The latest articles on DEV Community by Pipo Sanfilippo (@mnsanfilippo). https://dev.to/mnsanfilippo https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F556776%2Fb9f4f880-f5fa-45d2-8516-2cc41fe0d252.png https://dev.to/mnsanfilippo en Pipo Sanfilippo Mon, 05 Jul 2021 16:27:40 +0000 https://dev.to/mnsanfilippo/how-to-backup-the-terraform-states-from-terraform-cloud-workspaces-1km4 https://dev.to/mnsanfilippo/how-to-backup-the-terraform-states-from-terraform-cloud-workspaces-1km4 <p>This tool is the result of a no so sad story as it should have been. We had a backup. <br> Until today, Terraform Cloud does not provide a mechanism to backup and restore the terraform states of the workspaces. This tool is the first version of a lambda that every time a workspace changes in the terraform state, the Terraform state will save in an S3 Bucket. So in case of disaster, the Terraform state can be pushed to the workspace.</p> <p>Let us begin.<br> This tool is a serverless and event-driven solution. We are going to use:<br> Lambda <a href="https://github.com/mnsanfilippo/go-tools-tfc-backup" rel="noopener noreferrer">repository</a><br> S3<br> API Gateway<br> Terraform Cloud Workspace Notifications</p> <p>The workflow of the process is:<br> The terraform state change in terraform cloud because a new plan was applied or that a plan has been applied and ended in an errored state. In any case, the terraform state has changed so that we will save this new state.<br> This change of state triggers a notification in Terraform Cloud to a generic endpoint. This generic endpoint is an API Gateway endpoint that has a lambda function integrated.</p> <p>The lambda function receives the payload from the terraform cloud notification, and this payload looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/{proxy+}"</span><span class="p">,</span><span class="w"> </span><span class="nl">"path"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/hello/world"</span><span class="p">,</span><span class="w"> </span><span class="nl">"httpMethod"</span><span class="p">:</span><span class="w"> </span><span class="s2">"POST"</span><span class="p">,</span><span class="w"> </span><span class="nl">"headers"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Accept"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*/*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Accept-Encoding"</span><span class="p">:</span><span class="w"> </span><span class="s2">"gzip, deflate"</span><span class="p">,</span><span class="w"> </span><span class="nl">"cache-control"</span><span class="p">:</span><span class="w"> </span><span class="s2">"no-cache"</span><span class="p">,</span><span class="w"> </span><span class="nl">"CloudFront-Forwarded-Proto"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https"</span><span class="p">,</span><span class="w"> </span><span class="nl">"CloudFront-Is-Desktop-Viewer"</span><span class="p">:</span><span class="w"> </span><span class="s2">"true"</span><span class="p">,</span><span class="w"> </span><span class="nl">"CloudFront-Is-Mobile-Viewer"</span><span class="p">:</span><span class="w"> </span><span class="s2">"false"</span><span class="p">,</span><span class="w"> </span><span class="nl">"CloudFront-Is-SmartTV-Viewer"</span><span class="p">:</span><span class="w"> </span><span class="s2">"false"</span><span class="p">,</span><span class="w"> </span><span class="nl">"CloudFront-Is-Tablet-Viewer"</span><span class="p">:</span><span class="w"> </span><span class="s2">"false"</span><span class="p">,</span><span class="w"> </span><span class="nl">"CloudFront-Viewer-Country"</span><span class="p">:</span><span class="w"> </span><span class="s2">"US"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Content-Type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"application/json"</span><span class="p">,</span><span class="w"> </span><span class="nl">"headerName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"headerValue"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Host"</span><span class="p">:</span><span class="w"> </span><span class="s2">"gy415nuibc.execute-api.us-east-1.amazonaws.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Postman-Token"</span><span class="p">:</span><span class="w"> </span><span class="s2">"9f583ef0-ed83-4a38-aef3-eb9ce3f7a57f"</span><span class="p">,</span><span class="w"> </span><span class="nl">"User-Agent"</span><span class="p">:</span><span class="w"> </span><span class="s2">"PostmanRuntime/2.4.5"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Via"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1.1 d98420743a69852491bbdea73f7680bd.cloudfront.net (CloudFront)"</span><span class="p">,</span><span class="w"> </span><span class="nl">"X-Amz-Cf-Id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"pn-PWIJc6thYnZm5P0NMgOUglL1DYtl0gdeJky8tqsg8iS_sgsKD1A=="</span><span class="p">,</span><span class="w"> </span><span class="nl">"X-Forwarded-For"</span><span