Operations grimoire/Deploy with Terraform: Difference between revisions
No edit summary |
|||
| (One intermediate revision by the same user not shown) | |||
| Line 8: | Line 8: | ||
== Specific deployment notes == | == Specific deployment notes == | ||
=== Vault / OpenBao === | === Vault / OpenBao === | ||
==== General notes ==== | |||
;OpenTofu support | ;OpenTofu support | ||
As of 2026-02-07, the Vault provider isn't compiled for FreeBSD. You need to use Terraform instead. | As of 2026-02-07, the Vault provider isn't compiled for FreeBSD. You need to use Terraform instead. | ||
| Line 20: | Line 21: | ||
$ sudo /opt/salt/nasqueron-operations/utils/vault/issue-admin-token.py > ~/.vault-token | $ sudo /opt/salt/nasqueron-operations/utils/vault/issue-admin-token.py > ~/.vault-token | ||
$ cd /opt/salt | $ cd /opt/salt/nasqueron-operations/terraform/openbao | ||
$ terraform init # if you've a new entry requiring a module, it needs to be installed | |||
$ terraform plan | $ terraform plan | ||
$ terraform apply | $ terraform apply | ||
| Line 26: | Line 28: | ||
It could be interesting to maintain an alternative policy to admin for the Terraform provider, restricted to the current actions. Note benefits would be limited as those include policies management. | It could be interesting to maintain an alternative policy to admin for the Terraform provider, restricted to the current actions. Note benefits would be limited as those include policies management. | ||
==== Propagate secrets (DRP) ==== | |||
;No automatic secret rotation | |||
Secrets rotation is disabled with a lifecycle management <code>ignore_changes = [ secret_id, ]</code>. | |||
To rotate a secret, it needs first to be destroyed from terraform state: | |||
<code>terraform destroy -target=module.viperserv_approle.vault_approle_auth_backend_role_secret_id.this</code> | |||
;Full procedure | |||
Once the AppRole have been created in Vault, they need to be provisioned to the relevant configuration files. | |||
<syntaxhighlight lang="shell"> | |||
$ cd /opt/salt/nasqueron-operations/terraform/openbao | |||
$ terraform init # if you've a new entry requiring a module, it needs to be installed | |||
$ terraform plan | |||
$ terraform apply | |||
$ cd /opt/salt/nasqueron-operations | |||
$ salt windriver state.sls_id /usr/local/etc/secrets/rhyne-wyse.yaml roles/reports/rhyne-wyse/config | |||
$ salt windriver state.sls_id /srv/viperserv/.credentials roles/viperserv/eggdrop/config | |||
</syntaxhighlight> | |||
== Table of Terraform states == | == Table of Terraform states == | ||
Latest revision as of 11:34, 8 February 2026
Where to work?
We deploy from Complector using /opt/salt/nasqueron-operations as our local copy of rOPS, authoritative for both Salt and Terraform
You need to belong to the ops group to be able to have access and have write-rights on the repository
It's important to work from there to save a shared Terraform state.
Specific deployment notes
Vault / OpenBao
General notes
- OpenTofu support
As of 2026-02-07, the Vault provider isn't compiled for FreeBSD. You need to use Terraform instead.
- Vault
You need a Vault token to allow the provider to connect.
You also need to set VAULT_ADDR to https://172.27.27.7:8200 as Vault doesn't listen on 127.0.0.1
$ export VAULT_ADDR=https://172.27.27.7:8200
$ sudo /opt/salt/nasqueron-operations/utils/vault/issue-admin-token.py > ~/.vault-token
$ cd /opt/salt/nasqueron-operations/terraform/openbao
$ terraform init # if you've a new entry requiring a module, it needs to be installed
$ terraform plan
$ terraform apply
It could be interesting to maintain an alternative policy to admin for the Terraform provider, restricted to the current actions. Note benefits would be limited as those include policies management.
Propagate secrets (DRP)
- No automatic secret rotation
Secrets rotation is disabled with a lifecycle management ignore_changes = [ secret_id, ].
To rotate a secret, it needs first to be destroyed from terraform state:
terraform destroy -target=module.viperserv_approle.vault_approle_auth_backend_role_secret_id.this
- Full procedure
Once the AppRole have been created in Vault, they need to be provisioned to the relevant configuration files.
$ cd /opt/salt/nasqueron-operations/terraform/openbao
$ terraform init # if you've a new entry requiring a module, it needs to be installed
$ terraform plan
$ terraform apply
$ cd /opt/salt/nasqueron-operations
$ salt windriver state.sls_id /usr/local/etc/secrets/rhyne-wyse.yaml roles/reports/rhyne-wyse/config
$ salt windriver state.sls_id /srv/viperserv/.credentials roles/viperserv/eggdrop/config
Table of Terraform states
| Configuration | State back-end | Path | Software to use |
|---|---|---|---|
| openbao | On disk | /opt/salt/nasqueron-operations/terraform/openbao/terraform.tfstate | Terraform |
On disk paths are stored in Complector.
Troubleshoot
Error: Module not installed
You need to run tofu init to prepare for any new provider.
$ tofu plan
│ Error: Module not installed
│
│ on rhyne_wyse.tf line 23:
│ 23: module "rhyne_wyse_approle" {
│
│ This module is not yet installed. Run "tofu init" to install all modules required by this configuration.
Error: Incompatible provider version
$ tofu init
Initializing the backend...
Initializing modules...
- rhyne_wyse_approle in modules/app_credentials
Initializing provider plugins...
- Finding hashicorp/vault versions matching "5.3.0"...
╷
│ Error: Incompatible provider version
│
│ Provider registry.opentofu.org/hashicorp/vault v5.3.0 does not have a package available for your current platform, freebsd_amd64.
│
│ Provider releases are separate from OpenTofu CLI releases, so not all providers are available for all platforms. Other versions of this provider may have different platforms supported.
On OpenTofu, some modules are only compiled for Linux, not for FreeBSD. Switch to Terraform pending a solution to help the OpenTofu builds.
