jon77p · jon77p · Dec 30, 2023 · Dec 30, 2023 · Dec 30, 2023 · Dec 30, 2023
@@ -5,6 +5,7 @@ export PATH=$PWD/node_modules/.bin:$PATH
 export KUBECONFIG=$(expand_path ./ansible/kubeconfig)
 export ANSIBLE_CONFIG=$(expand_path ./ansible.cfg)
 export GPG_TTY=$(tty)
-export NODE_OPTIONS="$NODE_OPTIONS --max-old-space-size=2048"
+export NODE_OPTIONS="$NODE_OPTIONS --max-old-space-size=4096"
 export GITGUARDIAN_API_KEY="op://Infrastructure/gitguardian/credentials/token"
+export OP_SERVICE_ACCOUNT_TOKEN="$(op read 'op://Infrastructure/Service Account Auth Token - GitHub Actions RO/credential')"
 source $(expand_path ./.config.env)
@@ -25,10 +25,6 @@ permissions:
   pull-requests: write
   issues: read
 
-env:
-  CDKTF_VERSION: 0.14.3
-  TERRAFORM_VERSION: 1.3.5
-
 jobs:
   terraform:
     name: "Terraform CDK CICD"
@@ -54,7 +50,6 @@ jobs:
       - name: Install Terraform
         uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36 # v3
         with:
-          terraform_version: ${{ env.TERRAFORM_VERSION }}
           terraform_wrapper: false
           cli_config_credentials_token: ${{ steps.fetch-terraform-cloud-token.outputs.TERRAFORM_CLOUD_TOKEN }}
       # Fetch the node version from the .nvmrc file
@@ -79,8 +74,6 @@ jobs:
           yarn install --frozen-lockfile --immutable
       - name: Generate module and provider bindings
         working-directory: ./cdktf
-        env:
-          TERRAFORM_CLOUD_TOKEN: ${{ steps.fetch-terraform-cloud-token.outputs.TERRAFORM_CLOUD_TOKEN }}
         run: yarn get
       - name: Determine mode
         id: determine-mode
@@ -101,14 +94,11 @@ jobs:
         uses: hashicorp/terraform-cdk-action@7a6efa0bdbd9e966036d1bf84385042d3a8fc272 # v1.0.2
         id: terraform-cdk
         with:
-          terraformVersion: ${{ env.TERRAFORM_VERSION }}
-          cdktfVersion: ${{ env.CDKTF_VERSION }}
           workingDirectory: ./cdktf
           stackName: cdktf
           mode: ${{ steps.determine-mode.outputs.mode }}
           githubToken: ${{ secrets.GITHUB_TOKEN }}
-        env:
-          TERRAFORM_CLOUD_TOKEN: ${{ steps.fetch-terraform-cloud-token.outputs.TERRAFORM_CLOUD_TOKEN }}
+          terraformCloudToken: ${{ steps.fetch-terraform-cloud-token.outputs.TERRAFORM_CLOUD_TOKEN }}
       - name: Store generated CDKTF
         uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4
         # Only store the CDKTF output if the Terraform CDK step ran

@@ -9,3 +9,4 @@ cdktf.log
 tsconfig.tsbuildinfo
 !jest.config.js
 !setup.js
+!secrets.ts
@@ -3,7 +3,11 @@
   "app": "npx ts-node main.ts",
   "projectId": "ws-V5gxjePJpgWgsGj6",
   "sendCrashReports": "false",
-  "terraformProviders": ["oracle/oci", "tailscale/tailscale"],
+  "terraformProviders": [
+    "oracle/oci",
+    "tailscale/tailscale",
+    "1Password/onepassword@1.4.1-beta01"
+  ],
   "terraformModules": ["oracle-terraform-modules/vcn/oci"],
   "context": {
     "excludeStackIdFromLogicalIds": "true",

@@ -9,6 +9,7 @@ import * as tailscale from "./.gen/providers/tailscale"
 import { Construct } from "constructs"
 import { App, TerraformStack, TerraformVariable, VariableType } from "cdktf"
 import { OCIConfig } from "./oci/main"
+import { Secrets } from "./secrets"
 
 require("json5/lib/register") // eslint-disable-line no-eval
 
@@ -22,6 +23,8 @@ class InfrastructureStack extends TerraformStack {
       workspaces: new cdktf.NamedCloudWorkspace("infrastructure"),
     })
 
