Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update main.tf #8

Merged
merged 3 commits into from
Jul 3, 2024
Merged

Update main.tf #8

merged 3 commits into from
Jul 3, 2024

Conversation

g1raffi
Copy link
Contributor

@g1raffi g1raffi commented Jul 3, 2024

No description provided.

@github-actions GitHub Actions
Copy link

github-actions bot commented Jul 3, 2024

Terraform Format and Style 🖌success

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output 

Success! The configuration is valid.

Terraform Plan 📖success

Show Plan 

terraform

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.training-cluster.hcloud_firewall.firewall will be created
  + resource "hcloud_firewall" "firewall" {
      + id     = (known after apply)
      + labels = (known after apply)
      + name   = "k8s-cluster-training"

      + apply_to {
          + label_selector = "cluster=training"
          + server         = (known after apply)
        }

      + rule {
          + destination_ips = []
          + direction       = "in"
          + port            = "22"
          + protocol        = "tcp"
          + source_ips      = [
              + "0.0.0.0/0",
              + "::/0",
            ]
        }
      + rule {
          + destination_ips = []
          + direction       = "in"
          + port            = "30000-32767"
          + protocol        = "tcp"
          + source_ips      = [
              + "0.0.0.0/0",
              + "::/0",
            ]
        }
      + rule {
          + destination_ips = []
          + direction       = "in"
          + port            = "9345"
          + protocol        = "tcp"
          + source_ips      = (known after apply)
        }
    }

  # module.training-cluster.hcloud_load_balancer.lb will be created
  + resource "hcloud_load_balancer" "lb" {
      + delete_protection  = false
      + id                 = (known after apply)
      + ipv4               = (known after apply)
      + ipv6               = (known after apply)
      + labels             = {
          + "cluster" = "training"
        }
      + load_balancer_type = "lb11"
      + location           = "nbg1"
      + name               = "lb-k8s-training"
      + network_id         = (known after apply)
      + network_ip         = (known after apply)
      + network_zone       = (known after apply)
    }

  # module.training-cluster.hcloud_load_balancer_network.lb will be created
  + resource "hcloud_load_balancer_network" "lb" {
      + enable_public_interface = true
      + id                      = (known after apply)
      + ip                      = "10.0.0.2"
      + load_balancer_id        = (known after apply)
      + network_id              = (known after apply)
    }

  # module.training-cluster.hcloud_load_balancer_service.api will be created
  + resource "hcloud_load_balancer_service" "api" {
      + destination_port = 6443
      + id               = (known after apply)
      + listen_port      = 6443
      + load_balancer_id = (known after apply)
      + protocol         = "tcp"
      + proxyprotocol    = (known after apply)

      + health_check {
          + interval = 5
          + port     = 6443
          + protocol = "tcp"
          + retries  = 2
          + timeout  = 2
        }
    }

  # module.training-cluster.hcloud_load_balancer_service.rke2 will be created
  + resource "hcloud_load_balancer_service" "rke2" {
      + destination_port = 9345
      + id               = (known after apply)
      + listen_port      = 9345
      + load_balancer_id = (known after apply)
      + protocol         = "tcp"
      + proxyprotocol    = (known after apply)

      + health_check {
          + interval = 5
          + port     = 9345
          + protocol = "tcp"
          + retries  = 5
          + timeout  = 2
        }
    }

  # module.training-cluster.hcloud_load_balancer_target.controlplane will be created
  + resource "hcloud_load_balancer_target" "controlplane" {
      + id               = (known after apply)
      + label_selector   = "cluster=training,controlplane=true"
      + load_balancer_id = (known after apply)
      + type             = "label_selector"
      + use_private_ip   = true
    }

  # module.training-cluster.hcloud_network.network will be created
  + resource "hcloud_network" "network" {
      + delete_protection        = false
      + expose_routes_to_vswitch = false
      + id                       = (known after apply)
      + ip_range                 = "10.0.0.0/8"
      + labels                   = {
          + "cluster" = "training"
        }
      + name                     = "training"
    }

  # module.training-cluster.hcloud_network_subnet.subnet will be created
  + resource "hcloud_network_subnet" "subnet" {
      + gateway      = (known after apply)
      + id           = (known after apply)
      + ip_range     = "10.0.0.0/24"
      + network_id   = (known after apply)
      + network_zone = "eu-central"
      + type         = "cloud"
    }

  # module.training-cluster.hcloud_placement_group.controlplane will be created
  + resource "hcloud_placement_group" "controlplane" {
      + id      = (known after apply)
      + labels  = {
          + "cluster"      = "training"
          + "controlplane" = "true"
        }
      + name    = "controlplane-training"
      + servers = (known after apply)
      + type    = "spread"
    }

  # module.training-cluster.hcloud_server.controlplane[0] will be created
  + resource "hcloud_server" "controlplane" {
      + allow_deprecated_images    = false
      + backup_window              = (known after apply)
      + backups                    = false
      + datacenter                 = (known after apply)
      + delete_protection          = false
      + firewall_ids               = (known after apply)
      + id                         = (known after apply)
      + ignore_remote_firewall_ids = false
      + image                      = "ubuntu-22.04"
      + ipv4_address               = (known after apply)
      + ipv6_address               = (known after apply)
      + ipv6_network               = (known after apply)
      + keep_disk                  = false
      + labels                     = {
          + "cluster"      = "training"
          + "controlplane" = "true"
        }
      + location                   = "nbg1"
      + name                       = "training-controlplane-0"
      + placement_group_id         = (known after apply)
      + primary_disk_size          = (known after apply)
      + rebuild_protection         = false
      + server_type                = "cpx31"
      + shutdown_before_deletion   = false
      + ssh_keys                   = [
          + "terraform-training",
        ]
      + status                     = (known after apply)
      + user_data                  = (sensitive value)
    }

  # module.training-cluster.hcloud_server.controlplane[1] will be created
  + resource "hcloud_server" "controlplane" {
      + allow_deprecated_images    = false
      + backup_window              = (known after apply)
      + backups                    = false
      + datacenter                 = (known after apply)
      + delete_protection          = false
      + firewall_ids               = (known after apply)
      + id                         = (known after apply)
      + ignore_remote_firewall_ids = false
      + image                      = "ubuntu-22.04"
      + ipv4_address               = (known after apply)
      + ipv6_address               = (known after apply)
      + ipv6_network               = (known after apply)
      + keep_disk                  = false
      + labels                     = {
          + "cluster"      = "training"
          + "controlplane" = "true"
        }
      + location                   = "nbg1"
      + name                       = "training-controlplane-1"
      + placement_group_id         = (known after apply)
      + primary_disk_size          = (known after apply)
      + rebuild_protection         = false
      + server_type                = "cpx31"
      + shutdown_before_deletion   = false
      + ssh_keys                   = [
          + "terraform-training",
        ]
      + status                     = (known after apply)
      + user_data                  = (sensitive value)
    }

