[services][terraform] Introduce S3 backend

Summary: Part of [[ https://linear.app/comm/issue/ENG-3549/define-a-remote-backend-to-store-the-terraform-state | ENG-3549 ]]. This diff sets up Terraform to use the S3 backend, located on the Terraform/Infra AWS account in the `commapp-terraform` bucket. Logged in to that account, the AWS provider 'assumes role' on the target (staging/prod) accounts in order to perform actions. The following steps were made: 1. Created a new S3 bucket `commapp-terraform` in the Terraform/Infra AWS account 2. Set up appropriate permissions to access the bucket 3. Both staging and prod accounts have a `Terraform` IAM role, assumable by the Terraform/Infra account 4. Set up the code in this diff. 5. Log in to the Terraform/Infra account with CLI and ran `terraform init -migrate-state` to copy local state to S3. Depends on D8667 Test Plan: 1. Logged in to the Terraform/Infra AWS account with AWS CLI 2. Cleared local files and dirs: `terraform.tfstate`, `.terraform/`, `.terraform.tfstate.d/` 3. Ran `terraform init` and `terraform workspace select production`. They succeeded. 4. Ran `terraform plan` - it succeeded and showed the changes that would be applied. 5. Entered S3 console and verified that the state files were last updated during the tf apply. Reviewers: jon, varun Reviewed By: jon Subscribers: ashoat, tomek Differential Revision: https://phab.comm.dev/D8669
CommE2E · Aug 1, 2023 · f471480 · f471480
1 parent cb9abbe
commit f471480
Showing 1 changed file with 19 additions and 3 deletions.
diff --git a/services/terraform/remote/main.tf b/services/terraform/remote/main.tf
@@ -1,18 +1,34 @@
+terraform {
+  backend "s3" {
+    region         = "us-east-2"
+    key            = "terraform.tfstate"
+    bucket         = "commapp-terraform"
+    dynamodb_table = "terraform-lock"
+    encrypt        = true
+  }
+}
+
 provider "sops" {}
 
 data "sops_file" "secrets_json" {
   source_file = "secrets.json"
 }
 
 locals {
-  secrets = jsondecode(data.sops_file.secrets_json.raw)
+  environment = terraform.workspace
+  secrets     = jsondecode(data.sops_file.secrets_json.raw)
+
+  target_account_id  = lookup(local.secrets.accountIDs, local.environment)
+  terraform_role_arn = "arn:aws:iam::${local.target_account_id}:role/Terraform"
 }
 
 provider "aws" {
   region = "us-east-2"
 
-  shared_config_files      = ["${pathexpand("~/.aws/config")}"]
-  shared_credentials_files = ["${pathexpand("~/.aws/credentials")}"]
+  assume_role {
+    role_arn    = local.terraform_role_arn
+    external_id = "terraform"
+  }
 
   # automatically add these tags to all resources
   default_tags {