From 41d78f417f53872e2589760fe616e83d056ab712 Mon Sep 17 00:00:00 2001
From: Jennifer Weir
Date: Sat, 9 May 2026 13:17:38 -0400
Subject: [PATCH 1/2] fix(argocd): azure secret locations
---
 .../argocd/operator/components/argocd.yaml | 6 +-
 terraform/okd/main.tf | 22 ++++
 terraform/okd/provider.tf | 5 -
 terraform/okd/variables.tf | 5 -
 terraform/proxmox/main.tf | 110 ++++++++++++++++++
 terraform/proxmox/provider.tf | 12 ++
 6 files changed, 147 insertions(+), 13 deletions(-)
 create mode 100644 terraform/proxmox/main.tf
 create mode 100644 terraform/proxmox/provider.tf
diff --git a/manifests/platform/argocd/operator/components/argocd.yaml b/manifests/platform/argocd/operator/components/argocd.yaml
index 3d23006..34c476d 100644
--- a/manifests/platform/argocd/operator/components/argocd.yaml
+++ b/manifests/platform/argocd/operator/components/argocd.yaml
@@ -103,9 +103,9 @@ spec:
 # https://argocd-operator.readthedocs.io/en/latest/reference/argocd/#oidc-config
 oidcConfig: |
 name: azure
- issuer: https://login.microsoftonline.com//v2.0
- clientID:
- clientSecret:
+ issuer: https://login.microsoftonline.com//v2.0
+ clientID:
+ clientSecret:
 # Optional set of OIDC scopes to request. If omitted, defaults to: ["openid", "profile", "email", "groups"]
 requestedScopes: ["openid", "profile", "email", "groups"]
 # Optional set of OIDC claims to request on the ID token.
diff --git a/terraform/okd/main.tf b/terraform/okd/main.tf
index 2e326c5..f7f98d1 100644
--- a/terraform/okd/main.tf
+++ b/terraform/okd/main.tf
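Review bot: The new `clientSecret:` line still lives inside `oidcConfig`, which the ArgoCD operator writes into the `argocd-cm` ConfigMap, so whatever value is resolved into it at render time ends up in a non-Secret object and in the rendered-manifest diff rather than in a Kubernetes Secret. The values render empty on this page and the `issuer` shows `https://login.microsoftonline.com//v2.0` with an empty tenant segment, which looks like angle-bracket placeholders stripped by the rendering; if the committed lines are really empty the OIDC config is broken, so confirm against the file. ArgoCD resolves a `$<secret-name>:<key>` value in `oidc.config` from a Secret at runtime, so something like `clientSecret: $argocd-azure-oidc:clientSecret` (constructed name) backed by a Secret synced through the `external-secrets` identity this repo already uses would keep the secret out of the ConfigMap; the tenant and client IDs are not secrets and are fine inline.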
@@ -153,6 +153,28 @@ resource "google_secret_manager_secret_iam_member" "quay_pull_secret_accessor" {
 member = "principal://iam.googleapis.com/projects/${data.google_project.okd_homelab.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.okd_pool.workload_identity_pool_id}/subject/system:serviceaccount:argocd:external-secrets"
 }
+# argocd SA access to Azure AD secrets
+resource "google_secret_manager_secret_iam_member" "argocd_azure_tenant_id_accessor" {
+ project = data.google_project.okd_homelab.project_id
+ secret_id = "azure_tenant_id"
+ role = "roles/secretmanager.secretAccessor"
+ member = "principal://iam.googleapis.com/projects/${data.google_project.okd_homelab.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.okd_pool.workload_identity_pool_id}/subject/system:serviceaccount:argocd:argocd-argocd-repo-server"
+}
+
+resource "google_secret_manager_secret_iam_member" "argocd_azure_client_id_accessor" {
+ project = data.google_project.okd_homelab.project_id
+ secret_id = "azure_client_id"
+ role = "roles/secretmanager.secretAccessor"
+ member = "principal://iam.googleapis.com/projects/${data.google_project.okd_homelab.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.okd_pool.workload_identity_pool_id}/subject/system:serviceaccount:argocd:argocd-argocd-repo-server"
+}
+
+resource "google_secret_manager_secret_iam_member" "argocd_azure_client_secret_accessor" {
+ project = data.google_project.okd_homelab.project_id
+ secret_id = "azure_client_secret"
+ role = "roles/secretmanager.secretAccessor"
+ member = "principal://iam.googleapis.com/projects/${data.google_project.okd_homelab.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.okd_pool.workload_identity_pool_id}/subject/system:serviceaccount:argocd:argocd-argocd-repo-server"
+}
+
 # Azure
------------------------------------------------------------------------------------------------------------------
 resource "azuread_application" "okd_cluster" {
diff --git a/terraform/okd/provider.tf b/terraform/okd/provider.tf
index a3f944f..4f82524 100644
--- a/terraform/okd/provider.tf
+++ b/terraform/okd/provider.tf
@@ -1,8 +1,3 @@
-provider "google" {
- project = var.homelab_project_id
- region = "us-east1"
-}
-
 provider "azuread" {
 tenant_id = var.azure_tenant_id
 }
\ No newline at end of file
diff --git a/terraform/okd/variables.tf b/terraform/okd/variables.tf
index e273a87..497ea6e 100644
--- a/terraform/okd/variables.tf
+++ b/terraform/okd/variables.tf
@@ -1,8 +1,3 @@
-variable "homelab_project_id" {
- description = "The GCP project ID for homelab management."
- type = string
-}
-
 variable "azure_tenant_id" {
 description = "The tenant ID for Azure Active Directory."
 type = string
diff --git a/terraform/proxmox/main.tf b/terraform/proxmox/main.tf
new file mode 100644
index 0000000..c9ac72a
--- /dev/null
+++ b/terraform/proxmox/main.tf
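Review bot: The three new `google_secret_manager_secret_iam_member` resources in the `main.tf` hunk differ only in `secret_id`, so one resource with `for_each` over the three secret names (fence below) keeps the grant in one place and makes adding or dropping a secret a one-line change; since the bindings are new in this commit there is no state to migrate for the changed address. The grantee is also worth a comment: the existing `quay_pull_secret_accessor` binds `argocd:external-secrets`, while these bind `argocd:argocd-argocd-repo-server`, which means the Azure client secret is read by the manifest-rendering component rather than synced into a Kubernetes Secret — if that is intentional, `# read by the repo-server at render time, not synced via external-secrets` above the block would save the next reader the question. The `secret_id` values are bare names rather than references to `google_secret_manager_secret` resources, so Terraform cannot order these bindings after the secrets exist; presumably the secrets are created elsewhere, but confirm. The removal of `provider "google"` and `var.homelab_project_id` in the other two hunks leaves `data.google_project.okd_homelab` depending on a provider configuration that is not visible in this patch.
```terraform
# argocd SA access to Azure AD secrets
resource "google_secret_manager_secret_iam_member" "argocd_azure_accessor" {
  for_each  = toset(["azure_tenant_id", "azure_client_id", "azure_client_secret"])
  project   = data.google_project.okd_homelab.project_id
  secret_id = each.key
  role      = "roles/secretmanager.secretAccessor"
  member    = "principal://iam.googleapis.com/projects/${data.google_project.okd_homelab.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.okd_pool.workload_identity_pool_id}/subject/system:serviceaccount:argocd:argocd-argocd-repo-server"
}
```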
@@ -0,0 +1,110 @@
+resource "proxmox_virtual_environment_vm" "fedora_vm" {
+ name = "terraform-provider-proxmox-fedora-vm"
+ description = "Managed by Terraform"
+ tags = ["terraform", "fedora"]
+
+ node_name = "first-node"
+ vm_id = 4321
+
+ agent {
+ # read 'Qemu guest agent' section, change to true only when ready
+ enabled = false
+ }
+ # if agent is not enabled, the VM may not be able to shutdown properly, and may need to be forced off
+ stop_on_destroy = true
+
+ startup {
+ order = "3"
+ up_delay = "60"
+ down_delay = "60"
+ }
+
+ cpu {
+ cores = 2
+ type = "x86-64-v2-AES" # recommended for modern CPUs
+ }
+
+ memory {
+ dedicated = 2048
+ floating = 2048 # set equal to dedicated to enable ballooning
+ }
+
+ disk {
+ datastore_id = "local-lvm"
+ import_from = proxmox_virtual_environment_download_file.latest_fedora_22_jammy_qcow2_img.id
+ interface = "scsi0"
+ }
+
+ initialization {
+ # uncomment and specify the datastore for cloud-init disk if default `local-lvm` is not available
+ # datastore_id = "local-lvm"
+
+ ip_config {
+ ipv4 {
+ address = "dhcp"
+ }
+ }
+
+ user_account {
+ keys = [trimspace(tls_private_key.fedora_vm_key.public_key_openssh)]
+ password = random_password.fedora_vm_password.result
+ username = "fedora"
+ }
+
+ user_data_file_id = proxmox_virtual_environment_file.cloud_config.id
+ }
+
+ network_device {
+ bridge = "vmbr0"
+ }
+
+ operating_system {
+ type = "l26"
+ }
+
+ tpm_state {
+ version = "v2.0"
+ }
+
+ serial_device {}
+
+ virtiofs {
+ mapping = "data_share"
+ cache = "always"
+ direct_io = true
+ }
+}
+
+resource "proxmox_virtual_environment_download_file" "latest_fedora_22_jammy_qcow2_img" {
+ content_type = "import"
+ datastore_id = "local"
+ node_name = "pve"
+ url = "https://cloud-images.fedora.com/jammy/current/jammy-server-cloudimg-amd64.img"
+ # need to rename the file to *.qcow2 to indicate the actual file format for import
+ file_name = "jammy-server-cloudimg-amd64.qcow2"
+}
+
+resource "random_password" "fedora_vm_password" {
+ length = 16
+ override_special = "_%@"
+ special = true
+}
+
+resource "tls_private_key" "fedora_vm_key" {
+ algorithm = "RSA"
+ rsa_bits = 2048
+}
+
+output "fedora_vm_password" {
+ value = random_password.fedora_vm_password.result
+ sensitive = true
+}
+
+output "fedora_vm_private_key" {
+ value = tls_private_key.fedora_vm_key.private_key_pem
+ sensitive = true
+}
+
+output "fedora_vm_public_key" {
+ value = tls_private_key.fedora_vm_key.public_key_openssh
+}
\ No newline at end of file
diff --git a/terraform/proxmox/provider.tf b/terraform/proxmox/provider.tf
new file mode 100644
index 0000000..cfa148d
--- /dev/null
+++ b/terraform/proxmox/provider.tf
@@ -0,0 +1,12 @@
+terraform {
+ required_providers {
+ proxmox = {
+ source = "bpg/proxmox"
+ version = "0.89.0"
+ }
+ }
+}
+
+provider "proxmox" {
+ # Configuration options
+}
\ No newline at end of file
From dae00813da0e70c919bbd28de7f080a9aa862893 Mon Sep 17 00:00:00 2001
From: Jennifer Weir
Date: Sat, 9 May 2026 13:19:37 -0400
Subject: [PATCH 2/2] fix(argocd): azure secret locations
---
 terraform/proxmox/main.tf | 110 ----------------------------------
 terraform/proxmox/provider.tf | 12 ----
 2 files changed, 122 deletions(-)
 delete mode 100644 terraform/proxmox/main.tf
 delete mode 100644 terraform/proxmox/provider.tf
diff --git a/terraform/proxmox/main.tf b/terraform/proxmox/main.tf
deleted file mode 100644
index c9ac72a..0000000
--- a/terraform/proxmox/main.tf
+++ /dev/null
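Review bot: The whole of `terraform/proxmox/main.tf` and `provider.tf` added here is deleted again in PATCH 2/2 of this same series, so the two files look like an accidental commit and squashing the pair would keep them out of history entirely. If the file is kept, `tls_private_key.fedora_vm_key` stores the VM's private key in Terraform state in plaintext (that is how the `tls` provider works, and `sensitive = true` on the output only affects CLI display), so the state backend has to be treated as secret-bearing, and `algorithm = "ED25519"` would be a better default than 2048-bit RSA for an SSH key. `user_data_file_id` references `proxmox_virtual_environment_file.cloud_config`, which is not defined in this patch, the download `url` mixes an Ubuntu `jammy` image name with a Fedora host, and the VM uses `node_name = "first-node"` while the download uses `"pve"`, all of which suggest the config was copied from a provider example and not yet adapted. The `provider.tf` hunk pins `bpg/proxmox` at `0.89.0` but leaves the `provider "proxmox"` block with only `# Configuration options`, so there is no endpoint or credential source for `terraform plan` to use.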
@@ -1,110 +0,0 @@
-resource "proxmox_virtual_environment_vm" "fedora_vm" {
- name = "terraform-provider-proxmox-fedora-vm"
- description = "Managed by Terraform"
- tags = ["terraform", "fedora"]
-
- node_name = "first-node"
- vm_id = 4321
-
- agent {
- # read 'Qemu guest agent' section, change to true only when ready
- enabled = false
- }
- # if agent is not enabled, the VM may not be able to shutdown properly, and may need to be forced off
- stop_on_destroy = true
-
- startup {
- order = "3"
- up_delay = "60"
- down_delay = "60"
- }
-
- cpu {
- cores = 2
- type = "x86-64-v2-AES" # recommended for modern CPUs
- }
-
- memory {
- dedicated = 2048
- floating = 2048 # set equal to dedicated to enable ballooning
- }
-
- disk {
- datastore_id = "local-lvm"
- import_from = proxmox_virtual_environment_download_file.latest_fedora_22_jammy_qcow2_img.id
- interface = "scsi0"
- }
-
- initialization {
- # uncomment and specify the datastore for cloud-init disk if default `local-lvm` is not available
- # datastore_id = "local-lvm"
-
- ip_config {
- ipv4 {
- address = "dhcp"
- }
- }
-
- user_account {
- keys = [trimspace(tls_private_key.fedora_vm_key.public_key_openssh)]
- password = random_password.fedora_vm_password.result
- username = "fedora"
- }
-
- user_data_file_id = proxmox_virtual_environment_file.cloud_config.id
- }
-
- network_device {
- bridge = "vmbr0"
- }
-
- operating_system {
- type = "l26"
- }
-
- tpm_state {
- version = "v2.0"
- }
-
- serial_device {}
-
- virtiofs {
- mapping = "data_share"
- cache = "always"
- direct_io = true
- }
-}
-
-resource "proxmox_virtual_environment_download_file" "latest_fedora_22_jammy_qcow2_img" {
- content_type = "import"
- datastore_id = "local"
- node_name = "pve"
- url = "https://cloud-images.fedora.com/jammy/current/jammy-server-cloudimg-amd64.img"
- # need to rename the file to *.qcow2 to indicate the actual file format for import
- file_name = "jammy-server-cloudimg-amd64.qcow2"
-}
-
-resource "random_password" "fedora_vm_password" {
- length = 16
- override_special = "_%@"
- special = true
-}
-
-resource "tls_private_key" "fedora_vm_key" {
- algorithm = "RSA"
- rsa_bits = 2048
-}
-
-output "fedora_vm_password" {
- value = random_password.fedora_vm_password.result
- sensitive = true
-}
-
-output "fedora_vm_private_key" {
- value = tls_private_key.fedora_vm_key.private_key_pem
- sensitive = true
-}
-
-output "fedora_vm_public_key" {
- value = tls_private_key.fedora_vm_key.public_key_openssh
-}
\ No newline at end of file
diff --git a/terraform/proxmox/provider.tf b/terraform/proxmox/provider.tf
deleted file mode 100644
index cfa148d..0000000
--- a/terraform/proxmox/provider.tf
+++ /dev/null
@@ -1,12 +0,0 @@
-terraform {
- required_providers {
- proxmox = {
- source = "bpg/proxmox"
- version = "0.89.0"
- }
- }
-}
-
-provider "proxmox" {
- # Configuration options
-}
\ No newline at end of file