From 945a5f35b0292bc282d5c462075c49e162799c27 Mon Sep 17 00:00:00 2001
From: Viktor Barzin <viktorbarzin@meta.com>
Date: Sun, 22 Feb 2026 14:01:02 +0000
Subject: [PATCH] [ci skip] Fix path.root references for git-crypt key in
 openclaw and drone

Modules used filebase64("${path.root}/.git/git-crypt/keys/default")
which breaks with Terragrunt since path.root is now stacks/<service>/
instead of repo root. Changed to accept git_crypt_key_base64 variable
and resolve the path in the stack wrapper.
---
 modules/kubernetes/drone/main.tf    | 3 ++-
 modules/kubernetes/openclaw/main.tf | 3 ++-
 stacks/drone/main.tf                | 1 +
 stacks/openclaw/main.tf             | 1 +
 4 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/modules/kubernetes/drone/main.tf b/modules/kubernetes/drone/main.tf
index 856869ef..07e99d0e 100644
--- a/modules/kubernetes/drone/main.tf
+++ b/modules/kubernetes/drone/main.tf
@@ -1,4 +1,5 @@
 variable "tls_secret_name" {}
+variable "git_crypt_key_base64" { type = string }
 variable "tier" { type = string }
 variable "github_client_id" {}
 variable "github_client_secret" {}
@@ -53,7 +54,7 @@ resource "kubernetes_config_map" "git_crypt_key" {
   }
 
   data = {
-    "key" = filebase64("${path.root}/.git/git-crypt/keys/default")
+    "key" = var.git_crypt_key_base64
   }
 }
 
diff --git a/modules/kubernetes/openclaw/main.tf b/modules/kubernetes/openclaw/main.tf
index d130a519..68e621ae 100644
--- a/modules/kubernetes/openclaw/main.tf
+++ b/modules/kubernetes/openclaw/main.tf
@@ -1,4 +1,5 @@
 variable "tls_secret_name" {}
+variable "git_crypt_key_base64" { type = string }
 variable "tier" { type = string }
 variable "ssh_key" {}
 variable "gemini_api_key" { type = string }
@@ -62,7 +63,7 @@ resource "kubernetes_config_map" "git_crypt_key" {
     namespace = kubernetes_namespace.openclaw.metadata[0].name
   }
   data = {
-    "key" = filebase64("${path.root}/.git/git-crypt/keys/default")
+    "key" = var.git_crypt_key_base64
   }
 }
 
diff --git a/stacks/drone/main.tf b/stacks/drone/main.tf
index ae4d1206..84372a98 100644
--- a/stacks/drone/main.tf
+++ b/stacks/drone/main.tf
@@ -17,6 +17,7 @@ locals {
 module "drone" {
   source = "../../modules/kubernetes/drone"
   tls_secret_name                = var.tls_secret_name
+  git_crypt_key_base64           = filebase64("${path.root}/../../.git/git-crypt/keys/default")
   github_client_id               = var.drone_github_client_id
   github_client_secret           = var.drone_github_client_secret
   rpc_secret                     = var.drone_rpc_secret
diff --git a/stacks/openclaw/main.tf b/stacks/openclaw/main.tf
index 17f5a532..1013db1b 100644
--- a/stacks/openclaw/main.tf
+++ b/stacks/openclaw/main.tf
@@ -19,6 +19,7 @@ locals {
 module "openclaw" {
   source = "../../modules/kubernetes/openclaw"
   tls_secret_name                = var.tls_secret_name
+  git_crypt_key_base64           = filebase64("${path.root}/../../.git/git-crypt/keys/default")
   ssh_key                        = var.openclaw_ssh_key
   skill_secrets                  = var.openclaw_skill_secrets
   gemini_api_key                 = var.gemini_api_key