From 82403a933cb4ead3bdf07729641020979ad940f0 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Wed, 18 Mar 2026 00:23:06 +0000
Subject: [PATCH] fix(provision): remove TF apply from pipeline, notify for manual apply
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Vault stack can't be applied in CI (git-crypt TLS certs + sensitive for_each on k8s_users). Pipeline now automates Vault KV update + Authentik group creation, then notifies admin to apply stacks manually. This matches the existing pattern — vault is not in default.yml either.
---
 .woodpecker/provision-user.yml | 80 ++++------------------------------
 1 file changed, 9 insertions(+), 71 deletions(-)

diff --git a/.woodpecker/provision-user.yml b/.woodpecker/provision-user.yml
index 980ac5cf..fc65249d 100644
--- a/.woodpecker/provision-user.yml
+++ b/.woodpecker/provision-user.yml
@@ -124,86 +124,24 @@ steps:
 echo "Added user $PROVISION_USERNAME (pk=$USER_PK) to group $SOPS_GROUP"
- - name: terragrunt-apply
- image: alpine
- backend_options:
- kubernetes:
- resources:
- requests:
- memory: 2Gi
- limits:
- memory: 4Gi
+ - name: notify-apply-needed
+ image: curlimages/curl
 commands:
- - |
- set -e
- apk update && apk add curl unzip git git-crypt openssh-client python3 py3-pip py3-yaml jq
- # Re-unlock git-crypt in this step (workspace is shared but env is not)
- curl -sk https://10.0.20.100:6443/api/v1/namespaces/woodpecker/configmaps/git-crypt-key \
- -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
- | jq -r .data.key | base64 -d > /tmp/key
- git-crypt unlock /tmp/key && rm /tmp/key
- # Install sops
- wget -qO /usr/local/bin/sops https://github.com/getsops/sops/releases/download/v3.9.4/sops-v3.9.4.linux.amd64
- chmod 755 /usr/local/bin/sops
- # Install Terraform
- wget -qO /tmp/terraform.zip https://releases.hashicorp.com/terraform/1.5.7/terraform_1.5.7_linux_amd64.zip
- unzip -o /tmp/terraform.zip -d /usr/local/bin/ && chmod 755 /usr/local/bin/terraform
- # Install Terragrunt
- wget -qO /usr/local/bin/terragrunt https://github.com/gruntwork-io/terragrunt/releases/download/v0.99.4/terragrunt_linux_amd64
- chmod 755 /usr/local/bin/terragrunt
- # Source Vault token (must be in same shell block)
- . .vault-env
- export VAULT_ADDR
- export VAULT_TOKEN
- echo "Vault token acquired, applying stacks..."
- # Apply vault stack with -target for namespace + identity resources first
- # (for_each on user_namespaces needs two-pass apply for new users)
- echo "=== Applying vault stack (targeted — new user resources) ==="
- cd stacks/vault
- ../../scripts/state-sync decrypt vault || true
- terragrunt apply --non-interactive -auto-approve -backup=- \
- -target='kubernetes_namespace.user_namespace["'"$USERNAME"'"]' \
- -target='vault_identity_entity.user["'"$USERNAME"'"]' \
- -target='vault_policy.namespace_owner["'"$USERNAME"'"]' || true
- # Full vault apply (now for_each keys are known)
- terragrunt apply --non-interactive -auto-approve -backup=-
- ../../scripts/state-sync encrypt vault || true
- cd ../..
- echo "=== Done: vault ==="
- # Apply remaining stacks sequentially
- for stack in rbac cloudflared woodpecker; do
- echo "=== Applying stack: $stack ==="
- cd "stacks/$stack"
- ../../scripts/state-sync decrypt "$stack" || true
- terragrunt apply --non-interactive -auto-approve -backup=-
- ../../scripts/state-sync encrypt "$stack" || true
- cd ../..
- echo "=== Done: $stack ==="
- done
-
- - name: commit-and-push
- image: alpine
- commands:
- - "apk update && apk add openssh-client git git-crypt"
- - "mkdir -p ~/.ssh && ssh-keyscan -H github.com >> ~/.ssh/known_hosts"
- - "chmod 400 secrets/deploy_key"
 - |
 . .provision-env
- # Only add state files
- git add state/ || true
- git remote set-url origin git@github.com:ViktorBarzin/infra.git
- git commit -m "feat(provision): auto-provision user ${PROVISION_USERNAME} [CI SKIP]" || echo "No changes to commit"
- GIT_SSH_COMMAND='ssh -i ./secrets/deploy_key -o IdentitiesOnly=yes' git pull --rebase origin master || true
- GIT_SSH_COMMAND='ssh -i ./secrets/deploy_key -o IdentitiesOnly=yes' git push origin master
- when:
- status: [success, failure]
+ echo "User $PROVISION_USERNAME added to Vault KV and Authentik sops group."
+ echo "Manual step needed: apply vault + rbac + woodpecker stacks."
+ echo " cd stacks/vault && ../../scripts/tg apply --non-interactive"
+ echo " cd stacks/rbac && ../../scripts/tg apply --non-interactive"
+ echo " cd stacks/woodpecker && ../../scripts/tg apply --non-interactive"
 - name: slack
 image: curlimages/curl
 commands:
 - |
+ . .provision-env 2>/dev/null || true
 curl -s -X POST -H 'Content-type: application/json' \
- --data "{\"channel\":\"general\",\"text\":\"Woodpecker CI: User provisioning $CI_PIPELINE_STATUS\"}" \
+ --data "{\"channel\":\"general\",\"text\":\"Woodpecker CI: User provisioned — $PROVISION_USERNAME added to Vault KV + Authentik. Run: cd stacks/vault && ../../scripts/tg apply --non-interactive && cd ../rbac && ../../scripts/tg apply --non-interactive\"}" \
 "$SLACK_WEBHOOK" || true
 environment:
 SLACK_WEBHOOK: