONS"]
@ -301,7 +283,7 @@ resource "aws_cloudfront_distribution" "gmem-ca-s3_distribution" {
  }

  viewer_certificate {
-    acm_certificate_arn      = aws_acm_certificate_validation.gmem-ca-cert.certificate_arn
+    acm_certificate_arn      = "arn:aws:acm:us-east-1:939265269301:certificate/1aa4bae9-701d-4f55-bad4-85144f6c1297"
    ssl_support_method       = "sni-only"
    minimum_protocol_version = "TLSv1.2_2021"
  }
--- a/terraform/hcloud-kubernetes-cluster.tf
+++ b/terraform/hcloud-kubernetes-cluster.tf
@ -1,62 +0,0 @@
-resource "hcloud_network" "kube-network" {
-  name     = "kube-network"
-  ip_range = "10.0.0.0/16"
-}
-
-resource "hcloud_network_subnet" "kube-subnet" {
-  network_id   = hcloud_network.kube-network.id
-  type         = "cloud"
-  network_zone = "eu-central"
-  ip_range     = "10.0.1.0/24"
-}
-
-resource "hcloud_ssh_key" "default" {
-  name       = "YubiKey"
-  public_key = file("~/.ssh/id_ed25519_sk.pub")
-}
-
-resource "hcloud_server" "control-plane" {
-  count       = 0
-  name        = "control-plane"
-  server_type = "cx21"
-  image       = "ubuntu-22.04"
-  location    = "nbg1"
-
-  network {
-    network_id = hcloud_network.kube-network.id
-    ip         = "10.0.1.1"
-  }
-
-  depends_on = [
-    hcloud_network_subnet.kube-subnet
-  ]
-
-  user_data = templatefile("${path.module}/templates/tailscale-kube-control-plane.yaml.tpl", {
-    tailscale_key = var.tailscale_key
-  })
-
-  ssh_keys = [hcloud_ssh_key.default.id]
-}
-
-resource "hcloud_server" "worker-node" {
-  count       = 0
-  name        = "worker-node-${count.index + 1}"
-  server_type = "cx21"
-  image       = "ubuntu-22.04"
-  location    = "nbg1"
-
-  network {
-    network_id = hcloud_network.kube-network.id
-    ip         = "10.0.1.${count.index + 2}"
-  }
-
-  depends_on = [
-    hcloud_network_subnet.kube-subnet
-  ]
-
-  user_data = templatefile("${path.module}/templates/tailscale-kube-worker.yaml.tpl", {
-    tailscale_key = var.tailscale_key
-  })
-
-  ssh_keys = [hcloud_ssh_key.default.id]
-}
--- a/terraform/main.nix
+++ b/terraform/main.nix
@ -0,0 +1,28 @@
+{ ... }: {
+  terraform = {
+    required_providers = {
+      cloudflare.source = "cloudflare/cloudflare";
+      vercel.source = "vercel/vercel";
+    };
+    backend."s3" = {
+      bucket = "gsimmer-terraform-state";
+      key    = "state/personal.tfstate";
+      region = "eu-west-2";
+
+      dynamodb_table = "gsimmer-terraform-lock";
+    };
+  };
+  
+  provider = {
+    "cloudflare" = {};
+    "aws" = [
+      {
+        region = "us-east-1";
+        alias = "virginia";
+      }
+      {
+        region = "eu-west-2";
+      }
+    ];
+  };
+}
--- a/terraform/main.tf
+++ b/terraform/main.tf
@ -1,48 +0,0 @@
-terraform {
-  required_providers {
-    vercel = {
-      source  = "vercel/vercel"
-      version = "0.14.0"
-    }
-    aws = {
-      source  = "hashicorp/aws"
-      version = "4.28.0"
-    }
-    hcloud = {
-      source  = "hetznercloud/hcloud"
-      version = "1.36.1"
-    }
-    cloudflare = {
-      source  = "cloudflare/cloudflare"
-      version = "3.33.1"
-	}
-	cloudns = {
-      source = "SharkyRawr/cloudns"
-      version = "0.0.7"
-    }
-  }
-  backend "s3" {
-    bucket = "gsimmer-terraform-state"
-    key    = "state/personal.tfstate"
-    region = "eu-west-2"
-
-    dynamodb_table = "gsimmer-terraform-lock"
-  }
-}
-
-provider "aws" {
-  alias  = "virginia"
-  region = "us-east-1"
-}
-
-provider "aws" {
-  region = "eu-west-2"
-}
-
-provider "hcloud" {}
-
-variable "tailscale_key" {
-  type = string
-}
-
-provider "cloudns" {}