+    new Secrets(this, name, {})
+
     // Terraform Vars
     const cfAccountId = new TerraformVariable(this, "cf_account_id", {
       description: "The Cloudflare UUID for the Account the Zone lives in.",
@@ -123,6 +126,8 @@ class InfrastructureStack extends TerraformStack {
       default: {},
     })
 
+    return
+
     // Read infrastructure config from local file
     const ociConfig: Map<string, OCIConfig> = require(path.join(
       __dirname,

@@ -23,9 +23,11 @@
   },
   "dependencies": {
     "@cdktf/provider-cloudflare": "^10.0.0",
+    "@cdktf/provider-null": "^9.0.1",
     "@cdktf/provider-random": "^10.0.0",
     "@cdktf/provider-template": "^9.0.0",
     "cdktf": "^0.19.0",
+    "cdktf-local-exec": "^0.4.13",
     "constructs": "^10.1.136",
     "json5": "^2.2.3"
   },

@@ -0,0 +1,82 @@
+import * as onepassword from "./.gen/providers/onepassword"
+import * as localExec from "cdktf-local-exec";
+import * as cdktf from "cdktf";
+
+import { Construct } from "constructs";
+
+function Setup1Password(scope: Construct) {
+  const arch = "amd64"
+
+  // Fetch 1Password CLI version with typescript
+  const version = fetch("https://app-updates.agilebits.com/check/1/0/CLI2/en/2.0.0/N").then((response) => {
+    // Parse version from response as JSON
+    return response.json().then((json: any) => {
+      // Check if version is available
+      if (!json["version"]) {
+        throw new Error("No version found");
+      }
+
+      // Return version
+      return json["version"];
+    });
+  });
+
+  const command = `curl -sSfo op.zip "https://cache.agilebits.com/dist/1P/op2/pkg/v${version}/op_linux_${arch}_v${version}.zip" && unzip -od /usr/local/bin/ op.zip && rm op.zip`
+
+  // const opPath = "tools/op"
+  const install = new localExec.LocalExec(scope, "1password-install", {
+    cwd: ".",
+    command: command,
+  });
+
+  return {
+    path: '/usr/local/bin/op',
+    install: install
+  }
+}
+
+export interface SecretsConfig {
+}
+
+export class Secrets extends Construct {
+  constructor(scope: Construct, name: string, _: SecretsConfig) {
+    super(scope, name)
+
+    // Initialize local-exec provider
+    new localExec.Provider(this, "local-exec");
+
+    // Setup 1Password
+    const setup = Setup1Password(this)
+
+    new cdktf.TerraformOutput(this, "op-path", {
+      value: setup.path,
+    });
+
+    return;
+
+    // Initialize 1Password provider
+    new onepassword.provider.OnepasswordProvider(this, "onepassword", {
+      serviceAccountToken: process.env.OP_SERVICE_ACCOUNT_TOKEN,
+      opCliPath: cdktf.Fn.join("/", [setup.install.cwd, "op"]),
+    });
+
+    // Fetch the 1Password Infrastructure vault
+    const vault = new onepassword.dataOnepasswordVault.DataOnepasswordVault(this, "vault", {
+      name: "Infrastructure",
+      provisioners: [
+        // setup.install,
+      ],
+    });
+
+    // Fetch the 1Password item for the Terraform login
+    const item = new onepassword.dataOnepasswordItem.DataOnepasswordItem(this, "item", {
+      vault: vault.id,
+      title: "terraform",
+    });
+
+    // Create output for the result
+    new cdktf.TerraformOutput(this, "item-output", {
+      value: item.title,
+    });
+  }
+}
@@ -24,19 +24,19 @@
   integrity sha512-uU27kfDRlhfKl+w1U6vp16IuvSLtjAxdArVXPa9BvLkrr7CYIsxH5adpHObeAGY/41+syctUWOZ140a2Rvkgjw==
 
