diff --git a/deployment/check/common/data-model-options.nix b/deployment/check/common/data-model-options.nix
index 57dc88c5..63f306b3 100644
--- a/deployment/check/common/data-model-options.nix
+++ b/deployment/check/common/data-model-options.nix
@@ -21,5 +21,9 @@ in
 default = [ ];
 example = "ConnectTimeout=60";
 };
+ httpBackend = mkOption {
+ description = "environment variables to configure the TF HTTP back-end, see ";
+ type = types.attrsOf (types.either types.str types.int);
+ };
 };
 }
diff --git a/deployment/check/common/data-model.nix b/deployment/check/common/data-model.nix
index 9c5e942e..e45eaa02 100644
--- a/deployment/check/common/data-model.nix
+++ b/deployment/check/common/data-model.nix
@@ -23,6 +23,7 @@ let
 pathToRoot
 targetSystem
 sshOpts
+ httpBackend
 ;
 inherit (lib) mkOption types;
 eval =
@@ -201,7 +202,7 @@ let
 inherit sshOpts;
 };
 module = self;
- inherit args deployment-name;
+ inherit args deployment-name httpBackend;
 root-path = pathToRoot;
 };
 };
diff --git a/deployment/check/data-model-tf/nixosTest.nix b/deployment/check/data-model-tf/nixosTest.nix
index c9fc5560..0246a4e3 100644
--- a/deployment/check/data-model-tf/nixosTest.nix
+++ b/deployment/check/data-model-tf/nixosTest.nix
@@ -8,10 +8,18 @@ let
 inherit (pkgs) system;
 inherit (import ./constants.nix) pathToRoot;
 nodeName = "target";
+ backendPort = builtins.toString 8080;
 deployment-config = {
 inherit nodeName pathToRoot;
 targetSystem = system;
 sshOpts = [ ];
+ httpBackend = rec {
+ TF_HTTP_USERNAME = "basic";
+ TF_HTTP_PASSWORD = "fake-secret";
+ TF_HTTP_ADDRESS = "http://localhost:${backendPort}/state/project1/example";
+ TF_HTTP_LOCK_ADDRESS = TF_HTTP_ADDRESS;
+ TF_HTTP_UNLOCK_ADDRESS = TF_HTTP_ADDRESS;
+ };
 };
 deploy =
 (import ../common/data-model.nix {
@@ -54,7 +62,7 @@ in
 services.terraform-backend = {
 enable = true;
 settings = {
- LISTEN_ADDR = ":8080";
+ LISTEN_ADDR = ":${backendPort}";
 KMS_KEY = "l99yC7MhbuuraACQ8bjaU1rMrT6L4PXEYupX6BzhJvY=";
 };
 };
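Review bot: The description of the new `httpBackend` option in data-model-options.nix is cut off at `see ` and never names what it refers to, and the same truncated string is repeated in the deployment/data-model.nix hunk of this change. Since the values set here (including `TF_HTTP_PASSWORD`, as the test config shows) are interpolated into generated scripts later in this change, the description should say so, e.g. `description = "Environment variables for the Terraform/OpenTofu HTTP state back-end (TF_HTTP_ADDRESS, TF_HTTP_USERNAME, TF_HTTP_PASSWORD, ...). Values are embedded as-is in the generated deploy scripts.";`. The option also carries no `default`, so every consumer of this module must now set it; if an empty attribute set is meant to be acceptable (the `env` line that consumes it appears to tolerate an empty list), add `default = { };` alongside the description.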
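Review bot: The username and password added to `httpBackend` in nixosTest.nix are test fixtures for a backend that, from the second hunk, listens inside the same VM, but nothing in the file marks them as such; a one-line comment above `httpBackend = rec {`, such as `# test-only credentials; the backend runs on loopback inside the test VM`, would keep them from being copied into a real deployment config. As a point of style, `backendPort = builtins.toString 8080;` could simply be `backendPort = "8080";`, since in the visible hunks the value is only ever used inside string interpolation.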
diff --git a/deployment/data-model.nix b/deployment/data-model.nix index 7f59f594..ac4ee471 100644 --- a/deployment/data-model.nix +++ b/deployment/data-model.nix @@ -222,6 +222,10 @@ let description = "The path to the root of the repository."; type = types.path; }; + httpBackend = mkOption { + description = "environment variables to configure the TF HTTP back-end, see "; + type = types.attrsOf (types.either types.str types.int); + }; run = mkOption { type = types.package; # error: The option `tf-deployment.tf-host.run' is read-only, but it's set multiple times. @@ -235,6 +239,7 @@ let args deployment-name root-path + httpBackend ; inherit (ssh) host @@ -260,7 +265,7 @@ let deployment-type = "tf-host"; }; }; - tf-env = pkgs.callPackage ./run/tf-single-host/tf-env.nix { }; + tf-env = pkgs.callPackage ./run/tf-single-host/tf-env.nix { inherit httpBackend; }; in pkgs.writers.writeBashBin "deploy-tf.sh" (withPackages [ @@ -269,6 +274,7 @@ let ]) '' env ${toString (lib.mapAttrsToList (k: v: "TF_VAR_${k}=\"${toBash v}\"") environment)} \ + ${toString (lib.mapAttrsToList (k: v: "${k}=\"${toBash v}\"") httpBackend)} \ tf_env=${tf-env} bash ./deployment/run/tf-single-host/run.sh ''; }; diff --git a/deployment/run/tf-setup.nix b/deployment/run/tf-setup.nix index 5c94e6d0..871a8474 100644 --- a/deployment/run/tf-setup.nix +++ b/deployment/run/tf-setup.nix @@ -2,7 +2,21 @@ pkgs, lib, sources, + httpBackend, }: +let + # FIXME factor out + toBash = + v: + lib.replaceStrings [ "\"" ] [ "\\\"" ] ( + if lib.isPath v || builtins.isNull v then + toString v + else if lib.isString v then + v + else + lib.strings.toJSON v + ); +in pkgs.writeScriptBin "setup" '' set -e # calculated pins 
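Review bot: The `env` line in the @@ -269 hunk splices every `httpBackend` value, `TF_HTTP_PASSWORD` included, into `deploy-tf.sh`, which `writeBashBin` places in the Nix store, where it is world-readable and remains until garbage collection; the `inherit httpBackend` handed to tf-env in the @@ -260 hunk does the same for the `setup` script that tf-setup.nix generates. If anything other than throwaway credentials is expected here, the generated scripts should read the secret from the invoking shell's environment at run time and only the non-secret addresses should be baked in, and the option description should warn about the store exposure. The attribute names are also emitted unquoted as `${k}=`, so the `attrsOf` type does nothing to stop a key with shell metacharacters from corrupting the command line; that is probably acceptable for fixed `TF_HTTP_*` names, but a comment stating that assumption would help the next reader.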
@@ -12,5 +26,7 @@ pkgs.writeScriptBin "setup" '' rm -f .terraform.lock.hcl # suppress warning on architecture-specific generated lock file: # `Warning: Incomplete lock file information for providers`. + env TF_HTTP_RETRY_MAX=1 TF_HTTP_RETRY_WAIT_MIN=0 \ + ${toString (lib.mapAttrsToList (k: v: "${k}=\"${toBash v}\"") httpBackend)} \ tofu init -input=false 1>/dev/null '' diff --git a/deployment/run/tf-single-host/main.tf b/deployment/run/tf-single-host/main.tf index 05bebc52..2dc0625a 100644 --- a/deployment/run/tf-single-host/main.tf +++ b/deployment/run/tf-single-host/main.tf @@ -1,11 +1,5 @@ terraform { - # TODO un-hardcode backend "http" { - username = "basic" - password = "fake-secret" - address = "http://localhost:8080/state/project1/example" - lock_address = "http://localhost:8080/state/project1/example" - unlock_address = "http://localhost:8080/state/project1/example" } } diff --git a/deployment/run/tf-single-host/tf-env.nix b/deployment/run/tf-single-host/tf-env.nix index 4f445222..c00d17f5 100644 --- a/deployment/run/tf-single-host/tf-env.nix +++ b/deployment/run/tf-single-host/tf-env.nix @@ -1,6 +1,7 @@ { lib, pkgs, + httpBackend, sources ? import ../../../npins, }: pkgs.stdenv.mkDerivation { @@ -14,7 +15,7 @@ pkgs.stdenv.mkDerivation { }; buildInputs = [ (pkgs.callPackage ./tf.nix { inherit sources; }) - (pkgs.callPackage ../tf-setup.nix { inherit sources; }) + (pkgs.callPackage ../tf-setup.nix { inherit sources httpBackend; }) ]; buildPhase = '' runHook preBuild
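Review bot: `toBash` in tf-setup.nix escapes only the double quote, yet its result is placed inside a double-quoted bash word (`"${k}=\"${toBash v}\""`), where `$`, backticks and backslashes remain active; a password containing `$` would be expanded by the shell instead of being passed literally, both here and on the matching `env` line in deployment/data-model.nix. For these str/int values `lib.escapeShellArg` gives a single-quoted, literal result: `${toString (lib.mapAttrsToList (k: v: "${k}=${lib.escapeShellArg (toString v)}") httpBackend)} \`. The `FIXME factor out` already flags the duplicated helper, so the safer quoting could land in the shared version when it is extracted. Placing `TF_HTTP_RETRY_MAX=1 TF_HTTP_RETRY_WAIT_MIN=0` before the user-supplied variables is sensible since later assignments to `env` win, but a short comment explaining why retries are disabled (presumably because `tofu init` runs inside the sandboxed build where the backend is unreachable) would make the intent clear; the `setup` script body continues outside this hunk.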