feat: migrate to AWX and shared workflows

- Replace plan.yml/apply.yml with shared opentofu.yml workflow
- Update libvirt provider to >= 0.9.0
- Rename aap_* secrets to awx_* for AWX migration
- Add aap_inventory_name = libvirt to modules
- Add keyfile to libvirt_uri for SSH auth
- Align pre-commit-config with other repos
- Fix missing newlines in cloud-init files

Author: xnoto

.github/workflows/apply.yml

@@ -0,0 +1,25 @@
+name: OpenTofu
+
+on:
+  pull_request:
+    branches:
+      - main
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  opentofu:
+    uses: makeitworkcloud/shared-workflows/.github/workflows/opentofu.yml@main
+    with:
+      runs-on: arc-dind
+      container: image-registry.openshift-image-registry.svc:5000/public-registry/terraform-runner:latest
+      setup-ssh: true
+    secrets:
+      SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
+      SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
+      SSH_KNOWN_HOSTS: ${{ secrets.SSH_KNOWN_HOSTS }}

.github/workflows/opentofu.yml

@@ -1,15 +1,9 @@
 repos:
-- repo: https://github.com/pre-commit/pre-commit-hooks
-  rev: v6.0.0
+- repo: https://github.com/compilerla/conventional-pre-commit
+  rev: v4.0.0
   hooks:
-    - id: check-case-conflict
-    - id: check-merge-conflict
-    - id: check-symlinks
-    - id: check-vcs-permalinks
-    - id: destroyed-symlinks
-    - id: detect-private-key
-    - id: mixed-line-ending
-    - id: trailing-whitespace
+    - id: conventional-pre-commit
+      stages: [commit-msg]
 - repo: https://github.com/antonbabenko/pre-commit-terraform
   rev: v1.104.0
   hooks:
@@ -35,3 +29,15 @@ repos:
     - id: terraform_docs
       args:
         - --args=--config=.terraform-docs.yml
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v6.0.0
+  hooks:
+    - id: check-case-conflict
+    - id: check-merge-conflict
+    - id: check-symlinks
+    - id: check-vcs-permalinks
+    - id: destroyed-symlinks
+    - id: detect-private-key
+    - id: end-of-file-fixer
+    - id: mixed-line-ending
+    - id: trailing-whitespace

.github/workflows/plan.yml

@@ -56,7 +56,7 @@ migrate:
 	@${TERRAFORM} init -migrate-state -backend-config="key=${S3_KEY}" -backend-config="bucket=${S3_BUCKET}" -backend-config="region=${S3_REGION}" -backend-config="access_key=${S3_ACCESS_KEY}" -backend-config="secret_key=${S3_SECRET_KEY}"
 
 test: .git/hooks/pre-commit
-	@OPENTOFU_BACKEND=false pre-commit run -a
+	@pre-commit run -a
 
 DEPS_PRE_COMMIT=$(shell which pre-commit || echo "pre-commit not found")
 DEPS_TERRAFORM_DOCS=$(shell which terraform-docs || echo "terraform-docs not found")

.pre-commit-config.yaml

@@ -1,2 +1,2 @@
 instance-id: ${hostname}
-local-hostname: ${hostname}
+local-hostname: ${hostname}

Makefile

@@ -5,4 +5,4 @@ ethernets:
   ens4:
     dhcp4: false
     addresses:
-      - ${private_ip_addr}/24
+      - ${private_ip_addr}/24

cloud-init/meta_data.cfg

@@ -22,6 +22,7 @@ module "runner" {
   private_ip_addr                   = data.sops_file.secret_vars.data["runner_ip_addr"]
   proxyhost                         = data.sops_file.secret_vars.data["proxyhost"]
   enable_aap                        = true
+  aap_inventory_name                = "libvirt"
 }
 
 module "torwww" {
@@ -38,4 +39,5 @@ module "torwww" {
   private_ip_addr                   = data.sops_file.secret_vars.data["torwww_ip_addr"]
   proxyhost                         = data.sops_file.secret_vars.data["proxyhost"]
   enable_aap                        = true
+  aap_inventory_name                = "libvirt"
 }

