Terraform Upgrade to 1.x (#3)

Co-authored-by: Hashfyre <[email protected]>

.gitignore

@@ -3,6 +3,7 @@
 .terraform
 *.tfstate
 *.tfstate.backup
+*.terraform.lock.hcl
 *.out
 *.backup
 secrets

.terraform-version

@@ -1 +1 @@
-0.11.13
+1.0.9

HACKING.md

@@ -0,0 +1,18 @@
+# Hacking on the thing
+
+Generate certs as per:
+
+https://gist.github.com/captn3m0/2c2e723b2dcd5cdaad733aad12be59a2
+
+Copy ca.pem, server-cert.pem, server-key.pem to /etc/docker/certs.
+
+Make sure server-key.pem is 0400 in permissions.
+
+Run `systemctl edit docker`
+
+````
+/etc/systemd/system/docker.service.d/override.conf
+[Service]
+ExecStart=
+ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=/etc/docker/certs/ca.pem --tlscert=/etc/docker/certs/server-cert.pem --tlskey=/etc/docker/certs/server-key.pem -H=0.0.0.0:2376 -H unix:///var/run/docker.sock
+````

cloudflare/main.tf

@@ -4,146 +4,146 @@
  */
 
 resource "cloudflare_record" "home" {
-  domain = "${var.domain}"
-  name   = "in"
-  value  = "${var.ips["eth0"]}"
-  type   = "A"
+  zone_id = var.zone_id
+  name    = "in"
+  value   = var.ips["eth0"]
+  type    = "A"
 }
 
 resource "cloudflare_record" "home-wildcard" {
-  domain = "${var.domain}"
-  name   = "*.in"
-  value  = "${cloudflare_record.home.hostname}"
-  type   = "CNAME"
-  ttl    = 3600
+  zone_id = var.zone_id
+  name    = "*.in"
+  value   = cloudflare_record.home.hostname
+  type    = "CNAME"
+  ttl     = 3600
 }
 
 /**
  *    bb8.fun -> static IP address
  * *.bb8.fun  -> bb8.fun
  */
 resource "cloudflare_record" "internet" {
-  domain = "${var.domain}"
-  name   = "@"
-  value  = "${var.droplet_ip}"
-  type   = "A"
+  zone_id = var.zone_id
+  name    = "@"
+  value   = var.droplet_ip
+  type    = "A"
 }
 
 resource "cloudflare_record" "internet-wildcard" {
-  domain = "${var.domain}"
-  name   = "*.${var.domain}"
-  value  = "${cloudflare_record.internet.hostname}"
-  type   = "CNAME"
-  ttl    = 3600
+  zone_id = var.zone_id
+  name    = var.domain
+  value   = cloudflare_record.internet.hostname
+  type    = "CNAME"
+  ttl     = 3600
 }
 
 resource "cloudflare_record" "dns" {
-  domain = "${var.domain}"
-  name   = "dns"
-  value  = "${var.ips["static"]}"
-  type   = "A"
+  zone_id = var.zone_id
+  name    = "dns"
+  value   = var.ips["static"]
+  type    = "A"
 }
 
 resource "cloudflare_record" "doh" {
-  domain = "${var.domain}"
-  name   = "doh"
-  value  = "${var.ips["static"]}"
-  type   = "A"
+  zone_id = var.zone_id
+  name    = "doh"
+  value   = var.ips["static"]
+  type    = "A"
 }
 
 // This ensures that _acme-challenge is not a CNAME
 // alongside the above wildcard CNAME entry.
 resource "cloudflare_record" "acme-no-cname-1" {
-  domain = "${var.domain}"
-  name   = "_acme-challenge.${var.domain}"
-  type   = "A"
-  value  = "127.0.0.1"
-  ttl    = "300"
+  zone_id = var.zone_id
+  name    = "_acme-challenge.${var.domain}"
+  type    = "A"
+  value   = "127.0.0.1"
+  ttl     = "300"
 }
 
