Sanitize company references and update Vault/Grafana endpoints

2026-03-25 07:11:12 +03:00
parent 558a23d916
commit 5b4c925e99
8 changed files with 14 additions and 54 deletions
--- a/.gitea/workflows/terraform-dev.yml
+++ b/.gitea/workflows/terraform-dev.yml
@ -42,12 +42,14 @@ jobs:
      - name: Terraform init (no backend)
        working-directory: ${{ env.WORKDIR }}
        env:
          VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
          VAULT_TOKEN: ${{ secrets.VAULT_TOKEN }}
        run: terraform init
      - name: Terraform validate
        working-directory: ${{ env.WORKDIR }}
        env:
          VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
          VAULT_TOKEN: ${{ secrets.VAULT_TOKEN }}
        run: terraform validate
@ -61,12 +63,14 @@ jobs:
      - name: Terraform init (no backend)
        working-directory: ${{ env.WORKDIR }}
        env:
          VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
          VAULT_TOKEN: ${{ secrets.VAULT_TOKEN }}
        run: terraform init
      - name: Terraform plan
        working-directory: ${{ env.WORKDIR }}
        env:
          VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
          VAULT_TOKEN: ${{ secrets.VAULT_TOKEN }}
        run: terraform plan -refresh=false -lock=false -out=tfplan
@ -81,11 +85,13 @@ jobs:
      - name: Terraform init (no backend)
        working-directory: ${{ env.WORKDIR }}
        env:
          VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
          VAULT_TOKEN: ${{ secrets.VAULT_TOKEN }}
        run: terraform init
      - name: Terraform apply (manual trigger)
        working-directory: ${{ env.WORKDIR }}
        env:
          VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
          VAULT_TOKEN: ${{ secrets.VAULT_TOKEN }}
        run: terraform apply -refresh=false -lock=false -auto-approve
--- a/environments/README
+++ b/environments/README
@ -1,18 +0,0 @@
 # grafana-terraform
 Конфигурация Grafana
 ## Интеграция с Hashicorp Vault
 В кластере **vault.pyn.ru** создана **approle infraservice-iac** с правами на чтение секретов из хранилища `app/data/groups/infraservice/*`.
 Все члены группы **/vault-infraservice** могут посмотреть role-id с помощью `vault read auth/approle/role/infraservice-iac/role-id`, а также создать secret-id командой cli `vault write -f auth/approle/role/infraservice-iac/secret-id`.
 Для успешной авторизации в Vault перед запуском нужно установить переменную окружения `VAULT_TOKEN` с токеном авторизации в значении.
 ## Запуск
 Запуск осуществляется из директории окружения, например `environments/test`. Перед запуском необходимо задать переменные окружения из файла с переменными `.env` со следующим содержимым:
 ```bash
 set -a
 # ключи для s3 backend'ов можно найти в Vault
 AWS_ACCESS_KEY_ID="<ключ для доступа к s3 бэкэнду>"
 AWS_SECRET_ACCESS_KEY="<секретный ключ для доступа к s3 бэкэнду>"
 VAULT_ROLE_ID="<role_id для approle vault>"
 VAULT_SECRET_ID="<secret_id для approle vault>"
 VAULT_TOKEN=$(curl -s -X POST -d "{\"role_id\":\"$VAULT_ROLE_ID\",\"secret_id\":\"$VAULT_SECRET_ID\"}" \
  https://vault.pyn.ru/v1/auth/approle/login | jq -r .auth.client_token)
 ```
--- a/environments/dev/Seahorse/backend.tf
+++ b/environments/dev/Seahorse/backend.tf
@ -8,17 +8,4 @@ terraform {
      source  = "hashicorp/vault"
    }
  }
  backend "s3" {
    endpoints = {
      s3 = "https://storage.yandexcloud.net" }
    bucket                      = "monitoring-vcmt-core-deploy"
    region                      = "ru-central1"
    key                         = "dev-denis-practic/terraform.tfstate"
    skip_region_validation      = true
    skip_credentials_validation = true
    skip_requesting_account_id  = true
    skip_s3_checksum            = true
    skip_metadata_api_check     = true
  }
 }
--- a/environments/dev/Seahorse/main.tf
+++ b/environments/dev/Seahorse/main.tf
@ -37,7 +37,7 @@ module "grafana_contact_points01" {
  source         = "../../../modules/grafana_contact_points"
  org_id         = var.org_id
  env            = var.env
-  grafana_url    = "https://grafana-dev.hhmon.ru/"
+  grafana_url    = "https://grafana.pvenode.ru/"
  contact_points = local.contact_points
  providers = {
    grafana = grafana.grafana01
--- a/environments/dev/Seahorse/providers.tf
+++ b/environments/dev/Seahorse/providers.tf
@ -1,21 +1,20 @@
 provider "vault" { 
  address          = "https://vault.pyn.ru"
  skip_child_token = true
 }
 data "vault_kv_secret_v2" "secret_ext" { # Секреты для подключения к внешним источникам (mm, clickhouse и т.д.)