class="p">:</span><span class="w"> </span><span class="s2">"54.240.196.186, 54.182.214.83"</span><span class="p">,</span><span class="w"> </span><span class="nl">"X-Forwarded-Port"</span><span class="p">:</span><span class="w"> </span><span class="s2">"443"</span><span class="p">,</span><span class="w"> </span><span class="nl">"X-Forwarded-Proto"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"multiValueHeaders"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Accept"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"*/*"</span><span class="p">],</span><span class="w"> </span><span class="nl">"Accept-Encoding"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"gzip, deflate"</span><span class="p">],</span><span class="w"> </span><span class="nl">"cache-control"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"no-cache"</span><span class="p">],</span><span class="w"> </span><span class="nl">"CloudFront-Forwarded-Proto"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"https"</span><span class="p">],</span><span class="w"> </span><span class="nl">"CloudFront-Is-Desktop-Viewer"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"true"</span><span class="p">],</span><span class="w"> </span><span class="nl">"CloudFront-Is-Mobile-Viewer"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"false"</span><span class="p">],</span><span class="w"> </span><span class="nl">"CloudFront-Is-SmartTV-Viewer"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"false"</span><span class="p">],</span><span class="w"> </span><span class="nl">"CloudFront-Is-Tablet-Viewer"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"false"</span><span class="p">],</span><span class="w"> </span><span class="nl">"CloudFront-Viewer-Country"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"US"</span><span class="p">],</span><span class="w"> </span><span class="nl">"Content-Type"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"application/json"</span><span class="p">],</span><span class="w"> </span><span class="nl">"headerName"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"headerValue"</span><span class="p">],</span><span class="w"> </span><span class="nl">"Host"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"gy415nuibc.execute-api.us-east-1.amazonaws.com"</span><span class="p">],</span><span class="w"> </span><span class="nl">"Postman-Token"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"9f583ef0-ed83-4a38-aef3-eb9ce3f7a57f"</span><span class="p">],</span><span class="w"> </span><span class="nl">"User-Agent"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"PostmanRuntime/2.4.5"</span><span class="p">],</span><span class="w"> </span><span class="nl">"Via"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"1.1 d98420743a69852491bbdea73f7680bd.cloudfront.net (CloudFront)"</span><span class="p">],</span><span class="w"> </span><span class="nl">"X-Amz-Cf-Id"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"pn-PWIJc6thYnZm5P0NMgOUglL1DYtl0gdeJky8tqsg8iS_sgsKD1A=="</span><span class="p">],</span><span class="w"> </span><span class="nl">"X-Forwarded-For"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"54.240.196.186, 54.182.214.83"</span><span class="p">],</span><span class="w"> </span><span class="nl">"X-Forwarded-Port"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"443"</span><span class="p">],</span><span class="w"> </span><span class="nl">"X-Forwarded-Proto"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"https"</span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"queryStringParameters"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"me"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"multiValueQueryStringParameters"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"me"</span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"pathParameters"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"proxy"</span><span class="p">:</span><span class="w"> </span><span class="s2">"hello/world"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"stageVariables"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"stageVariableName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"stageVariableValue"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"requestContext"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"accountId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"12345678912"</span><span class="p">,</span><span class="w"> </span><span class="nl">"resourceId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"roq9wj"</span><span class="p">,</span><span class="w"> </span><span class="nl">"stage"</span><span class="p">:</span><span class="w"> </span><span class="s2">"testStage"</span><span class="p">,</span><span class="w"> </span><span class="nl">"domainName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"gy415nuibc.execute-api.us-east-2.amazonaws.