remove terraform.tfvars from terragrunt loading — complete Vault migration
All 148 secret variables were migrated to Vault KV / SOPS / ESO. The legacy terraform.tfvars silently overrode config.tfvars values (e.g. stale postgresql_host), creating override risk. [ci skip]
This commit is contained in:
Viktor Barzin
parent
540d7de807
commit
4aa0e97e1d
1 changed files with 1 additions and 5 deletions
|
|
@ -13,17 +13,13 @@ remote_state {
|
|||
}
|
||||
}
|
||||
|
||||
# Load config.tfvars (plaintext) + terraform.tfvars (git-crypt encrypted, migration).
|
||||
# Secrets come from Vault KV — authenticate via `vault login -method=oidc`.
|
||||
# Load config.tfvars (plaintext). Secrets come from Vault KV — authenticate via `vault login -method=oidc`.
|
||||
terraform {
|
||||
extra_arguments "common_vars" {
|
||||
commands = get_terraform_commands_that_need_vars()
|
||||
required_var_files = [
|
||||
"${get_repo_root()}/config.tfvars"
|
||||
]
|
||||
optional_var_files = [
|
||||
"${get_repo_root()}/terraform.tfvars"
|
||||
]
|
||||
}
|
||||
|
||||
extra_arguments "no_backup" {
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue