From bdb6dd7c01cd350d1252553e90667bc53cd5f213 Mon Sep 17 00:00:00 2001
From: Sven Sauleau
Date: Mon, 9 Jan 2023 14:44:59 +0000
Subject: [PATCH] keep tfstate in KV
---
 .github/workflows/deploy.yml | 46 ++++++++++++++++++++++++++++++++++++
 tf/main.tf | 27 ++++++++++++++-------
 2 files changed, 65 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index eb65703..72d2f5b 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -80,10 +80,35 @@ jobs:
 -H 'Authorization: Bearer ${{ secrets.CF_API_TOKEN }}' | jq -r '.result.auth_domain')
 printf "auth_domain=$auth_domain" >> $GITHUB_ENV
+ - name: retrieve Terraform state KV namespace
+ uses: cloudflare/wrangler-action@2.0.0
+ with:
+ command: kv:namespace list | jq -r '.[] | select( .title == "wildebeest-terraform-${{ env.OWNER_LOWER }}-state" ) | .id' | awk '{print "tfstate_kv="$1}' >> $GITHUB_ENV
+ apiToken: ${{ secrets.CF_API_TOKEN }}
+ preCommands: |
+ echo "*** pre commands ***"
+ apt-get update && apt-get -y install jq
+ echo "******"
+ env:
+ CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CF_ACCOUNT_ID }}
+
 - name: Init
 run: terraform init
 working-directory: ./tf
+ - name: download Terraform state
+ uses: cloudflare/wrangler-action@2.0.0
+ with:
+ command: kv:key get --namespace-id=${{ env.tfstate_kv }} terraform.tfstate > ./tf/terraform.tfstate
+ postCommands: |
+ echo "*** post commands ***"
+ chmod 777 ./tf/terraform.tfstate
+ echo "******"
+ apiToken: ${{ secrets.CF_API_TOKEN }}
+ env:
+ CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CF_ACCOUNT_ID }}
+ if: ${{ env.tfstate_kv != '' }}
+
 - name: Configure
 run: terraform plan && terraform apply -auto-approve
 continue-on-error: true
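Review bot: The file fetched by the `download Terraform state` step is a plain `terraform.tfstate`, and Terraform serialises every variable value and resource attribute into it unredacted, so `var.cloudflare_api_token` and `random_password.user_key.result` end up in clear in a Workers KV namespace readable by anyone with KV access on the account; the `sensitive` flags added in `tf/main.tf` do not change that, so access to this namespace has to be treated as equivalent to holding the API token. Nothing serialises concurrent runs either: two overlapping pushes each download the same state, both apply, and the later `kv:key put` silently overwrites the other run's state. A workflow-level `concurrency: { group: terraform-state, cancel-in-progress: false }` (outside this hunk) is the minimum guard against that. Minor: `chmod 777 ./tf/terraform.tfstate` also grants execute; `chmod 666` is all the runner user needs to read and rewrite the file.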
@@ -97,6 +122,27 @@ jobs:
 TF_VAR_d1_id: ${{ env.d1_id }}
 TF_VAR_access_auth_domain: ${{ env.auth_domain }}
+ - name: retrieve Terraform state KV namespace
+ uses: cloudflare/wrangler-action@2.0.0
+ with:
+ command: kv:namespace list | jq -r '.[] | select( .title == "wildebeest-terraform-${{ env.OWNER_LOWER }}-state" ) | .id' | awk '{print "tfstate_kv="$1}' >> $GITHUB_ENV
+ apiToken: ${{ secrets.CF_API_TOKEN }}
+ preCommands: |
+ echo "*** pre commands ***"
+ apt-get update && apt-get -y install jq
+ echo "******"
+ env:
+ CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CF_ACCOUNT_ID }}
+ if: ${{ env.tfstate_kv == '' }}
+
+ - name: store Terraform state
+ uses: cloudflare/wrangler-action@2.0.0
+ with:
+ command: kv:key put --namespace-id=${{ env.tfstate_kv }} terraform.tfstate --path=./tf/terraform.tfstate
+ apiToken: ${{ secrets.CF_API_TOKEN }}
+ env:
+ CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CF_ACCOUNT_ID }}
+
 - name: Publish
 uses: cloudflare/wrangler-action@2.0.0
 with:
diff --git a/tf/main.tf b/tf/main.tf
index 518596f..281db3a 100644
--- a/tf/main.tf
+++ b/tf/main.tf
@@ -1,17 +1,21 @@
 variable "cloudflare_account_id" {
 type = string
+ sensitive = true
 }
 variable "cloudflare_zone_id" {
 type = string
+ sensitive = true
 }
 variable "cloudflare_deploy_domain" {
 type = string
+ sensitive = true
 }
 variable "cloudflare_api_token" {
 type = string
+ sensitive = true
 }
 variable "gh_username" {
@@ -20,10 +24,12 @@ variable "gh_username" {
 variable "d1_id" {
 type = string
+ sensitive = true
 }
 variable "access_auth_domain" {
 type = string
+ sensitive = true
 }
 terraform {
@@ -49,6 +55,11 @@ resource "cloudflare_workers_kv_namespace" "wildebeest_cache" {
 title = "wildebeest-${lower(var.gh_username)}-cache"
 }
+resource "cloudflare_workers_kv_namespace" "terraform_state" {
+ account_id = var.cloudflare_account_id
+ title = "wildebeest-terraform-${lower(var.gh_username)}-state"
+}
+
 resource "random_password" "user_key" {
 length = 256
 special = false
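Review bot: The `store Terraform state` step has no `if:` guard, yet the `Configure` step it runs after is `continue-on-error: true`; on a first run where the apply fails before `cloudflare_workers_kv_namespace.terraform_state` exists, `env.tfstate_kv` is still empty and the step issues `kv:key put --namespace-id=` with no id, so the local state produced by the partial apply is never persisted and the next run starts from an empty state against resources that already exist. Guard it like the download step, `if: ${{ env.tfstate_kv != '' }}`, and consider failing the job explicitly when the id is still empty after apply so a lost state is noticed immediately rather than as duplicate-resource errors on the next run. The second `retrieve Terraform state KV namespace` step repeats the first verbatim apart from its `if:`; a comment such as `# look the namespace up again: on a first run it is created by the apply above` would explain why it is there.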
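Review bot: `sensitive = true` on `cloudflare_account_id`, `cloudflare_zone_id`, `cloudflare_deploy_domain` and `cloudflare_api_token` only redacts the values in plan/apply output; they are still serialised unredacted into `terraform.tfstate`, which this same commit starts copying into Workers KV, and the same applies to the `sensitive = true` added to `d1_id` and `access_auth_domain` in the next hunk. A one-line comment above the first variable would keep the flag from being read as state protection, e.g. `# sensitive redacts CLI output only; terraform.tfstate still holds these values in clear`.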
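Review bot: `cloudflare_workers_kv_namespace.terraform_state` is managed by the very state it is meant to hold, so any plan that destroys or replaces it (a `terraform destroy`, or, if the provider version in use treats `title` changes as replacement, a change to `gh_username`) deletes the only copy of the state along with it. A `lifecycle { prevent_destroy = true }` block inside the resource makes Terraform refuse such a plan instead of carrying it out. A comment recording the bootstrap order would also help here, e.g. `# created by the first apply; the workflow stores terraform.tfstate into it afterwards`.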
@@ -62,20 +73,20 @@ resource "cloudflare_pages_project" "wildebeest_pages_project" {
 deployment_configs {
 production {
 environment_variables = {
- CF_ACCOUNT_ID = var.cloudflare_account_id
- CF_API_TOKEN = var.cloudflare_api_token
+ CF_ACCOUNT_ID = sensitive(var.cloudflare_account_id)
+ CF_API_TOKEN = sensitive(var.cloudflare_api_token)
- USER_KEY = random_password.user_key.result
+ USER_KEY = sensitive(random_password.user_key.result)
- DOMAIN = trimspace(var.cloudflare_deploy_domain)
- ACCESS_AUD = cloudflare_access_application.wildebeest_access.aud
- ACCESS_AUTH_DOMAIN = var.access_auth_domain
+ DOMAIN = sensitive(trimspace(var.cloudflare_deploy_domain))
+ ACCESS_AUD = sensitive(cloudflare_access_application.wildebeest_access.aud)
+ ACCESS_AUTH_DOMAIN = sensitive(var.access_auth_domain)
 }
 kv_namespaces = {
- KV_CACHE = cloudflare_workers_kv_namespace.wildebeest_cache.id
+ KV_CACHE = sensitive(cloudflare_workers_kv_namespace.wildebeest_cache.id)
 }
 d1_databases = {
- DATABASE = var.d1_id
+ DATABASE = sensitive(var.d1_id)
 }
 }
 }
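Review bot: Wrapping these values in `sensitive()` only hides them from plan/apply output; they are still written in clear to the Pages project's environment and to `terraform.tfstate`, so the real secrets here (`CF_API_TOKEN`, `USER_KEY`) are no better protected than before, while the non-secret `DOMAIN`, `ACCESS_AUD`, `ACCESS_AUTH_DOMAIN`, `KV_CACHE` and `DATABASE` now appear in every plan as `(sensitive value)`, so drift in them can no longer be reviewed from the plan diff. `random_password.user_key.result` is already a sensitive attribute, so that wrapper is redundant. Consider limiting `sensitive()` to the actual secrets and adding `# sensitive() redacts plan output only; state still holds these values in clear` above the map. The enclosing `cloudflare_pages_project` resource starts before this hunk.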