Vault terraform (#198)

* telemetry adjustments

* adding vault backend terraform to cluster create flow

Signed-off-by: johndietz <john@kubefirst.com>

cmd/create.go

@@ -234,7 +234,7 @@ to quickly create a Cobra application.`,
 			informUser("waiting for vault unseal")
 
 			log.Println("configuring vault")
-			vault.ConfigureVault(dryRun)
+			vault.ConfigureVault(dryRun, true)
 			informUser("Vault configured")
 			progressPrinter.IncrementTracker("step-vault", 1)
 
@@ -369,6 +369,17 @@ to quickly create a Cobra application.`,
 		}
 
 		//!--
+
+		if !skipVault {
+			progressPrinter.AddTracker("step-vault-be", "Configure Vault Backend", 1)
+			log.Println("configuring vault backend")
+			vault.ConfigureVault(dryRun, false)
+			informUser("Vault backend configured")
+			progressPrinter.IncrementTracker("step-vault-be", 1)
+		}
+
+
+
 
 		sendCompleteInstallTelemetry(dryRun, useTelemetry)
 		time.Sleep(time.Millisecond * 100)

internal/vault/vault.go

@@ -39,79 +39,85 @@ func GetVaultRootToken(vaultSecretClient coreV1Types.SecretInterface) (string, e
 	return vaultRootToken, nil
 }
 
-func ConfigureVault(dryRun bool) {
+func ConfigureVault(dryRun bool, bootstrapOnly bool) {
 	config := configs.ReadConfig()
-	if !viper.GetBool("create.terraformapplied.vault") {
-		if dryRun {
-			log.Printf("[#99] Dry-run mode, configureVault skipped.")
-			return
-		}
-		// ```
-		// NOTE: the terraform here produces unnecessary $var.varname vars in the atlantis secret for nonsensitive values
-		// the following atlantis secrets shouldn't have vars in the gitops source code for the atlantis secret, they
-		// should look like us-east-1, in flat string code as non-sensitive vals - refactor soon.
-		// "TF_VAR_aws_region": "us-east-1",
-		// "TF_VAR_aws_account_id": "${var.aws_account_id}",
-		// "TF_VAR_email_address": "${var.email_address}",
-		// "TF_VAR_hosted_zone_id": "${var.hosted_zone_id}",
-		// "TF_VAR_hosted_zone_name": "${var.hosted_zone_name}",
-		// "TF_VAR_vault_addr": "${var.vault_addr}",
-		// ```
-		// ... obviously keep the sensitive values bound to vars
-
-		vaultToken := viper.GetString("vault.token")
-		var kPortForwardOutb, kPortForwardErrb bytes.Buffer
-		kPortForward := exec.Command(config.KubectlClientPath, "--kubeconfig", config.KubeConfigPath, "-n", "vault", "port-forward", "svc/vault", "8200:8200")
-		kPortForward.Stdout = &kPortForwardOutb
-		kPortForward.Stderr = &kPortForwardErrb
-		err := kPortForward.Start()
-		defer kPortForward.Process.Signal(syscall.SIGTERM)
-		if err != nil {
-			log.Printf("Commad Execution STDOUT: %s", kPortForwardOutb.String())
-			log.Printf("Commad Execution STDERR: %s", kPortForwardErrb.String())
-			log.Panicf("error: failed to port-forward to vault namespce svc/vault %s", err)
-		}
-
-		// Prepare for terraform vault execution
-		envs := map[string]string{}
-		envs["VAULT_ADDR"] = "http://localhost:8200" //Should this come from init?
-		envs["VAULT_TOKEN"] = vaultToken
-		envs["AWS_SDK_LOAD_CONFIG"] = "1"
-		envs["AWS_PROFILE"] = viper.GetString("aws.profile")
-		envs["AWS_DEFAULT_REGION"] = viper.GetString("aws.region")
-
-		envs["TF_VAR_vault_addr"] = fmt.Sprintf("https://vault.%s", viper.GetString("aws.hostedzonename"))
-		envs["TF_VAR_aws_account_id"] = viper.GetString("aws.accountid")
-		envs["TF_VAR_aws_region"] = viper.GetString("aws.region")
-		envs["TF_VAR_email_address"] = viper.GetString("adminemail")
-		envs["TF_VAR_gitlab_runner_token"] = viper.GetString("gitlab.runnertoken")
-		envs["TF_VAR_gitlab_token"] = viper.GetString("gitlab.token")
-		envs["TF_VAR_hosted_zone_id"] = viper.GetString("aws.domainid")
-		envs["TF_VAR_hosted_zone_name"] = viper.GetString("aws.hostedzonename")
-		envs["TF_VAR_vault_token"] = vaultToken
-		envs["TF_VAR_vault_redirect_uris"] = "[\"will-be-patched-later\"]"
-
-		directory := fmt.Sprintf("%s/gitops/terraform/vault", config.K1FolderPath)
-		err = os.Chdir(directory)
-		if err != nil {
-			log.Panicf("error: could not change directory to " + directory)
-		}
+	if dryRun {
+		log.Printf("[#99] Dry-run mode, configureVault skipped.")
+		return
+	}
+	// ```
+	// NOTE: the terraform here produces unnecessary $var.varname vars in the atlantis secret for nonsensitive values
+	// the following atlantis secrets shouldn't have vars in the gitops source code for the atlantis secret, they
+	// should look like us-east-1, in flat string code as non-sensitive vals - refactor soon.
+	// "TF_VAR_aws_region": "us-east-1",
+	// "TF_VAR_aws_account_id": "${var.aws_account_id}",
+	// "TF_VAR_email_address": "${var.email_address}",
+	// "TF_VAR_hosted_zone_id": "${var.hosted_zone_id}",
+	// "TF_VAR_hosted_zone_name": "${var.hosted_zone_name}",
+	// "TF_VAR_vault_addr": "${var.vault_addr}",
+	// ```
+	// ... obviously keep the sensitive values bound to vars
+
+	vaultToken := viper.GetString("vault.token")
+	var kPortForwardOutb, kPortForwardErrb bytes.Buffer
+	kPortForward := exec.Command(config.KubectlClientPath, "--kubeconfig", config.KubeConfigPath, "-n", "vault", "port-forward", "svc/vault", "8200:8200")
+	kPortForward.Stdout = &kPortForwardOutb
+	kPortForward.Stderr = &kPortForwardErrb
+	err := kPortForward.Start()
+	defer kPortForward.Process.Signal(syscall.SIGTERM)
+	if err != nil {
+		log.Printf("Commad Execution STDOUT: %s", kPortForwardOutb.String())
+		log.Printf("Commad Execution STDERR: %s", kPortForwardErrb.String())
+		log.Panicf("error: failed to port-forward to vault namespce svc/vault %s", err)
+	}
 
