From c8b86c74435b96ebee501b2bf4b6cf01a984430a Mon Sep 17 00:00:00 2001
From: MichaelFisher1997 <contact@michaelfisher.tech>
Date: Fri, 27 Feb 2026 20:02:22 +0000
Subject: [PATCH] fix: switch to API token authentication for Proxmox

- Replace user/password auth with API token auth
- Update provider config to use pm_api_token_id and pm_api_token_secret
- Update workflow secrets to use PM_API_TOKEN_ID and PM_API_TOKEN_SECRET
- Remove unused pm_user and proxmox_password variables
---
 .gitea/workflows/terraform-apply.yml |  3 ++-
 .gitea/workflows/terraform-plan.yml  |  3 ++-
 terraform/main.tf                    |  8 ++++----
 terraform/terraform.tfvars           |  2 +-
 terraform/variables.tf               | 15 +++++++++------
 5 files changed, 18 insertions(+), 13 deletions(-)

diff --git a/.gitea/workflows/terraform-apply.yml b/.gitea/workflows/terraform-apply.yml
index 4180a91..c09caa6 100644
--- a/.gitea/workflows/terraform-apply.yml
+++ b/.gitea/workflows/terraform-apply.yml
@@ -18,7 +18,8 @@ jobs:
     env:
       TF_VAR_SSH_KEY_PUBLIC: ${{ secrets.SSH_KEY_PUBLIC }}
       TF_VAR_TS_AUTHKEY: ${{ secrets.TS_AUTHKEY }}
-      TF_VAR_proxmox_password: ${{ secrets.PROXMOX_PASSWORD }}
+      TF_VAR_pm_api_token_id: ${{ secrets.PM_API_TOKEN_ID }}
+      TF_VAR_pm_api_token_secret: ${{ secrets.PM_API_TOKEN_SECRET }}
 
     steps:
       - name: Checkout repository
diff --git a/.gitea/workflows/terraform-plan.yml b/.gitea/workflows/terraform-plan.yml
index 51f09d0..579437e 100644
--- a/.gitea/workflows/terraform-plan.yml
+++ b/.gitea/workflows/terraform-plan.yml
@@ -19,7 +19,8 @@ jobs:
     env:
       TF_VAR_SSH_KEY_PUBLIC: ${{ secrets.SSH_KEY_PUBLIC }}
       TF_VAR_TS_AUTHKEY: ${{ secrets.TS_AUTHKEY }}
-      TF_VAR_proxmox_password: ${{ secrets.PROXMOX_PASSWORD }}
+      TF_VAR_pm_api_token_id: ${{ secrets.PM_API_TOKEN_ID }}
+      TF_VAR_pm_api_token_secret: ${{ secrets.PM_API_TOKEN_SECRET }}
 
     steps:
       - name: Checkout repository
diff --git a/terraform/main.tf b/terraform/main.tf
index bfca2ee..fc6134d 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -8,10 +8,10 @@ terraform {
 }
 
 provider "proxmox" {
-  pm_api_url      = var.pm_api_url
-  pm_user         = var.pm_user
-  pm_password     = var.proxmox_password
-  pm_tls_insecure = true
+  pm_api_url          = var.pm_api_url
+  pm_api_token_id     = var.pm_api_token_id
+  pm_api_token_secret = var.pm_api_token_secret
+  pm_tls_insecure     = true
 }
 
 resource "proxmox_vm_qemu" "alpacas" {
diff --git a/terraform/terraform.tfvars b/terraform/terraform.tfvars
index b91f2d7..6d6354e 100644
--- a/terraform/terraform.tfvars
+++ b/terraform/terraform.tfvars
@@ -7,4 +7,4 @@ sockets        = 1
 bridge         = "vmbr0"
 storage        = "Flash"
 pm_api_url     = "https://100.105.0.115:8006/api2/json"
-pm_user        = "terraform-prov@pve"
+pm_api_token_id = "terraform-prov@pve!mytoken"
diff --git a/terraform/variables.tf b/terraform/variables.tf
index 737b552..c4f1b2c 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -1,5 +1,12 @@
-variable "proxmox_password" {
-  type = string
+variable "pm_api_token_id" {
+  type        = string
+  description = "Proxmox API token ID (format: user@realm!tokenid)"
+}
+
+variable "pm_api_token_secret" {
+  type        = string
+  sensitive   = true
+  description = "Proxmox API token secret"
 }
 
 variable "target_node" {
@@ -38,10 +45,6 @@ variable "pm_api_url" {
   type = string
 }
 
-variable "pm_user" {
-  type = string
-}
-
 variable "alpaca_vm_count" {
   type        = number
   default     = 1