github.tf
# Organization-wide GitHub Actions variable holding the Nomad API address.
# visibility = "all" exposes it to workflows in every repository of the
# organization. It is a plain variable rather than a secret, so it should only
# ever carry non-sensitive data such as this URL.
resource "github_actions_organization_variable" "nomad_addr" {
  variable_name = "NOMAD_ADDR"
  visibility    = "all"
  value         = "https://nomad.datasektionen.se"
}
locals {
  # Workspace to list of repos that deploy to the workspace. The workspace must already exist.
  #
  # Each key is reused below as the Nomad namespace name in the deploy policy and
  # as the name suffix of the policy and token ("deploy-<key>"). Every repository
  # listed under a key receives the same token for that key, so adding a
  # repository here grants its CI workflows job-submission rights in the whole
  # namespace, not only for its own job.
  #
  # List a repository under exactly one key: the secret resource below only uses
  # the first workspace it finds for a repository.
  deploy-tokens = {
    auth = [
      "dfunkt",
      "hive",
      "pls",
      "sso",
    ]
    ddagen = ["ddagen"]
    default = [
      "aaallt2",
      "audio",
      "aurora",
      "bawang",
      "bea",
      "chilibea",
      "betting",
      "calypso",
      "damm2",
      "darkmode",
      "dbuggen",
      "djubileet",
      "durn-the-third",
      "femto",
      "harmony",
      "metasl2",
      "metastudent",
      "meta-tv-rs",
      "methone",
      "nymblan",
      "pandora",
      "pax2",
      "rfinger",
      "skywhale",
      "smingo",
      "spam",
      "spam-rs",
      "ston",
      "styrdokument-bawang",
      "taitan",
      "typst-bot",
      "wookieleaks",
      "yoggi",
      "zaiko",
      "zfinger",
    ]
    dive = ["dive-workshop"]
    djulkalendern = [
      "dhost-chat",
      "dhost-commoners",
      "dhost-duckbolt",
      "dhost-sallad",
      "djulkalendern",
      "duckbot",
      "duckbot-jr",
    ]
    jml = ["jml"]
    metaspexet = [
      "haj",
      "metaspexet2",
      "tiki",
    ]
    money = [
      "cashflow",
      "gordian",
    ]
  }
}
# One ACL policy per key of local.deploy-tokens, named "deploy-<key>".
# The policy is scoped to the single namespace named after the key and grants
# only "read-job" and "submit-job". "submit-job" covers every job in that
# namespace, so a token bound to this policy can register or replace any job
# there; keep the capability list this short and do not widen the namespace
# selector.
# The heredoc body is passed to Nomad verbatim, which is why it stays at
# column 0 and carries no comments of its own.
resource "nomad_acl_policy" "deploy" {
  for_each = local.deploy-tokens

  name      = "deploy-${each.key}"
  rules_hcl = <<HCL
namespace "${each.key}" {
capabilities = ["read-job", "submit-job"]
}
HCL
}
# One client-type ACL token per key of local.deploy-tokens, bound only to the
# matching "deploy-<key>" policy. The token is shared by every repository listed
# under that key, so revoking access for one repository means rotating the token
# for all of them.
# The token's secret_id is recorded in the Terraform state; the state backend
# therefore needs the same access control and encryption as the token itself.
resource "nomad_acl_token" "deploy" {
  for_each = local.deploy-tokens

  type     = "client"
  name     = "deploy-${each.key}"
  policies = [nomad_acl_policy.deploy[each.key].name]
}
# Publishes the workspace deploy token to each repository as the Actions secret
# NOMAD_TOKEN.
# transpose() inverts local.deploy-tokens into repo => [workspaces]; only the
# first workspace is used.
# NOTE(review): a repository listed under more than one key silently gets a
# single token, presumably the first key in sorted order. Confirm, and keep each
# repository under exactly one key.
# plaintext_value is kept in the Terraform state alongside the Nomad token, so
# the state must be treated as secret material.
resource "github_actions_secret" "nomad_deploy_token" {
  for_each = {
    for repo_name, workspaces in transpose(local.deploy-tokens) :
    repo_name => workspaces[0]
  }

  repository      = each.key
  secret_name     = "NOMAD_TOKEN"
  plaintext_value = nomad_acl_token.deploy[each.value].secret_id
}