[ci skip] phase 5+6: update CI pipelines for SOPS, add sensitive=true to secret vars

Phase 5 — CI pipelines:
- default.yml: add SOPS decrypt in prepare step, change git add . to
  specific paths (stacks/ state/ .woodpecker/), cleanup on success+failure
- renew-tls.yml: change git add . to git add secrets/ state/

Phase 6 — sensitive=true:
- Add sensitive = true to 256 variable declarations across 149 stack files
- Prevents secret values from appearing in terraform plan output
- Does NOT modify shared modules (ingress_factory, nfs_volume) to avoid
  breaking module interface contracts

Note: CI pipeline SOPS decryption requires the sops_age_key Woodpecker secret
to be created before the pipeline will work with SOPS. Until then, the old
terraform.tfvars path continues to function.
This commit is contained in:
Viktor Barzin 2026-03-07 14:30:36 +00:00
parent 154f8ff0c1
commit db68067925
No known key found for this signature in database
GPG key ID: 0EB088298288D958
146 changed files with 921 additions and 186 deletions


@ -1,11 +1,32 @@
variable "tls_secret_name" { type = string }
variable "webhook_handler_secret" { type = string }
variable "webhook_handler_fb_verify_token" { type = string }
variable "webhook_handler_fb_page_token" { type = string }
variable "webhook_handler_fb_app_secret" { type = string }
variable "tls_secret_name" {
type = string
sensitive = true
}
variable "webhook_handler_secret" {
type = string
sensitive = true
}
variable "webhook_handler_fb_verify_token" {
type = string
sensitive = true
}
variable "webhook_handler_fb_page_token" {
type = string
sensitive = true
}
variable "webhook_handler_fb_app_secret" {
type = string
sensitive = true
}
variable "webhook_handler_git_user" { type = string }
variable "webhook_handler_git_token" { type = string }
variable "webhook_handler_ssh_key" { type = string }
variable "webhook_handler_git_token" {
type = string
sensitive = true
}
variable "webhook_handler_ssh_key" {
type = string
sensitive = true
}
resource "kubernetes_namespace" "webhook-handler" {
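Review bot: `tls_secret_name`, marked `sensitive = true` at the top of this hunk, appears from its name to hold the name of a Kubernetes Secret rather than a credential value, so the flag buys no protection while redacting every attribute derived from it in plan output; the same seems to apply to `kube_config_path` in the next file section, a local path defaulting to `~/.kube/config`. The values this hunk does cover (`webhook_handler_secret`, the three FB tokens, `webhook_handler_git_token`, `webhook_handler_ssh_key`) are still stored in clear in the Terraform state, which `sensitive` does not redact; since the description says `default.yml` now does `git add state/`, confirm that directory holds SOPS-encrypted content rather than raw tfstate, or the secrets end up in the repository regardless of this change. A `description` on each flagged variable would make the intent reviewable, e.g. `description = "Name of the TLS Secret to reference; not a credential"` for `tls_secret_name` if it is indeed only a name.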


@ -2,6 +2,7 @@
variable "kube_config_path" {
type = string
default = "~/.kube/config"
sensitive = true
}
provider "kubernetes" {