ci: Add terraform (wip)

Author: pythoninthegrass

.gitignore

@@ -1,6 +1,7 @@
 # ETC
 !.gitkeep
 *.sqlite
+tfplan
 
 # Byte-compiled / optimized / DLL files
 __pycache__/
@@ -237,3 +238,38 @@ dist
 .yarn/build-state.yml
 .yarn/install-state.gz
 .pnp.*
+
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc

.tflint.hcl

@@ -0,0 +1,66 @@
+# https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/module-inspection.md
+# borrowed & modified indefinitely from https://github.com/ksatirli/building-infrastructure-you-can-mostly-trust/blob/main/.tflint.hcl
+
+plugin "aws" {
+  enabled = true
+  version = "0.14.0"
+  source  = "github.com/terraform-linters/tflint-ruleset-aws"
+}
+
+config {
+  module = true
+  force  = false
+}
+
+rule "terraform_required_providers" {
+  enabled = true
+}
+
+rule "terraform_required_version" {
+  enabled = true
+}
+
+rule "terraform_naming_convention" {
+  enabled = true
+  format  = "snake_case"
+}
+
+rule "terraform_typed_variables" {
+  enabled = true
+}
+
+rule "terraform_unused_declarations" {
+  enabled = true
+}
+
+rule "terraform_comment_syntax" {
+  enabled = true
+}
+
+rule "terraform_deprecated_index" {
+  enabled = true
+}
+
+rule "terraform_deprecated_interpolation" {
+  enabled = true
+}
+
+rule "terraform_documented_outputs" {
+  enabled = true
+}
+
+rule "terraform_documented_variables" {
+  enabled = true
+}
+
+rule "terraform_module_pinned_source" {
+  enabled = true
+}
+
+rule "terraform_standard_module_structure" {
+  enabled = true
+}
+
+rule "terraform_workspace_remote" {
+  enabled = true
+}

.tool-versions

@@ -1,2 +1,4 @@
+golang 1.20.6
 python 3.11.6
 poetry 1.7.1
+terraform 1.7.3

terraform/.terraform.lock.hcl

@@ -0,0 +1,66 @@
+# TODO: fix unauthorized errors (test w/raw api)
+# λ tfa tfplan
+# render_service.db: Creating...
+# render_service.web: Creating...
+# ╷
+# │ Error: failed to create service
+# │
+# │   with render_service.web,
+# │   on main.tf line 1, in resource "render_service" "web":
+# │    1: resource "render_service" "web" {
+# │
+# │ Unauthorized
+# │
+# │ Error: failed to create service
+# │
+# │   with render_service.db,
+# │   on main.tf line 28, in resource "render_service" "db":
+# │   28: resource "render_service" "db" {
+# │
+# │ Unauthorized
+
+resource "render_service" "web" {
+  name        = "qaas-web"
+  type        = "web_service"
+  repo        = "https://github.com/pythoninthegrass/qaas.git"
+  branch      = "main"
+  auto_deploy = true
+  owner       = local.owner
+
+  web_service_details = {
+    env                           = "docker"
+    plan                          = "starter"
+    region                        = "ohio"
+    pull_request_previews_enabled = true
+    health_check_path             = "/healthz"
+  }
+}
+
+resource "render_service_environment" "web" {
+  service = render_service.web.id
+  variables = [{
+    key   = "PORT"
+    value = "8000"
+    key   = "POSTGRES_URI"
+    value = render_service.db.private_service_details.url
+  }]
+}
+
+resource "render_service" "db" {
+  name   = "qaas-postgres"
+  type   = "private_service"
+  repo   = "hhttps://github.com/pythoninthegrass/render-postgres"
+  branch = "main"
+  owner  = local.owner
+
+  private_service_details = {
+    env  = "docker"
+    plan = "free"
+    disk = {
+      name       = "quotes"
+      mount_path = "/data/db"
+      size_gb    = 5
+    }
+  }
+}
+

terraform/main.tf

@@ -0,0 +1,7 @@
+output "web_url" {
+  value = render_service.web.web_service_details.url
+}
+
+output "db_url" {
+  value = render_service.db.private_service_details.url
+}

terraform/outputs.tf

@@ -0,0 +1,13 @@
+terraform {
+  required_providers {
+    render = {
+      source  = "jackall3n/render"
+      version = "1.3.0"
+    }
+  }
+}
+
+provider "render" {
+  # email   = local.email
+  api_key = base64encode(local.api_token)
+}

terraform/provider.tf

@@ -0,0 +1,9 @@
+# SOURCE: https://stackoverflow.com/a/76194380/15454191
+locals {
+  dot_env_file_path = "../.render.env"
+  dot_env_regex     = "(?m:^\\s*([^#\\s]\\S*)\\s*=\\s*[\"']?(.*[^\"'\\s])[\"']?\\s*$)"
+  dot_env           = { for tuple in regexall(local.dot_env_regex, file(local.dot_env_file_path)) : tuple[0] => sensitive(tuple[1]) }
+  api_token         = local.dot_env["RENDER_API_KEY"]
+  email             = local.dot_env["RENDER_EMAIL"]
+  owner             = local.dot_env["OWNER"]
+}