Merge pull request #21 from remerge/op-secrets-module

Add op/secrets module
remerge · Dec 13, 2023 · 126a4e1 · 126a4e1
2 parents ca0cc22 + b1de7a2
commit 126a4e1
Show file tree

Hide file tree

Showing 10 changed files with 74 additions and 8 deletions.
diff --git a/.copier-answers.yml b/.copier-answers.yml
@@ -1,11 +1,10 @@
 ---
 # Changes here will be overwritten by Copier
-_commit: v2.2.0
+_commit: v2.8.0
 _src_path: gh:remerge/template
 project_id: terraform-modules
 project_license: apache-2.0
 project_name: Terraform Modules
 project_owner: core
 project_type: terraform-module
-run_workflows_for_all_branches: false
 use_python: false
diff --git a/.envrc b/.envrc
@@ -10,7 +10,8 @@
 strict_env
 
 # Loads a ".env" file into the current environment
-dotenv_if_exists
+dotenv_if_exists "${PWD}"/../.env
+dotenv_if_exists "${PWD}"/.env
 
 # Add local scripts to PATH
 PATH_add "${PWD}/bin"

diff --git a/.github/actionlint.yaml b/.github/actionlint.yaml
@@ -0,0 +1,8 @@
+---
+self-hosted-runner:
+  labels:
+    - generic
+    - self-hosted
+    - nomad
+    - docker
+    - default
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
@@ -6,7 +6,20 @@ on:
   push:
     branches: [main, master]
 
-permissions: read-all
+permissions:
+  actions: none
+  checks: none
+  contents: read
+  deployments: none
+  discussions: none
+  id-token: none
+  issues: none
+  packages: none
+  pages: none
+  pull-requests: none
+  repository-projects: none
+  security-events: none
+  statuses: none
 
 jobs:
   pre-commit:

diff --git a/.gitignore b/.gitignore
@@ -573,3 +573,6 @@ id_*
 # only.
 !*.tfvars
 !*.tfvars.json
+
+# Ignore direnv files
+.direnv/

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -33,7 +33,7 @@ repos:
 
   # https://github.com/pre-commit/mirrors-prettier/tags
   - repo: https://github.com/pre-commit/mirrors-prettier
-    rev: "v3.0.3"
+    rev: "v3.1.0"
     hooks:
       - id: prettier
         exclude: "^project/"
@@ -47,7 +47,7 @@ repos:
 
   # https://github.com/adrienverge/yamllint/tags
   - repo: https://github.com/adrienverge/yamllint
-    rev: "v1.32.0"
+    rev: "v1.33.0"
     hooks:
       - id: yamllint
         entry: yamllint --strict
@@ -74,7 +74,7 @@ repos:
 
   # https://github.com/antonbabenko/pre-commit-terraform/tags
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: "v1.83.5"
+    rev: "v1.83.6"
     hooks:
       - id: terraform_fmt
         name: terraform-fmt
@@ -83,7 +83,7 @@ repos:
 
   # https://github.com/bridgecrewio/checkov/tags
   - repo: https://github.com/bridgecrewio/checkov
-    rev: "3.0.21"
+    rev: "3.1.30"
     hooks:
       - id: checkov
         name: checkov
@@ -100,3 +100,4 @@ repos:
     rev: "v0.19.0"
     hooks:
       - id: woke-from-source
+        args: [--config=.woke.yaml]
diff --git a/.woke.yaml b/.woke.yaml
@@ -0,0 +1 @@
+---
diff --git a/op/secrets/main.tf b/op/secrets/main.tf
@@ -0,0 +1,15 @@
+data "onepassword_vault" "secrets" {
+  name = "secrets"
+}
+
+resource "onepassword_item" "secrets" {
+  for_each = var.secrets
+  vault    = data.onepassword_vault.secrets.id
+  title    = "${var.prefix}_${each.key}"
+  category = "password"
+  password = each.value
+  tags = concat(var.tags, [
+    "prefix:${var.prefix}",
+    "workspace:${var.workspace}",
+  ])
+}
diff --git a/op/secrets/variables.tf b/op/secrets/variables.tf
@@ -0,0 +1,16 @@
+variable "workspace" {
+  type = string
+}
+
+variable "prefix" {
+  type = string
+}
+
+variable "tags" {
+  type    = list(string)
+  default = []
+}
+
+variable "secrets" {
+  type = map(string)
+}
diff --git a/op/secrets/versions.tf b/op/secrets/versions.tf
@@ -0,0 +1,9 @@
+terraform {
+  required_providers {
+    # https://registry.terraform.io/providers/1Password/onepassword/latest
+    onepassword = {
+      source  = "1Password/onepassword"
+      version = "~> 1.3"
+    }
+  }
+}