
a0fbe5c655 fix(iac): import existing EU R2 bucket into state
Run #28 applied cleanly except cloudflare_r2_bucket.arcodange_tf: the bucket
exists in the EU jurisdiction, but its prior state entry lacked the jurisdiction,
so cloudflare provider >=5.20 read it as not-found, removed it from state, and
then failed to recreate it ("already exists"). Add a config-driven import block
with the jurisdiction-qualified id (<account_id>/<bucket_name>/<jurisdiction>) so
the next apply adopts the real bucket. No-op once reconciled; removable after.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-24 13:19:32 +02:00
fc28c52b85 Merge pull request 'fix(iac): pin cloudflare provider + lockfile, trust homelab CA in gitea provider' (#12) from arcodange/iac-provider-fixes into main 2026-06-24 13:03:16 +02:00
bfa05ff633 Merge pull request 'fix(ci): run factory tofu workflows on the CA-trusting runner' (#11) from arcodange/focused-dirac-151213 into main 2026-06-24 13:02:58 +02:00
e5c537a967 fix(ci): run factory tofu workflows on the CA-trusting runner
After the move to the self-signed internal DNS (gitea.arcodange.lab /
vault.arcodange.lab), the default `ubuntu-latest` runner image does not
trust the homelab CA, so the `uses:` clone of the vault-action over HTTPS
fails TLS verification. webapp's workflows already moved to the
`ubuntu-latest-ca` runner (whose image ships the homelab CA); apply the
same to the factory `iac` and `postgres` tofu workflows.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-24 11:22:54 +02:00
3 changed files with 14 additions and 4 deletions


@@ -36,7 +36,7 @@ concurrency:
jobs: jobs:
gitea_vault_auth: gitea_vault_auth:
name: Auth with gitea for vault name: Auth with gitea for vault
runs-on: ubuntu-latest runs-on: ubuntu-latest-ca
outputs: outputs:
gitea_vault_jwt: ${{steps.gitea_vault_jwt.outputs.id_token}} gitea_vault_jwt: ${{steps.gitea_vault_jwt.outputs.id_token}}
steps: steps:
@@ -50,7 +50,7 @@ jobs:
name: Tofu name: Tofu
needs: needs:
- gitea_vault_auth - gitea_vault_auth
runs-on: ubuntu-latest runs-on: ubuntu-latest-ca
env: env:
OPENTOFU_VERSION: 1.8.2 OPENTOFU_VERSION: 1.8.2
TERRAFORM_VAULT_AUTH_JWT: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }} TERRAFORM_VAULT_AUTH_JWT: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
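Review bot: The `ubuntu-latest-ca` label on the changed `runs-on:` lines carries an unstated requirement — the job only succeeds on a runner whose image trusts the homelab CA — and nothing in the workflow file records that, so a later "simplification" back to `ubuntu-latest` would silently reintroduce the TLS failure described in the commit message. A short comment beside the first `runs-on:` of each job, e.g. `# ubuntu-latest-ca: runner image trusts the homelab CA; needed for the HTTPS clone of vault-action from gitea.arcodange.lab`, would pin the reason in the file itself. The same applies to both hunks of the postgres workflow section below. Both jobs continue outside the hunks shown.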


@@ -33,7 +33,7 @@ concurrency:
jobs: jobs:
gitea_vault_auth: gitea_vault_auth:
name: Auth with gitea for vault name: Auth with gitea for vault
runs-on: ubuntu-latest runs-on: ubuntu-latest-ca
outputs: outputs:
gitea_vault_jwt: ${{steps.gitea_vault_jwt.outputs.id_token}} gitea_vault_jwt: ${{steps.gitea_vault_jwt.outputs.id_token}}
steps: steps:
@@ -47,7 +47,7 @@ jobs:
name: Tofu - Postgres name: Tofu - Postgres
needs: needs:
- gitea_vault_auth - gitea_vault_auth
runs-on: ubuntu-latest runs-on: ubuntu-latest-ca
env: env:
OPENTOFU_VERSION: 1.8.2 OPENTOFU_VERSION: 1.8.2
TERRAFORM_VAULT_AUTH_JWT: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }} TERRAFORM_VAULT_AUTH_JWT: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}


@@ -14,6 +14,16 @@ resource "cloudflare_r2_bucket" "arcodange_tf" {
jurisdiction = "eu" jurisdiction = "eu"
} }
# One-time state reconcile. The arcodange-tf R2 bucket already exists in the EU jurisdiction, but its
# prior state entry lacked the jurisdiction, so cloudflare provider >= 5.20 read it as "not found" and
# tried to recreate it (which fails: "already exists"). Re-import it with the jurisdiction-qualified id
# (<account_id>/<bucket_name>/<jurisdiction>) so the next apply adopts the real bucket instead.
# This block is a no-op once the bucket is in state and can be removed afterwards.
import {
to = cloudflare_r2_bucket.arcodange_tf
id = "f7fcf28c0823cecb44e53b6e92d5144f/arcodange-tf/eu"
}
module "cf_r2_arcodange_tf_token" { module "cf_r2_arcodange_tf_token" {
source = "./modules/cloudflare_token" source = "./modules/cloudflare_token"
account_id = local.cloudflare_account_id account_id = local.cloudflare_account_id
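Review bot: The import `id` hard-codes the Cloudflare account id while the `module` block two lines below reads it from `local.cloudflare_account_id`, so the same value now lives in two places and can drift. If the OpenTofu in use (1.8.2 per the workflow env) accepts an expression in an `import` block's `id`, `id = "${local.cloudflare_account_id}/arcodange-tf/eu"` keeps them consistent; otherwise a one-line comment noting the duplication would do. The header comment could also name the check the commit implicitly relies on: once the import is picked up, the plan should show the bucket as adopted with no replace/destroy, because a mismatch between the imported attributes and the config would otherwise turn the next apply into a replacement of a live bucket. The enclosing `resource` block starts before the hunk and the `module` block continues past it.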