infra/state/stacks/reloader/terraform.tfstate.enc
Viktor Barzin 77143dfd6b state: per-stack Transit keys for namespace-owner access control
- Each stack gets its own Vault Transit key (transit/keys/sops-state-<stack>)
- state-sync passes per-stack Transit URI + age keys on encrypt
- Vault policies scope namespace-owners to their stacks only:
  - sops-admin: wildcard access to all transit keys
  - sops-user-<name>: access only to owned stack keys
- Anca (plotting-book) can only decrypt plotting-book state
- Admin can decrypt everything (via admin Transit policy or age fallback)
- External group sops-plotting-book maps Authentik group to Vault policy
- Updated CLAUDE.md with state sync documentation
2026-03-17 23:08:18 +00:00


{
"version": "ENC[AES256_GCM,data:3Q==,iv:1EWYnQO9214Kb6vVA5fwF+4Dec83oPEoBbbuk+1VVas=,tag:T6guY30FO1LKq/PZmd8O/A==,type:float]",
"terraform_version": "ENC[AES256_GCM,data:lcOQ480=,iv:3fMj6DEztEK+34GOYAsMHbGIaCKVD1QzjV9FvkUiNLM=,tag:YpsDb5mUCBdXHxL47oMqyg==,type:str]",
"serial": "ENC[AES256_GCM,data:eQ==,iv:ZE81qr/Stk8bYrKtK6PSDOun/6JcndNYUoZma2hVR/Q=,tag:bSRN2p/xrVY5igIEbWYD1g==,type:float]",
"lineage": "ENC[AES256_GCM,data:R3V1nicR7/+BMpnv9EMB8JWELx457tUJDvsKQo1TQByytq6j,iv:H56A5AdhfWdy4ZnvL95zrviw1GB433N/8TgDn/mjyKs=,tag:UmWT6WyrQMO+XuG0YoymCw==,type:str]",
"outputs": {},
"resources": [
{
"mode": "ENC[AES256_GCM,data:OT1EFQ6YOQ==,iv:7jnvc/5vuTkc02PCJfJlOrLOwxA73oFKzVTbgeiQCCo=,tag:limNrq17GybD6WjYKjp9HQ==,type:str]",
"type": "ENC[AES256_GCM,data:fIOi9uFyib57bD5H,iv:rNfmkGdQG3XcT9pGgmzGdZl+nKPM+cNoQ4bujomUH9o=,tag:+obtybppEW2LMC8gdYMaeg==,type:str]",
"name": "ENC[AES256_GCM,data:JV/DZVFxUuA=,iv:mOUmeQbXSiiJxEFx5Xc4QqncH1YjFihEoVH2Dqb7xuc=,tag:Bd0MXArvOu1pJZsSYsZofg==,type:str]",
"provider": "ENC[AES256_GCM,data:0cg7FGilaGowyHBCExgFRO61hf5dE0clMPTdwQZdaUNkLXSoPAyls6HNXnGb41tK,iv:IlWvJfYwXvQZtgLRGSYDQsZH8cDpKwFLsaWiyeFpkUQ=,tag:lBnBnl2Con7aPq2KcdaUMQ==,type:str]",
"instances": [
{
"schema_version": "ENC[AES256_GCM,data:Iw==,iv:XbH2a915VdMuC5ib0Z6fBogEnr9qayzZyZGegfoOSrk=,tag:9Mj1hakrboNpsCmVEwC7fA==,type:float]",
"attributes": {
"atomic": "ENC[AES256_GCM,data:3lXq7g==,iv:D35gADjsy0tM8+ULNp81WvYDpUO49UqPDgrie4d6gMY=,tag:ltPqkus1MFAoV5hXjBt7cA==,type:bool]",
"chart": "ENC[AES256_GCM,data:Ecl+yXEpRdA=,iv:rUosupdbyf7+DElgEn8HOKITSZvkA1OwNi9vNjy6paA=,tag:k2wezEXmUhYhkv66ZewpQw==,type:str]",
"cleanup_on_fail": "ENC[AES256_GCM,data:L45N2xw=,iv:K9We2aHq0PnHZHDaSJ1XRTNt6XzBYTdiz4sN/y5MphY=,tag:l7A3EFFXxwx0hOHoJdJkGg==,type:bool]",
