Add Terraform deployment for StackIt project team-iac-test01 (#1)

* Update gitignore

Signed-off-by: Roman Schwarz <rs@cloudeteer.de>

* Add initial Terraform code for test deployment on team-iac-test01 project

Signed-off-by: Roman Schwarz <rs@cloudeteer.de>

* Add GitHub workflow for test deployment on team-iac-test01 project

Signed-off-by: Roman Schwarz <rs@cloudeteer.de>

* Add example network

Signed-off-by: Roman Schwarz <rs@cloudeteer.de>

---------

Signed-off-by: Roman Schwarz <rs@cloudeteer.de>

Author: rswrz

.github/workflows/prod-stackit-terraform-team-iac-test01.yaml

@@ -0,0 +1,35 @@
+name: prod-stackit-terraform-team-iac-test01
+
+on:
+  workflow_dispatch:
+    inputs:
+      terraform-force-unlock:
+        default: false
+        description: Terraform force unlock
+        required: false
+        type: boolean
+      terraform-force-unlock-id:
+        description: Terraform LOCK_ID
+        required: false
+        type: string
+  pull_request:
+    paths:
+      - prod-stackit/terraform/team-iac-test01/**
+      - .github/workflows/prod-stackit-terraform-team-iac-test01.yaml
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  terraform:
+    name: Terraform
+    uses: cloudeteer/iac-deployment-framework/.github/workflows/terraform-deploy-stackit.yaml@wip/stackit
+    with:
+      directory: prod-stackit/terraform/team-iac-test01
+      terraform-force-unlock-id: ${{ github.event_name == 'workflow_dispatch' && inputs.terraform-force-unlock == true && inputs.terraform-force-unlock-id }}
+      terraform-force-unlock: ${{ github.event_name == 'workflow_dispatch' && inputs.terraform-force-unlock == true && inputs.terraform-force-unlock }}
+    secrets:
+      stackit_service_account_key: ${{ secrets.CDT_IAC_STACKIT_SERVICE_ACCOUNT_KEY_TEAM_IAC_TEST01 }}
+      backend_s3_secret_key: ${{ secrets.CDT_IAC_STACKIT_BACKEND_S3_SECRET_KEY_TEAM_IAC_TEST01 }}
+      backend_s3_access_key: ${{ secrets.CDT_IAC_STACKIT_BACKEND_S3_ACCESS_KEY_TEAM_IAC_TEST01 }}

.gitignore

@@ -10,8 +10,8 @@ crash.log
 crash.*.log
 
 # Exclude all .tfvars files, which are likely to contain sensitive data, such as
-# password, private keys, and other secrets. These should not be part of version 
-# control as they are data points which are potentially sensitive and subject 
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
 # to change depending on the environment.
 *.tfvars
 *.tfvars.json
@@ -35,3 +35,6 @@ override.tf.json
 # Ignore CLI configuration files
 .terraformrc
 terraform.rc
+
+# Ignore lokal direnv configuration file
+.envrc

prod-stackit/terraform/README.md

@@ -0,0 +1,3 @@
+# /prod-stackit/terraform
+
+Create a subdirectory for each StackIT project

prod-stackit/terraform/team-iac-test01/.terraform.lock.hcl

@@ -0,0 +1,29 @@
+# Terraform: team-iac-test01
+
+## Getting started
+
+### Create Object Store
+
+```shell
+brew tap stackitcloud/tap
+brew install stackit
+```
+
+```shell
+stackit auth login
+stackit config set --project-id 341539db-8c67-43cf-ba1f-fd14157a0a5b # team-iac-test01
+stackit object-storage enable
+```
+
+```shell
+stackit object-storage bucket create team-iac-test01-tfstate
+```
+
+```shell
+# Get object ID
+credential_group_id=$(stackit object-storage credentials-group list --output-format json |
+jq -r '.[] | select(.displayName == "default") | .credentialsGroupId)
+
+# Create access key
+stackit object-storage credentials create --credentials-group-id "$credential_group_id"
+```

prod-stackit/terraform/team-iac-test01/README.md

@@ -0,0 +1,47 @@
+terraform {
+  required_providers {
+    stackit = {
+      source  = "stackitcloud/stackit"
+      version = "0.43.3"
+    }
+  }
+
+  backend "s3" {
+    bucket = "team-iac-test01-tfstate"
+    key    = "terraform.tfstate"
+    endpoints = {
+      s3 = "https://object.storage.eu01.onstackit.cloud"
+    }
+    region                      = "eu01"
+    skip_credentials_validation = true
+    skip_region_validation      = true
+    skip_s3_checksum            = true
+    skip_requesting_account_id  = true
+
+    # secret_key = null  # Set by ENV AWS_SECRET_ACCESS_KEY
+    # access_key = null  # Set by ENV AWS_ACCESS_KEY_ID
+  }
+}
+
+provider "stackit" {
+  region = "eu01"
+
+  # Note: There are no environment variables available for these parameters.
+  # Instead, we use TF_VAR_service_account_key and TF_VAR_private_key.
+  service_account_key = var.service_account_key
+  private_key         = var.private_key
+}
+
+data "stackit_resourcemanager_project" "team_iac_test01" {
+  project_id   = "341539db-8c67-43cf-ba1f-fd14157a0a5b"
+  container_id = "team-iac-test01"
+}
+
+output "project_name" {
+  value = data.stackit_resourcemanager_project.team_iac_test01.name
+}
+
+resource "stackit_network" "example_with_name" {
+  project_id = data.stackit_resourcemanager_project.team_iac_test01.project_id
+  name       = "example-network"
+}

prod-stackit/terraform/team-iac-test01/main.tf

@@ -0,0 +1,6 @@
+variable "service_account_key" {
+}
+
+variable "private_key" {
+  default = null
+}