arcodange-org/factory
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Compare commits

merge into: arcodange-org:arcodange/iac-provider-fixes
Branches Tags
arcodange-org:main arcodange-org:claude/adr-multi-env arcodange-org:arcodange/r2-import-cleanup arcodange-org:arcodange/r2-state-import arcodange-org:arcodange/iac-provider-fixes arcodange-org:arcodange/focused-dirac-151213 arcodange-org:docs/telegram-gateway-auth-adr arcodange-org:vibe/batch-pr-factory5-conditional-vault-disable arcodange-org:vibe/batch-pr-factory4-secret-propagation-inventory arcodange-org:vibe/batch-pr-factory3-vault-oauth-user arcodange-org:vibe/batch-pr-factory2-postgres-dlc arcodange-org:vibe/batch-pr-factory1-argocd-dlc
...
pull from: arcodange-org:arcodange/r2-state-import
Branches Tags
arcodange-org:claude/adr-multi-env arcodange-org:main arcodange-org:arcodange/r2-import-cleanup arcodange-org:arcodange/r2-state-import arcodange-org:arcodange/iac-provider-fixes arcodange-org:arcodange/focused-dirac-151213 arcodange-org:docs/telegram-gateway-auth-adr arcodange-org:vibe/batch-pr-factory5-conditional-vault-disable arcodange-org:vibe/batch-pr-factory4-secret-propagation-inventory arcodange-org:vibe/batch-pr-factory3-vault-oauth-user arcodange-org:vibe/batch-pr-factory2-postgres-dlc arcodange-org:vibe/batch-pr-factory1-argocd-dlc

4 Commits
arcodange/ ... arcodange/

Author SHA1 Message Date
Gabriel Radureau
a0fbe5c655 fix(iac): import existing EU R2 bucket into state 
Run #28 applied cleanly except cloudflare_r2_bucket.arcodange_tf: the bucket
exists in the EU jurisdiction, but its prior state entry lacked the jurisdiction,
so cloudflare provider >=5.20 read it as not-found, removed it from state, and
then failed to recreate it ("already exists"). Add a config-driven import block
with the jurisdiction-qualified id (<account_id>/<bucket_name>/<jurisdiction>) so
the next apply adopts the real bucket. No-op once reconciled; removable after.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
 2026-06-24 13:19:32 +02:00
arcodange
fc28c52b85 Merge pull request 'fix(iac): pin cloudflare provider + lockfile, trust homelab CA in gitea provider' (#12) from arcodange/iac-provider-fixes into main 2026-06-24 13:03:16 +02:00
arcodange
bfa05ff633 Merge pull request 'fix(ci): run factory tofu workflows on the CA-trusting runner' (#11) from arcodange/focused-dirac-151213 into main 2026-06-24 13:02:58 +02:00
Gabriel Radureau
e5c537a967 fix(ci): run factory tofu workflows on the CA-trusting runner 
After the move to the self-signed internal DNS (gitea.arcodange.lab /
vault.arcodange.lab), the default `ubuntu-latest` runner image does not
trust the homelab CA, so the `uses:` clone of the vault-action over HTTPS
fails TLS verification. webapp's workflows already moved to the
`ubuntu-latest-ca` runner (whose image ships the homelab CA); apply the
same to the factory `iac` and `postgres` tofu workflows.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
 2026-06-24 11:22:54 +02:00
3 changed files with 14 additions and 4 deletions
Expand all files Collapse all files

4
.gitea/workflows/iac.yaml
View File

@@ -36,7 +36,7 @@ concurrency:
jobs: jobs:
gitea_vault_auth: gitea_vault_auth:
name: Auth with gitea for vault name: Auth with gitea for vault
runs-on: ubuntu-latest runs-on: ubuntu-latest-ca
outputs: outputs:
gitea_vault_jwt: ${{steps.gitea_vault_jwt.outputs.id_token}} gitea_vault_jwt: ${{steps.gitea_vault_jwt.outputs.id_token}}
steps: steps:
@@ -50,7 +50,7 @@ jobs:
name: Tofu name: Tofu
needs: needs:
- gitea_vault_auth - gitea_vault_auth
runs-on: ubuntu-latest runs-on: ubuntu-latest-ca
env: env:
OPENTOFU_VERSION: 1.8.2 OPENTOFU_VERSION: 1.8.2
TERRAFORM_VAULT_AUTH_JWT: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }} TERRAFORM_VAULT_AUTH_JWT: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}

4
.gitea/workflows/postgres.yaml
View File

@@ -33,7 +33,7 @@ concurrency:
jobs: jobs:
gitea_vault_auth: gitea_vault_auth:
name: Auth with gitea for vault name: Auth with gitea for vault
runs-on: ubuntu-latest runs-on: ubuntu-latest-ca
outputs: outputs:
gitea_vault_jwt: ${{steps.gitea_vault_jwt.outputs.id_token}} gitea_vault_jwt: ${{steps.gitea_vault_jwt.outputs.id_token}}
steps: steps:
@@ -47,7 +47,7 @@ jobs:
name: Tofu - Postgres name: Tofu - Postgres
needs: needs:
- gitea_vault_auth - gitea_vault_auth
runs-on: ubuntu-latest runs-on: ubuntu-latest-ca
env: env:
OPENTOFU_VERSION: 1.8.2 OPENTOFU_VERSION: 1.8.2
TERRAFORM_VAULT_AUTH_JWT: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }} TERRAFORM_VAULT_AUTH_JWT: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}

10
iac/cloudflare.tf
View File

@@ -14,6 +14,16 @@ resource "cloudflare_r2_bucket" "arcodange_tf" {
jurisdiction = "eu" jurisdiction = "eu"
} }
# One-time state reconcile. The arcodange-tf R2 bucket already exists in the EU jurisdiction, but its
# prior state entry lacked the jurisdiction, so cloudflare provider >= 5.20 read it as "not found" and
# tried to recreate it (which fails: "already exists"). Re-import it with the jurisdiction-qualified id
# (<account_id>/<bucket_name>/<jurisdiction>) so the next apply adopts the real bucket instead.
# This block is a no-op once the bucket is in state and can be removed afterwards.
import {
to = cloudflare_r2_bucket.arcodange_tf
id = "f7fcf28c0823cecb44e53b6e92d5144f/arcodange-tf/eu"
}
module "cf_r2_arcodange_tf_token" { module "cf_r2_arcodange_tf_token" {
source = "./modules/cloudflare_token" source = "./modules/cloudflare_token"
account_id = local.cloudflare_account_id account_id = local.cloudflare_account_id