feat: remove terraform token from terrafrom pod, SD-1235

SergeyDeminSaritasa · SergeyDeminSaritasa · commit 806f398bf982 · 2025-11-10T12:23:05.000+07:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,13 @@
 
 [dev]
 
+- [associated PR](https://github.com/saritasa-nest/saritasa-devops-helm-charts/pull/181)
+- Update terraform-pod to not use terraform token secret
+
+## 2025-10-16
+
+[dev]
+
 - [associated PR](https://github.com/saritasa-nest/saritasa-devops-helm-charts/pull/178)
 - Update slack-notification `get-failed-info` step
 
diff --git a/charts/terraform-pod/Chart.yaml b/charts/terraform-pod/Chart.yaml
@@ -6,7 +6,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.0.40
+version: 0.0.41
 
 maintainers:
   - url: https://www.saritasa.com/
diff --git a/charts/terraform-pod/README.md b/charts/terraform-pod/README.md
@@ -83,7 +83,6 @@ For infra-aws repos you may want to pass short-term TTL AWS credentials from the
     --set github.username=YOUR-GITHUB-USERNAME \
     --set github.email=YOUR-GITHUB-EMAIL \
     --set gitCryptKey=$(base64 -w 0 path/to/git-crypt-key) \
-    --set terraform.token=xxx \
     --set aws.accessKeyId=$(echo $creds | jq -r ".AccessKeyId") \
     --set aws.secretAccessKey=$(echo $creds | jq -r ".SecretAccessKey") \
     --set aws.sessionToken="$(echo $creds | jq -r ".SessionToken")" \
@@ -189,6 +188,4 @@ unset creds
 | terraform.client | string | `""` | terraform client name (used to decide what workspace in the org to use) |
 | terraform.initCommand | string | `"make _dev init"` | makefile target in the Makefile of  the repository to run during initialization phase (can be any valid bash one-liner if you want to skip the makefile targets of the repository) |
 | terraform.organization | string | `"saritasa-team"` | terraform org |
-| terraform.token | string | `""` | terraform api token value (optional, if passed - takes precedence over tokenSecret) |
-| terraform.tokenSecret | string | `"terraform-cli-token-saritasa-team"` | secret name containing terraform team API token name (optional) |
 | tolerations | list | `[]` | tolerations |
diff --git a/charts/terraform-pod/templates/_helpers.tpl b/charts/terraform-pod/templates/_helpers.tpl
@@ -151,22 +151,9 @@ Define env vars containing argocd access to be passed as TF_VAR value into terra
 Define env vars for terraform
 */}}
 {{- define "terraform-pod.terraform-env-vars" -}}
-{{- $hasCustomTerraformToken := gt (len .Values.terraform.token) 0 -}}
-{{- $secretName := ternary (include "terraform-pod.terraform-token" .) .Values.terraform.tokenSecret $hasCustomTerraformToken }}
-
 # terraform vars
 - name: TF_ORG
   value: {{ .Values.terraform.organization }}
-- name: TF_TOKEN_app_terraform_io
-  valueFrom:
-    secretKeyRef:
-      name: {{ printf "%s" $secretName }}
-      key: token
-- name: TF_TOKEN_registry_terraform_io
-  valueFrom:
-    secretKeyRef:
-      name: {{ printf "%s" $secretName }}
-      key: token
 {{ include "terraform-pod.terraform-env-database-vars" . }}
 {{ include "terraform-pod.terraform-env-argocd-vars" . }}
 {{ include "terraform-pod.terraform-env-sentry-vars" . }}
@@ -315,14 +302,6 @@ terraform.organization:
 terraform.client:
     `client` is required and should be a non-empty string. It should contain client name, which would be used as a suffix for the workspace for infra-dev-aws solutions (skipped otherwise)
 {{- end -}}
-{{ if not (or (and .Values.terraform.tokenSecret (kindIs "string" .Values.terraform.tokenSecret))
-              (and .Values.terraform.token (kindIs "string" .Values.terraform.token))
-          ) }}
-terraform.tokenSecret|token:
-    You didn't set either tokenSecret or token. One is required for the terraform pod to be functional.
-    `tokenSecret` is required and should be a non-empty string. It should contain a name of the secret containing terraform auth token for the organnization.
-    or
-    `token` is required and should be a non-empty string. It should terraform api token as a string
 {{- end -}}
 {{ if not (and .Values.terraform.initCommand (kindIs "string" .Values.terraform.initCommand)) }}
 terraform.initCommand:
diff --git a/charts/terraform-pod/values.yaml b/charts/terraform-pod/values.yaml
@@ -32,10 +32,6 @@ terraform:
   organization: saritasa-team
   # -- terraform client name (used to decide what workspace in the org to use)
   client: ""
-  # -- secret name containing terraform team API token name (optional)
-  tokenSecret: terraform-cli-token-saritasa-team
-  # -- terraform api token value (optional, if passed - takes precedence over tokenSecret)
-  token: ""
   # -- makefile target in the Makefile of  the repository to run during initialization phase (can be any valid bash one-liner if you want to skip the makefile targets of the repository)
   initCommand: make _dev init
 
