ci: map more secrets

jedwards1230 · Dec 18, 2023 · cf7c1f0 · cf7c1f0
1 parent ee5ccb9
commit cf7c1f0
Show file tree

Hide file tree

Showing 13 changed files with 142 additions and 116 deletions.
diff --git a/terraform/dev/main.tf b/terraform/dev/main.tf
@@ -14,4 +14,17 @@ module "infra" {
   stage        = var.stage
   project-name = var.project-name
   region       = var.region
+  domain_name  = var.domain_name
+
+  nextauth_url         = var.nextauth_url
+  nextauth_secret      = var.nextauth_secret
+  next_public_url      = var.next_public_url
+  plausible_api_key    = var.plausible_api_key
+  database_url         = var.database_url
+  direct_url           = var.direct_url
+  edge_config          = var.edge_config
+  admin_email          = var.admin_email
+  github_client_id     = var.github_client_id
+  github_client_secret = var.github_client_secret
+  openai_api_key       = var.openai_api_key
 }
diff --git a/terraform/dev/terraform.tfvars.example b/terraform/dev/terraform.tfvars.example
@@ -1,3 +1,15 @@
 project-name = ""
 stage = ""
-region = ""
+region = ""
+domain_name = ""
+nextauth_url         = ""
+nextauth_secret      = ""
+next_public_url      = ""
+plausible_api_key    = ""
+database_url         = ""
+direct_url           = ""
+edge_config          = ""
+admin_email          = ""
+github_client_id     = ""
+github_client_secret = ""
+openai_api_key       = ""
diff --git a/terraform/dev/variables.tf b/terraform/dev/variables.tf
@@ -1,14 +1,17 @@
-variable "project-name" {
-  description = "Project name"
-  default     = "personal-website"
-}
+variable "project-name" { description = "Project name" }
+variable "stage" { description = "Stage (dev, prod)" }
+variable "region" { description = "AWS region" }
+variable "domain_name" { description = "Domain name" }
 
-variable "stage" {
-  description = "Stage (dev, prod)"
-  default     = "dev"
-}
-
-variable "region" {
-  description = "AWS region"
-  default     = "us-east-1"
-}
+/* Secrets */
+variable "nextauth_url" { description = "NEXTAUTH_URL" }
+variable "nextauth_secret" { description = "NEXTAUTH_SECRET" }
+variable "next_public_url" { description = "NEXT_PUBLIC_URL" }
+variable "plausible_api_key" { description = "PLAUSIBLE_API_KEY" }
+variable "database_url" { description = "DATABASE_URL" }
+variable "direct_url" { description = "DIRECT_URL" }
+variable "edge_config" { description = "EDGE_CONFIG" }
+variable "admin_email" { description = "ADMIN_EMAIL" }
+variable "github_client_id" { description = "GITHUB_CLIENT_ID" }
+variable "github_client_secret" { description = "GITHUB_CLIENT_SECRET" }
+variable "openai_api_key" { description = "OPENAI_API_KEY" }
diff --git a/terraform/init-state/main.tf b/terraform/init-state/main.tf
@@ -24,7 +24,7 @@ resource "aws_resourcegroups_group" "resource_group" {
       TagFilters = [
         {
           Key    = "awsApplication"
-          Values = [var.common_tags["awsApplication"]]
+          Values = [local.common_tags["awsApplication"]]
         }
       ]
     })
@@ -40,12 +40,12 @@ resource "aws_resourcegroups_group" "resource_group" {
 # manage DNS records for the domain.
 resource "aws_route53_zone" "main" {
   name = var.domain_name
-  tags = var.common_tags
+  tags = local.common_tags
 }
 
 resource "aws_s3_bucket" "terraform_state" {
   bucket = local.bucket_name
-  tags   = var.common_tags
+  tags   = local.common_tags
 
