From 3a0663192fe35e9be9e99859d4a29f4fa4a3ec8b Mon Sep 17 00:00:00 2001
From: xnoto
Date: Thu, 30 Apr 2026 10:36:08 -0600
Subject: [PATCH 1/2] chore: deprecating openshift content
---
 main.tf | 19 -------------------
 provider.tf | 8 +++++++-
 secrets/secrets.yaml | 6 ++----
 3 files changed, 9 insertions(+), 24 deletions(-)
diff --git a/main.tf b/main.tf
index 9a93d56..45c7958 100644
--- a/main.tf
+++ b/main.tf
@@ -93,25 +93,6 @@ locals {
 "tfroot-github"
 ]
 }
- "openshift_server_url" = {
- name = "OPENSHIFT_SERVER_URL"
- value = data.sops_file.secret_vars.data["openshift_server_url"]
- repositories = [
- "images",
- "kustomize-cluster"
- ]
- }
- "openshift_username" = {
- name = "OPENSHIFT_USERNAME"
- value = data.sops_file.secret_vars.data["openshift_username"]
- repositories = [
- "images",
- "kustomize-cluster"
- ]
- }
- # NOTE: OPENSHIFT_TOKEN is managed by ArgoCD PostSync job (ci-token-sync)
- # in kustomize-cluster, not Terraform. This allows automatic token refresh
- # when the cluster is recreated.
 "sops_age_key" = {
 name = "SOPS_AGE_KEY"
 value = data.sops_file.secret_vars.data["sops_age_key"]
diff --git a/provider.tf b/provider.tf
index dfb8efe..05ca471 100644
--- a/provider.tf
+++ b/provider.tf
@@ -3,7 +3,13 @@ terraform {
 # stating a required minimum version should be sufficient for most use cases.
 required_version = "> 1.3"
- backend "s3" {}
+ # Dummy values are present only so `terraform validate` can validate the
+ # backend schema. These values are overridden by the Makefile during init.
+ backend "s3" {
+ bucket = "validation-only"
+ key = "validation-only.tfstate"
+ region = "us-east-1"
+ }
 # please don't pin provider versions unless there is a known bug being worked around.
 # please add comment-doc when pinning to reference upstream bugs/docs that show the reason for the pin.
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index f132a4d..afa3d22 100644
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
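Review bot: The placeholder values in the new `backend "s3"` block are live backend configuration, not inert schema filler: S3 bucket names share one global namespace, so a plain `terraform init` run without the Makefile's overrides would try to reach whatever account owns a bucket named `validation-only` in us-east-1 for this workspace's state. If the only goal is letting `terraform validate` pass, `terraform init -backend=false` initializes providers and modules without touching the backend at all, so the original empty `backend "s3" {}` partial configuration can stay and the dummy values become unnecessary. If the dummy values are kept anyway, the comment should state the consequence rather than just the intent, e.g. `# Never run a bare terraform init against this block: the Makefile's -backend-config values are required, not optional.` The `terraform` block continues outside the hunk.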
@@ -13,8 +13,6 @@ onion_aws_region: ENC[AES256_GCM,data:kP66iQ2k6vXO,iv:5f+KdsYfkv+SPW0ra9w270TlSk
 onion_s3_bucket: ENC[AES256_GCM,data:KmfWCcoufDnZiv/KpRMeYyg1HLqbFA==,iv:5bIEcMZHl2ijTsOnd/CNk8Sqh9jrvA7ZGL4Ugx2psqs=,tag:uSXOUfk9FgIgOvB+CuT+Ug==,type:str]
 onion_aws_access_key_id: ENC[AES256_GCM,data:aP4lIpJvjUUn4tDabVG/XN5MCCw=,iv:Qt56iiwYHWSt7LmJhBGk1s8SZyeBchnUswOPkIgnMcE=,tag:+WKU5gy6xiBGebFL4qcQ8A==,type:str]
 onion_aws_secret_access_key: ENC[AES256_GCM,data:VyTmQP0ePPwub0ii3jhpeBlXCw9jJcO1n1UWElzIoQ/hKzRxYB6fuA==,iv:aVtTdR6xVgHw9GNiidvVpENgVEex/NVAauCBr5Di+c8=,tag:XyjxwZhNnTBdq1wiVlNXEA==,type:str]
-openshift_server_url: ENC[AES256_GCM,data:OK0m0QURVnKDJQUDE5UrNbsCAf6u30olJQ==,iv:Ovu064CCaiEni2xvlJd2uU6bqhg0irzpEl12lGj4biw=,tag:zwAuOwr2TR+zQVeoSxQ1ow==,type:str]
-openshift_username: ENC[AES256_GCM,data:/Vz+CqCBvCVoW116ItaYTUUjrPRsKz2r10kypoqesd2BqX7EK2CQ0WyOvlP80qpbEZA=,iv:I9fViz9ZWrJRvGzTlYr0I8wy88GgiDNP0C+/Vu8Vd6I=,tag:Z32PzBTX4Vj3KX4IGPVb6A==,type:str]
 sops_age_key: ENC[AES256_GCM,data:kK8zWix/ixpRHbkIO+7H9njNjNvyywJf47qzyUnZ1gGIDrXvsbucfsVkXQ8KCJNFaMFtV2Q8za74zHoDvaIHGMIrqO/lZEU3Mkk=,iv:ZrS0+rzlhF7c3yTP6p95cvGgiCcIKCFmR3ciNZF08a8=,tag:R7mToFSZynMeDppDrHoCcg==,type:str]
 www_aws_region: ENC[AES256_GCM,data:zNlYVEdfWSt7,iv:1EuJEcGCehdNXefjdxbsf+EIQAAriahlsLvSFX1juuQ=,tag:rKXSez3x63hQOW5dxfuORQ==,type:str]
 www_s3_bucket: ENC[AES256_GCM,data:IAv46XzbFFYnQnwvwxR6CA==,iv:1VrY1BHtSH0h1GZ33A0dB86yEuWBa7iYyYBoMPfSBEU=,tag:FASm43yXO3G0ZPG4q2TeWg==,type:str]
@@ -33,7 +31,7 @@ sops:
 YlFmOUhWbWlsd2ttYWRaYTk4T3dCbFUKzXuqXD6QH9orC7kCcSKNQhIyUNBtlITv
 FIk3D7Niz2eNMyom5OobkRKVg33NpYdOusvchxqpJc0i4ydqyGkMzw==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2026-04-30T04:41:14Z"
- mac: ENC[AES256_GCM,data:GOJ8/uoO0nWVrpEDLAF2BF+WqjoxNxg/x5nJievPPKzewyhCwDsuMkDFNCq/QWXpt9OUpxoyDSXMhEbT7igJ7aqcwlkdqvGWvDBGFBjR/uKKL0BLCH8DqD58h20baJX5h71/35jl/8AabBTR2akkE1a+lUJE/6KL/kTmPN29rc0=,iv:tnK7t0O24AGKn1glB+sSme3o9X5gt8niICMkDEMuioc=,tag:grs5kBt5GHNLk2K1Hcutog==,type:str]
+ lastmodified: "2026-04-30T16:17:12Z"
+ mac: ENC[AES256_GCM,data:kqtjOb9eAziiyyty+gToF+iadFJFnTKy8v8UftWHey868LNVL5Dq/TS8hmpYNLxzgFsu06uqHPmFNEIaeJQIPDL7ZwOdCKk6hf2tDx2BR1+EBEgGGoe9Hx7stuXGx0Vg+zhPv3/Z3yc+po46EtpuF+OyujOwWOBt2xbBEZL1yz4=,iv:A1h6EFCWD/1Oxzx7Lpt70yHKQWepiETnB9J+i8IE02g=,tag:7CBnxg3Dgp7tESpqLzeklQ==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.12.2
From 5f119a5fb0bf40b177b586aadbb063989536909e Mon Sep 17 00:00:00 2001
From: xnoto
Date: Thu, 30 Apr 2026 10:41:04 -0600
Subject: [PATCH 2/2] fix(protections): use org/team-slug actor format for admins team
The provider parses "/admins" as a user named "admins"; teams must use "/". The wrong format silently dropped on each apply, causing recurring drift in dismissal_restrictions, pull_request_bypassers, and push_allowances.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 gh-protections.tf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/gh-protections.tf b/gh-protections.tf
index e78fb8d..50d2ade 100644
--- a/gh-protections.tf
+++ b/gh-protections.tf
@@ -19,9 +19,9 @@ resource "github_branch_protection" "protections" {
 contexts = []
 }
 required_pull_request_reviews {
- dismissal_restrictions = ["/${github_team.admins.slug}"]
+ dismissal_restrictions = ["${var.github_owner}/${github_team.admins.slug}"]
 dismiss_stale_reviews = true
- pull_request_bypassers = ["/${github_team.admins.slug}"]
+ pull_request_bypassers = ["${var.github_owner}/${github_team.admins.slug}"]
 require_code_owner_reviews = true
 required_approving_review_count = 0
 require_last_push_approval = true
@@ -29,7 +29,7 @@ resource "github_branch_protection" "protections" {
 }
 restrict_pushes {
 push_allowances = [
- "/${github_team.admins.slug}"
+ "${var.github_owner}/${github_team.admins.slug}"
 ]
 }
 depends_on = [github_repository.repositories, github_team.admins]
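Review bot: The `owner/team-slug` actor string is now spelled out three times (`dismissal_restrictions` and `pull_request_bypassers` in this hunk, `push_allowances` in the `-29,7` hunk), and nothing in the file records why the leading owner matters, which is exactly the detail the old `/slug` form got wrong and lost silently on every apply. Define it once in a `locals` block with the reason attached, e.g. `# Team actors must be "<org>/<team-slug>"; a bare "/<slug>" is parsed as a user and dropped by the provider.` above `admins_team_actor = "${var.github_owner}/${github_team.admins.slug}"`, and reference `local.admins_team_actor` in all three places so the format cannot drift per field. This also assumes `var.github_owner` is the same owner the provider is configured with; if they can diverge, the team reference would again stop matching without an error, so a plan run against a fresh state is worth checking for a now-empty restriction list. The `github_branch_protection` resource starts before the first hunk and ends after the second.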