Gabriel Radureau
5de9793bdf
All checks were successful
Helm Charts / Detect changed charts (push) Successful in 1m18s
Helm Charts / Detect changed charts (pull_request) Successful in 38s
Helm Charts / Library charts tool (push) Has been skipped
Helm Charts / Library charts tool (pull_request) Has been skipped
Helm Charts / Application charts pgcat (push) Has been skipped
Helm Charts / Application charts pgcat (pull_request) Has been skipped
Phase A of the multi-environment evolution agreed in the erp repo design thread. Both modules gain an optional env coordinate that defaults to "prod"; by the elision rule, env=prod produces the existing single-env derived names character-for-character, so every existing app's tofu plan should be a no-op. app_roles (per-instance module — caller iterates over envs): - variables.tf: add optional env = "prod" - main.tf: compute local.instance via elision rule + local.owner_role (snake-case <name>_<env>_role for the Postgres owner) - main.tf: substitute local.name -> local.instance in all derived names (dynamic role name, k8s role name, SA bindings, token_policies) - outputs.tf: add env + instance outputs; kvv2_path_prefix now derives from local.instance (== local.name when env=prod -> backwards-compat) app_policy (per-repo module — accepts list of envs): - variables.tf: add optional envs = ["prod"] - main.tf: compute local.instances + local.non_prod_instances - main.tf: refactor kvv2 ops rules to dynamic blocks iterating local.instances preserving the original rule order (data, delete, undelete, destroy, metadata) so prod-only apps render a byte-identical policy document - main.tf: allowed_parameter blocks for k8s role's bound_service_account_* and token_policies use comprehensions over local.instances - main.tf: keep vault_policy.app (the env=prod runtime policy) at its original address; add vault_policy.app_non_prod via for_each over non_prod_instances for the other envs Top-level wiring: - iac/variables.tf: add envs = optional(list(string), ["prod"]) to the applications set(object) type - iac/main.tf: pass envs = each.value.envs through to app_policies `tofu validate` passes. Every existing app's tofu plan should report no changes because: (1) env="prod" defaults are used everywhere, (2) the elision rule makes local.instance == local.name for prod, (3) dynamic rule blocks preserve declaration order, (4) the new app_non_prod resource is created via for_each over an empty set when no non-prod envs are declared. Phase B (factory postgres iac + argocd + runbook docs) and Phase D (erp iac/main.tf for_each + activate sandbox) follow in their own PRs. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
23 lines
741 B
HCL
23 lines
741 B
HCL
variable "gitea_app_id" {
|
|
type = string
|
|
}
|
|
variable "POSTGRES_CREDENTIALS_EDITOR_USERNAME" {
|
|
type = string
|
|
sensitive = true
|
|
}
|
|
variable "POSTGRES_CREDENTIALS_EDITOR_PASSWORD" {
|
|
type = string
|
|
sensitive = true
|
|
}
|
|
variable "applications" {
|
|
type = set(object({
|
|
name = string
|
|
policies = optional(list(string), [])
|
|
service_account_names = optional(list(string), [])
|
|
service_account_namespaces = optional(list(string), [])
|
|
# Multi-env extension: list of envs this app deploys to. Defaults to ["prod"] for
|
|
# every existing app — backwards compatible by the elision rule. Non-prod envs
|
|
# produce additional runtime policies named "<name>-<env>".
|
|
envs = optional(list(string), ["prod"])
|
|
}))
|
|
} |