feat: wire WOODPECKER_ENCRYPTION_KEY through Terraform #99

Closed
opened 2026-03-17 04:01:35 +00:00 by forgejo_admin · 0 comments

Lineage

todo-woodpecker-secrets-terraform (no plan ancestry)

Repo

forgejo_admin/pal-e-platform

User Story

As a platform operator
I want the Woodpecker encryption key managed by Terraform
So that stored secrets survive CNPG database migrations without becoming undecryptable

Context

Every time CNPG rebuilds the Woodpecker database, the encryption key stored in the DB is lost. This makes all stored secrets (repo secrets, global secrets) undecryptable, requiring manual re-entry of every secret. The fix is to pass WOODPECKER_ENCRYPTION_KEY as an externally-managed env var via Helm values so Woodpecker uses that key instead of generating one internally. The key then lives in terraform state (sourced from Salt pillar), not the DB.

File Targets

Files the agent should modify:

  • terraform/variables.tf -- add woodpecker_encryption_key variable (sensitive)
  • terraform/main.tf -- add set_sensitive block for the encryption key in the Woodpecker helm_release
  • Makefile -- add woodpecker_encryption_key to TF_SECRET_VARS
  • .woodpecker.yaml -- add TF_VAR_woodpecker_encryption_key to plan and apply step environments

Files the agent should NOT touch:

  • salt/pillar/secrets/platform.sls -- the actual secret value is added by the operator separately

Acceptance Criteria

  • woodpecker_encryption_key variable exists in terraform/variables.tf as a sensitive string
  • set_sensitive block passes the key to server.env.WOODPECKER_ENCRYPTION_KEY in the Woodpecker helm_release
  • Makefile TF_SECRET_VARS includes woodpecker_encryption_key
  • .woodpecker.yaml plan step includes TF_VAR_woodpecker_encryption_key from secret
  • .woodpecker.yaml apply step includes TF_VAR_woodpecker_encryption_key from secret
  • tofu fmt -check passes
  • tofu validate shows no syntax errors (missing variable value is expected)

Test Expectations

  • tofu fmt -check -recursive exits 0
  • tofu validate fails only with "No value for required variable" (not syntax error)
  • Run command: cd terraform && tofu fmt -check -recursive && tofu validate

Constraints

  • Follow existing set_sensitive pattern (lines 755-777 of main.tf) -- do NOT put sensitive values in the yamlencode block
  • Follow existing TF_SECRET_VARS naming convention in Makefile
  • Follow existing Woodpecker CI env var pattern in .woodpecker.yaml
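The Terraform half of the change the issue asks for, written out as an added example rather than the pal-e-platform repository's own code. It assumes the helm provider 2.x `set_sensitive { }` block syntax (the 3.x provider turned this into a list attribute), a `helm_release` resource named `woodpecker`, and placeholder chart/namespace values; only the variable name and the `server.env.WOODPECKER_ENCRYPTION_KEY` path come from the issue. The Makefile and `.woodpecker.yaml` halves are not shown here.

```hcl
# Added example, not the project's own code. Assumptions: helm provider 2.x
# block syntax for set_sensitive, resource name "woodpecker", and the chart,
# repository and namespace values, which are placeholders.

# terraform/variables.tf
variable "woodpecker_encryption_key" {
  description = "Woodpecker server secret-encryption key, supplied as TF_VAR_woodpecker_encryption_key from Salt pillar. Never hard-code a value here."
  type        = string
  sensitive   = true # redacted in plan/apply output; still stored in state in clear
}

# terraform/main.tf (excerpt of the Woodpecker helm_release)
resource "helm_release" "woodpecker" {
  name       = "woodpecker"
  repository = "oci://ghcr.io/woodpecker-ci/helm" # assumed chart location
  chart      = "woodpecker"
  namespace  = "woodpecker"

  # Non-secret configuration stays in the rendered values document.
  # Anything placed here would be visible in plan output and in the
  # Helm release secret, so the encryption key must not go in this block.
  values = [yamlencode({
    server = {
      env = {
        WOODPECKER_OPEN = "false" # placeholder non-secret setting
      }
    }
  })]

  # The key is merged into server.env out-of-band from the values document.
  # Helm deep-merges --set values over the rendered values, so the other
  # server.env entries above are preserved.
  set_sensitive {
    name  = "server.env.WOODPECKER_ENCRYPTION_KEY"
    value = var.woodpecker_encryption_key
  }
}
```

Two points worth checking after applying this. First, `sensitive = true` only redacts the value from CLI output; Terraform still writes it to the state file unencrypted, so the state backend needs the same access controls as the Salt pillar it came from. Second, `tofu plan` with no `TF_VAR_woodpecker_encryption_key` in the environment will stop at "No value for required variable", which is the expected failure mode the Test Expectations section describes, and is preferable to a default value that would silently let Woodpecker start with a known key.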

Checklist

  • PR opened
  • Tests pass
  • No unrelated changes
Related

  • pal-e-platform -- project this affects