
Conversation

brettcurtis (Member) commented Sep 1, 2025

Summary by CodeRabbit

  • New Features

    • Enforced encryption for both plan and state using a managed key for improved security.
    • Standardized provider configuration for Datadog using variables.
  • Refactor

    • Consolidated Terraform/provider setup into a dedicated configuration, simplifying structure.
  • Chores

    • Removed obsolete top-level blocks and a forced-apply workaround.
    • Cleaned up commented bootstrapping configuration.
    • Retained existing integration and project/IAM modules without functional changes.

@brettcurtis brettcurtis requested a review from a team as a code owner September 1, 2025 12:48

coderabbitai bot commented Sep 1, 2025

Walkthrough

Splits provider and Terraform configuration out of main.tofu into providers.tofu. Removes top-level terraform, provider (datadog/google), and null_resource force_apply from main.tofu while keeping module usages intact. Adds encryption (GCP KMS, AES-GCM) and required_providers plus datadog provider configuration in providers.tofu; google provider remains commented.

Changes

| Cohort / File(s) | Change summary |
| --- | --- |
| Root module cleanup: main.tofu | Removed top-level terraform block (state/plan encryption and guidance), removed provider "datadog" and commented "google" provider, removed null_resource "force_apply". Module blocks for Datadog integration and GCP project/IAM unchanged. |
| Providers and encryption configuration: providers.tofu | Added terraform.encryption (GCP KMS key provider, AES-GCM method) with enforced plan/state encryption; added required_providers (datadog, google, null); added provider "datadog" using variables; added commented bootstrapping provider "google". |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • Migrate to OpenTofu #297 — Also modifies root Terraform files (main.tofu) and provider/bootstrap configuration, indicating a coordinated change to provider setup and initialization.

coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (5)
providers.tofu (5)

20-37: Pin minimum OpenTofu version to guard feature availability.

Add required_version so CI fails fast if an older CLI without encryption support runs.

 terraform {
+  required_version = ">= 1.8.0"
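Review bot: `required_version` in this hunk is a CLI-version constraint, so it is not covered by the project's practice of letting `.terraform.lock.hcl` and Dependabot manage provider versions (see the learning applied to providers.tofu below); if it is adopted, add a one-line comment naming the encryption feature the floor exists for, so a later reader knows what must be retested before lowering it, and confirm the CI runners' OpenTofu version satisfies the floor before merging, otherwise the first run after merge fails immediately.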

44-49: Cosmetic: fix Datadog docs link casing.

Use lowercase org in the comment URL to match the source string and avoid redirects.

-    # https://search.opentofu.org/provider/DataDog/datadog/latest/docs
+    # https://search.opentofu.org/provider/datadog/datadog/latest/docs

64-67: Harden Datadog secrets handling.

Ensure variables are marked sensitive and not defaulted in repo; env vars also work as a fallback (DATADOG_API_KEY/APP_KEY).

Outside this file:

# One attribute per line: HCL does not accept comma-separated attributes inside a block body.
variable "datadog_api_key" {
  type      = string
  sensitive = true
}

variable "datadog_app_key" {
  type      = string
  sensitive = true
}

69-77: Commented google provider stub: consider moving to docs or .tfdisabled.

Keeps providers.tofu lean while retaining bootstrap guidance. Optional.


39-61: Drop the unused null provider.

No null_resource or provider "null" references found in the codebase, so you can safely remove the null block from required_providers.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

  • MCP integration is disabled by default for public repositories
  • Jira integration is disabled by default for public repositories
  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between d389106 and dfc86c1.

📒 Files selected for processing (2)
  • main.tofu (0 hunks)
  • providers.tofu (1 hunks)
💤 Files with no reviewable changes (1)
  • main.tofu
🧰 Additional context used
🧠 Learnings (2)
📓 Common learnings
Learnt from: brettcurtis
PR: osinfra-io/google-cloud-kubernetes#55
File: regional/main.tf:0-0
Timestamp: 2024-10-08T15:39:14.063Z
Learning: When suggesting changes to Terraform module references, ensure to use specific version tags for stability and reproducibility. The user, brettcurtis, prefers using specific version tags for Terraform module references.
Learnt from: brettcurtis
PR: osinfra-io/google-cloud-kubernetes#55
File: regional/main.tf:0-0
Timestamp: 2024-07-14T11:40:35.132Z
Learning: When suggesting changes to Terraform module references, ensure to use specific version tags for stability and reproducibility. The user, brettcurtis, prefers using specific version tags for Terraform module references.
📚 Learning: 2024-10-12T15:53:20.695Z
Learnt from: brettcurtis
PR: osinfra-io/google-cloud-kubernetes#150
File: regional/cert-manager/main.tf:5-22
Timestamp: 2024-10-12T15:53:20.695Z
Learning: In this project, `.terraform.lock.hcl` and Dependabot are used to manage the provider versions, so specifying version constraints in the `required_providers` block isn't necessary.

Applied to files:

  • providers.tofu
🔇 Additional comments (2)
providers.tofu (2)

1-7: Nice separation and clarity.

Moving encryption/provider setup out of main and adding bootstrap notes improves organization.


11-18: Remove list wrapping for aes_gcm keys — OpenTofu’s method "aes_gcm" accepts a single key-provider reference (keys = key_provider.gcp_kms.default), and kms_encryption_key is the correct attribute name.

Likely an incorrect or invalid review comment.
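The configuration the walkthrough and the review comments above describe, written out as an added example; it is not the repository's providers.tofu. It combines the enforced GCP KMS / AES-GCM state and plan encryption, the `required_version` floor suggested in the first nitpick, and the sensitive Datadog variables from the third. The KMS key resource name is a placeholder, the version floor and the variable names `datadog_api_key` / `datadog_app_key` are assumptions, and provider version constraints are omitted deliberately because the project's lockfile and Dependabot manage them.

```hcl
# Added example, not the repository's providers.tofu.
terraform {
  # Suggested in the review above; the exact floor is an assumption,
  # pick the version your CI runners actually ship.
  required_version = ">= 1.8.0"

  encryption {
    # Key material is wrapped by a Cloud KMS key; the resource name is a placeholder.
    key_provider "gcp_kms" "default" {
      kms_encryption_key = "projects/PROJECT_ID/locations/global/keyRings/KEYRING/cryptoKeys/KEY"
      key_length         = 32 # bytes of key material, i.e. AES-256
    }

    # A single key-provider reference, as the review comment notes (no list wrapping).
    method "aes_gcm" "default" {
      keys = key_provider.gcp_kms.default
    }

    # enforced = true makes tofu refuse to read or write unencrypted state.
    state {
      method   = method.aes_gcm.default
      enforced = true
    }

    # Plan files carry the same secrets as state, so they get the same treatment.
    plan {
      method   = method.aes_gcm.default
      enforced = true
    }
  }

  # No version constraints here: .terraform.lock.hcl and Dependabot manage them.
  # The unused null provider is left out, per the review above.
  required_providers {
    datadog = {
      source = "DataDog/datadog"
    }
    google = {
      source = "hashicorp/google"
    }
  }
}

# Secrets come from variables marked sensitive with no defaults in the repo;
# the DATADOG_API_KEY / DATADOG_APP_KEY environment variables are the fallback.
variable "datadog_api_key" {
  type      = string
  sensitive = true
}

variable "datadog_app_key" {
  type      = string
  sensitive = true
}

provider "datadog" {
  api_key = var.datadog_api_key
  app_key = var.datadog_app_key
}
```

Two checks are worth doing after merging a change like this. First, the identity running `tofu` needs permission to encrypt and decrypt with the key (`roles/cloudkms.cryptoKeyEncrypterDecrypter` on the key, not project-wide), and that grant should be scoped to the CI and bootstrap identities only, since whoever can use the key can read the state. Second, after the first apply, inspect the stored state object: with encryption active it should contain an `encrypted_data` field rather than a plaintext `resources` list. If the backend already holds an unencrypted state, the first run needs a migration step (OpenTofu's `fallback` block for the state method); with `enforced = true` and no fallback, reading the plaintext state is rejected.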

@brettcurtis brettcurtis merged commit a95ec0b into main Sep 1, 2025
8 of 9 checks passed
@brettcurtis brettcurtis deleted the encrypt branch September 1, 2025 12:59