  # module.training-cluster.hcloud_server.controlplane[2] will be created
  + resource "hcloud_server" "controlplane" {
      + allow_deprecated_images    = false
      + backup_window              = (known after apply)
      + backups                    = false
      + datacenter                 = (known after apply)
      + delete_protection          = false
      + firewall_ids               = (known after apply)
      + id                         = (known after apply)
      + ignore_remote_firewall_ids = false
      + image                      = "ubuntu-22.04"
      + ipv4_address               = (known after apply)
      + ipv6_address               = (known after apply)
      + ipv6_network               = (known after apply)
      + keep_disk                  = false
      + labels                     = {
          + "cluster"      = "training"
          + "controlplane" = "true"
        }
      + location                   = "nbg1"
      + name                       = "training-controlplane-2"
      + placement_group_id         = (known after apply)
      + primary_disk_size          = (known after apply)
      + rebuild_protection         = false
      + server_type                = "cpx31"
      + shutdown_before_deletion   = false
      + ssh_keys                   = [
          + "terraform-training",
        ]
      + status                     = (known after apply)
      + user_data                  = (sensitive value)
    }

  # module.training-cluster.hcloud_server.worker[0] will be created
  + resource "hcloud_server" "worker" {
      + allow_deprecated_images    = false
      + backup_window              = (known after apply)
      + backups                    = false
      + datacenter                 = (known after apply)
      + delete_protection          = false
      + firewall_ids               = (known after apply)
      + id                         = (known after apply)
      + ignore_remote_firewall_ids = false
      + image                      = "ubuntu-22.04"
      + ipv4_address               = (known after apply)
      + ipv6_address               = (known after apply)
      + ipv6_network               = (known after apply)
      + keep_disk                  = false
      + labels                     = {
          + "cluster" = "training"
          + "worker"  = "true"
        }
      + location                   = "nbg1"
      + name                       = "training-worker-0"
      + primary_disk_size          = (known after apply)
      + rebuild_protection         = false
      + server_type                = "cpx41"
      + shutdown_before_deletion   = false
      + ssh_keys                   = [
          + "terraform-training",
        ]
      + status                     = (known after apply)
      + user_data                  = (sensitive value)
    }

  # module.training-cluster.hcloud_server.worker[1] will be created
  + resource "hcloud_server" "worker" {
      + allow_deprecated_images    = false
      + backup_window              = (known after apply)
      + backups                    = false
      + datacenter                 = (known after apply)
      + delete_protection          = false
      + firewall_ids               = (known after apply)
      + id                         = (known after apply)
      + ignore_remote_firewall_ids = false
      + image                      = "ubuntu-22.04"
      + ipv4_address               = (known after apply)
      + ipv6_address               = (known after apply)
      + ipv6_network               = (known after apply)
      + keep_disk                  = false
      + labels                     = {
          + "cluster" = "training"
          + "worker"  = "true"
        }
      + location                   = "nbg1"
      + name                       = "training-worker-1"
      + primary_disk_size          = (known after apply)
      + rebuild_protection         = false
      + server_type                = "cpx41"
      + shutdown_before_deletion   = false
      + ssh_keys                   = [
          + "terraform-training",
        ]
      + status                     = (known after apply)
      + user_data                  = (sensitive value)
    }

  # module.training-cluster.hcloud_server.worker[2] will be created
  + resource "hcloud_server" "worker" {
      + allow_deprecated_images    = false
      + backup_window              = (known after apply)
      + backups                    = false
      + datacenter                 = (known after apply)
      + delete_protection          = false
      + firewall_ids               = (known after apply)
      + id                         = (known after apply)
      + ignore_remote_firewall_ids = false
      + image                      = "ubuntu-22.04"
      + ipv4_address               = (known after apply)
      + ipv6_address               = (known after apply)
      + ipv6_network               = (known after apply)
      + keep_disk                  = false
      + labels                     = {
          + "cluster" = "training"
          + "worker"  = "true"
        }
      + location                   = "nbg1"
      + name                       = "training-worker-2"
      + primary_disk_size          = (known after apply)
      + rebuild_protection         = false
      + server_type                = "cpx41"
      + shutdown_before_deletion   = false
      + ssh_keys                   = [
          + "terraform-training",
        ]
      + status                     = (known after apply)
      + user_data                  = (sensitive value)
    }

  # module.training-cluster.hcloud_server_network.controlplane[0] will be created
  + resource "hcloud_server_network" "controlplane" {
      + id          = (known after apply)
      + ip          = (known after apply)
      + mac_address = (known after apply)
      + network_id  = (known after apply)
      + server_id   = (known after apply)
    }

  # module.training-cluster.hcloud_server_network.controlplane[1] will be created
  + resource "hcloud_server_network" "controlplane" {
      + id          = (known after apply)
      + ip          = (known after apply)
      + mac_address = (known after apply)
      + network_id  = (known after apply)
      + server_id   = (known after apply)
    }

  # module.training-cluster.hcloud_server_network.controlplane[2] will be created
  + resource "hcloud_server_network" "controlplane" {
      + id          = (known after apply)
      + ip          = (known after apply)
      + mac_address = (known after apply)
      + network_id  = (known after apply)
      + server_id   = (known after apply)
    }

  # module.training-cluster.hcloud_server_network.worker[0] will be created
  + resource "hcloud_server_network" "worker" {
      + id          = (known after apply)
      + ip          = (known after apply)
      + mac_address = (known after apply)
      + network_id  = (known after apply)
      + server_id   = (known after apply)
    }

  # module.training-cluster.hcloud_server_network.worker[1] will be created
  + resource "hcloud_server_network" "worker" {
      + id          = (known after apply)
      + ip          = (known after apply)
      + mac_address = (known after apply)
      + network_id  = (known after apply)
      + server_id   = (known after apply)
    }

  # module.training-cluster.hcloud_server_network.worker[2] will be created
  + resource "hcloud_server_network" "worker" {
      + id          = (known after apply)
      + ip          = (known after apply)
      + mac_address = (known after apply)
      + network_id  = (known after apply)
      + server_id   = (known after apply)
    }

  # module.training-cluster.hcloud_ssh_key.terraform will be created
  + resource "hcloud_ssh_key" "terraform" {
      + fingerprint = (known after apply)
      + id          = (known after apply)
      + labels      = {}
      + name        = "terraform-training"
      + public_key  = (known after apply)
    }

