Gabriel Radureau 5de9793bdf
All checks were successful
Helm Charts / Detect changed charts (push) Successful in 1m18s
Helm Charts / Detect changed charts (pull_request) Successful in 38s
Helm Charts / Library charts tool (push) Has been skipped
Helm Charts / Library charts tool (pull_request) Has been skipped
Helm Charts / Application charts pgcat (push) Has been skipped
Helm Charts / Application charts pgcat (pull_request) Has been skipped
modules: add env/envs parameter to app_roles + app_policy (multi-env)
Phase A of the multi-environment evolution agreed in the erp repo design
thread. Both modules gain an optional env coordinate that defaults to
"prod"; by the elision rule, env=prod produces the existing single-env
derived names character-for-character, so every existing app's tofu plan
should be a no-op.

app_roles (per-instance module — caller iterates over envs):
- variables.tf: add optional env = "prod"
- main.tf: compute local.instance via elision rule + local.owner_role
  (snake-case <name>_<env>_role for the Postgres owner)
- main.tf: substitute local.name -> local.instance in all derived names
  (dynamic role name, k8s role name, SA bindings, token_policies)
- outputs.tf: add env + instance outputs; kvv2_path_prefix now derives
  from local.instance (== local.name when env=prod -> backwards-compat)

app_policy (per-repo module — accepts list of envs):
- variables.tf: add optional envs = ["prod"]
- main.tf: compute local.instances + local.non_prod_instances
- main.tf: refactor kvv2 ops rules to dynamic blocks iterating local.instances
  preserving the original rule order (data, delete, undelete, destroy,
  metadata) so prod-only apps render a byte-identical policy document
- main.tf: allowed_parameter blocks for k8s role's bound_service_account_*
  and token_policies use comprehensions over local.instances
- main.tf: keep vault_policy.app (the env=prod runtime policy) at its
  original address; add vault_policy.app_non_prod via for_each over
  non_prod_instances for the other envs

Top-level wiring:
- iac/variables.tf: add envs = optional(list(string), ["prod"]) to the
  applications set(object) type
- iac/main.tf: pass envs = each.value.envs through to app_policies

`tofu validate` passes. Every existing app's tofu plan should report no
changes because: (1) env="prod" defaults are used everywhere, (2) the
elision rule makes local.instance == local.name for prod, (3) dynamic
rule blocks preserve declaration order, (4) the new app_non_prod resource
is created via for_each over an empty set when no non-prod envs are
declared.

Phase B (factory postgres iac + argocd + runbook docs) and Phase D
(erp iac/main.tf for_each + activate sandbox) follow in their own PRs.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
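Illustration of the elision rule and the empty-set `for_each` that the commit message relies on for its no-op claim. This is an added example, not the repository's own module code: the exact suffix separator used by the elision rule, the kvv2 mount name (`secret`), the capability lists, and the `vault_policy.app` name are all assumptions made here to keep the fragment self-contained.

```hcl
# Added illustration, not the repo's app_policy module. The "-" separator,
# the "secret" mount and the capability lists are assumptions.
variable "name" { type = string }

variable "envs" {
  type    = list(string)
  default = ["prod"]
}

locals {
  # Elision rule (assumed form): the prod instance keeps the bare name, so
  # every derived name is character-for-character what the single-env module
  # produced; other envs get a suffix.
  instances = [for e in var.envs : e == "prod" ? var.name : "${var.name}-${e}"]

  # Every instance except prod; an empty set for a prod-only app.
  non_prod_instances = toset([for i in local.instances : i if i != var.name])

  kvv2_mount = "secret" # assumption
}

# One rule block per instance, emitted in declaration order, so a prod-only app
# still renders a single rule per path class in the original order.
data "vault_policy_document" "app" {
  dynamic "rule" {
    for_each = local.instances
    content {
      path         = "${local.kvv2_mount}/data/${rule.value}/*"
      capabilities = ["read", "list"] # assumed capabilities
    }
  }

  dynamic "rule" {
    for_each = local.instances
    content {
      path         = "${local.kvv2_mount}/metadata/${rule.value}/*"
      capabilities = ["list"] # assumed capabilities
    }
  }
}

# The prod runtime policy keeps its original resource address, so its state
# entry and rendered document are unchanged for existing apps.
resource "vault_policy" "app" {
  name   = var.name
  policy = data.vault_policy_document.app.hcl
}

# for_each over an empty set creates no resources when envs = ["prod"], which
# is why existing plans report no changes.
resource "vault_policy" "app_non_prod" {
  for_each = local.non_prod_instances
  name     = each.value
  policy   = <<-EOT
    path "${local.kvv2_mount}/data/${each.value}/*" {
      capabilities = ["read", "list"]
    }
  EOT
}
```

With `envs = ["prod"]` the `instances` list collapses to `[var.name]` and `non_prod_instances` is empty, so the only policy rendered is `vault_policy.app`; with `envs = ["prod", "sandbox"]` the prod document gains a second rule per path class and a separate `vault_policy.app_non_prod["<name>-sandbox"]` is created without touching the prod address.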
2026-06-15 13:35:04 +02:00

Tools

CICD:
push the helm library to the gitea helm registry

for each top-level directory containing a Chart.yaml file (except the library and chart directories)
push it to the gitea helm registry

pgbouncer

prometheus

hashicorp vault

experiment with sops

Readme 709 KiB
Languages
HCL 100%