arcodange-org/factory
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix(iac): pin cloudflare provider + lockfile, trust homelab CA in gitea provider

Browse Source 
With the runner CA fix (#11) the iac workflow now runs far enough to apply,
which exposed two provider problems:

cloudflare drift — `cloudflare/cloudflare` floated on `~> 5` with no committed
lock file, so CI pulled v5.21.1 where `cloudflare_account_token.policies[].resources`
is a JSON string, not a map ("Incorrect attribute value type"). Fix:
- pin to `~> 5.21` and commit a multi-platform `.terraform.lock.hcl`
  (linux_arm64 for the runner + darwin_arm64 for local);
- `jsonencode(...)` the module's policy resources;
- bind the cloudflare_token module to `cloudflare/cloudflare` explicitly (it was
  defaulting to `hashicorp/cloudflare`, pulling a redundant provider);
- stop `.gitignore` from hiding the lock file (the old `.terraform.*` rule did).

gitea provider TLS — it runs inside the dflook/terraform-apply container, which
doesn't trust the homelab CA (only the ubuntu-latest-ca runner does), so it
failed `x509: certificate signed by unknown authority` reaching
gitea.arcodange.lab. Fix: feed it the homelab CA via the provider's `cacert_file`
(TF_VAR_gitea_cacert_file -> the homelab.pem the workflow already materializes).

Validated locally with `tofu validate` + provider-schema inspection (no prod
calls). Complements #11. Out of scope (need a live run / operator): the OVH
consumer-key scope, and the R2 bucket "not found" on refresh (a state reconcile).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Gabriel Radureau
2026-06-24 12:56:46 +02:00
parent 3b0919b804
commit 9b545e6f8f
6 changed files with 208 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
iac/providers.tf
View File

@@ -14,7 +14,7 @@ terraform {
}
cloudflare = {
source = "cloudflare/cloudflare"
version = "~> 5"
version = "~> 5.21" # pinned + .terraform.lock.hcl committed to avoid silent v5.x drift
}
ovh = {
source = "ovh/ovh"
@@ -23,8 +23,18 @@ terraform {
}
}
variable "gitea_cacert_file" {
# The gitea provider runs inside the dflook/terraform-apply container, which does NOT trust the
# homelab CA (unlike the ubuntu-latest-ca runner). Point it at the CA the workflow already writes
# so it can verify https://gitea.arcodange.lab. Set via TF_VAR_gitea_cacert_file in CI; null locally.
description = "Path to the homelab CA cert for the Gitea provider (set in CI). Null = use system trust."
type = string
default = null
}
provider "gitea" { # https://registry.terraform.io/providers/go-gitea/gitea/latest/docs
base_url = "https://gitea.arcodange.lab"
base_url = "https://gitea.arcodange.lab"
cacert_file = var.gitea_cacert_file
# use GITEA_TOKEN env var
}