askrella · steve-hb · Oct 5, 2025 · Oct 5, 2025 · Oct 5, 2025
diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
@@ -1,3 +1,3 @@
 name: Lint

 on:
@@ -23,7 +23,7 @@
         path: ~/.tflint.d/plugins
         key: ${{ matrix.os }}-tflint-${{ hashFiles('.tflint.hcl') }}
 
-    - uses: terraform-linters/setup-tflint@v4
+    - uses: terraform-linters/setup-tflint@v6
       name: Setup TFLint
       with:
         tflint_version: v0.52.0

diff --git a/.github/workflows/quality_gates.yml b/.github/workflows/quality_gates.yml
@@ -1,3 +1,3 @@
 name: Quality Gates

 on:
@@ -21,7 +21,7 @@
       - name: Setup Terraform
         uses: hashicorp/setup-terraform@v3
         with:
-          terraform_version: "1.10.3"
+          terraform_version: "1.13.3"
 
       - name: Remove S3 backend from Terraform
         run: sed -i '/backend \"s3\" { /,/}/d' terraform.tf

diff --git a/terraform/cloudflare/cloudflare.tf b/terraform/cloudflare/cloudflare.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     cloudflare = {
       source  = "cloudflare/cloudflare"
-      version = ">= 4.49.1"
+      version = ">= 5.11.0"
     }
   }
 }
@@ -67,20 +67,19 @@ resource "cloudflare_load_balancer_pool" "pool" {
   name    = "monitoring-cluster-pool"
   monitor = cloudflare_load_balancer_monitor.monitor[0].id
 
-  dynamic "origins" {
-    //TODO: when ipv6 is enabled, us it; fallback to ipv4
-    for_each = { for i, addr in var.ipv6_addresses : i => addr }
-    content {
-      name    = "node-${origins.key}"
-      address = "node-${origins.key}.${var.domain}"
-      header {
-        header = "Host"
-        values = ["node-${origins.key}.${var.domain}"]
+  origins = [
+    for i, addr in var.ipv6_addresses : {
+      name    = "node-${i}"
+      address = "node-${i}.${var.domain}"
+
+      header  = {
+        host = ["node-${i}.${var.domain}"]
       }
+
       enabled = true
       weight  = 1
     }
-  }
+  ]
 
   account_id = var.cloudflare_account_id
 }
@@ -89,10 +88,12 @@ resource "cloudflare_load_balancer_pool" "pool" {
 data "cloudflare_zone" "domain" {
   count = var.cloudflare_api_token == "" ? 0 : 1 # Option to disable by providing no token
 
-  name = var.base_domain
+  filter = {
+    name = var.base_domain
+  }
 }
 
-resource "cloudflare_record" "monitoring_nodes_ipv6" {
+resource "cloudflare_dns_record" "monitoring_nodes_ipv6" {
   count   = var.cloudflare_api_token == "" ? 0 : length(var.ipv6_addresses)
   zone_id = data.cloudflare_zone.domain[0].id
   name    = "node-${count.index}.${var.domain}"
@@ -102,7 +103,7 @@ resource "cloudflare_record" "monitoring_nodes_ipv6" {
   ttl     = 60
 }
 
-resource "cloudflare_record" "monitoring_nodes_ipv4" {
+resource "cloudflare_dns_record" "monitoring_nodes_ipv4" {
   count   = var.cloudflare_api_token == "" ? 0 : length(var.ipv4_addresses)
   zone_id = data.cloudflare_zone.domain[0].id
   name    = "node-${count.index}.${var.domain}"
@@ -118,8 +119,8 @@ resource "cloudflare_load_balancer" "lb" {
 
   zone_id          = data.cloudflare_zone.domain[0].id
   name             = var.domain
-  default_pool_ids    = [cloudflare_load_balancer_pool.pool[0].id]
-  fallback_pool_id    = cloudflare_load_balancer_pool.pool[0].id
+  default_pools    = [cloudflare_load_balancer_pool.pool[0].id]
+  fallback_pool    = cloudflare_load_balancer_pool.pool[0].id
   enabled          = true
   proxied          = true
   session_affinity = "cookie"

diff --git a/terraform/cluster/docker/alloy.tf b/terraform/cluster/docker/alloy.tf
@@ -1,5 +1,5 @@
 resource "docker_image" "alloy" {
-  name         = "grafana/alloy-dev:v1.7.0-devel-adf80dbfe"
+  name         = var.alloy_image
   keep_locally = true
 
   depends_on = [null_resource.docker_network]

diff --git a/terraform/cluster/docker/caddy.tf b/terraform/cluster/docker/caddy.tf
@@ -1,5 +1,5 @@
 resource "docker_image" "caddy" {
-  name         = "caddy:2.9"
+  name         = "caddy:${var.caddy_version}"
   keep_locally = true
 
   depends_on = [null_resource.docker_network]

diff --git a/terraform/cluster/docker/docker.tf b/terraform/cluster/docker/docker.tf
@@ -2,11 +2,11 @@ terraform {
   required_providers {
     docker = {
       source  = "kreuzwerker/docker"
-      version = "3.0.2"
+      version = "3.6.2"
     }
     null = {
       source  = "hashicorp/null"
-      version = "~> 3.0"
+      version = "~> 3.0" # Do NOT upgrade, newer versions seem to have bugs regarding to Apple Silicon
     }
     ssh = {
       source  = "askrella/ssh"
@@ -115,54 +115,24 @@ variable "minio_region" {
   description = "The MinIO region"
 }
 
