feat: Initial commit (#1)

* feat: Initial commit

* fix: cleanup tunnels

Author: xnoto

.checkov.yml

@@ -0,0 +1,13 @@
+block-list-secret-scan: []
+compact: true
+directory:
+  - .
+download-external-modules: false
+evaluate-variables: true
+framework:
+  - all
+output:
+  - cli
+quiet: true
+soft-fail: true
+summary-position: top

.github/workflows/opentofu.yml

@@ -0,0 +1,19 @@
+name: OpenTofu
+
+on:
+  pull_request:
+    branches:
+      - main
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  opentofu:
+    uses: makeitworkcloud/shared-workflows/.github/workflows/opentofu.yml@main
+    secrets:
+      SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}

.gitignore

@@ -0,0 +1,16 @@
+# vim swap files
+**/*.sw[po]
+
+# don't commit terraform state or lock. the repo code is the only state we care about.
+# the provider state cache is auto-upgraded by default to ensure compatibility with upstream cloud provider APIs
+**/.terraform.lock.hcl
+**/.terraform
+
+# IDE Folders
+**/.vscode
+
+# Mac Finder cache
+**/.DS_Store
+
+# Plan output
+plan-output.txt

.pre-commit-config.yaml

@@ -0,0 +1,36 @@
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v6.0.0
+  hooks:
+    - id: check-case-conflict
+    - id: check-merge-conflict
+    - id: check-symlinks
+    - id: check-vcs-permalinks
+    - id: destroyed-symlinks
+    - id: detect-private-key
+    - id: mixed-line-ending
+    - id: trailing-whitespace
+- repo: https://github.com/antonbabenko/pre-commit-terraform
+  rev: v1.104.0
+  hooks:
+    - id: terraform_validate
+      args:
+        - --hook-config=--retry-once-with-cleanup=true
+        - --args=-no-color
+        - --tf-init-args=-reconfigure
+        - --tf-init-args=-upgrade
+    - id: terraform_tflint
+      args:
+        - --args=--minimum-failure-severity=error
+        - --args=--config=__GIT_WORKING_DIR__/.tflint.hcl
+    - id: terraform_checkov
+      args:
+        - --args=--config-file __GIT_WORKING_DIR__/.checkov.yml
+    - id: terraform_fmt
+      args:
+        - --args=-no-color
+        - --args=-diff
+        - --args=-recursive
+    - id: terraform_docs
+      args:
+        - --args=--config=.terraform-docs.yml

.sops.yaml

@@ -0,0 +1,3 @@
+---
+creation_rules:
+  - age: age152ek83tm4fj5u70r3fecytn4kg7c5xca24erjchxexx4pfqg6das7q763l

.terraform-docs.yml

@@ -0,0 +1,18 @@
+formatter: "markdown"
+
+output:
+  file: "README.md"
+  mode: replace
+
+settings:
+  color: false
+  lockfile: false
+
+sort:
+  enabled: true
+  by: name
+
+# recursive can't be enabled until this bug is fixed:
+# https://github.com/terraform-docs/terraform-docs/issues/654
+recursive:
+  enabled: false

.tflint.hcl

@@ -0,0 +1,12 @@
+plugin "terraform" {
+  enabled = true
+  preset  = "recommended"
+}
+
+rule "terraform_required_providers" {
+  enabled = false
+}
+
+rule "terraform_required_version" {
+  enabled = false
+}