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"domainPrefix"</span><span class="p">:</span><span class="w"> </span><span class="s2">"y0ne18dixk"</span><span class="p">,</span><span class="w"> </span><span class="nl">"requestId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"deef4878-7910-11e6-8f14-25afc3e9ae33"</span><span class="p">,</span><span class="w"> </span><span class="nl">"protocol"</span><span class="p">:</span><span class="w"> </span><span class="s2">"HTTP/1.1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"identity"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"cognitoIdentityPoolId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"theCognitoIdentityPoolId"</span><span class="p">,</span><span class="w"> </span><span class="nl">"accountId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"theAccountId"</span><span class="p">,</span><span class="w"> </span><span class="nl">"cognitoIdentityId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"theCognitoIdentityId"</span><span class="p">,</span><span class="w"> </span><span class="nl">"caller"</span><span class="p">:</span><span class="w"> </span><span class="s2">"theCaller"</span><span class="p">,</span><span class="w"> </span><span class="nl">"apiKey"</span><span class="p">:</span><span class="w"> </span><span class="s2">"theApiKey"</span><span class="p">,</span><span class="w"> </span><span class="nl">"apiKeyId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"theApiKeyId"</span><span class="p">,</span><span class="w"> </span><span class="nl">"accessKey"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ANEXAMPLEOFACCESSKEY"</span><span class="p">,</span><span class="w"> </span><span class="nl">"sourceIp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"192.168.196.186"</span><span class="p">,</span><span class="w"> </span><span class="nl">"cognitoAuthenticationType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"theCognitoAuthenticationType"</span><span class="p">,</span><span class="w"> </span><span class="nl">"cognitoAuthenticationProvider"</span><span class="p">:</span><span class="w"> </span><span class="s2">"theCognitoAuthenticationProvider"</span><span class="p">,</span><span class="w"> </span><span class="nl">"userArn"</span><span class="p">:</span><span class="w"> </span><span class="s2">"theUserArn"</span><span class="p">,</span><span class="w"> </span><span class="nl">"userAgent"</span><span class="p">:</span><span class="w"> </span><span class="s2">"PostmanRuntime/2.4.5"</span><span class="p">,</span><span class="w"> </span><span class="nl">"user"</span><span class="p">:</span><span class="w"> </span><span class="s2">"theUser"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"authorizer"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"principalId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"admin"</span><span class="p">,</span><span class="w"> </span><span class="nl">"clientId"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"clientName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Exata"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"resourcePath"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/{proxy+}"</span><span class="p">,</span><span class="w"> </span><span class="nl">"httpMethod"</span><span class="p">:</span><span class="w"> </span><span class="s2">"POST"</span><span class="p">,</span><span class="w"> </span><span class="nl">"requestTime"</span><span class="p">:</span><span class="w"> </span><span class="s2">"15/May/2020:06:01:09 +0000"</span><span class="p">,</span><span class="w"> </span><span class="nl">"requestTimeEpoch"</span><span class="p">:</span><span class="w"> </span><span class="mi">1589522469693</span><span class="p">,</span><span class="w"> </span><span class="nl">"apiId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"gy415nuibc"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"body"</span><span class="p">:</span><span class="w"> </span><span class="s2">"{</span><span class="se">\n</span><span class="s2"> </span><span class="se">\"</span><span class="s2">payload_version</span><span class="se">\"</span><span class="s2">:1,</span><span class="se">\n</span><span class="s2"> </span><span class="se">\"</span><span class="s2">notification_configuration_id</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">nc-vxvQ5SpJJ23oAWLk</span><span class="se">\"</span><span class="s2">,</span><span class="se">\n</span><span class="s2"> </span><span class="se">\"</span><span class="s2">run_url</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">https://app.terraform.io/app/mnsanfilippo/mnsanfilippo/runs/run-uyeKDPGKNpD9PxdC</span><span class="se">\"</span><span class="s2">,</span><span class="se">\n</span><span class="s2"> </span><span class="se">\"</span><span class="s2">run_id</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">run-uyeKDPGKNpD9PxdC</span><span class="se">\"</span><span class="s2">,</span><span class="se">\n</span><span class="s2"> </span><span