From a2beb3ca4c2b00b9a4b3766298ac3a646494e82e Mon Sep 17 00:00:00 2001
From: amaralc <amaral.calil@gmail.com>
Date: Sun, 15 Feb 2026 12:20:21 -0300
Subject: [PATCH 1/3] fix(ci): add id-token write

---
 .github/workflows/teams-kernel-workflows-deploy.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/teams-kernel-workflows-deploy.yml b/.github/workflows/teams-kernel-workflows-deploy.yml
index d69dea28..0c10a032 100644
--- a/.github/workflows/teams-kernel-workflows-deploy.yml
+++ b/.github/workflows/teams-kernel-workflows-deploy.yml
@@ -77,6 +77,7 @@ jobs:
     name: Deploy Kernel Team
     permissions:
       contents: read
+      id-token: write
     needs: build
     uses: ./.github/workflows/teams-kernel-workflows-deploy-team.yml
     secrets:
@@ -105,6 +106,7 @@ jobs:
     name: Deploy People Team
     permissions:
       contents: read
+      id-token: write
     needs: deploy-kernel
     if: needs.deploy-kernel.result == 'success'
     uses: ./.github/workflows/teams-kernel-workflows-deploy-team.yml
@@ -135,6 +137,7 @@ jobs:
     needs: deploy-kernel
     permissions:
       contents: read
+      id-token: write
     if: needs.deploy-kernel.result == 'success'
     uses: ./.github/workflows/teams-kernel-workflows-deploy-team.yml
     secrets:

From c6b2e212aff4823534756052d61530c32503c398 Mon Sep 17 00:00:00 2001
From: amaralc <amaral.calil@gmail.com>
Date: Sun, 15 Feb 2026 12:21:02 -0300
Subject: [PATCH 2/3] fix(ci): avoid exposing project id

---
 .../teams-kernel-workflows-deploy-team.yml       | 16 ++++++++++++++++
 docs/insights-short-term.md                      |  6 +++---
 teams/kernel/iac/production/backend.tf           |  6 +++---
 3 files changed, 22 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/teams-kernel-workflows-deploy-team.yml b/.github/workflows/teams-kernel-workflows-deploy-team.yml
index 52bd4a1a..4e49474c 100644
--- a/.github/workflows/teams-kernel-workflows-deploy-team.yml
+++ b/.github/workflows/teams-kernel-workflows-deploy-team.yml
@@ -91,6 +91,22 @@ jobs:
       - name: Generate Prisma client
         run: pnpm prisma:generate:postgres
 
+      - name: Generate Terraform Backend Configuration
+        working-directory: ${{ inputs.iac-path }}
+        env:
+          GCP_PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }}
+        run: |
+          cat > backend.tf <<EOF
+          # This block sets up what backend should be used for Terraform. In this case, we are using Google Cloud Storage.
+          terraform {
+            backend "gcs" {                                # The Google Cloud Storage backend
+              bucket = "$GCP_PROJECT_ID-tfstate"           # The name of the bucket to store the state file
+              prefix = "production"                        # The path to the state file within the bucket
+              # Authentication uses Application Default Credentials (ADC) from Workload Identity Federation
+            }
+          }
+          EOF
+
       - name: Authenticate to Google Cloud
         id: auth
         uses: google-github-actions/auth@c200f3691d83b41bf9bbd8638997a462592937ed # v2.1.13
diff --git a/docs/insights-short-term.md b/docs/insights-short-term.md
index 1732a255..005d3935 100644
--- a/docs/insights-short-term.md
+++ b/docs/insights-short-term.md
@@ -2,6 +2,9 @@
 
 Latest 100 insights derived from recent project activity, newest first.
 