cloud-init/network_config.cfg

@@ -6,10 +6,10 @@ terraform {
   required_providers {
     libvirt = {
       source  = "dmacvicar/libvirt"
-      version = ">= 0.8.2"
+      version = ">= 0.9.0"
     }
     aap = {
-      source  = "ansible/aap"
+      source  = "registry.terraform.io/ansible/aap"
       version = ">= 1.3.0"
     }
     sops = {
@@ -24,9 +24,9 @@ provider "libvirt" {
 }
 
 provider "aap" {
-  host     = data.sops_file.secret_vars.data["aap_controller"]
-  username = data.sops_file.secret_vars.data["aap_username"]
-  password = data.sops_file.secret_vars.data["aap_password"]
+  host     = data.sops_file.secret_vars.data["awx_controller"]
+  username = data.sops_file.secret_vars.data["awx_username"]
+  password = data.sops_file.secret_vars.data["awx_password"]
 }
 
 provider "sops" {}

main.tf

@@ -1,28 +1,28 @@
-proxyhost: ENC[AES256_GCM,data:/icWDAmtkvSxjDtHs/yBkzunpdi4RhtWSOo=,iv:JYGLJ+eJnzu/pd2xaheb08sc9JLgFzm3YNad7RpR+tw=,tag:Q2qSa1uRp1JuxQktB8sj6Q==,type:str]
-aap_controller: ENC[AES256_GCM,data:Rwxynd3UKvjswQbV9i9vMLpZFumV7Hdixu88Mj2EYq4=,iv:U6aQYm/0OfmBJAph1/4g7q+ZR6q7vYZwzmOwlqD4ZYI=,tag:0r/0x+/yjqkajH63a5o5/w==,type:str]
-aap_username: ENC[AES256_GCM,data:ocx+igg=,iv:a9/NUR8KsCreLk1o9WEVPdu9eQqqiuLySyQXP3GZKso=,tag:NAG+LeZeU8JzqMkktK3YDA==,type:str]
-aap_password: ENC[AES256_GCM,data:/9RTHF/jsRiMfAbAC/DFj0pqxIjuLBXIFrHHYNefJtg=,iv:2RJxCIAScikrDJKoLvYnehQRS1P2F09u05mX3Dy007Y=,tag:YhLoeqXrsIlKFIUOYY7tbw==,type:str]
-torwww_ip_addr: ENC[AES256_GCM,data:XVsdB2WISbDu1/30hIA=,iv:m7k8+Nc2JvMmpXV2tIe505ke9CfGoxW/P2x63XVGA6Y=,tag:GUzkHEMHCBbLgwIc4Xm4mg==,type:str]
-runner_ip_addr: ENC[AES256_GCM,data:S+WZkRpT5fcr8VXqlYA=,iv:iUNQdnEImzFT2U36j2LT7a7dmlVXn1xCUslJhVGAICU=,tag:Qz2PFOXeXSLkQE5zzJlRvQ==,type:str]
-ssh_admin_pubkey: ENC[AES256_GCM,data:6DCqXStCEBbEr2KHVP/DsTaipw+6W8kQfjHfhOWLQSuYyo8TnSgfyKpmju3s5LJOH6po2nqKAu9pxQks6r9z98KWi/zMIhWF2oyuPXX8eZwT7u8H8QwKyP0zOqgVeHYK/lhFf9E13MB38f0YEL/oCiweahHCuRe95y5D7AaDccdz1CEZfxVkyLXPle6Ei4jOjWyYwSatLPoGKfhLYuvR3jhHg5synvmeh8WjCWCFAWy2jz3xYyIFejNd6SAJQE1Yr8a9XHrYbDABIkCT+YrRCAC6ODqecJ1yHE8wDSfLUmowkYA9UIIbVgxm47bBNWwB/0OArJHJDSMMVDPdK+CulyJcvUEuVMU5V9vPEtdQ3wZhboS/tEDIqCFvbAo6V5J4/Sl29Tk3kDwi6d/rAGDkQqNQhwy22f/HUXyfySIhXJ3T0F+LQvx+nkGOlmqF31v6iTBFLaswbLAn1L99OyjUCwZEGEXaXgJts2u+Oe3DHga6Vc0doG/1gmQBIRUhi7lLwEf0iL6R/jsEQd4qDnZz5rTno0v/GTbRnhOOecdUcTWcizHscgIveWGiiOAdLW2LWuXJa6sGCzzQTCk1DCCKo0QJCiw4BlwQZUzpt5dc5SirdDsU6M8IiP9ZjBF8uEQmvcpuDX8pM0M+5qSwLc7lJDlY6Wip80nRd5yQNTQNibAOXtZk5IQDrHJ7a3iR8h2dS51vw7wDBhuJRzzaaOMBBmB0C7/kvqx498hoa2XjL2Z6JYYtW3TxXX391ZdfS+TXdAwDTvZpWJZ9rWpuHsEZvXS8NgjmGMz5yG8cDCJEimCbdpC6QLx61czNXRV1IGufHXPtz8ctdZniIuGkwS57LX27mcpeqteTONc9aeiSTF9XWLjQaS8Ni/XELWcV+MjYy0Atrm0TGD8mTXxx0DCD02CPvW5qtG/qyfU0XMryESeX8NMOhLD8fTyDBYwTPIlouOJJGA==,iv:gT01Y/zgwlM6abfxROZJNMBe3gN1E3sSm3M9Sf836bQ=,tag:AX3pGSI00sFg9JtHiZXvSw==,type:str]
-libvirt_uri: ENC[AES256_GCM,data:T6LmWPhu5q/or41NgVEyAYGPrgfNf28TQcY0NQ4Fk1OYVgrDd/cOZdyJzEBSMbTBtDV7yAYrr329wDqB,iv:lHVJ313PLOhqjyY0Mt6h2t6oDkjDu1Wo+0p65HrrSgM=,tag:bzejrUSqqr2uqaFnEAXecQ==,type:str]
-s3_bucket: ENC[AES256_GCM,data:+MQgHNBrA9uo/QZcZRxjQy1xrLqp,iv:MATvS4d0BbJNw0wGIUkLOPUK1E7oQZvkC3tls5dT4fg=,tag:zQEgGmyTCpPMwtJEmgMG2Q==,type:str]
-s3_key: ENC[AES256_GCM,data:MnSLvEUyD3TpAetiOeh9mA==,iv:IzbWRtPZJAXWSG7/+4vpWyNLWnAsqJkDtSsu3rMiCvg=,tag:c7N6RDnxZDqDsfju5ZsDWQ==,type:str]
-s3_region: ENC[AES256_GCM,data:bW9LX1MvGLUW,iv:XsmnFQ7xqKnOeAwQ6Fgyexvn9YXQIDtZTJm1PJYckxA=,tag:95El6ki7awk1iwswHGgHYg==,type:str]
-s3_access_key: ENC[AES256_GCM,data:XY7zjs5rrmai3B89291zyze9zSY=,iv:e4Hm9RDSYaikfj2xZarCWCiOM9PKjx/6b397g/oYv7Q=,tag:mEisqO8fLSfmWyp//mx4Ug==,type:str]
-s3_secret_key: ENC[AES256_GCM,data:phGSI2mGnPDMGgCZ5iAT6ZFqwiB6MAMmB5TTAY4Rzu8cL1o3/GQ7hg==,iv:Z/MLAm+l6awU7BZtv/mhSCdUKEL18rrlU7ohazKIuaY=,tag:4JTx40ysaMMV/snNV0oLLg==,type:str]
+proxyhost: ENC[AES256_GCM,data:LeAR5fm+FVBhPQbUMldvYAdp2JU9I6O6eog=,iv:QNZe0OIVfqepmNz90XySziJvJit82I6uFS+3mBq7nSY=,tag:IskeIIWDwE8i1jwl0n44HQ==,type:str]
+torwww_ip_addr: ENC[AES256_GCM,data:g8wz/KtzZ9Vh01VfPgw=,iv:6rrx9IzoD3CenJEC6lMhb/DbQgeR1/YptPt9W3UWFGI=,tag:1DyH/NrPO4U+GMwZWNed1w==,type:str]
+runner_ip_addr: ENC[AES256_GCM,data:hGhUN/UZkLB17+zskW0=,iv:HHgLXBDCtM+tVAkdBb/aJFLaWuWLMNRUMphjC8MjHNQ=,tag:5C9P9WxR2nJKlco1OGwgOg==,type:str]