"create_namespace": "ENC[AES256_GCM,data:eEloPo4=,iv:LbcDirpIgqxxzwDQ3tB/QDzCzCfUgMkQVi0JEdn8Sek=,tag:ke2S99dtt2Ca9gcid0J8+Q==,type:bool]",
"dependency_update": "ENC[AES256_GCM,data:ReeXXTg=,iv:OslQuCQAkdilHOryF/VT6OlcxrqmG5+ugttO6Sxe4oQ=,tag:+EliGqa5FrhMhig8qVO0kQ==,type:bool]",
"description": null,
"devel": null,
"disable_crd_hooks": "ENC[AES256_GCM,data:CqtOYXc=,iv:0os+Z0Cb65Jw11OpTZGbZCZMGyN/cSIvfBvORnZks/o=,tag:/WEdYuaGdrxzEEPg5QWdYw==,type:bool]",
"disable_openapi_validation": "ENC[AES256_GCM,data:QwT4d3w=,iv:UV5TUY61YXFk0cKF853QLMUz3M6uQT32td7iY7aH/BQ=,tag:HCBouvgLz54NBcdU0LHuxw==,type:bool]",
"disable_webhooks": "ENC[AES256_GCM,data:YbABQoI=,iv:UrmjrwkvXjxPL7AALMOMAmEsoSACvJOWqXmQDDeFrDw=,tag:vLNAjkiIKbSpzAwXL8v/2A==,type:bool]",
"force_update": "ENC[AES256_GCM,data:z2/yVe8=,iv:y9VXtnumXKPQH2wdmZGtQh1x7VnsXLt5JIjQlu8kSx8=,tag:WY4TVuicLDSd7ICVXV0OJQ==,type:bool]",
"id": "ENC[AES256_GCM,data:roKj5+fcKa8=,iv:xshbyyz2rbdhay+igqcU9+SOW13SoV1fKZdBziwXOBg=,tag:6eKvzyeooRdFUv2GCKw1xQ==,type:str]",
"keyring": null,
"lint": "ENC[AES256_GCM,data:w8Jh9Vo=,iv:/03o6/6mtL35Cxi/unkJIEDH60kyje0ho8yVteqhPmk=,tag:gEWaxV9A+5yQhmT/UsZr6g==,type:bool]",
"manifest": null,
"max_history": "ENC[AES256_GCM,data:kQ==,iv:fejPH/Zmgj3Ads+g2xPajpkeeXDtlu8gvUC4DpooLz8=,tag:Cm+AhPdrkxGTIMeeo3ciww==,type:float]",
"metadata": {
"app_version": "ENC[AES256_GCM,data:z7UL1w5CzA==,iv:zajyzsAQne/MKIb3XYkJ0TwBdyfxBLZl1kQnsE4PFJ0=,tag:pyky0HYafRu9l0u9bs/0Ug==,type:str]",
"chart": "ENC[AES256_GCM,data:xgZu3w6yDww=,iv:5AIvZxZRSmwAN7AERhXYNRRSjE9pI0qrppzaNWdIeQ4=,tag:hPPch0JM+ugE0qC7trggyQ==,type:str]",
"first_deployed": "ENC[AES256_GCM,data:ynCTldEb5OJoYQ==,iv:vqILmmRWEvEYkFQAiff5UcaIRJq4RsfP+JF8DPD5kQY=,tag:g1H/2O8ltiQzdOqtzuea7g==,type:float]",
"last_deployed": "ENC[AES256_GCM,data:aKfVVO0hjs+Bzg==,iv:TrfxO5b2rbs4PG/kCBfaRJMRj76O883af0uQhImL0Y0=,tag:tTDmV/SvZNm1Vv8jGsLUZw==,type:float]",
"name": "ENC[AES256_GCM,data:WMH+bXDHm58=,iv:WmFaB2cbza3zr79sUWownzHouXUnmagTwY6BdufGC/Y=,tag:AhComxmWlE5V9V5Zpqx3Kg==,type:str]",
"namespace": "ENC[AES256_GCM,data:TzfrkY7MahA=,iv:v50sHLUpXaTYTHP+jZZQyjIDnB3PTanODBia0weUHIg=,tag:g/dbDB4b/Xe7ihX/uNvT+g==,type:str]",
"notes": "ENC[AES256_GCM,data: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,iv:mKdOlUhvwj9AruQN3BHuZP+IEt23qTArNPjNHY2MAG4=,tag:L8oHEqF4Cufht2YDL+EadA==,type:str]",
