Add terraform/development for retrieving credentials for local development use

sample.env

@@ -1,6 +1,6 @@
 # STEPS TO SET UP
 #
-# 1. Pull down AWS creds from cloud.gov using `cf env`, then update AWS section
+# 1. Copy this file to `.env`
 #
 # 2. If trying to send data to New Relic in development (monitor_mode: true),
 #      pull down NEW_RELIC_LICENSE_KEY from cloud.gov using `cf env`, then update New Relic section
@@ -9,18 +9,12 @@
 #
 # 4. Comment out the other setup
 #
+# 5. Run `cd terraform/development; ./run.sh` to include service credentials in `.env`
 
 # ## REBUILD THE DEVCONTAINER WHEN YOU MODIFY .ENV ###
 
 #############################################################
 
-# AWS
-AWS_REGION=us-west-2
-AWS_ACCESS_KEY_ID="don't write secrets to the sample file"
-AWS_SECRET_ACCESS_KEY="don't write secrets to the sample file"
-
-#############################################################
-
 # Application
 NOTIFY_ENVIRONMENT=development
 FLASK_APP=application.py

terraform/development/main.tf

@@ -0,0 +1,74 @@
+locals {
+  cf_org_name      = "gsa-tts-benefits-studio-prototyping"
+  cf_space_name    = "notify-local-dev"
+  recursive_delete = true
+  key_name         = "${var.username}-admin-dev-key"
+}
+
+data "cloudfoundry_space" "dev" {
+  org_name = local.cf_org_name
+  name     = local.cf_space_name
+}
+
+module "logo_upload_bucket" {
+  source = "github.com/18f/terraform-cloudgov//s3?ref=v0.2.0"
+
+  cf_org_name      = local.cf_org_name
+  cf_space_name    = local.cf_space_name
+  recursive_delete = local.recursive_delete
+  name             = "${var.username}-logo-upload-bucket"
+}
+resource "cloudfoundry_service_key" "logo_key" {
+  name             = local.key_name
+  service_instance = module.logo_upload_bucket.bucket_id
+}
+
+data "cloudfoundry_service_instance" "csv_bucket" {
+  name_or_id = "${var.username}-csv-upload-bucket"
+  space      = data.cloudfoundry_space.dev.id
+}
+resource "cloudfoundry_service_key" "csv_key" {
+  name             = local.key_name
+  service_instance = data.cloudfoundry_service_instance.csv_bucket.id
+}
+
+data "cloudfoundry_service_instance" "contact_list_bucket" {
+  name_or_id = "${var.username}-contact-list-bucket"
+  space      = data.cloudfoundry_space.dev.id
+}
+resource "cloudfoundry_service_key" "contact_list_key" {
+  name             = local.key_name
+  service_instance = data.cloudfoundry_service_instance.contact_list_bucket.id
+}
+
+locals {
+  credentials = <<EOM
+
+#############################################################
+# CSV_UPLOAD_BUCKET
+CSV_BUCKET_NAME=${cloudfoundry_service_key.csv_key.credentials.bucket}
+CSV_AWS_ACCESS_KEY_ID=${cloudfoundry_service_key.csv_key.credentials.access_key_id}
+CSV_AWS_SECRET_ACCESS_KEY=${cloudfoundry_service_key.csv_key.credentials.secret_access_key}
+CSV_AWS_REGION=${cloudfoundry_service_key.csv_key.credentials.region}
+# CONTACT_LIST_BUCKET
+CONTACT_BUCKET_NAME=${cloudfoundry_service_key.contact_list_key.credentials.bucket}
+CONTACT_AWS_ACCESS_KEY_ID=${cloudfoundry_service_key.contact_list_key.credentials.access_key_id}
+CONTACT_AWS_SECRET_ACCESS_KEY=${cloudfoundry_service_key.contact_list_key.credentials.secret_access_key}
+CONTACT_AWS_REGION=${cloudfoundry_service_key.contact_list_key.credentials.region}
+# LOGO_UPLOAD_BUCKET
+LOGO_BUCKET_NAME=${cloudfoundry_service_key.logo_key.credentials.bucket}
+LOGO_AWS_ACCESS_KEY_ID=${cloudfoundry_service_key.logo_key.credentials.access_key_id}
+LOGO_AWS_SECRET_ACCESS_KEY=${cloudfoundry_service_key.logo_key.credentials.secret_access_key}
+LOGO_AWS_REGION=${cloudfoundry_service_key.logo_key.credentials.region}
+EOM
+}
+
+resource "null_resource" "output_creds_to_env" {
+  triggers = {
+    always_run = timestamp()
+  }
+  provisioner "local-exec" {
+    working_dir = "../.."
+    command     = "echo \"${local.credentials}\" >> .env"
+  }
+}

terraform/development/providers.tf

@@ -0,0 +1,16 @@
+terraform {
+  required_version = "~> 1.0"
+  required_providers {
+    cloudfoundry = {
+      source  = "cloudfoundry-community/cloudfoundry"
+      version = "0.50.5"
+    }
+  }
+}
+
+provider "cloudfoundry" {
+  api_url      = "https://api.fr.cloud.gov"
+  user         = var.cf_user
+  password     = var.cf_password
+  app_logs_max = 30
+}

terraform/development/run.sh

@@ -0,0 +1,66 @@
+#!/usr/bin/env bash
+
+username=`whoami`
+org="gsa-tts-benefits-studio-prototyping"
+
+usage="
+$0: Create development infrastructure
+
+Usage:
+  $0 -h
+  $0 [-u <USER NAME>] [-k]
+
+Options:
+-h: show help and exit
+-u <USER NAME>: your username. Default: $username
+-k: keep service user. Default is to remove them after run
+-d: Destroy development resources. Default is to create them
+
+Notes:
+* Requires cf-cli@8
+* Requires terraform/development to be run on API app first, with the same [-u <USER NAME>]
+"
+
+action="apply"
+creds="remove"
+
+while getopts ":hkdu:" opt; do
+  case "$opt" in
+    u)
+      username=${OPTARG}
+      ;;
+    k)
+      creds="keep"
+      ;;
+    d)
+      action="destroy"
+      ;;
+    h)
+      echo "$usage"
+      exit 0
+      ;;
+  esac
+done
+
+set -e
+
+service_account="$username-terraform"
+
+if [[ ! -f "secrets.auto.tfvars" ]]; then
+  # create user in notify-local-dev space to create s3 buckets
+  ../create_service_account.sh -s notify-local-dev -u $service_account > secrets.auto.tfvars
+fi
+
+set +e
+
+terraform init
+terraform $action -var="username=$username"
+
+set -e
+
+if [[ $creds = "remove" ]]; then
+  ../destroy_service_account.sh -s notify-local-dev -u $service_account
+  rm secrets.auto.tfvars
+fi
+
+exit 0

terraform/development/variables.tf

@@ -0,0 +1,5 @@
+variable "cf_password" {
+  sensitive = true
+}
+variable "cf_user" {}
+variable "username" {}