From 1a5921d9b06c7a36cf86b16f7f618f736adf0efe Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Thu, 11 Jun 2026 23:21:51 +1000
Subject: [PATCH 1/6] feat: only run apply when plan detects changes
---
 .woodpecker/apply.yaml | 3 +--
 Makefile | 13 +++++++++++++
 2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/.woodpecker/apply.yaml b/.woodpecker/apply.yaml
index 36986f1..112d696 100644
--- a/.woodpecker/apply.yaml
+++ b/.woodpecker/apply.yaml
@@ -9,8 +9,7 @@ steps:
 VAULT_AUTH_METHOD: kubernetes
 commands:
 - dnf install vault -y
- - make plan
- - make apply
+ - make apply-if-changes
 backend_options:
 kubernetes:
 serviceAccountName: terraform-git
diff --git a/Makefile b/Makefile
index 640077e..332592c 100644
--- a/Makefile
+++ b/Makefile
@@ -25,6 +25,19 @@ plan: init
 @$(call vault_env) && \
 terragrunt run --all --parallelism 4 --non-interactive plan
+apply-if-changes: init
+ @$(call vault_env) && \
+ terragrunt run --all --parallelism 4 --non-interactive plan -- -detailed-exitcode -out=tfplan; \
+ EXIT_CODE=$$?; \
+ if [ $$EXIT_CODE -eq 2 ]; then \
+ $(call vault_env) && \
+ terragrunt run --all --parallelism 2 --non-interactive apply -- tfplan; \
+ elif [ $$EXIT_CODE -eq 0 ]; then \
+ echo "No changes detected, skipping apply."; \
+ else \
+ exit $$EXIT_CODE; \
+ fi
+
 apply: init
 @$(call vault_env) && \
 terragrunt run --all --parallelism 2 --non-interactive apply
From 1b127941f8dfdb76d2b386792bbe61bf50e0f68b Mon Sep 17 00:00:00 2001
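Review bot: The plan saved with `-out=tfplan` in the `apply-if-changes` recipe can contain sensitive values in cleartext, and nothing in the recipe removes it after `apply` succeeds or when the target leaves early through `exit $$EXIT_CODE`. Because terragrunt runs each unit in its own working directory, the plan files presumably land under each unit's `.terragrunt-cache`, so a cleanup on every exit path such as `find . -path '*/.terragrunt-cache/*' -name tfplan -delete` (or a comment stating that the CI workspace is discarded after the step) would make their lifetime explicit. It is also worth confirming that the installed terragrunt propagates `-detailed-exitcode` across `run --all`; if it only returned 0/1, the `elif` branch would skip apply silently whenever changes exist.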
From: Ben Vincent
Date: Thu, 11 Jun 2026 00:35:02 +1000
Subject: [PATCH 2/6] feat: add terraform-git
- add new repo
- change write -> none
---
 .../unkin/repository/terraform-git.yaml | 14 ++++++++++++++
 config/git.unkin.net/unkin/team/docker.yaml | 2 +-
 config/git.unkin.net/unkin/team/puppet.yaml | 2 +-
 config/git.unkin.net/unkin/team/pybuild.yaml | 2 +-
 config/git.unkin.net/unkin/team/rpmbuild.yaml | 2 +-
 config/git.unkin.net/unkin/team/terraform.yaml | 2 +-
 modules/gitea_instance/imports.tf | 11 +++++++++++
 7 files changed, 30 insertions(+), 5 deletions(-)
 create mode 100644 config/git.unkin.net/unkin/repository/terraform-git.yaml
diff --git a/config/git.unkin.net/unkin/repository/terraform-git.yaml b/config/git.unkin.net/unkin/repository/terraform-git.yaml
new file mode 100644
index 0000000..bb42939
--- /dev/null
+++ b/config/git.unkin.net/unkin/repository/terraform-git.yaml
@@ -0,0 +1,14 @@
+description: "Manage Gitea resources, teams, repos, and Woodpecker CI via Terraform"
+private: false
+default_branch: "main"
+woodpecker: true
+branch_protection:
+ - rule_name: "main"
+ enable_push: false
+ status_check_contexts:
+ - "ci/woodpecker/pr/pre-commit"
+ - "ci/woodpecker/pr/plan"
+ approval_whitelist_users:
+ - "unkinben"
+ approval_whitelist_teams:
+ - "Owners"
diff --git a/config/git.unkin.net/unkin/team/docker.yaml b/config/git.unkin.net/unkin/team/docker.yaml
index 3438f91..c79f27c 100644
--- a/config/git.unkin.net/unkin/team/docker.yaml
+++ b/config/git.unkin.net/unkin/team/docker.yaml
@@ -1,5 +1,5 @@
 description: "manage docker related repositories"
-permission: write
+permission: none
 include_all_repositories: false
 can_create_repos: false
 repositories:
diff --git a/config/git.unkin.net/unkin/team/puppet.yaml b/config/git.unkin.net/unkin/team/puppet.yaml
index 78dc0ff..5d5efa4 100644
--- a/config/git.unkin.net/unkin/team/puppet.yaml
+++ b/config/git.unkin.net/unkin/team/puppet.yaml
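Review bot: The repository is created with `private: false` while `ci/woodpecker/pr/plan` is listed as a required status check, so a plan pipeline runs for every pull request; if Woodpecker is set to accept PR pipelines from forks or non-member contributors, that job would run terragrunt with the step's Vault credentials against untrusted changes. The Woodpecker repository settings are not part of this series, so this may already be restricted, but the assumption deserves a line in the file, e.g. `# PR pipelines must be limited to members: the plan job authenticates to Vault`. The `approval_whitelist_users` entry names one account alongside the `Owners` team; if the team is the intended source of truth, the per-user entry can be dropped so the rule does not need editing when membership changes.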
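Review bot: The team-level `permission` drops from `write` to `none` here and in puppet.yaml, pybuild.yaml, rpmbuild.yaml and terraform.yaml, but neither the commit message nor the files say where write access is now granted, so a later reader cannot tell whether this is a deliberate tightening or a lockout. A one-line comment beside the key, e.g. `# team-wide permission intentionally none; access is granted per repository`, would record the intent — assuming that is where the access now lives, which the series does not show.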
@@ -1,5 +1,5 @@
 description: "owners of the puppet system"
-permission: write
+permission: none
 include_all_repositories: false
 can_create_repos: false
 repositories:
diff --git a/config/git.unkin.net/unkin/team/pybuild.yaml b/config/git.unkin.net/unkin/team/pybuild.yaml
index 8190795..be5f62c 100644
--- a/config/git.unkin.net/unkin/team/pybuild.yaml
+++ b/config/git.unkin.net/unkin/team/pybuild.yaml
@@ -1,5 +1,5 @@
 description: "Python package builers"
-permission: write
+permission: none
 include_all_repositories: false
 can_create_repos: false
 repositories:
diff --git a/config/git.unkin.net/unkin/team/rpmbuild.yaml b/config/git.unkin.net/unkin/team/rpmbuild.yaml
index 40ec10f..f50c259 100644
--- a/config/git.unkin.net/unkin/team/rpmbuild.yaml
+++ b/config/git.unkin.net/unkin/team/rpmbuild.yaml
@@ -1,5 +1,5 @@
 description: "manage rpmbuild repos"
-permission: write
+permission: none
 include_all_repositories: false
 can_create_repos: false
 repositories:
diff --git a/config/git.unkin.net/unkin/team/terraform.yaml b/config/git.unkin.net/unkin/team/terraform.yaml
index dfb44ab..b776a91 100644
--- a/config/git.unkin.net/unkin/team/terraform.yaml
+++ b/config/git.unkin.net/unkin/team/terraform.yaml
@@ -1,5 +1,5 @@
 description: "terraform job maintainers"
-permission: write
+permission: none
 include_all_repositories: false
 can_create_repos: false
 repositories:
diff --git a/modules/gitea_instance/imports.tf b/modules/gitea_instance/imports.tf
index a7620e5..337d850 100644
--- a/modules/gitea_instance/imports.tf
+++ b/modules/gitea_instance/imports.tf
@@ -217,3 +217,14 @@ import {
 to = module.woodpecker_repository["git.unkin.net/unkin/terraform-provider-artifactapi"].woodpecker_repository.this
 id = "unkin/terraform-provider-artifactapi"
 }
+
+import {
+ to = module.repository["git.unkin.net/unkin/terraform-git"].gitea_repository.this
+ id = "144"
+}
+
+import {
+ to = module.woodpecker_repository["git.unkin.net/unkin/terraform-git"].woodpecker_repository.this
+ id = "unkin/terraform-git"
+}
+
From 6203e4d0e26684427df38e594df4fb51ec49e151 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Thu, 11 Jun 2026 23:25:32 +1000
Subject: [PATCH 3/6] fix: add terraform.tf for pre-commit validation
Required for tofu-validate and tflint to work standalone without the terragrunt-generated backend.tf.
---
 modules/gitea_instance/terraform.tf | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 modules/gitea_instance/terraform.tf
diff --git a/modules/gitea_instance/terraform.tf b/modules/gitea_instance/terraform.tf
new file mode 100644
index 0000000..4a11ea7
--- /dev/null
+++ b/modules/gitea_instance/terraform.tf
@@ -0,0 +1,13 @@
+terraform {
+ required_version = ">= 1.10"
+ required_providers {
+ gitea = {
+ source = "go-gitea/gitea"
+ version = "0.7.0"
+ }
+ woodpecker = {
+ source = "Kichiyaki/woodpecker"
+ version = "0.5.0"
+ }
+ }
+}
From 8e3eac286c9cdb2b357cb0686a571ac4139d9fd5 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Thu, 11 Jun 2026 23:26:29 +1000
Subject: [PATCH 4/6] feat: add make pre-commit target
---
 Makefile | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index 332592c..53410c1 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-.PHONY: init plan apply format
+.PHONY: init plan apply apply-if-changes format pre-commit
 VAULT_AUTH_METHOD ?= approle
 VAULT_K8S_ROLE ?= woodpecker_terraform_git
@@ -47,3 +47,6 @@ format:
 @tofu fmt -recursive .
 @echo "Formatting Terragrunt files..."
 @terragrunt hcl fmt
+
+pre-commit:
+ @uvx pre-commit run --all-files
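Review bot: The hunk ends with an added empty line after the second `import` block, leaving a trailing blank line at end of file; the `format` target runs `tofu fmt -recursive .`, which may normalize that and produce an unrelated diff on the next format run, so dropping the final blank `+` line keeps the file stable. The gitea import uses the numeric id `"144"` while the woodpecker one uses `"unkin/terraform-git"`; a short comment such as `# gitea_repository is imported by its numeric repository id` would save the next person adding a repository from guessing which form each provider expects.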
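Review bot: `required_providers` pins gitea to 0.7.0 and woodpecker to 0.5.0, but no `.terraform.lock.hcl` appears anywhere in the series, so the providers are pinned by version only and not by checksum; if the module does not already commit a lock file, adding one lets CI verify provider hashes instead of trusting whatever the registry serves for that version. Separately, patch 6 removes the `hashicorp/consul` 2.23.0 constraint from `environments/root.hcl` without carrying it into this file; the consul backend does not need the provider, but if any resource or data source in the module still uses it, it will now resolve without a version constraint, and if none does, the commit message for patch 6 could say so.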
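Review bot: `uvx pre-commit run --all-files` in the new `pre-commit` target resolves whatever pre-commit release is current at run time, so the hook runner itself is unpinned even though the hooks it executes are pinned in their config; a pinned invocation, e.g. `@uvx pre-commit@<PINNED_VERSION> run --all-files`, makes the target reproducible and keeps a new pre-commit release from changing CI behaviour unannounced.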
From 883faee35c0bb153c06739abf2b8a37cc15271af Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Thu, 11 Jun 2026 23:28:02 +1000
Subject: [PATCH 5/6] style: tofu fmt alignment
---
 modules/gitea_instance/variables.tf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/modules/gitea_instance/variables.tf b/modules/gitea_instance/variables.tf
index 8e78559..fbb4540 100644
--- a/modules/gitea_instance/variables.tf
+++ b/modules/gitea_instance/variables.tf
@@ -15,8 +15,8 @@ variable "organisation" {
 variable "repository" {
 description = "Map of repositories to create"
 type = map(object({
- name = string
- organisation = string
+ name = string
+ organisation = string
 description = optional(string)
 private = optional(bool)
 default_branch = optional(string)
@@ -32,7 +32,7 @@ variable "repository" {
 repo_template = optional(bool)
 website = optional(string)
 autodetect_manual_merge = optional(bool)
- woodpecker = optional(bool, false)
+ woodpecker = optional(bool, false)
 }))
 default = {}
 }
From dc9f3cd59547631433f93eff35cdbea310eba228 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Thu, 11 Jun 2026 23:30:23 +1000
Subject: [PATCH 6/6] fix: remove unused deploy_key variable and duplicate required_providers
---
 environments/au/syd1/terragrunt.hcl | 1 -
 environments/root.hcl | 15 ---------------
 modules/gitea_instance/variables.tf | 12 ------------
 3 files changed, 28 deletions(-)
diff --git a/environments/au/syd1/terragrunt.hcl b/environments/au/syd1/terragrunt.hcl
index 4c92627..73a4bdf 100644
--- a/environments/au/syd1/terragrunt.hcl
+++ b/environments/au/syd1/terragrunt.hcl
@@ -20,6 +20,5 @@ inputs = {
 organisation = local.config.organisation
 repository = local.config.repository
 branch_protection = local.config.branch_protection
- deploy_key = local.config.deploy_key
 team = local.config.team
 }
diff --git a/environments/root.hcl b/environments/root.hcl
index 14abeb5..aa28cfd 100644
--- a/environments/root.hcl
+++ b/environments/root.hcl
@@ -19,21 +19,6 @@ terraform {
 lock = true
 ca_file = "/etc/pki/tls/certs/ca-bundle.crt"
 }
- required_version = ">= 1.10"
- required_providers {
- gitea = {
- source = "go-gitea/gitea"
- version = "0.7.0"
- }
- woodpecker = {
- source = "Kichiyaki/woodpecker"
- version = "0.5.0"
- }
- consul = {
- source = "hashicorp/consul"
- version = "2.23.0"
- }
- }
 }
 EOF
 }
diff --git a/modules/gitea_instance/variables.tf b/modules/gitea_instance/variables.tf
index fbb4540..a4b0324 100644
--- a/modules/gitea_instance/variables.tf
+++ b/modules/gitea_instance/variables.tf
@@ -64,18 +64,6 @@ variable "branch_protection" {
 default = {}
 }
-variable "deploy_key" {
- description = "Map of deploy keys to create"
- type = map(object({
- repository = string
- organisation = string
- gitea_url = string
- title = string
- key = string
- read_only = optional(bool, true)
- }))
- default = {}
-}
 variable "team" {
 description = "Map of teams to create"