diff options
author | Vincent Ambo <mail@tazj.in> | 2023-04-21T16·25+0300 |
---|---|---|
committer | tazjin <tazjin@tvl.su> | 2023-04-24T10·56+0000 |
commit | c7392b3c6b99bffb06965c81c7bf273371ce813e (patch) | |
tree | 98374bc74f4cebe09fcd4ad0901d015ea0ab596a /corp/ops/yandex/main.tf | |
parent | 111e1d38e5ac177bcf4defe70aee1e853206bc6d (diff) |
chore(corp/ops): move terraform config into subfolder r/6110
Change-Id: Iad5ad8d9a48c300faf2e4be7003879656817b518 Reviewed-on: https://cl.tvl.fyi/c/depot/+/8495 Tested-by: BuildkiteCI Reviewed-by: tazjin <tazjin@tvl.su>
Diffstat (limited to 'corp/ops/yandex/main.tf')
-rw-r--r-- | corp/ops/yandex/main.tf | 77 |
1 files changed, 77 insertions, 0 deletions
diff --git a/corp/ops/yandex/main.tf b/corp/ops/yandex/main.tf new file mode 100644 index 000000000000..1b87e95115ca --- /dev/null +++ b/corp/ops/yandex/main.tf @@ -0,0 +1,77 @@ +# Terraform configuration for TVL corp infrastructure (on Yandex +# Cloud). + +terraform { + required_providers { + yandex = { + source = "yandex-cloud/yandex" + } + } + + # Credentials need to be sourced from creds.fish + backend "s3" { + endpoint = "storage.yandexcloud.net" + bucket = "su-tvl-terraform-state" + region = "ru-central1" + key = "corp/ops/terraform.tfstate" + + skip_region_validation = true + skip_credentials_validation = true + } +} + +provider "yandex" { + zone = "ru-central1-b" +} + +locals { + tvl_cloud_id = "b1ggu5m1btue982app12" + tvl_folder_id = "b1gmbeqt9o5kbl7rclln" + rih_cloud_id = "b1glccvcqggi2ruibgvt" + rih_folder_id = "b1gsavcrsjn059d1sbh9" +} + +# Storage state bucket configuration + +resource "yandex_iam_service_account" "tf_state_sa" { + folder_id = local.tvl_folder_id + name = "terraform-state" +} + +resource "yandex_resourcemanager_folder_iam_member" "tf_state_sa_storage" { + folder_id = local.tvl_folder_id + role = "storage.editor" + member = "serviceAccount:${yandex_iam_service_account.tf_state_sa.id}" +} + +resource "yandex_iam_service_account_static_access_key" "tf_state_sa_key" { + service_account_id = yandex_iam_service_account.tf_state_sa.id + description = "Static access key for Terraform state" +} + +resource "yandex_storage_bucket" "tf_state" { + access_key = yandex_iam_service_account_static_access_key.tf_state_sa_key.access_key + secret_key = yandex_iam_service_account_static_access_key.tf_state_sa_key.secret_key + bucket = "su-tvl-terraform-state" +} + +resource "yandex_dns_zone" "russiaishiring_com" { + name = "russiaishiring-com" + zone = "russiaishiring.com." + public = true + folder_id = local.rih_folder_id +} + +# Secret management configuration + +resource "yandex_kms_symmetric_key" "tvl_credentials_key" { + name = "tvl-credentials" + folder_id = local.tvl_folder_id + default_algorithm = "AES_256" + rotation_period = "2160h" # 90 days +} + +resource "yandex_kms_secret_ciphertext" "tf_state_key" { + key_id = yandex_kms_symmetric_key.tvl_credentials_key.id + plaintext = yandex_iam_service_account_static_access_key.tf_state_sa_key.secret_key +} |