Changes:
- Added default values to datacenter, cluster_name, and environment variables
- Default values match production environment (WBYC-DC01, wbyc-cluster01, prd)
- Updated variable descriptions to note CI/CD secret usage
- terraform.tfvars has been cleaned locally (already in .gitignore)
Benefits:
- No terraform.tfvars file needed for standard deployment
- CI/CD secrets can override defaults when needed
- Cleaner repository without sensitive data
- Variables have sensible defaults for this environment
- New terraform-apply job runs after terraform-init
- Requires manual approval via production environment gate
- Only runs on push to master branch
- Downloads plan file from MinIO
- Applies the exact plan that was reviewed
- Includes all necessary environment variables for Vault and vSphere
- Removed actions/upload-artifact@v4 (not supported in Gitea)
- Added terraform show output to create human-readable plan text
- Uploads both the binary plan and the text version to MinIO
- Plan stored at: s3://bucket/terraform-plans/repo/run-number/
- Uses existing AWS CLI with S3-compatible endpoint
- Added terraform plan step that outputs plan to tfplan file
- Plan includes all required environment variables for Vault and MinIO
- Plan artifact uploaded with 30-day retention for later apply step
- Plan file can be downloaded and used for terraform apply
- Updated backend.tf to use partial configuration
- Modified workflow to pass backend settings via -backend-config flags
- Follows Azure-style pattern with environment variables
- Improves flexibility and keeps configuration out of version control
- Required secrets: MINIO_ENDPOINT, MINIO_BUCKET, MINIO_STATE_KEY
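The plan, upload, approval and apply flow together with the partial backend configuration described in the entries above, as an added Gitea Actions workflow example (not this repository's own workflow). It assumes backend.tf declares only `terraform { backend "s3" {} }`, Terraform 1.6+ (for `use_path_style` and `AWS_ENDPOINT_URL_S3`), a runner image that already has terraform and the AWS CLI installed, the `github.*` context names that Gitea Actions accepts for compatibility, and secret names MINIO_ACCESS_KEY and MINIO_SECRET_KEY for the MinIO credentials; the Vault and vSphere variables are left out.

```yaml
name: terraform-plan-apply
on:
  push:
    branches: [master]          # apply is never reachable from other branches
env:
  # Assumed secret names for the MinIO credentials; the S3 backend and the AWS CLI both read these
  AWS_ACCESS_KEY_ID: ${{ secrets.MINIO_ACCESS_KEY }}
  AWS_SECRET_ACCESS_KEY: ${{ secrets.MINIO_SECRET_KEY }}
  AWS_EC2_METADATA_DISABLED: "true"
  AWS_ENDPOINT_URL_S3: ${{ secrets.MINIO_ENDPOINT }}   # Terraform 1.6+ reads this for endpoints.s3
  PLAN_URI: s3://${{ secrets.MINIO_BUCKET }}/terraform-plans/${{ github.repository }}/${{ github.run_number }}
  # backend.tf declares only `terraform { backend "s3" {} }`; the rest is injected at init time
  TF_CLI_ARGS_init: >-
    -input=false
    -backend-config=bucket=${{ secrets.MINIO_BUCKET }}
    -backend-config=key=${{ secrets.MINIO_STATE_KEY }}
    -backend-config=region=us-east-1
    -backend-config=skip_credentials_validation=true
    -backend-config=skip_region_validation=true
    -backend-config=skip_metadata_api_check=true
    -backend-config=skip_requesting_account_id=true
    -backend-config=use_path_style=true
jobs:
  plan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: terraform init
      - name: Plan, and render a text copy reviewers can read in the approval gate
        run: |
          terraform plan -input=false -out=tfplan
          terraform show -no-color tfplan > tfplan.txt
      - name: Store both the binary plan and its text rendering in MinIO
        run: |
          aws --endpoint-url "$AWS_ENDPOINT_URL_S3" s3 cp tfplan     "$PLAN_URI/tfplan"
          aws --endpoint-url "$AWS_ENDPOINT_URL_S3" s3 cp tfplan.txt "$PLAN_URI/tfplan.txt"
  apply:
    needs: plan
    environment: production       # manual approval gate; nothing below runs until it is released
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: terraform init
      - name: Fetch the plan that was reviewed instead of re-planning
        run: aws --endpoint-url "$AWS_ENDPOINT_URL_S3" s3 cp "$PLAN_URI/tfplan" tfplan
      - name: Apply exactly that plan; Terraform refuses a stale plan if state changed since it was taken
        run: terraform apply -input=false tfplan
```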
- Enabled Terraform recommended preset
- Added rules for documentation, naming conventions, and unused declarations
- Note: No TFLint plugins available for vsphere or vault providers
- Core Terraform ruleset will still catch syntax errors and best practices
- Added TFLint job to catch Terraform errors and best practices
- TFLint runs before Checkov for early error detection
- Uses latest TFLint version with automatic initialization
- Pipeline flow: TFLint -> Checkov -> SonarQube
- Added Checkov security scan job that runs before SonarQube
- Configured for Terraform-specific IaC compliance checks
- Outputs results in CLI and SARIF formats
- Uploads scan results as artifacts for review
- SonarQube job now depends on Checkov passing
- Renamed workflow to reflect both quality and security scanning
- Updated SonarQube action from kitabisa/sonarqube-action@v1.2.0 to sonarsource/sonarqube-scan-action@v4
- Official action uses Java 17, compatible with SonarQube 25.10
- Added sonar-project.properties with Terraform-specific exclusions
- Fixes: java.lang.UnsupportedClassVersionError (class file version 61.0 vs 55.0)
- Add vSphere resource pool management
- Configure CPU and memory allocation controls
- Implement tagging system for organization
- Add comprehensive documentation