From a3f051d882e17543beabcbdafbdd61479fe8dac8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thorben=20G=C3=BCnther?=
Date: Mon, 5 Jul 2021 00:55:54 +0200
Subject: [PATCH] terraform: Use hc vault instead of ansible

---
 misc/read-vault.py | 26 --------------------------
 terraform_hetzner/hetzner.tf | 7 +++----
 terraform_keycloak/keycloak.tf | 9 ++++-----
 terraform_vault/secrets.tf | 6 ++++--
 4 files changed, 11 insertions(+), 37 deletions(-)
 delete mode 100755 misc/read-vault.py

diff --git a/misc/read-vault.py b/misc/read-vault.py
deleted file mode 100755
index 17cffaf..0000000
--- a/misc/read-vault.py
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/usr/bin/python
-
-import sys
-from json import dumps
-from os import chdir
-from pathlib import Path
-
-from ansible.cli import CLI
-from ansible.constants import DEFAULT_VAULT_IDENTITY_LIST
-from ansible.parsing.dataloader import DataLoader
-
-vault_path = sys.argv[1]
-
-project_root = Path(__file__).resolve().parents[1]
-chdir(project_root)
-
-loader = DataLoader()
-vault_secret = CLI.setup_vault_secrets(
- loader=loader,
- vault_ids=DEFAULT_VAULT_IDENTITY_LIST,
- vault_password_files=["misc/vault-pass.sh"],
-)
-loader.set_vault_secrets(vault_secret)
-data = loader.load_from_file(vault_path)
-
-print(dumps(data))
diff --git a/terraform_hetzner/hetzner.tf b/terraform_hetzner/hetzner.tf
index 5c89c2a..e9c9b6a 100644
--- a/terraform_hetzner/hetzner.tf
+++ b/terraform_hetzner/hetzner.tf
@@ -4,13 +4,12 @@ terraform {
 }
 }
 
-data "external" "vault_hetzner" {
- program = ["${path.module}/../misc/read-vault.py",
- "group_vars/all/vault_hetzner.yml"]
+data "vault_generic_secret" "hetzner" {
+ path = "ansible/hetzner"
 }
 
 provider "hetznerdns" {
- apitoken = data.external.vault_hetzner.result.vault_hetzner_dns_key
+ apitoken = data.vault_generic_secret.hetzner.data["dns_key"]
 }
 
 resource "hetznerdns_zone" "xenrox_net" {
diff --git a/terraform_keycloak/keycloak.tf b/terraform_keycloak/keycloak.tf
index f18670e..09ec4a7 100644
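Review bot: `apitoken = data.vault_generic_secret.hetzner.data["dns_key"]` makes `terraform plan` fail with an invalid-index error whenever the `dns_key` key is absent from the `ansible/hetzner` secret, and nothing in this root records that the secret is created by the separate terraform_vault root (secrets.tf adds "hetzner" to `ansible_secrets` in this same commit), so the apply order between the two roots is now implicit; the keycloak.tf hunks carry the same dependency on `ansible/email`. A comment on the new data block would make it visible: `# Secret is written by terraform_vault/secrets.tf (ansible_secrets); apply that root first.` The `terraform {` block whose closing braces open the hunk starts outside it, so it cannot be seen here whether `required_providers` declares the vault provider alongside hetznerdns. As with the external data source it replaces, the value read here is persisted in Terraform state, so the state backend needs the same access controls as the Vault path.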
--- a/terraform_keycloak/keycloak.tf
+++ b/terraform_keycloak/keycloak.tf
@@ -8,9 +8,8 @@ data "vault_generic_secret" "keycloak" {
 path = "ansible/keycloak"
 }
 
-data "external" "vault_email" {
- program = ["${path.module}/../misc/read-vault.py",
- "group_vars/all/vault_email.yml"]
+data "vault_generic_secret" "email" {
+ path = "ansible/email"
 }
 
 provider "keycloak" {
@@ -41,8 +40,8 @@ resource "keycloak_realm" "xenrox" { ssl = true auth { - username = data.external.vault_email.result.vault_email_noreply_mail - password = data.external.vault_email.result.vault_email_noreply_password + username = data.vault_generic_secret.email.data["noreply_user"] + password = data.vault_generic_secret.email.data["noreply_password"] } }
diff --git a/terraform_vault/secrets.tf b/terraform_vault/secrets.tf
index f9a6ef8..9e41067 100644
--- a/terraform_vault/secrets.tf
+++ b/terraform_vault/secrets.tf
@@ -1,6 +1,8 @@
 locals {
- users = toset(["xenrox", "seeguen", "test"])
- ansible_secrets = toset(["keycloak", "nextcloud", "peertube", "vault"])
+ users = toset(["xenrox", "seeguen", "test"])
+ ansible_secrets = toset([
+ "email", "hetzner", "keycloak", "nextcloud", "peertube", "vault"
+ ])
 }
 
 resource "vault_generic_secret" "ansible_secrets" {
-- 
2.44.0
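Review bot: The second keycloak.tf hunk renames the user key from `vault_email_noreply_mail` to `noreply_user` while the password key keeps its `noreply_password` stem, so the values migrated into `ansible/email` must have been stored under the new name or `username = data.vault_generic_secret.email.data["noreply_user"]` fails at plan time with an invalid index; worth confirming against what was actually written to Vault. A comment on the `auth` block naming the contract, `# expects keys noreply_user and noreply_password at ansible/email`, would keep the two sides from drifting again. The enclosing `resource "keycloak_realm" "xenrox"` block starts above the hunk and appears to close outside it. The SMTP password is now a data-source attribute instead of an external program result; in both forms it is recorded in state, which this commit does not change.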
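Review bot: `ansible_secrets` now seeds `ansible/email` and `ansible/hetzner`, which terraform_hetzner and terraform_keycloak read through `data "vault_generic_secret"` in this same commit, but `resource "vault_generic_secret" "ansible_secrets"` starts on the hunk's last line and its body is outside it, so the key names those roots index (`dns_key`, `noreply_user`, `noreply_password`) cannot be checked here. If the resource only creates the paths and the values are filled in out of band, a comment above the local would document the coupling: `# Consumed by data "vault_generic_secret" in terraform_hetzner and terraform_keycloak; keys must be populated before those roots are applied.` The re-alignment of the `users` line is whitespace-only.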