Remove deprecated westside-admin references from Terraform #412

Open
opened 2026-06-05 12:22:43 +00:00 by ldraney · 1 comment
Owner

Type

Bug

Lineage

Discovered during tofu apply for paldocs NetworkPolicy fix (PR #398). Apply fails on 1 resource targeting the non-existent westside-admin namespace.

Repo

ldraney/pal-e-platform

What Broke

tofu apply fails with namespaces "westside-admin" not found on:

  • module.database.kubernetes_secret_v1.admin_app_db_url_westside_admin (mirrors admin-app-db-url into westside-admin)

The westside-admin namespace was deprecated and removed. The mirror secret resource (PR #310) was never successfully applied.

Additionally, module.database.kubernetes_job_v1.admin_app_user_provision provisions an admin_app Postgres role on the basketball-api database for westside-admin. If westside-admin is fully deprecated, this job and the admin_app_db_url secret in basketball-api should also be removed.

Repro Steps

  1. Run tofu plan -lock=false in pal-e-platform/terraform
  2. Observe resource targeting westside-admin namespace that will fail on apply

Expected Behavior

No references to deprecated westside-admin namespace or its associated database role provisioning.

Environment

  • Cluster: archbox k3s
  • westside-admin namespace does not exist
  • Resources defined in terraform/modules/database/main.tf (lines 116, 262, 301, 317)

Acceptance Criteria

  • admin_app_db_url_westside_admin resource removed from modules/database/main.tf
  • admin_app_user_provision job removed (if westside-admin is fully deprecated)
  • admin_app_db_url secret in basketball-api removed (if no other consumers)
  • data.kubernetes_namespace_v1.westside_admin data source removed if no longer referenced
  • tofu state rm run for any resources in state that are being deleted from code
  • tofu plan shows no resources targeting westside-admin

Related

  • PR #398 (paldocs NetworkPolicy) — triggered discovery
  • PR #310 (mirror admin-app-db-url into westside-admin) — added the failing resource
  • PR #302 (admin_app Postgres role) — added the provisioning job
Author
Owner

Ticket #412 Review

SCOPE ASSESSMENT

The issue is well-scoped as a targeted Terraform cleanup: remove resources that reference the deprecated westside-admin namespace so that tofu apply stops failing. The lineage (discovered during PR #398) and repro steps are clear.

FILE TARGET VERIFICATION

The issue cites terraform/modules/database/main.tf lines 116, 262, 301, 317. I verified these targets against the main branch:

| Resource | Location | Confirmed |
|----------|----------|-----------|
| kubernetes_job_v1.admin_app_user_provision | ~line 116 | Yes |
| kubernetes_secret_v1.admin_app_db_url | ~line 262 | Yes |
| locals.admin_app_database_url | ~line 301 | Yes |
| kubernetes_secret_v1.admin_app_db_url_westside_admin | ~line 317 | Yes |
| data.kubernetes_namespace_v1.westside_admin | (referenced in AC) | Yes |

All five targets exist on main and reference westside-admin.

ACCEPTANCE CRITERIA REVIEW

The AC items are reasonable but have two gaps:

Gap 1 -- Incomplete file scope. The AC only targets main.tf resources, but westside-admin references also exist in:

  • terraform/modules/database/outputs.tf -- admin_app_db_url_namespaces output references admin_app_db_url_westside_admin; description says "mirrored into both basketball-api and westside-admin namespaces"
  • terraform/modules/database/variables.tf -- description on admin_app_db_password says "Consumers: westside-admin (Track B)"
  • scripts/woodpecker-update-tag-step.yaml -- overlay mapping westside-admin -> OVERLAY=westside-admin

The outputs.tf gap is a potential blocker: removing admin_app_db_url_westside_admin from main.tf while outputs.tf still references it will cause a Terraform validation error. The variables.tf and scripts references are comment-level and less urgent but should be cleaned for accuracy.

Gap 2 -- admin_app role scope ambiguity. The AC says "Remove admin_app_user_provision job (if westside-admin deprecated)" and "Remove admin_app_db_url secret in basketball-api (if no other consumers)." These conditionals are appropriate but need a decision recorded in the ticket. The admin_app_db_password variable has a deep footprint across 7+ files (Woodpecker CI secrets, Salt pillar, Makefile, root terraform variables). If the admin_app Postgres role is ONLY used by westside-admin, the full cleanup is much larger than the AC suggests. If basketball-api itself also uses this role, then only the westside-admin mirror secret should be removed. The ticket should document which case applies.

RELATED ISSUE OVERLAP

Issue #374 ("Remove stale projects: mcd-tracker, westside-admin, capacitor-mobile") also tracks westside-admin removal. This ticket (#412) is more narrowly scoped to the Terraform-blocking resources, which is fine, but the relationship should be documented in the Related section to avoid duplicate work.

SOP COMPLIANCE

  • Branch exists: 412-remove-deprecated-westside-admin-referen (follows convention, truncated by Forgejo)
  • Issue body has clear scope, repro steps, and acceptance criteria
  • Missing plan slug reference in Related section
  • No secrets in issue text
  • outputs.tf not listed as a file target (will cause TF validation failure if missed)

RECOMMENDATIONS

  1. Add outputs.tf to the AC -- removing the admin_app_db_url_westside_admin resource without updating outputs.tf will break tofu validate.
  2. Resolve the admin_app role question -- explicitly state whether the admin_app Postgres role and its admin_app_db_url secret in basketball-api have consumers beyond westside-admin. If not, the AC should expand to cover the full admin_app teardown (or spawn a follow-up issue). If yes, narrow the AC to only the westside-admin mirror.
  3. Add scripts/woodpecker-update-tag-step.yaml to AC -- the westside-admin overlay mapping is stale.
  4. Cross-reference #374 in the Related section to avoid scope overlap.

VERDICT: NEEDS_WORK

The core scope is correct and the issue is close to ready, but the outputs.tf omission will cause a Terraform validation failure if not addressed in the AC, and the admin_app role scope question needs a documented decision before implementation begins.
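
A check for the stale references listed in the review above, written as an added example that is not part of the issue thread or the repository: `scan_tree` finds both the `westside-admin` and `westside_admin` spellings across `.tf` and YAML files, and `plan_targets` reads parsed `tofu show -json` plan output for resources still written to the namespace. The function names and all sample contents are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Both spellings: namespace (westside-admin) and Terraform identifier (westside_admin).
STALE = re.compile(r"westside[-_]admin")


def scan_tree(root, suffixes=(".tf", ".yaml", ".yml")):
    """Return sorted (relative path, line number) pairs that mention the name."""
    root, hits = Path(root), []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            lines = path.read_text(errors="replace").splitlines()
            hits += [(path.relative_to(root).as_posix(), n)
                     for n, line in enumerate(lines, 1) if STALE.search(line)]
    return sorted(hits)


def plan_targets(plan, namespace="westside-admin"):
    """Addresses in parsed `tofu show -json` plan output still written to the namespace."""
    found = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if change.get("actions") in (["no-op"], ["delete"]):
            continue  # nothing is created or updated for this address
        metadata = (change.get("after") or {}).get("metadata") or []
        if any(m.get("namespace") == namespace for m in metadata):
            found.append(rc["address"])
    return found


# Constructed samples: names come from the issue thread, contents are invented.
SAMPLE_FILES = {
    "outputs.tf": "value = [kubernetes_secret_v1.admin_app_db_url_westside_admin.id]\n",
    "variables.tf": 'description = "Consumers: westside-admin (Track B)"\n',
    "main.tf": "# mirror secret already removed\n",
}
SAMPLE_PLAN = {"resource_changes": [{
    "address": "module.database.kubernetes_secret_v1.admin_app_db_url_westside_admin",
    "change": {"actions": ["create"],
               "after": {"metadata": [{"namespace": "westside-admin"}]}},
}]}


def scan_sample():
    with tempfile.TemporaryDirectory() as tmp:
        for name, text in SAMPLE_FILES.items():
            (Path(tmp) / name).write_text(text)
        return scan_tree(tmp)
```

Run `scan_tree` from the repository root and pass `plan_targets` the result of `json.load` on the output of `tofu show -json <planfile>`; two empty lists correspond to the last acceptance criterion.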
