viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
infra/state/stacks/platform/terraform.tfstate.enc
Viktor Barzin 77143dfd6b state: per-stack Transit keys for namespace-owner access control 
- Each stack gets its own Vault Transit key (transit/keys/sops-state-<stack>)
- state-sync passes per-stack Transit URI + age keys on encrypt
- Vault policies scope namespace-owners to their stacks only:
  - sops-admin: wildcard access to all transit keys
  - sops-user-<name>: access only to owned stack keys
- Anca (plotting-book) can only decrypt plotting-book state
- Admin can decrypt everything (via admin Transit policy or age fallback)
- External group sops-plotting-book maps Authentik group to Vault policy
- Updated CLAUDE.md with state sync documentation
2026-03-17 23:08:18 +00:00

71 lines
No EOL
4.7 KiB
Text
Raw Blame History

{
"version": "ENC[AES256_GCM,data:yA==,iv:BSoTP+NUFvCbeP74IpwMyfZLhacwwUJzrFL1N4PEhuw=,tag:5Pjk3zSUeEnfBEP/EJMrOA==,type:float]",
"terraform_version": "ENC[AES256_GCM,data:aq8zIaE=,iv:hiem1Yj3I3CJklIu8Sh9ZXewlT44PMAIjszEfco7fQk=,tag:qVyCna347fzvQtS2CzP2Dg==,type:str]",
"serial": "ENC[AES256_GCM,data:hMIfAA==,iv:JyXWymvy+eaGUYmpveeMnEQvLv82hjK6tcI1gmIa73k=,tag:LZTQwuFY3lrVM7gyCwM81g==,type:float]",
"lineage": "ENC[AES256_GCM,data:4wJZQYAGFr98EGYDfruCrF4Q7t9zig4+dtBfOfGcjrwkr/mr,iv:m+ofb/Rdpig6PAkkBNMdogqFPQ+OINYZdw/OAeHQnNA=,tag:jFJKSCxBKSpiPKTnA2JoTQ==,type:str]",
"outputs": {
"mysql_host": {
"value": "ENC[AES256_GCM,data:lvWdXC4qgWyegflwk5SqNZD5r4ICcn49zDuNnQE=,iv:eZHX2/89dZgmUzgs9GfOQaumS92U6O8UiHfmcO9Z5uQ=,tag:LPKYe3IZUoBEIrigJIKQsw==,type:str]",
"type": "ENC[AES256_GCM,data:MZAqLHzb,iv:PCxKfmOC4GMxWiiUqdou/FxBS6Ougl+xjVxyJvHMf+8=,tag:gF3AqyanKiknJ6e1+k+2Eg==,type:str]"
},
"mysql_port": {
"value": "ENC[AES256_GCM,data:T/RRWg==,iv:b9qB+nk77Llq+u0ylSTolIjeYELsj8ENnjeP650OqtE=,tag:x7v0UI6MGt5ue0P94LmsiA==,type:float]",
"type": "ENC[AES256_GCM,data:9no2H/ob,iv:f5X5XKrhDnPcTwkHpdCrFdn/CDHOSiFmAyD94bWr6f8=,tag:j5YyXUoI6JEGybYDJWOn5Q==,type:str]"
},
"postgresql_host": {
"value": "ENC[AES256_GCM,data:3X+lTflHkwrCDyZwXjlyEXFjaHv3uKhj6wbPkkywswllbA==,iv:5IPP/wCv4HKruNMfI5pOuNf11rrG76hx2aSS64GPUcU=,tag:B3n5dUBXVAgxYy5NTgWvxA==,type:str]",
"type": "ENC[AES256_GCM,data:lRI/RhNw,iv:x4zT7ATRecEtvLyDQMDZubZnpja/g9bZiv3QBwjKYBo=,tag:bZFInjTY/BC463Y4BrWPmA==,type:str]"
},
"postgresql_port": {
"value": "ENC[AES256_GCM,data:TQSBRw==,iv:nyOawdelse/9/jvojPI5iqvVi0VmJGMi5RmXtYIVJ/U=,tag:v5fpDvd60QM2BUEURNuUnA==,type:float]",
"type": "ENC[AES256_GCM,data:nfIkuzVz,iv:zClbUUv+B81RLKzRBc6JKTnEljCUJzDLscGR4XEr62I=,tag:VoPHA5+2Skdg04ZDq+hDhg==,type:str]"
},
"redis_host": {
"value": "ENC[AES256_GCM,data:YeN2p+Rr5PVLNljOT+HVAUhhQxRcEhv9D3ae/98=,iv:0Tkw03PgzPUVrupqjJCBCdKSS/7j6pR0avVJyYuiNhI=,tag:YX/G3zD7ZmJoHFGjoevn9w==,type:str]",
