From 3f284b7112cdeb2984ba7be683aff786d94dc7ef Mon Sep 17 00:00:00 2001 From: Rasmus Wejlgaard Date: Thu, 11 Jun 2026 18:52:01 +0100 Subject: [PATCH] make Dependabot tofu validate stubs satisfy provider validators The secret-free Dependabot path stubbed every secret as "stub", which trips provider config validation: hcloud wants a 64-char token and Grafana wants fleet_management_auth as username:password. So the tofu plan check went red on every Dependabot PR and I'd merge past it after checking locally. Generate stubs that pass the format checks instead - 64 chars for tokens, stub:stub for *_auth keys. Verified locally: validate fails with the old stubs (both errors reproduced) and passes with these. --- .github/workflows/validate-terraform.yml | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/.github/workflows/validate-terraform.yml b/.github/workflows/validate-terraform.yml index 6daf4dd..bdda9a8 100644 --- a/.github/workflows/validate-terraform.yml +++ b/.github/workflows/validate-terraform.yml @@ -37,9 +37,19 @@ jobs: # secrets.yaml is decrypted from SOPS at plan time and can't be # produced here, so stub the keys the config reads (kept in sync by # deriving them from the actual secrets["..."] references). + # Stub values must satisfy provider config validators: hcloud + # requires a 64-char token, and Grafana's fleet_management_auth + # must look like `username:password`. + stub64=$(printf 'stub%.0s' {1..16}) grep -rhoE 'secrets\["[^"]+"\]' . \ - | sed -E 's/.*secrets\["([^"]+)"\].*/\1: "stub"/' \ - | sort -u > secrets.yaml + | sed -E 's/.*secrets\["([^"]+)"\].*/\1/' \ + | sort -u \ + | while read -r key; do + case "$key" in + *_auth) echo "$key: \"stub:stub\"" ;; + *) echo "$key: \"$stub64\"" ;; + esac + done > secrets.yaml tofu init -backend=false tofu validate
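Review bot: the `stub64=$(printf 'stub%.0s' {1..16})` line in the `validate-terraform.yml` hunk depends on bash brace expansion, so the 64-character token stub is only produced when the step runs under bash; GitHub's default `run:` shell on Linux runners is bash, but if `shell: sh` is ever set on this job the `{1..16}` is passed literally, `stub64` collapses to four characters and the hcloud validator failure this change fixes comes back silently. Suggest pinning `shell: bash` on the step or guarding the value with something like `[ "${#stub64}" -eq 64 ] || exit 1` next to the assignment, so a regression fails the step with a clear message instead of surfacing again as a provider error. The `*_auth` case and the `sort -u | while read -r key` loop look correct; the loop's subshell is harmless here because the whole loop's output is redirected to `secrets.yaml`.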