From eed1456d3c549e4015abeeaf2bb60de837965ad4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Franti=C5=A1ek=20Dvo=C5=99=C3=A1k?= <valtri@civ.zcu.cz>
Date: Sun, 28 Feb 2021 05:03:04 +0100
Subject: [PATCH] Move generating of the secrets to terraform

---
 deploy.tf                   | 14 +++++++++++---
 launch.sh                   | 12 ------------
 secrets.auto.tfvars.example |  5 -----
 3 files changed, 11 insertions(+), 20 deletions(-)
 delete mode 100644 secrets.auto.tfvars.example

diff --git a/deploy.tf b/deploy.tf
index bed6ab3..db58a8e 100644
--- a/deploy.tf
+++ b/deploy.tf
@@ -135,8 +135,12 @@ resource "openstack_compute_volume_attach_v2" "volume-attach" {
 	volume_id   = openstack_blockstorage_volume_v3.volume[count.index].id
 }
 
-variable "secrets" {
-	type = map(string)
+resource "random_password" "secrets" {
+	count = 3
+	length = "36"
+	keepers = {
+		masterid = openstack_compute_instance_v2.server[0].id
+	}
 }
 
 output "config" {
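Review bot: The three `random_password` results are persisted in plain text in the Terraform state file, whereas the generation code this commit removes from `launch.sh` kept the values in a `chmod 0600` tfvars file; no backend or state-file protection is visible in the diff, so the state needs equivalent handling (0600 permissions, kept out of version control, or an encrypted remote backend), and a comment on the resource such as `# results live in terraform state - protect the state file` would record that. `random_password` also defaults to `special = true`, so the values can contain characters like `$`, `'` or `"` that the old base64 output (A-Za-z0-9+/=) never produced; if the consumers of the Kerberos passwords or the HTTP signature secret interpolate them into shell commands or config files, add `special = false` (or a restricted `override_special`) to keep the previous character class. The `keepers` entry appears to regenerate all three secrets whenever the master instance at index 0 is replaced, which is worth a comment if intended. Minor: `length = "36"` is a string where the provider expects a number; Terraform coerces it, but `length = 36` is the idiomatic form.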
@@ -147,7 +151,11 @@ output "config" {
 		master_hostname = var.master_hostname,
 		node_hostname = var.node_hostname,
 		type = var.type,
-		secrets = var.secrets,
+		secrets = {
+			http_signature_secret = random_password.secrets[0].result,
+			kerberos_admin_password = random_password.secrets[1].result,
+			kerberos_master_password = random_password.secrets[2].result,
+		},
 		volumes = var.volumes,
 	}
 	sensitive = true
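Review bot: `sensitive = true` only redacts the human-readable `terraform output` display; `terraform output -json` and the state file still return the three generated passwords verbatim, so whatever consumes the `config` output (presumably the caller of `launch.sh`, which is not shown) must treat it as secret material and not echo it into logs. A short comment above the `secrets` map would make this explicit, e.g. `# generated by random_password; readable via terraform output -json and in state`. The closing brace of the `output "config"` block lies outside this hunk.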
diff --git a/launch.sh b/launch.sh
index 383772d..5abc307 100755
--- a/launch.sh
+++ b/launch.sh
@@ -2,18 +2,6 @@
 
 TERRAFORM="`PATH=$PATH:. which terraform`"
 
-if [ ! -s ./secrets.auto.tfvars ]; then
-	touch ./secrets.auto.tfvars
-	chmod 0600 ./secrets.auto.tfvars
-	{
-		echo 'secrets = {'
-		for k in kerberos_master_password kerberos_admin_password http_signature_secret; do
-			echo "	$k = \"`dd if=/dev/random bs=27 count=1 2>/dev/null | base64 -`\""
-		done
-		echo "}"
-	} >> ./secrets.auto.tfvars
-fi
-
 $TERRAFORM init >/dev/null
 
 $TERRAFORM apply -auto-approve "$@"
diff --git a/secrets.auto.tfvars.example b/secrets.auto.tfvars.example
deleted file mode 100644
index 6a513a7..0000000
--- a/secrets.auto.tfvars.example
+++ /dev/null
@@ -1,5 +0,0 @@
-secrets = {
-	kerberos_master_password = "SECRET"
-	kerberos_admin_password = "SECRET"
-	http_signature_secret = "SECRET"
-}
-- 
GitLab