"revision": "ENC[AES256_GCM,data:oA==,iv:8tGO5QfwhwpXwHZ90iJxby9u7OfXXO8brzd0PO6/wPo=,tag:Uf+ElepI0ax719eiFyxdfw==,type:float]",
"values": "ENC[AES256_GCM,data:D70=,iv:0sOMsSd5SLPFYBp7KuAtnLtvpmSHB3dIKHFoOW6cCaw=,tag:4mOu3ZbzaklxhzuhedocNA==,type:str]",
"version": "ENC[AES256_GCM,data:6ZhO0js=,iv:0MsK/zXK6TlP8hjIHNMPbroFb3lcF5Xj//ohVzRF7QE=,tag:/NG9nc28sl07HayQtgvZGQ==,type:str]"
},
"name": "ENC[AES256_GCM,data:s2P3VuTSr6I=,iv:EwLNm5SoIFo1YCNOe7sxj3ftWwybRUz8MeVOjUwte7o=,tag:giRWui/EfZO+yFoDWbIDTg==,type:str]",
"namespace": "ENC[AES256_GCM,data:YNY0NGDK0Bg=,iv:13Z0Q52fTCFwt/VTwWJOaFApkQIt8ZAdq3g097agCH4=,tag:kCpxsyaThMjbRJMo2fiSwA==,type:str]",
"pass_credentials": "ENC[AES256_GCM,data:0iY84ck=,iv:y/OObuI8a+fR2IYdELwoMZPC1gBM61www4BeIvNARwY=,tag:46o8wlGVFptpizglvj7h8w==,type:bool]",
"postrender": null,
"recreate_pods": "ENC[AES256_GCM,data:uzfHU50=,iv:NC9mDU9EbagiqemlYZmquJ/MuAJae/6UkA3bY2puAkQ=,tag:b+KzBcIq55RgrwTV58sgyQ==,type:bool]",
"render_subchart_notes": "ENC[AES256_GCM,data:wERUyg==,iv:GdQPU1kU1dY/5B/afk4s8lg/wysRaGqX7bsMm4DBD4I=,tag:ES2MxNjrYsoa58f+T5RQhg==,type:bool]",
"replace": "ENC[AES256_GCM,data:nRBCmuU=,iv:M0EJQtMGWcpeqfsf3b0/ELxrY4Dd4uGe7JFkhPPsAys=,tag:fdakCz6PPUKVYpKCn255EQ==,type:bool]",
"repository": "ENC[AES256_GCM,data:P5JS59q62dT2Ntl4jCgFZPd+RAzk0Wsdp84F1uLiymvUM/H8f+ySG8aV,iv:cGJ/KaZto+8qoHyRkzr5O7Nh/zhLObhPjZAo/3dDGow=,tag:RRd7KWzEivlUuQKzxnFgmA==,type:str]",
"repository_ca_file": null,
"repository_cert_file": null,
"repository_key_file": null,
"repository_password": null,
"repository_username": null,
"reset_values": "ENC[AES256_GCM,data:BAns6Qs=,iv:o19kw/vlaH4tae3cogMbmO+Rei5CWwvzT+DaDFUUPwE=,tag:ZJFvcKBZN1GRx74/tVoDzw==,type:bool]",
"resources": null,
"reuse_values": "ENC[AES256_GCM,data:c6BGeWo=,iv:mWFa983ByqkGTyWH96t6WcoDmR+ya02FWeD/uXdG48w=,tag:vTPGzsvE8DJsQiWpDkfSyg==,type:bool]",
"set": null,
"set_list": null,
"set_sensitive": null,
"set_wo": null,
"set_wo_revision": null,
"skip_crds": "ENC[AES256_GCM,data:sr+LebY=,iv:rmvPLWN1UAXqD1MMcdI4p6l9HlhbL7+l1UmyI4mHwZU=,tag:U8kMg9agmi4WrLGOfqYdgA==,type:bool]",
"status": "ENC[AES256_GCM,data:oWfPXR0mSsQ=,iv:23Uv+w+E9GaXbbPMecFzT59Vo1CH08y0kC6pvg/WfAQ=,tag:4S/8Q3F7wwc73Xrh77tafQ==,type:str]",
"take_ownership": "ENC[AES256_GCM,data:CqZVaAg=,iv:Ga2a3HvBosIjgvufytm8woK1G4nkhOAPhnW3d/pubDo=,tag:7HdD0Uf+ZT7GyHYGyX5ffg==,type:bool]",
"timeout": "ENC[AES256_GCM,data:zMP8,iv:L5lINXNmhnAuBmRIf3jg3h1s2AVwhxB3kLSob7PhXz0=,tag:r0aF+O7pIBMGu385z4HzmQ==,type:float]",
