priority-pass: parameterise image_tag via var pattern (matches job-hunter)

Adopts the always-latest convention used by job-hunter, payslip-ingest, and fire-planner: image SHA lives in stacks/priority-pass/terragrunt.hcl inputs, default in main.tf var. The priority-pass GHA build workflow auto-commits new SHAs to this file on every successful push. - Add `variable "image_tag"` (default = current value 7c01448d). - Both containers now use `local.{frontend,backend}_image` interpolation. - Replace symlinked terragrunt.hcl with a real file so the stack-local inputs block can override image_tag (mirrors payslip-ingest exactly). State note: priority-pass TF state is currently empty (Tier 1 PG migration skipped this stack). A subsequent `terragrunt import` is required to adopt the live deployment + namespace + ingress before running apply. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-05 21:03:46 +00:00 · 2026-05-05 21:03:46 +00:00 · fb454e16d5
commit fb454e16d5
parent 4c8d12229f
2 changed files with 38 additions and 3 deletions
--- a/stacks/priority-pass/main.tf
+++ b/stacks/priority-pass/main.tf
@ -1,8 +1,19 @@
+variable "image_tag" {
+  type        = string
+  default     = "7c01448d"
+  description = "priority-pass image tag (applies to both frontend + backend). Use 8-char git SHA in CI; :latest only for local trials."
+}
+
 variable "tls_secret_name" {
  type      = string
  sensitive = true
 }

+locals {
+  frontend_image = "docker.io/viktorbarzin/priority-pass-frontend:${var.image_tag}"
+  backend_image  = "docker.io/viktorbarzin/priority-pass-backend:${var.image_tag}"
+}
+
 resource "kubernetes_namespace" "priority-pass" {
  metadata {
    name = "priority-pass"
@ -80,7 +91,7 @@ resource "kubernetes_deployment" "priority-pass" {
        }
        container {
          name  = "frontend"
-          image = "docker.io/viktorbarzin/priority-pass-frontend:7c01448d"
+          image = local.frontend_image
          port {
            container_port = 3000
          }
@ -104,7 +115,7 @@ resource "kubernetes_deployment" "priority-pass" {
        }
        container {
          name  = "backend"
-          image = "docker.io/viktorbarzin/priority-pass-backend:7c01448d"
+          image = local.backend_image
          port {
            container_port = 8000
          }
--- a/stacks/priority-pass/terragrunt.hcl
+++ b/stacks/priority-pass/terragrunt.hcl
@ -1 +0,0 @@
-../../terragrunt.hcl
--- a/stacks/priority-pass/terragrunt.hcl
+++ b/stacks/priority-pass/terragrunt.hcl
@ -0,0 +1,25 @@
+include "root" {
+  path = find_in_parent_folders()
+}
+
+dependency "platform" {
+  config_path  = "../platform"
+  skip_outputs = true
+}
+
+dependency "vault" {
+  config_path  = "../vault"
+  skip_outputs = true
+}
+
+dependency "external-secrets" {
+  config_path  = "../external-secrets"
+  skip_outputs = true
+}
+
+inputs = {
+  # priority-pass repo HEAD — auto-bumped by GHA `build-and-deploy.yml`
+  # on every successful build. Manual edits welcome for local trials,
+  # but CI will overwrite on the next push to main.
+  image_tag = "7c01448d"
+}