From 0f5ad2d606a36b36e3d85f932ff5437c3de17f4e Mon Sep 17 00:00:00 2001 From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Sat, 21 Sep 2024 17:43:54 -0700 Subject: [PATCH 01/21] Move state storage modules to bootstrap step in anticipation of refactor --- .../terraform/{ => modules/bootstrap}/state_storage/README.md | 0 .../{ => modules/bootstrap}/state_storage/dynamodb-policy.json | 0 .../{ => modules/bootstrap}/state_storage/state-storage.tf | 0 3 files changed, 0 insertions(+), 0 deletions(-) rename web/deploy/terraform/{ => modules/bootstrap}/state_storage/README.md (100%) rename web/deploy/terraform/{ => modules/bootstrap}/state_storage/dynamodb-policy.json (100%) rename web/deploy/terraform/{ => modules/bootstrap}/state_storage/state-storage.tf (100%) diff --git a/web/deploy/terraform/state_storage/README.md b/web/deploy/terraform/modules/bootstrap/state_storage/README.md similarity index 100% rename from web/deploy/terraform/state_storage/README.md rename to web/deploy/terraform/modules/bootstrap/state_storage/README.md diff --git a/web/deploy/terraform/state_storage/dynamodb-policy.json b/web/deploy/terraform/modules/bootstrap/state_storage/dynamodb-policy.json similarity index 100% rename from web/deploy/terraform/state_storage/dynamodb-policy.json rename to web/deploy/terraform/modules/bootstrap/state_storage/dynamodb-policy.json diff --git a/web/deploy/terraform/state_storage/state-storage.tf b/web/deploy/terraform/modules/bootstrap/state_storage/state-storage.tf similarity index 100% rename from web/deploy/terraform/state_storage/state-storage.tf rename to web/deploy/terraform/modules/bootstrap/state_storage/state-storage.tf From cb4d9af4e95b17afb3b2106224bc2994a103c60f Mon Sep 17 00:00:00 2001 
From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Sat, 21 Sep 2024 18:56:10 -0700 Subject: [PATCH 02/21] Refactor state bootstrap to use variables and output modules --- .../{state-storage.tf => main.tf} | 6 ++--- .../bootstrap/state_storage/outputs.tf | 9 ++++++++ .../bootstrap/state_storage/variables.tf | 22 +++++++++++++++++++ 3 files changed, 34 insertions(+), 3 deletions(-) rename web/deploy/terraform/modules/bootstrap/state_storage/{state-storage.tf => main.tf} (84%) create mode 100644 web/deploy/terraform/modules/bootstrap/state_storage/outputs.tf create mode 100644 web/deploy/terraform/modules/bootstrap/state_storage/variables.tf diff --git a/web/deploy/terraform/modules/bootstrap/state_storage/state-storage.tf b/web/deploy/terraform/modules/bootstrap/state_storage/main.tf similarity index 84% rename from web/deploy/terraform/modules/bootstrap/state_storage/state-storage.tf rename to web/deploy/terraform/modules/bootstrap/state_storage/main.tf index 9970bcaa..aeaa5259 100644 --- a/web/deploy/terraform/modules/bootstrap/state_storage/state-storage.tf +++ b/web/deploy/terraform/modules/bootstrap/state_storage/main.tf @@ -10,11 +10,11 @@ terraform { } provider "aws" { - region = "us-east-1" + region = var.aws_region } resource "aws_s3_bucket" "tf_state" { - bucket = "osm-storage" + bucket = "${var.bucket_name}-${var.development_environment}" versioning { enabled = true } @@ -42,7 +42,7 @@ resource "aws_s3_bucket" "tf_state" { } resource "aws_dynamodb_table" "tf_locks" { - name = "terraform-locks" + name = "${var.table_name}-${var.development_environment}" billing_mode = "PAY_PER_REQUEST" hash_key = "LockID" diff --git a/web/deploy/terraform/modules/bootstrap/state_storage/outputs.tf b/web/deploy/terraform/modules/bootstrap/state_storage/outputs.tf new file mode 100644 index 00000000..8ee08e13 --- /dev/null +++ b/web/deploy/terraform/modules/bootstrap/state_storage/outputs.tf 
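Review bot: The `provider "aws" { region = var.aws_region }` block in this hunk lives inside `modules/bootstrap/state_storage`, which the directory layout (and patch 07 later in the series) treats as a reusable child module, and a provider configuration inside a child module makes that module incompatible with `count`, `for_each` and `depends_on` and leaves its resources orphaned when the module block is removed, because the provider disappears with it. The provider block belongs in the calling root module, with the child only declaring its requirement in `terraform { required_providers { aws = { source = "hashicorp/aws" } } }`; the `terraform {` block starts above this hunk, so what it already declares is not visible here. `var.aws_region` would then move to the root as well.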
@@ -0,0 +1,9 @@ +output "s3_bucket_arn" { + value = aws_s3_bucket.terraform_state.arn + description = "The ARN of the S3 bucket" +} + +output "dynamodb_table_name" { + value = aws_dynamodb_table.terraform_locks.name + description = "The name of the DynamoDB table" +} diff --git a/web/deploy/terraform/modules/bootstrap/state_storage/variables.tf b/web/deploy/terraform/modules/bootstrap/state_storage/variables.tf new file mode 100644 index 00000000..a443b3db --- /dev/null +++ b/web/deploy/terraform/modules/bootstrap/state_storage/variables.tf @@ -0,0 +1,22 @@ +variable "bucket_name" { + description = "The name of the S3 bucket. Must be globally unique." + type = string + default = "osm-storage" +} + +variable "table_name" { + description = "The name of the DynamoDB table. Must be unique in this AWS account." + type = string + default = "terraform-locks" +} + +variable "aws_region" { + description = "The AWS region used by the deployment" + type = string + default = "us-east-1" +} + +variable "development_environment" { + description = "The name of the development environment. Usually `stage` or `prod`." + type = string +} From ef365471186e7741eca6e2e9e48aecefebffa92d Mon Sep 17 00:00:00 2001 From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Sat, 21 Sep 2024 19:20:39 -0700 Subject: [PATCH 03/21] Use variables in names --- .../terraform/modules/bootstrap/state_storage/main.tf | 6 +++--- .../terraform/modules/bootstrap/state_storage/variables.tf | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/web/deploy/terraform/modules/bootstrap/state_storage/main.tf b/web/deploy/terraform/modules/bootstrap/state_storage/main.tf index aeaa5259..7a836cbb 100644 --- a/web/deploy/terraform/modules/bootstrap/state_storage/main.tf +++ b/web/deploy/terraform/modules/bootstrap/state_storage/main.tf 
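Review bot: `variable "development_environment"` has no `validation` block although `main.tf` interpolates it straight into the S3 bucket name and the DynamoDB table name, so a mistyped `-var` value quietly creates a second, empty state bucket, and a value with uppercase letters or underscores fails only at apply time because S3 bucket names allow just lowercase letters, digits, dots and hyphens. A validation on the variable turns both into a plan-time error with a readable message. The rewritten variable is below; the other three variables in the hunk are unchanged.
```hcl
variable "development_environment" {
  description = "The name of the development environment. Usually `stage` or `prod`."
  type        = string

  # interpolated into the bucket and table names, so keep it to characters S3 bucket names accept
  validation {
    condition     = can(regex("^[a-z0-9-]+$", var.development_environment))
    error_message = "development_environment may contain only lowercase letters, digits and hyphens."
  }
}
```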
@@ -26,7 +26,7 @@ resource "aws_s3_bucket" "tf_state" { } } lifecycle_rule { - id = "tf_state" + id = "tf_state_${var.development_environment}" enabled = true transition { days = 30 @@ -37,7 +37,7 @@ resource "aws_s3_bucket" "tf_state" { } } tags = { - Name = "terraform-state-storage" + Name = "${var.bucket_name}-${var.development_environment}" } } @@ -52,6 +52,6 @@ resource "aws_dynamodb_table" "tf_locks" { } tags = { - Name = "terraform-state-locks" + Name = "${var.table_name}-${var.development_environment}" } } diff --git a/web/deploy/terraform/modules/bootstrap/state_storage/variables.tf b/web/deploy/terraform/modules/bootstrap/state_storage/variables.tf index a443b3db..73909033 100644 --- a/web/deploy/terraform/modules/bootstrap/state_storage/variables.tf +++ b/web/deploy/terraform/modules/bootstrap/state_storage/variables.tf @@ -1,13 +1,13 @@ variable "bucket_name" { - description = "The name of the S3 bucket. Must be globally unique." + description = "The name of the S3 bucket to store Terraform state. Must be globally unique." type = string - default = "osm-storage" + default = "osm-terraform-state-storage" } variable "table_name" { description = "The name of the DynamoDB table. Must be unique in this AWS account." type = string - default = "terraform-locks" + default = "terraform-state-locks" } variable "aws_region" { From 40ea64b5d3fe67adb63d65244bc5112959f598e3 Mon Sep 17 00:00:00 2001 From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Sat, 21 Sep 2024 19:48:46 -0700 Subject: [PATCH 04/21] Refactor versioning and encryption resources --- .../modules/bootstrap/state_storage/main.tf | 46 +++++++++++++------ .../bootstrap/state_storage/outputs.tf | 4 +- 2 files changed, 33 insertions(+), 17 deletions(-) diff --git a/web/deploy/terraform/modules/bootstrap/state_storage/main.tf b/web/deploy/terraform/modules/bootstrap/state_storage/main.tf index 7a836cbb..cfdc79b2 100644 
--- a/web/deploy/terraform/modules/bootstrap/state_storage/main.tf +++ b/web/deploy/terraform/modules/bootstrap/state_storage/main.tf @@ -15,32 +15,48 @@ provider "aws" { resource "aws_s3_bucket" "tf_state" { bucket = "${var.bucket_name}-${var.development_environment}" - versioning { - enabled = true - } - server_side_encryption_configuration { - rule { - apply_server_side_encryption_by_default { - sse_algorithm = "AES256" - } - } + + tags = { + Name = "${var.bucket_name}-${var.development_environment}" } - lifecycle_rule { - id = "tf_state_${var.development_environment}" - enabled = true +} + +resource "aws_s3_bucket_lifecycle_configuration" "tf_state" { + bucket = aws_s3_bucket.tf_state.id + rule { + id = "tf_state_${var.development_environment}" + status = "Enabled" + transition { days = 30 storage_class = "STANDARD_IA" } + expiration { days = 365 } } - tags = { - Name = "${var.bucket_name}-${var.development_environment}" +} + +resource "aws_s3_bucket_versioning" "enabled" { + bucket = aws_s3_bucket.tf_state.id + + versioning_configuration { + status = "Enabled" + } +} + +resource "aws_s3_bucket_server_side_encryption_configuration" "default" { + bucket = aws_s3_bucket.tf_state.id + + rule { + apply_server_side_encryption_by_default { + sse_algorithm = "AES256" + } } } + resource "aws_dynamodb_table" "tf_locks" { name = "${var.table_name}-${var.development_environment}" billing_mode = "PAY_PER_REQUEST" @@ -52,6 +68,6 @@ resource "aws_dynamodb_table" "tf_locks" { } tags = { - Name = "${var.table_name}-${var.development_environment}" + Name = "${var.bucket_name}-${var.development_environment}" } } diff --git a/web/deploy/terraform/modules/bootstrap/state_storage/outputs.tf b/web/deploy/terraform/modules/bootstrap/state_storage/outputs.tf index 8ee08e13..660848bd 100644 --- a/web/deploy/terraform/modules/bootstrap/state_storage/outputs.tf +++ b/web/deploy/terraform/modules/bootstrap/state_storage/outputs.tf 
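Review bot: The rule in the new `aws_s3_bucket_lifecycle_configuration.tf_state` has a plain `expiration { days = 365 }` and no `filter`, so it applies to the current version of every object in the bucket, including the state file itself; on a versioned bucket S3 expires a current object by writing a delete marker, after which the backend reads no state at all for an environment that has gone a year without an apply. State storage only needs superseded versions aged out, so the rule should use `noncurrent_version_transition` and `noncurrent_version_expiration`, and the resource should `depends_on` the versioning resource, which the provider documentation asks for when versioning is enabled on the same bucket. This bucket holds every environment's state yet gets no `aws_s3_bucket_public_access_block`, and `aws_s3_bucket.tf_state` (top of the hunk) has no `lifecycle { prevent_destroy = true }`; both are cheap to add. Whether the provider version pinned in the `terraform {` block above the hunk insists on a `filter` in the rule cannot be checked from here, so an empty one is included below.
```hcl
resource "aws_s3_bucket_lifecycle_configuration" "tf_state" {
  bucket = aws_s3_bucket.tf_state.id

  # lifecycle rules on a versioned bucket must be created after versioning is enabled
  depends_on = [aws_s3_bucket_versioning.enabled]

  rule {
    id     = "tf_state_${var.development_environment}"
    status = "Enabled"
    filter {}

    # only age out superseded state versions; the current state object is never expired
    noncurrent_version_transition {
      noncurrent_days = 30
      storage_class   = "STANDARD_IA"
    }

    noncurrent_version_expiration {
      noncurrent_days = 365
    }
  }
}

# … unchanged: aws_s3_bucket_versioning and aws_s3_bucket_server_side_encryption_configuration …

resource "aws_s3_bucket_public_access_block" "tf_state" {
  bucket                  = aws_s3_bucket.tf_state.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```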
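Review bot: The `Name` tag on `aws_dynamodb_table.tf_locks` changes from `var.table_name` to `var.bucket_name` in the `@@ -52,6 +68,6 @@` hunk, so the lock table is tagged with the S3 bucket's name while the resource's own `name` (visible at the start of the resource above) still uses `var.table_name`. This reads as a copy-paste slip from the bucket's `tags` block, and patch 14 later in the series carries it forward rather than correcting it. Restore `Name = "${var.table_name}-${var.development_environment}"`.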
@@ -1,9 +1,9 @@ output "s3_bucket_arn" { - value = aws_s3_bucket.terraform_state.arn + value = aws_s3_bucket.tf_state.arn description = "The ARN of the S3 bucket" } output "dynamodb_table_name" { - value = aws_dynamodb_table.terraform_locks.name + value = aws_dynamodb_table.tf_locks.name description = "The name of the DynamoDB table" } From 1d79ae318bf7317619e2585423584dceac8024b3 Mon Sep 17 00:00:00 2001 From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Sat, 21 Sep 2024 20:14:30 -0700 Subject: [PATCH 05/21] Add dynamodb policy Remove `README.md` because it outlines a manual process that is not automated by terraform/opentofu --- .../modules/bootstrap/state_storage/README.md | 16 ---------------- ...modb-policy.json => dynamodb-policy.json.tpl} | 2 +- .../modules/bootstrap/state_storage/main.tf | 13 +++++++++++++ 3 files changed, 14 insertions(+), 17 deletions(-) delete mode 100644 web/deploy/terraform/modules/bootstrap/state_storage/README.md rename web/deploy/terraform/modules/bootstrap/state_storage/{dynamodb-policy.json => dynamodb-policy.json.tpl} (89%) diff --git a/web/deploy/terraform/modules/bootstrap/state_storage/README.md b/web/deploy/terraform/modules/bootstrap/state_storage/README.md deleted file mode 100644 index 9e4ce8d0..00000000 --- a/web/deploy/terraform/modules/bootstrap/state_storage/README.md +++ /dev/null 
@@ -1,16 +0,0 @@
-Created bucket and table manually:
-
-```
-aws s3api create-bucket --bucket osm-terraform-storage --region us-east-1
-aws s3api list-buckets
-aws s3api list-buckets --region us-east-1
-aws s3api put-bucket-versioning --bucket osm-terraform-storage --versioning-configuration Status=Enabled
-aws s3 cp state-storage.tf s3://osm-terraform-storage/test.tf
-aws s3 rm s3://osm-terraform-storage --recursive
-# Failed: aws dynamodb create-table --table-name terraform-locks --attribute-definitions AttributeName=LockID,AttributeType=S --key-schema AttributeName=LockID,KeyType=HASH --billing-mode PAY_PER_REQUEST --region us-east-1
-# Created dynamodb-policy.json
-aws iam create-policy --policy-name DynamoDBFullAccess --policy-document file://dynamodb-policy.json
-aws iam attach-user-policy --policy-arn arn:aws:iam::507624629289:policy/DynamoDBFullAccess --user-name osm
-aws iam list-attached-user-policies --user-name osm
-aws dynamodb create-table --table-name terraform-locks --attribute-definitions AttributeName=LockID,AttributeType=S --key-schema AttributeName=LockID,KeyType=HASH --billing-mode PAY_PER_REQUEST --region us-east-1
-```
diff --git a/web/deploy/terraform/modules/bootstrap/state_storage/dynamodb-policy.json b/web/deploy/terraform/modules/bootstrap/state_storage/dynamodb-policy.json.tpl
similarity index 89%
rename from web/deploy/terraform/modules/bootstrap/state_storage/dynamodb-policy.json
rename to web/deploy/terraform/modules/bootstrap/state_storage/dynamodb-policy.json.tpl
index 714b91c4..963936be 100644
--- a/web/deploy/terraform/modules/bootstrap/state_storage/dynamodb-policy.json
+++ b/web/deploy/terraform/modules/bootstrap/state_storage/dynamodb-policy.json.tpl
@@ -15,7 +15,7 @@
 "dynamodb:Query",
 "dynamodb:Scan"
 ],
- "Resource": "arn:aws:dynamodb:us-east-1:507624629289:table/terraform-locks"
+ "Resource": "${resource}"
 },
 {
 "Effect": "Allow",
diff --git a/web/deploy/terraform/modules/bootstrap/state_storage/main.tf b/web/deploy/terraform/modules/bootstrap/state_storage/main.tf index cfdc79b2..7c71ace7 100644 --- a/web/deploy/terraform/modules/bootstrap/state_storage/main.tf +++ b/web/deploy/terraform/modules/bootstrap/state_storage/main.tf @@ -71,3 +71,16 @@ resource "aws_dynamodb_table" "tf_locks" { Name = "${var.bucket_name}-${var.development_environment}" } } + +data "template_file" "dynamodb_policy" { + template = file("dynamodb-policy.json.tpl") + + vars = { + resource = "${aws_dynamodb_table.tf_locks.arn}" + } +} + +resource "aws_dynamodb_resource_policy" "tf_locks" { + resource_arn = aws_dynamodb_table.tf_locks.arn + policy = data.template_file.dynamodb_policy.rendered +} From e0f5437623e462e788de2782cd13451b9b3ebae6 Mon Sep 17 00:00:00 2001 From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Sat, 21 Sep 2024 20:31:17 -0700 Subject: [PATCH 06/21] Add empty bootstrap modules for staging and production --- web/deploy/terraform/production/bootstrap/state_storage/main.tf | 0 .../terraform/production/bootstrap/state_storage/variables.tf | 0 web/deploy/terraform/staging/bootstrap/state_storage/main.tf | 0 web/deploy/terraform/staging/bootstrap/state_storage/variables.tf | 0 4 files changed, 0 insertions(+), 0 deletions(-) create mode 100644 web/deploy/terraform/production/bootstrap/state_storage/main.tf create mode 100644 web/deploy/terraform/production/bootstrap/state_storage/variables.tf create mode 100644 web/deploy/terraform/staging/bootstrap/state_storage/main.tf create mode 100644 web/deploy/terraform/staging/bootstrap/state_storage/variables.tf diff --git a/web/deploy/terraform/production/bootstrap/state_storage/main.tf b/web/deploy/terraform/production/bootstrap/state_storage/main.tf new file mode 100644 index 00000000..e69de29b 
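Review bot: `aws_dynamodb_resource_policy.tf_locks` attaches the rendered `dynamodb-policy.json.tpl` as a resource-based policy, but that template (the earlier hunk of this patch) consists of statements with no `Principal`, which a resource-based policy requires, so the apply is likely to be rejected; the document is shaped as an identity-based policy and belongs on an `aws_iam_policy` attached to the deploying principal, which is where patch 08 moves it. The template also grants `dynamodb:CreateTable`, `dynamodb:DeleteTable` and `dynamodb:UpdateTable` on the lock table, whereas state locking needs only `DescribeTable`, `GetItem`, `PutItem` and `DeleteItem`; trimming the action list keeps the deploy principal from being able to drop or reshape the lock table. Finally, `file("dynamodb-policy.json.tpl")` is resolved against the working directory rather than the module, and `template_file` is a deprecated data source; `templatefile("${path.module}/dynamodb-policy.json.tpl", { resource = aws_dynamodb_table.tf_locks.arn })` addresses both in one line.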
diff --git a/web/deploy/terraform/production/bootstrap/state_storage/variables.tf b/web/deploy/terraform/production/bootstrap/state_storage/variables.tf new file mode 100644 index 00000000..e69de29b diff --git a/web/deploy/terraform/staging/bootstrap/state_storage/main.tf b/web/deploy/terraform/staging/bootstrap/state_storage/main.tf new file mode 100644 index 00000000..e69de29b diff --git a/web/deploy/terraform/staging/bootstrap/state_storage/variables.tf b/web/deploy/terraform/staging/bootstrap/state_storage/variables.tf new file mode 100644 index 00000000..e69de29b From abbc7756f62caf9b05915feee5c2d6761d535142 Mon Sep 17 00:00:00 2001 From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Sat, 21 Sep 2024 21:03:01 -0700 Subject: [PATCH 07/21] Add bootstrap modules for state storage for staging and production --- .../terraform/production/bootstrap/state_storage/main.tf | 6 ++++++ .../production/bootstrap/state_storage/variables.tf | 5 +++++ .../terraform/staging/bootstrap/state_storage/main.tf | 6 ++++++ .../terraform/staging/bootstrap/state_storage/variables.tf | 5 +++++ 4 files changed, 22 insertions(+) diff --git a/web/deploy/terraform/production/bootstrap/state_storage/main.tf b/web/deploy/terraform/production/bootstrap/state_storage/main.tf index e69de29b..0d9d0a6e 100644 --- a/web/deploy/terraform/production/bootstrap/state_storage/main.tf +++ b/web/deploy/terraform/production/bootstrap/state_storage/main.tf @@ -0,0 +1,6 @@ +module "prod_state_bootstrap" { + # I would like to make this path more robust using something like `path.root` + source = "../../../modules/bootstrap/state_storage/" + + development_environment = var.development_environment +} diff --git a/web/deploy/terraform/production/bootstrap/state_storage/variables.tf b/web/deploy/terraform/production/bootstrap/state_storage/variables.tf index e69de29b..153d2741 100644 --- a/web/deploy/terraform/production/bootstrap/state_storage/variables.tf 
+++ b/web/deploy/terraform/production/bootstrap/state_storage/variables.tf @@ -0,0 +1,5 @@ +variable "development_environment" { + description = "The name of the development environment. Usually `stage` or `prod`. Defaults to `prod`" + type = string + default = "prod" +} diff --git a/web/deploy/terraform/staging/bootstrap/state_storage/main.tf b/web/deploy/terraform/staging/bootstrap/state_storage/main.tf index e69de29b..f6a47f72 100644 --- a/web/deploy/terraform/staging/bootstrap/state_storage/main.tf +++ b/web/deploy/terraform/staging/bootstrap/state_storage/main.tf @@ -0,0 +1,6 @@ +module "stage_state_bootstrap" { + # I would like to make this path more robust using something like `path.root` + source = "../../../modules/bootstrap/state_storage/" + + development_environment = var.development_environment +} diff --git a/web/deploy/terraform/staging/bootstrap/state_storage/variables.tf b/web/deploy/terraform/staging/bootstrap/state_storage/variables.tf index e69de29b..91db6f85 100644 --- a/web/deploy/terraform/staging/bootstrap/state_storage/variables.tf +++ b/web/deploy/terraform/staging/bootstrap/state_storage/variables.tf @@ -0,0 +1,5 @@ +variable "development_environment" { + description = "The name of the development environment. Usually `stage` or `prod`. Defaults to `stage`" + type = string + default = "stage" +} From a5c5f9a06aadafb645d1ed52e2c3d1c528b7a317 Mon Sep 17 00:00:00 2001 From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Sat, 21 Sep 2024 21:40:44 -0700 Subject: [PATCH 08/21] Temporarily comment out IAM policy resources --- .../modules/bootstrap/state_storage/main.tf | 34 ++++++++++++------- 1 file changed, 21 insertions(+), 13 deletions(-) diff --git a/web/deploy/terraform/modules/bootstrap/state_storage/main.tf b/web/deploy/terraform/modules/bootstrap/state_storage/main.tf index 7c71ace7..daa7c0e5 100644 --- a/web/deploy/terraform/modules/bootstrap/state_storage/main.tf 
+++ b/web/deploy/terraform/modules/bootstrap/state_storage/main.tf @@ -56,7 +56,6 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "default" { } } - resource "aws_dynamodb_table" "tf_locks" { name = "${var.table_name}-${var.development_environment}" billing_mode = "PAY_PER_REQUEST" @@ -72,15 +71,24 @@ resource "aws_dynamodb_table" "tf_locks" { } } -data "template_file" "dynamodb_policy" { - template = file("dynamodb-policy.json.tpl") - - vars = { - resource = "${aws_dynamodb_table.tf_locks.arn}" - } -} - -resource "aws_dynamodb_resource_policy" "tf_locks" { - resource_arn = aws_dynamodb_table.tf_locks.arn - policy = data.template_file.dynamodb_policy.rendered -} +# data "template_file" "dynamodb_policy" { +# template = file("${path.module}/dynamodb-policy.json.tpl") + +# vars = { +# resource = "${aws_dynamodb_table.tf_locks.arn}" +# } +# } + +# resource "aws_iam_policy" "tf_locks" { +# name = "DynamoDBFullAccess-${var.development_environment}" +# policy = data.template_file.dynamodb_policy.rendered +# } + +# resource "aws_iam_policy_attachment" "tf_locks" { +# name = "tf_locks-${var.development_environment}" +# policy_arn = aws_iam_policy.tf_locks.arn +# users = [ +# # This will need to be changed before merge +# "osm", +# ] +# } From 4072fbceba945ec8fa32afbefed5e844f14642e6 Mon Sep 17 00:00:00 2001 From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Mon, 23 Sep 2024 14:43:51 -0700 Subject: [PATCH 09/21] Add required version --- .../terraform/production/bootstrap/state_storage/main.tf | 4 ++++ web/deploy/terraform/staging/bootstrap/state_storage/main.tf | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/web/deploy/terraform/production/bootstrap/state_storage/main.tf b/web/deploy/terraform/production/bootstrap/state_storage/main.tf index 0d9d0a6e..ae91346f 100644 --- a/web/deploy/terraform/production/bootstrap/state_storage/main.tf +++ b/web/deploy/terraform/production/bootstrap/state_storage/main.tf 
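Review bot: If the commented-out `aws_iam_policy_attachment "tf_locks"` block in the second hunk is ever re-enabled as written, note that this resource is the exclusive form of attachment: on every apply Terraform detaches the policy from any user, group or role not listed in `users`, so a policy shared with another principal is silently stripped. `aws_iam_user_policy_attachment` attaches to one user and leaves other attachments alone. The hard-coded `"osm"` user is already flagged by the inline comment; a tracked issue is a better home for that reminder than commented-out resources in `main.tf`, which `tofu_validate` in the pre-commit hook never exercises.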
@@ -1,3 +1,7 @@ +terraform { + required_version = ">= 1.0.0, < 2.0.0" +} + module "prod_state_bootstrap" { # I would like to make this path more robust using something like `path.root` source = "../../../modules/bootstrap/state_storage/" diff --git a/web/deploy/terraform/staging/bootstrap/state_storage/main.tf b/web/deploy/terraform/staging/bootstrap/state_storage/main.tf index f6a47f72..901a8c09 100644 --- a/web/deploy/terraform/staging/bootstrap/state_storage/main.tf +++ b/web/deploy/terraform/staging/bootstrap/state_storage/main.tf @@ -1,3 +1,7 @@ +terraform { + required_version = ">= 1.0.0, < 2.0.0" +} + module "stage_state_bootstrap" { # I would like to make this path more robust using something like `path.root` source = "../../../modules/bootstrap/state_storage/" From e5a3c8f5e6b5737122f1589e0c2a85318f07edc9 Mon Sep 17 00:00:00 2001 From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Mon, 23 Sep 2024 14:44:34 -0700 Subject: [PATCH 10/21] Run validate before lint and format --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index f876c570..a4e89459 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -37,6 +37,6 @@ repos: - repo: https://github.com/tofuutils/pre-commit-opentofu rev: v1.0.4 hooks: + - id: tofu_validate - id: tofu_fmt - id: tofu_tflint - - id: tofu_validate From 6ed16caad0f2da333eabd2a85d079aa48e68f396 Mon Sep 17 00:00:00 2001 
From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Mon, 23 Sep 2024 15:04:49 -0700 Subject: [PATCH 11/21] Refactor outputs to their own files --- .../modules/shared_resources/main.tf | 26 -------------- .../modules/shared_resources/outputs.tf | 27 ++++++++++++++ web/deploy/terraform/staging/main.tf | 31 ---------------- web/deploy/terraform/staging/outputs.tf | 35 +++++++++++++++++++ 4 files changed, 62 insertions(+), 57 deletions(-) create mode 100644 web/deploy/terraform/modules/shared_resources/outputs.tf create mode 100644 web/deploy/terraform/staging/outputs.tf diff --git a/web/deploy/terraform/modules/shared_resources/main.tf b/web/deploy/terraform/modules/shared_resources/main.tf index 905c429b..f639a7f5 100644 --- a/web/deploy/terraform/modules/shared_resources/main.tf +++ b/web/deploy/terraform/modules/shared_resources/main.tf @@ -192,29 +192,3 @@ data "aws_ami" "ubuntu" { values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"] } } - - - - -# Outputs -output "vpc_id" { - value = aws_vpc.main.id -} -output "subnet_id" { - value = aws_subnet.main.id -} -output "security_group_id" { - value = aws_security_group.allow_all.id -} -output "internet_gateway_id" { - value = aws_internet_gateway.main.id -} -output "route_table_id" { - value = aws_route_table.main.id -} -output "aws_network_acl_id" { - value = aws_network_acl.allow_all.id -} -output "ami_id" { - value = data.aws_ami.ubuntu.id -} diff --git a/web/deploy/terraform/modules/shared_resources/outputs.tf b/web/deploy/terraform/modules/shared_resources/outputs.tf new file mode 100644 index 00000000..07d8bd0b --- /dev/null +++ b/web/deploy/terraform/modules/shared_resources/outputs.tf 
@@ -0,0 +1,27 @@
+output "vpc_id" {
+ value = aws_vpc.main.id
+}
+
+output "subnet_id" {
+ value = aws_subnet.main.id
+}
+
+output "security_group_id" {
+ value = aws_security_group.allow_all.id
+}
+
+output "internet_gateway_id" {
+ value = aws_internet_gateway.main.id
+}
+
+output "route_table_id" {
+ value = aws_route_table.main.id
+}
+
+output "aws_network_acl_id" {
+ value = aws_network_acl.allow_all.id
+}
+
+output "ami_id" {
+ value = data.aws_ami.ubuntu.id
+}
diff --git a/web/deploy/terraform/staging/main.tf b/web/deploy/terraform/staging/main.tf
index b2eae00c..a16b3c88 100644
--- a/web/deploy/terraform/staging/main.tf
+++ b/web/deploy/terraform/staging/main.tf
@@ -69,34 +69,3 @@ resource "aws_eip_association" "staging" {
 instance_id = aws_instance.staging.id
 allocation_id = aws_eip.staging.id
 }
-
-output "vpc_id" {
- value = module.shared_resources.vpc_id
-}
-output "internet_gateway_id" {
- value = module.shared_resources.internet_gateway_id
-}
-output "route_table_id" {
- value = module.shared_resources.route_table_id
-}
-output "network_acl_id" {
- value = module.shared_resources.aws_network_acl_id
-}
-output "security_group_id" {
- value = module.shared_resources.security_group_id
-}
-output "subnet_id" {
- value = module.shared_resources.subnet_id
-}
-
-output "instance_id" {
- value = aws_instance.staging.id
-}
-
-output "public_dns" {
- value = aws_eip.staging.public_dns
-}
-
-output "public_ip" {
- value = aws_eip.staging.public_ip
-}
diff --git a/web/deploy/terraform/staging/outputs.tf b/web/deploy/terraform/staging/outputs.tf
new file mode 100644
index 00000000..74805845
--- /dev/null
+++ b/web/deploy/terraform/staging/outputs.tf
@@ -0,0 +1,35 @@ +output "vpc_id" { + value = module.shared_resources.vpc_id +} + +output "internet_gateway_id" { + value = module.shared_resources.internet_gateway_id +} + +output "route_table_id" { + value = module.shared_resources.route_table_id +} + +output "network_acl_id" { + value = module.shared_resources.aws_network_acl_id +} + +output "security_group_id" { + value = module.shared_resources.security_group_id +} + +output "subnet_id" { + value = module.shared_resources.subnet_id +} + +output "instance_id" { + value = aws_instance.staging.id +} + +output "public_dns" { + value = aws_eip.staging.public_dns +} + +output "public_ip" { + value = aws_eip.staging.public_ip +} From d62a7eb61aaea5e6db62ddc67cfad4fdea05669e Mon Sep 17 00:00:00 2001 From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Mon, 23 Sep 2024 21:24:38 -0700 Subject: [PATCH 12/21] Remove logic for iam policy from bootstrap stage --- .../state_storage/dynamodb-policy.json.tpl | 29 ------------------- .../modules/bootstrap/state_storage/main.tf | 22 -------------- 2 files changed, 51 deletions(-) delete mode 100644 web/deploy/terraform/modules/bootstrap/state_storage/dynamodb-policy.json.tpl diff --git a/web/deploy/terraform/modules/bootstrap/state_storage/dynamodb-policy.json.tpl b/web/deploy/terraform/modules/bootstrap/state_storage/dynamodb-policy.json.tpl deleted file mode 100644 index 963936be..00000000 --- a/web/deploy/terraform/modules/bootstrap/state_storage/dynamodb-policy.json.tpl +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "dynamodb:CreateTable", - "dynamodb:DeleteTable", - "dynamodb:DescribeTable", - "dynamodb:ListTables", - "dynamodb:UpdateTable", - "dynamodb:PutItem", - "dynamodb:GetItem", - "dynamodb:DeleteItem", - "dynamodb:Query", - "dynamodb:Scan" - ], - "Resource": "${resource}" - }, - { - "Effect": "Allow", - "Action": [ - "dynamodb:ListTables", - "dynamodb:ListTagsOfResource" - ], - "Resource": "*" - } - ] -} diff --git a/web/deploy/terraform/modules/bootstrap/state_storage/main.tf b/web/deploy/terraform/modules/bootstrap/state_storage/main.tf index daa7c0e5..0b291511 100644 --- a/web/deploy/terraform/modules/bootstrap/state_storage/main.tf +++ b/web/deploy/terraform/modules/bootstrap/state_storage/main.tf @@ -70,25 +70,3 @@ resource "aws_dynamodb_table" "tf_locks" { Name = "${var.bucket_name}-${var.development_environment}" } } - -# data "template_file" "dynamodb_policy" { -# template = file("${path.module}/dynamodb-policy.json.tpl") - -# vars = { -# resource = "${aws_dynamodb_table.tf_locks.arn}" -# } -# } - -# resource "aws_iam_policy" "tf_locks" { -# name = "DynamoDBFullAccess-${var.development_environment}" -# policy = data.template_file.dynamodb_policy.rendered -# } - -# resource "aws_iam_policy_attachment" "tf_locks" { -# name = "tf_locks-${var.development_environment}" -# policy_arn = aws_iam_policy.tf_locks.arn -# users = [ -# # This will need to be changed before merge -# "osm", -# ] -# } From 552e8165665dae1c0c9669a2464b298d523a65f5 Mon Sep 17 00:00:00 2001 
From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Mon, 23 Sep 2024 21:30:40 -0700 Subject: [PATCH 13/21] Refactor to move variables to separate file --- .../modules/shared_resources/main.tf | 28 ------------------- .../modules/shared_resources/variables.tf | 27 ++++++++++++++++++ 2 files changed, 27 insertions(+), 28 deletions(-) create mode 100644 web/deploy/terraform/modules/shared_resources/variables.tf diff --git a/web/deploy/terraform/modules/shared_resources/main.tf b/web/deploy/terraform/modules/shared_resources/main.tf index f639a7f5..ba856059 100644 --- a/web/deploy/terraform/modules/shared_resources/main.tf +++ b/web/deploy/terraform/modules/shared_resources/main.tf @@ -9,34 +9,6 @@ terraform { } } -# tflint-ignore: terraform_unused_declarations -variable "aws_region" { - description = "AWS region" - default = "us-east-1" - type = string -} - -# tflint-ignore: terraform_unused_declarations -variable "s3_bucket" { - description = "S3 bucket for Terraform state" - default = "osm-storage" - type = string -} - -# tflint-ignore: terraform_unused_declarations -variable "dynamodb_table" { - description = "DynamoDB table for Terraform state locking" - default = "terraform-locks" - type = string -} - -# tflint-ignore: terraform_unused_declarations -variable "ssh_port" { - description = "Non-standard port for SSH" - default = 22 - type = number -} - # VPC resource "aws_vpc" "main" { cidr_block = "10.0.0.0/16" diff --git a/web/deploy/terraform/modules/shared_resources/variables.tf b/web/deploy/terraform/modules/shared_resources/variables.tf new file mode 100644 index 00000000..ceae8d73 --- /dev/null +++ b/web/deploy/terraform/modules/shared_resources/variables.tf 
@@ -0,0 +1,27 @@ +# tflint-ignore: terraform_unused_declarations +variable "aws_region" { + description = "AWS region" + default = "us-east-1" + type = string +} + +# tflint-ignore: terraform_unused_declarations +variable "s3_bucket" { + description = "S3 bucket for Terraform state" + default = "osm-storage" + type = string +} + +# tflint-ignore: terraform_unused_declarations +variable "dynamodb_table" { + description = "DynamoDB table for Terraform state locking" + default = "terraform-locks" + type = string +} + +# tflint-ignore: terraform_unused_declarations +variable "ssh_port" { + description = "Non-standard port for SSH" + default = 22 + type = number +} From 6a569b13f59dafe6b9e9d44c76638d067c25203c Mon Sep 17 00:00:00 2001 From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Mon, 23 Sep 2024 21:53:38 -0700 Subject: [PATCH 14/21] Rename `development_environment` variable to `environment`x --- .../terraform/modules/bootstrap/state_storage/main.tf | 10 +++++----- .../modules/bootstrap/state_storage/variables.tf | 2 +- .../production/bootstrap/state_storage/main.tf | 2 +- .../production/bootstrap/state_storage/variables.tf | 2 +- .../terraform/staging/bootstrap/state_storage/main.tf | 2 +- .../staging/bootstrap/state_storage/variables.tf | 2 +- 6 files changed, 10 insertions(+), 10 deletions(-) diff --git a/web/deploy/terraform/modules/bootstrap/state_storage/main.tf b/web/deploy/terraform/modules/bootstrap/state_storage/main.tf index 0b291511..e3f304b5 100644 --- a/web/deploy/terraform/modules/bootstrap/state_storage/main.tf +++ b/web/deploy/terraform/modules/bootstrap/state_storage/main.tf 
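Review bot: All four variables moved into `shared_resources/variables.tf` carry `# tflint-ignore: terraform_unused_declarations`, i.e. nothing in the module reads them, and two of the defaults are now stale: `s3_bucket = "osm-storage"` and `dynamodb_table = "terraform-locks"` no longer match what the bootstrap module actually creates (`osm-terraform-state-storage-<env>` and `terraform-state-locks-<env>` after patch 03), so anyone reading these as the backend settings is misled. `ssh_port` is described as `"Non-standard port for SSH"` while defaulting to the standard `22`. A move is a good moment to drop the dead declarations, or, if `aws_region` and `ssh_port` are meant to be wired up, to fix the description to `description = "Port the SSH daemon listens on (22 is the default)"` and remove the two state-backend variables that the bootstrap module owns.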
@@ -14,17 +14,17 @@ provider "aws" { } resource "aws_s3_bucket" "tf_state" { - bucket = "${var.bucket_name}-${var.development_environment}" + bucket = "${var.bucket_name}-${var.environment}" tags = { - Name = "${var.bucket_name}-${var.development_environment}" + Name = "${var.bucket_name}-${var.environment}" } } resource "aws_s3_bucket_lifecycle_configuration" "tf_state" { bucket = aws_s3_bucket.tf_state.id rule { - id = "tf_state_${var.development_environment}" + id = "tf_state_${var.environment}" status = "Enabled" transition { @@ -57,7 +57,7 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "default" { } resource "aws_dynamodb_table" "tf_locks" { - name = "${var.table_name}-${var.development_environment}" + name = "${var.table_name}-${var.environment}" billing_mode = "PAY_PER_REQUEST" hash_key = "LockID" @@ -67,6 +67,6 @@ resource "aws_dynamodb_table" "tf_locks" { } tags = { - Name = "${var.bucket_name}-${var.development_environment}" + Name = "${var.bucket_name}-${var.environment}" } } diff --git a/web/deploy/terraform/modules/bootstrap/state_storage/variables.tf b/web/deploy/terraform/modules/bootstrap/state_storage/variables.tf index 73909033..3fef1596 100644 --- a/web/deploy/terraform/modules/bootstrap/state_storage/variables.tf +++ b/web/deploy/terraform/modules/bootstrap/state_storage/variables.tf @@ -16,7 +16,7 @@ variable "aws_region" { default = "us-east-1" } -variable "development_environment" { +variable "environment" { description = "The name of the development environment. Usually `stage` or `prod`." type = string } diff --git a/web/deploy/terraform/production/bootstrap/state_storage/main.tf b/web/deploy/terraform/production/bootstrap/state_storage/main.tf index ae91346f..e4c48785 100644 --- a/web/deploy/terraform/production/bootstrap/state_storage/main.tf +++ b/web/deploy/terraform/production/bootstrap/state_storage/main.tf 
@@ -6,5 +6,5 @@ module "prod_state_bootstrap" { # I would like to make this path more robust using something like `path.root` source = "../../../modules/bootstrap/state_storage/" - development_environment = var.development_environment + environment = var.environment } diff --git a/web/deploy/terraform/production/bootstrap/state_storage/variables.tf b/web/deploy/terraform/production/bootstrap/state_storage/variables.tf index 153d2741..67aaa8e0 100644 --- a/web/deploy/terraform/production/bootstrap/state_storage/variables.tf +++ b/web/deploy/terraform/production/bootstrap/state_storage/variables.tf @@ -1,4 +1,4 @@ -variable "development_environment" { +variable "environment" { description = "The name of the development environment. Usually `stage` or `prod`. Defaults to `prod`" type = string default = "prod" diff --git a/web/deploy/terraform/staging/bootstrap/state_storage/main.tf b/web/deploy/terraform/staging/bootstrap/state_storage/main.tf index 901a8c09..d86f1e4e 100644 --- a/web/deploy/terraform/staging/bootstrap/state_storage/main.tf +++ b/web/deploy/terraform/staging/bootstrap/state_storage/main.tf @@ -6,5 +6,5 @@ module "stage_state_bootstrap" { # I would like to make this path more robust using something like `path.root` source = "../../../modules/bootstrap/state_storage/" - development_environment = var.development_environment + environment = var.environment } diff --git a/web/deploy/terraform/staging/bootstrap/state_storage/variables.tf b/web/deploy/terraform/staging/bootstrap/state_storage/variables.tf index 91db6f85..d7e81385 100644 --- a/web/deploy/terraform/staging/bootstrap/state_storage/variables.tf +++ b/web/deploy/terraform/staging/bootstrap/state_storage/variables.tf @@ -1,4 +1,4 @@ -variable "development_environment" { +variable "environment" { description = "The name of the development environment. Usually `stage` or `prod`. Defaults to `stage`" type = string default = "stage" 
From 31dd6a0d343d13fa4b06a5ea9935db5b12e84fbb Mon Sep 17 00:00:00 2001 From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Mon, 23 Sep 2024 22:22:26 -0700 Subject: [PATCH 15/21] Move all state bootstrap files to a single directory --- .../production/bootstrap/state_storage/main.tf | 10 ---------- .../production/bootstrap/state_storage/variables.tf | 5 ----- .../staging/bootstrap/state_storage/main.tf | 10 ---------- .../staging/bootstrap/state_storage/variables.tf | 5 ----- .../state_storage => state/bootstrap}/main.tf | 0 .../state_storage => state/bootstrap}/outputs.tf | 0 .../state_storage => state/bootstrap}/variables.tf | 0 web/deploy/terraform/state/main.tf | 13 +++++++++++++ 8 files changed, 13 insertions(+), 30 deletions(-) delete mode 100644 web/deploy/terraform/production/bootstrap/state_storage/main.tf delete mode 100644 web/deploy/terraform/production/bootstrap/state_storage/variables.tf delete mode 100644 web/deploy/terraform/staging/bootstrap/state_storage/main.tf delete mode 100644 web/deploy/terraform/staging/bootstrap/state_storage/variables.tf rename web/deploy/terraform/{modules/bootstrap/state_storage => state/bootstrap}/main.tf (100%) rename web/deploy/terraform/{modules/bootstrap/state_storage => state/bootstrap}/outputs.tf (100%) rename web/deploy/terraform/{modules/bootstrap/state_storage => state/bootstrap}/variables.tf (100%) create mode 100644 web/deploy/terraform/state/main.tf diff --git a/web/deploy/terraform/production/bootstrap/state_storage/main.tf b/web/deploy/terraform/production/bootstrap/state_storage/main.tf deleted file mode 100644 index e4c48785..00000000 --- a/web/deploy/terraform/production/bootstrap/state_storage/main.tf +++ /dev/null 
@@ -1,10 +0,0 @@ -terraform { - required_version = ">= 1.0.0, < 2.0.0" -} - -module "prod_state_bootstrap" { - # I would like to make this path more robust using something like `path.root` - source = "../../../modules/bootstrap/state_storage/" - - environment = var.environment -} diff --git a/web/deploy/terraform/production/bootstrap/state_storage/variables.tf b/web/deploy/terraform/production/bootstrap/state_storage/variables.tf deleted file mode 100644 index 67aaa8e0..00000000 --- a/web/deploy/terraform/production/bootstrap/state_storage/variables.tf +++ /dev/null @@ -1,5 +0,0 @@ -variable "environment" { - description = "The name of the development environment. Usually `stage` or `prod`. Defaults to `prod`" - type = string - default = "prod" -} diff --git a/web/deploy/terraform/staging/bootstrap/state_storage/main.tf b/web/deploy/terraform/staging/bootstrap/state_storage/main.tf deleted file mode 100644 index d86f1e4e..00000000 --- a/web/deploy/terraform/staging/bootstrap/state_storage/main.tf +++ /dev/null @@ -1,10 +0,0 @@ -terraform { - required_version = ">= 1.0.0, < 2.0.0" -} - -module "stage_state_bootstrap" { - # I would like to make this path more robust using something like `path.root` - source = "../../../modules/bootstrap/state_storage/" - - environment = var.environment -} diff --git a/web/deploy/terraform/staging/bootstrap/state_storage/variables.tf b/web/deploy/terraform/staging/bootstrap/state_storage/variables.tf deleted file mode 100644 index d7e81385..00000000 --- a/web/deploy/terraform/staging/bootstrap/state_storage/variables.tf +++ /dev/null @@ -1,5 +0,0 @@ -variable "environment" { - description = "The name of the development environment. Usually `stage` or `prod`. Defaults to `stage`" - type = string - default = "stage" -} 
diff --git a/web/deploy/terraform/modules/bootstrap/state_storage/main.tf b/web/deploy/terraform/state/bootstrap/main.tf similarity index 100% rename from web/deploy/terraform/modules/bootstrap/state_storage/main.tf rename to web/deploy/terraform/state/bootstrap/main.tf diff --git a/web/deploy/terraform/modules/bootstrap/state_storage/outputs.tf b/web/deploy/terraform/state/bootstrap/outputs.tf similarity index 100% rename from web/deploy/terraform/modules/bootstrap/state_storage/outputs.tf rename to web/deploy/terraform/state/bootstrap/outputs.tf diff --git a/web/deploy/terraform/modules/bootstrap/state_storage/variables.tf b/web/deploy/terraform/state/bootstrap/variables.tf similarity index 100% rename from web/deploy/terraform/modules/bootstrap/state_storage/variables.tf rename to web/deploy/terraform/state/bootstrap/variables.tf diff --git a/web/deploy/terraform/state/main.tf b/web/deploy/terraform/state/main.tf new file mode 100644 index 00000000..2aefb443 --- /dev/null +++ b/web/deploy/terraform/state/main.tf @@ -0,0 +1,13 @@ +terraform { + required_version = ">= 1.0.0, < 2.0.0" +} + +module "stage_state" { + source = "./bootstrap/" + environment = "stage" +} + +module "prod_state" { + source = "./bootstrap/" + environment = "prod" +} From 8376d61d7f20171be77ff9515ca641035d7fa5e3 Mon Sep 17 00:00:00 2001 From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Mon, 23 Sep 2024 22:29:30 -0700 Subject: [PATCH 16/21] Add deprecated files for reference --- .../terraform/state/deprecated/README.md | 3 ++ .../state/deprecated/dynamodb-policy.json | 29 +++++++++++++++++++ .../deprecated/manual-bucket-creation.md | 16 ++++++++++ 3 files changed, 48 insertions(+) create mode 100644 web/deploy/terraform/state/deprecated/README.md create mode 100644 web/deploy/terraform/state/deprecated/dynamodb-policy.json create mode 100644 web/deploy/terraform/state/deprecated/manual-bucket-creation.md 
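Review bot: The new root `state/main.tf` instantiates `./bootstrap/` twice, but that child module carries its own `provider "aws"` block (it appears as hunk context in the patch 14 hunk of its `main.tf`); a provider configuration inside a reusable module is a legacy pattern that Terraform documents as not recommended and that makes the module call incompatible with `count`, `for_each` and `depends_on`. Move the `provider "aws"` block into this root file and, if needed, hand it down through a `providers` map on each `module` block. Separately, this root has no `backend` block, so the state describing the state buckets themselves lives in a local `terraform.tfstate`; say so explicitly, e.g. `# Bootstrap root: state is intentionally local. Keep terraform.tfstate out of git and back it up; losing it means importing the buckets by hand.`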
diff --git a/web/deploy/terraform/state/deprecated/README.md b/web/deploy/terraform/state/deprecated/README.md new file mode 100644 index 00000000..90299444 --- /dev/null +++ b/web/deploy/terraform/state/deprecated/README.md @@ -0,0 +1,3 @@ +The files in this directory are deprecated and only included for reference. + +This directory might be removed in the future diff --git a/web/deploy/terraform/state/deprecated/dynamodb-policy.json b/web/deploy/terraform/state/deprecated/dynamodb-policy.json new file mode 100644 index 00000000..714b91c4 --- /dev/null +++ b/web/deploy/terraform/state/deprecated/dynamodb-policy.json @@ -0,0 +1,29 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "dynamodb:CreateTable", + "dynamodb:DeleteTable", + "dynamodb:DescribeTable", + "dynamodb:ListTables", + "dynamodb:UpdateTable", + "dynamodb:PutItem", + "dynamodb:GetItem", + "dynamodb:DeleteItem", + "dynamodb:Query", + "dynamodb:Scan" + ], + "Resource": "arn:aws:dynamodb:us-east-1:507624629289:table/terraform-locks" + }, + { + "Effect": "Allow", + "Action": [ + "dynamodb:ListTables", + "dynamodb:ListTagsOfResource" + ], + "Resource": "*" + } + ] +} diff --git a/web/deploy/terraform/state/deprecated/manual-bucket-creation.md b/web/deploy/terraform/state/deprecated/manual-bucket-creation.md new file mode 100644 index 00000000..9e4ce8d0 --- /dev/null +++ b/web/deploy/terraform/state/deprecated/manual-bucket-creation.md 
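Review bot: The `dynamodb-policy.json` grants `dynamodb:CreateTable`, `DeleteTable`, `UpdateTable`, `Query` and `Scan` on the lock table, while Terraform's S3 backend locking only needs `DescribeTable`, `GetItem`, `PutItem` and `DeleteItem`; the extra rights let the holder drop or rewrite the lock table wholesale. The README says these files are deprecated and for reference, but it does not say whether the policy is still attached to a principal — the companion notes suggest it was attached to a long-lived IAM user — so the README should state either that it was detached and deleted, or that it remains live and is a known over-grant, e.g. `The IAM policy here is over-privileged for lock handling and is kept only as a record; confirm it is detached from any user before relying on this directory being inert.` JSON has no comment syntax, so the caveat belongs in the README rather than the policy document.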
@@ -0,0 +1,16 @@ +Created bucket and table manually: + +``` +aws s3api create-bucket --bucket osm-terraform-storage --region us-east-1 +aws s3api list-buckets +aws s3api list-buckets --region us-east-1 +aws s3api put-bucket-versioning --bucket osm-terraform-storage --versioning-configuration Status=Enabled +aws s3 cp state-storage.tf s3://osm-terraform-storage/test.tf +aws s3 rm s3://osm-terraform-storage --recursive +# Failed: aws dynamodb create-table --table-name terraform-locks --attribute-definitions AttributeName=LockID,AttributeType=S --key-schema AttributeName=LockID,KeyType=HASH --billing-mode PAY_PER_REQUEST --region us-east-1 +# Created dynamodb-policy.json +aws iam create-policy --policy-name DynamoDBFullAccess --policy-document file://dynamodb-policy.json +aws iam attach-user-policy --policy-arn arn:aws:iam::507624629289:policy/DynamoDBFullAccess --user-name osm +aws iam list-attached-user-policies --user-name osm +aws dynamodb create-table --table-name terraform-locks --attribute-definitions AttributeName=LockID,AttributeType=S --key-schema AttributeName=LockID,KeyType=HASH --billing-mode PAY_PER_REQUEST --region us-east-1 +``` From 6d82ff6937210c8a7dbaf19227451fbcc0e3fcca Mon Sep 17 00:00:00 2001 
From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Wed, 25 Sep 2024 21:31:23 -0700 Subject: [PATCH 17/21] Reorganize modules --- .../{modules/shared_resources => shared/networking}/main.tf | 0 .../shared_resources => shared/networking}/outputs.tf | 0 .../shared_resources => shared/networking}/variables.tf | 0 web/deploy/terraform/state/main.tf | 4 ++-- web/deploy/terraform/state/{bootstrap => modules}/main.tf | 0 web/deploy/terraform/state/{bootstrap => modules}/outputs.tf | 0 .../terraform/state/{bootstrap => modules}/variables.tf | 0 7 files changed, 2 insertions(+), 2 deletions(-) rename web/deploy/terraform/{modules/shared_resources => shared/networking}/main.tf (100%) rename web/deploy/terraform/{modules/shared_resources => shared/networking}/outputs.tf (100%) rename web/deploy/terraform/{modules/shared_resources => shared/networking}/variables.tf (100%) rename web/deploy/terraform/state/{bootstrap => modules}/main.tf (100%) rename web/deploy/terraform/state/{bootstrap => modules}/outputs.tf (100%) rename web/deploy/terraform/state/{bootstrap => modules}/variables.tf (100%) diff --git a/web/deploy/terraform/modules/shared_resources/main.tf b/web/deploy/terraform/shared/networking/main.tf similarity index 100% rename from web/deploy/terraform/modules/shared_resources/main.tf rename to web/deploy/terraform/shared/networking/main.tf diff --git a/web/deploy/terraform/modules/shared_resources/outputs.tf b/web/deploy/terraform/shared/networking/outputs.tf similarity index 100% rename from web/deploy/terraform/modules/shared_resources/outputs.tf rename to web/deploy/terraform/shared/networking/outputs.tf diff --git a/web/deploy/terraform/modules/shared_resources/variables.tf b/web/deploy/terraform/shared/networking/variables.tf similarity index 100% rename from web/deploy/terraform/modules/shared_resources/variables.tf rename to web/deploy/terraform/shared/networking/variables.tf 
diff --git a/web/deploy/terraform/state/main.tf b/web/deploy/terraform/state/main.tf index 2aefb443..5454e134 100644 --- a/web/deploy/terraform/state/main.tf +++ b/web/deploy/terraform/state/main.tf @@ -3,11 +3,11 @@ terraform { } module "stage_state" { - source = "./bootstrap/" + source = "./modules/" environment = "stage" } module "prod_state" { - source = "./bootstrap/" + source = "./modules/" environment = "prod" } diff --git a/web/deploy/terraform/state/bootstrap/main.tf b/web/deploy/terraform/state/modules/main.tf similarity index 100% rename from web/deploy/terraform/state/bootstrap/main.tf rename to web/deploy/terraform/state/modules/main.tf diff --git a/web/deploy/terraform/state/bootstrap/outputs.tf b/web/deploy/terraform/state/modules/outputs.tf similarity index 100% rename from web/deploy/terraform/state/bootstrap/outputs.tf rename to web/deploy/terraform/state/modules/outputs.tf diff --git a/web/deploy/terraform/state/bootstrap/variables.tf b/web/deploy/terraform/state/modules/variables.tf similarity index 100% rename from web/deploy/terraform/state/bootstrap/variables.tf rename to web/deploy/terraform/state/modules/variables.tf From 6c99c12c419c89659585b4e517304a8ad31f346b Mon Sep 17 00:00:00 2001 From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Wed, 25 Sep 2024 21:33:00 -0700 Subject: [PATCH 18/21] Add shared state storage --- web/deploy/terraform/state/main.tf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/web/deploy/terraform/state/main.tf b/web/deploy/terraform/state/main.tf index 5454e134..a2588933 100644 --- a/web/deploy/terraform/state/main.tf +++ b/web/deploy/terraform/state/main.tf @@ -11,3 +11,8 @@ module "prod_state" { source = "./modules/" environment = "prod" } + +module "shared_state" { + source = "./modules/" + environment = "shared" +} From 7aaf0d0247b894d94fd2938e59ac4145b5c6bda4 Mon Sep 17 00:00:00 2001 
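Review bot: Adding `module "shared_state"` with `environment = "shared"` leaves the module's `variable "environment"` description (visible in the patch 14 hunk of `variables.tf`) stale, since it still reads "Usually `stage` or `prod`"; update it to `description = "Deployment environment name used to suffix the state bucket and lock table. One of \`stage\`, \`prod\` or \`shared\`."`. Because the suffix ends up in a globally unique S3 bucket name, a `validation` block restricting the value to those three strings would also stop a typo from silently creating a fourth bucket. The enclosing `terraform` block and the other two module calls start before this hunk.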
From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Wed, 25 Sep 2024 21:52:38 -0700 Subject: [PATCH 19/21] Prevent destruction of state infrastructure --- web/deploy/terraform/state/modules/main.tf | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/web/deploy/terraform/state/modules/main.tf b/web/deploy/terraform/state/modules/main.tf index e3f304b5..399590cc 100644 --- a/web/deploy/terraform/state/modules/main.tf +++ b/web/deploy/terraform/state/modules/main.tf @@ -16,6 +16,10 @@ provider "aws" { resource "aws_s3_bucket" "tf_state" { bucket = "${var.bucket_name}-${var.environment}" + lifecycle { + prevent_destroy = true + } + tags = { Name = "${var.bucket_name}-${var.environment}" } @@ -36,6 +40,10 @@ resource "aws_s3_bucket_lifecycle_configuration" "tf_state" { days = 365 } } + + lifecycle { + prevent_destroy = true + } } resource "aws_s3_bucket_versioning" "enabled" { @@ -44,6 +52,10 @@ resource "aws_s3_bucket_versioning" "enabled" { versioning_configuration { status = "Enabled" } + + lifecycle { + prevent_destroy = true + } } resource "aws_s3_bucket_server_side_encryption_configuration" "default" { @@ -54,6 +66,10 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "default" { sse_algorithm = "AES256" } } + + lifecycle { + prevent_destroy = true + } } resource "aws_dynamodb_table" "tf_locks" { @@ -66,6 +82,10 @@ resource "aws_dynamodb_table" "tf_locks" { type = "S" } + lifecycle { + prevent_destroy = true + } + tags = { Name = "${var.bucket_name}-${var.environment}" } From bf7263f16107941a42ee08db3e018b43bc216718 Mon Sep 17 00:00:00 2001 From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Wed, 25 Sep 2024 21:56:32 -0700 Subject: [PATCH 20/21] Add `.terraform.lock.hcl` to version control --- .../terraform/state/.terraform.lock.hcl | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 web/deploy/terraform/state/.terraform.lock.hcl 
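Review bot: `prevent_destroy = true` on `aws_s3_bucket.tf_state` only stops a Terraform-planned destroy; it does nothing against deletion through the console, the CLI, or another workspace that imports the bucket, and Terraform state regularly contains provider credentials and generated secrets in plaintext. If the module has no `aws_s3_bucket_public_access_block` (none appears in these hunks), add one for this bucket with all four block/restrict flags set to true, and consider a bucket policy that denies `s3:DeleteBucket` and `s3:DeleteObjectVersion` to everything except a break-glass role. A comment above the lifecycle block would keep the limit visible: `# Guards Terraform-driven destroys only; bucket policy and versioning are the controls against out-of-band deletion.`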
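Review bot: The encryption rule in `aws_s3_bucket_server_side_encryption_configuration.default` uses `sse_algorithm = "AES256"` (SSE-S3), which encrypts at rest but lets any principal with `s3:GetObject` read state, and state for these environments will hold secrets. SSE-KMS with a customer-managed key adds a second authorization check (`kms:Decrypt`) and a CloudTrail record per read: `sse_algorithm = "aws:kms"`, `kms_master_key_id = aws_kms_key.tf_state.arn`, plus `bucket_key_enabled = true` on the rule to limit KMS request cost. The key resource and its policy would have to be added to this module, which is outside the hunk.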
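Review bot: The `Name` tag on `aws_dynamodb_table.tf_locks` (the context line after the newly added `lifecycle` block) is built from `var.bucket_name`, so the lock table is tagged with the bucket's name instead of its own; `Name = "${var.table_name}-${var.environment}"` matches the `name` argument of the same resource. This predates the commit, but the hunk touches the resource and it is the kind of tag that inventory and cost tooling key on.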
diff --git a/web/deploy/terraform/state/.terraform.lock.hcl b/web/deploy/terraform/state/.terraform.lock.hcl new file mode 100644 index 00000000..f324fcc5 --- /dev/null +++ b/web/deploy/terraform/state/.terraform.lock.hcl @@ -0,0 +1,20 @@ +# This file is maintained automatically by "tofu init". +# Manual edits may be lost in future updates. + +provider "registry.opentofu.org/hashicorp/aws" { + version = "5.68.0" + constraints = "~> 5.0" + hashes = [ + "h1:VMfgVqBZ6PPm6vIk0z1jHKX8SHK+/x4IfbOkZhaD6p4=", + "zh:0501ccb379b74832366860699ca6d5993b164ec44314a054453877d39c384869", + "zh:315b4eb957f84ce5580fed31e4b99b25d41634832a6939cd016fb0c4963164c9", + "zh:31defa4c379a4f1761504617824bae1b5efc93f456f055f85d1131676433085d", + "zh:3702a13f06369ee90eea413ec32db6ffa9c59648b3545301f9917f6774a840cb", + "zh:7c524cb809267ec68dd67124aa8d9fbab7722814fa875b1306d527f71b8b3bea", + "zh:ab37ec8b17be8062d804c17f5f4ddd9deaf50b3a48e6c0b979b60ef80f85192b", + "zh:baaf2c46edfe596f085f0f8f389e908a874e45c42ea5e5d5f24de1dbfed7542e", + "zh:cb37278073ede7b5e18116faebea49d5d47496d5093cec6c69065fb9ad1f622d", + "zh:ec4b64d66470b078162c13479446ad6819c93099149b478f43d990702f937fd3", + "zh:f55c3a3ba975ecfe73c729a085efb0432c02c74e91edaf40d351cdb231c3836b", + ] +} From ceaa2b91785d86b2fa7b59ad8b92314f173d8b74 Mon Sep 17 00:00:00 2001 From: smokestacklightnin <125844868+smokestacklightnin@users.noreply.github.com> Date: Fri, 27 Sep 2024 18:38:56 -0700 Subject: [PATCH 21/21] Move state modules to appropriate directory --- web/deploy/terraform/state/main.tf | 6 +++--- web/deploy/terraform/state/modules/{ => state}/main.tf | 0 web/deploy/terraform/state/modules/{ => state}/outputs.tf | 0 web/deploy/terraform/state/modules/{ => state}/variables.tf | 0 4 files changed, 3 insertions(+), 3 deletions(-) rename web/deploy/terraform/state/modules/{ => state}/main.tf (100%) rename web/deploy/terraform/state/modules/{ => state}/outputs.tf (100%) rename web/deploy/terraform/state/modules/{ => state}/variables.tf (100%) 
diff --git a/web/deploy/terraform/state/main.tf b/web/deploy/terraform/state/main.tf index a2588933..463189bc 100644 --- a/web/deploy/terraform/state/main.tf +++ b/web/deploy/terraform/state/main.tf @@ -3,16 +3,16 @@ terraform { } module "stage_state" { - source = "./modules/" + source = "./modules/state/" environment = "stage" } module "prod_state" { - source = "./modules/" + source = "./modules/state/" environment = "prod" } module "shared_state" { - source = "./modules/" + source = "./modules/state/" environment = "shared" } diff --git a/web/deploy/terraform/state/modules/main.tf b/web/deploy/terraform/state/modules/state/main.tf similarity index 100% rename from web/deploy/terraform/state/modules/main.tf rename to web/deploy/terraform/state/modules/state/main.tf diff --git a/web/deploy/terraform/state/modules/outputs.tf b/web/deploy/terraform/state/modules/state/outputs.tf similarity index 100% rename from web/deploy/terraform/state/modules/outputs.tf rename to web/deploy/terraform/state/modules/state/outputs.tf diff --git a/web/deploy/terraform/state/modules/variables.tf b/web/deploy/terraform/state/modules/state/variables.tf similarity index 100% rename from web/deploy/terraform/state/modules/variables.tf rename to web/deploy/terraform/state/modules/state/variables.tf