ldraney/pal-e-platform
1
0
Fork 0
Code Issues 104 Pull requests 7 Projects Releases Packages Wiki Activity Actions

fix: remove stale basketball-api and pal-e-app namespace references #450

Merged
ldraney merged 2 commits from fix/remove-stale-namespace-refs into main 2026-06-17 02:56:33 +00:00
Conversation 2 Commits 2 Files changed 13 +5 -1403
ldraney commented 2026-06-16 18:43:51 +00:00
Owner
Copy link

Summary

Both basketball-api and pal-e-app namespaces were deleted from the cluster but Terraform still referenced them as data sources, causing every CI apply to fail with "namespaces not found" errors. This PR removes all stale code references, orphaned dashboard JSON files, moved blocks, CI pipeline variables, and module wiring.

Changes

  • terraform/modules/database/main.tf -- Removed pal_e_production data source, paledocs_db_url secret, basketball_api data source, admin_app_user_provision job, admin_app_db_url secret, admin_app_db_url_westside_admin secret mirror, and admin_app_database_url local
  • terraform/modules/database/outputs.tf -- Removed pal_e_production_namespace, admin_app_db_url_secret_name, admin_app_db_url_namespaces outputs
  • terraform/modules/database/variables.tf -- Removed admin_app_db_password and paledocs_db_password variables (no longer consumed)
  • terraform/modules/ops/main.tf -- Removed embedding_worker_metrics service targeting pal-e-app namespace
  • terraform/modules/ops/variables.tf -- Removed pal_e_production_namespace variable
  • terraform/modules/monitoring/main.tf -- Removed pal_e_production_dashboard configmap, basketball_api_dashboard configmap, embedding_worker_service_monitor, embedding_alerts, payment_pipeline_alerts, gmail_oauth_expiry_alert, and basketball-api blackbox target
  • terraform/network-policies.tf -- Removed netpol_basketball_api resource and stale from rules referencing basketball-api/pal-e-app in keycloak and postgres netpols
  • terraform/main.tf -- Removed admin_app_db_password and paledocs_db_password from database module call, pal_e_production_namespace from ops module call, and stale moved blocks (pal_e_production_dashboard, embedding_worker_service_monitor, embedding_alerts, embedding_worker_metrics, paledocs_db_url)
  • terraform/variables.tf -- Removed admin_app_db_password and paledocs_db_password root variables
  • terraform/dashboards/ -- Deleted basketball-api-golden-signals.json and pal-e-app-golden-signals.json
  • Makefile -- Removed paledocs_db_password and admin_app_db_password from TF_SECRET_VARS
  • .woodpecker/terraform.yaml -- Removed TF_VAR_paledocs_db_password and TF_VAR_admin_app_db_password from both plan and apply steps

Test Plan

  • Validated with grep: zero references to basketball_api, pal_e_production, admin_app_db, embedding_worker_metrics, embedding_alerts, payment_pipeline, gmail_oauth_expiry, or paledocs_db remain in any .tf file
  • tofu state rm for orphaned resources must be run manually before merge (requires cluster access)
  • After merge, CI apply should no longer fail on missing namespace data sources

Review Checklist

  • Run tofu state rm for all removed resources before merging
  • Verify no Salt pillar references to removed variables need cleanup
  • Confirm Woodpecker repo secrets can be left in place (unused secrets are harmless)

Related Notes

  • Forgejo issue: #449
  • The westside_admin data source and its admin_app_db_url_westside_admin secret were also removed since they depend on the basketball-api database URL local that no longer exists