   lifecycle {
     prevent_destroy = true
@@ -63,7 +63,7 @@ resource "aws_dynamodb_table" "terraform_locks" {
   name         = local.dynamodb_table_name
   billing_mode = "PAY_PER_REQUEST"
   hash_key     = "LockID"
-  tags         = var.common_tags
+  tags         = local.common_tags
 
   attribute {
     name = "LockID"

diff --git a/terraform/init-state/variables.tf b/terraform/init-state/variables.tf
@@ -1,27 +1,12 @@
-variable "common_tags" {
-  description = "Common tags to be applied to all resources"
-  type        = map(string)
-  default = {
-    awsApplication = "personal-website"
-  }
-}
-
-variable "project-name" {
-  description = "Project name"
-  default     = "personal-website"
-}
-
-variable "region" {
-  description = "AWS region"
-  default     = "us-east-1"
-}
-
-variable "domain_name" {
-  description = "Domain name"
-  default     = "example.com"
-}
+variable "project-name" { description = "Project name" }
+variable "region" { description = "AWS region" }
+variable "domain_name" { description = "Domain name" }
 
 locals {
   bucket_name         = "${var.project-name}-${data.aws_caller_identity.current.account_id}-terraform-state"
   dynamodb_table_name = "${var.project-name}-terraform-locks"
+
+  common_tags = {
+    awsApplication = var.project-name
+  }
 }
diff --git a/terraform/manage.sh b/terraform/manage.sh
@@ -18,7 +18,8 @@ source .env
 check_infra() {
     if [ -d "$BASE_DIR/$1" ]; then
         cd "$BASE_DIR/$1"
-        if terraform state list > /dev/null 2>&1; then
+        local state_list=$(terraform state list)
+        if [ $? -eq 0 ] && [ ! -z "$state_list" ]; then
             echo "The infrastructure in the $1 directory is initialized."
             if [ "$1" = "init-state" ]; then
                 export S3_BUCKET_NAME=$(terraform output -raw s3_bucket_name)

diff --git a/terraform/prod/main.tf b/terraform/prod/main.tf
@@ -14,4 +14,17 @@ module "infra" {
   stage        = var.stage
   project-name = var.project-name
   region       = var.region
+  domain_name  = var.domain_name
+
+  nextauth_url         = var.nextauth_url
+  nextauth_secret      = var.nextauth_secret
+  next_public_url      = var.next_public_url
+  plausible_api_key    = var.plausible_api_key
+  database_url         = var.database_url
+  direct_url           = var.direct_url
+  edge_config          = var.edge_config
+  admin_email          = var.admin_email
+  github_client_id     = var.github_client_id
+  github_client_secret = var.github_client_secret
+  openai_api_key       = var.openai_api_key
 }
diff --git a/terraform/prod/terraform.tfvars.example b/terraform/prod/terraform.tfvars.example
@@ -1,3 +1,15 @@
 project-name = ""
 stage = ""
-region = ""
+region = ""
+domain_name = ""
+nextauth_url         = ""
+nextauth_secret      = ""
+next_public_url      = ""
+plausible_api_key    = ""
+database_url         = ""
+direct_url           = ""
+edge_config          = ""
+admin_email          = ""
+github_client_id     = ""
+github_client_secret = ""
+openai_api_key       = ""
diff --git a/terraform/prod/variables.tf b/terraform/prod/variables.tf
@@ -1,14 +1,17 @@
-variable "project-name" {
-  description = "Project name"
-  default     = "personal-website"
-}
+variable "project-name" { description = "Project name" }
+variable "stage" { description = "Stage (dev, prod)" }
+variable "region" { description = "AWS region" }
+variable "domain_name" { description = "Domain name" }
 