class="se">\"</span><span class="s2">run_message</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">Queued manually using Terraform</span><span class="se">\"</span><span class="s2">,</span><span class="se">\n</span><span class="s2"> </span><span class="se">\"</span><span class="s2">run_created_at</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">2021-05-30T16:18:00.000Z</span><span class="se">\"</span><span class="s2">,</span><span class="se">\n</span><span class="s2"> </span><span class="se">\"</span><span class="s2">run_created_by</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">mnsanfilippo</span><span class="se">\"</span><span class="s2">,</span><span class="se">\n</span><span class="s2"> </span><span class="se">\"</span><span class="s2">workspace_id</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">ws-WzbRhM4ojZXjRvoP</span><span class="se">\"</span><span class="s2">,</span><span class="se">\n</span><span class="s2"> </span><span class="se">\"</span><span class="s2">workspace_name</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">mnsanfilippo</span><span class="se">\"</span><span class="s2">,</span><span class="se">\n</span><span class="s2"> </span><span class="se">\"</span><span class="s2">organization_name</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">mnsanfilippo</span><span class="se">\"</span><span class="s2">,</span><span class="se">\n</span><span class="s2"> </span><span class="se">\"</span><span class="s2">notifications</span><span class="se">\"</span><span class="s2">:[</span><span class="se">\n</span><span class="s2"> {</span><span class="se">\n</span><span class="s2"> </span><span class="se">\"</span><span class="s2">message</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">Run Errored</span><span class="se">\"</span><span class="s2">,</span><span class="se">\n</span><span class="s2"> </span><span class="se">\"</span><span class="s2">trigger</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">run:errored</span><span class="se">\"</span><span class="s2">,</span><span class="se">\n</span><span class="s2"> </span><span class="se">\"</span><span class="s2">run_status</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">errored</span><span class="se">\"</span><span class="s2">,</span><span class="se">\n</span><span class="s2"> </span><span class="se">\"</span><span class="s2">run_updated_at</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">2021-05-30T16:19:14.000Z</span><span class="se">\"</span><span class="s2">,</span><span class="se">\n</span><span class="s2"> </span><span class="se">\"</span><span class="s2">run_updated_by</span><span class="se">\"</span><span class="s2">:null</span><span class="se">\n</span><span class="s2"> }</span><span class="se">\n</span><span class="s2"> ]</span><span class="se">\n</span><span class="s2">}"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The function is going to parse the body of the payload, searching for</p> <ul> <li>workspace_id</li> <li>workspace_name</li> <li>organization_name</li> <li>run_id</li> </ul> <p>With that information, the function retrieves from Terraform Cloud the last tfstate of the workspace and will save it to S3.</p> <p>To get all this working, this terraform module <a href="https://github.com/mnsanfilippo/terraform-cloud-backup" rel="noopener noreferrer">terraform-cloud-backup</a><br> will create and configure the resources needed.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>module "example" { source = "https://github.com/mnsanfilippo/terraform-cloud-backup.git?ref=main" bucket_builds = var.bucket_builds bucket_name = var.bucket_name lambda_s3_key = var.lambda_s3_key tf_token = var.tf_token workspaces_ids = var.workspaces_ids } </code></pre> </div> <p>To get this up and running, we need a few stuff.</p> <ul> <li>Terraform Cloud Token.</li> <li>The build of the lambda in S3.</li> <li>The name of the S3 bucket where to save the tfstates.</li> <li>The list of the workspaces IDs to backup.</li> </ul> <p>The variables should look like this:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyzb3uft5xngzdguotykl.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyzb3uft5xngzdguotykl.png" alt="Terraform Cloud Variables"></a></p> <p>Once that the module has been applied. There is a new notification in Terraform Cloud<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2dl7o1iq2f4u7rk7fbbu.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2dl7o1iq2f4u7rk7fbbu.png" alt="Terraform Cloud Notification"></a><br> And in S3 your tfstates are going to be saved as<br> <code>bucket/organization/workspace/year/month/day/workspace-serial-stateID-runID.tfstate</code><br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Far403mhxtbv1s6zt2inj.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Far403mhxtbv1s6zt2inj.png" alt="tfstate in S3"></a></p> <p>This is all for today. In the following days, I will publish the Go-Tool to save all the tfstates on Terraform Cloud.