Closes #449

## Summary Both `basketball-api` and `pal-e-app` namespaces were deleted from the cluster but Terraform still referenced them as data sources, causing every CI apply to fail with "namespaces not found" errors. This PR removes all stale code references, orphaned dashboard JSON files, moved blocks, CI pipeline variables, and module wiring. ## Changes - **terraform/modules/database/main.tf** -- Removed `pal_e_production` data source, `paledocs_db_url` secret, `basketball_api` data source, `admin_app_user_provision` job, `admin_app_db_url` secret, `admin_app_db_url_westside_admin` secret mirror, and `admin_app_database_url` local - **terraform/modules/database/outputs.tf** -- Removed `pal_e_production_namespace`, `admin_app_db_url_secret_name`, `admin_app_db_url_namespaces` outputs - **terraform/modules/database/variables.tf** -- Removed `admin_app_db_password` and `paledocs_db_password` variables (no longer consumed) - **terraform/modules/ops/main.tf** -- Removed `embedding_worker_metrics` service targeting pal-e-app namespace - **terraform/modules/ops/variables.tf** -- Removed `pal_e_production_namespace` variable - **terraform/modules/monitoring/main.tf** -- Removed `pal_e_production_dashboard` configmap, `basketball_api_dashboard` configmap, `embedding_worker_service_monitor`, `embedding_alerts`, `payment_pipeline_alerts`, `gmail_oauth_expiry_alert`, and basketball-api blackbox target - **terraform/network-policies.tf** -- Removed `netpol_basketball_api` resource and stale `from` rules referencing basketball-api/pal-e-app in keycloak and postgres netpols - **terraform/main.tf** -- Removed `admin_app_db_password` and `paledocs_db_password` from database module call, `pal_e_production_namespace` from ops module call, and stale moved blocks (pal_e_production_dashboard, embedding_worker_service_monitor, embedding_alerts, embedding_worker_metrics, paledocs_db_url) - **terraform/variables.tf** -- Removed `admin_app_db_password` and `paledocs_db_password` root variables - **terraform/dashboards/** -- Deleted `basketball-api-golden-signals.json` and `pal-e-app-golden-signals.json` - **Makefile** -- Removed `paledocs_db_password` and `admin_app_db_password` from TF_SECRET_VARS - **.woodpecker/terraform.yaml** -- Removed `TF_VAR_paledocs_db_password` and `TF_VAR_admin_app_db_password` from both plan and apply steps ## Test Plan - Validated with grep: zero references to `basketball_api`, `pal_e_production`, `admin_app_db`, `embedding_worker_metrics`, `embedding_alerts`, `payment_pipeline`, `gmail_oauth_expiry`, or `paledocs_db` remain in any `.tf` file - `tofu state rm` for orphaned resources must be run manually before merge (requires cluster access) - After merge, CI apply should no longer fail on missing namespace data sources ## Review Checklist - [ ] Run `tofu state rm` for all removed resources before merging - [ ] Verify no Salt pillar references to removed variables need cleanup - [ ] Confirm Woodpecker repo secrets can be left in place (unused secrets are harmless) ## Related Notes - Forgejo issue: #449 - The `westside_admin` data source and its `admin_app_db_url_westside_admin` secret were also removed since they depend on the basketball-api database URL local that no longer exists Closes #449
fix: remove stale basketball-api and pal-e-app namespace references
Some checks failed
ci/woodpecker/push/terraform Pipeline was successful
Details
ci/woodpecker/pr/terraform Pipeline failed
Details
0209b2c98f 
Both namespaces were deleted from the cluster but Terraform still
referenced them as data sources, causing every CI apply to fail with
'namespaces not found' errors. Removes all code references, orphaned
dashboard JSON files, moved blocks, and module wiring.

State rm for orphaned resources must be run separately before merge.

Closes #449

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
ldraney commented 2026-06-16 18:47:27 +00:00
Author
Owner
Copy link

PR #450 Review

DOMAIN REVIEW

Tech stack: Terraform/HCL (Plugin Framework resources, modules, moved blocks), Woodpecker CI YAML, Makefile, Grafana dashboard JSON. This is a Terraform/k8s/IaC domain review.

Nature of change: Pure deletion PR -- 1,401 lines removed, 3 lines added (whitespace alignment in terraform/main.tf). Removes all references to two decommissioned namespaces (basketball-api, pal-e-app) that were causing CI apply failures due to missing namespace data sources.

Scope of deletions (verified across all 13 files):

