remove terraform.tfvars from terragrunt loading — complete Vault migration

All 148 secret variables were migrated to Vault KV / SOPS / ESO.
The legacy terraform.tfvars silently overrode config.tfvars values
(e.g. stale postgresql_host), creating override risk. [ci skip]
Viktor Barzin 2026-03-24 11:14:06 +02:00
parent 540d7de807
commit 4aa0e97e1d

@ -13,17 +13,13 @@ remote_state {
} }
} }
# Load config.tfvars (plaintext) + terraform.tfvars (git-crypt encrypted, migration). # Load config.tfvars (plaintext). Secrets come from Vault KV — authenticate via `vault login -method=oidc`.
# Secrets come from Vault KV — authenticate via `vault login -method=oidc`.
terraform { terraform {
extra_arguments "common_vars" { extra_arguments "common_vars" {
commands = get_terraform_commands_that_need_vars() commands = get_terraform_commands_that_need_vars()
required_var_files = [ required_var_files = [
"${get_repo_root()}/config.tfvars" "${get_repo_root()}/config.tfvars"
] ]
optional_var_files = [
"${get_repo_root()}/terraform.tfvars"
]
} }
extra_arguments "no_backup" { extra_arguments "no_backup" {
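Review bot: Dropping the `optional_var_files` block in `extra_arguments "common_vars"` changes the effective value of every variable that `terraform.tfvars` used to override, and the commit message marks the change `[ci skip]`, so no plan runs against it. Because the old file took precedence over `config.tfvars` (the message cites a stale `postgresql_host`), stacks that were applied with the overridden value will now show a diff toward the `config.tfvars` value. Run a plan across all stacks before the next apply and confirm that each diff is expected and that no variable was defined only in the removed file. The hunk also only stops loading `"${get_repo_root()}/terraform.tfvars"`; nothing visible here deletes the git-crypt encrypted file itself, so consider removing it from the repository in the same change so it cannot be picked up again by a later edit or by Terraform's automatic loading of a `terraform.tfvars` in the working directory. Finally, the new comment collapses the note about `vault login -method=oidc` into one long line; keeping it as a separate comment line, as before, would be easier to read.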