Add terraform/development for retrieving credentials for local development use

2026-02-03 18:01:08 -05:00 · 2023-03-13 12:58:50 -04:00
parent 886db509a0
commit 627149402c
6 changed files with 238 additions and 36 deletions
--- a/terraform/development/main.tf
+++ b/terraform/development/main.tf
@@ -0,0 +1,91 @@
+locals {
+  cf_org_name      = "gsa-tts-benefits-studio-prototyping"
+  cf_space_name    = "notify-local-dev"
+  recursive_delete = true
+  key_name         = "${var.username}-dev-key"
+}
+
+module "csv_upload_bucket" {
+  source = "github.com/18f/terraform-cloudgov//s3?ref=v0.2.0"
+
+  cf_org_name      = local.cf_org_name
+  cf_space_name    = local.cf_space_name
+  recursive_delete = local.recursive_delete
+  name             = "${var.username}-csv-upload-bucket"
+}
+resource "cloudfoundry_service_key" "csv_key" {
+  name             = local.key_name
+  service_instance = module.csv_upload_bucket.bucket_id
+}
+
+module "contact_list_bucket" {
+  source = "github.com/18f/terraform-cloudgov//s3?ref=v0.2.0"
+
+  cf_org_name      = local.cf_org_name
+  cf_space_name    = local.cf_space_name
+  recursive_delete = local.recursive_delete
+  name             = "${var.username}-contact-list-bucket"
+}
+resource "cloudfoundry_service_key" "contact_list_key" {
+  name             = local.key_name
+  service_instance = module.contact_list_bucket.bucket_id
+}
+
+data "cloudfoundry_space" "staging" {
+  org_name = local.cf_org_name
+  name     = "notify-staging"
+}
+
+data "cloudfoundry_service_instance" "ses_email" {
+  name_or_id = "notify-api-ses-staging"
+  space      = data.cloudfoundry_space.staging.id
+}
+resource "cloudfoundry_service_key" "ses_key" {
+  name             = local.key_name
+  service_instance = data.cloudfoundry_service_instance.ses_email.id
+}
+
+data "cloudfoundry_service_instance" "sns_sms" {
+  name_or_id = "notify-api-sns-staging"
+  space      = data.cloudfoundry_space.staging.id
+}
+resource "cloudfoundry_service_key" "sns_key" {
+  name             = local.key_name
+  service_instance = data.cloudfoundry_service_instance.sns_sms.id
+}
+
+locals {
+  credentials = <<EOM
+
+#############################################################
+# CSV_UPLOAD_BUCKET
+CSV_BUCKET_NAME=${cloudfoundry_service_key.csv_key.credentials.bucket}
+CSV_AWS_ACCESS_KEY_ID=${cloudfoundry_service_key.csv_key.credentials.access_key_id}
+CSV_AWS_SECRET_ACCESS_KEY=${cloudfoundry_service_key.csv_key.credentials.secret_access_key}
+CSV_AWS_REGION=${cloudfoundry_service_key.csv_key.credentials.region}
+# CONTACT_LIST_BUCKET
+CONTACT_BUCKET_NAME=${cloudfoundry_service_key.contact_list_key.credentials.bucket}
+CONTACT_AWS_ACCESS_KEY_ID=${cloudfoundry_service_key.contact_list_key.credentials.access_key_id}
+CONTACT_AWS_SECRET_ACCESS_KEY=${cloudfoundry_service_key.contact_list_key.credentials.secret_access_key}
+CONTACT_AWS_REGION=${cloudfoundry_service_key.contact_list_key.credentials.region}
+# SES_EMAIL
+SES_AWS_ACCESS_KEY_ID=${cloudfoundry_service_key.ses_key.credentials.smtp_user}
+SES_AWS_SECRET_ACCESS_KEY=${cloudfoundry_service_key.ses_key.credentials.secret_access_key}
+SES_AWS_REGION=${cloudfoundry_service_key.ses_key.credentials.region}
+SES_DOMAIN_ARN=${cloudfoundry_service_key.ses_key.credentials.domain_arn}
+# SNS_SMS
+SNS_AWS_ACCESS_KEY_ID=${cloudfoundry_service_key.sns_key.credentials.aws_access_key_id}
+SNS_AWS_SECRET_ACCESS_KEY=${cloudfoundry_service_key.sns_key.credentials.aws_secret_access_key}
+SNS_AWS_REGION=${cloudfoundry_service_key.sns_key.credentials.region}
+EOM
+}
+
+resource "null_resource" "output_creds_to_env" {
+  triggers = {
+    always_run = timestamp()
+  }
+  provisioner "local-exec" {
+    working_dir = "../.."
+    command     = "echo \"${local.credentials}\" >> .env"
+  }
+}
--- a/terraform/development/providers.tf
+++ b/terraform/development/providers.tf
@@ -0,0 +1,16 @@
+terraform {
+  required_version = "~> 1.0"
+  required_providers {
+    cloudfoundry = {
+      source  = "cloudfoundry-community/cloudfoundry"
+      version = "0.50.5"
+    }
+  }
+}
+
+provider "cloudfoundry" {
+  api_url      = "https://api.fr.cloud.gov"
+  user         = var.cf_user
+  password     = var.cf_password
+  app_logs_max = 30
+}
--- a/terraform/development/run.sh
+++ b/terraform/development/run.sh
@@ -0,0 +1,69 @@
+#!/usr/bin/env bash
+
+username=`whoami`
+org="gsa-tts-benefits-studio-prototyping"
+
+usage="
+$0: Create development infrastructure
+
+Usage:
+  $0 -h
+  $0 [-u <USER NAME>] [-k]
+
+Options:
+-h: show help and exit
+-u <USER NAME>: your username. Default: $username
+-k: keep service user. Default is to remove them after run
+-d: Destroy development resources. Default is to create them
+
+Notes:
+* Requires cf-cli@8
+"
+
+action="apply"
+creds="remove"
+
+while getopts ":hkdu:" opt; do
+  case "$opt" in
+    u)
+      username=${OPTARG}
+      ;;
+    k)
+      creds="keep"
+      ;;
+    d)
+      action="destroy"
+      ;;
+    h)
+      echo "$usage"
+      exit 0
+      ;;
+  esac
+done
+
+set -e
+
+service_account="$username-terraform"
+
+if [[ ! -f "secrets.auto.tfvars" ]]; then
+  # create user in notify-local-dev space to create s3 buckets
+  ../create_service_account.sh -s notify-local-dev -u $service_account > secrets.auto.tfvars
+
+  # grant user access to notify-staging to create a service key for SES and SNS
+  cg_username=`cf service-key $service_account service-account-key | tail -n +2 | jq -r '.credentials.username'`
+  cf set-space-role $cg_username $org notify-staging SpaceDeveloper
+fi
+
+set +e
+
+terraform init
+terraform $action -var="username=$username"
+
+set -e
+
+if [[ $creds = "remove" ]]; then
+  ../destroy_service_account.sh -s notify-local-dev -u $service_account
+  rm secrets.auto.tfvars
+fi
+
+exit 0
--- a/terraform/development/variables.tf
+++ b/terraform/development/variables.tf
@@ -0,0 +1,5 @@
+variable "cf_password" {
+  sensitive = true
+}
+variable "cf_user" {}
+variable "username" {}