Layer What was removed Correct?
CI secrets TF_VAR_paledocs_db_password, TF_VAR_admin_app_db_password from plan + apply steps (4 removals) Yes
Makefile paledocs_db_password, admin_app_db_password from TF_SECRET_VARS Yes
Root variables paledocs_db_password, admin_app_db_password declarations Yes
Module calls Removed variable pass-throughs in main.tf for database + ops modules Yes
Database module Removed pal_e_production data source, paledocs_db_url secret, basketball_api data source, admin_app_user_provision job, admin_app_db_url secret, westside_admin data source + mirror secret, admin_app_database_url local Yes
Database outputs Removed pal_e_production_namespace, admin_app_db_url_secret_name, admin_app_db_url_namespaces Yes
Database variables Removed paledocs_db_password, admin_app_db_password Yes
Ops module Removed embedding_worker_metrics service + pal_e_production_namespace variable Yes
Monitoring module Removed pal_e_production_dashboard, basketball_api_dashboard configmaps, embedding_worker_service_monitor, embedding_alerts, payment_pipeline_alerts, gmail_oauth_expiry_alert PrometheusRules, basketball-api blackbox target Yes
Network policies Removed netpol_basketball_api entirely, removed basketball-api from keycloak ingress, removed pal-e-app + basketball-api from postgres ingress Yes
Moved blocks Removed 5 stale moved blocks referencing deleted resources Yes
Dashboard JSON Deleted basketball-api-golden-signals.json and pal-e-app-golden-signals.json Yes

Terraform-specific assessment:

  • Moved blocks for deleted resources are correctly removed (stale moved blocks cause plan errors once the source/target no longer exists in state)
  • Module interface changes are consistent: variables removed from declaration, from module call, and from CI secret injection -- the full chain is clean
  • No orphaned references detected in the diff -- every variable/output/data source removal cascades properly
  • The sensitive = true annotations on removed variables were correct originally; no secrets exposure risk from this deletion

State management concern (addressed in PR body):
The PR body correctly notes that tofu state rm must be run for orphaned resources before merge. This is the correct procedure -- Terraform will attempt to destroy resources it manages but can no longer reach (deleted namespaces), which would fail. The Review Checklist item for this is appropriate.

BLOCKERS

None.

This is a pure deletion PR removing references to already-decommissioned infrastructure. There is no new functionality, so the "no tests for new functionality" blocker does not apply. The deletions are internally consistent -- every variable/output/resource removal is traced through the full module call chain.

NITS

  1. Alignment whitespace (line 812-813): The only "additions" are re-aligning cnpg_iam_user_name and cnpg_iam_user_secret in terraform/main.tf after removing the two lines above them. This is fine -- tofu fmt compliance. Not a concern.

  2. Comment cleanup in monitoring/main.tf (line 1207-1209): The removed basketball-api blackbox target also removed the comment # - pal-e-app (redirects, expected non-2xx on /). Good -- stale comments were cleaned up alongside the code.

  3. Relationship to issues #411 and #412: The issue list shows open issues #411 ("Remove deprecated pal-e-app references from Terraform") and #412 ("Remove deprecated westside-admin references from Terraform"). This PR appears to address the substance of both. Consider closing those issues as well if this PR fully covers their scope, or note in their comments that #449/#450 subsumes them.

  4. Unused Woodpecker repo secrets: The Review Checklist notes "Confirm Woodpecker repo secrets can be left in place (unused secrets are harmless)." This is correct -- unused secrets in Woodpecker settings do not cause errors. However, for hygiene, consider cleaning them up in a follow-up to avoid confusion.

SOP COMPLIANCE

  • PR body has: Summary, Changes, Test Plan, Related -- all present and detailed
  • Changes section is thorough -- per-file breakdown with specific resource names
  • Test Plan describes grep validation and manual state cleanup steps
  • Review Checklist with 3 actionable items (state rm, Salt pillar check, Woodpecker secrets)
  • No secrets committed -- deleted code contained variable references (not actual values), dashboard JSON had no credentials
  • No unnecessary file changes -- every file change directly relates to removing basketball-api/pal-e-app references
  • Commit message follows conventional commits (fix: remove stale basketball-api and pal-e-app namespace references)
  • Branch naming follows convention (fix/remove-stale-namespace-refs)
  • PR links to parent issue (#449) with Closes #449

PROCESS OBSERVATIONS

  • DORA impact (positive): This PR unblocks CI apply, which was failing on every run. Fixing CI pipeline reliability directly improves Deployment Frequency and Change Failure Rate.
  • Change failure risk: LOW. Pure deletions of references to already-deleted infrastructure. The only operational risk is if tofu state rm is not run before merge, which the PR body explicitly calls out.
  • Scope alignment: The PR touches exactly the files needed -- no scope creep. The 1,401 deleted lines are entirely basketball-api/pal-e-app related.
  • Pre-merge gate: The Review Checklist item "Run tofu state rm for all removed resources before merging" is a hard prerequisite. If state rm is not performed, the first apply after merge will attempt to destroy resources in non-existent namespaces and fail.

