From ed9bc457f54c827422df49bf9a76ac8c471d8a5f Mon Sep 17 00:00:00 2001 From: Jona Koudijs Date: Sun, 21 Sep 2025 22:47:38 +0200 Subject: [PATCH 01/11] Test IAC --- .github/workflows/apply.yaml | 25 +++++++++++++++++++++++++ .github/workflows/lint.yaml | 31 +++++++++++++++++++++++++++++++ .github/workflows/plan.yaml | 22 ++++++++++++++++++++++ README.md | 14 +++++++++----- terraform/backend.tf | 14 ++++++++++++++ terraform/main.tf | 2 +- terraform/variables.tf | 12 ++++++++++++ 7 files changed, 114 insertions(+), 6 deletions(-) create mode 100644 .github/workflows/apply.yaml create mode 100644 .github/workflows/lint.yaml create mode 100644 .github/workflows/plan.yaml create mode 100644 terraform/backend.tf diff --git a/.github/workflows/apply.yaml b/.github/workflows/apply.yaml new file mode 100644 index 0000000..7b35612 --- /dev/null +++ b/.github/workflows/apply.yaml @@ -0,0 +1,25 @@ +name: Apply Terraform plan + +on: + push: + branches: + - main + +permissions: + contents: read + pull-requests: write + +jobs: + apply: + runs-on: ubuntu-latest + name: Apply Terraform plan + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Terraform apply + uses: dflook/terraform-apply@v2 + with: + path: terraform-config \ No newline at end of file diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml new file mode 100644 index 0000000..d71a67b --- /dev/null +++ b/.github/workflows/lint.yaml 
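Review bot: The apply job runs `terraform apply` on every push to main with no `concurrency` group and no protected `environment`, so two merges in quick succession can apply concurrently against the same state, and the backend added in this commit configures no state locking. Adding `concurrency:` / `  group: terraform-apply` / `  cancel-in-progress: false` at workflow level serialises the runs, and an `environment:` with required reviewers on the job gives the apply a manual gate. Separately, `actions/checkout@v4` and `dflook/terraform-apply@v2` are mutable tags; pinning them to full commit SHAs (the same applies to the lint.yaml and plan.yaml workflows in this commit) makes what runs with these credentials reproducible.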
@@ -0,0 +1,31 @@ +name: Lint Terraform plan + +on: + push: + branches-ignore: + - main + +jobs: + validate: + runs-on: ubuntu-latest + name: Validate Terraform configuration + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Terraform validate + uses: dflook/terraform-validate@v2 + with: + path: terraform-config + + fmt-check: + runs-on: ubuntu-latest + name: Check formatting of Terraform files + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Terraform fmt + uses: dflook/terraform-fmt-check@v2 + with: + path: terraform-config \ No newline at end of file diff --git a/.github/workflows/plan.yaml b/.github/workflows/plan.yaml new file mode 100644 index 0000000..8a929a1 --- /dev/null +++ b/.github/workflows/plan.yaml @@ -0,0 +1,22 @@ +name: Create Terraform plan + +on: [pull_request] + +permissions: + contents: read + pull-requests: write + +jobs: + plan: + runs-on: ubuntu-latest + name: Create a Terraform plan + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Terraform plan + uses: dflook/terraform-plan@v2 + with: + path: terraform-config \ No newline at end of file diff --git a/README.md b/README.md index 413558f..9d0f9d8 100644 --- a/README.md +++ b/README.md 
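Review bot: The lint workflow declares no `permissions:` block, so both jobs run with the repository's default `GITHUB_TOKEN` permissions, which can be read/write on older repositories. Neither validate nor fmt-check needs more than a checkout, so a top-level `permissions:` / `  contents: read` — matching what apply.yaml and plan.yaml in this commit already declare — is enough.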
@@ -2,15 +2,18 @@ # Cloudijs Platform -Hosting platform based on Kubernetes. This repository contain the IAC used to setup this platform on [Hetzner](https://www.hetzner.com). The platform relies heavily on the amazing [terraform-hcloud-kubernetes](https://github.com/hcloud-k8s/terraform-hcloud-kubernetes) Terraform module. +Hosting platform based on Kubernetes. This repository contain the Terraform used to setup this platform on [Hetzner](https://www.hetzner.com). The platform relies heavily on the amazing [terraform-hcloud-kubernetes](https://github.com/hcloud-k8s/terraform-hcloud-kubernetes) Terraform module. ## Deployment -To deploy the platform you will need a Hetzer account and create a [token](https://docs.hetzner.com/cloud/api/getting-started/generating-api-token/). Then run Terraform or Tofu after setting the token variable: +To deploy the platform you will need a Hetzner account and create a [token](https://docs.hetzner.com/cloud/api/getting-started/generating-api-token/). In this example a Hetzner object storage is used for storing the Terraform state. Then run Terraform or Tofu after setting the required variables: ```bash -export TF_VAR_hcloud_token="" -tofu plan -tofy apply +export TF_VAR_HCLOUD_TOKEN="" +export TF_VAR_STATE_BUCKET_NAME="" +export TF_VAR_STATE_BUCKET_ACCESS_KEY="" +export TF_VAR_STATE_BUCKET_SECRET_KEY="" +terraform plan +terraform apply ``` ## Sources @@ -20,6 +23,7 @@ tofy apply * https://registry.terraform.io/providers/hetznercloud/hcloud/latest * https://docs.hetzner.cloud/changelog#2025-04-23-talos-linux-v195-iso-now-available * https://github.com/hetznercloud/hcloud-cloud-controller-manager/tree/main +* https://github.com/dflook/terraform-github-actions ## License diff --git a/terraform/backend.tf b/terraform/backend.tf new file mode 100644 index 0000000..bbe51c5 --- /dev/null +++ b/terraform/backend.tf 
@@ -0,0 +1,14 @@ +terraform { + backend "s3" { + bucket = var.state_bucket_name + key = "platform/terraform.tfstate" + region = "us-east-1" # required but not used by Hetzner + endpoint = "https://fsn1.your-objectstorage.com" # change to your region endpoint (e.g., fsn1, nbx1, hel1) + use_path_style = true + skip_credentials_validation = true + skip_region_validation = true + skip_metadata_api_check = true + access_key = var.state_bucket_access_key + secret_key = var.state_bucket_secret_key + } +} \ No newline at end of file diff --git a/terraform/main.tf b/terraform/main.tf index e62ea46..a6124cd 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -21,4 +21,4 @@ module "kubernetes" { worker_nodepools = [ { name = "worker", type = "cpx11", location = "fsn1", count = 2 } ] -} +} \ No newline at end of file diff --git a/terraform/variables.tf b/terraform/variables.tf index 15e218d..067e650 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -1,3 +1,15 @@ +# Hetzner secrets variable "hcloud_token" { sensitive = true +} + +# Terraform state +variable "state_bucket_name" { + sensitive = true +} +variable "state_bucket_access_key" { + sensitive = true +} +variable "state_bucket_secret_key" { + sensitive = true } \ No newline at end of file From 029daf9d837b93e85064e19cca4210c7a63c54e9 Mon Sep 17 00:00:00 2001 From: Jona Koudijs Date: Sun, 21 Sep 2025 22:54:52 +0200 Subject: [PATCH 02/11] Fix terraform aactions path --- .github/workflows/apply.yaml | 2 +- .github/workflows/lint.yaml | 4 ++-- .github/workflows/plan.yaml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/apply.yaml b/.github/workflows/apply.yaml index 7b35612..5851683 100644 --- a/.github/workflows/apply.yaml +++ b/.github/workflows/apply.yaml @@ -22,4 +22,4 @@ jobs: - name: Terraform apply uses: dflook/terraform-apply@v2 with: - path: terraform-config \ No newline at end of file + path: terraform \ No newline at end of file 
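Review bot: `bucket`, `access_key` and `secret_key` are set from `var.*`, but Terraform does not allow input variables inside a `backend` block (it is evaluated before variables are loaded), so `terraform init` rejects this file as written; the bucket name has to be a literal or passed via `-backend-config`, and the two keys are better supplied through `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` than stored in the configuration at all. The block also configures no state locking — neither `use_lockfile` nor a lock table — so a plan and an apply running at the same time can corrupt the state; whether Hetzner's object storage supports the conditional writes that `use_lockfile` relies on is worth checking before enabling it. The `endpoint` comment lists `nbx1` as an example region; I believe the Nuremberg location is `nbg1`, but verify against Hetzner's documentation.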
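Review bot: The README in this same commit instructs users to export `TF_VAR_HCLOUD_TOKEN` and `TF_VAR_STATE_BUCKET_NAME`/`_ACCESS_KEY`/`_SECRET_KEY`, but `TF_VAR_` lookups are case-sensitive and must match the variable name exactly, so those exports would leave `hcloud_token` and the three `state_bucket_*` variables unset; the README should use `TF_VAR_hcloud_token`, `TF_VAR_state_bucket_name` and so on. The new variables also carry no `type` or `description`; `type = string` plus a one-line description on each (e.g. `description = "Access key for the object-storage bucket holding Terraform state"`) would document what callers are expected to provide.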
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index d71a67b..67ee0bf 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -16,7 +16,7 @@ jobs: - name: Terraform validate uses: dflook/terraform-validate@v2 with: - path: terraform-config + path: terraform fmt-check: runs-on: ubuntu-latest @@ -28,4 +28,4 @@ jobs: - name: Terraform fmt uses: dflook/terraform-fmt-check@v2 with: - path: terraform-config \ No newline at end of file + path: terraform \ No newline at end of file diff --git a/.github/workflows/plan.yaml b/.github/workflows/plan.yaml index 8a929a1..8667840 100644 --- a/.github/workflows/plan.yaml +++ b/.github/workflows/plan.yaml @@ -19,4 +19,4 @@ jobs: - name: Terraform plan uses: dflook/terraform-plan@v2 with: - path: terraform-config \ No newline at end of file + path: terraform \ No newline at end of file From 0c471a1d11748c2e3240471634c4020fdcfc1843 Mon Sep 17 00:00:00 2001 From: Jona Koudijs Date: Sun, 21 Sep 2025 22:57:18 +0200 Subject: [PATCH 03/11] Fix Terraform Lint --- .github/workflows/lint.yaml | 4 ++-- terraform/backend.tf | 18 +++++++++--------- terraform/variables.tf | 8 ++++---- 3 files changed, 15 insertions(+), 15 deletions(-) diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index 67ee0bf..04f9d08 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -8,7 +8,7 @@ on: jobs: validate: runs-on: ubuntu-latest - name: Validate Terraform configuration + name: Validate Terraform steps: - name: Checkout uses: actions/checkout@v4 @@ -20,7 +20,7 @@ jobs: fmt-check: runs-on: ubuntu-latest - name: Check formatting of Terraform files + name: Check Terraform formatting steps: - name: Checkout uses: actions/checkout@v4 diff --git a/terraform/backend.tf b/terraform/backend.tf index bbe51c5..abd2bd3 100644 --- a/terraform/backend.tf +++ b/terraform/backend.tf 
@@ -1,14 +1,14 @@ terraform { backend "s3" { - bucket = var.state_bucket_name - key = "platform/terraform.tfstate" - region = "us-east-1" # required but not used by Hetzner - endpoint = "https://fsn1.your-objectstorage.com" # change to your region endpoint (e.g., fsn1, nbx1, hel1) - use_path_style = true + bucket = var.state_bucket_name + key = "platform/terraform.tfstate" + region = "us-east-1" # required but not used by Hetzner + endpoint = "https://fsn1.your-objectstorage.com" # change to your region endpoint (e.g., fsn1, nbx1, hel1) + use_path_style = true skip_credentials_validation = true - skip_region_validation = true - skip_metadata_api_check = true - access_key = var.state_bucket_access_key - secret_key = var.state_bucket_secret_key + skip_region_validation = true + skip_metadata_api_check = true + access_key = var.state_bucket_access_key + secret_key = var.state_bucket_secret_key } } \ No newline at end of file diff --git a/terraform/variables.tf b/terraform/variables.tf index 067e650..b25d6ca 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -1,15 +1,15 @@ # Hetzner secrets variable "hcloud_token" { - sensitive = true + sensitive = true } # Terraform state variable "state_bucket_name" { - sensitive = true + sensitive = true } variable "state_bucket_access_key" { - sensitive = true + sensitive = true } variable "state_bucket_secret_key" { - sensitive = true + sensitive = true } \ No newline at end of file From 3e07923a46ec7d2f16a0422d1b3adf10eb9f6d60 Mon Sep 17 00:00:00 2001 From: Jona Koudijs Date: Sun, 21 Sep 2025 23:00:30 +0200 Subject: [PATCH 04/11] Rename GH action --- .github/workflows/lint.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index 04f9d08..8ff4bf6 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml 
@@ -20,7 +20,7 @@ jobs: fmt-check: runs-on: ubuntu-latest - name: Check Terraform formatting + name: Terraform formatting steps: - name: Checkout uses: actions/checkout@v4 From 982dec62204504b4560a2bf76a781e8f1fda0c7e Mon Sep 17 00:00:00 2001 From: Jona Koudijs Date: Mon, 22 Sep 2025 00:29:22 +0200 Subject: [PATCH 05/11] Test secrets --- .github/workflows/apply.yaml | 6 +++++- .github/workflows/plan.yaml | 6 +++++- terraform/backend.tf | 6 +++--- 3 files changed, 13 insertions(+), 5 deletions(-) diff --git a/.github/workflows/apply.yaml b/.github/workflows/apply.yaml index 5851683..96f2651 100644 --- a/.github/workflows/apply.yaml +++ b/.github/workflows/apply.yaml @@ -22,4 +22,8 @@ jobs: - name: Terraform apply uses: dflook/terraform-apply@v2 with: - path: terraform \ No newline at end of file + path: terraform + backend_config: | + bucket=${{ secrets.TF_STATE_BUCKET_NAME }} + access_key=${{ secrets.TF_STATE_ACCESS_KEY }} + secret_key=${{ secrets.TF_STATE_SECRET_KEY }} \ No newline at end of file diff --git a/.github/workflows/plan.yaml b/.github/workflows/plan.yaml index 8667840..00cba7c 100644 --- a/.github/workflows/plan.yaml +++ b/.github/workflows/plan.yaml @@ -19,4 +19,8 @@ jobs: - name: Terraform plan uses: dflook/terraform-plan@v2 with: - path: terraform \ No newline at end of file + path: terraform + backend_config: | + bucket=${{ secrets.TF_STATE_BUCKET_NAME }} + access_key=${{ secrets.TF_STATE_ACCESS_KEY }} + secret_key=${{ secrets.TF_STATE_SECRET_KEY }} \ No newline at end of file diff --git a/terraform/backend.tf b/terraform/backend.tf index abd2bd3..e51b314 100644 --- a/terraform/backend.tf +++ b/terraform/backend.tf @@ -1,6 +1,6 @@ terraform { backend "s3" { - bucket = var.state_bucket_name + #bucket = var.state_bucket_name key = "platform/terraform.tfstate" region = "us-east-1" # required but not used by Hetzner endpoint = "https://fsn1.your-objectstorage.com" # change to your region endpoint (e.g., fsn1, nbx1, hel1) 
@@ -8,7 +8,7 @@ terraform { skip_credentials_validation = true skip_region_validation = true skip_metadata_api_check = true - access_key = var.state_bucket_access_key - secret_key = var.state_bucket_secret_key + #access_key = var.state_bucket_access_key + #secret_key = var.state_bucket_secret_key } } \ No newline at end of file From 1a481bf0aa846179aae1de03a60d3c5e3914f8ed Mon Sep 17 00:00:00 2001 From: Jona Koudijs Date: Mon, 22 Sep 2025 00:35:25 +0200 Subject: [PATCH 06/11] Test secrets --- terraform/backend.tf | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/terraform/backend.tf b/terraform/backend.tf index e51b314..a16eeec 100644 --- a/terraform/backend.tf +++ b/terraform/backend.tf @@ -1,9 +1,11 @@ terraform { backend "s3" { #bucket = var.state_bucket_name - key = "platform/terraform.tfstate" - region = "us-east-1" # required but not used by Hetzner - endpoint = "https://fsn1.your-objectstorage.com" # change to your region endpoint (e.g., fsn1, nbx1, hel1) + key = "platform/terraform.tfstate" + region = "us-east-1" # required but not used by Hetzner + endpoints = { + s3 = "https://fsn1.your-objectstorage.com" # change to your region endpoint (e.g., fsn1, nbx1, hel1) + } use_path_style = true skip_credentials_validation = true skip_region_validation = true From 2ba607bee6be4a0072a7819b474b8c9fea28016e Mon Sep 17 00:00:00 2001 From: Jona Koudijs Date: Mon, 22 Sep 2025 00:53:28 +0200 Subject: [PATCH 07/11] Test secrets --- terraform/backend.tf | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/terraform/backend.tf b/terraform/backend.tf index a16eeec..4dae2dc 100644 --- a/terraform/backend.tf +++ b/terraform/backend.tf 
@@ -1,16 +1,14 @@ terraform { backend "s3" { - #bucket = var.state_bucket_name + bucket = "platform-state" key = "platform/terraform.tfstate" region = "us-east-1" # required but not used by Hetzner endpoints = { - s3 = "https://fsn1.your-objectstorage.com" # change to your region endpoint (e.g., fsn1, nbx1, hel1) + s3 = "https://fsn1.your-objectstorage.com" # Falkenstein region } use_path_style = true skip_credentials_validation = true skip_region_validation = true skip_metadata_api_check = true - #access_key = var.state_bucket_access_key - #secret_key = var.state_bucket_secret_key } } \ No newline at end of file From 13e055258d9388d7c48e387a8fa1ed36c72dbed9 Mon Sep 17 00:00:00 2001 From: Jona Koudijs Date: Mon, 22 Sep 2025 01:02:36 +0200 Subject: [PATCH 08/11] Test secrets --- .github/workflows/apply.yaml | 9 ++++----- .github/workflows/plan.yaml | 9 ++++----- 2 files changed, 8 insertions(+), 10 deletions(-) diff --git a/.github/workflows/apply.yaml b/.github/workflows/apply.yaml index 96f2651..943af25 100644 --- a/.github/workflows/apply.yaml +++ b/.github/workflows/apply.yaml @@ -15,6 +15,9 @@ jobs: name: Apply Terraform plan env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + AWS_ACCESS_KEY_ID: ${{ secrets.TF_STATE_ACCESS_KEY }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.TF_STATE_SECRET_KEY }} + AWS_CA_BUNDLE: "" steps: - name: Checkout uses: actions/checkout@v4 @@ -22,8 +25,4 @@ jobs: - name: Terraform apply uses: dflook/terraform-apply@v2 with: - path: terraform - backend_config: | - bucket=${{ secrets.TF_STATE_BUCKET_NAME }} - access_key=${{ secrets.TF_STATE_ACCESS_KEY }} - secret_key=${{ secrets.TF_STATE_SECRET_KEY }} \ No newline at end of file + path: terraform \ No newline at end of file diff --git a/.github/workflows/plan.yaml b/.github/workflows/plan.yaml index 00cba7c..87c0b05 100644 --- a/.github/workflows/plan.yaml +++ b/.github/workflows/plan.yaml 
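Review bot: The state-bucket credentials are added to the job-level `env`, which makes `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` visible to every step in the job, including `actions/checkout`; moving them into an `env:` on the `Terraform apply` step alone keeps them scoped to the one step that needs them (the same applies to plan.yaml in this commit). `AWS_CA_BUNDLE: ""` has no stated purpose: an empty value is most likely treated as unset by the AWS SDK, and if it is meant to relax TLS verification it does not do that (and should not). Either drop it or add a comment such as `# AWS_CA_BUNDLE left empty on purpose: <reason>` so the next reader knows why it is there.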
@@ -12,6 +12,9 @@ jobs: name: Create a Terraform plan env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + AWS_ACCESS_KEY_ID: ${{ secrets.TF_STATE_ACCESS_KEY }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.TF_STATE_SECRET_KEY }} + AWS_CA_BUNDLE: "" steps: - name: Checkout uses: actions/checkout@v4 @@ -19,8 +22,4 @@ jobs: - name: Terraform plan uses: dflook/terraform-plan@v2 with: - path: terraform - backend_config: | - bucket=${{ secrets.TF_STATE_BUCKET_NAME }} - access_key=${{ secrets.TF_STATE_ACCESS_KEY }} - secret_key=${{ secrets.TF_STATE_SECRET_KEY }} \ No newline at end of file + path: terraform \ No newline at end of file From 58d6f853a782e25666ab40564dc41f0b36575e53 Mon Sep 17 00:00:00 2001 From: Jona Koudijs Date: Mon, 22 Sep 2025 09:22:42 +0200 Subject: [PATCH 09/11] Test secrets --- terraform/backend.tf | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/terraform/backend.tf b/terraform/backend.tf index 4dae2dc..498d3d0 100644 --- a/terraform/backend.tf +++ b/terraform/backend.tf @@ -3,12 +3,11 @@ terraform { bucket = "platform-state" key = "platform/terraform.tfstate" region = "us-east-1" # required but not used by Hetzner - endpoints = { - s3 = "https://fsn1.your-objectstorage.com" # Falkenstein region - } + endpoints = { s3 = "https://fsn1.your-objectstorage.com" } # Falkenstein region use_path_style = true skip_credentials_validation = true skip_region_validation = true + skip_requesting_account_id = true skip_metadata_api_check = true } } \ No newline at end of file From 7ea30350e71cc8c3aa8a8b2f021e177bad280c38 Mon Sep 17 00:00:00 2001 From: Jona Koudijs Date: Mon, 22 Sep 2025 09:26:40 +0200 Subject: [PATCH 10/11] Test secrets --- .github/workflows/apply.yaml | 1 + .github/workflows/plan.yaml | 1 + terraform/variables.tf | 11 ----------- 3 files changed, 2 insertions(+), 11 deletions(-) diff --git a/.github/workflows/apply.yaml b/.github/workflows/apply.yaml index 943af25..c784e44 100644 --- a/.github/workflows/apply.yaml 
+++ b/.github/workflows/apply.yaml @@ -15,6 +15,7 @@ jobs: name: Apply Terraform plan env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + TF_VAR_hcloud_token: ${{ secrets.TF_HCLOUD_TOKEN }} AWS_ACCESS_KEY_ID: ${{ secrets.TF_STATE_ACCESS_KEY }} AWS_SECRET_ACCESS_KEY: ${{ secrets.TF_STATE_SECRET_KEY }} AWS_CA_BUNDLE: "" diff --git a/.github/workflows/plan.yaml b/.github/workflows/plan.yaml index 87c0b05..3fffb52 100644 --- a/.github/workflows/plan.yaml +++ b/.github/workflows/plan.yaml @@ -12,6 +12,7 @@ jobs: name: Create a Terraform plan env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + TF_VAR_hcloud_token: ${{ secrets.TF_HCLOUD_TOKEN }} AWS_ACCESS_KEY_ID: ${{ secrets.TF_STATE_ACCESS_KEY }} AWS_SECRET_ACCESS_KEY: ${{ secrets.TF_STATE_SECRET_KEY }} AWS_CA_BUNDLE: "" diff --git a/terraform/variables.tf b/terraform/variables.tf index b25d6ca..7ac31a3 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -1,15 +1,4 @@ # Hetzner secrets variable "hcloud_token" { sensitive = true -} - -# Terraform state -variable "state_bucket_name" { - sensitive = true -} -variable "state_bucket_access_key" { - sensitive = true -} -variable "state_bucket_secret_key" { - sensitive = true } \ No newline at end of file From 1ff2456ee39807b8fe501a2e8111bc41d55a77a7 Mon Sep 17 00:00:00 2001 From: Jona Koudijs Date: Mon, 22 Sep 2025 09:28:34 +0200 Subject: [PATCH 11/11] Test --- terraform/backend.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/terraform/backend.tf b/terraform/backend.tf index 498d3d0..f49c4bf 100644 --- a/terraform/backend.tf +++ b/terraform/backend.tf 
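Review bot: With `TF_VAR_hcloud_token` now in the plan job's env alongside the state-bucket keys, `terraform plan` on every `pull_request` executes provider and module code taken from the branch under review with the live Hetzner token; anyone able to open a PR from a branch of this repository can therefore run code with those credentials before any review happens. Running the plan job in a protected `environment:` with required reviewers, or with a separate read-only Hetzner token if the plan only needs reads, would limit what an unreviewed branch can do. For pull requests from forks GitHub does not expose repository secrets, so those runs should fail at init rather than leak — worth confirming against the repository's fork settings.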
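Review bot: Removing the `state_bucket_*` variables (the bucket is now a literal in backend.tf and the keys arrive via `AWS_*` env vars) leaves the README deployment section from the first commit of this series stale: it still tells users to export `TF_VAR_STATE_BUCKET_NAME`, `_ACCESS_KEY` and `_SECRET_KEY`, which no longer correspond to any variable. The README should instead say to set `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` for the state backend and `TF_VAR_hcloud_token` (lower case, as the variable name is case-sensitive) for the provider.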
@@ -1,9 +1,9 @@ terraform { backend "s3" { - bucket = "platform-state" - key = "platform/terraform.tfstate" - region = "us-east-1" # required but not used by Hetzner - endpoints = { s3 = "https://fsn1.your-objectstorage.com" } # Falkenstein region + bucket = "platform-state" + key = "platform/terraform.tfstate" + region = "us-east-1" # required but not used by Hetzner + endpoints = { s3 = "https://fsn1.your-objectstorage.com" } # Falkenstein region use_path_style = true skip_credentials_validation = true skip_region_validation = true