
feat(terraform): add OCI, Netbird, and Tailscale Terraform environments #1276

Open
dark-vex wants to merge 4 commits into main from feat/terraform-oci-netbird-tailscale

Conversation

@dark-vex
Owner

Summary

  • OCI (terraform/oci/k8s-armchair/): proper environment scaffold replacing the skeleton — 1Password API key auth, Terraform Cloud backend (oci-k8s-armchair workspace), ready for VM import blocks once OCIDs are provided
  • OCI module (terraform/modules/oci-instance/): reusable module for ARM Ampere instances (VM.Standard.A1.Flex default, prevent_destroy = true)
  • Netbird (terraform/netbird/): new Terraform environment using official netbirdio/netbird ~> 0.0 provider, TFC workspace netbird, 1Password-sourced token
  • Tailscale (terraform/tailscale/): new Terraform environment using official tailscale/tailscale ~> 0.28 provider, TFC workspace tailscale, 1Password-sourced API key
  • CI: terraform-oci.yml and terraform-vpn.yml workflows following the same fmt→init→validate→plan→apply pattern as existing workflows
  • renovate.json: added packageRules for terraform/netbird/** and terraform/tailscale/**

Pre-merge checklist

  • Create Terraform Cloud workspaces: oci-k8s-armchair, netbird, tailscale in Fastnetserv org
  • Create 1Password items: "OCI k8s-armchair API Key", "Netbird API Token", "Tailscale API Key" in the infra vault
  • For OCI: add import blocks to terraform/oci/k8s-armchair/main.tf once OCID values are known
  • For Tailscale: existing ACL config can be imported via tailscale_acl resource

Test plan

  • terraform fmt -check passes in all three directories
  • terraform init && terraform validate succeeds (requires TF_API_TOKEN)
  • CI workflows trigger on this PR (plan output posted as comment)

🤖 Generated with Claude Code

OCI (terraform/oci/k8s-armchair/):
- Replace ResourcePrincipal auth with 1Password-sourced API key auth
- Split provider.tf into terraform.tf (cloud backend + required_providers)
  and provider.tf (provider configs)
- Add variables.tf, data.tf, main.tf (ready for import blocks), outputs.tf
- Upgrade oci provider constraint to ~> 6.0

New module (terraform/modules/oci-instance/):
- Reusable OCI compute instance module (like hetzner-server)
- VM.Standard.A1.Flex defaults for Ampere ARM instances
- lifecycle.prevent_destroy = true consistent with other modules

Netbird (terraform/netbird/):
- New Terraform environment using netbirdio/netbird ~> 0.0 provider
- Terraform Cloud workspace: netbird
- 1Password-sourced API token

Tailscale (terraform/tailscale/):
- New Terraform environment using tailscale/tailscale ~> 0.28 provider
- Terraform Cloud workspace: tailscale
- 1Password-sourced API key and tailnet

CI:
- .github/workflows/terraform-oci.yml: CI for terraform/oci/**
- .github/workflows/terraform-vpn.yml: CI for netbird + tailscale (two jobs)

renovate.json: add packageRules for netbird and tailscale TF directories

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@github-actions
Contributor

github-actions Bot commented Apr 12, 2026

[tailscale] Terraform Format and Style 🖌 success

Terraform Initialization ⚙️ success

Terraform Validation 🤖 success

Validation Output

Success! The configuration is valid.

Terraform Plan 📖 failure

Show Plan
Running plan in HCP Terraform. Output will stream here. Pressing Ctrl-C
will stop streaming the logs, but will not stop the plan running remotely.

Preparing the remote plan...

To view this run in a browser, visit:
https://app.terraform.io/app/Fastnetserv/tailscale/runs/run-XWPwxG6rmXpe57oj

Waiting for the plan to start...

Terraform v1.14.8
on linux_amd64
Initializing plugins and modules...
data.onepassword_item.tailscale_credentials: Refreshing...
╷
│ Error: Client Error
│
│   with data.onepassword_item.tailscale_credentials,
│   on data.tf line 5, in data "onepassword_item" "tailscale_credentials":
│    5: data "onepassword_item" "tailscale_credentials" {
│
│ Unable to read item, got error: failed to get item using connect: Get
│ "http://1password.int.ddlns.net:31335/v1/vaults?filter=title+eq+%22infra%22":
│ dial tcp: lookup 1password.int.ddlns.net on 10.184.0.2:53: no such host
╵
Operation failed: failed running terraform plan (exit 1)

─────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't
guarantee to take exactly these actions if you run "terraform apply" now.

Pusher: @dark-vex, Action: pull_request, Workflow: TF Plan on a PR - VPN (Netbird + Tailscale)

@wiz-b661a10a98

wiz-b661a10a98 Bot commented Apr 12, 2026

Wiz Scan Summary

Scanner                      Finding type                  Findings
Vulnerability Finding        Vulnerabilities               -
Data Finding                 Sensitive Data                1 Info
Secret Finding               Secrets                       -
IaC Misconfiguration         IaC Misconfigurations         1 High, 3 Medium, 5 Low
Software Management Finding  Software Management Findings  -
Total                                                      1 High, 3 Medium, 5 Low, 1 Info


@github-actions
Contributor

github-actions Bot commented Apr 12, 2026

[netbird] Terraform Format and Style 🖌 success

Terraform Initialization ⚙️ success

Terraform Validation 🤖 success

Validation Output

Success! The configuration is valid.

Terraform Plan 📖 failure

Show Plan
Running plan in HCP Terraform. Output will stream here. Pressing Ctrl-C
will stop streaming the logs, but will not stop the plan running remotely.

Preparing the remote plan...

To view this run in a browser, visit:
https://app.terraform.io/app/Fastnetserv/netbird/runs/run-iNnYcmHbTHDg5ufu

Waiting for the plan to start...

Terraform v1.14.8
on linux_amd64
Initializing plugins and modules...
data.onepassword_item.netbird_credentials: Refreshing...
╷
│ Error: Client Error
│
│   with data.onepassword_item.netbird_credentials,
│   on data.tf line 4, in data "onepassword_item" "netbird_credentials":
│    4: data "onepassword_item" "netbird_credentials" {
│
│ Unable to read item, got error: failed to get item using connect: Get
│ "http://1password.int.ddlns.net:31335/v1/vaults?filter=title+eq+%22infra%22":
│ dial tcp: lookup 1password.int.ddlns.net on 10.184.0.2:53: no such host
╵
Operation failed: failed running terraform plan (exit 1)

─────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't
guarantee to take exactly these actions if you run "terraform apply" now.

Pusher: @dark-vex, Action: pull_request, Workflow: TF Plan on a PR - VPN (Netbird + Tailscale)

@github-actions
Contributor

github-actions Bot commented Apr 12, 2026

[oci-k8s-armchair] Terraform Format and Style 🖌 failure

Terraform Initialization ⚙️ success

Terraform Validation 🤖 success

Validation Output

Success! The configuration is valid.

Terraform Plan 📖 failure

Show Plan
Running plan in HCP Terraform. Output will stream here. Pressing Ctrl-C
will stop streaming the logs, but will not stop the plan running remotely.

Preparing the remote plan...

To view this run in a browser, visit:
https://app.terraform.io/app/Fastnetserv/oci-k8s-armchair/runs/run-iM779ZSKBKRPx7sK

Waiting for the plan to start...

Terraform v1.14.8
on linux_amd64
Initializing plugins and modules...
data.onepassword_item.oci_credentials: Refreshing...
╷
│ Error: Client Error
│
│   with data.onepassword_item.oci_credentials,
│   on data.tf line 7, in data "onepassword_item" "oci_credentials":
│    7: data "onepassword_item" "oci_credentials" {
│
│ Unable to read item, got error: failed to get item using connect: Get
│ "http://1password.int.ddlns.net:31335/v1/vaults?filter=title+eq+%22infra%22":
│ dial tcp: lookup 1password.int.ddlns.net on 10.184.0.2:53: no such host
╵
Operation failed: failed running terraform plan (exit 1)

─────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't
guarantee to take exactly these actions if you run "terraform apply" now.

Pusher: @dark-vex, Action: pull_request, Workflow: TF Plan on a PR - OCI

@@ -0,0 +1,33 @@
resource "oci_core_instance" "this" {
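Review bot: `resource "oci_core_instance" "this"` opens this new file without an `instance_options` block, which is exactly what the High Wiz finding on this line flags; add `instance_options { are_legacy_imds_endpoints_disabled = true }` inside the resource so the instance answers metadata requests only over IMDSv2, and since the PR description says this module sets `prevent_destroy = true`, make sure the `lifecycle` block is present in the same resource.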
High IaC Finding

Compute instance should use IMDSv2
on resource oci_core_instance[this]

More Details
This rule checks if the Compute Instance uses Instance Metadata Service Version 1 (IMDSv1). This rule fails if `instanceOptions.areLegacyImdsEndpointsDisabled` is set to `false`. The instance metadata service provides information about a running instance. This service is accessible in two versions which work with different methods. IMDSv2 is considered more secure. It is recommended that compute instances use Instance Metadata Service Version 2 (IMDSv2).

Expected

'oci_core_instance[this].instance_options' should be defined with 'are_legacy_imds_endpoints_disabled' set to true

Found

'oci_core_instance[this].instance_options' is undefined

Security Frameworks: [list of framework identifiers omitted]


Rule ID: 1848aecb-e32b-4417-a3a9-fc2a717aa284


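As an added example, not code from this PR or from the Wiz bot, here is a minimal `oci_core_instance` resource in the shape the PR describes for `terraform/modules/oci-instance/` (`VM.Standard.A1.Flex` default, `prevent_destroy = true`), with the `instance_options` block the finding asks for. The variable names, the `shape_config` values and the VNIC settings are assumptions.

```hcl
# Added example, not the PR's own module code. Variable names are assumptions.
variable "compartment_id"      { type = string }
variable "availability_domain" { type = string }
variable "subnet_id"           { type = string }
variable "image_id"            { type = string }
variable "display_name"        { type = string }

variable "shape" {
  type    = string
  default = "VM.Standard.A1.Flex" # Ampere ARM shape named in the PR
}

resource "oci_core_instance" "this" {
  compartment_id      = var.compartment_id
  availability_domain = var.availability_domain
  display_name        = var.display_name
  shape               = var.shape

  # Flex shapes need an explicit OCPU/memory allocation (values assumed).
  shape_config {
    ocpus         = 2
    memory_in_gbs = 12
  }

  source_details {
    source_type = "image"
    source_id   = var.image_id
  }

  create_vnic_details {
    subnet_id        = var.subnet_id
    assign_public_ip = false # keep the node off the public internet (assumed)
  }

  # Closes the Wiz High finding: disabling the legacy IMDSv1 endpoints means
  # the instance only serves metadata on the v2 path, which requires the
  # Authorization header and so cannot be reached by a plain SSRF-style GET.
  instance_options {
    are_legacy_imds_endpoints_disabled = true
  }

  # Matches the lifecycle guard the PR description states for this module.
  lifecycle {
    prevent_destroy = true
  }
}
```

Running `terraform plan` after adding `instance_options` shows an in-place update for existing instances, and the Wiz rule then sees `are_legacy_imds_endpoints_disabled = true` as expected.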
