feat(github): add Cloudflare secrets for www repo

Add CLOUDFLARE_ZONE_ID and CLOUDFLARE_API_TOKEN secrets to be
pushed to www repository for cache purge workflow integration.

Note: Secrets in secrets.yaml need to be encrypted with sops
before terraform apply.

Author: xnoto

main.tf

@@ -57,7 +57,17 @@ locals {
     }
     "www_secret_access_key" = {
       name         = "AWS_SECRET_ACCESS_KEY"
-      value        = data.sops_file.secret_vars.data["www_aws_secret_access_key"]
+      value        = data.sops_file.secret_vars.data["www_secret_access_key"]
+      repositories = ["www"]
+    }
+    "cloudflare_zone_id" = {
+      name         = "CLOUDFLARE_ZONE_ID"
+      value        = data.sops_file.secret_vars.data["cloudflare_zone_id"]
+      repositories = ["www"]
+    }
+    "cloudflare_api_token" = {
+      name         = "CLOUDFLARE_API_TOKEN"
+      value        = data.sops_file.secret_vars.data["cloudflare_api_token"]
       repositories = ["www"]
     }
     "cloudflare_auth_client_id" = {

secrets/secrets.yaml

@@ -23,6 +23,10 @@ www_aws_region: ENC[AES256_GCM,data:FGG18pa8W54s,iv:XONX1alV5yMSmSZqihE7K2snoPMW
 www_s3_bucket: ENC[AES256_GCM,data:ovdb1LxW/Gow0UwyF37QLw==,iv:GxN692DPExJ1YiayL3+cFjZMfLZ3xqr7jGSASylSbHc=,tag:JiaCAZJ9PPFIWfUMJqOH0g==,type:str]
 www_aws_access_key_id: ENC[AES256_GCM,data:5bkGYnDRQ4jpV8s6rmJOPYQivyU=,iv:j+JqaXs+POLKIO4y/fptIgTfFlqdp2SoVMq7DhcfWlc=,tag:OtNAaCOuSSiuQdDBJSQ8eA==,type:str]
 www_aws_secret_access_key: ENC[AES256_GCM,data:x9stZafuvAyiJ5Cr2YdvYasf8uYtW/zCgik1TW0y6DIJeNToQevuIA==,iv:NLvUGqAqwPSOAhEbVuNShR/4ROAwI6rXVlaRKcFg0Jo=,tag:A2YjBVM1ly6d/um8icVGFA==,type:str]
+# TODO: Encrypt these values with `sops encrypt -i secrets.yaml`
+# Values should match those in tfroot-cloudflare/secrets/secrets.yaml
+cloudflare_zone_id: PLACEHOLDER_ENCRYPT_WITH_SOPS
+cloudflare_api_token: PLACEHOLDER_ENCRYPT_WITH_SOPS
 sops:
     age:
         - recipient: age152ek83tm4fj5u70r3fecytn4kg7c5xca24erjchxexx4pfqg6das7q763l