configure ovh client and allow cms project to access zoho client

iac/ovh.tf

@@ -0,0 +1,57 @@
+data "ovh_me" "account" {}
+data "ovh_iam_reference_actions" "domain" {
+    type = "domain"
+}
+locals {
+  domain_read_permissions = [ for a in data.ovh_iam_reference_actions.domain.actions: a if contains(a.categories, "READ") ]
+}
+
+resource "ovh_me_api_oauth2_client" "cms" {
+  name = "cms repo"
+  description = "arcodange.fr management"
+  flow = "CLIENT_CREDENTIALS"
+}
+resource "ovh_iam_policy" "cms" {
+  name        = "cms_manager"
+  description = "Permissions related to www.arcodange.fr domain"
+  identities  = [ovh_me_api_oauth2_client.cms.identity]
+  resources   = [
+    data.ovh_me.account.urn,
+    # ovh_me_api_oauth2_client.cms.identity,
+    "urn:v1:eu:resource:domain:arcodange.fr",
+  ]
+  # these are all the actions
+  allow = concat([
+    "account:apiovh:me/get",
+    "account:apiovh:me/supportLevel/get",
+    "account:apiovh:me/certificates/get",
+    "account:apiovh:me/tag/get",
+    "account:apiovh:services/get",
+  ],
+  local.domain_read_permissions[*].action,
+  [
+    "domain:apiovh:nameServer/edit",
+  ])
+}
+
+resource "gitea_repository_actions_secret" "ovh_cms_client_id" {
+  repository       = data.gitea_repo.cms.name
+  repository_owner = data.gitea_repo.cms.username
+  secret_name      = "OVH_CLIENT_ID"
+  secret_value     = ovh_me_api_oauth2_client.cms.client_id
+}
+resource "gitea_repository_actions_secret" "ovh_cms_client_secret" {
+  repository       = data.gitea_repo.cms.name
+  repository_owner = data.gitea_repo.cms.username
+  secret_name      = "OVH_CLIENT_SECRET"
+  secret_value     = ovh_me_api_oauth2_client.cms.client_secret
+}
+
+resource "vault_kv_secret" "ovh_cms_token" {
+  path = "kvv1/ovh/cms/app"
+  data_json = jsonencode({
+    client_id = ovh_me_api_oauth2_client.cms.client_id
+    client_secret = ovh_me_api_oauth2_client.cms.client_secret
+    urn = ovh_me_api_oauth2_client.cms.identity
+  })
+}