This repository holds the main Terraform scope for running the condi.me GitHub org itself.
PRs opened from branches in this repository trigger a terraform plan run in a GitHub Action. When merged to the production branch, the changes can be applied from a manually approved step (also a GitHub workflow action).
Terraform 1.0 (or compatible) is needed. You can download a specific version from the terraform releases page.
To run terraform locally, you will need a consul token (for the terraform state backend) and access to clone and decrypt condime/secrets (for the provider tokens).
For personal access tokens, secrets can be stored and sourced using pass.
$ pass edit condi.me/terraform-plans
$ source <(pass condi.me/terraform-plans)
For group shared access tokens, secrets can be stored using blackbox.
$ cd ~/src/condime/terraform-plans
$ source <(blackbox_cat condi.me/terraform-plans)
If you don't have passwordstore or blackbox installed, in a pinch you can use git and gpg directly to access the secrets.
With the credentials now in the environment, you can init and plan the terraform runs.
$ cd ./eu-west-2 # or any region under management
$ terraform init
$ terraform plan -out=output.tfplan
State is stored using the consul backend hosted at consul.condi.me. Access is granted with the following Consul ACL policy; the key_prefix rule covers the state itself, and the session_prefix rule is needed because the consul backend takes a Consul session to lock the state during plan and apply.
# terraform state lives under this key prefix
key_prefix "condime/terraform_state" {
  policy = "write"
}
# session create/destroy for state locking
session_prefix "" {
  policy = "write"
}
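As an added example (not part of this repository), the script below ties the two halves of the setup together: it renders the ACL policy above into a rules file, creates the policy and a token bound to it with the consul CLI, and pre-flights a local init/plan so terraform is never started without the backend token and the provider token in the environment. It assumes the consul and terraform CLIs are on PATH, that a management CONSUL_HTTP_TOKEN and CONSUL_HTTP_ADDR are exported for the bootstrap step, that the secrets file sourced from pass or blackbox exports GITHUB_TOKEN, and that regions are directories under the repository root as in the README; the policy name is an assumption.

```shell
#!/bin/sh
# Added example, not the condi.me project's own code.
# Assumptions: consul/terraform on PATH, CONSUL_HTTP_ADDR set, a management
# CONSUL_HTTP_TOKEN exported for bootstrap, GITHUB_TOKEN exported by the secrets
# file, and one directory per region in the repository root.
set -u

POLICY_NAME="${POLICY_NAME:-condime-terraform-state}"   # assumed policy name
STATE_PREFIX="condime/terraform_state"                  # prefix from the README's policy

# Render the README's ACL rules into a file that `consul acl policy create` can load.
write_policy_rules() {
  out="$1"
  cat > "$out" <<EOF
# terraform state lives under this key prefix
key_prefix "${STATE_PREFIX}" {
  policy = "write"
}
# the consul backend creates a session to lock the state
session_prefix "" {
  policy = "write"
}
EOF
}

# Create the policy and a token carrying only that policy (needs a management token).
create_state_token() {
  rules="$(mktemp)"
  write_policy_rules "$rules"
  consul acl policy create -name "$POLICY_NAME" -rules "@${rules}" >/dev/null || return 1
  consul acl token create -description "terraform state (${POLICY_NAME})" \
    -policy-name "$POLICY_NAME" -format=json
  rm -f "$rules"
}

# Pre-flight: refuse to run terraform when the backend token or the provider
# token sourced from pass/blackbox is missing, and say which one.
check_terraform_env() {
  missing=""
  for v in CONSUL_HTTP_TOKEN GITHUB_TOKEN; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || missing="$missing $v"
  done
  if [ -n "$missing" ]; then
    echo "missing:$missing" >&2
    return 1
  fi
  return 0
}

# Init and plan one region directory, saving the plan to output.tfplan as the README does.
plan_region() {
  region="$1"
  check_terraform_env || return 1
  ( cd "./$region" && terraform init -input=false && terraform plan -input=false -out=output.tfplan )
}

case "${1:-}" in
  bootstrap) create_state_token ;;
  plan)      plan_region "${2:-eu-west-2}" ;;
esac
```

Run `./tfplan.sh bootstrap` once with a management token to mint the scoped token, then export that token as CONSUL_HTTP_TOKEN (the consul backend reads it from the environment), source the secrets, and run `./tfplan.sh plan eu-west-2`. The pre-flight check is deliberately separate from the terraform calls so it can be reused in the GitHub Action before `terraform init`.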