 /**
  *   vpn.bb8.fun
  * *.vpn.bb8.fun
  */
 resource "cloudflare_record" "vpn" {
-  domain = "${var.domain}"
-  name   = "vpn"
-  value  = "${var.ips["tun0"]}"
-  type   = "A"
+  zone_id = var.zone_id
+  name    = "vpn"
+  value   = var.ips["tun0"]
+  type    = "A"
 }
 
 resource "cloudflare_record" "vpn_wildcard" {
-  domain = "${var.domain}"
-  name   = "*.vpn.${var.domain}"
-  value  = "${cloudflare_record.vpn.hostname}"
-  type   = "CNAME"
-  ttl    = 3600
+  zone_id = var.zone_id
+  name    = "*.vpn.${var.domain}"
+  value   = cloudflare_record.vpn.hostname
+  type    = "CNAME"
+  ttl     = 3600
 }
 
 /**
  *   vpn.bb8.fun
  * *.vpn.bb8.fun
  */
 resource "cloudflare_record" "dovpn" {
-  domain = "${var.domain}"
-  name   = "dovpn"
-  value  = "${var.ips["dovpn"]}"
-  type   = "A"
+  zone_id = var.zone_id
+  name    = "dovpn"
+  value   = var.ips["dovpn"]
+  type    = "A"
 }
 
 resource "cloudflare_record" "dovpn_wildcard" {
-  domain = "${var.domain}"
-  name   = "*.dovpn.${var.domain}"
-  value  = "${cloudflare_record.dovpn.hostname}"
-  type   = "CNAME"
-  ttl    = 3600
+  zone_id = var.zone_id
+  name    = "*.dovpn.${var.domain}"
+  value   = cloudflare_record.dovpn.hostname
+  type    = "CNAME"
+  ttl     = 3600
 }
 
 resource "cloudflare_record" "etcd" {
-  domain = "${var.domain}"
-  name   = "etcd"
-  value  = "${var.ips["dovpn"]}"
-  type   = "A"
+  zone_id = var.zone_id
+  name    = "etcd"
+  value   = var.ips["dovpn"]
+  type    = "A"
 }
 
 ########################
 ## Mailgun Mailing Lists
 ########################
 
 resource "cloudflare_record" "mailgun-spf" {
-  domain = "${var.domain}"
-  name   = "l"
-  value  = "v=spf1 include:mailgun.org ~all"
-  type   = "TXT"
+  zone_id = var.zone_id
+  name    = "l"
+  value   = "v=spf1 include:mailgun.org ~all"
+  type    = "TXT"
 }
 
 resource "cloudflare_record" "mailgun-dkim" {
-  domain = "${var.domain}"
-  name   = "k1._domainkey.l"
-  value  = "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnbP+IQkuPkgmUhpqCKzIdDSZ0HazaMp+cdBH++LBed8oY8/jmV8BhxMp5JwyePzRTxneT8ASsRtcp7CQ3z4nMC7aFX0kH6Bnu2v+u2JWudxs8x0I02OrPbSaQ5QVQdbAaCUCEfCQ06LJsn8aqPNrRIOWEMnxln+ebFJ0wKGscFQIDAQAB"
-  type   = "TXT"
+  zone_id = var.zone_id
+  name    = "k1._domainkey.l"
+  value   = "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnbP+IQkuPkgmUhpqCKzIdDSZ0HazaMp+cdBH++LBed8oY8/jmV8BhxMp5JwyePzRTxneT8ASsRtcp7CQ3z4nMC7aFX0kH6Bnu2v+u2JWudxs8x0I02OrPbSaQ5QVQdbAaCUCEfCQ06LJsn8aqPNrRIOWEMnxln+ebFJ0wKGscFQIDAQAB"
+  type    = "TXT"
 }
 
 resource "cloudflare_record" "mailgun-mxa" {
-  domain   = "${var.domain}"
+  zone_id  = var.zone_id
   name     = "l"
   value    = "mxa.mailgun.org"
   type     = "MX"
   priority = 10
 }
 
 resource "cloudflare_record" "mailgun-mxb" {
-  domain   = "${var.domain}"
+  zone_id  = var.zone_id
   name     = "l"
   value    = "mxb.mailgun.org"
   type     = "MX"
   priority = 20
 }
 
 resource "cloudflare_record" "k8s" {
-  domain = "${var.domain}"
-  name   = "k8s"
-  value  = "10.8.0.1"
-  type   = "A"
-  ttl    = 3600
+  zone_id = var.zone_id
+  name    = "k8s"
+  value   = "10.8.0.1"
+  type    = "A"
+  ttl     = 3600
 }

cloudflare/providers.tf

@@ -0,0 +1,7 @@
+terraform {
+  required_providers {
+    cloudflare = {
+      source = "cloudflare/cloudflare"
+    }
+  }
+}