  # module.training-cluster.helm_release.appset-trainee-env[0] will be created
  + resource "helm_release" "appset-trainee-env" {
      + atomic                     = false
      + chart                      = "argocd-apps"
      + cleanup_on_fail            = false
      + create_namespace           = false
      + dependency_update          = false
      + disable_crd_hooks          = false
      + disable_openapi_validation = false
      + disable_webhooks           = false
      + force_update               = false
      + id                         = (known after apply)
      + lint                       = false
      + manifest                   = (known after apply)
      + max_history                = 2
      + metadata                   = (known after apply)
      + name                       = "trainee-env"
      + namespace                  = "argocd"
      + pass_credentials           = false
      + recreate_pods              = false
      + render_subchart_notes      = true
      + replace                    = false
      + repository                 = "https://argoproj.github.io/argo-helm"
      + reset_values               = false
      + reuse_values               = false
      + skip_crds                  = false
      + status                     = "deployed"
      + timeout                    = 300
      + values                     = (known after apply)
      + verify                     = false
      + version                    = "2.0.0"
      + wait                       = true
      + wait_for_jobs              = false
    }

  # module.training-cluster.helm_release.appset-trainee-webshell[0] will be created
  + resource "helm_release" "appset-trainee-webshell" {
      + atomic                     = false
      + chart                      = "argocd-apps"
      + cleanup_on_fail            = false
      + create_namespace           = false
      + dependency_update          = false
      + disable_crd_hooks          = false
      + disable_openapi_validation = false
      + disable_webhooks           = false
      + force_update               = false
      + id                         = (known after apply)
      + lint                       = false
      + manifest                   = (known after apply)
      + max_history                = 2
      + metadata                   = (known after apply)
      + name                       = "trainee-webshell"
      + namespace                  = "argocd"
      + pass_credentials           = false
      + recreate_pods              = false
      + render_subchart_notes      = true
      + replace                    = false
      + repository                 = "https://argoproj.github.io/argo-helm"
      + reset_values               = false
      + reuse_values               = false
      + skip_crds                  = false
      + status                     = "deployed"
      + timeout                    = 300
      + values                     = (known after apply)
      + verify                     = false
      + version                    = "2.0.0"
      + wait                       = true
      + wait_for_jobs              = false
    }

  # module.training-cluster.helm_release.argocd will be created
  + resource "helm_release" "argocd" {
      + atomic                     = false
      + chart                      = "argo-cd"
      + cleanup_on_fail            = false
      + create_namespace           = false
      + dependency_update          = false
      + disable_crd_hooks          = false
      + disable_openapi_validation = false
      + disable_webhooks           = false
      + force_update               = false
      + id                         = (known after apply)
      + lint                       = false
      + manifest                   = (known after apply)
      + max_history                = 2
      + metadata                   = (known after apply)
      + name                       = "argocd"
      + namespace                  = "argocd"
      + pass_credentials           = false
      + recreate_pods              = false
      + render_subchart_notes      = true
      + replace                    = false
      + repository                 = "https://argoproj.github.io/argo-helm"
      + reset_values               = false
      + reuse_values               = false
      + skip_crds                  = false
      + status                     = "deployed"
      + timeout                    = 300
      + values                     = (known after apply)
      + verify                     = false
      + version                    = "7.2.0"
      + wait                       = true
      + wait_for_jobs              = false

      + set {
          # At least one attribute in this block is (or was) sensitive,
          # so its contents will not be displayed.
        }
      + set {
          # At least one attribute in this block is (or was) sensitive,
          # so its contents will not be displayed.
        }
      + set {
          # At least one attribute in this block is (or was) sensitive,
          # so its contents will not be displayed.
        }
      + set {
          # At least one attribute in this block is (or was) sensitive,
          # so its contents will not be displayed.
        }
      + set {
          # At least one attribute in this block is (or was) sensitive,
          # so its contents will not be displayed.
        }
      + set {
          # At least one attribute in this block is (or was) sensitive,
          # so its contents will not be displayed.
        }
    }