-variable "stage" {
-  description = "Stage (dev, prod)"
-  default     = "dev"
-}
-
-variable "region" {
-  description = "AWS region"
-  default     = "us-east-1"
-}
+/* Secrets */
+variable "nextauth_url" { description = "NEXTAUTH_URL" }
+variable "nextauth_secret" { description = "NEXTAUTH_SECRET" }
+variable "next_public_url" { description = "NEXT_PUBLIC_URL" }
+variable "plausible_api_key" { description = "PLAUSIBLE_API_KEY" }
+variable "database_url" { description = "DATABASE_URL" }
+variable "direct_url" { description = "DIRECT_URL" }
+variable "edge_config" { description = "EDGE_CONFIG" }
+variable "admin_email" { description = "ADMIN_EMAIL" }
+variable "github_client_id" { description = "GITHUB_CLIENT_ID" }
+variable "github_client_secret" { description = "GITHUB_CLIENT_SECRET" }
+variable "openai_api_key" { description = "OPENAI_API_KEY" }
diff --git a/terraform/shared/main.tf b/terraform/shared/main.tf
@@ -5,7 +5,7 @@ provider "aws" {
 # Build Resource Group
 # Creates an AWS Resource Group to organize and manage AWS resources based on specific criteria, such as tags.
 resource "aws_resourcegroups_group" "resource_group" {
-  name = "${var.project-name}-${var.stage}"
+  name = local.name
 
   resource_query {
     query = jsonencode({
@@ -20,12 +20,12 @@ resource "aws_resourcegroups_group" "resource_group" {
   }
 
   tags = {
-    awsApplication = "${var.project-name}"
+    awsApplication = var.project-name
   }
 }
 
 resource "aws_iam_policy" "secrets_access" {
-  name        = "secrets_access"
+  name        = "${local.name}-secrets-access"
   description = "Allow ECS tasks to access secrets"
   tags        = local.common_tags
 
@@ -59,132 +59,132 @@ resource "aws_iam_policy" "secrets_access" {
 # Create Secrets Manager
 # NEXTAUTH_URL
 resource "aws_secretsmanager_secret" "nextauth_url" {
-  name        = "${var.project-name}-${var.stage}-nextauth_url"
+  name        = "${local.name}-nextauth_url"
   description = "NEXTAUTH_URL for your application"
   tags        = local.common_tags
 }
 
 resource "aws_secretsmanager_secret_version" "nextauth_url_version" {
   secret_id     = aws_secretsmanager_secret.nextauth_url.id
-  secret_string = "http://localhost:3000"
+  secret_string = var.nextauth_url
 }
 
 # NEXTAUTH_SECRET
 resource "aws_secretsmanager_secret" "nextauth_secret" {
-  name        = "${var.project-name}-${var.stage}-nextauth_secret"
+  name        = "${local.name}-nextauth_secret"
   description = "NEXTAUTH_SECRET for your application"
   tags        = local.common_tags
 }
 
 resource "aws_secretsmanager_secret_version" "nextauth_secret_version" {
   secret_id     = aws_secretsmanager_secret.nextauth_secret.id
-  secret_string = "abc"
+  secret_string = var.nextauth_secret
 }
 
 # NEXT_PUBLIC_URL
 resource "aws_secretsmanager_secret" "next_public_url" {
-  name        = "${var.project-name}-${var.stage}-next_public_url"
+  name        = "${local.name}-next_public_url"
   description = "NEXT_PUBLIC_URL for your application"
   tags        = local.common_tags
 }
 
 resource "aws_secretsmanager_secret_version" "next_public_url_version" {
   secret_id     = aws_secretsmanager_secret.next_public_url.id
-  secret_string = "http://localhost:3000"
+  secret_string = var.next_public_url
 }
 
 # PLAUSIBLE_API_KEY
 resource "aws_secretsmanager_secret" "plausible_api_key" {
-  name        = "${var.project-name}-${var.stage}-plausible_api_key"
+  name        = "${local.name}-plausible_api_key"
   description = "PLAUSIBLE_API_KEY for your application"
   tags        = local.common_tags
 }
 
 resource "aws_secretsmanager_secret_version" "plausible_api_key_version" {
   secret_id     = aws_secretsmanager_secret.plausible_api_key.id
-  secret_string = "abc"
+  secret_string = var.plausible_api_key
 }
 
