fix(trufflehog): ignore pg example connection string #43

Merged
mauritz.uphoff merged 3 commits from fix/trufflehog-ignore into main 2026-06-26 09:42:35 +00:00
5 changed files with 8 additions and 3 deletions


@ -31,6 +31,7 @@ resource "stackit_postgresflex_instance" "this" {
backup_schedule = "00 00 * * *"
acl = [
# WARNING: Open ACL is for development only. Restrict to your specific egress IP ranges in production.
"0.0.0.0/0"
]
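Review bot: The `acl` list still admits `"0.0.0.0/0"`, and the only safeguard in this hunk is the `# WARNING` comment (presumably the added line), which nothing enforces. According to the README text in this same PR, this instance holds the Terraform state database, and state routinely contains credentials. Consider taking the ranges from an input instead, `acl = var.pg_acl`, with the variable declared without a default so that whoever applies the module has to choose the exposure explicitly; `pg_acl` is a name proposed here, not one visible on the page. The resource body starts and ends outside the hunk, so such a variable may already exist elsewhere.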


@ -22,6 +22,6 @@ locals {
output "pg_connection_uri" {
description = "PostgreSQL Flex User Connection String"
value = "postgres://${local.pg_username}:${local.pg_password}@${local.pg_host}:${local.pg_port}/${local.pg_database}?sslmode=require"
value = "postgres://${local.pg_username}:${local.pg_password}@${local.pg_host}:${local.pg_port}/${local.pg_database}?sslmode=require" # trufflehog:ignore
sensitive = true
}
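Review bot: The password is interpolated into the URI unescaped on the `value` line, so a generated password containing `@`, `:`, `/` or `#` would produce a connection string that clients parse incorrectly. `local.pg_password` is defined outside the hunk, so its character set cannot be checked from here. Using `${urlencode(local.pg_username)}:${urlencode(local.pg_password)}` would make the output robust either way. Separately, `sensitive = true` only redacts the value in plan/apply output; it is still written to state in clear text, which deserves a comment above the output such as `# Stored unencrypted in state; restrict access to the state backend.`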


@ -15,7 +15,7 @@
stackit_organization_id = "<your-organization-id>"
## Name of the bootstrapping project
stackit_project_name = "01-example-project"
stackit_project_name = "00-bootstrap"
# Email address of the STACKIT user set as project owner.
stackit_org_admin = "<your-admin@mail.com"


@ -7,7 +7,7 @@ This module contains the core infrastructure configuration. It uses the `pg` bac
1. Create a `backend.conf` file in this directory and define the connection string using the credentials generated by the bootstrap module:
```ini
conn_str = "postgres://tf_state_user:<PASSWORD>@<STACKIT_INSTANCE_HOST>:5432/terraform_state?sslmode=require"
conn_str = "postgres://tf_state_user:<PASSWORD>@<STACKIT_INSTANCE_HOST>:5432/terraform_state?sslmode=require" # trufflehog:ignore
```
2. Initialize Terraform and bind it to the remote PostgreSQL backend


@ -6,3 +6,7 @@ To resolve the circular dependency of provisioning a state backend using Terrafo
1. **`00-bootstrap/`**: Provisions the backend infrastructure (PostgreSQL Flex instance, database and service user).
2. **`01-example/`**: Represents the primary infrastructure, utilizing the provisioned PostgreSQL database as its remote backend.
---
**⚠️ Security Notice:** The PostgreSQL Flex instance in `00-bootstrap/` is configured with an open ACL (`0.0.0.0/0`) for development convenience. Before deploying to production, restrict the ACL to your specific egress IP ranges to prevent the database from being accessible via the public internet.