From c55b98186d9eab259669fc6e1392b7366cbe04c4 Mon Sep 17 00:00:00 2001
From: Khue Doan
Date: Sat, 25 Dec 2021 02:06:05 +0700
Subject: [PATCH] refactor(external): split Cloudflare into multiple files
---
 external/cert_manager.tf | 30 ++++++++++++
 external/cloudflare.tf | 99 ----------------------------------------
 external/cloudflared.tf | 36 +++++++++++++++
 external/external_dns.tf | 31 +++++++++++++
 4 files changed, 97 insertions(+), 99 deletions(-)
 create mode 100644 external/cert_manager.tf
 create mode 100644 external/cloudflared.tf
 create mode 100644 external/external_dns.tf
diff --git a/external/cert_manager.tf b/external/cert_manager.tf
new file mode 100644
index 00000000..d74a7061
--- /dev/null
+++ b/external/cert_manager.tf
@@ -0,0 +1,30 @@
+resource "cloudflare_api_token" "cert_manager" {
+ name = "homelab_cert_manager"
+
+ policy {
+ permission_groups = [
+ data.cloudflare_api_token_permission_groups.all.permissions["Zone Read"],
+ data.cloudflare_api_token_permission_groups.all.permissions["DNS Write"]
+ ]
+ resources = {
+ "com.cloudflare.api.account.zone.*" = "*"
+ }
+ }
+
+ condition {
+ request_ip {
+ in = local.public_ips
+ }
+ }
+}
+
+resource "kubernetes_secret" "cert_manager_token" {
+ metadata {
+ name = "cloudflare-api-token"
+ namespace = "cert-manager"
+ }
+
+ data = {
+ "api-token" = cloudflare_api_token.cert_manager.value
+ }
+}
diff --git a/external/cloudflare.tf b/external/cloudflare.tf
index 4b6dc585..5dafbf7f 100644
--- a/external/cloudflare.tf
+++ b/external/cloudflare.tf
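Review bot: The `resources` map in the `cert_manager` token policy, `"com.cloudflare.api.account.zone.*" = "*"`, grants Zone Read and DNS Write on every zone in the account, although cert-manager only needs to edit records in the single zone this configuration already looks up as `data.cloudflare_zone.khuedoan_com` (referenced in cloudflared.tf). Scoping the key to that zone, `"com.cloudflare.api.account.zone.${data.cloudflare_zone.khuedoan_com.id}" = "*"`, bounds what the token can change if it is ever exposed; it is written in plain form into the `cert-manager` namespace Secret and into Terraform state. The same wildcard appears in the `external_dns` token in external/external_dns.tf and can be narrowed the same way. The `request_ip` condition on `local.public_ips` is a useful second layer, but it limits where requests may come from, not which zones an accepted request may modify.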
@@ -22,102 +22,3 @@ locals {
 # "${chomp(data.http.public_ipv6.body)}/128"
 ]
 }
-
-resource "random_password" "tunnel_secret" {
- length = 64
- special = false
-}
-
-resource "cloudflare_argo_tunnel" "homelab" {
- account_id = var.cloudflare_account_id
- name = "homelab"
- secret = base64encode(random_password.tunnel_secret.result)
-}
-
-resource "kubernetes_secret" "cloudflared_credentials" {
- metadata {
- name = "cloudflared-credentials"
- namespace = "cloudflared"
- }
-
- data = {
- "credentials.json" = jsonencode({
- AccountTag = var.cloudflare_account_id
- TunnelName = cloudflare_argo_tunnel.homelab.name
- TunnelID = cloudflare_argo_tunnel.homelab.id
- TunnelSecret = base64encode(random_password.tunnel_secret.result)
- })
- }
-}
-
-resource "cloudflare_api_token" "external_dns" {
- name = "homelab_external_dns"
-
- policy {
- permission_groups = [
- data.cloudflare_api_token_permission_groups.all.permissions["Zone Read"],
- data.cloudflare_api_token_permission_groups.all.permissions["DNS Write"]
- ]
- resources = {
- "com.cloudflare.api.account.zone.*" = "*"
- }
- }
-
- condition {
- request_ip {
- in = local.public_ips
- }
- }
-}
-
-# Not proxied, not accessible. Just a record for auto-created CNAMEs by external-dns.
-resource "cloudflare_record" "tunnel" {
- zone_id = data.cloudflare_zone.khuedoan_com.id
- type = "CNAME"
- name = "homelab-tunnel"
- value = "${cloudflare_argo_tunnel.homelab.id}.cfargotunnel.com"
- proxied = false
- ttl = 1 # Auto
-}
-
-resource "kubernetes_secret" "external_dns_token" {
- metadata {
- name = "cloudflare-api-token"
- namespace = "external-dns"
- }
-
- data = {
- "value" = cloudflare_api_token.external_dns.value
- }
-}
-
-resource "cloudflare_api_token" "cert_manager" {
- name = "homelab_cert_manager"
-
- policy {
- permission_groups = [
- data.cloudflare_api_token_permission_groups.all.permissions["Zone Read"],
- data.cloudflare_api_token_permission_groups.all.permissions["DNS Write"]
- ]
- resources = {
- "com.cloudflare.api.account.zone.*" = "*"
- }
- }
-
- condition {
- request_ip {
- in = local.public_ips
- }
- }
-}
-
-resource "kubernetes_secret" "cert_manager_token" {
- metadata {
- name = "cloudflare-api-token"
- namespace = "cert-manager"
- }
-
- data = {
- "api-token" = cloudflare_api_token.cert_manager.value
- }
-}
diff --git a/external/cloudflared.tf b/external/cloudflared.tf
new file mode 100644
index 00000000..33f633f1
--- /dev/null
+++ b/external/cloudflared.tf
@@ -0,0 +1,36 @@
+resource "random_password" "tunnel_secret" {
+ length = 64
+ special = false
+}
+
+resource "cloudflare_argo_tunnel" "homelab" {
+ account_id = var.cloudflare_account_id
+ name = "homelab"
+ secret = base64encode(random_password.tunnel_secret.result)
+}
+
+# Not proxied, not accessible. Just a record for auto-created CNAMEs by external-dns.
+resource "cloudflare_record" "tunnel" {
+ zone_id = data.cloudflare_zone.khuedoan_com.id
+ type = "CNAME"
+ name = "homelab-tunnel"
+ value = "${cloudflare_argo_tunnel.homelab.id}.cfargotunnel.com"
+ proxied = false
+ ttl = 1 # Auto
+}
+
+resource "kubernetes_secret" "cloudflared_credentials" {
+ metadata {
+ name = "cloudflared-credentials"
+ namespace = "cloudflared"
+ }
+
+ data = {
+ "credentials.json" = jsonencode({
+ AccountTag = var.cloudflare_account_id
+ TunnelName = cloudflare_argo_tunnel.homelab.name
+ TunnelID = cloudflare_argo_tunnel.homelab.id
+ TunnelSecret = base64encode(random_password.tunnel_secret.result)
+ })
+ }
+}
diff --git a/external/external_dns.tf b/external/external_dns.tf
new file mode 100644
index 00000000..5ac811c3
--- /dev/null
+++ b/external/external_dns.tf
@@ -0,0 +1,31 @@
+resource "cloudflare_api_token" "external_dns" {
+ name = "homelab_external_dns"
+
+ policy {
+ permission_groups = [
+ data.cloudflare_api_token_permission_groups.all.permissions["Zone Read"],
+ data.cloudflare_api_token_permission_groups.all.permissions["DNS Write"]
+ ]
+ resources = {
+ "com.cloudflare.api.account.zone.*" = "*"
+ }
+ }
+
+ condition {
+ request_ip {
+ in = local.public_ips
+ }
+ }
+}
+
+resource "kubernetes_secret" "external_dns_token" {
+ metadata {
+ name = "cloudflare-api-token"
+ namespace = "external-dns"
+ }
+
+ data = {
+ "value" = cloudflare_api_token.external_dns.value
+ }
+}
+
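Review bot: In the cloudflared.tf hunk, `base64encode(random_password.tunnel_secret.result)` is evaluated twice, once for `secret` on `cloudflare_argo_tunnel.homelab` and again for `TunnelSecret` inside the `credentials.json` document, so a later edit to one line (a different encoding, a rotated source value) leaves the tunnel and the credentials file silently disagreeing. Reading it back from the tunnel resource, `TunnelSecret = cloudflare_argo_tunnel.homelab.secret`, keeps the two in lock-step in the same way `TunnelID` and `TunnelName` already do. It is also worth a one-line comment above `random_password.tunnel_secret` noting that the raw secret and the rendered `credentials.json` are stored in Terraform state as well as in the `cloudflared-credentials` Secret, so the state backend must be protected as a credential store.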