cloudflare/variables.tf

@@ -1,9 +1,10 @@
 variable "domain" {
-  type = "string"
+  type = string
 }
 
 variable "ips" {
-  type = "map"
+  type = map
 }
 
 variable "droplet_ip" {}
+variable "zone_id" {}

data.tf

@@ -1,3 +1,11 @@
 data "docker_network" "bridge" {
   name = "bridge"
 }
+
+data "cloudflare_zones" "bb8" {
+  filter {
+    name        = "bb8"
+    lookup_type = "exact"
+    match       = "bb8.fun"
+  }
+}

db/network.tf

@@ -8,3 +8,4 @@ resource "docker_network" "postgres" {
     gateway = "172.20.0.9"
   }
 }
+

db/outputs.tf

@@ -1,3 +1,4 @@
 output "postgres-network-id" {
-  value = "${docker_network.postgres.name}"
+  value = docker_network.postgres.name
 }
+

db/postgres.tf

@@ -1,26 +1,26 @@
 resource "docker_container" "postgres" {
   name  = "postgres"
-  image = "${docker_image.postgres.latest}"
+  image = docker_image.postgres.latest
 
   volumes {
-    volume_name    = "${docker_volume.postgres_volume.name}"
+    volume_name    = docker_volume.postgres_volume.name
     container_path = "/var/lib/postgresql/data"
-    host_path      = "${docker_volume.postgres_volume.mountpoint}"
+    host_path      = docker_volume.postgres_volume.mountpoint
   }
 
   // This is so that other host-only services can share this
   ports {
     internal = 5432
     external = 5432
-    ip       = "${var.ips["eth0"]}"
+    ip       = var.ips["eth0"]
   }
 
   // This is a not-so-great idea
   // TODO: Figure out a better way to make terraform SSH and then connect to localhost
   ports {
     internal = 5432
     external = 5432
-    ip       = "${var.ips["tun0"]}"
+    ip       = var.ips["tun0"]
   }
 
   memory                = 256
@@ -32,12 +32,12 @@ resource "docker_container" "postgres" {
     "POSTGRES_PASSWORD=${var.postgres-root-password}",
   ]
 
-  networks = ["${docker_network.postgres.id}", "${data.docker_network.bridge.id}"]
+  networks = [docker_network.postgres.id, data.docker_network.bridge.id]
 }
 
 resource "docker_image" "postgres" {
-  name          = "${data.docker_registry_image.postgres.name}"
-  pull_triggers = ["${data.docker_registry_image.postgres.sha256_digest}"]
+  name          = data.docker_registry_image.postgres.name
+  pull_triggers = [data.docker_registry_image.postgres.sha256_digest]
 }
 
 data "docker_registry_image" "postgres" {
@@ -47,3 +47,4 @@ data "docker_registry_image" "postgres" {
 data "docker_network" "bridge" {
   name = "bridge"
 }
+

db/providers.tf

@@ -0,0 +1,19 @@
+terraform {
+  required_providers {
+    pass = {
+      source = "camptocamp/pass"
+    }
+    digitalocean = {
+      source = "digitalocean/digitalocean"
+    }
+    postgresql = {
+      source = "cyrilgdn/postgresql"
+    }
+    cloudflare = {
+      source = "cloudflare/cloudflare"
+    }
+    docker = {
+      source = "kreuzwerker/docker"
+    }
+  }
+}

db/variables.tf

@@ -4,7 +4,9 @@ variable "postgres-version" {
 }
 
 variable "ips" {
-  type = "map"
+  type = map(string)
+}
+
+variable "postgres-root-password" {
 }
 
-variable "postgres-root-password" {}

db/volumes.tf

@@ -1,3 +1,4 @@
 resource "docker_volume" "postgres_volume" {
   name = "postgres_volume"
 }
+

digitalocean/droplets.tf

@@ -1,5 +1,5 @@
 resource "digitalocean_droplet" "sydney" {
-  image              = ""
+  image              = "??"
   name               = "sydney.captnemo.in"
   region             = "blr1"
   size               = "s-1vcpu-2gb"
@@ -18,5 +18,6 @@ resource "digitalocean_droplet" "sydney" {
 }
 
 output "droplet_ipv4" {
-  value = "${digitalocean_droplet.sydney.ipv4_address}"
+  value = digitalocean_droplet.sydney.ipv4_address
 }
+