ldraney/pal-e-platform
1
0
Fork 0
Code Issues 104 Pull requests 7 Projects Releases Packages Wiki Activity Actions

fix: wire missing TF_VAR secrets into CI plan and apply steps #446

Merged
ldraney merged 1 commit from fix/ci-missing-tf-vars into main 2026-06-16 02:35:28 +00:00
Conversation 1 Commits 1 Files changed 2 +58 -1
ldraney commented 2026-06-16 02:04:50 +00:00
Owner
Copy link

Summary

  • Three required terraform variables existed in Woodpecker repo secrets but were never wired into .woodpecker/terraform.yaml environment blocks
  • Every push-to-main tofu apply has failed since these variables were introduced, blocking DNS and all subsequent terraform changes
  • Adds CI secret inventory and wiring docs to docs/secrets.md

Changes

  • .woodpecker/terraform.yaml: Add TF_VAR_hetzner_api_token, TF_VAR_edge_ssh_public_key, TF_VAR_telegram_landscaping_chat_id to both plan and apply step environments
  • docs/secrets.md: Add CI secret wiring section with full inventory table, update "Adding a New Secret" checklist with CI steps 6-7

Test Plan

  • PR pipeline passes (validate + plan steps succeed with the new env vars)
  • After merge, push-to-main apply step succeeds
  • palinks.app and landscaping-assistant.app resolve to 178.156.129.142
  • No regressions in existing terraform resources

Review Checklist

  • Passed automated review-fix loop
  • No secrets committed
  • No unnecessary file changes
  • Commit messages are descriptive
  • Feature flag needed? No — CI pipeline fix, no user-visible changes

Related Notes

  • Closes ldraney/pal-e-platform#435 — Add GoDaddy DNS A records via godaddy-tofu provider
  • pal-e-platform — platform infrastructure project
## Summary - Three required terraform variables existed in Woodpecker repo secrets but were never wired into `.woodpecker/terraform.yaml` environment blocks - Every push-to-main `tofu apply` has failed since these variables were introduced, blocking DNS and all subsequent terraform changes - Adds CI secret inventory and wiring docs to `docs/secrets.md` ## Changes - `.woodpecker/terraform.yaml`: Add `TF_VAR_hetzner_api_token`, `TF_VAR_edge_ssh_public_key`, `TF_VAR_telegram_landscaping_chat_id` to both `plan` and `apply` step environments - `docs/secrets.md`: Add CI secret wiring section with full inventory table, update "Adding a New Secret" checklist with CI steps 6-7 ## Test Plan - [ ] PR pipeline passes (validate + plan steps succeed with the new env vars) - [ ] After merge, push-to-main apply step succeeds - [ ] `palinks.app` and `landscaping-assistant.app` resolve to 178.156.129.142 - [ ] No regressions in existing terraform resources ## Review Checklist - [ ] Passed automated review-fix loop - [ ] No secrets committed - [ ] No unnecessary file changes - [ ] Commit messages are descriptive - [ ] Feature flag needed? No — CI pipeline fix, no user-visible changes ## Related Notes - Closes ldraney/pal-e-platform#435 — Add GoDaddy DNS A records via godaddy-tofu provider - `pal-e-platform` — platform infrastructure project
fix: wire missing TF_VAR secrets into CI plan and apply steps
All checks were successful
ci/woodpecker/push/terraform Pipeline was successful
Details
ci/woodpecker/pr/terraform Pipeline was successful
Details
ci/woodpecker/pull_request_closed/terraform Pipeline was successful
Details
6d05cadb0a 
Three required terraform variables (hetzner_api_token, edge_ssh_public_key,
telegram_landscaping_chat_id) existed in Woodpecker repo secrets but were
never added to the pipeline environment block. Every push-to-main apply
has failed since these variables were introduced, blocking DNS records
and all subsequent terraform changes from being applied.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
ldraney commented 2026-06-16 02:08:46 +00:00
Author
Owner
Copy link

PR #446 Review

DOMAIN REVIEW

Tech stack: Woodpecker CI pipeline YAML + Terraform variable wiring + documentation (Markdown).

Correctness of the fix: The three added variables are all required for CI to succeed:

  • hetzner_api_token -- sensitive = true, no default. Would cause tofu plan failure. Correct to wire.
  • edge_ssh_public_key -- NOT marked sensitive = true, no default. Still required -- without it tofu plan fails with "No value for required variable." Correct to wire via from_secret since Woodpecker has no other injection mechanism.
  • telegram_landscaping_chat_id -- sensitive = true, no default. Would cause failure. Correct to wire.

Symmetry: All three are added to BOTH plan and apply steps. After this PR, both steps will have 28 TF_VAR_* entries (up from 25). The entries are inserted at the same position relative to godaddy_api_secret in both blocks, maintaining consistent ordering. Good.

Inventory table: 29 rows (28 TF_VAR_* + 1 kubeconfig_content). Matches the post-PR pipeline state with one exception noted below.

docs/secrets.md updates: Steps 6-7 added to the "Adding a New Secret" checklist are correct and prevent this exact class of bug from recurring. The rewrite of the Woodpecker CI Secrets section clearly documents the two-step requirement (add secret value + wire in YAML) and the failure mode (silent until apply).

BLOCKERS

None.

NITS

  1. Inventory table omits minio_oidc_client_secret. The variable exists in terraform/variables.tf (lines 122-127) with sensitive = true and default = "". It is NOT wired in the pipeline YAML and is absent from the "canonical list" in the inventory table. This is not a CI blocker (the empty default prevents failure), but the table declares itself canonical -- omitting a sensitive variable undermines that claim. Consider either adding it to the table with a note like "default empty, not yet wired" or adding the full wiring. Low priority since it does not block CI.

