Gabriel Radureau
9b545e6f8f
With the runner CA fix (#11) the iac workflow now runs far enough to apply, which exposed two provider problems: cloudflare drift — `cloudflare/cloudflare` floated on `~> 5` with no committed lock file, so CI pulled v5.21.1 where `cloudflare_account_token.policies[].resources` is a JSON string, not a map ("Incorrect attribute value type"). Fix: - pin to `~> 5.21` and commit a multi-platform `.terraform.lock.hcl` (linux_arm64 for the runner + darwin_arm64 for local); - `jsonencode(...)` the module's policy resources; - bind the cloudflare_token module to `cloudflare/cloudflare` explicitly (it was defaulting to `hashicorp/cloudflare`, pulling a redundant provider); - stop `.gitignore` from hiding the lock file (the old `.terraform.*` rule did). gitea provider TLS — it runs inside the dflook/terraform-apply container, which doesn't trust the homelab CA (only the ubuntu-latest-ca runner does), so it failed `x509: certificate signed by unknown authority` reaching gitea.arcodange.lab. Fix: feed it the homelab CA via the provider's `cacert_file` (TF_VAR_gitea_cacert_file -> the homelab.pem the workflow already materializes). Validated locally with `tofu validate` + provider-schema inspection (no prod calls). Complements #11. Out of scope (need a live run / operator): the OVH consumer-key scope, and the R2 bucket "not found" on refresh (a state reconcile). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
58 lines
1.6 KiB
HCL
58 lines
1.6 KiB
HCL
terraform {
|
|
required_providers {
|
|
gitea = {
|
|
source = "go-gitea/gitea"
|
|
version = "0.6.0"
|
|
}
|
|
vault = {
|
|
source = "vault"
|
|
version = "4.4.0"
|
|
}
|
|
google = {
|
|
source = "google"
|
|
version = "7.0.1"
|
|
}
|
|
cloudflare = {
|
|
source = "cloudflare/cloudflare"
|
|
version = "~> 5.21" # pinned + .terraform.lock.hcl committed to avoid silent v5.x drift
|
|
}
|
|
ovh = {
|
|
source = "ovh/ovh"
|
|
version = "2.8.0"
|
|
}
|
|
}
|
|
}
|
|
|
|
variable "gitea_cacert_file" {
|
|
# The gitea provider runs inside the dflook/terraform-apply container, which does NOT trust the
|
|
# homelab CA (unlike the ubuntu-latest-ca runner). Point it at the CA the workflow already writes
|
|
# so it can verify https://gitea.arcodange.lab. Set via TF_VAR_gitea_cacert_file in CI; null locally.
|
|
description = "Path to the homelab CA cert for the Gitea provider (set in CI). Null = use system trust."
|
|
type = string
|
|
default = null
|
|
}
|
|
|
|
provider "gitea" { # https://registry.terraform.io/providers/go-gitea/gitea/latest/docs
|
|
base_url = "https://gitea.arcodange.lab"
|
|
cacert_file = var.gitea_cacert_file
|
|
# use GITEA_TOKEN env var
|
|
}
|
|
|
|
provider "vault" {
|
|
address = "https://vault.arcodange.lab"
|
|
auth_login_jwt { # TERRAFORM_VAULT_AUTH_JWT environment variable
|
|
mount = "gitea_jwt"
|
|
role = "gitea_cicd"
|
|
}
|
|
}
|
|
|
|
provider "google" {
|
|
project = "arcodange"
|
|
region = "US-EAST1"
|
|
}
|
|
|
|
provider "cloudflare" {} # CLOUDFLARE_API_TOKEN environment variable required
|
|
|
|
provider "ovh" { # OVH_APPLICATION_KEY OVH_APPLICATION_SECRET OVH_CONSUMER_KEY
|
|
endpoint = "ovh-eu"
|
|
} |