 mount = "app"
- name  = "groups/infraservice/monitoring/grafana/dev/ext"
+ name  = "groups/monitoring/grafana/dev/ext"
 }
 data "vault_kv_secret_v2" "secret_int" { # Секреты для работы самой графаны
  mount = "app"
-  name  = "groups/infraservice/monitoring/grafana/dev/int"
+  name  = "groups/monitoring/grafana/dev/int"
 }
 provider "grafana" {
  alias        = "grafana01"
-  url          = "https://grafana-dev.hhmon.ru/"
+  url          = "https://grafana.pvenode.ru/"
  auth         = data.vault_kv_secret_v2.secret_int.data["grafana_local_admin_password"]
  http_headers = local.grafana_headers
 }
--- a/environments/dev/adibrov/backend.tf
+++ b/environments/dev/adibrov/backend.tf
@ -8,17 +8,4 @@ terraform {
      source  = "hashicorp/vault"
    }
  }
  backend "s3" {
    endpoints = {
      s3 = "https://storage.yandexcloud.net" }
    bucket                      = "monitoring-vcmt-core-deploy"
    region                      = "ru-central1"
    key                         = "a.dibrov-practic/terraform.tfstate"
    skip_region_validation      = true
    skip_credentials_validation = true
    skip_requesting_account_id  = true
    skip_s3_checksum            = true
    skip_metadata_api_check     = true
  }
 }
--- a/environments/dev/adibrov/main.tf
+++ b/environments/dev/adibrov/main.tf
@ -37,7 +37,7 @@ module "grafana_contact_points01" {
  source         = "../../../modules/grafana_contact_points"
  org_id         = var.org_id
  env            = var.env
-  grafana_url    = "https://grafana-dev.hhmon.ru/"
+  grafana_url    = "https://grafana.pvenode.ru/"
  contact_points = local.contact_points
  providers = {
    grafana = grafana.grafana01
--- a/environments/dev/adibrov/providers.tf
+++ b/environments/dev/adibrov/providers.tf
@ -1,21 +1,20 @@
 provider "vault" { 
  address          = "https://vault.pyn.ru"
  skip_child_token = true
 }
 data "vault_kv_secret_v2" "secret_ext" { # Секреты для подключения к внешним источникам (mm, clickhouse и т.д.)
 mount = "app"
- name  = "groups/infraservice/monitoring/grafana/dev/ext"
+ name  = "groups/monitoring/grafana/dev/ext"
 }
 data "vault_kv_secret_v2" "secret_int" { # Секреты для работы самой графаны
  mount = "app"
-  name  = "groups/infraservice/monitoring/grafana/dev/int"
+  name  = "groups/monitoring/grafana/dev/int"
 }
 provider "grafana" {
  alias        = "grafana01"
-  url          = "https://grafana-dev.hhmon.ru/"
+  url          = "https://grafana.pvenode.ru/"
  auth         = data.vault_kv_secret_v2.secret_int.data["grafana_local_admin_password"]
  http_headers = local.grafana_headers
 }