  # module.training-cluster.kubernetes_manifest.external-secrets-secretstore["cert-manager"] will be created
  + resource "kubernetes_manifest" "external-secrets-secretstore" {
      + manifest = {
          + apiVersion = "external-secrets.io/v1beta1"
          + kind       = "ClusterSecretStore"
          + metadata   = {
              + name = "cluster-training.cluster.acend.ch-cert-manager"
            }
          + spec       = {
              + provider = {
                  + kubernetes = {
                      + auth            = {
                          + cert = {
                              + clientCert = {
                                  + key       = "cert"
                                  + name      = "credentials-training.cluster.acend.ch"
                                  + namespace = "external-secrets"
                                }
                              + clientKey  = {
                                  + key       = "key"
                                  + name      = "credentials-training.cluster.acend.ch"
                                  + namespace = "external-secrets"
                                }
                            }
                        }
                      + remoteNamespace = "cert-manager"
                      + server          = {
                          + caProvider = {
                              + key       = "ca"
                              + name      = "credentials-training.cluster.acend.ch"
                              + namespace = "external-secrets"
                              + type      = "Secret"
                            }
                          + url        = (known after apply)
                        }
                    }
                }
            }
        }
      + object   = {
          + apiVersion = "external-secrets.io/v1beta1"
          + kind       = "ClusterSecretStore"
          + metadata   = {
              + annotations                = (known after apply)
              + creationTimestamp          = (known after apply)
              + deletionGracePeriodSeconds = (known after apply)
              + deletionTimestamp          = (known after apply)
              + finalizers                 = (known after apply)
              + generateName               = (known after apply)
              + generation                 = (known after apply)
              + labels                     = (known after apply)
              + managedFields              = (known after apply)
              + name                       = "cluster-training.cluster.acend.ch-cert-manager"
              + namespace                  = (known after apply)
              + ownerReferences            = (known after apply)
              + resourceVersion            = (known after apply)
              + selfLink                   = (known after apply)
              + uid                        = (known after apply)
            }
          + spec       = {
              + conditions      = (known after apply)
              + controller      = (known after apply)
              + provider        = {
                  + akeyless                 = {
                      + akeylessGWApiURL = (known after apply)
                      + authSecretRef    = {
                          + kubernetesAuth = {
                              + accessID          = (known after apply)
                              + k8sConfName       = (known after apply)
                              + secretRef         = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + serviceAccountRef = {
                                  + audiences = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                          + secretRef      = {
                              + accessID        = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + accessType      = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + accessTypeParam = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                        }
                      + caBundle         = (known after apply)
                      + caProvider       = {
                          + key       = (known after apply)
                          + name      = (known after apply)
                          + namespace = (known after apply)
                          + type      = (known after apply)
                        }
                    }
                  + alibaba                  = {
                      + auth     = {
                          + rrsa      = {
                              + oidcProviderArn   = (known after apply)
                              + oidcTokenFilePath = (known after apply)
                              + roleArn           = (known after apply)
                              + sessionName       = (known after apply)
                            }
                          + secretRef = {
                              + accessKeyIDSecretRef     = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + accessKeySecretSecretRef = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                        }
                      + regionID = (known after apply)
                    }
                  + aws                      = {
                      + additionalRoles   = (known after apply)
                      + auth              = {
                          + jwt       = {
                              + serviceAccountRef = {
                                  + audiences = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                          + secretRef = {
                              + accessKeyIDSecretRef     = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + secretAccessKeySecretRef = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + sessionTokenSecretRef    = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                        }
                      + externalID        = (known after apply)
                      + region            = (known after apply)
                      + role              = (known after apply)
                      + secretsManager    = {
                          + forceDeleteWithoutRecovery = (known after apply)
                          + recoveryWindowInDays       = (known after apply)
                        }
                      + service           = (known after apply)
                      + sessionTags       = (known after apply)
                      + transitiveTagKeys = (known after apply)
                    }
                  + azurekv                  = {
                      + authSecretRef     = {
                          + clientCertificate = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                          + clientId          = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                          + clientSecret      = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                          + tenantId          = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                        }
                      + authType          = (known after apply)
                      + environmentType   = (known after apply)
                      + identityId        = (known after apply)
                      + serviceAccountRef = {
                          + audiences = (known after apply)
                          + name      = (known after apply)
                          + namespace = (known after apply)
                        }
                      + tenantId          = (known after apply)
                      + vaultUrl          = (known after apply)
                    }
                  + chef                     = {
                      + auth      = {
                          + secretRef = {
                              + privateKeySecretRef = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                        }
                      + serverUrl = (known after apply)
                      + username  = (known after apply)
                    }
                  + conjur                   = {
                      + auth       = {
                          + apikey = {
                              + account   = (known after apply)
                              + apiKeyRef = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + userRef   = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                          + jwt    = {
                              + account           = (known after apply)
                              + hostId            = (known after apply)
                              + secretRef         = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + serviceAccountRef = {
                                  + audiences = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + serviceID         = (known after apply)
                            }
                        }
                      + caBundle   = (known after apply)
                      + caProvider = {
                          + key       = (known after apply)
                          + name      = (known after apply)
                          + namespace = (known after apply)
                          + type      = (known after apply)
                        }
                      + url        = (known after apply)
                    }
                  + delinea                  = {
                      + clientId     = {
                          + secretRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                          + value     = (known after apply)
                        }
                      + clientSecret = {
                          + secretRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                          + value     = (known after apply)
                        }
                      + tenant       = (known after apply)
                      + tld          = (known after apply)
                      + urlTemplate  = (known after apply)
                    }
                  + doppler                  = {
                      + auth            = {
                          + secretRef = {
                              + dopplerToken = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                        }
                      + config          = (known after apply)
                      + format          = (known after apply)
                      + nameTransformer = (known after apply)
                      + project         = (known after apply)
                    }
                  + fake                     = {
                      + data = (known after apply)
                    }
                  + fortanix                 = {
                      + apiKey = {
                          + secretRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                        }
                      + apiUrl = (known after apply)
                    }
                  + gcpsm                    = {
                      + auth      = {
                          + secretRef        = {
                              + secretAccessKeySecretRef = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                          + workloadIdentity = {
                              + clusterLocation   = (known after apply)
                              + clusterName       = (known after apply)
                              + clusterProjectID  = (known after apply)
                              + serviceAccountRef = {
                                  + audiences = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                        }
                      + projectID = (known after apply)
                    }
                  + gitlab                   = {
                      + auth              = {
                          + SecretRef = {
                              + accessToken = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                        }
                      + environment       = (known after apply)
                      + groupIDs          = (known after apply)
                      + inheritFromGroups = (known after apply)
                      + projectID         = (known after apply)
                      + url               = (known after apply)
                    }
                  + ibm                      = {
                      + auth       = {
                          + containerAuth = {
                              + iamEndpoint   = (known after apply)
                              + profile       = (known after apply)
                              + tokenLocation = (known after apply)
                            }
                          + secretRef     = {
                              + secretApiKeySecretRef = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                        }
                      + serviceUrl = (known after apply)
                    }
                  + keepersecurity           = {
                      + authRef  = {
                          + key       = (known after apply)
                          + name      = (known after apply)
                          + namespace = (known after apply)
                        }
                      + folderID = (known after apply)
                    }
                  + kubernetes               = {
                      + auth            = {
                          + cert           = {
                              + clientCert = {
                                  + key       = "cert"
                                  + name      = "credentials-training.cluster.acend.ch"
                                  + namespace = "external-secrets"
                                }
                              + clientKey  = {
                                  + key       = "key"
                                  + name      = "credentials-training.cluster.acend.ch"
                                  + namespace = "external-secrets"
                                }
                            }
                          + serviceAccount = {
                              + audiences = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                          + token          = {
                              + bearerToken = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                        }
                      + remoteNamespace = "cert-manager"
                      + server          = {
                          + caBundle   = (known after apply)
                          + caProvider = {
                              + key       = "ca"
                              + name      = "credentials-training.cluster.acend.ch"
                              + namespace = "external-secrets"
                              + type      = "Secret"
                            }
                          + url        = (known after apply)
                        }
                    }
                  + onboardbase              = {
                      + apiHost     = (known after apply)
                      + auth        = {
                          + apiKeyRef   = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                          + passcodeRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                        }
                      + environment = (known after apply)
                      + project     = (known after apply)
                    }
                  + onepassword              = {
                      + auth        = {
                          + secretRef = {
                              + connectTokenSecretRef = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                        }
                      + connectHost = (known after apply)
                      + vaults      = (known after apply)
                    }
                  + oracle                   = {
                      + auth              = {
                          + secretRef = {
                              + fingerprint = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + privatekey  = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                          + tenancy   = (known after apply)
                          + user      = (known after apply)
                        }
                      + compartment       = (known after apply)
                      + encryptionKey     = (known after apply)
                      + principalType     = (known after apply)
                      + region            = (known after apply)
                      + serviceAccountRef = {
                          + audiences = (known after apply)
                          + name      = (known after apply)
                          + namespace = (known after apply)
                        }
                      + vault             = (known after apply)
                    }
                  + passbolt                 = {
                      + auth = {
                          + passwordSecretRef   = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                          + privateKeySecretRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                        }
                      + host = (known after apply)
                    }
                  + passworddepot            = {
                      + auth     = {
                          + secretRef = {
                              + credentials = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                        }
                      + database = (known after apply)
                      + host     = (known after apply)
                    }
                  + pulumi                   = {
                      + accessToken  = {
                          + secretRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                        }
                      + apiUrl       = (known after apply)
                      + environment  = (known after apply)
                      + organization = (known after apply)
                    }
                  + scaleway                 = {
                      + accessKey = {
                          + secretRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                          + value     = (known after apply)
                        }
                      + apiUrl    = (known after apply)
                      + projectId = (known after apply)
                      + region    = (known after apply)
                      + secretKey = {
                          + secretRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                          + value     = (known after apply)
                        }
                    }
                  + senhasegura              = {
                      + auth                 = {
                          + clientId              = (known after apply)
                          + clientSecretSecretRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                        }
                      + ignoreSslCertificate = (known after apply)
                      + module               = (known after apply)
                      + url                  = (known after apply)
                    }
                  + vault                    = {
                      + auth                = {
                          + appRole        = {
                              + path      = (known after apply)
                              + roleId    = (known after apply)
                              + roleRef   = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + secretRef = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                          + cert           = {
                              + clientCert = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + secretRef  = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                          + iam            = {
                              + externalID          = (known after apply)
                              + jwt                 = {
                                  + serviceAccountRef = {
                                      + audiences = (known after apply)
                                      + name      = (known after apply)
                                      + namespace = (known after apply)
                                    }
                                }
                              + path                = (known after apply)
                              + region              = (known after apply)
                              + role                = (known after apply)
                              + secretRef           = {
                                  + accessKeyIDSecretRef     = {
                                      + key       = (known after apply)
                                      + name      = (known after apply)
                                      + namespace = (known after apply)
                                    }
                                  + secretAccessKeySecretRef = {
                                      + key       = (known after apply)
                                      + name      = (known after apply)
                                      + namespace = (known after apply)
                                    }
                                  + sessionTokenSecretRef    = {
                                      + key       = (known after apply)
                                      + name      = (known after apply)
                                      + namespace = (known after apply)
                                    }
                                }
                              + vaultAwsIamServerID = (known after apply)
                              + vaultRole           = (known after apply)
                            }
                          + jwt            = {
                              + kubernetesServiceAccountToken = {
                                  + audiences         = (known after apply)
                                  + expirationSeconds = (known after apply)
                                  + serviceAccountRef = {
                                      + audiences = (known after apply)
                                      + name      = (known after apply)
                                      + namespace = (known after apply)
                                    }
                                }
                              + path                          = (known after apply)
                              + role                          = (known after apply)
                              + secretRef                     = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                          + kubernetes     = {
                              + mountPath         = (known after apply)
                              + role              = (known after apply)
                              + secretRef         = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + serviceAccountRef = {
                                  + audiences = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                          + ldap           = {
                              + path      = (known after apply)
                              + secretRef = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + username  = (known after apply)
                            }
                          + namespace      = (known after apply)
                          + tokenSecretRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                          + userPass       = {
                              + path      = (known after apply)
                              + secretRef = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + username  = (known after apply)
                            }
                        }
                      + caBundle            = (known after apply)
                      + caProvider          = {
                          + key       = (known after apply)
                          + name      = (known after apply)
                          + namespace = (known after apply)
                          + type      = (known after apply)
                        }
                      + forwardInconsistent = (known after apply)
                      + namespace           = (known after apply)
                      + path                = (known after apply)
                      + readYourWrites      = (known after apply)
                      + server              = (known after apply)
                      + tls                 = {
                          + certSecretRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                          + keySecretRef  = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                        }
                      + version             = (known after apply)
                    }
                  + webhook                  = {
                      + body       = (known after apply)
                      + caBundle   = (known after apply)
                      + caProvider = {
                          + key       = (known after apply)
                          + name      = (known after apply)
                          + namespace = (known after apply)
                          + type      = (known after apply)
                        }
                      + headers    = (known after apply)
                      + method     = (known after apply)
                      + result     = {
                          + jsonPath = (known after apply)
                        }
                      + secrets    = (known after apply)
                      + timeout    = (known after apply)
                      + url        = (known after apply)
                    }
                  + yandexcertificatemanager = {
                      + apiEndpoint = (known after apply)
                      + auth        = {
                          + authorizedKeySecretRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                        }
                      + caProvider  = {
                          + certSecretRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                        }
                    }
                  + yandexlockbox            = {
                      + apiEndpoint = (known after apply)
                      + auth        = {
                          + authorizedKeySecretRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                        }
                      + caProvider  = {
                          + certSecretRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                        }
                    }
                }
              + refreshInterval = (known after apply)
              + retrySettings   = {
                  + maxRetries    = (known after apply)
                  + retryInterval = (known after apply)
                }
            }
        }
    }