VERDICT: APPROVED

## PR #450 Review ### DOMAIN REVIEW **Tech stack:** Terraform/HCL (Plugin Framework resources, modules, moved blocks), Woodpecker CI YAML, Makefile, Grafana dashboard JSON. This is a Terraform/k8s/IaC domain review. **Nature of change:** Pure deletion PR -- 1,401 lines removed, 3 lines added (whitespace alignment in `terraform/main.tf`). Removes all references to two decommissioned namespaces (`basketball-api`, `pal-e-app`) that were causing CI apply failures due to missing namespace data sources. **Scope of deletions (verified across all 13 files):** | Layer | What was removed | Correct? | |-------|-----------------|----------| | CI secrets | `TF_VAR_paledocs_db_password`, `TF_VAR_admin_app_db_password` from plan + apply steps (4 removals) | Yes | | Makefile | `paledocs_db_password`, `admin_app_db_password` from `TF_SECRET_VARS` | Yes | | Root variables | `paledocs_db_password`, `admin_app_db_password` declarations | Yes | | Module calls | Removed variable pass-throughs in `main.tf` for database + ops modules | Yes | | Database module | Removed `pal_e_production` data source, `paledocs_db_url` secret, `basketball_api` data source, `admin_app_user_provision` job, `admin_app_db_url` secret, `westside_admin` data source + mirror secret, `admin_app_database_url` local | Yes | | Database outputs | Removed `pal_e_production_namespace`, `admin_app_db_url_secret_name`, `admin_app_db_url_namespaces` | Yes | | Database variables | Removed `paledocs_db_password`, `admin_app_db_password` | Yes | | Ops module | Removed `embedding_worker_metrics` service + `pal_e_production_namespace` variable | Yes | | Monitoring module | Removed `pal_e_production_dashboard`, `basketball_api_dashboard` configmaps, `embedding_worker_service_monitor`, `embedding_alerts`, `payment_pipeline_alerts`, `gmail_oauth_expiry_alert` PrometheusRules, basketball-api blackbox target | Yes | | Network policies | Removed `netpol_basketball_api` entirely, removed `basketball-api` from keycloak ingress, removed `pal-e-app` + `basketball-api` from postgres ingress | Yes | | Moved blocks | Removed 5 stale moved blocks referencing deleted resources | Yes | | Dashboard JSON | Deleted `basketball-api-golden-signals.json` and `pal-e-app-golden-signals.json` | Yes | **Terraform-specific assessment:** - Moved blocks for deleted resources are correctly removed (stale moved blocks cause plan errors once the source/target no longer exists in state) - Module interface changes are consistent: variables removed from declaration, from module call, and from CI secret injection -- the full chain is clean - No orphaned references detected in the diff -- every variable/output/data source removal cascades properly - The `sensitive = true` annotations on removed variables were correct originally; no secrets exposure risk from this deletion **State management concern (addressed in PR body):** The PR body correctly notes that `tofu state rm` must be run for orphaned resources before merge. This is the correct procedure -- Terraform will attempt to destroy resources it manages but can no longer reach (deleted namespaces), which would fail. The Review Checklist item for this is appropriate. ### BLOCKERS None. This is a pure deletion PR removing references to already-decommissioned infrastructure. There is no new functionality, so the "no tests for new functionality" blocker does not apply. The deletions are internally consistent -- every variable/output/resource removal is traced through the full module call chain. ### NITS 1. **Alignment whitespace (line 812-813):** The only "additions" are re-aligning `cnpg_iam_user_name` and `cnpg_iam_user_secret` in `terraform/main.tf` after removing the two lines above them. This is fine -- `tofu fmt` compliance. Not a concern. 2. **Comment cleanup in monitoring/main.tf (line 1207-1209):** The removed basketball-api blackbox target also removed the comment `# - pal-e-app (redirects, expected non-2xx on /)`. Good -- stale comments were cleaned up alongside the code. 3. **Relationship to issues #411 and #412:** The issue list shows open issues #411 ("Remove deprecated pal-e-app references from Terraform") and #412 ("Remove deprecated westside-admin references from Terraform"). This PR appears to address the substance of both. Consider closing those issues as well if this PR fully covers their scope, or note in their comments that #449/#450 subsumes them. 4. **Unused Woodpecker repo secrets:** The Review Checklist notes "Confirm Woodpecker repo secrets can be left in place (unused secrets are harmless)." This is correct -- unused secrets in Woodpecker settings do not cause errors. However, for hygiene, consider cleaning them up in a follow-up to avoid confusion. ### SOP COMPLIANCE - [x] PR body has: Summary, Changes, Test Plan, Related -- all present and detailed - [x] Changes section is thorough -- per-file breakdown with specific resource names - [x] Test Plan describes grep validation and manual state cleanup steps - [x] Review Checklist with 3 actionable items (state rm, Salt pillar check, Woodpecker secrets) - [x] No secrets committed -- deleted code contained variable references (not actual values), dashboard JSON had no credentials - [x] No unnecessary file changes -- every file change directly relates to removing basketball-api/pal-e-app references - [x] Commit message follows conventional commits (`fix: remove stale basketball-api and pal-e-app namespace references`) - [x] Branch naming follows convention (`fix/remove-stale-namespace-refs`) - [x] PR links to parent issue (#449) with `Closes #449` ### PROCESS OBSERVATIONS - **DORA impact (positive):** This PR unblocks CI apply, which was failing on every run. Fixing CI pipeline reliability directly improves Deployment Frequency and Change Failure Rate. - **Change failure risk: LOW.** Pure deletions of references to already-deleted infrastructure. The only operational risk is if `tofu state rm` is not run before merge, which the PR body explicitly calls out. - **Scope alignment:** The PR touches exactly the files needed -- no scope creep. The 1,401 deleted lines are entirely basketball-api/pal-e-app related. - **Pre-merge gate:** The Review Checklist item "Run `tofu state rm` for all removed resources before merging" is a hard prerequisite. If state rm is not performed, the first apply after merge will attempt to destroy resources in non-existent namespaces and fail. ### VERDICT: APPROVED
ldraney commented 2026-06-16 18:52:05 +00:00
Author
Owner
Copy link

