🚧 terraform

2025-09-17 18:24:14 +02:00 · 2023-11-21 21:39:03 +01:00
parent 8c64aa1b86
commit 19491c9d8c
7 changed files with 35 additions and 32 deletions
--- a/kubernetes/apps/flux-system/tf-controller/terraforms/kustomization.yaml
+++ b/kubernetes/apps/flux-system/tf-controller/terraforms/kustomization.yaml
@@ -4,4 +4,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - ./ocirepository.yaml
-  #- ./terraform.yaml
+  - ./terraform.yaml
--- a/kubernetes/apps/flux-system/tf-controller/terraforms/terraform.yaml
+++ b/kubernetes/apps/flux-system/tf-controller/terraforms/terraform.yaml
@@ -8,15 +8,11 @@ spec:
  suspend: false
  approvePlan: auto
  interval: 12h
-  path: ./storage/apps
+  path: ./storage/minio
  sourceRef:
    kind: OCIRepository
    name: terraform
    namespace: flux-system
-  backendConfig:
-    disable: true
-  cliConfigSecretRef:
-    name: tf-controller-tfrc-secret
  runnerPodTemplate:
    spec:
      env:
--- a/shell.nix
+++ b/shell.nix
@@ -0,0 +1,13 @@
+let
+  # Configure Nix to allow unfree packages.
+  config = {
+    allowUnfree = true;
+  };
+  pkgs = import <nixpkgs> {inherit config;};
+in
+  pkgs.mkShell {
+    buildInputs = with pkgs; [
+      terraform
+      tflint
+    ];
+  }
--- a/terraform/storage/minio/main.tf
+++ b/terraform/storage/minio/main.tf
@@ -7,10 +7,6 @@ terraform {
    }
  }
  required_providers {
-    kubernetes = {
-      source  = "hashicorp/kubernetes"
-      version = "2.23.0"
-    }
    sops = {
      source  = "carlpett/sops"
      version = "1.0.0"
@@ -19,10 +15,14 @@ terraform {
      source  = "hashicorp/time"
      version = "0.9.1"
    }
+    minio = {
+      source  = "aminueza/minio"
+      version = "~> 2.0"  # Replace with your desired version constraint
+    }
  }
  required_version = ">= 1.3.0"
 }

