tofu setup

2026-04-27 21:00:07 +02:00
parent 7132f5000e
commit d3690d0597
63 changed files with 4809 additions and 9 deletions
--- a/.tofu/platforms/aks/modules/cluster/outputs.tf
+++ b/.tofu/platforms/aks/modules/cluster/outputs.tf
@@ -0,0 +1,117 @@
+# ─── Cluster ─────────────────────────────────────────────────────────
+
+output "cluster_name" {
+  description = "AKS cluster name"
+  value       = azurerm_kubernetes_cluster.main.name
+}
+
+output "resource_group_name" {
+  description = "Resource group name"
+  value       = azurerm_resource_group.main.name
+}
+
+output "kubernetes_version" {
+  description = "Kubernetes version"
+  value       = azurerm_kubernetes_cluster.main.kubernetes_version
+}
+
+output "location" {
+  description = "Azure region"
+  value       = azurerm_resource_group.main.location
+}
+
+# ─── PostgreSQL ───────────────────────────────────────────────────────
+
+output "pg_host" {
+  description = "PostgreSQL Flexible Server FQDN (private, reachable from AKS)"
+  value       = azurerm_postgresql_flexible_server.main.fqdn
+}
+
+output "pg_port" {
+  description = "PostgreSQL port"
+  value       = 5432
+}
+
+output "pg_admin_login" {
+  description = "PostgreSQL administrator login"
+  value       = azurerm_postgresql_flexible_server.main.administrator_login
+}
+
+output "pg_admin_password" {
+  description = "PostgreSQL administrator password"
+  value       = random_password.pg_admin.result
+  sensitive   = true
+}
+
+output "pg_keycloak_password" {
+  description = "Pre-generated password for keycloak DB user — create user post-provision"
+  value       = random_password.pg_keycloak.result
+  sensitive   = true
+}
+
+output "pg_gitlab_password" {
+  description = "Pre-generated password for gitlab DB user — create user post-provision"
+  value       = random_password.pg_gitlab.result
+  sensitive   = true
+}
+
+# ─── Redis ────────────────────────────────────────────────────────────
+
+output "redis_host" {
+  description = "Azure Cache for Redis hostname"
+  value       = azurerm_redis_cache.main.hostname
+}
+
+output "redis_port" {
+  description = "Redis SSL port (6380)"
+  value       = azurerm_redis_cache.main.ssl_port
+}
+
+output "redis_password" {
+  description = "Redis primary access key"
+  value       = azurerm_redis_cache.main.primary_access_key
+  sensitive   = true
+}
+
+# ─── Blob Storage ─────────────────────────────────────────────────────
+
+output "storage_account_name" {
+  description = "Azure Storage Account name"
+  value       = azurerm_storage_account.main.name
+}
+
+output "storage_primary_access_key" {
+  description = "Storage Account primary access key (used for registry; main GitLab storage uses managed identity)"
+  value       = azurerm_storage_account.main.primary_access_key
+  sensitive   = true
+}
+
+# ─── Entra ID ────────────────────────────────────────────────────────
+
+output "entra_tenant_id" {
+  description = "Entra ID tenant ID — used in Keycloak IdP OIDC endpoint URLs"
+  value       = data.azurerm_client_config.current.tenant_id
+}
+
+output "entra_keycloak_client_id" {
+  description = "App Registration client ID for the Keycloak IdP"
+  value       = azuread_application.keycloak_idp.client_id
+}
+
+output "entra_keycloak_client_secret" {
+  description = "App Registration client secret for the Keycloak IdP"
+  value       = azuread_application_password.keycloak_idp.value
+  sensitive   = true
+}
+
+# ─── Workload Identity ────────────────────────────────────────────────
+
+output "gitlab_identity_client_id" {
+  description = "Client ID of the GitLab managed identity — annotate the K8s service account with this value"
+  value       = azurerm_user_assigned_identity.gitlab.client_id
+}
+
+output "external_dns_identity_client_id" {
+  description = "Client ID of the external-dns managed identity — written to config.yaml by sync-tofu-outputs.sh"
+  value       = azurerm_user_assigned_identity.external_dns.client_id
+}