Move aws ses dkim keys into terraform

This commit is contained in:
Tobias Reisinger 2024-10-22 17:44:00 +02:00
parent e17156a8ca
commit 6f9f888478
Signed by: serguzim
GPG key ID: 13AD60C237A28DFE
12 changed files with 95 additions and 20 deletions

.gitignore vendored

@ -3,6 +3,7 @@
types-dnscontrol.d.ts types-dnscontrol.d.ts
dns/hosts.json dns/hosts.json
dns/services.json dns/services.json
dns/dkim-ses.json
secrets.auto.tfvars secrets.auto.tfvars
.terraform .terraform


@ -68,6 +68,24 @@ provider "registry.opentofu.org/goauthentik/authentik" {
] ]
} }
provider "registry.opentofu.org/hashicorp/aws" {
version = "5.72.1"
constraints = "~> 5.0"
hashes = [
"h1:ckDAOn6cqqO2pJ226GYs8gIZif9TRmAuQEqnPL+LCgg=",
"zh:02ee636137e5f8cc9d6900c55a3f3c85e99166b51d17cf96bd62b27182dc7449",
"zh:04877c5ce0a0fef6b355decbfe4941e7d5f22d2b7062cd87f70dafe845d635c7",
"zh:3d129024594dcf2edac180b8276decc946f4f33d653f44d3c04c4c28b3f85dab",
"zh:6fc7ecf746791211d64a38361ce12303dfc3ddf0e609e6d854bc8f3a7f242234",
"zh:8d65352eeba3fef611c90b5161336b0cccf3fed8dc2c710537d6578925e2b189",
"zh:9c99b31104c80d885aad1846e2b2f25371cbc9c23281fb0e213be0101a415f2c",
"zh:b220737d06dc8ef3a6aa32055c1c633d08c27e046b5fb730f93969ef11abb928",
"zh:b741b0e79001765c8d2ffdb569f70c0d8b877b870b660e573f3bb6f42dd55f28",
"zh:d2434f271f261ccd28a85aa15627ee9cfc9c319a48eb6c0aeb1ffaf80b6ede20",
"zh:df4b2338e3e89d66c1697fae9be378db94cb0d7d309c9dc537024cb755b7e21a",
]
}
provider "registry.opentofu.org/hashicorp/random" { provider "registry.opentofu.org/hashicorp/random" {
version = "3.6.3" version = "3.6.3"
hashes = [ hashes = [


@ -20,8 +20,7 @@ PWD := $(shell pwd)
> ./inventory/group_vars/all/opentofu.yml > ./inventory/group_vars/all/opentofu.yml
./dns/hosts.json: .FORCE ./dns/hosts.json: .FORCE
tofu output --json \ tofu output --json hosts \
| jq 'with_entries(.value |= .value).hosts' \
> ./dns/hosts.json > ./dns/hosts.json
./dns/services.json: ./inventory/group_vars/all/all_services.yml ./dns/services.json: ./inventory/group_vars/all/all_services.yml
@ -29,9 +28,16 @@ PWD := $(shell pwd)
-e services_json_file=$(PWD)/dns/services.json \ -e services_json_file=$(PWD)/dns/services.json \
playbooks/create_services_for_dnscontrol.yml playbooks/create_services_for_dnscontrol.yml
./dns/dkim-ses.json: .FORCE
tofu output --json aws_ses_dkim \
> ./dns/dkim-ses.json
output: ./dns/hosts.json ./dns/services.json ./inventory/group_vars/all/opentofu.yml
output-dns: ./dns/hosts.json ./dns/services.json ./dns/dkim-ses.json
output-ansible: ./inventory/group_vars/all/opentofu.yml
output: output-dns output-ansible
./types-dnscontrol.d.ts: ./types-dnscontrol.d.ts:
dnscontrol write-types dnscontrol write-types
@ -41,10 +47,10 @@ tofu:
@printf "\n=====\n\n" @printf "\n=====\n\n"
$(MAKE) output $(MAKE) output
dns: ./types-dnscontrol.d.ts ./dns/hosts.json ./dns/services.json dns: output-dns
dnscontrol push dnscontrol push
dns-check: ./types-dnscontrol.d.ts ./dns/hosts.json ./dns/services.json dns-check: output-dns
dnscontrol check-creds ovh dnscontrol check-creds ovh
all: all:
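Review bot: The new `./dns/dkim-ses.json` recipe redirects `tofu output` straight into the target, so when the command fails (no state, missing AWS credentials) the shell has already truncated the file and `dnsconfig.js` goes on to `require` an empty or partial JSON; `./dns/hosts.json` has the same shape. Writing to a temporary name and renaming only on success avoids that: `tofu output --json aws_ses_dkim > ./dns/dkim-ses.json.tmp \` followed by `&& mv ./dns/dkim-ses.json.tmp ./dns/dkim-ses.json`. Separately, `dns` and `dns-check` now depend only on `output-dns`, which drops the former `./types-dnscontrol.d.ts` prerequisite; if that is intentional (the types file is only for editor support) a short comment on `output-dns` saying so would stop the next reader from re-adding it.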


@ -4,6 +4,7 @@
require('dns/default_records.js'); require('dns/default_records.js');
require('dns/functions.js'); require('dns/functions.js');
var dkim = require('dns/dkim.json'); var dkim = require('dns/dkim.json');
var dkim_ses = require('dns/dkim-ses.json');
var hosts = require('dns/hosts.json'); var hosts = require('dns/hosts.json');
var services_json = require('dns/services.json'); var services_json = require('dns/services.json');
@ -47,11 +48,7 @@ D("msrg.cc", REG_OVH, DnsProvider(DSP_OVH),
SRV("_xmpps-client._tcp", 0, 20, 443, "xmpps.wiuwiu.de."), SRV("_xmpps-client._tcp", 0, 20, 443, "xmpps.wiuwiu.de."),
TXT("xmppconnect", "_xmpp-client-xbosh=https://wiuwiu.de:443/http-bind/"), TXT("xmppconnect", "_xmpp-client-xbosh=https://wiuwiu.de:443/http-bind/"),
verify_amazon_ses([ verify_amazon_ses(dkim_ses["msrg.cc"]),
"rg6sgmw6fr73pucbqz62h25wq2q75iet",
"rjczvv7ab3twf6kfjjzmz5fkhpmyc2j5",
"bxau47qbno4igiwug2xrmwozzk6vwdyv"
]),
// SendGrid DKIM // SendGrid DKIM
CNAME("em2339.holitime", "u26197282.wl033.sendgrid.net."), CNAME("em2339.holitime", "u26197282.wl033.sendgrid.net."),
@ -74,11 +71,7 @@ D("serguzim.me", REG_OVH, DnsProvider(DSP_OVH),
acme_challenge("db", "ca2c86c0-ff3d-458a-89e0-11bcfd2543e4"), acme_challenge("db", "ca2c86c0-ff3d-458a-89e0-11bcfd2543e4"),
acme_challenge("auth", "18a42983-3d19-4c17-8213-fc275a8be721"), acme_challenge("auth", "18a42983-3d19-4c17-8213-fc275a8be721"),
verify_amazon_ses([ verify_amazon_ses(dkim_ses["serguzim.me"]),
"dd4g333vxgahaf3rh3dafdx6g7kq7t7z",
"tbqt7mluvomvsomaj7nuhvs2xl7hd6hg",
"tl2n3zn4jxjodumvqj4jqdavfxznivvd"
]),
verify_dmarc_reports([ verify_dmarc_reports([
"msrg.cc", "msrg.cc",
@ -106,11 +99,7 @@ D("serguzim.me", REG_OVH, DnsProvider(DSP_OVH),
D("reitanlage-oranienburg.de", REG_OVH, DnsProvider(DSP_OVH), D("reitanlage-oranienburg.de", REG_OVH, DnsProvider(DSP_OVH),
all_defaults("reitanlage-oranienburg.de", false), all_defaults("reitanlage-oranienburg.de", false),
verify_amazon_ses([ verify_amazon_ses(dkim_ses["reitanlage-oranienburg.de"]),
"kseozkz37py4ukzg2h2kx7bua5r4yv2v",
"py2qx6nrsfn7r5j4uwwfpc7tgi63u7sn",
"hzmi7t2qcycinuy5edmo5uphohgtkefa"
]),
TXT("default._bimi", "v=BIMI1; l=https://www.reitanlage-oranienburg.de/user/themes/reitanlage-oranienburg/images/bimi.svg") TXT("default._bimi", "v=BIMI1; l=https://www.reitanlage-oranienburg.de/user/themes/reitanlage-oranienburg/images/bimi.svg")
); );
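Review bot: `dkim_ses["msrg.cc"]`, `dkim_ses["serguzim.me"]` and `dkim_ses["reitanlage-oranienburg.de"]` have no guard, so a domain missing from `email_domains` (or a stale `dns/dkim-ses.json`) passes `undefined` to `verify_amazon_ses`. That helper lives in `dns/functions.js`, outside this hunk; if it does not throw on a non-array, the push would emit no DKIM CNAMEs for that zone and remove the existing records, where the old hard-coded arrays could not drift. A lookup that fails loudly keeps the previous guarantee, e.g. `var t = dkim_ses["msrg.cc"]; if (!t) { throw new Error("no SES DKIM tokens for msrg.cc"); }` before each call, or the equivalent inside `verify_amazon_ses`.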

main.tf

@ -1,5 +1,9 @@
terraform { terraform {
required_providers { required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5.0"
}
contabo = { contabo = {
source = "contabo/contabo" source = "contabo/contabo"
version = "~> 0.1.26" version = "~> 0.1.26"
@ -69,6 +73,12 @@ terraform {
} }
} }
provider "aws" {
region = var.aws_region
access_key = var.aws_access_key
secret_key = var.aws_secret_key
}
provider "contabo" { provider "contabo" {
oauth2_client_id = var.contabo_client_id oauth2_client_id = var.contabo_client_id
oauth2_client_secret = var.contabo_client_secret oauth2_client_secret = var.contabo_client_secret
@ -114,6 +124,7 @@ module "infrastructure" {
hosts = var.hosts hosts = var.hosts
services = var.services services = var.services
email_domains = var.email_domains
} }
provider "authentik" { provider "authentik" {
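Review bot: The `provider "aws"` block takes a static `access_key`/`secret_key` pair from tfvars, which puts a long-lived IAM user key on disk next to the other secrets. The provider already resolves credentials from the standard `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` environment variables and the shared config file, so the two attributes could be dropped and the key supplied per run instead of stored. Whichever way it is supplied, the key should carry a policy limited to the SES identity operations this module performs; a comment on the block naming that expectation (`# key only needs SESv2 email-identity permissions`) would document it for whoever provisions the user.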


@ -0,0 +1,4 @@
resource "aws_sesv2_email_identity" "domains" {
for_each = var.email_domains
email_identity = each.value
}
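Review bot: `aws_sesv2_email_identity.domains` sets no `dkim_signing_attributes`, so the DKIM key length falls back to whatever the provider and SES default to, and that default is not visible in this repository. Pinning it makes the choice reviewable and survives a default change: `dkim_signing_attributes { next_signing_key_length = "RSA_2048_BIT" }`. A one-line comment that the module output reads `dkim_signing_attributes[0].tokens` and therefore relies on Easy DKIM (no private key supplied) would also help, since switching to BYODKIM here would break that output.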


@ -1,5 +1,9 @@
terraform { terraform {
required_providers { required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5.0"
}
contabo = { contabo = {
source = "contabo/contabo" source = "contabo/contabo"
version = "~> 0.1.26" version = "~> 0.1.26"


@ -70,3 +70,10 @@ output "scaleway_registry_endpoint_public" {
output "scaleway_registry_endpoint_private" { output "scaleway_registry_endpoint_private" {
value = scaleway_registry_namespace.private.endpoint value = scaleway_registry_namespace.private.endpoint
} }
output "aws_ses_dkim" {
value = {
for key, dkim in aws_sesv2_email_identity.domains : key => dkim.dkim_signing_attributes[0].tokens
}
sensitive = true
}
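Review bot: `sensitive = true` on `aws_ses_dkim` redacts the tokens from plan and plain `tofu output`, but the Makefile fetches this very output with `tofu output --json`, which prints sensitive values in clear, and writes them to `dns/dkim-ses.json`; the tokens are then published as public CNAME names by dnscontrol. The marking therefore costs visibility without protecting anything that stays private; either drop it (the root `output "aws_ses_dkim"` would then no longer need it either) or add a comment stating what it is meant to hide. The `[0]` index on `dkim_signing_attributes` is fine for Easy DKIM but errors if the block is ever empty, which a comment could note.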


@ -41,3 +41,7 @@ variable "hosts" {
datacenter = optional(string) datacenter = optional(string)
})) }))
} }
variable "email_domains" {
type = set(string)
}


@ -41,3 +41,8 @@ output "scaleway_registry_endpoint_public" {
output "scaleway_registry_endpoint_private" { output "scaleway_registry_endpoint_private" {
value = module.infrastructure.scaleway_registry_endpoint_private value = module.infrastructure.scaleway_registry_endpoint_private
} }
output "aws_ses_dkim" {
value = module.infrastructure.aws_ses_dkim
sensitive = true
}


@ -7,6 +7,10 @@ backend_bucket = ""
authentik_token = "" authentik_token = ""
aws_region = ""
aws_access_key = ""
aws_secret_key = ""
contabo_client_id = "" contabo_client_id = ""
contabo_client_secret = "" contabo_client_secret = ""
contabo_user = "" contabo_user = ""
@ -30,3 +34,8 @@ scaleway_secret_key = ""
tailscale_api_key = "" tailscale_api_key = ""
tailscale_tailnet = "" tailscale_tailnet = ""
email_domains = [
"example.com",
]
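Review bot: `email_domains` is configuration rather than a secret, yet it is added to the secrets tfvars template whose real counterpart `secrets.auto.tfvars` is gitignored, so the authoritative list of SES domains is never versioned while `dnsconfig.js` hard-codes the same domain names in its `dkim_ses[...]` lookups. The two can silently diverge, and a domain present in dnsconfig.js but absent here yields an undefined token list. Moving the set into a committed tfvars file, or giving `variable "email_domains"` a default, keeps the list reviewable alongside the DNS config.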


@ -32,6 +32,19 @@ variable "authentik_token" {
} }
variable "aws_region" {
default = "eu-north-1"
}
variable "aws_access_key" {
sensitive = true
}
variable "aws_secret_key" {
sensitive = true
}
variable "contabo_client_id" { variable "contabo_client_id" {
sensitive = true sensitive = true
} }
@ -169,3 +182,7 @@ variable "hosts" {
datacenter = optional(string) datacenter = optional(string)
})) }))
} }
variable "email_domains" {
type = set(string)
}
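Review bot: The new `aws_region`, `aws_access_key` and `aws_secret_key` variables declare no `type`, so any value tofu can convert is accepted, and none of them or `email_domains` carries a `description`; the same applies to the module's `variable "email_domains"`. Adding `type = string` to the three AWS variables and a `description` such as `Domains to register as SES email identities; keys of the aws_ses_dkim output` to `email_domains` documents the contract at the place a caller reads it.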