Feature: Harden secrets gitignore and add tfvars.example #232

Open
opened 2026-03-28 19:42:05 +00:00 by forgejo_admin · 0 comments

Type

Feature

Lineage

Split from #231 during ticket review. Hardening companion to secrets documentation SOP.

Repo

forgejo_admin/pal-e-platform

User Story

As a superadmin
I want a tfvars example file and verified gitignore coverage
So that new contributors know what variables are needed without exposing actual values

Context

secrets.auto.tfvars is already gitignored by *.tfvars in root .gitignore — confirmed not tracked. But there's no example file showing what variables are expected. secrets_registry.sls already has a comment on line 3 ("No actual secret values here") confirming it's metadata only.

File Targets

Files the agent should create or modify:

  • terraform/secrets.auto.tfvars.example — expected variable names with placeholder values
  • Optionally: header comment in secrets_registry.sls confirming audit date

Files the agent should NOT touch:

  • Actual secret values anywhere
  • *.tfvars files (gitignored, not tracked)
  • pal-e-docs notes (separate ticket #231)

Acceptance Criteria

  • terraform/secrets.auto.tfvars.example exists with all expected variable names and placeholder values
  • tofu plan -lock=false still works (example file doesn't interfere)
  • secrets_registry.sls has audit confirmation comment

Test Expectations

  • tofu plan -lock=false succeeds
  • git status shows example file tracked, actual tfvars still ignored

Constraints

  • Read ~/secrets/pal-e-platform/secrets.env and terraform/variables.tf to derive the expected variable list
  • Use CHANGEME or <your-value-here> as placeholders, never real values
  • Small scope — under 3 file changes
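One way to carry out the constraint above (derive the variable list from `variables.tf`, emit `CHANGEME` placeholders, and confirm nothing from `secrets.env` reached the example before committing), as an added example that is not the project's own tooling; the `variables.tf` and `secrets.env` contents are constructed samples, not the real files:

```python
import re

# Constructed stand-in for terraform/variables.tf (not the project's real file).
VARIABLES_TF = '''
variable "db_password" {
  type        = string
  sensitive   = true
  description = "Database password"
}

variable "api_token" {
  type      = string
  sensitive = true
}

variable "region" {
  type    = string
  default = "eu-west-1"
}
'''

# Constructed stand-in for ~/secrets/pal-e-platform/secrets.env (values are fake).
SECRETS_ENV = "DB_PASSWORD=s3cr3t-db-pass\nAPI_TOKEN=tok-12345\n"

# Matches a top-level `variable "name" { ... }` block; the body ends at a line that is just "}".
VAR_RE = re.compile(r'variable\s+"([A-Za-z_][A-Za-z0-9_]*)"\s*\{(.*?)\n\}', re.S)

def tfvars_variables(tf_text):
    """Return [(name, is_sensitive)] for every variable block, in file order."""
    return [(m.group(1), "sensitive = true" in re.sub(r"\s+", " ", m.group(2)))
            for m in VAR_RE.finditer(tf_text)]

def render_example(tf_text, placeholder="CHANGEME"):
    """Render secrets.auto.tfvars.example: one assignment per variable, placeholder only."""
    lines = ["# Copy to secrets.auto.tfvars (gitignored via *.tfvars) and fill in real values."]
    for name, sensitive in tfvars_variables(tf_text):
        lines.append(f'{name} = "{placeholder}"' + ("  # sensitive" if sensitive else ""))
    return "\n".join(lines) + "\n"

def env_values(env_text):
    """Collect the right-hand side of every KEY=VALUE line (comments and blanks skipped)."""
    vals = set()
    for line in env_text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            v = line.split("=", 1)[1].strip().strip('"').strip("'")
            if v:
                vals.add(v)
    return vals

def leaked_values(example_text, env_text):
    """Real values from secrets.env that appear verbatim in the example; must be empty."""
    return sorted(v for v in env_values(env_text) if v in example_text)
```

Run `leaked_values(render_example(...), ...)` against the real `secrets.env` as a pre-commit gate; a non-empty list means the example file would expose an actual value.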

Checklist

  • PR opened
  • Tests pass
  • No unrelated changes

Related

  • project-pal-e-platform — platform infrastructure
  • #231 — companion SOP documentation ticket
Reference
forgejo_admin/pal-e-platform#232