diff --git a/.envrc b/.envrc index d43e9e050..a61f8d2a6 100644 --- a/.envrc +++ b/.envrc @@ -5,6 +5,7 @@ export PATH=$PWD/node_modules/.bin:$PATH export KUBECONFIG=$(expand_path ./ansible/kubeconfig) export ANSIBLE_CONFIG=$(expand_path ./ansible.cfg) export GPG_TTY=$(tty) -export NODE_OPTIONS="$NODE_OPTIONS --max-old-space-size=2048" +export NODE_OPTIONS="$NODE_OPTIONS --max-old-space-size=4096" export GITGUARDIAN_API_KEY="op://Infrastructure/gitguardian/credentials/token" +export OP_SERVICE_ACCOUNT_TOKEN="$(op read 'op://Infrastructure/Service Account Auth Token - GitHub Actions RO/credential')" source $(expand_path ./.config.env) diff --git a/.github/workflows/cdktf-cicd.yml b/.github/workflows/cdktf-cicd.yml index 92d22d3c0..7688d16f4 100644 --- a/.github/workflows/cdktf-cicd.yml +++ b/.github/workflows/cdktf-cicd.yml @@ -25,10 +25,6 @@ permissions: pull-requests: write issues: read -env: - CDKTF_VERSION: 0.14.3 - TERRAFORM_VERSION: 1.3.5 - jobs: terraform: name: "Terraform CDK CICD" @@ -54,7 +50,6 @@ jobs: - name: Install Terraform uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36 # v3 with: - terraform_version: ${{ env.TERRAFORM_VERSION }} terraform_wrapper: false cli_config_credentials_token: ${{ steps.fetch-terraform-cloud-token.outputs.TERRAFORM_CLOUD_TOKEN }} # Fetch the node version from the .nvmrc file @@ -79,8 +74,6 @@ jobs: yarn install --frozen-lockfile --immutable - name: Generate module and provider bindings working-directory: ./cdktf - env: - TERRAFORM_CLOUD_TOKEN: ${{ steps.fetch-terraform-cloud-token.outputs.TERRAFORM_CLOUD_TOKEN }} run: yarn get - name: Determine mode id: determine-mode 
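Review bot: The new `OP_SERVICE_ACCOUNT_TOKEN` line resolves the secret eagerly with `$(op read …)`, so direnv places the plaintext token in the environment of every process started from this directory, including `yarn install` lifecycle scripts and anything on the `node_modules/.bin` PATH entry shown in the hunk header; the `GITGUARDIAN_API_KEY` line just above keeps the lazy `op://` reference form instead. Keeping the reference form here, `export OP_SERVICE_ACCOUNT_TOKEN="op://Infrastructure/Service Account Auth Token - GitHub Actions RO/credential"`, and resolving it only for the commands that need it (`op run -- cdktf synth`) limits the exposure to those processes. If the eager form is kept, note that a failed `op read` (not signed in, wrong vault) leaves the variable exported but empty and the file continues to the `source` line, so the failure surfaces later as an opaque provider auth error rather than at load time. The item name suggests this is the CI read-only account; sharing it with developer shells widens where that credential can leak from.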
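Review bot: Dropping `terraform_version` from setup-terraform (hunk at -54) and `terraformVersion`/`cdktfVersion` from terraform-cdk-action (hunk at -101) together with the `env:` block in this hunk leaves no toolchain pin anywhere in the workflow, so each run picks up whatever release the actions default to and plans stop being reproducible between runs. The removed `CDKTF_VERSION: 0.14.3` was already out of step with the `"cdktf": "^0.19.0"` this same commit shows in cdktf/package.json, which is presumably why it was removed; the fix is to update the pin (e.g. `CDKTF_VERSION: 0.19.2`, matching the `cdktf@0.19.2` entry in yarn.lock) rather than drop it, and to keep `terraform_version` on the setup step. With `mode` coming from `determine-mode` this workflow can reach apply, so an unpinned toolchain change would surface first in live state.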
@@ -101,14 +94,11 @@ jobs: uses: hashicorp/terraform-cdk-action@7a6efa0bdbd9e966036d1bf84385042d3a8fc272 # v1.0.2 id: terraform-cdk with: - terraformVersion: ${{ env.TERRAFORM_VERSION }} - cdktfVersion: ${{ env.CDKTF_VERSION }} workingDirectory: ./cdktf stackName: cdktf mode: ${{ steps.determine-mode.outputs.mode }} githubToken: ${{ secrets.GITHUB_TOKEN }} - env: - TERRAFORM_CLOUD_TOKEN: ${{ steps.fetch-terraform-cloud-token.outputs.TERRAFORM_CLOUD_TOKEN }} + terraformCloudToken: ${{ steps.fetch-terraform-cloud-token.outputs.TERRAFORM_CLOUD_TOKEN }} - name: Store generated CDKTF uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4 # Only store the CDKTF output if the Terraform CDK step ran diff --git a/cdktf/.gitignore b/cdktf/.gitignore index 5f20a5665..016e47827 100644 --- a/cdktf/.gitignore +++ b/cdktf/.gitignore @@ -9,3 +9,4 @@ cdktf.log tsconfig.tsbuildinfo !jest.config.js !setup.js +!secrets.ts diff --git a/cdktf/cdktf.json b/cdktf/cdktf.json index b38070c52..e5ca0bc22 100644 --- a/cdktf/cdktf.json +++ b/cdktf/cdktf.json @@ -3,7 +3,11 @@ "app": "npx ts-node main.ts", "projectId": "ws-V5gxjePJpgWgsGj6", "sendCrashReports": "false", - "terraformProviders": ["oracle/oci", "tailscale/tailscale"], + "terraformProviders": [ + "oracle/oci", + "tailscale/tailscale", + "1Password/onepassword@1.4.1-beta01" + ], "terraformModules": ["oracle-terraform-modules/vcn/oci"], "context": { "excludeStackIdFromLogicalIds": "true", diff --git a/cdktf/main.ts b/cdktf/main.ts index 31c6c22b3..932048857 100644 --- a/cdktf/main.ts +++ b/cdktf/main.ts @@ -9,6 +9,7 @@ import * as tailscale from "./.gen/providers/tailscale" import { Construct } from "constructs" import { App, TerraformStack, TerraformVariable, VariableType } from "cdktf" import { OCIConfig } from "./oci/main" +import { Secrets } from "./secrets" require("json5/lib/register") // eslint-disable-line no-eval 
@@ -22,6 +23,8 @@ class InfrastructureStack extends TerraformStack { workspaces: new cdktf.NamedCloudWorkspace("infrastructure"), }) + new Secrets(this, name, {}) + // Terraform Vars const cfAccountId = new TerraformVariable(this, "cf_account_id", { description: "The Cloudflare UUID for the Account the Zone lives in.", @@ -123,6 +126,8 @@ class InfrastructureStack extends TerraformStack { default: {}, }) + return + // Read infrastructure config from local file const ociConfig: Map = require(path.join( __dirname, diff --git a/cdktf/package.json b/cdktf/package.json index 468f483fd..ee5107958 100644 --- a/cdktf/package.json +++ b/cdktf/package.json @@ -23,9 +23,11 @@ }, "dependencies": { "@cdktf/provider-cloudflare": "^10.0.0", + "@cdktf/provider-null": "^9.0.1", "@cdktf/provider-random": "^10.0.0", "@cdktf/provider-template": "^9.0.0", "cdktf": "^0.19.0", + "cdktf-local-exec": "^0.4.13", "constructs": "^10.1.136", "json5": "^2.2.3" }, diff --git a/cdktf/secrets.ts b/cdktf/secrets.ts new file mode 100644 index 000000000..9edd7accc --- /dev/null +++ b/cdktf/secrets.ts 
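Review bot: The bare `return` added in the second hunk (at -123) exits the `InfrastructureStack` constructor before `ociConfig` is read, so everything defined after it (the OCI config read and whatever follows outside the hunk; the constructor body continues past both hunks) is no longer synthesized. Because `cdktf-cicd.yml` runs terraform-cdk-action with a `determine-mode` mode that can reach apply, a run from this branch would plan to destroy every resource that disappeared from the synthesized config rather than produce a no-op. If the intent is to try `Secrets` in isolation, gate the rest behind a flag (a `TerraformVariable` or an env check) instead of an unconditional `return`, or keep this on a branch the workflow does not apply. `new Secrets(this, name, {})` in the first hunk reuses the stack's own `name` as the construct id; a fixed id such as `"secrets"` reads better and cannot collide with another child that derives its id from `name`.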
@@ -0,0 +1,82 @@
+import * as onepassword from "./.gen/providers/onepassword"
+import * as localExec from "cdktf-local-exec";
+import * as cdktf from "cdktf";
+
+import { Construct } from "constructs";
+
+function Setup1Password(scope: Construct) {
+ const arch = "amd64"
+
+ // Fetch 1Password CLI version with typescript
+ const version = fetch("https://app-updates.agilebits.com/check/1/0/CLI2/en/2.0.0/N").then((response) => {
+ // Parse version from response as JSON
+ return response.json().then((json: any) => {
+ // Check if version is available
+ if (!json["version"]) {
+ throw new Error("No version found");
+ }
+
+ // Return version
+ return json["version"];
+ });
+ });
+
+ const command = `curl -sSfo op.zip "https://cache.agilebits.com/dist/1P/op2/pkg/v${version}/op_linux_${arch}_v${version}.zip" && unzip -od /usr/local/bin/ op.zip && rm op.zip`
+
+ // const opPath = "tools/op"
+ const install = new localExec.LocalExec(scope, "1password-install", {
+ cwd: ".",
+ command: command,
+ });
+
+ return {
+ path: '/usr/local/bin/op',
+ install: install
+ }
+}
+
+export interface SecretsConfig {
+}
+
+export class Secrets extends Construct {
+ constructor(scope: Construct, name: string, _: SecretsConfig) {
+ super(scope, name)
+
+ // Initialize local-exec provider
+ new localExec.Provider(this, "local-exec");
+
+ // Setup 1Password
+ const setup = Setup1Password(this)
+
+ new cdktf.TerraformOutput(this, "op-path", {
+ value: setup.path,
+ });
+
+ return;
+
+ // Initialize 1Password provider
+ new onepassword.provider.OnepasswordProvider(this, "onepassword", {
+ serviceAccountToken: process.env.OP_SERVICE_ACCOUNT_TOKEN,
+ opCliPath: cdktf.Fn.join("/", [setup.install.cwd, "op"]),
+ });
+
+ // Fetch the 1Password Infrastructure vault
+ const vault = new onepassword.dataOnepasswordVault.DataOnepasswordVault(this, "vault", {
+ name: "Infrastructure",
+ provisioners: [
+ // setup.install,
+ ],
+ });
+
+ // Fetch the 1Password item for the Terraform login
+ const item = new 
onepassword.dataOnepasswordItem.DataOnepasswordItem(this, "item", { + vault: vault.id, + title: "terraform", + }); + + // Create output for the result + new cdktf.TerraformOutput(this, "item-output", { + value: item.title, + }); + } +} diff --git a/cdktf/yarn.lock b/cdktf/yarn.lock index 6258d6912..8ad888f0f 100644 --- a/cdktf/yarn.lock +++ b/cdktf/yarn.lock @@ -24,19 +24,19 @@ integrity sha512-uU27kfDRlhfKl+w1U6vp16IuvSLtjAxdArVXPa9BvLkrr7CYIsxH5adpHObeAGY/41+syctUWOZ140a2Rvkgjw== "@babel/core@^7.11.6", "@babel/core@^7.12.3": - version "7.23.6" - resolved "https://registry.yarnpkg.com/@babel/core/-/core-7.23.6.tgz#8be77cd77c55baadcc1eae1c33df90ab6d2151d4" - integrity sha512-FxpRyGjrMJXh7X3wGLGhNDCRiwpWEF74sKjTLDJSG5Kyvow3QZaG0Adbqzi9ZrVjTWpsX+2cxWXD71NMg93kdw== + version "7.23.7" + resolved "https://registry.yarnpkg.com/@babel/core/-/core-7.23.7.tgz#4d8016e06a14b5f92530a13ed0561730b5c6483f" + integrity sha512-+UpDgowcmqe36d4NwqvKsyPMlOLNGMsfMmQ5WGCu+siCe3t3dfe9njrzGfdN4qq+bcNUt0+Vw6haRxBOycs4dw== dependencies: "@ampproject/remapping" "^2.2.0" "@babel/code-frame" "^7.23.5" "@babel/generator" "^7.23.6" "@babel/helper-compilation-targets" "^7.23.6" "@babel/helper-module-transforms" "^7.23.3" - "@babel/helpers" "^7.23.6" + "@babel/helpers" "^7.23.7" "@babel/parser" "^7.23.6" "@babel/template" "^7.22.15" - "@babel/traverse" "^7.23.6" + "@babel/traverse" "^7.23.7" "@babel/types" "^7.23.6" convert-source-map "^2.0.0" debug "^4.1.0" 
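Review bot: `version` is a `Promise`, not a string — the `fetch(...).then(...)` chain is never awaited (a construct constructor is synchronous), so the template on the `const command` line expands to `.../v[object Promise]/op_linux_amd64_v[object Promise].zip` and the `1password-install` resource can never succeed. Resolving the CLI version from an update server at synth time is also the wrong shape for infrastructure code: the version and the archive digest should be pinned in source and the download verified before `unzip` writes into `/usr/local/bin/`, as sketched below. Separately, `serviceAccountToken: process.env.OP_SERVICE_ACCOUNT_TOKEN` bakes the token into the synthesized Terraform JSON under `cdktf.out`, which the "Store generated CDKTF" step in the workflow uploads as an artifact; the provider can source `OP_SERVICE_ACCOUNT_TOKEN` from the environment at plan/apply time, so omit it from the provider block. The `return;` after the `op-path` output leaves the provider, vault and item code unreachable, and `opCliPath` is built from `setup.install.cwd` (`"."`) while `setup.path` already names the installed binary — use `setup.path`.
```typescript
// Pinned CLI release — placeholder values, replace with the release you verified
const OP_CLI_VERSION = "<PINNED_OP_CLI_VERSION>";
const OP_CLI_SHA256 = "<SHA256_OF_op_linux_amd64_ZIP>";

function Setup1Password(scope: Construct) {
  const arch = "amd64"
  const url = `https://cache.agilebits.com/dist/1P/op2/pkg/v${OP_CLI_VERSION}/op_linux_${arch}_v${OP_CLI_VERSION}.zip`
  // Check the archive against the recorded digest before anything is unpacked onto PATH; sha256sum -c fails closed
  const command = `curl -sSfo op.zip "${url}" && echo "${OP_CLI_SHA256}  op.zip" | sha256sum -c - && unzip -od /usr/local/bin/ op.zip && rm op.zip`
  // … unchanged: LocalExec resource and return value …
}

// … unchanged: Secrets constructor up to the op-path output; the early `return;` is dropped …
// No serviceAccountToken here: the provider reads OP_SERVICE_ACCOUNT_TOKEN from the environment
// at plan/apply time, so the token never lands in the synthesized JSON.
new onepassword.provider.OnepasswordProvider(this, "onepassword", {
  opCliPath: setup.path,
});
```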
@@ -137,13 +137,13 @@ resolved "https://registry.yarnpkg.com/@babel/helper-validator-option/-/helper-validator-option-7.23.5.tgz#907a3fbd4523426285365d1206c423c4c5520307" integrity sha512-85ttAOMLsr53VgXkTbkx8oA6YTfT4q7/HzXSLEYmjcSTJPMPQtvq1BD79Byep5xMUYbGRzEpDsjUf3dyp54IKw== -"@babel/helpers@^7.23.6": - version "7.23.6" - resolved "https://registry.yarnpkg.com/@babel/helpers/-/helpers-7.23.6.tgz#d03af2ee5fb34691eec0cda90f5ecbb4d4da145a" - integrity sha512-wCfsbN4nBidDRhpDhvcKlzHWCTlgJYUUdSJfzXb2NuBssDSIjc3xcb+znA7l+zYsFljAcGM0aFkN40cR3lXiGA== +"@babel/helpers@^7.23.7": + version "7.23.7" + resolved "https://registry.yarnpkg.com/@babel/helpers/-/helpers-7.23.7.tgz#eb543c36f81da2873e47b76ee032343ac83bba60" + integrity sha512-6AMnjCoC8wjqBzDHkuqpa7jAKwvMo4dC+lr/TFBz+ucfulO1XMpDnwWPGBNwClOKZ8h6xn5N81W/R5OrcKtCbQ== dependencies: "@babel/template" "^7.22.15" - "@babel/traverse" "^7.23.6" + "@babel/traverse" "^7.23.7" "@babel/types" "^7.23.6" "@babel/highlight@^7.23.4": @@ -267,10 +267,10 @@ "@babel/parser" "^7.22.15" "@babel/types" "^7.22.15" -"@babel/traverse@^7.23.6": - version "7.23.6" - resolved "https://registry.yarnpkg.com/@babel/traverse/-/traverse-7.23.6.tgz#b53526a2367a0dd6edc423637f3d2d0f2521abc5" - integrity sha512-czastdK1e8YByZqezMPFiZ8ahwVMh/ESl9vPgvgdB9AmFMGP5jfpFax74AQgl5zj4XHzqeYAg2l8PuUeRS1MgQ== +"@babel/traverse@^7.23.7": + version "7.23.7" + resolved "https://registry.yarnpkg.com/@babel/traverse/-/traverse-7.23.7.tgz#9a7bf285c928cb99b5ead19c3b1ce5b310c9c305" + integrity sha512-tY3mM8rH9jM0YHFGyfC0/xf+SB5eKUu7HPj7/k3fpi9dAlsMc5YbQvDi0Sh2QTPXqMhyaAtzAr807TIyfQrmyg== dependencies: "@babel/code-frame" "^7.23.5" "@babel/generator" "^7.23.6" 
@@ -406,9 +406,9 @@ prebuild-install "^7.1.1" "@cdktf/provider-cloudflare@^10.0.0": - version "10.0.4" - resolved "https://registry.yarnpkg.com/@cdktf/provider-cloudflare/-/provider-cloudflare-10.0.4.tgz#f285e5f7431ad8b47d5f71b88ee2f2289795774f" - integrity sha512-GrgwNUk2BHkOWZEMzyp9Bu4gWgrvs3HbEJrXKhFTDvt7Af74Y/FpZxd6IzIE7qk0CV2eqpBpKeqA92AM47pAVQ== + version "10.1.0" + resolved "https://registry.yarnpkg.com/@cdktf/provider-cloudflare/-/provider-cloudflare-10.1.0.tgz#28c850e031f51de889274b51096e44d14cca0316" + integrity sha512-f9fXmH8Z9SK5hdP14FeYw5MMrU1PhlCexC1KDY+PATLyssu2KgqN5kFAnkeQZtFTGGz2QY9X5GD0/ruDWlWgoQ== "@cdktf/provider-generator@0.19.2": version "0.19.2" @@ -424,6 +424,11 @@ fs-extra "^8.1.0" jsii-srcmak "^0.1.954" +"@cdktf/provider-null@^9.0.1": + version "9.0.1" + resolved "https://registry.yarnpkg.com/@cdktf/provider-null/-/provider-null-9.0.1.tgz#fd54f09fdbfd6994fb253ed672526a6a8e7909f0" + integrity sha512-unmz1i944Y0gIavZTYl54jZBXQh95i21SStCRqRfiFyrsc88aw665HJt1G69uQXK3VtPuwjFSSVsG9UMRmZh6A== + "@cdktf/provider-random@^10.0.0": version "10.0.1" resolved "https://registry.yarnpkg.com/@cdktf/provider-random/-/provider-random-10.0.1.tgz#1b8f448a0b3a3f019f0becb01b80128d805ab487" @@ -1050,9 +1055,9 @@ "@types/node" "*" "@types/node@*", "@types/node@^20.4.0", "@types/node@^20.4.2", "@types/node@^20.9.0": - version "20.10.5" - resolved "https://registry.yarnpkg.com/@types/node/-/node-20.10.5.tgz#47ad460b514096b7ed63a1dae26fad0914ed3ab2" - integrity sha512-nNPsNE65wjMxEKI93yOP+NPGGBJz/PoN3kZsVLee0XMiJolxSekEVD8wRwBUBqkwc7UWop0edW50yrCQW4CyRw== + version "20.10.6" + resolved "https://registry.yarnpkg.com/@types/node/-/node-20.10.6.tgz#a3ec84c22965802bf763da55b2394424f22bfbb5" + integrity sha512-Vac8H+NlRNNlAmDfGUP7b5h/KA+AtWIzuXy0E6OyP8f1tCLYAtPvKRRDJjAPqhpCb0t6U2j7/xqAuLEebW2kiw== dependencies: undici-types "~5.26.4" 
@@ -1108,9 +1113,9 @@ acorn-walk@^8.1.1: integrity sha512-TgUZgYvqZprrl7YldZNoa9OciCAyZR+Ejm9eXzKCmjsF5IKp/wgQ7Z/ZpjpGTIUPwrHQIcYeI8qDh4PsEwxMbw== acorn@^8.4.1: - version "8.11.2" - resolved "https://registry.yarnpkg.com/acorn/-/acorn-8.11.2.tgz#ca0d78b51895be5390a5903c5b3bdcdaf78ae40b" - integrity sha512-nc0Axzp/0FILLEVsm4fNwLCwMttvhEI263QtVPQcbpfZZ3ts0hLsZGOpE6czNlid7CJ9MlyH8reXkpsf3YUY4w== + version "8.11.3" + resolved "https://registry.yarnpkg.com/acorn/-/acorn-8.11.3.tgz#71e0b14e13a4ec160724b38fb7b0f233b1b81d7a" + integrity sha512-Y9rRfJG5jcKOE0CLisYbojUjIrIEE7AGMzA/Sm4BslANhbS+cDMpgBdcPT91oJ7OuJ9hYJBx59RjbhxVnrF8Xg== address@^1.0.1: version "1.2.2" @@ -1451,9 +1456,9 @@ camelcase@^6.2.0, camelcase@^6.3.0: integrity sha512-Gmy6FhYlCY7uOElZUSbxo2UCDH8owEk996gkbrpsgGtrJLM3J7jGxl9Ic7Qwwj4ivOE5AWZWRMecDdF7hqGjFA== caniuse-lite@^1.0.30001565: - version "1.0.30001571" - resolved "https://registry.yarnpkg.com/caniuse-lite/-/caniuse-lite-1.0.30001571.tgz#4182e93d696ff42930f4af7eba515ddeb57917ac" - integrity sha512-tYq/6MoXhdezDLFZuCO/TKboTzuQ/xR5cFdgXPfDtM7/kchBO3b4VWghE/OAi/DV7tTdhmLjZiZBZi1fA/GheQ== + version "1.0.30001572" + resolved "https://registry.yarnpkg.com/caniuse-lite/-/caniuse-lite-1.0.30001572.tgz#1ccf7dc92d2ee2f92ed3a54e11b7b4a3041acfa0" + integrity sha512-1Pbh5FLmn5y4+QhNyJE9j3/7dK44dGB83/ZMjv/qJk86TvDbjk0LosiZo0i0WB0Vx607qMX9jYrn1VLHCkN4rw== case@^1.6.3: version "1.6.3" @@ -1491,6 +1496,11 @@ cdktf-cli@^0.19.0: yoga-layout-prebuilt "^1.10.0" zod "^3.22.4" +cdktf-local-exec@^0.4.13: + version "0.4.13" + resolved "https://registry.yarnpkg.com/cdktf-local-exec/-/cdktf-local-exec-0.4.13.tgz#1c7adf374afbd5b4a5edd3169fdfdc2cd672eb36" + integrity sha512-lRFDotoy29k7BhPMbpTHdoM7tGa8yjtD0C4x06Af80VMJ+AFDOJ1+Xa0ZQARiDrlSm914VgwJvqjSbMZbLJnfA== + cdktf@0.19.2, cdktf@^0.19.0: version "0.19.2" resolved "https://registry.yarnpkg.com/cdktf/-/cdktf-0.19.2.tgz#c93b794a9c8ac6b4e50bc24e80d06d84089a8766" 
@@ -4473,9 +4483,9 @@ typescript@^5.0.0, typescript@~5.3: integrity sha512-pXWcraxM0uxAS+tN0AG/BF2TyqmHO014Z070UsJ+pFvYuRSq8KH8DmWpnbXe0pEPDHXZV3FcAbJkijJ5oNEnWw== typescript@next: - version "5.4.0-dev.20231224" - resolved "https://registry.yarnpkg.com/typescript/-/typescript-5.4.0-dev.20231224.tgz#92bdc3844e2480bacd20dcc4bd04360c7069b995" - integrity sha512-FbcuMRM2iUkY4cxHsHAGWm40kQ2fwkqmLNciqrzfBMEnuLN88t3iTEJhOAxJjVOl8LY58odFb0crTILOB/VtCw== + version "5.4.0-dev.20231229" + resolved "https://registry.yarnpkg.com/typescript/-/typescript-5.4.0-dev.20231229.tgz#235ab24e925c13f1dfbe513ab2cbdda64e55491d" + integrity sha512-XFSQ1IdxXaQOAwS8Jz6uSrms9jVnbwLdqnmiaBIW+xJQL/09S4cp5h+0PhawoxcBAK+gtffIIS5/qU2oioAjgA== typescript@~3.9.10: version "3.9.10"