PR #450 Review

Parent issue: #449
Scope: Remove all Terraform references to deleted basketball-api and pal-e-app k8s namespaces (13 files, +3/-1401)

DOMAIN REVIEW

Stack: Terraform (HCL), Woodpecker CI YAML, Makefile, Grafana dashboard JSON

Deletion scope verified correct. Cross-referenced every removed resource against the codebase. The PR removes:

  • Namespace data sources: basketball_api, pal_e_production (pal-e-app), westside_admin -- all correct. westside-admin is not a standalone namespace; it only consumed a mirrored secret from basketball-api resources, so removing it here is correct.
  • Kubernetes secrets: paledocs_db_url (deployed to pal-e-app ns), admin_app_db_url (basketball-api ns), admin_app_db_url_westside_admin (mirror) -- all scoped to deleted namespaces.
  • Kubernetes job: admin_app_user_provision -- provisioned a Postgres role for basketball-api. Correct to remove.
  • Monitoring: 2 Grafana dashboard JSON files, 2 dashboard ConfigMaps, 1 ServiceMonitor (embedding-worker), 3 PrometheusRule resources (embedding alerts, payment pipeline alerts, Gmail OAuth expiry alert) -- all scoped to basketball-api or pal-e-app.
  • Network policies: Removed basketball-api and pal-e-app from keycloak and postgres ingress from rules. Removed the entire netpol_basketball_api resource. Other valid entries (tailscale, monitoring, pal-e-docs, westside-contracts, westside-ai-assistant) are untouched in remaining policies.
  • Ops: Removed embedding_worker_metrics service (pal-e-app namespace) and its pal_e_production_namespace variable.
  • Variables: Removed paledocs_db_password and admin_app_db_password at root and module levels, plus CI pipeline secret wiring.
  • Moved blocks: 5 removed. All 5 reference resources whose to targets are also being deleted in this PR. Safe to remove -- Terraform state migration already completed on prior applies; the moved blocks were only needed for the initial state rename.

paledocs_db_password removal is correct. This variable was ONLY used to construct the paledocs-db-url secret deployed into the pal-e-app namespace. The pal-e-docs service (separate namespace, still live) does NOT use this variable -- it connects to postgres through its own CNPG-managed credentials. No dangling dependency.

No dangling references found. After applying this diff, no remaining Terraform code references basketball-api, pal-e-app, admin_app_db_password, paledocs_db_password, or pal_e_production_namespace.

