Merge pull request #459 from NixOS/terraform-iam-cleanups

Terraform cleanups

flake.nix

@@ -15,7 +15,10 @@
         "x86_64-darwin"
         "aarch64-darwin"
       ];
-      imports = [ ./formatter/default.nix ];
+      imports = [
+        ./formatter/flake-module.nix
+        ./terraform/flake-module.nix
+      ];
     };
 
 }

terraform-iam/.envrc

@@ -1,4 +1,4 @@
-use flake
+use flake .#terraform
 
 export AWS_CONFIG_FILE=$PWD/aws-config
 export AWS_PROFILE=nixos-prod

terraform-iam/README.md

@@ -1,9 +1,11 @@
-# For the bits that are not nixops-able
+# User & permission management
 
 This module is for superadmins in the team.
 
 This terraform root module manages:
 * IAM roles
+* fastly log module
+* infrastructure for archeologist team
 
 ## Setup
 
@@ -15,26 +17,21 @@ Run `aws sso login` to acquire a temporary token.
 
 ## Usage
 
-The first time the following command has to be run to initialize the state
-file and plugins:
-
-```sh
-terraform init
-```
+We use opentofu, which is a fork of https://www.terraform.io/ maintained by the Linux foundation.
 
 Then run the following command to diff the changes and then apply if approved:
 
 ```sh
-terraform apply
+./tf.sh apply
 ```
 
 ## Terraform workflow
 
-Write the Terraform code and test the changes using `terraform validate`.
+Write the Tofu code and test the changes using `./tf.sh validate`.
 
-Before committing run `terraform fmt`. 
+Before committing run `nix fmt`.
 
 Once the code is ready to be deployed, create a new PR with the attached
-output of `terraform plan`.
+output of `./tf.sh plan`.
 
-Once the PR is merged, run `terraform apply` to apply the changes.
+Once the PR is merged, run `./tf.sh apply` to apply the changes.

terraform-iam/tf.sh

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+cd "$(dirname "$0")"
+rm -f .terraform.lock.hcl
+tofu init
+tofu "$@"

terraform/.envrc

@@ -1,4 +1,4 @@
-use flake
+use flake .#terraform
 
 export AWS_CONFIG_FILE=$PWD/aws-config
 export AWS_PROFILE=nixos-prod

terraform/README.md

@@ -21,26 +21,21 @@ Run `aws sso login` to acquire a temporary token.
 
 ## Usage
 
-The first time the following command has to be run to initialize the state
-file and plugins:
-
-```sh
-terraform init
-```
+We use opentofu, which is a fork of https://www.terraform.io/ maintained by the Linux foundation.
 
 Then run the following command to diff the changes and then apply if approved:
 
 ```sh
-terraform apply
+./tf.sh apply
 ```
 
 ## Terraform workflow
 
-Write the Terraform code and test the changes using `terraform validate`.
+Write the Tofu code and test the changes using `./tf.sh validate`.
 
-Before committing run `terraform fmt`. 
+Before committing run `nix fmt`.
 
 Once the code is ready to be deployed, create a new PR with the attached
-output of `terraform plan`.
+output of `./tf.sh plan`.
 
-Once the PR is merged, run `terraform apply` to apply the changes.
+Once the PR is merged, run `./tf.sh apply` to apply the changes.

terraform/flake-module.nix

@@ -0,0 +1,36 @@
+let
+  convert2Tofu =
+    provider:
+    provider.override (prev: {
+      homepage = builtins.replaceStrings [ "registry.terraform.io/providers" ] [
+        "registry.opentofu.org"
+      ] prev.homepage;
+    });
+in
+{
+  perSystem =
+    { pkgs, ... }:
+    {
+      devShells.terraform = pkgs.mkShellNoCC {
+        packages = [
+          pkgs.awscli2
+          (pkgs.opentofu.withPlugins (
+            p:
+            builtins.map convert2Tofu [
+              p.aws
+              p.fastly
+              p.netlify
+              p.secret
+            ]
+            ++ [
+              # FIXME: for our `terraform` target our state file still uses the old registry prefix
+              p.aws
+              p.fastly
+              p.netlify
+              p.secret
+            ]
+          ))
+        ];
+      };
+    };
+}

terraform/tf.sh

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+cd "$(dirname "$0")"
+rm -f .terraform.lock.hcl
+tofu init
+tofu "$@"