mirror of
https://github.com/RWejlgaard/pez-infra.git
synced 2026-07-04 15:46:16 +00:00
The .terraform.lock.hcl was gitignored while providers use floating ~> constraints, so every CI 'tofu init' resolved provider versions fresh and could drift from what was tested locally, with no checksum verification on the providers. Track the lock file instead, with hashes for linux_amd64 (CI) plus darwin_arm64/amd64 (local). Dependabot's terraform updates now surface exact provider version bumps as reviewable, hash-pinned changes.
Directory contents: grafana, hetzner, pagerduty, .gitignore, .terraform.lock.hcl, main.tf, Makefile, providers.tf, README.md, secrets.enc.yaml, vars.tf
Terraform
Infrastructure-as-code for cloud and edge services. Uses OpenTofu (drop-in Terraform replacement).
What's managed
- Hetzner Cloud — Two servers (`nuremberg-a`, `helsinki-a`), firewalls, and DNS for `pez.sh`
- Grafana Cloud — Stack, dashboards, synthetic monitoring checks, alert rules, Fleet collectors and pipelines
- PagerDuty — Service, escalation policy, and Grafana integration
Secrets
Secrets are stored encrypted in `secrets.enc.yaml` via SOPS and decrypted at plan/apply time into `secrets.yaml`; the Makefile handles decryption automatically. The decrypted `secrets.yaml` is plaintext, so only `secrets.enc.yaml` belongs in git and the plaintext copy must stay ignored.
Required secret keys: hetzner_token, grafana_cloud_access_policy, grafana_synthetic_monitoring_access_token, grafana_fleet_management_auth, grafana_service_account_token, pagerduty_token, plex_token, backblaze_key_id.
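A pre-flight check for that decryption step, written in Python as an added example; it is not the project's Makefile or any code from pez-infra. It assumes `secrets.yaml` is the flat `key: value` map the README describes (nested YAML is not handled); the key names come from the README's list and the sample values are constructed placeholders.

```python
"""Pre-flight secrets check, added here as an example; it is not part of pez-infra.
Verifies that the decrypted secrets.yaml carries every key the README requires,
with a non-empty value, before tofu plan/apply runs. Assumes secrets.yaml is a
flat `key: value` map (all the README describes); nested YAML is not handled."""
import sys

# Key names taken from the README's "Required secret keys" line.
REQUIRED_SECRET_KEYS = (
    "hetzner_token",
    "grafana_cloud_access_policy",
    "grafana_synthetic_monitoring_access_token",
    "grafana_fleet_management_auth",
    "grafana_service_account_token",
    "pagerduty_token",
    "plex_token",
    "backblaze_key_id",
)


def parse_flat_yaml(text: str) -> dict[str, str]:
    """Minimal parser for a flat YAML mapping, so the check has no PyYAML dependency.
    Drops full-line and trailing ' #' comments and strips matching surrounding quotes."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        line = line.split(" #", 1)[0].rstrip()
        key, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        values[key.strip()] = value
    return values


def missing_secret_keys(text: str, required=REQUIRED_SECRET_KEYS) -> list[str]:
    """Return the required keys that are absent or empty, in README order."""
    values = parse_flat_yaml(text)
    return [key for key in required if not values.get(key)]


def check_secrets_file(path: str) -> bool:
    """Gate for the Makefile: False (and a message on stderr) if anything is missing."""
    with open(path, encoding="utf-8") as fh:
        missing = missing_secret_keys(fh.read())
    if missing:
        print(f"{path}: missing or empty keys: {', '.join(missing)}", file=sys.stderr)
        return False
    return True


# Constructed sample inputs with placeholder values; not real credentials.
SAMPLE_COMPLETE = """\
hetzner_token: hcloud-placeholder
grafana_cloud_access_policy: glc-placeholder
grafana_synthetic_monitoring_access_token: sm-placeholder
grafana_fleet_management_auth: "fleet-placeholder"
grafana_service_account_token: glsa-placeholder
pagerduty_token: 'pd-placeholder'
plex_token: plex-placeholder
backblaze_key_id: b2-placeholder
"""

SAMPLE_INCOMPLETE = """\
# only two keys present, one of them empty
hetzner_token: hcloud-placeholder
pagerduty_token: ""  # an empty string counts as missing
"""

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "secrets.yaml"
    sys.exit(0 if check_secrets_file(target) else 1)
```

Hook it into the Makefile between the SOPS decrypt step and `tofu plan` (for instance as a dependency of the plan target) so a half-populated `secrets.yaml` fails fast instead of surfacing as a provider authentication error part-way through an apply.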
State
State is stored in a Backblaze B2 bucket (`pez-infra-tfstate`) using an S3-compatible backend. Credentials are read from the `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` environment variables, which here carry a Backblaze application key ID and key rather than AWS credentials (the S3 backend only knows those variable names). State is written in plaintext and includes the sensitive values providers return, so the bucket must not be publicly readable and the application key used for it should be restricted to that bucket.
Usage
```sh
make init   # initialize providers and backend
make plan   # preview changes
make apply  # apply changes
make fmt    # format all .tf files
```
Provider versions
| Provider | Source | Version |
|---|---|---|
| Hetzner Cloud | hetznercloud/hcloud | ~> 1.45 |
| Grafana | grafana/grafana | ~> 4.35 |
| PagerDuty | pagerduty/pagerduty | ~> 2.2 |
| OpenTofu | — | >= 1.6.0 |
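The `~>` constraints above only bound the major version: `~> 1.45` admits any 1.x release from 1.45 onward, so the exact version and its checksums come from `.terraform.lock.hcl`, which the repo now tracks. The audit below is a Python example added here, not code from pez-infra: it parses the lock file and reports a provider that is not locked at all, a locked version that no longer satisfies its constraint, or fewer `h1:` hashes than platforms were locked. It assumes the lock file addresses providers under OpenTofu's default registry (`registry.opentofu.org/...`); the sample lock content is constructed, with placeholder hashes.

```python
"""Lock-file audit, added here as an example; it is not part of pez-infra.
Checks that .terraform.lock.hcl pins an exact, hash-backed version for every
provider in providers.tf and that the pinned version satisfies its constraint.
Assumes providers are addressed under OpenTofu's default registry, registry.opentofu.org."""
import re


def parse_version(s: str) -> tuple[int, int, int]:
    parts = [int(p) for p in s.strip().split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def satisfies(version: str, constraints: str) -> bool:
    """Evaluate a comma-separated Terraform/OpenTofu version constraint.
    '~> 1.45' means 1.45.0 <= v < 2.0.0; '~> 1.45.0' means 1.45.0 <= v < 1.46.0."""
    v = parse_version(version)
    for clause in constraints.split(","):
        m = re.fullmatch(r"\s*(~>|>=|<=|!=|=|>|<)?\s*([0-9]+(?:\.[0-9]+)*)\s*", clause)
        if not m:
            raise ValueError(f"unsupported constraint clause: {clause!r}")
        op, target = m.group(1) or "=", m.group(2)
        t = parse_version(target)
        if op == "~>":
            # The component left of the last one written may increment; lower ones reset.
            bump = max(len(target.split(".")) - 2, 0)
            upper = (*t[:bump], t[bump] + 1, *([0] * (2 - bump)))
            ok = t <= v < upper
        else:
            ok = {">=": v >= t, "<=": v <= t, "!=": v != t, "=": v == t, ">": v > t, "<": v < t}[op]
        if not ok:
            return False
    return True


PROVIDER_BLOCK = re.compile(r'provider\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)


def parse_lock(text: str) -> dict[str, dict]:
    """Extract the pinned version and hash list from each provider block."""
    entries = {}
    for addr, body in PROVIDER_BLOCK.findall(text):
        version = re.search(r'\bversion\s*=\s*"([^"]+)"', body)
        entries[addr] = {
            "version": version.group(1) if version else None,
            "hashes": re.findall(r'"((?:h1|zh):[^"]+)"', body),
        }
    return entries


def audit_lock(lock_text: str, required: dict[str, str], platforms: int) -> list[str]:
    """One finding per problem; an empty list means the lock file is sound.
    `required` maps provider address -> constraint from providers.tf. `platforms` is
    the number of h1: hashes expected: tofu providers lock records one per -platform."""
    findings = []
    entries = parse_lock(lock_text)
    for addr, constraint in required.items():
        entry = entries.get(addr)
        if entry is None or entry["version"] is None:
            findings.append(f"{addr}: not locked, so tofu init would resolve it fresh")
            continue
        if not satisfies(entry["version"], constraint):
            findings.append(f"{addr}: locked {entry['version']} violates {constraint}")
        h1 = [h for h in entry["hashes"] if h.startswith("h1:")]
        if len(h1) < platforms:
            findings.append(f"{addr}: {len(h1)} h1: hashes, expected {platforms}")
    return findings


# Constraints from the README's provider table, keyed by OpenTofu registry address.
REQUIRED_PROVIDERS = {
    "registry.opentofu.org/hetznercloud/hcloud": "~> 1.45",
    "registry.opentofu.org/grafana/grafana": "~> 4.35",
    "registry.opentofu.org/pagerduty/pagerduty": "~> 2.2",
}

# Constructed lock file: hashes are placeholders, grafana is stale, pagerduty is absent.
SAMPLE_LOCK = """\
provider "registry.opentofu.org/hetznercloud/hcloud" {
  version     = "1.45.0"
  constraints = "~> 1.45"
  hashes = [
    "h1:linux-amd64-placeholder=",
    "h1:darwin-arm64-placeholder=",
    "h1:darwin-amd64-placeholder=",
  ]
}

provider "registry.opentofu.org/grafana/grafana" {
  version     = "3.25.0"
  constraints = "~> 3.25"
  hashes = [
    "h1:grafana-placeholder=",
  ]
}
"""
```

Wiring it into CI is a matter of reading `.terraform.lock.hcl`, calling `audit_lock(text, REQUIRED_PROVIDERS, platforms=3)` and exiting non-zero on any finding; pair it with `tofu init -lockfile=readonly` so init fails rather than quietly rewriting the lock. Regenerating hashes for the three platforms the commit message names is `tofu providers lock -platform=linux_amd64 -platform=darwin_arm64 -platform=darwin_amd64`, the OpenTofu equivalent of the Terraform command of the same name.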