From 5b4c925e99b74a4a156c28984232a856aa0e003c Mon Sep 17 00:00:00 2001
From: Alexandr
Date: Wed, 25 Mar 2026 07:11:12 +0300
Subject: [PATCH] Sanitize company references and update Vault/Grafana endpoints
---
.gitea/workflows/terraform-dev.yml | 6 ++++++
environments/README — копия.md | 18 ------------------
environments/dev/Seahorse/backend.tf | 13 -------------
environments/dev/Seahorse/main.tf | 2 +-
environments/dev/Seahorse/providers.tf | 7 +++----
environments/dev/adibrov/backend.tf | 13 -------------
environments/dev/adibrov/main.tf | 2 +-
environments/dev/adibrov/providers.tf | 7 +++----
8 files changed, 14 insertions(+), 54 deletions(-)
delete mode 100644 environments/README — копия.md
diff --git a/.gitea/workflows/terraform-dev.yml b/.gitea/workflows/terraform-dev.yml
index a90023e..ae1ad9d 100644
--- a/.gitea/workflows/terraform-dev.yml
+++ b/.gitea/workflows/terraform-dev.yml
@@ -42,12 +42,14 @@ jobs: - name: Terraform init (no backend) working-directory: ${{ env.WORKDIR }} env: + VAULT_ADDR: ${{ secrets.VAULT_ADDR }} VAULT_TOKEN: ${{ secrets.VAULT_TOKEN }} run: terraform init - name: Terraform validate working-directory: ${{ env.WORKDIR }} env: + VAULT_ADDR: ${{ secrets.VAULT_ADDR }} VAULT_TOKEN: ${{ secrets.VAULT_TOKEN }} run: terraform validate
@@ -61,12 +63,14 @@ jobs: - name: Terraform init (no backend) working-directory: ${{ env.WORKDIR }} env: + VAULT_ADDR: ${{ secrets.VAULT_ADDR }} VAULT_TOKEN: ${{ secrets.VAULT_TOKEN }} run: terraform init - name: Terraform plan working-directory: ${{ env.WORKDIR }} env: + VAULT_ADDR: ${{ secrets.VAULT_ADDR }} VAULT_TOKEN: ${{ secrets.VAULT_TOKEN }} run: terraform plan -refresh=false -lock=false -out=tfplan
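Review bot: Every step in the hunks at @@ -42, @@ -61 and @@ -81 now takes VAULT_ADDR from `secrets.VAULT_ADDR`, and since the same commit drops `address` from the `provider "vault"` blocks, an unset or misnamed secret hands the provider an empty address and it falls back to its built-in default (a loopback endpoint, if I recall the provider's documented behaviour correctly) instead of failing with a clear message, so the step would die on an opaque connection error. A one-line guard ahead of init, `run: test -n "$VAULT_ADDR" || { echo 'VAULT_ADDR is not set'; exit 1; }`, makes the misconfiguration explicit. The same pair of `env:` lines is now repeated in six steps; hoisting them to the job-level `env:` would remove the duplication. VAULT_ADDR is an endpoint rather than a credential, so keeping it in secrets also masks the hostname in job logs, which appears to be the point of the sanitization — worth stating in a comment on the workflow so nobody "fixes" it back into a plain variable.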
@@ -81,11 +85,13 @@ jobs: - name: Terraform init (no backend) working-directory: ${{ env.WORKDIR }} env: + VAULT_ADDR: ${{ secrets.VAULT_ADDR }} VAULT_TOKEN: ${{ secrets.VAULT_TOKEN }} run: terraform init - name: Terraform apply (manual trigger) working-directory: ${{ env.WORKDIR }} env: + VAULT_ADDR: ${{ secrets.VAULT_ADDR }} VAULT_TOKEN: ${{ secrets.VAULT_TOKEN }} run: terraform apply -refresh=false -lock=false -auto-approve
diff --git a/environments/README — копия.md b/environments/README — копия.md
deleted file mode 100644
index 8db0311..0000000
--- a/environments/README — копия.md
+++ /dev/null
@@ -1,18 +0,0 @@ -# grafana-terraform -Конфигурация Grafana -## Интеграция с Hashicorp Vault -В кластере **vault.pyn.ru** создана **approle infraservice-iac** с правами на чтение секретов из хранилища `app/data/groups/infraservice/*`. -Все члены группы **/vault-infraservice** могут посмотреть role-id с помощью `vault read auth/approle/role/infraservice-iac/role-id`, а также создать secret-id командой cli `vault write -f auth/approle/role/infraservice-iac/secret-id`. -Для успешной авторизации в Vault перед запуском нужно установить переменную окружения `VAULT_TOKEN` с токеном авторизации в значении. -## Запуск -Запуск осуществляется из директории окружения, например `environments/test`. Перед запуском необходимо задать переменные окружения из файла с переменными `.env` со следующим содержимым: -```bash -set -a -# ключи для s3 backend'ов можно найти в Vault -AWS_ACCESS_KEY_ID="<ключ для доступа к s3 бэкэнду>" -AWS_SECRET_ACCESS_KEY="<секретный ключ для доступа к s3 бэкэнду>" -VAULT_ROLE_ID="" -VAULT_SECRET_ID="" -VAULT_TOKEN=$(curl -s -X POST -d "{\"role_id\":\"$VAULT_ROLE_ID\",\"secret_id\":\"$VAULT_SECRET_ID\"}" \ - https://vault.pyn.ru/v1/auth/approle/login | jq -r .auth.client_token) -```
\ No newline at end of file
diff --git a/environments/dev/Seahorse/backend.tf b/environments/dev/Seahorse/backend.tf
index 17aed37..4b7bab4 100644
--- a/environments/dev/Seahorse/backend.tf
+++ b/environments/dev/Seahorse/backend.tf
@@ -8,17 +8,4 @@ terraform { source = "hashicorp/vault" } } - - backend "s3" { - endpoints = { - s3 = "https://storage.yandexcloud.net" } - bucket = "monitoring-vcmt-core-deploy" - region = "ru-central1" - key = "dev-denis-practic/terraform.tfstate" - skip_region_validation = true - skip_credentials_validation = true - skip_requesting_account_id = true - skip_s3_checksum = true - skip_metadata_api_check = true - } }
diff --git a/environments/dev/Seahorse/main.tf b/environments/dev/Seahorse/main.tf
index 3e7bbf4..d5f6e87 100644
--- a/environments/dev/Seahorse/main.tf
+++ b/environments/dev/Seahorse/main.tf
@@ -37,7 +37,7 @@ module "grafana_contact_points01" { source = "../../../modules/grafana_contact_points" org_id = var.org_id env = var.env - grafana_url = "https://grafana-dev.hhmon.ru/" + grafana_url = "https://grafana.pvenode.ru/" contact_points = local.contact_points providers = { grafana = grafana.grafana01
diff --git a/environments/dev/Seahorse/providers.tf b/environments/dev/Seahorse/providers.tf
index f324e4f..7a030e9 100644
--- a/environments/dev/Seahorse/providers.tf
+++ b/environments/dev/Seahorse/providers.tf
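Review bot: Deleting the whole `backend "s3"` block puts this environment on local state, while the apply job in `.gitea/workflows/terraform-dev.yml` runs `terraform apply -auto-approve` on a runner whose workspace is discarded after the job, so every run starts from empty state and will try to create again the Grafana objects the previous run created (unless state is persisted by some means not visible in this diff). If the intent is only to get the bucket and key out of git, an empty `backend "s3" {}` with the values passed through `terraform init -backend-config=...` from CI secrets keeps state remote without the identifiers in the repository. The same deletion is made in `environments/dev/adibrov/backend.tf`. The enclosing `terraform {` block opens before this hunk.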
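Review bot: The Grafana URL is now a literal in two places per environment — here in `module "grafana_contact_points01"` and again in the `provider "grafana"` block of providers.tf — and duplicated once more in the adibrov copy, so the next endpoint change has to be made in four files and it is easy to leave the module and the provider pointing at different instances. A single `local.grafana_url` (or a `grafana_url` variable) referenced from both, e.g. `grafana_url = local.grafana_url`, keeps them in step. The module block opens before this hunk.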
@@ -1,21 +1,20 @@ provider "vault" { - address = "https://vault.pyn.ru" skip_child_token = true } data "vault_kv_secret_v2" "secret_ext" { # Секреты для подключения к внешним источникам (mm, clickhouse и т.д.) mount = "app" - name = "groups/infraservice/monitoring/grafana/dev/ext" + name = "groups/monitoring/grafana/dev/ext" } data "vault_kv_secret_v2" "secret_int" { # Секреты для работы самой графаны mount = "app" - name = "groups/infraservice/monitoring/grafana/dev/int" + name = "groups/monitoring/grafana/dev/int" } provider "grafana" { alias = "grafana01" - url = "https://grafana-dev.hhmon.ru/" + url = "https://grafana.pvenode.ru/" auth = data.vault_kv_secret_v2.secret_int.data["grafana_local_admin_password"] http_headers = local.grafana_headers }
\ No newline at end of file
diff --git a/environments/dev/adibrov/backend.tf b/environments/dev/adibrov/backend.tf
index e53f193..4b7bab4 100644
--- a/environments/dev/adibrov/backend.tf
+++ b/environments/dev/adibrov/backend.tf
@@ -8,17 +8,4 @@ terraform { source = "hashicorp/vault" } } - - backend "s3" { - endpoints = { - s3 = "https://storage.yandexcloud.net" } - bucket = "monitoring-vcmt-core-deploy" - region = "ru-central1" - key = "a.dibrov-practic/terraform.tfstate" - skip_region_validation = true - skip_credentials_validation = true - skip_requesting_account_id = true - skip_s3_checksum = true - skip_metadata_api_check = true - } }
diff --git a/environments/dev/adibrov/main.tf b/environments/dev/adibrov/main.tf
index 3e7bbf4..d5f6e87 100644
--- a/environments/dev/adibrov/main.tf
+++ b/environments/dev/adibrov/main.tf
@@ -37,7 +37,7 @@ module "grafana_contact_points01" { source = "../../../modules/grafana_contact_points" org_id = var.org_id env = var.env - grafana_url = "https://grafana-dev.hhmon.ru/" + grafana_url = "https://grafana.pvenode.ru/" contact_points = local.contact_points providers = { grafana = grafana.grafana01
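Review bot: The new secret names `groups/monitoring/grafana/dev/ext` and `groups/monitoring/grafana/dev/int` leave the `groups/infraservice/` subtree that the README deleted in this same commit described as the read scope of the `infraservice-iac` AppRole policy; unless that policy was widened at the same time, both `vault_kv_secret_v2` data sources will fail with a permission error at plan time, and nothing in the diff records which policy is expected to grant access. A comment on the data sources such as `# requires read on app/data/groups/monitoring/* for the token used by CI` would capture that dependency. With `address` removed, the `provider "vault"` block now relies entirely on VAULT_ADDR from the environment, so a comment like `# address is taken from VAULT_ADDR; there is deliberately no in-code default` saves the next reader a search and explains the `skip_child_token = true` that sits next to it. The same edits appear in `environments/dev/adibrov/providers.tf`.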
diff --git a/environments/dev/adibrov/providers.tf b/environments/dev/adibrov/providers.tf
index f324e4f..7a030e9 100644
--- a/environments/dev/adibrov/providers.tf
+++ b/environments/dev/adibrov/providers.tf
@@ -1,21 +1,20 @@ provider "vault" { - address = "https://vault.pyn.ru" skip_child_token = true } data "vault_kv_secret_v2" "secret_ext" { # Секреты для подключения к внешним источникам (mm, clickhouse и т.д.) mount = "app" - name = "groups/infraservice/monitoring/grafana/dev/ext" + name = "groups/monitoring/grafana/dev/ext" } data "vault_kv_secret_v2" "secret_int" { # Секреты для работы самой графаны mount = "app" - name = "groups/infraservice/monitoring/grafana/dev/int" + name = "groups/monitoring/grafana/dev/int" } provider "grafana" { alias = "grafana01" - url = "https://grafana-dev.hhmon.ru/" + url = "https://grafana.pvenode.ru/" auth = data.vault_kv_secret_v2.secret_int.data["grafana_local_admin_password"] http_headers = local.grafana_headers }
\ No newline at end of file