"timeouts": null,
"upgrade_install": "ENC[AES256_GCM,data:GzpHAvQ=,iv:bS6E+PEKmSjXw9nO8rvOP7oda1sKjEK4ZrnuFt0Gth8=,tag:YDrEjqKfWma38SuiDAKBJw==,type:bool]",
"values": null,
"verify": "ENC[AES256_GCM,data:cbkNobQ=,iv:/czDETIaYIC7vUNGa6+eS8MX3roC4GsLjGaItJNVcFY=,tag:qhvs8UGh3veXbm8KPvYH2Q==,type:bool]",
"version": "ENC[AES256_GCM,data:maewQKE=,iv:njM4l/zF+4i6oI4wCwmGLKHWpcfmCeY4v0Kh56U9rhI=,tag:q2zRuPWowptv0iv003HkDQ==,type:str]",
"wait": "ENC[AES256_GCM,data:xKq7jA==,iv:+TeCABmEpzFJqg1ftnYc5WNnTwnKvlpPZWMYmh5IMdg=,tag:4/PVDJLPEn1qPePvimiUlA==,type:bool]",
"wait_for_jobs": "ENC[AES256_GCM,data:4bDG3Mc=,iv:wCICzvDAqKU6FSMHGjTEU/a/JZ8P2xLmIX5ePkK2tpI=,tag:snRT4GD2QY8V4fzeVNb+ew==,type:bool]"
},
"sensitive_attributes": [],
"dependencies": [
"ENC[AES256_GCM,data:ECKKGdHTAkDjx6Nm1kHqeae7VYjZN7T8VMXvE6s=,iv:PpRweTRijhB4cJ7Lq4Ecfx3FkatXjJzfVVVTsxJChQs=,tag:N0maCVt7oa/2G0/0El+Vpw==,type:str]"
]
}
]
},
{
"mode": "ENC[AES256_GCM,data:8iq3Nn7YnQ==,iv:BI2MKPEE92V2IGauhL83S/bAGb/uAOPI7nYyAtXcvmU=,tag:/8ZIrXjx9QRRrfN2RQeznQ==,type:str]",
"type": "ENC[AES256_GCM,data:0v+2520MKNNMEvpZr1HQo2kjZoI=,iv:FfFTBMFB63t5/jhbO23oeCX60OnaUlyO3hMI+b7mc+A=,tag:WXAl04lXYegZ95YjFaw3Bg==,type:str]",
"name": "ENC[AES256_GCM,data:lDj6ielQKto=,iv:CUt0s09MdfoPv/ee/aUP3xHtgxyuQfrCGLqMxm6+3fs=,tag:AJbGz79GyzKyjWJyhMvcYg==,type:str]",
"provider": "ENC[AES256_GCM,data:8p0WoFLKvwwZc/X5Nqyu2bCQXVucl0bZ+SlRrfBpBXPgR97A+9Cq5l80fhFgb+pelgA8SyL3,iv:NifnEzNU3CCWRl61mOykMhOnzpfVVV6GNAsY339pwzU=,tag:OPkV6ntfrR6xNpzTYQ197w==,type:str]",
"instances": [
{
"schema_version": "ENC[AES256_GCM,data:Iw==,iv:bRMXMkaYrrv6x0h9GoncJYILyIfN9CxZ4U8t8g5z/P8=,tag:G7taa4Jm0UvwDQe3rWGZnA==,type:float]",
"attributes": {
"id": "ENC[AES256_GCM,data:lBTFA84dBlM=,iv:4LXQf5idxZwD5l8nHRKQfZ6hyYVBOKpkWShyo7MZOA4=,tag:blVbTWlQPXZsrQcwsT7m5g==,type:str]",
"metadata": [
{
"annotations": {},
"generate_name": "",
"generation": "ENC[AES256_GCM,data:Cg==,iv:wx6EIII+UmurV17dfNLEdg1lPqmq7ulPXkbJbLM9QQE=,tag:4tlZiJCr83pSZW2t+h12VQ==,type:float]",
"labels": {
"goldilocks.fairwinds.com/vpa-update-mode": "ENC[AES256_GCM,data:9afY,iv:YleaIwzBVxc+QsZzLSrwDjhR2pzTBJSgemeH/YGJxeY=,tag:ldvgXD3zYYbc3HCt2dgg2w==,type:str]",
"tier": "ENC[AES256_GCM,data:WGAsVew=,iv:eQ+FEywJ+EKzn7WoAuhUBFw93MKny2yGQg2ESF9Bv2E=,tag:F7Dq7QkzIhFM+b6pcv85Ow==,type:str]"
},
"name": "ENC[AES256_GCM,data:d65fUrlnej8=,iv:d0jUhYz/3xHPHZei3SYXzHxj1nGb4dv2TIWkKfEzCrs=,tag:gVvxqk1gUVvu8Ttkz2v22w==,type:str]",
