From e698fb44de86f205ae93e8c614f18b9436e1528f Mon Sep 17 00:00:00 2001
From: Khue Doan
Date: Sun, 12 Dec 2021 12:00:24 +0700
Subject: [PATCH] feat(external): create API token for external-dns

---
external/applicationset.tf | 3 +--
external/cloudflare.tf | 39 +++++++++++++++++++++++++++++++
external/external-dns/values.yaml | 6 +++++
external/versions.tf | 5 ++++
4 files changed, 51 insertions(+), 2 deletions(-)

diff --git a/external/applicationset.tf b/external/applicationset.tf
index 09295f8e..43b2e70a 100644
--- a/external/applicationset.tf
+++ b/external/applicationset.tf
@@ -1,6 +1,5 @@
 provider "kubernetes" {
- # Environment variables
- # KUBE_CONFIG_PATH
+ config_path = "${path.root}/../metal/kubeconfig.yaml"
 }

 resource "kubernetes_manifest" "external_applicationset" {
diff --git a/external/cloudflare.tf b/external/cloudflare.tf
index 4700d737..0bad1304 100644
--- a/external/cloudflare.tf
+++ b/external/cloudflare.tf
@@ -11,6 +11,12 @@ data "cloudflare_zone" "khuedoan_com" {
 name = "khuedoan.com"
 }

+data "cloudflare_api_token_permission_groups" "all" {}
+
+data "http" "public_ip" {
+ url = "https://icanhazip.com"
+}
+
 resource "random_password" "tunnel_secret" {
 length = 64
 special = false
@@ -68,3 +74,36 @@ resource "kubernetes_secret" "cloudflared_credentials" {
 })
 }
 }
+
+resource "cloudflare_api_token" "external_dns" {
+ name = "homelab_external_dns"
+
+ policy {
+ permission_groups = [
+ data.cloudflare_api_token_permission_groups.all.permissions["DNS Write"],
+ data.cloudflare_api_token_permission_groups.all.permissions["Zone Read"]
+ ]
+ resources = {
+ "com.cloudflare.api.account.zone.*" = "*"
+ }
+ }
+
+ condition {
+ request_ip {
+ in = [
+ data.http.public_ip.body
+ ]
+ }
+ }
+}
+
+resource "kubernetes_secret" "external_dns_token" {
+ metadata {
+ name = "cloudflare-api-token"
+ namespace = "external-dns"
+ }
+
+ data = {
+ "value" = cloudflare_api_token.external_dns.value
+ }
+}
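Review bot: The body of the new `data "http" "public_ip"` source is fed unmodified into the token's `request_ip` condition in the next hunk, and icanhazip.com normally answers with a trailing newline, so the allow-list entry should be `chomp(data.http.public_ip.body)` rather than the raw body. The condition also pins the token to the public address of whatever machine runs `terraform apply`, which is only correct when the external-dns pods egress through that same address; with a different or dynamic IP the token silently stops authenticating until the next apply. Because that allow-list is derived from an unauthenticated third-party response, a wrong or tampered answer would widen the token's reach rather than narrow it, so the assumption deserves a comment on the data source, e.g. `# assumes Terraform runs from the same egress IP as the cluster; verify if DNS updates stop`.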
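Review bot: The `resources` map in the new `cloudflare_api_token.external_dns` policy grants DNS Write and Zone Read on `com.cloudflare.api.account.zone.*`, i.e. every zone the account can reach, while this file already resolves the single zone external-dns manages through `data.cloudflare_zone.khuedoan_com`; scoping the token to that zone is a one-line change, `"com.cloudflare.api.account.zone.${data.cloudflare_zone.khuedoan_com.id}" = "*"`. Separately, `cloudflare_api_token.external_dns.value` is copied into `kubernetes_secret.external_dns_token`, so the token now lives in plaintext in the Terraform state as well as in the cluster, and the state backend needs the same protection as the secret. The `external-dns` namespace the secret is created in must already exist when this applies, which nothing in the hunk establishes; presumably the ApplicationSet creates it, but the ordering is worth confirming and noting in a comment on the resource.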
diff --git a/external/external-dns/values.yaml b/external/external-dns/values.yaml
index e46e623c..31b5c61c 100644
--- a/external/external-dns/values.yaml
+++ b/external/external-dns/values.yaml
@@ -1,2 +1,8 @@
 external-dns:
 provider: cloudflare
+ env:
+ - name: CF_API_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: cloudflare-api-token
+ key: value
diff --git a/external/versions.tf b/external/versions.tf
index 7dda1255..8977ba82 100644
--- a/external/versions.tf
+++ b/external/versions.tf
@@ -25,5 +25,10 @@ terraform {
 source = "hashicorp/kubernetes"
 version = "~> 2.7.0"
 }
+
+ http = {
+ source = "hashicorp/http"
+ version = "~> 2.1.0"
+ }
 }
 }
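Review bot: The `secretKeyRef` added under `env` hard-codes the secret name `cloudflare-api-token` and key `value`, which must stay in sync with `kubernetes_secret.external_dns_token` in `external/cloudflare.tf`, but nothing in this file says so. A comment beside the entry, `# created by kubernetes_secret.external_dns_token in ../cloudflare.tf`, would keep the next edit from silently breaking the link. Reading the token via `valueFrom` rather than inlining it keeps the credential out of values.yaml, which is the right shape here.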