</p> terraform go backup aws Pipo Sanfilippo Tue, 12 Jan 2021 16:57:33 +0000 https://dev.to/mnsanfilippo/testing-iac-with-terratest-and-github-actions-okh https://dev.to/mnsanfilippo/testing-iac-with-terratest-and-github-actions-okh <p><strong>Index</strong></p> <ol> <li>Introduction</li> <li>Creating a new AWS account for testing</li> <li>What you are going to test</li> <li>Project structure</li> <li>Writing a terraform module</li> <li>Using a terraform module</li> <li>Testing the module</li> <li>Testing within GitHub Actions</li> <li>Using terragrunt</li> </ol> <h1> Introduction<a></a> </h1> <p>Hello there!</p> <p>A few months ago, I started to do some stuff in Go, and I fell in love with it, I wrote some scripts and the scripts are now in production, but I didn't like that they were only scripts, I tested them over and over, but manually of course, and it was very tedious, due to the lack of time, ignorance, and a lot of excuses, I postponed the tests of my scripts.</p> <p>Last month, I started to do the AWS Solutions Architect Professional training with Adrian Cantrill, the best instructor in the world. I decided that I wanted to take it seriously. So, I rewrote my scripts now in a TDD way.</p> <p>At first, I tried with LocalStack, which is great, but I encountered myself fighting most of the time with LocalStack that with my code. For example, you can create an SNS topic, publish a message into an SNS topic, but you can't subscribe to your email, and part of what should be tested to send an email. <br> So I found Terratest. With it you deploy real infrastructure, so that means that it has real costs. </p> <h1> Creating a new AWS account for testing<a></a> </h1> <p>The first thing you have to do is create a new account for testing purposes. This is needed because we are going to use <a href="https://github.com/gruntwork-io/cloud-nuke">cloud-nuke</a> to destroy everything that we had created for testing. You will sleep better if there are almost zero chances to destroy something that is in production.</p> <h1> What you are going to test<a></a> </h1> <p>You are going to test the creation of an AWS Account. This will be your test account, where you are going to create and destroy resources without the worries of being in a production environment.</p> <h1> Project structure<a></a> </h1> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>├── terraform │   ├── accounts │   │   ├── main.tf │   │   ├── outputs.tf │   │   └── variables.tf │   └── tests │   ├── go.mod │   ├── go.sum │   └── organizations_accounts_test.go ├── terraform-live │   ├── master │   │   ├── account.hcl │   │   └── us-east-1 │   │   ├── dev │   │   │   ├── accounts │   │   │   │   └── terragrunt.hcl │   │   │   └── env.hcl │   │   └── region.hcl │   └── terragrunt.hcl └── terraform-modules ├── README.md └── aws └── organization └── accounts ├── main.tf ├── outputs.tf └── variables.tf </code></pre> </div> <ol> <li><p><a href="https://github.com/mnsanfilippo/terraform">terraform</a><br> In this repository exists the modules of terraform. </p></li> <li><p><a href="https://github.com/mnsanfilippo/terraform-live">terraform-live</a><br> In this repository, you are going to set up the environment variables.<br> For example:<br> You need two accounts, one for testing and another one for production. Here is where you set up the different environments, but keeping the code DRY, there is no need to copy and paste the same source code and only change the names.</p></li> <li><p><a href="https://github.com/mnsanfilippo/terraform-modules">terraform-modules</a><br> In this repository is the construction of our modules, the resources that we need to create something and the definitions of how it should be created.<br> For example, you want that everyone that uses your module has to set up specific tags for the purpose, environment, owner, or unit business of the resources created.</p></li> </ol> <h1> Writing a terraform module<a></a> </h1> <p>Use modules instead of resources. Using modules, the code keeps DRY, and is reusable. When you use the module, it is cleaner than all the resources needed. In this case, the module of an AWS account is pretty much the same that the resource, but in almost every other case, this is not going to happen.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1">#terraform-modules/aws/organization/accounts/main.tf</span> <span class="k">resource</span> <span class="s2">"aws_organizations_account"</span> <span class="s2">"account"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">account_name</span> <span class="nx">email</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">account_email</span> <span class="p">}</span> </code></pre> </div> <h1> Using a terraform module<a></a> </h1> <p>Now that you have your module for the account, you have to specify that source. You can have one repository for each module, or a repository with all the modules, to keep it simple. I decided to keep all the modules together.