From 4aa0e97e1dc231d260634be53fec016ee2286b63 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Tue, 24 Mar 2026 11:14:06 +0200
Subject: [PATCH] =?UTF-8?q?remove=20terraform.tfvars=20from=20terragrunt?= =?UTF-8?q?=20loading=20=E2=80=94=20complete=20Vault=20migration?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
All 148 secret variables were migrated to Vault KV / SOPS / ESO. The legacy terraform.tfvars silently overrode config.tfvars values (e.g. stale postgresql_host), creating override risk. [ci skip]
---
 terragrunt.hcl | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/terragrunt.hcl b/terragrunt.hcl
index 89051111..24413559 100644
--- a/terragrunt.hcl
+++ b/terragrunt.hcl
@@ -13,17 +13,13 @@ remote_state {
 }
 }
-# Load config.tfvars (plaintext) + terraform.tfvars (git-crypt encrypted, migration).
-# Secrets come from Vault KV — authenticate via `vault login -method=oidc`.
+# Load config.tfvars (plaintext). Secrets come from Vault KV — authenticate via `vault login -method=oidc`.
 terraform {
 extra_arguments "common_vars" {
 commands = get_terraform_commands_that_need_vars()
 required_var_files = [
 "${get_repo_root()}/config.tfvars"
 ]
- optional_var_files = [
- "${get_repo_root()}/terraform.tfvars"
- ]
 }
 extra_arguments "no_backup" {
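Review bot: With the `optional_var_files` entry gone, nothing in the `common_vars` block records that `terraform.tfvars` is deliberately excluded, and the patch touches only terragrunt.hcl, so the git-crypt file itself appears to stay in the repository. I would add a line under the new comment such as `# terraform.tfvars is intentionally not loaded (it overrode config.tfvars values); do not re-add it.` so the override is not reintroduced later. Any variable that still declares a default and used to be set from that file will now fall back to the default without an error, and since the commit is marked `[ci skip]` no plan run confirms otherwise; a plan across the stacks before the next apply would catch it. Terraform also auto-loads a file named `terraform.tfvars` from its working directory, so deleting the file in a follow-up, and retiring any values in it that are still live, would close that path as well. The `terraform` block continues past the end of the hunk.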