  # module.training-cluster.kubernetes_manifest.external-secrets-secretstore["kube-system"] will be created
  + resource "kubernetes_manifest" "external-secrets-secretstore" {
      + manifest = {
          + apiVersion = "external-secrets.io/v1beta1"
          + kind       = "ClusterSecretStore"
          + metadata   = {
              + name = "cluster-training.cluster.acend.ch-kube-system"
            }
          + spec       = {
              + provider = {
                  + kubernetes = {
                      + auth            = {
                          + cert = {
                              + clientCert = {
                                  + key       = "cert"
                                  + name      = "credentials-training.cluster.acend.ch"
                                  + namespace = "external-secrets"
                                }
                              + clientKey  = {
                                  + key       = "key"
                                  + name      = "credentials-training.cluster.acend.ch"
                                  + namespace = "external-secrets"
                                }
                            }
                        }
                      + remoteNamespace = "kube-system"
                      + server          = {
                          + caProvider = {
                              + key       = "ca"
                              + name      = "credentials-training.cluster.acend.ch"
                              + namespace = "external-secrets"
                              + type      = "Secret"
                            }
                          + url        = (known after apply)
                        }
                    }
                }
            }
        }
      + object   = {
          + apiVersion = "external-secrets.io/v1beta1"
          + kind       = "ClusterSecretStore"
          + metadata   = {
              + annotations                = (known after apply)
              + creationTimestamp          = (known after apply)
              + deletionGracePeriodSeconds = (known after apply)
              + deletionTimestamp          = (known after apply)
              + finalizers                 = (known after apply)
              + generateName               = (known after apply)
              + generation                 = (known after apply)
              + labels                     = (known after apply)
              + managedFields              = (known after apply)
              + name                       = "cluster-training.cluster.acend.ch-kube-system"
              + namespace                  = (known after apply)
              + ownerReferences            = (known after apply)
              + resourceVersion            = (known after apply)
              + selfLink                   = (known after apply)
              + uid                        = (known after apply)
            }
          + spec       = {
              + conditions      = (known after apply)
              + controller      = (known after apply)
              + provider        = {
                  + akeyless                 = {
                      + akeylessGWApiURL = (known after apply)
                      + authSecretRef    = {
                          + kubernetesAuth = {
                              + accessID          = (known after apply)
                              + k8sConfName       = (known after apply)
                              + secretRef         = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + serviceAccountRef = {
                                  + audiences = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                          + secretRef      = {
                              + accessID        = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + accessType      = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + accessTypeParam = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                        }
                      + caBundle         = (known after apply)
                      + caProvider       = {
                          + key       = (known after apply)
                          + name      = (known after apply)
                          + namespace = (known after apply)
                          + type      = (known after apply)
                        }
                    }
                  + alibaba                  = {
                      + auth     = {
                          + rrsa      = {
                              + oidcProviderArn   = (known after apply)
                              + oidcTokenFilePath = (known after apply)
                              + roleArn           = (known after apply)
                              + sessionName       = (known after apply)
                            }
                          + secretRef = {
                              + accessKeyIDSecretRef     = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + accessKeySecretSecretRef = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                        }
                      + regionID = (known after apply)
                    }
                  + aws                      = {
                      + additionalRoles   = (known after apply)
                      + auth              = {
                          + jwt       = {
                              + serviceAccountRef = {
                                  + audiences = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                          + secretRef = {
                              + accessKeyIDSecretRef     = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + secretAccessKeySecretRef = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + sessionTokenSecretRef    = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                        }
                      + externalID        = (known after apply)
                      + region            = (known after apply)
                      + role              = (known after apply)
                      + secretsManager    = {
                          + forceDeleteWithoutRecovery = (known after apply)
                          + recoveryWindowInDays       = (known after apply)
                        }
                      + service           = (known after apply)
                      + sessionTags       = (known after apply)
                      + transitiveTagKeys = (known after apply)
                    }
                  + azurekv                  = {
                      + authSecretRef     = {
                          + clientCertificate = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                          + clientId          = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                          + clientSecret      = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                          + tenantId          = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                        }
                      + authType          = (known after apply)
                      + environmentType   = (known after apply)
                      + identityId        = (known after apply)
                      + serviceAccountRef = {
                          + audiences = (known after apply)
                          + name      = (known after apply)
                          + namespace = (known after apply)
                        }
                      + tenantId          = (known after apply)
                      + vaultUrl          = (known after apply)
                    }
                  + chef                     = {
                      + auth      = {
                          + secretRef = {
                              + privateKeySecretRef = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                        }
                      + serverUrl = (known after apply)
                      + username  = (known after apply)
                    }
                  + conjur                   = {
                      + auth       = {
                          + apikey = {
                              + account   = (known after apply)
                              + apiKeyRef = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + userRef   = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                          + jwt    = {
                              + account           = (known after apply)
                              + hostId            = (known after apply)
                              + secretRef         = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + serviceAccountRef = {
                                  + audiences = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + serviceID         = (known after apply)
                            }
                        }
                      + caBundle   = (known after apply)
                      + caProvider = {
                          + key       = (known after apply)
                          + name      = (known after apply)
                          + namespace = (known after apply)
                          + type      = (known after apply)
                        }
                      + url        = (known after apply)
                    }
                  + delinea                  = {
                      + clientId     = {
                          + secretRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                          + value     = (known after apply)
                        }
                      + clientSecret = {
                          + secretRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                          + value     = (known after apply)
                        }
                      + tenant       = (known after apply)
                      + tld          = (known after apply)
                      + urlTemplate  = (known after apply)
                    }
                  + doppler                  = {
                      + auth            = {
                          + secretRef = {
                              + dopplerToken = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                        }
                      + config          = (known after apply)
                      + format          = (known after apply)
                      + nameTransformer = (known after apply)
                      + project         = (known after apply)
                    }
                  + fake                     = {
                      + data = (known after apply)
                    }
                  + fortanix                 = {
                      + apiKey = {
                          + secretRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                        }
                      + apiUrl = (known after apply)
                    }
                  + gcpsm                    = {
                      + auth      = {
                          + secretRef        = {
                              + secretAccessKeySecretRef = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                          + workloadIdentity = {
                              + clusterLocation   = (known after apply)
                              + clusterName       = (known after apply)
                              + clusterProjectID  = (known after apply)
                              + serviceAccountRef = {
                                  + audiences = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                        }
                      + projectID = (known after apply)
                    }
                  + gitlab                   = {
                      + auth              = {
                          + SecretRef = {
                              + accessToken = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                        }
                      + environment       = (known after apply)
                      + groupIDs          = (known after apply)
                      + inheritFromGroups = (known after apply)
                      + projectID         = (known after apply)
                      + url               = (known after apply)
                    }
                  + ibm                      = {
                      + auth       = {
                          + containerAuth = {
                              + iamEndpoint   = (known after apply)
                              + profile       = (known after apply)
                              + tokenLocation = (known after apply)
                            }
                          + secretRef     = {
                              + secretApiKeySecretRef = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                        }
                      + serviceUrl = (known after apply)
                    }
                  + keepersecurity           = {
                      + authRef  = {
                          + key       = (known after apply)
                          + name      = (known after apply)
                          + namespace = (known after apply)
                        }
                      + folderID = (known after apply)
                    }
                  + kubernetes               = {
                      + auth            = {
                          + cert           = {
                              + clientCert = {
                                  + key       = "cert"
                                  + name      = "credentials-training.cluster.acend.ch"
                                  + namespace = "external-secrets"
                                }