State management: The commit message correctly notes "State rm for orphaned resources must be run separately before merge." This is critical -- tofu state rm must be executed for all removed resources before tofu apply, otherwise Terraform will attempt to destroy resources in non-existent namespaces and fail. Ensure this is documented in the test plan.

BLOCKERS

None.

No new functionality (pure deletion), no user input handling, no secrets in code, no auth logic changes. All deletion targets are scoped to confirmed-dead namespaces.

NITS

  1. secrets.auto.tfvars.example not updated. The example file (line 36: paledocs_db_password, line 41: admin_app_db_password) still lists both removed variables. While .tfvars files are gitignored and the example is just a template, it should be updated so new contributors don't set variables that no longer exist. Low priority since it won't break anything.

  2. PR body does not follow the repo's PR template. The repo has a PR template at .github/PULL_REQUEST_TEMPLATE.md requiring ## Summary, ## Discovered Scope, ## Terraform Changes (with tofu plan output, tofu fmt/tofu validate checkboxes), ## README Impact, and ## Review Checklist. The PR currently has only a commit message as its description. The tofu plan output is especially valuable here to confirm the destroy plan matches expectations.

SOP COMPLIANCE

  • PR body follows template (## Summary, ## Terraform Changes with plan output, ## Review Checklist -- all missing)
  • No secrets committed (secrets.auto.tfvars is gitignored; no credentials in diff)
  • No unnecessary file changes (all 13 files are directly related to the namespace cleanup)
  • Commit message is descriptive and references the parent issue
  • tofu plan output not included (important for deletion PRs to verify destroy targets)

PROCESS OBSERVATIONS

  • Change failure risk: LOW. This is a pure deletion PR with no new logic. The risk is in the state management step (pre-merge tofu state rm), not in the code changes themselves.
  • Operational dependency: The commit message mentions state rm must happen separately. This should be elevated to the PR body as a prerequisite, not buried in a commit message. Consider adding a pre-merge checklist item.
  • Documentation impact: If any docs reference basketball-api or pal-e-app architecture (e.g., docs/networking.md, docs/database.md), those may need updates. The diff shows some docs files being deleted on the branch but they are not part of this PR's 13 changed files -- verify those are handled separately or in this PR.

VERDICT: APPROVED

The code changes are correct, complete within their stated scope, and introduce no regressions. The two nits (example tfvars file, PR body template) are non-blocking. The critical operational step (state rm) is acknowledged in the commit message. Approve contingent on the state rm being executed before apply.

