separate remote-state by env

Author: davidcheung

Makefile

@@ -2,15 +2,16 @@ ENV ?= staging
 
 apply: apply-remote-state apply-secrets apply-env apply-k8s-utils
 
+## remove state file only if exit code 0 from terraform apply
 apply-remote-state:
 	pushd terraform/bootstrap/remote-state; \
 	terraform init; \
-	terraform apply -var "environment=$(ENV)"
+	terraform apply -var "environment=$(ENV)" && rm ./terraform.tfstate;
 
 apply-secrets:
 	pushd terraform/bootstrap/secrets; \
 	terraform init; \
-	terraform apply
+	terraform apply && rm terraform.tfstate;
 
 apply-env:
 	pushd terraform/environments/$(ENV); \
@@ -28,12 +29,15 @@ update-k8s-conf:
 teardown: teardown-k8s-utils teardown-env teardown-secrets teardown-remote-state
 
 teardown-remote-state:
-	pushd terraform/bootstrap/remote-state; \
-	terraform destroy -auto-approve -var "environment=$(ENV)";
+	export AWS_PAGER=''; \
+	aws s3 rb s3://<% .Name %>-$(ENV)-terraform-state --force; \
+	aws dynamodb delete-table --table-name <% .Name %>-$(ENV)-terraform-state-locks;
 
 teardown-secrets:
-	pushd terraform/bootstrap/secrets; \
-	terraform destroy -auto-approve;
+	export AWS_PAGER=''; \
+	aws secretsmanager  list-secrets --query "SecretList[?Tags[?Key=='project' && Value=='<% .Name %>']].[Name]" | jq  '.[] [0]' | xargs aws secretsmanager delete-secret --secret-id; \
+	aws iam delete-access-key --user-name <% .Name %>-ci-user --access-key-id $(shell aws iam list-access-keys --user-name <% .Name %>-ci-user --query "AccessKeyMetadata[0].AccessKeyId" | sed 's/"//g'); \
+	aws iam delete-user --user-name <% .Name %>-ci-user;
 
 teardown-env:
 	pushd terraform/environments/$(ENV); \

terraform/bootstrap/remote-state/main.tf

@@ -34,5 +34,5 @@ resource "aws_dynamodb_table" "terraform_state_locks" {
 }
 
 variable "environment" {
-  description = "The environment (development/staging/production)"
+  description = "The environment (staging/production)"
 }

terraform/bootstrap/secrets/main.tf

@@ -29,4 +29,5 @@ module "ci_user_keys" {
   name_prefix    = "ci-user-aws-keys"
   type    = "map"
   values  = map("access_key_id", aws_iam_access_key.ci_user.id, "secret_key", aws_iam_access_key.ci_user.secret)
+  tags = map("project", local.project)
 }

terraform/modules/secret/main.tf

@@ -1,6 +1,7 @@
 # Add the keys to AWS secrets manager
 resource "aws_secretsmanager_secret" "secret" {
   name_prefix = var.name_prefix
+  tags = var.tags
 }
 
 resource "aws_secretsmanager_secret_version" "string_secret" {

terraform/modules/secret/variables.tf

@@ -22,3 +22,9 @@ variable "random_length" {
   description = "The length of the generated string if type is random. Suitable for a db master password for example"
   default = 16
 }
+
+variable "tags" {
+  description = "Tags to include in the secret"
+  type = map
+  default = {}
+}