Makefile

@@ -0,0 +1,78 @@
+SHELL         := /bin/bash
+TERRAFORM     := $(shell which tofu)
+S3_REGION     := $(shell sops decrypt secrets/secrets.yaml | grep ^s3_region     | cut -d ' ' -f 2)
+S3_BUCKET     := $(shell sops decrypt secrets/secrets.yaml | grep ^s3_bucket     | cut -d ' ' -f 2)
+S3_KEY        := $(shell sops decrypt secrets/secrets.yaml | grep ^s3_key        | cut -d ' ' -f 2)
+S3_ACCESS_KEY := $(shell sops decrypt secrets/secrets.yaml | grep ^s3_access_key | cut -d ' ' -f 2)
+S3_SECRET_KEY := $(shell sops decrypt secrets/secrets.yaml | grep ^s3_secret_key | cut -d ' ' -f 2)
+
+.PHONY: help init plan apply migrate test pre-commit-check-deps pre-commit-install-hooks argcd-login
+
+help:
+	@echo "General targets"
+	@echo "----------------"
+	@echo
+	@echo "\thelp: show this help text"
+	@echo "\tclean: removes all .terraform directories"
+	@echo
+	@echo "Terraform targets"
+	@echo "-----------------"
+	@echo
+	@echo "\tinit: run 'terraform init'"
+	@echo "\ttest: run pre-commmit checks"
+	@echo "\tplan: run 'terraform plan'"
+	@echo "\tapply: run 'terraform apply'"
+	@echo "\tmigrate; run terraform init -migrate-state"
+	@echo
+	@echo "One-time repo init targets"
+	@echo "--------------------------"
+	@echo
+	@echo "\tpre-commit-install-hooks: install pre-commit hooks"
+	@echo "\tpre-commit-check-deps: check pre-commit dependencies"
+	@echo
+
+clean:
+	@find . -name .terraform -type d | xargs -I {} rm -rf {}
+
+init: clean .terraform/terraform.tfstate
+
+.terraform/terraform.tfstate:
+	@${TERRAFORM} init -reconfigure -upgrade -input=false -backend-config="key=${S3_KEY}" -backend-config="bucket=${S3_BUCKET}" -backend-config="region=${S3_REGION}" -backend-config="access_key=${S3_ACCESS_KEY}" -backend-config="secret_key=${S3_SECRET_KEY}"
+
+plan: init .terraform/plan
+
+.terraform/plan:
+	@${TERRAFORM} plan -compact-warnings -no-color -out tfplan.bin
+	@${TERRAFORM} show -no-color tfplan.bin | tee plan-output.txt
+	@rm -f tfplan.bin
+
+apply: init .terraform/apply
+
+.terraform/apply:
+	@${TERRAFORM} apply -auto-approve -compact-warnings
+
+migrate:
+	@echo "First use -make init- using the old S3 backend, then run -make migrate- to use the new one."
+	@${TERRAFORM} init -migrate-state -backend-config="key=${S3_KEY}" -backend-config="bucket=${S3_BUCKET}" -backend-config="region=${S3_REGION}" -backend-config="access_key=${S3_ACCESS_KEY}" -backend-config="secret_key=${S3_SECRET_KEY}"
+
+test: .git/hooks/pre-commit
+	@pre-commit run -a
+
+DEPS_PRE_COMMIT=$(shell which pre-commit || echo "pre-commit not found")
+DEPS_TERRAFORM_DOCS=$(shell which terraform-docs || echo "terraform-docs not found")
+DEPS_TFLINT=$(shell which tflint || echo "tflint not found,")
+DEPS_CHECKOV=$(shell which checkov || echo "checkov not found,")
+DEPS_JQ=$(shell which jq || echo "jq not found,")
+pre-commit-check-deps:
+	@echo "Checking for pre-commit and its dependencies:"
+	@echo "  pre-commit: ${DEPS_PRE_COMMIT}"
+	@echo "  terraform-docs: ${DEPS_TERRAFORM_DOCS}"
+	@echo "  tflint: ${DEPS_TFLINT}"
+	@echo "  checkov: ${DEPS_CHECKOV}"
+	@echo "  jq: ${DEPS_JQ}"
+	@echo ""
+
+pre-commit-install-hooks: .git/hooks/pre-commit
+
+.git/hooks/pre-commit: pre-commit-check-deps
+	@pre-commit install --install-hooks

cf-dns.tf

@@ -0,0 +1,43 @@
+resource "cloudflare_dns_record" "root" {
+  zone_id = local.zone_id
+  type    = "CNAME"
+  name    = "@"
+  content = "makeitwork.cloud.s3-website.us-west-2.amazonaws.com"
+  proxied = true
+  ttl     = 1
+}
+
+resource "cloudflare_dns_record" "www" {
+  zone_id = local.zone_id
+  type    = "CNAME"
+  name    = "www"
+  content = "makeitwork.cloud.s3-website.us-west-2.amazonaws.com"
+  proxied = true
+  ttl     = 1
+}
+
+resource "cloudflare_dns_record" "mx_primary" {
+  zone_id  = local.zone_id
+  type     = "MX"
+  name     = "@"
+  content  = "mx1.privateemail.com"
+  priority = 10
+  ttl      = 1
+}
+
+resource "cloudflare_dns_record" "mx_secondary" {
+  zone_id  = local.zone_id
+  type     = "MX"
+  name     = "@"
+  content  = "mx2.privateemail.com"
+  priority = 20
+  ttl      = 1
+}
+
+resource "cloudflare_dns_record" "spf" {
+  zone_id = local.zone_id
+  type    = "TXT"
+  name    = "@"
+  content = "v=spf1 include:spf.privateemail.com ~all"
+  ttl     = 1
+}

main.tf

@@ -0,0 +1,12 @@
+data "sops_file" "secret_vars" {
+  source_file = "${path.module}/secrets/secrets.yaml"
+}
+
+locals {
+  account_id = data.sops_file.secret_vars.data["cloudflare_account_id"]
+  zone_id    = data.sops_file.secret_vars.data["cloudflare_zone_id"]
+}
+
+data "cloudflare_zone" "makeitwork_cloud" {
+  zone_id = local.zone_id
+}