strip cluster bootstraps

2026-04-27 21:34:11 +02:00
parent 0353803d4f
commit 96dde22884
42 changed files with 65 additions and 2338 deletions
--- a/.tofu/platforms/aks/modules/cluster/outputs.tf
+++ b/.tofu/platforms/aks/modules/cluster/outputs.tf
@@ -20,98 +20,13 @@ output "location" {
  value       = azurerm_resource_group.main.location
 }

-# ─── PostgreSQL ───────────────────────────────────────────────────────
-
-output "pg_host" {
-  description = "PostgreSQL Flexible Server FQDN (private, reachable from AKS)"
-  value       = azurerm_postgresql_flexible_server.main.fqdn
+output "oidc_issuer_url" {
+  description = "AKS OIDC issuer URL (for workload identity federation)"
+  value       = azurerm_kubernetes_cluster.main.oidc_issuer_url
 }

-output "pg_port" {
-  description = "PostgreSQL port"
-  value       = 5432
-}
-
-output "pg_admin_login" {
-  description = "PostgreSQL administrator login"
-  value       = azurerm_postgresql_flexible_server.main.administrator_login
-}
-
-output "pg_admin_password" {
-  description = "PostgreSQL administrator password"
-  value       = random_password.pg_admin.result
+output "kubeconfig" {
+  description = "Kubeconfig for the AKS cluster"
+  value       = azurerm_kubernetes_cluster.main.kube_config_raw
  sensitive   = true
 }
-
-output "pg_keycloak_password" {
-  description = "Pre-generated password for keycloak DB user — create user post-provision"
-  value       = random_password.pg_keycloak.result
-  sensitive   = true
-}
-
-output "pg_gitlab_password" {
-  description = "Pre-generated password for gitlab DB user — create user post-provision"
-  value       = random_password.pg_gitlab.result
-  sensitive   = true
-}
-
-# ─── Redis ────────────────────────────────────────────────────────────
-
-output "redis_host" {
-  description = "Azure Cache for Redis hostname"
-  value       = azurerm_redis_cache.main.hostname
-}
-
-output "redis_port" {
-  description = "Redis SSL port (6380)"
-  value       = azurerm_redis_cache.main.ssl_port
-}
-
-output "redis_password" {
-  description = "Redis primary access key"
-  value       = azurerm_redis_cache.main.primary_access_key
-  sensitive   = true
-}
-
-# ─── Blob Storage ─────────────────────────────────────────────────────
-
-output "storage_account_name" {
-  description = "Azure Storage Account name"
-  value       = azurerm_storage_account.main.name
-}
-
-output "storage_primary_access_key" {
-  description = "Storage Account primary access key (used for registry; main GitLab storage uses managed identity)"
-  value       = azurerm_storage_account.main.primary_access_key
-  sensitive   = true
-}
-
-# ─── Entra ID ────────────────────────────────────────────────────────
-
-output "entra_tenant_id" {
-  description = "Entra ID tenant ID — used in Keycloak IdP OIDC endpoint URLs"
-  value       = data.azurerm_client_config.current.tenant_id
-}
-
-output "entra_keycloak_client_id" {
-  description = "App Registration client ID for the Keycloak IdP"
-  value       = azuread_application.keycloak_idp.client_id
-}
-
-output "entra_keycloak_client_secret" {
-  description = "App Registration client secret for the Keycloak IdP"
-  value       = azuread_application_password.keycloak_idp.value
-  sensitive   = true
-}
-
-# ─── Workload Identity ────────────────────────────────────────────────
-
-output "gitlab_identity_client_id" {
-  description = "Client ID of the GitLab managed identity — annotate the K8s service account with this value"
-  value       = azurerm_user_assigned_identity.gitlab.client_id
-}
-
-output "external_dns_identity_client_id" {
-  description = "Client ID of the external-dns managed identity — written to config.yaml by sync-tofu-outputs.sh"
-  value       = azurerm_user_assigned_identity.external_dns.client_id
-}