update s3 setup script to create the terraform backend, then push the…

… state to a tfstate workspace
CDCgov · Jun 27, 2024 · 683d1b3 · 683d1b3
1 parent 90cb8bc
commit 683d1b3
Show file tree

Hide file tree

Showing 5 changed files with 87 additions and 50 deletions.
diff --git a/terraform/implementation/setup/_variable.tf b/terraform/implementation/setup/_variable.tf
@@ -9,7 +9,7 @@ variable "region" {
   type        = string
   default     = "us-east-1"
 }
-variable "github_repo" {
+variable "oidc_github_repo" {
   type = string
   default = ""
 }
diff --git a/terraform/implementation/setup/backend.tf b/terraform/implementation/setup/backend.tf
@@ -0,0 +1,3 @@
+terraform {
+  backend "s3" {}
+}
diff --git a/terraform/implementation/setup/iam.tf b/terraform/implementation/setup/iam.tf
@@ -19,7 +19,7 @@ data "aws_iam_policy_document" "github_assume_role" {
       test     = "StringLike"
       variable = "token.actions.githubusercontent.com:sub"
       values = [
-        "repo:${var.github_repo}:*",
+        "repo:${var.oidc_github_repo}:*",
       ]
     }
   }
@@ -104,12 +104,12 @@ data "aws_iam_policy_document" "github" {
 }
 
 resource "aws_iam_policy" "github" {
-  name        = "${var.project}-github-policy-${var.owner}-${terraform.workspace}"
+  name        = "${var.project}-github-policy-${var.owner}-${random_string.setup.result}"
   policy      = data.aws_iam_policy_document.github.json
 }
 
 resource "aws_iam_role" "github" {
-  name               = "${var.project}-github-role-${var.owner}-${terraform.workspace}"
+  name               = "${var.project}-github-role-${var.owner}-${random_string.setup.result}"
   assume_role_policy = data.aws_iam_policy_document.github_assume_role.json
 }
 

diff --git a/terraform/implementation/setup/main.tf b/terraform/implementation/setup/main.tf
@@ -3,9 +3,10 @@ provider "aws" {
   region = var.region
   default_tags {
     tags = {
-      Owner       = var.owner
-      Environment = terraform.workspace
-      project     = var.project
+      owner     = var.owner
+      workspace = terraform.workspace
+      project   = var.project
+      id        = random_string.setup.result
     }
   }
 }
@@ -17,7 +18,7 @@ resource "random_string" "setup" {
 }
 
 resource "aws_s3_bucket" "tfstate" {
-  bucket = "${var.project}-tfstate-${var.owner}-${terraform.workspace}-${random_string.setup.result}"
+  bucket = "${var.project}-tfstate-${var.owner}-${random_string.setup.result}"
 
   force_destroy = true
 }
@@ -50,7 +51,7 @@ resource "aws_s3_bucket_versioning" "default" {
 
 # Create a DynamoDB table for locking the state file
 resource "aws_dynamodb_table" "tfstate_lock" {
-  name         = "${var.project}-tfstate-lock-${var.owner}-${terraform.workspace}-${random_string.setup.result}"
+  name         = "${var.project}-tfstate-lock-${var.owner}-${random_string.setup.result}"
   hash_key     = "LockID"
   billing_mode = "PAY_PER_REQUEST"
 
@@ -62,7 +63,7 @@ resource "aws_dynamodb_table" "tfstate_lock" {
 
 resource "local_file" "setup_env" {
   content  = <<-EOT
-    ENVIRONMENT=${terraform.workspace}
+    WORKSPACE=${terraform.workspace}
     BUCKET=${aws_s3_bucket.tfstate.bucket}
     DYNAMODB_TABLE=${aws_dynamodb_table.tfstate_lock.id}
     REGION=${var.region}

diff --git a/terraform/implementation/setup/setup.sh b/terraform/implementation/setup/setup.sh
@@ -1,33 +1,22 @@
 #!/bin/bash
 
-# set default values
-ENVIRONMENT="${ENVIRONMENT:-default}"
-
-while [[ $# -gt 0 ]]
-do
-    key="$1"
-
-    case $key in
-        -env|--env|-e)
-        ENVIRONMENT="$2"
-        shift
-        shift
-        ;;
-        -h|--help)
-        echo "Usage: ./ecs.sh [OPTIONS]"
-        echo "Options:"
-        echo "  -e, --env            | Set the environment (e.g., production, staging) [REQUIRED]"
-        echo "  -h, --help           | Show help"
-        exit 0
-        ;;
-        *)
-        echo "Invalid argument: $1"
+WORKSPACE=tfstate
+
+if [ -f .env ]; then
+    export $(cat .env | xargs)
+    USE_S3_BACKEND=true
+else
+    read -p "Is this your first time running this script? [Yy]: " script_choice
+    script_choice=$script_choice
+    if [[ "$script_choice" =~ ^[Yy]$ ]]; then
+        echo "Running terraform locally, if all goes well, we will set up your s3 backend and push your terraform state."
+        USE_S3_BACKEND=false
+    else
         exit 1
-        ;;
-    esac
-done
+    fi
+fi
 