"resource_version": "ENC[AES256_GCM,data:E7rUDseGHpLy,iv:m/82hOlYQSiQx1CwIiCV0nHgETAvb2LhE+j5YVph4h0=,tag:gbmTHnxmmH54sjH+bh1Q5g==,type:str]",
"uid": "ENC[AES256_GCM,data:wAVU4S9YxFvQCHahkDL9NwdMHeUoWVtoEL1+vKT2h/SsqK9J,iv:XlfYhCsrmuB/4kfFDfcbaKCpu1YjgokWtn1j2xxrKqY=,tag:iOjxSy3ix3j5sgkcXm4krQ==,type:str]"
}
],
"timeouts": null,
"wait_for_default_service_account": "ENC[AES256_GCM,data:EVSSb+8=,iv:VGABPF7S42eQxA6lYNIy1hYeWMJTuHjgduKOgjR7p10=,tag:hzeClUDjzBxktwHjYss52w==,type:bool]"
},
"sensitive_attributes": [],
"private": "ENC[AES256_GCM,data:m8afKOw8iLrxCzX6hzKQl25YSvr8nzSNhNj8ZrtEsogrLisLW3tkZEQQkUf9x2SvZrx9ELMbSI36FDnzXqnjIVeazZoglpqGuuu4jK5hi2cYgk3e8oVNgA==,iv:fYBhPARcObgktJs6mIiPD55aau/5X/oseTeSu4UN+30=,tag:/96lcNLcHplAgcZ6NmYJbg==,type:str]"
}
]
}
],
"check_results": null,
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": [
{
"vault_address": "https://vault.viktorbarzin.me",
"engine_path": "transit",
"key_name": "sops-state-reloader",
"created_at": "2026-03-17T23:05:54Z",
"enc": "vault:v1:K2CpVBVMik5GTP1J3KqO8E1B6+qQmsRYbINbBTwJUtaiG4RpvI3pP5Lxry8OUln1RfmZ8pQU2uMkiDxU"
}
],
"age": [
{
"recipient": "age1z64h9t3acsm2rr74pz7j4846kwj5tutx9sk78jqv46y8fln4vs2sy920ce",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2OTFvMktOeU91Y2huL2tQ\nUzBSUnN0SmJZcDROMnROcEdYV2VhK0tYZGd3ClNQZktDVktMcWQ1M3MyVnhLT0lP\nMXdEM2s0RmM4M2cyaE90Z2wydW5UdjQKLS0tIFh3cHhiTzVNN2tLUzJHNkJWNEFR\nMzNYNGh2cEc2UUhRZDhFYjA0dlhYTnMKmkk7ny3E5M94GYmYq571927NVgQBeLi3\n+WIHtxjoNasOGr50af9CaJ1eRZihbmPFoBxRz+GZLNfXf1b+QPWLQQ==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1rekkad48r2wzhwqgfetw5yugu3ln3qlht4xg3txmx55tee8cveess60r90",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrS3R0c3JYY2hROXNxQ3Nz\nTmRrbWNiWGFQS2YvQzFlTS9Tdk5Kei9EanhJCkF5LzVRdUVWcGdNbG9OaHFaWUVR\nLzIvUFpRRHBLd1BiTHpWT1JaNUlxUm8KLS0tIGg1U0R4WE5rUTlGTjZJMTExSlNa\nRjhFWGI1VGsxUzBIS3JDak1Wb1psRVkKteFUVcsFiYIB13phm3CuV2WY8gpNyF4/\nPOXYRHAkgVw3G6oWjXHCZMDJCKmaFaMvNva65FsUH1ZpNOYRMmHYFQ==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2026-03-17T23:05:54Z",
"mac": "ENC[AES256_GCM,data:nBwiK9WOhX/uHVKOPDRLXdB9DCwdJecIFSYklRyu3dNabukoJSv2PsZ/kU5lQRCNMqNaTDuSAgClItoKuZEozKKKKf0gB7q+nnqlNhjMik6H+aFNdXyqQ65Q3Z99ZgalJEE/zUQE2aOHUj2um2oPNVYnJ9xBU0O9SFoQ3ph2HoU=,iv:y6nAbKbPPIE64q1AJTDtaWUTxpXVtVxIKO+74ldKlX0=,tag:8OeTxzdxA9hqnkgfdpUt9w==,type:str]",
"pgp": null,
"unencrypted_suffix": "_unencrypted",
"version": "3.9.4"
}
}