chore: deprecate openshift

gh-protections.tf

@@ -19,17 +19,17 @@ resource "github_branch_protection" "protections" {
     contexts = []
   }
   required_pull_request_reviews {
-    dismissal_restrictions          = ["/${github_team.admins.slug}"]
+    dismissal_restrictions          = ["${var.github_owner}/${github_team.admins.slug}"]
     dismiss_stale_reviews           = true
-    pull_request_bypassers          = ["/${github_team.admins.slug}"]
+    pull_request_bypassers          = ["${var.github_owner}/${github_team.admins.slug}"]
     require_code_owner_reviews      = true
     required_approving_review_count = 0
     require_last_push_approval      = true
     restrict_dismissals             = true
   }
   restrict_pushes {
     push_allowances = [
-      "/${github_team.admins.slug}"
+      "${var.github_owner}/${github_team.admins.slug}"
     ]
   }
   depends_on = [github_repository.repositories, github_team.admins]

main.tf

@@ -93,25 +93,6 @@ locals {
         "tfroot-github"
       ]
     }
-    "openshift_server_url" = {
-      name  = "OPENSHIFT_SERVER_URL"
-      value = data.sops_file.secret_vars.data["openshift_server_url"]
-      repositories = [
-        "images",
-        "kustomize-cluster"
-      ]
-    }
-    "openshift_username" = {
-      name  = "OPENSHIFT_USERNAME"
-      value = data.sops_file.secret_vars.data["openshift_username"]
-      repositories = [
-        "images",
-        "kustomize-cluster"
-      ]
-    }
-    # NOTE: OPENSHIFT_TOKEN is managed by ArgoCD PostSync job (ci-token-sync)
-    # in kustomize-cluster, not Terraform. This allows automatic token refresh
-    # when the cluster is recreated.
     "sops_age_key" = {
       name  = "SOPS_AGE_KEY"
       value = data.sops_file.secret_vars.data["sops_age_key"]

provider.tf

@@ -3,7 +3,13 @@ terraform {
   # stating a required minimum version should be sufficient for most use cases.
   required_version = "> 1.3"
 
-  backend "s3" {}
+  # Dummy values are present only so `terraform validate` can validate the
+  # backend schema. These values are overridden by the Makefile during init.
+  backend "s3" {
+    bucket = "validation-only"
+    key    = "validation-only.tfstate"
+    region = "us-east-1"
+  }
 
   # please don't pin provider versions unless there is a known bug being worked around.
   # please add comment-doc when pinning to reference upstream bugs/docs that show the reason for the pin.

secrets/secrets.yaml

@@ -13,8 +13,6 @@ onion_aws_region: ENC[AES256_GCM,data:kP66iQ2k6vXO,iv:5f+KdsYfkv+SPW0ra9w270TlSk
 onion_s3_bucket: ENC[AES256_GCM,data:KmfWCcoufDnZiv/KpRMeYyg1HLqbFA==,iv:5bIEcMZHl2ijTsOnd/CNk8Sqh9jrvA7ZGL4Ugx2psqs=,tag:uSXOUfk9FgIgOvB+CuT+Ug==,type:str]
 onion_aws_access_key_id: ENC[AES256_GCM,data:aP4lIpJvjUUn4tDabVG/XN5MCCw=,iv:Qt56iiwYHWSt7LmJhBGk1s8SZyeBchnUswOPkIgnMcE=,tag:+WKU5gy6xiBGebFL4qcQ8A==,type:str]
 onion_aws_secret_access_key: ENC[AES256_GCM,data:VyTmQP0ePPwub0ii3jhpeBlXCw9jJcO1n1UWElzIoQ/hKzRxYB6fuA==,iv:aVtTdR6xVgHw9GNiidvVpENgVEex/NVAauCBr5Di+c8=,tag:XyjxwZhNnTBdq1wiVlNXEA==,type:str]
-openshift_server_url: ENC[AES256_GCM,data:OK0m0QURVnKDJQUDE5UrNbsCAf6u30olJQ==,iv:Ovu064CCaiEni2xvlJd2uU6bqhg0irzpEl12lGj4biw=,tag:zwAuOwr2TR+zQVeoSxQ1ow==,type:str]
-openshift_username: ENC[AES256_GCM,data:/Vz+CqCBvCVoW116ItaYTUUjrPRsKz2r10kypoqesd2BqX7EK2CQ0WyOvlP80qpbEZA=,iv:I9fViz9ZWrJRvGzTlYr0I8wy88GgiDNP0C+/Vu8Vd6I=,tag:Z32PzBTX4Vj3KX4IGPVb6A==,type:str]
 sops_age_key: ENC[AES256_GCM,data:kK8zWix/ixpRHbkIO+7H9njNjNvyywJf47qzyUnZ1gGIDrXvsbucfsVkXQ8KCJNFaMFtV2Q8za74zHoDvaIHGMIrqO/lZEU3Mkk=,iv:ZrS0+rzlhF7c3yTP6p95cvGgiCcIKCFmR3ciNZF08a8=,tag:R7mToFSZynMeDppDrHoCcg==,type:str]
 www_aws_region: ENC[AES256_GCM,data:zNlYVEdfWSt7,iv:1EuJEcGCehdNXefjdxbsf+EIQAAriahlsLvSFX1juuQ=,tag:rKXSez3x63hQOW5dxfuORQ==,type:str]
 www_s3_bucket: ENC[AES256_GCM,data:IAv46XzbFFYnQnwvwxR6CA==,iv:1VrY1BHtSH0h1GZ33A0dB86yEuWBa7iYyYBoMPfSBEU=,tag:FASm43yXO3G0ZPG4q2TeWg==,type:str]
@@ -33,7 +31,7 @@ sops:
             YlFmOUhWbWlsd2ttYWRaYTk4T3dCbFUKzXuqXD6QH9orC7kCcSKNQhIyUNBtlITv
             FIk3D7Niz2eNMyom5OobkRKVg33NpYdOusvchxqpJc0i4ydqyGkMzw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-04-30T04:41:14Z"
-    mac: ENC[AES256_GCM,data:GOJ8/uoO0nWVrpEDLAF2BF+WqjoxNxg/x5nJievPPKzewyhCwDsuMkDFNCq/QWXpt9OUpxoyDSXMhEbT7igJ7aqcwlkdqvGWvDBGFBjR/uKKL0BLCH8DqD58h20baJX5h71/35jl/8AabBTR2akkE1a+lUJE/6KL/kTmPN29rc0=,iv:tnK7t0O24AGKn1glB+sSme3o9X5gt8niICMkDEMuioc=,tag:grs5kBt5GHNLk2K1Hcutog==,type:str]
+    lastmodified: "2026-04-30T16:17:12Z"
+    mac: ENC[AES256_GCM,data:kqtjOb9eAziiyyty+gToF+iadFJFnTKy8v8UftWHey868LNVL5Dq/TS8hmpYNLxzgFsu06uqHPmFNEIaeJQIPDL7ZwOdCKk6hf2tDx2BR1+EBEgGGoe9Hx7stuXGx0Vg+zhPv3/Z3yc+po46EtpuF+OyujOwWOBt2xbBEZL1yz4=,iv:A1h6EFCWD/1Oxzx7Lpt70yHKQWepiETnB9J+i8IE02g=,tag:7CBnxg3Dgp7tESpqLzeklQ==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.12.2