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1">#terraform/accounts/main.tf</span> <span class="k">module</span> <span class="s2">"account"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"git@github.com:mnsanfilippo/terraform-modules.git//aws/organization/accounts"</span> <span class="nx">account_name</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">account_name</span> <span class="nx">account_email</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">account_email</span> <span class="p">}</span> </code></pre> </div> <h1> Testing the module<a></a> </h1> <p>Testing Infrastructure as Code is not like testing other code. For example, in an app code, you write unit testing isolated from the real world. Testing Infrastructure as Code is testing how your resources behave in the real world. </p> <p>You are going to test the creation of the account. In order to do that, you are going to check that the account exists. In the future, you can add more tests, like can I access correctly from the master account to the new account?.</p> <p>The function TestOrganizationAccountCreation does what it says, verify the creation of an account. To test that, it retrieves the account of the organization with the account_id output from terraform, and then it checks if the email and the name are the same that are used to create the account.</p> <p>This test has a problem, in the real world when you create an account, you can't delete it without completing the sign-up steps before. This is why the code has a "terraformPlan" boolean. If you want to create an account and test correctly this module, change the value to false. If you only want to make a plan of it, leave it in true.</p> <p>Terratest is a library that is going to help you to test terraform code but is not going to do all the job, in this case, there is an auxiliary function (describeAccountById) to retrieve the account info from AWS.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">package</span> <span class="n">test</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"context"</span> <span class="s">"fmt"</span> <span class="s">"github.com/aws/aws-sdk-go-v2/aws"</span> <span class="s">"github.com/aws/aws-sdk-go-v2/config"</span> <span class="s">"github.com/aws/aws-sdk-go-v2/service/organizations"</span> <span class="s">"github.com/aws/aws-sdk-go-v2/service/organizations/types"</span> <span class="s">"github.com/gruntwork-io/terratest/modules/random"</span> <span class="s">"github.com/gruntwork-io/terratest/modules/terraform"</span> <span class="s">"github.com/stretchr/testify/assert"</span> <span class="s">"log"</span> <span class="s">"testing"</span> <span class="p">)</span> <span class="k">var</span> <span class="n">terraformPlan</span> <span class="o">=</span> <span class="no">true</span> <span class="k">func</span> <span class="n">TestOrganizationAccountCreation</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="c">// Set up expected values to be checked later</span> <span class="n">expectedAccountName</span> <span class="o">:=</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Sprintf</span><span class="p">(</span><span class="s">"a4l-dev-%s"</span><span class="p">,</span> <span class="n">random</span><span class="o">.</span><span class="n">UniqueId</span><span class="p">())</span> <span class="n">expectedEmail</span> <span class="o">:=</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Sprintf</span><span class="p">(</span><span class="s">"mnsanfilippo+dev+%s@gmail.com"</span><span class="p">,</span> <span class="n">random</span><span class="o">.</span><span class="n">UniqueId</span><span class="p">())</span> <span class="c">// Construct the terraform options with default retryable errors to handle the most common retryable errors in</span> <span class="c">// terraform testing</span> <span class="n">terraformOptions</span> <span class="o">:=</span> <span class="n">terraform</span><span class="o">.</span><span class="n">WithDefaultRetryableErrors</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">terraform</span><span class="o">.</span><span class="n">Options</span><span class="p">{</span> <span class="c">// The path to where our Terraform code is located</span> <span class="n">TerraformDir</span><span class="o">:</span> <span class="s">"./../accounts/"</span><span class="p">,</span> <span class="c">//Variables to pass to our Terraform code using -var options</span> <span class="n">Vars</span><span class="o">:</span> <span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="k">interface</span><span class="p">{}{</span> <span class="s">"account_name"</span><span class="o">:</span> <span class="n">expectedAccountName</span><span class="p">,</span> <span class="s">"account_email"</span><span class="o">:</span> <span class="n">expectedEmail</span><span class="p">,</span> <span class="p">},</span> <span class="p">})</span> <span class="c">//At the end of the test, run "terraform destroy" to clean up any resources that were created</span> <span class="c">// In this case, the account is not deleted, to be deleted you need to complete first the account sign-up steps</span> <span class="c">//defer terraform.Destroy(t, terraformOptions)</span> <span class="k">if</span> <span class="n">terraformPlan</span> <span class="p">{</span> <span class="c">// Also, you can only do terraform plan</span> <span class="n">terraform</span><span class="o">.