pez-infra/.gitignore
Rasmus Wejlgaard 8e6469d66e chore: commit terraform lock file for reproducible provider versions
The .terraform.lock.hcl was gitignored while providers use floating
~> constraints, so every CI 'tofu init' resolved provider versions
fresh and could drift from what was tested locally, with no checksum
verification on the providers.

Track the lock file instead, with hashes for linux_amd64 (CI) plus
darwin_arm64/amd64 (local). Dependabot's terraform updates now surface
exact provider version bumps as reviewable, hash-pinned changes.
2026-06-06 13:17:32 +01:00


# Terraform
*.tfstate
*.tfstate.backup
*.tfstate.*.backup
.terraform/
# .terraform.lock.hcl is intentionally committed to pin provider versions
# and checksums for reproducible init across machines and CI.
crash.log
override.tf
override.tf.json
*_override.tf
*_override.tf.json
# Ansible
*.retry
# Secrets — never commit plaintext secrets
*.key
*.pem
*.crt
*.p12
*.pfx
.vault_pass
.vault-password
secrets.yml
config.yml
secrets.yaml
vault.yml
vault.yaml
**/secret.env
**/.env.secret
# SOPS (encrypted files are OK, but age keys are not)
keys.txt
*.agekey
# Editor / OS
.vscode/
.idea/
*.swp
*.swo
*~
.DS_Store
Thumbs.db
# Python
__pycache__/
*.pyc
.venv/
venv/
# Misc
*.log
*.bak
*.tmp
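
The rules above only keep new files out of the index; a file that was added before its rule existed, or with `git add -f`, stays tracked. The following is an added example (not part of pez-infra) of a check a CI step could run: it confirms that `.terraform.lock.hcl` is tracked and not matched by any ignore pattern, and that no tracked file matches one. The function names and the scratch repository with its files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of pez-infra. Requires git on PATH.

# audit_repo DIR: return 0 if DIR's index agrees with its ignore rules, else 1.
audit_repo() {
    repo=$1
    rc=0
    # --no-index tests the patterns alone, so a lock file that is tracked but
    # still matched by a leftover ignore rule is reported as well.
    if git -C "$repo" check-ignore -q --no-index .terraform.lock.hcl; then
        echo "FAIL: .terraform.lock.hcl matches an ignore pattern"
        rc=1
    fi
    if ! git -C "$repo" ls-files --error-unmatch .terraform.lock.hcl >/dev/null 2>&1; then
        echo "FAIL: .terraform.lock.hcl is not tracked"
        rc=1
    fi
    # .gitignore never untracks anything: list indexed files that match a
    # pattern (for example a key added with 'git add -f' or before the rule).
    leaked=$(git -C "$repo" ls-files -c -i --exclude-standard)
    if [ -n "$leaked" ]; then
        echo "FAIL: tracked files match ignore patterns:"
        printf '%s\n' "$leaked" | sed 's/^/  /'
        rc=1
    fi
    return "$rc"
}

# make_scratch_repo: build a throwaway repo from constructed files, print its path.
make_scratch_repo() {
    dir=$(mktemp -d) || return 1
    git init -q "$dir" || return 1
    # Constructed subset of the ignore rules shown above.
    printf '%s\n' '.terraform/' '*.tfstate' '*.pem' '*.agekey' 'secrets.yml' \
        > "$dir/.gitignore"
    printf '# constructed placeholder lock file\n' > "$dir/.terraform.lock.hcl"
    git -C "$dir" add .gitignore .terraform.lock.hcl || return 1
    printf '%s\n' "$dir"
}

# Usage: sh audit.sh /path/to/checkout
if [ $# -gt 0 ]; then
    audit_repo "$1"
fi
```

`git ls-files --exclude-standard` also honours `.git/info/exclude` and the user's global excludes file, so results on a developer machine can include matches that CI would not report.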