Makefile: use sops only when needed

2023-05-06 16:35:46 -04:00 · 2023-05-06 16:35:46 -04:00 · 6fb97a7b8e
parent 64d3385291
commit 6fb97a7b8e
1 changed files with 19 additions and 6 deletions
--- a/25
+++ b/25
@ -6,6 +6,7 @@ ENVIRONMENT := production
 REGION := sfo3
 ROOT_DIR := $(shell pwd)
 TERRAFORM := $(ROOT_DIR)/out/terraform
+SOPS := $(ROOT_DIR)/out/sops
 KEYS := \
 	6B61ECD76088748C70590D55E90A401336C8AAA9 \
 	88823A75ECAA786B0FF38B148E401478A3FBEF72 \
@ -59,29 +60,41 @@ infra/main/.terraform: | \

 infra/backend/$(ENVIRONMENT).tfstate: \
 	$(OUT_DIR)/terraform \
+	$(OUT_DIR)/sops \
 	infra/backend/.terraform
-	env -C infra/backend $(TERRAFORM) apply \
+	$(SOPS) exec-env secrets/production.enc.env '\
+		env -C infra/backend \
+		$(TERRAFORM) apply \
 		-var environment=$(ENVIRONMENT) \
 		-var namespace=$(ENVIRONMENT) \
 		-var region=$(REGION) \
-		-state ../../$@
+		-state ../../$@ \
+		'

 config/$(ENVIRONMENT).tfbackend: | \
 	$(OUT_DIR)/terraform
+	$(OUT_DIR)/sops \
 	# File is not committed and this has no shared state
 	$(MAKE) infra/backend/$(ENVIRONMENT).tfstate
-	env -C infra/backend $(TERRAFORM) \
+	$(SOPS) exec-env secrets/production.enc.env '\
+		env -C infra/backend \
+		$(TERRAFORM) \
 		output -state ../../$< \
-		> $@
+		> $@ \
+		'

 .PHONY:
 apply: \
 	$(OUT_DIR)/terraform \
+	$(OUT_DIR)/sops \
 	infra/main/.terraform
-	env -C infra/main $(TERRAFORM) apply \
+	$(SOPS) exec-env secrets/production.enc.env '\
+		env -C infra/main \
+		$(TERRAFORM) apply \
 		-var environment=$(ENVIRONMENT) \
 		-var namespace=$(ENVIRONMENT) \
-		-var region=$(REGION)
+		-var region=$(REGION) \
+		'

 $(CACHE_DIR)/secrets:
 	mkdir -p $@