Add admin_app_db_password to Makefile TF_SECRET_VARS (gates #304 apply) #314

Closed
opened 2026-04-28 04:49:54 +00:00 by forgejo_admin · 1 comment

Type

Bug

Lineage

Discovered scope from operator-side make tofu-apply attempt (2026-04-26 by Ava following Lucas's "do it" auth). PR #304 declared admin_app_db_password as a terraform variable. PR #308 added the GPG-encrypted entry to the Salt pillar. Neither updated the Makefile's TF_SECRET_VARS list, so the pillar key never renders into terraform/secrets.auto.tfvars, causing make tofu-validate-secrets to fail and gating any apply.

Repo

forgejo_admin/pal-e-platform

What Broke

Running make tofu-apply (or make tofu-secrets then make tofu-validate-secrets) succeeds at writing the rendered tfvars but does NOT include admin_app_db_password because the Makefile's TF_SECRET_VARS list doesn't reference it. As a result, terraform plan/apply errors with "no value for required variable admin_app_db_password".

PR #308's QA (review-pr-308-2026-04-26) claimed "TF_SECRET_VARS at line 51 of Makefile already includes admin_app_db_password" — that claim was incorrect. Inspection of current main (as of 2026-04-27) confirms the variable is absent from the list.

Repro Steps

  1. Pull latest pal-e-platform main
  2. make tofu-secrets — succeeds, writes 17 vars (does NOT include admin_app_db_password)
  3. grep admin_app_db_password terraform/secrets.auto.tfvars — returns nothing
  4. cd terraform && tofu plan — errors on missing required variable

Expected Behavior

After PR #304 (var declared) and PR #308 (pillar entry) both merged, make tofu-secrets should render admin_app_db_password into terraform/secrets.auto.tfvars, allowing make tofu-apply to proceed.

Environment

  • pal-e-platform Makefile at lines 46-54 (TF_SECRET_VARS)
  • Salt pillar at salt/pillar/secrets/platform.sls (entry exists per #308)
  • TF variable declared in terraform/variables.tf (per #304)

User Story

story:admin-row-crud — As the operator running make tofu-apply to provision the admin_app Postgres role for westside-admin, I need the Makefile to render the password from the Salt pillar so the apply doesn't fail on the missing variable.

Architecture

arch:salt

Context

Two-step gap that fell through the cracks: TF_SECRET_VARS is the explicit allow-list filtering pillar keys into rendered tfvars. Adding a new TF variable backed by a pillar key requires updates in three places: variables.tf (PR #304 ✓), pillar (PR #308 ✓), Makefile allow-list (this PR).

Worth a follow-up to either:

  • Document the three-step requirement in convention-secrets-pipeline (or similar)
  • Auto-derive the allow-list from variables.tf inspection (eliminates manual sync)

File Targets

  • Makefile line 46-54 (TF_SECRET_VARS definition) — append admin_app_db_password to the appropriate continuation line

Acceptance Criteria

  • admin_app_db_password listed in TF_SECRET_VARS
  • make tofu-secrets writes the password into terraform/secrets.auto.tfvars
  • make tofu-validate-secrets passes
  • make tofu-apply proceeds without "no value for required variable" error

Test Expectations

  • After fix: make tofu-secrets && grep admin_app_db_password terraform/secrets.auto.tfvars returns the rendered line
  • tofu plan -lock=false (in terraform/) shows the planned admin_app resources (Job + Secret) without variable errors

Constraints

  • Don't reorder existing entries in TF_SECRET_VARS — preserve the existing alphabetical/grouping pattern
  • Don't add entries for other unrelated vars

Checklist

  • Reviewed via /review-ticket
  • Makefile edited
  • Local make tofu-secrets confirmed render
  • PR opened with Closes #THIS
  • Merged via standard hook

Related

  • Blocks: pal-e-platform PR #304 apply
  • Should-have-been-caught-by: PR #308 QA review (false-positive on Makefile inclusion check)
  • Memory: feedback_discovered_scope_always_tracked, feedback_verification_before_completion
Comment by forgejo_admin (Author):

Closing — false alarm by Ava. Latest main DOES include admin_app_db_password in TF_SECRET_VARS (line 51). Earlier diagnosis was reading the Makefile from ~/pal-e-platform working tree which sits on the stale 290-payment-pipeline-observability branch. Lesson: always inspect target file from a worktree off latest main when validating CI/build scripts. Closing as not-a-bug.
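The Context section describes a manual three-place sync (variables.tf, Salt pillar, Makefile allow-list) and proposes auto-deriving the allow-list from variables.tf; the closing comment adds that the original diagnosis came from a stale working tree. The script below is an added example, not pal-e-platform code: it reads terraform/variables.tf and the Makefile from a named git ref (so a stale checkout cannot produce a false diagnosis), derives the set of required variables, and reports drift against TF_SECRET_VARS and the rendered secrets.auto.tfvars. It assumes TF_SECRET_VARS is a whitespace-separated Make list with backslash continuations and that a Terraform variable without a default is required; the sample inputs and their variable names are constructed, not taken from the repository.

```python
"""Drift check for the pillar -> TF_SECRET_VARS -> secrets.auto.tfvars pipeline.

Added example, not pal-e-platform code. Assumptions: TF_SECRET_VARS is a
whitespace-separated Make list with backslash continuations; a Terraform
variable with no `default` is required. Sample inputs below are constructed.
"""
import re
import subprocess
from pathlib import Path

_VAR_BLOCK = re.compile(r'^\s*variable\s+"([A-Za-z_][A-Za-z0-9_]*)"\s*\{', re.M)
_DEFAULT = re.compile(r"^\s*default\s*=", re.M)
_TFVARS_KEY = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=", re.M)


def _block_body(text: str, open_brace: int) -> str:
    """Text between the brace at index open_brace and its matching close."""
    depth = 0
    for i in range(open_brace, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace + 1:i]
    raise ValueError("unbalanced braces in variables.tf")


def required_tf_vars(variables_tf: str) -> set[str]:
    """Variables declared without a default: tofu plan fails without a value."""
    return {
        m.group(1)
        for m in _VAR_BLOCK.finditer(variables_tf)
        if not _DEFAULT.search(_block_body(variables_tf, m.end() - 1))
    }


def makefile_list(makefile: str, name: str) -> list[str]:
    """Words assigned to Make variable `name`; follows backslash continuations,
    `+=` appends, and lets a later `=`/`:=` replace the list."""
    assign = re.compile(rf"^\s*{re.escape(name)}\s*(\+=|:=|\?=|=)\s*(.*)$")
    words: list[str] = []
    lines = makefile.splitlines()
    i = 0
    while i < len(lines):
        m = assign.match(lines[i])
        if m:
            if m.group(1) != "+=":
                words = []
            chunk = m.group(2)
            while chunk.rstrip().endswith("\\") and i + 1 < len(lines):
                words.extend(chunk.rstrip()[:-1].split())
                i += 1
                chunk = lines[i]
            words.extend(chunk.split())
        i += 1
    return words


def tfvars_keys(tfvars: str) -> set[str]:
    """Keys of a rendered *.tfvars file; secret values are never read out."""
    return set(_TFVARS_KEY.findall(tfvars))


def drift(required: set[str], allowlisted: list[str], rendered: set[str]) -> dict[str, set[str]]:
    """Declared-but-not-allow-listed (this ticket's symptom), declared-but-not-
    rendered, and allow-listed-but-no-longer-declared (stale entry or typo)."""
    allow = set(allowlisted)
    return {
        "missing_from_allowlist": required - allow,
        "missing_from_rendered": required - rendered,
        "unused_in_allowlist": allow - required,
    }


def read_at_ref(ref: str, path: str, repo: str = ".") -> str:
    """Read a file from a git ref rather than the working tree (git show ref:path)."""
    return subprocess.run(["git", "-C", repo, "show", f"{ref}:{path}"],
                          check=True, capture_output=True, text=True).stdout


# Constructed sample inputs; names are illustrative, not the repo's real list.
SAMPLE_VARIABLES_TF = '''
variable "postgres_superuser_password" {
  type      = string
  sensitive = true
}
variable "admin_app_db_password" {
  type      = string
  sensitive = true
}
variable "db_pool_size" {
  type    = number
  default = 10
}
'''
SAMPLE_MAKEFILE = "TF_SECRET_VARS := \\\n\tpostgres_superuser_password \\\n\tsalt_api_password\n"
SAMPLE_TFVARS = 'postgres_superuser_password = "x"\nsalt_api_password = "x"\n'


def sample_report() -> dict[str, set[str]]:
    return drift(required_tf_vars(SAMPLE_VARIABLES_TF),
                 makefile_list(SAMPLE_MAKEFILE, "TF_SECRET_VARS"),
                 tfvars_keys(SAMPLE_TFVARS))


if __name__ == "__main__":
    import sys
    ref = sys.argv[1] if len(sys.argv) > 1 else "origin/main"
    rendered = Path("terraform/secrets.auto.tfvars")
    report = drift(required_tf_vars(read_at_ref(ref, "terraform/variables.tf")),
                   makefile_list(read_at_ref(ref, "Makefile"), "TF_SECRET_VARS"),
                   tfvars_keys(rendered.read_text()) if rendered.exists() else set())
    for kind, names in report.items():
        print(f"{kind}: {sorted(names) or 'ok'}")
    sys.exit(1 if report["missing_from_allowlist"] or report["missing_from_rendered"] else 0)
```

Run it from the repo root after `git fetch` and `make tofu-secrets` (for example `python3 tf_secret_drift.py origin/main`, a hypothetical filename); the `missing_from_rendered` class is only meaningful once the tfvars file has been rendered, and the `unused_in_allowlist` class catches the opposite drift, an allow-list entry left behind after a variable is removed.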
Reference
ldraney/pal-e-platform#314