infra/.gitignore
Viktor Barzin 5d5d9752cb
All checks were successful
ci/woodpecker/push/default Pipeline was successful
guard: ignore + git-crypt kubeconfig files so they can't leak to the public mirror
A GitGuardian audit of the infra repo showed the recent alerts were test
fixtures (false positives), but surfaced a real historical leak: a
cluster-admin kubeconfig was once committed as stacks/f1-stream/.../.config
(now expired, reachable only via a GitHub PR ref). The .gitignore already had
a `config` rule for kubeconfigs but missed the dotfile form `.config` — which
is exactly how that file slipped onto the public mirror.

Close the gap in two layers:
- .gitignore: also ignore `.config`, `kubeconfig`, `*.kubeconfig`,
  `admin.conf`, `.kube/` so they're never staged by accident.
- .gitattributes: route `.config`, `kubeconfig`, `*.kubeconfig`, `admin.conf`
  through git-crypt so a force-add or rename still lands as ciphertext (never
  plaintext) on the public GitHub mirror.

No tracked files match these names today, so there is zero retroactive impact
— purely forward-looking prevention.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-02 07:14:58 +00:00


# Created by https://www.toptal.com/developers/gitignore/api/terraform
# Edit at https://www.toptal.com/developers/gitignore?templates=terraform
### Terraform ###
# Local .terraform directories
**/.terraform/*
# .tfstate files
*.tfstate
*.tfstate.backup
# Crash log files
crash.log
# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
# .tfvars files are managed as part of configuration and so should be included in
# version control.
#
# example.tfvars
#*.tfvars
# Ignore override files as they are usually used to override resources locally and so
# are not checked in
override.tf
override.tf.json
*_override.tf
*_override.tf.json
# Include override files you do wish to add to version control using negated pattern
# !example_override.tf
# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
# example: *tfplan*
git_crypt.key
# SOPS — decrypted secrets (temporary, never commit)
/secrets.auto.tfvars.json
/secrets.auto.tfvars.json.*
# Claude Code - temporary/sensitive files
.claude/cmd_input.txt
.claude/cmd_output.txt
.claude/cmd_status.txt
.claude/settings.local.json
.claude/._*
._*
# Terragrunt
.terragrunt-cache/
# Terraform state — plaintext is ignored, encrypted is committed
state/stacks/*/terraform.tfstate
state/stacks/*/terraform.tfstate.backup
state/stacks/*/*.backup
state/backups/
state/terraform.tfstate
state/infra/
# Allow encrypted state
!state/stacks/*/terraform.tfstate.enc
# Terragrunt-generated files (providers, backend config)
backend.tf
providers.tf
.terraform.lock.hcl
cloudflare_provider.tf
tiers.tf
stacks/*/cloudflare_provider.tf
stacks/*/tiers.tf
stacks/*/terragrunt_rendered.json
# Kubernetes config / cluster credentials (sensitive) — never commit in plaintext.
# `config` alone missed the dotfile form: an admin kubeconfig once leaked to the
# public mirror as `.config` (GitGuardian, 2026-07-02). Cover the common names.
config
.config
kubeconfig
*.kubeconfig
admin.conf
.kube/
# Node.js (not part of infra)
node_modules/
package-lock.json
package.json
# Archived - secrets now in SOPS (secrets.auto.tfvars.json)
terraform.tfvars
# Beads / Dolt files (added by bd init)
.dolt/
*.db
.beads-credential-key
# Build artifacts — binaries should be built by CI, not committed
cli/cli
cli/infra_cli
stacks/terminal/clipboard-upload/clipboard-upload
*.zip
*.tar.gz
*.tgz
*.iso
*.img
*.bin
*.exe
*.dmg
# Plaintext terraform state — NEVER commit (use SOPS-encrypted .tfstate.enc only)
terraform.tfstate
terraform.tfstate.backup
# Per-feature git worktrees (worktree-first workflow — execution.md)
.worktrees/
# Timestamped terraform state backups (terraform.tfstate.<ts>.backup) — plaintext Tier-0
# secrets; created by terraform state ops. The patterns above miss the timestamped form.
terraform.tfstate.*.backup
# Python test artifacts (pytest bytecode cache) — e.g. from
# stacks/k8s-version-upgrade/scripts/test_compat_gate.py
__pycache__/
*.pyc
.pytest_cache/
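As an added check (not code from the infra repo), the script below builds a throwaway git repo carrying only the kubeconfig rules this commit describes and uses `git check-ignore` and `git check-attr` to show which paths each layer actually covers; it assumes git and awk are installed, and every path in it is a constructed sample. It also makes the split between the two layers visible: `.kube/` contents and a bare `config` are ignored but not routed through git-crypt, and the bare `config` rule also swallows any directory named `config`.

```shell
#!/bin/sh
# Added check (not part of the infra repo): a throwaway git repo with only the
# kubeconfig rules from this commit, probed with check-ignore / check-attr.
# Assumes git and awk are installed; all paths are constructed samples.

# Report "<ignored|not-ignored> <filter attribute>" for one path, e.g. "ignored git-crypt".
guard_status() {
  if git check-ignore -q -- "$1"; then ign=ignored; else ign=not-ignored; fi
  flt=$(git check-attr filter -- "$1" | awk '{ print $NF }')
  echo "$ign $flt"
}

# Body is a subshell so cd/HOME changes do not leak; exit status = number of failures.
run_guard_check() (
  tmp=$(mktemp -d) && cd "$tmp" || exit 1
  HOME=$tmp GIT_CONFIG_NOSYSTEM=1; export HOME GIT_CONFIG_NOSYSTEM  # isolate from user/system git config
  git init -q . 2>/dev/null
  # Layer 1: the kubeconfig block of .gitignore from this commit.
  printf '%s\n' config .config kubeconfig '*.kubeconfig' admin.conf .kube/ > .gitignore
  # Layer 2: git-crypt's documented attribute form; bare `config` and `.kube/` are not routed.
  for p in .config kubeconfig '*.kubeconfig' admin.conf; do
    echo "$p filter=git-crypt diff=git-crypt"
  done > .gitattributes
  fails=0
  # Columns: path, expected ignore state, expected filter attribute.
  while read -r path want_ign want_flt; do
    mkdir -p "$(dirname "$path")" && : > "$path"   # create the file so its type is known
    got=$(guard_status "$path")
    if [ "$got" = "$want_ign $want_flt" ]; then
      echo "PASS $path: $got"
    else
      echo "FAIL $path: got '$got', want '$want_ign $want_flt'"; fails=$((fails + 1))
    fi
  done <<'EOF'
stacks/example-stack/.config ignored git-crypt
kubeconfig ignored git-crypt
ops/prod.kubeconfig ignored git-crypt
admin.conf ignored git-crypt
.kube/config ignored unspecified
stacks/app/config/values.yaml ignored unspecified
config.yaml not-ignored unspecified
README.md not-ignored unspecified
EOF
  cd / && rm -rf "$tmp"
  exit "$fails"
)

run_guard_check
```

The `.kube/config` and `stacks/app/config/values.yaml` rows are the ones to read closely: both are ignored, but neither carries the git-crypt filter, so only the `.gitignore` layer stands between them and the public mirror.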