From 929bdeced53004ad4bcea4e2ff9b369d4f2f4636 Mon Sep 17 00:00:00 2001
From: Alexander Amiri
Date: Tue, 17 Mar 2026 18:22:15 +0100
Subject: [PATCH] Generate .gitignore in terraform/ to prevent state file commits
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Both paths (app.yaml expander and custom TF boilerplate) now generate a .gitignore if one doesn't exist. Covers .terraform/, *.tfstate, *.tfplan, and lock files. Non-destructive — won't overwrite existing.
---
 scripts/ensure-tf-boilerplate.sh | 15 +++++++++++++++
 scripts/expand-modules.py | 7 ++++++-
 scripts/registry.py | 11 +++++++++++
 3 files changed, 32 insertions(+), 1 deletion(-)

diff --git a/scripts/ensure-tf-boilerplate.sh b/scripts/ensure-tf-boilerplate.sh
index 6b5e7d2..a1d019c 100755
--- a/scripts/ensure-tf-boilerplate.sh
+++ b/scripts/ensure-tf-boilerplate.sh
@@ -67,3 +67,18 @@ provider "aws" {
 EOF
 echo "Generated providers.tf (project=${REPO_NAME}, team=${TEAM})"
 fi
+
+# --- Generate .gitignore if missing ---
+if [ ! -f "$TF_ROOT/.gitignore" ]; then
+ cat > "$TF_ROOT/.gitignore" <<'EOF'
+# Terraform working files — never commit these
+.terraform/
+.terraform.lock.hcl
+*.tfstate
+*.tfstate.backup
+*.tfplan
+override.tf
+override.tf.json
+EOF
+ echo "Generated .gitignore"
+fi
diff --git a/scripts/expand-modules.py b/scripts/expand-modules.py
index 763a5aa..6a03259 100644
--- a/scripts/expand-modules.py
+++ b/scripts/expand-modules.py
@@ -29,7 +29,7 @@ sys.path.insert(0, os.path.dirname(os.path.abspath(__file__)))
 from registry import (
 REGISTRY, PROJECT, DOMAIN,
- BACKEND_TEMPLATE, PROVIDERS_TEMPLATE, OUTPUTS_TEMPLATE,
+ BACKEND_TEMPLATE, PROVIDERS_TEMPLATE, OUTPUTS_TEMPLATE, GITIGNORE_TEMPLATE,
 )
 GENERATED_MARKER = "# GENERATED FROM app.yaml — do not edit, changes will be overwritten"
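Review bot: The ignore list written by the new heredoc in `scripts/ensure-tf-boilerplate.sh` includes `.terraform.lock.hcl`, which is the one file in this set that Terraform expects to be committed. It records the selected provider versions and their checksums, so ignoring it means the provider pins are never reviewed and every fresh `terraform init` re-selects and re-trusts whatever the version constraints allow. I would drop that line here and in the identical `GITIGNORE_TEMPLATE` added to `scripts/registry.py`. Separately, `*.tfstate.backup` does not match timestamped backups of the form `terraform.tfstate.<timestamp>.backup` that some `terraform state` subcommands write; `*.tfstate.*` covers both forms.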
@@ -678,6 +678,11 @@ def main():
 os.path.join(tf_root, "outputs.tf"),
 OUTPUTS_TEMPLATE.format(host=app_host),
 )
+ # Ensure .gitignore exists so tfstate/working files never get committed
+ gitignore_path = os.path.join(tf_root, ".gitignore")
+ if not os.path.exists(gitignore_path):
+ with open(gitignore_path, "w") as f:
+ f.write(GITIGNORE_TEMPLATE)
 # -- Write expanded module files --
 for filename, content in file_contents.items():
diff --git a/scripts/registry.py b/scripts/registry.py
index a0267f4..03aea58 100644
--- a/scripts/registry.py
+++ b/scripts/registry.py
@@ -388,6 +388,17 @@
 }}
 """
+GITIGNORE_TEMPLATE = """\
+# Terraform working files — never commit these
+.terraform/
+.terraform.lock.hcl
+*.tfstate
+*.tfstate.backup
+*.tfplan
+override.tf
+override.tf.json
+"""
+
 OUTPUTS_TEMPLATE = """\
 # GENERATED FROM app.yaml — do not edit, changes will be overwritten
 output "service_url" {{
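Review bot: The `if not os.path.exists(gitignore_path)` guard added to `main()` treats any existing `terraform/.gitignore` as sufficient, so a repo whose file lacks `*.tfstate` stays unprotected with no signal. The comment's "never get committed" therefore overstates the guarantee, and ignore rules also do nothing for state files that are already tracked. Consider printing a warning when the existing file does not contain the state patterns, and rewording the comment to `# Create a default .gitignore if none exists; an existing file is left untouched`. The template contains a non-ASCII dash, so the write should pin the encoding rather than rely on the locale default: `with open(gitignore_path, "w", encoding="utf-8") as f:`. `main()` starts and ends outside this hunk.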
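Review bot: `GITIGNORE_TEMPLATE` in `scripts/registry.py` is a second verbatim copy of the list in the `ensure-tf-boilerplate.sh` heredoc, and nothing keeps the two in step. A pattern added on one path will then be missing from repos generated by the other. A comment above the constant such as `# Keep in sync with the .gitignore heredoc in scripts/ensure-tf-boilerplate.sh` would at least make the coupling visible. The list also omits `crash.log` and, if this project ever keeps credentials in variable files, `*.tfvars` / `*.tfvars.json`; these are commonly ignored alongside state because they can carry secret values.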