"type": "ENC[AES256_GCM,data:k9rPVUSa,iv:tzVlz1lcUIfnGymroHgPHvMJw+S43jsOr38wFE2amKs=,tag:kfKzH3+mU6Sctc/bKM9yIg==,type:str]"
},
"smtp_host": {
"value": "ENC[AES256_GCM,data:rr7MykepqGgbnhlakwAOAqljLRU=,iv:J9InnSsIKZYK96RwSBzpXzlXhOgj0Xq9edZWOqmmj2w=,tag:gWlJiMQGdH8mnjbLvhjdrw==,type:str]",
"type": "ENC[AES256_GCM,data:OmVmV/iW,iv:93pEBYFVEPdrAXW5JwLMXZDzmznexFnjdlm5/ka+Z/E=,tag:OQizFVcC0ECg6m/8GZ9uaw==,type:str]"
},
"smtp_port": {
"value": "ENC[AES256_GCM,data:CXll,iv:40H/A1MRA4tgxAwBXcLF4XmLONHHUp756oxAHheU5Rk=,tag:Ln0ytYDCsCk9EbrWPV35uw==,type:float]",
"type": "ENC[AES256_GCM,data:vqT/H9Kb,iv:xNf3hEW/1zbsNjUDsz4V65OxzC1SyDYKSs8kKw7iZDY=,tag:KoT1caTl7RR2mTdXPZg/QA==,type:str]"
},
"tls_secret_name": {
"value": "ENC[AES256_GCM,data:/Kraa0mohefv4Q==,iv:4fkhC/8ZzPGyF7yGGNk3FjQ1HIaX+ACWuo5KIzFD36k=,tag:JulhEIHK+SLSv3GQ7sr1sQ==,type:str]",
"type": "ENC[AES256_GCM,data:xUtYk/Ct,iv:f8o+boem+EjIoaJZDTJR4f+gDY9HR2mzql9Bm/lD2IA=,tag:72MkzghQQYywn/BI2zVWfg==,type:str]"
}
},
"resources": [],
"check_results": null,
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": [
{
"vault_address": "https://vault.viktorbarzin.me",
"engine_path": "transit",
"key_name": "sops-state-platform",
"created_at": "2026-03-17T23:05:53Z",
"enc": "vault:v1:PX9CSplQvwNBlZ0sZF5hx90ORdkl+iSvN6ZiXheQovi7qltbYQv2yUVA8KZ/47IZr77l4XqilYrUq+fZ"
}
],
"age": [
{
"recipient": "age1z64h9t3acsm2rr74pz7j4846kwj5tutx9sk78jqv46y8fln4vs2sy920ce",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzZlI5bHR5bmx5aGJ0YkY0\nSHQ0MzJCZ0pWU2hNZEZvclFXSVl1NU14d3h3CkJQQTBjWFh6WnRWKys3M29ma3Zt\nSnlBZ1B4WENHZkttOU52UDkwUFZHdDAKLS0tIFI1S0R6dTVySGRXQmtiVThva3Jl\nZS9oeGloQ1kyRlhwQi8yR0EwdnkxWGsKYShT4ouaN5UztBb1okBUjM5HrH68P5F2\nWd2puk788twCFJC4Aib8jo86BhpA6dfK+O9fyc5icKz8J8Jt9cnP4A==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1rekkad48r2wzhwqgfetw5yugu3ln3qlht4xg3txmx55tee8cveess60r90",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrOWh2L2h4UkVPNVZiT3Fh\nNGwwYUlyeitGQnlGSFBuNHhzYWh2aXlnWndVCmR4cXp0UW9Qc0g0VmN0WkdnMmJp\neXBQek5ackkwTmhVOXdOQUE1Nzd5YncKLS0tIDVWMUZoT2tIS1Y4UE1LRzIzWmVl\neFBLeExDdmp2aHNqU2EyR1o0Y2ZRWW8Kjt+xzO4nAqd6tRY5Yj+PL4AngBt5uQIc\nkVbmv7OadrkigxFEfBLTY40EGfnijEPKtuLF6gr2mKOFWfEfIF2wcA==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2026-03-17T23:05:53Z",
"mac": "ENC[AES256_GCM,data:ZoP2ySinAnlTxAhp3Ym62xWzURCFWXPIBFOjnQvi2SdnbXVAAKbj8dCmhK5xXUSD2X4G3Xwpq7/RaTv1R9gE4CeH9PhsRHvaUd6Bepy8GRIVw66/eKox+OGeXWsCp7QTDFDmJzQBgym6jVtvYzWUAVRd7hwg3q7uDmWGHhECBsc=,iv:T2EySTI0AYi62/jw5Wo1cGWR7XRvyPHiOqOHErGOYP4=,tag:59mPCkFQW2Q7x5bxfY/LsA==,type:str]",
"pgp": null,
"unencrypted_suffix": "_unencrypted",
"version": "3.9.4"
}
}
Reference in a new issue View git blame Copy permalink