                              + clientKey  = {
                                  + key       = "key"
                                  + name      = "credentials-training.cluster.acend.ch"
                                  + namespace = "external-secrets"
                                }
                            }
                          + serviceAccount = {
                              + audiences = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                          + token          = {
                              + bearerToken = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                        }
                      + remoteNamespace = "kube-system"
                      + server          = {
                          + caBundle   = (known after apply)
                          + caProvider = {
                              + key       = "ca"
                              + name      = "credentials-training.cluster.acend.ch"
                              + namespace = "external-secrets"
                              + type      = "Secret"
                            }
                          + url        = (known after apply)
                        }
                    }
                  + onboardbase              = {
                      + apiHost     = (known after apply)
                      + auth        = {
                          + apiKeyRef   = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                          + passcodeRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                        }
                      + environment = (known after apply)
                      + project     = (known after apply)
                    }
                  + onepassword              = {
                      + auth        = {
                          + secretRef = {
                              + connectTokenSecretRef = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                        }
                      + connectHost = (known after apply)
                      + vaults      = (known after apply)
                    }
                  + oracle                   = {
                      + auth              = {
                          + secretRef = {
                              + fingerprint = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + privatekey  = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                          + tenancy   = (known after apply)
                          + user      = (known after apply)
                        }
                      + compartment       = (known after apply)
                      + encryptionKey     = (known after apply)
                      + principalType     = (known after apply)
                      + region            = (known after apply)
                      + serviceAccountRef = {
                          + audiences = (known after apply)
                          + name      = (known after apply)
                          + namespace = (known after apply)
                        }
                      + vault             = (known after apply)
                    }
                  + passbolt                 = {
                      + auth = {
                          + passwordSecretRef   = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                          + privateKeySecretRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                        }
                      + host = (known after apply)
                    }
                  + passworddepot            = {
                      + auth     = {
                          + secretRef = {
                              + credentials = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                        }
                      + database = (known after apply)
                      + host     = (known after apply)
                    }
                  + pulumi                   = {
                      + accessToken  = {
                          + secretRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                        }
                      + apiUrl       = (known after apply)
                      + environment  = (known after apply)
                      + organization = (known after apply)
                    }
                  + scaleway                 = {
                      + accessKey = {
                          + secretRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                          + value     = (known after apply)
                        }
                      + apiUrl    = (known after apply)
                      + projectId = (known after apply)
                      + region    = (known after apply)
                      + secretKey = {
                          + secretRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                          + value     = (known after apply)
                        }
                    }
                  + senhasegura              = {
                      + auth                 = {
                          + clientId              = (known after apply)
                          + clientSecretSecretRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                        }
                      + ignoreSslCertificate = (known after apply)
                      + module               = (known after apply)
                      + url                  = (known after apply)
                    }
                  + vault                    = {
                      + auth                = {
                          + appRole        = {
                              + path      = (known after apply)
                              + roleId    = (known after apply)
                              + roleRef   = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + secretRef = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                          + cert           = {
                              + clientCert = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + secretRef  = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                          + iam            = {
                              + externalID          = (known after apply)
                              + jwt                 = {
                                  + serviceAccountRef = {
                                      + audiences = (known after apply)
                                      + name      = (known after apply)
                                      + namespace = (known after apply)
                                    }
                                }
                              + path                = (known after apply)
                              + region              = (known after apply)
                              + role                = (known after apply)
                              + secretRef           = {
                                  + accessKeyIDSecretRef     = {
                                      + key       = (known after apply)
                                      + name      = (known after apply)
                                      + namespace = (known after apply)
                                    }
                                  + secretAccessKeySecretRef = {
                                      + key       = (known after apply)
                                      + name      = (known after apply)
                                      + namespace = (known after apply)
                                    }
                                  + sessionTokenSecretRef    = {
                                      + key       = (known after apply)
                                      + name      = (known after apply)
                                      + namespace = (known after apply)
                                    }
                                }
                              + vaultAwsIamServerID = (known after apply)
                              + vaultRole           = (known after apply)
                            }
                          + jwt            = {
                              + kubernetesServiceAccountToken = {
                                  + audiences         = (known after apply)
                                  + expirationSeconds = (known after apply)
                                  + serviceAccountRef = {
                                      + audiences = (known after apply)
                                      + name      = (known after apply)
                                      + namespace = (known after apply)
                                    }
                                }
                              + path                          = (known after apply)
                              + role                          = (known after apply)
                              + secretRef                     = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                          + kubernetes     = {
                              + mountPath         = (known after apply)
                              + role              = (known after apply)
                              + secretRef         = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + serviceAccountRef = {
                                  + audiences = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                            }
                          + ldap           = {
                              + path      = (known after apply)
                              + secretRef = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + username  = (known after apply)
                            }
                          + namespace      = (known after apply)
                          + tokenSecretRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                          + userPass       = {
                              + path      = (known after apply)
                              + secretRef = {
                                  + key       = (known after apply)
                                  + name      = (known after apply)
                                  + namespace = (known after apply)
                                }
                              + username  = (known after apply)
                            }
                        }
                      + caBundle            = (known after apply)
                      + caProvider          = {
                          + key       = (known after apply)
                          + name      = (known after apply)
                          + namespace = (known after apply)
                          + type      = (known after apply)
                        }
                      + forwardInconsistent = (known after apply)
                      + namespace           = (known after apply)
                      + path                = (known after apply)
                      + readYourWrites      = (known after apply)
                      + server              = (known after apply)
                      + tls                 = {
                          + certSecretRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                          + keySecretRef  = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                        }
                      + version             = (known after apply)
                    }
                  + webhook                  = {
                      + body       = (known after apply)
                      + caBundle   = (known after apply)
                      + caProvider = {
                          + key       = (known after apply)
                          + name      = (known after apply)
                          + namespace = (known after apply)
                          + type      = (known after apply)
                        }
                      + headers    = (known after apply)
                      + method     = (known after apply)
                      + result     = {
                          + jsonPath = (known after apply)
                        }
                      + secrets    = (known after apply)
                      + timeout    = (known after apply)
                      + url        = (known after apply)
                    }
                  + yandexcertificatemanager = {
                      + apiEndpoint = (known after apply)
                      + auth        = {
                          + authorizedKeySecretRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                        }
                      + caProvider  = {
                          + certSecretRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                        }
                    }
                  + yandexlockbox            = {
                      + apiEndpoint = (known after apply)
                      + auth        = {
                          + authorizedKeySecretRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                        }
                      + caProvider  = {
                          + certSecretRef = {
                              + key       = (known after apply)
                              + name      = (known after apply)
                              + namespace = (known after apply)
                            }
                        }
                    }
                }
              + refreshInterval = (known after apply)
              + retrySettings   = {
                  + maxRetries    = (known after apply)
                  + retryInterval = (known after apply)
                }
            }
        }
    }

