Switch to terraform

terraform/README.md

@@ -0,0 +1,86 @@
+# NetBird IaC
+
+Terraform configuration for managing NetBird VPN resources via GitOps.
+
+## Resources Managed
+
+- **Groups:** ground-stations, pilots, operators, fusion-servers
+- **Policies:** Access control between groups
+- **Setup Keys:** For peer enrollment
+
+## Usage
+
+### Making Changes
+
+1. Edit the relevant `.tf` file
+2. Create a PR
+3. CI runs `terraform plan` - review the changes
+4. Merge PR
+5. CI runs `terraform apply` - changes applied
+
+### Adding a New Group
+
+```hcl
+# groups.tf
+resource "netbird_group" "new_team" {
+  name = "new-team"
+}
+```
+
+### Adding a Setup Key (Per-Ticket)
+
+```hcl
+# setup_keys.tf
+resource "netbird_setup_key" "ticket_1234_pilot" {
+  name        = "ticket-1234-pilot-ivanov"
+  type        = "one-off"
+  auto_groups = [netbird_group.pilots.id]
+  usage_limit = 1
+  ephemeral   = false
+}
+
+# outputs.tf
+output "ticket_1234_pilot_key" {
+  value     = netbird_setup_key.ticket_1234_pilot.key
+  sensitive = true
+}
+```
+
+### Retrieving Setup Keys
+
+After apply, retrieve keys locally:
+
+```bash
+terraform output -raw gs_setup_key
+terraform output -raw pilot_setup_key
+```
+
+## Local Development
+
+```bash
+# Create tfvars (copy from example)
+cp terraform.tfvars.example terraform.tfvars
+# Edit with your NetBird PAT
+
+# Init and plan
+terraform init
+terraform plan
+
+# Apply (be careful!)
+terraform apply
+```
+
+## CI/CD
+
+Configured in `.gitea/workflows/terraform.yml`:
+- PR: `terraform plan`
+- Merge to main: `terraform apply`
+
+Required secrets in Gitea:
+- `NETBIRD_TOKEN`: NetBird PAT
+
+## State Management
+
+State is committed to git (`terraform.tfstate`). This is acceptable for single-operator scenarios but not recommended for production with multiple operators.
+
+For production, configure a remote backend (S3, Terraform Cloud, etc.).