From 59fbbb07dfd7130d6f7fcf0fcbc0792b76a9a56f Mon Sep 17 00:00:00 2001
From: MichaelFisher1997
Date: Fri, 27 Feb 2026 21:00:44 +0000
Subject: [PATCH] fix: load static token id and validate token secret

- Store non-sensitive Proxmox token id in terraform.tfvars
- Inject only token secret via workflow-generated secrets.auto.tfvars
- Add variable validations for token id format and non-empty token secret
- Add workflow debug output for token secret length and selected token id

---
 .gitea/workflows/terraform-apply.yml | 1 -
 .gitea/workflows/terraform-plan.yml | 4 ++--
 terraform/terraform.tfvars | 19 ++++++++++---------
 terraform/variables.tf | 10 ++++++++++
 4 files changed, 22 insertions(+), 12 deletions(-)

diff --git a/.gitea/workflows/terraform-apply.yml b/.gitea/workflows/terraform-apply.yml
index c27a8ff..f319a29 100644
--- a/.gitea/workflows/terraform-apply.yml
+++ b/.gitea/workflows/terraform-apply.yml
@@ -18,7 +18,6 @@ jobs:
 working-directory: terraform
 run: |
 cat > secrets.auto.tfvars << EOF
- pm_api_token_id = "${{ secrets.PM_API_TOKEN_ID }}"
 pm_api_token_secret = "${{ secrets.PM_API_TOKEN_SECRET }}"
 SSH_KEY_PUBLIC = "${{ secrets.SSH_KEY_PUBLIC }}"
 TS_AUTHKEY = "${{ secrets.TS_AUTHKEY }}"
diff --git a/.gitea/workflows/terraform-plan.yml b/.gitea/workflows/terraform-plan.yml
index 3838bff..48c6427 100644
--- a/.gitea/workflows/terraform-plan.yml
+++ b/.gitea/workflows/terraform-plan.yml
@@ -18,16 +18,16 @@ jobs:
 - name: Create secrets.tfvars
 working-directory: terraform
 run: |
- echo "PM_API_TOKEN_ID length: $(echo -n '${{ secrets.PM_API_TOKEN_ID }}' | wc -c)"
 echo "PM_API_TOKEN_SECRET length: $(echo -n '${{ secrets.PM_API_TOKEN_SECRET }}' | wc -c)"
 cat > secrets.auto.tfvars << EOF
- pm_api_token_id = "${{ secrets.PM_API_TOKEN_ID }}"
 pm_api_token_secret = "${{ secrets.PM_API_TOKEN_SECRET }}"
 SSH_KEY_PUBLIC = "${{ secrets.SSH_KEY_PUBLIC }}"
 TS_AUTHKEY = "${{ secrets.TS_AUTHKEY }}"
 EOF
 echo "Created secrets.auto.tfvars:"
 cat secrets.auto.tfvars | sed 's/=.*/=***/'
+ echo "Using token ID from terraform.tfvars:"
+ grep '^pm_api_token_id' terraform.tfvars
 - name: Set up Terraform
 uses: hashicorp/setup-terraform@v2
diff --git a/terraform/terraform.tfvars b/terraform/terraform.tfvars
index f176df7..c5223ab 100644
--- a/terraform/terraform.tfvars
+++ b/terraform/terraform.tfvars
@@ -1,9 +1,10 @@
-target_node = "flex"
-clone_template = "ubuntu-cloudinit"
-cores = 1
-memory = 1024
-disk_size = "15G"
-sockets = 1
-bridge = "vmbr0"
-storage = "Flash"
-pm_api_url = "https://100.105.0.115:8006/api2/json"
+target_node = "flex"
+clone_template = "ubuntu-cloudinit"
+cores = 1
+memory = 1024
+disk_size = "15G"
+sockets = 1
+bridge = "vmbr0"
+storage = "Flash"
+pm_api_url = "https://100.105.0.115:8006/api2/json"
+pm_api_token_id = "terraform-prov@pve!mytoken"
diff --git a/terraform/variables.tf b/terraform/variables.tf
index c4f1b2c..42e3073 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
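Review bot: The token secret still reaches the shell through template expansion on this step's new side (`$(echo -n '${{ secrets.PM_API_TOKEN_SECRET }}' | wc -c)` and the unquoted `<< EOF` heredoc), so a secret containing a single quote, `$` or a backtick is interpreted by the shell instead of being stored, and a double quote yields unparsable HCL; the same heredoc remains in the terraform-apply.yml hunk. Passing the values through `env:` and expanding them as shell variables keeps the templater from splicing secret bytes into the script, and `${#PM_API_TOKEN_SECRET}` reports the length without piping the value through a subshell (a `"` inside a secret would still need HCL escaping). The added `grep '^pm_api_token_id' terraform.tfvars` exits non-zero when the key is absent, which presumably fails the step with only grep's exit status as the explanation; `grep '^pm_api_token_id' terraform.tfvars || { echo "pm_api_token_id not set in terraform.tfvars"; exit 1; }` names the cause. The enclosing job starts outside the hunk.
```yaml
      - name: Create secrets.tfvars
        working-directory: terraform
        env:
          PM_API_TOKEN_SECRET: ${{ secrets.PM_API_TOKEN_SECRET }}
          SSH_KEY_PUBLIC: ${{ secrets.SSH_KEY_PUBLIC }}
          TS_AUTHKEY: ${{ secrets.TS_AUTHKEY }}
        run: |
          echo "PM_API_TOKEN_SECRET length: ${#PM_API_TOKEN_SECRET}"
          # Shell variable expansion is not re-parsed, so quotes, $ and backticks
          # inside a secret can no longer alter this script.
          cat > secrets.auto.tfvars << EOF
          pm_api_token_secret = "${PM_API_TOKEN_SECRET}"
          SSH_KEY_PUBLIC = "${SSH_KEY_PUBLIC}"
          TS_AUTHKEY = "${TS_AUTHKEY}"
          EOF
          # … unchanged: masked cat of secrets.auto.tfvars, token id grep …
```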
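Review bot: Nine of the ten new-side lines in the terraform.tfvars hunk differ from the old side only in alignment whitespace, so the single substantive addition, `pm_api_token_id = "terraform-prov@pve!mytoken"`, is buried in what reads as a full rewrite of the file. Keeping formatter output in its own commit, or adding a `terraform fmt -check` step so the file stays formatted, would let future reviews of this file show only real changes.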
@@ -1,12 +1,22 @@
 variable "pm_api_token_id" {
 type = string
 description = "Proxmox API token ID (format: user@realm!tokenid)"
+
+ validation {
+ condition = can(regex(".+!.+", trimspace(var.pm_api_token_id)))
+ error_message = "pm_api_token_id must be in format user@realm!tokenid."
+ }
 }

 variable "pm_api_token_secret" {
 type = string
 sensitive = true
 description = "Proxmox API token secret"
+
+ validation {
+ condition = length(trimspace(var.pm_api_token_secret)) > 0
+ error_message = "pm_api_token_secret cannot be empty. Check your Gitea secret PM_API_TOKEN_SECRET."
+ }
 }

 variable "target_node" {
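Review bot: The new validation on `pm_api_token_id` enforces much less than the `user@realm!tokenid` shape its own error message promises, because `.+!.+` is unanchored and matches any string that contains a `!` with characters on both sides, so a value missing the `@realm` part passes here and presumably only fails later at the provider. The condition also checks `trimspace(var.pm_api_token_id)` while the untrimmed value is what the provider receives, so surrounding whitespace passes validation and is then sent as part of the id. An anchored pattern on the raw value covers both: `condition = can(regex("^[^@!\\s]+@[^@!\\s]+![^@!\\s]+$", var.pm_api_token_id))`. The `pm_api_token_secret` check is fine as written; the `variable "target_node"` block at the end of the hunk continues outside it.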