diff --git a/README.md b/README.md
index 4d82626d..85809af8 100644
--- a/README.md
+++ b/README.md
@@ -29,6 +29,12 @@ Git repository.
 - `POLL_INTERVAL_SECONDS` - (int) (default: `5`) Number of seconds to wait between each check for new commits to the repo
 - `REPO_PATH_FILTERS` - (string) (default: `""`) A comma separated list of sub directories to be applied. Supports [shell file name patterns](https://golang.org/pkg/path/filepath/#Match).
 
+#### Variables used by terraform resources
+
+You can also provide environment variables for use by terraform providers (such as AWS_ACCESS_KEY_ID) or variables for use in your
+code (TF_VAR_your_variable_name). This is useful for providing sensitive values that you don't want to save in version control or
+variables that are only available in your Kube environment
+
 ## Monitoring
 
 ### Metrics
diff --git a/manifests/base/terraform-applier.yaml b/manifests/base/terraform-applier.yaml
index e69b8f7d..25aaeac5 100644
--- a/manifests/base/terraform-applier.yaml
+++ b/manifests/base/terraform-applier.yaml
@@ -1,9 +1,4 @@
 apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: terraform-applier
----
-apiVersion: v1
 kind: Service
 metadata:
   annotations:
@@ -36,7 +31,6 @@ spec:
       labels:
         app: terraform-applier
     spec:
-      serviceAccountName: terraform-applier
       containers:
       - name: git-sync
         image: k8s.gcr.io/git-sync:v3.1.2
@@ -64,7 +58,6 @@ spec:
             memory: 512Mi
       - name: terraform-applier
         image: quay.io/utilitywarehouse/terraform-applier:0.1.0
-        env:
         volumeMounts:
         - name: git-repo
           mountPath: /src
@@ -83,5 +76,5 @@ spec:
         emptyDir: {}
       - name: git-secret
         secret:
-          secretName: ssh
+          secretName: git-sync
           defaultMode: 0440
diff --git a/manifests/example/kustomization.yaml b/manifests/example/kustomization.yaml
index d8ed5098..3de51411 100644
--- a/manifests/example/kustomization.yaml
+++ b/manifests/example/kustomization.yaml
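Review bot: Removing the ServiceAccount in the `@@ -1,9 +1,4 @@` hunk and the `serviceAccountName: terraform-applier` line in the `@@ -36,7 +31,6 @@` hunk leaves the Deployment running under the namespace's `default` service account, whose token Kubernetes mounts into the pod automatically unless that is disabled. A pod that holds cloud provider credentials and runs terraform is a poor place for an unintended cluster identity, and whatever RBAC the `default` account happens to have in a given namespace now applies to it. Unless the example overlay is meant to supply its own account (nothing in this diff does), keep a dedicated account with no bindings or add `automountServiceAccountToken: false` to the pod spec next to `containers:`. The Deployment's pod spec continues outside these hunks.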
@@ -8,14 +8,16 @@ resources:
 patchesStrategicMerge:
 - terraform-applier-patch.yaml
 secretGenerator:
-  # aws secret access key
-  - name: aws
+  # Needed by git-sync to clone repositories
+  - name: git-sync
     type: Opaque
     files:
-    - aws-secret-access-key=secrets/aws-secret-access-key
-  # ssh key to clone the "root" terraform modules repository, used by git-sync
-  - name: ssh
+    - ssh=secrets/git-sync-ssh-key
+    - known_hosts=resources/git-sync-known_hosts
+  # Used by terraform-applier. Will differ based on terraform resources being applied
+  # Example for the AWS provider and for a custom resource secret
+  - name: terraform-applier
     type: Opaque
     files:
-    - ssh=secrets/ssh
-    - known_hosts=resources/known_hosts
+    - terraform-aws-provider-secret=secrets/terraform-applier-terraform-aws-provider-secret
+    - example-app-s3-reader-secret=secrets/terraform-applier-example-app-s3-reader-secret
diff --git a/manifests/example/resources/known_hosts b/manifests/example/resources/git-sync-known_hosts
similarity index 100%
rename from manifests/example/resources/known_hosts
rename to manifests/example/resources/git-sync-known_hosts
diff --git a/manifests/example/secrets/ssh b/manifests/example/secrets/git-sync-ssh-key
similarity index 100%
rename from manifests/example/secrets/ssh
rename to manifests/example/secrets/git-sync-ssh-key
diff --git a/manifests/example/secrets/aws-secret-access-key b/manifests/example/secrets/terraform-applier-example-app-s3-reader-secret
similarity index 100%
rename from manifests/example/secrets/aws-secret-access-key
rename to manifests/example/secrets/terraform-applier-example-app-s3-reader-secret
diff --git a/manifests/example/secrets/terraform-applier-terraform-aws-provider-secret b/manifests/example/secrets/terraform-applier-terraform-aws-provider-secret
new file mode 100644
index 00000000..a3ea2516
--- /dev/null
+++ b/manifests/example/secrets/terraform-applier-terraform-aws-provider-secret
@@ -0,0 +1 @@
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
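Review bot: The `terraform-applier` secretGenerator reads provider credentials from files committed under `secrets/` (the new `terraform-applier-terraform-aws-provider-secret` file in this same diff holds a placeholder), while the README change in this commit tells users not to keep such values in version control. Nothing in the hunk tells someone copying the example that these files are placeholders to be replaced from outside the repository, so the natural next step is to commit real values in their place. I would say so in the comment above the generator, e.g. `# Placeholder files: populate secrets/ from your secret store at build time; never commit real values`, and confirm the repository ignores real files in that directory. The same applies to `secrets/git-sync-ssh-key` referenced by the `git-sync` generator.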
diff --git a/manifests/example/terraform-applier-patch.yaml b/manifests/example/terraform-applier-patch.yaml
index 52e849ec..fa57d158 100644
--- a/manifests/example/terraform-applier-patch.yaml
+++ b/manifests/example/terraform-applier-patch.yaml
@@ -6,24 +6,36 @@ spec:
   template:
     spec:
       containers:
+      - name: git-sync
+        env:
+        - name: GIT_SYNC_REPO
+          value: "git@github.com:org/repo.git"
       - name: terraform-applier
         env:
-        # AWS credentials for use by an S3 backend/AWS provider. Substitute the configuration for your particular
-        # backends and providers.
-        - name: AWS_ACCESS_KEY_ID
-          value: AAAAAAAAAAAAAAAAAAAA
-        - name: AWS_SECRET_ACCESS_KEY
-          valueFrom:
-            secretKeyRef:
-              name: aws
-              key: aws-secret-access-key
+        # terraform-applier vars
         - name: REPO_PATH
           value: "/src/modules/example-env"
         - name: REPO_PATH_FILTERS
           value: "my-module-1,my-module-2,env-*"
         - name: DIFF_URL_FORMAT
           value: "https://github.com/org/repo/commit/%s"
-      - name: git-sync
-        env:
-        - name: GIT_SYNC_REPO
-          value: "git@github.com:org/repo.git"
+        #
+        # Variables from now depend on what terraform providers and resources you use
+        # Substitute above configuration for your particular needs
+        #
+        # terraform-provider-aws vars
+        - name: AWS_ACCESS_KEY_ID
+          value: "AAAAAAAAAAAAAAAAAAAA"
+        - name: AWS_SECRET_ACCESS_KEY
+          valueFrom:
+            secretKeyRef:
+              name: terraform-applier
+              key: terraform-aws-provider-secret
+        # custom terraform resources vars
+        - name: TF_VAR_s3_reader_access_key_id
+          value: "AAAAAAAAAAAAAAAAAAAA"
+        - name: TF_VAR_s3_reader_secret_access_key
+          valueFrom:
+            secretKeyRef:
+              name: terraform-applier
+              key: example-app-s3-reader-secret
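Review bot: The new comment block in the terraform-applier env list, `# Variables from now depend on what terraform providers and resources you use` / `# Substitute above configuration for your particular needs`, describes the entries that follow it, so "above" points the wrong way and "from now" reads awkwardly. I would replace those two lines with `# The variables below depend on which terraform providers and resources you use;` and `# substitute them for your own providers and resources.` and drop the bare `#` lines around them. The `AWS_ACCESS_KEY_ID` and `TF_VAR_s3_reader_access_key_id` entries are inline `value:` placeholders while their secret counterparts come from `secretKeyRef`, which is a sensible split for a key ID, but a short comment stating that the inline values are placeholders to be replaced would spare the next reader the guess. The enclosing Deployment patch begins before this hunk.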