diff --git a/module/move/willbe/template/deploy/Makefile.hbs b/module/move/willbe/template/deploy/Makefile.hbs index 7f79a8adad..f978b887eb 100644 --- a/module/move/willbe/template/deploy/Makefile.hbs +++ b/module/move/willbe/template/deploy/Makefile.hbs @@ -1,16 +1,5 @@ .PHONY: deploy -# Secrets that can be provided via ENV vars or files in ./key/ directory. - -# Hetzner API token -export SECRET_CSP_HETZNER ?= $(shell cat key/SECRET_CSP_HETZNER 2> /dev/null) -# Cloud Storage file encryption key -export SECRET_STATE_ARCHIVE_KEY ?= $(shell cat key/SECRET_STATE_ARCHIVE_KEY 2> /dev/null) -# AWS Access Key id -export SECRET_AWS_ACCESS_KEY_ID ?= $(shell cat key/SECRET_AWS_ACCESS_KEY_ID 2> /dev/null) -# AWS Access Key -export SECRET_AWS_ACCESS_KEY ?= $(shell cat key/SECRET_AWS_ACCESS_KEY 2> /dev/null) - # Configuration variables for deployment. Can be edited for desired behavior. # Base terraform directory @@ -24,7 +13,7 @@ export TF_VAR_REPO_NAME ?= {{gcp_artifact_repo_name}} # Pushed image name export TF_VAR_IMAGE_NAME ?= {{docker_image_name}} # Path to the service account credentials -export google_sa_creds ?= key/service_account.json +export google_sa_creds ?= key/-service_account.json # Cloud Storage bucket name export TF_VAR_BUCKET_NAME ?= {{docker_image_name}}_tfstate # Specifies where to deploy the project. Possible values: `hetzner`, `gce`, `aws` 
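Review bot: With the `SECRET_* ?= $(shell cat key/...)` exports gone, the file no longer says where `SECRET_CSP_HETZNER`, `SECRET_STATE_ARCHIVE_KEY`, `SECRET_AWS_ACCESS_KEY_ID` and `SECRET_AWS_ACCESS_KEY` are expected to come from; the removed header comment was the only mention, and the remaining "# Configuration variables for deployment" comment covers only the TF_VAR settings. Since the check-* recipes further down still test `${SECRET_*}`, the values must now reach make through the environment (presumably by sourcing the `key/-*.sh` scripts the new key/Readme.md describes), which deserves a line in its place: `# Secrets (SECRET_CSP_HETZNER, SECRET_STATE_ARCHIVE_KEY, SECRET_AWS_ACCESS_KEY_ID, SECRET_AWS_ACCESS_KEY) are read from the environment only; export them before running make, see key/Readme.md.`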
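Review bot: The new default `key/-service_account.json` is only safe while the `key/` prefix is kept: the bare basename begins with `-`, so any command that receives it without a directory component (for example something run from inside `key/`) would parse it as an option. Nothing in the hunk does that, but the convention is new to the template and worth stating next to the assignment: `# Basename starts with '-' so that key/.gitignore's -* rule keeps it out of the repository; always reference it with the key/ prefix (or after --).`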
@@ -45,40 +34,29 @@ export AWS_SECRET_ACCESS_KEY ?= $(SECRET_AWS_ACCESS_KEY) # Check Hetzner and deployment related keys check-hetzner-keys: - @[ -f key/SECRET_CSP_HETZNER ] \ - || [ ! -z "${SECRET_CSP_HETZNER}" ] \ - || { echo "ERROR: File key/SECRET_CSP_HETZNER does not exist"; exit 1; } + @[ ! -z "${SECRET_CSP_HETZNER}" ] \ + || { echo "ERROR: Key SECRET_CSP_HETZNER does not exist"; exit 1; } # Check AWS and deployment related keys check-aws-keys: - @[ -f key/SECRET_AWS_ACCESS_KEY_ID ] \ - || [ ! -z "${SECRET_AWS_ACCESS_KEY_ID}" ] \ - || echo "ERROR: File key/SECRET_AWS_ACCESS_KEY_ID does not exist" - @[ -f key/SECRET_AWS_ACCESS_KEY ] \ - || [ ! -z "${SECRET_AWS_ACCESS_KEY}" ] \ - || echo "ERROR: File key/SECRET_AWS_ACCESS_KEY does not exist" - @[ -f key/SECRET_AWS_ACCESS_KEY_ID ] \ - || [ ! -z "${SECRET_AWS_ACCESS_KEY_ID}" ] \ - || exit 1 - @[ -f key/SECRET_AWS_ACCESS_KEY ] \ - || [ ! -z "${SECRET_AWS_ACCESS_KEY}" ] \ - || exit 1 + @[ ! -z "${SECRET_AWS_ACCESS_KEY_ID}" ] \ + || echo "ERROR: Key SECRET_AWS_ACCESS_KEY_ID does not exist" + @[ ! -z "${SECRET_AWS_ACCESS_KEY}" ] \ + || echo "ERROR: Key SECRET_AWS_ACCESS_KEY does not exist" + @[ ! -z "${SECRET_AWS_ACCESS_KEY_ID}" ] || exit 1 + @[ ! -z "${SECRET_AWS_ACCESS_KEY}" ] || exit 1 check-gce-keys: @echo "All required GCE keys are the same as GCP keys" # Check if required GCP keys are present check-gcp-keys: - @[ -f key/service_account.json ] \ - || echo "ERROR: File key/service_account.json does not exist" - @[ -f key/SECRET_STATE_ARCHIVE_KEY ] \ - || [ ! -z "${SECRET_STATE_ARCHIVE_KEY}" ] \ - || echo "ERROR: File key/SECRET_STATE_ARCHIVE_KEY does not exist" - @[ -f key/service_account.json ] \ - || exit 1 - @[ -f key/SECRET_STATE_ARCHIVE_KEY ] \ - || [ ! -z "${SECRET_STATE_ARCHIVE_KEY}" ] \ - || exit 1 + @[ -f key/-service_account.json ] \ + || echo "ERROR: Key file key/-service_account.json does not exist" + @[ ! 
-z "${SECRET_STATE_ARCHIVE_KEY}" ] \ + || echo "ERROR: Key SECRET_STATE_ARCHIVE_KEY does not exist" + @[ -f key/-service_account.json ] || exit 1 + @[ ! -z "${SECRET_STATE_ARCHIVE_KEY}" ] || exit 1 # Start local docker container start: diff --git a/module/move/willbe/template/deploy/deploy/aws/variables.tf b/module/move/willbe/template/deploy/deploy/aws/variables.tf index ed15e05028..c536019a13 100644 --- a/module/move/willbe/template/deploy/deploy/aws/variables.tf +++ b/module/move/willbe/template/deploy/deploy/aws/variables.tf @@ -20,15 +20,15 @@ variable "IMAGE_NAME" { # Google Cloud Platform credentials data "local_sensitive_file" "service_account_creds" { - filename = "${path.module}/../../key/service_account.json" + filename = "${path.module}/../../key/-service_account.json" } # Private key for SSH connection data "local_sensitive_file" "ssh_private_key" { - filename = "${path.module}/../../key/rsa_ssh_key" + filename = "${path.module}/../../key/-rsa_ssh_key" } # Public key for SSH connection data "local_sensitive_file" "ssh_public_key" { - filename = "${path.module}/../../key/rsa_ssh_key.pub" + filename = "${path.module}/../../key/-rsa_ssh_key.pub" } diff --git a/module/move/willbe/template/deploy/deploy/hetzner/variables.tf b/module/move/willbe/template/deploy/deploy/hetzner/variables.tf index 4d445400eb..a6c27db413 100644 --- a/module/move/willbe/template/deploy/deploy/hetzner/variables.tf +++ b/module/move/willbe/template/deploy/deploy/hetzner/variables.tf 
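Review bot: The error messages in the new check-hetzner-keys, check-aws-keys and check-gcp-keys recipes are written to stdout, so a caller that captures or discards stdout loses the reason for the non-zero exit; append `>&2` to each echo, e.g. `|| echo "ERROR: Key SECRET_AWS_ACCESS_KEY_ID does not exist" >&2` and `|| { echo "ERROR: Key SECRET_CSP_HETZNER does not exist" >&2; exit 1; }`. The doubled tests in check-aws-keys and check-gcp-keys look deliberate — the echo lines report every missing key before the separate `|| exit 1` lines fail — but nothing says so, while check-hetzner-keys uses the single `{ echo; exit 1; }` form, so a later reader may fold them together and lose the report-all behaviour; a comment above each such target, `# Each key is tested twice on purpose: report every missing key first, then fail.`, would preserve the intent. Note also that after this commit `${SECRET_*}` in these recipes is only non-empty when make inherits the variable from the environment, since the file-based fallback was removed earlier in the same file.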
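Review bot: The renamed `key/-rsa_ssh_key` and `key/-rsa_ssh_key.pub` are read by `local_sensitive_file` at plan time, but neither the check-* targets in Makefile.hbs nor the visible part of the new key/Readme.md mention them (the old Readme listed `rsa_ssh_key`, and those bullets are removed), so a missing SSH key now surfaces only as a terraform error after the key checks have passed; the identical hunk in deploy/hetzner/variables.tf has the same gap. A comment on each of the two SSH data blocks would at least document the expectation, e.g. `# Must exist before plan; the '-' prefix keeps it under key/.gitignore's -* rule and it is not verified by the Makefile check-* targets.` Whether the file is checked or generated somewhere outside this diff I cannot tell from here.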
@@ -25,15 +25,15 @@ variable "IMAGE_NAME" { # Google Cloud Platform credentials data "local_sensitive_file" "service_account_creds" { - filename = "${path.module}/../../key/service_account.json" + filename = "${path.module}/../../key/-service_account.json" } # Private key for SSH connection data "local_sensitive_file" "ssh_private_key" { - filename = "${path.module}/../../key/rsa_ssh_key" + filename = "${path.module}/../../key/-rsa_ssh_key" } # Public key for SSH connection data "local_sensitive_file" "ssh_public_key" { - filename = "${path.module}/../../key/rsa_ssh_key.pub" + filename = "${path.module}/../../key/-rsa_ssh_key.pub" } diff --git a/module/move/willbe/template/deploy/key/.gitignore b/module/move/willbe/template/deploy/key/.gitignore index 38b7807347..96870e1f6b 100644 --- a/module/move/willbe/template/deploy/key/.gitignore +++ b/module/move/willbe/template/deploy/key/.gitignore @@ -2,3 +2,4 @@ !.gitignore !*.md !pack.sh +-* diff --git a/module/move/willbe/template/deploy/key/Readme.md b/module/move/willbe/template/deploy/key/Readme.md index 84fc765608..d46ad6df48 100644 --- a/module/move/willbe/template/deploy/key/Readme.md +++ b/module/move/willbe/template/deploy/key/Readme.md 
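Review bot: The added `-*` rule is what keeps every file of the new secret-prefix convention (`-service_account.json`, `-rsa_ssh_key`, `-gcp.sh`, …) out of the repository, and its position matters: later rules win, so it must stay below the `!*.md` and `!pack.sh` negations (a `-notes.md` dropped here would otherwise be re-included), and it presumably relies on line 1, outside the hunk, ignoring everything else. A comment would make that ordering constraint explicit: `# Files prefixed with '-' hold secrets (see Readme.md); keep this rule last so it overrides the negations above.`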
@@ -1,50 +1,82 @@ -# Deploy credentials +# Keys -A list of all keys you'd need to deploy your project on different hosts. +This document provides a concise example of an environment configuration script, used to set up environment variables for a project. +These variables configure application behavior without altering the code. -- [Deploy credentials](#deploy-credentials) - - [Files](#files) - - [Env vars](#env-vars) +- [Keys](#keys) + - [Examples](#examples) + - [`-gcp.sh`](#-gcpsh) + - [`-hetzner.sh`](#-hetznersh) + - [`-aws.sh`](#-awssh) + - [How to Run](#how-to-run) - [Retrieving keys](#retrieving-keys) - [How to get `service_account.json`](#how-to-get-service_accountjson) - [How to get `SECRET_STATE_ARCHIVE_KEY`](#how-to-get-secret_state_archive_key) - [How to get `SECRET_CSP_HETZNER`](#how-to-get-secret_csp_hetzner) - [How to get `SECRET_AWS_ACCESS_KEY_ID` and `SECRET_AWS_ACCESS_KEY`](#how-to-get-secret_aws_access_key_id-and-secret_aws_access_key) -## Files -All secrets can be provided as files in current directory: +## Examples -- [service_account.json](./service_account.json) - default credentials for the service account to use in deployment. -- [rsa_ssh_key](./rsa_ssh_key) - SSH Private key that will be used for redeployment. -- [rsa_ssh_key.pub](./rsa_ssh_key.pub) - SSH Private key that will be used for redeployment. -- [`SECRET_STATE_ARCHIVE_KEY`](./SECRET_STATE_ARCHIVE_KEY) - [📃] base64 encoded AES256 key to encrypt and decrypt .tfstate files. -- [`SECRET_CSP_HETZNER`](./SECRET_CSP_HETZNER) - [📃] Hetzner token for deploying a server. -- [`SECRET_AWS_ACCESS_KEY_ID`](./SECRET_AWS_ACCESS_KEY_ID) - [📃] Access Key ID from AWS Credentials. Created at the same time as the Access Key itself. -- [`SECRET_AWS_ACCESS_KEY`](./SECRET_AWS_ACCESS_KEY) - [📃] Access Key for AWS API. Has to be accompanied with respectful Access Key ID. +### `-gcp.sh` -## Env vars +Contents example for the file `-gcp.sh`. This is a required configuration for all deploy targets. 
-Some secrets can be presented as an env var: +```bash +#!/bin/bash +CSP=gce +SECRET_STATE_ARCHIVE_KEY=qK1/4m60aZvclYi4bZFeBl8GxpyWcJ2iEevHN+uMy7w= -- [`SECRET_STATE_ARCHIVE_KEY`](./SECRET_STATE_ARCHIVE_KEY) - [📃] base64 encoded AES256 key to encrypt and decrypt .tfstate files. -- [`SECRET_CSP_HETZNER`](./SECRET_CSP_HETZNER) - [📃] Hetzner token for deploying a server. -- [`SECRET_AWS_ACCESS_KEY_ID`](./SECRET_AWS_ACCESS_KEY_ID) - [📃] Access Key ID from AWS Credentials. Created at the same time as the Access Key itself. -- [`SECRET_AWS_ACCESS_KEY`](./SECRET_AWS_ACCESS_KEY) - [📃] Access Key for AWS API. Has to be accompanied with respectful Access Key ID. +FILE_PATH="$( realpath -qms "${BASH_SOURCE[0]:-$PWD}" )" +DIR_PATH="${FILE_PATH%/*}" +head -c -1 << EOF > ${DIR_PATH}/-service_account.json +{ + // Your service_account information +} +EOF +``` + +- `CSP`: (Optional) Specifies deployment to GCE. +- `SECRET_STATE_ARCHIVE_KEY`: Base64 encoded AES256 key to encrypt and decrypt .tfstate files. +- `-service_account.json`: Default credentials for the service account to use in deployment. + +### `-hetzner.sh` + +Contents example for the file `-hetzner.sh`: + +```bash +CSP=hetzner +SECRET_CSP_HETZNER=your_token_here +``` -Env vars have a higher priority then the files. +- `CSP`: Specifies deployment to Hetzner. +- `SECRET_CSP_HETZNER`: Hetzner token for deploying a server. -For ENV [📃] secrets values can be placed in files in this directory for automatic exporting to env during deployment. +### `-aws.sh` -Example of a file that will be pulled to env vars: +Contents example for the file `-aws.sh`: -File name: `SECRET_CSP_HETZNER` -File contents: +```bash +CSP=aws +SECRET_AWS_ACCESS_KEY_ID=aws_credentials_here +SECRET_AWS_ACCESS_KEY=aws_credentials_here ``` -hetzner_token_123 + +- `CSP`: Specifies deployment to AWS. +- `SECRET_AWS_ACCESS_KEY_ID`: Access Key ID from AWS Credentials. Created at the same time as the Access Key itself. 
+- `SECRET_AWS_ACCESS_KEY`: Access Key for AWS API. Has to be accompanied with respectful Access Key ID. + +## How to Run + +To apply these variables to your current shell session, use: + +```bash +. ./key/-gcp.sh +. ./key/-hetzner.sh ``` -Will export a variable to env like so `SECRET_CSP_HETZNER=hetzner_token_123` +This command sources the script, making the variables available in your current session and allowing deployment to Hetzner. +Ensure `-env.sh` is in the `key` directory relative to your current location. ## Retrieving keys