+ssh_admin_pubkey: ENC[AES256_GCM,data:Yir4qZwormceT2M5Mr5/nrNqis4qiNDVJY2HSsOnKu+suATI+KB0NNoaj32moWzQs1GGUj2ygbB0Dy6Eg5qyAbvWG0bj+kVsXunkoOI50yRZwGUZMrDFeqSBhIUFnGvg17x5uNtHdvEMj2pcfymRGgi9h/WgaCo9eOzOCEMtCdJddrNIWamUNBMo4e/JsAPB9NYa5UBcKU6hVSNyKXb7GVxNWP6Y9r/ZlWidxVrECjZr1nQFpvRpAxOTn8qKfBDBgSJD5bDWc3XCfQh5E+9UDQU8buH9hGeXJQIXXkh5JStEzum6+8jhcdCOQfNoSGH9y0wWx7m2upccZTC+vLtkhGZRdfBXZHfLSqGbtKYRUFR0RbVHcTxEjdv7fjIZA7mj8kLEEGCW5fbiA7LTe4Zxj51XvQ3nh8R3vhkssrX1zq6zwv5dwgEc1TEM1e4Q8ECgQsYQyDHtWcjAEwHOSGpQlrHt6+t/xa756+LCK00maqddeGnmFiowfBxgyDoyIRatu5auSfiYRFHfizudfZshkcRMEhnBb6K3Gheeclvn2obbotBReXQS71tXOjrLdd7Zzby+caaeJ76Mvwg+u6wiIpZWyI/zG1aOCSF4GtnDN6CMrpagey33h9lzFwO2cls9pCwXYZzvOSrf0l9DdQyV/UMvedtXIT0XsJ+Yrn/AhN41yVYWrrSYN8f3dqvWf0Ueg7abR1vjiRubbjK3ENlzddIYv8lDERI/waI/i4GJl49JF0X0Ux5GBfQl4UvEbGoy4P6TGujAqdiZdw56s6NhpxuyChiSkUp+sQVgjlqpHpKOtJ8LR84jUZgnDWnJ4xcxFe6NtxPRdmEqJ6IwL+aKLWgt4xzjWxVTolhxZMFH/R0p/SItlgjPYaIfx4EbJTYrMvM4LVK+Oe2xVLindyR/LUWHaevs/gXqLH7On1w+hIhWHnbqNXrgLrF9m18SFq1k2v/xyQ==,iv:ayzcRvxzKc+x3dgYMZrzr8QOq/Zsapb+W+RTgQ44WhE=,tag:zy062T9+EwFgRCg1YVdy1Q==,type:str]
+libvirt_uri: ENC[AES256_GCM,data:YHyZjDd065W2t2kdP+7kysYtrwSRvJiCfXmqJxlKJnDGjoQf+gRzqb4hE2wlWVbrzMcYDheNQcKGFglyN6yi/34mHi1tLW9tSBZrSjuTp+njWA==,iv:+YoLFO3hbROrGJOHw3dQBmSc3zITyr3mb0dHR+7nRe4=,tag:UB4JtVkKaQWB1V7H2W/ayA==,type:str]
+s3_bucket: ENC[AES256_GCM,data:ZP5MpWzjM3iZsiNL21y6j+k7Fq4O,iv:BhER0FjvQJYQAO1g4ngitu+Yx3Cw9reGOUFgWWOZ0nA=,tag:gUJyIkUgGJluYeQDB7FJXg==,type:str]
+s3_key: ENC[AES256_GCM,data:zx49aN4VuY4ejdFASJAA3w==,iv:0AJGsg7uG2ekmPK/Wu/EHcreP1JJsQObOlNDAjeeUwk=,tag:eSU5dHZM4RcjVDCSeJTvZA==,type:str]
+s3_region: ENC[AES256_GCM,data:XW+G7meDa6DY,iv:otrxE/N2I+K/j0ScPfB7FJfla1FQJywWV/9UVkXhQOg=,tag:TDSFSVWrmxdogPd15mrFWQ==,type:str]
+s3_access_key: ENC[AES256_GCM,data:bX0xzUN8F/9Lik3+dl3ETfOuEqs=,iv:zy0Yt78q5kY8FmJ1EAzS9x/89WMjnlHE/zwzwHqm1hA=,tag:zHLYG5RUCFnlaL9Dc52Kdw==,type:str]
+s3_secret_key: ENC[AES256_GCM,data:XaCjZ4JtlG7tyvD0mOY0gG8yigNOYTSpFFPJEfYtkDCVX4CMbWwfjA==,iv:+dwvmpTAOPA++NsRwmiS/oH5xjx430W45bgVsObQOm0=,tag:6I88iVbyth1MI88+6UZi8Q==,type:str]
