feat: use cloud secret for DNS token in scaletest TF #19466
Conversation
bf1837e to d160d09
I actually had this in #19412, but mine doesn't let you override with a var, and uses a slightly different* data source to pull the token, i'll update mine to match and we can merge this.
* This is similar to the google_secret_manager_secret_version data source, but it only requires the Secret Manager Secret Accessor role.
```hcl
variable "cloudflare_zone_id" {
  description = "Cloudflare zone ID."
  default     = "scaletest.dev"
}
```
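Review bot: the default for `cloudflare_zone_id` is a DNS zone name, not a Cloudflare zone ID (zone IDs are 32-character hex strings), so anything that passes this value to the Cloudflare API as a zone ID will fail unless the caller always overrides it. Either drop the default and require the caller to supply the real ID, or, as the PR description says the final version does, remove the variable and resolve the ID from the zone name through a data source.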
We haven't mentioned this domain publicly anywhere else, could omit it here?
Also, just realising, we should probably not use a hardcoded password on these coder deployments, now that they're accessible on the public web.
They've always been accessible on the public web.
I agree we shouldn't use a hardcoded password; didn't realize we did. coder/internal#932
Beyond the scope of this PR.
We haven't mentioned this domain publicly anywhere else, could omit it here?
If we're cagey about leaking details like this, we should move all this terraform into a private repo. We have an obvious choice in coder/scaletest
I do think we should move it to a private repo. I haven't heard of any customers using it, and a lot of it was clickops'd anyways so I don't see the point of keeping the Terraform public
I think we definitely should move it 💯
Removes the requirement to obtain a Cloudflare DNS token for our scaletest/terraform/action builds. Instead, by default, we pull the token from Google Secret Manager and use the scaletest.dev DNS domain.

Removes cloudflare_email as this was unneeded.

Removes the cloudflare_zone_id and instead pulls it from a data source via the Cloudflare API.

closes coder/internal#839
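The pattern the description sketches (read the Cloudflare token from Secret Manager unless a variable overrides it, and resolve the zone ID through the Cloudflare API instead of hardcoding it), written out as an added example. This is not the scaletest Terraform from the PR; the variable names, the secret name `cloudflare-dns-token`, the project ID `my-project` and the zone name `example.com` are placeholders I chose. It uses the `google_secret_manager_secret_version_access` data source mentioned in the review above, which only needs the Secret Manager Secret Accessor role on the secret.

```hcl
# Added example, not the project's own configuration. Placeholder names:
# "cloudflare-dns-token", "my-project" and "example.com" are assumptions.

terraform {
  required_providers {
    google = {
      source = "hashicorp/google"
    }
    cloudflare = {
      source  = "cloudflare/cloudflare"
      version = "~> 4.0" # cloudflare_zone lookup by name is the v4 schema
    }
  }
}

variable "cloudflare_api_token" {
  description = "Cloudflare API token with DNS edit rights. Leave empty to read it from Secret Manager."
  type        = string
  default     = ""
  sensitive   = true # keeps the value out of plan output and CLI logs
}

variable "cloudflare_zone_name" {
  description = "DNS zone that records are created in (placeholder default)."
  type        = string
  default     = "example.com"
}

variable "project_id" {
  description = "GCP project holding the secret (placeholder default)."
  type        = string
  default     = "my-project"
}

# Only instantiated when no token was passed in. This data source needs just
# roles/secretmanager.secretAccessor, unlike google_secret_manager_secret_version,
# which also needs permission to read the secret resource metadata.
data "google_secret_manager_secret_version_access" "cloudflare_dns_token" {
  count   = var.cloudflare_api_token == "" ? 1 : 0
  project = var.project_id
  secret  = "cloudflare-dns-token" # placeholder secret name
  version = "latest"
}

locals {
  # one() turns the zero-or-one element list into a value or null, and
  # coalesce() prefers the explicit variable over the Secret Manager value.
  # If neither is set, coalesce() fails the plan with a clear error instead of
  # configuring the provider with an empty token.
  cloudflare_api_token = coalesce(
    var.cloudflare_api_token,
    one(data.google_secret_manager_secret_version_access.cloudflare_dns_token[*].secret_data),
  )
}

provider "cloudflare" {
  api_token = local.cloudflare_api_token
}

# Resolve the zone ID from the zone name rather than carrying it in a variable.
data "cloudflare_zone" "dns" {
  name = var.cloudflare_zone_name
}

output "cloudflare_zone_id" {
  description = "Zone ID resolved from the zone name via the Cloudflare API."
  value       = data.cloudflare_zone.dns.id
}
```

`terraform apply` with no extra flags reads the token from Secret Manager using the caller's GCP credentials; `terraform apply -var cloudflare_api_token=...` skips the Secret Manager lookup entirely, because `count` becomes 0 and the data source is never read. Marking the variable `sensitive` does not protect the value in state, so the state backend itself still needs to be access-controlled.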