feat(external): create API token for external-dns

external/applicationset.tf

@@ -1,6 +1,5 @@
 provider "kubernetes" {
-  # Environment variables
-  # KUBE_CONFIG_PATH
+  config_path = "${path.root}/../metal/kubeconfig.yaml"
 }
 
 resource "kubernetes_manifest" "external_applicationset" {

external/cloudflare.tf

@@ -11,6 +11,12 @@ data "cloudflare_zone" "khuedoan_com" {
   name = "khuedoan.com"
 }
 
+data "cloudflare_api_token_permission_groups" "all" {}
+
+data "http" "public_ip" {
+  url = "https://icanhazip.com"
+}
+
 resource "random_password" "tunnel_secret" {
   length  = 64
   special = false
@@ -68,3 +74,36 @@ resource "kubernetes_secret" "cloudflared_credentials" {
     })
   }
 }
+
+resource "cloudflare_api_token" "external_dns" {
+  name = "homelab_external_dns"
+
+  policy {
+    permission_groups = [
+      data.cloudflare_api_token_permission_groups.all.permissions["DNS Write"],
+      data.cloudflare_api_token_permission_groups.all.permissions["Zone Read"]
+    ]
+    resources = {
+      "com.cloudflare.api.account.zone.*" = "*"
+    }
+  }
+
+  condition {
+    request_ip {
+      in = [
+        data.http.public_ip.body
+      ]
+    }
+  }
+}
+
+resource "kubernetes_secret" "external_dns_token" {
+  metadata {
+    name = "cloudflare-api-token"
+    namespace = "external-dns"
+  }
+
+  data = {
+    "value" = cloudflare_api_token.external_dns.value
+  }
+}

external/external-dns/values.yaml

@@ -1,2 +1,8 @@
 external-dns:
   provider: cloudflare
+  env:
+  - name: CF_API_TOKEN
+    valueFrom:
+      secretKeyRef:
+        name: cloudflare-api-token
+        key: value

external/versions.tf

@@ -25,5 +25,10 @@ terraform {
       source = "hashicorp/kubernetes"
       version = "~> 2.7.0"
     }
+
+    http = {
+      source = "hashicorp/http"
+      version = "~> 2.1.0"
+    }
   }
 }