Apply 6 pending terraform changes (validation drift from 9 merged PRs) #224

Open
opened 2026-03-28 16:02:08 +00:00 by forgejo_admin · 1 comment

Type

Task

User Story

As the superuser, I need the 6 pending terraform changes applied so that the 9 merged PRs (#199, #205, #207-#211, #216-#218) are validated in production. Currently, code is merged but infrastructure hasn't been applied — the validation campaign revealed this drift.

Context

tofu plan -lock=false output (2026-03-28):

  • 0 to add, 4 to change, 2 to destroy

2 to destroy:

  • kubernetes_manifest.netpol_staging — orphaned staging NetworkPolicy (not in config)
  • module.staging.kubernetes_namespace_v1.staging — staging namespace removed from config

4 to change:

  • module.ci.helm_release.woodpecker — new API token + agent secret variables wired in
  • module.monitoring.helm_release.blackbox_exporter — probe URL updates (internal URLs from PR #178)
  • module.monitoring.kubernetes_secret_v1.dora_exporter — new API token for DORA metrics
  • module.storage.minio_s3_bucket_policy.assets_public_read — signatures deny policy consolidation (PR #209)

Prerequisites completed:

  • Added woodpecker_api_token and woodpecker_agent_secret to secrets.auto.tfvars (gitignored, local-only)

Scope

  1. Run tofu plan -lock=false -no-color and capture full output
  2. Review each of the 6 changes for safety
  3. Run tofu apply -lock=false with approval
  4. Verify Woodpecker agent reconnects with new secret
  5. Verify blackbox probes switch to internal URLs
  6. Verify DORA exporter uses new API token
  7. Verify MinIO signatures bucket policy is correct
  8. Verify staging namespace cleanup is safe (no running workloads)

File Targets

  • terraform/secrets.auto.tfvars (already updated locally)
  • terraform/modules/*/ (code already merged, just needs apply)

Acceptance Criteria

  • tofu plan shows 0 changes after apply
  • Woodpecker CI pipeline runs successfully on a test push
  • Blackbox probes report healthy with internal URLs
  • DORA exporter scrapes metrics via new token
  • MinIO signatures path returns 403 (not public)
  • No orphaned staging resources remain

Test Expectations

  • Post-apply tofu plan output = "No changes. Your infrastructure matches the configuration."
  • Woodpecker agent pod is Running (not CrashLoopBackOff)

Related

  • Parent validation ticket: #223
  • PRs validated by this apply: #199, #205, #207, #208, #209, #210, #211, #216, #217, #218
  • Depends on: secrets.auto.tfvars fix (completed locally)
  • Blocks: pal-e-services apply (services depend on platform stability)
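The plan-review gate behind Scope steps 1 to 3 (capture the plan, review the six changes, apply only with approval) and the post-apply "No changes" expectation, as an added shell example that is not part of the issue or the pal-e-platform repository. It assumes the plan was saved with `tofu plan -lock=false -no-color > plan.txt`; the sample plan text, the `plan_gate` function and its approved-destroy list are constructed for illustration, with the resource addresses taken from the issue.

```shell
#!/usr/bin/env bash
# Added example, not code from the issue or the pal-e-platform repository.
# Gates "tofu apply" on a reviewed plan: the summary counts must match what
# was reviewed, and only pre-approved resource addresses may be destroyed.
# Assumed workflow (constructed):  tofu plan -lock=false -no-color > plan.txt

# Print the plan summary as "ADD CHANGE DESTROY"; a clean plan yields "0 0 0".
plan_counts() {
  # $1 = file holding "tofu plan -no-color" output
  if grep -q '^No changes\.' "$1"; then
    echo "0 0 0"
    return 0
  fi
  sed -n 's/^Plan: \([0-9][0-9]*\) to add, \([0-9][0-9]*\) to change, \([0-9][0-9]*\) to destroy\..*/\1 \2 \3/p' "$1" | head -n 1
}

# Print one resource address per line for every "# <addr> will be destroyed" line.
plan_destroys() {
  sed -n 's/^ *# \([^ ]*\) will be destroyed$/\1/p' "$1"
}

# plan_gate PLANFILE "ADD CHANGE DESTROY" APPROVED_DESTROY_LIST
# Returns 0 when the plan matches the reviewed counts and destroys only
# approved addresses (newline-separated list); otherwise explains and returns 1.
plan_gate() {
  counts=$(plan_counts "$1")
  if [ "$counts" != "$2" ]; then
    echo "plan summary '$counts' differs from reviewed '$2'; re-review before apply" >&2
    return 1
  fi
  for addr in $(plan_destroys "$1"); do
    if ! printf '%s\n' "$3" | grep -qxF -- "$addr"; then
      echo "unapproved destroy: $addr" >&2
      return 1
    fi
  done
  return 0
}

# Constructed sample of the plan this issue describes (addresses from the issue,
# surrounding lines abbreviated). Writes to a temp file and prints its path.
sample_plan() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
OpenTofu will perform the following actions:

  # kubernetes_manifest.netpol_staging will be destroyed
  - resource "kubernetes_manifest" "netpol_staging" {}

  # module.staging.kubernetes_namespace_v1.staging will be destroyed
  - resource "kubernetes_namespace_v1" "staging" {}

  # module.ci.helm_release.woodpecker will be updated in-place
  ~ resource "helm_release" "woodpecker" {}

Plan: 0 to add, 4 to change, 2 to destroy.
EOF
  echo "$f"
}

# Constructed sample of the post-apply plan the acceptance criteria expect.
clean_plan() {
  f=$(mktemp)
  echo 'No changes. Your infrastructure matches the configuration.' >"$f"
  echo "$f"
}

# Self-demonstration on the constructed sample (prints "gate passed").
demo=$(sample_plan)
plan_gate "$demo" "0 4 2" "kubernetes_manifest.netpol_staging
module.staging.kubernetes_namespace_v1.staging" && echo "gate passed"
rm -f "$demo"

# Typical use once a real plan.txt has been reviewed by hand:
#   plan_gate plan.txt "0 4 2" "$approved_destroys" && tofu apply -lock=false
```

For the post-apply check, `tofu plan -detailed-exitcode` gives the same answer in machine-readable form (exit status 2 while changes are pending, 0 when the state matches the configuration). Note that `-lock=false` disables state locking, so this gate does not protect against a second operator applying concurrently; it only enforces that what gets applied is what was reviewed.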
Comment by forgejo_admin (Author, Owner):

Validation Complete (2026-03-28)

All 6 terraform changes applied successfully:

  1. DORA exporter secret — new API token
  2. Staging NetworkPolicy — destroyed (orphaned)
  3. Staging namespace — destroyed (confirmed empty)
  4. Blackbox exporter — probe URLs updated to internal
  5. MinIO bucket policy — signatures deny consolidated
  6. Woodpecker helm — new token + agent secret (required Helm lock rollback from rev 17 → 16 first)

Post-apply verification:

  • tofu plan = "No changes. Your infrastructure matches the configuration."
  • Woodpecker agent: Running (32s fresh restart)
  • Woodpecker server: Running (32s fresh restart)
  • Blackbox exporter: Running

Parent ticket #223 can now be validated.

Reference
forgejo_admin/pal-e-platform#224