[PLT-890] add legacy variable to tfstate service and create backends #212
Conversation
AB2D SBX TF plan is failing, looks like aws_iam_account_alias doesn't exist in that account?
gfreeman-navapbc
left a comment
LGTM, but these buckets seem to only exist in the non-prod account atm, just something to be aware of
I see now that there's a resource we're creating for these before the data call, disregard
gsf
left a comment
terraform/modules/bucket/main.tf
Outdated
| bucket = "${data.aws_caller_identity.current.account_id}-bucket-access-logs" | ||
| bucket = (var.legacy == true ? "${data.aws_caller_identity.current.account_id}-bucket-access-logs" : | ||
| data.aws_iam_account_alias.current.account_alias == "aws-cms-oeda-bcda-non-prod" ? "bucket-access-logs-20250409172631068600000001" : | ||
| "bucket-access-logs-tbd") |
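Review bot: the nested conditional on the `bucket` line derives the name from `data.aws_iam_account_alias.current.account_alias`, but as noted at the top of the thread the AB2D sandbox account has no alias, so the data source errors before the comparison runs and the plan fails there; an explicit per-account variable (or a map keyed by `account_id`) avoids depending on an alias that may not exist. Minor style: `var.legacy == true` reads the same as `var.legacy`, and the literal `"bucket-access-logs-tbd"` should not be merged as a placeholder, since any account that is neither legacy nor the non-prod alias resolves to that name.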
The "tbd" can be replaced with the suffix for the access logs bucket created in the prod account.
done.
gsf
left a comment
Let's also switch out the deprecated dynamodb_table for use_lockfile in these new backends (see https://developer.hashicorp.com/terraform/language/backend/s3#state-locking). Those dynamodb tables will also need to be removed, and the tfstate terraform will need to be updated to avoid creating tables in greenfield.
…use_lockfile = true in tfstate/terraform
gsf
left a comment
| role-to-assume: arn:aws:iam::${{ secrets.BCDA_ACCOUNT }}:role/delegatedadmin/developer/bcda-mgmt-github-actions | ||
| aws-region: ${{ vars.AWS_REGION }} | ||
| - run: terraform init -backend-config=../../backends/bcda-mgmt.s3.tfbackend | ||
| - run: terraform init -backend-config=../../backends/bcda-test.s3.tfbackend |
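Review bot: the `terraform init -backend-config` line switches the state backend to `bcda-test.s3.tfbackend` while `role-to-assume` still points at the `bcda-mgmt-github-actions` role in `${{ secrets.BCDA_ACCOUNT }}`; the role assumed and the backend it initializes against should change together, otherwise the workflow either lacks access to the new state bucket or runs with an identity scoped for a different account. Keeping this at `bcda-mgmt` for the legacy accounts, as suggested in the comment below, keeps the two consistent.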
This should be kept at bcda-mgmt for now to support the legacy accounts.
Done.
terraform/.terraform-version
Outdated
| @@ -1 +1 @@ | |||
| 1.5.5 | |||
| 1.10.0 | |||
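Review bot: `.terraform-version` moves from `1.5.5` straight to `1.10.0`, the first release of the 1.10 line; pin the current 1.10 patch instead (1.10.5, as suggested in the comment below) and keep it consistent with the `required_version` constraint in the terraform block so local runs and CI resolve the same binary.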
As long as we're updating, we should switch to the latest patch under 1.10, which would be 1.10.5.
Done.
| @@ -0,0 +1 @@ | |||
| bucket = "ab2d-dev-tfstate" | |||
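Review bot: this new `.tfbackend` file sets only `bucket = "ab2d-dev-tfstate"` and no state-locking setting; a greenfield backend should carry `use_lockfile = true` in this per-environment file, otherwise two concurrent `terraform apply` runs against this bucket can race on the same state object. The bucket name also lacks the generated suffix the other greenfield buckets use, which is the point raised in the comment below.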
Shouldn't this have a suffix on the bucket name? Also, please run terraform fmt over these files.
Done.
| @@ -1,2 +1 @@ | |||
| bucket = "ab2d-dev-tfstate" | |||
| dynamodb_table = "ab2d-dev-tfstate" | |||
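Review bot: the removed `dynamodb_table = "ab2d-dev-tfstate"` line takes the lock table away from a legacy backend without adding `use_lockfile` in its place, leaving that state with no locking at all; keep the DynamoDB table for legacy backends and only drop it once the backend has been moved to lockfile-based locking and the table is no longer referenced.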
The dynamodb_table attribute should be kept for legacy backends.
Done
Update your editor configuration to end files with a newline.
| @@ -0,0 +1,3 @@ | |||
| bucket = "ab2d-prod-tfstate-20250411202936776600000001" | |||
|
|
|||
|
|
|||
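Review bot: the `@@ -0,0 +1,3 @@` header shows a three-line file for a single `bucket` setting, i.e. two trailing blank lines after `bucket = "ab2d-prod-tfstate-20250411202936776600000001"`; running `terraform fmt` over the backend files normalizes this, and a `terraform fmt -check` step in CI would catch it before review.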
Drop these extra newlines.
Done
| backend "s3" { | ||
| key = "tfstate/terraform.tfstate" | ||
| key = "tfstate/terraform.tfstate" | ||
| use_lockfile = true |
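Review bot: `use_lockfile = true` is hard-coded in the shared `backend "s3"` block, so it applies to every backend this configuration is initialized with, including legacy backends that still lock through `dynamodb_table`; move it into the greenfield `.tfbackend` files so each environment declares exactly one locking mechanism rather than two.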
The use_lockfile attribute should be in the backend files for greenfield.
Done.
| key = "github-actions/terraform.tfstate" | ||
| } | ||
| required_version = "~> 1.5.5" | ||
| required_version = "~> 1.10.0" |
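Review bot: `required_version = "~> 1.10.0"` duplicates the pin already carried in `.terraform-version`, and the two then have to be bumped in lockstep on every upgrade; per the comment below, drop the constraint here, or if it is kept leave `.terraform-version` as the single authority on the exact patch.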
Drop this required_version
Remove mgmt env in greenfield
revert workflow changes
gsf
left a comment
Looks good and should be ready to merge once tfstate resources are all created (and extras cleaned up).
# Conflicts: # terraform/backends/ab2d-sandbox-gf.s3.tfbackend # terraform/backends/bcda-sandbox-gf.s3.tfbackend # terraform/backends/dpc-sandbox-gf.s3.tfbackend
|
|
||
| terraform { | ||
| # Comment out backend block and init without -backend-config for initial creation of resources | ||
| # # Comment out backend block and init without -backend-config for initial creation of resources |
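Review bot: the `+` line doubles the comment prefix (`# #`) on an otherwise unchanged comment; the suggested change that follows restores the single `#`.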
| # # Comment out backend block and init without -backend-config for initial creation of resources | |
| # Comment out backend block and init without -backend-config for initial creation of resources |
terraform/modules/bucket/main.tf
Outdated
| bucket = data.aws_s3_bucket.bucket_access_logs.bucket | ||
|
|
||
| target_bucket = data.aws_s3_bucket.bucket_access_logs.bucket |
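Review bot: `bucket = data.aws_s3_bucket.bucket_access_logs.bucket` on the `+` line makes the logging resource's source bucket the same bucket as `target_bucket`, so the access-logs bucket would deliver logs to itself while the bucket this module creates is left without access logging; `bucket` should reference the module's own bucket resource and only `target_bucket` the shared access-logs bucket.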
This sets the wrong bucket as the source bucket for logging. Patch incoming.
terraform/modules/bucket/main.tf
Outdated
| module "bucket_key" { | ||
| source = "../key" | ||
| name = "${var.name}-bucket" | ||
| name = data.aws_s3_bucket.bucket_access_logs.bucket |
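Review bot: changing `name` in `module "bucket_key"` from `"${var.name}-bucket"` to `data.aws_s3_bucket.bucket_access_logs.bucket` gives every instance of this module the same key name, which collides across buckets and, in legacy, forces a rename of existing KMS keys (the concern raised in the comment below); the key encrypts the bucket created here, so its name should stay derived from `var.name`.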
The key is for the bucket created in this module, not the access logs bucket. Patch incoming.
Also, I think we may run into issues if we start renaming all of the kms keys in legacy.
gsf
left a comment
I think we're good to merge
🎫 Ticket
https://jira.cms.gov/browse/PLT-890
🛠 Changes
Backend files defining S3 state buckets for greenfield apps
ℹ️ Context
Add backends to the TF in the platform repo (each backend is a 2-line file for each of the VPCs). We expect to have 12 new VPCs.
🧪 Validation
Buckets are created in S3 with tfstate files for each new backend definition file.