darkhelm/notifications-api
1
0
Fork 0
mirror of https://github.com/GSA/notifications-api.git synced 2026-04-05 18:09:12 -04:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #909 from GSA/terraform_doc_update

Browse Source 
Terraform doc update
This commit is contained in:
Carlo Costino
2024-04-15 09:23:59 -04:00
committed by GitHub
parent c49a74f6ec 2cee820e74
commit 8954a0741e
2 changed files with 112 additions and 51 deletions
Download Patch File Download Diff File Expand all files Collapse all files

159
terraform/README.md
View File

@@ -1,33 +1,62 @@
# Terraform
This directory holds the terraform modules for maintaining your complete persistent infrastructure.
This directory holds the Terraform modules for maintaining Notify.gov's API infrastructure. You might want to:
* [read about the directory structure](#structure), or
* [get set up to develop HCL code](#retrieving-existing-bucket-credentials).
Prerequisite: install the `jq` JSON processor: `brew install jq`
The Admin app repo [has its own terraform directory](https://github.com/GSA/notifications-admin/tree/main/terraform) but a lot of the below instructions apply to both apps.
## Retrieving existing bucket credentials
:green_book: New developers start here!
Assuming [initial setup](#initial-setup) is complete — which it should be if Notify.gov is online — Terraform state is stored in a shared remote backend. If you are going to be writing Terraform for any of our deployment environments you'll need to hook up to this backend. (You don't need to do this if you are just writing code for the `development` module, because it stores state locally on your laptop.)
1. Enter the bootstrap module with `cd bootstrap`
1. Run `./import.sh` to import the bucket containing remote terraform state into your local state
1. Follow instructions under [Use bootstrap credentials](#use-bootstrap-credentials)
### Use bootstrap credentials
1. Run `./run.sh show -json`.
1. In the output, locate `access_key_id` and `secret_access_key` within the `bucket_creds` resource. These values are secret, so don't share them with anyone or copy them to anywhere online.
1. Add the following to `~/.aws/credentials`:
```
[notify-terraform-backend]
aws_access_key_id = <access_key_id>
aws_secret_access_key = <secret_access_key>
```
1. Check which AWS profile you are using with `aws configure list`. If needed, use `export AWS_PROFILE=notify-terraform-backend` to change to the profile and credentials you just added.
These credentials will allow Terraform to access the AWS/Cloud.gov bucket in which developers share Terraform state files. Now you are ready to develop Terraform using the [Workflow for deployed environments](#workflow-for-deployed-environments).
## Initial setup
1. Manually run the bootstrap module following instructions under `Terraform State Credentials`
These instructions were used for deploying the project for the first time, years ago. We should not have to perform these steps again. They are provided here for reference.
1. Manually run the bootstrap module following instructions under [Terraform State Credentials](#terraform-state-credentials)
1. Setup CI/CD Pipeline to run Terraform
1. Copy bootstrap credentials to your CI/CD secrets using the instructions in the base README
1. Create a cloud.gov SpaceDeployer by following the instructions under `SpaceDeployers`
1. Copy SpaceDeployer credentials to your CI/CD secrets using the instructions in the base README
1. Copy bootstrap credentials to your CI/CD secrets using the instructions in the base README
1. Create a cloud.gov SpaceDeployer by following the instructions under [SpaceDeployers](#spacedeployers)
1. Copy SpaceDeployer credentials to your CI/CD secrets using the instructions in the base README
1. Manually Running Terraform
1. Follow instructions under `Set up a new environment` to create your infrastructure
1. Follow instructions under [Workflow for deployed environments](#workflow-for-deployed-environments) to create your infrastructure
## Terraform State Credentials
### Terraform state credentials
The bootstrap module is used to create an s3 bucket for later terraform runs to store their state in.
