yle_tf 1.3.0 → 1.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7811f980206094727502839932ba9a800a4e37694ae26bc71d9c4935de38d3c3
-  data.tar.gz: 95e2c481a30b3caffb65c08407f9e222210fe01514f59ff88ca38a00915ea31b
+  metadata.gz: e8df78c6d65e3180770988e0fdc1655bfa0af42d57d8f1b5dd19f26de1281a39
+  data.tar.gz: 10f59a1cdd3757d19dbeebfaaeb1328e41c367be464d87486b9bb8b93d6ef845
 SHA512:
-  metadata.gz: 84010f77dfa1d2786f0c9b4a3783073ad15bbf6146bac16f4a49401b8b378e28f0747f82a6880eb01dda175fccbd1465f3e25391586e10c11d424e304fe8e74b
-  data.tar.gz: 95c19822da06edb58e250215fb0c5e2154da99e8881a2b8a8ce4fb9fe7c124772e81d7a2774595fdedb97cec3166e0b34e7c098ac20d8133ad97bfcb1196534e
+  metadata.gz: dc31eb920ce29b2aeb8616739b89e370a0c36a8ff395e3a41b3a1176d4ac592a2da913b6ff11eb0a0c015c33f5819cf5e888b9056b324e7ef81c156f75fa4fc6
+  data.tar.gz: 2fbcf63e27d8a817b654087d676a9252db1acde67629ad66a07e4d12ac20e44396c707718c42c3ee594593bcad74fb5d1be108026b5a17c615dc4663eca42a97

data/lib/yle_tf/action/terraform_init.rb

@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
+require 'fileutils'
 require 'pathname'
+require 'shellwords'
 
 require 'yle_tf/logger'
 require 'yle_tf/plugin'
@@ -28,26 +30,53 @@ class YleTf
         Logger.info('Initializing Terraform')
         Logger.debug("Backend configuration: #{backend}")
 
-        init(backend)
+        init_dir
 
-        @app.call(env)
+        if env[:tf_command] == 'init'
+          # Skip initializing Terraform here, as it will be done by the
+          # actuall command later in the middleware stack.
+          @app.call(env)
+          store_terraform_lock
+        else
+          init_terraform
+          store_terraform_lock
+          @app.call(env)
+        end
+
+        tear_down
       end
 
-      def init(backend)
+      def init_dir
         Logger.debug('Configuring the backend')
         backend.configure
 
         Logger.debug('Symlinking errored.tfstate')
-        symlink_errored_tfstate
+        symlink_to_module_dir('errored.tfstate')
+      end
 
+      def tear_down
+        Logger.debug('Tearing down backend')
+        backend.tear_down
+      end
+
+      def init_terraform
         Logger.debug('Initializing Terraform')
-        YleTf::System.cmd('terraform', 'init', *TF_CMD_ARGS, **TF_CMD_OPTS)
+        YleTf::System.cmd('terraform', 'init', *tf_init_args, **TF_CMD_OPTS)
+      end
+
+      def store_terraform_lock
+        Logger.debug('Storing .terraform.lock.hcl')
+        copy_to_module_dir('.terraform.lock.hcl')
       end
 
       def backend
         @backend ||= find_backend
       end
 
+      def tf_init_args
+        TF_CMD_ARGS + Shellwords.split(ENV.fetch('TF_INIT_ARGS', ''))
+      end
+
       def find_backend
         backend_type = config.fetch('backend', 'type').downcase
         backend_proc = Plugin.manager.backends[backend_type]
@@ -56,15 +85,19 @@ class YleTf
         klass.new(config)
       end
 
-      def symlink_errored_tfstate
-        local_path = Pathname.pwd.join('errored.tfstate')
-        remote_path = config.module_dir.join('errored.tfstate')
+      def symlink_to_module_dir(file)
+        local_path = Pathname.pwd.join(file)
+        remote_path = config.module_dir.join(file)
 
         # Remove the possibly copied old file
         local_path.unlink if local_path.exist?
 
         local_path.make_symlink(remote_path)
       end
+
+      def copy_to_module_dir(file)
+        FileUtils.cp(file, config.module_dir.to_s) if File.exist?(file)
+      end
     end
   end
 end

data/lib/yle_tf/action/write_terraformrc_defaults.rb

@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 require 'fileutils'
+require 'pathname'
+
 require 'yle_tf/logger'
 
 class YleTf
@@ -10,45 +12,58 @@ class YleTf
       RC_PATH = '~/.terraformrc'
 
