diff --git a/external/cert_manager.tf b/external/cert_manager.tf
deleted file mode 100644
index d74a7061..00000000
--- a/external/cert_manager.tf
+++ /dev/null
@@ -1,30 +0,0 @@
-resource "cloudflare_api_token" "cert_manager" {
- name = "homelab_cert_manager"
-
- policy {
- permission_groups = [
- data.cloudflare_api_token_permission_groups.all.permissions["Zone Read"],
- data.cloudflare_api_token_permission_groups.all.permissions["DNS Write"]
- ]
- resources = {
- "com.cloudflare.api.account.zone.*" = "*"
- }
- }
-
- condition {
- request_ip {
- in = local.public_ips
- }
- }
-}
-
-resource "kubernetes_secret" "cert_manager_token" {
- metadata {
- name = "cloudflare-api-token"
- namespace = "cert-manager"
- }
-
- data = {
- "api-token" = cloudflare_api_token.cert_manager.value
- }
-}
diff --git a/external/cloudflare.tf b/external/cloudflare.tf
deleted file mode 100644
index ee7af037..00000000
--- a/external/cloudflare.tf
+++ /dev/null
@@ -1,20 +0,0 @@
-data "cloudflare_zone" "zone" {
- name = "khuedoan.com"
-}
-
-data "cloudflare_api_token_permission_groups" "all" {}
-
-data "http" "public_ipv4" {
- url = "https://ipv4.icanhazip.com"
-}
-
-# data "http" "public_ipv6" {
-# url = "https://ipv6.icanhazip.com"
-# }
-
-locals {
- public_ips = [
- "${chomp(data.http.public_ipv4.body)}/32",
- # "${chomp(data.http.public_ipv6.body)}/128"
- ]
-}
diff --git a/external/cloudflared.tf b/external/cloudflared.tf
deleted file mode 100644
index 8db9fef9..00000000
--- a/external/cloudflared.tf
+++ /dev/null
@@ -1,36 +0,0 @@
-resource "random_password" "tunnel_secret" {
- length = 64
- special = false
-}
-
-resource "cloudflare_argo_tunnel" "homelab" {
- account_id = var.cloudflare_account_id
- name = "homelab"
- secret = base64encode(random_password.tunnel_secret.result)
-}
-
-# Not proxied, not accessible. Just a record for auto-created CNAMEs by external-dns.
-resource "cloudflare_record" "tunnel" {
- zone_id = data.cloudflare_zone.zone.id
- type = "CNAME"
- name = "homelab-tunnel"
- value = "${cloudflare_argo_tunnel.homelab.id}.cfargotunnel.com"
- proxied = false
- ttl = 1 # Auto
-}
-
-resource "kubernetes_secret" "cloudflared_credentials" {
- metadata {
- name = "cloudflared-credentials"
- namespace = "cloudflared"
- }
-
- data = {
- "credentials.json" = jsonencode({
- AccountTag = var.cloudflare_account_id
- TunnelName = cloudflare_argo_tunnel.homelab.name
- TunnelID = cloudflare_argo_tunnel.homelab.id
- TunnelSecret = base64encode(random_password.tunnel_secret.result)
- })
- }
-}
diff --git a/external/external_dns.tf b/external/external_dns.tf
deleted file mode 100644
index 5ac811c3..00000000
--- a/external/external_dns.tf
+++ /dev/null
@@ -1,31 +0,0 @@
-resource "cloudflare_api_token" "external_dns" {
- name = "homelab_external_dns"
-
- policy {
- permission_groups = [
- data.cloudflare_api_token_permission_groups.all.permissions["Zone Read"],
- data.cloudflare_api_token_permission_groups.all.permissions["DNS Write"]
- ]
- resources = {
- "com.cloudflare.api.account.zone.*" = "*"
- }
- }
-
- condition {
- request_ip {
- in = local.public_ips
- }
- }
-}
-
-resource "kubernetes_secret" "external_dns_token" {
- metadata {
- name = "cloudflare-api-token"
- namespace = "external-dns"
- }
-
- data = {
- "value" = cloudflare_api_token.external_dns.value
- }
-}
-
diff --git a/external/main.tf b/external/main.tf
new file mode 100644
index 00000000..af4baff0
--- /dev/null
+++ b/external/main.tf
@@ -0,0 +1,6 @@
+module "cloudflare" {
+ source = "./modules/cloudflare"
+ cloudflare_account_id = var.cloudflare_account_id
+ cloudflare_email = var.cloudflare_email
+ cloudflare_api_key = var.cloudflare_api_key
+}
diff --git a/external/modules/cloudflare/main.tf b/external/modules/cloudflare/main.tf
new file mode 100644
index 00000000..dcdb0bda
--- /dev/null
+++ b/external/modules/cloudflare/main.tf
@@ -0,0 +1,119 @@
+data "cloudflare_zone" "zone" {
+ name = "khuedoan.com"
+}
+
+data "cloudflare_api_token_permission_groups" "all" {}
+
+data "http" "public_ipv4" {
+ url = "https://ipv4.icanhazip.com"
+}
+
+# data "http" "public_ipv6" {
+# url = "https://ipv6.icanhazip.com"
+# }
+
+locals {
+ public_ips = [
+ "${chomp(data.http.public_ipv4.body)}/32",
+ # "${chomp(data.http.public_ipv6.body)}/128"
+ ]
+}
+
+resource "random_password" "tunnel_secret" {
+ length = 64
+ special = false
+}
+
+resource "cloudflare_argo_tunnel" "homelab" {
+ account_id = var.cloudflare_account_id
+ name = "homelab"
+ secret = base64encode(random_password.tunnel_secret.result)
+}
+
+# Not proxied, not accessible. Just a record for auto-created CNAMEs by external-dns.
+resource "cloudflare_record" "tunnel" {
+ zone_id = data.cloudflare_zone.zone.id
+ type = "CNAME"
+ name = "homelab-tunnel"
+ value = "${cloudflare_argo_tunnel.homelab.id}.cfargotunnel.com"
+ proxied = false
+ ttl = 1 # Auto
+}
+
+resource "kubernetes_secret" "cloudflared_credentials" {
+ metadata {
+ name = "cloudflared-credentials"
+ namespace = "cloudflared"
+ }
+
+ data = {
+ "credentials.json" = jsonencode({
+ AccountTag = var.cloudflare_account_id
+ TunnelName = cloudflare_argo_tunnel.homelab.name
+ TunnelID = cloudflare_argo_tunnel.homelab.id
+ TunnelSecret = base64encode(random_password.tunnel_secret.result)
+ })
+ }
+}
+
+resource "cloudflare_api_token" "external_dns" {
+ name = "homelab_external_dns"
+
+ policy {
+ permission_groups = [
+ data.cloudflare_api_token_permission_groups.all.permissions["Zone Read"],
+ data.cloudflare_api_token_permission_groups.all.permissions["DNS Write"]
+ ]
+ resources = {
+ "com.cloudflare.api.account.zone.*" = "*"
+ }
+ }
+
+ condition {
+ request_ip {
+ in = local.public_ips
+ }
+ }
+}
+
+resource "kubernetes_secret" "external_dns_token" {
+ metadata {
+ name = "cloudflare-api-token"
+ namespace = "external-dns"
+ }
+
+ data = {
+ "value" = cloudflare_api_token.external_dns.value
+ }
+}
+
+resource "cloudflare_api_token" "cert_manager" {
+ name = "homelab_cert_manager"
+
+ policy {
+ permission_groups = [
+ data.cloudflare_api_token_permission_groups.all.permissions["Zone Read"],
+ data.cloudflare_api_token_permission_groups.all.permissions["DNS Write"]
+ ]
+ resources = {
+ "com.cloudflare.api.account.zone.*" = "*"
+ }
+ }
+
+ condition {
+ request_ip {
+ in = local.public_ips
+ }
+ }
+}
+
+resource "kubernetes_secret" "cert_manager_token" {
+ metadata {
+ name = "cloudflare-api-token"
+ namespace = "cert-manager"
+ }
+
+ data = {
+ "api-token" = cloudflare_api_token.cert_manager.value
+ }
+}
diff --git a/external/modules/cloudflare/variables.tf b/external/modules/cloudflare/variables.tf
new file mode 100644
index 00000000..c5a4b342
--- /dev/null
+++ b/external/modules/cloudflare/variables.tf
@@ -0,0 +1,12 @@
+variable "cloudflare_email" {
+ type = string
+}
+
+variable "cloudflare_api_key" {
+ type = string
+ sensitive = true
+}
+
+variable "cloudflare_account_id" {
+ type = string
+}
diff --git a/external/modules/cloudflare/versions.tf b/external/modules/cloudflare/versions.tf
new file mode 100644
index 00000000..ded55375
--- /dev/null
+++ b/external/modules/cloudflare/versions.tf
@@ -0,0 +1,28 @@
+terraform {
+ required_providers {
+ cloudflare = {
+ source = "cloudflare/cloudflare"
+ version = "~> 3.8.0"
+ }
+
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = "~> 2.7.0"
+ }
+
+ http = {
+ source = "hashicorp/http"
+ version = "~> 2.1.0"
+ }
+ }
+}
+
+provider "cloudflare" {
+ email = var.cloudflare_email
+ api_key = var.cloudflare_api_key
+}
+
+provider "kubernetes" {
+ # Use KUBE_CONFIG_PATH environment variables
+ # Or in cluster service account
+}
diff --git a/external/tekton.tf b/external/tekton.tf
deleted file mode 100644
index f06d4673..00000000
--- a/external/tekton.tf
+++ /dev/null
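Review bot: Both API tokens in this hunk (`cloudflare_api_token.external_dns` and `cloudflare_api_token.cert_manager`) are scoped with `"com.cloudflare.api.account.zone.*" = "*"`, which grants Zone Read and DNS Write on every zone in the account, while the module only ever touches `data.cloudflare_zone.zone`. Scoping each policy to that one zone, `"com.cloudflare.api.account.zone.${data.cloudflare_zone.zone.id}" = "*"`, keeps a cert-manager or external-dns token that leaks out of its Kubernetes secret from being able to rewrite DNS for any other zone. The `request_ip` condition is built from whatever `ipv4.icanhazip.com` returns to the host running `terraform apply`, so it presumably only matches the cluster's egress when Terraform is run from behind the same address, and it is not refreshed until the next apply; a comment on `locals.public_ips` such as `# Egress IP as observed at apply time; re-apply after an IP change or both API tokens are rejected by Cloudflare` would save the next debugging session. Since the IPv6 entry is commented out, a cluster that reaches the Cloudflare API over IPv6 would also be rejected by that condition.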
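Review bot: The child module configures its own provider in this hunk (`provider "cloudflare" { email = var.cloudflare_email api_key = var.cloudflare_api_key }`), which Terraform treats as a legacy pattern: a module that contains a provider configuration cannot be called with `count`, `for_each` or `depends_on`, and once the `module "cloudflare"` call is removed its resources can no longer be destroyed because the provider configuration disappears with it. Keeping only the `required_providers` block here and configuring both providers at the root (inherited implicitly, or passed explicitly with `providers = { cloudflare = cloudflare }`) avoids that and would also drop `cloudflare_email` and `cloudflare_api_key` from the module interface. Separately, the credential configured here is the account's global API key, which carries every permission on the account, although the module only needs to create a tunnel, one DNS record and two scoped tokens; the provider's `api_token` argument accepts a purpose-limited token instead, and that is worth a follow-up because the global key is what any compromise of the Terraform runner would expose.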
@@ -1,11 +0,0 @@
-resource "kubernetes_secret" "terraform_secrets" {
- metadata {
- name = "terraform-secrets"
- namespace = "tekton-pipelines"
- }
-
- data = {
- "credentials.tfrc.json" = file("~/.terraform.d/credentials.tfrc.json")
- "terraform.tfvars" = file("${path.root}/terraform.tfvars")
- }
-}