Note(ethanndickson): Though this is marked as a feat, I don't think there's any point calling it out in the changelog. It's a scaletesting infrastructure change only, and we're moving that to a private repo.

Removes the requirement to obtain a Cloudflare DNS token from our scaletest/terraform/action builds. Instead, by default, we pull the token from Google Secrets Manager and use thescaletest.dev DNS domain.

Removes cloudflare_email as this was unneeded.

Removes the cloudflare_zone_id and instead pulls it from a data source via the Cloudflare API.

closescoder/internal#839

github-actionsbot assignedspikecurtis

Aug 21, 2025

spikecurtis requested a review fromethanndickson

August 21, 2025 12:17

Copy link

ContributorAuthor

spikecurtis commentedAug 21, 2025

feat: use cloud secret for DNS token in scaletest TF #19466 👈(View in Graphite)
main

This stack of pull requests is managed byGraphite. Learn more aboutstacking.

spikecurtis marked this pull request as ready for review

August 21, 2025 12:19

feat: use cloud secret for DNS token in scaletest TF

d160d09

spikecurtis force-pushed the08-21-feat_use_cloud_secret_for_dns_token_in_scaletest_tf branch frombf1837e tod160d09Compare

August 21, 2025 12:30

ethanndickson approved these changes

Aug 22, 2025

View reviewed changes

Copy link

Member

ethanndickson left a comment•
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I actually had this in#19412, but mine doesn't let you override with a var, and uses a slightly different* data source to pull the token, i'll update mine to match and we can merge this.

This is similar to thegoogle_secret_manager_secret_version datasource, but it only requires theSecret Manager Secret Accessor role

ethanndickson reviewed

Aug 22, 2025

View reviewed changes

scaletest/terraform/action/vars.tf


		variable"cloudflare_zone_id" {
		description="Cloudflare zone ID."
		default="scaletest.dev"

Copy link

Member

ethanndicksonAug 22, 2025•
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

We haven't mentioned this domain publicly anywhere else, could omit it here?

Copy link

Member

ethanndicksonAug 22, 2025•
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Also, just realising, we should probably not use a hardcoded password on these coder deployments, now that they're accessible on the public web.

Copy link

ContributorAuthor

spikecurtisAug 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

They've always been accessible on the public web.

I agree we shouldn't use a hardcoded password; didn't realize we did.coder/internal#932

Beyond the scope of this PR.

Copy link

ContributorAuthor

spikecurtisAug 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

We haven't mentioned this domain publicly anywhere else, could omit it here?

If we're cagey about leaking details like this, we should move all this terraform into a private repo. We have an obvious choice in coder/scaletest

WDYT@deansheather @jdomeracki-coder

Copy link

Member

deansheatherAug 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I do think we should move it to a private repo. I haven't heard of any customers using it, and a lot of it was clickops'd anyways so I don't see the point of keeping the Terraform public