From 8a40d2567590f0eaeaf0976b13b52a0f5a5ef8b9 Mon Sep 17 00:00:00 2001
From: Gabriel Radureau
Date: Wed, 6 May 2026 13:20:14 +0200
Subject: [PATCH] =?UTF-8?q?=E2=9C=A8=20feat(deploy):=20iac/=20Vault=20prov?= =?UTF-8?q?isioning=20+=20workflow=20(uses=20app=5Froles=20module=20from?= =?UTF-8?q?=20tools)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .gitea/workflows/vault.yaml | 59 +++++++++++++++++++++++++++++++++++++
 iac/backend.tf | 6 ++++
 iac/main.tf | 10 +++++++
 iac/providers.tf | 17 +++++++++++
 4 files changed, 92 insertions(+)
 create mode 100644 .gitea/workflows/vault.yaml
 create mode 100644 iac/backend.tf
 create mode 100644 iac/main.tf
 create mode 100644 iac/providers.tf
diff --git a/.gitea/workflows/vault.yaml b/.gitea/workflows/vault.yaml
new file mode 100644
index 0000000..7e5aaf5
--- /dev/null
+++ b/.gitea/workflows/vault.yaml
@@ -0,0 +1,59 @@
+---
+name: Hashicorp Vault
+
+on:
+ workflow_dispatch: {}
+ push: &vaultPaths
+ paths:
+ - 'iac/*.tf'
+ pull_request: *vaultPaths
+
+concurrency:
+ group: ${{ github.ref }}-${{ github.workflow }}
+ cancel-in-progress: true
+
+.vault_step: &vault_step
+ name: read vault secret
+ uses: https://gitea.arcodange.lab/arcodange-org/vault-action.git@main
+ id: vault-secrets
+ with:
+ url: https://vault.arcodange.lab
+ caCertificate: ${{ secrets.HOMELAB_CA_CERT }}
+ jwtGiteaOIDC: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
+ role: gitea_cicd_dance-lessons-coach
+ method: jwt
+ path: gitea_jwt
+ secrets: |
+ kvv1/google/credentials credentials | GOOGLE_BACKEND_CREDENTIALS ;
+
+jobs:
+ gitea_vault_auth:
+ name: Auth with gitea for vault
+ runs-on: ubuntu-latest-ca
+ outputs:
+ gitea_vault_jwt: ${{steps.gitea_vault_jwt.outputs.id_token}}
+ steps:
+ - name: Auth with gitea for vault
+ id: gitea_vault_jwt
+ run: |
+ echo -n "${{ secrets.vault_oauth__sh_b64 }}" | base64 -d | bash
+
+ tofu:
+ name: Tofu - Vault
+ needs:
+ - gitea_vault_auth
+ runs-on: ubuntu-latest-ca
+ env:
+ OPENTOFU_VERSION: 1.8.2
+ TERRAFORM_VAULT_AUTH_JWT: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
+ VAULT_CACERT: "${{ github.workspace }}/homelab.pem"
+ steps:
+ - *vault_step
+ - uses: actions/checkout@v4
+ - name: prepare vault self signed cert
+ run: echo -n "${{ secrets.HOMELAB_CA_CERT }}" | base64 -d > $VAULT_CACERT
+ - name: terraform apply
+ uses: dflook/terraform-apply@v1
+ with:
+ path: iac
+ auto_approve: true
diff --git a/iac/backend.tf b/iac/backend.tf
new file mode 100644
index 0000000..465e97b
--- /dev/null
+++ b/iac/backend.tf
@@ -0,0 +1,6 @@
+terraform {
+ backend "gcs" {
+ bucket = "arcodange-tf"
+ prefix = "dance-lessons-coach/main"
+ }
+}
diff --git a/iac/main.tf b/iac/main.tf
new file mode 100644
index 0000000..b8921ee
--- /dev/null
+++ b/iac/main.tf
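Review bot: The `tofu` job runs `dflook/terraform-apply@v1` with `auto_approve: true` on every event this workflow accepts, and `pull_request: *vaultPaths` is one of those events, so a pull request that edits `iac/*.tf` (for instance the module `source` in `iac/main.tf`) is applied to Vault before anyone has reviewed it. Gate the apply on the default branch, e.g. add `if: github.event_name == 'push' && github.ref == 'refs/heads/main'` to the `tofu` job, and give pull requests a plan-only job instead. `vault-action.git@main`, `actions/checkout@v4` and `dflook/terraform-apply@v1` are all mutable refs on steps that handle the Vault JWT and the GCP backend credentials; pinning each to a commit SHA keeps an upstream change from silently altering what runs with those secrets. The `gitea_vault_auth` step pipes `secrets.vault_oauth__sh_b64` through `base64 -d | bash`, so the authentication logic lives in a secret that cannot be reviewed or diffed in this repository; committing that script under `.gitea/` and keeping only the credential in the secret would make it auditable. `cancel-in-progress: true` also covers the `tofu` job, and cancelling a running apply can leave a half-applied change and a held GCS state lock, so consider a separate concurrency group for the apply job with `cancel-in-progress: false`.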
@@ -0,0 +1,10 @@
+locals {
+ app = {
+ name = "dance-lessons-coach"
+ }
+}
+
+module "app_roles" {
+ source = "git::ssh://git@192.168.1.202:2222/arcodange-org/tools.git//hashicorp-vault/iac/modules/app_roles?depth=1&ref=main"
+ name = local.app.name
+}
diff --git a/iac/providers.tf b/iac/providers.tf
new file mode 100644
index 0000000..bfa8f12
--- /dev/null
+++ b/iac/providers.tf
@@ -0,0 +1,17 @@
+terraform {
+ required_providers {
+ vault = {
+ source = "vault"
+ version = "4.4.0"
+ }
+ }
+}
+
+provider "vault" {
+ address = "https://vault.arcodange.lab"
+ auth_login_jwt {
+ # TERRAFORM_VAULT_AUTH_JWT environment variable, set by the gitea OIDC step
+ mount = "gitea_jwt"
+ role = "gitea_cicd_dance-lessons-coach"
+ }
+}
-- 
2.49.1
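Review bot: The `app_roles` module `source` ends in `ref=main`, so the Vault roles and policies this stack creates are whatever the `tools` repository's default branch holds at apply time, and a change there gets applied here with no diff in this repository to review. Pin it to a tag or commit, e.g. `?depth=1&ref=<tools-commit-sha>`, and bump it deliberately. The source also addresses the Git server by raw IP over SSH (`git@192.168.1.202:2222`) while the workflow reaches the same organisation through `gitea.arcodange.lab`; using the hostname keeps host-key pinning and any future address change in one place. Nothing in the workflow added by this commit provisions an SSH key or `known_hosts` for the runner, so `init` presumably depends on the runner image; a comment above `module "app_roles"` stating that assumption would help the next reader.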
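Review bot: `source = "vault"` in `required_providers` relies on the registry's implicit namespace resolution; write it as `source = "hashicorp/vault"` so the provider origin is explicit rather than inferred. The Vault `address`, `mount` and `role` repeat the `url`, `path` and `role` values in `.gitea/workflows/vault.yaml`, so a change to the JWT mount or role name has to be made in two files; hoisting them into variables (or reading `VAULT_ADDR` from the environment) removes that drift risk. The `# TERRAFORM_VAULT_AUTH_JWT` comment could name the full chain, e.g. `# JWT is read from TERRAFORM_VAULT_AUTH_JWT, exported by the tofu job in .gitea/workflows/vault.yaml from the gitea_vault_auth OIDC step`.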