       # Path of the plugin cache directory
-      DEFAULT_PLUGIN_CACHE_PATH = '$HOME/.terraform.d/plugin-cache'
+      DEFAULT_PLUGIN_CACHE_PATH = '~/.terraform.d/plugin-cache'
 
       def initialize(app)
         @app = app
       end
 
       def call(env)
-        Logger.debug("Writing default configuration to '#{RC_PATH}'")
-        open_rc_file do |rc_file|
-          keys = existing_keys(rc_file)
-
-          configure_checkpoint(rc_file) if !keys.include?('disable_checkpoint')
-          configure_plugin_cache_dir(rc_file) if !keys.include?('plugin_cache_dir')
+        if rc_file.exist?
+          Logger.debug("Terraform configuration file '#{RC_PATH}' already exists")
+          if !existing_keys.include?('plugin_cache_dir')
+            Logger.warn("'plugin_cache_dir' not configured in '#{RC_PATH}'")
+          end
+        else
+          Logger.debug("Writing default configuration to '#{RC_PATH}'")
+          write_default_config
         end
 
         @app.call(env)
       end
 
-      def open_rc_file(&block)
-        File.open(File.expand_path(RC_PATH), 'a+', &block)
+      def rc_file
+        @rc_file ||= Pathname.new(RC_PATH).expand_path
       end
 
-      def existing_keys(rc_file)
-        [].tap do |keys|
-          rc_file.each_line do |line|
+      def existing_keys
+        @existing_keys ||= [].tap do |keys|
+          rc_file.readlines.each do |line|
+            # The matcher is a bit naive, but enough for out use
             keys << Regexp.last_match(1) if line =~ /^(.+?)[ \t]*=/
           end
         end
       end
 
-      def configure_checkpoint(rc_file)
+      def write_default_config
+        rc_file.open('w') do |rc_file|
+          configure_checkpoint(rc_file)
+          configure_plugin_cache_dir(rc_file)
+        end
+      end
+
+      def configure_checkpoint(file)
         Logger.info("Disabling Terraform upgrade and security bulletin checks by '#{RC_PATH}'")
 
-        rc_file.puts('disable_checkpoint = true')
+        file.puts('disable_checkpoint = true')
       end
 
-      def configure_plugin_cache_dir(rc_file)
+      def configure_plugin_cache_dir(file)
         Logger.info("Configuring global Terraform plugin cache by '#{RC_PATH}'")
-        rc_file.puts("plugin_cache_dir   = \"#{DEFAULT_PLUGIN_CACHE_PATH}\"")
+        # Replace `~` with `$HOME` as it is not expanded correctly in all architectures.
+        # Can't use `$HOME` in the constant though, as it won't be expanded by
+        # `expand_path` below. Can't win this game.
+        file.puts("plugin_cache_dir   = \"#{DEFAULT_PLUGIN_CACHE_PATH.sub(/^~/, '$HOME')}\"")
 
         dir = File.expand_path(DEFAULT_PLUGIN_CACHE_PATH)
         return if File.directory?(dir)

data/lib/yle_tf/backend.rb

@@ -30,6 +30,11 @@ class YleTf
       File.write(BACKEND_CONFIG_FILE, JSON.pretty_generate(data))
     end
 
+    # Tear down the backend
+    def tear_down
+      # Nothing to do by default
+    end
+
     # Returns the backend configuration as a `Hash` for Terraform
     def to_h
       { type => backend_specific_config }

data/lib/yle_tf/config/defaults.rb

@@ -13,7 +13,10 @@ class YleTf
         'backend'   => {
           'type' => 'file',
           'file' => {
-            'path' => '<%= @module %>_<%= @env %>.tfstate'
+            'path'            => '<%= @module %>_<%= @env %>.tfstate',
+            'encrypt'         => false,
+            'encrypt_command' => 'sops --encrypt --input-type binary --output-type binary --output "{{TO}}" "{{FROM}}"',
+            'decrypt_command' => 'sops --decrypt --input-type binary --output-type binary --output "{{TO}}" "{{FROM}}"'
           },
           's3'   => {
             'key' => '<%= @module %>_<%= @env %>.tfstate'

data/lib/yle_tf/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 class YleTf
-  VERSION = '1.3.0'
+  VERSION = '1.4.0'
 end

data/lib/yle_tf_plugins/backends/file/backend.rb

@@ -1,24 +1,83 @@
 # frozen_string_literal: true
 
+require 'fileutils'
 require 'pathname'
+require 'shellwords'
+
 require 'yle_tf/backend'
 require 'yle_tf/logger'
+require 'yle_tf/system'
 
 module YleTfPlugins
   module Backends
     module File
       class Backend < YleTf::Backend
-        # Symlinks local "terraform.tfstate" to the specified path
         def configure
+          if !encrypt?
+            create_tfstate(tfstate_path)
+            symlink_tfstate
+          elsif tfstate_path.exist?
+            decrypt_tfstate
+          end
+        end
+
+        def tear_down
+          encrypt_tfstate if encrypt? && local_tfstate_path.exist?
+        end
+
+        def create_tfstate(path)
+          return if path.exist?
+
+          YleTf::Logger.debug('Creating state file')
+          path.write(tfstate_template, perm: 0o644)
+        end
+
+        def symlink_tfstate
           YleTf::Logger.info("Symlinking state to '#{tfstate_path}'")
-          local_path = Pathname.pwd.join('terraform.tfstate')
-          local_path.make_symlink(tfstate_path)
+          local_tfstate_path.make_symlink(tfstate_path)
+        end
 
