From bdb6dd7c01cd350d1252553e90667bc53cd5f213 Mon Sep 17 00:00:00 2001
From: Sven Sauleau <sven@cloudflare.com>
Date: Mon, 9 Jan 2023 14:44:59 +0000
Subject: [PATCH] keep tfstate in KV

---
 .github/workflows/deploy.yml | 46 ++++++++++++++++++++++++++++++++++++
 tf/main.tf                   | 27 ++++++++++++++-------
 2 files changed, 65 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index eb65703..72d2f5b 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -80,10 +80,35 @@ jobs:
                 -H 'Authorization: Bearer ${{ secrets.CF_API_TOKEN }}' | jq -r '.result.auth_domain')
             printf "auth_domain=$auth_domain" >> $GITHUB_ENV
 
+      - name: retrieve Terraform state KV namespace
+        uses: cloudflare/wrangler-action@2.0.0
+        with:
+          command: kv:namespace list | jq -r '.[] | select( .title == "wildebeest-terraform-${{ env.OWNER_LOWER }}-state" ) | .id' | awk '{print "tfstate_kv="$1}' >> $GITHUB_ENV
+          apiToken: ${{ secrets.CF_API_TOKEN }}
+          preCommands: |
+            echo "*** pre commands ***"
+            apt-get update && apt-get -y install jq
+            echo "******"
+        env:
+          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CF_ACCOUNT_ID }}
+
       - name: Init
         run: terraform init
         working-directory: ./tf
 
+      - name: download Terraform state
+        uses: cloudflare/wrangler-action@2.0.0
+        with:
+          command: kv:key get --namespace-id=${{ env.tfstate_kv }} terraform.tfstate > ./tf/terraform.tfstate
+          postCommands: |
+            echo "*** post commands ***"
+            chmod 777 ./tf/terraform.tfstate
+            echo "******"
+          apiToken: ${{ secrets.CF_API_TOKEN }}
+        env:
+          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CF_ACCOUNT_ID }}
+        if: ${{ env.tfstate_kv != '' }}
+
       - name: Configure
         run: terraform plan && terraform apply -auto-approve
         continue-on-error: true
@@ -97,6 +122,27 @@ jobs:
           TF_VAR_d1_id: ${{ env.d1_id }}
           TF_VAR_access_auth_domain: ${{ env.auth_domain }}
 
+      - name: retrieve Terraform state KV namespace
+        uses: cloudflare/wrangler-action@2.0.0
+        with:
+          command: kv:namespace list | jq -r '.[] | select( .title == "wildebeest-terraform-${{ env.OWNER_LOWER }}-state" ) | .id' | awk '{print "tfstate_kv="$1}' >> $GITHUB_ENV
+          apiToken: ${{ secrets.CF_API_TOKEN }}
+          preCommands: |
+            echo "*** pre commands ***"
+            apt-get update && apt-get -y install jq
+            echo "******"
+        env:
+          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CF_ACCOUNT_ID }}
+        if: ${{ env.tfstate_kv == '' }}
+
+      - name: store Terraform state
+        uses: cloudflare/wrangler-action@2.0.0
+        with:
+          command: kv:key put --namespace-id=${{ env.tfstate_kv }} terraform.tfstate --path=./tf/terraform.tfstate
+          apiToken: ${{ secrets.CF_API_TOKEN }}
+        env:
+          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CF_ACCOUNT_ID }}
+
       - name: Publish
         uses: cloudflare/wrangler-action@2.0.0
         with:
diff --git a/tf/main.tf b/tf/main.tf
index 518596f..281db3a 100644
--- a/tf/main.tf
+++ b/tf/main.tf
@@ -1,17 +1,21 @@
 variable "cloudflare_account_id" {
   type = string
+  sensitive = true
 }
 
 variable "cloudflare_zone_id" {
   type = string
+  sensitive = true
 }
 
 variable "cloudflare_deploy_domain" {
   type = string
+  sensitive = true
 }
 
 variable "cloudflare_api_token" {
   type = string
+  sensitive = true
 }
 
 variable "gh_username" {
@@ -20,10 +24,12 @@ variable "gh_username" {
 
 variable "d1_id" {
   type = string
+  sensitive = true
 }
 
 variable "access_auth_domain" {
   type = string
+  sensitive = true
 }
 
 terraform {
@@ -49,6 +55,11 @@ resource "cloudflare_workers_kv_namespace" "wildebeest_cache" {
   title = "wildebeest-${lower(var.gh_username)}-cache"
 }
 
+resource "cloudflare_workers_kv_namespace" "terraform_state" {
+  account_id = var.cloudflare_account_id
+  title = "wildebeest-terraform-${lower(var.gh_username)}-state"
+}
+
 resource "random_password" "user_key" {
   length  = 256
   special = false
@@ -62,20 +73,20 @@ resource "cloudflare_pages_project" "wildebeest_pages_project" {
   deployment_configs {
     production {
       environment_variables = {
-        CF_ACCOUNT_ID = var.cloudflare_account_id
-        CF_API_TOKEN = var.cloudflare_api_token
+        CF_ACCOUNT_ID = sensitive(var.cloudflare_account_id)
+        CF_API_TOKEN = sensitive(var.cloudflare_api_token)
 
-        USER_KEY = random_password.user_key.result
+        USER_KEY = sensitive(random_password.user_key.result)
 
-        DOMAIN = trimspace(var.cloudflare_deploy_domain)
-        ACCESS_AUD = cloudflare_access_application.wildebeest_access.aud
-        ACCESS_AUTH_DOMAIN = var.access_auth_domain
+        DOMAIN = sensitive(trimspace(var.cloudflare_deploy_domain))
+        ACCESS_AUD = sensitive(cloudflare_access_application.wildebeest_access.aud)
+        ACCESS_AUTH_DOMAIN = sensitive(var.access_auth_domain)
       }
       kv_namespaces = {
-        KV_CACHE = cloudflare_workers_kv_namespace.wildebeest_cache.id
+        KV_CACHE = sensitive(cloudflare_workers_kv_namespace.wildebeest_cache.id)
       }
       d1_databases = {
-        DATABASE = var.d1_id
+        DATABASE = sensitive(var.d1_id)
       }
     }
   }