tf: store hydra credentials in state via numtide/secret

terraform/common.nix

@@ -0,0 +1,7 @@
+{
+  # Until we get some kind of KMS operational, store secrets in the state file.
+  terraform.required_providers.secret = {
+    version = "~> 1.2.1";
+    source = "numtide/secret";
+  };
+}

terraform/default.nix

@@ -1,5 +1,6 @@
 {
   imports = [
+    ./common.nix
     ./hydra.nix
     ./state.nix
   ];

terraform/hydra.nix

@@ -1,6 +1,6 @@
 { lib, config, ... }:
 let
-  inherit (lib) mkEnableOption mkIf types mkOption;
+  inherit (lib) mkEnableOption mkIf types mkOption tf;
   cfg = config.bagel.hydra;
 in
 {
@@ -14,9 +14,12 @@ in
       source = "DeterminateSystems/hydra";
     };
 
+    resource.secret_resource.hydra_password.lifecycle.prevent_destroy = true;
+
     provider.hydra = {
       host = "https://hydra.bagel.delroth.net";
-      # username/password are provided via HYDRA_USERNAME/HYDRA_PASSWORD
+      username = "terraform";
+      password = tf.ref "resource.secret_resource.hydra_password.value";
     };
 
     resource.hydra_project.forkos = {