- Replace sops -d --extract with bao kv get -field in workflow - Remove .sops.yaml and encrypted proxmox.secrets.yaml - Update .gitleaks.toml comment (remove SOPS reference) - Proxmox token now fetched from OpenBao secret/infrastructure/proxmox via AppRole authentication (atlantis role) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
# Atlantis repo-level config
# Defines how Atlantis should plan/apply for this repository
version: 3
projects:
- name: production
dir: environments/production
workspace: default
workflow: proxmox-secure
autoplan:
when_modified:
- "**/*.tf"
- "**/*.tfvars"
- "../../modules/**/*.tf"
- "../../modules/**/*.tftpl"
enabled: true
apply_requirements:
- approved
workflows:
proxmox-secure:
plan:
steps:
- env:
name: PROXMOX_VE_API_TOKEN
command: "source /secrets/openbao-approle && export BAO_TOKEN=$(bao write -field=token auth/approle/login role_id=$ROLE_ID secret_id=$SECRET_ID) && bao kv get -field=PROXMOX_VE_API_TOKEN secret/infrastructure/proxmox"
- init
- plan
- run: |
echo "=== Checkov IaC Security Scan ==="
tofu show -json $PLANFILE > /tmp/plan.json 2>/dev/null || true
if [ -f /tmp/plan.json ]; then
checkov -f /tmp/plan.json --framework terraform_plan --soft-fail --compact --quiet 2>&1 || true
rm -f /tmp/plan.json
else
echo "No plan JSON available, skipping checkov scan"
fi
apply:
steps:
- env:
name: PROXMOX_VE_API_TOKEN
command: "source /secrets/openbao-approle && export BAO_TOKEN=$(bao write -field=token auth/approle/login role_id=$ROLE_ID secret_id=$SECRET_ID) && bao kv get -field=PROXMOX_VE_API_TOKEN secret/infrastructure/proxmox"
- init
- apply
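Review bot: The AppRole token obtained by `bao write -field=token auth/approle/login …` in the plan env step's `command` (and the identical command in the apply env step) is exported into the shell and never revoked, so it stays valid on the Atlantis runner for its full TTL although it is only needed for the single `bao kv get` that follows. Because Atlantis takes the command's stdout as the value of PROXMOX_VE_API_TOKEN, the cleanup must not write to stdout: read the field into a shell variable, run `bao token revoke -self >/dev/null 2>&1`, and then print the variable only when the read succeeded so that a failed lookup still exits non-zero instead of exporting an empty token; whether Atlantis aborts the workflow on a failing env step should be confirmed against its docs rather than assumed. The same long command string is duplicated in both workflows, so a YAML anchor on the plan step (e.g. `- env: &proxmox_token` / `- env: *proxmox_token`) would keep the two from drifting. Note also that `source /secrets/openbao-approle` executes that file as shell, so its ownership and mode on the runner are part of the trust boundary and worth a comment in this config.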