# Retry a failing Terraform invocation up to 3 times, sleeping 10 seconds
# between attempts, so transient failures do not abort the whole run.
retry_max_attempts = 3
retry_sleep_interval_sec = 10
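locals {
  # Absolute path of the git checkout, e.g. /home/andrey/gh/self
  root = get_repo_root()
  # Last path component of the checkout, e.g. "self"
  project_name = basename(local.root)
  # Path of this unit relative to the repo root, prefixed with the project
  # name, e.g. self/infra/project. It forms the path part of the remote
  # state address.
  tfstate_path = "${local.project_name}/${get_path_from_repo_root()}"

  # Raw JSON document carrying all secrets, taken from the `self_secrets`
  # environment variable. No default is given, so an unset variable is an
  # error rather than an empty document.
  self_secrets_val = get_env("self_secrets")

  # Decoded secrets object. The fallback on a parse failure deliberately does
  # not reference the raw value: interpolating it into a `sh -c` script would
  # expose the secret in the shell's argv and in Terragrunt's logged run_cmd
  # output, and a quote character inside the value would break out of the
  # script's quoting. Fail fast with a redacted message instead; the non-zero
  # exit makes run_cmd error, so try() surfaces the failure here rather than
  # as a confusing attribute error further down.
  self_secrets = try(
    jsondecode(local.self_secrets_val),
    run_cmd("sh", "-c", "echo 'There was an issue parsing self_secrets (value withheld)' >&2; exit 1")
  )

  # Provider names enabled for this unit, declared in the sibling providers.hcl.
  providers = read_terragrunt_config("providers.hcl").locals.providers
}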
# Every child unit receives the decoded secrets object as the `self_secrets`
# input. The generated variable below declares it as a string and decodes it
# again (Terragrunt passes non-string inputs to Terraform as JSON text).
inputs = {
  self_secrets = local.self_secrets
}
terraform {
  # All units run the module at <repo root>/_modules. The trailing "//" is
  # the subdirectory separator for module sources; with nothing after it the
  # module root is the _modules directory itself.
  source = "${get_repo_root()}/_modules//"
}
remote_state {
  backend = "http"

  # State address and credentials for the http backend. The same URL serves
  # state, lock and unlock; the path is the per-unit tfstate_path local.
  # NOTE(review): the generated backend file renders this config, credentials
  # included, in plaintext on disk — keep zz_generated.* out of version
  # control, or move the credentials to TF_HTTP_USERNAME / TF_HTTP_PASSWORD.
  config = {
    address        = "https://tf.kaipov.com/${local.tfstate_path}"
    lock_address   = "https://tf.kaipov.com/${local.tfstate_path}"
    unlock_address = "https://tf.kaipov.com/${local.tfstate_path}"
    username       = local.self_secrets.setup.tf_backend_username
    password       = local.self_secrets.setup.tf_backend_password
  }

  # Terragrunt writes the backend block for us; overwrite on every run so the
  # file always mirrors this configuration.
  generate = {
    path      = "zz_generated.backend.tf"
    if_exists = "overwrite"
  }
}
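// pass secrets to our terragrunt modules.
// The variable is marked sensitive so Terraform redacts the JSON document,
// and every value derived from it, from plan and apply output. Any
// child-module output built from local.secrets must itself declare
// `sensitive = true`, otherwise Terraform refuses the output.
generate "secrets" {
  path      = "zz_generated.secrets.tf"
  if_exists = "overwrite"
  contents  = <<EOF
variable "self_secrets" {
  type      = string
  sensitive = true
}
locals {
  secrets = jsondecode(var.self_secrets)
}
EOF
}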
# declare providers based on contents of providers.hcl in child modules.
# in case our terragrunt module declares their own providers, we use the
# override directive to avoid conflicts:
# https://developer.hashicorp.com/terraform/language/files/override
#
# The template below is rendered by Terragrunt: each provider's
# required_providers entry and provider block are emitted only when its name
# appears in local.providers. Azure and Cloudflare credentials are read from
# the decoded secrets object (local.secrets, declared in the generated
# secrets file); the 1Password provider takes its token from the environment.
# Each version constraint is bounded to one major version, so a new major
# release is never picked up implicitly.
generate "provider_override" {
  path      = "zz_generated.provider_override.tf"
  if_exists = "overwrite"
  contents  = <<EOF
terraform {
  required_providers {
    %{~if contains(local.providers, "azure")~}
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 3.0, < 4.0"
    }
    %{~endif~}
    %{~if contains(local.providers, "cloudflare")~}
    cloudflare = {
      source  = "cloudflare/cloudflare"
      version = ">= 4.0, < 5.0"
    }
    %{~endif~}
    %{~if contains(local.providers, "onepassword")~}
    onepassword = {
      source  = "1Password/onepassword"
      version = ">= 1.0, < 2.0"
    }
    %{~endif~}
  }
}
%{~if contains(local.providers, "azure")}
provider "azurerm" {
  features {}
  skip_provider_registration = true
  client_id       = local.secrets.setup.az_service_principal.appId
  client_secret   = local.secrets.setup.az_service_principal.password
  tenant_id       = local.secrets.setup.az_service_principal.tenantId
  subscription_id = local.secrets.setup.az_service_principal.subscriptionId
}
%{~endif}
%{~if contains(local.providers, "cloudflare")}
provider "cloudflare" {
  api_token = local.secrets.setup.cloudflare_api_token
}
%{~endif}
%{~if contains(local.providers, "onepassword")}
provider "onepassword" {
  // set via OP_SERVICE_ACCOUNT_TOKEN env var
  // it's how we got all the other secrets
}
%{~endif}
EOF
}