-if [ -z "$ENVIRONMENT" ]; then
+if [ -z "$WORKSPACE" ]; then
     echo "Missing required arguments. Please provide all the required arguments."
     ./setup.sh -h
     exit 1
@@ -38,40 +27,84 @@ if ! command -v terraform &> /dev/null; then
     exit 1
 fi
 
-if [ ! -f "$ENVIRONMENT.tfvars" ]; then
-    echo "Creating $ENVIRONMENT.tfvars"
-    touch "$ENVIRONMENT.tfvars"
+if [ ! -f "$WORKSPACE.tfvars" ]; then
+    echo "Creating $WORKSPACE.tfvars"
+    touch "$WORKSPACE.tfvars"
 fi
 
-if ! grep -q "owner" "$ENVIRONMENT.tfvars"; then
+if ! grep -q "owner" "$WORKSPACE.tfvars"; then
     read -p "Who is the owner of this infrastructure? ( default=skylight ): " owner_choice
     owner_choice=${owner_choice:-skylight}
-    echo "owner = \"$owner_choice\"" >> "$ENVIRONMENT.tfvars"
+    echo "owner = \"$owner_choice\"" >> "$WORKSPACE.tfvars"
 fi
 
-if ! grep -q "project" "$ENVIRONMENT.tfvars"; then
+if ! grep -q "project" "$WORKSPACE.tfvars"; then
     read -p "What is this project called? ( default=dibbs ): " project_choice
     project_choice=${project_choice:-dibbs}
-    echo "project = \"$project_choice\"" >> "$ENVIRONMENT.tfvars"
+    echo "project = \"$project_choice\"" >> "$WORKSPACE.tfvars"
 fi
 
-if ! grep -q "region" "$ENVIRONMENT.tfvars"; then
+if ! grep -q "region" "$WORKSPACE.tfvars"; then
     read -p "What aws region are you setting up in? ( default=us-east-1 ): " region_choice
     region_choice=${region_choice:-us-east-1}
-    echo "region = \"$region_choice\"" >> "$ENVIRONMENT.tfvars"
+    echo "region = \"$region_choice\"" >> "$WORKSPACE.tfvars"
 fi
 
-if ! grep -q "github_repo" "$ENVIRONMENT.tfvars"; then
+if ! grep -q "oidc_github_repo" "$WORKSPACE.tfvars"; then
     read -p "Are you using GitHub for your source control? (y/n): " github_choice
     if [[ "$github_choice" =~ ^[Yy]$ ]]; then
         read -p "What is the organization/repo value for assume role? ( default=\"\" ): " repo_choice
         repo_choice=${repo_choice:-""}
-        echo "github_repo = \"$repo_choice\"" >> "$ENVIRONMENT.tfvars"
+        echo "oidc_github_repo = \"$repo_choice\"" >> "$WORKSPACE.tfvars"
     fi
 fi
 
 echo "Running Terraform with the following variables:"
-cat "$ENVIRONMENT.tfvars"
+cat "$WORKSPACE.tfvars"
+
+if [ "$USE_S3_BACKEND" == "true" ]; then
+    terraform init \
+        -var-file="$WORKSPACE.tfvars" \
+        -backend-config "encrypt=true" \
+        -backend-config "key=setup_tfstate" \
+        -backend-config "bucket=$BUCKET" \
+        -backend-config "dynamodb_table=$DYNAMODB_TABLE" \
+        -backend-config "region=$REGION"
+else
+echo "terraform {
+  backend \"local\" {}
+}" > backend.tf
+    terraform init -var-file="$WORKSPACE.tfvars"
+fi
+
+# Check if workspace exists
+if terraform workspace list | grep -q "$WORKSPACE"; then
+    echo "Selecting $WORKSPACE terraform workspace"
+    terraform workspace select "$WORKSPACE"
+else
+    echo "Creating '$WORKSPACE' terraform workspace"
+    terraform workspace new "$WORKSPACE"
+fi
+
+terraform apply -var-file="$WORKSPACE.tfvars"
+
+if [ "$USE_S3_BACKEND" == "false" ]; then
+    echo "Setting up your s3 terraform backend"
+    if [ -f .env ]; then
+        export $(cat ../ecs/.env | xargs)
+    fi
+
+echo "terraform {
+  backend \"s3\" {}
+}" > backend.tf
 
-terraform init -var-file="$ENVIRONMENT.tfvars"
-terraform apply -var-file="$ENVIRONMENT.tfvars"
+    terraform init \
+        -var-file="$WORKSPACE.tfvars" \
+        -migrate-state \
+        -backend-config "encrypt=true" \
+        -backend-config "key=setup_tfstate" \
+        -backend-config "bucket=$BUCKET" \
+        -backend-config "dynamodb_table=$DYNAMODB_TABLE" \
+        -backend-config "region=$REGION" \
+        || (echo "terraform init failed, exiting..." && exit 1)
+fi