Gabriel Radureau
9b545e6f8f
With the runner CA fix (#11) the iac workflow now runs far enough to apply, which exposed two provider problems: cloudflare drift — `cloudflare/cloudflare` floated on `~> 5` with no committed lock file, so CI pulled v5.21.1 where `cloudflare_account_token.policies[].resources` is a JSON string, not a map ("Incorrect attribute value type"). Fix: - pin to `~> 5.21` and commit a multi-platform `.terraform.lock.hcl` (linux_arm64 for the runner + darwin_arm64 for local); - `jsonencode(...)` the module's policy resources; - bind the cloudflare_token module to `cloudflare/cloudflare` explicitly (it was defaulting to `hashicorp/cloudflare`, pulling a redundant provider); - stop `.gitignore` from hiding the lock file (the old `.terraform.*` rule did). gitea provider TLS — it runs inside the dflook/terraform-apply container, which doesn't trust the homelab CA (only the ubuntu-latest-ca runner does), so it failed `x509: certificate signed by unknown authority` reaching gitea.arcodange.lab. Fix: feed it the homelab CA via the provider's `cacert_file` (TF_VAR_gitea_cacert_file -> the homelab.pem the workflow already materializes). Validated locally with `tofu validate` + provider-schema inspection (no prod calls). Complements #11. Out of scope (need a live run / operator): the OVH consumer-key scope, and the R2 bucket "not found" on refresh (a state reconcile). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
71 lines
2.2 KiB
YAML
71 lines
2.2 KiB
YAML
---
|
|
# template source: https://github.com/bretfisher/docker-build-workflow/blob/main/templates/call-docker-build.yaml
|
|
name: IAC
|
|
|
|
on: #[push,pull_request]
|
|
workflow_dispatch: {}
|
|
push: &tofuPaths
|
|
paths:
|
|
- 'iac/*.tf'
|
|
- 'iac/*.tfvars'
|
|
- 'iac/**/*.tf'
|
|
- 'iac/**/*.tfvars'
|
|
pull_request: *tofuPaths
|
|
|
|
# cancel any previously-started, yet still active runs of this workflow on the same branch
|
|
concurrency:
|
|
group: ${{ github.ref }}-${{ github.workflow }}
|
|
cancel-in-progress: true
|
|
|
|
.vault_step: &vault_step
|
|
name: read vault secret
|
|
uses: https://gitea.arcodange.lab/arcodange-org/vault-action.git@main
|
|
id: vault-secrets
|
|
with:
|
|
url: https://vault.arcodange.lab
|
|
caCertificate: ${{ secrets.HOMELAB_CA_CERT }}
|
|
jwtGiteaOIDC: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
|
|
role: gitea_cicd
|
|
method: jwt
|
|
path: gitea_jwt
|
|
secrets: |
|
|
kvv1/google/credentials credentials | GOOGLE_CREDENTIALS ;
|
|
kvv1/admin/gitea token | GITEA_TOKEN ;
|
|
kvv1/admin/cloudflare iam_token | CLOUDFLARE_API_TOKEN ;
|
|
kvv1/admin/ovh/app * | OVH_ ;
|
|
jobs:
|
|
gitea_vault_auth:
|
|
name: Auth with gitea for vault
|
|
runs-on: ubuntu-latest
|
|
outputs:
|
|
gitea_vault_jwt: ${{steps.gitea_vault_jwt.outputs.id_token}}
|
|
steps:
|
|
|
|
- name: Auth with gitea for vault
|
|
id: gitea_vault_jwt
|
|
run: |
|
|
echo -n "${{ secrets.vault_oauth__sh_b64 }}" | base64 -d | bash
|
|
|
|
tofu:
|
|
name: Tofu
|
|
needs:
|
|
- gitea_vault_auth
|
|
runs-on: ubuntu-latest
|
|
env:
|
|
OPENTOFU_VERSION: 1.8.2
|
|
TERRAFORM_VAULT_AUTH_JWT: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
|
|
VAULT_CACERT: "${{ github.workspace }}/homelab.pem"
|
|
steps:
|
|
- *vault_step
|
|
- uses: actions/checkout@v4
|
|
- name: prepare vault self signed cert
|
|
run: echo -n "${{ secrets.HOMELAB_CA_CERT }}" | base64 -d > $VAULT_CACERT
|
|
- name: terraform apply
|
|
uses: dflook/terraform-apply@v1
|
|
env:
|
|
# the apply runs in dflook's container, which doesn't trust the homelab CA;
|
|
# hand the gitea provider the CA cert the step above wrote to the workspace
|
|
TF_VAR_gitea_cacert_file: "${{ github.workspace }}/homelab.pem"
|
|
with:
|
|
path: iac
|
|
auto_approve: true |