fix woodpecker sync script: escape $ and %{} for HCL heredoc

HCL heredocs always interpolate — use $$ for literal $ and
%%{} for literal %{}. Fixes terraform plan errors.
This commit is contained in:
Viktor Barzin 2026-03-15 19:37:00 +00:00 committed by Viktor Barzin
parent 14125c1b9b
commit 7e3540e56a


@ -219,55 +219,55 @@ resource "kubernetes_config_map" "vault_woodpecker_sync" {
} }
data = { data = {
"sync.sh" = <<-'SCRIPT' "sync.sh" = <<-SCRIPT
#!/bin/sh #!/bin/sh
set -e set -e
VAULT_ADDR="http://vault-active.vault.svc.cluster.local:8200" VAULT_ADDR="http://vault-active.vault.svc.cluster.local:8200"
WP_API="http://woodpecker-server.woodpecker.svc.cluster.local:8000/api" WP_API="http://woodpecker-server.woodpecker.svc.cluster.local:8000/api"
# Authenticate to Vault via K8s SA # Authenticate to Vault via K8s SA
SA_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token) SA_TOKEN=$$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
VAULT_TOKEN=$(curl -sf -X POST "$VAULT_ADDR/v1/auth/kubernetes/login" \ VAULT_TOKEN=$$(curl -sf -X POST "$$VAULT_ADDR/v1/auth/kubernetes/login" \
-d "{\"role\":\"woodpecker-sync\",\"jwt\":\"$SA_TOKEN\"}" | jq -r .auth.client_token) -d "{\"role\":\"woodpecker-sync\",\"jwt\":\"$$SA_TOKEN\"}" | jq -r .auth.client_token)
if [ -z "$VAULT_TOKEN" ] || [ "$VAULT_TOKEN" = "null" ]; then if [ -z "$$VAULT_TOKEN" ] || [ "$$VAULT_TOKEN" = "null" ]; then
echo "ERROR: Failed to authenticate to Vault" echo "ERROR: Failed to authenticate to Vault"
exit 1 exit 1
fi fi
# Get Woodpecker API token from Vault # Get Woodpecker API token from Vault
WP_TOKEN=$(curl -sf -H "X-Vault-Token: $VAULT_TOKEN" \ WP_TOKEN=$$(curl -sf -H "X-Vault-Token: $$VAULT_TOKEN" \
"$VAULT_ADDR/v1/secret/data/ci/global" | jq -r '.data.data.woodpecker_api_token // empty') "$$VAULT_ADDR/v1/secret/data/ci/global" | jq -r '.data.data.woodpecker_api_token // empty')
if [ -z "$WP_TOKEN" ]; then if [ -z "$$WP_TOKEN" ]; then
echo "ERROR: No woodpecker_api_token in secret/ci/global" echo "ERROR: No woodpecker_api_token in secret/ci/global"
exit 1 exit 1
fi fi
# Sync global secrets # Sync global secrets
SECRETS=$(curl -sf -H "X-Vault-Token: $VAULT_TOKEN" \ SECRETS=$$(curl -sf -H "X-Vault-Token: $$VAULT_TOKEN" \
"$VAULT_ADDR/v1/secret/data/ci/global" | jq -r '.data.data | to_entries[] | select(.key != "woodpecker_api_token") | @base64') "$$VAULT_ADDR/v1/secret/data/ci/global" | jq -r '.data.data | to_entries[] | select(.key != "woodpecker_api_token") | @base64')
synced=0 synced=0
for entry in $SECRETS; do for entry in $$SECRETS; do
NAME=$(echo "$entry" | base64 -d | jq -r .key) NAME=$$(echo "$$entry" | base64 -d | jq -r .key)
VALUE=$(echo "$entry" | base64 -d | jq -r .value) VALUE=$$(echo "$$entry" | base64 -d | jq -r .value)
# Try PATCH first (update), fall back to POST (create) # Try PATCH first (update), fall back to POST (create)
STATUS=$(curl -sf -o /dev/null -w "%{http_code}" -X PATCH "$WP_API/secrets/$NAME" \ STATUS=$$(curl -sf -o /dev/null -w "%%{http_code}" -X PATCH "$$WP_API/secrets/$$NAME" \
-H "Authorization: Bearer $WP_TOKEN" \ -H "Authorization: Bearer $$WP_TOKEN" \
-H "Content-Type: application/json" \ -H "Content-Type: application/json" \
-d "{\"name\":\"$NAME\",\"value\":\"$VALUE\",\"events\":[\"push\",\"tag\",\"deployment\"]}" 2>/dev/null || echo "000") -d "{\"name\":\"$$NAME\",\"value\":\"$$VALUE\",\"events\":[\"push\",\"tag\",\"deployment\"]}" 2>/dev/null || echo "000")
if [ "$STATUS" != "200" ]; then if [ "$$STATUS" != "200" ]; then
curl -sf -X POST "$WP_API/secrets" \ curl -sf -X POST "$$WP_API/secrets" \
-H "Authorization: Bearer $WP_TOKEN" \ -H "Authorization: Bearer $$WP_TOKEN" \
-H "Content-Type: application/json" \ -H "Content-Type: application/json" \
-d "{\"name\":\"$NAME\",\"value\":\"$VALUE\",\"events\":[\"push\",\"tag\",\"deployment\"]}" > /dev/null -d "{\"name\":\"$$NAME\",\"value\":\"$$VALUE\",\"events\":[\"push\",\"tag\",\"deployment\"]}" > /dev/null
fi fi
synced=$((synced + 1)) synced=$$((synced + 1))
done done
echo "Synced $synced global secrets from Vault to Woodpecker" echo "Synced $$synced global secrets from Vault to Woodpecker"
SCRIPT SCRIPT
} }
} }
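Review bot: The `$$` doubling on the new side, from `SA_TOKEN=$$(cat …)` through `synced=$$((synced + 1))` and the final `echo`, very likely lands verbatim in the ConfigMap: as far as I recall HCL's template escaping, only `$${` is collapsed to `${` and a `$` not followed by `{` needs no escape at all in a heredoc, so the rendered script would contain `$$` (the shell's PID) and break at `VAULT_TOKEN=$$(curl …`. If that reading is right, the only escape this hunk needed was `%%{http_code}` in the curl `-w` format on the PATCH line (the `%{` is what starts a template directive), every other `$$` should go back to a single `$`, and inspecting the rendered `sync.sh` value in the plan output would confirm it either way. Separately, both `-d` payloads splice `$NAME`/`$VALUE` straight into a JSON string, so a secret value containing `"`, `\` or a newline is sent corrupted or rejected by the API; build the body once with `BODY=$(jq -n --arg name "$NAME" --arg value "$VALUE" '{name:$name,value:$value,events:["push","tag","deployment"]}')` and pass `-d "$BODY"` to both curl calls (`$name` inside the jq filter is not followed by `{`, so it needs no HCL escape either).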