</span><span class="n">Init</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">terraformOptions</span><span class="p">)</span> <span class="n">terraform</span><span class="o">.</span><span class="n">Plan</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">terraformOptions</span><span class="p">)</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="c">// This will run `terraform init` and `terraform apply`and fail the test if there any errors</span> <span class="n">terraform</span><span class="o">.</span><span class="n">InitAndApply</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">terraformOptions</span><span class="p">)</span> <span class="c">// Look up the Organization Account by id</span> <span class="n">accountId</span> <span class="o">:=</span> <span class="n">terraform</span><span class="o">.</span><span class="n">Output</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">terraformOptions</span><span class="p">,</span> <span class="s">"account_id"</span><span class="p">)</span> <span class="n">account</span> <span class="o">:=</span> <span class="n">describeAccountById</span><span class="p">(</span><span class="n">accountId</span><span class="p">)</span> <span class="n">assert</span><span class="o">.</span><span class="n">Equal</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">expectedEmail</span><span class="p">,</span> <span class="o">*</span><span class="n">account</span><span class="o">.</span><span class="n">Email</span><span class="p">)</span> <span class="n">assert</span><span class="o">.</span><span class="n">Equal</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">expectedAccountName</span><span class="p">,</span> <span class="o">*</span><span class="n">account</span><span class="o">.</span><span class="n">Name</span><span class="p">)</span> <span class="c">// I added this only to see if the account was created in the AWS console before it was deleted</span> <span class="n">log</span><span class="o">.</span><span class="n">Println</span><span class="p">(</span><span class="s">"Now you can go and check if the account was created in the AWS Console.</span><span class="se">\n</span><span class="s">"</span> <span class="o">+</span> <span class="s">"Remember, to delete the account, you first have to complete the sign-up process."</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="k">func</span> <span class="n">describeAccountById</span><span class="p">(</span><span class="n">id</span> <span class="kt">string</span><span class="p">)</span> <span class="o">*</span><span class="n">types</span><span class="o">.</span><span class="n">Account</span> <span class="p">{</span> <span class="n">cfg</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">config</span><span class="o">.</span><span class="n">LoadDefaultConfig</span><span class="p">(</span><span class="n">context</span><span class="o">.</span><span class="n">TODO</span><span class="p">())</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">log</span><span class="o">.</span><span class="n">Fatal</span><span class="p">(</span><span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="n">svc</span> <span class="o">:=</span> <span class="n">organizations</span><span class="o">.</span><span class="n">NewFromConfig</span><span class="p">(</span><span class="n">cfg</span><span class="p">)</span> <span class="n">req</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">svc</span><span class="o">.</span><span class="n">DescribeAccount</span><span class="p">(</span><span class="n">context</span><span class="o">.</span><span class="n">Background</span><span class="p">(),</span> <span class="o">&amp;</span><span class="n">organizations</span><span class="o">.</span><span class="n">DescribeAccountInput</span><span class="p">{</span><span class="n">AccountId</span><span class="o">:</span> <span class="n">aws</span><span class="o">.</span><span class="n">String</span><span class="p">(</span><span class="n">id</span><span class="p">)})</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">log</span><span class="o">.</span><span class="n">Println</span><span class="p">(</span><span class="s">"Failed retrieving account by ID"</span><span class="p">)</span> <span class="n">log</span><span class="o">.</span><span class="n">Fatal</span><span class="p">(</span><span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="n">req</span><span class="o">.