Initial commit

Author: xnoto

.checkov.yml

@@ -0,0 +1,13 @@
+block-list-secret-scan: []
+compact: true
+directory:
+  - .
+download-external-modules: false
+evaluate-variables: true
+framework:
+  - all
+output:
+  - cli
+quiet: true
+soft-fail: true
+summary-position: top

.gitignore

@@ -0,0 +1,13 @@
+# vim swap files
+**/*.sw[po]
+
+# don't commit terraform state or lock. the repo code is the only state we care about.
+# the provider state cache is auto-upgraded by default to ensure compatibility with upstream cloud provider APIs
+**/.terraform.lock.hcl
+**/.terraform
+
+# IDE Folders
+**/.vscode
+
+# Mac Finder cache
+**/.DS_Store

.pre-commit-config.yaml

@@ -0,0 +1,36 @@
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v4.5.0
+  hooks:
+    - id: check-case-conflict
+    - id: check-merge-conflict
+    - id: check-symlinks
+    - id: check-vcs-permalinks
+    - id: destroyed-symlinks
+    - id: detect-private-key
+    - id: mixed-line-ending
+    - id: trailing-whitespace
+- repo: https://github.com/antonbabenko/pre-commit-terraform
+  rev: v1.89.1
+  hooks:
+    - id: terraform_validate
+      args:
+        - --hook-config=--retry-once-with-cleanup=true
+        - --args=-no-color
+        - --tf-init-args=-reconfigure
+        - --tf-init-args=-upgrade
+    - id: terraform_tflint
+      args:
+        - --args=--minimum-failure-severity=error
+        - --args=--config=__GIT_WORKING_DIR__/.tflint.hcl
+    - id: terraform_checkov
+      args:
+        - --args=--config-file __GIT_WORKING_DIR__/.checkov.yml
+    - id: terraform_fmt
+      args:
+        - --args=-no-color
+        - --args=-diff
+        - --args=-recursive
+    - id: terraform_docs
+      args:
+        - --args=--config=.terraform-docs.yml

.sops.yaml

@@ -0,0 +1,3 @@
+---
+creation_rules:
+  - age: age152ek83tm4fj5u70r3fecytn4kg7c5xca24erjchxexx4pfqg6das7q763l

.terraform-docs.yml

@@ -0,0 +1,18 @@
+formatter: "markdown"
+
+output:
+  file: "README.md"
+  mode: replace
+
+settings:
+  color: false
+  lockfile: false
+
+sort:
+  enabled: true
+  by: name
+
+# recursive can't be enabled until this bug is fixed:
+# https://github.com/terraform-docs/terraform-docs/issues/654
+recursive:
+  enabled: false

.tflint.hcl

@@ -0,0 +1,12 @@
+plugin "terraform" {
+  enabled = true
+  preset  = "recommended"
+}
+
+rule "terraform_required_providers" {
+  enabled = false
+}
+
+rule "terraform_required_version" {
+  enabled = false
+}

.tfsec.yml

@@ -0,0 +1,5 @@
+---
+min_required_version: 1.28.1
+minimum_severity: LOW
+severity_overrides: {}
+exclude: []

