refactor(external)!: use separate modules for each provider

external/cert_manager.tf

@@ -1,30 +0,0 @@
-resource "cloudflare_api_token" "cert_manager" {
-  name = "homelab_cert_manager"
-
-  policy {
-    permission_groups = [
-      data.cloudflare_api_token_permission_groups.all.permissions["Zone Read"],
-      data.cloudflare_api_token_permission_groups.all.permissions["DNS Write"]
-    ]
-    resources = {
-      "com.cloudflare.api.account.zone.*" = "*"
-    }
-  }
-
-  condition {
-    request_ip {
-      in = local.public_ips
-    }
-  }
-}
-
-resource "kubernetes_secret" "cert_manager_token" {
-  metadata {
-    name      = "cloudflare-api-token"
-    namespace = "cert-manager"
-  }
-
-  data = {
-    "api-token" = cloudflare_api_token.cert_manager.value
-  }
-}

external/cloudflare.tf

@@ -1,20 +0,0 @@
-data "cloudflare_zone" "zone" {
-  name = "khuedoan.com"
-}
-
-data "cloudflare_api_token_permission_groups" "all" {}
-
-data "http" "public_ipv4" {
-  url = "https://ipv4.icanhazip.com"
-}
-
-# data "http" "public_ipv6" {
-#   url = "https://ipv6.icanhazip.com"
-# }
-
-locals {
-  public_ips = [
-    "${chomp(data.http.public_ipv4.body)}/32",
-    # "${chomp(data.http.public_ipv6.body)}/128"
-  ]
-}

external/cloudflared.tf

@@ -1,36 +0,0 @@
-resource "random_password" "tunnel_secret" {
-  length  = 64
-  special = false
-}
-
-resource "cloudflare_argo_tunnel" "homelab" {
-  account_id = var.cloudflare_account_id
-  name       = "homelab"
-  secret     = base64encode(random_password.tunnel_secret.result)
-}
-
-# Not proxied, not accessible. Just a record for auto-created CNAMEs by external-dns.
-resource "cloudflare_record" "tunnel" {
-  zone_id = data.cloudflare_zone.zone.id
-  type    = "CNAME"
-  name    = "homelab-tunnel"
-  value   = "${cloudflare_argo_tunnel.homelab.id}.cfargotunnel.com"
-  proxied = false
-  ttl     = 1 # Auto
-}
-
-resource "kubernetes_secret" "cloudflared_credentials" {
-  metadata {
-    name      = "cloudflared-credentials"
-    namespace = "cloudflared"
-  }
-
-  data = {
-    "credentials.json" = jsonencode({
-      AccountTag   = var.cloudflare_account_id
-      TunnelName   = cloudflare_argo_tunnel.homelab.name
-      TunnelID     = cloudflare_argo_tunnel.homelab.id
-      TunnelSecret = base64encode(random_password.tunnel_secret.result)
-    })
-  }
-}

external/external_dns.tf

@@ -1,31 +0,0 @@
-resource "cloudflare_api_token" "external_dns" {
-  name = "homelab_external_dns"
-
-  policy {
-    permission_groups = [
-      data.cloudflare_api_token_permission_groups.all.permissions["Zone Read"],
-      data.cloudflare_api_token_permission_groups.all.permissions["DNS Write"]
-    ]
-    resources = {
-      "com.cloudflare.api.account.zone.*" = "*"
-    }
-  }
-
-  condition {
-    request_ip {
-      in = local.public_ips
-    }
-  }
-}
-
-resource "kubernetes_secret" "external_dns_token" {
-  metadata {
-    name      = "cloudflare-api-token"
-    namespace = "external-dns"
-  }
-
-  data = {
-    "value" = cloudflare_api_token.external_dns.value
-  }
-}
-

external/main.tf

@@ -0,0 +1,6 @@
+module "cloudflare" {
+  source                = "./modules/cloudflare"
+  cloudflare_account_id = var.cloudflare_account_id
+  cloudflare_email      = var.cloudflare_email
+  cloudflare_api_key    = var.cloudflare_api_key
+}

