propagate http backend config

Signed-off-by: Kiara Grouwstra <kiara@procolix.eu>
2025-10-06 13:46:36 +02:00 · 2025-10-06 13:46:36 +02:00 · 84ff121969
commit 84ff121969
parent fd49868cda
7 changed files with 40 additions and 10 deletions
--- a/deployment/check/common/data-model-options.nix
+++ b/deployment/check/common/data-model-options.nix
@ -21,5 +21,9 @@ in
      default = [ ];
      example = "ConnectTimeout=60";
    };
+    httpBackend = mkOption {
+      description = "environment variables to configure the TF HTTP back-end, see <https://developer.hashicorp.com/terraform/language/backend/http#configuration-variables>";
+      type = types.attrsOf (types.either types.str types.int);
+    };
  };
 }
--- a/deployment/check/common/data-model.nix
+++ b/deployment/check/common/data-model.nix
@ -23,6 +23,7 @@ let
    pathToRoot
    targetSystem
    sshOpts
+    httpBackend
    ;
  inherit (lib) mkOption types;
  eval =
@ -201,7 +202,7 @@ let
                      inherit sshOpts;
                    };
                    module = self;
-                    inherit args deployment-name;
+                    inherit args deployment-name httpBackend;
                    root-path = pathToRoot;
                  };
                };
--- a/deployment/check/data-model-tf/nixosTest.nix
+++ b/deployment/check/data-model-tf/nixosTest.nix
@ -8,10 +8,18 @@ let
  inherit (pkgs) system;
  inherit (import ./constants.nix) pathToRoot;
  nodeName = "target";
+  backendPort = builtins.toString 8080;
  deployment-config = {
    inherit nodeName pathToRoot;
    targetSystem = system;
    sshOpts = [ ];
+    httpBackend = rec {
+      TF_HTTP_USERNAME = "basic";
+      TF_HTTP_PASSWORD = "fake-secret";
+      TF_HTTP_ADDRESS = "http://localhost:${backendPort}/state/project1/example";
+      TF_HTTP_LOCK_ADDRESS = TF_HTTP_ADDRESS;
+      TF_HTTP_UNLOCK_ADDRESS = TF_HTTP_ADDRESS;
+    };
  };
  deploy =
    (import ../common/data-model.nix {
@ -54,7 +62,7 @@ in
      services.terraform-backend = {
        enable = true;
        settings = {
-          LISTEN_ADDR = ":8080";
+          LISTEN_ADDR = ":${backendPort}";
          KMS_KEY = "l99yC7MhbuuraACQ8bjaU1rMrT6L4PXEYupX6BzhJvY=";
        };
      };
--- a/deployment/data-model.nix
+++ b/deployment/data-model.nix
@ -222,6 +222,10 @@ let
            description = "The path to the root of the repository.";
            type = types.path;
          };
+          httpBackend = mkOption {
+            description = "environment variables to configure the TF HTTP back-end, see <https://developer.hashicorp.com/terraform/language/backend/http#configuration-variables>";
+            type = types.attrsOf (types.either types.str types.int);
+          };
          run = mkOption {
            type = types.package;
            # error: The option `tf-deployment.tf-host.run' is read-only, but it's set multiple times.
@ -235,6 +239,7 @@ let
                  args
                  deployment-name
                  root-path
+                  httpBackend
                  ;
                inherit (ssh)
                  host
@ -260,7 +265,7 @@ let
                    deployment-type = "tf-host";
                  };
                };
-                tf-env = pkgs.callPackage ./run/tf-single-host/tf-env.nix { };
+                tf-env = pkgs.callPackage ./run/tf-single-host/tf-env.nix { inherit httpBackend; };
              in
              pkgs.writers.writeBashBin "deploy-tf.sh"
                (withPackages [
@ -269,6 +274,7 @@ let
                ])
                ''
                  env ${toString (lib.mapAttrsToList (k: v: "TF_VAR_${k}=\"${toBash v}\"") environment)} \
+                  ${toString (lib.mapAttrsToList (k: v: "${k}=\"${toBash v}\"") httpBackend)} \
                  tf_env=${tf-env} bash ./deployment/run/tf-single-host/run.sh
                '';
          };
--- a/deployment/run/tf-setup.nix
+++ b/deployment/run/tf-setup.nix
@ -2,7 +2,21 @@
  pkgs,
  lib,
  sources,
+  httpBackend,
 }:
+let
+  # FIXME factor out
+  toBash =
+    v:
+    lib.replaceStrings [ "\"" ] [ "\\\"" ] (
+      if lib.isPath v || builtins.isNull v then
+        toString v
+      else if lib.isString v then
+        v
+      else
+        lib.strings.toJSON v
+    );
+in
 pkgs.writeScriptBin "setup" ''
  set -e
  # calculated pins
@ -12,5 +26,7 @@ pkgs.writeScriptBin "setup" ''
  rm -f .terraform.lock.hcl
  # suppress warning on architecture-specific generated lock file:
  # `Warning: Incomplete lock file information for providers`.
+  env TF_HTTP_RETRY_MAX=1 TF_HTTP_RETRY_WAIT_MIN=0 \
+  ${toString (lib.mapAttrsToList (k: v: "${k}=\"${toBash v}\"") httpBackend)} \
  tofu init -input=false 1>/dev/null
 ''
--- a/deployment/run/tf-single-host/main.tf
+++ b/deployment/run/tf-single-host/main.tf
@ -1,11 +1,5 @@
 terraform {
-  # TODO un-hardcode
  backend "http" {
-    username       = "basic"
-    password       = "fake-secret"
-    address        = "http://localhost:8080/state/project1/example"
-    lock_address   = "http://localhost:8080/state/project1/example"
-    unlock_address = "http://localhost:8080/state/project1/example"
  }
 }

--- a/deployment/run/tf-single-host/tf-env.nix
+++ b/deployment/run/tf-single-host/tf-env.nix
@ -1,6 +1,7 @@
 {
  lib,
  pkgs,
+  httpBackend,
  sources ? import ../../../npins,
 }:
 pkgs.stdenv.mkDerivation {
@ -14,7 +15,7 @@ pkgs.stdenv.mkDerivation {
    };
  buildInputs = [
    (pkgs.callPackage ./tf.nix { inherit sources; })
-    (pkgs.callPackage ../tf-setup.nix { inherit sources; })
+    (pkgs.callPackage ../tf-setup.nix { inherit sources httpBackend; })
  ];
  buildPhase = ''
    runHook preBuild