From 6e572a11f4693402e72cece8598b88151a27143c Mon Sep 17 00:00:00 2001
From: David Sibley
Date: Wed, 6 Dec 2023 15:14:51 +0000
Subject: [PATCH 1/4] removed ability to set custom values for tfinit, set cli entry to assume role in backend account for backend init
---
 .../workflows/reusable_terraform_plan_apply.yml | 16 ++++++++--------
 .../environments/sprinkler/platform_backend.tf | 1 +
 2 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/reusable_terraform_plan_apply.yml b/.github/workflows/reusable_terraform_plan_apply.yml
index c3e0397e57d..32392b1b67d 100644
--- a/.github/workflows/reusable_terraform_plan_apply.yml
+++ b/.github/workflows/reusable_terraform_plan_apply.yml
@@ -41,12 +41,7 @@ on:
 type: string
 required: false
 description: "The terraform version to use"
- default: "~1.5"
- init_plan_apply_tfargs:
- type: string
- required: false
- description: "Any terraform arguments to be passed into terrafrom init, plan and apply, e.g. --lock-timeout=300s"
- default: "-input=false -lock-timeout=300s"
+ default: "~1.6"
 plan_apply_tfargs:
 type: string
 required: false
@@ -99,6 +94,11 @@ jobs:
 ACCOUNT_NUMBER=$(jq -r -e --arg account_name "${ACCOUNT_NAME}" '.account_ids[$account_name]' <<< $ENVIRONMENT_MANAGEMENT)
 echo "ACCOUNT_NUMBER=${ACCOUNT_NUMBER}" >> $GITHUB_ENV
+ - name: Get Backend AWS Account Number
+ run: |
+ BACKEND_NUMBER=$(jq -r -e '.modernisation_platform_account_id' <<< $ENVIRONMENT_MANAGEMENT)
+ echo "BACKEND_NUMBER=${BACKEND_NUMBER}" >> $GITHUB_ENV
+
 - name: Configure AWS Credentials
 uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
 with:
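Review bot: Removing `init_plan_apply_tfargs` also removes the only place `-input=false -lock-timeout=300s` was set, and the replacement `terraform init` in the @@ -116 hunk does not pass `-input=false`, so a missing backend value could now try to prompt inside a non-interactive job rather than fail cleanly. Any later step that still reads `${{ inputs.init_plan_apply_tfargs }}` receives an empty string rather than an error — the test workflow's State Refresh step in patch 4 (context of its @@ -128 hunk) visibly still does — so the refresh, plan and apply steps of this file, which lie outside the hunk, need checking for the same pattern. Callers that still pass `init_plan_apply_tfargs` to this reusable workflow will, I believe, be rejected with an unknown-input error and need updating in the same change. Keeping the flags as literal text, e.g. `terraform init -input=false -lock-timeout=300s ...`, preserves what the old default did.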
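Review bot: `BACKEND_NUMBER` is exported to `$GITHUB_ENV` here, but the init step in the @@ -116 hunk reads it back through `${{ env.BACKEND_NUMBER }}`, which splices the value into the script text before bash runs it; reading `${BACKEND_NUMBER}` as an ordinary shell variable keeps the script static, which is the safer pattern for any value used inside `run:`. `jq -e` already fails the step when the key is absent, but nothing checks that the value looks like an account id before it is written into a role ARN; add `[[ "${BACKEND_NUMBER}" =~ ^[0-9]{12}$ ]] || { echo "unexpected modernisation_platform_account_id" >&2; exit 1; }` before the export. The same step is repeated at @@ -264 (patch 2) and @@ -97 (patch 4).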
@@ -116,8 +116,8 @@ jobs:
 working-directory: "terraform/environments/${{ inputs.application }}"
 run: |
 terraform --version
- echo "terraform init ${{ inputs.init_plan_apply_tfargs }}"
- terraform init ${{ inputs.init_plan_apply_tfargs }}
+ echo "terraform init -backend-config=assume_role={role_arn=\"arn:aws:iam::${{env.BACKEND_NUMBER}}:role/modernisation-account-terraform-state-member-access\"}"
+ terraform init -backend-config=assume_role={role_arn=\"arn:aws:iam::${{env.BACKEND_NUMBER}}:role/modernisation-account-terraform-state-member-access\"}
 - name: Terraform Workspace Select
 working-directory: "terraform/environments/${{ inputs.application }}"
diff --git a/terraform/environments/sprinkler/platform_backend.tf b/terraform/environments/sprinkler/platform_backend.tf
index 74fad1af264..7d25e37afcd 100644
--- a/terraform/environments/sprinkler/platform_backend.tf
+++ b/terraform/environments/sprinkler/platform_backend.tf
@@ -5,6 +5,7 @@ terraform {
 backend "s3" {
 acl = "bucket-owner-full-control"
 bucket = "modernisation-platform-terraform-state"
+ dynamodb_table = "modernisation-platform-terraform-state-lock"
 encrypt = true
 key = "terraform.tfstate"
 region = "eu-west-2"
From 8482dcd0f472fddab467da9b3125468a689af3c1 Mon Sep 17 00:00:00 2001
From: David Sibley
Date: Thu, 7 Dec 2023 08:53:57 +0000
Subject: [PATCH 2/4] updated workflow to use piped-in backend for apply stage
---
 .github/workflows/reusable_terraform_plan_apply.yml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/reusable_terraform_plan_apply.yml b/.github/workflows/reusable_terraform_plan_apply.yml
index 32392b1b67d..40f7146406d 100644
--- a/.github/workflows/reusable_terraform_plan_apply.yml
+++ b/.github/workflows/reusable_terraform_plan_apply.yml
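Review bot: The new `terraform init` line has no `-input=false`, which the removed input default used to supply, and the `echo` above it repeats the whole command literally, so the two will drift apart the next time one is edited. Build the backend argument once and reuse it: `backend_config="assume_role={role_arn=\"arn:aws:iam::${BACKEND_NUMBER}:role/modernisation-account-terraform-state-member-access\"}"`, then `echo "terraform init -input=false -backend-config=${backend_config}"` and `terraform init -input=false -backend-config="${backend_config}"`. Reading `${BACKEND_NUMBER}` from the environment (it is already in `$GITHUB_ENV` from the previous step) avoids splicing the value into the script via `${{ env.BACKEND_NUMBER }}`, and quoting the argument stops bash from brace-expanding the `{…}` should a comma ever be added inside it. The identical hunks at @@ -281 (patch 2) and @@ -114 (patch 4) need the same change.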
@@ -264,6 +264,11 @@ jobs:
 ACCOUNT_NUMBER=$(jq -r -e --arg account_name "${ACCOUNT_NAME}" '.account_ids[$account_name]' <<< $ENVIRONMENT_MANAGEMENT)
 echo "ACCOUNT_NUMBER=${ACCOUNT_NUMBER}" >> $GITHUB_ENV
+ - name: Get Backend AWS Account Number
+ run: |
+ BACKEND_NUMBER=$(jq -r -e '.modernisation_platform_account_id' <<< $ENVIRONMENT_MANAGEMENT)
+ echo "BACKEND_NUMBER=${BACKEND_NUMBER}" >> $GITHUB_ENV
+
 - name: Configure AWS Credentials
 uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
 with:
@@ -281,8 +286,8 @@ jobs:
 working-directory: "terraform/environments/${{ inputs.application }}"
 run: |
 terraform --version
- echo "terraform init ${{ inputs.init_plan_apply_tfargs }}"
- terraform init ${{ inputs.init_plan_apply_tfargs }}
+ echo "terraform init -backend-config=assume_role={role_arn=\"arn:aws:iam::${{env.BACKEND_NUMBER}}:role/modernisation-account-terraform-state-member-access\"}"
+ terraform init -backend-config=assume_role={role_arn=\"arn:aws:iam::${{env.BACKEND_NUMBER}}:role/modernisation-account-terraform-state-member-access\"}
 - name: Terraform Workspace Select
 working-directory: "terraform/environments/${{ inputs.application }}"
From cf829e9392779692257831708b4b120f91a89361 Mon Sep 17 00:00:00 2001
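Review bot: With this hunk the backend-account lookup and the init command are copy-pasted into the apply job as well as the plan job (and, in patch 4, the test workflow), each spelling out the `modernisation-account-terraform-state-member-access` role ARN in full. Computing `BACKEND_NUMBER` once as an output of an earlier job, or moving the lookup plus the init into a composite action the jobs share, would keep the role name and the init flags in a single place so that a later change cannot land in one job and not the other. The enclosing job definitions start and end outside this hunk, so I cannot tell from here whether an earlier job already exposes a suitable output.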
From: David Sibley Date: Thu, 7 Dec 2023 15:58:05 +0000 Subject: [PATCH 3/4] added state locking table to all platform_backend.tf files --- terraform/environments/apex/platform_backend.tf | 1 + terraform/environments/ccms-ebs-upgrade/platform_backend.tf | 1 + terraform/environments/ccms-ebs/platform_backend.tf | 1 + terraform/environments/cdpt-chaps/platform_backend.tf | 1 + terraform/environments/cdpt-ifs/platform_backend.tf | 1 + terraform/environments/cooker/platform_backend.tf | 1 + .../environments/corporate-staff-rostering/platform_backend.tf | 1 + terraform/environments/dacp/platform_backend.tf | 1 + .../environments/data-and-insights-wepi/platform_backend.tf | 1 + .../data-platform-apps-and-tools/platform_backend.tf | 1 + terraform/environments/data-platform/platform_backend.tf | 1 + terraform/environments/delius-core/platform_backend.tf | 1 + terraform/environments/delius-iaps/platform_backend.tf | 1 + terraform/environments/delius-jitbit/platform_backend.tf | 1 + .../environments/digital-prison-reporting/platform_backend.tf | 1 + terraform/environments/equip/platform_backend.tf | 1 + terraform/environments/eric/platform_backend.tf | 1 + terraform/environments/example/platform_backend.tf | 1 + terraform/environments/hmpps-domain-services/platform_backend.tf | 1 + .../hmpps-intelligence-management/platform_backend.tf | 1 + terraform/environments/hmpps-oem/platform_backend.tf | 1 + .../environments/laa-ccms-infra-azure-ad-sso/platform_backend.tf | 1 + terraform/environments/laa-oem/platform_backend.tf | 1 + terraform/environments/long-term-storage/platform_backend.tf | 1 + terraform/environments/maat/platform_backend.tf | 1 + terraform/environments/maatdb/platform_backend.tf | 1 + terraform/environments/mlra/platform_backend.tf | 1 + terraform/environments/mojfin/platform_backend.tf | 1 + terraform/environments/ncas/platform_backend.tf | 1 + .../environments/nomis-combined-reporting/platform_backend.tf | 1 + 
terraform/environments/nomis-data-hub/platform_backend.tf | 1 + terraform/environments/nomis/platform_backend.tf | 1 + terraform/environments/oas/platform_backend.tf | 1 + terraform/environments/oasys/platform_backend.tf | 1 + .../environments/observability-platform/platform_backend.tf | 1 + terraform/environments/performance-hub/platform_backend.tf | 1 + terraform/environments/planetfm/platform_backend.tf | 1 + terraform/environments/portal/platform_backend.tf | 1 + terraform/environments/ppud/platform_backend.tf | 1 + terraform/environments/pra-register/platform_backend.tf | 1 + terraform/environments/refer-monitor/platform_backend.tf | 1 + terraform/environments/tariff/platform_backend.tf | 1 + terraform/environments/tipstaff/platform_backend.tf | 1 + terraform/environments/tribunals/platform_backend.tf | 1 + terraform/environments/wardship/platform_backend.tf | 1 + terraform/environments/xhibit-portal/platform_backend.tf | 1 + 46 files changed, 46 insertions(+) diff --git a/terraform/environments/apex/platform_backend.tf b/terraform/environments/apex/platform_backend.tf index 57ab958dcf3..b67b5183445 100644 --- a/terraform/environments/apex/platform_backend.tf +++ b/terraform/environments/apex/platform_backend.tf @@ -5,6 +5,7 @@ terraform { backend "s3" { acl = "bucket-owner-full-control" bucket = "modernisation-platform-terraform-state" + dynamodb_table = "modernisation-platform-terraform-state-lock" encrypt = true key = "terraform.tfstate" region = "eu-west-2" diff --git a/terraform/environments/ccms-ebs-upgrade/platform_backend.tf b/terraform/environments/ccms-ebs-upgrade/platform_backend.tf index 041612568a9..2058d616b0a 100644 --- a/terraform/environments/ccms-ebs-upgrade/platform_backend.tf +++ b/terraform/environments/ccms-ebs-upgrade/platform_backend.tf 
@@ -5,6 +5,7 @@ terraform { backend "s3" { acl = "bucket-owner-full-control" bucket = "modernisation-platform-terraform-state" + dynamodb_table = "modernisation-platform-terraform-state-lock" encrypt = true key = "terraform.tfstate" region = "eu-west-2" diff --git a/terraform/environments/ccms-ebs/platform_backend.tf b/terraform/environments/ccms-ebs/platform_backend.tf index 18d09de9182..cdb4b668753 100644 --- a/terraform/environments/ccms-ebs/platform_backend.tf +++ b/terraform/environments/ccms-ebs/platform_backend.tf @@ -5,6 +5,7 @@ terraform { backend "s3" { acl = "bucket-owner-full-control" bucket = "modernisation-platform-terraform-state" + dynamodb_table = "modernisation-platform-terraform-state-lock" encrypt = true key = "terraform.tfstate" region = "eu-west-2" diff --git a/terraform/environments/cdpt-chaps/platform_backend.tf b/terraform/environments/cdpt-chaps/platform_backend.tf index 4630336ca33..06c560e2033 100644 --- a/terraform/environments/cdpt-chaps/platform_backend.tf +++ b/terraform/environments/cdpt-chaps/platform_backend.tf @@ -5,6 +5,7 @@ terraform { backend "s3" { acl = "bucket-owner-full-control" bucket = "modernisation-platform-terraform-state" + dynamodb_table = "modernisation-platform-terraform-state-lock" encrypt = true key = "terraform.tfstate" region = "eu-west-2" diff --git a/terraform/environments/cdpt-ifs/platform_backend.tf b/terraform/environments/cdpt-ifs/platform_backend.tf index c05ee15afe1..98805d3bfe2 100644 --- a/terraform/environments/cdpt-ifs/platform_backend.tf +++ b/terraform/environments/cdpt-ifs/platform_backend.tf @@ -5,6 +5,7 @@ terraform { backend "s3" { acl = "bucket-owner-full-control" bucket = "modernisation-platform-terraform-state" + dynamodb_table = "modernisation-platform-terraform-state-lock" encrypt = true key = "terraform.tfstate" region = "eu-west-2" diff --git a/terraform/environments/cooker/platform_backend.tf b/terraform/environments/cooker/platform_backend.tf index 2c102f1737e..9c14d07b798 100644 
--- a/terraform/environments/cooker/platform_backend.tf +++ b/terraform/environments/cooker/platform_backend.tf @@ -5,6 +5,7 @@ terraform { backend "s3" { acl = "bucket-owner-full-control" bucket = "modernisation-platform-terraform-state" + dynamodb_table = "modernisation-platform-terraform-state-lock" encrypt = true key = "terraform.tfstate" region = "eu-west-2" diff --git a/terraform/environments/corporate-staff-rostering/platform_backend.tf b/terraform/environments/corporate-staff-rostering/platform_backend.tf index 5989e2d6960..dc9069df5ac 100644 --- a/terraform/environments/corporate-staff-rostering/platform_backend.tf +++ b/terraform/environments/corporate-staff-rostering/platform_backend.tf @@ -5,6 +5,7 @@ terraform { backend "s3" { acl = "bucket-owner-full-control" bucket = "modernisation-platform-terraform-state" + dynamodb_table = "modernisation-platform-terraform-state-lock" encrypt = true key = "terraform.tfstate" region = "eu-west-2" diff --git a/terraform/environments/dacp/platform_backend.tf b/terraform/environments/dacp/platform_backend.tf index 0d4de5b3182..69843de6a9a 100644 --- a/terraform/environments/dacp/platform_backend.tf +++ b/terraform/environments/dacp/platform_backend.tf @@ -5,6 +5,7 @@ terraform { backend "s3" { acl = "bucket-owner-full-control" bucket = "modernisation-platform-terraform-state" + dynamodb_table = "modernisation-platform-terraform-state-lock" encrypt = true key = "terraform.tfstate" region = "eu-west-2" diff --git a/terraform/environments/data-and-insights-wepi/platform_backend.tf b/terraform/environments/data-and-insights-wepi/platform_backend.tf index ba66bcd64e1..92056b69d2f 100644 --- a/terraform/environments/data-and-insights-wepi/platform_backend.tf +++ b/terraform/environments/data-and-insights-wepi/platform_backend.tf 
@@ -5,6 +5,7 @@ terraform { backend "s3" { acl = "bucket-owner-full-control" bucket = "modernisation-platform-terraform-state" + dynamodb_table = "modernisation-platform-terraform-state-lock" encrypt = true key = "terraform.tfstate" region = "eu-west-2" diff --git a/terraform/environments/data-platform-apps-and-tools/platform_backend.tf b/terraform/environments/data-platform-apps-and-tools/platform_backend.tf index c8b18032cae..24ed55a537e 100644 --- a/terraform/environments/data-platform-apps-and-tools/platform_backend.tf +++ b/terraform/environments/data-platform-apps-and-tools/platform_backend.tf @@ -5,6 +5,7 @@ terraform { backend "s3" { acl = "bucket-owner-full-control" bucket = "modernisation-platform-terraform-state" + dynamodb_table = "modernisation-platform-terraform-state-lock" encrypt = true key = "terraform.tfstate" region = "eu-west-2" diff --git a/terraform/environments/data-platform/platform_backend.tf b/terraform/environments/data-platform/platform_backend.tf index f935458daf1..6f0d19ccf1c 100644 --- a/terraform/environments/data-platform/platform_backend.tf +++ b/terraform/environments/data-platform/platform_backend.tf @@ -5,6 +5,7 @@ terraform { backend "s3" { acl = "bucket-owner-full-control" bucket = "modernisation-platform-terraform-state" + dynamodb_table = "modernisation-platform-terraform-state-lock" encrypt = true key = "terraform.tfstate" region = "eu-west-2" diff --git a/terraform/environments/delius-core/platform_backend.tf b/terraform/environments/delius-core/platform_backend.tf index a730b5dbecb..aa114101cab 100644 --- a/terraform/environments/delius-core/platform_backend.tf +++ b/terraform/environments/delius-core/platform_backend.tf @@ -5,6 +5,7 @@ terraform { backend "s3" { acl = "bucket-owner-full-control" bucket = "modernisation-platform-terraform-state" + dynamodb_table = "modernisation-platform-terraform-state-lock" encrypt = true key = "terraform.tfstate" region = "eu-west-2" 
diff --git a/terraform/environments/delius-iaps/platform_backend.tf b/terraform/environments/delius-iaps/platform_backend.tf index e2560f5e149..edaa1661268 100644 --- a/terraform/environments/delius-iaps/platform_backend.tf +++ b/terraform/environments/delius-iaps/platform_backend.tf @@ -5,6 +5,7 @@ terraform { backend "s3" { acl = "bucket-owner-full-control" bucket = "modernisation-platform-terraform-state" + dynamodb_table = "modernisation-platform-terraform-state-lock" encrypt = true key = "terraform.tfstate" region = "eu-west-2" diff --git a/terraform/environments/delius-jitbit/platform_backend.tf b/terraform/environments/delius-jitbit/platform_backend.tf index 4aa505603e5..acd086a42e6 100644 --- a/terraform/environments/delius-jitbit/platform_backend.tf +++ b/terraform/environments/delius-jitbit/platform_backend.tf @@ -5,6 +5,7 @@ terraform { backend "s3" { acl = "bucket-owner-full-control" bucket = "modernisation-platform-terraform-state" + dynamodb_table = "modernisation-platform-terraform-state-lock" encrypt = true key = "terraform.tfstate" region = "eu-west-2" diff --git a/terraform/environments/digital-prison-reporting/platform_backend.tf b/terraform/environments/digital-prison-reporting/platform_backend.tf index d7a6138be47..46733f7bf02 100644 --- a/terraform/environments/digital-prison-reporting/platform_backend.tf +++ b/terraform/environments/digital-prison-reporting/platform_backend.tf @@ -5,6 +5,7 @@ terraform { backend "s3" { acl = "bucket-owner-full-control" bucket = "modernisation-platform-terraform-state" + dynamodb_table = "modernisation-platform-terraform-state-lock" encrypt = true key = "terraform.tfstate" region = "eu-west-2" diff --git a/terraform/environments/equip/platform_backend.tf b/terraform/environments/equip/platform_backend.tf index 900cd63e4f4..a1983f915c4 100644 --- a/terraform/environments/equip/platform_backend.tf +++ b/terraform/environments/equip/platform_backend.tf 
@@ -5,6 +5,7 @@ terraform { backend "s3" { acl = "bucket-owner-full-control" bucket = "modernisation-platform-terraform-state" + dynamodb_table = "modernisation-platform-terraform-state-lock" encrypt = true key = "terraform.tfstate" region = "eu-west-2" diff --git a/terraform/environments/eric/platform_backend.tf b/terraform/environments/eric/platform_backend.tf index 174ded466dc..4d1b84cf9ca 100644 --- a/terraform/environments/eric/platform_backend.tf +++ b/terraform/environments/eric/platform_backend.tf @@ -5,6 +5,7 @@ terraform { backend "s3" { acl = "bucket-owner-full-control" bucket = "modernisation-platform-terraform-state" + dynamodb_table = "modernisation-platform-terraform-state-lock" encrypt = true key = "terraform.tfstate" region = "eu-west-2" diff --git a/terraform/environments/example/platform_backend.tf b/terraform/environments/example/platform_backend.tf index cdc1d6c1565..a0a523d28b2 100644 --- a/terraform/environments/example/platform_backend.tf +++ b/terraform/environments/example/platform_backend.tf @@ -5,6 +5,7 @@ terraform { backend "s3" { acl = "bucket-owner-full-control" bucket = "modernisation-platform-terraform-state" + dynamodb_table = "modernisation-platform-terraform-state-lock" encrypt = true key = "terraform.tfstate" region = "eu-west-2" diff --git a/terraform/environments/hmpps-domain-services/platform_backend.tf b/terraform/environments/hmpps-domain-services/platform_backend.tf index 62c2e3bda7c..adbf4911db6 100644 --- a/terraform/environments/hmpps-domain-services/platform_backend.tf +++ b/terraform/environments/hmpps-domain-services/platform_backend.tf @@ -5,6 +5,7 @@ terraform { backend "s3" { acl = "bucket-owner-full-control" bucket = "modernisation-platform-terraform-state" + dynamodb_table = "modernisation-platform-terraform-state-lock" encrypt = true key = "terraform.tfstate" region = "eu-west-2" 
diff --git a/terraform/environments/hmpps-intelligence-management/platform_backend.tf b/terraform/environments/hmpps-intelligence-management/platform_backend.tf index fedfa251b1c..6f6b4cb0d3a 100644 --- a/terraform/environments/hmpps-intelligence-management/platform_backend.tf +++ b/terraform/environments/hmpps-intelligence-management/platform_backend.tf @@ -5,6 +5,7 @@ terraform { backend "s3" { acl = "bucket-owner-full-control" bucket = "modernisation-platform-terraform-state" + dynamodb_table = "modernisation-platform-terraform-state-lock" encrypt = true key = "terraform.tfstate" region = "eu-west-2" diff --git a/terraform/environments/hmpps-oem/platform_backend.tf b/terraform/environments/hmpps-oem/platform_backend.tf index e083eebf45c..68c33790932 100644 --- a/terraform/environments/hmpps-oem/platform_backend.tf +++ b/terraform/environments/hmpps-oem/platform_backend.tf @@ -5,6 +5,7 @@ terraform { backend "s3" { acl = "bucket-owner-full-control" bucket = "modernisation-platform-terraform-state" + dynamodb_table = "modernisation-platform-terraform-state-lock" encrypt = true key = "terraform.tfstate" region = "eu-west-2" diff --git a/terraform/environments/laa-ccms-infra-azure-ad-sso/platform_backend.tf b/terraform/environments/laa-ccms-infra-azure-ad-sso/platform_backend.tf index e9d59f0d716..54a5d788aef 100644 --- a/terraform/environments/laa-ccms-infra-azure-ad-sso/platform_backend.tf +++ b/terraform/environments/laa-ccms-infra-azure-ad-sso/platform_backend.tf @@ -5,6 +5,7 @@ terraform { backend "s3" { acl = "bucket-owner-full-control" bucket = "modernisation-platform-terraform-state" + dynamodb_table = "modernisation-platform-terraform-state-lock" encrypt = true key = "terraform.tfstate" region = "eu-west-2" diff --git a/terraform/environments/laa-oem/platform_backend.tf b/terraform/environments/laa-oem/platform_backend.tf index 2981e213e4b..6f8a86dacf9 100644 --- a/terraform/environments/laa-oem/platform_backend.tf 
+++ b/terraform/environments/laa-oem/platform_backend.tf @@ -5,6 +5,7 @@ terraform { backend "s3" { acl = "bucket-owner-full-control" bucket = "modernisation-platform-terraform-state" + dynamodb_table = "modernisation-platform-terraform-state-lock" encrypt = true key = "terraform.tfstate" region = "eu-west-2" diff --git a/terraform/environments/long-term-storage/platform_backend.tf b/terraform/environments/long-term-storage/platform_backend.tf index 4b6c469285a..c71854a8460 100644 --- a/terraform/environments/long-term-storage/platform_backend.tf +++ b/terraform/environments/long-term-storage/platform_backend.tf @@ -5,6 +5,7 @@ terraform { backend "s3" { acl = "bucket-owner-full-control" bucket = "modernisation-platform-terraform-state" + dynamodb_table = "modernisation-platform-terraform-state-lock" encrypt = true key = "terraform.tfstate" region = "eu-west-2" diff --git a/terraform/environments/maat/platform_backend.tf b/terraform/environments/maat/platform_backend.tf index e7364dab647..155412f6a80 100644 --- a/terraform/environments/maat/platform_backend.tf +++ b/terraform/environments/maat/platform_backend.tf @@ -5,6 +5,7 @@ terraform { backend "s3" { acl = "bucket-owner-full-control" bucket = "modernisation-platform-terraform-state" + dynamodb_table = "modernisation-platform-terraform-state-lock" encrypt = true key = "terraform.tfstate" region = "eu-west-2" diff --git a/terraform/environments/maatdb/platform_backend.tf b/terraform/environments/maatdb/platform_backend.tf index 29c1edc691b..6ac56297ad5 100644 --- a/terraform/environments/maatdb/platform_backend.tf +++ b/terraform/environments/maatdb/platform_backend.tf @@ -5,6 +5,7 @@ terraform { backend "s3" { acl = "bucket-owner-full-control" bucket = "modernisation-platform-terraform-state" + dynamodb_table = "modernisation-platform-terraform-state-lock" encrypt = true key = "terraform.tfstate" region = "eu-west-2" 
diff --git a/terraform/environments/mlra/platform_backend.tf b/terraform/environments/mlra/platform_backend.tf index 90ea17a7ec9..83e095ff618 100644 --- a/terraform/environments/mlra/platform_backend.tf +++ b/terraform/environments/mlra/platform_backend.tf @@ -5,6 +5,7 @@ terraform { backend "s3" { acl = "bucket-owner-full-control" bucket = "modernisation-platform-terraform-state" + dynamodb_table = "modernisation-platform-terraform-state-lock" encrypt = true key = "terraform.tfstate" region = "eu-west-2" diff --git a/terraform/environments/mojfin/platform_backend.tf b/terraform/environments/mojfin/platform_backend.tf index b628937d6e4..54e2ebc3334 100644 --- a/terraform/environments/mojfin/platform_backend.tf +++ b/terraform/environments/mojfin/platform_backend.tf @@ -5,6 +5,7 @@ terraform { backend "s3" { acl = "bucket-owner-full-control" bucket = "modernisation-platform-terraform-state" + dynamodb_table = "modernisation-platform-terraform-state-lock" encrypt = true key = "terraform.tfstate" region = "eu-west-2" diff --git a/terraform/environments/ncas/platform_backend.tf b/terraform/environments/ncas/platform_backend.tf index be5835bb047..83593a283c4 100644 --- a/terraform/environments/ncas/platform_backend.tf +++ b/terraform/environments/ncas/platform_backend.tf @@ -5,6 +5,7 @@ terraform { backend "s3" { acl = "bucket-owner-full-control" bucket = "modernisation-platform-terraform-state" + dynamodb_table = "modernisation-platform-terraform-state-lock" encrypt = true key = "terraform.tfstate" region = "eu-west-2" diff --git a/terraform/environments/nomis-combined-reporting/platform_backend.tf b/terraform/environments/nomis-combined-reporting/platform_backend.tf index 66e1c7d1d9b..a728f85d9b3 100644 --- a/terraform/environments/nomis-combined-reporting/platform_backend.tf +++ b/terraform/environments/nomis-combined-reporting/platform_backend.tf 
@@ -5,6 +5,7 @@ terraform { backend "s3" { acl = "bucket-owner-full-control" bucket = "modernisation-platform-terraform-state" + dynamodb_table = "modernisation-platform-terraform-state-lock" encrypt = true key = "terraform.tfstate" region = "eu-west-2" diff --git a/terraform/environments/nomis-data-hub/platform_backend.tf b/terraform/environments/nomis-data-hub/platform_backend.tf index dc3cb6f09fd..8479618132a 100644 --- a/terraform/environments/nomis-data-hub/platform_backend.tf +++ b/terraform/environments/nomis-data-hub/platform_backend.tf @@ -5,6 +5,7 @@ terraform { backend "s3" { acl = "bucket-owner-full-control" bucket = "modernisation-platform-terraform-state" + dynamodb_table = "modernisation-platform-terraform-state-lock" encrypt = true key = "terraform.tfstate" region = "eu-west-2" diff --git a/terraform/environments/nomis/platform_backend.tf b/terraform/environments/nomis/platform_backend.tf index 241393d1bd5..c6286d02f9f 100644 --- a/terraform/environments/nomis/platform_backend.tf +++ b/terraform/environments/nomis/platform_backend.tf @@ -5,6 +5,7 @@ terraform { backend "s3" { acl = "bucket-owner-full-control" bucket = "modernisation-platform-terraform-state" + dynamodb_table = "modernisation-platform-terraform-state-lock" encrypt = true key = "terraform.tfstate" region = "eu-west-2" diff --git a/terraform/environments/oas/platform_backend.tf b/terraform/environments/oas/platform_backend.tf index 66058d44d1b..0c5a4cc9c2a 100644 --- a/terraform/environments/oas/platform_backend.tf +++ b/terraform/environments/oas/platform_backend.tf @@ -5,6 +5,7 @@ terraform { backend "s3" { acl = "bucket-owner-full-control" bucket = "modernisation-platform-terraform-state" + dynamodb_table = "modernisation-platform-terraform-state-lock" encrypt = true key = "terraform.tfstate" region = "eu-west-2" diff --git a/terraform/environments/oasys/platform_backend.tf b/terraform/environments/oasys/platform_backend.tf index 0d98c313104..28a5dee685c 100644 
--- a/terraform/environments/oasys/platform_backend.tf +++ b/terraform/environments/oasys/platform_backend.tf @@ -5,6 +5,7 @@ terraform { backend "s3" { acl = "bucket-owner-full-control" bucket = "modernisation-platform-terraform-state" + dynamodb_table = "modernisation-platform-terraform-state-lock" encrypt = true key = "terraform.tfstate" region = "eu-west-2" diff --git a/terraform/environments/observability-platform/platform_backend.tf b/terraform/environments/observability-platform/platform_backend.tf index 60b5f762fde..b0a5a8f3dce 100644 --- a/terraform/environments/observability-platform/platform_backend.tf +++ b/terraform/environments/observability-platform/platform_backend.tf @@ -5,6 +5,7 @@ terraform { backend "s3" { acl = "bucket-owner-full-control" bucket = "modernisation-platform-terraform-state" + dynamodb_table = "modernisation-platform-terraform-state-lock" encrypt = true key = "terraform.tfstate" region = "eu-west-2" diff --git a/terraform/environments/performance-hub/platform_backend.tf b/terraform/environments/performance-hub/platform_backend.tf index d2f764eb2c6..19d52380e57 100644 --- a/terraform/environments/performance-hub/platform_backend.tf +++ b/terraform/environments/performance-hub/platform_backend.tf @@ -5,6 +5,7 @@ terraform { backend "s3" { acl = "bucket-owner-full-control" bucket = "modernisation-platform-terraform-state" + dynamodb_table = "modernisation-platform-terraform-state-lock" encrypt = true key = "terraform.tfstate" region = "eu-west-2" diff --git a/terraform/environments/planetfm/platform_backend.tf b/terraform/environments/planetfm/platform_backend.tf index 04de5db2456..3acfe52a7fb 100644 --- a/terraform/environments/planetfm/platform_backend.tf +++ b/terraform/environments/planetfm/platform_backend.tf 
@@ -5,6 +5,7 @@ terraform { backend "s3" { acl = "bucket-owner-full-control" bucket = "modernisation-platform-terraform-state" + dynamodb_table = "modernisation-platform-terraform-state-lock" encrypt = true key = "terraform.tfstate" region = "eu-west-2" diff --git a/terraform/environments/portal/platform_backend.tf b/terraform/environments/portal/platform_backend.tf index 88e9054a832..82f94446aa5 100644 --- a/terraform/environments/portal/platform_backend.tf +++ b/terraform/environments/portal/platform_backend.tf @@ -5,6 +5,7 @@ terraform { backend "s3" { acl = "bucket-owner-full-control" bucket = "modernisation-platform-terraform-state" + dynamodb_table = "modernisation-platform-terraform-state-lock" encrypt = true key = "terraform.tfstate" region = "eu-west-2" diff --git a/terraform/environments/ppud/platform_backend.tf b/terraform/environments/ppud/platform_backend.tf index 6c088d50770..b82c6e71a6c 100644 --- a/terraform/environments/ppud/platform_backend.tf +++ b/terraform/environments/ppud/platform_backend.tf @@ -5,6 +5,7 @@ terraform { backend "s3" { acl = "bucket-owner-full-control" bucket = "modernisation-platform-terraform-state" + dynamodb_table = "modernisation-platform-terraform-state-lock" encrypt = true key = "terraform.tfstate" region = "eu-west-2" diff --git a/terraform/environments/pra-register/platform_backend.tf b/terraform/environments/pra-register/platform_backend.tf index d09c79d9543..3dc79057a88 100644 --- a/terraform/environments/pra-register/platform_backend.tf +++ b/terraform/environments/pra-register/platform_backend.tf @@ -5,6 +5,7 @@ terraform { backend "s3" { acl = "bucket-owner-full-control" bucket = "modernisation-platform-terraform-state" + dynamodb_table = "modernisation-platform-terraform-state-lock" encrypt = true key = "terraform.tfstate" region = "eu-west-2" diff --git a/terraform/environments/refer-monitor/platform_backend.tf b/terraform/environments/refer-monitor/platform_backend.tf index 4099cfe584d..47fbca8a407 100644 
--- a/terraform/environments/refer-monitor/platform_backend.tf +++ b/terraform/environments/refer-monitor/platform_backend.tf @@ -5,6 +5,7 @@ terraform { backend "s3" { acl = "bucket-owner-full-control" bucket = "modernisation-platform-terraform-state" + dynamodb_table = "modernisation-platform-terraform-state-lock" encrypt = true key = "terraform.tfstate" region = "eu-west-2" diff --git a/terraform/environments/tariff/platform_backend.tf b/terraform/environments/tariff/platform_backend.tf index fcc46945435..4fcf4f924cc 100644 --- a/terraform/environments/tariff/platform_backend.tf +++ b/terraform/environments/tariff/platform_backend.tf @@ -5,6 +5,7 @@ terraform { backend "s3" { acl = "bucket-owner-full-control" bucket = "modernisation-platform-terraform-state" + dynamodb_table = "modernisation-platform-terraform-state-lock" encrypt = true key = "terraform.tfstate" region = "eu-west-2" diff --git a/terraform/environments/tipstaff/platform_backend.tf b/terraform/environments/tipstaff/platform_backend.tf index 2ffdd4ef819..353ceb3e72d 100644 --- a/terraform/environments/tipstaff/platform_backend.tf +++ b/terraform/environments/tipstaff/platform_backend.tf @@ -5,6 +5,7 @@ terraform { backend "s3" { acl = "bucket-owner-full-control" bucket = "modernisation-platform-terraform-state" + dynamodb_table = "modernisation-platform-terraform-state-lock" encrypt = true key = "terraform.tfstate" region = "eu-west-2" diff --git a/terraform/environments/tribunals/platform_backend.tf b/terraform/environments/tribunals/platform_backend.tf index db46b33ebb3..d6cf0962b8e 100644 --- a/terraform/environments/tribunals/platform_backend.tf +++ b/terraform/environments/tribunals/platform_backend.tf @@ -5,6 +5,7 @@ terraform { backend "s3" { acl = "bucket-owner-full-control" bucket = "modernisation-platform-terraform-state" + dynamodb_table = "modernisation-platform-terraform-state-lock" encrypt = true key = "terraform.tfstate" region = "eu-west-2" 
diff --git a/terraform/environments/wardship/platform_backend.tf b/terraform/environments/wardship/platform_backend.tf index 15f2b23af60..9c071465737 100644 --- a/terraform/environments/wardship/platform_backend.tf +++ b/terraform/environments/wardship/platform_backend.tf @@ -5,6 +5,7 @@ terraform { backend "s3" { acl = "bucket-owner-full-control" bucket = "modernisation-platform-terraform-state" + dynamodb_table = "modernisation-platform-terraform-state-lock" encrypt = true key = "terraform.tfstate" region = "eu-west-2" diff --git a/terraform/environments/xhibit-portal/platform_backend.tf b/terraform/environments/xhibit-portal/platform_backend.tf index 2d8ed91b9a3..b37b37b9ab6 100644 --- a/terraform/environments/xhibit-portal/platform_backend.tf +++ b/terraform/environments/xhibit-portal/platform_backend.tf @@ -5,6 +5,7 @@ terraform { backend "s3" { acl = "bucket-owner-full-control" bucket = "modernisation-platform-terraform-state" + dynamodb_table = "modernisation-platform-terraform-state-lock" encrypt = true key = "terraform.tfstate" region = "eu-west-2" From 928b629c781316dc1ac014373245b41acd2ac40e Mon Sep 17 00:00:00 2001 From: David Sibley Date: Mon, 11 Dec 2023 15:21:03 +0000 Subject: [PATCH 4/4] added role assumption to test job --- .../reusable_terraform_plan_apply_test.yml | 48 +++++++++++++++---- 1 file changed, 39 insertions(+), 9 deletions(-) diff --git a/.github/workflows/reusable_terraform_plan_apply_test.yml b/.github/workflows/reusable_terraform_plan_apply_test.yml index 9861c7ddf7f..9f895cff68b 100644 --- a/.github/workflows/reusable_terraform_plan_apply_test.yml +++ b/.github/workflows/reusable_terraform_plan_apply_test.yml 
@@ -42,11 +42,6 @@ on:
 required: false
 description: "The terraform version to use"
 default: "~1.5"
- init_plan_apply_tfargs:
- type: string
- required: false
- description: "Any terraform arguments to be passed into terrafrom init, plan and apply, e.g. --lock-timeout=300s"
- default: "-input=false -lock-timeout=300s"
 plan_apply_tfargs:
 type: string
 required: false
@@ -97,6 +92,12 @@ jobs:
 run: |
 ACCOUNT_NUMBER=$(jq -r -e --arg account_name "${ACCOUNT_NAME}" '.account_ids[$account_name]' <<< $ENVIRONMENT_MANAGEMENT)
 echo "ACCOUNT_NUMBER=${ACCOUNT_NUMBER}" >> $GITHUB_ENV
+
+ - name: Get Backend AWS Account Number
+ run: |
+ BACKEND_NUMBER=$(jq -r -e '.modernisation_platform_account_id' <<< $ENVIRONMENT_MANAGEMENT)
+ echo "BACKEND_NUMBER=${BACKEND_NUMBER}" >> $GITHUB_ENV
+
 - name: Configure AWS Credentials
 uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
 with:
@@ -114,12 +115,14 @@ jobs:
 working-directory: "terraform/environments/${{ inputs.application }}"
 run: |
 terraform --version
- echo "terraform init ${{ inputs.init_plan_apply_tfargs }}"
- terraform init ${{ inputs.init_plan_apply_tfargs }}
+ echo "terraform init -backend-config=assume_role={role_arn=\"arn:aws:iam::${{env.BACKEND_NUMBER}}:role/modernisation-account-terraform-state-member-access\"}"
+ terraform init -backend-config=assume_role={role_arn=\"arn:aws:iam::${{env.BACKEND_NUMBER}}:role/modernisation-account-terraform-state-member-access\"}
+
 - name: Terraform Workspace Select
 working-directory: "terraform/environments/${{ inputs.application }}"
 run: |
 terraform workspace select "${WORKSPACE_NAME}"
+
 - name: Terraform State Refresh (Optional)
 if: inputs.do_state_refresh_on_plan == true
 working-directory: "terraform/environments/${{ inputs.application }}"
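Review bot: The rewritten `terraform init` in the third hunk no longer passes `-input=false`, which the deleted `init_plan_apply_tfargs` default in the first hunk used to supply, so an init that wants confirmation (missing backend value, state migration) may try to prompt on a non-interactive runner instead of failing with a clear error. The account ID is also spliced into the script by template expansion (`${{env.BACKEND_NUMBER}}`) although the preceding step already exports it to the shell via `$GITHUB_ENV`; expanding it as a shell variable keeps the script text static and stops the echo and the real command from drifting apart. I would build the argument once: `backend_config="assume_role={role_arn=\"arn:aws:iam::${BACKEND_NUMBER}:role/modernisation-account-terraform-state-member-access\"}"`, then `echo "terraform init -input=false -backend-config=${backend_config}"` and `terraform init -input=false -backend-config="${backend_config}"`. The init step's `run:` block begins before this hunk.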
@@ -128,6 +131,7 @@ jobs:
 tf_args="${{ inputs.init_plan_apply_tfargs }} ${{ inputs.plan_apply_tfargs }}"
 echo "terraform apply -refresh-only -auto-approve ${tf_args}"
 terraform apply -refresh-only -auto-approve ${tf_args} | bash ${GITHUB_WORKSPACE}/scripts/redact-output.sh
+
 - name: Terraform Plan
 id: plan
 env:
@@ -144,6 +148,7 @@ jobs:
 echo "exitcode=${exitcode}" # 0=clean plan, 1=error, 2=stuff in plan
 echo "exitcode=${exitcode}" >> $GITHUB_OUTPUT
 (( exitcode == 1 )) && exit 1 || exit 0
+
 - name: Create Plan PR message (Optional)
 if: github.event_name == 'pull_request' && steps.plan.outputs.exitcode == '2' && inputs.post_plan_to_pr == true
 working-directory: "terraform/environments/${{ inputs.application }}"
@@ -164,6 +169,7 @@ jobs:
 echo 'TF_PLAN_OUT<> $GITHUB_ENV
 comment >> $GITHUB_ENV
 echo 'EOF' >> $GITHUB_ENV
+
 - name: Hide Previous PR comment (Optional)
 if: ${{ github.event_name == 'pull_request' }}
 working-directory: "scripts/minimise-comments"
@@ -173,6 +179,7 @@ jobs:
 run: |
 go build
 ./minimise-comments
+
 - name: Post Plan to PR (Optional)
 if: github.event_name == 'pull_request' && steps.plan.outputs.exitcode == '2' && inputs.post_plan_to_pr == true
 env:
@@ -184,6 +191,7 @@ jobs:
 -H "Authorization: Bearer ${{ env.GITHUB_TOKEN }}" \
 "https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments" \
 -d '{"body":'"${escaped_message}"'}'
+
 terratest:
 name: "terratest"
 needs: plan
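Review bot: The refresh step's `tf_args="${{ inputs.init_plan_apply_tfargs }} ${{ inputs.plan_apply_tfargs }}"` on the first context line of the first hunk still reads the input this patch removes from the `on:` block, so the expression now expands to nothing (an undeclared input evaluates to empty rather than erroring, as far as I know) and `-input=false -lock-timeout=300s` silently drop out of the `terraform apply -refresh-only` call. With DynamoDB locking being switched on for the backends in the same patch series, a concurrent run will now fail immediately at the lock instead of waiting up to five minutes. Pin the flags in the script instead: `tf_args="-input=false -lock-timeout=300s ${{ inputs.plan_apply_tfargs }}"`. The step's `run:` block begins before this hunk.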
@@ -197,6 +205,12 @@ jobs:
 run: |
 ACCOUNT_NUMBER=$(jq -r -e --arg account_name "${ACCOUNT_NAME}" '.account_ids[$account_name]' <<< $ENVIRONMENT_MANAGEMENT)
 echo "ACCOUNT_NUMBER=${ACCOUNT_NUMBER}" >> $GITHUB_ENV
+
+ - name: Get Backend AWS Account Number
+ run: |
+ BACKEND_NUMBER=$(jq -r -e '.modernisation_platform_account_id' <<< $ENVIRONMENT_MANAGEMENT)
+ echo "BACKEND_NUMBER=${BACKEND_NUMBER}" >> $GITHUB_ENV
+
 - name: Configure AWS Credentials
 uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
 with:
@@ -223,6 +237,12 @@ jobs:
 run: |
 ACCOUNT_NUMBER=$(jq -r -e --arg account_name "${ACCOUNT_NAME}" '.account_ids[$account_name]' <<< $ENVIRONMENT_MANAGEMENT)
 echo "ACCOUNT_NUMBER=${ACCOUNT_NUMBER}" >> $GITHUB_ENV
+
+ - name: Get Backend AWS Account Number
+ run: |
+ BACKEND_NUMBER=$(jq -r -e '.modernisation_platform_account_id' <<< $ENVIRONMENT_MANAGEMENT)
+ echo "BACKEND_NUMBER=${BACKEND_NUMBER}" >> $GITHUB_ENV
+
 - name: Configure AWS Credentials
 uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
 with:
@@ -240,12 +260,14 @@ jobs:
 working-directory: "terraform/environments/${{ inputs.application }}"
 run: |
 terraform --version
- echo "terraform init ${{ inputs.init_plan_apply_tfargs }}"
- terraform init ${{ inputs.init_plan_apply_tfargs }}
+ echo "terraform init -backend-config=assume_role={role_arn=\"arn:aws:iam::${{env.BACKEND_NUMBER}}:role/modernisation-account-terraform-state-member-access\"}"
+ terraform init -backend-config=assume_role={role_arn=\"arn:aws:iam::${{env.BACKEND_NUMBER}}:role/modernisation-account-terraform-state-member-access\"}
+
 - name: Terraform Workspace Select
 working-directory: "terraform/environments/${{ inputs.application }}"
 run: |
 terraform workspace select "${WORKSPACE_NAME}"
+
 - name: Terraform Plan
 working-directory: "terraform/environments/${{ inputs.application }}"
 run: |
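Review bot: The `Get Backend AWS Account Number` step is added to the terratest job in the first hunk, but the only consumer of `BACKEND_NUMBER` visible in this diff is the apply job's `terraform init` in the third hunk; if the terratest job never runs `terraform init` later on, the step is dead weight and should be dropped rather than copied into every job. The apply job's init carries the same gap as the plan job's: `-input=false` is gone along with the deleted `init_plan_apply_tfargs` default, and the account ID is templated into the script via `${{env.BACKEND_NUMBER}}` where `$BACKEND_NUMBER` is already in the shell environment, so `terraform init -input=false -backend-config="assume_role={role_arn=\"arn:aws:iam::${BACKEND_NUMBER}:role/modernisation-account-terraform-state-member-access\"}"` would be the safer form. Using `jq -r -e` for the lookup is the right call, since a missing key fails the step instead of producing an ARN with an empty account field. The init step's `run:` block starts before the third hunk.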
@@ -253,6 +275,7 @@ jobs:
 tf_args="-out x.tfplan ${{ inputs.init_plan_apply_tfargs }} ${{ inputs.plan_apply_tfargs }}"
 echo "terraform plan ${tf_args}"
 terraform plan ${tf_args} | bash ${GITHUB_WORKSPACE}/scripts/redact-output.sh
+
 - name: Terraform Apply
 working-directory: "terraform/environments/${{ inputs.application }}"
 run: |
@@ -260,6 +283,7 @@ jobs:
 tf_args="${{ inputs.init_plan_apply_tfargs }} ${{ inputs.plan_apply_tfargs }} x.tfplan"
 echo "terraform apply ${tf_args}"
 terraform apply ${tf_args} | bash ${GITHUB_WORKSPACE}/scripts/redact-output.sh
+
 smoketest:
 name: "smoketest"
 needs: apply
@@ -273,6 +297,12 @@ jobs:
 run: |
 ACCOUNT_NUMBER=$(jq -r -e --arg account_name "${ACCOUNT_NAME}" '.account_ids[$account_name]' <<< $ENVIRONMENT_MANAGEMENT)
 echo "ACCOUNT_NUMBER=${ACCOUNT_NUMBER}" >> $GITHUB_ENV
+
+ - name: Get Backend AWS Account Number
+ run: |
+ BACKEND_NUMBER=$(jq -r -e '.modernisation_platform_account_id' <<< $ENVIRONMENT_MANAGEMENT)
+ echo "BACKEND_NUMBER=${BACKEND_NUMBER}" >> $GITHUB_ENV
+
 - name: Configure AWS Credentials
 uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
 with:
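Review bot: Both `tf_args=` context lines in the plan and apply hunks still interpolate `${{ inputs.init_plan_apply_tfargs }}`, an input this patch deletes, so once the expression expands to empty the plan and the apply of `x.tfplan` run without `-input=false -lock-timeout=300s`; a plan that hits an unset variable will then try to prompt on the runner, and with locking newly enabled a concurrent run fails at the lock instead of queuing. Replace the references with literal flags: `tf_args="-out x.tfplan -input=false -lock-timeout=300s ${{ inputs.plan_apply_tfargs }}"` and `tf_args="-input=false -lock-timeout=300s ${{ inputs.plan_apply_tfargs }} x.tfplan"`. Separately, piping `terraform plan` into `redact-output.sh` only propagates a failed plan if the job's shell sets `pipefail`, which is not visible here and is worth confirming since that exit code gates whether `x.tfplan` is applied. The smoketest hunk adds a `BACKEND_NUMBER` lookup whose consumer lies outside this diff.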