 "@babel/core@^7.11.6", "@babel/core@^7.12.3":
-  version "7.23.6"
-  resolved "https://registry.yarnpkg.com/@babel/core/-/core-7.23.6.tgz#8be77cd77c55baadcc1eae1c33df90ab6d2151d4"
-  integrity sha512-FxpRyGjrMJXh7X3wGLGhNDCRiwpWEF74sKjTLDJSG5Kyvow3QZaG0Adbqzi9ZrVjTWpsX+2cxWXD71NMg93kdw==
+  version "7.23.7"
+  resolved "https://registry.yarnpkg.com/@babel/core/-/core-7.23.7.tgz#4d8016e06a14b5f92530a13ed0561730b5c6483f"
+  integrity sha512-+UpDgowcmqe36d4NwqvKsyPMlOLNGMsfMmQ5WGCu+siCe3t3dfe9njrzGfdN4qq+bcNUt0+Vw6haRxBOycs4dw==
   dependencies:
     "@ampproject/remapping" "^2.2.0"
     "@babel/code-frame" "^7.23.5"
     "@babel/generator" "^7.23.6"
     "@babel/helper-compilation-targets" "^7.23.6"
     "@babel/helper-module-transforms" "^7.23.3"
-    "@babel/helpers" "^7.23.6"
+    "@babel/helpers" "^7.23.7"
     "@babel/parser" "^7.23.6"
     "@babel/template" "^7.22.15"
-    "@babel/traverse" "^7.23.6"
+    "@babel/traverse" "^7.23.7"
     "@babel/types" "^7.23.6"
     convert-source-map "^2.0.0"
     debug "^4.1.0"
@@ -137,13 +137,13 @@
   resolved "https://registry.yarnpkg.com/@babel/helper-validator-option/-/helper-validator-option-7.23.5.tgz#907a3fbd4523426285365d1206c423c4c5520307"
   integrity sha512-85ttAOMLsr53VgXkTbkx8oA6YTfT4q7/HzXSLEYmjcSTJPMPQtvq1BD79Byep5xMUYbGRzEpDsjUf3dyp54IKw==
 
-"@babel/helpers@^7.23.6":
-  version "7.23.6"
-  resolved "https://registry.yarnpkg.com/@babel/helpers/-/helpers-7.23.6.tgz#d03af2ee5fb34691eec0cda90f5ecbb4d4da145a"
-  integrity sha512-wCfsbN4nBidDRhpDhvcKlzHWCTlgJYUUdSJfzXb2NuBssDSIjc3xcb+znA7l+zYsFljAcGM0aFkN40cR3lXiGA==
+"@babel/helpers@^7.23.7":
+  version "7.23.7"
+  resolved "https://registry.yarnpkg.com/@babel/helpers/-/helpers-7.23.7.tgz#eb543c36f81da2873e47b76ee032343ac83bba60"
+  integrity sha512-6AMnjCoC8wjqBzDHkuqpa7jAKwvMo4dC+lr/TFBz+ucfulO1XMpDnwWPGBNwClOKZ8h6xn5N81W/R5OrcKtCbQ==
   dependencies:
     "@babel/template" "^7.22.15"
-    "@babel/traverse" "^7.23.6"
+    "@babel/traverse" "^7.23.7"
     "@babel/types" "^7.23.6"
 
 "@babel/highlight@^7.23.4":
@@ -267,10 +267,10 @@
     "@babel/parser" "^7.22.15"
     "@babel/types" "^7.22.15"
 
-"@babel/traverse@^7.23.6":
-  version "7.23.6"
-  resolved "https://registry.yarnpkg.com/@babel/traverse/-/traverse-7.23.6.tgz#b53526a2367a0dd6edc423637f3d2d0f2521abc5"
-  integrity sha512-czastdK1e8YByZqezMPFiZ8ahwVMh/ESl9vPgvgdB9AmFMGP5jfpFax74AQgl5zj4XHzqeYAg2l8PuUeRS1MgQ==
+"@babel/traverse@^7.23.7":
+  version "7.23.7"
+  resolved "https://registry.yarnpkg.com/@babel/traverse/-/traverse-7.23.7.tgz#9a7bf285c928cb99b5ead19c3b1ce5b310c9c305"
+  integrity sha512-tY3mM8rH9jM0YHFGyfC0/xf+SB5eKUu7HPj7/k3fpi9dAlsMc5YbQvDi0Sh2QTPXqMhyaAtzAr807TIyfQrmyg==
   dependencies:
     "@babel/code-frame" "^7.23.5"
     "@babel/generator" "^7.23.6"
@@ -406,9 +406,9 @@
     prebuild-install "^7.1.1"
 
