Github Configuration
The basic configuration for all (relevant) Github repositories is applied from a Github Actions workflow. This ensures all repositories are set up in a similar way and avoids manual steps as much as possible. Additionally, the config is reset to the desired state regularly to revert (invalid) updates, which are mostly made manually. Terraform is used to ensure this consistent desired state across all repositories.
- The Github Actions workflow: Apply global Github config
Prerequisites
- Create a Personal Access Token for your Github Account to use with Terraform. The minimum required scopes are repo and read:user.
- Create Actions secrets for the sebastian-sommerfeld-io/configs repo:
  - BW_CLIENT_ID: https://vault.bitwarden.com → Account Settings → Security → View API key
  - BW_CLIENT_SECRET: https://vault.bitwarden.com → Account Settings → Security → View API key
  - BW_MASTER_PASS: https://vault.bitwarden.com → Account Settings → Security → View API key
  - TERRAFORM: The Github Personal Access Token (github.com/settings/tokens → Settings → Developer settings → Tokens (classic))
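The token stored in the TERRAFORM secret should carry only the two scopes named above. The following check is an added example, not code from the configs repo: it parses the X-OAuth-Scopes response header that GitHub returns for classic tokens and flags extra or missing scopes. The sample headers are constructed and the GITHUB_PAT variable name is hypothetical.

```shell
#!/bin/sh
# Added example, not part of the configs repo.
ALLOWED_SCOPES="repo read:user"   # minimum scopes named under Prerequisites

# Read raw HTTP response headers on stdin, print one granted scope per line.
# GitHub reports a classic token's scopes in the X-OAuth-Scopes header.
extract_scopes() {
  tr -d '\r' | grep -i '^x-oauth-scopes:' | cut -d: -f2- | tr ',' '\n' \
    | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | sed '/^$/d'
}

# Return 0 on an exact match, 1 if the token has extra scopes
# (over-privileged), 2 if a required scope is missing.
check_scopes() {
  _scopes="$(extract_scopes)"; _extra=""; _missing=""
  for _s in $_scopes; do
    case " $ALLOWED_SCOPES " in
      *" $_s "*) ;;
      *) _extra="$_extra $_s" ;;
    esac
  done
  for _s in $ALLOWED_SCOPES; do
    printf '%s\n' "$_scopes" | grep -qxF "$_s" || _missing="$_missing $_s"
  done
  if [ -n "$_extra" ]; then echo "over-privileged, extra scopes:$_extra"; return 1; fi
  if [ -n "$_missing" ]; then echo "missing required scopes:$_missing"; return 2; fi
  echo "scopes match the documented minimum"
}

# Constructed sample response headers (not captured from a real account).
SAMPLE_OK="$(printf 'HTTP/2 200\r\nx-oauth-scopes: read:user, repo\r\n')"
SAMPLE_OVER="$(printf 'HTTP/2 200\r\nX-OAuth-Scopes: admin:org, delete_repo, read:user, repo\r\n')"

printf '%s\n' "$SAMPLE_OK" | check_scopes
printf '%s\n' "$SAMPLE_OVER" | check_scopes || true

# Live check (GITHUB_PAT is a hypothetical variable holding the token):
#   curl -sS -o /dev/null -D - -H "Authorization: Bearer $GITHUB_PAT" \
#     https://api.github.com/user | check_scopes
```

Run as a gate before the Terraform step, a non-zero exit stops the pipeline when the token has drifted from the documented minimum.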
Building Blocks
The Github Actions workflow configures issue labels and secrets for a lot of Github repositories. It needs four Actions secrets configured (see Prerequisites) to access Bitwarden (BW_* → load other secrets) and to access Github repositories and projects (TERRAFORM).
The Terraform state is stored in a separate private repository. The pipeline clones this repo, applies the Terraform config and pushes the updated Terraform state back to the repository.
Terraform Config
Available (Terraform) commands
The apply-config.sh script can handle these commands. While developing, use run-local.sh on your localhost instead of calling this script directly. run-local.sh provides a more convenient way to trigger the Terraform commands.
- apply → Executes the actions proposed in a Terraform plan.
- cleanup → Cleanup local filesystem.
- docs → Generate Asciidoc for this Terraform configuration and write into Antora partials directory.
- fmt → Rewrite Terraform configuration files to a canonical format and style.
- init → Initializes a working directory containing Terraform configuration files. This is the first command that should be run.
- lint → Run TFLint in Docker container to check the Terraform config.
- plan → Create an execution plan, which lets you preview the changes that Terraform plans to make.
- validate → Validates configuration files in a directory, referring only to configuration and not accessing any remote services.
- -version → Display Terraform version.
Inputs
Name | Description | Type | Default | Required |
---|---|---|---|---|
| Bitwarden Client ID (Github Actions Secret) - Needed for Terraform Provider to read Data from Bitwarden | | n/a | yes |
| Bitwarden Client Secret (Github Actions Secret) - Needed for Terraform Provider to read Data from Bitwarden | | n/a | yes |
| Bitwarden Email - Needed for Terraform Provider to read Data from Bitwarden | | | no |
| Bitwarden Master Key (Github Actions Secret) - Needed for Terraform Provider to read Data from Bitwarden | | n/a | yes |