[ci skip] phase 5+6: update CI pipelines for SOPS, add sensitive=true to secret vars

Phase 5 — CI pipelines: - default.yml: add SOPS decrypt in prepare step, change git add . to specific paths (stacks/ state/ .woodpecker/), cleanup on success+failure - renew-tls.yml: change git add . to git add secrets/ state/ Phase 6 — sensitive=true: - Add sensitive = true to 256 variable declarations across 149 stack files - Prevents secret values from appearing in terraform plan output - Does NOT modify shared modules (ingress_factory, nfs_volume) to avoid breaking module interface contracts Note: CI pipeline SOPS decryption requires sops_age_key Woodpecker secret to be created before the pipeline will work with SOPS. Until then, the old terraform.tfvars path continues to function.
2026-03-07 14:30:36 +00:00 · 2026-03-07 14:30:36 +00:00 · 1f2c1ca361
commit 1f2c1ca361
parent fb1347a130
146 changed files with 921 additions and 186 deletions
--- a/stacks/platform/modules/crowdsec/main.tf
+++ b/stacks/platform/modules/crowdsec/main.tf
@ -3,9 +3,15 @@ variable "homepage_username" {}
 variable "homepage_password" {}
 variable "db_password" {}
 variable "enroll_key" {}
-variable "crowdsec_dash_api_key" { type = string }          # used for web dash
+variable "crowdsec_dash_api_key" {
+  type = string
+  sensitive = true
+}
 variable "crowdsec_dash_machine_id" { type = string }       # used for web dash
-variable "crowdsec_dash_machine_password" { type = string } # used for web dash
+variable "crowdsec_dash_machine_password" {
+  type = string
+  sensitive = true
+}
 variable "tier" { type = string }
 variable "slack_webhook_url" { type = string }
 variable "mysql_host" { type = string }
--- a/stacks/platform/modules/dbaas/main.tf
+++ b/stacks/platform/modules/dbaas/main.tf
@ -12,7 +12,10 @@ variable "prod" {
  type    = bool
 }
 variable "nfs_server" { type = string }
-variable "kube_config_path" { type = string }
+variable "kube_config_path" {
+  type = string
+  sensitive = true
+}

 resource "kubernetes_namespace" "dbaas" {
  metadata {
--- a/stacks/platform/modules/mailserver/roundcubemail.tf
+++ b/stacks/platform/modules/mailserver/roundcubemail.tf
@ -1,4 +1,7 @@
-variable "roundcube_db_password" { type = string }
+variable "roundcube_db_password" {
+  type = string
+  sensitive = true
+}
 variable "mysql_host" { type = string }

 module "nfs_roundcube_html" {
--- a/stacks/platform/modules/monitoring/main.tf
+++ b/stacks/platform/modules/monitoring/main.tf
@ -8,13 +8,29 @@ variable "idrac_username" {
 }
 variable "idrac_password" {
  default = "calvin"
+  sensitive = true
 }
 variable "alertmanager_slack_api_url" {}
-variable "tiny_tuya_service_secret" { type = string }
-variable "haos_api_token" { type = string }
-variable "pve_password" { type = string }
-variable "grafana_db_password" { type = string }
-variable "grafana_admin_password" { type = string }
+variable "tiny_tuya_service_secret" {
+  type = string
+  sensitive = true
+}
+variable "haos_api_token" {
+  type = string
+  sensitive = true
+}
+variable "pve_password" {
+  type = string
+  sensitive = true
+}
+variable "grafana_db_password" {
+  type = string
+  sensitive = true
+}
+variable "grafana_admin_password" {
+  type = string
+  sensitive = true
+}
 variable "tier" { type = string }
 variable "mysql_host" { type = string }

--- a/stacks/platform/modules/reverse_proxy/factory/main.tf
+++ b/stacks/platform/modules/reverse_proxy/factory/main.tf
@ -17,6 +17,7 @@ variable "protected" {
 variable "ingress_path" {
  type    = list(string)
  default = ["/"]
+  sensitive = true
 }
 variable "max_body_size" {
  type    = string
--- a/stacks/platform/modules/technitium/main.tf
+++ b/stacks/platform/modules/technitium/main.tf
@ -5,7 +5,10 @@ variable "technitium_db_password" {}
 variable "nfs_server" { type = string }
 variable "mysql_host" { type = string }
 variable "technitium_username" { type = string }
-variable "technitium_password" { type = string }
+variable "technitium_password" {
+  type = string
+  sensitive = true
+}

 resource "kubernetes_namespace" "technitium" {
  metadata {
--- a/stacks/platform/modules/traefik/main.tf
+++ b/stacks/platform/modules/traefik/main.tf
@ -1,5 +1,8 @@
 variable "tier" { type = string }
-variable "crowdsec_api_key" { type = string }
+variable "crowdsec_api_key" {
+  type = string
+  sensitive = true
+}
 variable "redis_host" { type = string }
 variable "tls_secret_name" {}
 variable "auth_fallback_htpasswd" {
--- a/stacks/platform/modules/vpa/main.tf
+++ b/stacks/platform/modules/vpa/main.tf
@ -1,4 +1,7 @@
-variable "tls_secret_name" { type = string }
+variable "tls_secret_name" {
+  type = string
+  sensitive = true
+}
 variable "tier" { type = string }

 resource "kubernetes_namespace" "vpa" {
--- a/stacks/platform/modules/xray/main.tf
+++ b/stacks/platform/modules/xray/main.tf
@ -1,7 +1,10 @@
 variable "tls_secret_name" {}
 variable "tier" { type = string }
 variable "xray_reality_clients" { type = list(map(string)) }
-variable "xray_reality_private_key" { type = string }
+variable "xray_reality_private_key" {
+  type = string
+  sensitive = true
+}
 variable "xray_reality_short_ids" { type = list(string) }

 # Github repo - https://github.com/teddysun/across/blob/master/docker/xray/README.md