Secrets Checklist

Phase: 1 - Prerequisites & Secrets
Duration: 5-10 minutes
Purpose: Validate all required credentials before infrastructure deployment

📋 Complete Checklist

Use this checklist to ensure you have all required credentials before proceeding to Phase 2.

GitLab OAuth Application

  • [ ] Application Created - OAuth app created in GitLab
  • [ ] Application ID - Recorded (not secret)
  • [ ] Client Secret - Recorded (sensitive)
  • [ ] Redirect URIs - Both callback URLs added
  • [ ] Scopes - All 4 required scopes selected

Slack Integration

  • [ ] Webhook URL - Slack webhook URL obtained
  • [ ] Channel Configured - #blueberry-ci channel exists
  • [ ] Permissions - Webhook has post permissions
  • [ ] Test Message - Optional test message sent

Cloudflare API Access

  • [ ] API Token - Token created with DNS permissions
  • [ ] Zone ID - Zone ID recorded for DNS zone
  • [ ] Permissions - Zone:DNS:Edit permissions granted
  • [ ] Test Access - Optional API access tested

GitLab Personal Access Token

  • [ ] PAT Created - Personal Access Token created
  • [ ] API Scope - Token has 'api' scope
  • [ ] Expiration - Token expiration date noted
  • [ ] Permissions - Token has project access

Environment Configuration

  • [ ] Environment File - .env file created in blueberry-terraform/
  • [ ] All Variables - All required variables populated
  • [ ] Syntax Check - No syntax errors in .env file
  • [ ] Not Committed - .env file not committed to git

🔧 Environment File Template

Create blueberry-terraform/.env with these variables:

# GitLab OAuth Application (for ArgoCD)
TF_VAR_gitlab_oauth_client_id="your-application-id-here"
TF_VAR_gitlab_oauth_client_secret="your-secret-here"

# GitLab Personal Access Token (for Terraform)
TF_VAR_gitlab_token_secret_value="your-pat-here"

# Slack Integration
TF_VAR_slack_webhook_url_value="https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX"

# GitLab Webhook Token (auto-generated if not provided)
TF_VAR_gitlab_webhook_token_value="your-webhook-token-here"

# Cloudflare API Token (for DNS management)
CLOUDFLARE_API_TOKEN="your-cloudflare-api-token-here"

# Google Cloud Project (should match your terraform variables)
GOOGLE_CLOUD_PROJECT="development-454916"

✅ Validation Steps

Step 1: Check File Exists

cd blueberry-terraform
ls -la .env

Step 2: Validate Environment Variables

# Check that all required variables are set
grep -E "^TF_VAR_|^CLOUDFLARE_|^GOOGLE_" .env

Step 3: Test Credentials (Optional)

The commands below read the credentials from your shell environment, so export the variables from .env first (for example `set -a; . ./.env; set +a` from inside blueberry-terraform/); otherwise curl sends an empty token.

GitLab PAT Test

# Test GitLab API access
curl -H "Authorization: Bearer $TF_VAR_gitlab_token_secret_value" \
     "https://gitlab.com/api/v4/user"

Cloudflare API Test

# Test Cloudflare API access
curl -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
     "https://api.cloudflare.com/client/v4/user/tokens/verify"

Slack Webhook Test

# Test Slack webhook
curl -X POST -H 'Content-type: application/json' \
     --data '{"text":"Test message from Blueberry IDP setup"}' \
     "$TF_VAR_slack_webhook_url_value"

🚨 Common Issues

Issue: "Variable not set"

Cause: Missing environment variable
Solution: Add the missing variable to .env file

Issue: "Invalid token format"

Cause: Token copied incorrectly
Solution: Re-copy the token from the source

Issue: "Permission denied"

Cause: Token doesn't have required permissions
Solution: Check and update token permissions

Issue: "File not found"

Cause: .env file not in correct location
Solution: Ensure .env is in blueberry-terraform/ directory

🔒 Security Verification

  • [ ] Git Ignore - Verify .env is in .gitignore
  • [ ] File Permissions - .env file is readable only by owner
  • [ ] No Logging - Secrets are not logged in terminal history
  • [ ] Secure Storage - Secrets are stored securely (password manager)
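A pre-flight check that covers Step 2 and the Security Verification items in one run: the file exists, is readable only by its owner, is git-ignored when it sits in a repository, parses as NAME=value lines, and every required variable holds a real value rather than the template placeholder. This is an added example, not part of the project's docs; the variable names and the your-...-here convention come from the template above, and treating a run of eight or more X characters as a leftover placeholder (the Slack URL in the template) is an assumption.

```shell
#!/bin/sh
# Added example (not from the Blueberry setup docs): validate blueberry-terraform/.env
# against the checklist. Variable names are taken from the template above.

REQUIRED_VARS="TF_VAR_gitlab_oauth_client_id TF_VAR_gitlab_oauth_client_secret \
TF_VAR_gitlab_token_secret_value TF_VAR_slack_webhook_url_value \
CLOUDFLARE_API_TOKEN GOOGLE_CLOUD_PROJECT"

# Returns 0 when every check passes, 1 otherwise; each finding goes to stderr.
check_env_file() {
  file="$1"; rc=0
  [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }

  # Owner-only: columns 5-10 of ls -ld are the group/other bits and must all be '-'.
  case "$(ls -ld "$file" | cut -c5-10)" in
    ------) ;;
    *) echo "perms: $file is readable by group/other (chmod 600)" >&2; rc=1 ;;
  esac

  # Inside a git work tree the file must be ignored so it cannot be committed.
  dir=$(dirname "$file")
  if git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
    git -C "$dir" check-ignore -q "$(basename "$file")" \
      || { echo "git: $file is not covered by .gitignore" >&2; rc=1; }
  fi

  # Syntax: every non-blank, non-comment line must look like NAME=value.
  if grep -vE '^[[:space:]]*(#|$)' "$file" | grep -qvE '^[A-Za-z_][A-Za-z0-9_]*=.*$'; then
    echo "syntax: malformed assignment line in $file" >&2; rc=1
  fi

  # Each required variable: present, non-empty, and not a template placeholder.
  # Last assignment wins, matching how a shell would source the file.
  for v in $REQUIRED_VARS; do
    val=$(grep -E "^$v=" "$file" | tail -n1 | cut -d= -f2- | sed 's/^"\(.*\)"$/\1/')
    if [ -z "$val" ]; then
      echo "unset: $v" >&2; rc=1
    elif printf '%s' "$val" | grep -qE '^your-.*-here$|X{8,}'; then   # assumed placeholder pattern
      echo "placeholder: $v still holds the template value" >&2; rc=1
    fi
  done
  return $rc
}

# Usage: check_env_file blueberry-terraform/.env && echo "env OK"
```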

📊 Credential Summary

Credential Type          Required   Location        Sensitive
GitLab OAuth Client ID              .env + tfvars   No
GitLab OAuth Secret                 .env only       Yes
GitLab PAT                          .env only       Yes
Slack Webhook URL                   .env only       Yes
Cloudflare API Token                .env only       Yes
GitLab Webhook Token     Optional   .env only       Yes

⏭️ Next Steps

Once all items are checked:

  1. Double-check all sensitive values are correct
  2. Verify .env file is not committed to git
  3. Proceed to Phase 2: Infrastructure Setup

🆘 Need Help?

If you're missing any credentials:


Related: Phase 1 Overview | Phase 2: Infrastructure Setup

Document ID: setup/01-prerequisites/secrets-checklist