From 1af8e7ccfbac4bc238bc2733a9249c87f81084bf Mon Sep 17 00:00:00 2001
From: Kenneth Kehl <@kkehl@flexion.us>
Date: Thu, 23 Oct 2025 09:50:56 -0700
Subject: [PATCH 1/2] start upgrading terraform provider
---
 .github/workflows/deploy.yml | 29 +++++++++++++++++++++++++++++
 terraform/staging/main.tf | 28 +++++++++++++++-------------
 terraform/staging/providers.tf | 15 ++++++++++++++-
 3 files changed, 58 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 7e3211679..35c289f43 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -36,6 +36,35 @@ jobs:
 AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
 AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
 run: terraform init
+
+
+ # Some excitement for later. When we have a module we cannot just delete
+ # (db, csv_bucket) we need to modify the state in the tfstate file.
+ #
+ # Once both providers are defined in the providers.tf, the order of operations should be
+ #
+ # 1. Uncomment this command and let it run as part of CI/CD. This alters the state,
+ # but the module will be temporarily unusable
+ # 2. Go back to main.tf and update the module syntax and parameters for the new provider
+ # 3. Go through the CI/CD again, at this point it should work.
+ #
+ # - name: Terraform change provider
+ # working-directory: terraform/staging
+ # env:
+ # AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
+ # AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
+ # TF_VAR_cf_user: ${{ secrets.CLOUDGOV_USERNAME }}
+ # TF_VAR_cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
+ # run: |
+ # terraform state pull | jq '
+ # .resources |= map(select(.module == "module.csv_upload_bucket"))
+ # ' > module-csv_upload_bucket.tfstate
+ # terraform state replace-provider \
+ # -state=module-csv_upload_bucket.tfstate \
+ # 'registry.terraform.io/cloudfoundry-community/cloudfoundry' \
+ # 'registry.terraform.io/cloudfoundry/cloudfoundry'
+ # terraform state push module-csv_upload_bucket.tfstate
+
 - name: Terraform apply
 working-directory: terraform/staging
 env:
diff --git a/terraform/staging/main.tf b/terraform/staging/main.tf
index bc6def6d5..e5e8a997c 100644
--- a/terraform/staging/main.tf
+++ b/terraform/staging/main.tf
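Review bot: The commented-out `Terraform change provider` step would, as written, push a state file that contains only `module.csv_upload_bucket`, because the `jq` filter `.resources |= map(select(...))` discards every other resource and `terraform state push` replaces the remote state rather than merging into it. Unless the push is rejected, the database and the remaining resources would drop out of state and the following apply would plan to recreate them. The procedure comment should say to keep a full `terraform state pull` backup and to rewrite the provider only on the target module's entries while leaving the other resources in the pushed file. `terraform state replace-provider` also asks for confirmation, so a non-interactive job needs `-auto-approve`. The pulled `.tfstate` may hold service credentials in plaintext, so the step should delete it when done and it should never be uploaded as an artifact.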
@@ -21,19 +21,21 @@ module "database" {
 rds_plan_name = "small-psql"
 }
-module "redis-v70" {
- source = "github.com/GSA-TTS/terraform-cloudgov//redis?ref=v1.0.0"
-
- cf_org_name = local.cf_org_name
- cf_space_name = local.cf_space_name
- name = "${local.app_name}-redis-v70-${local.env}"
- redis_plan_name = "redis-dev"
- json_params = jsonencode(
- {
- "engineVersion" : "7.0",
- }
- )
-}
+# module "redis-v70" {
+# source = "github.com/GSA-TTS/terraform-cloudgov//redis?ref=v2.4.0"
+# Right now the default is cfcommunity, remove this when default is cloudfoundry
+# providers = {
+# cloudfoundry = cloudfoundry.official
+# }
+# cf_space_id = data.cloudfoundry_space.space.id
+# name = "${local.app_name}-redis-v70-${local.env}"
+# redis_plan_name = "redis-dev"
+# json_params = jsonencode(
+# {
+# "engineVersion" : "7.0",
+# }
+# )
+# }
 module "csv_upload_bucket" {
 source = "github.com/GSA-TTS/terraform-cloudgov//s3?ref=v1.0.0"
diff --git a/terraform/staging/providers.tf b/terraform/staging/providers.tf
index b5a1ed547..e14251fdf 100644
--- a/terraform/staging/providers.tf
+++ b/terraform/staging/providers.tf
@@ -2,6 +2,10 @@ terraform {
 required_version = "~> 1.7"
 required_providers {
 cloudfoundry = {
+ source = "cloudfoundry/cloudfoundry"
+ version = "1.9.0"
+ }
+ cfcommunity = {
 source = "cloudfoundry-community/cloudfoundry"
 version = "0.53.1"
 }
@@ -9,14 +13,23 @@ terraform {
 backend "s3" {
 bucket = "cg-6b759c13-6253-4a64-9bda-dd1f620185b0"
- key = "api.tfstate.stage"
+ key = "admin.tfstate.stage"
 encrypt = "true"
 region = "us-gov-west-1"
 use_lockfile = "true"
 }
 }
+# Official provider (should be default but aliased for now)
 provider "cloudfoundry" {
+ alias = "official"
+ api_url = "https://api.fr.cloud.gov"
+ user = var.cf_user
+ password = var.cf_password
+}
+
+# Community provider (should be aliased but default for now)
+provider "cfcommunity" {
 api_url = "https://api.fr.cloud.gov"
 user = var.cf_user
 password = var.cf_password
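Review bot: The replacement `source` in the commented-out `redis-v70` block is pinned to a tag, `?ref=v2.4.0`, as is `?ref=v1.0.0` on `csv_upload_bucket` in the context lines. A tag can be moved upstream, and this module is fetched in a pipeline that holds the cloud.gov and state-bucket credentials. Pinning to the full commit SHA, `?ref=COMMIT_SHA_PLACEHOLDER  # v2.4.0`, makes the fetched code immutable. The block also reads `data.cloudfoundry_space.space`, which no hunk in this patch declares, so it presumably needs a matching `data` block with `provider = cloudfoundry.official` before it is uncommented. With the module commented out the next apply will presumably destroy the existing Redis instance; if that is intended, the comment should say so.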
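Review bot: A new provider source, `cloudfoundry/cloudfoundry` at `1.9.0`, is added to `required_providers`, but the diffstat lists no `.terraform.lock.hcl` change. If the repository tracks a dependency lock file, it should be regenerated and committed with this patch (for example with `terraform providers lock` for the CI platform). That lets the workflow's `terraform init` verify recorded checksums for the new provider instead of trusting the first download from the registry. Without a tracked lock file, the exact `version` pins here fix the version but not the package hash.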
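Review bot: The backend `key` changes from `api.tfstate.stage` to `admin.tfstate.stage` in this hunk and is only restored by patch 2/2, so a checkout or CI run of commit 1/2 alone would initialise against a different state object and the apply step would plan from whatever that object holds. Squashing the two patches keeps that intermediate state out of history. Separately, both provider blocks authenticate with `var.cf_user` and `var.cf_password`. Their declarations are outside this diff, so confirm they are marked `sensitive = true` to keep the values out of plan output in the job log.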
From 41f12cce1f88e7afd691095a88e80b0021394b20 Mon Sep 17 00:00:00 2001
From: Kenneth Kehl <@kkehl@flexion.us>
Date: Thu, 23 Oct 2025 09:54:27 -0700
Subject: [PATCH 2/2] whoops
---
 terraform/staging/providers.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/staging/providers.tf b/terraform/staging/providers.tf
index e14251fdf..49d72348d 100644
--- a/terraform/staging/providers.tf
+++ b/terraform/staging/providers.tf
@@ -13,7 +13,7 @@ terraform {
 backend "s3" {
 bucket = "cg-6b759c13-6253-4a64-9bda-dd1f620185b0"
- key = "admin.tfstate.stage"
+ key = "api.tfstate.stage"
 encrypt = "true"
 region = "us-gov-west-1"
 use_lockfile = "true"