# Provider requirements and remote backend for this workspace.
# The configuration runs in HCP Terraform (the `cloud` block below), so
# provider downloads happen there; the committed `.terraform.lock.hcl`
# is what actually pins provider checksums.
#
# NOTE(review): cloudflare is the only provider with a floating constraint
# (`~> 3.0` accepts any 3.x release), while github/random/helm/kubernetes
# are pinned to exact versions. Pinning it the same way keeps provider
# upgrades deliberate and reviewable. There is also no `required_version`
# for the Terraform CLI itself — consider adding one so a newer CLI cannot
# silently change plan semantics.
terraform {
  required_providers {
    cloudflare = {
      source  = "cloudflare/cloudflare"
      version = "~> 3.0"
    }
    github = {
      source  = "integrations/github"
      version = "6.4.0"
    }
    random = {
      source  = "hashicorp/random"
      version = "3.6.3"
    }
    helm = {
      source  = "hashicorp/helm"
      version = "2.17.0"
    }
    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = "2.35.1"
    }
  }
  # State lives in the HCP Terraform workspace; all sensitive variables in
  # this file are expected to be set there as workspace variables.
  cloud {
    organization = "GiganticMinecraft"
    workspaces {
      name = "seichi_infra"
    }
  }
}
# Non-secret identifiers shared across the configuration.
# NOTE: account_id and zone_id are not secrets — they only identify the
# Cloudflare account/zone and grant no access on their own, which is why
# they can be committed here while the API credentials cannot. See
# https://github.com/cloudflare/wrangler-legacy/issues/209#issuecomment-541654484
locals {
  cloudflare_account_id = "9e9e88e2b19878c4a911c3c8a715a168"
  cloudflare_zone_id    = "77c10fdfa7c65de4d14903ed8879ebcb"
  root_domain           = "seichi.click"
  github_org_name       = "GiganticMinecraft"
}
#region cloudflare provider
# NOTE(review): `email` + `api_key` authenticates with the Cloudflare *Global*
# API key. That key carries full permissions over every account and zone the
# user can reach, cannot be scoped to this account/zone or to specific
# products, and does not expire. A scoped API token (`api_token`, limited to
# the DNS/Pages/Tunnel permissions this configuration actually needs) would
# shrink the blast radius of a leaked workspace variable. Migrating is a
# separate change: it needs a new variable and a token to be issued.
variable "cloudflare_email" {
  description = "email used for Cloudflare API authentication"
  type        = string
  sensitive   = true
}

variable "cloudflare_api_key" {
  description = "API key used for Cloudflare API authentication"
  type        = string
  sensitive   = true
}

provider "cloudflare" {
  email   = var.cloudflare_email
  api_key = var.cloudflare_api_key
}
#endregion
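#region cloudflare-github integration settings
# OAuth App registered on GitHub that represents Cloudflare (used for the
# Cloudflare <-> GitHub integration). The client ID is not secret in the
# OAuth sense, but it is kept `sensitive` alongside the secret so neither
# shows up in plan output.
variable "github_cloudflare_oauth_client_id" {
  description = "Client ID of Cloudflare as seen as an OAuth App on GitHub"
  type        = string
  sensitive   = true
}

variable "github_cloudflare_oauth_client_secret" {
  description = "Client secret of Cloudflare as seen as an OAuth App on GitHub"
  type        = string
  sensitive   = true
}
#endregion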
#region terraform-github integration settings
# The GitHub provider authenticates as a GitHub App installation rather than
# with a personal access token, so its permissions are those granted to the
# App on the organization and are not tied to any user account.
variable "terraform_github_app_id" {
  description = "App ID of the GitHub App used for Terraform automation"
  type        = string
  sensitive   = true
}

# Found at
# https://github.com/organizations/GiganticMinecraft/settings/installations/:installation_id
variable "terraform_github_app_installation_id" {
  description = "Client installation ID of the GitHub App used for Terraform automation"
  type        = string
  sensitive   = true
}

# The App's private key. This is the credential that matters: anyone holding
# it can mint installation tokens with the App's full permissions.
variable "terraform_github_app_pem" {
  description = "Client private key of the GitHub App used for Terraform automation"
  type        = string
  sensitive   = true
}

provider "github" {
  owner = local.github_org_name
  app_auth {
    id              = var.terraform_github_app_id
    installation_id = var.terraform_github_app_installation_id
    # NOTE(review): despite the attribute name, `pem_file` is passed the PEM
    # *contents* here (the variable is described as the key itself, not a
    # path), which is what the provider's app_auth block is documented to
    # expect — confirm against the docs for the pinned 6.4.0 provider.
    pem_file = var.terraform_github_app_pem
  }
}
#endregion
#region on-premise k8s access configuration
variable "onp_k8s_server_url" {
  description = "URL at which k8s server is exposed"
  type        = string
  sensitive   = true
}

variable "onp_k8s_kubeconfig" {
  description = "On-premise cluster's kubeconfig.yaml content"
  type        = string
  sensitive   = true
}

# The on-premise cluster's kubeconfig.yaml carries the cluster CA
# certificate, the client certificate and the client key, base64-encoded, in
# - clusters[?].cluster.certificate-authority-data
# - users[?].user.client-certificate-data
# - users[?].user.client-key-data
# respectively; the locals below decode them for the providers.
#
# NOTE(review): index 0 is taken for both the cluster and the user and
# `current-context` is not consulted, so the kubeconfig supplied here must
# contain exactly one cluster and one user (or have the intended pair first).
# A kubeconfig whose user authenticates with a token instead of a client
# certificate would fail to decode here. The client key is a long-lived
# credential with whatever RBAC its certificate subject has — confirm it is
# limited to what this workspace manages and rotate it like any other secret.
locals {
  onp_kubernetes_cluster_ca_certificate = base64decode(yamldecode(var.onp_k8s_kubeconfig).clusters[0].cluster.certificate-authority-data)
  onp_kubernetes_client_certificate     = base64decode(yamldecode(var.onp_k8s_kubeconfig).users[0].user.client-certificate-data)
  onp_kubernetes_client_key             = base64decode(yamldecode(var.onp_k8s_kubeconfig).users[0].user.client-key-data)
}

# Both providers talk to the same API server with mutual TLS: the client
# certificate/key authenticate this automation and the CA from the kubeconfig
# verifies the server, so certificate verification is not skipped.
provider "kubernetes" {
  host                   = var.onp_k8s_server_url
  cluster_ca_certificate = local.onp_kubernetes_cluster_ca_certificate
  client_certificate     = local.onp_kubernetes_client_certificate
  client_key             = local.onp_kubernetes_client_key
}

provider "helm" {
  kubernetes {
    host                   = var.onp_k8s_server_url
    cluster_ca_certificate = local.onp_kubernetes_cluster_ca_certificate
    client_certificate     = local.onp_kubernetes_client_certificate
    client_key             = local.onp_kubernetes_client_key
  }
}
#endregion
#region on-premise ArgoCD to GitHub integration
# Credentials for ArgoCD's GitHub integrations on the on-premise cluster:
# - the OAuth App secret used for ArgoCD (dex) login via GitHub,
# - a GitHub App (id / installation id / private key) the ApplicationSet
#   controller uses to avoid the unauthenticated API rate limit, and
# - the dex client secret for Argo Workflows SSO.
# The ApplicationSet GitHub App is deliberately separate from the one that
# authenticates this Terraform run (terraform_github_app_*), so the two can
# be scoped and rotated independently.
variable "onp_k8s_argocd_github_oauth_app_secret" {
  description = "The OAuth app secret for ArgoCD-GitHub integration on On-Premise Kubernetes cluster"
  type        = string
  sensitive   = true
}

variable "onp_k8s_argocd_applicationset_controller_github_app_id" {
  description = "App ID of the GitHub App used to avoid GitHub rate limit on the ApplicationSet Controller"
  type        = string
  sensitive   = true
}

# Found at
# https://github.com/organizations/GiganticMinecraft/settings/installations/:installation_id
variable "onp_k8s_argocd_applicationset_controller_github_app_installation_id" {
  description = "Client installation ID of the GitHub App used to avoid GitHub rate limit on the ApplicationSet Controller"
  type        = string
  sensitive   = true
}

# Private key of the ApplicationSet controller's GitHub App. Since the App
# only needs to read repositories, confirm it is installed with read-only
# contents permission on the repositories it watches.
variable "onp_k8s_argocd_applicationset_controller_github_app_pem" {
  description = "Client private key of the GitHub App used to avoid GitHub rate limit on the ApplicationSet Controller"
  type        = string
  sensitive   = true
}

variable "onp_k8s_argo_workflows_sso_client_secret" {
  description = "Client Secret of Argo Workflows SSO on ArgoCD dex"
  type        = string
  sensitive   = true
}
#endregion
#region on-premise Grafana to GitHub integration
# GitHub OAuth App used for Grafana login on the on-premise cluster. The
# app id is not secret on its own, but keeping it `sensitive` alongside the
# secret is harmless and keeps both out of plan output.
variable "onp_k8s_grafana_github_oauth_app_id" {
  description = "The OAuth app id for Grafana-GitHub integration on On-Premise Kubernetes cluster"
  type        = string
  sensitive   = true
}

variable "onp_k8s_grafana_github_oauth_app_secret" {
  description = "The OAuth app secret for Grafana-GitHub integration on On-Premise Kubernetes cluster"
  type        = string
  sensitive   = true
}
#endregion
#region on-premise Synology CSI Driver Secret
# NOTE(review): the variable name says "config" while the description says
# "Token". If this is the driver's full client-info configuration (which,
# presumably, embeds the NAS host and login credentials) the description
# should say so, since that is a broader secret than a single token.
variable "onp_k8s_synology_csi_config" {
  description = "Synology CSI Driver Token for On-Premise Kubernetes Cluster"
  type        = string
  sensitive   = true
}
#endregion
#region on-premise Cloudflared tunnel secret
# Credentials for the cloudflared instance running on the on-premise k8s
# cluster. Set this to the contents of the .pem file obtained from
# `cloudflared login`.
#
# As of 2022-06-01, a Cloudflare user with the appropriate permissions can
# also obtain the .pem by visiting https://dash.cloudflare.com/argotunnel
# and authorizing it for seichi-network.
#
# NOTE(review): the .pem produced by `cloudflared login` (cert.pem) is an
# account-level origin certificate. Per Cloudflare's documentation it
# authorizes creating and managing tunnels and their DNS routes, not merely
# running an existing tunnel. If the cluster only needs to *run* a tunnel, a
# per-tunnel credentials file or tunnel token would let it do so without
# holding account-wide tunnel management rights — confirm which the
# workload actually requires before narrowing.
variable "onp_k8s_cloudflared_tunnel_credential" {
  description = "Cloudflared tunnel credential for On-Premise Kubernetes Cluster"
  type        = string
  sensitive   = true
}
#endregion
#region on-premise MinIO
# MinIO credentials. The root password is the instance-wide superuser
# credential; prod and debug each get their own access key / secret pair so
# the two environments can use non-root keys and be rotated or revoked
# independently of each other.
variable "minio_root_password" {
  description = "MinIO root password"
  type        = string
  sensitive   = true
}

variable "minio_prod_access_key" {
  description = "MinIO access key in production environment"
  type        = string
  sensitive   = true
}

variable "minio_prod_access_secret" {
  description = "MinIO access secret in production environment"
  type        = string
  sensitive   = true
}

variable "minio_debug_access_key" {
  description = "MinIO access key in debug environment"
  type        = string
  sensitive   = true
}

variable "minio_debug_access_secret" {
  description = "MinIO access secret in debug environment"
  type        = string
  sensitive   = true
}
#endregion
#region on-premise minecraft config secrets
# Secrets injected into the on-premise Minecraft deployments. The webhook
# URLs are treated as secrets because a webhook URL typically embeds the
# token that authorizes posting to it.
variable "minecraft__discordsrv_bot_token" {
  description = "DiscordSRV bot token"
  type        = string
  sensitive   = true
}

variable "minecraft__prod_one_day_to_reset__morning_glory_seed_webhook_url" {
  description = "Webhook URL for MorningGlorySeeds on one-day-to-reset server in production env"
  type        = string
  sensitive   = true
}

variable "minecraft__prod_kagawa__morning_glory_seed_webhook_url" {
  description = "Webhook URL for MorningGlorySeeds on kagawa server in production env"
  type        = string
  sensitive   = true
}

# Password for the production game database; the corresponding user should
# be limited to the game schemas it needs.
variable "minecraft__prod_game_db__password" {
  description = "Password set to the production game database"
  type        = string
  sensitive   = true
}
#endregion
#region on-premise discord bot secrets
# Tokens for the production Discord bots (idea-reaction and babyrite) plus
# the Redmine API key that idea-reaction uses. Each bot has its own token so
# one can be revoked without affecting the other.
variable "discord_bot__idea_reaction__discord_token" {
  description = "Token set to the production idea-reaction"
  type        = string
  sensitive   = true
}

variable "discord_bot__idea_reaction__redmine_api_key" {
  description = "Redmine API Key set to the production idea-reaction"
  type        = string
  sensitive   = true
}

variable "discord_bot__babyrite__discord_token" {
  description = "Token set to the production babyrite"
  type        = string
  sensitive   = true
}
#endregion
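#region env variables for Cloudflare Pages projects
# Values handed to the Seichi Portal Cloudflare Pages project as build-time
# environment variables.
# NOTE(review): both names carry the NEXT_PUBLIC_ prefix, which in Next.js
# means the value is inlined into the client-side bundle and is therefore
# visible to every visitor. `sensitive = true` only keeps them out of
# Terraform plan/output; it does not make them secret. Never route an actual
# secret (e.g. an OAuth client secret) through a NEXT_PUBLIC_ variable.
variable "cloudflare_pages__seichi_portal__next_public_backend_api_url" {
  description = "The url of Seichi Portal backend API"
  type        = string
  sensitive   = true
}

variable "cloudflare_pages__seichi_portal__next_public_ms_app_client_id" {
  description = "The application client ID on Microsoft Azure Portal for Seichi Portal"
  type        = string
  sensitive   = true
}
#endregion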
# region env variables for ArgoEvents
# NOTE(review): this is a bare GitHub access token rather than the GitHub App
# credentials used elsewhere in this file. A token is bound to a user account
# and (for classic PATs) carries coarse scopes that do not expire on their
# own. Prefer a fine-grained token limited to the repositories Argo Events
# watches, with an expiry, or a GitHub App as the ApplicationSet controller
# already uses.
variable "argo_events_github_access_token" {
  description = "ArgoEvents GitHub access token"
  type        = string
  sensitive   = true
}
# endregion