external/modules/cloudflare/main.tf

@@ -0,0 +1,119 @@
+data "cloudflare_zone" "zone" {
+  name = "khuedoan.com"
+}
+
+data "cloudflare_api_token_permission_groups" "all" {}
+
+data "http" "public_ipv4" {
+  url = "https://ipv4.icanhazip.com"
+}
+
+# data "http" "public_ipv6" {
+#   url = "https://ipv6.icanhazip.com"
+# }
+
+locals {
+  public_ips = [
+    "${chomp(data.http.public_ipv4.body)}/32",
+    # "${chomp(data.http.public_ipv6.body)}/128"
+  ]
+}
+
+resource "random_password" "tunnel_secret" {
+  length  = 64
+  special = false
+}
+
+resource "cloudflare_argo_tunnel" "homelab" {
+  account_id = var.cloudflare_account_id
+  name       = "homelab"
+  secret     = base64encode(random_password.tunnel_secret.result)
+}
+
+# Not proxied, not accessible. Just a record for auto-created CNAMEs by external-dns.
+resource "cloudflare_record" "tunnel" {
+  zone_id = data.cloudflare_zone.zone.id
+  type    = "CNAME"
+  name    = "homelab-tunnel"
+  value   = "${cloudflare_argo_tunnel.homelab.id}.cfargotunnel.com"
+  proxied = false
+  ttl     = 1 # Auto
+}
+
+resource "kubernetes_secret" "cloudflared_credentials" {
+  metadata {
+    name      = "cloudflared-credentials"
+    namespace = "cloudflared"
+  }
+
+  data = {
+    "credentials.json" = jsonencode({
+      AccountTag   = var.cloudflare_account_id
+      TunnelName   = cloudflare_argo_tunnel.homelab.name
+      TunnelID     = cloudflare_argo_tunnel.homelab.id
+      TunnelSecret = base64encode(random_password.tunnel_secret.result)
+    })
+  }
+}
+
+resource "cloudflare_api_token" "external_dns" {
+  name = "homelab_external_dns"
+
+  policy {
+    permission_groups = [
+      data.cloudflare_api_token_permission_groups.all.permissions["Zone Read"],
+      data.cloudflare_api_token_permission_groups.all.permissions["DNS Write"]
+    ]
+    resources = {
+      "com.cloudflare.api.account.zone.*" = "*"
+    }
+  }
+
+  condition {
+    request_ip {
+      in = local.public_ips
+    }
+  }
+}
+
+resource "kubernetes_secret" "external_dns_token" {
+  metadata {
+    name      = "cloudflare-api-token"
+    namespace = "external-dns"
+  }
+
+  data = {
+    "value" = cloudflare_api_token.external_dns.value
+  }
+}
+
+resource "cloudflare_api_token" "cert_manager" {
+  name = "homelab_cert_manager"
+
+  policy {
+    permission_groups = [
+      data.cloudflare_api_token_permission_groups.all.permissions["Zone Read"],
+      data.cloudflare_api_token_permission_groups.all.permissions["DNS Write"]
+    ]
+    resources = {
+      "com.cloudflare.api.account.zone.*" = "*"
+    }
+  }
+
+  condition {
+    request_ip {
+      in = local.public_ips
+    }
+  }
+}
+
+resource "kubernetes_secret" "cert_manager_token" {
+  metadata {
+    name      = "cloudflare-api-token"
+    namespace = "cert-manager"
+  }
+
+  data = {
+    "api-token" = cloudflare_api_token.cert_manager.value
+  }
+}

external/modules/cloudflare/variables.tf

@@ -0,0 +1,12 @@
+variable "cloudflare_email" {
+  type = string
+}
+
+variable "cloudflare_api_key" {
+  type      = string
+  sensitive = true
+}
+
+variable "cloudflare_account_id" {
+  type = string
+}

external/modules/cloudflare/versions.tf

@@ -0,0 +1,28 @@
+terraform {
+  required_providers {
+    cloudflare = {
+      source  = "cloudflare/cloudflare"
+      version = "~> 3.8.0"
+    }
+
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "~> 2.7.0"
+    }
+
+    http = {
+      source  = "hashicorp/http"
+      version = "~> 2.1.0"
+    }
+  }
+}
+
+provider "cloudflare" {
+  email   = var.cloudflare_email
+  api_key = var.cloudflare_api_key
+}
+
+provider "kubernetes" {
+  # Use KUBE_CONFIG_PATH environment variables
+  # Or in cluster service account
+}

external/tekton.tf

@@ -1,11 +0,0 @@
-resource "kubernetes_secret" "terraform_secrets" {
-  metadata {
-    name      = "terraform-secrets"
-    namespace = "tekton-pipelines"
-  }
-
-  data = {
-    "credentials.tfrc.json" = file("~/.terraform.d/credentials.tfrc.json")
-    "terraform.tfvars" = file("${path.root}/terraform.tfvars")
-  }
-}