-		err = pkg.ExecShellWithVars(envs, config.TerraformPath, "init")
-		if err != nil {
-			log.Panicf("error: terraform init failed %s", err)
-		}
+	// Prepare for terraform vault execution
+	envs := map[string]string{}
+	envs["VAULT_ADDR"] = "http://localhost:8200" //Should this come from init?
+	envs["VAULT_TOKEN"] = vaultToken
+	envs["AWS_SDK_LOAD_CONFIG"] = "1"
+	envs["AWS_PROFILE"] = viper.GetString("aws.profile")
+	envs["AWS_DEFAULT_REGION"] = viper.GetString("aws.region")
+
+	envs["TF_VAR_vault_addr"] = fmt.Sprintf("https://vault.%s", viper.GetString("aws.hostedzonename"))
+	envs["TF_VAR_aws_account_id"] = viper.GetString("aws.accountid")
+	envs["TF_VAR_aws_region"] = viper.GetString("aws.region")
+	envs["TF_VAR_email_address"] = viper.GetString("adminemail")
+	envs["TF_VAR_gitlab_runner_token"] = viper.GetString("gitlab.runnertoken")
+	envs["TF_VAR_gitlab_token"] = viper.GetString("gitlab.token")
+	envs["TF_VAR_hosted_zone_id"] = viper.GetString("aws.domainid")
+	envs["TF_VAR_hosted_zone_name"] = viper.GetString("aws.hostedzonename")
+	envs["TF_VAR_vault_token"] = vaultToken
+	envs["TF_VAR_vault_redirect_uris"] = "[\"will-be-patched-later\"]"
+
+	directory := fmt.Sprintf("%s/gitops/terraform/vault", config.K1FolderPath)
+	err = os.Chdir(directory)
+	if err != nil {
+		log.Panicf("error: could not change directory to " + directory)
+	}
 
-		err = pkg.ExecShellWithVars(envs, config.TerraformPath, "apply", "-target", "module.bootstrap", "-auto-approve")
-		if err != nil {
-			log.Panicf("error: terraform apply failed %s", err)
+	err = pkg.ExecShellWithVars(envs, config.TerraformPath, "init")
+	if err != nil {
+		log.Panicf("error: terraform init failed %s", err)
+	}
+	if bootstrapOnly {
+		if !viper.GetBool("create.terraformapplied.vault") {
+			err = pkg.ExecShellWithVars(envs, config.TerraformPath, "apply", "-target", "module.bootstrap", "-auto-approve")
+			if err != nil {
+				log.Panicf("error: terraform apply failed %s", err)
+			}
+			viper.Set("create.terraformapplied.vault", true)
 		}
-
-		viper.Set("create.terraformapplied.vault", true)
-		viper.WriteConfig()
 	} else {
-		log.Println("Skipping: configureVault")
+		if !viper.GetBool("create.terraformapplied.vaultbackend") {
+			err = pkg.ExecShellWithVars(envs, config.TerraformPath, "apply", "-auto-approve")
+			if err != nil {
+				log.Panicf("error: terraform apply failed %s", err)
+			}
+		}
+		viper.Set("create.terraformapplied.vaultbackend", true)
 	}
+	viper.WriteConfig()
 }
 
 func AddGitlabOidcApplications(dryRun bool) {