From c7392b3c6b99bffb06965c81c7bf273371ce813e Mon Sep 17 00:00:00 2001 From: Vincent Ambo Date: Fri, 21 Apr 2023 19:25:57 +0300 Subject: chore(corp/ops): move terraform config into subfolder Change-Id: Iad5ad8d9a48c300faf2e4be7003879656817b518 Reviewed-on: https://cl.tvl.fyi/c/depot/+/8495 Tested-by: BuildkiteCI Reviewed-by: tazjin
--- corp/ops/.gitignore | 2 + corp/ops/creds.fish | 5 -- corp/ops/encrypted-state-secret.key | Bin 121 -> 0 bytes corp/ops/main.tf | 77 ----------------------------- corp/ops/yandex/creds.fish | 5 ++ corp/ops/yandex/encrypted-state-secret.key | Bin 0 -> 121 bytes corp/ops/yandex/main.tf | 77 +++++++++++++++++++++++++++++ 7 files changed, 84 insertions(+), 82 deletions(-) delete mode 100644 corp/ops/creds.fish delete mode 100644 corp/ops/encrypted-state-secret.key delete mode 100644 corp/ops/main.tf create mode 100644 corp/ops/yandex/creds.fish create mode 100644 corp/ops/yandex/encrypted-state-secret.key create mode 100644 corp/ops/yandex/main.tf (limited to 'corp')
diff --git a/corp/ops/.gitignore b/corp/ops/.gitignore
index c035e72918..5def054d76 100644
--- a/corp/ops/.gitignore
+++ b/corp/ops/.gitignore
@@ -1,2 +1,4 @@
 .terraform
 .terraform.lock.hcl
+terraform.tfstate
+terraform.tfstate.backup
diff --git a/corp/ops/creds.fish b/corp/ops/creds.fish
deleted file mode 100644
index 2985b28808..0000000000
--- a/corp/ops/creds.fish
+++ /dev/null
@@ -1,5 +0,0 @@
-export YC_TOKEN=(yc iam create-token)
-export YC_CLOUD_ID=(yc config get cloud-id)
-export YC_FOLDER_ID=(yc config get folder-id)
-export AWS_ACCESS_KEY_ID="YCAJE6eRLY8Az-9kveNRtz4sh"
-export AWS_SECRET_ACCESS_KEY=(yc kms symmetric-crypto decrypt --name tvl-credentials --cloud-id b1ggu5m1btue982app12 --folder-name default --ciphertext-file encrypted-state-secret.key --plaintext-file /dev/stdout | head -n1)
diff --git a/corp/ops/encrypted-state-secret.key b/corp/ops/encrypted-state-secret.key
deleted file mode 100644
index 0d07158f2f..0000000000
Binary files a/corp/ops/encrypted-state-secret.key and /dev/null differ
diff --git a/corp/ops/main.tf b/corp/ops/main.tf
deleted file mode 100644
index 1b87e95115..0000000000
--- a/corp/ops/main.tf
+++ /dev/null
@@ -1,77 +0,0 @@
-# Terraform configuration for TVL corp infrastructure (on Yandex
-# Cloud).
-
-terraform {
- required_providers {
- yandex = {
- source = "yandex-cloud/yandex"
- }
- }
-
- # Credentials need to be sourced from creds.fish
- backend "s3" {
- endpoint = "storage.yandexcloud.net"
- bucket = "su-tvl-terraform-state"
- region = "ru-central1"
- key = "corp/ops/terraform.tfstate"
-
- skip_region_validation = true
- skip_credentials_validation = true
- }
-}
-
-provider "yandex" {
- zone = "ru-central1-b"
-}
-
-locals {
- tvl_cloud_id = "b1ggu5m1btue982app12"
- tvl_folder_id = "b1gmbeqt9o5kbl7rclln"
- rih_cloud_id = "b1glccvcqggi2ruibgvt"
- rih_folder_id = "b1gsavcrsjn059d1sbh9"
-}
-
-# Storage state bucket configuration
-
-resource "yandex_iam_service_account" "tf_state_sa" {
- folder_id = local.tvl_folder_id
- name = "terraform-state"
-}
-
-resource "yandex_resourcemanager_folder_iam_member" "tf_state_sa_storage" {
- folder_id = local.tvl_folder_id
- role = "storage.editor"
- member = "serviceAccount:${yandex_iam_service_account.tf_state_sa.id}"
-}
-
-resource "yandex_iam_service_account_static_access_key" "tf_state_sa_key" {
- service_account_id = yandex_iam_service_account.tf_state_sa.id
- description = "Static access key for Terraform state"
-}
-
-resource "yandex_storage_bucket" "tf_state" {
- access_key = yandex_iam_service_account_static_access_key.tf_state_sa_key.access_key
- secret_key = yandex_iam_service_account_static_access_key.tf_state_sa_key.secret_key
- bucket = "su-tvl-terraform-state"
-}
-
-resource "yandex_dns_zone" "russiaishiring_com" {
- name = "russiaishiring-com"
- zone = "russiaishiring.com."
- public = true
- folder_id = local.rih_folder_id
-}
-
-# Secret management configuration
-
-resource "yandex_kms_symmetric_key" "tvl_credentials_key" {
- name = "tvl-credentials"
- folder_id = local.tvl_folder_id
- default_algorithm = "AES_256"
- rotation_period = "2160h" # 90 days
-}
-
-resource "yandex_kms_secret_ciphertext" "tf_state_key" {
- key_id = yandex_kms_symmetric_key.tvl_credentials_key.id
- plaintext = yandex_iam_service_account_static_access_key.tf_state_sa_key.secret_key
-}
diff --git a/corp/ops/yandex/creds.fish b/corp/ops/yandex/creds.fish
new file mode 100644
index 0000000000..2985b28808
--- /dev/null
+++ b/corp/ops/yandex/creds.fish
@@ -0,0 +1,5 @@
+export YC_TOKEN=(yc iam create-token)
+export YC_CLOUD_ID=(yc config get cloud-id)
+export YC_FOLDER_ID=(yc config get folder-id)
+export AWS_ACCESS_KEY_ID="YCAJE6eRLY8Az-9kveNRtz4sh"
+export AWS_SECRET_ACCESS_KEY=(yc kms symmetric-crypto decrypt --name tvl-credentials --cloud-id b1ggu5m1btue982app12 --folder-name default --ciphertext-file encrypted-state-secret.key --plaintext-file /dev/stdout | head -n1)
diff --git a/corp/ops/yandex/encrypted-state-secret.key b/corp/ops/yandex/encrypted-state-secret.key
new file mode 100644
index 0000000000..0d07158f2f
Binary files /dev/null and b/corp/ops/yandex/encrypted-state-secret.key differ
diff --git a/corp/ops/yandex/main.tf b/corp/ops/yandex/main.tf
new file mode 100644
index 0000000000..1b87e95115
--- /dev/null
+++ b/corp/ops/yandex/main.tf
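Review bot: The `--ciphertext-file encrypted-state-secret.key` argument on the last added line of creds.fish is a relative path, so the file only works when it is sourced with `corp/ops/yandex` as the working directory; a caller still sourcing it from `corp/ops` after this move presumably ends up exporting an empty `AWS_SECRET_ACCESS_KEY`, and the trailing `| head -n1` hides the failed `yc` call because the pipeline's status is head's. A header comment such as `# Source from within corp/ops/yandex: the ciphertext path below is relative to it` (or resolving the path against the script's own location) would make that explicit. The `--cloud-id b1ggu5m1btue982app12` literal duplicates `local.tvl_cloud_id` in yandex/main.tf; a comment pointing at that local keeps the two from drifting. The `AWS_ACCESS_KEY_ID` literal is the public half of `tf_state_sa_key`, whose secret half is wrapped by the `tvl-credentials` KMS key, so rotating that key pair means replacing both this literal and `encrypted-state-secret.key` together.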
@@ -0,0 +1,77 @@
+# Terraform configuration for TVL corp infrastructure (on Yandex
+# Cloud).
+
+terraform {
+ required_providers {
+ yandex = {
+ source = "yandex-cloud/yandex"
+ }
+ }
+
+ # Credentials need to be sourced from creds.fish
+ backend "s3" {
+ endpoint = "storage.yandexcloud.net"
+ bucket = "su-tvl-terraform-state"
+ region = "ru-central1"
+ key = "corp/ops/terraform.tfstate"
+
+ skip_region_validation = true
+ skip_credentials_validation = true
+ }
+}
+
+provider "yandex" {
+ zone = "ru-central1-b"
+}
+
+locals {
+ tvl_cloud_id = "b1ggu5m1btue982app12"
+ tvl_folder_id = "b1gmbeqt9o5kbl7rclln"
+ rih_cloud_id = "b1glccvcqggi2ruibgvt"
+ rih_folder_id = "b1gsavcrsjn059d1sbh9"
+}
+
+# Storage state bucket configuration
+
+resource "yandex_iam_service_account" "tf_state_sa" {
+ folder_id = local.tvl_folder_id
+ name = "terraform-state"
+}
+
+resource "yandex_resourcemanager_folder_iam_member" "tf_state_sa_storage" {
+ folder_id = local.tvl_folder_id
+ role = "storage.editor"
+ member = "serviceAccount:${yandex_iam_service_account.tf_state_sa.id}"
+}
+
+resource "yandex_iam_service_account_static_access_key" "tf_state_sa_key" {
+ service_account_id = yandex_iam_service_account.tf_state_sa.id
+ description = "Static access key for Terraform state"
+}
+
+resource "yandex_storage_bucket" "tf_state" {
+ access_key = yandex_iam_service_account_static_access_key.tf_state_sa_key.access_key
+ secret_key = yandex_iam_service_account_static_access_key.tf_state_sa_key.secret_key
+ bucket = "su-tvl-terraform-state"
+}
+
+resource "yandex_dns_zone" "russiaishiring_com" {
+ name = "russiaishiring-com"
+ zone = "russiaishiring.com."
+ public = true
+ folder_id = local.rih_folder_id
+}
+
+# Secret management configuration
+
+resource "yandex_kms_symmetric_key" "tvl_credentials_key" {
+ name = "tvl-credentials"
+ folder_id = local.tvl_folder_id
+ default_algorithm = "AES_256"
+ rotation_period = "2160h" # 90 days
+}
+
+resource "yandex_kms_secret_ciphertext" "tf_state_key" {
+ key_id = yandex_kms_symmetric_key.tvl_credentials_key.id
+ plaintext = yandex_iam_service_account_static_access_key.tf_state_sa_key.secret_key
+}
-- cgit 1.4.1
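Review bot: The backend `key = "corp/ops/terraform.tfstate"` in the added `terraform` block still names the pre-move directory although the configuration now lives in `corp/ops/yandex/`; this is presumably deliberate, since changing the key would mean migrating the state object in `su-tvl-terraform-state`, but nothing in the file says so and the next reader is likely to "fix" it. A comment on that line such as `# State object key predates the move to corp/ops/yandex; changing it requires migrating the state object.` would settle that. Separately, `yandex_kms_secret_ciphertext.tf_state_key` takes the static key's `secret_key` as `plaintext`, and as a resource attribute that same secret also lands unencrypted in the Terraform state, i.e. in the bucket the key grants `storage.editor` on; a short comment under "Secret management configuration" noting that the bucket's access controls, not the KMS wrapping, are the boundary protecting the state credential would document the trust assumption. The new `.gitignore` entries for `terraform.tfstate` and its backup are the right companion for the same reason.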