This describes the meta scope for running the condi.me github org itself. Once bootstrapped (i.e. the resources described here have been created by manually running terraform), terraform-plans can be used to manage resources with significantly fewer privileges.
PRs opened from branches in this repository trigger a terraform plan-only run as a GitHub Action. PRs merged to the production branch will trigger a full terraform apply run, with an approval step to verify that the plan is safe. The Terraform action can also be manually triggered at any time, based on a workflow_dispatch trigger.
Terraform 1.0 (or compatible) is needed. You can download a specific version from the terraform releases page.
To execute the binary, you will need a consul token (for terraform state) and access to clone and decrypt condime/secrets (for provider tokens).
For personal access tokens, secrets can be stored and sourced using pass.
$ pass edit condi.me/meta-terraform-plans
$ source <(pass condi.me/meta-terraform-plans)
For group shared access tokens, secrets can be stored using blackbox.
$ cd ~/src/condime/meta-terraform-plans
$ source <(blackbox_cat condi.me/meta-terraform-plans)
If you don't have passwordstore or blackbox installed, in a pinch you can use git and gpg directly to access the secrets.
With credentials now in the environment, you can init and plan the terraform runs.
$ cd ~/src/condime/meta-terraform-plans
$ terraform init
$ terraform plan -out=output.tfplan
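The local workflow above (load credentials, check the Terraform version, init, plan to a file) can be wrapped in a small script. The following is an added example and is not part of the meta-terraform-plans repository: it assumes the consul backend reads its token from CONSUL_HTTP_TOKEN (the variable the backend documents) and uses GITHUB_TOKEN as a stand-in for whatever provider token names condime/secrets actually exports; the secret-store paths are the ones given above.

```shell
#!/usr/bin/env sh
# Added example (not from the meta-terraform-plans repo): wrapper around the
# plan-only step described in the README.

# Return 0 when "$1" looks like a Terraform 1.x-or-newer version ("1.5.7").
tf_version_ok() {
  major=$(printf '%s' "$1" | sed 's/^v//' | cut -d. -f1)
  [ "$major" -ge 1 ] 2>/dev/null
}

# Pick a secrets backend: pass for personal tokens, blackbox for shared ones.
# Prints "pass", "blackbox" or "none".
secrets_backend() {
  if command -v pass >/dev/null 2>&1; then
    echo pass
  elif command -v blackbox_cat >/dev/null 2>&1; then
    echo blackbox
  else
    echo none
  fi
}

# Load secrets into the environment using whichever backend is available.
# The store path is the one used in the README.
load_secrets() {
  case "$(secrets_backend)" in
    pass)     eval "$(pass condi.me/meta-terraform-plans)" ;;
    blackbox) eval "$(blackbox_cat condi.me/meta-terraform-plans)" ;;
    none)     echo "install pass or blackbox, or decrypt with gpg manually" >&2; return 1 ;;
  esac
}

# Verify the variables a run needs are set, without echoing their values.
# Lists missing names on stderr and returns 1 if any are absent.
require_env() {
  missing=""
  for name in "$@"; do
    eval "val=\${$name:-}"
    [ -n "$val" ] || missing="$missing $name"
  done
  if [ -n "$missing" ]; then
    echo "missing environment variables:$missing" >&2
    return 1
  fi
  return 0
}

# Plan-only run: never applies, writes the plan to a file for review.
# GITHUB_TOKEN is an assumed provider token name (see lead-in).
run_plan() {
  tf_version_ok "$(terraform version -json | sed -n 's/.*"terraform_version": *"\([^"]*\)".*/\1/p')" \
    || { echo "Terraform 1.0 or compatible is required" >&2; return 1; }
  require_env CONSUL_HTTP_TOKEN GITHUB_TOKEN || return 1
  terraform init -input=false \
    && terraform plan -input=false -out=output.tfplan
}

# Usage (commented out so the file can be sourced without side effects):
#   cd ~/src/condime/meta-terraform-plans && load_secrets && run_plan
```

Because run_plan refuses to start when a required variable is missing, a stale shell that never sourced the secrets fails fast with the variable names rather than with a half-initialised backend, and the token values themselves are never printed.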
State is stored using the consul backend hosted at consul.condi.me; access is granted with the following Consul ACL policy.
key_prefix "condime/meta_terraform_state" {
  policy = "write"
}
session_prefix "" {
  policy = "write"
}