viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix woodpecker sync script: escape $ and %{} for HCL heredoc

Browse source 
HCL heredocs always interpolate — use $$ for literal $ and
%%{} for literal %{}. Fixes terraform plan errors.
This commit is contained in:
Viktor Barzin 2026-03-15 19:37:00 +00:00
parent 0f262ceda3
commit 1ffce19611
1 changed files with 22 additions and 22 deletions
Download patch file Download diff file Expand all files Collapse all files

44
stacks/woodpecker/main.tf
View file

@ -219,55 +219,55 @@ resource "kubernetes_config_map" "vault_woodpecker_sync" {
}
data = {
"sync.sh" = <<-'SCRIPT'
"sync.sh" = <<-SCRIPT
#!/bin/sh
set -e
VAULT_ADDR="http://vault-active.vault.svc.cluster.local:8200"
WP_API="http://woodpecker-server.woodpecker.svc.cluster.local:8000/api"
# Authenticate to Vault via K8s SA
SA_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
VAULT_TOKEN=$(curl -sf -X POST "$VAULT_ADDR/v1/auth/kubernetes/login" \
-d "{\"role\":\"woodpecker-sync\",\"jwt\":\"$SA_TOKEN\"}" | jq -r .auth.client_token)
SA_TOKEN=$$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
VAULT_TOKEN=$$(curl -sf -X POST "$$VAULT_ADDR/v1/auth/kubernetes/login" \
-d "{\"role\":\"woodpecker-sync\",\"jwt\":\"$$SA_TOKEN\"}" | jq -r .auth.client_token)
if [ -z "$VAULT_TOKEN" ] || [ "$VAULT_TOKEN" = "null" ]; then
if [ -z "$$VAULT_TOKEN" ] || [ "$$VAULT_TOKEN" = "null" ]; then
echo "ERROR: Failed to authenticate to Vault"
exit 1
fi
# Get Woodpecker API token from Vault
WP_TOKEN=$(curl -sf -H "X-Vault-Token: $VAULT_TOKEN" \
"$VAULT_ADDR/v1/secret/data/ci/global" | jq -r '.data.data.woodpecker_api_token // empty')
WP_TOKEN=$$(curl -sf -H "X-Vault-Token: $$VAULT_TOKEN" \
"$$VAULT_ADDR/v1/secret/data/ci/global" | jq -r '.data.data.woodpecker_api_token // empty')
if [ -z "$WP_TOKEN" ]; then
if [ -z "$$WP_TOKEN" ]; then
echo "ERROR: No woodpecker_api_token in secret/ci/global"
exit 1
fi
# Sync global secrets
SECRETS=$(curl -sf -H "X-Vault-Token: $VAULT_TOKEN" \
"$VAULT_ADDR/v1/secret/data/ci/global" | jq -r '.data.data | to_entries[] | select(.key != "woodpecker_api_token") | @base64')
SECRETS=$$(curl -sf -H "X-Vault-Token: $$VAULT_TOKEN" \
"$$VAULT_ADDR/v1/secret/data/ci/global" | jq -r '.data.data | to_entries[] | select(.key != "woodpecker_api_token") | @base64')
synced=0
for entry in $SECRETS; do
NAME=$(echo "$entry" | base64 -d | jq -r .key)
VALUE=$(echo "$entry" | base64 -d | jq -r .value)
for entry in $$SECRETS; do
NAME=$$(echo "$$entry" | base64 -d | jq -r .key)
VALUE=$$(echo "$$entry" | base64 -d | jq -r .value)
# Try PATCH first (update), fall back to POST (create)
STATUS=$(curl -sf -o /dev/null -w "%{http_code}" -X PATCH "$WP_API/secrets/$NAME" \
-H "Authorization: Bearer $WP_TOKEN" \
STATUS=$$(curl -sf -o /dev/null -w "%%{http_code}" -X PATCH "$$WP_API/secrets/$$NAME" \
-H "Authorization: Bearer $$WP_TOKEN" \
-H "Content-Type: application/json" \
-d "{\"name\":\"$NAME\",\"value\":\"$VALUE\",\"events\":[\"push\",\"tag\",\"deployment\"]}" 2>/dev/null || echo "000")
-d "{\"name\":\"$$NAME\",\"value\":\"$$VALUE\",\"events\":[\"push\",\"tag\",\"deployment\"]}" 2>/dev/null || echo "000")
if [ "$STATUS" != "200" ]; then
curl -sf -X POST "$WP_API/secrets" \
-H "Authorization: Bearer $WP_TOKEN" \
if [ "$$STATUS" != "200" ]; then
curl -sf -X POST "$$WP_API/secrets" \
-H "Authorization: Bearer $$WP_TOKEN" \
-H "Content-Type: application/json" \
-d "{\"name\":\"$NAME\",\"value\":\"$VALUE\",\"events\":[\"push\",\"tag\",\"deployment\"]}" > /dev/null
-d "{\"name\":\"$$NAME\",\"value\":\"$$VALUE\",\"events\":[\"push\",\"tag\",\"deployment\"]}" > /dev/null
fi
synced=$((synced + 1))
synced=$$((synced + 1))
done
echo "Synced $synced global secrets from Vault to Woodpecker"
echo "Synced $$synced global secrets from Vault to Woodpecker"
SCRIPT
}
}