mirror of
https://github.com/RWejlgaard/pez-infra.git
synced 2026-07-04 07:36:17 +00:00
The .terraform.lock.hcl was gitignored while providers use floating ~> constraints, so every CI 'tofu init' resolved provider versions fresh and could drift from what was tested locally, with no checksum verification on the providers. Track the lock file instead, with hashes for linux_amd64 (CI) plus darwin_arm64/amd64 (local). Dependabot's terraform updates now surface exact provider version bumps as reviewable, hash-pinned changes.
55 lines
694 B
Text
# Terraform
*.tfstate
*.tfstate.backup
*.tfstate.*.backup
.terraform/
# .terraform.lock.hcl is intentionally committed to pin provider versions
# and checksums for reproducible init across machines and CI.
crash.log
override.tf
override.tf.json
*_override.tf
*_override.tf.json

# Ansible
*.retry

# Secrets — never commit plaintext secrets
*.key
*.pem
*.crt
*.p12
*.pfx
.vault_pass
.vault-password
secrets.yml
config.yml
secrets.yaml
vault.yml
vault.yaml
**/secret.env
**/.env.secret

# SOPS (encrypted files are OK, but age keys are not)
keys.txt
*.agekey

# Editor / OS
.vscode/
.idea/
*.swp
*.swo
*~
.DS_Store
Thumbs.db

# Python
__pycache__/
*.pyc
.venv/
venv/

# Misc
*.log
*.bak
*.tmp
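The commit message above contrasts floating `~>` constraints with a tracked, hash-pinned lock file. The following is an added example, not code from this repository, that parses lock-file text and reports providers that lack hashes or whose locked version falls outside the recorded constraint. The function names and the sample lock entry are constructed for illustration, and only a single two- or three-component `~>` constraint with plain numeric versions is handled.

```python
import re

# Constructed sample in lock-file syntax; provider address, version and hashes are placeholders.
SAMPLE_LOCK = '''
provider "registry.opentofu.org/example/demo" {
  version     = "2.4.1"
  constraints = "~> 2.3"
  hashes = [
    "h1:CONSTRUCTEDPLACEHOLDERHASH=",
    "zh:0000000000000000000000000000000000000000000000000000000000000000",
  ]
}
'''

BLOCK = re.compile(r'provider\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)

def parse_lock(text):
    """Map provider address -> version, constraints and hash list (hypothetical helper)."""
    providers = {}
    for name, body in BLOCK.findall(text):
        attrs = dict(re.findall(r'^\s*(\w+)\s*=\s*"([^"]*)"', body, re.M))
        providers[name] = {
            "version": attrs.get("version"),
            "constraints": attrs.get("constraints"),
            "hashes": re.findall(r'"((?:h1|zh):[^"]+)"', body),
        }
    return providers

def satisfies_pessimistic(version, constraint):
    """True if a plain X.Y.Z version satisfies one '~> X.Y' or '~> X.Y.Z' constraint."""
    m = re.fullmatch(r'~>\s*(\d+(?:\.\d+)+)', constraint.strip())
    if not m:
        raise ValueError(f"unsupported constraint: {constraint!r}")
    low = [int(p) for p in m.group(1).split(".")]
    upper = low[:-2] + [low[-2] + 1]  # '~> 2.3' means >= 2.3 and < 3
    ver = [int(p) for p in version.split(".")]
    pad = lambda v: v + [0] * (3 - len(v))
    return pad(low) <= pad(ver) < pad(upper)

def check_lock(text):
    """Return findings; an empty list means every provider is pinned with hashes."""
    findings = []
    for name, p in parse_lock(text).items():
        if not p["hashes"]:
            findings.append(f"{name}: no hashes recorded")
        if p["constraints"] and not satisfies_pessimistic(p["version"], p["constraints"]):
            findings.append(f"{name}: {p['version']} outside {p['constraints']}")
    return findings
```

Every version from 2.3.0 up to, but not including, 3.0.0 satisfies `~> 2.3`, which is the range an unlocked init is free to choose from.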