fix: load static token id and validate token secret

- Store non-sensitive Proxmox token id in terraform.tfvars
- Inject only token secret via workflow-generated secrets.auto.tfvars
- Add variable validations for token id format and non-empty token secret
- Add workflow debug output for token secret length and selected token id
2026-02-27 21:00:44 +00:00
parent c3a0ef251c
commit 59fbbb07df
4 changed files with 22 additions and 12 deletions


@@ -18,7 +18,6 @@ jobs:
working-directory: terraform working-directory: terraform
run: | run: |
cat > secrets.auto.tfvars << EOF cat > secrets.auto.tfvars << EOF
pm_api_token_id = "${{ secrets.PM_API_TOKEN_ID }}"
pm_api_token_secret = "${{ secrets.PM_API_TOKEN_SECRET }}" pm_api_token_secret = "${{ secrets.PM_API_TOKEN_SECRET }}"
SSH_KEY_PUBLIC = "${{ secrets.SSH_KEY_PUBLIC }}" SSH_KEY_PUBLIC = "${{ secrets.SSH_KEY_PUBLIC }}"
TS_AUTHKEY = "${{ secrets.TS_AUTHKEY }}" TS_AUTHKEY = "${{ secrets.TS_AUTHKEY }}"
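Review bot: The heredoc that still writes PM_API_TOKEN_SECRET, SSH_KEY_PUBLIC and TS_AUTHKEY after this hunk removes the token id is unquoted (`cat > secrets.auto.tfvars << EOF`), so bash performs `$`, backtick and backslash expansion on the runner-substituted secret values before they reach the file; a secret containing such characters is silently altered and the file still looks correct once masked. Quoting the delimiter, `cat > secrets.auto.tfvars << 'EOF'`, stops that expansion while leaving `${{ secrets.* }}` substitution intact, because the runner performs it before the shell sees the script. Whether the current values contain such characters cannot be seen here, but the quoting costs nothing and removes a class of hard-to-diagnose auth failures. The heredoc terminator and the rest of this step are outside the hunk.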


@@ -18,16 +18,16 @@ jobs:
- name: Create secrets.tfvars - name: Create secrets.tfvars
working-directory: terraform working-directory: terraform
run: | run: |
echo "PM_API_TOKEN_ID length: $(echo -n '${{ secrets.PM_API_TOKEN_ID }}' | wc -c)"
echo "PM_API_TOKEN_SECRET length: $(echo -n '${{ secrets.PM_API_TOKEN_SECRET }}' | wc -c)" echo "PM_API_TOKEN_SECRET length: $(echo -n '${{ secrets.PM_API_TOKEN_SECRET }}' | wc -c)"
cat > secrets.auto.tfvars << EOF cat > secrets.auto.tfvars << EOF
pm_api_token_id = "${{ secrets.PM_API_TOKEN_ID }}"
pm_api_token_secret = "${{ secrets.PM_API_TOKEN_SECRET }}" pm_api_token_secret = "${{ secrets.PM_API_TOKEN_SECRET }}"
SSH_KEY_PUBLIC = "${{ secrets.SSH_KEY_PUBLIC }}" SSH_KEY_PUBLIC = "${{ secrets.SSH_KEY_PUBLIC }}"
TS_AUTHKEY = "${{ secrets.TS_AUTHKEY }}" TS_AUTHKEY = "${{ secrets.TS_AUTHKEY }}"
EOF EOF
echo "Created secrets.auto.tfvars:" echo "Created secrets.auto.tfvars:"
cat secrets.auto.tfvars | sed 's/=.*/=***/' cat secrets.auto.tfvars | sed 's/=.*/=***/'
echo "Using token ID from terraform.tfvars:"
grep '^pm_api_token_id' terraform.tfvars
- name: Set up Terraform - name: Set up Terraform
uses: hashicorp/setup-terraform@v2 uses: hashicorp/setup-terraform@v2
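Review bot: The new `grep '^pm_api_token_id' terraform.tfvars` also acts as a hidden hard check: if the runner keeps the usual `bash -e` default for `run:` steps, a missing line aborts the step with no explanation, so make the intent explicit with `grep '^pm_api_token_id' terraform.tfvars || { echo "pm_api_token_id missing from terraform.tfvars" >&2; exit 1; }`. The secret-length echo kept in this step (which appears to be pre-existing context here) inlines the secret into a single-quoted shell string via `'${{ secrets.PM_API_TOKEN_SECRET }}'`, so a value containing `'` breaks out of the quotes and is parsed as shell; passing it through the step's `env:` as `PM_API_TOKEN_SECRET: ${{ secrets.PM_API_TOKEN_SECRET }}` and measuring it with `$(printf '%s' "$PM_API_TOKEN_SECRET" | wc -c)` avoids that. Printing a secret's length is low risk but still discloses a property of the credential to anyone who can read run logs, so it is worth removing once the failing plan is understood.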


@@ -1,9 +1,10 @@
target_node = "flex" target_node = "flex"
clone_template = "ubuntu-cloudinit" clone_template = "ubuntu-cloudinit"
cores = 1 cores = 1
memory = 1024 memory = 1024
disk_size = "15G" disk_size = "15G"
sockets = 1 sockets = 1
bridge = "vmbr0" bridge = "vmbr0"
storage = "Flash" storage = "Flash"
pm_api_url = "https://100.105.0.115:8006/api2/json" pm_api_url = "https://100.105.0.115:8006/api2/json"
pm_api_token_id = "terraform-prov@pve!mytoken"
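Review bot: The new committed `pm_api_token_id` has no comment explaining why a token identifier lives in a tracked tfvars file while the rest of the Proxmox credential does not, so the next maintainer may "fix" it by moving it back into the secret store. A comment above the line such as `# Proxmox API token *id* (user@realm!tokenid) is a principal name, not a credential; the matching secret is injected by the CI workflow via secrets.auto.tfvars.` documents the split this commit introduces. It is also worth noting there that a `*.auto.tfvars` file overrides `terraform.tfvars` for the same variable, so a stale local secrets.auto.tfvars that still sets `pm_api_token_id` would silently win over this value.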


@@ -1,12 +1,22 @@
variable "pm_api_token_id" { variable "pm_api_token_id" {
type = string type = string
description = "Proxmox API token ID (format: user@realm!tokenid)" description = "Proxmox API token ID (format: user@realm!tokenid)"
validation {
condition = can(regex(".+!.+", trimspace(var.pm_api_token_id)))
error_message = "pm_api_token_id must be in format user@realm!tokenid."
}
} }
variable "pm_api_token_secret" { variable "pm_api_token_secret" {
type = string type = string
sensitive = true sensitive = true
description = "Proxmox API token secret" description = "Proxmox API token secret"
validation {
condition = length(trimspace(var.pm_api_token_secret)) > 0
error_message = "pm_api_token_secret cannot be empty. Check your Gitea secret PM_API_TOKEN_SECRET."
}
} }
variable "target_node" { variable "target_node" {
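Review bot: The new format check `can(regex(".+!.+", trimspace(var.pm_api_token_id)))` accepts almost any string containing a `!`, including one with embedded whitespace or no `@realm` part, and it validates a trimmed copy while the provider receives the untrimmed value; a stricter, untrimmed check that matches the description's own `user@realm!tokenid` format is `condition = can(regex("^[^@!\\s]+@[^@!\\s]+![^\\s!]+$", var.pm_api_token_id))`. The secret validation `length(trimspace(var.pm_api_token_secret)) > 0` has the same mismatch: a secret pasted into the CI secret store with stray leading or trailing whitespace passes validation and is then sent to Proxmox verbatim, so `condition = length(var.pm_api_token_secret) > 0 && var.pm_api_token_secret == trimspace(var.pm_api_token_secret)` with an error message naming the whitespace would turn that into a clear failure. If the tokens this setup uses are always in the UUID form Proxmox generates, a UUID regex would catch a mis-pasted value earlier still, but that cannot be confirmed from the hunk.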