+awx_controller: ENC[AES256_GCM,data:dCaEGKwFg2DbldF4zpJwrZOypTvxMy2/lI3izJ2gmrk=,iv:mwc8HryS9ERmlnuTrsDlPStxGjK7p3PhmD8RFiAUeoE=,tag:h50Xky7N23wifuYaOXLe8Q==,type:str]
+awx_username: ENC[AES256_GCM,data:ppSLWlU=,iv:VQxpWSHWmHm5zxatXFGcqu66NR8HaP7VnMOka94+P6o=,tag:/CamONaLQcPeSvfSWrWSYw==,type:str]
+awx_password: ENC[AES256_GCM,data:JSd6lrCmWPaBLVULcqB4rouTisudVHQVYlwmIZynKl0=,iv:wTVwZcBVazXkjHFnfJasyBNCni+el2GUAIJOHgWcisE=,tag:miWK7wWE1JFFxILni0HKLg==,type:str]
 sops:
     age:
         - recipient: age152ek83tm4fj5u70r3fecytn4kg7c5xca24erjchxexx4pfqg6das7q763l
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqa1V4WGpuWGVlY2xMcVk5
-            QlJFeHk3ZjdrcVpnRDFRSmlRQ2FTZnE4WTFRCjQ5UmRONDV3a2xTc3Mya0wvekN6
-            RmJrQ09nZzk4VkZxRGlremcrUWU1Z2MKLS0tIHpFZFVpV3lpOUJNSDFwdDRpazJK
-            d2pVcDh3cDNqY1gzSVR5Z2NXcld1Qm8KRdv8vKhMBi1R8fGIphdmY4pfHV1sAqSb
-            nAXWA6Ut5/KAPIluSnBtWFkcakulcXYT01XorziztVS0X4nJDzEvMg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRV0dFc0hiKzQ0TnVRdFUz
+            aE5iMkE3S3R2dFZPZnhsSFBTZ3N4RFJiQVQ4CmhwclZ4dUQyYVdvZHhUMkxJM0dL
+            MTFBaitmS1ROVDFPRWU5eWdGZ2NKQlkKLS0tIDlaemNHRGpxM2MvQVNOdnlvL0NW
+            Zjc3NWxtVWNSYmQrTTNOTC9qUktrREUKGcow4vWQub9YwDJiemIppgpfFFWQyyKA
+            UDHzLiAbqLTHKiWr76XTA8rT9DMmoPBm2mLA1m3QlNvPbvW1qQ73Xw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-09-30T04:30:10Z"
-    mac: ENC[AES256_GCM,data:8cu+EgGa1t2W3S0U3fEZ1rCLSYx/0yNQY1sWOZXMaRJIQCR5R5z6rEjpfsyOUC96Wp0rSoUaEZKVqMtLYIM5snYJxsvb9xm5MXUk6hdOWulegICNlqeSZlgUDRKaOU50T7wWLSB7s0+g/r7LNVcE/jNq8YJkZCHWDUquayTevZU=,iv:qUlG4dno3HYEd+hinhECQdmCStX5jF6gTuVb/wUMbMk=,tag:BMn2+CSJn7pdOscRvFINfw==,type:str]
+    lastmodified: "2025-12-22T00:50:43Z"
+    mac: ENC[AES256_GCM,data:ZCOcQgIYB+CG5vI5O4cQ/3YWci5l2GfvP4Tn222pNFP+rm/dZvnuc5/xcTvahCS+WTPH36jI2H2qOL/4MpvwKZqgkNrEdhW25YCPGlceN8sEAqrx8oQ3DTfFu5bBbzN9SXkDz4nr2W6xoBNwciCb66BwW8IYcVD1iKL0Bmte61c=,iv:CtdWpLQ9KfTUy39v/qU22cg/dBhwNHYUP0FgMsIMAak=,tag:u5n33dP5/e+9B1HYs7X22Q==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.10.2