The bootstrap module is used to create an s3 bucket for later terraform runs to store their state in. (If the bucket is already created, you should [Use bootstrap credentials](#use-bootstrap-credentials))
### Bootstrapping the state storage s3 buckets for the first time
#### Bootstrapping the state storage s3 buckets for the first time
1. Run `terraform init`
1. Within the `bootstrap` directory, run `terraform init`
1. Run `./run.sh plan` to verify that the changes are what you expect
1. Run `./run.sh apply` to set up the bucket and retrieve credentials
1. Follow instructions under `Use bootstrap credentials`
1. Run `./run.sh apply` to set up the bucket
1. Follow instructions under [Use bootstrap credentials](#use-bootstrap-credentials)
1. Ensure that `import.sh` includes a line and correct IDs for any resources created
1. Run `./teardown_creds.sh` to remove the space deployer account used to create the s3 bucket
1. Copy `bucket` from `bucket_credentials` output to the backend block of `staging/providers.tf` and `production/providers.tf`
### To make changes to the bootstrap module
#### To make changes to the bootstrap module
*This should not be necessary in most cases*
@@ -38,22 +67,6 @@ The bootstrap module is used to create an s3 bucket for later terraform runs to
1. Make your changes
1. Continue from step 2 of the boostrapping instructions
### Retrieving existing bucket credentials
1. Run `./run.sh show`
1. Follow instructions under `Use bootstrap credentials`
#### Use bootstrap credentials
1. Add the following to `~/.aws/credentials`
```
[notify-terraform-backend]
aws_access_key_id = <access_key_id from bucket_credentials>
aws_secret_access_key = <secret_access_key from bucket_credentials>
```
1. Copy `bucket` from `bucket_credentials` output to the backend block of `staging/providers.tf` and `production/providers.tf`
## SpaceDeployers
A [SpaceDeployer](https://cloud.gov/docs/services/cloud-gov-service-account/) account is required to run terraform or
@@ -61,46 +74,85 @@ deploy the application from the CI/CD pipeline. Create a new account by running:
`./create_service_account.sh -s <SPACE_NAME> -u <ACCOUNT_NAME>`
## Set up a new environment manually
SpaceDeployers are also needed to run Terraform locally &mdash; they fill user and password input variables (via `deployers` within `main.tf`) that some of our Terraform modules require when they start running. Using a SpaceDeployer account locally is covered in [the next section](#workflow-for-deployed-environments).
The below steps rely on you first configuring access to the Terraform state in s3 as described in [Terraform State Credentials](#terraform-state-credentials).
## Workflow for deployed environments
1. `cd` to the environment you are working in
These are the steps for developing Terraform code for our deployed environment modules (`sandbox`, `demo`, `staging` and `production`) locally on your laptop. Or for setting up a new deployment environment, or otherwise for running Terraform manually in any module that uses remote state. You don't need to do all this to run code in the `development` module, because it is not a deployed environment and it does not use remote state.
1. Set up a SpaceDeployer
> [!CAUTION]
> There is one risky step below (`apply`) which is safe only in the `sandbox` environment and **should not** be run in any other deployed environment.
These steps assume shared [Terraform state credentials](#terraform-state-credentials) exist in s3, and that you are [Using those credentials](#use-bootstrap-credentials).
1. `cd` to the environment you plan to work in. When developing new features/resources, try out your code in `sandbox`. Only once the code is proven should you copy-and-paste it to each higher environment.
1. Run `cf spaces` and, from the output, copy the space name for the environment you are working in, such as `notify-sandbox`.
1. Next you will set up a SpaceDeployer. Prepare to fill in these values:
* `<SPACE_NAME>` will be the string you copied from the prior step
* `<ACCOUNT_NAME>` can be anything, although we recommend something that communicates the purpose of the deployer. For example: "circleci-deployer" for the credentials CircleCI uses to deploy the application, or "sandbox-<your_name>" for credentials to run terraform manually.
Put those two values into this command:
```bash
# create a space deployer service instance that can log in with just a username and password
# the value of < SPACE_NAME > should be `staging` or `prod` depending on where you are working
# the value for < ACCOUNT_NAME > can be anything, although we recommend
# something that communicates the purpose of the deployer
# for example: circleci-deployer for the credentials CircleCI uses to
# deploy the application or <your_name>-terraform for credentials to run terraform manually
./create_service_account.sh -s <SPACE_NAME> -u <ACCOUNT_NAME> > secrets.auto.tfvars
```
The script will output the `username` (as `cf_user`) and `password` (as `cf_password`) for your `<ACCOUNT_NAME>`. Read more in the [cloud.gov service account documentation](https://cloud.gov/docs/services/cloud-gov-service-account/).