  # module.training-cluster.kubernetes_namespace.argocd will be created
  + resource "kubernetes_namespace" "argocd" {
      + id                               = (known after apply)
      + wait_for_default_service_account = false

      + metadata {
          + generation       = (known after apply)
          + labels           = {
              + "certificate-wildcard"        = "true"
              + "kubernetes.io/metadata.name" = "argocd"
            }
          + name             = "argocd"
          + resource_version = (known after apply)
          + uid              = (known after apply)
        }
    }

  # module.training-cluster.kubernetes_secret.argocd-cluster will be created
  + resource "kubernetes_secret" "argocd-cluster" {
      + data                           = (sensitive value)
      + id                             = (known after apply)
      + type                           = "Opaque"
      + wait_for_service_account_token = true

      + metadata {
          + generation       = (known after apply)
          + labels           = {
              + "argocd.argoproj.io/secret-type" = "cluster"
              + "flavor"                         = "k8s"
              + "type"                           = "training"
            }
          + name             = "training"
          + namespace        = "argocd"
          + resource_version = (known after apply)
          + uid              = (known after apply)
        }
    }

  # module.training-cluster.kubernetes_secret.secretstore-secret will be created
  + resource "kubernetes_secret" "secretstore-secret" {
      + data                           = (sensitive value)
      + id                             = (known after apply)
      + type                           = "Opaque"
      + wait_for_service_account_token = true

      + metadata {
          + generation       = (known after apply)
          + name             = "credentials-training.cluster.acend.ch"
          + namespace        = "external-secrets"
          + resource_version = (known after apply)
          + uid              = (known after apply)
        }
    }

  # module.training-cluster.null_resource.cleanup-argo-cr-before-destroy will be created
  + resource "null_resource" "cleanup-argo-cr-before-destroy" {
      + id       = (known after apply)
      + triggers = {
          + "kubeconfig" = (known after apply)
        }
    }