 data "sops_file" "secrets" {
-  source_file = "secrets.sops.yaml"
+  source_file = "./secrets.sops.yaml"
 }
--- a/terraform/storage/minio/providers.tf
+++ b/terraform/storage/minio/providers.tf
@@ -1,12 +1,7 @@
-provider "aws" {
-  access_key = "your_access_key"
-  secret_key = "your_secret_key"
-  region     = "us-east-1"
-  endpoints {
-    s3 = "base64decode(data.sops_file.secrets.data["minio_endpoint"])"
-  }
-  skip_credentials_validation = true
-  skip_metadata_api_check     = true
-  skip_requesting_account_id  = true
-  s3_force_path_style         = true
+provider "minio" {
+  minio_server   = data.sops_file.secrets.data["minio_server"]
+  minio_user     = data.sops_file.secrets.data["minio_root_user"]
+  minio_password = data.sops_file.secrets.data["minio_root_password"]
+  minio_region   = "us-east-1"
+  minio_ssl      = true
 }
--- a/terraform/storage/minio/secrets.sops.yaml
+++ b/terraform/storage/minio/secrets.sops.yaml
@@ -1,4 +1,4 @@
-minio_endpoint: ENC[AES256_GCM,data:Lx05cjWbTqmXpGMVjJIuFS0blA7m9P0gJH0p+Z8OteM=,iv:SvcuQojEK4nMXY+80oSGSnovKtN221xgGtRHd0U5OaA=,tag:UrWetEvmP4qkBo5kMfzALg==,type:str]
+minio_server: ENC[AES256_GCM,data:NYLbkjMG3Fr/aPhwirJPWQbiNgn+oSRDzw==,iv:BX5TwBgI/Qe+LZKJ343TNLOnTwtxv4UPDYWMtZof4QM=,tag:a/9r9UPYu2X6YpZFKeFhng==,type:str]
 minio_root_user: ENC[AES256_GCM,data:9n5EvcU=,iv:hMpFlmvwYcjHdcdg6zNfHimjhltgTUe7nBUMV6HQi/U=,tag:nSwSU0ebzbH1SWR0ULLhKg==,type:str]
 minio_root_password: ENC[AES256_GCM,data:TE4Etq58bqOdB6ya13cLfZBdgnI=,iv:y0UF4eC1Gx6zdNEuXTS5GbiYran45w63YjEu4od+ExY=,tag:Qyk+r8NIMc3NltagK5Rrjw==,type:str]
 sops:
@@ -16,8 +16,8 @@ sops:
            ZFlyQ1lGbnVPaSs4cytQYzNwRnJabmcKP0ogZqsaoD6heCqmObwttBgE039aLqe2
            R55NPkQJJyFSbDbdDmPApE4IwtXay54QGw2RR4AxOZW4G2dWhdzP3w==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-11-16T01:41:33Z"
-    mac: ENC[AES256_GCM,data:PBr4A9D6grWs7HgMGloDnDOhhT4/v4PvyqFxhdfzsm38FfZomceh7PpfMbdEH/Fv6Jsv9Z8f7aWTCt4IiSCGENJyZSGIL14ABDw/ao44Q1wtsh2Axjm4KWPr1iWWtu/Cbdv22vdbK2hlM0sXkCfiPboWIkVpaFTQQ5EW7+stryw=,iv:2Vdp7i4EdL/LVo9BD3PVCn5lan/J0khVdOcIIv66ayE=,tag:X5LdJESAcdDRXOQNlYoP3A==,type:str]
+    lastmodified: "2023-11-21T21:49:39Z"
+    mac: ENC[AES256_GCM,data:c88bI6mQ7jWt2x4+TUqyMYEcymeDrelAxn71Sk0UrDhy/nVQwzUK5kpgSsxKLm54KAYSgedhK+gd9lZtIMFb31tQovsqH2L3YwZEfZj/gRbeysfFNKDSNyYGcR1Qn21YlsVG3hjCow6/c7wadJdYH+7GfoGw4yMzfcreUs6QbYs=,iv:ElJDRvMhNPDgvBR2DKLJY2Nan7nY+SoK7AhZ+zEoAfs=,tag:bYYS/iTCLHNLr/srjyY72Q==,type:str]
    pgp: []
    unencrypted_regex: ^(kind)$
    version: 3.8.1
--- a/terraform/storage/minio/svc_volsync.tf
+++ b/terraform/storage/minio/svc_volsync.tf
@@ -1,15 +1,14 @@
-resource "aws_s3_bucket" "volsync" {
+resource "minio_s3_bucket" "volsync" {
  bucket = "volsync"
  acl    = "private"
 }

-resource "aws_iam_user" "volsync_user" {
+resource "minio_iam_user" "volsync_user" {
  name = "volsync"
 }

-resource "aws_iam_policy" "volsync_private" {
+resource "minio_iam_policy" "volsync_private" {
  name        = "volsync_private"
-  description = "Policy for volsync user to access volsync bucket"

  policy = jsonencode({
    Version = "2012-10-17",
@@ -31,7 +30,7 @@ resource "aws_iam_policy" "volsync_private" {
  })
 }

-resource "aws_iam_user_policy_attachment" "volsync_user_policy_attachment" {
-  user       = aws_iam_user.volsync_user.name
-  policy_arn = aws_iam_policy.volsync_private.arn
+resource "minio_iam_user_policy_attachment" "volsync_user_policy_attachment" {
+  user_name   = minio_iam_user.volsync_user.name
+  policy_name = minio_iam_policy.volsync_private.name
 }