Implement Terraform state locking for member accounts #4254

Merged
merged 4 commits into from
Dec 12, 2023

Conversation

@dms1981 dms1981 commented Dec 6, 2023

As part of ministryofjustice/modernisation-platform#5534, this PR does the following:

  • Sets the minor Terraform version in use to 1.6
  • Updates the reusable job to assume a backend role in the Modernisation Platform account when terraform init is run
  • Removes the ability for customers to set custom Terraform init input values
  • Configures a state locking table to be used when Terraform is running for all customers
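What the backend side of that change looks like, as an added example rather than code from the modernisation-platform-environments repository: an S3 backend pinned to Terraform 1.6 that assumes a role in the backend account at `terraform init` and locks state in a DynamoDB table, with the table itself and a least-privilege policy for that role. Bucket, table, role, region and account values are placeholders.

```hcl
terraform {
  required_version = "~> 1.6"

  backend "s3" {
    bucket         = "EXAMPLE-platform-state-bucket"
    key            = "environments/EXAMPLE-member-account/terraform.tfstate"
    region         = "eu-west-2"
    encrypt        = true
    dynamodb_table = "EXAMPLE-platform-state-lock"
    # Terraform 1.6 form of role assumption for the backend. The role lives in
    # the backend (platform) account, so customers need no init inputs of their own.
    assume_role {
      role_arn = "arn:aws:iam::111111111111:role/EXAMPLE-backend-role"
    }
  }
}

# Lock table as the S3 backend expects it: one string hash key called LockID.
resource "aws_dynamodb_table" "state_lock" {
  name         = "EXAMPLE-platform-state-lock"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"

  attribute {
    name = "LockID"
    type = "S"
  }

  server_side_encryption { enabled = true }
  point_in_time_recovery { enabled = true }
}

# Least privilege for the backend role: only the item operations Terraform
# uses for locking, scoped to this one table.
data "aws_iam_policy_document" "state_lock" {
  statement {
    sid       = "TerraformStateLock"
    actions   = ["dynamodb:DescribeTable", "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteItem"]
    resources = [aws_dynamodb_table.state_lock.arn]
  }
}
```

Because every customer's run passes through the same table, a stale lock left by a cancelled job shows up as a `ConditionalCheckFailedException` at the next init or plan and is cleared with `terraform force-unlock <lock id>` once nobody is actually running.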

…ume role in backend account for backend init
@github-actions github-actions bot added environments-repository Used to exclude PRs from this repo in our Slack PR update github-workflow labels Dec 6, 2023
github-actions bot commented Dec 6, 2023

TFSEC Scan Success

*****************************

TFSEC will check the following folders:

Checkov Scan Success

*****************************

Checkov will check the following folders:

CTFLint Scan Success

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:

github-actions bot commented Dec 7, 2023

TFSEC Scan Success

*****************************

TFSEC will check the following folders:

Checkov Scan Success

*****************************

Checkov will check the following folders:

CTFLint Scan Success

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:

@dms1981 dms1981 temporarily deployed to sprinkler-development December 7, 2023 12:52 — with GitHub Actions Inactive
@dms1981 dms1981 had a problem deploying to cdpt-chaps-development December 7, 2023 15:59 — with GitHub Actions Failure
@dms1981 dms1981 had a problem deploying to wardship-development December 7, 2023 16:00 — with GitHub Actions Failure
@dms1981 dms1981 had a problem deploying to maatdb-development December 7, 2023 16:00 — with GitHub Actions Failure
@dms1981 dms1981 had a problem deploying to hmpps-domain-services-development December 7, 2023 16:00 — with GitHub Actions Failure
@dms1981 dms1981 had a problem deploying to ccms-ebs-upgrade-development December 7, 2023 16:00 — with GitHub Actions Failure
@dms1981 dms1981 had a problem deploying to hmpps-domain-services-test December 7, 2023 16:00 — with GitHub Actions Failure
@dms1981 dms1981 had a problem deploying to pra-register-development December 7, 2023 16:00 — with GitHub Actions Failure
github-actions bot commented Dec 7, 2023

TFSEC Scan Success

*****************************

TFSEC will check the following folders:
terraform/environments/nomis-data-hub

*****************************

Running TFSEC in terraform/environments/nomis-data-hub
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================
  timings
  ──────────────────────────────────────────
  disk i/o             3.63292ms
  parsing              227.921955ms
  adaptation           153.605µs
  checks               4.062001ms
  total                235.770481ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    5
  blocks processed     265
  files read           68

  results
  ──────────────────────────────────────────
  passed               7
  ignored              0
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

Checkov Scan Failed

*****************************

Checkov will check the following folders:
terraform/environments/nomis-data-hub

*****************************

Running Checkov in terraform/environments/nomis-data-hub
terraform scan results:

Passed checks: 102, Failed checks: 12, Skipped checks: 19

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for 12 resources (the same block, /main.tf:98-108, is reported once per for_each instance):
	  aws_ssm_parameter.ndh_secrets["ndh_host_os"]
	  aws_ssm_parameter.ndh_secrets["ndh_app_host_b"]
	  aws_ssm_parameter.ndh_secrets["ndh_ems_port_1"]
	  aws_ssm_parameter.ndh_secrets["ndh_host_os_version"]
	  aws_ssm_parameter.ndh_secrets["ndh_admin_user"]
	  aws_ssm_parameter.ndh_secrets["ndh_domain_name"]
	  aws_ssm_parameter.ndh_secrets["ndh_ems_host_a"]
	  aws_ssm_parameter.ndh_secrets["ndh_admin_pass"]
	  aws_ssm_parameter.ndh_secrets["ndh_ems_host_b"]
	  aws_ssm_parameter.ndh_secrets["ndh_ems_port_2"]
	  aws_ssm_parameter.ndh_secrets["ndh_app_host_a"]
	  aws_ssm_parameter.ndh_secrets["ndh_harkemsadmin_ssl_pass"]
	File: /main.tf:98-108

		98  | resource "aws_ssm_parameter" "ndh_secrets" {
		99  |   for_each = toset(local.ndh_secrets)
		100 |   name     = each.value
		101 |   type     = "SecureString"
		102 |   value    = random_password.random_value.result
		103 |   lifecycle {
		104 |     ignore_changes = [
		105 |       value,
		106 |     ]
		107 |   }
		108 | }


checkov_exitcode=1

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/nomis-data-hub

*****************************

Running tflint in terraform/environments/nomis-data-hub
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: Missing version constraint for provider "random" in "required_providers" (terraform_required_providers)

  on terraform/environments/nomis-data-hub/main.tf line 93:
  93: resource "random_password" "random_value" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2
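How the two findings in that run would be cleared, as an added example and not the nomis-data-hub code itself: a version constraint for the random provider (the tflint warning) and a customer-managed KMS key on the SecureString parameters (CKV_AWS_337). It also gives each parameter its own random value instead of the single value shared across all of them in the flagged block. The locals list, key description and version constraint are placeholders.

```hcl
terraform {
  required_providers {
    # Clears terraform_required_providers: the "random" provider is now pinned.
    random = {
      source  = "hashicorp/random"
      version = "~> 3.5"
    }
  }
}

# Constructed stand-in for the repository's local.ndh_secrets list.
locals {
  ndh_secrets = ["EXAMPLE_ndh_admin_user", "EXAMPLE_ndh_admin_pass"]
}

# Customer-managed key, which is what CKV_AWS_337 checks for. Without key_id a
# SecureString parameter falls back to the AWS-managed aws/ssm key, so key
# policy and rotation are outside the account owner's control.
resource "aws_kms_key" "ssm" {
  description         = "EXAMPLE CMK for SSM SecureString parameters"
  enable_key_rotation = true
}

# One random value per parameter: leaking one secret no longer reveals the others.
resource "random_password" "random_value" {
  for_each = toset(local.ndh_secrets)
  length   = 32
  special  = false
}

resource "aws_ssm_parameter" "ndh_secrets" {
  for_each = toset(local.ndh_secrets)
  name     = each.value
  type     = "SecureString"
  key_id   = aws_kms_key.ssm.arn
  value    = random_password.random_value[each.key].result

  lifecycle {
    # Values are set once here and managed out of band afterwards, as in the original.
    ignore_changes = [value]
  }
}
```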

@dms1981 dms1981 had a problem deploying to data-and-insights-wepi-development December 7, 2023 16:00 — with GitHub Actions Failure
@dms1981 dms1981 temporarily deployed to hmpps-intelligence-management-development December 7, 2023 16:00 — with GitHub Actions Inactive
@dms1981 dms1981 had a problem deploying to digital-prison-reporting-development December 7, 2023 16:01 — with GitHub Actions Failure
@dms1981 dms1981 had a problem deploying to ccms-ebs-development December 7, 2023 16:01 — with GitHub Actions Failure
@dms1981 dms1981 had a problem deploying to performance-hub-development December 7, 2023 16:01 — with GitHub Actions Failure
@dms1981 dms1981 had a problem deploying to delius-jitbit-test December 7, 2023 16:01 — with GitHub Actions Failure
@dms1981 dms1981 had a problem deploying to hmpps-oem-development December 7, 2023 16:01 — with GitHub Actions Failure
@dms1981 dms1981 had a problem deploying to mojfin-development December 7, 2023 16:02 — with GitHub Actions Failure
@dms1981 dms1981 had a problem deploying to cooker-development December 7, 2023 16:02 — with GitHub Actions Failure
@dms1981 dms1981 had a problem deploying to example-development December 7, 2023 16:02 — with GitHub Actions Failure
@dms1981 dms1981 had a problem deploying to data-and-insights-wepi-development December 12, 2023 15:37 — with GitHub Actions Failure
@dms1981 dms1981 had a problem deploying to digital-prison-reporting-test December 12, 2023 15:37 — with GitHub Actions Failure
@dms1981 dms1981 had a problem deploying to nomis-data-hub-development December 12, 2023 15:38 — with GitHub Actions Failure
@dms1981 dms1981 had a problem deploying to example-development December 12, 2023 15:38 — with GitHub Actions Failure
@dms1981 dms1981 temporarily deployed to tariff-development December 12, 2023 15:38 — with GitHub Actions Inactive
@dms1981 dms1981 had a problem deploying to sprinkler-development December 12, 2023 15:38 — with GitHub Actions Failure
@dms1981 dms1981 had a problem deploying to wardship-development December 12, 2023 15:38 — with GitHub Actions Failure
@dms1981 dms1981 had a problem deploying to hmpps-domain-services-development December 12, 2023 15:38 — with GitHub Actions Failure
@dms1981 dms1981 had a problem deploying to nomis-data-hub-test December 12, 2023 15:38 — with GitHub Actions Failure
@dms1981 dms1981 had a problem deploying to digital-prison-reporting-development December 12, 2023 15:39 — with GitHub Actions Failure
@dms1981 dms1981 had a problem deploying to xhibit-portal-development December 12, 2023 15:39 — with GitHub Actions Failure
@dms1981 dms1981 had a problem deploying to delius-core-development December 12, 2023 15:39 — with GitHub Actions Failure
@dms1981 dms1981 temporarily deployed to hmpps-intelligence-management-development December 12, 2023 15:39 — with GitHub Actions Inactive
@dms1981 dms1981 had a problem deploying to pra-register-development December 12, 2023 15:40 — with GitHub Actions Failure
@dms1981 dms1981 had a problem deploying to laa-ccms-infra-azure-ad-sso-development December 12, 2023 15:40 — with GitHub Actions Failure
@dms1981 dms1981 had a problem deploying to corporate-staff-rostering-development December 12, 2023 15:40 — with GitHub Actions Failure
@dms1981 dms1981 had a problem deploying to laa-oem-development December 12, 2023 15:40 — with GitHub Actions Failure
@dms1981 dms1981 had a problem deploying to ccms-ebs-upgrade-development December 12, 2023 15:40 — with GitHub Actions Failure
@dms1981 dms1981 had a problem deploying to ccms-ebs-development December 12, 2023 15:40 — with GitHub Actions Failure
@dms1981 dms1981 had a problem deploying to hmpps-oem-development December 12, 2023 15:41 — with GitHub Actions Failure
@dms1981 dms1981 merged commit 9f7410a into main Dec 12, 2023
945 of 1122 checks passed
@dms1981 dms1981 deleted the feature/5534-state-locking branch December 12, 2023 16:01