Makefile

@@ -0,0 +1,70 @@
+TERRAFORM     := $(shell which terraform)
+S3_REGION     := $(shell sops decrypt secrets/secrets.yaml | grep ^s3_region     | cut -d ' ' -f 2)
+S3_BUCKET     := $(shell sops decrypt secrets/secrets.yaml | grep ^s3_bucket     | cut -d ' ' -f 2)
+S3_KEY        := $(shell sops decrypt secrets/secrets.yaml | grep ^s3_key        | cut -d ' ' -f 2)
+S3_ACCESS_KEY := $(shell sops decrypt secrets/secrets.yaml | grep ^s3_access_key | cut -d ' ' -f 2)
+S3_SECRET_KEY := $(shell sops decrypt secrets/secrets.yaml | grep ^s3_secret_key | cut -d ' ' -f 2)
+
+.PHONY: help init plan apply test pre-commit-check-deps pre-commit-install-hooks argocd-login argocd-sync sync clean
+
+help:
+	@echo "General targets"
+	@echo "----------------"
+	@echo
+	@echo "\thelp: show this help text"
+	@echo "\tclean: removes all .terraform directories"
+	@echo
+	@echo "Terraform targets"
+	@echo "-----------------"
+	@echo
+	@echo "\tinit: run 'terraform init'"
+	@echo "\ttest: run pre-commmit checks"
+	@echo "\tplan: run 'terraform plan'"
+	@echo "\tapply: run 'terraform apply'"
+	@echo
+	@echo "One-time repo init targets"
+	@echo "--------------------------"
+	@echo
+	@echo "\tpre-commit-install-hooks: install pre-commit hooks"
+	@echo "\tpre-commit-check-deps: check pre-commit dependencies"
+	@echo
+
+clean:
+	@find . -name .terraform -type d | xargs -I {} rm -rf {}
+
+init: clean .terraform/terraform.tfstate
+
+.terraform/terraform.tfstate:
+	@${TERRAFORM} init -reconfigure -upgrade -input=false -backend-config="key=${S3_KEY}" -backend-config="bucket=${S3_BUCKET}" -backend-config="region=${S3_REGION}" -backend-config="access_key=${S3_ACCESS_KEY}" -backend-config="secret_key=${S3_SECRET_KEY}"
+
+plan: init .terraform/plan
+
+.terraform/plan:
+	@${TERRAFORM} plan -compact-warnings -out .terraform/plan
+
+apply: test plan
+	@${TERRAFORM} apply -auto-approve -compact-warnings .terraform/plan
+	@rm -f .terraform/plan
+
+test: .git/hooks/pre-commit
+	@pre-commit run -a
+
+DEPS_PRE_COMMIT=$(shell which pre-commit || echo "pre-commit not found")
+DEPS_TERRAFORM_DOCS=$(shell which terraform-docs || echo "terraform-docs not found")
+DEPS_TFLINT=$(shell which tflint || echo "tflint not found,")
+DEPS_CHECKOV=$(shell which checkov || echo "checkov not found,")
+DEPS_JQ=$(shell which jq || echo "jq not found,")
+pre-commit-check-deps:
+	@echo "Checking for pre-commit and its dependencies:"
+	@echo "  pre-commit: ${DEPS_PRE_COMMIT}"
+	@echo "  terraform-docs: ${DEPS_TERRAFORM_DOCS}"
+	@echo "  tflint: ${DEPS_TFLINT}"
+	@echo "  checkov: ${DEPS_CHECKOV}"
+	@echo "  jq: ${DEPS_JQ}"
+	@echo ""
+
+pre-commit-install-hooks: .git/hooks/pre-commit
+
+.git/hooks/pre-commit: pre-commit-check-deps
+	@pre-commit install --install-hooks
+

README.md

@@ -1,2 +1,35 @@
-# libvirt
-Terraform management of libvirt hypervisor
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | > 1.3 |
+| <a name="requirement_libvirt"></a> [libvirt](#requirement\_libvirt) | 0.7.1 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_libvirt"></a> [libvirt](#provider\_libvirt) | 0.7.1 |
+| <a name="provider_sops"></a> [sops](#provider\_sops) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [libvirt_domain.runner](https://registry.terraform.io/providers/dmacvicar/libvirt/0.7.1/docs/resources/domain) | resource |
+| [libvirt_volume.runner](https://registry.terraform.io/providers/dmacvicar/libvirt/0.7.1/docs/resources/volume) | resource |
+| [sops_file.secret_vars](https://registry.terraform.io/providers/carlpett/sops/latest/docs/data-sources/file) | data source |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->

main.tf

@@ -0,0 +1,3 @@
+data "sops_file" "secret_vars" {
+  source_file = "${path.module}/secrets/secrets.yaml"
+}