 "@cdktf/provider-cloudflare@^10.0.0":
-  version "10.0.4"
-  resolved "https://registry.yarnpkg.com/@cdktf/provider-cloudflare/-/provider-cloudflare-10.0.4.tgz#f285e5f7431ad8b47d5f71b88ee2f2289795774f"
-  integrity sha512-GrgwNUk2BHkOWZEMzyp9Bu4gWgrvs3HbEJrXKhFTDvt7Af74Y/FpZxd6IzIE7qk0CV2eqpBpKeqA92AM47pAVQ==
+  version "10.1.0"
+  resolved "https://registry.yarnpkg.com/@cdktf/provider-cloudflare/-/provider-cloudflare-10.1.0.tgz#28c850e031f51de889274b51096e44d14cca0316"
+  integrity sha512-f9fXmH8Z9SK5hdP14FeYw5MMrU1PhlCexC1KDY+PATLyssu2KgqN5kFAnkeQZtFTGGz2QY9X5GD0/ruDWlWgoQ==
 
 "@cdktf/provider-generator@0.19.2":
   version "0.19.2"
@@ -424,6 +424,11 @@
     fs-extra "^8.1.0"
     jsii-srcmak "^0.1.954"
 
+"@cdktf/provider-null@^9.0.1":
+  version "9.0.1"
+  resolved "https://registry.yarnpkg.com/@cdktf/provider-null/-/provider-null-9.0.1.tgz#fd54f09fdbfd6994fb253ed672526a6a8e7909f0"
+  integrity sha512-unmz1i944Y0gIavZTYl54jZBXQh95i21SStCRqRfiFyrsc88aw665HJt1G69uQXK3VtPuwjFSSVsG9UMRmZh6A==
+
 "@cdktf/provider-random@^10.0.0":
   version "10.0.1"
   resolved "https://registry.yarnpkg.com/@cdktf/provider-random/-/provider-random-10.0.1.tgz#1b8f448a0b3a3f019f0becb01b80128d805ab487"
@@ -1050,9 +1055,9 @@
     "@types/node" "*"
 
 "@types/node@*", "@types/node@^20.4.0", "@types/node@^20.4.2", "@types/node@^20.9.0":
-  version "20.10.5"
-  resolved "https://registry.yarnpkg.com/@types/node/-/node-20.10.5.tgz#47ad460b514096b7ed63a1dae26fad0914ed3ab2"
-  integrity sha512-nNPsNE65wjMxEKI93yOP+NPGGBJz/PoN3kZsVLee0XMiJolxSekEVD8wRwBUBqkwc7UWop0edW50yrCQW4CyRw==
+  version "20.10.6"
+  resolved "https://registry.yarnpkg.com/@types/node/-/node-20.10.6.tgz#a3ec84c22965802bf763da55b2394424f22bfbb5"
+  integrity sha512-Vac8H+NlRNNlAmDfGUP7b5h/KA+AtWIzuXy0E6OyP8f1tCLYAtPvKRRDJjAPqhpCb0t6U2j7/xqAuLEebW2kiw==
   dependencies:
     undici-types "~5.26.4"
 
@@ -1108,9 +1113,9 @@ acorn-walk@^8.1.1:
   integrity sha512-TgUZgYvqZprrl7YldZNoa9OciCAyZR+Ejm9eXzKCmjsF5IKp/wgQ7Z/ZpjpGTIUPwrHQIcYeI8qDh4PsEwxMbw==
 
 acorn@^8.4.1:
-  version "8.11.2"
-  resolved "https://registry.yarnpkg.com/acorn/-/acorn-8.11.2.tgz#ca0d78b51895be5390a5903c5b3bdcdaf78ae40b"
-  integrity sha512-nc0Axzp/0FILLEVsm4fNwLCwMttvhEI263QtVPQcbpfZZ3ts0hLsZGOpE6czNlid7CJ9MlyH8reXkpsf3YUY4w==
+  version "8.11.3"
+  resolved "https://registry.yarnpkg.com/acorn/-/acorn-8.11.3.tgz#71e0b14e13a4ec160724b38fb7b0f233b1b81d7a"
+  integrity sha512-Y9rRfJG5jcKOE0CLisYbojUjIrIEE7AGMzA/Sm4BslANhbS+cDMpgBdcPT91oJ7OuJ9hYJBx59RjbhxVnrF8Xg==
 