-variable "loki_version" {
-  type        = string
-  default     = "3.3.2"
-  description = "The version of Loki to use"
-}
-
-variable "promtail_version" {
-  type        = string
-  default     = "3.3.2"
-  description = "The version of Promtail to use"
-}
-
 variable "node_exporter_port" {
   type        = number
   default     = 9100
   description = "The port to expose Node Exporter on"
 }
 
-variable "prometheus_version" {
-  type        = string
-  default     = "v3.1.0-rc.1"
-  description = "The version of Prometheus to use"
-}
-
 variable "prometheus_port" {
   type        = number
   default     = 9090
   description = "The port to expose Prometheus on"
 }
 
-variable "cadvisor_version" {
-  type        = string
-  default     = "v0.49.2"
-  description = "The version of cAdvisor to use"
-}
-
 variable "cadvisor_port" {
   type        = number
   default     = 8080
   description = "The port to expose cAdvisor on"
 }
 
-variable "grafana_version" {
-  type        = string
-  default     = "11.4.0"
-  description = "The version of Grafana to use"
-}
-
 variable "grafana_port" {
   type        = number
   default     = 3000

diff --git a/terraform/cluster/docker/mariadb.tf b/terraform/cluster/docker/mariadb.tf
@@ -1,5 +1,5 @@
 resource "docker_image" "mariadb" {
-  name         = "bitnami/mariadb-galera:11.4.4"
+  name         = "bitnamilegacy/mariadb-galera:${var.mariadb_galera_version}" # TODO: Move EVERYTHING off bitnami, they pulled everything and broke production systems by doing this
   keep_locally = true
 
   depends_on = [null_resource.docker_network]

diff --git a/terraform/cluster/docker/node-exporter.tf b/terraform/cluster/docker/node-exporter.tf
@@ -1,6 +1,6 @@
 
 resource "docker_image" "node_exporter" {
-  name         = "prom/node-exporter:latest"
+  name         = "prom/node-exporter:${var.node_exporter_version}"
   keep_locally = true
 
   depends_on = [null_resource.docker_network]

diff --git a/terraform/cluster/docker/tempo.tf b/terraform/cluster/docker/tempo.tf
@@ -1,9 +1,3 @@
-variable "tempo_version" {
-  type        = string
-  default     = "2.6.1"
-  description = "The version of Tempo to use"
-}
-
 variable "tempo_port" {
   type        = number
   default     = 3200

diff --git a/terraform/cluster/docker/thanos.tf b/terraform/cluster/docker/thanos.tf
@@ -1,5 +1,5 @@
 resource "docker_image" "thanos" {
-    name         = "quay.io/thanos/thanos:v0.37.2"
+    name         = "quay.io/thanos/thanos:v0.39.2"
     keep_locally = true
 
     depends_on = [

diff --git a/terraform/cluster/docker/versions.tf b/terraform/cluster/docker/versions.tf
@@ -0,0 +1,60 @@
+variable "cadvisor_version" {
+  type        = string
+  default     = "v0.52.0"
+  description = "The version of cAdvisor to use"
+}
+
+variable "prometheus_version" {
+  type        = string
+  default     = "v3.6.0"
+  description = "The version of Prometheus to use"
+}
+
+variable "promtail_version" {
+  type        = string
+  default     = "3.5.5"
+  description = "The version of Promtail to use"
+}
+
+variable "alloy_image" {
+  type = string
+  default = "grafana/alloy:v1.11.0"
+  description = "The alloy image to use" # We sometimes use dev versions due to changes we contributed to Alloy
+}
+
+variable "grafana_version" {
+  type        = string
+  default     = "12.2.0"
+  description = "The version of Grafana to use"
+}
+
+variable "tempo_version" {
+  type        = string
+  default     = "2.8.2"
+  description = "The version of Tempo to use"
+}
+
+variable "loki_version" {
+  type        = string
+  default     = "3.5.5"
+  description = "The version of Loki to use"
+}
+
+variable "caddy_version" {
+  type = string
+  default = "2.10.2"
+  description = "The Caddy version to use"
+}
+
+variable "mariadb_galera_version" {
+  type = string
+  default = "11.4.4"
+  description = "The Mariadb Galera version to use"
+}
+
+variable "node_exporter_version" {
+  type = string
+  default = "v1.9.1"
+  description = "The Node Exporter version to use"
+}
+
diff --git a/terraform/hetzner_server/server.tf b/terraform/hetzner_server/server.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     hcloud = {
       source  = "hetznercloud/hcloud"
-      version = "1.49.1"
+      version = "1.53.1"
     }
   }
 }
@@ -115,6 +115,7 @@ resource "hcloud_server" "server" {
   network {
     network_id = hcloud_network.network.id
     ip         = "10.0.0.${each.value + 2}"
+    alias_ips = []
   }
 
   labels = local.labels

diff --git a/terraform/main.tf b/terraform/main.tf
@@ -1,18 +1,18 @@
 terraform {
-  required_version = ">= v1.10.3"
+  required_version = ">= v1.13.3"
 
   required_providers {
     hcloud = {
       source  = "hetznercloud/hcloud"
-      version = "1.49.1"
+      version = "1.53.1"
     }
     minio = {
       source  = "aminueza/minio"
-      version = "3.2.2"
+      version = "3.6.5"
     }
     cloudflare = {
       source  = "cloudflare/cloudflare"
-      version = "4.49.1"
+      version = "5.11.0"
     }
   }
 }