From 43455a4481e5be78fbbacb9ecd7b6b78bc184282 Mon Sep 17 00:00:00 2001
From: Bernd Worsch
Date: Sun, 14 Sep 2025 01:31:03 +0000
Subject: [PATCH] feat: add terraform-providers targets
---
Makefile | 33 +++++++++++++++++++++
terraform/hetzner/.terraform.lock.hcl | 42 +++++++++++++++++++++++++++
2 files changed, 75 insertions(+)
create mode 100644 terraform/hetzner/.terraform.lock.hcl
diff --git a/Makefile b/Makefile
index afcfae0..4c85b00 100644
--- a/Makefile
+++ b/Makefile
@@ -92,6 +92,39 @@ tf-destroy: tf-init ## Terraform destroy (tear down)
 @[ -n "$(HCLOUD_TOKEN)" ] || (echo "HCLOUD_TOKEN empty; export SOPS_AGE_KEY or set keys.txt & fill secrets.sops.yaml" && exit 1)
 @export HCLOUD_TOKEN=$(HCLOUD_TOKEN); terraform -chdir=terraform/hetzner destroy -auto-approve -var="hcloud_token=$(HCLOUD_TOKEN)"
+# --- Terraform provider/lockfile helpers ---
+TF_DIR := terraform/hetzner
+TF_TOKEN := $(HCLOUD_TOKEN)
+LOCKFILE := $(TF_DIR)/.terraform.lock.hcl
+
+tf-lock-commit: ## Commit the current provider lockfile
+ @test -f $(LOCKFILE) || (echo "❌ $(LOCKFILE) not found. Run 'make tf-init' first."; exit 1)
+ @git add $(LOCKFILE)
+ @git commit -m "chore(terraform): lock providers" || echo "ℹ No lockfile changes to commit."
+
+tf-providers-check: ## Check if newer provider versions are available (non-destructive)
+ @echo "🔎 Checking for provider upgrades (lockfile readonly)…"
+ @if terraform -chdir=$(TF_DIR) init -upgrade -lockfile=readonly >/dev/null 2>&1; then \
+ echo "✔ Providers up to date (no upgrades available)."; \
+ else \
+ echo "↗ Provider upgrades likely available (readonly lockfile blocked changes)."; \
+ echo " Run: make tf-providers-upgrade"; \
+ fi
+
+tf-providers-upgrade: ## Upgrade providers (updates .terraform.lock.hcl)
+ @echo "⬆️ Upgrading providers…"
+ @terraform -chdir=$(TF_DIR) init -upgrade
+ @echo "— Diff for $(LOCKFILE):"
+ @git --no-pager diff -- $(LOCKFILE) || true
+ @echo "💡 If changes look good: make tf-lock-commit"
+
+tf-providers-upgrade-commit: tf-providers-upgrade tf-lock-commit ## Upgrade providers and commit the lockfile
+
+tf-providers-plan: ## Plan after an upgrade (uses HCLOUD_TOKEN if set)
+ @echo "🧪 Planning with upgraded providers…"
+ @terraform -chdir=$(TF_DIR) plan $(if $(TF_TOKEN),-var="hcloud_token=$(TF_TOKEN)")
+
+
 # ---- Ansible ----
 ansible-bootstrap: ## Run base bootstrap play (users, ssh, ufw, sops-agent)
 cd ansible && ansible-playbook playbooks/bootstrap.yaml -u admin
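Review bot: `tf-providers-plan` puts the Hetzner token on terraform's command line (`-var="hcloud_token=$(TF_TOKEN)"`), where it is readable from the process list and printed by `make -n`; passing it through the environment with a target-specific `export TF_VAR_hcloud_token := $(TF_TOKEN)` keeps it off argv, as in the fence below. In `tf-lock-commit`, `git commit` has no pathspec, so anything else already staged is committed under the "lock providers" message, and the `|| echo` reports a failed hook or signing step as "no changes"; the fence limits the commit to `$(LOCKFILE)` and lets real failures surface. `tf-providers-check` discards all output and treats every non-zero exit as "upgrades likely available", so a registry or network error is indistinguishable from a pending upgrade; Terraform also appears to reject `-upgrade` combined with `-lockfile=readonly` outright, which would make the else branch the only one ever taken, so this is worth confirming against the Terraform version in use. Because `tf-providers-upgrade-commit` chains the upgrade and the commit, new provider hashes can land in the lockfile without anyone reading the diff, and under `make -j` the two prerequisites are not ordered against each other.

```make
# … unchanged: TF_DIR, TF_TOKEN, LOCKFILE definitions …
tf-lock-commit: ## Commit the current provider lockfile
# … unchanged: lockfile existence check, git add …
	@if git diff --cached --quiet -- $(LOCKFILE); then \
	  echo "ℹ No lockfile changes to commit."; \
	else \
	  git commit -m "chore(terraform): lock providers" -- $(LOCKFILE); \
	fi

# … unchanged: tf-providers-check, tf-providers-upgrade, tf-providers-upgrade-commit …
ifneq ($(strip $(TF_TOKEN)),)
tf-providers-plan: export TF_VAR_hcloud_token := $(TF_TOKEN)
endif
tf-providers-plan: ## Plan after an upgrade (uses HCLOUD_TOKEN if set)
# … unchanged: echo line …
	@terraform -chdir=$(TF_DIR) plan
```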
diff --git a/terraform/hetzner/.terraform.lock.hcl b/terraform/hetzner/.terraform.lock.hcl
new file mode 100644
index 0000000..766ea30
--- /dev/null
+++ b/terraform/hetzner/.terraform.lock.hcl
@@ -0,0 +1,42 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/template" { + version = "2.2.0" + constraints = "~> 2.2" + hashes = [ + "h1:94qn780bi1qjrbC3uQtjJh3Wkfwd5+tTtJHOb7KTg9w=", + "zh:01702196f0a0492ec07917db7aaa595843d8f171dc195f4c988d2ffca2a06386", + "zh:09aae3da826ba3d7df69efeb25d146a1de0d03e951d35019a0f80e4f58c89b53", + "zh:09ba83c0625b6fe0a954da6fbd0c355ac0b7f07f86c91a2a97849140fea49603", + "zh:0e3a6c8e16f17f19010accd0844187d524580d9fdb0731f675ffcf4afba03d16", + "zh:45f2c594b6f2f34ea663704cc72048b212fe7d16fb4cfd959365fa997228a776", + "zh:77ea3e5a0446784d77114b5e851c970a3dde1e08fa6de38210b8385d7605d451", + "zh:8a154388f3708e3df5a69122a23bdfaf760a523788a5081976b3d5616f7d30ae", + "zh:992843002f2db5a11e626b3fc23dc0c87ad3729b3b3cff08e32ffb3df97edbde", + "zh:ad906f4cebd3ec5e43d5cd6dc8f4c5c9cc3b33d2243c89c5fc18f97f7277b51d", + "zh:c979425ddb256511137ecd093e23283234da0154b7fa8b21c2687182d9aea8b2", + ] +} + +provider "registry.terraform.io/hetznercloud/hcloud" { + version = "1.52.0" + constraints = "~> 1.49" + hashes = [ + "h1:LTjrLuC+4F1Kv4TxS9e7LVVkG8/S4QQ7X4ORblvKTbc=", + "zh:1e9bb6b6a2ea5f441638dbae2d60fbe04ff455f58a18c740b8b7913e2197d875", + "zh:29c122e404ba331cfbadacc7f1294de5a31c9dfd60bdfe3e1b402271fc8e419c", + "zh:2bd0ae2f0bb9f16b7753f59a08e57ac7230f9c471278d7882f81406b9426c8c7", + "zh:4383206971873f6b5d81580a9a36e0158924f5816ebb6206b0cf2430e4e6a609", + "zh:47e2ca1cfa18500e4952ab51dc357a0450d00a92da9ea03e452f1f3efe6bbf75", + "zh:8e9fe90e3cea29bb7892b64da737642fc22b0106402df76c228a3cbe99663278", + "zh:a2d69350a69c471ddb63bcc74e105e585319a0fc0f4d1b7f70569f6d2ece5824", + "zh:a97abcc254e21c294e2d6b0fc9068acfd63614b097dda365f1c56ea8b0fd5f6b", + "zh:aba8d72d4fe2e89c922d5446d329e5c23d00b28227b4666e6486ba18ea2ec278", + "zh:ad36c333978c2d9e4bc43dcadcbff42fe771a8c5ef53d028bcacec8287bf78a7", + 
"zh:cdb1e6903b9d2f0ad8845d4eb390fbe724ee2435fb045baeab38d4319e637682", + "zh:df77b08757f3f36b8aadb33d73362320174047044414325c56a87983f48b5186", + "zh:e07513d5ad387247092b5ae1c87e21a387fc51873b3f38eee616187e38b090a7", + "zh:e2be02bdc59343ff4b9e26c3b93db7680aaf3e6ed13c8c4c4b144c74c2689915", + ] +}