 address@^1.0.1:
   version "1.2.2"
@@ -1451,9 +1456,9 @@ camelcase@^6.2.0, camelcase@^6.3.0:
   integrity sha512-Gmy6FhYlCY7uOElZUSbxo2UCDH8owEk996gkbrpsgGtrJLM3J7jGxl9Ic7Qwwj4ivOE5AWZWRMecDdF7hqGjFA==
 
 caniuse-lite@^1.0.30001565:
-  version "1.0.30001571"
-  resolved "https://registry.yarnpkg.com/caniuse-lite/-/caniuse-lite-1.0.30001571.tgz#4182e93d696ff42930f4af7eba515ddeb57917ac"
-  integrity sha512-tYq/6MoXhdezDLFZuCO/TKboTzuQ/xR5cFdgXPfDtM7/kchBO3b4VWghE/OAi/DV7tTdhmLjZiZBZi1fA/GheQ==
+  version "1.0.30001572"
+  resolved "https://registry.yarnpkg.com/caniuse-lite/-/caniuse-lite-1.0.30001572.tgz#1ccf7dc92d2ee2f92ed3a54e11b7b4a3041acfa0"
+  integrity sha512-1Pbh5FLmn5y4+QhNyJE9j3/7dK44dGB83/ZMjv/qJk86TvDbjk0LosiZo0i0WB0Vx607qMX9jYrn1VLHCkN4rw==
 
 case@^1.6.3:
   version "1.6.3"
@@ -1491,6 +1496,11 @@ cdktf-cli@^0.19.0:
     yoga-layout-prebuilt "^1.10.0"
     zod "^3.22.4"
 
+cdktf-local-exec@^0.4.13:
+  version "0.4.13"
+  resolved "https://registry.yarnpkg.com/cdktf-local-exec/-/cdktf-local-exec-0.4.13.tgz#1c7adf374afbd5b4a5edd3169fdfdc2cd672eb36"
+  integrity sha512-lRFDotoy29k7BhPMbpTHdoM7tGa8yjtD0C4x06Af80VMJ+AFDOJ1+Xa0ZQARiDrlSm914VgwJvqjSbMZbLJnfA==
+
 cdktf@0.19.2, cdktf@^0.19.0:
   version "0.19.2"
   resolved "https://registry.yarnpkg.com/cdktf/-/cdktf-0.19.2.tgz#c93b794a9c8ac6b4e50bc24e80d06d84089a8766"
@@ -4473,9 +4483,9 @@ typescript@^5.0.0, typescript@~5.3:
   integrity sha512-pXWcraxM0uxAS+tN0AG/BF2TyqmHO014Z070UsJ+pFvYuRSq8KH8DmWpnbXe0pEPDHXZV3FcAbJkijJ5oNEnWw==
 
 typescript@next:
-  version "5.4.0-dev.20231224"
-  resolved "https://registry.yarnpkg.com/typescript/-/typescript-5.4.0-dev.20231224.tgz#92bdc3844e2480bacd20dcc4bd04360c7069b995"
-  integrity sha512-FbcuMRM2iUkY4cxHsHAGWm40kQ2fwkqmLNciqrzfBMEnuLN88t3iTEJhOAxJjVOl8LY58odFb0crTILOB/VtCw==
+  version "5.4.0-dev.20231229"
+  resolved "https://registry.yarnpkg.com/typescript/-/typescript-5.4.0-dev.20231229.tgz#235ab24e925c13f1dfbe513ab2cbdda64e55491d"
+  integrity sha512-XFSQ1IdxXaQOAwS8Jz6uSrms9jVnbwLdqnmiaBIW+xJQL/09S4cp5h+0PhawoxcBAK+gtffIIS5/qU2oioAjgA==
 
 typescript@~3.9.10:
   version "3.9.10"