feat(make): offsite TF token injection + directory inventory + tf-inventory-offsite
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
127ade59a3
commit
07af037ff3
2 changed files with 21 additions and 7 deletions
26
Makefile
26
Makefile
@ -13,18 +13,26 @@ MOLECULE := $(VENV)/bin/molecule
|
|||
VAULT_ARGS :=
|
||||
# Default vault file for edit-vault / check-vault (override with VAULT=<path>).
|
||||
VAULT ?= inventories/production/group_vars/all/vault.yml
|
||||
INVENTORY := -i inventories/production/hosts.yml
|
||||
INVENTORY := -i inventories/production/
|
||||
|
||||
TF := terraform
|
||||
TF_ENV ?= staging
|
||||
MOLECULE_IMAGE := forgejo.nyumbani.baobab.band/sjat/molecule-debian13:latest
|
||||
MOLECULE_DOCKERFILE := .docker/molecule-debian13/Dockerfile
|
||||
|
||||
# For TF_ENV=offsite, source the Hetzner token from the vault into the environment
|
||||
# (rbw must be unlocked). Read in-memory; never written to a tfvars file (CLAUDE.md).
|
||||
ifeq ($(TF_ENV),offsite)
|
||||
TF_TOKEN_ENV := TF_VAR_hcloud_token="$$($(ANSIBLE)-vault view inventories/production/group_vars/all/vault.yml | $(PYTHON) -c 'import sys, yaml; print(yaml.safe_load(sys.stdin)["vault"]["hetzner"]["token"])')"
|
||||
else
|
||||
TF_TOKEN_ENV :=
|
||||
endif
|
||||
|
||||
.DEFAULT_GOAL := help
|
||||
|
||||
.PHONY: help setup collections lint test test-all check deploy encrypt decrypt \
|
||||
edit-vault check-vault new-role \
|
||||
tf-init tf-plan tf-apply tf-output tf-inventory \
|
||||
tf-init tf-plan tf-apply tf-output tf-inventory tf-inventory-offsite \
|
||||
molecule-image molecule-image-push
|
||||
|
||||
help:
|
||||
|
|
@ -49,6 +57,7 @@ help:
|
|||
@echo " make tf-apply [TF_ENV=staging] Apply Terraform changes"
|
||||
@echo " make tf-output [TF_ENV=staging] Print Terraform outputs as JSON"
|
||||
@echo " make tf-inventory [TF_ENV=staging] Regenerate Ansible inventory from Terraform outputs"
|
||||
@echo " make tf-inventory-offsite Generate offsite_hosts inventory (askari) into inventories/production/"
|
||||
@echo ""
|
||||
@echo " TF_ENV defaults to 'staging'. Use TF_ENV=production for production."
|
||||
@echo ""
|
||||
|
|
@ -137,16 +146,16 @@ molecule-image-push: molecule-image
|
|||
# ── Terraform ─────────────────────────────────────────────────────────────────
|
||||
|
||||
tf-init:
|
||||
$(TF) -chdir=terraform/environments/$(TF_ENV) init
|
||||
$(TF_TOKEN_ENV) $(TF) -chdir=terraform/environments/$(TF_ENV) init
|
||||
|
||||
tf-plan:
|
||||
$(TF) -chdir=terraform/environments/$(TF_ENV) plan
|
||||
$(TF_TOKEN_ENV) $(TF) -chdir=terraform/environments/$(TF_ENV) plan
|
||||
|
||||
tf-apply:
|
||||
$(TF) -chdir=terraform/environments/$(TF_ENV) apply
|
||||
$(TF_TOKEN_ENV) $(TF) -chdir=terraform/environments/$(TF_ENV) apply
|
||||
|
||||
tf-output:
|
||||
$(TF) -chdir=terraform/environments/$(TF_ENV) output -json
|
||||
$(TF_TOKEN_ENV) $(TF) -chdir=terraform/environments/$(TF_ENV) output -json
|
||||
|
||||
tf-inventory:
|
||||
ifndef TF_ENV
|
||||
|
|
@ -156,6 +165,11 @@ endif
|
|||
| $(PYTHON) scripts/tf_to_inventory.py > inventories/$(TF_ENV)/hosts.yml
|
||||
@echo "Inventory written to inventories/$(TF_ENV)/hosts.yml"
|
||||
|
||||
tf-inventory-offsite:
|
||||
$(TF_TOKEN_ENV) $(TF) -chdir=terraform/environments/offsite output -json \
|
||||
| $(PYTHON) scripts/tf_to_inventory.py > inventories/production/offsite.yml
|
||||
@echo "Offsite inventory written to inventories/production/offsite.yml"
|
||||
|
||||
# ── Role scaffolding ──────────────────────────────────────────────────────────
|
||||
|
||||
new-role:
|
||||
@ -1,5 +1,5 @@
|
|||
[defaults]
|
||||
inventory = inventories/production/hosts.yml
|
||||
inventory = inventories/production/
|
||||
roles_path = roles
|
||||
collections_path = .collections
|
||||
vault_password_file = scripts/vault-pass-client.sh
|
||||
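Review bot: Pointing `inventory` at the directory `inventories/production/` makes Ansible parse every file it finds there (apart from `group_vars`/`host_vars` and the `inventory_ignore_extensions` set) with every enabled inventory plugin, and the default plugin list includes `script`, which executes any file with the executable bit set as an inventory source. Since `tf-inventory` and `tf-inventory-offsite` now write generated `hosts.yml`/`offsite.yml` into this same directory, a stray editor backup or a file dropped there with mode +x silently becomes part of, or runs during, every play against production. Consider pinning the plugin set under `[inventory]`, e.g. `enable_plugins = yaml` (or `host_list, yaml, ini` if INI files are still used), and/or an `inventory_ignore_patterns` entry so only the intended YAML files are loaded. This file's path is not shown on the page; the `[defaults]` keys and `vault_password_file` make it look like ansible.cfg.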