</span><span class="n">Account</span> <span class="p">}</span> </code></pre> </div> <p>You can test this simply by running<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>go <span class="nb">test</span> <span class="nt">-v</span> </code></pre> </div> <h2> Testing within GitHub Actions<a></a> </h2> <p>To test the code before merging with production, you can add a workflow that validates the code every time that has a change in the repository.</p> <p>Set up the following secrets in the repository</p> <ul> <li>SSH_KEY</li> <li>AWS_ACCESS_KEY_ID</li> <li>AWS_SECRET_ACCESS_KEY</li> <li>AWS_DEFAULT_REGION </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Testing new terraform code</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">develop</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">develop</span> <span class="pi">-</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">env</span><span class="pi">:</span> <span class="na">AWS_ACCESS_KEY_ID</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_ACCESS_KEY_ID }}</span> <span class="na">AWS_SECRET_ACCESS_KEY</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_SECRET_ACCESS_KEY }}</span> <span class="na">AWS_DEFAULT_REGION</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_DEFAULT_REGION }}</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v2</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Set up Go</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-go@v2</span> <span class="na">with</span><span class="pi">:</span> <span class="na">go-version</span><span class="pi">:</span> <span class="m">1.15</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s1">'</span><span class="s">Setup</span><span class="nv"> </span><span class="s">SSH</span><span class="nv"> </span><span class="s">Key'</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">webfactory/ssh-agent@v0.4.1</span> <span class="na">with</span><span class="pi">:</span> <span class="na">ssh-private-key</span><span class="pi">:</span> <span class="s">${{ secrets.SSH_KEY }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Setup Dependencies</span> <span class="na">working-directory</span><span class="pi">:</span> <span class="s">tests/</span> <span class="na">run</span><span class="pi">:</span> <span class="s">go get -v -t -d &amp;&amp; go mod tidy</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Test</span> <span class="na">working-directory</span><span class="pi">:</span> <span class="s">tests/</span> <span class="na">run</span><span class="pi">:</span> <span class="s">go test -v</span> </code></pre> </div> <h1> Using Terragrunt<a></a> </h1> <p>Terragrunt is a tool that helps to have separate environments while keeping the code DRY. Using Terragrunt, you avoid having multiple copies of "terraform/accounts/main.tf" that only differ in the environment names, or the instances types of your EC2 instances. </p> <p>For example, you can specify the email and the account name that the account will have. In order to make another account, you copy this configuration and change the email and the account.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># terraform-live/master/us-east-1/dev/accounts/terragrunt.hcl</span> <span class="nx">locals</span> <span class="p">{</span> <span class="c1"># Automatically load environment-level variables</span> <span class="nx">environment_vars</span> <span class="p">=</span> <span class="nx">read_terragrunt_config</span><span class="p">(</span><span class="nx">find_in_parent_folders</span><span class="p">(</span><span class="s2">"env.hcl"</span><span class="p">))</span> <span class="c1"># Extract out common variables for reuse</span> <span class="nx">env</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">environment_vars</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">environment</span> <span class="p">}</span> <span class="c1"># Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the</span> <span class="c1"># working directory, into a temporary folder, and execute your Terraform commands in that folder.</span> <span class="k">terraform</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"git@github.com:mnsanfilippo/terraform.git//accounts?ref=develop"</span> <span class="p">}</span> <span class="c1"># Include all settings from the root terragrunt.hcl file</span> <span class="nx">include</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="nx">find_in_parent_folders</span><span class="p">()</span> <span class="p">}</span> <span class="c1"># These are the variables we have to pass in to use the module specified in the terragrunt configuration above</span> <span class="nx">inputs</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">account_name</span> <span class="p">=</span> <span class="s2">"dev"</span> <span class="nx">account_email</span> <span class="p">=</span> <span class="s2">"mnsanfilippo+dev@gmail.com"</span> <span class="p">}</span> </code></pre> </div> <p>And that will be it for today. I hope that this guide can help you to start testing your code.</p> go terraform testing aws