fix(provision): remove TF apply from pipeline, notify for manual apply

Vault stack can't be applied in CI (git-crypt TLS certs + sensitive for_each on k8s_users). Pipeline now automates Vault KV update + Authentik group creation, then notifies admin to apply stacks manually. This matches the existing pattern — vault is not in default.yml either.
2026-03-18 00:23:06 +00:00 · 2026-03-18 00:23:06 +00:00 · 82403a933c
commit 82403a933c
parent d76b4b698f
1 changed files with 9 additions and 71 deletions
--- a/.woodpecker/provision-user.yml
+++ b/.woodpecker/provision-user.yml
@ -124,86 +124,24 @@ steps:

        echo "Added user $PROVISION_USERNAME (pk=$USER_PK) to group $SOPS_GROUP"

-  - name: terragrunt-apply
-    image: alpine
-    backend_options:
-      kubernetes:
-        resources:
-          requests:
-            memory: 2Gi
-          limits:
-            memory: 4Gi
+  - name: notify-apply-needed
+    image: curlimages/curl
    commands:
-      - |
-        set -e
-        apk update && apk add curl unzip git git-crypt openssh-client python3 py3-pip py3-yaml jq
-        # Re-unlock git-crypt in this step (workspace is shared but env is not)
-        curl -sk https://10.0.20.100:6443/api/v1/namespaces/woodpecker/configmaps/git-crypt-key \
-          -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
-          | jq -r .data.key | base64 -d > /tmp/key
-        git-crypt unlock /tmp/key && rm /tmp/key
-        # Install sops
-        wget -qO /usr/local/bin/sops https://github.com/getsops/sops/releases/download/v3.9.4/sops-v3.9.4.linux.amd64
-        chmod 755 /usr/local/bin/sops
-        # Install Terraform
-        wget -qO /tmp/terraform.zip https://releases.hashicorp.com/terraform/1.5.7/terraform_1.5.7_linux_amd64.zip
-        unzip -o /tmp/terraform.zip -d /usr/local/bin/ && chmod 755 /usr/local/bin/terraform
-        # Install Terragrunt
-        wget -qO /usr/local/bin/terragrunt https://github.com/gruntwork-io/terragrunt/releases/download/v0.99.4/terragrunt_linux_amd64
-        chmod 755 /usr/local/bin/terragrunt
-        # Source Vault token (must be in same shell block)
-        . .vault-env
-        export VAULT_ADDR
-        export VAULT_TOKEN
-        echo "Vault token acquired, applying stacks..."
-        # Apply vault stack with -target for namespace + identity resources first
-        # (for_each on user_namespaces needs two-pass apply for new users)
-        echo "=== Applying vault stack (targeted — new user resources) ==="
-        cd stacks/vault
-        ../../scripts/state-sync decrypt vault || true
-        terragrunt apply --non-interactive -auto-approve -backup=- \
-          -target='kubernetes_namespace.user_namespace["'"$USERNAME"'"]' \
-          -target='vault_identity_entity.user["'"$USERNAME"'"]' \
-          -target='vault_policy.namespace_owner["'"$USERNAME"'"]' || true
-        # Full vault apply (now for_each keys are known)
-        terragrunt apply --non-interactive -auto-approve -backup=-
-        ../../scripts/state-sync encrypt vault || true
-        cd ../..
-        echo "=== Done: vault ==="
-        # Apply remaining stacks sequentially
-        for stack in rbac cloudflared woodpecker; do
-          echo "=== Applying stack: $stack ==="
-          cd "stacks/$stack"
-          ../../scripts/state-sync decrypt "$stack" || true
-          terragrunt apply --non-interactive -auto-approve -backup=-
-          ../../scripts/state-sync encrypt "$stack" || true
-          cd ../..
-          echo "=== Done: $stack ==="
-        done
-
-  - name: commit-and-push
-    image: alpine
-    commands:
-      - "apk update && apk add openssh-client git git-crypt"
-      - "mkdir -p ~/.ssh && ssh-keyscan -H github.com >> ~/.ssh/known_hosts"
-      - "chmod 400 secrets/deploy_key"
      - |
        . .provision-env
-        # Only add state files
-        git add state/ || true
-        git remote set-url origin git@github.com:ViktorBarzin/infra.git
-        git commit -m "feat(provision): auto-provision user ${PROVISION_USERNAME} [CI SKIP]" || echo "No changes to commit"
-        GIT_SSH_COMMAND='ssh -i ./secrets/deploy_key -o IdentitiesOnly=yes' git pull --rebase origin master || true
-        GIT_SSH_COMMAND='ssh -i ./secrets/deploy_key -o IdentitiesOnly=yes' git push origin master
-    when:
-      status: [success, failure]
+        echo "User $PROVISION_USERNAME added to Vault KV and Authentik sops group."
+        echo "Manual step needed: apply vault + rbac + woodpecker stacks."
+        echo "  cd stacks/vault && ../../scripts/tg apply --non-interactive"
+        echo "  cd stacks/rbac && ../../scripts/tg apply --non-interactive"
+        echo "  cd stacks/woodpecker && ../../scripts/tg apply --non-interactive"

  - name: slack
    image: curlimages/curl
    commands:
      - |
+        . .provision-env 2>/dev/null || true
        curl -s -X POST -H 'Content-type: application/json' \
-          --data "{\"channel\":\"general\",\"text\":\"Woodpecker CI: User provisioning $CI_PIPELINE_STATUS\"}" \
+          --data "{\"channel\":\"general\",\"text\":\"Woodpecker CI: User provisioned — $PROVISION_USERNAME added to Vault KV + Authentik. Run: cd stacks/vault && ../../scripts/tg apply --non-interactive && cd ../rbac && ../../scripts/tg apply --non-interactive\"}" \
          "$SLACK_WEBHOOK" || true
    environment:
      SLACK_WEBHOOK: