amaralc · amaralc · Feb 15, 2026 · Feb 15, 2026 · Feb 15, 2026 · Feb 15, 2026
@@ -21,7 +21,7 @@ on:
       DOMAIN_NAME:
         required: false
       GCP_PROJECT_ID:
-        required: false
+        required: true
       GCP_LOCATION:
         required: false
       SUPPORT_ACCOUNT_EMAIL:
@@ -91,6 +91,28 @@ jobs:
       - name: Generate Prisma client
         run: pnpm prisma:generate:postgres
 
+      - name: Generate Terraform Backend Configuration
+        working-directory: ${{ inputs.iac-path }}
+        env:
+          GCP_PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }}
+        run: |
+          if [ -z "$GCP_PROJECT_ID" ]; then
+            echo "❌ Error in 'Generate Terraform Backend Configuration' step: GCP_PROJECT_ID environment variable is empty"
+            echo "   This variable is required to generate backend.tf configuration"
+            exit 1
+          fi
+          cat > backend.tf <<EOF
+          # This block sets up what backend should be used for Terraform. In this case, we are using Google Cloud Storage.
+          terraform {
+            backend "gcs" {                                # The Google Cloud Storage backend
+              bucket = "$GCP_PROJECT_ID-tfstate"           # The name of the bucket to store the state file
+              prefix = "production"                        # The path to the state file within the bucket
+              # Authentication uses Application Default Credentials (ADC) from Workload Identity Federation
+            }
+          }
+          EOF
+          echo "✓ Terraform backend configuration (backend.tf) generated successfully."
+
       - name: Authenticate to Google Cloud
         id: auth
         uses: google-github-actions/auth@c200f3691d83b41bf9bbd8638997a462592937ed # v2.1.13

@@ -77,6 +77,7 @@ jobs:
     name: Deploy Kernel Team
     permissions:
       contents: read
+      id-token: write
     needs: build
     uses: ./.github/workflows/teams-kernel-workflows-deploy-team.yml
     secrets:
@@ -105,6 +106,7 @@ jobs:
     name: Deploy People Team
     permissions:
       contents: read
+      id-token: write
     needs: deploy-kernel
     if: needs.deploy-kernel.result == 'success'
     uses: ./.github/workflows/teams-kernel-workflows-deploy-team.yml
@@ -135,6 +137,7 @@ jobs:
     needs: deploy-kernel
     permissions:
       contents: read
+      id-token: write
     if: needs.deploy-kernel.result == 'success'
     uses: ./.github/workflows/teams-kernel-workflows-deploy-team.yml
     secrets:

@@ -2,6 +2,11 @@
 
 Latest 100 insights derived from recent project activity, newest first.
 
+- [2026-02-15 18:00 UTC] Validate required secrets before use; fail fast with error naming step and target file
+- [2026-02-15 17:45 UTC] Document infrastructure changes via PR Experiment Record for organizational learning
+- [2026-02-15 17:15 UTC] Backend config generation belongs in CI/CD workflows using secrets, not open-source bootstrap
+- [2026-02-15 16:45 UTC] Reusable workflows require calling job to grant `id-token: write` for OIDC authentication
+- [2026-02-15 15:30 UTC] Choose Terraform for simplicity & multi-cloud; Pulumi for complex logic in familiar languages
 - [2026-02-15 14:00 UTC] Move secrets from run blocks to env: to enable GitHub masking
 - [2026-02-14 14:35 UTC] Combine job needs with needs.X.result == 'success' to enforce deployment success
 - [2026-02-14 14:30 UTC] Complete security fixes end-to-end: implement, test, commit, push for compliance
@@ -97,8 +102,3 @@ Latest 100 insights derived from recent project activity, newest first.
 - [2026-02-10 17:00 UTC] Local infra layers: cluster → Crossplane → service resources → app workloads (strict order)
 - [2026-02-10 16:30 UTC] Kong can be the K8s Ingress Controller or sit behind one for API-subset routing
 - [2026-02-10 16:00 UTC] K8s Ingress is an L7 reverse proxy routing external HTTP traffic to services via host/path rules
-- [2026-02-10 10:00 UTC] `moved` blocks + sibling modules cleanly split monolithic TF modules without state recreation
-- [2026-02-10 09:15 UTC] Crossplane is a platform layer on any K8s cluster (minikube, GKE, EKS), not env-specific infra
-- [2026-02-10 09:00 UTC] Separate infra provisioners (Crossplane) from service modules (IAM) so multiple services reuse them
-- [2026-02-10 08:30 UTC] Two-phase TF apply: targeted `-target` installs CRDs, then full apply plans resources needing them
-- [2026-02-10 08:00 UTC] Placeholder provider blocks with dummy tokens satisfy TF init for count=0 cloud modules
@@ -1,8 +1,8 @@
 # This block sets up what backend should be used for Terraform. In this case, we are using Google Cloud Storage.
 terraform {
-  backend "gcs" {                                # The Google Cloud Storage backend
-    bucket = "bootstrap-5541-tfstate"           # The name of the bucket to store the state file
-    prefix = "production"                        # The path to the state file within the bucket
+  backend "gcs" {                             # The Google Cloud Storage backend
+    bucket = "project-id-placeholder-tfstate" # The name of the bucket to store the state file
+    prefix = "production"                     # The path to the state file within the bucket
     # Authentication uses Application Default Credentials (ADC) from Workload Identity Federation
   }
 }