From cd7b2df0953f28a8b2ac4648c701cee2ed8b4a5c Mon Sep 17 00:00:00 2001
From: entlein
Date: Sun, 24 May 2026 18:34:43 +0200
Subject: [PATCH 1/2] Fix typo: cockpick-config -> cockpit-config

The kubeconfig path was misspelled in cloud_deps/provider.tf, causing the kubernetes and kustomization providers to look for the kubeconfig at ~/.kube/cockpick-config rather than ~/.kube/cockpit-config.
---
 terraform/kubernetes/cloud_deps/provider.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/terraform/kubernetes/cloud_deps/provider.tf b/terraform/kubernetes/cloud_deps/provider.tf
index 527cf2b4295..7be032f04d7 100644
--- a/terraform/kubernetes/cloud_deps/provider.tf
+++ b/terraform/kubernetes/cloud_deps/provider.tf
@@ -16,11 +16,11 @@ terraform {
 }
 
 provider "kubernetes" {
- config_path = "~/.kube/cockpick-config"
+ config_path = "~/.kube/cockpit-config"
 config_context = "default"
 }
 
 provider "kustomization" {
 context = "default"
- kubeconfig_path = "~/.kube/cockpick-config"
+ kubeconfig_path = "~/.kube/cockpit-config"
 }

From 76316d70bebbd18cdf1153e6264c5ab42fa9ac62 Mon Sep 17 00:00:00 2001
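Review bot: The kubeconfig path is still written out twice, once as `config_path` in the kubernetes provider and once as `kubeconfig_path` in the kustomization provider, which is exactly how the two copies drifted into the typo this commit fixes. A single shared value, e.g. `locals { kubeconfig_path = pathexpand("~/.kube/cockpit-config") }` referenced as `local.kubeconfig_path` from both provider blocks, keeps the two from diverging again and makes the tilde expansion explicit rather than relying on each provider to do it. The hunk covers both provider blocks completely, so the change would be confined to these lines plus a new locals block.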
From: entlein
Date: Sun, 24 May 2026 19:34:14 +0200
Subject: [PATCH 2/2] cloud_deps: read auth0 client_id/secret from terraform_remote_state

Replace the sops_file-based lookup of auth0_config.yaml with a data.terraform_remote_state.auth0 reference so the cloud_deps state can consume the live values produced by the auth0 terraform run instead of relying on a separately-encrypted committed file.

- core_resource_deps.tf: data.sops_file.auth0 -> data.terraform_remote_state.auth0
- variables.tf: new auth0_state_* vars (backend config for the remote state)
- provider.tf: drop the sops provider (no longer referenced)

Outputs expected on the auth0 state: pixie_client_id, pixie_client_secret.
---
 .../cloud_deps/core_resource_deps.tf | 15 +++++++++++----
 terraform/kubernetes/cloud_deps/provider.tf | 4 ----
 terraform/kubernetes/cloud_deps/variables.tf | 18 ++++++++++++++++++
 3 files changed, 29 insertions(+), 8 deletions(-)

diff --git a/terraform/kubernetes/cloud_deps/core_resource_deps.tf b/terraform/kubernetes/cloud_deps/core_resource_deps.tf
index 1d82f493f28..f549ffd64d4 100644
--- a/terraform/kubernetes/cloud_deps/core_resource_deps.tf
+++ b/terraform/kubernetes/cloud_deps/core_resource_deps.tf
@@ -83,8 +83,15 @@ resource "kubernetes_secret_v1" "db_secrets" {
 wait_for_service_account_token = false
 }
 
-data "sops_file" "auth0" {
- source_file = "${path.module}/../../credentials/cockpit/auth0_config.yaml"
+data "terraform_remote_state" "auth0" {
+ backend = "azurerm"
+ config = {
+ resource_group_name = var.auth0_state_resource_group
+ storage_account_name = var.auth0_state_storage_account
+ container_name = var.auth0_state_container
+ key = var.auth0_state_key
+ use_azuread_auth = true
+ }
 }
 
 resource "kubernetes_secret_v1" "cloud_auth0" {
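Review bot: The new `data "terraform_remote_state" "auth0"` block reads the entire auth0 state snapshot, not just the two outputs named in the commit message, so the identity that runs cloud_deps (with `use_azuread_auth = true`, presumably a blob-data read role on that container — worth confirming) now gets every attribute of every auth0 resource, and nothing in this hunk verifies that `pixie_client_id` and `pixie_client_secret` actually exist on that state; a missing output only surfaces later as an "Unsupported attribute" error at the secret resource. The contract is stated only in the commit message, so a short comment on the data block naming the two required outputs would help, and if the pinned Terraform version is 1.2 or later a postcondition can enforce it at the source. The `db_secrets` resource at the top of the hunk and the `cloud_auth0` resource at the bottom both extend outside it.

```hcl
data "terraform_remote_state" "auth0" {
  # … unchanged: backend / config …

  # Contract with the auth0 state: only these two outputs are consumed here.
  lifecycle {
    postcondition {
      condition     = can(self.outputs.pixie_client_id) && can(self.outputs.pixie_client_secret)
      error_message = "auth0 remote state must export pixie_client_id and pixie_client_secret."
    }
  }
}
```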
@@ -94,8 +101,8 @@ resource "kubernetes_secret_v1" "cloud_auth0" {
 }
 
 data = {
- "auth0-client-id" = data.sops_file.auth0.data["stringData.auth0-client-id"]
- "auth0-client-secret" = data.sops_file.auth0.data["stringData.auth0-client-secret"]
+ "auth0-client-id" = data.terraform_remote_state.auth0.outputs.pixie_client_id
+ "auth0-client-secret" = data.terraform_remote_state.auth0.outputs.pixie_client_secret
 }
 
 type = "Opaque"
diff --git a/terraform/kubernetes/cloud_deps/provider.tf b/terraform/kubernetes/cloud_deps/provider.tf
index 7be032f04d7..0453dc57823 100644
--- a/terraform/kubernetes/cloud_deps/provider.tf
+++ b/terraform/kubernetes/cloud_deps/provider.tf
@@ -8,10 +8,6 @@ terraform {
 source = "kbst/kustomization"
 version = "0.9.7"
 }
- sops = {
- source = "carlpett/sops"
- version = "~> 1.0"
- }
 }
 }
 
diff --git a/terraform/kubernetes/cloud_deps/variables.tf b/terraform/kubernetes/cloud_deps/variables.tf
index 88b789f3ec0..f7349926ab7 100644
--- a/terraform/kubernetes/cloud_deps/variables.tf
+++ b/terraform/kubernetes/cloud_deps/variables.tf
@@ -39,3 +39,21 @@ variable "cluster_internal_issuer" {
 variable "public_issuer" {
 default = "letsencrypt-prod"
 }
+
+# Auth0 remote state lookup — reads pixie_client_id / pixie_client_secret
+# outputs from the auth0 terraform state. All four must be supplied by the
+# caller (pipeline passes them as -var).
+variable "auth0_state_resource_group" {
+ type = string
+}
+variable "auth0_state_storage_account" {
+ type = string
+}
+variable "auth0_state_container" {
+ type = string
+ default = "tfoscaas-0001"
+}
+variable "auth0_state_key" {
+ type = string
+ default = "auth0-ckp2.tfstate"
+}
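Review bot: `outputs.pixie_client_secret` is passed straight into the `data` map of `kubernetes_secret_v1.cloud_auth0`; whether a `sensitive = true` marking on the auth0 side survives the remote-state read depends on the Terraform version in use, so it is safer not to rely on it. If the pinned version is 0.15 or later, `"auth0-client-secret" = sensitive(data.terraform_remote_state.auth0.outputs.pixie_client_secret)` guarantees the value is redacted in plan and apply output wherever it is referenced, independent of the provider's own schema marking. The `cloud_auth0` resource starts above this hunk, and the previous hunk in the same file carries the data-source side of the change.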
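Review bot: The header comment added to variables.tf says "All four must be supplied by the caller", but `auth0_state_container` and `auth0_state_key` carry defaults (`tfoscaas-0001`, `auth0-ckp2.tfstate`), so a pipeline that omits `-var auth0_state_key=...` silently reads what looks like one specific environment's state instead of failing. Either remove those two defaults so the comment holds and every environment must name its state key explicitly, or reword the comment to `# resource_group and storage_account are required; container/key default to the ckp2 state.` so it matches the code. Each of the four variables would also benefit from a `description` so a missing value is reported with its purpose.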