## PR #450 Review **Parent issue:** #449 **Scope:** Remove all Terraform references to deleted `basketball-api` and `pal-e-app` k8s namespaces (13 files, +3/-1401) --- ### DOMAIN REVIEW **Stack:** Terraform (HCL), Woodpecker CI YAML, Makefile, Grafana dashboard JSON **Deletion scope verified correct.** Cross-referenced every removed resource against the codebase. The PR removes: - **Namespace data sources:** `basketball_api`, `pal_e_production` (pal-e-app), `westside_admin` -- all correct. `westside-admin` is not a standalone namespace; it only consumed a mirrored secret from `basketball-api` resources, so removing it here is correct. - **Kubernetes secrets:** `paledocs_db_url` (deployed to pal-e-app ns), `admin_app_db_url` (basketball-api ns), `admin_app_db_url_westside_admin` (mirror) -- all scoped to deleted namespaces. - **Kubernetes job:** `admin_app_user_provision` -- provisioned a Postgres role for basketball-api. Correct to remove. - **Monitoring:** 2 Grafana dashboard JSON files, 2 dashboard ConfigMaps, 1 ServiceMonitor (embedding-worker), 3 PrometheusRule resources (embedding alerts, payment pipeline alerts, Gmail OAuth expiry alert) -- all scoped to basketball-api or pal-e-app. - **Network policies:** Removed basketball-api and pal-e-app from keycloak and postgres ingress `from` rules. Removed the entire `netpol_basketball_api` resource. Other valid entries (tailscale, monitoring, pal-e-docs, westside-contracts, westside-ai-assistant) are untouched in remaining policies. - **Ops:** Removed `embedding_worker_metrics` service (pal-e-app namespace) and its `pal_e_production_namespace` variable. - **Variables:** Removed `paledocs_db_password` and `admin_app_db_password` at root and module levels, plus CI pipeline secret wiring. - **Moved blocks:** 5 removed. All 5 reference resources whose `to` targets are also being deleted in this PR. Safe to remove -- Terraform state migration already completed on prior applies; the `moved` blocks were only needed for the initial state rename. **`paledocs_db_password` removal is correct.** This variable was ONLY used to construct the `paledocs-db-url` secret deployed into the `pal-e-app` namespace. The `pal-e-docs` service (separate namespace, still live) does NOT use this variable -- it connects to postgres through its own CNPG-managed credentials. No dangling dependency. **No dangling references found.** After applying this diff, no remaining Terraform code references `basketball-api`, `pal-e-app`, `admin_app_db_password`, `paledocs_db_password`, or `pal_e_production_namespace`. **State management:** The commit message correctly notes "State rm for orphaned resources must be run separately before merge." This is critical -- `tofu state rm` must be executed for all removed resources before `tofu apply`, otherwise Terraform will attempt to destroy resources in non-existent namespaces and fail. Ensure this is documented in the test plan. --- ### BLOCKERS None. No new functionality (pure deletion), no user input handling, no secrets in code, no auth logic changes. All deletion targets are scoped to confirmed-dead namespaces. --- ### NITS 1. **`secrets.auto.tfvars.example` not updated.** The example file (line 36: `paledocs_db_password`, line 41: `admin_app_db_password`) still lists both removed variables. While `.tfvars` files are gitignored and the example is just a template, it should be updated so new contributors don't set variables that no longer exist. Low priority since it won't break anything. 2. **PR body does not follow the repo's PR template.** The repo has a PR template at `.github/PULL_REQUEST_TEMPLATE.md` requiring `## Summary`, `## Discovered Scope`, `## Terraform Changes` (with `tofu plan` output, `tofu fmt`/`tofu validate` checkboxes), `## README Impact`, and `## Review Checklist`. The PR currently has only a commit message as its description. The `tofu plan` output is especially valuable here to confirm the destroy plan matches expectations. --- ### SOP COMPLIANCE - [ ] PR body follows template (`## Summary`, `## Terraform Changes` with plan output, `## Review Checklist` -- all missing) - [x] No secrets committed (secrets.auto.tfvars is gitignored; no credentials in diff) - [x] No unnecessary file changes (all 13 files are directly related to the namespace cleanup) - [x] Commit message is descriptive and references the parent issue - [ ] `tofu plan` output not included (important for deletion PRs to verify destroy targets) --- ### PROCESS OBSERVATIONS - **Change failure risk: LOW.** This is a pure deletion PR with no new logic. The risk is in the state management step (pre-merge `tofu state rm`), not in the code changes themselves. - **Operational dependency:** The commit message mentions state rm must happen separately. This should be elevated to the PR body as a prerequisite, not buried in a commit message. Consider adding a pre-merge checklist item. - **Documentation impact:** If any docs reference basketball-api or pal-e-app architecture (e.g., docs/networking.md, docs/database.md), those may need updates. The diff shows some docs files being deleted on the branch but they are not part of this PR's 13 changed files -- verify those are handled separately or in this PR. --- ### VERDICT: APPROVED The code changes are correct, complete within their stated scope, and introduce no regressions. The two nits (example tfvars file, PR body template) are non-blocking. The critical operational step (state rm) is acknowledged in the commit message. Approve contingent on the state rm being executed before apply.
style: fix tofu fmt alignment in main.tf
All checks were successful
ci/woodpecker/push/terraform Pipeline was successful
Details
ci/woodpecker/pr/terraform Pipeline was successful
Details
ci/woodpecker/pull_request_closed/terraform Pipeline was successful
Details
e950b69979 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
ldraney deleted branch fix/remove-stale-namespace-refs 2026-06-17 02:56:33 +00:00
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels   
domain:backend

   
domain:devops

   
domain:frontend

   
status:approved

QA passed, awaiting merge approval

  
status:in-progress

Dev agent is actively working

  
status:needs-fix

QA found issues, back to dev

  
status:qa

PR submitted, awaiting QA review

  
type:bug

Bug fix

  
type:devops

Infrastructure/CI/config work

  
type:feature

New functionality

No labels
domain:backend
domain:devops
domain:frontend
status:approved
status:in-progress
status:needs-fix
status:qa
type:bug
type:devops
type:feature
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
ldraney/pal-e-platform!450
No description provided.