fix: add missing Keycloak variables to destroy workflow

Author: USHER-PB

lgtm-stack/terraform/grafana.tf

@@ -223,7 +223,6 @@ resource "grafana_data_source" "tempo" {
 #
 # REQUIRES: Grafana OSS with accesscontrol feature flag enabled
 # (set GF_FEATURE_TOGGLES_ENABLE: accesscontrol in grafana-values.yaml)
-# OR Grafana Enterprise.
 
 resource "grafana_data_source_permission" "loki" {
   for_each = toset(var.tenants)
@@ -235,8 +234,8 @@ resource "grafana_data_source_permission" "loki" {
   }
 
   depends_on = [
-    helm_release.grafana,
-    null_resource.wait_for_grafana
+    grafana_data_source.loki,
+    grafana_team.tenants
   ]
 }
 
@@ -250,8 +249,8 @@ resource "grafana_data_source_permission" "mimir" {
   }
 
   depends_on = [
-    helm_release.grafana,
-    null_resource.wait_for_grafana
+    grafana_data_source.mimir,
+    grafana_team.tenants
   ]
 }
 
@@ -265,8 +264,8 @@ resource "grafana_data_source_permission" "prometheus" {
   }
 
   depends_on = [
-    helm_release.grafana,
-    null_resource.wait_for_grafana
+    grafana_data_source.prometheus,
+    grafana_team.tenants
   ]
 }
 
@@ -280,8 +279,8 @@ resource "grafana_data_source_permission" "tempo" {
   }
 
   depends_on = [
-    helm_release.grafana,
-    null_resource.wait_for_grafana
+    grafana_data_source.tempo,
+    grafana_team.tenants
   ]
 }
 
@@ -301,6 +300,27 @@ resource "grafana_folder" "tenants" {
   ]
 }
 
+# ---- Global Data Sources (Cluster Admins) -----------------------
+# These data sources point to the "default" tenant where 
+# infrastructure metrics and logs are stored.
+# Restricted to the grafana-admins team.
+
+resource "grafana_data_source" "global_loki" {
+  name = "Global-Loki"
+  type = "loki"
+  url  = "http://monitoring-loki-gateway:80"
+  http_headers = { "X-Scope-OrgID" = "default" }
+  depends_on = [helm_release.grafana, null_resource.wait_for_grafana]
+}
+
+resource "grafana_data_source" "global_mimir" {
+  name = "Global-Mimir"
+  type = "prometheus"
+  url  = "http://monitoring-mimir-nginx:80/prometheus"
+  http_headers = { "X-Scope-OrgID" = "default" }
+  depends_on = [helm_release.grafana, null_resource.wait_for_grafana]
+}
+
 resource "grafana_folder_permission" "tenants" {
   for_each = toset(var.tenants)
 

lgtm-stack/terraform/main.tf

@@ -221,6 +221,12 @@ module "cert_manager" {
   issuer_namespace   = var.namespace
   ingress_class_name = var.ingress_class_name
 
+  # Pass GKE credentials for module-internal providers
+  gke_endpoint       = var.gke_endpoint
+  gke_ca_certificate = var.gke_ca_certificate
+  project_id         = var.project_id
+  region             = var.region
+
   # Ensure namespace exists before issuer creation (handled inside module)
 }
 
@@ -233,6 +239,12 @@ module "ingress_nginx" {
   release_name          = var.nginx_ingress_release_name
   namespace             = var.nginx_ingress_namespace
   ingress_class_name    = var.ingress_class_name
+
+  # Pass GKE credentials for module-internal providers
+  gke_endpoint       = var.gke_endpoint
+  gke_ca_certificate = var.gke_ca_certificate
+  project_id         = var.project_id
+  region             = var.region
 }
 
 # Loki