 # DATABASE_URL
 resource "aws_secretsmanager_secret" "database_url" {
-  name        = "${var.project-name}-${var.stage}-database_url"
+  name        = "${local.name}-database_url"
   description = "DATABASE_URL for your application"
   tags        = local.common_tags
 }
 
 resource "aws_secretsmanager_secret_version" "database_url_version" {
   secret_id     = aws_secretsmanager_secret.database_url.id
-  secret_string = "abc"
+  secret_string = var.database_url
 }
 
 # DIRECT_URL
 resource "aws_secretsmanager_secret" "direct_url" {
-  name        = "${var.project-name}-${var.stage}-direct_url"
+  name        = "${local.name}-direct_url"
   description = "DIRECT_URL for your application"
   tags        = local.common_tags
 }
 
 resource "aws_secretsmanager_secret_version" "direct_url_version" {
   secret_id     = aws_secretsmanager_secret.direct_url.id
-  secret_string = "abc"
+  secret_string = var.direct_url
 }
 
 # EDGE_CONFIG
 resource "aws_secretsmanager_secret" "edge_config" {
-  name        = "${var.project-name}-${var.stage}-edge_config"
+  name        = "${local.name}-edge_config"
   description = "EDGE_CONFIG for your application"
   tags        = local.common_tags
 }
 
 resource "aws_secretsmanager_secret_version" "edge_config_version" {
   secret_id     = aws_secretsmanager_secret.edge_config.id
-  secret_string = "abc"
+  secret_string = var.edge_config
 }
 
 # ADMIN_EMAIL
 resource "aws_secretsmanager_secret" "admin_email" {
-  name        = "${var.project-name}-${var.stage}-admin_email"
+  name        = "${local.name}-admin_email"
   description = "ADMIN_EMAIL for your application"
   tags        = local.common_tags
 }
 
 resource "aws_secretsmanager_secret_version" "admin_email_version" {
   secret_id     = aws_secretsmanager_secret.admin_email.id
-  secret_string = "abc"
+  secret_string = var.admin_email
 }
 
 # GITHUB_CLIENT_ID
 resource "aws_secretsmanager_secret" "github_client_id" {
-  name        = "${var.project-name}-${var.stage}-github_client_id"
+  name        = "${local.name}-github_client_id"
   description = "GITHUB_CLIENT_ID for your application"
   tags        = local.common_tags
 }
 
 resource "aws_secretsmanager_secret_version" "github_client_id_version" {
   secret_id     = aws_secretsmanager_secret.github_client_id.id
-  secret_string = "abc"
+  secret_string = var.github_client_id
 }
 
 # GITHUB_CLIENT_SECRET
 resource "aws_secretsmanager_secret" "github_client_secret" {
-  name        = "${var.project-name}-${var.stage}-github_client_secret"
+  name        = "${local.name}-github_client_secret"
   description = "GITHUB_CLIENT_SECRET for your application"
   tags        = local.common_tags
 }
 
 resource "aws_secretsmanager_secret_version" "github_client_secret_version" {
   secret_id     = aws_secretsmanager_secret.github_client_secret.id
-  secret_string = "abc"
+  secret_string = var.github_client_secret
 }
 
 # OPENAI_API_KEY
 resource "aws_secretsmanager_secret" "openai_api_key" {
-  name        = "${var.project-name}-${var.stage}-openai_api_key"
+  name        = "${local.name}-openai_api_key"
   description = "OPENAI_API_KEY for your application"
   tags        = local.common_tags
 }
 
 resource "aws_secretsmanager_secret_version" "openai_api_key_version" {
   secret_id     = aws_secretsmanager_secret.openai_api_key.id
-  secret_string = "abc"
+  secret_string = var.openai_api_key
 }