[Task]: Pin terraform version in every Github Action #1790
Labels
project: grants.gov
Grants.gov Modernization tickets
Comments
github-project-automation
bot
moved this to Icebox
in Simpler.Grants.gov Product Backlog
Apr 19, 2024
coilysiren
moved this from Icebox
to Sprint Ready
in Simpler.Grants.gov Product Backlog
Apr 19, 2024
aplybeah
moved this from Sprint Ready
to In Progress
in Simpler.Grants.gov Product Backlog
Apr 23, 2024
aplybeah
moved this from In Progress
to Sprint Ready
in Simpler.Grants.gov Product Backlog
Apr 23, 2024
aplybeah
moved this from Sprint Ready
to In Progress
in Simpler.Grants.gov Product Backlog
May 1, 2024
aplybeah
added a commit
that referenced
this issue
May 2, 2024
## Summary
Fixes #1790

### Time to review: __x mins__

## Changes proposed
* narrow down acceptable versions of terraform in modules
* Pin the latest version of terraform in workflows (1.8.2 as of this writing)

## Context for reviewers
> Some of our Github Actions are floating their installed terraform version. This caused all of our deploys to break when the version was silently upgraded to 1.8.0. We should pin our installed terraform version, to avoid running into issues like this in the future.

## Additional information
Terraform plan for `infra/api/service` in `dev` functioning normally:

```
# aws_sfn_state_machine.copy_oracle_data will be updated in-place
~ resource "aws_sfn_state_machine" "copy_oracle_data" {
  ~ definition = jsonencode(
        {
          - StartAt = "ExecuteECSTask"
          - States = {
              - ExecuteECSTask = {
                  - End = true
                  - Parameters = {
                      - Cluster = "arn:aws:ecs:us-east-1:315341936575:cluster/api-dev"
                      - LaunchType = "FARGATE"
                      - NetworkConfiguration = {
                          - AwsvpcConfiguration = {
                              - SecurityGroups = [
                                  - "sg-0eab49e76a34379f9",
                                ]
                              - Subnets = [
                                  - "subnet-0a5ea667d3751639f",
                                  - "subnet-068ede7dcfd9469ab",
                                  - "subnet-019f469ba97dc6ec7",
                                ]
                            }
                        }
                      - Overrides = {
                          - ContainerOverrides = [
                              - {
                                  - Command = [
                                      - "poetry",
                                      - "run",
                                      - "flask",
                                      - "data-migration",
                                      - "copy-oracle-data",
                                    ]
                                  - Environment = [
                                      - {
                                          - Name = "FLASK_APP"
                                          - Value = "src.app:create_app()"
                                        },
                                    ]
                                  - Name = "api-dev"
                                },
                            ]
                        }
                      - TaskDefinition = "arn:aws:ecs:us-east-1:315341936575:task-definition/api-dev:130"
                    }
                  - Resource = "arn:aws:states:::ecs:runTask.sync"
                  - Type = "Task"
                }
            }
        }
    ) -> (known after apply)
    id = "arn:aws:states:us-east-1:315341936575:stateMachine:api-dev-copy-oracle-data"
    name = "api-dev-copy-oracle-data"
    tags = {}
    # (11 unchanged attributes hidden)

    # (2 unchanged blocks hidden)
}

# module.service.aws_ecs_service.app will be updated in-place
~ resource "aws_ecs_service" "app" {
    id = "arn:aws:ecs:us-east-1:315341936575:service/api-dev/api-dev"
    name = "api-dev"
    tags = {}
  ~ task_definition = "arn:aws:ecs:us-east-1:315341936575:task-definition/api-dev:130" -> (known after apply)
    # (15 unchanged attributes hidden)

    # (4 unchanged blocks hidden)
}

# module.service.aws_ecs_task_definition.app must be replaced
-/+ resource "aws_ecs_task_definition" "app" {
  ~ arn = "arn:aws:ecs:us-east-1:315341936575:task-definition/api-dev:131" -> (known after apply)
  ~ arn_without_revision = "arn:aws:ecs:us-east-1:315341936575:task-definition/api-dev" -> (known after apply)
  ~ container_definitions = jsonencode(
      ~ [
          ~ {
              ~ linuxParameters = {
                  ~ capabilities = {
                      - add = []
                        # (1 unchanged attribute hidden)
                    }
                    # (1 unchanged attribute hidden)
                }
              - mountPoints = []
                name = "api-dev"
              ~ portMappings = [
                  ~ {
                      - hostPort = 8000
                      - protocol = "tcp"
                        # (1 unchanged attribute hidden)
                    },
                ]
              - systemControls = []
              - volumesFrom = []
                # (9 unchanged attributes hidden)
            },
        ] # forces replacement
    )
  ~ id = "api-dev" -> (known after apply)
  ~ revision = 131 -> (known after apply)
  - tags = {} -> null
    # (11 unchanged attributes hidden)
}

Plan: 1 to add, 2 to change, 1 to destroy.
```
github-project-automation
bot
moved this from In Review
to Done
in Simpler.Grants.gov Product Backlog
May 2, 2024
Summary
Via #1782 and navapbc/template-infra#586, it turns out that some of our Github Actions are floating their installed terraform version. This caused all of our deploys to break when the version was silently upgraded to 1.8.0. We should pin our installed terraform version, to avoid running into issues like this in the future.
Here's an example of pinning terraform in a Github Action; this is the thing we should be doing everywhere:
simpler-grants-gov/.github/workflows/infra-service.yml
Lines 23 to 26 in 4136fd6
Additionally we should narrow the acceptable range of terraform versions inside of modules, to just the matching minor version. That would also have avoided this issue, as it would have flagged that we were installing terraform 1.8 instead of 1.7.
Here's an example of where the terraform version range needs to be narrowed in modules:
simpler-grants-gov/infra/api/service/main.tf
Line 57 in 4136fd6
In the example above, it should be changed to `">= 1.7.0, < 1.8.0"`, or whatever minor version we choose.

Finally, when doing this work, we should update to the latest terraform version. At time of writing, that means updating from 1.7 => 1.8
Acceptance criteria
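A small audit for the two rules proposed in this issue, as an added example (not code from the issue or the project): it flags workflow steps that install Terraform without an exact `terraform_version`, and checks whether a `required_version` constraint admits only one minor series. The `hashicorp/setup-terraform` action, the sample workflow text and the function names are assumptions.

```python
import re

# Constructed workflow snippets; the hashicorp/setup-terraform action is assumed.
FLOATING = """\
steps:
  - name: Set up Terraform
    uses: hashicorp/setup-terraform@v3
  - run: terraform plan
"""
PINNED = """\
steps:
  - uses: hashicorp/setup-terraform@v3
    with:
      terraform_version: 1.8.2
"""

def unpinned_setup_steps(workflow_text):
    """Line numbers of setup-terraform steps lacking an exact x.y.z terraform_version."""
    lines, findings = workflow_text.splitlines(), []
    for i, line in enumerate(lines):
        if "hashicorp/setup-terraform" not in line:
            continue
        body, version = line.lstrip(), None
        key_indent = len(line) - len(body) + (2 if body.startswith("- ") else 0)
        for nxt in lines[i + 1:]:  # keys that follow `uses:` inside the same step
            if nxt.strip() and len(nxt) - len(nxt.lstrip()) < key_indent:
                break
            m = re.match(r"\s*terraform_version:\s*['\"]?([^'\"#\s]+)", nxt)
            version = m.group(1) if m else version
        if not (version and re.fullmatch(r"\d+\.\d+\.\d+", version)):
            findings.append(i + 1)
    return findings

def allows_single_minor(constraint):
    """True if a required_version string admits only one major.minor series."""
    lo = hi = None  # inclusive lower (major, minor); exclusive upper (major, minor, patch)
    for clause in constraint.split(","):
        m = re.fullmatch(r"\s*(>=|<|~>|=)?\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", clause)
        if not m:
            return False  # operator this sketch does not model: treat as not narrowed
        op, major, minor, patch = m[1] or "=", int(m[2]), int(m[3]), m[4]
        if op == ">=":
            lo = (major, minor)
        elif op == "<":
            hi = (major, minor, int(patch or 0))
        elif op == "~>" and patch is None:  # "~> 1.7" allows any 1.x
            lo, hi = (major, minor), (major + 1, 0, 0)
        else:  # "~> 1.7.0" or an exact pin stays inside one minor series
            lo, hi = (major, minor), (major, minor + 1, 0)
    return bool(lo and hi) and hi <= (lo[0], lo[1] + 1, 0)
```

The workflow scan is line-based and only reads keys that follow `uses:` within the same step; a YAML parser would be the sturdier choice for a CI gate.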