+- [2026-02-15 17:15 UTC] Backend config generation belongs in CI/CD workflows using secrets, not open-source bootstrap
+- [2026-02-15 16:45 UTC] Reusable workflows require calling job to grant `id-token: write` for OIDC authentication
+- [2026-02-15 15:30 UTC] Choose Terraform for simplicity & multi-cloud; Pulumi for complex logic in familiar languages
 - [2026-02-15 14:00 UTC] Move secrets from run blocks to env: to enable GitHub masking
 - [2026-02-14 14:35 UTC] Combine job needs with needs.X.result == 'success' to enforce deployment success
 - [2026-02-14 14:30 UTC] Complete security fixes end-to-end: implement, test, commit, push for compliance
@@ -99,6 +102,3 @@ Latest 100 insights derived from recent project activity, newest first.
 - [2026-02-10 16:00 UTC] K8s Ingress is an L7 reverse proxy routing external HTTP traffic to services via host/path rules
 - [2026-02-10 10:00 UTC] `moved` blocks + sibling modules cleanly split monolithic TF modules without state recreation
 - [2026-02-10 09:15 UTC] Crossplane is a platform layer on any K8s cluster (minikube, GKE, EKS), not env-specific infra
-- [2026-02-10 09:00 UTC] Separate infra provisioners (Crossplane) from service modules (IAM) so multiple services reuse them
-- [2026-02-10 08:30 UTC] Two-phase TF apply: targeted `-target` installs CRDs, then full apply plans resources needing them
-- [2026-02-10 08:00 UTC] Placeholder provider blocks with dummy tokens satisfy TF init for count=0 cloud modules
diff --git a/teams/kernel/iac/production/backend.tf b/teams/kernel/iac/production/backend.tf
index a2a1fe45..45d2cce9 100644
--- a/teams/kernel/iac/production/backend.tf
+++ b/teams/kernel/iac/production/backend.tf
@@ -1,8 +1,8 @@
 # This block sets up what backend should be used for Terraform. In this case, we are using Google Cloud Storage.
 terraform {
-  backend "gcs" {                                # The Google Cloud Storage backend
-    bucket = "bootstrap-5541-tfstate"           # The name of the bucket to store the state file
-    prefix = "production"                        # The path to the state file within the bucket
+  backend "gcs" {                             # The Google Cloud Storage backend
+    bucket = "project-id-placeholder-tfstate" # The name of the bucket to store the state file
+    prefix = "production"                     # The path to the state file within the bucket
     # Authentication uses Application Default Credentials (ADC) from Workload Identity Federation
   }
 }

From c97317564e55601041e9122d94bc3443c7e8b7df Mon Sep 17 00:00:00 2001
From: amaralc <amaral.calil@gmail.com>
Date: Sun, 15 Feb 2026 18:12:39 -0300
Subject: [PATCH 3/3] fix(ci): prevent failure due to absent secret

---
 .github/workflows/teams-kernel-workflows-deploy-team.yml | 8 +++++++-
 docs/insights-short-term.md                              | 4 ++--
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/teams-kernel-workflows-deploy-team.yml b/.github/workflows/teams-kernel-workflows-deploy-team.yml
index 4e49474c..1e64354f 100644
--- a/.github/workflows/teams-kernel-workflows-deploy-team.yml
+++ b/.github/workflows/teams-kernel-workflows-deploy-team.yml
@@ -21,7 +21,7 @@ on:
       DOMAIN_NAME:
         required: false
       GCP_PROJECT_ID:
-        required: false
+        required: true
       GCP_LOCATION:
         required: false
       SUPPORT_ACCOUNT_EMAIL:
@@ -96,6 +96,11 @@ jobs:
         env:
           GCP_PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }}
         run: |
+          if [ -z "$GCP_PROJECT_ID" ]; then
+            echo "❌ Error in 'Generate Terraform Backend Configuration' step: GCP_PROJECT_ID environment variable is empty"
+            echo "   This variable is required to generate backend.tf configuration"
+            exit 1
+          fi
           cat > backend.tf <<EOF
           # This block sets up what backend should be used for Terraform. In this case, we are using Google Cloud Storage.
           terraform {
@@ -106,6 +111,7 @@ jobs:
             }
           }
           EOF
+          echo "✓ Terraform backend configuration (backend.tf) generated successfully."
 
       - name: Authenticate to Google Cloud
         id: auth
diff --git a/docs/insights-short-term.md b/docs/insights-short-term.md
index 005d3935..1e699292 100644
--- a/docs/insights-short-term.md
+++ b/docs/insights-short-term.md
@@ -2,6 +2,8 @@
 
 Latest 100 insights derived from recent project activity, newest first.
 
+- [2026-02-15 18:00 UTC] Validate required secrets before use; fail fast with error naming step and target file
+- [2026-02-15 17:45 UTC] Document infrastructure changes via PR Experiment Record for organizational learning
 - [2026-02-15 17:15 UTC] Backend config generation belongs in CI/CD workflows using secrets, not open-source bootstrap
 - [2026-02-15 16:45 UTC] Reusable workflows require calling job to grant `id-token: write` for OIDC authentication
 - [2026-02-15 15:30 UTC] Choose Terraform for simplicity & multi-cloud; Pulumi for complex logic in familiar languages
@@ -100,5 +102,3 @@ Latest 100 insights derived from recent project activity, newest first.
 - [2026-02-10 17:00 UTC] Local infra layers: cluster → Crossplane → service resources → app workloads (strict order)
 - [2026-02-10 16:30 UTC] Kong can be the K8s Ingress Controller or sit behind one for API-subset routing
 - [2026-02-10 16:00 UTC] K8s Ingress is an L7 reverse proxy routing external HTTP traffic to services via host/path rules
-- [2026-02-10 10:00 UTC] `moved` blocks + sibling modules cleanly split monolithic TF modules without state recreation
-- [2026-02-10 09:15 UTC] Crossplane is a platform layer on any K8s cluster (minikube, GKE, EKS), not env-specific infra