Initial commit: set up DigitalOcean Terraform backend

2020-12-03 13:35:17 -05:00 · 2020-12-03 13:35:17 -05:00 · d9fa6a96ff
commit d9fa6a96ff
6 changed files with 83 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,4 @@
+/.envrc
+/backend-config.tf
+*/**/.terraform
+*.tfstate*
--- a/README.md
+++ b/README.md
@ -0,0 +1,23 @@
+# My personal infrastructure-as-code
+
+This repository contains the configuration files and scripts to support the infrastructure I use for personal projects.
+
+## Terraform environment variables and config
+Terraform state is stored in a DigitalOcean Spaces bucket. In order to access the bucket, the Terraform backend configuration needs the `access_key` and `secret_key` variables set. These variables are the DigitalOcean Spaces access key and secret key, respectively, which are generated from the DigitalOcean Spaces UI. I'm passing them to Terraform via the `-backend-config` `terraform init` option. I create a file `backend-config.tf` in the root directory containing the necessary variables:
+
+```terraform
+access_key = "xxxxxxxxxxxxxxxxxxxx"
+secret_key = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+```
+
+Then run `terraform init -backend-config=backend-config.tf` when I need to run any Terraform commands. This operation is encapsulated in the `tf-init.sh` script.
+
+The Terraform scripts also require some environment variables set:
+
+```bash
+export TF_VAR_do_token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+export TF_VAR_spaces_access_id=xxxxxxxxxxxxxxxxxxxx
+export TF_VAR_spaces_secret_key=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+```
+
+The `do_token` is the DigitalOcean API token, generated from the DigitalOcean API console UI, and the `spaces_access_id` and `spaces_secret_key` are the same Spaces configuration values as above. I'm setting these variables via [`direnv`](https://direnv.net/) with a `.envrc` file at the repository root.
--- a/mgmt/do-spaces/main.tf
+++ b/mgmt/do-spaces/main.tf
@ -0,0 +1,14 @@
+provider "digitalocean" {
+  token             = var.do_token
+  spaces_access_id  = var.spaces_access_id
+  spaces_secret_key = var.spaces_secret_key
+}
+
+resource "digitalocean_spaces_bucket" "jdormit_tf_state" {
+  name   = "jdormit-tf-state"
+  region = "nyc3"
+
+  lifecycle {
+    prevent_destroy = true
+  }
+}
--- a/mgmt/do-spaces/terraform.tf
+++ b/mgmt/do-spaces/terraform.tf
@ -0,0 +1,21 @@
+terraform {
+  required_providers {
+    digitalocean = {
+      source  = "digitalocean/digitalocean"
+      version = "~> 2.3.0"
+    }
+  }
+
+  # This DO Spaces bucket is created via main.tf, so to bootstrap this
+  # module comment out the following backend configuration, run
+  # Terraform, then uncomment it and run terraform init again
+  backend "s3" {
+    skip_credentials_validation = true
+    skip_metadata_api_check     = true
+    # Need to specify an AWS region to stop Terraform complaining
+    region                      = "us-east-1"
+    endpoint                    = "nyc3.digitaloceanspaces.com"
+    bucket                      = "jdormit-tf-state"
+    key                         = "mgmt/do-spaces.tfstate"
+  }
+}
--- a/mgmt/do-spaces/variables.tf
+++ b/mgmt/do-spaces/variables.tf
@ -0,0 +1,11 @@
+variable "do_token" {
+  type = string
+}
+
+variable "spaces_access_id" {
+  type = string
+}
+
+variable "spaces_secret_key" {
+  type = string
+}
--- a/tf-init.sh
+++ b/tf-init.sh
@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+BACKEND_FILE="$(dirname $0)/backend-config.tf"
+
+if [ -f "$BACKEND_FILE" ]; then
+    terraform init -backend-config="$BACKEND_FILE"
+else
+    echo "Could not find $BACKEND_FILE"
+    exit 1
+fi