domain-incoming/apps/wordpress/wordpress_Secret.tf

resource "random_password" "AUTH_KEY" {
  length           = 32
  special          = false
}

resource "random_password" "SECURE_AUTH_KEY" {
  length           = 32
  special          = false
}

resource "random_password" "LOGGED_IN_KEY" {
  length           = 32
  special          = false
}

resource "random_password" "NONCE_KEY" {
  length           = 32
  special          = false
}

resource "random_password" "AUTH_SALT" {
  length           = 32
  special          = false
}

resource "random_password" "SECURE_AUTH_SALT" {
  length           = 32
  special          = false
}

resource "random_password" "LOGGED_IN_SALT" {
  length           = 32
  special          = false
}

resource "random_password" "NONCE_SALT" {
  length           = 32
  special          = false
}

resource "random_password" "ADM_PASS" {
  length           = 18
  special          = false
}

locals {
  sso_config = {
    "${var.sso.name}" = {
      "ssoprotocol" ="oauth"
      "apptype" = "oauth"
      "send_headers" = "1"
      "send_body" = "0"
      "send_state" = 1
      "show_on_login_page" = 1
      "appId" = "other"
      "scope" = "email openid profile"
      "username_attr" = "preferred_username"
      "clientid" = "${module.oauth2.client_id}"
      "clientsecret" = "${module.oauth2.client_secret}"
      "redirecturi" = "https://${local.dns_name}"
      "authorizeurl" = "${module.oauth2.sso_authorize_url}"
      "accesstokenurl" = "${module.oauth2.sso_token_url}"
      "resourceownerdetailsurl" = "${module.oauth2.sso_userinfo_url}"
    }
  }
}
resource "kubectl_manifest" "secret" {
  yaml_body  = <<-EOF
    apiVersion: v1
    kind: Secret
    metadata:
      name: "${var.instance}-${var.component}"
      labels: ${jsonencode(local.secret_labels)}
      namespace: ${var.namespace}
    stringData:
      WORDPRESS_SSO_CONFIG: "${replace(jsonencode(local.sso_config),"\"","\\\"")}"
      WORDPRESS_AUTH_KEY: "${random_password.AUTH_KEY.result}"
      WORDPRESS_SECURE_AUTH_KEY: "${random_password.SECURE_AUTH_KEY.result}"
      WORDPRESS_LOGGED_IN_KEY: "${random_password.LOGGED_IN_KEY.result}"
      WORDPRESS_NONCE_KEY: "${random_password.NONCE_KEY.result}"
      WORDPRESS_AUTH_SALT: "${random_password.AUTH_SALT.result}"
      WORDPRESS_SECURE_AUTH_SALT: "${random_password.SECURE_AUTH_SALT.result}"
      WORDPRESS_LOGGED_IN_SALT: "${random_password.LOGGED_IN_SALT.result}"
      WORDPRESS_NONCE_SALT: "${random_password.NONCE_SALT.result}"
      WORDPRESS_DB_PASSWORD: "${random_password.mysql_comp_pass.result}"
      WORDPRESS_ADMIN_NAME: "${var.config.admin_name}"
      WORDPRESS_ADMIN_PASSWORD: "${random_password.ADM_PASS.result}"
EOF
}

resource "kubectl_manifest" "pre_backup_sa" {
  count = var.backups.enable?1:0
  ignore_fields = ["metadata.annotations"]
  yaml_body  = <<-EOF
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: "${var.instance}-${var.component}-backup-secret"
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.secrets_labels)}
  EOF
}

resource "kubectl_manifest" "pre_backup_role" {
  count = var.backups.enable?1:0
  ignore_fields = ["metadata.annotations"]
  yaml_body  = <<-EOF
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: "${var.instance}-${var.component}-backup-secret"
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.secrets_labels)}
    rules:
    - apiGroups:
      - ""
      resources:
      - secrets
      verbs:
      - get
      - list
  EOF
}

resource "kubectl_manifest" "pre_backup_rb" {
  count = var.backups.enable?1:0
  ignore_fields = ["metadata.annotations"]
  yaml_body  = <<-EOF
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: "${var.instance}-${var.component}-backup-secret"
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.secrets_labels)}
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: ${kubectl_manifest.pre_backup_role[count.index].name}
    subjects:
    - kind: ServiceAccount
      name: ${kubectl_manifest.pre_backup_sa[count.index].name}
      namespace: "${var.namespace}"
  EOF
}

resource "kubectl_manifest" "pre_backup_pod_secret" {
  count = var.backups.enable?1:0
  ignore_fields = ["metadata.annotations"]
  yaml_body  = <<-EOF
    apiVersion: k8up.io/v1
    kind: PreBackupPod
    metadata:
      name: "${var.instance}-${var.component}-secret"
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.secrets_labels)}
    spec:
      backupCommand: kubectl get secrets -o yaml -l k8up.io/backup=true
      pod:
        spec:
          containers:
          - command:
            - cat
            env:
            - name: MYSQL_PWD
              valueFrom:
                secretKeyRef:
                  key:  password
                  name: "${var.component}-${var.instance}"
            image: "${var.images.kubectl.registry}/${var.images.kubectl.repository}:${var.images.kubectl.tag}"
            imagePullPolicy: "${var.images.kubectl.pull_policy}"
            name: secret
            tty: true
          serviceAccount: backup-secret
          serviceAccountName: backup-secret
  EOF
}