  2. edge_ssh_public_key in a secrets table. This variable is not marked sensitive = true in variables.tf. Storing it as a Woodpecker secret is fine (no harm), but listing it alongside actual secrets in the inventory table without distinguishing it could be mildly confusing. A comment in the table noting it is non-sensitive but stored as a secret for convenience would add clarity.

SOP COMPLIANCE

  • PR body follows template (Summary, Changes, Test Plan, Review Checklist, Related Notes)
  • No secrets or credentials committed
  • No unnecessary file changes -- scope is tight (1 pipeline YAML + 1 docs file)
  • Commit messages are descriptive (title: fix: wire missing TF_VAR secrets into CI plan and apply steps)
  • Changes are symmetric across plan and apply steps (no drift between the two)

PROCESS OBSERVATIONS

  • Root cause is a process gap, now fixed. The "Adding a New Secret" checklist lacked CI wiring steps. Steps 6-7 close this gap. Future secret additions should not hit this failure mode.
  • DORA impact: This unblocks push-to-main deploys that have been failing since the Hetzner/GoDaddy/Telegram variables were introduced. Lead time for changes has been artificially inflated by the broken pipeline. Merging this restores deployment frequency.
  • Deployment risk: Low. The change is additive (new env vars only), references secrets that already exist in Woodpecker, and cannot break existing resources. The apply step will now proceed where it previously failed.

VERDICT: APPROVED

## PR #446 Review ### DOMAIN REVIEW **Tech stack:** Woodpecker CI pipeline YAML + Terraform variable wiring + documentation (Markdown). **Correctness of the fix:** The three added variables are all required for CI to succeed: - `hetzner_api_token` -- `sensitive = true`, no default. Would cause `tofu plan` failure. Correct to wire. - `edge_ssh_public_key` -- NOT marked `sensitive = true`, no default. Still required -- without it `tofu plan` fails with "No value for required variable." Correct to wire via `from_secret` since Woodpecker has no other injection mechanism. - `telegram_landscaping_chat_id` -- `sensitive = true`, no default. Would cause failure. Correct to wire. **Symmetry:** All three are added to BOTH plan and apply steps. After this PR, both steps will have 28 `TF_VAR_*` entries (up from 25). The entries are inserted at the same position relative to `godaddy_api_secret` in both blocks, maintaining consistent ordering. Good. **Inventory table:** 29 rows (28 `TF_VAR_*` + 1 `kubeconfig_content`). Matches the post-PR pipeline state with one exception noted below. **docs/secrets.md updates:** Steps 6-7 added to the "Adding a New Secret" checklist are correct and prevent this exact class of bug from recurring. The rewrite of the Woodpecker CI Secrets section clearly documents the two-step requirement (add secret value + wire in YAML) and the failure mode (silent until apply). ### BLOCKERS None. ### NITS 1. **Inventory table omits `minio_oidc_client_secret`.** The variable exists in `terraform/variables.tf` (lines 122-127) with `sensitive = true` and `default = ""`. It is NOT wired in the pipeline YAML and is absent from the "canonical list" in the inventory table. This is not a CI blocker (the empty default prevents failure), but the table declares itself canonical -- omitting a sensitive variable undermines that claim. Consider either adding it to the table with a note like "default empty, not yet wired" or adding the full wiring. Low priority since it does not block CI. 2. **`edge_ssh_public_key` in a secrets table.** This variable is not marked `sensitive = true` in `variables.tf`. Storing it as a Woodpecker secret is fine (no harm), but listing it alongside actual secrets in the inventory table without distinguishing it could be mildly confusing. A comment in the table noting it is non-sensitive but stored as a secret for convenience would add clarity. ### SOP COMPLIANCE - [x] PR body follows template (Summary, Changes, Test Plan, Review Checklist, Related Notes) - [x] No secrets or credentials committed - [x] No unnecessary file changes -- scope is tight (1 pipeline YAML + 1 docs file) - [x] Commit messages are descriptive (title: `fix: wire missing TF_VAR secrets into CI plan and apply steps`) - [x] Changes are symmetric across plan and apply steps (no drift between the two) ### PROCESS OBSERVATIONS - **Root cause is a process gap, now fixed.** The "Adding a New Secret" checklist lacked CI wiring steps. Steps 6-7 close this gap. Future secret additions should not hit this failure mode. - **DORA impact:** This unblocks push-to-main deploys that have been failing since the Hetzner/GoDaddy/Telegram variables were introduced. Lead time for changes has been artificially inflated by the broken pipeline. Merging this restores deployment frequency. - **Deployment risk:** Low. The change is additive (new env vars only), references secrets that already exist in Woodpecker, and cannot break existing resources. The apply step will now proceed where it previously failed. ### VERDICT: APPROVED
ldraney deleted branch fix/ci-missing-tf-vars 2026-06-16 02:35:28 +00:00
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels   
domain:backend

   
domain:devops

   
domain:frontend

   
status:approved

QA passed, awaiting merge approval

  
status:in-progress

Dev agent is actively working

  
status:needs-fix

QA found issues, back to dev

  
status:qa

PR submitted, awaiting QA review

  
type:bug

Bug fix

  
type:devops

Infrastructure/CI/config work

  
type:feature

New functionality

No labels
domain:backend
domain:devops
domain:frontend
status:approved
status:in-progress
status:needs-fix
status:qa
type:bug
type:devops
type:feature
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
ldraney/pal-e-platform!446
No description provided.