The script will output the `username` (as `cf_user`) and `password` (as `cf_password`) for your `<ACCOUNT_NAME>`. The [cloud.gov service account documentation](https://cloud.gov/docs/services/cloud-gov-service-account/) has more information.
The easiest way to use this script is to redirect the output directly to the `secrets.auto.tfvars` file it needs to be used in
The command uses the redirection operator (`>`) to write that output to the `secrets.auto.tfvars` file. Terraform will find the username and password there, and use them as input variables.
1. Run terraform from your new environment directory with
1. While still in an environment directory, initialize Terraform:
```bash
terraform init
```
If this command fails, you may need to run `terraform init -upgrade` to make sure new module versions are picked up. Or, `terraform init -migrate-state` to bump the remote backend.
1. Then, run Terraform in a non-destructive way:
```bash
terraform plan
```
If the `terraform init` command fails, you may need to run `terraform init -upgrade` to make sure new module versions are picked up.
This will show you any pending changes that Terraform is ready to make.
1. Apply changes with `terraform apply`.
:pencil: Now is the time to write any HCL code you are planning to write, re-running `terraform plan` to confirm that the code works as you develop. Keep in mind that any changes to the codebase that you commit will be run by the CI/CD pipeline.
1. Remove the space deployer service instance if it doesn't need to be used again, such as when manually running terraform once.
1. **Only if it is safe to do so**, apply your changes.
:skull: Applying changes in the wrong directory can mess up a deployed environment that people are relying on
Double-check what directory you are in, like with the `pwd` command. You should probably only apply while in the `sandbox` directory / environment.
Once you are sure it is safe, run:
```bash
terraform apply
```
This command *will deploy your changes* to the cloud. This is a healthy part of testing your code in the sandbox, or if you are creating a new environment (a new directory). **Do not** apply in environments that people are relying upon.
1. Remove the space deployer service instance when you are done manually running Terraform.
```bash
# <SPACE_NAME> and <ACCOUNT_NAME> have the same values as used above.
./destroy_service_account.sh -s <SPACE_NAME> -u <ACCOUNT_NAME>
```
Optionally, you can also `rm secrets.auto.tfvars`
## Structure
Each environment has its own module, which relies on a shared module for everything except the providers code and environment specific variables and settings.
The `terraform` directory contains sub-directories (`staging`, `production`, etc.) named for deployment environments. Each of these is a *module*, which is just Terraform's word for a directory with some .tf files in it. Each module governs the infrastructure of the environment for which it is named. This directory structure forms "[bulkheads](https://blog.gruntwork.io/how-to-manage-terraform-state-28f5697e68fa)" which isolate Terraform commands to a single environment, limiting accidental damage.
The `development` module is rather different from the other environment modules. While the other environments can be used to create (or destroy) cloud resources, the development module mostly just sets up access to pre-existing resources needed for local software development.
The `bootstrap` directory is not an environment module. Instead, it sets up infrastructure needed to deploy Terraform in any of the environments. If you are new to the project, [this is where you should start](#retrieving-existing-bucket-credentials).
Similarly, `shared` is not an environment. It is a module that lends code to all the environments. Please note that changes to `shared` codebase will be applied to all envrionments the next time CI/CD (or a user) runs Terraform in that environment.
> [!WARNING]
> Editing `shared` code is risky because it will be applied to production
Files within these directories look like this:
```
- bootstrap/
@@ -130,3 +182,16 @@ In the bootstrap module:
- `run.sh` Helper script to set up a space deployer and run terraform. The terraform action (`show`/`plan`/`apply`/`destroy`) is passed as an argument
- `teardown_creds.sh` Helper script to remove the space deployer setup as part of `run.sh`
- `import.sh` Helper script to create a new local state file in case terraform changes are needed
## Troubleshooting
### Expired token
```
The token expired, was revoked, or the token ID is incorrect. Please log back in to re-authenticate.
```
You need to re-authenticate with the Cloud Foundry CLI
```
cf login -a api.fr.cloud.gov --sso
```
You may also need to log in again to the Cloud.gov website.

4
terraform/bootstrap/main.tf
View File

@@ -14,7 +14,3 @@ resource "cloudfoundry_service_key" "bucket_creds" {
name = "${local.s3_service_name}-access"
service_instance = module.s3.bucket_id
}
output "bucket_credentials" {
value = cloudfoundry_service_key.bucket_creds.credentials
}