  # module.training-cluster.null_resource.wait_for_k8s_api will be created
  + resource "null_resource" "wait_for_k8s_api" {
      + id       = (known after apply)
      + triggers = {
          + "k8s_api_ip" = (known after apply)
        }
    }

  # module.training-cluster.random_password.argocd-admin-password will be created
  + resource "random_password" "argocd-admin-password" {
      + bcrypt_hash      = (sensitive value)
      + id               = (known after apply)
      + length           = 16
      + lower            = true
      + min_lower        = 0
      + min_numeric      = 0
      + min_special      = 0
      + min_upper        = 0
      + number           = true
      + numeric          = true
      + override_special = "_%@"
      + result           = (sensitive value)
      + special          = true
      + upper            = true
    }

  # module.training-cluster.random_password.rke2_cluster_secret will be created
  + resource "random_password" "rke2_cluster_secret" {
      + bcrypt_hash = (sensitive value)
      + id          = (known after apply)
      + length      = 256
      + lower       = true
      + min_lower   = 0
      + min_numeric = 0
      + min_special = 0
      + min_upper   = 0
      + number      = true
      + numeric     = true
      + result      = (sensitive value)
      + special     = false
      + upper       = true
    }

  # module.training-cluster.random_password.student-passwords[0] will be created
  + resource "random_password" "student-passwords" {
      + bcrypt_hash      = (sensitive value)
      + id               = (known after apply)
      + length           = 16
      + lower            = true
      + min_lower        = 0
      + min_numeric      = 0
      + min_special      = 0
      + min_upper        = 0
      + number           = true
      + numeric          = true
      + override_special = ".-_"
      + result           = (sensitive value)
      + special          = true
      + upper            = true
    }

  # module.training-cluster.random_password.student-passwords[1] will be created
  + resource "random_password" "student-passwords" {
      + bcrypt_hash      = (sensitive value)
      + id               = (known after apply)
      + length           = 16
      + lower            = true
      + min_lower        = 0
      + min_numeric      = 0
      + min_special      = 0
      + min_upper        = 0
      + number           = true
      + numeric          = true
      + override_special = ".-_"
      + result           = (sensitive value)
      + special          = true
      + upper            = true
    }

  # module.training-cluster.random_password.student-passwords[2] will be created
  + resource "random_password" "student-passwords" {
      + bcrypt_hash      = (sensitive value)
      + id               = (known after apply)
      + length           = 16
      + lower            = true
      + min_lower        = 0
      + min_numeric      = 0
      + min_special      = 0
      + min_upper        = 0
      + number           = true
      + numeric          = true
      + override_special = ".-_"
      + result           = (sensitive value)
      + special          = true
      + upper            = true
    }

  # module.training-cluster.random_password.student-passwords[3] will be created
  + resource "random_password" "student-passwords" {
      + bcrypt_hash      = (sensitive value)
      + id               = (known after apply)
      + length           = 16
      + lower            = true
      + min_lower        = 0
      + min_numeric      = 0
      + min_special      = 0
      + min_upper        = 0
      + number           = true
      + numeric          = true
      + override_special = ".-_"
      + result           = (sensitive value)
      + special          = true
      + upper            = true
    }

  # module.training-cluster.random_password.student-passwords[4] will be created
  + resource "random_password" "student-passwords" {
      + bcrypt_hash      = (sensitive value)
      + id               = (known after apply)
      + length           = 16
      + lower            = true
      + min_lower        = 0
      + min_numeric      = 0
      + min_special      = 0
      + min_upper        = 0
      + number           = true
      + numeric          = true
      + override_special = ".-_"
      + result           = (sensitive value)
      + special          = true
      + upper            = true
    }

  # module.training-cluster.ssh_resource.getkubeconfig will be created
  + resource "ssh_resource" "getkubeconfig" {
      + agent                              = false
      + bastion_port                       = "22"
      + commands                           = [
          + "until [ -f /etc/rancher/rke2/rke2.yaml ]; do sleep 10; done;",
          + "cat /etc/rancher/rke2/rke2.yaml",
        ]
      + commands_after_file_changes        = true
      + host                               = (known after apply)
      + id                                 = (known after apply)
      + ignore_no_supported_methods_remain = false
      + port                               = "22"
      + private_key                        = (sensitive value)
      + result                             = (known after apply)
      + retry_delay                        = "5s"
      + timeout                            = "15m"
      + user                               = "root"
      + when                               = "create"
    }

  # module.training-cluster.time_sleep.wait_for_argocd-cleanup will be created
  + resource "time_sleep" "wait_for_argocd-cleanup" {
      + destroy_duration = "180s"
      + id               = (known after apply)
    }

  # module.training-cluster.time_sleep.wait_for_bootstrap will be created
  + resource "time_sleep" "wait_for_bootstrap" {
      + create_duration  = "30s"
      + destroy_duration = "30s"
      + id               = (known after apply)
    }

  # module.training-cluster.tls_private_key.terraform will be created
  + resource "tls_private_key" "terraform" {
      + algorithm                     = "ECDSA"
      + ecdsa_curve                   = "P384"
      + id                            = (known after apply)
      + private_key_openssh           = (sensitive value)
      + private_key_pem               = (sensitive value)
      + private_key_pem_pkcs8         = (sensitive value)
      + public_key_fingerprint_md5    = (known after apply)
      + public_key_fingerprint_sha256 = (known after apply)
      + public_key_openssh            = (known after apply)
      + public_key_pem                = (known after apply)
      + rsa_bits                      = 2048
    }

  # module.training-cluster.module.api-a-record.restapi_object.a-record[0] will be created
  + resource "restapi_object" "a-record" {
      + api_data        = (known after apply)
      + api_response    = (known after apply)
      + create_response = (known after apply)
      + data            = (known after apply)
      + id              = (known after apply)
      + id_attribute    = "data/id"
      + path            = "/api/user/v1/zones/242898/records"
    }

  # module.training-cluster.module.api-aaaa-record.restapi_object.aaaa-record[0] will be created
  + resource "restapi_object" "aaaa-record" {
      + api_data        = (known after apply)
      + api_response    = (known after apply)
      + create_response = (known after apply)
      + data            = (known after apply)
      + id              = (known after apply)
      + id_attribute    = "data/id"
      + path            = "/api/user/v1/zones/242898/records"
    }

Plan: 45 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + argocd-admin-password = (sensitive value)
  + count-students        = 5
  + student-passwords     = (sensitive value)
  + studentname-prefix    = "user"
  + training-kubeconfig   = (sensitive value)

─────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't
guarantee to take exactly these actions if you run "terraform apply" now.

Pusher: @g1raffi, Workflow: Deploy

@g1raffi g1raffi merged commit 294298f into main Jul 3, 2024
1 check passed
@splattner splattner deleted the g1raffi-patch-1-1 branch September 17, 2024 15:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@g1raffi