-          tfstate_path.write(tfstate_template, perm: 0o644) if !tfstate_path.exist?
+        def encrypt?
+          config.fetch('backend', type, 'encrypt')
+        end
+
+        def decrypt_tfstate
+          YleTf::Logger.info("Decrypting state from '#{tfstate_path}'")
+
+          cmd = config.fetch('backend', type, 'decrypt_command')
+          cmd.gsub!('{{FROM}}', tfstate_path.to_s)
+          cmd.gsub!('{{TO}}', local_tfstate_path.to_s)
+
+          # Split the command to have nicer logs
+          YleTf::System.cmd(*Shellwords.split(cmd))
+        end
+
+        def encrypt_tfstate
+          YleTf::Logger.info("Encrypting state to '#{tfstate_path}'")
+
+          cmd = config.fetch('backend', type, 'encrypt_command')
+          cmd.gsub!('{{FROM}}', local_tfstate_path.to_s)
+          cmd.gsub!('{{TO}}', tfstate_path.to_s)
+
+          YleTf::System.cmd(*Shellwords.split(cmd),
+                            error_handler: method(:on_encrypt_error))
+        end
+
+        def on_encrypt_error(_exit_code, error)
+          plain_tfstate_path = "#{tfstate_path}.plaintext"
+
+          YleTf::Logger.warn("Copying unencrypted state to '#{plain_tfstate_path}'")
+          FileUtils.cp(local_tfstate_path.to_s, plain_tfstate_path)
+
+          raise error
         end
 
         def tfstate_path
-          @tfstate_path ||= config.module_dir.join(config.fetch('backend', 'file', 'path'))
+          @tfstate_path ||= config.module_dir.join(config.fetch('backend', type, 'path'))
+        end
+
+        def local_tfstate_path
+          @local_tfstate_path ||= Pathname.pwd.join('terraform.tfstate')
         end
 
         def tfstate_template

data/lib/yle_tf_plugins/commands/help/command.rb

@@ -2,7 +2,6 @@
 
 require 'optparse'
 
-require 'yle_tf/system'
 require 'yle_tf/plugin'
 
 module YleTfPlugins
@@ -20,18 +19,17 @@ module YleTfPlugins
           o.banner = 'Usage: tf <environment> <command> [<args>]'
           o.separator ''
           o.separator 'YleTf options:'
-          o.on('-h', '--help', 'Prints this help')
+          o.on('-h', '--help',    'Prints this help')
           o.on('-v', '--version', 'Prints the version information')
-          o.on('--debug', 'Print debug information')
-          o.on('--no-color', 'Do not output with colors')
-          o.on('--no-hooks', 'Do not run any hooks')
-          o.on('--only-hooks', 'Only run the hooks')
+          o.on('--debug',         'Print debug information')
+          o.on('--no-color',      'Do not output with colors')
+          o.on('--no-hooks',      'Do not run any hooks')
+          o.on('--only-hooks',    'Only run the hooks')
           o.separator ''
-          o.separator 'Special tf commands:'
+          o.separator 'Special YleTf commands:'
           o.separator tf_command_help
           o.separator ''
-          o.separator 'Terraform commands:'
-          o.separator terraform_help
+          o.separator 'Run `terraform -help` to get list of all Terraform commands.'
         end
       end
       # rubocop:enable Metrics/AbcSize, Metrics/MethodLength
@@ -49,17 +47,6 @@ module YleTfPlugins
           "    #{command.ljust(18)} #{data[:synopsis]}"
         end
       end
-
-      def terraform_help
-        on_error = proc do |exit_code|
-          # exit_code is nil if the command was not found
-          # Ignore other exit codes, as older Terraform versions return
-          # non-zero exit codes for the help.
-          return '    [Terraform not found]' if exit_code.nil?
-        end
-        help = YleTf::System.read_cmd('terraform', '--help', error_handler: on_error)
-        help.lines.grep(/^    /)
-      end
     end
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: yle_tf
 version: !ruby/object:Gem::Version
-  version: 1.3.0
+  version: 1.4.0
 platform: ruby
 authors:
 - Yleisradio
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-10-12 00:00:00.000000000 Z
+date: 2021-01-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thwait
@@ -182,7 +182,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
+rubygems_version: 3.2.3
 signing_key:
 specification_version: 4
 summary: Tooling for Terraform